Identity Sharing

Best Practice - In a distributed environment with multiple Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Security Gateways and AD Query Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user. The technology is based on querying the Active Directory Security Event Logs and extracting the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients, or on the Active Directory server., an Identity Sharing configuration improves performance and flexibility.

In this configuration, Identity Awareness Security Gateways share identity information with other Identity Awareness Security Gateways. You can configure Identity Sharing across multiple Security Gateways if the Security Gateways have Identity Awareness Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. enabled.

Without Identity Sharing:

Identity Agents connect to only one Identity Awareness Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..
When traffic goes through more than one Identity Awareness Security Gateway, you can require users to authenticate on each Identity Awareness Security Gateway (for example, in Captive Portal A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication.).
Each Identity Awareness Security Gateway is connected to an identity source (for example, AD Query). Each Identity Awareness Security Gateway makes a query to the Active Directory. Each Identity Awareness Security Gateway queries for the group membership and calculates the Access Role Access Role objects let you configure network access according to: Networks, Users and user groups, Computers and computer groups, Remote Access Clients. After you activate the Identity Awareness Software Blade, you can create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules. object. This increases the load on the Security Gateways.

Introduction to Identity Sharing

An Identity Awareness Security Gateway configured as a Policy Decision Point gets identity information and shares it with other Identity Awareness Security Gateways configured as Policy Enforcement Points. This way, only one Identity Awareness Security Gateway performs the group membership query and calculates the Access Role object. This reduces the load on the identity sources, on User Directory Check Point Software Blade on a Management Server that integrates LDAP and other external user management servers with Check Point products and security solutions., or on the two of them.

PDP - Policy Decision Point:

Gets user/computer identities from the designated identity sources.
Shares user/computer identities with other Identity Awareness Security Gateways.

PEP - Policy Enforcement Point:

Provides the applicable Access Roles to the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase. process. It enforces the procedure as defined in the policy.
Receives identities through Identity Sharing.
Can redirect users to the Identity Awareness Captive Portal.

Supported Configurations for Identity Sharing:

One PDP Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways. shares identities to multiple PEPs.
One PEP Check Point Identity Awareness Security Gateway that acts as Policy Enforcement Point: receives identities via identity sharing; redirects users to Captive Portal. receives identities from multiple PDPs.
PDP and PEP processes run on different Security Gateways and use Smart-Pull Identity Sharing for the connection.
PDP and PEP processes run on the same Security Gateway and use Push Identity Sharing for the connection.

When an Identity Server Check Point Security Gateway with enabled Identity Awareness Software Blade. needs to connect to an Identity Awareness Gateway for Identity Sharing, the Identity Server uses the IP Address of the Identity Awareness Gateway object.

If a network configuration does not allow communication with this IP Address of the Identity Awareness Gateway, you can configure a different IPv4 Address for the communication channel between the Identity Server and the Identity Awareness Gateway. For more information, see sk60701.

Smart-Pull Identity Sharing

In large environments, not all PEPs must have the identities from all PDPs. For example, it is not necessary for small branch offices with a small number of users to keep all of the identities from the PDP in the headquarters office.

When Smart Pull is configured, identities are sent to the PEP only when the PEP requests or pulls them from the PDP. This saves space on the PEP and avoids transactions between the PDP and the PEP that are not necessary.

The Smart-Pull Identity Sharing operation stages are:

Identity Acquisition

The PDP gets identities and keeps them in the PDP repository.
The PDP notifies the applicable PEPs about the network (Class C), where the user was identified.

Notes:

The PDP does not publish the identities to the PEPs until the Identity Propagation stage.
The pep show network pdp command on the PEP shows the PDPs and the networks they identify.
The pdp network info command on the PDP shows all the networks it publishes.

Sub-Network Registration

A user initiates a connection through the PEP. If the policy must have an identity element, the PEP searches for the identity in its local database.

If the PEP finds the identity in its local database, then:
1. The PEP registers to the PDP for notification about a smaller network (subnet mask 255.255.255.240).
2. The PDP publishes all the currently known identities from the networks with the subnet mask 255.255.255.240 to the PEPs that register.
If the PEP does not find the identity in its local database, the PEP searches for a PDP that knows the applicable Class C network to find the identity.

Notes:

The pep show network registration command on the PEP shows the networks with the subnet mask 255.255.255.240, to which the PEP is registered.
The pdp network registered command on the PDP shows the list of the PEPs for the networks with the subnet mask 255.255.255.240.

Identity Propagation
1. The PDP gets the identity of a user, who has an IP address from an already registered network with the subnet mask 255.255.255.240.
2. The PDP immediately publishes the identity to the registered PEPs.

Monitoring Identity Sharing

When Identity Sharing operates as expected, these are the open connections between the PDP and the PEP:

Identity connection - shares identity information from the PDP to the PEP. The PDP opens this connection to the PEP on port 15105. The pepd process listens for incoming identity connections on this port.
Network connection - shares network information from the PEP to the PDP. The PEP opens this connection to the PDP on port 28581. The pdpd process listens for incoming network connections on this port.

If the PEP is configured in Push mode, it receives Identity connections but does not send Network connections.

If the PDP or PEP is a cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., all members open the outgoing connection but only the active cluster member Security Gateway that is part of a cluster. gets incoming connections. The cluster uses its Virtual IP Address (VIP) for connections.

Important - Check Point Security Gateways have implied rules to allow these connections. If a third-party gateway drops the traffic, Identity Sharing does not work.

For more information, see Configuration Scenarios.

Example

In this example, the IP address of the PDP is 10.10.10.10 and the IP address of the PEP is 11.11.11.11.

To monitor connections on the PDP, on the PDP Gateway or active Cluster Member, run:

pdp connections pep

For more information, see pdp connections.

To monitor connections on the PEP, on the PEPGateway or active Cluster Member, run:

pep show pdp all

For more information, see pep show.

Important - On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in the Expert mode on the applicable Security Group.

Example output of the "pdp connections pep" command:

[Expert@MyGW1:0]# pdp connections pep
------------------------------------------------------------------------------------------------------
| Direction | IP            | Port  | Name  | Type           | Status    | Location | IPv6 Supported |
------------------------------------------------------------------------------------------------------
| Incoming  | 172.23.57.237 | 28581 | MyGW2 | Single Gateway | Connected | Remote   | No             |
------------------------------------------------------------------------------------------------------
| Outgoing  | 127.0.0.1     | 15105 | MyGW3 | Single Gateway | Connected | Locally  | No             |
------------------------------------------------------------------------------------------------------
| Outgoing  | 172.23.57.237 | 15105 | MyGW2 | Single Gateway | Connected | Remote   | No             |
------------------------------------------------------------------------------------------------------
[Expert@MyGW1:0]#

Example output of the "pep show pdp all" command:

[Expert@MyGW1:0]# pep show pdp all
Command: root->show->pdp->all
---------------------------------------------------------------------------
| Direction | IP            | ID | Status    | Users | Connect time       |
---------------------------------------------------------------------------
| Incoming  | 127.0.0.1     | 0  | Connected | 0     | 13Oct2022 20:04:46 |
---------------------------------------------------------------------------
| Incoming  | 172.23.57.220 | 0  | Connected | 0     | 13Oct2022  9:44:11 |
---------------------------------------------------------------------------
| Outgoing  | 172.23.57.220 | 0  | Connected | N/A   | 13Oct2022  9:44:09 |
---------------------------------------------------------------------------
[Expert@MyGW1:0]#