pnobels
Explorer

Identity Collector not receiving events

Hi,

Using sk108235 and sk122686.

I installed Identity Collector 81.035.0000 on Windows Server 2019.

I am successfully connected to ADC servers. I have created a query pool.

I'm also successfully connected to one gw running R80.10.

Problem is I'm not seeing any events coming in from the ADCs in the IDC GUI. When I click on 'logins monitor' and start monitoring, also nothing shows up...

Firewall ports between the IDC server and ADCs are okay. I even disabled FWs on both to be 100% sure. The user account is a member of the Event Log Readers group.

In the logs I see things like:

[ 2200 4356]@SRV[22 Jun 12:00:07] [Event (NAC::IS::TD::Surprise)] UTILS::Event::wait: Timeout in the wait
[ 2200 4364]@SRV[22 Jun 12:00:07] [Event (NAC::IS::TD::Surprise)] UTILS::Event::wait: Timeout in the wait
[ 2200 4360]@SRV[22 Jun 12:00:07] [Event (NAC::IS::TD::Surprise)] UTILS::Event::wait: Timeout in the wait
[ 2200 4364]@SRV[22 Jun 12:00:07] [Exception (NAC::IS::TD::Critical)] UTILS::LoggingException::LoggingException: Operation Timed Out
[ 2200 4356]@SRV[22 Jun 12:00:07] [Exception (NAC::IS::TD::Critical)] UTILS::LoggingException::LoggingException: Operation Timed Out
[ 2200 4360]@SRV[22 Jun 12:00:07] [Exception (NAC::IS::TD::Critical)] UTILS::LoggingException::LoggingException: Operation Timed Out
[ 2200 4356]@SRV[22 Jun 12:00:07] [PDPChannel (TD::Important)] NAC::IDCOLLECTOR::PDPChannel::run: TimeOutException when waiting on notifiction lock
[ 2200 4360]@SRV[22 Jun 12:00:07] [PDPChannel (TD::Important)] NAC::IDCOLLECTOR::PDPChannel::run: TimeOutException when waiting on notifiction lock
[ 2200 4364]@SRV[22 Jun 12:00:07] [PDPChannel (TD::Important)] NAC::IDCOLLECTOR::PDPChannel::run: TimeOutException when waiting on notifiction lock

 

and

 

[ 2200 5492]@SRV[22 Jun 12:00:17] [WinHttpCCC (NAC::IS::TD::Surprise)] UTILS::WinHttpCCC::asyncCallbackMethod: STATUS_REQUEST_ERROR: error 12175 (async API 5) on request (id 1 - 1c1e838)

 

Anyone having an idea?

0 Kudos
3 Replies
Sorin_Gogean
Advisor

Hey,

 

As we implemented IA with IC without issues on AD side (we had some glitches with ISE/pxGrid) I have some questions.

(preferably to answer each one 😊)

Do you have multiple AD domains/subdomains?

The domain you are addressing does have log-in events?

Is the account you use allowed to read AD log events?

Do you use LDAPs or simple LDAP? (have you changed the port/checkbox accordingly)

Can you show us a screenshot of the IC with the AD server/servers you connect to - do you see events counting?

 

Ty,

0 Kudos
pnobels
Explorer

Do you have multiple AD domains/subdomains? Only one domain.

The domain you are addressing does have log-in events? This might be the problem. With log-in events, you mean event ID 4624? I talked to the AD admin and the closest thing I can see is event ID 4776. No 4624.

https://community.checkpoint.com/t5/Security-Gateways/Identity-Collector-not-getting-any-events/td-p...

This thread seems to suggest that indeed event IDs 4624, 4768, 4769, 4770 are needed.

Is the account you use allowed to read AD log events? Yes

Do you use LDAPs or simple LDAP? (have you changed the port/checkbox accordingly) Can't find this setting, but taking the above into account this is probably not the issue.

0 Kudos
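
A check an AD admin could run for the event IDs discussed above (4624, 4768, 4769, 4770), added here as an example; it is not part of the original posts and not Check Point tooling. It assumes an elevated PowerShell session on an English-language domain controller; the function name Get-LoginEventCoverage is hypothetical, and the subcategory names are the standard Windows advanced audit policy subcategories that generate those events.

```powershell
# Added example. Run elevated on a domain controller (English-language OS assumed).
# Event IDs are those named in the thread; subcategory names are the standard
# Windows advanced audit policy subcategories that generate them.
$Required = @(
    @{ Id = 4624; Subcategory = 'Logon' }
    @{ Id = 4768; Subcategory = 'Kerberos Authentication Service' }
    @{ Id = 4769; Subcategory = 'Kerberos Service Ticket Operations' }
    @{ Id = 4770; Subcategory = 'Kerberos Service Ticket Operations' }
)

function Get-LoginEventCoverage {   # hypothetical helper name
    param([int]$Minutes = 60, [int]$MaxEvents = 500)

    $start = (Get-Date).AddMinutes(-$Minutes)
    foreach ($r in $Required) {
        $filter = @{ LogName = 'Security'; Id = $r.Id; StartTime = $start }
        try {
            $count = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop).Count
        } catch {
            # "No events found" is an expected answer here; anything else
            # (access denied, log unavailable) must surface to the operator.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $count = 0 } else { throw }
        }

        # auditpol /r emits CSV; 'Inclusion Setting' holds e.g. "Success and Failure".
        $policy = auditpol /get /subcategory:"$($r.Subcategory)" /r |
            Where-Object { $_ } | ConvertFrom-Csv

        [pscustomobject]@{
            EventId      = $r.Id
            Subcategory  = $r.Subcategory
            AuditSetting = $policy.'Inclusion Setting'
            RecentEvents = $count
            Status       = if ($count -gt 0) { 'present' } else { 'MISSING' }
        }
    }
}

Get-LoginEventCoverage | Format-Table -AutoSize
```

A row showing "No Auditing" together with MISSING points at the domain controller's audit policy rather than at the Identity Collector configuration.
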
Sorin_Gogean
Advisor

Can you have a look here and see if the AD account is created properly, as I know the AD user requirements are like...

"

  • For AD integration - the Identity Collector requires an AD user that belongs to the default Event Log Readers group.
    No administrative role is required for this user. "

(https://community.checkpoint.com/t5/Security-Gateways/Identity-Collector-integration-design-guidelin... )

 

Mainly it should be (sk179544):

(4) Integrating to Identity Collector - Learning Login Events

Watch the training video (2 min 30 sec).

This video is about:

  • Integrating Identity Collector to the Active Directory Domain
  • Defining Active Directory Domain as an Identity Source
  • Adding a Query Pool
  • Monitor Login Events

 

or 

 

(5) Migrating to Identity Collector as identity source in addition to AD Query

Watch the training video (3 min 34 sec).

This video is about:

  • Integrating Identity Collector to the Active Directory Domain
  • Using ID Collector in parallel to AD Query
  • Connecting the ID Collector to the gateway
  • Monitor ID Sessions

 

Ty,

0 Kudos
