CLI Cheat Sheet: User-ID

Use the following commands to perform common User-ID configuration and monitoring tasks.
To see more comprehensive logging information enable debug mode on the agent using the debug user-id log-ip-user-mapping yes command. When you are done troubleshooting, disable debug mode using debug user-id log-ip-user-mapping no.
CLI Cheat Sheet: User-ID
View all User-ID agents configured to send user mappings to the Palo Alto Networks device:
  • To see all configured Windows-based agents:
> show user user-id-agent state all
  • To see if the PAN-OS-integrated agent is configured:
> show user server-monitor state all
View how many log messages came in from syslog senders and how many entries the User-ID agent successfully mapped:
> show user server-monitor statistics
View the configuration of a User-ID agent from the Palo Alto Networks device:
> show user user-id-agent config name <agent-name>
View group mapping information:
> show user group-mapping statistics 
> show user group-mapping state all 
> show user group list 
> show user group name <group-name>
View all user mappings on the Palo Alto Networks device:
> show user ip-user-mapping all
Show user mappings filtered by a username string (if the string includes the domain name, use two backslashes before the username):
> show user ip-user-mapping all | match <domain>\\<username-string>
Show user mappings for a specific IP address:
> show user ip-user-mapping ip <ip-address>
Show usernames:
> show user user-ids
View the most recent addresses learned from a particular User-ID agent:
> show log userid datasourcename equal <agent-name> direction equal backward
View mappings from a particular type of authentication service:
> show log userid datasourcetype equal <authentication-service>
where <authentication-service> can be authenticate, client-cert, directory-server, exchange-server, globalprotect, kerberos, netbios-probing, ntlm, unknown, vpn-client, or wmi-probing.
For example, to view all user mappings from the Kerberos server, you would enter the following command:
> show log userid datasourcetype equal kerberos
View mappings learned using a particular type of user mapping:
> show log userid datasource equal <datasource>
where <datasource> can be agent, captive-portal, event-log, ha, probing, server-session-monitor, ts-agent, unknown, vpn-client, or xml-api.
For example, to view all user mappings from the XML API, you would enter the following command:
> show log userid datasourcetype equal xml-api
Find a user mapping based on an email address:
> show user email-lookup 
+ base               Default base distinguished name (DN) to use for searches 
+ bind-dn            bind distinguished name 
+ bind-password      bind password 
+ domain             Domain name to be used for username 
+ group-object       group object class(comma-separated) 
+ name-attribute     name attribute 
+ proxy-agent        agent ip or host name. 
+ proxy-agent-port   user-id agent listening port, default is 5007 
+ use-ssl            use-ssl 
* email              email address 
> mail-attribute     mail attribute 
> server             ldap server ip or host name. 
> server-port        ldap server listening port 
For example:
> show user email-lookup base "DC=lab,DC=sg,DC=acme,DC=local" bind-dn "CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local" bind-password acme use-ssl no email user1@lab.sg.acme.local mail-attribute mail server 10.1.1.1 server-port 389 labsg\user1
Clear the User-ID cache:
clear user-cache all
Clear a User-ID mapping for a specific IP address:
clear user-cache ip <ip-address/netmask>

Related Documentation