Hey,
I am writing a document regarding the IA blade.
Currently we have about 8 clusters which are connected to all of the DCs in the environment, which is OK from my point of view because the environment is not that large, and mandatory because of the network topology.
On some computers the "switch user" function of the Windows OS is used, so we need to start using the IA Agent for those computers. That brings up the need to use identity sharing between the security GWs.
From what I read there are 2 methods, "smart-pull" and "push". In the first one the PEP only asks the PDP for the identity if it is unknown to the GW, but because the computer is connected to the DC it might get the identity from it and not ask the PDP for the identity, even if a switch user was performed and the identity was updated on the PDP.
Regarding the "push" method, won't it create a sort of "loop" of notifications, because all FWs connect to all DCs and an update from a DC will also update all the FWs using the Identity Sharing feature?
Am I right, or do I miss anything?
Thanks,
Dor
What precise methods are you using to acquire identities here?
You mention agents; what else?
In general, gateways should acquire identities from sources as close to the user as possible and share identities with the other gateways.
However, multiple gateway clusters should not be acquiring identities from the same AD servers.
All GWs are connected to all of our domain controllers to get identities; we have about 10 DCs spread over the network.
I didn't split the DCs between the GWs.
Another source is the identity agent, for some users, because of the need to use the switch user function of the OS.