Ryan_Ryan
Advisor

Identity sharing - how to change modes

Hello, as per this document:

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide...

there are two methods for a remote PEP gateway to learn identities, Smart-Pull or Push Sharing. Based on the output of the "pdp connections pep" command (and the fact we can only see a handful of entries on the other cluster) it seems we have Smart-Pull mode.

I want to change this to the Push method. We have a second site with an identical cluster and I would like the PEP databases to be synchronised on both. I cannot find anything that tells me how to do this.

(We are R80.20)

thanks

4 Replies
G_W_Albrecht
Legend

This has been an old trick in the first days to cope with IA issues - but it is not (or no longer?) documented in any sk. This is understandable, as that needs a manual GuiDBedit change on the SMS, a thing that should never be done without a good reason 😊. Which issues are you experiencing that would justify such a change?

Also, this change is for AD Query only, and AD Query is today commonly replaced by Identity Collector. For more information, see sk44178: Identity Logging - Frequently Asked Questions, sk86441: ATRG: Identity Awareness, sk108235: Identity Collector - Technical Overview and sk88520: Best Practices - Identity Awareness Large Scale Deployment.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Ryan_Ryan
Advisor

Hi, thanks for the reply.

Yes, I suspected it was a dbedit change under the hood somewhere.

We did have an issue where an AD Query-fetched user was showing on one gateway but not on another where an IA rule was used, and therefore the user's access was not working. It took me a while to understand why so few users were showing on my other shared cluster compared to the cluster doing AD Query. That issue however has now resolved itself.

So really there is no reason for us to change mode now, other than to simplify troubleshooting a bit. I still don't fully understand how Smart-Pull decides what to pull and what not to pull, but I can live with that 🙂

0 Kudos
Dor_Marcovitch
Advisor

From what I understand from TAC, the Push method is not supported by R&D; that is why the configuration is not open for all users.

0 Kudos
G_W_Albrecht
Legend

Unlikely - documentation says:

Push Sharing Method

This method is straightforward: a PDP publishes each identity to the PEP when it is acquired.

Note - It is the only sharing method for the Identity Awareness Security Gateway that runs both as PDP and PEP.

CCSE CCTE CCSM SMB Specialist
0 Kudos