mbeyerlein
Participant

Disable implied rules for LDAP

Hi everybody,

We are facing the following issue:
We have a centrally managed Quantum Spark 1595 appliance (referred to as gw-smb) that is connected via cellular radio and uses a dynamic IP address. gw-smb is connected to our headquarters gateway (gw-main) via an IPSec VPN.

On gw-smb, we want to use Identity Awareness. Therefore, we reconfigured our Identity Collectors to send identities not only to gw-main, but also to gw-smb. According to the Identity Collectors, the connection to gw-smb was successfully established — so that part is working.

When the gateways receive an identity from the collector, they perform an LDAP query to the domain controllers defined in the LDAP Account Unit. There is no domain controller at the gw-smb location, so the gateway should use a domain controller at headquarters. However, whenever gw-smb performs an LDAP query, it does not use the IPSec tunnel.

I followed sk26059 to disable the implied rule for LDAP, but the traffic is still sent unencrypted. Then I enabled logging of informative implied rules as described in sk110218. I noticed that the implied rule "enable_ldap_queries" is still being used for the LDAP traffic.

To test whether the implied rule was removed, I added a remote domain controller to the LDAP Account Unit and tested the behavior on gw-main. When I commented out the LDAP server entry as described in sk26059, the traffic between gw-main and the remote domain controller was sent via the IPSec tunnel. When I reverted to the default settings, the traffic was sent directly. So sk26059 works for me on a non-SMB gateway.

[image: ldap-ssl-vpn-encrypted.png]

I then searched CheckMates and found an article about changing implied_rules.def on locally managed SMBs. I modified the implied_rules.def file under the following paths:

  • /pfrm2.0/config1/fw1/lib/
  • /pfrm2.0/opt/fw1/lib/
  • $FWDIR/lib/

None of these changes worked, even after rebooting gw-smb. The traffic is still sent directly and not via the IPSec tunnel.

[image: ldap-ssl-direct.png]

Interestingly, when I use telnet on gw-smb to connect to other ports on the domain controller, the connection is routed through the IPSec tunnel. So I assume the encryption domain is not the issue.

What else can I try, or what might I have overlooked?


System Information:

  • Security Management Server and gw-main: R81.20 Take 99
  • gw-smb: R81.10.10 (996002993)

Accepted Solutions
Tal_Paz-Fridman
MVP Silver CHKP

To ensure that LDAP queries on your Quantum Spark 1595 appliance (gw-smb) use the IPSec VPN, try disabling the implied rule for LDAP and creating an explicit rule.

1. Edit the Implied Rules Definition:
- Connect to the command line on your Security Management Server > Expert
- Back up the implied_rules.def file. Refer to sk92281 for guidance on creating customized implied rules.
- Edit the implied_rules.def file and search for the line `#define ENABLE_LDAP_SERVER`.
- Change this line to `/* #define ENABLE_LDAP_SERVER */` to comment it out.
- Save the changes.

2. Create Explicit Rules:
- In SmartConsole > Access Control policy > Define an explicit rule that allows LDAP traffic between the relevant Security Gateways and the LDAP servers.
- Ensure that the rule specifies the use of the IPSec VPN for this traffic.

3. Install the Security Policy:
- After defining the explicit rule, install the Security Policy on the relevant gateways.

4. Verify the Configuration:
- Enable logging for the rule to verify that LDAP traffic is now using the IPSec VPN.

If you continue to experience issues, consider checking the encryption domain configuration to ensure it includes the necessary networks.


6 Replies
the_rock
MVP Gold

I was never a big fan of disabling implied rules to begin with. They are there for a reason, but if you absolutely need to do it, I would consult with TAC.

Andy


the_rock
MVP Gold

Perfect explanation @Tal_Paz-Fridman 

mbeyerlein
Participant

I have followed your instructions and created an explicit rule for the LDAPS traffic. In the VPN column, I tried both the VPN Community and All_GwToGw. Unfortunately, the result is the same. Connections from the Quantum Spark 1595 appliance to the LDAPS port of the Domain Controllers are still sent outside the IPSec tunnel. On a "full Gaia" gateway, it works:

[image: ldap-ssl-log.png]

I will follow @the_rock's advice and consult with TAC.

the_rock
MVP Gold

I would definitely do so.

Andy

mbeyerlein
Participant

I should have read sk92281 more carefully. According to the Security Management Administrator Guide, I needed to edit the implied_rules.def file located at /opt/CPSFWR81CMP-R81.20/lib/implied_rules.def.

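The implied_rules.def edit from the accepted answer, together with the point from the last post that the copy which matters for a gateway on an older version than its management server lives under the compatibility package directory, as an added shell example. This is not code from the thread, from Check Point, or from any SK; it assumes the file carries a C-style `#define ENABLE_LDAP_SERVER` line exactly as the answer quotes it, and the directory tree and sample file in the demo are constructed for illustration only.

```shell
#!/bin/bash
# Added example, not from the thread or from Check Point. Helpers for the
# implied_rules.def edit in the accepted answer (sk26059 / sk92281) and for
# locating the copy that applies to a gateway on an older version than the
# management server (the /opt/CPSFWR81CMP-R81.20/lib/ copy in the OP's case).
# Assumed: the file holds a C-style "#define ENABLE_LDAP_SERVER" line exactly
# as the answer quotes it. The roots and the sample file in demo() are
# constructed for this example, not real Check Point content.

# Print every implied_rules.def below ROOT, one per line. Running this as
# "find_implied_rules_defs /opt" on the management server lists the native
# copy and any compatibility-package copy side by side.
find_implied_rules_defs() {
    find "$1" -type f -name implied_rules.def 2>/dev/null | sort
}

# Exit status 0 if FILE still has an uncommented "#define ENABLE_LDAP_SERVER"
# line, i.e. the LDAP implied rule is still enabled in that definition file.
ldap_implied_rule_enabled() {
    grep -Eq '^[[:space:]]*#define[[:space:]]+ENABLE_LDAP_SERVER([[:space:]]|$)' "$1"
}

# Wrap the define in /* */ in place, after taking a timestamped backup.
# Idempotent: prints "changed" on the first run, "already-disabled" after.
disable_ldap_implied_rule() {
    local f="$1"
    if ! ldap_implied_rule_enabled "$f"; then
        echo "already-disabled"
        return 0
    fi
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    sed -E 's|^([[:space:]]*)(#define[[:space:]]+ENABLE_LDAP_SERVER([[:space:]].*)?)$|\1/* \2 */|' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    echo "changed"
}

# Show the line(s) mentioning the define, with line numbers, for a quick
# eyeball check before installing policy.
show_ldap_define() {
    grep -n 'ENABLE_LDAP_SERVER' "$1"
}

# Demo on a constructed directory tree; run the script with "--demo".
demo() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/CPSFWR81CMP-R81.20/lib" "$root/CPsuite-R81.20/fw1/lib"
    # Constructed sample content, not a real implied_rules.def.
    printf '%s\n' '/* constructed sample, not a real implied_rules.def */' \
        '#define ENABLE_LDAP_SERVER' '#define ENABLE_OTHER_RULE' \
        | tee "$root/CPSFWR81CMP-R81.20/lib/implied_rules.def" \
        > "$root/CPsuite-R81.20/fw1/lib/implied_rules.def"
    find_implied_rules_defs "$root" | while read -r f; do
        echo "== $f"
        disable_ldap_implied_rule "$f"
        show_ldap_define "$f"
    done
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The check function is deliberately separate from the edit so it can be run before and after policy installation on each candidate file; the backup keeps the original define available for the revert the OP used to confirm the behaviour on gw-main. After the edit, the explicit LDAP rule and a policy install are still required, as the accepted answer describes.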
