Thanks for the prompt response 🙂

how would you validate the change from the checkpoint estate? if disabling and re-enabling/configuring the blade isn't necessary can the instructions be updated?

I assume you can see the changes reflected in the adlogconfig output.

indeed so - thank you, also seems you can revert the setting by choosing option 21 again from adlogconfig a

[ ] Override configuration
[ ] Enable Adlog
[ ] Enable log for login or logoff
[ ] Use log original creation time
Association timeout : 0
Full Name Query Interval (days, 0=disabled) : 0
Full Name Fetch Hour : 0
Multi-user host Detection Threshold: 7
Revoked user timeout interval : 14400
[X] Enable Multi-User Host persistence DB
Multi-User Host persistence machine timeout (minutes): 2592000
Service Account Detection Threshold: 10
[ ] Automatically Exclude Service Accounts
[ ] Override default communication parameters
Query Within count : 0
Query Max returned objects in each iteration: 0
[X] Disable password expiration check
[X] Use NTLMv2 <===========you are correct!
[ ] Single User Assumption
[ ] Don't report machines
[X] LDAP groups update notifications
Notifications accumulation time : 10 (sec)
[X] Notify only user-related LDAP changes
[ ] Prefer IPv6 DC addresses
[1] WMI query Type

====================================================

1 - Override file
2 - AD Log feature
3 - Enable log for login or logoff
4 - Use log original creation time
5 - Association timeout
6 - Full Name Query Interval
7 - Full Name Fetch Hour
8 - Add Domain name
9 - Delete Domain
10 - Username
11 - Password
12 - Domain Controllers
13 - Change Multi-User detection threshold
14 - Change Revoked User timeout interval
15 - Multi-User Host Persistence DB
16 - Multi-User Host Persistence machine timeout
17 - Override Default Communication Parameters
18 - Query Within interval
19 - Max returned objects in each iteration
20 - Password expiration check
21 - Use NTLMv2
22 - Single User Assumption
23 - Change Service Account Detection Threshold
24 - Ignore Events From Different Domains
25 - Automatically Exclude Service Accounts
26 - Don't report machines
27 - Turn LDAP groups update on/off
28 - Notifications accumulation time
29 - Update only user-related LDAP changes
30 - Prefer IPv6 DC addresses
31 - WMI Query Type
32 - Exit without saving
33 - Exit and save

Please enter your choice: 33
- Saving configuration file '/opt/CPsuite-R81.10/fw1/conf/ad_log_override.C'
Note: you can run 'adlogconfig a -test domainName' in order to test connectivity
[Expert@r81mgmt:0]# adlogconfig

adlogconfig usage:
adlogconfig l [-test domainName] - if you are using Identity Logging
adlogconfig a [-test domainName] - if you are using AD Query (Identity Awareness)

I do suspect the steps to disable and re-enable the identity awareness blade are necessary though and i expect we can only validate gateways are doing ntlmv2 in packet captures(?)

This was extremely helpful for me. Thank you.

Hi, Can you please confirm if this apply for R80.30 too. Thanks

After I made the initial change / tested, we confirmed IA was still reaching out to AD via NTLMv1. We are utilising R81.

Reaching out to TAC they recommended reinstalling IA, ie.. general properties, disable / reenable IA (without OK) and follow the wizard. This has now been done on CP, and Im waiting from monitoring back from Server.

Once I have the results.. .I will post again.

Hi @checkandmate,

I'm looking at the same thing, did this work for you? Can you share your feedback on the procedure?

Thanks!

Update

After performing the above procedure we still found NTLMv1 traffic reaching out to the DC's. Another ticket was raised with TAC and confirmed this is expected behavior. See CP reply :-

"As we discussed over the phone,  even you move to NTLMv2, the gateway will still show the NTLMv1. Even if the GW is set to use v2, it still tries v1 before anything else. If  the SMS output of "adlogconfig" shows Use NTLMv2, then the database will be pushed to FW to use NTLMv2

Regards,"