Support for Active Directory group memberships
Quote from mpachmann on 17 July 2024, 14:01
https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/Servers/AD/AuthenticationADMultipleGroupMembershipSupport/index.html
FAQ
https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/Servers/AD/AuthenticationActiveDirectoryGroupBehavior/index.html#using-ad-with-endpoint-sign-ins
Some rules and policies support multiple Active Directory (AD) group memberships for users.
Some rules and policies only support the user's main group in the firewall.
For main and other group membership FAQs, see FAQs for Active Directory users and groups.

Rules and policies

Rules and policies | Support for multiple group membership | Description |
---|---|---|
Firewall rules | Yes | Applies the matching rule's settings to the user groups selected in the rule. Example: User belongs to Group X (main group) and Group Y (other group membership). If the rule with Group Y matches the traffic first, the rule is applied to the user. |
SSL/TLS inspection rules | Yes | Applies the matching rule's settings to the user groups selected in the rule. Example: User belongs to Group X (main group) and Group Y (other group membership). If the rule with Group Y matches the traffic first, the rule is applied to the user. |
WAF rules | No | Only supports the main group. Make sure the main group or the user is configured in the policy. Currently, if it's turned on for any of the user's other groups, the user's policy shows Enable, but users aren't allowed access based on their Other group memberships. |
SD-WAN routes | Yes | Applies the matching route to the user groups selected in the route. Example: User belongs to Group X (main group) and Group Y (other group membership). If the route with Group Y matches the traffic first, the route is applied to the user. |
Web policies | Yes | The firewall rule matches first and selects the web policy to use. The web filter applies the first rule in the web policy rule that matches both the user and the website. Example: User belongs to Group X (main group) and Group Y (other group membership). The user tries to visit a sports website. Web policy rules are in the following order: 1. Block sports for Group Y. 2. Allow news for Group X. The firewall blocks the sports website for the user. |
IPS policies | Yes | Applies the matching rule's IPS policy to the user groups specified in the rule. |
Application control policies | Yes | Applies the matching rule's application control policy to the user groups specified in the firewall rule. |
My policy overrides | No | Only applies to AD users' main group and to individual users. It doesn't apply to their other group memberships. |

Remote access VPN

Remote access VPN | Support for multiple group membership | Description |
---|---|---|
Remote access SSL VPN | Yes | Applies the permissions of all the full and split tunnel remote access SSL VPN policies of the user and the user's groups. If the user or the user's groups are part of full tunnel policies, the firewall always establishes a full tunnel. |
Clientless SSL VPN | Yes | Applies the permissions of all the clientless SSL VPN policies to which any of the user's groups belong. |
L2TP | No | Only supports the main group. Make sure the main group or the user is in the allowed list. Currently, if it's turned on for any of the user's groups, the user's policy shows Enable, but users aren't allowed access based on their Other group membership. |
PPTP | No | Only supports the main group. Make sure the main group or the user is in the allowed list. Currently, if it's turned on for any of the user's groups, the user's policy shows Enable, but users aren't allowed access based on their Other group membership. |
Remote access IPsec VPN | No | Only supports the main group. Make sure the main group or the user is in the allowed list. Currently, if it's turned on for any of the user's groups, the user's policy shows Enable, but users aren't allowed access based on their Other group membership. |

Hotspots and Policy test

Other policies | Support for multiple group membership | Description |
---|---|---|
Hotspots | No | Only supports the user's main group. The user portal shows all the hotspots the main group is part of. |
Policy test | Yes | Supports all the user's groups that match the rules and policies it tests. |

User's policies and other settings

User's policies and other settings | Support for multiple group membership | Description |
---|---|---|
Surfing quota, Access time, Network traffic, Traffic shaping | No | Only supports the user's main group. Alternatively, you can select a different policy for the user. |
Quarantine digest, MAC binding | No | Only supports the user's main group. Alternatively, you can select a different setting for the user. |
Sign-in restriction | No | Only supports the user's main group. Alternatively, you can select a different setting for the user. |
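The quoted tables describe two evaluation behaviours: features marked "Yes" match rules top-down against all of a user's group memberships, while features marked "No" (WAF rules, L2TP, PPTP, remote access IPsec VPN, hotspots) only see the main group, so a user can show Enable yet be refused. The following is an added example, not code from Sophos or from the quoted documentation: it models both behaviours in Python so an administrator can check which users would lose access under a main-group-only feature. The `ADUser`/`Rule` structures, the helper names, and the sample users and rules are all constructed for illustration and are not the firewall's own API or data.

```python
"""Added example (not from the quoted Sophos documentation): a small model of
main-group-only vs. multi-group rule matching, plus an audit helper for the
'policy shows Enable but access is refused' case the tables warn about.
All names and sample data below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class ADUser:
    name: str
    main_group: str
    other_groups: frozenset = frozenset()

    def effective_groups(self, multi_group_supported: bool) -> frozenset:
        """Groups the firewall considers for this user under a given feature.
        Features marked 'Yes' in the tables see every membership; features
        marked 'No' see only the main group."""
        if multi_group_supported:
            return frozenset({self.main_group}) | self.other_groups
        return frozenset({self.main_group})


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset         # groups selected in the rule
    category: Optional[str]   # web category to match; None matches any traffic
    action: str               # "allow" or "block"


def first_match(rules: Sequence[Rule], user: ADUser, category: str,
                multi_group_supported: bool) -> Optional[Rule]:
    """Top-down, first-match evaluation as the firewall rule and web policy rows
    describe: a rule matches when it names one of the user's effective groups
    and its category (if it has one) matches the traffic."""
    effective = user.effective_groups(multi_group_supported)
    for rule in rules:
        if rule.groups & effective and rule.category in (None, category):
            return rule
    return None


def users_missing_access(allowed_groups: frozenset, users: Sequence[ADUser]) -> list:
    """Audit helper for main-group-only features (WAF rules, L2TP, PPTP, remote
    access IPsec VPN): returns users whose only route into an allowed group is an
    'other' membership. Their policy shows Enable, but the feature refuses them."""
    return [
        u.name for u in users
        if allowed_groups & u.effective_groups(True)        # looks enabled
        and not allowed_groups & u.effective_groups(False)  # main group not allowed
    ]


# Constructed sample data (not from the page).
ALICE = ADUser("alice", main_group="Group X", other_groups=frozenset({"Group Y"}))
BOB = ADUser("bob", main_group="Group Y")

# The web policy example from the table: block sports for Group Y, then allow news for Group X.
WEB_POLICY = [
    Rule("Block sports for Group Y", frozenset({"Group Y"}), "sports", "block"),
    Rule("Allow news for Group X", frozenset({"Group X"}), "news", "allow"),
]

# Two firewall rules that both match any traffic; rule order decides which applies.
FIREWALL_RULES = [
    Rule("Allow Group Y", frozenset({"Group Y"}), None, "allow"),
    Rule("Allow Group X", frozenset({"Group X"}), None, "allow"),
]

if __name__ == "__main__":
    print(first_match(WEB_POLICY, ALICE, "sports", True).name)         # Block sports for Group Y
    print(first_match(FIREWALL_RULES, ALICE, "any", True).name)        # Allow Group Y
    print(first_match(FIREWALL_RULES, ALICE, "any", False).name)       # Allow Group X
    print(users_missing_access(frozenset({"Group Y"}), [ALICE, BOB]))  # ['alice']
```

Run `users_missing_access` with the groups you have selected in a WAF rule, an L2TP/PPTP allowed list or a remote access IPsec VPN policy, and your exported user list, to find accounts that appear enabled but will be refused; for those users, add the main group or the individual user to the policy as the table advises.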