CLI Cheat Sheet: User-ID
Use the following commands to perform common User-ID configuration and monitoring tasks.
To see more comprehensive logging information, enable debug mode on the agent using the debug user-id log-ip-user-mapping yes command. When you are done troubleshooting, disable debug mode using debug user-id log-ip-user-mapping no.
View all User-ID agents configured to send user mappings to the Palo Alto Networks device:
> show user user-id-agent state all
> show user server-monitor state all
View how many log messages came in from syslog senders and how many entries the User-ID agent successfully mapped:
> show user server-monitor statistics
View the configuration of a User-ID agent from the Palo Alto Networks device:
> show user user-id-agent config name <agent-name>
View group mapping information:
> show user group-mapping statistics
> show user group-mapping state all
> show user group list
> show user group name <group-name>
View all user mappings on the Palo Alto Networks device:
> show user ip-user-mapping all
Show user mappings filtered by a username string (if the string includes the domain name, use two backslashes before the username):
> show user ip-user-mapping all | match <domain>\\<username-string>
Show user mappings for a specific IP address:
> show user ip-user-mapping ip <ip-address>
Show usernames:
> show user user-ids
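When reviewing the mappings that the commands above display, it is often useful to summarize them by data source and to flag entries that deserve a second look, such as mappings that never time out or that are about to expire. The following Python script is an added example, not part of the original cheat sheet or of any Palo Alto Networks tool. The sample text it parses is constructed to approximate the column layout of show user ip-user-mapping all (IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s)); the source codes in the From column and the meaning of a zero timeout are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample output for this added example. It approximates the column
# layout of "show user ip-user-mapping all"; the From codes and the timeout
# values are assumptions, not text captured from a device.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                  IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------------- -------------- -------------
10.1.1.5        vsys1  AD      acme\\jdoe             2400           2700
10.1.1.9        vsys1  UIA     acme\\asmith           120            2700
10.1.2.20       vsys1  XMLAPI  acme\\svc-api          0              0
10.1.2.21       vsys1  GP      acme\\mlee             1800           2700
Total: 4 users
"""

# One mapping row: IPv4 address, vsys, source, user, idle timeout, max timeout.
# Header, separator and "Total:" lines do not match and are skipped.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<vsys>\S+)\s+"
    r"(?P<source>\S+)\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<idle>\d+)\s+"
    r"(?P<max>\d+)\s*$"
)


def parse_ip_user_mappings(text):
    """Return one dict per mapping row found in the command output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["idle"] = int(row["idle"])
            row["max"] = int(row["max"])
            rows.append(row)
    return rows


def count_by_source(mappings):
    """Count mappings per data source (the From column)."""
    return Counter(row["source"] for row in mappings)


def find_review_candidates(mappings, idle_threshold=300):
    """Flag mappings worth reviewing.

    never_expires: max timeout of 0 (assumed here to mean the mapping is
                   never aged out, so a stale entry would keep granting access).
    expiring_soon: idle timer at or below idle_threshold seconds, which may
                   indicate a user whose session source stopped reporting.
    """
    never_expires = [r["ip"] for r in mappings if r["max"] == 0]
    expiring_soon = [
        r["ip"] for r in mappings if r["max"] != 0 and r["idle"] <= idle_threshold
    ]
    return {"never_expires": never_expires, "expiring_soon": expiring_soon}


if __name__ == "__main__":
    rows = parse_ip_user_mappings(SAMPLE_OUTPUT)
    for src, n in sorted(count_by_source(rows).items()):
        print(f"{src:8} {n}")
    print(find_review_candidates(rows))
```

Paste the real output of show user ip-user-mapping all in place of SAMPLE_OUTPUT, or feed it on standard input, and adjust ROW_RE if the column layout on your PAN-OS version differs from the constructed sample.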
View the most recent addresses learned from a particular User-ID agent:
> show log userid datasourcename equal <agent-name> direction equal backward
View mappings from a particular type of authentication service:
> show log userid datasourcetype equal <authentication-service>
where <authentication-service> can be authenticate, client-cert, directory-server, exchange-server, globalprotect, kerberos, netbios-probing, ntlm, unknown, vpn-client, or wmi-probing.
For example, to view all user mappings from the Kerberos server, you would enter the following command:
> show log userid datasourcetype equal kerberos
View mappings learned using a particular type of user mapping:
> show log userid datasource equal <datasource>
where <datasource> can be agent, captive-portal, event-log, ha, probing, server-session-monitor, ts-agent, unknown, vpn-client, or xml-api.
For example, to view all user mappings from the XML API, you would enter the following command:
> show log userid datasource equal xml-api
Find a user mapping based on an email address:
> show user email-lookup
+ base                Default base distinguished name (DN) to use for searches
+ bind-dn             bind distinguished name
+ bind-password       bind password
+ domain              Domain name to be used for username
+ group-object        group object class (comma-separated)
+ name-attribute      name attribute
+ proxy-agent         agent ip or host name
+ proxy-agent-port    user-id agent listening port, default is 5007
+ use-ssl             use-ssl
* email               email address
> mail-attribute      mail attribute
> server              ldap server ip or host name
> server-port         ldap server listening port
For example, the following lookup returns the username mapped to the given email address:
> show user email-lookup base "DC=lab,DC=sg,DC=acme,DC=local" bind-dn "CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local" bind-password acme use-ssl no email firstname.lastname@example.org mail-attribute mail server 10.1.1.1 server-port 389
labsg\user1
Clear the User-ID cache:
> clear user-cache all
Clear a User-ID mapping for a specific IP address:
> clear user-cache ip <ip-address/netmask>