We would like to use multiple URL's to access our Palo with Multiple LDAP authentication.
We could also do like
Can anybody guide me to a solution so far support has not been super helpfull.
Another is portal.company
with authentication sequence but that requires more work for the users.
I am a little new to Palo could use help .
I'm looking to do something similar. I have 2 Palo's both with a GP gateways setup and I'm thinking of using DNS roundrobin to hit either one of them using a single Portal URL company.domain.
Not sure if this is the best way to do it or not. But basically i want clients to only have to configure 1 Portal URL on the client and then hit either one of my palo's.
Yes since I have 2 egress points in my network, each one with a Palo. In case of fail over or an outage at one location, i want my users to hit the other Palo and still have access to the network. I was hoping to achieve this by using a DNS entry with 2 ips pointing to each one of my Gateways. which would have the same name of course.
It's mainly going to be used during maintenance windows/outages really. Either Palo can handle all my VPN connections individually but i'm trying to give the highest VPN availability i can.
could you explain why you need seperate ldap auths for each company.
could you not just set an authentication order for all your ldap profiles and the user will auth to the correct one.
this will work as a good RR solution but load balancing will not be guaranteed, do you not have a "Gateway" license.
sorry i meant auth sequence.
so just add a new portal for each company, this will require an IP address for each one though.
then add LDAP profile to each portal. each portal will then have its own gateway on same ip address.
you can still use auth sequence on a single portal as it will try every ldap server until succesful.
also... ldap failed auth will not loch an account. you do not need to add domain info for this.
Actually he (@ChrisGapske) need to have users typing domain along their username.
As you pointed out Authentication Sequence will try to authenticate a user from top to bottom. This could be a problem if you have exact same usernames in multiple domains.
Starting from 8.1 (or even 8.0 not sure exactly) authentication sequence have option to use the typed domain to determine which profile to use from the list and jump straight to it, instead of going top to bottom.
Use domain to determine authentication profile Select this option (selected by default) if you want the firewall to match the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile associated with the sequence and then use that profile to authenticate the user. The user input that the firewall uses for matching can be the text preceding the username (with a backslash separator) or the text following the username (with a @ separator). If the firewall does not find a match, it tries the authentication profiles in the sequence in top-to-bottom order.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!