Identity awareness Users limit
Hi
Can someone help me interpret these logs?
(note that this has been filtered with the IP 10.0.4.80)
The person who is complaining about the malfunctioning Identity Awareness told me that he logged into the machine 10.0.4.80 with his user and from that machine he used other credentials (that can be seen expiring all together at 16:53.05) to log into other machines, for example in RDP. The malfunction that he's experiencing is that the URL filtering doesn't let him into pages permitted for his user.
Now it seems like those credentials have been detected by the Identity awareness and, at some point, the highlighted alert popped up (Machine (machine name) at (IP address) has 1 users (or more) currently connected to it, and will be automatically ignored).
Now I've read something about that message, and it seems to me that the outcome of reaching that threshold should not be a ban.
Is there anything suspicious that could have caused the reported malfunctioning or is this actually ok?
Thanks
@Royi_Priov why would IA expire all 7 sessions at once there? I thought it would simply disallow 8th user IP association on the same machine.
Hi @Stefano_Cappell ,
From what I understand, all the users logged in to this machine are service accounts (besides the real user).
I do recommend filtering out service accounts as it will both save GW resources and not process them, and also avoid such scenarios.
Please read about service accounts under sk86441 ("Filter-out service accounts").
@Kaspars_Zibarts - once we understand that more than 7 users were logged into one machine, all these identities are revoked as we are tagging this machine as a MUH machine. According to our decision, having too many users (and access roles, due to that) on one machine can cause permissions to be escalated for some of the users, and we would like to avoid that. Thanks for tagging me btw 8)
Royi Priov
R&D Group manager, Infinity Identity
