This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wei_Soon_Heng
Contributor
‎2022-06-08 02:42 AM

Access role is not map to AD user correctly

Hi Anybody,

Identify type is AD query.
Issue: A users which logged into two machine with two different IP
IP A: X.X.X.X
IP B: Y.Y.Y.Y

I created a new access role object with specific his user ID, then put as source in firewall rule followed by policy installation.
After two hours, only the access role is updated and tied to IP A.
The output of "pdp monitor user <ID>" AND "pep show user query usr <id>" shown the users has been recognized, and IP A is tied with created access role, but IP B has no access role tied.

Is gateway goes to talk to AD server to query specific user/group when every newly created access role with specific AD user? If AD server does not respond correctly, then it will not update the access role to that IP?

I assume "pdp update all" will be run in background when firewall policy installation, it should be able to update the access role.

Could someone faced the same issue before?

Thanks
WeiSoon

0 Kudos
5 Replies
_Val_
Admin
Admin
‎2022-06-08 02:56 AM

Let's start with the basics. Software version?

Also, in AD logs, do you see both logins, for A and B IPs?

 

0 Kudos
Wei_Soon_Heng
Contributor
‎2022-06-08 05:03 AM
In response to _Val_

GW and Mgmt version is R81 with jhf take 65.

I can see both login for A and B IPs.


0 Kudos
Sorin_Gogean
Advisor
‎2022-06-08 03:12 AM

So, you have an user, that is logged at the same time on 2 machines, and you only get the correct AD group mappings/roles to one of the IPs ? 

Are those 2 machines accessed by other users ? Like on the IP B, did someone else logged after your user ?

As we're also looking into putting into production the Identity Awareness, here is what I see on our environment.

Below you can see a coleague, being logged on several machines (Win and Linux) and the user AD roles and Machine Roles are populated accordingly.

Untitled.png

So how is that looking on your side for this particular user ?

 

Ty,

0 Kudos
Wei_Soon_Heng
Contributor
‎2022-06-08 05:03 AM
In response to Sorin_Gogean

I have other users that logged into two or more machine which is working fine.

0 Kudos
Sorin_Gogean
Advisor
‎2022-06-08 06:08 AM
In response to Wei_Soon_Heng

So only this one is luckier.... 

Does this happen only on those 2 machines, can you ask him to try and log on other 2 ? maybe is a machine thing and not an user thing....

Saddly I have no other ideea right now 🙄 .

Ty,

0 Kudos