Palo Alto Networks Knowledgebase: User-ID Agent as LDAP Proxy for Group Mapping and Authentication

User-ID Agent as LDAP Proxy for Group Mapping and Authentication

Created On 09/25/18 17:46 PM - Last Updated 02/07/19 23:56 PM



The Palo Alto Networks LDAP Proxy feature sources LDAP traffic destined for the firewall's configured LDAP server addresses (Windows Active Directory, eDirectory, LDAP) from a User-ID agent installed on a Windows server. Without LDAP proxy, this traffic is sourced directly from the management interface or configured service route.


When LDAP proxy is enabled, the firewall communicates with the User-ID agent via the standard SSL connection between the User-ID agent and the Palo Alto Networks firewall. The agent then performs the LDAP queries requested by the firewall and sends the replies back to the firewall.


With PAN-OS 4.1 and later, all the configuration for this feature is on the firewall, if connecting to a Windows domain controller.  Configure both an LDAP server profile and group mapping profile just as if the firewall will be sourcing the LDAP traffic. After creating those profiles, check Use as LDAP Proxy and commit.




After a commit, all LDAP traffic normally sourced from the firewall will be sourced from the configured User-ID agent.


owner: dbraswell

  • Print
  • Copy Link

Choose Language