topic Re: Identity collector and MUH agent - Ignores more than 7 Logins in Firewall and Security Management

Identity collector and MUH agent - Ignores more than 7 Logins

Henrik_Oersnes_ — Tue, 22 Jun 2021 06:28:25 GMT

Hi all Checkmates,

This is my first post, so first of all thanks for all the great post and knowledge sharing.

This weekend I change my FW setup from identity sharing to identity collector, for a simpler identity sharing between my firewalls
On the firewall clusters I also disabled "Active directory query" as this would be done on the ID Collector.

Now FWCLUS01/DMZ ignores more than 7 logins
"x.x.x.x with machine: Termial-Server100@domain.xzy, was marked as a multi user host IP. user login events for that IP will be ignored from now on"

It is ingnored when it hit's the native Multi-user host Detection Threshold = 7 . I have tried to change this threshold by using the cli configuration tool "adlogconfig a" and change the "Multi-user host Detection Threshold" to "10" and install policy.
This does not change the behavior.

Do any of you know if this setting is an option when running with Identity collector ?

The Firewall (FWCLUS02/WAN) collecting user from terminal server via MUH Agent is accepting the the increasement of "Multi-user host Detection Threshold" but I guess this is because the MUH Agent config is this FWCLUS02/WAN and it looks at the parameter.

My firewall setup:
The user on the terminal server environment is auth with MUH agent against FWCLUS02/WAN=Blue line
Identity sharing is used on both FWCLUS01/DMZ and FWCLUS02/WAN shown as the = Green line
VDA User A is connecting to the DMZapplicaiton = red
All FW/SMS is running R80.40 Take 118

When the VDA user A connects to DMZapplication and FWCLUS01/DMZ looks up the amount of user on the terminal server from identity collector and if it is above 7 it will add into this state "x.x.x.x with machine: Termial-Server100@domain.xzy, was marked as a multi user host IP. user login events for that IP will be ignored from now on"

It looks like when Identity collector is used it looks like i'm missing the parameter to increase "Multi-user host Detection Threshold" to more than 7.

Hope someone in the checkmates community have been through the same and have a solution for it.

/Henrik

Re: Identity collector and MUH agent - Ignores more than 7 Logins

the_rock — Tue, 22 Jun 2021 12:27:44 GMT

Just a shot in the dark, but did you try pdp update all command?

Re: Identity collector and MUH agent - Ignores more than 7 Logins

Henrik_Oersnes_ — Wed, 23 Jun 2021 05:41:32 GMT

Hi,

I just tried it this morning nothing changed.
When I did a test after your command I was able to see the connection to the "DMZapplication" showed up in the logs for FWCLUS01DMZ as a compleat different user.
This user was who ever loged into the Terminal server latest!

I might have a misconfiguration/design somware.
Atm. it looks like the Identity collector does not work well with in a MUH setup.

Re: Identity collector and MUH agent - Ignores more than 7 Logins

Wolfgang — Wed, 23 Jun 2021 06:13:36 GMT

@Henrik_Oersnes_

another shot in the dark....Did you tried the new MUH v2 agent on your terminalserver

Terminal Server Agent v2 (MUH2) - FAQ

Re: Identity collector and MUH agent - Ignores more than 7 Logins

Benedikt_Weissl — Wed, 23 Jun 2021 07:31:34 GMT

Are the terminal server IPs excluded in the identity collector config? Try to authenticate every user only via one mechanism, either via identity collector or MUHv2 agent.

Re: Identity collector and MUH agent - Ignores more than 7 Logins

Henrik_Oersnes_ — Wed, 23 Jun 2021 11:28:15 GMT

Hi,
This is a design flaw from my side. I have misunderstood what the use case is for Identity collector.

I expected that the Firewall cluster/GW participated in the identity collector setup, also would send back info about users connected to them as MUH can't connect to the identity collector.

In my case I will need setup "Identity sharing" between the two cluster.
And as you write Benedik_Weissl exclude the server running with the MUH.
Hope to change my configuration this Friday and let you know if it works.

Hope Checkpoint would move MUH feature to Identity collector in a furture relase.

Thanks for your inputs.