Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1999
Views
10
Helpful
2
Replies

Check Point Identity Collector integration with Cisco ISE 2.4 PxGrid

NaveenG_Wi-Fi
Level 1
Level 1

‎07-29-2020 05:09 AM

Hi,

 

I have a distributed ISE deployment with 2 PAN (PxGrid enabled) nodes, 2 MNT and 5 PSNs. I have integrated Check Point Identity Collector with ISE PxGrid Node. While integrating I exported Internal CA certificate from 'Primary PxGrid Node' which was used along with Root Certificate (domain) to generate 'Server certificate' in .jks format.

My concern is, what if the 'Primary PxGrd Node' breaks ? Will the Identity Collector still be ale to communicate with 'Secondary PxGrid Node'? Note that I used internal CA cert of Primary PxGrid Node to generate Server Certificate which was used while integrating Check Point Identity Collector.

 

Regards,

N

0 Helpful
2 Replies 2

Damien Miller
VIP Alumni
VIP Alumni

‎07-29-2020 11:42 PM

This is one of the reasons I usually recommend using internal PKI certs signed outside of ISE. On the ISE side I will use a common pxgrid cert across the nodes leveraging a generic friendly name for the CN, then the friendly name and PXG FQDNs in the SAN fields. I find it makes integrations much easier since there is a single trust chain and a common signing root/intermediate that can sign the client side too.

Greg Gibbs
Cisco Employee
Cisco Employee

‎07-29-2020 11:47 PM

This is probably something you need to confirm with Checkpoint as their whitepaper does not address distributed deployments.

The IDC version I have in my lab (version R80.10) does have an optional 'Secondary Node' setting (see the below screenshot) in the ISE Server Settings configuration. It's unclear, however, if the IDC will automatically trust the certificate trust chain in the JKS certificate file or if it only trusts the identity certificate.

Each ISE node has pxGrid certificate so, if it is the latter, there might be two options (again, this would need to be confirmed by Checkpoint for their validated design and best practice).

  1. Add the two pxGrid nodes into the IDC as separate ISE servers using their own individual certificates. Add both ISE servers to your Query Pool.
  2. Ensure you have both pxGrid node FQDNs in the SAN for your pxGrid cert on the Primary node. Export that pxGrid certificate with the private key and import it into the Secondary node for the pxGrid usage. This would ensure that both nodes use the same identity certificate. You would then use this certificate in IDC with a single ISE server that has the  Primary and Secondary nodes defined.

Note that the integration with IDC uses pxGrid version 1, which I believe only functions in an Active/Standby capacity. If you validate with Checkpoint and/or test this scenario, please update this post for others that might be looking at this integration.

Screen Shot 2020-07-30 at 4.29.56 pm.png

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents