Palo Alto - Active Directory Integration (v9) Part 1
Configuration Challenges
Integrating the Palo Alto firewall with Active Directory can be challenging. Successfully configuring the firewall to connect to the Windows Server 2016 domain controller, and getting the service account's credentials and permissions right on the server, can be troublesome. I hope this record of the configuration makes it easier.
Palo Alto Management access
Device > Services > Service Route Configuration
Customize the service routes for LDAP and UID Agent so that the firewall's LDAP queries and User-ID server monitoring reach the domain controller through the management interface (the default) or another interface that has a route to the server. If the service route is wrong, the LDAP profile and the server monitor below fail to connect even when the credentials are correct.
Active Directory access account
On the Windows Server 2016 domain controller, create a dedicated service account for the Palo Alto firewall. The firewall uses this account to bind to LDAP and to read from the server over WMI, so it should be an ordinary domain user holding only the rights granted below, not a domain administrator.

Update permissions using wmimgmt.msc
On the Windows Server 2016 server, use the search function to find wmimgmt.msc and open it.
Right-click WMI Control (Local) and select Properties.
Security tab > [+] Root > CIMV2 > Security button

Select [ panalto ] (the access account) > Allow: Enable Account and Remote Enable
These two rights are what the firewall needs to query the domain controller over WMI. Grant only these two; the account does not need Full Control on the namespace.
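The two server-side steps above (creating the service account and granting it Enable Account and Remote Enable on ROOT\CIMV2) as a PowerShell script. This is an added example, not configuration from the original post. The account name panalto is taken from the post; the domain name, OU and domain controller name are assumptions. It also adds the account to the Event Log Readers and Distributed COM Users groups, which Palo Alto's documentation lists for the PAN-OS integrated User-ID agent, and ends with a remote WMI query you can run from another domain-joined host to prove the rights took effect.

```powershell
# Added example, not from the original post. Creates the User-ID service account and grants it
# the same two WMI rights set by hand in wmimgmt.msc (Enable Account + Remote Enable on ROOT\CIMV2).
# Windows PowerShell 5.1 on the Windows Server 2016 domain controller, run as a domain administrator.
# Invoke-WmiMethod and the [wmiclass] accelerator are not available in PowerShell 7.
Import-Module ActiveDirectory

$Domain      = 'CORP'                                    # assumed NetBIOS domain name
$AccountName = 'panalto'                                 # account name used in the post
$OuPath      = 'OU=Service Accounts,DC=corp,DC=example'  # assumed OU for service accounts

# 1. Dedicated, unprivileged account. Never hand the firewall a domain admin credential.
$password = Read-Host -AsSecureString -Prompt "Password for $Domain\$AccountName"
New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $OuPath `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -CannotChangePassword $true -Description 'Palo Alto LDAP bind / User-ID account'

# Group memberships Palo Alto documents for the PAN-OS integrated User-ID agent:
# Event Log Readers (read the Security log), Distributed COM Users (remote WMI/DCOM access).
Add-ADGroupMember -Identity 'Event Log Readers'     -Members $AccountName
Add-ADGroupMember -Identity 'Distributed COM Users' -Members $AccountName

# 2. WMI namespace security: one Allow ACE for the account carrying exactly the two rights needed.
$WBEM_ENABLE        = 0x1    # "Enable Account" in wmimgmt.msc
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable" in wmimgmt.msc

function Grant-WmiNamespaceAccess {
    param(
        [Parameter(Mandatory)][string]$Account,          # DOMAIN\user
        [string]$Namespace = 'root/cimv2',
        [int]$AccessMask = ($WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS)
    )
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])

    $get = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($get.ReturnValue)" }
    $sd = $get.Descriptor

    # Idempotent: return $false if existing Allow ACEs for this SID already cover the requested rights.
    $allowed = 0
    foreach ($existing in $sd.DACL) {
        if ($existing.AceType -eq 0 -and $existing.Trustee.SidString -eq $sid.Value) {
            $allowed = $allowed -bor $existing.AccessMask
        }
    }
    if (($allowed -band $AccessMask) -eq $AccessMask) { return $false }

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid.Value
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceType    = 0x0      # ACCESS_ALLOWED_ACE_TYPE
    $ace.AceFlags   = 0x0      # this namespace only, matching the CIMV2-only grant in the post
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.psobject.immediateBaseObject

    $set = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' `
        -Name SetSecurityDescriptor -ArgumentList $sd.psobject.immediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }
    return $true
}

# 3. Verify from another domain-joined host: a remote WMI query as the service account is the same
#    kind of call the firewall's server monitor makes. "Access denied" here means Remote Enable
#    (or the Distributed COM Users membership) is missing; an RPC timeout points at the DC's
#    Windows Firewall (the "Windows Management Instrumentation (WMI-In)" rule), not at permissions.
function Test-WmiRemoteAccess {
    param([Parameter(Mandatory)][string]$DomainController,
          [Parameter(Mandatory)][pscredential]$Credential)
    $os = Get-WmiObject -ComputerName $DomainController -Credential $Credential `
        -Namespace 'root/cimv2' -Class Win32_OperatingSystem -ErrorAction Stop
    return ($null -ne $os.CSName)
}

Grant-WmiNamespaceAccess -Account "$Domain\$AccountName"
# From a second host, assumed DC name:
# Test-WmiRemoteAccess -DomainController 'dc01.corp.example' -Credential (Get-Credential "$Domain\$AccountName")
```

The GetSecurityDescriptor/SetSecurityDescriptor calls on the `__SystemSecurity` singleton are the programmatic equivalent of the Security button in wmimgmt.msc; the function only appends an ACE when the account does not already hold both rights, so it is safe to re-run after the "recreate everything" cycles described later in the post.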

LDAP Server Profile
Device > Server Profiles > LDAP > [ AD-Profile-winsrv ]
Set the type to active-directory, add the domain controller, and enter the Base DN together with the Bind DN and password of the service account created above. Use LDAPS (port 636 with the SSL/TLS option enabled): a simple bind over plain LDAP on port 389 sends the service account password across the network in clear text.

Authentication Profile
Device > Authentication Profile > Type LDAP > Server Profile [ AD-Profile-winsrv ] > Login Attribute [ sAMAccountName ]
The login attribute is the AD attribute the firewall matches the submitted username against. sAMAccountName is the pre-Windows 2000 logon name, so users authenticate with the short name (jdoe) rather than the UPN (jdoe@corp.example).

Group Mapping
Device > User Identification > Group Mapping Settings > [ winserver ] > Group Mapping > Server Profile | Group Include List
Point the group mapping at the same LDAP server profile, then add only the groups you will actually reference in policy to the Group Include List. The firewall reads the member attribute of each included group to build its user-to-group map, so a group that is not in the list cannot be used in a security rule.
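Before committing the three LDAP-related profiles above, it is worth checking the bind DN, password, base DN, login attribute and one group from the include list with a script that performs the same LDAP operations the firewall will: a simple bind over LDAPS, a subtree search on sAMAccountName, and a read of the group's member attribute. This is an added example, not part of the original post; the server name, DNs, user and group names are assumptions. It runs in Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example, not from the original post. Reproduces what the firewall does with the LDAP Server
# Profile (bind), the Authentication Profile (login attribute sAMAccountName) and Group Mapping
# (member attribute of an included group), so the credentials can be proven before the commit.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# RFC 4515 escaping: a login name containing ( ) * \ or NUL must not be able to rewrite the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Test-PanLdapProfile {
    param(
        [Parameter(Mandatory)][string]$Server,        # LDAP server entered in the profile, e.g. dc01.corp.example
        [int]$Port = 636,                             # 636 = LDAPS, which the profile should be using
        [Parameter(Mandatory)][string]$BindDn,        # Bind DN of the service account
        [Parameter(Mandatory)][securestring]$BindPassword,
        [Parameter(Mandatory)][string]$BaseDn,        # Base DN of the profile
        [Parameter(Mandatory)][string]$LoginName,     # value the Authentication Profile matches on sAMAccountName
        [Parameter(Mandatory)][string]$GroupDn        # one DN from the Group Include List
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $cred = [System.Net.NetworkCredential]::new($BindDn, $BindPassword)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
                $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    try {
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)   # plain LDAP sends the bind password in clear text
        $conn.Bind()   # LdapException: result 49 = wrong Bind DN or password; an untrusted DC certificate also fails here

        # Authentication Profile: the same lookup the firewall does with Login Attribute = sAMAccountName.
        $filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $LoginName)))"
        $req  = [System.DirectoryServices.Protocols.SearchRequest]::new(
                    $BaseDn, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree,
                    [string[]]@('distinguishedName'))
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
        if ($resp.Entries.Count -ne 1) {
            throw "sAMAccountName=$LoginName matched $($resp.Entries.Count) objects under $BaseDn (expected exactly 1)"
        }
        $userDn = $resp.Entries[0].DistinguishedName

        # Group Mapping: read the member attribute of the included group, as the firewall does.
        # A nonexistent GroupDn throws DirectoryOperationException (NoSuchObject) from SendRequest.
        $greq  = [System.DirectoryServices.Protocols.SearchRequest]::new(
                    $GroupDn, '(objectClass=group)', [System.DirectoryServices.Protocols.SearchScope]::Base,
                    [string[]]@('member'))
        $gresp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($greq)
        if ($gresp.Entries.Count -ne 1) { throw "$GroupDn exists but is not a group object" }
        $members    = @()
        $memberAttr = $gresp.Entries[0].Attributes['member']
        if ($memberAttr) { $members = @($memberAttr.GetValues([string])) }

        return [pscustomobject]@{
            BoundAs     = $BindDn
            UserDn      = $userDn
            GroupDn     = $GroupDn
            IsMember    = ($members -contains $userDn)   # direct membership only; nested groups need a recursive walk
            MemberCount = $members.Count
        }
    }
    finally { $conn.Dispose() }
}

# Usage with assumed values:
# Test-PanLdapProfile -Server 'dc01.corp.example' -BindDn 'CN=panalto,OU=Service Accounts,DC=corp,DC=example' `
#     -BindPassword (Read-Host -AsSecureString 'Bind password') -BaseDn 'DC=corp,DC=example' `
#     -LoginName 'jdoe' -GroupDn 'CN=VPN-Users,OU=Groups,DC=corp,DC=example'
```

Two caveats the output makes visible: a user's primary group (normally Domain Users) is not listed in any group's member attribute, and for groups with more than 1500 members the domain controller returns the attribute in ranged form (member;range=0-1499), so MemberCount comes back as 0 here until the ranged values are fetched. If the bind fails only when SecureSocketLayer is on, the DC's certificate is not trusted by the client; the firewall will need the issuing CA certificate for its own certificate verification in the same way.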


User-ID Agent Setup
Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup (click the edit gear icon) and enter the service account as domain\username with its password on the WMI Authentication tab. This is the credential the firewall uses for the server monitoring below, so it must be the account given the WMI rights above.

LDAP Server Monitor
Device > User Identification > Server Monitoring > [ Add ]
Add the domain controller with type Microsoft Active Directory and transport WMI (the protocol the account was granted rights for above). After the commit, the Status column for the server should read Connected; anything else means the credentials, the WMI rights or the service route need another look.


If you make any changes, it may be necessary to recreate this server monitoring configuration. I have found that it pulls its data from various sources, and changing anything can create a misconfigured monitor. Also, commit before re-creating the monitor, then commit again.

I hope this has been of some help. Thanks for looking.