Configure an LDAP Server Profile
An LDAP server profile enables you to:
- Authenticate administrators and end users of Palo Alto Networks firewalls and Panorama.
- Define security rules based on user or user group. The LDAP server profile instructs the firewall how to connect and authenticate to the server and how to search the directory for user and group information. You must also configure User-ID to Map Users to Groups. Then you can select users or groups when defining policy rules.
- Add an LDAP server profile.
  - Select Device > Server Profiles > LDAP and click Add.
  - Enter a Profile Name to identify the server profile.
  - For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  - For each LDAP server (up to four), click Add and enter a Name (to identify the server), the server IP address (LDAP Server field), and the server Port (default 389).
  - Select the server Type from the drop-down: active-directory, e-directory, sun, or other.
  - If you want the firewall or Panorama to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (it is selected by default). The protocol that the firewall or Panorama uses depends on the server Port:
    - Any other port—The firewall or Panorama first tries to use TLS. If the directory server doesn’t support TLS, the firewall or Panorama falls back to SSL.
  - To improve security, you can select the Verify Server Certificate for SSL sessions check box (it is cleared by default) so that the firewall or Panorama verifies the certificate that the directory server presents for SSL/TLS connections. If the verification fails, the connection fails. To enable verification, you must also select the Require SSL/TLS secured connection check box. The firewall or Panorama verifies the certificate in two respects:
    - The certificate is trusted and valid. For the firewall or Panorama to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under Device > Certificate Management > Certificates > Device Certificates. Import the certificate if necessary: see Import a Certificate and Private Key.
    - The certificate name must match the hostname of the LDAP server. The firewall or Panorama first checks the certificate attribute Subject AltName for a match, then tries the attribute Subject DN. If the certificate uses the FQDN of the directory server, you must enter that FQDN in the LDAP Server field for the name matching to succeed.
- Implement the LDAP server profile.
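The following is an added example, not Palo Alto Networks code, that models the server-certificate name check described above (Subject AltName first, then the Subject DN) using the dictionary layout Python's `ssl.SSLSocket.getpeercert()` returns. The certificate dictionaries are constructed sample data, and the wildcard and IP-literal handling follow RFC 6125 conventions as an assumption about the exact matching rules.

```python
import ipaddress

def _dns_match(pattern, hostname):
    # Case-insensitive exact match, or a single leading wildcard label
    # ("*.example.internal" matches "dc01.example.internal" only).
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False

def cert_name_matches(cert, server_field):
    """Return (ok, reason) for the value typed into the profile's LDAP Server field.

    Subject AltName is consulted first, then the commonName in the Subject DN,
    mirroring the order described in the procedure above.
    """
    try:
        ip = ipaddress.ip_address(server_field)
    except ValueError:
        ip = None  # server_field is a hostname/FQDN, not an IP literal
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and ip is None and _dns_match(value, server_field):
            return True, f"SAN DNS:{value}"
        if kind == "IP Address" and ip is not None and ipaddress.ip_address(value) == ip:
            return True, f"SAN IP:{value}"
    # Fall back to the Subject DN; a CN is compared as a DNS name only.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and ip is None and _dns_match(value, server_field):
                return True, f"Subject CN={value}"
    return False, "no SAN or Subject CN entry matches the LDAP Server field"

# Constructed sample: a directory server certificate issued to its FQDN only.
DC_CERT = {
    "subject": ((("commonName", "dc01.example.internal"),),),
    "subjectAltName": (("DNS", "dc01.example.internal"),),
}

if __name__ == "__main__":
    # Entering the FQDN in the LDAP Server field succeeds; entering the IP does not,
    # which is why the procedure says to enter the FQDN when the certificate uses it.
    print(cert_name_matches(DC_CERT, "dc01.example.internal"))
    print(cert_name_matches(DC_CERT, "10.0.0.5"))
```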