End-of-Life (EoL)

Configure an LDAP Server Profile

An LDAP server profile enables you to:
  • Authenticate administrators and end users of Palo Alto Networks firewalls and Panorama.
  • Define security rules based on user or user group. The LDAP server profile instructs the firewall how to connect and authenticate to the server and how to search the directory for user and group information. You must also configure User-ID to Map Users to Groups. Then you can select users or groups when defining policy rules.
  1. Add an LDAP server profile.
    1. Select
      Server Profiles
      and click
    2. Enter a
      Profile Name
      to identify the server profile.
    3. For a firewall with more than one virtual system (vsys), select the
      (vsys or
      ) where the profile is available.
    4. For each LDAP server (up to four), click
      and enter a
      (to identify the server), server IP address (
      LDAP Server
      field), and server
      (default 389).
    5. Select the server
      from the drop-down:
      , or
    6. If you want the firewall or Panorama to use SSL or TLS for a more secure connection with the directory server, select the
      Require SSL/TLS secured connection
      check box (it is selected by default). The protocol that the firewall or Panorama uses depends on the server
      • 389 (default)—TLS (Specifically, the firewall or Panorama uses the Start TLS operation, which upgrades the initial plaintext connection to TLS.)
      • 636—SSL
      • Any other port—The firewall or Panorama first tries to use TLS. If the directory server doesn’t support TLS, the firewall or Panorama falls back to SSL.
    7. To improve security, you can select the
      Verify Server Certificate for SSL sessions
      check box (it is cleared by default) so that the firewall or Panorama verifies the certificate that the directory server presents for SSL/TLS connections. If the verification fails, the connection fails. To enable verification, you must also select the
      Require SSL/TLS secured connection
      check box. The firewall or Panorama verifies the certificate in two respects:
      • The certificate is trusted and valid. For the firewall or Panorama to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under
        Certificate Management
        Device Certificates
        . Import the certificate if necessary: see Import a Certificate and Private Key.
      • The certificate name must match the host
        of the LDAP server. The firewall or Panorama first checks the certificate attribute Subject AltName for matching, then tries the attribute Subject DN. If the certificate uses the FQDN of the directory server, you must enter that FQDN in the
        LDAP Server
        field for the name matching to succeed.
    8. Click
  2. Implement the LDAP server profile.
    1. Assign the LDAP server profile to an authentication profile or sequence.
    2. Test an LDAP Authentication Profile to verify that the firewall or Panorama can connect to the LDAP server.
    3. Commit
      your changes.

Recommended For You