Ryan_Ryan
Advisor

Identity Awareness Multiple NIC's

Hi, we have some servers with the Multi-User Host (MUH) agent on them, and all works fine. Now we have added two additional NICs to these servers; can we have the MUH agent bind all 3 IP addresses to the username?

Right now when we log in, we get an IA event against the first NIC only. I agree that makes sense, but we have a use case for needing all 3, if there is a setting somewhere that would allow it?

Accepted Solution
PhoneBoy
Admin

I checked with R&D and appears we don't do this currently.
Likely possible to do in the future.
Suggest bringing this requirement through your local Check Point office.

PhoneBoy
Admin

An actual topology diagram showing the use case might help.
Specifically, how will Check Point gateways “see” traffic originating from these IP addresses.

Ryan_Ryan
Advisor

To put it simply, there are static routes on the source forcing certain traffic out of certain NICs.

So imagine webserver A goes out via NIC1 and webserver B goes out via NIC2; we would like to lock down both traffic flows with an IA rule. Currently we can only do this for NIC1, as NIC2 does not have any username associated with it.

the_rock
Legend

I had a customer do this exact thing before; will check if I can find the setting for it tomorrow. I believe it's somewhere in SmartConsole, if I recall right.

Andy

the_rock
Legend

I will check to see if I can find some notes about it tomorrow. I looked in SmartConsole; I was mistaken, for sure, can't find anything about what you are looking for in there.

Andy

Ryan_Ryan
Advisor

That would be great, thanks. Yes, I checked in Global Properties, nothing in there either (maybe a registry change?).

emmap
Employee

Are you using MUH Agent v1 or v2? V2 tags the packets that are sent out with the ID information, which may work regardless of egress NIC, though I've not tried it.

Ryan_Ryan
Advisor

Yes, we are already running the V2 agent.

emmap
Employee

OK, so all TCP and UDP traffic should be tagged with the user who originated the traffic. Is this not reflected in the gateway logs from all 3 IPs?

Ryan_Ryan
Advisor

That's right, confirmed using my own account just now. The MUH agent is R81.041.0000 V2, the gateway is R81.20 JHF65.

Sent two packets on TCP 8080, one destination went via NIC1 and one via NIC2. The correct sources are showing in the log; the only difference was that the NIC1 log had my username and the NIC2 log username was blank.

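The two-packet test above generalises to an audit over exported gateway logs: for each NIC of a multi-homed host, count flows logged with and without a username, so NICs that an identity-based rule can never match stand out. This is an added example, not code from the thread or from Check Point; the key=value field names (src, dst, service, user, rule_name), the log lines and the host/NIC mapping are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in Check Point Log Exporter style (key=value).
# The field names src/dst/service/user/rule_name and all values are assumptions.
SAMPLE_LOGS = """\
time=1700000000 src=10.1.1.10 dst=192.0.2.50 service=8080 user=jsmith rule_name="IA Web A"
time=1700000001 src=10.1.2.10 dst=198.51.100.7 service=8080 user= rule_name="Cleanup"
time=1700000002 src=10.1.1.10 dst=192.0.2.51 service=443 user=jsmith rule_name="IA Web A"
time=1700000003 src=10.1.3.10 dst=203.0.113.9 service=22 user= rule_name="Cleanup"
"""

# Constructed topology: the IPs of each multi-homed host running the MUH agent.
HOST_NICS = {"srv01": ["10.1.1.10", "10.1.2.10", "10.1.3.10"]}

# key=value tokens; a quoted value may contain spaces, an unquoted one may be empty.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_record(line):
    """Parse one key=value log line into a dict (quoted values are unquoted)."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def identity_coverage(log_text, host_nics):
    """Per host NIC IP, return (logs with a user, logs with an empty user)."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("src"):
            counts[rec["src"]][0 if rec.get("user") else 1] += 1
    return {host: {ip: tuple(counts[ip]) for ip in ips} for host, ips in host_nics.items()}


def unidentified_nics(log_text, host_nics):
    """NIC IPs that only ever log without a username: flows an identity-based
    Access Control rule cannot match, which is the symptom described in the thread."""
    coverage = identity_coverage(log_text, host_nics)
    return {host: sorted(ip for ip, (with_user, without) in ips.items()
                         if with_user == 0 and without > 0)
            for host, ips in coverage.items()}


if __name__ == "__main__":
    for host, ips in unidentified_nics(SAMPLE_LOGS, HOST_NICS).items():
        print(f"{host}: no identity seen for {', '.join(ips) or 'none'}")
```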
emmap
Employee

Thanks for testing; it seems like it only binds to the first NIC. This may end up being an RFE.

the_rock
Legend

I know 100% this can work, as a customer made it work with the help of TAC a few years ago. They now manage their own CP environment, but I won't give up trying to find out how it was done. Sadly, I don't have the TAC case handy to look up notes from it, but will see if I can dig out my own notes (hope I still have them, as I save pretty much everything lol).

Andy

the_rock
Legend

@Ryan_Ryan Man, I'm so sorry, I looked through all my notes and can't find anything about this :(. I texted the customer, and since it's been a while, he could not recall either how it was done; he just remembered they had to do some changes in GuiDBedit and the Windows registry to make it work. But, since @PhoneBoy confirmed it's not supported, I suppose that's the answer mate.

Andy

PhoneBoy
Admin

The current code sends the IPv4 and IPv6 address already.
Adding support for additional addresses should theoretically be possible.
However…an RFE.
When you contact your local office, make sure they route this request via Solution Center.

Ryan_Ryan
Advisor

Thanks all for your responses! Greatly appreciated 😁 Will look at getting an RFE put through.
