Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Access Rule - LDAP groups not working

Access Rule - LDAP groups not working

Inherited this setup from previous admin.

---

FW Setup

Have SW TZ500, FW = SonicOS Enhanced 6.5.4.9-93n

Setup 2 LDAP servers connections to 2 eDir servers

 - all 3 test pass and show correct info reading from eDir

Imported LDAP certain groups from eDir

Setup SSO with Directory connector to auth against 2 eDir servers

 - all 2 tests pass and show correct info reading from eDir

Under Users, Status

Can see User name, IP, Auth:SSO and the LDAP group user belongs to


create FW access Rule

 - LAN to WAN. action = allow

 - Source port = any, service = any, source = X0 Subnet (the LAN), destination = address object group, Users included = LDAP group 1, users excluded = none, schedule = on

create another FW rule for LDAP group 2

---

Issue description

If FW access rule with LDAP group 1 is a higher priority then LDAP group 2 then users in LDAP group 1 are allowed out BUT LDAP group 2 users are denied.

If FW access rule with LDAP group 2 is a higher priority then LDAP group 1 then users in LDAP group 2 are allowed out BUT LDAP group 1 users are denied.

Priority is set to auto

If priority is manually changed the access rules still allow the lower priority out and deny the higher higher priority

This access rule issue seems to only affect the LDAP groups, doesn't affect other rules with non LDAP groups.

---

What could the issue be? Suggestions?, Comments? Guesses?

Category: Entry Level Firewalls
Reply

Answers

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    Nest your LDAP Groups in local groups, or use the Users Excluded option...

  • Kevin_VerbeekKevin_Verbeek Newbie ✭


    I think I have solved the issue. Changed all the LAN-WAN rules from 'manual' priority to 'auto' priority and also the WAN-LAN rules from 'manual' priority to 'auto' priority. This lets the SW TZ500 sort out the order of the access rules. Seems to be working now. The access rules let the LDAP groups out according the assigned LDAP groups from eDir with their assigned sites. And lets the systems out to the internet which are not part of an LDAP group but have a access rule just for them.

    The TZ500 put the LDAP group access rules as a lower priority then other rules.

    So far all people are allowed to their allowed sites.

    ---

    However, 1 LDAP group is lower then the other LDAP groups and is allowed to internet browse except to some sites - really odd.

    If this 1 LDAP group is manually put just above the other LDAP groups then they can fully internet browse to their sites and all the other LDAP groups can full browse too -- odd but it works.

    I'm trying to see what logic the auto priority uses to position the rule. Can't see any, alphabet - no? other criteria?

    Thanks for your suggestion.

  • Kevin_VerbeekKevin_Verbeek Newbie ✭

    Further update on this issue

    Wondering if you can help with an TZ500 Firewall access rule issue.

    We have several LDAP groups and each group is assigned certain sites they can browse to. - one site is google maps - which is the problem site.

    If I set all the FW rules with auto priority (LAn TO wan), then LDAP group 1 is put below some of the other LDAP groups and cannot surf to the google maps site with an error of

    'This site can’t be reached'

    & 'maps.google.com refused to connect.'

    & the TZ500 Packet monitor shows a dropped connection with the reason of

    ---

    Ethernet Header

    Ether Type: IP(0x800), Src=[d8:cb:8a:cf:f1:42], Dst=[1a:b1:69:77:d5:10]

    IP Packet Header

    IP Type: TCP(0x6), Src=[172.16.150.6], Dst=[142.250.217.110]

    TCP Packet Header

    TCP Flags = [SYN,], Src=[53082], Dst=[80], Checksum=0x615b

    Application Header

    HTTP

    Value:[1]

    DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2251_rqnke{Ejgem) 2:2)

    --

    I have allowed the google IP network of 142.250.0.0/255.254.0.0 out.

    google.com, google.ca, maps.google.ca, maps.google.com are all allowed

    The TZ500 has no content filter license - therefore no content policies are being use/looked at/enforced - right?


    But the other LDAP groups can surf to this site (or at least 1 that I'm using as a test).


    *************

    If I set LDAP group 1 FW rule priority to manual just above the other LDAP group rules, then LDAP group 1 can surf to google maps but the other LDAP groups cannot. - with the same drop code.


    ***

    About getting to google maps;

    The user really clicks on a map icon within an app, which opens up the browser to the google maps site with a url of

    http://maps.google.com/maps?q=54.459169,+-110.231827

    which google receives and changes to

    https://www.google.com/maps/place/54%C2%B027'33.0%22N+110%C2%B013'54.6%22W/@54.459169,-110.2340157,17z/data=!3m1!4b1!4m5!3m4!1s0x0:0x911f11c2b5fcf0b4!8m2!3d54.459169!4d-110.231827

    - notice the http://maps.google.com changes to https://www.google.com

    ***

    ALSO: If the user receives the browser error of

    'This site can’t be reached'

    & 'maps.google.com refused to connect.'

    with the url of

    http://maps.google.com/maps?q=54.459169,+-110.231827

    & manually change the url form http to https to

    https://maps.google.com/maps?q=54.459169,+-110.231827

    then the FW does not block/drop the session and allows this session for google changes the url to

    https://www.google.com/maps/place/54%C2%B027'33.0%22N+110%C2%B013'54.6%22W/@54.459169,-110.2340157,17z/data=!3m1!4b1!4m5!3m4!1s0x0:0x911f11c2b5fcf0b4!8m2!3d54.459169!4d-110.231827

    and can view the google map.

    ***

    I trust this makes sense.

    Hope you can help.

    Would be great to see the rules applies to the session to see which rules are being check and which rule is dropping the session.

    And, the drop code state a policy not a rule. - is it a policy or a rule that drops the session?

    Also, I'm trying to see what logic the auto priority uses to position the rule. Can't see any, alphabet - no? other criteria?

    Thanks for your help in this matter.

  • MitatOngeMitatOnge Cybersecurity Overlord ✭✭✭

    could you show access rules screen shot and check all access rule filter cleared. default and customize rules.

  • Kevin_VerbeekKevin_Verbeek Newbie ✭

    Screen shot of LAN to WAN FW Access Rules

    FW Access rule PG 1

    FW Access rule PG2 - Manual priority to above the other LDAP groups

    LDAP Group-Internet-OCC1 allowed to browse, LDAP group Group-Internet-Corporate2 not allowed

    Its rule # 28 Group-Internet-OCC1 Auto priority to belowthe other LDAP groups

    LDAP Group-Internet-Corporate2 allowed to browse, LDAP group Group-Internet-OCC1 not allowed

    I trust this helps

  • MitatOngeMitatOnge Cybersecurity Overlord ✭✭✭

    Could you set to X0 Subnet to Any ?

    check user default groups. because some users have a lots of group membership and sonicwall checks default group membership. apply all security policies for default groups rules.

  • Kevin_VerbeekKevin_Verbeek Newbie ✭

    Thanks for the suggestion

    For each LDAP group FW rule, I change the source from 'X0 Subnet' to 'Any'. The SW changed all the LDAP group FW rule priority from Auto to Manual, change them all back to Auto, Still the same issue of the 1 LDAP group receive the browser error of 'This site can’t be reached' when going to http://maps.google.com. Then changed the 1 LDAP group priority to Manual above the other LDAP groups, and That group can browse to google maps via the app button.

    ---

    LDAP groups set to Auto priority & source to Any.

    LDAP Group-Internet-Corporate2 allowed to browse, LDAP group Group-Internet-OCC1 not allowed

    LDAP Group-Internet-OCC1 priority set to manual above the other LDAP groups

    LDAP Group-Internet-OCC1 allowed to browse, LDAP group Group-Internet-Corporate2 not allowed

    ---

    As for the users default group membership (= default LDAP group membership). So the user belongs to several groups within eDir, but only 1 group is imported to the SW, the Group-Internet-xxx groups and the users only belong to 1 Group-Internet-xxx group, so this means the SW with its SSO auth finds the user with only 1 LDAP group defined. (eDir doesn't have a default group setting)


    ---

    Also I have another issue with changing 1 LDAP group, changing the source from 'X0 Subnet' to Any, I receive an 'Error:Policy Action: Rule overlap, rule not added.'. Yet this is the only rule with this LDAP group. I'll address this in another question.


  • Kevin_VerbeekKevin_Verbeek Newbie ✭

    A bit more information


    Had another user belonging to another LDAP group. Received an email to goto one of their allowed sites but was refused with the error of 'This site can’t be reached' . The link in the email was to http://eml-trck.pb.com. The site should see the http request and change it (rewrite it/ redirect it/whatever) to the https://eml-trck.pb.com site, but it did not. Manually changed the url from http to https and all is well for user and can fully browse the site.


    Are we looking at the wrong area to fix, since this issue of going to the http site and the FW drops the packets for some reason and not allowing the url site (rewrite it/ redirect it) rules to change the url ??

    What do you think.

  • MitatOngeMitatOnge Cybersecurity Overlord ✭✭✭

    could you disable all rules and step by step set to enable.

  • Kevin_VerbeekKevin_Verbeek Newbie ✭

    Done this step and made no difference.

Sign In or Register to comment.