Useful CLI Commands for Troubleshooting User-ID Agent

Useful CLI Commands for Troubleshooting User-ID Agent

258876
Created On 09/25/18 18:50 PM - Last Modified 12/15/22 20:59 PM


Environment


  • PAN-OS 8.0 and above
  • User-ID Agent


Resolution


  1. Check for agent
    1. To check if the agent is connected and operational:
admin@anuragFW> show user user-id-agent statistics

Name          Host            Port    Vsys     State         Ver    Usage
---------------------------------------------------------------------------
LAB_UIA       10.21.56.14     5007    vsys1    conn:idle     5

Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, 'C': Credential Enforcement

A state of 'conn:idle' indicates the connected state. Usage would show blank if the User-ID agent is only furnishing user-ip mappings and no other services such as LDAP proxy, NTLM auth or credential enforcement.

  1. Check for details of connection
    1. To see the details of the connection between User-ID agent and the firewall:
    2. admin@anuragFW> show user user-id-agent state
       "LAB_UIA"         LAB_UIA
       all               Show all user-id agents
       <value> <name> agent name
      
      admin@anuragFW> show user user-id-agent state all
      
      Agent: LAB_UIA(vsys: vsys1) Host: 10.21.56.14(10.21.56.14):5007
       Status                                                   : conn:idle
       Version                                                  : 0x5
       num of connection tried                                  : 141
       num of connection succeeded                              : 3
       num of connection failed                                 : 138
  2. View agent configuration on firewall
    1. View configuration of the agent from CLIl: show user user-id-agent config name <value>
    2. admin@anuragFW> show user user-id-agent config name "LAB_UIA"
      
      OS: Microsoft Windows Server 2008 R2 Datacenter Edition (build 7600), 64-bit
      Product Version: 8.0.3
      Protocol Version: 5
      
      Agent Config:
      <?xml version="1.0" encoding="UTF-8"?>
      <user-id-agent-config>
      <general-settings>
      <authentication username="administrator@opxlab.pan" dnsdomain="opxlab.pan" netbiosdomain="opxlab" password=""/>
      <server-monitor security-log-enabled="1" security-log-interval="1" session-enabled="0" session-interval="10" edir-interval="30"/>
      <probing wmi-enabled="1" netbios-enabled="1" interval="20" init-retry-delay="3"/>
      <timeout enabled="1" entry-timeout="45"/>
      <listening-port>5007</listening-port>
      <xml-api enabled="0" xml-api-port="5006"/>
      <syslog-listening enabled="0" syslog-port="514"/>
      <ip-cache enabled="1"/>
      <edirectory base-dn="" bind-dn="" search-filter="(objectClass=Person)" domain-prefix="" login-name-attribute="uniqueID" login-address-attribute="networkAddress" login-time-attribute="loginT
      ime" use-ssl="1" verify-certificate="0"/>
      <credentials_path enabled="0" path=""/>
      <credentials_rodc enabled="0" interval="" auto-discover-replication-policy="0" cacheable-dn=""/>
      </general-settings>
      <acl-settings>
      </acl-settings>
      <syslog-profiles>
      </syslog-profiles>
      <server-settings>
      <server-entry name="win_svr62.opxlab.pan" type="active-directory" address="10.21.56.14" port="" syslog-profile="" default-domain="">
      </server-entry>
      </server-settings>
      <include-exclude-settings>
      </include-exclude-settings>
      <custom-securitylog-formats>
      </custom-securitylog-formats>
      <vmmonitor-settings>
      </vmmonitor-settings>
      </user-id-agent-config>
      Ignore Users:
  3. Set and view logging level
    1. There are two ways to set the logging level on the Agent and then view them. Default level is 'Info'.
f.UIA.JPG
Use the scroll bar to view the latest logs
  1. From the Firewall's CLI enable debug on user-id agent: debug user-id agent <value> on debug
    1. admin@anuragFW> debug user-id agent "LAB_UIA" on debug
      Send debug message to agent LAB_UIA
      
      admin@anuragFW> debug user-id agent "LAB_UIA" receive yes
      Send debug message to agent LAB_UIA
  2. View and clear logs
    1. To view the logs, the following commands can be used as per the requirement:
less agent-log <value>
tail follow <yes|no> lines <1-65535> agent-log <value>
admin@anuragFW> less agent-log 1.LAB_UIA.log
08/01/17 07:28:30:045[Debug 3534]: Device thread 1 handle msg get:user_ip. bodylen 100 xml 1
08/01/17 07:28:30:045[Debug 691]: IP 192.168.140.125 is added for initial probing. jobid 2278
08/01/17 07:28:30:045[Debug 808]: Device thread 1 sent 0 user IP mapping entries
08/01/17 07:28:30:045[Debug 77]: tid 3032: Probing IP 192.168.140.125 for jobID 2278.
...
...
...truncated for brevity...
admin@anuragFW> tail lines 10 agent-log 1.LAB_UIA.log
08/01/17 07:35:01:532[Debug 472]: UserIpMap: IP (10.21.56.153) Username (opxlab\administrator) queued for xmission to firewall
08/01/17 07:35:03:544[Debug 284]: Reading 25 security logs takes 0 ms for DC win_svr62.opxlab.pan.
08/01/17 07:35:03:560[Debug 367]: Composed ip-users msg with 1 add and 0 delete.
08/01/17 07:35:03:560[Debug 1009]: update uids is sent. 1 add 0 del.
08/01/17 07:35:04:558[Debug 3534]: Device thread 1 handle msg get:user_ip. bodylen 98 xml 1
08/01/17 07:35:04:558[Debug 3534]: Device thread 6 handle msg get:user_ip. bodylen 98 xml 1
08/01/17 07:35:04:558[Debug 691]: IP 192.168.73.16 is added for initial probing. jobid 2324
08/01/17 07:35:04:558[Debug 808]: Device thread 1 sent 0 user IP mapping entries
08/01/17 07:35:04:558[Debug 77]: tid 5224: Probing IP 192.168.73.16 for jobID 2324.
  1. To clear the agent-log, use the following command:
admin@anuragFW> debug user-id agent LAB_UIA clear log
debug log for agent 'LAB_UIA'(vsys1) is truncated.
  1. View user-ip mappings
    1. To view the user-ip mappings from the agent, run the following command:
admin@anuragFW> show user ip-user-mapping all type UIA

IP              Vsys     From     User                    IdleTimeout(s)  MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.21.56.138    vsys1    UIA      opxlab\administrator    495             495
10.21.56.76     vsys1    UIA      opxlab\dev22            332             332
10.21.2.31      vsys1    UIA      opxlab\administrator    553             553
Total: 3 users
  1. Refresh user-ip mappings
    1. To refresh the user-ip mappings from the agent, run the following command:
admin@anuragFW> debug user-id refresh user-id agent
 LAB_UIA       LAB_UIA
 all           refretch from all user-id agent
 <value>       specify one agent

admin@anuragFW> debug user-id refresh user-id agent LAB_UIA

mark agent LAB_UIA(1) for refetching all
  1. Reset user-ip agent
    1. To reset (reconnect) the user-ip agent, run the following command: debug user-id reset user-id-agent <value>
admin@anuragFW> debug user-id reset user-id-agent LAB_UIA
User-ID Agent agent 'LAB_UIA' in vsys1 is marked for reset.
  1. View agent-related issues
    1. To view the logs in useridd.log regarding agent-related issues:
admin@anuragFW> debug user-id set agent basic
Debug level is info

admin@anuragFW> debug user-id on debug
debug level set to debug
admin@anuragFW> tail follow yes mp-log useridd.log
2017-08-01 07:40:12.995 +0530 Warning: pan_regip_reg(pan_reg_ip.c:1152): tag FROM_PING for ip 192.168.143.144 exists, ignore
2017-08-01 07:40:12.997 +0530 Error: cfgagent_doop_callback(pan_cfgagent.c:553): Failed to handle op command for agent:
useridd
2017-08-01 07:51:13.821 +0530 debug: pan_user_id_agent_uia_handle_msg(pan_user_id_uia_v5.c:1048): handling message status
 

 

 

 



Additional Information


User-ID Agent Setup tips

User-ID Resource list



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR1CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language