This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kamilazat
Advisor
‎2023-12-15 12:53 AM
Jump to solution

Is it possible to create an alert when the MAC address associated to an AD user changes?

Greetings everyone!

I want to know if it is possible to get a notification when the MAC address associated to an AD user changes. We're dealing with R81.10 with Remote Access.

 

https://community.checkpoint.com/t5/Management/Identity-awareness-Access-role-based-on-MAC-address/t...

 

In the conversation above @Timothy_Hall mentions that L2 header gets stripped off by the time the packet reaches the INSPECT engine. However, in the same conversation there is a mention of an RFE for an External Tag. I tried to google about this, but to no avail so far.

 

I thought about a script that will read pep and pdp logs and make a notification when MAC of a user changes, but it looks like it would be quite resource heavy as our network activity is very high. On the other hand, I'm completely open to using 3rd party resources to gather that kind of information.

 

Thank you!

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-12-15 10:30 AM
Jump to solution

The feature mentioned in the thread is called Identity Tags: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide...
The tags are assigned by Cisco ISE or a SAML provider.

In any case, Identity Awareness does not track Layer 2 information, at least not in a way that would be easy to query.
Therefore, you'd have to use an external system (the identity provider itself) to get this information. 

View solution in original post

(1)
3 Replies
PhoneBoy
Admin
Admin
‎2023-12-15 10:30 AM
Jump to solution

The feature mentioned in the thread is called Identity Tags: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide...
The tags are assigned by Cisco ISE or a SAML provider.

In any case, Identity Awareness does not track Layer 2 information, at least not in a way that would be easy to query.
Therefore, you'd have to use an external system (the identity provider itself) to get this information. 

(1)
kamilazat
Advisor
‎2023-12-17 01:53 AM
In response to PhoneBoy
Jump to solution

Thank you @PhoneBoy. It was really helpful clarifying the possibilities within Identity Awareness.

Though I was reading about SmartEvent and started wondering if it can help me in this context. Apparently it can provide a wide variety of information, but I'm not sure if MAC changes of AD users is within its scope.

 

Edit: I will, of course, resort to Cisco ISE or a SAML if need be. But, I want to be able to solve this without using any service other than CheckPoint if possible.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-12-18 05:35 AM
In response to kamilazat
Jump to solution

We don't use MAC addresses in policy decisions, so there's not really a mechanism designed to track this in the product.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events