Identity Conciliation - PEP

A Policy Enforcement Point (PEP) Security Gateway uses the PEP Identity Conciliation mechanism.

Note - Identity Conciliation is supported for Security Gateway versions R80.40 and higher.

PEP Identity Conciliation - Actions

When the PEP Security Gateway receives an update about an identity (user identity or machine identity) on an IP address, from which the PEP has an active session, it does one of these actions:

Action   | Description
---------|--------------------------------------------------------------------------
Override | Deletes the current identity session. Keeps the new identity session.
Reject   | Rejects the new identity session. Keeps the current identity session.

PEP Identity Conciliation - Default Configuration

By default, the PEP Identity Conciliation decides based on Confidence.

The PDP Security Gateway gives a higher priority to a session that has a higher score.

These are the default scores for different identity sources:

To change the confidence scores, contact Check Point Support.

PEP Identity Conciliation - Custom Configuration

In a custom configuration, the PEP Identity Conciliation can compare the two sessions based on a global score that considers Confidence and one or more of these other factors:

Factor         | Description
---------------|--------------------------------------------------------------------------
PDP Preference | This is the PDP Security Gateway from which the PEP receives the identity session. The session that comes from a PDP with a higher priority gets points based on this factor. By default, no PDP is preferred.
Time to Live   | The PDP Security Gateway gives a higher priority to the session that has more time remaining until its expiration time.
Full Session   | If one session has both a user identity and a machine identity, and the other session has only one kind of identity, the session with both identities gets points based on this factor.
Connect_Time   | The session with the newer connect timestamp gets a higher score. This factor does not exist in the default and basic configurations.

To make a custom configuration, contact Check Point Support.
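The following Python model is an added illustration of the decision described above (it is not Check Point code): in the default configuration only Confidence is compared, and in a custom configuration the listed factors add points to a global score. The confidence values, the factor weights, the session fields and the tie rule (a tie keeps the current session) are all assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class IdentitySession:
    """Constructed model of an identity session seen by the PEP (fields are assumed)."""
    ip: str
    confidence: int        # placeholder confidence score; real per-source values are not on this page
    pdp: str               # PDP Security Gateway that shared the session
    ttl_remaining: int     # seconds left until the session expires
    has_user: bool
    has_machine: bool
    connect_time: int      # connect timestamp (epoch seconds)

# Assumed factor weights (hypothetical; real values are configured with Check Point Support).
WEIGHTS = {"pdp_preference": 10, "time_to_live": 5, "full_session": 20, "connect_time": 5}

def global_score(session, other, factors, pdp_priority):
    """Confidence plus points for each enabled factor, judged relative to the other session."""
    score = session.confidence
    if "pdp_preference" in factors:
        # A session from a PDP with higher priority gets points; an empty map means no PDP is preferred.
        if pdp_priority.get(session.pdp, 0) > pdp_priority.get(other.pdp, 0):
            score += WEIGHTS["pdp_preference"]
    if "time_to_live" in factors and session.ttl_remaining > other.ttl_remaining:
        score += WEIGHTS["time_to_live"]
    if "full_session" in factors:
        full = session.has_user and session.has_machine
        other_full = other.has_user and other.has_machine
        if full and not other_full:
            score += WEIGHTS["full_session"]
    if "connect_time" in factors and session.connect_time > other.connect_time:
        score += WEIGHTS["connect_time"]
    return score

def conciliate(current, new, factors=(), pdp_priority=None):
    """Return 'Override' (keep the new session) or 'Reject' (keep the current session).

    factors=() reproduces the default configuration: Confidence only.
    Assumption: a tie keeps the current session (the page does not state the tie rule).
    """
    pdp_priority = pdp_priority or {}
    cur = global_score(current, new, factors, pdp_priority)
    nw = global_score(new, current, factors, pdp_priority)
    return "Override" if nw > cur else "Reject"

# Constructed sample: same IP, the current session is a full (user + machine) session with a
# longer TTL, the new one has slightly higher confidence but carries only a machine identity.
CURRENT = IdentitySession("10.0.0.5", 60, "pdp-a", 600, True, True, 1000)
NEW = IdentitySession("10.0.0.5", 65, "pdp-b", 300, False, True, 2000)
```

With the default configuration the new session wins on confidence alone, while enabling the Full Session and Time to Live factors lets the richer, longer-lived current session win instead.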