This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_Herselman
Collaborator
‎2018-12-19 08:28 PM

Stop clearing ADQuery Identity Awareness during policy installation

Installing policy has the effect of clearing known user identity awareness, the primary reason why we advocate only handling this outside of business hours.

There are however often reasons why customers ask for policy installations during work hours, is there no way for a security gateway not to clear PDP during this process as user's internet access is subsequently inhibited until they restart their browser (initiates Kerberos browser based authentication as the browser handles captive portal detection), switches or cycles connectivity (initiates captive portal detection) or re-login (initiates ADQuery event)?

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2018-12-21 02:37 PM

As far as I know, this shouldn't happen.

There's a note in our Best Practice documentation about something that happens during policy installation, namely we re-lookup all the LDAP groups associated with each user the gateway knows about.

Best Practices - Identity Awareness Large Scale Deployment 

That couldn't happen if we cleared all the users on policy installation.

I recommend opening a TAC case.

0 Kudos