RemoteUser
Advisor

Identity Awareness question

Users are assigned to the access roles, but the IA system is unable to recognize their accounts within the GRP AD groups that have permissions to access the resources.
How can I resolve this? If I run pdp monitor user Jhon123 the output is empty.

Thanks

0 Kudos
18 Replies
Chris_Atkinson
Employee

Please share additional details about the environment, including version/jumbo, adquery or identity collector, etc.

Have you validated the settings of the account unit? How many are configured?

CCSM R77/R80/ELITE
0 Kudos
RemoteUser
Advisor

Hi @Chris_Atkinson 
R81.20 JHF 53
Identity Collector.
All criteria should match the AR; the AR is configured to use AD groups.



0 Kudos
PhoneBoy
Admin
Admin

We need a lot more information like:

  • Version/JHF of gateways/management
  • How you have Identity Awareness set up (what acquisition method(s) are in use) 
  • A diagram of the relevant gateways, identity sources, and how they connect to each other and the Internet

Generally, though, groups come from two places:

  • The SAML Assertion (when used with Entra ID or other SAML provider)
  • LDAP queries from the gateway (used with all other identity sources) 

For troubleshooting, see https://support.checkpoint.com/results/sk/sk183118 

0 Kudos
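Since, as the reply above says, groups for non-SAML sources come from the gateway's LDAP queries, the first thing worth confirming independently of the gateway is that the user really is a member, directly or through a nested group, of the AD group the Access Role references. The script below is an added example, not code from this thread or from Check Point: it walks memberOf chains over LDIF in the shape ldapsearch returns it. The DNs, group names and the LDIF itself are constructed for illustration; in practice you would feed it the output of ldapsearch (with -o ldif-wrap=no so long DNs are not folded) run against the domain controller the account unit points at. Whether the gateway itself follows nested membership depends on how the account unit is configured, so treat a nested-only match as a lead to check there, not as proof the Access Role will match.

```shell
#!/bin/bash
# Added example, not from the thread: does the user's AD membership actually
# reach the group the Access Role references, directly or via nesting?
# The LDIF below is CONSTRUCTED; replace it with the output of, e.g.
#   ldapsearch -x -o ldif-wrap=no -H ldap://DC -D "$BINDDN" -w "$PW" \
#       -b "$BASEDN" "(sAMAccountName=Jhon123)" memberOf
# and one query per group (same attribute) for the nesting chain.

# Constructed: the user is a direct member of GRP-Child only; GRP-Child is
# itself a member of GRP-Resource, the group the Access Role is built on.
LDIF_USER='dn: CN=Jhon123,OU=Users,DC=example,DC=local
memberOf: CN=GRP-Child,OU=Groups,DC=example,DC=local
memberOf: CN=Domain Users,CN=Users,DC=example,DC=local
'
LDIF_GROUPS='dn: CN=GRP-Child,OU=Groups,DC=example,DC=local
memberOf: CN=GRP-Resource,OU=Groups,DC=example,DC=local

dn: CN=GRP-Resource,OU=Groups,DC=example,DC=local

dn: CN=Domain Users,CN=Users,DC=example,DC=local
'

# direct_groups <ldif> <dn>: print the memberOf values of the entry with that DN
# (one per line). Entries in LDIF are separated by a blank line.
direct_groups() {
  printf '%s\n' "$1" | awk -v dn="dn: $2" '
    $0 == dn                { inside = 1; next }
    inside && /^memberOf: / { sub(/^memberOf: /, ""); print; next }
    inside && /^$/          { inside = 0 }'
}

# member_of <user_dn> <target_group_dn>: exit 0 if the user is a direct or
# nested member of the target group, 1 otherwise. Breadth-first over the
# memberOf chain, with a "seen" list so circular nesting cannot loop forever.
member_of() {
  local user_dn="$1" target="$2"
  local queue seen g parents
  queue=$(direct_groups "$LDIF_USER" "$user_dn")
  seen=""
  while [ -n "$queue" ]; do
    g=$(printf '%s\n' "$queue" | head -n 1)
    queue=$(printf '%s\n' "$queue" | tail -n +2)
    case "$seen" in *"|$g|"*) continue ;; esac
    seen="$seen|$g|"
    [ "$g" = "$target" ] && return 0
    parents=$(direct_groups "$LDIF_GROUPS" "$g")
    [ -n "$parents" ] && queue=$(printf '%s\n%s\n' "$queue" "$parents" | sed '/^$/d')
  done
  return 1
}

USER_DN='CN=Jhon123,OU=Users,DC=example,DC=local'
ROLE_GROUP='CN=GRP-Resource,OU=Groups,DC=example,DC=local'
if member_of "$USER_DN" "$ROLE_GROUP"; then
  echo "$USER_DN is a (direct or nested) member of $ROLE_GROUP"
else
  echo "$USER_DN is NOT a member of $ROLE_GROUP: the Access Role cannot match"
fi
```

If this says the user is only a nested member, compare it with what the gateway itself resolves (adlog / pdp monitor user on the gateway) before changing the Access Role; a direct-membership mismatch between AD and what the PDP reports points at the identity source or the account unit rather than at the rule.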
RemoteUser
Advisor

Hi @PhoneBoy, as I said:
The user is not known by the PDP Broker / Identity Collector. We performed a restart of the Identity Collector service on the server, but nothing changed.

0 Kudos
RemoteUser
Advisor

The SK doesn't exist.

0 Kudos
PhoneBoy
Admin
Admin

Sorry, didn't notice that SK was internal.
In any case, you should start by troubleshooting Identity Collector: https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Client... 

0 Kudos
RemoteUser
Advisor

0 Kudos
the_rock
Legend
Legend

If you run pdp update all command, what does it show?

Andy

0 Kudos
RemoteUser
Advisor

It seems to be an issue related to the domain controller.

0 Kudos
RemoteUser
Advisor

pdp update all
output > update operation may take a few minutes

0 Kudos
the_rock
Legend
Legend

So command did work, but not sure if it did much. Does pdp monitor user work for ANY user at all?

Andy

0 Kudos
RemoteUser
Advisor

Take for example a user john.
When I run:
pdp m u john
sometimes I get a result,
sometimes I don't,
and sometimes I get an incorrect IP.

0 Kudos
the_rock
Legend
Legend

What about any other user?

Andy

0 Kudos
RemoteUser
Advisor

It's random, but the same behavior.

 

0 Kudos
the_rock
Legend
Legend

Have you tried cprestart or a reboot? Or, if it's a cluster, a failover?

Andy

0 Kudos
RemoteUser
Advisor

Yes, no luck.

0 Kudos
the_rock
Legend
Legend

Here is what TAC gave me a while ago for IA debugs; maybe give it a go and see if anything useful is there.

Andy

Identity Awareness debugs

Prepare the log directory and mark where the capture starts:
# cd $FWDIR/log
# rm pdpd.elg.*
# echo "=debug_start=" >> $FWDIR/log/pdpd.elg

To turn pdp debug on:
# adlog a d on
# pdp debug on
# pep debug on
# pdp debug set all all

Replicate the issue.

To turn them off:
# adlog a d off
# pdp debug unset all all
# pdp debug off
# pep debug off
# pdp d reset
# pep d unset all all

Collect the debug files (from $FWDIR/log, starting with pdpd.elg):
# tar zcvf pdpd_debugs.tgz pdpd.elg*
# tar zcvf pepd_debugs.tgz pepd.elg*
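The TAC procedure above is a sequence of commands typed by hand, which is fine until the session drops halfway through and "pdp debug set all all" is left running on a production PDP. The script below is an added example, not part of the TAC procedure or of Check Point's tooling: it wraps the same commands, unchanged, in a function that always switches the debugs back off through a trap, and it slices pdpd.elg at the "=debug_start=" marker so the bundle sent to TAC starts at the reproduction. It assumes expert mode on the PDP gateway with $FWDIR set; DRY_RUN=1 only prints each command (prefixed "DRY:") and is how it is exercised offline here.

```shell
#!/bin/bash
# Added example, not from the thread: the TAC debug sequence with guaranteed
# cleanup (trap) and a marker-based slice of pdpd.elg.
# Assumptions: expert mode on the PDP gateway, $FWDIR set. DRY_RUN=1 prints
# the commands instead of running them (assumed switch, for offline use).

DRY_RUN="${DRY_RUN:-0}"
REPRO_SECONDS="${REPRO_SECONDS:-}"   # empty: wait for Enter instead of sleeping
DEBUG_ACTIVE=0

run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY: %s\n' "$*"; else "$@"; fi
}

# Exactly the "on" commands from the TAC procedure.
debug_on() {
  run adlog a d on
  run pdp debug on
  run pep debug on
  run pdp debug set all all
  DEBUG_ACTIVE=1
}

# Exactly the "off" commands from the TAC procedure.
debug_off() {
  run adlog a d off
  run pdp debug unset all all
  run pdp debug off
  run pep debug off
  run pdp d reset
  run pep d unset all all
  DEBUG_ACTIVE=0
}

# Runs on exit or Ctrl-C, so an interrupted reproduction never leaves debugs on.
cleanup() { if [ "$DEBUG_ACTIVE" = 1 ]; then debug_off; fi; }

# Keep only the lines after the LAST "=debug_start=" marker (stdin -> stdout),
# so old rotated content and earlier captures do not end up in the bundle.
since_marker() {
  awk '/=debug_start=/ { buf = ""; found = 1; next }
       found { buf = buf $0 "\n" }
       END { printf "%s", buf }'
}

# collect_ia_debug [output_dir]
collect_ia_debug() {
  local logdir="${FWDIR:?FWDIR is not set; run from expert mode}/log"
  local out="${1:-/tmp/ia_debug_$(date +%Y%m%d_%H%M%S)}"
  trap cleanup EXIT
  trap 'cleanup; exit 130' INT TERM

  run mkdir -p "$out"
  run cd "$logdir"                      # "run" is a function, so cd sticks
  run rm -f pdpd.elg.*                  # drop rotated pdpd logs, as TAC does
  run sh -c "echo '=debug_start=' >> pdpd.elg"
  run sh -c "echo '=debug_start=' >> pepd.elg"

  debug_on
  if [ -n "$REPRO_SECONDS" ]; then
    run sleep "$REPRO_SECONDS"
  else
    read -r -p "Debugs are ON. Reproduce the issue (e.g. pdp monitor user <name>), then press Enter: " dummy
  fi
  debug_off

  run tar zcvf "$out/pdpd_debugs.tgz" pdpd.elg*
  run tar zcvf "$out/pepd_debugs.tgz" pepd.elg*
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY: since_marker < pdpd.elg > %s/pdpd_since_marker.log\n' "$out"
  else
    since_marker < pdpd.elg > "$out/pdpd_since_marker.log"
  fi
  echo "Debug bundle: $out"
}

# Usage: ./ia_debug.sh --run [/path/to/output_dir]
case "${1:-}" in --run) collect_ia_debug "${2:-}" ;; esac
```

Run it with DRY_RUN=1 first to see the exact command order on your own gateway; pdpd_since_marker.log is the file to read yourself for the user you are tracing, while the two tarballs are what TAC expects.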

garrod
Contributor

0 Kudos
