Identity Rule Access Role issue
Hi,
We have a firewall enabled with the Identity Awareness blade. It collects identities from the Identity Collector, which communicates with our internal domain controllers to fetch identities and forwards them to the gateway.
We got a requirement from a user to add a specific rule where a user can access a vendor link from any network (corporate IPs only), any user, but from a particular server.
We created an access rule for this requirement. However, it's not working. If you could suggest any troubleshooting steps, it would be much appreciated.
I could see traffic getting dropped in the firewall when the user tries to telnet to the vendor portal from the allowed server/machine.
Let’s start with exactly what you created in the rulebase versus what got logged when the user tried to access.
Might help to know version/JHF level as well.
Also maybe check in the CLI of the gateway if it’s associating the right roles using pdp monitor user username.
I have created an access role in the source column like below:
Network - Any
Users - Any
Machine - Specific Security Group created in AD (This group contains machines/servers not any user ID's)
Destination - Vendor Website IP address
Gateway version is R80.40 / JHF Accumulator take 91.
When I run pdp monitor user username, I am not getting this access role but am getting other access roles. It works fine if I create an access role with any network, specific users and any machine (not for this scenario; I am saying for others).
Why is it not working with a specific machine?
Also, please let me know how I can put this service in a running state and see logs in the Login Monitor section of the Identity Collector. Please see the attached screenshot for details.
Logins Monitor might be this: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
We have added the Domain Controller as an identity source manually but are still having the same issues. 'Is Forwarded Log Event Collector' was already in a disabled state. sk166076 doesn't resolve my issue. Do you know whether we need to start any Windows services for this to work?
I don't think I quite understand the requirement here.
Do you mean that the "vendor link" is a URL and accessed via a browser?
In that case, is it safe to assume that the "particular server" is a proxy?
So users would connect to proxy and proxy would make connection to the vendor?
How do the users connect to this particular server, RDP/SSH? Why don't you just create a rule with this server as an IP, not by access role?
Important is the status in the "Identity Sources" tab: is your configured AD server listed as green?
And if you see a number higher than 0 in the column "Total Events Received", you are receiving events 🙂
On the Identity Collector you have a great log file, "C:\Windows\Temp\ia.log".
To have the events in the UI, you need to turn on the "Logins Monitor".
Please click on the small grey "power button" behind the "Logins Monitor" text and you will see the monitoring events.
Your screenshot is showing that the "Logins Monitor" is disabled.
By the way, I think the question from Martin Tzvetanov is a valid one.
If any user should have access and you want to allow the system itself as source,
why not create a simple rule allowing "YourServerIP" to the vendor's website IP?
But sometimes the destination IP of a website could change,
so you could think about using an FQDN object as destination instead of an IP.
Yes, we added the AD domain controller and tested successfully. All are displayed as green in the Identity Sources dashboard. Only yesterday I noticed that power-like button for the Logins Monitor. After I turned it on, I could see the event logs.
I created a rule using an access role where I gave a specific machine group as source. In that group, as of now only one server is added. In future, the group owner may add many servers (that's the reason we haven't created an IP-based rule).
I asked the user to check but he told me that he is still unable to telnet to that site. I ran a debug on the firewall and observed drops.
When I ran this command 'pdp monitor machine <machine name>', I was not getting any output. At this time, the 'ignore machine identities' check box was in an enabled state in the IC.
I disabled 'ignore machine identities', which would fix the issue. Now I want to understand: how long will this identity be seen on the gateway?
Also, how would we force changes made in the IC to be forwarded to the gateway? I hope that currently it keeps the association time-to-live at 720 minutes. So if that is the case, the changes can't be pushed to the gateways until it expires.
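The failure mode the thread converges on (an access role whose Machine field names an AD group can never match while the Identity Collector ignores machine identities, even though user-based roles keep working, and a learned association only ages out after its time-to-live) can be modelled with a few lines of Python. The following is an added illustration, not Check Point's code: the event, association and role classes, the matching semantics, the `collector_forward` and `pdp_monitor_machine` helpers and all sample data are constructed assumptions chosen to mirror what the posts describe, and the 720-minute TTL is taken from the thread rather than from any product documentation.

```python
"""Model of access-role matching against learned identities (added illustration,
not Check Point code). All data below is constructed; the matching semantics,
the collector and monitor helpers, and the fixed TTL are simplifying assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

ASSOCIATION_TTL_MIN = 720  # time-to-live mentioned in the thread; assumed fixed here


@dataclass(frozen=True)
class IdentityEvent:
    """One login event as the collector would learn it from a DC (constructed)."""
    ip: str
    user: Optional[str]            # None for a machine-only event
    machine: Optional[str]         # None for a user-only event
    machine_groups: FrozenSet[str]
    seen_at_min: int               # simplified clock, minutes


@dataclass(frozen=True)
class Association:
    """What the gateway holds for an IP after the collector forwards an event."""
    ip: str
    user: Optional[str]
    machine: Optional[str]
    machine_groups: FrozenSet[str]
    learned_at_min: int
    ttl_min: int = ASSOCIATION_TTL_MIN

    def is_live(self, now_min: int) -> bool:
        # Assumption: an association is dropped once its TTL has elapsed.
        return now_min < self.learned_at_min + self.ttl_min


@dataclass(frozen=True)
class AccessRole:
    """Source-column access role. None means 'Any' for that field."""
    networks: Optional[FrozenSet[str]]       # CIDR strings
    users: Optional[FrozenSet[str]]
    machine_groups: Optional[FrozenSet[str]]


def collector_forward(events: Iterable[IdentityEvent],
                      ignore_machine_identities: bool) -> List[Association]:
    """Turn DC events into gateway associations. With 'ignore machine identities'
    on, machine names and group memberships are dropped before forwarding."""
    out = []
    for ev in events:
        if ignore_machine_identities:
            out.append(Association(ev.ip, ev.user, None, frozenset(), ev.seen_at_min))
        else:
            out.append(Association(ev.ip, ev.user, ev.machine, ev.machine_groups, ev.seen_at_min))
    return out


def in_any_network(ip: str, networks: FrozenSet[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def role_matches(role: AccessRole, assoc: Association, now_min: int) -> bool:
    """A role matches only when every non-Any field is satisfied by a live association."""
    if not assoc.is_live(now_min):
        return False
    if role.networks is not None and not in_any_network(assoc.ip, role.networks):
        return False
    if role.users is not None and assoc.user not in role.users:
        return False
    if role.machine_groups is not None:
        # A machine requirement can only be met by a learned machine identity;
        # an association with machine=None fails here regardless of user or IP.
        if assoc.machine is None or not (assoc.machine_groups & role.machine_groups):
            return False
    return True


def pdp_monitor_machine(assocs: Iterable[Association], machine: str, now_min: int) -> List[Association]:
    """Model of querying the gateway for a machine: live associations that carry that name."""
    return [a for a in assocs if a.machine == machine and a.is_live(now_min)]


# Constructed sample data mirroring the thread: one server in the AD group.
MACHINE_ROLE = AccessRole(networks=None, users=None,
                          machine_groups=frozenset({"VendorAccessServers"}))
USER_ROLE = AccessRole(networks=frozenset({"10.0.0.0/8"}), users=frozenset({"alice"}),
                       machine_groups=None)
EVENTS = [IdentityEvent("10.1.2.3", "alice", "APP01",
                        frozenset({"VendorAccessServers", "Domain Computers"}), seen_at_min=1000)]


def simulate(ignore_machine_identities: bool, now_min: int) -> Tuple[bool, bool, int]:
    """Returns (machine_role_matches, user_role_matches, monitor_hits_for_APP01)."""
    assocs = collector_forward(EVENTS, ignore_machine_identities)
    machine_ok = any(role_matches(MACHINE_ROLE, a, now_min) for a in assocs)
    user_ok = any(role_matches(USER_ROLE, a, now_min) for a in assocs)
    return machine_ok, user_ok, len(pdp_monitor_machine(assocs, "APP01", now_min))


if __name__ == "__main__":
    print("ignore machine identities ON :", simulate(True, 1010))
    print("ignore machine identities OFF:", simulate(False, 1010))
    print("after TTL expiry (OFF)       :", simulate(False, 1000 + ASSOCIATION_TTL_MIN))
```

With the option on, the user-based role still matches while the machine-based role never does and the machine query returns nothing, which is the symptom reported above; with it off, the machine is learned and the role matches until the association expires at the TTL.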