My apologies if the answer is documented somewhere else in this forum. I just can't find it.
We have a Maestro platform in which we run several security groups with VSLS. A long time ago we had help from TAC to change the PDP mode in security group 1 from Pull to Push. For a couple of reasons pull just doesn't work for us. Now we must implement the same change to security group 3. However, the steps performed by TAC were not documented in the case notes. The only thing we know for certain is that the GuiDBEdit tool was used.
I have searched for an SK that could describe what actions need to be taken.
We are running version R81.10 Take 66.
PDPs (both access and aggregation layers) are external to the Maestro, running as separate VMs in a VMware datacenter. This works well in security group 1 with Push mode configured. Users are identified with the help of the ID Agent, which is installed on every workstation and laptop. Agents talk to the PDP access layer, which via a PDP broker shares information with the PDP aggregation layer, which pushes identities to the PEP on each gateway.
Can anyone point out instructions where in GuiDBEdit this can be changed in the same way in SG3?
I've already read this: https://community.checkpoint.com/t5/Security-Gateways/Identity-sharing-how-to-change-modes/m-p/62906...
Big thanks,
Fredrik
Hello @FredrikV, - cc thanks @_Val_ for pinging me to this post!
As mentioned by @G_W_Albrecht you may want to study sk175587. It is linked from the Maestro Administration Guide.
Due to the load balancing of Maestro performed on inbound connections you need to work with Push ID Sharing method. Changing from SmartPull to Push needs to be done with the support of TAC or PS to avoid misconfigurations.
I'll talk to R&D to see if the procedure can get published but I can't promise anything for now.
For Identity Based guidelines you may want to work with your local presales office. Further reading that may help are sk179544 and sk170765.
best regards
pelmer
It is the best to take it with TAC
Got it
@Peter_Elmer what do you think?
sk175587: Identity Based Access Control and Threat Prevention - Design Guidelines - Quantum Maestro
I believe it should be something like this (unfortunately I don't have the possibility to check it - it's from my personal notes):
Network Objects -> network_objects -> [Name of PDP cluster or name of VS] -> identity_aware_blade -> publish_method: change from smart_pull to push
You can check it against the existing configuration (VS's in SecGrp and the PDP cluster).
BR
Daniel.
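Daniel's suggestion above is to compare the new VS objects against the configuration that already works (the PDP cluster and the SG1 VSs) before touching anything. The script below is an added example, not code from this thread or from Check Point: it assumes the relevant GuiDBEdit values have been copied out by hand into a simple list of records (the real GuiDBEdit export format is not shown on this page, so the records are constructed sample data), and it flags any object that is not set to push and any security group whose VSs do not all share one publish_method.

```python
"""Consistency check for the Identity Awareness publish_method across objects.

Added example, not from the thread or from Check Point. It assumes a
hypothetical hand-copied export of the identity_aware_blade -> publish_method
value per network object; the records below are constructed sample data.
"""
from typing import Dict, List

# The two values this thread discusses for identity_aware_blade -> publish_method.
VALID_MODES = {"smart_pull", "push"}

# Constructed sample: one record per network object that carries an
# identity_aware_blade section (the PDP cluster and the VSs of two
# security groups). "group" is a label we add for the check; it is not a
# GuiDBEdit field.
SAMPLE_OBJECTS: List[Dict[str, str]] = [
    {"name": "PDP-Cluster", "group": "pdp", "publish_method": "push"},
    {"name": "SG1-VS1", "group": "SG1", "publish_method": "push"},
    {"name": "SG1-VS2", "group": "SG1", "publish_method": "push"},
    {"name": "SG3-VS1", "group": "SG3", "publish_method": "smart_pull"},
    {"name": "SG3-VS2", "group": "SG3", "publish_method": "push"},
]


def find_mismatches(objects: List[Dict[str, str]], required: str = "push") -> List[str]:
    """Return the names of objects whose publish_method is not `required`
    or is not a value we recognise (a typo in GuiDBEdit would show up here)."""
    bad = []
    for obj in objects:
        mode = obj.get("publish_method")
        if mode not in VALID_MODES or mode != required:
            bad.append(obj["name"])
    return bad


def groups_with_mixed_modes(objects: List[Dict[str, str]]) -> List[str]:
    """Return the groups whose objects do not all share one publish_method.

    A security group where some VSs use smart_pull and others push is the
    half-finished state this thread warns about: it is easy to miss when
    editing objects one at a time in GuiDBEdit.
    """
    modes_by_group: Dict[str, set] = {}
    for obj in objects:
        modes_by_group.setdefault(obj["group"], set()).add(obj.get("publish_method"))
    return sorted(g for g, modes in modes_by_group.items() if len(modes) > 1)


if __name__ == "__main__":
    print("Objects not set to push:", find_mismatches(SAMPLE_OBJECTS))
    print("Groups with mixed modes:", groups_with_mixed_modes(SAMPLE_OBJECTS))
```

Run it against the constructed sample and it reports SG3-VS1 as the only object still on smart_pull and SG3 as the only group in a mixed state, which is exactly the "compare with what already works" check before asking TAC to confirm the change.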
In the past, it was also highly recommended to clear the IDA tables and restart all involved pdpd and pepd after changing the sharing method from smart-pull to push.
sk170516 is unrelated to your topic, but shows one example of how to clear these tables (and restart the processes).
Not sure if it is still needed today, so you had better go through this together with TAC as suggested by Peter and Val.
Yes. We did both methods actually. On a lab VS without load I only restarted the PEP daemon without emptying any tables. Looks like it did the trick anyways. But still better to be sure. Did clear the tables on the more critical VS's.
Yes, that's correct. And not to be forgotten - reinstallation of policies and restarting pdp and pep daemons.
Thanks everyone for your valuable advice!
We successfully made the change this morning, as per instructions provided both by TAC and PMs. It's always nice when actions can be confirmed from multiple sources.
Br,
Fredrik
Thank you Peter for confirming that within the Maestro platform.