Hi All
We have integrated the CheckPoint with Active Directory to enforce user-based policy through an AD query. Post integration, we are able to fetch all user information through the dashboard, thereby create access role objects, and also push the user-based policy to the Gateway. But the main problem here is that the Gateway is not able to enforce this user-based policy.
Setup details:
Management server: Baremetal server R80.20
Gateway: 44k Chassis R80.20sp
AD server: Windows 2012
AD user for integration: Not Administrator but followed sk93938
Observation:
"#adlog a dc" command shows "has connection" to all the domain controllers.
wbemtest results show success for the user that is used to integrate with AD.
No firewall between Gateway and Domain controllers to block DCE-RPC protocol port negotiation.
No drop logs in the Gateway where AD query is running for traffic towards the Domain controller, except for the occasional TCP out-of-state drops (traffic symmetry checked).
Able to see user information from "adlog a query ip/user" command output.
Only able to see failed authentication and logout logs for the users in the CheckPoint SmartLog.
test_ad_connectivity -x <customer domain> -o my_test.txt output is shown below.
[Expert@Checkpoint-ch01-01:0]# more my_test.txt
(
:status (SUCCESS_WMI)
:err_msg ("ADLOG_SUCCESS;LDAP_PROTOCOL_ERROR")
:ldap_status (LDAP_PROTOCOL_ERROR)
:wmi_status (ADLOG_SUCCESS)
:timestamp ("Fri Jan 8 17:14:28 2021")
My Analysis:
Chances are that the domain controller is not sending user login event logs to CheckPoint.
OR
The Gateway is not able to extract the information for the logs pulled from the Domain controller.
Need your expertise to proceed further!
Thanks
Amith Gururaj Rao
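The test_ad_connectivity output quoted above is in Check Point's ":key (value)" set format, and the overall status (SUCCESS_WMI) only reflects the WMI half of the check, so the LDAP_PROTOCOL_ERROR in ldap_status and err_msg is easy to overlook. The following is an added example, not code from the original post or from Check Point: a small Python parser for that output that reads each component status and flags the ones that are not successful. The closing parenthesis of the sample, the "success tokens contain SUCCESS" rule, and the port attached to each component (TCP/135 for WMI, TCP/389 for LDAP, as mentioned later in the thread) are assumptions.

```python
import re

# Constructed sample: the my_test.txt content quoted in the post, with the
# closing parenthesis that the forum paste cut off (assumed).
SAMPLE_OUTPUT = """(
:status (SUCCESS_WMI)
:err_msg ("ADLOG_SUCCESS;LDAP_PROTOCOL_ERROR")
:ldap_status (LDAP_PROTOCOL_ERROR)
:wmi_status (ADLOG_SUCCESS)
:timestamp ("Fri Jan 8 17:14:28 2021")
)
"""

# One ':key (value)' per line; the value may be double-quoted.
FIELD_RE = re.compile(r'^:(\w+)\s+\((.*)\)\s*$')

# Per-component status fields seen in the output, mapped to what the component
# does and which transport it depends on (assumption based on the thread).
COMPONENTS = {
    'wmi_status': ('WMI event subscription', 'TCP/135 + DCE-RPC'),
    'ldap_status': ('LDAP group lookup', 'TCP/389'),
}


def parse_ad_connectivity(text):
    """Return a dict of field -> value, with surrounding quotes removed."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            key, value = m.groups()
            fields[key] = value.strip('"')
    return fields


def is_success(status):
    # Assumption: success tokens contain 'SUCCESS' (ADLOG_SUCCESS, SUCCESS_WMI).
    return status is not None and 'SUCCESS' in status


def failing_components(fields):
    """Status fields that do not report success (missing fields count as failed)."""
    return [key for key in COMPONENTS if not is_success(fields.get(key))]


def error_codes(fields):
    """err_msg packs one code per component, separated by ';'."""
    return [code for code in fields.get('err_msg', '').split(';') if code]


def report(text):
    """Human-readable verdict per component; the overall status is not enough."""
    fields = parse_ad_connectivity(text)
    lines = [f"checked at {fields.get('timestamp', '?')}: "
             f"overall {fields.get('status', '?')} (WMI only, inspect components)"]
    for key, (what, transport) in COMPONENTS.items():
        status = fields.get(key, 'missing')
        if is_success(status):
            verdict = 'ok'
        else:
            verdict = (f'FAIL ({status}) - verify {transport} reachability '
                       f'and the bind account')
        lines.append(f'{what}: {verdict}')
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_OUTPUT)))
```

For the sample, the parser reports the WMI subscription as fine and the LDAP group lookup as failed, which is the component the gateway needs to resolve group membership for access roles.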
Is there a TCP connection between the AD Servers and the gateway?
Yes, I can see traffic on ports 135 and 389 between Gateway and AD server.
Just to give more background, we are doing a migration from PAN to CheckPoint. A similar user-based policy is properly being enforced by the existing PAN gateway, but note that they are using a User-ID agent server for the AD query and the credential used by them is a super admin.
What we do with AD Query is subscribe to very specific events, which the AD Server is supposed to send us.
The gateway then looks up the groups via LDAP.
That said, for anything more than a few hundred users, Identity Collector is probably a better solution than AD Query.
Recommend a TAC case to troubleshoot this.
Thanks for the valuable input Dameon and also we will consider moving it to the TAC.
Meanwhile, during yesterday's troubleshooting it was observed that the AD server does not have Success & Failure enabled for both "Audit Account logon events" and "Audit Logon Events" as per sk60501.
So before going ahead with the enablement of these settings can the below two options work?
1. Considering the integration with an Administrator account, will it have the privilege to read the Audit logs even though Success & Failure for "Audit account logon events" and "Audit logon events" are not enabled in the AD server?
2. Will the Identity Collector be of any help in this scenario? The reason for this question is that we don't have enough information on the querying method of the Identity Collector and how different it is from the typical AD query.
@Royi_Priov will have to comment on your first question, but I suspect the answer is no.
Identity Collector is generally recommended in larger AD environments (more than a few hundred users).
It uses the Windows Event Log API for fetching the DC's security logs, which is in contrast to AD Query which uses WMI, with the identities pushed from the Active Directory server.
More details here: https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&so...
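Both replies above describe the same dependency from different angles: AD Query subscribes (via WMI) and Identity Collector reads (via the Windows Event Log API), but either way the identity source only ever sees events the domain controller actually wrote, and the audit policy decides which those are. The following is an added example, not Check Point's code or anything from this thread: a small Python model of a DC emitting Security-log events under two audit policies (the sk60501 settings versus the success-disabled state the poster observed) and of what an event-driven identity source can learn from them. The event IDs are real Windows IDs (4624 logon, 4625 failed logon, 4768 Kerberos TGT issued, 4771 Kerberos pre-authentication failed); the mapping of each audit setting to exactly those IDs, and the assumption that the gateway keys on precisely these, are simplifications for illustration.

```python
# Audit settings named in sk60501 (as quoted in the thread), each as
# (audit success?, audit failure?).
SK60501_POLICY = {
    'Audit account logon events': (True, True),
    'Audit logon events': (True, True),
}

# The state the poster observed: success auditing not enabled.
FAILURE_ONLY_POLICY = {
    'Audit account logon events': (False, True),
    'Audit logon events': (False, True),
}

# Which setting produces which Security-log event ID (simplified assumption).
# On a DC, "account logon" covers Kerberos TGT requests; "logon events"
# covers interactive/network logons to the DC itself.
EVENTS_BY_SETTING = {
    'Audit account logon events': {'success': 4768, 'failure': 4771},
    'Audit logon events': {'success': 4624, 'failure': 4625},
}

# Success IDs that carry a user and a client address; an identity source can
# only build an IP -> user mapping from these (assumption).
SUCCESS_LOGON_IDS = {ids['success'] for ids in EVENTS_BY_SETTING.values()}

# Constructed logon attempts: (user, client IP, succeeded?)
SAMPLE_ATTEMPTS = [('alice', '10.0.0.5', True), ('bob', '10.0.0.6', False)]


def generate_events(attempts, policy):
    """Model the events a DC writes for each attempt under the given policy."""
    events = []
    for user, ip, ok in attempts:
        for setting, (audit_success, audit_failure) in policy.items():
            ids = EVENTS_BY_SETTING[setting]
            if ok and audit_success:
                events.append({'EventID': ids['success'],
                               'TargetUserName': user, 'IpAddress': ip})
            elif not ok and audit_failure:
                events.append({'EventID': ids['failure'],
                               'TargetUserName': user, 'IpAddress': ip})
    return events


def build_identity_map(events):
    """IP -> user as an event-subscribing identity source would learn it.
    Failure events (the only ones the poster sees in SmartLog) yield nothing."""
    mapping = {}
    for event in events:
        if event['EventID'] in SUCCESS_LOGON_IDS:
            mapping[event['IpAddress']] = event['TargetUserName']
    return mapping


def missing_success_audit(policy):
    """Settings whose success auditing is off; each one hides identities."""
    return [name for name, (success, _) in policy.items() if not success]


if __name__ == '__main__':
    for name, policy in (('sk60501', SK60501_POLICY),
                         ('failure-only', FAILURE_ONLY_POLICY)):
        events = generate_events(SAMPLE_ATTEMPTS, policy)
        print(name, [e['EventID'] for e in events],
              build_identity_map(events), missing_success_audit(policy))
```

With the sk60501 policy the model yields a mapping for alice's client address; with success auditing off it yields only failure events and an empty map, regardless of whether the account reading the log is an administrator, because the events the gateway would need were never written.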