Basic Palo Alto User Agent/ID Troubleshooting


Verify your APP-ID User agents are connected and running:

show user user-id-agent statistics

Name             Host            Port  Vsys    State             Ver Usage
---------------------------------------------------------------------------
mia-pa-app01     172.10.200.11   5007  vsys1   conn:idle         5
nyc-pa-app01     172.20.200.11   5007  vsys1   conn:idle         5

Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, 'C': Credential Enforcement

Verify your user mappings:

show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.80.10.112    vsys1  UIA     cordero\kcordero                  85086          85086
10.20.30.24     vsys1  UIA     cordero\jsmith                    22594          22594
....

NOTE:
The UIA above under “From” means the mappings are being retrieved from a User-ID Agent.
AD – The IP-user-mapping collected by the agentless service
UIA– The IP-user mapping retrieved from the User-ID Agent

Force group mapping:

debug user-id refresh group-mapping all

Test authentication for a user:

test authentication authentication-profile LDAP_Login username kcordero password
More Stories
Port Speed vs Access Speed