This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2017-11-12 04:00 PM

Proper settings for Identity Awareness on vSEC?

I have been reading the R80.10 vSEC limitations (sk110519), and have encountered this:

To enforce security policy with imported Data Center objects, the following conditions must be met on every vSEC Gateway, on which such policy is installed:

  • vSEC Controller Enforcer Hotfix must be installed
  • Identity Awareness blade must be activated with Terminal Servers authentication

The R80.10 vSEC Controller Administration Guide describes the procedure for enabling this functionality.

But I do not recall seeing this requirement in actual vSEC deployment guides.

Can someone shed a light on what's what with the IA with Terminal Services for vSEC?

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2017-11-12 07:53 PM

It may be that the "Terminal Server" option is required to ensure that Identity Awareness pulls the information from the sent via the Identity Awareness API, which the vSEC Controller uses.

However, that is merely a guess. 

0 Kudos
Tzvi_Katz
Employee
Employee
‎2017-11-15 07:39 AM

In R77.30 since IDA Web API were not exposed through the management, the TS Agent was piggybacked. in R80.10 the setting is done via the Web API section properly.  

0 Kudos
Vladimir
Champion
Champion
‎2017-11-15 07:49 AM
In response to Tzvi_Katz

So the TS setting is not required in R80.X for proper enforcement of policies containing data center objects?

If this is, indeed, the case, you may want to address it in sk110519.

Thank you,

Vladimir

0 Kudos
Chandhrasekar_S
Collaborator
‎2017-11-15 08:36 AM

Hi Vlad,

I want to share my experience

I have vSEC R80.10 gateway with 'Identity Awareness' blade enabled with 'Terminal Services' option.

I have configured the 'DataCenter' object to have my Azure subscription in the management server. I can see the management server getting all the updates fine whenever there is change to my Azure datacenter objects

Whenever I add 'Tags' to my Azure VM's, the management server is able to recognize the Tags in security policies and updates them.

The 'TAGS' don't work when 'Identity Awareness' blade is enabled, It works when I disable the 'Identity Awareness' blade, however the vSEC gateways couldn't get any updated Tags. Other VM's without TAGS are also being allowed by security policies

I checked with my SE, he says he could get his TAGS to work fine in his lab. I have an Support ticket open, they have sent it to DEV team for further research. I will update this thread once I have a resolution

Does anyone face similar issues with TAGS in their setup?

Chandru

0 Kudos
Vladimir
Champion
Champion
‎2017-11-15 08:55 AM
In response to Chandhrasekar_S

Thank you for sharing your experience.

Please ask your SE about TS options in R80.10 and let us know the outcome of your troubleshooting sessions.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events