Identity Session Conciliation
Solution

Background

Identity session conciliation is an enhanced mechanism for handling identity sessions inside the PDP and PEP Security Gateways.

When the PDP or PEP receives identity information for an IP address for which an identity session was already received from another source, the conciliation mechanism determines how to handle the new identity session.

PDP Conciliation

The PDP conciliation mechanism decides whether to keep the new identity session, reject it, or append it to the existing identity session.

The decision is based on these factors:

  • Confidence - The strength of each identity session is determined by its identity source (Identity Agent, Identity Collector).
  • Locality - The locality of each identity session is determined by its path (hop count).
  • Time To Live (TTL) - This is the identity session creation time.
  • PDP Preference - The PDP Security Gateway from which the PDP receives the identity session.

Some identity sources such as Identity Agent, Terminal Server, Captive Portal, and Remote Access VPN cannot be appended to others. In these cases, the conciliation decision is only override or reject.

Identity sources such as ADQuery, Radius Accounting, Identity Collector, and Web-API can be appended to each other. In these cases, the conciliation decision is append.

Example 1

The PDP received an Identity Agent session and then received a new identity from Identity Collector on the same IP address.

The conciliation decision is to reject the Identity Collector session based on the confidence factor, because the Identity Agent is of greater strength.

Example 2

The PDP received a Web-API session and then received a new identity from Identity Collector on the same IP address.

The conciliation decision is to append the Identity Collector session because both identity sources can be joined.

Example 3

The PDP received an Identity Collector session, and then received a new identity from Identity Collector on the same IP address.

The conciliation decision is to override the existing Identity Collector session based on the TTL factor and because only a single Identity Collector session can exist per IP address.

Contact Check Point Support to change the default behavior.
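The decision rules above (same-source replacement by TTL, append for joinable sources, confidence comparison when an exclusive source is involved) can be modelled as a small decision function. The following is an added example written for this article, not Check Point code; the numeric confidence values and the hop-count tie-break are assumptions (the article only states that Identity Agent is stronger than Identity Collector), and the session records are constructed. It reproduces the three worked examples.

```python
from dataclasses import dataclass
from enum import Enum

# Sources that can only override or be rejected (from the article).
EXCLUSIVE_SOURCES = {"Identity Agent", "Terminal Server", "Captive Portal", "Remote Access VPN"}
# Sources whose sessions can be appended to each other (from the article).
APPENDABLE_SOURCES = {"ADQuery", "Radius Accounting", "Identity Collector", "Web-API"}

# Assumed confidence ranking. Only "Identity Agent > Identity Collector" is
# stated in the article; the other values are placeholders for illustration.
CONFIDENCE = {
    "Identity Agent": 100,
    "Remote Access VPN": 90,
    "Terminal Server": 90,
    "Captive Portal": 80,
    "Identity Collector": 60,
    "Web-API": 60,
    "Radius Accounting": 50,
    "ADQuery": 40,
}


class Decision(Enum):
    REJECT = "reject"
    OVERRIDE = "override"
    APPEND = "append"


@dataclass(frozen=True)
class IdentitySession:
    ip: str
    user: str
    sources: frozenset       # one source, or several after an append
    created: int             # creation time in epoch seconds (the TTL factor)
    hops: int = 0            # locality: path length from the source to the PDP

    @property
    def confidence(self) -> int:
        # An appended session is as strong as its strongest source.
        return max(CONFIDENCE[s] for s in self.sources)


def conciliate(existing: IdentitySession, new: IdentitySession) -> Decision:
    """Decide what the PDP does with a new session for an IP that already has one."""
    if existing.ip != new.ip:
        raise ValueError("conciliation only applies to sessions on the same IP address")
    # Only one session per source per IP: the newer one (TTL factor) replaces the older.
    if new.sources & existing.sources:
        return Decision.OVERRIDE if new.created >= existing.created else Decision.REJECT
    # Every source on both sides is appendable: join the sessions.
    if (new.sources | existing.sources) <= APPENDABLE_SOURCES:
        return Decision.APPEND
    # An exclusive source is involved: confidence decides; equal confidence is
    # broken by locality (fewer hops wins). The tie-break rule is an assumption.
    if new.confidence > existing.confidence:
        return Decision.OVERRIDE
    if new.confidence == existing.confidence and new.hops < existing.hops:
        return Decision.OVERRIDE
    return Decision.REJECT


def apply_decision(existing: IdentitySession, new: IdentitySession):
    """Return (decision, resulting session) after conciliation."""
    decision = conciliate(existing, new)
    if decision is Decision.REJECT:
        return decision, existing
    if decision is Decision.OVERRIDE:
        return decision, new
    # APPEND: keep the original creation time, merge the source set.
    merged = IdentitySession(
        ip=existing.ip,
        user=existing.user,
        sources=existing.sources | new.sources,
        created=existing.created,
        hops=min(existing.hops, new.hops),
    )
    return decision, merged


if __name__ == "__main__":
    # Constructed sessions reproducing Examples 1 to 3 from the article.
    ip = "10.0.0.5"
    agent = IdentitySession(ip, "alice", frozenset({"Identity Agent"}), 1000)
    collector = IdentitySession(ip, "alice", frozenset({"Identity Collector"}), 1010)
    webapi = IdentitySession(ip, "alice", frozenset({"Web-API"}), 1000)
    collector2 = IdentitySession(ip, "alice", frozenset({"Identity Collector"}), 1020)
    print("Example 1:", conciliate(agent, collector).value)        # reject
    print("Example 2:", conciliate(webapi, collector).value)       # append
    print("Example 3:", conciliate(collector, collector2).value)   # override
```

`apply_decision` is what a caller would use to update the session table; the merged session keeps the original creation time so that the TTL factor is not reset by an append.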

PEP Conciliation

The PEP conciliation mechanism between two identity sessions from two different PDP Security Gateways decides whether to keep the new identity session or reject it.

Each session is given a global score based on all these parameters.

  • Confidence - The identity sources from which the sessions originated (for example, Radius Accounting, Identity Collector, etc.).
  • PDP Preference - The PDP Security Gateways from which the PEP received the sessions.
  • Time To Live - TTL value of the sessions.
  • Full session - Whether the sessions contain both a user identity and a machine identity, or only one of them.

If the new session's global score is equal to or higher than the global score of the existing session, the PEP overrides the existing session. Otherwise, the existing session remains.

By default, if you do not apply any advanced configurations, the mechanism only considers the Identity Sources Confidence parameter. Therefore, the session with the highest confidence remains.

Contact Check Point Support to change the default behavior.
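The PEP rule is a score comparison: each session gets a global score from the four parameters, and the new session replaces the existing one when its score is equal or higher. The following added example (not Check Point code) models that comparison with a weighting policy so the default behavior, in which only confidence counts, can be contrasted with an advanced policy that also weighs PDP preference. The confidence numbers, PDP ranks and weights are constructed assumptions; the article gives no values.

```python
from dataclasses import dataclass, field

# Assumed confidence per identity source (constructed for illustration).
SOURCE_CONFIDENCE = {
    "Identity Agent": 100,
    "Identity Collector": 60,
    "Radius Accounting": 50,
}


@dataclass(frozen=True)
class PepSession:
    ip: str
    source: str          # identity source the session originated from
    pdp: str             # PDP Security Gateway the PEP received it from
    ttl: int             # remaining TTL in seconds
    has_user: bool
    has_machine: bool

    @property
    def is_full(self) -> bool:
        # "Full session": both user identity and machine identity are present.
        return self.has_user and self.has_machine


@dataclass
class ScoringPolicy:
    """Weights for the four parameters; zero weight means the parameter is ignored."""
    confidence: float = 1.0
    pdp_preference: float = 0.0
    ttl: float = 0.0
    full_session: float = 0.0
    pdp_ranks: dict = field(default_factory=dict)   # PDP name -> preference value


# Default: only the identity source confidence is considered (as the article states).
DEFAULT_POLICY = ScoringPolicy()


def global_score(session: PepSession, policy: ScoringPolicy = DEFAULT_POLICY) -> float:
    score = policy.confidence * SOURCE_CONFIDENCE[session.source]
    score += policy.pdp_preference * policy.pdp_ranks.get(session.pdp, 0)
    score += policy.ttl * session.ttl
    score += policy.full_session * (1 if session.is_full else 0)
    return score


def pep_conciliate(existing: PepSession, new: PepSession,
                   policy: ScoringPolicy = DEFAULT_POLICY) -> PepSession:
    """Return the session the PEP keeps: the new one wins on an equal or higher score."""
    if existing.ip != new.ip:
        raise ValueError("conciliation only applies to sessions on the same IP address")
    if global_score(new, policy) >= global_score(existing, policy):
        return new
    return existing


if __name__ == "__main__":
    # Constructed sessions for one IP, received from two different PDPs.
    ip = "10.0.0.5"
    from_a = PepSession(ip, "Radius Accounting", "pdp-a", ttl=3600, has_user=True, has_machine=False)
    from_b = PepSession(ip, "Identity Collector", "pdp-b", ttl=600, has_user=True, has_machine=True)
    # Default policy: Identity Collector (60) outscores Radius Accounting (50).
    print("default:", pep_conciliate(from_a, from_b).pdp)          # pdp-b
    # Advanced policy preferring pdp-a: 50 + 100 beats 60 + 0.
    prefer_a = ScoringPolicy(pdp_preference=1.0, pdp_ranks={"pdp-a": 100, "pdp-b": 0})
    print("prefer pdp-a:", pep_conciliate(from_a, from_b, prefer_a).pdp)   # pdp-a
```

Because the comparison uses "equal or higher", two sessions with identical scores always resolve in favour of the newer one; the assertion on that case is the one to keep in mind when adding weights, since a weight that makes many sessions tie will cause frequent replacement.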
