Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Reference Guide
Release 3.0
Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Chapter 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 2
Understanding CLI Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Chapter 4
Operational Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
debug captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
debug cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
debug cpld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
debug dataplane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
debug device-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
debug dhcpd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
debug high-availability-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
debug ike . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
debug keymgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
debug log-receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
debug management-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
debug master-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
debug rasmgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
debug routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
debug software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
debug swm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
debug tac-login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
debug vardata-receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
grep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
less . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
request certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
request comfort-page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
request content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Chapter 5
Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Appendix A
Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Firewall Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Panorama Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Appendix B
PAN-OS CLI Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Preface
This preface contains the following sections:
• “About This Guide” in the next section
• “Organization” on page 7
This guide is intended for system administrators responsible for deploying, operating, and
maintaining the firewall and who require reference information about the PAN-OS CLI
commands that they want to execute on a per-device basis. For an explanation of features and
concepts, refer to the Palo Alto Networks Administrator’s Guide.
Organization
This guide is organized as follows:
• Chapter 1, “Introduction”—Introduces and describes how to use the PAN-OS CLI.
Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.
Symbol Description
NOTE
Indicates helpful suggestions or supplementary information.
CAUTION
Indicates information about which the reader should be careful to avoid data loss or
equipment failure.
WARNING
Indicates potential danger that could involve bodily injury.
Related Documentation
The following additional documentation is provided with the firewall:
• Quick Start
• Online help—Click Help in the upper right corner of the GUI to access the online help
system.
Technical Support
For technical support, use the following methods:
• Go to http://support.paloaltonetworks.com.
Chapter 1
Introduction
This chapter introduces and describes how to use the PAN-OS command line interface (CLI):
• “Understanding the PAN-OS CLI Structure” in the next section
• Data bits: 8
• Parity: none
• Stop bits: 1
4. The PAN-OS CLI opens in Operational mode, and the CLI prompt is displayed:
username@hostname>
Example:
username@hostname>
When you enter Configuration mode, the prompt changes from > to #:
username@hostname>
Each time you enter a command the syntax is checked. If the syntax is correct, the command is
executed, and the candidate hierarchy changes are recorded. If the syntax is incorrect, an
invalid syntax message is presented, as in the following example:
username@hostname# set zone application 1.1.2.2
Unrecognized command
Invalid syntax.
[edit]
username@hostname#
[edit]
username@hostname#
• To leave Configuration mode and return to Operational mode, use the quit or exit
command:
username@hostname# quit
Exiting configuration mode
username@hostname>
• To enter an Operational mode command while in Configuration mode, use the run
command, as described in “run” on page 40.
Example:
admin@localhost> ping ?
username@hostname> ping
+ bypass-routing Bypass routing table, use specified interface
+ count Number of requests to send (1..2000000000 packets)
+ do-not-fragment Don't fragment echo request packets (IPv4)
+ inet Force to IPv4 destination
+ interface Source interface (multicast, all-ones, unrouted
packets)
+ interval Delay between requests (seconds)
+ no-resolve Don't attempt to print addresses symbolically
+ pattern Hexadecimal fill pattern
+ record-route Record and report packet's path (IPv4)
+ size Size of request packets (0..65468 bytes)
+ source Source address of echo request
+ tos IP type-of-service value (0..255)
+ ttl IP time-to-live value (IPv6 hop-limit value) (0..255
hops)
+ verbose Display detailed output
+ wait Delay after sending last packet (seconds)
<host> Hostname or IP address of remote host
username@hostname> ping
Note: Some shortcuts depend upon the SSH client that is used to access the
PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the
Esc key.
Example: This command output shows options designated with + and >.
username@hostname# set rulebase security rules rule1 ?
+ action action
+ application application
+ description description
+ destination destination
+ disabled disabled
+ from from
+ log-end log-end
+ log-setting log-setting
+ log-start log-start
+ negate-destination negate-destination
+ negate-source negate-source
+ schedule schedule
+ service service
+ source source
+ to to
> profiles profiles
<Enter> Finish input
[edit]
username@hostname# set rulebase security rules rule1
hostname: PA-HDF
ip-address: 10.1.7.10
netmask: 255.255.0.0
default-gateway: 10.1.0.1
mac-address: 00:15:E9:2E:34:33
time: Fri Aug 17 13:51:49 2007
username@hostname>
username@hostname>
ethernet1/1 ethernet1/15
1 3 5 7 9 11 13 15
2 4 6 8 10 12 14 16
ethernet1/2 ethernet1/16
Use these names when referring to the Ethernet interfaces within the PAN-OS CLI commands,
as in the following example:
username@hostname# set network interface ethernet ethernet1/4 virtual-wire
Chapter 2
Understanding CLI Command Modes
This chapter describes the modes used to interact with the PAN-OS CLI:
• “Understanding Configuration Mode” in the next section
Each configuration command involves an action, and may also include keywords, options,
and values. Entering a command makes changes to the candidate configuration.
Note: If you exit Configuration mode without issuing the save or commit
command, your configuration changes could be lost if power is lost to the firewall.
Commit Save
Load
Set
For example, if you want to remove an existing security policy and add a new one, using
a traditional CLI command structure would leave the system vulnerable for the period of
time between removal of the existing security policy and addition of the new one. With
the PAN-OS approach, you configure the new security policy before the existing policy is
removed, and then implement the new policy without leaving a window of vulnerability.
For example, if you are configuring two Ethernet interfaces, each with a different IP
address, you can edit the configuration for the first interface, copy the command, modify
only the interface and IP address, and then apply the change to the second interface.
Because the candidate configuration is always unique, all the authorized changes to the
candidate configuration will be consistent with each other.
For example, the following command displays the configuration hierarchy for the ethernet
interface segment of the hierarchy:
username@hostname# show network interface ethernet
ethernet {
ethernet1/1 {
virtual-wire;
}
ethernet1/2 {
virtual-wire;
}
ethernet1/3 {
layer2 {
units {
ethernet1/3.1;
}
}
}
ethernet1/4;
}
[edit]
username@hostname#
network
ethernet aggregate-ethernet
vlan loopback
For example, the following command assigns the IP address/netmask 10.1.1.12/24 to the
Layer 3 interface for the Ethernet port ethernet1/4:
[edit]
username@hostname# set network interface ethernet ethernet1/4 layer3 ip
10.1.1.12/24
[edit]
username@hostname#
This command generates a new element in the hierarchy, as shown in Figure 4 and in the
output of the following show command:
[edit]
username@hostname# show network interface ethernet ethernet1/4
ethernet1/4 {
layer3 {
ip {
10.1.1.12/24;
}
}
}
[edit]
username@hostname#
ethernet aggregate-ethernet
vlan loopback
ip
10.1.1.12/24
indicates that the relative context is the top level of the hierarchy, whereas
[edit network profiles]
Use the commands listed in Table 3 to navigate through the configuration hierarchy.
[edit network]
Example:
[edit network interface] (network level)
admin@abce# up
[edit network]
username@hostname# (now at the network level)
Example:
[edit network interface vlan] (network vlan level)
username@hostname# top
[edit]
username@hostname# (now at network vlan level)
Note: The set command issued after using the up and top commands starts from
the new context.
• PAN-OS CLI navigation commands—Enter Configure mode or exit the PAN-OS CLI.
Includes configure, exit, and quit commands.
Chapter 3
Configuration Mode Commands
This chapter contains command reference pages for the following Configuration mode
command types:
• “check” on page 30
• “commit” on page 31
• “copy” on page 32
• “delete” on page 33
• “edit” on page 34
• “exit” on page 35
• “load” on page 36
• “move” on page 37
• “quit” on page 38
• “rename” on page 39
• “run” on page 40
• “save” on page 41
• “set” on page 42
• “show” on page 43
• “top” on page 44
• “up” on page 45
check
Check configuration status.
Syntax
check option
Options
data-access-passwd Check data access authentication status for this session.
pending-changes Check for uncommitted changes.
Sample Output
The following command shows that there are currently no uncommitted changes.
username@hostname# check pending-changes
no
[edit]
username@hostname#
commit
Make the current candidate configuration the active configuration on the firewall.
Syntax
commit
Options
None
Sample Output
The following command makes the current candidate configuration the active configuration.
# commit
copy
Make a copy of a node in the hierarchy along with its children, and add the copy to the same
hierarchy level.
Syntax
copy [node1] to [node2]
Options
node1 Specifies the node to be copied.
node2 Specifies the name of the copy.
Sample Output
The following command, executed from the rule base security level of the hierarchy, makes a
copy of rule1, called rule2.
[edit rulebase security]
username@hostname# copy rules rule1 to rule2
[edit rulebase security]
username@hostname#
The following command shows the location of the new rule in the hierarchy.
security {
rules {
rule1 {
source [ any 1.1.1.1/32 ];
destination 1.1.1.2/32;
}
rule2 {
source [ any 1.1.1.1/32 ];
destination 1.1.1.2/32;
}
}
}
delete
Remove a node from the candidate configuration along with all its children.
Syntax
delete [node]
Options
node Specifies the hierarchy node to delete.
Sample Output
The following command deletes the application myapp from the candidate configuration.
username@hostname# delete application myapp
[edit]
username@hostname#
edit
Change context to a lower level in the configuration hierarchy.
Syntax
edit [context]
Options
context Specifies a path through the hierarchy.
Sample Output
The following command changes context from the top level to the network profiles level of
the hierarchy.
[edit]
username@hostname# edit rulebase
[edit rulebase]
username@hostname#
exit
Exit from the current PAN-OS CLI level.
• From Operational mode—Exits the PAN-OS CLI.
• From Configuration mode, lower hierarchy levels—Changes context to one level up in the
hierarchy. Provides the same result as the up command.
Syntax
exit
Options
None
Sample Output
The following command changes context from the network interface level to the network
level.
[edit network interface]
username@hostname# exit
[edit network]
username@hostname#
username@hostname>
load
Assigns the last saved configuration or a specified configuration to be the candidate
configuration.
Syntax
load config [from filename]
Options
filename Specifies the filename from which the configuration will be loaded.
Sample Output
The following command assigns output.xml to be the candidate configuration.
[edit]
username@hostname# load config from output.xml
command succeeded
[edit]
username@hostname#
move
Relocate a node in the hierarchy along with its children to be at another location at the same
hierarchy level.
Syntax
move element [bottom | top | after element | before element]
Options
element Specifies the items to be moved.
element Specifies the new location of the element:
placement
Option Description
bottom Makes the element the last entry of the hierarchy level.
top Makes the element the first entry of the hierarchy level.
after Moves element to be after element2.
before Moves element to be before element2.
element2 Indicates the element after or before which element1 will be placed.
Sample Output
The following command moves the security rule rule1 to the top of the rule base.
username@hostname# move rulebase security rules rule1 top
[edit]
username@hostname#
quit
Exit from the current PAN-OS CLI level.
• From Operational mode—Exits the PAN-OS CLI.
• From Configuration mode, lower hierarchy levels—Changes context to one level up in the
hierarchy. Provides the same result as the up command.
Syntax
quit
Options
None
Sample Output
The following command changes context from the network interface level to the network
level.
[edit log-settings]
username@hostname# quit
[edit]
username@hostname#
username@hostname>
rename
Change the name of a node in the hierarchy.
Syntax
rename [node1] to [node2]
Options
node1 Indicates the original node name.
node2 Indicates the new node name.
Sample Output
The following command changes the name of a node in the hierarchy from 1.1.1.1/24 to
1.1.1.2/24.
username@hostname# rename network interface vlan ip 1.1.1.1/24 to 1.1.1.2/24
run
Execute an Operational mode command while in Configuration mode.
Syntax
run [command]
Options
command Specifies an Operational mode command.
Sample Output
The following command executes a ping command to the IP address 1.1.1.2 from
Configuration mode.
username@hostname# run ping 1.1.1.2
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
...
username@hostname#
save
Saves a snapshot of the firewall configuration.
Note: This command saves the configuration on the firewall, but does not make
the configuration active. Use the commit command to make the current candidate
configuration active.
Syntax
save config [to filename]
Options
filename Specifies the filename to store the configuration. The filename cannot include
a hyphen (-).
Sample Output
The following command saves a copy of the configuration to the file savefile.
[edit]
username@hostname# save config to savefile
Config saved to savefile
[edit]
username@hostname#
set
Changes a value in the candidate configuration. Changes are retained while the firewall is
powered until overwritten.
Note: To save the candidate configuration in non-volatile storage, use the save
command. To make the candidate configuration active, use the commit command.
Syntax
set [context]
Options
context Specifies a path through the hierarchy.
Sample Output
The following command assigns the ethernet1/4 interface to be a virtual wire interface.
[edit]
username@hostname# set network interface ethernet ethernet1/1 virtual-wire
[edit]
username@hostname#
The following command sets the VLAN IP address to 1.1.1.4/32 from the network interface
vlan level of the hierarchy.
[edit network interface vlan]
username@hostname# set ip 1.1.1.4/32
The following command locks an administrative user out for 15 minutes after 5 failed login
attempts.
username@hostname# set deviceconfig setting management admin-lockout 5
lockout-time 15
show
Display information about the current candidate configuration.
Syntax
show [context]
Options
context Specifies a path through the hierarchy.
Sample Output
The following command shows the full candidate hierarchy.
username@hostname# show
The following commands can be used to display the hierarchy segment for network interface.
• Specify context on the command line:
show network interface
• Use the edit command to move to the level of the hierarchy, and then use the show
command without specifying context:
edit network interface
[edit network interface] show
top
Change context to the top hierarchy level.
Syntax
top
Options
None
Sample Output
The following command changes context from the network level of the hierarchy to the top
level.
[edit network]
username@hostname# top
[edit]
username@hostname#
up
Change context to the next higher hierarchy level.
Syntax
up
Options
None
Sample Output
The following command changes context from the network interface level of the hierarchy to
the network level.
[edit network interface]
username@hostname# up
[edit network]
username@hostname#
Chapter 4
Operational Mode Commands
This chapter contains command reference pages for the following operational mode
commands:
• “clear” on page 51
• “configure” on page 53
• “exit” on page 75
• “grep” on page 76
• “less” on page 77
• “netstat” on page 78
• “ping” on page 79
• “quit” on page 81
• “scp” on page 99
clear
Reset information, counters, sessions, or statistics.
Syntax
clear application-signature statistics
clear arp <all | interfacename>
clear counter <all | global | interface>
clear dhcp lease <all | interface name interfacename [ip ipaddr]>
clear high-availability control-link statistics
clear job jobid
clear log type
clear mac <value | all>
clear query <all-by-session | id queryid>
clear report <all-by-session | id reportid>
clear session <id sessionid | all [filter rule]>
clear statistics
clear vpn <flow [tunnel-id tunnelid] | ike-sa [gateway gatewayid] |
ipsec-sa [tunnel tunnelid]>
Options
application- Clears application-signature statistics.
signature
statistics
arp Clears Address Resolution Protocol (ARP) information for a specified
interface, loopback, or VLAN, or all.
counter Clears interface counters. Specify all counters, global counters, or
interface counters.
dhcp lease Clears DHCP leases. Specify all or specify an interface and optional IP
address.
job Clears download jobs. Specify the job id.
log Remove log files from disk. Specify the log type: acc, config, system,
threat, or traffic.
mac Clears MAC address information for a specified VLAN or all addresses.
session Clears a specified session or all sessions. Refer to “show session” on
page 154 for a description of the filter options when clearing all sessions.
Sample Output
The following command clears the session with ID 2245.
username@hostname> clear session id 2245
Session 2245 cleared
username@hostname>
configure
Enter Configuration mode.
Syntax
configure
Options
None
Sample Output
To enter Configuration mode from Operational mode, enter the following command.
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#
debug captive-portal
Define settings for debugging the captive portal daemon.
Syntax
debug captive-portal option
Options
show Shows whether this command is on or off.
off Turns the debugging option off.
on Turns the debugging option on.
Sample Output
The following command turns the debugging option on.
admin@PA-HDF> debug captive-portal on
admin@PA-HDF>
debug cli
Define settings and display information for debugging the CLI connection.
Syntax
debug cli option
Options
detail Shows details information about the CLI connection.
show Shows whether this command is on or off.
off Turns the debugging option off.
on Turns the debugging option on.
Sample Output
The following command shows details of the CLI connection.
admin@PA-HDF> debug cli detail
Environment variables :
(USER . admin)
(LOGNAME . admin)
(HOME . /home/admin)
(PATH . /usr/local/bin:/bin:/usr/bin)
(MAIL . /var/mail/admin)
(SHELL . /bin/bash)
(SSH_CLIENT . 10.31.1.104 1109 22)
(SSH_CONNECTION . 10.31.1.104 1109 10.1.7.2 22)
(SSH_TTY . /dev/pts/0)
(TERM . vt100)
(LINES . 24)
(COLUMNS . 80)
(PAN_BASE_DIR . /opt/pancfg/mgmt)
PAN_BUILD_TYPE : DEVELOPMENT
debug cpld
Debug the complex programmable logic device (CPLD).
Syntax
debug cpld
Options
None
Sample Output
N/A
debug dataplane
Configure settings for debugging the data plane.
Syntax
debug dataplane option
Options
The available sub-options depend on the specified option.
Sample Output
The following command shows the statistics for the dataplane buffer pools.
admin@PA-HDF> debug dataplane pool statistics
The following command turns dataplane filtering on and sets filter parameters.
admin@PA-HDF> debug dataplane filter on
admin@PA-HDF> debug dataplane filter set source 10.1 11.2.3 file abc.pcap
debug device-server
Configure settings for debugging the device server.
Syntax
debug device-server option
Options
clear Clear all debug logs.
dump Dump the debug data.
off Turn off debug logging.
on Turn on debug logging.
refresh Refresh the user-group data.
reset Clear logging data.
set Set debugging values.
show Display current debug log settings.
test Test the current settings.
uset Remove current settings.
Sample Output
The following command turns off debug logging for the device server.
admin@PA-HDF> debug device-server off
admin@PA-HDF>
debug dhcpd
Configure settings for debugging the Dynamic Host Configuration Protocol (DHCP) daemon.
Syntax
debug dhcpd option
Options
global Define settings for the global DHCP daemon.
pcap Define settings for debugging packet capture.
Sample Output
The following command shows current global DHCP daemon settings.
admin@PA-HDF> debug dhcpd global show
sw.dhcpd.runtime.debug.level: debug
admin@PA-HDF>
debug high-availability-agent
Configure settings for debugging the high availability agent.
Syntax
debug high-availability-agent option
Options
clear Clear the debug logs.
internal-dump Dump the internal state of the agent to its log.
model-check Turn model checking with the peer on or off.
off Turns the debugging option off.
on Turns the debugging option on.
show Shows whether this command is on or off.
Sample Output
The following command turns modeling checking on for the high availability agent.
admin@PA-HDF> debug high-availability-agent model-check on
admin@PA-HDF>
debug ike
Configure settings for debugging Internet Key Exchange (IKE) daemon.
Syntax
debug ike option
Options
global Configure global settings.
pcap Configure packet capture settings.
socket Configure socket settings.
stat Show IKE daemon statistics.
Sample Output
The following command turns on the global options for debugging the IKE daemon.
admin@PA-HDF> debug ike global on
admin@PA-HDF>
debug keymgr
Configure settings for debugging the key manager daemon.
Syntax
debug keymgr option
Options
list-sa Lists the IPSec security associations (SAs) that are stored in the key manager
daemon.
off Turn the settings off.
on Turn the settings on.
show Show key manager daemon information.
Sample Output
The following command shows the current information on the key manager daemon.
admin@PA-HDF> debug keymgr show
sw.keymgr.debug.global: normal
admin@PA-HDF>
debug log-receiver
Configure settings for debugging the log receiver daemon.
Syntax
debug log-receiver option
Options
off Turns the debugging option off.
on Turns the debugging option on.
show Shows whether this command is on or off.
statistics Show log receiver daemon statistics.
Sample Output
The following command turns log receiver debugging on.
admin@PA-HDF> debug log-receiver on
admin@PA-HDF>
debug management-server
Configure settings for debugging the management server.
Syntax
debug management-server option
Options
clear Clear all debug logs.
client Debug the management server client.
off Turn debugging off
on Turn debugging on.
phased-commit Set experimental mode for committing in phases.
show Show management server debug statistics.
Sample Output
The following example turns management server debugging on.
admin@PA-HDF> debug management-server on
(null)
admin@PA-HDF>
debug master-service
Configure settings for debugging the master service.
Syntax
debug master-service option
Options
clear Clear all debug logs.
internal-dump Dump the internal state of the server to the log.
off Turn debugging off
on Turn debugging on.
show Show debug settings.
Sample Output
The following command dumps the internal state of the master server to the log.
admin@PA-HDF> debug master-service internal-dump
admin@PA-HDF>
debug rasmgr
Configure settings for debugging the remote access service daemon.
Syntax
debug rasmgr option
Options
show Show whether this command is on or off.
off Turn the debugging option off.
on Turn the debugging option on.
Sample Output
The following command shows the debug settings for the remote access service daemon.
admin@PA-HDF> debug rasmgr show
sw.rasmgr.debug.global: normal
admin@PA-HDF>
debug routing
Configure settings for debugging the route daemon.
Syntax
debug routing option
Options
fib Turn on debugging for the forwarding table.
global Turn on global debugging.
list-mib Show the routing list with management information base (MIB) names.
mib Show the MIB tables.
pcap Show packet capture data.
socket Show socket data.
Sample Output
The following command displays the MIB tables for routing.
admin@PA-HDF> debug routing list-mib
i3EmuTable (1 entries)
==========================
sckTable (0 entries)
sckSimInterfaceTable (0 entries)
sckEiTable (0 entries)
sckEaTable (0 entries)
i3Table (0 entries)
i3EiTable (0 entries)
i3EaTable (0 entries)
i3EtTable (0 entries)
i3EmTable (0 entries)
dcSMLocationTable (0 entries)
dcSMHMTestActionObjects (0 entries)
siNode (0 entries)
siOSFailures (0 entries)
siTraceControl (0 entries)
siExecAction (0 entries)
...
admin@PA-HDF>
debug software
Restart software processes to aid debugging.
Syntax
debug software restart option
Options
device-server Restart the device server.
management-server Restart the management server.
web-server Restart the web server.
Sample Output
The following command restarts the web server.
admin@PA-HDF> debug software restart web-server
admin@PA-HDF>
debug swm
Configure settings for debugging the Palo Alto Networks software manager.
Syntax
debug swm option
Options
command Run a software manager command.
history Show the history of software installation operations.
list List software versions that are available for installation.
refresh Revert back to the last successfully installed content.
revert Revert back to the last successfully installed software.
status Show the status of the software manager.
unlock Unlock the software manager.
Sample Output
The following command shows the list of available software versions.
admin@PA-HDF> debug swm list
3.0.0-c4.dev
3.0.0-c1.dev_base
2.0.0-c207
2.0.0-c206
admin@PA-HDF>
debug tac-login
Configure settings for debugging the Palo Alto Networks Technical Assistance Center (TAC)
connection.
Syntax
debug tac-login option
Options
enable Enable TAC login.
disable Disable TAC login.
permanently-disable Turn off TAC login debugging permanently.
Sample Output
The following command turns TAC login debugging on.
admin@PA-HDF> debug tac-login on
admin@PA-HDF>
debug vardata-receiver
Configure settings for debugging the variable data daemon.
Syntax
debug vardata-receiver option
Options
off Turns the debugging option off.
on Turns the debugging option on.
show Shows whether this command is on or off.
statistics Show log receiver daemon statistics.
Sample Output
The following command shows statistics for the variable data daemon.
admin@PA-HDF> debug vardata-receiver statistics
admin@PA-HDF>
delete
Remove files from disk or restore default comfort pages, which are presented when files or
URLs are blocked.
Syntax
delete item
Options
item Specifies the type of file to be deleted.
Option Description
captive-portal-text Text included in a captive portal.
config saved filename Saved configuration file.
content update filename Content updates.
core <control-plane | Control or data plane cores.
dataplan> file filename
data-capture directoryname Data capture files.
debug-filter file filename Debugging packet capture files on disk.
file-block-page Page presented to users when files are
blocked. Restores default page.
inbound-key filename SSL inbound proxy keys on disk.
license key filename License key file.
logo Custom logo file.
pcap file filename Packet capture files.
policy-cache Cached policy compilations
report <custom | predefined Specified report with file name and report
| summary> file-name name.
filename report-name report
root-certificate file Root certificates.
filename
Option Description
software image imagename Software image.
version versionname
spyware-block-page Page presented to users when web pages are
blocked due to spyware. Restores default
page.
ssl-optout-text Page presented to users when a web session
is to be decrypted. Restores default page.
threat-pcap directory Threat packet capture files in a specified
directoryname directory.
unknown-pcap directory Packet capture files for unknown sessions.
directoryname
url-block-page Page presented to users when web pages are
blocked. Restores default page.
url-coach-text Page presented to users. Restores default
page.
user-file ssh-known-hosts SSH known hosts file.
virus-block-page Page presented to users when web pages are
blocked. Restores default page.
Sample Output
The following command deletes the custom page presented to users when web pages are
blocked due to spyware.
username@hostname> delete spyware-block-page
username@hostname>
exit
Exit the PAN-OS CLI.
Syntax
exit
Options
None
Sample Output
N/A
grep
Find and list lines from log files that match a specified pattern.
Syntax
grep [after-context number] [before-context number] [context number]
[count] [ignore-case] [invert-match] [line-number] [max-count] [no-
filename] [with-filename] pattern file
Options
after-context Prints the matching lines plus the specified number of lines that follow the
matching lines.
before-context Prints the matching lines plus the specified number of lines that precede the
matching lines.
context Prints the specified number of lines in the file for output context.
count Prints a count of matching files for each input file.
ignore-case Ignores case distinctions.
invert-match Selects non-matching lines instead of matching lines.
line-number Adds the line number at the beginning of each line of output.
max-count Stops reading a file after the specified number of matching lines.
no-filename Does not add the filename prefix for output.
with-filename Prints the file name for each match.
pattern Indicates the string to be matched.
file Indicates the log file to be searched.
Sample Output
The following command searches the ms.log file for occurrences of the string id:admin.
username@hostname> grep id:admin /var/log/pan/ms.log
username@hostname>
less
List the contents of the specified log file.
Syntax
less type file
Options
type Indicates the type of log file to be searched:
• custom-page
• dp-backtrace
• dp-log
• mp-backtrace
• mp-log
• webserver-log
file Indicates the log file to be searched:
Sample Output
The following command lists the contents of the web server error log.
username@hostname> less webserver-log error.log
default:2 main Configuration for Mbedthis Appweb
default:2 main --------------------------------------------
default:2 main Host: pan-mgmt2
default:2 main CPU: i686
default:2 main OS: LINUX
default:2 main Distribution: unknown Unknown
default:2 main OS: LINUX
default:2 main Version: 2.4.0.0
default:2 main BuildType: RELEASE
default:2 main Started at: Mon Mar 2 12
...
netstat
Displays packet capture file content.
Syntax
netstat type <no | yes>
Options
type Indicates the packet capture file type:
• all—Display all sockets (default: connected).
• cache—Display routing cache instead of Forwarding Information Base (FIB).
• continuous—Continuous listing.
• extend—Display other/more information.
• fib—Display FIB (default).
• groups—Display multicast group memberships.
• interfaces—Display interface table.
• listening—Display listening server sockets.
• numeric—Do not resolve names.
• numeric-hosts—Do not resolve host names.
• numeric-ports—Do not resolve port names.
• numeric-users—Do not resolve user names.
• programs—Display PID/Program name for sockets.
• route—Display routing table.
• statistics—Display networking statistics (like SNMP).
• symbolic—Resolve hardware names.
• timers—Display timers.
• verbose—Display full details.
no | yes Indicates whether the specified option is included in the output.
Sample Output
The following command shows an excerpt from the output of the netstat command.
username@hostname> netstat all yes
...
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 5366 /tmp/ssh-lClRtS1936/
agent.1936
unix 2 [ ] DGRAM 959 @/org/kernel/udev/udevd
unix 18 [ ] DGRAM 4465 /dev/log
...
ping
Check network connectivity to a host.
Syntax
ping [bypass-routing] [count] [do-not-fragment] [inet] [no resolve]
[pattern] [size] [source] [tos] [ttl] host
Options
bypass-routing Sends the ping request directly to the host on a direct attached network,
bypassing usual routing table.
count Specifies the number of ping requests to be sent.
do-not-fragment Prevents packet fragmentation by use of the do-not-fragment bit in the
packet’s IP header.
inet Specifies that the ping packets will use IP version 4.
interval Specifies how often the ping packets are sent (0 to 2000000000 seconds).
no-resolve Provides IP address only without resolving to hostnames.
pattern Specifies a custom string to include in the ping request. You can specify up to
12 padding bytes to fill out the packet that is sent as an aid in diagnosing data-
dependent problems.
size Specifies the size of the ping packets.
source Specifies the source IP address for the ping command.
tos Specifies the type of service (TOS) treatment for the packets by way of the TOS
bit for the IP header in the ping packet.
ttl Specifies the time-to-live (TTL) value for the ping packet (IPv6 hop-limit
value) (0-255 hops).
verbose Requests complete details of the ping request.
host Specifies the host name or IP address of the remote host.
Sample Output
The following command checks network connectivity to the host 66.102.7.104, specifying 4
ping packets and complete details of the transmission.
username@hostname> ping count 4 verbose 66.102.7.104
PING 66.102.7.104 (66.102.7.104) 56(84) bytes of data.
64 bytes from 66.102.7.104: icmp_seq=0 ttl=243 time=316 ms
64 bytes from 66.102.7.104: icmp_seq=1 ttl=243 time=476 ms
64 bytes from 66.102.7.104: icmp_seq=2 ttl=243 time=376 ms
64 bytes from 66.102.7.104: icmp_seq=3 ttl=243 time=201 ms
username@hostname>
quit
Exit the current session for the firewall.
Syntax
quit
Options
None
Sample Output
N/A
request certificate
Generate a self-signed security certificate.
Syntax
request certificate [install for-use-by purpose | self-signed option
for-use-by purpose]
Options
install Installs the generated certificate.
self-signed Generates the self-signed certificate.
option Specifies information to include in the certificate. Multiple options are
supported.
Sample Output
The following command requests a self-signed certificate for the web interface with length
1024 and IP address 1.1.1.1.
username@hostname> request certificate self-signed nbits 1024 name 1.1.1.1
for-use-by web-interface
request comfort-page
Installs a user-defined comfort page.
Syntax
request comfort page install option
Options
option Specifies the type of file to export to the other host.
Option Description
application- Application packet capture file.
block-page
file-block-page File containing comfort pages to be presented
when files are blocked.
spyware-block- Comfort page to be presented when files are
page blocked due to spyware.
url-block-page Comfort page to be presented when files are
blocked due to a blocked URL.
virus-block-page Comfort page to be presented when files are
blocked due to a virus.
request content
Perform application level upgrade operations.
Syntax
request content upgrade [check | download latest | info | install
latest]
Options
check Obtain information from the Palo Alto Networks server.
download latest Download application identification packages.
info Show information about the available application ID packages.
install latest Install application identification packages.
Sample Output
The following command lists information about the firewall server software.
username@hostname> request content upgrade check
-------------------------------------------------------------------------
username@hostname>
request data-filtering
Assign passwords for data filtering.
Syntax
request data-filtering access-password option
Options
option Specifies one of the following options.
Option Description
create password Creates the specified password.
pword
modify old- Changes the specified old password to the
password oldpwd new password.
new-password
newpwd o
delete Deletes the data filtering password. When
this command is issued, the system prompts
for confirmation and warns that logged data
will be deleted and logging will be stopped.
Sample Output
The following command assigns the specified password for data filtering.
username@hostname> request data-filtering access-password create password
mypwd
username@hostname>
request device-registration
Perform device registration.
Syntax
request device-registration username user password pwd
Options
username Specify the user name for device access.
user
password Specify the password for device access.
pwd
Sample Output
The following command registers the device with the specified user name and password.
username@hostname> request device-registration username admin password
adminpwd
username@hostname>
request high-availability
Perform high-availability operations.
Syntax
request high-availability option
Options
option Specifies one of the following options.
Option Description
clear-alarm-led Clears the high-availability alarm LED.
state Changes the state to operational (functional) or suspended.
<functional |
suspended>
sync-to-remote Performs synchronization operations:
option • candidate-config—Synchronize the candidate configura-
tion to peer.
• clock—Synchronize the local time and date to the peer.
• disk-state—Synchronize required on-disk state to peer.
• running-config—Synchronize the running configuration
to peer.
• runtime-state—Synchronize the runtime synchronization
state to peer.
Sample Output
The following command sets the high-availability state of the device to the suspended state.
username@hostname> request high-availability state suspend
username@hostname>
request license
Perform license-related operations.
Syntax
request license [fetch [auth-code] | info | install]
Options
fetch Gets a new license key using an authentication code.
info Displays information about currently owned licenses.
install Installs a license key.
Sample Output
The following command requests a new license key with the authentication code 123456.
username@hostname> request fetch auth-code 123456
username@hostname>
request password-hash
Generate a hashed string for the user password.
Syntax
request password-hash password pwd
Options
pwd Specify the clear text password that requires the hash string.
Sample Output
The following command generates a hash of the specified password.
username@hostname> request password-hash password mypassword
$1$flhvdype$qupuRAx4SWWuZcjhxn0ED.
request restart
Restart the system or software modules.
CAUTION: Using this command causes the firewall to reboot, resulting in the
temporary disruption of network traffic. Unsaved or uncommitted changes will be
lost.
Syntax
request restart [dataplane | software | system]
Options
dataplane Restarts the dataplane software.
software Restarts all system software
system Reboots the system.
Sample Output
The following command restarts all the firewall software.
username@hostname> request restart software
request ssl-output-text
Install user-defined Secure Socket Layer (SSL) output text.
Syntax
request ssl-option-text install
Options
None
Sample Output
The following command installs SSL output text.
username@hostname> request ssl-optout-text install
request ssl-vpn
Forces logout from a Secure Socket Layer (SSL) virtual private network (VPN) session.
Syntax
request ssl-vpn client-logout option
Options
option Specify the following required options:
• portal—Specify the SSL VPN portal name.
• domain—Specify the user’s domain name.
• reason force-logout—Specify to indicate that the logout is administrator-initiated.
• user—Specify the user name.
Sample Output
The following command forces a logout of the specified user.
username@hostname> request ssl-vpn client-logout domain paloaltonetworks.com
port sslportal user ssmith reason force-logout
request support
Obtain technical support information.
Syntax
request support [check | info]
Options
check Get support information from the Palo Alto Networks update server.
info Show downloaded support information.
Sample Output
The following command shows downloaded support information.
username@hostname> request support info
0
Support Home
https://support.paloaltonetworks.com
Manage Cases
https://support.paloaltonetworks.com/pa-portal/
index.php?option=com_pan&task=vie
wcases&Itemid=100
Download User Identification Agent
https://support.paloaltonetworks.com/pa-portal/
index.php?option=com_pan&task=sw_
updates&Itemid=135
866-898-9087
support@paloaltonetworks.com
November 07, 2009
Standard
10 x 5 phone support; repair and replace hardware service
username@hostname>
request system
Download system software or request information about the available software packages.
Syntax
request system [factory-reset | software [check | download [file |
version] name] | info | install [file | version] name]]
Options
check Gets information from the Palo Alto Networks server.
download Downloads software packages.
info Shows information about the available software packages.
install Downgrades to a downloaded software package.
Sample Output
The following command requests information about the software packages that are available
for download.
username@hostname> request system software info
username@hostname>
request tech-support
Obtain information to assist technical support in troubleshooting.
Syntax
request technical support dump
Options
None
Sample Output
The following command creates a dump for technical support.
username@hostname> request tech-support dump
request url-filtering
Perform URL filtering operations
Syntax
request url-filtering option
Options
upgrade Upgrade to latest version. Optionally specify brightcloud to update the
BrightCloud database.
download Show status of information download for URL filtering.
status
Sample Output
The following command upgrades the BrightCloud database.
username@hostname> request url-filtering upgrade brightcloud
request vpn-client
Perform VPN client package operations.
Syntax
request vpn-client software option
Options
check Obtain information from the Palo Alto Networks server.
download Download software packages. Specify one of the following:
• file—Name of the file containing the software package.
• version—Specified software version.
info Show downloaded support information.
install Install the software as specified:
• file—Name of the file containing the software package.
• version—Specified software version.
Sample Output
The following command displays information about the available software packages.
username@hostname> request vpnclient software info
scp
Copy files between the firewall and another host. Enables downloading of a customizable
HTML replacement message (comfort page) in place of a malware infected file.
Syntax
scp export export-option [control-plane | data-plane] to target from
source [remote-port portnumber] [source-ip address]
Options
export export- Specifies the type of file to export to the other host.
option
Option Description
application Application packet capture file.
captive-portal- Text to be included in a captive portal.
text
configuration Configuration file.
core-file Core file.
debug pcap IKE negotiation packet capture file.
file-block-page File containing comfort pages to be presented when
files are blocked.
filter Filter definitions.
log-file Log files.
log-db Log database.
packet-log Logs of packet data.
spyware-block- Comfort page to be presented when files are blocked
page due to spyware.
ssl-optout-text SSL optout text.
tech-support Technical support information.
trusted-ca- Certificate Authority (CA) security certificate.
certificate
url-block-page Comfort page to be presented when files are blocked
due to a blocked URL.
virus-block-page Comfort page to be presented when files are blocked
due to a virus.
web-interface- Web interface certificate.
certificate
import import- Specifies the type of file to import from the other host.
option
Option Description
application Application packet capture file.
captive-portal- Text to be included in a captive portal.
text
configuration Configuration file.
core-file Core file.
file-block-page File containing comfort pages to be presented
when files are blocked.
filter Filter definitions.
ike-pcapc-file IKE negotiation packet capture file.
log-file Log files.
log-db Log database.
packet-log Logs of packet data.
spyware-block- Comfort page to be presented when files are
page blocked due to spyware.
ssl-optout-text SSL optout text.
tech-support Technical support information.
trusted-ca- Certificate Authority (CA) security certificate.
certificate
url-block-page Comfort page to be presented when files are
blocked due to a blocked URL.
Sample Output
The following command imports a license file from a file in user1’s account on the machine
with IP address 10.0.3.4.
username@hostname> scp import ssl-certificate from user1@10.0.3.4:/tmp/
certificatefile
set application
Set parameters for system behavior when applications are blocked.
Syntax
set application option
Options
cache <yes | no> Enables (yes) or disables (no) the application cache.
dump <off | on option> Enables (on) or disables (off) the application packet capture. The
following options determine the contents of the dump:
• application —Specified application.
• destination—Destination IP address of the session.
• destination-user—Destination user.
• destination-port —Destination port.
• zone—Specified zone.
• protocol—Specified protocol.
• limit —Maximum number of sessions to capture.
• source—Source IP address for the session.
• source-user—Specified source user.
• source-port—Specified source port.
dump-unknown <yes | no> Enables (yes) or disables (no) capture of unknown applications.
heuristics <yes | no> Enables (yes) or disables (no) heuristics detection for applications.
notify-user <yes | no> Enables (yes) or disables (no) user notification when an application
is blocked.
supernode <yes | no> Enables (yes) or disables (no) detection of super nodes for peer-to-
peer applications that have designated supernodes on the Internet.
Sample Output
The following command turns packet capture for unknown applications off.
username@hostname>
set cli
Set scripting and pager options for the PAN-OS CLI.
Syntax
set cli [scripting-mode | pager | timeout [idle idle-value] [session
session-value]] off | on
Options
scripting-mode Enables or disables scripting mode.
pager Enables or disables pages.
timeout Sets administrative session timeout values.
idle-value Specifies the idle timeout (0-86400 seconds).
session-value Specifies the administrative session timeout (0-86400 seconds).
off Turns the option off.
on Turns the option on.
Sample Output
The following command turns the PAN-OS CLI pager option off.
username@hostname> set cli pager off
username@hostname>
set clock
Set the system date and time.
Syntax
set clock option
Options
date YYYY/MM/DD Specify the date in yyyy/mm/dd format.
time hh:mm:ss Specify the time in hh:mm:ss format (hh: 0-23, mm: 0-59, ss: 0-59).
Sample Output
The following command sets the system date and time.
username@hostname> set clock date 2009/03/20 time 14:32:00
username@hostname>
set ctd
Show content-related information on the Content-based Threat Detection (CTD) engine.
Syntax
set ctd x-forwarded-for <no | yes>
Options
no Disable parsing of the x-forwarded-for attribute.
yes Enable parsing of the x-forwarded-for attribute.
Sample Output
The following command enables parsing of the attribute.
username@hostname> set ctd x-forwarded-for yes
username@hostname>
set data-access-password
Set the access password for the data filtering logs.
Syntax
set data-access-password pwd
Options
pwd Specifies the password.
Sample Output
The following command sets the password for data filtering logs.
username@hostname> set data-access password 12345678
username@hostname>
set logging
Set logging options for traffic and event logging.
Syntax
set logging option value
Options
Options
default Restores all log settings to default.
log-suppression Enables or disables suppression of log information.
<yes | no>
Note: max-packet-rate and max-log rate both affect the rate at which log messages
are forwarded. Generated log messages are kept in priority queues, and the log
forwarding engine forwards the generated logs based on the log and packet rates. If
the rates are set too low, the queues may build up and eventually drop log
messages.
Sample Output
The following command sets the logging rate to be a maximum of 1000 KB/second.
username@hostname>
set management-server
Set parameters for the management server, which manages configuration, reports, and
authentication for the firewall.
Syntax
set management-server option
Options
logging option Sets the following logging options:
• import-end—Exit import mode.
• import-start—Enter import mode.
• off—Disable logging.
• on—Allow logging.
unlock Specifies the serial number or software license key.
Sample Output
The following command enables logging on the management server.
username@hostname> set management-server logging on
username@hostname>
set multi-vsys
Enable or disable multiple virtual system functionality on the firewall.
Syntax
set multi-vsys <off | on>
Options
on Enables support for multiple virtual systems.
off Disables support for multiple virtual systems.
Sample Output
The following command enables multiple virtual system functionality on the firewall.
username@hostname> set multi-vsys on
username@hostname>
set panorama
Enable or disable connection between the firewall and Panorama.
Syntax
set panorama <off | on>
Options
on Enables the connection between the firewall and Panorama.
off Disables the connection between the firewall and Panorama.
Sample Output
The following command disables the connection between the firewall and Panorama.
username@hostname> set panorama off
username@hostname>
set password
Set the firewall password. When you issue this command, the system prompts you to enter
the old and new password and to confirm the new password.
Syntax
set password
Options
None
Sample Output
The following example shows how to reset the firewall password.
username@hostname> set password
Enter old password : (enter the old password)
Enter new password : (enter the new password0
Confirm password : (reenter the new password)
Password changed
username@hostname>
set proxy
Sets the proxy parameter. The firewall can act as a proxy for the client, as a forward proxy for
outbound traffic, and as an inbound proxy for traffic coming to the clients.
Syntax
set proxy option
Options
answer-timeout Sets the timeout value for communication with the proxy server
(1-86400 seconds).
notify-user <yes | no> Enables or disables the user notification web page.
Sample Output
The following command disables SSL decryption.
username@hostname> set proxy skip-ssl yes
username@hostname>
set serial-number
(Panorama™ only) Configure the serial number of the Panorama machine. The serial number
must be set for Panorama to connect to the update server.
Syntax
set serial-number value
Options
value Specifies the serial number or software license key.
Sample Output
The following command sets the Panorama serial number to 123456.
username@hostname> set serial-number 123456
username@hostname>
set session
Set parameters for the networking session.
Syntax
set session [default | item value]
Options
default Restores all session settings to the default values.
item Specifies the debugging target or level.
value
Option Value Description
accelerated- no | yes Enables or disables accelerated session
aging-enable aging.
accelerated- Power of 2 Sets the accelerated session aging
aging-scaling- scaling factor (power of 2).
factor
accelerated- Power of 2 (1-100) Sets the accelerated aging threshold as
aging-threshold a percentage of session utilization.
Sample Output
The following command sets the TCP timeout to 1 second.
username@hostname> set session timeout-tcpwait 1
username@hostname>
set shared-policy
Set shared policy management behavior with Panorama.
Syntax
set shared-policy option
Options
disable Disables Panorama shared policy management.
enable Enable Panorama shared policy management.
import-and-disable Imports and then disallows shared policies.
<yes | no>
Sample Output
The following command enables shared policies with Panorama.
username@hostname> set shared-policy enable
username@hostname>
set ssl-vpn
Enable Secure Socket Layer (SSL) virtual private network (VPN) for a specified user.
Syntax
set ssl-vpn unlock auth-profile profilename user uname vsys vsysname
Options
profilename Specifies the authentication profile that applies to the user.
uname Specifies the name of the user.
vsysname Specifies the name of the target virtual system.
Sample Output
The following command applies an authentication profile, user and virtual system for SSL-
VPN access.
username@hostname> set ssl-vpn auth-profile profile_1 user ssmith vsysname
vsys_a
username@hostname >
set target-vsys
Sets the target virtual system.
Note: When the target virtual system is set, the CLI prompt incorporates the vsys
name. In this mode, if any command is executed, it executes for the vsys, if possible.
For example, if you use secure copy to import or export a comfort page, the page is
imported or exported for the vsys. Commands that are not virtual-system-specific
continue to work normally.
Syntax
set target-vsys vsys
Options
vsys Specifies the name of the target virtual system.
Sample Output
The following command shows information about target virtual systems.
username@hostname> set target-vsys vsys1
Session target vsys changed to vsys1
username@hostname vsys1>>
set ts-agent
Sets the Terminal Services (TS) agent parameters.
Syntax
set ts-agent name name ip-address ipaddr port portnum ip-list iplist
Options
name Specifies the user name.
ipaddr Specifies the IP address of the Windows PC on which the TS agent is installed. You can
also specify alternative IP addresses using the ip-list parameter.
portnum Specifies the port number for communication between the terminal server and the TS
agent.
iplist Specifies 0-8 additional IP addresses for Windows PCs on which the TS agent is
installed.
Sample Output
The following command sets the TS agent parameters for the user ssmith with the specified
port and IP addresses.
username@hostname> set ts-agent user ssmith ip-address 192.168.3.4 port 772
ip-list 192.168.5.5 192.168.9.3
username@hostname>
set url-database
Set the database for URL resolution in support of URL filtering. The available selections
depend on the URL license available on the firewall.
Syntax
set url-database dbasename
Options
dbasename Uses a database with the specified name: surfcontrol or brightcloud.
Sample Output
The following command switches the database from surfcontrol to brightcloud.
admin@PA-4050> set url-database
surfcontrol surfcontrol
<value> URL database
username@hostname> set url-database brightcloud
username@hostname>
set zip
Determines whether zipped files are automatically unzipped and policies are applied to the
unzipped contents.
Syntax
set zip enable <yes | no>
Options
yes Enables automatic unzipping and inspection of zipped files.
no Disables automatic unzipping and inspection of zipped files.
Sample Output
The following command enables automatic unzipping and inspection of zipped files.
username@hostname> set zip enable yes
username@hostname>
show admins
Display information about the active firewall administrators.
Syntax
show admins [all]
Options
all Lists the names of all administrators.
Sample Output
The following command displays administrator information for the 10.0.0.32 firewall.
username@hostname> show admins | match 10.0.0
username@hostname>
show arp
Shows current Address Resolution Protocol (ARP) entries.
Syntax
show arp interface
Options
interface Specifies the interface for which the ARP table is displayed.
Sample Output
The following command displays ARP information for the ethernet1/1 interface.
username@hostname> show arp ethernet1/1
username@hostname>
show authentication
Shows authentication information.
Syntax
show authentication option
Options
interface Specifies the following authentication information.
• allowlist—Shows the authentication allow list.
• groupdb—Lists the group authentication databases.
• groupnames—Lists the distinct group names.
Sample Output
The following command shows the list of users that are allowed to access the firewall.
username@hostname> show authentication allowlist
username@hostname>
show chassis-ready
Shows whether the dataplane has a running policy.
Syntax
show chassis-ready
Options
None
Sample Output
The following command shows that the dataplane has a currently running policy.
username@hostname> show chassis-ready
yes
username@hostname>
show cli
Shows information about the current CLI session.
Syntax
show cli info
Options
None
Sample Output
The following command shows information about the current CLI session.
username@hostname> show cli info
Process ID : 2045
Pager : enabled
Vsys configuration mode : disabled
username@hostname>
show clock
Shows the current time on the firewall.
Syntax
show clock
Options
None
Sample Output
The following command shows the current time.
username@hostname> show clock
username@hostname>
show config
Shows the active configuration.
Syntax
show config
Options
None
Sample Output
The following command shows the configuration lines that pertain to VLANs.
username@hostname> show config | match vlan
vlan {
vlan;
username@hostname>
show counter
Display system counter information.
Syntax
show counter [global | interface]
Options
global Shows global system counter information.
interface Shows system counter information grouped by interface.
Sample Output
The following command displays all configuration counter information grouped according to
interface.
username@hostname> show counter interface
interface: ethernet1/1
------------------------------------------------------------------------
bytes received 0
bytes transmitted 0
packets received 0
packets transmitted 0
receive errors 0
packets dropped 0
------------------------------------------------------------------------
...
username@hostname>
show ctd
Show the threat signature information on the system.
Syntax
show ctd threat threat_id application appid profile pfid
Options
threat_id Uniquely identifies the threat.
application Shows the action of the threat action in the application.
appid
profile pfid Identifies the profile.
Sample Output
The following command shows an example with the default threat action.
username@hostname> show ctd threat 100000 application 109 profile 1
Profile 1 appid 109 , action 0
action 0 means “default” action.
show device
(Panorama only) Show the state of managed devices.
Syntax
show device-messages [all | connected]
Options
all Shows information for all managed devices.
connected Shows information for all connected devices.
Sample Output
The following command shows information for connected devices.
username@hostname> show devices connected
username@hostname>
show device-messages
(Panorama only) Show information on the policy messages for devices.
Syntax
show device-messages [device] [group]
Options
device Shows the messages only for the specified device.
group Shows the messages only for the specified device group.
Sample Output
The following command shows the device messages for the device pan-mgmt2 and the group
dg1.
username@hostname> show device-messages device pan-mgmt2 group dg1
username@hostname>
show devicegroups
(Panorama only) Show information on device groups.
Syntax
show devicegroups [name]
Options
name Shows the information only for the specified device group.
Sample Output
The following command shows information for the device group dg1.
username@hostname> show devicegroups dg1
==========================================================================
Group: dg3 Shared policy md5sum:dfc61be308c23e54e5cde039689e9d46
username@hostname>
show dhcp
Show information on Dynamic Host Control Protocol (DHCP) leases.
Syntax
show dhcp lease <value | all>
Options
value Identifies the interface (ethernetn/m)
all Shows all the lease information.
Sample Output
The following command shows all lease information.
username@hostname> show dhcp all
interface: ethernet1/9
ip mac expire
66.66.66.1 00:15:c5:60:a5:b0 Tue Mar 11 16:12:09 2008
66.66.66.2 00:15:c5:e1:0d:b0 Tue Mar 11 16:08:01 2008
username@hostname>
show high-availability
Show runtime information for the high-availability subsystem.
Syntax
show high-availability [all | control-link statistics| link-
monitoring | path-monitoring | state | state-synchronization]
Options
all Shows all high-availability information.
control-link Shows control-link statistic information.
statistics
link-monitoring Shows the link-monitoring state.
path-monitoring Shows path-monitoring statistics.
state Shows high-availability state information.
state- Shows state synchronization statistics.
synchronization
Sample Output
The following command information for the high-availability subsystem.
username@hostname> show high-availability path-monitoring
----------------------------------------------------------------------------
path monitoring: disabled
total paths monitored: 0
----------------------------------------------------------------------------
username@hostname>
show interface
Display information about system interfaces.
Syntax
show interface interface
Options
element Specifies the interface.
Sample Output
The following command displays information about the ethernet1/2 interface.
username@hostname> show interface ethernet1/2
----------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Link status:
Runtime link speed/duplex/state: auto/auto/auto
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 0:f:b7:20:2:11
Operation mode: virtual-wire
----------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Operation mode: virtual-wire
Virtual wire: default-vwire, peer interface: ethernet1/1
Interface management profile: N/A
Zone: trust, virtual system: (null)
username@hostname>
show jobs
Display information about current system processes.
Syntax
show jobs [all | id number | pending | processed]
Options
all Shows information for all jobs.
id number Identifies the process by number.
pending Shows recent jobs that are waiting to be executed.
processed Shows recent jobs that have been processed.
Sample Output
The following command lists jobs that have been processed in the current session.
username@hostname> show jobs processed
username@hostname>
show local-user-db
Display information about the local user database on the firewall.
Syntax
show local-user-db [disabled <yes | no>] [username user]
[vsys vsysname]
Options
disabled Filters the information according to whether the user accounts are enabled or
<yes | no> disabled:
• yes—Displays users that are administratively disabled.
• no—Displays users that are administratively active.
username Shows information for the specified user.
user
vsys Shows information for the specified virtual system.
vsysname
Sample Output
The following command lists the local user database.
username@hostname> show local-user-db
vsys1 user1 no
vsys1 user2 no
username@hostname>
show location
Show the geographic location of a firewall.
Syntax
show location ip address
Options
address Specifies the IP address of the firewall.
Sample Output
The following command shows location information for the firewall 10.1.1.1.
username@hostname> show location ip 10.1.1.1
show location ip 201.52.0.0
201.52.0.0
Brazil
username@hostname>
show log
Display system logs.
Syntax
show log [threat | config | system | traffic] [equal | not-equal]
option value
Options
Option Description
action Type of alarm action (alert, allow, or drop)
app Application.
client Type of client (CLI or web).
command Command.
dport Destination port.
dst Destination IP address.
from Source zone.
receive- Time interval in which the information was received.
time in
result Result of the action (failed, succeeded, or unauthorized).
rule Rule name.
severity Level of importance (critical, high, medium, low, informational)
sport Source port.
src Source IP address.
to Destination zone.
Sample Output
The following command shows the configuration log.
username@hostname> show log config
Time Host Command Admin Client Result
============================================================================
===
03/05 22:04:16 10.0.0.135 edit admin Web Succeeded
03/05 22:03:22 10.0.0.135 edit admin Web Succeeded
03/05 22:03:22 10.0.0.135 create admin Web Succeeded
03/05 21:56:58 10.0.0.135 edit admin Web Succeeded
...
username@hostname>
show logging
Show whether logging is enabled.
Syntax
show logging
Options
None
Sample Output
The following command shows that logging is enabled.
username@hostname> show logging
on
username@hostname>
show mac
Display MAC address information.
Syntax
show mac [value | all]
Options
value Specifies a MAC address (aa:bb:cc:dd:ee:ff format).
all MAC address (aa:bb:cc:dd:ee:ff format).
Sample Output
The following command lists all currently MAC address information.
username@hostname> show mac all
username@hostname>
show management-clients
Show information about internal management server clients.
Syntax
show management-clients
Options
None
Sample Output
The following command shows information about the internal management server clients.
username@hostname> show management-clients
show multi-vsys
Show if multiple virtual system mode is set.
Syntax
show multi-vsys
Options
None
Sample Output
The following command shows the current status of multiple virtual systems.
username@hostname> show multi-vsys
on
username@hostname>
show pan-agent
Show statistics or user information for the Palo Alto Networks agent.
Syntax
show pan-agent <statistics | user-IDs>
Options
statistics Displays full information about the Palo Alto Networks agent.
user-IDs Displays user information for the Palo Alto Networks agent.
Sample Output
The following command shows information about the Palo Alto Networks agent.
username@hostname> show pan-agent statistics
show pan-ntlm-agent
Display status information about the Palo Alto Networks user identification agent for NT
LAN Manager (NTLM). The firewall uses the user identification agent to provide Microsoft
NTLM authentication for the captive portal.
Syntax
show pan-ntlm-agent statistics
Options
None
Sample Output
The following command displays information about the NTLM agent.
username@hostname> show pan-ntlm-agent statistics
username@hostname>
show proxy
Displays information about the proxy that is used for the Secure Socket Layer (SSL)
decryption function.
Syntax
show [certificate-cache | notify-cache | setting]
Options
certificate-cache Displays the proxy certificate cache.
notify-cache Displays the proxy notification cache.
Sample Output
The following command shows the current proxy settings.
username@hostname> show proxy setting
Ready: no
Enable proxy: yes
Enable ssl: yes
Notify user: yes
username@hostname>
show query
Show information about query jobs.
Syntax
show query <jobs | id value>
Options
jobs Displays all job information.
id value Displays job information for the specified ID.
Sample Output
The following command shows information about all current query jobs.
username@hostname> show query jobs
Enqueued ID Last Upd
--------------------------------------------------------------------------
13:58:19 16 13:58:19
Type ID Dequeued?
-----------------------------------------------------
show report
Displays information about process jobs.
Syntax
show [id number | jobs]
Options
id number Displays information about the job with the specified ID number.
jobs Displays information on all jobs.
Sample Output
The following command shows the current jobs.
username@hostname> show report jobs
username@hostname>
username@hostname>
show routing
Display routing run-time objects.
Syntax
show routing fib [virtual-router name]
Options
fib Shows forwarding table entries. Specify an individual virtual router or all.
protocol ospf Shows OSPF information. Specify one of the following (virtual router is
optional).
protocol redist Shows redistribution rule entries. Specify one of the following (virtual router is
optional).
protocol rip Shows RIP information. Specify one of the following options (virtual router is
optional).
Sample Output
The following command shows summary routing information for the virtual router vrl.
username@hostname> show routing summary virtual-router vr1
interface: 22.22.22.22
interface: 35.1.15.40
interface: 192.168.6.254
interface: 200.1.1.2
==========
INTERFACE
==========
interface name: ethernet1/1
interface index: 16
virtual router: vr1
operation status: up
IPv4 address: 22.22.22.22/24
IPv4 address: 35.1.15.40/24
==========
interface name: ethernet1/3
interface index: 18
virtual router: vr1
operation status: up
IPv4 address: 200.1.1.2/24
==========
interface name: ethernet1/7
interface index: 22
virtual router: vr1
operation status: up
IPv4 address: 1.1.1.1/24
IPv4 address: 1.1.2.1/24
IPv4 address: 1.1.3.1/24
==========
interface name: ethernet1/15
interface index: 30
virtual router: vr1
operation status: up
IPv4 address: 192.168.6.254/24
==========
interface name: ethernet1/16
interface index: 31
virtual router: vr1
operation status: up
IPv4 address: 192.168.7.254/24
==========
interface name: ethernet1/18
interface index: 33
virtual router: vr1
operation status: down
IPv4 address: 2.1.1.1/24
username@hostname>
The following command shows dynamic routing protocol information for RIP.
username@hostname> show routing protocol rip summary
==========
virtual router: vr1
reject default route: yes
interval seconds: 1
update intervals: 30
expire intervals: 180
delete intervals: 120
interface: 2.1.1.1
interface: 22.22.22.22
interface: 35.1.15.40
interface: 192.168.6.254
interface: 200.1.1.2
==========
virtual router: newr
reject default route: yes
interval seconds: 1
update intervals: 30
expire intervals: 180
delete intervals: 120
interface: 0.0.0.0
interface: 30.30.30.31
interface: 151.152.153.154
show session
Show session information.
Syntax
show session [all | info] [filter [application appname][destination
destname][destination-port destport][destination-user destuser][from
zone zonename][limit value][protocol protnumber][source-port
sourcename][source-user sourceuser][state state]] [type type]]
Options
all Displays all active sessions.
info Displays session statistics.
application Specifies the application.
appname
destination Specifies the destination IP address.
destname
destination-port Specifies the destination port.
destport
destination-user Specifies the destination user name.
destuser
from Specifies the source.
protocol protname Specifies the protocol.
source sourcename Specifies the sourced IP address.
source-port Specifies the source port.
sourceport
source-user Specifies the source user name.
sourceuser
state state Specifies the condition for the filter (active, closed, closing, discard, initial,
or opening).
to Specifies the destination.
type type Specifies the flow type (regular or predict).
Sample Output
The following command displays summary statistics about current sessions.
username@hostname> show session info
-------------------------------------------------------------------------
number of sessions supported: 2097151
number of active sessions: 8
session table utilization: 0%
number of sessions created since system bootup: 21
---------------------------------------------------------------------------
session timeout
TCP default timeout: 3600 seconds
TCP session timeout after FIN/RST: 5 seconds
UDP default timeout: 600 seconds
ICMP default timeout: 6 seconds
other IP default timeout: 1800 seconds
----------------------------------------------------------------------------
session accelerated aging: enabled
accelerated aging threshold: 80% of utilization
scaling factor: 2 X
---------------------------------------------------------------------------
session setup
TCP - reject non-SYN first packet: yes
---------------------------------------------------------------------------
number of sessions: 8
ID/vsys src[sport]/zone/proto dest[dport]/zone app.
state type
19 192.168.10.199[2219]/1/6 10.10.10.10[6667]/2 0
ACTIVE FLOW
20 192.168.10.191[4069]/1/6 192.168.10.199[139]/2 ms-ds-smb
DISCARD FLOW
22 192.168.10.199[2261]/1/6 10.10.10.10[6667]/2 0
ACTIVE FLOW
4 192.168.10.191[138]/1/17 192.168.10.255[138]/2 netbios-dg
ACTIVE FLOW
6 192.168.10.199[138]/1/17 192.168.10.255[138]/2 netbios-dg
ACTIVE FLOW
21 192.168.10.199[1025]/1/17 4.2.2.1[53]/2 dns
CLOSING FLOW
9 192.168.10.199[2187]/1/6 10.10.10.10[6667]/2 0
ACTIVE FLOW
13 192.168.10.199[2195]/1/6 10.10.10.10[6667]/2 0
ACTIVE FLOW
show shared-policy
Show the current shared policy status.
Syntax
show shared-policy
Options
None
Sample Output
The following command displays the current shared policy status.
username@hostname> show shared-policy
disabled
username@hostname>
show ssl-vpn
Show Secure Socket Layer (SSL) virtual private network (VPN) runtime objects.
Syntax
show ssl-vpn option
Options
flow Displays dataplane SSL-VPN tunnel information.
portal Displays the SSL-VPN configuration.
user uname domain Specifies the user, domain, and portal.
domname portal
portalname
Sample Output
The following command displays information on SSL-VPN tunnels.
username@hostname> show ssl-vpn flow
----------------------------------------------------------------------------
----------------------------------------------------------------------------
s1 2 tunnel.7 10.1.6.105 tunnel.7
rad 11 tunnel.8 10.1.6.106 tunnel.8
---------------------------------------------------------------------------
username@hostname>
show statistics
Show firewall statistics.
Syntax
show statistics
Options
None
Sample Output
The following command displays firewall statistics.
username@hostname> show statistics
show system
Show system information.
Syntax
show system type
Options
type Specifies the type of system information to be displayed.
Sample Output
The following command displays system information.
username@hostname> show system info
hostname: mgmt-device
ip-address: 10.1.7.1
netmask: 255.255.0.0
default-gateway: 10.1.0.1
radius-server: 127.0.0.1
radius-secret: xxxxxxxx
The following command displays the system tree entries that begin with the string
cfg.env.slot1.
username@hostname> show system state filter cfg.env.slot1*
cfg.env.slot1.power0.high-limit: “1.26”
cfg.env.slot1.power0.low-limit: “1.0”
cfg.env.slot1.power1.high-limit: “1.26”
cfg.env.slot1.power1.low-limit: “1.14”
cfg.env.slot1.power2.high-limit: “1.575”
cfg.env.slot1.power2.low-limit: “1.425”
cfg.env.slot1.power3.high-limit: “1.89”
cfg.env.slot1.power3.low-limit: “1.71”
...
show target-vsys
Show information about the target virtual systems.
Syntax
show target-vsys
Options
None
Sample Output
The following command shows information about target virtual systems.
username@hostname> show target-vsys
vsys1
username@hostname>
show threat
Show threat ID descriptions.
Syntax
show threat id value
Options
value Specifies the threat ID.
Sample Output
The following command shows threat ID descriptions for ID 11172.
username@hostname> show threat id 11172
This signature detects the runtime behavior of the spyware MiniBug. MiniBug,
also known as Weatherbug, installs other spyware, such as WeatherBug, and My
Web Search Bar. It is also adware program that displays advertisements in its
application window.
medium
http://www.spywareguide.com/product_show.php?id=2178
http://www.spyany.com/program/article_spw_rm_Minibug.htm
username@hostname>
show ts-agent
Show information about the Terminal Services agent (TS agent).
Syntax
show ts-agent option
Options
statistics Displays information about the TS agent configuration.
user-IDs Displays information about the users who are connected through the
TS agent.
Sample Output
The following command displays information about the users who are connecting through
the TS agent.
username@hostname> show ts-agent statistics
username@hostname>
show url-database
Displays the name of the database that is being used for URL filtering.
Syntax
show url-database
Options
None
Sample Output
The following command displays the name of the URL database.
admin@PA-HDF> show url-database
brightcloud
admin@PA-HDF>
show virtual-wire
Show information about virtual wire interfaces.
Syntax
show virtual-wire [value | all]
Options
value Specifies a virtual wire interface.
all Shows information for all virtual wire interfaces.
Sample Output
The following command displays information for the default virtual wire interface.
username@hostname> show virtual-wire default-vwire
username@hostname>
show vlan
Show VLAN information.
Syntax
show vlan [value | all]
Options
value Specifies a virtual wire interface.
all Shows information for all virtual wire interfaces.
Sample Output
The following command displays information for all VLANs.
username@hostname> show vlan all
vlan {
Vlan56 {
interface [ ethernet1/5 ethernet1/6 ];
stp {
enabled no;
}
rstp {
enabled no;
}
}
Vlan11-12 {
interface [ ethernet1/11 ethernet1/12 ];
stp {
enabled no;
}
rstp {
enabled no;
}
}
}
username@hostname>
show vpn
Show VPN information.
Syntax
show vpn flow [tunnel-id tunnelid]
show vpn gateway [gateway gatewayid]
show vpn ike-sa [gateway gatewayid]
show vpn ipsec-sa [tunnel tunnelid]
show vpn tunnel [name tunnelid]
Options
flow Shows information about the VPN tunnel on the data plane. Specify the tunnel or press
Enter to apply to all tunnels.
gateway Shows IKE gateway information. Specify the gateway or press Enter to apply to all
gateways.
ike-sa Shows information about the active IKE SA. Specify the gateway or press Enter to apply
to all gateways.
ipsec-sa Shows information about IPsec SA tunnels. Specify the tunnel or press Enter to apply to
all tunnels.
tunnel Shows information about auto-key IPSec tunnels. Specify the tunnel or press Enter to
apply to all tunnels.
name Shows information about the VPN tunnel. Specify the tunnel or press Enter to apply to
all tunnels.
Sample Output
The following command shows VPN information for the auto key IPsec tunnel k1.
username@hostname> show vpn tunnel name k1
TnID Name(Gateway) Local Proxy ID Local Proxy ID Proposals
-------------- -------------- --------- ---------
7 pan5gt(pan-5gt) 0.0.0.0/0 0.0.0.0/0 ESP tunl
[DH2][AES128,3DES][SHA1] 90-sec
Total 1 tunnels found, 0 ipsec sa found, 0 error
username@hostname>
The following command shows VPN information for the IKE gateway g2.
username@hostname> show vpn tunnel name g2
GwID Name Peer Address/ID Local Address/ID Protocol Proposals
---- ---- --------------- ---------------- -------- ---------
3 falcon-kestrel 35.1.15.1 35.1.15.40 Auto(main)
[PSK][DH2][AES128,3DES][SHA1] 28800-sec
show zip
Shows whether ability to unzip a file and apply the policy on the uncompressed content is
enabled. The default is enable.
Syntax
show zip setting
Options
None
Sample Output
The following command shows that the unzip option is enabled.
username@hostname> show zip setting
show zone-protection
Shows the running configuration status and run time statistics for zone protection elements.
Syntax
show zone-protection [zone zonename]
Options
zonename Specifies the name of a zone.
Sample Output
The following command shows statistics for the trust zone.
username@hostname> show zone-protection zone trust
---------------------------------------------------------------------------
Zone trust, vsys vsys1, profile custom-zone-protection
----------------------------------------------------------------------------
tcp-syn enabled: no
----------------------------------------------------------------------------
udp RED enabled: no
----------------------------------------------------------------------------
icmp RED enabled: no
----------------------------------------------------------------------------
other-ip RED enabled: no
----------------------------------------------------------------------------
packet filter:
discard-ip-spoof: enabled: no
discard-ip-frag: enabled: no
discard-icmp-ping-zero-id: enabled: no
discard-icmp-frag: enabled: no
discard-icmp-large-packet: enabled: no
reply-icmp-timeexceeded: enabled: no
username@hostname>
ssh
Open a secure shell (SSH) connection to another host.
Syntax
ssh [inet] [port number] [source address] [v1 | v2] [user@]host
Options
inet Specifies that IP version 4 be used.
port Specifies a port on the other host. (default 22)
source Specifies a source IP address.
version Specifies SSH version 1 or 2 (default is version 2)
user@ Specifies a user name on the other host.
host Specifies the IP address of the other host.
Sample Output
The following command opens an SSH connection to host 10.0.0.250 using SSH version 2.
username@hostname> ssh v2 user@10.0.0.250
user@10.0.0.250's password:
tail
Print the last 10 lines of a debug file.
Syntax
tail [follow] [lines] file
Options
follow Adds appended data as the file grows.
lines Lists the last N lines, instead of the last 10.
file Specifies the debug file.
Sample Output
The following command displays the last 10 lines of the /var/log/pan/masterd.log file.
username@hostname> tail /var/log/pan/masterd.log
[09:32:46] Successfully started process 'mgmtsrvr' instance '1'
[09:32:47] Successfully started process 'appWeb' instance '1'
[09:32:47] Started group 'pan' start script 'octeon' with options 'start'
[09:32:48] Process 'appWeb' instance '1' exited normally with status '7'
[09:32:48] Process 'appWeb' instance '1' has no further exit rules
[09:32:53] Successfully started process 'pan-ez-agent' instance '1'
[09:32:53] Process 'pan-ez-agent' instance '1' exited normally with status
'0'
[09:32:53] Process 'pan-ez-agent' instance '1' has no further exit rules
[09:32:54] Successfully started process 'pan_netconfig_agent' instance '1'
[09:32:54] Finished initial start of all processes
username@hostname>
telnet
Open a Telnet session to another host.
Syntax
telnet [8bit] [port] host
Options
8bit Indicates that 8-bit data will be used.
port Specifies the port number for the other host.
host Specifies the IP address of the other host.
Sample Output
The following command opens a Telnet session to the host 1.2.5.5 using 8-bit data.
username@hostname> telnet 8bit 1.2.5.5
test
Run tests based on installed security policies.
Syntax
test nat policy-match source src-ip destination dst-ip destination-port port
protocol protocol from zone1 to zone2
Options
name Specifies the name of an application. Enter any to include all
applications.
src-ip Specifies the source IP address for the test.
dst-ip Specifies the destination IP address for the test.
port Specifies the destination port for the test.
zone1 Specifies the source security zone.
zone2 Specifies the destination security zone.
fib-lookup Specifies the route to test within the active routing table.
Specify an IP address and virtual router.
ike-sa Performs the tests only for the negotiated IKE SA. Specify a
gateway or press Enter to run the test for all gateways.
ipsec-sa Performs the tests for IPsec SA (and IKE SA if necessary).
Specify a tunnel or press Enter to run the test for all tunnels.
Sample Output
The following command tests whether the set of criteria will match any of the existing rules in
the security rule base.
username@hostname> test security-policy-match from trust to untrust
application google-talk source 10.0.0.1 destination 192.168.0.1 protocol 6
destination-port 80 source-user known-user
username@hostname>
tftp
Use Trivial File Transfer Protocol (TFTP) to copy files between the firewall and another host.
Syntax
tftp [export export-option [control-plane | data-plane] to target |
import import-option] [remote-port portnumber] [from source]
Options
export export- Specifies the type of file to export to the other host.
option
Option Description
application Application packet capture file.
captive-portal- Text to be included in a captive portal.
text
configuration Configuration file.
core-file Core file.
debug-pcap IKE negotiation packet capture file.
file-block-page File containing comfort pages to be presented when
files are blocked.
filter Filter definitions.
log-file Log files.
log-db Log database.
packet-log Logs of packet data.
spyware-block- Comfort page to be presented when files are blocked
page due to spyware.
ssl-optout-text SSL optout text.
tech-support Technical support information.
trusted-ca- Certificate Authority (CA) security certificate.
certificate
url-block-page Comfort page to be presented when files are blocked
due to a blocked URL.
virus-block-page Comfort page to be presented when files are blocked
due to a virus.
web-interface- Web interface certificate
certificate
import import- Specifies the type of file to import from the other host.
option
Option Description
captive-portal-text Text to be included in a captive portal.
configuration Configuration file.
content Database content.
file-block-page File containing comfort pages to be presented
when files are blocked.
license License key file.
private-key SSL private key file.
software Software package.
spyware-block-page Comfort page to be presented when files are
blocked due to spyware.
ssl-decryption- SSL decryption certificate.
certificate
ssl-optout-text SSL optout text.
trusted-ca- Certificate Authority (CA) security certificate.
certificate
url-block-page Comfort page to be presented when files are
blocked due to a blocked URL.
virus-block-page Comfort page to be presented when files are
blocked due to a virus.
web-interface- Web interface certificate
certificate
The following command imports a license file from a file in user1’s account on the machine
with IP address 10.0.3.4.
traceroute
Display information about the route packet taken to another host.
Syntax
traceroute [base-udp-port port][bypass-routing][debug-socket][do-not-
fragment][first-ttl ttl][gateway][icmp-echo][max-ttl ttl][no-
resolve][pause][source ip][toggle-ip-checksums][tos][verbose][wait]
host
Options
base-udp-port Specifies the base UDP port used in probes (default is 33434).
port
bypass-routing Sends the request directly to the host on a direct attached network, bypassing
usual routing table.
debug-socket Enables socket level debugging.
do-not-fragment Sets the do-not-fragment bit.
first-ttl ttl Sets the time-to-live in the first outgoing probe packet in number of hops.
gateway Specifies a loose source router gateway (maximum 8).
icmp-echo Uses ICMP ECHO requests instead of UDP datagrams.
max-ttl ttl Sets the maximum time-to-live in number of hops.
no-resolve Does not attempt to print resolved domain names.
pause Sets the time to pause between probes (milliseconds).
source ip Specifies the source IP address for the command.
toggle-ip- Toggles the IP checksum of the outgoing packets for the traceroute command.
checksums
tos Specifies the type of service (TOS) treatment for the packets by way of the TOS
bit for the IP header in the ping packet (0-255).
verbose Requests complete details of the traceroute request.
wait Specifies a delay in transmission of the traceroute request (seconds).
host Specifies the IP address or domain name of the other host.
Sample Output
The following command displays information about the route from the firewall to
www.google.com.
username@hostname> traceroute www.paloaltonetworks.com
traceroute to www.paloaltonetworks.com (72.32.199.53), 30 hops max, 38 byte
packets
1 10.1.0.1 (10.1.0.1) 0.399 ms 1.288 ms 0.437 ms
2 64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.910 ms dsl027-186-
189.sfo1.dsl.speakeasy.net (216.27.186.189) 1.012 ms
64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.865 ms
3 dsl027-182-001.sfo1.dsl.speakeasy.net (216.27.182.1) 16.768 ms 581.420
ms 64.3.142.37.ptr.us.xo.net (64.3.142.37) 219.190 ms
4 ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21) 228.551 ms 110.ge-0-0-
0.cr1.sfo1.speakeasy.net (69.17.83.189) 12.352 ms ge5-0-0.mar2.fremont-
ca.us.xo.net (207.88.80.21) 218.547 ms
5 ge-5-3-0.mpr3.pao1.us.above.net (209.249.11.177) 13.212 ms p4-0-
0.rar2.sanjose-ca.us.xo.net (65.106.5.137) 273.935 ms 221.313 ms
6 p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178) 139.212 ms so-1-2-
1.mpr1.sjc2.us.above.net (64.125.28.141) 13.348 ms p1-0.ir1.paloalto-
ca.us.xo.net (65.106.5.178) 92.795 ms
7 so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246) 12.069 ms
206.111.12.146.ptr.us.xo.net (206.111.12.146) 93.278 ms so-0-0-
0.mpr2.sjc2.us.above.net (64.125.27.246) 556.033 ms
8 tbr1p013201.sffca.ip.att.net (12.123.13.66) 52.726 ms so-3-2-
0.cr1.dfw2.us.above.net (64.125.29.54) 61.875 ms
tbr1p013201.sffca.ip.att.net (12.123.13.66) 58.462 ms
username@hostname>
view-pcap
Examine the content of packet capture files.
Syntax
view-pcap option filename
Options
option Specifies the type of information to report.
Option Description
absolute-seq Displays absolute TCP sequence numbers.
delta Displays a delta (in micro-seconds) between current and
previous line.
hex Displays each packet (minus link header) in hex.
hex-ascii Displays each packet (minus link header) in hex and ASCII.
hex-ascii-link Displays each packet (including link header) in hex and
ASCII.
hex-link Displays each packet (including link header) in hex.
link-header Displays the link-level header on each dump line.
no-dns-lookup Does not convert host addresses to names.
no-port-lookup Does not convert protocol and port numbers to names.
no-qualification Does not print domain name qualification of host names.
timestamp Displays timestamp proceeded by date.
undecoded-nfs Displays undecoded NFS handles.
unformatted- Displays an unformatted timestamp.
timestamp
verbose Displays verbose output.
verbose+ Displays more verbose output.
verbose++ Displays the maximum output details..
Sample Output
The following command displays the contents of the packet capture file /var/session/pan/filters/
syslog.pcap in ASCII and hex formats.
Chapter 5
Maintenance Mode
Maintenance mode provides support for error recovery and diagnostics, and allows you to
reset the firewall to factory defaults.
• Secure Socket Layer (SSL). SSL access is supported if the firewall has already entered
Maintenance mode (either automatically or explicitly during bootup).
2. Press any key on your keyboard when prompted to stop the automatic boot, and then
select Maint as the booting partition.
Some of the options are password protected to prevent accidental changes that could leave the
system in an inoperative state. The password is intended as a safeguard and it not meant to be
secret. The password is MA1NT (numeral 1).
Appendix A
CONFIGURATION HIERARCHY
This appendix presents the complete firewall configuration hierarchies for the application
identification firewall and for Panorama:
• “Firewall Hierarchy” in the next section
Firewall Hierarchy
operations {
schedule {
commit;
OR...
uar-report {
user <value>;
title <value>;
period <value>;
start-time <value>;
end-time <value>;
}
}
OR...
clear {
application-signature {
statistics;
}
OR...
arp |<value>;
OR...
counter {
interface;
OR...
global {
filter {
category <value>;
severity <value>;
aspect <value>;
}
OR...
name <value>;
}
OR...
Appendix B
PAN-OS CLI KEYBOARD SHORTCUTS
This appendix lists the supported keyboard shortcuts and Editor Macros (EMACS) commands
supported in the PAN-OS CLI.
Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For
some clients, the Meta key is the Control key; for some it is the Esc key.
Index
Symbols configuration mode
# prompt 13 hierarchy 23
+ option symbol 17 prompt 13
> option symbol 17 understanding 21
> prompt 13 configure command 53
? symbol 15 control key 16
conventions, typographical 8
copy command 32
A critical errors, switching to maintenance mode 185
accessing the CLI 12
D
B debug captive-portal command 54
banner 13, 25 debug cli command 55
bootloader recovery 187 debug cpld command 56
bootup 184 debug dataplane command 57
debug device-server command 59
C debug dhcpd command 60
changing modes 14 debug high-availability-agent command 61
check command 30 debug ike command 62
clear command 51 debug keymgr command 63
CLI debug log-receiver command 64
accessing 12 debug management-server command 65
configuration mode 11 debug master-service command 66
EMACS commands 257 debug rasmgr command 67
keyboard shortcuts 255 debug routing command 68
operational model 11 debug software command 69
prompt 13 debug swm command 70
structure 11 debug tac-login command 71
commands 27 debug vardata-receiver command 72
conventions 13 delete command 33, 54
display 27 diagnostics 187
messages 14 disk image 187
monitoring and troubleshooting 27
navigation 27 E
network access 27 edit banner 25
option symbols 17 edit command
options 15 banner 13
understanding 13 using 26, 34
commit command 21, 31 errors, switching to maintenance mode 185
configuration esc key 16
hierarchy 23 Ethernet interfaces 19
hierarchy paths 24 ethernet1/n 19
exit command 35, 75
H R
hierarchy rename command 39
complete 189 request certificate command 82
configuration 23 request content upgrade command 85
navigating 25 request data-filtering command 86
new elements 24 request device-registration command 87
paths 24 request high-availability command 88
hostname 13 request license command 89
request password-hash command 90
I request restart command 91
request ssl-output-text command 92
interfaces 19
request ssl-vpn command 93
request support command 94, 96
K request system command 95
keyboard shortcuts 16, 255 request url-filtering command 97
request vpn-client command 98
L rollback 187
less command 77 run command 40
M S
maintenance mode save command 21, 41
about 183 scp command 99
diagnostics 187 serial console
entering automatically 185 maintenance mode 183
entering upon bootup 184 message 185
password 187 set application dump command 101
serial console message 185 set cli command 102, 104, 105
SSH message 186 set clock command 103
web interface message 185 set command 42
meta key 16 set logging command 106
modes set management-server command 107
changing 14, 15 set multi-vsys command 108
configuration 21 set panorama command 109
operational 27 set password command 110
move command 37 set proxy command 111
set serial-number command 112
set session command 113
N set ssl-vpn command 116
navigating hierarchy 25 set target-vsys command 115, 117
netstat command 78 set ts-agent command 118
set url-database command 119
O set zip command 120
operational mode shortcuts 16
command types 27 show admins command 121
prompt 13 show arp command 122
using 27 show authentication command 123
show cli command 124, 125
show clock command 126
show command 23, 43
T
tail command 173
telnet command 174
test command 175
tftp command 84, 176
top command 25, 26, 44
traceroute command 178
typographical conventions 8
U
up command 25, 26, 45
user name 13
user privileges 18
V
view-pccap command 180