Why do we need step 3 mentioned in the KB below for the WB UI authentication with LDAP?:
Why do we need to create a local user? Won't Palo be an LDAP proxy (grabbing username/password and verifying it against LDAP server database)?
Palo Alto uses a more secure mentality for the Admin users on the firewalls. Calling out the users specificly is a lot more secure they refrenceing an AD group. Anyone with the right AD privlages could modify the AD group and give themselves superuser access to the firewalls.
Palo Alto only has this requirment for LDAP Authentication only when managing the device. You can use a RADIUS server with RADIUS authentication profile to allow management by AD group, and that works fine, so if you have Microsoft IAS, or other RADIUS server, that will work for allowing a group to authenticate to the firewall and/or panorama.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!