https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-Query-in-Remote-Access-connection/m-p/114459#M8938 <P>We migrate from R80.30 to R80.40. In R80.30 Remote Access uses AD Query information, now the information is not processed.</P><P>The AD Query is working fine for the other contexts, but it's not applied to VPN connection.</P><P>In PDPd and PEPd&nbsp;logs I can see the AD connection for the machine in the VPN, but I think it's not processed by the identity Awareness.</P><P class="lia-indent-padding-left-30px"><EM>[25387 4059584320]@CPFW01[24 Mar 9:15:20] [TRACKER]: #40148 -&gt; INCOMING -&gt; ADQUERY_ASSOCIATION -&gt; </EM><BR /><EM>Association</EM><BR /><EM>ip: 10.18.172.35</EM><BR /><EM>user: </EM><BR /><EM>machine: d580-55931</EM><BR /><EM>domain: interno.trt18.jus.br</EM><BR /><EM>reason: 0</EM></P><P>In the PDPd log I found this:</P><P class="lia-indent-padding-left-30px">[25387 4059584320]@CPFW01[24 Mar 9:15:20] [SESSION_UTILS (TD::Events)] pdp::PDPSessionConciliation::shouldOverrideSuperSessionByPriority: existing super session 6bd521f4 office mode IP score (1) &gt; new association office mode IP score (0) - reject new association</P><P><BR />Is there a way for identity awareness to use AD Query Data in Remote Access connection?&nbsp;</P><P>Thanks in advance!</P> Wed, 24 Mar 2021 13:14:28 GMT saulosouza 2021-03-24T13:14:28Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-Query-in-Remote-Access-connection/m-p/114459#M8938 <P>We migrate from R80.30 to R80.40. In R80.30 Remote Access uses AD Query information, now the information is not processed.</P><P>The AD Query is working fine for the other contexts, but it's not applied to VPN connection.</P><P>In PDPd and PEPd&nbsp;logs I can see the AD connection for the machine in the VPN, but I think it's not processed by the identity Awareness.</P><P class="lia-indent-padding-left-30px"><EM>[25387 4059584320]@CPFW01[24 Mar 9:15:20] [TRACKER]: #40148 -&gt; INCOMING -&gt; ADQUERY_ASSOCIATION -&gt; </EM><BR /><EM>Association</EM><BR /><EM>ip: 10.18.172.35</EM><BR /><EM>user: </EM><BR /><EM>machine: d580-55931</EM><BR /><EM>domain: interno.trt18.jus.br</EM><BR /><EM>reason: 0</EM></P><P>In the PDPd log I found this:</P><P class="lia-indent-padding-left-30px">[25387 4059584320]@CPFW01[24 Mar 9:15:20] [SESSION_UTILS (TD::Events)] pdp::PDPSessionConciliation::shouldOverrideSuperSessionByPriority: existing super session 6bd521f4 office mode IP score (1) &gt; new association office mode IP score (0) - reject new association</P><P><BR />Is there a way for identity awareness to use AD Query Data in Remote Access connection?&nbsp;</P><P>Thanks in advance!</P> Wed, 24 Mar 2021 13:14:28 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-Query-in-Remote-Access-connection/m-p/114459#M8938 saulosouza 2021-03-24T13:14:28Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-Query-in-Remote-Access-connection/m-p/114483#M8939 <P>Remote Access clients don't require AD Query because we're authenticating the user directly.<BR />However, it needs to be enabled as an identity source on the gateway object (it's not by default).</P> Wed, 24 Mar 2021 16:18:10 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-Query-in-Remote-Access-connection/m-p/114483#M8939 PhoneBoy 2021-03-24T16:18:10Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-Query-in-Remote-Access-connection/m-p/114484#M8940 <P>Thank you, I have already enabled Remote access as a source. The login is fine, what I want is the information of AD query, when is available.&nbsp;</P> Wed, 24 Mar 2021 16:27:00 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-Query-in-Remote-Access-connection/m-p/114484#M8940 saulosouza 2021-03-24T16:27:00Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-Query-in-Remote-Access-connection/m-p/114663#M8941 <P>What’s happening is explained here:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk146835&amp;partition=Basic&amp;product=Identity" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk146835&amp;partition=Basic&amp;product=Identity</A></P> <P>Specifically “<SPAN>Some identity sources such as Identity Agent, Terminal Server, Captive Portal, and Remote Access VPN </SPAN><STRONG>cannot be appended</STRONG><SPAN> to others. In these cases, the conciliation decision is only </SPAN><STRONG>override</STRONG><SPAN> or </SPAN><STRONG>reject</STRONG><SPAN>.”<BR />Note this is new behavior as of R80.40.<BR />Not 100% sure you can change this, a TAC case will be required.</SPAN></P> Thu, 25 Mar 2021 21:49:39 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-Query-in-Remote-Access-connection/m-p/114663#M8941 PhoneBoy 2021-03-25T21:49:39Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-Query-in-Remote-Access-connection/m-p/225876#M8942 <P>Hi PhoneBoy,</P> <P>&nbsp;</P> <P>Old post but I am in a similar situation. Then do you mean that Remote Access clients authenticate directly against the AD and not through AD Query which uses WMI to look into&nbsp;<SPAN class="mc-variable Vars_Other.tp_active_directory variable">Active Directory</SPAN><SPAN>&nbsp;Security Event Logs?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards,</SPAN></P> <P><SPAN>Julián</SPAN></P> Fri, 06 Sep 2024 12:23:46 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-Query-in-Remote-Access-connection/m-p/225876#M8942 fjulianom 2024-09-06T12:23:46Z