show ntp
show session info //packet rate, number of sessions, fastpath active, etc.
show system state filter-pretty sys.sXXX.pYYY.phy
Sample output with one non-functional and one functional SFP in port ethernet1/19:
Find
Since PAN-OS 6.0, the “find” command helps you search for the needed command in case
you do not know the whole set of commands. With “find command”, all possible
commands are displayed. With “find command keyword xyz”, all commands containing
“xyz” are shown.
find command
ping host 8.8.8.8
Note that this ping request is issued from the management interface! To use a data
interface as the source, the option source can be used. To use IPv6, the option is inet6
yes. For example:
ping inet6 yes source 2003:51:6012:120::1 host 2a00:1450:4008:800::1017
traceroute host 8.8.8.8
The option source can be used to specify the outgoing interface. However, for IPv6, the option
differs from the ping command: ipv6 yes.
To resolve DNS names, e.g., to test the DNS server that is configured on the
management interface, simply ping a name:
ping host ip.webernetz.net
Routing
(For a “show” of the routing table refer to the “Standard Show Commands” above.)
Debugging dynamic routing protocols works like this:
debug routing pcap <routing-protocol> on
debug routing pcap show
debug routing pcap <routing-protocol> view
tail follow yes mp-log routed.log
Test
The Palo offers some great test commands, e.g., for testing a route-lookup, a VPN
connection, or a security policy match. Use the question mark to find out more about
the test commands. Here are some useful examples:
test vpn ipsec-sa tunnel <value>
test security-policy-match ?
test security-policy-match from trans-internet to pa-trust-server source 192.168.86.5 destination 192.168.120.2 protocol
less mp-log ?
less mp-log dnsproxyd.log
tail follow yes mp-log dhcpd.log
tcpdump snaplen 0 filter "port 53"
view-pcap follow yes mgmt-pcap mgmt.pcap
ping host webernetz.net
Later on, the pcap file can be moved to another computer with the following command:
scp export mgmt-pcap from mgmt.pcap to <username@host:path>
tftp export mgmt-pcap from mgmt.pcap to <host>
debug dataplane packet-diag show setting
view-pcap follow yes filter-pcap
And for a really detailed analysis, the counters for these filtered packets can be viewed.
This reveals exactly how many packets took which path through the firewall, and so on. With the “delta
yes” option, only the counter values since the last execution of this command are
shown. The “packet-filter yes” option uses the packet filter from the GUI (Monitor ->
Packet Capture) to filter the counters:
show counter global filter packet-filter yes delta yes
For example, here are the delta counters after a few DNS lookups:
Or, even more interesting, filtered on “drop” severity. (Note the drop reasons on the right-hand side):
set system setting additional-threat-log on
show session all filter application dns destination 8.8.8.8
show session all filter from trust to untrust application ssl state active
show session info
Watch out for the “Hardware session offloading” line. If it is “true” you might want to
disable the fastpath during troubleshooting (inside the config mode):
set deviceconfig setting session offload no //= persistent, even after reboot. CAUTION!
To see whether there are some “predict” sessions in which the Palo Alto uses an ALG
(application layer gateway) to predict dynamic ports (e.g., SIP, active FTP), use this
command:
show session all filter type predict
clear session id <value>
show session id <id>
Alternatively, the traffic log on the CLI can display the session tracker when used with
the option “show-tracker equal yes” such as:
show log traffic show-tracker equal yes direction equal backward
show log traffic show-tracker equal yes direction equal backward app equal ipv6-icmp from equal pa-ripe-atlas
VPN Issues
The general show commands for VPN sessions are:
show vpn flow name <value>
show counter global filter delta yes | match ipsec
And for a detailed debugging of IKE, enable the debug (without any further options):
debug ike pcap on
view-pcap follow yes debug-pcap ikemgr.pcap
debug ike pcap off
The complete ikemgr.pcap can be downloaded from the Palo with scp or tftp, e.g.:
scp export debug-pcap from ikemgr.pcap to <username@host:path>
To clear or to initiate an IPsec connection use the following commands for either
phase 1 (IKE) or phase 2 (IPsec):
clear vpn ipsec-sa tunnel <value>
test vpn ike-sa gateway <value>
GlobalProtect
Current users and flow:
show global-protect-gateway current-user
show global-protect-gateway flow
set cli config-output-format set
Now, enter the configure mode and type show. This reveals the complete configuration
as “set …” commands. Here is a sample output of a particular show command:
set network interface ethernet ethernet1/1 layer3 ip 172.16.1.2/24
set network interface ethernet ethernet1/1 layer3 untagged-sub-interface no
set network interface ethernet ethernet1/1 layer3 interface-management-profile ping
The pipe (|) can be used to grep certain values with the “match” keyword, such as:
set deviceconfig system ip-address 192.168.120.2
To show the complete config without breaks (which is “terminal length 0” on Cisco
devices), the following command can be used (BEFORE the configure mode is entered):
set cli pager off
set cli terminal width 500
High Availability
Some show commands for the HA:
show high-availability ?
show high-availability state
show high-availability link-monitoring
show high-availability path-monitoring
The following request can be used to trigger an HA failover, either for the local device or
the “peer” device:
To verify the session synchronization (HA2), you can either use “show high-availability
state-synchronization” as shown above on both devices (to verify that “sent” is
increasing on the active unit while “received” is increasing on the passive unit) or you can
check in the session browser of the passive device whether it shows the same number of
sessions as the active device.
Following is a demo output of the “state-synchronization” from both devices in a cluster:
Export/Import Files
To copy files from or to the Palo Alto firewall, scp or tftp can be used. Both commands
have the same structure with “export … to” or “import … from”, e.g.:
scp import software from <username@host:path>
show user group-mapping state all
Group mapping and user-id agent refresh (=update) and reset (=delete and reload):
show user group name "AD\name-of-the-group"
IP to User mapping for all users or for a particular user. (The match value does not work
with a backslash, so the username must be specified without the domain):
User-ID cache clearance. Note that you must clear both the dataplane AND the
management plane (…-mp) to really delete an IP mapping. Since the MP pushes the
mapping to the DP, you should clear the MP first.
clear user-cache-mp ip <ip>
clear user-cache all
request system fqdn { show | refresh }
To set the refresh timer to another value, use the following commands:
configure
set deviceconfig system fqdn-refresh-time <600-14399>
commit
To verify this setting you can “show” the configuration with pipe and match. If you are in
the default cli config-output-format it looks like this:
[edit]
set deviceconfig system fqdn-refresh-time 600
[edit]
Now, as in my case I am updating the FQDNs every 600 s = 10 m, I can see the
appropriate job every 10 minutes:
weberjoh@pa> show jobs all
Enqueued Dequeued ID PositionInQ Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------------------
show system setting url-database
test url <fqdn>
To display the current URL cache from the PAN-DB, two steps are required. The first one
is the creation of a logfile which contains all entries and the second one is to display this
logfile:
Fan Speed
Ok, this is not a troubleshooting command, but nevertheless very useful. It sets the fan
speed to “auto” which immediately drops the noise of the fan, e.g. on a PA-200:
set system setting fan-mode auto
Defaults
Just for reference:
Default Management Interface IP: 192.168.1.1
Login: admin
Password: admin
To change the static IP settings of the management interface via the console:
configure
set deviceconfig system ip-address 192.168.1.5 netmask 255.255.255.0 default-gateway 192.168.1.1 dns-setting servers primary 8.8.8.8
commit
configure
set deviceconfig system type dhcp-client send-hostname yes send-client-id no accept-dhcp-domain no accept-dhcp-hostname no
commit
Then wait for a console message such as “DHCP: new ip 10.100.20.175 : mask 255.255.255.128”.
Otherwise you can show the management IP address via “show interface management”. If you
later want to change back to a static IP address, you must not only use the set
command above (for the mere IP address) but also change the type back to
static: set deviceconfig system type static.
To perform a factory reset without direct access to the firewall via a console cable,
you can use this procedure.
COMMAND // DESCRIPTION
General System Health
show system info //Shows the system’s management IP, serial #, and code version
show jobs processed //Shows when commits, downloads, upgrades are completed
show system disk-space //Shows percent usage of disk partitions
show system logdb-quota //Shows the maximum log file sizes
show system software status //Shows running processes
Monitor CPUs
show system resources //Shows processes running in the Management Plane
show running resource-monitor //Shows the resource utilization in the Dataplane
Dropped Packet Troubleshooting
ping source <ip> host <ip> //Ping from a specified device source interface to a destination IP
ping host <ip> //Ping from the management interface
show session all filter source <ip> destination <ip> //Shows specific sessions in the session table for source and destination IPs
show session info //Shows usage, pps rates, etc.
show session id <id> //Shows session details by entering the session ID number
Packet Filters and Capture - WARNING: Running debug commands on a production device may cause instability or other undesirable results!
debug dataplane packet-diag clear all //Clear/delete settings and files previously created
debug dataplane packet-diag clear log log
delete debug-filter file * //Removes all packet capture files
debug dataplane packet-diag set filter match source x.x.x.x destination y.y.y.y destination-port <port> //Sets the filter with the source IP, destination IP and port to capture packets from/to (both directions)
debug dataplane packet-diag set filter match source y.y.y.y destination x.x.x.x destination-port <port>
debug dataplane packet-diag set filter on
debug dataplane packet-diag set capture stage receive file pantacrx.pcap //Configures the different capture stages to be executed
debug dataplane packet-diag set capture stage transmit file pantactx.pcap
debug dataplane packet-diag set capture stage drop file pantacdrop.pcap
debug dataplane packet-diag set capture stage firewall file pantacfw.pcap
debug dataplane packet-diag set capture on
debug dataplane packet-diag show setting //Verifies that the packet filters are set up correctly
show counter global filter delta yes packet-filter yes //While the test is running, run this command 2-3 times to verify that filtered traffic is being captured
debug dataplane packet-diag set capture off //Turns off packet capture and filter
tcpdump filter "src net <net>" //Captures a PCAP on the management interface
tcpdump snaplen 1500 filter "src net <net>"
view-pcap mgmt-pcap mgmt.pcap
Packet Flow Logs - WARNING: Always set specific packet filters to minimize CPU usage. See the Packet Filters and Capture commands above.
debug dataplane packet-diag set log feature flow basic //Sets the packet-diag log to capture flow basic
debug dataplane packet-diag set log on //Turns on the packet-diag log
debug dataplane packet-diag set log off //Capture traffic, then immediately disable the packet-diag log
debug dataplane packet-diag aggregate-logs //Aggregates packet-diag logs into a single file. After disabling the packet-diag log, wait 1-2 minutes before running this command
less dp-log pan_packet_diag.log //View packet-diag log output. Note: PA-5000 series writes to individual dp0-log, dp1-log or dp2-log
Log/Forward Device Issues
debug log-receiver statistics //Shows the log statistics, like logging incoming rate, log written rate, corrupted packets and logs discarded due to a full queue
less mp-log logrcvr.log //Shows debug logging issues on the device
debug software restart log-receiver //Restarts the log-receiver process
Log Viewing/Deleting
show log [system | traffic | threat] direction equal [forward | backward] //Goes to the beginning/end of a log. Note: Arguments shown with square brackets [] and pipe | symbols mean choose one of the arguments listed
Monitor Management or Device Server
show system resources follow
tail follow yes mp-log ms.log //Shows management server messages for commit failures, updates, licenses, link status, policy details, etc.
tail follow yes mp-log devsrv.log //Shows device server messages for commit failures, updates, licenses, link status, policy details, etc.
Authentication Logs
less mp-log authd.log //Shows the detailed authentication logs on the device
NAT
show running nat-policy //Shows the current NAT policy table
show running ippool //Shows NAT pool utilization
show running global-ippool
Routing
show routing route //Shows the routing table
Policies
show running security-policy //Shows the current policy set
User-ID Agent
show user user-id-agent state all //Shows the agent’s status. Status should be connected OK and there should be numbers shown under users, groups, and IPs
show user user-id-agent statistics
show user user-ids //Shows the user IDs
show user group-mapping state all //Shows the groups pulled from the User-ID Agent
show user group-mapping statistics
show user group list
show user group name <group>
show user ip-user-mapping all //Shows IP to username mappings
clear user-cache all //Clears the User-ID cache
clear user-cache ip <ip>
BrightCloud URL Filtering
test url <url> //Tests categorization of a URL on the device
tail follow yes mp-log pan_bc_download.log //Shows the BrightCloud database update logs
debug dataplane show url-cache statistics //Shows statistics on the URL cache
clear url-cache url <url> //Clears the URL cache for a site
show log url direction equal backward //Shows the URL log, most recent entries first. Note: the cache contains 100k of the most popular URLs on the network
ping host service.brightcloud.com //Tests connectivity to the BrightCloud servers
PAN-DB URL Filtering
show url-cloud status //Checks the URL cloud status
debug dataplane test url-resolve-path <url> //Tests categorization of a URL on the Dataplane cache
test url-info-host <url> //Tests categorization of a URL on the Management Plane cache
test url-info-cloud <url> //Tests categorization of a URL in the Cloud
clear url-cache url <url> //Clears URLs from the Dataplane cache
delete url-database url <url> //Clears URLs from the Management Plane cache
show running url-cache statistics //Shows statistics on the URL Dataplane cache
debug device-server pan-url-db show-stats //Shows statistics on the URL Management Plane cache
IPSEC
show vpn flow //Shows encap/decap counters
show vpn gateway //Shows the list of IKE gateway configurations
show vpn ike-sa //Shows IKE Phase 1 SAs
show vpn ipsec-sa //Shows IPsec Phase 2 SAs
show vpn tunnel //Shows the list of auto-key IPsec tunnel configurations
show log system subtype equal vpn direction equal backward //Shows detailed debug information for IPsec tunneling
debug ike global on debug
less mp-log ikemgr.log
High Availability
show high-availability state //Shows the HA state of the device
show high-availability all //Shows the HA settings configured on the device and peer
show high-availability state-synchronization //Shows if the devices are synchronized
request high-availability state suspend //Suspends the active device and makes the passive device active
request high-availability state functional //Changes the state from suspend to passive
Software, Content and Licenses
request restart system //Reboots the system
request content upgrade //Upgrades content
> check //Gets info from the Palo Alto Networks server
> download //Downloads content packages
> info //Displays available content package info
> install //Installs content packages
request content downgrade install previous //Downgrades to the previous content version
request license info //Shows the licenses installed on the device
delete license key <key> //Deletes a license file
Miscellaneous
configure
set deviceconfig setting session tcp-reject-non-syn no //Ignore SYN when creating sessions
commit
show session info //Confirms the command took effect
configure
set deviceconfig setting session offload no //Make all packets go through the CPU; otherwise all fastpath packets go through the chip. Turns off session offload to the fastpath
commit
show session info //Confirms the command took effect
debug dataplane pool statistics //Shows the different dataplane buffers and their capacity
Posted 29th June 2018 by http://networksecurityknowledge2016.blogspot.com