topic Re: Global Domain Install database in Firewall and Security Management

Global Domain Install database

Maarten_Sjouw — Tue, 22 Oct 2019 08:24:47 GMT

I'm currently working on getting the AD authentication working on our MDS and I have been able to setup the AD LDAP account unit in our Global domain.

However the connection is not working the way it should, when I try to change anything in the account unit, I can Publish the changes but in the end I know it does not take any effect. There was a mentioning that the Install Database was automatic when you close the SmartConsole to the Global domain, however this also does not seem to work.

Example of a change was to change the access to the AD servers from plain LDAP (389) to LDAPS (636). Using tcpdump to see what was sent to the AD server revealed in before and after traces that 389 was used all the time. Not even an attempt to use 636 instead.

Anybody any Ideas?

Re: Global Domain Install database

PhoneBoy — Thu, 24 Oct 2019 17:05:24 GMT

Going to ask a dumb question here: can you do an Install Database manually in the Global Domain?

Re: Global Domain Install database

Maarten_Sjouw — Thu, 24 Oct 2019 21:31:29 GMT

I wish I could, that would instantly solve issue, the problem also goes for globally installed SmartEvent servers, there I know it works by closing the Smartconsole.
However for AD configuration that just does not work.

Re: Global Domain Install database

PhoneBoy — Fri, 25 Oct 2019 01:39:04 GMT

Is there just no GUI option for it?
What about fwm dbload on the CLI?

Re: Global Domain Install database

Maarten_Sjouw — Fri, 25 Oct 2019 05:26:07 GMT

Indeed there is no GUI option in the Global domain. Never tried the cli command, it's worth a try.

Re: Global Domain Install database

Kaspars_Zibarts — Wed, 06 Nov 2019 22:16:12 GMT

All I remember is that we tried to use AD LDAP account unit created in Global domain in local domains for IA but it never worked and there was a thread somewhere here about it.. can't find it anymore

Re: Global Domain Install database

CheckPointerXL — Tue, 04 Jun 2024 19:55:20 GMT

hello Zib

is this limitation still valid? i'm tying to do same thing, but i got:

An error was detected while trying to authenticate against the AD server.
It may be a problem of bad configuration or connectivity.
Please refer to the troubleshooting guide for more help

same LDAP AU configured locally, instead, it works

Re: Global Domain Install database

Kaspars_Zibarts — Wed, 05 Jun 2024 05:22:16 GMT

I'm afraid I have left my last employer and have no ability to confirm 100% but I doubt that you can connect from Global Domain. You should wait till Q3 when big news are coming regarding IA. @Royi_Priov are there any public materials available already now about those? I don't want to steal the thunder 🙂

Re: Global Domain Install database

CheckPointerXL — Wed, 05 Jun 2024 05:29:10 GMT

thanks or your reply!

my question of course is, what is useful global LDAP AU for? it seems they cannot work properly..

anyway, from logs, i can see that FW queries by LDAP the AD inside the Global LDAP AU, but no answer....

Re: Global Domain Install database

Kaspars_Zibarts — Wed, 05 Jun 2024 06:22:11 GMT

Discussion here is about using Global Domain within CP Multi Domain Management environment. Seems like you are mixing it up with AD AU?

If you are using MDM to manage large single organisation, than ability to use Global Domain would remove the need to connect every single management domain (aka CMA) to AD separately.

Re: Global Domain Install database

CheckPointerXL — Wed, 05 Jun 2024 13:35:35 GMT

ok sorry for the wrong thread

anyway the goal here is to use Global LDAP AU from FW to perform the ldap queries to AD, and this is what is not working here

TAC Case just opened