topic Re: Disable implied rules for LDAP in Spark Firewall (SMB)

Disable implied rules for LDAP

mbeyerlein — Thu, 03 Jul 2025 12:43:46 GMT

Hi everybody,

We are facing the following issue:
We have a centrally managed Quantum Spark 1595 appliance (referred to as gw-smb) that is connected via cellular radio and uses a dynamic IP address. gw-smb is connected to our headquarters gateway (gw-main) via an IPSec VPN.

On gw-smb, we want to use Identity Awareness. Therefore, we reconfigured our Identity Collectors to send identities not only to gw-main, but also to gw-smb. According to the Identity Collectors, the connection to gw-smb was successfully established — so that part is working.

When the gateways receive an identity from the collector, they perform an LDAP query to the domain controllers defined in the LDAP Account Unit. There is no domain controller at the gw-smb location, so the gateway should use a domain controller at headquarters. However, whenever gw-smb performs an LDAP query, it does not use the IPSec tunnel.

I followed sk26059 to disable the implied rule for LDAP, but the traffic is still sent unencrypted. Then I enabled logging of informative implied rules as described in sk110218. I noticed that the implied rule "enable_ldap_queries" is still being used for the LDAP traffic.

To test whether the implied rule was removed, I added a remote domain controller to the LDAP Account Unit and tested the behavior on gw-main. When I commented out the LDAP server entry as described in sk26059, the traffic between gw-main and the remote domain controller was sent via the IPSec tunnel. When I reverted to the default settings, the traffic was sent directly. So sk26059 works for me on a non-SMB gateway.

I then searched CheckMates and found an article about changing implied_rules.def on locally managed SMBs. I modified the implied_rules.def file under the following paths:

/pfrm2.0/config1/fw1/lib/
/pfrm2.0/opt/fw1/lib/
$FWDIR/lib/

None of these changes worked, even after rebooting gw-smb. The traffic is still sent directly and not via the IPSec tunnel.

Interestingly, when I use telnet on gw-smb to connect to other ports on the domain controller, the connection is routed through the IPSec tunnel. So I assume the encryption domain is not the issue.

What else can I try, or what might I have overlooked?

System Information:

Security Management Server and gw-main: R81.20 Take 99
gw-smb: R81.10.10 (996002993)

Re: Disable implied rules for LDAP

the_rock — Sat, 05 Jul 2025 14:19:31 GMT

I was never big fan of disabling implied rules to begin with. They are there for a reason, but if you absolutely need to do it, I would consult with TAC.

Andy

Re: Disable implied rules for LDAP

Tal_Paz-Fridman — Sat, 05 Jul 2025 14:41:19 GMT

To ensure that LDAP queries on your Quantum Spark 1595 appliance (gw-smb) use the IPSec VPN, try disabling the implied rule for LDAP and creating an explicit rule.

1. Edit the Implied Rules Definition:
- Connect to the command line on your Security Management Server > Expert
- Backup the implied_rules.def file. Refer to sk92281 for guidance on creating customized implied rules.
- Edit the implied_rules.def file and search for the line `#define ENABLE_LDAP_SERVER`.
- Change this line to `/* #define ENABLE_LDAP_SERVER */` to comment it out.
- Save the changes.

2. Create Explicit Rules:
- In SmartConsole >Access Control policy > Define an explicit rule that allows LDAP traffic between the relevant Security Gateways and the LDAP servers.
- Ensure that the rule specifies the use of the IPSec VPN for this traffic.

3. Install the Security Policy:
- After defining the explicit rule, install the Security Policy on the relevant gateways.

4. Verify the Configuration:
- Enable logging for the rule to verify that LDAP traffic is now using the IPSec VPN.

If you continue to experience issues, consider checking the encryption domain configuration to ensure it includes the necessary networks.

Re: Disable implied rules for LDAP

the_rock — Sat, 05 Jul 2025 15:28:33 GMT

Perfect explanation @Tal_Paz-Fridman

Re: Disable implied rules for LDAP

mbeyerlein — Tue, 08 Jul 2025 12:17:50 GMT

I have followed your instructions and created an explicit rule for the LDAPS traffic. In the VPN column, I tried both the VPN Community and All_GwToGw. Unfortunately, the result is the same. Connections from the Quantum Spark 1595 appliance to the LDAPS port of the Domain Controllers are still sent outside the IPSec tunnel. On a "full Gaia" gateway, it works:

I will follow @the_rock's advice and consult with TAC.

Re: Disable implied rules for LDAP

the_rock — Tue, 08 Jul 2025 12:25:55 GMT

I would definitely do so.

Andy

Re: Disable implied rules for LDAP

mbeyerlein — Tue, 08 Jul 2025 14:34:27 GMT

I should have read the sk92281 more carefully. According to the Security Management Administrator Guide, I needed to edit the implied_rules.def file located at /opt/CPSFWR81CMP-R81.20/lib/implied_rules.def.

Re: Disable implied rules for LDAP

Dre_CyPe — Mon, 13 Apr 2026 09:04:04 GMT

Interestingly, we have a similar case at the moment, but on a gaia-gateway. LDAP-ssl that is initiated by a remote gateway does not enter the VPN-community to the main office (both are on R81.20 T60). A tcptraceroute to port 444 enters the VPN, to port 636 goes outside the VPN. So probably not the encryption domain. This is currently a blocking issue for the implementation of Identity Awareness.
Disabling the implied rule and create an explicit rule will most likely affect all other gateways.
Consult with TAC, I presume?

Re: Disable implied rules for LDAP

PhoneBoy — Mon, 13 Apr 2026 17:42:24 GMT

Anytime you mess with implied rules via .def files, there is a potential to impact other gateways.
The impact of this particular implied rule is to exclude TCP 636 from being encapsulated in IPsec traffic.
Unless one of your gateways actually relies on this traffic not going through the VPN, I don't see there being a negative impact to other gateways.