Sanjay_S
Advisor

Identity Awareness for Remote Access Users

Hi All,

We enabled the Identity Awareness blade yesterday. This has been enabled mainly for the Remote Access VPN users. I am able to fetch the details from AD, and I created the Access Role for the specific group in the AD and provided ANY access for that particular group, but it doesn't seem to be working. Users are able to connect to Remote Access (e.g. user Bob logs in to RA and I can see the Identity Awareness blade showing the login and logout details), but the problem is that it is not hitting the Any rule configured, so the users are not able to have the complete access which they require. Please let me know how to proceed further on this.


Below are the details:

GW: R77.30 Take 225

MDS: R80.10 Take 121


Let me know if you need any more details on this.

Thank you in advance.


4 Replies
FedericoMeiners
Advisor

Hello,

First of all make sure that Identity Awareness blade is active on your firewall.

Please look into the logs and see which rule is hitting that access. You can also use packet mode to test your policy: Packet mode 

____________
https://www.linkedin.com/in/federicomeiners/
Nick_Doropoulos
Advisor

Hello,

Based on the information you have provided, I would try to identify the firewall rule that does match the interesting traffic. You could achieve that by doing either of the following:

- Consult the logs on the manager

- Run fw ctl zdebug | grep <ip address of the remote access user you test with> on the gateway and see what policy is dropping the traffic

Failing the above, you can place the Identity Awareness firewall rule right at the top of the rule base just for testing purposes and try again.

Once you have done the above, please share with us your findings along with the error encountered on the client side if any.

I hope this helps.

Maarten_Sjouw
Champion

Could it be that you have a desktop policy that does not allow the traffic, in other words is the traffic reaching the gateway at all?
Regards, Maarten
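The two checks suggested above (find the rule the test user's traffic actually matches in the logs, and confirm the traffic reaches the gateway at all) can be scripted over a log export. This is an added example, not code from the thread or from Check Point: the log lines are constructed, and the key=value field names (src, user, rule, action) are an assumed layout, not a specific export format.

```python
"""Find which rule a Remote Access test user's connections matched, and flag
connections that hit a rule other than the expected Access Role rule.
Added example; the log format below is an assumption, not a Check Point export."""
import re
from collections import Counter

# Constructed sample: user bob (10.10.10.5) only matches the Access Role rule
# for one connection; the other two fall through to the Cleanup rule and drop.
SAMPLE_LOGS = """\
time=10:01:02 src=10.10.10.5 dst=192.168.1.20 service=tcp/443 user=bob rule=RA-AccessRole action=Accept
time=10:01:05 src=10.10.10.5 dst=192.168.1.30 service=tcp/445 user=bob rule=Cleanup action=Drop
time=10:01:09 src=10.10.10.5 dst=192.168.1.30 service=tcp/3389 user=bob rule=Cleanup action=Drop
time=10:01:11 src=10.10.10.7 dst=192.168.1.20 service=tcp/443 user=alice rule=RA-AccessRole action=Accept
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'key=value key=value' log line into a dict."""
    return dict(FIELD_RE.findall(line))


def rules_hit(logs, src_ip, expected_rule):
    """Return (Counter of rule -> hit count, list of records that did not
    match expected_rule) for all connections whose source is src_ip."""
    hits = Counter()
    unexpected = []
    for line in logs.splitlines():
        rec = parse_line(line)
        if rec.get("src") != src_ip:
            continue
        rule = rec.get("rule", "?")
        hits[rule] += 1
        if rule != expected_rule:
            unexpected.append(rec)
    return hits, unexpected


def diagnose(logs, src_ip, expected_rule):
    """One-line verdict: no traffic seen (check client/desktop policy), all
    traffic on the expected rule, or which other rule is handling it."""
    hits, unexpected = rules_hit(logs, src_ip, expected_rule)
    if not hits:
        return f"no log entries from {src_ip}: traffic may not reach the gateway"
    if not unexpected:
        return f"all {sum(hits.values())} connections matched {expected_rule}"
    other = ", ".join(f"{r}={n}" for r, n in hits.items() if r != expected_rule)
    return f"{len(unexpected)} connections from {src_ip} matched other rules: {other}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOGS, "10.10.10.5", "RA-AccessRole"))
```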
Sanjay_S
Advisor

Hi All,

We found the issue: we should have had communication from our jump server, from where we manage the SmartConsole, to the customer AD. After getting access allowed from the jump server to the customer AD on all high ports, the IA blade started working as expected. Thank you all for looking into it and suggesting.
