Identity Cache Mode for Identity Sharing Protocols

Important:

This feature is available in the R81.20 Jumbo Hotfix Accumulator, Take 70 and higher.
This feature is disabled by default.

Overview

Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. operates with a default setting that adheres to a stringent approach to handle acute error flows.

This involves implementing the "prefer to delete" principle, which leads to the widespread deletion of identities in specific error scenarios.

Disconnection from the PDP Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways. for longer than 10 minutes.
- When a PDP (Policy Decision Point) or PEP Check Point Identity Awareness Security Gateway that acts as Policy Enforcement Point: receives identities via identity sharing; redirects users to Captive Portal. (Policy Enforcement Point) becomes disconnected, all the identities it has learned are deleted.
- When information is shared between PDPs through an Identity Broker Identity Sharing mechanism between Identity Servers (PDP): (1) Communication channel between PDPs based on Web-API (2) Identity Sharing capabilities between PDPs - ability to add, remove, and update the identity session., any deletions made should be efficiently communicated and reflected in the downstream layers of Identity Broker Subscribers.
  
  This ensures a synchronized and accurate data state throughout the entire identity management ecosystem.
If the PDP encounters a failure and reboots, there is a risk that it might synchronize an empty database with its peer systems.

The outcome of the behavior described above:

No Identity-based enforcement, and connectivity is broken.
Performance impact as a result of running and propagating the massive identity deletion logic.
Lack of resiliency, even in cases where the environment was designed to have alternative identity propagation paths.
In large scale environments, it may take hours until the system is fully recovered.

Identity Awareness Gateway uses the Identity Cache Mode for Identity Sharing protocols.

The Identity Cache Mode follows the "prefer to keep" principle, enabling Identity Awareness to regain stability without causing the aforementioned disruptions.

This approach prioritizes maintaining system integrity while addressing the issues highlighted earlier.

Instead of conducting extensive deletions, the relevant identities are kept in the database.
- PDP-to-PEP sharing - By default, 24 hours.
- PDP-to-PDP sharing - By default, 24 hours (configurable in CLI).
Allows identity propagation from alternative paths to overrun existing information at all times.
- Conciliation decision for the existing relevant Identity Sessions is "overwrite".
Upon the restoration of connectivity, assuming that the Identity Session has not been overwritten, the pertinent Identity Sessions undergo a "refresh" process, reverting to their initial state and logic.

Viewing the Current Status of the Identity Cache Mode

Enabling the Identity Cache Mode

Note - By default, the Identity Cache Mode is disabled in the R81.20 Jumbo Hotfix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulator.

Procedure

Connect to the command line on the Security Gateway / each Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member / Scalable Platform Security Group.
Log in to the Expert mode.

In the VSNext / Legacy VSX mode, go to the context of the applicable Virtual Gateway / Legacy Virtual System:

vsenv <VS ID>

Enable the Identity Cache Mode:

To enable the Identity Cache Mode for the PDP-to-PDP sharing protocol (Identity Broker), run:

pdp broker identity_cache_mode enable

To enable the Identity Cache Mode for the PDP-to-PEP sharing protocol, run:

pep control identity_cache_mode enable

Disabling the Identity Cache Mode

Best Practice - Do not disable the Identity Cache Mode.

Procedure

Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.
Log in to the Expert mode.

In the VSNext / Legacy VSX mode, go to the context of the applicable Virtual Gateway / Legacy Virtual System:

vsenv <VS ID>

Disable the Identity Cache Mode:

To disable the Identity Cache Mode for the PDP-to-PDP sharing protocol (Identity Broker), run:

pdp broker identity_cache_mode disable

To disable the Identity Cache Mode for the PDP-to-PEP sharing protocol, run:

pep control identity_cache_mode disable

Configuration of the Identity Cache Mode

For the PDP-to-PDP sharing protocol (Identity Broker), it is possible to configure the timeout for keeping the Identity Session in the database.

Procedure

Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.
Log in to the Expert mode.

In the VSNext / Legacy VSX mode, go to the context of the applicable Virtual Gateway / Legacy Virtual System:

vsenv <VS ID>

Configure the required Identity Cache Mode Session timeout:

pdp broker identity_cache_mode set_timeout <Timeout in Seconds>