marcyn
Collaborator

Smart-1 Cloud + VTI + LDAP

Hello CheckMates,

One of our Partners has an interesting issue with Smart-1 Cloud and LDAP.

He has a couple of SGs (Quantum and Quantum Spark).
He wants the SGs to see users, and because of that he used Identity Collector on AD.
Identity Collector collects login events and then sends them to the SGs. Everything is fine at this point.
But then, as we all know, the SG should connect to AD to get group associations for users.
At this point there is an issue, because this AD is located in AWS, and the connection between the SGs and AD is via VTI.

With this type of connection traffic hits implied rule - this one:
[Expert@CP-SMS:0]# grep LDAP /opt/CPsuite-R81.20/fw1/lib/implied_rules.def
#define ENABLE_LDAP_SERVER

And ... because of that it doesn't go encrypted to the VTI ... but instead it goes as clear text to the WAN interface.

There is a solution (also described in sk26059): a simple modification of the implied_rules.def file, commenting out the LDAP line and then creating your own rule in the explicit firewall policy.
Simple ... but not possible in Smart-1 Cloud, as the user doesn't have access to the CLI 🙂

TAC can modify this file, and we asked for this. The problem is gone ... but only for Quantum ... not for Quantum Edge (Spark).

Because of that we checked the implied_rules.def file on Spark. This line was not commented out, as if the modification of this file in Smart-1 Cloud had no impact on Sparks.
But ... we checked whether we can modify this file manually and whether a policy install would overwrite this change.
It looks like the file was not overwritten ... but even with the LDAP line commented out, traffic still goes as clear text to the WAN, instead of being encrypted and sent to the VTI.

Have you faced this issue?
Do you know how to deal with it?

--
Best
m.

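The change described above (comment out the LDAP define in implied_rules.def, then carry the LDAP traffic in an explicit rule), as an added example that is not part of the original post and is not Check Point's own tooling: a small POSIX shell helper that reports whether "#define ENABLE_LDAP_SERVER" is live in a .def file and, if so, wraps it in a C-style comment, keeping a backup. It is what an admin with CLI access on the management server would run; on Smart-1 Cloud, as the post says, only TAC can touch this file. The helper names and the miniature sample file are constructed for the demo; the script does not create the explicit rule or install policy, which still has to be done in the policy itself.

```shell
#!/bin/sh
# Added example, not from the thread and not Check Point tooling.
# Mirrors the sk26059-style change the post describes: comment out
# "#define ENABLE_LDAP_SERVER" in implied_rules.def so LDAP traffic stops
# matching the implied rule and can be matched by an explicit rule instead.
# Helper names are hypothetical; the sample .def content is constructed.
# Paths quoted in the thread: /opt/CPsuite-R81.20/fw1/lib/implied_rules.def
# (Gaia SMS) and /pfrm2.0/opt/fw1/lib/implied_rules.def (Spark).

# Report the state of the LDAP define in a .def file:
# "active" (live #define), "commented" (wrapped in /* */), or "absent".
ldap_define_state() {
    def="$1"
    if grep -q '^[[:space:]]*#define[[:space:]][[:space:]]*ENABLE_LDAP_SERVER[[:space:]]*$' "$def"; then
        echo active
    elif grep -q '/\*[[:space:]]*#define[[:space:]][[:space:]]*ENABLE_LDAP_SERVER[[:space:]]*\*/' "$def"; then
        echo commented
    else
        echo absent
    fi
}

# Comment out the define (idempotent). Keeps a timestamped backup and writes
# through a temp file so it works with both GNU and BSD sed (no "sed -i").
# Returns non-zero if the file does not end up in the "commented" state.
disable_ldap_implied_rule() {
    target="$1"
    [ "$(ldap_define_state "$target")" = active ] || return 0
    cp "$target" "$target.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sed 's|^[[:space:]]*\(#define[[:space:]][[:space:]]*ENABLE_LDAP_SERVER\)[[:space:]]*$|/* \1 */|' \
        "$target" > "$target.tmp" && mv "$target.tmp" "$target" || return 1
    [ "$(ldap_define_state "$target")" = commented ]
}

# Constructed miniature of implied_rules.def for the demo; the real file
# carries many more #define lines for other implied rules.
make_sample_def() {
    cat > "$1" <<'EOF'
/* constructed sample, not the real implied_rules.def */
#define ENABLE_LDAP_SERVER
#define SOME_OTHER_IMPLIED_RULE
EOF
}

# Stand-alone demo: state before and after, then clean up.
demo() {
    sample="${TMPDIR:-/tmp}/implied_rules.def.demo.$$"
    make_sample_def "$sample"
    echo "before: $(ldap_define_state "$sample")"
    disable_ldap_implied_rule "$sample"
    echo "after:  $(ldap_define_state "$sample")"
    grep -n 'ENABLE_LDAP_SERVER' "$sample"
    rm -f "$sample" "$sample".bak.*
}
demo
```

After the edit, the affected line reads "/* #define ENABLE_LDAP_SERVER */", the same form quoted later in the thread. Re-running the helper on an already-commented file is a no-op, so it is safe to use as a check after each policy install to see whether the file came back untouched.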
5 Replies
the_rock
Legend

Hey @marcyn 

I read your post very carefully and let me just make sure I'm not missing anything. You are saying TAC modified the implied_rules.def file on the S1C instance and that worked for the regular fw, but for the SMB appliance it does not work at the moment?

The file was modified locally on the SMB appliance, but no change? If so, would you mind just confirming what exactly was modified, and maybe sending the file if possible?

Best,

Andy

marcyn
Collaborator

Hi the_rock,

Exactly as you wrote.

But maybe I will clarify this a little bit.

1) In Smart-1 Cloud the user can modify a couple of .def files:
[screenshot: infport.png]

As you can see, no implied_rules.def ... unfortunately.

2) That's why only TAC can do it, because users don't have access to the CLI in the case of Smart-1 Cloud management.

3) If you take a look at what this file contains, you will notice that it contains a lot of "#define ..." lines, one of them being "#define ENABLE_LDAP_SERVER". With this entry, traffic goes as clear text to the WAN instead of being encrypted and sent into the VTI. So the only solution AFAIK is to comment out this line and make your own rule in the explicit firewall policy.
You can't just modify this file directly on the SG, because every policy install will overwrite it ... so it must be done directly on the SMS.

4) Unfortunately, after this change there is no impact on SMB devices; it looks like it only works for regular Quantum (normal Gaia).

5) Using the "try & check" method, we decided to see what happens if we manually modify the file /pfrm2.0/opt/fw1/lib/implied_rules.def on Spark (because it still has this #define ENABLE_LDAP_SERVER not commented out), i.e. whether this file is overwritten after a policy install or not ... And it looks like policy install does not overwrite this change, but it has no impact either...


I hope everything is clear now 🙂

--
Best
m.

the_rock
Legend

K, EVERYTHING is clear...EXCEPT point 5 🙂

So, just to make sure about the last point you made, is that line commented out or not at the moment?

Andy

marcyn
Collaborator

Of course it is commented out right now 😉

After TAC modified this file on Smart-1 Cloud by commenting out "#define ENABLE_LDAP_SERVER", once the admin does a policy install on the SG (full Gaia) this change is sent to the SGs, the file is modified in their configuration, and the problem is gone.

Unfortunately on SMB there is no change at all: the file implied_rules.def is not modified by the policy install and traffic to AD still goes as clear text.

Then we decided to modify this file manually to check whether, after doing this and then installing policy (from Smart-1 Cloud), the change would be overwritten or not. To our surprise it was not overwritten and we were "happy" ... but then we noticed that even with this line commented out, it didn't change anything ... traffic still goes as clear text to the WAN.

So it looks like this "hack" does not work for Spark ... for us.

And the question is what can be done on Sparks to deal with this "issue"?


So yes, right now the file implied_rules.def on Spark has "/* #define ENABLE_LDAP_SERVER */" ... but with or without this comment it behaves the same when we install policy.

--
Best
m.


the_rock
Legend

K, I think I have the FULL picture now 🙂

Not sure mate, sorry... the only other thing I can think of would be to check if there are any other LDAP lines in that file that could be commented out.

Best,

Andy
