CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Gateway Disconnects After Policy Install

  1. #1
    Join Date
    2015-05-18
    Posts
    6
    Rep Power
    0

    Gateway Disconnects After Policy Install

    I've encountered a bit of a head-scratcher that I'm hoping someone else may have seen. We just recently upgraded a Clustered gateway from R75.40 to R77.20. Since the upgrade, whenever we push policy to this Gateway, it immediately disconnects from the PDP Gateway for Identity Awareness.

    This Gateway sits on the Internet-facing perimeter, so we did not want it directly querying AD servers inside our network. We put the PDP role on a Gateway inside our network. It is configured to Share Identities with the outside DMZ Firewall. This solution was running very reliably for over 6 months prior to the upgrade to 77.20. Since then, the PDP Gateway reports the DMZ firewall as Disconnected in SmartView Monitor immediately after a policy push. We have other R77.20 VSX Gateways also receiving identity data from this PDP, but we cannot reproduce this behavior on any of them.

    I've already gone a round with CP support, and they seem to be a little stumped. They suggested I install the latest HFA, but there was no specific reason for doing so. I have a feeling this is just a shot in the dark hoping that something in the HFA may fix the behavior. However, reading the release notes, there doesn't seem to be anything that even remotely resembles this behavior.

    Has anyone else seen this happen? Any suggestions are greatly appreciated!

    Thanks.

  2. #2
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    8

    Re: Gateway Disconnects After Policy Install

    Quote: Originally Posted by SVXDan83
    I've encountered a bit of a head-scratcher that I'm hoping someone else may have seen. We just recently upgraded a Clustered gateway from R75.40 to R77.20. Since the upgrade, whenever we push policy to this Gateway, it immediately disconnects from the PDP Gateway for Identity Awareness.

    This Gateway sits on the Internet-facing perimeter, so we did not want it directly querying AD servers inside our network. We put the PDP role on a Gateway inside our network. It is configured to Share Identities with the outside DMZ Firewall. This solution was running very reliably for over 6 months prior to the upgrade to 77.20. Since then, the PDP Gateway reports the DMZ firewall as Disconnected in SmartView Monitor immediately after a policy push. We have other R77.20 VSX Gateways also receiving identity data from this PDP, but we cannot reproduce this behavior on any of them.

    I've already gone a round with CP support, and they seem to be a little stumped. They suggested I install the latest HFA, but there was no specific reason for doing so. I have a feeling this is just a shot in the dark hoping that something in the HFA may fix the behavior. However, reading the release notes, there doesn't seem to be anything that even remotely resembles this behavior.

    Has anyone else seen this happen? Any suggestions are greatly appreciated!

    Thanks.

    I know PDP is responsible for collecting identities, but I am not sure what PDP gateway means. Is it a separate box or just a Security Gateway?
    Also, can you detail what disconnecting really means? What tool are you using to sense this disconnection?

  3. #3
    Join Date
    2015-05-27
    Location
    London
    Posts
    35
    Rep Power
    0

    Re: Gateway Disconnects After Policy Install

    Do you have share identities configured in both directions, i.e. on the dedicated PDP gateway and the firewall it's sharing with? I've seen issues in the past with identity sharing not working correctly if it's enabled on one firewall but not the one you want it to share with.

  4. #4
    Join Date
    2015-05-18
    Posts
    6
    Rep Power
    0

    Re: Gateway Disconnects After Policy Install

    Quote: Originally Posted by brian_netsec
    Do you have share identities configured in both directions, i.e. on the dedicated PDP gateway and the firewall it's sharing with? I've seen issues in the past with identity sharing not working correctly if it's enabled on one firewall but not the one you want it to share with.

    @laf_c: Sorry for not being clear. This is a separate Open Server Gateway sitting inside our network that has the Active Directory Query configured on it. It acts as the PDP to share identities with all the other Gateways. It's running the latest R77.20 HFA. We are seeing that it is disconnected from a couple of different sources. First, SmartView Monitor puts a red X over the Gateway when you look at the Distributed Enforcement status under the Identity Awareness Blade. We also see an error in SmartLog that is written about 10 seconds after the policy installs from the PDP Gateway indicating its connection was lost to the outside Gateway for Identity Awareness. Finally, if you run the "pep show user all" command from the Outside DMZ, I don't see any users listed. When I do this from any other Gateway (including the one performing the AD Query), I see all the users I would expect to see.

    @brian_netsec: I don't believe I have it enabled on the Outside DMZ Gateway. I can certainly give that a shot, thanks!

    Thanks for your input so far!
