Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
the_rock
Champion
Champion

Identity awareness blade issue

Jump to solution

Hey guys,

I hope someone can clarify this for me. I dont believe it ever worked properly for the customer. So, here is the situation. IA blade is enabled and there are few access roles configured. It does work for the most part, but one thing that fails is this...

So, if same user logs into multiple machines, then ONLY first machine they logged into will give them Internet access, not any sequential ones. So say user joesmith logs into windows box with IP 10.10.10.10, then to another windows with IP 10.10.10.11 and 3rd one 10.10.10.12...well, ONLY 10.10.10.10 IP machine will give them proper external access, not any other ones.

Option on gateway to assume that only one user is connected per machine is not checked, so logically, one would think that would allow same user to get access when connected to multiple machines. The drop we see on fw is that it comes to right layer and then explicit clean up rule drops the traffic, since it does not recognize access role association. We tried revoking IP, user, pdp update all...nothing worked.

Not sure if there is something else Im missing here?

Thanks as always!

0 Kudos
1 Solution

Accepted Solutions
the_rock
Champion
Champion

Just quick update guys...spoke with TAC and Harry had me do below options (we had checked internal users before, as well as all gateways directories). Once this was done, we pushed policy, but also had to install identity agent on windows machine we tested and then same user worked fine! I will still ask customer to test with few different users.

Screenshot_2.png

 

View solution in original post

0 Kudos
12 Replies
PhoneBoy
Admin
Admin

What version/JHF level?

@Royi_Priov 

 

the_rock
Champion
Champion

R81.10 mgmt jumbo 9, R80.40 jumbo 120 gateway cluster

0 Kudos
G_W_Albrecht
Legend
Legend
the_rock
Champion
Champion

Thanks a lot G, will check this in a bit.

0 Kudos
the_rock
Champion
Champion

I really hope this works. I did the changes and will ask customer to test. Funny enough, I went to that gateway setting thats in sk yesterday, but totally omitted the part about "automatically exclude users...". My bad...will let you know for sure if this fixes it. Thanks as always brother, grateful for all the help.

the_rock
Champion
Champion

Sadly, did not help. I made changes and asked client to test, but same behavior, no access when same user logs into 2nd machine. I will call TAC later and see if we can do some tests, since we already have active case opened for this since the weekend.

lfar
Explorer

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_IdentityAwareness_AdminGuide...

Try enabling any of the above, depending on the source from where your identities are being learned.

0 Kudos
the_rock
Champion
Champion

I ran it on both cluster members and asked client to test, so will see if any difference. Will keep you posted.

0 Kudos
the_rock
Champion
Champion

No luck, just tried.

0 Kudos
the_rock
Champion
Champion

Just quick update guys...spoke with TAC and Harry had me do below options (we had checked internal users before, as well as all gateways directories). Once this was done, we pushed policy, but also had to install identity agent on windows machine we tested and then same user worked fine! I will still ask customer to test with few different users.

Screenshot_2.png

 

0 Kudos
Magnus-Holmberg
Advisor

Have had the issue that needed to install the identity agents if users roam quickly between wifi/lan to make sure update correctly.

https://www.youtube.com/c/MagnusHolmberg-NetSec
the_rock
Champion
Champion

I never realized that before, but I guess IA agent is needed on windows in situation like this. Otherwise, if its only 1 user logged into 1 machine at the time, no need for IA agent.