Stelios_Andreou
Contributor

Identity Awareness not matching the rule every time

Hi everyone,


I have a rule with AD group as a source of the rule.

In the middle of the day, while the user is working OK, the rule stops matching for some users in the group.


My GW is R80.20


Thank you.

0 Kudos
4 Replies
PhoneBoy
Admin

What version/JHF level?
What method are you using to acquire the user identities?
Maybe start here with troubleshooting: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
K_montalvo
Collaborator

Hello @Stelios_Andreou have you looked into the Event Viewer for any information?

0 Kudos
chatura
Employee

@Stelios_Andreou, I would start by looking at SmartLog for Identity Awareness logs. Filter by the time of the issue and check for login logs with no logoff events for the affected users.

Once there are no logoff logs, check the Identity Awareness LDAP fetch log for the user and confirm that the groups are correct per access role.

Running the following two commands on the firewalls during the issue will show any issues with Identity awareness gateway processes (PDPD and PEPD):

PDP Gateway:

pdp monitor user <affected user name>

PEP Gateway:

pep show user query usr <affected user name>

Opening a TAC case will help you to investigate this further.

0 Kudos
Timothy_Hall
Champion

So it sounds like the user gets their IP->User mapping successfully for group access when they log in, then they lose the mapping early.  There are several causes for this:

1) Watch out for automated service accounts firing up on the user's workstation, logging into the domain, and overwriting the user's mapping.  You should be able to see this in the logs for subsequent connections from that user's IP, and the user name will show up as "backups" or whatever the service account name is.  Make sure all service accounts like this are excluded from forming mappings on the gateway/cluster object under AD Query...Advanced...Excluded Users/Machines.

2) Check the gateway/cluster's User/IP Association timer and make sure it is greater than the Kerberos reticketing interval for AD.  Usually the AD interval is 8 hours (with the firewall set for 10 or 12 hours), but I've seen cases where the AD administrator increases the reticketing timer to reduce load on the controller, and users lose their mappings early.

Note that if the user locks their screen and unlocks it with their domain credentials, their mapping should be reestablished and it is probably one of the issues above.  If that doesn't get their mapping back there are deeper issues at work here.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
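As an added illustration of the two causes described in the reply above (this is not code from the thread or from Check Point), the script below walks a set of constructed, simplified login/logoff records and flags every IP whose user mapping was overwritten by a different account, marking the ones where the overwriting account is a known service account. The record format, the IPs, the user names and the service-account list are all assumptions for the example; real Identity Awareness logs carry more fields and would need their own parser. A small helper also expresses the timer check from point 2: the User/IP Association timeout must exceed the Kerberos reticketing interval.

```python
"""Spot IP->user mapping overwrites by service accounts in simplified login/logoff records."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample records (assumption: not real Check Point log output).
# Fields: timestamp, source IP, user, event (login | logoff).
SAMPLE_LOG = """\
2021-03-01T08:02:11 10.1.20.15 jsmith login
2021-03-01T08:05:40 10.1.20.22 mjones login
2021-03-01T12:14:03 10.1.20.15 backups login
2021-03-01T12:31:55 10.1.20.22 mjones login
2021-03-01T13:00:00 10.1.20.15 jsmith login
2021-03-01T17:30:00 10.1.20.22 mjones logoff
"""

# Accounts that should be in AD Query > Advanced > Excluded Users/Machines
# (assumption: site-specific names chosen for the example).
SERVICE_ACCOUNTS = {"backups", "svc-monitor"}


@dataclass
class Mapping:
    user: str
    since: datetime


@dataclass
class Overwrite:
    ip: str
    previous_user: str
    new_user: str
    at: datetime
    by_service_account: bool


def parse_line(line: str):
    """Split one constructed record into (timestamp, ip, user, event)."""
    ts, ip, user, event = line.split()
    return datetime.fromisoformat(ts), ip, user, event


def find_overwrites(log_text: str, service_accounts=SERVICE_ACCOUNTS) -> List[Overwrite]:
    """Replay the records and return every case where an IP's mapping changed user.

    A logoff clears the mapping for that IP; a login by the same user on the same IP
    (e.g. a screen unlock) is a refresh, not an overwrite.
    """
    current: Dict[str, Mapping] = {}
    overwrites: List[Overwrite] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, event = parse_line(raw)
        if event == "logoff":
            current.pop(ip, None)
            continue
        prev = current.get(ip)
        if prev is not None and prev.user != user:
            overwrites.append(Overwrite(ip, prev.user, user, ts, user in service_accounts))
        current[ip] = Mapping(user, ts)
    return overwrites


def users_hit_by_service_accounts(overwrites: List[Overwrite]) -> List[str]:
    """Users whose mapping was replaced by a service account: candidates for the exclusion list."""
    return sorted({o.previous_user for o in overwrites if o.by_service_account})


def association_timer_ok(user_ip_timeout_hours: float, kerberos_reticketing_hours: float) -> bool:
    """Point 2 of the reply: the User/IP Association timer must be longer than AD reticketing."""
    return user_ip_timeout_hours > kerberos_reticketing_hours


if __name__ == "__main__":
    for o in find_overwrites(SAMPLE_LOG):
        tag = "SERVICE ACCOUNT" if o.by_service_account else "user change"
        print(f"{o.at.isoformat()} {o.ip}: {o.previous_user} -> {o.new_user} ({tag})")
    print("exclude candidates:", users_hit_by_service_accounts(find_overwrites(SAMPLE_LOG)))
    print("timer ok (10h vs 8h):", association_timer_ok(10, 8))
    print("timer ok (10h vs 12h):", association_timer_ok(10, 12))
```

In the constructed data, 10.1.20.15 is taken over by "backups" at midday and only returns to jsmith later, which is exactly the symptom in the question; mjones's second login on 10.1.20.22 is the same user and is not reported. The account names the script surfaces are the ones to compare against the gateway's excluded users list.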