https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74425#M11621 What does the Access Role you’ve configured look like? Fri, 07 Feb 2020 11:25:08 GMT PhoneBoy 2020-02-07T11:25:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74402#M11620 <P>Hello</P><P>We are using&nbsp;<SPAN>Identity awareness with identity collector. When we create a access rule within the access policy in order to block a group of computers from accessing the internet, however this does not work, the traffic doesnt even match this rule.&nbsp;</SPAN>Creating a simular rule for users from the AD works just fine but not the computers.&nbsp;</P><P>Any ideas?</P><P>Running version R80.20 HFA Take 91&nbsp;</P><P>&nbsp;</P><P>//Johan</P> Fri, 07 Feb 2020 08:54:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74402#M11620 Johan_Rudberg 2020-02-07T08:54:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74425#M11621 What does the Access Role you’ve configured look like? Fri, 07 Feb 2020 11:25:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74425#M11621 PhoneBoy 2020-02-07T11:25:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74439#M11622 <P>probably there is no match for this access role. When you select specific workstations, which setting you have for "users" section?</P><P>Is your workstation exist here?</P><P>pep s u q mchn &lt;workstation_name&gt;</P> Fri, 07 Feb 2020 12:43:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74439#M11622 abihsot__ 2020-02-07T12:43:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74448#M11623 <P>Are the computers you are trying to block part of the AD domain? or are they standalone?&nbsp;</P> Fri, 07 Feb 2020 13:19:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74448#M11623 Daniel_Taney 2020-02-07T13:19:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74465#M11624 <P>I remember I had to split "mixed"roles after upgrade to R80.x as machine IDs stopped working if the same role also had user IDs.</P> <P>Try using role that has machine IDs / groups only if you have not done that</P> Fri, 07 Feb 2020 15:19:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74465#M11624 Kaspars_Zibarts 2020-02-07T15:19:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74970#M11625 <P>We resolved this problem by rebooting the management server, now the rule works!</P><P>&nbsp;</P><P>However from the moment when a computer is added to the AD group it takes X hours before the rule deny the traffic, why is that so?</P><P>&nbsp;</P><P>//Johan</P> Wed, 12 Feb 2020 12:27:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74970#M11625 Johan_Rudberg 2020-02-12T12:27:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74972#M11626 <P>By default it is 4 hours. You have to change it if you want more frequent active directory fetch for group membership. You can do manually by using following command:</P><P>&nbsp;</P><P>pdp update</P><P>Command: root-&gt;update</P><P>Available options:<BR />all - recalculate all users and machines group membership<BR />specific - recalculate group membership for a user/machine<BR />refetch_interval - LDAP user info refetch interval<BR />update_rate - the max number of sessions updated within a minute</P> Wed, 12 Feb 2020 12:35:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/74972#M11626 abihsot__ 2020-02-12T12:35:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/75071#M11627 It is a AD Group configured under Machine in the Access Role Thu, 13 Feb 2020 08:34:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-Access-Rules/m-p/75071#M11627 Johan_Rudberg 2020-02-13T08:34:36Z