Lesley
Advisor

Identity Awareness - active directory changes / time

Hi everyone,

I am working with a customer who has an Identity Awareness setup.

I am running 2 collectors on Windows and an R81.10 cluster with Jumbo take 30.

The customer's main complaint is that if they make a change in Active Directory, it takes a long time to be 'active' on the Check Point.

On the Check Point I have a few firewall rules with access roles in them based on an AD group.

The customer adds a new machine (or a user) to the AD group and sees that it is synced to all AD servers. But the rule is not working; after a period of time it starts to work. The customer is wondering if there is any way to speed this up a bit. I noticed sometimes it takes even a few hours. Is there any setting on the gateway or the collector I can change? Or is it a random timer?

 

Thank you for the feedback.

BR

Lesley

0 Kudos
1 Solution

Accepted Solutions
4 Replies
PhoneBoy
Admin
Lesley
Advisor

Thank you for the update. The setting was not enabled. I changed it and now we are going to test it. Will get back to you.

 

[Expert@FW1:0]# pdp idc groups_update status
automatic LDAP groups update is disabled
[Expert@FW1:0]# pdp idc groups_update on
automatic LDAP groups update is enabled

0 Kudos
the_rock
Legend

Ironically enough, I worked with a customer who was doing regular AD query (not identity collector) and they asked me about it, but when we spoke to TAC, they said changes would be instant on the CP side. Well, not exactly : - ). We still, to this day, notice that most changes do take effect quickly, but I would say about 20% of the time, it takes a bit of time.

On the other hand, I also work with a client who uses 2 IA collectors and they never had this problem, nor did they ever have to implement the sk PhoneBoy mentioned. Maybe it's an isolated case, I have no clue in the world. All I can say is, I hope the commands help your case.

0 Kudos
Lesley
Advisor

Thanks all, the customer has tested it today and it was way quicker, around 5 minutes.

0 Kudos
