Nested Groups

Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. supports the use of LDAP nested groups. When a group is nested in a different group, users in the nested group are identified as part of the parent group.

For example, if Group_B is a member of Group_A, then Security Gateway identifies Group_B members as part of Group_A.

This table shows the available queries for nested groups:

Nested Groups Query

Description

CLI Command on Security Gateway

Recursive nested groups query

The gateway sends a query with the user name to the LDAP server.

Query results include all the groups that the user is a member of.

To know if a group is nested in a different group, and for each nesting level, you must send a new query.

This configuration is enabled by default.

The default nesting depth is 20.

For details, see sk66561.

pdp nested_groups __set_state 1

Per-user nested groups query

With one LDAP query, the response includes all groups for the given user, with all nesting levels.

Query results include groups from all branches in the forest.

The LDAP server sends the groups of a given user as a flat list.

The gateway sends this type of query to Global Catalog ports 3268/3269.

For details, see sk134292.

Best Practice - Use this query if you work with multiple branches in the account unit or if you use cross-domain trees with group membership.

For example, a user belongs in the domain tree example1.com and in the domain tree example2.com.

pdp nested_groups __set_state 2

Per-user nested groups query

With one LDAP query, the response includes all groups for the given user, with all nesting levels.

Query results include groups from the branch specified in the LDAP account unit.

The LDAP server sends the groups of a given user as a flat list.

You can use one of these ports reserved for LDAP communication: 3268, 3269, 389, 636.

Best Practice - Use this query if you work with a single branch in each account unit.

pdp nested_groups __set_state 4

Multi per-group nested groups query

The gateway sends one LDAP query, which includes the user name and the group.

In response, the LDAP server indicates if the user is a member of this group or not.

Best Practice - Use this query in a Microsoft Active Directory environment with many defined users and groups, and fewer groups defined in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

pdp nested_groups __set_state 3

To see the configuration status of nested groups, run this command:

pdp nested_groups status