Automatic Reconnection to Prioritized Policy Decision Point (PDP) Gateways

Identity Agent Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from Support Center. for a User Endpoint Computer and Identity Agent for a Terminal Server can reconnect to the original Policy Decision Point (PDP Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways.) Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. after it recovers from a failure.

To configure the automatic reconnection to a higher-priority PDP Security Gateway:

1. Configure the PDP Security Gateway:

   1. Connect to the command line on the PDP Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway.

   2. Log in to the Expert mode.

   3. Get the current recovery interval value:

      pdp auth recovery_interval show

   4. Configure the applicable recovery interval value (in seconds):

      pdp auth recovery_interval set <1-864000>

2. Install the Access Control Policy on this PDP Identity Awareness Gateway.

Notes The value of the recovery_interval parameter controls the recovery interval. During the recovery interval, the Identity Client searches for a higher priority PDP Security Gateway. You can set the recovery interval between 1 and 864000 seconds. The default recovery interval value is 14400 seconds. On a VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0., configure the recovery_interval parameter in the context of each Virtual System with Identity Awareness enabled. The Identity Client fetches the value of the recovery_interval parameter when it connects to the PDP Security Gateway. Therefore, you must set the same value on all applicable PDP Security Gateways in your environment. Site priority depends on the priority configured in the Identity Agent Distributed Configuration Tool Check Point Identity Agent control tool for Windows-based client computers that are members of an Active Directory domain. The Distributed Configuration tool lets you configure connectivity and trust rules for Identity Agents - to which Identity Awareness Security Gateways the Identity Agent should connect, depending on its IPv4 / IPv6 address, or Active Directory Site. This tool is installed a part of the Identity Agent: go to the Windows Start menu > All Programs > Check Point > Identity Agent > open the Distributed Configuration. Note - You must have administrative access to this Active Directory domain to allow automatic creation of new LDAP keys and writing.. Site priority does not rely on other methods, such as DNS resolving. When two or more sites are unreachable, the Identity Client tries to reconnect to the primary site only one time. If the attempt fails, the Identity Client reconnects to the primary site gradually.