This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2021-03-08 03:17 PM
Jump to solution

Identity awareness question

Hello everyone, I know this may sound like a dumb question, but Im little confused as to why the output is the way it looks. So lets say you have 2 users logging into one PC (well mac in this case, but I dont think thats really relevant) and both are logged into it at the same time (lets call them user 1 and user2). Well, I was expecting when doing command on the firewall -> watch -d pdp monitor ip 10.10.10.55 (ip of the machine), output to show BOTH users logged in, NOT just one...what seems to be happening is that command keeps switching between 2 users every minute or so...is that normal?? The reason Im asking this is because in IA setting on the gateway, option assume only one user is connected per machine is unchecked. This is important to the customer because we are doing url blocking based on the users, NOT ip addresses. Anyway, maybe Im understanding this wrong...if someone could clarify, would be awesome. Tx Andy
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-03-08 05:03 PM
In response to the_rock
Jump to solution

The Identity Agent that runs on a regular PC or Mac "assumes" a single user is present, I believe.
If it's running on both users, that might explain what's going on.

View solution in original post

0 Kudos
5 Replies
Vladimir
Champion
Champion
‎2021-03-08 04:26 PM
Jump to solution

As per IA Architecture and Best Practices , bolow are the common mistakes (see the last point):

  • Forgetting to Exclude Services(see sk131792)–When using AD Query itis highly recommended to activate “assume only one user per device” or Identity Collector which “assumes one user per device”by defaultand exclude any non-user devices that may be inspected,such as Exchange servers or Citrix servers.
  • It’salso highly recommended to exclude all known service accounts. These are not used in the user-based policy and so they create an unnecessary overhead.
  • Forgetting to Exclude Multi-user Hosts–When using ADQuery orIdentity Collector.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-08 04:45 PM
Jump to solution

How are identities being acquired in this case?
Note that in general, you can expect erratic results on multi-user machines unless it's a terminal server and you install the appropriate agent.
That said, the identity shouldn't change like that, unless it's something unique with the Mac.

0 Kudos
the_rock
Legend
Legend
‎2021-03-08 04:58 PM
In response to PhoneBoy
Jump to solution

Thanks for the input gents, appreciated. I have to do bit more testing, but I was under impression that if multiple users I logging in to the same machine, pdp monitor would show that, but I dont believe thats the case. There is IA agent installed on MAC, so it authenticates to the gateway, which then goes to AD.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-08 05:03 PM
In response to the_rock
Jump to solution

The Identity Agent that runs on a regular PC or Mac "assumes" a single user is present, I believe.
If it's running on both users, that might explain what's going on.

0 Kudos
the_rock
Legend
Legend
‎2021-03-08 05:50 PM
In response to PhoneBoy
Jump to solution

Ok, correct, that makes sense then, as it is running and showing connected on both users logged in.

 

Tx!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events