: Configure LDAP Authentication for a Dedicated Log Collector
Focus
Focus

Configure LDAP Authentication for a Dedicated Log Collector

Table of Contents

Configure LDAP Authentication for a Dedicated Log Collector

Configure LDAP authentication for a Dedicated Log Collector.
You can use LDAP to authenticate end users who access Dedicated Log Collector web interface.
  1. Add an LDAP server profile.
    The profile defines how the Dedicated Log Collector connects to the LDAP server.
    Only Superuser administrators are supported when configuring an administrative account for a Dedicated Log Collector. Local or Panorama Administrators with any other admin role type is not supported.
    1. Select
      Panorama
      Server Profiles
      LDAP
      and
      Add
      a server profile.
    2. Enter a
      Profile Name
      to identify the server profile.
    3. Add
      the LDAP servers (up to four). For each server, enter a
      Name
      (to identify the server),
      LDAP Server
      IP address or FQDN, and server
      Port
      (default 389).
      If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
    4. Select the server
      Type
      .
    5. Select the
      Base DN
      .
      To identify the Base DN of your directory, open the
      Active Directory Domains and Trusts
      Microsoft Management Console snap-in and use the name of the top-level domain.
    6. Enter the
      Bind DN
      and
      Password
      to enable the authentication service to authenticate the firewall.
      The Bind DN account must have permission to read the LDAP directory.
    7. Enter the
      Bind Timeout
      and
      Search Timeout
      in seconds (default is 30 for both).
    8. Enter the
      Retry Interval
      in seconds (default is 60).
    9. (
      Optional
      ) If you want the endpoint to use SSL or TLS for a more secure connection with the directory server, enable the option to
      Require SSL/TLS secured connection
      (enabled by default). The protocol that the endpoint uses depends on the server port:
      • 389 (default)—TLS (Specifically, the Dedicated Log Collector uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
      • 636—SSL
      • Any other port—The Dedicated Log Collector first attempts to use TLS. If the directory server doesn’t support TLS, the Dedicated Log Collector falls back to SSL.
    10. (
      Optional
      ) For additional security, enable to the option to
      Verify Server Certificate for SSL sessions
      so that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option to
      Require SSL/TLS secured connection
      . For verification to succeed, the certificate must meet one of the following conditions:
      • It is in the list of Panorama certificates:
        Panorama
        Certificate Management
        Certificates
        Device Certificates.
        If necessary, import the certificate into Panorama.
      • The certificate signer is in the list of trusted certificate authorities:
        Panorama
        Certificate Management
        Certificates
        .
    11. Click
      OK
      to save the server profile.
  2. Configure the authentication for the Dedicated Log Collector.
    1. Select
      Panorama
      Managed Collectors
      and select the Dedicated Log Collector you previously added.
    2. Configure the authentication
      Timeout Configuration
      for the Dedicated Log Collector.
      1. Enter the number of
        Failed Attempt
        s before a user is locked out of the Dedicated Log Collector CLI.
      2. Enter the
        Lockout Time
        , in minutes, for which the Dedicated Log Collector locks out a user account after that user reaches the configured number of
        Failed Attempts
        .
      3. Enter the
        Idle Timeout
        , in minutes, before the user account is automatically logged out due to inactivity.
      4. Enter the
        Max Session Count
        to set how many user accounts can simultaneously access the Dedicated Log Collector.
      5. Enter the
        Max Session Time
        the administrator can be logged in before being automatically logged out.
    3. Add the Dedicated Log Collector administrators.
      Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add
      admin1
      as both a local and Panorama administrator.
      • Configure the local administrators.
        Configure new administrators unique to the Dedicated Log Collector. These administrators are specific to the Dedicated Log Collector for which they are created and you manage these administrators from this table.
        1. Add
          one or more new local administrator.
        2. Enter a
          Name
          for the local administrator.
        3. Assign an
          Authentication Profile
          you previously created.
          LDAP authentication profiles are supported only for individual local administrators.
        4. Enable (check)
          Use Public Key Authentication (SSH)
          to import a public key file for authentication.
        5. Select a
          Password Profile
          to set the expiration parameters.
      • Import existing Panorama administrators
        Import existing administrators configured on Panorama. These administrators are configured and managed on Panorama and imported to Dedicated Log Collector.
      1. Add
        an existing Panorama administrator
    4. Click
      OK
      to save the Dedicated Log Collector authentication configuration.
  3. Configure the authentication for the Dedicated Log Collector.
    1. Select
      Panorama
      Managed Collectors
      and select the Dedicated Log Collector you previously added.
    2. Select the
      Authentication Profile
      you configured in the previous step.
    3. Configure the authentication
      Timeout Configuration
      for the Dedicated Log Collector.
      1. Enter the number of
        Failed Attempt
        s before a user is locked out of the Dedicated Log Collector CLI.
      2. Enter the
        Lockout Time
        , in minutes, for which the Dedicated Log Collector locks out a user account after that user reaches the configured number of
        Failed Attempts
        .
      3. Enter the
        Idle Timeout
        , in minutes, before the user account is automatically logged out due to inactivity.
      4. Enter the
        Max Session Count
        to set how many user accounts can simultaneously access the Dedicated Log Collector.
      5. Enter the
        Max Session Time
        the administrator can be logged in before being automatically logged out.
    4. Add the Dedicated Log Collector administrators.
      You must add the administrator (
      admin
      ) as either a local administrator or as an imported Panorama administrator—but not both. The push to managed collectors fails if an administrator is not added or if the administrator is added as both a local administrator and as an imported Panorama administrator.
      1. Add
        and configure new administrators unique to the Dedicated Log Collector. These administrators are specific to the Dedicated Log Collector for which they are created and you manage these administrators from this table.
      2. Add
        any administrators configured on Panorama. These administrators are created on Panorama and imported to the Dedicated Log Collector.
    5. Click
      OK
      to save the Dedicated Log Collector authentication configuration.
  4. Commit
    and then
    Commit and Push
    your configuration changes.
  5. Log in to the Panorama CLI of the Dedicated Log Collector to verify you can successfully access the Dedicated Log Collector using the local admin user.

Recommended For You