Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Copper

Identity sharing - how to change modes

Hello, as per this document:

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_IdentityAwareness_AdminGuide...

there are two methods for a remote PEP gateway to learn identities, Smart-Pull or Push Sharing. Based on the output of "pdp connections pep" command (and the fact we can only see a handful of entries one one the other cluster) it seems we have smart-pull mode.

I want to change this to push method. We have a second site with an identical cluster and I would like the PEP databases to be synchronised on both. I cannot find anything that tells me how to do this?

(We are R80.20)

thanks

2 Replies
Highlighted
Sapphire

Re: Identity sharing - how to change modes

This has been an old trick in the first days to cope with IA issues - but it is not (or no longer ?) documented in any sk. This is understandable, as that needs a manual GUIDbedit change on SMS, a thing that should never be done without a good reason 😊. Which issues are you experiencing that would justify such a change ?

Also, this change is for AD Query only, and AD Query is today commonly replaced by Identity collector. For more information, see sk44178: IdentityLogging - Frequently Asked Questionssk86441: ATRG: IdentityAwareness, sk108235: IdentityCollector - Technical Overview and sk88520: Best Practices - IdentityAwareness Large Scale Deployment.

0 Kudos
Copper

Re: Identity sharing - how to change modes

Hi thanks for the reply.

 

Yes I suspected it was a Dbedit under the hood somewhere.

 

We did have an issue where an ADquery fetched user was showing on one gateway but not on another where an IA rule was used and therefore the users access was not working. It took me a while to understand why so few users where showing on my other shared cluster compared to the cluster doing ADQuery. That issue however has now self resolved.

So really no reason for us to change mode now - other to to simplify troubleshooting a bit, I still don't fully understand how the smart decides what to pull and what not to pull but I can live with that 🙂

0 Kudos