Panorama Administrator's Guide
    : Configure LDAP Authentication for a Dedicated Log Collector
    Focus
    Download PDF
    Focus
    1. Home
    2. Panorama
    3. Panorama Administrator's Guide
    4. Manage Log Collection
    5. Configure Authentication for a Dedicated Log Collector
    6. Configure LDAP Authentication for a Dedicated Log Collector
    Download PDF

    Panorama Administrator's Guide

    Configure LDAP Authentication for a Dedicated Log Collector

    Table of Contents
    End-of-Life (EoL)

    Configure LDAP Authentication for a Dedicated Log Collector

    Configure LDAP authentication for a Dedicated Log Collector.
    You can use LDAP to authenticate end users who access Dedicated Log Collector web interface.
    1. Log in to the Panorama Web Interface.
    2. Configure a Managed Collector.
    3. Add an LDAP server profile.
      The profile defines how the Dedicated Log Collector connects to the LDAP server.
      Administrator accounts configured for LDAP authentication are required to have Superuser admin role privileges to successfully configure authentication for the Dedicated Log Collector.
      1. Select PanoramaServer ProfilesLDAP and Add a server profile.
      2. Enter a Profile Name to identify the server profile.
      3. Add the LDAP servers (up to four). For each server, enter a Name (to identify the server), LDAP Server IP address or FQDN, and server Port (default 389).
        If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
      4. Select the server Type.
      5. Select the Base DN.
        To identify the Base DN of your directory, open the Active Directory Domains and Trusts Microsoft Management Console snap-in and use the name of the top-level domain.
      6. Enter the Bind DN and Password to enable the authentication service to authenticate the firewall.
        The Bind DN account must have permission to read the LDAP directory.
      7. Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
      8. Enter the Retry Interval in seconds (default is 60).
      9. (Optional) If you want the endpoint to use SSL or TLS for a more secure connection with the directory server, enable the option to Require SSL/TLS secured connection (enabled by default). The protocol that the endpoint uses depends on the server port:
        • 389 (default)—TLS (Specifically, the Dedicated Log Collector uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
        • 636—SSL
        • Any other port—The Dedicated Log Collector first attempts to use TLS. If the directory server doesn’t support TLS, the Dedicated Log Collector falls back to SSL.
      10. (Optional) For additional security, enable to the option to Verify Server Certificate for SSL sessions so that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option to Require SSL/TLS secured connection. For verification to succeed, the certificate must meet one of the following conditions:
        • It is in the list of Panorama certificates: PanoramaCertificate ManagementCertificatesDevice Certificates. If necessary, import the certificate into Panorama.
        • The certificate signer is in the list of trusted certificate authorities: PanoramaCertificate ManagementCertificates.
      11. Click OK to save the server profile.
    4. Configure the authentication for the Dedicated Log Collector.
      1. Select PanoramaManaged Collectors and select the Dedicated Log Collector you previously added.
      2. Configure the authentication Timeout Configuration for the Dedicated Log Collector.
        1. Enter the number of Failed Attempts before a user is locked out of the Dedicated Log Collector CLI.
        2. Enter the Lockout Time, in minutes, for which the Dedicated Log Collector locks out a user account after that user reaches the configured number of Failed Attempts.
        3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
        4. Enter the Max Session Count to set how many user accounts can simultaneously access the Dedicated Log Collector.
        5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
      3. Add the Dedicated Log Collector administrators.
        Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add admin1 as both a local and Panorama administrator.
        • Configure the local administrators.
          Configure new administrators unique to the Dedicated Log Collector. These administrators are specific to the Dedicated Log Collector for which they are created and you manage these administrators from this table.
          1. Add one or more new local administrator.
          2. Enter a Name for the local administrator.
          3. Assign an Authentication Profile you previously created.
            LDAP authentication profiles are supported only for individual local administrators.
          4. Enable (check) Use Public Key Authentication (SSH) to import a public key file for authentication.
          5. Select a Password Profile to set the expiration parameters.
        • Import existing Panorama administrators
          Import existing administrators configured on Panorama. These administrators are configured and managed on Panorama and imported to Dedicated Log Collector.
        1. Add an existing Panorama administrator
      4. Click OK to save the Dedicated Log Collector authentication configuration.
    5. Configure the authentication for the Dedicated Log Collector.
      1. Select PanoramaManaged Collectors and select the Dedicated Log Collector you previously added.
      2. Select the Authentication Profile you configured in the previous step.
      3. Configure the authentication Timeout Configuration for the Dedicated Log Collector.
        1. Enter the number of Failed Attempts before a user is locked out of the Dedicated Log Collector CLI.
        2. Enter the Lockout Time, in minutes, for which the Dedicated Log Collector locks out a user account after that user reaches the configured number of Failed Attempts.
        3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
        4. Enter the Max Session Count to set how many user accounts can simultaneously access the Dedicated Log Collector.
        5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
      4. Add the Dedicated Log Collector administrators.
        You must add the administrator (admin) as either a local administrator or as an imported Panorama administrator—but not both. The push to managed collectors fails if an administrator is not added or if the administrator is added as both a local administrator and as an imported Panorama administrator.
        1. Add and configure new administrators unique to the Dedicated Log Collector. These administrators are specific to the Dedicated Log Collector for which they are created and you manage these administrators from this table.
        2. Add any administrators configured on Panorama. These administrators are created on Panorama and imported to the Dedicated Log Collector.
      5. Click OK to save the Dedicated Log Collector authentication configuration.
    6. Commit and then Commit and Push your configuration changes.
    7. Log in to the Panorama CLI of the Dedicated Log Collector to verify you can successfully access the Dedicated Log Collector using the local admin user.

    © 2024 Palo Alto Networks, Inc. All rights reserved.