Ivory

Identity Awareness Issues after resetting AD service account

Hello All,

I am running an environment with R80.10 and AD Query enabled for my gateways. All had been well until we had to perform a yearly password rotation for service accounts.

After the service account change, rules based on Identity Awareness and Mobile Access authentication via AD stopped working.

I have updated the LDAP Account Unit object with the new passwords, yet the issue still persists.

The output of "adlog a dc" shows the gateways are connected to the DCs. The output of the Test_ad_Connectivity tool returns a success status.

At this point I don't know what else to check; any ideas on how to resolve this?

Regards.

5 Replies

Admin

Have you opened a TAC case by chance?
Possibly @Royi_Priov has a suggestion.

Ivory

Hi PhoneBoy,

Thanks for the response. I have logged a request with a Check Point partner, who are our first-level support; they insist the permissions on the account have changed, which is not the case.

To isolate the account permissions possibility, I have set up an Identity Collector; however, the gateways are not identifying users.

Regards.

Sounds like something is stuck in pdpd. Anything interesting getting logged in $FWDIR/log/pdpd.elg? As a last resort, try killing it with "fw kill pdpd" and letting cpwd automatically restart pdpd within 60 seconds.

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Ivory

Hi Tim,

Thanks for having a look. The only noticeable thing in pdpd.elg is that there are no user associations coming in. I have killed the process and restarted the gateway, and it is still stuck at the same point.

I have also deployed an IDC; the issue is still the same. A snippet of pdpd.elg is shown below.

Any more thoughts are welcome.
[25936 4106254096]@fw-xxxx-[16 Jun 1:19:49] [TRACKER]: #3478674 -> OUTGOING -> IDENTITY_REVOKE -> to pep: 127.0.0.1 (ipv4); (ipv6), RevokeInformation dump:
Unique ID : cbdd72e9
Remove existing connections : no

[25936 4106254096]@fw-xxx[16 Jun 1:19:49] [TRACKER]: #3478675 -> OUTGOING -> IDENTITY_REVOKE -> to pep: 127.0.0.1 (ipv4); (ipv6), RevokeInformation dump:
Unique ID : a5f1ee1c
Remove existing connections : no

[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478676 -> INCOMING -> AGENT_REQUEST -> ip: , type: IDCLogEvent
[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478677 -> OUTGOING -> AGENT_RESPONSE -> ip: , type: IDCLogEvent, result: OK
[25936 4106254096]@fw-fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478678 -> INCOMING -> AGENT_REQUEST -> ip: , type: IDCEvent
[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478679 -> INCOMING -> IDCOLLECTOR_ASSOCIATION -> Ip: x.x.x.x; User: ; User Groups: ; User Roles: ; Machine: bitlocker02v; Machine Groups: ; Machine Roles: ; Domain: xxxx.com; Source Type: AD; TTL: 43200; IDC IP: x.x.x.x

Employee+

Hi @chuka ,

[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478679 -> INCOMING -> IDCOLLECTOR_ASSOCIATION -> Ip: x.x.x.x; User: ; User Groups: ; User Roles: ; Machine: bitlocker02v; Machine Groups: ; Machine Roles: ; Domain: xxxx.com; Source Type: AD; TTL: 43200; IDC IP: x.x.x.x

 

This log means that the IDC published an association to the PDP for the bitlocker02v machine in the specified domain.

The rest of the Identity Awareness chain is:

  1. send an LDAP request to receive the identity's groups.
  2. match the identity (user/machine) + LDAP groups with Check Point access roles.
  3. publish this identity to all relevant PEP gateways.

 

I do recommend addressing this with TAC, as it seems to be something in the configuration which needs to be tuned.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
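To make the pdpd.elg snippet above easier to read at scale, here is a small parser for its TRACKER lines (an added example, not code from the thread or from Check Point). It counts event types and lists each IDCOLLECTOR_ASSOCIATION with its user, machine and domain, flagging machine-only associations like the bitlocker02v one; it only shows what arrives at the PDP, not the LDAP lookup and access-role matching steps that follow. The sample log is constructed to mirror the quoted format, with placeholder addresses and names.

```python
import re
from collections import Counter

# Constructed sample modelled on the TRACKER lines quoted in the thread;
# IPs, hostnames and the domain are placeholders, not real values.
SAMPLE_LOG = """\
[25936 4106254096]@fw-xxx[16 Jun 1:19:49] [TRACKER]: #3478675 -> OUTGOING -> IDENTITY_REVOKE -> to pep: 127.0.0.1 (ipv4); (ipv6), RevokeInformation dump:
Unique ID : a5f1ee1c
Remove existing connections : no

[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478678 -> INCOMING -> AGENT_REQUEST -> ip: , type: IDCEvent
[25936 4106254096]@fw-xxx[16 Jun 1:19:54] [TRACKER]: #3478679 -> INCOMING -> IDCOLLECTOR_ASSOCIATION -> Ip: 10.0.0.5; User: ; User Groups: ; User Roles: ; Machine: bitlocker02v; Machine Groups: ; Machine Roles: ; Domain: example.com; Source Type: AD; TTL: 43200; IDC IP: 10.0.0.9
[25936 4106254096]@fw-xxx[16 Jun 1:20:01] [TRACKER]: #3478680 -> INCOMING -> IDCOLLECTOR_ASSOCIATION -> Ip: 10.0.0.6; User: jdoe; User Groups: ; User Roles: ; Machine: ; Machine Groups: ; Machine Roles: ; Domain: example.com; Source Type: AD; TTL: 43200; IDC IP: 10.0.0.9
"""

# Sequence number, direction and event name, then the free-form payload.
TRACKER_RE = re.compile(
    r"\[TRACKER\]: #(?P<seq>\d+) -> (?P<direction>INCOMING|OUTGOING)"
    r" -> (?P<event>[A-Z_]+) -> (?P<rest>.*)"
)

def parse_fields(rest):
    """Turn a 'Key: value; Key: value' payload into a dict (empty values kept as '')."""
    fields = {}
    for part in re.split(r"[;,]", rest):
        if ":" in part:
            key, _, value = part.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def parse_tracker(text):
    """Return one dict per TRACKER line; continuation lines (dumps) are skipped."""
    events = []
    for line in text.splitlines():
        m = TRACKER_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["seq"] = int(ev["seq"])
            ev["fields"] = parse_fields(ev.pop("rest"))
            events.append(ev)
    return events

def summarize(events):
    """Count event types and describe each association published by the IDC."""
    counts = Counter(e["event"] for e in events)
    associations = []
    for e in events:
        if e["event"] == "IDCOLLECTOR_ASSOCIATION":
            f = e["fields"]
            user, machine = f.get("User", ""), f.get("Machine", "")
            associations.append({"seq": e["seq"], "ip": f.get("Ip", ""),
                                 "user": user, "machine": machine,
                                 "domain": f.get("Domain", ""),
                                 "machine_only": not user and bool(machine)})
    return counts, associations

if __name__ == "__main__":
    counts, associations = summarize(parse_tracker(SAMPLE_LOG))
    print(dict(counts))
    for a in associations:
        print(a)
```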