We have rules for providing basic Internet access:
1. Through a group in Active Directory (Access Role)
2. Through a group of IP addresses (network group)
In the Access Role, under the Users tab, there is an AD group <group> with more than 2000 users, but normally only 300 users come through.
When checking the problem user in the PDP, the command output shows:
1. "Groups: All Users" (this user is a member of an AD group)
2. "Roles: -" (Access Role not defined)
Therefore the given user does not fall under our rule. At the same time, the given user is a member of the AD group.
Conclusion: the traffic does not reach the target rule (the one with Active Directory) but goes through other rules (without Active Directory), because Check Point cannot correctly identify which AD group the user is in.
We tried sk106964.
We tried placing rules with the Access Role above the rules that allow by IP.
These solutions did not solve our problem.
Also, we have rules where some users are given Internet access through Active Directory; the rules work, but after some time Internet access is lost and traffic stops matching the rule.
We have a main domain and subdomains; users from the subdomains are also present in the main domain.
Please advise: have you faced such problems, and were you able to solve them?
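The symptom in the post is visible per user in the PDP ("Groups: All Users" with "Roles: -"), but with 2000 group members and only 300 matching, the useful question is how many sessions fall into which failure bucket. The following script is an added example written for this thread; it is not code from Check Point or from the posters. It assumes a "Key: value" per-session layout for pdp monitor output (the real layout on your gateway may differ; adjust parse_pdp_sessions accordingly), and the group name, role name and session records in it are constructed for the example, not captured from a real gateway.

```python
"""Triage helper for Check Point Identity Awareness role mapping.

Added example for this thread, not code from Check Point or from the posters.
It parses text in the "Key: value" per-session layout assumed here for
`pdp monitor` output (the real layout may differ; adjust parse_pdp_sessions)
and sorts each session into one of three buckets, so the symptom in the post
("Groups: All Users" together with "Roles: -") can be counted across many
users instead of one `pdp monitor user <user>` at a time.
"""
import re
from dataclasses import dataclass

# Constructed sample, not captured from a gateway. Group and role names are
# assumptions chosen for the example.
SAMPLE_PDP_OUTPUT = """\
Session: 1001
Ip: 10.10.1.15
Users: jdoe
Groups: ad_group_Internet_Users;All Users
Roles: Internet_Users

Session: 1002
Ip: 10.10.1.16
Users: asmith
Groups: All Users
Roles: -

Session: 1003
Ip: 10.10.1.17
Users: bwong
Groups: ad_group_Internet_Users;All Users
Roles: -
"""

EXPECTED_GROUP = "ad_group_Internet_Users"   # assumed AD group name
EXPECTED_ROLE = "Internet_Users"             # assumed Access Role name


@dataclass
class PdpSession:
    session: str
    ip: str
    user: str
    groups: list
    roles: list


def _split_list(value: str) -> list:
    """Assumed convention: '-' means an empty list, ';' separates entries."""
    value = value.strip()
    if value in ("", "-"):
        return []
    return [item.strip() for item in value.split(";") if item.strip()]


def parse_pdp_sessions(text: str) -> list:
    """Parse blank-line separated 'Key: value' records into PdpSession objects."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "session" not in fields:
            continue
        sessions.append(PdpSession(
            session=fields["session"],
            ip=fields.get("ip", ""),
            user=fields.get("users", ""),
            groups=_split_list(fields.get("groups", "")),
            roles=_split_list(fields.get("roles", "")),
        ))
    return sessions


def classify(session: PdpSession, group: str = EXPECTED_GROUP,
             role: str = EXPECTED_ROLE) -> str:
    """Map a session to the diagnostic bucket a practitioner would act on.

    ok               group learned and Access Role assigned: rule should match
    group_missing    PDP never learned the AD group: look at the LDAP Account
                     Unit, branch fetch and pdp idc groups_update status
    role_not_mapped  group is present but no Access Role was derived from it:
                     check how the Access Role references the group
    """
    if group not in session.groups:
        return "group_missing"
    if role not in session.roles:
        return "role_not_mapped"
    return "ok"


def triage(text: str) -> dict:
    """Return {bucket: [usernames]} for every session in the PDP output."""
    buckets = {"ok": [], "group_missing": [], "role_not_mapped": []}
    for s in parse_pdp_sessions(text):
        buckets[classify(s)].append(s.user)
    return buckets


if __name__ == "__main__":
    for bucket, users in triage(SAMPLE_PDP_OUTPUT).items():
        print(f"{bucket:16s} {len(users):4d}  {', '.join(users)}")
```

The two failure buckets point at different parts of the chain: group_missing means the identity source (Identity Collector, LDAP Account Unit, group update) never delivered the membership to the PDP, while role_not_mapped means the membership arrived but the Access Role did not match it, which is what the post's "Groups: All Users" / "Roles: -" pair most resembles. Feed the script the saved output of your own pdp monitor run and compare the bucket sizes against the 2000 versus 300 figures.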
Hello,
Do you use AD Query as the source, or Identity Collectors (IDC)? Also, for the rule with an Access Role: does the rule not work at all, or only for a limited number of users? Did the rule ever work before? What are the settings of the LDAP Account Unit? Does everything look correct there? Are you able to fetch branches?
If you use AD Query, I would recommend using Identity Collectors. This is the way to go now.
1. We use IDC as the source.
2. Some rules work for a limited number of users, some do not work at all; they did not work correctly before either.
3. Tell me, what settings should we check?
3: Under the LDAP Account Unit, check that the domain is correct. Try to fetch the branches from all DCs. If LDAPS is used, try to fetch the fingerprint and see whether it has changed.
Also, what is the output of pdp idc groups_update status on the gateways?
We checked that the domain is correct; everything is set up correctly.
We tried to get the branches from all DCs.
pdp idc groups_update status was disabled; we turned it on and then checked with the command:
pep show user query usr <user>
The problem was not solved.
Please open a TAC request.
We have opened a case with TAC, but we have still not been offered any solution for a long time.