CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Identity sharing out of sync

  1. #1
    Join Date
    2014-09-29
    Posts
    2
    Rep Power
    0

    Identity sharing out of sync

    We have installed two Check Point R77.20 clusters. One of the clusters collects the user and computer information with AD Query, Identity Agent for Terminal Servers and Browser-based authentication (Captive Portal).

    The second cluster was configured to sync the identities with the first cluster by using Identity Sharing.

    For our scenario it is very important that both clusters have the same identities!

    The configuration works great, but after some days the second cluster lost a lot of identities!
    The collecting cluster has 2000 identities and the second cluster only knows about 1000 identities.

    Bad result: Our user-based rules don't work correctly on the second cluster! :-(

    For weeks we have been trying to solve the problem with the Check Point Support Center... maybe the Check Point Community works better!

    Any thoughts or suggestions?

  2. #2
    Join Date
    2008-03-19
    Posts
    23
    Rep Power
    0

    Re: Identity sharing out of sync

    Hi there

    Sounds like you might be having an issue with the identity sharing mechanism. The default method is "Smart Pull" and it is really built for a large data centre cluster sharing IDs out to a small branch office firewall. Sounds like you need to change it to the "Push" method, that will stop doing any intelligence and will simply push out IDs to the PEP (second cluster) as they arrive on the PDP (your first cluster). I don't think I'm in a position to share actual technical details here, but contact your CP support and ask them about it.

    We struggled for almost a year with similar symptoms before finding this solution from R&D...

    Good luck.

    K

  3. #3
    Join Date
    2014-09-29
    Posts
    2
    Rep Power
    0

    Re: Identity sharing out of sync

    Thanks for the fast answer! :-)

    We know the two Identity Awareness propagation methods (Push + Smart-Pull). We have not tested the "Push" method at the moment because it's not the default and recommended method. But it sounds good for us too.

    Have you implemented the "Push" method in a production environment, and how long has it been working without errors?

  4. #4
    Join Date
    2008-03-19
    Posts
    23
    Rep Power
    0

    Re: Identity sharing out of sync

    We have had it on since September and haven't had a single problem since. I have to admit that we are planning to use the ADQuery agent soon, but that's a whole new subject.

  5. #5
    Join Date
    2009-12-11
    Posts
    19
    Rep Power
    0

    Re: Identity sharing out of sync

    Where is the setting of Push or Smart-Pull located?

    TIA,

    Bill
