
Palo Alto firewalls use the User-ID agent to detect credential submission, prevent credential phishing, etc. For this reason it should be important to monitor the User-ID agent status on the firewall to ensure that it is working fine.

This can be done using SSH commands, so it would be nice to have a new mode “userid” in the plugin network::paloalto::ssh::plugin to monitor this.

You can find details in this PA KB article: Useful CLI Commands for Troubleshooting User-ID Agent - Knowledge Base - Palo Alto Networks:

 

To check if the agent is connected and operational:

admin@anuragFW> show user user-id-agent statistics

Name          Host            Port    Vsys     State         Ver    Usage
---------------------------------------------------------------------------
LAB_UIA       10.21.56.14     5007    vsys1    conn:idle     5
Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, 'C': Credential Enforcement

A state of 'conn:idle' indicates the connected state. Usage would show blank if the User-ID agent is only furnishing user-ip mappings and no other services such as LDAP proxy, NTLM auth or credential enforcement.

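A sketch of the check the requested mode could perform, added here as an example; it is not code from the post or from the Centreon plugin. The function names are hypothetical, the second agent row in the sample is constructed, and treating every state other than 'conn:idle' as a failure is an assumption drawn from the KB text quoted above.

```python
# Plugin exit codes in the Nagios/Centreon convention
OK, CRITICAL, UNKNOWN = 0, 2, 3

# First agent row is the one quoted in the post; the LAB_UIA2 row and its
# state value are constructed for illustration.
SAMPLE = """\
admin@anuragFW> show user user-id-agent statistics

Name          Host            Port    Vsys     State         Ver    Usage
---------------------------------------------------------------------------
LAB_UIA       10.21.56.14     5007    vsys1    conn:idle     5
LAB_UIA2      10.21.56.15     5007    vsys1    not-conn:idle 5
Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, 'C': Credential Enforcement
"""

def parse_agents(output):
    """Return one dict per agent row of 'show user user-id-agent statistics'."""
    agents = []
    for line in output.splitlines():
        f = line.split()
        # An agent row has at least Name/Host/Port/Vsys/State and a numeric
        # port; this skips the prompt, header, separator and legend lines.
        if len(f) < 5 or not f[2].isdigit():
            continue
        agents.append({
            "name": f[0], "host": f[1], "port": int(f[2]), "vsys": f[3],
            "state": f[4],
            "ver": f[5] if len(f) > 5 else "",
            # Usage is blank when the agent only supplies user-ip mappings
            "usage": f[6] if len(f) > 6 else "",
        })
    return agents

def check_userid(output):
    """Map the CLI output to (exit_code, message) for a monitoring check."""
    agents = parse_agents(output)
    if not agents:
        # No rows parsed: never report OK on empty or unexpected output
        return UNKNOWN, "UNKNOWN: no User-ID agent found in output"
    down = [a for a in agents if a["state"] != "conn:idle"]
    if down:
        detail = ", ".join(f"{a['name']} ({a['host']}) state={a['state']}" for a in down)
        return CRITICAL, f"CRITICAL: {len(down)}/{len(agents)} agent(s) not connected: {detail}"
    return OK, f"OK: {len(agents)} agent(s) in state conn:idle"

if __name__ == "__main__":
    code, message = check_userid(SAMPLE)
    print(message)
    raise SystemExit(code)
```
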