Weberblog.net

CLI Commands for Troubleshooting Palo Alto Firewalls

Memorandum, Palo Alto Networks | Cheat Sheet, CLI, Palo Alto Networks, Quick Reference, Troubleshooting | Johannes Weber

When troubleshooting network and security issues on many different devices/platforms, I am always missing some command options to do exactly what I want to do on the device I am currently working with. Therefore I list a few commands for the Palo Alto Networks firewalls to have a short reference cheat sheet for myself. Maybe some other network professionals will find it useful. However, since I am almost always using the GUI, this quick reference only lists commands that are useful for the console while not present in the GUI.

This blog post will be a living document. Whenever I use some "new" commands for troubleshooting issues, I

For a complete list of all commands, use the PAN-OS Reference Guide: Helpful Commands PDF.

Standard Show & Restart Commands

The following commands are really the basics and need no further description. I list them just as a reference:

  show system info                          // uptime, serial number, software version, ...
  show system environmentals                // e.g., power supply failures
  show ntp
  show session info                         // packet rate, number of sessions, fastpath
  show session id <id>
  show interface {all | <name>}
  show routing route                        // routing table (all routes)
  show routing fib                          // forwarding table (only used routes)
  show routing protocol ...
  show arp {all | <name>}
  show neighbor interface {all | <name>}    // IPv6 neighbor cache
  show mac all                              // only with layer 2 interfaces
  show jobs all
  show jobs id <id>
  show running resource-monitor             // resource statistics
  show system resources follow              // "top": CPU usage and processes
  show system disk-space
  debug software restart                    // restart a process
  request restart system                    // reboot the whole device

Live Session and Application Statistics

These are two handy commands to get some live stats about the current session or application usage on a Palo Alto. While you're in this live mode, you can toggle the view via "s" for session and "a" for application. Quit with "q" or get some help with "?". Start with either:

  show system statistics application
  show system statistics session

Problems with SFPs

To troubleshoot SFP problems, use the following command, where s0 is the slot and p19 is the port:

  show system state filter-pretty sys.s0.p19.phy

Sample output with one non-functional and one functional SFP in port ethernet1/19 is shown in the original post.

Find Command

Since PAN-OS 6.0, the "find" command helps searching for the needed command in case you do not fully know the whole set of commands. With "find command", all possible commands are displayed. With "find command keyword xy", all commands containing xy are shown.

  find command
  find command keyword <keyword>

Ping, Traceroute, and DNS

  ping host 8.8.8.8

Note that this ping request is issued from the management interface!
To use a data interface as the source, the option "source" can be used. To use IPv6, the option is "inet6 yes". For example (the source address is a placeholder here):

  ping inet6 yes source <ipv6-of-data-interface> host 2a00:1450:4008:800::1017

The traceroute command looks like this:

  traceroute host 8.8.8.8

The "source <ip>" option can be used to specify the outgoing interface. However, for IPv6 the option is dissimilar to the ping command: "ipv6 yes".

To resolve DNS names, e.g., to test the DNS server that is configured on the management interface, simply ping a name:

  ping host ip.webernetz.net

Routing

(For a display of the routing table refer to the "Standard Show Commands" above.) Debugging dynamic routing protocols works like this:

  debug routing pcap on
  debug routing pcap show
  debug routing pcap view
  debug routing pcap off
  debug routing pcap <routing-protocol> delete

Or follow the routed log:

  tail follow yes mp-log routed.log

For route path monitoring:

  show routing path-monitor
  debug routing path-monitor

Test

The Palo Alto offers some great test commands, e.g., for testing a route lookup, a VPN connection, or a security policy match. Use the question mark to find out more about the test commands. Here are some usage examples:

  test routing fib-lookup virtual-router default ip <ip>
  test vpn ipsec-sa tunnel <name>
  test security-policy-match ?
  test security-policy-match from trust-internet to pa-trust-server source 192.168.186.5 destination 192.168.128.2 protocol 6 application ssl destination-port 443

Viewing Management-Plane Logs

In order to view the debug log files, "less" or "tail" can be used. The keyword "mp-log" links to the management plane logs.

Packet Capture

These settings as well as the current size of the running packet capture files can be examined with:

  debug dataplane packet-diag show setting

Now the current capturing in follow mode can be viewed with
And for a really detailed analysis, the counters for the filtered packets can be viewed. This exactly reveals how many packets traversed which way, and so on. With the "delta yes" option only the counter values since the last execution of this command are shown. The "packet-filter yes" option uses the packet filter from the GUI (Monitor -> Packet Capture) to filter the counters:

  show counter global filter packet-filter yes delta yes

For example, here are the delta counters after a few DNS lookups (output in the original post). Or, even more interesting, filtered on "drop" severity (note the reasons on the right-hand side of that output).

Zone Protection Logging

Beginning with PAN-OS 8.1.2 you can enable an option to generate a threat log entry for packets dropped due to zone protection profiles. More information here. You must enable the feature through the CLI. (Hopefully, it will be default at a later date.)

  set system setting additional-threat-log on

Examining the Session Table

If a network connection (or a session) is not found in the traffic log, the session table can be asked for sessions in DISCARD state, filtered based on the source, or whatever. This is useful at the console because the session browser in the GUI does not store the filter options and is, therefore, a bit unhandy. All commands start with "show session all filter ...":

  show session all filter from trust to untrust application ssl state active

To have an overview of the number of sessions, configured timeouts, etc.:

  show session info

For investigating a single session in more detail use:

  show session id <id>

Watch out for the "Hardware session offload" line.
If it is "True" you might want to disable the fastpath during troubleshooting (inside the config mode):

  set session offload no
  set deviceconfig setting session offload no    // persistent, even after reboot

To see whether there are some "predict" sessions, in which the Palo Alto uses an ALG (application layer gateway) to predict dynamic ports (e.g., SIP, active FTP), use this command:

  show session all filter type predict

A specific session can then be cleared with:

  clear session id <value>

Reason for Session Close

[UPDATE] Since PAN-OS 6.1 the session end reason is a column within the GUI at Monitor -> Logs -> Traffic. Hence this is not needed anymore. [/UPDATE]

You cannot see the reason for a closed session in the traffic log in the GUI. For this purpose, find out the session id in the traffic log and type in the following command in the CLI (named the "Session Tracker"):

  show session id <id>

VPN

The complete IKE pcap can be downloaded from the Palo Alto with scp or tftp:

  scp export debug-pcap from ikemgr.pcap to <user@host:path>
  test vpn ike-sa gateway <name>
  test vpn ipsec-sa tunnel <name>

GlobalProtect

Current users and flows:

  show global-protect-gateway current-user
  show global-protect-gateway flow

Displaying the Config in Set Mode

The XML output of the "show config running" command might be unpractical when troubleshooting at the console. That's why the output format can be set to "set" mode:

  set cli config-output-format set

Now enter the configure mode and type "show". This reveals the complete configuration with "set ..." commands.
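As an added example (not code from the original post), here is a small Python parser for the set-format lines that "show" produces in this mode; the sample lines are constructed after the shape shown on this page (the object name "web server" and its address are assumptions), and match() reproduces the CLI's "| match" pipe:

```python
"""Parse PAN-OS "set"-format configuration output into a tree."""
import shlex

# Constructed sample in the shape of 'show' output after
# 'set cli config-output-format set' (names/addresses are assumptions).
SAMPLE = """\
set network interface ethernet ethernet1/1 layer3 ip 172.16.1.2/28
set network interface ethernet ethernet1/1 layer3 untagged-sub-interface no
set network interface ethernet ethernet1/1 link-speed auto
set network interface ethernet ethernet1/1 link-duplex auto
set deviceconfig system ip-address 192.168.120.2
set address fd-wv-fw02.mgmt ip-netmask 192.168.120.2
set address "web server" ip-netmask 10.0.0.5/32
"""

def match(text, needle):
    """Emulate the CLI pipe '| match <needle>': keep lines containing it."""
    return [ln for ln in text.splitlines() if needle in ln]

def parse_set_config(text):
    """Nested dict in which every token of a 'set ...' line is a key.
    shlex keeps quoted values such as "web server" as one token;
    lines that are not 'set' statements (prompts, [edit]) are skipped."""
    tree = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "set":
            continue
        node = tree
        for tok in tokens[1:]:
            node = node.setdefault(tok, {})
    return tree

def lookup(tree, path):
    """Return the subtree below the given token path, or None if absent."""
    node = tree
    for tok in path:
        if tok not in node:
            return None
        node = node[tok]
    return node

def to_set_lines(tree, prefix=()):
    """Flatten a tree back into sorted 'set' lines (inverse of parsing)."""
    lines = []
    for key, child in sorted(tree.items()):
        path = prefix + (shlex.quote(key),)
        lines.extend(to_set_lines(child, path) if child else ["set " + " ".join(path)])
    return lines

if __name__ == "__main__":
    cfg = parse_set_config(SAMPLE)
    print(lookup(cfg, ["network", "interface", "ethernet", "ethernet1/1", "layer3"]))
    print("\n".join(match(SAMPLE, "192.168.120.2")))
```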
(Click here for more information.) Here is a sample output of a particular show command:

  weberjoh@fd-wv-fw02# show network interface ethernet ethernet1/1
  set network interface ethernet ethernet1/1 layer3 ip 172.16.1.2/28
  set network interface ethernet ethernet1/1 layer3 untagged-sub-interface no
  set network interface ethernet ethernet1/1 layer3 interface-management-profile <profile>
  set network interface ethernet ethernet1/1 link-speed auto
  set network interface ethernet ethernet1/1 link-duplex auto
  set network interface ethernet ethernet1/1 link-state auto

The pipe (|) can be used to grep certain values with the "match" keyword, such as:

  weberjoh@fd-wv-fw02# show | match 192.168.120.2
  set deviceconfig system ip-address 192.168.120.2
  set address fd-wv-fw02.mgmt ip-netmask 192.168.120.2

To show the complete config without breaks (which is "terminal length 0" on Cisco devices), the following command can be used [BEFORE the configure mode is entered].

To omit line breaks (carriage returns), use this one:

  set cli terminal width 500

High Availability

  show high-availability ?
  show high-availability all
  show high-availability state
  show high-availability link-monitoring
  show high-availability path-monitoring
  show high-availability control-link statistics
  show high-availability state-synchronization
  show high-availability flap-statistics

The following requests can be used to trigger an HA failover, either for the local device or the peer device:

  request high-availability state suspend
  request high-availability state functional
  request high-availability state peer suspend
  request high-availability state peer functional

To verify the session synchronization (HA), you can either use "show high-availability state-synchronization" as shown above on both devices (verify that "sent" is increasing on the active unit and "received" is increasing on the passive unit), or you can look at the session browser on the passive device to see whether it shows the same count of sessions as the active device. A demo output of "state-synchronization" from both devices in a cluster is shown in the original post.

Export/Import Files

To copy files from or to the Palo Alto firewall, scp or tftp can be used. Both commands have the same structure with "export ... to" or "import ... from":

  scp export log system to <user@host:path>
  scp import software from <user@host:path>
  tftp export configuration from running-config.xml to <host>

User-ID

Show the members of a particular group:

  show user group name "AD\name-of-the-group"

Show the IP-to-user mappings for all users or for a particular user. The match value does not work with a backslash, so the username must be specified without the domain:

  show user ip-user-mapping all
  show user ip-user-mapping all | match <username>

User-ID cache clearance: note that you must clear both the dataplane AND the management plane to really delete an IP mapping. Since the MP pushes the mapping to the DP, you should clear the MP first.
More info here.

  clear user-cache-mp all
  clear user-cache-mp ip <ip>
  clear user-cache all
  clear user-cache ip <ip>

FQDN Refresh Time

To view this setting you can "show" the configuration with pipe and match. If you are in the default config output format it looks like this:

  weberjoh@pa1> show | match fqdn-ref
  fqdn-refresh-time 600;
  [edit]

When you are in the "set" config-output-format it looks like that:

  weberjoh@pa1# show | match fqdn-ref
  set deviceconfig system fqdn-refresh-time 600
  [edit]

Now, as in my case, I am updating the FQDNs every 600 s = 10 min. I can see the appropriate job every 10 min:

  weberjoh@pa1> show jobs all

(The job listing in the original post shows the Enqueued, Dequeued, ID and Positioning columns, with jobs enqueued on 2017/02/22 at 09:25:24, 09:35:28, 09:48:32 and 09:55:35.)

External Dynamic Lists

The entries in an external dynamic list can be viewed or refreshed with:

  request system external-list show type {ip|domain|url} name <name-of-the-list>
  request system external-list refresh type {ip|domain|url} name <name-of-the-list>

DNS Proxy

To verify the functionality of DNS proxy objects, at least two commands are useful. Both outputs should speak for themselves:

  show dns-proxy statistics all
  show dns-proxy cache all

Active URL Vendor/Database

I had some issues with the two different URL databases "brightcloud" and "PAN-DB". This is the command to show unambiguously which vendor is active on the PA (independent of the license):

  show system setting url-database

The output is either brightcloud or paloaltonetworks.
The standard URL DB up to PAN-OS 5.0 is brightcloud. Beginning with PAN-OS 6.0, the default is PAN-DB (refer to the release notes, section "Changes to Default Behavior"). To change the vendor (of course only if it's licensed), click the "Activate" link.

PAN-DB URL Test & Cache

To show the category of a specific URL, use one of the following commands:

  test url-info-host <url>

To display the current URL cache from the PAN-OS, two steps are required. The first one is the creation of a logfile which contains all entries, and the second one is to display this logfile:

  show system setting url-cache all
  less dp-log dp_url_DB.log

Fan Speed

Ok, this is not a troubleshooting command, but nevertheless very useful: it sets the fan speed to "auto", which immediately drops the noise of the fan, e.g., on a PA-200:

  set system setting fan-mode auto

Defaults

Just for reference:

  - Default management interface: 192.168.1.1
  - Login: admin / Password: admin

To change the static IP settings of the management interface via the console:

  configure
  set deviceconfig system ip-address 192.168.1.5 netmask 255.255.255.0 default-gateway 192.168.1.1 dns-setting servers primary 8.8.8.8
  commit
The management interface can alternatively be configured as a DHCP client (inside the configure mode):

  set deviceconfig system type dhcp-client send-hostname yes send-client-id no accept-dhcp-domain no accept-dhcp-hostname no
  commit

and wait for a console message such as:

  DHCP: new ip 10.100.20.175 : mask 255.255.255.128

Otherwise, you can show the management address via "show interface management". If you, later on, want to change back to static IP addresses, you must not only use the set command above (for the mere IP addresses) but also change the type back to static:

  set deviceconfig system type static

To perform a factory reset without direct access to the firewall via a console cable, you can use this procedure:

Featured image "Wrench" by Marco Verch, licensed under CC BY 2.0.

108 thoughts on "CLI Commands for Troubleshooting Palo Alto Firewalls"

Jesus:
Hey, I have one question: how can I disable or enable a static route using the CLI and not doing it on the GUI?

Reply:
Hi, you must go to the configure mode (configure) and specify a command similar to this:
