Identity Conciliation - PDP

A Policy Decision Point (PDP Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways.) Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. uses the PDP Identity Conciliation mechanism.

Note - Identity Conciliation is supported for Security Gateway versions R80.40 and higher.

PDP Identity Conciliation - Actions

When the PDP Security Gateway receives an update about an identity (user identity or machine identity) on an IP address, from which the PDP has an active session, it does one of these actions:

Action	Description
Override	Deletes the current identity session. Keeps the new identity session.
Reject	Rejects the new identity session. Keeps the current identity session.
Append	Adds the new identity information to the current identity session.

Action

Description

Override

Deletes the current identity session.

Keeps the new identity session.

Reject

Rejects the new identity session.

Keeps the current identity session.

Append

Adds the new identity information to the current identity session.

PDP Identity Conciliation - Terms

Type of Identity Session	Description
Per-Entity	The PDP Security Gateway receives the session from an identity source other than an Identity Agent Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from Support Center. for a User Endpoint Computer. The session comes from: AD Query Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user. The technology is based on querying the Active Directory Security Event Logs and extracting the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients, or on the Active Directory server. RADIUS Accounting Identity Collector Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses and sends it to the Check Point Security Gateways or Infinity Identity solution for identity enforcement, you can download the Identity Collector package from the Support Center. Identity Web API
Per-Host	The PDP Security Gateway receives the session from an identity source directly on the user host: Identity Agent for a User Endpoint Computer Identity Agent for a Terminal Server (MUH) Remote Access VPN client Captive Portal A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication.
Between PDP Security Gateways in the same Management Domain	The PDP Security Gateway receives the session in one of these ways: Locally - the PDP Security Gateway) receives the identity directly from the identity source. From an Identity Broker Identity Sharing mechanism between Identity Servers (PDP): (1) Communication channel between PDPs based on Web-API (2) Identity Sharing capabilities between PDPs - ability to add, remove, and update the identity session. Publisher, when the same Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. manages the two Security Gateways - this Identity Subscriber and the Identity Publisher
Between PDP Security Gateways in different Management Domains ("external session")	The PDP Security Gateway receives the session from an Identity Broker Publisher, when different Management Servers manage the two Security Gateways - this Identity Subscriber and the Identity Publisher

PDP Identity Conciliation - PDP Session Parameters

Parameter	Description
Office Mode IP Address	If the current session, or the new session comes from a Remote Access VPN client, then the PDP Security Gateway gives a higher priority to the session from a Remote Access VPN client.
Confidence	The PDP Security Gateway gives a higher priority to a session that has a higher score. These are the default scores for different identity sources: 40 - Remote Access VPN client, or Identity Agent for a Terminal Server 30 - Identity Agent 20 - Captive Portal 15 - Identity Web API 10 - Identity Collector, or RADIUS Accounting 0 - AD Query, or IFMAP
Locality	The Security Gateway gives a higher priority to a session that was shared by fewer Gateways (lower hop count). Example: Session A Identity Source => PDP Identity Publisher (Hop Count = 0) => PDP Identity Subscriber (Hop Count = 1) Total Hop Count = 1 Session B Identity Source => PDP Identity Publisher (Hop Count = 0) => PDP Identity Subscriber/Publisher (Hop Count -1) => PDP Identity Subscriber (Hop Count = 2) Total Hop Count = 2 Because Session A has a lower hop count, the PDP Gateway gives higher priority to Session A.
Time To Live (TTL)	The PDP Security Gateway gives a higher priority to a session that has a more recent time stamp (created more recently). The timestamp is in the Epoch Time format.
Full Session	The PDP Security Gateway gives a higher priority to a session that has a user identity and a machine identity (comparing to a session that has only one of these attributes).
PDP Preference	The PDP Security Gateway gives a higher priority to a session that it receives from a specific PDP Identity Publisher. By default, there are no preferred Identity Publishers.

PDP Identity Conciliation - Possible Session Scenarios

The PDP Identity Conciliation supports these scenarios:

Scenario	Internal Session Category	Current Session	New Session	Management Domains of PDP Security Gateways	Identity Conciliation Action	Description
1	PerEntityInDomain	Per-Entity	Per-Entity	Same	Always Append	The two identity sessions are Per-Entity sessions. The same Management Server manages the two PDP Security Gateways. The default action is "Append" (administrator cannot change this behavior). Priorities of session parameters: Value0 - Confidence Value1 - Time to Live (TTL) Value2- Locality Value3 - PDP Preference
2	PerEntityExternal	Per-Entity	Per-Entity	Different	Based on the configured priorities of session parameters	The two identity sessions are Per-Entity sessions. Different Management Servers manage the two PDP Security Gateways. Priorities of session parameters: Value0 -Locality Value1 - Confidence Value2 - Time to Live (TTL) Value3 - PDP Preference
3	PerHostInDomain	Per-Host or Per-Entity	Per-Host	Same	If the new session arrives directly from the Identity Source , the decision is Override. If the new session arrives from an Identity Broker, the decision is based on the configured priorities of session parameters	The current session is a Per-Host session or a Per-Entity session. The new session is a Per-Host session. The same Management Server manages the two PDP Security Gateways. When the PDP Security Gateway receives the session directly from the Identity Source (not from an Identity Broker, the decision is Append. When the PDP Security Gateway receives the session from an Identity Broker, the decision is according to the configured priorities of the session parameters. Priorities of session parameters: Value0 - Office Mode IP Address Value1 - Confidence Value2 - Time to Live (TTL) Value3 - Locality Value4 - Full Session Value5 - PDP Preference
4	PerHostInDomain	Per-Host	Per-Entity	Same	Based on the configured priorities of session parameters	The current session is a Per-Host session. The new session is a Per-Entity session. The same Management Server manages the two PDP Security Gateways. Priorities of session parameters: Value0 - Office Mode IP Address Value1 - Confidence Value2 - Time to Live (TTL) Value3 - Locality Value4 - Full Session Value5 - PDP Preference
5	PerHostExternal	Per-Host or Per Entity	Per-Host	Different	If the new session arrives directly from the Identity Source , the decision is Override. If the new session arrives from an Identity Broker, the decision is based on the configured priorities of session parameters	The current session is a Per-Host session or a Per-Entity session The new session is a Per-Host session. The same Management Server manages the two PDPSecurity Gateways. When the PDP Security Gateway receives the session directly from the Identity Source (not from an Identity Broker, the decision is Append. When the PDP Security Gateway receives the session from an Identity Broker, the decision is according to the configured priorities of the session parameters. Priorities of session parameters: Value0 - Locality Value1 - Confidence Value2 - Time to Live (TTL) Value3 - Full Session Value4 - PDP Preference
6	PerHostExternal	Per-Host	Per-Entity	Different	Based on the configured priorities of session parameters	The current session is a Per-Host session. The new session is a Per-Entity session. Different Management Servers manage the two PDP Security Gateways. Priorities of session parameters: Value0 - Locality Value1 - Confidence Value2 - Time to Live (TTL) Value3 - Full Session Value4 - PDP Preference

PDP Identity Conciliation - Decision Flow

In cases when PDP Security Gateway does not make the default action, it examines the configured priorities of the session parameters.

The Security Gateway decides which Session Scenario applies.
The Security Gateway compares the two identity sessions based on the first session parameter:
- If the current session gets higher priority based on the session parameter, the Security Gateway decides to Reject the new session.
- If the new session gets higher priority based on the session parameter, the Security Gateway decides to Override the current session.
If neither the current, nor the new session gets higher priority (the sessions are in a "tie"), the Security Gateway compares the next session parameter until it makes a decision.

PDP Identity Conciliation - Examples

#	Current Session	New Session	Management Domain	PDP Conciliation Decision
1	Identity source - Identity Collector. The Security Gateway received this identity session through the Identity Broker sharing mechanism. The same Management Server manages the two PDP Security Gateways.	Identity source - RADIUS Accounting. The Security Gateway received this identity session directly.	The same Management Server manages the two PDP Security Gateways.	Append the new session to the current session. Internal session category - PerEntityInDomain.
2	Identity source - Identity Agent for a Terminal Server. The Security Gateway received this identity session through the Identity Broker sharing mechanism. The same Management Server manages the two PDP Security Gateways.	Identity source - Remote Access VPN client. The Security Gateway received this identity session directly.	The same Management Server manages the two PDP Security Gateways.	Override the current session with the new session. Internal session category - PerHostInDomain.
3	Identity source - Identity Web API. The Security Gateway received this identity session through the Identity Broker sharing mechanism.	Identity source - Captive Portal. The Security Gateway received this identity session through the Identity Broker sharing mechanism.	Different Management Servers manage the two PDP Security Gateways	Internal session category - PerHostExternal. The Security Gateway compares the two session based on these session parameters: Value0 - Locality (hop count) Value1 - Confidence Value2 - Time to Live (TTL) Value3 - Full Session Value4 - PDP Preference Example: The Security Gateway compares the two session based on the first session parameter on the list - "Locality": If the current session has a lower hop count, then it has the higher priority. The decision is to Reject the new session. If the new session has a lower hop count, then it has the lower priority. The decision is to Override the current session with the new session. If the sessions have the same hop count (a "tie"), the Security Gateway compares the two session based on the second session parameter on the list - "Confidence": The Confidence score of Captive Portal (20) is greater than the Confidence score of Identity Web API (15). The decision is to Override the current session with the new session.

Current Session

New Session

Management Domain

PDP Conciliation Decision

Identity source - Identity Collector.

The Security Gateway received this identity session through the Identity Broker sharing mechanism.

The same Management Server manages the two PDP Security Gateways.

Identity source - RADIUS Accounting.

The Security Gateway received this identity session directly.

The same Management Server manages the two PDP Security Gateways.

Append the new session to the current session.

Internal session category - PerEntityInDomain.

Identity source - Identity Agent for a Terminal Server.

The Security Gateway received this identity session through the Identity Broker sharing mechanism.

The same Management Server manages the two PDP Security Gateways.

Identity source - Remote Access VPN client.

The Security Gateway received this identity session directly.

The same Management Server manages the two PDP Security Gateways.

Override the current session with the new session.

Internal session category - PerHostInDomain.

Identity source - Identity Web API.

The Security Gateway received this identity session through the Identity Broker sharing mechanism.

Identity source - Captive Portal.

The Security Gateway received this identity session through the Identity Broker sharing mechanism.

Different Management Servers manage the two PDP Security Gateways

Internal session category - PerHostExternal.

The Security Gateway compares the two session based on these session parameters:

Value0 - Locality (hop count)
Value1 - Confidence
Value2 - Time to Live (TTL)
Value3 - Full Session
Value4 - PDP Preference

Example:

The Security Gateway compares the two session based on the first session parameter on the list - "Locality":
- If the current session has a lower hop count, then it has the higher priority.
  
  The decision is to Reject the new session.
- If the new session has a lower hop count, then it has the lower priority.
  
  The decision is to Override the current session with the new session.
If the sessions have the same hop count (a "tie"), the Security Gateway compares the two session based on the second session parameter on the list - "Confidence":
- The Confidence score of Captive Portal (20) is greater than the Confidence score of Identity Web API (15).
  
  The decision is to Override the current session with the new session.

PDP Identity Conciliation - Configuration

Warning - We recommend to use the default values in the configuration file. Wrong configuration can lead to connectivity issues for end-users.

Note - In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

Editing the configuration file:

Connect to the command line on the Security Gateway / each Cluster Member Security Gateway that is part of a cluster. / Scalable Platform Security Group.
Log in to the Expert mode.

Back up the current configuration file:

cp -v $FWDIR/conf/pdp_session_conciliation.C{,_BKP}

Edit the current configuration file:

vi $FWDIR/conf/pdp_session_conciliation.C

Make the applicable changes.

Warning - Be careful when you edit this file. If the syntax of this file is wrong, the Security Gateway uses the default values for all parameters.

Save the changes in the file and exit the editor.

On a Scalable Platform Security Group - copy the updated file to all Security Group Members:

asg_cp2blades $FWDIR/conf/pdp_session_conciliation.C

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., install the Access Control Policy on this Security Gateway / Cluster object.

Parameters in the configuration file:

Section

Parameter

Parameter and Default Value

Description

PDPPreferencesConfig

Contains the IP addresses and preference values for preferred PDP Identity Publishers.

The higher the preference value, the higher the priority.

127.0.0.1 (0)

Default value.

ConfidenceConfig

ScorePerAttribute

:HasLogoutNotification (0)

:HasAuthorization (0)

:HasAuthentication (0)

:HasKeepAlive (0)

:HasIpSpoofingDetection (0)

:HasRoamingDetection (0)

:HasLogout (0)

Advanced parameters related to the session state.

Warning - Change these values only if Check Point Support or R&D explicitly told you to do so. Contact Check Point Support.

ScorePerIdentitySource

Scores for Identity Sources.

:portal (20)

Score for Captive Portal.

:ida_agent (30)

Score for Identity Agent for a User Endpoint Computer.

:vpn (40)

Score for Remote Access VPN clients.

:adq (0)

Score for AD Query.

:ifmap (0)

Score for IFMAP

:muh_agent (40)

Score for Identity Agent for a Terminal Server v1.

:radius (10)

Score for RADIUS Accounting.

:ida_api (15)

Score for Identity Web API.

:idc (10)

Score for Identity Collector.

:muh_agent2 (40)

Score for Identity Agent for a Terminal Server v2.

ConciliationConfig

Session parameters and their priority for the possible session scenarios.

See:

PDP Identity Conciliation - Terms
PDP Identity Conciliation - PDP Session Parameters
PDP Identity Conciliation - Possible Session Scenarios

PerHostInDomain

:0 (OfficeModeIp)

:1 (Confidence)

:2 (Ttl)

:3 (Locality)

:4 (FullSession)

:5 (PdpPreference)

PerEntityInDomain

:0 (Confidence)

:1 (Ttl)

:2 (Locality)

:3 (PdpPreference)

PerHostExternal

:0 (Locality)

:1 (Confidence)

:2 (Ttl)

:3 (FullSession)

:4 (PdpPreference)

PerEntityExternal

:0 (Locality)

:1 (Confidence)

:2 (Ttl)

:3 (PdpPreference)

Examples:

PDP Identity Conciliation Configuration File - Example 1

All Security Gateways in the environment are in the same Management domain.

One PDP Publisher shares information from Identity Collector.

A second PDP Publisher shares information from Identity Agent for a Terminal Server.

The administer wants to prefer the PDP Publisher that sends information from Identity Collector.

The relevant Internal Session Category is PerHostInDomain. By default, the session from the PDP Publisher that sent the Identity Agent session remains because it has the higher Confidence priority.

To prefer the PDP Publisher that sends information from Identity Collector,make these changes in the $FWDIR/conf/ pdp_session_conciliation.C file in the PDP Gateway.

Change the ordered set of PerHostInDomain behavior as shown. Put "(PdpPreference)" in position :0 and decrease the position of other parameters by one.

:PerHostInDomain (

:0 (PdpPreference)

:1 (OfficeModeIp)

:2 (Confidence)

:3 (Ttl)

:4 (Locality)

:5 (FullSession)

)
Change the score of the relevant PDP Publisher (Identity Collector) in the PDPPreferencesConfig sub-section to be higher than the score of the other PDP Publisher (Identity Agent for a Terminal Server).
Install policy.

PDP Identity Conciliation Configuration File - Example 2

This example shows how to configure Remote Access VPN and Identity Agent on the same user endpoint computer. With this configuration, the PDP Gateway can identify users when they log in through Remote Access VPN. If Identity Agent is installed on the user endpoint computer, the PDP Gateway does not stop the previous connection.

Without this configuration, there is flapping of the identity between Identity Agent and Remote Access VPN. Each causes the other to log off every 10-15 minutes.

To configure Remote Access VPN and Identity Agent on the same user endpoint computer and prevent flapping, make these changes in the $FWDIR/conf/ pdp_session_conciliation.C file in the PDP Gateway.

In the section PerHostInDomain:
1. Put "(Confidence)" in the position :0
2. Put "(OfficeModeIP)" in the position :1
In the section ScorePerIdenitiySource:
1. Increase the score of ida_agent so that it is higher than the score of vpn
  
  Example: If the score of vpn is 30, make the score of ida_agent 40.
Save the changes in the file.
In SmartConsole install policy.
On the Security Gateway / each Cluster Member / Security Group, restart the pdpd daemon with the "fw kill pdpd" command.