Hi,
We migrated a traditional cluster to a Maestro infra last weekend. R81.10 T81.
Everything worked as expected, but after a while some IA rules stopped matching on one of the members. Identity is acquired via Identity Agent. Users connect to the PDP, which is the Security Group running in Maestro.
In the logs the same traffic is accepted on Member 1_2 but dropped on Member 1_1.
"pdp monitor ip x.x.x.x" returns the correct Roles on both members, but the rule is not matched. If we change the source to an IP, everything is OK.
I know that a Security Group is not the best way to do PDP, but in this situation we don't have another GW to play that role. Also, it's never mentioned that it's not supported (only "not recommended" in the Maestro limitations SK).
Do you have any idea what could be the cause? Any similar problem on your side?
TAC is already involved but has not provided relevant info so far.
Thank you
Please see the solution found with R&D
I believe the need for a separate gateway to perform IA functions for a Maestro Security Group is a consequence of the Single Management Object (SMO) approach to management, and I don't see how you will be able to work around that. I also assume you are familiar with sk175587: Identity Based Access Control and Threat Prevention - Design Guidelines - Quantum Maestro.
Hi,
Thank you for the reply
Yes we are familiar with this SK
Unfortunately we don't have the option to do PDP outside the SG. If it's a clear limitation, I'm wondering why it isn't clearly mentioned that we should not implement this. Also, this should be reported in the Maestro limitations SK, don't you think?
Thank you
Support suggested using this exception for IA traffic.
Right, keeping the distribution algorithm from messing with the IA traffic and ensuring symmetry by always sending it to the SMO makes sense.
Seems to be a good idea, but I don't know if IA traffic is considered a local connection.
You can configure the Security Group to forward specific inbound connections to the SMO Security Group Member.
Just out of curiosity, could you elaborate on what seems to be the issue here?
For my understanding...
If you run "pep show user all", do you see the relevant user on both modules?
Is it not marked as a service account by any chance?
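The check asked about above (is the identity present in the PEP tables of both Security Group members?) can be scripted so that the two members' outputs are compared mechanically rather than by eye. The script below is an added example written for this thread; it is not from the original posts and not Check Point tooling. It assumes you have already saved the output of "pep show user all" from each member (for instance by running it on each member via g_all, or per member), and the sample dumps and their line layout are constructed and simplified; the real command output is laid out differently, so adjust extract_users() to the actual format before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): report identities
# that one Security Group member holds in its PEP table and the other does
# not, i.e. the asymmetry described in the thread (accepted on 1_2, dropped
# on 1_1). The dumps below are CONSTRUCTED stand-ins for "pep show user all"
# output; the real layout differs, so extract_users() is where you adapt it.

# Constructed sample dumps: member 1_1 is missing user "bob".
MEMBER_1_1='User: alice  Roles: Finance_Users
User: carol  Roles: IT_Admins'
MEMBER_1_2='User: alice  Roles: Finance_Users
User: bob    Roles: Finance_Users
User: carol  Roles: IT_Admins'

# extract_users: print "user<TAB>roles" from a dump, sorted by user.
# Only the "User: <name> ... Roles: <roles>" line shape is understood (assumed).
extract_users() {
    printf '%s\n' "$1" | awk '/^User:/ {
        user = $2; sub(/^.*Roles: */, ""); print user "\t" $0 }' | sort
}

# missing_on_first: print users known to dump B but absent from dump A.
# Exit status 1 when at least one user is missing, 0 when A covers B.
missing_on_first() {
    # users of A as a space-separated list (user names contain no spaces)
    have=$(extract_users "$1" | cut -f1 | tr '\n' ' ')
    extract_users "$2" | cut -f1 | awk -v have="$have" '
        BEGIN { n = split(have, h, " "); for (i = 1; i <= n; i++) seen[h[i]] = 1 }
        !($0 in seen) { print; missing = 1 }
        END { exit missing ? 1 : 0 }'
}

# check_members: compare both directions. Exit 0 = consistent, 1 = asymmetric.
check_members() {
    rc=0
    m=$(missing_on_first "$MEMBER_1_1" "$MEMBER_1_2") || { echo "missing on member 1_1: $m"; rc=1; }
    m=$(missing_on_first "$MEMBER_1_2" "$MEMBER_1_1") || { echo "missing on member 1_2: $m"; rc=1; }
    return $rc
}

check_members || echo "identity state is asymmetric across members"
```

If the script reports a user on one member only while "pdp monitor ip" shows the right roles on both, the PDP side is fine and the problem is in how the identity reaches each member's PEP, which is exactly the situation the thread ends up addressing by pinning the IA traffic to the SMO member.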
Please see the solution found with R&D
Very interesting. And a well-written SK.
Thanks