How to Pull Group Using an LDAP Proxy - Knowledge Base - Palo Alto Networks

How to Pull Group Using an LDAP Proxy

31268

Created On 09/25/18 17:46 PM - Last Modified 01/31/25 20:32 PM

User-ID

Next-Generation Firewall

Procedure

Overview

When implementing User-ID with agent or agentless mode the group mapping settings are generally pulled by the Palo Alto Networks firewall through the details provided by the LDAP Profile configured under the Server Profile tab. However, bypassing this additional function can be done by implementing LDAP Proxy in the User-ID agent.

Details

Shown below are the working scenarios.

Without Using LDAP Proxy:

Here the Group Mapping information will be directly probed by the firewall to the Active Directory(AD) and only the User IP mapping information will happen through the agent.
Configure an LDAP Server profile and a group mapping profile.

Using LDAP Proxy:

Here both the group mapping information and the user IP mapping information will happen through the agent by enabling LDAP proxy.
An LDAP Server profile and a group mapping profile must also be configured.

Implementation

This can be implemented using the LDAP Proxy. Shown below are the steps in which it can be configured:

Go to the Device > Data Redistribution > Agents
Click on Add to create an Agent Configuration and enable the feature "Use As LDAP proxy":

Now the Group Mapping information will be pulled by the firewall through the agent rather than probing the AD directly, thus ensuring that all the communications from the firewall and the AD to happen through the agent.

owner: sbabu

Other users also viewed:

How to download GlobalProtect from the Customer Support Portal

Download and Install the GlobalProtect App for Windows

Resource List: GlobalProtect Configuring and Troubleshooting

PAN-OS Software Updates

Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)