dehaasm
Collaborator

Identity awareness collector changes user identity for same IP while connecting to RDP

Hi all, we have something strange with the Identity Awareness collector installed on a server. Let me explain:

A client with IP 10.0.0.1 (example) connects to the gateway and the Identity Awareness collector identifies the user as nick. When the same user/client IP establishes an RDP connection to external server 192.168.1.1 (example) and logs into that remote server as nick-admin, the gateway receives an identity update from the Identity Awareness collector indicating that 10.0.0.1 is nick-admin, which is obviously not correct. We would expect the external server IP 192.168.1.1 to be nick-admin and 10.0.0.1 to remain nick.

How is it possible that the IA collector is identifying the user incorrectly on the laptop?

Note: this issue is easy to reproduce, and I wonder if we need to open a TAC case and/or understand if there is something we need to adjust on the IA collector?

5 Replies
Chris_Atkinson
Employee

Within the Identity Collector Advanced configuration, how is the following option currently set?

"Ignore RDP events"

Also, which IDC version is installed?

Refer also:

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide...

CCSM R77/R80/ELITE
dehaasm
Collaborator

Hi Chris,

Yes, it is enabled (see screenshot), and we have build 81.0.40.0000. Should we open a TAC case, as it is not behaving "as designed", correct?

Chris_Atkinson
Employee

Based on the limited info available I would say it warrants an SR with TAC for further investigation, yes.

CCSM R77/R80/ELITE
dede79
Contributor

Hello,

I have exactly the same issue: the identity of the remote desktop client is changed to the user that is used for RDP.

I have the setting enabled but it says that it is only relevant for "RDP to Domain Controllers" - in my case we have RDP to clients and various servers.

Can this event be filtered in any other way?

Jimmy_Noel
Explorer

Are there any updates in this case?
We have the same problem. An RDP login triggers an event log entry (Event ID 4769) for the local IP and remote user.
(We have IC Build 81.028.0000, with enabled option "Ignore events of RDP to Domain Controllers")
Is there any possibility to ignore this event id?

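A triage sketch for the behaviour reported in this thread, added here as an example and not code from Check Point or from any poster: it replays exported logon events through a last-writer-wins IP-to-user map and lists the IPs whose identity was overwritten by a second account and then restored. The record layout, the 8-hour window and the last-writer-wins model are assumptions; the sample events are constructed from the thread's example IP and user names.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, event ID, source IP, account.
# IP and user names follow the thread's examples; timestamps are made up.
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:00", 4768, "10.0.0.1", "nick"),
    ("2024-01-10T08:00:01", 4769, "10.0.0.1", "nick"),
    ("2024-01-10T09:15:00", 4769, "10.0.0.1", "nick-admin"),  # RDP logon elsewhere
    ("2024-01-10T09:20:00", 4769, "10.0.0.1", "nick"),
    ("2024-01-10T09:21:00", 4769, "10.0.0.1", "LAPTOP01$"),   # machine account
    ("2024-01-10T09:30:00", 4769, "10.0.0.2", "alice"),
    ("2024-01-11T08:00:00", 4769, "10.0.0.2", "bob"),         # next day, new user
]

def find_identity_flips(events, window=timedelta(hours=8)):
    """Replay events through a last-writer-wins IP->user map (a simplified
    model assumed for this example) and report every overwrite of a user
    that was seen on the same IP within `window`."""
    current = {}  # ip -> (user, last_seen)
    flips = []
    for ts, event_id, ip, user in sorted(events):
        when = datetime.fromisoformat(ts)
        user = user.lower()
        if user.endswith("$"):  # machine accounts are not a person's identity
            continue
        prev = current.get(ip)
        if prev and prev[0] != user and when - prev[1] <= window:
            flips.append({"ip": ip, "from": prev[0], "to": user,
                          "event_id": event_id, "time": ts})
        current[ip] = (user, when)
    return flips

def flapping_ips(flips):
    """IPs whose identity went A -> B and later B -> A: a short-lived
    overwrite, which suggests a remote logon rather than a new user."""
    seen = {}  # ip -> set of (from, to) pairs already observed
    result = set()
    for f in flips:
        if (f["to"], f["from"]) in seen.get(f["ip"], set()):
            result.add(f["ip"])
        seen.setdefault(f["ip"], set()).add((f["from"], f["to"]))
    return sorted(result)

if __name__ == "__main__":
    for flip in find_identity_flips(SAMPLE_EVENTS):
        print(flip)
    print("flapping:", flapping_ips(find_identity_flips(SAMPLE_EVENTS)))
```

The list of flips, with timestamps and event IDs, is the kind of evidence to attach to a support case; it does not change what the collector reports.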
