checkandmate
Explorer

Switching Identity Awareness AD - NTLMv1 to NTLMv2

Hi All

Forgive me if this has been asked before, I could not find any posts which answered this... currently have Identity Awareness configured and using NTLMv1. Planning to migrate to NTLMv2.

Version R80.40 181

Reviewed ...

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_IdentityAwareness_AdminGuide...

Would like to confirm the steps for a platform already using IA.

After step ...

 

  • On the Security Management Server:

    1. Connect to the command line.

    2. Log in to the Expert mode.

    3. Run:

      adlogconfig a

    4. Enter the number of this option:

      Use NTLMv2

    5. Enter the number of this option:

      Exit and save

 

My concern is step (c). Do you need to disable / enable IA blade - then run back through the wizard to essentially reinstall IA?

Just need a little clarification.

Thanks in advance.

Shane

0 Kudos
5 Replies
PhoneBoy
Admin

Pretty sure this is not required.

0 Kudos
checkandmate
Explorer

Thanks for the prompt response 🙂

0 Kudos
LazarusG
Explorer

How would you validate the change from the Check Point estate? If disabling and re-enabling/configuring the blade isn't necessary, can the instructions be updated?

0 Kudos
PhoneBoy
Admin

I assume you can see the changes reflected in the adlogconfig output.

0 Kudos
LazarusG
Explorer

Indeed so, thank you. It also seems you can revert the setting by choosing option 21 again from adlogconfig a:

[ ] Override configuration
[ ] Enable Adlog
[ ] Enable log for login or logoff
[ ] Use log original creation time
Association timeout : 0
Full Name Query Interval (days, 0=disabled) : 0
Full Name Fetch Hour : 0
Multi-user host Detection Threshold: 7
Revoked user timeout interval : 14400
[X] Enable Multi-User Host persistence DB
Multi-User Host persistence machine timeout (minutes): 2592000
Service Account Detection Threshold: 10
[ ] Automatically Exclude Service Accounts
[ ] Override default communication parameters
Query Within count : 0
Query Max returned objects in each iteration: 0
[X] Disable password expiration check
[X] Use NTLMv2 <===========you are correct!
[ ] Single User Assumption
[ ] Don't report machines
[X] LDAP groups update notifications
Notifications accumulation time : 10 (sec)
[X] Notify only user-related LDAP changes
[ ] Prefer IPv6 DC addresses
[1] WMI query Type

====================================================

1 - Override file
2 - AD Log feature
3 - Enable log for login or logoff
4 - Use log original creation time
5 - Association timeout
6 - Full Name Query Interval
7 - Full Name Fetch Hour
8 - Add Domain name
9 - Delete Domain
10 - Username
11 - Password
12 - Domain Controllers
13 - Change Multi-User detection threshold
14 - Change Revoked User timeout interval
15 - Multi-User Host Persistence DB
16 - Multi-User Host Persistence machine timeout
17 - Override Default Communication Parameters
18 - Query Within interval
19 - Max returned objects in each iteration
20 - Password expiration check
21 - Use NTLMv2
22 - Single User Assumption
23 - Change Service Account Detection Threshold
24 - Ignore Events From Different Domains
25 - Automatically Exclude Service Accounts
26 - Don't report machines
27 - Turn LDAP groups update on/off
28 - Notifications accumulation time
29 - Update only user-related LDAP changes
30 - Prefer IPv6 DC addresses
31 - WMI Query Type
32 - Exit without saving
33 - Exit and save

Please enter your choice: 33
- Saving configuration file '/opt/CPsuite-R81.10/fw1/conf/ad_log_override.C'
Note: you can run 'adlogconfig a -test domainName' in order to test connectivity
[Expert@r81mgmt:0]# adlogconfig

adlogconfig usage:
adlogconfig l [-test domainName] - if you are using Identity Logging
adlogconfig a [-test domainName] - if you are using AD Query (Identity Awareness)

 

I do suspect the steps to disable and re-enable the Identity Awareness blade are necessary though, and I expect we can only validate that gateways are doing NTLMv2 in packet captures(?)

0 Kudos
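The two validation angles raised in this thread (what adlogconfig reports, and what the gateway actually sends to the domain controller) can both be checked mechanically. The script below is an added example, not code from the thread or from Check Point. The first half parses the checkbox/value status block that `adlogconfig a` prints (the sample text is a trimmed, constructed copy of the output posted above, with the annotation removed) and reports whether "Use NTLMv2" is ticked. The second half takes a raw NTLMSSP AUTHENTICATE_MESSAGE (type 3), as you would extract it from the LDAP or RPC authentication exchange in a capture, and classifies it by the shape of its NtChallengeResponse per MS-NLMP: a 24-byte response is NTLMv1, while an NTLMv2 response is a 16-byte NTProofStr followed by an NTLMv2_CLIENT_CHALLENGE whose first two bytes are 0x01. The `build_authenticate_message` helper, the dummy response bytes, and the domain/user names are constructed purely to give the classifier offline input; they contain no real hashes.

```python
import re
import struct

# ---- 1. Configuration side: the status block printed by `adlogconfig a` ----

# Constructed sample, trimmed from the output posted in the thread (annotation removed).
SAMPLE_STATUS = """\
[ ] Override configuration
[ ] Enable Adlog
Revoked user timeout interval : 14400
[X] Enable Multi-User Host persistence DB
[X] Disable password expiration check
[X] Use NTLMv2
[ ] Single User Assumption
Notifications accumulation time : 10 (sec)
[1] WMI query Type

====================================================

1 - Override file
21 - Use NTLMv2
"""

FLAG_RE = re.compile(r"^\[([ X])\]\s+(.+?)\s*$")
VALUE_RE = re.compile(r"^(.+?)\s*:\s*(.+?)\s*$")


def parse_adlogconfig_status(text):
    """Split the checkbox/value block into (flags, values).

    flags  -> {'Use NTLMv2': True, ...}
    values -> {'Revoked user timeout interval': '14400', ...}
    Parsing stops at the '====' separator so the numbered menu is ignored.
    """
    flags, values = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("===="):
            break
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(2)] = m.group(1) == "X"
            continue
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return flags, values


def ntlmv2_enabled(text):
    """True when the saved AD Query configuration has 'Use NTLMv2' ticked."""
    flags, _ = parse_adlogconfig_status(text)
    return flags.get("Use NTLMv2", False)


# ---- 2. Wire side: what the gateway actually sends to the domain controller ----

NTLMSSP = b"NTLMSSP\x00"


def _field(buf, offset):
    """Resolve an MS-NLMP Len/MaxLen/BufferOffset triplet to the bytes it points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", buf, offset)
    if start + length > len(buf):
        raise ValueError("field points outside the message")
    return buf[start:start + length]


def classify_ntlm_authenticate(buf):
    """Classify an NTLM AUTHENTICATE_MESSAGE (type 3) by its NtChallengeResponse.

    24 bytes                          -> NTLMv1 (NTLM_RESPONSE)
    >= 48 bytes, bytes 16/17 == 0x01  -> NTLMv2 (NTProofStr + NTLMv2_CLIENT_CHALLENGE)
    0 bytes                           -> anonymous
    """
    if len(buf) < 64 or buf[:8] != NTLMSSP or struct.unpack_from("<I", buf, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    nt_resp = _field(buf, 20)          # NtChallengeResponseFields sits at offset 20
    if not nt_resp:
        return "anonymous"
    if len(nt_resp) == 24:
        return "NTLMv1"
    if len(nt_resp) >= 48 and nt_resp[16] == 0x01 and nt_resp[17] == 0x01:
        return "NTLMv2"
    return "unknown"


def build_authenticate_message(nt_resp, domain="EXAMPLE", user="svc_adquery"):
    """Assemble a minimal type 3 message around a given NtChallengeResponse.

    Only used to construct offline test input: LM response, workstation and
    session key are empty, and the flags value is a constructed placeholder.
    """
    header_len = 64                         # signature + type + 6 fields + flags
    fields = [b"", nt_resp, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), b"", b""]
    msg, payload = NTLMSSP + struct.pack("<I", 3), b""
    for data in fields:
        msg += struct.pack("<HHI", len(data), len(data), header_len + len(payload))
        payload += data
    msg += struct.pack("<I", 0x00000201)    # NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    return msg + payload


# Constructed responses: dummy bytes, not real hashes.
NTLMV1_NT_RESPONSE = bytes(range(24))
NTLMV2_NT_RESPONSE = (bytes(16)                                     # NTProofStr
                      + b"\x01\x01" + b"\x00\x00" + b"\x00" * 4     # RespType, HiRespType, reserved
                      + b"\x00" * 8                                 # TimeStamp
                      + b"\x11" * 8                                 # ChallengeFromClient
                      + b"\x00" * 4                                 # Reserved3
                      + b"\x00" * 4)                                # AvPairs: MsvAvEOL


if __name__ == "__main__":
    print("config says NTLMv2:", ntlmv2_enabled(SAMPLE_STATUS))
    for label, resp in (("v1", NTLMV1_NT_RESPONSE), ("v2", NTLMV2_NT_RESPONSE)):
        print(label, "->", classify_ntlm_authenticate(build_authenticate_message(resp)))
```

Feed `parse_adlogconfig_status` the text from a real `adlogconfig a` session (copied from the terminal or a log of it), and feed `classify_ntlm_authenticate` the NTLMSSP bytes that Wireshark's ntlmssp dissector shows for the gateway-to-DC authentication; seeing "NTLMv1" on the wire after the config reports "Use NTLMv2" ticked would be the signal that a policy push or blade restart is still needed.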