topic Re: Identity awareness blade issue in Firewall and Security Management

Identity awareness blade issue

the_rock — Wed, 02 Feb 2022 00:57:32 GMT

Hey guys,

I hope someone can clarify this for me. I dont believe it ever worked properly for the customer. So, here is the situation. IA blade is enabled and there are few access roles configured. It does work for the most part, but one thing that fails is this...

So, if same user logs into multiple machines, then ONLY first machine they logged into will give them Internet access, not any sequential ones. So say user joesmith logs into windows box with IP 10.10.10.10, then to another windows with IP 10.10.10.11 and 3rd one 10.10.10.12...well, ONLY 10.10.10.10 IP machine will give them proper external access, not any other ones.

Option on gateway to assume that only one user is connected per machine is not checked, so logically, one would think that would allow same user to get access when connected to multiple machines. The drop we see on fw is that it comes to right layer and then explicit clean up rule drops the traffic, since it does not recognize access role association. We tried revoking IP, user, pdp update all...nothing worked.

Not sure if there is something else Im missing here?

Thanks as always!

Re: Identity awareness blade issue

PhoneBoy — Wed, 02 Feb 2022 06:51:04 GMT

What version/JHF level?

@Royi_Priov

Re: Identity awareness blade issue

G_W_Albrecht — Wed, 02 Feb 2022 09:34:07 GMT

sk115776: Specific user is not identified by Identity Awareness

Re: Identity awareness blade issue

the_rock — Wed, 02 Feb 2022 11:36:24 GMT

R81.10 mgmt jumbo 9, R80.40 jumbo 120 gateway cluster

Re: Identity awareness blade issue

the_rock — Wed, 02 Feb 2022 11:37:45 GMT

Thanks a lot G, will check this in a bit.

Re: Identity awareness blade issue

the_rock — Wed, 02 Feb 2022 13:50:15 GMT

I really hope this works. I did the changes and will ask customer to test. Funny enough, I went to that gateway setting thats in sk yesterday, but totally omitted the part about "automatically exclude users...". My bad...will let you know for sure if this fixes it. Thanks as always brother, grateful for all the help.

Re: Identity awareness blade issue

the_rock — Wed, 02 Feb 2022 15:10:09 GMT

Sadly, did not help. I made changes and asked client to test, but same behavior, no access when same user logs into 2nd machine. I will call TAC later and see if we can do some tests, since we already have active case opened for this since the weekend.

Re: Identity awareness blade issue

lfar — Wed, 02 Feb 2022 15:59:55 GMT

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_IdentityAwareness_AdminGuide/Topics-IDAG/CLI/pdp-conciliation.htm

Try enabling any of the above, depending on the source from where your identities are being learned.

Re: Identity awareness blade issue

the_rock — Wed, 02 Feb 2022 16:10:12 GMT

I ran it on both cluster members and asked client to test, so will see if any difference. Will keep you posted.

Re: Identity awareness blade issue

the_rock — Wed, 02 Feb 2022 16:23:28 GMT

No luck, just tried.

Re: Identity awareness blade issue

the_rock — Wed, 02 Feb 2022 19:47:12 GMT

Just quick update guys...spoke with TAC and Harry had me do below options (we had checked internal users before, as well as all gateways directories). Once this was done, we pushed policy, but also had to install identity agent on windows machine we tested and then same user worked fine! I will still ask customer to test with few different users.

Re: Identity awareness blade issue

Magnus-Holmberg — Wed, 02 Feb 2022 23:05:19 GMT

Have had the issue that needed to install the identity agents if users roam quickly between wifi/lan to make sure update correctly.

Re: Identity awareness blade issue

the_rock — Wed, 02 Feb 2022 23:48:39 GMT

I never realized that before, but I guess IA agent is needed on windows in situation like this. Otherwise, if its only 1 user logged into 1 machine at the time, no need for IA agent.