Instructions on how to synchronize users from AD with User-ID on Palo Alto

1. Purpose of the article

This article shows how to synchronize users from Active Directory (AD) with a Palo Alto firewall, so that traffic can be identified and controlled by the logged-in user rather than only by IP address.

2. Network diagram, configuration scenarios, and steps to take

2.1 Network Diagram

The network diagram has the following devices:

  • A Palo Alto firewall whose ethernet1/1 port is connected to the internet via PPPoE with a dynamic IP, and whose ethernet1/3 port, with IP , is connected to the devices on the LAN.
  • Inside the LAN, one AD server named with IP , and one Windows 10 desktop with IP , joined to the domain and logged in with the michael account. That account is in the Support group, which is in the IT OU.

2.2 Configuration scenarios

We will synchronize users from AD server to Palo Alto and configure policies to allow internet access based on the synchronized users.

2.3 Steps to take

  • Configure Service Features
  • Enable User Identification on zone LAN.
  • Configure LDAP Server Profile.
  • Configure User Mapping.
  • Configure Group Mapping Settings
  • Configure Authentication Profile
  • Create Security Policy and check the result.

3. Configuration

3.1 Configure Service Features

First we configure the service routes so that the services the firewall needs for User-ID are sourced from the port that connects to the AD server. By default the firewall sources these services from the management interface; customizing the service route makes them originate from the data-plane port (ethernet1/3) that can actually reach the AD server.

Here we will route the DNS, Kerberos, LDAP and UID Agent services.

To do this, open the Palo Alto web interface and go to Device > Setup > Services > Service Features > Service Route Configuration.

When the Service Route Configuration panel appears, select Customize.

To configure a service, click on it; here we choose DNS. The Service Route Source panel appears: select ethernet1/3 as the Source Interface, and the Source Address is automatically populated with the IP of ethernet1/3, 172.16.16./24.

Click OK to save.

Do the same for the remaining services (Kerberos, LDAP, UID Agent).

Click OK in the Service Route Configuration panel to save.

3.2 Enable User Identification on zone LAN

For the firewall to apply the user mappings to traffic, User Identification must be enabled on the zone that contains the domain-joined clients; here that is the LAN zone. Mappings are only applied to traffic entering zones where this is enabled.

To turn it on, go to Network > Zones and click the LAN zone. In the Zone panel that pops up, check Enable User Identification in the User Identification ACL section.

Click OK to save.

3.3 Configure LDAP Server Profile

To create the profile, go to Device > Server Profiles > LDAP, click Add and enter the following information:

  • Profile Name : lab-active-directory
  • Server List : click Add, enter DC01 as the Name, the IP of the server as the LDAP Server, and 389 as the Port.
  • In Server Settings :
  • Type : select active-directory
  • Base DN : DC=testlab,DC=com
  • Bind DN :
  • Password and Confirm Password : enter the administrator's password.
  • Bind Timeout : 30
  • Search Timeout : 30
  • Retry Interval : 60
  • Required SSL/TLS secured connection : uncheck.
  • Click OK to save.

Note that with Required SSL/TLS secured connection unchecked, the bind credentials and every LDAP query are sent to port 389 in cleartext, so anyone on the path between the firewall and DC01 can read the bind password. This is acceptable in a lab, but in production check this option, change the Port to 636 (LDAPS), and bind with a dedicated read-only service account rather than the domain Administrator.

3.4 Configure User Mapping

To configure go to Device > User Identification > User Mapping.

Here there are three parts to configure: Palo Alto Networks User-ID Agent Setup, Server Monitoring, and Include/Exclude Networks.

To configure the Palo Alto Networks User-ID Agent Setup section, click the gear icon on the right. A configuration panel appears in which the following parameters need to be set.

Tab Server Monitor Account :

  • User Name : \Administrator
  • Password and Confirm Password : enter the administrator's password
  • Kerberos Server Profile : None

The account entered here is what the firewall uses to read the Security event log over WMI, and its credentials are also used for client probing (below). A domain administrator account is far more privilege than this needs; in anything other than a lab, use a dedicated service account that is only a member of the groups required for reading the event log and connecting over DCOM.

Tab Server Monitor :

  • Enable Security Log : check
  • Server Log Monitor Frequency (sec) : 2
  • Enable Session : uncheck
  • Server Session Read Frequency (sec) : 10
  • Novell eDirectory Query Interval (sec) : 30
  • Syslog Service Profile : None

Tab Client Probing :

  • Enable Probing : check
  • Probe Interval (min) : 5

Client probing makes the firewall connect (WMI) to every IP in the included networks that has no mapping, presenting the Server Monitor Account's credentials to whatever host answers. Keep it disabled on any network segment that is not fully trusted, and never pair it with a privileged account, since a rogue host can capture those credentials.

Tab Cache :

  • Enable User Identification Timeout : check
  • User Identification Timeout (min) : 120
  • Allow matching usernames without domains : uncheck
  • Click OK to save.

Next, configure Server Monitoring: click Add, and in the User Identification Monitored Server panel that appears, configure the following parameters:

  • Name : TESTLAB
  • Check Enable
  • Type : Microsoft Active Directory
  • Transport Protocol : WMI
  • Network Address :
  • Click OK to save.

Finally, in the Include/Exclude Networks section, click Add, and in the Include Exclude Network panel that appears, configure the following parameters:

  • Name : All
  • Check Enable
  • Discovery : Include
  • Network Address :
  • Click OK to save.

After the configuration is committed, the Server Monitoring section shows the status of the monitored server as Connected. If it stays Disconnected, check that the service route for UID Agent points at ethernet1/3 and that the account can read the Security log on DC01.
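The server monitor account above is the domain Administrator, which is far more privilege than log monitoring needs. As an added example that is not part of the original article, the following PowerShell, run on the AD server, creates a dedicated service account, gives it only the memberships Palo Alto documents for WMI-based server monitoring, and then confirms that the Security log actually contains the logon events User-ID reads (4624, 4768, 4769). The account name svc-userid, its placement in the IT OU and the UPN suffix testlab.com are assumptions for illustration, not values from the article.

```powershell
# Added example (not from the article): least-privilege User-ID service account on DC01.
# Run in an elevated PowerShell on the domain controller with RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

$domainDn = "DC=testlab,DC=com"      # Base DN from the LDAP Server Profile
$svcName  = "svc-userid"             # assumed name for the service account
$svcUpn   = "$svcName@testlab.com"   # assumed UPN suffix

# 1. Create the account. The password is prompted for rather than embedded in the script.
$svcPassword = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -UserPrincipalName $svcUpn `
    -Path "OU=IT,$domainDn" -AccountPassword $svcPassword -Enabled $true `
    -PasswordNeverExpires $true -Description "Palo Alto User-ID server monitoring"

# 2. Memberships needed for WMI server monitoring: read the Security event log and
#    connect over DCOM. No Domain Admins or local Administrators membership is needed.
foreach ($group in "Event Log Readers", "Distributed COM Users") {
    Add-ADGroupMember -Identity $group -Members $svcName
}
# Remote Enable and Enable Account on the root\cimv2 WMI namespace must also be granted
# (wmimgmt.msc > Properties > Security > Root\CIMV2); there is no AD cmdlet for that step.

# 3. Verify the memberships took effect.
Get-ADPrincipalGroupMembership -Identity $svcName | Select-Object -ExpandProperty Name

# 4. Confirm the DC is auditing the categories that produce the events User-ID maps from.
#    "Account Logon" covers Kerberos (4768/4769), "Logon/Logoff" covers 4624.
auditpol /get /category:"Account Logon"
auditpol /get /category:"Logon/Logoff"

# 5. Show the most recent mapping-relevant events with the user and source IP the
#    firewall would extract. If this list is empty, server monitoring has nothing to map.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768, 4769 } -MaxEvents 10 |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            User     = $data['TargetUserName']
            SourceIP = $data['IpAddress']   # 4624 and 4768/4769 all carry IpAddress
        }
    } | Format-Table -AutoSize
```

Once the account exists, enter it as testlab\svc-userid (or whatever name you chose) in the Server Monitor Account tab instead of the Administrator account, and re-check that Server Monitoring still shows Connected after the commit.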

3.5 Configure Group Mapping Settings

To configure, go to Device > User Identification > Group Mapping Settings and click Add. In the Group Mapping panel that appears we configure the Server Profile and Group Include List tabs.

Tab Server Profile :

  • Name : TESTLAB
  • Server Profile : select lab-active-directory
  • User Domain :
  • Object Class (Group Object) : group
  • Object Class (User Object) : person
  • Check Enable

Tab Group Include List :

  • Expand the arrow next to DC=testlab,DC=com to display the OUs and groups the firewall has read from AD, then select the OU or group you want to use and press "+" to move it to the Included Groups panel.
  • Here we will synchronize the Support group in the IT OU.
  • Click OK to save.
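Group mapping enumerates groups (objectClass group) and users (objectClass person) under the Base DN and presents each user as domain\sAMAccountName, which is the form used later in the security policy (testlab\michael). As an added example, not from the original article, this PowerShell run on the AD server reproduces that lookup with the same LDAP filters, so you can confirm in advance what the Group Include List will show and that michael really is in the Support group. It assumes the group is named Support, as in the network description, and the NetBIOS domain name testlab.

```powershell
# Added example (not from the article): preview what the firewall's group mapping will import.
Import-Module ActiveDirectory

$baseDn  = "DC=testlab,DC=com"   # Base DN from the LDAP Server Profile
$groupCn = "Support"             # group name from the network description (assumed exact)
$userDom = "testlab"             # NetBIOS domain used in Source User (testlab\michael)

# Same object class the firewall uses for groups, scoped to the IT OU chosen in the Include List.
$groups = Get-ADObject -SearchBase "OU=IT,$baseDn" -LDAPFilter "(objectClass=group)" -Properties member
$groups |
    Select-Object Name, DistinguishedName, @{ n = 'MemberCount'; e = { @($_.member).Count } } |
    Format-Table -AutoSize

# Resolve the group's DN rather than assuming it, then list the members the firewall would
# map (objectClass=person, i.e. user objects) in the domain\sAMAccountName form.
$grp     = Get-ADGroup -Identity $groupCn
$members = Get-ADUser -LDAPFilter "(&(objectClass=person)(memberOf=$($grp.DistinguishedName)))"
$members | ForEach-Object { "{0}\{1}" -f $userDom, $_.SamAccountName }

# Check: the lab account should be present. If it is not, a security policy rule keyed on
# testlab\michael (or on the Support group) will never match the client's traffic.
$expected = "$userDom\michael"
if (@($members.SamAccountName) -contains 'michael') {
    "OK: $expected is a member of $groupCn"
} else {
    "MISSING: michael is not in $groupCn; rules matching $expected will not hit"
}
```

Note that this query only sees direct members via memberOf; nested group membership is resolved separately by the firewall and will not show up in this listing.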

3.6 Configure Authentication Profile

To configure, go to Device > Authentication Profile and click Add. In the Authentication Profile panel that appears we configure two parts: Authentication and Advanced.

Tab Authentication :

  • Name : AD TESTLAB
  • Type : LDAP
  • Server Profile : select lab-active-directory

Tab Advanced :

  • Click Add in the Allow List and select all
  • Click OK to save.

3.7 Create Security Policy and result

After the synchronization is working, we create a Security Policy that allows internet access based on the synchronized users.

Before the policy is created, neither the server nor the client machine logged in with michael's account can access the internet.

In order for these two machines to connect to the internet, we need to create a Security Policy, go to Policies> Security and click Add and then enter the following information:

Tab General :

  • Name : Allow_Internet_Micheal
  • Rule Type : universal (default)

Tab Source :

  • Source Zone : select LAN.

Tab User :

  • Source User : select the two accounts testlab\administrator and testlab\michael.

Tab Destination :

  • Destination Zone : select WAN

Tab Application :

  • Application : Any

Tab Service/URL Category :

  • Service : Any
  • URL Category : Any

Tab Action :

  • Action : Allow
  • Log Setting : Log at Session End
  • Click OK to save.

After saving and committing, check the result from both the server and the client. On the firewall itself, the CLI command show user ip-user-mapping all lists which IP is currently mapped to which user, and the Traffic log for the allowed sessions should show the Source User column populated with testlab\michael; a session with an empty Source User means the mapping was not applied and the rule will not match.

As shown above, both machines are connected to the internet.
