When troubleshooting network and security issues on many different devices/platforms I am always missing some command options to do exactly what I want to do on the device I am currently working with. Therefore I list a few commands for the Palo Alto Networks firewalls to have a short reference/cheat sheet for myself. Maybe some other network professionals will find it useful.
However, since I am almost always using the GUI this quick reference only lists commands that are useful for the console while not present in the GUI.
This blog post will be a living document. Whenever I use some “new” commands for troubleshooting issues, I will update it. If there are any useful commands missing, please send me a comment!
For a complete list of all CLI commands, use the CLI Reference Guides from PAN. Or use the official Quick Reference Guide: Helpful Commands PDF.
Standard Show & Restart Commands
The following commands are really the basics and need no further description. I list them just as a reference:
show system info //shows the uptime, serial number, ...
show system environmentals //e.g. power supply failures
show ntp
show session info //packet rate, number of sessions, fastpath active, etc.
show session id <id>
show interface { all | <interface-name> }
show routing route //routing table (all routes)
show routing fib //forwarding table (only used routes)
show routing protocol <protocol> ...
show arp { all | <interface-name> }
show neighbor interface { all | <interface-name> } //IPv6 neighbor cache
show mac all //only with layer 2 interfaces
show jobs all
show jobs id <id>
show running resource-monitor //resource statistics
show system resource follow //="top", CPU usage and processes
show system disk-space //="df -h"
debug software restart <service> //Restart a certain process
request restart system //Reboot the whole device
Live Session ‘n Application Statistics
These are two handy commands to get some live stats about the current session or application usage on a Palo Alto. While you are in this live mode, you can toggle the view with ‘s’ for sessions or ‘a’ for applications. Quit with ‘q’ or get help with ‘h’. Start with either:
show system statistics session
show system statistics application
Demo output sessions:
System Statistics: ('q' to quit, 'h' for help)

Device is up          : 45 days 7 hours 3 mins 51 sec
Packet rate           : 1218/s
Throughput            : 9890 Kbps
Total active sessions : 137
Active TCP sessions   : 45
Active UDP sessions   : 88
Active ICMP sessions  : 3
Demo output applications:
Top 20 Application Statistics: ('q' to quit, 'h' for help)

Virtual System: vsys1
application                        sessions      packets         bytes
--------------------------------  ----------  ------------  ------------
ssl                                   38638      2142072    1538873557
apt-get                                 163       359134     352174998
ssh                                    4712       186837      31146268
snmpv2                                10378        94154      13782215
web-browsing                           1485        29975       9750108
ntp                                   23841        43332       4544044
sip                                    3482         3489       1577813
dns                                    3945        11347       1219361
snmp-base                               201         2838        295602
smtp                                     24          859        258658
acme-protocol                            10          500        219932
ping                                   1288         2576        183814
Problems with SFPs
To troubleshoot SFP problems use the following command as shown here, where XXX is the slot and YYY the port:
show system state filter-pretty sys.sXXX.pYYY.phy
Sample output, first for a non-functional SFP (note the unreadable vendor fields) and then for a functional one, both in port ethernet1/19:

admin@MakeFirewallGreatAgain(active)> show system state filter-pretty sys.s1.p19.phy
sys.s1.p19.phy: {
  link-partner: { },
  media: SFP-Plus-Fiber,
  sfp: {
    connector: LC,
    encoding: Reserved,
    identifier: SFP,
    transceiver: OC48-SR,1000B-SX,100 MBytes,
    vendor-name: P<A1><A1>o<A1><A1><A1><A1>o<A1>O<A1><A1><A1><A1><A1>,
    vendor-part-number: SF<A1><A1>G<A1><A1><A1><A1><A1>C<A1><A1><A1><A1><A1>,
    vendor-part-rev: <A1><A1><A1><A1>,
  },
  type: Ethernet,
}

admin@MakeFirewallGreatAgain(active)> show system state filter-pretty sys.s1.p19.phy
sys.s1.p19.phy: {
  link-partner: { },
  media: SFP-Fiber,
  sfp: {
    connector: LC,
    encoding: 8B10B,
    identifier: SFP,
    transceiver: 1000B-SX,I dist,SN,
    vendor-name: AVAGO ,
    vendor-part-number: AFBR-5715PZ-JU1 ,
    vendor-part-rev: ,
  },
  type: Ethernet,
}
Find
Since PAN-OS 6.0, the “find” command helps to search for the command you need when you do not know the whole command set. “find command” displays all possible commands; “find command keyword xyz” shows all commands containing “xyz”.

find command
find command keyword <word-to-search-for>
Ping, Traceroute, and DNS
A standard ping command looks like this:
ping host 8.8.8.8
Note that this ping request is issued from the management interface! To use a data interface as the source, the option source <ip-address> can be used. To use IPv6, the option is inet6 yes. For example:
ping inet6 yes source 2003:51:6012:120::1 host 2a00:1450:4008:800::1017
A traceroute command looks like this:

traceroute host 8.8.8.8

The source <ip-address> option can be used to specify the outgoing interface. For IPv6, however, the option differs from the ping command: ipv6 yes.
To resolve DNS names, e.g., to test the DNS server that is configured on the management interface, simply ping a name:
ping host ip.webernetz.net
Routing
(For a “show” of the routing table refer to the “Standard Show Commands” above.) Debugging dynamic routing protocols functions like this:
debug routing pcap <routing-protocol> on
debug routing pcap show
debug routing pcap <routing-protocol> view
debug routing pcap <routing-protocol> off
debug routing pcap <routing-protocol> delete
Or follow the routed.log:
tail follow yes mp-log routed.log
If you are using the path monitoring features for static routes, you can display some further information with these commands:
show routing path-monitor
debug routing path-monitor
Test
The Palo offers some great test commands, e.g., for testing a route-lookup, a VPN connection, or a security policy match. Use the question mark to find out more about the test commands. Here are some useful examples:
test routing fib-lookup virtual-router default ip <ip>
test vpn ipsec-sa tunnel <value>
test security-policy-match ?
test security-policy-match from trans-internet to pa-trust-server source 192.168.86.5 destination 192.168.120.2 protocol 6 application ssl destination-port 443
Viewing Management-Plane Logs
In order to view the debug log files, “less” or “tail” can be used. The keyword “mp-log” links to the management-plane logs (similar to “dp-log” for the dataplane-logs). The tail command can be used with “follow yes” to have a live view of all logged messages. And as always: Use the question mark in order to display all possibilities.
Examples:
less mp-log ?
less mp-log dnsproxyd.log
tail follow yes mp-log dhcpd.log
tail follow yes mp-log routed.log
Capturing Management Packets
To view the traffic from the management port at least two console connections are needed. The first one executes the tcpdump command (with “snaplen 0” for capturing the whole packet, and a filter, if desired),
tcpdump snaplen 0 filter "port 53"
while the second console follows the live capture:
view-pcap follow yes mgmt-pcap mgmt.pcap
Test traffic can be generated with a third console session, e.g.:
ping host webernetz.net
Later on, the pcap file can be moved to another computer with the following command:
scp export mgmt-pcap from mgmt.pcap to <username@host:path>
Alternatively, tftp can be used:
tftp export mgmt-pcap from mgmt.pcap to <host>
Live Viewing of Packet Captures
When using the Packet Capture feature on the Palo Alto, the filter settings can easily be made from the GUI (Monitor -> Packet Capture). These settings as well as the current size of the running packet capture files can be examined with:
debug dataplane packet-diag show setting
Now, the current capturing in follow mode can be viewed with:
view-pcap follow yes filter-pcap
And for a really detailed analysis, the counters for these filtered packets can be viewed. This exactly reveals how many packets traversed which way, and so on. With the “delta yes” option, only the counter values since the last execution of this command are shown. The “packet-filter yes” option uses the packet filter from the GUI (Monitor -> Packet Capture) to filter the counters:
show counter global filter packet-filter yes delta yes
For example, here are the delta counters after a few DNS lookups:
weberjoh@fd-wv-fw02> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 44.689 seconds

name                           value   rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_sent                          24      0 info      packet    pktproc   Packets transmitted
pkt_outstanding                   24      0 info      packet    pktproc   Outstanding packet to be transmitted
pkt_alloc                        120      2 info      packet    resource  Packets allocated
session_allocated                 19      0 info      session   resource  Sessions allocated
session_installed                 19      0 info      session   resource  Sessions installed
flow_host_pkt_xmt                144      3 info      flow      mgmt      Packets transmitted to control plane
flow_host_service_allow           24      0 info      flow      mgmt      Device management session allowed
appid_ident_by_dport_first        19      0 info      appid     pktproc   Application identified by L4 dport first
dfa_sw                            48      1 info      dfa       pktproc   The total number of dfa match using software
ctd_sml_vm_check_domain           24      0 info      ctd       pktproc   sml vm check domain
ctd_bloom_filter_nohit            24      0 info      ctd       pktproc   The number of no match for virus bloom filter
aho_sw                            48      1 info      aho       pktproc   The total usage of software for AHO
ctd_pkt_slowpath                  48      1 info      ctd       pktproc   Packets processed by slowpath
--------------------------------------------------------------------------------
Total counters shown: 13
--------------------------------------------------------------------------------
Or, even more interesting, filtered on “drop” severity. (Note the reasons on the right-hand side):
weberjoh@fd-wv-fw02> show counter global filter delta yes severity drop

Global counters:
Elapsed time since last sampling: 166.755 seconds

name                           value   rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_rcv_dot1q_tag_err           726      4 drop      flow      parse     Packets dropped: 802.1q tag not configured
flow_no_interface                726      4 drop      flow      parse     Packets dropped: invalid interface
flow_ipv6_disabled                 1      0 drop      flow      parse     Packets dropped: IPv6 disabled on interface
flow_tcp_non_syn_drop             50      0 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_fwd_l3_mcast_drop            50      0 drop      flow      forward   Packets dropped: no route for IP multicast
flow_fwd_l3_ttl_zero               9      0 drop      flow      forward   Packets dropped: IP TTL reaches zero
flow_fwd_zonechange                8      0 drop      flow      forward   Packets dropped: forwarded to different zone
flow_dos_pf_ipspoof               17      0 drop      flow      dos       Packets dropped: Zone protection option 'discard-ip-spoof'
flow_dos_pf_noreplyttl             6      0 drop      flow      dos       Packets dropped: Zone protection option 'suppress-icmp-timeexceeded'
--------------------------------------------------------------------------------
Total counters shown: 9
--------------------------------------------------------------------------------
Zone Protection Logging
Beginning with PAN-OS 8.1.2 you can enable an option to generate a threat log entry for dropped packets due to zone protection profiles. More information here. You must enable this feature through the CLI. (Hopefully, it will be the default in upcoming releases.)
set system setting additional-threat-log on
Examining the Session Table
If a network connection failure cannot be found in the traffic log, the session table can be queried for sessions in DISCARD state, filtered by source, or whatever. This is useful at the console because the session browser in the GUI does not store the filter options and is therefore a bit inconvenient. All commands start with “show session all filter …”, e.g.:

show session all filter state discard
show session all filter application dns-base destination 8.8.8.8
show session all filter application dns-base destination 8.8.8.8 count yes
show session all filter from trust to untrust application ssl state active
To have an overview of the number of sessions, configured timeouts, etc.:
show session info
For investigating a single session in more detail, use:
show session id <id>
Watch out for the “Hardware session offloading” line. If it is “true”, you might want to disable the fastpath during troubleshooting. The first command is an operational command and is not persistent; the second one is set in configure mode and survives a reboot:

set session offload no
set deviceconfig setting session offload no //= persistent, even after reboot. CAUTION!
To see whether there are some “predict” sessions in which the Palo Alto firewall uses an ALG (application layer gateway) to predict dynamic ports (e.g., SIP, active FTP), use this command:
show session all filter type predict
A specific session can then be cleared with:
clear session id <value>
VPN Issues
The general show commands for VPN sessions are:
show vpn gateway
show vpn ike-sa
(Palo Alto: How to Troubleshoot VPN Connectivity Issues). Although many reasons for a non-working site-to-site VPN can be found in the system log in the GUI, a few more CLI commands can be useful. To reveal whether packets traverse a VPN connection, use the following command; it shows the number of encap/decap packets and bytes, i.e., the actual traffic flow:

show vpn flow name <value>
Or use the counter values for ipsec issues:
show counter global filter delta yes | match ipsec
Or have a look at the tunnel interface, whether packets are received but dropped (replace ID with the number of your tunnel interface, e.g. “tunnel.1”):
show counter interface tunnel.ID
And for a detailed debugging of IKE, enable the debug (without any more options)
debug ike pcap on
then follow the pcap with
view-pcap follow yes debug-pcap ikemgr.pcap
and do NOT forget to set the debugging off!
debug ike pcap off
The complete ikemgr.pcap can be downloaded from the Palo with scp or tftp, e.g.:
scp export debug-pcap from ikemgr.pcap to <username@host:path>
To clear or initiate an IPsec connection use the following commands for either phase 1 (IKE) or phase 2 (IPsec):
clear vpn ike-sa gateway <value>
clear vpn ipsec-sa tunnel <value>
test vpn ike-sa gateway <value>
test vpn ipsec-sa tunnel <value>
GlobalProtect
Current users and flow:
show global-protect-gateway current-user
show global-protect-gateway flow
Displaying the Config in Set Mode
The XML output of the “show config running” command might be impractical when troubleshooting at the console. That’s why the output format can be set to “set” mode:
set cli config-output-format set
Now, enter the configure mode and type show. This reveals the complete configuration with “set …” commands. (Click here for more information.) Here is a sample output of a particular show command:
weberjoh@fd-wv-fw02# show network interface ethernet ethernet1/1
set network interface ethernet ethernet1/1 layer3 ip 172.16.1.2/24
set network interface ethernet ethernet1/1 layer3 untagged-sub-interface no
set network interface ethernet ethernet1/1 layer3 interface-management-profile ping
set network interface ethernet ethernet1/1 link-speed auto
set network interface ethernet ethernet1/1 link-duplex auto
set network interface ethernet ethernet1/1 link-state auto
The pipe (|) can be used to grep certain values with the “match” keyword, such as:
weberjoh@fd-wv-fw02# show | match 192.168.120.2
set deviceconfig system ip-address 192.168.120.2
set address h_fd-wv-fw02_mgmt ip-netmask 192.168.120.2
To show the complete config without breaks (which is “terminal length 0” on Cisco devices), the following command can be used (BEFORE the configure mode is entered):
set cli pager off
To avoid wrapping of long lines, use this one:

set cli terminal width 500
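“show | match <ip>” is a plain substring grep: searching for 172.16.1.1 also hits 172.16.1.10, and it never finds a 172.16.1.0/24 network object that covers the address. The following Python script is an added example, not code from the original post. It reads a config in “set” output format (as produced after “set cli config-output-format set”), matches the IP against each address object’s ip-netmask, and then follows the references upwards to the address groups (including nested groups) and the security rules that use them. The sample config is constructed: the address and address-group lines follow the shapes shown in this post, while the rule lines assume the usual one-leaf-per-line “set rulebase security rules <name> source [ ... ]” shape.

```python
"""Resolve an IP address to the address objects, address groups and security
rules that use it, from a PAN-OS config in "set" output format.
Added example, not from the original post."""
import ipaddress
import re

# Constructed sample config in "set" format (object and rule names are made up).
CONFIG = """\
set address h_fd-wv-fw01_trust ip-netmask 172.16.1.1
set address h_fd-wv-fw01_trust_v6 ip-netmask 2001:db8:1::1
set address n_branch_lan ip-netmask 172.16.1.0/24
set address h_other_host ip-netmask 172.16.1.10
set address-group g_h_RouterFirewalls static [ h_fd-wv-fw01_trust h_fd-wv-fw01_trust_v6 h_other_host ]
set address-group g_n_all_lans static n_branch_lan
set address-group g_everything static [ g_h_RouterFirewalls g_n_all_lans ]
set rulebase security rules allow-mgmt source [ g_h_RouterFirewalls ]
set rulebase security rules allow-mgmt destination any
set rulebase security rules deny-other source [ h_other_host ]
set rulebase security rules deny-other destination any
set rulebase security rules to-lans source any
set rulebase security rules to-lans destination [ g_everything ]
"""

ADDR = re.compile(r"^set address (\S+) ip-netmask (\S+)$")
# A list leaf is printed as "[ a b c ]", a single member without brackets.
GROUP = re.compile(r"^set address-group (\S+) static (?:\[ (.*?) \]|(\S+))$")
RULE = re.compile(r"^set rulebase security rules (\S+) (source|destination) (?:\[ (.*?) \]|(\S+))$")


def parse_set_config(text):
    cfg = {"address": {}, "groups": {}, "rules": {}}
    for line in text.splitlines():
        if m := ADDR.match(line):
            try:  # only objects whose value parses as a network are usable here
                cfg["address"][m.group(1)] = ipaddress.ip_network(m.group(2), strict=False)
            except ValueError:
                pass
        elif m := GROUP.match(line):
            cfg["groups"][m.group(1)] = (m.group(2) or m.group(3)).split()
        elif m := RULE.match(line):
            rule, field, many, one = m.groups()
            cfg["rules"].setdefault(rule, {})[field] = (many or one).split()
    return cfg


def objects_containing(cfg, ip):
    """Address objects whose ip-netmask covers the IP (same IP version only)."""
    addr = ipaddress.ip_address(ip)
    return [name for name, net in cfg["address"].items()
            if net.version == addr.version and addr in net]


def groups_referencing(cfg, names):
    """Groups containing any of the names, transitively (groups of groups)."""
    found, groups, changed = set(names), [], True
    while changed:
        changed = False
        for group, members in cfg["groups"].items():
            if group not in found and found.intersection(members):
                found.add(group)
                groups.append(group)
                changed = True
    return groups


def rules_referencing(cfg, names):
    wanted = set(names)
    return [rule for rule, fields in cfg["rules"].items()
            if any(wanted.intersection(v) for v in fields.values())]


def trace(text, ip):
    """Objects, groups and rules that (directly or via groups) cover the IP."""
    cfg = parse_set_config(text)
    objs = objects_containing(cfg, ip)
    groups = groups_referencing(cfg, objs)
    return {"objects": objs, "groups": groups,
            "rules": rules_referencing(cfg, objs + groups)}


if __name__ == "__main__":
    for ip in ("172.16.1.1", "172.16.1.10", "10.0.0.1"):
        print(ip, trace(CONFIG, ip))
```

Feed it the output of “show” in configure mode (saved to a file) and it answers the question from the comments below this post, whether an object for a given IP exists and which groups and rules pull it in, without the false positives of a substring match.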
High Availability
Some show commands for the HA:
show high-availability ?
show high-availability all
show high-availability state
show high-availability link-monitoring
show high-availability path-monitoring
show high-availability control-link statistics
show high-availability state-synchronization
show high-availability flap-statistics
The following request can be used to trigger an HA failover, either for the local device or the “peer” device:
request high-availability state suspend
request high-availability state functional
request high-availability state peer suspend
request high-availability state peer functional
To verify the session synchronization (HA2), you can either use the “show high-availability state-synchronization” command shown above on both devices (“sent” should be increasing on the active unit while “received” is increasing on the passive unit), or compare the session count in the session browser of the passive device with the one on the active device.
Following is a demo output of the “state-synchronization” from both devices in a cluster:
admin@ThisIsTheFirstFirewall(active)> show high-availability state-synchronization
--------------------------------------------------------------------------------
State Synchronization Status: Complete
--------------------------------------------------------------------------------
state synchronization to peer device enabled: yes
--------------------------------------------------------------------------------
state synchronization messages processed since system up
message                          enable   version   sent       received
--------------------------------------------------------------------------------
session setup                    yes      9         12291      0
session teardown                 yes      9         12727      0
session update                   yes      9         271340     0
predict session add              yes      9         523        0
predict session delete           yes      9         501        0
predict session update           yes      9         12         0
ARP update                       yes      1         415        0
ARP delete                       yes      1         0          0
MAC update                       yes      1         0          0
MAC delete                       yes      1         0          0
IPSec sequence number update     yes      3         0          0
ND update                        yes      1         0          0
ND delete                        yes      1         0          0
DoS Aggregate entry update       yes      1         0          0
DoS Class Tbl IP update          yes      1         0          0
DoS Class Tbl IP delete          yes      1         0          0
DoS Block Tbl IP update          yes      1         0          0
DoS Block Tbl IP delete          yes      1         0          0
A/A session setup                no       9         0          0
A/A session statistics           no       9         0          0
A/A packet forward using HA2     no       9         0          0
Return MAC Update                yes      1         0          0
Return MAC Delete                yes      1         0          0
V6 Return MAC Update             yes      1         0          0
V6 Return MAC Delete             yes      1         0          0
HA2 monitor message              yes      1         0          0
predict session modify           yes      9         0          0
--------------------------------------------------------------------------------

admin@ThisIsTheSecondFirewall(passive)> show high-availability state-synchronization
--------------------------------------------------------------------------------
State Synchronization Status: Complete
--------------------------------------------------------------------------------
state synchronization to peer device enabled: no (device not in active state)
--------------------------------------------------------------------------------
state synchronization messages processed since system up
message                          enable   version   sent       received
--------------------------------------------------------------------------------
session setup                    yes      9         0          1429
session teardown                 yes      9         0          1719
session update                   yes      9         0          13495
predict session add              yes      9         0          187
predict session delete           yes      9         0          157
predict session update           yes      9         0          4
ARP update                       yes      1         0          36
ARP delete                       yes      1         0          0
MAC update                       yes      1         0          0
MAC delete                       yes      1         0          0
IPSec sequence number update     yes      3         0          0
ND update                        yes      1         0          0
ND delete                        yes      1         0          0
DoS Aggregate entry update       yes      1         0          0
DoS Class Tbl IP update          yes      1         0          0
DoS Class Tbl IP delete          yes      1         0          0
DoS Block Tbl IP update          yes      1         0          0
DoS Block Tbl IP delete          yes      1         0          0
A/A session setup                no       9         0          0
A/A session statistics           no       9         0          0
A/A packet forward using HA2     no       9         0          0
Return MAC Update                yes      1         0          0
Return MAC Delete                yes      1         0          0
V6 Return MAC Update             yes      1         0          0
V6 Return MAC Delete             yes      1         0          0
HA2 monitor message              yes      1         0          0
predict session modify           yes      9         0          0
--------------------------------------------------------------------------------
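The “since system up” counters above only prove that HA2 worked at some point; to prove it is working now you need two samples per peer and a comparison of the deltas. The following Python script is an added example, not code from the original post. It parses the table layout shown above (message name, enable, version, sent, received, with the name separated from the columns by at least two spaces), computes the per-message deltas between two samples, and reports every enabled message type that the active unit sent during the interval without the passive unit receiving anything. The samples are constructed: the first table per peer uses a subset of the values from the output above, the second one is the same output a little later.

```python
"""Verify HA2 session synchronisation from two samples per peer of
"show high-availability state-synchronization".
Added example, not from the original post."""
import re

# message name, enable (yes/no), version, sent, received
ROW = re.compile(r"^(.+?)\s{2,}(yes|no)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

# Constructed samples (subset of the rows from the post, then "a bit later").
ACTIVE_T0 = """\
message                          enable   version   sent       received
session setup                    yes      9         12291      0
session teardown                 yes      9         12727      0
session update                   yes      9         271340     0
predict session add              yes      9         523        0
ARP update                       yes      1         415        0
A/A session setup                no       9         0          0
"""
ACTIVE_T1 = """\
session setup                    yes      9         12310      0
session teardown                 yes      9         12741      0
session update                   yes      9         271900     0
predict session add              yes      9         525        0
ARP update                       yes      1         416        0
A/A session setup                no       9         0          0
"""
PASSIVE_T0 = """\
session setup                    yes      9         0          1429
session teardown                 yes      9         0          1719
session update                   yes      9         0          13495
predict session add              yes      9         0          187
ARP update                       yes      1         0          36
A/A session setup                no       9         0          0
"""
PASSIVE_T1 = """\
session setup                    yes      9         0          1448
session teardown                 yes      9         0          1733
session update                   yes      9         0          14055
predict session add              yes      9         0          189
ARP update                       yes      1         0          37
A/A session setup                no       9         0          0
"""


def parse_sync(text):
    """message -> (enabled, version, sent, received); header lines do not match."""
    table = {}
    for line in text.splitlines():
        if m := ROW.match(line):
            msg, en, ver, sent, recv = m.groups()
            table[msg.strip()] = (en == "yes", int(ver), int(sent), int(recv))
    return table


def progress(before, after):
    """Per message type: (sent delta, received delta) between two samples."""
    return {msg: (after[msg][2] - before[msg][2], after[msg][3] - before[msg][3])
            for msg in before if msg in after}


def check_sync(active_t0, active_t1, passive_t0, passive_t1):
    """Findings (empty list = healthy): enabled message types that the active
    unit sent during the interval while the passive unit received none."""
    sent = progress(parse_sync(active_t0), parse_sync(active_t1))
    received = progress(parse_sync(passive_t0), parse_sync(passive_t1))
    enabled = {m for m, (en, *_) in parse_sync(active_t0).items() if en}
    findings = []
    for msg in enabled:
        dsent, _ = sent.get(msg, (0, 0))
        _, drecv = received.get(msg, (0, 0))
        if dsent > 0 and drecv == 0:
            findings.append(f"{msg}: active sent {dsent}, passive received nothing")
    return sorted(findings)


if __name__ == "__main__":
    print("healthy pair:", check_sync(ACTIVE_T0, ACTIVE_T1, PASSIVE_T0, PASSIVE_T1) or "OK")
    print("stale passive:", check_sync(ACTIVE_T0, ACTIVE_T1, PASSIVE_T0, PASSIVE_T0))
```

Message types for which the active unit sent nothing during the interval (here “A/A …”, which is disabled anyway) are skipped rather than flagged, so a quiet firewall does not produce false alarms; take the two samples a minute or so apart while there is real traffic.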
Export/Import Files
To copy files from or to the Palo Alto firewall, scp or tftp can be used:
scp export log system to <username@host:path_to_destination_filename>
scp import software from <username@host:path>
tftp export configuration from running-config.xml to <tftp-host>
tftp import url-block-page from <tftp-host>
User-IDs and Groups
State of the LDAP server connections incl. the listing of all groups:
show user group-mapping state all
Group mapping and user-id agent refresh (=update) and reset (=delete and reload):
debug user-id refresh group-mapping all
debug user-id refresh user-id agent all
debug user-id reset group-mapping all
debug user-id reset user-id-agent all
Show the group memberships for a particular user:
show user user-IDs match-user <value>
Show the members of a particular group:
show user group name "AD\name-of-the-group"
IP to User mapping for all users or for a particular user. (The match value does not work with a backslash, so the username must be specified without the domain):
show user ip-user-mapping all
show user ip-user-mapping all | match <username>
User-ID cache clearance. Note that you must clear both, the dataplane AND the management plane (…-mp), to really delete an IP mapping. Since the MP pushes the mapping to the DP you should clear the MP first. More info here.
clear user-cache-mp all
clear user-cache-mp ip <ip>
clear user-cache all
clear user-cache ip <ip>
IP Addresses of FQDN Objects
When using objects with FQDNs, the current IP addresses are not shown in the GUI. The following command displays or refreshes them:

request system fqdn { show | refresh }
[UPDATE] On newer PAN-OS versions, you can set this in the GUI at Device -> Setup -> Services -> FQDN Refresh Time. [/UPDATE] To set the refresh timer to another value, use the following commands:

configure
set deviceconfig system fqdn-refresh-time <600-14399>
commit
To verify this setting you can “show” the configuration with pipe and match. If you are in the default cli config-output-format it looks like this:
weberjoh@pa# show | match fqdn-ref
fqdn-refresh-time 600;
[edit]
When you are in the “set” config-output-format, it looks like this:

weberjoh@pa# show | match fqdn-ref
set deviceconfig system fqdn-refresh-time 600
[edit]
Since in my case the FQDNs are refreshed every 600 s = 10 min, the corresponding job shows up every 10 minutes:

weberjoh@pa> show jobs all

Enqueued            Dequeued   ID  PositionInQ  Type         Status  Result  Completed
------------------------------------------------------------------------------------------------------------------------------------------
2017/02/22 09:55:35 09:55:35   185              FqdnRefresh  FIN     OK      09:55:37
2017/02/22 09:45:31 09:45:31   184              FqdnRefresh  FIN     OK      09:45:32
2017/02/22 09:35:28 09:35:28   183              FqdnRefresh  FIN     OK      09:35:31
2017/02/22 09:25:24 09:25:24   182              FqdnRefresh  FIN     OK      09:25:25
2017/02/22 09:15:21 09:15:21   181              FqdnRefresh  FIN     OK      09:15:21
IP Addresses of External Dynamic Lists
Similarly, the entries in an external dynamic (block) list can be viewed or refreshed with:
request system external-list show type {ip|name|url} name <name-of-the-list>
request system external-list refresh type {ip|name|url} name <name-of-the-list>
DNS Proxy
To verify the functionality of DNS proxy objects, at least two commands are useful. Both outputs should speak for themselves:
show dns-proxy statistics all
show dns-proxy cache all
PAN-DB URL Test & Cache
To show the category of a specific URL, use one of the following commands:
test url <fqdn>
test url-info-cloud <fqdn>
test url-info-host <fqdn>
To display the current URL cache from the PAN-DB, two steps are required. The first one is the creation of a logfile which contains all entries and the second one is to display this logfile:
show system setting url-cache all
less dp-log dp_url_DB.log
Fan Speed
Ok, this is not a troubleshooting command, but nevertheless very useful. It sets the fan speed to “auto” which immediately drops the noise of the fan, e.g. on a PA-200:
set system setting fan-mode auto
Defaults
Just for reference:
- Default Management Interface IP: 192.168.1.1
- Login: admin
- Password: admin
To change the static IP settings of the management interface via the console:
configure
set deviceconfig system ip-address 192.168.1.5 netmask 255.255.255.0 default-gateway 192.168.1.1 dns-setting servers primary 8.8.8.8
commit
Or to change it to a DHCP client (of the management interface), use this:
configure
set deviceconfig system type dhcp-client send-hostname yes send-client-id no accept-dhcp-domain no accept-dhcp-hostname no
commit

Then wait for a console message such as “DHCP: new ip 10.100.20.175 : mask 255.255.255.128”. Otherwise, you can show the management IP address via “show interface management”. If you later want to change back to a static IP address, you must not only use the set command above (for the IP address itself) but also change the type back to static: “set deviceconfig system type static”.
Perform a Factory Reset
In some cases, such as an RMA, you want to factory reset your device. You should perform the following steps for this:
1) Delete all saved configurations via
delete config saved ?
delete config saved <name-of-every-single-config>
2) Remove all logs and restore the default configuration with
request system private-data-reset
3) Perform the actual factory reset: reboot the device, enter the “maint” mode via a console cable, and select “Factory Reset”.
To perform a factory reset without direct access to the firewall via a console cable, you can use this procedure: “How to SSH into Maintenance Mode“.
Featured image “Wrench ratchet tool set” by Marco Verch is licensed under CC BY 2.0.
Hey I have one question, how can I disable or enable a static route using the CLI and not doing it on the GUI?
Hi. You must go into the configure mode (“configure”) and specify a command similar to this:
“set network virtual-router NAME-OF-THE-VR routing-table ip static-route NAME-OF-THE-ROUTE option no-install”. And don’t forget to “commit”. ;)
So is the command you list “set network virtual-router NAME-OF-THE-VR routing-table ip static-route NAME-OF-THE-ROUTE option no-install”… the CLI command one would use to delete a pre-existing route (once committed)? OR is there another command to run besides the one you mention ?
I listed the command to DISABLE an already installed route. The keyword here is the “no-install” at the end. So, once committed, the NAME-OF-THE-ROUTE route is disabled.
Ok, thanks. So what would the CLI command be to actually DELETE an already installed route ?
I have worked with many firewalls, but for some reason, the CLI command to do this on a Palo Alto eludes me. Is it because the deleting of a route is only done through the GUI? Thank you for your help
Great info. Thank you so much
Occam’s razor strikes again! replace the “set” with “delete”.. It does surprise me though that such a simple, and different from other platforms, way of deleting, removing, unsetting or no to a command is not readily documented or discovered through out the Web or Palo Alto.. Just say’n!… had to figure it out solo..
Yeah. I am also missing the RFC for structured CLI commands. ;)
Here are a few more commands that I need quite often.
Shows the status of individual or all group mappings.
Shows all users in a group.
Overview of all processes on the firewall.
View Dynamic Address Groups
The following command, which clones an existing template within Panorama, is extremely useful.
Hello all!
Does anyone know if trace and ping are available on Palo Alto GUI?
Thanks and regards,
Hi Oscar,
as far as I know, both of those tools are only available via the CLI.
Nice post! Great for us who are transitioning from Cisco.
Question: Is there an equivalent PA CLI command for “terminal length 0”?
Thank you
Thanks, Steve.
Yes, the command is: “set cli pager off”. I updated the section (Displaying the Config in Set Mode), thanks for the hint.
Johannes
It’s great to know the CLI commands.
Thanks
Hi all,
Is there any option or command to delete a particular single log, or the traffic or URL logs of a particular IP?
Thanks.
Like “show configuration | in "value"”: is there any command like this in Palo Alto to see a particular config?
For example: to see the configuration of IP “172.16.10.0/24” we use the command “show run | in 172.16.10.0” in Cisco, and it shows the configuration details. Please let me know the command in Palo Alto for the same.
Thanks
Vishnu
Hi Vishnu,
yeah, good question. I just updated the corresponding section in this post for you: “Displaying the Config in Set Mode”.
Note that you could use a similar command in the standard CLI view (not in the “configure” view):
“show config running | match 192.168.120.2”
However, this is not very useful since you only get single XML lines without any context around the lines.
Thanks Johannes.. !! :)
Use this
show running security-policy | match {\|destination{\|192.168.120.2
Hello Marcin,
Your CLI filter looks great. Do you have any document of it? I suppose the match filter support some level of regular expression?
I just realized the match command is actually the grep command.
The regular expression rule applies the same on match.
Thanks anyway.
Hello,
Is there any command or script to automatically schedule a backup of the Palo Alto firewall configuration?
Thanks.
On the Palo Alto, you don’t have this possibility. :(
But you can use the API to download a config file from the device. However, I currently don’t have such a script. But maybe someone else has?
It’s pretty simple. You need to use the XML API: https://live.paloaltonetworks.com/docs/DOC-1714
– create an API key with an admin user
– download the firewall config via REST (you can use a linux script with curl or wget and create a cronjob)
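One way to do what the comment above describes, as an added example that is not from the post or its commenters: a Python script that generates an API key and then exports the running configuration through the PAN-OS XML API. It uses the documented “type=keygen” and “type=export&category=configuration” requests; the host name, user and file names are placeholders, and the HTTP call is injectable so the flow can be exercised without a firewall.

```python
"""Unattended configuration backup through the PAN-OS XML API.
Added example, not from the post or its commenters. Assumes the documented
keygen (type=keygen) and export (type=export&category=configuration) calls."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def keygen_url(host, user, password):
    q = urllib.parse.urlencode({"type": "keygen", "user": user, "password": password})
    return f"https://{host}/api/?{q}"


def export_url(host, key):
    q = urllib.parse.urlencode({"type": "export", "category": "configuration", "key": key})
    return f"https://{host}/api/?{q}"


def parse_api_key(xml_text):
    """Extract the key from a keygen response, or raise with the firewall's message."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("keygen failed: " + (root.findtext(".//msg") or "no message"))
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response contains no key")
    return key


def check_config(xml_text):
    """Make sure we are about to store a PAN-OS config and not an error response."""
    root = ET.fromstring(xml_text)
    if root.tag != "config":
        raise RuntimeError(f"unexpected root element <{root.tag}>")
    return root.get("version")


def http_fetch(url):
    # TLS verification stays on: install a trusted management certificate
    # instead of disabling it, the API key travels in this request.
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()


def backup_config(host, user, password, fetch=http_fetch, stamp=None):
    """Return (file name, config XML, PAN-OS config version)."""
    key = parse_api_key(fetch(keygen_url(host, user, password)))
    config_xml = fetch(export_url(host, key))
    version = check_config(config_xml)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    return f"{host}-{stamp}.xml", config_xml, version


if __name__ == "__main__":
    import getpass
    import sys
    host, user = sys.argv[1], sys.argv[2]  # e.g. fw.example.net backup-admin
    name, body, version = backup_config(host, user, getpass.getpass())
    with open(name, "w") as f:
        f.write(body)
    print(f"saved {name} (config version {version})")
```

Run it from cron with a dedicated admin account that has a read-only role, since the exported file contains the whole configuration and the API key is as powerful as the account it was generated for; keep the key (or the password) out of the crontab and in a file readable only by the backup user.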
How do I configure a VLAN in Palo Alto? My ISP gave me the WAN IP and VLAN ID. They asked me to configure it on the interface where the ISP is connected. Could you help me? I need a sample configuration for Palo Alto. Kindly send it to my mail id: aravindramesh11@gmail.com
You should read the documentation ;-)
Correct answer. ;)
haha sure… but at least help first; maybe it’s urgent. Then later point to useful pages on the same.
What is the equivalent cli command on the Palo for the following Sidewinder command:
acat -ae '(srcip 192.168.1.1 dstip 192.168.2.2) and dstport 53'
Correction:
What is the equivalent cli command on the Palo for the following Sidewinder command:
acat -ae '(srcip 192.168.1.1 or dstip 192.168.2.2) and dstport 53'
Hi. Do you want to analyze traffic logs? Then this could help:
https://live.paloaltonetworks.com/docs/DOC-5704
–> show log traffic query equal “(( addr.src in 192.168.1.1 ) or ( addr.dst in 192.168.2.2 )) and ( port.dst eq 53 )”
Here is another link: http://lmgtfy.com/?q=palo+alto+show+log+traffic
;)
Hello,
Is there a command to see which policy rules processed the traffic? I have an SSL inbound decryption rule that does not decrypt my traffic. I want to see if the traffic is processed by that rule.
Thanks
Cid
If client and server negotiate DH-based cipher suites, then decryption is not possible. Also, there are certain RSA-based cipher suites which the PA is not going to decrypt. Check PA’s documents for the list of RSA ciphers which the PA is not going to decrypt.
Take packet captures on the client machine, and if you see DH-based cipher suites negotiated by the server in the server hello, then force the server to negotiate RSA-based cipher suites.
Otherwise, I don’t see any reason for a decryption failure, if your decryption policy covers the traffic of interest.
Jugnu
Hello,
is there a command to find out if an object with IP a.b.c.d exist?
And a command to find out if an object named “whatever” is included in any object group?
Thanks.
Why don’t you use the GUI for these requests? Simply type in the IP address or name or whatever in the search field. ;)
However, if you want to use the CLI: set the output format to “set” with “set cli config-output-format set”, go into the configure mode with “configure” and grep for the IP address or whatever with “show | match 192.168.0.1”.
I’ll try.
Thanks.
I can’t see how to search in the output of the show command. I don’t think you can place a pipe after “show”, with or without a space.
Maybe if I could execute two commands in one line, I could launch the commands from a host and “grep” the output.
Something like:
$ ssh user@fw “set cli config-output-format set ; configure ; show address-group” | grep 1.2.3.4
Do you think it is possible?
I only have to do such a thing, say, once a week, so I would like to have some scripts to find just that type of information with a command.
Thanks for your help.
Yes, you can pipe after a simple “show”. Here is my output. First I searched for an IPv4 address, then for the name to reveal the group:
weberjoh@fd-wv-fw02# show | match 172.16.1.1
set address h_fd-wv-fw01_trust ip-netmask 172.16.1.1
[edit]
weberjoh@fd-wv-fw02# show | match h_fd-wv-fw01_trust
set address-group g_h_RouterFirewalls static [ h_fd-wv-fw01_trust h_fd-wv-fw01_trust_v6 h_fd-wv-fw01_untrust h_fd-wv-fw01_untrust_v6 h_fd-wv-fw02_untrust h_fd-wv-fw02_untrust_v6 h_fd-wv-fw03_outside h_fd-wv-fw03_outside_v6 h_fd-wv-ro01_inside h_fd-wv-ro01_inside_v6 h_fd-wv-ro02_outside h_fd-wv-ro02_outside_v6 h_fd-wv-ro03_outside h_fd-wv-ro03_outside_v6 ]
set address h_fd-wv-fw01_trust ip-netmask 172.16.1.1
[edit]
weberjoh@fd-wv-fw02#
I do not know whether you can call ssh with several commands behind it. I have not used such techniques until now.
My output:
antonio@fwpa1-con(active)> set cli config-output-format set
antonio@fwpa1-con(active)> set cli pager off
antonio@fwpa1-con(active)> configure
Entering configuration mode
[edit]
antonio@fwpa1-con(active)# show | match 10.229.32.8
Invalid syntax.
[edit]
antonio@fwpa1-con(active)#
Maybe it’s the version of PAN-OS.
I’ll try some variety of expect.
Thanks.
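An alternative to the interactive “show | match” for the two questions above (which address object carries a given IP, and which address-group contains a given object), added here as an example that is not from the post or from these comments: query the configuration through the XML API with `type=config&action=get` (candidate config; `action=show` reads the running config) and an XPath. The XPath prefix with `localhost.localdomain` and `vsys1` is the PAN-OS default and may differ on a multi-vsys box; PAN_HOST, PAN_CA and PAN_KEY are assumed environment variables, and the API key must belong to an admin with at least read access to the configuration.

```shell
#!/bin/sh
# Added example (not from the blog post): look up address objects and address-groups
# via the PAN-OS XML API instead of an interactive CLI session.
# Assumed environment: PAN_HOST (mgmt address), PAN_CA (CA bundle for TLS verification),
# PAN_KEY (API key of a read-only admin).

# Default device/vsys prefix; adjust on multi-vsys systems.
VSYS_XPATH="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"

# XPath for address objects whose ip-netmask is exactly $1.
# Exact match: an object stored as "10.0.0.1/32" is not found by "10.0.0.1", so try both.
xpath_addr_by_ip() {
    printf "%s/address/entry[ip-netmask='%s']" "$VSYS_XPATH" "$1"
}

# XPath for static address-groups that list $1 as a member.
xpath_groups_with_member() {
    printf "%s/address-group/entry[static/member='%s']" "$VSYS_XPATH" "$1"
}

# Extract the entry names from an API reply, one per line. Splitting on '>' puts
# every <entry name="..."> opening tag on its own line before the sed runs.
entry_names() {
    printf '%s' "$1" | tr '>' '\n' | sed -n 's/.*<entry name="\([^"]*\)".*/\1/p'
}

# Config "get" for one XPath. The key travels in a header, not in the URL,
# so it does not show up in proxy or web-server logs. --get appends the
# url-encoded parameters to the query string.
pan_config_get() {
    curl -sS --cacert "$PAN_CA" -H "X-PAN-KEY: $PAN_KEY" \
        --get --data-urlencode 'type=config' --data-urlencode 'action=get' \
        --data-urlencode "xpath=$1" "https://$PAN_HOST/api/"
}

# Which address object(s) have IP $1?
find_addr_by_ip() {
    entry_names "$(pan_config_get "$(xpath_addr_by_ip "$1")")"
}

# Which static address-group(s) contain object $1?
find_groups_with_member() {
    entry_names "$(pan_config_get "$(xpath_groups_with_member "$1")")"
}

# Usage against a reachable firewall (names taken from the comment above):
#   find_addr_by_ip 172.16.1.1
#   find_groups_with_member h_fd-wv-fw01_trust
```

Run from a management host, this replaces the ssh-plus-grep idea from the question: the device does the filtering and the script only parses the reply, so no interactive configure mode is needed.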
Another great job, like the VPN one. :)
Dear Johannes Weber,
I am new to this firewall. Kindly give suggestions on how to gain good knowledge of this firewall. Kindly provide useful links/URLs.
Does anyone know which mp-log (or other) will show BGP debug info?
Would it not be mp-log routed.log? Since BGP is routing.
Great blog.
A few queries. Maybe it’s covered in the thread, but it would still be very helpful if someone responds:
# In CLI mode, how do I check the routing for one of the destinations, so that I can see the interface from which it goes out and finally the zone bound to that interface?
This is very basic for creating a policy in GUI mode.
CLI command to test filter, policy, vpn, route, nat, …:
type ‘test ?’ and pick an option
What is the CLI command to configure SNMP server ?
Google is your friend. ;) And the Palo Alto CLI Ref.
Ok, here we go:
configure
set deviceconfig system snmp-setting access-setting version v2c snmp-community-string foobar
commit
I have AWS VPN, I would like to upload AWS VPN configuration file to palo alto using any commands lines or API call. Would it possible to do that. If yes could you please provide the details here.
Thank you
Puh, that should work, but it’s not that easy.
Have a look at the Palo Alto CLI Reference. You’ll find some commands for, e.g.,:
set network ike …
Is AWS giving you a VPN template for Palo Alto? Or do you want to build it yourself? Maybe you can create a ticket at Palo Alto Support to solve that?
Thanks for this post! You write very well.
One of our clients is using the Palo Alto PA-3050 model. They have a 50 Mbps Vodafone leased line; it’s working fine when we connect directly to the router, but if we connect through our firewall then the upload speed only comes up to 2 Mbps.
Please help me to resolve this.
Hey, how many silence features have you activated on the device and what bandwidth license do you have on the device? Have they implemented any QoS on the device?
Hello
I want to check which route is matching for some host IP like 10.155.7.33. When I run the command “show routing route destination 10.155.7.33/32” it shows nothing, although I have the matching route 10.115.7.0/24 in the routing table. If it does not match, it should show the 0/0 default route.
Hi,
yes, you are displaying only the mere routing table and not an “intelligent query”. Please try:
“test routing fib-lookup virtual-router default ip 10.155.7.33”
This will show you the exit interface and the next-hop of the route.
You are the man!
Superb..very useful. thanks for the good work!
Hi,
Can someone let me know what’s a good way (if there is one) to check what debugs were configured? If someone failed to turn them off and CPU spikes happen, there should be a nice way to turn those off after seeing what set them on.
I was told it is virtually impossible to see the active debugs and there is no ‘undebug all” cisco-fashion command on PA I suppose.
How do I delete/uninstall all the processes related to Palo Alto GlobalProtect using the command line? I think the command is set clean palo….. Not sure what exactly it is. Could you please provide me the command?
Regards,
Farhan
Hi Farhan,
I do not know what exactly you are searching for. Please use the “find” command to lookup all global-protect commands on the CLI:
find command keyword global-protect
If you want to change something on the configuration, enter the configuration mode with “configure” and display all global-protect configs with:
show global-protect
All commands are then under the following structure:
set global-protect …
However, it will be MUCH easier for you to do that within the GUI!
Cheers,
Johannes
Hi All,
Can anyone tell me what this dg-id is when configuring a device group from the Panorama CLI?
Please find the below command.
set device-group GNDC-GW-3050-Group external-list
set device-group GNDC-GW-3050-Group pre-rulebase security rules
set readonly dg-meta-data dginfo GNDC-GW-3050-Group dg-id 31
set readonly dg-meta-data dginfo GNDC-GW-3050-Group parent-dg All-Perimeter-FW
Regards
ANANDHU
Sorry Anandhu, I have no idea. (But I can verify that I have the same commands in my Panorama, too.) Have never used them so far.
Please open a ticket @PAN and tell us later on what it is for. ;)
The same has been done, but the problem is that even TAC is not able to answer this query.
Hi all,
If my Panorama is restarted or shut down, could I find the reason for that?
Is there any CLI command?
Hey Swapnil,
it is quite abnormal that panorama reboots by itself. You should open a support case @ PAN.
Anyway, you can use the “less ?” command on the CLI to display many different logs such as “less mp-log sysd.log”.
Or you can try to use scp to export certain logs such as “scp export core-file management-plane from crashinfo to user@host:path”.
Cheers,
Johannes
Hi, nice job. This is really useful for day-to-day work. I have a little issue, I hope you could help me: I want to get the names of all vsys with a command, not by pressing ‘tab’ or ‘?’ as in the next sentence: “set system setting target-vsys “. Is there some command to get this info?
Regards,
Mike
Wuah, good question Mike. I don’t know. ;( Google brought me to this doc from PAN, which you know already: https://www.paloaltonetworks.com/documentation/80/pan-os/cli-gsg/cli-cheat-sheets/cli-cheat-sheet-vsys
Hello,
gradient post you made, very useful
I do not speak English, I rely on Google Translate :(((
I need to set up an “alarm” to notify me when it reaches 80% of my ISP’s bandwidth.
Do you know any way to do this?
Uh, I am sorry, but I don’t know if this is possible at all.
To my mind you must use SNMP with some third party tools to generate an alarm.
Hi, we are from a Cisco ASA background and are facing difficulty while troubleshooting communication issues. Please help: can we test application reachability from the PA by doing telnet to a destination server on defined ports (telnet 10.10.10.10 443) or ping tcp 10.10.10.10 443?
Hi Sameer,
since Palo Alto recognizes the application rather than the port you won’t be able to “telnet x.y.z.t 443”. Palo will recognize this as “telnet on port 443” rather than “ssl on 443”. Hence, you really must test the *real* application you allowed/blocked within your policies.
(If you are facing network issues you can additionally allow “telnet” on port “any” and give it a try. But you should delete this after your tests.)
Or you simply allow ping/icmp/traceroute to test the underlying network infrastructure.
Cheers,
Johannes
Thank you for your reply. My requirement is to test application availability from firewall. We don’t have access to servers and we get tickets saying application is inaccessible. Server default gateway is hosted on Palo Alto and we need to check whether server is responding on desired ports. Ports are different from 443 and I mentioned 443 as an example
I don’t know how to test something like this *from* the firewall itself. This won’t really solve your problem since it would only be a test and not your real scenario.
Check the following:
– Look at your Traffic Log. You must see incoming connections according to your tickets. Are the sessions allowed or blocked? Which application is detected? Maybe you have to look at the “default deny” rule to see which application the Palo Alto detects. (Note that the default deny rule has logging DISabled by default. You must override it to enable logging.)
– Check the “Bytes sent / Bytes received” on the Traffic Log. If only bytes are sent but NOT received, then your server isn’t answering.
– Check the ARP cache (IPv4) or Neighbor cache (IPv6): Is the server really on the correct subnet/vlan?
Hello Mr. Weber, I hope you see my comment on this old post. I have a question: What does “Bytes sent/Bytes received” mean in the ACC screen of the Palo Alto firewall? I mean, if 500MB of packets are sent from a source device and go through a firewall, and get permitted to reach the destination, then the firewall should not see the packets as “sent” or “received”; the firewall just “processes” the packets regardless of the direction, I suppose. Does it have to do with trust and untrust zones (traffic coming from trust is “sent”, for example), or does it have to do with some flags such as TCP syn, syn/ack and ack? Thank you!
Hey Takumi.
Yo, this is quite a good question. Indeed the firewall never receives or sends packets directly to/from itself, but rather processes packets. (Ok, there are exceptions such as management access via ping, ssh, https to a data interface or IPsec traffic to the WAN interface or OSPF to an internal interface.)
However, all the “sent/received” values are based on the source -> destination connection aka client -> server. That is: for both, UDP and TCP, the client always establishes the connection to the server. For TCP, the client sends the very first TCP SYN packet. –> That is: the “sent/received” is ALWAYS from the clients perspective!
To give an example: An SSH connection is made from a client to a server. The IP address from the client is the source, while the IP address from the server is the destination. If this SSH connection is used by SCP in which the client uploads a 1 GB file to the server, this 1 GB is listed as “sent”. If in another session the same client downloads a 1 GB file from the server, the “source” and “destination” IP addresses are still the same (since the same client has started the session), while this 1 GB is counted as “received”.
Thank you very much Mr. Weber for your reply and my sincere apology for taking forever to thank you here! I just found out you made a post out of my comment. I’ll brag it to my colleagues, cheers!
You’re very welcome!
Hi – I would like to know if it’s possible to make the standby unit active via CLI from the standby firewall? My firewall is running sw-version 7.1.8 and has no option to run CLI commands against the peer.
I have a situation where the active firewall is on high CPU, not allowing access via GUI nor SSH.
Uh, good question. I do not know anything like that. The only option I know is to click the “suspend” button in the GUI on the active unit. (And of course you can power off the active device ;))
Under High-availability/ Election Settings/ Device priority you could try and give the passive fw a higher number than the currently active fw. I believe that should elect the passive to become the active.
Hello. Do you know of a way to verify a Path Monitor BEFORE it is enabled on a static route? For example, if this were Cisco, I could check the status of the track before applying it to a static route. Thanks.
Uh, that’s a good point. I don’t know. I cannot find a way to prove that when the monitor is enabled.
However, you can use two workarounds:
1) Configure two path monitor destinations for your route, one that succeeds and the other one that you want to test. When you set the failure condition to “all” then your route will stay active since the first destination still works.
2) Configure a dummy route entry with the path monitor you want to test.
To verify the path monitoring from the CLI use the following command:
show routing path-monitor
Very nice document for t-shooting.
Hi Joha,
I have a PA-500 box. While committing the config it stops at 90%. On my primary t-shoot I got to know that the User-ID daemon was stuck at 70%, which is causing the issue. In order to resolve the issue we have to restart the daemon, and I have the CLI command as well. My question is: {Is there any impact on my network while running the command, or do we require a downtime to do this?}
Hi SWOPNENDU.
At first: I am not quite sure! Please consider opening a ticket at Palo Alto Networks. They should help you.
However, to my mind, a restart of the User-ID should not affect your network, but *might* affect your User-IP-Mappings for a certain amount of time. BUT: I am not sure that this single restart will completely help you. Maybe this is just the first problem you have. I am having lots of problems with my PA-200 during the last few months. In many cases a complete reboot was the only solution. ;(
Hello,
Some recommended practice for creating custom applications.
I’m about to migrate to a data center and I see that this is my biggest problem.
regards.
Thanks for the reply. Let me check with TAC.
These are very useful commands; I didn’t know some of them. Now I have learned a lot after seeing this blog.
Hi,
Excellent work, thank you.
Is there any way to find out which NAT rule is applied to a specific connection? Either CLI or GUI.
Regards,
Ben
Hey Ben. This is a very good question. AFAIK this cannot be done. ;( I was searching for a similar solution when I wanted to know which security profiles were used by some connections. I ended up looking at the security policies to find the appropriate security profiles. (But this doesn’t help you at all.)
My PA-200 firewall has rebooted and I need to know if it was a soft or hard reboot…
Any CLI command for that…
Hi, could you tell me what the “show inventory” cli in Palo Alto is?
Hey Pablo.
What are you searching for? The serial number? Then it’s “show system info”.
Cheers
Johannes
I have a PA-500 still in the 7.x code. I recently did a reboot, and it took a while but finally completed the reboot and started functioning, passing traffic, etc. This was in preparation to do a code upgrade to latest version of 7.x and then up to the latest 8.x code. Since then, I’ve not been able to access it via Web interface. It shows the TLS Handshake, and then just sits there until it times out. I want to console into it, but don’t know any CLI commands for troubleshooting the web interface. Before anyone asks, I’ve rebooted it again (by physically powering it off and back on again) and still the same results. It’s still passing traffic, sending logs to the SIEM, and still reporting status via SNMP in Solarwinds, but still cannot access the web interface. Any help would be appreciated.
Hi Norman,
I’m sorry, but I have no idea. According to the Hardware End-of-Life Dates (https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates) you should be able to use PAN-OS 8.1. Hence you should open a TAC case at PAN.
Johannes
Is there a set of CLI commands that I can use to restart the web interface?
Hi Norman,
you can always use the “find command keyword BLABLABLA” command to find appropriate commands. E.g., I just did a “find command keyword restart” and came to this one:
debug software restart process <crypto|dhcp|device-server|ikemgr|keymgr|management-server|web-server|web-backend|l3-service|sslvpn-web-server|rasmgr|log-receiver|routed|user-id|vardata-receiver|pppoe|satd|sslmgr|dnsproxy|l2ctrl|ntp|authd|snmpd|cord|pan-comm|ifmgr> core <yes>
Hence you can try “debug software restart process web-backend” or “… web-server”.
Cheers
Johannes
Damn useful…thank you very much!!
You can also do #show jobs all to see if there are any pending stuff like auto-commit
You can also do #debug software restart process management-server
So I gots me a PA-220! However, I cannot for the life of me get it to upgrade from 8.0.3.
It appears I have successfully imported 8.0.3-h4, but when I [ request system software install version xxxxxx ] it tells me it doesn’t exist.
Then I try to run [ scp import file ] and it tells me it already exists!
P3rplExinG!
Same thing trying to upload content —- arggghhh, I hate being a newbie!!!
admin@PA-220> scp import software from rpfutrell@192.168.1.9:/Users/rpfutrell/Downloads/panupv2-all-contents-8278-6109
rpfutrell@192.168.1.9’s password:
panupv2-all-contents-8278-6109 100% 51MB 12.7MB/s 00:04
panupv2-all-contents-8278-6109 saved
admin@PA-220> request system software install version panupv2-all-contents-8278-6109
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)
Server error : version panupv2-all-contents-8278-6109 not downloaded/uploaded
admin@PA-220>
Hey fieldmonkey,
well, I have never done any installation via the CLI in all those years. ;) Just some quick notes:
– You always need the “zero” version in order to install any update. For example, you need to download the 8.1.0 image in order to install 8.1.x.
– Every PAN-OS requires at least version xy from the content package. To my mind this is specified in the release notes.
– You can only upgrade to major version by major version. That is: No jump from 7.0 to 9.0 directly, or the like.
– My recommendation: factory reset, login to the GUI, “Check Now” at the software, upgrade to the latest displayed version, install, reboot, check now again, and so on.
Cheers
Johannes
lovely dissection. Great job!
What is the command to know which switch or device is connected to the Palo Alto firewall?
You have to use LLDP for this. Have a look: https://weberblog.net/palo-alto-lldp-neighbors/
Hi John,
First, thanks for the post. Could the VPN client be blocked from copy-pasting from the corporate network? Also, can we stop network folders like NAS sharing?
Hi John,
Have we got any options here so that VPN clients stop copying files from the corporate network to their own machines? Maybe an out-of-the-box solution.
Hey Sam. You’re talking about a DLP solution, aren’t you? Well, that’s a WHOLE new topic at all and not easy to solve.
What Palo can do out of the box is to block file transfers such as NFS, CIFS, SMB, whatever. But this won’t solve your problem. Consider file transfers over an RDP session, and so on.
Hi,
HSRP is used by Cisco, NSRP is used by Juniper, so what HA protocol does Palo Alto use?
Palo does NOT use the concept of a first-hop redundancy protocol (which is in short: both routers are actively participating in the network, building their own routing tables, and negotiating the primary/secondary role for every single layer 3 virtual IP address)
BUT: Palo uses the concept of high availability for the WHOLE box. That is: using two same appliances you are forming an active/passive cluster. Only one unit is active and does all the network stuff, while the other one is completely passive and not participating in any network protocols. In case of a failure, the cluster swaps the active/passive roles. The formerly passive appliance takes the active role and continues with all protocols and currently active sessions, VPNs, etc.
Hi
Useful commands, thanks!
Did you already deploy VM-series in Azure via Orchestration mode?
I have a connection issue between firewalls and Panorama. See the post in PA https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/vm-series-firewall-and-panorama-connection/m-p/475598/highlight/true#M1517
Is there any command in Panorama to check the number of policy rules configured on my managed device? Say I have 500 rules and just want to see in the CLI, by a command, an output which just shows me 500 (total count of rules).
Hey Mayank. I’m not aware of any command for this. Of course, you can have a look at the GUI in the upper right when you’re at the Policies tab. This will show you the number of rules within the Pre Rules or Post Rules or Default Rules.
Error: Failed to get vsys config, already allocated (2097152 bytes)
failed to handle CONFIG_UPDATE_START
Getting this error on auto-commit after a restart of the firewall.
Can someone tell me how to resolve this?
Uh, I haven’t seen this one. What is TAC saying about this? Have you already opened a support ticket at PAN?
Yes, TAC has been investigating the issue for the last 6 hours, but they still haven’t found anything.
Due to this the dataplane is not coming up. We are using software version 10.0.8-h8.
Now we have resolved this issue. It was caused by EDLs; due to this the policy cache limit was exceeded and it threw this error CONFIG_UPDATE_START for any type of commit.
We disabled the EDL rules in Panorama, then the commit and push were successful.