A Palo Alto Networks firewall running PAN-OS 5.0 is configured to collect IP-user mapping from a User-ID Agent and through the agentless User-ID feature. Two types of mapping are collected in this scenario:
- AD - The IP-user mapping collected by the agentless service
- UIA - The IP-user mapping retrieved from the User-ID Agent
The command show user ip-user-mapping all type <value> displays mappings only for the given type. Use 'UIA' or 'AD' as the <value> to display the desired mapping information.
The max timeout for UIA learned mapping is 3600 seconds, and the max timeout for AD learned mapping is 86400 seconds.
For example, to view the IP-user mapping collected from a 4.1.x User-ID Agent:
admin>show user ip-user-mapping all type UIA
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------------------- -------------- -------------
192.168.135.200 vsys1 UIA pantac\user1 3549 3549
Total: 1 users
To view the IP-user mapping collected from the agentless User-ID service:
admin>show user ip-user-mapping all type AD
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------------------- -------------- -------------
172.17.132.52 vsys1 AD plano2003\administrator 2690 2689
Total: 1 users
Verify the source of the IP-user mapping using the command: show log userid
admin> show log userid
1,2013/06/21 15:50:33,0006C114479,USERID,login,69,2013/06/21 15:50:33,vsys1,192.168.135.200,pantac\user1,dc,0,1,3600,0,0,agent,unknown,3387,0x0
1,2013/06/21 16:06:28,0006C114479,USERID,login,73,2013/06/21 16:06:28,vsys1,172.17.132.52,plano2003\administrator,dc,0,1,2700,0,0,active-directory,unknown,3388,0x0
In the example output above, the log entry containing the word 'agent' indicates the User-ID Agent as the origin. The term 'active-directory' indicates that the entry was learned by the agentless User-ID service on the firewall, which queried Active Directory directly.
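The following script is an added example, not part of the original article or of any Palo Alto Networks tool. It cross-checks the 'show user ip-user-mapping' table against 'show log userid' entries the way the article describes: the 'From' column (UIA or AD) should agree with the data-source value in the log ('agent' or 'active-directory'), the user should match, and the MaxTimeout should not exceed the stated ceiling for that type (3600 s for UIA, 86400 s for AD). The sample input is constructed from the two tables and two log lines shown above, merged into one table for convenience. The positions of the fields in the USERID log line (type at index 3, IP at 8, user at 9, timeout at 13, data-source type at 16) are inferred from the two entries above and are an assumption.

```python
"""Correlate PAN-OS 'show user ip-user-mapping' output with 'show log userid'
entries to confirm the origin of each IP-user mapping (added example)."""
import csv
import io
import re

# Maximum timeouts stated in the article for each mapping type (seconds).
MAX_TIMEOUT = {"UIA": 3600, "AD": 86400}

# Assumed mapping from the data-source value in a USERID log entry to the
# type shown in the 'From' column of the mapping table.
SOURCE_TO_TYPE = {"agent": "UIA", "active-directory": "AD"}

# Sample input constructed from the CLI outputs above (both tables merged).
MAPPING_OUTPUT = """\
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------------------- -------------- -------------
192.168.135.200 vsys1 UIA pantac\\user1 3549 3549
172.17.132.52 vsys1 AD plano2003\\administrator 2690 2689
Total: 2 users
"""

# Sample USERID log lines, copied from the article's 'show log userid' output.
USERID_LOG = """\
1,2013/06/21 15:50:33,0006C114479,USERID,login,69,2013/06/21 15:50:33,vsys1,192.168.135.200,pantac\\user1,dc,0,1,3600,0,0,agent,unknown,3387,0x0
1,2013/06/21 16:06:28,0006C114479,USERID,login,73,2013/06/21 16:06:28,vsys1,172.17.132.52,plano2003\\administrator,dc,0,1,2700,0,0,active-directory,unknown,3388,0x0
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_mapping_table(text):
    """Return {ip: {vsys, type, user, idle, max}} from the CLI table.

    Header, separator and 'Total:' lines are skipped because they do not
    start with an IPv4 address or do not have exactly six columns."""
    mappings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not IP_RE.match(parts[0]):
            continue
        ip, vsys, mtype, user, idle, maxt = parts
        mappings[ip] = {"vsys": vsys, "type": mtype, "user": user,
                        "idle": int(idle), "max": int(maxt)}
    return mappings


def parse_userid_log(text):
    """Return {ip: {user, timeout, source, type}} from USERID log lines.

    Field positions are an assumption based on the two sample entries:
    index 3 = log type, 8 = IP, 9 = user, 13 = timeout, 16 = data-source type."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 17 or row[3] != "USERID":
            continue
        source = row[16]
        entries[row[8]] = {"user": row[9], "timeout": int(row[13]),
                           "source": source,
                           "type": SOURCE_TO_TYPE.get(source, "UNKNOWN")}
    return entries


def check_mappings(table_text, log_text):
    """Cross-check each mapping against its log entry; return (ip, reason) findings."""
    findings = []
    log = parse_userid_log(log_text)
    for ip, m in parse_mapping_table(table_text).items():
        entry = log.get(ip)
        if entry is None:
            findings.append((ip, "no USERID login entry found"))
            continue
        if entry["type"] != m["type"]:
            findings.append((ip, f"table says {m['type']} but log source is {entry['source']}"))
        if entry["user"] != m["user"]:
            findings.append((ip, f"user mismatch: {m['user']} vs {entry['user']}"))
        ceiling = MAX_TIMEOUT.get(m["type"])
        if ceiling is not None and m["max"] > ceiling:
            findings.append((ip, f"MaxTimeout {m['max']} exceeds {ceiling} for {m['type']}"))
    return findings


if __name__ == "__main__":
    for ip, reason in check_mappings(MAPPING_OUTPUT, USERID_LOG) or [("-", "all mappings consistent")]:
        print(ip, reason)
```

Run against the sample data, the check reports no findings: the UIA row corresponds to the 'agent' log entry and the AD row to the 'active-directory' entry, with both MaxTimeout values under their ceilings. Editing the table so that 192.168.135.200 is labelled AD produces a single finding for that IP, which is the kind of discrepancy worth investigating when a mapping appears to come from an unexpected source.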
owner: kprakash