From the CLI, enter the following operational command:
show user group-mapping statistics
Verify that user mapping is working.
If you are using the PAN-OS integrated User-ID agent, you
can verify this from the CLI using the following command:
show user ip-user-mapping-mp all
IP               Vsys   From  User                 Timeout (sec)
192.168.201.1    vsys1  UIA   acme\george          210
192.168.201.11   vsys1  UIA   acme\duane           210
192.168.201.50   vsys1  UIA   acme\betsy           210
192.168.201.10   vsys1  UIA   acme\administrator   210
192.168.201.100  vsys1  AD    acme\administrator   748
Total: 5 users
*: WMI probe succeeded
Test your Security policy rule.
From a machine in the zone where User-ID is enabled,
attempt to access sites and applications to test the rules you defined
in your policy and ensure that traffic is allowed and denied as
You can also troubleshoot the running configuration to determine
whether the policy is configured correctly. For example, suppose
you have a rule that blocks users from playing World of Warcraft;
you could test the policy as follows:
, and select
from the Select Test drop-down.
as the Source
and Destination IP addresses. This executes the policy match test
against any source and destination IP addresses.
Enter the Destination Port.
Enter the Protocol.
the security policy
Test your Authentication policy and Authentication Portal
From the same zone, go to a machine that
is not a member of your directory, such as a Mac OS system, and
try to ping a system external to the zone. The ping should work
without requiring authentication.
From the same machine, open a browser and navigate
to a web site in a destination zone that matches an Authentication
rule you defined. The Authentication Portal web form should display
and prompt you for login credentials.
Log in using the correct credentials and confirm that
you are redirected to the requested page.
You can also test your Authentication policy using the
test authentication-policy-match command as follows:
test authentication-policy-match from corporate to internet source 192.168.201.10 destination 220.127.116.11
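
To make the user-mapping check above repeatable, the following added example (not part of the original documentation or of PAN-OS) parses saved output of show user ip-user-mapping-mp all and reports the things you would otherwise check by eye. The function names, the acme\zoe account and the handling of the * probe marker are assumptions; the sample input is the output shown on this page.

```python
import ipaddress
from collections import defaultdict

# Constructed input: the sample output from this page, saved as text.
SAMPLE = r"""IP Vsys From User Timeout (sec)
192.168.201.1 vsys1 UIA acme\george 210
192.168.201.11 vsys1 UIA acme\duane 210
192.168.201.50 vsys1 UIA acme\betsy 210
192.168.201.10 vsys1 UIA acme\administrator 210
192.168.201.100 vsys1 AD acme\administrator 748
Total: 5 users
*: WMI probe succeeded
"""

def parse_mappings(text):
    """Return (rows, reported_total) parsed from the CLI output."""
    rows, total = [], None
    for line in text.splitlines():
        # Assumption: a '*' probe marker may be attached to a field; drop it.
        fields = line.replace("*", "").split()
        if len(fields) == 3 and fields[0] == "Total:" and fields[1].isdigit():
            total = int(fields[1])
        if len(fields) != 5 or not fields[4].isdigit():
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # header, legend or other non-data line
        rows.append({"ip": fields[0], "vsys": fields[1], "source": fields[2],
                     "user": fields[3].lower(), "timeout": int(fields[4])})
    return rows, total

def review(text, expected_users=(), min_timeout=60):
    """Summarise what an operator would check by eye in the mapping table."""
    rows, total = parse_mappings(text)
    by_user = defaultdict(list)
    for row in rows:
        by_user[row["user"]].append(row["ip"])
    return {
        # Parsed rows differ from the reported total: the capture is incomplete.
        "count_mismatch": total is not None and total != len(rows),
        # Users you expected to see mapped but who are absent.
        "missing": sorted(u.lower() for u in expected_users if u.lower() not in by_user),
        # One account on several IPs (here: administrator via UIA and AD).
        "multi_ip": {u: ips for u, ips in by_user.items() if len(ips) > 1},
        # Mappings with little time left before they expire.
        "expiring": [r["ip"] for r in rows if r["timeout"] < min_timeout],
    }

if __name__ == "__main__":
    # acme\zoe is a constructed account that is not in the sample output.
    print(review(SAMPLE, expected_users=[r"acme\george", r"acme\zoe"]))
```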