This article lists the ports used for communication between the Palo Alto Networks firewall, the User-ID Agent (and agentless User-ID), and Active Directory domain controllers, grouped by the protocol that uses them.
Protocols
1. LDAP (for authentication and group mapping)
• TCP 389, and TCP 636 for LDAPS (LDAP over SSL/TLS)
• TCP 3268 for the Global Catalog, which is available by default on that port, and TCP 3269 for the Global Catalog over SSL/TLS

2. RADIUS: UDP port 1812 is used for RADIUS authentication. Some RADIUS servers and network access servers still use the legacy port UDP 1645 for authentication messages, so the port in the firewall's RADIUS server profile must match the port the server actually listens on.
3. Kerberos: uses port 88, UDP by default (TCP 88 is also used, for example when a reply is too large for a UDP datagram).
User-ID Agent (ports used by the firewall to talk to the Windows User-ID Agent)
• TCP 5007 (the default Windows User-ID Agent service port; it is configurable in the agent setup, and the port entered in the firewall's User-ID agent configuration must match it)
Ports Used for Active Directory Protocols and User-ID Communications to Firewall

Agentless
• Agentless User-ID reads the domain controllers' security logs over WMI. WMI runs over DCOM/RPC: the firewall first connects to the RPC endpoint mapper on TCP 135 and is then redirected to a dynamically assigned RPC port (49152-65535 on Windows Server 2008 and later) for the actual data. Allow TCP 135 plus that dynamic range from the firewall's management (or service-route) interface to every monitored domain controller; because the data port is negotiated per session, a filter that cannot follow the RPC negotiation has to permit the whole range, which is why "allow all ports" is commonly recommended. Agentless User-ID also uses the LDAP ports listed above for group mapping.
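As an added example (not code from the Palo Alto Networks article), the following Python script encodes the port list above as data and probes a domain controller or a User-ID Agent host for the TCP ports from wherever it is run, typically a host on the same segment as the firewall's management interface. The host name dc1.example.local is a placeholder. UDP ports (Kerberos 88, RADIUS 1812/1645) cannot be verified with a plain connect and are reported as not probed; for agentless User-ID only the TCP 135 endpoint mapper is probed, since the dynamic RPC port is negotiated per session.

```python
# Added example, not Palo Alto Networks code: the port requirements above as
# data, plus a TCP connect probe for the ports that can be checked that way.
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class PortRequirement:
    proto: str        # "tcp" or "udp"
    port: int
    purpose: str
    probeable: bool   # True when a plain TCP connect proves the path is open


def domain_controller_ports(agentless: bool = False,
                            legacy_radius: bool = False) -> List[PortRequirement]:
    """Ports needed towards a domain controller / authentication server."""
    reqs = [
        PortRequirement("tcp", 389, "LDAP: authentication and group mapping", True),
        PortRequirement("tcp", 636, "LDAPS", True),
        PortRequirement("tcp", 3268, "Global Catalog", True),
        PortRequirement("tcp", 3269, "Global Catalog over SSL/TLS", True),
        PortRequirement("udp", 88, "Kerberos", False),
        PortRequirement("udp", 1645 if legacy_radius else 1812, "RADIUS authentication", False),
    ]
    if agentless:
        # WMI is DCOM/RPC: endpoint mapper first, then a negotiated dynamic port
        # (49152-65535 on Windows Server 2008 and later) that cannot be pre-probed.
        reqs.append(PortRequirement("tcp", 135, "RPC endpoint mapper for WMI security-log pull", True))
    return reqs


def user_id_agent_ports(agent_port: int = 5007) -> List[PortRequirement]:
    """Port the firewall uses to reach the Windows User-ID Agent (default 5007, configurable)."""
    return [PortRequirement("tcp", agent_port, "Firewall to User-ID Agent", True)]


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name resolution failed
        return False


Probe = Callable[[str, int, float], bool]


def check_host(host: str, requirements: List[PortRequirement],
               timeout: float = 2.0, probe: Probe = tcp_open) -> Dict[str, Optional[bool]]:
    """Map "proto/port" -> True/False for probeable ports, None for the rest."""
    results: Dict[str, Optional[bool]] = {}
    for r in requirements:
        key = f"{r.proto}/{r.port}"
        results[key] = probe(host, r.port, timeout) if r.probeable else None
    return results


def report(host: str, results: Dict[str, Optional[bool]],
           requirements: List[PortRequirement]) -> List[str]:
    """One human-readable line per requirement, in the order given."""
    lines = []
    for r in requirements:
        state = results[f"{r.proto}/{r.port}"]
        status = "OPEN" if state else ("BLOCKED" if state is False else "not probed (UDP)")
        lines.append(f"{host} {r.proto}/{r.port:<5} {status:<17} {r.purpose}")
    return lines


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.local"  # placeholder DC name
    reqs = domain_controller_ports(agentless=True)
    print("\n".join(report(dc, check_host(dc, reqs), reqs)))
```

A successful probe of TCP 135 only shows that the endpoint mapper is reachable; if the dynamic RPC range is filtered, the WMI session still fails after that first connection, so an agentless deployment must also be verified end to end (the firewall's User-ID log or a WMI query from a host in the same path).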
See Also
User-ID Best Practices - PAN-OS 5.0, 6.0