Shay_Levin
Admin

TechTalk - Deep Dive - R81 New Identities

R81 brings new useful identities.
This is a step by step TechTalk Deep Dive on configuring and using the following identities:

• Azure AD Users/Groups
• Objects that are managed by an external JSON file
• Merge objects dynamically from multiple clouds and regions into a single object

Recording:

Useful Materials:


Webinar Q&A

Question: Can we connect to Azure AD through Identity Collector? Is that available in newer versions?
Answer: Not at this point.

Question: Does the identity agent require installation on the AD server?
Answer: Not for Azure AD, no.

Question: Is SCIM supported?
Answer: No.

Question: So we can connect to Azure only from the GW AD setup, as I remember. It can coexist with Identity Collector, right?
Answer: No GW AD setup, but MGMT. Yes, if you are using multiple identity sources, they can coexist.

Question: Can this method be an alternative for OpenID, which we currently use with Citrix NetScaler?
Answer: Not sure the question is relevant. Can you elaborate?

Question: Is a Tenant Restriction available for Azure AD?
Answer: When you configure the SPN, you configure it on a specific tenant. For each AD tenant, you will need to configure a dedicated SPN. On the Check Point management, you will need to create a connector with the SPN details (directory ID, app ID, secret) for each tenant.

Question: Can we use it for internal users and internal gateways, assuming all the users are in Azure AD? In that case, does only the CMA need to have access to Azure AD?
Answer: The CMA needs access to Azure. One GW that acts as a PDP needs access to Azure; the rest of the gateways can get the identities from the PDP. PEP gateways do not need access to Azure.

Question: Has this been tested with an AD containing more than a thousand (~1000) group objects?
Answer: There is no restriction; it was tested on several production environments.

Question: Does this access work only with HTTP/S, or with other protocols as well, e.g. SSH?
Answer: Azure AD is an identity provider, so it applies to all kinds of connections.

Question: Can Azure AD identities/access roles be used for Capsule Workspace?
Answer: Should work with R81 GW.

Question: For the Generic Data Center object, how is caching handled? What happens in the case of a feed connection failure?
Answer: The admin would be notified by the SmartConsole log. The object's content is cached on the management and sent to the gateway; a failure (an issue with reading the objects from the file) would not affect the management nor the gateway. All would use the last data that has been read from the file.

Question: Do you plan to add JSON-based import support for services as well?
Answer: The Generic Data Center object is JSON based, but just for network entities, not services.

Question: Do the rules based on dynamic objects fall into some kind of slow path, or are they properly accelerated?
Answer: No, data center objects are SecureXL friendly.

Question: How are logs populated? Do they provide object definition source details?
Answer: Yes, you will see the connector name.

Question: Can remote access VPN authenticate with Azure AD?
Answer: This feature is in the works. Mobile Access blade authentication against Azure AD is already supported in R80.40.

Question: Are the use cases you described also executable via API?
Answer: Answered live.

Question: Tenant Restriction = allow users to access only the company's O365 tenant.
Answer: As I mentioned, this is off-topic for this session.

Question: R81 is a stable version; can we use it in the customer's production network for both gateway and management?
Answer: Yes, the first Jumbo Hotfix has already been published.

Question: Do we have control over the data center objects' cache timeout? How long is this info cached (in case the underlying connector to the data center is down), and how would you know it's down?
Answer: The latest update changes the default to 7 days. Edit the enforcementSessionTimeoutInMinutes parameter in vsec.conf.

Question: How can we know that the data center is not connected?
Answer: The issue is documented in the R81 admin guide:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CloudGuard_Controller_AdminGuide/T...

Question: Do you keep a JSON object cached between management server reboots?
Answer: The data is cached on the gateway; in case the management fetches new data after reboot, the gateway would be updated accordingly.

Question: Shalom Valeri, can this replace the use of OpenID & OAuth, allowing users to access web applications/pages?
Answer: Yes.

Question: Can we use the identity sharing feature for such identities?
Answer: Azure AD identities can work with Identity Awareness' Identity Sharing.
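
An added example (not Check Point's code) modelling the caching behaviour the answers above describe: a JSON feed of network entities is parsed and validated, and a refresh that fails leaves the last good data in use. The file layout (a top-level "objects" list whose entries carry "name", "id" and "ranges") is assumed for illustration, as are the sample feeds.

```python
# Added example, not Check Point's code: models the "last good data stays in use"
# behaviour of a JSON-fed Generic Data Center object. The file layout (top-level
# "objects", each with "name", "id" and "ranges") is assumed for illustration.
import ipaddress
import json

# Constructed sample feeds: one valid, one with a malformed network entry.
GOOD_FEED = json.dumps({"version": "1.0", "objects": [{"name": "web-tier", "id": "gdc-1",
                        "ranges": ["10.1.0.0/24", "10.2.0.5-10.2.0.9"]}]})
BROKEN_FEED = '{"objects": [{"name": "web-tier", "id": "gdc-1", "ranges": ["10.1.0.999/24"]}]}'

def parse_ranges(ranges):
    """Accept single IPs, CIDRs or 'a-b' ranges; reject the whole feed on any bad entry."""
    parsed = []
    for item in ranges:
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {item}")
            parsed.append((lo, hi))
        else:
            net = ipaddress.ip_network(item.strip(), strict=False)
            parsed.append((net[0], net[-1]))
    return parsed

def parse_feed(text):
    """Return {object name: [(first, last), ...]}; network entities only, no services."""
    doc = json.loads(text)
    return {obj["name"]: parse_ranges(obj["ranges"]) for obj in doc["objects"]}

class FeedCache:
    """Holds the last successfully parsed feed; a failed refresh leaves it untouched."""
    def __init__(self):
        self.objects = {}
        self.last_error = None  # what an admin would want to see in the log

    def refresh(self, text):
        try:
            self.objects = parse_feed(text)
            self.last_error = None
            return True
        except (ValueError, KeyError, TypeError) as exc:
            self.last_error = str(exc)  # keep serving the previous data
            return False

    def matches(self, name, ip):
        """True if ip falls in any range of the named object (same IP version only)."""
        addr = ipaddress.ip_address(ip)
        return any(lo <= addr <= hi for lo, hi in self.objects.get(name, ()) if lo.version == addr.version)
```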
2 Replies
s-quintanilla
Explorer

Hi, where can we access to the recorded session?

_Val_
Admin

We will post it later on.
