This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vincent_Bacher
Leader Leader
Leader
‎2018-01-22 06:44 AM

R80.10 - Identity sharing question

Hello Mates,

we are just upgrading a bunch of R77.30 gateways to R80.10.

Now we have detected, that the gateways connect to almost all other gateways for identity sharing.

We just enabled identity sharing on some chosen gateways because we don't want and need sharing between all gateways.

Does anybody facing this behavior as well or does anybody know if there is any way to make the gateways connect to just the pdp/pep server we have connected in the cluster object/identity sharing?

best
Vincent

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
5 Replies
Gaurav_Pandya
Advisor
‎2018-01-22 07:52 AM

Hi Vincent,

You can select the Gateways between which Identity information is shared. Below are the steps.

You can refer below URL for more information.

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide...

0 Kudos
Vincent_Bacher
Leader Leader
Leader
‎2018-01-22 07:57 AM
In response to Gaurav_Pandya

Hello,

i am familiar in how to configure that.

As i mentioned, identity sharing is disabled on almost all gateways but they are connected nevertheless.

Best
Vincent

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
John_Parnell
Participant
‎2018-01-22 09:52 AM
In response to Vincent_Bacher

The PDP should show connected to the PEP on all the other gateways in a single domain, regardless of identity sharing being turned on or not. The identity sharing should only be turned on, on the appliance that is collecting the logins so to prevent duplicates which can lead to orphaned objects in the PEP table.

0 Kudos
Vincent_Bacher
Leader Leader
Leader
‎2018-01-22 10:00 PM
In response to John_Parnell

This sounds conclusive. Thanks a lot.

Viele Grüße / best regards

Vincent Bacher

Vincent Bacher

PS Implementation Engineer (L3)

Dimension Data Germany

Tel: +49 6172 6808 067

Mob: +49 1743230235

vincent.bacher@dimensiondata.com

Dimension Data Germany AG & Co. KG, Horexstr. 7, 61352 Bad Homburg, Germany

For more information, please go to www.dimensiondata.com<http://www.dimensiondata.com/>

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Tzvi_Katz
Employee
Employee
‎2018-01-22 10:49 PM
In response to Gaurav_Pandya

Hi Vincent, Gaurav,

If the change of behavior of sharing occurred without any change in sharing setup and the definitions then I suggest to open a TAC and request it to be escalated to CFG task. We had recently identified a situation where under some conditions a gateway shares identities to other than selected gateways, but it is not a degradation and same behavior exist in R77.X as well.

Maybe a change of setting done as part to the introduction to R80.10 to the environment had amplified the issue.

Regards, 

Tzvi Katz - Identity awareness R&D group manager.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events