Use an LDAP server profile to:
Authenticate administrators and end users of Palo Alto Networks firewalls and Panorama.
Define security rules based on user or user group. The LDAP server profile instructs the firewall how to connect and authenticate to the server and how to search the directory for user and group information. You must also configure User-ID to Map Users to Groups. Then you can select users or groups when defining policy rules.
Configure an LDAP Server Profile
Add an LDAP server profile.
Select Device > Server Profiles > LDAP, click Add, and enter a name to identify the server profile.
For a firewall with more than one virtual system (vsys), select the location (a specific vsys or Shared) where the profile is available.
For each LDAP server (up to four), click Add and enter a name (to identify the server), the server IP address or FQDN (in the server address field), and the server port.
Select the server type from the drop-down.
If you want the firewall or Panorama to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (it is selected by default). The protocol that the firewall or Panorama uses depends on the server port:
389 (default)—TLS (Specifically, the firewall or Panorama uses the Start TLS operation, which upgrades the initial plaintext connection to TLS.)
Any other port—The firewall or Panorama first tries to use TLS. If the directory server doesn’t support TLS, the firewall or Panorama falls back to SSL.
To improve security, you can select the Verify Server Certificate for SSL sessions check box (it is cleared by default) so that the firewall or Panorama verifies the certificate that the directory server presents for SSL/TLS connections. If the verification fails, the connection fails. To enable verification, you must also select the Require SSL/TLS secured connection check box. The firewall or Panorama verifies the certificate in two respects:
The certificate is trusted and valid. For the firewall or Panorama to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under Device > Certificate Management > Certificates > Device Certificates. Import the certificate if necessary: see Import a Certificate and Private Key.
The certificate name must match the host name of the LDAP server. The firewall or Panorama first checks the certificate attribute Subject AltName for a match, then tries the attribute Subject DN. If the certificate uses the FQDN of the directory server, you must enter that FQDN (not the IP address) in the server address field for the name matching to succeed.
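The following is an added illustration, not PAN-OS code, of what the two settings above ask an LDAP client to do when the port is 389: send the LDAP Start TLS extended operation over the plaintext connection, then upgrade the socket to TLS while requiring a chain that ends in a trusted CA and a name match that checks Subject AltName before the Subject DN. The BER encoding follows RFC 4511; the certificate dict, host names and CA bundle path are constructed placeholders, and the firewall's own fallback behaviour on non-389 ports is not reproduced.

```python
"""Added example: LDAP StartTLS request/response encoding, a name check that
mirrors the documented order (Subject AltName first, then Subject DN), and a
verifying TLS context. Not Palo Alto Networks code; names are placeholders."""
import socket
import ssl
from typing import Optional

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def _ber(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV encoder; short-form length only (payload < 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form BER length only")
    return bytes([tag, len(payload)]) + payload


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID INTEGER,
                     extendedReq [APPLICATION 23] { requestName [0] LDAPOID } }"""
    request_name = _ber(0x80, STARTTLS_OID.encode())  # [0] primitive
    extended_req = _ber(0x77, request_name)            # [APPLICATION 23] constructed
    msg_id = _ber(0x02, bytes([message_id]))           # INTEGER (ids < 128 only here)
    return _ber(0x30, msg_id + extended_req)           # outer SEQUENCE


def parse_extended_response(data: bytes) -> int:
    """Return the resultCode of an ExtendedResponse [APPLICATION 24].
    0 (success) means the server agreed and the TLS handshake may begin."""
    if data[:1] != b"\x30":
        raise ValueError("not an LDAPMessage")
    body = data[2:2 + data[1]]
    if body[:1] != b"\x02":
        raise ValueError("missing messageID")
    pos = 2 + body[1]                                  # skip INTEGER messageID
    if pos >= len(body) or body[pos] != 0x78:
        raise ValueError("not an ExtendedResponse")
    inner = body[pos + 2:pos + 2 + body[pos + 1]]
    if inner[:1] != b"\x0a":                           # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    return int.from_bytes(inner[2:2 + inner[1]], "big")


def _name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match with a single leading wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def match_server_name(cert: dict, configured_name: str) -> Optional[str]:
    """Check Subject AltName DNS entries first, then the Subject DN commonName,
    as the profile's verification does. Returns the attribute that matched,
    or None. `cert` uses the dict shape ssl.SSLSocket.getpeercert() returns."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and _name_match(value, configured_name):
            return "subjectAltName"
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _name_match(value, configured_name):
                return "subject"
    return None


def build_verifying_context(ca_bundle_path: Optional[str] = None) -> ssl.SSLContext:
    """Equivalent of 'Verify Server Certificate': require a chain that ends in
    a CA we hold (the firewall's Device Certificates store) plus a name match.
    ca_bundle_path is a placeholder for the root/intermediate bundle."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_bundle_path:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


def starttls_upgrade(host: str, port: int = 389, timeout: float = 5.0) -> ssl.SSLSocket:
    """Plaintext connect, StartTLS, then TLS. `host` must be the FQDN that the
    directory's certificate carries, not its IP, or the name check fails."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(build_starttls_request())
    if parse_extended_response(sock.recv(4096)) != 0:
        sock.close()
        raise ConnectionError("directory server refused StartTLS")
    return build_verifying_context().wrap_socket(sock, server_hostname=host)


# Constructed sample certificate (placeholder names, not a real server).
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.test"),),),
    "subjectAltName": (("DNS", "ldap.example.test"), ("DNS", "*.example.test")),
}

if __name__ == "__main__":
    print(build_starttls_request().hex())
    print(match_server_name(SAMPLE_CERT, "ldap.example.test"))  # subjectAltName
    print(match_server_name(SAMPLE_CERT, "10.0.0.5"))           # None
```

The last call shows the caveat from the text: a profile that lists the server by IP address cannot satisfy the name check when the certificate carries only the FQDN, so the connection is refused rather than silently accepted.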