Checking Identity Awareness Counters for discrepancies

One of our customers is running Identity Awareness (IA) on a Check Point 61K that uses an Identity Sharing Gateway to collect and share identities.

The following process was recommended in order to verify that the relevant IA configuration on both devices is synchronized:

  1. Run "pep show pdp all" on both devices - the 61K and the Identity Sharing
    Gateway (running on a Check Point 4600 Appliance)
  2. Verify that the "Users" value displayed on both devices is within a small
    threshold (e.g. 10) of each other

Can you recommend any other checks that Indeni can implement in order to verify the integrity of IA across several devices?

We have followed up on this issue with our Check Point contacts and the following is a summary of the knowledge that we gained from them:

  1. When logged into the 61K, how do we know which device is running the "Identity Sharing Gateway" for it?
    "pep show pdp all" will list an IP address -> look it up in Dashboard

  2. Is the "pep show pdp all" command the right one to run on both the 61K and the Identity Sharing Gateway?

  3. Is this pep command taxing on the device? How often is it OK to run?
    It is just printing the contents of a table, so no more taxing than dumping the connections table. I wouldn't hesitate to run this during production.

  4. What is the difference we should expect in values between the devices?
    In the case of SmartPush, they should always be within 5 or 10, accounting for whatever the timer is that causes the pdp gateway to send an update of identities to the pep gateway. In the case of SmartPull it could be more, because the pep gateway won't request the identity until it sees traffic, so if a user logs in they will exist on the pdp side but only show up in pep when they send traffic across the network.

"pdp monitor summary all" to see all the users and machines

"pdp monitor user smith" or "pep show user query usr smith" to see the info for a specific username (here "smith")
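The two-step comparison in the recommended process and the SmartPush/SmartPull tolerance described in answer 4 can be turned into a repeatable check. The script below is an added example written for this page; it is not Indeni's or Check Point's code. It parses the table printed by "pep show pdp all" on each device, sums the "Users" column, and applies the tolerance that fits the sharing mode. Everything about the output format is an assumption: the two captured outputs are constructed samples with the column headers the process refers to, and the parser takes its column boundaries from the "=====" underline row rather than from a fixed column order, so it should survive minor layout differences, but check it against the real output on your own gateways before relying on it. The pull-mode rule (only flag the PEP reporting more users than its PDP) is our reading of answer 4, not something the Check Point contacts stated.

```python
from __future__ import annotations

import re

# Constructed sample output of "pep show pdp all" on the 61K (the PEP side).
# Column layout is assumed; compare against a real capture before use.
PEP_SHOW_PDP_61K = """\
Command: root->show->pdp->all

Direction  ID  IP            Status     Users  Machines  Connect time
=========  ==  ============  =========  =====  ========  ======================
Outgoing   1   10.10.10.5    Connected  1432   870       Tue Jan 15 10:02:11 2013
"""

# Constructed sample output of the same command on the Identity Sharing Gateway
# (the PDP side). Same assumed layout as above.
PEP_SHOW_PDP_SHARING_GW = """\
Command: root->show->pdp->all

Direction  ID  IP            Status     Users  Machines  Connect time
=========  ==  ============  =========  =====  ========  ======================
Outgoing   1   10.10.10.5    Connected  1439   871       Tue Jan 15 09:58:40 2013
"""


def parse_pdp_table(output: str) -> list[dict[str, str]]:
    """Return one dict per PDP row, keyed by the header names.

    Column boundaries come from the '=====' underline row, so the parser does not
    depend on column order and is not confused by spaces inside a cell (e.g. the
    connect timestamp).
    """
    lines = output.splitlines()
    for idx, line in enumerate(lines):
        if idx > 0 and re.fullmatch(r"\s*=+(\s+=+)*\s*", line):
            header, rows = lines[idx - 1], lines[idx + 1:]
            spans = [m.span() for m in re.finditer(r"=+", line)]
            break
    else:
        raise ValueError("no PDP table found in output")
    # Let the last column run to end of line; its value may be wider than the underline.
    spans[-1] = (spans[-1][0], None)
    names = [header[start:end].strip() for start, end in spans]
    parsed = []
    for row in rows:
        if not row.strip():
            continue
        parsed.append({name: row[s:e].strip() for name, (s, e) in zip(names, spans)})
    return parsed


def users_reported(output: str) -> int:
    """Sum the Users column over every PDP row (a PEP may be fed by several PDPs)."""
    return sum(int(row["Users"]) for row in parse_pdp_table(output))


def identity_counts_in_sync(pdp_users: int, pep_users: int,
                            mode: str = "push", threshold: int = 10) -> tuple[bool, str]:
    """Apply the tolerance from answer 4.

    push: PDP and PEP should agree to within the update-timer slop (5-10 users).
    pull: the PEP only learns a user once it sees that user's traffic, so it may
          lag the PDP by any amount; a PEP count above the PDP count is the only
          discrepancy this check treats as an error (our interpretation, assumed).
    """
    diff = pdp_users - pep_users
    if mode == "push":
        ok = abs(diff) <= threshold
    elif mode == "pull":
        ok = diff >= -threshold
    else:
        raise ValueError(f"unknown identity sharing mode: {mode}")
    verdict = "OK" if ok else "DISCREPANCY"
    return ok, f"{verdict}: pdp={pdp_users} pep={pep_users} diff={diff} mode={mode}"


if __name__ == "__main__":
    pdp = users_reported(PEP_SHOW_PDP_SHARING_GW)
    pep = users_reported(PEP_SHOW_PDP_61K)
    print(identity_counts_in_sync(pdp, pep, mode="push")[1])
```

Run it with the output captured from both devices substituted for the two sample strings; in pull mode a large positive difference is expected and is not reported, in push mode anything beyond the 5-10 user window is.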