This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
flachance
MVP Silver
MVP Silver
‎2024-11-25 06:57 AM

rule based on a group not working anymore

The management and gateways are R81.20 JHF take 76

 

We made two rules for application access similar to this

1.access_role_exception to Facebook Allow

2.access_role_blockFB to Facebook Drop

 

access_role_exceptions contains AD group FB_exception

access_role_blockFB contains AD group Org_group

 

Everybody is in Org_group and some are also in FB_exception

This worked well as of last Friday. This morning everybody is blocked even if they are in FB_exception.

I can see in the logs that the correct groups are associated with the correct users.

What could cause this? Why won't it match rule 1 anymore?

 

thanks

Francis

0 Kudos
5 Replies
flachance
MVP Silver
MVP Silver
‎2024-11-25 07:06 AM

So in SmartLog I see the correct group in one gateway but not all. In CLI on the gateway that would require the correct info running pep s u q usr username returns User Groups:<Unavailable>. We're using Identity Collector. In the Identity Collector gui everything looks fine

 

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-11-25 08:14 AM
In response to flachance

If problem is only present on one gateway. I don’t think there is an issue on IDC or AD. Worth running basic health check like hcp maybe some important daemon is crashed like pdp or pep. If it is a cluster maybe do failover and reboot. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
flachance
MVP Silver
MVP Silver
‎2024-11-25 10:06 AM
In response to Lesley

so for one user I tried pdp update specific username and it updated is Identity Roles properly.

I have another one with the issue when I do a pep s u q user username for him I see two entries (two different IPs) the oldest one has the correct Identity Roles but the newest one doesn't.

I also tried pdp update specific username for him but it changed nothing

 

0 Kudos
flachance
MVP Silver
MVP Silver
‎2024-11-25 10:10 AM
In response to flachance

I tried pdp update specific machinename for him and it's ok now.

I'm not sure I understand how often this should update on its own.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-11-25 05:37 PM
In response to flachance

I would try test like this...instead of access role group, use subnet in the rule and see if it works by an IP. If it does, then you know 100% without any doubt its role association thats the issue.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events