Palo Alto has a test authentication feature that enables you to verify whether the firewall can communicate with the authentication server specified in an authentication profile and whether an authentication request succeeds for a specific user. Please refer to the Palo Alto documentation for detailed instructions.


1- Log in to the Palo Alto CLI


2- Define the target virtual system that the test command will access

This is required on firewalls with multiple virtual systems so that the test authentication command can locate the user you will test.

Define the target virtual system by entering:

admin@PAN5> set system setting target-vsys <vsys-name>

For example, if the user is defined in vsys2, enter:

admin@PAN5> set system setting target-vsys vsys2


3- Test the authentication profile by entering the following command:

admin@PAN5> test authentication authentication-profile <authentication-profile-name> username <username>

For example, to test an authentication profile named "VPN-twofactor-auth" with a username "mfa", enter:

admin@PAN5> test authentication authentication-profile VPN-twofactor-auth username mfa
