Getting_Started_Guide_PDP_Broker_HF_v7 .pdf
Scaling identity sharing across management domains and geographical regions is achieved using the PDP Broker architecture element. This document describes the functionality, installation and related troubleshooting of the PDP Broker. The PDP Broker software HF for R80.10 can be requested by contacting Check Point Sales Engineers and will be provided by the Check Point Solution Center.
Those interested in the PDP Broker should now explore R80.40 for this functionality.
We run R80.30 across the board. What are the procedure notes for deploying Identity Broker on R80.30? We don't want to install it on R80.10 with the HF.
Hi @Alex_Mondol
There is no availability for this project on versions below R80.40, and the document on this thread was written for the R80.10 RFE, which is not recommended for use anymore.
Identity Broker is a feature which was released as part of R80.40. There is no need to install an additional HF on top of that. I recommend reviewing the Identity Awareness R80.40 admin guide for more info.
Royi Priov
R&D Group manager, Infinity Identity
Thank you for your response.
A new question arises. We have two VSX cluster gateways at two geographical locations separated by at least a 1 hr drive. In each cluster of 23500 series gateways we have VSXs that incorporate perimeter FWs such as Perimeter, BC, Departmental, and VPN. Since we have collapsed these different zones into two clusters, or four gateways, if we have deployed two Identity Collector servers (one at each geographical location), which would you recommend becoming PDPs and PEPs? Do the gateways now run PDP and PEP on all FWs?
Hi @Alex_Mondol ,
[I would assume you've meant there are 2 separate clusters, one per site (overall 4 gateways).]
I don't think there is an implementation that we consider as a mistake here.
However, take into consideration that the PDP is the one which performs the database operations (communication with the IDC, group fetch by LDAP, Access Role matching against the SmartDashboard configuration). If both cluster gateways are configured as PDP, this operation will be done twice.
The other option is to have only one PDP gateway (one of the cluster gateways) and use Identity Sharing between sites.
If we are handling a small-scale environment (user-wise), then although the second option is the more resource-efficient implementation, I would recommend taking the first one (configure a PDP gateway at each site), to simplify the implementation.
Royi Priov
R&D Group manager, Infinity Identity
Yes, your assumption is correct: there are 2 separate clusters, one per site (overall 4 gateways).
Each cluster runs a Perimeter (blades running: IDS/IPS/AV/Anti-Bot), BC (blades running: AV/Anti-Bot), and VPN (same blades as Perimeter), all on VSX infrastructure.
Would a good design be to put the resource load of the PDP (the one which performs the database operations: communication with the IDC, group fetch by LDAP, Access Role matching against the SmartDashboard configuration) onto the BC, which doesn't carry a significant load, so that it acts as the PDP and shares identities with the PEPs on Perimeter and VPN?
Currently, we have 23500 boxes with 128 GB of memory shared between the VSs, and our CoreXL CPU count is 8 for each VS. With these metrics, would the BC, which is less loaded in traffic and inspection, be able to handle the PDP role?
