AD membership sync - particular group - syncs also account outside that group

Ahoj,

A user object is not deleted from the UTM if the user is deleted in AD.  How do you know that the UTM still considers this user to be a member of the AD Backend Group - what do you see that leads you to that conclusion?

Cheers - Bob

Hello BAlfson,

your feedback is much appreciated. To prove my statements, shortly about the problem being solved:

There is a clerk in the shopfloor who certainly shouldn't be able to access the internet. Yet, he is and I am twisting my head around why. There is a transparent proxy that ALLOWS the users or REJECTS them in terms of internet access based on AD group membership.

The group used for internet access is called GLB_U_S_InternetAccess

When I list the "MemberOf" in ActiveDirectory, the user is member of 6 groups, yet none of them is GLB_U_S_InternetAccess. This change has been done ages ago (user has been removed). From AD side, all clear then.

When I ask Sophos, whether this user does have internet access, the user does have access indeed:

Let's take a look into the policy: 

And also at the user group:

And let's take a look at the user details:

If you want, I can also share the screenshot of the "Member Of" attribute of the user from AD, I however hope I am not that goofy to not see GLB_U_S_InternetUsers among 6 other groups.

My presumption was: I have an AD group and with that group, I can manage who can and cannot access the internet. It worked till I met this peculiar account.

Thank you in advance BAlfson for your expert-insight, take care.

Hi szcz7977,

If you take tcpdump -s0 for 389(LDAP) and the IP of the AD server authenticating that user, you should see the memberOf response from the server to confirm which group that AD server is telling the UTM the user is part of. The packet capture and Wireshark should show all of that as long as you are not using LDAP over SSL(636). Or you could also maybe do a manual synchronization of AD group membership from Definition & Users > Authentication Services > Advanced
and check the logs; maybe that will show some information. 

Thanks,

szcz7977 said:

There is a clerk in the shopfloor who certainly shouldn't be able to access the internet. Yet, he is

Please show a line from the Web Filtering log where this user made an access that should have been blocked.

Cheers - Bob

szcz7977 said:

There is a clerk in the shopfloor who certainly shouldn't be able to access the internet. Yet, he is

Please show a line from the Web Filtering log where this user made an access that should have been blocked.

Cheers - Bob

Hello Bob, sorry for late reply, there has been a public holiday after the weekend. So, for example, this line (on behalf of the user, I attempted to access imageboard forum 9gag.com and succeded). Some details (e.g. company name) have been redacted from the log line.

Now the log line:

2020:09:29-09:11:17 w17nfw001-2 httpproxy[7182]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.17.12.37" dstip="104.16.103.144" user="xxx.xratxxx" group="" ad_domain="(redacted)" statuscode="200" cached="0" profile="REF_HttProContaInterLan3 ((redacted) transparent proxy)" filteraction="REF_HttCff(redacted)filte ((redacted)_Filter(local&Sandstorm))" size="24998" request="0xc9450a00" url="">https://9gag.com/" referer="" error="" authtime="1273" dnstime="41818" aptptime="53" cattime="96" avscantime="0" fullreqtime="95501892" device="1" auth="2" ua="" exceptions="" category="179" reputation="trusted" categoryname="Media Sharing" application="9gag" app-id="1662"

szcz7977 said:

group=""

That means he's not identified as a member of a Backend Group defined by an AD Security Group, so there's some other reason he qualified for that filteraction.

Cheers - Bob

I thought, for qualifying for filteraction, one first has to quality for web filter profile (with the network where that request is coming from) , then qualify for filter policy (in my case, that's based on the AD group membership) and then whichever policy has the user qualified for, appropriate filter action is used.

How can one qualify for filteraction when in the chain of preceding conditions, at least one condition is not met? In other words, how come the chain Profile->Policy->FilterAction is not followed ?

In my case, the user qualifies for filter profile based on the network he is in. Then, based on policy helpdesk, he qualifies for the policy (although he should not! - he is not the member of the appropriate AD groups) and then, filter action kicks in. Cofusion of the highest order.

Thanks for hearing me out, take care.

Due to spending way more time on this issue than it deserves, I have decided to delete that account from Sophos - the account is not that important anyway. This dialog popped up when deleting the account. If this is not an evidence of Sophos still incorrectly thinking that account in question is member of the GLB_U_S_InternetUsers group, then I don't know what is.

Let's see if deletion of the user object in Sophos (not in AD!) worked out.

... after deleting the user from sophos and running AD sync several times, the user has not been recreated and is now denied internet access.

That'll do for me.

Have a beautiful day, all of you.