problem with the operation of the user identification function in Checkpoint by domain accounts

May the 4th (+4)
Roadmap Session and Use Cases for
Cloud Security, SASE, and Email Security

SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend

Paradigm Shifts: Adventures Unleashed!
Capture Your Adventure for a Chance to WIN!

Join the Photo Contest!

Mastering Compliance
Unveiling the power of Compliance Blade

WATCH NOW

CPX 2024 Content
is Here!

Get What You Need

Harmony SaaS
The most advanced prevention
for SaaS-based threats

LEARN MORE

CheckMates Go:
CPX 2024 Recap

LISTEN NOW

Create a Post

We have rules for providing basic Internet access:
1. Through a group in the active directory (access role)
2. Through a group with ip addresses (network group)
In the access role, under the tab users there is a group AD <group> with more than 2000 users but normally only 300 users come through.
When checking the problem user in PDP, the output of the command shows that:
1. "Groups: All Users" (This user is a member of an AD group)
2. "Roles: -" (Access Role not defined)

Therefore the given user does not fall under our rule. At the same time the given user is a member of the AD group.
Conclusion: The traffic doesn't reach the target rule (with active directory), but it goes through other rules (not with active directory), because CheckPoint cannot correctly identify the AD group the user is in.
We tried sk106964.
We tried rules with access role raised above allowing rules by ip
These solutions did not solve our problems.
Also, we have rules where some users are given internet by active directory, the rules work but after some time internet access is lost, traffic stops going by the rule.
We have main domain and subdomains, users from subdomains are also present in the main domain
Please advise, have you faced such problems and were you able to solve them?