This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2022-02-01 04:57 PM
Jump to solution

Identity awareness blade issue

Hey guys,

I hope someone can clarify this for me. I dont believe it ever worked properly for the customer. So, here is the situation. IA blade is enabled and there are few access roles configured. It does work for the most part, but one thing that fails is this...

So, if same user logs into multiple machines, then ONLY first machine they logged into will give them Internet access, not any sequential ones. So say user joesmith logs into windows box with IP 10.10.10.10, then to another windows with IP 10.10.10.11 and 3rd one 10.10.10.12...well, ONLY 10.10.10.10 IP machine will give them proper external access, not any other ones.

Option on gateway to assume that only one user is connected per machine is not checked, so logically, one would think that would allow same user to get access when connected to multiple machines. The drop we see on fw is that it comes to right layer and then explicit clean up rule drops the traffic, since it does not recognize access role association. We tried revoking IP, user, pdp update all...nothing worked.

Not sure if there is something else Im missing here?

Thanks as always!

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend
‎2022-02-02 11:47 AM
Jump to solution

Just quick update guys...spoke with TAC and Harry had me do below options (we had checked internal users before, as well as all gateways directories). Once this was done, we pushed policy, but also had to install identity agent on windows machine we tested and then same user worked fine! I will still ask customer to test with few different users.

Screenshot_2.png

 

View solution in original post

0 Kudos
12 Replies
PhoneBoy
Admin
Admin
‎2022-02-01 10:51 PM
Jump to solution

What version/JHF level?

@Royi_Priov 

 

the_rock
Legend
Legend
‎2022-02-02 03:36 AM
In response to PhoneBoy
Jump to solution

R81.10 mgmt jumbo 9, R80.40 jumbo 120 gateway cluster

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-02-02 01:34 AM
Jump to solution

sk115776: Specific user is not identified by Identity Awareness

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend
Legend
‎2022-02-02 03:37 AM
In response to G_W_Albrecht
Jump to solution

Thanks a lot G, will check this in a bit.

0 Kudos
the_rock
Legend
Legend
‎2022-02-02 05:50 AM
In response to G_W_Albrecht
Jump to solution

I really hope this works. I did the changes and will ask customer to test. Funny enough, I went to that gateway setting thats in sk yesterday, but totally omitted the part about "automatically exclude users...". My bad...will let you know for sure if this fixes it. Thanks as always brother, grateful for all the help.

the_rock
Legend
Legend
‎2022-02-02 07:10 AM
In response to G_W_Albrecht
Jump to solution

Sadly, did not help. I made changes and asked client to test, but same behavior, no access when same user logs into 2nd machine. I will call TAC later and see if we can do some tests, since we already have active case opened for this since the weekend.

lfar
Explorer
‎2022-02-02 07:59 AM
In response to the_rock
Jump to solution

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_IdentityAwareness_AdminGuide...

Try enabling any of the above, depending on the source from where your identities are being learned.

0 Kudos
the_rock
Legend
Legend
‎2022-02-02 08:10 AM
In response to lfar
Jump to solution

I ran it on both cluster members and asked client to test, so will see if any difference. Will keep you posted.

0 Kudos
the_rock
Legend
Legend
‎2022-02-02 08:23 AM
In response to lfar
Jump to solution

No luck, just tried.

0 Kudos
the_rock
Legend
Legend
‎2022-02-02 11:47 AM
Jump to solution

Just quick update guys...spoke with TAC and Harry had me do below options (we had checked internal users before, as well as all gateways directories). Once this was done, we pushed policy, but also had to install identity agent on windows machine we tested and then same user worked fine! I will still ask customer to test with few different users.

Screenshot_2.png

 

0 Kudos
Magnus-Holmberg
Advisor
Advisor
‎2022-02-02 03:05 PM
In response to the_rock
Jump to solution

Have had the issue that needed to install the identity agents if users roam quickly between wifi/lan to make sure update correctly.

https://www.youtube.com/c/MagnusHolmberg-NetSec
the_rock
Legend
Legend
‎2022-02-02 03:48 PM
In response to Magnus-Holmberg
Jump to solution

I never realized that before, but I guess IA agent is needed on windows in situation like this. Otherwise, if its only 1 user logged into 1 machine at the time, no need for IA agent. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events