https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Users-limit/m-p/102182#M10194 <P>Hi</P><P>Can someone help me interpret this logs?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-11-16 16_17_37-poller - 172.20.3.2 - Connessione Desktop remoto.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8952iC4588A13DFDDFA4C/image-size/large?v=v2&amp;px=999" role="button" title="2020-11-16 16_17_37-poller - 172.20.3.2 - Connessione Desktop remoto.png" alt="2020-11-16 16_17_37-poller - 172.20.3.2 - Connessione Desktop remoto.png" /></span></P><P>(note that this has been filtered with the ip 10.0.4.80)</P><P>The person who is complaining about the malfunctioning Identity awareness told me that he logged into&nbsp;the machine 10.0.4.80 with his user and <EM>from</EM>&nbsp;that machine he used other credentials (that can be seen expiring alltogether at 16:53.05) to log into other machines for example in RDP. The malfunctioning that he's experiencing is that the url-filtering doesn't let him into pages permitted for his user.</P><P>&nbsp;</P><P>Now it seems like those credentials have been detected by the Identity awareness and, at some point, the highlighted alert popped up&nbsp;(<EM>Machine (machine name) at (IP address) has 1 users (or more) currently connected to it, and will be automatically ignored</EM>).</P><P>Now I've read <A href="https://community.checkpoint.com/t5/Next-Generation-Firewall/Identity-Awareness-ignores-machines/td-p/74930" target="_self">something</A> about that message, and it seems to me that the outcome of reaching that threshold should not be a ban.</P><P>&nbsp;</P><P>Is there anything suspicious that could have caused the reported malfunctionig or is this actually ok?</P><P>&nbsp;</P><P>Thanks</P> Mon, 16 Nov 2020 16:02:20 GMT Stefano_Cappell 2020-11-16T16:02:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Users-limit/m-p/102182#M10194 <P>Hi</P><P>Can someone help me interpret this logs?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-11-16 16_17_37-poller - 172.20.3.2 - Connessione Desktop remoto.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8952iC4588A13DFDDFA4C/image-size/large?v=v2&amp;px=999" role="button" title="2020-11-16 16_17_37-poller - 172.20.3.2 - Connessione Desktop remoto.png" alt="2020-11-16 16_17_37-poller - 172.20.3.2 - Connessione Desktop remoto.png" /></span></P><P>(note that this has been filtered with the ip 10.0.4.80)</P><P>The person who is complaining about the malfunctioning Identity awareness told me that he logged into&nbsp;the machine 10.0.4.80 with his user and <EM>from</EM>&nbsp;that machine he used other credentials (that can be seen expiring alltogether at 16:53.05) to log into other machines for example in RDP. The malfunctioning that he's experiencing is that the url-filtering doesn't let him into pages permitted for his user.</P><P>&nbsp;</P><P>Now it seems like those credentials have been detected by the Identity awareness and, at some point, the highlighted alert popped up&nbsp;(<EM>Machine (machine name) at (IP address) has 1 users (or more) currently connected to it, and will be automatically ignored</EM>).</P><P>Now I've read <A href="https://community.checkpoint.com/t5/Next-Generation-Firewall/Identity-Awareness-ignores-machines/td-p/74930" target="_self">something</A> about that message, and it seems to me that the outcome of reaching that threshold should not be a ban.</P><P>&nbsp;</P><P>Is there anything suspicious that could have caused the reported malfunctionig or is this actually ok?</P><P>&nbsp;</P><P>Thanks</P> Mon, 16 Nov 2020 16:02:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Users-limit/m-p/102182#M10194 Stefano_Cappell 2020-11-16T16:02:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Users-limit/m-p/102197#M10195 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8232">@Royi_Priov</a>&nbsp;why would IA expire all 7 sessions at once there? I thought it would simply disallow 8th user IP association on the same machine.</P> Mon, 16 Nov 2020 19:34:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Users-limit/m-p/102197#M10195 Kaspars_Zibarts 2020-11-16T19:34:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Users-limit/m-p/102243#M10196 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/6500">@Stefano_Cappell</a>&nbsp;,</P> <P>From what I understand, all the users logged in to this machine are service accounts (besides the real user).</P> <P>I do recommend filtering out service accounts as it will both save GW resources and not process them, and also avoid such scenarios.</P> <P>Please read about service accounts under&nbsp;sk86441 ("Filter-out service accounts").</P> <P>&nbsp;</P> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/11456">@Kaspars_Zibarts</a>&nbsp;- once we understand that more than 7 users were logged into one machine, all these identities are revoked as we are tagging this machine as MUH machine. According to our decision, having too many users (and access roles, due to that) on one machine can cause permission escalated to some of the users, and we would like to avoid that). Thanks for tagging me btw&nbsp;8)</img></P> Tue, 17 Nov 2020 08:02:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Users-limit/m-p/102243#M10196 Royi_Priov 2020-11-17T08:02:09Z