CPUG: The Check Point User Group

Thread: Association is Found but App/URL Filtering is not working

  1. #1
    Join Date
    2012-06-13
    Posts
    368
    Rep Power
    8

    Association is Found but App/URL Filtering is not working

    Hi there,

    I have an issue going on where everything is working fine from the AD end, and I also see the association working on the firewall. I can confirm that with adlog a dc as well as pdp monitor all and pdp query all.

    I see proper mapping on the firewall, but somehow App/URL filtering is not working user-wise; even user names are not appearing in Tracker. I have done all the debugging with PDP and even that shows the mapping is fine, but dang, not sure why the firewall is not detecting the users.

    I also have Capsule Workspace running on the same box, which is working fine. Agreed, it does not work through WMI, but I am wondering what went wrong that my App/URL filtering is not working :(

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    14

    Re: Association is Found but App/URL Filtering is not working

    Originally posted by blason:
    > Hi there,
    >
    > I have an issue going on where everything is working fine from the AD end, and I also see the association working on the firewall. I can confirm that with adlog a dc as well as pdp monitor all and pdp query all.
    >
    > I see proper mapping on the firewall, but somehow App/URL filtering is not working user-wise; even user names are not appearing in Tracker. I have done all the debugging with PDP and even that shows the mapping is fine, but dang, not sure why the firewall is not detecting the users.
    >
    > I also have Capsule Workspace running on the same box, which is working fine. Agreed, it does not work through WMI, but I am wondering what went wrong that my App/URL filtering is not working :(

    Is Identity Awareness not working for one or a small set of users, or not working for all users on that firewall?

    If it is not working for any users, try adding your own user to IP mapping like this:

    pdp ad associate ip 10.1.1.201 u Administrator d alpha.cp m ADSERVER0 s

    Substitute the IP address, user name, domain, and machine name in the command above. Does that work? I suspect there is something wrong in the mappings that are being formed automatically.

    Does authenticating through the captive portal make things start working? I assume you are seeing "log in" events in the Tracker?
    --
    Third Edition of my "Max Power 2020" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3
    Join Date
    2012-06-13
    Posts
    368
    Rep Power
    8

    Re: Association is Found but App/URL Filtering is not working

    Hey there,

    Well, my AD query association is working perfectly, and I could see it using adlog and pdp monitor, but App/URL filtering is not working, nor am I seeing usernames in SmartView Tracker. This is a very peculiar issue. I have another firewall being managed by the same mgmt server, but in a geographically dispersed location, having the same AD and AD server, and there everything works perfectly.

    I have not yet tested the captive portal, but I am sure that would work, since I am seeing the association in pdpd.elg as well as adlog a query all.

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    14

    Re: Association is Found but App/URL Filtering is not working

    Originally posted by blason:
    > Hey there,
    >
    > Well, my AD query association is working perfectly, and I could see it using adlog and pdp monitor, but App/URL filtering is not working, nor am I seeing usernames in SmartView Tracker. This is a very peculiar issue. I have another firewall being managed by the same mgmt server, but in a geographically dispersed location, having the same AD and AD server, and there everything works perfectly.
    >
    > I have not yet tested the captive portal, but I am sure that would work, since I am seeing the association in pdpd.elg as well as adlog a query all.

    All modern firewall licenses have Identity Awareness included. Is it possible that the license generated for this particular firewall is very old (pre-R75) and doesn't include IA? You should see the string CPSB-IA somewhere in the output of "cplic print" run from the gateway.
    --
    Third Edition of my "Max Power 2020" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
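
The license check suggested in the post above, as an added example that is not part of the thread or of any Check Point tooling. The function name `check_ia_license`, the assumed column layout (host, expiration, features) and the sample license lines are constructed for illustration; the expiry handling goes beyond what the post asks for.

```shell
#!/bin/sh
# Added example. Reads `cplic print` output on stdin, e.g. on a gateway:
#   cplic print | check_ia_license "$(date +%Y%m%d)"
# Assumed line layout: <host> <"never" | DDMonYYYY> <feature strings...>
# Status: 0 = CPSB-IA on an unexpired license, 1 = only on expired ones,
#         2 = CPSB-IA not found on any license line.
check_ia_license() {
    awk -v today="$1" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = sprintf("%02d", i)
            rc = 2
        }
        {
            has_ia = 0
            for (i = 3; i <= NF; i++) if (index($i, "CPSB-IA") == 1) has_ia = 1
            if (!has_ia) next
            if ($2 == "never") { rc = 0; next }
            len = length($2)
            mname = substr($2, len - 6, 3)
            if (len < 8 || !(mname in mon)) next   # unrecognised date: ignore line
            # DDMonYYYY -> YYYYMMDD so the dates compare as plain numbers
            expd = substr($2, len - 3) mon[mname] sprintf("%02d", substr($2, 1, len - 7))
            if (expd + 0 >= today + 0) rc = 0
            else if (rc == 2) rc = 1
        }
        END { exit rc }
    '
}

# Constructed samples (hosts and feature lists are made up, not gateway output).
LIC_OK='Host        Expiration  Features
10.1.1.1    never       CPSB-FW CPSB-VPN CPSB-IA CPSB-URLF'
LIC_NO_IA='Host        Expiration  Features
10.1.1.1    never       CPSB-FW CPSB-VPN'
LIC_EXPIRED='Host        Expiration  Features
10.1.1.1    27Nov2016   CPSB-FW CPSB-IA CPSB-URLF'

for sample in "$LIC_OK" "$LIC_NO_IA" "$LIC_EXPIRED"; do
    rc=0
    printf '%s\n' "$sample" | check_ia_license 20170101 || rc=$?
    echo "status=$rc"
done
```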

  5. #5
    Join Date
    2012-06-13
    Posts
    368
    Rep Power
    8

    Re: Association is Found but App/URL Filtering is not working

    Well, nah. It was working well before I upgraded it to Capsule DOCS [77.30.01] and applied the Reverse Proxy Patch on the firewall. A case is raised with GTAC; let's see how this goes, but still no luck so far.

  6. #6
    Join Date
    2012-08-16
    Posts
    182
    Rep Power
    8

    Re: Association is Found but App/URL Filtering is not working

    One thing to keep in mind is that IA does not keep up with AD user group changes or OU renames or any AD edits really. So if you created an IA group for the capsule portion somewhat recently it may reflect any changes made whereas the other URL filtering IA group may not. Just something to check out.

  7. #7
    Join Date
    2012-06-13
    Posts
    368
    Rep Power
    8

    Re: Association is Found but App/URL Filtering is not working

    Well, nah again, even this wasn't the case. I guess one of my engineers mistakenly created another AD object somehow [I guess; I found that it was configured on the Mgmt server as well] and it was being used in the rule base. We even removed that later and associated all the users from that AD object which were used in the rule base to the old one.

    And that seems to have broken something. But the thing is, I could see all the associations from the command line, and users are being picked up, but gosh, users are not being shown in Tracker, nor is my App/URL filtering working user-wise.
