check all debugging enabled on firewall


L1 Bithead

I am wondering if there is any way we can check all the enabled debugging on Palo Alto firewall. 

 

 


Cyber Elite

Please describe the use case of enabling all debugging.  This may degrade efficiency of the firewall, yet I think your query is interesting.  Please provide detail/context.

Help the community: Like helpful comments and mark solutions

L7 Applicator

I could not agree more with what Steve said. When you turn on ALL debugging, you run a risk of actually dropping or losing traffic due to the load that is being placed on the machine/system. And this has even caused outages in the past, to the point where a lot of the Debugging information has been removed from LIVE, and it is difficult to find it because of that reason.

 

So, I echo.. tell us what exactly is going on and we may be able to help out.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Well, I don't want to disable ALL debugging. I saw a recent increase in CPU and memory utilization, so I am curious if there is a way we can check if there is any type of debugging enabled, something like show debugs.

Cyber Elite

@aggarwat,

I don't believe that there's a way to view logging levels at a system level. All of the logging levels that you can adjust will have a 'show' option to display the current log level, but I don't believe there's a "global" way of looking at every single log level. 

L1 Bithead

This is a somewhat essential feature, and it's lame that it's not available. I understand what the OP wants. In Cisco-land you can type "no debug all" to disable any trace of debug left by another user or to quickly kill all debugging. Additionally, you can type "show debug" to see all levels of debug that are enabled. PAN firewall desperately needs this feature!

Oh, well if that is what they wanted, then they are simply needing this:

 

debug software logging-level show level service all-services

 and to bring the levels back to default

 

debug software logging-level set level default service all-services

 


Thx for the tip!
If I turn on 2-3 debugs, can I turn them all off with the second command, without having to know which debugs are turned on?
Or does the turn off command:

debug software logging-level set level default service all-services
only work when every debug is turned on?

Cyber Elite

@anon4all   It was as you suggested... turn on whatever you want and the 2nd command will bring them all back to whatever the default settings are, without knowing which debugs are turned on.


L1 Bithead

 For reference you can run the command below on firewalls.

>debug software logging-level show level service all-services

This will allow you to see "all-services" and the debug level currently turned on for them.

You can of course look at specific services by running 

>debug software logging-level show level service ..... and now hit TAB to be presented with the services you can then choose.

 

To set all to default level run the following

> debug software logging-level set level default service all-services

 

This does not work on Panorama.

L1 Bithead

@aggarwat was asking about displaying the running debug, similar to "show debug", and disabling all running debug, such as "undebug all". It seems that PAN-OS doesn't have similar commands.
"debug software logging-level show level service all-services" seems to display the SERVICE GLOBAL logging level, but it doesn't show feature-specific debugs. For example, if we enable this debug, "debug ike gateway extranet-ike-gateway on debug", then "debug software logging-level show level service ikemgr" will show level info. But if we enable this debug, "debug ike global on debug", then "debug software logging-level show level service ikemgr" will show level debug. Is there even a way to verify the status of a specific debug such as "debug ike gateway extranet-ike-gateway"?
Regards,

Wafik

L1 Bithead

Any answers here? I have been troubleshooting over the last few months and really want a command that will show me if I have any debugs still active. Panorama and Firewalls.

To show:
>debug software logging-level show level service all-services

To reset all to default: 
>debug software logging-level set level default service all-services

 

 

As when you were running the command initially from the CLI, you can TAB through the options on a specific command sequence. If you were to run >debug ike global   ...and then TAB you will see the options below.

admin@Lab_PA-3250> debug ike global
> off   ....Turn off ikemgr debug logging
> on   ....Turn on ikemgr debug logging
> show   ....show ikemgr debug logging

 

Some commands you will need to validate within the specific command sequence. This can always be validated by using the contextual assistance in the CLI.

Thank you Mhuddleston!  Much appreciated!

Thanks - JM