Arturxr
Explorer

Problem with the operation of the user identification function in Check Point by domain accounts

We have rules for providing basic Internet access:
1. Through a group in the active directory (access role)
2. Through a group with ip addresses (network group)
In the access role, under the Users tab, there is an AD group <group> with more than 2000 users, but normally only 300 users come through.
When checking the problem user in PDP, the output of the command shows that:
1. "Groups: All Users" (This user is a member of an AD group)
2. "Roles: -" (Access Role not defined)

Therefore the given user does not fall under our rule. At the same time the given user is a member of the AD group.
Conclusion: The traffic doesn't reach the target rule (with Active Directory), but it goes through other rules (not with Active Directory), because Check Point cannot correctly identify the AD group the user is in.
We tried sk106964.
We tried rules with access role raised above allowing rules by ip
These solutions did not solve our problems.
Also, we have rules where some users are given Internet access via Active Directory; the rules work, but after some time Internet access is lost and traffic stops matching the rule.
We have a main domain and subdomains; users from subdomains are also present in the main domain.
Please advise, have you faced such problems and were you able to solve them?
0 Kudos
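As an added triage example (not part of the thread or Check Point's own tooling): the post above checks one user in PDP by hand and finds "Groups: All Users" with "Roles: -". This script does the same comparison in bulk against an exported AD group member list, sorting members into those with no identity session at all, those whose session lacks the AD group (the symptom quoted above), and those whose group resolved but no access role matched. The "User:/Groups:/Roles:" layout, the sample dump and all group, role and user names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample: several per-user PDP lookups saved to one file. Only the
# "Groups:" / "Roles:" lines follow what the thread quotes; the "User:" header
# and every name below are assumptions made for this example.
PDP_DUMP = """\
User: alice
Groups: All Users, Internet-Users
Roles: Internet_Access_Role

User: bob
Groups: All Users
Roles: -

User: carol
Groups: All Users, Internet-Users
Roles: -
"""

# Constructed: member list of the AD group referenced by the access role.
AD_GROUP_MEMBERS = {"alice", "bob", "carol", "dave"}

@dataclass
class PdpUser:
    name: str
    groups: list = field(default_factory=list)
    roles: list = field(default_factory=list)

def parse_pdp_dump(text):
    """Split the dump into PdpUser records; a value of '-' means an empty list."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User:"):
            current = PdpUser(line.split(":", 1)[1].strip())
            users[current.name] = current
        elif current and line.startswith(("Groups:", "Roles:")):
            key, value = line.split(":", 1)
            items = [] if value.strip() == "-" else [v.strip() for v in value.split(",")]
            setattr(current, key.lower(), items)
    return users

def triage(ad_members, pdp_users, ad_group, role):
    """Bucket each AD member by the stage at which identity resolution stops short."""
    report = {"no_session": [], "group_not_resolved": [], "role_not_matched": []}
    for name in sorted(ad_members):
        user = pdp_users.get(name)
        if user is None:
            report["no_session"].append(name)          # PDP never saw a login
        elif ad_group not in user.groups:
            report["group_not_resolved"].append(name)  # the thread's symptom
        elif role not in user.roles:
            report["role_not_matched"].append(name)    # group OK, role not hit
    return report

if __name__ == "__main__":
    result = triage(AD_GROUP_MEMBERS, parse_pdp_dump(PDP_DUMP), "Internet-Users", "Internet_Access_Role")
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or 'none'}")
```

A large "group_not_resolved" bucket points at group fetching on the PDP (LDAP account unit, branches, groups_update), while a large "no_session" bucket points at the identity source (IDC collector coverage) instead.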
6 Replies
Lesley
Leader

Hello,

Do you use AD Query as source or IDC collectors? Also, the rule with an access role: does the rule not work at all, or only for a limited number of users? Did the rule ever work before? How are the settings for the LDAP account unit? Does everything look correct over there? Are you able to fetch branches?

If you use AD Query, I would recommend using IDC collectors. This is the way to go now.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Arturxr
Explorer
1. We use IDC as source
2. Some rules work for a limited number of users, some do not work at all, did not work correctly before
3. Tell me, what settings should we check?

0 Kudos
Lesley
Leader

3: Under the LDAP account unit: check if the domain is correct. Try to fetch the branches from all DCs. If LDAPS is used, try to fetch the fingerprint and see if it changed.

Also what is the output of: pdp idc groups_update status on the gateways?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Arturxr
Explorer

Checked that the domain is correct - everything is set up correctly.
Tried to get branches from all DCs.
pdp idc groups_update status was disabled; turned it on, then checked with the command:
pep show user query usr <user>
The problem was not solved.

0 Kudos
_Val_
Admin

Please open a TAC request

0 Kudos
Arturxr
Explorer

We have opened a case with TAC, but we still have not been offered any solution for a long time.

0 Kudos
