topic Re: CRL Download via LDAP with HTTP-Proxy in Firewall and Security Management

CRL Download via LDAP with HTTP-Proxy

Andre91 — Wed, 13 Dec 2023 10:02:39 GMT

Hey Check Point team and community,

we set up our http(s)-proxy on our clusterXL. Now we have the following problem:

One of our endpoints wants to download crl-lists via ldap. He connects with the proxy-service on the checkpoint and gets dropped.

We added an access-role with service/application "Certificate Revocation List" and even added port tcp/389 to the application but the rule doesn´t get a hit.

A further rule with ldap in service/application-column doesn´t get a hit. just the drop rule matches.

How can I get this to work?

Thanks and best regards

Re: CRL Download via LDAP with HTTP-Proxy

Chris_Atkinson — Wed, 13 Dec 2023 10:09:14 GMT

Non web traffic wouldn't typically reference the check point proxy unless routed toward it via a default route.

What does the drop log tell you about why the traffic isn't matching?

Re: CRL Download via LDAP with HTTP-Proxy

Andre91 — Wed, 13 Dec 2023 10:27:54 GMT

Hey @Chris_Atkinson and thanks for the quick reply.

We have multiple sublayers configured. If a source matches, it gets a layer deeper and goes over the allow-rules till it gets dropped. In this case I get two log-records for the drop-rule. One with blade url-filtering, one with firewall.

I try to send you the screenshot via private chat.

Regards

Re: CRL Download via LDAP with HTTP-Proxy

Chris_Atkinson — Wed, 13 Dec 2023 12:09:14 GMT

Replied to your message.