topic Re: Identity Awarness question in General Topics

Identity Awarness question

RemoteUser — Tue, 24 Jun 2025 14:05:29 GMT

Users are assigned to the access roles, but the IA system is unable to recognize their accounts within the GRP AD groups that have permissions to access the resources.
how can i resolve this. if i do pdp monitor user Jhon123 the output it's empty

Thanks

Re: Identity Awarness question

Chris_Atkinson — Tue, 24 Jun 2025 15:03:11 GMT

Please share additional details about the environment including version/jumbo, adquery or identity collector etc

Have you validated the settings of the account unit, how many are configured ?

Re: Identity Awarness question

RemoteUser — Tue, 24 Jun 2025 15:12:33 GMT

Hi @Chris_Atkinson
R81.20 JHF 53
identity collector.
all criteria should match the AR, the AR is configured to use AD groups

Re: Identity Awarness question

PhoneBoy — Tue, 24 Jun 2025 15:32:17 GMT

We need a lot more information like:

Version/JHF of gateways/management
How you have Identity Awareness set up (what acquisition method(s) are in use)
A diagram of the relevant gateways, identity sources, and how they connect to each other and the Internet

Generally, though, groups come from two places:

The SAML Assertion (when used with Entra ID or other SAML provider)
LDAP queries from the gateway (used with all other identity sources)

For troubleshooting, see https://support.checkpoint.com/results/sk/sk183118

Re: Identity Awarness question

RemoteUser — Tue, 24 Jun 2025 15:36:26 GMT

Hi @PhoneBoy as i said:
user is not known by the PDP Broker, Identity Collector, we performend a restart of the Identity collector service on the server but nothing change .

Re: Identity Awarness question

RemoteUser — Tue, 24 Jun 2025 15:36:47 GMT

the sk doesn't exist

Re: Identity Awarness question

PhoneBoy — Tue, 24 Jun 2025 15:48:33 GMT

Sorry, didn't notice that SK was internal.
In any case, you should start by troubleshooting Identity Collector: https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Clients-AG/Identity-Collector-Debug.htm

Re: Identity Awarness question

RemoteUser — Tue, 24 Jun 2025 15:51:38 GMT

Myabe this one:
https://support.checkpoint.com/results/sk/sk114096

Re: Identity Awarness question

the_rock — Tue, 24 Jun 2025 16:11:36 GMT

If you run pdp update all command, what does it show?

Andy

Re: Identity Awarness question

garrod — Wed, 25 Jun 2025 06:33:11 GMT

Verify the AD Permission as well

https://support.checkpoint.com/results/sk/sk43874

https://support.checkpoint.com/results/sk/sk93938

Re: Identity Awarness question

RemoteUser — Wed, 25 Jun 2025 13:09:38 GMT

it's seemes issue related to domain controller

Re: Identity Awarness question

RemoteUser — Thu, 26 Jun 2025 14:47:43 GMT

pdp update all
output > update operation may take a few minutes

Re: Identity Awarness question

the_rock — Thu, 26 Jun 2025 14:57:34 GMT

So command did work, but not sure if it did much. Does pdp monitor user work for ANY user at all?

Andy

Re: Identity Awarness question

RemoteUser — Thu, 26 Jun 2025 14:59:39 GMT

take for example a user john.
qunado i do the:
pdp m u john
sometimes i get
sometimes i don't
sometimes i get an incorrect ip..

Re: Identity Awarness question

the_rock — Thu, 26 Jun 2025 15:04:38 GMT

What about any other user?

Andy

Re: Identity Awarness question

RemoteUser — Thu, 26 Jun 2025 15:05:59 GMT

it's randomic but same behavior

Re: Identity Awarness question

the_rock — Thu, 26 Jun 2025 15:08:21 GMT

Have you tried cprestart or reboot? Or if its a cluster,a failover?

Andy

Re: Identity Awarness question

RemoteUser — Thu, 26 Jun 2025 15:09:10 GMT

yes no fortune

Re: Identity Awarness question

the_rock — Thu, 26 Jun 2025 15:26:57 GMT

Here is what TAC gave me while ago for IA debugs, maybe give it a go and see if anything useful is there.

Andy

(•)•) Identity awareness debugs
# cd $FWDIR/log
# rm pdpd.elg.*
# echo "=debug_start=" >> $FWDIR/log/pdpd.elg
(•) To turn pdp debug on:
# adlog a d on
# pdp debug on
# pep debug on
# pdp debug set all all
(•) Replicate the issue
(•) To turn them off:
# adlog a d off
# pdp debug unset all all
# pdp debug off
# pep debug off
# pdp d reset
# pep d unset all all
Collect debug:
$FWDIR/log/pdpd.elg
# tar zcvf pdpd_debugs.tgz pdpd.elg*
# tar zcvf pepd_debugs.tgz pepd.elg*