cheat sheet - useful cli commands 4.0
DESCRIPTION
Cheat Sheet - Useful CLI Commands 4.0TRANSCRIPT
-
Useful CLI Commands in PANOS 4.0
1
This document provides a list of some useful CLI commands to verify and troubleshoot the operation of a Palo Alto Networks firewall. General system health
show system info provides the systems management IP, serial number and code version show system statistics shows the real time throughput on the device show system software status shows whether various system processes are running show jobs processed used to see when commits, downloads, upgrades, etc. are
completed show system disk-space- show percent usage of disk partitions show system logdb-quota shows the maximum log file sizes debug dataplane internal vif link show management interface (eth0) counters
To monitor CPUs
show system resources - shows processes running in the management plane similar to top command
show running resource-monitor used to see the resource utilization in the data plane, such as dataplane CPU utilization
less mp-log mp-monitor.log Every 15 minutes the system runs a script to monitor management plane resource usage, output is stored in this file.
less dp-log dp-monitor.log - Every 15 minutes the system runs a script to monitor dataplane resource usage, output is stored in this file.
General dropped packet troubleshooting
ping source host - allows to ping from the specified FW source interface
ping host - ping from the MGT interface show session all | match used to show specific sessions in the session table. You can
enter any text after the word match. A good example would be a source or destination IP or an application
show session all | filter destination dest-port - shows all sessions going to a particular dest IP and port
show session id shows the specifics behind a particular session by entering the ID number after the word id
show counter interface shows interface counters show counter global | match drop used to troubleshoot dropped packets show counter global delta yes | match [ drop | error | frag ] show counter changes
since last time ran this command, filter on particular keyword NAT
show running nat-policy- shows current NAT policy table show running ippool- use to see if NAT pool leak test nat-policy-match simulate traffic going through the device, what NAT policy will it
match?
-
Useful CLI Commands in PANOS 4.0
2
Routing show routing route displays the routing table test routing fib-lookup virtual-router ip - finds which
route in the routing table will be used to reach the IP address that you are testing Policies
show running security-policy shows the current policy set test security-policy-match from trust to untrust destination - simulate a packet going
through the system, which policy will it match? PAN Agent
show user pan-agent statistics used to see if the agent is connected and operational. Status should be connected OK and you should see numbers under users, groups and IPs.
show pan-agent user-IDs - used to see if the FW has pulled groups from the PANAgent show user ip-user-mapping used to see IP to username mappings on the FW clear user-cache all clears the user-ID cache debug device-server reset pan-agent - reset the firewalls connection to the
specified agent URL
test url used to test the categorization of a URL on the FW tail follow yes mp-log pan_bc_download.log shows the BrightCloud database update
logs request url-filtering download status shows the status of the database download
(essentially the very last line from the pan_bc_download.log file) debug dataplane show url-cache statistics shows statistics on the URL cache show counter global | match url shows statistics on URL processing clear url-cache used to clear the URL cache- cache contains 100k of the most popular
URLs on this network show log url direction equal backward- view the URL log, most recent entries first To test connectivity to the BrightCloud servers:
o ping host service.brightcloud.com o ping host database.brightcloud.com
Log viewing / deleting1
show log [ system | traffic | threat ] direction equal backward will take you to the end of the specified log
show log [ system | traffic | threat ] direction equal forward will take you to beginning of the specified log
clear log [ traffic | threat | acc ] clear everything in the specified log 1 Arguments that are shown with square braces and pipe symbol mean that you choose one of the arguments listed. For example, [ arg1 | arg2 | arg3 ] means you select either arg1 or arg2 or arg3.
-
Useful CLI Commands in PANOS 4.0
3
IPSec To view detailed debug information for IPSec tunneling:
1. debug ike global on debug 2. less mp-log ikemgr.log
HA show high-availability state shows the HA state of the FW you are on show high-availability state-synchronization shows if the FWs are synced show high-availability path-monitoring shows the status of path monitoring request high-availability state suspend this will suspend active box and make the
current passive device active request high-availability clear-alarm-led this will clear the HA failover alarm on the unit
Software, Content, and Licenses To upgrade the software on the FW:
1. tftp import software from file 2. request system software install file 3. request restart system
request system software [info | check | download | install ] manipulate PANOS software from the CLI
To upgrade the content on the FW: 1. tftp import content from file 2. request content upgrade install file
request content downgrade install previous downgrade to the previous content version request system private-data-reset- to clear config and logs/reports debug swm [ status | list | revert ] will show possible code to install, or code that was
installed. revert is used to revert to last running OS version without having to do a factory reset (such as from 4.0 to back to 3.1)
request license info shows the license installed on the device delete license key ? use to delete a license file if having issues and want to retrieve new
licenses, use question mark to list file names, only delete the files you see fit
Config diff/force/cli format show config diff- compares two versions of the config commit force- perform a commit, even if there are errors set cli config-output-format set- use to view the config in set format from within the
configure prompt (#)
Misc set deviceconfig setting session tcp-reject-non-syn no used to ignore SYN when creating
sessions; confirm command took effect with show session info set deviceconfig setting session offload no - makes all packets go through CPU, otherwise
all fastpath packets just go through EZ chip (turns off session offload to fastpath); confirm command took effect with show session info
debug dataplane pool statistics - this will show the different dataplane buffers and can e used to see if the system is nearing capacity in certain functionality.