This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nandhakumar
Contributor
‎2021-05-04 08:25 AM

Identity Rule Access Role issue

Hi,

 

We have firewall enabled with identity awareness blade. It collects identity from identity collector, which it makes communication to our internal domain controllers for fetching identities and forward to gateway.

We got requirement from user to add specific rule where user can access vendor link from any network (corporate IP only), any user but from particular server.

We created access rule for this requirement. However, its not working. If you suggest any troubleshooting steps, it would be much appreciated.

 

Could see traffic getting dropped in firewall when user tries to telnet to vendor portal from the allowed particular server/machine.

 

 

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2021-05-04 06:59 PM

Let’s start with exactly what you created in the rulebase versus what got logged when the user tried to access.
Might help to know version/JHF level as well.
Also maybe check in the CLI of the gateway if it’s associating the right roles using pdp monitor user username.

0 Kudos
Nandhakumar
Contributor
‎2021-05-04 08:40 PM
In response to PhoneBoy

I have created access role in source column like below

Network - Any

Users - Any

Machine - Specific Security Group created in AD (This group contains machines/servers not any user ID's)

Destination - Vendor Website IP address

Gateway version is R80.40/ JHF Accumulator take 91

When i run pdp monitor user username, I am not getting this access role but getting other access roles. Working fine If I create access role with any network, specific users and any machine (Not for this scenario for others i am saying).
Why with specific machine is not working?

Also, please let me know how can i make this service in running state and see logs in Login Monitor section of Identity collectors. Please see attached screenshot for details.

Preview file
106 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-04 09:38 PM
In response to Nandhakumar

Logins Monitor might be this: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

 

0 Kudos
Nandhakumar
Contributor
‎2021-05-04 10:18 PM
In response to PhoneBoy

We have added Domain Controller as identity source manually but still having same issues. 'Is Forwarded Log Event Collector' was already in disabled state.  This sk166076 doesn't resolve my issue. Do you know that we need to start any windows services for this to work?

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2021-05-05 12:00 AM

I don't think I quite understand the requirement here. 

Do you mean that the "vendor link"is a URL and accessed via browser?

In that case is it safe to assume that the "particular server"is a proxy?

So users would connect to proxy and proxy would make connection to the vendor?

0 Kudos
MartinTzvetanov
Advisor
‎2021-05-05 12:37 AM

How the users connect to this particular server RDP/SSH? Why don't you just create a rule with this server as IP, not by access role?

0 Kudos
Martin_Stolz
Participant
‎2021-05-05 11:22 AM

Important is the status in the "Identity Sources" tab, is your configured AD server listed green?
And if you see a higher number than 0 in column "Total Events Received" you are receiving events 🙂

On the identity collector you have great log file "C:\Windows\Temp\ia.log"

To have the events in the UI, you need to turn on the "Loging Monitor".
Please click on the small grey "power button" behind the "Loging Monitor" text and you will see the monitoring events.
Your screenshot is showing that the "Logins Monitor" is disabled.

By the way i think the question from Martin Tzvetanov is a valid one.
If any user should have access and you want to allow the system itself as source, 
why not creating a simple rule for allowing "YourServerIP" to vendors Website IP?

But sometimes the destination IP of a website could change,
so you could think about using FQDN object as destination instead of IP.

Preview file
649 KB
0 Kudos
Nandhakumar
Contributor
‎2021-05-05 08:09 PM
In response to Martin_Stolz

Yes we added AD domain controller and tested successfully. All displayed as Green in Identity sources dashboard. Yesterday only i have noticed that power like button for Login Monitor. After I turn on, I could see the event logs. 

 

I created rule using access role where I given specific machine group as source. In that group, as of now only one server added. In future, group owner may add many servers (That's the reason we haven't created IP base rule)

I asked user to check but he told that he still unable to telnet for that site. I ran debug on firewall and observed drops.

When I ran this command 'pdp monitor machine <machine name>', I am not getting any output. At this time, 'ignore machine identities' check box was in enabled state in IC.

I disabled 'ignore machine identities' would fix the issue. Now, I want to understand, How long this identity will be seen in gateway? 

Also, how would we force changes made in IC to forward to gateway? I hope, currently it keeps the association time to live for 720 minutes. So if that is case, can't the changes pushed to gateways until it get expire.

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events