Alex-
Leader

Identity Sharing and Cisco ISE

I'm successfully using Identity Collector and Cisco ISE to send tags to a pilot gateway.

I cannot find, however, whether I can use this setup along with Identity Sharing to share tags with other gateways of the SMS, the way it happens with accounts; the documentation isn't explicit on this.

Should it work?

Firewalls are R80.40 Take 173 with plans to go to R81.10 when the next hotfix is GA.

10 Replies
G_W_Albrecht
Legend

Alex-
Leader

For now the solution is to connect the Identity Collector to each gateway, effectively turning them into PDPs, so the broker would be a more complex way to do the same.

The idea is to have a low-end cluster serving as PDP for the ISE tags and sending them to all other gateways but it seems that nothing happens with tags when this is configured.

Sorin_Gogean
Advisor

Hey,

As we have also deployed IC in our environment, to grab identities from AD and ISE (tags), my recommendation is to have at least 2 ICs per GW/cluster for redundancy. In our case, as we have 3 clusters, we have set up 6 ICs, 2 per region, so we have redundancy and independence.

As for identity sharing, as far as I know you can configure a GW to share identities with all other GWs, so what is not working in your case?

[attached screenshot: Untitled.png]

Thank you,

Alex-
Leader

I'm using 2 Identity Collectors for redundancy. I had to get a custom JAR file to ensure stability between them and the ISE but since then it works.

Whenever I enable Identity Sharing, tags don't seem to get exchanged. I'm just wondering if they should be or if this feature does not support ISE tags.

Sorin_Gogean
Advisor

"I had to get a custom JAR file to ensure stability between them and the ISE but since then it works." - can you elaborate on this a bit more, as I have a problem with IC versions over R80.0119.000 (new ones use pxGrid v2) and our ISE environment - it loses communication after random periods.

In regards to the shared identity, I doubt it will share the ISE TAG, but I think it will share the identity group that the TAG was matched to.

Can you check that part, and have a rule with an identity ISE TAG based on a GW that gets identities from another gateway?

Thank you,

Alex-
Leader

That was quite a long case with TAC about the ISE going to Disconnected mode in the Collector and not coming back up short of a reboot of the server, not just the service.

In the end, I got a custom JAR file to replace one in place which completely solved the issue.

Sorin_Gogean
Advisor

So I see the same: with newer IC versions, the ISE connections go into Established and data is exchanged, but after 1 hour or 3 hours they go Disconnected.

In some cases, if I restart the service it comes back, but the same will happen in a couple of hours, or it stays Disconnected.

Is it possible to share the Check Point case so I can ask my support engineer to look and see if there is any resemblance between them?

Thank you,

PS: were the versions I shared behaving the same, or do you not remember the details?

Alex-
Leader

I will send you the SR in a private message. What happened is that a message from the ISE wouldn't be accepted by the IC because of some unsupported content, after which the IC would disconnect the ISE and keep on sending keepalives without ever reconnecting. This could happen after an hour or a week, there was no definitive pattern.
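
The failure mode described in the reply above (one message the collector cannot handle, the ISE session dropped, keepalives still sent on a session that never comes back) is a general client-robustness problem worth seeing in code. The following is an added example and is neither Check Point Identity Collector nor Cisco pxGrid code: a constructed Python simulation that contrasts a client which stays Disconnected with one that reconnects, plus the check an operator could use to flag a session that has been dead for too many keepalive cycles. The message fields (user/ip/sgt), class names, sample identities and poll-cycle counts are assumptions for the illustration.

```python
"""Constructed simulation of the collector/ISE failure mode described in the
thread. Not Check Point Identity Collector or Cisco pxGrid code: the message
shape (user/ip/sgt), class names and poll cycles are assumptions for this example."""

from dataclasses import dataclass, field

# Field set this toy parser understands (assumed, not a real pxGrid schema).
SUPPORTED_FIELDS = {"user", "ip", "sgt"}


class ProtocolError(Exception):
    """A message carrying content the client does not understand."""


def parse_session(msg):
    """Validate one session-update message; reject unsupported content
    instead of silently dropping it (this rejection is the trigger)."""
    unknown = set(msg) - SUPPORTED_FIELDS
    if unknown:
        raise ProtocolError(f"unsupported fields: {sorted(unknown)}")
    return msg["user"], msg["ip"], msg["sgt"]


@dataclass
class FakeIse:
    """Stand-in publisher that replays a scripted list of messages."""
    messages: list
    pos: int = 0

    def next_message(self):
        if self.pos >= len(self.messages):
            return None
        msg = self.messages[self.pos]
        self.pos += 1
        return msg


@dataclass
class CollectorClient:
    """Toy identity collector. reconnect=False reproduces the reported
    behaviour: after a bad message the session is dropped and keepalives
    keep going out on a dead session with no reconnect attempt."""
    ise: FakeIse
    reconnect: bool
    max_reconnects: int = 3
    connected: bool = True
    reconnects: int = 0
    dead_keepalives: int = 0
    tags: dict = field(default_factory=dict)   # ip -> (user, sgt)
    log: list = field(default_factory=list)

    def tick(self):
        """One poll cycle: (re)establish the session, send a keepalive, consume one message."""
        if not self.connected:
            if self.reconnect and self.reconnects < self.max_reconnects:
                self.reconnects += 1
                self.connected = True
                self.log.append("reconnected")
            else:
                self.dead_keepalives += 1
                self.log.append("keepalive on dead session")
                return
        self.log.append("keepalive")
        msg = self.ise.next_message()
        if msg is None:
            return
        try:
            user, ip, sgt = parse_session(msg)
        except ProtocolError as exc:
            # Dropping the session on one bad message is common to both
            # variants; they differ only in what happens on the next tick.
            self.log.append(f"disconnected: {exc}")
            self.connected = False
            return
        self.tags[ip] = (user, sgt)


def session_is_stuck(client, threshold=3):
    """Operator check: a session that has absorbed `threshold` keepalives
    while Disconnected is stuck and should raise an alert."""
    return client.dead_keepalives >= threshold


def simulate(reconnect, ticks=5):
    """Replay a constructed message stream: good, unsupported, good."""
    stream = [
        {"user": "alice", "ip": "10.0.0.11", "sgt": "Employees"},
        {"user": "bob", "ip": "10.0.0.12", "sgt": "Contractors", "newField": 1},
        {"user": "carol", "ip": "10.0.0.13", "sgt": "Employees"},
    ]
    client = CollectorClient(ise=FakeIse(stream), reconnect=reconnect)
    for _ in range(ticks):
        client.tick()
    return client


if __name__ == "__main__":
    for mode in (False, True):
        c = simulate(reconnect=mode)
        print(f"reconnect={mode}: connected={c.connected}, tags={len(c.tags)}, "
              f"stuck={session_is_stuck(c)}")
```

The naive client learns only the first identity and then counts keepalives on a dead session forever, which is the "Disconnected and never coming back" symptom; the reconnecting client loses only the rejected message and picks up the next one. The `session_is_stuck` check is the kind of signal to watch for on a collector, since the keepalives themselves look healthy.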

Sorin_Gogean
Advisor

Thank you,

Now on the Identity Sharing, check this and let us know how it goes...

"In regards to the shared identity, I doubt it will share the ISE TAG, but I think it will share the identity group that the TAG was matched to.

Can you check that part, and have a rule with an identity ISE TAG based on a GW that gets identities from another gateway?"

Ty,

PhoneBoy
Admin

Once identities are acquired, they can be shared with other gateways.
That said, you might need to (manually) create the relevant identity tags on the Check Point side, but that's just a guess.
