Hi @PhoneBoy ,

1. All the gateways are on R81.20 - JHF 84
2. Yes, they are all managed by the central Management, located at Site A
3. Not sure if you have seen the attachment "SCHEMA.png", anyway I'll explain it better:

- there are two main "headquarters" defined by the domain. Let's say "alpha.local" and "beta.local".
The domains are trusted and people will connect via Remote Access to their gateways; They need to access resources located across all the infrastructure
(of course I'm talking about people connected from the office, I know that Remote Access role wins over everything else)

- Some branch offices have an internal Domain Controller, which is a replica of the main at the HQ.
DFS is configured so that "alpha.local" or "beta.local" answer to all the related domain controller, technically the closest one but not always...

- there are two IDC, one at the "alpha.local" HQ and one on cloud (Azure) which is connected via s2s VPN to the Alpha HQ.
All the DC (both domains) are configured on each IDC; The domains and related DC are defined by query pools

- each gateway is configured to collect data from both the IDC

Just to be clear here are the problems:
- sometimes a user logged in from a office on domain X, can' t access resources on the office of domain Y, even though an Access Role is configured to allow the connection.

- on the IDC I see mixed results for a user/IP, in particular I don't understand why I see records from months ago (this could explain the missed match of the rules)

Thanks
 

I' ve attached a new schema, I hope it's more clear but I don't get the point of showing the gateways (all the sites have a checkpoint gateway except for Azure).

Some more infos:

- all the gateways are managed from a SMS at the central "Alpha" HQ (Site A)

- there are several domain controllers, they are all connected to the IDC to collect data; "Alpha" sites use a query pool for their Alpha domain, "Beta" sites use a query pool for Beta domain.

- there is also that IDC on Azure, I' ve added it for redundancy purpose but if I understand well is not even useful unless all the gateways have a direct VPN to Azure.
It' s more important to have an IDC on site Beta, correct?

- I don't know if it's important but site B and B1 are connected through a MPLS connection; the same for A and A3

Now, what do you exactly mean for "nearest AD server"?
Since the IDC is installed on site A, should it be configured to connect to Site A domain controller only? (and Site B for the domain "Beta.local")?

What about gateways pulling identities from the nearest IDC?
At this point I would just remove the IDC on Azure, they will use the "nearest" in any case; Unless I configure another IDC on Site B, at that point:
Sites B and B1 will use IDC at Site B; Sites A, A1, A2 and A3 will use IDC at Site A, correct?

Can you please explain better "Identity Sharing should happen between the relevant gateways"?
My first idea was that the sharing should happen only between the gateways A and B, exchanging identities from the respective query pools, but then I thought that everyone had to collect data from everywhere... and I understand it's probably wrong.

I could try to configure an IDC on each site with a DC, but if not strictly necessary I would avoid because of the resources needed.

Thank you!

The reason the location of the various gateways are important is because of latency between the various components matters (AD/IDC/Gateway).

Any site that has a Domain Controller and a Check Point gateway should have it's own Identity Collector instance.
That means adding IDC instances to: A1, A3, and B.
Each IDC instance should ONLY be pulling identities from the local DC and nowhere else.
The gateways at each site should be configured to do LDAP queries to the local DC (or nearest in the case of A2 and B1).
That would be the most ideal and scalable configuration.

If you don't want an IDC installed at the smaller sites (I assume these are the A1/2/3 sites), then the IDC at Site A should be querying the DCs at A1 and A3 and you should have an IDC at Site B querying it's local DC.

Either way, all gateways (at A1, A2, A3, A, B, and B1) should be sharing identities with each other and set up to query via LDAP the groups from the nearest DC.

sorry @PhoneBoy ,

there is still a thing that I don't get: you wrote

"The gateways at each site should be configured to do LDAP queries to the local DC"

and

"all gateways (at A1, A2, A3, A, B, and B1) should be sharing identities with each other and set up to query via LDAP the groups from the nearest DC."

maybe it's a typo, or I miss something, but are you talking about AD query?
Isnt' the IDC purpose to get rid of AD query?
If you meant "IDC" it would make sense to me, can you please confirm?

Thank you very much, now I'm going to start modifying the configuration.