This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lesley
MVP Gold
MVP Gold
‎2022-11-08 07:12 AM
Jump to solution

Identity Awareness - active directory changes / time

Hi everyone,

I am working with a customer who has an Identity Awareness setup.

I am running 2 collectors on Windows. And a R81.10 cluster with Jumbo take 30.

The customers main complain is that if they make a change in active directory it takes long to be 'active' on the Check Point.

On the Check Point I have a few firewall rules with access roles in it based on a AD group.

The customer adds a new machine(or a user) in the AD group and sees that it is synced to all AD servers. But the rule is not working, after a period of time it starts to work. The customer is wondering if there is any way to speed this up a bit. I noticed sometimes it takes even a few hours. Is there any setting on the gateway or the collector I can change? Or is it random timer?

 

Thank you for the feedback.

BR

Lesley

-------
Please press "Accept as Solution" if my post solved it 🙂
Labels
0 Kudos
1 Solution

Accepted Solutions
4 Replies
PhoneBoy
Admin
Admin
‎2022-11-08 07:40 AM
Jump to solution

Have you implemented: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Lesley
MVP Gold
MVP Gold
‎2022-11-08 07:49 AM
In response to PhoneBoy
Jump to solution

Thank you for the update. Settings was not enabled. I changed it and now we are going to test it. Will get back to you.

 

[Expert@FW1:0]# pdp idc groups_update status
automatic LDAP groups update is disabled
[Expert@FW1:0]# pdp idc groups_update on
automatic LDAP groups update is enabled

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-11-08 07:32 PM
In response to Lesley
Jump to solution

Ironically enough, I worked with customer who was doing regular AD query (not identity collector) and they asked me about it, but when we spoke to TAC, they said changes would be instant on CP side. Well, not exactly : - ). We still, to this day, notice that most changes do take effect quick, but I would day about 20% of the time, takes a bit of time. 

On the other hand, I also work with client who uses 2 IA collectors and they never had this problem, nor did they ever have to implement sk phoneboy mentioned. Maybe its isolated case, I have no clue in the world. All I can say is, I hope the commands help your case.

Best,
Andy
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2022-11-09 12:16 AM
In response to Lesley
Jump to solution

Thanks all, customer has tested it today and was way quicker, around 5 minutes. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events