https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-create-an-alert-when-the-MAC-address/m-p/200698#M4263 <P>Greetings everyone!<BR /><BR />I want to know if it is possible to get a notification when the MAC address associated to an AD user changes. We're dealing with R81.10 with Remote Access.</P><P>&nbsp;</P><P><A href="https://community.checkpoint.com/t5/Management/Identity-awareness-Access-role-based-on-MAC-address/td-p/7725" target="_blank">https://community.checkpoint.com/t5/Management/Identity-awareness-Access-role-based-on-MAC-address/td-p/7725</A></P><P>&nbsp;</P><P>In the conversation above&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;mentions that L2 header gets stripped off by the time the packet reaches the INSPECT engine. However, in the same conversation there is a mention of an RFE for an External Tag. I tried to google about this, but to no avail so far.</P><P>&nbsp;</P><P>I thought about a script that will read pep and pdp logs and make a notification when MAC of a user changes, but it looks like it would be quite resource heavy as our network activity is very high. On the other hand, I'm completely open to using 3rd party resources to gather that kind of information.</P><P>&nbsp;</P><P>Thank you!</P><P>&nbsp;</P> Fri, 15 Dec 2023 08:53:42 GMT kamilazat 2023-12-15T08:53:42Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-create-an-alert-when-the-MAC-address/m-p/200698#M4263 <P>Greetings everyone!<BR /><BR />I want to know if it is possible to get a notification when the MAC address associated to an AD user changes. We're dealing with R81.10 with Remote Access.</P><P>&nbsp;</P><P><A href="https://community.checkpoint.com/t5/Management/Identity-awareness-Access-role-based-on-MAC-address/td-p/7725" target="_blank">https://community.checkpoint.com/t5/Management/Identity-awareness-Access-role-based-on-MAC-address/td-p/7725</A></P><P>&nbsp;</P><P>In the conversation above&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;mentions that L2 header gets stripped off by the time the packet reaches the INSPECT engine. However, in the same conversation there is a mention of an RFE for an External Tag. I tried to google about this, but to no avail so far.</P><P>&nbsp;</P><P>I thought about a script that will read pep and pdp logs and make a notification when MAC of a user changes, but it looks like it would be quite resource heavy as our network activity is very high. On the other hand, I'm completely open to using 3rd party resources to gather that kind of information.</P><P>&nbsp;</P><P>Thank you!</P><P>&nbsp;</P> Fri, 15 Dec 2023 08:53:42 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-create-an-alert-when-the-MAC-address/m-p/200698#M4263 kamilazat 2023-12-15T08:53:42Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-create-an-alert-when-the-MAC-address/m-p/200761#M4264 <P>The feature mentioned in the thread is called Identity Tags:&nbsp;<A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide/Content/Topics-IDAG/Configuring-Identity-Awareness-Using-Identity-Tags-in-Access-Role-Matching.htm" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide/Content/Topics-IDAG/Configuring-Identity-Awareness-Using-Identity-Tags-in-Access-Role-Matching.htm</A><BR />The tags are assigned by Cisco ISE or a SAML provider.</P> <P>In any case, Identity Awareness does not track Layer 2 information, at least not in a way that would be easy to query.<BR />Therefore, you'd have to use an external system (the identity provider itself) to get this information.&nbsp;</P> Fri, 15 Dec 2023 18:30:34 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-create-an-alert-when-the-MAC-address/m-p/200761#M4264 PhoneBoy 2023-12-15T18:30:34Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-create-an-alert-when-the-MAC-address/m-p/200818#M4265 <P>Thank you&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>. It was really helpful clarifying the possibilities within Identity Awareness.</P><P>Though I was reading about SmartEvent and started wondering if it can help me in this context. Apparently it can provide a wide variety of information, but I'm not sure if MAC changes of AD users is within its scope.</P><P>&nbsp;</P><P>Edit: I will, of course, resort to Cisco ISE or a SAML if need be. But,&nbsp;I want to be able to solve this without using any service other than CheckPoint if possible.</P> Sun, 17 Dec 2023 09:56:39 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-create-an-alert-when-the-MAC-address/m-p/200818#M4265 kamilazat 2023-12-17T09:56:39Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-create-an-alert-when-the-MAC-address/m-p/200891#M4266 <P>We don't use MAC addresses in policy decisions, so there's not really a mechanism designed to track this in the product.</P> Mon, 18 Dec 2023 13:35:09 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-create-an-alert-when-the-MAC-address/m-p/200891#M4266 PhoneBoy 2023-12-18T13:35:09Z