This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pedro_Boavida
Contributor
Contributor
‎2017-08-11 08:36 AM
Jump to solution

User Templates

Hi,

I've noticed that with R80.10 there was a loss of functionality in user templates, namely group membership option. Its no longer there.

As for today we cannot have the newly created user automatically added to a given set of user group(s), as defined by the user template, as it used to worked before (<R80)

Although it is not visible anymore on the user template properties it actually still worked after migration and until JHF take 24. So now its not visible AND doesn't work anymore.

Does it make sense to RFE a feature that existed previously ?

Best regards,

PB

1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor
‎2018-08-02 03:54 AM
In response to Matthew-Dale
Jump to solution

Available in the R80.20 Public EA and Production EA and the next available Management Feature Release. Not in R80.20.M1.

View solution in original post

13 Replies
PhoneBoy
Admin
Admin
‎2017-08-13 12:36 AM
Jump to solution

There are a few features in R77.30 that didn't make the cut in R80.10 for various reasons.

In some cases, the features are still there and just aren't visible in the GUI.

In other cases, the functionality is not there at all (e.g. SmartProvisioning).

The plan is to close those gaps in future versions, but that will take time.

As R&D participates actively here, posts like these do help bring visibility to the issue.

That said, the fact JHF 24 broke something that was previously working is probably worth a TAC case to see if that is intended behavior or not.

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2017-08-13 01:05 AM
Jump to solution

Hi Pedro, can you please elaborate on what exactly worked automatically after your upgrade? As far as I know in order to have a user automatically get added to a group, you still need to pick the group. Are you using some predefined script for this?

0 Kudos
PhoneBoy
Admin
Admin
‎2017-08-13 09:36 AM
In response to Tomer_Sole
Jump to solution

This was a feature that was present forever in the product prior to R80.

For example, I create a User Template called Test_Template:

When I create a user, I can based it off that template.

 

The user is automatically in the groups I created in the template with no action required by the administrator.

You'll notice that when you create a template in R80.10 that the "Groups" tab is missing (a feature degradation IMO):

Which means it's not possible to set a list of default groups in a template created in R80.10.

Maybe it is through the magic of dbedit, but that's a separate conversation. Smiley Happy

However, what was working for Pedro Boavida‌ prior to applying JHF 24 was that templates created in R77.30 would still work as they did in R77.30 (i.e. they would automatically set the user's groups to the correct value when creating a user based on that template).

Does that make sense?

0 Kudos
Pedro_Boavida
Contributor
Contributor
‎2017-08-13 10:00 AM
In response to PhoneBoy
Jump to solution

Hi Daemon,

Thanks for your efforts explaining the issue more clearly. That's precisely my point!

After upgrade to R80.x the "groups" tab was no longer visible in user template...... but still worked in the sense that a user created from that template still received the group membership - like previously defined on R77.

Later, just after applying JHF 24 this stopped working, which means that newly created users stopped receiving group membership. 

Now I rely on pertaining users to groups manually, so my policy logic can work as established. 

I understand this is by design of new version, however I'm bringing this subject here because it was indeed a useful feature and I hope it can be restored / fixed in upcoming releases.

Best regards,

PB

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2017-08-13 11:53 PM
Jump to solution

Selecting user groups within the user editor or user template editor is a limitation of R80 and R80.10. It will be returned in our next releases.

Pedro - I was mostly interested with your description of the change since the Jumbo-Hotfix. The decision was that we will resolve this in the next releases.

Hope this helps

0 Kudos
PhoneBoy
Admin
Admin
‎2017-08-14 12:11 AM
In response to Tomer_Sole
Jump to solution

I assume if Pedro wants the pre-JHF 24 behavior, he should open a case with TAC, correct?

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2017-08-14 02:52 AM
In response to PhoneBoy
Jump to solution

Usually unintended changes within hotfixes of the Management will get fixed on their own as a regular quality check, but this case is a bit unique. Because at the moment the decision is to hold with that gap for our next releases, in case Pedro wants to restore the behavior pre-JHF 24 then a support case will help.

0 Kudos
Tobias_Moritz
Advisor
‎2018-06-19 03:10 AM
In response to Tomer_Sole
Jump to solution

We are facing the same issue since upgrading an environment to R80.10 (also past JHF 24).

This is a pain point for the daily ops team which creates new remote access users.

 

Workflow for new RAS-users with R77.30:

  1. Open "Create User"-wizard with Template.
  2. Enter User Name.
  3. Switch to Certificates tab.
  4. Create new certificate enrollment key.
  5. Click Ok.
  6. Save & Install Policy.

 

Workflow for new RAS-users with R80.10 past JHF24:

  1. Open "Create User"-wizard with Template.
  2. Enter User Name.
  3. Change color (only cosmetically, I know)
  4. Click Ok.
  5. Search Group in Object Explorer.
  6. Open Group.
  7. Add new user.
  8. Click Ok.
  9. Search User in Object Explorer.
  10. Switch to Certificates tab.
  11. Create new certificate enrollment key.
  12. Click Ok.
  13. Save & Install Policy.

 

Step 3 is needed, because in R80.10 the color of the template is ignored.

Steps 5 to 8 are needed, because group membership cannot be handled by template anymore (this was discussed above).

Step 9 is needed, because new cert enrollment keys cannot be created until the user object is created. While the old R77 Dashboard creates the user in background when you switch to the certificates tab, the new R80 SmartConsole does not do so. So we have to close this window with the okay button to let it create the user. Then we have to open it again to create the cert enrollment key.

 

We would be very happy to circumvent these new GUI limitations by using the new API.

Unfortunately, there are still some gaps in the new API and managing user objects seems to one of them.

 

Maybe someone here can help us out with the (as far as I know undocumented and unsupported) generic-object API calls (which are firing classic CPMI calls, if I'm right)‌? Tomer Sole

We would really appreciate your help.

 

Thank you and best regards,
Tobias Moritz.

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-06-19 11:33 AM
In response to Tobias_Moritz
Jump to solution

Hi,

steps 5-8 will not be needed with the upcoming R80.20. The next R80.20 Public EA (not the one that you can use right now) will contain automatically adding users to groups if the template defines that. There is also the option for R80.20 Production EA.

we will look into step 3.

Step 9 is a change in the product because we wanted to give a consistent experience - new objects are not created until you OK the editor, across the board. Unfortunately this meant that the User Object got that extra step.

Automating your security recipes is important. Which parts are you still missing out of the generic way (see its limtiations)? https://community.checkpoint.com/docs/DOC-2844 

0 Kudos
Tobias_Moritz
Advisor
‎2018-06-20 01:54 AM
In response to Tomer_Sole
Jump to solution

Thank you for this very fast and helpful response!
I wasn't aware of that DOC-2844, thank you for the link.

Is it also possible to create the certificate enrollment key from ICA for that new user by using the API?

This would be nice, because then we could automate this daily ops task completely without moving authentication away from ICA to something other.

0 Kudos
Matthew-Dale
Participant
Participant
‎2018-08-02 02:11 AM
Jump to solution

Is there an update to the inclusion of this?

I haven't installed R80.20M1 but I could not find a reference to it in the resolved issues or new features.

Thanks.

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-08-02 03:54 AM
In response to Matthew-Dale
Jump to solution

Available in the R80.20 Public EA and Production EA and the next available Management Feature Release. Not in R80.20.M1.

Matthew-Dale
Participant
Participant
‎2018-08-02 04:59 AM
Jump to solution

Ok great, thank you for the quick reply.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events