Identity Conciliation
Identity session conciliation is an enhanced mechanism for handling identity sessions inside the PDP and PEP Security Gateways. A PDP is a Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: it acquires identities from identity sources and shares them with other gateways. A PEP is a Check Point Identity Awareness Security Gateway that acts as Policy Enforcement Point: it receives identities via identity sharing and redirects users to the Captive Portal.
When a PDP or PEP receives identity information for an IP address that already has an identity session from a different source, the conciliation mechanism determines how to handle the new identity session.
The default Identity Conciliation mechanism is designed to work well in nearly all environments. Because Identity Conciliation is a complex and sensitive mechanism, users cannot change it by themselves. To request custom changes to the Identity Conciliation mechanism, contact Check Point Support.
PDP Conciliation
The PDP conciliation mechanism decides whether to override the current identity session with the new one, reject the new session, or append the new session to the current identity session.
The decision is based on these factors:
- Confidence - The strength of each identity session is determined by its identity source (for example, Identity Agent or Identity Collector). An Identity Agent is a Check Point client agent installed on Windows-based user endpoint computers; it acquires identities and reports them to the Identity Awareness Security Gateway, is configured by the administrator (not the end users), and comes in two types, Full and Light (download from the Captive Portal at 'https://<Gateway_IP_Address>/connect' or from sk134312). An Identity Collector is a Check Point client agent installed on Windows Servers in your network; it collects identities and their associated IP addresses and sends them to the Security Gateways for identity enforcement (see sk108235; download from sk134312).
- Locality - The locality of each identity session is determined by its path (hop count).
- Time To Live (TTL) - The creation time of the identity session.
- PDP Preference - The PDP Security Gateway (a dedicated Check Point server that inspects traffic and enforces Security Policies for connected network resources) from which the PDP receives the identity session.
Some identity sources, such as Identity Agent, Terminal Server, Captive Portal (the Identity Awareness web portal to which users connect with their browser to log in and authenticate when using Browser-Based Authentication), and Remote Access VPN, cannot be appended to other sessions. For these sources the conciliation decision is only override or reject.
Identity sources such as ADQuery, RADIUS Accounting, Identity Collector, and Web-API can be appended to each other. For these sources the conciliation decision is append.
Example 1
The PDP received an Identity Agent session and then received a new identity from Identity Collector on the same IP address.
The conciliation decision is to reject the Identity Collector session based on the confidence factor, because Identity Agent is the higher-confidence source.
Example 2
The PDP received a Web-API session and then received a new identity from Identity Collector on the same IP address.
The conciliation decision is to append the Identity Collector session because both identity sources can be joined.
Example 3
The PDP received an Identity Collector session, and then received a new identity from Identity Collector on the same IP address.
The conciliation decision is to override the current Identity Collector session based on the TTL factor and because only a single Identity Collector session can exist per IP address.
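The three examples above follow from the rules stated in this section: exclusive sources are resolved on confidence (override or reject), appendable sources are joined, and a second session from the same appendable source replaces the first on the TTL factor. The model below is an added illustration written for this page, not Check Point code. It assumes an illustrative numeric confidence table (the page only establishes that Identity Agent outranks Identity Collector), treats the confidence of an appended session as that of its strongest source, and breaks confidence ties on creation time; all three are assumptions, not documented behaviour.

```python
"""Model of the PDP identity conciliation decision (illustration for this page, not
Check Point code). Decision rules are those the page states; numeric confidence
values and tie-breaking are assumptions made for the example."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Sources whose sessions cannot be appended to another session: override or reject only.
EXCLUSIVE_SOURCES = {"Identity Agent", "Terminal Server", "Captive Portal", "Remote Access VPN"}
# Sources whose sessions can be joined on the same IP address: append.
APPENDABLE_SOURCES = {"ADQuery", "RADIUS Accounting", "Identity Collector", "Web-API"}

# ASSUMPTION: illustrative confidence ranking. The page states only that Identity Agent
# is stronger than Identity Collector; every other value here is invented for the example.
CONFIDENCE = {
    "Identity Agent": 100, "Remote Access VPN": 90, "Terminal Server": 80, "Captive Portal": 80,
    "Identity Collector": 50, "Web-API": 50, "ADQuery": 40, "RADIUS Accounting": 40,
}


@dataclass(frozen=True)
class Session:
    ip: str
    user: str
    sources: Tuple[str, ...]  # an appended session carries several sources
    created: int              # TTL factor: creation time (monotonic counter here)


def confidence(session: Session) -> int:
    """Confidence of a (possibly appended) session: its strongest source (assumption)."""
    return max(CONFIDENCE[s] for s in session.sources)


def conciliate(current: Optional[Session], new: Session) -> Tuple[str, Session]:
    """Decide what the PDP does with `new` given `current`, the session on the same IP.

    Returns (decision, resulting session) with decision one of
    "new" (no prior session on that IP), "append", "override" or "reject".
    """
    if current is None or current.ip != new.ip:
        return "new", new
    assert len(new.sources) == 1, "a freshly acquired session has exactly one source"
    new_src = new.sources[0]

    appendable = (new_src in APPENDABLE_SOURCES
                  and all(s in APPENDABLE_SOURCES for s in current.sources))
    if appendable:
        if new_src in current.sources:
            # Only one session per source may exist per IP: the newer one (TTL factor)
            # replaces the older one; other appended sources are kept.
            kept = tuple(s for s in current.sources if s != new_src)
            return "override", replace(new, sources=kept + (new_src,))
        return "append", replace(current, sources=current.sources + (new_src,))

    # At least one side is an exclusive source: decide on confidence, override or reject.
    if confidence(new) > confidence(current):
        return "override", new
    if confidence(new) < confidence(current):
        return "reject", current
    # ASSUMPTION: equal confidence is broken by the TTL factor (newer session wins).
    return ("override", new) if new.created >= current.created else ("reject", current)


if __name__ == "__main__":
    # Constructed sessions reproducing Examples 1 to 3 above.
    ex1 = conciliate(Session("10.0.0.7", "alice", ("Identity Agent",), 1),
                     Session("10.0.0.7", "alice", ("Identity Collector",), 2))
    ex2 = conciliate(Session("10.0.0.8", "bob", ("Web-API",), 1),
                     Session("10.0.0.8", "bob", ("Identity Collector",), 2))
    ex3 = conciliate(Session("10.0.0.9", "carol", ("Identity Collector",), 1),
                     Session("10.0.0.9", "carol", ("Identity Collector",), 2))
    for name, (decision, result) in zip(("Example 1", "Example 2", "Example 3"), (ex1, ex2, ex3)):
        print(f"{name}: {decision} -> {result.sources} (created={result.created})")
```

Running the module prints reject, append and override for the three examples respectively. The exclusive/appendable split is the part worth checking in your own environment, because it determines whether a lower-confidence source can ever enrich a session (append) or only lose to it (reject).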
PEP Conciliation
When a PEP receives identity sessions for the same IP address from two different PDP Security Gateways, the PEP conciliation mechanism decides whether to keep the new identity session or reject it.
Each session is given a global score based on all of these parameters:
- Confidence - The identity sources from which the sessions originated (for example, RADIUS Accounting, Identity Collector).
- PDP Preference - The PDP Security Gateways from which the PEP received the sessions.
- Time To Live - The TTL value of the sessions.
- Full session - Whether the sessions contain both a user identity and a machine identity, or only one of them.
If the new session's global score is equal to or higher than the global score of the current session, the PEP overrides the current session. If not, the current session remains.
By default, if you do not apply any advanced configurations, the mechanism only considers the Identity Sources Confidence parameter. Therefore, the session with the highest confidence remains.
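The PEP rule differs from the PDP one: there is no append, only a score comparison in which the new session wins on a tie. The model below is an added illustration written for this page, not Check Point code. The page gives the four factors but not how they combine, so the weighted sum, the numeric confidence table (only Identity Agent over Identity Collector is supported by the page) and the `weights`/`pdp_preference` configuration are assumptions; the default configuration mirrors the page's statement that only confidence is considered.

```python
"""Model of PEP conciliation between sessions shared by two different PDPs
(illustration for this page, not Check Point code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# ASSUMPTION: illustrative confidence values; the page states only that Identity Agent
# outranks Identity Collector.
CONFIDENCE = {"Identity Agent": 100, "Captive Portal": 80,
              "Identity Collector": 50, "RADIUS Accounting": 40}

# Default: only confidence counts (page). The extra factors only matter when an
# advanced configuration gives them a weight; the weighted sum itself is an assumption.
DEFAULT_WEIGHTS = {"confidence": 1.0}


@dataclass(frozen=True)
class PepSession:
    pdp: str                # PDP Security Gateway that shared the session
    source: str             # identity source the PDP acquired it from
    ttl: int                # remaining TTL in seconds
    user: Optional[str]     # user identity, if present
    machine: Optional[str]  # machine identity, if present


def global_score(s: PepSession,
                 weights: Dict[str, float] = DEFAULT_WEIGHTS,
                 pdp_preference: Optional[Dict[str, int]] = None) -> float:
    """Global score of a session: weighted sum of the four conciliation factors."""
    factors = {
        "confidence": CONFIDENCE[s.source],
        "pdp_preference": (pdp_preference or {}).get(s.pdp, 0),
        "ttl": s.ttl,
        "full_session": 1 if (s.user and s.machine) else 0,
    }
    return sum(weights.get(name, 0.0) * value for name, value in factors.items())


def pep_conciliate(current: PepSession, new: PepSession, **cfg) -> Tuple[str, PepSession]:
    """The new session replaces the current one when its score is equal or higher (page rule)."""
    if global_score(new, **cfg) >= global_score(current, **cfg):
        return "override", new
    return "reject", current


if __name__ == "__main__":
    # Constructed sessions for the same IP, shared by two PDPs.
    cur = PepSession("pdp-a", "Identity Collector", 3600, "alice", None)
    new = PepSession("pdp-b", "Identity Agent", 600, "alice", "WS01")
    print("default config:", pep_conciliate(cur, new)[0])  # override: higher confidence
    # Advanced (assumed) configuration: weight full sessions and prefer pdp-a.
    advanced = dict(weights={"confidence": 1.0, "full_session": 10.0, "pdp_preference": 5.0},
                    pdp_preference={"pdp-a": 20})
    rich = PepSession("pdp-a", "Identity Collector", 3600, "alice", "WS01")
    thin = PepSession("pdp-b", "Identity Agent", 600, "alice", None)
    print("advanced config:", pep_conciliate(rich, thin, **advanced)[0])  # reject
```

The tie rule is the operationally interesting part: with the default configuration, two sessions from equally confident sources for the same IP flip to whichever PDP reported last, so stable enforcement on a PEP fed by several PDPs depends on the sources, not on which PDP is "closer".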