Enter a name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select
(all virtual systems). In any other context, you can’t select the
; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can’t change its
Administrator Use Only
Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the
For each LDAP server, click
and enter the host
Name, IP address or FQDN (
LDAP Server), and
(default is 389).
Choose the server type from the drop-down.
Specify the root context in the directory server to narrow the search for user or group information.
Specify the login name (Distinguished Name) for the directory server.
Specify the bind account password. The agent saves the encrypted password in the configuration file.
Specify the time limit imposed when connecting to the directory server (1-30 seconds; default 30 seconds).
Specify the time limit imposed when performing directory searches (1-30 seconds; default 30 seconds).
Specify the interval in seconds after which the system will try to connect to the LDAP server after a previous failed attempt (range is 1–3,600; default is 60).
Require SSL/TLS secured connection
Select this option if you want the firewall to use SSL or
TLS for communications with the directory server. The protocol depends on the server port:
389 (default)—TLS (Specifically, the firewall uses the Start TLS operation, which upgrades the initial plaintext connection to TLS.)
Any other port—The firewall first attempts to use TLS. If the directory server doesn’t support TLS, the firewall falls back to SSL.
This option is selected by default.
Verify Server Certificate for SSL sessions
Select this option (it is cleared by default) if you want the firewall to verify the certificate that the directory server presents for SSL/TLS connections. The firewall verifies the certificate in two respects:
The certificate is trusted and valid. For the firewall to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under
Device > Certificate Management > Certificates > Device Certificates.
The certificate name must match the host
of the LDAP server. The firewall first checks the certificate attribute Subject AltName for matching, then tries the attribute Subject DN. If the certificate uses the FQDN of the directory server, you must use the FQDN in the
field for the name matching to succeed.
If the verification fails, the connection fails. To enable this verification, you must also select
Require SSL/TLS secured connection.
Enable Two-Factor Authentication Using Certificate and Auth...
Enable Two-Factor Authentication Using Certificate and Authentication Profiles The following workflow describes how to configure GlobalProtect client authentication requiring the user to authenticate both to ...
Enable Group Mapping
Enable Group Mapping Because the agent or app running on your end-user systems requires the user to successfully authenticate before being granted access to GlobalProtect, ...
Configure an LDAP Server Profile
Configure an LDAP Server Profile An LDAP server profile enables you to: Authenticate administrators and end users of Palo Alto Networks firewalls and Panorama. Define ...
Set Up External Authentication
Set Up External Authentication The following workflow describes how to set up the GlobalProtect portal and gateways to use an external authentication service. The supported ...
Basic LSVPN Configuration with Static Routing
Basic LSVPN Configuration with Static Routing This quick config shows the fastest way to get up and running with LSVPN. In this example, a single ...
Configure the Portal to Authenticate Satellites
Configure the Portal to Authenticate Satellites In order to register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing ...
Device > Certificate Management > SSL/TLS Service Profile
Device > Certificate Management > SSL/TLS Service Profile Device > Certificate Management > SSL/TLS Service Profile Panorama > Certificate Management > SSL/TLS Service Profile SSL/TLS ...
Map IP Addresses to Usernames Using Captive Portal
Map IP Addresses to Usernames Using Captive Portal If the firewall receives a request from a security zone that has User-ID enabled and the source ...
Enable SSL Between GlobalProtect LSVPN Components
Enable SSL Between GlobalProtect LSVPN Components All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required ...
Configure an SSL/TLS Service Profile
Configure an SSL/TLS Service Profile Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for ...