06-25-2014 11:18 AM
Here is a good list of CLI commands to help you out:
General system health
· show system info – provides the system’s management IP, serial number and code version
· show system statistics – shows the real time throughput on the device
· show system software status – shows whether various system processes are running
· show jobs processed – used to see when commits, downloads, upgrades, etc. are completed
· show jobs all – show any jobs in progress
· show job id <id#> – to show any warning/error in configuration
· clear job id <id#> – to clear a hung job
· show system disk-space – show percent usage of disk partitions
· show system logdb-quota – shows the maximum log file sizes
· debug dataplane internal vif link – show management interface (eth0) counters
· show system state filter cfg.general.max* – to display the system limits for objects, profiles, and policies
To monitor CPUs
· show system resources – shows processes running in the management plane, similar to the “top” command
· show running resource-monitor – used to see the resource utilization in the data plane, such as dataplane CPU utilization
· less mp-log mp-monitor.log – every 15 minutes the system runs a script to monitor management plane resource usage; the output is stored in this file
· less dp-log dp-monitor.log – every 15 minutes the system runs a script to monitor dataplane resource usage; the output is stored in this file
General dropped packet troubleshooting
· ping source <IP_addr_src_int> host <IP_addr_host> – allows you to ping from the specified FW source interface
· ping host <IP> – ping from the MGT interface
· show session all | match – used to show specific sessions in the session table. You can enter any text after the word match; a good example would be a source or destination IP or an application
· show session all | filter destination <IP> dest-port <port> – shows all sessions going to a particular dest IP and port
· show session all filter type predict – to show any pin-hole applications (e.g. FTP)
· show session id – shows the specifics behind a particular session by entering the ID number after the word “id”
· show counter interface – shows interface counters
· show counter global | match drop – used to troubleshoot dropped packets
· show counter global delta yes | match [source ip|dest ip| drop | error | frag ] – show counter changes since the last time this command was run, filtered on a particular keyword
· show counter global filter packet-filter yes delta yes – show counter changes since the last time this command was run, filtered on the debug filter
· show counter global filter delta yes – show counter changes since the last time this command was run
NAT
· show running nat-policy – shows the current NAT policy table
· show running ippool – use to see if the NAT pool is leaking
· test nat-policy-match – simulate traffic going through the device: what NAT policy will it match?
Routing
· show routing route – displays the routing table
· test routing fib-lookup virtual-router <VR_name> ip <IP_addr_trying_reach> - finds which route in the routing table will be used to reach the IP address that you are testing
Routing Debug Commands
· debug routing global on debug
· less mp-log routed.log - To view the log
· tail follow yes mp-log routed.log - To view the log in real time
Policies
· show running security-policy – shows the current policy set
· test security-policy-match from trust to untrust destination <IP> – simulate a packet going through the system: which policy will it match?
PAN Agent
· show user pan-agent statistics – used to see if the agent is connected and operational. Status should be connected OK and you should see numbers under users, groups and IPs.
· show pan-agent user-IDs - used to see if the FW has pulled groups from the PANAgent
· show user ip-user-mapping – used to see IP to username mappings on the FW
· clear user-cache all – clears the user-ID cache
· debug device-server reset pan-agent <name> - reset the firewall’s connection to the specified agent
URL
· request url-filtering upgrade brightcloud – if URL does not show up on the dynamic updates page, run this command
· test url <url or IP> – used to test the categorization of a URL on the FW
· tail follow yes mp-log pan_bc_download.log – shows the BrightCloud database update logs
· request url-filtering download status – shows the status of the database download (essentially the very last line from the pan_bc_download.log file)
· debug dataplane show url-cache statistics – shows statistics on the URL cache
· show counter global | match url – shows statistics on URL processing
· clear url-cache – used to clear the URL cache; the cache contains 100k of the most popular URLs on this network
· show log url direction equal backward – view the URL log, most recent entries first
· To test connectivity to the BrightCloud servers:
o ping host service.brightcloud.com
o ping host database.brightcloud.com
Log viewing / deleting[1]
· show log [ system | traffic | threat ] direction equal backward – will take you to the end of the specified log
· show log [ system | traffic | threat ] direction equal forward – will take you to beginning of the specified log
· clear log [ traffic | threat | acc ] – clear everything in the specified log
· show log traffic receive_time in ? - pick a timeframe from the list
· show log traffic app equal gmail – show only gmail traffic in the log
IPSec
· To view detailed debug information for IPSec tunneling:
1. debug ike global on debug
2. less mp-log ikemgr.log
3. test vpn ike-sa gateway <gw_name> - initiates traffic to bring up tunnel
4. show vpn ike-sa gateway <gw_name> - to see if phase 1 is up
5. show vpn ipsec-sa tunnel <tunnel name> - to see if phase 2 is up
6. show vpn flow – to see all active tunnels
7. show vpn flow <name> or tunnel-id <id#> – to see detailed info on the tunnel
HA
· show high-availability state – shows the HA state of the FW you are on
· show high-availability state-synchronization – shows if the FWs are synced
· show high-availability path-monitoring – shows the status of path monitoring
· request high-availability state suspend – this will suspend the active box and make the current passive device active
· request high-availability clear-alarm-led – this will clear the HA failover alarm on the unit
Vsys
· set system setting target-vsys <vsys #> – to enter a vsys
· set system setting target-vsys none – to exit a vsys
Software, Content, and Licenses
· To upgrade the software on the FW:
1. tftp import software from <IP_addr_tftp_server> file <filename>
2. request system software install file <filename>
3. request restart system
· request system software [info | check | download | install ] – manipulate PANOS software from the CLI
· To upgrade the content on the FW:
1. tftp import content from <IP_addr_tftp_server> file <filename>
2. request content upgrade install file <filename>
· request content downgrade install previous – downgrade to the previous content version
· request system private-data-reset – to clear config and logs/reports
· debug swm [ status | list | revert ] – will show possible code to install, or code that was installed. “revert” is used to revert to the last running OS version without having to do a factory reset (such as from 4.0 back to 3.1)
· request license info – shows the license installed on the device
· delete license key ? – use to delete a license file if you are having issues and want to retrieve new licenses; use the question mark to list file names, and only delete the files you see fit
Config diff/force/cli format
· show config diff – compares two versions of the config
· commit force – perform a commit, even if there are errors
· set cli config-output-format set – use to view the config in “set” format from within the configure prompt (#)
Misc
· set deviceconfig setting session tcp-reject-non-syn no – used to ignore SYN when creating sessions; confirm the command took effect with show session info
· set deviceconfig setting session offload no – makes all packets go through the CPU, otherwise all fastpath packets just go through the EZ chip (turns off session offload to fastpath); confirm the command took effect with show session info
· set deviceconfig setting tcp drop-out-of-wnd <yes|no> – confirm the command took effect with show running tcp state
· debug dataplane pool statistics – this will show the different dataplane buffers and can be used to see if the system is nearing capacity in certain functionality
· show system state filter sys.s(x).p(x).phy – command to see physical media
· set cli pager off – to disable the more function
· delete network interface ethernet ethernet1/x – deletes any setting on the interface
· request system private-data-reset – deletes private data but keeps software and content installations
· show system files – to see if the FW generated any core files
· grep mp-log * pattern (what you’re searching for) – to search all logs for a specific word
· less dp0-log brdagent.log – to check to see if you have physical errors on an interface
· less dp0-log mprelay.log – to check to see if you have physical errors on an interface
· show system state filter-pretty sw.comm.s1.*.session-info | match active – to see the number of sessions on each data-plane
· https://x.x.x.x/esp/restapi.esp?type=keygen&user=admin&password=admin – to generate an API key
Debug Commands
· debug dataplane packet-diag show setting - to see if any filters or capture are set
· debug dataplane packet-diag set filter on - to turn on filter
· debug dataplane packet-diag set filter match source x.x.x.x destination x.x.x.x destination-port X file test.pcap
· debug dataplane packet-diag set capture stage <receive,drop,firewall,transmit> file <file name>
· debug dataplane packet-diag set capture on – to turn capture on
· view-pcap follow yes <filter-pcap,debug-pcap> test.pcap yes – this allows you to view the data in real time
· view-pcap filter-pcap <file name>
CLEAN UP COMMANDS:
· debug dataplane packet-diag set capture off – to stop capturing data
· debug dataplane packet-diag set filter off – shut off the filter
· delete debug-filter test.pcap - to delete the file
Debug Flow Basic
· debug dataplane packet-diag filter on
· debug dataplane packet-diag set filter source x.x.x.x dest y.y.y.y
· debug dataplane packet-diag set log on
· Generate traffic
· less dp0-log pan_packet_diag.log
CLEAN UP COMMANDS:
· debug dataplane packet-diag clear log log
· debug dataplane packet-diag filter off
· debug dataplane packet-diag set log off
[1] Arguments shown with square brackets and a pipe symbol mean that you choose one of the arguments listed. For example, [ arg1 | arg2 | arg3 ] means you select either “arg1” or “arg2” or “arg3”.
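As an added example, not part of the original post, here is a small Python helper for the dropped-packet section above: it parses the counter table printed by show counter global and reports which drop-severity counters moved between two runs, the same question the delta yes | match drop form answers on the box. The column layout (name, value, rate, severity, category, aspect, description) and the sample rows are constructed to match the shape of that table, not captured from a real firewall, so check them against your own output.

```python
import re

# Assumed column order of 'show counter global' rows:
# name value rate severity category aspect description
COUNTER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<desc>.*)$"
)

# Constructed sample output (not from a real device); the header and ruler
# lines are kept so the parser is seen to skip them.
SNAPSHOT_1 = """\
name                     value  rate severity category aspect  description
--------------------------------------------------------------------------
pkt_recv                208756    17 info     packet   pktproc Packets received
flow_policy_deny             3     0 drop     flow     session Session setup: denied by policy
flow_tcp_non_syn_drop       12     0 drop     flow     session Non-SYN TCP packets without session match
"""
SNAPSHOT_2 = """\
pkt_recv                209001    49 info     packet   pktproc Packets received
flow_policy_deny            41     7 drop     flow     session Session setup: denied by policy
flow_tcp_non_syn_drop       12     0 drop     flow     session Non-SYN TCP packets without session match
flow_fwd_l3_ttl_zero         2     0 drop     flow     forward Packets dropped: IP TTL reached zero
"""


def parse_counters(text: str) -> dict:
    """Map counter name -> parsed row; header, ruler and blank lines are ignored."""
    rows = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["value"], row["rate"] = int(row["value"]), int(row["rate"])
            rows[row["name"]] = row
    return rows


def drop_deltas(before: str, after: str) -> list:
    """Drop-severity counters that increased between two runs, largest first.
    A counter absent from the first run is treated as having started at zero."""
    old, new = parse_counters(before), parse_counters(after)
    moved = []
    for name, row in new.items():
        delta = row["value"] - old.get(name, {"value": 0})["value"]
        if row["severity"] == "drop" and delta > 0:
            moved.append((name, delta, row["desc"]))
    return sorted(moved, key=lambda r: r[1], reverse=True)
```

Run it against two saved copies of the real command output; only counters whose severity column reads drop and whose value grew are listed, so noisy info counters such as pkt_recv do not clutter the result.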