topic Re: rule with access role that not match in Firewall and Security Management

rule with access role that not match

Paolo_Francese — Mon, 03 Aug 2020 14:39:53 GMT

Hi,

I've made a rule where the source is an access role containing an Active Directory user, but this rule is never matched.

I've other rules containing access roles that works as expected.

I've also check that pdp knows about this user with the command

pdp monitor user user_name

and the user is known to pdp.

Is there a way to understand why the rule does not match?

thanks in advance

Re: rule with access role that not match

Chris_Atkinson — Wed, 05 Aug 2020 12:09:00 GMT

There are some version / hotfix level specific issues of this nature in earlier releases, quickest path will be to seek help from TAC to investigate & correlate with any known issues vs config etc.

Re: rule with access role that not match

Paolo_Francese — Wed, 05 Aug 2020 12:53:43 GMT

I better investigate this issue and I discovered that identity is get from an Identity Collector that send username and IP to the gateways, but between the user and the gateways there is a router that NAT the connections, so the traffic generated by the user reaches the gateway with a source IP that is not the one reported by Identity Collector.

I think that the rule mismatch is caused because of this IP mismatch due to NAT.
What do you think?

Thanks in advance

Re: rule with access role that not match

_Val_ — Wed, 05 Aug 2020 13:44:34 GMT

Can be the case

Re: rule with access role that not match

MartinTzvetanov — Fri, 07 Aug 2020 12:33:07 GMT

How does the access role looks like? If it's for a specific user/group from AD and ANY machines, the only needed info is the username, so I'm not so sure that NAT is causing the problem.

Re: rule with access role that not match

Paolo_Francese — Fri, 07 Aug 2020 13:33:25 GMT

Access role object is populated only with one active directory user, other field are set to default values.