This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
clement_leconte
Explorer
‎2022-03-31 02:05 AM
Jump to solution

Rules containing an Access Role which is a group containing a user from another AD does not match

Hello everyone, 

 

I didn't found the location for Identity Awareness issues, therefore I picked General Topics but if anyone knows what is the right location please let me know,

 

The title is a bit long and maybe will not be clear enough so here's my case : 

First the architecture : 

  • I have one checkpoint Gateway (4400) on standalone configuration with the R80.40 release
  • I have 2 Active Directories (let's say A and B) which are on different VLANs (respectively 1 and 2) which are on a trust relationship (I can log on a computer being in domain A with an account of domain B)
  • I have one computer which is in VLAN 1 and registered in domain B

The main purpose of this architecture is to test Identity Awareness and its abilities, 

I've decided to use the terminal agents (light version) and managed to make kerberos logging in for both domain, I've set up rules to test both users from A and B and everything is fine so far. 

 

But when I've tried to create a rule with an Access Role containing a local group created on A that is containing users of B the users of B aren't matched on the rule while users of A that are in the same local group are matched by the rule,

 

Actually we won't have the access on B to create and manage groups, I know that we can do the same thing by creating an Access Role on the SmartConsole and adding the groups / users to it and it should be working fine but this will be tedious as all groups/OU... are already created on A

Is there anything that I can do to fix this or am I missing something ? 

 

I know that it may not be clear so feel free to ask any question you have,

Thanks in advance for your help and your time,

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2022-04-04 08:25 AM
Jump to solution

The group information for a user is only obtained by querying the relevant AD domain via LDAP.
Since you're not querying the users of B (and only A), the users from B won't be part of the relevant group.
This seems like expected behavior.

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2022-04-04 08:25 AM
Jump to solution

The group information for a user is only obtained by querying the relevant AD domain via LDAP.
Since you're not querying the users of B (and only A), the users from B won't be part of the relevant group.
This seems like expected behavior.

0 Kudos
clement_leconte
Explorer
‎2022-04-04 08:32 AM
In response to PhoneBoy
Jump to solution

Thanks for your answer, 

So even if the user is in the group, the rule won't match because they are not created on the same AD domain ? 
There is no other solution to counter this than creating Access Roles containing both users/groups of A and B ? 

0 Kudos
PhoneBoy
Admin
Admin
‎2022-04-04 09:58 AM
In response to clement_leconte
Jump to solution

Right, because the underlying LDAP query is likely only getting the users from the domain in which it is queried, not the ones from the cross-trust relationship.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events