This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
lzl
Participant
‎2025-09-02 07:50 AM

Multiple Users in Source User Name

I have running Identity Awareness by using Identity Collector method to collect the info.

I had login a PC via multiple user. In log, the source username show both name.

 

Based on below article, it can solved by tick ""Assume that only one user...". but this is using AD Query method.

https://community.checkpoint.com/t5/Security-Gateways/Identity-Awareness-Multiple-Users-as-Source-Us...

 

so now i using Identity Collector, what setting i can change to solve this issue? 

 

 

0 Kudos
6 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-09-02 10:40 AM

Is option I pointed to checked?

Andy

Best,
Andy
Preview file
46 KB
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-09-02 07:00 PM

IDC as far as I know should already assume a single user per computer, per:

https://support.checkpoint.com/results/sk/sk105889

You can check the current state of that option on your gateway with: pdp conciliation idc_multiple_users stat

If it's already disabled but you're still seeing multiple users per machine, best raise a TAC case for investigation.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-09-02 07:04 PM
In response to emmap

Never seen that sk, thank you for that!

Andy

Best,
Andy
0 Kudos
lzl
Participant
‎2025-09-02 08:28 PM
In response to emmap

Hi Emmap,

Thanks for sharing.

My setup requirement also is allow one user can login into a decvice at once. Just the PC will be use by multiple people. So the PC will login by multiple users. So in the "source name", i will see the username who had login to this PC. 

In identity collector, when select the IP related, i can see many username logged in the list. I try tick the "Ignore revoked user" to check it work or not. 

As i asking this is to confirm even though there have 2 username showed, but only the latest user will used by gateway when go through the rule right? because i have some issue (seem latest logged user can using previous user rights asboth users in different group ) when do the testing.

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-09-02 11:03 PM
In response to lzl

You'll see in the traffic logs who the gateway is associating with which IP address. If there's only the one user there, then that's already ensuring that only the latest user to log in is associated with the IP address.

0 Kudos
PhoneBoy
Admin
Admin
‎2025-09-03 08:40 AM
In response to lzl

For a computer where multiple people are logged in at the same time, consider using the Multi-User Host agent, which can actually differentiate access by multiple users from the same computer.

When not using MUH and not, if multiple identities are associated with an IP due to configuration (e.g. pdp conciliation idc_multiple_users is enabled), all of the identities will apply to the IP. 
Which explains the behavior you are seeing precisely.
Note all of this is described in sk105889 though it doesn't list the command to disable it (e.g. pdp conciliation idc_multiple_users disable), which is what you need to do here to get the behavior you desire.
I assume pdp c

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events