Michalis89
Contributor

Identity Awareness for the same user is working on one VS but not to another

Hi team,

I am facing a very strange issue with Identity Awareness. I want to make a new implementation where a remote access user will have access to AWS through a site-to-site VPN. I am using Identity Collector.

The flow of the user is like this:

User --> External VS.1 (Identity Awareness Rule)--> External VS.2 (Identity Awareness Rule) --> AWS

The site-to-site vpn is established on External VS.2.

The strange behavior is that the user matches the identity rule at External VS.1 but not at External VS.2. As a result I am dropped at the drop rule and I cannot connect to my resources at AWS.


Do you have any idea why the Identity Awareness rule is matching on only one of my two VSs?

I have Identity Awareness blade active on both firewalls

Thank you!

0 Kudos
7 Replies
the_rock
Legend

Can you check pdp.elg and pep.elg on that VS and compare with the working one? That may give us some ideas why it's failing.

Andy

0 Kudos
Michalis89
Contributor

Hi, thank you for your answer! We compared both outputs and they are exactly the same.

One strange issue that we saw is that at External VS.1 (which is the firewall where the identity rule is OK), after issuing the command "pdp monitor user x", the proper AD group is appearing in the Groups section.

When we issue the same command at External VS.2 (which is the firewall where the identity rule is not matching), the AD group of the user is not there in the Groups section.

So for some reason the firewall does not get the AD group for this user... Any idea?

0 Kudos
the_rock
Legend

One quick thing I would try is disable/re-enable the Identity Awareness blade on that fw, if you can... unless it's referenced in lots of places. Have you tried the command pdp update all? Can you reboot it? If none of that helps, then I would suggest debugs... I could send you debugs TAC gave me once for the IA blade.

0 Kudos
Michalis89
Contributor

Unfortunately I can only issue the command pdp update user x because the firewall is operational. Also, identity access rules can be matched by other accounts.

The only difference between the users that match the identity rules and the ones that do not is the OU.

Do you believe that this can cause the problem?

0 Kudos
the_rock
Legend

Wait a second... how is the OU different?? Aren't those the exact same users? Yes, that would explain the issue.

0 Kudos
Michalis89
Contributor

Yes, the users that we have belong to another OU than the users that do not face any problem with the identity rules.

My question is: where can we distinguish which OU will match the identity rules in a Check Point firewall?

0 Kudos
the_rock
Legend

That's all determined by access roles... if the access roles are configured properly to reflect the right OU in AD, then there is really no reason why it would fail. I pasted below the debug you can run. Do you have a TAC case open for this?

Andy

Identity Awareness debugs
# cd $FWDIR/log
# rm pdpd.elg.*
# echo "=debug_start=" >> $FWDIR/log/pdpd.elg
To turn pdp debug on:
# adlog a d on
# pdp debug on
# pep debug on
# pdp debug set all all
Replicate the issue
To turn them off:
# adlog a d off
# pdp debug unset all all
# pdp debug off
# pep debug off
# pdp d reset
# pep d unset all all
Collect debug:
$FWDIR/log/pdpd.elg
# tar zcvf pdpd_debugs.tgz pdpd.elg*
# tar zcvf pepd_debugs.tgz pepd.elg*

0 Kudos
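As an added example (not from the thread and not Check Point's own tooling), a small Python helper for the two comparisons discussed above: it parses the Groups and Roles from pasted "pdp monitor user" output of the working and the failing VS, reports what the failing VS is missing, and pulls the OU chain out of the user's DN so it can be checked against the access role definition. The field layout of the sample output is a constructed stand-in and not the real command output; adjust the regexes to what your gateway prints.

```python
import re

# Constructed sample output from the working VS (VS.1) and the failing VS (VS.2).
# The "Field: value" layout is an assumption for this example, not Check Point's
# documented format; groups/roles are assumed to be ';'-separated.
VS1_OUTPUT = """\
Session: 1a2b
User: jdoe
DN: CN=jdoe,OU=RemoteUsers,OU=Contractors,DC=example,DC=local
Groups: ad_group_AWS-Access;ad_group_Domain Users
Roles: Role_AWS_Users
"""
VS2_OUTPUT = """\
Session: 9f8e
User: jdoe
DN: CN=jdoe,OU=RemoteUsers,OU=Contractors,DC=example,DC=local
Groups: ad_group_Domain Users
Roles:
"""

def parse_pdp_monitor(text):
    """Return dn, the OU chain (innermost first), and the group/role sets."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", text, re.MULTILINE))
    dn = fields.get("DN", "")
    ous = re.findall(r"OU=([^,]+)", dn)

    def split(value):
        return {item.strip() for item in value.split(";") if item.strip()}

    return {"dn": dn, "ous": ous,
            "groups": split(fields.get("Groups", "")),
            "roles": split(fields.get("Roles", ""))}

def compare_identity(working, broken):
    """Groups and roles the working VS resolved but the failing VS did not."""
    good, bad = parse_pdp_monitor(working), parse_pdp_monitor(broken)
    return {"same_dn": good["dn"] == bad["dn"],
            "ous": good["ous"],
            "missing_groups": sorted(good["groups"] - bad["groups"]),
            "missing_roles": sorted(good["roles"] - bad["roles"])}

if __name__ == "__main__":
    result = compare_identity(VS1_OUTPUT, VS2_OUTPUT)
    print("Same user DN on both VSs:", result["same_dn"])
    print("User OU chain:", " > ".join(result["ous"]))
    print("Groups missing on failing VS:", result["missing_groups"])
    print("Roles missing on failing VS:", result["missing_roles"])
```

A group that appears in "missing_groups" while the DN is identical points at the failing VS not resolving that group (or its OU) for the user, which is the mismatch to check against the access role on that VS.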