Access Rule - LDAP groups not working
Inherited this setup from previous admin.
---
FW Setup
Have SW TZ500, FW = SonicOS Enhanced 6.5.4.9-93n
Set up 2 LDAP server connections to 2 eDir servers
- all 3 tests pass and show correct info reading from eDir
Imported certain LDAP groups from eDir
Set up SSO with Directory Connector to auth against 2 eDir servers
- both tests pass and show correct info reading from eDir
Under Users, Status
Can see User name, IP, Auth:SSO and the LDAP group user belongs to
Create FW access rule
- LAN to WAN. action = allow
- Source port = any, service = any, source = X0 Subnet (the LAN), destination = address object group, Users included = LDAP group 1, users excluded = none, schedule = on
Create another FW rule for LDAP group 2
---
Issue description
If the FW access rule with LDAP group 1 is a higher priority than LDAP group 2, then users in LDAP group 1 are allowed out BUT LDAP group 2 users are denied.
If the FW access rule with LDAP group 2 is a higher priority than LDAP group 1, then users in LDAP group 2 are allowed out BUT LDAP group 1 users are denied.
Priority is set to auto.
If priority is manually changed, the access rules still allow the lower priority out and deny the higher priority.
This access rule issue seems to only affect the LDAP groups, doesn't affect other rules with non LDAP groups.
---
What could the issue be? Suggestions? Comments? Guesses?
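As an added example (not code from the original post or from SonicWall), the following models the symptom in the issue description: two LAN to WAN allow rules that differ only in 'Users included'. It assumes, as a labelled model rather than a documented fact, that the firewall selects the first rule whose addresses match and then applies that rule's user check, dropping non-members instead of trying the next rule; the LAN subnet, Google network and group names are constructed from values in the thread.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    """One LAN->WAN access rule (constructed model, not SonicOS internals)."""
    name: str
    src: str                                  # CIDR or "any"
    dst: str
    users_included: set = field(default_factory=set)   # empty = all users
    users_excluded: set = field(default_factory=set)

    def net_matches(self, src_ip, dst_ip):
        def ok(net, ip):
            return net == "any" or ip_address(ip) in ip_network(net)
        return ok(self.src, src_ip) and ok(self.dst, dst_ip)

    def user_matches(self, groups):
        if groups & self.users_excluded:
            return False
        return not self.users_included or bool(groups & self.users_included)

def evaluate(rules, src_ip, dst_ip, groups, fall_through=False):
    """Return (verdict, rule name). fall_through=False is the assumed model:
    the first rule whose addresses match decides and a failed user check is a
    policy drop, which reproduces the symptom. fall_through=True moves on."""
    for rule in rules:
        if not rule.net_matches(src_ip, dst_ip):
            continue
        if rule.user_matches(groups):
            return ("allow", rule.name)
        if not fall_through:
            return ("drop", rule.name)
    return ("drop", "default deny")

# Constructed rules mirroring the post: same LAN source and destination group,
# differing only in 'Users included'. List order = rule priority.
LAN = "172.16.150.0/24"          # assumed X0 subnet, from the capture's source IP
SITES = "142.250.0.0/15"         # the Google network the post allows out
RULES = [
    Rule("LDAP group 1 rule", LAN, SITES, {"Group-Internet-OCC1"}),
    Rule("LDAP group 2 rule", LAN, SITES, {"Group-Internet-Corporate2"}),
]

def demo(fall_through=False):
    """Verdicts for a group 1 user and a group 2 user under one evaluation model."""
    users = ({"Group-Internet-OCC1"}, {"Group-Internet-Corporate2"})
    return [evaluate(RULES, "172.16.150.6", "142.250.217.110", g, fall_through) for g in users]

if __name__ == "__main__":
    print(demo(), demo(fall_through=True))
```

Under the assumed model the group 2 user is dropped by the group 1 rule, which is the behaviour the question reports; nesting both LDAP groups in one local group used by a single rule, as the first answer suggests, avoids depending on rule order.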
Answers
Nest your LDAP Groups in local groups, or use the Users Excluded option...
I think I have solved the issue. Changed all the LAN-WAN rules from 'manual' priority to 'auto' priority and also the WAN-LAN rules from 'manual' priority to 'auto' priority. This lets the SW TZ500 sort out the order of the access rules. Seems to be working now. The access rules let the LDAP groups out according to the assigned LDAP groups from eDir with their assigned sites. And lets the systems out to the internet which are not part of an LDAP group but have an access rule just for them.
The TZ500 put the LDAP group access rules at a lower priority than other rules.
So far all people are allowed to their allowed sites.
---
However, 1 LDAP group is lower than the other LDAP groups and is allowed to internet browse except to some sites - really odd.
If this 1 LDAP group is manually put just above the other LDAP groups then they can fully internet browse to their sites and all the other LDAP groups can fully browse too -- odd but it works.
I'm trying to see what logic the auto priority uses to position the rule. Can't see any, alphabet - no? other criteria?
Thanks for your suggestion.
Further update on this issue
Wondering if you can help with a TZ500 Firewall access rule issue.
We have several LDAP groups and each group is assigned certain sites they can browse to. - one site is google maps - which is the problem site.
If I set all the FW rules with auto priority (LAN to WAN), then LDAP group 1 is put below some of the other LDAP groups and cannot surf to the google maps site with an error of
'This site can’t be reached'
& 'maps.google.com refused to connect.'
& the TZ500 Packet monitor shows a dropped connection with the reason of
---
Ethernet Header
Ether Type: IP(0x800), Src=[d8:cb:8a:cf:f1:42], Dst=[1a:b1:69:77:d5:10]
IP Packet Header
IP Type: TCP(0x6), Src=[172.16.150.6], Dst=[142.250.217.110]
TCP Packet Header
TCP Flags = [SYN,], Src=[53082], Dst=[80], Checksum=0x615b
Application Header
HTTP
Value:[1]
DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2251_rqnke{Ejgem) 2:2)
--
I have allowed the google IP network of 142.250.0.0/255.254.0.0 out.
google.com, google.ca, maps.google.ca, maps.google.com are all allowed
The TZ500 has no content filter license - therefore no content policies are being use/looked at/enforced - right?
But the other LDAP groups can surf to this site (or at least 1 that I'm using as a test).
*************
If I set LDAP group 1 FW rule priority to manual just above the other LDAP group rules, then LDAP group 1 can surf to google maps but the other LDAP groups cannot. - with the same drop code.
***
About getting to google maps:
The user really clicks on a map icon within an app, which opens up the browser to the google maps site with a url of
http://maps.google.com/maps?q=54.459169,+-110.231827
which google receives and changes to
https://www.google.com/maps/place/54%C2%B027'33.0%22N+110%C2%B013'54.6%22W/@54.459169,-110.2340157,17z/data=!3m1!4b1!4m5!3m4!1s0x0:0x911f11c2b5fcf0b4!8m2!3d54.459169!4d-110.231827
- notice the http://maps.google.com changes to https://www.google.com
***
ALSO: If the user receives the browser error of
'This site can’t be reached'
& 'maps.google.com refused to connect.'
with the url of
http://maps.google.com/maps?q=54.459169,+-110.231827
& manually change the url from http to https to
https://maps.google.com/maps?q=54.459169,+-110.231827
then the FW does not block/drop the session and allows this session for google changes the url to
https://www.google.com/maps/place/54%C2%B027'33.0%22N+110%C2%B013'54.6%22W/@54.459169,-110.2340157,17z/data=!3m1!4b1!4m5!3m4!1s0x0:0x911f11c2b5fcf0b4!8m2!3d54.459169!4d-110.231827
and can view the google map.
***
I trust this makes sense.
Hope you can help.
Would be great to see the rules applied to the session to see which rules are being checked and which rule is dropping the session.
And, the drop code states a policy, not a rule. - is it a policy or a rule that drops the session?
Also, I'm trying to see what logic the auto priority uses to position the rule. Can't see any, alphabet - no? other criteria?
Thanks for your help in this matter.
Could you show an access rules screenshot and check that all access rule filters are cleared, for default and customized rules.
Screen shot of LAN to WAN FW Access Rules
FW Access rule PG 1
FW Access rule PG2 - Manual priority to above the other LDAP groups
LDAP Group-Internet-OCC1 allowed to browse, LDAP group Group-Internet-Corporate2 not allowed
It's rule #28 Group-Internet-OCC1, auto priority, below the other LDAP groups
LDAP Group-Internet-Corporate2 allowed to browse, LDAP group Group-Internet-OCC1 not allowed
I trust this helps
Could you set X0 Subnet to Any?
Check the users' default groups, because some users have a lot of group memberships and SonicWall checks default group membership. Apply all security policies for the default groups' rules.
Thanks for the suggestion
For each LDAP group FW rule, I changed the source from 'X0 Subnet' to 'Any'. The SW changed all the LDAP group FW rule priorities from Auto to Manual; changed them all back to Auto. Still the same issue of the 1 LDAP group receiving the browser error of 'This site can’t be reached' when going to http://maps.google.com. Then changed the 1 LDAP group priority to Manual above the other LDAP groups, and that group can browse to google maps via the app button.
---
LDAP groups set to Auto priority & source to Any.
LDAP Group-Internet-Corporate2 allowed to browse, LDAP group Group-Internet-OCC1 not allowed
LDAP Group-Internet-OCC1 priority set to manual above the other LDAP groups
LDAP Group-Internet-OCC1 allowed to browse, LDAP group Group-Internet-Corporate2 not allowed
---
As for the users default group membership (= default LDAP group membership). So the user belongs to several groups within eDir, but only 1 group is imported to the SW, the Group-Internet-xxx groups and the users only belong to 1 Group-Internet-xxx group, so this means the SW with its SSO auth finds the user with only 1 LDAP group defined. (eDir doesn't have a default group setting)
---
Also I have another issue with changing 1 LDAP group, changing the source from 'X0 Subnet' to Any, I receive an 'Error:Policy Action: Rule overlap, rule not added.'. Yet this is the only rule with this LDAP group. I'll address this in another question.
A bit more information
Had another user belonging to another LDAP group. Received an email to go to one of their allowed sites but was refused with the error of 'This site can’t be reached'. The link in the email was to http://eml-trck.pb.com. The site should see the http request and change it (rewrite it/redirect it/whatever) to the https://eml-trck.pb.com site, but it did not. Manually changed the url from http to https and all is well for the user, who can fully browse the site.
Are we looking at the wrong area to fix, since this issue of going to the http site and the FW drops the packets for some reason and not allowing the url site (rewrite it/ redirect it) rules to change the url ??
What do you think.
Could you disable all rules and then enable them step by step.
Done this step and made no difference.