Verify the User-ID Configuration
After you configure user and group mapping, enable User-ID in your Security policy, and configure Authentication policy, you should verify that User-ID works properly.
- Verify that group mapping is working. From the CLI, enter the following operational command:
    > show user group-mapping statistics
- Verify that user mapping is working. If you are using the PAN-OS integrated User-ID agent, you can verify this from the CLI using the following command:
    > show user ip-user-mapping-mp all
    IP              Vsys   From    User                 Timeout (sec)
    ------------------------------------------------------
    192.168.201.1   vsys1  UIA     acme\george          210
    192.168.201.11  vsys1  UIA     acme\duane           210
    192.168.201.50  vsys1  UIA     acme\betsy           210
    192.168.201.10  vsys1  UIA     acme\administrator   210
    192.168.201.100 vsys1  AD      acme\administrator   748
    Total: 5 users
    *: WMI probe succeeded
- Test your Security policy rule.
- From a machine in the zone where User-ID is enabled, attempt to access sites and applications to test the rules you defined in your policy and ensure that traffic is allowed and denied as expected.
- You can also troubleshoot the running configuration to determine whether the policy is configured correctly. For example, suppose you have a rule that blocks user duane from playing World of Warcraft; you could test the policy as follows:
- Select Device > Troubleshooting, and select Security Policy Match from the Select Test drop-down.
- Enter 0.0.0.0 as the Source and Destination IP addresses. This executes the policy match test against any source and destination IP addresses.
- Enter the Destination Port.
- Enter the Protocol.
- Execute the security policy match test.
- Test your Authentication policy and Captive Portal configuration.
- From the same zone, go to a machine that is not a member of your directory, such as a Mac OS system, and try to ping a system external to the zone. The ping should work without requiring authentication.
- From the same machine, open a browser and navigate to a web site in a destination zone that matches an Authentication rule you defined. The Captive Portal web form should display and prompt you for login credentials.
- Log in using the correct credentials and confirm that you are redirected to the requested page.
- You can also test your Authentication policy using the test cp-policy-match operational command as follows:
    > test cp-policy-match from corporate to internet source 192.168.201.10 destination 188.8.131.52
    Matched rule: 'captive portal' action: web-form
- Verify that the log files display usernames. Select a logs page (such as Monitor > Logs > Traffic) and verify that the Source User column displays usernames.
- Verify that reports display usernames.
- Select a report type that includes usernames. For example, the Denied Applications report, Source User column, should display a list of the users who attempted to access the applications.
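The user-mapping check above can be scripted. The following Python is an added example, not part of the PAN-OS documentation: it parses saved output of `show user ip-user-mapping-mp all`, confirms that expected users have a mapping, and lists users mapped to more than one IP so each mapping can be confirmed as intended. It assumes whitespace-separated columns in the order shown on this page; the function names and the expected-user list are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Sample input: the command output shown on this page.
SAMPLE = r"""
IP              Vsys   From    User                 Timeout (sec)
------------------------------------------------------
192.168.201.1   vsys1  UIA     acme\george          210
192.168.201.11  vsys1  UIA     acme\duane           210
192.168.201.50  vsys1  UIA     acme\betsy           210
192.168.201.10  vsys1  UIA     acme\administrator   210
192.168.201.100 vsys1  AD      acme\administrator   748
Total: 5 users
*: WMI probe succeeded
"""

def parse_mappings(text):
    """Return (rows, reported_total) parsed from the mapping table."""
    rows, total = [], None
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("Total:") and len(fields) >= 2:
            total = int(fields[1])
            continue
        if len(fields) != 5:
            continue  # header, separator, legend or blank line
        try:
            ipaddress.ip_address(fields[0])
            timeout = int(fields[4])
        except ValueError:
            continue  # not a data row
        rows.append({"ip": fields[0], "vsys": fields[1], "source": fields[2],
                     "user": fields[3], "timeout": timeout})
    return rows, total

def verify(text, expected_users):
    """Summarise the mapping table against a list of users that should appear."""
    rows, total = parse_mappings(text)
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"].lower()].append((r["ip"], r["source"]))
    return {
        # Parsed row count should equal the "Total: N users" footer.
        "count_matches_total": total == len(rows),
        # Expected users with no IP mapping at all.
        "missing": sorted(u for u in expected_users if u.lower() not in by_user),
        # Users mapped to several IPs, with the source of each mapping.
        "multi_ip": {u: m for u, m in by_user.items() if len(m) > 1},
    }

if __name__ == "__main__":
    # acme\pat is a constructed name that is absent from the sample.
    print(verify(SAMPLE, [r"acme\duane", r"acme\pat"]))
```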