Tony_Graham
Advisor

Massive logging for user

Tomer,

I am seeing a massive number of logs being generated for one of my users. It shows as Login>Logout>Logout>Login>Login>Update>Lather Rinse Repeat. This is happening EVERY SECOND!!

It has to be generating a lot of activity for your cloud service.

0 Kudos
19 Replies
the_rock
Legend

Can you attach the screenshot? I always work with 2 customers who use mgmt cloud server and I have never seen this problem.

Andy

0 Kudos
Tony_Graham
Advisor

See attached. Even more odd is that his active status is Disconnected most of the time.

Username redacted.

0 Kudos
the_rock
Legend

Wait a second...is this regarding specifically Identity Awareness?? The reason I ask is because I don't see it from Smart-1 Cloud instance, but Harmony Connect...I don't have that instance running for any customer, so can't say for sure.

0 Kudos
Tony_Graham
Advisor

What I am seeing is in the logs and events viewer of the beta. Just absolutely flooded with these entries.

I haven't done anything special. I do note that at this time it has stopped so I assume the user powered down for the day. **Confirmed user shut down laptop. Logging is looking more normal now. I assume when he powers on tomorrow the flood will begin again.

0 Kudos
the_rock
Legend

What identity source is this user using? Identity agent, regular AD query??

0 Kudos
Tony_Graham
Advisor

There is no AD involved. All I have done is create my beta account and send 3 users invites to install agents on 3 machines.

So I have exactly 3 accounts enrolled in the beta.

1 user laptop seems to be having an issue where it just floods the system with these login/logout/update requests all day.

0 Kudos
PhoneBoy
Admin

Just to let @the_rock know, the Identity Awareness integration in Harmony Connect is different from what's supported on a traditional gateway.
It supports SAML providers (Azure AD, Okta, etc) directly and doesn't use the methods supported on a regular Check Point gateway.
Have you configured an Identity Provider at all?

Tony_Graham
Advisor

Not that I am aware of. I just checked and I never activated it.

No idea why it started flooding me with Identity awareness logs.

Like I said, when the guy shut his laptop down, it stopped.

0 Kudos
PhoneBoy
Admin

Have the user Collect Logs off the laptop (it's a button in the Harmony Connect app) and send them to @Tomer_Sole.
He'll probably contact you out-of-band tomorrow morning.

0 Kudos
Tony_Graham
Advisor

Will do.

0 Kudos
the_rock
Legend

Sorry brother, I figured it was something else, but was not sure...too many products :))

0 Kudos
PhoneBoy
Admin

Trust me, I know 🙂

0 Kudos
Tony_Graham
Advisor

No apologies required! Have a pint my friend. It's St. Patty's Day!

PhoneBoy
Admin

Paging @Tomer_Sole 

0 Kudos
Tomer_Sole
Mentor

Indeed, if this is for a single end user, this should not happen; this many logs at the portal do not give much value to the admin who sees them. And it could indicate a potential problem with the Harmony Connect App that runs on that single endpoint.

If this is for many end users connecting to the Internet at the same time then it's probably less of an issue, and you can use filters or start from the Access Control or Cyber-Attack View overview pages to drill down to the needed events.

Either way let's work this out as a support ticket. Check Point Support handles trials for cloud products as well. Harmony Connect for Users is in public beta but already supported by TAC. See exact steps for submitting support tickets for Harmony Connect at https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Tony_Graham
Advisor

I will first work on replicating the issue and see if I can pinpoint the cause.

As there are frequent updates to the Harmony Connect app it could be something that has already been resolved in an update. I will start by asking the end user to update Harmony Connect to the latest version.

0 Kudos
PhoneBoy
Admin

The client generally should auto-update. 
If that's not happening, that's a different problem 🙂

0 Kudos
Tony_Graham
Advisor

Well, I have not seen it auto update on my system. I tend to open the app once in a while to see if anything has changed and it has stated 'version update available' or something along those lines a couple of times now. I clicked on it to update Connect. Maybe I am just catching it before it auto installs, I don't know.

0 Kudos
Tomer_Sole
Mentor

In general we are monitoring end users that are active and contain an old version and contact the administrator of their account. The automatic updates happen behind the scenes. So if you weren't contacted, you should be fine.

0 Kudos