Is your firewall overloaded by Identity Awareness (IA) queries? Here's a potential root cause AND fix

An overload of IA queries can bring your firewall to its knees. I've seen it many times. Think about what else is in your environment that needs authentication against your DC (EMR/EHR systems, mail, etc.). Take the example where there are Exchange servers internal to the environment: these Exchange servers are constantly authenticating against the DCs. Every time this happens the DC creates a security event and sends it off to the gateway. If there is an overabundance of info being sent, the PDPD daemon on the gw can get overworked and will peg. The PDPD daemon is responsible for creating identities on the gateway. Its child service is adlog, which queries the DCs. If the PDPD daemon is pegged then adlog cannot function. Therefore if another product is relying on IA, it will not function properly, for example AccessRoles within App/URL filtering.


To resolve this you need to EXCLUDE all Exchange servers in the environment. You need to make sure the DCs do NOT pass on any security events about them to the gateway(s).


  1. Go to: Gateway Cluster Properties
  2. Select Identity Awareness
  3. Select Settings next to the checked Active Directory Query
  4. Select the Advanced button on the Active Directory Query Dialog
  5. Add each network specific to the Exchange server(s). If a network does not exist, create one using a 255.255.255.255 subnet.
  6. Push policy (the effects of the fix can take around 5 minutes).
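Before building the exclusion list in step 5, it helps to know which hosts are actually producing the bulk of the security events the DC forwards. The script below is an added illustration, not part of the original post and not a Check Point tool: it ranks source hosts by logon/Kerberos event volume and turns the chatty ones into host networks with a 255.255.255.255 mask, the same shape as the exclusion entries above. Event IDs 4624, 4768 and 4769 are real Windows security event IDs; the sample rows, IP addresses, host names and thresholds are constructed for the example.

```python
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample of the kind of events a DC forwards to the gateway via
# AD Query: logons (4624) and Kerberos ticket events (4768/4769). Real data
# would come from the DC security log; these rows are made up for the example.
# (event_id, source_ip, account)
SAMPLE_EVENTS: List[Tuple[int, str, str]] = (
    [(4624, "10.0.5.10", "EXCH01$")] * 6 + [(4769, "10.0.5.10", "EXCH01$")] * 6
    + [(4624, "10.0.5.11", "EXCH02$")] * 8
    + [(4624, f"10.0.20.{i}", f"user{i}") for i in range(1, 6)]
)


def count_by_source(events: Iterable[Tuple[int, str, str]]) -> Counter:
    """Count forwarded security events per source host (IP)."""
    counts: Counter = Counter()
    for _event_id, ip, _account in events:
        counts[ip] += 1
    return counts


def noisy_sources(events: List[Tuple[int, str, str]],
                  share_threshold: float = 0.25,
                  min_events: int = 5) -> List[Tuple[str, int, float]]:
    """Return (ip, count, share) for hosts producing a disproportionate share
    of the event stream. Thresholds are hypothetical tuning knobs; set them to
    fit the size of your own event volume."""
    counts = count_by_source(events)
    total = sum(counts.values())
    flagged = []
    for ip, n in counts.most_common():
        share = n / total
        if n >= min_events and share >= share_threshold:
            flagged.append((ip, n, round(share, 3)))
    return flagged


def exclusion_networks(flagged: List[Tuple[str, int, float]]) -> List[Tuple[str, str]]:
    """Host networks (255.255.255.255 mask) to add to the AD Query exclusion
    list, one per noisy host."""
    return [(ip, "255.255.255.255") for ip, _n, _share in flagged]


if __name__ == "__main__":
    noisy = noisy_sources(SAMPLE_EVENTS)
    print("Noisy sources (ip, events, share):")
    for row in noisy:
        print("  ", row)
    print("Candidate exclusion networks:")
    for ip, mask in exclusion_networks(noisy):
        print(f"  {ip} / {mask}")
```

Interactive user logons show up as a long tail of low-volume hosts, while the Exchange servers dominate the stream; those are the ones worth excluding, since they are not the workstations IA needs identities for.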



thank you for posting

There is also a scalability rewrite for IA in R80.10, which has also now been backported to R77.30, although if you want it on R77.30 you'll have to log a support case with TAC for the code.


Hi,
For large deployments my advice is to use the identity collector, and even go for the identity agents if needed. The aim is to get the overload off the firewalls. I have encountered these kinds of problems since 2013: pdp overload, high utilization of the network. Therefore we set up a meeting and made a proposal to the Checkpoint team to write the identity awareness DC agent, and then it was born. Other vendors (Forti/PAN) have been using the same approach: get rid of the applications not needed on the firewall. The identity collector is unique in terms of filtering on the agent; otherwise you put the load and the decision process on the firewall. You can still use the classical IA at simple AD sites (low number of users and groups).