Hi, we have some servers with the multi-user agent on them and all works fine. Now we have added two additional NICs to these servers; can we have the MUH agent bind all 3 IP addresses with the username?
Right now when we log in, we get an IA event against the first NIC only. Agreed, that makes sense, but we have a use case for needing all 3. Is there a setting somewhere that would allow it?
I checked with R&D and it appears we don't do this currently.
Likely possible to do in the future.
Suggest bringing this requirement through your local Check Point office.
An actual topology diagram showing the use case might help.
Specifically, how will Check Point gateways “see” traffic originating from these IP addresses?
To put it simply, there are static routes on the source forcing certain traffic out of certain NICs.
So imagine webserver A goes out via nic1, and webserver B goes out via nic2. We would like to lock down both traffic flows with an IA rule. Currently, we can only do this for nic1, as nic2 does not see any username associated with it.
I had a customer do this exact thing before, will check if I can find the setting for it tomorrow. I believe it's somewhere in SmartConsole, if I recall right.
Andy
I will check to see if I can find some notes about it tomorrow. I looked in SmartConsole, was mistaken, for sure, can't find anything about what you are looking for in there.
Andy
That would be great, thanks. Yes, I checked in Global Properties, nothing in there either. (Maybe a registry change?)
Are you using MUH Agent v1 or v2? V2 tags the packets that are sent out with the ID information which may work regardless of egress NIC, though I've not tried it.
Yes, we are already running the V2 agent.
OK so all TCP and UDP traffic should be tagged with the user who originated the traffic, is this not reflected in the gateway logs from all 3 IPs?
That's right, confirmed using my own account just now. The MUH is R81.041.0000 V2, gateway is R81.20 JHF65.
Sent two packets on TCP 8080, one dst went via nic1 and one via nic2. Correct sources showing in the log; the only difference was the nic1 log had my username and the nic2 log username was blank.
Thanks for testing, seems like it only binds to the first NIC. This may end up being an RFE.
I know 100% this can work, as a customer made it work with the help of TAC a few years ago. They now manage their own CP environment, but I won't give up trying to find out how it was done. Sadly, I don't have the TAC case handy to look up notes from it, but will see if I can dig out my own notes (hope I still have them, as I save pretty much everything lol).
Andy
@Ryan_Ryan Man, I'm so sorry, I looked through all my notes and can't find anything about this :(. I texted the customer and since it's been a while, he could not recall either how it was done; he just remembered they had to do some changes in GuiDBedit and the Windows registry to make it work. But, since @PhoneBoy confirmed it's not supported, I suppose that's the answer, mate.
Andy
The current code sends the IPv4 and IPv6 address already.
Adding support for additional addresses should theoretically be possible.
However…an RFE.
When you contact your local office, make sure they route this request via Solution Center.
Thanks all for your responses! Greatly appreciated 😁 Will look at getting an RFE put through.