Re: Identity Awarness question

RemoteUser · ‎2025-06-24

Users are assigned to the access roles, but the IA system is unable to recognize their accounts within the GRP AD groups that have permissions to access the resources.
how can i resolve this. if i do pdp monitor user Jhon123 the output it's empty

Thanks

Chris_Atkinson · ‎2025-06-24

Please share additional details about the environment including version/jumbo, adquery or identity collector etc

Have you validated the settings of the account unit, how many are configured ?

CCSM R77/R80/ELITE

RemoteUser · ‎2025-06-24

Hi @Chris_Atkinson
R81.20 JHF 53
identity collector.
all criteria should match the AR, the AR is configured to use AD groups

PhoneBoy · ‎2025-06-24

We need a lot more information like:

Version/JHF of gateways/management
How you have Identity Awareness set up (what acquisition method(s) are in use)
A diagram of the relevant gateways, identity sources, and how they connect to each other and the Internet

Generally, though, groups come from two places:

The SAML Assertion (when used with Entra ID or other SAML provider)
LDAP queries from the gateway (used with all other identity sources)

For troubleshooting, see https://support.checkpoint.com/results/sk/sk183118

RemoteUser · ‎2025-06-24

Hi @PhoneBoy as i said:
user is not known by the PDP Broker, Identity Collector, we performend a restart of the Identity collector service on the server but nothing change .

RemoteUser · ‎2025-06-24

the sk doesn't exist

PhoneBoy · ‎2025-06-24

Sorry, didn't notice that SK was internal.
In any case, you should start by troubleshooting Identity Collector: https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Client...

RemoteUser · ‎2025-06-24

Myabe this one:
https://support.checkpoint.com/results/sk/sk114096

the_rock · ‎2025-06-24

If you run pdp update all command, what does it show?

Andy

Best,
Andy
"Have a great day and if its not, change it"

RemoteUser · ‎2025-06-25

it's seemes issue related to domain controller

RemoteUser · ‎2025-06-26

pdp update all
output > update operation may take a few minutes

the_rock · ‎2025-06-26

So command did work, but not sure if it did much. Does pdp monitor user work for ANY user at all?

Andy

Best,
Andy
"Have a great day and if its not, change it"

RemoteUser · ‎2025-06-26

take for example a user john.
qunado i do the:
pdp m u john
sometimes i get
sometimes i don't
sometimes i get an incorrect ip..

the_rock · ‎2025-06-26

What about any other user?

Andy

Best,
Andy
"Have a great day and if its not, change it"

RemoteUser · ‎2025-06-26

it's randomic but same behavior

the_rock · ‎2025-06-26

Have you tried cprestart or reboot? Or if its a cluster,a failover?

Andy

Best,
Andy
"Have a great day and if its not, change it"

RemoteUser · ‎2025-06-26

yes no fortune

the_rock · ‎2025-06-26

Here is what TAC gave me while ago for IA debugs, maybe give it a go and see if anything useful is there.

Andy

(•)•) Identity awareness debugs
# cd $FWDIR/log
# rm pdpd.elg.*
# echo "=debug_start=" >> $FWDIR/log/pdpd.elg
(•) To turn pdp debug on:
# adlog a d on
# pdp debug on
# pep debug on
# pdp debug set all all
(•) Replicate the issue
(•) To turn them off:
# adlog a d off
# pdp debug unset all all
# pdp debug off
# pep debug off
# pdp d reset
# pep d unset all all
Collect debug:
$FWDIR/log/pdpd.elg
# tar zcvf pdpd_debugs.tgz pdpd.elg*
# tar zcvf pepd_debugs.tgz pepd.elg*

Best,
Andy
"Have a great day and if its not, change it"

garrod · ‎2025-06-24

Verify the AD Permission as well

https://support.checkpoint.com/results/sk/sk43874

https://support.checkpoint.com/results/sk/sk93938

Are you a member of CheckMates?

Identity Awarness question