Identity Sharing
Best Practice - In a distributed environment with multiple Identity Awareness Security Gateways and AD Query, an Identity Sharing configuration improves performance and flexibility. In this configuration, Identity Awareness Security Gateways share identity information with other Identity Awareness Security Gateways. You can configure Identity Sharing across multiple Security Gateways if the Security Gateways have the Identity Awareness Software Blade enabled. Without Identity Sharing:

An Identity Awareness Security Gateway configured as a Policy Decision Point gets identity information and shares it with other Identity Awareness Security Gateways configured as Policy Enforcement Points. This way, only one Identity Awareness Security Gateway performs the group membership query and calculates the Access Role object. This reduces the load on the identity sources, on the User Directory, or on both.
PDP - Policy Decision Point:
- Gets user/computer identities from the designated identity sources.
- Shares user/computer identities with other Identity Awareness Security Gateways.
PEP - Policy Enforcement Point:
- Provides the applicable Access Roles to the Rule Base process. It enforces the procedure as defined in the policy.
- Receives identities through Identity Sharing.
- Can redirect users to the Identity Awareness Captive Portal.
Supported Configurations for Identity Sharing:
- One PDP shares identities with multiple PEPs.
- One PEP receives identities from multiple PDPs.
- PDP and PEP processes run on different Security Gateways and use Smart-Pull Identity Sharing for the connection.
- PDP and PEP processes run on the same Security Gateway and use Push Identity Sharing for the connection.
When an Identity Server needs to connect to an Identity Awareness Gateway for Identity Sharing, the Identity Server uses the IP Address of the Identity Awareness Gateway object.
If a network configuration does not allow communication with this IP Address of the Identity Awareness Gateway, you can configure a different IPv4 Address for the communication channel between the Identity Server and the Identity Awareness Gateway. For more information, see sk60701.

- Open SmartConsole for the Management Server / Multi-Domain Server that manages the Identity Awareness Security Gateways.
- Configure Identity Awareness Security Gateways that share identities (Policy Decision Points):
  - From the left navigation panel, click Gateways & Servers.
  - Open the applicable Security Gateway object.
  - From the left tree, click Identity Awareness > Identity Sharing.
  - Click Share local identities with other gateways.
  - Click OK.
- Configure Identity Awareness Security Gateways that receive identities (Policy Enforcement Points):
  - Open the applicable Security Gateway object.
  - From the left tree, click Identity Awareness > Identity Sharing.
  - Click Get identities from other gateways.
  - Below Get identities from other gateways, to the right of the table, click the plus button. A list of PDP Security Gateways appears.
  - Select the applicable PDP Security Gateway from the list.
    Note - The list contains only Security Gateways that have Share local identities with other gateways enabled.
  - Click OK.
- Install the Access Control policy on all these Security Gateways.

In large environments, not all PEPs need the identities from all PDPs. For example, it is not necessary for a small branch office with a small number of users to keep all of the identities from the PDP in the headquarters office.
When Smart-Pull Identity Sharing is configured, identities are sent to the PEP only when the PEP requests (pulls) them from the PDP. This saves space on the PEP and avoids unnecessary transactions between the PDP and the PEP.
The Smart-Pull Identity Sharing operation stages are:
- Identity Acquisition
  - The PDP gets identities and keeps them in the PDP repository.
  - The PDP notifies the applicable PEPs about the network (Class C) where the user was identified.
  Notes:
  - The PDP does not publish the identities to the PEPs until the Identity Propagation stage.
  - The "pep show network pdp" command on the PEP shows the PDPs and the networks they identify.
  - The "pdp network info" command on the PDP shows all the networks it publishes.
- Sub-Network Registration
  A user initiates a connection through the PEP. If the policy must have an identity element, the PEP searches for the identity in its local database.
  - If the PEP finds the identity in its local database, then:
    - The PEP registers to the PDP for notification about a smaller network (subnet mask 255.255.255.240).
    - The PDP publishes all the currently known identities from the networks with the subnet mask 255.255.255.240 to the PEPs that register.
  - If the PEP does not find the identity in its local database, the PEP searches for a PDP that knows the applicable Class C network to find the identity.
  Notes:
  - The "pep show network registration" command on the PEP shows the networks with the subnet mask 255.255.255.240 to which the PEP is registered.
  - The "pdp network registered" command on the PDP shows the list of PEPs for the networks with the subnet mask 255.255.255.240.
- Identity Propagation
  - The PDP gets the identity of a user who has an IP address from an already registered network with the subnet mask 255.255.255.240.
  - The PDP immediately publishes the identity to the registered PEPs.
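The three Smart-Pull stages above, walked through in a small Python model. This is an added illustration, not Check Point code: the PDP and PEP classes, the Class C (/24) advertisement, the /28 (255.255.255.240) registration and the direct query on a local-database miss are assumptions that follow the stages as the text describes them; the gateway names, IP addresses and user names are constructed sample data.

```python
"""Toy model of Smart-Pull Identity Sharing (added example, not Check Point code).

Assumptions: a PDP advertises the /24 of each acquired identity to its PEPs,
a PEP registers the /28 of an address it found locally, and on a local miss
it queries the PDP that advertised the /24.  All data below is constructed.
"""
import ipaddress

CLASS_C = 24   # the "Class C" network the PDP advertises to PEPs
SUBNET = 28    # 255.255.255.240, the smaller network a PEP registers for


def net(ip, prefix):
    """Return the network containing `ip` with the given prefix length."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class PDP:
    def __init__(self, name):
        self.name = name
        self.repository = {}      # ip -> user
        self.peps = []            # PEPs this PDP shares with
        self.registrations = {}   # /28 network -> set of PEPs registered for it

    def acquire(self, ip, user):
        """Identity Acquisition: keep the identity and advertise its /24.
        If the /28 is already registered, Identity Propagation happens now."""
        self.repository[ip] = user
        for pep in self.peps:
            pep.learn_network(net(ip, CLASS_C), self)
        for pep in self.registrations.get(net(ip, SUBNET), set()):
            pep.receive(ip, user)

    def register(self, pep, subnet):
        """Sub-Network Registration: remember the PEP and publish every
        identity currently known in that /28 to it."""
        self.registrations.setdefault(subnet, set()).add(pep)
        for ip, user in self.repository.items():
            if net(ip, SUBNET) == subnet:
                pep.receive(ip, user)

    def query(self, ip):
        return self.repository.get(ip)


class PEP:
    def __init__(self, name):
        self.name = name
        self.local_db = {}        # ip -> user
        self.networks = {}        # /24 network -> PDP that advertised it
        self.registered = set()   # /28 networks this PEP registered for

    def learn_network(self, network, pdp):
        self.networks[network] = pdp

    def receive(self, ip, user):
        self.local_db[ip] = user

    def lookup(self, ip):
        """Resolve the identity behind a connection's source address."""
        pdp = self.networks.get(net(ip, CLASS_C))
        user = self.local_db.get(ip)
        if user is not None:
            # Local hit: register for the /28 so later identities are pushed.
            subnet = net(ip, SUBNET)
            if pdp is not None and subnet not in self.registered:
                self.registered.add(subnet)
                pdp.register(self, subnet)
            return user
        if pdp is None:
            return None   # no PDP advertised this Class C network
        user = pdp.query(ip)   # assumption: a direct query models the "search"
        if user is not None:
            self.local_db[ip] = user
        return user


def run_scenario():
    """One PDP and one PEP through all three stages; returns the PEP's view."""
    pdp, pep = PDP("pdp-hq"), PEP("pep-branch")
    pdp.peps.append(pep)
    pdp.acquire("10.1.1.5", "alice")       # only the /24 is advertised
    before = dict(pep.local_db)            # still empty on the PEP
    first = pep.lookup("10.1.1.5")         # local miss -> query the PDP
    second = pep.lookup("10.1.1.5")        # local hit -> register 10.1.1.0/28
    pdp.acquire("10.1.1.9", "bob")         # inside registered /28 -> pushed now
    pdp.acquire("10.1.1.200", "carol")     # 10.1.1.192/28 not registered
    return {
        "advertised": sorted(pep.networks),
        "before_lookup": before,
        "first": first,
        "second": second,
        "registered": sorted(pep.registered),
        "local_db": dict(pep.local_db),
        "pdp_registrations": {k: sorted(p.name for p in v)
                              for k, v in pdp.registrations.items()},
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the scenario, "bob" reaches the PEP without any request because his address falls in a /28 the PEP already registered, while "carol" stays on the PDP until a PEP asks for her network; that is the saving the text describes for branch-office PEPs.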

In Push Identity Sharing, when a PDP gets an identity, the PDP publishes the identity to the PEP.
Note - This is the only supported sharing method for an Identity Awareness Security Gateway that performs PDP and PEP roles.

When Identity Sharing operates as expected, these are the open connections between the PDP and the PEP:
- Identity connection - shares identity information from the PDP to the PEP. The PDP opens this connection to the PEP on port 15105. The pepd process listens for incoming identity connections on this port.
- Network connection - shares network information from the PEP to the PDP. The PEP opens this connection to the PDP on port 28581. The pdpd process listens for incoming network connections on this port.
If the PEP is configured in Push mode, it receives Identity connections but does not send Network connections.
If the PDP or PEP is a cluster, all members open the outgoing connection, but only the active cluster member gets incoming connections. The cluster uses its Virtual IP Address (VIP) for connections.
Important - Check Point Security Gateways have implied rules to allow these connections. If a third-party gateway drops the traffic, Identity Sharing does not work.
For more information, see Configuration Scenarios.
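A small Python helper that turns the connection rules above into a checklist and probes each listener with a TCP handshake, which is the first thing to verify when a third-party gateway sits between the PDP and the PEP. This is an added example, not Check Point code: the ports, directions and the Push-mode exception come from the text; the dictionary shape used to describe a gateway (an `ip`, or a `vip` for a cluster) and the function names are assumptions, and the addresses are the constructed values from the example below.

```python
"""Expected Identity Sharing flows and a reachability probe (added example)."""
import socket

IDENTITY_PORT = 15105   # pepd listens; the PDP connects to the PEP
NETWORK_PORT = 28581    # pdpd listens; the PEP connects to the PDP (Smart-Pull only)


def address_of(gw):
    """A cluster uses its VIP; a single gateway uses its own IP.
    `gw` is a constructed dict such as {"ip": ...} or {"vip": ...} (assumption)."""
    return gw.get("vip") or gw["ip"]


def expected_flows(pdp, pep, pep_mode="smart-pull"):
    """Return (source, destination, port, listening process) for every
    connection that must be allowed between the PDP and the PEP."""
    flows = [(address_of(pdp), address_of(pep), IDENTITY_PORT, "pepd")]
    if pep_mode == "smart-pull":
        # A PEP in Push mode never opens the Network connection.
        flows.append((address_of(pep), address_of(pdp), NETWORK_PORT, "pdpd"))
    return flows


def probe(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_from(local_address, pdp, pep, pep_mode="smart-pull"):
    """Run on one gateway: probe only the flows that gateway originates.
    Returns {(destination, port): reachable}."""
    results = {}
    for src, dst, port, _proc in expected_flows(pdp, pep, pep_mode):
        if src == local_address:
            results[(dst, port)] = probe(dst, port)
    return results


if __name__ == "__main__":
    # Constructed topology using the addresses from the page's example.
    pdp = {"ip": "10.10.10.10"}
    pep = {"ip": "11.11.11.11"}
    for flow in expected_flows(pdp, pep):
        print("allow %s -> %s tcp/%d (%s)" % flow)
    print(check_from("10.10.10.10", pdp, pep))
```

A probe that fails from the PDP toward the PEP on 15105, or from a Smart-Pull PEP toward the PDP on 28581, points at a drop on the path; confirm with "pdp connections pep" and "pep show pdp all" as described below.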
Example
In this example, the IP address of the PDP is 10.10.10.10 and the IP address of the PEP is 11.11.11.11.
To monitor connections on the PDP, on the PDP Gateway or active Cluster Member, run:
pdp connections pep
For more information, see pdp connections.
To monitor connections on the PEP, on the PEP Gateway or active Cluster Member, run:
pep show pdp all
For more information, see pep show.
Important - On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in the Expert mode on the applicable Security Group.
Example output of the "pdp connections pep" command:
Example output of the "pep show pdp all" command: