Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Contributor

Access Role and Machine name

Jump to solution

Hi - I am setting up an access role.  I want to add the users AD name and their machine name to the access role.  Will this result in the rule looking at both the username and machine name to allow traffic to a dest?  I was hoping so.  Essentially I want to allow a specific user and their specific machine name, not one or the other.  I read that the access role is all combined so I feel like this is how it works, but am not 100%  Thanks.

1 Solution

Accepted Solutions
Highlighted
Admin
Admin
Yes that’s exactly how it works.
If you specify AD host, AD group, and network, all three much match.

View solution in original post

15 Replies
Highlighted
Admin
Admin
Yes that’s exactly how it works.
If you specify AD host, AD group, and network, all three much match.

View solution in original post

Highlighted
Participant

Interesting post...I am trying the understand the opposite scenario. If I want the Access Role to just restrict a particular AD Group, containing just machines, will the user and network settings of the access role also trigger the rule to match? For example, Any Network - Any User - Specific AD Machine Group.

I find that this scenario also maps the user to the same role and causes the rule to trigger even if the AD Machine Group is empty. This is not the behaviour I was hoping for.

0 Kudos
Highlighted
Admin
Admin

In general, an Access Role will be associated when a given session matches all four criteria (user/network/machine/VPN client).
However, you've presented an interesting situation: what happens when an particular AD group is empty.
What you describe sounds like a bug to me, but I'll let @Royi_Priov confirm one way or the other.
Possible we may need a TAC case here.

Highlighted
Participant

I'm still testing this in our DEV environment. What I've seen thus far is that the Identity Role is still attached to the machine and user when the machine is removed from the AD Group and left empty. It may just be a matter of triggering a new event (i.e. lock / unlock machine screen) for the Identity Role to unbind; thus bypassing the access rule.

 

Thanks for the feedback. I'll provide an update when I've done more testing.

0 Kudos
Highlighted
Admin
Admin

We do cache the information, and it's possible it will refresh on its own after a period of time.

Highlighted
Participant

So it's been over one hour since the machine has been removed from the AD Group. The Identity Role is still pinned to the machine even after a reboot of the machine.

[Expert@xxx]# pep s u q cid x.x.x.x
Command: root->show->user->query


PDP: <127.0.0.1, 00000000>; UID: <b0ff06e7>
==================================================
Client ID : <x.x.x.x, 00000000>
Authentication Key : <Unavailable>
Brute force counter: 0
Username : xxxxxxxxxxx
Machine name : xxxxxxxxxxx
User groups : <Unavailable>
Machine groups : <Unavailable>
Compliance : <Unavailable>
Identity Role : <AD_Deny_Machines> <---- Here
Time to live : 43230
Cached time : 86400
TTL counter : 43170
Time left : 39366

0 Kudos
Highlighted
Contributor

Not sure if it helps, but my experience requires a couple resolution steps.  After starting this thread we did end up creating a rule as described above.  Here is the catch, if a user or machine is moved to a different OU in AD, we have to remove the machine and/or user from the firewall rule, publish (not push) the policy and then add the user or machine back - then publish and push policy.  This happens often, especially when there are name changes.  My guess is you have a machine in an AD group, it is blocked, the machine is removed in AD but still shows up in the rule.  I might remove your AD group, publish, add the AD group back, publish and push policy.  Note that I am no where near an expert......  and this potential fix is what I would try.

0 Kudos
Highlighted
Employee+
Employee+

Hi @Kevin_Vargo ,

I believe you are describing sk105494.

It will be resolved in R81.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Highlighted
Contributor

Hi @Royi_Priov  - yes, that issue is pretty close.  I would add though this isn't just about moving to a different OU.  If a user's name changes in AD after being added to an Access Role that user would still need removed and re-added, then the policy needs pushed.  In short, if there is any change to the object in AD after adding to an Access Role that work needs to be undone and then re-done (so to speak).

Highlighted
Participant

That is my experience so far too. Otherwise you just have to wait out 24 hours for the cache timer to elapse.

0 Kudos
Highlighted
Participant

Interesting tidbit from sk105494 which explains the behaviour:

 

“We currently do not support having a constant connection from the Management server to all the DCs, so that the Access Roles get automatically updated.”

 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Highlighted
Participant

Waited about 16 hours and Identity Role still did not unbind from Machine. I deleted access-role and recreated / pushed. Un-binded right away.

The default cache setting is 86,400 seconds (24 hours). I think just waiting this out for 24 hours between adding / removing machines from AD Group will bind / unbind the role from the machine. I suspect, and hope, there is a way to tweak this to a more reasonable cache period.

0 Kudos
Highlighted
Employee+
Employee+

Hi @Steve_Bihari 

If I understand correctly, there are 2 separate issues reported here:

  1. When configuring {network: any network, user: any user, machine: AD group} -> it will be applied also if the user is the one belongs to this group. it means, you have a PDP session of user from this AD group, and a machine which is not from this AD group -> AR is still matched on this session. if this is indeed the case, I will appreciate if you could investigate this with TAC. we will need pdp debug to understand it better.
    • to enable debug: "pdp d s all all"
    • replicate the issue (user+machine logs associated. please note, machine session is created only after machine is booted)
    • turn off debugs "pdp d u all"
    • debugs are under $FWDIR/log/pdpd.elg*.
  2. when a user is removed from AD group, there is no update about it on the gw. which identity source are you using?
Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
Highlighted
Participant

Hi Royi,

No, the user is not a member of the AD group. Just the machine.

0 Kudos
Highlighted
Participant

This is exactly the issue:

"2. when a user is removed from AD group, there is no update about it on the gw. which identity source are you using?"

We're using AD Query with IA.

 

0 Kudos