https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Unsuccessful-User-Directory-Queries/m-p/152194#M25338 <P>Remember that however users are acquired, the gateways do the lookup (via LDAP) for the groups.<BR />Not sure this will help.</P> Fri, 01 Jul 2022 15:14:53 GMT PhoneBoy 2022-07-01T15:14:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Unsuccessful-User-Directory-Queries/m-p/151429#M24727 <P>Hello everyone,</P> <P>&nbsp;</P> <P>As I was stating in other topics, we're close to get the IA into production.</P> <P>We've deployed IC in pairs, so we assure redundancy, we collect log-ins from AD and we got also ISE pxGrig integrated too.</P> <P>&nbsp;</P> <P>What still bothers me, is the HIGH number of "Unsuccessful User Directory Queries" we're seeing in reports (screenshot below).</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%" height="25px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.JPG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/16999iB661D7D3C42A4437/image-size/medium?v=v2&amp;px=400" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></TD> <TD width="50%" height="25px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.JPG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17000iD8B112C63D4DC861/image-size/medium?v=v2&amp;px=400" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>What I can tell, is that our AD Domain (xyz.int) has 4 main sub-domains (ALV, EU, NA and AP) and our IC's are set to grab log-is from the ALV.xyz.int .&nbsp;</P> <P>All good here as we properly see log-ins on each region, and we properly identify the users and machines against AD (groups and everything).&nbsp;</P> <P>&nbsp;</P> <P>My guess is that the cross regions log-ins are going to the&nbsp;"Unsuccessful User Directory Queries" figures, because <A href="mailto:user1@eu.xyz.it" target="_blank">user1@eu.xyz.int</A>&nbsp;is properly found in the EU Cluster, but the <A href="mailto:user2@na.xyz.int" target="_blank">user2@na.xyz.int</A>&nbsp;or&nbsp;<A href="mailto:user2@na.xyz.int" target="_blank">user3@ap.xyz.int</A>&nbsp;are not. (actually they all show up like <A href="mailto:user1@xyz.com" target="_blank">user1@xyz.com</A>&nbsp;or <A href="mailto:user1@xyz.com" target="_blank">user2@xyz.com</A>&nbsp;or&nbsp;<A href="mailto:user1@xyz.com" target="_blank">user3@xyz.com</A>&nbsp;) still in the settings we have LDAP/User Catalog defined for all 4 sub-domains.</P> <P>&nbsp;</P> <P>As a next step, since we just read about it. we're going to address on our LDAP/User Catalog settings the AD Global Catalog (see&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk134292" target="_self">sk134292</A> ) .<BR /><BR />Does anyone else faced similar problem, or my understanding for "Unsuccessful User Directory Queries" is caused by smth else?<BR /><BR /><BR /></P> <P>Any ideas or hints are welcomed.&nbsp;</P> <P>&nbsp;</P> <P>Thank you,&nbsp;</P> Wed, 22 Jun 2022 08:47:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Unsuccessful-User-Directory-Queries/m-p/151429#M24727 Sorin_Gogean 2022-06-22T08:47:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Unsuccessful-User-Directory-Queries/m-p/152056#M25139 <P>TAC would have to take some debugs to find the root cause for your specific case.<BR />In one of the SRs I reviewed, the issue was that ISE was sending usernames to the gateway that aren't in Active Directory.<BR />That would cause the LDAP query to fail, thus that counter to increase.</P> Wed, 29 Jun 2022 19:57:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Unsuccessful-User-Directory-Queries/m-p/152056#M25139 PhoneBoy 2022-06-29T19:57:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Unsuccessful-User-Directory-Queries/m-p/152110#M25187 <P>hey&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;,</P> <P>&nbsp;</P> <P>I will also open a TAC to look into this, as most likely it's like you said, usernames are sent by ISE.</P> <P>We were thinking to use GlobalCatalog for getting User/Machine groups, could this GC address this user search in AD.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Ty,</P> Thu, 30 Jun 2022 10:29:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Unsuccessful-User-Directory-Queries/m-p/152110#M25187 Sorin_Gogean 2022-06-30T10:29:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Unsuccessful-User-Directory-Queries/m-p/152194#M25338 <P>Remember that however users are acquired, the gateways do the lookup (via LDAP) for the groups.<BR />Not sure this will help.</P> Fri, 01 Jul 2022 15:14:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-Unsuccessful-User-Directory-Queries/m-p/152194#M25338 PhoneBoy 2022-07-01T15:14:53Z