06-07-2020 08:51 PM
I have configured User-ID to authenticate GlobalProtect users and for User Mapping.
But the firewall shows the LDAP server as "host unreachable".
I don't have an MGT IP address, but I have changed the LDAP service route to send LDAP requests from the internal interface. Also, I have checked the username and password in the Server Profile and everything is OK.
Is there a step that I am missing, or is it something related to the MGT interface?
06-08-2020 06:56 AM
1. Do a packet capture (under Monitor), add all 4 stages, filter by the LDAP server's IP as destination and add it also in a second filter stage as source (for returning traffic from the LDAP server).
2. Once the filter and pcap are active, try to simulate LDAP authentication.
3. If you see a drop-stage pcap file, see if it contains LDAP/389/636 traffic.
4. If not, you can open the transmit pcap and check the Palo Alto MAC address against 'show interfaces hardware' in SSH to match the MAC address against the physical interface. This will verify packets are egressing as per your service route configuration.
5. Also, just validate you are not NAT'ing this traffic by mistake.
6. Lastly, check the security policy for a rule that matches this traffic. Override the 'intrazone-default' and 'interzone-default' rules to add 'log at session end' so you'll see EVERYTHING (the default for these two is no logging at all, so you will not see monitor logs for hits on these 2 rules).
Hope this helps,
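The same six steps as PAN-OS CLI commands, added here as an example and not part of the original reply. The addresses (10.10.10.1 for the firewall's internal interface, 10.10.20.5 for the LDAP server), the zone name `inside`, the interface `ethernet1/2` and the profile name `GP-LDAP-Auth` are placeholders to replace with your own.

```console
# Step 1: capture all four stages, filtered on the LDAP server in both directions
> debug dataplane packet-diag clear all
> debug dataplane packet-diag set filter match source 10.10.10.1 destination 10.10.20.5 destination-port 389
> debug dataplane packet-diag set filter match source 10.10.20.5 destination 10.10.10.1 source-port 389
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag set capture stage receive file ldap-rx
> debug dataplane packet-diag set capture stage transmit file ldap-tx
> debug dataplane packet-diag set capture stage firewall file ldap-fw
> debug dataplane packet-diag set capture stage drop file ldap-drop
> debug dataplane packet-diag set capture on

# Step 2: trigger an LDAP bind through the authentication profile (prompts for the password)
> test authentication authentication-profile GP-LDAP-Auth username testuser password

# Step 3: stop the capture; a populated drop file or an empty transmit file is the clue
> debug dataplane packet-diag set capture off
> view-pcap filter-pcap ldap-drop
> show counter global filter packet-filter yes delta yes

# Step 4: confirm the egress interface/MAC matches the LDAP service route, not MGT
> test routing fib-lookup virtual-router default ip 10.10.20.5
> show interface ethernet1/2
> configure
# show deviceconfig system route service ldap
# exit

# Step 5: make sure no NAT rule catches the firewall-sourced LDAP traffic
> test nat-policy-match from inside to inside source 10.10.10.1 destination 10.10.20.5 destination-port 389 protocol 6

# Step 6: find the security rule that matches, then log the default rules so hits become visible
> test security-policy-match from inside to inside source 10.10.10.1 destination 10.10.20.5 destination-port 389 protocol 6
> configure
# set rulebase default-security-rules rules intrazone-default log-end yes
# set rulebase default-security-rules rules interzone-default log-end yes
# commit
```

Repeat steps 1 to 3 with port 636 if the Server Profile uses LDAPS.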
06-08-2020 02:59 PM
My guess is that the User-ID agent cannot talk to Active Directory for some reason. Perhaps the service account you are using does not have the proper permissions, or it's a routing issue. Here are a few links that may help out.
Configuring and troubleshooting
Best Practices for securing user-id:
Hope that helps.