Justin_Hickey
Collaborator

Url Filtering Gets Confuzzled by Multi-Logins

We have several machines where there is quick user switching. I've noticed that sometimes we'll get a complaint about a user who is supposed to be allowed to log in to webmail sites not being allowed to log in to webmail sites. They get a block message. When I look in the logs, the message has about 5-10 userids listed as the source. I'm assuming it just takes one of these with the email restriction to block the traffic.

I also seem to have the same problem outbound. One IP by some ISP could service 1,000 destinations. If one is categorized as malicious, all traffic to that IP is blocked.

Any pointers?

1 Solution

Accepted Solutions
Kyle_Danielson
Employee

If you're in a scenario where users will be rapidly logging in and out, you might want to configure 'Assume that only one user is connected per computer'.

This way, when the gateway gets a new login event from the same IP as a previous association, we'll clear the previous one. If you don't have this check box set, you can run into these kinds of unexpected privilege escalation/de-escalation issues.

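A simplified model of the association behaviour described in the accepted solution, added here as an illustration; it is not Check Point code and does not reproduce the gateway's actual rule matching. The class and function names, the users, the IP address and both matching rules are assumptions chosen to show how stale associations can cause either a wrong block or a wrong allow.

```python
# Simplified model of an IP-to-user association table (assumption, not Check Point code).
from collections import defaultdict

PC = "10.0.0.5"            # constructed address of a shared workstation
WEBMAIL_DENIED = {"bob"}   # constructed policy: bob may not use webmail, alice may


class AssociationTable:
    def __init__(self, single_user_per_ip):
        self.single_user_per_ip = single_user_per_ip
        self.users_by_ip = defaultdict(list)

    def login(self, ip, user):
        """Record a login event seen for this IP."""
        if self.single_user_per_ip:
            # A new login clears the previous association for the IP.
            self.users_by_ip[ip] = [user]
        elif user not in self.users_by_ip[ip]:
            # Earlier associations linger (session expiry is not modelled).
            self.users_by_ip[ip].append(user)

    def sources(self, ip):
        return list(self.users_by_ip[ip])


def replay(events, single_user_per_ip):
    """Feed (ip, user) login events into a fresh table."""
    table = AssociationTable(single_user_per_ip)
    for ip, user in events:
        table.login(ip, user)
    return table


def block_if_any_denied(table, ip):
    """Assumed rule A: one restricted user among the sources blocks the traffic."""
    return "block" if any(u in WEBMAIL_DENIED for u in table.sources(ip)) else "allow"


def allow_if_any_permitted(table, ip):
    """Assumed rule B: one permitted user among the sources allows the traffic."""
    return "allow" if any(u not in WEBMAIL_DENIED for u in table.sources(ip)) else "block"


if __name__ == "__main__":
    for order in (["bob", "alice"], ["alice", "bob"]):   # last name is at the keyboard
        events = [(PC, user) for user in order]
        for single in (False, True):
            t = replay(events, single)
            print(order[-1], "active, single-user mode:", single, t.sources(PC),
                  block_if_any_denied(t, PC), allow_if_any_permitted(t, PC))
```

With the single-user setting modelled, both rules agree and the verdict follows only the user who logged in last.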

2 Replies
Timothy_Hall
Champion

Check out the optional Identity Awareness Agent software that can be loaded on problematic systems in your network that are roaming around or have local user switching situations. There is no way to detect these types of events purely from the network, and software is required on the workstation to help out:

sk63920: Identity Awareness Agent for Mac OS X

sk107415: Check Point Identity Agent for Microsoft Windows 10

sk88520: Best Practices - Identity Awareness Large Scale Deployment

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com