topic Identity Awareness Issues after resetting AD service account in Firewall and Security Management

Identity Awareness Issues after resetting AD service account

chuka — Tue, 11 Jun 2019 16:51:47 GMT

Hello All,

I am running an environment with R80.10 and AD Query enabled for my gateways. All have been well till we had to perform a yearly password rotation for service accounts.

After the service account change, rules based on ID management and Mobile access authentication via AD stopped working.

I have updated the LDAP Account object with the new passwords, yet the issue still persist.

Output of adlog a DC show the gateways are connected to the DC's. Output of the Test_ad_Connectivity tool returns a success status.

At this point don't know what else to check, any ideas on how to resolve.

regards.

Re: Identity Awareness Issues after resetting AD service account

PhoneBoy — Thu, 13 Jun 2019 18:28:13 GMT

Have you opened a TAC case by chance?
Possible @Royi_Priov has a suggestion.

Re: Identity Awareness Issues after resetting AD service account

Timothy_Hall — Fri, 14 Jun 2019 01:14:08 GMT

Sounds like something is stuck in pdpd. Anything interesting getting logged into $FWDIR/log/pdpd.elg? As a last resort try killing it with "fw kill pdpd" and letting cpwd automatically restart pdpd within 60 seconds.

Re: Identity Awareness Issues after resetting AD service account

chuka — Sun, 16 Jun 2019 00:19:05 GMT

Hi PhoneBoy,

Thanks for the response, I have logged a request with a checkpoint patner, who are our first level support, they insist the permissions on the account have changed, which is not the case.

To isolate the account permissions possibility, i have setup an identity collector, however the gateways are not identifying users.

regards.

Re: Identity Awareness Issues after resetting AD service account

chuka — Sun, 16 Jun 2019 00:30:26 GMT

Hi Tim,

Thanks for having a look, the only noticeable thing in pdpd.elg is that their are no user associations coming in. I have killed the process and restarted the gateway, stuck at same.

I have also deployed an IDC, issue still same, a snippet of pdpd.elg is shown below.

Anymore thoughts is welcomed.

[25936 4106254096]@fw-xxxx-[16 Jun 1:19:49] [TRACKER]: #3478674 -> OUTGOING -> IDENTITY_REVOKE -> to pep: 127.0.0.1 (ipv4); (ipv6), RevokeInformation dump:
Unique ID : cbdd72e9
Remove existing connections : no

[25936 4106254096]@fw-xxx[16 Jun 1:19:49] [TRACKER]: #3478675 -> OUTGOING -> IDENTITY_REVOKE -> to pep: 127.0.0.1 (ipv4); (ipv6), RevokeInformation dump:
Unique ID : a5f1ee1c
Remove existing connections : no

[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478676 -> INCOMING -> AGENT_REQUEST -> ip: , type: IDCLogEvent
[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478677 -> OUTGOING -> AGENT_RESPONSE -> ip: , type: IDCLogEvent, result: OK
[25936 4106254096]@fw-fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478678 -> INCOMING -> AGENT_REQUEST -> ip: , type: IDCEvent
[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478679 -> INCOMING -> IDCOLLECTOR_ASSOCIATION -> Ip: x.x.x.x; User: ; User Groups: ; User Roles: ; Machine: bitlocker02v; Machine Groups: ; Machine Roles: ; Domain: xxxx.com; Source Type: AD; TTL: 43200; IDC IP: x.x.x.x

Re: Identity Awareness Issues after resetting AD service account

Royi_Priov — Tue, 18 Jun 2019 12:55:47 GMT

Hi @chuka ,

[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478679 -> INCOMING -> IDCOLLECTOR_ASSOCIATION -> Ip: x.x.x.x; User: ; User Groups: ; User Roles: ; Machine: bitlocker02v; Machine Groups: ; Machine Roles: ; Domain: xxxx.com; Source Type: AD; TTL: 43200; IDC IP: x.x.x.x

This log means that IDC published an association to PDP for bitlocker02v machine in the specified domain.

The rest of Identity Awareness chain is:

send LDAP request to receive the identity groups.
match the identity (user/machine) + LDAP groups with Check Point access roles.
publish this identity to all relevant PEP gateways.

I do recommend addressing this with TAC, as it seems to be something in the configuration which needs to be tuned.