Activating the Identity Awareness Software Blade

Note - Run this procedure only on the PDP Security Gateway that shares identities with other Security Gateways. Refer to the Identity Sharing configuration options below.

1. Connect with SmartConsole to the Management Server.

2. From the left navigation panel, click Gateways & Servers.

3. Create a new Host object with these settings:

   • Name: LocalHost

   • IPv4 address: 127.0.0.1

4. Open the applicable Security Gateway / Cluster object.

5. From the left tree, click the General Properties page.

6. On the Network Security tab, select the Identity Awareness Software Blade:

   1. The Identity Awareness Configuration wizard opens.

   2. Click Cancel to close the wizard if the displayed methods are not needed.

7. From the left tree, click the Identity Awareness page.

8. Select Identity Web API and click Settings.

9. Configure the Identity Web API settings:

   1. In the Authorized Clients section, click [+] and select the Host object you created earlier (LocalHost).

   2. In the Selected Client Secret field, enter your secret word or generate a random secret.

   3. Click OK.

   Note - If you add more than one authorized client host, the host that represents 127.0.0.1 must be the first item in the Authorized Clients list of the Identity Web API.

10. Click OK.

11. Install the Access Control Policy.
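The procedure above enables the Identity Web API on the PDP and restricts it to the hosts in Authorized Clients that present the Client Secret. The Python client below is added here as an example of what such an authorized client sends; it is not Check Point's or CloudGuard Controller's own code. The endpoint paths (/_IA_API/v1.0/add-identity, /_IA_API/v1.0/show-identity) and the JSON field names (shared-secret, ip-address, user, machine, session-timeout, roles) are those of the Check Point Identity Web API as documented; confirm them against the Identity Awareness Administration Guide for your release. The gateway name, CA bundle path, environment variable names, the session-timeout cap and the sample user, address and Access Role name are constructed placeholders.

```python
"""Minimal Identity Web API client (added example, not Check Point code).

Endpoint paths and field names follow the Check Point Identity Web API
reference; gateway name, CA bundle path, env var names and sample data
are constructed for this example.
"""
import ipaddress
import json
import os
import ssl
import urllib.request

API_BASE = "/_IA_API/v1.0"       # Identity Web API path prefix on the gateway
MAX_SESSION_TIMEOUT = 12 * 3600  # cap chosen for this example, not an API limit


def build_add_identity(secret, ip, user=None, roles=(), session_timeout=3600, machine=None):
    """Return the JSON body for add-identity after validating the inputs."""
    if not secret:
        raise ValueError("shared secret must not be empty")
    # The gateway keys identities by address, so accept only a single host
    # address; a prefix or hostname typo would map the user onto nothing or
    # onto the wrong host.
    addr = ipaddress.ip_address(ip)
    if isinstance(session_timeout, bool) or not isinstance(session_timeout, int):
        raise ValueError("session-timeout must be an integer number of seconds")
    if not 0 < session_timeout <= MAX_SESSION_TIMEOUT:
        raise ValueError("session-timeout out of range")
    if not user and not machine:
        raise ValueError("at least one of user or machine is required")
    body = {
        "shared-secret": secret,
        "ip-address": str(addr),
        "session-timeout": session_timeout,
    }
    if user:
        body["user"] = user
    if machine:
        body["machine"] = machine
    if roles:
        body["roles"] = list(roles)  # Access Role names the PDP should attach
    return body


def build_show_identity(secret, ip):
    """Return the JSON body for show-identity (look up what the PDP holds for an address)."""
    if not secret:
        raise ValueError("shared secret must not be empty")
    return {"shared-secret": secret, "ip-address": str(ipaddress.ip_address(ip))}


def redacted(body):
    """Copy of a request body that is safe to log: the shared secret is a bearer credential."""
    out = dict(body)
    if "shared-secret" in out:
        out["shared-secret"] = "***"
    return out


def call(gateway, action, body, ca_bundle, timeout=10.0):
    """POST body to https://<gateway>/_IA_API/v1.0/<action> and return the parsed reply.

    Only meaningful against a real PDP; the checks below exercise the builders only.
    """
    # Verify the gateway certificate rather than disabling TLS checks: the
    # shared secret is in the request body, so a MITM would capture it.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        f"https://{gateway}{API_BASE}/{action}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed values. The secret comes from the environment, never from a
    # literal in the script or from argv (visible in `ps`).
    secret = os.environ.get("IA_CLIENT_SECRET")
    if not secret:
        raise SystemExit("set IA_CLIENT_SECRET to the Client Secret configured in SmartConsole")
    gateway = os.environ.get("IA_GATEWAY", "pdp-gw.example.internal")
    body = build_add_identity(secret, "10.1.2.3", user="alice",
                              roles=["Finance_Users"], session_timeout=3600)
    print("sending:", redacted(body))
    print(call(gateway, "add-identity", body, ca_bundle="/etc/ssl/certs/ca-bundle.crt"))
    print(call(gateway, "show-identity", build_show_identity(secret, "10.1.2.3"),
               ca_bundle="/etc/ssl/certs/ca-bundle.crt"))
```

Two points of the procedure are visible from the client side. The Authorized Clients list is a source-address allowlist and the Client Secret is a shared credential, and both must match for the PDP to accept the request; a client that can pass both can create or remove identities for any address, so the secret deserves the same handling as a password (supplied from the environment or a secret store, never logged, sent only over a verified TLS connection).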

Support for Identity Awareness Identity Sharing

CloudGuard Controller supports sending its identity updates to Security Gateways through the Identity Sharing configuration. Identity Sharing significantly reduces the load on the Security Gateways, because only one of them has to process the updates.

With the Identity Sharing configuration, a Security Gateway configured as a PDP (Policy Decision Point) receives the identity information and shares it with other Security Gateways configured as PEPs (Policy Enforcement Points). Only the PDP Identity Awareness Security Gateway performs the group membership query and calculates the Access Role object.

Note - The supported PDP and PEP Security Gateway versions are R81.10 and higher.

To configure Identity Sharing for the PDP Security Gateway that shares the identities:

  1. In SmartConsole > Security Gateway properties > Identity Awareness, select Identity Web API. This makes the Security Gateway receive the CloudGuard Controller updates.

  2. Click Settings and add the Authorized Clients (the LocalHost object from the activation procedure above).

  3. In Identity Awareness > Identity Sharing, select Share local identities with other gateways.

For the PEP Security Gateways that enforce traffic:

Note - Do not select Identity Web API on a PEP.

  1. In Identity Awareness > Identity Sharing, select Get identities from other gateways.

  2. Select the PDP Security Gateways from which to pull identities.

Publish the SmartConsole session and install policy on the applicable Security Gateways.

Note - If you manually delete identities on the Security Gateway (for example, with the pdp __ed ra command), the CloudGuard Controller on the Management Server is not aware of the deletion and does not re-push these identities to the Security Gateway.

In this scenario, use the vsec_controller_cli command on the Management Server to force an update for this Security Gateway.

For more information on Identity Awareness PDP sharing, refer to R82 Identity Awareness Administration Guide.