This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
vlw38
Explorer
‎2021-06-21 03:03 PM

UserCheck/WebBlocked messages accessing all Internet sites

(2) 5000 appliances in HA active/passive - R80.30

 

6/17: User A: suddenly receiving UserCheck/WebBlocked messages accessing ANY/ALL Internet sites.

  IT support rebooted workstation,  logged in using their own credentials and they also got the UserCheck/WebBlocked messaged.  IT support installed USB-Ethernet Adapter to try to fix issue (?):, user acquired another ip on same subnet and was able to access Internet.  About a day later, USB-Ethernet Adapter removed  , user connection normalized. User able to access Internet. No other services (email, etc) impacted.

6/16: User B: suddenly receiving UserCheck/WebBlocked messages accessing ANY/ALL Internet sites

IT Support changed user over to WIFI (?) and user was able to access Internet. No other services (email, etc) impacted.

 All Internet access rules based on IdentityAwareness/AD query/. UserA/UserB log shows their requests  matching on a BlockedMessage rule which uses ip address only and action= deny for all Internet access.  Seems like User_A/B have "lost" their AD group mappings so their Internet access doesn't match on  rules based on IdentityAwareness/AD query and matches on the rule based on ip address, action=deny...Checking  pepd/ pdpd logs and AD server but nothing yet.  No recent changes - IA/AD query/UserCheck configs all active for 1 year+ w/no issues.   Any suggestions?

 

0 Kudos
3 Replies
the_rock
Legend
Legend
‎2021-06-21 05:18 PM

What do your https inspection rules look like? When you have user belonging to say access role that would get blocked to for example, gambling sites, do you see block page and if you run command pdp monitor user username, what does it show? Say user ID is johnwayne, what would pdp monitor user johnwayne show you? Does it show that user belong to the right groups? Have you tried doing pdp update all?

Is this brand new issue, has been happening for some time?

0 Kudos
vlw38
Explorer
‎2021-06-22 06:41 AM
In response to the_rock

Thank you for responding.  HTTPS inspection not enabled. Ran PDP monitor and both users(s) belong to the correct groups. Have not tried pdp update all.  This is brand new issue. 

0 Kudos
the_rock
Legend
Legend
‎2021-06-22 06:46 AM
In response to vlw38

Thats a bit odd that users would get blocked page is https inspection is off. Can you send a screenshot if possible?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events