10-14-2012 08:44 PM
I am trying to get my PA to talk to an LDAP server. I set up the LDAP server as described in the documentation (User Identification Tech Note - PANOS 4.1.pdf) but it never is able to connect. I get this error:
ldap cfg mydomain failed to connect to server (10.10.10.10:389), source 10.10.252.4.
Now 10.10.252.4 is configured as my Management interface which is not connected. It should be using another interface (eth2). When I ssh to it and run this command:
me@PA-500> netstat route yes
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
127.1.1.0       *               255.255.255.0   U         0 0          0 eth2
10.10.252.0     *               255.255.255.0   U         0 0          0 eth0
127.3.0.0       *               255.255.0.0     U         0 0          0 eth3.251
127.2.0.0       *               255.255.0.0     U         0 0          0 eth3.1
169.254.0.0     *               255.255.0.0     U         0 0          0 eth0
default         *               0.0.0.0         U         0 0          0 eth0
me@PA-500>
I have the virtual router set correctly but none of the static routes show up here. Policies go from one interface to another interface. Do I need a policy to go from inside the firewall to an interface?
Should I set the management interface with the same IP as one of the ethernet interfaces? How do I set the management interface to one of the ethernet interfaces? It seems to have chosen one for itself.
Or how do I set the real routes?
10-14-2012 09:08 PM
Found it: Device -> Services -> Service Route Configuration. It doesn't have a service line for LDAP but it has one for radius and user ID.
I'd still like to know if I should set my management interface to the same IP as one of my other interfaces.
10-15-2012 07:56 PM
Could you paste your interface configuration (preferably from the running-config.xml)? Don't forget to obscure any sensitive IP addresses (if any).
Currently PA supports the following service route configurations:
route |
{
    destination <value> source-address <value> |
    service
    {
        crl-status source-address <value> |
        dns source-address <value> |
        email source-address <value> |
        netflow source-address <value> |
        ntp source-address <value> |
        paloalto-updates source-address <value> |
        panorama source-address <value> |
        proxy source-address <value> |
        radius source-address <value> |
        snmp source-address <value> |
        syslog source-address <value> |
        uid-agent source-address <value> |
        url-updates source-address <value> |
        wildfire source-address <value>
    }
}
My best guess is that LDAP is included within the uid-agent setting. So if you change uid-agent to use the interface you want, it should work.
10-17-2012 07:36 PM
I don't know if uid-agent is the same as LDAP. It seems to me on reading the documentation that the UID agent is an agent on port 3127 or something like it, and that is running a Palo Alto supplied program. The documentation says to use it if LDAP doesn't work. Here is my service route fragment with IPs changed to protect the innocent. I added the address of the LDAP server on the other side of the dialog and it now appears to work.
route {
    service {
        paloalto-updates {
            source-address 172.17.123.2/29;
        }
        ntp {
            source-address 172.17.123.2/29;
        }
        panorama {
            source-address 172.17.123.2/29;
        }
        url-updates {
            source-address 172.17.123.2/29;
        }
        wildfire {
            source-address 172.17.123.2/29;
        }
        uid-agent {
            source-address 10.123.2.1/24;
        }
        dns {
            source-address 10.123.2.1/24;
        }
        radius {
            source-address 10.123.2.1/24;
        }
    }
    destination {
        10.123.2.10 {
            source-address 10.123.2.1/24;
        }
    }
}
10-18-2012 05:47 AM
As you have already discovered, LDAP is not selectable as a Service Route.
The only solution for this is to put the LDAP server IP under Destination Service Route (right tab) and source all requests for this IP on the selected L3 interface.
Maybe you would like to place a Feature Request with your SE.
Regards
Marco
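To check what the two answers above amount to in practice (uid-agent does not cover LDAP, so only a destination service route can move it off the management interface), here is an added Python script that is not from the thread or from Palo Alto Networks. It parses a service-route fragment in the shape posted above and reports which source address the firewall would pick for a given destination and service. The sample config reuses the thread's obscured addresses, the management address 10.10.252.4 comes from the original error message, and the precedence (destination route, then per-service route, then management) is my assumption drawn from the thread; all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the shape of the fragment posted in this thread
# (addresses are the thread's already-obscured values, not real ones).
SAMPLE_CONFIG = """
route {
  service {
    paloalto-updates { source-address 172.17.123.2/29; }
    ntp { source-address 172.17.123.2/29; }
    uid-agent { source-address 10.123.2.1/24; }
    dns { source-address 10.123.2.1/24; }
    radius { source-address 10.123.2.1/24; }
  }
  destination {
    10.123.2.10 { source-address 10.123.2.1/24; }
  }
}
"""

# Management interface address from the original error message; it is what the
# firewall falls back to when no service route matches (assumed behaviour).
MGMT_SOURCE = "10.10.252.4"


def _block(text, name):
    """Return the body of the first 'name { ... }' block, honouring nested braces."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for pos in range(start, len(text)):
        if text[pos] == "{":
            depth += 1
        elif text[pos] == "}":
            depth -= 1
            if depth == 0:
                return text[start:pos]
    raise ValueError("unbalanced braces in %r block" % name)


# One entry looks like:  name { source-address 10.0.0.1/24; }
ENTRY = re.compile(r"(\S+)\s*\{\s*source-address\s+(\S+?)\s*;\s*\}")


def parse_service_routes(text):
    """Split a 'route { service {...} destination {...} }' block into two dicts:
    service name -> source address, and destination IP/subnet -> source address.
    Works on the one-line form pasted in the thread as well as the indented one."""
    route = _block(text, "route")
    services = dict(ENTRY.findall(_block(route, "service")))
    destinations = dict(ENTRY.findall(_block(route, "destination")))
    return services, destinations


def resolve_source(dest_ip, service, services, destinations, mgmt=MGMT_SOURCE):
    """Return (source_ip, reason) for a connection to dest_ip made on behalf of
    `service`. Precedence assumed here, as the thread implies: a matching
    destination service route wins (longest prefix), then the per-service
    route, then the management interface."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for net_str, src in destinations.items():
        net = ipaddress.ip_network(net_str, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, src)
    if best is not None:
        return best[1].split("/")[0], "destination route %s" % best[0]
    if service in services:
        return services[service].split("/")[0], "service route %s" % service
    return mgmt, "management (no service route)"


if __name__ == "__main__":
    svc, dst = parse_service_routes(SAMPLE_CONFIG)
    # "ldap" has no selectable service route, so only the destination entry moves it.
    for dest, name in [("10.123.2.10", "ldap"), ("10.123.2.11", "ldap"),
                       ("10.123.2.11", "radius")]:
        print("%-12s %-7s -> %s" % (dest, name, resolve_source(dest, name, svc, dst)))
```

Running it shows the situation from the first post: an LDAP server that has no destination entry is reached from the management address, while the one listed under destination is sourced from the L3 interface, and RADIUS keeps working either way because it has its own service route.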