
App Control ignoring a rule

Hello,

   So recently we have noticed sporadic behavior where our gateways seem to ignore a rule in application control for our IT department users. We have it set up to identify these users via Active Directory using a security group. What we are seeing is that it does not pick up on this rule and instead hits on a rule further down the rulebase that specifies the source as a network object instead of the AD security group. This also seems to be happening with other rules as well, but much less frequently. ID awareness is working, as the user is identified in the logs, so I know it is at least communicating with AD.

   This issue started happening after we upgraded our Management server to 80.10 but I don't think it is actually related to that.

We are currently on 77.30 with a 80.10 management server. The gateways are being replaced in about 2 weeks with newer hardware/80.10 builds. I am unsure what the best way to troubleshoot this issue is and would love to hear any suggestions on how I can proceed. If I cannot figure it out before we replace the gateways I will simply engage CP support at that time.

6 Replies
Admin
Admin

Re: App Control ignoring a rule

You might want to see what identities are acquired on the gateway.

I believe you can do this with the command adlog a dc

You may also want to review: ATRG: Identity Awareness 

Zach_Rack
Nickel

Re: App Control ignoring a rule

Hey Devon,

Are those machines that are ignoring the rules accessible by multiple users?

In other words: does more than one person log in to the same machine using his AD credentials?


phlrnnr
Copper

Re: App Control ignoring a rule

I'm having a similar issue, except with Identity Collector.  AD Query is disabled.  R80.20, Take 17.  Single user in a particular group, but the group rule gets skipped.  How / when does the GW get group info for a particular user?  What troubleshooting commands can be run to see what the GW knows about a user and what groups they are in?

Admin
Admin

Re: App Control ignoring a rule

The gateway is supposed to query the configured LDAP server to get the groups, regardless of whether you are using ADQuery or Identity Collector.

The ATRG I linked above should contain the necessary troubleshooting steps. 

Re: App Control ignoring a rule

Try running these on the gateway:

pdp monitor user (username)

pdp monitor ip (IP address)

pdp monitor groups (groupname) - Shows all current known members of (groupname)

These commands will show the user/IP mappings and all group memberships cached on the gateway sliced and diced different ways.  My understanding is that once a gateway forms a mapping (whether doing it locally via pdpd or getting it from the IC), the gateway will immediately query the domain for the group memberships and place them in the IA cache which is visible with the above commands.

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
phlrnnr
Copper

Re: App Control ignoring a rule

Thank you!  The output of 'pdp monitor user xxxxx' showed me that the group I used in my access role (Domain_Users) was not tied to the user object.  That led me to sk106328: Domain Users can not be added to Access Role.  It is confusing because you can add it to the access role, but it just isn't used.  We are building a hierarchy of rules from more specific to less specific to build out policies accordingly.

For example:

- User Group 1 (inline layer)

- User Group 2 (inline layer)

- All Other Authenticated Users (inline layer)

- All Unauthenticated Users (inline layer)

I was hoping to use 'Domain Users' to identify 'All Other Authenticated Users'.  I'll try creating an LDAP Group per the sk article and see if that will do what I intended.

Thanks again for your help!

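The check that resolved this thread (compare the groups an Access Role relies on against what the gateway has actually cached for the user) as a small script. This is an added example, not code from the thread or from Check Point; it assumes expert-mode shell access on the gateway, and the `pdp monitor user` output format in the embedded sample is an assumption constructed for this example, so adjust the sed pattern if your gateway prints it differently.

```shell
#!/bin/sh
# Added example: report which Access Role groups are missing from the
# Identity Awareness cache for a user, using `pdp monitor user <name>`.
# The output layout below is ASSUMED and CONSTRUCTED for this example;
# real gateway output may differ.

# Constructed sample of `pdp monitor user jdoe` (assumed format).
SAMPLE_OUTPUT='Session: 1
  Ip: 10.1.2.3
  Users:
    jdoe@corp.example {1}
      Groups: ad_group_IT-Staff;ad_group_VPN-Users
      Roles: IT_Staff
      Client Type: Identity Collector'

# Print the groups cached for one user, one per line.
# With PDP_SAMPLE=1 the constructed sample is used instead of running pdp,
# so the script can be exercised off the gateway.
cached_groups() {
    user="$1"
    if [ "${PDP_SAMPLE:-0}" = "1" ]; then
        out="$SAMPLE_OUTPUT"
    else
        out=$(pdp monitor user "$user" 2>/dev/null)
    fi
    printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Groups:[[:space:]]*//p' \
        | tr ';' '\n' | sed '/^$/d'
}

# Usage: missing_groups <user> <group>...
# Prints each group the gateway has NOT cached for the user;
# returns 0 when every group is present, 1 otherwise.
# Note: 'Domain Users' is the AD primary group and is not returned as a
# membership, so it always shows up as missing (sk106328 in the thread).
missing_groups() {
    user="$1"; shift
    groups=$(cached_groups "$user")
    rc=0
    for g in "$@"; do
        # Accept the bare AD name or the ad_group_ prefixed form.
        if ! printf '%s\n' "$groups" | grep -Fqix "$g" \
           && ! printf '%s\n' "$groups" | grep -Fqix "ad_group_$g"; then
            echo "$g"
            rc=1
        fi
    done
    return $rc
}
```

On a real gateway run `missing_groups jdoe IT-Staff` without PDP_SAMPLE set; a group reported here is one the rule's Access Role cannot match on.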