This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GigaYang
Collaborator
Collaborator
‎2023-08-21 05:31 AM
Jump to solution

Identity Collector

Hi All,

We tried to set up an Identity Collector host to replace the original AD Query function of the firewall.

After the erection is complete. We found it in the log column of "Source user name". No user account information appears. In the IA-related Log, we saw the following error message:
"Failed to get user groups for the domain.
Verify that this domain name is configured in your LDAP Account Unit."

We have closed the local firewall of the AD and Identity Collector hosts, but still cannot collect user information.

Our AD version is Windows Server 2019. Can someone who has encountered the same problem give guidance.

Thanks

Preview file
1664 KB
0 Kudos
3 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-08-21 08:09 AM
Jump to solution

Identity Collector changes how the gateways acquire users (using Security Logs instead of WMI).
The actual groups are still pulled the same way as with ADQuery: via LDAP queries from the relevant gateways.
Which means you should verify the information needed to perform these lookups is correct: https://support.checkpoint.com/results/sk/sk180392

View solution in original post

GigaYang
Collaborator
Collaborator
‎2023-08-21 09:05 AM
In response to PhoneBoy
Jump to solution

After I add a LDAP account unit object. The problem has been solved. 

View solution in original post

GigaYang
Collaborator
Collaborator
‎2023-09-10 09:31 PM
In response to the_rock
Jump to solution

Finally we found two problems:
1. PDP Problem: After we disable the AD Query function, the Monitor's device status will never change.
2. The VPN certificate has expired.

After weReboot the device and re-sign the certificate. The problem is solved.

View solution in original post

17 Replies
the_rock
MVP Diamond
MVP Diamond
‎2023-08-21 06:19 AM
Jump to solution

When you open IC software, does gateway show as connected status? Also, did you make sure AD query is fully off?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-21 08:09 AM
Jump to solution

Identity Collector changes how the gateways acquire users (using Security Logs instead of WMI).
The actual groups are still pulled the same way as with ADQuery: via LDAP queries from the relevant gateways.
Which means you should verify the information needed to perform these lookups is correct: https://support.checkpoint.com/results/sk/sk180392

GigaYang
Collaborator
Collaborator
‎2023-08-21 09:05 AM
In response to PhoneBoy
Jump to solution

After I add a LDAP account unit object. The problem has been solved. 

the_rock
MVP Diamond
MVP Diamond
‎2023-08-21 09:10 AM
In response to GigaYang
Jump to solution

Good job!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
GigaYang
Collaborator
Collaborator
‎2023-08-22 07:46 AM
In response to the_rock
Jump to solution

We made some architectural adjustments today. The Identity Collector host is placed on a different network segment from the Gateway management interface. As a result, the Identity Collector cannot establish a connection with the Gateway, but the Allow Log is displayed. Has anyone encountered such a situation?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-08-22 07:52 AM
In response to GigaYang
Jump to solution

Do you have proper rules configured? Does ping work back and forth?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
GigaYang
Collaborator
Collaborator
‎2023-08-22 08:07 AM
In response to the_rock
Jump to solution

Yes,

We have set the firewall rule from IC to gateway over TCP 443. And ping is work well.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-08-22 08:08 AM
In response to GigaYang
Jump to solution

Does gateway show as green in IC software? Also, can you pull identity source on the software itself? I will send screenshots later of what Im referring to.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
This widget could not be displayed.
Identity_collector.docx

K, as promised, I attached document of what I was referring to.

 

Andy

Best,
Andy
"Have a great day and if its not, change it"
Identity_collector.docx
In response to GigaYang
In response to GigaYang
Jump to solution

Jump to solution

K, as promised, I attached document of what I was referring to.

 

Andy

Best,
Andy
"Have a great day and if its not, change it"
Identity_collector.docx

K, as promised, I attached document of what I was referring to.

 

Andy

Best,
Andy
"Have a great day and if its not, change it"
Identity_collector.docx
0 Kudos
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-08-22 09:07 AM
the_rock
MVP Diamond
MVP Diamond
‎2023-08-22 09:07 AM
In response to GigaYang
In response to GigaYang
Jump to solution

Jump to solution

That sort of makes sense, since as we all know, when hosts are on the same subnet, all that needs to happen is they know about one another's ARP, no routing needed, so its logical it works.

If it fails on different subnets, confirm the routing, as well as access policy. Do basic zdebug, as well as fw up_execute as well

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...

Andy

Best,
Andy
"Have a great day and if its not, change it"

That sort of makes sense, since as we all know, when hosts are on the same subnet, all that needs to happen is they know about one another's ARP, no routing needed, so its logical it works.

If it fails on different subnets, confirm the routing, as well as access policy. Do basic zdebug, as well as fw up_execute as well

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
0 Kudos
GigaYang
Collaborator
Collaborator
‎2023-08-22 09:10 AM
GigaYang
Collaborator
Collaborator
‎2023-08-22 09:10 AM
In response to the_rock
In response to the_rock
Jump to solution

Jump to solution

Hi Rock, attach file is my setting.

Preview file
433 KB

Hi Rock, attach file is my setting.

Preview file
433 KB
0 Kudos
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-08-22 09:13 AM
the_rock
MVP Diamond
MVP Diamond
‎2023-08-22 09:13 AM
In response to GigaYang
In response to GigaYang
Jump to solution

Jump to solution

Right, so we need to find out WHY it fails, so only way to know is by running basic captures, simple debugs and see where its "stuck"

Andy

Best,
Andy
"Have a great day and if its not, change it"

Right, so we need to find out WHY it fails, so only way to know is by running basic captures, simple debugs and see where its "stuck"

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
0 Kudos
GigaYang
Collaborator
Collaborator
‎2023-08-22 09:33 AM
GigaYang
Collaborator
Collaborator
‎2023-08-22 09:33 AM
In response to the_rock
In response to the_rock
Jump to solution

Jump to solution

Attach file is fw monitor and zdebug result. I think the connection between the Gateway and the IC host is normal.

Preview file
365 KB
Preview file
1382 KB

Attach file is fw monitor and zdebug result. I think the connection between the Gateway and the IC host is normal.

Preview file
365 KB
Preview file
1382 KB
0 Kudos
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-08-22 09:34 AM
the_rock
MVP Diamond
MVP Diamond
‎2023-08-22 09:34 AM
In response to GigaYang
In response to GigaYang
Jump to solution

Jump to solution

I think quick remote session with TAC would probably solve your issue, I feel like its something basic thats missing.

Andy

Best,
Andy
"Have a great day and if its not, change it"

I think quick remote session with TAC would probably solve your issue, I feel like its something basic thats missing.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
0 Kudos
GigaYang
Collaborator
Collaborator
‎2023-09-10 09:31 PM
GigaYang
Collaborator
Collaborator
‎2023-09-10 09:31 PM
In response to the_rock
In response to the_rock
Jump to solution

Jump to solution

Finally we found two problems:
1. PDP Problem: After we disable the AD Query function, the Monitor's device status will never change.
2. The VPN certificate has expired.

After weReboot the device and re-sign the certificate. The problem is solved.

Finally we found two problems:
1. PDP Problem: After we disable the AD Query function, the Monitor's device status will never change.
2. The VPN certificate has expired.

After weReboot the device and re-sign the certificate. The problem is solved.

the_rock
MVP Diamond
MVP Diamond
‎2023-09-11 04:58 AM
the_rock
MVP Diamond
MVP Diamond
‎2023-09-11 04:58 AM
In response to GigaYang
In response to GigaYang
Jump to solution

Jump to solution

Good job!

Best,
Andy
"Have a great day and if its not, change it"

Good job!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
0 Kudos