Interesting post...I am trying the understand the opposite scenario. If I want the Access Role to just restrict a particular AD Group, containing just machines, will the user and network settings of the access role also trigger the rule to match? For example, Any Network - Any User - Specific AD Machine Group.

I find that this scenario also maps the user to the same role and causes the rule to trigger even if the AD Machine Group is empty. This is not the behaviour I was hoping for.

In general, an Access Role will be associated when a given session matches all four criteria (user/network/machine/VPN client).
However, you've presented an interesting situation: what happens when an particular AD group is empty.
What you describe sounds like a bug to me, but I'll let @Royi_Priov confirm one way or the other.
Possible we may need a TAC case here.

I'm still testing this in our DEV environment. What I've seen thus far is that the Identity Role is still attached to the machine and user when the machine is removed from the AD Group and left empty. It may just be a matter of triggering a new event (i.e. lock / unlock machine screen) for the Identity Role to unbind; thus bypassing the access rule.

Thanks for the feedback. I'll provide an update when I've done more testing.

We do cache the information, and it's possible it will refresh on its own after a period of time.

So it's been over one hour since the machine has been removed from the AD Group. The Identity Role is still pinned to the machine even after a reboot of the machine.

[Expert@xxx]# pep s u q cid x.x.x.x
Command: root->show->user->query

PDP: <127.0.0.1, 00000000>; UID: <b0ff06e7>
==================================================
Client ID : <x.x.x.x, 00000000>
Authentication Key : <Unavailable>
Brute force counter: 0
Username : xxxxxxxxxxx
Machine name : xxxxxxxxxxx
User groups : <Unavailable>
Machine groups : <Unavailable>
Compliance : <Unavailable>
Identity Role : <AD_Deny_Machines> <---- Here
Time to live : 43230
Cached time : 86400
TTL counter : 43170
Time left : 39366

Not sure if it helps, but my experience requires a couple resolution steps.  After starting this thread we did end up creating a rule as described above.  Here is the catch, if a user or machine is moved to a different OU in AD, we have to remove the machine and/or user from the firewall rule, publish (not push) the policy and then add the user or machine back - then publish and push policy.  This happens often, especially when there are name changes.  My guess is you have a machine in an AD group, it is blocked, the machine is removed in AD but still shows up in the rule.  I might remove your AD group, publish, add the AD group back, publish and push policy.  Note that I am no where near an expert......  and this potential fix is what I would try.

Hi @Kevin_Vargo ,

I believe you are describing sk105494.

It will be resolved in R81.

Hi @Royi_Priov  - yes, that issue is pretty close.  I would add though this isn't just about moving to a different OU.  If a user's name changes in AD after being added to an Access Role that user would still need removed and re-added, then the policy needs pushed.  In short, if there is any change to the object in AD after adding to an Access Role that work needs to be undone and then re-done (so to speak).

That is my experience so far too. Otherwise you just have to wait out 24 hours for the cache timer to elapse.

Interesting tidbit from sk105494 which explains the behaviour:

“We currently do not support having a constant connection from the Management server to all the DCs, so that the Access Roles get automatically updated.”

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Waited about 16 hours and Identity Role still did not unbind from Machine. I deleted access-role and recreated / pushed. Un-binded right away.

The default cache setting is 86,400 seconds (24 hours). I think just waiting this out for 24 hours between adding / removing machines from AD Group will bind / unbind the role from the machine. I suspect, and hope, there is a way to tweak this to a more reasonable cache period.

Hi @Steve_Bihari 

If I understand correctly, there are 2 separate issues reported here:

1. When configuring {network: any network, user: any user, machine: AD group} -> it will be applied also if the user is the one belongs to this group. it means, you have a PDP session of user from this AD group, and a machine which is not from this AD group -> AR is still matched on this session. if this is indeed the case, I will appreciate if you could investigate this with TAC. we will need pdp debug to understand it better.
   • to enable debug: "pdp d s all all"
   • replicate the issue (user+machine logs associated. please note, machine session is created only after machine is booted)
   • turn off debugs "pdp d u all"
   • debugs are under $FWDIR/log/pdpd.elg*.
2. when a user is removed from AD group, there is no update about it on the gw. which identity source are you using?

Hi Royi,

No, the user is not a member of the AD group. Just the machine.

This is exactly the issue:

"2. when a user is removed from AD group, there is no update about it on the gw. which identity source are you using?"

We're using AD Query with IA.

#pdp update all (fixes it)

Last resort, this can be scheduled as a CRON job

Some relevant SK's:

sk103881

sk105165

Running pdp update all after a change to an AD object resolves changes in IA without a push?  Is that accurate? 

I assume that is only the case if a user/machine is already defined in a rule, not if I add or remove and user/PC.  That I would still expect requires a push.

Hi Kevin.

Correct. "pdp update all" does not require a push to take effect.

Any Access Role that is currently used in your rulebase using AD Query should not require a PUSH when moving machines/users within that AD group.

However, see the SK's I referenced.

"pdp update all" should fix it every time as a last resort.