Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
0f41af9d-f27d-4
Participant

Identity Awareness issue - User identified but the rule is not matching

Hi All,

I'd ask for help/advise for the issue with Identity awareness.

I have Checkpoint 3600 R80.40 Take 309 managed by SMC 80.40

I've enabled the IA blade and configured settings/rules.

I've created the rule with single user to be permitted Destination/Service - any.

All networks and machines allowed.

While testing I can see the test user successfully identified with AD name but the rule is not matching.

I've recreated the rule - still not working.

 

Kind regards,

Paul

 

0 Kudos
10 Replies
the_rock
Authority
Authority

Hi Paul, would you mind send us the screenshot of the rule and also tell us what other rule is being matched? Is it possible you have a rule above IA rule that could be catching the traffic?

0 Kudos
0f41af9d-f27d-4
Participant

Hi Rock,

Sure.

I'm attaching the pictures with the rules and logs.

I've tested with the rule above IA permitting all the traffic and it works fine. However if I add the role object - it stops working.

 

0 Kudos
the_rock
Authority
Authority

Not sure in that case, may need more testing, maybe contact TAC and see if they can do remote session. Personally, I would just make sure user is included in right access role group and maybe do tcpdump and/or fw monitor as well to test traffic.

 

Also, maybe run some pdp commands to see the state:

 

adlog a dc

pdp monitor ip x.x.x.x

pdp monitor user xxxxx

 

Hope that helps.

0 Kudos
0f41af9d-f27d-4
Participant

Thank you for sharing useful commands.

AD queries are working fine.

I've raised a TAC.

Hopefully support can fix it.

Benedikt_Weissl
Advisor

Check out the Multi User Host detection:

https://community.checkpoint.com/t5/Security-Gateways/Identity-Awareness-Multi-User-Host/m-p/80173/h...

Maybe service accounts login cause the source host to be marked as "multi user host", you can check with "pdp muh status"

0 Kudos
Kaspars_Zibarts
Authority
Authority

It doesn't look like your user has assumed the defined role. You can check from logs by running filter

blade:"Identity Awareness" AND action:"Log In" AND src:x.x.x.x

change x.x.x.x to users IP of course

then you should see what roles are associated with this IP:

image.png

 

the_rock
Authority
Authority

Thats actually an EXCELLENT point! I totally forgot about it, but I agree that if thats wrong, the rule would not work.

0 Kudos
0f41af9d-f27d-4
Participant

Thank you for the advice.

That's interesting!

I've found the logs with failed login and error:

"Failed to get users groups for the domain.
Verify that this domain name is configured in your LDAP Account Unit."

Looks like I've chosen the wrong domain.

I'll check the settings an let you know.

the_rock
Authority
Authority

Please let us know if you can correct that, I am 99% sure that is the issue. Big thanks to @Kaspars_Zibarts for pointing that out!!

0 Kudos
Tuatara
Explorer

Hello,

Have you solve this issue, we have the same issue

0 Kudos