We have rules for providing basic Internet access:
1. Through a group in the active directory (access role)
2. Through a group with ip addresses (network group)
In the access role, under the tab users there is a group AD <group> with more than 2000 users but normally only 300 users come through.
When checking the problem user in PDP, the output of the command shows that:
1. "Groups: All Users" (This user is a member of an AD group)
2. "Roles: -" (Access Role not defined)
Therefore the given user does not fall under our rule. At the same time the given user is a member of the AD group.
Conclusion: The traffic doesn't reach the target rule (with active directory), but it goes through other rules (not with active directory), because CheckPoint cannot correctly identify the AD group the user is in.
We tried sk106964.
We tried rules with access role raised above allowing rules by ip
These solutions did not solve our problems.
Also, we have rules where some users are given internet by active directory, the rules work but after some time internet access is lost, traffic stops going by the rule.
We have main domain and subdomains, users from subdomains are also present in the main domain
Please advise, have you faced such problems and were you able to solve them?