
PAN-OS Command Line Interface Reference Guide

Release 2.1


11/4/08 Final Review Draft- Palo Alto Networks COMPANY CONFIDENTIAL

Palo Alto Networks, Inc. www.paloaltonetworks.com 2008 Palo Alto Networks. All rights reserved. Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners Part number: 810-000033-00A

November 4, 2008 - Palo Alto Networks COMPANY CONFIDENTIAL

Table of Contents

Preface . . . 7
  About This Guide . . . 7
  Organization . . . 7
  Typographical Conventions . . . 8
  Notes, Cautions, and Warnings . . . 9
  Related Documentation . . . 9
  Obtaining More Information . . . 9
  Technical Support . . . 9

Chapter 1 Introduction . . . 11
  Understanding the PAN-OS CLI Structure . . . 11
  Getting Started . . . 12
    Before You Begin . . . 12
    Accessing the PAN-OS CLI . . . 12
  Understanding the PAN-OS CLI Commands . . . 13
    Understanding the PAN-OS CLI Command Conventions . . . 13
    Understanding Command Messages . . . 14
    Using Operational and Configuration Modes . . . 15
    Displaying the PAN-OS CLI Command Options . . . 15
    Using Keyboard Shortcuts . . . 16
    Understanding Command Option Symbols . . . 17
    Restricting Command Output . . . 18
    Understanding Privilege Levels . . . 18
    Referring to Firewall Interfaces . . . 19

Chapter 2 Understanding CLI Command Modes . . . 21
  Understanding Configuration Mode . . . 21
    Using Configuration Mode Commands . . . 21
    Understanding the Configuration Hierarchy . . . 23
    Navigating Through the Hierarchy . . . 25
  Understanding Operational Mode . . . 27

Chapter 3 Configuration Mode Commands . . . 29
  commit . . . 30
  copy . . . 31
  delete . . . 32
  edit . . . 33
  exit . . . 34
  load . . . 35
  move . . . 36
  quit . . . 37
  rename . . . 38
  run . . . 39
  save . . . 40
  set . . . 41
  show . . . 42
  top . . . 43
  up . . . 44

Chapter 4 Operational Mode Commands . . . 45
  clear . . . 49
  configure . . . 51
  delete . . . 52
  debug captive-portal . . . 54
  debug cli . . . 55
  debug cpld . . . 56
  debug dataplane . . . 57
  debug device-server . . . 59
  debug dhcpd . . . 60
  debug ez . . . 61
  debug high-availability-agent . . . 62
  debug ike . . . 63
  debug keymgr . . . 64
  debug log-receiver . . . 65
  debug management-server . . . 66
  debug master-service . . . 67
  debug netconfig-agent . . . 68
  debug routing . . . 69
  debug software . . . 70
  debug swm . . . 71
  debug tac-login . . . 72
  debug vardata-receiver . . . 73
  exit . . . 74
  grep . . . 75
  less . . . 76
  ping . . . 77
  quit . . . 79
  request certificate . . . 80
  request content upgrade . . . 82
  request high-availability . . . 83
  request license . . . 84
  request restart . . . 85
  request support . . . 86
  request system . . . 87
  scp . . . 88
  set application dump . . . 90
  set cli . . . 91
  set logging . . . 92
  set serial-number . . . 93
  set session . . . 94
  set target-vsys . . . 95
  set zip . . . 96
  show admins . . . 97
  show arp . . . 98
  show chassis-ready . . . 99
  show cli . . . 100
  show clock . . . 101
  show config . . . 102
  show counter . . . 103
  show ctd . . . 104
  show device . . . 105
  show device-messages . . . 106
  show devicegroups . . . 107
  show dhcp . . . 108
  show high-availability . . . 109
  show interface . . . 110
  show jobs . . . 111
  show location . . . 112
  show log . . . 113
  show logging . . . 115
  show mac . . . 116
  show management-clients . . . 117
  show multi-vsys . . . 118
  show pan-agent . . . 119
  show proxy . . . 120
  show query . . . 121
  show report . . . 122
  show routing . . . 123
  show route . . . 127
  show session . . . 128
  show statistics . . . 130
  show system . . . 132
  show target-vsys . . . 134
  show threat . . . 135
  show virtual-wire . . . 136
  show vlan . . . 137
  show vpn . . . 138
  show zip . . . 140
  show zone-protection . . . 141
  ssh . . . 142
  tail . . . 143
  telnet . . . 144
  test . . . 145
  tftp . . . 146
  traceroute . . . 148
  view-pcap . . . 150

Appendix A Configuration Hierarchy . . . 153
  Firewall Hierarchy . . . 153
  Panorama Hierarchy . . . 245

Appendix B PAN-OS CLI Keyboard Shortcuts . . . 249

Index . . . 253


Preface
This preface contains the following sections:

- About This Guide in the next section
- Organization on page 7
- Typographical Conventions on page 8
- Related Documentation on page 9
- Obtaining More Information on page 9
- Technical Support on page 9

About This Guide


This guide provides an overview of the PAN-OS command line interface (CLI), describes how to access and use the CLI, and provides command reference pages for each of the CLI commands. This guide is intended for system administrators who are responsible for deploying, operating, and maintaining the firewall and who require reference information about the PAN-OS CLI commands that they want to execute on a per-device basis. For an explanation of features and concepts, refer to the Palo Alto Networks Administrator's Guide.

Organization
This guide is organized as follows:

- Chapter 1, Introduction: Introduces and describes how to use the PAN-OS CLI.
- Chapter 2, Understanding CLI Command Modes: Describes the modes used to interact with the PAN-OS CLI.
- Chapter 3, Configuration Mode Commands: Contains command reference pages for Configuration mode commands.
- Chapter 4, Operational Mode Commands: Contains command reference pages for Operational mode commands.
- Appendix A, Configuration Hierarchy: Shows the configuration hierarchy for the firewall and for Panorama.
- Appendix B, PAN-OS CLI Keyboard Shortcuts: Describes the keyboard shortcuts supported in the PAN-OS CLI.

Typographical Conventions

This guide uses the following typographical conventions for special terms and instructions.

boldface
  Meaning: Names of commands, keywords, and selectable items in the web interface.
  Example: Use the configure command to enter Configuration mode.

italics
  Meaning: Names of variables, files, configuration elements, directories, or Uniform Resource Locators (URLs).
  Example: The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com. element2 is a required variable for the move command.

courier font
  Meaning: Command syntax, code examples, and screen output.
  Example: The show arp all command yields this output:
    username@hostname> show arp all
    maximum of entries supported: 8192
    default timeout: 1800 seconds
    total ARP entries in table: 0
    total ARP entries shown: 0
    status: s - static, c - complete, i - incomplete

courier bold font
  Meaning: Text that you enter at the command prompt.
  Example: Enter the following command to exit from the current PAN-OS CLI level:
    # exit

[ ] (text enclosed in square brackets)
  Meaning: Optional parameters.
  Example: In the following command, 8bit and port are optional parameters.
    > telnet [8bit] [port] host

< > (text enclosed in angle brackets)
  Meaning: Special keys or a choice of required options.
  Example: <tab> indicates that the tab key is pressed.
    > delete core <control-plane | data-plane> file filename

| (pipe symbol)
  Meaning: Choice of values, indicated by a pipe-symbol-separated list.
  Example: The request support command includes options to get support information from the update server or to show downloaded support information:
    > request support [check | info]


Notes, Cautions, and Warnings

This guide uses the following symbols for notes, cautions, and warnings.

NOTE: Indicates helpful suggestions or supplementary information.
CAUTION: Indicates information about which the reader should be careful in order to avoid data loss or equipment failure.
WARNING: Indicates potential danger that could involve bodily injury.

Related Documentation

The following additional documentation is provided with the firewall:

- Quick Start
- Hardware Reference Guide
- Palo Alto Networks Administrator's Guide

Obtaining More Information

To obtain more information about the firewall, refer to:

- Palo Alto Networks website: Go to http://www.paloaltonetworks.com.
- Online help: Click Help in the upper right corner of the GUI to access the online help system.

Technical Support

For technical support, use one of the following methods:

- Go to http://support.paloaltonetworks.com.
- Call 1-866-898-9087 (U.S., Canada, and Mexico).
- Email us at support@paloaltonetworks.com.


Chapter 1

Introduction
This chapter introduces and describes how to use the PAN-OS command line interface (CLI):

- Understanding the PAN-OS CLI Structure in the next section
- Getting Started on page 12
- Understanding the PAN-OS CLI Commands on page 13

Understanding the PAN-OS CLI Structure


The PAN-OS CLI allows you to access the firewall, view status and configuration information, and modify the configuration. Access to the PAN-OS CLI is provided through SSH, Telnet, or direct console access. The PAN-OS CLI operates in two modes:

- Operational mode: View the state of the system, navigate the PAN-OS CLI, and enter Configuration mode.
- Configuration mode: View and modify the configuration hierarchy.

Chapter 3 describes each mode in detail.


Getting Started
This section describes how to access and begin using the PAN-OS CLI:

- Before You Begin in the next section
- Accessing the PAN-OS CLI on page 12

Before You Begin


Verify that the firewall is installed and that an SSH, Telnet, or direct console connection is established. Note: Refer to the Hardware Reference Guide for hardware installation information and to the Quick Start for information on initial device configuration.

Use the following settings for a direct console connection:

- Data rate: 9600
- Data bits: 8
- Parity: none
- Stop bits: 1
- Flow control: none

Accessing the PAN-OS CLI


To access the PAN-OS CLI:

1. Open the console connection.
2. Enter the administrative user name. The default is admin.
3. Enter the administrative password. The default is admin.
4. The PAN-OS CLI opens in Operational mode, and the CLI prompt is displayed:

username@hostname>


Understanding the PAN-OS CLI Commands


This section describes how to use the PAN-OS CLI commands and display command options:

- Understanding the PAN-OS CLI Command Conventions in the next section
- Understanding Command Messages on page 14
- Using Operational and Configuration Modes on page 15
- Displaying the PAN-OS CLI Command Options on page 15
- Using Keyboard Shortcuts on page 16
- Understanding Command Option Symbols on page 17
- Understanding Privilege Levels on page 18
- Referring to Firewall Interfaces on page 19

Understanding the PAN-OS CLI Command Conventions


The basic command prompt incorporates the user name and model of the firewall:

username@hostname>

When you enter Configuration mode, the prompt changes from > to #:

username@hostname>                (Operational mode)
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#                (Configuration mode)

In Configuration mode, the current hierarchy context is shown by the [edit...] banner presented in square brackets when a command is issued. Refer to Using the Edit Command on page 26 for additional information on the edit command.


Understanding Command Messages


Messages may be displayed when you issue a command. The messages provide context information and can help in correcting invalid commands. In the following examples, the message is shown in bold.

Example: Unknown command

username@hostname# application-group
Unknown command: application-group
[edit network]
username@hostname#

Example: Changing modes

username@hostname# exit
Exiting configuration mode
username@hostname>

Example: Invalid syntax

username@hostname> debug 17
Unrecognized command
Invalid syntax.
username@hostname>

Each time you enter a command, the syntax is checked. If the syntax is correct, the command is executed and the candidate hierarchy changes are recorded. If the syntax is incorrect, an invalid syntax message is presented, as in the following example:

username@hostname# set zone application 1.1.2.2
Unrecognized command
Invalid syntax.
[edit]
username@hostname#


Using Operational and Configuration Modes


When you log in, the PAN-OS CLI opens in Operational mode. You can move between Operational and Configuration modes at any time.

To enter Configuration mode from Operational mode, use the configure command:

username@hostname> configure
Entering configuration mode
[edit]
username@hostname#

To leave Configuration mode and return to Operational mode, use the quit or exit command:

username@hostname# quit
Exiting configuration mode
username@hostname>

To enter an Operational mode command while in Configuration mode, use the run command, as described in run on page 39.

Displaying the PAN-OS CLI Command Options


Use ? (or Meta-H) to display a list of command options, based on context:

To display a list of operational commands, enter ? at the command prompt.

username@hostname> ?
  clear        Clear runtime parameters
  configure    Manipulate software configuration information
  debug        Debug and diagnose
  exit         Exit this session
  grep         Searches file for lines containing a pattern match
  less         Examine debug file content
  ping         Ping hosts and networks
  quit         Exit this session
  request      Make system-level requests
  scp          Use ssh to copy file to another host
  set          Set operational parameters
  show         Show operational parameters
  ssh          Start a secure shell to another host
  tail         Print the last 10 lines of debug file content
  telnet       Start a telnet session to another host
username@hostname>


To display the available options for a specified command, enter the command followed by ?. Example:

username@hostname> ping ?
+ bypass-routing     Bypass routing table, use specified interface
+ count              Number of requests to send (1..2000000000 packets)
+ do-not-fragment    Don't fragment echo request packets (IPv4)
+ inet               Force to IPv4 destination
+ interface          Source interface (multicast, all-ones, unrouted packets)
+ interval           Delay between requests (seconds)
+ no-resolve         Don't attempt to print addresses symbolically
+ pattern            Hexadecimal fill pattern
+ record-route       Record and report packet's path (IPv4)
+ size               Size of request packets (0..65468 bytes)
+ source             Source address of echo request
+ tos                IP type-of-service value (0..255)
+ ttl                IP time-to-live value (IPv6 hop-limit value) (0..255 hops)
+ verbose            Display detailed output
+ wait               Delay after sending last packet (seconds)
<host>               Hostname or IP address of remote host
username@hostname> ping

Using Keyboard Shortcuts


The PAN-OS CLI supports a variety of keyboard shortcuts. For a complete list, refer to Appendix B, PAN-OS CLI Keyboard Shortcuts. Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the Esc key.


Understanding Command Option Symbols


The symbol preceding an option can provide additional information about command syntax, as described in Table 1.

Table 1. Option Symbols

*   This option is required.
>   There are additional nested options for this command.
+   There are additional command options for this command at this level.

The following example shows how these symbols are used. Example: In the following command, the keyword from is required:

username@hostname> scp import configuration ?
+ remote-port    SSH port number on remote host
* from           Source (username@host:path)
username@hostname> scp import configuration

Example: This command output shows options designated with + and >.

username@hostname# set rulebase security rules rule1 ?
+ action                action
+ application           application
+ description           description
+ destination           destination
+ disabled              disabled
+ from                  from
+ log-end               log-end
+ log-setting           log-setting
+ log-start             log-start
+ negate-destination    negate-destination
+ negate-source         negate-source
+ schedule              schedule
+ service               service
+ source                source
+ to                    to
> profiles              profiles
<Enter>                 Finish input
[edit]
username@hostname# set rulebase security rules rule1

Each option listed with + can be added to the command. The profiles keyword (with >) has additional options:

username@hostname# set rulebase security rules rule1 profiles ?
+ virus            Help string for virus
+ spyware          Help string for spyware
+ vulnerability    Help string for vulnerability
+ group            Help string for group
<Enter>            Finish input
[edit]
username@hostname# set rulebase security rules rule1 profiles


Restricting Command Output


Some operational commands include an option to restrict the displayed output. To restrict the output, enter a pipe symbol followed by except or match and the value that is to be excluded or included.

Example: The following sample output is for the show system info command:

username@hostname> show system info
hostname: PA-HDF
ip-address: 10.1.7.10
netmask: 255.255.0.0
default-gateway: 10.1.0.1
mac-address: 00:15:E9:2E:34:33
time: Fri Aug 17 13:51:49 2007
uptime: 0 days, 23:19:23
devicename: PA-HDF
family: i386
model: pa-4050
serial: unknown
sw-version: 1.5.0.0-519
app-version: 25-150
threat-version: 0
url-filtering-version: 0
logdb-version: 1.0.8
username@hostname>

The following sample displays only the system model information:

username@hostname> show system info | match model
model: pa-4050
username@hostname>
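As an added illustration (editor-supplied Python, not code from the guide or from Palo Alto Networks), the following script reproduces the match and except filters over the show system info output quoted above and then parses the surviving key: value lines, which is what an operator typically does when collecting version or serial information from several devices. The sample output is constructed from the values printed in the example above; treating the filter value as a plain substring rather than a regular expression is an assumption, since the guide does not say which the CLI uses.

```python
"""Emulate PAN-OS '| match' / '| except' output restriction and parse the result.

Added example; not code from the PAN-OS guide. The sample output is constructed
from the 'show system info' example in the guide.
"""
from typing import Dict, List

# Constructed sample: the 'show system info' screen output quoted in the guide.
SHOW_SYSTEM_INFO = """\
hostname: PA-HDF
ip-address: 10.1.7.10
netmask: 255.255.0.0
default-gateway: 10.1.0.1
mac-address: 00:15:E9:2E:34:33
time: Fri Aug 17 13:51:49 2007
uptime: 0 days, 23:19:23
devicename: PA-HDF
family: i386
model: pa-4050
serial: unknown
sw-version: 1.5.0.0-519
app-version: 25-150
threat-version: 0
url-filtering-version: 0
logdb-version: 1.0.8
"""


def restrict_output(output: str, mode: str, value: str) -> List[str]:
    """Emulate '<command> | match <value>' and '<command> | except <value>'.

    'match' keeps the lines containing value; 'except' drops them. The test is
    a plain substring comparison (assumption: the guide does not say whether
    the CLI treats the value as a regular expression).
    """
    if mode not in ("match", "except"):
        raise ValueError("mode must be 'match' or 'except'")
    keep = mode == "match"
    return [line for line in output.splitlines() if (value in line) == keep]


def parse_key_values(lines: List[str]) -> Dict[str, str]:
    """Turn 'key: value' lines into a dict; lines without a colon are skipped.

    Splitting on the FIRST colon only is what keeps values that themselves
    contain colons (the MAC address, the 'time' and 'uptime' fields) intact.
    """
    result: Dict[str, str] = {}
    for line in lines:
        if ":" not in line:
            continue
        key, _, val = line.partition(":")
        result[key.strip()] = val.strip()
    return result


def version_fields(output: str = SHOW_SYSTEM_INFO) -> Dict[str, str]:
    """Collect the version fields, as an operator would with '| match version'."""
    return parse_key_values(restrict_output(output, "match", "version"))


def model_line(output: str = SHOW_SYSTEM_INFO) -> List[str]:
    """Equivalent of 'show system info | match model' from the guide."""
    return restrict_output(output, "match", "model")


if __name__ == "__main__":
    print("\n".join(model_line()))
    for key, val in version_fields().items():
        print(f"{key} = {val}")
    print("lines left after '| except version':",
          len(restrict_output(SHOW_SYSTEM_INFO, "except", "version")))
```

The same two functions work on any key: value style output from the CLI; only the constructed sample is specific to show system info.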

Understanding Privilege Levels

Privilege levels determine which commands the user is permitted to execute and the information the user is permitted to view. Table 2 describes the PAN-OS CLI privilege levels.

Table 2. Privilege Levels

superuser    Has full access to the firewall and can define new administrator accounts and virtual systems.
superreader  Has complete read-only access to the firewall.
vsysadmin    Has full access to a selected virtual system on the firewall.
vsysreader   Has read-only access to a selected virtual system on the firewall.


Referring to Firewall Interfaces


The Ethernet interfaces are numbered from left to right and top to bottom on the firewall, as shown in Figure 1.

Figure 1. Firewall Ethernet Interfaces (figure not reproduced: the front-panel ports are labelled ethernet1/1 through ethernet1/16, with the odd-numbered ports ethernet1/1 to ethernet1/15 in the top row and the even-numbered ports ethernet1/2 to ethernet1/16 in the bottom row, numbered left to right)


Use these names when referring to the Ethernet interfaces within the PAN-OS CLI commands, as in the following example:
username@hostname# set network interface ethernet ethernet1/4 virtual-wire


Chapter 2

Understanding CLI Command Modes


This chapter describes the modes used to interact with the PAN-OS CLI:

- Understanding Configuration Mode in the next section
- Understanding Operational Mode on page 27

Understanding Configuration Mode


When you enter Configuration mode and enter commands to configure the firewall, you are modifying the candidate configuration. The modified candidate configuration is stored in firewall memory and maintained while the firewall is running. Each configuration command involves an action, and may also include keywords, options, and values. Entering a command makes changes to the candidate configuration. This section describes Configuration mode and the configuration hierarchy:

Using Configuration Mode Commands in the next section
Understanding the Configuration Hierarchy on page 23
Navigating Through the Hierarchy on page 25

Using Configuration Mode Commands


Use the following commands to store and apply configuration changes (see Figure 2):

save command: Saves the candidate configuration in firewall non-volatile storage. The saved configuration is retained until overwritten by subsequent save commands. Note that this command does not make the configuration active.
commit command: Applies the candidate configuration to the firewall. A committed configuration becomes the active configuration for the device.
set command: Changes a value in the candidate configuration.
load command: Assigns the last saved configuration or a specified configuration to be the candidate configuration.


Example: Make and save a configuration change.

username@hostname# rename zone untrust to untrust1      (enter a configuration command)
[edit]
username@hostname# save config to snapshot.xml
Config saved to .snapshot.xml
[edit]
username@hostname#

Example: Make a change to the candidate configuration.

[edit]
username@hostname# set network interface vlan ip 1.1.1.4/24
[edit]
username@hostname#

Example: Make the candidate configuration active on the device.

[edit]
username@hostname# commit
[edit]
username@hostname#

Note: If you exit Configuration mode without issuing the save or commit command, your configuration changes could be lost if power is lost to the firewall.

Figure 2. Configuration Mode Command Relationship (set modifies the Candidate Configuration; commit makes the Candidate Configuration the Active Configuration; save writes the Candidate Configuration to the Saved Configuration, and load replaces the Candidate Configuration with the Saved Configuration)

Maintaining a candidate configuration and separating the save and commit steps confers important advantages when compared with traditional CLI architectures:

Distinguishing between the save and commit concepts allows multiple changes to be made at the same time and reduces system vulnerability. For example, if you want to remove an existing security policy and add a new one, using a traditional CLI command structure would leave the system vulnerable for the period of time between removal of the existing security policy and addition of the new one. With the PAN-OS approach, you configure the new security policy before the existing policy is removed, and then implement the new policy without leaving a window of vulnerability.

You can easily adapt commands for similar functions. For example, if you are configuring two Ethernet interfaces, each with a different IP address, you can edit the configuration for the first interface, copy the command, modify only the interface and IP address, and then apply the change to the second interface.

The command structure is always consistent. Because the candidate configuration is always unique, all the authorized changes to the candidate configuration will be consistent with each other.
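As an added illustration of the candidate/active/saved model described in this section (this is my own Python model, not code from the PAN-OS CLI or from Palo Alto Networks): the three stores are plain dictionaries, set and delete touch only the candidate, save and load move snapshots in and out of it, and commit replaces the active configuration in one step. The replace_rule_immediately function simulates a traditional CLI in which each command takes effect as soon as it is entered, so that the interval with no rule in force becomes visible; the rule names, paths and snapshot name are constructed sample data and the function names are my own.

```python
import copy

# Added model of the candidate / active / saved configuration stores, not code
# from PAN-OS or this guide. Paths and rule names below are constructed samples.
RULES = ["rulebase", "security", "rules"]


def rules_in(config):
    return config["rulebase"]["security"]["rules"]


class ConfigStore:
    """Three copies of the configuration, edited and promoted as the chapter describes."""

    def __init__(self, initial_rules):
        base = {"rulebase": {"security": {"rules": dict(initial_rules)}}}
        self.candidate = copy.deepcopy(base)   # what set/delete edit
        self.active = copy.deepcopy(base)      # what the firewall enforces
        self.saved = {}                        # snapshot name -> configuration
        self.history = [copy.deepcopy(base)]   # every configuration ever active

    def set(self, path, value):
        node = self.candidate
        for key in path[:-1]:
            node = node.setdefault(key, {})
        node[path[-1]] = value

    def delete(self, path):
        node = self.candidate
        for key in path[:-1]:
            node = node[key]
        del node[path[-1]]

    def save(self, name):                      # candidate -> non-volatile snapshot
        self.saved[name] = copy.deepcopy(self.candidate)

    def load(self, name):                      # snapshot -> candidate
        self.candidate = copy.deepcopy(self.saved[name])

    def commit(self):                          # candidate -> active, in one step
        self.active = copy.deepcopy(self.candidate)
        self.history.append(copy.deepcopy(self.active))


def fewest_active_rules(history):
    """Smallest rule count that any active configuration in the history ever had."""
    return min(len(rules_in(cfg)) for cfg in history)


def replace_rule_with_commit():
    """PAN-OS style: add the new rule, drop the old one, then commit both at once."""
    store = ConfigStore({"rule1": {"action": "deny", "source": "any"}})
    store.set(RULES + ["rule2"], {"action": "deny", "source": "10.0.0.0/8"})
    store.delete(RULES + ["rule1"])
    store.commit()
    return fewest_active_rules(store.history)       # 1: no gap in enforcement


def replace_rule_immediately():
    """Traditional CLI: each command changes the active configuration as entered."""
    active = {"rulebase": {"security": {"rules": {"rule1": {"action": "deny"}}}}}
    history = [copy.deepcopy(active)]
    del rules_in(active)["rule1"]
    history.append(copy.deepcopy(active))           # interval with no rule at all
    rules_in(active)["rule2"] = {"action": "deny"}
    history.append(copy.deepcopy(active))
    return fewest_active_rules(history)             # 0: the unprotected interval


def discard_experiment_with_load():
    """save, try something in the candidate, load the snapshot back."""
    store = ConfigStore({"rule1": {"action": "deny"}})
    store.save("snapshot.xml")
    store.set(RULES + ["rule3"], {"action": "allow"})
    active_saw_rule3 = "rule3" in rules_in(store.active)   # False: never committed
    store.load("snapshot.xml")                              # drop the experiment
    return active_saw_rule3, sorted(rules_in(store.candidate))
```

The history list is the audit trail a reviewer would want: with the commit model the smallest rule set that was ever enforced is the one-rule set, whereas the immediate model records a state with no rule at all between the delete and the add.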

Understanding the Configuration Hierarchy


The configuration for the firewall is organized in a hierarchical structure. To display a segment of the current hierarchy, use the show command. Entering show displays the complete hierarchy, while entering show with keywords displays a segment of the hierarchy. For example, the following command displays the configuration hierarchy for the ethernet interface segment of the hierarchy:
username@hostname# show network interface ethernet
ethernet {
  ethernet1/1 {
    virtual-wire;
  }
  ethernet1/2 {
    virtual-wire;
  }
  ethernet1/3 {
    layer2 {
      units {
        ethernet1/3.1;
      }
    }
  }
  ethernet1/4;
}
[edit]
username@hostname#

Understanding Hierarchy Paths


When you enter a command, a path is traced through the hierarchy, as shown in Figure 3.

Figure 3. Sample Hierarchy Segment (reconstructed from the figure labels as an indented tree; "..." marks subtrees the figure does not expand)

network
  profiles ...
  interface
    ethernet
      ethernet1/1
      ethernet1/2
      ethernet1/3
      ethernet1/4
        virtual-wire
        link-speed 1000
        link-duplex auto
        link-state up
    loopback ...
    aggregate-ethernet ...
    vlan ...
  vlan ...
  virtual-wire ...
  virtual-router ...


For example, the following command assigns the IP address/netmask 10.1.1.12/24 to the Layer 3 interface for the Ethernet port ethernet1/4:
[edit]
username@hostname# set network interface ethernet ethernet1/4 layer3 ip 10.1.1.12/24
[edit]
username@hostname#

This command generates a new element in the hierarchy, as shown in Figure 4 and in the output of the following show command:
[edit]
username@hostname# show network interface ethernet ethernet1/4
ethernet1/4 {
  layer3 {
    ip {
      10.1.1.12/24;
    }
  }
}
[edit]
username@hostname#

Figure 4. Sample Hierarchy Segment (the tree of Figure 3 with the branch added by the set command; only the new branch is shown here)

network
  interface
    ethernet
      ethernet1/4
        ip
          10.1.1.12/24
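An added example of working with the hierarchy described above (my own Python code, not part of the PAN-OS CLI or of this guide): a parser for the brace-delimited output of the Configuration mode show command, a flattener that turns the resulting tree back into the equivalent set commands, and a small Context class that models the [edit ...] banner so that a set entered at a lower level resolves to the full path. SAMPLE_SHOW_OUTPUT is constructed from the show output quoted in this chapter, with an ethernet1/5 leaf added; the grammar (blocks, "leaf;", "key value;" and "key [ a b ];" members) is my reading of that output, and the function names are my own.

```python
import re

# Added example, not code shipped with PAN-OS. Sample constructed from the
# show output quoted in the chapter, plus a bare "ethernet1/5;" leaf.
SAMPLE_SHOW_OUTPUT = """\
ethernet {
  ethernet1/1 {
    virtual-wire;
  }
  ethernet1/4 {
    layer3 {
      ip {
        10.1.1.12/24;
      }
    }
  }
  ethernet1/5;
}
"""

TOKEN = re.compile(r"[\[\]{};]|[^\s\[\]{};]+")


def parse_config(text):
    """Nested dict: block -> dict, "leaf;" -> None, "key value;" -> str,
    "key [ a b ];" -> list."""
    tokens = TOKEN.findall(text)
    pos = 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            name, tok = tokens[pos], tokens[pos + 1]
            pos += 2
            if tok == "{":
                node[name] = block()
                pos += 1                      # consume the closing brace
            elif tok == ";":
                node[name] = None
            elif tok == "[":
                items = []
                while tokens[pos] != "]":
                    items.append(tokens[pos])
                    pos += 1
                pos += 2                      # consume "]" and ";"
                node[name] = items
            else:                             # "key value;"
                node[name] = tok
                pos += 1                      # consume ";"
        return node

    return block()


def to_set_commands(tree, prefix=()):
    """Flatten a tree into the set commands that would recreate it."""
    cmds = []
    for name, value in tree.items():
        path = " ".join(prefix + (name,))
        if isinstance(value, dict) and value:
            cmds.extend(to_set_commands(value, prefix + (name,)))
        elif isinstance(value, list):
            cmds.append("set %s [ %s ]" % (path, " ".join(value)))
        elif value is None or value == {}:
            cmds.append("set " + path)
        else:
            cmds.append("set %s %s" % (path, value))
    return cmds


class Context:
    """Models the [edit ...] banner: edit descends, up pops one level, top clears."""

    def __init__(self):
        self.path = []

    def edit(self, *names):
        self.path.extend(names)

    def up(self):
        if self.path:
            self.path.pop()

    def top(self):
        self.path = []

    def banner(self):
        return "[edit%s]" % "".join(" " + p for p in self.path)

    def resolve(self, tokens):
        """Absolute path for a set entered at the current context."""
        return self.path + list(tokens)


def apply_set(tree, tokens):
    """Create the nodes named by an absolute set path, replacing a leaf with a block."""
    node = tree
    for name in tokens[:-1]:
        child = node.get(name)
        if not isinstance(child, dict):
            child = node[name] = {}
        node = child
    node.setdefault(tokens[-1], None)


def demo():
    tree = {"network": {"interface": parse_config(SAMPLE_SHOW_OUTPUT)}}
    ctx = Context()
    ctx.edit("network", "interface", "vlan")      # [edit network interface vlan]
    apply_set(tree, ctx.resolve(["ip", "1.1.1.4/32"]))
    ctx.top()
    return ctx.banner(), to_set_commands(tree)
```

Flattening a captured show tree into set commands is a convenient way to diff two snapshots or to review exactly which paths a candidate configuration adds before it is committed.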

Navigating Through the Hierarchy


The [edit...] banner presented below the Configure mode command prompt line shows the current hierarchy context. For example, the banner
[edit]

indicates that the relative context is the top level of the hierarchy, whereas
[edit network profiles]

indicates that the relative context is at the network profiles node. Use the commands listed in Table 3 to navigate through the configuration hierarchy.

Table 3. Navigation Commands

Command  Description
edit     Sets the context for configuration within the command hierarchy.
up       Changes the context to the next higher level in the hierarchy.
top      Changes the context to the highest level in the hierarchy.

Using the Edit Command


Use the edit command to change context to lower levels of the hierarchy, as in the following examples:

Move from the top level to a lower level:

[edit]                          (top level)
username@hostname# edit network
[edit network]                  (now at the network level)
username@hostname#

Move from one level to a lower level:

[edit network]                  (network level)
username@hostname# edit interface
[edit network interface]        (now at the network interface level)
admin@abce#

Using the Up and Top Commands


Use the up and top commands to move to higher levels in the hierarchy:

up: changes the context to one level up in the hierarchy. Example:

[edit network interface]        (network interface level)
admin@abce# up
[edit network]                  (now at the network level)
username@hostname#

top: changes context to the top level of the hierarchy. Example:

[edit network interface vlan]   (network vlan level)
username@hostname# top
[edit]                          (now at the top level)
username@hostname#

Note: The set command issued after using the up and top commands starts from the new context.

Understanding Operational Mode


When you first log in, the PAN-OS CLI opens in Operational mode. Operational mode commands involve actions that are executed immediately. They do not involve changes to the configuration, and do not need to be saved or committed. Operational mode commands are of several types:

Network access: Open a window to another host. Includes ssh and telnet commands.
Monitoring and troubleshooting: Perform diagnosis and analysis. Includes debug and ping commands.
Display commands: Display or clear current information. Includes clear and show commands.
PAN-OS CLI navigation commands: Enter Configure mode or exit the PAN-OS CLI. Includes configure, exit, and quit commands.
System commands: Make system-level requests or restart. Includes set and request commands.

Chapter 3

Configuration Mode Commands


This chapter contains command reference pages for the following Configuration mode command types:

commit on page 30
copy on page 31
delete on page 32
edit on page 33
exit on page 34
load on page 35
move on page 36
quit on page 37
rename on page 38
run on page 39
save on page 40
set on page 41
show on page 42
top on page 43
up on page 44

commit
Make the current candidate configuration the active configuration on the firewall.

Syntax
commit

Options
None

Sample Output
The following command makes the current candidate configuration the active configuration.
# commit

Required Privilege Level
superuser, vsysadmin, deviceadmin

copy
Make a copy of a node in the hierarchy along with its children, and add the copy to the same hierarchy level.

Syntax
copy [node1] to [node2]

Options
node1  Specifies the node to be copied.
node2  Specifies the name of the copy.

Sample Output
The following command, executed from the rule base security level of the hierarchy, makes a copy of rule1, called rule2.
[edit rulebase security]
username@hostname# copy rules rule1 to rule2
[edit rulebase security]
username@hostname#

The following command shows the location of the new rule in the hierarchy.
[edit rulebase security]
username@hostname# show
security {
  rules {
    rule1 {
      source [ any 1.1.1.1/32 ];
      destination 1.1.1.2/32;
    }
    rule2 {
      source [ any 1.1.1.1/32 ];
      destination 1.1.1.2/32;
    }
  }
}

Required Privilege Level
superuser, vsysadmin, deviceadmin

delete
Remove a node from the candidate configuration along with all its children. Note: No confirmation is requested when this command is entered.

Syntax
delete [node]

Options
node  Specifies the hierarchy node to delete.

Sample Output
The following command deletes the application myapp from the candidate configuration.
username@hostname# delete application myapp
[edit]
username@hostname#

Required Privilege Level
superuser, vsysadmin, deviceadmin

edit
Change context to a lower level in the configuration hierarchy.

Syntax
edit [context]

Options
context  Specifies a path through the hierarchy.

Sample Output
The following command changes context from the top level to the rulebase level of the hierarchy.
[edit]
username@hostname# edit rulebase
[edit rulebase]
username@hostname#

Required Privilege Level
superuser, vsysadmin, deviceadmin

exit
Exit from the current PAN-OS CLI level.

From Operational mode: Exits the PAN-OS CLI.
From Configuration mode, top hierarchy level: Exits Configuration mode, returning to Operational mode.
From Configuration mode, lower hierarchy levels: Changes context to one level up in the hierarchy. Provides the same result as the up command.

Note: The exit command is the same as the quit command.

Syntax
exit

Options
None

Sample Output
The following command changes context from the network interface level to the network level.
[edit network interface]
username@hostname# exit
[edit network]
username@hostname#

The following command changes from Configuration mode to Operational mode.

[edit]
username@hostname# exit
Exiting configuration mode
username@hostname>

Required Privilege Level
All

load
Assigns the last saved configuration or a specified configuration to be the candidate configuration.

Syntax
load config [from filename]

Options
filename Specifies the filename from which the configuration will be loaded.

Sample Output
The following command assigns output.xml to be the candidate configuration.
[edit]
username@hostname# load config from output.xml
command succeeded
[edit]
username@hostname#

Required Privilege Level
superuser, vsysadmin, deviceadmin

move
Relocate a node in the hierarchy along with its children to be at another location at the same hierarchy level.

Syntax
move element [bottom | top | after element | before element]

Options
element    Specifies the item to be moved.
placement  Specifies the new location of the element:
           bottom           Makes the element the last entry of the hierarchy level.
           top              Makes the element the first entry of the hierarchy level.
           after element2   Moves element to be after element2.
           before element2  Moves element to be before element2.
element2   Indicates the element after or before which element will be placed.

Sample Output
The following command moves the security rule rule1 to the top of the rule base.
username@hostname# move rulebase security rules rule1 top
[edit]
username@hostname#

Required Privilege Level
superuser, vsysadmin, deviceadmin

quit
Exit from the current PAN-OS CLI level.

From Operational mode: Exits the PAN-OS CLI.
From Configuration mode, top hierarchy level: Exits Configuration mode, returning to Operational mode.
From Configuration mode, lower hierarchy levels: Changes context to one level up in the hierarchy. Provides the same result as the up command.

Note: The exit and quit commands are interchangeable.

Syntax
quit

Options
None

Sample Output
The following command changes context from the log-settings level to the top level.
[edit log-settings]
username@hostname# quit
[edit]
username@hostname#

The following command changes from Configuration mode to Operational mode.

[edit]
username@hostname# quit
Exiting configuration mode
username@hostname>

Required Privilege Level
All

rename
Change the name of a node in the hierarchy.

Syntax
rename [node1] to [node2]

Options
node1  Indicates the original node name.
node2  Indicates the new node name.

Sample Output
The following command changes the name of a node in the hierarchy from 1.1.1.1/24 to 1.1.1.2/24.
username@hostname# rename network interface vlan ip 1.1.1.1/24 to 1.1.1.2/24

Required Privilege Level
superuser, vsysadmin, deviceadmin

run
Execute an Operational mode command while in Configuration mode.

Syntax
run [command]

Options
command Specifies an Operational mode command.

Sample Output
The following command executes a ping command to the IP address 1.1.1.2 from Configuration mode.
username@hostname# run ping 1.1.1.2
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
...
username@hostname#

Required Privilege Level
superuser, vsysadmin, deviceadmin

save
Saves a snapshot of the firewall configuration. Note: This command saves the configuration on the firewall, but does not make the configuration active. Use the commit command to make the current candidate configuration active.

Syntax
save config [to filename]

Options
filename Specifies the filename to store the configuration. The filename cannot include a hyphen (-).

Sample Output
The following command saves a copy of the configuration to the file savefile.
[edit]
username@hostname# save config to savefile
Config saved to savefile
[edit]
username@hostname#

Required Privilege Level
superuser, vsysadmin, deviceadmin

set
Changes a value in the candidate configuration. Changes are retained while the firewall is powered until overwritten. Note: To save the candidate configuration in non-volatile storage, use the save command. To make the candidate configuration active, use the commit command.

Syntax
set [context]

Options
context

Specifies a path through the hierarchy.

Sample Output
The following command assigns the ethernet1/1 interface to be a virtual wire interface.
[edit]
username@hostname# set network interface ethernet ethernet1/1 virtual-wire
[edit]
username@hostname#

The following command sets the VLAN IP address to 1.1.1.4/32 from the network interface vlan level of the hierarchy.
[edit network interface vlan]
username@hostname# set ip 1.1.1.4/32
[edit network interface vlan]
username@hostname#

The following command locks an administrative user out for 15 minutes after 5 failed login attempts.
username@hostname# set deviceconfig setting management admin-lockout 5 lockout-time 15

Required Privilege Level
superuser, vsysadmin, deviceadmin

show
Display information about the current candidate configuration.

Syntax
show [context]

Options
context Specifies a path through the hierarchy.

Sample Output
The following command shows the full candidate hierarchy.
username@hostname# show

The following commands can be used to display the hierarchy segment for network interface.

Specify context on the command line:

show network interface

Use the edit command to move to the level of the hierarchy, and then use the show command without specifying context:

edit network interface
[edit network interface]
show

Required Privilege Level
superuser, vsysadmin, deviceadmin

top
Change context to the top hierarchy level.

Syntax
top

Options
None

Sample Output
The following command changes context from the network level of the hierarchy to the top level.
[edit network]
username@hostname# top
[edit]
username@hostname#

Required Privilege Level
All

up
Change context to the next higher hierarchy level.

Syntax
up

Options
None

Sample Output
The following command changes context from the network interface level of the hierarchy to the network level.
[edit network interface]
username@hostname# up
[edit network]
username@hostname#

Required Privilege Level
All

Chapter 4

Operational Mode Commands


This chapter contains command reference pages for the following operational mode commands:

clear on page 49
configure on page 51
delete on page 52
debug captive-portal on page 54
debug cli on page 55
debug cpld on page 56
debug dataplane on page 57
debug device-server on page 59
debug dhcpd on page 60
debug ez on page 61
debug high-availability-agent on page 62
debug ike on page 63
debug keymgr on page 64
debug log-receiver on page 65
debug management-server on page 66
debug master-service on page 67
debug netconfig-agent on page 68
debug routing on page 69
debug software on page 70
debug swm on page 71
debug tac-login on page 72
debug vardata-receiver on page 73
exit on page 74
grep on page 75
less on page 76
ping on page 77
quit on page 79
request certificate on page 80
request content upgrade on page 82
request high-availability on page 83
request license on page 84
request restart on page 85
request support on page 86
request system on page 87
scp on page 88
set application dump on page 90
set cli on page 91
set logging on page 92
set serial-number on page 93
set session on page 94
set target-vsys on page 95
set zip on page 96
show admins on page 97
show arp on page 98
show chassis-ready on page 99
show cli on page 100
show clock on page 101
show config on page 102
show counter on page 103
show ctd on page 104
show device on page 105
show device-messages on page 106
show devicegroups on page 107
show dhcp on page 108
show high-availability on page 109
show interface on page 110
show jobs on page 111
show location on page 112
show log on page 113
show logging on page 115
show mac on page 116
show management-clients on page 117
show multi-vsys on page 118
show pan-agent on page 119
show proxy on page 120
show query on page 121
show report on page 122
show routing on page 123
show route on page 127
show session on page 128
show statistics on page 130
show system on page 132
show target-vsys on page 134
show threat on page 135
show vlan on page 137
show vpn on page 138
show zip on page 140
show zone-protection on page 141
ssh on page 142
tail on page 143
telnet on page 144
test on page 145
tftp on page 146
traceroute on page 148
view-pcap on page 150

clear
Reset information, counters, sessions, or statistics.

Syntax
clear application-signature statistics
clear arp <all | interfacename>
clear counter <all | global | interface>
clear dhcp lease <all | interface name interfacename [ip ipaddr]>
clear high-availability control-link statistics
clear job jobid
clear log type
clear mac <value | all>
clear query <all-by-session | id queryid>
clear report <all-by-session | id reportid>
clear session <id sessionid | all [filter rule]>
clear statistics
clear vpn <flow [tunnel-id tunnelid] | ike-sa [gateway gatewayid] | ipsec-sa [tunnel tunnelid]>

Options
application-signature statistics  Clears application-signature statistics.
arp         Clears Address Resolution Protocol (ARP) information for a specified interface, loopback, or VLAN, or all.
counter     Clears interface counters. Specify all counters, global counters, or interface counters.
dhcp lease  Clears DHCP leases. Specify all or specify an interface and optional IP address.
job         Clears download jobs. Specify the job id.
log         Removes log files from disk. Specify the log type: acc, config, system, threat, or traffic.
mac         Clears MAC address information for a specified VLAN or all addresses.
session     Clears a specified session or all sessions. Refer to show session on page 128 for a description of the filter options when clearing all sessions.
statistics  Clears all statistics.
vpn         Clears IKE or IPSec VPN run-time objects:
            flow      Clears the VPN tunnel on the data plane. Specify the tunnel or press Enter to apply to all tunnels.
            ike-sa    Removes the active IKE SA and stops all ongoing key negotiations. Specify the gateway or press Enter to apply to all gateways.
            ipsec-sa  Deactivates the IPsec SA for a tunnel or all tunnels. Specify the tunnel or press Enter to apply to all tunnels.

Sample Output
The following command clears the session with ID 2245.
username@hostname> clear session id 2245
Session 2245 cleared
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin

configure
Enter Configuration mode.

Syntax
configure

Options
None

Sample Output
To enter Configuration mode from Operational mode, enter the following command.
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#

Required Privilege Level
superuser, vsysadmin, deviceadmin

delete
Remove files from disk, or restore the default comfort pages that are presented to users when files or URLs are blocked.

Syntax
delete item

Options
item  Specifies the type of file to be deleted.

Option                                     Description
captive-portal-text                        Text included in a captive portal.
config saved filename                      Saved configuration file.
content update filename                    Content updates.
core <control-plane | dataplan> file filename   Control or data plane cores.
debug-filter file filename                 Debugging capture files.
file-block-page                            Page presented to users when files are blocked. Restores default page.
license key filename                       License key file.
pcap file filename                         Packet capture files.
policy-cache                               Cached policy compilations.
reverse-key file filename                  SSL reverse proxy keys.
root-certificate file filename             Root certificates.
software image imagename                   Software image.
spyware-block-page                         Page presented to users when web pages are blocked due to spyware. Restores default page.
ssl-optout-text                            Page presented to users when a web session is to be decrypted. Restores default page.
threat-pcap directory directoryname        Threat packet capture files in a specified directory.
unknown-pcap                               Packet capture files for unknown sessions.
url-block-page                             Page presented to users when web pages are blocked. Restores default page.
user-file ssh-known-hosts                  SSH known hosts file.
virus-block-page                           Page presented to users when web pages are blocked. Restores default page.

Sample Output
The following command deletes the custom page presented to users when web pages are blocked due to spyware.
username@hostname> delete spyware-block-page
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin

debug captive-portal
Define settings for debugging the captive portal daemon.

Syntax
debug captive-portal option

Options
show  Shows whether this command is on or off.
off   Turns the debugging option off.
on    Turns the debugging option on.

Sample Output
The following command turns the debugging option on.
admin@PA-HDF> debug captive-portal on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug cli
Define settings and display information for debugging the CLI connection.

Syntax
debug cli option

Options
detail  Shows detailed information about the CLI connection.
show    Shows whether this command is on or off.
off     Turns the debugging option off.
on      Turns the debugging option on.

Sample Output
The following command shows details of the CLI connection.
admin@PA-HDF> debug cli detail
Environment variables :
(USER . admin)
(LOGNAME . admin)
(HOME . /home/admin)
(PATH . /usr/local/bin:/bin:/usr/bin)
(MAIL . /var/mail/admin)
(SHELL . /bin/bash)
(SSH_CLIENT . 10.31.1.104 1109 22)
(SSH_CONNECTION . 10.31.1.104 1109 10.1.7.2 22)
(SSH_TTY . /dev/pts/0)
(TERM . vt100)
(LINES . 24)
(COLUMNS . 80)
(PAN_BASE_DIR . /opt/pancfg/mgmt)
PAN_BUILD_TYPE : DEVELOPMENT
Total Heap : 7.00 M Used : 5.51 M Nursery : 0.12 M
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug cpld
Debug the complex programmable logic device (CPLD).

Syntax
debug cpld

Options
None

Sample Output
N/A

Required Privilege Level
superuser, vsysadmin

debug dataplane
Configure settings for debugging the data plane.

Syntax
debug dataplane option

Options
The available sub-options depend on the specified option.
clear           Clear all dataplane debug logs.
device          Debug dataplane hardware component.
drop-filter     Define a filter to capture dropped packets.
filter          Determine the packets to capture or send to a debug log file.
fpga            Debug the field programmable gate array (FPGA).
get             Show current dataplane debug settings.
internal        Debug the dataplane internal state.
memory          Examine dataplane memory.
mode            Control dataplane debug logging mode.
off             Turn off dataplane debug logging.
on              Turn on dataplane debug logging.
pool            Debug buffer pools, including checks of hardware and software utilization and buffer pool statistics.
pow             Debug packet scheduling engine.
process         Debug the dataplane process for the high-availability agent (ha-agent) and management plane relay agent (mprelay).
reset           Reset settings for debugging the data plane.
set             Specify parameters for dataplane debugging.
show            Show dataplane running information.
task-heartbeat  Debug dataplane task heartbeat.
unset           Clear the previously-set parameters for dataplane debugging.

Sample Output
The following command shows the statistics for the dataplane buffer pools.
admin@PA-HDF> debug dataplane pool statistics

The following command turns dataplane filtering on and sets filter parameters.
admin@PA-HDF> debug dataplane filter on
admin@PA-HDF> debug dataplane filter set source 10.1 11.2.3 file abc.pcap

Required Privilege Level
superuser, vsysadmin

debug device-server
Configure settings for debugging the device server.

Syntax
debug device-server option

Options
clear  Clear all debug logs.
dump   Dump the debug data.
off    Turn off debug logging.
on     Turn on debug logging.
reset  Clear logging data.
set    Set debugging values.
show   Display current debug log settings.
test   Test the current settings.
unset  Remove current settings.

Sample Output
The following command turns off debug logging for the device server.
admin@PA-HDF> debug device-server off
tdb is on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug dhcpd
Configure settings for debugging the Dynamic Host Configuration Protocol (DHCP) daemon.

Syntax
debug dhcpd option

Options
global  Define settings for the global DHCP daemon.
pcap    Define settings for debugging packet capture.

Sample Output
The following command shows current global DHCP daemon settings.
admin@PA-HDF> debug dhcpd global show
tdb is on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug ez
Configure settings for debugging the EZ chip.

Syntax
debug ez option

Options
disable  Turn EZ debugging off.
enable   Turn EZ debugging on.
set      Set parameters for EZ debugging.
show     Show EZ debugging information.

Sample Output
The following command enables debugging of the EZ chip.
admin@PA-HDF> debug ez enable
tdb is on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug high-availability-agent
Configure settings for debugging the high availability agent.

Syntax
debug high-availability-agent option

Options
clear          Clear the debug logs.
internal-dump  Dump the internal state of the agent to its log.
model-check    Turn model checking with the peer on or off.
off            Turns the debugging option off.
on             Turns the debugging option on.
show           Shows whether this command is on or off.

Sample Output
The following command turns model checking on for the high availability agent.
admin@PA-HDF> debug high-availability-agent model-check on
tdb is on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug ike
Configure settings for debugging Internet Key Exchange (IKE) daemon.

Syntax
debug ike option

Options
global  Configure global settings.
pcap    Configure packet capture settings.
socket  Configure socket settings.
stat    Show IKE daemon statistics.

Sample Output
The following command turns on the global options for debugging the IKE daemon.
admin@PA-HDF> debug ike global on
tdb is on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug keymgr
Configure settings for debugging the key manager daemon.

Syntax
debug keymgr option

Options
list-sa  Lists the IPSec security associations (SAs) that are stored in the key manager daemon.
off      Turn the settings off.
on       Turn the settings on.
show     Show key manager daemon information.

Sample Output
The following command shows the current information on the key manager daemon.
admin@PA-HDF> debug keymgr show
sw.keymgr.debug.global: normal
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug log-receiver
Configure settings for debugging the log receiver daemon.

Syntax
debug log-receiver option

Options
off         Turns the debugging option off.
on          Turns the debugging option on.
show        Shows whether this command is on or off.
statistics  Show log receiver daemon statistics.

Sample Output
The following command turns log receiver debugging on.
admin@PA-HDF> debug log-receiver on
tdb is on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug management-server
Configure settings for debugging the management server.

Syntax
debug management-server option

Options
clear   Clear all debug logs.
client  Debug the management server client.
off     Turn debugging off.
on      Turn debugging on.
show    Show management server debug statistics.

Sample Output
The following example turns management server debugging on.
admin@PA-HDF> debug management-server on (null) admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

66 Operational Mode Commands

Palo Alto Networks

debug master-service
Configure settings for debugging the master service.

Syntax
debug master-service option

Options
clear           Clear all debug logs.
internal-dump   Dump the internal state of the server to the log.
off             Turn debugging off.
on              Turn debugging on.
show            Show debug settings.

Sample Output
The following command dumps the internal state of the master server to the log.
admin@PA-HDF> debug master-service internal-dump
tdb is on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug netconfig-agent
Configure settings for debugging the network configuration agent.

Syntax
debug netconfig-agent option

Options
show   Show whether this command is on or off.
off    Turn the debugging option off.
on     Turn the debugging option on.

Sample Output
The following command shows the debug settings for the network configuration agent.
admin@PA-HDF> debug netconfig-agent show
sw.netconfig-agent.debug: off
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug routing
Configure settings for debugging the route daemon.

Syntax
debug routing option

Options
fib        Turn on debugging for the forwarding table.
global     Turn on global debugging.
list-mib   Show the routing list with management information base (MIB) names.
mib        Show the MIB tables.
pcap       Show packet capture data.
socket     Show socket data.

Sample Output
The following command lists the routing MIB tables by name.
admin@PA-HDF> debug routing list-mib
i3EmuTable (1 entries)
==========================
sckTable (0 entries)
sckSimInterfaceTable (0 entries)
sckEiTable (0 entries)
sckEaTable (0 entries)
i3Table (0 entries)
i3EiTable (0 entries)
i3EaTable (0 entries)
i3EtTable (0 entries)
i3EmTable (0 entries)
dcSMLocationTable (0 entries)
dcSMHMTestActionObjects (0 entries)
siNode (0 entries)
siOSFailures (0 entries)
siTraceControl (0 entries)
siExecAction (0 entries)
...
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug software
Restart software processes to aid debugging.

Syntax
debug software restart option

Options
device-server       Restart the device server.
management-server   Restart the management server.
web-server          Restart the web server.

Sample Output
The following command restarts the web server.
admin@PA-HDF> debug software restart web-server
tdb is on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug swm
Configure settings for debugging the Palo Alto Networks software manager.

Syntax
debug swm option

Options
command   Run a software manager command.
history   Show the history of software installation operations.
list      List software versions that are available for installation.
refresh   Revert back to the last successfully installed content.
revert    Revert back to the last successfully installed software.
status    Show the status of the software manager.
unlock    Unlock the software manager.

Sample Output
The following command shows the list of available software versions.
admin@PA-HDF> debug swm list
2.1.0-c4.dev
2.1.0-c1.dev_base
2.0.0-c207
2.0.0-c206
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug tac-login
Configure settings for debugging the Palo Alto Networks Technical Assistance Center (TAC) connection.

Syntax
debug tac-login option

Options
enable                Enable TAC login.
disable               Disable TAC login.
permanently-disable   Turn off TAC login debugging permanently.

Sample Output
The following command turns TAC login debugging on.
admin@PA-HDF> debug tac-login on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

debug vardata-receiver
Configure settings for debugging the variable data daemon.

Syntax
debug vardata-receiver option

Options
off          Turns the debugging option off.
on           Turns the debugging option on.
show         Shows whether this command is on or off.
statistics   Show log receiver daemon statistics.

Sample Output
The following command shows statistics for the variable data daemon.
admin@PA-HDF> debug vardata-receiver statistics
tdb is on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin

exit
Exit the PAN-OS CLI.
Note: The exit command is the same as the quit command.

Syntax
exit

Options
None

Sample Output
N/A

Required Privilege Level
All

grep
Find and list lines from log files that match a specified pattern.

Syntax
grep [after-context number] [before-context number] [context number] [count] [ignore-case] [invert-match] [line-number] [max-count number] [no-filename] [with-filename] pattern file

Options
after-context    Prints the matching lines plus the specified number of lines that follow the matching lines.
before-context   Prints the matching lines plus the specified number of lines that precede the matching lines.
context          Prints the specified number of lines before and after each match for output context.
count            Prints a count of matching lines for each input file.
ignore-case      Ignores case distinctions.
invert-match     Selects non-matching lines instead of matching lines.
line-number      Adds the line number at the beginning of each line of output.
max-count        Stops reading a file after the specified number of matching lines.
no-filename      Does not add the filename prefix for output.
with-filename    Prints the file name for each match.
pattern          Indicates the string to be matched.
file             Indicates the log file to be searched.

Sample Output
The following command searches the ms.log file for occurrences of the string id:admin.
username@hostname> grep id:admin /var/log/pan/ms.log
username@hostname>

Required Privilege Level
All
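The option semantics listed above (context lines, count, ignore-case, invert-match, line-number and max-count) carried out on log text in Python, as an added example that is not part of this guide and not PAN-OS code. The log lines are constructed samples in the style of ms.log, not a real capture, and the output prefixes (N: for a match, N- for a context line, -- between separated groups) follow GNU grep conventions, which is an assumption about how the firewall renders them.

```python
"""Grep-style log search with context, count, case folding, inversion,
line numbers and max-count. Added example, not PAN-OS code."""
import re
from dataclasses import dataclass

# Constructed management-server log lines (not real PAN-OS output).
SAMPLE_LOG = """\
2008/11/04 09:33:07 info  ms: session started id:admin from 10.0.0.132
2008/11/04 09:33:09 debug ms: config loaded
2008/11/04 09:35:41 warn  ms: auth failure id:guest from 10.0.0.77
2008/11/04 09:36:02 info  ms: commit requested id:admin
2008/11/04 09:36:05 info  ms: commit finished
2008/11/04 09:40:13 info  ms: session ended id:Admin
""".splitlines()


@dataclass
class GrepOptions:
    after_context: int = 0
    before_context: int = 0
    context: int = 0          # used for both sides unless after/before is set
    count: bool = False
    ignore_case: bool = False
    invert_match: bool = False
    line_number: bool = False
    max_count: int = 0        # 0 means no limit


def grep_lines(pattern, lines, opts=None):
    """Return the lines the search would print (or a one-element list with
    the count when opts.count is set)."""
    opts = opts or GrepOptions()
    regex = re.compile(pattern, re.IGNORECASE if opts.ignore_case else 0)
    matched = []
    for idx, line in enumerate(lines):
        # invert_match flips which lines are selected
        if bool(regex.search(line)) != opts.invert_match:
            matched.append(idx)
            if opts.max_count and len(matched) >= opts.max_count:
                break  # stop reading after max_count matches
    if opts.count:
        return [str(len(matched))]
    before = opts.before_context or opts.context
    after = opts.after_context or opts.context
    # Union of every match window, so overlapping context prints only once.
    wanted = set()
    for idx in matched:
        wanted.update(range(max(0, idx - before), min(len(lines), idx + after + 1)))
    is_match = set(matched)
    out, prev = [], None
    for idx in sorted(wanted):
        if prev is not None and idx != prev + 1 and (before or after):
            out.append("--")  # gap between two context groups
        sep = ":" if idx in is_match else "-"
        prefix = f"{idx + 1}{sep}" if opts.line_number else ""
        out.append(prefix + lines[idx])
        prev = idx
    return out


if __name__ == "__main__":
    for line in grep_lines("id:admin", SAMPLE_LOG,
                           GrepOptions(ignore_case=True, line_number=True, before_context=1)):
        print(line)
```

The search stops reading at max_count before context is computed, which matches the option description ("stops reading a file after the specified number of matching lines"); count and invert-match compose, so a count with invert_match reports the number of non-matching lines.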

less
List the contents of the specified log file.

Syntax
less file

Options
file   Indicates the log file to be listed.

Sample Output
The following command uses ? to display the log files that can be listed, with their sizes; the web application log (appWeb.log) is the first entry.
username@hostname> less ?
/var/log/pan/appWeb.log                 1249
/var/log/pan/devsrv.log                65009
/var/log/pan/masterd.log                2092
/var/log/pan/ms.log                      166
/var/log/pan/pan_netconfig_agent.log     749
...

Required Privilege Level
All

ping
Check network connectivity to a host.

Syntax
ping [bypass-routing] [count] [do-not-fragment] [inet] [interval] [no-resolve] [pattern] [record-route] [size] [source] [tos] [ttl] [verbose] [wait] host

Options
bypass-routing    Sends the ping request directly to the host on a directly attached network, bypassing the usual routing table.
count             Specifies the number of ping requests to be sent.
do-not-fragment   Prevents packet fragmentation by use of the do-not-fragment bit in the packet's IP header.
inet              Specifies that the ping packets will use IP version 4.
interval          Specifies how often the ping packets are sent (0 to 2000000000 seconds).
no-resolve        Provides the IP address only, without resolving it to a hostname.
pattern           Specifies a custom string to include in the ping request. You can specify up to 12 padding bytes to fill out the packet that is sent, as an aid in diagnosing data-dependent problems.
record-route      Requests a report on the path traveled by the ping packets.
size              Specifies the size of the ping packets.
source            Specifies the source IP address for the ping command.
tos               Specifies the type of service (TOS) treatment for the packets by way of the TOS bits in the IP header of the ping packet.
ttl               Specifies the time-to-live (TTL) value for the ping packet (IPv6 hop-limit value) (0-255 hops).
verbose           Requests complete details of the ping request.
wait              Specifies a delay in transmission of the ping request (seconds).
host              Specifies the host name or IP address of the remote host.

Sample Output
The following command checks network connectivity to the host 66.102.7.104, specifying 4 ping packets and complete details of the transmission.
username@hostname> ping count 4 verbose 66.102.7.104
PING 66.102.7.104 (66.102.7.104) 56(84) bytes of data.
64 bytes from 66.102.7.104: icmp_seq=0 ttl=243 time=316 ms
64 bytes from 66.102.7.104: icmp_seq=1 ttl=243 time=476 ms
64 bytes from 66.102.7.104: icmp_seq=2 ttl=243 time=376 ms
64 bytes from 66.102.7.104: icmp_seq=3 ttl=243 time=201 ms

--- 66.102.7.104 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 201.718/342.816/476.595/99.521 ms, pipe 2
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin
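A parser for the ping output format shown above, as an added example that is not part of this guide and not PAN-OS code: it turns the reply lines and the statistics block into structured fields so a monitoring script can decide whether a host is reachable and responsive. The first input is the sample output from the page; the unreachable-host output and the pass/fail thresholds are constructed assumptions.

```python
"""Parse ping output into replies, loss and rtt figures, and apply a
reachability check. Added example, not PAN-OS code."""
import re

# Sample output from the ping command shown above, embedded so this runs offline.
PING_OUTPUT = """\
PING 66.102.7.104 (66.102.7.104) 56(84) bytes of data.
64 bytes from 66.102.7.104: icmp_seq=0 ttl=243 time=316 ms
64 bytes from 66.102.7.104: icmp_seq=1 ttl=243 time=476 ms
64 bytes from 66.102.7.104: icmp_seq=2 ttl=243 time=376 ms
64 bytes from 66.102.7.104: icmp_seq=3 ttl=243 time=201 ms

--- 66.102.7.104 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 201.718/342.816/476.595/99.521 ms, pipe 2
"""

# Constructed output for a host that never answers: no reply lines and no rtt line.
UNREACHABLE_OUTPUT = """\
PING 10.9.9.9 (10.9.9.9) 56(84) bytes of data.

--- 10.9.9.9 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3003ms
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) received, ([\d.]+)% packet loss")
RTT_RE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")


def parse_ping(text):
    """Return per-reply records, transmitted/received counts, loss percentage
    and the rtt summary; rtt is None when no reply arrived."""
    replies = [{"seq": int(s), "ttl": int(t), "time_ms": float(ms)}
               for s, t, ms in REPLY_RE.findall(text)]
    summary = SUMMARY_RE.search(text)
    if summary is None:
        raise ValueError("no ping statistics block found")
    transmitted, received, loss = summary.groups()
    rtt = None
    m = RTT_RE.search(text)
    if m:
        rtt = dict(zip(("min", "avg", "max", "mdev"), map(float, m.groups())))
    return {"replies": replies, "transmitted": int(transmitted),
            "received": int(received), "loss_pct": float(loss), "rtt": rtt}


def connectivity_ok(result, max_loss_pct=0.0, max_avg_ms=500.0):
    """Pass/fail check for a monitoring script (thresholds are assumptions):
    tolerate at most max_loss_pct loss and require the average rtt under max_avg_ms."""
    if result["loss_pct"] > max_loss_pct or result["rtt"] is None:
        return False
    return result["rtt"]["avg"] <= max_avg_ms


if __name__ == "__main__":
    for text in (PING_OUTPUT, UNREACHABLE_OUTPUT):
        r = parse_ping(text)
        print(f"{r['received']}/{r['transmitted']} replies, ok={connectivity_ok(r)}")
```

The rtt line is absent when every probe is lost, so the parser treats it as optional rather than failing; a script that only looked for the rtt line would raise on exactly the outage it was meant to detect.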

quit
Exit the current session for the firewall.
Note: The quit command is the same as the exit command.

Syntax
quit

Options
None

Sample Output
N/A

Required Privilege Level
All

request certificate
Generate a self-signed security certificate.

Syntax
request certificate [install for-use-by purpose | self-signed option for-use-by purpose]

Options
install       Installs the generated certificate.
self-signed   Generates the self-signed certificate.
option        Specifies information to include in the certificate. Multiple options are supported.
              country-code        Two-character code for the country in which the certificate will be used.
              email               Email address of the contact person.
              locality            City, campus, or other local area.
              nbits value         Number of bits in the certificate (512 or 1024).
              organization        Organization using the certificate.
              organization unit   Department using the certificate.
              state               Two-character code for the state or province in which the certificate will be used.
              name                IP address or fully qualified domain name (FQDN) to appear on the certificate.
              passphrase          Passphrase for encrypting the private key.
purpose       Requests the certificate for the specified purpose.
              panorama-server     Panorama server machine (used by Panorama to communicate with managed devices).
              web-interface       Embedded web interface.

Sample Output
The following command requests a self-signed certificate for the web interface with length 1024 and IP address 1.1.1.1.
username@hostname> request certificate self-signed nbits 1024 name 1.1.1.1 for-use-by web-interface

Required Privilege Level
superuser, vsysadmin, deviceadmin

request content upgrade
Perform application level upgrade operations.

Syntax
request content upgrade [check | download latest | info | install latest]

Options
check             Obtain information from the Palo Alto Networks server.
download latest   Download application identification packages.
info              Show information about available application ID packages.
install latest    Install application identification packages.

Sample Output
The following command checks the Palo Alto Networks server and lists the available content (application ID) packages.
username@hostname> request content upgrade check
Version   Size   Released on           Downloaded
------------------------------------------------------------------------
13-25     10MB   2007/04/19 15:25:02   yes
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin

request high-availability
Perform operations related to high availability.

Syntax
request high-availability clear-alarm-led
request high-availability state <functional | suspend>
request high-availability sync-to-remote <candidate-config | clock | disk-state | running-config | runtime-state>

Options
clear-alarm-led   Clear the high-availability alarm LED.
state             Set the high availability state of the device:
                  functional   Set the device to the functioning state.
                  suspend      Set the device to the suspended state.
sync-to-remote    Perform configuration synchronization operations:
                  candidate-config   Synchronize the candidate configuration to the peer device.
                  clock              Synchronize the local time and date to the peer device.
                  disk-state         Synchronize the required on-disk state to the peer device.
                  running-config     Synchronize the running configuration to the peer device.
                  runtime-state      Synchronize the runtime synchronization state to the peer device.

Sample Output
The following command sets the high-availability state of the device to suspend.
username@hostname> request high-availability state suspend

Required Privilege Level
superuser, vsysadmin, deviceadmin

request license
Perform license-related operations.

Syntax
request license [fetch [auth-code] | info | install]

Options
fetch     Gets a new license key using an authentication code.
info      Displays information about currently owned licenses.
install   Installs a license key.

Sample Output
The following command requests a new license key with the authentication code 123456.
username@hostname> request license fetch auth-code 123456

Required Privilege Level
superuser, vsysadmin, deviceadmin

request restart
Restart the system or software modules.
CAUTION: Using this command causes the firewall to reboot, resulting in the temporary disruption of network traffic. Unsaved or uncommitted changes will be lost.

Syntax
request restart [dataplane | software | system]

Options
dataplane   Restarts the dataplane software.
software    Restarts all system software.
system      Reboots the system.

Sample Output
The following command restarts all the firewall software.
username@hostname> request restart software

Required Privilege Level
superuser, vsysadmin, deviceadmin

request support
Obtain technical support information.

Syntax
request support [check | info]

Options
check   Get support information from the Palo Alto Networks update server.
info    Show downloaded support information.

Sample Output
The following command shows the downloaded support information.
username@hostname> request support info

Required Privilege Level
superuser, vsysadmin, deviceadmin

request system
Download system software or request information about available software packages.

Syntax
request system [factory-reset | software [check | download [file | version] name | info | install [file | version] name]]

Options
factory-reset   Resets the configuration to factory defaults.
check           Gets information from the Palo Alto Networks server.
download        Downloads software packages.
info            Shows information about available software packages.
install         Downgrades to a downloaded software package.
file            Specifies the file to download or install.
version         Specifies the software version to download or install.
name            Specifies the file or version name.

Sample Output
The following command requests information about the software packages that are available for download.
username@hostname> request system software info
Version      Filename                  Size    Released              Downloaded
------------------------------------------------------------------------
1.0.1        panos.4050-1.0.1.tar.gz   127MB   2007/02/07 00:00:00   no
1.0.2        panos.4050-1.0.2.tar.gz   127MB   2007/02/07 00:00:00   no
1.0.0-20     PANOS-QA-20.tar.gz        122MB   2007/02/13 00:00:00   no
1.0.0-1746   PANOS-DEV-1746.tgz        122MB   2007/02/13 00:00:00   no
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin

scp
Copy files between the firewall and another host. Enables downloading of a customizable HTML replacement message (comfort page) in place of a malware infected file.

Syntax
scp export export-option [control-plane | data-plane] to target from source [remote-port portnumber] [source-ip address]
scp import import-option [source-ip address] [remote-port portnumber] from source

Options
export export-option   Specifies the type of file to export to the other host.
                       application                 Application packet capture file.
                       captive-portal-text         Text to be included in a captive portal.
                       configuration               Configuration file.
                       core-file                   Core file.
                       debug pcap                  IKE negotiation packet capture file.
                       file-block-page             File containing comfort pages to be presented when files are blocked.
                       filter                      Filter definitions.
                       log-file                    Log files.
                       log-db                      Log database.
                       packet-log                  Logs of packet data.
                       spyware-block-page          Comfort page to be presented when files are blocked due to spyware.
                       ssl-optout-text             SSL optout text.
                       tech-support                Technical support information.
                       trusted-ca-certificate      Certificate Authority (CA) security certificate.
                       url-block-page              Comfort page to be presented when files are blocked due to a blocked URL.
                       virus-block-page            Comfort page to be presented when files are blocked due to a virus.
                       web-interface-certificate   Web interface certificate.

import import-option   Specifies the type of file to import from the other host.
                       application                 Application packet capture file.
                       captive-portal-text         Text to be included in a captive portal.
                       configuration               Configuration file.
                       core-file                   Core file.
                       file-block-page             File containing comfort pages to be presented when files are blocked.
                       filter                      Filter definitions.
                       ike-pcapc-file              IKE negotiation packet capture file.
                       log-file                    Log files.
                       log-db                      Log database.
                       packet-log                  Logs of packet data.
                       spyware-block-page          Comfort page to be presented when files are blocked due to spyware.
                       ssl-optout-text             SSL optout text.
                       tech-support                Technical support information.
                       trusted-ca-certificate      Certificate Authority (CA) security certificate.
                       url-block-page              Comfort page to be presented when files are blocked due to a blocked URL.

control-plane            Indicates that the file contains control information.
data-plane               Indicates that the file contains information about data traffic.
remote-port portnumber   Specifies the port number on the remote host.
source-ip address        Specifies the source IP address.
to                       Specifies the destination user in the format username@host:path.
from                     Specifies the source user in the format username@host:path.

Sample Output
The following command imports a certificate file from user1's account on the machine with IP address 10.0.3.4.
username@hostname> scp import ssl-certificate from user1@10.0.3.4:/tmp/certificatefile

Required Privilege Level
superuser, vsysadmin, deviceadmin

set application dump
Captures session packets for unknown applications.

Syntax
set application dump [off | on [application appname] [destination destname] [destination-port destport] [destination-user destuser] [from zone zonename] [limit value] [protocol protnumber] [source sourcename] [source-port sourceport] [source-user sourceuser] [to zone zonename]]

Options
off                          Turns application dump off.
on                           Turns application dump on.
application appname          Specifies the application.
destination destname         Specifies the destination IP address.
destination-user destuser    Specifies the destination user.
destination-port destport    Specifies the destination port.
zone zonename                Specifies the zone.
protocol protnumber          Specifies the protocol.
limit value                  Specifies the limit.
source sourcename            Specifies the source IP address.
source-user sourceuser       Specifies the source user.
source-port sourceport       Specifies the source port.

Sample Output
The following command turns packet capture for unknown applications off.
username@hostname> set application dump off
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin

set cli
Set scripting and pager options for the PAN-OS CLI.

Syntax
set cli [scripting-mode | pager | timeout [idle idle-value] [session session-value]] off | on

Options
scripting-mode   Enables or disables scripting mode.
pager            Enables or disables the pager.
timeout          Sets administrative session timeout values.
idle-value       Specifies the idle timeout (0-86400 seconds).
session-value    Specifies the administrative session timeout (0-86400 seconds).
off              Turns the option off.
on               Turns the option on.

Sample Output
The following command turns the PAN-OS CLI pager option off.
username@hostname> set cli pager off
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin

set logging
Set logging options for traffic and event logging.

Syntax
set logging option value

Options
option   Determines which of the following logging options is set.
         default                      Restores all log settings to default.
         log-suppression [yes | no]   Enables or disables suppression of log information.
         max-packet-rate              Specifies the maximum packet rate (0-5120 KB/s).
         max-log-rate                 Specifies the maximum logging rate (0-5120 KB/s).

Note: max-packet-rate and max-log-rate both affect the rate at which log messages are forwarded. Generated log messages are kept in priority queues, and the log forwarding engine forwards the generated logs based on the log and packet rates. If the rates are set too low, the queues may build up and eventually drop log messages.

value    Sets the value of the rate for the logging option: 0-5120

Sample Output
The following command sets the logging rate to be a maximum of 1000 KB/second.
username@hostname> set logging max-log-rate 1000
Logging rate changed to 1000 KB/s
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin
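A simplified model of the queue-and-rate behaviour the note above describes, as an added example that is not part of this guide and not PAN-OS code: generated logs wait in a bounded priority queue and are forwarded at no more than max-log-rate KB per second, so a rate below the generation rate lets the backlog grow until the lowest-priority logs are dropped. The priority classes, the log sizes, the queue capacity and the drop policy (least urgent, most recent entry evicted when the queue is full) are assumptions of this model, not documented firewall behaviour.

```python
"""Model of rate-limited log forwarding from priority queues.
Added example, not PAN-OS code; classes, sizes and drop policy are assumed."""
import heapq
from collections import Counter

# Lower number = more urgent. Assumed classes, not the firewall's real ones.
PRIORITY = {"system": 0, "threat": 1, "traffic": 2}

# Constructed workload: every second produces one 1 KB system log, two 2 KB
# threat logs and ten 1 KB traffic logs (15 KB/s), for five seconds.
WORKLOAD = [[("system", 1), ("threat", 2), ("threat", 2)] + [("traffic", 1)] * 10
            for _ in range(5)]


def simulate_forwarding(workload, max_log_rate_kb, queue_capacity_kb):
    """Run the workload through a bounded priority queue drained at
    max_log_rate_kb per second. Returns forwarded/dropped counts per log
    type, the peak backlog in KB, and how many logs are still queued."""
    queue = []            # heap entries: (priority, seq, log_type, size_kb)
    backlog_kb = 0
    seq = 0
    forwarded, dropped = Counter(), Counter()
    peak_backlog = 0
    for second in workload:
        for log_type, size in second:
            heapq.heappush(queue, (PRIORITY[log_type], seq, log_type, size))
            seq += 1
            backlog_kb += size
            # Queue full: evict the least urgent, most recent entry (which may
            # be the log just added) until the backlog fits again.
            while backlog_kb > queue_capacity_kb:
                victim = max(queue, key=lambda e: (e[0], e[1]))
                queue.remove(victim)
                heapq.heapify(queue)
                backlog_kb -= victim[3]
                dropped[victim[2]] += 1
        peak_backlog = max(peak_backlog, backlog_kb)
        # Spend this second's forwarding budget on the most urgent logs first.
        budget = max_log_rate_kb
        while queue and queue[0][3] <= budget:
            _, _, log_type, size = heapq.heappop(queue)
            budget -= size
            backlog_kb -= size
            forwarded[log_type] += 1
    return {"forwarded": dict(forwarded), "dropped": dict(dropped),
            "peak_backlog_kb": peak_backlog, "left_in_queue": len(queue)}


if __name__ == "__main__":
    # Rate above the 15 KB/s generation rate: nothing is dropped.
    print(simulate_forwarding(WORKLOAD, 20, 50))
    # Rate below the generation rate: the queue saturates and traffic logs drop.
    print(simulate_forwarding(WORKLOAD, 8, 20))
```

With the rate set above the generation rate the queue empties every second; at 8 KB/s against 15 KB/s of input the system and threat logs still get through because they are dequeued first, and the loss lands entirely on the traffic class, which is the behaviour to expect when tuning max-log-rate against observed log volume.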

set serial-number
(Panorama only) Configure the serial number of the Panorama machine. The serial number must be set for Panorama to connect to the update server.

Syntax
set serial-number value

Options
value   Specifies the serial number or software license key.

Sample Output
The following command sets the Panorama serial number to 123456.
username@hostname> set serial-number 123456
username@hostname>

Required Privilege Level
superuser, superuser (read only), Panorama admin

set session
Set parameters for the networking session.

Syntax
set session [default | item value]

Options
default      Restores all session settings to the default values.
item value   Specifies the session parameter to set and its value:

Option                             Value               Description
accelerated-aging-enable           no | yes            Enables or disables accelerated session aging.
accelerated-aging-scaling-factor   Power of 2          Sets the accelerated session aging scaling factor (power of 2).
accelerated-aging-threshold        1-100               Sets the accelerated aging threshold as a percentage of session utilization.
tcp-reject-non-syn                 no | yes            Rejects non-synchronized TCP packets for session setup.
timeout-default                    Number of seconds   Sets the session default timeout value in seconds.
timeout-icmp                       1-15999999          Sets the session timeout value for ICMP commands.
timeout-tcp                        1-15999999          Sets the session timeout value for TCP commands.
timeout-tcpwait                    Number of seconds   Sets the session TCP wait timeout value in seconds.
timeout-udp                        1-15999999          Sets the session timeout value for UDP commands.

Sample Output
The following command sets the TCP wait timeout to 1 second.
username@hostname> set session timeout-tcpwait 1
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin

set target-vsys
Sets the target virtual system.
Note: When the target virtual system is set, the CLI prompt incorporates the vsys name. In this mode, any command that is executed runs for that vsys where possible. For example, if you use secure copy to import or export a comfort page, the page is imported or exported for the vsys. Commands that are not virtual-system-specific continue to work normally.

Syntax
set target-vsys vsys

Options
vsys   Specifies the name of the target virtual system.

Sample Output
The following command sets the target virtual system to vsys1.
username@hostname> set target-vsys vsys1
Session target vsys changed to vsys1
username@hostname vsys1>>

Required Privilege Level
superuser, vsysadmin, deviceadmin

set zip
Determines whether zipped files are automatically unzipped and policies are applied to the unzipped contents.

Syntax
set zip enable <yes | no>

Options
yes   Enables automatic unzipping and inspection of zipped files.
no    Disables automatic unzipping and inspection of zipped files.

Sample Output
The following command enables automatic unzipping and inspection of zipped files.
username@hostname> set zip enable yes
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader

show admins
Display information about the active firewall administrators.

Syntax
show admins [all]

Options
all   Lists the names of all administrators.

Sample Output
The following command displays the administrator sessions whose output matches 10.0.0 (here, the administrator connected from 10.0.0.132).
username@hostname> show admins | match 10.0.0
Admin    From         Type   Session-start    Idle-for
--------------------------------------------------------------------------
admin    10.0.0.132   Web    02/19 09:33:07   00:00:12s
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader

show arp
Shows current Address Resolution Protocol (ARP) entries.

Syntax
show arp interface

Options
interface   Specifies the interface for which the ARP table is displayed.
            all           Shows information for all ARP tables.
            ethernetn/m   Shows information for the specified interface.
            loopback      Shows loopback information.
            vlan          Shows VLAN information.

Sample Output
The following command displays ARP information for the ethernet1/1 interface.
username@hostname> show arp ethernet1/1
maximum of entries supported :   8192
default timeout:                 1800 seconds
total ARP entries in table :     0
total ARP entries shown :        0
status: s - static, c - complete, i - incomplete
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader

show chassis-ready
Shows whether the dataplane has a running policy.

Syntax
show chassis-ready

Options
None

Sample Output
The following command shows that the dataplane has a currently running policy.
username@hostname> show chassis-ready
yes
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader

show cli
Shows information about the current CLI session.

Syntax
show cli info

Options
None

Sample Output
The following command shows information about the current CLI session.
username@hostname> show cli info
Process ID              : 2045
Pager                   : enabled
Vsys configuration mode : disabled
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader

show clock
Shows the current time on the firewall.

Syntax
show clock

Options
None

Sample Output
The following command shows the current time.
username@hostname> show clock
Sun Feb 18 10:49:31 PST 2007
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader

show config
Shows the active configuration.

Syntax
show config

Options
None

Sample Output
The following command shows the configuration lines that pertain to VLANs.
username@hostname> show config | match vlan
vlan {
vlan;
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader

show counter
Display system counter information.

Syntax
show counter [global | interface]

Options
global      Shows global system counter information.
interface   Shows system counter information grouped by interface.

Sample Output
The following command displays all system counter information grouped by interface.
username@hostname> show counter interface

hardware interface counters:
------------------------------------------------------------------------
interface: ethernet1/1
------------------------------------------------------------------------
bytes received                 0
bytes transmitted              0
packets received               0
packets transmitted            0
receive errors                 0
packets dropped                0
------------------------------------------------------------------------
...
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader

show ctd
Show the threat signature information on the system.

Syntax
show ctd threat threat_id application appid profile pfid

Options
threat_id           Uniquely identifies the threat.
application appid   Identifies the application for which the threat action is shown.
profile pfid        Identifies the profile.

Sample Output
The following command shows an example with the default threat action.
username@hostname> show ctd threat 100000 application 109 profile 1
Profile 1 appid 109 , action 0
action 0 means default action.

The following command shows an example with no threat action.
admin@PA-HDF> show ctd threat 100000 application 108 profile 1
Profile 1 appid 108 , action ffff
action ffff means no action.
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader

show device
(Panorama only) Show the state of managed devices.

Syntax
show device [all | connected]

Options
all         Shows information for all managed devices.
connected   Shows information for all connected devices.

Sample Output
The following command shows information for connected devices.
username@hostname> show devices connected
Serial       Hostname    IP         Connected
--------------------------------------------------------------------------
PA04070001   pan-mgmt2   10.1.7.2   yes
  last push state: none

username@hostname>

Required Privilege Level
superuser, superuser (read only), Panorama admin

show device-messages
(Panorama only) Show information on the policy messages for devices.

Syntax
show device-messages [device] [group]

Options
device   Shows the messages only for the specified device.
group    Shows the messages only for the specified device group.

Sample Output
The following command shows the device messages for the device pan-mgmt2 and the group dg1.
username@hostname> show device-messages device pan-mgmt2 group dg1
username@hostname>

Required Privilege Level
superuser, superuser (read only), Panorama admin

show devicegroups

show devicegroups
(Panorama only) Show information on device groups.

Syntax
show devicegroups [name]

Options
name Shows the information only for the specified device group.

Sample Output
The following command shows information for the device group dg1.
username@hostname> show devicegroups dg1 ========================================================================== Group: dg3 Shared policy md5sum:dfc61be308c23e54e5cde039689e9d46 Serial Hostname IP Connected -------------------------------------------------------------------------PA04070001 pan-mgmt2 10.1.7.2 yes last push state: push succeeded vsys3 shared policy md5sum:dfc61be308c23e54e5cde039689e9d46(In Sync) username@hostname>

Required Privilege Level


superuser, superuser (read only), Panorama admin

show dhcp
Show information on Dynamic Host Configuration Protocol (DHCP) leases.

Syntax
show dhcp lease <value | all>

Options
value  Identifies the interface (ethernetn/m).
all    Shows all the lease information.

Sample Output
The following command shows all lease information.
username@hostname> show dhcp lease all
interface: ethernet1/9
ip          mac                expire
66.66.66.1  00:15:c5:60:a5:b0  Tue Mar 11 16:12:09 2008
66.66.66.2  00:15:c5:e1:0d:b0  Tue Mar 11 16:08:01 2008
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show high-availability
Show runtime information for the high-availability subsystem.

Syntax
show high-availability [all | control-link statistics | link-monitoring | path-monitoring | state | state-synchronization]

Options
all                      Shows all high-availability information.
control-link statistics  Shows control-link statistic information.
link-monitoring          Shows the link-monitoring state.
path-monitoring          Shows path-monitoring statistics.
state                    Shows high-availability state information.
state-synchronization    Shows state synchronization statistics.

Sample Output
The following command shows path-monitoring information for the high-availability subsystem.
username@hostname> show high-availability path-monitoring
----------------------------------------------------------------------------
path monitoring: disabled
total paths monitored: 0
----------------------------------------------------------------------------
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show interface
Display information about system interfaces.

Syntax
show interface <all | ethernetn/m | hardware | logical | loopback | vlan>

Options
all          Shows information for all interfaces.
ethernetn/m  Shows information for the specified interface.
hardware     Shows hardware information.
logical      Shows logical interface information.
loopback     Shows loopback information.
vlan         Shows VLAN information.

Sample Output
The following command displays information about the ethernet1/2 interface.
username@hostname> show interface ethernet1/2
----------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Link status:
  Runtime link speed/duplex/state: auto/auto/auto
  Configured link speed/duplex/state: auto/auto/auto
MAC address:
  Port MAC address 0:f:b7:20:2:11
Operation mode: virtual-wire
----------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Operation mode: virtual-wire
Virtual wire: default-vwire, peer interface: ethernet1/1
Interface management profile: N/A
Zone: trust, virtual system: (null)
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show jobs
Display information about current system processes.

Syntax
show jobs [all | id number | pending | processed]

Options
all        Shows information for all jobs.
id number  Identifies the process by number.
pending    Shows recent jobs that are waiting to be executed.
processed  Shows recent jobs that have been processed.

Sample Output
The following command lists jobs that have been processed in the current session.
username@hostname> show jobs processed
Enqueued             ID  Type     Status  Result  Completed
--------------------------------------------------------------------------
2007/02/18 09:34:39  2   AutoCom  FIN     OK      2007/02/18 09:34:40
2007/02/18 09:33:00  1   AutoCom  FIN     FAIL    2007/02/18 09:33:54
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show location
Show the geographic location of a firewall.

Syntax
show location ip address

Options
address Specifies the IP address of the firewall.

Sample Output
The following command shows location information for the firewall 10.1.1.1.
username@hostname> show location ip 10.1.1.1
username@hostname> show location ip 201.52.0.0
201.52.0.0 Brazil
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show log
Display system logs.

Syntax
show log <threat | config | system | traffic> [option <equal | not-equal | greater-than-or-equal | less-than-or-equal> value]

Options
threat        Displays threat logs.
config        Displays configuration logs.
system        Displays system logs.
traffic       Displays traffic logs.
option value  Restricts the output. The available options depend upon the keyword used in the command (threat, config, system, or traffic).

Option          Description
action          Type of alarm action (alert, allow, or drop).
app             Application.
client          Type of client (CLI or web).
command         Command.
dport           Destination port.
dst             Destination IP address.
from            Source zone.
receivetime in  Time interval in which the information was received.
result          Result of the action (failed, succeeded, or unauthorized).
rule            Rule name.
severity        Level of importance (critical, high, medium, low, or informational).
sport           Source port.
src             Source IP address.
to              Destination zone.

greater-than-or-equal  Indicates that the option is greater than or equal to the specified value.
less-than-or-equal     Indicates that the option is less than or equal to the specified value.
equal                  Indicates that the option is equal to the specified value.
not-equal              Indicates that the option is not equal to the specified value.

Sample Output
The following command shows the configuration log.
username@hostname> show log config
Time            Host        Command  Admin  Client  Result
============================================================================
03/05 22:04:16  10.0.0.135  edit     admin  Web     Succeeded
03/05 22:03:22  10.0.0.135  edit     admin  Web     Succeeded
03/05 22:03:22  10.0.0.135  create   admin  Web     Succeeded
03/05 21:56:58  10.0.0.135  edit     admin  Web     Succeeded
...
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show logging
Show whether logging is enabled.

Syntax
show logging

Options
None

Sample Output
The following command shows that logging is enabled.
username@hostname> show logging
on
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show mac
Display MAC address information.

Syntax
show mac [value | all]

Options
value  Specifies a MAC address (aa:bb:cc:dd:ee:ff format).
all    Shows all MAC address entries.

Sample Output
The following command lists all current MAC address information.
username@hostname> show mac all
maximum of entries supported : 8192
default timeout : 1800 seconds
total MAC entries in table : 4
total MAC entries shown : 4
status: s - static, c - complete, i - incomplete
vlan       hw address    interface     status  ttl
---------------------------------------------------------------------------
Vlan56     0:0:1:0:0:3   ethernet1/5   c       1087
Vlan56     0:0:1:0:0:4   ethernet1/6   c       1087
Vlan11-12  0:0:1:0:0:9   ethernet1/12  c       487
Vlan11-12  0:0:1:0:0:10  ethernet1/11  c       487
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show management-clients
Show information about internal management server clients.

Syntax
show management-clients

Options
None

Sample Output
The following command shows information about the internal management server clients.
username@hostname> show management-clients
Client    PRI  State  Progress
-------------------------------------------------------------------------
routed    30   P2-ok  100
device    20   P2-ok  100
ikemgr    10   P2-ok  100
keymgr    10   init   0 (op cmds only)
dhcpd     10   P2-ok  100
ha_agent  10   P2-ok  100
npagent   10   P2-ok  100
exampled  10   init   0 (op cmds only)
Overall status: P2-ok. Progress: 0
Warnings:
Errors:

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show multi-vsys
Show if multiple virtual system mode is set.

Syntax
show multi-vsys

Options
None

Sample Output
The following command shows the current status of multiple virtual systems.
username@hostname> show multi-vsys
on
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show pan-agent
Show statistics or user information for the Palo Alto Networks agent.

Syntax
show pan-agent <statistics | user-IDs>

Options
statistics  Displays full information about the Palo Alto Networks agent.
user-IDs    Displays user information for the Palo Alto Networks agent.

Sample Output
The following command shows information about the Palo Alto Networks agent.
username@hostname> show pan-agent statistics
IP Address   Port  Vsys   State          Users  Grps  IPs  Received Pkts
----------------------------------------------------------------------------
10.0.0.100   2011  vsys1  connected, ok  134    77    95   5757
10.1.200.22  2009  vsys1  connected, ok  5      864   2    1097

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show proxy
Displays information about the proxy that is used for the Secure Socket Layer (SSL) decryption function.

Syntax
show proxy <certificate-cache | notify-cache | setting>

Options
certificate-cache  Displays the proxy certificate cache.
notify-cache       Displays the proxy notification cache.
setting            Displays the current proxy settings.

Sample Output
The following command shows the current proxy settings.
username@hostname> show proxy setting
Ready:        no
Enable proxy: yes
Enable ssl:   yes
Notify user:  yes
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show query
Show information about query jobs.

Syntax
show query <jobs | id value>

Options
jobs      Displays all job information.
id value  Displays job information for the specified ID.

Sample Output
The following command shows information about all current query jobs.
username@hostname> show query jobs
Enqueued  ID  Last Upd  Type  ID  Dequeued?
--------------------------------------------------------------------------
13:58:19  16  13:58:19

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show report
Displays information about process jobs.

Syntax
show report <id number | jobs>

Options
id number  Displays information about the job with the specified ID number.
jobs       Displays information on all jobs.

Sample Output
The following command shows the current jobs.
username@hostname> show report jobs
Enqueued  ID  Last Updated  dev/skip/req/resp/proc
--------------------------------------------------------------------------
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show routing
Display routing run-time objects.

Syntax
show routing fib [virtual-router name]
show routing protocol [virtual-router name] ospf <area | dumplsdb | interface | lsdb | neighbor | summary | virt-link | virt-neighbor>
show routing protocol [virtual-router name] redist <all | ospf | rip>
show routing protocol [virtual-router name] rip <database | interface | peer | summary>
show routing resource
show routing route [destination ip/netmask] [interface interfacename] [nexthop ip/netmask] [type <connect | ospf | rip | static>] [virtual-router name]
show routing summary

Options
fib              Shows forwarding table entries. Specify an individual virtual router or all.
protocol ospf    Shows OSPF information. Specify one of the following (virtual router is optional).
                 area           Shows OSPF area status.
                 dumplsdb       Shows the OSPF LS database details.
                 interface      Shows OSPF interface status.
                 lsdb           Shows the LS database status.
                 neighbor       Shows neighbor status.
                 summary        Shows OSPF summary status.
                 virt-link      Shows status of virtual links.
                 virt-neighbor  Shows OSPF virtual neighbor status.
protocol redist  Shows redistribution rule entries. Specify one of the following (virtual router is optional).
                 ospf           Shows OSPF rules.
                 rip            Shows RIP rules.
                 all            Shows all redistribution rules.
protocol rip     Shows RIP information. Specify one of the following options (virtual router is optional).
                 database       Shows the RIP route database.
                 interface      Shows RIP interface status.
                 peer           Shows RIP peer status.
                 summary        Shows the RIP summary information.
resource         Shows resource usage.
route            Shows route entries. Optionally specify any of the following options.
                 destination    Restricts the result to a specified subnet (IP address/mask).
                 interface      Restricts the result to a specified network interface.
                 nexthop        Restricts the result to a specified next hop from the firewall (IP address/mask).
                 type           Restricts the result according to the type of route: connect (connected and host routes), ospf, rip, or static.
                 virtual-router Restricts the result to a specified virtual router.
summary          Shows summary information.

Sample Output
The following command shows summary routing information for the virtual router vr1.
username@hostname> show routing summary virtual-router vr1
VIRTUAL ROUTER: vr1 (id 1)
==========
OSPF
area id: 0.0.0.0
  interface: 192.168.6.254
  interface: 200.1.1.2
    dynamic neighbors: IP 200.1.1.1 ID 200.1.1.1
area id: 1.1.1.1
  interface: 1.1.1.1
  interface: 1.1.2.1
  interface: 1.1.3.1
  interface: 2.1.1.1
    static neighbor: IP 65.54.5.33 ID *down*
    static neighbor: IP 65.54.77.88 ID *down*
  interface: 22.22.22.22
  interface: 35.1.15.40
  interface: 192.168.7.254
    dynamic neighbors: IP 35.1.15.1 ID 35.35.35.35
==========
RIP
interface: 2.1.1.1
interface: 22.22.22.22
interface: 35.1.15.40
interface: 192.168.6.254
interface: 200.1.1.2
==========
INTERFACE
==========
interface name: ethernet1/1
interface index: 16
virtual router: vr1
operation status: up
IPv4 address: 22.22.22.22/24
IPv4 address: 35.1.15.40/24
==========
interface name: ethernet1/3
interface index: 18
virtual router: vr1
operation status: up
IPv4 address: 200.1.1.2/24
==========
interface name: ethernet1/7
interface index: 22
virtual router: vr1
operation status: up
IPv4 address: 1.1.1.1/24
IPv4 address: 1.1.2.1/24
IPv4 address: 1.1.3.1/24
==========
interface name: ethernet1/15
interface index: 30
virtual router: vr1
operation status: up
IPv4 address: 192.168.6.254/24
==========
interface name: ethernet1/16
interface index: 31
virtual router: vr1
operation status: up
IPv4 address: 192.168.7.254/24
==========
interface name: ethernet1/18
interface index: 33
virtual router: vr1
operation status: down
IPv4 address: 2.1.1.1/24
username@hostname>

The following command shows dynamic routing protocol information for RIP.
username@hostname> show routing protocol rip summary
==========
virtual router: vr1
reject default route: yes
interval seconds: 1
update intervals: 30
expire intervals: 180
delete intervals: 120
interface: 2.1.1.1
interface: 22.22.22.22
interface: 35.1.15.40
interface: 192.168.6.254
interface: 200.1.1.2
==========
virtual router: newr
reject default route: yes
interval seconds: 1
update intervals: 30
expire intervals: 180
delete intervals: 120
interface: 0.0.0.0
interface: 30.30.30.31
interface: 151.152.153.154

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show route
Display the route to a destination IP address in the specified virtual router.

Syntax
show route ip address virtual-router name

Options
ip address           Specifies the destination IP address.
virtual-router name  Specifies the name of the virtual router.

Sample Output
The following command shows the route to an IP address in the virtual router vrouter.
username@hostname> show route ip address virtual-router vrouter
on
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show session
Show session information.

Syntax
show session [all | info] [filter [application appname] [destination destname] [destination-port destport] [destination-user destuser] [from zonename] [limit value] [protocol protnumber] [source sourcename] [source-port sourceport] [source-user sourceuser] [state state] [to zonename] [type type]]

Options
all                        Displays all active sessions.
info                       Displays session statistics.
application appname        Specifies the application.
destination destname       Specifies the destination IP address.
destination-port destport  Specifies the destination port.
destination-user destuser  Specifies the destination user name.
from zonename              Specifies the source zone.
limit value                Limits the number of sessions displayed.
protocol protnumber        Specifies the protocol number.
source sourcename          Specifies the source IP address.
source-port sourceport     Specifies the source port.
source-user sourceuser     Specifies the source user name.
state state                Specifies the condition for the filter (active, closed, closing, discard, initial, or opening).
to zonename                Specifies the destination zone.
type type                  Specifies the flow type (regular or predict).

Sample Output
The following command displays summary statistics about current sessions.
username@hostname> show session info
-------------------------------------------------------------------------
number of sessions supported:                    2097151
number of active sessions:                       8
session table utilization:                       0%
number of sessions created since system bootup:  21
---------------------------------------------------------------------------
session timeout
  TCP default timeout:                 3600 seconds
  TCP session timeout after FIN/RST:   5 seconds
  UDP default timeout:                 600 seconds
  ICMP default timeout:                6 seconds
  other IP default timeout:            1800 seconds
----------------------------------------------------------------------------
session accelerated aging:             enabled
  accelerated aging threshold:         80% of utilization
  scaling factor:                      2 X
---------------------------------------------------------------------------
session setup
  TCP - reject non-SYN first packet:   yes
----------------------------------------------------------------------------

The following command lists all current sessions.

username@hostname> show session all
number of sessions: 8
ID/vsys  src[sport]/zone/proto      dest[dport]/zone       state    type  app.
19       192.168.10.199[2219]/1/6   10.10.10.10[6667]/2    ACTIVE   FLOW  0
20       192.168.10.191[4069]/1/6   192.168.10.199[139]/2  DISCARD  FLOW  ms-ds-smb
22       192.168.10.199[2261]/1/6   10.10.10.10[6667]/2    ACTIVE   FLOW  0
4        192.168.10.191[138]/1/17   192.168.10.255[138]/2  ACTIVE   FLOW  netbios-dg
6        192.168.10.199[138]/1/17   192.168.10.255[138]/2  ACTIVE   FLOW  netbios-dg
21       192.168.10.199[1025]/1/17  4.2.2.1[53]/2          CLOSING  FLOW  dns
9        192.168.10.199[2187]/1/6   10.10.10.10[6667]/2    ACTIVE   FLOW  0
13       192.168.10.199[2195]/1/6   10.10.10.10[6667]/2    ACTIVE   FLOW  0

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader
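The session table above is easiest to work with once it is parsed into records. The following Python script is an added example, not part of the guide or of PAN-OS; it re-types the sample rows from this page as constructed input and shows the kind of checks an operator runs over them (state counts, DISCARD sessions, sessions App-ID has not yet classified, and the busiest destination sockets).

```python
"""Parse the tabular output of 'show session all' and summarise it."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the 'show session all' table from this page re-typed as a
# string so the parser runs offline (not captured from a live firewall).
SAMPLE_SESSION_ALL = """\
number of sessions: 8
ID/vsys src[sport]/zone/proto dest[dport]/zone state type app.
19 192.168.10.199[2219]/1/6 10.10.10.10[6667]/2 ACTIVE FLOW 0
20 192.168.10.191[4069]/1/6 192.168.10.199[139]/2 DISCARD FLOW ms-ds-smb
22 192.168.10.199[2261]/1/6 10.10.10.10[6667]/2 ACTIVE FLOW 0
4 192.168.10.191[138]/1/17 192.168.10.255[138]/2 ACTIVE FLOW netbios-dg
6 192.168.10.199[138]/1/17 192.168.10.255[138]/2 ACTIVE FLOW netbios-dg
21 192.168.10.199[1025]/1/17 4.2.2.1[53]/2 CLOSING FLOW dns
9 192.168.10.199[2187]/1/6 10.10.10.10[6667]/2 ACTIVE FLOW 0
13 192.168.10.199[2195]/1/6 10.10.10.10[6667]/2 ACTIVE FLOW 0
"""

# One table row: id, src[sport]/zone/proto, dst[dport]/zone, state, type, app
ROW_RE = re.compile(
    r"^(?P<id>\d+)\s+"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<from_zone>[^/\s]+)/(?P<proto>\d+)\s+"
    r"(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<to_zone>\S+)\s+"
    r"(?P<state>[A-Z]+)\s+(?P<type>[A-Z]+)\s+(?P<app>\S+)$"
)
COUNT_RE = re.compile(r"^number of sessions:\s*(\d+)$")


@dataclass(frozen=True)
class Session:
    id: int
    src: str
    sport: int
    from_zone: str
    proto: int
    dst: str
    dport: int
    to_zone: str
    state: str
    type: str
    app: str


def parse_session_table(text):
    """Return (declared_count, [Session, ...]) for one 'show session all' listing."""
    declared = None
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        m = COUNT_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # header line, blank line or prompt
        d = m.groupdict()
        sessions.append(Session(
            int(d["id"]), d["src"], int(d["sport"]), d["from_zone"], int(d["proto"]),
            d["dst"], int(d["dport"]), d["to_zone"], d["state"], d["type"], d["app"]))
    return declared, sessions


def state_counts(sessions):
    """How many sessions are in each state (ACTIVE, DISCARD, CLOSING, ...)."""
    return Counter(s.state for s in sessions)


def discarded(sessions):
    """Sessions the firewall is dropping; the traffic log shows which rule did it."""
    return [s for s in sessions if s.state == "DISCARD"]


def unidentified(sessions):
    """Sessions whose app column is still '0', i.e. App-ID has not classified them yet."""
    return [s for s in sessions if s.app == "0"]


def top_destinations(sessions, n=3):
    """Most common (dst, dport) pairs; many parallel sessions to one socket stand out here."""
    return Counter((s.dst, s.dport) for s in sessions).most_common(n)


if __name__ == "__main__":
    declared, sessions = parse_session_table(SAMPLE_SESSION_ALL)
    print(f"declared {declared}, parsed {len(sessions)}: {dict(state_counts(sessions))}")
    for s in discarded(sessions):
        print(f"discarded: {s.src}:{s.sport} -> {s.dst}:{s.dport} ({s.app})")
    print("top destinations:", top_destinations(sessions))
```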

show statistics
Show firewall statistics.

Syntax
show statistics

Options
None

Sample Output
The following command displays firewall statistics.
username@hostname> show statistics
TASK  PID  N_PACKETS  CONTINUE   ERROR  DROP     BYPASS  TERMINATE
0     0    0          0          0      0        0       0
1     806  6180587    6179536    39     0        0       1012
2     807  39312      37511      0      0        0       1801
3     808  176054840  173273080  2289   2777524  0       1947
4     809  112733251  111536151  1744   1194906  0       450
5     810  66052142   65225559   1271   825010   0       302
6     811  49682445   49028991   909    652227   0       318
7     812  43618777   43030638   712    587129   0       298
8     813  41255949   40706957   708    548031   0       253
9     814  42570163   42010404   714    558773   0       272
10    815  7332493    7332494    0      0        0       0
11    816  19620028   19620028   0      0        0       0
12    817  12335557   12335557   0      0        0       0
13    818  0          0          0      0        0       0
14    819  6105056    6105056    0      0        0       0
task 1(pid: 806)  flow_mgmt
task 2(pid: 807)  flow_ctrl flow_host
task 3(pid: 808)  flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 4(pid: 809)  flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 5(pid: 810)  flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 6(pid: 811)  flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 7(pid: 812)  flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 8(pid: 813)  flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 9(pid: 814)  flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 10(pid: 815) appid_result
task 11(pid: 816) ctd_nac ctd_token ctd_detector
task 12(pid: 817) ctd_nac ctd_token ctd_detector
task 13(pid: 818) proxy_packet
task 14(pid: 819) pktlog_forwarding

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show system
Show system information.

Syntax
show system type

Options
type  Specifies the type of system information to be displayed:
      info                            Shows network address and security information.
      services                        Shows the current system services and whether they are running.
      software                        Shows software version information.
      state [browser | filter value]  Shows the system tree. The browser option displays the information in a text-mode browser. The filter option allows you to limit the information that is displayed; the * wildcard can be used.
      statistics                      Shows device, packet rate, throughput, and session information. Enter q to quit or h to get help.

Sample Output
The following command displays system information.
username@hostname> show system info
hostname: mgmt-device
ip-address: 10.1.7.1
netmask: 255.255.0.0
default-gateway: 10.1.0.1
radius-server: 127.0.0.1
radius-secret: xxxxxxxx

The following command displays the system tree entries that begin with the string cfg.env.slot1.
username@hostname> show system state filter cfg.env.slot1*
cfg.env.slot1.power0.high-limit: 1.26
cfg.env.slot1.power0.low-limit: 1.0
cfg.env.slot1.power1.high-limit: 1.26
cfg.env.slot1.power1.low-limit: 1.14
cfg.env.slot1.power2.high-limit: 1.575
cfg.env.slot1.power2.low-limit: 1.425
cfg.env.slot1.power3.high-limit: 1.89
cfg.env.slot1.power3.low-limit: 1.71
...

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show target-vsys
Show information about the target virtual systems.

Syntax
show target-vsys

Options
None

Sample Output
The following command shows information about target virtual systems.
username@hostname> show target-vsys
vsys1
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show threat
Show threat ID descriptions.

Syntax
show threat id value

Options
value Specifies the threat ID.

Sample Output
The following command shows threat ID descriptions for ID 11172.
username@hostname> show threat id 11172
This signature detects the runtime behavior of the spyware MiniBug. MiniBug, also known as Weatherbug, installs other spyware, such as WeatherBug, and My Web Search Bar. It is also adware program that displays advertisements in its application window.
medium
http://www.spywareguide.com/product_show.php?id=2178
http://www.spyany.com/program/article_spw_rm_Minibug.htm
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show virtual-wire
Show information about virtual wire interfaces.

Syntax
show virtual-wire [value | all]

Options
value all Specifies a virtual wire interface. Shows information for all virtual wire interfaces.

Sample Output
The following command displays information for the default virtual wire interface.
username@hostname> show virtual-wire default-vwire

total virtual-wire shown :

name           interface1   interface2
------------------------------------------------------------------------------
default-vwire  ethernet1/1  ethernet1/2
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show vlan
Show VLAN information.

Syntax
show vlan [value | all]

Options
value  Specifies a VLAN.
all    Shows information for all VLANs.

Sample Output
The following command displays information for all VLANs.
username@hostname> show vlan all
vlan {
  Vlan56 {
    interface [ ethernet1/5 ethernet1/6 ];
    stp {
      enabled no;
    }
    rstp {
      enabled no;
    }
  }
  Vlan11-12 {
    interface [ ethernet1/11 ethernet1/12 ];
    stp {
      enabled no;
    }
    rstp {
      enabled no;
    }
  }
}
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show vpn
Show VPN information.

Syntax
show vpn flow [tunnel-id tunnelid]
show vpn gateway [gateway gatewayid]
show vpn ike-sa [gateway gatewayid]
show vpn ipsec-sa [tunnel tunnelid]
show vpn tunnel [name tunnelid]

Options
flow      Shows information about the VPN tunnel on the data plane. Specify the tunnel or press Enter to apply to all tunnels.
gateway   Shows IKE gateway information. Specify the gateway or press Enter to apply to all gateways.
ike-sa    Shows information about the active IKE SA. Specify the gateway or press Enter to apply to all gateways.
ipsec-sa  Shows information about IPsec SA tunnels. Specify the tunnel or press Enter to apply to all tunnels.
tunnel    Shows information about auto-key IPSec tunnels. Specify the tunnel or press Enter to apply to all tunnels.
name      Shows information about the VPN tunnel. Specify the tunnel or press Enter to apply to all tunnels.

Sample Output
The following command shows VPN information for the auto-key IPsec tunnel k1.
username@hostname> show vpn tunnel name k1
TnID  Name(Gateway)    Local Proxy ID  Local Proxy ID  Proposals
-------------------------------------------
7     pan5gt(pan-5gt)  0.0.0.0/0       0.0.0.0/0       ESP tunl [DH2][AES128,3DES][SHA1] 90-sec
Total 1 tunnels found, 0 ipsec sa found, 0 error
username@hostname>

The following command shows VPN information for the IKE gateway g2.
username@hostname> show vpn gateway gateway g2
GwID  Name            Peer Address/ID  Local Address/ID  Protocol    Proposals
----  --------------  ---------------  ----------------  ----------  ---------------
3     falcon-kestrel  35.1.15.1        35.1.15.40        Auto(main)  [PSK][DH2][AES128,3DES][SHA1] 28800-sec
Total 1 gateways found, 0 ike sa found, 0 error.
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show zip
Shows whether the ability to unzip a file and apply the policy to the uncompressed content is enabled. The default is enabled.

Syntax
show zip setting

Options
None

Sample Output
The following command shows that the unzip option is enabled.
username@hostname> show zip setting
zip engine is enabled
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show zone-protection
Shows the running configuration status and run time statistics for zone protection elements.

Syntax
show zone-protection [zone zonename]

Options
zonename Specifies the name of a zone.

Sample Output
The following command shows statistics for the trust zone.
username@hostname> show zone-protection zone trust
---------------------------------------------------------------------------
Zone trust, vsys vsys1, profile custom-zone-protection
----------------------------------------------------------------------------
tcp-syn enabled: no
----------------------------------------------------------------------------
udp RED enabled: no
----------------------------------------------------------------------------
icmp RED enabled: no
----------------------------------------------------------------------------
other-ip RED enabled: no
----------------------------------------------------------------------------
packet filter:
  discard-ip-spoof: enabled: no
  discard-ip-frag: enabled: no
  discard-icmp-ping-zero-id: enabled: no
  discard-icmp-frag: enabled: no
  discard-icmp-large-packet: enabled: no
  reply-icmp-timeexceeded: enabled: no
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader
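Because every protection in the sample output above reports "enabled: no", this output is a natural input for a configuration audit. The following Python script is an added example, not part of the guide or of PAN-OS: it parses the zone-protection output re-typed from this page as constructed input and lists which protections are disabled; the BASELINE tuple of protections an operator might require is the editor's assumption, not something the guide specifies.

```python
"""Audit 'show zone-protection zone <name>' output for disabled protections."""
import re

# Constructed sample: the output for zone 'trust' shown on this page, re-typed
# as a string so the audit runs offline (not captured from a live firewall).
SAMPLE_TRUST = """\
---------------------------------------------------------------------------
Zone trust, vsys vsys1, profile custom-zone-protection
----------------------------------------------------------------------------
tcp-syn enabled: no
----------------------------------------------------------------------------
udp RED enabled: no
----------------------------------------------------------------------------
icmp RED enabled: no
----------------------------------------------------------------------------
other-ip RED enabled: no
----------------------------------------------------------------------------
packet filter:
discard-ip-spoof: enabled: no
discard-ip-frag: enabled: no
discard-icmp-ping-zero-id: enabled: no
discard-icmp-frag: enabled: no
discard-icmp-large-packet: enabled: no
reply-icmp-timeexceeded: enabled: no
"""

HEADER_RE = re.compile(r"^Zone (?P<zone>\S+), vsys (?P<vsys>\S+), profile (?P<profile>\S+)$")
# Matches both the flood lines ("udp RED enabled: no") and the packet-filter
# lines ("discard-ip-spoof: enabled: no"); the colon after the name is optional.
PROTECTION_RE = re.compile(r"^(?P<name>[\w-]+(?: RED)?):? enabled: (?P<value>yes|no)$")


def parse_zone_protection(text):
    """Return {'zone', 'vsys', 'profile', 'protections': {name: bool}} for one zone."""
    report = {"zone": None, "vsys": None, "profile": None, "protections": {}}
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            report.update(m.groupdict())
            continue
        m = PROTECTION_RE.match(line)
        if m:
            report["protections"][m.group("name")] = m.group("value") == "yes"
    return report


def disabled_protections(report):
    """Sorted names of every protection the zone reports as 'enabled: no'."""
    return sorted(name for name, on in report["protections"].items() if not on)


# Protections a defender might require on a zone (editor's assumption, not from the guide).
BASELINE = ("tcp-syn", "discard-ip-spoof", "discard-ip-frag")


def audit(report, required=BASELINE):
    """Names in `required` that are absent from the output or reported as disabled."""
    return [name for name in required if not report["protections"].get(name, False)]


if __name__ == "__main__":
    report = parse_zone_protection(SAMPLE_TRUST)
    print(f"zone {report['zone']} (profile {report['profile']}): "
          f"{len(disabled_protections(report))} of {len(report['protections'])} protections disabled")
    print("missing from baseline:", audit(report))
```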

ssh
Open a secure shell (SSH) connection to another host.

Syntax
ssh [inet] [port number] [source address] [v1 | v2] [user@]host

Options
inet     Specifies that IP version 4 be used.
port     Specifies a port on the other host (default 22).
source   Specifies a source IP address.
v1 | v2  Specifies SSH version 1 or 2 (default is version 2).
user@    Specifies a user name on the other host.
host     Specifies the IP address of the other host.

Sample Output
The following command opens an SSH connection to host 10.0.0.250 using SSH version 2.
username@hostname> ssh v2 user@10.0.0.250
user@10.0.0.250's password:
#

Required Privilege Level


superuser, vsysadmin, deviceadmin

tail
Print the last 10 lines of a debug file.

Syntax
tail [follow] [lines] file

Options
follow  Adds appended data as the file grows.
lines   Lists the last N lines, instead of the last 10.
file    Specifies the debug file.

Sample Output
The following command displays the last 10 lines of the /var/log/pan/masterd.log file.
username@hostname> tail /var/log/pan/masterd.log
[09:32:46] Successfully started process 'mgmtsrvr' instance '1'
[09:32:47] Successfully started process 'appWeb' instance '1'
[09:32:47] Started group 'pan' start script 'octeon' with options 'start'
[09:32:48] Process 'appWeb' instance '1' exited normally with status '7'
[09:32:48] Process 'appWeb' instance '1' has no further exit rules
[09:32:53] Successfully started process 'pan-ez-agent' instance '1'
[09:32:53] Process 'pan-ez-agent' instance '1' exited normally with status '0'
[09:32:53] Process 'pan-ez-agent' instance '1' has no further exit rules
[09:32:54] Successfully started process 'pan_netconfig_agent' instance '1'
[09:32:54] Finished initial start of all processes
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

telnet
Open a Telnet session to another host.

Syntax
telnet [8bit] [port] host

Options
8bit  Indicates that 8-bit data will be used.
port  Specifies the port number for the other host.
host  Specifies the IP address of the other host.

Sample Output
The following command opens a Telnet session to the host 1.2.5.5 using 8-bit data.
username@hostname> telnet 8bit 1.2.5.5

Required Privilege Level


superuser, vsysadmin, deviceadmin

test
Run tests based on installed security policies.

Syntax
test nat policy-match source src-ip destination dst-ip destination-port port protocol protocol from zone1 to zone2
test nat policy-match application name source src-ip destination dst-ip destination-port port protocol protocol from zone1 to zone2
test routing fib-lookup ip ipaddress virtual-router virtualrouterid
test vpn flow <ike-sa [gateway gatewayid] | ipsec-sa [tunnel tunnelid]>

Options
name          Specifies the name of an application. Enter any to include all applications.
src-ip        Specifies the source IP address for the test.
dst-ip        Specifies the destination IP address for the test.
port          Specifies the destination port for the test.
zone1         Specifies the source security zone.
zone2         Specifies the destination security zone.
fib-lookup    Specifies the route to test within the active routing table. Specify an IP address and virtual router.
ike-sa        Performs the tests only for the negotiated IKE SA. Specify a gateway or press Enter to run the test for all gateways.
ipsec-sa      Performs the tests for the IPsec SA (and IKE SA if necessary). Specify a tunnel or press Enter to run the test for all tunnels.

Sample Output
The following command tests whether the set of criteria will match any of the existing rules in the security rule base.
username@hostname> test security-policy-match from trust to untrust application google-talk source 10.0.0.1 destination 192.168.0.1 protocol 6 destination-port 80 source-user known-user
Matched rule: 'rule1' action: allow
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


tftp
Use Trivial File Transfer Protocol (TFTP) to copy files between the firewall and another host.

Syntax
tftp [export export-option [control-plane | data-plane] to target | import import-option] [remote-port port-number] [from source]

Options
export export-option    Specifies the type of file to export to the other host.

  Option                     Description
  application                Application packet capture file.
  captive-portal-text        Text to be included in a captive portal.
  configuration              Configuration file.
  core-file                  Core file.
  debug-pcap                 IKE negotiation packet capture file.
  file-block-page            File containing comfort pages to be presented when files are blocked.
  filter                     Filter definitions.
  log-file                   Log files.
  log-db                     Log database.
  packet-log                 Logs of packet data.
  spyware-block-page         Comfort page to be presented when files are blocked due to spyware.
  ssl-optout-text            SSL optout text.
  tech-support               Technical support information.
  trusted-ca-certificate     Certificate Authority (CA) security certificate.
  url-block-page             Comfort page to be presented when files are blocked due to a blocked URL.
  virus-block-page           Comfort page to be presented when files are blocked due to a virus.
  web-interface-certificate  Web interface certificate.


import import-option    Specifies the type of file to import from the other host.

  Option                     Description
  captive-portal-text        Text to be included in a captive portal.
  configuration              Configuration file.
  content                    Database content.
  file-block-page            File containing comfort pages to be presented when files are blocked.
  license                    License key file.
  private-key                SSL private key file.
  software                   Software package.
  spyware-block-page         Comfort page to be presented when files are blocked due to spyware.
  ssl-decryption-certificate SSL decryption certificate.
  ssl-optout-text            SSL optout text.
  trusted-ca-certificate     Certificate Authority (CA) security certificate.
  url-block-page             Comfort page to be presented when files are blocked due to a blocked URL.
  virus-block-page           Comfort page to be presented when files are blocked due to a virus.
  web-interface-certificate  Web interface certificate.

control-plane    Indicates that the file contains control information.
data-plane       Indicates that the file contains information about data traffic.
port-number      Specifies the port number on the remote host.
target           Specifies the destination in the format username@host:path.
source           Specifies the file to be copied in the format username@host:path.

Sample Output
The following command imports a license file from a file in user1's account on the machine with IP address 10.0.3.4.
username@hostname> tftp import ssl-certificate from user1@10.0.3.4:/tmp/certificatefile

Required Privilege Level


superuser, vsysadmin, deviceadmin


traceroute
Display information about the route that packets take to another host.

Syntax
traceroute [base-udp-port port] [bypass-routing] [debug-socket] [do-not-fragment] [first-ttl ttl] [gateway] [icmp-echo] [max-ttl ttl] [no-resolve] [pause] [source ip] [toggle-ip-checksums] [tos] [verbose] [wait] host

Options
base-udp-port port     Specifies the base UDP port used in probes (default is 33434).
bypass-routing         Sends the request directly to a host on a directly attached network, bypassing the usual routing table.
debug-socket           Enables socket-level debugging.
do-not-fragment        Sets the do-not-fragment bit.
first-ttl ttl          Sets the time-to-live in the first outgoing probe packet, in number of hops.
gateway                Specifies a loose source route gateway (maximum 8).
icmp-echo              Uses ICMP ECHO requests instead of UDP datagrams.
max-ttl ttl            Sets the maximum time-to-live, in number of hops.
no-resolve             Does not attempt to print resolved domain names.
pause                  Sets the time to pause between probes (milliseconds).
source ip              Specifies the source IP address for the command.
toggle-ip-checksums    Toggles the IP checksum of the outgoing packets for the traceroute command.
tos                    Specifies the type of service (TOS) treatment for the packets by way of the TOS bit in the IP header of the ping packet (0-255).
verbose                Requests complete details of the traceroute request.
wait                   Specifies a delay in transmission of the traceroute request (seconds).
host                   Specifies the IP address or domain name of the other host.


Sample Output
The following command displays information about the route from the firewall to www.google.com.
username@hostname> traceroute www.paloaltonetworks.com
traceroute to www.paloaltonetworks.com (72.32.199.53), 30 hops max, 38 byte packets
 1  10.1.0.1 (10.1.0.1)  0.399 ms  1.288 ms  0.437 ms
 2  64.0.27.225.ptr.us.xo.net (64.0.27.225)  1.910 ms  dsl027-186189.sfo1.dsl.speakeasy.net (216.27.186.189)  1.012 ms  64.0.27.225.ptr.us.xo.net (64.0.27.225)  1.865 ms
 3  dsl027-182-001.sfo1.dsl.speakeasy.net (216.27.182.1)  16.768 ms  581.420 ms  64.3.142.37.ptr.us.xo.net (64.3.142.37)  219.190 ms
 4  ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21)  228.551 ms  110.ge-0-00.cr1.sfo1.speakeasy.net (69.17.83.189)  12.352 ms  ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21)  218.547 ms
 5  ge-5-3-0.mpr3.pao1.us.above.net (209.249.11.177)  13.212 ms  p4-00.rar2.sanjose-ca.us.xo.net (65.106.5.137)  273.935 ms  221.313 ms
 6  p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178)  139.212 ms  so-1-21.mpr1.sjc2.us.above.net (64.125.28.141)  13.348 ms  p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178)  92.795 ms
 7  so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246)  12.069 ms  206.111.12.146.ptr.us.xo.net (206.111.12.146)  93.278 ms  so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246)  556.033 ms
 8  tbr1p013201.sffca.ip.att.net (12.123.13.66)  52.726 ms  so-3-20.cr1.dfw2.us.above.net (64.125.29.54)  61.875 ms  tbr1p013201.sffca.ip.att.net (12.123.13.66)  58.462 ms
     MPLS Label=32537 CoS=0 TTL=1 S=1
 9  64.124.12.6.available.above.net (64.124.12.6)  74.828 ms  tbr1cl3.la2ca.ip.att.net (12.122.10.26)  62.533 ms  64.124.12.6.available.above.net (64.124.12.6)  60.537 ms
10  tbr1cl20.dlstx.ip.att.net (12.122.10.49)  60.617 ms  vlan901.core1.dfw1.rackspace.com (72.3.128.21)  59.881 ms  60.429 ms
11  gar1p360.dlrtx.ip.att.net (12.123.16.169)  108.713 ms  aggr5a.dfw1.rackspace.net (72.3.129.19)  58.049 ms  gar1p360.dlrtx.ip.att.net (12.123.16.169)  173.102 ms
12  72.32.199.53 (72.32.199.53)  342.977 ms  557.097 ms  60.899 ms
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


view-pcap
Examine the content of packet capture files.

Syntax
view-pcap option filename

Options
option    Specifies the type of information to report.

  Option                 Description
  absolute-seq           Displays absolute TCP sequence numbers.
  delta                  Displays the delta (in microseconds) between the current and previous line.
  hex                    Displays each packet (minus link header) in hex.
  hex-ascii              Displays each packet (minus link header) in hex and ASCII.
  hex-ascii-link         Displays each packet (including link header) in hex and ASCII.
  hex-link               Displays each packet (including link header) in hex.
  link-header            Displays the link-level header on each dump line.
  no-dns-lookup          Does not convert host addresses to names.
  no-port-lookup         Does not convert protocol and port numbers to names.
  no-qualification       Does not print domain name qualification of host names.
  timestamp              Displays the timestamp preceded by the date.
  undecoded-nfs          Displays undecoded NFS handles.
  unformatted-timestamp  Displays an unformatted timestamp.
  verbose                Displays verbose output.
  verbose+               Displays more verbose output.
  verbose++              Displays the maximum output details.

filename  Name of the packet capture file.


Sample Output
The following command displays the contents of the packet capture file /var/session/pan/filters/syslog.pcap in ASCII and hex formats.
username@hostname> view-pcap hex-ascii /var/session/pan/filters/syslog.pcap
reading from file /var/session/pan/filters/syslog.pcap, link-type EN10MB (Ethernet)
08:34:31.922899 IP 10.0.0.244.32884 > jdoe.paloaltonetworks.local.syslog: UDP, length 314
0x0000: 4500 0156 0000 4000 4011 2438 0a00 00f4  E..V..@.@.$8....
0x0010: 0a00 006c 8074 0202 0142 d163 3c31 3137  ...l.t...B.c<117
0x0020: 3e41 7072 2020 3233 2030 383a 3334 3a33  >Apr..23.08:34:3
0x0030: 3420 312c 3034 2f32 3320 3038 3a33 343a  4.1,04/23.08:34:
0x0040: 3334 2c54 4852 4541 542c 7572 6c2c 312c  34,THREAT,url,1,
0x0050: 3034 2f32 3320 3038 3a33 343a 3235 2c31  04/23.08:34:25,1
0x0060: 302e 302e 302e 3838 2c32 3039 2e31 3331  0.0.0.88,209.131
0x0070: 2e33 362e 3135 382c 302e 302e 302e 302c  .36.158,0.0.0.0,
0x0080: 302e 302e 302e 302c 6c32 2d6c 616e 2d6f  0.0.0.0,l2-lan-o
0x0090: 7574 2c77 6562 2d62 726f 7773 696e 672c  ut,web-browsing,
0x00a0: 7673 7973 312c 6c32 2d6c 616e 2d74 7275  vsys1,l2-lan-tru
0x00b0: 7374 2c6c 322d 6c61 6e2d 756e 7472 7573  st,l2-lan-untrus
0x00c0: 742c 6574 6865 726e 6574 312f 3132 2c65  t,ethernet1/12,e
0x00d0: 7468 6572 6e65 7431 2f31 312c 466f 7277  thernet1/11,Forw
0x00e0: 6172 6420 746f 204d 696b 652c 3034 2f32  ard.to.Mike,04/2
0x00f0: 3320 3038 3a33 343a 3334 2c38 3336 3435  3.08:34:34,83645
0x0100: 372c 322c 3438 3632 2c38 302c 302c 302c  7,2,4862,80,0,0,
0x0110: 3078 302c 7463 7028 3629 2c61 6c65 7274  0x0,tcp(6),alert
0x0120: 2c77 7777 2e79 6168 6f6f 2e63 6f6d 2f70  ,www.yahoo.com/p
0x0130: 2e67 6966 3f2c 2c73 6561 7263 682d 656e  .gif?,,search-en
0x0140: 6769 6e65 732c 696e 666f 726d 6174 696f  gines,informatio
0x0150: 6e61 6c2c 3000                           nal,0.

Required Privilege Level


superuser, vsysadmin, deviceadmin
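To show what the hex-ascii dump above actually carries, here is an added Python example (not from this guide or from PAN-OS) that re-types the sample dump as constructed input, rebuilds the packet bytes, verifies the IPv4 header checksum and the IP and UDP length fields, and splits the UDP payload into the syslog priority, timestamp and the firewall's comma-separated THREAT log fields. The function names, the 16-bytes-per-line dump layout and the handling of the trailing NUL byte are this example's own assumptions.

```python
import csv
import re
import socket
import struct

# Constructed sample: the view-pcap hex-ascii output shown above, re-typed.
# It is one UDP datagram from syslog.pcap carrying a PAN-OS THREAT log line.
SAMPLE_DUMP = """\
0x0000: 4500 0156 0000 4000 4011 2438 0a00 00f4  E..V..@.@.$8....
0x0010: 0a00 006c 8074 0202 0142 d163 3c31 3137  ...l.t...B.c<117
0x0020: 3e41 7072 2020 3233 2030 383a 3334 3a33  >Apr..23.08:34:3
0x0030: 3420 312c 3034 2f32 3320 3038 3a33 343a  4.1,04/23.08:34:
0x0040: 3334 2c54 4852 4541 542c 7572 6c2c 312c  34,THREAT,url,1,
0x0050: 3034 2f32 3320 3038 3a33 343a 3235 2c31  04/23.08:34:25,1
0x0060: 302e 302e 302e 3838 2c32 3039 2e31 3331  0.0.0.88,209.131
0x0070: 2e33 362e 3135 382c 302e 302e 302e 302c  .36.158,0.0.0.0,
0x0080: 302e 302e 302e 302c 6c32 2d6c 616e 2d6f  0.0.0.0,l2-lan-o
0x0090: 7574 2c77 6562 2d62 726f 7773 696e 672c  ut,web-browsing,
0x00a0: 7673 7973 312c 6c32 2d6c 616e 2d74 7275  vsys1,l2-lan-tru
0x00b0: 7374 2c6c 322d 6c61 6e2d 756e 7472 7573  st,l2-lan-untrus
0x00c0: 742c 6574 6865 726e 6574 312f 3132 2c65  t,ethernet1/12,e
0x00d0: 7468 6572 6e65 7431 2f31 312c 466f 7277  thernet1/11,Forw
0x00e0: 6172 6420 746f 204d 696b 652c 3034 2f32  ard.to.Mike,04/2
0x00f0: 3320 3038 3a33 343a 3334 2c38 3336 3435  3.08:34:34,83645
0x0100: 372c 322c 3438 3632 2c38 302c 302c 302c  7,2,4862,80,0,0,
0x0110: 3078 302c 7463 7028 3629 2c61 6c65 7274  0x0,tcp(6),alert
0x0120: 2c77 7777 2e79 6168 6f6f 2e63 6f6d 2f70  ,www.yahoo.com/p
0x0130: 2e67 6966 3f2c 2c73 6561 7263 682d 656e  .gif?,,search-en
0x0140: 6769 6e65 732c 696e 666f 726d 6174 696f  gines,informatio
0x0150: 6e61 6c2c 3000                           nal,0.
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+(.*)$")
HEX_TOKEN = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}")
SYSLOG_HDR = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (.*)$", re.S)

def parse_hex_ascii_dump(text):
    """Rebuild packet bytes from view-pcap hex-ascii lines: at most 16 bytes per
    line as 2-byte hex groups, stopping at the ASCII column (first non-hex token)."""
    data = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(data):  # a skipped or duplicated dump line
            raise ValueError(f"offset 0x{m.group(1)} but {len(data)} bytes read so far")
        nbytes = 0
        for tok in m.group(2).split():
            if nbytes >= 16 or not HEX_TOKEN.fullmatch(tok):
                break
            data += bytes.fromhex(tok)
            nbytes += len(tok) // 2
    return bytes(data)

def ip_checksum(header):
    """RFC 1071 ones'-complement sum; 0 when the header's checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_udp(pkt):
    """Decode IPv4 + UDP headers, cross-checking each length against the capture."""
    if len(pkt) < 28:
        raise ValueError("truncated: need 20 IP + 8 UDP header bytes")
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    if total_len != len(pkt):
        raise ValueError(f"IP total length {total_len} != {len(pkt)} captured bytes")
    if proto != 17:
        raise ValueError(f"IP protocol {proto} is not UDP")
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if udp_len != total_len - ihl:
        raise ValueError(f"UDP length {udp_len} != IP payload {total_len - ihl}")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "dont_fragment": bool(flags_frag & 0x4000),
            "ip_checksum_ok": ip_checksum(pkt[:ihl]) == 0,
            "sport": sport, "dport": dport, "payload": pkt[ihl + 8:ihl + udp_len]}

def parse_pan_syslog(payload):
    """Split the datagram into syslog PRI (facility*8+severity), BSD timestamp and
    the firewall's comma-separated fields; the trailing NUL seen here is dropped."""
    m = SYSLOG_HDR.match(payload.rstrip(b"\x00").decode("ascii"))
    if not m:
        raise ValueError("not a syslog message with PRI and timestamp")
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group(2),
            "fields": next(csv.reader([m.group(3)]))}

if __name__ == "__main__":
    hdr = parse_ipv4_udp(parse_hex_ascii_dump(SAMPLE_DUMP))
    log = parse_pan_syslog(hdr["payload"])
    print(hdr["src"], hdr["dst"], hdr["ip_checksum_ok"], log["fields"][2:4], log["fields"][27:29])
```

Feeding the dump through the three functions reproduces the summary line printed by view-pcap (10.0.0.244:32884 to port 514, UDP length 314) and shows that the captured record is a THREAT/url alert for www.yahoo.com/p.gif? from 10.0.0.88.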


November 4, 2008 - Palo Alto Networks COMPANY CONFIDENTIAL

Appendix A CONFIGURATION HIERARCHY


This appendix presents the complete firewall configuration hierarchies for the application identification firewall and for Panorama:

Firewall Hierarchy in the next section
Panorama Hierarchy on page 245

Firewall Hierarchy
shared {
  signature {
    REPEAT...
    <name> {
      engine-version <value>;
      application <value>;
      protocol <value>;
      rules {
        REPEAT...
        <name> {
          direction client-to-server|server-to-client|any;
          match {
            string {
              pattern <value>;
              ignore-case yes|no;
              offset 0-1000000;
              depth 0-10000;
              per-packet-match yes|no;
              payload-length-validate {
                byte-offset 0-65535;
                discount 1-65535;
                number-of-bytes 1|2|4;
                endian little|big;
              }
            }
            OR...
            header {
              source-ip <value>;
              destination-ip <value>;
              source-port <value>;
              destination-port <value>;
              l3-payload-length <value>;
              l4-payload-length <value>;

            }
          }
        }
        rule-match match-in-order|match-all|match-any;
      }
    }
  }
  allowed-applications {
    enable-all {
      except [ <except1> <except2>... ];
    }
    OR...
    disable-all {
      except [ <except1> <except2>... ];
    }
  }
  address {
    REPEAT...
    <name> {
      ip-netmask <ip/netmask>;
      OR...
      ip-range <ip-range>;
    }
  }
  address-group {
    REPEAT...
    <name> [ <entry1> <entry2>... ];
  }
  application {
    REPEAT...
    <name> {
      default {
        port [ <port1> <port2>... ];
        OR...
        ident-by-ip-protocol 0-255;
      }
      category <value>;
      subcategory <value>;
      technology <value>;
      description <value>;
      timeout 0-604800;
      tcp-timeout 0-604800;
      udp-timeout 0-604800;
      risk 1-5;
      evasive-behavior yes|no;
      consume-big-bandwidth yes|no;
      used-by-malware yes|no;
      able-to-transfer-file yes|no;
      has-known-vulnerability yes|no;
      tunnel-other-application yes|no;
      prone-to-misuse yes|no;
      pervasive-use yes|no;
    }
  }
  application-filter {
    REPEAT...
    <name> {
      category [ <category1> <category2>... ];
      subcategory [ <subcategory1> <subcategory2>... ];

      technology [ <technology1> <technology2>... ];
      evasive yes;
      excessive-bandwidth-use yes;
      used-by-malware yes;
      transfers-files yes;
      has-known-vulnerabilities yes;
      tunnels-other-apps yes;
      prone-to-misuse yes;
      pervasive yes;
      risk [ <risk1> <risk2>... ];
    }
  }
  application-group {
    REPEAT...
    <name> [ <entry1> <entry2>... ];
  }
  service {
    REPEAT...
    <name> {
      protocol {
        tcp {
          port <0-65535,...>;
        }
        OR...
        udp {
          port <0-65535,...>;
        }
      }
    }
  }
  service-group {
    REPEAT...
    <name> [ <entry1> <entry2>... ];
  }
  log-settings {
    snmptrap {
      REPEAT...
      <name> {
        manager <ip>;
        community <value>;
      }
    }
    syslog {
      REPEAT...
      <name> {
        server <ip>;
        port 1-65535;
        facility LOG_USER|LOG_LOCAL0|LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|LOG_LOCAL5|LOG_LOCAL6|LOG_LOCAL7;
      }
    }
    email {
      REPEAT...
      <name> {
        display-name <value>;
        from <value>;
        to <value>;
        and-also-to <value>;

        gateway <value>;
      }
    }
    system {
      informational {
        send-to-panorama yes|no;
        send-snmptrap {
          using-snmptrap-setting <value>;
        }
        send-email {
          using-email-setting <value>;
        }
        send-syslog {
          using-syslog-setting <value>;
        }
      }
      low {
        send-to-panorama yes|no;
        send-snmptrap {
          using-snmptrap-setting <value>;
        }
        send-email {
          using-email-setting <value>;
        }
        send-syslog {
          using-syslog-setting <value>;
        }
      }
      medium {
        send-to-panorama yes|no;
        send-snmptrap {
          using-snmptrap-setting <value>;
        }
        send-email {
          using-email-setting <value>;
        }
        send-syslog {
          using-syslog-setting <value>;
        }
      }
      high {
        send-to-panorama yes|no;
        send-snmptrap {
          using-snmptrap-setting <value>;
        }
        send-email {
          using-email-setting <value>;
        }
        send-syslog {
          using-syslog-setting <value>;
        }
      }
      critical {
        send-to-panorama yes|no;
        send-snmptrap {
          using-snmptrap-setting <value>;
        }
        send-email {
          using-email-setting <value>;

        }
        send-syslog {
          using-syslog-setting <value>;
        }
      }
    }
    config {
      any {
        send-to-panorama yes|no;
        send-email {
          using-email-setting <value>;
        }
        send-syslog {
          using-syslog-setting <value>;
        }
      }
    }
    profiles {
      REPEAT...
      <name> {
        alarm {
          informational {
            send-to-panorama yes|no;
            send-snmptrap {
              using-snmptrap-setting <value>;
            }
            send-email {
              using-email-setting <value>;
            }
            send-syslog {
              using-syslog-setting <value>;
            }
          }
          low {
            send-to-panorama yes|no;
            send-snmptrap {
              using-snmptrap-setting <value>;
            }
            send-email {
              using-email-setting <value>;
            }
            send-syslog {
              using-syslog-setting <value>;
            }
          }
          medium {
            send-to-panorama yes|no;
            send-snmptrap {
              using-snmptrap-setting <value>;
            }
            send-email {
              using-email-setting <value>;
            }
            send-syslog {
              using-syslog-setting <value>;
            }
          }
          high {
            send-to-panorama yes|no;

            send-snmptrap {
              using-snmptrap-setting <value>;
            }
            send-email {
              using-email-setting <value>;
            }
            send-syslog {
              using-syslog-setting <value>;
            }
          }
          critical {
            send-to-panorama yes|no;
            send-snmptrap {
              using-snmptrap-setting <value>;
            }
            send-email {
              using-email-setting <value>;
            }
            send-syslog {
              using-syslog-setting <value>;
            }
          }
        }
        traffic {
          any {
            send-to-panorama yes|no;
            send-snmptrap {
              using-snmptrap-setting <value>;
            }
            send-email {
              using-email-setting <value>;
            }
            send-syslog {
              using-syslog-setting <value>;
            }
          }
        }
      }
    }
  }
  profiles {
    virus {
      REPEAT...
      <name> {
        description <value>;
        packet-capture yes|no;
        decoder {
          REPEAT...
          <name> {
            action default|allow|alert|block;
          }
        }
        application {
          REPEAT...
          <name> {
            action default|allow|alert|block;
          }
        }
      }

    }
    spyware {
      REPEAT...
      <name> {
        description <value>;
        download-protection {
          decoder {
            REPEAT...
            <name> {
              spyware default|allow|alert|block;
              adware default|allow|alert|block;
            }
          }
          application {
            REPEAT...
            <name> {
              spyware default|allow|alert|block;
              adware default|allow|alert|block;
            }
          }
        }
        packet-capture yes|no;
        phone-home-detection {
          simple {
            packet-capture yes|no;
            critical default|allow|alert|block;
            high default|allow|alert|block;
            medium default|allow|alert|block;
            low default|allow|alert|block;
            informational default|allow|alert|block;
          }
          OR...
          custom {
            REPEAT...
            <name> {
              packet-capture yes|no;
              action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
            }
          }
        }
      }
    }
    vulnerability {
      REPEAT...
      <name> {
        description <value>;
        simple {
          packet-capture yes|no;
          client {
            critical default|allow|alert|block;
            high default|allow|alert|block;
            medium default|allow|alert|block;
            low default|allow|alert|block;
            informational default|allow|alert|block;
          }
          server {
            critical default|allow|alert|block;
            high default|allow|alert|block;

            medium default|allow|alert|block;
            low default|allow|alert|block;
            informational default|allow|alert|block;
          }
        }
        OR...
        custom {
          REPEAT...
          <name> {
            packet-capture yes|no;
            action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
          }
        }
      }
    }
    url-filtering {
      REPEAT...
      <name> {
        description <value>;
        license-expired block|allow;
        action block|continue|override|alert;
        block-list [ <block-list1> <block-list2>... ];
        allow-list [ <allow-list1> <allow-list2>... ];
        alert [ <alert1> <alert2>... ];
        block [ <block1> <block2>... ];
        continue [ <continue1> <continue2>... ];
        override [ <override1> <override2>... ];
      }
    }
    file-blocking {
      REPEAT...
      <name> {
        description <value>;
        rules {
          REPEAT...
          <name> {
            application [ <application1> <application2>... ];
            file-type [ <file-type1> <file-type2>... ];
            direction upload|download|both;
            action alert|block;
          }
        }
      }
    }
    data-objects {
      REPEAT...
      <name> {
        description <value>;
        credit-card-numbers {
          weight 1-255;
        }
        social-security-numbers {
          weight 1-255;
        }
        pattern {
          REPEAT...
          <name> {
            regex <value>;

            weight 1-255;
          }
        }
      }
    }
    data-filtering {
      REPEAT...
      <name> {
        description <value>;
        data-capture yes|no;
        rules {
          REPEAT...
          <name> {
            data-object <value>;
            application [ <application1> <application2>... ];
            file-type [ <file-type1> <file-type2>... ];
            direction upload|download|both;
            alert-threshold 1-65535;
            block-threshold 1-65535;
          }
        }
      }
    }
  }
  admin-role {
    REPEAT...
    <name> {
      description <value>;
      role {
        device {
          webui {
            acc enable|disable;
            monitor {
              app-scope enable|disable;
              logs {
                traffic enable|disable;
                threat enable|disable;
                url enable|disable;
                configuration enable|disable;
                system enable|disable;
              }
              pdf-reports enable|disable;
              custom-reports {
                application-statistics enable|disable;
                threat-log enable|disable;
                threat-summary enable|disable;
                traffic-log enable|disable;
                traffic-summary enable|disable;
              }
              application-reports enable|disable;
              threat-reports enable|disable;
              url-filtering-reports enable|disable;
              traffic-reports enable|disable;
            }
            policies {
              security-rulebase enable|read-only|disable;
              nat-rulebase enable|read-only|disable;
              ssl-decryption-rulebase enable|read-only|disable;
              application-override-rulebase enable|read-only|disable;

              captive-portal-rulebase enable|read-only|disable;
            }
            objects {
              addresses enable|read-only|disable;
              address-groups enable|read-only|disable;
              applications enable|read-only|disable;
              application-groups enable|read-only|disable;
              application-filters enable|read-only|disable;
              services enable|read-only|disable;
              service-groups enable|read-only|disable;
              data-objects enable|read-only|disable;
              security-profiles {
                antivirus enable|read-only|disable;
                anti-spyware enable|read-only|disable;
                vulnerability-protection enable|read-only|disable;
                url-filtering enable|read-only|disable;
                file-blocking enable|read-only|disable;
                log-forwarding enable|read-only|disable;
                data-filtering enable|read-only|disable;
              }
              security-profile-groups enable|read-only|disable;
              schedules enable|read-only|disable;
            }
            network {
              interfaces enable|read-only|disable;
              zones enable|read-only|disable;
              vlans enable|read-only|disable;
              virtual-wires enable|read-only|disable;
              virtual-routers enable|read-only|disable;
              ipsec-tunnels enable|read-only|disable;
              dhcp enable|read-only|disable;
              network-profiles {
                ike-gateways enable|read-only|disable;
                ipsec-crypt enable|read-only|disable;
                ike-crypt enable|read-only|disable;
                tunnel-monitor enable|read-only|disable;
                interface-mgmt enable|read-only|disable;
                zone-protection enable|read-only|disable;
              }
            }
            device {
              setup enable|read-only|disable;
              config-audit enable|read-only|disable;
              administrators enable|read-only|disable;
              data-protection enable|read-only|disable;
              virtual-systems enable|read-only|disable;
              user-identification enable|read-only|disable;
              high-availability enable|read-only|disable;
              certificates enable|read-only|disable;
              block-pages enable|read-only|disable;
              log-settings {
                system enable|read-only|disable;
                config enable|read-only|disable;
              }
              log-destinations {
                snmp-trap enable|read-only|disable;
                syslog enable|read-only|disable;
                email enable|read-only|disable;
              }

              software enable|read-only|disable;
              dynamic-updates enable|read-only|disable;
              licenses enable|read-only|disable;
              support enable|read-only|disable;
            }
            commit enable|disable;
          }
          cli superuser|superreader|deviceadmin|devicereader;
        }
        OR...
        vsys {
          webui {
            policies {
              security-rulebase enable|read-only|disable;
              nat-rulebase enable|read-only|disable;
              ssl-decryption-rulebase enable|read-only|disable;
              application-override-rulebase enable|read-only|disable;
              captive-portal-rulebase enable|read-only|disable;
            }
            objects {
              addresses enable|read-only|disable;
              address-groups enable|read-only|disable;
              applications enable|read-only|disable;
              application-groups enable|read-only|disable;
              application-filters enable|read-only|disable;
              services enable|read-only|disable;
              service-groups enable|read-only|disable;
              data-objects enable|read-only|disable;
              security-profiles {
                antivirus enable|read-only|disable;
                anti-spyware enable|read-only|disable;
                vulnerability-protection enable|read-only|disable;
                url-filtering enable|read-only|disable;
                file-blocking enable|read-only|disable;
                log-forwarding enable|read-only|disable;
                data-filtering enable|read-only|disable;
              }
              security-profile-groups enable|read-only|disable;
              schedules enable|read-only|disable;
            }
            network {
              zones enable|read-only|disable;
            }
            device {
              setup read-only|disable;
              config-audit enable|read-only|disable;
              administrators enable|read-only|disable;
              data-protection enable|read-only|disable;
              user-identification read-only|disable;
              high-availability read-only|disable;
              block-pages enable|read-only|disable;
              log-settings {
                system read-only|disable;
                config read-only|disable;
              }
              log-destinations {
                snmp-trap enable|read-only|disable;
                syslog enable|read-only|disable;
                email enable|read-only|disable;

              }
            }
            commit enable|disable;
          }
          cli vsysadmin|vsysreader;
        }
      }
    }
  }
  profile-group {
    REPEAT...
    <name> {
      virus [ <virus1> <virus2>... ];
      spyware [ <spyware1> <spyware2>... ];
      vulnerability [ <vulnerability1> <vulnerability2>... ];
      url-filtering [ <url-filtering1> <url-filtering2>... ];
      file-blocking [ <file-blocking1> <file-blocking2>... ];
      data-filtering [ <data-filtering1> <data-filtering2>... ];
    }
  }
  schedule {
    REPEAT...
    <name> {
      recurring {
        weekly {
          sunday [ <sunday1> <sunday2>... ];
          monday [ <monday1> <monday2>... ];
          tuesday [ <tuesday1> <tuesday2>... ];
          wednesday [ <wednesday1> <wednesday2>... ];
          thursday [ <thursday1> <thursday2>... ];
          friday [ <friday1> <friday2>... ];
          saturday [ <saturday1> <saturday2>... ];
        }
        OR...
        daily [ <daily1> <daily2>... ];
      }
      OR...
      non-recurring [ <non-recurring1> <non-recurring2>... ];
    }
  }
  pdf-summary-report {
    REPEAT...
    <name> {
      header {
        caption <value>;
      }
      footer {
        note <value>;
      }
      predefined-widget {
        REPEAT...
        <name> {
          chart-type pie|line|bar|table;
          row 1-6;
          column 1-3;
        }
      }
      custom-widget {
        REPEAT...

        <name> {
          chart-type pie|line|bar|table;
          row 1-6;
          column 1-3;
        }
      }
    }
  }
  pdf-email-profile {
    REPEAT...
    <name> {
      predefined-report [ <predefined-report1> <predefined-report2>... ];
      custom-report [ <custom-report1> <custom-report2>... ];
      summary-report [ <summary-report1> <summary-report2>... ];
      display-name <value>;
      from <value>;
      to <value>;
      and-also-to <value>;
      gateway <value>;
      recurring {
        daily;
        OR...
        weekly sunday|monday|tuesday|wednesday|thursday|friday|saturday;
      }
    }
  }
  reports {
    REPEAT...
    <name> {
      disabled yes|no;
      query <value>;
      caption <value>;
      frequency daily|weekly;
      start-time <value>;
      end-time <value>;
      delta 1-65535;
      period last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendar-week|last-30-days;
      topn 1-50;
      type {
        appstat {
          aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
          values [ <values1> <values2>... ];
          sortby nbytes|npkts|nsess|nthreats;
        }
        OR...
        threat {
          aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
          values [ <values1> <values2>... ];
          sortby repeatcnt;
        }
        OR...
        thsum {
          aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
          values [ <values1> <values2>... ];
          sortby count;
        }
        OR...

        traffic {
          aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
          values [ <values1> <values2>... ];
          sortby bytes|elapsed|packets|repeatcnt;
        }
        OR...
        trsum {
          aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
          values [ <values1> <values2>... ];
          sortby bytes|sessions;
        }
      }
    }
  }
  ssl-exclude-cert {
    REPEAT...
    <name>;
  }
}
vsys {
  REPEAT...
  <name> {
    import {
      network {
        interface [ <interface1> <interface2>... ];
        virtual-wire [ <virtual-wire1> <virtual-wire2>... ];
        vlan [ <vlan1> <vlan2>... ];
        virtual-router [ <virtual-router1> <virtual-router2>... ];
      }
      resource {
        max-sessions 0-2097151;
      }
    }
    pan-agent {
      REPEAT...
      <name> {
        ip-address <ip>;
        port 1-65535;
      }
    }
    captive-portal {
      enable-captive-portal yes|no;
      domain <name>;
      timer 5-1440;
      radius-server {
        REPEAT...
        <name> {
          ip-address <ip>;
          secret <value>;
        }
      }
      ntlm-auth {
        pan-agent <value>;
        hostname <value>;
      }
    }
    url-admin-override {
      password <value>;

    }
    ssl-exclude-cert {
      REPEAT...
      <name>;
    }
    zone {
      REPEAT...
      <name> {
        enable-user-identification yes|no;
        network {
          zone-protection-profile <value>;
          log-setting <value>;
          tap [ <tap1> <tap2>... ];
          OR...
          virtual-wire [ <virtual-wire1> <virtual-wire2>... ];
          OR...
          layer2 [ <layer21> <layer22>... ];
          OR...
          layer3 [ <layer31> <layer32>... ];
        }
        user-acl {
          include-list [ <include-list1> <include-list2>... ];
          exclude-list [ <exclude-list1> <exclude-list2>... ];
        }
      }
    }
    address {
      REPEAT...
      <name> {
        ip-netmask <ip/netmask>;
        OR...
        ip-range <ip-range>;
      }
    }
    address-group {
      REPEAT...
      <name> [ <entry1> <entry2>... ];
    }
    log-settings {
      snmptrap {
        REPEAT...
        <name> {
          manager <ip>;
          community <value>;
        }
      }
      syslog {
        REPEAT...
        <name> {
          server <ip>;
          port 1-65535;
          facility LOG_USER|LOG_LOCAL0|LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|LOG_LOCAL5|LOG_LOCAL6|LOG_LOCAL7;
        }
      }
      email {
        REPEAT...
        <name> {

          display-name <value>;
          from <value>;
          to <value>;
          and-also-to <value>;
          gateway <value>;
        }
      }
      profiles {
        REPEAT...
        <name> {
          alarm {
            informational {
              send-to-panorama yes|no;
              send-snmptrap {
                using-snmptrap-setting <value>;
              }
              send-email {
                using-email-setting <value>;
              }
              send-syslog {
                using-syslog-setting <value>;
              }
            }
            low {
              send-to-panorama yes|no;
              send-snmptrap {
                using-snmptrap-setting <value>;
              }
              send-email {
                using-email-setting <value>;
              }
              send-syslog {
                using-syslog-setting <value>;
              }
            }
            medium {
              send-to-panorama yes|no;
              send-snmptrap {
                using-snmptrap-setting <value>;
              }
              send-email {
                using-email-setting <value>;
              }
              send-syslog {
                using-syslog-setting <value>;
              }
            }
            high {
              send-to-panorama yes|no;
              send-snmptrap {
                using-snmptrap-setting <value>;
              }
              send-email {
                using-email-setting <value>;
              }
              send-syslog {
                using-syslog-setting <value>;
              }
            }

            critical {
              send-to-panorama yes|no;
              send-snmptrap {
                using-snmptrap-setting <value>;
              }
              send-email {
                using-email-setting <value>;
              }
              send-syslog {
                using-syslog-setting <value>;
              }
            }
          }
          traffic {
            any {
              send-to-panorama yes|no;
              send-snmptrap {
                using-snmptrap-setting <value>;
              }
              send-email {
                using-email-setting <value>;
              }
              send-syslog {
                using-syslog-setting <value>;
              }
            }
          }
        }
      }
    }
    schedule {
      REPEAT...
      <name> {
        recurring {
          weekly {
            sunday [ <sunday1> <sunday2>... ];
            monday [ <monday1> <monday2>... ];
            tuesday [ <tuesday1> <tuesday2>... ];
            wednesday [ <wednesday1> <wednesday2>... ];
            thursday [ <thursday1> <thursday2>... ];
            friday [ <friday1> <friday2>... ];
            saturday [ <saturday1> <saturday2>... ];
          }
          OR...
          daily [ <daily1> <daily2>... ];
        }
        OR...
        non-recurring [ <non-recurring1> <non-recurring2>... ];
      }
    }
    rulebase {
      security {
        rules {
          REPEAT...
          <name> {
            from <value>;
            to <value>;
            source [ <source1> <source2>... ];
            source-user [ <source-user1> <source-user2>... ];

            destination [ <destination1> <destination2>... ];
            service [ <service1> <service2>... ];
            application [ <application1> <application2>... ];
            action deny|allow;
            log-setting <value>;
            schedule <value>;
            negate-source yes|no;
            negate-destination yes|no;
            profile-setting {
              profiles {
                url-filtering [ <url-filtering1> <url-filtering2>... ];
                data-filtering [ <data-filtering1> <data-filtering2>... ];
                file-blocking [ <file-blocking1> <file-blocking2>... ];
                virus [ <virus1> <virus2>... ];
                spyware [ <spyware1> <spyware2>... ];
                vulnerability [ <vulnerability1> <vulnerability2>... ];
              }
              OR...
              group [ <group1> <group2>... ];
            }
            qos {
              marking {
                ip-dscp |||||||||||||||||||||<value>;
                OR...
                ip-precedence ||||||||<value>;
              }
            }
            disabled yes|no;
            log-start yes|no;
            log-end yes|no;
            description <value>;
          }
        }
      }
      nat {
        rules {
          REPEAT...
          <name> {
            from <value>;
            to <value>;
            source [ <source1> <source2>... ];
            destination [ <destination1> <destination2>... ];
            service <value>;
            source-translation {
              translated-address <ip-range>|<value>;
              pool dynamic-ip|dynamic-ip-and-port|static-ip;
            }
            destination-translation {
              translated-address <ip/netmask>;
              translated-port 1-65535;
            }
            disabled yes|no;
            description <value>;
          }
        }
      }
      application-override {
        rules {
          REPEAT...

          <name> {
            from <value>;
            to <value>;
            source [ <source1> <source2>... ];
            destination [ <destination1> <destination2>... ];
            protocol tcp|udp;
            port <0-65535,...>;
            application <value>;
            disabled yes|no;
            description <value>;
          }
        }
      }
      ssl-decryption {
        rules {
          REPEAT...
          <name> {
            from <value>;
            to <value>;
            source [ <source1> <source2>... ];
            source-user [ <source-user1> <source-user2>... ];
            destination [ <destination1> <destination2>... ];
            category [ <category1> <category2>... ];
            action decrypt|no-decrypt;
            negate-source yes|no;
            negate-destination yes|no;
            disabled yes|no;
            description <value>;
            reverse-key <value>;
          }
        }
      }
      captive-portal {
        rules {
          REPEAT...
          <name> {
            from <value>;
            to <value>;
            source [ <source1> <source2>... ];
            destination [ <destination1> <destination2>... ];
            action captive-portal|no-captive-portal|ntlm-auth;
            negate-source yes|no;
            negate-destination yes|no;
            disabled yes|no;
            description <value>;
          }
        }
      }
    }
    application {
      REPEAT...
      <name> {
        default {
          port [ <port1> <port2>... ];
          OR...
          ident-by-ip-protocol 0-255;
        }
        category <value>;
        subcategory <value>;

        technology <value>;
        description <value>;
        timeout 0-604800;
        tcp-timeout 0-604800;
        udp-timeout 0-604800;
        risk 1-5;
        evasive-behavior yes|no;
        consume-big-bandwidth yes|no;
        used-by-malware yes|no;
        able-to-transfer-file yes|no;
        has-known-vulnerability yes|no;
        tunnel-other-application yes|no;
        prone-to-misuse yes|no;
        pervasive-use yes|no;
      }
    }
    application-filter {
      REPEAT...
      <name> {
        category [ <category1> <category2>... ];
        subcategory [ <subcategory1> <subcategory2>... ];
        technology [ <technology1> <technology2>... ];
        evasive yes;
        excessive-bandwidth-use yes;
        used-by-malware yes;
        transfers-files yes;
        has-known-vulnerabilities yes;
        tunnels-other-apps yes;
        prone-to-misuse yes;
        pervasive yes;
        risk [ <risk1> <risk2>... ];
      }
    }
    application-group {
      REPEAT...
      <name> [ <entry1> <entry2>... ];
    }
    service {
      REPEAT...
      <name> {
        protocol {
          tcp {
            port <0-65535,...>;
          }
          OR...
          udp {
            port <0-65535,...>;
          }
        }
      }
    }
    service-group {
      REPEAT...
      <name> [ <entry1> <entry2>... ];
    }
    profiles {
      virus {
        REPEAT...
        <name> {

          description <value>;
          packet-capture yes|no;
          decoder {
            REPEAT... <name> {
              action default|allow|alert|block;
            }
          }
          application {
            REPEAT... <name> {
              action default|allow|alert|block;
            }
          }
        }
      }
      spyware {
        REPEAT... <name> {
          description <value>;
          download-protection {
            decoder {
              REPEAT... <name> {
                spyware default|allow|alert|block;
                adware default|allow|alert|block;
              }
            }
            application {
              REPEAT... <name> {
                spyware default|allow|alert|block;
                adware default|allow|alert|block;
              }
            }
          }
          packet-capture yes|no;
          phone-home-detection {
            simple {
              packet-capture yes|no;
              critical default|allow|alert|block;
              high default|allow|alert|block;
              medium default|allow|alert|block;
              low default|allow|alert|block;
              informational default|allow|alert|block;
            }
            OR...
            custom {
              REPEAT... <name> {
                packet-capture yes|no;
                action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
              }
            }
          }
        }
      }
      vulnerability {
        REPEAT... <name> {
          description <value>;
          simple {
            packet-capture yes|no;
            client {
              critical default|allow|alert|block;
              high default|allow|alert|block;
              medium default|allow|alert|block;
              low default|allow|alert|block;
              informational default|allow|alert|block;
            }
            server {
              critical default|allow|alert|block;
              high default|allow|alert|block;
              medium default|allow|alert|block;
              low default|allow|alert|block;
              informational default|allow|alert|block;
            }
          }
          OR...
          custom {
            REPEAT... <name> {
              packet-capture yes|no;
              action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
            }
          }
        }
      }
      url-filtering {
        REPEAT... <name> {
          description <value>;
          license-expired block|allow;
          action block|continue|override|alert;
          block-list [ <block-list1> <block-list2>... ];
          allow-list [ <allow-list1> <allow-list2>... ];
          alert [ <alert1> <alert2>... ];
          block [ <block1> <block2>... ];
          continue [ <continue1> <continue2>... ];
          override [ <override1> <override2>... ];
        }
      }
      file-blocking {
        REPEAT... <name> {
          description <value>;
          rules {
            REPEAT... <name> {
              application [ <application1> <application2>... ];
              file-type [ <file-type1> <file-type2>... ];
              direction upload|download|both;
              action alert|block;
            }
          }
        }
      }
      data-objects {
        REPEAT... <name> {
          description <value>;
          credit-card-numbers {
            weight 1-255;
          }
          social-security-numbers {
            weight 1-255;
          }
          pattern {
            REPEAT... <name> {
              regex <value>;
              weight 1-255;
            }
          }
        }
      }
      data-filtering {
        REPEAT... <name> {
          description <value>;
          data-capture yes|no;
          rules {
            REPEAT... <name> {
              data-object <value>;
              application [ <application1> <application2>... ];
              file-type [ <file-type1> <file-type2>... ];
              direction upload|download|both;
              alert-threshold 1-65535;
              block-threshold 1-65535;
            }
          }
        }
      }
    }
    profile-group {
      REPEAT... <name> {
        virus [ <virus1> <virus2>... ];
        spyware [ <spyware1> <spyware2>... ];
        vulnerability [ <vulnerability1> <vulnerability2>... ];
        url-filtering [ <url-filtering1> <url-filtering2>... ];
        file-blocking [ <file-blocking1> <file-blocking2>... ];
        data-filtering [ <data-filtering1> <data-filtering2>... ];
      }
    }
  }
}
deviceconfig {
  system {
    hostname <value>;
    domain <value>;
    ip-address <ip>;
    netmask <ip>;
    default-gateway <ip>;
    ipv6-address <value>;
    ipv6-default-gateway <value>;
    radius-server <ip>;
    radius-secret <value>;
    dns-primary <ip>;
    dns-secondary <ip>;
    panorama-server <ip>;
    ntp-server-1 <value>;
    location <value>;
    contact <value>;
    ntp-server-2 <value>;
    update-server <value>;
    secure-proxy-server <value>;
    secure-proxy-port 1-65535;
    secure-proxy-user <value>;
    secure-proxy-password <value>;
    geo-location {
      latitude <value>;
      longitude <value>;
    }
    service {
      disable-http yes|no;
      disable-https yes|no;
      disable-telnet yes|no;
      disable-ssh yes|no;
      disable-icmp yes|no;
      disable-snmp yes|no;
    }
    permitted-ip {
      REPEAT... <name>;
    }
    route {
      service {
        REPEAT... <name> {
          source-address <value>;
        }
      }
      destination {
        REPEAT... <name> {
          source-address <value>;
        }
      }
    }
    update-schedule {
      threats {
        recurring {
          daily {
            at <value>;
            action download-only|download-and-install;
          }
          OR...
          weekly {
            day-of-week sunday|monday|tuesday|wednesday|thursday|friday|saturday;
            at <value>;
            action download-only|download-and-install;
          }
        }
      }
      url-database {
        recurring {
          daily {
            at <value>;
            action download-and-install;
          }
          OR...
          weekly {
            day-of-week sunday|monday|tuesday|wednesday|thursday|friday|saturday;
            at <value>;
            action download-and-install;
          }
        }
      }
    }
    timezone W-SU|CST6CDT|Japan|Portugal|Hongkong|Mideast|Mideast/Riyadh87|Mideast/Riyadh88|
      Mideast/Riyadh89|Eire|Poland|Factory|GB-Eire|America|America/Port_of_Spain|America/Indiana|
      America/Indiana/Vevay|America/Indiana/Indianapolis|America/Indiana/Marengo|America/Indiana/Knox|
      America/St_Johns|America/Grand_Turk|America/Tijuana|America/Toronto|America/Araguaina|
      America/Virgin|America/El_Salvador|America/Coral_Harbour|America/Jujuy|America/Mexico_City|
      America/Guyana|America/Cayman|America/Ensenada|America/Fortaleza|America/Iqaluit|
      America/Boa_Vista|America/Chihuahua|America/Nome|America/Cancun|America/Cayenne|America/Recife|
      America/Panama|America/Caracas|America/Costa_Rica|America/Cambridge_Bay|America/Martinique|
      America/Yellowknife|America/Godthab|America/Sao_Paulo|America/Edmonton|America/Fort_Wayne|
      America/Danmarkshavn|America/Barbados|America/Dawson|America/Thunder_Bay|America/Tegucigalpa|
      America/Chicago|America/Guadeloupe|America/Grenada|America/Anguilla|America/Kentucky|
      America/Kentucky/Monticello|America/Kentucky/Louisville|America/Argentina|
      America/Argentina/Jujuy|America/Argentina/Ushuaia|America/Argentina/Catamarca|
      America/Argentina/San_Juan|America/Argentina/Mendoza|America/Argentina/La_Rioja|
      America/Argentina/Buenos_Aires|America/Argentina/Tucuman|America/Argentina/ComodRivadavia|
      America/Argentina/Cordoba|America/Argentina/Rio_Gallegos|America/Mazatlan|America/Regina|
      America/Montevideo|America/Catamarca|America/Los_Angeles|America/Campo_Grande|America/Aruba|
      America/Manaus|America/Knox_IN|America/Rosario|America/St_Lucia|America/Hermosillo|
      America/Denver|America/Detroit|America/Santiago|America/Shiprock|America/Cuiaba|
      America/Dominica|America/Porto_Acre|America/Curacao|America/Belize|America/Merida|
      America/Swift_Current|America/Antigua|America/Adak|America/Indianapolis|America/Belem|
      America/Miquelon|America/Louisville|America/Bogota|America/New_York|America/Boise|
      America/Scoresbysund|America/Mendoza|America/Goose_Bay|America/Yakutat|America/Eirunepe|
      America/Winnipeg|America/Buenos_Aires|America/Menominee|America/Paramaribo|America/Thule|
      America/Montreal|America/Jamaica|America/Monterrey|America/St_Thomas|America/Rio_Branco|
      America/Lima|America/Juneau|America/La_Paz|America/Vancouver|America/Rankin_Inlet|
      America/Puerto_Rico|America/St_Kitts|America/Halifax|America/Guayaquil|America/Inuvik|
      America/Noronha|America/Nassau|America/Port-au-Prince|America/Guatemala|America/Glace_Bay|
      America/Nipigon|America/Cordoba|America/Bahia|America/Asuncion|America/Maceio|America/Atka|
      America/North_Dakota|America/North_Dakota/Center|America/Managua|America/Anchorage|
      America/Montserrat|America/Tortola|America/Dawson_Creek|America/Santo_Domingo|
      America/Pangnirtung|America/Whitehorse|America/St_Vincent|America/Porto_Velho|America/Havana|
      America/Phoenix|America/Rainy_River|Indian|Indian/Christmas|Indian/Reunion|Indian/Comoro|
      Indian/Cocos|Indian/Mauritius|Indian/Antananarivo|Indian/Mahe|Indian/Mayotte|Indian/Kerguelen|
      Indian/Chagos|Indian/Maldives|GMT0|Canada|Canada/Yukon|Canada/Saskatchewan|Canada/Central|
      Canada/Eastern|Canada/East-Saskatchewan|Canada/Atlantic|Canada/Pacific|Canada/Mountain|
      Canada/Newfoundland|MET|ROK|US|US/Alaska|US/East-Indiana|US/Central|US/Eastern|US/Samoa|
      US/Arizona|US/Pacific|US/Aleutian|US/Hawaii|US/Mountain|US/Michigan|US/Indiana-Starke|MST|
      Mexico|Mexico/BajaSur|Mexico/General|Mexico/BajaNorte|EST5EDT|Atlantic|Atlantic/Madeira|
      Atlantic/Cape_Verde|Atlantic/St_Helena|Atlantic/Stanley|Atlantic/South_Georgia|
      Atlantic/Jan_Mayen|Atlantic/Azores|Atlantic/Reykjavik|Atlantic/Canary|Atlantic/Faeroe|
      Atlantic/Bermuda|HST|Antarctica|Antarctica/McMurdo|Antarctica/Davis|Antarctica/South_Pole|
      Antarctica/Vostok|Antarctica/Rothera|Antarctica/Mawson|Antarctica/DumontDUrville|
      Antarctica/Palmer|Antarctica/Casey|Antarctica/Syowa|UTC|Iceland|Pacific|Pacific/Honolulu|
      Pacific/Truk|Pacific/Niue|Pacific/Wake|Pacific/Apia|Pacific/Majuro|Pacific/Norfolk|
      Pacific/Efate|Pacific/Enderbury|Pacific/Palau|Pacific/Saipan|Pacific/Nauru|Pacific/Kiritimati|
      Pacific/Tahiti|Pacific/Guam|Pacific/Tongatapu|Pacific/Fiji|Pacific/Rarotonga|Pacific/Samoa|
      Pacific/Fakaofo|Pacific/Guadalcanal|Pacific/Port_Moresby|Pacific/Midway|Pacific/Galapagos|
      Pacific/Yap|Pacific/Johnston|Pacific/Marquesas|Pacific/Noumea|Pacific/Auckland|Pacific/Gambier|
      Pacific/Kwajalein|Pacific/Kosrae|Pacific/Wallis|Pacific/Easter|Pacific/Chatham|Pacific/Funafuti|
      Pacific/Pago_Pago|Pacific/Tarawa|Pacific/Pitcairn|Pacific/Ponape|EET|EST|Greenwich|GMT|Cuba|
      Brazil|Brazil/Acre|Brazil/East|Brazil/DeNoronha|Brazil/West|Turkey|Arctic|Arctic/Longyearbyen|
      NZ-CHAT|Zulu|Israel|Jamaica|Etc|Etc/GMT-14|Etc/GMT+6|Etc/GMT-10|Etc/GMT-2|Etc/GMT-8|Etc/GMT+4|
      Etc/GMT0|Etc/GMT-12|Etc/GMT+11|Etc/GMT-11|Etc/GMT+12|Etc/UTC|Etc/GMT-3|Etc/Greenwich|Etc/GMT-9|
      Etc/GMT|Etc/GMT+2|Etc/Zulu|Etc/GMT-4|Etc/GMT+7|Etc/GMT+1|Etc/GMT+8|Etc/GMT-7|Etc/GMT-6|
      Etc/GMT+10|Etc/GMT-5|Etc/GMT+0|Etc/GMT-1|Etc/GMT+3|Etc/GMT+5|Etc/GMT-13|Etc/UCT|Etc/Universal|
      Etc/GMT+9|Etc/GMT-0|NZ|Europe|Europe/Vienna|Europe/Athens|Europe/Tiraspol|Europe/Lisbon|
      Europe/Rome|Europe/Bratislava|Europe/Andorra|Europe/Sofia|Europe/Kaliningrad|Europe/Zurich|
      Europe/Belfast|Europe/Oslo|Europe/Samara|Europe/Malta|Europe/Chisinau|Europe/Moscow|Europe/Paris|
      Europe/Minsk|Europe/Zaporozhye|Europe/Amsterdam|Europe/Tallinn|Europe/Uzhgorod|Europe/Brussels|
      Europe/Vatican|Europe/Vaduz|Europe/San_Marino|Europe/Nicosia|Europe/Berlin|Europe/Vilnius|
      Europe/Monaco|Europe/Istanbul|Europe/Belgrade|Europe/Stockholm|Europe/Riga|Europe/Madrid|
      Europe/Gibraltar|Europe/Copenhagen|Europe/Skopje|Europe/Budapest|Europe/Dublin|Europe/Bucharest|
      Europe/Helsinki|Europe/Prague|Europe/Sarajevo|Europe/London|Europe/Tirane|Europe/Zagreb|
      Europe/Kiev|Europe/Warsaw|Europe/Ljubljana|Europe/Simferopol|Europe/Mariehamn|Europe/Luxembourg|
      Singapore|ROC|Kwajalein|Egypt|PST8PDT|GMT+0|Asia|Asia/Kuwait|Asia/Kamchatka|Asia/Thimphu|
      Asia/Macau|Asia/Gaza|Asia/Thimbu|Asia/Pyongyang|Asia/Vladivostok|Asia/Katmandu|Asia/Sakhalin|
      Asia/Muscat|Asia/Ashkhabad|Asia/Ulan_Bator|Asia/Riyadh|Asia/Riyadh87|Asia/Calcutta|Asia/Yerevan|
      Asia/Shanghai|Asia/Baghdad|Asia/Makassar|Asia/Oral|Asia/Hong_Kong|Asia/Jayapura|Asia/Omsk|
      Asia/Almaty|Asia/Saigon|Asia/Magadan|Asia/Chungking|Asia/Hovd|Asia/Brunei|Asia/Novosibirsk|
      Asia/Dacca|Asia/Qatar|Asia/Ulaanbaatar|Asia/Krasnoyarsk|Asia/Kuching|Asia/Qyzylorda|Asia/Karachi|
      Asia/Anadyr|Asia/Yakutsk|Asia/Seoul|Asia/Choibalsan|Asia/Macao|Asia/Samarkand|Asia/Yekaterinburg|
      Asia/Aqtobe|Asia/Riyadh88|Asia/Nicosia|Asia/Pontianak|Asia/Urumqi|Asia/Irkutsk|Asia/Taipei|
      Asia/Harbin|Asia/Istanbul|Asia/Colombo|Asia/Tel_Aviv|Asia/Jakarta|Asia/Amman|Asia/Bahrain|
      Asia/Tokyo|Asia/Chongqing|Asia/Ashgabat|Asia/Singapore|Asia/Aqtau|Asia/Baku|Asia/Bishkek|
      Asia/Dili|Asia/Tbilisi|Asia/Beirut|Asia/Riyadh89|Asia/Damascus|Asia/Aden|Asia/Dubai|Asia/Manila|
      Asia/Vientiane|Asia/Tehran|Asia/Kashgar|Asia/Dushanbe|Asia/Kabul|Asia/Bangkok|Asia/Rangoon|
      Asia/Jerusalem|Asia/Dhaka|Asia/Kuala_Lumpur|Asia/Tashkent|Asia/Phnom_Penh|Asia/Ujung_Pandang|
      CET|PRC|Africa|Africa/Kinshasa|Africa/Ndjamena|Africa/Mbabane|Africa/Lagos|Africa/El_Aaiun|
      Africa/Douala|Africa/Kampala|Africa/Mogadishu|Africa/Tripoli|Africa/Conakry|Africa/Niamey|
      Africa/Asmera|Africa/Khartoum|Africa/Lubumbashi|Africa/Kigali|Africa/Johannesburg|
      Africa/Blantyre|Africa/Malabo|Africa/Gaborone|Africa/Lome|Africa/Algiers|Africa/Addis_Ababa|
      Africa/Brazzaville|Africa/Dakar|Africa/Nairobi|Africa/Cairo|Africa/Banjul|Africa/Bamako|
      Africa/Bissau|Africa/Libreville|Africa/Sao_Tome|Africa/Casablanca|Africa/Timbuktu|
      Africa/Nouakchott|Africa/Freetown|Africa/Monrovia|Africa/Ceuta|Africa/Dar_es_Salaam|
      Africa/Lusaka|Africa/Abidjan|Africa/Bujumbura|Africa/Maseru|Africa/Bangui|Africa/Windhoek|
      Africa/Accra|Africa/Djibouti|Africa/Ouagadougou|Africa/Porto-Novo|Africa/Tunis|Africa/Maputo|
      Africa/Harare|Africa/Luanda|UCT|GB|Universal|Australia|Australia/Hobart|Australia/Lord_Howe|
      Australia/Perth|Australia/South|Australia/Yancowinna|Australia/Currie|Australia/Tasmania|
      Australia/Queensland|Australia/NSW|Australia/Lindeman|Australia/Melbourne|Australia/Adelaide|
      Australia/Victoria|Australia/Canberra|Australia/West|Australia/Brisbane|Australia/Broken_Hill|
      Australia/Darwin|Australia/ACT|Australia/North|Australia/Sydney|Australia/LHI|Iran|WET|Libya|
      MST7MDT|Chile|Chile/EasterIsland|Chile/Continental|GMT-0|Navajo;
  }
  setting {
    application {
      cache yes|no;
      supernode yes|no;
      heuristics yes|no;
      notify-user yes|no;
    }
    ctd {
      url-coach-timeout 1-86400;
      url-admin-timeout 1-86400;
      url-lockout-timeout 1-86400;
    }
    proxy {
      url-proxy yes|no;
      notify-user yes|no;
      answer-timeout 1-86400;
    }
    session {
      timeout-tcp 1-15999999;
      timeout-udp 1-15999999;
      timeout-icmp 1-15999999;
      timeout-default 1-15999999;
      timeout-tcpinit 1-60;
      timeout-tcpwait 1-60;
      timeout-scan 5-30;
      scan-threshold 50-99;
      scan-scaling-factor 2-16;
      accelerated-aging-enable yes|no;
      accelerated-aging-threshold 50-99;
      accelerated-aging-scaling-factor 2-16;
      tcp-reject-non-syn yes|no;
      offload yes|no;
    }
    zip {
      enable yes|no;
      sw yes|no;
    }
    config {
      rematch yes|no;
    }
    logging {
      max-log-rate 0-2560;
      max-packet-rate 0-2560;
      log-suppression yes|no;
    }
    management {
      idle-timeout 1-1440|;
      admin-lockout {
        failed-attempts 0-10;
        lockout-time 0-60;
      }
      max-rows-in-csv-export 1-1048576;
      panorama-tcp-receive-timeout 1-120;
      panorama-tcp-send-timeout 1-120;
      panorama-ssl-send-retries 1-64;
    }
  }
  high-availability {
    enabled yes|no;
    interface {
      ha1 {
        port <value>;
        encryption {
          enabled yes|no;
          passphrase <value>;
        }
        ip-address <ip/netmask>;
        netmask <ip>;
      }
      ha2 {
        port <value>;
      }
    }
    group {
      REPEAT... <name> {
        description <value>;
        election-option {
          device-priority 0-255;
          preemptive yes|no;
          passive-hold-time 0-60000;
          hello-interval 8000-60000;
          hello-interval 1000-60000;
          passive-link-state shutdown|auto;
        }
        peer-ip <ip>;
        state-synchronization {
          enabled yes|no;
        }
        monitoring {
          path-monitoring {
            enabled yes|no;
            failure-condition any|all;
            path-group {
              virtual-wire {
                REPEAT... <name> {
                  enabled yes|no;
                  failure-condition any|all;
                  source-ip <ip>;
                  destination-ip [ <destination-ip1> <destination-ip2>... ];
                }
              }
              vlan {
                REPEAT... <name> {
                  enabled yes|no;
                  failure-condition any|all;
                  source-ip <ip>;
                  destination-ip [ <destination-ip1> <destination-ip2>... ];
                }
              }
              virtual-router {
                REPEAT... <name> {
                  enabled yes|no;
                  failure-condition any|all;
                  destination-ip [ <destination-ip1> <destination-ip2>... ];
                }
              }
            }
          }
          link-monitoring {
            enabled yes|no;
            failure-condition any|all;
            link-group {
              REPEAT... <name> {
                enabled yes|no;
                failure-condition any|all;
                interface [ <interface1> <interface2>... ];
              }
            }
          }
        }
      }
    }
  }
}
mgt-config {
  users {
    REPEAT... <name> {
      phash <value>;
      remote-authentication radius;
      preferences {
        disable-dns yes|no;
        saved-log-query {
          traffic {
            REPEAT... <name> {
              query <value>;
            }
          }
          threat {
            REPEAT... <name> {
              query <value>;
            }
          }
          config {
            REPEAT... <name> {
              query <value>;
            }
          }
          system {
            REPEAT... <name> {
              query <value>;
            }
          }
        }
      }
      permissions {
        role-based {
          vsysreader {
            REPEAT... <name> {
              vsys <name>;
            }
          }
          OR...
          vsysadmin {
            REPEAT... <name> {
              vsys <name>;
            }
          }
          OR...
          devicereader [ <devicereader1> <devicereader2>... ];
          OR...
          deviceadmin [ <deviceadmin1> <deviceadmin2>... ];
          OR...
          superreader yes;
          OR...
          superuser yes;
          OR...
          custom {
            profile <name>;
            vsys <name>;
          }
        }
      }
    }
  }
  devices {
    REPEAT... <name> {
      ip <ip>;
      vsys {
        REPEAT... <name>;
      }
    }
  }
}
predefined {
  signature {
    REPEAT... <name> {
      application <value>;
      protocol <value>;
      description <value>;
      dynamic yes|no;
      rules {
        REPEAT... <name> {
          direction client-to-server|server-to-client|any;
          match {
            string {
              pattern <value>;
              encrypt yes|no;
              ignore-case yes|no;
              offset 0-1000000;
              depth 0-10000;
              per-packet-match yes|no;
              payload-length-validate {
                byte-offset 0-65535;
                discount 0-65535;
                number-of-bytes 1|2|3|4;
                endian little|big;
              }
              source-port-validate {
                byte-offset 0-65535;
                endian little|big;
              }
            }
            header {
              source-ip <value>;
              destination-ip <value>;
              source-port <value>;
              destination-port <value>;
              l3-payload-length <value>;
              l4-payload-length <value>;
              packet-sequence <value>;
            }
          }
        }
      }
      rule-match match-in-order|match-all|match-any;
    }
  }
  application-type {
    REPEAT... category {
      <name> {
        description <value>;
      }
    }
    technology {
      <name> {
        description <value>;
      }
    }
  }
  url-categories {
    REPEAT... <name> {
      malware yes|no;
      description <value>;
    }
  }
  private-application {
    REPEAT... <name> {
      correlate {
        key-by [ <key-by1> <key-by2>... ];
        rule-match match-all|match-any;
        interval 1-65535;
        rules {
          REPEAT... entry {
            protocol tcp|udp;
            interval 1-65535;
            threshold 1-65535;
            track-by [ <track-by1> <track-by2>... ];
          }
        }
      }
      default {
        port [ <port1> <port2>... ];
        OR...
        ident-by-ip-protocol <0-255,...>;
      }
      tunnel-applications [ <tunnel-applications1> <tunnel-applications2>... ];
      deny-action drop|drop-reset;
      use-applications [ <use-applications1> <use-applications2>... ];
      alg yes|no;
      appident yes|no;
      virus-ident yes|no;
      spyware-ident yes|no;
      child <value>;
      decode <value>;
      threat-id <1-4294967295,...>;
      per-direction-regex yes|no;
      enable-ssl-decryption yes|no;
      enable-source-cache yes|no;
      preemptive yes|no;
      ident-by-sport yes|no;
      ident-by-port yes|no;
      ident-by-dport yes|no;
      source-cache-timeout 0-255;
      source-cache-threshold 0-255;
      risk 1-5;
      type <value>;
      category <value>;
      description <value>;
      timeout 0-604800;
      tcp-timeout 0-604800;
      udp-timeout 0-604800;
      evasive-behavior yes|no;
      consume-big-bandwidth yes|no;
      carry-malware yes|no;
      used-by-malware yes|no;
      able-to-transfer-file yes|no;
      has-known-vulnerability yes|no;
      tunnel-other-application yes|no;
      report-as <value>;
      prone-to-misuse yes|no;
      pervasive-use yes|no;
      references {
        REPEAT... <name> {
          link <value>;
        }
      }
      reference <value>;
    }
  }
  application {
    REPEAT... <name> {
      correlate {
        key-by [ <key-by1> <key-by2>... ];
        rule-match match-all|match-any;
        interval 1-65535;
        rules {
          REPEAT... entry {
            protocol tcp|udp;
            interval 1-65535;
            threshold 1-65535;
            track-by [ <track-by1> <track-by2>... ];
          }
        }
      }
      default {
        port [ <port1> <port2>... ];
        OR...
        ident-by-ip-protocol <0-255,...>;
      }
      tunnel-applications [ <tunnel-applications1> <tunnel-applications2>... ];
      deny-action drop|drop-reset;
      use-applications [ <use-applications1> <use-applications2>... ];
      alg yes|no;
      appident yes|no;
      virus-ident yes|no;
      spyware-ident yes|no;
      decode <value>;
      threat-id <1-4294967295,...>;
      per-direction-regex yes|no;
      preemptive yes|no;
      ident-by-sport yes|no;
      ident-by-port yes|no;
      ident-by-dport yes|no;
      risk 1-5;
      type <value>;
      category <value>;
      subcategory <value>;
      technology <value>;
      description <value>;
      timeout 0-604800;
      tcp-timeout 0-604800;
      udp-timeout 0-604800;
      evasive-behavior yes|no;
      consume-big-bandwidth yes|no;
      carry-malware yes|no;
      used-by-malware yes|no;
      able-to-transfer-file yes|no;
      has-known-vulnerability yes|no;
      tunnel-other-application yes|no;
      prone-to-misuse yes|no;
      pervasive-use yes|no;
      references {
        REPEAT... <name> {
          link <value>;
        }
      }
      reference <value>;
    }
  }
  application-group {
    REPEAT... <name> {
      member <value>;
    }
  }
  profiles {
    virus {
      REPEAT... <name> {
        description <value>;
        decoder {
          REPEAT... <name> {
            action default|allow|alert|block;
          }
        }
        application {
          REPEAT... <name> {
            action default|allow|alert|block;
          }
        }
      }
    }
    spyware {
      REPEAT... <name> {
        description <value>;
        download-protection {
          decoder {
            REPEAT... <name> {
              adware default|allow|alert|block;
              spyware default|allow|alert|block;
            }
          }
          application {
            REPEAT... <name> {
              adware default|allow|alert|block;
              spyware default|allow|alert|block;
            }
          }
        }
        phone-home-detection {
          simple {
            critical default|allow|alert|block;
            high default|allow|alert|block;
            medium default|allow|alert|block;
            low default|allow|alert|block;
            informational default|allow|alert|block;
          }
          OR...
          custom {
            REPEAT... <name> {
              packet-capture yes|no;
              action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
            }
          }
        }
      }
    }
    vulnerability {
      REPEAT... <name> {
        description <value>;
        simple {
          client {
            critical default|allow|alert|block;
            high default|allow|alert|block;
            medium default|allow|alert|block;
            low default|allow|alert|block;
            informational default|allow|alert|block;
          }
          server {
            critical default|allow|alert|block;
            high default|allow|alert|block;
            medium default|allow|alert|block;
            low default|allow|alert|block;
            informational default|allow|alert|block;
          }
        }
        OR...
        custom {
          REPEAT... <name> {
            packet-capture yes|no;
            action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
          }
        }
      }
    }
    url-filtering {
      REPEAT... <name> {
        description <value>;
        license-expired block|allow;
        action block|continue|override|alert;
        block-list [ <block-list1> <block-list2>... ];
        allow-list [ <allow-list1> <allow-list2>... ];
        alert [ <alert1> <alert2>... ];
        block [ <block1> <block2>... ];
        continue [ <continue1> <continue2>... ];
        override [ <override1> <override2>... ];
      }
    }
  }
  profile-group {
    REPEAT... <name> {
      virus [ <virus1> <virus2>... ];
      spyware [ <spyware1> <spyware2>... ];
      vulnerability [ <vulnerability1> <vulnerability2>... ];
      url-filtering [ <url-filtering1> <url-filtering2>... ];
    }
  }
  service {
    REPEAT... <name> {
      protocol {
        any;
        OR...
        tcp {
          port <0-65535,...>;
        }
        OR...
        udp {
          port <0-65535,...>;
        }
        OR...
        ip {
          ip-protocol <0-255,...>;
        }
      }
    }
  }
  service-group {
    REPEAT... <name> [ <entry1> <entry2>... ];
  }
  reports {
    REPEAT... <name> {
      disabled yes|no;
      query <value>;
      caption <value>;
      frequency daily|weekly;
      start-time <value>;
      end-time <value>;
      delta 1-65535;
      period last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendar-week|last-30-days;
      topn 1-50;
      type {
        appstat {
          aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
          values [ <values1> <values2>... ];
          sortby nbytes|npkts|nsess|nthreats;
        }
        OR...
        threat {
          aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
          values [ <values1> <values2>... ];
          sortby repeatcnt;
        }
        OR...
        thsum {
          aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
          values [ <values1> <values2>... ];
          sortby count;
        }
        OR...
        traffic {
          aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
          values [ <values1> <values2>... ];
          sortby bytes|elapsed|packets|repeatcnt;
        }
        OR...
        trsum {
          aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
          values [ <values1> <values2>... ];
          sortby bytes|sessions;
        }
      }
    }
  }
  threats {
    phone-home {
      REPEAT... <name> {
        category <value>;
        severity critical|high|medium|low|informational;
        host client|server;
        app <value>;
      }
    }
    vulnerability {
      REPEAT... <name> {
        category code-execution|overflow|sql-injection|info-leak|email-worm|net-worm|adware|keylogger|datatheft|phishing|spam|botnet|rootkit|trojan|backdoor|virus|email-flooder|spamtool|hacktool|dos|suspicious|other-malware|user-defined;
        severity critical|high|medium|low|informational;
        affected-host {
          client yes|no;
          server yes|no;
        }
      }
    }
    ssl-exclude-cert {
      REPEAT... <name>;
    }
  }
}

operations {
  schedule {
    commit;
  }
  OR...
  clear {
    application-signature {
      statistics;
    }
    OR...
    arp |<value>;
    OR...
    counter {
      interface;
      OR...
      global {
        filter {
          category <value>;
          severity <value>;
          aspect <value>;
        }
        OR...
        name <value>;
      }
      OR...
      all;
    }
    OR...
    dhcp {
      lease {
        all;
        OR...
        interface {
          name <value>;
          ip <ip>;
          mac <mac-address>;
        }
      }
    }
    OR...
    high-availability {
      control-link {
        statistics;
      }
    }
    OR...
    job {
      id 0-4294967295;
    }
    OR...
    log {
      traffic;
      OR...
      threat;
      OR...
      config;
      OR...
      system;
      OR...
      acc;
    }
    OR...
    mac |<value>;
    OR...
    query {
      all-by-session;
      OR...
      id 0-4294967295;
    }
    OR...
    report {
      all-by-session;
      OR...
      id 0-4294967295;
    }
    OR...
    session {
      all {
        filter {
          nat none|source|destination|both;
          proxy yes|no;
          type flow|predict;
          state initial|opening|active|discard|closing|closed;
          from <value>;
          to <value>;
          source <value>;
          destination <value>;
          source-user <value>;
          destination-user <value>;
          source-port 1-65535;
          destination-port 1-65535;
          protocol 1-255;
          application <value>;
          rule <value>;
          nat-rule <value>;
        }
      }
      OR...
      id 1-2147483648;
    }
    OR...
    statistics;
    OR...
    vpn {
      ike-sa {
        gateway <value>;
      }
      OR...
      ipsec-sa {
        tunnel <value>;
      }
      OR...
      flow {
        tunnel-id 1-2147483648;
      }
    }
  }
  OR...
  delete {
    admin-sessions;
    OR...
    application-block-page;
    OR...
    captive-portal-text;
    OR...
    config {
      saved <value>;
    }
    OR...
    config-audit-history;
    OR...
    content {
      update <value>;
    }
    OR...
    core {
      data-plane {
        file <value>;
      }
      OR...
      control-plane {
        file <value>;
      }
    }
    OR...
    debug-filter {
      file <value>;
    }
    OR...
    file-block-page;
    OR...
    license {
      key <value>;
    }
    OR...
    pcap {
      file <value>;
    }
    OR...
    policy-cache;
    OR...
    reverse-key {
      file <value>;
    }
    OR...
    root-certificate {
      file <value>;
    }
    OR...
    software {
      image <value>;
      OR...
      version <value>;
    }
    OR...
    spyware-block-page;
    OR...
    ssl-optout-text;
    OR...
    threat-pcap {
      directory <value>;
    }
    OR...
    unknown-pcap {
      file <value>;
    }
    OR...
    url-block-page;
    OR...
    url-coach-text;
    OR...
    user-file {
      ssh-known-hosts;
    }
    OR...
    virus-block-page;
  }
  OR...
  show {
    admins {
      all;
    }
    OR...
    arp |<value>;
    OR...
    chassis-ready;
    OR...
    cli {
      info;
      OR...
      idle-timeout;
    }
    OR...
    clock;
    OR...
    config {
      diff;
      OR...
      running {
        xpath <value>;
      }
      OR...
      synced;
      OR...
      candidate;
      OR...
      audit {
        info;
        OR...
        base-version <value>;
        OR...
        version <value>;
      }
      OR...
      saved <value>;
    }
    OR...
    counter {
      management-server;
      OR...
      global {
        filter {
          category <value>;
          severity <value>;
          aspect <value>;
          delta yes|no;
          value all|non-zero;
        }
        OR...
        name <value>;
      }
      OR...
      interface |<value>;
    }
    OR...
    ctd {
      url-block-cache;
      OR...
      threat {
        id 1-4294967295;
        application 0-4294967295;
        profile 0-4294967295;
      }
    }
    OR...
    dhcp {
      lease |<value>;
    }
    OR...
    high-availability {
      all;
      OR...
      state;
      OR...
      link-monitoring;
      OR...
      path-monitoring;
      OR...
      state-synchronization;
      OR...
      control-link {
        statistics;
      }
    }
    OR...
    interface |||<value>;
    OR...
    jobs {
      all;
      OR...
      pending;
      OR...
      processed;
      OR...
      id 1-4294967296;
    }
    OR...
    location {
      ip <ip>;
    }
    OR...
    log {
      traffic {
        direction {
          equal forward|backward;
        }
        csv-output {
          equal yes|no;
        }
        receive_time {
          in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
        }
        start-time {
          equal <value>;
        }
        end-time {
          equal <value>;
        }
        src {
          in <ip/netmask>;
          OR...
          not-in <ip/netmask>;
        }
        dst {
          in <ip/netmask>;
          OR...
          not-in <ip/netmask>;
        }
        rule {
          equal <value>;
          OR...
          not-equal <value>;
        }
        app {
          equal <value>;
          OR...
          not-equal <value>;
        }
        from {
          equal <value>;
          OR...
          not-equal <value>;
        }
        to {
          equal <value>;
          OR...
          not-equal <value>;
        }
        sport {
          equal 1-65535;
          OR...
          not-equal 1-65535;
        }
        dport {
          equal 1-65535;
          OR...
          not-equal 1-65535;
        }
        action {
          equal allow|deny|drop;
          OR...
          not-equal allow|deny|drop;
        }
        srcuser {
          equal <value>;
        }
        dstuser {
          equal <value>;
        }
      }
      OR...
      threat {
        suppress-threatid-mapping {
          equal yes|no;
        }
        direction {
          equal forward|backward;
        }
        csv-output {
          equal yes|no;
        }
        receive_time {
          in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
        }
        start-time {
          equal <value>;
        }
        end-time {
          equal <value>;
        }
        src {
          in <ip/netmask>;
          OR...
          not-in <ip/netmask>;
        }
        dst {
          in <ip/netmask>;
          OR...
          not-in <ip/netmask>;
        }
        rule {
          equal <value>;
          OR...
          not-equal <value>;
        }
        app {
          equal <value>;
          OR...
          not-equal <value>;
        }
        from {
          equal <value>;
          OR...
          not-equal <value>;
        }
        to {
          equal <value>;
          OR...
          not-equal <value>;
        }
        sport {
          equal 1-65535;
          OR...
          not-equal 1-65535;
        }
        dport {
          equal 1-65535;
          OR...
          not-equal 1-65535;
        }
        action {
          equal alert|allow|deny|drop|drop-all-packets|reset-client|reset-server|reset-both|block-url;
          OR...
          not-equal alert|allow|deny|drop|drop-all-packets|reset-client|reset-server|reset-both|block-url;
        }
        srcuser {
          equal <value>;
        }
        dstuser {
          equal <value>;
        }
        category {
          equal adult-or-sexually-explicit|advertisements-and-popups|alcohol-and-tobacco|arts|
            blogs-and-forums|business|chat|computing-and-internet|criminal-activity|downloads|
            education|entertainment|fashion-and-beauty|finance-and-investment|food-and-dining|
            gambling|games|government|hacking|health-and-medicine|hobbies-and-recreation|
            hosting-sites|illegal-drugs|infrastructure|intimate-apparel-and-swimwear|
            intolerance-and-hate|job-search-and-career-development|kids-sites|motor-vehicles|news|
            peer-to-peer|personals-and-dating|philanthropic-and-professional-orgs|phishing-and-fraud|
            phising-and-fraud|photo-searches|politics|proxies-and-translators|real-estate|reference|
            religion|ringtones-or-mobile-phone-downloads|search-engines|sex-education|shopping|
            society-and-culture|spam-urls|sports|spyware|streaming-media|tasteless-and-offensive|
            travel|unknown|violence|weapons|web-based-e-mail;
          OR...
          not-equal adult-or-sexually-explicit|advertisements-and-popups|alcohol-and-tobacco|arts|
            blogs-and-forums|business|chat|computing-and-internet|criminal-activity|downloads|
            education|entertainment|fashion-and-beauty|finance-and-investment|food-and-dining|
            gambling|games|government|hacking|health-and-medicine|hobbies-and-recreation|
            hosting-sites|illegal-drugs|infrastructure|intimate-apparel-and-swimwear|
            intolerance-and-hate|job-search-and-career-development|kids-sites|motor-vehicles|news|
            peer-to-peer|personals-and-dating|philanthropic-and-professional-orgs|phishing-and-fraud|
            phising-and-fraud|photo-searches|politics|proxies-and-translators|real-estate|reference|
            religion|ringtones-or-mobile-phone-downloads|search-engines|sex-education|shopping|
            society-and-culture|spam-urls|sports|spyware|streaming-media|tasteless-and-offensive|
            travel|unknown|violence|weapons|web-based-e-mail;
        }
        subtype {
          equal url|file;
        }
      }
      OR...
      config {
        direction {
          equal forward|backward;
        }
        receive_time {
          in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
        }
        csv-output {
          equal yes|no;
        }
        start-time {
          equal <value>;
        }
        end-time {
          equal <value>;
        }
        client {
          equal web|cli;
          OR...
          not-equal web|cli;
        }
        cmd {
          equal add|clone|commit|create|delete|edit|get|load-from-disk|move|rename|save-to-disk|set;
          OR...
          not-equal add|clone|commit|create|delete|edit|get|load-from-disk|move|rename|save-to-disk|set;
        }
        result {
          equal succeeded|failed|unauthorized;
          OR...
          not-equal succeeded|failed|unauthorized;
        }
      }
      OR...
      system {
        direction {
          equal forward|backward;
        }
        opaque {
          contains <value>;
        }
        receive_time {
          in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
        }
        csv-output {
          equal yes|no;
        }
        start-time {
          equal <value>;
        }
        end-time {
          equal <value>;
        }
        severity {
          equal critical|high|medium|low|informational;
          OR...
          not-equal critical|high|medium|low|informational;
          OR...
          greater-than-or-equal critical|high|medium|low|informational;
          OR...
          less-than-or-equal critical|high|medium|low|informational;
        }
        subtype {
          equal <value>;
          OR...
          not-equal <value>;
        }
        object {
          equal <value>;
          OR...
          not-equal <value>;
        }
        eventid {
          equal <value>;
          OR...
          not-equal <value>;
        }
        id {
          equal <value>;
          OR...
          not-equal <value>;
        }
      }
      OR...
      appstat {
        direction {
          equal forward|backward;
        }
        receive_time {
          in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
        }
        csv-output {
          equal yes|no;
        }
        start-time {
          equal <value>;
        }
        end-time {
          equal <value>;
        }
        name {
          equal <value>;
          OR...
          not-equal <value>;
        }
        type {
          equal <value>;
          OR...
          not-equal <value>;
        }
        risk {
          equal 1|2|3|4|5;
          OR...
          not-equal 1|2|3|4|5;
          OR...
          greater-than-or-equal 1|2|3|4|5;
          OR...
          less-than-or-equal 1|2|3|4|5;
        }
      }
      OR...
      trsum {
        direction {
          equal forward|backward;
        }
        receive_time {
          in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
        }
        csv-output {
          equal yes|no;
        }
        start-time {
          equal <value>;
        }
        end-time {
          equal <value>;
        }
        app {
          equal <value>;
          OR...
          not-equal <value>;
        }
        src {
          in <value>;
        }
        dst {
in <value>; } rule { equal <value>; OR... not-equal <value>; } srcuser { equal <value>; OR... not-equal <value>; } dstuser { equal <value>; OR... not-equal <value>; } srcloc { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } dstloc { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } } OR... thsum { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } start-time { equal <value>; } end-time { equal <value>; } app { equal <value>; OR... not-equal <value>; }

src { in <value>; } dst { in <value>; } rule { equal <value>; OR... not-equal <value>; } srcuser { equal <value>; OR... not-equal <value>; } dstuser { equal <value>; OR... not-equal <value>; } srcloc { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } dstloc { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } threatid { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } subtype { equal <value>; OR... not-equal <value>; } } } OR... logging; OR... mac |<value>;

OR... management-clients; OR... multi-vsys; OR... object { ip <ip>; vsys <value>; } OR... pan-agent { statistics; OR... user-IDs; } OR... proxy { setting; OR... certificate-cache; OR... certificate; OR... notify-cache; } OR... query { id 1-4294967296; OR... jobs; } OR... report { id 1-4294967296; OR... jobs; OR... predefined { name { equal top-attackers|top-victims|top-attackers-by-countries|top-victims-by-countries|top-sources|top-destinations|top-destination-countries|top-source-countries|top-connections|top-ingress-interfaces|top-egress-interfaces|top-ingress-zones|top-egress-zones|top-applications|top-http-applications|top-rules|top-attacks|top-spyware-threats|top-viruses|top-vulnerabilities|top-websites|top-url-categories|top-url-users|top-url-user-behavior|unknown-tcp-connections|unknown-udp-connections|top-denied-sources|top-denied-destinations|top-denied-applications; } start-time { equal <value>; } end-time { equal <value>; } } OR... custom { database { equal appstat|threat|thsum|traffic|trsum;

} topn { equal <value>; } receive_time { in last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } query { equal <value>; } aggregate-fields { equal <value>; } value-fields { equal <value>; } } } OR... routing { resource; OR... summary { virtual-router <value>; } OR... fib { virtual-router <value>; } OR... route { destination <ip/netmask>; interface <value>; nexthop <ip/netmask>; type static|connect|ospf|rip; virtual-router <value>; } OR... protocol { redist all|ospf|rip; OR... ospf summary|area|interface|virt-link|neighbor|virt-neighbor|lsdb|dumplsdb; OR... rip summary|interface|peer|database; virtual-router <value>; } } OR... session { start-at 1-2097152; OR... info; OR... meter; OR... all { filter { nat none|source|destination|both;

proxy yes|no; type flow|predict; state initial|opening|active|discard|closing|closed; from <value>; to <value>; source <value>; destination <value>; source-user <value>; destination-user <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; application <value>; rule <value>; nat-rule <value>; } } OR... id 1-2147483648; } OR... shared-policy; OR... statistics; OR... system { software { status; } OR... info; OR... services; OR... state { filter <value>; OR... filter-pretty <value>; OR... browser; } OR... statistics; OR... resources; OR... disk-space; OR... logdb-quota; OR... files; } OR... target-vsys; OR... threat { id 1-4294967296; } OR...

virtual-wire |<value>; OR... vlan |<value>; OR... vpn { gateway { name <value>; } OR... tunnel { name <value>; } OR... ike-sa { gateway <value>; } OR... ipsec-sa { tunnel <value>; } OR... flow { tunnel-id 1-2147483648; } } OR... zip { setting; } OR... zone-protection { zone <value>; } } OR... debug { captive-portal { on { normal; OR... debug; } OR... off; OR... show; } OR... cli on|off|detail|show; OR... cpld; OR... dataplane { get; OR... show { user { all; OR...

ip <ip/netmask>; } OR... nat-rule-cache; OR... global-ippool; OR... ippool; OR... security-policy; OR... nat-policy; OR... captive-portal-policy; OR... ssl-policy; OR... application-override-policy; OR... application-signature { statistics; } OR... log-queue { statistics; } OR... application { dump-setting; } OR... resource-monitor { second { last 1-60; } OR... minute { last 1-60; } OR... hour { last 1-24; } OR... day { last 1-7; } OR... week { last 1-13; } } OR... logging; OR... url-cache { statistics; } OR...

top-urls { top 1-10000; category adult-or-sexually-explicit|advertisements-and-popups|alcohol-and-tobacco|arts|blogs-and-forums|business|chat|computing-and-internet|criminal-activity|downloads|education|entertainment|fashion-and-beauty|finance-and-investment|food-and-dining|gambling|games|government|hacking|health-and-medicine|hobbies-and-recreation|hosting-sites|illegal-drugs|infrastructure|intimate-apparel-and-swimwear|intolerance-and-hate|job-search-and-career-development|kids-sites|motor-vehicles|news|peer-to-peer|personals-and-dating|philanthropic-and-professional-orgs|phishing-and-fraud|phising-and-fraud|photo-searches|politics|proxies-and-translators|real-estate|reference|religion|ringtones-or-mobile-phone-downloads|search-engines|sex-education|shopping|society-and-culture|spam-urls|sports|spyware|streaming-media|tasteless-and-offensive|travel|unknown|violence|weapons|web-based-e-mail; } } OR... reset { user-cache { all; OR... ip <ip/netmask>; } OR... url-cache; OR... logging; OR... pow; OR... appid { unknown-cache { destination <ip/netmask>; } } OR... proxy { host-certificate-cache; OR... certificate-cache; OR... notify-cache { source <ip/netmask>; } } OR... ctd { url-block-cache { lockout; } } } OR... mode sync|no-sync; OR... on error|warn|info|debug; OR...

off; OR... clear; OR... drop-filter { on; OR... off; OR... set { ingress <value>; file <value>; source <value>; destination <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; packet-count 1-20000; byte-count 1-2000000; } OR... unset 1-4; } OR... filter { on; OR... off; OR... set { ingress <value>; file <value>; source <value>; destination <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; packet-count 1-20000; byte-count 1-2000000; } OR... unset 1-4; OR... close 1-4; } OR... pool { statistics; OR... check { hardware 0-255; OR... software 0-255; } } OR... pow { status; OR...

performance { all; } } OR... memory { status; } OR... internal { pci-access { sample; OR... register <value>; } OR... vif { address; OR... link; OR... rule; OR... vr; OR... route 0-255; } OR... dt { lion { rd 0-4294967295; OR... igr { show drops|flow|internal|packets|queues; OR... iftbl; OR... mymac; OR... port; } OR... egr { show counts|queues; OR... route; OR... nexthop; } OR... mac { stats { clear; } } OR... spi { stats { clear;

} } } OR... oct { csr { rd <value>; } OR... gmx { stats; } OR... pip { stats; } OR... pko { disp; OR... stats; } OR... pow { dump; } } } } OR... fpga { set { sw_aho yes|no; OR... sw_dfa yes|no; } OR... state; } OR... device { switch-dx { uplink; OR... register { read 0-4294967295; } OR... vlan-table { dump; OR... index 0-4095; } OR... port-based-vlan { port 0-32; } OR... fdb {

dump; OR... index 0-65535; } } } OR... process { mprelay { on { dump; OR... debug; OR... info; OR... warn; OR... error; } OR... off; OR... show; } OR... ha-agent { on { dump; OR... debug; OR... info; OR... warn; OR... error; } OR... off; OR... show; } } OR... task-heartbeat { on; OR... off; OR... show; } OR... set { tcp reass|fptcp|all; OR... ssl basic|all; OR... proxy basic|all;

OR... pow basic|all; OR... misc misc|all; OR... flow basic|ager|ha|np|arp|receive|all; OR... tunnel flow|ager; OR... ctd basic|sml|url|detector|all; OR... appid agt|basic|policy|dfa|all; OR... all; } OR... unset { tcp reass|fptcp|all; OR... ssl basic|all; OR... proxy basic|all; OR... pow basic|all; OR... misc misc|all; OR... flow basic|ager|np|ha|arp|receive|all; OR... tunnel flow|ager; OR... ctd basic|sml|url|detector|all; OR... appid basic|policy|dfa|all; OR... all; } } OR... device-server { set { agent basic|conn|ntlm|group|detail|ha|all; OR... misc basic|all; OR... url basic|all; OR... config basic|tdb|fpga|all; OR... all; } OR... unset { agent basic|conn|detail|ha|all; OR... misc basic|all; OR... url basic|all; OR...

config basic|tdb|fpga|all; OR... all; } OR... test { url <value>; OR... url-category 1-4192; OR... admin-override-password <value>; } OR... reset { logging { statistics; } OR... pan-agent { all; } OR... captive-portal { ip-address <ip/netmask>; } OR... id-manager; } OR... dump { idmgr { type { zone { all; OR... id 1-4294967295; OR... name <value>; } OR... vsys { all; OR... id 1-4294967295; OR... name <value>; } OR... global-tunnel { all; OR... id 1-; OR... name <value>; } OR... global-interface { all; OR...

id 1-4294967295; OR... name <value>; } OR... global-vlan-domain { all; OR... id 1-4294967295; OR... name <value>; } OR... global-vlan { all; OR... id 1-4294967295; OR... name <value>; } OR... global-vrouter { all; OR... id 1-4294967295; OR... name <value>; } OR... global-rib-instance { all; OR... id 1-4294967295; OR... name <value>; } OR... shared-application { all; OR... id 1-4294967295; OR... name <value>; } OR... custom-url-filter { all; OR... id 1-4294967295; OR... name <value>; } OR... user { all; OR... id 1-4294967295; OR... name <value>;

} OR... user-group { all; OR... id 1-4294967295; OR... name <value>; } OR... custom-application { all; OR... id 1-4096; OR... name <value>; } OR... security-rule { all; OR... id 1-4096; OR... name <value>; } OR... nat-rule { all; OR... id 1-4096; OR... name <value>; } OR... ssl-rule { all; OR... id 1-4096; OR... name <value>; } OR... ike-gateway { all; OR... id 1-4096; OR... name <value>; } } } OR... logging { statistics; } } OR... on error|warn|info|debug|dump; OR...

off; OR... clear; OR... show; } OR... dhcpd { global { on { error; OR... warn; OR... info; OR... debug; OR... dump; } OR... off; OR... show; } OR... pcap { show; OR... on { virtualrouter <value>; } OR... off; OR... delete; OR... view; } } OR... ez { enable; OR... disable; OR... show { counter { index 0-4194304; num-counters 0-40; } OR... session-counter { index 0-4194304; num-counters 0-40; } OR... port { index 0-32;

} OR... throughput; OR... arp; OR... route; OR... session; OR... drop_flag; } OR... set { drop 0|1; } } OR... high-availability-agent { on error|warn|info|debug|dump; OR... off; OR... clear; OR... show; OR... internal-dump; OR... model-check on|off; } OR... ike { global { on { normal; OR... debug; OR... dump; } OR... off; OR... show; } OR... pcap { show; OR... on; OR... off; OR... delete; OR... view; } OR...

socket; OR... stat; } OR... keymgr { on { normal; OR... debug; OR... dump; } OR... off; OR... show; OR... list-sa; } OR... log-receiver { on { normal; OR... debug; OR... dump; } OR... off; OR... show; OR... statistics; } OR... management-server { on error|warn|info|debug|dump; OR... off; OR... clear; OR... show; OR... phased-commit enable|disable|show; OR... client { disable device|ikemgr|dhcpd|ha_agent|routed|npagent|modhttpd; OR... enable device|ikemgr|dhcpd|ha_agent|routed|npagent|modhttpd; } } OR... master-service { on error|warn|info|debug|dump; OR... off;

OR... clear; OR... show; OR... internal-dump; } OR... netconfig-agent { on { dump; OR... debug; OR... info; OR... warn; OR... error; } OR... off; OR... show; } OR... routing { mib <value>; OR... list-mib; OR... fib { flush; OR... stats; } OR... global { on { error; OR... warn; OR... info; OR... debug; OR... dump; } OR... off; OR... show; } OR... pcap { show; OR... ospf {

on { virtualrouter <value>; } OR... off; OR... delete; OR... view; } OR... rip { on { virtualrouter <value>; } OR... off; OR... delete; OR... view; } OR... all { on { virtualrouter <value>; } OR... off; OR... delete; OR... view; } } OR... socket; } OR... software { restart { device-server; OR... management-server; OR... web-server; } } OR... swm { list; OR... command <value>; OR... history; OR... status; OR... unlock;

OR... revert; OR... refresh { content; } } OR... tac-login { permanently-disable; OR... disable; OR... enable; } OR... vardata-receiver { on { normal; OR... debug; OR... dump; } OR... off; OR... show; OR... statistics; } } OR... set { application { dump-unknown on|off; OR... dump { on { limit 1-5000; from <value>; to <value>; source <value>; destination <value>; source-user <value>; destination-user <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; application <value>; rule <value>; } OR... off; } OR... cache yes|no; OR... supernode yes|no;

OR... heuristics yes|no; OR... notify-user yes|no; } OR... cli { pager on|off; OR... scripting-mode on|off; OR... timeout { idle |1-1440; } OR... terminal { type aaa|aaa+dec|aaa+rv|aaa+unk|aaa-18|aaa-18-rv|aaa-20|aaa-22|aaa24|aaa-24-rv|aaa-26|aaa-28|aaa-30-ctxt|aaa-30-rv|aaa-30-rv-ctxt|aaa-30s|aaa-30-s-rv|aaa-36|aaa-36-rv|aaa-40|aaa-40-rv|aaa-48|aaa-48-rv|aaa-60|aaa60-dec-rv|aaa-60-rv|aaa-60-s|aaa-60-s-rv|aaa-db|aaa-rv-unk|aaa-s-ctxt|aaa-srv-ctxt|aas1901|abm80|abm85|abm85e|abm85h|abm85hold|act4|act5|addrinfo|adds980|adm+sgr|adm11|adm1178|adm12|adm1a|adm2|adm20| adm21|adm22|adm3|adm31|adm31-old|adm36|adm3a|adm3a+|adm42|adm42ns|adm5|aepro|aixterm|aixterm-m|aixterm-m-old|aj510|aj830|altoh19|altos2|altos3|altos4|altos7|altos7pc|amiga|amiga-8bit|amiga-h|amigavnc|ampex175|ampex175b|ampex210|ampex219|ampex219w|ampex232|ampex232w|ampex80|annarbor4080|ansi|a nsi+arrows|ansi+csr|ansi+cup|ansi+erase|ansi+idc|ansi+idl|ansi+idl1|ansi+ini ttabs|ansi+local|ansi+local1|ansi+pp|ansi+rca|ansi+rep|ansi+sgr|ansi+sgrbold 
|ansi+sgrdim|ansi+sgrso|ansi+sgrul|ansi+tabs|ansi-color-2-emx|ansi-color-3emx|ansi-emx|ansi-generic|ansi-m|ansi-mini|ansi-mr|ansi-mtabs|ansint|ansi.sys|ansi.sysold|ansi.sysk|ansi77|apollo|apollo_15P|apollo_19L|apollo_color|apple80|apple-ae|apple-soroc|apple-uterm|apple-uterm-vb|apple-videx|applevidex2|apple-videx3|apple-vm80|apple2e|apple2ep|apple80p|appleII|appleIIgs|arm100|arm100w|atari|att2300|att2350|att4410|att4410v1-w|att4415|att4415+nl|att4415nl|att4415-rv|att4415-rv-nl|att4415-w|att4415-w-nl|att4415-w-rv|att4415-wrv-n|att4418|att4418-w|att4420|att4424|att44241|att4424m|att4426|att500|att505|att505-24|att510a|att510d|att5310|att5410w|att5410v1|att5420_2|att5420_2-w|att5425|att5425-nl|att5425w|att5620|att5620-1|att5620-24|att5620-34|att5620-s|att605|att605-pc|att605w|att610|att610-103k|att610-103k-w|att610-w|att615|att615-103k|att615-103kw|att615-w|att620|att620-103k|att620-103k-w|att620-w|att630|att63024|att6386|att700|att730|att730-24|att730-41|att7300|att730r|att730r24|att730r-41|avatar|avatar0|avatar0+|avt|avt+s|avt-ns|avt-rv|avt-rv-ns|avtw|avt-w-ns|avt-w-rv|avt-w-rvns|aws|awsc|bantam|basis|beacon|beehive|beehive3|beehive4|beterm|bg1.25|bg1. 25nv|bg1.25rv|bg2.0|bg2.0rv|bitgraph|blit|bobcat|bq300|bq300-8|bq300-8pc|bq300-8-pc-rv|bq300-8-pc-w|bq300-8-pc-w-rv|bq300-8rv|bq300-8w|bq300pc|bq300-pc-rv|bq300-pc-w|bq300-pc-w-rv|bq300-rv|bq300-w|bq300-w-8rv|bq300w-rv|bsdos-pc|bsdos-pc-m|bsdos-pc-nobold|bsdos-ppc|bsdos-sparc|c100|c100rv|c108|c108-4p|c108-rv|c108-rv-4p|c108-w|ca22851|cad68-2|cad683|cbblit|cbunix|cci|cdc456|cdc721|cdc721esc|cdc721ll|cdc752|cdc756|cg7900|cit101|cit101e|cit101e-132|cit101en|cit101e-n132|cit101e-rv|cit500|cit80|citoh|citoh-6lpi|citoh-8lpi|citohcomp|citoh-elite|citoh-pica|citohprop|coco3|color_xterm|commodore|cons25|cons25-m|cons25l1|cons25l1m|cons25r|cons25r-m|cons25w|cons30|cons30-m|cons43|cons43-m|cons50|cons50-

m|cons50l1|cons50l1-m|cons50r|cons50r-m|cons60|cons60-m|cons60l1|cons60l1m|cons60r|cons60r-m|contel300|contel301|cops10|crt|cs10|cs10w|ct8500|ctrm|cyb110|cyb83|cygwin|cygwinB19|cygwinDBG|d132|d200|d210|d210dg|d211|d211-7b|d211-dg|d216-dg|d216-unix|d216-unix-25|d217-unix|d217-unix25|d220|d220-7b|d220-dg|d230c|d230c-dg|d400|d410|d410-7b|d410-7b-w|d410dg|d410-w|d412-dg|d412-unix|d412-unix-25|d412-unix-s|d412-unix-sr|d412-unixw|d413-unix|d413-unix-25|d413-unix-s|d413-unix-sr|d413-unix-w|d414unix|d414-unix-25|d414-unix-s|d414-unix-sr|d414-unix-w|d430c-dg|d430c-dgccc|d430c-unix|d430c-unix-25|d430c-unix-25-ccc|d430c-unix-ccc|d430c-unixs|d430c-unix-s-ccc|d430c-unix-sr|d430c-unix-sr-ccc|d430c-unix-w|d430c-unixw-ccc|d470c|d470c-7b|d470c-dg|d555|d555-7b|d555-7b-w|d555-dg|d555w|d577|d577-7b|d577-7b-w|d577-dg|d577-w|d578|d578-7b|d800|ddr|dec-vt100|decvt220|decansi|delta|dg+ccc|dg+color|dg+color8|dg+fixed|dggeneric|dg200|dg210|dg211|dg450|dg460-ansi|dg6053|dg6053old|dgkeys+11|dgkeys+15|dgkeys+7b|dgkeys+8b|dgmode+color|dgmode+color8|dguni x+ccc|dgunix+fixed|diablo1620|diablo1620-m8|diablo1640|diablo1640lm|diablo1740-lm|digilog|djgpp|djgpp203|djgpp204|dku7003|dku7003dumb|dku7102old|dku7202|dm1520|dm2500|dm3025|dm3045|dm80|dm80w|dmchat|dmterm|dp3360|dp82 42|dt100|dt100w|dt110|dt80sas|dtc300s|dtc382|dtterm|dumb|dw1|dw2|dw3|dw4|dwk|ecma+color|ecma+sgr|elks| 
elks-ansi|elks-glasstty|elks-vt52|emu|emu-220|emxbase|env230|ep40|ep48|ergo4000|esprit|espritam|Eterm|eterm|ex155|excel62|excel62-rv|excel62-w|f100|f100-rv|f110|f11014|f110-14w|f110-w|f1720|f200|f200-w|f200vi|f200vi-w|falco|falcop|fos|fox|gator|gator-52|gator-52t|gator-t|gigi|glasstty|gnome|gnomerh62|gnome-rh72|gnome-rh80|gnome-rh90|go140|go140w|go225|graphos|graphos30|gs6300|gsi|gt40|gt42|guru|guru+rv|guru+s|guru-24|guru-44|guru-44-s|guru76|guru-76-lp|guru-76-s|guru-76-w|guru-76-w-s|guru-76-wm|guru-nctxt|gururv|guru-s|h19|h19-a|h19-bs|h19-g|h19-u|h19us|h19k|ha8675|ha8686|hazel|hds200|hft-c|hft-c-old|hftold|hirez100|hirez100w|hmod1|hp+arrows|hp+color|hp+labels|hp+pfk+arrows|hp+pfk+cr|hp+pfkcr|hp+printer|hp110|hp150|hp2|hp236|hp2382a|hp2392|hp2397a|hp2621|hp262148|hp2621-a|hp2621-ba|hp2621-fl|hp2621-k45|hp2621-nl|hp2621nt|hp2621b|hp2621b-kx|hp2621b-kx-p|hp2621b-p|hp2621p|hp2621pa|hp2622|hp2623|hp2624|hp2624-10p|hp2624b-10p-p|hp2624b-p|hp2626|hp262612|hp2626-12-s|hp2626-12x40|hp2626-ns|hp2626-s|hp2626-x40|hp2627a|hp2627arev|hp2627c|hp262x|hp2640a|hp2640b|hp2641a|hp2645|hp2648|hp300h|hp700wy|hp70092|hp9837|hp9845|hp98550|hpansi|hpex|hpgeneric|hpsub|hpterm|hurd|hz1 
000|hz1420|hz1500|hz1510|hz1520|hz1520-noesc|hz1552|hz1552rv|hz2000|i100|i400|ibcs2|ibm+16color|ibm+color|ibm-apl|ibm-pc|ibmsystem1|ibm3101|ibm3151|ibm3161|ibm3161C|ibm3162|ibm3164|ibm327x|ibm5081|ibm5081-c|ibm5151|ibm5154|ibm6153|ibm615340|ibm6153-90|ibm6154|ibm6155|ibm8503|ibm8512|ibm8514|ibm8514c|ibmaed|ibmapa8c|ibmapa8c-c|ibmega|ibmegac|ibmmono|ibmpc|ibmpc3|ibmpcx|ibmvga|ibmvga-c|icl6404|icl6404-w|ifmr|imsansi|ims950|ims950-b|ims950-rv|infoton|interix|interixnti|intertube|intertube2|intext|intext2|iris-ansi|iris-ansi-ap|iriscolor|jaixterm|jaixterm-m|kaypro|kermit|kermitam|klone+acs|klone+color|klone+koi8acs|klone+sgr|klone+sgrdumb|konsole|konsole-16color|konsole-base|konsole-linux|konsolevt100|konsole-vt420pc|konsole-xf3x|konsole-xf4x|kt7|kt7ix|kterm|ktermcolor|kvt|lft|linux|linux-basic|linux-c|linux-c-nc|linux-koi8|linuxkoi8r|linux-lat|linux-m|linux-nic|linux-vt|lisa|lisaterm|lisatermw|liswb|ln03|ln03-w|lpr|luna|m2-nam|mac|mac-w|mach|mach-bold|machcolor|mai|masscomp|masscomp1|masscomp2|megatek|memhp|mgr|mgr-linux|mgrsun|mgterm|microb|mime|mime-fb|mime-hb|mime2a|mime2as|mime314|mime3a|mime3ax|minitel1|minitel1b|minitel1b-80|minix|minix-

old|minix-old-am|mlterm|mm340|modgraph|modgraph2|modgraph48|monoemx|morphos|ms-vt-utf8|ms-vt100|ms-vt100+|ms-vt100color|msk227|msk22714|msk227am|mt4520-rv|mt70|mterm|mtermansi|MtxOrb|MtxOrb162|MtxOrb204|mvterm|nansi.sys|nansi.sysk|ncr160vppp|ncr16 0vpwpp|ncr160vt100an|ncr160vt100pp|ncr160vt100wan|ncr160vt100wpp|ncr160vt200 an|ncr160vt200pp|ncr160vt200wan|ncr160vt200wpp|ncr160vt300an|ncr160vt300pp|n cr160vt300wan|ncr160vt300wpp|ncr160wy50+pp|ncr160wy50+wpp|ncr160wy60pp|ncr16 0wy60wpp|ncr260intan|ncr260intpp|ncr260intwan|ncr260intwpp|ncr260vppp|ncr260 vpwpp|ncr260vt100an|ncr260vt100pp|ncr260vt100wan|ncr260vt100wpp|ncr260vt200a n|ncr260vt200pp|ncr260vt200wan|ncr260vt200wpp|ncr260vt300an|ncr260vt300pp|nc r260vt300wan|NCR260VT300WPP|ncr260wy325pp|ncr260wy325wpp|ncr260wy350pp|ncr26 0wy350wpp|ncr260wy50+pp|ncr260wy50+wpp|ncr260wy60pp|ncr260wy60wpp|ncr7900i|n cr7900iv|ncr7901|ncrvt100an|ncrvt100wan|ncsa|ncsa-m|ncsa-m-ns|ncsa-ns|ncsavt220|nec5520|newhp|newhpkeyboard|news-29|news-29-euc|news-29-sjis|news33|news-33-euc|news-33-sjis|news-42|news-42-euc|news-42-sjis|news-oldunk|newsunk|news28|news29|next|nextshell|northstar|nsterm|nsterm+7|nsterm+acs|nsterm +c|nsterm+c41|nsterm+mac|nsterm+s|nsterm-7|nsterm-7-c|nsterm-acs|nstermc|nsterm-c-acs|nsterm-c-s|nsterm-c-s-7|nsterm-c-s-acs|nsterm-m|nsterm-m7|nsterm-m-acs|nsterm-m-s|nsterm-m-s-7|nsterm-m-s-acs|nsterm-s|nsterm-s7|nsterm-s-acs|nwp511|nwp512|nwp512-a|nwp512-o|nwp513|nwp513-a|nwp513o|nwp517|nwp517-w|oblit|oc100|ofcons|oldpc3|oldsun|omron|opennt-100|opennt100-nti|opennt-35|opennt-35-nti|opennt-35-w|opennt-50|opennt-50-nti|opennt50-w|opennt-60|opennt-60-nti|opennt-60-w|opennt-w|opennt-wvt|opus3n1+|origpc3|osborne|osbornew|osexec|otek4112|otek4115|owl|p19|p8gl|pc-coherent|pc-minix|pcvenix|pc3|pc6300plus|pcansi|pcansi-25|pcansi-25-m|pcansi-33|pcansi-33m|pcansi-43|pcansi-43-m|pcansim|pccons|pcix|pckermit|pckermit120|pcmw|pcplot|pcvt25|pcvt25color|pcvt25w|pcvt28|pcvt28w|pcvt35|pcvt35w|pcvt40|pcvt40w|pcvt43|pcvt43w|pc 
vt50|pcvt50w|pcvtXX|pe1251|pe7000c|pe7000m|pilot|pmcons|prism12|prism12m|prism12-m-w|prism12-w|prism14|prism14-m|prism14-m-w|prism14w|prism2|prism4|prism5|prism7|prism8|prism8-w|prism9|prism9-8|prism9-8w|prism9-w|pro350|ps300|psterm|psterm-80x24|psterm-90x28|psterm96x48|psterm-fast|pt100|pt100w|pt210|pt250|pt250w|pty|putty|qansi|qansig|qansi-m|qansi-t|qansiw|qdss|qnx|qnxm|qnxt|qnxt2|qnxtmono|qnxw|qume5|qvt101|qvt101+|qvt102|qvt103| qvt103-w|qvt119+|qvt119+-25|qvt119+-25-w|qvt119+-w|qvt203|qvt203-25|qvt20325-w|qvt203-w|rbcomm|rbcomm-nam|rbcomm-w|rca|rcons|rconscolor|regent|regent100|regent20|regent25|regent40|regent40+|regent60|rt6221| rt6221-w|rtpc|rxvt|rxvt+pcfkeys|rxvt-16color|rxvt-basic|rxvt-color|rxvtcygwin|rxvt-cygwin-native|rxvt-xpm|sb1|sb2|sbi|scanset|scoansi|scoansinew|scoansi-old|screen|screen-bce|screen-s|screenw|screen.linux|screen.teraterm|screen.xterm-r6|screen.xtermxfree86|screen2|screen3|screwpoint|scrhp|sibo|simterm|soroc120|soroc140|st52 |sun|sun-1|sun-12|sun-17|sun-24|sun-34|sun-48|sun-c|sun-cgsix|sun-e|sun-es|sun-il|sun-s|sun-type4|superbeexsb|superbeeic|superbrain|swtp|synertek|t10|t1061|t1061f|t16|t3700|t3800|tab 132|tab132-rv|tab132-w|tab132-wrv|tandem6510|tandem653|tek|tek4013|tek4014|tek4014-sm|tek4015|tek4015sm|tek4023|tek4024|tek4025-17|tek4025-17-ws|tek4025-cr|tek4025ex|tek4025a|tek4025ex|tek4105|tek410530|tek4105a|tek4106brl|tek4107|tek4112|tek4112-5|tek4112-nd|tek4113|tek411334|tek4113-nd|tek4115|tek4125|tek4205|tek4207|tek4207s|tek4404|teletec|teraterm|terminet1200|ti700|ti916|ti916-132|ti916-8|ti9168-132|ti924|ti924-8|ti924-8w|ti924w|ti926|ti926-8|ti928|ti9288|ti931|ti_ansi|trs16|trs2|ts100|ts100-ctxt|tt|tt50522|tty33|tty37|tty40|tty43|tvi803|tvi9065|tvi910|tvi910+|tvi912|tvi912b|tvi9 12b+2p|tvi912b+dim|tvi912b+mc|tvi912b+printer|tvi912b+vb|tvi912b-2p|tvi912b-

2p-mc|tvi912b-2p-p|tvi912b-2p-unk|tvi912b-mc|tvi912b-p|tvi912b-unk|tvi912bvb|tvi912b-vb-mc|tvi912b-vb-p|tvi912b-vbunk|tvi912cc|tvi920b|tvi920b+fn|tvi920b-2p|tvi920b-2p-mc|tvi920b-2pp|tvi920b-2p-unk|tvi920b-mc|tvi920b-p|tvi920b-unk|tvi920b-vb|tvi920b-vbmc|tvi920b-vb-p|tvi920b-vb-unk|tvi921|tvi924|tvi925|tvi925hi|tvi92B|tvi92D|tvi950|tvi950-2p|tvi950-4p|tvi950-rv|tvi950-rv-2p|tvi950rv-4p|tvi955|tvi955-hb|tvi955-w|tvi970|tvi970-2p|tvi970-vb|tvipt|twsgeneric|tws2102-sna|tws2103|tws2103sna|uniterm|unknown|uts30|uwin|v3220|v5410|vanilla|vc303|vc303a|vc404|vc404s|vc414|vc415|versaterm|vi200|vi200-f|vi200-rv|vi300|vi300old|vi50|vi500|vi50adm|vi55|vi550|vi603|viewpoint|vip|vip-H|vip-Hw|vipw|visa50|vp3a+|vp60|vp90|vremote|vsc|vt100|vt100+fnkeys|vt100+keypad|vt100+p fkeys|vt100-nav|vt100-nav-w|vt100-putty|vt100-s|vt100-s-bot|vt100-vb|vt100w|vt100-w-nam|vt100nam|vt102|vt102-nsgr|vt102-w|vt125|vt131|vt132|vt200js|vt220|vt220+keypad|vt220-8bit|vt220-nam|vt220-old|vt220w|vt220d|vt320|vt320-k3|vt320-k311|vt320-nam|vt320-w|vt320-wnam|vt320nam|vt340|vt400|vt420|vt420f|vt420pc|vt420pcdos|vt50|vt50h|vt510|vt 510pc|vt510pcdos|vt52|vt520|vt525|vt61|wsiris|wsvt25|wsvt25m|wy100|wy100q|wy 
120|wy120-25|wy120-25-w|wy120-vb|wy120-w|wy120-w-vb|wy160|wy160-25|wy160-25w|wy160-42|wy160-42-w|wy160-43|wy160-43-w|wy160-tek|wy160-vb|wy160-w|wy160w-vb|wy185|wy185-24|wy185-vb|wy185-w|wy185-wvb|wy30|wy30-mc|wy30vb|wy325|wy325-25|wy325-25w|wy325-42|wy325-42w|wy325-42w-vb|wy325-43|wy32543w|wy325-43w-vb|wy325-vb|wy325-w|wy325-w-vb|wy350|wy350-vb|wy350-w|wy350wvb|wy370|wy370-105k|wy370-EPC|wy370-nk|wy370-rv|wy370-tek|wy370-vb|wy370w|wy370-wvb|wy50|wy50-mc|wy50-vb|wy50-w|wy50-wvb|wy520|wy520-24|wy52036|wy520-36pc|wy520-36w|wy520-36wpc|wy520-48|wy520-48pc|wy520-48w|wy52048wpc|wy520-epc|wy520-epc-24|wy520-epc-vb|wy520-epc-w|wy520-epc-wvb|wy520vb|wy520-w|wy520-wvb|wy60|wy60-25|wy60-25-w|wy60-42|wy60-42-w|wy60-43|wy6043-w|wy60-vb|wy60-w|wy60-w-vb|wy75|wy75-mc|wy75-vb|wy75-w|wy75wvb|wy75ap|wy85|wy85-8bit|wy85-vb|wy85-w|wy85-wvb|wy99-ansi|wy99aansi|wy99f|wy99fa|wy99gt|wy99gt-25|wy99gt-25-w|wy99gt-tek|wy99gt-vb|wy99gtw|wy99gt-w-vb|wysevp|x10term|x68k|xerox1720|xerox820|xnuppc|xnuppc+100x37|xnuppc+112x37|xnuppc +128x40|xnuppc+128x48|xnuppc+144x48|xnuppc+160x64|xnuppc+200x64|xnuppc+200x7 5|xnuppc+256x96|xnuppc+80x25|xnuppc+80x30|xnuppc+90x30|xnuppc+b|xnuppc+basic 
|xnuppc+c|xnuppc+f|xnuppc+f2|xnuppc-100x37|xnuppc-100x37-m|xnuppc112x37|xnuppc-112x37-m|xnuppc-128x40|xnuppc-128x40-m|xnuppc-128x48|xnuppc128x48-m|xnuppc-144x48|xnuppc-144x48-m|xnuppc-160x64|xnuppc-160x64-m|xnuppc200x64|xnuppc-200x64-m|xnuppc-200x75|xnuppc-200x75-m|xnuppc-256x96|xnuppc256x96-m|xnuppc-80x25|xnuppc-80x25-m|xnuppc-80x30|xnuppc-80x30-m|xnuppc90x30|xnuppc-90x30-m|xnuppc-b|xnuppc-f|xnuppc-f2|xnuppc-m|xnuppc-m-b|xnuppcm-f|xnuppc-m-f2|xtalk|xterm|xterm+pcfkeys|xterm+sl|xterm+sl-twm|xterm1002|xterm-1003|xterm-16color|xterm-24|xterm-256color|xterm-88color|xterm8bit|xterm-basic|xterm-bold|xterm-color|xterm-hp|xterm-new|xterm-nic|xtermnoapp|xterm-pcolor|xterm-r5|xterm-r6|xterm-sco|xterm-sun|xterm-vt220|xtermvt52|xterm-xf86-v32|xterm-xf86-v33|xterm-xf86-v333|xterm-xf86-v40|xtermxf86-v43|xterm-xf86-v44|xterm-xfree86|xterm-xi|xterm1|xtermc|xtermm|xtermssun|z100|z100bw|z29|z29a|z29a-kc-uc|z29a-nkc-bc|z29a-nkc-uc|z340|z340nam|z39-a|zen30|zen50|ztx; OR... width 1-500; OR... height 1-500; } } OR... clock { date <value>; time <value>;

} OR... data-access-password <value>; OR... logging { max-log-rate 0-50000; OR... max-packet-rate 0-2560; OR... log-suppression yes|no; OR... default; } OR... management-server { unlock { admin <value>; } OR... logging on|off|import-start|import-end; } OR... multi-vsys on|off; OR... panorama on|off; OR... password; OR... proxy { skip-proxy yes|no; OR... skip-ssl yes|no; OR... answer-timeout 1-86400; OR... notify-user yes|no; } OR... session { timeout-tcp 1-15999999; OR... timeout-udp 1-15999999; OR... timeout-icmp 1-15999999; OR... timeout-default 1-15999999; OR... timeout-tcpinit 1-60; OR... timeout-tcpwait 1-60; OR... timeout-scan 5-30; OR... scan-threshold 50-99; OR... scan-scaling-factor 2-16; OR... accelerated-aging-enable yes|no; OR...

accelerated-aging-threshold 50-99; OR... accelerated-aging-scaling-factor 2-16; OR... tcp-reject-non-syn yes|no; OR... offload yes|no; OR... default; } OR... shared-policy enable|disable|import-and-disable; OR... target-vsys <value>; OR... zip { enable yes|no; } } OR... request { certificate { self-signed { for-use-by web-interface|ssl-decryption|ssl-untrusted; passphrase <value>; name <value>; nbits 1024|512; country-code <value>; state <value>; locality <value>; organization <value>; organization-unit <value>; email <value>; } OR... install { for-use-by { web-interface { passphrase <value>; key <value>; certificate <value>; } OR... ssl-decryption { passphrase <value>; key <value>; certificate <value>; } OR... ssl-untrusted { passphrase <value>; key <value>; certificate <value>; } OR... reverse-proxy { passphrase <value>; key <value>; certificate <value>;

name <value>; } } } OR... verify { for-use-by { web-interface { passphrase <value>; key <value>; certificate <value>; } } } } OR... comfort-page { install application-block-page|url-block-page|spyware-block-page|virus-block-page|file-block-page; } OR... content { downgrade { install <value>; } OR... upgrade { info; OR... check; OR... download latest; OR... install { latest { no-commit; } OR... file <value>; } } } OR... data-filtering { access-password { create { password <value>; } OR... modify { old-password <value>; new-password <value>; } OR... delete; } } OR... device-registration {

username <value>; password <value>; } OR... high-availability { sync-to-remote { candidate-config; OR... running-config; OR... disk-state; OR... runtime-state; OR... clock; } OR... state { suspend; OR... functional; } OR... clear-alarm-led; } OR... license { info; OR... fetch { auth-code <value>; } OR... install <value>; } OR... restart { system; OR... software; OR... dataplane; } OR... ssl-optout-text { install; } OR... support { info; OR... check; } OR... system { software { info; OR... check;

OR... download { version <value>; OR... file <value>; } OR... install { version <value>; OR... file <value>; } } OR... factory-reset; } OR... url-filtering { upgrade; } } OR... check { data-access-passwd { system; } OR... pending-changes; } OR... save { config { to <value>; } } OR... scp { export { configuration { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... packet-log { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... pdf-reports { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR...

filter { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... application { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... trusted-ca-certificate { to <value>; remote-port 1-65535; source-ip <ip>; } OR... web-interface-certificate { to <value>; remote-port 1-65535; source-ip <ip>; } OR... logdb { to <value>; remote-port 1-65535; source-ip <ip>; } OR... log { traffic { start-time { equal <value>; } end-time { equal <value>; } to <value>; remote-port 1-65535; source-ip <ip>; } OR... threat { start-time { equal <value>; } end-time { equal <value>; } to <value>; remote-port 1-65535; source-ip <ip>; } } OR... stats-dump {

to <value>; remote-port 1-65535; source-ip <ip>; } OR... tech-support { to <value>; remote-port 1-65535; source-ip <ip>; } OR... core-file { control-plane { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... data-plane { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } } OR... log-file { control-plane { to <value>; remote-port 1-65535; source-ip <ip>; } OR... data-plane { to <value>; remote-port 1-65535; source-ip <ip>; } } OR... ssl-optout-text { to <value>; remote-port 1-65535; source-ip <ip>; } OR... captive-portal-text { to <value>; remote-port 1-65535; source-ip <ip>; } OR... url-coach-text { to <value>; remote-port 1-65535; source-ip <ip>; } OR...

Palo Alto Networks

233

file-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... application-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... url-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... virus-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... spyware-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... debug-pcap { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } } OR... import { configuration { from <value>; remote-port 1-65535; source-ip <ip>; } OR... ssl-decryption-certificate { from <value>; remote-port 1-65535; source-ip <ip>; } OR... private-key { from <value>; remote-port 1-65535; source-ip <ip>; } OR... web-interface-certificate { from <value>;

234

Palo Alto Networks

remote-port 1-65535; source-ip <ip>; } OR... trusted-ca-certificate { from <value>; remote-port 1-65535; source-ip <ip>; } OR... logdb { from <value>; remote-port 1-65535; source-ip <ip>; } OR... license { from <value>; remote-port 1-65535; source-ip <ip>; } OR... content { from <value>; remote-port 1-65535; source-ip <ip>; } OR... software { from <value>; remote-port 1-65535; source-ip <ip>; } OR... reverse-proxy-key { from <value>; remote-port 1-65535; source-ip <ip>; } OR... ssl-optout-text { from <value>; remote-port 1-65535; source-ip <ip>; } OR... captive-portal-text { from <value>; remote-port 1-65535; source-ip <ip>; } OR... url-coach-text { from <value>; remote-port 1-65535; source-ip <ip>; } OR... application-block-page {

Palo Alto Networks

235

from <value>; remote-port 1-65535; source-ip <ip>; } OR... url-block-page { from <value>; remote-port 1-65535; source-ip <ip>; } OR... file-block-page { from <value>; remote-port 1-65535; source-ip <ip>; } OR... virus-block-page { from <value>; remote-port 1-65535; source-ip <ip>; } OR... spyware-block-page { from <value>; remote-port 1-65535; source-ip <ip>; } } } OR... tftp { export { configuration { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... packet-log { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... filter { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... application { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>;

236

Palo Alto Networks

} OR... trusted-ca-certificate { to <value>; remote-port 1-65535; source-ip <ip>; } OR... web-interface-certificate { to <value>; remote-port 1-65535; source-ip <ip>; } OR... stats-dump { to <value>; remote-port 1-65535; source-ip <ip>; } OR... tech-support { to <value>; remote-port 1-65535; source-ip <ip>; } OR... core-file { control-plane { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... data-plane { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } } OR... log-file { control-plane { to <value>; remote-port 1-65535; source-ip <ip>; } OR... data-plane { to <value>; remote-port 1-65535; source-ip <ip>; } } OR... ssl-optout-text { to <value>; remote-port 1-65535;

Palo Alto Networks

237

source-ip <ip>; } OR... captive-portal-text { to <value>; remote-port 1-65535; source-ip <ip>; } OR... url-coach-text { to <value>; remote-port 1-65535; source-ip <ip>; } OR... file-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... application-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... url-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... virus-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... spyware-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... debug-pcap { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } } OR... import { configuration { from <value>; file <value>; remote-port 1-65535; source-ip <ip>;

238

Palo Alto Networks

} OR... ssl-decryption-certificate { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... private-key { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... web-interface-certificate { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... trusted-ca-certificate { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... license { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... content { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... software { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... ssl-optout-text { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... captive-portal-text {

Palo Alto Networks

239

from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... url-coach-text { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... file-block-page { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... application-block-page { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... url-block-page { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... virus-block-page { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... spyware-block-page { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } } } OR... load { config { from <value>; OR... version <value>; } } OR... download {

240

Palo Alto Networks

custom-report { report-name <value>; file-name <value>|; format csv|pdf|xml; } OR... dlplog { file <value>; } OR... generic { file <value>; } OR... pktlog { file <value>; } OR... report { report-name <value>; file-name <value>|; format csv|pdf|xml; } OR... summary-report { report-name <value>; file-name <value>|; } } OR... test { cp-policy-match { from <value>; to <value>; source <value>; destination <value>; } OR... nat-policy-match { from <value>; to <value>; source <value>; destination <value>; protocol 1-255; source-port 1-65535; destination-port 1-65535; protocol 1-255; } OR... routing { fib-lookup { ip <ip>; virtual-router <value>; } } OR... security-policy-match { from <value>; to <value>;

Palo Alto Networks

241

source <value>; destination <value>; destination-port 1-65535; source-user <value>; protocol 1-255; show-all yes|no; application <value>; } OR... ssl-policy-match { from <value>; to <value>; source <value>; destination <value>; category <value>; } OR... vpn { ike-sa { gateway <value>; } OR... ipsec-sa { tunnel <value>; } } } OR... less { mp-log <pathname>; OR... dp-log <pathname>; OR... mp-backtrace <pathname>; OR... dp-backtrace <pathname>; OR... webserver-log <pathname>; OR... custom-page <pathname>; } OR... grep { mp-log <pathname>; OR... dp-log <pathname>; after-context 1-65535; before-context 1-65535; context 1-65535; count yes|no; ignore-case yes|no; invert-match yes|no; line-number yes|no; max-count 1-65535; no-filename yes|no; pattern <value>; } OR... ping {

242

Palo Alto Networks

bypass-routing yes|no; count 1-2000000000; do-not-fragment yes|no; host <value>; inet yes|no; interval 1-2000000000; no-resolve yes|no; pattern <value>; record-route yes|no; size 0-65468; source <value>; tos 1-255; ttl 1-255; verbose yes|no; wait 1-99999; } OR... ssh { host <value>; inet yes|no; port 0-65535; source <value>; v1 yes|no; v2 yes|no; } OR... tail { mp-log <pathname>; OR... dp-log <pathname>; OR... webserver-log <pathname>; follow yes|no; lines 1-65535; } OR... view-pcap { application-pcap <pathname>; OR... filter-pcap <pathname>; OR... threat-pcap <pathname>; OR... debug-pcap <pathname>; absolute-seq yes|no; delta yes|no; hex yes|no; hex-ascii yes|no; hex-ascii-link yes|no; hex-link yes|no; link-header yes|no; no-dns-lookup yes|no; no-port-lookup yes|no; no-qualification yes|no; no-timestamp yes|no; timestamp yes|no; undecoded-NFS yes|no; unformatted-timestamp yes|no; verbose yes|no;

Palo Alto Networks

243

verbose+ yes|no; verbose++ yes|no; } OR... telnet { 8bit yes|no; host <value>; port 0-65535; } OR... traceroute { base-udp-port 1-65535; bypass-routing yes|no; debug-socket yes|no; do-not-fragment yes|no; first-ttl 1-255; gateway <ip/netmask>; host <value>; max-ttl 1-255; no-resolve yes|no; pause 1-2000000000; source <value>; toggle-ip-checksums yes|no; tos 1-255; verbose yes|no; wait 1-99999; } OR... netstat { all yes|no; cache yes|no; continuous yes|no; extend yes|no; fib yes|no; groups yes|no; interfaces yes|no; listening yes|no; masquerade yes|no; numeric yes|no; numeric-hosts yes|no; numeric-ports yes|no; numeric-users yes|no; programs yes|no; route yes|no; statistics yes|no; symbolic yes|no; timers yes|no; verbose yes|no; } }


Panorama Hierarchy
config {
  predefined;
  mgt-config {
    users {
      REPEAT... <name> {
        phash <value>;
        remote-authentication radius;
        preferences { disable-dns yes|no; }
        permissions {
          role-based { superreader yes; OR... superuser yes; OR... panorama-admin yes; }
        }
      }
    }
    devices {
      REPEAT... <name> { hostname <value>; ip <ip>; }
    }
  }
  devices {
    REPEAT... <name> {
      deviceconfig {
        system {
          hostname <value>;
          domain <value>;
          ip-address <ip>;
          netmask <ip>;
          default-gateway <ip>;
          radius-server <ip>;
          radius-secret <value>;
          dns-primary <ip>;
          dns-secondary <ip>;
          ntp-server-1 <value>;
          ntp-server-2 <value>;
          update-server <value>;
          secure-proxy-server <value>;
          secure-proxy-port 1-65535;
          service { disable-http yes|no; disable-https yes|no; disable-telnet yes|no; disable-ssh yes|no; disable-icmp yes|no; }
          timezone W-SU|CST6CDT|Japan|Portugal|Hongkong|Mideast|Mideast/Riyadh87|Mideast/Riyadh88|Mideast/Riyadh89|Eire|Poland|Factory|GB-Eire|America|America/Port_of_Spain|America/Indiana|America/Indiana/Vevay|America/Indiana/Indianapolis|America/Indiana/Marengo|America/Indiana/Knox|America/St_Johns|America/Grand_Turk|America/Tijuana|America/Toronto|America/Araguaina|America/Virgin|America/El_Salvador|America/Coral_Harbour|America/Jujuy|America/Mexico_City|America/Guyana|America/Cayman|America/Ensenada|America/Fortaleza|America/Iqaluit|America/Boa_Vista|America/Chihuahua|America/Nome|America/Cancun|America/Cayenne|America/Recife|America/Panama|America/Caracas|America/Costa_Rica|America/Cambridge_Bay|America/Martinique|America/Yellowknife|America/Godthab|America/Sao_Paulo|America/Edmonton|America/Fort_Wayne|America/Danmarkshavn|America/Barbados|America/Dawson|America/Thunder_Bay|America/Tegucigalpa|America/Chicago|America/Guadeloupe|America/Grenada|America/Anguilla|America/Kentucky|America/Kentucky/Monticello|America/Kentucky/Louisville|America/Argentina|America/Argentina/Jujuy|America/Argentina/Ushuaia|America/Argentina/Catamarca|America/Argentina/San_Juan|America/Argentina/Mendoza|America/Argentina/La_Rioja|America/Argentina/Buenos_Aires|America/Argentina/Tucuman|America/Argentina/ComodRivadavia|America/Argentina/Cordoba|America/Argentina/Rio_Gallegos|America/Mazatlan|America/Regina|America/Montevideo|America/Catamarca|America/Los_Angeles|America/Campo_Grande|America/Aruba|America/Manaus|America/Knox_IN|America/Rosario|America/St_Lucia|America/Hermosillo|America/Denver|America/Detroit|America/Santiago|America/Shiprock|America/Cuiaba|America/Dominica|America/Porto_Acre|America/Curacao|America/Belize|America/Merida|America/Swift_Current|America/Antigua|America/Adak|America/Indianapolis|America/Belem|America/Miquelon|America/Louisville|America/Bogota|America/New_York|America/Boise|America/Scoresbysund|America/Mendoza|America/Goose_Bay|America/Yakutat|America/Eirunepe|America/Winnipeg|America/Buenos_Aires|America/Menominee|America/Paramaribo|America/Thule|America/Montreal|America/Jamaica|America/Monterrey|America/St_Thomas|America/Rio_Branco|America/Lima|America/Juneau|America/La_Paz|America/Vancouver|America/Rankin_Inlet|America/Puerto_Rico|America/St_Kitts|America/Halifax|America/Guayaquil|America/Inuvik|America/Noronha|America/Nassau|America/Port-au-Prince|America/Guatemala|America/Glace_Bay|America/Nipigon|America/Cordoba|America/Bahia|America/Asuncion|America/Maceio|America/Atka|America/North_Dakota|America/North_Dakota/Center|America/Managua|America/Anchorage|America/Montserrat|America/Tortola|America/Dawson_Creek|America/Santo_Domingo|America/Pangnirtung|America/Whitehorse|America/St_Vincent|America/Porto_Velho|America/Havana|America/Phoenix|America/Rainy_River|Indian|Indian/Christmas|Indian/Reunion|Indian/Comoro|Indian/Cocos|Indian/Mauritius|Indian/Antananarivo|Indian/Mahe|Indian/Mayotte|Indian/Kerguelen|Indian/Chagos|Indian/Maldives|GMT0|Canada|Canada/Yukon|Canada/Saskatchewan|Canada/Central|Canada/Eastern|Canada/East-Saskatchewan|Canada/Atlantic|Canada/Pacific|Canada/Mountain|Canada/Newfoundland|MET|ROK|US|US/Alaska|US/East-Indiana|US/Central|US/Eastern|US/Samoa|US/Arizona|US/Pacific|US/Aleutian|US/Hawaii|US/Mountain|US/Michigan|US/Indiana-Starke|MST|Mexico|Mexico/BajaSur|Mexico/General|Mexico/BajaNorte|EST5EDT|Atlantic|Atlantic/Madeira|Atlantic/Cape_Verde|Atlantic/St_Helena|Atlantic/Stanley|Atlantic/South_Georgia|Atlantic/Jan_Mayen|Atlantic/Azores|Atlantic/Reykjavik|Atlantic/Canary|Atlantic/Faeroe|Atlantic/Bermuda|HST|Antarctica|Antarctica/McMurdo|Antarctica/Davis|Antarctica/South_Pole|Antarctica/Vostok|Antarctica/Rothera|Antarctica/Mawson|Antarctica/DumontDUrville|Antarctica/Palmer|Antarctica/Casey|Antarctica/Syowa|UTC|Iceland|Pacific|Pacific/Honolulu|Pacific/Truk|Pacific/Niue|Pacific/Wake|Pacific/Apia|Pacific/Majuro|Pacific/Norfolk|Pacific/Efate|Pacific/Enderbury|Pacific/Palau|Pacific/Saipan|Pacific/Nauru|Pacific/Kiritimati|Pacific/Tahiti|Pacific/Guam|Pacific/Tongatapu|Pacific/Fiji|Pacific/Rarotonga|Pacific/Samoa|Pacific/Fakaofo|Pacific/Guadalcanal|Pacific/Port_Moresby|Pacific/Midway|Pacific/Galapagos|Pacific/Yap|Pacific/Johnston|Pacific/Marquesas|Pacific/Noumea|Pacific/Auckland|Pacific/Gambier|Pacific/Kwajalein|Pacific/Kosrae|Pacific/Wallis|Pacific/Easter|Pacific/Chatham|Pacific/Funafuti|Pacific/Pago_Pago|Pacific/Tarawa|Pacific/Pitcairn|Pacific/Ponape|EET|EST|Greenwich|GMT|Cuba|Brazil|Brazil/Acre|Brazil/East|Brazil/DeNoronha|Brazil/West|Turkey|Arctic|Arctic/Longyearbyen|NZ-CHAT|Zulu|Israel|Jamaica|Etc|Etc/GMT-14|Etc/GMT+6|Etc/GMT-10|Etc/GMT-2|Etc/GMT-8|Etc/GMT+4|Etc/GMT0|Etc/GMT-12|Etc/GMT+11|Etc/GMT-11|Etc/GMT+12|Etc/UTC|Etc/GMT-3|Etc/Greenwich|Etc/GMT-9|Etc/GMT|Etc/GMT+2|Etc/Zulu|Etc/GMT-4|Etc/GMT+7|Etc/GMT+1|Etc/GMT+8|Etc/GMT-7|Etc/GMT-6|Etc/GMT+10|Etc/GMT-5|Etc/GMT+0|Etc/GMT-1|Etc/GMT+3|Etc/GMT+5|Etc/GMT-13|Etc/UCT|Etc/Universal|Etc/GMT+9|Etc/GMT-0|NZ|Europe|Europe/Vienna|Europe/Athens|Europe/Tiraspol|Europe/Lisbon|Europe/Rome|Europe/Bratislava|Europe/Andorra|Europe/Sofia|Europe/Kaliningrad|Europe/Zurich|Europe/Belfast|Europe/Oslo|Europe/Samara|Europe/Malta|Europe/Chisinau|Europe/Moscow|Europe/Paris|Europe/Minsk|Europe/Zaporozhye|Europe/Amsterdam|Europe/Tallinn|Europe/Uzhgorod|Europe/Brussels|Europe/Vatican|Europe/Vaduz|Europe/San_Marino|Europe/Nicosia|Europe/Berlin|Europe/Vilnius|Europe/Monaco|Europe/Istanbul|Europe/Belgrade|Europe/Stockholm|Europe/Riga|Europe/Madrid|Europe/Gibraltar|Europe/Copenhagen|Europe/Skopje|Europe/Budapest|Europe/Dublin|Europe/Bucharest|Europe/Helsinki|Europe/Prague|Europe/Sarajevo|Europe/London|Europe/Tirane|Europe/Zagreb|Europe/Kiev|Europe/Warsaw|Europe/Ljubljana|Europe/Simferopol|Europe/Mariehamn|Europe/Luxembourg|Singapore|ROC|Kwajalein|Egypt|PST8PDT|GMT+0|Asia|Asia/Kuwait|Asia/Kamchatka|Asia/Thimphu|Asia/Macau|Asia/Gaza|Asia/Thimbu|Asia/Pyongyang|Asia/Vladivostok|Asia/Katmandu|Asia/Sakhalin|Asia/Muscat|Asia/Ashkhabad|Asia/Ulan_Bator|Asia/Riyadh|Asia/Riyadh87|Asia/Calcutta|Asia/Yerevan|Asia/Shanghai|Asia/Baghdad|Asia/Makassar|Asia/Oral|Asia/Hong_Kong|Asia/Jayapura|Asia/Omsk|Asia/Almaty|Asia/Saigon|Asia/Magadan|Asia/Chungking|Asia/Hovd|Asia/Brunei|Asia/Novosibirsk|Asia/Dacca|Asia/Qatar|Asia/Ulaanbaatar|Asia/Krasnoyarsk|Asia/Kuching|Asia/Qyzylorda|Asia/Karachi|Asia/Anadyr|Asia/Yakutsk|Asia/Seoul|Asia/Choibalsan|Asia/Macao|Asia/Samarkand|Asia/Yekaterinburg|Asia/Aqtobe|Asia/Riyadh88|Asia/Nicosia|Asia/Pontianak|Asia/Urumqi|Asia/Irkutsk|Asia/Taipei|Asia/Harbin|Asia/Istanbul|Asia/Colombo|Asia/Tel_Aviv|Asia/Jakarta|Asia/Amman|Asia/Bahrain|Asia/Tokyo|Asia/Chongqing|Asia/Ashgabat|Asia/Singapore|Asia/Aqtau|Asia/Baku|Asia/Bishkek|Asia/Dili|Asia/Tbilisi|Asia/Beirut|Asia/Riyadh89|Asia/Damascus|Asia/Aden|Asia/Dubai|Asia/Manila|Asia/Vientiane|Asia/Tehran|Asia/Kashgar|Asia/Dushanbe|Asia/Kabul|Asia/Bangkok|Asia/Rangoon|Asia/Jerusalem|Asia/Dhaka|Asia/Kuala_Lumpur|Asia/Tashkent|Asia/Phnom_Penh|Asia/Ujung_Pandang|CET|PRC|Africa|Africa/Kinshasa|Africa/Ndjamena|Africa/Mbabane|Africa/Lagos|Africa/El_Aaiun|Africa/Douala|Africa/Kampala|Africa/Mogadishu|Africa/Tripoli|Africa/Conakry|Africa/Niamey|Africa/Asmera|Africa/Khartoum|Africa/Lubumbashi|Africa/Kigali|Africa/Johannesburg|Africa/Blantyre|Africa/Malabo|Africa/Gaborone|Africa/Lome|Africa/Algiers|Africa/Addis_Ababa|Africa/Brazzaville|Africa/Dakar|Africa/Nairobi|Africa/Cairo|Africa/Banjul|Africa/Bamako|Africa/Bissau|Africa/Libreville|Africa/Sao_Tome|Africa/Casablanca|Africa/Timbuktu|Africa/Nouakchott|Africa/Freetown|Africa/Monrovia|Africa/Ceuta|Africa/Dar_es_Salaam|Africa/Lusaka|Africa/Abidjan|Africa/Bujumbura|Africa/Maseru|Africa/Bangui|Africa/Windhoek|Africa/Accra|Africa/Djibouti|Africa/Ouagadougou|Africa/Porto-Novo|Africa/Tunis|Africa/Maputo|Africa/Harare|Africa/Luanda|UCT|GB|Universal|Australia|Australia/Hobart|Australia/Lord_Howe|Australia/Perth|Australia/South|Australia/Yancowinna|Australia/Currie|Australia/Tasmania|Australia/Queensland|Australia/NSW|Australia/Lindeman|Australia/Melbourne|Australia/Adelaide|Australia/Victoria|Australia/Canberra|Australia/West|Australia/Brisbane|Australia/Broken_Hill|Australia/Darwin|Australia/ACT|Australia/North|Australia/Sydney|Australia/LHI|Iran|WET|Libya|MST7MDT|Chile|Chile/EasterIsland|Chile/Continental|GMT-0|Navajo;
        }
      }
    }
  }
}
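The operational hierarchy and the Panorama hierarchy above are written in one notation, and that notation is regular enough to parse. The following Python script is an added example, not part of this guide and not Palo Alto Networks code. It parses the notation and checks candidate command or configuration paths against it, so that a batch of `scp export` or `mgt-config` lines can be linted offline before it is sent to a device over SSH, where a mistyped keyword or an out-of-range `remote-port` would otherwise fail only on the firewall. It assumes the meaning the guide gives the symbols: braces enclose sub-options, `OR...` separates mutually exclusive branches, `REPEAT... <name>` is a user-named instance, `1-65535` is a numeric range and `yes|no` an enumeration. `SAMPLE` is a constructed excerpt of the page's `scp` and `mgt-config` subtrees, and the lines it checks are made up.

```python
"""Parse the flattened hierarchy notation of this appendix and lint commands.

Added example, not code from the guide or from Palo Alto Networks. Assumed
semantics: `name { ... }` is a keyword with sub-options, `name <value>;` takes
an argument, `name;` is bare, `OR...` separates mutually exclusive branches,
`REPEAT... <name> { }` is a user-named instance, `1-65535` is a numeric range
and `yes|no` an enumeration.
"""
import re

# Constructed excerpt of the page's own notation: a subset of the operational
# `scp` subtree and of the Panorama `mgt-config` subtree.
SAMPLE = """
scp { export { configuration { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; }
OR... tech-support { to <value>; remote-port 1-65535; source-ip <ip>; } }
OR... import { configuration { from <value>; remote-port 1-65535; source-ip <ip>; }
OR... private-key { from <value>; remote-port 1-65535; source-ip <ip>; } } }
OR... mgt-config { users { REPEAT... <name> { phash <value>; permissions {
role-based { superreader yes; OR... superuser yes; OR... panorama-admin yes; } } } } }
"""

TOKEN = re.compile(r"\{|\}|;|OR\.\.\.|REPEAT\.\.\.|[^\s{};]+")


def tokenize(text):
    return TOKEN.findall(text)


def parse(tokens, pos=0):
    """Parse one brace block into {keyword: spec}; return (dict, next position).

    spec is a nested dict for a keyword with sub-options, or a string holding
    the argument spec ('<value>', '1-65535', 'yes|no'); '' marks a bare keyword.
    OR.../REPEAT... only group siblings, so they are skipped here.
    """
    children = {}
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "}":
            return children, pos + 1
        if tok in ("OR...", "REPEAT..."):
            pos += 1
            continue
        name, pos = tok, pos + 1
        nxt = tokens[pos] if pos < len(tokens) else ";"
        if nxt == "{":
            children[name], pos = parse(tokens, pos + 1)
        elif nxt == ";":
            children[name], pos = "", pos + 1
        else:
            children[name], pos = nxt, pos + 1  # argument spec
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1  # its terminating ';'
    return children, pos


def command_paths(tree, prefix=()):
    """Yield every complete command as a tuple of tokens, arg spec included."""
    for name, spec in tree.items():
        path = prefix + (name,)
        if isinstance(spec, dict):
            yield from command_paths(spec, path)
        else:
            yield path + ((spec,) if spec else ())


def arg_ok(spec, value):
    """Check one argument against a range ('1-65535'), a placeholder or an enum."""
    rng = re.fullmatch(r"(\d+)-(\d+)", spec)
    if rng:
        return value.isdigit() and int(rng[1]) <= int(value) <= int(rng[2])
    if spec.startswith("<"):
        return value != ""
    return value in spec.rstrip("|").split("|")


def validate(tree, line):
    """Walk a command line through the tree and return (ok, reason).

    Rejects an unknown keyword, a missing or out-of-spec argument, and a line
    that stops at a keyword which still requires a sub-option.
    """
    words = line.split()
    node, i, complete = tree, 0, False
    while i < len(words):
        word = words[i]
        # A literal keyword wins; otherwise a REPEAT... <name> slot accepts it.
        key = word if word in node else next((k for k in node if k.startswith("<")), None)
        if key is None:
            return False, f"unknown keyword {word!r} after {' '.join(words[:i])!r}"
        spec, i = node[key], i + 1
        if isinstance(spec, dict):
            node, complete = spec, False
            continue
        complete = True
        if spec == "":
            continue
        if i >= len(words):
            return False, f"{key} needs an argument matching {spec}"
        if not arg_ok(spec, words[i]):
            return False, f"{words[i]!r} is not a valid {key} ({spec})"
        i += 1
    return (True, "ok") if complete else (False, "incomplete command")


if __name__ == "__main__":
    tree, _ = parse(tokenize(SAMPLE))
    for cmd in ("scp export configuration from running-config.xml to backup@10.0.0.5:/fw remote-port 2222",
                "scp export configuration from x to y remote-port 70000",
                "mgt-config users auditor phash $1$hash permissions role-based superreader yes"):
        print(validate(tree, cmd), "<-", cmd)
```

Run with `python3` to see each sample line accepted or rejected with a reason. The check is deliberately one-sided: it rejects unknown keywords, out-of-range values such as `remote-port 70000`, and lines that stop before reaching a leaf, but it does not enforce that `OR...` branches are mutually exclusive, so a line such as `less mp-log a dp-log b` still passes. Pasting the full hierarchy from this appendix into `SAMPLE` extends the lint to every command the guide documents.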


Appendix B PAN-OS CLI KEYBOARD SHORTCUTS


This appendix lists the keyboard shortcuts and Editor Macros (EMACS) commands supported in the PAN-OS CLI.

Note: Some shortcuts depend on the SSH client used to access the PAN-OS CLI. For some clients the Meta key is the Control key; for others it is the Esc key.

Table 4 lists the keyboard shortcuts.

Table 4. Keyboard Shortcuts

Commands for Moving

  beginning-of-line (C-a)
      Move to the start of the current line.
  end-of-line (C-e)
      Move to the end of the line.
  forward-char (C-f)
      Move forward a character.
  backward-char (C-b)
      Move back a character.
  forward-word (M-f)
      Move forward to the end of the next word. Words consist of alphanumeric characters (letters and digits).
  backward-word (M-b)
      Move back to the start of this, or the previous, word. Words consist of alphanumeric characters (letters and digits).
  clear-screen (C-l)
      Clear the screen and place the current line at the top of the screen. If an argument is included, refresh the current line without clearing the screen.

Commands for Manipulating Command History

  accept-line (Newline, Return)
      Accept the line regardless of where the cursor is. If the line is nonempty, add it to the history list. If the line is a modified history line, then restore the history line to its original state.
  previous-history (C-p)
      Fetch the previous command from the history list, moving back in the list.
  next-history (C-n)
      Fetch the next command from the history list, moving forward in the list.
  beginning-of-history (M-<)
      Move to the first line in the history.
  end-of-history (M->)
      Move to the end of the input history (the line currently being entered).
  reverse-search-history (C-r)
      Search backward starting at the current line and moving up through the history as necessary. This is an incremental search.
  forward-search-history (C-s)
      Search forward starting at the current line and moving down through the history as necessary. This is an incremental search.
  non-incremental-reverse-search-history (M-p)
      Search backward through the history starting at the current line using a non-incremental search for a string supplied by the user.
  non-incremental-forward-search-history (M-n)
      Search forward through the history using a non-incremental search for a string supplied by the user.

Commands for Changing Text

  delete-char (C-d)
      Delete the character under the cursor. If point is at the beginning of the line, there are no characters in the line, and the last character typed was not C-d, then return EOF.
  backward-delete-char (backspace)
      Delete the character behind the cursor.
  transpose-chars (C-t)
      Drag the character before point forward over the character at point. Point moves forward as well. If point is at the end of the line, then transpose the two characters before point.
  transpose-words (M-t)
      Drag the word behind the cursor past the word in front of the cursor, moving the cursor over that word as well.
  upcase-word (M-u)
      Make the current (or following) word uppercase. With a negative argument, do the previous word, but do not move point.
  downcase-word (M-l)
      Make the current (or following) word lowercase. With a negative argument, change the previous word, but do not move point.
  capitalize-word (M-c)
      Capitalize the current (or following) word. With a negative argument, do the previous word, but do not move point.

Deleting and Yanking Text

  kill-line (C-k)
      Delete the text from the current cursor position to the end of the line.
  backward-kill-line (C-x backspace)
      Delete backward to the beginning of the line.
  unix-line-discard (C-u)
      Delete backward from point to the beginning of the line.
  kill-word (M-d)
      Delete from the cursor to the end of the current word, or if between words, to the end of the next word. Word boundaries are the same as those used by forward-word.
  backward-kill-word (M-backspace)
      Delete the word behind the cursor. Word boundaries are the same as those used by backward-word.
  unix-word-backspace (C-w)
      Delete the word behind the cursor, using white space as a word boundary. The word boundaries are different from backward-kill-word.
  yank (C-y)
      Place the top of the deleted section into the buffer at the cursor.
  yank-pop (M-y)
      Rotate the kill-ring, and yank the new top. Only works following yank or yank-pop.

Completing Commands

  complete (TAB)
      Attempt to perform completion on the text before point.
  possible-completions (?)
      List the possible completions of the text before point.

Performing Miscellaneous Functions

  undo (C-_, C-x C-u)
      Perform an incremental undo, separately remembered for each line.
  revert-line (M-r)
      Undo all changes made to this line. This is like typing the undo command enough times to return the line to its initial state.

Table 5 lists the EMACS commands.

Table 5. EMACS Commands

Emacs Standard bindings

  C-A    beginning-of-line
  C-B    backward-char
  C-D    delete-char
  C-E    end-of-line
  C-F    forward-char
  C-G    abort
  C-H    backward-delete-char
  C-I    complete
  C-J    accept-line
  C-K    kill-line
  C-L    clear-screen
  C-M    accept-line
  C-N    next-history
  C-P    previous-history
  C-R    reverse-search-history
  C-S    forward-search-history
  C-T    transpose-chars
  C-U    unix-line-discard
  C-W    unix-word-backspace
  C-Y    yank
  C-_    undo

Emacs Meta bindings

  M-C-H  backward-kill-word
  M-C-R  revert-line
  M-<    beginning-of-history
  M->    end-of-history
  ?      possible-completions
  M-B    backward-word
  M-C    capitalize-word
  M-D    kill-word
  M-F    forward-word
  M-L    downcase-word
  M-N    non-incremental-forward-search-history
  M-P    non-incremental-reverse-search-history
  M-R    revert-line
  M-T    transpose-words
  M-U    upcase-word
  M-Y    yank-pop


Index

Symbols
    # prompt 13
    + option symbol 17
    > option symbol 17
    > prompt 13
    ? symbol 15

A
    accessing the CLI 12

B
    banner 13, 25

C
    changing modes 14, 15
    clear command 49
    CLI
        accessing 12
        configuration mode 11
        EMACS commands 251
        keyboard shortcuts 249
        operational mode 11
        prompt 13
        structure 11
    commands 27
        conventions 13
        display 27
        messages 14
        monitoring and troubleshooting 27
        navigation 27
        network access 27
        option symbols 17
        options 15
        understanding 13
    commit command 21, 30
    configuration
        hierarchy 23
        hierarchy paths 24
    configuration mode
        hierarchy 23
        prompt 13
        understanding 21
    configure command 51
    control key 16
    conventions, typographical 8
    copy command 31

D
    debug captive-portal command 54
    debug cli command 55
    debug cpld command 56
    debug dataplane command 57
    debug device-server command 59
    debug dhcpd command 60
    debug ez command 61
    debug high-availability-agent command 62
    debug ike command 63
    debug keymgr command 64
    debug log-receiver command 65
    debug management-server command 66
    debug master-service command 67
    debug netconfig-agent command 68
    debug routing command 69
    debug software command 70
    debug swm command 71
    debug tac-login command 72
    debug vardata-receiver command 73
    delete command 32, 52

E
    edit banner 25
    edit command
        banner 13
        using 26, 33
    esc key 16
    Ethernet interfaces 19
    ethernet1/n 19
    exit command 34, 74

G
    getting started 12
    grep command 75

H
    hierarchy
        complete 153
        configuration 23
        navigating 25
        new elements 24
        paths 24
    hostname 13

I
    interfaces 19

K
    keyboard shortcuts 16, 249

L
    less command 76

M
    meta key 16
    modes
        changing 14, 15
        configuration 21
        operational 27
    move command 36

N
    navigating hierarchy 25

O
    operational mode
        command types 27
        prompt 13
        using 27

P
    ping command 77
    privilege levels 18

Q
    quit command 37, 79

R
    rename command 38
    request certificate command 80
    request content upgrade command 82
    request high-availability command 83
    request license command 84
    request restart command 85
    request support command 86
    request system command 87
    run command 39

S
    save command 21, 40
    scp command 88
    set application dump command 90
    set cli command 91
    set command 41
    set logging command 92
    set serial-number command 93
    set session command 94
    set target-vsys command 95
    set zip command 96
    shortcuts 16
    show admins command 97
    show arp command 98
    show cli command 99, 100
    show clock command 101
    show command 23, 42
    show config command 102
    show counter command 103
    show ctd command 104
    show device command 105
    show devicegroups command 107
    show device-messages command 106
    show dhcp command 108
    show high-availability command 109
    show interface command 110
    show jobs command 111
    show location command 112, 115
    show log command 113
    show mac command 116
    show management-clients command 117
    show multi-vsys command 118
    show pan-agent command 119
    show proxy command 120
    show query command 121
    show report command 122
    show route command 127
    show routing command 123
    show session command 128
    show statistics command 130
    show system command 132
    show target-vsys command 134
    show threat command 135
    show virtual-wire command 136
    show vlan command 137
    show vpn command 138, 140
    show zone-protection command 141
    ssh command 142
    syntax checking 14
    system 27

T
    tail command 143
    telnet command 144
    test command 145
    tftp command 146
    top command 25, 26, 43
    traceroute command 148
    typographical conventions 8

U
    up command 25, 26, 44
    user name 13
    user privileges 18

V
    view-pcap command 150
