This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Cesar_Santos
Explorer
‎2020-11-17 10:49 AM
Jump to solution

Logs with multiple source users

Hi CheckMates,

I'm seeing a strange behaviour on the logs of my gateway cluster (R80.30). Basically, I'm seeing multiple users on the source username column of the traffic logs. 

Screenshot 2020-11-17 at 18.42.46.png

 

The problem with this is that the rules are not properly applied, because we're using access roles to manage the permissions. We're using the Identity Collector to see all the logon and logoff events in our microsoft AD. 

So, anyone knows a possible root cause for this? How can I solve this issue?

Regards

 

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
Authority
Authority
‎2020-11-18 07:34 AM
In response to Cesar_Santos
Jump to solution

@Cesar_Santos 

I thought as much. If you use the "switch user" function you have two logged in user on this host. The same applies to "run as" feature. From Check Points identity view this is expected behaviour. You can solve this with defining your hosts as multiuser hosts like Terminal- or Citrixserver. For this you have to install the MUH-agent on these hosts.

Have a look at Identity Agent Incorrectly Assigns Users To IP When Using The "Switch User" Function On Windows Clie... 

and for MUH2 agent  Terminal Server Agent v2 (MUH2) - FAQ 

regards

Wolfgang

View solution in original post

0 Kudos
6 Replies
Wolfgang
Authority
Authority
‎2020-11-17 01:05 PM
Jump to solution

Is the source host a terminal- or Citrixserver with more then one user logged in?

Did you exclude all service accounts on your Identity collectors? Are there any software running on the source host with specific user accounts?

There are some possibilities that more then one user logged in on a host at the same time.

Wolfgang

0 Kudos
Cesar_Santos
Explorer
‎2020-11-18 12:59 AM
In response to Wolfgang
Jump to solution

Hi,

This an host terminal. We're are talking about a medical center in our national healthcare system. So, we've multiple machines in medical rooms that are used by multiple users, not at the same time, but one at a time. The end users, let say multiple doctors, they may or may not end their windows sessions. So, when the next doctor comes up to the end machine, they could have another user account logged in. So, this doctor will use the "Switch User Account" option on Windows to login in his session. From the Administrator point of view, we will have multiple sessions in the state of "Disconnected" and one session as in "Active" state. How will the Identity collector handle this? Will he use only the last logged in user, with the active session? That, at least, is what I expect. 

We've excluded all the service accounts from the Identity collectors. Regarding software running with specific user accounts, let's say that a Domain admin goes to one of these machines to install a new software. Instead of disconnect the session on the end user, the domain admin click the right button and uses the "Run as Administrator" feature to install the software. The Identity collector will send te new IP/user mapping to the gateways. The problem is that this is not a real new login event. So, these kind of events should be ignored. If they don't, we will have multiple access roles that are not properly applied. With that, we will have users with permissions to use some Apps or to access to some URLS that they shouldn't.

 

Regards   

0 Kudos
Wolfgang
Authority
Authority
‎2020-11-18 07:34 AM
In response to Cesar_Santos
Jump to solution

@Cesar_Santos 

I thought as much. If you use the "switch user" function you have two logged in user on this host. The same applies to "run as" feature. From Check Points identity view this is expected behaviour. You can solve this with defining your hosts as multiuser hosts like Terminal- or Citrixserver. For this you have to install the MUH-agent on these hosts.

Have a look at Identity Agent Incorrectly Assigns Users To IP When Using The "Switch User" Function On Windows Clie... 

and for MUH2 agent  Terminal Server Agent v2 (MUH2) - FAQ 

regards

Wolfgang

0 Kudos
Cesar_Santos
Explorer
‎2020-11-18 07:51 AM
In response to Wolfgang
Jump to solution

Hi Wolfgang,

Thanks a lot for your help. I've really appreciated.

Regards

0 Kudos
Cesar_Santos
Explorer
‎2020-11-18 09:30 AM
In response to Wolfgang
Jump to solution

Hi Wolfgang,

So, I've forgotten to ask you something. The MUH-Agent only works for Windows Server, right? Ate least that is my understanding of the documentation https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut....

Regards 

0 Kudos
Wolfgang
Authority
Authority
‎2020-11-18 10:35 PM
In response to Cesar_Santos
Jump to solution

Yes Cesar,

the agents are available only for Windows.

Wolfgang

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events