Why Firewall is not detecting Active Directory?


L2 Linker

Hello,

I have configured User-ID to authenticate GlobalProtect's users and for User Mapping.

But the Firewall shows the LDAP as "host unreachable".

I don't have an MGT IP address, but I have changed the LDAP's service route to look for LDAP requests on the internal interface. Also, I have checked the User and Password in the Server Profile and everything is ok.

Is there a step that I am missing, or is it something related to the MGT interface?

Regards,


L4 Transporter

Hi

1. Do a packet capture (under Monitor), add all 4 stages, filter by the LDAP server's IP as destination and add it also in a second filter stage as source (for returning traffic from the LDAP server).

2. Once the filter & pcap are active, try to simulate LDAP authentication.

3. If you see a drop-stage pcap file, see if it contains LDAP/389/636 traffic.

4. If not, you can open the transmit pcap and check the Palo Alto MAC address against 'show interface hardware' in SSH to match the MAC address against the physical interface - this will verify packets are egressing as per your service route configuration.

5. Also, just validate you are not NAT'ing this traffic by mistake.

6. Lastly, check the security policy for a rule to match this traffic. Override the 'intrazone-default' & 'interzone-default' rules to add 'log at session end' so you'll see EVERYTHING (the default for these two is no log at all, so you will not see monitor logs for hits on these 2 rules).

Hope this helps,

Shai
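Step 4 above compares the source MAC of frames in the transmit-stage capture with the dataplane interface MACs that 'show interface hardware' reports. As an added example (not code from the thread or from Palo Alto Networks), this Python script does that comparison offline against a constructed libpcap file; it assumes the exported capture is a standard libpcap file, and the interface names, MACs and IP addresses are placeholders.

```python
import socket
import struct
# Constructed placeholders, not a real capture: dataplane interface MACs as
# 'show interface hardware' would list them, plus the LDAP server address.
LDAP_SERVER = "10.10.20.5"
INTERFACE_MACS = {"ethernet1/1": "00:1b:17:00:01:10", "ethernet1/2": "00:1b:17:00:01:11"}

def build_frame(src_mac, src_ip, dst_ip):
    """Ethernet header + minimal IPv4 header (proto TCP); enough for the checks below."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip

def build_pcap(frames):
    """Little-endian libpcap file: global header (v2.4, link type 1 = Ethernet) + records."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def iter_frames(pcap):
    """Yield raw frames from a libpcap file, honouring the byte order its magic declares."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", pcap[:4])[0]]
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])[2]
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len

def egress_macs(pcap, dst_ip):
    """Source MACs of IPv4 frames (EtherType 0x0800) whose IP destination is dst_ip."""
    target, macs = socket.inet_aton(dst_ip), set()
    for frame in iter_frames(pcap):
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[30:34] == target:
            macs.add(":".join(f"{b:02x}" for b in frame[6:12]))
    return macs

def verify_egress(pcap, dst_ip, interface_macs):
    """Map captured source MACs to interface names (step 4); an unmatched MAC means the
    traffic left through something other than the interface the service route names."""
    by_mac = {mac.lower(): name for name, mac in interface_macs.items()}
    seen = egress_macs(pcap, dst_ip)
    matched = sorted({by_mac[m] for m in seen if m in by_mac})
    unknown = sorted(m for m in seen if m not in by_mac)
    return matched, unknown

SAMPLE_PCAP = build_pcap([
    build_frame(INTERFACE_MACS["ethernet1/2"], "10.10.1.1", LDAP_SERVER),    # expected path
    build_frame("00:00:5e:00:53:01", "192.0.2.1", LDAP_SERVER),              # unexpected source
    build_frame(INTERFACE_MACS["ethernet1/1"], "10.10.1.1", "203.0.113.9"),  # unrelated flow
])
```

Run `verify_egress(open("transmit.pcap", "rb").read(), "<ldap ip>", {...})` on a real export: the matched list should contain only the interface your service route points at, and the unknown list should be empty.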

Hello,

My guess is that the User-ID agent cannot talk to Active Directory for some reason. Perhaps the service account you are using does not have the proper permissions, or it's a routing issue. Here are a few links that may help out.

Configuring and troubleshooting:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC

Best Practices for securing User-ID:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0

Hope that helps.
