topic Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list in Firewall and Security Management

Activating Identity Awareness R80 gateway with Active Directory can obtain user list

Antonio_Rodrigu — Fri, 23 Nov 2018 15:18:03 GMT

Hi, im trying to activate my identity Awareness blade on R80 gateway, in the wizard the connection with my AD result ok, but when Im trying to create a Access Role requesting a list of users of the domain controller, it doesn't work.

When I use the test_ad_connectivity -x itsvsa.com.ve -o my_test2.txt -s -w command on expert mode, I can see these results:

[Expert@gwr801:0]# cat my_test2.txt
(
        :status (SUCCESS_WMI)
        :err_msg ("ADLOG_SUCCESS;LDAP_OPERATIONS_ERROR")
        :ldap_status (LDAP_OPERATIONS_ERROR)
        :wmi_status (ADLOG_SUCCESS)
        :timestamp ("Fri Nov 23 10:37:19 2018")

Using another diagnostic commands, the output shows connection with the active directory, in fact I can observe data for machines on =the domain an users of certainf OUs. but in the Securty Management I can not obtaing the user list, to create access roles based rules.

other ouptputs:

[Expert@gwr801:0]# adlog a dc
Domain controllers:
Domain Name IP Address Events (last hour) Connection state
============================================================================================================
itsvsa.com.ve 10.16.13.50 167 has connection

Ignored domain controllers on this gateway:
No ignored domain controllers found.

[Expert@gwr801:0]# adlog a q a
ip: 10.16.13.4 --> Users: Ernesto Cabello (ernesto.cabello@itsvsa.com.ve); fortilab (fortilab@itsvsa.com.ve);
ip: 10.16.13.50 --> Machines: amazonas@itsvsa.com.ve;
ip: 10.16.13.51 --> Machines: caroni@itsvsa.com.ve;
ip: 10.16.13.52 --> Machines: neveri@itsvsa.com.ve;
ip: 10.16.13.56 --> Machines: veeam@itsvsa.com.ve;
ip: 10.16.13.70 --> Users: Gabriel Salcedo (gabriel.salcedo@itsvsa.com.ve); --> Machines: cesar-pc@itsvsa.com.ve;
ip: 10.16.13.73 --> Users: Angel Garcia (angel.garcia@itsvsa.com.ve); --> Machines: desktop-3h34386@itsvsa.com.ve;
ip: 10.16.13.101 --> Users: Antonio Rodriguez (antonio.rodriguez@itsvsa.com.ve); --> Machines: arodriguez@itsvsa.com.ve;
ip: 10.16.13.127 --> Users: Javier Orejarena (javier.orejarena@itsvsa.com.ve); --> Machines: ccert@itsvsa.com.ve;
ip: 10.16.13.182 --> Users: Angelica Rangel (angelica.rangel@itsvsa.com.ve); --> Machines: raranguren@itsvsa.com.ve;
ip: 10.16.13.185 --> Users: Arquimedes Gardie (arquimedes.gardie@itsvsa.com.ve);
ip: 10.16.13.201 --> Users: Ludexi Ortega (ludexi.ortega@itsvsa.com.ve); --> Machines: ortegal@itsvsa.com.ve;
ip: 10.16.13.214 --> Users: Yeritson Pernia (yeritson.pernia@itsvsa.com.ve); --> Machines: vmartinez@itsvsa.com.ve;
ip: 10.16.13.222 --> Users: Janeth Laguado (janeth.laguado@itsvsa.com.ve); --> Machines: jlaguadorrhh@itsvsa.com.ve;
ip: 192.168.200.50 --> Machines: amazonas@itsvsa.com.ve;
ip: 192.168.200.51 --> Machines: caroni@itsvsa.com.ve;

I can see detailed information of the domain via shell, but not on the Security management,

thanks for anyone help me.

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

Gaurav_Pandya — Fri, 23 Nov 2018 16:58:09 GMT

Hi Antonio,

Please make sure that your PC in which you are opening smart console should be also in same domain.

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

PhoneBoy — Fri, 23 Nov 2018 18:16:52 GMT

First, there is no such gateway version R80: you are either using R80.10 or R80.20.

That said for this question it's not terribly relevant.

One relevant question: are you using Identity Collector or ADQuery?

Your gateway shows the users it has been told about by the AD server.

A seperate LDAP lookup must be performed on each user (and management) to get the groups associated with each user.

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

JozkoMrkvicka — Sat, 24 Nov 2018 17:44:14 GMT

You need to allow your workstation IP address to be allowed somewhere (LDAP). SmartConsole is using your internal IP of desktop.

CLI of mamagement is using IP of management server.

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

Maarten_Sjouw — Sat, 24 Nov 2018 23:05:55 GMT

The SmartConsole machine is not connecting to the AD server anymore in R80+, only the management server and the gateway are doing this now.

In a Multi-domain environment the MDS and Domain server are both making connections (at least they were in R80.10, I need to see about this in R80.20).

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

Antonio_Rodrigu — Sun, 25 Nov 2018 00:16:34 GMT

thanks for your support, really, we solve the issue, activating the IP forwarding on my PC, to give connection from the SC to the AD. However, when I run the test, right now the SC list the user for me, to add access control rules, but the test_connection script still sayng the same message, LDAP OPERATIONS ERROR

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

Antonio_Rodrigu — Sun, 25 Nov 2018 00:23:28 GMT

thank you Dameon, in fact, R80.10 its the release what I was working on. I activate the ip forwargind on my PC host for the lab and try again, and obtain successful results, listing the users, machines and othe info from the domain controller. But I still seeing the error message LDAP_OPERATIONS_ERROR

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

Antonio_Rodrigu — Sun, 25 Nov 2018 00:27:56 GMT

the error message, is obtained when I run the script $FWDIR/bin/test_ad_connectivity on the gateway, and when I do the same on the SC, obtain a general error.

Right now, I can go ahead with my lab environment, we can build rules on the Url Filter Layer based on Identity captured from the AD. When I procced to the production deployment I probably need checkpoint support if the behavior persist on the real configuration.

thanks to all

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

PhoneBoy — Sun, 25 Nov 2018 03:15:41 GMT

Check $FWDIR/log/test_ad_connectivity.elg to see if you can see more details.

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

Alexei_Subbotsk — Fri, 08 Mar 2019 21:36:59 GMT

This is probably because the -w option "Specifies that only the WMI connectivity test (no LDAP) should be performed". LDAP worked for me without this option or with -l

test_ad_connectivity -x itsvsa.com.ve -o my_test2.txt -s -l