Nested LDAP groups are not enforced correctly in Identity Awareness
Symptoms
  • When an LDAP group is nested in another LDAP group, and the parent group is used in an 'AccessRole', users in the nested group will not be identified as part of the parent group and will not be assigned to this 'AccessRole'.
    As a result, enforcement based on this 'AccessRole' (within Firewall, Application Control, etc. policies) will be incorrect.

    Example:
    • User John belongs to group 'Org_IT'
    • 'Org_IT' is a member of group 'Org_ALL'
    • 'Org_ALL' is assigned to 'AccessRole_1'
    • The issue: John will not be matched as being part of 'AccessRole_1'

    Note: There is no issue with matching users that are part of a group that is directly included in an 'AccessRole'. In the above example, users of group 'Org_ALL' will be matched to 'AccessRole_1' as expected.
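    The following is an added illustration, not Check Point code: a small directory-and-policy model (constructed data) that shows why a direct-membership lookup misses John in the example above, while a nested-aware lookup matches him to 'AccessRole_1'. The DNs, the GROUPS table and the ACCESS_ROLES table are all assumptions made for this example.

```python
# Added example (not Check Point code). Constructed LDAP-style data:
# group DN -> list of member DNs (users or other groups).
GROUPS = {
    "cn=Org_IT,ou=groups,dc=example,dc=com": [
        "cn=John,ou=users,dc=example,dc=com",
    ],
    "cn=Org_ALL,ou=groups,dc=example,dc=com": [
        "cn=Org_IT,ou=groups,dc=example,dc=com",   # nested group
        "cn=Alice,ou=users,dc=example,dc=com",     # direct member
    ],
}

# Constructed policy: Access Role name -> LDAP groups bound to it.
ACCESS_ROLES = {
    "AccessRole_1": ["cn=Org_ALL,ou=groups,dc=example,dc=com"],
}


def direct_groups(user_dn):
    """Groups that list the user as an immediate member (the faulty behaviour)."""
    return {g for g, members in GROUPS.items() if user_dn in members}


def all_groups(user_dn):
    """Groups the user belongs to directly or via nesting (the fixed behaviour).
    Walks from each direct group up to every parent; the 'result' set also
    stops the walk if two groups ever contain each other."""
    result, pending = set(), list(direct_groups(user_dn))
    while pending:
        g = pending.pop()
        if g in result:
            continue  # already expanded (also guards against cyclic nesting)
        result.add(g)
        # any group that lists g as a member is a parent of g
        pending.extend(p for p, members in GROUPS.items() if g in members)
    return result


def matched_roles(user_dn, resolver):
    """Access Roles whose bound groups intersect the user's resolved groups."""
    groups = resolver(user_dn)
    return sorted(r for r, bound in ACCESS_ROLES.items() if groups & set(bound))


if __name__ == "__main__":
    john = "cn=John,ou=users,dc=example,dc=com"
    print("direct only :", matched_roles(john, direct_groups))  # []
    print("nested aware:", matched_roles(john, all_groups))     # ['AccessRole_1']
```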
Solution

This problem was fixed. The fix is included in:

Check Point recommends always upgrading to the most recent version (upgrade Security Gateway / upgrade VSX / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).

For R77.10, Check Point offers a hotfix for this issue.

Note: In a cluster environment, this procedure must be performed on all members of the cluster.

  • Hotfix installation instructions - Gaia OS using CPUSE (Check Point Update Service Engine)

    We recommend using CPUSE to install this hotfix.

    Note: The hotfix has to be installed on the Security Gateway / each cluster member.

    • In Gaia Portal:

      Important Note for VSX mode: Gaia Portal is not supported on a Security Gateway in VSX mode. Users must use Clish.

      1. Connect to the Gaia Portal on your machine.

      2. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out').

      3. Navigate to the 'Software Updates' - 'Status and Actions' pane.

      4. Go to the 'Updates' tab to see the published hotfixes available for download.

      5. Select the Check_Point_R77.10_Hotfix_sk98328.tgz package - right-click on it - click on 'Download' (this will download the hotfix to your machine).

      6. Right-click on the Check_Point_R77.10_Hotfix_sk98328.tgz package - click on 'Install' (this will install the hotfix on the machine and display the installation status).

      7. When prompted for reboot (a pop up window appears), confirm to reboot the machine.


    • In Clish:


      1. Connect to Gaia command line (over SSH, or console).

      2. Log in to Clish shell.

      3. See the list of available packages for download:

        HostName> show installer available_packages

      4. Download this hotfix:

        HostName> installer download Check_Point_R77.10_Hotfix_sk98328.tgz

      5. Check the download progress by repeatedly running this command:

        HostName> show installer package_status
        Example output:
        Check_Point_R77.10_Hotfix_sk98328.tgz - Downloading (2.95 MB/s)   - Progress: 6%
        Check_Point_R77.10_Hotfix_sk98328.tgz - Available for install
        
      6. See the list of available packages for install:

        HostName> show installer available_local_packages

      7. Install this hotfix:

        HostName> installer install Check_Point_R77.10_Hotfix_sk98328.tgz

      8. Check the installation progress by repeatedly running this command:

        HostName> show installer package_status
        Example output:
        Check_Point_R77.10_Hotfix_sk98328.tgz - Installing                - Progress: 3%
        Check_Point_R77.10_Hotfix_sk98328.tgz - installed
        
      9. Machine will be rebooted automatically.

    Contact Check Point Support for any assistance.



  • Hotfix installation instructions - Gaia / SecurePlatform / Linux OS

    Contact Check Point Support for any assistance.

    1. The hotfix has to be installed on the Security Gateway / each cluster member.

    2. Download the relevant hotfix package:

      Platform R77.10
      Gaia / SecurePlatform / Linux (TGZ)


    3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).

    4. Unpack the hotfix package:

      [Expert@HostName]# cd /some_path_to_fix/
      [Expert@HostName]# tar zxvf Check_Point_R77.10_Hotfix_sk98328.tgz

    5. Install the hotfix:

      [Expert@HostName]# ./fw1_wrapper_HOTFIX_NAME

      Note: The script will stop all Check Point services (cpstop) - read the output on the screen.

    6. Reboot the machine.


  • Hotfix installation instructions - IPSO OS

    Contact Check Point Support for any assistance.

    1. The hotfix has to be installed on the Security Gateway / each cluster member.

    2. Download the relevant hotfix package:

      Platform R77.10
      IPSO (TGZ)


    3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).

    4. Unpack the hotfix package:

      [Expert@HostName]# cd /some_path_to_fix/
      [Expert@HostName]# tar zxvf Check_Point_R77.10_Hotfix_IPSO6_sk98328.tgz

    5. Install the hotfix:

      [Expert@HostName]# ./fw1_wrapper_HOTFIX_NAME

      Note: The script will stop all Check Point services (cpstop) - read the output on the screen.

    6. Reboot the machine.


  • Hotfix installation instructions - Windows OS

    Contact Check Point Support for any assistance.

    1. The hotfix has to be installed on the Security Gateway / each cluster member.

    2. Download the relevant hotfix package:

      Platform R77.10
      Windows (EXE)


    3. Transfer the hotfix package to the machine (into some directory, e.g., C:\some_path_to_fix\).

    4. Install the hotfix:

      Right-click on the Check_Point_R77.10_Hotfix_Win_sk98328.exe file - click on 'Run as administrator'.

      Note: The installer will stop all Check Point services (cpstop) - read the output on the screen.

    5. Reboot the machine.


  • Hotfix uninstall instructions

    Contact Check Point Support for any assistance.

    1. The hotfix has to be uninstalled from the Security Gateway / each cluster member.

    2. Stop all Check Point services on the Security Gateway / each cluster member:

      • On Gaia / SecurePlatform / Linux / IPSO OS:

        [Expert@HostName]# cpstop

      • On Windows OS:

        Open Windows Command Prompt and run the cpstop command.


    3. Uninstall the hotfix:
      • On Gaia / SecurePlatform / Linux / IPSO OS:

        [Expert@HostName]# cd /opt/CPsuite-R77/
        [Expert@HostName]# ./uninstall_fw1_wrapper_HOTFIX_GULLI_HF_HA10_031

      • On Windows OS:

        1. Open Windows Control Panel.
        2. Select the Check Point R77.10_GULLI_HF_HA10_031.
        3. Click on 'Uninstall' button.


    4. Reboot the machine.
Applies To:
  • 01350837 , 01352695 , 01353620 , 01353766
