Troubleshooting for AD Query
If you experience connectivity problems between your domain controllers and the Identity Awareness Gateways or Log Servers, perform these troubleshooting steps:
- Ping the domain controller from the Identity Awareness Gateway and Log Server.
- Ping the Identity Awareness Gateway and Log Server from your domain controller.
- Perform standard network diagnostics as necessary.
- Check the Logs tab of the Logs & Monitor view to see whether there are drops between a Security Gateway defined with AD Query (Source) and the domain controller (Destination). If there are drops, see Configuring the Firewall and sk58881.
Use the Microsoft wbemtest utility to verify that WMI is functional and accessible:
Connect to the Utility
- Click Start > Run.
- Enter wbemtest.exe in the Run window.
- In the Windows Management Instrumentation Tester window, click Connect.
- In the Connect window, in the first field, enter the domain controller in this format: \\<IP address>\root\cimv2
- In the Credentials > User field, enter the fully qualified AD user name. For example: ad.company.com\admin
- Enter the password for the user.
- Click Connect.
If the Windows Management Instrumentation Tester window re-appears with its buttons enabled, WMI is fully functional.
If the connection fails, or you get an error message, check for these conditions:
- Connectivity problems (see Resolve Connectivity Issues).
- Incorrect domain administrator credentials (see Verify your domain administrator credentials).
- The WMI service is not running (see Verify the WMI Service on the Domain Controller).
- A Firewall is blocking traffic between the Identity Awareness Gateway or Log Server and the domain controller (see Configuring the Firewall).
Verify your domain administrator credentials
- Click Start > Run.
- In the Run window, enter \\<domain controller IP address>\c$
  For example: \\11.22.33.44\c$
- In the Logon window, enter your domain administrator user name and password.
- If the domain controller root directory appears, your domain administrator account has sufficient privileges. An error message may indicate that:
  - The user does not have sufficient privileges, which means the account is not defined as a domain administrator. Obtain domain administrator credentials.
  - You entered an incorrect user name or password. Check and retry.
  - The domain controller IP address is incorrect, or you are experiencing connectivity issues.
Verify the WMI Service on the Domain Controller
- Click Start > Run.
- Enter services.msc in the Run window.
- Find the Windows Management Instrumentation service and make sure that it is started. If it is not started, right-click the service and select Start.
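The connectivity, wbemtest, administrator-credential and WMI-service checks above can be run together from a Windows host. The following PowerShell script is an added example and is not part of the Check Point guide; it assumes a placeholder domain controller address (the 11.22.33.44 from the credentials example), a domain administrator credential entered at the prompt, and a host that can reach the domain controller. It deliberately opens the WMI session over DCOM, the same transport wbemtest uses, so a pass here corresponds to a successful wbemtest connection to root\cimv2.

```powershell
# Added example, not from the Check Point guide. Assumptions: the DC address is a
# placeholder, a domain administrator credential is supplied at the prompt, and the
# host running this can reach the DC. WMI is exercised over DCOM, as wbemtest does.
param(
    [string]$DcAddress = '11.22.33.44',
    [pscredential]$Credential = (Get-Credential -Message 'Domain administrator, e.g. ad.company.com\admin')
)

$results = [ordered]@{}

# 1. ICMP reachability (the guide's "ping the domain controller" step).
$results['ICMP ping'] = Test-Connection -ComputerName $DcAddress -Count 2 -Quiet

# 2. TCP 135, the RPC endpoint mapper that every DCOM/WMI connection starts on.
#    Ping working but 135 failing usually points at a firewall in the path.
$tcp = Test-NetConnection -ComputerName $DcAddress -Port 135 -WarningAction SilentlyContinue
$results['TCP 135 (RPC endpoint mapper)'] = $tcp.TcpTestSucceeded

# 3. Administrative share, the same check as opening \\<DC>\c$ from the Run window.
try {
    New-PSDrive -Name DcAdmin -PSProvider FileSystem -Root "\\$DcAddress\c$" `
        -Credential $Credential -ErrorAction Stop | Out-Null
    Remove-PSDrive -Name DcAdmin
    $results['Admin share \\DC\c$'] = 'OK (account has administrative rights on the DC)'
} catch {
    $results['Admin share \\DC\c$'] = "FAILED: $($_.Exception.Message)"
}

# 4. WMI query in root\cimv2, the namespace wbemtest connects to. The DCOM protocol is
#    forced explicitly so the test cannot silently succeed over WinRM instead.
$session = $null
try {
    $dcom = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $DcAddress -Credential $Credential `
        -SessionOption $dcom -ErrorAction Stop
    $os = Get-CimInstance -CimSession $session -Namespace 'root\cimv2' `
        -ClassName Win32_OperatingSystem -ErrorAction Stop
    $results['WMI root\cimv2 query'] = "OK ($($os.Caption))"
} catch {
    $results['WMI root\cimv2 query'] = "FAILED: $($_.Exception.Message)"
}

# 5. State of the Windows Management Instrumentation service (Winmgmt) on the DC,
#    the same thing services.msc shows. Uses the session opened in step 4.
if ($session) {
    try {
        $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
            -Filter "Name='Winmgmt'" -ErrorAction Stop
        $results['Winmgmt service state'] = $svc.State
    } catch {
        $results['Winmgmt service state'] = "FAILED: $($_.Exception.Message)"
    }
    Remove-CimSession $session
} else {
    $results['Winmgmt service state'] = 'not checked (WMI session could not be opened)'
}

# Summary: each FAILED line maps to one of the conditions listed in the guide.
$results.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
```

Read the output top down: a failing ping is a network problem, a failing TCP 135 with ping working is usually a firewall, a failing admin share with TCP 135 working is a credentials or privilege problem, and a failing WMI query with the share working points at the WMI service or DCOM permissions on the domain controller.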
Configuring the Firewall
If a Firewall is located between the Identity Awareness Gateway or Log Server and the Active Directory domain controller, configure the Firewall to allow WMI traffic.
To create Firewall rules for WMI traffic:
- In SmartConsole, from the Security Policies view, open the Access Control Policy.
- Create a rule that allows ALL_DCE_RPC traffic:
  - Source = Security Gateways that run AD Query
  - Destination = Domain Controllers
  - Service = ALL_DCE_RPC
  - Action = Accept
- Save the policy and install it on the Security Gateway.
Note - If there are connectivity issues on DCE RPC traffic after this policy is installed, see sk37453 for a solution.
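The same rule can be created with the Check Point Management API command-line tool instead of clicking through SmartConsole. The PowerShell script below is an added example, not from the guide: it assumes mgmt_cli.exe at the path where SmartConsole installs it (the version folder varies by release), a placeholder management server address, an Access Control layer named Network, a policy package named Standard, and that host/group objects for the AD Query gateway and the domain controllers already exist under the names given here.

```powershell
# Added example, not from the Check Point guide. All values below are assumptions to
# adjust for your environment; the objects named in $AdqGateway and $DcGroup must
# already exist in the management database.
$MgmtCli    = 'C:\Program Files (x86)\CheckPoint\SmartConsole\R81\PROGRAM\mgmt_cli.exe'
$MgmtServer = '192.0.2.10'            # placeholder management server address
$MgmtUser   = 'admin'
$Layer      = 'Network'               # Access Control layer of the policy package
$Package    = 'Standard'              # policy package to install
$AdqGateway = 'IDA-Gateway'           # gateway object that runs AD Query (rule source, install target)
$DcGroup    = 'Domain-Controllers'    # group object containing the domain controllers (rule destination)

# Log in once; the session id is kept in a file that later calls reference with -s.
# The file is written as ASCII because mgmt_cli expects a plain-text session file.
$SessionFile = Join-Path $env:TEMP 'mgmt_cli_session.txt'
$Password = Read-Host "Password for $MgmtUser on $MgmtServer"
& $MgmtCli login user $MgmtUser password $Password -m $MgmtServer |
    Out-File -FilePath $SessionFile -Encoding ascii

# The rule from the guide: Source = AD Query gateway, Destination = domain controllers,
# Service = ALL_DCE_RPC, Action = Accept. Placed at the top so no earlier rule drops it.
& $MgmtCli add access-rule layer $Layer position top `
    name 'Allow DCE-RPC (WMI) from AD Query gateway to DCs' `
    source $AdqGateway destination $DcGroup service ALL_DCE_RPC action Accept `
    -s $SessionFile

# Save the change, then install the policy on the gateway (the guide's last step).
& $MgmtCli publish -s $SessionFile
& $MgmtCli install-policy policy-package $Package targets $AdqGateway -s $SessionFile

& $MgmtCli logout -s $SessionFile
Remove-Item $SessionFile -ErrorAction SilentlyContinue
```

Run the script from a Windows host with SmartConsole installed; on first use mgmt_cli asks you to confirm the management server's fingerprint. If the publish fails, the rule was not saved, so nothing is installed.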
Confirm that Security Event Logs are Recorded
If you have checked connectivity (see Resolve Connectivity Issues) but still do not see identity information in logs, make sure that the necessary events are being recorded in the Security Event Log.
AD Query reads these events from the Security Event Log:
- For Windows Server 2003 domain controllers: 672, 673, 674
- For Windows Server 2008 and above domain controllers: 4624, 4769, 4768, 4770
Make sure you see the applicable events in the Event Viewer on the domain controller (My Computer > Manage > Event Viewer > Security).
If the domain controller does not generate these events (by default, they are generated), refer to the Microsoft Active Directory documentation for instructions on how to configure these events.
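To check the Security Event Log without opening Event Viewer, the following PowerShell script is an added example that is not part of the Check Point guide. It assumes the placeholder domain controller address from the credentials example, a domain administrator credential, read access to the domain controller's Security log over the remote event-log service and, for the optional audit-policy check only, WinRM enabled on the domain controller. It covers the Windows Server 2008 and later event IDs the guide lists, counts them over a look-back window, and extracts the user-to-address pairs those events carry, which is the information AD Query needs to find in them.

```powershell
# Added example, not from the Check Point guide. Assumptions: placeholder DC address,
# a domain administrator credential, remote read access to the DC's Security log, and
# (optional audit-policy check) WinRM on the DC. Event IDs are those the guide lists
# for Windows Server 2008 and above.
param(
    [string]$DcAddress = '11.22.33.44',
    [pscredential]$Credential = (Get-Credential -Message 'Domain administrator, e.g. ad.company.com\admin'),
    [int]$LookBackHours = 1
)

$WantedIds = 4624, 4768, 4769, 4770
$since = (Get-Date).AddHours(-$LookBackHours)

# Pull recent matching events from the DC's Security log. -ErrorAction SilentlyContinue
# turns "No events were found" into an empty result instead of a terminating error.
$events = @(Get-WinEvent -ComputerName $DcAddress -Credential $Credential -FilterHashtable @{
    LogName = 'Security'; Id = $WantedIds; StartTime = $since
} -MaxEvents 5000 -ErrorAction SilentlyContinue)

# Count per event ID. Zero hits for an ID on a busy domain usually means its audit
# subcategory is disabled, so AD Query has nothing to read for that event type.
$counts = @{}
foreach ($id in $WantedIds) { $counts[$id] = 0 }
foreach ($e in $events) { $counts[$e.Id]++ }
Write-Host "Security events on $DcAddress in the last $LookBackHours hour(s):"
foreach ($id in $WantedIds) { '  Event {0}: {1}' -f $id, $counts[$id] }

# Read one named EventData field from an event's XML representation.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# The identity-to-address mapping these events carry: TargetUserName plus the client
# IpAddress (IPv4 addresses appear as ::ffff:a.b.c.d). Local, empty or placeholder
# addresses are dropped because they identify no network host.
$mappings = foreach ($e in $events) {
    $ip = (Get-EventField $e 'IpAddress') -replace '^::ffff:', ''
    if ($ip -and $ip -notin @('-', '::1', '127.0.0.1')) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Event  = $e.Id
            User   = Get-EventField $e 'TargetUserName'
            Domain = Get-EventField $e 'TargetDomainName'
            IP     = $ip
        }
    }
}
Write-Host "Most recent user-to-address mappings:"
$mappings | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize

# Optional: confirm the audit subcategories behind these events are enabled on the DC.
# 4624 belongs to Logon/Logoff > Logon; 4768, 4769 and 4770 to the two Kerberos
# subcategories under Account Logon. Needs WinRM on the DC (assumption); skipped if not reachable.
$subcategories = 'Logon,Kerberos Authentication Service,Kerberos Service Ticket Operations'
try {
    Invoke-Command -ComputerName $DcAddress -Credential $Credential -ErrorAction Stop -ScriptBlock {
        param($sub)
        auditpol /get "/subcategory:$sub"
    } -ArgumentList $subcategories
} catch {
    Write-Warning "Audit policy not checked (WinRM to $DcAddress failed): $($_.Exception.Message)"
}
```

If the counts are all zero but the audit policy shows the subcategories as Success, widen the look-back window before concluding that logging is off; on a quiet lab domain controller an hour may simply contain no logons.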