Hi,
We are deploying two new gateways and Mgmt servers running R80.20 and the policy is heavily reliant on IA.
We have two Identity Collectors (80.87.0000 - recently upgraded from 80.85.0000) running on Windows 2016 servers.
We have about 15 users behind the gateways testing the policy and are running into problems where users randomly stop being authenticated and therefore the policy drops the connection. To get them working again we run the ‘pdp control revoke_ip’ command.
In addition to the above, we have another user who has all the required access and is being accepted by the policy, and then starts getting dropped by the policy. I have found an event in the logs that immediately precedes the dropped connections, which is: Authentication Status: Access Roles updated
As with the other issue, running pdp control revoke_ip gets them working again.
Have any of you come across these issues before? And, if so, what was the fix?
We will be putting 1500+ users behind these gateways, so you can imagine the potential problems we'll face if these issues are not fixed.
I am in contact with CP TAC and have uploaded multiple pdp and pep debugs, but still don't have a fix and I wanted to see if anyone else had some advice.
Many thanks
Alex
Please send me the TAC SR in a PM. Also tagging @Royi_Priov.
Is the User Logging into Multiple Machines?
Do you have the "Automatically exclude user which are logged into more than xx machines simultaneously" option enabled?
Hi,
Thanks for your response.
It depends on the user. Some users may be logged into multiple machines (some IT staff) and others not, however, we don't have AD Query enabled, so that option is not enabled.
I have added certain accounts to the exclusion list on the Identity Collectors though.
Kind regards
Alex
Hi,
Any update here?
I have a similar case with a customer.
Was there any response to this, as we are having the exact same issue?
Did you contact TAC for this? I did almost 1.5 months ago, changed 3 engineers, a few escalations, and the only things we did were to ignore machine identities and advice to upgrade the collector and install the latest hotfix. It works at the moment and no one can tell us what happened.
Hi Martin,
Sorry for not replying sooner.
Since this post we have made a number of changes:
We have upgraded to R80.40 on our gateways and Mgmt platform.
We have upgraded the Identity Collector software to 80.119.0000.
However, the changes we made where we saw the most positive impact to our issues were:
The filters in the Identity Collector software:
Network Filter: Included all of our user IP ranges
Identity Filter: Excluded all of our service accounts and domain admin accounts (accounts where users are likely to be connected to more than one machine).
Domain Filter: Excluded a short name/alias of our real domain as the collectors were seeing duplicate entries and immediately logged users out.
Two changes we made to the gateways:
pdp nested_groups __set_state 2
pdp update update_rate set 500
These were the best changes for us in our environment, and these may differ for you so I would take TAC's advice on this, but these certainly helped us.
I wish you the best of luck.
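An added example, not part of the thread and not Check Point tooling: a Python script that audits a sample of login events for the three conditions the filters above address (source IPs outside the user ranges, accounts seen on more than one machine, and the same login reported under two domain names). The event tuple format, the sample events and `USER_RANGES` are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample login events (user, domain, source IP); not real data.
EVENTS = [
    ("alice", "corp.example.com", "10.1.1.10"),
    ("alice", "CORP", "10.1.1.10"),  # same login seen under a short domain name
    ("bob", "corp.example.com", "10.1.2.20"),
    ("svc_backup", "corp.example.com", "10.1.1.10"),
    ("svc_backup", "corp.example.com", "10.1.2.20"),
    ("svc_backup", "corp.example.com", "10.9.0.5"),
    ("carol", "corp.example.com", "192.168.50.7"),
]
USER_RANGES = ["10.1.0.0/16"]  # assumed user IP ranges (Network Filter candidates)


def audit(events, user_ranges, max_machines=1):
    """Return candidates for the Network, Identity and Domain filters."""
    nets = [ipaddress.ip_network(n) for n in user_ranges]
    ips_per_user = defaultdict(set)
    domains_per_binding = defaultdict(set)
    outside = set()
    for user, domain, ip in events:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            outside.add(ip)  # would not match an include-only network filter
            continue
        ips_per_user[user.lower()].add(ip)
        domains_per_binding[(user.lower(), ip)].add(domain.lower())
    # Accounts bound to more machines than allowed: identity-exclusion candidates.
    multi = sorted(u for u, ips in ips_per_user.items() if len(ips) > max_machines)
    # Domain names under which one (user, IP) binding is reported more than once.
    dup = sorted({d for doms in domains_per_binding.values()
                  if len(doms) > 1 for d in doms})
    return {"outside_ranges": sorted(outside),
            "multi_machine_users": multi,
            "duplicate_domains": dup}


if __name__ == "__main__":
    for key, value in audit(EVENTS, USER_RANGES).items():
        print(f"{key}: {value}")
```

The report only lists candidates; which domain name to exclude and which accounts to filter remains a decision for the administrator.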
Hi Alex,
I'll keep in mind your answers. In my case the problem is sporadic and I can't trace where it comes from: GW site, IDC site or AD site. My deployment is a flat one - 2 clusters of 2 members, 2 IDCs and 4 AD servers, no filters applied. At some point the user is not recognized in pdp but has a correct binding in IDCs and users get dropped, at some other point it is the opposite - missing user binding in IDCs but correct info in pdp and users get accepted.