Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
JustinLow
Contributor
Jump to solution

Access role object on threat prevention policy rule

Hi All,

 

Recently I tried to set the access role object as the Protected Scope under the Threat Prevention policy rule. However the policy installation is failed with Threat Prevention policy and succeeded with Access Control policy. The error message is as below,

--------------------------------------------------------------------------------
- Identity awareness changes were detected in the Anti Malware rule base. Access policy installation is required.
- Unknown user group 'ad_branch_Test'
- Operation was unsuccessful.
--------------------------------------------------------------------------------

 

Can anyone advice on this?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

The error message is pretty clear: use of an Access Role in a Threat Prevention policy requires installing the Access Policy.
First-time usage of an Access Role requires a full Access Policy installation prior to being used in the Threat Prevention policy.
You attempted to do both at the same time, which will fail since the Threat Prevention policy gets installed before the Access Policy in most cases.

I suspect if you perform another policy installation, it should succeed.

View solution in original post

0 Kudos
6 Replies
PhoneBoy
Admin
Admin

The error message is pretty clear: use of an Access Role in a Threat Prevention policy requires installing the Access Policy.
First-time usage of an Access Role requires a full Access Policy installation prior to being used in the Threat Prevention policy.
You attempted to do both at the same time, which will fail since the Threat Prevention policy gets installed before the Access Policy in most cases.

I suspect if you perform another policy installation, it should succeed.

0 Kudos
JustinLow
Contributor

Hi PhoneBoy,

 

I see. That's why it is failed when install both at the same time. I reinstall the policy separately and now it is working fine. Thank you for your reply

 

 

0 Kudos
israelsc
Collaborator
Collaborator
Hi guys, I have the same error, I get the following output when trying to install a policy:
 
Status: Failed
- is_whitelist_domain_enable: is_ok_for_whitelist_domain_look_for_inactive() returned false for action
- Identity awareness changes were detected in the Anti Malware rule base. Access policy installation is required.
- Unknown user group 'ad_user_XYZ'
- Operation was unsuccessful.
--------------------------------------------------------------------------------
 
The difference is that my customer placed an "Access Role" object as a source in an exception rule of the Threat Prevention Rule.
It is also important to mention, that the firewall I am having policy installation error is a Quantum Spark Check Point 1570 Appliance R81.10.07 - Build 430.
 
Is there any limitation with the access role in the threat prevention rules for the quantum spark?

I tried to install both policies separately and both at the same time but I have same results: policity installation error.
 
Greetings!
0 Kudos
PhoneBoy
Admin
Admin

Did you install Access Policy after creating and publishing the relevant Access Role(s)? 
This is required before you can use an Access Role in a Threat Prevention policy.
The fact this is on an SMB appliance shouldn't matter.

0 Kudos
israelsc
Collaborator
Collaborator

Hello,

Yes, the customer installed Access Control Policy after creating exceptions in the Threat Prevention policy with Access Roles inside the rules source and it was the same result.

Just today, the customer told me that he removed these Access Roles from the Threat Prevention rules that applied to a Spark Firewall and after installing the policies (Access and TP policies), they could be installed correctly.

It seems that these Access Roles objects in Threat Prevention Policy cause an error in the installation in a SMB - Quantum firewall.

I can't find any documentation to confirm this theory, but that seems to have been the solution.

Regards!

0 Kudos
PhoneBoy
Admin
Admin

That may be true, but the limitation should be documented.
Recommend a TAC case to confirm it: https://help.checkpoint.com 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events