CFS + LDAP group synchronization
lowrider
Newbie ✭
I would like to know how Sonicwall os 6.5 handles ldap/ad group memberships.
I enabled mirrored groups. Synch each 5 minutes.
CFS policy uses domain user group for targeting. But it isn't working like I anticipated.
CFS policy structure:
1) block porn
2) allow all
3) block all
user "a" member of 1 and 2 should get all websites except for porn, no ?
If I remove member a from block porn group and retry 5 minutes later in Citrix it still blocks porn for this user.
If I use the ldap group import feature is this a one time copy of the group to the firewall or is ad group membership still checked for changes each time at AD level ? Or do you need the group mirroring feature for this to work?
Is there any in-depth documentation that explains the ldap integration in full detail ?
Thanks
Answers
Is It possible to have the targeted AD group consist of nested groups ?
AD group: Block porn
members: sales team /tech team /R&D team
@lowrider CFS Policy is First-Match, you always have to build a complete Policy. If you block something in 1) it will not be allowed in 2) if a match already happened.
I'am not sure about nested groups, IMHO it's not supported, you have to check at Monitor -> User Sessions -> Active Users and hover over the bubble to see which groups the firewall believes the user is a member of.
--Michael@BWC
@BWC so combining policies is not possible ? After first match it will stop checking the rest of the policies ?
So for example: policy 1: block porn + policy 2: allow weapons won't work ? Would be convenient to be able to combine policies taking into consideration that block always has priority over allow.
About the group membership: when testing LDAP user authentication it shows user a not being member of block porn group but still the block policy that is being applied to block porn group is triggered...
Edit: Apparently (after viewing a sonicwall tutorial: https://www.sonicwall.com/support/knowledge-base/content-filter-service-cfs-configurations/170503934230687/) Sonicwall uses least restrictive principle. So if something is allowed in CFS default policy it is allowed altogether...
@lowrider yes, First-Match means exactly that, combining Policies is not possible.
Are you sure that the block is caused by the block policy for block porn? It might get triggered by the Default Policy if left enabled.
--Michael@BWC
@BWC yes, the applied blocking policy shows block porn policy instead of cfs default policy. When I check monitor>active users it shows the user(SSO login) being member of the block porn group while in AD it is not...
What I don't understand when you say first match only is that this video "How to configure Per-policy Forbidden Domains with Multiple CFS Policies" https://www.sonicwall.com/support/knowledge-base/content-filter-service-cfs-configurations/170503934230687/
They speak about blocking a url in multiple policies because if the custom url isn't blocked in cfs default it won't be blocked by the custom policy custom url block (6:13)...So wouldn't that mean that multiple policies are being applied ? Or is it CFS default + 1 other policy (and not more than 1 other policy) ?
@lowrider no, it's really First match only. Please check the Admin Guide, on Page 97 there is a detailed description how CFS works.
About the group membership, is it possible that one of the groups the user is a member of, is a member of block porn group by itself? This would mean that nested groups are possible. Or did you modified the local groups on the Firewall after importing them from LDAP?
--Michael@BWC
@BWC no, I did not modify the local groups. I don't know if this is normal behaviour but you cannot see user objects in the groups.
The group is present 2 times:
1) as a local group (imported from ldap)
2) as mirrored group with domain as prefix in the object name
In the monitor it shows as being member of domain\block porn so I guess the mirrored group instead of local group...
For now the users are still direct members of the group, not nested.
Is it possible to check if something has gone wrong while syncing the mirrored groups ? Any log file that handles that ?