This is what I'll have to do if I can't get it enabled globally.  The issue is that we have our global policy that we want to setup IA on so we can start to do away with needing to assign static IPs to each user that needs custom firewall rules.  If we can't get it setup globally it may not be worth setting up at all for us.

I haven't played with global rules and IA but I'm guessing you could define IA roles and therefore IA based rules globally. But not gateway connection to ID source. Will check tomorrow.

I think you are little bit confused by on how identity awareness works.

• When you create an account unit in smartconsole that allows you to create the mapping between the LDAP groups and the access roles that you will use in your policies. This communication requires access from your management server to the DCS if it is R80.10 mgmt server and from mgmt server and smartconsole machine if R77.30 mgmt server and lower.
• Now the gw side which is the fun part. In the configuration you have to tell the gateway which account unit it is going to use for identity awareness and which includes the dcs and the domain name.
• The acquisition method you configure this on the gateway object, this tells the gw what are the sources for identities (Identity collector, WMI, captive portal, Radius accounting, Identity agents,etc)

In your case you have identity collector as acquisition source. What happens the  identity collector reads the security event on the DCs after that it extracts the username and the ip information form that security event and forwards it to the gateway using https connection. As soon the pdp process on the gateway receives the information from the collector it checks the domain information and the account unites after that it opens an LDAP connection to the dcs to get the user’s groups after it receives the groups it starts the calculation of the access roles based on ldap groups and create the binding between the access roles and the LDAP group to enforce policies.

As conclusion, if you can tell the gateways that configured in CMA to use the Account unit in global domain and you should be ok. The identity collector doesn’t connect to the management server or CMAs it connects to the gateways. 

Thanks

OK so I'm just trying to verify that I have this all configured right...in one of our local policies I have 2 account units showing up:

The '-g' group is created in the global policy so I can create access roles that can be used globally.  I have created 2 access groups: 

One with the '-g' is created in the global policy and is added to the local policy when global is reassigned.  The one without the '-g' was just created locally.  I created 2 rules, granting ICMP access to different servers.  If I try to ping either of the servers it doesn't hit on either of the rules...global nor local.

If I check pdp monitor user for my account it only shows that I'm in the 'All Users' group.  Do I need to create an Access Group first and then an access role? I had this working locally and then the pdp service stopped responding and I had to reconfigure it on the gateway.

When you mentioned the User Directory on the Gateway object I can only use the 'Any' option or use the local Account Unit.  If I try to use the global one it just errors out and says that the global object can't be modified.  Should I leave it at any or should I select the local Account Unit?

It might take quite long time often enough to have user roles updated from AD security logs retrieved by IDC. It's nowhere near instantaneous. So either wait or use captive portal. We have given that as a backup option if automatic role update is taking too long to propagate.

Captive portal is a good option to verify that rules work as expected as you can force update your role.

In your case it would be interesting to see if globally defined role is associated with the user if you do captive portal. 

Hope you're learning to use CLI commands both PDP and PEP.  They will be you friend you're planning to use IA

hey bro, did you fix this?

I have a problem where i need to create 20 LDAP AU (20 child domains) x 15 CMA... crazy to do without global LDAP AU

but it seems that the FW cannot correctly make LDAP Query to servers/domain defined in global LDAP AU   
(An error was detected while trying to authenticate against the AD server.
It may be a problem of bad configuration or connectivity.
Please refer to the troubleshooting guide for more help)

Same LDAP AU configured locally it works...

Any help very appreciated

So I wouldn't be able to create a global account unit (AD_AU-g) for the purpose of creating global access roles that will be installed on all firewalls assigned to that policy?

I have the AU setup globally and can talk to AD, but when I put the access group in an IA enabled gateway, it doesn't see my user as being in the particular AD group (and hence access group) so the rule doesn't hit.

I was referring to the "local" role not working  @Houssameddine Zeghlache And not as redirect action but direct login into portal itself, as in https://gw_ip_or_name/connect

Hope it clarifies.

outstanding work as usual thanks Peter