Palo Alto

Plao Alto LDAP Integration

Active Directory Integration
i wrote this a long time ago but the only issue i faced that i couldn’t see the user in monitoring screen no matter what i did and till the moment we received a new Palo Alto i test the same configuration and changed the Interface as this what the vendor ask but didn’t work and at the end it worked perfectly.

In earlier Blog Palo Alto to Internet we configure how to Allow users to go to the Internet. Now Active directory allow me to control who can have an access to internet Per User and also monitor exactly whom watching who and this is the configuration

First go to Device – Server Profiles – LDAP – add
choose name (MyLDAP)
in Server List add the IP of my Active Directory (
then in Sever Settings
choose type: Active Directory
Base DN: auto generate
Bind DN & Password : is my admin username and password
(this account must be a member of the built-in Server Operators group in AD)
Also uncheck the box Require SSL/TLS secured connection
Then we need to create an Authentication Profile
Go to Device – Authentication Profile – add
Name : My Authentication Profile
Type : LDAP
Server Profile: MyLDAP (Which i create in the first step)
Login Attribute: sAMAccountName
User Domain:
then Select Advanced tab and in the Allow list  select to add (All)3
Like that we done from Active Directory Integration
now we need to map and monitor our  server
So we go to Device – User Identification – Palo Alto Network user-ID Agent Setup – Click on settings button on the corner
in WMI Authentication i will use my Admin username and password3
Then Enable the Server Monitoring
Also Enable the Client Probing and press ok
After That i will add my Active directory Under the server Monitoring
Then the Domain Controllers will show with a status of Connected.
Second we create our group mappings, we can use these Active Directory groups in our security policies.
navigating to the Group Mapping Settings tab – Add new
Choose the Sever Profile: MyLDAP
User Domain: ccieroot
User Name: sAMAcountName
then go to the group include list tab at the top. as long you see the OU in your AD then it mean you can see everything correctly
Just for testing i Add the IT Staff7
Now Before you create a Policy Enable the User-ID on the inside Zone
Check the Enable User  Identification
Now on our Internet Rule Select under User tab and Add my user8
now as you can see under the Monitoring Tab i see my Username when i Access any website9



Active Directory, CUCM

CUCM integration with Active Directory

When you first finish installing the CUCM the Call Manager use it’s own LDAP Directory of End Users which is nice to use, but in case you work in a company with more than 1000 people it’s insane to add them all. so the preferred way is to integrate CUCM with a corporate LDAP weather it was Linux, OS or Windows. in our case i will show you how to integrate CUCM with Windows Active Directory

from Windows Side all what you need is a user with Administrator Right so you will be able to access the Active Directory

now back to CUCM

first activate the service that help you to Sync Between LDAP and CUCM



Then Go to Cisco Unified CM Administration > System > LDAP > LDAP System to identify what type of LDAP









Check the Box to Enable Sync from the LDAP Server








Now Go Click on System > LDAP > LDAP Directory and click Add New

in this example the Active Directory is my Domain CCIEROOT.COM
the admin user is : and i put the password for the authenticate with the LDAP
my LDAP Search Base is where i save the user it could be simple as under users. in my case i sync all the user in my domain

and my LDAP ip address is





















Click on System > LDAP > LDAP Authentication. This will authenticate CUCM End Users using Active Directory instead of the embedded CUCM directory.














at this point your CUCM is ready to Sync so go back to System > LDAP > LDAP Directory and Perform Full Sync10




After performing the synchronization the users which were created in Active Directory are now appearing in the CUCM End User



Open one of the users





That is it

Note. for the users that been created on the CUCM before the Sync they will be Disabled. to Solve this issue you need to create users for them in the LDAP Directory and Sync again and they will be hilighted.