Hey Konrad, For this one, you'll want to go to your Windows Servers, go to Start > type Event Viewer, and find the Event ID 2886 + 2889 events. To see the 2889 events, you'll need to turn on a certain logging level for Event ID 2889, and then find the Event ID 2889 events in Event Viewer. Any Event ID 2889 events in Event Viewer on Windows Server you see indicate that some device in your organization/network is performing LDAP bindings to the LDAP Server via a SASL bind without requesting signing or is performing simple binding over clear text. Here's how to turn on logging for and find the 2889 events: https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs Example of that Event ID 2889 at 2:40 in below video: https://www.youtube.com/watch?v=rijhmYIzwwg So, if you see a 2889 Event ID which shows your Firewall is trying to connect to the Windows Server using an unsigned/simple bind, then you will want to implement LDAPS on your Firewall and Windows Server: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFVCA0 Event ID 2886 will also help you identify how many things total in your environment are binding to your LDAP using unsecured/simple/unsigned bindings. In case you need them for further investigation/guidance, here is the general info put out by Microsoft for the upcoming March 2020 change from LDAP to LDAPS or secure LDAP: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
... View more
