This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Test command does not work

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Test command does not work

Go to solution
Matlu_NN
L2 Linker

‎07-11-2023 09:00 AM

Hello, team.

I have a problem.
I have a couple of users created for read mode administration of the Palo Alto Firewall Cluster (they are local users).

When I try to test the Test Authentication Server Connectivity (I follow the documentation to the letter), I am constantly getting the same error when testing with the local users.

T2.pngT1.png


Any idea how to solve this, please?

I just want to "prove" to the end users, that the credentials "do work" without problems.

Thanks for the feedback.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎07-18-2023 01:18 PM

set system setting target-vsys vsys1

Help the community: Like helpful comments and mark solutions.

View solution in original post

0 Likes Likes
15 REPLIES 15

Go to solution
JayGolf
Community Team Member

‎07-11-2023 08:57 PM

Hi @Matlu_NN ,

 

Are these users created in the Local User Database or users created via External Authentication like Radius, SAML, LDAP, etc..

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Go to solution
Matlu_NN
L2 Linker
In response to JayGolf

‎07-14-2023 10:06 AM

Hello,

They are local users.

Is there any way to successfully perform the test command to validate if the credentials are working or not?

Greetings.

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎07-16-2023 06:54 PM

Hi @Matlu_NN ,

 

I don't see you setting the target vsys.  Have you followed these steps?  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/test-the-configurati...

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
Matlu_NN
L2 Linker
In response to TomYoung

‎07-18-2023 08:05 AM

Hello,

You need to configure the "<vsys-name>"????

I have a Firewalls Cluster, and I do not see anything in the configuration of the equipment that makes me "recognize" if I have configured or not the "vsys".


Is this something that comes active by default or is it something that must be activated????

Working with vsys, can impact on the configuration that has the Cluster of equipment?

Greetings.

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎07-18-2023 10:48 AM

Hi @Matlu_NN ,

 

The CLI command is not configuring anything on the NGFW, but rather setting the context for your CLI test command.  As the doc says in step 1, "Specify which virtual system contains the authentication profile you want to test. This is only necessary if you are testing an authentication profile that is specific to a single virtual system (that is, you do not need to do this if the authentication profile is shared)."

 

This command only applies to the current CLI session.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
Matlu_NN
L2 Linker
In response to TomYoung

‎07-18-2023 01:14 PM - edited ‎07-18-2023 01:18 PM

Hello,

Actually, I don't know what is the correct syntax of the command.
I am applying what I can understand from the shared document, but I always get the same result.

IM3.pngIM2.pngIM1.png

 

 

Can you tell me what you think is the error I am having in applying the command?

Note:
It is important to mention, that this is a local account created on the Palo Alto Firewall itself.

Thanks

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎07-18-2023 01:18 PM

set system setting target-vsys vsys1

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
Matlu_NN
L2 Linker
In response to TomYoung

‎07-18-2023 01:21 PM

Hello, friend.

And in the command:

test authentication authentication-profile <authentication-profile-name> username <username> password.

What should I put in the <authentication-profile>?

My local users have not created an "Authentication-Profile".

Is it optional?

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎07-18-2023 01:35 PM

Hi @Matlu_NN ,

 

Great question!  Since you have no local authentication profile, I assume the "local users" are under Device > Administrators and not Device > Local User Database > Users.

 

You cannot use the "test" command to test for local administrators.  You would test by logging into the GUI or CLI with each username.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
Matlu_NN
L2 Linker
In response to TomYoung

‎07-18-2023 01:42 PM

Hello,

Then the command "test", would only be useful to test the "local users", that are inside the option "LOCAL USER DATABASE" ????


Greetings.

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎07-18-2023 01:47 PM

Hi @Matlu_NN ,

 

That is correct.  When you create an administrator you can configure an authentication profile for that administrator.  Your admins could authenticate with their AD credentials (LDAP) if you want.  In order to use the local user database, you would create an authentication profile with a Type:  Local Database.  Then you could use the test command.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
Matlu_NN
L2 Linker
In response to TomYoung

‎07-18-2023 02:13 PM

Hello, my friend.

Can I create a test user in "Local User Database" -> "Users" and apply the command?

For example, create an account like the following:

Username: jchampion
Password: 1234abc#

I can run the "Test" command without having a security policy, can't I?


The command would be something like this:

test authentication authentication-profile Local Database username jchamion password 1234abc#

This is the flow it should follow, and the command should be successful, right?
Or is there any observation on your part?

Thanks for your help.

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎07-18-2023 02:16 PM

Hi @Matlu_NN ,

 

You can create a test user as you described and test.  You would need to create an authentication profile with a Type: Local Database, and test against that authentication profile.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
Matlu_NN
L2 Linker
In response to TomYoung

‎07-18-2023 02:20 PM

It is not necessary to have a firewall rule to test this, right?

And the VSYS, would be the VSYS1, according to the scenario I could show you, right?

0 Likes Likes
  • 1 accepted solution
  • 4281 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks