topic Re: PDP Identity Sharing mode in Hyperscale Firewall (Maestro)

PDP Identity Sharing mode

FredrikV — Tue, 27 Sep 2022 10:47:31 GMT

My apologies if the answer is documented somewhere else in this forum. I just can't find it.

We have a Maestro platform in which we run several security groups with VSLS. A long time ago we had help from TAC to change the PDP mode in security group 1 from Pull to Push. For a couple of reasons pull just doesn't work for us. Now we must implement the same change to security group 3. However, the steps performed by TAC was not documented in the case notes. The only thing we know for certains was that the GuiDBEdit tools was used.

I have search for a SK that could describe what actions need to taken.

We are running version R81.10 Take 66.

PDPs (both access and aggregation layers) are external the to Maestro by running as separate VMs in VMware datacenter. Works well in security group 1 with Push mode configured. Users are identified with the help of the ID Agent which is installed on every workstation and laptop. Agents talk to the PDP access layer, which by a PDP broker shares information to the PDP aggregation layer, which pushes identites to the PEP on each gateway.

Can anyone point out instructions where in GuiDBEdit this can be changed in the same way in SG3?

I've already read this: https://community.checkpoint.com/t5/Security-Gateways/Identity-sharing-how-to-change-modes/m-p/62906#

Big thanks,

Fredrik

Re: PDP Identity Sharing mode

_Val_ — Tue, 27 Sep 2022 11:35:08 GMT

It is the best to take it with TAC

Re: PDP Identity Sharing mode

_Val_ — Tue, 27 Sep 2022 11:37:54 GMT

@Peter_Elmer what do you think?

Re: PDP Identity Sharing mode

FredrikV — Tue, 27 Sep 2022 11:42:32 GMT

Got it

Re: PDP Identity Sharing mode

G_W_Albrecht — Tue, 27 Sep 2022 12:07:51 GMT

sk175587: Identity Based Access Control and Threat Prevention - Design Guidelines - Quantum Maestro

Re: PDP Identity Sharing mode

Daniel_Szydelko — Tue, 27 Sep 2022 13:09:35 GMT

I believe it should be something like this (Unfortunately I haven't possibility to check it - it's from my personal notes):

Network Objects -> network_objects -> [Name of PDP cluster or name of VS] -> identity_aware_blade -> publish_method: change from smart_pull to push

You can check it for existing configuration VS's in SecGrp and PDP cluster).

Daniel.

Re: PDP Identity Sharing mode

Peter_Elmer — Tue, 27 Sep 2022 14:50:11 GMT

Hello @FredrikV, - cc thanks @_Val_ for pining to this post !

as mentioned by @G_W_Albrecht you may want to study sk175587. It is linked form the Maestro Administration Guide.

Due to the load balancing of Maestro performed on inbound connections you need to work with Push ID Sharing method. Changing from SmartPull to Push needs to be done with the support of TAC or PS to avoid misconfigurations.

I'll talk to R&D to see if the procedure can get published but I can't promise anything for now.

For Identity Based guidelines you may want to work with your local presales office. Further reading that may help are sk179544 and sk170765.

best regards

pelmer

Re: PDP Identity Sharing mode

Tobias_Moritz — Wed, 28 Sep 2022 13:26:32 GMT

In the past, it was also highly recommened to clear the IDA tables and restart all involved pdpd and pepd after changing the sharing method from smart-pull to push.

sk170516 is unrelated to your topic, but shows one example of how to clear these tables (and restart the processes).

Not sure, if it is still needed to today, so you better go through this together with TAC as suggested by Peter and Val.

Re: PDP Identity Sharing mode

FredrikV — Fri, 30 Sep 2022 07:50:55 GMT

Thanks everyone for your valuable advices!

We successfully made the change this morning, as per instructions provided both by TAC and PMs. It's always nice when actions can be confirmed from multiply resources.

Br,

Fredrik

Re: PDP Identity Sharing mode

FredrikV — Fri, 30 Sep 2022 07:56:22 GMT

Yes, that's correct. And not to be forgotten - reinstallation of policies and restarting pdp and pep daemons.

Re: PDP Identity Sharing mode

FredrikV — Fri, 30 Sep 2022 08:00:51 GMT

Yes. We did both methods actually. On a lab VS without load I only restarted the PEP daemon without emptying any tables. Looks like it did the trick anyways. But still better to be sure. Did clear the tables on the more critical VS's.

Re: PDP Identity Sharing mode

FredrikV — Fri, 30 Sep 2022 08:02:14 GMT

Thank you Peter for confirming that within the Maestro platform.