Kevin_Vargo
Collaborator

Access Role and Machine name

Hi - I am setting up an access role.  I want to add the users AD name and their machine name to the access role.  Will this result in the rule looking at both the username and machine name to allow traffic to a dest?  I was hoping so.  Essentially I want to allow a specific user and their specific machine name, not one or the other.  I read that the access role is all combined so I feel like this is how it works, but am not 100%  Thanks.

1 Solution

Accepted Solutions
PhoneBoy
Admin
Yes that’s exactly how it works.
If you specify AD host, AD group, and network, all three must match.


19 Replies
Steve_Bihari
Contributor

Interesting post... I am trying to understand the opposite scenario. If I want the Access Role to just restrict a particular AD Group, containing just machines, will the user and network settings of the access role also trigger the rule to match? For example, Any Network - Any User - Specific AD Machine Group.

I find that this scenario also maps the user to the same role and causes the rule to trigger even if the AD Machine Group is empty. This is not the behaviour I was hoping for.

0 Kudos
PhoneBoy
Admin

In general, an Access Role will be associated when a given session matches all four criteria (user/network/machine/VPN client).
However, you've presented an interesting situation: what happens when a particular AD group is empty.
What you describe sounds like a bug to me, but I'll let @Royi_Priov confirm one way or the other.
Possible we may need a TAC case here.

Steve_Bihari
Contributor

I'm still testing this in our DEV environment. What I've seen thus far is that the Identity Role is still attached to the machine and user when the machine is removed from the AD Group and left empty. It may just be a matter of triggering a new event (i.e. lock / unlock machine screen) for the Identity Role to unbind; thus bypassing the access rule.


Thanks for the feedback. I'll provide an update when I've done more testing.

0 Kudos
PhoneBoy
Admin

We do cache the information, and it's possible it will refresh on its own after a period of time.

Steve_Bihari
Contributor

So it's been over one hour since the machine has been removed from the AD Group. The Identity Role is still pinned to the machine even after a reboot of the machine.

[Expert@xxx]# pep s u q cid x.x.x.x
Command: root->show->user->query


PDP: <127.0.0.1, 00000000>; UID: <b0ff06e7>
==================================================
Client ID : <x.x.x.x, 00000000>
Authentication Key : <Unavailable>
Brute force counter: 0
Username : xxxxxxxxxxx
Machine name : xxxxxxxxxxx
User groups : <Unavailable>
Machine groups : <Unavailable>
Compliance : <Unavailable>
Identity Role : <AD_Deny_Machines> <---- Here
Time to live : 43230
Cached time : 86400
TTL counter : 43170
Time left : 39366

0 Kudos
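As an added example (not from the thread, and not Check Point's own tooling), a small Python script that parses the key/value lines of a `pep show user query` session dump like the one above and reports which bound Identity Role no longer matches what current AD membership should grant, plus how long the cached binding has left. The sample dump and the expected-role list are constructed; the machine name and client IP are placeholders.

```python
from typing import Dict, List

# Constructed sample, modelled on the pep session dump quoted in the thread.
SAMPLE = """\
PDP: <127.0.0.1, 00000000>; UID: <b0ff06e7>
==================================================
Client ID : <10.0.0.25, 00000000>
Username : jdoe
Machine name : WS-EXAMPLE
User groups : <Unavailable>
Machine groups : <Unavailable>
Identity Role : <AD_Deny_Machines>
Time to live : 43230
Cached time : 86400
TTL counter : 43170
Time left : 39366
"""


def parse_pep_query(text: str) -> Dict[str, str]:
    """Turn the 'Key : value' lines of one session dump into a dict,
    stripping the <...> wrappers and skipping the PDP/UID header."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("PDP:") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value.startswith("<") and value.endswith(">"):
            value = value[1:-1]
        fields[key] = value
    return fields


def stale_roles(fields: Dict[str, str], expected: List[str]) -> Dict[str, object]:
    """Compare the Identity Role bound to the cached session with the roles
    current AD membership should grant (an empty list once the machine has
    left the group) and report how long the cached binding has left."""
    role = fields.get("Identity Role", "")
    bound = [role] if role and role != "Unavailable" else []
    time_left = int(fields.get("Time left", "0"))
    return {
        "machine": fields.get("Machine name", ""),
        "bound_roles": bound,
        "stale_roles": [r for r in bound if r not in expected],
        "hours_until_cache_expiry": round(time_left / 3600, 1),
    }
```

Calling `stale_roles(parse_pep_query(SAMPLE), expected=[])` reports `AD_Deny_Machines` as stale with about 10.9 hours of cache life left, which is the situation described in the post above.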
Kevin_Vargo
Collaborator

Not sure if it helps, but my experience requires a couple of resolution steps.  After starting this thread we did end up creating a rule as described above.  Here is the catch: if a user or machine is moved to a different OU in AD, we have to remove the machine and/or user from the firewall rule, publish (not push) the policy and then add the user or machine back - then publish and push policy.  This happens often, especially when there are name changes.  My guess is you have a machine in an AD group, it is blocked, the machine is removed in AD but still shows up in the rule.  I might remove your AD group, publish, add the AD group back, publish and push policy.  Note that I am nowhere near an expert... and this potential fix is what I would try.

0 Kudos
Royi_Priov
Employee

Hi @Kevin_Vargo ,

I believe you are describing sk105494.

It will be resolved in R81.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Kevin_Vargo
Collaborator

Hi @Royi_Priov - yes, that issue is pretty close.  I would add though that this isn't just about moving to a different OU.  If a user's name changes in AD after being added to an Access Role, that user would still need to be removed and re-added, then the policy needs to be pushed.  In short, if there is any change to the object in AD after adding it to an Access Role, that work needs to be undone and then re-done (so to speak).

Steve_Bihari
Contributor

That is my experience so far too. Otherwise you just have to wait out 24 hours for the cache timer to elapse.

0 Kudos
Steve_Bihari
Contributor

Interesting tidbit from sk105494 which explains the behaviour:


“We currently do not support having a constant connection from the Management server to all the DCs, so that the Access Roles get automatically updated.”


https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Steve_Bihari
Contributor

Waited about 16 hours and the Identity Role still did not unbind from the machine. I deleted the access role and recreated / pushed. Unbound right away.

The default cache setting is 86,400 seconds (24 hours). I think just waiting this out for 24 hours between adding / removing machines from AD Group will bind / unbind the role from the machine. I suspect, and hope, there is a way to tweak this to a more reasonable cache period.

0 Kudos
Royi_Priov
Employee

Hi @Steve_Bihari 

If I understand correctly, there are 2 separate issues reported here:

  1. When configuring {network: any network, user: any user, machine: AD group} -> it will be applied also if the user is one who belongs to this group. That is, you have a PDP session of a user from this AD group and a machine which is not from this AD group -> the AR is still matched on this session. If this is indeed the case, I would appreciate it if you could investigate this with TAC. We will need a pdp debug to understand it better.
    • To enable debug: "pdp d s all all"
    • Replicate the issue (user+machine logs associated; please note, the machine session is created only after the machine is booted)
    • Turn off debugs: "pdp d u all"
    • Debugs are under $FWDIR/log/pdpd.elg*.
  2. When a user is removed from an AD group, there is no update about it on the GW. Which identity source are you using?
Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
Steve_Bihari
Contributor

Hi Royi,

No, the user is not a member of the AD group. Just the machine.

0 Kudos
Steve_Bihari
Contributor

This is exactly the issue:

"2. when a user is removed from AD group, there is no update about it on the gw. which identity source are you using?"

We're using AD Query with IA.


0 Kudos
Steve_Bihari
Contributor

#pdp update all (fixes it)

As a last resort, this can be scheduled as a cron job.

Some relevant SKs:

sk103881

sk105165


0 Kudos
Kevin_Vargo
Collaborator

Running pdp update all after a change to an AD object resolves changes in IA without a push?  Is that accurate? 

I assume that is only the case if a user/machine is already defined in a rule, not if I add or remove a user/PC.  That, I would still expect, requires a push.

0 Kudos
Steve_Bihari
Contributor

Hi Kevin.

Correct. "pdp update all" does not require a push to take effect.

0 Kudos
Steve_Bihari
Contributor

Any Access Role that is currently used in your rulebase using AD Query should not require a PUSH when moving machines/users within that AD group.

However, see the SKs I referenced.

"pdp update all" should fix it every time as a last resort.

0 Kudos