05-22-2025 03:07 AM - edited 05-22-2025 03:10 AM
Dear all,
We need to replace our old LDAP server config with a new LDAP server on the PA firewall and Panorama. I want to know, if I add a new LDAP server config on the PA firewall and Panorama, how can I test the health of the new LDAP server? I tried to use the telnet command to connect to the new LDAP server's port 636 or 389, but I found there is no telnet command on the PA firewall and Panorama...
On the PA firewall maybe I can use the "group include list" function in "user identification", but it doesn't work on Panorama. I need you to do me a favor~
Best wishes,
Cat
05-22-2025 08:52 AM
Hi @459768405 ,
Not only can you test the initial LDAP connection as described by @Raido_Rattameister above, but you can create a new authentication profile for the new LDAP server and test authentication to it via the CLI. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/use-the-cli/test-the-configurat...
Thanks,
Tom
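As an added illustration of the CLI check Tom links to (not part of the thread, and not Palo Alto's documentation): the PAN-OS commands below exercise a new authentication profile and then look for LDAP errors in the logs. The profile name and test account in angle brackets are placeholders you replace with your own.

```text
# Added example, not from the thread. Placeholders in <angle brackets> are assumptions.
# Run on the firewall for its profiles, or on Panorama itself for the profile that
# Panorama's own administrators log in with.

# 1. Bind and authenticate a test account through the new authentication profile.
#    The CLI prompts for the password; the result names the server that answered,
#    so you can confirm the new server (not the old one) was reached.
test authentication authentication-profile <new-ldap-auth-profile> username <test-user> password

# 2. Check recent system log entries for LDAP connectivity errors, newest first.
show log system direction equal backward

# 3. Follow the authentication daemon log while repeating step 1.
tail follow yes mp-log authd.log
```

Prefer a dedicated, least-privilege test account over an administrator's credentials for step 1, and remove it once the cut-over is confirmed.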
05-22-2025 06:44 AM
I don't have access to the PAN or FW UI right now, but is there a "test connection" button in the GUI? I don't know of an easy way to test, but in the system logs the firewall's ability to connect to/contact an LDAP server shows up. So if a server goes offline there will be a log for that. Also I don't believe Panorama will "connect" to the servers in your LDAP profile; that only happens from the firewalls themselves. So if you've already executed the group include list command from the FW and it's working, that should be enough to tell you it is. Especially if you're not seeing any system log error messages.
05-22-2025 07:46 AM
In the firewall add a new LDAP profile.
Enter the server into "Server List".
Add the Bind DN and password.
If the "Base DN" dropdown populates, then the connection to the LDAP server is successful.
05-22-2025 06:54 PM
Thank you for your help. I tried it on the firewall; it worked. But in Panorama, there is no dropdown populated in Base DN, it's strange.
05-23-2025 06:13 AM - edited 05-23-2025 06:14 AM
Yes, only the firewall has the dropdown. Panorama doesn't have it.
You can just click the "Clone" button on the LDAP profile pushed from Panorama and test the dropdown. After the test, just delete the cloned profile from the firewall and adjust the profile in Panorama as needed.
05-25-2025 06:48 PM
Thank you! But I mean the LDAP on Panorama is used by Panorama itself; it will be used by the authentication manager to log in to the web UI or CLI of Panorama. But that's OK, I have tried the method that TomYoung said, and it worked.