topic Re: Switching Identity Awareness AD - NTLMv1 to NTLMv2 in Firewall and Security Management

Switching Identity Awareness AD - NTLMv1 to NTLMv2

checkandmate — Wed, 28 Jul 2021 04:10:54 GMT

Hi All

Forgive me if this has been asked before, I could not find any posts which answered this... currently have Identity Awareness configured and using NTLMv1. Planning to migrate to NTLMv2.

Version R80.40 181

Reviewed ...

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_IdentityAwareness_AdminGuide/Topics-IDAG/Configuring-Identity-Sources-Configuring-AD-Query.htm?Highlight=ntlm

Would like to confirm the steps for a platform already using IA.

After step ...

On the Security Management Server:
1. Connect to the command line.
2. Log in to the Expert mode.
3. Run:
  adlogconfig a
4. Enter the number of this option:
  Use NTLMv2
5. Enter the number of this option:
  Exit and save

My concern is step (c). Do you need to disable / enable IA blade - then run back through the wizard to essentially reinstall IA?

Just need a little clarification.

Thanks in advance.

Shane

Re: Switching Identity Awareness AD - NTLMv1 to NTLMv2

PhoneBoy — Wed, 28 Jul 2021 05:43:39 GMT

Pretty sure this is not required.

Re: Switching Identity Awareness AD - NTLMv1 to NTLMv2

checkandmate — Sun, 29 Aug 2021 04:55:27 GMT

Thanks for the prompt response 🙂

Re: Switching Identity Awareness AD - NTLMv1 to NTLMv2

LazarusG — Wed, 22 Sep 2021 15:35:16 GMT

how would you validate the change from the checkpoint estate? if disabling and re-enabling/configuring the blade isn't necessary can the instructions be updated?

Re: Switching Identity Awareness AD - NTLMv1 to NTLMv2

PhoneBoy — Wed, 22 Sep 2021 15:38:10 GMT

I assume you can see the changes reflected in the adlogconfig output.

Re: Switching Identity Awareness AD - NTLMv1 to NTLMv2

LazarusG — Thu, 23 Sep 2021 11:03:12 GMT

indeed so - thank you, also seems you can revert the setting by choosing option 21 again from adlogconfig a

[ ] Override configuration
[ ] Enable Adlog
[ ] Enable log for login or logoff
[ ] Use log original creation time
Association timeout : 0
Full Name Query Interval (days, 0=disabled) : 0
Full Name Fetch Hour : 0
Multi-user host Detection Threshold: 7
Revoked user timeout interval : 14400
[X] Enable Multi-User Host persistence DB
Multi-User Host persistence machine timeout (minutes): 2592000
Service Account Detection Threshold: 10
[ ] Automatically Exclude Service Accounts
[ ] Override default communication parameters
Query Within count : 0
Query Max returned objects in each iteration: 0
[X] Disable password expiration check
[X] Use NTLMv2 <===========you are correct!
[ ] Single User Assumption
[ ] Don't report machines
[X] LDAP groups update notifications
Notifications accumulation time : 10 (sec)
[X] Notify only user-related LDAP changes
[ ] Prefer IPv6 DC addresses
[1] WMI query Type

====================================================

1 - Override file
2 - AD Log feature
3 - Enable log for login or logoff
4 - Use log original creation time
5 - Association timeout
6 - Full Name Query Interval
7 - Full Name Fetch Hour
8 - Add Domain name
9 - Delete Domain
10 - Username
11 - Password
12 - Domain Controllers
13 - Change Multi-User detection threshold
14 - Change Revoked User timeout interval
15 - Multi-User Host Persistence DB
16 - Multi-User Host Persistence machine timeout
17 - Override Default Communication Parameters
18 - Query Within interval
19 - Max returned objects in each iteration
20 - Password expiration check
21 - Use NTLMv2
22 - Single User Assumption
23 - Change Service Account Detection Threshold
24 - Ignore Events From Different Domains
25 - Automatically Exclude Service Accounts
26 - Don't report machines
27 - Turn LDAP groups update on/off
28 - Notifications accumulation time
29 - Update only user-related LDAP changes
30 - Prefer IPv6 DC addresses
31 - WMI Query Type
32 - Exit without saving
33 - Exit and save

Please enter your choice: 33
- Saving configuration file '/opt/CPsuite-R81.10/fw1/conf/ad_log_override.C'
Note: you can run 'adlogconfig a -test domainName' in order to test connectivity
[Expert@r81mgmt:0]# adlogconfig

adlogconfig usage:
adlogconfig l [-test domainName] - if you are using Identity Logging
adlogconfig a [-test domainName] - if you are using AD Query (Identity Awareness)

I do suspect the steps to disable and re-enable the identity awareness blade are necessary though and i expect we can only validate gateways are doing ntlmv2 in packet captures(?)

Re: Switching Identity Awareness AD - NTLMv1 to NTLMv2

Edi — Wed, 08 Jun 2022 12:56:11 GMT

Hi, Can you please confirm if this apply for R80.30 too. Thanks

Re: Switching Identity Awareness AD - NTLMv1 to NTLMv2

checkandmate — Thu, 09 Jun 2022 03:52:52 GMT

After I made the initial change / tested, we confirmed IA was still reaching out to AD via NTLMv1. We are utilising R81.

Reaching out to TAC they recommended reinstalling IA, ie.. general properties, disable / reenable IA (without OK) and follow the wizard. This has now been done on CP, and Im waiting from monitoring back from Server.

Once I have the results.. .I will post again.

Re: Switching Identity Awareness AD - NTLMv1 to NTLMv2

ThierryReboul — Thu, 23 Jun 2022 10:25:32 GMT

Hi @checkandmate,

I'm looking at the same thing, did this work for you? Can you share your feedback on the procedure?

Thanks!

Re: Switching Identity Awareness AD - NTLMv1 to NTLMv2

AndreasD — Wed, 03 Aug 2022 13:03:45 GMT

This was extremely helpful for me. Thank you.

Re: Switching Identity Awareness AD - NTLMv1 to NTLMv2

checkandmate — Thu, 04 Aug 2022 00:39:59 GMT

Update

After performing the above procedure we still found NTLMv1 traffic reaching out to the DC's. Another ticket was raised with TAC and confirmed this is expected behavior. See CP reply :-

"As we discussed over the phone, even you move to NTLMv2, the gateway will still show the NTLMv1. Even if the GW is set to use v2, it still tries v1 before anything else. If the SMS output of "adlogconfig" shows Use NTLMv2, then the database will be pushed to FW to use NTLMv2

Regards,"

Re: Switching Identity Awareness AD - NTLMv1 to NTLMv2

frankcar — Fri, 23 Feb 2024 10:47:08 GMT

I see this old post, but from my changes I been making on the mgmt via adlogconfig a or l i have to issue this command once exit and save to reconfigure with new settings.

adlog l control reconf

adlog a control reconf