topic Re: IA sharing at scale in General Topics

IA sharing at scale

fdhfdshs5454 — Tue, 10 Oct 2023 08:58:28 GMT

Hello

We manage 50+ gw with full meshed IA sharing.

We face lot of isues with IA.
Some random IA not propagated accross gw, some random IA agents not able to connect to their local gw...
Something that improve the behavior a little bit is a cronjob to kill pep and pdp every night...

We think about centralising IA on a dedicated gw, so IA agents connect to this specific gw and it redistribute IA to all gw.

It's a big change that cannot be fully tested outside production and we are a little bit afraid things get worse than now.

How do you folks manage IA at scale?
Do you have to kill pep and pdp every night too?
Do you centralise IA to a single sharing gw?

Thanks for your advises.

Re: IA sharing at scale

G_W_Albrecht — Tue, 10 Oct 2023 10:14:14 GMT

sk88520: Best Practices - Identity Awareness Large Scale Deployment

Re: IA sharing at scale

fdhfdshs5454 — Tue, 10 Oct 2023 10:32:27 GMT

Yes, I read that.

I want to know administator feedback about IA sharing in general, this solution or others they may have deployed to fix IA.

Re: IA sharing at scale

Chris_Atkinson — Tue, 10 Oct 2023 11:29:03 GMT

R81.20 has some relevant IA enhancements...

Are you using any of the following today and what version are the current Gateways?

- Identity Collector

- Identity Broker

- Dedicated PDPs

Re: IA sharing at scale

fdhfdshs5454 — Wed, 11 Oct 2023 11:16:41 GMT

We are currently running R81.10 HFA110 on every gw.

We'll upgrade to R81.20 as soon as we get a maintenance windows.

Identity Collector: No. We don't use ADQuery. Only IA agents. Plus, each remote gateway fetch from its local DC
Identity Broker: No. We didn't invest in it as the configuration involve files modifications with complex syntax on every firewalls. Now, if you tell us it enhance the UX, we'll consider it. But how is it different from "classical" PDP? Why is it not the default PDP mecanism?
Dedicated PDPs: No. That's what this post is all about... Is it a good move? Is the user community doing it? what is their feeddback?...

Re: IA sharing at scale

Daniel_Szydelko — Wed, 11 Oct 2023 12:46:45 GMT

Hello,

Please check not resolved issues in IA for R81.20:

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Upcoming-Resolved-Issues.htm?tocpath=_____6

BR,

Daniel.

Re: IA sharing at scale

ProxyOps — Fri, 13 Oct 2023 16:19:51 GMT

Hello,

we use dedicated PDP Brokers. The firewall itselfs only do the pep enforcement. We completly seperated these two services from each other. These PDP Brokers are full meshed to share all identies with each other. The peps only consume the identies from their local PDP Broker.

We don't need to kill pep / pdp every night.

We setup a centralised IA PDP Broker for every region.

We switched from our full meshed design to PDP Brokers in 2021. I draw our design and uploaded it here:

If you want more informations, feel free to contact me via private message.

Best regards

Re: IA sharing at scale

fdhfdshs5454 — Mon, 16 Oct 2023 13:20:42 GMT

Hello,

Thanks for sharing.

Your setup make sense to us. We will think about making something similar.

Thanks mate!

Re: IA sharing at scale

fdhfdshs5454 — Fri, 20 Oct 2023 16:08:30 GMT

We are slowly migrating to this setup and it looks like our issues disappear.

Checkpoint should really highlight the usage of very centric PDP to avoid IA sharing issues as soon as 2 firewalls are involved.

Re: IA sharing at scale

CP-NDA — Tue, 24 Oct 2023 09:42:24 GMT

Hi @ProxyOps

Very interesting design!

Just wondering if your PDP Broker are working with Cluster_XL or not ? Does Cluster_XL synchronize the IA tables ?

Today we have a central design with IA Sharing accross multiples site which is just working fine. Problem is to find window maintenance to upgrade this central IA gateway.

This central Gateway is doing PDP for all users and then share identity with PEP to all remote GW.

Thank you

Re: IA sharing at scale

ProxyOps — Tue, 24 Oct 2023 10:58:54 GMT

Hi @CP-NDA

we are running our PDP Broker as Clusters (Cluster_XL) active-standby on VMs.

Our PDP Brokers are running R81 currently are cluster_xl is not snycing the relevant tables for a interruption free failover.
When we do a failover the PDP Broker has to sync from scratch again with all over PDP Brokers.

I checked the R81.20 release noted and maybe something was improved here?

"Improved resiliency, scalability, and stability for PDPs and Identity Broker. Additional threads handle authentication and authorization flows."

I know cluster_xl is syncing some IA tables for PEP but I am not able to find a sk for that.

I have to admit, that we update the PDP Broker Gateways only if required as we need them to be as stable as possible.

Best regards