Check Point Appliance 620 AD user awareness with Windows Server 2012R2 Essentials



xanadu.dm
2016-01-20, 17:21
I'm trying to set up AD User Awareness (connecting to a Windows Server 2012R2 Essentials).
All is set up and I cannot browse through user groups when adding objects; however, no LDAP user reporting is being done.

The domain controller gives Audit Success messages. I also restarted the WMI service according to this article: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk60501

The firewall log itself states a "communication problem @ 192.168.0.242" (which is the IP address of my Windows Server 2012R2 Essentials).
Does anyone have a clue how I can get this issue resolved?

mrbbs
2016-01-26, 15:19
I'm trying to set up AD User Awareness (connecting to a Windows Server 2012R2 Essentials).
All is set up and I cannot browse through user groups when adding objects; however, no LDAP user reporting is being done.

The domain controller gives Audit Success messages. I also restarted the WMI service according to this article: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk60501

The firewall log itself states a "communication problem @ 192.168.0.242" (which is the IP address of my Windows Server 2012R2 Essentials).
Does anyone have a clue how I can get this issue resolved?

I'm experiencing the exact same issue. Is there no one who can point us in the right direction?

jflemingeds
2016-01-27, 10:38
I'm experiencing the exact same issue. Is there no one who can point us in the right direction?

Any luck with this issue? I'll try to replicate tonight. My guess is that not many people use this feature, since most of the time there is a management server where this is all set up and then pushed down to the gateway. I've never tried it with a 600 before.

ShadowPeak.com
2016-01-27, 11:38
I'm trying to set up AD User Awareness (connecting to a Windows Server 2012R2 Essentials).
All is set up and I cannot browse through user groups when adding objects; however, no LDAP user reporting is being done.

The domain controller gives Audit Success messages. I also restarted the WMI service according to this article: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk60501

The firewall log itself states a "communication problem @ 192.168.0.242" (which is the IP address of my Windows Server 2012R2 Essentials).
Does anyone have a clue how I can get this issue resolved?

Please post the output of "adlog a dc" from the 600 CLI in expert mode; I'm pretty sure that command will work on a 600. You may have to crank up a tcpdump looking for traffic heading to the AD controller to see what is up, assuming the firewall is attempting to talk to it.

jflemingeds
2016-01-27, 23:04
So this is what working looks like. I created a network and put an AD controller running 2012 on it. Ran through the wizard. BTW, this is an 1100, not a 600. I don't have access to a 600 at the moment; however, my 1100 is not managed by a management server, so it should be a pretty close replication, assuming it's not a license issue.

10.128.0.5 is my lab AD controller I just created.

[Expert@STUFF!]# adlog a dc
Domain controllers:
Domain Name IP Address Connection state Events in the last hour
================================================== =============================================
lab.spikefishsolutions.com; 10.128.0.5; has connection; 6

Ignored domain controllers on this gateway:
No ignored domain controllers found.

[Expert@STUFF!]#

I was able to pick a user for VPN access without issue.

Can both of you explain your topology?

I should point out the following.

The workstation I'm administering the firewall from and the AD controller are on the inside of the firewall (behind the same interface).

BTW, this is what I'm running:

This is Check Point 1100 Appliance R75.20.71 - Build 120

xanadu.dm
2016-01-28, 06:22
Thank you all for your replies.

Output from expert mode:

[Expert@firewall]# adlog a dc
Domain controllers:
Domain Name IP Address Events (last hour) Connection state
================================================== ================================================== ========
sne.local 192.168.0.242 0 has connection

Ignored domain controllers on this gateway:
No ignored domain controllers found.

[Expert@firewall]# adlog a statistics
Number of NT event log received since last reconf (618 minutes ago):
192.168.0.242 0
TOTAL 0

Number of known IP addresses: 0

Adlog is currently running

[Expert@firewall]# adlog a query all
the result of database query has no records

I still receive daily notifications in the log:

Connected domain controller <[192.168.0.242]> did not send AD Query related events in the last 5 minutes. Refer to sk60501 to make sure the necessary events are audited on the domain controller.


Running : This is Check Point's 600 Appliance R77.20.11 - Build 471


On the domain controller itself I can see the following messages in the Security Log:

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: checkpoint
Source Workstation: FIREWALL
Error Code: 0x0

Where "checkpoint" is the user that I used to configure the AD connection from the firewall. No other messages show up.

xanadu.dm
2016-01-28, 07:06
This is what I found in the /var/log/log/test_ad_connectivity.elg logfile (probably after enabling extended debug mode for AD logging):

[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiLogicLayer::analyze: analyzing data: info: END_OF_OUTPUT
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiLogicLayer::handleInfo: end of output marker found
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiBasicProtocol::DataReceived: logic layer reported that output has ended
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiTransport::handleQueryEngineDown: called with: 0
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Events)] ADLOG::DcomWmiTransport::goingDownAsyncCB: called
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiTransport::goingDownLogic: called: m_QueryFinishReason: 0 m_eConnIpVersion: 1
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Events)] ADLOG::DcomWmiTransport::stop: called
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Important)] ADLOG::ProtocolLayerProxy::stop: stopped proxying for real event handler 0x2bc48bc
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Events)] ADLOG::DcomWmiTransport::stop: stopping basic transport @ 2be5d08
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::Utils::killProcessWrapper: pid: 5881 killed!
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiTransport::reportToObserverThatQuery Finished: reporting to my observer -> 0
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG (TD::Important)] ADLOG::DcConnCheck::performNTEventsLogQueryChecked : Performing NT events log query permissions check
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG (NAC::IS::TD::Important)] ADLOG::DcConnCheck::performNTEventsLogQueryChecked : query string : SELECT * from __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'WIN32_NTLogEvent'
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Events)] ADLOG::DcomWmiTransport::performQuery: query = SELECT * from __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'WIN32_NTLogEvent' AND (TargetInstance.SourceN
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: before: -U
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: after: LVU=
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: before: sne.local/checkpoint% **xrz'%#U
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: after: c25lLmxvY2FsL2NoZWNrcG9pbnQlICoqeHJ6JyUjVQ==
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: before: //192.168.0.242
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: after: Ly8xOTIuMTY4LjAuMjQy
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: before: SELECT * from __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'WIN32_NTLogEvent' AND (TargetInstance.SourceName='Se
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: after: U0VMRUNUICogZnJvbSBfX0luc3RhbmNlQ3JlYXRpb25FdmVudC BXSVRISU4gMSBXSEVSRSBUYXJnZXRJbnN0YW5jZSBJU0EgJ1dJ TjMyX05UTG9nRXZlbnQnIEFORC
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: before: //mode
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: after: Ly9tb2Rl
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: before: async
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: after: YXN5bmM=
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: before: //class
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: after: Ly9jbGFzcw==
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: before: win32_ntlogevent
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: after: d2luMzJfbnRsb2dldmVudA==
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: before: //number_of_objects
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: after: Ly9udW1iZXJfb2Zfb2JqZWN0cw==
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: before: 100
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: after: MTAw
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: before: //is_ntlm2
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: after: Ly9pc19udGxtMg==
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: before: 0
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_UTILS (TD::All)] ADLOG::Utils::base64StringEncode: after: MA==
[ 5876 1087644816]@firewall[28 Jan 11:36:32] CpAsyncPipeSessionOpen: called
[ 5876 1088246928]@firewall[28 Jan 11:36:32] pipe_thread: called info=0x2bf28b8
[ 5876 1087644816]@firewall[28 Jan 11:36:32] CpAsyncPipeSessionOpen: incremented num threads to 2
[ 5876 1087644816]@firewall[28 Jan 11:36:32] CpAsyncPipeSessionOpen: created info=0x2bf28b8
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [Proc (TD::Important)] NAC::IS::ProcessTransport::ProcessTransport: command line: '/opt/fw1/bin/wmic LVU= c25lLmxvY2FsL2NoZWNrcG9pbnQlICoqeHJ6JyUjVQ== Ly8xOTIuMTY4LjAuMjQy U0VMRUNUICogZnJvbSB
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [Proc (TD::Important)] NAC::IS::S_ProcessExecuter::ExecuteProcess: Command line '/opt/fw1/bin/wmic LVU= c25lLmxvY2FsL2NoZWNrcG9pbnQlICoqeHJ6JyUjVQ== Ly8xOTIuMTY4LjAuMjQy U0VMRUNUICogZnJvbSBfX
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Events)] ADLOG::DcomWmiTransport::performQuery: basic transport created @ 2bf0e88
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Important)] ADLOG::ProtocolLayerProxy::registerRealHandler: registered real event handler 0x2bc49c4
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiParsingLayer::DcomWmiParsingLayer: c'tor is called
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiLogicLayer::DcomWmiLogicLayer: c'tor is called
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiBasicProtocol::DcomWmiBasicProtocol: c'tor is called
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_free_data: free data=0x2bf0748
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiBasicProtocol::~DcomWmiBasicProtocol : d'tor is called
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiLogicLayer::~DcomWmiLogicLayer: d'tor is called
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiParsingLayer::~DcomWmiParsingLayer: d'tor is called
[ 5876 1087644816]@firewall[28 Jan 11:36:32] CpAsyncPipeSessionClose: called info=0x2be5c70
[ 5876 1088246928]@firewall[28 Jan 11:36:32] pipe_thread: sending data for info=0x2bf28b8
[ 5876 1087644816]@firewall[28 Jan 11:36:32] T_event_mainloop_iter_select: select reports 1 events
[ 5876 1087644816]@firewall[28 Jan 11:36:32] T_event_trigger_call_ordered_handler: called for event 5
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_new_data_handler: called info=0x2bf28b8
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_new_data_handler: calling app data-handler
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Important)] ADLOG::DcomWmiBasicProtocol::DataReceived: received data from query engine:
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiLogicLayer::analyze: analyzing data: info: pid = 5884
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiLogicLayer::handleInfo: m_uiEnginePID = 5884
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiTransport::handleQueryEnginePID: called with: 5884
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Important)] ADLOG::DcomWmiBasicProtocol::DataReceived: received data from query engine:
$$START$$ info: is_ntlm2 = false $$END$$


[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiLogicLayer::analyze: analyzing data: info: is_ntlm2 = false
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_free_data: free data=0x2bc4698
[ 5876 1087906960]@firewall[28 Jan 11:36:32] pipe_thread: sending close info=0x2be5c70
[ 5876 1087644816]@firewall[28 Jan 11:36:32] T_event_mainloop_iter_select: select reports 1 events
[ 5876 1087644816]@firewall[28 Jan 11:36:32] T_event_trigger_call_ordered_handler: called for event 6
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_end_handler: called info=0x2be5c70
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_free_info: free info=0x2be5c70
[ 5876 1087906960]@firewall[28 Jan 11:36:32] pipe_thread: decremented num threads to 1
[ 5876 1088246928]@firewall[28 Jan 11:36:32] pipe_thread: sending data for info=0x2bf28b8
[ 5876 1087644816]@firewall[28 Jan 11:36:32] T_event_mainloop_iter_select: select reports 1 events
[ 5876 1087644816]@firewall[28 Jan 11:36:32] T_event_trigger_call_ordered_handler: called for event 5
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_new_data_handler: called info=0x2bf28b8
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_new_data_handler: calling app data-handler
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Important)] ADLOG::DcomWmiBasicProtocol::DataReceived: received data from query engine:
$$START$$ info: WBEM_ConnectServer() OK. $$END$$


[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiLogicLayer::analyze: analyzing data: info: WBEM_ConnectServer() OK.
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_free_data: free data=0x2bc4698
[ 5876 1088246928]@firewall[28 Jan 11:36:32] pipe_thread: sending data for info=0x2bf28b8
[ 5876 1087644816]@firewall[28 Jan 11:36:32] T_event_mainloop_iter_select: select reports 1 events
[ 5876 1087644816]@firewall[28 Jan 11:36:32] T_event_trigger_call_ordered_handler: called for event 5
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_new_data_handler: called info=0x2bf28b8
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_new_data_handler: calling app data-handler
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Important)] ADLOG::DcomWmiBasicProtocol::DataReceived: received data from query engine:
$$START$$ info: sending query: SELECT * from __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'WIN32_NTLogEvent' AND (TargetInstance.SourceName='Security' or TargetInstance.LogFile='Security') $$END$$


[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiLogicLayer::analyze: analyzing data: info: sending query: SELECT * from __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'WIN32_NTLogEvent' AND (
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_free_data: free data=0x2bc4698
[ 5876 1088246928]@firewall[28 Jan 11:36:32] pipe_thread: sending data for info=0x2bf28b8
[ 5876 1087644816]@firewall[28 Jan 11:36:32] T_event_mainloop_iter_select: select reports 1 events
[ 5876 1087644816]@firewall[28 Jan 11:36:32] T_event_trigger_call_ordered_handler: called for event 5
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_new_data_handler: called info=0x2bf28b8
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_new_data_handler: calling app data-handler
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Important)] ADLOG::DcomWmiBasicProtocol::DataReceived: received data from query engine:
$$START$$ info: sendQueryInAsyncMode() OK. $$END$$


[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiLogicLayer::analyze: analyzing data: info: sendQueryInAsyncMode() OK.
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_free_data: free data=0x2bc4698
[ 5876 1088246928]@firewall[28 Jan 11:36:32] pipe_thread: sending data for info=0x2bf28b8
[ 5876 1087644816]@firewall[28 Jan 11:36:32] T_event_mainloop_iter_select: select reports 1 events
[ 5876 1087644816]@firewall[28 Jan 11:36:32] T_event_trigger_call_ordered_handler: called for event 5
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_new_data_handler: called info=0x2bf28b8
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_new_data_handler: calling app data-handler
[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::Important)] ADLOG::DcomWmiBasicProtocol::DataReceived: received data from query engine:
$$START$$ info: number of objects per iteration 100 $$END$$


[ 5876 1087644816]@firewall[28 Jan 11:36:32] [ADLOG_DCOM (TD::All)] ADLOG::DcomWmiLogicLayer::analyze: analyzing data: info: number of objects per iteration 100
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_free_data: free data=0x2bc4698
[ 5876 1087644816]@firewall[28 Jan 11:36:32] pipe_free_data: free data=0x2bc4698
[ 5876 1073876624]@firewall[28 Jan 11:36:37] [Main (TD::Events)] AD_Connection_Tester::Finalize: Called after 6000 msec
[ 5876 1073876624]@firewall[28 Jan 11:36:37] [ADLOG (TD::Important)] ADLOG::DcConnCheck::isConnected: isConnected called
[ 5876 1073876624]@firewall[28 Jan 11:36:37] [Main (TD::Important)] AD_Connection_Tester::Finalize: the tester was timed out probably when waiting for nt events because the connection to AD succeeded
[ 5876 1073876624]@firewall[28 Jan 11:36:37] [Main (TD::Events)] AD_Connection_Tester::SetTestResult: test #1 got result 0
[ 5876 1073876624]@firewall[28 Jan 11:36:37] [Main (TD::Events)] AD_Connection_Tester::SetTestResult: Finished testing successfully
[ 5876 1073876624]@firewall[28 Jan 11:36:37] [Main (TD::Events)] AD_Connection_Tester::TestResultReporter::WriteSet ToFile: successfully written tests results to file /fwtmp/writers/wpiw.tmp.kjjEbL
[ 5876 1073876624]@firewall[28 Jan 11:36:37] [SIC (TD::Events)] NAC::IS::MultiSicDB::~MultiSicDB: d'tor is called
[ 5876 1073876624]@firewall[28 Jan 11:36:37] [ADLOG_THREAD (TD::All)] ADLOG::MainLoopThread::~MainLoopThread: d'tor is called
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: GaiaPortal(0x2bab2a8)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: PortalRegistrationInfo(0x2baaa80)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: Portal(0x2baaa60)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: ListRequest(0x2bab058)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: DebugRequest(0x2bab028)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: StartAllRequest(0x2baaff8)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: StopAllRequest(0x2baafc8)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: RestartPortalRequest(0x2baaf88)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: GetPortalDataRequest(0x2baaf48)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: RereadConfigurationRequest(0x2baaf08)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: UnregisterPortalRequest(0x2baaec8)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: StopPortalRequest(0x2baae98)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: StartPortalRequest(0x2baae68)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: IsPortalRunningRequest(0x2baae28)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: RegisterPortalRequest(0x2baade8)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: ListResponse(0x2baadb8)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: PortalDataResponse(0x2baad88)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: IsPortalRunningResponse(0x2baac30)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::remove: deleting className: SimpleResponse(0x2baac50)
[ 5876 1073876624]@firewall[28 Jan 11:36:37] IDeserializable::SafeMap::~SafeMap: m_ht=0x2baac78
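The debug log above shows what AD Query actually does on the wire: adlog connects to the DC over WMI/DCOM, subscribes to `__InstanceCreationEvent` for `Win32_NTLogEvent` instances in the Security log, and then waits for new events to arrive. "WBEM_ConnectServer() OK" and "sendQueryInAsyncMode() OK" followed by zero events therefore means the subscription itself is healthy and the DC is simply not writing the events the gateway is waiting for. The script below is an added example (not from the thread, not Check Point code) that reproduces the same WQL subscription locally on the domain controller and reports which Security event IDs arrive within a short window. It assumes an elevated PowerShell session on the DC; the `AdQueryProbe` source identifier and the 60-second default are arbitrary choices.

```powershell
# Added example, not part of the thread: reproduce the gateway's WMI event
# subscription locally on the domain controller and count which Security event
# IDs actually arrive. Run in an elevated PowerShell session on the DC.
param(
    [int]$Seconds = 60,                          # how long to listen
    [int[]]$Expected = @(4624, 4768, 4769, 4770) # IDs the gateway needs (named in the thread)
)

# Same WQL event query that test_ad_connectivity.elg shows adlog sending
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND (TargetInstance.SourceName='Security' OR TargetInstance.LogFile='Security')"

$sourceId = 'AdQueryProbe'   # assumed identifier; any unique string will do
Register-CimIndicationEvent -Query $query -SourceIdentifier $sourceId | Out-Null

$seen = @{}
$deadline = (Get-Date).AddSeconds($Seconds)
Write-Host "Listening for Security log events for $Seconds seconds (trigger a domain logon now)..."
try {
    while ((Get-Date) -lt $deadline) {
        $remaining = [int][Math]::Max(1, ($deadline - (Get-Date)).TotalSeconds)
        $ev = Wait-Event -SourceIdentifier $sourceId -Timeout $remaining
        if ($null -eq $ev) { break }   # timed out: nothing more arrived
        # The indication carries the new Win32_NTLogEvent as TargetInstance
        $code = [int]$ev.SourceEventArgs.NewEvent.TargetInstance.EventCode
        $seen[$code] = 1 + [int]$seen[$code]
        Remove-Event -EventIdentifier $ev.EventIdentifier   # drain the queue
    }
}
finally {
    Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
}

# Report what arrived and which of the IDs the gateway relies on never showed up
'Event IDs received:'
$seen.GetEnumerator() | Sort-Object Key | ForEach-Object { '  {0,5}: {1}' -f $_.Key, $_.Value }
$missing = $Expected | Where-Object { -not $seen.ContainsKey($_) }
if ($missing) {
    'Not seen: {0} -> the WMI subscription works, but the audit policy is not producing these events' -f ($missing -join ', ')
} else {
    'All expected logon/Kerberos events are being generated.'
}
```

Save it as a .ps1 and run it on the DC while a workstation user logs on to the domain. If the script reports only 4776 (or nothing) the problem is in the DC's audit policy rather than in the firewall-to-DC connection, which is exactly the situation the "did not send AD Query related events in the last 5 minutes" log message describes.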

xanadu.dm
2016-01-28, 09:05
When I configure browser-based authentication, User Awareness does work. However, the customer doesn't want to use a portal before users can browse the internet.

The information at the URL below couldn't help me either:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk60301#Step%202%20&%203:%20Extraction%20of%20the%20user/machine%20to%20IP%20Association%20and%20filtering%20undesirable%20association

ShadowPeak.com
2016-01-28, 09:35
When I configure browser-based authentication, User Awareness does work. However, the customer doesn't want to use a portal before users can browse the internet.

The information at the URL below couldn't help me either:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk60301#Step%202%20&%203:%20Extraction%20of%20the%20user/machine%20to%20IP%20Association%20and%20filtering%20undesirable%20association

First off, make sure the following events are actually being logged in the Security Log on the domain controller the firewall is connected to:

4624, 4768, 4769 and 4770

However, more ominously, I don't think that Windows Server 2012 is supported by version R75.20. The first reference to Identity Awareness being supported with Windows Server 2012 that I can find is in the R77 release notes. Windows Server 2012 is not listed as a supported OS for anything, including SmartConsole, in the R75.20 release notes, and the relevant Security Log codes for 2012 differ from 2008/2003. So I suspect your version doesn't know to be looking for the above events in its WMI connection to your 2012 server.

mrbbs
2016-01-28, 10:07
That could be correct. I'm only receiving one event on the DC: 4776: The domain controller attempted to validate the credentials for an account.

I'm running the most up-to-date version for the appliance: R77.20.11 - Build 471

jflemingeds
2016-01-28, 13:20
I haven't tried adding a workstation to the domain yet and testing AD Query. Is your AD pretty vanilla, or have you made changes to it?

I'll try ad query later today.

mrbbs
2016-01-28, 13:52
Nice to see some help here! Greatly appreciated!

No progress here.

Windows Server 2012R2 setup is plain vanilla. It's a new setup.
Looking forward to your test.

jflemingeds
2016-01-28, 19:42
OK, I added a box called WebServer to lab.spikefishsolutions.com.

I then logged into webserver.lab.spikefishsolutions.com as lab.spikefishsolutions.com\administrator, and this is what I see from the output of
pdp monitor all

BTW, webserver.lab.spikefishsolutions.com is 10.128.0.100.


This isn't all the output, just the bits to show it's working with R75.20 on a 2012 domain server.

[Expert@STUFF!]# pdp monitor all

Session Id: a2b34f5b
Session UUID: {8734F7CC-A83F-6EBA-D000-BCFB7A669D36}
Ip: 10.128.0.100
User Name: administrator
User Domain: lab.spikefishsolutions.com
User Groups: AD_Remote_Access_Group__;All Users;ad_group_2;ad_group_25;ad_group_26;ad_group_28;ad_group_31
User Authentication Method: User Identity Propagation
User Next Reauthentication: Fri Jan 29 06:32:26 2016
Machine Name: webserver
Machine Domain: lab.spikefishsolutions.com
Machine Groups: All Machines
Machine Authentication Method: Machine Identity Propagation
Machine Next Reauthentication: Fri Jan 29 06:32:26 2016
Identity Roles: -
Packet Tagging Status: Not Active
Client Type: AD Query
Client Version: -
Connect Time: Thu Jan 28 18:31:56 2016
Next Connectivity Check: Fri Jan 29 06:32:26 2016
Published Gateways: Local

Looks like it works. I haven't touched anything in the DC config. Just took all the defaults.

Have you looked at the audit events in that SK? Maybe those are disabled?

jflemingeds
2016-01-28, 19:52
I'm trying to set up AD User Awareness (connecting to a Windows Server 2012R2 Essentials).
All is set up and I cannot browse through user groups when adding objects; however, no LDAP user reporting is being done.

The domain controller gives Audit Success messages. I also restarted the WMI service according to this article: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk60501

The firewall log itself states a "communication problem @ 192.168.0.242" (which is the IP address of my Windows Server 2012R2 Essentials).
Does anyone have a clue how I can get this issue resolved?

Can you explain your topology? What IP is the firewall on, and how does the firewall get to your domain controller (192.168.0.242, I'm assuming)? Is it directly connected?

You could also try this: SSH in, enter expert mode and run this right after you try to browse users.

netstat -an | grep 192.168.0.242

Do it as quickly as possible after opening the browse users window.

xanadu.dm
2016-01-29, 08:56
Firewall IP: 192.168.0.1
It's on the same switch as the DC (192.168.0.242), a really straightforward setup.

What do you mean by browsing users?

I can find AD users when I make access policies. But users don't appear when looking in the logs for browsing behaviour, nor in the reports.

I'm afraid Windows Server 2012R2 isn't supported, as it generates different event IDs than Windows Server 2012:

I'm only receiving one event on the DC: 4776: The domain controller attempted to validate the credentials for an account.

jflemingeds
2016-01-29, 10:33
Same thing you said here or did you mean to say you can browse through user groups?


All is setup and I cannot browse through user groups when adding objects

I must not be using the R2 version. Thought that is what I installed, but from what everyone is saying it sounds like I tested 2012 (no R2).

I'll check it out again later today.

mrbbs
2016-01-29, 11:18
Same thing you said here or did you mean to say you can browse through user groups?

I must not be using the R2 version. Thought that is what I installed, but from what everyone is saying it sounds like I tested 2012 (no R2).

I'll check it out again later today.

Sorry, I CAN browse through user groups in Active Directory and thus can configure access policies.

However, the appliance doesn't report which user is browsing where, or what item is blocked. Also, the reports do not differentiate users.

ShadowPeak.com
2016-01-29, 12:18
Sorry, I CAN browse through user groups in Active Directory and thus can configure access policies.

However, the appliance doesn't report which user is browsing where, or what item is blocked. Also, the reports do not differentiate users.

Right, there are 2 main aspects to Identity Awareness:

1) Enumeration/Discovery of users and groups, both by the firewall and SmartDashboard. This doesn't tend to change much between Windows versions and will typically work even when the second element isn't.

2) Mapping of IP addresses to usernames. This definitely has differences between different major versions of Windows, as the Security Log event numbers are changed. I'd be surprised if they changed from Windows Server 2012 to 2012r2, but I guess it is possible.

xanadu.dm
2016-01-29, 12:36
Right, there are 2 main aspects to Identity Awareness:

1) Enumeration/Discovery of users and groups, both by the firewall and SmartDashboard. This doesn't tend to change much between Windows versions and will typically work even when the second element isn't.

2) Mapping of IP addresses to usernames. This definitely has differences between different major versions of Windows, as the Security Log event numbers are changed. I'd be surprised if they changed from Windows Server 2012 to 2012r2, but I guess it is possible.

I can confirm they have changed, as I receive one different event ID, as stated in sk60501.

ShadowPeak.com
2016-01-29, 13:26
I can confirm they have changed, as I receive one different event ID, as stated in sk60501.

Good ol' Microsoft making changes randomly... sigh.

jflemingeds
2016-01-29, 14:15
I can confirm they have changed, as I receive one different event ID, as stated in sk60501.

If this really is the case, it might be time to open a tech support case. Maybe this is not widely known at Check Point.

mrbbs
2016-01-29, 15:22
Good 'ol Microsoft making changes randomly...sigh

What's next? Can we open a case @ Check Point?
It's a new device that I do have support for. Can someone point me to the procedure to open a case?

jflemingeds
2016-01-29, 17:32
972 444 6600 - have the MAC address of the WAN port handy.

mrbbs
2016-01-31, 07:23
Thanks for the assistance! I'll keep you updated as soon as I hear more from Check Point.

xanadu.dm
2016-02-01, 07:54
Fixed the issue by:

Edit Group Policy Management:

Default Domain Policy:
(Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy)
Audit Logon Events: Enable Success/Failure

Domain Controller Policy
(Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy)
Audit account logon events: Enable Success/Failure
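The two GPO settings above are the legacy (category-level) audit policies. On the DC they translate into advanced-audit subcategories, and those subcategories are what produce the event IDs mentioned earlier in the thread: "Audit logon events" covers the Logon subcategory (4624), and "Audit account logon events" covers Credential Validation (4776), Kerberos Authentication Service (4768) and Kerberos Service Ticket Operations (4769/4770). The script below is an added example (not from the thread, not Check Point or Microsoft code) that verifies the effective setting of each subcategory with `auditpol` and counts how many of those events the Security log actually received in the last hour, so a 2012R2 Essentials box in its default state shows up as "BAD" rows with zero events. It assumes an elevated PowerShell session on the domain controller; the GPO-to-subcategory mapping is standard Windows behaviour and the event IDs are the ones named in this thread.

```powershell
# Added example, not part of the thread: check on the domain controller that the
# audit subcategories behind the two GPO settings above are enabled, and count the
# matching Security events from the last hour. Run in an elevated PowerShell on the DC.

# Legacy GPO setting -> advanced-audit subcategory -> event IDs named in the thread.
$checks = @(
    @{ Gpo = 'Audit logon events';         Subcategory = 'Logon';                              Ids = @(4624) },
    @{ Gpo = 'Audit account logon events'; Subcategory = 'Credential Validation';              Ids = @(4776) },
    @{ Gpo = 'Audit account logon events'; Subcategory = 'Kerberos Authentication Service';    Ids = @(4768) },
    @{ Gpo = 'Audit account logon events'; Subcategory = 'Kerberos Service Ticket Operations'; Ids = @(4769, 4770) }
)

function Get-AuditSetting([string]$Subcategory) {
    # auditpol /r prints CSV with a blank line before the header; drop blank lines first
    $rows = auditpol /get "/subcategory:$Subcategory" /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    # e.g. 'Success and Failure', 'Success', 'Failure' or 'No Auditing'
    return ($rows | Select-Object -First 1).'Inclusion Setting'
}

# Count the relevant event IDs written to the Security log in the last hour
$since  = (Get-Date).AddHours(-1)
$allIds = @($checks | ForEach-Object { $_.Ids })
$counts = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $allIds; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id | ForEach-Object { $counts[[int]$_.Name] = $_.Count }

$problems = 0
foreach ($c in $checks) {
    $setting = Get-AuditSetting $c.Subcategory
    # AD Query maps IPs to users from *successful* logons, so Success auditing is the must-have
    $auditsSuccess = $setting -match 'Success'
    if (-not $auditsSuccess) { $problems++ }
    $n = 0
    foreach ($id in $c.Ids) { $n += [int]$counts[$id] }
    $state = if ($auditsSuccess) { 'OK ' } else { 'BAD' }
    '{0} {1,-38} {2,-20} events in last hour: {3,-5} [{4}]' -f $state, $c.Subcategory, $setting, $n, $c.Gpo
}
if ($problems) {
    "$problems subcategory(ies) do not audit Success; enable them through the GPO settings above and run 'gpupdate /force' on the DC."
}
```

Run it once before and once after applying the group policy change (and `gpupdate /force`): the "Inclusion Setting" column should move from "No Auditing" to "Success and Failure", and the event counts should start climbing as soon as domain users log on, which is the point at which `adlog a statistics` on the gateway stops reporting zero NT events.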

ShadowPeak.com
2016-02-01, 09:05
Fixed the issue by:

Edit Group Policy Management:

Default Domain Policy:
(Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy)
Audit Logon Events: Enable Success/Failure

Domain Controller Policy
(Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy)
Audit account logon events: Enable Success/Failure

Great, thanks for the follow-up. So it looks like only authentication failures were being logged? Was this changed by your AD administrator, or was it set this way in Windows 2012r2 by default?

xanadu.dm
2016-02-01, 11:41
This was the default Windows Server 2012R2 Essentials setup. I mentioned the solution to Check Point and they've added the information to their SK:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk60501

jflemingeds
2016-02-01, 11:51
Hey, that's awesome, thanks for all the follow-up!

ShadowPeak.com
2016-02-01, 11:53
This was the default Windows Server 2012R2 Essentials setup. I mentioned the solution to Check Point and they've added the information to their SK:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk60501

Ah excellent, always looking for good real-world tidbits to mention while teaching Identity Awareness in a CCSA class. Thanks!