This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jonathan
Collaborator
‎2020-08-10 03:22 AM

user details from MAB don't propegate to other blades

Hi,

We have two gateways, one behind the other. Let's call them FrontGW and BackGW.

Users connect from home to FrontGW using SSLVPN and identify with an ActiveDirectory username.

They need to have RDP access to a server that is behind the BackGW.

On the FrontGW we configured a Native Application that allow RDP access to the server and created a rule based on Identity Awareness.

On the BackGW I want to allow access also based on Identity Awareness, but in the logs I see the BackGW doesn't recognize the username, only the FrontGW does.

What am I missing here?

Thanks

0 Kudos
4 Replies
Timothy_Hall
Legend Legend
Legend
‎2020-08-10 11:20 AM

1) Make sure the "Remote Access" checkbox is set on the IA screen of the FrontGW gateway/cluster object

2) On the IA...Identity Sharing screen make sure "Share local identities with other gateways" is checked on FrontGW, and that "Get Identities from other gateways" is checked and configured on BackGW

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Jonathan
Collaborator
‎2020-08-11 02:48 AM
In response to Timothy_Hall

Thanks Timothy, the "Get Identities from other gateways" checkbox was really missing. 

Now i see the usernames in the logs from the BackGW.

However, now for some reason the BackGW ignores the access rule I created using an Access Role object with the same user, and drops the traffic on the cleanup block rule.

Needless to say, if I create the access rule using IP address is works.

0 Kudos
Jonathan
Collaborator
‎2020-08-11 11:44 PM
In response to Timothy_Hall

Well, apparently, after enabling the "Get identities..." on the BackGW, it stopped processing IA from terminal servers we have with agents installed.

In the checkpoint logs I didn't see any data in the Source User column.

Only after disabling the "Get identities" feature on the BackGW and pushing policy on both GW did the problem resolved.

TS agents are configured to access the BackGW, so I don't see why there should be any conflict.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-08-14 11:34 AM
In response to Jonathan

What release are you running?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events