This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave
Contributor
‎2019-07-09 03:19 AM

Identity awareness access group problem

Hi,

We have Identity Awareness implemented for a lot of stuff, but it seems now that it got broken for one specific access rule.

RDP access to certain servers is controlled via IA and the access role is configured with a specific AD group, for which users in this group have access.

All of the sudden, it stopped working and users cannot RDP to these servers anymore.

Weird thing is that it was perfectly working before.

When basic troubleshooting this and removing the group access but adding the users separately, this works again and RDP is working fine again.

I'm fairly new to Checkpoint firewalls so any guidance how to pinpoint what the exact problem is would be highly appreciated.

Thanks!

0 Kudos
9 Replies
Maarten_Sjouw
Champion
Champion
‎2019-07-09 01:29 PM

You could try to remove publish and again add the group into the access role and publish and install.
Regards, Maarten
0 Kudos
Nick_Doropoulos
Advisor
‎2019-07-09 03:15 PM

Hi Dave,

To assist you fully, could you provide the following information please:

1) What is the version of your management server and that of your gateway?

2) What is the time stamp of when the issue first occurred?

3) What is the identity acquisition method used?

4) How many domain controllers does the gateway communicate with?

Thanks Dave.

0 Kudos
Dave
Contributor
‎2019-07-09 11:36 PM
In response to Nick_Doropoulos

Hi Nick,

1) mgmt and gateway are both running on R80.20

2)first occurence 4th of July

3)policy rule with access role used, where a nested AD group needs to be consulted, but only 2 deep and actual users are member of 3 different groups
Access role group name -> specific group added to grant access -> AD group

We got 4 DC but i'm not sure if all are used to communicate with the gateways.

Strange thing is that we have a bunch of other similar access roles set up also which do still work, only with this particular one we have a problem.
Also when i remove the AD group from the access role and add just the specific users, it just works....

 

Hope this helps, as i said, i'm fairly new into the game

Thanks a lot!

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2019-07-10 12:09 AM

You can always do basic checks that user/IP is actually assicoated with the role.

You can do it in both - SmartLog (use filter blade:"Identity Awareness" and IP / uername then look for log-in type event and see what role is associated with the user) or expert CLI

pep s u q cid x.x.x.x

pep s u q usr USERNAME

We had small issue after upgrade to R80.10 (from R77.30) - roles that had used both usernames and machine ID's in the same role stopped working, so we had to create two seperate roles - one for machine IDs and one for usernames

 

0 Kudos
Dave
Contributor
‎2019-07-10 01:01 AM
In response to Kaspars_Zibarts

The access role we are using only has one specific AD group assigned, and for some reason this access roles stopped working.

I did check IA via smartlog the way you described it and for this particular user, and when i correlate it with the access logs, i see a lot of Access Roles updates where it seems like the user sometimes is not part of the needed Access Role anymore.

Those were probably the moments i was playing with the config.

As a test, I created a new AD group, not nested with other permission groups but it only had 2 users in it.
When adding this new test group to a new test Access Role i created, the rule worked perfectly and the user could access the needed recources.

That leads me to believe there is only a problem for with a specific nested AD group, and it's only for this specific policy rule using the troublesome Access Role.
We use a lot of other Access Roles with nested AD groups and without issues.

I wonder how to get this working again. I'm puzzled.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-07-10 08:30 AM
In response to Dave

Did the DN of the problematic group get changed in AD?  Perhaps renamed or nested under a different OU?

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2019-07-10 08:47 AM
In response to Dave

you can check how deep gateway will dig using this command below

pdp nested status
Enabled - recursive. Depth: 20

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2019-07-10 08:49 AM
In response to Dave

Additionally check this SK
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Dave
Contributor
‎2019-07-18 01:23 AM
In response to Kaspars_Zibarts

To come back to this, it was a problem in R80.20 for which a hotfix needed to be installed in order to get a whole bunch of other stuff resolved as well.

With the R80.20 Jumbo HotFix - General Availability Take 87 installed, nested AD groups don't pose any problem no more ... for now 🙂

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events