
Access Rule - LDAP groups not working

Inherited this setup from the previous admin.


FW Setup

Have SW TZ500, FW = SonicOS Enhanced

Set up 2 LDAP server connections to 2 eDir servers

 - all 3 tests pass and show correct info reading from eDir

Imported certain LDAP groups from eDir

Set up SSO with Directory Connector to auth against 2 eDir servers

 - both tests pass and show correct info reading from eDir

Under Users, Status

Can see User name, IP, Auth:SSO and the LDAP group user belongs to

Create FW access rule

 - LAN to WAN, action = allow

 - Source port = any, service = any, source = X0 Subnet (the LAN), destination = address object group, Users included = LDAP group 1, Users excluded = none, schedule = on

Create another FW rule for LDAP group 2


Issue description

If the FW access rule with LDAP group 1 is a higher priority than LDAP group 2, then users in LDAP group 1 are allowed out BUT LDAP group 2 users are denied.

If the FW access rule with LDAP group 2 is a higher priority than LDAP group 1, then users in LDAP group 2 are allowed out BUT LDAP group 1 users are denied.

Priority is set to auto.

If priority is manually changed, the access rules still allow the lower priority out and deny the higher priority.

This access rule issue seems to only affect the LDAP groups; it doesn't affect other rules with non-LDAP groups.


What could the issue be? Suggestions? Comments? Guesses?

Category: Entry Level Firewalls
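A small model of first-match rule evaluation, added here to illustrate the symptom in the post and the two remedies suggested in the replies (nesting the LDAP groups in a local group, or using Users Excluded); it is not SonicOS code, and its semantics (a non-matching Users Included denies without fall-through, Users Excluded skips the rule) and all users, group names and rule names are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data (not from the thread): who is in which eDir group,
# plus one local group that nests both LDAP groups (the "nest your LDAP groups" suggestion).
LDAP_MEMBERS = {"alice": {"LDAP group 1"}, "bob": {"LDAP group 2"}, "carol": set()}
LOCAL_GROUPS = {"Internet Users": {"LDAP group 1", "LDAP group 2"}}

@dataclass(frozen=True)
class Rule:
    name: str
    users_included: frozenset = frozenset()  # empty = any user
    users_excluded: frozenset = frozenset()
    action: str = "allow"

def groups_of(user):
    """Direct LDAP groups plus any local group that nests one of them."""
    direct = set(LDAP_MEMBERS.get(user, set()))
    nested = {g for g, members in LOCAL_GROUPS.items() if direct & members}
    return direct | nested

def evaluate(rules, user):
    """First-match evaluation of otherwise identical LAN->WAN rules for one user.

    Modelled semantics (an assumption chosen to reproduce the thread's symptom):
    a user in Users Excluded skips the rule and keeps falling through; a rule
    whose Users Included the user is not in still matches and denies, so the
    lower-priority rule for the other group is never reached.
    """
    groups = groups_of(user)
    for r in rules:
        if r.users_excluded & groups:
            continue
        if r.users_included and not (r.users_included & groups):
            return r.name, "deny"
        return r.name, r.action
    return "default", "deny"

def verdicts(rules):
    return {u: evaluate(rules, u)[1] for u in LDAP_MEMBERS}

# Original layout: two rules, one per LDAP group, in the order the OP described.
ORIGINAL = [Rule("Allow group 1", frozenset({"LDAP group 1"})),
            Rule("Allow group 2", frozenset({"LDAP group 2"}))]
# Fix A: a single rule whose Users Included is the nesting local group.
NESTED = [Rule("Allow Internet Users", frozenset({"Internet Users"}))]
# Fix B: keep two rules but exclude group 2 from the first so it falls through.
EXCLUDED = [Rule("Allow group 1", frozenset({"LDAP group 1"}), frozenset({"LDAP group 2"})),
            Rule("Allow group 2", frozenset({"LDAP group 2"}))]
```

Swapping the order of ORIGINAL flips which group is denied, matching the two scenarios in the post; NESTED and EXCLUDED let both groups out while a user in neither group still hits the deny.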


  • TKWITS Community Legend ✭✭✭✭✭

    Nest your LDAP Groups in local groups, or use the Users Excluded option...

  • Kevin_Verbeek Newbie ✭

    I think I have solved the issue. Changed all the LAN-WAN rules from 'manual' priority to 'auto' priority and also the WAN-LAN rules from 'manual' priority to 'auto' priority. This lets the SW TZ500 sort out the order of the access rules. Seems to be working now. The access rules let the LDAP groups out according to the assigned LDAP groups from eDir with their assigned sites. And lets the systems out to the internet which are not part of an LDAP group but have an access rule just for them.

    The TZ500 put the LDAP group access rules as a lower priority than other rules.

    So far all people are allowed to their allowed sites.


    However, 1 LDAP group is lower than the other LDAP groups and is allowed to internet browse except to some sites - really odd.

    If this 1 LDAP group is manually put just above the other LDAP groups then they can fully internet browse to their sites and all the other LDAP groups can fully browse too -- odd but it works.

    I'm trying to see what logic the auto priority uses to position the rule. Can't see any, alphabet - no? other criteria?

    Thanks for your suggestion.
