Test command does not work


L2 Linker

Hello, team.

I have a problem.
I have a couple of users created for read mode administration of the Palo Alto Firewall Cluster (they are local users).

When I try to test the Test Authentication Server Connectivity (I follow the documentation to the letter), I am constantly getting the same error when testing with the local users.

[Images: T2.png, T1.png]


Any idea how to solve this, please?

I just want to "prove" to the end users, that the credentials "do work" without problems.

Thanks for the feedback.

1 accepted solution

Accepted Solutions

Cyber Elite

set system setting target-vsys vsys1

Help the community: Like helpful comments and mark solutions.

15 REPLIES 15

Community Team Member

Hi @Matlu_NN,

Are these users created in the Local User Database or users created via External Authentication like RADIUS, SAML, LDAP, etc.?

LIVEcommunity team member
Stay Secure,
Jay

Hello,

They are local users.

Is there any way to successfully perform the test command to validate if the credentials are working or not?

Greetings.

Cyber Elite

Hi @Matlu_NN,

I don't see you setting the target vsys. Have you followed these steps? https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/test-the-configurati...

Thanks,

Tom

Hello,

You need to configure the "<vsys-name>"?

I have a firewall cluster, and I do not see anything in the configuration of the equipment that lets me "recognize" whether or not I have configured the "vsys".

Is this something that comes active by default or is it something that must be activated?

Can working with vsys impact the configuration that the cluster of equipment has?

Greetings.

Cyber Elite

Hi @Matlu_NN,

The CLI command is not configuring anything on the NGFW, but rather setting the context for your CLI test command. As the doc says in step 1, "Specify which virtual system contains the authentication profile you want to test. This is only necessary if you are testing an authentication profile that is specific to a single virtual system (that is, you do not need to do this if the authentication profile is shared)."

This command only applies to the current CLI session.

Thanks,

Tom

Hello,

Actually, I don't know what the correct syntax of the command is.
I am applying what I can understand from the shared document, but I always get the same result.

[Images: IM3.png, IM2.png, IM1.png]

Can you tell me what you think is the error I am having in applying the command?

Note:
It is important to mention, that this is a local account created on the Palo Alto Firewall itself.

Thanks

Cyber Elite

set system setting target-vsys vsys1

Hello, friend.

And in the command:

test authentication authentication-profile <authentication-profile-name> username <username> password.

What should I put in the <authentication-profile>?

My local users have not created an "Authentication-Profile".

Is it optional?

Cyber Elite

Hi @Matlu_NN,

Great question! Since you have no local authentication profile, I assume the "local users" are under Device > Administrators and not Device > Local User Database > Users.

You cannot use the "test" command to test for local administrators. You would test by logging into the GUI or CLI with each username.

Thanks,

Tom

Hello,

Then the command "test" would only be useful to test the "local users" that are inside the option "LOCAL USER DATABASE"?

Greetings.

Cyber Elite

Hi @Matlu_NN,

That is correct. When you create an administrator you can configure an authentication profile for that administrator. Your admins could authenticate with their AD credentials (LDAP) if you want. In order to use the local user database, you would create an authentication profile with a Type: Local Database. Then you could use the test command.

Thanks,

Tom

Hello, my friend.

Can I create a test user in "Local User Database" -> "Users" and apply the command?

For example, create an account like the following:

Username: jchampion
Password: 1234abc#

I can run the "Test" command without having a security policy, can't I?


The command would be something like this:

test authentication authentication-profile Local Database username jchampion password 1234abc#

This is the flow it should follow, and the command should be successful, right?
Or is there any observation on your part?

Thanks for your help.

Cyber Elite

Hi @Matlu_NN,

You can create a test user as you described and test. You would need to create an authentication profile with a Type: Local Database, and test against that authentication profile.

Thanks,

Tom

It is not necessary to have a firewall rule to test this, right?

And the VSYS would be VSYS1, according to the scenario I showed you, right?
