This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kryten
Collaborator
‎2022-03-02 05:15 AM

Identity Awareness - AD Query: strange behaviour

Hello,

I am currently investigating an issue one of our customers has wih AD-Query in Identity Awareness.
Initially the problem reported was occurences of "A secondary session request was received from the same IP. This caused logout of the current session", in combination with users complaining about access problems. They were getting the blockpage instead of access that should be allowed for this user or group. The customer suspects that these secondary session logouts are causing the problems.

After looking at the logs, I think the problem might be something else, but I can not make sense of it(yet). I am still fairly new to Check Point, so maybe I am missing something here.

Here is one example of events from the logs, where the problem occured last week:

08:01:12: machine authentication(AD Query)
connections from machine, no user yet: access denied
08:02:38: user authentication(AD Query)
connections: access allowed based on user/group rules, source username in logs
08:02:54: A secondary session request was received from the same IP. This caused logout of the current session(AD Query)
connections: access still allowed, seeing source user name in logs
08:14:28: Machine authentication(AD Query)
connections: access denied, no source user name listed, only machine as source
08:21:58: "A secondary session request was received..."(AD Query)
connections: access allowed again, source user name in logs


To me it seems the user does not get logged out in between. The secondary Session notification says it does cause a logout, but shouldn't I see another user login on the same time then, the one that caused this?
I am confused by this and I would really like to understand what exactly is happening here. Is there any way to find out what exactly does cause these secondary session events or why the access for the user is not working anymore after the machine logs back in?

The customer already tried looking up the events in the Domain Controller, but while seeing them there, there is also no info on what exactly caused them.

Also this is not happening very often and cannot be reproduced manually, which makes debugging this a bit harder. Any help on how to find this out would be much appreciated.

 

 

Cheers,

Alex

 

0 Kudos
10 Replies
the_rock
Legend
Legend
‎2022-03-02 06:28 AM

Hey Alex,

Can you confirm below settings on IA tab of identity awareness on the firewall objects?

Andy

 

Screenshot_1.png

0 Kudos
Kryten
Collaborator
‎2022-03-02 06:54 AM
In response to the_rock

The first Option is checked, the second is not.

Are machine identities treated the same way as a user when it comes to sessions per IP? I would have thought that the first Option only applies to user identities, just as it says....

0 Kudos
the_rock
Legend
Legend
‎2022-03-02 07:04 AM
In response to Kryten

I think thats your problem...uncheck 1st option and push policy and test.

Andy

0 Kudos
Kryten
Collaborator
‎2022-03-02 07:55 AM
In response to the_rock

I will have to discuss this with the customer, but I think there is porobably a reason why it is configured like that and we do not want to break other things too easily 🙂

Also I would like to understand what exactly is happening and why before I change things. As I said, there is only one user using that machine, so I would naturally think that this option would do no harm....so what is the problem here?

0 Kudos
the_rock
Legend
Legend
‎2022-03-02 09:48 AM
In response to Kryten

Right, but...if you think about it logically, that setting says "assume that one user is connected per computer", meaning if 2nd person tried to connect to that same IP, it will not work.

Andy

0 Kudos
Kryten
Collaborator
‎2022-03-03 12:28 AM
In response to the_rock

But there is no second person involved here...only one user and his personal computer.

I understand that other things than a user logging into his computer can cause additional login events, like opening a captive portal (in this case we see "Source: Captive Portal" so that is not the case for this user here) or login to fileshares. I just want to know if there is a way to find out what exactly caused these events.

0 Kudos
the_rock
Legend
Legend
‎2022-03-03 05:14 AM
In response to Kryten

Sorry sorry, my bad, I did not realize it was just one user, apologies. So, you are saying just one user was attempting a connection and those logs came up? If so, I would involve TAC, because it makes no sense that log would say secondary session came from same IP. Is there identity agent involved here or no?

Andy

0 Kudos
Kryten
Collaborator
‎2022-03-04 07:45 AM
In response to the_rock

Only AD-Query so far, we tried using the Identity Agent for one affected user but saw no difference. Its hard to tell though, as this happens pretty rarely.
I know of a few cases where a secondary session can happen, thus I would like to be able to somehow find out exactly the cause for these. I start to fear that this is not possible without monitoing the user and his computer closely, which is also not possible 🙂

I guess a TAC Case it is then...

 

Thanks a lot so far!

Paul_Hagyard
Advisor
‎2022-06-02 09:30 PM
In response to Kryten

Service account login on the same device? Exclude service accounts under advanced settings if so.

0 Kudos
George_Casper
Collaborator
‎2022-06-03 07:51 AM
In response to Paul_Hagyard

Any chance the customer's Active Directory folks elevated CVE-2021-26414 to enforce ahead of next months Microsoft patches?  Checkpoint released jumbo's this past month or so to address the issue.   See sk176148

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events