dehaasm
Collaborator

IA How to disable identity pull from PEP to PDP

We have an on-premise PDP which is pushing/sharing the identities to an Azure CloudGuard using the public IP address of the gateway (also restricted on the source public IP address). This is quite helpful as this is Out of Band management and not crossing any Azure Load Balancer. This is working and the Azure CloudGuard PEP has all the user information. The Azure CloudGuard also tries to retrieve the identities by connecting to the same IP address, but the IP address of the PDP is not reachable.

We know that sk60701 explains how to change the IP address of the identity sharing gateways, but we don't want to do that, since it is already working; however the PDP "complains" that it lost its connection to the Azure CloudGuard. Again, the connection from the PDP to the Azure firewall PEPs is working fine and the gateways have the identities, but the opposite direction is not able to establish the connection.

The only thing we try to avoid is that the PDP is reporting errors but in fact is working fine and the Azure cloudguard does not need to share its identities, but only receive from the PDP.

Is there a way to control and only enforce PDP push identities from the PDP to PEP and not to perform any PDP pull from the PEP in Azure?

Perhaps there is some neat feature called smartpush from PDP to PEP and not to perform any smartpulls, asking for a friend 🙂

2 Solutions

Accepted Solutions
Tobias_Moritz
Advisor

You could try changing publish_method on the gateway from smart_pull to push (GuiDBedit: Table -> Network Objects -> network_objects -> FirewallName -> identity_aware_blade -> publish_method), save and install policy.

You may need to reset IA tables after that change (see sk170516 for the commands) and relearn all identities (maintenance window required).

Tobias_Moritz
Advisor

You can check afterwards with "pdp connection pep -e" on the PDP. There is a column named "Publish" which should show "Smart-Pull" before and "Push" after the change I mentioned.

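To make the verification step above repeatable across several PEPs, here is an added example (not from the thread or from Check Point) that parses a table in the style of "pdp connection pep -e" and lists every PEP whose Publish column is not "Push". Only the column name "Publish" and the values "Smart-Pull"/"Push" come from the thread; the other columns and the sample rows are constructed.

```python
from typing import Dict, List

# Constructed sample output in the style of "pdp connection pep -e".
# Assumption: the real command prints a fixed-width table with a header row;
# only the "Publish" header and its Smart-Pull/Push values are taken from the
# thread, the remaining columns and addresses are made up for illustration.
SAMPLE_BEFORE = """\
PEP IP           Status      Publish
10.0.0.1         Connected   Smart-Pull
203.0.113.10     Connected   Smart-Pull
"""

SAMPLE_AFTER = """\
PEP IP           Status      Publish
10.0.0.1         Connected   Push
203.0.113.10     Connected   Push
"""


def publish_methods(table: str) -> Dict[str, str]:
    """Map each PEP (first column) to the value under the 'Publish' header.

    The column is located by the character offset of the header word, so
    multi-word headers such as 'PEP IP' do not shift the index.
    """
    lines = [ln for ln in table.splitlines() if ln.strip()]
    if not lines:
        return {}
    header = lines[0]
    col = header.find("Publish")
    if col < 0:
        raise ValueError("no 'Publish' column in header: %r" % header)
    result: Dict[str, str] = {}
    for row in lines[1:]:
        pep = row.split()[0]
        cell = row[col:].split()
        # An empty cell means the PEP row is shorter than the header; record
        # it as unknown rather than silently treating it as Push.
        result[pep] = cell[0] if cell else ""
    return result


def peps_not_pushing(table: str) -> List[str]:
    """Return PEPs still on Smart-Pull (or anything other than Push)."""
    return [pep for pep, method in publish_methods(table).items()
            if method != "Push"]


if __name__ == "__main__":
    print("before change:", peps_not_pushing(SAMPLE_BEFORE))
    print("after change: ", peps_not_pushing(SAMPLE_AFTER))
```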

5 Replies
the_rock
Legend

Personally, I'm not aware of such a feature, maybe TAC would be able to confirm for you.

Best regards,

Andy


dehaasm
Collaborator

Thanks Tobias, that worked for me. No need to do any restart of PDPD or relearning; it just works out of the box. Just needed to allow port 15015 towards the gateways, that is it.

the_rock
Legend

Thanks for letting us know, glad it worked.

Andy
