Why Firewall is not detecting Active Directory?

L2 Linker

Hello,

I have configured the User-ID to authenticate Global Protect's users and for User Mapping.

But, the Firewall shows the LDAP as "host unreachable".

I don't have an MGT IP address, but I have changed the LDAP's service route to look for LDAP's request in the internal interface. Also, I have checked the User and Password in the Server Profile and everything is ok.

Is there a step that I am missing or is it something related to the MGT interface?

Regards,

L3 Networker

Hi,

1. Do a packet capture (under Monitor), add all 4 stages, filter by LDAP server destination IP and add it also in a second filter stage as source (for returning traffic from LDAP server).

2. Once filter & pcap are active, try to simulate LDAP authentication.

3. If you see a drop stage pcap file, see if it contains LDAP/389/636 traffic.

4. If not, you can open the transmit pcap and check the Palo Alto MAC address against 'show interfaces hardware' in SSH to match the MAC address against the physical interface - this will verify packets are egressing as per your service route configuration.

5. Also just validate you are not NAT'ing this traffic by mistake.

6. Lastly, check security policy for a rule to match this traffic. Override the 'intrazone-default' & 'interzone-default' to add 'log at session end' so you'll see EVERYTHING (the default for these two is no log at all, so you will not see monitor logs for hits on these 2 rules).

Hope this helps,

Shai
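A way to script steps 3 and 4 of the procedure above, added here as an example (it is not Shai's code and not a Palo Alto tool): it reads a classic pcap such as the transmit-stage file the firewall exports, counts packets to the LDAP server on 389/636, and flags any that left with a source MAC other than the one 'show interfaces hardware' reports for the expected interface. The LDAP server address, the interface MAC and the sample capture are constructed values, not taken from the thread.

```python
import struct

LDAP_PORTS = {389, 636}

def parse_pcap(data):
    """Yield (src_mac, dst_ip, dst_port) for every IPv4/TCP frame in a classic pcap file."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # pcap records use the file's byte order
    offset = 24                                    # skip the global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                               # not IPv4, skip
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 4:
            continue                               # not TCP (or truncated)
        dst_port, = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])
        yield frame[6:12].hex(":"), ".".join(str(b) for b in frame[30:34]), dst_port

def check_transmit_pcap(data, ldap_server_ip, expected_mac):
    """Step 3: count LDAP packets to the server. Step 4: flag ones with the wrong source MAC."""
    ldap = [p for p in parse_pcap(data) if p[1] == ldap_server_ip and p[2] in LDAP_PORTS]
    wrong = [p for p in ldap if p[0] != expected_mac.lower()]
    return {"ldap_packets": len(ldap), "wrong_interface": len(wrong)}

# --- constructed sample data below; checksums are zero, which parse_pcap does not check ---
def build_frame(src_mac, dst_ip, dst_port):
    eth = bytes.fromhex("001122334455") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes(int(x) for x in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 49152, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

LDAP_SERVER = "10.0.0.20"          # constructed address of the LDAP server
ETH1_2_MAC = "00:1b:17:aa:bb:cc"   # hypothetical MAC 'show interfaces hardware' gives for ethernet1/2
SAMPLE_PCAP = build_pcap([
    build_frame(ETH1_2_MAC, LDAP_SERVER, 389),           # egressed the expected interface
    build_frame("00:1b:17:00:00:01", LDAP_SERVER, 636),  # egressed some other interface
    build_frame(ETH1_2_MAC, LDAP_SERVER, 443),           # not LDAP, ignored
])

if __name__ == "__main__":
    print(check_transmit_pcap(SAMPLE_PCAP, LDAP_SERVER, ETH1_2_MAC))  # {'ldap_packets': 2, 'wrong_interface': 1}
```

A result of zero LDAP packets in the transmit stage points back to service route or routing; a non-zero wrong_interface count means the packets left via an interface other than the one the service route names.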

Cyber Elite

Hello,

My guess is that the user-id agent cannot talk to Active Directory for some reason. Perhaps the service account you are using does not have the proper permissions or it's a routing issue. Here are a few links that may help out.

Configuring and troubleshooting:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC

Best Practices for securing user-id:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0

Hope that helps.
