Device > Server Profiles > LDAP
Use this page to configure settings for the Lightweight Directory Access Protocol (LDAP) servers that authentication profiles reference (see Device > Authentication Profile). You can use LDAP to authenticate end users who access your network resources (through GlobalProtect or Captive Portal) and administrators defined locally on the firewall or Panorama.
LDAP Server Settings
Profile Name
Enter a name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location
Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can’t change its Location.
Administrator Use Only
Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared.
Server List
For each LDAP server, click Add and enter the host Name, the IP address or FQDN (LDAP Server), and the Port (default is 389). Configure at least two LDAP servers to provide redundancy.
Type
Choose the server type from the drop-down.
Base DN
Specify the root context in the directory server to narrow the search for user or group information.
Bind DN
Specify the login name (Distinguished Name) of the account the firewall uses to bind to the directory server. Use a dedicated service account with read-only directory access; the firewall only needs to search the directory and bind with this account.
Password / Confirm Password
Specify the bind account password. The firewall saves the password in encrypted form in the configuration file.
Bind Timeout
Specify the time limit (in seconds) imposed when connecting to the directory server (range is 1 to 30; default is 30).
Search Timeout
Specify the time limit (in seconds) imposed when performing directory searches (range is 1 to 30; default is 30).
Retry Interval
Specify the interval (in seconds) that the firewall waits before it tries to connect to an LDAP server again after a failed attempt (range is 1 to 3,600; default is 60).
Require SSL/TLS secured connection
Select this option if you want the firewall to use SSL or TLS for communications with the directory server. The protocol depends on the server port.
Leave this option selected: it is a best practice because it increases security, and it is selected by default. Without it, the bind password (and, for simple binds, each user password the firewall checks) crosses the network in cleartext.
Verify Server Certificate for SSL sessions
Select this option (cleared by default) if you want the firewall to verify the certificate that the directory server presents for SSL/TLS connections. The firewall verifies the certificate in two respects.
If the verification fails, the connection fails. To enable this verification, you must also select Require SSL/TLS secured connection.
Enable the firewall to verify the server certificate for SSL sessions to increase security. Without verification, TLS still encrypts the session but does not prove which server is on the other end: an attacker who can intercept the connection can present any certificate and receive the bind credentials.
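The following script is an added example, not code from the PAN-OS documentation or from Palo Alto Networks. It shows what the two options above amount to on the wire and lets you check a directory server before pointing a profile at it: it opens the connection the way a verifying client must, upgrades with StartTLS when the port is 389 or speaks LDAPS when the port is 636, and then requires a certificate that chains to a trusted CA and whose name matches the host you connected to. Those two checks are what a standard TLS client means by certificate verification; the page does not list them, so they are stated here from general TLS behaviour, not from PAN-OS internals. The port conventions (389 upgraded by the StartTLS extended operation, OID 1.3.6.1.4.1.1466.20037, and 636 for LDAPS) are the standard LDAP ones and are assumptions about the page's "depends on the server port"; what PAN-OS does on any other port is not stated on the page, so the script refuses to guess and makes you choose. The function names, the `cafile` parameter and the command-line handling are this example's own.

```python
"""Stand-alone pre-deployment check for an LDAP server profile (added example,
not PAN-OS code). Assumptions: port 389 = plaintext upgraded with StartTLS,
port 636 = LDAPS; both are the standard LDAP conventions."""
import socket
import ssl
from typing import Optional, Tuple

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation


def ber_len(n: int) -> bytes:
    """Encode a BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    req_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext = b"\x77" + ber_len(len(req_name)) + req_name
    mid = b"\x02" + ber_len(1) + bytes([message_id])
    body = mid + ext
    return b"\x30" + ber_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, value_start, value_end) for the TLV that starts at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, start, start + length


def extended_result_code(msg: bytes) -> int:
    """Pull resultCode out of an ExtendedResponse [APPLICATION 24]; 0 means success."""
    tag, start, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, mid_end = _read_tlv(msg, start)          # skip messageID
    tag, ext_start, _ = _read_tlv(msg, mid_end)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, rc_start, rc_end = _read_tlv(msg, ext_start)
    if tag != 0x0A:
        raise ValueError("resultCode missing")
    return int.from_bytes(msg[rc_start:rc_end], "big")


def tls_mode_for_port(port: int) -> str:
    """Standard conventions only; any other port is a deliberate choice, not a guess."""
    if port == 389:
        return "starttls"
    if port == 636:
        return "ldaps"
    raise ValueError(f"port {port} is not a standard LDAP port; choose the TLS mode explicitly")


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client-side equivalent of 'Verify Server Certificate': a certificate is
    required, it must chain to a trusted CA (cafile or the system store), and its
    SAN must match the name passed as server_hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_and_verify(host: str, port: int, cafile: Optional[str] = None,
                       timeout: float = 30.0) -> dict:
    """Connect like the profile would and return the verified peer certificate.
    ssl.SSLCertVerificationError is raised when the chain or name check fails."""
    mode = tls_mode_for_port(port)
    ctx = verifying_context(cafile)
    raw = socket.create_connection((host, port), timeout=timeout)  # cf. Bind Timeout
    if mode == "starttls":
        raw.sendall(starttls_request(1))
        reply = raw.recv(4096)                      # one small PDU is enough here
        rc = extended_result_code(reply)
        if rc != 0:
            raw.close()
            raise RuntimeError(f"server refused StartTLS (resultCode {rc}); "
                               "never fall back to plaintext")
    tls = ctx.wrap_socket(raw, server_hostname=host)  # hostname match happens here
    try:
        return tls.getpeercert()
    finally:
        tls.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    cert = connect_and_verify(host, port, cafile)
    print("verified:", cert.get("subject"), "SAN:", cert.get("subjectAltName"))
```

Run it as `python ldap_tls_check.py dc1.example.com 636 corp-ca.pem` (hostname and CA file are placeholders). Two practical consequences follow from the hostname check: the LDAP Server field of the profile should hold the FQDN that appears in the server certificate's subjectAltName rather than a bare IP address, and when verification fails against a server you trust, fix the certificate or the CA trust rather than clearing Verify Server Certificate.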