Identity awareness Access Rules


Hello

We are using Identity Awareness with the Identity Collector. When we create an access rule within the access policy in order to block a group of computers from accessing the internet, this does not work; the traffic doesn't even match this rule. Creating a similar rule for users from the AD works just fine, but not for the computers.

Any ideas?

Running version R80.20 HFA Take 91 


//Johan


7 Replies
Admin
What does the Access Role you’ve configured look like?
It is an AD Group configured under Machine in the Access Role
Bronze

Probably there is no match for this access role. When you select specific workstations, which setting do you have for the "users" section?

Does your workstation exist here?

pep s u q mchn <workstation_name>


Are the computers you are trying to block part of the AD domain, or are they standalone?

R80 CCSA / CCSE

I remember I had to split "mixed" roles after upgrading to R80.x, as machine IDs stopped working if the same role also had user IDs.

Try using a role that has machine IDs / groups only, if you have not done that.


We resolved this problem by rebooting the management server; now the rule works!

However, from the moment a computer is added to the AD group, it takes X hours before the rule denies the traffic. Why is that so?


//Johan

Bronze

By default it is 4 hours. You have to change it if you want a more frequent Active Directory fetch for group membership. You can do it manually by using the following command:

pdp update

Command: root->update

Available options:
all - recalculate all users and machines group membership
specific - recalculate group membership for a user/machine
refetch_interval - LDAP user info refetch interval
update_rate - the max number of sessions updated within a minute