https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-ignores-machines/m-p/74935#M11653 <P>Quoting from here:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk60301" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk60301</A><BR /><BR /></P> <UL> <LI><STRONG>User Change:</STRONG><SPAN>&nbsp;</SPAN>If an unknown user association is encountered, and "assume one user per IP" is "on", all of the currently associated users are revoked, and the new association is added as the only user for this IP address. If there were any machine associations for this IP address, they are left intact. See "Single User Assumption" in the Identity Awareness Administration Guide for more information.<BR /><BR /></LI> <LI><STRONG>Multi user host detected:</STRONG><SPAN>&nbsp;</SPAN>If 7 (by default) users are currently associated for the same IP address, the IP address is automatically considered a "multi user host". A log about it is issued, all of the currently associated users are revoked and all new user associations for this IP address are ignored.</LI> </UL> <P>In a nutshell, AD Query as the default choice only working reliably if users do not change machines too often. AD Query looks for log on events only and ignores log off ones. You can tweak the behaviour by tuning "Single User Assumption" settings (see the guide), but if you want a reliable tool allowing often user changes on a single PC, use IA Agent.</P> Wed, 12 Feb 2020 08:37:45 GMT _Val_ 2020-02-12T08:37:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-ignores-machines/m-p/74930#M11652 <P>Hello!&nbsp;</P><P>I am setting up a test environment. There is a distributed installation of Check Point, a pair of test computers, AD DS, IIS. AD Query connects correctly. Then, when changing the user, the message "<STRONG>Machine (machine name) at (IP address) has 1 users (or more) currently connected to it, and will be automatically ignored"&nbsp;</STRONG>appears in the logs. I did not make any additional settings on the gateway or in the account unit. Please tell me how to fix it.</P><P>Thanks!!</P> Wed, 12 Feb 2020 08:17:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-ignores-machines/m-p/74930#M11652 Alexey_Dagil 2020-02-12T08:17:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-ignores-machines/m-p/74935#M11653 <P>Quoting from here:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk60301" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk60301</A><BR /><BR /></P> <UL> <LI><STRONG>User Change:</STRONG><SPAN>&nbsp;</SPAN>If an unknown user association is encountered, and "assume one user per IP" is "on", all of the currently associated users are revoked, and the new association is added as the only user for this IP address. If there were any machine associations for this IP address, they are left intact. See "Single User Assumption" in the Identity Awareness Administration Guide for more information.<BR /><BR /></LI> <LI><STRONG>Multi user host detected:</STRONG><SPAN>&nbsp;</SPAN>If 7 (by default) users are currently associated for the same IP address, the IP address is automatically considered a "multi user host". A log about it is issued, all of the currently associated users are revoked and all new user associations for this IP address are ignored.</LI> </UL> <P>In a nutshell, AD Query as the default choice only working reliably if users do not change machines too often. AD Query looks for log on events only and ignores log off ones. You can tweak the behaviour by tuning "Single User Assumption" settings (see the guide), but if you want a reliable tool allowing often user changes on a single PC, use IA Agent.</P> Wed, 12 Feb 2020 08:37:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-ignores-machines/m-p/74935#M11653 _Val_ 2020-02-12T08:37:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-ignores-machines/m-p/74936#M11654 <P>In addition, look here:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk114096" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk114096</A></P> <P>for setting multi-user threshold, if required</P> Wed, 12 Feb 2020 08:40:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-ignores-machines/m-p/74936#M11654 _Val_ 2020-02-12T08:40:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-ignores-machines/m-p/75058#M11655 Thanks! It was a Multi-User detection threshold. Thu, 13 Feb 2020 06:06:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-ignores-machines/m-p/75058#M11655 Alexey_Dagil 2020-02-13T06:06:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-ignores-machines/m-p/75076#M11656 <P>I am glad it works for you now</P> Thu, 13 Feb 2020 09:49:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-ignores-machines/m-p/75076#M11656 _Val_ 2020-02-13T09:49:35Z