topic Re: Idenity Awareness on VSX Virtual System environment in Firewall and Security Management

Idenity Awareness on VSX Virtual System environment

Security_Consul — Tue, 14 Apr 2020 18:24:01 GMT

I enable Idenity Awareness on VSX Virtual System( Test2 ) under VSX Gateway, I connected with my LDAP Server without Wizard When use ID Wizard config I got error "SmartDashboard could not connected Server" So i config manual connect LDAP Server that can Query User Database from LDAP Server when i create Access Role user list appeared. Problem is when I Testing with account under Access Roles specific user/group to any dest any service the Policy rule is't any Hit count.

I dont any config on VSX Gateway without DNS,MGT IP

Q1: Why Idenity Awareness Wizard show "SmartDashboard could not connected Server" I prefer to use Wizard not manual config
Q2: Why Access Roles not have any hit count?

Q3: How to config Idenity Awareness on VSX Virtual System?

I Diagram

Re: Idenity Awareness on VSX Virtual System environment

Maarten_Sjouw — Tue, 14 Apr 2020 21:16:00 GMT

First of all it helps if you mention the version you are working with.
Second point is that you need to know is that the way the connections are setup differs per version.

R77.xx during setup the connection is made between the Windows machine, running SmartDashboard, to the AD server
- Once active the Gateway and the AD server run the actual connection for checking group memberships and also AD server to gateway for login entries to tie the user to an IP.
R80.10 and up, the initial connection is setup from the SMS to the AD server (Since last month MS only accepts LDAPS connections!!!) For changing things in SmartConsole (adding roles) the management server directly connects to the AD server
R80.20 and up allow the gateway to act as a proxy for the connection between Management server and AD server

Also keep in mind that the gateway by default will try to login by means of NTLM v1, use 'adlogconfig a' to change this behavior to NTLM v2 (don't forget to push policy directly after changing the setting to take effect!!)

In a VSX environment the VS will have it's own connection to the AD server, this is not done by the VSX gateway/cluster, like some other things are done on that level. This way each VS can be used in it's own environment with it's own AD server.

Re: Idenity Awareness on VSX Virtual System environment

Security_Consul — Wed, 15 Apr 2020 04:45:11 GMT

Hi Maarten

Thank for reply

I running GAIA R80.30 with 3.10 kernal.

About LDAPS you meaning every since last month Microsoft AD Server integrate with Checkpoint version above 8.10 have to enable LDAPS? I test offline LAB its have enable SSL or not if have to enable (Smartdashboard > LDAP Account unit > Servers tab > AD Server > Encryption > Enable Use SSL > OK) Right?

I actually test enable LDAPS my Access Roles can not Query AD User when i disable that can Query

Next about Proxy as i understood if connection between SMS - AD Server is not same environment (Same Network) should use Proxy selected VS that can routed to AD Server? (Smartdashboard > LDAP Account unit > Object Management tab > Management Server Needs proxy to reach AD Server > Select VS > OK) Right?

Could you tell me why smartdashboard show error when connect with AD Server

Re: Idenity Awareness on VSX Virtual System environment

Maarten_Sjouw — Wed, 15 Apr 2020 07:36:57 GMT

The latest update from MS has been set to enforce LDAPS, so when that was installed you should not be able anymore to connect without LDAPS.
(SmartConsole > LDAP Account unit > Servers tab > AD Server > Encryption > Enable Use SSL > OK) Right!!

Proxy is only needed when the management server is NOT able to connect directly to the AD server, in your case check the logs of your Palo fro drops between SMS and ad server, AD server and gateway and gateway to AD..

Re: Idenity Awareness on VSX Virtual System environment

Security_Consul — Wed, 15 Apr 2020 12:50:52 GMT

Palo side is any allow all same as Checkpoint

Admin PC running Smartdashboard have to communicate with AD Server?

Re: Idenity Awareness on VSX Virtual System environment

Security_Consul — Wed, 15 Apr 2020 17:53:21 GMT

Admin PC run Smartdashboard have to connect AD Server. AdminPC connecting to VS0 that can route to AD Server that why i successfully connected then VS0 share to VS1 by (Virtual System object - Properties - Other - Legacy Authentication - section Authentication Servers Accessibility (including LDAP) - select "Shared". VS1 also success connected.

Seem like bug or cache when i disable idenity awareness on VS0 and VS1 and I enable idenity awareness again on only VS1 its still successfully connected. first time i tested VS1 can not connect before.

Re: Idenity Awareness on VSX Virtual System environment

Maarten_Sjouw — Wed, 15 Apr 2020 22:18:54 GMT

The Authentication part is ca completely different thing from Identity awareness.
The reason you probably need the access from your client to the AD server during setup, is that the managemnt server still needs everything added and setup, the Wizard is just collecting all information to put into the database when done.