topic Re: Identity Awareness issue - User identified but the rule is not matching in General Topics

Identity Awareness issue - User identified but the rule is not matching

0f41af9d-f27d-4 — Mon, 26 Apr 2021 00:12:37 GMT

Hi All,

I'd ask for help/advise for the issue with Identity awareness.

I have Checkpoint 3600 R80.40 Take 309 managed by SMC 80.40

I've enabled the IA blade and configured settings/rules.

I've created the rule with single user to be permitted Destination/Service - any.

All networks and machines allowed.

While testing I can see the test user successfully identified with AD name but the rule is not matching.

I've recreated the rule - still not working.

Kind regards,

Paul

Re: Identity Awareness issue - User identified but the rule is not matching

the_rock — Mon, 26 Apr 2021 00:21:11 GMT

Hi Paul, would you mind send us the screenshot of the rule and also tell us what other rule is being matched? Is it possible you have a rule above IA rule that could be catching the traffic?

Re: Identity Awareness issue - User identified but the rule is not matching

0f41af9d-f27d-4 — Mon, 26 Apr 2021 00:33:26 GMT

Hi Rock,

Sure.

I'm attaching the pictures with the rules and logs.

I've tested with the rule above IA permitting all the traffic and it works fine. However if I add the role object - it stops working.

Re: Identity Awareness issue - User identified but the rule is not matching

the_rock — Mon, 26 Apr 2021 00:37:19 GMT

Not sure in that case, may need more testing, maybe contact TAC and see if they can do remote session. Personally, I would just make sure user is included in right access role group and maybe do tcpdump and/or fw monitor as well to test traffic.

Also, maybe run some pdp commands to see the state:

adlog a dc

pdp monitor ip x.x.x.x

pdp monitor user xxxxx

Hope that helps.

Re: Identity Awareness issue - User identified but the rule is not matching

0f41af9d-f27d-4 — Mon, 26 Apr 2021 00:53:48 GMT

Thank you for sharing useful commands.

AD queries are working fine.

I've raised a TAC.

Hopefully support can fix it.

Re: Identity Awareness issue - User identified but the rule is not matching

Benedikt_Weissl — Mon, 26 Apr 2021 07:40:22 GMT

Check out the Multi User Host detection:

https://community.checkpoint.com/t5/Security-Gateways/Identity-Awareness-Multi-User-Host/m-p/80173/highlight/true#M11463

Maybe service accounts login cause the source host to be marked as "multi user host", you can check with "pdp muh status"

Re: Identity Awareness issue - User identified but the rule is not matching

Kaspars_Zibarts — Mon, 26 Apr 2021 08:01:54 GMT

It doesn't look like your user has assumed the defined role. You can check from logs by running filter

blade:"Identity Awareness" AND action:"Log In" AND src:x.x.x.x

change x.x.x.x to users IP of course

then you should see what roles are associated with this IP:

Re: Identity Awareness issue - User identified but the rule is not matching

the_rock — Mon, 26 Apr 2021 13:05:49 GMT

Thats actually an EXCELLENT point! I totally forgot about it, but I agree that if thats wrong, the rule would not work.

Re: Identity Awareness issue - User identified but the rule is not matching

0f41af9d-f27d-4 — Mon, 26 Apr 2021 20:26:25 GMT

Thank you for the advice.

That's interesting!

I've found the logs with failed login and error:

"Failed to get users groups for the domain.
Verify that this domain name is configured in your LDAP Account Unit."

Looks like I've chosen the wrong domain.

I'll check the settings an let you know.

Re: Identity Awareness issue - User identified but the rule is not matching

the_rock — Mon, 26 Apr 2021 20:29:15 GMT

Please let us know if you can correct that, I am 99% sure that is the issue. Big thanks to @Kaspars_Zibarts for pointing that out!!

Re: Identity Awareness issue - User identified but the rule is not matching

Tuatara — Sat, 26 Jun 2021 16:48:05 GMT

Hello,

Have you solve this issue, we have the same issue