Palo Alto Networks Knowledgebase: How to Determine the Source of User Mappings
Created On 02/07/19 23:48 PM - Last Updated 02/07/19 23:48 PM
For IP-to-user mappings, many networks have more than one monitored Active Directory server or domain controller for data redundancy. Troubleshooting user mapping issues is harder when the source of a particular user mapping is unknown. This document shows how to use the > show log userid command to obtain useful information about user mappings, including how the firewall learned each mapping.
As an example, one User-ID agent (Agent243) and one Agentless User-ID (Agentless243) are configured on the firewall.
Verify the configured sources from which you are learning user mappings.
For User-ID Agents hosted on a Windows machine, use the command:
> show user user-id-agent statistics
For agentless User-ID configured on the firewall, use the following command:
> show user server-monitor statistics
Verify the user mappings that are currently learned on the firewall, using either of these commands.
For all known mappings on the firewall:
> show user ip-user-mapping all
For user mappings to a specific IP - Example 188.8.131.52:
> show user ip-user-mapping ip 184.108.40.206
Once you know enough about the configured data sources or users, you can use the > show log userid command to derive more useful information about the user mappings.
Note: Debug mode should be enabled on the User-ID process for in-depth logging.
Enable debug mode:
> debug user-id log-ip-user-mapping yes
Disable debug mode after acquiring the desired logs:
> debug user-id log-ip-user-mapping no
Examples of using the show log userid command:
Determine the most recent addresses learned from the agentless User-ID source:
> show log userid datasourcename equal Agentless243 direction equal backward