Configure LDAP Authentication for a WildFire Cluster
Configure LDAP authentication for all WildFire appliances in a WildFire cluster.
- Add an LDAP server profile.The profile defines how a WildFire appliance connects to the LDAP server.Administrator accounts configured for LDAP authentication are required to have Superuser admin role privileges to successfully configure authentication for WildFire appliances in the WildFire cluster.
- SelectandPanoramaServer ProfilesLDAPAdda server profile.
- Enter aProfile Nameto identify the server profile.
- Addthe LDAP servers (up to four). For each server, enter aName(to identify the server),LDAP ServerIP address or FQDN, and serverPort(default 389).If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
- Select the serverType.
- Select theBase DN.To identify the Base DN of your directory, open theActive Directory Domains and TrustsMicrosoft Management Console snap-in and use the name of the top-level domain.
- Enter theBind DNandPasswordto enable the authentication service to authenticate the firewall.The Bind DN account must have permission to read the LDAP directory.
- Enter theBind TimeoutandSearch Timeoutin seconds (default is 30 for both).
- Enter theRetry Intervalin seconds (default is 60).
- (Optional) If you want the endpoint to use SSL or TLS for a more secure connection with the directory server, enable the option toRequire SSL/TLS secured connection(enabled by default). The protocol that the endpoint uses depends on the server port:
- Any other port—The WildFire appliance first attempts to use TLS. If the directory server doesn’t support TLS, the WildFire appliance falls back to SSL.
- (Optional) For additional security, enable to the option toVerify Server Certificate for SSL sessionsso that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option toRequire SSL/TLS secured connection. For verification to succeed, the certificate must meet one of the following conditions:
- It is in the list of Panorama certificates:If necessary, import the certificate into Panorama.PanoramaCertificate ManagementCertificatesDevice Certificates.
- The certificate signer is in the list of trusted certificate authorities:.PanoramaCertificate ManagementCertificates
- ClickOKto save the server profile.
- Configure the authentication for the WildFire cluster.
- Selectand select the WildFire cluster you previously added.PanoramaManaged WildFire Clusters
- Configure the authenticationTimeout Configurationfor a WildFire appliance.
- Enter the number ofFailed Attempts before a user is locked out of a WildFire appliance CLI.
- Enter theLockout Time, in minutes, for which a WildFire appliance locks out a user account after that user reaches the configured number ofFailed Attempts.
- Enter theIdle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
- Enter theMax Session Countto set how many user accounts can simultaneously access a WildFire appliance.
- Enter theMax Session Timethe administrator can be logged in before being automatically logged out.
- Add the WildFire appliance administrators.Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you addadmin1as both a local and Panorama administrator.
- Configure the local administrators.Configure new administrators unique to the WildFire appliances in the WildFire cluster. These administrators are specific to the WildFire appliances in the WildFire cluster for which they are created and you manage these administrators from this table.
- Addone or more new local administrator.
- Enter aNamefor the local administrator.
- Assign anAuthentication Profileyou previously created.LDAP authentication profiles are supported only for individual local administrators.
- Enable (check)Use Public Key Authentication (SSH)to import a public key file for authentication.
- Select aPassword Profileto set the expiration parameters.
- Import existing Panorama administratorsImport existing administrators configured on Panorama. These administrators are configured and managed on Panorama and imported to all WildFire appliances in the WildFire cluster.
- Addan existing Panorama administrator
- ClickOKto save the WildFire cluster authentication configuration.
- Commitand thenCommit and Pushyour configuration changes.
- Access the WildFire appliance CLI to verify you can successfully access the WildFire appliance using the local admin user.
Recommended For You
Recommended videos not found.