A quick run through my configuration:
I am using LDAPS; in Device -> Server Profiles -> LDAP and Device -> User Identification -> Server I am using DNS A records instead of IPs for my Active Directory servers; this is to ensure the domains can be validated by my 3rd party SSL cert. Also, in the GP gateway config (Network -> GlobalProtect -> Gateways -> myprofile -> Client Configuration -> Network Services), I have configured my local DNS servers.
I have configured the DNS servers in Device -> Setup -> Services to point to my local DNS servers. Everything works: captive portal, agentless User-ID, etc. However, I have been trying to set up GP but have been having issues with authentication. A quick check of authd.log shows:
debug: pan_auth_service_start_auth(pan_auth_service_handle.c:671): can not send request to remote server win-dc1.site.org of server profile "win-ad-server-list" since it is down or in retry-interval
The server is not down and is working as expected. When I create a new LDAP:389 profile and use IPs instead of domain names, then the authentication works as expected. It looks like GP is not querying the local DNS servers for some reason and therefore cannot resolve the DNS records.