JozkoMrkvicka
Mentor
Identity Awareness - Identity Collector - Make sure the account exists in the AD

Hi guys,

I want to test the IDC solution in my home LAB. I didn't work with IA in the past, so I am asking for help here 🙂

My goal is to allow connection based on Access Roles for specific users in order to allow them to reach the needed internal resources.

I have an R81.10 gateway and MDS with Take 87. Windows Server 2019 is acting as DC and AD. The IDC agent is installed on the Windows Server. The connection between DC/AD and GW is working, all is green. I have created some test users in AD which are used to log in to the Windows 7 machine over the test domain. So far, all as expected. But once I want to check on the Check Point GW whether the user was recognized as successfully logged in to the Windows 7 machine, the firewall logs say: "Group membership of the required account (user or machine) could not be retrieved from the AD. Make sure the account exists in the AD."

image.png

Logs for IA blade:

image.png

The same errors are seen for each and every user, no matter if the user was already created or was created a couple of minutes ago.
Looks like some configuration issue on the FW which I haven't recognized yet.

There is only 1 Account Unit configured, with the following settings:

image.png

image.png

image.png

image.png

I checked sk106133, but it looks like I didn't find a match there...

Since this is my home LAB, I can do any debugs in order to figure out what is going on.

Is there anyone who is experienced with IA and IDC specifically and is able to help me fix the issue?

Thanks for the help!

Kind regards,
Jozko Mrkvicka
Accepted Solution
Sorin_Gogean
Advisor

Hey @JozkoMrkvicka ,

In the 2nd LDAP screenshot, at LDAP Servers, you should have a user defined and a Login DN, as in the example below. The AD user that I'm using for reads is a simple user, with no specific rights.

Screenshot .png

Have a look at sk31841, as it might clarify it.

We have no issues with AD users, as the log-in events are learned and the Check Point GW reads the user/machine groups properly.

Thank you,

5 Replies
PhoneBoy
Admin

Do you see the gateway try to do LDAP lookups at all (i.e. connections to the LDAP server)?
What does pdp debug on say? (Review $FWDIR/log/pdpd.elg)

JozkoMrkvicka
Mentor

The connection to LDAP (which is in fact the DC) is established over port 389:
image.png

I also did a tcpdump, and the connection over 389 is OK.

pdp debugs are attached.

Kind regards,
Jozko Mrkvicka
PhoneBoy
Admin

Unfortunately, that doesn't have anything useful.
Maybe try the test_ad_connectivity tool: https://support.checkpoint.com/results/sk/sk100406
Make sure to use the -l option (that's a lowercase L) to only perform the LDAP tests, as WMI isn't relevant in this case.
JozkoMrkvicka
Mentor

Hi @Sorin_Gogean ,

You were right. I left the Login DN blank, which is the cause of the issues in my case.

I am using the default Administrator user in the LAB and forgot to fill in "Login DN".

Once "Login DN" was filled in and the policy pushed, all users are correctly recognized by the FW and the associated Access Roles are assigned.

Thank you for the help!

Kind regards,
Jozko Mrkvicka
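As an added example (not Check Point's code and not from any poster above), the following script checks the Account Unit setting this thread identified as the cause, a blank Login DN, and builds the same group-membership lookup the gateway performs as an ldapsearch command you can run from any host with LDAP access to the DC. The host, base DN and account names are constructed lab values, and the optional live run assumes ldap-utils is installed.

```python
"""Reproduce the Account Unit group lookup outside the gateway (added example)."""
import re
import shlex
import subprocess

# Constructed sample Account Unit for a lab domain (assumed values, not from the thread).
ACCOUNT_UNIT = {
    "host": "dc01.lab.local",   # the DC acting as LDAP server
    "port": 389,                # plain LDAP, as in the thread
    "login_dn": "",             # blank: the misconfiguration reported in the thread
    "base_dn": "DC=lab,DC=local",
}

# Simplified DN shape check (does not handle escaped commas); enough to catch
# a blank value or a bare username typed where a DN is expected.
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$")


def check_login_dn(login_dn: str) -> list:
    """Return findings about the Login DN; an empty list means it looks usable."""
    findings = []
    if not login_dn.strip():
        findings.append("login_dn is blank: the gateway would bind anonymously, and "
                        "AD does not return memberOf to an anonymous bind by default")
    elif not DN_RE.match(login_dn):
        findings.append("login_dn is not a distinguished name (expected e.g. "
                        "CN=svc-idc,CN=Users,DC=lab,DC=local)")
    return findings


def build_group_query(au: dict, sam_account: str) -> list:
    """argv for ldapsearch that binds with the Login DN and reads the user's memberOf."""
    return ["ldapsearch", "-x", "-H", f"ldap://{au['host']}:{au['port']}",
            "-D", au["login_dn"], "-W", "-b", au["base_dn"],
            f"(sAMAccountName={sam_account})", "memberOf"]


def run_group_query(au: dict, sam_account: str) -> str:
    """Run the query live (needs network access to the DC); refuses a broken Login DN."""
    for finding in check_login_dn(au["login_dn"]):
        raise ValueError(finding)
    return subprocess.run(build_group_query(au, sam_account),
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(check_login_dn(ACCOUNT_UNIT["login_dn"]))   # reproduces the thread's failure
    fixed = dict(ACCOUNT_UNIT, login_dn="CN=Administrator,CN=Users,DC=lab,DC=local")
    print(shlex.join(build_group_query(fixed, "testuser")))  # command to run against the DC
```

Compare the memberOf values the command returns with the groups used in your Access Roles; if the bind succeeds but memberOf is empty, the problem is on the AD side, not in the Account Unit.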