End-of-Life (EoL)

Verify the User-ID Configuration

After you configure group mapping and user mapping and enable User-ID on your security rules and Captive Portal rules, you should verify that it is working properly.
  1. Verify that group mapping is working.
    From the CLI, enter the following operational command:
    > show user group-mapping statistics
  2. Verify that user mapping is working.
    If you are using the PAN-OS integrated User-ID agent, you can verify this from the CLI using the following command:
    > show user ip-user-mapping-mp all
    IP              Vsys  From  User               Timeout (sec)
    ------------------------------------------------------
                    vsys1 UIA   acme\george        210
                    vsys1 UIA   acme\duane         210
                    vsys1 UIA   acme\betsy         210
                    vsys1 UIA   acme\administrator 210
                    vsys1 AD    acme\administrator 748
    Total: 5 users
    *: WMI probe succeeded
  3. Test your security rule.
    • From a machine in the zone where User-ID is enabled, attempt to access sites and applications to test the rules you defined in your policy and ensure that traffic is allowed and denied as expected.
    • You can also use the test security-policy-match operational command to determine whether the policy is configured correctly. For example, suppose you have a rule that blocks user duane from playing World of Warcraft; you could test the policy as follows:
    > test security-policy-match application worldofwarcraft source-user acme\duane source any destination any destination-port any protocol 6
    "deny worldofwarcraft" {
        from corporate;
        source any;
        source-region any;
        to internet;
        destination any;
        destination-region any;
        user acme\duane;
        category any;
        application/service worldofwarcraft;
        action deny;
        terminal no;
    }
  4. Test your Captive Portal configuration.
    1. From the same zone, go to a machine that is not a member of your directory, such as a Mac OS system, and try to ping a system external to the zone. The ping should work without requiring authentication.
    2. From the same machine, open a browser and navigate to a web site in a destination zone that matches a Captive Portal rule you defined. The Captive Portal web form should display and prompt you for login credentials.
    3. Log in using the correct credentials and confirm that you are redirected to the requested page.
    4. You can also test your Captive Portal policy using the test cp-policy-match operational command as follows:
      > test cp-policy-match from corporate to internet source destination
      Matched rule: 'captive portal' action: web-form
  5. Verify that the log files display usernames.
    Select a logs page (for example,
    ) and verify that the Source User column displays usernames.
  6. Verify that reports display usernames.
    1. Select
    2. Select a report type that includes usernames. For example, the Denied Applications report, Source User column, should display a list of the users who attempted to access the applications.
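
An added example, not part of the original documentation: a Python check over captured output of the user-mapping command from step 2. It confirms that expected users are mapped, that the parsed row count matches the reported total, and that no IP address maps to more than one user. The sample output is constructed, with documentation-range IP addresses in the IP column, and parse_mappings and check_mappings are hypothetical helper names.

```python
import re
from collections import defaultdict
# Constructed sample. Column order follows the header shown in step 2;
# the IP addresses are documentation-range placeholders (assumption).
SAMPLE = r"""
IP              Vsys  From  User               Timeout (sec)
------------------------------------------------------
192.0.2.10      vsys1 UIA   acme\george        210
192.0.2.11      vsys1 UIA   acme\duane         210
192.0.2.12      vsys1 UIA   acme\betsy         210
192.0.2.13      vsys1 UIA   acme\administrator 210
192.0.2.13      vsys1 AD    acme\administrator 748
Total: 5 users
*: WMI probe succeeded
"""

FIELDS = ("ip", "vsys", "from", "user", "timeout")
TOTAL = re.compile(r"^Total:\s+(\d+)\s+users")

def parse_mappings(text):
    """Return (rows, reported_total); a row is five fields ending in a number."""
    rows, total = [], None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4].isdigit():
            rows.append(dict(zip(FIELDS, parts)))
        elif (m := TOTAL.match(line.strip())):
            total = int(m.group(1))
    return rows, total

def check_mappings(text, expected_users):
    """List problems found; an empty list means every check passed."""
    rows, total = parse_mappings(text)
    findings = []
    # A mismatch means the capture was truncated or a row did not parse.
    if total is not None and total != len(rows):
        findings.append(f"parsed {len(rows)} rows but device reported {total}")
    seen = {r["user"].lower() for r in rows}
    for user in sorted(u.lower() for u in expected_users):
        if user not in seen:
            findings.append(f"no mapping for {user}")
    # Two different users on one IP means policy may match the wrong user.
    users_by_ip = defaultdict(set)
    for r in rows:
        users_by_ip[(r["vsys"], r["ip"])].add(r["user"].lower())
    for (vsys, ip), users in sorted(users_by_ip.items()):
        if len(users) > 1:
            findings.append(f"{ip} ({vsys}) maps to: {', '.join(sorted(users))}")
    return findings
```
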
