- Products
- Learn
- Local User Groups
- Partners
- More
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hi everybody,
We are facing the following issue:
We have a centrally managed Quantum Spark 1595 appliance (referred to as gw-smb) that is connected via cellular radio and uses a dynamic IP address. gw-smb is connected to our headquarters gateway (gw-main) via an IPSec VPN.
On gw-smb, we want to use Identity Awareness. Therefore, we reconfigured our Identity Collectors to send identities not only to gw-main, but also to gw-smb. According to the Identity Collectors, the connection to gw-smb was successfully established — so that part is working.
When the gateways receive an identity from the collector, they perform an LDAP query to the domain controllers defined in the LDAP Account Unit. There is no domain controller at the gw-smb location, so the gateway should use a domain controller at headquarters. However, whenever gw-smb performs an LDAP query, it does not use the IPSec tunnel.
I followed sk26059 to disable the implied rule for LDAP, but the traffic is still sent unencrypted. Then I enabled logging of informative implied rules as described in sk110218. I noticed that the implied rule "enable_ldap_queries" is still being used for the LDAP traffic.
To test whether the implied rule was removed, I added a remote domain controller to the LDAP Account Unit and tested the behavior on gw-main. When I commented out the LDAP server entry as described in sk26059, the traffic between gw-main and the remote domain controller was sent via the IPSec tunnel. When I reverted to the default settings, the traffic was sent directly. So sk26059 works for me on a non-SMB gateway.
I then searched CheckMates and found an article about changing implied_rules.def on locally managed SMBs. I modified the implied_rules.def file under the following paths:
- /pfrm2.0/config1/fw1/lib/
- /pfrm2.0/opt/fw1/lib/
- $FWDIR/lib/
None of these changes worked, even after rebooting gw-smb. The traffic is still sent directly and not via the IPSec tunnel.
Interestingly, when I use telnet on gw-smb to connect to other ports on the domain controller, the connection is routed through the IPSec tunnel. So I assume the encryption domain is not the issue.
What else can I try, or what might I have overlooked?
System Information:
- Security Management Server and gw-main: R81.20 Take 99
- gw-smb: R81.10.10 (996002993)
1 Solution
Accepted Solutions
I have followed your instructions and created an explicit rule for the LDAPS traffic. In the VPN column, I tried both the VPN Community and All_GwToGw. Unfortunately, the result is the same. Connections from the Quantum Spark 1595 appliance to the LDAPS port of the Domain Controllers are still sent outside the IPSec tunnel. On a "full Gaia" gateway, it works:
I will follow @the_rock's advice and consult with TAC.
Fri 12 Dec 2025 @ 10:00 AM (CET)
Check Mates Live Netherlands: #41 AI & Multi Context ProtocolTue 16 Dec 2025 @ 05:00 PM (CET)
Under the Hood: CloudGuard Network Security for Oracle Cloud - Config and Autoscaling!Fri 12 Dec 2025 @ 10:00 AM (CET)
Check Mates Live Netherlands: #41 AI & Multi Context ProtocolTue 16 Dec 2025 @ 05:00 PM (CET)
Under the Hood: CloudGuard Network Security for Oracle Cloud - Config and Autoscaling!Thu 18 Dec 2025 @ 10:00 AM (CET)
Cloud Architect Series - Building a Hybrid Mesh Security Strategy across clouds