Identity Cache Mode for Identity Sharing Protocols
Overview
Identity Awareness (IDA) is the Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Without the Identity Cache Mode (the default before R82), Identity Awareness handles acute error flows with a stringent approach: the "prefer to delete" principle, which leads to widespread deletion of identities in specific error scenarios.
- Disconnection from the PDP (the Identity Awareness Security Gateway that acts as Policy Decision Point: it acquires identities from identity sources and shares them with other gateways) for longer than 10 minutes.
- When a PDP (Policy Decision Point) or a PEP (the Identity Awareness Security Gateway that acts as Policy Enforcement Point: it receives identities via identity sharing and redirects users to Captive Portal) becomes disconnected, all the identities it has learned are deleted.
- When PDP Security Gateways share information through an Identity Broker (the identity sharing mechanism between PDPs: a Web-API based communication channel between PDPs with the ability to add, remove, and update identity sessions), every deletion is propagated to the downstream layers of Identity Broker Subscribers so that the whole identity sharing topology keeps a synchronized and accurate data state. Under the "prefer to delete" logic, this also propagates the mass deletion.
- If the PDP fails and reboots, it might synchronize an empty database with its peers.
The outcome of this behavior:
- No identity-based enforcement, and connectivity is broken.
- Performance impact from running and propagating the massive identity deletion logic.
- Lack of resiliency, even where the environment was designed with alternative identity propagation paths.
- In large scale environments, it may take hours until the system is fully recovered.
Identity Awareness Gateways R82 and higher use the Identity Cache Mode for the identity sharing protocols.
Important - In R82 and higher, the Identity Cache Mode is enabled by default with a cache duration of 1 hour.
The Identity Cache Mode follows the "prefer to keep" principle, which lets Identity Awareness regain stability without the disruptions listed above. It prioritizes maintaining system integrity while the error flow is handled:
- Instead of extensive deletions, the relevant identities are kept in the database:
  - PDP-to-PEP sharing - by default, 24 hours.
  - PDP-to-PDP sharing - by default, 1 hour (configurable).
- Identity propagation from alternative paths is allowed to overrun the existing information at all times:
  - The conciliation decision for the existing relevant Identity Sessions is "overwrite".
- Upon restoration of connectivity, the pertinent Identity Sessions that were not overwritten undergo a "refresh" process, reverting to their initial state and logic.
The cache duration is therefore the upper bound on how long identity information learned before the loss of connectivity remains in effect: a cached Identity Session stays valid until the cache expires, until an identity received over another path overwrites it, or until connectivity returns and the session is refreshed.
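The following Python model is added here as an illustration and is not Check Point's code. It contrasts the two behaviours described above on one gateway's identity table: under the legacy logic, a lost peer's identities are deleted at once; under the Identity Cache Mode they survive for the cache duration, an identity learned over another path overwrites them, and sessions that were not overwritten are refreshed when the peer returns. The class and method names, the timeline, the users and the IP addresses are constructed for the example. How the cache window interacts with a session's own timeout is not specified on this page, so the model simply bounds a cached session's lifetime by the cache duration.

```python
"""Toy model of identity sessions on one gateway across a lost sharing channel.

Added example, not Check Point code. Contrasts the legacy "prefer to delete"
logic with the Identity Cache Mode ("prefer to keep") as this page describes
them. Times are minutes; names, users, addresses and the timeline are constructed.
"""
from dataclasses import dataclass
from typing import Optional

PDP_TO_PEP_CACHE_MIN = 24 * 60  # default PDP-to-PEP cache duration on this page
PDP_TO_PDP_CACHE_MIN = 60       # default PDP-to-PDP cache duration on this page


@dataclass
class Session:
    user: str
    source: str            # peer (PDP) the identity was learned from
    expires_at: int        # minute at which the session ends
    orig_expires_at: int   # remembered so a refresh can restore the original state
    cached: bool = False   # True while kept only because of the Identity Cache Mode


class IdentityTable:
    """Identity sessions of one gateway, keyed by client IP address."""

    def __init__(self, cache_mode: bool, cache_minutes: int) -> None:
        self.cache_mode = cache_mode
        self.cache_minutes = cache_minutes
        self.sessions: dict[str, Session] = {}

    def learn(self, ip: str, user: str, source: str, expires_at: int) -> None:
        # Conciliation is "overwrite": whatever arrives over any path replaces the
        # existing session for that IP, live or cached.
        self.sessions[ip] = Session(user, source, expires_at, expires_at)

    def expire(self, now: int) -> None:
        """Drop every session whose expiry (live or cache-bounded) has passed."""
        for ip in [ip for ip, s in self.sessions.items() if s.expires_at <= now]:
            del self.sessions[ip]

    def peer_lost(self, source: str, now: int) -> None:
        """The sharing channel to `source` has been down long enough to count as lost."""
        for ip, s in list(self.sessions.items()):
            if s.source != source:
                continue
            if not self.cache_mode:
                del self.sessions[ip]  # legacy: delete everything learned from the peer
            else:
                # Cache mode: keep the session, but bound its lifetime by the cache
                # duration (model assumption, see the lead-in).
                s.cached = True
                s.expires_at = now + self.cache_minutes

    def peer_restored(self, source: str, now: int) -> None:
        """"Refresh": cached sessions from the peer that were not overwritten and
        whose cache window is still open revert to their original state."""
        self.expire(now)
        for s in self.sessions.values():
            if s.source == source and s.cached:
                s.cached = False
                s.expires_at = s.orig_expires_at

    def lookup(self, ip: str, now: int) -> Optional[str]:
        """User currently bound to `ip`, or None when there is no live session."""
        self.expire(now)
        s = self.sessions.get(ip)
        return None if s is None else s.user


def run_scenario(cache_mode: bool, restore_at: Optional[int]) -> dict:
    """Constructed timeline on a gateway that learns identities from PDPs
    'pdp-a' and 'pdp-b'; returns the lookups a policy decision would see."""
    table = IdentityTable(cache_mode, PDP_TO_PDP_CACHE_MIN)
    for ip, user in (("10.0.0.5", "alice"), ("10.0.0.7", "carol")):
        table.learn(ip, user, "pdp-a", expires_at=8 * 60)
    seen = {}
    table.peer_lost("pdp-a", now=5)                   # pdp-a unreachable for too long
    seen["ip5@6"] = table.lookup("10.0.0.5", 6)       # alice survives only in cache mode
    table.learn("10.0.0.5", "bob", "pdp-b", 9 * 60)   # alternative path overwrites alice
    seen["ip5@30"] = table.lookup("10.0.0.5", 30)
    if restore_at is not None:
        table.peer_restored("pdp-a", restore_at)      # refresh what is still cached
    seen["ip7@70"] = table.lookup("10.0.0.7", 70)     # 70 > 5 + 60: cache window closed
    seen["ip5@80"] = table.lookup("10.0.0.5", 80)     # bob came from pdp-b, unaffected
    return seen


if __name__ == "__main__":
    for mode, restore in ((False, 50), (True, 50), (True, None), (True, 70)):
        print(f"cache_mode={mode} restore_at={restore}: {run_scenario(mode, restore)}")
```

The interesting rows are the `ip7@70` lookups: with the cache on and the peer back at minute 50, carol's session is refreshed to its original expiry and still enforced at minute 70; if the peer returns only at minute 70, or not at all, the cached copy has already aged out of the 60-minute window, which is the exposure bound the configurable PDP-to-PDP timeout sets.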
Upgrade from the R81.20 Jumbo Hotfix Accumulator to R82
The Identity Cache Mode feature is available in the R81.20 Jumbo Hotfix Accumulator (a collection of hotfixes combined into a single package; acronyms: JHA, JHF, JHFA), Take 70 and higher.
In the R81.20 Jumbo Hotfix Accumulator, this feature is disabled by default and has a different default timeout for PDP-to-PDP sharing (24 hours).
During an upgrade to R82, the previous configuration is preserved. A gateway that ran R81.20 with the feature disabled therefore stays disabled after the upgrade, and one that kept the 24-hour PDP-to-PDP timeout keeps it; check the status on each upgraded gateway as described in the next section.
Viewing the Current Status of the Identity Cache Mode
- Connect to the command line on the Security Gateway (the dedicated Check Point server that inspects traffic and enforces Security Policies for connected network resources) / each Cluster Member (a Security Gateway that is part of a cluster) / Scalable Platform Security Group.
- Log in to the Expert mode.
- In the VSNext / Traditional VSX (Virtual System Extension: Check Point's virtual networking solution, hosted on a computer or cluster, with virtual abstractions of Security Gateways and other network devices that provide the same functionality as their physical counterparts) mode, go to the context of the applicable Virtual Gateway / Legacy Virtual System:
  vsenv <VS ID>
- Examine the current Identity Cache Mode status:
  - To see the status for the PDP-to-PDP sharing protocol (Identity Broker), run:
    pdp broker identity_cache_mode status
  - To see the status for the PDP-to-PEP sharing protocol, run:
    pep control identity_cache_mode status
  Possible outputs:
  - "Identity Cache Mode is enabled" (this is the default)
  - "Identity Cache Mode is disabled"
  Check both protocols: the PDP-to-PDP status and the PDP-to-PEP status are reported separately, and on a cluster or a VSX system the check is per Cluster Member and per Virtual System.
Configuring the Identity Cache Mode on All Security Gateways
The default configuration for all Identity Awareness Gateways managed by a Security Management Server (the dedicated Check Point server that manages the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) / Domain Management Server:
- The Identity Cache Mode is enabled.
- The timeout for the PDP-to-PDP sharing protocol (Identity Broker) is 60 minutes.
You can change the global configuration in SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on) or with the Management API.
In SmartConsole:
- Connect with SmartConsole to the Security Management Server / Domain Management Server.
- In the top left corner, click Global properties.
- In the left tree, click Identity Awareness.
- In the Cache Duration section:
  - To disable the Identity Cache Mode, clear the checkbox In case of connectivity loss, extend identity cache for up to [ ] minutes.
    Warning - Do not disable the Identity Cache Mode unless Check Point Support explicitly asked you to do so.
  - To enable the Identity Cache Mode again, select the checkbox In case of connectivity loss, extend identity cache for up to [ ] minutes.
  - To change the timeout for the PDP-to-PDP sharing protocol (Identity Broker), enter the required value in minutes.
- Click OK.
- Install the Access Control Policy on all Identity Awareness Gateways.
- On each Identity Awareness Gateway, examine the current Identity Cache Mode status. Run these commands in the Expert mode:
  - To see the status for the PDP-to-PDP sharing protocol (Identity Broker), run:
    pdp broker identity_cache_mode status
  - To see the status for the PDP-to-PEP sharing protocol, run:
    pep control identity_cache_mode status
With the Management API:
Note - See the Management API reference for your version (chapter "Manage & Settings" > section "Global Properties").
- Examine the current Identity Awareness global properties:
  mgmt_cli show global-properties
  Example (default output):
  [Expert@MyMgmt:0]# mgmt_cli show global-properties
  Username: ******
  Password: ************
  ...
  ...
  ...
  identity-awareness:
    cache-mode: true
    cache-mode-duration: 60
  [Expert@MyMgmt:0]#
- Configure the required Identity Cache Mode global status:
  mgmt_cli set global-properties identity-awareness.cache-mode {true | false}
  Where:
  - true - Enables the Identity Cache Mode globally
  - false - Disables the Identity Cache Mode globally
  Warning - Do not disable the Identity Cache Mode unless Check Point Support explicitly asked you to do so.
- Configure the required Identity Cache Mode global timeout (in minutes, 1 to 2880) for the PDP-to-PDP sharing protocol (Identity Broker):
  mgmt_cli set global-properties identity-awareness.cache-mode-duration <1-2880>
- Install the Access Control policy on all Identity Awareness Gateways:
  mgmt_cli install-policy <parameters>
Configuring the Identity Cache Mode on Specific Security Gateways
You can override the global Identity Cache Mode configuration on each managed Security Gateway / Cluster (two or more Security Gateways that work together in a redundant configuration: High Availability or Load Sharing) / Scalable Platform Security Group / VSNext Virtual Gateway / Traditional VSX Virtual System.
Note - See the Management API reference for your version for the set simple-gateway, set simple-cluster, and set legacy-virtual-system commands used below.
To override the global Identity Cache Mode configuration on a specific object (override-profile true):
- Example for a Simple Gateway object:
  mgmt_cli set simple-gateway name <Name of Object> identity-awareness-settings.identity-sharing-settings.cache-mode.override-profile true
- Example for a Cluster object:
  mgmt_cli set simple-cluster name <Name of Object> identity-awareness-settings.identity-sharing-settings.cache-mode.override-profile true
- Example for a Traditional VSX Virtual System object:
  mgmt_cli set legacy-virtual-system name <Name of Object> identity-awareness-settings.identity-sharing-settings.cache-mode.override-profile true
To return a specific object to the global Identity Cache Mode configuration (override-profile false):
- Example for a Simple Gateway object:
  mgmt_cli set simple-gateway name <Name of Object> identity-awareness-settings.identity-sharing-settings.cache-mode.override-profile false
- Example for a Cluster object:
  mgmt_cli set simple-cluster name <Name of Object> identity-awareness-settings.identity-sharing-settings.cache-mode.override-profile false
- Example for a Traditional VSX Virtual System object:
  mgmt_cli set legacy-virtual-system name <Name of Object> identity-awareness-settings.identity-sharing-settings.cache-mode.override-profile false
To override the timeout (in minutes) for the PDP-to-PDP sharing protocol (Identity Broker) on a specific object:
Note - This timeout override is supported only if you override the global Identity Cache Mode configuration on the Identity Awareness Gateway (override-profile true); a value set on an object that does not override the global configuration has no effect.
- Example for a Simple Gateway object:
  mgmt_cli set simple-gateway name <Name of Object> identity-awareness-settings.identity-sharing-settings.cache-mode.override-profile true identity-awareness-settings.identity-sharing-settings.cache-mode.value <Timeout in Minutes>
- Example for a Cluster object:
  mgmt_cli set simple-cluster name <Name of Object> identity-awareness-settings.identity-sharing-settings.cache-mode.override-profile true identity-awareness-settings.identity-sharing-settings.cache-mode.value <Timeout in Minutes>
- Example for a Traditional VSX Virtual System object:
  mgmt_cli set legacy-virtual-system name <Name of Object> identity-awareness-settings.identity-sharing-settings.cache-mode.override-profile true identity-awareness-settings.identity-sharing-settings.cache-mode.value <Timeout in Minutes>
After you change these settings, install the Access Control Policy on the affected Identity Awareness Gateways and verify the result on each of them in the Expert mode with pdp broker identity_cache_mode status and pep control identity_cache_mode status.
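The following Python script is an added example, not Check Point's tooling. It wraps the mgmt_cli commands from the two configuration sections above to report, per gateway object, whether a gateway-level override is active and which PDP-to-PDP timeout applies, using the precedence this page documents: a timeout override counts only when override-profile is true. It assumes that mgmt_cli is run on the management server with -r true (root login) and --format json, and that the show output uses the same key names as the set parameters shown above; the sample data at the top of the script is constructed and the gateway names are hypothetical. It also maps the text printed by pdp broker identity_cache_mode status / pep control identity_cache_mode status to a boolean, so the management-side expectation can be compared with what each gateway actually reports after policy installation.

```python
"""Audit the Identity Cache Mode settings that management pushes to gateways.

Added example, not Check Point code. Assumptions: mgmt_cli is available on the
management server and is invoked with `-r true` (root login) and `--format json`;
`show global-properties` and `show simple-gateway` return the same key names
that the `set` commands on this page use. Sample data below is constructed.
"""
import json
import subprocess
import sys
from dataclasses import dataclass

DURATION_MIN, DURATION_MAX = 1, 2880  # minutes accepted by cache-mode-duration

# Constructed sample of `mgmt_cli show global-properties --format json` (subset).
SAMPLE_GLOBAL = {"identity-awareness": {"cache-mode": True, "cache-mode-duration": 60}}

# Constructed sample of `mgmt_cli show simple-gateway name <gw> --format json`
# (subset). Gateway names are hypothetical.
SAMPLE_GATEWAYS = [
    {"name": "gw-branch-1", "identity-awareness-settings": {"identity-sharing-settings":
        {"cache-mode": {"override-profile": True, "value": 240}}}},
    # `value` present but ignored: override-profile is false, global applies
    {"name": "gw-dc-1", "identity-awareness-settings": {"identity-sharing-settings":
        {"cache-mode": {"override-profile": False, "value": 240}}}},
    {"name": "gw-plain"},  # no identity-sharing block at all: global applies
]


@dataclass(frozen=True)
class CacheModeView:
    name: str
    global_enabled: bool      # identity-awareness.cache-mode in global properties
    override_active: bool     # gateway-level cache-mode.override-profile
    effective_minutes: int    # PDP-to-PDP timeout that applies to this object
    source: str               # "global" or "gateway override"


def validate_duration(minutes: int) -> int:
    """Reject a timeout outside the 1..2880 minute range the API accepts."""
    if not DURATION_MIN <= minutes <= DURATION_MAX:
        raise ValueError(f"cache-mode-duration must be {DURATION_MIN}..{DURATION_MAX}, got {minutes}")
    return minutes


def resolve(global_props: dict, gateway: dict) -> CacheModeView:
    """Precedence from this page: a timeout override on the object counts only
    when override-profile is true; otherwise the global timeout applies."""
    ia = global_props["identity-awareness"]
    global_enabled = bool(ia["cache-mode"])
    global_minutes = validate_duration(int(ia["cache-mode-duration"]))
    cache = (gateway.get("identity-awareness-settings", {})
             .get("identity-sharing-settings", {})
             .get("cache-mode", {}))
    override = bool(cache.get("override-profile", False))
    if override and "value" in cache:
        minutes = validate_duration(int(cache["value"]))
        return CacheModeView(gateway["name"], global_enabled, True, minutes, "gateway override")
    return CacheModeView(gateway["name"], global_enabled, override, global_minutes, "global")


def parse_gateway_status(output: str) -> bool:
    """Map the text of `pdp broker identity_cache_mode status` or
    `pep control identity_cache_mode status` to True (enabled) / False (disabled)."""
    text = output.strip().lower()
    if text.startswith("identity cache mode is enabled"):
        return True
    if text.startswith("identity cache mode is disabled"):
        return False
    raise ValueError(f"unrecognised status output: {output!r}")


def audit(global_props: dict, gateways: list) -> list:
    """Resolve the effective setting for every gateway object."""
    return [resolve(global_props, gw) for gw in gateways]


def mgmt(*args: str) -> dict:
    """Run one mgmt_cli command on the management server and parse its JSON
    (assumption: root login with `-r true` is permitted on this server)."""
    proc = subprocess.run(["mgmt_cli", *args, "-r", "true", "--format", "json"],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def main(names: list) -> None:
    # Live use: `python3 ia_cache_audit.py gw-branch-1 gw-dc-1` on the management server.
    global_props = mgmt("show", "global-properties")
    gateways = [mgmt("show", "simple-gateway", "name", n) for n in names]
    for view in audit(global_props, gateways):
        print(f"{view.name}: global cache-mode={'on' if view.global_enabled else 'off'}, "
              f"override={'yes' if view.override_active else 'no'}, "
              f"pdp-to-pdp timeout={view.effective_minutes} min ({view.source})")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run the script against the constructed samples first (call audit(SAMPLE_GLOBAL, SAMPLE_GATEWAYS)) to see the precedence rules, then against the live management server; then compare each line with the output of the two status commands on the corresponding gateway, because a changed setting takes effect only after the Access Control Policy has been installed there.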