Paolo_Francese
Contributor

rule with access role that does not match

Hi,

I've made a rule where the source is an access role containing an Active Directory user, but this rule is never matched.

I have other rules containing access roles that work as expected.

I've also checked that pdp knows about this user with the command

  pdp monitor user user_name

and the user is known to pdp.

Is there a way to understand why the rule does not match?


thanks in advance


5 Replies
Chris_Atkinson
Employee

There are some version / hotfix level specific issues of this nature in earlier releases; the quickest path will be to seek help from TAC to investigate & correlate with any known issues vs config etc.

Paolo_Francese
Contributor

I investigated this issue further and discovered that the identity is obtained from an Identity Collector that sends the username and IP to the gateways, but between the user and the gateways there is a router that NATs the connections, so the traffic generated by the user reaches the gateway with a source IP that is not the one reported by the Identity Collector.

I think that the rule mismatch is caused by this IP mismatch due to NAT.
What do you think?

Thanks in advance

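The hypothesis in the post above, as an added illustration that is not part of the thread: a simplified model of a gateway that resolves the packet's source IP through the identity table it learned from an Identity Collector, with a hide-NAT router in the path. The identity table, the router address and the user name are constructed values, and the lookup logic is an assumption about the mechanism, not Check Point's implementation.

```python
from ipaddress import IPv4Address

# Constructed identity table as the gateway would learn it from the Identity
# Collector: logon source IP -> AD account. Values are made up for this example.
IDENTITY_SESSIONS = {
    IPv4Address("10.20.30.40"): "CORP\\alice",
}

# Constructed address of the router sitting between the user and the gateway.
# Hide-NAT rewrites every internal source to this outside address.
ROUTER_OUTSIDE_IP = IPv4Address("192.0.2.1")


class AccessRole:
    """Access role populated with AD users only; machines/networks stay at 'any'."""

    def __init__(self, users):
        self.users = frozenset(users)

    def matches(self, user):
        # With networks at 'any', the only thing the role needs is the username,
        # but the gateway still has to resolve that username from the source IP.
        return user is not None and user in self.users


def identify(src_ip):
    """Resolve the packet's source IP to a username via the identity table (or None)."""
    return IDENTITY_SESSIONS.get(IPv4Address(src_ip))


def nat_hide(src_ip):
    """What the gateway sees after the router hide-NATs the connection."""
    return str(ROUTER_OUTSIDE_IP)


def rule_matches(role, user_ip, nat_in_path):
    """Evaluate a rule whose source column is the access role."""
    seen_by_gateway = nat_hide(user_ip) if nat_in_path else user_ip
    return role.matches(identify(seen_by_gateway))


ROLE = AccessRole({"CORP\\alice"})

if __name__ == "__main__":
    print("direct :", rule_matches(ROLE, "10.20.30.40", nat_in_path=False))
    print("via NAT:", rule_matches(ROLE, "10.20.30.40", nat_in_path=True))
```

The NATed case fails not because the user is unknown to the identity source but because the source IP the gateway sees has no identity session behind it.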
_Val_
Admin

Can be the case

MartinTzvetanov
Collaborator

What does the access role look like? If it's for a specific user/group from AD and ANY machines, the only needed info is the username, so I'm not so sure that NAT is causing the problem.

Paolo_Francese
Contributor

The access role object is populated with only one Active Directory user; the other fields are set to default values.
