Name: #paloaltofirewalltraining | Day 46 | How to Configure Global Protect VPN with AD Authentication
Uploaded: 2026-01-29 20:41:36
Duration: 21 min 35 s

Question 1

How do I configure GlobalProtect VPN with Active Directory authentication on Palo Alto?

Accepted Answer

In this video I integrate the Palo Alto firewall with AD using an LDAP server profile, then I switch the GlobalProtect portal and gateway authentication profile to LDAP. The idea is simple: when the client enters credentials, the firewall goes to AD and asks if the username/password is correct. I tested it with a lab user and confirmed it connected successfully.

Question 2

What is Active Directory and why is it used for VPN authentication?

Accepted Answer

Active Directory is Microsoft directory services where an organization stores user information like username, password, email, and location. It also controls what users can do on their domain PCs. When I use AD for GlobalProtect, users can log in with the same corporate credentials, so we don’t need a separate VPN user database.

Question 3

What is the Base DN format for LDAP in Palo Alto for AD integration?

Accepted Answer

I used the standard DC format: for example DC=bikashtech,DC=com. If your domain is cisco.com, then it becomes DC=cisco,DC=com. This Base DN tells the firewall where to search in the directory.

Question 4

Do I need to change Service Route for LDAP/Kerberos/DNS when integrating AD with Palo Alto?

Accepted Answer

Yes, in my lab I changed the service route because by default services try to go via the management interface. In my topology, traffic needed to go out from ethernet1/1, so I customized DNS, Kerberos, and LDAP service routes. Without that, your firewall may not reach the domain controller properly.

Question 5

What user account is needed for Palo Alto to bind to Active Directory?

Accepted Answer

I created a dedicated user in AD and used it in the LDAP server profile as the bind credentials. This account is used by the firewall to query the directory and retrieve user/group information. In the video I also mention the trust requirement, so permissions matter if your environment needs it.

Question 6

How can I verify Palo Alto is actually authenticating to AD for GlobalProtect?

Accepted Answer

I verified it by taking a packet capture on the Palo Alto and checking the LDAP communication. You can see the bind request and it returning success for the GP test user. After that, the GlobalProtect client status shows connected and the user gets an IP address.

Question 7

Do I need to create specific AD users/groups for GlobalProtect login?

Accepted Answer

You need the user to exist in AD because the firewall will validate whatever credentials the client enters. In my lab I created a test user (GP test) and used that same username/password on the GlobalProtect client. For groups, I also showed how to retrieve groups via a user group mapping profile.

#paloaltofirewalltraining | Day 46 | How to Configure Global Protect VPN with AD Authentication

🛍️ Products Mentioned (2)

Paloaltonetworks Product

For Palo Alto Documentation

About This Video

Frequently Asked Questions

🎬 More from Bikash's Tech