DATE: 9.21.2015
VERSION: Network Sentry version 7.0.x and above
Issue: Customers utilizing the "Remove Users deleted from the Directory" feature of Network Sentry are susceptible to the incorrect deletion of User records, and potentially of associated Host records, during a directory synchronization.
Bradford has determined that during a directory synchronization, if the LDAP server returns an error indicating it is too busy to respond, Network Sentry incorrectly continues with the synchronization process. With "Remove Users deleted from the Directory" enabled, Network Sentry User records not retrieved during the failed synchronization will be incorrectly deleted.
This can lead to one or more of the following results:
- Host records associated with the deleted User records may also be deleted, requiring those hosts to re-register.
- Policies may no longer match based upon criteria used in User/Host profiles. This can affect assigned network access and endpoint compliance policies.
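The failure mode above, shown as an added example (not Network Sentry or Bradford code): a simulated paged LDAP enumeration that is cut short by a "server busy" response, a reconciliation routine that ignores the incomplete result and prunes the users it never saw, and a hardened routine that aborts deletion on an incomplete enumeration and additionally refuses an implausibly large deletion batch. The user names, the page structure and the 25% threshold are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class SyncResult:
    deleted: list = field(default_factory=list)  # local users removed by this run
    aborted: bool = False
    reason: str = ""


def fetch_directory_users(pages):
    """Simulate a paged LDAP search. A page of None models the server answering
    'busy' part-way through. Returns (users seen so far, enumeration completed?)."""
    users = set()
    for page in pages:
        if page is None:
            return users, False  # partial listing; the remaining pages were never read
        users.update(page)
    return users, True


def sync_unsafe(local_users, pages):
    """Flawed behaviour described in the advisory: the completeness flag is ignored,
    so a partial listing looks like a directory from which the missing users were deleted."""
    directory, _ = fetch_directory_users(pages)
    return SyncResult(deleted=sorted(local_users - directory))


def sync_safe(local_users, pages, max_delete_fraction=0.25):
    """Hardened reconciliation: only delete after a complete enumeration, and refuse a
    batch that would remove more than max_delete_fraction of the local records.
    The fraction threshold is an assumed extra safeguard, not a Network Sentry setting."""
    directory, complete = fetch_directory_users(pages)
    if not complete:
        return SyncResult(aborted=True, reason="directory enumeration incomplete")
    stale = sorted(local_users - directory)
    if local_users and len(stale) / len(local_users) > max_delete_fraction:
        return SyncResult(aborted=True, reason="deletion batch exceeds safety threshold")
    return SyncResult(deleted=stale)


if __name__ == "__main__":
    # Constructed data: four local users; the LDAP server goes busy after page one.
    local = {"alice", "bob", "carol", "dave"}
    busy_pages = [{"alice", "bob"}, None, {"carol", "dave"}]
    print("unsafe:", sync_unsafe(local, busy_pages))  # carol and dave wrongly deleted
    print("safe:  ", sync_safe(local, busy_pages))    # aborted, nothing deleted
```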
WORKAROUND
Disable "Remove Users deleted from the Directory" in LDAP Settings.
SOLUTION
Addressed in Network Sentry releases 7.2.2, 7.3.1, 8.x, and all future releases.
Once updated to one of the above-mentioned versions, re-enable "Remove Users deleted from the Directory" in LDAP Settings.
Copyright 2024 Fortinet, Inc. All Rights Reserved.