Hi everybody,
We are facing the following issue:
We have a centrally managed Quantum Spark 1595 appliance (referred to as gw-smb) that is connected via cellular radio and uses a dynamic IP address. gw-smb is connected to our headquarters gateway (gw-main) via an IPSec VPN.
On gw-smb, we want to use Identity Awareness. Therefore, we reconfigured our Identity Collectors to send identities not only to gw-main, but also to gw-smb. According to the Identity Collectors, the connection to gw-smb was successfully established — so that part is working.
When the gateways receive an identity from the collector, they perform an LDAP query to the domain controllers defined in the LDAP Account Unit. There is no domain controller at the gw-smb location, so the gateway should use a domain controller at headquarters. However, whenever gw-smb performs an LDAP query, it does not use the IPSec tunnel.
I followed sk26059 to disable the implied rule for LDAP, but the traffic is still sent unencrypted. Then I enabled logging of informative implied rules as described in sk110218. I noticed that the implied rule "enable_ldap_queries" is still being used for the LDAP traffic.
To test whether the implied rule was removed, I added a remote domain controller to the LDAP Account Unit and tested the behavior on gw-main. When I commented out the LDAP server entry as described in sk26059, the traffic between gw-main and the remote domain controller was sent via the IPSec tunnel. When I reverted to the default settings, the traffic was sent directly. So sk26059 works for me on a non-SMB gateway.
I then searched CheckMates and found an article about changing implied_rules.def on locally managed SMBs. I modified the implied_rules.def file under the following paths:
- /pfrm2.0/config1/fw1/lib/
- /pfrm2.0/opt/fw1/lib/
- $FWDIR/lib/
None of these changes worked, even after rebooting gw-smb. The traffic is still sent directly and not via the IPSec tunnel.
Interestingly, when I use telnet on gw-smb to connect to other ports on the domain controller, the connection is routed through the IPSec tunnel. So I assume the encryption domain is not the issue.
What else can I try, or what might I have overlooked?
System Information:
- Security Management Server and gw-main: R81.20 Take 99
- gw-smb: R81.10.10 (996002993)
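Once informative implied-rule logging is enabled (as done above via sk110218), the check a practitioner wants is a quick sweep of the gateway's log export for LDAP queries to headquarters domain controllers that left the gateway without being encrypted, and which rule matched them. The script below is an added example written for this post; it is not code from the original post, from CheckMates or from Check Point. The key=value record layout and field names (`src`, `dst`, `dport`, `rule`, `action`) are a simplified, constructed format assumed for the example, not the real Check Point log schema, so the parser would need adapting to an actual export. The sample records and the remote DC network 10.20.0.0/16 are likewise constructed.

```python
"""Flag LDAP queries to remote domain controllers that bypassed the VPN tunnel.

Added example: the log format below is a constructed, simplified key=value layout,
not the real Check Point log schema. Adapt parse_record() to a real export.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Ports an AD domain controller answers LDAP on:
# LDAP, LDAPS, Global Catalog, Global Catalog over TLS.
LDAP_PORTS = {389, 636, 3268, 3269}

# Constructed sample records (assumed format). src is the branch gateway,
# 10.20.0.0/16 is the constructed headquarters network, 10.50.1.0/24 the branch.
SAMPLE_LOG = """\
time=2024-01-01T08:00:01 src=10.50.1.1 dst=10.20.0.10 dport=389 rule=enable_ldap_queries action=accept
time=2024-01-01T08:00:02 src=10.50.1.1 dst=10.20.0.10 dport=445 rule=vpn_to_hq action=encrypt
time=2024-01-01T08:00:03 src=10.50.1.1 dst=10.20.0.10 dport=636 rule=enable_ldap_queries action=accept
time=2024-01-01T08:00:04 src=10.50.1.1 dst=10.20.0.11 dport=389 rule=vpn_to_hq action=encrypt
time=2024-01-01T08:00:05 src=10.50.1.1 dst=10.50.1.20 dport=389 rule=enable_ldap_queries action=accept
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    time: str
    dst: str
    dport: int
    rule: str


def parse_record(line):
    """Split one key=value record into a dict (assumed format, see module docstring)."""
    return dict(FIELD_RE.findall(line))


def find_cleartext_ldap(log_text, remote_dc_networks):
    """Return LDAP-port connections to a remote DC network whose action was not 'encrypt'.

    Traffic to DCs inside the local networks is out of scope: only queries that
    should have traversed the site-to-site tunnel are reported.
    """
    nets = [ipaddress.ip_network(n) for n in remote_dc_networks]
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue  # blank or unparseable line
        try:
            dport = int(rec.get("dport", -1))
            dst = ipaddress.ip_address(rec["dst"])
        except (ValueError, KeyError):
            continue  # malformed record: skip rather than crash the sweep
        if dport not in LDAP_PORTS:
            continue
        if not any(dst in net for net in nets):
            continue  # local DC, tunnel not expected
        if rec.get("action", "").lower() == "encrypt":
            continue  # went through the VPN as intended
        findings.append(Finding(rec.get("time", ""), str(dst), dport, rec.get("rule", "")))
    return findings


def rules_behind_findings(findings):
    """Count which rule admitted each cleartext query, so an implied rule stands out."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    hits = find_cleartext_ldap(SAMPLE_LOG, ["10.20.0.0/16"])
    for h in hits:
        print(f"{h.time} cleartext LDAP to {h.dst}:{h.dport} via rule '{h.rule}'")
    print("by rule:", dict(rules_behind_findings(hits)))
```

Running the block against the constructed records reports the two port 389/636 queries that hit `enable_ldap_queries` with a plain accept, while the SMB connection and the second DC's query (both encrypted) and the query to a local-subnet DC are left out. On a real export the rule counter is the useful part: if cleartext LDAP to headquarters keeps attributing to the implied rule after the implied_rules.def edit, the edited file is not the one the gateway loaded.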