LDAP communication is insecure-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert if “Require SSL/TLS secured connection” is not checked on an LDAP server profile.

Remediation Steps:
First, enable LDAP over SSL on the LDAP server. On the Palo Alto Networks firewall, select Device => Server Profiles => LDAP, select the profile and check “Require SSL/TLS secured connection”. For more information, please check this link: https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/device/device-server-profiles-ldap

How does this work?
This alert uses the Palo Alto Networks API interface to parse through the configured LDAP server profiles and alert the admin for any profile on which SSL/TLS is not enabled.
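As an added illustration (not Indeni's parser or rule code), the following Python script performs the same check over a constructed fragment of a PAN-OS XML configuration of the kind the XML API returns for LDAP server profiles. The element names (`<ssl>`, `<verify-server-certificate>`, `<port>` under each profile entry) follow the PAN-OS config layout as an assumption; verify them against a config exported from your own firewall.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <ldap> server-profile section of a PAN-OS config.
# Element names are assumed from the PAN-OS config layout; check against a
# real exported configuration before relying on them.
SAMPLE_CONFIG = """<server-profile>
  <ldap>
    <entry name="corp-ad-secure">
      <server><entry name="dc1"><address>10.1.1.10</address><port>636</port></entry></server>
      <ldap-type>active-directory</ldap-type>
      <ssl>yes</ssl>
      <verify-server-certificate>yes</verify-server-certificate>
    </entry>
    <entry name="legacy-ldap">
      <server><entry name="ldap1"><address>10.1.1.20</address><port>389</port></entry></server>
      <ldap-type>other</ldap-type>
      <ssl>no</ssl>
    </entry>
    <entry name="no-ssl-element">
      <server><entry name="ldap2"><address>10.1.1.30</address><port>389</port></entry></server>
      <ldap-type>other</ldap-type>
    </entry>
  </ldap>
</server-profile>"""


def check_ldap_profiles(config_xml: str) -> list:
    """One finding per LDAP profile; a profile is insecure unless <ssl> is 'yes'.
    A missing <ssl> element is treated as 'no' so it is flagged, not silently passed."""
    root = ET.fromstring(config_xml)
    findings = []
    for prof in root.iterfind(".//ldap/entry"):  # only profile entries, not server entries
        ssl_val = (prof.findtext("ssl") or "no").strip().lower()
        verify = (prof.findtext("verify-server-certificate") or "no").strip().lower()
        ports = [s.findtext("port") or "389" for s in prof.iterfind("server/entry")]
        findings.append({
            "profile": prof.get("name"),
            "ssl": ssl_val == "yes",
            "verify_server_certificate": verify == "yes",
            "server_ports": ports,
            "insecure": ssl_val != "yes",
        })
    return findings


def insecure_profile_names(config_xml: str) -> list:
    """Profiles that would raise the 'LDAP communication is insecure' alert."""
    return [f["profile"] for f in check_ldap_profiles(config_xml) if f["insecure"]]
```

Running `insecure_profile_names(SAMPLE_CONFIG)` reports `legacy-ldap` and `no-ssl-element`; the `verify_server_certificate` field is included because SSL/TLS without server certificate validation still leaves the bind open to a man-in-the-middle.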

Why is this important?
Plain LDAP is insecure: the communication, including the bind credentials and the directory data returned, travels in clear text. Firewalls should use SSL/TLS to secure the communication with the LDAP server when fetching user and group information.

Without Indeni how would you find this?
Log in to the device’s web interface and click “Device” -> “Server Profiles” -> “LDAP”, then check each profile for “Require SSL/TLS secured connection”.

Parser: panos-secure-ldap
https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/panw/panos/panos-secure-ldap/panos-secure-ldap.ind.yaml

Rule: PanosSecureLdapRule
https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/PanosSecureLdapRule.scala