Palo Alto Troubleshooting CLI Commands
Introduction
Palo Alto is considered one of the most sought-after next-generation firewalls, given its robust performance, deep packet inspection and the wide range of features required in enterprise and service-provider environments. When troubleshooting network and security issues across many device platforms, PAN-OS provides an extensive set of CLI commands and options that are valuable utilities for troubleshooting and fault finding, in both the implementation and operations phases.
Palo Alto Troubleshooting : CLI Commands
The following Palo Alto commands are the basics and need little further explanation. The table below lists each command together with its description.
| CLI command | Description |
|---|---|
| show system info | Shows system information |
| show system environmental | Shows the environmental health of the system: CPU usage, temperature and the statistics on application recognition |
| show ntp | Shows the network time server information |
| show arp {all \| <interface-name>}<br>show neighbor interface {all \| <interface-name>} | Shows the ARP results |
| show mac all | Shows the MAC table results |
| show jobs all<br>show jobs id <id><br>show running resource-monitor | Shows the processes running in the management plane |
| show system resource<br>show system disk-space | Shows the percent usage of disk partitions |
| request restart system | Restarts the device |
| show admins all<br>show admins | Shows how many admin accounts there are |
| show the uptime and the active sessions | Shows the device uptime |
| show running security-policy | Shows the running security policy |
| request license info | Shows the licenses installed on the device |
| show vpn gateway | Shows the list of all IPSec gateways configured on the device, with their configuration |
| show vpn ike-sa | Shows IKE phase 1 SAs |
| show vpn ipsec-sa | Shows IKE phase 2 SAs |
| show vpn tunnel | Shows a list of auto-key IPSec tunnel configurations |
| show vpn flow | Shows the IPSec counters |
| show global-protect-gateway current-user<br>show global-protect-gateway flow | GlobalProtect |
| show high-availability all | Shows a summary of all HA runtime state |
| show high-availability state<br>show high-availability link-monitoring<br>show high-availability path-monitoring<br>show high-availability control-link statistics<br>show high-availability state-synchronization | Shows the local HA peer state |
| show high-availability flap-statistics | Shows statistics of sent and received messages |
| scp export log system to <username@host:path_to_destination_filename><br>scp import software from <username@host:path><br>tftp export configuration from running-config.xml to <tftp-host><br>tftp import url-block-page from <tftp-host> | Export/import files |
| show user group-mapping state all | User-IDs and groups |
| request system fqdn {show \| refresh} | IP addresses of FQDN objects |
| show dns-proxy statistics all<br>show dns-proxy cache all | DNS proxy |
| show system setting url-database | Active URL vendor/database |
| show system setting url-cache all | PAN-DB URL test and cache |
| set system setting fan-mode auto | Fan speed |
| show session id <id> | Reason for session close |
| show session all filter state discard<br>show session all filter application dns destination 8.8.8.8<br>show session info<br>show specific session | Examining the session table |
| set system setting additional-threat-log on | Zone protection logging |
| view-pcap follow yes filter-pcap | Live viewing of packet captures |
| tcpdump snaplen 0 filter "port 53"<br>view-pcap follow yes mgmt-pcap mgmt.pcap | Capturing management packets |
| less mp-log | Viewing management-plane logs |
| show routing table | Displays the routing table |
| show routing fib<br>show routing protocol <protocol> | Looks at routes for a specific destination |
| set system setting arp-cache-timeout <60-65536> | Changes the ARP cache timeout setting from the default |
| show system setting arp-cache-timeout<br>show routing path-monitor<br>debug routing path-monitor | Views the ARP cache timeout setting |
| ping host X.X.X.X | Pings a destination IP address |
| traceroute host X.X.X.X | Traces the path to a destination network |
| ping host ipwithease.com | Pings an FQDN |
| show netstat statistics | Shows network statistics |
| find command | Finds a command |
| show system statistics application<br>show system statistics session | Live session and application statistics |
| show interface {all \| <interface-name>}<br>show interface HW settings<br>show interface zone settings<br>show interface counters | Shows interface status (speed/duplex/state/MAC), hardware settings, zone settings, counters and configuration |
| show running nat-policy | Shows the NAT policy table |
| test nat-policy-match | Tests the NAT policy |
| show running ippool<br>show running global-ippool | Shows NAT pool utilization |
| show routing bfd active-profile [<name>] | Shows BFD profiles |
| show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>] | Shows BFD details |
| show routing bfd drop-counters session-id <session-id> | Shows BFD statistics on dropped sessions |
| show counter global \| match bfd | Shows BFD packets, i.e. transmitted/received/dropped |
| clear routing bfd counters session-id all \| <1-1024> | Clears counters of transmitted, received and dropped BFD packets for a particular session ID |
| clear routing bfd session-state session-id all \| <1-1024> | Clears BFD sessions for debugging purposes |
| show vlan all | Verifies the VLANs configured on the device |
| show counter global | Shows the counter of times the PVST |
| show system info \| match system-mode | Displays the current operational mode |
| request system system-mode logger | Changes from Panorama mode to Log Collector mode |
| show device groups name | Shows the history of a device group |
| show templates name <template-name> | Shows the history of a template |
| show config pushed-shared-policy | Shows all the policy rules and objects pushed from Panorama to a firewall |
| show config pushed-template | Shows all the templates configured from Panorama to a firewall |
| show logging-status device <firewall-serial-number> | Shows logging information to Panorama |
Conclusion
Palo Alto Networks troubleshooting CLI commands are used to verify the configuration and environmental health of a PAN device, and to check connectivity, licenses, VPN, routing, HA, User-ID, logs, NAT, PVST, BFD, Panorama and more.
If you are preparing for your next interview, you may like to go through the following links:
Palo Alto Firewall Questions and Answers in PDF
Palo Alto Firewall Architecture