topic Re: Rules containing an Access Role which is a group containing a user from another AD does not matc in Firewall and Security Management

Rules containing an Access Role which is a group containing a user from another AD does not match

clement_leconte — Thu, 31 Mar 2022 09:05:54 GMT

Hello everyone,

I didn't found the location for Identity Awareness issues, therefore I picked General Topics but if anyone knows what is the right location please let me know,

The title is a bit long and maybe will not be clear enough so here's my case :

First the architecture :

I have one checkpoint Gateway (4400) on standalone configuration with the R80.40 release
I have 2 Active Directories (let's say A and B) which are on different VLANs (respectively 1 and 2) which are on a trust relationship (I can log on a computer being in domain A with an account of domain B)
I have one computer which is in VLAN 1 and registered in domain B

The main purpose of this architecture is to test Identity Awareness and its abilities,

I've decided to use the terminal agents (light version) and managed to make kerberos logging in for both domain, I've set up rules to test both users from A and B and everything is fine so far.

But when I've tried to create a rule with an Access Role containing a local group created on A that is containing users of B the users of B aren't matched on the rule while users of A that are in the same local group are matched by the rule,

Actually we won't have the access on B to create and manage groups, I know that we can do the same thing by creating an Access Role on the SmartConsole and adding the groups / users to it and it should be working fine but this will be tedious as all groups/OU... are already created on A

Is there anything that I can do to fix this or am I missing something ?

I know that it may not be clear so feel free to ask any question you have,

Thanks in advance for your help and your time,

Re: Rules containing an Access Role which is a group containing a user from another AD does not matc

PhoneBoy — Mon, 04 Apr 2022 15:25:33 GMT

The group information for a user is only obtained by querying the relevant AD domain via LDAP.
Since you're not querying the users of B (and only A), the users from B won't be part of the relevant group.
This seems like expected behavior.

Re: Rules containing an Access Role which is a group containing a user from another AD does not matc

clement_leconte — Mon, 04 Apr 2022 15:32:54 GMT

Thanks for your answer,

So even if the user is in the group, the rule won't match because they are not created on the same AD domain ?
There is no other solution to counter this than creating Access Roles containing both users/groups of A and B ?

Re: Rules containing an Access Role which is a group containing a user from another AD does not matc

PhoneBoy — Mon, 04 Apr 2022 16:58:20 GMT

Right, because the underlying LDAP query is likely only getting the users from the domain in which it is queried, not the ones from the cross-trust relationship.