checkandmate
Participant

Switching Identity Awareness AD - NTLMv1 to NTLMv2

Hi All

Forgive me if this has been asked before, I could not find any posts which answered this... currently have Identity Awareness configured and using NTLMv1. Planning to migrate to NTLMv2.

Version R80.40 181

Reviewed ...

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_IdentityAwareness_AdminGuide...

Would like to confirm the steps for a platform already using IA.

After step ...


  • On the Security Management Server:

    1. Connect to the command line.

    2. Log in to the Expert mode.

    3. Run:

      adlogconfig a

    4. Enter the number of this option:

      Use NTLMv2

    5. Enter the number of this option:

      Exit and save


My concern is step (c). Do you need to disable / enable IA blade - then run back through the wizard to essentially reinstall IA?

Just need a little clarification.

Thanks in advance.

Shane

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

Pretty sure this is not required.


0 Kudos
11 Replies
checkandmate
Participant

Thanks for the prompt response 🙂

0 Kudos
LazarusG
Participant

How would you validate the change from the Check Point estate? If disabling and re-enabling/configuring the blade isn't necessary, can the instructions be updated?

0 Kudos
PhoneBoy
Admin
Admin

I assume you can see the changes reflected in the adlogconfig output.

0 Kudos
LazarusG
Participant

Indeed so, thank you. Also, it seems you can revert the setting by choosing option 21 again from adlogconfig a:

[ ] Override configuration
[ ] Enable Adlog
[ ] Enable log for login or logoff
[ ] Use log original creation time
Association timeout : 0
Full Name Query Interval (days, 0=disabled) : 0
Full Name Fetch Hour : 0
Multi-user host Detection Threshold: 7
Revoked user timeout interval : 14400
[X] Enable Multi-User Host persistence DB
Multi-User Host persistence machine timeout (minutes): 2592000
Service Account Detection Threshold: 10
[ ] Automatically Exclude Service Accounts
[ ] Override default communication parameters
Query Within count : 0
Query Max returned objects in each iteration: 0
[X] Disable password expiration check
[X] Use NTLMv2 <===========you are correct!
[ ] Single User Assumption
[ ] Don't report machines
[X] LDAP groups update notifications
Notifications accumulation time : 10 (sec)
[X] Notify only user-related LDAP changes
[ ] Prefer IPv6 DC addresses
[1] WMI query Type

====================================================

1 - Override file
2 - AD Log feature
3 - Enable log for login or logoff
4 - Use log original creation time
5 - Association timeout
6 - Full Name Query Interval
7 - Full Name Fetch Hour
8 - Add Domain name
9 - Delete Domain
10 - Username
11 - Password
12 - Domain Controllers
13 - Change Multi-User detection threshold
14 - Change Revoked User timeout interval
15 - Multi-User Host Persistence DB
16 - Multi-User Host Persistence machine timeout
17 - Override Default Communication Parameters
18 - Query Within interval
19 - Max returned objects in each iteration
20 - Password expiration check
21 - Use NTLMv2
22 - Single User Assumption
23 - Change Service Account Detection Threshold
24 - Ignore Events From Different Domains
25 - Automatically Exclude Service Accounts
26 - Don't report machines
27 - Turn LDAP groups update on/off
28 - Notifications accumulation time
29 - Update only user-related LDAP changes
30 - Prefer IPv6 DC addresses
31 - WMI Query Type
32 - Exit without saving
33 - Exit and save

Please enter your choice: 33
- Saving configuration file '/opt/CPsuite-R81.10/fw1/conf/ad_log_override.C'
Note: you can run 'adlogconfig a -test domainName' in order to test connectivity
[Expert@r81mgmt:0]# adlogconfig

adlogconfig usage:
adlogconfig l [-test domainName] - if you are using Identity Logging
adlogconfig a [-test domainName] - if you are using AD Query (Identity Awareness)


I do suspect the steps to disable and re-enable the Identity Awareness blade are necessary though, and I expect we can only validate that gateways are doing NTLMv2 in packet captures(?)

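As an added illustration (not part of this thread, and not Check Point code): the point made above is that the management-side adlogconfig output only shows the configured setting, and what the gateway actually negotiates with the DCs can only be confirmed from the authentication traffic. The classifier below takes an NTLMSSP AUTHENTICATE message (the Type 3 blob you would extract from a capture of the gateway-to-DC traffic) and reports whether it carries an NTLMv1 or NTLMv2 response, using the NtChallengeResponse layout from MS-NLMP: a 24-byte response is NTLMv1, while NTLMv2 sends a 16-byte NTProofStr followed by a client-challenge structure that starts with 0x01 0x01. The message builder, the user/domain names and the response bytes are constructed sample data, not derived from any real credentials or capture.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3


def _field(msg: bytes, pos: int) -> bytes:
    """Read a Len/MaxLen/Offset field descriptor at pos and return the payload bytes it points to."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length]


def classify_ntlm_authenticate(msg: bytes) -> dict:
    """Report which NTLM flavour an AUTHENTICATE_MESSAGE (Type 3) carries.

    The NtChallengeResponse length is the discriminator: NTLMv1 always sends a
    24-byte DES-based response, while NTLMv2 sends a 16-byte NTProofStr followed
    by an NTLMv2_CLIENT_CHALLENGE whose RespType/HiRespType bytes are 0x01 0x01.
    """
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError(f"expected message type 3, got {msg_type}")

    nt_response = _field(msg, 20)                    # NtChallengeResponseFields
    domain = _field(msg, 28).decode("utf-16-le")     # DomainNameFields
    user = _field(msg, 36).decode("utf-16-le")       # UserNameFields

    if len(nt_response) == 0:
        version = "anonymous"
    elif len(nt_response) == 24:
        version = "NTLMv1"
    elif len(nt_response) > 24 and nt_response[16:18] == b"\x01\x01":
        version = "NTLMv2"
    else:
        version = "unknown"
    return {"domain": domain, "user": user, "version": version}


def build_authenticate(lm_response: bytes, nt_response: bytes, user: str = "svc-adquery",
                       domain: str = "CORP", workstation: str = "CPMGMT") -> bytes:
    """Assemble a minimal AUTHENTICATE_MESSAGE from constructed test data.

    Header layout follows MS-NLMP; the 64-byte header (signature, type, six
    field descriptors, NegotiateFlags) is followed directly by the payload.
    """
    items = [
        lm_response,                         # LmChallengeResponse
        nt_response,                         # NtChallengeResponse
        domain.encode("utf-16-le"),          # DomainName
        user.encode("utf-16-le"),            # UserName
        workstation.encode("utf-16-le"),     # Workstation
        b"",                                 # EncryptedRandomSessionKey (unused here)
    ]
    fields, payload, offset = b"", b"", 64
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    # Constructed flag value (UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN | TARGET_INFO);
    # the classifier does not inspect it.
    negotiate_flags = 0x00808205
    return NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + fields \
        + struct.pack("<I", negotiate_flags) + payload


# Constructed sample responses: filler bytes in the right shape, not real hashes.
SAMPLE_NTLMV1_NT_RESPONSE = bytes(range(0xA0, 0xA0 + 24))   # 24-byte DES response
SAMPLE_NTLMV2_NT_RESPONSE = (
    bytes(range(0x10, 0x20))        # 16-byte NTProofStr (HMAC-MD5 in a real exchange)
    + b"\x01\x01"                   # RespType, HiRespType
    + b"\x00" * 6                   # Reserved1, Reserved2
    + b"\x00" * 8                   # TimeStamp (FILETIME)
    + bytes(range(0x30, 0x38))      # ChallengeFromClient
    + b"\x00" * 4                   # Reserved3
    + b"\x00\x00\x00\x00"           # AvPairs: MsvAvEOL terminator
)

# Constructed stand-in for the Type 3 messages pulled out of a gateway-to-DC capture.
SAMPLE_CAPTURE = [
    build_authenticate(b"\x00" * 24, SAMPLE_NTLMV1_NT_RESPONSE),
    build_authenticate(b"\x00" * 24, SAMPLE_NTLMV2_NT_RESPONSE),
    build_authenticate(b"\x00" * 24, SAMPLE_NTLMV2_NT_RESPONSE, user="jdoe"),
]


def summarize(messages) -> dict:
    """Tally NTLM flavours across a list of captured AUTHENTICATE messages."""
    counts = {}
    for m in messages:
        v = classify_ntlm_authenticate(m)["version"]
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    for m in SAMPLE_CAPTURE:
        print(classify_ntlm_authenticate(m))
    print(summarize(SAMPLE_CAPTURE))
```

Run against the AUTHENTICATE blobs from a real capture, a summary that still contains an "NTLMv1" bucket after the change is the evidence the thread is asking for; the later TAC reply in this thread explains why that bucket may not go to zero even with NTLMv2 configured.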
AndreasD
Contributor

This was extremely helpful for me. Thank you.

0 Kudos
Edi
Explorer

Hi, can you please confirm if this applies to R80.30 too. Thanks

0 Kudos
checkandmate
Participant

After I made the initial change / tested, we confirmed IA was still reaching out to AD via NTLMv1. We are utilising R81.

Reaching out to TAC, they recommended reinstalling IA, i.e. general properties, disable/re-enable IA (without OK) and follow the wizard. This has now been done on CP, and I'm waiting for monitoring results back from the server.

Once I have the results, I will post again.

0 Kudos
ThierryReboul
Explorer

Hi @checkandmate,

I'm looking at the same thing, did this work for you? Can you share your feedback on the procedure?

Thanks!

0 Kudos
checkandmate
Participant

Update

After performing the above procedure we still found NTLMv1 traffic reaching out to the DCs. Another ticket was raised with TAC and they confirmed this is expected behavior. See CP reply:

"As we discussed over the phone, even if you move to NTLMv2, the gateway will still show NTLMv1. Even if the GW is set to use v2, it still tries v1 before anything else. If the SMS output of "adlogconfig" shows Use NTLMv2, then the database will be pushed to the FW to use NTLMv2.

Regards,"


0 Kudos
frankcar
Contributor

I see this is an old post, but from the changes I've been making on the mgmt via adlogconfig a or l, I have to issue this command once I exit and save, to reconfigure with the new settings:

adlog l control reconf

adlog a control reconf

0 Kudos