Useful CLI Commands for Troubleshooting User-ID Agent
Created On 09/25/18 18:50 PM - Last Modified 12/15/22 20:59 PM
Environment
- PAN-OS 8.0 and above
- User-ID Agent
Resolution
- Check for agent
- To check if the agent is connected and operational:
    admin@anuragFW> show user user-id-agent statistics

    Name             Host            Port  Vsys    State             Ver  Usage
    ---------------------------------------------------------------------------
    LAB_UIA          10.21.56.14     5007  vsys1   conn:idle         5
    Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, 'C': Credential Enforcement
A state of 'conn:idle' indicates that the agent is connected. The Usage column is blank if the User-ID agent is only furnishing user-ip mappings and no other services such as LDAP proxy, NTLM auth or credential enforcement.
- Check for details of connection
- To see the details of the connection between User-ID agent and the firewall:
    admin@anuragFW> show user user-id-agent state
      "LAB_UIA"    LAB_UIA
      all          Show all user-id agents
      <value>      <name> agent name

    admin@anuragFW> show user user-id-agent state all

    Agent: LAB_UIA(vsys: vsys1) Host: 10.21.56.14(10.21.56.14):5007
            Status                                            : conn:idle
            Version                                           : 0x5
            num of connection tried                           : 141
            num of connection succeeded                       : 3
            num of connection failed                          : 138
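The state output above shows an agent that is currently connected but has failed 138 of 141 connection attempts, which is easy to miss when only the Status line is read. The following is an added example, not part of the original article: a Python check over captured `show user user-id-agent state all` output. The second agent, its status string and the 0.5 failure threshold are assumptions made for illustration.

```python
import re

# Constructed input: the LAB_UIA block reproduces the output above; EXAMPLE_UIA2
# and its status string are invented placeholders, not real PAN-OS output.
SAMPLE = """\
Agent: LAB_UIA(vsys: vsys1) Host: 10.21.56.14(10.21.56.14):5007
        Status                                            : conn:idle
        Version                                           : 0x5
        num of connection tried                           : 141
        num of connection succeeded                       : 3
        num of connection failed                          : 138
Agent: EXAMPLE_UIA2(vsys: vsys1) Host: 192.0.2.10(192.0.2.10):5007
        Status                                            : placeholder-not-connected
        Version                                           : 0x5
        num of connection tried                           : 2
        num of connection succeeded                       : 2
        num of connection failed                          : 0
"""

AGENT_RE = re.compile(r"^Agent:\s*(?P<name>.+?)\(vsys:\s*(?P<vsys>[^)]+)\)\s*"
                      r"Host:\s*(?P<host>\S+?)\((?P<ip>[^)]+)\):(?P<port>\d+)$")
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.+)$")


def parse_state(text):
    """Split the output into one dict per agent, keeping every 'key : value' row."""
    agents = []
    for line in (l.strip() for l in text.splitlines()):
        head = AGENT_RE.match(line)
        if head:
            agents.append(dict(head.groupdict(), fields={}))
        elif agents and (row := FIELD_RE.match(line)):
            agents[-1]["fields"][row["key"]] = row["val"]
    return agents


def assess(agent, max_fail_ratio=0.5):
    """Return findings for one agent; max_fail_ratio is an arbitrary example threshold."""
    f, findings = agent["fields"], []
    if f.get("Status") != "conn:idle":
        findings.append(f"status {f.get('Status')!r} is not 'conn:idle'")
    tried = int(f.get("num of connection tried", 0))
    failed = int(f.get("num of connection failed", 0))
    if tried and failed / tried > max_fail_ratio:
        findings.append(f"{failed}/{tried} connection attempts failed")
    return findings


if __name__ == "__main__":
    for a in parse_state(SAMPLE):
        print(a["name"], a["host"], assess(a) or "ok")
```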
- View agent configuration on firewall
- View configuration of the agent from CLI: show user user-id-agent config name <value>
    admin@anuragFW> show user user-id-agent config name "LAB_UIA"

    OS: Microsoft Windows Server 2008 R2 Datacenter Edition (build 7600), 64-bit
    Product Version: 8.0.3
    Protocol Version: 5
    Agent Config:
    <?xml version="1.0" encoding="UTF-8"?>
    <user-id-agent-config>
      <general-settings>
        <authentication username="administrator@opxlab.pan" dnsdomain="opxlab.pan" netbiosdomain="opxlab" password=""/>
        <server-monitor security-log-enabled="1" security-log-interval="1" session-enabled="0" session-interval="10" edir-interval="30"/>
        <probing wmi-enabled="1" netbios-enabled="1" interval="20" init-retry-delay="3"/>
        <timeout enabled="1" entry-timeout="45"/>
        <listening-port>5007</listening-port>
        <xml-api enabled="0" xml-api-port="5006"/>
        <syslog-listening enabled="0" syslog-port="514"/>
        <ip-cache enabled="1"/>
        <edirectory base-dn="" bind-dn="" search-filter="(objectClass=Person)" domain-prefix="" login-name-attribute="uniqueID" login-address-attribute="networkAddress" login-time-attribute="loginTime" use-ssl="1" verify-certificate="0"/>
        <credentials_path enabled="0" path=""/>
        <credentials_rodc enabled="0" interval="" auto-discover-replication-policy="0" cacheable-dn=""/>
      </general-settings>
      <acl-settings>
      </acl-settings>
      <syslog-profiles>
      </syslog-profiles>
      <server-settings>
        <server-entry name="win_svr62.opxlab.pan" type="active-directory" address="10.21.56.14" port="" syslog-profile="" default-domain="">
        </server-entry>
      </server-settings>
      <include-exclude-settings>
      </include-exclude-settings>
      <custom-securitylog-formats>
      </custom-securitylog-formats>
      <vmmonitor-settings>
      </vmmonitor-settings>
    </user-id-agent-config>
    Ignore Users:
- Set and view logging level
- There are two ways to set the logging level on the agent and then view the logs. The default level is 'Info'.
Use the scroll bar to view the latest logs
- From the Firewall's CLI enable debug on user-id agent: debug user-id agent <value> on debug
    admin@anuragFW> debug user-id agent "LAB_UIA" on debug
    Send debug message to agent LAB_UIA
    admin@anuragFW> debug user-id agent "LAB_UIA" receive yes
    Send debug message to agent LAB_UIA
- View and clear logs
- To view the logs, the following commands can be used as per the requirement:
    less agent-log <value>
    tail follow <yes|no> lines <1-65535> agent-log <value>

    admin@anuragFW> less agent-log 1.LAB_UIA.log
    08/01/17 07:28:30:045[Debug 3534]: Device thread 1 handle msg get:user_ip. bodylen 100 xml 1
    08/01/17 07:28:30:045[Debug 691]: IP 192.168.140.125 is added for initial probing. jobid 2278
    08/01/17 07:28:30:045[Debug 808]: Device thread 1 sent 0 user IP mapping entries
    08/01/17 07:28:30:045[Debug 77]: tid 3032: Probing IP 192.168.140.125 for jobID 2278.
    ...
    ...
    ...truncated for brevity...

    admin@anuragFW> tail lines 10 agent-log 1.LAB_UIA.log
    08/01/17 07:35:01:532[Debug 472]: UserIpMap: IP (10.21.56.153) Username (opxlab\administrator) queued for xmission to firewall
    08/01/17 07:35:03:544[Debug 284]: Reading 25 security logs takes 0 ms for DC win_svr62.opxlab.pan.
    08/01/17 07:35:03:560[Debug 367]: Composed ip-users msg with 1 add and 0 delete.
    08/01/17 07:35:03:560[Debug 1009]: update uids is sent. 1 add 0 del.
    08/01/17 07:35:04:558[Debug 3534]: Device thread 1 handle msg get:user_ip. bodylen 98 xml 1
    08/01/17 07:35:04:558[Debug 3534]: Device thread 6 handle msg get:user_ip. bodylen 98 xml 1
    08/01/17 07:35:04:558[Debug 691]: IP 192.168.73.16 is added for initial probing. jobid 2324
    08/01/17 07:35:04:558[Debug 808]: Device thread 1 sent 0 user IP mapping entries
    08/01/17 07:35:04:558[Debug 77]: tid 5224: Probing IP 192.168.73.16 for jobID 2324.
- To clear the agent-log, use the following command:
    admin@anuragFW> debug user-id agent LAB_UIA clear log
    debug log for agent 'LAB_UIA'(vsys1) is truncated.
- View user-ip mappings
- To view the user-ip mappings from the agent, run the following command:
    admin@anuragFW> show user ip-user-mapping all type UIA

    IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
    --------------- ------ ------- -------------------------------- -------------- -------------
    10.21.56.138    vsys1  UIA     opxlab\administrator             495            495
    10.21.56.76     vsys1  UIA     opxlab\dev22                     332            332
    10.21.2.31      vsys1  UIA     opxlab\administrator             553            553
    Total: 3 users
- Refresh user-ip mappings
- To refresh the user-ip mappings from the agent, run the following command:
    admin@anuragFW> debug user-id refresh user-id agent
      LAB_UIA    LAB_UIA
      all        refretch from all user-id agent
      <value>    specify one agent

    admin@anuragFW> debug user-id refresh user-id agent LAB_UIA
    mark agent LAB_UIA(1) for refetching all
- Reset User-ID agent
- To reset (reconnect) the User-ID agent, run the following command: debug user-id reset user-id-agent <value>
    admin@anuragFW> debug user-id reset user-id-agent LAB_UIA
    User-ID Agent agent 'LAB_UIA' in vsys1 is marked for reset.
- View agent-related issues
- To view the logs in useridd.log regarding agent-related issues:
    admin@anuragFW> debug user-id set agent basic
    Debug level is info
    admin@anuragFW> debug user-id on debug
    debug level set to debug

    admin@anuragFW> tail follow yes mp-log useridd.log
    2017-08-01 07:40:12.995 +0530 Warning: pan_regip_reg(pan_reg_ip.c:1152): tag FROM_PING for ip 192.168.143.144 exists, ignore
    2017-08-01 07:40:12.997 +0530 Error: cfgagent_doop_callback(pan_cfgagent.c:553): Failed to handle op command for agent: useridd
    2017-08-01 07:51:13.821 +0530 debug: pan_user_id_agent_uia_handle_msg(pan_user_id_uia_v5.c:1048): handling message status