This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Carlos_Machado1
Participant
‎2018-03-21 11:51 AM

Identity Awareness for dynamic environments

Hi, all.

I was taking a look at the Identity Awareness documentation looking for answers to possible questions on this subject and I couldn't find anything on this:

What happens to user-to-ip mapping when a user logs in to their laptop using a wired connection but then disconnects from it and stays connected only to wifi? Since the user hasn't logged out and logged in again, I believe AD Query won't be useful. Does Check Point have something like "client probing" or any other identity acquisition method for this kind of scenario?

Thanks in advance!

0 Kudos
9 Replies
Mark_Gurevich
Contributor
‎2018-03-21 01:05 PM

Hi,

Aside login events, the next events are read as well, so if SSO is in use AD query still might be useful:

4768: A Kerberos authentication ticket (TGT) was requested.
*4769: A Kerberos service ticket was requested.
*4770: A Kerberos service ticket was renewed.

You may also consider to add Captive Portal to major allow rules

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-03-21 01:36 PM

We are not using AD query but identity collector (IDC) instead. Much more efficient solution for larger scale. No issues with users jumping between WiFi and LAN. IDC subscribes to AD logs and gets updated, not instantly but fairly quickly.

One down side is that you can have only one username per IP with IDC. I know r&d are working on allowing more but not too sure when it's coming out.

0 Kudos
Mark_Gurevich
Contributor
‎2018-03-22 02:19 AM
In response to Kaspars_Zibarts

Hi Kaspars,

Which build of IDC you've got installed?

0 Kudos
Carlos_Machado1
Participant
‎2018-03-22 06:43 AM
In response to Kaspars_Zibarts

Thanks for your reply, Kaspars.

But if the IDC is subscribing to the AD logs, wouldn't it still need to "wait" for a session log out and session re-log in in order to map the user to their new ip? I mean, if the user jumps from LAN to wifi without re-logging in, there won't be a security log to read the new information from, right?

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-03-22 09:31 AM
In response to Carlos_Machado1

From what I understand it subscribes to more logs than that. Let me confirm

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-03-23 12:53 AM
In response to Carlos_Machado1

I believe it's this one (4769: A Kerberos service ticket was requested) but let me check next week when I'm in a position to confirm both firewall and DC logs

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-03-27 04:00 AM
In response to Kaspars_Zibarts

Here you go, confirmed. When I unplugged network cable:

[ 137060 137000]@xxxxxxxxx[27 Mar 12:47:01]  [GatheringManager (TD::Important)] NAC::IDCOLLECTOR::GatheringManager::processEvent: processEvent process EventRecordID: 3542097560 ; EventID 4769, entity: , machine: xxxxxxx, IP: xxxxxxxxx, domain: xxxxxxxx.com

According to my sources: Usually other applications (e.g. Outlook) cause background authentication to the user with the new IP after this roaming

0 Kudos
PhoneBoy
Admin
Admin
‎2018-03-22 11:14 AM

Identity Agent (loaded on Client IP) will provide the quickest update to user/IP association.

0 Kudos
Carlos_Machado1
Participant
‎2018-03-23 09:10 AM
In response to PhoneBoy

Now we're talking. Thanks.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events