JPR
Contributor

Identity Collector and multiple accounts with different privileges on same machine

Hi there,

I'm experiencing some issues with the Identity Collector and firewall rules that are dependent on that service.

I will try to explain the issues in the following:

I log on to ip 1.2.3.4 with my account Y and Identity Collector tells that to the firewall (user Y is logged on to 1.2.3.4).

I have a rule that says if you're a member of AD group X, it can download executables etc. My account Y is member of that group, and can download.

So far so good.

Now I open a command prompt with my administrator account Z on the same machine with ip 1.2.3.4. The Identity Collector registers that account Z is now logged on to 1.2.3.4. If I now go and try to download an executable (e.g. a patch from somewhere) I can't because account Z is not member of the AD group that allows download.

So, it seems like the Identity Collector gets confused when I use different accounts on the same ip: I have logged on to Windows on the machine with ip 1.2.3.4 and account Y, but I need to use my administrator account Z on occasion and now the Identity Collector tells the firewall that Z is logged on to 1.2.3.4.

I don't know if that is by design, however, it is causing some issues for me and my team.

Have any of you experienced something similar and have you got an idea how to fix it so to say? Is there a way to get around this issue?

I hope it makes sense and I'm sorry if it all sounds a bit confusing. Please ask me to elaborate if necessary.

Thanks.

0 Kudos
3 Replies
PhoneBoy
Admin

The only way you can differentiate multiple users with different levels of access on the same IP is to deploy MUH on the relevant workstation.
It is otherwise not possible for the gateway to determine which user at that IP is making the connection.
Therefore, this is expected behavior.
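
A small Python model of the behaviour described above: with identity keyed only by source IP, the most recent logon on 1.2.3.4 overwrites the previous one, so Y's browser traffic is suddenly treated as Z's; with a per-user source-port scheme (a simplified stand-in for what a MUH/Terminal Server agent provides) each connection resolves to the account that opened it. This is an added example, not code from this thread, from Check Point or from either poster. Accounts Y and Z, host 1.2.3.4 and the download rule come from the post; the group name "AllowDownload", the port-range numbers and all class and function names are assumptions.

```python
"""Toy model: IP-keyed identity vs. a multi-user host (MUH) style per-user port range.

Added example, not code from the thread or from Check Point. The AD group name,
the port-range scheme and the function names are assumptions; the accounts,
host IP and "members of group X may download executables" rule follow the post.
"""

# Constructed sample data: AD group membership of the two accounts in the post.
AD_GROUPS = {
    "Y": {"Domain Users", "AllowDownload"},   # normal account, may download
    "Z": {"Domain Users", "Domain Admins"},   # admin account, not in the download group
}


def allowed_to_download(user):
    """The access rule from the post: only members of the download group pass."""
    return user is not None and "AllowDownload" in AD_GROUPS.get(user, set())


class IpIdentityStore:
    """Identity keyed only by IP: the newest logon for an IP replaces the old one."""

    def __init__(self):
        self.by_ip = {}

    def login(self, ip, user):
        self.by_ip[ip] = user

    def connect_port(self, ip, user):
        # Any ephemeral port; the gateway cannot use it to tell users apart.
        return 50000

    def user_for(self, ip, src_port):
        return self.by_ip.get(ip)


class MuhIdentityStore:
    """Simplified MUH model (assumption): every logged-on user on a host gets a
    source-port range, and the gateway resolves a connection by (ip, src_port)."""

    BASE_PORT = 10000
    RANGE_SIZE = 1000

    def __init__(self):
        self.ranges = {}  # ip -> list of (user, lo, hi)

    def login(self, ip, user):
        sessions = self.ranges.setdefault(ip, [])
        if any(u == user for u, _, _ in sessions):
            return  # already has a range on this host
        lo = self.BASE_PORT + self.RANGE_SIZE * len(sessions)
        sessions.append((user, lo, lo + self.RANGE_SIZE - 1))

    def connect_port(self, ip, user):
        # A process running as `user` sources its connection from that user's range.
        for u, lo, _ in self.ranges.get(ip, []):
            if u == user:
                return lo
        raise KeyError(f"{user} has no session on {ip}")

    def user_for(self, ip, src_port):
        for user, lo, hi in self.ranges.get(ip, []):
            if lo <= src_port <= hi:
                return user
        return None


def scenario(store):
    """Replay the post: Y logs on, downloads; Z opens a prompt; both try to download."""
    ip = "1.2.3.4"
    result = {}
    store.login(ip, "Y")  # interactive Windows logon as Y
    result["Y_before_Z"] = allowed_to_download(
        store.user_for(ip, store.connect_port(ip, "Y")))
    store.login(ip, "Z")  # command prompt opened as administrator Z on the same host
    result["Y_after_Z"] = allowed_to_download(
        store.user_for(ip, store.connect_port(ip, "Y")))
    result["Z_after_Z"] = allowed_to_download(
        store.user_for(ip, store.connect_port(ip, "Z")))
    return result


if __name__ == "__main__":
    print("IP-only identity :", scenario(IpIdentityStore()))
    print("MUH-style identity:", scenario(MuhIdentityStore()))
```

In the IP-only model Y loses download access the moment Z logs on, which is exactly the symptom in the post; in the MUH-style model Y keeps access and Z is still denied, because each connection is attributed to the account that actually opened it.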

JPR
Contributor

Okay, thanks. That's what I thought as well.

So, I tried marking my own computer as MUH, but now it doesn't recognize my account as being part of the allow download group.

The download rule is an inline rule that looks like this:

[image: ruledl.png]

But now when I try to download an executable I hit the above rule (as I should), however, it gets blocked by the clean up rule (209.4) and not accepted by the 209.1 (I am member of the AD group that allows download). Do you have any idea why that is and if I can do anything about that?

Thanks!

0 Kudos
PhoneBoy
Admin

What version/JHF?
The log card for the drop should show the groups that were identified for that user.
Does the user show up in pdp monitor output?

0 Kudos
