This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LazarusG
Contributor
Contributor
‎2023-01-09 04:48 AM

How to validate machine authentication?

Hi

I have configured it in my lab using the AD CA.

I think its working, but how to validate?

I have the following log card - is this the only method? Or is there a CLI command?

Id: c0a8c50a-b607-7836-63bb-f01100000000
Marker: @A@@B@1673222400@C@2394
Log Server Origin: 192.168.197.10
Time: 2023-01-09T10:44:33Z
Id Generated By Indexer:false
First: false
Sequencenum: 2
Client Name: Active Directory Query
Product Version: R81.10
Domain Name: lazarus.com
Source: 192.168.197.100
Endpoint IP: 192.168.197.100
Authentication Status: Successful Login
Identity Source: AD Query
Session ID: d1b85d8a
Source Machine Name: win10domain
Source Machine Group: All Machines; ad_group_machine_auth
Authentication Method: Machine Authentication (Active Directory)
Identity Type: machine
Roles: machine
Last Update Time: 2023-01-09T10:44:33Z
Action: Log In
Type: Log
Blade: Identity Awareness
Origin: r81_10_mgmt
Product Family: Network
Logid: 131073
Description: Successful Login: Machine Authentication (Active Directory)

I can see from the endpoint client that it is connected to the VPN Active Site and Danny's one liner shows 1 OM address consumed;

REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 0 (Peak: 1)
Capsule/Endpoint VPN Users : 0 (Peak: 0) using Visitor Mode: 0
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 0 (Peak: 0)
L2TP Users : 0 (Peak: 0)
SNX Users : 0 (Peak: 0)

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 10000
Endpoint Connect Users : 0
Mobile Access Users : 100
SNX Users : 50

I dont see any users or tunnels under Smartview Monitor (possibly as Im enforcing machine auth only?);

Are there any other cli or gui validation methods?

Thanks in advance.

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-01-09 04:28 PM

Pretty sure you wouldn't get an Office Mode address if you weren't successfully authenticated.
Did you initiate any traffic into the encryption domain?

0 Kudos
the_rock
Legend
Legend
‎2023-01-09 05:13 PM

Phoneboy makes a good point, try send some traffic to enc domain and see.

0 Kudos
Howard_Gyton
Advisor
‎2023-01-25 07:57 AM
In response to the_rock

We have this working on Windows for both internal, and VPN connected traffic.  It was always working for internal traffic,. but to get it to work for VPN we had to make a couple of changes.

In the Access Role, we had tried using built-in "Domain Computers" group.  When we changed this to a user made security group, and populated that group with our test machines, rules using an Access Role with machine Machine Auth. started working.  Up to that point it probably always had been, but we couldn't tell because the test rule was not used.

I believe the reason why we could tell this was the case, and simultaneously being able to tell that machine auth. was indeed working was to look at one of the "Identity Awareness" records, and looking for the "Source Machine Group" section.  I don't think this exists for IA records where machine auth. doesn't occur.

We also inferred from this record that the reason why we thought that machine auth. was not working over VPN was because of the "Domain Computers" group never appeared in "Source Machine Group", therefore our test rules were never used as the traffic did not match the access role.  You can see below that only "All Machines" appears, not "Domain Computers".  Changing the access role to use the second of the two AD groups listed below worked for our test rule, adding a second indicator that machine auth. was working.

machine_auth_log.jpg

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events