App Control ignoring a rule

Devon_Bingham · ‎2018-02-13

Hello,

So recently we have noticed sporadic behavior where our gateways seem to ignore a rule in application control for our IT department users. we have it setup to identify these users via Active Directory using a security group. What we are seeing is it does not pick up on this rule and instead hits on a rule further down the rulebase that specifies the source as a network object instead of the AD security group. This also seems to be happening with other rules as well but much less frequently. ID awareness is working as the user is identified in the logs so I know it is at least communicating with AD.

This issue started happening after we upgraded our Management server to 80.10 but I don't think it is actually related to that.

we are currently on 77.30 with a 80.10 management server. The gateways are being replaced in about 2 weeks with newer hardware/80.10 builds. I am unsure what the best way to troubleshoot this issue is and would love to hear any suggestions on how I can proceed. If I cannot figure it out before we replace the gateways I will simply engage CP support at that time.

PhoneBoy · ‎2018-02-13

You might want to see what identities are acquired on the gateway.

I believe you can do this with the command adlog a dc.

You may also want to review: ATRG: Identity Awareness

Zach_Rack · ‎2018-02-14

Hey Devon,

Is those machines that ignoring the rules are accessible by multiple users.?

In other words : more than one person log-in to the same machine using his AD Cred.

phlrnnr · ‎2019-01-24

I'm having a similar issue, except with Identity Collector. AD Query is disabled. R80.20, Take 17. Single user in a particular group, but the group rule gets skipped. How / when does the GW get group info for a particular user? What troubleshooting commands can be run to see what the GW knows about a user and what groups they are in?

PhoneBoy · ‎2019-01-24

The gateway is supposed to query the configured LDAP server to get the groups, regardless of whether you are using ADQuery or Identity Collector.

The ATRG I linked above should contain the necessary troubleshooting steps.

Timothy_Hall · ‎2019-01-24

Try running these on the gateway:

pdp monitor user (username)

pdp monitor ip (IP address)

pdp monitor groups (groupname) - Shows all current known members of (groupname)

These commands will show the user/IP mappings and all group memberships cached on the gateway sliced and diced different ways. My understanding is that once a gateway forms a mapping (whether doing it locally via pdpd or getting it from the IC), the gateway will immediately query the domain for the group memberships and place them in the IA cache which is visible with the above commands.

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

phlrnnr · ‎2019-01-25

Thank you! The output of 'pdp monitor user xxxxx' showed me that the group I used in my access role (Domain_Users) was not tied to the user object. That led me to sk106328: Domain Users can not be added to Access Role. It is confusing because you can add it to the access role, but it just isn't used. We are building a hierarchy of rules from more specific to less specific to build out policies accordingly.

For example:

- User Group 1 (inline layer)

- User Group 2 (inline layer)

- All Other Authenticated Users (inline layer)

- All Unauthenticated Users (inline layer)

I was hoping to use 'Domain Users' to identify 'All Other Authenticated Users'. I'll try creating an LDAP Group per the sk article and see if that will do what I intended.

Thanks again for your help!

Are you a member of CheckMates?

App Control ignoring a rule