pdp nested_groups

Description

Configures how the Security Gateway queries LDAP Nested Groups.

Shows the current configuration of LDAP Nested Group queries.

Syntax

pdp nested_groups

      auto_tune {enable | disable}

      clear

      depth <options>

      disable

      enable

      show

      status

      __set_state <options>

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Parameters

Parameter

Description

auto_tune {enable | disable}

Note - This feature is available only in the R80.40 Jumbo Hotfix Accumulator Take 119 and higher.

Enables and disables the auto-tune feature.

This feature calculates and automatically selects the state of Nested Groups based on the LDAP configuration on the Security Gateway and the Management Server.

Notes:

  • When you enable this feature, the Security Gateway automatically configures the best state of Nested Groups that it calculated.

  • When you disable this feature, the Security Gateway automatically returns to the state of Nested Groups you configured earlier with the "__set_state" parameter.

Best Practice - Enable this feature on the Policy Decision Point (PDP) to increase performance.

clear

Clears the list of users for which the depth was not enough.

depth <1 - 40>

Configures the nested groups depth (between 1 and 40).

disable

Disables the nested groups.

enable

Enables the nested groups.

show

Shows a list of users for which the depth was not enough.

status

Shows the configuration status of nested groups.

__set_state {1 | 2 | 3 | 4}

Configures the nested groups state:

  • 1 - Recursive (this is the default)

    • The Security Gateway queries each user to find out its group memberships, and then queries each group recursively until it determines the nested groups.

    • We recommend this method for environments that have few nested groups or no nested groups configured on the LDAP server.

  • 2 - Per-user

  • 3 - Multi per-group

    • The Security Gateway sends one LDAP query. This LDAP query includes a user and a group. The response shows if the user is included in this group.

    • We recommend this method for environments that have all types of users and groups and have a small number of access roles with nested groups in them.

  • 4 - Per user, if there is a single branch in each Account Unit

    • The Security Gateway sends one LDAP query. The response includes all groups for the specified user, including the nesting levels. This query shows groups from the branch specified in the LDAP account unit. This type of query can work over all LDAP ports (TCP 3268 or 3269, TCP 389 or 636).

    • Use this state if you work with a single branch on each account unit.

    Note - State "4" is available only in the R80.40 Jumbo Hotfix Accumulator Take 91 and higher.
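
Added example (not Check Point code): a simplified Python model of the "Recursive" state and the "depth" limit described above, useful for estimating from an exported membership list which users would appear in the "show" list and what depth they need. It assumes one query per entry looked up and a memberOf-style parent lookup; MEMBER_OF, resolve_groups, minimum_depth and depth_not_enough are hypothetical names, and the directory data is constructed.

```python
# Constructed sample directory: entry -> groups it is a direct member of.
MEMBER_OF = {
    "alice": ["vpn-users"],
    "bob": ["helpdesk"],
    "helpdesk": ["it-staff"],
    "it-staff": ["employees"],
    "employees": ["all-accounts"],
    "all-accounts": ["it-staff"],  # circular nesting, must not loop forever
    "vpn-users": [],
}

def resolve_groups(user, member_of, depth):
    """Follow memberships level by level, at most `depth` levels.

    Returns (groups_found, queries_sent, depth_was_enough).
    Assumption of this model: one query per entry that is looked up.
    """
    if not 1 <= depth <= 40:  # range documented for "depth"
        raise ValueError("depth must be between 1 and 40")
    found, queries = set(), 0
    frontier = [user]
    for _ in range(depth):
        next_frontier = []
        for entry in frontier:
            queries += 1
            for group in member_of.get(entry, []):
                if group not in found:  # skip groups already seen (cycles)
                    found.add(group)
                    next_frontier.append(group)
        frontier = next_frontier
        if not frontier:
            break
    # Not enough if a group at the last level still has an unseen parent.
    enough = all(p in found for g in frontier for p in member_of.get(g, []))
    return found, queries, enough

def minimum_depth(user, member_of):
    """Smallest depth (1-40) that resolves every nested group, else None."""
    for depth in range(1, 41):
        if resolve_groups(user, member_of, depth)[2]:
            return depth
    return None

def depth_not_enough(users, member_of, depth):
    """Users whose nesting exceeds `depth` (the model's 'show' list)."""
    return sorted(u for u in users if not resolve_groups(u, member_of, depth)[2])
```

In this model, groups that sit deeper than the configured depth are not returned for the user, and the query count grows with every nested level that is followed.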