Access Rule - LDAP groups not working

Answers

• TKWITS Community Legend ✭✭✭✭✭

  May 2022

  Nest your LDAP Groups in local groups, or use the Users Excluded option...

  0
• Kevin_Verbeek Newbie ✭

  May 2022

  
  

  I think I have solved the issue. Changed all the LAN-WAN rules from 'manual' priority to 'auto' priority and also the WAN-LAN rules from 'manual' priority to 'auto' priority. This lets the SW TZ500 sort out the order of the access rules. Seems to be working now. The access rules let the LDAP groups out according the assigned LDAP groups from eDir with their assigned sites. And lets the systems out to the internet which are not part of an LDAP group but have a access rule just for them.

  The TZ500 put the LDAP group access rules as a lower priority then other rules.

  So far all people are allowed to their allowed sites.

  ---

  However, 1 LDAP group is lower then the other LDAP groups and is allowed to internet browse except to some sites - really odd.

  If this 1 LDAP group is manually put just above the other LDAP groups then they can fully internet browse to their sites and all the other LDAP groups can full browse too -- odd but it works.

  I'm trying to see what logic the auto priority uses to position the rule. Can't see any, alphabet - no? other criteria?

  Thanks for your suggestion.

  0
• Kevin_Verbeek Newbie ✭

  June 2022

  Further update on this issue

  Wondering if you can help with an TZ500 Firewall access rule issue.

  We have several LDAP groups and each group is assigned certain sites they can browse to. - one site is google maps - which is the problem site.

  If I set all the FW rules with auto priority (LAn TO wan), then LDAP group 1 is put below some of the other LDAP groups and cannot surf to the google maps site with an error of

  'This site can’t be reached'

  & 'maps.google.com refused to connect.'

  & the TZ500 Packet monitor shows a dropped connection with the reason of

  ---

  Ethernet Header

  Ether Type: IP(0x800), Src=[d8:cb:8a:cf:f1:42], Dst=[1a:b1:69:77:d5:10]

  IP Packet Header

  IP Type: TCP(0x6), Src=[172.16.150.6], Dst=[142.250.217.110]

  TCP Packet Header

  TCP Flags = [SYN,], Src=[53082], Dst=[80], Checksum=0x615b

  Application Header

  HTTP

  Value:[1]

  DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2251_rqnke{Ejgem) 2:2)

  --

  I have allowed the google IP network of 142.250.0.0/255.254.0.0 out.

  google.com, google.ca, maps.google.ca, maps.google.com are all allowed

  The TZ500 has no content filter license - therefore no content policies are being use/looked at/enforced - right?

  
  

  But the other LDAP groups can surf to this site (or at least 1 that I'm using as a test).

  
  

  *************

  If I set LDAP group 1 FW rule priority to manual just above the other LDAP group rules, then LDAP group 1 can surf to google maps but the other LDAP groups cannot. - with the same drop code.

  
  

  ***

  About getting to google maps;

  The user really clicks on a map icon within an app, which opens up the browser to the google maps site with a url of

  http://maps.google.com/maps?q=54.459169,+-110.231827

  which google receives and changes to

  https://www.google.com/maps/place/54%C2%B027'33.0%22N+110%C2%B013'54.6%22W/@54.459169,-110.2340157,17z/data=!3m1!4b1!4m5!3m4!1s0x0:0x911f11c2b5fcf0b4!8m2!3d54.459169!4d-110.231827

  - notice the http://maps.google.com changes to https://www.google.com

  ***

  ALSO: If the user receives the browser error of

  'This site can’t be reached'

  & 'maps.google.com refused to connect.'

  with the url of

  http://maps.google.com/maps?q=54.459169,+-110.231827

  & manually change the url form http to https to

  https://maps.google.com/maps?q=54.459169,+-110.231827

  then the FW does not block/drop the session and allows this session for google changes the url to

  https://www.google.com/maps/place/54%C2%B027'33.0%22N+110%C2%B013'54.6%22W/@54.459169,-110.2340157,17z/data=!3m1!4b1!4m5!3m4!1s0x0:0x911f11c2b5fcf0b4!8m2!3d54.459169!4d-110.231827

  and can view the google map.

  ***

  I trust this makes sense.

  Hope you can help.

  Would be great to see the rules applies to the session to see which rules are being check and which rule is dropping the session.

  And, the drop code state a policy not a rule. - is it a policy or a rule that drops the session?

  Also, I'm trying to see what logic the auto priority uses to position the rule. Can't see any, alphabet - no? other criteria?

  Thanks for your help in this matter.

  0
• MitatOnge All-Knowing Sage ✭✭✭✭

  June 2022

  could you show access rules screen shot and check all access rule filter cleared. default and customize rules.

  0
• Kevin_Verbeek Newbie ✭

  June 2022

  Screen shot of LAN to WAN FW Access Rules

  FW Access rule PG 1

  

  FW Access rule PG2 - Manual priority to above the other LDAP groups

  LDAP Group-Internet-OCC1 allowed to browse, LDAP group Group-Internet-Corporate2 not allowed

  

  Its rule # 28 Group-Internet-OCC1 Auto priority to belowthe other LDAP groups

  LDAP Group-Internet-Corporate2 allowed to browse, LDAP group Group-Internet-OCC1 not allowed

  

  I trust this helps

  0
• MitatOnge All-Knowing Sage ✭✭✭✭

  June 2022

  Could you set to X0 Subnet to Any ?

  check user default groups. because some users have a lots of group membership and sonicwall checks default group membership. apply all security policies for default groups rules.

  0
• Kevin_Verbeek Newbie ✭

  June 2022

  Thanks for the suggestion

  For each LDAP group FW rule, I change the source from 'X0 Subnet' to 'Any'. The SW changed all the LDAP group FW rule priority from Auto to Manual, change them all back to Auto, Still the same issue of the 1 LDAP group receive the browser error of 'This site can’t be reached' when going to http://maps.google.com. Then changed the 1 LDAP group priority to Manual above the other LDAP groups, and That group can browse to google maps via the app button.

  ---

  LDAP groups set to Auto priority & source to Any.

  LDAP Group-Internet-Corporate2 allowed to browse, LDAP group Group-Internet-OCC1 not allowed

  

  LDAP Group-Internet-OCC1 priority set to manual above the other LDAP groups

  LDAP Group-Internet-OCC1 allowed to browse, LDAP group Group-Internet-Corporate2 not allowed

  

  ---

  As for the users default group membership (= default LDAP group membership). So the user belongs to several groups within eDir, but only 1 group is imported to the SW, the Group-Internet-xxx groups and the users only belong to 1 Group-Internet-xxx group, so this means the SW with its SSO auth finds the user with only 1 LDAP group defined. (eDir doesn't have a default group setting)

  
  

  ---

  Also I have another issue with changing 1 LDAP group, changing the source from 'X0 Subnet' to Any, I receive an 'Error:Policy Action: Rule overlap, rule not added.'. Yet this is the only rule with this LDAP group. I'll address this in another question.

  

  
  

  0
• Kevin_Verbeek Newbie ✭

  June 2022

  A bit more information

  
  

  Had another user belonging to another LDAP group. Received an email to goto one of their allowed sites but was refused with the error of 'This site can’t be reached' . The link in the email was to http://eml-trck.pb.com. The site should see the http request and change it (rewrite it/ redirect it/whatever) to the https://eml-trck.pb.com site, but it did not. Manually changed the url from http to https and all is well for user and can fully browse the site.

  
  

  Are we looking at the wrong area to fix, since this issue of going to the http site and the FW drops the packets for some reason and not allowing the url site (rewrite it/ redirect it) rules to change the url ??

  What do you think.

  0
• MitatOnge All-Knowing Sage ✭✭✭✭

  June 2022

  could you disable all rules and step by step set to enable.

  0
• Kevin_Verbeek Newbie ✭

  June 2022

  Done this step and made no difference.

  0