This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
saulosouza
Explorer
‎2021-03-24 06:14 AM

AD Query in Remote Access connection

We migrate from R80.30 to R80.40. In R80.30 Remote Access uses AD Query information, now the information is not processed.

The AD Query is working fine for the other contexts, but it's not applied to VPN connection.

In PDPd and PEPd logs I can see the AD connection for the machine in the VPN, but I think it's not processed by the identity Awareness.

[25387 4059584320]@CPFW01[24 Mar 9:15:20] [TRACKER]: #40148 -> INCOMING -> ADQUERY_ASSOCIATION ->
Association
ip: 10.18.172.35
user:
machine: d580-55931
domain: interno.trt18.jus.br
reason: 0

In the PDPd log I found this:

[25387 4059584320]@CPFW01[24 Mar 9:15:20] [SESSION_UTILS (TD::Events)] pdp::PDPSessionConciliation::shouldOverrideSuperSessionByPriority: existing super session 6bd521f4 office mode IP score (1) > new association office mode IP score (0) - reject new association


Is there a way for identity awareness to use AD Query Data in Remote Access connection? 

Thanks in advance!

(1)
4 Replies
PhoneBoy
Admin
Admin
‎2021-03-24 09:18 AM

Remote Access clients don't require AD Query because we're authenticating the user directly.
However, it needs to be enabled as an identity source on the gateway object (it's not by default).

saulosouza
Explorer
‎2021-03-24 09:27 AM
In response to PhoneBoy

Thank you, I have already enabled Remote access as a source. The login is fine, what I want is the information of AD query, when is available. 

PhoneBoy
Admin
Admin
‎2021-03-25 02:49 PM
In response to saulosouza

What’s happening is explained here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Specifically “Some identity sources such as Identity Agent, Terminal Server, Captive Portal, and Remote Access VPN cannot be appended to others. In these cases, the conciliation decision is only override or reject.”
Note this is new behavior as of R80.40.
Not 100% sure you can change this, a TAC case will be required.

fjulianom
Advisor
Friday
In response to PhoneBoy

Hi PhoneBoy,

 

Old post but I am in a similar situation. Then do you mean that Remote Access clients authenticate directly against the AD and not through AD Query which uses WMI to look into Active Directory Security Event Logs?

 

Regards,

Julián

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events