Palo Alto Cheat Sheet – User-ID

View all User-ID agents configured to send user mappings to the Palo Alto Networks device:

To see all configured Windows-based agents:
> show user user-id-agent state all

To see if the PAN-OS-integrated agent is configured:
> show user server-monitor state all

View how many log messages came in from syslog senders and how many entries the User-ID agent successfully mapped:
> show user server-monitor statistics

View the configuration of a User-ID agent from the Palo Alto Networks device:
> show user user-id-agent config name

View group mapping information:
> show user group-mapping statistics
> show user group-mapping state all
> show user group list
> show user group name

View all user mappings on the Palo Alto Networks device:
> show user ip-user-mapping all

Show user mappings filtered by a username string (if the string includes the domain name, use two backslashes before the username):
> show user ip-user-mapping all | match \\

Show user mappings for a specific IP address:
> show user ip-user-mapping ip

Show usernames:
> show user user-ids

View the most recent addresses learned from a particular User-ID agent:
> show log userid datasourcename equal direction equal backward

View mappings from a particular type of authentication service:
> show log userid datasourcetype equal
where can be authenticate, client-cert, directory-server, exchange-server, globalprotect, kerberos, netbios-probing, ntlm, unknown, vpn-client, or wmi-probing.

For example, to view all user mappings from the Kerberos server, you would enter the following command:
> show log userid datasourcetype equal kerberos

View mappings learned using a particular type of user mapping:
> show log userid datasource equal
where can be agent, captive-portal, event-log, ha, probing, server-session-monitor, ts-agent, unknown, vpn-client, or xml-api.

For example, to view all user mappings from the XML API, you would enter the following command:
> show log userid datasourcetype equal xml-api

Find a user mapping based on an email address:
> show user email-lookup
+ base Default base distinguished name (DN) to use for searches
+ bind-dn bind distinguished name
+ bind-password bind password
+ domain Domain name to be used for username
+ group-object group object class(comma-separated)
+ name-attribute name attribute
+ proxy-agent agent ip or host name.
+ proxy-agent-port user-id agent listening port, default is 5007
+ use-ssl use-ssl
* email email address
> mail-attribute mail attribute
> server ldap server ip or host name.
> server-port ldap server listening port

For example:
> show user email-lookup base “DC=lab,DC=sg,DC=acme,DC=local” bind-dn “CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local” bind-password acme use-ssl no email user1@lab.sg.acme.local mail-attribute mail server 10.1.1.1 server-port 389 labsg\user1

Clear the User-ID cache:
> clear user-cache all

Clear a User-ID mapping for a specific IP address:
> clear user-cache ip

Source:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-user-id.html

More Stories
Best practices and advanced features for VMware High Availability