This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Niels_van_Sluis
Contributor
‎2021-03-31 01:05 AM

Identity awareness and ADS machine identity propagation

Hi,

In our setup we are using the Identity Awareness blade on a R80.40 Security Gateway, which receives identities from an Identity Collector. The Identity Collector itself collects the identities from a pool of Microsoft Active Directory servers.

Everything seems to be working fine for some time now, but I've noticed that for the Active Directory servers themselfs the Security Gateway isn't receiving Machine Identity Propagation login or updates. Is this by design? 

Kind regards,

     --Niels

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2021-03-31 08:35 AM

You mean when someone logs into the AD server itself?
Note only AD users are acquired, no local users will be acquired.

Niels_van_Sluis
Contributor
‎2021-03-31 09:04 AM
In response to PhoneBoy

Hi Phoneboy,

No, it is for the AD server itself. For other non-AD-servers I see log entries like shown below.

Id: 0a6000f1-b607-a64b-6064-724300000001
Marker: @A@@B@1617193489@C@911804
Log Server Origin: x.x.x.x
Time: 2021-03-31T12:59:47Z
Id Generated By Indexer:false
First: true
Sequencenum: 87
Domain Name: example.com
Source: y.y.y.y
Endpoint IP: y.y.y.y
Authentication Status: Successful Login
Identity Source: Identity Collector (Active Directory)
Session ID: 66d6b3c5
Source Machine Name: servername
Source Machine Group: All Machines; ad_group_my_servers;
Authentication Method: Machine Identity Propagation
Identity Type: machine
Authentication Trial: this is a reauthentication for session xxxxxx
Roles: My_Servers
Action: Update
Type: Log
Blade: Identity Awareness
Origin: FW-A
Product Family: Network
Logid: 131073
Description: Successful Login 

Updates like these are not being received for the AD servers themself. 

PhoneBoy
Admin
Admin
‎2021-03-31 05:46 PM
In response to Niels_van_Sluis

But you're using an actual AD account to log in, correct?
Maybe @Adi_Babai or @Royi_Priov know here.

0 Kudos
Niels_van_Sluis
Contributor
‎2021-04-01 03:58 AM
In response to PhoneBoy

Well as far as I know, it is the AD server itself. I think the 'Machine Identity Propagation' update is send when a system itself is domain joined en authenticates itself to the AD server or domain. Maybe the AD represents the domain itself, and therefore doesn't join the domain like non-ADS servers do. That could be the reason that I don't see updates on the Security Gateway.  

PhoneBoy
Admin
Admin
‎2021-04-01 01:19 PM
In response to Niels_van_Sluis

Your explanation seems reasonable to me, at least.

0 Kudos
alexander_ae
Explorer
‎2021-05-20 07:33 AM
In response to Niels_van_Sluis

Hi Niels,

 

summary: it appears only the AD Servers , selected as an identity source that appear to be affected.

 

long:

We have the same behaviour in our environment. (1st time posting on checkpoint.... hooray.)
> other domain controllers,   NOT in the Identity Collector as sources are registering just fine here.

It's only those  that are enlisted as "Identity Collector Sources"  that are not registering as "machine identity". Exactly what you described.

 

Was this fixed for you somehow recently? or still an open question? Wondering if we should open a case @ CP for this or not.
Honestly we don't know if it has always been like this - but considering the Ruleset we stumbled upon a couple issues - and narrowed it down to the fact those specific Domain Controllers are not having their machine identity updated towards our Security Gateway.

 

 

0 Kudos
Daniel_Kavan
Advisor
‎2022-04-29 05:57 AM

I'm wondering if machine identity propagation can be turned off when it's not being used.   We're just using network and user authentication to validate access not machine identity.  

 

Also, the domain controllers its trying to get to are not configured in our LDAP account unit by design.   We are only using domain controllers in domain A, not B or C to validate users.    Those domain controllers exist for off site customers.

 

In the case I did want to use those other domain controllers from other domains, I assume I would have to use MDS for management (multiple domains).   IOW, if someone LDAP used a domain from domain B, a DC in domain A wouldn't find it even if I had it listed as a DC.  You can't control which DC is used for each rule.  Maybe, that will change in R81.20?

0 Kudos