Palo Alto Networks Knowledgebase: Using More than Four LDAP Servers in a Palo Alto Networks Configuration

Using More than Four LDAP Servers in a Palo Alto Networks Configuration

Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM


There is a limited number of LDAP servers that can be configured on one LDAP Profile on Palo Alto Networks assets. Four LDAP servers are supported in an LDAP Profile.



Usually four LDAP servers are more than enough to authenticate all the users in the domain, and to provide redundancy in case a LDAP server goes down. Sometimes, larger companies have more than four LDAP servers with distributed environments in which users connect to dedicated LDAP servers. Users may contact LDAP servers that are not one of the four servers, and will try to authenticate to them.


If adding four LDAP servers in the LDAP Profile (under Device > Server Profiles > LDAP) the "plus" button will be greyed out, and it will not be possible to add more servers in the profile.

Screen Shot 2014-08-18 at 4.43.49 PM.png


This limitation for authentication with only four LDAP servers can be overcome with the use of another LDAP Profile, which includes the rest of the LDAP servers. For example:
Screen Shot 2014-08-18 at 4.46.12 PM.png


Screen Shot 2014-08-18 at 4.46.20 PM.png


Create authentication profiles for both of the LDAP Profiles, Under Device > Authentication Profile.

Screen Shot 2014-08-18 at 4.48.10 PM.png


Authentication profiles can be combined in an authentication sequence. If a user is not found on one of the LDAP servers in the first authentication profile it will attempt the next one, which should result in a successful authentication attempt as a whole on the firewall. This is configured under Device > Authentication Sequence:

Screen Shot 2014-08-18 at 4.48.40 PM.png


This sequence can now be used for any purpose, such as GlobalProtect authentication:

Screen Shot 2014-08-18 at 8.09.12 PM.png


owner: ialeksov

  • Print
  • Copy Link

Choose Language