Hello CheckMates,
One of our Partners has interesting issue with Smart-1 Cloud and LDAP.
He has couple of SGs (Quantum and Quantum Spark).
He wants that SGs should see users - and because of that he used Identity Collector on AD.
Identity Collector collects login events and then sends them to SG - everything is fine at this point.
But then, as we all know, SG should connect to AD to get group associations for users.
At this point there is an issue, because this AD is located in AWS, and connection between SGs and AD is via VTI.
With this type of connection traffic hits implied rule - this one:
[Expert@CP-SMS:0]# grep LDAP /opt/CPsuite-R81.20/fw1/lib/implied_rules.def
#define ENABLE_LDAP_SERVER
And ... because of that it doesn't go encrypted to VTI ... but instead it goes as clear text to WAN interface.
There is a solution (that is also described in sk26059) - simple modification of implied_rules.def file by commenting LDAP line, and then create its own in explicit firewall.
Simple ... but not possible in Smart-1 Cloud as user doesn't have access to CLI 🙂
TAC can modify this file - and we asked for this - problem is gone.... but only for Quantum ... not for Quantum Edge (Spark).
Because of that we've checked implied_rules.def file in Spark - this line was not commented out - as if modification of this file in Smart-1 Cloud has no impact for Sparks.
But ... we've checked if we can modify this file manually and if policy install will not overwrite this change.
It looks like file was not overwritten ... but even if this line for LDAP is commented traffic still goes as clear text to WAN, instead of being encrypted and sent to VTI.
Did you faced this issue ?
Do you know how to deal with it ?
--
Best
m.