Palo Alto Networks Knowledgebase: Useful CLI Commands for Troubleshooting User-ID Agent

Created On 02/07/19 23:51 PM - Last Updated 02/07/19 23:51 PM
Resolution

This document familiarizes users and administrators with the CLI commands (on PAN-OS 8.0) relevant to the User-ID agent running on a Windows server.

 

Check for agent

  • To check if the agent is connected and operational:

 

admin@anuragFW> show user user-id-agent statistics

Name              Host            Port  Vsys    State        Ver  Usage
---------------------------------------------------------------------------
LAB_UIA           10.21.56.14     5007  vsys1   conn:idle    5

Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, 'C': Credential Enforcement

A state of 'conn:idle' indicates that the agent is connected. The Usage column is blank if the User-ID agent is only furnishing user-ip mappings and no other services such as LDAP proxy, NTLM auth or credential enforcement.

 

Check for details of connection

  • To see the details of the connection between User-ID agent and the firewall:

 

admin@anuragFW> show user user-id-agent state
"LAB_UIA" LAB_UIA
all Show all user-id agents
<value> <name> agent name

admin@anuragFW> show user user-id-agent state all

Agent: LAB_UIA(vsys: vsys1) Host: 10.21.56.14(10.21.56.14):5007
Status : conn:idle
Version : 0x5
num of connection tried : 141
num of connection succeeded : 3
num of connection failed : 138
num of status msgs rcvd : 2972
num of request of status msgs sent : 2972
num of request of ip mapping msgs sent : 0
num of request of new ip mapping msgs sent : 0
num of request of all ip mapping msgs sent : 3
num of user ip mapping msgs rcvd : 1085
num of ip msgs rcvd but failed to proc : 0
num of user ip mapping add entries rcvd : 1693
num of user ip mapping del entries rcvd : 28
num of request of group msgs sent : 0
num of group msgs rcvd : 0
num of group msgs recvd buf fail to proc : 0
num of xml data msgs rcvd : 0
num of xml data msgs rcvd but failed to proc : 0
num of sync digest messages sent : 0
num of sync digest messages received : 0
num of sync group messages sent : 0
num of sync group messages received : 0
num of sync users messages sent : 0
num of sync users messages received : 0
num of bloomfilter requests sent : 0
num of bloomfilter response received : 0
num of bloomfilter response failed to proc : 0
num of bloomfilter resize requests sent : 0
Last heard(seconds ago) : 2
Messages State:
Job ID : 0
Sent messages : 2978
Rcvd messages : 4061
Rcvd rate(msgs/s) : 0
Rcvd peak rate(msgs/s) : 1
Lost messages : 0
Failed to send messages : 0
Failed to enqueue messages : 0
Queued sending msgs with priority 0 : 0
Queued sending msgs with priority 1 : 0
Queued rcvring msgs with priority 0 : 0
Queued rcvring msgs with priority 1 : 0
Credential Enforcement Status : Disabled
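
The counters in this output can be checked by script once the text has been saved off the firewall. The following is an added example, not part of the original article or any Palo Alto Networks tooling: it parses the "state all" text and reports what stands out, with the function names and both thresholds being assumptions.

```python
import re

# Constructed sample: a shortened copy of the "state all" output shown above.
SAMPLE = """\
Agent: LAB_UIA(vsys: vsys1) Host: 10.21.56.14(10.21.56.14):5007
Status : conn:idle
num of connection tried : 141
num of connection failed : 138
num of ip msgs rcvd but failed to proc : 0
Last heard(seconds ago) : 2
Lost messages : 0
Failed to send messages : 0
"""

AGENT_RE = re.compile(r"^Agent:\s*(\S+?)\(vsys:\s*(\S+?)\)\s*Host:\s*(\S+?)\(")
ERROR_COUNTERS = ("Lost messages", "Failed to send messages",
                  "Failed to enqueue messages", "num of ip msgs rcvd but failed to proc")

def parse_agents(text):
    """Split the output into one {field: value} dict per 'Agent:' block."""
    agents = []
    for line in text.splitlines():
        m = AGENT_RE.match(line.strip())
        if m:
            agents.append(dict(zip(("name", "vsys", "host"), m.groups())))
        elif agents and " : " in line:
            # Split on the first ' : ' so values such as conn:idle stay whole.
            key, _, value = line.partition(" : ")
            agents[-1][key.strip()] = value.strip()
    return agents

def health_findings(agent, max_silence_s=60, max_fail_ratio=0.5):
    """Return findings for one agent; an empty list means nothing stood out.
    Both thresholds are assumptions, not vendor guidance."""
    num = lambda key: int(agent.get(key, 0))
    findings = []
    if agent.get("Status") != "conn:idle":
        findings.append(f"status is {agent.get('Status')!r}, not 'conn:idle'")
    if num("Last heard(seconds ago)") > max_silence_s:
        findings.append(f"silent for {num('Last heard(seconds ago)')}s")
    tried, failed = num("num of connection tried"), num("num of connection failed")
    if tried and failed / tried > max_fail_ratio:
        findings.append(f"{failed}/{tried} connection attempts failed")
    findings += [f"{key}: {num(key)}" for key in ERROR_COUNTERS if num(key)]
    return findings

if __name__ == "__main__":
    for agent in parse_agents(SAMPLE):
        print(agent["name"], health_findings(agent) or "OK")
```

On the sample above the agent is connected and was heard from 2 seconds ago, so the only finding is the connection failure ratio (138 of 141 attempts).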

 

View agent configuration on firewall

  • To view the configuration of the agent on the firewall:
admin@anuragFW> show user user-id-agent config name
"LAB_UIA" LAB_UIA
<value> user-id-agent name

admin@anuragFW> show user user-id-agent config name "LAB_UIA"

OS: Microsoft Windows Server 2008 R2 Datacenter Edition (build 7600), 64-bit
Product Version: 8.0.3
Protocol Version: 5

Agent Config:
<?xml version="1.0" encoding="UTF-8"?>
<user-id-agent-config>
<general-settings>
<authentication username="administrator@opxlab.pan" dnsdomain="opxlab.pan" netbiosdomain="opxlab" password=""/>
<server-monitor security-log-enabled="1" security-log-interval="1" session-enabled="0" session-interval="10" edir-interval="30"/>
<probing wmi-enabled="1" netbios-enabled="1" interval="20" init-retry-delay="3"/>
<timeout enabled="1" entry-timeout="45"/>
<listening-port>5007</listening-port>
<xml-api enabled="0" xml-api-port="5006"/>
<syslog-listening enabled="0" syslog-port="514"/>
<ip-cache enabled="1"/>
<edirectory base-dn="" bind-dn="" search-filter="(objectClass=Person)" domain-prefix="" login-name-attribute="uniqueID" login-address-attribute="networkAddress" login-time-attribute="loginTime" use-ssl="1" verify-certificate="0"/>
<credentials_path enabled="0" path=""/>
<credentials_rodc enabled="0" interval="" auto-discover-replication-policy="0" cacheable-dn=""/>
</general-settings>
<acl-settings>
</acl-settings>
<syslog-profiles>
</syslog-profiles>
<server-settings>
<server-entry name="win_svr62.opxlab.pan" type="active-directory" address="10.21.56.14" port="" syslog-profile="" default-domain="">
</server-entry>
</server-settings>
<include-exclude-settings>
</include-exclude-settings>
<custom-securitylog-formats>
</custom-securitylog-formats>
<vmmonitor-settings>
</vmmonitor-settings>
</user-id-agent-config>
Ignore Users:

 

Set and view logging level

  • There are two ways to set the logging level on the agent and then view the logs. The default level is 'Info'.
    1. From the Agent itself. [Image: UIA.JPG] Use the scroll bar to view the latest logs.
    2. From the firewall's CLI:
admin@anuragFW> debug user-id agent
"LAB_UIA" LAB_UIA
<value> specify one agent

admin@anuragFW> debug user-id agent "LAB_UIA" on
debug Output error, warning, info and debug logs
error Only output error logs
info Only output error, warning and info logs
verbose Output error, warning, info, debug and verbose logs
warn Only output error and warning logs

admin@anuragFW> debug user-id agent "LAB_UIA" on debug

Send debug message to agent LAB_UIA

admin@anuragFW> debug user-id agent "LAB_UIA" receive yes

Send debug message to agent LAB_UIA

 

View and clear logs

  • To view the logs, the following commands can be used as per the requirement:
less agent-log <value>
tail follow <yes|no> lines <1-65535> agent-log <value>

Example:

admin@anuragFW> less agent-log 1.LAB_UIA.log
08/01/17 07:28:30:045[Debug 3534]: Device thread 1 handle msg get:user_ip. bodylen 100 xml 1
08/01/17 07:28:30:045[Debug 691]: IP 192.168.140.125 is added for initial probing. jobid 2278
08/01/17 07:28:30:045[Debug 808]: Device thread 1 sent 0 user IP mapping entries
08/01/17 07:28:30:045[Debug 77]: tid 3032: Probing IP 192.168.140.125 for jobID 2278.
...
...
...truncated for brevity...

 

admin@anuragFW> tail lines 10 agent-log 1.LAB_UIA.log
08/01/17 07:35:01:532[Debug 472]: UserIpMap: IP (10.21.56.153) Username (opxlab\administrator) queued for xmission to firewall
08/01/17 07:35:03:544[Debug 284]: Reading 25 security logs takes 0 ms for DC win_svr62.opxlab.pan.
08/01/17 07:35:03:560[Debug 367]: Composed ip-users msg with 1 add and 0 delete.
08/01/17 07:35:03:560[Debug 1009]: update uids is sent. 1 add 0 del.
08/01/17 07:35:04:558[Debug 3534]: Device thread 1 handle msg get:user_ip. bodylen 98 xml 1
08/01/17 07:35:04:558[Debug 3534]: Device thread 6 handle msg get:user_ip. bodylen 98 xml 1
08/01/17 07:35:04:558[Debug 691]: IP 192.168.73.16 is added for initial probing. jobid 2324
08/01/17 07:35:04:558[Debug 808]: Device thread 1 sent 0 user IP mapping entries
08/01/17 07:35:04:558[Debug 77]: tid 5224: Probing IP 192.168.73.16 for jobID 2324.
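
When the agent log is reviewed offline, the user-to-IP mapping events and probe requests can be pulled out of the debug lines. The following is an added example, not part of the original article: the function names are hypothetical, and the MM/DD/YY reading of the timestamp is an assumption inferred from the 2017-08-01 dates in the useridd.log excerpt on this page.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the agent-log output shown above.
SAMPLE_LOG = r"""
08/01/17 07:35:01:532[Debug 472]: UserIpMap: IP (10.21.56.153) Username (opxlab\administrator) queued for xmission to firewall
08/01/17 07:35:03:560[Debug 367]: Composed ip-users msg with 1 add and 0 delete.
08/01/17 07:35:04:558[Debug 691]: IP 192.168.73.16 is added for initial probing. jobid 2324
08/01/17 07:35:04:558[Debug 77]: tid 5224: Probing IP 192.168.73.16 for jobID 2324.
...truncated for brevity...
"""

# Layout: date time:millis[Level number]: message. MM/DD/YY is an assumption.
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d):(\d{3})\[(\w+)\s+(\d+)\]: (.*)$")
MAP_RE = re.compile(r"UserIpMap: IP \(([^)]+)\) Username \(([^)]+)\)")
PROBE_RE = re.compile(r"IP (\S+) is added for initial probing\. jobid (\d+)")

def parse_line(line):
    """Return (timestamp, level, message), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
    return stamp.replace(microsecond=int(m.group(2)) * 1000), m.group(3), m.group(5)

def extract_events(text):
    """Collect user-to-IP mapping events and initial-probe requests."""
    mappings, probes = [], []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank lines, truncation markers, wrapped output
        stamp, _level, message = parsed
        if (m := MAP_RE.search(message)):
            mappings.append((stamp, m.group(1), m.group(2)))
        elif (m := PROBE_RE.search(message)):
            probes.append((stamp, m.group(1), int(m.group(2))))
    return mappings, probes

if __name__ == "__main__":
    mappings, probes = extract_events(SAMPLE_LOG)
    for stamp, ip, user in mappings:
        print(f"{stamp.isoformat()} {user} -> {ip}")
    print(f"{len(probes)} initial-probe request(s)")
```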

 

  • To clear the agent-log, use the following command:
admin@anuragFW> debug user-id agent LAB_UIA clear log

debug log for agent 'LAB_UIA'(vsys1) is truncated.

 

View user-ip mappings

  • To view the user-ip mappings from the agent, run the following command:
admin@anuragFW> show user ip-user-mapping all type UIA

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.21.56.138    vsys1  UIA     opxlab\administrator             495            495
10.21.56.76     vsys1  UIA     opxlab\dev22                     332            332
10.21.2.31      vsys1  UIA     opxlab\administrator             553            553
Total: 3 users

 

Refresh user-ip mappings

  • To refresh the user-ip mappings from the agent, run the following command:
admin@anuragFW> debug user-id refresh user-id agent
LAB_UIA LAB_UIA
all refretch from all user-id agent
<value> specify one agent

admin@anuragFW> debug user-id refresh user-id agent LAB_UIA

mark agent LAB_UIA(1) for refetching all

 

Reset user-ip agent

  • To reset (reconnect) the user-ip agent, run the following command:
admin@anuragFW> debug user-id reset user-id-agent
LAB_UIA LAB_UIA
all reconnect all user-id agent
<value> specify one agent

admin@anuragFW> debug user-id reset user-id-agent LAB_UIA

User-ID Agent agent 'LAB_UIA' in vsys1 is marked for reset.

 

View agent-related issues

  • To view the logs in useridd.log regarding agent-related issues:
admin@anuragFW> debug user-id set agent
all all
basic basic
conn conn
detail detail
group group
ntlm ntlm
sslvpn sslvpn
tsa tsa

admin@anuragFW> debug user-id set agent basic

Debug level is info

admin@anuragFW> debug user-id on debug

debug level set to debug

admin@anuragFW> tail follow yes mp-log useridd.log
2017-08-01 07:40:12.995 +0530 Warning: pan_regip_reg(pan_reg_ip.c:1152): tag FROM_PING for ip 192.168.143.144 exists, ignore
2017-08-01 07:40:12.997 +0530 Error: cfgagent_doop_callback(pan_cfgagent.c:553): Failed to handle op command for agent:
useridd
2017-08-01 07:51:13.821 +0530 debug: pan_user_id_agent_uia_handle_msg(pan_user_id_uia_v5.c:1048): handling message status

 

See also

User-ID Agent Setup tips

User-ID Agent Installation and setup

User-ID Resource list

 

 

owner: ansharma


