G_W_Albrecht
Legend

SMB Identity Collector Mystery

If we follow sk123858: Identity Collector support on SMB Appliances, Identity Collector is not supported with 1100, 1200R, 1400, 600, 700 Gaia Embedded R77.20, R75.20 Appliances, and the same is declared in sk108235 - Identity Collector - Technical Overview. sk105380 Features and Known Limitations for R77.20.xx does not mention it, but in sk159772 Check Point R80.20 for 1500 Appliances Features and Known Limitations we find that Identity Collector is supported neither locally nor centrally managed!

The background for this limitation: The PDP of SMB Appliances has no API listening to tcp/443.

But Identity Sharing between a PDP on a Gaia GW and PEPs on SMB Appliances does work, see sk106965: Identity Sharing does not work with SMB appliance running for details.

So we have tested in the lab a central Gaia GW with an SMB star VPN topology. Identity Collector updates the Gaia GW and the Gaia GW performs Identity Sharing with the PEPs on the SMB Appliances! This does work, so sk123858 seems a little too narrow-minded...😎


CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
6 Replies
PhoneBoy
Admin

You're correct, the underlying issue is the Identity Awareness API is not supported on SMB appliances.
Any feature that relies on this API is therefore not supported…at least directly.
If you have a regular gateway in the environment and implement identity sharing with the SMB appliances, that most definitely works.
Not sure exactly how to best represent this in the SK, though.
rlopesdu
Employee

Hi,

This is a very interesting solution that overcomes some of the limitations described in the above-mentioned sk.

I have a customer who is only using SMB appliances and wants to deploy Identity Awareness using a dedicated Gaia FW as PDP.

Question: as the management is currently licensed only to support SMB appliances, do we need to foresee a "full-Gaia" management license for this single firewall that will serve as PDP?

Thanks and best regards

PhoneBoy
Admin

Yes, you will need a license to manage that gateway.

rlopesdu
Employee

Thanks for the clarification.

G_W_Albrecht
Legend

In R81.10.00 for Quantum Spark 1500/1600/1800, Identity Collector is supported for centrally managed appliances.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Steven_Sultana
Contributor

Only if there is a domain controller locally, as per sk178604.

SMBGWY-2486 (R81.10.00): An AD Domain Controller used for authenticating users that is located in the external zone of a device using Hide-NAT is not supported.

Workaround: Install another Domain Controller in the internal zone of the device.