IA (Identity Awareness) can be a pain; here are some short notes that help with troubleshooting. Check in SmartLog that there is full access between the AD DC and the firewall gateway, because DCE-RPC uses dynamic high ports to communicate.
## Debug PDP on
pdp d s all all
## Debug PDP Off
pdp debug off
# Check logfile
tail -f $FWDIR/log/pdpd.elg
# Check if PDPD is running
ps aux | grep pdpd
# Try to restart it by killing, it will autorestart
killall pdpd
# Verify connectivity to AD (LDAP and WMI) that runs over DCE-RPC.
Solution Title: How to use test_ad_connectivity to troubleshoot AD Query connectivity.
Solution ID: sk100406
Solution Link: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100406
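As an added example (not from these notes or from Check Point), a small expert-mode shell check for the fixed TCP ports ADQ needs towards a Domain Controller (RPC endpoint mapper, LDAP, LDAPS); the DC address 10.0.0.5 in the usage comment is a placeholder, and it only uses bash's /dev/tcp so nothing extra has to be installed on the gateway.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes.
# ADQ talks LDAP (389/636) and WMI over DCE-RPC: endpoint mapper on 135
# plus a dynamic high port (49152-65535 by default on Windows 2008+).
# A closed-port check can only cover the fixed ports; whether the
# dynamic range is allowed through the policy is what SmartLog shows.

# check_tcp HOST PORT -> 0 if a TCP connect succeeds, 1 otherwise.
# Runs the /dev/tcp open inside bash so it also works when sourced from sh.
# A filtered port waits for the TCP connect timeout; wrap in `timeout 3`
# if that command is available.
check_tcp() {
  bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# dc_ports_report HOST -> prints one line per port and returns the number
# of ports that could not be reached (0 = all reachable).
dc_ports_report() {
  host=$1
  failed=0
  for spec in 135:rpc-epmap 389:ldap 636:ldaps; do
    port=${spec%%:*}
    name=${spec#*:}
    if check_tcp "$host" "$port"; then
      printf '%-10s %5s  open\n' "$name" "$port"
    else
      printf '%-10s %5s  CLOSED/filtered\n' "$name" "$port"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage on the gateway (expert mode), DC address is a placeholder:
#   dc_ports_report 10.0.0.5
```

Run it from the gateway itself so the check crosses the same policy the pdpd daemon does; a CLOSED/filtered line for 135 means the WMI part of ADQ cannot even start.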
# Check pdp
pdp connections pep
# check pep
pep s pdp a
# View and control the AD Query (ADQ) status.
adlog a dc - Displays a table specifying which Domain Controllers this Security Gateway is connected to, their connectivity status and the number of events fetched in the last hour
adlog a query all - (or 'adlog a q a' for short) - Displays all of the identity information currently known by AD Query (ADQ)
If this shows an error, kill pdpd and verify that it restarts (see above).
adlog a query ip 1.1.1.1 - (or 'adlog a q i 1.1.1.1' for short) - Displays the information currently known for 1.1.1.1