Peter_Elmer
Employee

Getting_Started_Guide_PDP_Broker_HF_v7.pdf

Scaling identity sharing across management domains and geographical regions is achieved using the PDP Broker architecture element. This document describes the functionality, installation and related troubleshooting of the PDP Broker. The PDP Broker software HF for R80.10 can be requested by contacting Check Point Sales Engineers and will be provided by the Check Point Solution Center.

6 Replies
Chris_Atkinson
Employee

Those interested in the PDP Broker should now explore R80.40 for this functionality.

Alex_Mondol
Participant

We run R80.30 across the board. What are the procedure notes for deploying Identity Broker on R80.30? We don't want to install it on R80.10 with the HF.

0 Kudos
Reply
Royi_Priov
Employee

Hi @Alex_Mondol 

There is no availability for this project on versions below R80.40, and also the document on this thread was written for an R80.10 RFE, which is not recommended for use anymore.

Identity Broker is a feature which was released as part of R80.40. There is no need to install an additional HF on top of that. I recommend reviewing the Identity Awareness R80.40 Admin Guide for more info.


Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Alex_Mondol
Participant

Thank you for your response.

A new question arises. We have two VSX cluster gateways at two geographical locations separated by at least 1 hr of drive time. On each cluster of 23500 series gateways we have VSXs that incorporate perimeter FWs such as Perimeter, BC, Departmental, and VPN. Since we have collapsed these different zones into two clusters (or four gateways), if we have deployed two Identity Collector servers (one at each geographical location), which would you recommend becoming PDPs and PEPs? Do the gateways now run PDP and PEP on all FWs?


Royi_Priov
Employee

Hi @Alex_Mondol ,

[I would assume you've meant there are 2 separate clusters, one per site (overall 4 gateways).]

I don't think there is an implementation that we consider as a mistake here.

However, take into consideration that the PDP is the one which performs the database operations (communication with IDC, group fetch by LDAP, Access Role matching with the SmartDashboard configuration) - if both cluster gateways are configured as PDP, this operation will be done twice.

The other option is to have only one PDP gateway (one of the cluster gateways) and use Identity Sharing between sites.

If we are handling a small scale environment (user-wise) - although this is the more resource efficient implementation, I would recommend taking the first one (configure a PDP gateway at each site), to simplify the implementation.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Alex_Mondol
Participant

Yes, your assumption is correct... there are 2 separate clusters, one per site (overall 4 gateways).

Each cluster runs a Perimeter (blades running: IDS/IPS/AV/Anti-Bot), BC (blades running: AV/Anti-Bot), and VPN (blades same as Perimeter). All VSX infrastructure...

Would a good design be to put the resource load of the PDP (the one which performs the database operations: communication with IDC, group fetch by LDAP, Access Role matching with the SmartDashboard configuration) onto the BC, which doesn't have too significant a load on it, so that it is the PDP and shares with the PEPs of Perimeter and VPN?

Currently, we have 23500 boxes with 128 GB of memory shared between the VSX instances, and our CoreXL CPU count is 8 for each VS. With these metrics, would the BC, which is less loaded in traffic and inspection points, be able to handle the PDP role?
