R80.10 - Identity sharing question

Hello Mates,

We are just upgrading a bunch of R77.30 gateways to R80.10.

Now we have detected that the gateways connect to almost all other gateways for identity sharing.

We just enabled identity sharing on some chosen gateways because we don't want and need sharing between all gateways.

Is anybody facing this behavior as well, or does anybody know if there is any way to make the gateways connect to just the PDP/PEP server we have connected in the cluster object/identity sharing?

best
Vincent

and now to something completely different
5 Replies

Hi Vincent,

You can select the Gateways between which Identity information is shared. Below are the steps.

You can refer to the URL below for more information.

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide...


Hello,

I am familiar with how to configure that.

As I mentioned, identity sharing is disabled on almost all gateways but they are connected nevertheless.

Best
Vincent

Participant

The PDP should show as connected to the PEP on all the other gateways in a single domain, regardless of identity sharing being turned on or not. Identity sharing should only be turned on on the appliance that is collecting the logins, so as to prevent duplicates, which can lead to orphaned objects in the PEP table.


This sounds conclusive. Thanks a lot.

Best regards

Vincent Bacher

PS Implementation Engineer (L3)

Dimension Data Germany

Employee+

Hi Vincent, Gaurav,

If the change in sharing behavior occurred without any change in the sharing setup and the definitions, then I suggest opening a TAC and requesting that it be escalated to a CFG task. We recently identified a situation where, under some conditions, a gateway shares identities with gateways other than the selected ones, but it is not a degradation and the same behavior exists in R77.X as well.

Maybe a change of setting done as part of the introduction of R80.10 to the environment had amplified the issue.

Regards, 

Tzvi Katz - Identity awareness R&D group manager.