topic Re: IA Rule not matching with PDP & PEP on Maestro in Hyperscale Firewall (Maestro)

IA Rule not matching with PDP & PEP on Maestro

CP-NDA — Tue, 24 Jan 2023 11:54:26 GMT

Hi,

We migrated a traditionnal cluster to a Maestro infra last weekend. R81.10 T81

Everything worked as expected but after a while some IA Rule stop matching on one of the member. Identity is acquired via Identity Agent. Users connect to PDP which is the Security Group running in Maestro

In the logs the same trafic is accepter on Member 1_2 but dropped on Member 1_1.

"pdp monitor ip x.x.x.x" returns the correct Roles on both members but rules is not matched. If we change source by IP everything is ok.

I know that Seucurity Group are not the best way to do PDP but in this sutuation we don't have other GW to play taht role. Also it's never metionned that it's not supported (only not recommended in the Maesto limitations SK)

Do you have any idea of what could be the cause ? Any similar problem on your side ?

TAC is already involved but has not provided relevant info right now.

Thank you

Re: IA Rule not matching with PDP & PEP on Maestro

Timothy_Hall — Tue, 24 Jan 2023 12:41:33 GMT

I believe the need for a separate gateway to perform IA functions for a Maestro Security Group is a consequence of the Single Management Object (SMO) approach to management, and I don't see how you will able to work around that. I also assume you are familiar with sk175587: Identity Based Access Control and Threat Prevention - Design Guidelines - Quantum Maestro.

Re: IA Rule not matching with PDP & PEP on Maestro

CP-NDA — Tue, 24 Jan 2023 12:43:44 GMT

Hi,

Thank you for the reply

Yes we are familiar with this SK

Unfortunately we don't have the option to do PDP outside SG... If it's a clear limitation I wondering why it's not clearly mentionned that we should not implement this. Also this should be reported in Maestro limitations SK don't you think ?

Thank you

Re: IA Rule not matching with PDP & PEP on Maestro

CP-NDA — Tue, 24 Jan 2023 12:53:28 GMT

Support suggested to use this exception for IA trafic

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Maestro_AdminGuide/Topics-Maestro-AG/Forwarding-specific-inbound-connections-to-SMO.htm?Highlight=Forwarding%20specific%20inbound%20connections%20to%20the%20SMO%20Security%20Group%20Member

Re: IA Rule not matching with PDP & PEP on Maestro

Timothy_Hall — Tue, 24 Jan 2023 13:34:24 GMT

Right to keep the distribution algorithm from messing with the IA traffic and ensuring symmetry by always sending it to the SMO, makes sense.

Re: IA Rule not matching with PDP & PEP on Maestro

CP-NDA — Tue, 24 Jan 2023 14:14:38 GMT

Seems to be a good idea but I don't know if trafic for IA is considered as a local connection

You can configure the Security Group

to forward specific inbound connections to the SMO Security Group Member.

Important:

This command supports only IPv4 connections.
This command does not support local connections.
In VSX mode, you must run this command in the context of the applicable Virtual System.
This command supports a maximum of 15 exceptions
(in VSX mode, this limit is global for all Virtual Systems).
These exceptions are saved in the $FWDIR/tmp/tmp_exception_entries.txt file (IPv4 addresses are converted to a special format).

Re: IA Rule not matching with PDP & PEP on Maestro

Machine_Head — Wed, 25 Jan 2023 10:01:21 GMT

just out of curiosity could you elaborate on what seems to be the issue here?
For my understanding..

if you do pep show user all you see the relevant user in both modules?

Is it not marked down as service account by any chance?

Re: IA Rule not matching with PDP & PEP on Maestro

CP-NDA — Tue, 31 Jan 2023 16:01:24 GMT

Please see the solution found with R&D

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180561

Re: IA Rule not matching with PDP & PEP on Maestro

Machine_Head — Tue, 31 Jan 2023 16:07:30 GMT

Very interesting. And well written sk.

Thanks