https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107781#M14455 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8232">@Royi_Priov</a>&nbsp;will have to comment on your first question, but I suspect the answer is no.</P> <P>Identity Collector is generally recommended in larger AD environments (more than a few hundred users).<BR />It uses<SPAN>&nbsp;the Windows Event Log API for fetching the DC's security logs, which is in contrast to AD Query which uses WMI, with the identities pushed from the Active Directory server.</SPAN><BR />More details here:&nbsp;<A href="https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108235" target="_blank" rel="noopener">https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108235</A></P> Thu, 14 Jan 2021 05:12:32 GMT PhoneBoy 2021-01-14T05:12:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107452#M14388 <P>Hi All</P><P>We have integrated the CheckPoint with Active Directory to enforce user-based policy through an AD query. Post integration, we are able to fetch all user information through the dashboard therby create access role objects and also push the user-based policy to the Gateway. But the main problem here is that the Gateway is not able to enforce this user-based policy.&nbsp;</P><P>Setup details:</P><P>Management server: Baremetal server R80.20</P><P>Gateway: 44k Chassis R80.20sp</P><P>AD server: Windows 2012</P><P>AD user for integration: Not Administrator but followed&nbsp;sk93938</P><P><STRONG>Observation:</STRONG></P><P>"#adlog a dc" command shows "has connection" to all the domain controllers.</P><P><SPAN>&nbsp; wbemtest results show success for the user that is used to integrate with AD.</SPAN></P><P><SPAN>No firewall between Gateway and Domain controllers to block DCE-PRC protocol port negotiation.</SPAN></P><P><SPAN>No drop logs in the Gateway where AD query is running for traffic towards Domain controller except for the occasional TCP out of state drops(traffic is symmetric checked).</SPAN></P><P><SPAN>Able to see user information from "adlog a query ip/user" command output.</SPAN></P><P><SPAN>Only able to see failed authentication and logout logs for the users in the CheckPoint smartlog.</SPAN></P><P><SPAN>test_ad_connectivity -x &lt;customer domain&gt; -o my_test.txt output is shown below.</SPAN></P><P><SPAN>[Expert@Checkpoint-ch01-01:0]# more my_test.txt<BR />(<BR />:status (SUCCESS_WMI)<BR />:err_msg ("ADLOG_SUCCESS;LDAP_PROTOCOL_ERROR")<BR />:ldap_status (LDAP_PROTOCOL_ERROR)<BR />:wmi_status (ADLOG_SUCCESS)<BR />:timestamp ("Fri Jan 8 17:14:28 2021")</SPAN></P><P><STRONG>My Analysis:</STRONG></P><P>Chances are that the domain controller is not sending user login event logs to CheckPoint.</P><P>OR</P><P>The Gateway is not able to extract the information for the logs pulled from the Domain controller.</P><P>&nbsp;</P><P>Need your expertise to proceed further!</P><P>&nbsp;</P><P>Thanks</P><P>Amith Gururaj Rao</P> Mon, 11 Jan 2021 10:20:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107452#M14388 amith_rao 2021-01-11T10:20:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107559#M14396 <P>Is there a TCP connection between the AD Servers and the gateway?</P> Tue, 12 Jan 2021 04:30:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107559#M14396 PhoneBoy 2021-01-12T04:30:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107561#M14397 <P>Yes, I can see traffic on ports 135 and 389 between Gateway and AD server.</P><P>Just to give more background we are doing a Migration from PAN to CheckPoint. A similar user-based policy is properly being enforced by the existing PAN gateway but only to note they are using user-id agent server for AD query and the credential used by them is super admin.</P> Tue, 12 Jan 2021 05:42:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107561#M14397 amith_rao 2021-01-12T05:42:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107655#M14421 <P>What we do with AD Query is subscribe to very specific events, which the AD Server is supposed to send us.<BR />The gateway then looks up the groups via LDAP.<BR />That said, for anything more than a few hundred users, Identity Collector is probably a better solution than AD Query.&nbsp;</P> <P>Recommend a TAC case to troubleshoot this.</P> Tue, 12 Jan 2021 21:40:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107655#M14421 PhoneBoy 2021-01-12T21:40:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107676#M14425 <P>Thanks for the valuable input&nbsp;Dameon and also we will consider moving it to the TAC.</P><P>Meanwhile, during yesterdays troubleshooting it was observed that the AD server is not enabled with Success &amp; Failure for both "Audit Account logon events" and "Audit Logon Events" as per&nbsp;sk60501.&nbsp;</P><P>So before going ahead with the enablement of these settings can the below two options work?<BR />&nbsp;<BR />1. Considering the integration with an Administrator account, will it have the privilege to read the Audit logs even though the "success &amp; failure for Audit account logon event and Audit logon event is not enabled" in the AD server.</P><P>2. Will the Identity collector be of any help in this scenario? the reason for this question is we don't have enough information on the querying method of the identity collector and how different it is from the typical AD query.</P> Wed, 13 Jan 2021 06:50:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107676#M14425 amith_rao 2021-01-13T06:50:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107781#M14455 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8232">@Royi_Priov</a>&nbsp;will have to comment on your first question, but I suspect the answer is no.</P> <P>Identity Collector is generally recommended in larger AD environments (more than a few hundred users).<BR />It uses<SPAN>&nbsp;the Windows Event Log API for fetching the DC's security logs, which is in contrast to AD Query which uses WMI, with the identities pushed from the Active Directory server.</SPAN><BR />More details here:&nbsp;<A href="https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108235" target="_blank" rel="noopener">https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108235</A></P> Thu, 14 Jan 2021 05:12:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-enforce-user-based-policy-AD-query-from-Security/m-p/107781#M14455 PhoneBoy 2021-01-14T05:12:32Z