topic Identity Collector not receiving events in Firewall and Security Management

Identity Collector not receiving events

pnobels — Wed, 22 Jun 2022 10:20:22 GMT

Hi,

using sk108235 and sk122686.

i installed Identity Collector 81.035.0000 on Windows Server 2019.

I am successfully connected to ADC servers. I have created a query pool

I'm also successfully connected to one gw running R80.10.

Problem is i'm not seeing any events coming in from the ADC's in the IDC gui. When i clicked on 'logins monitor' and start monitoring, also nothing shows up...

Firewall ports between the IDC server and ADC's are okay. I even disabled fw's on both to be 100% sure. The user account is member of the event log readers.

In the logs i see things like :

[ 2200 4356]@SRV[22 Jun 12:00:07] [Event (NAC::IS::TD::Surprise)] UTILS::Event::wait: Timeout in the wait
[ 2200 4364]@SRV[22 Jun 12:00:07] [Event (NAC::IS::TD::Surprise)] UTILS::Event::wait: Timeout in the wait
[ 2200 4360]@SRV[22 Jun 12:00:07] [Event (NAC::IS::TD::Surprise)] UTILS::Event::wait: Timeout in the wait
[ 2200 4364]@SRV[22 Jun 12:00:07] [Exception (NAC::IS::TD::Critical)] UTILS::LoggingException::LoggingException: Operation Timed Out
[ 2200 4356]@SRV[22 Jun 12:00:07] [Exception (NAC::IS::TD::Critical)] UTILS::LoggingException::LoggingException: Operation Timed Out
[ 2200 4360]@SRV[22 Jun 12:00:07] [Exception (NAC::IS::TD::Critical)] UTILS::LoggingException::LoggingException: Operation Timed Out
[ 2200 4356]@SRV[22 Jun 12:00:07] [PDPChannel (TD::Important)] NAC::IDCOLLECTOR::PDPChannel::run: TimeOutException when waiting on notifiction lock
[ 2200 4360]@SRV[22 Jun 12:00:07] [PDPChannel (TD::Important)] NAC::IDCOLLECTOR::PDPChannel::run: TimeOutException when waiting on notifiction lock
[ 2200 4364]@SRV[22 Jun 12:00:07] [PDPChannel (TD::Important)] NAC::IDCOLLECTOR::PDPChannel::run: TimeOutException when waiting on notifiction lock

and

[ 2200 5492]@SRV[22 Jun 12:00:17] [WinHttpCCC (NAC::IS::TD::Surprise)] UTILS::WinHttpCCC::asyncCallbackMethod: STATUS_REQUEST_ERROR: error 12175 (async API 5) on request (id 1 - 1c1e838)

Anyone having an idea?

Re: Identity Collector not receiving events

Sorin_Gogean — Wed, 22 Jun 2022 11:07:56 GMT

hey,

As we implemented IA with IC without issues on AD side (we had some glitches with ISE/pxGrid) I have some questions.

(preferably to answer each one 😊)

Do you have multiple AD domains/subdomains ?

The domain you are addressing does have log-in events ?

Is the account you use allowed to read AD log events ?

Do you use LDAPs or simple LDAP ? (have you changed the port/checkbox accordingly)

Can you show s a screenshot of the IC with the AD server/servers you connect to - do you see events counting ?

Ty,

Re: Identity Collector not receiving events

pnobels — Wed, 22 Jun 2022 14:04:46 GMT

Do you have multiple AD domains/subdomains ? Only one domain.

The domain you are addressing does have log-in events ? This might be the problem. With log-in events, you mean eventid 4624? I talked to the AD admin and the closest thing i can see is eventid 4776. No 4624.

https://community.checkpoint.com/t5/Security-Gateways/Identity-Collector-not-getting-any-events/td-p/65440

This thread seems to suggest that indeed event IDs 4624, 4768, 4769, 4770 are needed.

Is the account you use allowed to read AD log events ? Yes

Do you use LDAPs or simple LDAP ? (have you changed the port/checkbox accordingly) Can't find this setting back but taking into account above this is probably not the issue.

Re: Identity Collector not receiving events

Sorin_Gogean — Wed, 22 Jun 2022 14:18:41 GMT

Can you have a look here and see if the AD account is created properly , as I know the AD user requirements are like...

For AD integration - the Identity Collector requires an AD user that belongs to the default Event Log Readers group.
No administrative role is required for this user. "

(https://community.checkpoint.com/t5/Security-Gateways/Identity-Collector-integration-design-guidelines/m-p/150665?search-action-id=44883405532&search-result-uid=150665 )

Mainly it should be (sk179544):

(4) Integrating to Identity Collector - Learning Login Events

Show / Hide the section

Watch the training video (2 min 30 sec).

This video is about:

Integrating Identity Collector to the Active Directory Domain
Defining Active Directory Domain as an Identity Source
Adding a Query Pool
Monitor Login Events

(5) Migrating to Identity Collector as identity source in addition to AD Query

Show / Hide the section

Watch the training video (3 min 34 sec).

This video is about:

Integrating Identity Collector to the Active Directory Domain
Using ID Collector in parallel to AD Query
Connecting the ID Collector to the gateway
Monitor ID Sessions

Ty,