
Scheduled AD-Group Membership sync with PDP



At the moment I'm testing Identity Awareness with LDAP-Group Membership Access Roles.


When I add / remove one user from a specific LDAP group which is linked to an Access Role, it takes a long time before the gateway is notified about that group membership change (~90 mins).


I know that the group membership sync on the Check Point side can be started manually on the shell with the command "pdp update all".

This works as expected.

Does anybody know if I can globally change this auto-sync to a lower value, or do I need something like a cron job for this?





1 Reply


If your LDAP groups reference Active Directory groups, then use the Active Directory groups in your Access Role object instead of the LDAP groups.
Which release are you running? There are known problems with the membership, but they are mostly solved since R80.10.