This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AkiYa
Collaborator
‎2024-03-14 03:19 AM

Identity Collector - pdp empty

Hi all,

I have a strange issue with Identity Collector where the users/ip are not actually collected by the gateway.

The IDC is correctly configured and working, all the gateways are directly connected to this IDC which is set as unique source in Identity Awareness.
I can see the events increasing, all is green.
Now the problem:

Access Roles rules are not applied since users are not seen by the gateway; The command "pdp m ip [ip address]" shows an empty record

idc.png


Note that this gateway is connected by VPN s2s, but the traffic is passing correctly (at least I guess... there is no info about specific rules).

What am I missing?
It looks like the IDC is not passing info at all.
Thanks

0 Kudos
9 Replies
NiladriSarkar
Contributor
‎2024-03-14 04:12 AM

Will you be able to run test_ad_connectivity on the gateway to confirm the gateway is able to fetch required information.

More about it here: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

Example

IPv4 of AD DC

192.168.230.240

Domain

mydc.local

Username

Administrator

Password

aaaa

Syntax

[Expert@GW:0]# $FWDIR/bin/test_ad_connectivity -u "Administrator" -c "aaaa" -D "CN=Administrator,CN=Users,DC=mydc,DC=local" -d mydc.local -i 192.168.230.240 -b "DC=mydc,DC=local" -o test.txt
[Expert@GW:0]#

Output

[Expert@GW:0]# cat $FWDIR/tmp/test.txt
(
   :status (SUCCESS_LDAP_WMI)
   :err_msg ("WMI_SUCCESS;LDAP_SUCCESS")
   :ldap_status (LDAP_SUCCESS)
   :wmi_status (WMI_SUCCESS)
   :timestamp ("Mon Feb 26 10:17:41 2018")
)
[Expert@GW:0]#

 

Note - In order to know the output is authentic, pay attention that the timestamp is the same as the local time.

0 Kudos
AkiYa
Collaborator
‎2024-03-14 04:36 AM
In response to NiladriSarkar

Maybe my assumption is wrong, but as I said I configured the gateway to get users and IP from Identity Collector, NOT the domain controllers.

This command should check the access to the Domain Controller.

Anyway the output is:


(
:status (COMM_ERR)
:err_msg ("ADLOG_ERROR_INTERNAL;LDAP_OPERATIONS_ERROR")
:ldap_status (LDAP_OPERATIONS_ERROR)
:wmi_status (ADLOG_ERROR_INTERNAL)
:timestamp ("Thu Mar 14 12:30:44 2024")
)

 

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-03-14 05:32 AM

So on IDC side, you can see logs increasing every hour, correct? Can you send output of below (in my lab example)

Andy

[Expert@CP-gw:0]# pdp idc status
Identity Collector IP: 172.16.10.111
Identity Sources:
No information about identity sources


[Expert@CP-gw:0]#

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AkiYa
Collaborator
‎2024-03-14 07:34 AM
In response to the_rock

Yes, the logs are increasing in real time; If I launch "pdp idc status" I get a list of the domain controllers divided by Identity Collectors (there are two IDC), all showing they are connected and with several events received in the last minute.

Lesley
MVP Gold
MVP Gold
‎2024-03-14 06:33 AM

Do you still have a LDAP account unit in Smart Console? I think you still need it even if you use IDC. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
AkiYa
Collaborator
‎2024-03-14 07:38 AM
In response to Lesley

Yes, still have the LDAP account unit.

What is really strange is that the user/machine/ip associations are different on different gateways and also change after some time.

We have two domains (trusted) and from the gateway of the domain "alpha.local" with "pdp m ip x.x.x.x" I can see the correct association with the machine name, but the user sometimes changes (I'm logged in with my domain user but I launch RDP sessions to servers with a domain admin).

From the gateway of the domain "beta.local" if I check the same IP, I get different or empty associations (I don't even know why, they should be the same). 

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-03-14 07:46 AM
In response to AkiYa

Are you able to fetch the branches okay? This only would not work if its S1C instance (thats expected), but works on regular mgmt server.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AkiYa
Collaborator
‎2024-03-21 09:47 AM
In response to the_rock

Yes, I'm able to fetch the branches

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-03-21 12:38 PM
In response to AkiYa

Any output with adlog a dc ?

Also as a start follow this SK and make sure the user has enough rights:

https://support.checkpoint.com/results/sk/sk113747

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events