Palo Alto start up queries


Hi everyone,

I have some queries on Palo Alto firewalls, so I am posting some questions. Help on these is much appreciated.

1. What does the following command do?

   > show neighbour all

Does this function like Cisco Discovery Protocol to identify the peer Cisco devices, or is it for OSPF neighbours or some other purpose?

2. How to see both the physical and admin status of an interface from the CLI?

3. What is the exact path where the OS gets installed?

4. What is neighbour discovery in Palo Alto devices?

Is it OSPF discovery or all devices which run on PAN? (This is pretty much similar to the first question.)

5. We explicitly created a role called Student on the firewall. Only authentication is happening but authorization is not happening, that is, the Student role is not getting picked up from the RADIUS server or on the firewall. What changes can we make on the RADIUS server for the role mapping to be picked up from RADIUS?

6. Any specific use cases where we use Tap mode and Vwire mode for interfaces?

7. When exactly do we need Vwire sub-interfaces and L2 sub-interfaces?

8. We are not able to bind ethernet1/2.1 with ethernet1/2.2 in the same Vwire object, but we are able to bind ethernet1/2.1 and ethernet1/1 into the same Vwire object.

9. What type of encapsulation do interfaces on Palo Alto devices support?

10. What are ND entries under the Advanced tab for an interface when you are configuring a Layer 3 interface?

11. I am able to commit the configuration even though I did not enable User-ID on the zone, but I defined some random IPs on the include list and exclude list for User-ID for that zone.

12. What is CRL status in Service route configuration? I want to explicitly define a service route, then I find this option.

What is destination and source address in the same source Route option field?

13. There will be a limited number of policies that we can configure on any firewall.

What about NAT, QoS and captive portal rules, how many can we configure?

14. How to delete the snapshots of the configs that you loaded into the device?

Hoping to see some response on this. Thanks for the support.


L3 Networker



It shows neither CDP neighbours nor OSPF neighbours. It's used to display IPv6 neighbours. From the V5.0 CLI guide:

show neighbor

Displays IPv6 neighbor information.


show neighbor {all | mgt | <interface_name>}


all — Displays all IPv6 neighbor information

mgt — Displays host IPv6 neighbor information

<interface_name> — Displays IPv6 neighbor information for the specified interface


To display the interface status from the CLI, use the command:

show interface all

or for more detailed information on the individual interfaces:

show interface ethernet1/x - replace the x with the interface number you are looking for.


The path is not normally visible as OS installation/upgrades are handled by the OS. Why do you wish to know the path?


Neighbor discovery is for IPv6.


Are you talking about user roles when accessing the firewall or for controlling identified users traffic passing through the device via groups?

Firewall authentication

To use RADIUS to authenticate a user, you first need to create a RADIUS server profile containing the RADIUS IP and shared secret. Following that, create an Authentication Profile, set the authentication to RADIUS and specify the RADIUS server profile that you just created as the server profile. Once that is done, you can create an admin role with the preferences you want, then create an admin with the authentication profile previously created and the role that you created. When the user logs into the firewall it will authenticate them against the RADIUS server and, if successful, will only provide them with the specified role.

Controlling users traffic

The RADIUS server profile cannot pass back user-group mappings. To get the users' groups to control their access, you need to create an LDAP server profile and then add the group mappings under Device -> User Identification -> Group Mapping. Click Add and on the first tab specify the LDAP profile, then on the second tab either leave the right-hand panel blank (which will pull in all groups) or only specify the groups you are interested in. This will populate the users and groups into the user-group cache, so that when traffic comes from an IP that has an IP-user mapping, then as long as the username matches between the IP-user mapping cache and the user-group cache, you will be able to control their traffic via policy.


Tap mode is used when you want to investigate the traffic flowing through a switch without affecting an existing deployment. It is typically used either for evaluation purposes or for identifying traffic before going inline.

Vwire is used when you want to use the features of the PAN device, such as NAT, app-ID, user-ID, content-ID but do not need it to function at L2 or L3. An example of this would be putting it in as an interior firewall between the exterior firewall and the internal switch/router.


VWire sub-interfaces and L2 sub-interfaces are used to control traffic from different VLANs. You can create a different vwire/L2 sub-interface for each VLAN tag and then put it into a different security zone so that you can better control traffic with policy.


This is a misunderstanding of how VWire objects work. You do not bind the sub-interfaces together, you bind the physical interfaces together and the sub-interfaces will automatically use the VWire object.


IKE only to my knowledge.


To identify IPv6 addresses and MAC address of IPv6 neighbours to be added for discovery.


I'm not sure what you're trying to suggest with this point. That is perfectly acceptable configuration. It simply won't be used because User-ID is not enabled.


If a certificate authority revokes a certificate, then the PAN device needs to make itself aware of it, which it does by checking the CRL of the certificate authorities. The CRL status service route is the route that the PAN device takes for validating SSL certificates.

The source and destination in service routes are used for creating an explicit route for a specific destination; this overrides the configured server routes on the left side of the service route configuration. An example of why you would do this would be if you set a service route for your syslog but had another syslog server down another interface and wanted syslog messages to that server to come from that interface.


There is a limit on security policies, NAT policies and QoS policies. The limit is model dependent. Please check the platform specsheets found at PA-5000 Series for your model of firewall.


From the CLI, type the command:

delete config saved <config name>

If you have not already, I highly recommend that you attend the 201 training course, as most of the questions that you have asked are covered under that course.


