| Question | Answer(s) |
|---|---|
| Can we connect to Azure AD through Identity Collector? Is that available in newer versions? | Not at this point. |
| Does the Identity Agent need to be installed on the AD server? | Not for Azure AD, no. |
| Is SCIM supported? | No. |
| So we can connect to Azure only from the GW AD setup... As I remember, it can coexist with Identity Collector, right? | No GW AD setup, but MGMT. Yes, if you are using multiple identity sources, they can coexist. |
| Can this method be an alternative to the OpenID that we currently use with Citrix NetScaler? | Not sure the question is relevant. Can you elaborate? |
| Is a Tenant Restriction available for Azure AD? | When you configure the SPN, you configure it on a specific tenant. For each AD tenant, you will need to configure a dedicated SPN. On the Check Point management, you will need to create a connector with the SPN details (directory ID, app ID, secret) for each tenant. |
| Can we use it for internal users and internal gateways, assuming all the users are in Azure AD? In that case, only the CMA needs to have access to the Azure AD? | The CMA needs access to Azure. One GW that acts as a PDP needs access to Azure; the rest of the gateways can get the identities from the PDP. PEP gateways do not need access to Azure. |
| Has this been tested with an AD containing more than a thousand (~1000) GPs (Group Objects)? | There is no restriction; it was tested on several production environments. |
| Does this access work only with HTTP/S, or with other protocols as well, e.g. SSH? | Azure AD is an identity provider, so it applies to all kinds of connections. |
| Can Azure AD identities/access roles be used for Capsule Workspace? | Should work with R81 GW. |
| For the Generic Data Center object: how is caching handled? What happens in the case of a feed connection failure? | The admin would be notified by the SmartConsole log. The object's content is cached on the management and sent to the gateway; in case of a failure (an issue with reading the objects from the file), it would not affect the management nor the gateway. All would use the last data that has been read from the file. |
| Do you plan to add JSON-based import support for services as well? | The Generic Data Center object is JSON-based, but just for network entities, not services. |
| Do the rules based on dynamic objects fall into some kind of slow path, or are they properly accelerated? | No, data center objects are SecureXL friendly. |
| How are logs populated? Are they providing object definition source details? | Yes, you will see the connector name. |
| Can remote access VPN authenticate with Azure AD? | This feature is in the works. Mobile Access blade authentication against Azure AD is already supported in R80.40. |
| Are the use cases you described right now also executable via API? | Live answered. |
| Tenant Restriction = allow users to access only the company's O365 tenant. | As I mentioned, this is off-topic for this session. |
| R81 is a stable version; can we use it on the customer production network for both gateway and mgmt? | Yes, the first Jumbo Hotfix has already been published. |
| Do we have control over the data center objects cache timeout? How long is this info cached (in case the underlying connector to the data center is down), and how would you know it's down? | The latest update changed the default to 7 days. Edit the enforcementSessionTimeoutInMinutes parameter in vsec.conf. |
| How can we know that the data center is not connected? | The issue is documented in the R81 admin guide: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CloudGuard_Controller_AdminGuide/T... |
| Do you keep a JSON object cached between management server reboots? | The data is cached on the gateway; in case the management fetches new data after reboot, the gateway would be updated accordingly. |
| Shalom Valeri, can this replace the use of OpenID & OAuth allowing users to access web applications/pages? | Yes. |
| Can we use the identity sharing feature for such identities? | Azure AD identities can work with Identity Awareness' Identity Sharing. |