Identity Sharing

Best Practice - In a distributed environment with multiple Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Security Gateways and AD Query Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user. The technology is based on querying the Active Directory Security Event Logs and extracting the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients, or on the Active Directory server., an Identity Sharing configuration can improve performance and flexibility.

In this configuration, Identity Awareness Security Gateways can share identity information with other Identity Awareness Security Gateways. You can configure Identity Sharing across multiple Security Gateways if the Security Gateways have Identity Awareness Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. enabled.

Without Identity Sharing:

Identity Agents can connect to only one Identity Awareness Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..
When traffic goes through more than one Identity Awareness Security Gateway, users may be required to authenticate on each Identity Awareness Security Gateway (for example, in Captive Portal A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication.).
Each Identity Awareness Security Gateway is connected to an identity source (for example, AD Query). Each Identity Awareness Security Gateway makes a query to the Active Directory. Each Identity Awareness Security Gateway queries for the group membership and calculates the Access Role Access Role objects let you configure network access according to: Networks, Users and user groups, Computers and computer groups, Remote Access Clients. After you activate the Identity Awareness Software Blade, you can create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules. object. This increases the load on the Security Gateways.

Identity Sharing Configuration Options

An Identity Awareness Security Gateway configured as a Policy Decision Point gets identity information and shares it with other Identity Awareness Security Gateways configured as Policy Enforcement Points. This way, only one Identity Awareness Security Gateway performs the group membership query and calculates the Access Role object. This reduces the load on the identity sources on User Directory Check Point Software Blade on a Management Server that integrates LDAP and other external user management servers with Check Point products and security solutions., or on both.

PDP - Policy Decision Point:

Gets user/machine identities from the designated identity sources.
Shares user/machine identities with other Identity Awareness Security Gateways.

PEP - Policy Enforcement Point:

Provides the applicable Access Roles to the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase. matching process. It enforces the procedure as defined in the policy.
Can receive identities through Identity Sharing.
Can redirect users to the Identity Awareness Captive Portal.

Supported Configurations for Identity Sharing:

One PDP Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways. shares identities to multiple PEPs.
One PEP Check Point Identity Awareness Security Gateway that acts as Policy Enforcement Point: receives identities via identity sharing; redirects users to Captive Portal. receives identities from multiple PDPs.
PDP and PEP processes run on different Security Gateways and use a Smart-Pull Sharing method for the connection.
PDP and PEP processes run on the same Security Gateway and use a Push Sharing method for the connection.

Identity Sharing Configuration Procedure

To configure Identity Sharing, you must do these steps in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.:

Configure Identity Awareness Security Gateways that share identities (Policy Decision Points):
1. From the left navigation panel, click Gateways & Servers.
2. Open the applicable Security Gateway object.
3. From the left tree, click Identity Awareness > Identity Sharing.
4. Click Share local identities with other gateways.
5. Click OK.
Configure Identity Awareness Security Gateways that receive identities (Policy Enforcement Points):
1. Open the applicable Security Gateway object.
2. From the left tree, click Identity Awareness > Identity Sharing.
3. Click Get identities from other gateways.
4. Select the applicable PDP Security Gateway from the list.
  
  Note - Only Security Gateways that have the "Share local identities with other gateways" option selected appear on the list.
5. Click OK.
Install the Access Control policy on all these Security Gateways.

Smart-Pull Identity Sharing Method

In large environments, not all PEPs require the identities from all PDPs. For example, small branch offices with a small number of users do not need to store all of the identities from the PDP in the headquarters office.

When the Smart Pull method is configured, identities are sent to the PEP only when the PEP requests or pulls them from the PDP. This saves space on the PEP and avoids unnecessary transactions between the PDP and the PEP on the network.

The Smart-Pull Identity Sharing operation stages are:

Identity Acquisition

The PDP gets identities and keeps them in the PDP repository.
The PDP notifies the applicable PEPs about the network (Class C), where the user was identified.

Notes:

The PDP does not publish the identities to the PEPs yet.
You can run the "pep show network pdp" command on the PEP to show the PDPs and the networks they identify.
You can run the "pdp network info" command on the PDP to show all the networks it publishes.

Sub-Network Registration

A user initiates a connection through the PEP. If the policy requires an identity element, the PEP searches for the identity in its local database.

If the identity is not found, the PEP searches for a PDP that knows the applicable Class C network to resolve the identity.
If the identity is found, then:
1. The PEP registers to the PDP for notification about a smaller network (subnet mask 255.255.255.240).
2. The PDP publishes all the currently known identities from the networks with the subnet mask 255.255.255.240 to the registering PEPs.

Notes:

You can run the "pep show network registration" command on the PEP to show the networks with the subnet mask 255.255.255.240, to which the PEP is registered.
You can run the "pdp network registered" command on the PDP to show the list of the PEPs for the networks with the subnet mask 255.255.255.240.

Identity Propagation
1. The PDP gets identity of a user, who has an IP address from an already registered network with the subnet mask 255.255.255.240.
2. The PDP immediately publishes the identity to the registered PEPs.