This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DmitriyDubovik
Contributor
‎2023-09-28 01:27 AM
Jump to solution

PDP proccess don t take username using Identity Collector

Good day! 

We have:

1. SG 81.20

2. IC 81.040

3. Cisco ISE 3.0

 

GW taking logs from Identity Collector -> Identity collector taking logs from Cisco ISE -> Cisco ISE taking Identites and logs from Active Directory 

In SMS (Smarconsole):

1) We have LDAP account unit object of LDAP 

 

2) We have only Identity Collector identity source

 

In IC:

1) We have only ISE group in the Query pool. ISE machine is green. Log collected with Username. 

 

1.png

2.png

 

3) In GW 

pdp don t take username, because of it rules don t work properly (ise-1 computer that admins ise, just example)

 

3.png

 

4.png

 

In smartconsole we see this on every login attempt:

 

5.png

I checked every setting on everything, but I still don’t understand what could be wrong.

 

 

 

0 Kudos
1 Solution

Accepted Solutions
DmitriyDubovik
Contributor
‎2023-10-25 12:20 AM
In response to Vincent_Bacher
Jump to solution

https://support.checkpoint.com/results/sk/sk147417

 

problem solved here

View solution in original post

7 Replies
Vincent_Bacher
MVP Silver
MVP Silver
‎2023-09-28 02:42 AM
Jump to solution

Do you receive sAMAccountName or UserPrincipalName as user name?
I remember in the past to be forced to define the ldap search query accordingly in Guidbedit to be able to get correct ldap search results.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
DmitriyDubovik
Contributor
‎2023-09-28 03:30 AM
In response to Vincent_Bacher
Jump to solution

nothing at all

0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
‎2023-09-28 11:01 PM
In response to DmitriyDubovik
Jump to solution

I meant from ISE. What's the Username collected from ISE? sAMAccountName or UserPrincipalName?
PDP needs something to make ldap query for group membership resolution.
Error message from Smartlog in your post may point to the issue that the wrong one is used.
In case the Attr received leads to errors when trying to resolve group memberships, sometimes UserLoginAttr is to be modified in the Checkpoint Database using guidbedit.

identity-collector-ldap.png
 

In case pdp process queries using wrong attr, user cannot be found, leading to same error message as above.

To clarify, you might want to debug.

Then first enable debug on the PDP

 

 

fw debug fwd off PDP_LOG_SIZE=50000000
fw debug fwd off PDP_NUM_LOGS=20
fw kill pdpd
pdp debug off
pdp debug reset
pdp debug set all all

 

 

replicate issue

disable debug

 

 

fw debug fwd off PDP_LOG_SIZE=10000000
fw debug fwd off PDP_NUM_LOGS=10
pdp debug off
pdp debug reset
fw kill pdpd

 

 

and then you are able to analyse the collected files in $FWDIR/logs/pdpd.elg*
In case my idea is correct, you could see hints pointing to that.
Or maybe pointing to a different root cause.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
DmitriyDubovik
Contributor
‎2023-10-25 12:20 AM
In response to Vincent_Bacher
Jump to solution

https://support.checkpoint.com/results/sk/sk147417

 

problem solved here

Matlu
MVP Silver
MVP Silver
‎2023-12-14 03:03 PM
In response to Vincent_Bacher
Jump to solution

Hello,

Are the tshoot commands similar for "SMB" machines?

I have a "negotiation" problem between my GW 1590 SMB, and my SRV AD which has the IDC installed.

On these machines, is it viable to "restart" the PDP process with the command, "fw kill pdpd"?

Greetings.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-09-28 09:17 AM
Jump to solution

Can you verify ldap account unit is configured properly in smart console? You still need that even with IC set up.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-28 12:13 PM
Jump to solution

Gateways must be able to query Active Directory to obtain the groups the user is associated with.
This points to an issue in your LDAP configuration.
For troubleshooting that, see: https://support.checkpoint.com/results/sk/sk100406 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events