This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dehaasm
Collaborator
‎2023-03-29 04:36 AM

Identity awareness collector changes user identity for same IP while connecting to RDP

Hi All we have something strange with Identity Awareness collector installed on server, let me explain;

A client with IP 10.0.0.1 (example) connects to the gateway and the Idenitity awareness collector identifies the user as nick. When the same user/client IP established a RDP connection to external server 192.168.1.1 (example) and logs into that remote server as nick-admin the gateway receives an identity update from the identity awareness collector indicating that 10.0.0.1 is nick-admin which is obviously not correct. We would expect the external server IP 192.168.1.1 to be nick-admin and the 10.0.0.1 to remain nick.

How is this possible that the IA collector is identifying the user incorrectly on the laptop?

note: this issue is easy to reproduce and I wonder if we need to open TAC case and/or understand if there is somehing we need to adjust on the IA collector?

0 Kudos
(1)
35 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-03-29 04:46 AM

Within the Identity Collector Advanced configuration how is the following option currently set?

"Ignore RDP events"

Also which IDC version is installed?

 

Refer also:

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide...

CCSM R77/R80/ELITE
0 Kudos
dehaasm
Collaborator
‎2023-03-29 05:45 AM
In response to Chris_Atkinson

Hi Chris,

Yes it is enabled see screenshot and we have build 81.0.40.0000, should we open TAC case as it is not behaving "as designed" correct?

Preview file
39 KB
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-03-29 05:54 AM
In response to dehaasm

Based on the limited info available I would say it warrants an SR with TAC for further investigation, yes.

CCSM R77/R80/ELITE
0 Kudos
dede79
Contributor
‎2023-10-13 02:23 AM
In response to Chris_Atkinson

Hello,

I have excatly the same issue that the identity of the remotedesktop client is change with the user that is used for rdp.

I have the setting enabled but it says that it is only relevant for "RDP to Domain Controllers" - in my case we have RDP to clients and various servers.

Can this event be filtered in any other way?

0 Kudos
Jimmy_Noel
Participant
‎2024-03-06 10:56 PM
In response to dede79

Are there any updates in this case?
We have the same problem. RDP-Login triggers an Eventlog (Event ID 4769) for the local IP and remote User.
(We have IC Build 81.028.0000, with enabled option "Ignore events of RDP to Domain Controllers")
Is there any possibility to ignore this event id?

0 Kudos
RK91
Explorer
‎2024-06-12 09:22 AM
In response to Chris_Atkinson

Hi Any News? We have the same issue.  RDP login to a remote Server triggers an Login Event on the RDP Client

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-06-12 05:58 PM
In response to RK91

Sorry I'm not aware of the outcome of the above.

If you are seeing issues with IDC R81.069.0000 please report the problem to TAC.

CCSM R77/R80/ELITE
0 Kudos
dehaasm
Collaborator
‎2024-06-13 01:55 AM
In response to Chris_Atkinson

Hi Guys it was some time ago but we never resolved the issue, I didn't escalate it to TAC but I believe that is the right thing to do for this.

0 Kudos
RK91
Explorer
‎2024-06-26 04:45 AM
In response to dehaasm

Hi dehaasm, do you escaltet it ? 

Thanks & regards

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-07-11 01:44 PM
In response to RK91

are you running latest IDC version? i've just upgraded from a very old version and no more rdp events are triggered

0 Kudos
RK91
Explorer
‎2024-07-11 02:27 PM
In response to CheckPointerXL

we are running Build: 81.069.0000 

0 Kudos
RK91
Explorer
‎2024-07-11 02:46 PM
In response to RK91

Always when I log in from the Source "host A" (logged in with User A)  to a Destination "host B" (with user B), it also triggers an login on "host A" with "user B". That is very annoying.

After some time or do some work or lock "host A" and unlock "host A" with "user A" it triggers the login agian back to "user A"

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-07-11 05:56 PM
In response to RK91

As above if you already have the "Ignore RDP events" option configured and are using IDC 81.069.0000 I would recommend engaging with TAC to troubleshoot the issue.

CCSM R77/R80/ELITE
0 Kudos
Daniel_Hainich
Advisor
‎2024-11-14 05:16 AM
In response to Chris_Atkinson

i have the same Problem. problem still exists in IDC 81.069.0000 and also R82.002.0000. Checkbox for ignoring RDP-Events is checked. 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-11-14 06:24 AM
In response to Daniel_Hainich

Is it for a terminal server or a standard PC ?

For non-DC machines you would typically explore either configuring an exclusion or use of the terminal server / MUH identity agent.

CCSM R77/R80/ELITE
0 Kudos
Daniel_Hainich
Advisor
‎2024-11-14 07:01 AM
In response to Chris_Atkinson

this is for all rdp-connections. either to an pc or an server. if i open the windows rdp-client and connect to an rdp-enabled windows-device, the identity of my local device is changed to the user which iam using for remote access.

event type 10 is logged within domain-controller, but not filtered from identity collector.

0 Kudos
dehaasm
Collaborator
‎2024-11-14 07:03 AM
In response to Daniel_Hainich

yes correct i had the same issue as you described it is probably a bug

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-11-14 07:27 AM
In response to Daniel_Hainich

Are you certain that the event type 10 is seen at the DC level and not just at the endpoint itself?

CCSM R77/R80/ELITE
0 Kudos
Daniel_Hainich
Advisor
‎2024-11-17 10:51 PM
In response to Chris_Atkinson

hi, yes i can confirm that logontype 10 is generated on DC.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-11-18 05:33 AM
In response to Daniel_Hainich

For awareness Harmony Endpoint will also provide an option for overcoming such scenarios in future.

CCSM R77/R80/ELITE
0 Kudos
Daniel_Hainich
Advisor
‎2024-11-18 06:14 AM
In response to Chris_Atkinson

nice, but its not an solution for the identity collector. i opened an support case. 

0 Kudos
RK91
Explorer
‎2024-11-18 06:49 AM
In response to Daniel_Hainich

OK, thank you, let us know if you have any news about this, we would certainly be interested in that too - because the problem is really very annoying

0 Kudos
Daniel_Hainich
Advisor
‎2024-11-18 07:20 AM
In response to RK91

the case was escalated to an TAC for further assistance... stay tuned!

0 Kudos
PhoneBoy
Admin
Admin
‎2024-11-18 03:39 PM

The problem is that these events are seen in AD...which is consumed by IDC...and we see them.
To the best of my knowledge, there is currently no way for us to differentiate these events in IDC.
Therefore, the problem you have.

In the future, using Infinity Identity, we will be able to handle this use case.
Specifically, it will require an agent (Harmony Endpoint in the EA, others in the future) that will see the Type 10 login event on the Endpoint itself...and properly ignore it. 

Hopefully I explained this right @Royi_Priov 🙂 

Daniel_Hainich
Advisor
‎2024-11-18 10:44 PM
In response to PhoneBoy

hi dameon,

from checkpoint idc adv. config guide:

 

Ignore RDP events

During Remote Desktop login, two login events occur in the Domain Controller. The two login events have the same username but two different IP addresses: the computer where the user logs in and the computer that the user accesses remotely.

In this option, the Identity Collector ignores the IP address of the computer where the user logs in because it is redundant. This is the default option.

The Event ID of the ignored event is 4624.

The Type of the ignored event is 10.

 

so why the event id and logon typ is not ignored? whats the function of this option?

0 Kudos
RK91
Explorer
‎2024-11-19 02:28 AM
In response to Daniel_Hainich

Yes then I don't know why the option "ignore RDP events" even exists?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-11-19 10:51 AM
In response to Daniel_Hainich

I'm guessing the reason this new functionality is being developed is because this isn't sufficient in all cases.

Have you confirmed that you are receiving an event ID of 4624 of type 10?
If so, then you should open a TAC case.

 

0 Kudos
Daniel_Hainich
Advisor
‎2024-11-24 11:45 PM
In response to PhoneBoy

Hi, here is the answer from Checkpoint.

 


There is no possibility to ignore all RDP events (only RDP for the DC side) while using the Identity collector.
 
You can try to use an identity agent as a workaround which is not based on events.

 
I'm proceeding with closing this service request as there is no technical issue and this is an expected behavior.
If you require any assistance with the identity agent - you can contact your local office for further assistance.

 

i dont know why they wont ignore all event ID of 4624 of type 10. this shouldnt be a huge problem. why only for rdp to dc´s?

iam trying to escalate my ticket.

0 Kudos
(1)
RK91
Explorer
‎2024-11-25 12:36 AM
In response to Daniel_Hainich

OK, thanks, let us know if anything happens - in my opinion it should be possible to ignore these events without any problems. Above all, the problem can actually be reproduced.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events