topic Re: PEP not enforcing all roles in General Topics

PEP not enforcing all roles

KM1895 — Tue, 18 Apr 2023 07:41:35 GMT

hi,

We are currently experiencing issues with Identity Awareness. PEP gateways arent enforcing access roles for all users. This seems to be affecting various amounts of users, and a workaround has been to restart the pep daemon, which is not a proper fix.

The setup is pretty standard, with 3 pdp gateways feeding identities to some pep gateways. This has been working quite well, but last week, we noticed an increase in users losing access to resourcec, where the rules are based on access roles.

Identity source is identity collector, and service accounts are excluded. Identity collectors appear to be working fine, and i see plenty of events being registered, same with users and machines.

Not sure if there are problems with cache, time to live or other of the settings? What would be the potential risk of changing any of these values, and if so, are there any recommendation on what to set?

We are running r81.10, t66

Re: PEP not enforcing all roles

Vincent_Bacher — Tue, 18 Apr 2023 08:51:58 GMT

Hi,

did you check for problematic users if the session is visible at the pep using pep s u q usr <loginname> ?
If yes, are the roles listed? If not, do you see any role calculation issues maybe with AD controllers?

br

Re: PEP not enforcing all roles

KM1895 — Tue, 18 Apr 2023 09:37:06 GMT

hi,

I havent checked, but i think someone else checked this earlier. We are suspecting full pdp and pep kernel tables, as the gateways are still on the default 30.000. The main pdp currently has 42k identified users and machines. so we will probably try to expand these, and clear the tables.

Re: PEP not enforcing all roles

Vincent_Bacher — Tue, 18 Apr 2023 13:00:55 GMT

Yes, i would then as well recommend extending the tables, we have this issue as well whenever we forget to set the table sizes accordingly when deploying new devices using ia.

Re: PEP not enforcing all roles

the_rock — Tue, 18 Apr 2023 14:50:25 GMT

I attached debug TAC gave me while ago for pdp/pep debugs, so might be worth doing those (well, just pep in your case)

Andy

Re: PEP not enforcing all roles

Vincent_Bacher — Tue, 18 Apr 2023 14:51:15 GMT

Just in case what i am usually setting:

Ia_max_authenticated_users	200000
Ia_max_enforced_identities	200000

Re: PEP not enforcing all roles

Vincent_Bacher — Tue, 18 Apr 2023 14:56:13 GMT

In addition because of possible very high amount of logs, i increase log size and number of rotated elg before starting debug and resetting same afterwards

before:

fw debug fwd off PDP_LOG_SIZE=50000000 fw debug fwd off PDP_NUM_LOGS=20 fw debug fwd off PEP_LOG_SIZE=50000000 fw debug fwd off PEP_NUM_LOGS=20 fw kill pdpd fw kill pepd

after

fw debug fwd off PDP_LOG_SIZE=10000000 fw debug fwd off PDP_NUM_LOGS=10 fw debug fwd off PEP_LOG_SIZE=10000000 fw debug fwd off PEP_NUM_LOGS=10 fw kill pdpd fw kill pepd