07-11-2023 09:00 AM
Hello, team.
I have a problem.
I have a couple of users created for read mode administration of the Palo Alto Firewall Cluster (they are local users).
When I try to test the Test Authentication Server Connectivity (I follow the documentation to the letter), I am constantly getting the same error when testing with the local users.
Any idea how to solve this, please?
I just want to "prove" to the end users, that the credentials "do work" without problems.
Thanks for the feedback.
07-11-2023 08:57 PM
Hi @Matlu_NN ,
Are these users created in the Local User Database, or are they users created via external authentication like RADIUS, SAML, LDAP, etc.?
07-14-2023 10:06 AM
Hello,
They are local users.
Is there any way to successfully perform the test command to validate if the credentials are working or not?
Greetings.
07-16-2023 06:54 PM
Hi @Matlu_NN ,
I don't see you setting the target vsys. Have you followed these steps? https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/test-the-configurati...
Thanks,
Tom
07-18-2023 08:05 AM
Hello,
You need to configure the "<vsys-name>"?
I have a firewall cluster, and I do not see anything in the configuration of the equipment that lets me "recognize" whether I have configured the "vsys" or not.
Is this something that is active by default, or is it something that must be activated?
Can working with vsys have an impact on the configuration of the cluster?
Greetings.
07-18-2023 10:48 AM
Hi @Matlu_NN ,
The CLI command is not configuring anything on the NGFW, but rather setting the context for your CLI test command. As the doc says in step 1, "Specify which virtual system contains the authentication profile you want to test. This is only necessary if you are testing an authentication profile that is specific to a single virtual system (that is, you do not need to do this if the authentication profile is shared)."
This command only applies to the current CLI session.
Thanks,
Tom
07-18-2023 01:14 PM - edited 07-18-2023 01:18 PM
Hello,
Actually, I don't know what is the correct syntax of the command.
I am applying what I can understand from the shared document, but I always get the same result.
Can you tell me what you think is the error I am having in applying the command?
Note:
It is important to mention, that this is a local account created on the Palo Alto Firewall itself.
Thanks
07-18-2023 01:18 PM
set system setting target-vsys vsys1
07-18-2023 01:21 PM
Hello, friend.
And in the command:
test authentication authentication-profile <authentication-profile-name> username <username> password.
What should I put in the <authentication-profile>?
My local users have not created an "Authentication-Profile".
Is it optional?
07-18-2023 01:35 PM
Hi @Matlu_NN ,
Great question! Since you have no local authentication profile, I assume the "local users" are under Device > Administrators and not Device > Local User Database > Users.
You cannot use the "test" command to test for local administrators. You would test by logging into the GUI or CLI with each username.
Thanks,
Tom
07-18-2023 01:42 PM
Hello,
Then the "test" command would only be useful for testing the "local users" that are inside the "LOCAL USER DATABASE" option?
Greetings.
07-18-2023 01:47 PM
Hi @Matlu_NN ,
That is correct. When you create an administrator you can configure an authentication profile for that administrator. Your admins could authenticate with their AD credentials (LDAP) if you want. In order to use the local user database, you would create an authentication profile with a Type: Local Database. Then you could use the test command.
Thanks,
Tom
07-18-2023 02:13 PM
Hello, my friend.
Can I create a test user in "Local User Database" -> "Users" and apply the command?
For example, create an account like the following:
Username: jchampion
Password: 1234abc#
I can run the "Test" command without having a security policy, can't I?
The command would be something like this:
test authentication authentication-profile Local Database username jchampion password 1234abc#
This is the flow it should follow, and the command should be successful, right?
Or is there any observation on your part?
Thanks for your help.
07-18-2023 02:16 PM
Hi @Matlu_NN ,
You can create a test user as you described and test. You would need to create an authentication profile with a Type: Local Database, and test against that authentication profile.
Thanks,
Tom
07-18-2023 02:20 PM
It is not necessary to have a firewall rule to test this, right?
And the VSYS, would be the VSYS1, according to the scenario I could show you, right?