Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
KM1895
Contributor
Contributor

Access Roles not synced

 

hi,

I have come across a bit of a challenge with identity Awareness.

We are using Identity Collector and identity sharing, with 4 gatewas acting as PDP, and several others as PEP.

 

A new access role was recently created, with access rule on a PEP gateway. this is currently in test, and will be moved to production if successful

For one user, this works just fine, and he gets the correct access.

For other users, they do not hit this access rule at all.

When i run a pep show user query usr <username>, i see that the new access role is not associated with the user at all.

Have tried running the pdp sync and pdp update on the PDP gateway closest to the PEP gateway, but the new access role is not associated at all with the user.

 

Is this because of the cache on the PDP gateway, as the users will log on again before the 24 hours expire, thus the cached identity is reused? 

What would be a potential consequence if we reduce the time limit on the cache before entries are deleted?

The environment is R81.10 with jumbo t66 on top, and there are only appliances in the environment.

 

Any input here would be appreciated:)

 

0 Kudos
8 Replies
PhoneBoy
Admin
Admin

Is the Access Role in use in any policy on the other gateways?
Not sure how the PDP on the remote gateways will handle roles it does not have any rules for. 

This might require a TAC case to get to the bottom of.
https://help.checkpoint.com 

0 Kudos
KM1895
Contributor
Contributor

hi,

 

I actually didnt check. The pdp and pep gateways are actually connected( they are the internal and external cluster for the customer),

 

So, it could be that the access rule is not set on the PDP gateway? But is that a requirement in order for the access rule to work on the PEP gateway? if so, i can check this, and copy the rule over if necessary.

0 Kudos
KM1895
Contributor
Contributor

update:

 

The access role is succesfully synced over to the PEP gateway, so that is good.

However, why would it take 48 hours in order for this to sync properly?

 

0 Kudos
PhoneBoy
Admin
Admin

That's unusual.
Recommend a TAC case to investigate: https://help.checkpoint.com 

0 Kudos
CheckPointerXL
Advisor
Advisor

Hello,

we are facing similiar problem, did you fix it?

an access role in a pep gateway is working only from some users (same vlan, same domain), other user are not synced from PDP gateway, where the identity is corrected associated

0 Kudos
the_rock
Legend
Legend

Maybe this is related? TAC gave us this for similar issue with a customer...

Andy

https://support.checkpoint.com/results/sk/sk181429

0 Kudos
CheckPointerXL
Advisor
Advisor

thanks Andy,

no, on pdp gateway the identity is ok

TAC Case araised

the_rock
Legend
Legend

Let us know what they say.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events