Henrik_Oersnes_
Explorer

Identity collector and MUH agent - Ignores more than 7 Logins

Hi all Checkmates,

This is my first post, so first of all thanks for all the great posts and knowledge sharing.

This weekend I changed my FW setup from identity sharing to identity collector, for a simpler identity sharing between my firewalls.
On the firewall clusters I also disabled "Active directory query" as this would be done on the ID Collector.


Now FWCLUS01/DMZ ignores more than 7 logins:
"x.x.x.x with machine: Termial-Server100@domain.xzy, was marked as a multi user host IP. user login events for that IP will be ignored from now on"

It is ignored when it hits the native Multi-user host Detection Threshold = 7. I have tried to change this threshold by using the CLI configuration tool "adlogconfig a", changing the "Multi-user host Detection Threshold" to "10" and installing policy.
This does not change the behavior.

Do any of you know if this setting is an option when running with Identity collector?

The Firewall (FWCLUS02/WAN) collecting users from the terminal server via MUH Agent is accepting the increase of "Multi-user host Detection Threshold", but I guess this is because the MUH Agent config is this FWCLUS02/WAN and it looks at the parameter.

My firewall setup:
The user on the terminal server environment is authenticated with MUH agent against FWCLUS02/WAN = blue line
Identity sharing is used on both FWCLUS01/DMZ and FWCLUS02/WAN, shown as the green line
VDA User A is connecting to the DMZapplication = red line
All FW/SMS is running R80.40 Take 118

CHK Identity collector.jpg

When the VDA user A connects to DMZapplication, FWCLUS01/DMZ looks up the amount of users on the terminal server from identity collector, and if it is above 7 it will add into this state: "x.x.x.x with machine: Termial-Server100@domain.xzy, was marked as a multi user host IP. user login events for that IP will be ignored from now on"

It looks like when Identity collector is used, I'm missing the parameter to increase "Multi-user host Detection Threshold" to more than 7.

Hope someone in the CheckMates community has been through the same and has a solution for it.

/Henrik
