https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154650#M26243 <P>Maybe you can start from other way around. You can check what is LDAP query which firewall is sending. You can then be 100% sure if that answer from LDAP is correct or not. You will need to enable VPN debugs on the firewall and examine vpnd.elg file.</P> <P>Another option to confirm where is the problem is to use "ldapsearch" command to query needed user groups and see the answer from LDAP.</P> <P>Sometimes it is better to open vendor case and get official answer from the vendor in order to convince the other end that the issue is/ is not on their end <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sat, 06 Aug 2022 05:21:06 GMT JozkoMrkvicka 2022-08-06T05:21:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154636#M26237 <P>Hi,</P><P>we have configured an LDAP account unit with two server using port tcp 636. We need understand if the LDAP servers answer to our query with the correct user_group. We did a tcpdump (or fwmonitor) but all packets collected are encrypted.</P><P>Is it possibile decrypt them?</P><P>Let me know</P><P>Massimiliano</P> Fri, 05 Aug 2022 11:48:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154636#M26237 Massimiliano 2022-08-05T11:48:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154637#M26238 <P>Use WireShark:</P> <P><A href="https://ask.wireshark.org/question/2553/can-wireshark-decode-a-ldaps-conversation/" target="_blank" rel="noopener">https://ask.wireshark.org/question/2553/can-wireshark-decode-a-ldaps-conversation/</A></P> <P><A href="https://www.golinuxcloud.com/analyze-ldap-traffic-with-wireshark/#Decrypting_LDAP_traffic" target="_blank" rel="noopener">https://www.golinuxcloud.com/analyze-ldap-traffic-with-wireshark/#Decrypting_LDAP_traffic</A></P> Fri, 05 Aug 2022 13:09:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154637#M26238 G_W_Albrecht 2022-08-05T13:09:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154640#M26240 <P>Sorry, but how I can recover the <STRONG>keylog</STRONG> of the Security gateway? The LDAP connection is not between my pc and the LDAP server, but between FW and LDAP server.</P> Fri, 05 Aug 2022 12:48:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154640#M26240 Massimiliano 2022-08-05T12:48:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154641#M26241 <P>I think it would be much easier just to see LDAP logs</P> Fri, 05 Aug 2022 13:16:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154641#M26241 _Val_ 2022-08-05T13:16:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154642#M26242 <P>Yea, but from the log I saw the user_group "all_users"; so it seems that the LDAP server didn't send the correct user group. I need the packet capture, because the Microsoft guy (ower of the LDAP server) didn't saw any problem from his side. I need understand where is the issue and the logs is not enough.</P> Fri, 05 Aug 2022 13:21:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154642#M26242 Massimiliano 2022-08-05T13:21:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154650#M26243 <P>Maybe you can start from other way around. You can check what is LDAP query which firewall is sending. You can then be 100% sure if that answer from LDAP is correct or not. You will need to enable VPN debugs on the firewall and examine vpnd.elg file.</P> <P>Another option to confirm where is the problem is to use "ldapsearch" command to query needed user groups and see the answer from LDAP.</P> <P>Sometimes it is better to open vendor case and get official answer from the vendor in order to convince the other end that the issue is/ is not on their end <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sat, 06 Aug 2022 05:21:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-decrypt-LDAPs-packets-captured-with-tcpdump-or-fwmonitor/m-p/154650#M26243 JozkoMrkvicka 2022-08-06T05:21:06Z