Active directory 2012 R2 integration with PAN os 5.0.9

cancel
Showing results for 
Search instead for 
Did you mean: 

Active directory 2012 R2 integration with PAN os 5.0.9

L3 Networker

Hi All,

I've Palo Alto 5050 Active/Active Vwire deployment. the deployment was integrated with Active directory 2008 R2, but now I installed Active directory 2012 R2.

but Palo Alto can't see the users in Acitve Directory 2012 R2.

Any help about that please..

Regards,

1 ACCEPTED SOLUTION

Accepted Solutions

There is no update documentation for server 2012.  And as you note, the global catalog really has not changed so there should be no difference for you.

this is the most recently updated User-id Best practices from March of 2014.  And you GC configuration does seem to match the example.

User-ID Best Practices - PAN-OS 5.0, 6.0

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post

11 REPLIES 11

L7 Applicator

Which user-id method are you using to get the associations?

Are there any logs or messages in the server event log if you have the local agent, or on the firewall system logs?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hello Steven,

I'm using the PA Local agent

and the configuration is below

when I was using AD 2008 R2 all was working perfectly, but when I migrated to AD 2012 R2 nothing is working, even the Active directory administrators Login.

Regards,

Maher

If even the AD login does not work, I'm thinking this is on the Server side.

On a local install, was the installer run as administrator and the agent have administrator rights?

If queried from a remote computer to the AD, has the Windows Server built in firewall been configured to permit the connection?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

for the first point, actually that isn't server side issue. as the server supports the connection to all other Network and security appliances in our organization.

for the agent, I'm using the Local PA agent which resides on the appliance, and communicates with Active directory using admin account. and no firewall is enabled on the active directory.

Regards,

Try the IP of your AD as network Address instead of FQDN cealad02.centamin.local

maybe your Firewall cannot resolve the FQDN.

Although reenter your WMI Admin Credentials.

(not in LDAP Server Profile but in local User Agent)

If this does not help, open a Support Case.

Regards

Marco

Not applicable

did you try to enable SSL?

I also noticed that you use global catolog ports, is that intended? the LDAP ports are 389 and 636 (SSL)

Hello Marco,

I already tried to set the AD config using the IP address, and it didn't work too, although I tried to check reachability using the FQDN using ping and it works properly.

and for the Admin credentials, it's configured in both the LDAP profile and the Local Agent.

Regards,

Hi Alexa,

no I'm not using SSL on the servers, so I didn't configure the connection to use ssl. also I use the Global catalog ports because the LDAP server is GC.

Regards,

Maher

Dears,

I would like to know if OS 5.0.9 support integration with LDAP 2012 R2.

can any one provide any article?

Regards,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!