The Palo Alto Networks LDAP Proxy feature sources LDAP traffic destined for the firewall's configured LDAP server addresses (Windows Active Directory, eDirectory, LDAP) from a User-ID agent installed on a Windows server. Without LDAP proxy, this traffic is sourced directly from the management interface or configured service route.
When LDAP proxy is enabled, the firewall communicates with the User-ID agent via the standard SSL connection between the User-ID agent and the Palo Alto Networks firewall. The agent then performs the LDAP queries requested by the firewall and sends the replies back to the firewall.
All the configuration for this feature is done on the firewall when connecting to a Windows domain controller. Configure both an LDAP server profile and a group mapping profile just as if the firewall itself were sourcing the LDAP traffic. After creating those profiles, select the Use as LDAP Proxy check box in the User-ID agent configuration and commit.
GUI: Device > User Identification > User-ID Agents
After a commit, all LDAP traffic normally sourced from the firewall will be sourced from the configured User-ID agent.
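As an added verification example (not part of this article and not Palo Alto Networks' code): after the commit, confirm on the domain controller side that LDAP connections to the configured LDAP servers now arrive from the User-ID agent host and no longer from the firewall's management or service-route address. The script runs that check over a constructed flow list; the addresses and the simple "src dst dport" record format are assumptions.

```python
"""Check which hosts are sourcing LDAP queries to the configured LDAP servers."""
from collections import Counter
from dataclasses import dataclass

LDAP_PORTS = {389, 636, 3268, 3269}  # LDAP, LDAPS, Global Catalog, GC over SSL


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Parse 'src dst dport' records (an assumed format, not a PAN-OS log format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def ldap_sources(flows, ldap_servers):
    """Count LDAP flows to the configured LDAP servers, keyed by source address."""
    return Counter(f.src for f in flows if f.dst in ldap_servers and f.dport in LDAP_PORTS)


def check_ldap_proxy(flows, ldap_servers, agent_ip, firewall_ips):
    """Return (ok, findings): ok only when every LDAP flow came from the User-ID agent."""
    counts = ldap_sources(flows, ldap_servers)
    findings = []
    for src, n in sorted(counts.items()):
        if src == agent_ip:
            continue
        if src in firewall_ips:
            findings.append(f"{n} LDAP flow(s) still sourced from firewall {src}: proxy not in effect")
        else:
            findings.append(f"{n} LDAP flow(s) from unexpected source {src}")
    if agent_ip not in counts:
        findings.append(f"no LDAP flows seen from User-ID agent {agent_ip}")
    return (not findings, findings)


# Constructed sample: agent 10.0.0.50, firewall mgmt 10.0.0.1, DCs 10.0.0.10/.11
SAMPLE_FLOWS = """
10.0.0.50 10.0.0.10 389
10.0.0.50 10.0.0.10 3268
10.0.0.50 10.0.0.11 636
10.0.0.1  10.0.0.10 389
10.0.0.77 10.0.0.10 389
10.0.0.50 10.0.0.10 445
"""

if __name__ == "__main__":
    ok, findings = check_ldap_proxy(parse_flows(SAMPLE_FLOWS.splitlines()),
                                    {"10.0.0.10", "10.0.0.11"}, "10.0.0.50", {"10.0.0.1"})
    print("OK" if ok else "\n".join(findings))
```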