https://community.checkpoint.com/t5/General-Topics/Stop-clearing-ADQuery-Identity-Awareness-during-policy/m-p/18293#M3289 <HTML><HEAD></HEAD><BODY><P>As far as I know, this shouldn't happen.</P><P>There's a note in our Best Practice documentation about something that happens during policy installation, namely we re-lookup all the LDAP groups associated with each user the gateway knows about.</P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk88520" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk88520">Best Practices - Identity Awareness Large Scale Deployment</A>&nbsp;</P><P>That couldn't happen if we cleared all the users on policy installation.</P><P></P><P>I recommend opening a TAC case.</P></BODY></HTML> Fri, 21 Dec 2018 22:37:57 GMT PhoneBoy 2018-12-21T22:37:57Z https://community.checkpoint.com/t5/General-Topics/Stop-clearing-ADQuery-Identity-Awareness-during-policy/m-p/18292#M3288 <HTML><HEAD></HEAD><BODY><P>Installing policy has the effect of clearing known user identity awareness, the primary reason why we advocate only handling this outside of business hours.</P><P></P><P>There are however often reasons why customers ask for policy installations during work hours, is there no way for a security gateway not to clear PDP during this process as user's internet access is subsequently inhibited until they restart their browser (initiates Kerberos browser based authentication as the browser handles captive portal detection), switches or cycles connectivity (initiates captive portal detection) or re-login (initiates ADQuery event)?</P></BODY></HTML> Thu, 20 Dec 2018 04:28:22 GMT https://community.checkpoint.com/t5/General-Topics/Stop-clearing-ADQuery-Identity-Awareness-during-policy/m-p/18292#M3288 David_Herselman 2018-12-20T04:28:22Z https://community.checkpoint.com/t5/General-Topics/Stop-clearing-ADQuery-Identity-Awareness-during-policy/m-p/18293#M3289 <HTML><HEAD></HEAD><BODY><P>As far as I know, this shouldn't happen.</P><P>There's a note in our Best Practice documentation about something that happens during policy installation, namely we re-lookup all the LDAP groups associated with each user the gateway knows about.</P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk88520" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk88520">Best Practices - Identity Awareness Large Scale Deployment</A>&nbsp;</P><P>That couldn't happen if we cleared all the users on policy installation.</P><P></P><P>I recommend opening a TAC case.</P></BODY></HTML> Fri, 21 Dec 2018 22:37:57 GMT https://community.checkpoint.com/t5/General-Topics/Stop-clearing-ADQuery-Identity-Awareness-during-policy/m-p/18293#M3289 PhoneBoy 2018-12-21T22:37:57Z