This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
CP-NDA
Collaborator
‎2023-01-24 03:54 AM
Jump to solution

IA Rule not matching with PDP & PEP on Maestro

Hi,

 

We migrated a traditionnal cluster to a Maestro infra last weekend. R81.10 T81

Everything worked as expected but after a while some IA Rule stop matching on one of the member. Identity is acquired via Identity Agent. Users connect to PDP which is the Security Group running in Maestro

In the logs the same trafic is accepter on Member 1_2 but dropped on Member 1_1.

"pdp monitor ip x.x.x.x" returns the correct Roles on both members but rules is not matched. If we change source by IP everything is ok.

I know that Seucurity Group are not the best way to do PDP but in this sutuation we don't have other GW to play taht role. Also it's never metionned that it's not supported (only not recommended in the Maesto limitations SK)

Do you have any idea of what could be the cause ? Any similar problem on your side ?

TAC is already involved but has not provided relevant info right now.

Thank you

 

0 Kudos
1 Solution

Accepted Solutions
CP-NDA
Collaborator
‎2023-01-31 08:01 AM
In response to CP-NDA
Jump to solution

Please see the solution found with R&D

 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

View solution in original post

0 Kudos
8 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2023-01-24 04:41 AM
Jump to solution

I believe the need for a separate gateway to perform IA functions for a Maestro Security Group is a consequence of the Single Management Object (SMO) approach to management, and I don't see how you will able to work around that.  I also assume you  are familiar with sk175587: Identity Based Access Control and Threat Prevention - Design Guidelines - Quantum Maestro.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
CP-NDA
Collaborator
‎2023-01-24 04:43 AM
In response to Timothy_Hall
Jump to solution

Hi,

 

Thank you for the reply

Yes we are familiar with this SK

Unfortunately we don't have the option to do PDP outside SG... If it's a clear limitation I wondering why it's not clearly mentionned that we should not implement this. Also this should be reported in Maestro limitations SK don't you think ?

 

Thank you

0 Kudos
CP-NDA
Collaborator
‎2023-01-24 04:53 AM
In response to Timothy_Hall
Jump to solution

Support suggested to use this exception for IA trafic

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Maestro_AdminGuide/Topics-Ma...

 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-01-24 05:34 AM
In response to CP-NDA
Jump to solution

Right to keep the distribution algorithm from messing with the IA traffic and ensuring symmetry by always sending it to the SMO, makes sense.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
CP-NDA
Collaborator
‎2023-01-24 06:14 AM
In response to Timothy_Hall
Jump to solution

Seems to be a good idea but I don't know if trafic for IA is considered as a local connection

 

You can configure the Security Group

 

 

 to forward specific inbound connections to the SMO Security Group Member.

 

 

Important:

  • This command supports only IPv4 connections.

  • This command does not support local connections.

  • In VSX mode, you must run this command in the context of the applicable Virtual System.

  • This command supports a maximum of 15 exceptions

    (in VSX mode, this limit is global for all Virtual Systems).

  • These exceptions are saved in the $FWDIR/tmp/tmp_exception_entries.txt file (IPv4 addresses are converted to a special format).

Machine_Head
Advisor
Advisor
‎2023-01-25 02:01 AM
In response to CP-NDA
Jump to solution

just out of curiosity could you elaborate on what seems to be the issue here?
For my understanding..

 

if you do pep show user all you see the relevant user in both modules?

Is it not marked down as service account by any chance?

0 Kudos
CP-NDA
Collaborator
‎2023-01-31 08:01 AM
In response to CP-NDA
Jump to solution

Please see the solution found with R&D

 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Machine_Head
Advisor
Advisor
‎2023-01-31 08:07 AM
In response to CP-NDA
Jump to solution

Very interesting. And well written sk.

 

Thanks

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events