
PALO ALTO NETWORKS CLI QUICK REFERENCE

PAN-OS CLI

General System Health
Display the system's management IP, serial #, and code version.
show system info

Capture PCAP on management interface.
tcpdump filter "src net <ip/netmask>"
view-pcap mgmt-pcap mgmt.pcap

Display when commits, downloads, upgrades, etc. are completed.
show jobs processed

Display percent usage of disk partitions.
show system disk-space

Display the maximum log file sizes.
show system logdb-quota

Display running processes.
show system software status

Log/Forward Device issues
Display the log statistics, like logging incoming rate, log written rate, corrupted packets and logs discarded due to full queue.
debug log-receiver statistics

Display debug logging issues on the device.
less mp-log logrcvr.log

Restart log-receiver process.
debug software restart log-receiver

Monitor CPUs
Display processes running in the Management Plane.
show system resources
show system resources follow

Display the resource utilization in the Dataplane.
show running resource-monitor

Dropped Packet Troubleshooting
Ping from a specified device source interface to destination IP.
ping source <IP_addr_src_int> host <IP_addr_host>

Ping from the management interface.
ping host <IP>

Display the specific sessions in the session table that match the source and destination IPs.
show session all filter source <source-IP> destination <destination-IP>

Display session usage, pps rates, etc.
show session info

Display session details by entering the session ID number.
show session id <id-number>

Monitor Management or Device Server
Display management server messages for commit failures, updates, licenses, link status, policy details, etc.
tail follow yes mp-log ms.log

Display device server message for commit failures, updates, licenses, link status, policy details, etc.
tail follow yes mp-log devsrv.log

Authentication Logs
Display the detail authentication logs on the device.
less mp-log authd.log

NAT
Display current NAT policy table.
show running nat-policy

Display NAT pool leaks.
show running ippool
show running global-ippool

Routing
Display routing table.
show routing route

Packet Filters and Captures
WARNING: Running debug commands on a production device may cause undesirable results.

Clear/delete settings and files previously created.
debug dataplane packet-diag clear all
debug dataplane packet-diag clear log log

Remove all files.
delete debug-filter file *

Set filter with the source IP and destination IP to capture packets from/to.
debug dataplane packet-diag set filter match source x.x.x.x destination y.y.y.y
debug dataplane packet-diag set filter match source y.y.y.y destination x.x.x.x
debug dataplane packet-diag set filter on

Configure the different stages of capture types to be executed.
debug dataplane packet-diag set capture stage receive file pantac-rx.pcap
debug dataplane packet-diag set capture stage transmit file pantac-tx.pcap
debug dataplane packet-diag set capture stage drop file pantac-drop.pcap
debug dataplane packet-diag set capture stage firewall file pantac-fw.pcap
debug dataplane packet-diag set capture on

Verify packet capture is set up correctly.
debug dataplane packet-diag show setting

While test is running, run the command every 2-3 seconds for 20 seconds and save the output to a text file.
show counter global filter packet-filter yes delta yes

Turn off packet capture and filter.
debug dataplane packet-diag set capture off
Policies
Display current policy set.
show running security-policy

User-ID Agent
Display agents status. Status should be connected OK and there should be numbers shown under users, groups and IPs.
show user user-id-agent state all
show user user-id-agent statistics

Display the groups pulled from User-ID Agent.
show user user-IDs
show user group-mapping state all
show user group-mapping statistics
show user group list
show user group name <value>

Display IP to username mappings.
show user ip-user-mapping

Clear the user-ID cache.
clear user-cache all
clear user-cache ip <ip/netmask>

Reset the device's connection to the specified agent.
debug user-id reset user-id-agent <name>

Feb14

Log Viewing/Deleting
Go to the beginning/end of a log.
show log [system | traffic | threat] direction equal [forward | backward]

Note: Arguments shown with square brackets and pipe symbol mean choose one of the arguments listed.

IPSEC
The following commands display VPN configuration.

Display encap/decap counters.
show vpn flow

Display list of IKE gateway configurations.
show vpn gateway

Display IKE Phase 1 SA.
show vpn ike-sa

Display IPSec Phase 2 SA.
show vpn ipsec-sa

Display list of auto-key IPSec tunnel configurations.
show vpn tunnel

Display detail debug information for IPSec tunneling.
show log system subtype equal vpn direction equal backward
debug ike global on debug
less mp-log ikemgr.log

PAN-DB URL Filtering
Check URL cloud status.
show url-cloud status

Test categorization of a URL

On Dataplane cache
test url-resolve-path <url>

On Management Plane cache
test url-info-host <url>

On Cloud
test url-info-cloud <url>

Delete URLs from the cache

On Dataplane cache
clear url-cache url <url>

On Management Plane cache
delete url-database url <url>

Show statistics on URL cache

On Dataplane cache
show running url-cache statistics

On Management Plane cache
debug device-server pan-url-db show-stats

High Availability
Display the HA state of the device.
show high-availability state

Display the HA settings configured on the device and peer.
show high-availability all

Display if the devices are synchronized.
show high-availability state-synchronization

Suspend active device and make passive device active.
request high-availability state suspend

Change the state from suspend to passive.
request high-availability state functional

Software, Content and Licenses
Reboot the system.
request restart system

Upgrade content.
request content upgrade
> check
Gets info from Palo Alto Networks server.
Downloads content packages.
Displays available content packages info.
Installs content packages.

Downgrade to previous content version.
request content downgrade install previous

Display the license installed on the device.
request license info

Delete a license file.
delete license key

Note: If having issues and want to retrieve new licenses, use question mark to list file names then delete the specific file.

Miscellaneous
Ignore SYN when creating sessions.
configure
set deviceconfig setting session tcp-reject-non-syn no
commit

Confirm command took effect.
show session info

Make all packets go through CPU, otherwise all fastpath packets go through the chip. Turns off session offload to fastpath.
configure
set deviceconfig setting session offload no
commit

Confirm command took effect.
show session info

Display the different dataplane buffers and see if the system is nearing capacity.
debug dataplane pool statistics

Show statistics on Panorama
Displays pushed template and local config merge
show config merged

Displays shared policy pushed to the device
show config pushed-shared-policy

Displays template pushed to the device
show config pushed-template

URL
Test the categorization of a URL on the device.
test url <url or IP>

Display the BrightCloud database update logs.
tail follow yes mp-log pan_bc_download.log

Display statistics on the URL cache.
debug dataplane show url-cache statistics

Clear URL cache.
clear url-cache all
clear url-cache url <value>

Note: Cache contains 100k of the most popular URLs on the network.

Display the URL log, most recent entries first.
show log url direction equal backward

Test connectivity to the BrightCloud servers.
ping host service.brightcloud.com


4401 Great America Parkway


Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com
Copyright 2014, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto
Networks Logo, PAN OS, App ID, and Panorama are trademarks of Palo Alto Networks, Inc. All
specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for
any inaccuracies in this document or for any obligation to update information in this document. Palo
Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication
without notice.
