- Products
- Learn
- Local User Groups
- Partners
-
More
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
IDC Spotlight -
Uplevel The SOC
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Hi CheckMates,
I have published a new SK for Identity Awareness agents with direct links and list of resolved issues for your use.
The SK is sk134312.
It includes the following agents:
We will update this SK from time to time with new versions after they will be QAed.
In case you have remarks or any clarification is needed - I'm here to answer.
Thanks,
Royi Priov
Team Leader, Identity Awareness R&D.
Nice! This was an outstanding SK! Thanks!
With pleasure!
Hi Royi,
Question, what is recommended for deployment of Identity Agents?
There are packages available on the UserCenter (thank you for the URL/SK btw!) and on the Security Gateway under the folder: /opt/CPNacPortal/htdocs/nac/nacclients/ ?
Is there a difference between those packages?
Thank you in advance!
Kind regards,
Sean
Hi Sean Van Loon,
That's a good question.
sk134312will be updated from time to time with a newer version of our agents.
Every time a gateway version is released (e.g. R80.20) the newest version of each version will be included in it (the latest one from the SK).
It means that if you want to get the most updated agent it will be available on sk134312
Since the agents are backward compatible, you can upgrade the agent even without upgrading the gateway.
I hope this is clear.
Royi Priov
Identity Awareness R&D.
An update - a new version was uploaded to the SK.
Thanks,
Royi.
I have a few follow up questions related to Identity Collector:
1. Is this the same agent that can be downloaded from the GW at https://<IP_of_Security Gateway>/_IA_IDC/download/CPIdentityCollector.msi ?
2. What is the recommended versioning? Does the IDC version have to be greater than or equal to the highest version GW that has identity awareness enabled and tied to IDC? For example, in an environment with R80.20 Mgmt, and mixed GWs of R80.10, and R77.30, would the IDC agent need to be R80.10 or greater?
3. Does the version of the IDC agent only tie to the version of the GWs of running IA? Or does Security Management version matter? Hypothetically, if my entire environment were R80.10, and I wanted to upgrade management to R80.20, would I have upgrade IDC to R80.20 at the same time management is upgraded? Or only before we start upgrading GWs?
4. What is upgrade process for the IDC on the servers? As long as there are redundant IDC servers, is it simply uninstall/reinstall of the .msi?
Thanks for your help!
Phil
@phlrnnr wrote:
I have a few follow up questions related to Identity Collector:
1. Is this the same agent that can be downloaded from the GW at https://<IP_of_Security Gateway>/_IA_IDC/download/CPIdentityCollector.msi ?
2. What is the recommended versioning? Does the IDC version have to be greater than or equal to the highest version GW that has identity awareness enabled and tied to IDC? For example, in an environment with R80.20 Mgmt, and mixed GWs of R80.10, and R77.30, would the IDC agent need to be R80.10 or greater?
3. Does the version of the IDC agent only tie to the version of the GWs of running IA? Or does Security Management version matter? Hypothetically, if my entire environment were R80.10, and I wanted to upgrade management to R80.20, would I have upgrade IDC to R80.20 at the same time management is upgraded? Or only before we start upgrading GWs?
4. What is upgrade process for the IDC on the servers? As long as there are redundant IDC servers, is it simply uninstall/reinstall of the .msi?
Thanks for your help!
Phil
1. The one on the SK is the most updated.
The IDC exists on the GW is the newest one available when the version (R80.10 / R80.20, etc) was released.
2. There is full BC of IDC version. However, the newest one is the most recommended.
3. Security MGMT is not relevant to this flow. The communication is IDC <-> GW.
4. Yes.
Good luck 🙂
Royi Priov
@phlrnnr wrote:
I tested uninstall/reinstall in our lab and the configuration was wiped in the process. Is there any way to preserve the IDC configuration from one version to the next?
Sorry, I forgot about the database wipe.
There are 2 options to save the config while upgrading:
I do recommend the first method. you can always export the configuration before staring the procedure to be on the safe side.
Thanks,
Royi Priov
if there are a mixed networks with R77.xx and R80.xx GWs, we can download IDC from the link you posted instead of from the GWs and installed on the windows, which could feed identities to either R77.xx and R80.xx PDPs, correct? thanks in advance!
Hi Royi,
I see that there is currently no agent for linux/unix. Is there a plan to create one?
Or is there an alternative for linux/unix users to authenticate with the Check Point?
Thanks in advance!
Kind regards,
Sean
@Sean_Van_Loon wrote:
Hi Royi,
I see that there is currently no agent for linux/unix. Is there a plan to create one?
Or is there an alternative for linux/unix users to authenticate with the Check Point?
Thanks in advance!
Kind regards,
Sean
Hi @Sean_Van_Loon ,
Indeed, there is no linux based agent and currently there is no plan to crewate one.
You can use captive portal for linux machines.
Thanks,
Royi.
Hello Royi
Is there a way to make upgrade of identity agent , without any action of user, I can see in the administration guide 80.40, identity agent upgrades, but does it works and how ?
If agent is no longer compatible, pc client can download and install automaticly since gateway ?
Thanks
Hi @remi0403 ,
Our agents are backward compatible. Therefore, there is no situation where the clients are not compatible with the gw version. They might not support new features, but they will keep the current functionality.
My personal recommendation is to use GPO, with a prepackaged msi. Please use sk134312 for the latest version.
Hi Royi!
May i ask what's the difference between light and full?
Also, the MSI seems to be the same for (mostly) everything now but the different versions point to different download links?
Many thanks
br
Vincent
Many Thanks!
Silly me, wasn't finding it in the admin guide 🙂
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY