CLI Cheat Sheet: User-ID
End-of-Life (EoL)

Use the following commands to perform common User-ID configuration and monitoring tasks.
To see more comprehensive logging information, enable debug mode on the agent:
> debug user-id log-ip-user-mapping yes
When you are done troubleshooting, disable debug mode:
> debug user-id log-ip-user-mapping no
View all User-ID agents configured to send user mappings to the Palo Alto Networks device:
  • To see all configured Windows-based agents:
    > show user user-id-agent state all
  • To see if the PAN-OS-integrated agent is configured:
    > show user server-monitor state all
View how many log messages came in from syslog senders and how many entries the User-ID agent successfully mapped:
> show user server-monitor statistics
View the configuration of a User-ID agent from the Palo Alto Networks device:
> show user user-id-agent config name <agent-name>
View group mapping information:
> show user group-mapping statistics
> show user group-mapping state all
> show user group list
> show user group name <group-name>
View all user mappings on the Palo Alto Networks device:
> show user ip-user-mapping all
Show user mappings filtered by a username string (if the string includes the domain name, use two backslashes before the username):
> show user ip-user-mapping all | match <domain>\\<username-string>
Show user mappings for a specific IP address:
> show user ip-user-mapping ip <ip-address>
Show usernames:
> show user user-ids
View the most recent addresses learned from a particular User-ID agent:
> show log userid datasourcename equal <agent-name> direction equal backward
View mappings from a particular type of authentication service:
> show log userid datasourcetype equal <authentication-service>
where <authentication-service> can be authenticate, client-cert, directory-server, exchange-server, globalprotect, kerberos, netbios-probing, ntlm, unknown, vpn-client, or wmi-probing.
For example, to view all user mappings from the Kerberos server, you would enter the following command:
> show log userid datasourcetype equal kerberos
View mappings learned using a particular type of user mapping:
> show log userid datasource equal <datasource>
where <datasource> can be agent, captive-portal, event-log, ha, probing, server-session-monitor, ts-agent, unknown, vpn-client, or xml-api.
For example, to view all user mappings from the XML API, you would enter the following command:
> show log userid datasource equal xml-api
Find a user mapping based on an email address:
> show user email-lookup
+ base              Default base distinguished name (DN) to use for searches
+ bind-dn           bind distinguished name
+ bind-password     bind password
+ domain            Domain name to be used for username
+ group-object      group object class(comma-separated)
+ name-attribute    name attribute
+ proxy-agent       agent ip or host name.
+ proxy-agent-port  user-id agent listening port, default is 5007
+ use-ssl           use-ssl
* email             email address
> mail-attribute    mail attribute
> server            ldap server ip or host name.
> server-port       ldap server listening port
For example:
> show user email-lookup base "DC=lab,DC=sg,DC=acme,DC=local" bind-dn "CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local" bind-password acme use-ssl no email user1@lab.sg.acme.local mail-attribute mail server 10.1.1.1 server-port 389
labsg\user1
Clear the User-ID cache:
> clear user-cache all
Clear a User-ID mapping for a specific IP address:
> clear user-cache ip <ip-address/netmask>
