topic Re: rule based on a group not working anymore in Firewall and Security Management

rule based on a group not working anymore

flachance — Mon, 25 Nov 2024 14:58:15 GMT

The management and gateways are R81.20 JHF take 76

We made two rules for application access similar to this

1.access_role_exception to Facebook Allow

2.access_role_blockFB to Facebook Drop

access_role_exceptions contains AD group FB_exception

access_role_blockFB contains AD group Org_group

Everybody is in Org_group and some are also in FB_exception

This worked well as of last Friday. This morning everybody is blocked even if they are in FB_exception.

I can see in the logs that the correct groups are associated with the correct users.

What could cause this? Why won't it match rule 1 anymore?

thanks

Francis

Re: rule based on a group not working anymore

flachance — Mon, 25 Nov 2024 15:06:11 GMT

So in SmartLog I see the correct group in one gateway but not all. In CLI on the gateway that would require the correct info running pep s u q usr username returns User Groups:<Unavailable>. We're using Identity Collector. In the Identity Collector gui everything looks fine

Re: rule based on a group not working anymore

Lesley — Mon, 25 Nov 2024 16:14:15 GMT

If problem is only present on one gateway. I don’t think there is an issue on IDC or AD. Worth running basic health check like hcp maybe some important daemon is crashed like pdp or pep. If it is a cluster maybe do failover and reboot.

Re: rule based on a group not working anymore

flachance — Mon, 25 Nov 2024 18:06:41 GMT

so for one user I tried pdp update specific username and it updated is Identity Roles properly.

I have another one with the issue when I do a pep s u q user username for him I see two entries (two different IPs) the oldest one has the correct Identity Roles but the newest one doesn't.

I also tried pdp update specific username for him but it changed nothing

Re: rule based on a group not working anymore

flachance — Mon, 25 Nov 2024 18:10:14 GMT

I tried pdp update specific machinename for him and it's ok now.

I'm not sure I understand how often this should update on its own.

Re: rule based on a group not working anymore

the_rock — Tue, 26 Nov 2024 01:37:45 GMT

I would try test like this...instead of access role group, use subnet in the rule and see if it works by an IP. If it does, then you know 100% without any doubt its role association thats the issue.

Andy