topic Re: Is there a way to allow LDAP StartTLS While blocking normal unencrypted LDAP? in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/is-there-a-way-to-allow-ldap-starttls-while-blocking-normal/m-p/566027#M2116 <P>You could create a custom app for it. I've never done a capture to see what it looks like but you can use wireshark on an endpoint or use the native capture tools to inspect the traffic and create an app.</P> Thu, 16 Nov 2023 17:15:30 GMT rmfalconer 2023-11-16T17:15:30Z Is there a way to allow LDAP StartTLS While blocking normal unencrypted LDAP? https://live.paloaltonetworks.com/t5/next-generation-firewall/is-there-a-way-to-allow-ldap-starttls-while-blocking-normal/m-p/565824#M2097 <P>Is there a way to allow LDAP StartTLS While&nbsp;blocking normal unencrypted LDAP?</P> Wed, 15 Nov 2023 13:12:43 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/is-there-a-way-to-allow-ldap-starttls-while-blocking-normal/m-p/565824#M2097 Ankit1Singh 2023-11-15T13:12:43Z Re: Is there a way to allow LDAP StartTLS While blocking normal unencrypted LDAP? https://live.paloaltonetworks.com/t5/next-generation-firewall/is-there-a-way-to-allow-ldap-starttls-while-blocking-normal/m-p/565909#M2111 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/290696">@Ankit1Singh</a></P> <P>&nbsp;</P> <P>LDAPS is using by default port TCP 636 while LDAP is using TCP 389. You could allow in policy only ports TCP 636 / 3269 used by LDAPS to filter out unsecured LDAP.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Thu, 16 Nov 2023 02:51:11 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/is-there-a-way-to-allow-ldap-starttls-while-blocking-normal/m-p/565909#M2111 PavelK 2023-11-16T02:51:11Z Re: Is there a way to allow LDAP StartTLS While blocking normal unencrypted LDAP? https://live.paloaltonetworks.com/t5/next-generation-firewall/is-there-a-way-to-allow-ldap-starttls-while-blocking-normal/m-p/566027#M2116 <P>You could create a custom app for it. I've never done a capture to see what it looks like but you can use wireshark on an endpoint or use the native capture tools to inspect the traffic and create an app.</P> Thu, 16 Nov 2023 17:15:30 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/is-there-a-way-to-allow-ldap-starttls-while-blocking-normal/m-p/566027#M2116 rmfalconer 2023-11-16T17:15:30Z