Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
chuka
Explorer

Identity Awareness Issues after resetting AD service account

Hello All,

 

I am running an environment with R80.10 and AD Query enabled for my gateways. All have been well till we had to perform a yearly password rotation for service accounts.

After the service account change, rules based on ID management and Mobile access authentication via AD stopped working.

I have updated the LDAP Account object with the new passwords, yet the issue still persist.

 

Output of adlog a DC show the gateways are connected to the DC's. Output of the Test_ad_Connectivity tool returns a success status.

 

At this point don't know what else to check, any ideas on how to resolve.

 

regards.

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin

Have you opened a TAC case by chance?
Possible @Royi_Priov has a suggestion.

0 Kudos
chuka
Explorer

Hi PhoneBoy,

 

Thanks for the response, I have logged a request with a checkpoint patner, who are our first level support, they insist the permissions on the account have changed, which is not the case.

To isolate the account permissions possibility, i have setup an identity collector, however the gateways are not identifying users.

 

regards.

0 Kudos
Timothy_Hall
Champion
Champion

Sounds like something is stuck in pdpd.  Anything interesting getting logged into $FWDIR/log/pdpd.elg?  As a last resort try killing it with "fw kill pdpd" and letting cpwd automatically restart pdpd within 60 seconds.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
chuka
Explorer

Hi Tim,

Thanks for having a look, the only noticeable thing in pdpd.elg is that their are no user associations coming in. I have killed the process and restarted the gateway, stuck at same.

I have also deployed an IDC, issue still same, a snippet of pdpd.elg is shown below.

Anymore thoughts is welcomed.

 

 

 

[25936 4106254096]@fw-xxxx-[16 Jun 1:19:49] [TRACKER]: #3478674 -> OUTGOING -> IDENTITY_REVOKE -> to pep: 127.0.0.1 (ipv4); (ipv6), RevokeInformation dump:
Unique ID : cbdd72e9
Remove existing connections : no

[25936 4106254096]@fw-xxx[16 Jun 1:19:49] [TRACKER]: #3478675 -> OUTGOING -> IDENTITY_REVOKE -> to pep: 127.0.0.1 (ipv4); (ipv6), RevokeInformation dump:
Unique ID : a5f1ee1c
Remove existing connections : no

[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478676 -> INCOMING -> AGENT_REQUEST -> ip: , type: IDCLogEvent
[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478677 -> OUTGOING -> AGENT_RESPONSE -> ip: , type: IDCLogEvent, result: OK
[25936 4106254096]@fw-fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478678 -> INCOMING -> AGENT_REQUEST -> ip: , type: IDCEvent
[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478679 -> INCOMING -> IDCOLLECTOR_ASSOCIATION -> Ip: x.x.x.x; User: ; User Groups: ; User Roles: ; Machine: bitlocker02v; Machine Groups: ; Machine Roles: ; Domain: xxxx.com; Source Type: AD; TTL: 43200; IDC IP: x.x.x.x


0 Kudos
Royi_Priov
Employee
Employee

Hi @chuka ,

[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478679 -> INCOMING -> IDCOLLECTOR_ASSOCIATION -> Ip: x.x.x.x; User: ; User Groups: ; User Roles: ; Machine: bitlocker02v; Machine Groups: ; Machine Roles: ; Domain: xxxx.com; Source Type: AD; TTL: 43200; IDC IP: x.x.x.x

 

This log means that IDC published an association to PDP for bitlocker02v machine in the specified domain.

The rest of Identity Awareness chain is:

  1. send LDAP request to receive the identity groups. 
  2. match the identity (user/machine) + LDAP groups with Check Point access roles.
  3. publish this identity to all relevant PEP gateways.

 

I do recommend addressing this with TAC, as it seems to be something in the configuration which needs to be tuned.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events