This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Stephen_Ware
Participant
‎2023-04-14 01:23 AM
Jump to solution

Identity Collector and CrowdStrike

Hi CheckMates

Is anyone having issue with Identity Collectors when CrowdStrike is running on the domain controllers?

I'm running Identity Collectors on two dedicated servers (so not directly on the domain controllers) but since CrowdStrike has been installed on the domain controllers the id collectors stop receiving events from the DCs at least once per day. The Status Description for each DC remains 'connected' but the events stop incrementing. Restarting the Id Collector service on the Collectors kick-starts the process and they start receiving AD events again.

CrowdStrike technical support have reported that this is a known issue because it interrupts the Identity Collector's connection to AD and no RST packet is sent by the domain controller to reset the tcp session.

One suggested workaround is to configure Task Scheduler on the Collectors to periodically restart the service (say, every 6 hours) but this is not ideal.

Is Check Point R&D aware of the problem (hi, Royi Priov) and is there a better solution to keep the Id Collectors running?

Thanks,

Steve

Labels
0 Kudos
1 Solution

Accepted Solutions
Royi_Priov
Employee
Employee
‎2023-04-16 11:59 PM
Jump to solution

Hi,

Thanks for tagging me.

Yes, there is a known issue, where crowdstrike is closing IDC connection to DC.

It was addressed in bug ID IDA-5232 from our side.

It will be added to the next GA of IDC, but as for now please use the fix from IDA-5232.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity

View solution in original post

(1)
10 Replies
the_rock
Legend
Legend
‎2023-04-14 05:39 AM
Jump to solution

I had someone tell me they had CP case open for this, but no resolution was given. I can ask them what happened with it and report back.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-04-14 06:57 AM
Jump to solution

Was any context provided for why the communication is interrupted?

 

@Royi_Priov 

CCSM R77/R80/ELITE
0 Kudos
Royi_Priov
Employee
Employee
‎2023-04-16 11:59 PM
Jump to solution

Hi,

Thanks for tagging me.

Yes, there is a known issue, where crowdstrike is closing IDC connection to DC.

It was addressed in bug ID IDA-5232 from our side.

It will be added to the next GA of IDC, but as for now please use the fix from IDA-5232.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity
(1)
Stephen_Ware
Participant
‎2023-04-17 03:20 AM
In response to Royi_Priov
Jump to solution

Hi Royi,

Thanks for the update, I will try the bug fix.

Kind regards

Steve

0 Kudos
r1der
Advisor
‎2023-05-19 03:07 PM
In response to Stephen_Ware
Jump to solution

Did that fix your issue? I was going to say we aren't having any problems with it, but CrowdStrike was not installed on the server I have Identity Collector running on. It is installed on the DC however. I also have one other server where both are installed and running fine. 

Has this been fixed in Identity Collector version R81.040? Where do I get IDA-5232?
I can't seem to find that, if I end up running into issues after installing CS on another server.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-05-19 07:51 PM
In response to r1der
Jump to solution

Next release of IDC is not yet available, contact TAC in the interim. 

CCSM R77/R80/ELITE
Stephen_Ware
Participant
‎2023-05-22 08:22 AM
In response to r1der
Jump to solution

Hi r1der,

My Identity Collectors run on two servers that are separate from my DCs. It's possible that you are not seeing the problem because your Identity Collectors are running on your DCs.
The workaround I used was to set up a task in Windows Task Scheduler on the Identity Collectors that restarts the CP Id Collector service every 6 hours regardless of whether or not it has failed. And the restart schedule is offset by 6 hours between the two Collectors so they do not both restart the service at the same time.

This workaround has been successful so far so I'll keep using it until the fix is rolled into the GA updates.

You might be able to use something similar if you have multiple ID Collectors for resilience.

the_rock
Legend
Legend
‎2023-05-22 10:25 AM
In response to Stephen_Ware
Jump to solution

Thanks for sharing that @Stephen_Ware 👍

0 Kudos
r1der
Advisor
‎2023-05-31 01:55 PM
In response to Stephen_Ware
Jump to solution

Thanks for the update! Good to know the service and that you can just restart it to get it running again.

0 Kudos
Maurice_Conway
Employee
Employee
‎2023-06-19 11:12 AM
In response to Royi_Priov
Jump to solution

Hi Royi,

Was it ever determined what on Crowdstrike was closing the connection? 

Thanks,

Maurice

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events