pdp broker

Description

These commands control the PDPClosed Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways. Identity BrokerClosed Identity Sharing mechanism between Identity Servers (PDP): (1) Communication channel between PDPs based on Web-API (2) Identity Sharing capabilities between PDPs - ability to add, remove, and update the identity session..

Syntax

pdp broker

      debug {set | unset} <options>

      discard <options>

      reconnect <options>

      status [-e]

      sync <options>

Parameters

Parameter

Description

debug set <options>

debug unset <options>

Controls the debug of the PDP Identity Broker.

The available <options> are:

 

  • Print the logs related to remote Publisher PDPs:

    pdp broker debug set pub <IP Address of Publisher PDP>

  • Disable the logs related to remote Publisher PDPs:

    pdp broker debug unset pub <IP Address of Publisher PDP>

 

  • Print the extended logs related to remote Publisher PDPs:

    pdp broker debug set pub_ext <IP Address of Publisher PDP>

  • Disable the extended logs related to remote Publisher PDPs:

    pdp broker debug unset pub_ext <IP Address of Publisher PDP>

 

  • Print the logs related to communication with remote Publisher PDPs:

    pdp broker debug set pub_transport <IP Address of Publisher PDP>

    Enable this debug on the Subscriber PDP side to observe the Publisher PDP's JSON requests in these cases:

    • To monitor networking issues in case the message was not received.

    • To monitor the JSON requests from the Publisher PDPs and related message-parsing issues.

    • To monitor if the content of the JSON does not meet the requirements (for example: Sharing ID).

  • Disable the logs related to communication with remote Publisher PDPs:

    pdp broker debug unset pub_transport <IP Address of Publisher PDP>

 

  • Print the logs related to remote Subscriber PDPs:

    pdp broker debug set sub <IP Address of Subscriber PDP>

  • Disable the logs related to remote Subscriber PDPs:

    pdp broker debug unset sub <IP Address of Subscriber PDP>

 

  • Print the extended logs related to remote Subscriber PDPs:

    pdp broker debug set sub_ext <IP Address of Subscriber PDP>

  • Disable the extended logs related to remote Subscriber PDPs:

    pdp broker debug unset sub_ext <IP Address of Subscriber PDP>

 

  • Print the logs related to communication with remote Subscriber PDPs:

    pdp broker debug set sub_transport <IP Address of Subscriber PDP>

  • Disable the logs related to communication with remote Subscriber PDPs:

    pdp broker debug unset sub_transport <IP Address of Subscriber PDP>

 

Notes:

  • For more information about the debug, see pdp debug.

  • To see the HTTP related issues, run this command to enable the debug on the Publisher PDP side:

    pdp debug set HttpClient all

    To see more information for some errors, run this command:

    pdp broker status [-e]

discard <option>

Controls the timeout for discarding sessions received from the specified Publisher PDP during a disconnection.

The available <options> are:

  • Show the current timeout:

    pdp broker discard show_timeout <IP Address of Publisher PDP>

  • Configure the new timeout (in seconds):

    pdp broker discard set_timeout <IP Address of Publisher PDP> <Timeout>

reconnect <IP Address of Subscriber PDP>

Forces the reconnection to the specified Subscriber PDP immediately.

If you run this command, the PDP ignores the keep-alive intervals and exponential backoff timeouts, and sends the handshake / keep-alive immediately.

Best Practice - You can use this command when a long time passed since the PDP disconnected, and it is necessary to establish the connection again immediately.

status [-e]

Shows the status of remote Publisher PDPs and Subscriber PDPs.

The option "-e" flag adds more information (Subscriber PDP port and the last error time and description).

sync <option>

Synchronizes identities with the specified Publisher PDPs or Subscriber PDPs.

The available <options> are:

 

  • Send the synchronization request (in the next broker message) to the specified remote Publisher PDP:

    pdp broker sync pub <IP Address of Publisher PDP>

  • Send the synchronization request (in the next broker message) to all remote Publisher PDPs:

    pdp broker sync pub all

 

Control the schedule for synchronization with remote Publisher PDPs:

pdp broker sync schedule {add <option> | remove <option>| show <option>}

  • To add new synchronization time:

    pdp broker sync schedule add <IP Address of Publisher PDP> "<HH:MM>"

  • To remove the current schedule:

    pdp broker sync schedule remove <IP Address of Publisher PDP> "<HH:MM>"

  • To show the current schedule:

    pdp broker sync schedule show [<IP Address of Publisher PDP>]

 

  • Initiate the synchronization with the specified remote Subscriber PDP:

    pdp broker sync sub <IP Address of Subscriber PDP>

  • Initiate the synchronization with all remote Subscriber PDPs:

    pdp broker sync sub all