This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
KM1895
Collaborator
Collaborator
‎2023-03-30 02:43 AM

Access Roles not synced

 

hi,

I have come across a bit of a challenge with identity Awareness.

We are using Identity Collector and identity sharing, with 4 gatewas acting as PDP, and several others as PEP.

 

A new access role was recently created, with access rule on a PEP gateway. this is currently in test, and will be moved to production if successful

For one user, this works just fine, and he gets the correct access.

For other users, they do not hit this access rule at all.

When i run a pep show user query usr <username>, i see that the new access role is not associated with the user at all.

Have tried running the pdp sync and pdp update on the PDP gateway closest to the PEP gateway, but the new access role is not associated at all with the user.

 

Is this because of the cache on the PDP gateway, as the users will log on again before the 24 hours expire, thus the cached identity is reused? 

What would be a potential consequence if we reduce the time limit on the cache before entries are deleted?

The environment is R81.10 with jumbo t66 on top, and there are only appliances in the environment.

 

Any input here would be appreciated:)

 

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2023-03-30 08:01 PM

Is the Access Role in use in any policy on the other gateways?
Not sure how the PDP on the remote gateways will handle roles it does not have any rules for. 

This might require a TAC case to get to the bottom of.
https://help.checkpoint.com 

0 Kudos
KM1895
Collaborator
Collaborator
‎2023-03-31 12:13 AM
In response to PhoneBoy

hi,

 

I actually didnt check. The pdp and pep gateways are actually connected( they are the internal and external cluster for the customer),

 

So, it could be that the access rule is not set on the PDP gateway? But is that a requirement in order for the access rule to work on the PEP gateway? if so, i can check this, and copy the rule over if necessary.

0 Kudos
KM1895
Collaborator
Collaborator
‎2023-03-31 03:58 AM
In response to KM1895

update:

 

The access role is succesfully synced over to the PEP gateway, so that is good.

However, why would it take 48 hours in order for this to sync properly?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-31 03:22 PM
In response to KM1895

That's unusual.
Recommend a TAC case to investigate: https://help.checkpoint.com 

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-07-25 06:59 AM

Hello,

we are facing similiar problem, did you fix it?

an access role in a pep gateway is working only from some users (same vlan, same domain), other user are not synced from PDP gateway, where the identity is corrected associated

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-07-25 09:53 AM
In response to CheckPointerXL

Maybe this is related? TAC gave us this for similar issue with a customer...

Andy

https://support.checkpoint.com/results/sk/sk181429

Best,
Andy
0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-07-25 10:48 AM
In response to the_rock

thanks Andy,

no, on pdp gateway the identity is ok

TAC Case araised

the_rock
MVP Platinum
MVP Platinum
‎2024-07-25 10:49 AM
In response to CheckPointerXL

Let us know what they say.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events