Useful CLI Commands for Troubleshooting User-ID Agent
Created On 09/25/18 18:50 PM - Last Modified 12/15/22 20:59 PM
Environment
- PAN-OS 8.0 and above
- User-ID Agent
Resolution
- Check for agent
- To check if the agent is connected and operational:
admin@anuragFW> show user user-id-agent statistics

Name             Host            Port  Vsys   State      Ver  Usage
---------------------------------------------------------------------------
LAB_UIA          10.21.56.14     5007  vsys1  conn:idle  5
Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, 'C': Credential Enforcement

A state of 'conn:idle' indicates that the agent is connected. The Usage column is blank if the User-ID agent is only furnishing user-ip mappings and no other services such as LDAP proxy, NTLM auth or credential enforcement.
- Check for details of connection
- To see the details of the connection between User-ID agent and the firewall:
admin@anuragFW> show user user-id-agent state
  "LAB_UIA"    LAB_UIA
  all          Show all user-id agents
  <value>      <name> agent name

admin@anuragFW> show user user-id-agent state all

Agent: LAB_UIA(vsys: vsys1) Host: 10.21.56.14(10.21.56.14):5007
        Status                                            : conn:idle
        Version                                           : 0x5
        num of connection tried                           : 141
        num of connection succeeded                       : 3
        num of connection failed                          : 138
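The connection counters above are easy to misread by eye: the agent is in 'conn:idle' yet 138 of 141 attempts failed. The following is an added example, not part of the original article or any Palo Alto Networks tooling, that parses saved `show user user-id-agent state all` output and flags agents worth a closer look. The second agent (DC2_UIA), its values and the 0.5 failure threshold are assumptions made for illustration.

```python
import re

# Constructed sample: the LAB_UIA block is the output shown above; DC2_UIA and
# its values are made up to show a disconnected agent.
SAMPLE = """\
Agent: LAB_UIA(vsys: vsys1) Host: 10.21.56.14(10.21.56.14):5007
        Status                                            : conn:idle
        Version                                           : 0x5
        num of connection tried                           : 141
        num of connection succeeded                       : 3
        num of connection failed                          : 138
Agent: DC2_UIA(vsys: vsys1) Host: 192.0.2.20(192.0.2.20):5007
        Status                                            : not-conn:idle
        num of connection tried                           : 10
        num of connection failed                          : 10
"""

AGENT_RE = re.compile(
    r"^Agent:\s*(?P<name>[^(]+)\(vsys:\s*(?P<vsys>[^)]+)\)\s*"
    r"Host:\s*(?P<host>[^(\s]+)\([^)]*\):(?P<port>\d+)")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+?)\s*:\s*(?P<val>\S.*?)\s*$")

def parse_agent_state(text):
    """Return one dict per 'Agent:' block, keyed by the field labels."""
    agents, cur = [], None
    for line in text.splitlines():
        if (m := AGENT_RE.match(line)):
            cur = {"name": m["name"].strip(), "vsys": m["vsys"],
                   "host": m["host"], "port": int(m["port"])}
            agents.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur[m["key"]] = m["val"]
    return agents

def findings(agent, max_fail_ratio=0.5):
    """Flag a disconnected agent or a high share of failed connects.
    max_fail_ratio is an assumed threshold, not a vendor value."""
    out = []
    if not agent.get("Status", "").startswith("conn:"):
        out.append("not connected")
    tried = int(agent.get("num of connection tried", 0))
    failed = int(agent.get("num of connection failed", 0))
    if tried and failed / tried > max_fail_ratio:
        out.append(f"{failed}/{tried} connection attempts failed")
    return out

if __name__ == "__main__":
    for a in parse_agent_state(SAMPLE):
        print(a["name"], a["host"], a["Status"], findings(a) or "ok")
```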
- View agent configuration on firewall
- View configuration of the agent from the CLI: show user user-id-agent config name <value>
admin@anuragFW> show user user-id-agent config name "LAB_UIA"

OS: Microsoft Windows Server 2008 R2 Datacenter Edition (build 7600), 64-bit
Product Version: 8.0.3
Protocol Version: 5
Agent Config:
<?xml version="1.0" encoding="UTF-8"?>
<user-id-agent-config>
  <general-settings>
    <authentication username="administrator@opxlab.pan" dnsdomain="opxlab.pan" netbiosdomain="opxlab" password=""/>
    <server-monitor security-log-enabled="1" security-log-interval="1" session-enabled="0" session-interval="10" edir-interval="30"/>
    <probing wmi-enabled="1" netbios-enabled="1" interval="20" init-retry-delay="3"/>
    <timeout enabled="1" entry-timeout="45"/>
    <listening-port>5007</listening-port>
    <xml-api enabled="0" xml-api-port="5006"/>
    <syslog-listening enabled="0" syslog-port="514"/>
    <ip-cache enabled="1"/>
    <edirectory base-dn="" bind-dn="" search-filter="(objectClass=Person)" domain-prefix="" login-name-attribute="uniqueID" login-address-attribute="networkAddress" login-time-attribute="loginTime" use-ssl="1" verify-certificate="0"/>
    <credentials_path enabled="0" path=""/>
    <credentials_rodc enabled="0" interval="" auto-discover-replication-policy="0" cacheable-dn=""/>
  </general-settings>
  <acl-settings>
  </acl-settings>
  <syslog-profiles>
  </syslog-profiles>
  <server-settings>
    <server-entry name="win_svr62.opxlab.pan" type="active-directory" address="10.21.56.14" port="" syslog-profile="" default-domain="">
    </server-entry>
  </server-settings>
  <include-exclude-settings>
  </include-exclude-settings>
  <custom-securitylog-formats>
  </custom-securitylog-formats>
  <vmmonitor-settings>
  </vmmonitor-settings>
</user-id-agent-config>
Ignore Users:
- Set and view logging level
- There are two ways to set the logging level on the Agent and then view them. The default level is 'Info'.
- From the Firewall's CLI enable debug on user-id agent: debug user-id agent <value> on debug
admin@anuragFW> debug user-id agent "LAB_UIA" on debug
Send debug message to agent LAB_UIA
admin@anuragFW> debug user-id agent "LAB_UIA" receive yes
Send debug message to agent LAB_UIA
- View and clear logs
- To view the logs, the following commands can be used as per the requirement:
less agent-log <value>
tail follow <yes|no> lines <1-65535> agent-log <value>

admin@anuragFW> less agent-log 1.LAB_UIA.log
08/01/17 07:28:30:045[Debug 3534]: Device thread 1 handle msg get:user_ip. bodylen 100 xml 1
08/01/17 07:28:30:045[Debug 691]: IP 192.168.140.125 is added for initial probing. jobid 2278
08/01/17 07:28:30:045[Debug 808]: Device thread 1 sent 0 user IP mapping entries
08/01/17 07:28:30:045[Debug 77]: tid 3032: Probing IP 192.168.140.125 for jobID 2278.
...
...
...truncated for brevity...

admin@anuragFW> tail lines 10 agent-log 1.LAB_UIA.log
08/01/17 07:35:01:532[Debug 472]: UserIpMap: IP (10.21.56.153) Username (opxlab\administrator) queued for xmission to firewall
08/01/17 07:35:03:544[Debug 284]: Reading 25 security logs takes 0 ms for DC win_svr62.opxlab.pan.
08/01/17 07:35:03:560[Debug 367]: Composed ip-users msg with 1 add and 0 delete.
08/01/17 07:35:03:560[Debug 1009]: update uids is sent. 1 add 0 del.
08/01/17 07:35:04:558[Debug 3534]: Device thread 1 handle msg get:user_ip. bodylen 98 xml 1
08/01/17 07:35:04:558[Debug 3534]: Device thread 6 handle msg get:user_ip. bodylen 98 xml 1
08/01/17 07:35:04:558[Debug 691]: IP 192.168.73.16 is added for initial probing. jobid 2324
08/01/17 07:35:04:558[Debug 808]: Device thread 1 sent 0 user IP mapping entries
08/01/17 07:35:04:558[Debug 77]: tid 5224: Probing IP 192.168.73.16 for jobID 2324.
- To clear the agent-log, use the following command:
admin@anuragFW> debug user-id agent LAB_UIA clear log
debug log for agent 'LAB_UIA'(vsys1) is truncated.
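When the debug agent-log runs to thousands of lines, it helps to reduce it to the events that matter for mapping accuracy before clearing it. The following is an added example, not part of the original article or any vendor tool, that parses agent-log lines in the format shown above and summarises the mappings queued, the updates sent to the firewall and the IPs probed. The MM/DD/YY reading of the timestamp and the choice of which messages to extract are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: agent-log lines copied from the output on this page,
# ending with the page's truncation marker to show unparsed-line handling.
SAMPLE = r"""
08/01/17 07:35:01:532[Debug 472]: UserIpMap: IP (10.21.56.153) Username (opxlab\administrator) queued for xmission to firewall
08/01/17 07:35:03:560[Debug 367]: Composed ip-users msg with 1 add and 0 delete.
08/01/17 07:35:03:560[Debug 1009]: update uids is sent. 1 add 0 del.
08/01/17 07:35:04:558[Debug 691]: IP 192.168.73.16 is added for initial probing. jobid 2324
08/01/17 07:35:04:558[Debug 77]: tid 5224: Probing IP 192.168.73.16 for jobID 2324.
...truncated for brevity...
"""

# Timestamp is assumed to be MM/DD/YY HH:MM:SS:mmm.
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\[(\w+)\s+(\d+)\]: (.*)$")
MAP_RE = re.compile(r"UserIpMap: IP \(([^)]+)\) Username \(([^)]+)\) queued")
PROBE_RE = re.compile(r"Probing IP (\S+) for jobID (\d+)")
SENT_RE = re.compile(r"update uids is sent\. (\d+) add (\d+) del")

def parse_agent_log(text):
    """Summarise mappings queued, updates sent and IPs probed."""
    s = {"queued": [], "probed": [], "sent_add": 0, "sent_del": 0, "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            s["unparsed"].append(line)  # keep, do not silently drop
            continue
        ts = datetime.strptime(m[1], "%m/%d/%y %H:%M:%S:%f")
        msg = m[4]
        if (q := MAP_RE.search(msg)):
            s["queued"].append((ts, q[1], q[2]))
        elif (p := PROBE_RE.search(msg)):
            s["probed"].append((ts, p[1], int(p[2])))
        elif (u := SENT_RE.search(msg)):
            s["sent_add"] += int(u[1])
            s["sent_del"] += int(u[2])
    return s

if __name__ == "__main__":
    r = parse_agent_log(SAMPLE)
    for ts, ip, user in r["queued"]:
        print(ts.isoformat(), ip, user)
    print("sent:", r["sent_add"], "add", r["sent_del"], "del; probed:",
          [ip for _, ip, _ in r["probed"]], "; unparsed:", len(r["unparsed"]))
```

Comparing the number of queued mappings with the add count sent is a quick consistency check, bearing in mind that a log excerpt can begin or end between the two messages.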
- View user-ip mappings
- To view the user-ip mappings from the agent, run the following command:
admin@anuragFW> show user ip-user-mapping all type UIA

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.21.56.138    vsys1  UIA     opxlab\administrator             495            495
10.21.56.76     vsys1  UIA     opxlab\dev22                     332            332
10.21.2.31      vsys1  UIA     opxlab\administrator             553            553
Total: 3 users
- Refresh user-ip mappings
- To refresh the user-ip mappings from the agent, run the following command:
admin@anuragFW> debug user-id refresh user-id agent
  LAB_UIA    LAB_UIA
  all        refretch from all user-id agent
  <value>    specify one agent

admin@anuragFW> debug user-id refresh user-id agent LAB_UIA
mark agent LAB_UIA(1) for refetching all
- Reset User-ID agent
- To reset (reconnect) the User-ID agent, run the following command: debug user-id reset user-id-agent <value>
admin@anuragFW> debug user-id reset user-id-agent LAB_UIA
User-ID Agent agent 'LAB_UIA' in vsys1 is marked for reset.
- View agent-related issues
- To view the logs in useridd.log regarding agent-related issues:
admin@anuragFW> debug user-id set agent basic
Debug level is info
admin@anuragFW> debug user-id on debug
debug level set to debug

admin@anuragFW> tail follow yes mp-log useridd.log
2017-08-01 07:40:12.995 +0530 Warning: pan_regip_reg(pan_reg_ip.c:1152): tag FROM_PING for ip 192.168.143.144 exists, ignore
2017-08-01 07:40:12.997 +0530 Error: cfgagent_doop_callback(pan_cfgagent.c:553): Failed to handle op command for agent: useridd
2017-08-01 07:51:13.821 +0530 debug: pan_user_id_agent_uia_handle_msg(pan_user_id_uia_v5.c:1048): handling message status