CLI Commands for Troubleshooting Palo Alto Firewalls

When troubleshooting network and security issues on many different devices/platforms I am always missing some command options to do exactly what I want to do on the device I am currently working with. Therefore I list a few commands for the Palo Alto Networks firewalls to have a short reference / cheat sheet for myself. Maybe some other network professionals will find it useful.

However, since I am almost always using the GUI this quick reference only lists commands that are useful for the console while not present in the GUI.

This blog post will be a living document. Whenever I use some “new” commands for troubleshooting issues, I will update it. If there are any useful commands missing, please send me a comment!

For a complete list of all CLI commands, use the CLI Reference Guides from PAN. Or use the official Quick Reference Guide: Helpful Commands PDF.

Standard Show & Restart Commands

The following commands are really the basics and need no further description. I list them just as a reference:

Live Session ‘n Application Statistics

These are two handy commands to get some live stats about the current session or application usage on a Palo Alto. While you’re in this live mode, you can toggle the view via
‘s’ for session of ‘a’ for application. Quit with ‘q’ or get some ‘h’ help. Start with either:

Demo output sessions:

Demo output applications:

 

Problems with SFPs

To troubleshoot SFP problems use the following command such as shown here:, where XXX is the slot and YYY is the port:

Sample output with one non functional and one functional SFP in port ethernet1/19:

 

Find

Since PAN-OS 6.0, the “find” command helps searching for the needed command in case you do not fully know the whole set of commands. With “find command”, all possible commands are displayed. With “find command keyword xyz”, all commands containing “xyz” are shown.

 

Ping, Traceroute, and DNS

A standard ping command looks like that:

Note that this ping request is issued from the management interface! To use a data interface as the source, the option source <ip-address> can be used. To use IPv6, the option is inet6 yes. For example:

A traceroute command looks like that:

The source <ip-address>  can be used to specify the outgoing interface. However, for IPv6, the option is dissimilar to the ping command: ipv6 yes.

To resolve DNS names, e.g., to test the DNS server that is configured on the management interface, simply ping a name:

 

Routing

(For a “show” of the routing table refer to the “Standard Show Commands” above.) Debugging dynamic routing protocols functions like this:

Or follow the routed.log:

If you are using the path monitoring features for static routes, you can display some further information with these commands:

 

Test

The Palo offers some great test commands, e.g., for testing a route-lookup, a VPN connection, or a security policy match. Use the question mark to find out more about the test commands. Here are some useful examples:

 

Viewing Management-Plane Logs

In order to view the debug log files, “less” or “tail” can be used. The keyword “mp-log” links to the management-plane logs (similar to “dp-log” for the dataplane-logs). The tail command can be used with “follow yes” to have a live view of all logged messages. And as always: Use the question mark in order to display all possibilities.

Examples:

 

Capturing Management Packets

To view the traffic from the management port at least two console connections are needed. The first one executes the tcpdump command (with “snaplen 0” for capturing the whole packet, and a filter, if desired),

while the second console follows the live capture:

Test traffic can be generated with a third console session, e.g.:

Later on, the pcap file can be moved to another computer with the following command:

Alternatively, tftp can be used:

 

Live Viewing of Packet Captures

When using the Packet Capture feature on the Palo Alto, the filter settings can easily be made from the GUI (Monitor -> Packet Capture). These settings as well as the current size of the running packet capture files can be examined with:

Now, the current capturing in follow mode can be viewed with:

And for a really detailed analysis, the counters for these filtered packets can be viewed. This exactly reveals how many packets traversed which way, and so on. With the “delta yes” option, only the counter values since the last execution of this command are shown. The “packet-filter yes” option uses the packet filter from the GUI (Monitor -> Packet Capture) to filter the counters:

For example, here are the delta counters after a few DNS lookups:

Or, even more interesting, filtered on “drop” severity. (Note the reasons on the right-hand side):

 

Zone Protection Logging

Beginning with PAN-OS 8.1.2 you can enable an option to generate a threat log entry for dropped packets due to zone protection profiles. More information here. You must enable this feature through the CLI. (Hopefully, it will be default at a later date.)

 

Examining the Session Table

If a network connection failure is not found in the traffic log, the session table can be asked for sessions in DISCARD state, filtered based on its source, or whatever. This is useful at the console because the session browser in the GUI does not store the filter options and is, therefore, a bit unhandy. All commands start with “show session all filter …”, e.g.:

To have an overview of the number of sessions, configured timeouts, etc.:

For investigating a single session in more detail, use:

Watch out for the: “Hardware session offloading” line. If it is “true” you might want to disable the fastpath during troubleshooting (inside the config mode):

 

To see whether there are some “predict” sessions in which the Palo Alto uses an ALG (appliation layer gateway) to predict dynamic ports (e.g., SIP, active FTP), use this command:

A specific session can then be cleared with:

 

Reason for Session Close

[UPDATE] Since PAN-OS 6.1 the session end reason is a column within the GUI at Monitor -> Logs -> Traffic. Hence this is not needed anymore.[/UPDATE]

You cannot see the reason for a closed session in the traffic log in the GUI. For this purpose, find out the session id in the traffic log and type in the following command in the CLI (Named the “Session Tracker“). Note the last line in the output, e.g. “tracker stage firewall : Aged out” or “tracker stage firewall : TCP FIN”. This shows what reason the firewall sees when it ends a session:

Alternatively, the traffic log on the CLI can display the session tracker when used with the option “show-tracker equal yes” such as:

 

VPN Issues

The general show commands for VPN sessions are:

(Palo Alto: How to Troubleshoot VPN Connectivity Issues). Though you can find many reasons for not working site-to-site VPNs in the system log in the GUI, some more CLI commands might be useful. To reveal whether packets traverse through a VPN connection, use this: (it shows the number of encap/decap packets and bytes, i.e., the actual traffic flow)

Or use the counter values for ipsec issues:

Or have a look at the tunnel interface, whether packets are received but dropped (replace ID with the number of your tunnel interface, e.g. “tunnel.1”):

 

And for a detailed debugging of IKE, enable the debug (without any more options)

then follow the pcap with

and do NOT forget to set the debugging off!

The complete ikemgr.pcap can be downloaded from the Palo with scp or tftp, e.g.:

 

To clear or to initiate an IPsec connection use the following commands for either phase 1 (IKE) or phase 2 (IPsec):

 

GlobalProtect

Current users and flow:

 

Displaying the Config in Set Mode

The XML output of the “show config running” command might be unpractical when troubleshooting at the console. That’s why the output format can be set to “set” mode:

Now, enter the  configure mode and type show. This reveals the complete configuration with “set …” commands. (Click here for more information.) Here is a sample output of a particular show command:

The pipe (|) can be used to grep certain values with the “match” keyword, such as:

 

To show the complete config without breaks (which is “terminal length 0” on Cisco devices), the following command can be used (BEFORE the configure mode is entered):

To omit line breaks (carriage returns), use this one:

 

High Availability

Some show commands for the HA:

The following request can be used to trigger an HA failover, either for the local device or the “peer” device:

To verify the session synchronization (HA2), you can either use the  show high-availability state-synchronization as shown above on both devices (to verify that “sent” is increasing on the active unit while “received” is increasing on the passive unit) or you can look at the session browser on the passive device whether there are the same count of sessions as on the active device.

Following is a demo output of the “state-synchronization” from both devices in a cluster:

Export/Import Files

To copy files from or to the Palo Alto firewall, scp or tftp can be used. The commands have both the same structure with “export … to” or “import … from”, e.g.:

 

User-IDs and Groups

State of the LDAP server connections incl. the listing of all groups:

Group mapping and user-id agent refresh (=update) and reset (=delete and reload):

Show the group memberships for a particular user:

Show the members of a particular group:

IP to User mapping for all users or for a particular user. (The match value does not work with a backslash, so the username must be specified without the domain):

User-ID cache clearance. Note that you must clear both, the dataplane AND the management plane (…-mp), to really delete an IP mapping. Since the MP pushes the mapping to the DP you should clear the MP first. More info here.

 

IP Addresses of FQDN Objects

When using objects with FQDNs, the current IP addresses are not shown in the GUI. The following command displays respectively refreshes them:

[UPDATE] On newer PAN-OS version you can set this setting in the GUI at Device -> Setup -> Services -> FQDN Refresh Time.[/UPDATE] To set the refresh timer to another value, use the following commands:

To verify this setting you can “show” the configuration with pipe and match. If you are in the default cli config-output-format it looks like this:

When you are in the “cli” config-output-format it looks like that:

Now, as in my case, I am updating the FQDNs every 600 s = 10 m, I can see the appropriate job every 10 minutes:

 

IP Addresses of External Dynamic Lists

Similar, the entries in an external dynamic (block) list can be viewed or refreshed with:

 

DNS Proxy

To verify the functionality of DNS proxy objects, at least two commands are useful. Both outputs should speak for themselves:

 

Active URL Vendor/Database

I had some issues with the two different URL databases “brightcloud” and “PAN-DB”. This is the command to show unambiguously which vendor is active on the PA (independent of the licenses):

The output is either brightcloud or paloaltonetworks. The standard URL DB up to PAN-OS 5.0 is brightcloud. Beginning with PAN-OS 6.0, the default is PAN-DB (refer to the release notes, section “Changes to Default Behavior”). To change the vendor (of course only if it is licensed), click the “Activate” link under licenses in the GUI.

PAN-DB URL Test & Cache

To show the category of a specific URL, use one of the following commands:

To display the current URL cache from the PAN-DB, two steps are required. The first one is the creation of a logfile which contains all entries and the second one is to display this logfile:

 

Fan Speed

Ok, this is not a troubleshooting command, but nevertheless very useful. It sets the fan speed to “auto” which immediately drops the noise of the fan, e.g. on a PA-200:

 

Defaults

Just for reference:

  • Default Management Interface IP: 192.168.1.1
  • Login: admin
  • Password: admin

To change the static IP settings of the management interface via the console:

Or to change it to a DHCP client (of the management interface), use this:

And wait for a console message such as DHCP: new ip 10.100.20.175 : mask 255.255.255.128 . Otherwise, you can show the management IP address via show interface management . If you, later on, want to change back to static IP addresses you must not only use the set command above (for the mere IP address) but also change the type back to static: set deviceconfig system type static.

Perform a Factory Reset

In some cases, such as an RMA, you want to factory reset your device. You should perform the following steps for this:

1) Delete all saved configurations via

2) Remove all logs and restore the default configuration with

3) Perform the actual factory reset: reboot the device, enter the “maint” mode via a console cable, select “Factory Reset”.

To perform a factory reset without direct access to the firewall via a console cable, you can use this procedure: “How to SSH into Maintenance Mode“.

Featured image “Wrench ratchet tool set” by Marco Verch is licensed under CC BY 2.0.

119 thoughts on “CLI Commands for Troubleshooting Palo Alto Firewalls

  1. Hey I have one question, how can I disable or enable a static route using the CLI and not doing it on the GUI?

    1. Hi. You must go into the configure mode (“configure”) and specify a command similar to this:
      “set network virtual-router NAME-OF-THE-VR routing-table ip static-route NAME-OF-THE-ROUTE option no-install”. And don’t forget to “commit”. ;)

      1. So is the command you list “set network virtual-router NAME-OF-THE-VR routing-table ip static-route NAME-OF-THE-ROUTE option no-install”… the CLI command one would use to delete a pre-existing route (once committed)? OR is there another command to run besides the one you mention ?

        1. I listed the command to DISABLE an already installed route. The keyword here is the “no-insall” at the end. So, once committed, the NAME-OF-THE-ROUTE route is disabled.

          1. Ok, thanks. So what would the CLI command be to actually DELETE an already installed route ?

            I have worked with many firewalls, but for some reason, the CLI command to do this on a Palo Alto eludes me. Is it because the deleting of a route is only done through the GUI? Thank you for your help

  2. Occam’s razor strikes again! replace the “set” with “delete”.. It does surprise me though that such a simple, and different from other platforms, way of deleting, removing, unsetting or no to a command is not readily documented or discovered through out the Web or Palo Alto.. Just say’n!… had to figure it out solo..

  3. Hier noch einige Befehle, die ich öfter benötige.

    Zeigt den Status einzelner oder aller Gruppen-Mappings.

    Zeigt alle Benutzer in einer Gruppe an.

    Übersicht aller Prozesse auf der Firewall.

    Dynamic Address Groups einsehen

    Extrem nützlich ist folgender Befehl, welcher ein bestehendes Template innerhalb von Panorama clont.

  4. Hello all!

    Does anyone know if trace and ping are available on Palo Alto GUI?

    Thanks and regards,

  5. Nice post! Great for us who are transitioning from Cisco.

    Question: Is there an equivalent PA CLI command for “terminal length 0”?

    Thank you

    1. Thanks, Steve.
      Yes, the command is: “set cli pager off”. I updated the section (Displaying the Config in Set Mode), thanks for the hint.
      Johannes

  6. Hi all,

    Is there any option or command to delete a particular single Log / Particular IP traffic or URL Logs..

    Thanks.

  7. Like Show configuration | in “value”. is there any commands like this in Palo alto to see the particular config,

    For Ex : To see the configuration of IP ” 172.16.10.0/24″ we used this command in cisco “show run | in 172.16.10.0” it will show the configuration details.. please let me know the command in Palo alto for the same .

    Thanks
    Vishnu

    1. Hi Vishnu,
      yeah, good question. I just updated the correspondant section in this post for you: “Displaying the Config in Set Mode”.

      Note that you could use a similar command in the standard CLI view (not in the “configure” view):
      “show config running | match 192.168.120.2”
      However, this is not very useful since you onle get single XML lines without any context around the lines.

        1. Hello Marcin,

          Your CLI filter looks great. Do you have any document of it? I suppose the match filter support some level of regular expression?

        2. I just realized the match command is actually the grep command.
          The regular expression rule applies the same on match.
          Thanks anyway.

  8. Hello,

    Is there any command or script to schedule automatically backup Palo Alto firewall configuration.

    Thanks.

    1. On the Palo Alto, you don’t have this possibility. :(
      But you can use the API to download a config file from the device. Howver, I currently don’t have such a script. But maybe someone else has?

  9. How to configure Vlan in palo alto. My ISP gave me the wan IP and Vlan id . They asking me to configure in the interface where ISP connected. Could you help me. I need a sample configuration of Palo alto . Kindly sent to mail id : aravindramesh11@gmail.com

  10. What is the equivalent cli command on the Palo for the following Sidewinder command:

    acat -ae ‘(srcip 192.168.1.1 dstip 192.168.2.2) and dstport 53’

  11. Correction:
    What is the equivalent cli command on the Palo for the following Sidewinder command:

    acat -ae ‘(srcip 192.168.1.1 or dstip 192.168.2.2) and dstport 53′

  12. Hello,

    Is there a command to see which policy rules processed a traffic? I have an SSL inbound decryption rule that does not decrypt my traffic. Want to see if the traffic is processed by that rule

    Thanks

    Cid

    1. If client and server negotiates DH based cipher suites, then decryption is not possible. Also, there are certain RSA based cipher suites which PA is not going to decrypt. Check PA’s documents for list of RSA cipher which PA is not going to decypt.

      Take packet captures on client machine and if you see DH based cipher suites negotiated by server in server hello, then force the server to negotiate on RSA based cipher suites.

      Otherwise, I don;t any reason for decryption failure, if your decryption policy covers the interested traffic.

      Jugnu

  13. Hello,

    is there a command to find out if an object with IP a.b.c.d exist?

    And a command to find out if an object named “whatever” is included in any object group?

    Thanks.

    1. Why don’t you use the GUI for these requests? Simply type in the IP address or name or whatever in the search field. ;)
      However, if you want to use the CLI: set the output format to set “set cli config-output-format set”, go into the configure mode “configure” and grep the IP address or whatever “show | match 192.168.0.1”.

      1. I can’t see how to search in the output of the show command. I don’t thing you can place a pipe after “show” with o without space.

        May be if I could execute two commands in one line, I could launch the commands from a host and “grep” the output.

        Something like:
        $ ssh user@fw “set cli config-output-format set ; configure ; show address-group” | grep 1.2.3.4

        Do you thing it is possible?

        I only have to do such a thing, say once in a week, so I would like to have some scripts to find just that type of information with a command.

        Thanks for your help.

        1. Yes, you can pipe after a simple “show”. Here is my output. First I searched after an IPv4 address, then after the name to reveal the group:

          weberjoh@fd-wv-fw02# show | match 172.16.1.1
          set address h_fd-wv-fw01_trust ip-netmask 172.16.1.1
          [edit]
          weberjoh@fd-wv-fw02# show | match h_fd-wv-fw01_trust
          set address-group g_h_RouterFirewalls static [ h_fd-wv-fw01_trust h_fd-wv-fw01_trust_v6 h_fd-wv-fw01_untrust h_fd-wv-fw01_untrust_v6 h_fd-wv-fw02_untrust h_fd-wv-fw02_untrust_v6 h_fd-wv-fw03_outside h_fd-wv-fw03_outside_v6 h_fd-wv-ro01_inside h_fd-wv-ro01_inside_v6 h_fd-wv-ro02_outside h_fd-wv-ro02_outside_v6 h_fd-wv-ro03_outside h_fd-wv-ro03_outside_v6 ]
          set address h_fd-wv-fw01_trust ip-netmask 172.16.1.1
          [edit]
          weberjoh@fd-wv-fw02#

          I do not know whether you can call ssh with several commands behind it. I have not used such techniques until now.

          1. My output:

            antonio@fwpa1-con(active)> set cli config-output-format set
            antonio@fwpa1-con(active)> set cli pager off
            antonio@fwpa1-con(active)> configure
            Entering configuration mode
            [edit]
            antonio@fwpa1-con(active)# show | match 10.229.32.8

            Invalid syntax.
            [edit]
            antonio@fwpa1-con(active)#

            Maybe the version of PANOS.

            I’ll try some variety of expect.

            Thanks.

  14. Dear Johannes Weber,

    i am new to this firewall. kindly give the suggestion how to gain the good knowledge on this firewall. kindly provide the use full links url.

  15. Great blog.
    Few queries . May it covered in trail but still very helpful if someone respond:
    # in cli mode, how to check routing for 1 of tje destionation and accordingly i can see the interface from which it go out and finally i can see the zone binded with that interface.
    This is very basic to create policy in GUI mode.

    1. CLI command to test filter, policy, vpn, route, nat, …:
      type ‘test ?’ and pick an option

    1. Google is your friend. ;) And the Palo Alto CLI Ref.
      Ok, here we go:
      configure
      set deviceconfig system snmp-setting access-setting version v2c snmp-community-string foobar
      commit

  16. I have AWS VPN, I would like to upload AWS VPN configuration file to palo alto using any commands lines or API call. Would it possible to do that. If yes could you please provide the details here.

    Thank you

    1. Puh, that should work, but its not that easy.
      Have a look at the Palo Alto CLI Reference. You’ll find some commands for, e.g.,:
      set network ike …

      Is AWS giving you a VPN template for Palo Alto? Or do you want to build it yourself? Maybe you can create a ticket at Palto Alto Support to solve that?

  17. One of our client using paloalto PA3050 model. They have a 50 mbps Vodafone lease line,its working fine when we directly connected to the router. but if we connected through our firewall then upload speed is come upto 2 mbps only.

  18. Hey how many silence features have you activated on the device and how much bandwidth license do you have on the device? have they implemented any QOS on the device?

  19. Hello

    I want to check which route is matching for some host IP like 10.155.7.33. When I run the command “show routing route destination 10.155.7.33/32” showing nothing. Although I have matching route 10.115.7.0/24 in the routing table. If does not match, it should show 0/0 default route

    1. Hi,

      yes, you are displaying only the mere routing table and not an “intelligent query”. Please try:
      “test routing fib-lookup virtual-router default ip 10.155.7.33”
      This will show you the exit interface and the next-hop of the route.

  20. Hi,
    Can someone let know what’s a good way (if there is one) to check what debugs were configured and if someone failed to turn them off, and the CPU spikes happen, there should be a nice way to turn those off after seeing what set them on.
    I was told it is virtually impossible to see the active debugs and there is no ‘undebug all” cisco-fashion command on PA I suppose.

  21. How to I delete/uninstall all the process related to Global Protect Palo Alto using command line. I think the command is set clean palo….. Not sure what exactly it is. Could you please provide me the command?

    Regards,
    Farhan

    1. Hi Farhan,
      I do not know what exactly you are searching for. Please use the “find” command to lookup all global-protect commands on the CLI:
      find command keyword global-protect

      If you want to change something on the configuration, enter the configuration mode with “configure” and display all global-protect configs with:
      show global-protect

      All commands are then under the following structure:
      set global-protect …

      However, it will be MUCH easier for you to do that within the GUI!
      Cheers,
      Johannes

  22. HI All ,

    Can any one tell me what is this dg-id when configuring device group from panorama CLI.

    Please find the below command.

    set device-group GNDC-GW-3050-Group external-list
    set device-group GNDC-GW-3050-Group pre-rulebase security rules
    set readonly dg-meta-data dginfo GNDC-GW-3050-Group dg-id 31
    set readonly dg-meta-data dginfo GNDC-GW-3050-Group parent-dg All-Perimeter-FW

    Regards
    ANANDHU

    1. Sorry Anandhu, I have no idea. (But I can verify that I have the same commands in my Panorama, too.) Have never used them so far.
      Please open a ticket @PAN and tell us later on what it is for. ;)

      1. Same has been done but the problem is even TAC is not able to answer on this query.

  23. Hi all,

    If my panorama is restarted or shutdown, then could i find the reason of that..??
    is there any cli..??

    1. Hey Swapnil,

      it is quite abnormal that panorama reboots by itself. You should open a support case @ PAN.
      Anyway, you can use the “less ?” command on the CLI to display many different logs such as “less mp-log sysd.log”.
      Or you can try to use scp to export certain logs such as “scp export core-file management-plane from crashinfo to user@host:path”.

      Cheers,
      Johannes

  24. Hi, nice job. This is really usefull to day-to-day work. I have a little issue, I hope you could help me: I want to get the name of all vsys with a command, not by pressing ‘tab’ or ‘?’ as in next sentence: “set system setting target-vsys “. Is there some command to get this info?

    Regards,
    Mike

  25. Hello,
    gradient post you made, very useful

    I do not speak English , I support the google translator :(((
    I need to set up an “alarm” to notify me when it reaches 80% of my ISP’s bandwidth.
    know any way to do this work?

    1. Uh, I am sorry, but I don’t know if this is possible at all.
      To my mind you must use SNMP with some third party tools to generate an alarm.

  26. Hi, We are from Cisco ASA background and facing difficulty while troubleshooting communication issues. Please help if we can test application reachability from PA by doing telnet to destination server on defined ports (telnet 10.10.10.10 443) or ping tcp 10.10.10.10 443

    1. Hi Sameer,

      since Palo Alto recognizes the application rather than the port you won’t be able to “telnet x.y.z.t 443”. Palo will recognize this as “telnet on port 443” rather than “ssl on 443”. Hence, you really must test the *real* application you allowed/blocked within your policies.
      (If you are facing network issues you can additionally allow “telnet” on port “any” and give it a try. But you should delete this after your tests.)
      Or you simply allow ping/icmp/traceroute to test the underlying network infrastructure.
      Cheers,
      Johannes

      1. Thank you for your reply. My requirement is to test application availability from firewall. We don’t have access to servers and we get tickets saying application is inaccessible. Server default gateway is hosted on Palo Alto and we need to check whether server is responding on desired ports. Ports are different from 443 and I mentioned 443 as an example

        1. I don’t know how to test something like this *from* the firewall itself. This won’t really solve your problem since it would only be a test and not your real scenario.

          Check the following:
          – Look at your Traffic Log. You must see incoming connections according to your tickets. Are the sessios allowed or blocked? Which application is detected? Maybe you have to look at the “default deny” rule to see which application the Palo Alto detects. (Note that the default deny rule has logging DISabled by default. You must override it to enabled logging.)
          – Check the “Bytes sent / Bytes received” on the Traffic Log. If only bytes are sent but NOT received, then your server isn’t answering.
          – Check the ARP cache (IPv4) or Neighbor cache (IPv6): Is the server really on the correct subnet/vlan?

          1. Hellow Mr. Weber, I hope you see my comment to this old post. I have a question: What does “Bytes sent/ Bytes received” mean in ACC screen of Palo Alto firewall? I mean, if 500MB of packets are sent from a source device and go through a firewall, get permitted to reach the destination, then the firewall should not see the packets as “sent” or “received”; the firewall just “processes” the packets regardless of the direction, I suppose. Does it have to do with trust and untrust zones (traffic coming from trust is “sent”, for example), or does it have to do with some flags such as TCP syn, syn/ack and ack? Thank you!

            1. Hey Takumi.

              Yo, this is quite a good question. Indeed the firewall never receives or sends packets directly to/from itself, but rather processes packets. (Ok, there are exceptions such as management access via ping, ssh, https to a data interface or IPsec traffic to the WAN interface or OSPF to an internal interface.)

              However, all the “sent/received” values are based on the source -> destination connection aka client -> server. That is: for both, UDP and TCP, the client always establishes the connection to the server. For TCP, the client sends the very first TCP SYN packet. –> That is: the “sent/received” is ALWAYS from the clients perspective!

              To give an example: An SSH connection is made from a client to a server. The IP address from the client is the source, while the IP address from the server is the destination. If this SSH connection is used by SCP in which the client uploads a 1 GB file to the server, this 1 GB is listed as “sent”. If in another session the same client downloads a 1 GB file from the server, the “source” and “destination” IP addresses are still the same (since the same client has started the session), while this 1 GB is counted as “received”.

              1. Thank you very much Mr. Weber for your reply and my sincere apology for taking forever to thank you here! I just found out you made a post out of my comment. I’ll brag it to my colleagues, cheers!

  27. Hi – I would like to know if it’s possible to make the standby as active mode via CLI from standby firewall? My firewall running on sw-version: 7.1.8 and has no option to run cli against peer.
    I have a situation where the active firewall on high CPU not allowing access via Gui not SSH.

    1. Uh, good question. I do not know anything like that. The only option I know is to click the “suspend” button in the GUI on the active unit. (And of course you can power off the active device ;))

    2. Under High-availability/ Election Settings/ Device priority you could try and give the passive fw a higher number than the currently active fw. I believe that should elect the passive to become the active.

  28. Hello. Do you know of a way to verify a Path Monitor BEFORE it is enabled on a static route? For example, if this were Cisco, I could check the status of the track before applying it to a static route. Thanks.

    1. Uh, that’s a good point. I don’t know. I cannot find a way to prove that when the monitor is enabled.

      However, you can use two workarounds:
      1) Configure two path monitor destinations for your route, one that succeeds and the other one that you want to test. When you set the failure condition to “all” then your route will stay active since the first destination still works.
      2) Configure a dummy route entry with the path monitor you want to test.

      To verify the path monitoring from the CLI use the following command:
      show routing path-monitor

  29. hi joha,
    i have pa-500 box. while committing config it stop at 90%. on my primary t- shoot i get to know that the user id demon was stuck at 70% which causing the issue . In order to resolve the issue we have to restart the demon and also i have the cli command as well . my question is {is there any impact on my network while running the command or we required a down time to do this ?}

    1. Hi SWOPNENDU.
      At first: I am not quite sure! Please consider opening a ticket at Palo Alto Networks. They should help you.

      However, to my mind, a restart of the User-ID should not affect your network, but *might* affact your User-IP-Mappings for certain amount of time. BUT: I am not sure that this single restart will completely help you. Maybe this is just the first problem you have. I am having lots of problems with my PA-200 during the last few months. In many cases a complete reboot was the only solution. ;(

  30. Hello,

    Some recommended practice for creating custom applications.
    I’m about to migrate to a data center and I see that this is my biggest problem.

    regards.

  31. Its very useful commands that I don’t know some commands, Now I learn a lot after seeing this BLOG.

  32. Hi,

    Excellent work, thank you.

    Is there any way to find out which NAT rule is applied to a specific connection? Either CLI or GUI.

    Regards,
    Ben

    1. Hey Ben. This is a very good question. AFAIK this cannot be done. ;( I was searching for a similar solution when I wanted to know which security profiles were used by some connections. I ended in looking at the security policies to find the appropriate security profiles. (But this doens’t help you at all.)

  33. My PA 200 firewall has rebooted and I need to know if it was soft or hard reboot…

    Any CLI command for that…

  34. I have a PA-500 still in the 7.x code. I recently did a reboot, and it took a while but finally completed the reboot and started functioning, passing traffic, etc. This was in preparation to do a code upgrade to latest version of 7.x and then up to the latest 8.x code. Since then, I’ve not been able to access it via Web interface. It shows the TLS Handshake, and then just sits there until it times out. I want to console into it, but don’t know any CLI commands for troubleshooting the web interface. Before anyone asks, I’ve rebooted it again (by physically powering it off and back on again) and still the same results. It’s still passing traffic, sending logs to the SIEM, and still reporting status via SNMP in Solarwinds, but still cannot access the web interface. Any help would be appreciated.

    1. Hi Norman,

      you can always use the “find command keyword BLABLABLA” command to find appropriate commands. E.g., I just did a “find command keyword restart” and came to this one:
      debug software restart process <crypto|dhcp|device-server|ikemgr|keymgr|management-server|web-server|web-backend|l3-service|sslvpn-web-server|rasmgr|log-receiver|routed|user-id|vardata-receiver|pppoe|satd|sslmgr|dnsproxy|l2ctrl|ntp|authd|snmpd|cord|pan-comm|ifmgr> core <yes>

      Hence you can try “debug software restart process web-backend” or “… web-server”.

      Cheers
      Johannes

  35. You can also do #show jobs all to see if there are any pending stuff like auto-commit
    You can also do #debug software restart process management-server

  36. So I gots me a PA-220! However cannot for the life of me get it to upgrade from 8.0.3

    It appears a have successfully imported 8.0.3-h4, but when I [ request system software install version xxxxxx ] it tells me it doesn’t exist.

    Then I try to run [ scp import file ] and it tells me it already exist!

    P3rplExinG!

    1. same thing trying to upload content —- arggghhh I hate being a newbie@!!!

      admin@PA-220> scp import software from rpfutrell@192.168.1.9:/Users/rpfutrell/Downloads/panupv2-all-contents-8278-6109
      rpfutrell@192.168.1.9’s password:
      panupv2-all-contents-8278-6109 100% 51MB 12.7MB/s 00:04

      panupv2-all-contents-8278-6109 saved

      admin@PA-220> request system software install version panupv2-all-contents-8278-6109
      Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)

      Server error : version panupv2-all-contents-8278-6109 not downloaded/uploaded
      admin@PA-220>

      1. Hey fieldmonkey,

        well, I have never done any installation via the CLI in all those years. ;) Just some quick notes:
        – You always need the “zero” version in order to install any update. For example, you need to download the 8.1.0 image in order to install 8.1.x.
        – Every PAN-OS requires at least version xy from the content package. To my mind this is specified in the release notes.
        – You can only upgrade to major version by major version. That is: No jump from 7.0 to 9.0 directly, or the like.
        – My recommendiation: factory reset, login to the GUI, “Check Now” at the software, upgrade to the latest displayed version, install, reboot, check now again, and so on.

        Cheers
        Johannes

  37. What is the command to know which switch or device connected to Palo Alto firewall

  38. Hi John,
    First thanks for the post. Could VPN Client block by copy paste from corporate network? Also can we stop network folders like NAS sharing?

    1. Hi John,
      Have we got any options here that VPN Clients stop coping files from Corparate network to own machines? Maybe out of the box solution.

      1. Hey Sam. You’re talking about a DLP solution, don’t you? Well, that’s a WHOLE new topic at all and not easy to solve.

        What Palo can do out of the box is to block file transfers such as NFS, CIFS, SMB, whatever. But this won’t solve your problem. Consider file transfers over an RDP session, and so on.

  39. Hi,

    HSRP used by cisco, NSRP used by juniper, so what HA protocol does Palo alto uses.

    1. Palo does NOT use the concept of a first-hop redundancy protocol (which is in short: both routers are actively participating in the network, building their own routing tables, and negotiating the primary/secondary role for every single layer 3 virtual IP address)

      BUT: Palo uses the concept of high availability for the WHOLE box. That is: using two same appliances you are forming an active/passive cluster. Only one unit is active and does all the network stuff, while the other one is completely passive and not participating in any network protocols. In case of a failure, the cluster swaps the active/passive roles. The formerly passive appliance takes the active role and continues with all protocols and currently active sessions, VPNs, etc.

  40. Is there any command in Panorama to check the number of policy rules configured in my managed device, say i have 500 rules and just want to see in cli by a command which just shows me the output as 500 (total count of rules)

    1. Hey Mayank. I’m not aware of any command for this. Of course, you can have a look at the GUI in the upper right when you’re at the Policies tab. This will show you the number of rules within the Pre Rules or Post Rules or Default Rules.

  41. Error: Failed to get vsys config, already allocated (2097152 bytes)
    failed to handle CONFIG_UPDATE_START

    getting this error on auto commit after restart of the firewall

    can someone tell me how to resolve this

      1. Yes TAC is investigating the issue from last 6hr but they are still didn’t find anything

  42. Due to this DataPlane is not coming up , we are using software version 10.0.8-h8

  43. Now we resolved this issue, it is coming due EDL’s , due this policy cache limit is exceeded and it through this error CONFIG_UPDATE_START for any type of commit.

    we disabled the EDL rules in panorama then commit and push got successful

Leave a Reply

Your email address will not be published. Required fields are marked *