topic Re: Identity Rule Access Role issue in Firewall and Security Management

Identity Rule Access Role issue

Nandhakumar — Tue, 04 May 2021 15:25:18 GMT

Hi,

We have firewall enabled with identity awareness blade. It collects identity from identity collector, which it makes communication to our internal domain controllers for fetching identities and forward to gateway.

We got requirement from user to add specific rule where user can access vendor link from any network (corporate IP only), any user but from particular server.

We created access rule for this requirement. However, its not working. If you suggest any troubleshooting steps, it would be much appreciated.

Could see traffic getting dropped in firewall when user tries to telnet to vendor portal from the allowed particular server/machine.

Re: Identity Rule Access Role issue

PhoneBoy — Wed, 05 May 2021 01:59:10 GMT

Let’s start with exactly what you created in the rulebase versus what got logged when the user tried to access.
Might help to know version/JHF level as well.
Also maybe check in the CLI of the gateway if it’s associating the right roles using pdp monitor user username.

Re: Identity Rule Access Role issue

Nandhakumar — Wed, 05 May 2021 03:41:56 GMT

I have created access role in source column like below

Network - Any

Users - Any

Machine - Specific Security Group created in AD (This group contains machines/servers not any user ID's)

Destination - Vendor Website IP address

Gateway version is R80.40/ JHF Accumulator take 91

When i run pdp monitor user username, I am not getting this access role but getting other access roles. Working fine If I create access role with any network, specific users and any machine (Not for this scenario for others i am saying).
Why with specific machine is not working?

Also, please let me know how can i make this service in running state and see logs in Login Monitor section of Identity collectors. Please see attached screenshot for details.

Re: Identity Rule Access Role issue

PhoneBoy — Wed, 05 May 2021 04:38:34 GMT

Logins Monitor might be this: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk166076&partition=Basic&product=Identity

Re: Identity Rule Access Role issue

Nandhakumar — Wed, 05 May 2021 05:18:45 GMT

We have added Domain Controller as identity source manually but still having same issues. 'Is Forwarded Log Event Collector' was already in disabled state. This sk166076 doesn't resolve my issue. Do you know that we need to start any windows services for this to work?

Re: Identity Rule Access Role issue

Kaspars_Zibarts — Wed, 05 May 2021 07:00:09 GMT

I don't think I quite understand the requirement here.

Do you mean that the "vendor link"is a URL and accessed via browser?

In that case is it safe to assume that the "particular server"is a proxy?

So users would connect to proxy and proxy would make connection to the vendor?

Re: Identity Rule Access Role issue

MartinTzvetanov — Wed, 05 May 2021 07:37:16 GMT

How the users connect to this particular server RDP/SSH? Why don't you just create a rule with this server as IP, not by access role?

Re: Identity Rule Access Role issue

Martin_Stolz — Wed, 05 May 2021 18:22:41 GMT

Important is the status in the "Identity Sources" tab, is your configured AD server listed green?
And if you see a higher number than 0 in column "Total Events Received" you are receiving events 🙂

On the identity collector you have great log file "C:\Windows\Temp\ia.log"

To have the events in the UI, you need to turn on the "Loging Monitor".
Please click on the small grey "power button" behind the "Loging Monitor" text and you will see the monitoring events.
Your screenshot is showing that the "Logins Monitor" is disabled.

By the way i think the question from Martin Tzvetanov is a valid one.
If any user should have access and you want to allow the system itself as source,
why not creating a simple rule for allowing "YourServerIP" to vendors Website IP?

But sometimes the destination IP of a website could change,
so you could think about using FQDN object as destination instead of IP.

Re: Identity Rule Access Role issue

Nandhakumar — Thu, 06 May 2021 03:09:13 GMT

Yes we added AD domain controller and tested successfully. All displayed as Green in Identity sources dashboard. Yesterday only i have noticed that power like button for Login Monitor. After I turn on, I could see the event logs.

I created rule using access role where I given specific machine group as source. In that group, as of now only one server added. In future, group owner may add many servers (That's the reason we haven't created IP base rule)

I asked user to check but he told that he still unable to telnet for that site. I ran debug on firewall and observed drops.

When I ran this command 'pdp monitor machine <machine name>', I am not getting any output. At this time, 'ignore machine identities' check box was in enabled state in IC.

I disabled 'ignore machine identities' would fix the issue. Now, I want to understand, How long this identity will be seen in gateway?

Also, how would we force changes made in IC to forward to gateway? I hope, currently it keeps the association time to live for 720 minutes. So if that is case, can't the changes pushed to gateways until it get expire.