Re: CRL Download via LDAP with HTTP-Proxy

Andre91 · ‎2023-12-13

Hey Check Point team and community,

we set up our http(s)-proxy on our clusterXL. Now we have the following problem:

One of our endpoints wants to download crl-lists via ldap. He connects with the proxy-service on the checkpoint and gets dropped.

We added an access-role with service/application "Certificate Revocation List" and even added port tcp/389 to the application but the rule doesn´t get a hit.

A further rule with ldap in service/application-column doesn´t get a hit. just the drop rule matches.

How can I get this to work?

Thanks and best regards

Chris_Atkinson · ‎2023-12-13

Non web traffic wouldn't typically reference the check point proxy unless routed toward it via a default route.

What does the drop log tell you about why the traffic isn't matching?

CCSM R77/R80/ELITE

Andre91 · ‎2023-12-13

Hey @Chris_Atkinson and thanks for the quick reply.

We have multiple sublayers configured. If a source matches, it gets a layer deeper and goes over the allow-rules till it gets dropped. In this case I get two log-records for the drop-rule. One with blade url-filtering, one with firewall.

I try to send you the screenshot via private chat.

Regards

Chris_Atkinson · ‎2023-12-13

Replied to your message.

CCSM R77/R80/ELITE

Are you a member of CheckMates?

CRL Download via LDAP with HTTP-Proxy