topic Re: Identity Collector and CrowdStrike in Firewall and Security Management

Identity Collector and CrowdStrike

SteveW — Fri, 14 Apr 2023 08:23:28 GMT

Hi CheckMates

Is anyone having issue with Identity Collectors when CrowdStrike is running on the domain controllers?

I'm running Identity Collectors on two dedicated servers (so not directly on the domain controllers) but since CrowdStrike has been installed on the domain controllers the id collectors stop receiving events from the DCs at least once per day. The Status Description for each DC remains 'connected' but the events stop incrementing. Restarting the Id Collector service on the Collectors kick-starts the process and they start receiving AD events again.

CrowdStrike technical support have reported that this is a known issue because it interrupts the Identity Collector's connection to AD and no RST packet is sent by the domain controller to reset the tcp session.

One suggested workaround is to configure Task Scheduler on the Collectors to periodically restart the service (say, every 6 hours) but this is not ideal.

Is Check Point R&D aware of the problem (hi, Royi Priov) and is there a better solution to keep the Id Collectors running?

Thanks,

Steve

Re: Identity Collector and CrowdStrike

the_rock — Sat, 15 Apr 2023 02:03:39 GMT

I had someone tell me they had CP case open for this, but no resolution was given. I can ask them what happened with it and report back.

Re: Identity Collector and CrowdStrike

Chris_Atkinson — Fri, 14 Apr 2023 13:57:13 GMT

Was any context provided for why the communication is interrupted?

@Royi_Priov

Re: Identity Collector and CrowdStrike

Royi_Priov — Mon, 17 Apr 2023 06:59:45 GMT

Hi,

Thanks for tagging me.

Yes, there is a known issue, where crowdstrike is closing IDC connection to DC.

It was addressed in bug ID IDA-5232 from our side.

It will be added to the next GA of IDC, but as for now please use the fix from IDA-5232.

Re: Identity Collector and CrowdStrike

SteveW — Mon, 17 Apr 2023 10:20:44 GMT

Hi Royi,

Thanks for the update, I will try the bug fix.

Kind regards

Steve

Re: Identity Collector and CrowdStrike

r1der — Fri, 19 May 2023 22:07:46 GMT

Did that fix your issue? I was going to say we aren't having any problems with it, but CrowdStrike was not installed on the server I have Identity Collector running on. It is installed on the DC however. I also have one other server where both are installed and running fine.

Has this been fixed in Identity Collector version R81.040? Where do I get IDA-5232?
I can't seem to find that, if I end up running into issues after installing CS on another server.

Re: Identity Collector and CrowdStrike

Chris_Atkinson — Sat, 20 May 2023 02:51:33 GMT

Next release of IDC is not yet available, contact TAC in the interim.

Re: Identity Collector and CrowdStrike

SteveW — Mon, 22 May 2023 15:22:58 GMT

Hi r1der,

My Identity Collectors run on two servers that are separate from my DCs. It's possible that you are not seeing the problem because your Identity Collectors are running on your DCs.
The workaround I used was to set up a task in Windows Task Scheduler on the Identity Collectors that restarts the CP Id Collector service every 6 hours regardless of whether or not it has failed. And the restart schedule is offset by 6 hours between the two Collectors so they do not both restart the service at the same time.

This workaround has been successful so far so I'll keep using it until the fix is rolled into the GA updates.

You might be able to use something similar if you have multiple ID Collectors for resilience.

Re: Identity Collector and CrowdStrike

the_rock — Mon, 22 May 2023 17:25:37 GMT

Thanks for sharing that @SteveW 👍

Re: Identity Collector and CrowdStrike

r1der — Wed, 31 May 2023 20:55:35 GMT

Thanks for the update! Good to know the service and that you can just restart it to get it running again.

Re: Identity Collector and CrowdStrike

Maurice_Conway — Mon, 19 Jun 2023 18:12:02 GMT

Hi Royi,

Was it ever determined what on Crowdstrike was closing the connection?

Thanks,

Maurice