Needs Votes

PaloAlto FW - monitor user-ID agent status

Related products: Infra Monitoring - Connectors
  • March 29, 2024
  • 1 reply
  • 300 views


Palo Alto firewalls use the User-ID agent to detect credential submission, prevent credential phishing, etc. For this reason it should be important to monitor the User-ID agent status on the firewall to ensure that it is working fine.

This can be done using SSH commands, so it would be nice to have a new mode “userid” on plugin network::paloalto::ssh::plugin to monitor this.

You can find details on this PA KB: Useful CLI Commands for Troubleshooting User-ID Agent - Knowledge Base - Palo Alto Networks:

 

To check if the agent is connected and operational:

admin@anuragFW> show user user-id-agent statistics
Name          Host            Port    Vsys     State         Ver    Usage
---------------------------------------------------------------------------
LAB_UIA       10.21.56.14     5007    vsys1    conn:idle     5
Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, 'C': Credential Enforcement

A state of 'conn:idle' indicates the connected state. Usage would show blank if the User-ID agent is only furnishing user-ip mappings and no other services such as LDAP proxy, NTLM auth or credential enforcement.
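A sketch of the check such a mode could perform on the command output quoted above. This is an added example, not code from the Centreon plugin or from Palo Alto Networks; the function names, the exit-code mapping and the second sample row are assumptions made for illustration.

```python
import re

# Constructed sample: the LAB_UIA row is the one quoted in the post; the second
# row and its "not-connected" state are placeholders made up for this example.
SAMPLE = """\
admin@anuragFW> show user user-id-agent statistics
Name          Host            Port    Vsys     State         Ver    Usage
---------------------------------------------------------------------------
LAB_UIA       10.21.56.14     5007    vsys1    conn:idle     5
LAB_UIA2      192.0.2.20      5007    vsys1    not-connected 5      C
Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, 'C': Credential Enforcement
"""
OK, CRITICAL, UNKNOWN = 0, 2, 3  # Nagios/Centreon-style plugin exit codes
COLUMNS = ("name", "host", "port", "vsys", "state", "ver")

def parse_agents(cli_output):
    """Return one dict per agent row between the dashed line and the legend."""
    agents, in_table = [], False
    for line in cli_output.splitlines():
        if re.fullmatch(r"-{10,}", line.strip()):
            in_table = True          # rows start after the separator
        elif in_table and line.startswith("Usage:"):
            break                    # legend line ends the table
        elif in_table and len(line.split()) >= len(COLUMNS):
            fields = line.split()
            agent = dict(zip(COLUMNS, fields))
            # Usage is blank when the agent only supplies user-IP mappings.
            agent["usage"] = fields[6] if len(fields) > 6 else ""
            agents.append(agent)
    return agents

def check_userid_agents(cli_output):
    """Map the agent states to an (exit_code, message) pair."""
    agents = parse_agents(cli_output)
    if not agents:
        return UNKNOWN, "UNKNOWN: no User-ID agent rows in command output"
    # Assumption: only states starting with "conn:" count as connected; the
    # post confirms 'conn:idle' and no other value.
    down = [a for a in agents if not a["state"].startswith("conn:")]
    if down:
        detail = ", ".join(f"{a['name']}@{a['host']} state={a['state']}" for a in down)
        return CRITICAL, f"CRITICAL: {len(down)}/{len(agents)} agent(s) not connected: {detail}"
    return OK, f"OK: {len(agents)} agent(s) connected"

if __name__ == "__main__":
    code, message = check_userid_agents(SAMPLE)
    print(message)
    raise SystemExit(code)
```

Returning UNKNOWN when no agent rows are parsed keeps an SSH failure or a changed output format from being reported as a healthy agent.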

1 reply

rchauvel
Centreonian
  • April 5, 2024
New → Needs Votes