Management General Management Topics Logging and Reporting Multi-Domain Management Policy Management
- Local User Groups
AI & Machine Learning
I've noticed that with R80.10 there was a loss of functionality in user templates, namely group membership option. Its no longer there.
As for today we cannot have the newly created user automatically added to a given set of user group(s), as defined by the user template, as it used to worked before (<R80)
Although it is not visible anymore on the user template properties it actually still worked after migration and until JHF take 24. So now its not visible AND doesn't work anymore.
Does it make sense to RFE a feature that existed previously ?
There are a few features in R77.30 that didn't make the cut in R80.10 for various reasons.
In some cases, the features are still there and just aren't visible in the GUI.
In other cases, the functionality is not there at all (e.g. SmartProvisioning).
The plan is to close those gaps in future versions, but that will take time.
As R&D participates actively here, posts like these do help bring visibility to the issue.
That said, the fact JHF 24 broke something that was previously working is probably worth a TAC case to see if that is intended behavior or not.
Hi Pedro, can you please elaborate on what exactly worked automatically after your upgrade? As far as I know in order to have a user automatically get added to a group, you still need to pick the group. Are you using some predefined script for this?
This was a feature that was present forever in the product prior to R80.
For example, I create a User Template called Test_Template:
When I create a user, I can based it off that template.
The user is automatically in the groups I created in the template with no action required by the administrator.
You'll notice that when you create a template in R80.10 that the "Groups" tab is missing (a feature degradation IMO):
Which means it's not possible to set a list of default groups in a template created in R80.10.
Maybe it is through the magic of dbedit, but that's a separate conversation.
However, what was working for Pedro Boavida prior to applying JHF 24 was that templates created in R77.30 would still work as they did in R77.30 (i.e. they would automatically set the user's groups to the correct value when creating a user based on that template).
Does that make sense?
Thanks for your efforts explaining the issue more clearly. That's precisely my point!
After upgrade to R80.x the "groups" tab was no longer visible in user template...... but still worked in the sense that a user created from that template still received the group membership - like previously defined on R77.
Later, just after applying JHF 24 this stopped working, which means that newly created users stopped receiving group membership.
Now I rely on pertaining users to groups manually, so my policy logic can work as established.
I understand this is by design of new version, however I'm bringing this subject here because it was indeed a useful feature and I hope it can be restored / fixed in upcoming releases.
Selecting user groups within the user editor or user template editor is a limitation of R80 and R80.10. It will be returned in our next releases.
Pedro - I was mostly interested with your description of the change since the Jumbo-Hotfix. The decision was that we will resolve this in the next releases.
Hope this helps
Usually unintended changes within hotfixes of the Management will get fixed on their own as a regular quality check, but this case is a bit unique. Because at the moment the decision is to hold with that gap for our next releases, in case Pedro wants to restore the behavior pre-JHF 24 then a support case will help.
We are facing the same issue since upgrading an environment to R80.10 (also past JHF 24).
This is a pain point for the daily ops team which creates new remote access users.
Workflow for new RAS-users with R77.30:
Workflow for new RAS-users with R80.10 past JHF24:
Step 3 is needed, because in R80.10 the color of the template is ignored.
Steps 5 to 8 are needed, because group membership cannot be handled by template anymore (this was discussed above).
Step 9 is needed, because new cert enrollment keys cannot be created until the user object is created. While the old R77 Dashboard creates the user in background when you switch to the certificates tab, the new R80 SmartConsole does not do so. So we have to close this window with the okay button to let it create the user. Then we have to open it again to create the cert enrollment key.
We would be very happy to circumvent these new GUI limitations by using the new API.
Unfortunately, there are still some gaps in the new API and managing user objects seems to one of them.
Maybe someone here can help us out with the (as far as I know undocumented and unsupported) generic-object API calls (which are firing classic CPMI calls, if I'm right)? Tomer Sole
We would really appreciate your help.
Thank you and best regards,
steps 5-8 will not be needed with the upcoming R80.20. The next R80.20 Public EA (not the one that you can use right now) will contain automatically adding users to groups if the template defines that. There is also the option for R80.20 Production EA.
we will look into step 3.
Step 9 is a change in the product because we wanted to give a consistent experience - new objects are not created until you OK the editor, across the board. Unfortunately this meant that the User Object got that extra step.
Automating your security recipes is important. Which parts are you still missing out of the generic way (see its limtiations)? https://community.checkpoint.com/docs/DOC-2844
Thank you for this very fast and helpful response!
I wasn't aware of that DOC-2844, thank you for the link.
Is it also possible to create the certificate enrollment key from ICA for that new user by using the API?
This would be nice, because then we could automate this daily ops task completely without moving authentication away from ICA to something other.
Is there an update to the inclusion of this?
I haven't installed R80.20M1 but I could not find a reference to it in the resolved issues or new features.