Configure LDAP Authentication for a WildFire Cluster

Configure LDAP authentication for all WildFire appliances in a WildFire cluster.
You can use LDAP to authenticate end users to access the CLI of the WildFire appliances in a WildFire cluster.
  1. Add an LDAP server profile.
    The profile defines how a WildFire appliance connects to the LDAP server.
    Administrator accounts configured for LDAP authentication are required to have Superuser admin role privileges to successfully configure authentication for WildFire appliances in the WildFire cluster.
    1. Select
      Server Profiles
      a server profile.
    2. Enter a
      Profile Name
      to identify the server profile.
    3. Add
      the LDAP servers (up to four). For each server, enter a
      (to identify the server),
      LDAP Server
      IP address or FQDN, and server
      (default 389).
      If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
    4. Select the server
    5. Select the
      Base DN
      To identify the Base DN of your directory, open the
      Active Directory Domains and Trusts
      Microsoft Management Console snap-in and use the name of the top-level domain.
    6. Enter the
      Bind DN
      to enable the authentication service to authenticate the firewall.
      The Bind DN account must have permission to read the LDAP directory.
    7. Enter the
      Bind Timeout
      Search Timeout
      in seconds (default is 30 for both).
    8. Enter the
      Retry Interval
      in seconds (default is 60).
    9. (
      ) If you want the endpoint to use SSL or TLS for a more secure connection with the directory server, enable the option to
      Require SSL/TLS secured connection
      (enabled by default). The protocol that the endpoint uses depends on the server port:
      • 389 (default)—TLS (Specifically, the WildFire appliance uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
      • 636—SSL
      • Any other port—The WildFire appliance first attempts to use TLS. If the directory server doesn’t support TLS, the WildFire appliance falls back to SSL.
    10. (
      ) For additional security, enable to the option to
      Verify Server Certificate for SSL sessions
      so that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option to
      Require SSL/TLS secured connection
      . For verification to succeed, the certificate must meet one of the following conditions:
      • It is in the list of Panorama certificates:
        Certificate Management
        Device Certificates.
        If necessary, import the certificate into Panorama.
      • The certificate signer is in the list of trusted certificate authorities:
        Certificate Management
    11. Click
      to save the server profile.
  2. Configure the authentication for the WildFire cluster.
    1. Select
      Managed WildFire Clusters
      and select the WildFire cluster you previously added.
    2. Configure the authentication
      Timeout Configuration
      for a WildFire appliance.
      1. Enter the number of
        Failed Attempt
        s before a user is locked out of a WildFire appliance CLI.
      2. Enter the
        Lockout Time
        , in minutes, for which a WildFire appliance locks out a user account after that user reaches the configured number of
        Failed Attempts
      3. Enter the
        Idle Timeout
        , in minutes, before the user account is automatically logged out due to inactivity.
      4. Enter the
        Max Session Count
        to set how many user accounts can simultaneously access a WildFire appliance.
      5. Enter the
        Max Session Time
        the administrator can be logged in before being automatically logged out.
    3. Add the WildFire appliance administrators.
      Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add
      as both a local and Panorama administrator.
      • Configure the local administrators.
        Configure new administrators unique to the WildFire appliances in the WildFire cluster. These administrators are specific to the WildFire appliances in the WildFire cluster for which they are created and you manage these administrators from this table.
        1. Add
          one or more new local administrator.
        2. Enter a
          for the local administrator.
        3. Assign an
          Authentication Profile
          you previously created.
          LDAP authentication profiles are supported only for individual local administrators.
        4. Enable (check)
          Use Public Key Authentication (SSH)
          to import a public key file for authentication.
        5. Select a
          Password Profile
          to set the expiration parameters.
      • Import existing Panorama administrators
        Import existing administrators configured on Panorama. These administrators are configured and managed on Panorama and imported to all WildFire appliances in the WildFire cluster.
      1. Add
        an existing Panorama administrator
    4. Click
      to save the WildFire cluster authentication configuration.
  3. Commit
    and then
    Commit and Push
    your configuration changes.
  4. Access the WildFire appliance CLI to verify you can successfully access the WildFire appliance using the local admin user.

Recommended For You