Getting Started Guide
Configure User Identification
Verify the User-ID Configuration
After you configure User Identification and enable User-ID on your security policies and Captive Portal policies,
you should verify that it is working properly.
Verify the User Identification Configuration
Step 1 Verify that group mapping is working. From the CLI, enter the following command:
admin@PA-200> show user group-mapping statistics
Step 2 Verify that user mapping is working. If you are using the on-device User-ID agent, you can verify this
from the CLI using the following command:
admin@PA-200> show user ip-user-mapping-mp all
IP              Vsys   From  User                 Timeout (sec)
--------------------------------------------------------------
192.168.201.1   vsys1  UIA   acme\louis           210
192.168.201.11  vsys1  UIA   acme\eileen          210
192.168.201.50  vsys1  UIA   acme\kimberly        210
192.168.201.10  vsys1  UIA   acme\administrator   210
192.168.201.100 vsys1  AD    acme\administrator   748
Total: 5 users
*: WMI probe succeeded
Step 3 Test your security policy.
• From a machine in the zone where User-ID is enabled, attempt to access sites and applications to test the rules you have defined in your policy and ensure that traffic is being allowed and denied as expected.
• You can also use the test security-policy-match command to determine whether the policy is configured correctly. For example, if you have a rule that blocks user duane from playing World of Warcraft, you could test the policy as follows:
test security-policy-match application worldofwarcraft source-user acme\duane source any destination any destination-port any protocol 6
"deny worldofwarcraft" {
    from corporate;
    source any;
    source-region any;
    to internet;
    destination any;
    destination-region any;
    user acme\duane;
    category any;
    application/service worldofwarcraft;
    action deny;
    terminal no;
}
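The Step 2 check can be scripted before you run the live-traffic test in Step 3. The following Python sketch is an added example, not part of the original guide or vendor code; it parses the show user ip-user-mapping-mp all output shown in Step 2 (embedded below as a constructed sample), and the function names and the list of expected users are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the Step 2 output shown on this page.
SAMPLE = r"""
IP              Vsys   From  User                 Timeout (sec)
--------------------------------------------------------------
192.168.201.1   vsys1  UIA   acme\louis           210
192.168.201.11  vsys1  UIA   acme\eileen          210
192.168.201.50  vsys1  UIA   acme\kimberly        210
192.168.201.10  vsys1  UIA   acme\administrator   210
192.168.201.100 vsys1  AD    acme\administrator   748
Total: 5 users
*: WMI probe succeeded
"""

# One mapping row: IP, vsys, source (From), user, timeout in seconds.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
TOTAL = re.compile(r"^Total:\s+(\d+)\s+users?$")


def parse_mappings(text):
    """Return (rows, reported_total) parsed from the CLI output."""
    rows, total = [], None
    for line in map(str.strip, text.splitlines()):
        if m := ROW.match(line):
            ip, vsys, source, user, timeout = m.groups()
            rows.append({"ip": ip, "vsys": vsys, "from": source,
                         "user": user.lower(), "timeout": int(timeout)})
        elif m := TOTAL.match(line):
            total = int(m.group(1))
    return rows, total


def review(text, expected_users):
    """Summarise what to check before testing user-based rules on live traffic."""
    rows, total = parse_mappings(text)
    ips_by_user = defaultdict(list)
    for row in rows:
        ips_by_user[row["user"]].append(row["ip"])
    return {
        # Row count must equal the "Total:" line, or the capture is incomplete.
        "count_ok": total == len(rows),
        # Users you plan to test with who have no IP mapping yet.
        "missing": sorted(u.lower() for u in expected_users
                          if u.lower() not in ips_by_user),
        # Accounts seen on several IPs (shared or admin logins worth a look).
        "multi_ip": {u: ips for u, ips in ips_by_user.items() if len(ips) > 1},
    }
```

Run against the sample with acme\duane in the expected list, the review reports that user as missing: a user-based rule cannot match that user's live traffic until a mapping exists, even though test security-policy-match returns the rule.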