Scheduled AD-Group Membership sync with PDP

Hello,

At the moment I'm testing Identity Awareness with LDAP-Group Membership Access Roles.

When I add / remove one user from a specific LDAP-Group which is linked to an Access Role, it takes a long time before the gateway notifies about that group membership change (~90 mins).

I know that the group membership thing on the Check Point side can be manually started on the shell with the command "pdp update all".

This works as expected.

Does anybody know if I can globally change this auto-sync to a lower value or do I need something like a cron job for this?

Regards

Florian

1 Reply

Florian,

If your LDAP groups are referencing Active Directory groups, then use the Active Directory groups in your Access Role object instead of the LDAP groups.
Which release are you running? There are known problems with the membership, but they are mostly solved since R80.10.

Wolfgang