
Configuring AD Query

Enabling AD Query

You must enable RADIUS Accounting on Security Gateways before they can work as RADIUS Accounting servers.

To enable AD Query for a Security Gateway:

  1. In the SmartConsole Gateways & Servers view, open the Security Gateway.
  2. On the General Properties page, make sure that Identity Awareness is enabled.
  3. On the Identity Awareness page, select AD Query.

Single User Assumption

You can configure AD Query to allow only one active account per IP address. When user A logs out before the timeout and user B logs in from the same IP address, the session of user A closes automatically and the permissions of user A are canceled. User B is then the only active user account and only the permissions of user B are valid. This feature is called Single User Assumption.

Before you activate Single User Assumption, you must exclude all service accounts used by user computers.

Note - Another way to keep IP address reuse between different users to a minimum is to increase the DHCP lease time.

To activate single user assumption:

  1. Exclude service accounts.
  2. On the Identity Awareness page, select Settings for AD Query.
  3. Select Assume that only one user is connected per computer.
  4. Click OK.

To deactivate Single User Assumption, clear Assume that only one user is connected per computer.

Excluding Users, Computers and Networks

You can manually exclude service accounts, users, computers and networks from the AD Query scan. You can also configure AD Query to automatically detect and exclude suspected service accounts. Identity Awareness identifies service accounts as user accounts that are logged in to more than a specified number of computers at the same time.

To exclude objects from Active Directory queries:

  1. From the Security Gateway object Identity Awareness page, select Active Directory Query > Settings.
  2. Click Advanced.
  3. In the Excluded Users / Computers section, enter the user or computer account name. You can use the * and ? wildcard characters or regular expressions to select more than one account. Use this syntax for regular expressions: regexp:<regular expression>.
  4. Optional: Select Automatically exclude users which are logged into more than n machines simultaneously. Enter the threshold number of computers in the related field.
  5. In the Excluded Networks section:
    • Click the plus sign (+) and select a network to add it to the Excluded Networks list.
    • Select an excluded network and click the minus sign (-) to remove a network from the list.
  6. Click Add.
  7. Click OK.

Managing the Suspected Service Account List

When automatic exclusion is enabled, Identity Awareness looks for suspected service accounts every 10 minutes. Suspected service accounts are saved to a persistent database that survives reboot. When a new service account is detected, a message shows in Logs & Monitor > Logs.
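The three mechanisms described above, the exclusion patterns (* and ? wildcards, or the regexp:<regular expression> form), the threshold-based detection of suspected service accounts, and the one-account-per-IP rule of Single User Assumption, as an added Python example. It is not part of this guide or of Check Point's code: the login events, IP addresses and pattern list are constructed, and the threshold check counts the distinct computers an account is seen on in the sample rather than true simultaneous logins.

```python
import fnmatch
import re
from collections import defaultdict

# Constructed identity events in arrival order: (account, source IP, computer).
# Not real gateway or domain controller output.
EVENTS = [
    ("alice", "10.0.0.5", "pc-05"),
    ("monitor", "10.0.0.5", "pc-05"),
    ("monitor", "10.0.0.6", "pc-06"),
    ("monitor", "10.0.0.7", "pc-07"),
    ("svc_backup", "10.0.0.6", "pc-06"),
    ("bob", "10.0.0.5", "pc-05"),
    ("scanner01", "10.0.0.8", "pc-08"),
    ("carol", "10.0.0.6", "pc-06"),
]

# Constructed exclusion list in the syntax the guide describes:
# plain names with * and ? wildcards, or "regexp:<regular expression>".
EXCLUDED = ["svc_*", "regexp:^scanner\\d+$"]


def is_excluded(account, patterns=EXCLUDED):
    """True if the account matches any wildcard or regexp: pattern."""
    for pat in patterns:
        if pat.startswith("regexp:"):
            if re.search(pat[len("regexp:"):], account):
                return True
        elif fnmatch.fnmatchcase(account, pat):  # handles * and ?
            return True
    return False


def suspected_service_accounts(events, threshold):
    """Accounts seen on more than `threshold` distinct computers."""
    computers = defaultdict(set)
    for account, _ip, computer in events:
        computers[account].add(computer)
    return sorted(a for a, c in computers.items() if len(c) > threshold)


def active_users(events, excluded, threshold):
    """Single User Assumption: one active account per IP; a later login on
    the same IP replaces the earlier one. Excluded and suspected service
    accounts are skipped so they never evict a real user's session."""
    auto = set(suspected_service_accounts(events, threshold))
    current = {}
    for account, ip, _computer in events:
        if account in auto or is_excluded(account, excluded):
            continue
        current[ip] = account  # previous account on this IP is logged out
    return current
```

Running `active_users(EVENTS, [], 10)` shows the effect of skipping exclusions: the monitor and scanner accounts then occupy IP addresses and can evict real users.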

Use these commands to see and manage the suspected service account database:

To show all suspected service accounts, run:

adlog a control srv_accounts show

To run the service accounts scan immediately, run:

adlog a control srv_accounts find

This command is useful before you enable the Assume that only one user is connected option.

To remove an account from the service account database, run:

adlog a control srv_accounts unmark <account name>

To remove all accounts from the suspected service account database, run:

adlog a control srv_accounts clear

Important - When you use the adlog a control command, you must run this command to save the configuration:

adlog a control reconf

Using AD Query with NTLMv2

NTLMv2 for AD Query is supported by Identity Awareness Gateway R76 and above. Earlier releases support only NTLM.

By default, NTLMv2 support is disabled.

To enable NTLMv2 support for AD Query:

  1. In SmartConsole, enable Identity Awareness without using the Identity Awareness Configuration wizard:
    1. Open the Security Gateway or Cluster object.
    2. On the General Properties tab, click the Network Security tab.
    3. Enable Identity Awareness.

      The Identity Awareness Configuration window opens.

    4. Click Cancel.
    5. Make sure Identity Awareness is enabled.
    6. Click OK.
    7. Install the Access Policy on the Security Gateway or Cluster object.
  2. On the Security Management Server:
    1. Connect to the command line.
    2. Log in to Expert mode.
    3. Run:

      adlogconfig a

    4. Enter the number of this option:

      Use NTLMv2

    5. Enter the number of this option:

      Exit and save

  3. In SmartConsole, restart the Identity Awareness Configuration wizard and continue configuring Identity Awareness.
    1. Open the Security Gateway or Cluster object.
    2. On the General Properties tab, click the Network Security tab.
    3. Disable Identity Awareness. Do not click OK.
    4. Enable Identity Awareness.

      The Identity Awareness Configuration window opens.

    5. Continue configuring Identity Awareness in this wizard.
    6. Click OK.
    7. Install the Access Policy on the Security Gateway or Cluster object.

Automatic LDAP Group Update

Identity Awareness automatically recognizes changes to LDAP group membership and updates identity information, including Access Roles.

When you add, move or remove an LDAP nested group, the system recalculates LDAP group membership for ALL users in ALL Groups. Be very careful when you deactivate user-related notifications.

LDAP Group Update is activated by default. You can manually deactivate LDAP Group Update with the CLI.

Important - Automatic LDAP group update works only with Microsoft Active Directory when AD Query is activated.

To deactivate automatic LDAP group update:

  1. From the Security Gateway command line, run:

    adlogconfig a

    The adlog status screen and menu open.

  2. Select Turn LDAP groups update on/off.

    LDAP groups update notifications status changes to [ ] (not active). If you enter Turn LDAP groups update on/off when automatic LDAP group update is not active, LDAP groups update notifications status changes to [X] (active).

  3. Enter Exit and save to save this setting and close the adlogconfig tool.
  4. Install the Access Policy.

You can use adlogconfig to set the time between LDAP change notifications and to send notifications only for user related changes.

To configure LDAP group notification options:

  1. From the Security Gateway command line, run:

    adlogconfig a

    The adlog status screen and menu open.

  2. Enter the Notifications accumulation time to set the time between LDAP change notifications.
  3. Enter the time between notifications in seconds (default = 10).
  4. Enter Update only user-related LDAP changes to toggle whether notifications are sent only for user-related changes.

    Be very careful when you deactivate only user-related notifications. This can cause excessive gateway CPU load.

  5. Enter Exit and save to save these settings and close the adlogconfig tool.
  6. Install the Access Policy.

Automatic LDAP Group Update does not occur immediately because Identity Awareness looks for users and groups in the LDAP cache first. The information in the cache does not contain the updated LDAP Groups. By default, the cache contains 1,000 users and cached user information is updated every 15 minutes.

You must deactivate the LDAP cache to get automatic LDAP Group Update assignments immediately. This action can cause Identity Awareness to work slower.

To deactivate the LDAP cache:

  1. In SmartConsole, go to Menu > Global properties...
  2. In the left navigation tree, click User Directory.
  3. Change Timeout on cached users to zero.
  4. Change Cache size to zero.
  5. Install the Access Policy.

Specifying Domain Controllers per Security Gateway

An organization's Active Directory can have several sites, where each site has its own domain controllers that are protected by a Security Gateway. When all of the domain controllers belong to the same Active Directory, one LDAP Account Unit is created in SmartConsole.

When AD Query is enabled on Security Gateways, you may want to configure each Security Gateway to communicate with only some of the domain controllers.

This is configured in the User Directory page of the Gateway Properties. For each domain controller that is to be ignored, the priority of that domain controller in the Account Unit must be set to a value higher than 1000.

For example, let us say that the LDAP Account Unit ad.mycompany.com has 5 domain controllers - dc1, dc2, dc3, dc4, and dc5.

On the Identity Awareness Gateway, we want to enable AD Query only for domain controllers dc2 and dc3. This means that priority of all other domain controllers (dc1, dc4 and dc5) must be set to a number greater than 1000 in the Identity Awareness Gateway object properties.

To specify domain controllers for each Identity Awareness Gateway:

  1. Log in to SmartConsole.
  2. From the Navigation Toolbar, click Gateways & Servers.
  3. Open the Identity Awareness Gateway object.
  4. In the left tree, click the [+] next to Other, then click User Directory.
  5. Select the option Selected Account Units list.
  6. Click Add.
  7. Select your Account Unit and click OK.
  8. Clear the option Use default priorities.
  9. Set the priority 1001 to dc1, dc4 and dc5:
    1. Select the domain controller.
    2. In the Priority field, enter 1001.
    3. Click Set.
  10. Click OK.
  11. Install the Access Policy.

Checking the Status of Domain Controllers

You can make sure that the domain controllers are set properly by using the adlog CLI. You can see the domain controllers that the Security Gateway is set to communicate with as well as the domain controllers it ignores.

The CLI command is:

adlog a dc