Focus

Panorama Administrator's Guide

Configure LDAP Authentication for a WildFire Appliance

Table of Contents

Configure LDAP Authentication for a WildFire Appliance

Configure LDAP authentication for a WildFire appliance.

You can use LDAP to authenticate end users who access the WildFire appliance CLI.

Log in to the Panorama Web Interface.
Add Standalone WildFire Appliances to Manage with Panorama.
Add an LDAP server profile.
The profile defines how the WildFire appliance connects to the LDAP server.

Administrator accounts configured for LDAP authentication are required to have Superuser admin role privileges to successfully configure authentication for the WildFire appliance.
1. Select PanoramaServer ProfilesLDAP and Add a server profile.
2. Enter a Profile Name to identify the server profile.
3. Add the LDAP servers (up to four). For each server, enter a Name (to identify the server), LDAP Server IP address or FQDN, and server Port (default 389).
  
  If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
4. Select the server Type.
5. Select the Base DN.
  To identify the Base DN of your directory, open the Active Directory Domains and Trusts Microsoft Management Console snap-in and use the name of the top-level domain.
6. Enter the Bind DN and Password to enable the authentication service to authenticate the firewall.
  
  The Bind DN account must have permission to read the LDAP directory.
7. Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
8. Enter the Retry Interval in seconds (default is 60).
9. (Optional) If you want the endpoint to use SSL or TLS for a more secure connection with the directory server, enable the option to Require SSL/TLS secured connection (enabled by default). The protocol that the endpoint uses depends on the server port:
  - 389 (default)—TLS (Specifically, the WildFire appliance uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
  - 636—SSL
  - Any other port—The WildFire appliance first attempts to use TLS. If the directory server doesn’t support TLS, the WildFire appliance falls back to SSL.
10. (Optional) For additional security, enable to the option to Verify Server Certificate for SSL sessions so that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option to Require SSL/TLS secured connection. For verification to succeed, the certificate must meet one of the following conditions:
  - It is in the list of Panorama certificates: PanoramaCertificate ManagementCertificatesDevice Certificates. If necessary, import the certificate into Panorama.
  - The certificate signer is in the list of trusted certificate authorities: PanoramaCertificate ManagementCertificates.
11. Click OK to save the server profile.
Configure the authentication for the WildFire appliance.
1. Select PanoramaManaged WildFire Appliance and select the WildFire appliance you previously added.
2. Configure the authentication Timeout Configuration for the WildFire appliance.
  1. Enter the number of Failed Attempts before a user is locked out of the WildFire appliance CLI.
  2. Enter the Lockout Time, in minutes, for which the WildFire appliance locks out a user account after that user reaches the configured number of Failed Attempts.
  3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
  4. Enter the Max Session Count to set how many user accounts can simultaneously access the WildFire appliance.
  5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
3. Add the WildFire appliance administrators.
  Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add admin1 as both a local and Panorama administrator.
  - Configure the local administrators.
    Configure new administrators unique to the WildFire appliances. These administrators are specific to the WildFire appliance for which they are created and you manage these administrators from this table.
    1. Add one or more new local administrator.
    2. Enter a Name for the local administrator.
    3. Assign an Authentication Profile you previously created.
      
      LDAP authentication profiles are supported only for individual local administrators.
    4. Enable (check) Use Public Key Authentication (SSH) to import a public key file for authentication.
    5. Select a Password Profile to set the expiration parameters.
  - Import existing Panorama administrators
    Import existing administrators configured on Panorama. These administrators are configured and managed on Panorama and imported to WildFire appliance.
  1. Add an existing Panorama administrator
4. Click OK to save the WildFire appliance authentication configuration.
Commit and then Commit and Push your configuration changes.
Access the WildFire appliance CLI to verify you can successfully access the WildFire appliance using the local admin user.

Configure TACACS+ Authentication for a WildFire Appliance

Set Up Authentication Using Custom Certificates on WildFire Appliances and Clusters