Good day!
We have:
1. SG 81.20
2. IC 81.040
3. Cisco ISE 3.0
GW taking logs from Identity Collector -> Identity collector taking logs from Cisco ISE -> Cisco ISE taking Identites and logs from Active Directory
In SMS (Smarconsole):
1) We have LDAP account unit object of LDAP
2) We have only Identity Collector identity source
In IC:
1) We have only ISE group in the Query pool. ISE machine is green. Log collected with Username.
3) In GW
pdp don t take username, because of it rules don t work properly (ise-1 computer that admins ise, just example)
In smartconsole we see this on every login attempt:
I checked every setting on everything, but I still don’t understand what could be wrong.
I meant from ISE. What's the Username collected from ISE? sAMAccountName or UserPrincipalName?
PDP needs something to make ldap query for group membership resolution.
Error message from Smartlog in your post may point to the issue that the wrong one is used.
In case the Attr received leads to errors when trying to resolve group memberships, sometimes UserLoginAttr is to be modified in the Checkpoint Database using guidbedit.
In case pdp process queries using wrong attr, user cannot be found, leading to same error message as above.
To clarify, you might want to debug.
Then first enable debug on the PDP
fw debug fwd off PDP_LOG_SIZE=50000000
fw debug fwd off PDP_NUM_LOGS=20
fw kill pdpd
pdp debug off
pdp debug reset
pdp debug set all all
replicate issue
disable debug
fw debug fwd off PDP_LOG_SIZE=10000000
fw debug fwd off PDP_NUM_LOGS=10
pdp debug off
pdp debug reset
fw kill pdpd
and then you are able to analyse the collected files in $FWDIR/logs/pdpd.elg*
In case my idea is correct, you could see hints pointing to that.
Or maybe pointing to a different root cause.
| User | Count |
|---|---|
| 23 | |
| 17 | |
| 16 | |
| 13 | |
| 8 | |
| 8 | |
| 7 | |
| 5 | |
| 5 | |
| 5 |
Tue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 12 Nov 2024 @ 02:00 PM (CET)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - EMEATue 12 Nov 2024 @ 11:00 AM (EST)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (AMERICAS)Tue 12 Nov 2024 @ 02:00 PM (EST)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - AmericasTue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 12 Nov 2024 @ 02:00 PM (CET)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - EMEATue 12 Nov 2024 @ 11:00 AM (EST)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (AMERICAS)Tue 12 Nov 2024 @ 02:00 PM (EST)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - AmericasWed 20 Nov 2024 @ 05:00 PM (CET)
Under the Hood: DO NOT Renew your WAF without watching THIS!!Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaSThu 21 Nov 2024 @ 02:00 PM (MST)
Denver North: Infinity External Risk Management and Harmony SaaSTue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management Workshop
