PDP Multi-Process

When PDPClosed Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways. Multi-Process is enabled, a PDP Gateway runs several PDP instances in parallel to improve performance. The Gateway distributes load between the PDP instances automatically. PDP Multi-Process is disabled by default. Each PDP instance is identical.

 

PDP Single Process (Default Configuration)

PDP Multi-Process

Number of Identity Agents supported for each PDP

20,000 Identity Agents for each PDP Gateway

100,000 Identity Agents for each PDP Gateway

Number of identities supported for each PDP

Up to 200,000 identities within one hour for each PDP Gateway, 100 logins per second using Identity AgentClosed Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from Support Center.s

Up to 1,000,000 identities within one hour (rush hour) for each PDP Gateway, 500 logins per second using Identity Agent

PDP Multi-Process Prerequisites

PDP Multi-Process Use Case

Each PDP instance supports up to 20,000 Identity Agents, for a maximum of 100,000 Identity Agents if you run 5 PDP instances.

If the Identity Source is not an Identity Agent (for example: Identity CollectorClosed Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses and sends it to the Check Point Security Gateways for identity enforcement, you can download the Identity Collector package from the Support Center., Web API, Remote Access VPN), these are the recommended numbers of PDP instances to use:

Number of Identities

Number of PDP Instances Recommended

Up to 50,000 identities

1 PDP instance

50,000-200,000 identities

3 PDP instances

200,000-1,000,000 identities

5 PDP instances

Using PDP Multi-Process

Notes:

  • On Scalable Platforms, you must run the applicable commands in the Expert mode on the applicable Security Group.

    You must add "g_all" in front of the command listed below.

  • See the R82.10 CLI Reference Guide.

This procedure requires a restart of all Check Point processes and applications. Schedule a maintenance window to do this procedure.

  1. Connect to the command line on the PDP Gateway.

  2. Log in to the Expert mode.

  3. Run:

    pdp control multi_instance set [<number_of_pdp_instances>]

    For the <number_of_pdp_instances>, enter the number of PDP instances from 1 to 5.

    For example, to set 3 PDP instances, run:

    pdp control multi_instance set 3

  4. In a ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. configuration, do steps 1-3 for all Cluster Members.

  5. Stop all Check Point applications on the Security Gateway / all Cluster Members:

    cpstop

  6. Start all Check Point applications on the Security Gateway / all Cluster Members:

    cpstart

To disable PDP Multi-Process, set the number of PDP processes to 1. In a Cluster configuration, do this procedure on all cluster members. This procedure requires a restart of all Check Point processes and applications.

  1. Connect to the command line on the PDP Gateway.

  2. Log in to the Expert mode.

  3. Run:

    pdp control multi_instance set 1

  4. In a Cluster configuration, do steps 1-3 for all Cluster Members.

  5. Stop all Check Point applications on the Security Gateway / all Cluster Members:

    cpstop

  6. Start all Check Point applications on the Security Gateway / all Cluster Members:

    cpstart

You can view how many PDP processes exist on a Gateway

  1. Connect to the command line on the PDP Gateway.

  2. Log in to the Expert mode.

  3. Run:

    pdp control multi_instance status

    The output of the command shows the number of active PDP processes. If there is exactly one PDP process, the output says "Multi Instance is disabled".