- Check for agent
- To check if the agent is connected and operational:
admin@anuragFW> show user user-id-agent statistics
Name      Host         Port  Vsys   State      Ver  Usage
---------------------------------------------------------------------------
LAB_UIA   10.21.56.14  5007  vsys1  conn:idle  5
Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, 'C': Credential Enforcement
A state of 'conn:idle' indicates that the agent is connected. The Usage column is blank if the User-ID agent only furnishes user-IP mappings and no other services such as LDAP proxy, NTLM auth or credential enforcement.
- Check for details of connection
- To see the details of the connection between User-ID agent and the firewall:
admin@anuragFW> show user user-id-agent state
"LAB_UIA" LAB_UIA
all Show all user-id agents
<value> <name> agent name
admin@anuragFW> show user user-id-agent state all
Agent: LAB_UIA(vsys: vsys1) Host: 10.21.56.14(10.21.56.14):5007
Status : conn:idle
Version : 0x5
num of connection tried : 141
num of connection succeeded : 3
num of connection failed : 138
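The connection counters above (3 successes out of 141 attempts) are easy to overlook when the status reads conn:idle. The following added example, which is not part of the original article, parses saved `state all` output and reports agents that are disconnected or have a high failure ratio. The second agent (BRANCH_UIA), its status value and the 0.5 threshold are assumptions made for illustration.

```python
import re

# Constructed sample in the format of `show user user-id-agent state all`.
# LAB_UIA copies the values above; BRANCH_UIA and its status are hypothetical.
SAMPLE = """\
Agent: LAB_UIA(vsys: vsys1) Host: 10.21.56.14(10.21.56.14):5007
Status : conn:idle
Version : 0x5
num of connection tried : 141
num of connection succeeded : 3
num of connection failed : 138
Agent: BRANCH_UIA(vsys: vsys1) Host: 192.0.2.10(192.0.2.10):5007
Status : not-conn:idle
Version : 0x5
num of connection tried : 12
num of connection succeeded : 0
num of connection failed : 12
"""

AGENT = re.compile(r"Agent:\s*(\S+?)\(vsys:\s*(\w+)\)\s*Host:\s*([^(\s]+)\(.*?\):(\d+)")
FIELD = re.compile(r"([^:]+?)\s*:\s*(.+)")

def parse_state(text):
    """Split the output into one dict per agent, keyed by the printed field names."""
    agents = []
    for line in text.splitlines():
        line = line.strip()
        m = AGENT.match(line)
        if m:
            agents.append({"name": m[1], "vsys": m[2], "host": m[3], "port": int(m[4])})
        elif agents and (f := FIELD.fullmatch(line)):
            agents[-1][f[1]] = f[2]
    return agents

def connection_health(agent, max_fail_ratio=0.5):
    """Return findings for one agent; the counters are cumulative, not current."""
    tried = int(agent.get("num of connection tried", 0))
    failed = int(agent.get("num of connection failed", 0))
    findings = []
    if not agent.get("Status", "").startswith("conn:"):
        findings.append("not connected")
    if tried and failed / tried > max_fail_ratio:
        findings.append(f"{failed}/{tried} connection attempts failed")
    return findings

if __name__ == "__main__":
    for a in parse_state(SAMPLE):
        print(a["name"], a["host"], connection_health(a))
```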
- View agent configuration on firewall
- View configuration of the agent from CLI: show user user-id-agent config name <value>
admin@anuragFW> show user user-id-agent config name "LAB_UIA"
OS: Microsoft Windows Server 2008 R2 Datacenter Edition (build 7600), 64-bit
Product Version: 8.0.3
Protocol Version: 5
Agent Config:
<?xml version="1.0" encoding="UTF-8"?>
<user-id-agent-config>
<general-settings>
<authentication username="administrator@opxlab.pan" dnsdomain="opxlab.pan" netbiosdomain="opxlab" password=""/>
<server-monitor security-log-enabled="1" security-log-interval="1" session-enabled="0" session-interval="10" edir-interval="30"/>
<probing wmi-enabled="1" netbios-enabled="1" interval="20" init-retry-delay="3"/>
<timeout enabled="1" entry-timeout="45"/>
<listening-port>5007</listening-port>
<xml-api enabled="0" xml-api-port="5006"/>
<syslog-listening enabled="0" syslog-port="514"/>
<ip-cache enabled="1"/>
<edirectory base-dn="" bind-dn="" search-filter="(objectClass=Person)" domain-prefix="" login-name-attribute="uniqueID" login-address-attribute="networkAddress" login-time-attribute="loginTime" use-ssl="1" verify-certificate="0"/>
<credentials_path enabled="0" path=""/>
<credentials_rodc enabled="0" interval="" auto-discover-replication-policy="0" cacheable-dn=""/>
</general-settings>
<acl-settings>
</acl-settings>
<syslog-profiles>
</syslog-profiles>
<server-settings>
<server-entry name="win_svr62.opxlab.pan" type="active-directory" address="10.21.56.14" port="" syslog-profile="" default-domain="">
</server-entry>
</server-settings>
<include-exclude-settings>
</include-exclude-settings>
<custom-securitylog-formats>
</custom-securitylog-formats>
<vmmonitor-settings>
</vmmonitor-settings>
</user-id-agent-config>
Ignore Users:
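The configuration dump is also a convenient input for a hardening review. The following added example, which is not part of the original article or of any Palo Alto Networks tooling, cuts the XML out of the CLI output and reports settings worth a second look. The check names and the choice of checks are the editor's assumptions; the element and attribute names are the ones printed above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the CLI output above (same names and values).
SAMPLE = """Product Version: 8.0.3
Agent Config:
<?xml version="1.0" encoding="UTF-8"?>
<user-id-agent-config>
<general-settings>
<authentication username="administrator@opxlab.pan" dnsdomain="opxlab.pan" netbiosdomain="opxlab" password=""/>
<probing wmi-enabled="1" netbios-enabled="1" interval="20" init-retry-delay="3"/>
<xml-api enabled="0" xml-api-port="5006"/>
<syslog-listening enabled="0" syslog-port="514"/>
<edirectory use-ssl="1" verify-certificate="0"/>
</general-settings>
<acl-settings>
</acl-settings>
</user-id-agent-config>
Ignore Users:"""

def extract_config(cli_output):
    """Cut the XML document out of the CLI output; header and footer lines surround it."""
    end_tag = "</user-id-agent-config>"
    start = cli_output.index("<user-id-agent-config>")
    return ET.fromstring(cli_output[start:cli_output.index(end_tag) + len(end_tag)])

def audit(cli_output):
    """Return (check, message) pairs; the checks are review heuristics, not vendor rules."""
    root = extract_config(cli_output)
    def attr(tag, name):
        el = root.find(f"general-settings/{tag}")
        return el.get(name, "") if el is not None else ""
    out = []
    if attr("authentication", "username").split("@")[0].lower() == "administrator":
        out.append(("svc-account", "directory access uses an account named Administrator"))
    if attr("probing", "wmi-enabled") == "1":
        out.append(("wmi-probing", "agent authenticates to each probed IP with the service account"))
    if attr("probing", "netbios-enabled") == "1":
        out.append(("netbios-probing", "answer comes from the endpoint and is not authenticated"))
    if attr("edirectory", "use-ssl") == "1" and attr("edirectory", "verify-certificate") == "0":
        out.append(("edir-cert", "eDirectory uses SSL but verify-certificate is 0"))
    for svc in ("xml-api", "syslog-listening"):
        if attr(svc, "enabled") == "1":
            out.append((svc, f"{svc} listener is enabled; confirm it is needed"))
    acl = root.find("acl-settings")
    if acl is None or len(acl) == 0:
        out.append(("acl", "acl-settings has no entries"))
    return out
```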
- Set and view logging level
- There are two ways to set the logging level on the agent and then view the logs. The default level is 'Info'.
Use the scroll bar to view the latest logs
- From the firewall's CLI, enable debug on the User-ID agent: debug user-id agent <value> on debug
admin@anuragFW> debug user-id agent "LAB_UIA" on debug
Send debug message to agent LAB_UIA
admin@anuragFW> debug user-id agent "LAB_UIA" receive yes
Send debug message to agent LAB_UIA
- View and clear logs
- To view the logs, the following commands can be used as per the requirement:
less agent-log <value>
tail follow <yes|no> lines <1-65535> agent-log <value>
admin@anuragFW> less agent-log 1.LAB_UIA.log
08/01/17 07:28:30:045[Debug 3534]: Device thread 1 handle msg get:user_ip. bodylen 100 xml 1
08/01/17 07:28:30:045[Debug 691]: IP 192.168.140.125 is added for initial probing. jobid 2278
08/01/17 07:28:30:045[Debug 808]: Device thread 1 sent 0 user IP mapping entries
08/01/17 07:28:30:045[Debug 77]: tid 3032: Probing IP 192.168.140.125 for jobID 2278.
...
...
...truncated for brevity...
admin@anuragFW> tail lines 10 agent-log 1.LAB_UIA.log
08/01/17 07:35:01:532[Debug 472]: UserIpMap: IP (10.21.56.153) Username (opxlab\administrator) queued for xmission to firewall
08/01/17 07:35:03:544[Debug 284]: Reading 25 security logs takes 0 ms for DC win_svr62.opxlab.pan.
08/01/17 07:35:03:560[Debug 367]: Composed ip-users msg with 1 add and 0 delete.
08/01/17 07:35:03:560[Debug 1009]: update uids is sent. 1 add 0 del.
08/01/17 07:35:04:558[Debug 3534]: Device thread 1 handle msg get:user_ip. bodylen 98 xml 1
08/01/17 07:35:04:558[Debug 3534]: Device thread 6 handle msg get:user_ip. bodylen 98 xml 1
08/01/17 07:35:04:558[Debug 691]: IP 192.168.73.16 is added for initial probing. jobid 2324
08/01/17 07:35:04:558[Debug 808]: Device thread 1 sent 0 user IP mapping entries
08/01/17 07:35:04:558[Debug 77]: tid 5224: Probing IP 192.168.73.16 for jobID 2324.
- To clear the agent-log, use the following command:
admin@anuragFW> debug user-id agent LAB_UIA clear log
debug log for agent 'LAB_UIA'(vsys1) is truncated.
- View user-ip mappings
- To view the user-ip mappings from the agent, run the following command:
admin@anuragFW> show user ip-user-mapping all type UIA
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.21.56.138    vsys1  UIA     opxlab\administrator             495            495
10.21.56.76     vsys1  UIA     opxlab\dev22                     332            332
10.21.2.31      vsys1  UIA     opxlab\administrator             553            553
Total: 3 users
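In the table above, opxlab\administrator is mapped to two addresses at once. The following added example, which is not part of the original article, parses saved output of this command, checks the row count against the Total line, and lists every user seen on more than one IP. It assumes user names contain no spaces.

```python
from collections import defaultdict

# Constructed sample: the table printed above by
# `show user ip-user-mapping all type UIA`.
SAMPLE = r"""
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.21.56.138    vsys1  UIA     opxlab\administrator             495            495
10.21.56.76     vsys1  UIA     opxlab\dev22                     332            332
10.21.2.31      vsys1  UIA     opxlab\administrator             553            553
Total: 3 users
"""

def parse_mappings(text):
    """Return (rows, reported_total); data rows have six fields ending in two integers."""
    rows, total = [], None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[4].isdigit() and parts[5].isdigit():
            rows.append({"ip": parts[0], "vsys": parts[1], "from": parts[2],
                         "user": parts[3].lower(), "idle": int(parts[4])})
        elif line.startswith("Total:"):
            total = int(parts[1])
    return rows, total

def shared_users(rows):
    """Map each user seen on more than one IP to the sorted list of those IPs."""
    ips = defaultdict(set)
    for r in rows:
        ips[r["user"]].add(r["ip"])
    return {user: sorted(addrs) for user, addrs in ips.items() if len(addrs) > 1}

if __name__ == "__main__":
    rows, total = parse_mappings(SAMPLE)
    if total is not None and total != len(rows):
        print(f"warning: parsed {len(rows)} rows but output reports {total}")
    for user, addrs in shared_users(rows).items():
        print(f"{user} is mapped to {len(addrs)} IPs: {', '.join(addrs)}")
```

Accounts that show up here are worth checking against the Ignore Users list printed with the agent configuration, which is empty in the output on this page.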
- Refresh user-ip mappings
- To refresh the user-ip mappings from the agent, run the following command:
admin@anuragFW> debug user-id refresh user-id agent
LAB_UIA LAB_UIA
all refretch from all user-id agent
<value> specify one agent
admin@anuragFW> debug user-id refresh user-id agent LAB_UIA
mark agent LAB_UIA(1) for refetching all
- Reset User-ID agent
- To reset (reconnect) the User-ID agent, run the following command: debug user-id reset user-id-agent <value>
admin@anuragFW> debug user-id reset user-id-agent LAB_UIA
User-ID Agent agent 'LAB_UIA' in vsys1 is marked for reset.
- View agent-related issues
- To view the logs in useridd.log regarding agent-related issues:
admin@anuragFW> debug user-id set agent basic
Debug level is info
admin@anuragFW> debug user-id on debug
debug level set to debug
admin@anuragFW> tail follow yes mp-log useridd.log
2017-08-01 07:40:12.995 +0530 Warning: pan_regip_reg(pan_reg_ip.c:1152): tag FROM_PING for ip 192.168.143.144 exists, ignore
2017-08-01 07:40:12.997 +0530 Error: cfgagent_doop_callback(pan_cfgagent.c:553): Failed to handle op command for agent:
useridd
2017-08-01 07:51:13.821 +0530 debug: pan_user_id_agent_uia_handle_msg(pan_user_id_uia_v5.c:1048): handling message status