Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
FredrikV
Contributor
Jump to solution

PDP Identity Sharing mode

My apologies if the answer is documented somewhere else in this forum. I just can't find it.

We have a Maestro platform in which we run several security groups with VSLS. A long time ago we had help from TAC to change the PDP mode in security group 1 from Pull to Push. For a couple of reasons pull just doesn't work for us. Now we must implement the same change to security group 3. However, the steps performed by TAC was not documented in the case notes. The only thing we know for certains was that the GuiDBEdit tools was used.

I have search for a SK that could describe what actions need to taken.

We are running version R81.10 Take 66.

PDPs (both access and aggregation layers) are external the to Maestro by running as separate VMs in VMware datacenter. Works well in security group 1 with Push mode configured. Users are identified with the help of the ID Agent which is installed on every workstation and laptop. Agents talk to the PDP access layer, which by a PDP broker shares information to the PDP aggregation layer, which pushes identites to the PEP on each gateway.

Can anyone point out instructions where in GuiDBEdit this can be changed in the same way in SG3?

I've already read this: https://community.checkpoint.com/t5/Security-Gateways/Identity-sharing-how-to-change-modes/m-p/62906...

 

Big thanks,

Fredrik

 

 

1 Solution

Accepted Solutions
Peter_Elmer
Employee
Employee

Hello @FredrikV,  - cc thanks @_Val_ for pining to this post !

as mentioned by @G_W_Albrecht you may want to study sk175587. It is linked form the Maestro Administration Guide.

Due to the load balancing of Maestro performed on inbound connections you need to work with Push ID Sharing method. Changing from SmartPull to Push needs to be done with the support of TAC or PS to avoid misconfigurations. 

I'll talk to R&D to see if the procedure can get published but I can't promise anything for now. 

For Identity Based guidelines you may want to work with your local presales office. Further reading that may help are sk179544 and sk170765

best regards

pelmer

 

View solution in original post

11 Replies
_Val_
Admin
Admin

It is the best to take it with TAC

0 Kudos
FredrikV
Contributor

Got it

0 Kudos
_Val_
Admin
Admin

@Peter_Elmer what do you think?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
Daniel_Szydelko
Advisor
Advisor

I believe it should be something like this (Unfortunately I haven't possibility to check it - it's from my personal notes):

Network Objects -> network_objects -> [Name of PDP cluster or name of VS] -> identity_aware_blade -> publish_method: change from smart_pull to push

You can check it for existing configuration VS's in SecGrp and PDP cluster).

BR

Daniel.

Tobias_Moritz
Advisor

In the past, it was also highly recommened to clear the IDA tables and restart all involved pdpd and pepd after changing the sharing method from smart-pull to push.

sk170516 is unrelated to your topic, but shows one example of how to clear these tables (and restart the processes).

Not sure, if it is still needed to today, so you better go through this together with TAC as suggested by Peter and Val.

FredrikV
Contributor

Yes. We did both methods actually. On a lab VS without load I only restarted the PEP daemon without emptying any tables. Looks like it did the trick anyways. But still better to be sure. Did clear the tables on the more critical VS's.

0 Kudos
FredrikV
Contributor

Yes, that's correct. And not to be forgotten - reinstallation of policies and restarting pdp and pep daemons.

Peter_Elmer
Employee
Employee

Hello @FredrikV,  - cc thanks @_Val_ for pining to this post !

as mentioned by @G_W_Albrecht you may want to study sk175587. It is linked form the Maestro Administration Guide.

Due to the load balancing of Maestro performed on inbound connections you need to work with Push ID Sharing method. Changing from SmartPull to Push needs to be done with the support of TAC or PS to avoid misconfigurations. 

I'll talk to R&D to see if the procedure can get published but I can't promise anything for now. 

For Identity Based guidelines you may want to work with your local presales office. Further reading that may help are sk179544 and sk170765

best regards

pelmer

 

FredrikV
Contributor

Thanks everyone for your valuable advices!

We successfully made the change this morning, as per instructions provided both by TAC and PMs. It's always nice when actions can be confirmed from multiply resources.

Br,

Fredrik

0 Kudos
FredrikV
Contributor

Thank you Peter for confirming that within the Maestro platform.

0 Kudos