topic Re: problem with the operation of the user identification function in Checkpoint by domain accounts in Firewall and Security Management

problem with the operation of the user identification function in Checkpoint by domain accounts

Arturxr — Wed, 23 Nov 2022 09:54:12 GMT

We have rules for providing basic Internet access:
1. Through a group in the active directory (access role)
2. Through a group with ip addresses (network group)
In the access role, under the tab users there is a group AD <group> with more than 2000 users but normally only 300 users come through.
When checking the problem user in PDP, the output of the command shows that:
1. "Groups: All Users" (This user is a member of an AD group)
2. "Roles: -" (Access Role not defined)

Therefore the given user does not fall under our rule. At the same time the given user is a member of the AD group.
Conclusion: The traffic doesn't reach the target rule (with active directory), but it goes through other rules (not with active directory), because CheckPoint cannot correctly identify the AD group the user is in.
We tried sk106964.
We tried rules with access role raised above allowing rules by ip
These solutions did not solve our problems.
Also, we have rules where some users are given internet by active directory, the rules work but after some time internet access is lost, traffic stops going by the rule.
We have main domain and subdomains, users from subdomains are also present in the main domain
Please advise, have you faced such problems and were you able to solve them?

Re: problem with the operation of the user identification function in Checkpoint by domain accounts

Lesley — Wed, 23 Nov 2022 10:03:15 GMT

Hello,

Do you use ADquery as source or IDC collectors? Also the rule with a access role, does the rule not work at all or only for a limited amount of users? Did the rule ever worked before? How are the settings for the LDAP account unit? Everything looks correct over there? Are you able to fetch branches?

If you use ADquery I would recommend to use IDC collectors. This is the way to go now.

Re: problem with the operation of the user identification function in Checkpoint by domain accounts

Arturxr — Wed, 23 Nov 2022 10:46:16 GMT

1. We use IDC as source
2. Some rules work for a limited number of users, some do not work at all, did not work correctly before
3. Tell me, what settings should we check?

Re: problem with the operation of the user identification function in Checkpoint by domain accounts

_Val_ — Wed, 23 Nov 2022 11:37:04 GMT

Please open a TAC request

Re: problem with the operation of the user identification function in Checkpoint by domain accounts

Lesley — Wed, 23 Nov 2022 11:53:16 GMT

3: Under LDAP account unit: check if the domain is correct. Try to fetch the branches from all DC's. If LDAPS is used, try to fetch fingerprint and see if they changed.

Also what is the output of: pdp idc groups_update status on the gateways?

Re: problem with the operation of the user identification function in Checkpoint by domain accounts

Arturxr — Wed, 23 Nov 2022 12:56:19 GMT

Checked that the domain is correct - everything is set up correctly
Tried to get branches from all dc
pdp idc groups_update status was disabled, turned it on, then checked with a command:
pep show user query usr <user>
The problem was not solved.

Re: problem with the operation of the user identification function in Checkpoint by domain accounts

Arturxr — Wed, 23 Nov 2022 12:57:07 GMT

We have opened a case in the TAC, but we still have not been offered any solution for a long time