CLI Cheat Sheet: User-ID
Table of Contents
PAN.OS 11.1 & Later
Expand all | Collapse all
-
- Set Commands Introduced in PAN-OS 11.1
- Set Commands Removed in PAN-OS 11.1
- Show Commands Introduced in PAN-OS 11.1
- Set Commands Introduced in PAN-OS 11.2
- Set Commands Changed in PAN-OS 11.2
- Set Commands Removed in PAN-OS 11.2
- Show Commands Introduced in PAN-OS 11.2
- Show Commands Removed in PAN-OS 11.2
CLI Cheat Sheet: User-ID
Use the following commands to perform common User-ID configuration
and monitoring tasks.
To see more comprehensive logging information
enable debug mode on the agent using the debug user-id log-ip-user-mapping yes command.
When you are done troubleshooting, disable debug mode using debug user-id log-ip-user-mapping no.
CLI Cheat Sheet:
User-ID |
|---|
View all User-ID agents configured to send
user mappings to the Palo Alto Networks device:
> show user user-id-agent state all
> show user server-monitor state all |
View how many log messages came in from
syslog senders and how many entries the User-ID agent successfully
mapped: > show user server-monitor statistics |
View the configuration of a User-ID agent
from the Palo Alto Networks device: > show user user-id-agent config name <agent-name> |
View group mapping information: > show user group-mapping statistics > show user group-mapping state all > show user group list > show user group name <group-name> |
View all user mappings on the Palo Alto
Networks device: > show user ip-user-mapping allShow
user mappings filtered by a username string (if the string includes
the domain name, use two backslashes before the username):> show user ip-user-mapping all | match <domain>\\<username-string>Show
user mappings for a specific IP address:> show user ip-user-mapping ip <ip-address>Show
usernames:> show user user-ids |
View the most recent addresses learned from
a particular User-ID agent: > show log userid datasourcename equal <agent-name> direction equal backward |
View mappings from a particular type of
authentication service: > show log userid datasourcetype equal <authentication-service>where <authentication-service> can
be authenticate, client-cert, directory-server, exchange-server, globalprotect, kerberos, netbios-probing, ntlm, unknown, vpn-client,
or wmi-probing.For example, to view all
user mappings from the Kerberos server, you would enter the following
command: > show log userid datasourcetype equal kerberos |
View mappings learned using a particular
type of user mapping: > show log userid datasource equal <datasource>where <datasource> can
be agent, captive-portal, event-log, ha, probing, server-session-monitor, ts-agent, unknown, vpn-client,
or xml-api.For example, to view all user
mappings from the XML API, you would enter the following command: > show log userid datasourcetype equal xml-api |
Find a user mapping based on an email address: > show user email-lookup
+ base Default base distinguished name (DN) to use for searches
+ bind-dn bind distinguished name
+ bind-password bind password
+ domain Domain name to be used for username
+ group-object group object class(comma-separated)
+ name-attribute name attribute
+ proxy-agent agent ip or host name.
+ proxy-agent-port user-id agent listening port, default is 5007
+ use-ssl use-ssl
* email email address
> mail-attribute mail attribute
> server ldap server ip or host name.
> server-port ldap server listening port For
example: > show user email-lookup base "DC=lab,DC=sg,DC=acme,DC=local" bind-dn "CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local" bind-password acme use-ssl no email user1@lab.sg.acme.local mail-attribute mail server 10.1.1.1 server-port 389 labsg\user1
|
Clear the User-ID cache: clear user-cache allClear
a User-ID mapping for a specific IP address:clear user-cache ip <ip-address/netmask> |