PEP not enforcing all roles
hi,
We are currently experiencing issues with Identity Awareness. PEP gateways aren't enforcing access roles for all users. This seems to be affecting varying numbers of users, and a workaround has been to restart the pep daemon, which is not a proper fix.
The setup is pretty standard, with 3 PDP gateways feeding identities to some PEP gateways. This has been working quite well, but last week we noticed an increase in users losing access to resources where the rules are based on access roles.
Identity source is Identity Collector, and service accounts are excluded. Identity Collectors appear to be working fine, and I see plenty of events being registered, same with users and machines.
Not sure if there are problems with cache, time to live or other settings? What would be the potential risk of changing any of these values, and if so, are there any recommendations on what to set?
We are running R81.10 T66.
Hi,
Did you check, for the problematic users, whether the session is visible at the PEP using pep s u q usr <loginname>?
If yes, are the roles listed? If not, do you see any role calculation issues, maybe with the AD controllers?
br
hi,
I haven't checked, but I think someone else checked this earlier. We are suspecting full PDP and PEP kernel tables, as the gateways are still on the default 30,000. The main PDP currently has 42k identified users and machines, so we will probably try to expand these and clear the tables.
Yes, I would then also recommend extending the tables; we have this issue as well whenever we forget to set the table sizes accordingly when deploying new devices using IA.
Just in case, what I am usually setting:
ia_max_authenticated_users | 200000
ia_max_enforced_identities | 200000
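The two limits above live in $FWDIR/boot/modules/fwkern.conf as key=value lines and take effect after a reboot. The script below is an added example for this thread, not code from the posters or from Check Point: it reads each limit from a fwkern.conf-style file (falling back to the 30,000 default named in the thread when the key is absent), compares it against the current identity count, and rewrites the file with the larger value when there is too little headroom. The parameter names, the key=value file format and the 80% headroom threshold are assumptions made here; the identity count is passed in by the operator (for example taken from the PDP's pdp monitor summary output, which is also an assumption), so the script runs offline against a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the thread): check and raise the Identity Awareness
# kernel table limits in a fwkern.conf-style file.
# Assumptions: keys ia_max_authenticated_users / ia_max_enforced_identities,
# one "key=value" per line, default 30000 when a key is absent (per the thread),
# and a current identity count supplied by the operator on the command line.

DEFAULT_IA_LIMIT=30000

# ia_get_limit CONF KEY -> prints the configured value, or the default if unset
ia_get_limit() {
  conf=$1; key=$2
  val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$conf" 2>/dev/null | tail -n 1)
  [ -n "$val" ] && echo "$val" || echo "$DEFAULT_IA_LIMIT"
}

# ia_headroom_ok LIMIT COUNT -> succeeds when COUNT is below 80% of LIMIT
# (80% is an arbitrary safety margin chosen for this example)
ia_headroom_ok() {
  limit=$1; count=$2
  [ "$((count * 100))" -lt "$((limit * 80))" ]
}

# ia_set_limit CONF KEY VALUE -> replace the existing key line, or append it
ia_set_limit() {
  conf=$1; key=$2; value=$3
  if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$conf" 2>/dev/null; then
    sed "s/^[[:space:]]*${key}[[:space:]]*=.*/${key}=${value}/" "$conf" > "$conf.tmp" \
      && mv "$conf.tmp" "$conf"
  else
    printf '%s=%s\n' "$key" "$value" >> "$conf"
  fi
}

# ia_check_and_size CONF COUNT TARGET -> prints one line per key; returns 1 if
# any key was under-sized (and has now been raised to TARGET), 0 otherwise
ia_check_and_size() {
  conf=$1; count=$2; target=$3; rc=0
  for key in ia_max_authenticated_users ia_max_enforced_identities; do
    limit=$(ia_get_limit "$conf" "$key")
    if ia_headroom_ok "$limit" "$count"; then
      echo "$key=$limit is fine for $count identities"
    else
      echo "$key=$limit is too small for $count identities, setting $target (reboot required)"
      ia_set_limit "$conf" "$key" "$target"
      rc=1
    fi
  done
  return $rc
}

# Demo on a constructed stand-in for fwkern.conf: default-sized tables and the
# 42k identities mentioned in the thread, raised to the 200000 from the reply.
ia_demo() {
  demo_conf=$(mktemp)
  printf '# constructed sample, not a real gateway file\nia_max_authenticated_users=30000\n' > "$demo_conf"
  ia_check_and_size "$demo_conf" 42000 200000
  echo "--- resulting file ---"
  cat "$demo_conf"
  rm -f "$demo_conf"
}
ia_demo
```

On a real gateway you would point it at $FWDIR/boot/modules/fwkern.conf, keep a backup of the file, and reboot for the new limits to apply; raising the limits does not clear entries already in the tables.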
I attached the debug instructions TAC gave me a while ago for PDP/PEP debugs, so it might be worth doing those (well, just PEP in your case).
Andy
In addition, because of the possibly very high number of logs, I increase the log size and the number of rotated .elg files before starting the debug and reset them afterwards.
Before:
fw debug fwd off PDP_LOG_SIZE=50000000
fw debug fwd off PDP_NUM_LOGS=20
fw debug fwd off PEP_LOG_SIZE=50000000
fw debug fwd off PEP_NUM_LOGS=20
fw kill pdpd
fw kill pepd
After:
fw debug fwd off PDP_LOG_SIZE=10000000
fw debug fwd off PDP_NUM_LOGS=10
fw debug fwd off PEP_LOG_SIZE=10000000
fw debug fwd off PEP_NUM_LOGS=10
fw kill pdpd
fw kill pepd