cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1260
Views
10
Helpful
2
Replies
NaveenG_Wi-Fi
Beginner

Check Point Identity Collector integration with Cisco ISE 2.4 PxGrid

Hi,

 

I have a distributed ISE deployment with 2 PAN (PxGrid enabled) nodes, 2 MNT and 5 PSNs. I have integrated Check Point Identity Collector with ISE PxGrid Node. While integrating I exported Internal CA certificate from 'Primary PxGrid Node' which was used along with Root Certificate (domain) to generate 'Server certificate' in .jks format.

My concern is, what if the 'Primary PxGrd Node' breaks ? Will the Identity Collector still be ale to communicate with 'Secondary PxGrid Node'? Note that I used internal CA cert of Primary PxGrid Node to generate Server Certificate which was used while integrating Check Point Identity Collector.

 

Regards,

N

2 REPLIES 2
Damien Miller
VIP Advisor

This is one of the reasons I usually recommend using internal PKI certs signed outside of ISE. On the ISE side I will use a common pxgrid cert across the nodes leveraging a generic friendly name for the CN, then the friendly name and PXG FQDNs in the SAN fields. I find it makes integrations much easier since there is a single trust chain and a common signing root/intermediate that can sign the client side too.
Greg Gibbs
Cisco Employee

This is probably something you need to confirm with Checkpoint as their whitepaper does not address distributed deployments.

The IDC version I have in my lab (version R80.10) does have an optional 'Secondary Node' setting (see the below screenshot) in the ISE Server Settings configuration. It's unclear, however, if the IDC will automatically trust the certificate trust chain in the JKS certificate file or if it only trusts the identity certificate.

Each ISE node has pxGrid certificate so, if it is the latter, there might be two options (again, this would need to be confirmed by Checkpoint for their validated design and best practice).

  1. Add the two pxGrid nodes into the IDC as separate ISE servers using their own individual certificates. Add both ISE servers to your Query Pool.
  2. Ensure you have both pxGrid node FQDNs in the SAN for your pxGrid cert on the Primary node. Export that pxGrid certificate with the private key and import it into the Secondary node for the pxGrid usage. This would ensure that both nodes use the same identity certificate. You would then use this certificate in IDC with a single ISE server that has the  Primary and Secondary nodes defined.

Note that the integration with IDC uses pxGrid version 1, which I believe only functions in an Active/Standby capacity. If you validate with Checkpoint and/or test this scenario, please update this post for others that might be looking at this integration.

Screen Shot 2020-07-30 at 4.29.56 pm.png

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube