
Activating Identity Awareness R80 gateway with Active Directory can obtain user list

Hi, I'm trying to activate the Identity Awareness blade on my R80 gateway. In the wizard the connection with my AD results OK, but when I try to create an Access Role and request a list of users from the domain controller, it doesn't work.

When I use the test_ad_connectivity -x itsvsa.com.ve -o my_test2.txt -s -w command in expert mode, I can see these results:

[Expert@gwr801:0]# cat my_test2.txt
(
        :status (SUCCESS_WMI)
        :err_msg ("ADLOG_SUCCESS;LDAP_OPERATIONS_ERROR")
        :ldap_status (LDAP_OPERATIONS_ERROR)
        :wmi_status (ADLOG_SUCCESS)
        :timestamp ("Fri Nov 23 10:37:19 2018")

Using other diagnostic commands, the output shows a connection with the Active Directory; in fact I can observe data for machines in the domain and users of certain OUs. But in the Security Management I cannot obtain the user list to create access-role-based rules.

Other outputs:

[Expert@gwr801:0]# adlog a dc
Domain controllers:
Domain Name               IP Address                Events (last hour)   Connection state
============================================================================================================
itsvsa.com.ve             10.16.13.50               167                  has connection
Ignored domain controllers on this gateway:
No ignored domain controllers found.
[Expert@gwr801:0]# adlog a q a
ip: 10.16.13.4 --> Users: Ernesto Cabello (ernesto.cabello@itsvsa.com.ve); fortilab (fortilab@itsvsa.com.ve);
ip: 10.16.13.50 --> Machines: amazonas@itsvsa.com.ve;
ip: 10.16.13.51 --> Machines: caroni@itsvsa.com.ve;
ip: 10.16.13.52 --> Machines: neveri@itsvsa.com.ve;
ip: 10.16.13.56 --> Machines: veeam@itsvsa.com.ve;
ip: 10.16.13.70 --> Users: Gabriel Salcedo (gabriel.salcedo@itsvsa.com.ve);  --> Machines: cesar-pc@itsvsa.com.ve;
ip: 10.16.13.73 --> Users: Angel Garcia (angel.garcia@itsvsa.com.ve);  --> Machines: desktop-3h34386@itsvsa.com.ve;
ip: 10.16.13.101 --> Users: Antonio Rodriguez (antonio.rodriguez@itsvsa.com.ve);  --> Machines: arodriguez@itsvsa.com.ve;
ip: 10.16.13.127 --> Users: Javier Orejarena (javier.orejarena@itsvsa.com.ve);  --> Machines: ccert@itsvsa.com.ve;
ip: 10.16.13.182 --> Users: Angelica Rangel (angelica.rangel@itsvsa.com.ve);  --> Machines: raranguren@itsvsa.com.ve;
ip: 10.16.13.185 --> Users: Arquimedes Gardie (arquimedes.gardie@itsvsa.com.ve);
ip: 10.16.13.201 --> Users: Ludexi Ortega (ludexi.ortega@itsvsa.com.ve);  --> Machines: ortegal@itsvsa.com.ve;
ip: 10.16.13.214 --> Users: Yeritson Pernia (yeritson.pernia@itsvsa.com.ve);  --> Machines: vmartinez@itsvsa.com.ve;
ip: 10.16.13.222 --> Users: Janeth Laguado (janeth.laguado@itsvsa.com.ve);  --> Machines: jlaguadorrhh@itsvsa.com.ve;
ip: 192.168.200.50 --> Machines: amazonas@itsvsa.com.ve;
ip: 192.168.200.51 --> Machines: caroni@itsvsa.com.ve;
I can see detailed information about the domain via the shell, but not in the Security Management.
Thanks to anyone who can help me.
9 Replies
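The "adlog a q a" output above is the gateway's current IP-to-identity table, which is what Access Role rules are evaluated against. As an added example (not part of the original post and not a Check Point tool), here is a small Python parser for that output format over a constructed subset of the lines shown in the thread; it lists IPs that carry only a machine identity (hosts that will not match a user-based Access Role) and identities the gateway has seen on more than one IP. The two helper names and the "users"/"machines" dictionary layout are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "adlog a q a" output quoted in the thread.
SAMPLE_ADLOG = """\
ip: 10.16.13.4 --> Users: Ernesto Cabello (ernesto.cabello@itsvsa.com.ve); fortilab (fortilab@itsvsa.com.ve);
ip: 10.16.13.50 --> Machines: amazonas@itsvsa.com.ve;
ip: 10.16.13.70 --> Users: Gabriel Salcedo (gabriel.salcedo@itsvsa.com.ve);  --> Machines: cesar-pc@itsvsa.com.ve;
ip: 192.168.200.50 --> Machines: amazonas@itsvsa.com.ve;
"""

# "Display Name (account@domain)" as printed for users
USER_RE = re.compile(r'^(.*?)\s*\(([^)]+)\)$')


def parse_adlog_query(text):
    """Map each IP to {'users': [(display_name, account), ...], 'machines': [account, ...]}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith('ip:'):
            continue
        # Segments are separated by "-->": first is the IP, then "Users: ..." / "Machines: ..."
        segments = re.split(r'\s*-->\s*', line)
        ip = segments[0].split(':', 1)[1].strip()
        entry = {'users': [], 'machines': []}
        for seg in segments[1:]:
            kind, _, rest = seg.partition(':')
            items = [i.strip() for i in rest.split(';') if i.strip()]
            if kind.strip() == 'Users':
                for item in items:
                    m = USER_RE.match(item)
                    entry['users'].append((m.group(1), m.group(2)) if m else (item, item))
            elif kind.strip() == 'Machines':
                entry['machines'].extend(items)
        mapping[ip] = entry
    return mapping


def machines_without_user(mapping):
    """IPs known only by a machine identity: user-based Access Roles will not match them."""
    return sorted(ip for ip, e in mapping.items() if e['machines'] and not e['users'])


def identities_on_multiple_ips(mapping):
    """Accounts (user or machine) that the gateway currently associates with more than one IP."""
    seen = defaultdict(set)
    for ip, e in mapping.items():
        for _, account in e['users']:
            seen[account].add(ip)
        for account in e['machines']:
            seen[account].add(ip)
    return {account: sorted(ips) for account, ips in seen.items() if len(ips) > 1}


if __name__ == '__main__':
    table = parse_adlog_query(SAMPLE_ADLOG)
    print('machine-only IPs:', machines_without_user(table))
    print('identities on several IPs:', identities_on_multiple_ips(table))
```

Feeding the full "adlog a q a" output to parse_adlog_query (for example by piping it into the script) gives a quick way to confirm whether a host that fails an identity-based rule actually has a user identity on the gateway, as opposed to only a machine identity or no entry at all.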

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

Hi Antonio,

Please make sure that the PC on which you are opening SmartConsole is also in the same domain.

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

First, there is no such gateway version R80: you are either using R80.10 or R80.20.

That said, for this question it's not terribly relevant.

One relevant question: are you using Identity Collector or ADQuery?

Your gateway shows the users it has been told about by the AD server.

A separate LDAP lookup must be performed on each user (and management) to get the groups associated with each user.

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

Thank you Dameon. In fact, R80.10 is the release I was working on. I activated IP forwarding on my PC host for the lab and tried again, and obtained successful results, listing the users, machines and other info from the domain controller. But I am still seeing the error message LDAP_OPERATIONS_ERROR.

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

The error message is obtained when I run the script $FWDIR/bin/test_ad_connectivity on the gateway, and when I do the same on the SC, I obtain a general error.

Right now I can go ahead with my lab environment; we can build rules on the URL Filter Layer based on identity captured from the AD. When I proceed to the production deployment I will probably need Check Point support if the behavior persists on the real configuration.

Thanks to all

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

Check $FWDIR/log/test_ad_connectivity.elg to see if you can see more details.

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

You need to allow your workstation IP address somewhere (LDAP). SmartConsole is using the internal IP of your desktop.

The CLI of the management is using the IP of the management server.

Kind regards,
Jozko Mrkvicka

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

The SmartConsole machine is not connecting to the AD server anymore in R80+, only the management server and the gateway are doing this now.

In a Multi-domain environment the MDS and Domain server are both making connections (at least they were in R80.10, I need to see about this in R80.20).

Regards, Maarten

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

Thanks for your support, really. We solved the issue by activating IP forwarding on my PC, to give connectivity from the SC to the AD. However, when I run the test, the SC now lists the users for me to add access control rules, but the test_connection script is still saying the same message, LDAP OPERATIONS ERROR.

Re: Activating Identity Awareness R80 gateway with Active Directory can obtain user list

This is probably because the -w option "Specifies that only the WMI connectivity test (no LDAP) should be performed". LDAP worked for me without this option or with -l:

 test_ad_connectivity -x itsvsa.com.ve -o my_test2.txt -s -l

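The point of the last reply is that the result file has to be read together with the flags the test was run with: with -w only the WMI (AD Query) path is exercised, so the ldap_status field does not report a real LDAP test. As an added example (not from the thread or from Check Point), here is a Python parser for the ":key (value)" result file quoted in the original post, plus a small assessment that applies that reading. The sample is the thread's own output with a closing parenthesis added so it is well-formed; the treatment of -l as "LDAP only", the error_codes/assess helper names and the "a status containing ERROR is a failure" rule are this example's assumptions, not documented tool behaviour.

```python
import re

# Constructed sample: the result file quoted in the thread, produced by
#   test_ad_connectivity -x itsvsa.com.ve -o my_test2.txt -s -w
# The closing ")" is added here so the sample is well-formed.
SAMPLE_RESULT = """(
        :status (SUCCESS_WMI)
        :err_msg ("ADLOG_SUCCESS;LDAP_OPERATIONS_ERROR")
        :ldap_status (LDAP_OPERATIONS_ERROR)
        :wmi_status (ADLOG_SUCCESS)
        :timestamp ("Fri Nov 23 10:37:19 2018")
)
"""

# One field per line: ":name (value)", value possibly double-quoted
FIELD_RE = re.compile(r'^\s*:(\w+)\s+\((.*)\)\s*$')


def parse_result(text):
    """Return the ':key (value)' fields as a dict, with surrounding quotes stripped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def error_codes(fields):
    """err_msg is a ';'-separated list; keep only the entries that are not a success code."""
    return [c for c in fields.get('err_msg', '').split(';') if c and 'SUCCESS' not in c]


def _looks_ok(status):
    # Simplifying assumption for this example: a status naming an ERROR failed, anything else passed.
    return status is not None and 'ERROR' not in status


def assess(fields, flags):
    """Interpret the per-protocol statuses in light of which tests the flags actually ran."""
    wmi_only = '-w' in flags    # stated in the thread: -w runs only the WMI test, no LDAP
    ldap_only = '-l' in flags   # assumption: -l runs only the LDAP test
    report = {'wmi_tested': not ldap_only, 'ldap_tested': not wmi_only,
              'wmi_ok': None, 'ldap_ok': None, 'notes': []}
    if report['wmi_tested']:
        report['wmi_ok'] = _looks_ok(fields.get('wmi_status'))
        report['notes'].append('WMI (AD Query) status: %s' % fields.get('wmi_status'))
    if report['ldap_tested']:
        report['ldap_ok'] = _looks_ok(fields.get('ldap_status'))
        report['notes'].append('LDAP status: %s' % fields.get('ldap_status'))
    else:
        # The field is still present in the file, but no LDAP test ran behind it.
        report['notes'].append('LDAP not tested (-w given); ldap_status=%s is not a real result, '
                               're-run without -w or with -l' % fields.get('ldap_status'))
    if error_codes(fields):
        report['notes'].append('error codes in err_msg: %s' % ', '.join(error_codes(fields)))
    return report


if __name__ == '__main__':
    result = parse_result(SAMPLE_RESULT)
    for note in assess(result, ['-s', '-w'])['notes']:
        print(note)
```

Running the block on the thread's sample reports a passing WMI test and flags the LDAP_OPERATIONS_ERROR as untested rather than as a failure; the same file assessed without -w is reported as a genuine LDAP failure, which is the case where $FWDIR/log/test_ad_connectivity.elg, mentioned earlier in the thread, is the next place to look.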