Overview
| CLI Basics | |
|---|---|
| configure | Enter the configuration mode. |
| exit | Exit the configuration mode and go back to the operational mode. |
| set cli config-output-format [default | json | set | xml] | Run the command in the operational mode to change the output format |
| set cli pager off | disable the page function to show the entire output. |
| find command | Use command without any parameters to display the entire command hierarchy in the current command mode. |
| find command <keyword> | Use command to locate all commands that have a specified keyword. |
| System Defaults and Management Interface | |
|---|---|
| admin / admin | Default login. The predefined password must be change after the first login.
|
| 192.168.1.1/24 or DHCP | PA hardware firewalls have a static IP on the MGT interface. VM-Series get an IP on the MGT interface via DHCP. |
| 9600-8-N-1 (Hardware flow control is disabled) |
Default serial console port settings. |
| set deviceconfig system type [dhcp-client | static] | Switch the interface type of the MGT interface between static or DHCP. |
| set deviceconfig system ip-address <ip-address> netmask <netmask> default-gateway <default gateway> dns-setting servers primary <DNS ip address> | Use the command to set the IP address of the management interface. |
| Software, Updates and License | |
|---|---|
| debug swm status | Show status of PAN Software Manager. |
| debug swm status | Display info on current or specified image. |
| debug swm history | Show history of software install operations. |
| debug swm revert | Revert back to previous running software packages. |
| request content upgrade info | Show information about available threat packages. |
| request content upgrade install version latest | Installs most recently downloaded threat package. |
| request anti-virus upgrade info | Show information about available antivirus packages. |
| request anti-virus upgrade install version latest | Installs most recently downloaded antivirus package. |
| debug swm rebuild-content-db | Rebuild content databas. |
| Reboot and Shutdown | |
|---|---|
| request restart system | Restart the device |
| request shutdown system | Shutdown the device |
| Configuration Mode | |
|---|---|
| run | Use in configure mode to execute commands from operional mode e.g. show commands |
| configure | Enter the configuration mode |
| exit | Exit the configuration mode |
| commit | Commit the changes in the candidate configuration |
| set cli config-output-format [default | json | set | xml] | Run the command in the operational mode to change the output format |
| set cli pager off | Disable the page function to show the entire output. |
| Maintenance Mode | |
|---|---|
| maint | Enter maintenance mode while bootup process |
| debug system maintenance-mode | The device will reboot immediately into maintenance mode when the command is issued. |
| MA1NT | Password needed sometimes in the maintenance mode. |
| Maintenance Mode Optiions |
|
| Commit Configuration | |
|---|---|
| check pending-changes | Check for any uncommitted changes to the candidate configuration. |
| show config diff | To see the changes between the running configuration and candidate configuration |
| commit | Commit the changes in the candidate configuration |
| commit partial <username> | Run the command in the operational mode to change the output format |
| show config list changes <username> | List of changed objects, is not raw config rather the xpath of the changed object. |
| show config candidate | View any non-committed saved or unsaved changes (XML only). |
| validate [ full | partial ] | Validate commit. Validate command creates a job with a job ID. |
| show system last-commit-info | More detailed info can be gathered on the last commit, this includes things such as the phases it goes through and the processes it touches. |
| revert | save | load | export | import | Configuration management. |
| show jobs [ all | id <id> ] | View the validation results as overview or using the job id for more details. |
| show jobs pending | Display pending jobs. |
| show jobs processed | Display finished jobs. |
| Packet Capturing | |
|---|---|
| debug dataplane packet-diag clear all | Clear existing settings. |
| debug dataplane packet-diag set filter match <filter> | Define capture filter |
| debug dataplane packet-diag set filter on | Turn on filtering. (since PANOS 10.1 enabled per default) |
| debug dataplane packet-diag set capture stage [ receive | transmit | firewall | drop ] <filename> | Add stages and filenames. |
| debug dataplane packet-diag show setting | Review your settings. |
| debug dataplane packet-diag set capture on | Turn on packet capture. |
| debug dataplane packet-diag set capture off | Turn off packet capture . |
| view-pcap <options> no-dns-lookup yes filter-pcap | View packet capture. |
| [ tftp | scp ] export filter-pcap from <filename> to [ tftp-ip | user@ip-address:path ] | Export packet capture file. |
| debug dataplane packet-diag clear capture stage [ all | receive | firewall | drop | transmit ] | Delete capture files. |
| debug dataplane packet-diag set filter -offload -disable | Filter-based offloading – disables offloading only for traffic that matches that filter (since PANOS 10.1). |
| > set session offload [ yes | no ] | Enable/Disable Session offloading (non-persistent). |
| # set deviceconfig setting session offload [ yes | no ] | Enable/Disable Session offloading (persistent). |
| set application dump-unknown yes | If the unknown capture setting option is off, enable it.Verify with show running application setting | match “Unknown capture” |
| et application dump on application rule | Turn on the application packet capture and define filters. |
| set application dump off | Turn off application packet capture. |
| [ tftp | scp ] export application-pcap from <filename> to [ tftp-ip | user@ip-address:path ] | Export application packet capture file. |
| debug pcap [ on | off | … ] | Enable/Disable daemon packet capture. |
| [ tftp | scp ] export debug-pcap from <filename> to [ tftp-ip | user@ip-address:path ] | Export daemon packet capture file. |
| tcpdump filter “<filter>“ | Packet Capture (tcpdump) On Management Interface. |
| [ tftp | scp ] export mgmt-pcap from <filename> to [ tftp-ip | user@ip-address:path ] | Export management packet capture file. |
| System Overview | |
|---|---|
| show admins | Display the administrators who are currently logged in to the web interface, CLI, or API. |
| show admins all | Display the administrators who can access the web interface, CLI, or API, regardless of the login status. |
| show config-locks | Displays the list of administrators who hold configuration locks. |
| show commit-locks | Displays the list of administrators who hold commit locks. |
| request config-lock remove | To force removal of the configuration lock, use the following CLI command. |
| request commit-lock remove | To force removal of the commit lock, use the following CLI command. |
| show system info | Display basic device information (PANOS, Serial No, Content Version, CPU, Memory,…). |
| show system software status [ | match <service-name> ] | Status of all services running on the device. |
| debug software restart process <process-name> | Restart process |
| show chassis-ready | Display if the dataplane is ready to process sessions. |
| show netstat all yes | Display all listening and established connections on the management plane, per process. |
| request license [ fetch | info ] | Retrieves and shows currently active licenses. |
| show system state | State information of the entire device. |
| show system state filter env.* | Display system core temperatures and power levels. |
| show system state | match fan | System state for any line containing ‘fan’ to find fan speeds. |
| show system state | match cfg.general.max | Returns the maximum number of configurable objects the system supports. |
| show system state filter-pretty sys.s1.* | Display information about all the interfaces in slot 1. |
| show system logdb-quota | Show the maximum log file size. |
| show system disk-space files | Show percent usage of disk partitions. |
| show running logging | Show log and packet logging rate. |
| Services Overview | |
|---|---|
| less [ mp-log | dp-log ] <log-name> | Service log listing for service logs as listed below. |
| tail follow yes [ mp-log | dp-log ] <log-name> | End of service log with automatic refresh. |
| grep [ mp-log | dp-log ] <log-name> pattern <value> | Search for specific pattern in service logs. |
| debug software restart process <process-name> | Restart process. |
| show system software status | [ match <service-name> ] | Check if process is running. |
| show system files | Check for Core files. |
| less dp-backtrace or less mp-backtrace | Check for backtrace files.Use less dp-backtrace on platforms,with a dedicated Data Plane. |
| debug software logging-level show level service all-services | Show current log levels. |
| debug software logging-level set level <level> service <servicename> | Set log level for specific service. Debug levels:
|
| debug software logging-level set level default service <servicename> | Reset log level for specific service to default. |
| authd.log | Manages all firewall and Authentication policy-initiated user authentication, locks accounts, etc. Proccess/Daemon: authd |
| devsrvr.log | Device Server for configuration push and communication with data plane. Proccess/Daemon: device-server |
| ha-agent.log | High availability status. Proccess/Daemon: high-availability |
| ikemgr.log keymgr.log |
Contains ISAKMP and IPsec service logs. Proccess/Daemon: ikemgr and keymgr |
| tund.log | IPsec logs (Re-keying events and next hop updates). Proccess/Daemon: tund |
| logcvr.log | Records traffic logs sent from the data plane. Proccess/Daemon: log-receiver |
| mgmt_httpd_access.log mgmt._httpd_error.log |
Management user interface and XML APi requests. Proccess/Daemon: web-backend |
| ms.log | Management Server for configuration management. Proccess/Daemon: management-server |
| rasmgr.log | Provides logs for GlobalProtect remote access. Proccess/Daemon: rasmgr |
| routed.log | Provides static and dynamic routing service information. Proccess/Daemon: routing |
| sslvpn-acces.log sslvpn_error.log |
Service log for GlobalProtect web-based features. Proccess/Daemon: ssl-vpn |
| syslog-ng.log | Handles log forwarding. Proccess/Daemon: syslog-ng/td> |
| userid.log | Manages User-ID features. Proccess/Daemon: user-id |
| varcvr.log | Records URL logs and pcaps sent from the data plane. Proccess/Daemon: vardata.receiver |
| appweb3-websrvr.log | Handles a subset of API calls and uploads (runs as “nginx”). Proccess/Daemon: websrvr |
| appweb3-l3svc.log | Implements captive portal, NTLM authentications, URL block pages, and admin override for URL filtering (runs as “nginx”). Proccess/Daemon: l3svc |
| cryptod.log | Encrypts and decrypts passwords, private keys, etc., to enable them to be included as part of a config file. Proccess/Daemon: cryptod |
| sslmgr.log | Fulfills OCSP and CRL queries from management-plane and data-plane services; manages the OCSP and CRL repository. Proccess/Daemon: sslmgr |
| dagger.log | . Proccess/Daemon: |
| show system logdb-quota | Show the maximum log file size. |
| show system disk-space files | Show percent usage of disk partitions. |
| show running logging | Show log and packet logging rate. |
| show system ressources [follow] | Ressource Monitoring Management Plane (CPU, Memory,..). |
| show running ressource-monitor | Ressource Monitoring Data Plane. |
| show management-clients | Show internal management server clients. |
| High-Availability | |
|---|---|
| show high-availability [ state | all |state-synchronization ] | Display High-Availability status (Peer’s HA condition, All HA information and HA statistics. |
| show high-availability session-reestablish-status | Shows when HA1 and HA1-backup links were last reestablished. |
| show high-availability transitions | Indicates how many times a device has transitioned between HA states. |
| show high-availability flap statistics | Details about preemptions ‘flaps’ (preemption activates device, error encountered again, device non-funct, recovers, preempt activates, error encountered again, etc.). |
| show high-availability control-link statistics | Detailed information about HA1 messages. |
| request high-availability sessions-reestablish force | Reestablishes HA1 link if link was lost, use ‘force’ if HA1 backup is not configured. |
| request high-availability sync-to-remote running-config manually | Syncs running configuration to peer, in case automatic sync failed or if status is out-of-sync. |
| request high-availability state [ functional | suspend ] | Suspend or activate local device. |
| request high-availability state peer [ functional | suspend ] | Suspend or activate peer device. |
| show log system subtype equal ha | Display events only, based on High-Availability. |
| Routing | |
|---|---|
| show routing route | Display the routing table. |
| show routing fib | Display the forwarding table. |
| test routing fib-lookup virtual-router <name> | match <x.x.x.x/Y> | Look at routes for a specific destination. |
| test routing fib-lookup virtual-router <name> ip <ip> | Check FIB for a specific ip address. |
| ping host <destination ip address> | Ping from the management (MGT) interface to a destination IP address. |
| ping source <ip address on dataplane> host <destination ip address> | Indicates how many times a device has transitioned between HA states. |
| show routing protocol bgp summary | Display BGP router ids. |
| debug routing restart | Restart routing service. |
| debug routing global on <level> | Turn on routing debug logging.
|
| debug software logging-level set level default service routed | Set logging level back to default. |
| tail follow yes mp-log routed.log | Check routed logs. |
| debug routing pcap <routing protcol> on | Enable packet capturing. |
| debug routing pcap <routing protcol> off | Disable packet capturing. |
| Session Information | |
|---|---|
| show session info | Numbers of active sessions, statistics throughput timers and TCP/UDP settings. |
| show session all | Shows when HA1 and HA1-backup links were last reestablished. |
| show session id <id> | Show all the information for a specific session ID. |
| clear session id <id> | Clear active session. |
| show system statistics | View the current throughput and statistics. |
| show session all filter [ define filter options ] | Display sessoions based on the define filter ex. source ip. |
| IPsec VPN | |
|---|---|
| show vpn ike-sa [ detail | gateway | match ] | Show IKE SA (IKE Phase I). |
| show vpn ipsec-sa [ match | summary | tunnel ] | Show IPSec SA (IKE Phase II). |
| show vpn tunnel [ match | name ] | Show for given VPN tunnel. |
| show vpn gateway [ match | name ] | Show list of IKE gateway configuration. |
| show vpn flow | Show dataplane IPSec-VPN tunnel information. |
| show vpn flow tunnel-id <id> | Show for given VPN tunnel. |
| show vpn flow name <tunnel.id/tunnel.name> | Show specific tunnel information. |
| show session all filter protocol 50 | Show sessions for ESP packets. |
| test vpn ike-sa gateway <gateway-name> | Initiate Phase 1 for a specific gateway. |
| test vpn ipsec sa tunnel <tunnel-name> | Initiate Phase 2 for a specific tunnel without generating traffic. |
| clear vpn ike-sa gateway <gateway-name> | Clear for given IKE gateway. |
| clear vpn ipsec-sa tunnel <tunnel-name> | Clear for given VPN tunnel. |
| clear vpn flow tunnel-id <tunnel id-number> | Clear specific tunnel. |
| debug ike stat [ ipsec | isakmp | … ] | Show IKE daemon statistics. |
| debug ike global on <level> | Turn on ikemgr debug logging.
|
| debug ike global off | Turn off ikemgr debug logging. |
| less mp-log ikemgr.log | Review detail logging information, based on the logging debug level. |
| debug ike pcap on | To view the main/aggressive and quick mode negotiations, it is possible to turn on pcaps for capturing these negotiations. Messages 5 and 6 onwards in the main mode and all the packets in the quick mode have their data payload encrypted. |
| debug ike pcap off | Turn off packet capturing. |
| debug ike pcap delete | Delete pcap existing pcap files. |
| view-pcap <options debug-pcap ikemgr.pcap | View the content from the pcap file on the cli. |
| [ tftp | scp ]scp export debug-pcap <filename> | Export pcap files via tftp or scp. |
| SSL Decryption | |
|---|---|
| show system setting ssl-decrypt setting | Show ssl-decryption settings. |
| show system setting ssl-decrypt certificate | Display the list of ssl-decrypt certificates loaded on the dataplane. |
| show system setting ssl-decrypt certificate-cache | Display the list of cached certificates loaded on the dataplane. |
| show system setting ssl-decrypt dns-cache | Display the list of cached DNS entries. |
| show system setting ssl-decrypt memory | Show the SSL decryption memory usage. |
| show system setting ssl-decrypt exclude-cache | Display the list of cached servers excluded from decryption. |
| debug dataplane reset ssldecrypt exclude-cache application <application-name> | Clear all exclude cache in dataplane based on application. |
| debug dataplane reset ssldecrypt exclude-cache server <IP-address:port> | Clear all exclude cache in dataplane based on IPs. |
| set system setting ssl-decrypt skip-ssl-decrypt yes | Temporarily disable SSL decryption. |
| set system setting ssl-decrypt skip-ssl-decrypt no | Re-enable SSL decryption. |
| User-ID | |
|---|---|
| show user user-id-agent state all | Display all configured Windows-based agents. |
| show user server-monitor state all | Display the PAN-OS-integrated agent is configuration. |
| show user server-monitor statistics | Display how many log messages came in from syslog senders and how many entries the User-ID agent successfully mapped. |
| show user user-id-agent config name <agent-name> | Display the configuration of a User-ID agent from the Palo Alto Networks device. |
| show user group-mapping statistics | Show group mapping statistics. |
| show user group-mapping state all | Show state of one or all group mapping data. |
| show user group list | List All groups. |
| show user group name <group-name> | Show group’s members. |
| show user ip-user-mapping all | Display all user mappings on the Palo Alto Networks device. |
| show user ip-user-mapping all | match \\<username-string> | Show user mappings filtered by a username string (if the string includes the domain name, use two backslashes before the username). |
| show user ip-user-mapping ip <ip-address> | Show user mappings for a specific IP address. |
| show user user-ids | Display usernames. |
| show log userid datasourcetype equal <authentication-service> | Display mappings from a particular type of authentication service. |
| show log userid datasourcename equal <agent-name> direction equal backward | View the most recent addresses learned from a particular User-ID agent. |
| clear user-cache all | Clear the User-ID cache. |
| clear user-cache ip <ip-address/netmask> | Clear a User-ID mapping for a specific IP address. |
| Global Protect | |
|---|---|
| show global-protect-gateway current-satellite | Show current GlobalProtect gateway satellites. |
| show global-protect-gateway current-user | Show current GlobalProtect gateway users. |
| show global-protect-gateway flow | Show dataplane GlobalProtect gateway tunnel information. |
| show global-protect-gateway flow-site-to-site | Show dataplane GlobalProtect site-to-site gateway tunnel information. |
| show global-protect-gateway gateway | Show list of GlobalProtect gateway configuration. |
| show global-protect-gateway previous-satellite | Show previous GlobalProtect gateway satellites. |
| show global-protect-gateway previous-user | Show previous user session for GlobalProtect gateway users. |
| show global-protect-gateway statistics | Show statistics of current GlobalProtect gateway users. |
| show global-protect global-protect | Show settings for GlobalProtect. |
| show global-protect global-protect-gateway | Show GlobalProtect gateway run-time objects. |
| show global-protect global-protect-mdm | Show settings for GlobalProtect MDM. |
| show global-protect global-protect-portal | Show gloabl protect poral user session info. |
| show global-protect global-protect-satellite | Show GlobalProtect satellite run-time objects. |
| PanGPS.log | PanGPS contains the GlobalProtect service/daemon events (Global Protect Agent). |
| PanGPA.log | PanGPA is contains the GlobalProtect UI events (Global Protect Agent). |
| Security Profiles | |
|---|---|
| test url | Test the categorization of a URL on the device. URL Filtering |
| test url-info-cloud | Test the categorization of a URL in the cloud. URL Filtering |
| show log url direction equal backward | Display the URL log, most recent entries first. URL Filtering |
| show url-cloud status | Check URL cloud status. URL Filtering |
| debug dataplane show url-cache statistic | Display statistics on the URL cache. URL Filtering |
| clear url-cache all | Clear URL cache. URL Filtering |
| clear url-cache url | Clear specific entry from cache. URL Filtering |
| debug wildfire upload-log show | Verify file submission. Wildfire |
| request wildfire registration | Ensure the management port is able to communicate with the WildFire Wildfire. |
| show wildfire status | Verify WildFire operation. Wildfire |
| show wildfire statistics | view the detail of the file forwarding statistics in each file types. Wildfire |
| show wildfire cloud-info | Show Wildfire Cloud Info (Private and Public Cloud, Supported File Types. |
| [ less | tail | grep ] mp-log wildfire-upload.log | Display the Wildfire logs. Wildfire |
| show wildfire status channel public | shows the selected best server as well as the registration status. Wildfire |
| show wildfire-realtime-cache | Show WildFire Realtime virus cache entries. Wildfire |
| show wildfire-realtime-cloud-status | Show WildFire Realtime cloud status. Wildfire |
| show wildfire-realtime-stats | Show WildFire Realtime statistics. Wildfire |
| show bad-custom-signature | Show bad performance custom signatures. |