This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fdhfdshs5454
Contributor
Contributor
‎2023-10-10 01:58 AM
Jump to solution

IA sharing at scale

Hello

We manage 50+ gw with full meshed IA sharing.

We face lot of isues with IA.
Some random IA not propagated accross gw, some random IA agents not able to connect to their local gw...
Something that improve the behavior a little bit is a cronjob to kill pep and pdp every night...

We think about centralising IA on a dedicated gw, so IA agents connect to this specific gw and it redistribute IA to all gw.

It's a big change that cannot be fully tested outside production and we are a little bit afraid things get worse than now.

How do you folks manage IA at scale?
Do you have to kill pep and pdp every night too?
Do you centralise IA to a single sharing gw?

Thanks for your advises.

0 Kudos
1 Solution

Accepted Solutions
fdhfdshs5454
Contributor
Contributor
‎2023-10-20 09:08 AM
In response to fdhfdshs5454
Jump to solution

We are slowly migrating to this setup and it looks like our issues disappear.

Checkpoint should really highlight the usage of very centric PDP to avoid IA sharing issues as soon as 2 firewalls are involved.

View solution in original post

0 Kudos
10 Replies
G_W_Albrecht
Legend Legend
Legend
‎2023-10-10 03:14 AM
Jump to solution

sk88520: Best Practices - Identity Awareness Large Scale Deployment

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
fdhfdshs5454
Contributor
Contributor
‎2023-10-10 03:32 AM
In response to G_W_Albrecht
Jump to solution

Yes, I read that.

I want to know administator feedback about IA sharing in general, this solution or others they may have deployed to fix IA.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-10-10 04:25 AM
Jump to solution

R81.20 has some relevant IA enhancements...

Are you using any of the following today and what version are the current Gateways?

- Identity Collector

- Identity Broker

- Dedicated PDPs

CCSM R77/R80/ELITE
0 Kudos
fdhfdshs5454
Contributor
Contributor
‎2023-10-11 04:15 AM
In response to Chris_Atkinson
Jump to solution

We are currently running R81.10 HFA110 on every gw.

We'll upgrade to R81.20 as soon as we get a maintenance windows.

  • Identity Collector: No. We don't use ADQuery. Only IA agents. Plus, each remote gateway fetch from its local DC
  • Identity Broker: No. We didn't invest in it as the configuration involve files modifications with complex syntax on every firewalls. Now, if you tell us it enhance the UX, we'll consider it. But how is it different from "classical" PDP? Why is it not the default PDP mecanism?
  • Dedicated PDPs: No. That's what this post is all about... Is it a good move? Is the user community doing it? what is their feeddback?...
0 Kudos
Daniel_Szydelko
Advisor
Advisor
‎2023-10-11 05:46 AM
In response to fdhfdshs5454
Jump to solution

Hello,

Please check not resolved issues in IA for R81.20:

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Upcoming-Resolved-Issues.htm?tocpath=__...

BR,

Daniel.

0 Kudos
ProxyOps
Contributor
‎2023-10-13 05:28 AM
Jump to solution

Hello,

we use dedicated PDP Brokers. The firewall itselfs only do the pep enforcement. We completly seperated these two services from each other. These PDP Brokers are full meshed to share all identies with each other. The peps only consume the identies from their local PDP Broker.

We don't need to kill pep / pdp every night.

We setup a centralised IA PDP Broker for every region.

We switched from our full meshed design to PDP Brokers in 2021. I draw our design and uploaded it here:

 

ProxyOps_1-1697200005813.jpeg


If you want more informations, feel free to contact me via private message.

 

Best regards



fdhfdshs5454
Contributor
Contributor
‎2023-10-16 06:20 AM
In response to ProxyOps
Jump to solution

Hello,

Thanks for sharing.

Your setup make sense to us. We will think about making something similar.

Thanks mate!

0 Kudos
fdhfdshs5454
Contributor
Contributor
‎2023-10-20 09:08 AM
In response to fdhfdshs5454
Jump to solution

We are slowly migrating to this setup and it looks like our issues disappear.

Checkpoint should really highlight the usage of very centric PDP to avoid IA sharing issues as soon as 2 firewalls are involved.

0 Kudos
CP-NDA
Collaborator
‎2023-10-24 02:42 AM
In response to ProxyOps
Jump to solution

Hi @ProxyOps 

 

Very interesting design!

Just wondering if your PDP Broker are working with Cluster_XL or not ? Does Cluster_XL synchronize the IA tables ?

Today we have a central design with IA Sharing accross multiples site which is just working fine. Problem is to find window maintenance to upgrade this central IA gateway.

This central Gateway is doing PDP for all users and then share identity with PEP to all remote GW.

Thank you

 

0 Kudos
ProxyOps
Contributor
‎2023-10-24 03:58 AM
In response to CP-NDA
Jump to solution

Hi @CP-NDA 

we are running our PDP Broker as Clusters (Cluster_XL) active-standby on VMs. 

Our PDP Brokers are running R81 currently are cluster_xl is not snycing the relevant tables for a interruption free failover.
When we do a failover the PDP Broker has to sync from scratch again with all over PDP Brokers.

I checked the R81.20 release noted and maybe something was improved here?


"Improved resiliency, scalability, and stability for PDPs and Identity Broker. Additional threads handle authentication and authorization flows."

I know cluster_xl is syncing some IA tables for PEP but I am not able to find a sk for that.

I have to admit, that we update the PDP Broker Gateways only if required as we need them to be as stable as possible.

 

Best regards

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events