topic Re: Identity Awareness - AD Query: strange behaviour in Firewall and Security Management

Identity Awareness - AD Query: strange behaviour

Kryten — Wed, 02 Mar 2022 13:15:06 GMT

Hello,

I am currently investigating an issue one of our customers has wih AD-Query in Identity Awareness.
Initially the problem reported was occurences of "A secondary session request was received from the same IP. This caused logout of the current session", in combination with users complaining about access problems. They were getting the blockpage instead of access that should be allowed for this user or group. The customer suspects that these secondary session logouts are causing the problems.

After looking at the logs, I think the problem might be something else, but I can not make sense of it(yet). I am still fairly new to Check Point, so maybe I am missing something here.

Here is one example of events from the logs, where the problem occured last week:

08:01:12: machine authentication(AD Query)
connections from machine, no user yet: access denied
08:02:38: user authentication(AD Query)
connections: access allowed based on user/group rules, source username in logs
08:02:54: A secondary session request was received from the same IP. This caused logout of the current session(AD Query)
connections: access still allowed, seeing source user name in logs
08:14:28: Machine authentication(AD Query)
connections: access denied, no source user name listed, only machine as source
08:21:58: "A secondary session request was received..."(AD Query)
connections: access allowed again, source user name in logs

To me it seems the user does not get logged out in between. The secondary Session notification says it does cause a logout, but shouldn't I see another user login on the same time then, the one that caused this?
I am confused by this and I would really like to understand what exactly is happening here. Is there any way to find out what exactly does cause these secondary session events or why the access for the user is not working anymore after the machine logs back in?

The customer already tried looking up the events in the Domain Controller, but while seeing them there, there is also no info on what exactly caused them.

Also this is not happening very often and cannot be reproduced manually, which makes debugging this a bit harder. Any help on how to find this out would be much appreciated.

Cheers,

Alex

Re: Identity Awareness - AD Query: strange behaviour

the_rock — Wed, 02 Mar 2022 14:28:45 GMT

Hey Alex,

Can you confirm below settings on IA tab of identity awareness on the firewall objects?

Andy

Re: Identity Awareness - AD Query: strange behaviour

Kryten — Wed, 02 Mar 2022 14:54:35 GMT

The first Option is checked, the second is not.

Are machine identities treated the same way as a user when it comes to sessions per IP? I would have thought that the first Option only applies to user identities, just as it says....

Re: Identity Awareness - AD Query: strange behaviour

the_rock — Wed, 02 Mar 2022 15:04:46 GMT

I think thats your problem...uncheck 1st option and push policy and test.

Andy

Re: Identity Awareness - AD Query: strange behaviour

Kryten — Wed, 02 Mar 2022 15:55:52 GMT

I will have to discuss this with the customer, but I think there is porobably a reason why it is configured like that and we do not want to break other things too easily 🙂

Also I would like to understand what exactly is happening and why before I change things. As I said, there is only one user using that machine, so I would naturally think that this option would do no harm....so what is the problem here?

Re: Identity Awareness - AD Query: strange behaviour

the_rock — Wed, 02 Mar 2022 17:48:39 GMT

Right, but...if you think about it logically, that setting says "assume that one user is connected per computer", meaning if 2nd person tried to connect to that same IP, it will not work.

Andy

Re: Identity Awareness - AD Query: strange behaviour

Kryten — Thu, 03 Mar 2022 08:28:36 GMT

But there is no second person involved here...only one user and his personal computer.

I understand that other things than a user logging into his computer can cause additional login events, like opening a captive portal (in this case we see "Source: Captive Portal" so that is not the case for this user here) or login to fileshares. I just want to know if there is a way to find out what exactly caused these events.

Re: Identity Awareness - AD Query: strange behaviour

the_rock — Thu, 03 Mar 2022 13:14:04 GMT

Sorry sorry, my bad, I did not realize it was just one user, apologies. So, you are saying just one user was attempting a connection and those logs came up? If so, I would involve TAC, because it makes no sense that log would say secondary session came from same IP. Is there identity agent involved here or no?

Andy

Re: Identity Awareness - AD Query: strange behaviour

Kryten — Fri, 04 Mar 2022 15:45:14 GMT

Only AD-Query so far, we tried using the Identity Agent for one affected user but saw no difference. Its hard to tell though, as this happens pretty rarely.
I know of a few cases where a secondary session can happen, thus I would like to be able to somehow find out exactly the cause for these. I start to fear that this is not possible without monitoing the user and his computer closely, which is also not possible 🙂

I guess a TAC Case it is then...

Thanks a lot so far!

Re: Identity Awareness - AD Query: strange behaviour

Paul_Hagyard — Fri, 03 Jun 2022 04:30:15 GMT

Service account login on the same device? Exclude service accounts under advanced settings if so.

Re: Identity Awareness - AD Query: strange behaviour

George_Casper — Fri, 03 Jun 2022 14:51:25 GMT

Any chance the customer's Active Directory folks elevated CVE-2021-26414 to enforce ahead of next months Microsoft patches? Checkpoint released jumbo's this past month or so to address the issue. See sk176148