
PAN-OS™ Command Line Interface

Reference Guide
Release 3.0

5/30/09 Final Review Draft- Palo Alto Networks


COMPANY CONFIDENTIAL
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2009 Palo Alto Networks. All rights reserved.
Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.
Part number: 810-000043-00A
May 30, 2009 - Palo Alto Networks COMPANY CONFIDENTIAL

Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7


Organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Typographical Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Notes, Cautions, and Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Obtaining More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Chapter 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Understanding the PAN-OS CLI Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . 11


Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Accessing the PAN-OS CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Understanding the PAN-OS CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . 13
Understanding the PAN-OS CLI Command Conventions . . . . . . . . . . . . . . . . . . . . 13
Understanding Command Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Using Operational and Configuration Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Displaying the PAN-OS CLI Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Using Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Understanding Command Option Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Restricting Command Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Understanding Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Referring to Firewall Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Chapter 2
Understanding CLI Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Understanding Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21


Using Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Understanding the Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Navigating Through the Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Understanding Operational Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Palo Alto Networks • 3


Chapter 3
Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
move . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
top . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Chapter 4
Operational Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
debug captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
debug cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
debug cpld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
debug dataplane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
debug device-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
debug dhcpd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
debug high-availability-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
debug ike . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
debug keymgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
debug log-receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
debug management-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
debug master-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
debug rasmgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
debug routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
debug software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
debug swm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
debug tac-login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
debug vardata-receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
grep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
less . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
request certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
request comfort-page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
request content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

request data-filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
request device-registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
request high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
request license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
request password-hash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
request restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
request ssl-output-text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
request ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
request support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
request system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
request tech-support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
request url-filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
request vpn-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
scp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
set application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
set cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
set clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
set ctd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
set data-access-password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
set logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
set management-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
set multi-vsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
set panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
set password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
set proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
set serial-number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
set session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
set shared-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
set ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
set target-vsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
set ts-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
set url-database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
set zip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
show admins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
show authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
show chassis-ready . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
show cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
show clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
show config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
show counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
show ctd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
show device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
show device-messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
show devicegroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
show dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
show high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
show interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
show jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
show local-user-db . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
show location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
show log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
show logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
show mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

show management-clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
show multi-vsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
show pan-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
show pan-ntlm-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
show proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
show query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
show report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
show routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
show session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
show shared-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
show ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
show statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
show system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
show target-vsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
show threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
show ts-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
show url-database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
show virtual-wire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
show vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
show vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
show zip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
show zone-protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
tail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
tftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
view-pcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Chapter 5
Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Entering Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183


Entering Maintenance Mode Upon Bootup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Entering Maintenance Mode Automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Using Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Appendix A
Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Firewall Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Panorama Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Appendix B
PAN-OS CLI Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

Preface
This preface contains the following sections:
• “About This Guide” in the next section
• “Organization” on page 7
• “Typographical Conventions” on page 8
• “Related Documentation” on page 9
• “Obtaining More Information” on page 9
• “Technical Support” on page 9

About This Guide


This guide provides an overview of the PAN-OS™ command line interface (CLI), describes
how to access and use the CLI, and provides command reference pages for each of the CLI
commands.

This guide is intended for system administrators responsible for deploying, operating, and
maintaining the firewall and who require reference information about the PAN-OS CLI
commands that they want to execute on a per-device basis. For an explanation of features and
concepts, refer to the Palo Alto Networks Administrator’s Guide.

Organization
This guide is organized as follows:
• Chapter 1, “Introduction”—Introduces and describes how to use the PAN-OS CLI.

• Chapter 2, “Understanding CLI Command Modes”—Describes the modes used to interact with the PAN-OS CLI.

• Chapter 3, “Configuration Mode Commands”—Contains command reference pages for Configuration mode commands.

• Chapter 4, “Operational Mode Commands”—Contains command reference pages for Operational mode commands.

• Chapter 5, “Maintenance Mode”—Describes how to enter Maintenance mode and use the Maintenance mode options.

• Appendix A, “Configuration Hierarchy”—Presents the firewall and Panorama configuration hierarchies.

• Appendix B, “PAN-OS CLI Keyboard Shortcuts”—Describes the keyboard shortcuts supported in the PAN-OS CLI.

Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.

Convention: boldface
Meaning: Names of commands, keywords, and selectable items in the web interface.
Example: Use the configure command to enter Configuration mode.

Convention: italics
Meaning: Names of variables, files, configuration elements, directories, or Uniform Resource Locators (URLs).
Example: The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com. element2 is a required variable for the move command.

Convention: courier font
Meaning: Command syntax, code examples, and screen output.
Example: The show arp all command yields this output:
    username@hostname> show arp all
    maximum of entries supported: 8192
    default timeout: 1800 seconds
    total ARP entries in table: 0
    total ARP entries shown: 0
    status: s - static, c - complete, i - incomplete

Convention: courier bold font
Meaning: Text that you enter at the command prompt.
Example: Enter the following command to exit from the current PAN-OS CLI level:
    # exit

Convention: [ ] (text enclosed in square brackets)
Meaning: Optional parameters.
Example: In the following command, 8bit and port are optional parameters.
    > telnet [8bit] [port] host

Convention: < > (text enclosed in angle brackets)
Meaning: Special keys, or a choice between required options.
Example: <tab> indicates that the tab key is pressed.
    > delete core <control-plane | data-plane> file filename

Convention: | (pipe symbol)
Meaning: Choice of values, indicated by a pipe symbol-separated list.
Example: The request support command includes options to get support information from the update server or to show downloaded support information:
    > request support [check | info]

Notes, Cautions, and Warnings
This guide uses the following symbols for notes, cautions, and warnings.

Symbol: NOTE
Description: Indicates helpful suggestions or supplementary information.

Symbol: CAUTION
Description: Indicates information about which the reader should be careful to avoid data loss or equipment failure.

Symbol: WARNING
Description: Indicates potential danger that could involve bodily injury.

Related Documentation
The following additional documentation is provided with the firewall:
• Quick Start

• Hardware Reference Guide

• Palo Alto Networks Administrator’s Guide

Obtaining More Information


To obtain more information about the firewall, refer to:
• Palo Alto Networks website—Go to http://www.paloaltonetworks.com.

• Online help—Click Help in the upper right corner of the GUI to access the online help
system.

Technical Support
For technical support, use the following methods:
• Go to http://support.paloaltonetworks.com.

• Call 1-866-898-9087 (U.S, Canada, and Mexico).

• Email us at: support@paloaltonetworks.com.


Chapter 1
Introduction

This chapter introduces and describes how to use the PAN-OS command line interface (CLI):
• “Understanding the PAN-OS CLI Structure” in the next section

• “Getting Started” on page 12

• “Understanding the PAN-OS CLI Commands” on page 13

Understanding the PAN-OS CLI Structure


The PAN-OS CLI allows you to access the firewall, view status and configuration information,
and modify the configuration. Access to the PAN-OS CLI is provided through SSH, Telnet, or
direct console access.

The PAN-OS CLI operates in two modes:


• Operational mode—View the state of the system, navigate the PAN-OS CLI, and enter
configuration mode.

• Configuration mode—View and modify the configuration hierarchy.

Chapter 2 describes each mode in detail.

Getting Started
This section describes how to access and begin using the PAN-OS CLI:
• “Before You Begin” in the next section

• “Accessing the PAN-OS CLI” on page 12

Before You Begin


Verify that the firewall is installed and that an SSH, Telnet, or direct console connection is established.

Note: Refer to the Hardware Reference Guide for hardware installation information and to the Quick Start for information on initial device configuration.

Use the following settings for a direct console connection:
• Data rate: 9600
• Data bits: 8
• Parity: none
• Stop bits: 1
• Flow control: none

Accessing the PAN-OS CLI


To access the PAN-OS CLI:
1. Open the console connection.

2. Enter the administrative user name. The default is admin.

3. Enter the administrative password. The default is admin.

4. The PAN-OS CLI opens in Operational mode, and the CLI prompt is displayed:
username@hostname>

Understanding the PAN-OS CLI Commands
This section describes how to use the PAN-OS CLI commands and display command options:
• “Understanding the PAN-OS CLI Command Conventions” in the next section

• “Understanding Command Messages” on page 14

• “Using Operational and Configuration Modes” on page 15

• “Displaying the PAN-OS CLI Command Options” on page 15

• “Using Keyboard Shortcuts” on page 16

• “Understanding Command Option Symbols” on page 17

• “Understanding Privilege Levels” on page 18

• “Referring to Firewall Interfaces” on page 19

Understanding the PAN-OS CLI Command Conventions


The basic command prompt incorporates the user name and model of the firewall:
username@hostname>

When you enter Configuration mode, the prompt changes from > to #:

username@hostname> (Operational mode)
username@hostname> configure
Entering configuration mode
[edit]
username@hostname# (Configuration mode)

In Configuration mode, the current hierarchy context is shown by the [edit...] banner presented in square brackets when a command is issued. Refer to “Using the Edit Command” on page 26 for additional information on the edit command.

Understanding Command Messages
Messages may be displayed when you issue a command. The messages provide context
information and can help in correcting invalid commands. In the following examples, the
message is shown in bold.

Example: Unknown command


username@hostname# application-group
Unknown command: application-group
[edit network]
username@hostname#

Example: Changing modes


username@hostname# exit
Exiting configuration mode

username@hostname>

Example: Invalid syntax


username@hostname> debug 17
Unrecognized command
Invalid syntax.
username@hostname>

Each time you enter a command the syntax is checked. If the syntax is correct, the command is
executed, and the candidate hierarchy changes are recorded. If the syntax is incorrect, an
invalid syntax message is presented, as in the following example:
username@hostname# set zone application 1.1.2.2
Unrecognized command
Invalid syntax.
[edit]
username@hostname#

Using Operational and Configuration Modes
When you log in, the PAN-OS CLI opens in Operational mode. You can move between
Operational and Configuration modes at any time.
• To enter Configuration mode from Operational mode, use the configure command:
username@hostname> configure
Entering configuration mode

[edit]
username@hostname#

• To leave Configuration mode and return to Operational mode, use the quit or exit
command:
username@hostname# quit
Exiting configuration mode

username@hostname>

• To enter an Operational mode command while in Configuration mode, use the run
command, as described in “run” on page 40.

Displaying the PAN-OS CLI Command Options


Use ? (or Meta-H) to display a list of command options, based on the current context:
• To display a list of operational commands, enter ? at the command prompt.
username@hostname> ?
clear Clear runtime parameters
configure Manipulate software configuration information
debug Debug and diagnose
exit Exit this session
grep Searches file for lines containing a pattern match
less Examine debug file content
ping Ping hosts and networks
quit Exit this session
request Make system-level requests
scp Use ssh to copy file to another host
set Set operational parameters
show Show operational parameters
ssh Start a secure shell to another host
tail Print the last 10 lines of debug file content
telnet Start a telnet session to another host
username@hostname>

• To display the available options for a specified command, enter the command followed
by ?.

Example:
username@hostname> ping ?
+ bypass-routing Bypass routing table, use specified interface
+ count Number of requests to send (1..2000000000 packets)
+ do-not-fragment Don't fragment echo request packets (IPv4)
+ inet Force to IPv4 destination
+ interface Source interface (multicast, all-ones, unrouted
packets)
+ interval Delay between requests (seconds)
+ no-resolve Don't attempt to print addresses symbolically
+ pattern Hexadecimal fill pattern
+ record-route Record and report packet's path (IPv4)
+ size Size of request packets (0..65468 bytes)
+ source Source address of echo request
+ tos IP type-of-service value (0..255)
+ ttl IP time-to-live value (IPv6 hop-limit value) (0..255
hops)
+ verbose Display detailed output
+ wait Delay after sending last packet (seconds)
<host> Hostname or IP address of remote host
username@hostname> ping

Using Keyboard Shortcuts


The PAN-OS CLI supports a variety of keyboard shortcuts. For a complete list, refer to
Appendix B, “PAN-OS CLI Keyboard Shortcuts”.

Note: Some shortcuts depend upon the SSH client that is used to access the
PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the
Esc key.

Understanding Command Option Symbols
The symbol preceding an option can provide additional information about command syntax,
as described in Table 1.

Table 1. Option Symbols


Symbol Description
* This option is required.
> There are additional nested options for this command.
+ There are additional command options for this command at this level.

The following example shows how these symbols are used.

Example: In the following command, the keyword from is required:


username@hostname> scp import configuration ?
+ remote-port SSH port number on remote host
* from Source (username@host:path)
username@hostname> scp import configuration

Example: This command output shows options designated with + and >.
username@hostname# set rulebase security rules rule1 ?
+ action action
+ application application
+ description description
+ destination destination
+ disabled disabled
+ from from
+ log-end log-end
+ log-setting log-setting
+ log-start log-start
+ negate-destination negate-destination
+ negate-source negate-source
+ schedule schedule
+ service service
+ source source
+ to to
> profiles profiles
<Enter> Finish input
[edit]
username@hostname# set rulebase security rules rule1

Each option listed with + can be added to the command.

The profiles keyword (with >) has additional options:


username@hostname# set rulebase security rules rule1 profiles ?
+ virus Help string for virus
+ spyware Help string for spyware
+ vulnerability Help string for vulnerability
+ group Help string for group
<Enter> Finish input
[edit]
username@hostname# set rulebase security rules rule1 profiles



Restricting Command Output
Some operational commands include an option to restrict the displayed output. To restrict the
output, enter a pipe symbol followed by except or match and the value that is to be excluded
or included:
Example:
The following sample output is for the show system info command:
username@hostname> show system info

hostname: PA-HDF
ip-address: 10.1.7.10
netmask: 255.255.0.0
default-gateway: 10.1.0.1
mac-address: 00:15:E9:2E:34:33
time: Fri Aug 17 13:51:49 2007

uptime: 0 days, 23:19:23


devicename: PA-HDF
family: i386
model: pa-4050
serial: unknown
sw-version: 1.5.0.0-519
app-version: 25-150
threat-version: 0
url-filtering-version: 0
logdb-version: 1.0.8

username@hostname>

The following sample displays only the system model information:


username@hostname> show system info | match model
model: pa-4050

username@hostname>

Understanding Privilege Levels


Privilege levels determine which commands the user is permitted to execute and the
information the user is permitted to view. Table 2 describes the PAN-OS CLI privilege levels.

Table 2. Privilege Levels


Level Description
superuser Has full access to the firewall and can define new administrator accounts and
virtual systems.
superreader Has complete read-only access to the firewall.
vsysadmin Has full access to a selected virtual system on the firewall.
vsysreader Has read-only access to a selected virtual system on the firewall.



Referring to Firewall Interfaces
The Ethernet interfaces are numbered from left to right and top to bottom on the firewall, as
shown in Figure 1.

[Figure 1. Firewall Ethernet Interfaces: the top row of ports is numbered 1, 3, 5, ... 15 from left
to right (ethernet1/1 through ethernet1/15); the bottom row is numbered 2, 4, 6, ... 16
(ethernet1/2 through ethernet1/16).]

Use these names when referring to the Ethernet interfaces within the PAN-OS CLI commands,
as in the following example:
username@hostname# set network interface ethernet ethernet1/4 virtual-wire


Chapter 2
Understanding CLI Command Modes

This chapter describes the modes used to interact with the PAN-OS CLI:
• “Understanding Configuration Mode” in the next section

• “Understanding Operational Mode” on page 27

Understanding Configuration Mode


When you enter Configuration mode and enter commands to configure the firewall, you are
modifying the candidate configuration. The modified candidate configuration is stored in
firewall memory and maintained while the firewall is running.

Each configuration command involves an action, and may also include keywords, options,
and values. Entering a command makes changes to the candidate configuration.

This section describes Configuration mode and the configuration hierarchy:


• “Using Configuration Mode Commands” in the next section

• “Understanding the Configuration Hierarchy” on page 23

• “Navigating Through the Hierarchy” on page 25

Using Configuration Mode Commands


Use the following commands to store and apply configuration changes (see Figure 2):
• save command—Saves the candidate configuration in firewall non-volatile storage. The
saved configuration is retained until overwritten by subsequent save commands. Note
that this command does not make the configuration active.

• commit command—Applies the candidate configuration to the firewall. A committed
configuration becomes the active configuration for the device.

• set command—Changes a value in the candidate configuration.

• load command—Assigns the last saved configuration or a specified configuration to be
the candidate configuration.



Example: Make and save a configuration change.
[edit]
username@hostname# rename zone untrust to untrust1 (enter a configuration command)
[edit]
username@hostname# save config to snapshot.xml
Config saved to snapshot.xml
[edit]
username@hostname#

Example: Make a change to the candidate configuration.


[edit]
username@hostname# set network interface vlan ip 1.1.1.4/24
[edit]
username@hostname#

Example: Make the candidate configuration active on the device.


[edit]
username@hostname# commit
[edit]
username@hostname#

Note: If you exit Configuration mode without issuing the save or commit
command, your configuration changes could be lost if power is lost to the firewall.

[Figure 2. Configuration Mode Command Relationship: three configurations, Active, Candidate and
Saved. set changes the candidate; commit copies the candidate to the active configuration; save
copies the candidate to the saved configuration; load copies the saved configuration back to the
candidate.]



Maintaining a candidate configuration and separating the save and commit steps confers
important advantages when compared with traditional CLI architectures:
• Distinguishing between the save and commit concepts allows multiple changes to be
made at the same time and reduces system vulnerability.

For example, if you want to remove an existing security policy and add a new one, using
a traditional CLI command structure would leave the system vulnerable for the period of
time between removal of the existing security policy and addition of the new one. With
the PAN-OS approach, you configure the new security policy before the existing policy is
removed, and then implement the new policy without leaving a window of vulnerability.

• You can easily adapt commands for similar functions.

For example, if you are configuring two Ethernet interfaces, each with a different IP
address, you can edit the configuration for the first interface, copy the command, modify
only the interface and IP address, and then apply the change to the second interface.

• The command structure is always consistent.

Because the candidate configuration is always unique, all the authorized changes to the
candidate configuration will be consistent with each other.
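The following Python model is an added illustration of the relationship in Figure 2; it is not PAN-OS code. It keeps an active, a candidate and a set of saved rule lists, implements set, delete, move, save, load, commit and check pending-changes as methods with the semantics described above, and replaces a deny rule both ways: through the candidate configuration with a single commit, and on a CLI where every command takes effect as soon as it is entered. The rule names, the two-rule policy (a deny rule above an allow-any rule), first-match evaluation and the assumption that unmatched traffic is denied are all constructed for the example.

```python
"""Constructed model of the candidate / active / saved configuration lifecycle.

Added illustration, not PAN-OS code: rules carry only an application and an
action, evaluation is first match from the top, and traffic matching no rule
is denied (an assumption of this model).
"""
from copy import deepcopy


def first_match(rules, application):
    """Action of the first rule matching `application`, or 'deny' if none matches."""
    for rule in rules:
        if rule["application"] in (application, "any"):
            return rule["action"]
    return "deny"


class Firewall:
    """Three configurations and the Configuration mode verbs that move data between them."""

    def __init__(self):
        self.active = []      # enforced by the dataplane; changed only by commit
        self.candidate = []   # in-memory working copy edited by set / delete / move
        self.saved = {}       # snapshots written by 'save config to <file>'

    def set_rule(self, name, application, action):
        """'set rulebase security rules <name> application <app> action <action>'"""
        for rule in self.candidate:
            if rule["name"] == name:
                rule.update(application=application, action=action)
                return
        self.candidate.append({"name": name, "application": application, "action": action})

    def delete_rule(self, name):
        """'delete rulebase security rules <name>' (no confirmation is requested)"""
        self.candidate = [r for r in self.candidate if r["name"] != name]

    def move_rule_top(self, name):
        """'move rulebase security rules <name> top'"""
        rule = next(r for r in self.candidate if r["name"] == name)
        self.candidate.remove(rule)
        self.candidate.insert(0, rule)

    def check_pending_changes(self):
        """'check pending-changes': True when the candidate differs from the active configuration."""
        return self.candidate != self.active

    def save(self, filename):
        """'save config to <file>': snapshot the candidate; the active configuration is untouched."""
        self.saved[filename] = deepcopy(self.candidate)

    def load(self, filename):
        """'load config from <file>': replace the candidate with a saved snapshot."""
        self.candidate = deepcopy(self.saved[filename])

    def commit(self):
        """'commit': the whole candidate becomes active in one step."""
        self.active = deepcopy(self.candidate)


def replace_rule_with_commit(fw, old, new, application):
    """Replace a deny rule the PAN-OS way and record the live verdict after each step."""
    seen = []
    fw.delete_rule(old)
    seen.append(first_match(fw.active, application))  # active still holds the old rule
    fw.set_rule(new, application, "deny")
    fw.move_rule_top(new)
    seen.append(first_match(fw.active, application))  # still the old rule: nothing is live yet
    fw.commit()
    seen.append(first_match(fw.active, application))  # new rule active; no intermediate state
    return seen


def replace_rule_immediately(rules, old, new, application):
    """The same change on a CLI where each command takes effect as soon as it is entered."""
    seen = []
    rules[:] = [r for r in rules if r["name"] != old]
    seen.append(first_match(rules, application))  # window: falls through to the allow-any rule
    rules.insert(0, {"name": new, "application": application, "action": "deny"})
    seen.append(first_match(rules, application))
    return seen


def demo():
    """Two-rule policy (constructed): a deny rule above an allow-any rule."""
    fw = Firewall()
    fw.set_rule("block-telnet", "telnet", "deny")
    fw.set_rule("allow-any", "any", "allow")
    fw.commit()                  # policy goes live
    fw.save("baseline.xml")      # snapshot of the candidate, which equals active here
    with_commit = replace_rule_with_commit(fw, "block-telnet", "block-telnet-v2", "telnet")
    immediate = replace_rule_immediately(deepcopy(fw.saved["baseline.xml"]),
                                         "block-telnet", "block-telnet-v2", "telnet")
    fw.load("baseline.xml")      # candidate differs from active again, in memory only
    return {"with_commit": with_commit,                        # ['deny', 'deny', 'deny']
            "immediate": immediate,                            # ['allow', 'deny']
            "pending_after_load": fw.check_pending_changes()}  # True
```

Running demo() shows the point of this section: the commit path never reports anything but deny for telnet, while the immediate path reports allow for the interval between the delete and the add. The load at the end also shows why check pending-changes is worth running before leaving Configuration mode: after load the candidate differs from the active configuration again, and that difference exists only in memory until save or commit.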

Understanding the Configuration Hierarchy


The configuration for the firewall is organized in a hierarchical structure. To display a
segment of the current hierarchy, use the show command. Entering show displays the
complete hierarchy, while entering show with keywords displays a segment of the hierarchy.

For example, the following command displays the configuration hierarchy for the ethernet
interface segment of the hierarchy:
username@hostname# show network interface ethernet
ethernet {
ethernet1/1 {
virtual-wire;
}
ethernet1/2 {
virtual-wire;
}
ethernet1/3 {
layer2 {
units {
ethernet1/3.1;
}
}
}
ethernet1/4;
}
[edit]
username@hostname#



Understanding Hierarchy Paths
When you enter a command, a path is traced through the hierarchy, as shown in Figure 3.

[Figure 3. Sample Hierarchy Segment: network > profiles, interface, vlan, virtual-wire,
virtual-router; interface > ethernet, aggregate-ethernet, vlan, loopback; ethernet > ethernet1/1,
ethernet1/2, ethernet1/3, ethernet1/4; below the interface nodes, leaf settings such as
link-duplex auto, link-state up, virtual-wire and link-speed 1000.]

For example, the following command assigns the IP address/netmask 10.1.1.12/24 to the
Layer 3 interface for the Ethernet port ethernet1/4:
[edit]
username@hostname# set network interface ethernet ethernet1/4 layer3 ip
10.1.1.12/24

[edit]
username@hostname#

This command generates a new element in the hierarchy, as shown in Figure 4 and in the
output of the following show command:
[edit]
username@hostname# show network interface ethernet ethernet1/4
ethernet1/4 {
layer3 {
ip {
10.1.1.12/24;
}
}
}
[edit]
username@hostname#
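The brace format that show prints is regular enough to parse back into the set commands that would recreate it, which is how a practitioner diffs two firewalls or replays a segment of configuration. The Python below is an added example, not PAN-OS code: parse() turns a listing into nested dictionaries and to_set_commands() walks them, emitting one set line per leaf. The three sample listings are the show network interface ethernet output above, the show network interface ethernet ethernet1/4 output above, and the rulebase listing from the copy reference page in Chapter 3, which adds the bracketed list form source [ any 1.1.1.1/32 ]. The prefix passed in each case is the hierarchy path that precedes the first key of the listing, since show prints only the requested segment.

```python
"""Parse the brace-format listing printed by the Configuration mode show command
and emit the set commands that would recreate it.

Added example, not PAN-OS code. The listings below are copied from this guide
(line breaks collapsed); the prefix given to to_set_commands is the hierarchy
path that precedes the first key of the listing.
"""
import re

# 'show network interface ethernet' from the hierarchy section (prompt lines omitted)
SHOW_ETHERNET = """
ethernet {
  ethernet1/1 { virtual-wire; }
  ethernet1/2 { virtual-wire; }
  ethernet1/3 { layer2 { units { ethernet1/3.1; } } }
  ethernet1/4;
}
"""
# 'show network interface ethernet ethernet1/4' after the set command above
SHOW_ETHERNET1_4 = "ethernet1/4 { layer3 { ip { 10.1.1.12/24; } } }"
# 'show' at [edit rulebase security] from the copy reference page (bracketed list value)
SHOW_RULES = "security { rules { rule1 { source [ any 1.1.1.1/32 ]; destination 1.1.1.2/32; } } }"

# braces, brackets and semicolons are their own tokens; everything else splits on whitespace
TOKEN = re.compile(r"[{}\[\];]|[^\s{}\[\];]+")


def parse(text):
    """Build a dict tree: a block becomes a dict, a bare leaf such as 'virtual-wire;'
    becomes None, a single value becomes a str, and '[ a b ]' becomes a list."""
    tokens = TOKEN.findall(text)
    pos = 0

    def block(closing):
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != closing:
            key = tokens[pos]
            pos += 1
            if tokens[pos] == "{":           # nested block
                pos += 1
                node[key] = block("}")
                pos += 1                     # consume the closing brace
                continue
            values = []                      # leaf: zero or more values up to ';'
            while tokens[pos] != ";":
                if tokens[pos] == "[":
                    end = tokens.index("]", pos)
                    values.append(tokens[pos + 1:end])
                    pos = end + 1
                else:
                    values.append(tokens[pos])
                    pos += 1
            pos += 1                         # consume the semicolon
            node[key] = None if not values else values[0] if len(values) == 1 else values
        return node

    return block(None)


def to_set_commands(tree, prefix=()):
    """Flatten a parsed tree into 'set <path> [value]' lines, one per leaf."""
    commands = []
    for key, value in tree.items():
        path = prefix + (key,)
        if isinstance(value, dict) and value:
            commands.extend(to_set_commands(value, path))
        elif value is None or value == {}:   # bare leaf or empty block
            commands.append("set " + " ".join(path))
        elif isinstance(value, list):
            commands.append("set " + " ".join(path) + " [ " + " ".join(value) + " ]")
        else:
            commands.append("set " + " ".join(path) + " " + value)
    return commands


def demo():
    """The three listings above, converted with the prefix each one was shown under."""
    return {
        "ethernet": to_set_commands(parse(SHOW_ETHERNET), ("network", "interface")),
        "ethernet1/4": to_set_commands(parse(SHOW_ETHERNET1_4), ("network", "interface", "ethernet")),
        "rules": to_set_commands(parse(SHOW_RULES), ("rulebase",)),
    }
```

For the ethernet1/4 listing the only line produced is set network interface ethernet ethernet1/4 layer3 ip 10.1.1.12/24, the same command that created the element in the example above, which is the round trip a replay or comparison depends on.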



[Figure 4. Sample Hierarchy Segment: the same tree as Figure 3 (network > interface > ethernet >
ethernet1/1 ... ethernet1/4), now with the new element ip > 10.1.1.12/24 shown under ethernet1/4.]

Navigating Through the Hierarchy


The [edit...] banner displayed above the Configuration mode command prompt shows the
current hierarchy context. For example, the banner
[edit]

indicates that the relative context is the top level of the hierarchy, whereas
[edit network profiles]

indicates that the relative context is at the network profiles node.

Use the commands listed in Table 3 to navigate through the configuration hierarchy.

Table 3. Navigation Commands


Command Description
edit Sets the context for configuration within the command hierarchy.
up Changes the context to the next higher level in the hierarchy.
top Changes the context to the highest level in the hierarchy.



Using the Edit Command
Use the edit command to change context to lower levels of the hierarchy, as in the following
examples:
• Move from the top level to a lower level:
[edit] (top level)
username@hostname# edit network

[edit network]
username@hostname# (now at the network level)

• Move from one level to a lower level:
[edit network] (network level)
username@hostname# edit interface

[edit network interface]
username@hostname# (now at the network interface level)

Using the Up and Top Commands


Use the up and top commands to move to higher levels in the hierarchy:
• up—changes the context to one level up in the hierarchy.

Example:
[edit network interface] (network interface level)
username@hostname# up

[edit network]
username@hostname# (now at the network level)

• top—changes context to the top level of the hierarchy.

Example:
[edit network interface vlan] (network interface vlan level)
username@hostname# top

[edit]
username@hostname# (now at the top level)
Note: The set command issued after using the up and top commands starts from
the new context.



Understanding Operational Mode
When you first log in, the PAN-OS CLI opens in Operational mode. Operational mode
commands involve actions that are executed immediately. They do not involve changes to the
configuration, and do not need to be saved or committed.

Operational mode commands are of several types:

• Network access—Open a window to another host. Includes ssh and telnet commands.

• Monitoring and troubleshooting—Perform diagnosis and analysis. Includes debug and
ping commands.

• Display commands—Display or clear current information. Includes clear and show
commands.

• PAN-OS CLI navigation commands—Enter Configuration mode or exit the PAN-OS CLI.
Includes configure, exit, and quit commands.

• System commands—Make system-level requests or restart. Includes set and request
commands.


Chapter 3
Configuration Mode Commands

This chapter contains command reference pages for the following Configuration mode
command types:
• “check” on page 30

• “commit” on page 31

• “copy” on page 32

• “delete” on page 33

• “edit” on page 34

• “exit” on page 35

• “load” on page 36

• “move” on page 37

• “quit” on page 38

• “rename” on page 39

• “run” on page 40

• “save” on page 41

• “set” on page 42

• “show” on page 43

• “top” on page 44

• “up” on page 45


check
Check configuration status.

Syntax
check option

Options
data-access-passwd Check data access authentication status for this session.
pending-changes Check for uncommitted changes.

Sample Output
The following command shows that there are currently no uncommitted changes.
username@hostname# check pending-changes
no
[edit]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin


commit
Make the current candidate configuration the active configuration on the firewall.

Syntax
commit

Options
None

Sample Output
The following command makes the current candidate configuration the active configuration.
# commit

Required Privilege Level


superuser, vsysadmin, deviceadmin


copy
Make a copy of a node in the hierarchy along with its children, and add the copy to the same
hierarchy level.

Syntax
copy [node1] to [node2]

Options
node1 Specifies the node to be copied.
node2 Specifies the name of the copy.

Sample Output
The following command, executed from the rule base security level of the hierarchy, makes a
copy of rule1, called rule2.
[edit rulebase security]
username@hostname# copy rules rule1 to rule2
[edit rulebase security]
username@hostname#

The following command shows the location of the new rule in the hierarchy.

[edit rulebase security]


username@hostname# show

security {
rules {
rule1 {
source [ any 1.1.1.1/32 ];
destination 1.1.1.2/32;
}

rule2 {
source [ any 1.1.1.1/32 ];
destination 1.1.1.2/32;
}
}
}

Required Privilege Level


superuser, vsysadmin, deviceadmin


delete
Remove a node from the candidate configuration along with all its children.

Note: No confirmation is requested when this command is entered.

Syntax
delete [node]

Options
node Specifies the hierarchy node to delete.

Sample Output
The following command deletes the application myapp from the candidate configuration.
username@hostname# delete application myapp
[edit]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin


edit
Change context to a lower level in the configuration hierarchy.

Syntax
edit [context]

Options
context Specifies a path through the hierarchy.

Sample Output
The following command changes context from the top level to the rulebase level of the
hierarchy.
[edit]
username@hostname# edit rulebase

[edit rulebase]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin


exit
Exit from the current PAN-OS CLI level.
• From Operational mode—Exits the PAN-OS CLI.

• From Configuration mode, top hierarchy level—Exits Configuration mode, returning to
Operational mode.

• From Configuration mode, lower hierarchy levels—Changes context to one level up in the
hierarchy. Provides the same result as the up command.

Note: The exit command is the same as the quit command.

Syntax
exit

Options
None

Sample Output
The following command changes context from the network interface level to the network
level.
[edit network interface]
username@hostname# exit
[edit network]
username@hostname#

The following command changes from Configuration mode to Operational mode.


[edit]
username@hostname# exit
Exiting configuration mode

username@hostname>

Required Privilege Level


All


load
Assigns the last saved configuration or a specified configuration to be the candidate
configuration.

Syntax
load config [from filename]

Options
filename Specifies the filename from which the configuration will be loaded.

Sample Output
The following command assigns output.xml to be the candidate configuration.
[edit]
username@hostname# load config from output.xml

command succeeded

[edit]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin


move
Relocate a node in the hierarchy along with its children to be at another location at the same
hierarchy level.

Syntax
move element1 <bottom | top | after element2 | before element2>

Options
element1 Specifies the item to be moved.
placement Specifies the new location of element1:

Option Description
bottom Makes element1 the last entry of the hierarchy level.
top Makes element1 the first entry of the hierarchy level.
after Moves element1 to be after element2.
before Moves element1 to be before element2.

element2 Indicates the element after or before which element1 will be placed.

Sample Output
The following command moves the security rule rule1 to the top of the rule base.
username@hostname# move rulebase security rules rule1 top

[edit]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin


quit
Exit from the current PAN-OS CLI level.
• From Operational mode—Exits the PAN-OS CLI.

• From Configuration mode, top hierarchy level—Exits Configuration mode, returning to
Operational mode.

• From Configuration mode, lower hierarchy levels—Changes context to one level up in the
hierarchy. Provides the same result as the up command.

Note: The exit and quit commands are interchangeable.

Syntax
quit

Options
None

Sample Output
The following command changes context from the log-settings level to the top level of the
hierarchy.
[edit log-settings]
username@hostname# quit

[edit]
username@hostname#

The following command changes from Configuration mode to Operational mode.


[edit]
username@hostname# quit
Exiting configuration mode

username@hostname>

Required Privilege Level


All


rename
Change the name of a node in the hierarchy.

Syntax
rename [node1] to [node2]

Options
node1 Indicates the original node name.
node2 Indicates the new node name.

Sample Output
The following command changes the name of a node in the hierarchy from 1.1.1.1/24 to
1.1.1.2/24.
username@hostname# rename network interface vlan ip 1.1.1.1/24 to 1.1.1.2/24

Required Privilege Level


superuser, vsysadmin, deviceadmin


run
Execute an Operational mode command while in Configuration mode.

Syntax
run [command]

Options
command Specifies an Operational mode command.

Sample Output
The following command executes a ping command to the IP address 1.1.1.2 from
Configuration mode.
username@hostname# run ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
...
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin


save
Saves a snapshot of the firewall configuration.

Note: This command saves the configuration on the firewall, but does not make
the configuration active. Use the commit command to make the current candidate
configuration active.

Syntax
save config [to filename]

Options
filename Specifies the filename to store the configuration. The filename cannot include
a hyphen (-).

Sample Output
The following command saves a copy of the configuration to the file savefile.
[edit]
username@hostname# save config to savefile
Config saved to savefile

[edit]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin


set
Changes a value in the candidate configuration. Changes are retained while the firewall is
powered until overwritten.

Note: To save the candidate configuration in non-volatile storage, use the save
command. To make the candidate configuration active, use the commit command.

Syntax
set [context]

Options
context Specifies a path through the hierarchy.

Sample Output
The following command assigns the ethernet1/1 interface to be a virtual wire interface.
[edit]
username@hostname# set network interface ethernet ethernet1/1 virtual-wire

[edit]
username@hostname#

The following command sets the VLAN IP address to 1.1.1.4/32 from the network interface
vlan level of the hierarchy.
[edit network interface vlan]
username@hostname# set ip 1.1.1.4/32

[edit network interface vlan]


username@hostname#

The following command locks an administrative user out for 15 minutes after 5 failed login
attempts.
username@hostname# set deviceconfig setting management admin-lockout 5 lockout-time 15

Required Privilege Level


superuser, vsysadmin, deviceadmin


show
Display information about the current candidate configuration.

Syntax
show [context]

Options
context Specifies a path through the hierarchy.

Sample Output
The following command shows the full candidate hierarchy.
username@hostname# show

The following commands can be used to display the hierarchy segment for network interface.
• Specify the context on the command line:
username@hostname# show network interface

• Use the edit command to move to that level of the hierarchy, and then use the show
command without specifying a context:
username@hostname# edit network interface
[edit network interface]
username@hostname# show

Required Privilege Level


superuser, vsysadmin, deviceadmin


top
Change context to the top hierarchy level.

Syntax
top

Options
None

Sample Output
The following command changes context from the network level of the hierarchy to the top
level.
[edit network]
username@hostname# top

[edit]
username@hostname#

Required Privilege Level


All


up
Change context to the next higher hierarchy level.

Syntax
up

Options
None

Sample Output
The following command changes context from the network interface level of the hierarchy to
the network level.
[edit network interface]
username@hostname# up

[edit network]
username@hostname#

Required Privilege Level


All


Chapter 4
Operational Mode Commands

This chapter contains command reference pages for the following operational mode
commands:
• “clear” on page 51

• “configure” on page 53

• “debug captive-portal” on page 54

• “debug cli” on page 55

• “debug cpld” on page 56

• “debug dataplane” on page 57

• “debug device-server” on page 59

• “debug dhcpd” on page 60

• “debug high-availability-agent” on page 61

• “debug ike” on page 62

• “debug keymgr” on page 63

• “debug log-receiver” on page 64

• “debug management-server” on page 65

• “debug master-service” on page 66

• “debug rasmgr” on page 67

• “debug routing” on page 68

• “debug software” on page 69

• “debug swm” on page 70

• “debug tac-login” on page 71

• “debug vardata-receiver” on page 72



• “delete” on page 73

• “exit” on page 75

• “grep” on page 76

• “less” on page 77

• “netstat” on page 78

• “ping” on page 79

• “quit” on page 81

• “request certificate” on page 82

• “request comfort-page” on page 84

• “request content” on page 85

• “request data-filtering” on page 86

• “request device-registration” on page 87

• “request high-availability” on page 88

• “request license” on page 89

• “request password-hash” on page 90

• “request restart” on page 91

• “request ssl-output-text” on page 92

• “request ssl-vpn” on page 93

• “request support” on page 94

• “request system” on page 95

• “request tech-support” on page 96

• “request url-filtering” on page 97

• “request vpn-client” on page 98

• “scp” on page 99

• “set application” on page 101

• “set cli” on page 102

• “set clock” on page 103

• “set ctd” on page 104

• “set data-access-password” on page 105

• “set logging” on page 106

• “set management-server” on page 107



• “set multi-vsys” on page 108

• “set panorama” on page 109

• “set password” on page 110

• “set proxy” on page 111

• “set serial-number” on page 112

• “set session” on page 113

• “set shared-policy” on page 115

• “set ssl-vpn” on page 116

• “set target-vsys” on page 117

• “set ts-agent” on page 118

• “set url-database” on page 119

• “set zip” on page 120

• “show admins” on page 121

• “show arp” on page 122

• “show authentication” on page 123

• “show chassis-ready” on page 124

• “show cli” on page 125

• “show clock” on page 126

• “show config” on page 127

• “show counter” on page 128

• “show ctd” on page 129

• “show device” on page 130

• “show device-messages” on page 131

• “show devicegroups” on page 132

• “show dhcp” on page 133

• “show high-availability” on page 134

• “show interface” on page 135

• “show jobs” on page 136

• “show local-user-db” on page 137

• “show location” on page 138

• “show log” on page 139



• “show logging” on page 141

• “show mac” on page 142

• “show management-clients” on page 143

• “show multi-vsys” on page 144

• “show pan-agent” on page 145

• “show pan-ntlm-agent” on page 146

• “show proxy” on page 147

• “show query” on page 148

• “show report” on page 149

• “show routing” on page 150

• “show session” on page 154

• “show ssl-vpn” on page 157

• “show statistics” on page 158

• “show system” on page 160

• “show target-vsys” on page 162

• “show threat” on page 163

• “show ts-agent” on page 164

• “show url-database” on page 165

• “show virtual-wire” on page 166

• “show vlan” on page 167

• “show vpn” on page 168

• “show zip” on page 170

• “show zone-protection” on page 171

• “ssh” on page 172

• “tail” on page 173

• “telnet” on page 174

• “test” on page 175

• “tftp” on page 176

• “traceroute” on page 178

• “view-pcap” on page 180


clear
Reset information, counters, sessions, or statistics.

Syntax
clear application-signature statistics
clear arp <all | interfacename>
clear counter <all | global | interface>
clear dhcp lease <all | interface name interfacename [ip ipaddr]>
clear high-availability control-link statistics
clear job jobid
clear log type
clear mac <value | all>
clear query <all-by-session | id queryid>
clear report <all-by-session | id reportid>
clear session <id sessionid | all [filter rule]>
clear statistics
clear vpn <flow [tunnel-id tunnelid] | ike-sa [gateway gatewayid] |
ipsec-sa [tunnel tunnelid]>

Options
application-signature statistics Clears application-signature statistics.
arp Clears Address Resolution Protocol (ARP) information for a specified
interface, loopback, or VLAN, or all.
counter Clears interface counters. Specify all counters, global counters, or
interface counters.
dhcp lease Clears DHCP leases. Specify all or specify an interface and optional IP
address.
job Clears download jobs. Specify the job id.
log Remove log files from disk. Specify the log type: acc, config, system,
threat, or traffic.
mac Clears MAC address information for a specified VLAN or all addresses.
session Clears a specified session or all sessions. Refer to “show session” on
page 154 for a description of the filter options when clearing all sessions.
statistics Clears all statistics.
vpn Clears IKE or IPSec VPN run-time objects:
    flow Clears the VPN tunnel on the data plane. Specify the tunnel or press
    Enter to apply to all tunnels.
    ike-sa Removes the active IKE SA and stops all ongoing key negotiations.
    Specify the gateway or press Enter to apply to all gateways.
    ipsec-sa Deactivates the IPsec SA for a tunnel or all tunnels. Specify the
    tunnel or press Enter to apply to all tunnels.

Sample Output
The following command clears the session with ID 2245.
username@hostname> clear session id 2245
Session 2245 cleared
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


configure
Enter Configuration mode.

Syntax
configure

Options
None

Sample Output
To enter Configuration mode from Operational mode, enter the following command.
username@hostname> configure
Entering configuration mode

[edit]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin


debug captive-portal
Define settings for debugging the captive portal daemon.

Syntax
debug captive-portal option

Options
show Shows whether this command is on or off.
off Turns the debugging option off.
on Turns the debugging option on.

Sample Output
The following command turns the debugging option on.
admin@PA-HDF> debug captive-portal on
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin


debug cli
Define settings and display information for debugging the CLI connection.

Syntax
debug cli option

Options
detail Shows detailed information about the CLI connection.
show Shows whether this command is on or off.
off Turns the debugging option off.
on Turns the debugging option on.

Sample Output
The following command shows details of the CLI connection.
admin@PA-HDF> debug cli detail
Environment variables :
(USER . admin)
(LOGNAME . admin)
(HOME . /home/admin)
(PATH . /usr/local/bin:/bin:/usr/bin)
(MAIL . /var/mail/admin)
(SHELL . /bin/bash)
(SSH_CLIENT . 10.31.1.104 1109 22)
(SSH_CONNECTION . 10.31.1.104 1109 10.1.7.2 22)
(SSH_TTY . /dev/pts/0)
(TERM . vt100)
(LINES . 24)
(COLUMNS . 80)
(PAN_BASE_DIR . /opt/pancfg/mgmt)

PAN_BUILD_TYPE : DEVELOPMENT

Total Heap : 7.00 M


Used : 5.51 M
Nursery : 0.12 M
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin


debug cpld
Debug the complex programmable logic device (CPLD).

Syntax
debug cpld

Options
None

Sample Output
N/A

Required Privilege Level


superuser, vsysadmin


debug dataplane
Configure settings for debugging the data plane.

Syntax
debug dataplane option

Options
The available sub-options depend on the specified option.

clear Clear all dataplane debug logs.
device Debug dataplane hardware component.
drop-filter Define a filter to capture dropped packets.
filter Determine the packets to capture or send to a debug log file.
fpga Debug the field programmable gate array (FPGA).
get Show current dataplane debug settings.
internal Debug the dataplane internal state.
memory Examine dataplane memory.
mode Control dataplane debug logging mode.
off Turn off dataplane debug logging.
on Turn on dataplane debug logging.
pool Debug buffer pools, including checks of hardware and software
utilization and buffer pool statistics.
pow Debug packet scheduling engine.
process Debug the dataplane process for the high-availability agent (ha-agent)
and management plane relay agent (mprelay).
reset Reset settings for debugging the data plane.
set Specify parameters for dataplane debugging.
show Show dataplane running information.
task-heartbeat Debug dataplane task heartbeat.
unset Clear the previously-set parameters for dataplane debugging.

Sample Output
The following command shows the statistics for the dataplane buffer pools.
admin@PA-HDF> debug dataplane pool statistics

The following command turns dataplane filtering on and sets filter parameters.
admin@PA-HDF> debug dataplane filter on
admin@PA-HDF> debug dataplane filter set source 10.1 11.2.3 file abc.pcap

Required Privilege Level


superuser vsysadmin

debug device-server
Configure settings for debugging the device server.

Syntax
debug device-server option

Options
clear Clear all debug logs.
dump Dump the debug data.
off Turn off debug logging.
on Turn on debug logging.
refresh Refresh the user-group data.
reset Clear logging data.
set Set debugging values.
show Display current debug log settings.
test Test the current settings.
unset Remove current settings.

Sample Output
The following command turns off debug logging for the device server.
admin@PA-HDF> debug device-server off
admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug dhcpd
Configure settings for debugging the Dynamic Host Configuration Protocol (DHCP) daemon.

Syntax
debug dhcpd option

Options
global Define settings for the global DHCP daemon.
pcap Define settings for debugging packet capture.

Sample Output
The following command shows current global DHCP daemon settings.
admin@PA-HDF> debug dhcpd global show

sw.dhcpd.runtime.debug.level: debug

admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug high-availability-agent
Configure settings for debugging the high availability agent.

Syntax
debug high-availability-agent option

Options
clear Clear the debug logs.
internal-dump Dump the internal state of the agent to its log.
model-check Turn model checking with the peer on or off.
off Turns the debugging option off.
on Turns the debugging option on.
show Shows whether this command is on or off.

Sample Output
The following command turns model checking on for the high availability agent.
admin@PA-HDF> debug high-availability-agent model-check on

admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug ike
Configure settings for debugging Internet Key Exchange (IKE) daemon.

Syntax
debug ike option

Options
global Configure global settings.
pcap Configure packet capture settings.
socket Configure socket settings.
stat Show IKE daemon statistics.

Sample Output
The following command turns on the global options for debugging the IKE daemon.
admin@PA-HDF> debug ike global on
admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug keymgr
Configure settings for debugging the key manager daemon.

Syntax
debug keymgr option

Options
list-sa Lists the IPSec security associations (SAs) that are stored in the key manager
daemon.
off Turn the settings off.
on Turn the settings on.
show Show key manager daemon information.

Sample Output
The following command shows the current information on the key manager daemon.
admin@PA-HDF> debug keymgr show

sw.keymgr.debug.global: normal

admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug log-receiver
Configure settings for debugging the log receiver daemon.

Syntax
debug log-receiver option

Options
off Turns the debugging option off.
on Turns the debugging option on.
show Shows whether this command is on or off.
statistics Show log receiver daemon statistics.

Sample Output
The following command turns log receiver debugging on.
admin@PA-HDF> debug log-receiver on
admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug management-server
Configure settings for debugging the management server.

Syntax
debug management-server option

Options
clear Clear all debug logs.
client Debug the management server client.
off Turn debugging off.
on Turn debugging on.
phased-commit Set experimental mode for committing in phases.
show Show management server debug statistics.

Sample Output
The following example turns management server debugging on.
admin@PA-HDF> debug management-server on
(null)
admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug master-service
Configure settings for debugging the master service.

Syntax
debug master-service option

Options
clear Clear all debug logs.
internal-dump Dump the internal state of the server to the log.
off Turn debugging off.
on Turn debugging on.
show Show debug settings.

Sample Output
The following command dumps the internal state of the master server to the log.
admin@PA-HDF> debug master-service internal-dump

admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug rasmgr
Configure settings for debugging the remote access service daemon.

Syntax
debug rasmgr option

Options
show Show whether this command is on or off.
off Turn the debugging option off.
on Turn the debugging option on.

Sample Output
The following command shows the debug settings for the remote access service daemon.
admin@PA-HDF> debug rasmgr show

sw.rasmgr.debug.global: normal

admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug routing
Configure settings for debugging the route daemon.

Syntax
debug routing option

Options
fib Turn on debugging for the forwarding table.
global Turn on global debugging.
list-mib Show the routing list with management information base (MIB) names.
mib Show the MIB tables.
pcap Show packet capture data.
socket Show socket data.

Sample Output
The following command displays the MIB tables for routing.
admin@PA-HDF> debug routing list-mib

i3EmuTable (1 entries)
==========================
sckTable (0 entries)
sckSimInterfaceTable (0 entries)
sckEiTable (0 entries)
sckEaTable (0 entries)
i3Table (0 entries)
i3EiTable (0 entries)
i3EaTable (0 entries)
i3EtTable (0 entries)
i3EmTable (0 entries)
dcSMLocationTable (0 entries)
dcSMHMTestActionObjects (0 entries)
siNode (0 entries)
siOSFailures (0 entries)
siTraceControl (0 entries)
siExecAction (0 entries)
...
admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug software
Restart software processes to aid debugging.

Syntax
debug software restart option

Options
device-server Restart the device server.
management-server Restart the management server.
web-server Restart the web server.

Sample Output
The following command restarts the web server.
admin@PA-HDF> debug software restart web-server

admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug swm
Configure settings for debugging the Palo Alto Networks software manager.

Syntax
debug swm option

Options
command Run a software manager command.
history Show the history of software installation operations.
list List software versions that are available for installation.
refresh Revert to the last successfully installed content.
revert Revert to the last successfully installed software.
status Show the status of the software manager.
unlock Unlock the software manager.

Sample Output
The following command shows the list of available software versions.
admin@PA-HDF> debug swm list

3.0.0-c4.dev
3.0.0-c1.dev_base
2.0.0-c207
2.0.0-c206
admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug tac-login
Configure settings for debugging the Palo Alto Networks Technical Assistance Center (TAC)
connection.

Syntax
debug tac-login option

Options
enable Enable TAC login.
disable Disable TAC login.
permanently-disable Turn off TAC login debugging permanently.

Sample Output
The following command turns TAC login debugging on.
admin@PA-HDF> debug tac-login on

admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

debug vardata-receiver
Configure settings for debugging the variable data daemon.

Syntax
debug vardata-receiver option

Options
off Turns the debugging option off.
on Turns the debugging option on.
show Shows whether this command is on or off.
statistics Show variable data daemon statistics.

Sample Output
The following command shows statistics for the variable data daemon.
admin@PA-HDF> debug vardata-receiver statistics

admin@PA-HDF>

Required Privilege Level


superuser vsysadmin

delete
Remove files from disk or restore default comfort pages, which are presented when files or
URLs are blocked.

Syntax
delete item

Options
item Specifies the type of file to be deleted.

Option                                                Description
captive-portal-text                                   Text included in a captive portal.
config saved filename                                 Saved configuration file.
content update filename                               Content updates.
core <control-plane | dataplane> file filename        Control plane or data plane core files.
data-capture directoryname                            Data capture files.
debug-filter file filename                            Debugging packet capture files on disk.
file-block-page                                       Page presented to users when files are blocked.
                                                      Restores the default page.
inbound-key filename                                  SSL inbound proxy keys on disk.
license key filename                                  License key file.
logo                                                  Custom logo file.
pcap file filename                                    Packet capture files.
policy-cache                                          Cached policy compilations.
report <custom | predefined | summary>                Specified report with file name and report name.
  file-name filename report-name report
root-certificate file filename                        Root certificates.
software image imagename version versionname          Software image.
spyware-block-page                                    Page presented to users when web pages are blocked
                                                      due to spyware. Restores the default page.
ssl-optout-text                                       Page presented to users when a web session is to be
                                                      decrypted. Restores the default page.
threat-pcap directory directoryname                   Threat packet capture files in the specified directory.
unknown-pcap directory directoryname                  Packet capture files for unknown sessions.
url-block-page                                        Page presented to users when web pages are blocked.
                                                      Restores the default page.
url-coach-text                                        Page presented to users. Restores the default page.
user-file ssh-known-hosts                             SSH known hosts file.
virus-block-page                                      Page presented to users when web pages are blocked.
                                                      Restores the default page.

Sample Output
The following command deletes the custom page presented to users when web pages are
blocked due to spyware.
username@hostname> delete spyware-block-page
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

exit
Exit the PAN-OS CLI.

Note: The exit command is the same as the quit command.

Syntax
exit

Options
None

Sample Output
N/A

Required Privilege Level


All

grep
Find and list lines from log files that match a specified pattern.

Syntax
grep [after-context number] [before-context number] [context number]
[count] [ignore-case] [invert-match] [line-number] [max-count]
[no-filename] [with-filename] pattern file

Options
after-context Prints the matching lines plus the specified number of lines that follow the
matching lines.
before-context Prints the matching lines plus the specified number of lines that precede the
matching lines.
context Prints the specified number of lines in the file for output context.
count Prints a count of matching files for each input file.
ignore-case Ignores case distinctions.
invert-match Selects non-matching lines instead of matching lines.
line-number Adds the line number at the beginning of each line of output.
max-count Stops reading a file after the specified number of matching lines.
no-filename Does not add the filename prefix for output.
with-filename Prints the file name for each match.
pattern Indicates the string to be matched.
file Indicates the log file to be searched.

Sample Output
The following command searches the ms.log file for occurrences of the string id:admin.
username@hostname> grep id:admin /var/log/pan/ms.log

username@hostname>
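As an added example that is not part of the PAN-OS reference, the following Python reimplements the option semantics listed above (context windows, ignore-case, invert-match, max-count, line-number and count) over a constructed set of log lines. The sample entries are made up to resemble management-server log lines and are not real ms.log output; the function names are the example's own. Running it offline lets you check how combinations of options interact before you search a live firewall's logs.

```python
"""Mini-grep with the option semantics of the PAN-OS 'grep' command.

Added example, not code from the PAN-OS CLI reference.  The log lines below are
constructed to look like management-server log entries; they are not real
ms.log output.
"""
import re
from typing import List, Optional

# Constructed sample; one entry per list element (no trailing newlines).
SAMPLE_MS_LOG = [
    "2009-05-30 09:58:01 info  mgmt: session started id:admin from 10.31.1.104",
    "2009-05-30 09:58:07 info  mgmt: candidate configuration loaded",
    "2009-05-30 10:02:14 warn  mgmt: login failed id:Admin from 10.31.1.200",
    "2009-05-30 10:02:40 info  mgmt: commit started id:admin",
    "2009-05-30 10:03:01 info  mgmt: commit finished",
]


def grep_lines(
    lines: List[str],
    pattern: str,
    *,
    after_context: int = 0,
    before_context: int = 0,
    context: Optional[int] = None,
    ignore_case: bool = False,
    invert_match: bool = False,
    line_number: bool = False,
    max_count: Optional[int] = None,
) -> List[str]:
    """Return the selected lines in file order, with context lines merged in.

    The pattern is a regular expression searched anywhere in the line, as with
    grep.  'context' sets both before-context and after-context at once.
    """
    if context is not None:
        after_context = before_context = context
    regex = re.compile(pattern, re.IGNORECASE if ignore_case else 0)

    # First pass: which line indexes are selected (honouring invert-match
    # and stopping early when max-count is reached).
    matched: List[int] = []
    for idx, line in enumerate(lines):
        if bool(regex.search(line)) != invert_match:
            matched.append(idx)
            if max_count is not None and len(matched) >= max_count:
                break

    # Second pass: widen each match by its context window; overlapping
    # windows merge so no line is printed twice.
    selected = set()
    for idx in matched:
        low = max(0, idx - before_context)
        high = min(len(lines) - 1, idx + after_context)
        selected.update(range(low, high + 1))

    # line-number prefixes are 1-based, matching grep -n output.
    return [f"{idx + 1}:{lines[idx]}" if line_number else lines[idx]
            for idx in sorted(selected)]


def grep_count(lines: List[str], pattern: str, *, ignore_case: bool = False,
               invert_match: bool = False) -> int:
    """The 'count' option: number of matching lines in the input (grep -c)."""
    return len(grep_lines(lines, pattern, ignore_case=ignore_case,
                          invert_match=invert_match))


if __name__ == "__main__":
    for out in grep_lines(SAMPLE_MS_LOG, "id:admin", context=1, line_number=True):
        print(out)
```

Note that a case-insensitive search for `id:admin` also returns the failed login recorded as `id:Admin`; when reviewing administrative activity it is usually the ignore-case form you want, so that a differently cased user name does not slip past the search.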

Required Privilege Level


All

less
List the contents of the specified log file.

Syntax
less type file

Options
type Indicates the type of log file to be displayed:
• custom-page
• dp-backtrace
• dp-log
• mp-backtrace
• mp-log
• webserver-log
file Indicates the log file to be displayed.

Sample Output
The following command lists the contents of the web server error log.
username@hostname> less webserver-log error.log
default:2 main Configuration for Mbedthis Appweb
default:2 main --------------------------------------------
default:2 main Host: pan-mgmt2
default:2 main CPU: i686
default:2 main OS: LINUX
default:2 main Distribution: unknown Unknown
default:2 main OS: LINUX
default:2 main Version: 2.4.0.0
default:2 main BuildType: RELEASE
default:2 main Started at: Mon Mar 2 12
...

Required Privilege Level


All

netstat
Display network sockets, routing tables, interface statistics, and related networking
information.

Syntax
netstat type <no | yes>

Options
type Indicates the information to display:
• all—Display all sockets (default: connected).
• cache—Display routing cache instead of Forwarding Information Base (FIB).
• continuous—Continuous listing.
• extend—Display other/more information.
• fib—Display FIB (default).
• groups—Display multicast group memberships.
• interfaces—Display interface table.
• listening—Display listening server sockets.
• numeric—Do not resolve names.
• numeric-hosts—Do not resolve host names.
• numeric-ports—Do not resolve port names.
• numeric-users—Do not resolve user names.
• programs—Display PID/Program name for sockets.
• route—Display routing table.
• statistics—Display networking statistics (like SNMP).
• symbolic—Resolve hardware names.
• timers—Display timers.
• verbose—Display full details.
no | yes Indicates whether the specified option is included in the output.

Sample Output
The following command shows an excerpt from the output of the netstat command.
username@hostname> netstat all yes
...
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 5366 /tmp/ssh-lClRtS1936/
agent.1936
unix 2 [ ] DGRAM 959 @/org/kernel/udev/udevd
unix 18 [ ] DGRAM 4465 /dev/log
...

Required Privilege Level


All

ping
Check network connectivity to a host.

Syntax
ping [bypass-routing] [count] [do-not-fragment] [inet] [interval] [no-resolve]
[pattern] [size] [source] [tos] [ttl] [verbose] host

Options
bypass-routing Sends the ping request directly to the host on a directly attached network,
bypassing the usual routing table.
count Specifies the number of ping requests to be sent.
do-not-fragment Prevents packet fragmentation by setting the do-not-fragment bit in the
packet’s IP header.
inet Specifies that the ping packets will use IP version 4.
interval Specifies how often the ping packets are sent (0 to 2000000000 seconds).
no-resolve Provides IP addresses only, without resolving them to host names.
pattern Specifies a custom string to include in the ping request. You can specify up to
12 padding bytes to fill out the packet that is sent, as an aid in diagnosing
data-dependent problems.
size Specifies the size of the ping packets.
source Specifies the source IP address for the ping command.
tos Specifies the type of service (TOS) treatment for the packets by way of the TOS
bits in the IP header of the ping packet.
ttl Specifies the time-to-live (TTL) value for the ping packet (IPv6 hop-limit
value) (0-255 hops).
verbose Requests complete details of the ping request.
host Specifies the host name or IP address of the remote host.

Sample Output
The following command checks network connectivity to the host 66.102.7.104, specifying 4
ping packets and complete details of the transmission.
username@hostname> ping count 4 verbose 66.102.7.104
PING 66.102.7.104 (66.102.7.104) 56(84) bytes of data.
64 bytes from 66.102.7.104: icmp_seq=0 ttl=243 time=316 ms
64 bytes from 66.102.7.104: icmp_seq=1 ttl=243 time=476 ms
64 bytes from 66.102.7.104: icmp_seq=2 ttl=243 time=376 ms
64 bytes from 66.102.7.104: icmp_seq=3 ttl=243 time=201 ms

--- 66.102.7.104 ping statistics ---


4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 201.718/342.816/476.595/99.521 ms, pipe 2

username@hostname>
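The summary lines printed above have a fixed shape, which makes them easy to turn into structured data when connectivity checks are scripted from a jump host. As an added example that is not code from the PAN-OS reference, the following Python parses the page's own sample output and a second, constructed output in which one reply was lost, and exposes two checks a troubleshooter typically wants: which sequence numbers never came back, and whether the TTL changed during the run (a sign that the path changed). The class and function names are the example's own.

```python
"""Parse PAN-OS 'ping' output into structured data.

Added example, not code from the PAN-OS CLI reference.  SAMPLE_PING_OUTPUT is
the output shown on this page for 'ping count 4 verbose 66.102.7.104';
LOSSY_OUTPUT is constructed to show what a reply gap looks like.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

SAMPLE_PING_OUTPUT = """\
PING 66.102.7.104 (66.102.7.104) 56(84) bytes of data.
64 bytes from 66.102.7.104: icmp_seq=0 ttl=243 time=316 ms
64 bytes from 66.102.7.104: icmp_seq=1 ttl=243 time=476 ms
64 bytes from 66.102.7.104: icmp_seq=2 ttl=243 time=376 ms
64 bytes from 66.102.7.104: icmp_seq=3 ttl=243 time=201 ms

--- 66.102.7.104 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 201.718/342.816/476.595/99.521 ms, pipe 2
"""

# Constructed: the reply for icmp_seq=1 never arrived.
LOSSY_OUTPUT = """\
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=0 ttl=64 time=1.2 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=64 time=1.4 ms

--- 192.0.2.10 ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.200/1.300/1.400/0.100 ms
"""

_HEADER = re.compile(r"^PING (\S+) \((\S+)\)")
_REPLY = re.compile(r"^\d+ bytes from (\S+): icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
_STATS = re.compile(r"^(\d+) packets transmitted, (\d+) received, ([\d.]+)% packet loss")
_RTT = re.compile(r"^rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")


@dataclass
class PingReply:
    seq: int
    ttl: int
    rtt_ms: float


@dataclass
class PingResult:
    target: str
    replies: List[PingReply] = field(default_factory=list)
    transmitted: int = 0
    received: int = 0
    loss_pct: float = 0.0
    rtt_min: Optional[float] = None
    rtt_avg: Optional[float] = None
    rtt_max: Optional[float] = None
    rtt_mdev: Optional[float] = None

    def missing_sequences(self) -> List[int]:
        """Sequence numbers that were sent but never answered."""
        seen = {r.seq for r in self.replies}
        return [s for s in range(self.transmitted) if s not in seen]

    def ttl_values(self) -> Set[int]:
        """Distinct TTLs seen; more than one suggests the path changed mid-run."""
        return {r.ttl for r in self.replies}


def parse_ping(text: str) -> PingResult:
    """Parse the reply lines and the trailing statistics block."""
    result = PingResult(target="")
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            result.target = m.group(2)      # the resolved address in parentheses
            continue
        m = _REPLY.match(line)
        if m:
            result.replies.append(PingReply(int(m.group(2)), int(m.group(3)), float(m.group(4))))
            continue
        m = _STATS.match(line)
        if m:
            result.transmitted, result.received = int(m.group(1)), int(m.group(2))
            result.loss_pct = float(m.group(3))
            continue
        m = _RTT.match(line)
        if m:
            result.rtt_min, result.rtt_avg, result.rtt_max, result.rtt_mdev = map(float, m.groups())
    if not result.target:
        raise ValueError("no PING header line found")
    return result
```

The parser raises on input that is not ping output rather than returning an empty result, so a script that feeds it captured CLI text fails loudly if the capture was truncated or the command printed an error instead.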

Required Privilege Level


superuser, vsysadmin, deviceadmin

quit
Exit the current session for the firewall.

Note: The quit command is the same as the exit command.

Syntax
quit

Options
None

Sample Output
N/A

Required Privilege Level


All

request certificate
Generate a self-signed security certificate.

Syntax
request certificate [install for-use-by purpose | self-signed option
for-use-by purpose]

Options
install Installs the generated certificate.
self-signed Generates the self-signed certificate.
option Specifies information to include in the certificate. Multiple options are
supported.

  country-code        Two-character code for the country in which the certificate will be used.
  email               Email address of the contact person.
  locality            City, campus, or other local area.
  nbits value         Number of bits in the certificate (512 or 1024).
  organization        Organization using the certificate.
  organization-unit   Department using the certificate.
  state               Two-character code for the state or province in which the certificate
                      will be used.
  name                IP address or fully qualified domain name (FQDN) to appear on the
                      certificate.
  passphrase          Passphrase for encrypting the private key.

purpose Requests the certificate for the specified purpose.

  panorama-server     Panorama server machine (used by Panorama to communicate with managed
                      devices).
  web-interface       Embedded web interface.

Sample Output
The following command requests a self-signed certificate for the web interface with length
1024 and IP address 1.1.1.1.
username@hostname> request certificate self-signed nbits 1024 name 1.1.1.1
for-use-by web-interface

Required Privilege Level


superuser, vsysadmin, deviceadmin

request comfort-page
Installs a user-defined comfort page.

Syntax
request comfort-page install option

Options
option Specifies the type of comfort page to install.

Option                  Description
application-block-page  Comfort page to be presented when an application is blocked.
file-block-page         Comfort page to be presented when files are blocked.
spyware-block-page      Comfort page to be presented when files are blocked due to spyware.
url-block-page          Comfort page to be presented when files are blocked due to a blocked URL.
virus-block-page        Comfort page to be presented when files are blocked due to a virus.

Sample Output
The following command installs an application block page.

username@hostname> request comfort-page install application-block-page

Shared application-block-page installed successfully!


username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request content
Perform application-level (content) upgrade operations.

Syntax
request content upgrade [check | download latest | info | install
latest]

Options
check Obtain information from the Palo Alto Networks server.
download latest Download application identification packages.
info Show information about the available application ID packages.
install latest Install application identification packages.

Sample Output
The following command checks the Palo Alto Networks server for available content updates and lists them.
username@hostname> request content upgrade check

Version Size Released on Downloaded

-------------------------------------------------------------------------

13-25 10MB 2007/04/19 15:25:02 yes

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request data-filtering
Assign passwords for data filtering.

Syntax
request data-filtering access-password option

Options
option Specifies one of the following options.

Option                                           Description
create password pword                            Creates the specified password.
modify old-password oldpwd new-password newpwd   Changes the specified old password to the new password.
delete                                           Deletes the data filtering password. When this command is
                                                 issued, the system prompts for confirmation and warns that
                                                 logged data will be deleted and logging will be stopped.

Sample Output
The following command assigns the specified password for data filtering.
username@hostname> request data-filtering access-password create password
mypwd

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request device-registration
Perform device registration.

Syntax
request device-registration username user password pwd

Options
username user   Specify the user name for device access.
password pwd    Specify the password for device access.

Sample Output
The following command registers the device with the specified user name and password.
username@hostname> request device-registration username admin password
adminpwd

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request high-availability
Perform high-availability operations.

Syntax
request high-availability option

Options
option Specifies one of the following options.

Option                          Description
clear-alarm-led                 Clears the high-availability alarm LED.
state <functional | suspended>  Changes the state to operational (functional) or suspended.
sync-to-remote option           Performs synchronization operations:
                                • candidate-config—Synchronize the candidate configuration to the peer.
                                • clock—Synchronize the local time and date to the peer.
                                • disk-state—Synchronize required on-disk state to the peer.
                                • running-config—Synchronize the running configuration to the peer.
                                • runtime-state—Synchronize the runtime synchronization state to the peer.

Sample Output
The following command sets the high-availability state of the device to the suspended state.
username@hostname> request high-availability state suspend

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request license
Perform license-related operations.

Syntax
request license [fetch [auth-code] | info | install]

Options
fetch Gets a new license key using an authentication code.
info Displays information about currently owned licenses.
install Installs a license key.

Sample Output
The following command requests a new license key with the authentication code 123456.
username@hostname> request license fetch auth-code 123456

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request password-hash
Generate a hashed string for the user password.

Syntax
request password-hash password pwd

Options
pwd Specify the clear text password that requires the hash string.

Sample Output
The following command generates a hash of the specified password.
username@hostname> request password-hash password mypassword

$1$flhvdype$qupuRAx4SWWuZcjhxn0ED.
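The `$1$` prefix of the value shown above identifies the MD5-crypt scheme (the crypt(3) `$1$` method): an eight-character salt, a second `$`, and a 22-character digest. As an added example that is not code from the PAN-OS reference, the following Python implements that scheme so a hash taken from an exported configuration can be checked offline against a password you already know, and parses the page's sample value for its structure only (the example does not assume which password produced it). The function names are the example's own; the algorithm follows the FreeBSD/glibc `$1$` implementation.

```python
"""Offline check of a PAN-OS 'request password-hash' value.

Added example, not code from the PAN-OS CLI reference.  The '$1$' prefix in the
page's sample output is the crypt(3) MD5-crypt scheme; this implements that
scheme in pure Python so a hash from an exported configuration can be compared
with a known password without the firewall.  Function names are the example's own.
"""
import hashlib
import hmac
from typing import Tuple

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$1$"

# The page's sample output for 'request password-hash password mypassword';
# used here only to show the salt/digest structure.
PAGE_SAMPLE_HASH = "$1$flhvdype$qupuRAx4SWWuZcjhxn0ED."


def _to64(value: int, count: int) -> bytes:
    """crypt(3) base-64 variant: low 6 bits first, alphabet ./0-9A-Za-z."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-crypt as in the FreeBSD/glibc '$1$' implementation (salt max 8 bytes)."""
    salt = salt[:8]
    ctx = hashlib.md5(password + _MAGIC + salt)
    alternate = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                       # feed the alternate sum, 16 bytes per chunk
        ctx.update(alternate[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits > 0:                            # one byte per bit of the password length
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000-round stretching
        round_ctx = hashlib.md5()
        round_ctx.update(password if i & 1 else final)
        if i % 3:
            round_ctx.update(salt)
        if i % 7:
            round_ctx.update(password)
        round_ctx.update(final if i & 1 else password)
        final = round_ctx.digest()
    encoded = b"".join([                       # the scheme's fixed byte permutation
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (_MAGIC + salt + b"$" + encoded).decode("ascii")


def parse_md5_crypt(hash_string: str) -> Tuple[str, str]:
    """Split '$1$salt$digest' into (salt, digest); reject anything else."""
    parts = hash_string.split("$")             # expect ['', '1', salt, digest]
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not an MD5-crypt ($1$) hash")
    salt, digest = parts[2], parts[3]
    alphabet = _ITOA64.decode("ascii")
    if (not 1 <= len(salt) <= 8 or len(digest) != 22
            or any(c not in alphabet for c in salt + digest)):
        raise ValueError("malformed MD5-crypt hash")
    return salt, digest


def verify(hash_string: str, password: str) -> bool:
    """True if the password reproduces the hash; constant-time comparison."""
    salt, _ = parse_md5_crypt(hash_string)
    candidate = md5_crypt(password.encode("utf-8"), salt.encode("ascii"))
    return hmac.compare_digest(candidate.encode("ascii"), hash_string.encode("ascii"))
```

MD5-crypt is a fixed 1000 rounds of MD5 and is cheap to compute on modern hardware, so a `$1$` value in a configuration export should be handled as sensitive material (restrict who can read exported configurations and tech-support bundles) rather than relied on as strong protection for the password behind it.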

Required Privilege Level


superuser, vsysadmin, deviceadmin

request restart
Restart the system or software modules.

CAUTION: Using this command causes the firewall to reboot, resulting in the
temporary disruption of network traffic. Unsaved or uncommitted changes will be
lost.

Syntax
request restart [dataplane | software | system]

Options
dataplane Restarts the dataplane software.
software Restarts all system software.
system Reboots the system.

Sample Output
The following command restarts all the firewall software.
username@hostname> request restart software

Required Privilege Level


superuser, vsysadmin, deviceadmin

request ssl-optout-text
Install user-defined Secure Socket Layer (SSL) opt-out text.

Syntax
request ssl-optout-text install

Options
None

Sample Output
The following command installs the SSL opt-out text.
username@hostname> request ssl-optout-text install

Shared ssl optout text installed successfully!

Required Privilege Level


superuser, vsysadmin, deviceadmin

request ssl-vpn
Forces logout from a Secure Socket Layer (SSL) virtual private network (VPN) session.

Syntax
request ssl-vpn client-logout option

Options
option Specify the following required options:
• portal—Specify the SSL VPN portal name.
• domain—Specify the user’s domain name.
• reason force-logout—Specify to indicate that the logout is administrator-initiated.
• user—Specify the user name.

Sample Output
The following command forces a logout of the specified user.
username@hostname> request ssl-vpn client-logout domain paloaltonetworks.com
portal sslportal user ssmith reason force-logout

Required Privilege Level


superuser, vsysadmin, deviceadmin

request support
Obtain technical support information.

Syntax
request support [check | info]

Options
check Get support information from the Palo Alto Networks update server.
info Show downloaded support information.

Sample Output
The following command shows downloaded support information.
username@hostname> request support info
0
Support Home
https://support.paloaltonetworks.com
Manage Cases
https://support.paloaltonetworks.com/pa-portal/index.php?option=com_pan&task=viewcases&Itemid=100
Download User Identification Agent
https://support.paloaltonetworks.com/pa-portal/index.php?option=com_pan&task=sw_updates&Itemid=135
866-898-9087
support@paloaltonetworks.com
November 07, 2009
Standard
10 x 5 phone support; repair and replace hardware service

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request system
Download system software or request information about the available software packages.

Syntax
request system [factory-reset | software [check | download [file | version] name
| info | install [file | version] name]]

Options
check Gets information from the Palo Alto Networks server.
download Downloads software packages.
info Shows information about the available software packages.
install Installs a downloaded software package.

Sample Output
The following command requests information about the software packages that are available
for download.
username@hostname> request system software info

Version     Filename                  Size   Released             Downloaded
-------------------------------------------------------------------------
1.0.1       panos.4050-1.0.1.tar.gz   127MB  2007/02/07 00:00:00  no
1.0.2       panos.4050-1.0.2.tar.gz   127MB  2007/02/07 00:00:00  no
1.0.0-20    PANOS-QA-20.tar.gz        122MB  2007/02/13 00:00:00  no
1.0.0-1746  PANOS-DEV-1746.tgz        122MB  2007/02/13 00:00:00  no

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request tech-support
Obtain information to assist technical support in troubleshooting.

Syntax
request tech-support dump

Options
None

Sample Output
The following command creates a dump for technical support.
username@hostname> request tech-support dump

Exec job enqueued with jobid 1


1

Required Privilege Level


superuser, vsysadmin, deviceadmin

request url-filtering
Perform URL filtering operations.

Syntax
request url-filtering option

Options
upgrade          Upgrade to the latest version. Optionally specify brightcloud to update the
                 BrightCloud database.
download status  Show the status of the information download for URL filtering.

Sample Output
The following command upgrades the BrightCloud database.
username@hostname> request url-filtering upgrade brightcloud

Required Privilege Level


superuser, vsysadmin, deviceadmin

request vpn-client
Perform VPN client package operations.

Syntax
request vpn-client software option

Options
check Obtain information from the Palo Alto Networks server.
download Download software packages. Specify one of the following:
• file—Name of the file containing the software package.
• version—Specified software version.
info Show downloaded support information.
install Install the software as specified:
• file—Name of the file containing the software package.
• version—Specified software version.

Sample Output
The following command displays information about the available software packages.
username@hostname> request vpn-client software info

Version Size Released on Downloaded


-------------------------------------------------------------------------
1.0.0-c54 916KB 2009/03/04 15:04:33 no
1.0.0-c53 916KB 2009/03/04 14:09:17 no
1.0.0-c52 916KB 2009/03/04 11:49:51 no
1.0.0-c51 916KB 2009/03/03 16:45:38 no

Required Privilege Level


superuser, vsysadmin, deviceadmin

scp
Copy files between the firewall and another host. Enables downloading of a customizable
HTML replacement message (comfort page) in place of a malware-infected file.

Syntax
scp export export-option [control-plane | data-plane] to target from source
[remote-port portnumber] [source-ip address]

scp import import-option [source-ip address] [remote-port portnumber] from source

Options
export export-option Specifies the type of file to export to the other host.

  Option                     Description
  application                Application packet capture file.
  captive-portal-text        Text to be included in a captive portal.
  configuration              Configuration file.
  core-file                  Core file.
  debug pcap                 IKE negotiation packet capture file.
  file-block-page            File containing comfort pages to be presented when files are blocked.
  filter                     Filter definitions.
  log-file                   Log files.
  log-db                     Log database.
  packet-log                 Logs of packet data.
  spyware-block-page         Comfort page to be presented when files are blocked due to spyware.
  ssl-optout-text            SSL optout text.
  tech-support               Technical support information.
  trusted-ca-certificate     Certificate Authority (CA) security certificate.
  url-block-page             Comfort page to be presented when files are blocked due to a blocked URL.
  virus-block-page           Comfort page to be presented when files are blocked due to a virus.
  web-interface-certificate  Web interface certificate.

import import-option Specifies the type of file to import from the other host.

  Option                     Description
  application                Application packet capture file.
  captive-portal-text        Text to be included in a captive portal.
  configuration              Configuration file.
  core-file                  Core file.
  file-block-page            File containing comfort pages to be presented when files are blocked.
  filter                     Filter definitions.
  ike-pcapc-file             IKE negotiation packet capture file.
  log-file                   Log files.
  log-db                     Log database.
  packet-log                 Logs of packet data.
  spyware-block-page         Comfort page to be presented when files are blocked due to spyware.
  ssl-optout-text            SSL optout text.
  tech-support               Technical support information.
  trusted-ca-certificate     Certificate Authority (CA) security certificate.
  url-block-page             Comfort page to be presented when files are blocked due to a blocked URL.

control-plane           Indicates that the file contains control information.
data-plane              Indicates that the file contains information about data traffic.
remote-port portnumber  Specifies the port number on the remote host.
source-ip address       Specifies the source IP address.
to                      Specifies the destination user in the format username@host:path.
from                    Specifies the source user in the format username@host:path.

Sample Output
The following command imports an SSL certificate file from user1's account on the host with
IP address 10.0.3.4.
username@hostname> scp import ssl-certificate from user1@10.0.3.4:/tmp/certificatefile

Required Privilege Level


superuser, vsysadmin, deviceadmin


set application
Set parameters for system behavior when applications are blocked.

Syntax
set application option

Options
cache <yes | no>          Enables (yes) or disables (no) the application cache.
dump <off | on option>    Enables (on) or disables (off) the application packet capture. The
                          following options determine the contents of the dump:
• application—Specified application.
• destination—Destination IP address of the session.
• destination-user—Destination user.
• destination-port—Destination port.
• zone—Specified zone.
• protocol—Specified protocol.
• limit—Maximum number of sessions to capture.
• source—Source IP address for the session.
• source-user—Specified source user.
• source-port—Specified source port.
dump-unknown <yes | no>   Enables (yes) or disables (no) capture of unknown applications.
heuristics <yes | no>     Enables (yes) or disables (no) heuristic detection for applications.
notify-user <yes | no>    Enables (yes) or disables (no) user notification when an application
                          is blocked.
supernode <yes | no>      Enables (yes) or disables (no) detection of supernodes for peer-to-peer
                          applications that have designated supernodes on the Internet.

Sample Output
The following command turns application packet capture off.

username@hostname> set application dump off

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set cli
Set scripting and pager options for the PAN-OS CLI.

Syntax
set cli [scripting-mode | pager | timeout [idle idle-value] [session session-value]] off | on

Options
scripting-mode Enables or disables scripting mode.
pager Enables or disables the pager.
timeout Sets administrative session timeout values.
idle-value Specifies the idle timeout (0-86400 seconds).
session-value Specifies the administrative session timeout (0-86400 seconds).
off Turns the option off.
on Turns the option on.

Sample Output
The following command turns the PAN-OS CLI pager option off.
username@hostname> set cli pager off
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set clock
Set the system date and time.

Syntax
set clock option

Options
date YYYY/MM/DD Specify the date in yyyy/mm/dd format.
time hh:mm:ss Specify the time in hh:mm:ss format (hh: 0-23, mm: 0-59, ss: 0-59).

Sample Output
The following command sets the system date and time.
username@hostname> set clock date 2009/03/20 time 14:32:00
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set ctd
Set options for the Content-based Threat Detection (CTD) engine.

Syntax
set ctd x-forwarded-for <no | yes>

Options
no Disable parsing of the x-forwarded-for attribute.
yes Enable parsing of the x-forwarded-for attribute.

Sample Output
The following command enables parsing of the attribute.
username@hostname> set ctd x-forwarded-for yes
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin
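Turning on x-forwarded-for parsing makes the firewall attribute a request to the address carried in the X-Forwarded-For header instead of to the proxy that delivered it. Whatever sent the request wrote that header, so only the hops appended by proxies you operate are meaningful; the rest must be ignored or the attribution in your logs and policy is attacker-chosen. The following Python is an added example of that parsing rule, written for this page; it is not PAN-OS code, and TRUSTED_PROXIES is a constructed assumption.

```python
"""Client-address recovery from X-Forwarded-For.

Added example for this page, not PAN-OS code.  TRUSTED_PROXIES is a
constructed assumption: the proxies whose forwarding hops we are willing
to believe.
"""
import ipaddress
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed assumption: only hops appended by these proxies are trusted.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.5/32"),
]


def is_trusted(ip: IPAddr) -> bool:
    """True when the address belongs to one of our own proxies."""
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_xff(header: str) -> List[Optional[IPAddr]]:
    """Split the header into addresses, left (oldest hop) to right (newest).

    Entries that do not parse become None so the caller can see where the
    chain stops being trustworthy instead of silently skipping them.
    """
    hops: List[Optional[IPAddr]] = []
    for raw in header.split(","):
        token = raw.strip()
        if not token:
            continue
        # Some proxies write IPv4 as "address:port"; drop the port.
        if token.count(":") == 1:
            token = token.split(":", 1)[0]
        try:
            hops.append(ipaddress.ip_address(token))
        except ValueError:
            hops.append(None)
    return hops


def client_ip(peer: str, xff: Optional[str]) -> str:
    """Return the address a log entry or policy lookup should attribute to.

    The chain is walked from the newest hop backwards.  Each hop we skip
    must itself be a trusted proxy; the first address that is not one of
    ours is the client.  If the TCP peer is not a trusted proxy, the header
    is ignored entirely: anyone can put any text into it.
    """
    peer_ip = ipaddress.ip_address(peer)
    if not xff or not is_trusted(peer_ip):
        return str(peer_ip)
    chain = parse_xff(xff)
    for hop in reversed(chain):
        if hop is None:
            # Malformed entry: stop walking and fall back to the peer.
            return str(peer_ip)
        if not is_trusted(hop):
            return str(hop)
    # Every hop was one of our proxies; the leftmost is the best we have.
    return str(chain[0]) if chain else str(peer_ip)
```

The walk is right to left on purpose: a client can prepend any number of fake addresses on the left, but it cannot remove the hop a trusted proxy appends on the right, so the first untrusted address found from the right is the one the nearest trusted proxy actually talked to.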


set data-access-password
Set the access password for the data filtering logs.

Syntax
set data-access-password pwd

Options
pwd Specifies the password.

Sample Output
The following command sets the password for data filtering logs.
username@hostname> set data-access-password 12345678
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set logging
Set logging options for traffic and event logging.

Syntax
set logging option value

Options
default                      Restores all log settings to the default values.
log-suppression <yes | no>   Enables (yes) or disables (no) suppression of log information.
max-packet-rate value        Specifies the maximum packet rate (0-5120 KB/s).
max-log-rate value           Specifies the maximum logging rate (0-5120 KB/s).

Note: max-packet-rate and max-log-rate both affect the rate at which log messages
are forwarded. Generated log messages are kept in priority queues, and the log
forwarding engine forwards them according to the log and packet rates. If the
rates are set too low, the queues may build up and eventually drop log
messages.

Sample Output
The following command sets the logging rate to be a maximum of 1000 KB/second.

username@hostname> set logging max-log-rate 1000


Logging rate changed to 1000 KB/s

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin
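The note above matters for detection: a forwarding rate that cannot keep up with the generation rate does not slow the firewall down, it silently loses log entries once the queue is full. To make that concrete, the following Python models a bounded queue with two priorities, fed by a constructed burst pattern and drained at a fixed forwarding rate. It is an added example written for this page, not firewall code; the capacity, burst sizes and rates are constructed assumptions, not PAN-OS internals.

```python
"""Bounded priority log queue drained at a fixed forwarding rate.

Added example for this page, not PAN-OS code.  Capacity, burst sizes and
rates are constructed assumptions chosen to show the effect described in
the note on max-packet-rate / max-log-rate, not firewall internals.
"""
from typing import Dict, List, Tuple


def simulate_log_forwarding(bursts: List[Tuple[int, int]],
                            max_log_rate: int,
                            queue_capacity: int) -> Dict[str, int]:
    """Feed (high, low) priority message counts per tick into one bounded queue.

    Each tick: messages are generated first, then the forwarder sends up to
    max_log_rate of them, high priority before low.  When the queue is full a
    high-priority message evicts a queued low-priority one; a low-priority
    message that finds no room is dropped outright.
    """
    queued_high = queued_low = 0
    forwarded = dropped = 0
    for n_high, n_low in bursts:
        # Generation phase.
        for _ in range(n_high):
            if queued_high + queued_low >= queue_capacity:
                if queued_low == 0:
                    dropped += 1          # nothing to evict: drop the new one
                    continue
                queued_low -= 1           # evict a low-priority message
                dropped += 1
            queued_high += 1
        for _ in range(n_low):
            if queued_high + queued_low >= queue_capacity:
                dropped += 1
            else:
                queued_low += 1
        # Forwarding phase, high priority first.
        budget = max_log_rate
        sent = min(queued_high, budget)
        queued_high -= sent
        budget -= sent
        forwarded += sent
        sent = min(queued_low, budget)
        queued_low -= sent
        forwarded += sent
    return {"forwarded": forwarded, "dropped": dropped,
            "queued": queued_high + queued_low}


# Constructed scenario: five ticks, each generating 20 high- and 180 low-priority
# messages (200 per tick) against a queue that holds 300.
BURST_PATTERN = [(20, 180)] * 5


def starved() -> Dict[str, int]:
    """Forwarder limited to 50 messages per tick: the queue fills and logs are lost."""
    return simulate_log_forwarding(BURST_PATTERN, max_log_rate=50, queue_capacity=300)


def keeping_up() -> Dict[str, int]:
    """Forwarder allowed 200 messages per tick: everything generated is delivered."""
    return simulate_log_forwarding(BURST_PATTERN, max_log_rate=200, queue_capacity=300)
```

In the starved case half of the 1000 generated messages are dropped and a quarter are still sitting in the queue when the burst ends; only the high-priority entries survive reliably. The same pattern with a forwarding rate that matches the generation rate loses nothing, which is the check to make after lowering max-log-rate: compare the counts your collector receives with what the firewall reports generating.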


set management-server
Set parameters for the management server, which manages configuration, reports, and
authentication for the firewall.

Syntax
set management-server option

Options
logging option Sets the following logging options:
• import-end—Exit import mode.
• import-start—Enter import mode.
• off—Disable logging.
• on—Allow logging.
unlock Specifies the serial number or software license key.

Sample Output
The following command enables logging on the management server.
username@hostname> set management-server logging on
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set multi-vsys
Enable or disable multiple virtual system functionality on the firewall.

Syntax
set multi-vsys <off | on>

Options
on Enables support for multiple virtual systems.
off Disables support for multiple virtual systems.

Sample Output
The following command enables multiple virtual system functionality on the firewall.
username@hostname> set multi-vsys on
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set panorama
Enable or disable connection between the firewall and Panorama.

Syntax
set panorama <off | on>

Options
on Enables the connection between the firewall and Panorama.
off Disables the connection between the firewall and Panorama.

Sample Output
The following command disables the connection between the firewall and Panorama.
username@hostname> set panorama off
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set password
Set the firewall password. When you issue this command, the system prompts you to enter
the old and new password and to confirm the new password.

Syntax
set password

Options
None

Sample Output
The following example shows how to reset the firewall password.
username@hostname> set password
Enter old password : (enter the old password)
Enter new password : (enter the new password)
Confirm password : (reenter the new password)

Password changed

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set proxy
Sets the proxy parameter. The firewall can act as a proxy for the client, as a forward proxy for
outbound traffic, and as an inbound proxy for traffic coming to the clients.

Syntax
set proxy option

Options
answer-timeout Sets the timeout value for communication with the proxy server
(1-86400 seconds).
notify-user <yes | no> Enables or disables the user notification web page.

skip-proxy <yes | no> Disables or enables the proxy function.


skip-ssl <yes | no> Disables or enables Secure Socket Layer (SSL) decryption.

Sample Output
The following command disables SSL decryption.
username@hostname> set proxy skip-ssl yes
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set serial-number
(Panorama™ only) Configure the serial number of the Panorama machine. The serial number
must be set for Panorama to connect to the update server.

Syntax
set serial-number value

Options
value Specifies the serial number or software license key.

Sample Output
The following command sets the Panorama serial number to 123456.
username@hostname> set serial-number 123456
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set session
Set parameters for the networking session.

Syntax
set session [default | item value]

Options
default       Restores all session settings to the default values.
item value    Specifies the session parameter and the value to set:

    Option                             Value                Description
    accelerated-aging-enable           no | yes             Enables or disables accelerated session aging.
    accelerated-aging-scaling-factor   Power of 2           Sets the accelerated session aging scaling factor (power of 2).
    accelerated-aging-threshold        Power of 2 (1-100)   Sets the accelerated aging threshold as a percentage of session utilization.
    offload                            no | yes             Enables or disables hardware session offload. Some firewall models have
                                                            specialized hardware to manage TCP, UDP, and ICMP sessions; this option
                                                            enables or disables that capability. If it is disabled, the firewall
                                                            software manages the sessions.
    tcp-reject-non-syn                 no | yes             Rejects non-synchronized TCP packets for session setup.
    timeout-default                    Number of seconds    Sets the session default timeout value in seconds.
    timeout-icmp                       1-15999999           Sets the session timeout value for ICMP sessions.
    timeout-tcp                        1-15999999           Sets the session timeout value for TCP sessions.
    timeout-tcpinit                    Number of seconds    Sets the initial TCP timeout value in seconds.
    timeout-tcpwait                    Number of seconds    Sets the session TCP wait timeout value in seconds.
    timeout-udp                        1-15999999           Sets the session timeout value for UDP sessions.


Sample Output
The following command sets the session TCP wait timeout to 1 second.
username@hostname> set session timeout-tcpwait 1
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set shared-policy
Set shared policy management behavior with Panorama.

Syntax
set shared-policy option

Options
disable                         Disables Panorama shared policy management.
enable                          Enables Panorama shared policy management.
import-and-disable <yes | no>   Imports and then disallows shared policies.

Sample Output
The following command enables shared policies with Panorama.
username@hostname> set shared-policy enable
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set ssl-vpn
Enable Secure Socket Layer (SSL) virtual private network (VPN) for a specified user.

Syntax
set ssl-vpn unlock auth-profile profilename user uname vsys vsysname

Options
profilename Specifies the authentication profile that applies to the user.
uname Specifies the name of the user.
vsysname Specifies the name of the target virtual system.

Sample Output
The following command applies an authentication profile, user and virtual system for SSL-
VPN access.
username@hostname> set ssl-vpn auth-profile profile_1 user ssmith vsysname vsys_a

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set target-vsys
Sets the target virtual system.

Note: When the target virtual system is set, the CLI prompt incorporates the vsys
name. In this mode, if any command is executed, it executes for the vsys, if possible.
For example, if you use secure copy to import or export a comfort page, the page is
imported or exported for the vsys. Commands that are not virtual-system-specific
continue to work normally.

Syntax
set target-vsys vsys

Options
vsys Specifies the name of the target virtual system.

Sample Output
The following command sets the target virtual system to vsys1.
username@hostname> set target-vsys vsys1
Session target vsys changed to vsys1

username@hostname vsys1>>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set ts-agent
Sets the Terminal Services (TS) agent parameters.

Syntax
set ts-agent name name ip-address ipaddr port portnum ip-list iplist

Options
name Specifies the user name.
ipaddr Specifies the IP address of the Windows PC on which the TS agent is installed. You can
also specify alternative IP addresses using the ip-list parameter.
portnum Specifies the port number for communication between the terminal server and the TS
agent.
iplist Specifies 0-8 additional IP addresses for Windows PCs on which the TS agent is
installed.

Sample Output
The following command sets the TS agent parameters for the user ssmith with the specified
port and IP addresses.
username@hostname> set ts-agent user ssmith ip-address 192.168.3.4 port 772 ip-list 192.168.5.5 192.168.9.3

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set url-database
Set the database for URL resolution in support of URL filtering. The available selections
depend on the URL license available on the firewall.

Syntax
set url-database dbasename

Options
dbasename Uses a database with the specified name: surfcontrol or brightcloud.

Sample Output
The following command switches the database from surfcontrol to brightcloud.
admin@PA-4050> set url-database
surfcontrol surfcontrol
<value> URL database
username@hostname> set url-database brightcloud
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


set zip
Determines whether zipped files are automatically unzipped and policies are applied to the
unzipped contents.

Syntax
set zip enable <yes | no>

Options
yes Enables automatic unzipping and inspection of zipped files.
no Disables automatic unzipping and inspection of zipped files.

Sample Output
The following command enables automatic unzipping and inspection of zipped files.
username@hostname> set zip enable yes

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show admins
Display information about the active firewall administrators.

Syntax
show admins [all]

Options
all Lists the names of all administrators.

Sample Output
The following command displays administrator information for the 10.0.0.32 firewall.
username@hostname> show admins | match 10.0.0

Admin From Type Session-start Idle-for


--------------------------------------------------------------------------
admin 10.0.0.132 Web 02/19 09:33:07 00:00:12s

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show arp
Shows current Address Resolution Protocol (ARP) entries.

Syntax
show arp interface

Options
interface      Specifies the interface for which the ARP table is displayed:
  all            Shows information for all ARP tables.
  ethernetn/m    Shows information for the specified interface.
  loopback       Shows loopback information.
  vlan           Shows VLAN information.

Sample Output
The following command displays ARP information for the ethernet1/1 interface.
username@hostname> show arp ethernet1/1

maximum of entries supported : 8192


default timeout: 1800 seconds
total ARP entries in table : 0
total ARP entries shown : 0
status: s - static, c - complete, i - incomplete

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show authentication
Shows authentication information.

Syntax
show authentication option

Options
option Specifies the authentication information to show:
• allowlist—Shows the authentication allow list.
• groupdb—Lists the group authentication databases.
• groupnames—Lists the distinct group names.

Sample Output
The following command shows the list of users that are allowed to access the firewall.
username@hostname> show authentication allowlist

vsysname profilename username


---------- ----------- ----------------------------
vsys1 SSLVPN paloaltonetwork\domain users
vsys1 wtam-SSLVPN group1

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show chassis-ready
Shows whether the dataplane has a running policy.

Syntax
show chassis-ready

Options
None

Sample Output
The following command shows that the dataplane has a currently running policy.
username@hostname> show chassis-ready
yes

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show cli
Shows information about the current CLI session.

Syntax
show cli info

Options
None

Sample Output
The following command shows information about the current CLI session.
username@hostname> show cli info
Process ID : 2045
Pager : enabled
Vsys configuration mode : disabled

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show clock
Shows the current time on the firewall.

Syntax
show clock

Options
None

Sample Output
The following command shows the current time.
username@hostname> show clock

Sun Feb 18 10:49:31 PST 2007

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show config
Shows the active configuration.

Syntax
show config

Options
None

Sample Output
The following command shows the configuration lines that pertain to VLANs.
username@hostname> show config | match vlan
vlan {
vlan;

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show counter
Display system counter information.

Syntax
show counter [global | interface]

Options
global Shows global system counter information.
interface Shows system counter information grouped by interface.

Sample Output
The following command displays system counter information grouped by interface.
username@hostname> show counter interface

hardware interface counters:


------------------------------------------------------------------------

interface: ethernet1/1
------------------------------------------------------------------------
bytes received 0
bytes transmitted 0
packets received 0
packets transmitted 0
receive errors 0
packets dropped 0
------------------------------------------------------------------------

...

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show ctd
Show the threat signature information on the system.

Syntax
show ctd threat threat_id application appid profile pfid

Options
threat threat_id     Uniquely identifies the threat.
application appid    Identifies the application for which the threat action is shown.
profile pfid         Identifies the profile.

Sample Output
The following command shows an example with the default threat action.
username@hostname> show ctd threat 100000 application 109 profile 1
Profile 1 appid 109 , action 0
action 0 means "default" action.

The following command shows an example with no threat action.
admin@PA-HDF> show ctd threat 100000 application 108 profile 1
Profile 1 appid 108 , action ffff
action "ffff" means "no" action.
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show device
(Panorama only) Show the state of managed devices.

Syntax
show devices [all | connected]

Options
all Shows information for all managed devices.
connected Shows information for all connected devices.

Sample Output
The following command shows information for connected devices.
username@hostname> show devices connected

Serial Hostname IP Connected


--------------------------------------------------------------------------
PA04070001 pan-mgmt2 10.1.7.2 yes
last push state: none

username@hostname>

Required Privilege Level


superuser, superuser (read only), Panorama admin


show device-messages
(Panorama only) Show information on the policy messages for devices.

Syntax
show device-messages [device] [group]

Options
device Shows the messages only for the specified device.
group Shows the messages only for the specified device group.

Sample Output
The following command shows the device messages for the device pan-mgmt2 and the group
dg1.
username@hostname> show device-messages device pan-mgmt2 group dg1

username@hostname>

Required Privilege Level


superuser, superuser (read only), Panorama admin


show devicegroups
(Panorama only) Show information on device groups.

Syntax
show devicegroups [name]

Options
name Shows the information only for the specified device group.

Sample Output
The following command shows information for the device group dg1.
username@hostname> show devicegroups dg1
==========================================================================
Group: dg3 Shared policy md5sum:dfc61be308c23e54e5cde039689e9d46

Serial Hostname IP Connected


--------------------------------------------------------------------------
PA04070001 pan-mgmt2 10.1.7.2 yes
last push state: push succeeded
vsys3 shared policy md5sum:dfc61be308c23e54e5cde039689e9d46(In Sync)

username@hostname>

Required Privilege Level


superuser, superuser (read only), Panorama admin


show dhcp
Show information on Dynamic Host Configuration Protocol (DHCP) leases.

Syntax
show dhcp lease <value | all>

Options
value Identifies the interface (ethernetn/m)
all Shows all the lease information.

Sample Output
The following command shows all lease information.
username@hostname> show dhcp all
interface: ethernet1/9
ip mac expire
66.66.66.1 00:15:c5:60:a5:b0 Tue Mar 11 16:12:09 2008
66.66.66.2 00:15:c5:e1:0d:b0 Tue Mar 11 16:08:01 2008

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show high-availability
Show runtime information for the high-availability subsystem.

Syntax
show high-availability [all | control-link statistics | link-monitoring | path-monitoring | state | state-synchronization]

Options
all                        Shows all high-availability information.
control-link statistics    Shows control-link statistic information.
link-monitoring            Shows the link-monitoring state.
path-monitoring            Shows path-monitoring statistics.
state                      Shows high-availability state information.
state-synchronization      Shows state synchronization statistics.

Sample Output
The following command shows path-monitoring information for the high-availability subsystem.
username@hostname> show high-availability path-monitoring

----------------------------------------------------------------------------
path monitoring: disabled
total paths monitored: 0
----------------------------------------------------------------------------

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show interface
Display information about system interfaces.

Syntax
show interface interface

Options
interface      Specifies the interface or the kind of interface information to show:
  all            Shows information for all interfaces.
  ethernetn/m    Shows information for the specified interface.
  hardware       Shows hardware information.
  logical        Shows logical interface information.
  loopback       Shows loopback information.
  vlan           Shows VLAN information.

Sample Output
The following command displays information about the ethernet1/2 interface.
username@hostname> show interface ethernet1/2
----------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Link status:
Runtime link speed/duplex/state: auto/auto/auto
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 0:f:b7:20:2:11
Operation mode: virtual-wire
----------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Operation mode: virtual-wire
Virtual wire: default-vwire, peer interface: ethernet1/1
Interface management profile: N/A
Zone: trust, virtual system: (null)
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show jobs
Display information about current system processes.

Syntax
show jobs [all | id number | pending | processed]

Options
all Shows information for all jobs.
id number Identifies the process by number.
pending Shows recent jobs that are waiting to be executed.
processed Shows recent jobs that have been processed.

Sample Output
The following command lists jobs that have been processed in the current session.
username@hostname> show jobs processed

Enqueued ID Type Status Result Completed


--------------------------------------------------------------------------
2007/02/18 09:34:39 2 AutoCom FIN OK 2007/02/18 09:34:40
2007/02/18 09:33:00 1 AutoCom FIN FAIL 2007/02/18 09:33:54

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show local-user-db
Display information about the local user database on the firewall.

Syntax
show local-user-db [disabled <yes | no>] [username user]
[vsys vsysname]

Options
disabled <yes | no>    Filters the information according to whether the user accounts are
                       enabled or disabled:
• yes—Displays users that are administratively disabled.
• no—Displays users that are administratively active.
username user          Shows information for the specified user.
vsys vsysname          Shows information for the specified virtual system.

Sample Output
The following command lists the local user database.
username@hostname> show local-user-db

Vsys User Disabled

vsys1 user1 no
vsys1 user2 no

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show location
Show the geographic location of a firewall.

Syntax
show location ip address

Options
address Specifies the IP address of the firewall.

Sample Output
The following command shows location information for the firewall 10.1.1.1.
username@hostname> show location ip 10.1.1.1
show location ip 201.52.0.0
201.52.0.0

Brazil
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show log
Display system logs.

Syntax
show log [threat | config | system | traffic] [equal | not-equal | greater-than-or-equal | less-than-or-equal] option value

Options
threat          Displays threat logs.
config          Displays configuration logs.
system          Displays system logs.
traffic         Displays traffic logs.
option value    Restricts the output. The available options depend on the log type keyword
                used in the command (threat, config, system, or traffic).

    Option            Description
    action            Type of alarm action (alert, allow, or drop).
    app               Application.
    client            Type of client (CLI or web).
    command           Command.
    dport             Destination port.
    dst               Destination IP address.
    from              Source zone.
    receive-time in   Time interval in which the information was received.
    result            Result of the action (failed, succeeded, or unauthorized).
    rule              Rule name.
    severity          Level of importance (critical, high, medium, low, or informational).
    sport             Source port.
    src               Source IP address.
    to                Destination zone.

equal                   Matches entries in which the option is equal to the specified value.
not-equal               Matches entries in which the option is not equal to the specified value.
greater-than-or-equal   Matches entries in which the option is greater than or equal to the specified value.
less-than-or-equal      Matches entries in which the option is less than or equal to the specified value.


Sample Output
The following command shows the configuration log.
username@hostname> show log config
Time Host Command Admin Client Result
===============================================================================
03/05 22:04:16 10.0.0.135 edit admin Web Succeeded
03/05 22:03:22 10.0.0.135 edit admin Web Succeeded
03/05 22:03:22 10.0.0.135 create admin Web Succeeded
03/05 21:56:58 10.0.0.135 edit admin Web Succeeded
...

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader
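As an added example of the filter semantics in the options table above (written for this page, not firewall code), the following Python applies the four comparison operators to constructed threat-log records. It ranks severity by level rather than alphabetically, so that "severity greater-than-or-equal high" selects high and critical entries, and converts the CLI's textual value to an integer for numeric fields such as ports. THREAT_LOGS is a constructed sample whose field names follow the options table.

```python
"""Filter semantics of `show log <type> <option> <operator> <value>`.

Added example for this page, not firewall code.  THREAT_LOGS is a constructed
sample; the field names follow the options table above.
"""
from typing import Callable, Dict, List, Union

Value = Union[str, int]

# Severity is ordered by level, not alphabetically, so that
# "severity greater-than-or-equal high" means high and critical.
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]

# Constructed sample records (not real firewall output).
THREAT_LOGS: List[Dict[str, Value]] = [
    {"receive-time": "03/05 22:04:16", "src": "10.0.0.135", "dst": "198.51.100.7",
     "sport": 51234, "dport": 80, "app": "web-browsing", "severity": "high",
     "action": "alert", "rule": "allow-web", "from": "trust", "to": "untrust"},
    {"receive-time": "03/05 22:03:22", "src": "10.0.0.140", "dst": "198.51.100.9",
     "sport": 44120, "dport": 445, "app": "ms-ds-smb", "severity": "critical",
     "action": "drop", "rule": "block-smb-out", "from": "trust", "to": "untrust"},
    {"receive-time": "03/05 22:01:05", "src": "10.0.0.135", "dst": "10.0.0.2",
     "sport": 50001, "dport": 53, "app": "dns", "severity": "informational",
     "action": "allow", "rule": "allow-dns", "from": "trust", "to": "dmz"},
    {"receive-time": "03/05 21:56:58", "src": "10.0.0.150", "dst": "203.0.113.8",
     "sport": 39870, "dport": 8080, "app": "web-browsing", "severity": "medium",
     "action": "alert", "rule": "allow-web", "from": "trust", "to": "untrust"},
]


def _rank(value: Value) -> Value:
    """Map severities to their position so comparisons order by level."""
    if isinstance(value, str) and value in SEVERITY_ORDER:
        return SEVERITY_ORDER.index(value)
    return value


OPERATORS: Dict[str, Callable[[Value, Value], bool]] = {
    "equal": lambda a, b: a == b,
    "not-equal": lambda a, b: a != b,
    "greater-than-or-equal": lambda a, b: _rank(a) >= _rank(b),
    "less-than-or-equal": lambda a, b: _rank(a) <= _rank(b),
}


def show_log(records: List[Dict[str, Value]], option: str,
             operator: str, value: str) -> List[Dict[str, Value]]:
    """Return the records whose `option` field satisfies `operator value`.

    The value arrives from the CLI as text; it is converted to int when the
    log field is numeric (ports), so "dport greater-than-or-equal 1024" works.
    """
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator {operator!r}")
    if not records or option not in records[0]:
        raise ValueError(f"unknown option {option!r}")
    compare = OPERATORS[operator]
    matches = []
    for rec in records:
        field = rec[option]
        needle: Value = int(value) if isinstance(field, int) else value
        if compare(field, needle):
            matches.append(rec)
    return matches
```

Severity ranking is the detail worth copying into any log-triage script: sorted alphabetically, "critical" comes before "high" and "informational" before "low", so a naive string comparison would give the wrong answer for the two range operators.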


show logging
Show whether logging is enabled.

Syntax
show logging

Options
None

Sample Output
The following command shows that logging is enabled.
username@hostname> show logging

on
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader


show mac
Display MAC address information.

Syntax
show mac [value | all]

Options
value Specifies a MAC address (aa:bb:cc:dd:ee:ff format).
all Shows all MAC address entries.

Sample Output
The following command lists all current MAC address entries.
username@hostname> show mac all

maximum of entries supported : 8192


default timeout : 1800 seconds
total MAC entries in table : 4
total MAC entries shown : 4
status: s - static, c - complete, i - incomplete
vlan hw address interface status ttl
---------------------------------------------------------------------------
Vlan56 0:0:1:0:0:3 ethernet1/5 c 1087
Vlan56 0:0:1:0:0:4 ethernet1/6 c 1087
Vlan11-12 0:0:1:0:0:9 ethernet1/12 c 487
Vlan11-12 0:0:1:0:0:10 ethernet1/11 c 487

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader
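Operators who collect show mac all output from several firewalls usually want it as records rather than text, and one check worth running on those records is whether a hardware address has been learned on more than one interface, which can indicate a loop, mis-cabling, or an address being impersonated. The following Python is an added example written for this page (not PAN-OS code) that parses a constructed sample laid out like the output above, pads the firewall's unpadded hardware addresses to canonical form, verifies the row count against the "total MAC entries shown" line, and reports addresses seen on several interfaces.

```python
"""Parser for the `show mac all` table format and a duplicate-address check.

Added example for this page, not PAN-OS code.  SAMPLE_SHOW_MAC is a
constructed sample laid out like the output shown above; it is not real
firewall output.
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_SHOW_MAC = """\
maximum of entries supported : 8192
default timeout : 1800 seconds
total MAC entries in table : 5
total MAC entries shown : 5
status: s - static, c - complete, i - incomplete
vlan hw address interface status ttl
---------------------------------------------------------------------------
Vlan56 0:0:1:0:0:3 ethernet1/5 c 1087
Vlan56 0:0:1:0:0:4 ethernet1/6 c 1087
Vlan56 0:0:1:0:0:3 ethernet1/7 c 12
Vlan11-12 0:0:1:0:0:9 ethernet1/12 c 487
Vlan11-12 0:0:1:0:0:10 ethernet1/11 s 487
"""

STATUS = {"s": "static", "c": "complete", "i": "incomplete"}

# "key : number [unit]" summary lines above the table.
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<num>\d+)")
# One table row: vlan, hardware address, interface, status flag, ttl.
ENTRY_RE = re.compile(
    r"^(?P<vlan>\S+)\s+(?P<mac>[0-9A-Fa-f:]+)\s+(?P<iface>\S+)\s+"
    r"(?P<status>[sci])\s+(?P<ttl>\d+)\s*$")


def normalize_mac(mac: str) -> str:
    """Pad the firewall's unpadded form (0:f:b7:20:2:11) to 00:0f:b7:20:02:11."""
    octets = mac.split(":")
    if len(octets) != 6 or not all(1 <= len(o) <= 2 for o in octets):
        raise ValueError(f"bad hardware address {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


def parse_show_mac(text: str) -> Dict[str, object]:
    """Return {'summary': {...}, 'entries': [...], 'consistent': bool}."""
    summary: Dict[str, int] = {}
    entries: List[Dict[str, object]] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if in_table:
            m = ENTRY_RE.match(line)
            if m:
                entries.append({
                    "vlan": m["vlan"],
                    "mac": normalize_mac(m["mac"]),
                    "interface": m["iface"],
                    "status": STATUS[m["status"]],
                    "ttl": int(m["ttl"]),
                })
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["key"].strip()] = int(m["num"])
    # The firewall states how many rows it printed; make sure we saw them all.
    shown = summary.get("total MAC entries shown")
    consistent = shown is None or shown == len(entries)
    return {"summary": summary, "entries": entries, "consistent": consistent}


def macs_on_multiple_interfaces(entries: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Hardware addresses learned on more than one interface.

    On a switched segment one address should sit behind one port; seeing it
    on several is worth a look (loop, mis-cabling, or an impersonated address).
    """
    seen: Dict[str, set] = defaultdict(set)
    for e in entries:
        seen[e["mac"]].add(e["interface"])
    return {mac: sorted(ifaces) for mac, ifaces in seen.items() if len(ifaces) > 1}
```

The consistency flag guards against a truncated capture (a pager cut-off or a session that closed mid-output): if the row count does not match what the firewall said it printed, the duplicate check is running on partial data and should not be trusted.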


show management-clients
Show information about internal management server clients.

Syntax
show management-clients

Options
None

Sample Output
The following command shows information about the internal management server clients.
username@hostname> show management-clients

Client PRI State Progress
-------------------------------------------------------------------------
routed 30 P2-ok 100
device 20 P2-ok 100
ikemgr 10 P2-ok 100
keymgr 10 init 0 (op cmds only)
dhcpd 10 P2-ok 100
ha_agent 10 P2-ok 100
npagent 10 P2-ok 100
exampled 10 init 0 (op cmds only)

Overall status: P2-ok. Progress: 0


Warnings:
Errors:

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show multi-vsys
Show if multiple virtual system mode is set.

Syntax
show multi-vsys

Options
None

Sample Output
The following command shows the current status of multiple virtual systems.
username@hostname> show multi-vsys

on

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show pan-agent
Show statistics or user information for the Palo Alto Networks agent.

Syntax
show pan-agent <statistics | user-IDs>

Options
statistics Displays full information about the Palo Alto Networks agent.
user-IDs Displays user information for the Palo Alto Networks agent.

Sample Output
The following command shows information about the Palo Alto Networks agent.
username@hostname> show pan-agent statistics

IP Address Port Vsys State Users Grps IPs Received Pkts
----------------------------------------------------------------------------
10.0.0.100 2011 vsys1 connected, ok 134 77 95 5757
10.1.200.22 2009 vsys1 connected, ok 5 864 2 1097

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show pan-ntlm-agent
Display status information about the Palo Alto Networks user identification agent for NT
LAN Manager (NTLM). The firewall uses the user identification agent to provide Microsoft
NTLM authentication for the captive portal.

Syntax
show pan-ntlm-agent statistics

Options
None

Sample Output
The following command displays information about the NTLM agent.
username@hostname> show pan-ntlm-agent statistics

IP Address Port Vsys State
----------------------------------------------------
10.16.3.249 2010 vsys1 trying to connect

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

show proxy
Displays information about the proxy that is used for the Secure Socket Layer (SSL)
decryption function.

Syntax
show proxy [certificate-cache | notify-cache | setting]

Options
certificate-cache Displays the proxy certificate cache.
notify-cache Displays the proxy notification cache.
setting Displays the current proxy settings.

Sample Output
The following command shows the current proxy settings.
username@hostname> show proxy setting

Ready: no
Enable proxy: yes
Enable ssl: yes
Notify user: yes

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show query
Show information about query jobs.

Syntax
show query <jobs | id value>

Options
jobs Displays all job information.
id value Displays job information for the specified ID.

Sample Output
The following command shows information about all current query jobs.
username@hostname> show query jobs
Enqueued ID Last Upd
--------------------------------------------------------------------------
13:58:19 16 13:58:19

Type ID Dequeued?
-----------------------------------------------------

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show report
Displays information about process jobs.

Syntax
show report [id number | jobs]

Options
id number Displays information about the job with the specified ID number.
jobs Displays information on all jobs.

Sample Output
The following command shows the current jobs.
username@hostname> show report jobs

Enqueued ID Last Updated dev/skip/req/resp/proc
--------------------------------------------------------------------------

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show routing
Display routing run-time objects.

Syntax
show routing fib [virtual-router name]

show routing protocol [virtual-router name] ospf <area | dumplsdb | interface | lsdb | neighbor | summary | virt-link | virt-neighbor>

show routing protocol [virtual-router name] redist <all | ospf | rip>

show routing protocol [virtual-router name] rip <database | interface | peer | summary>

show routing resource

show routing route [destination ip/netmask] [interface interfacename] [nexthop ip/netmask] [type <connect | ospf | rip | static>] [virtual-router name]

show routing summary [virtual-router name]

Options
fib Shows forwarding table entries. Specify an individual virtual router or all.
protocol ospf Shows OSPF information. Specify one of the following (virtual router is optional).
area Shows OSPF area status.
dumplsdb Shows the OSPF LS database details.
interface Shows OSPF interface status.
lsdb Shows the LS database status.
neighbor Shows neighbor status.
summary Shows OSPF summary status.
virt-link Shows status of virtual links.
virt-neighbor Shows OSPF virtual neighbor status.

protocol redist Shows redistribution rule entries. Specify one of the following (virtual router is optional).
ospf Shows OSPF rules.
rip Shows RIP rules.
all Shows all redistribution rules.

protocol rip Shows RIP information. Specify one of the following options (virtual router is optional).
database Shows the RIP route database.
interface Shows RIP interface status.
peer Shows RIP peer status.
summary Shows the RIP summary information.

resource Shows resource usage.

route Shows route entries. Optionally specify any of the following options.
destination Restricts the result to a specified subnet (IP address/mask).
interface Restricts the result to a specified network interface.
nexthop Restricts the result to the next hop from the firewall (IP address/mask).
type Restricts the result according to the type of route: connect (connected and host routes), ospf, rip, or static.
virtual-router Restricts the result to a specified virtual router.

summary Shows summary information.

Sample Output
The following command shows summary routing information for the virtual router vr1.
username@hostname> show routing summary virtual-router vr1

VIRTUAL ROUTER: vr1 (id 1)
==========
OSPF
area id: 0.0.0.0
interface: 192.168.6.254
interface: 200.1.1.2
dynamic neighbors:
IP 200.1.1.1 ID 200.1.1.1
area id: 1.1.1.1
interface: 1.1.1.1
interface: 1.1.2.1
interface: 1.1.3.1
interface: 2.1.1.1
static neighbor: IP 65.54.5.33 ID *down*
static neighbor: IP 65.54.77.88 ID *down*
interface: 22.22.22.22
interface: 35.1.15.40
interface: 192.168.7.254
dynamic neighbors:
IP 35.1.15.1 ID 35.35.35.35
==========
RIP
interface: 2.1.1.1

interface: 22.22.22.22
interface: 35.1.15.40
interface: 192.168.6.254
interface: 200.1.1.2
==========
INTERFACE
==========
interface name: ethernet1/1
interface index: 16
virtual router: vr1
operation status: up
IPv4 address: 22.22.22.22/24
IPv4 address: 35.1.15.40/24
==========
interface name: ethernet1/3
interface index: 18
virtual router: vr1
operation status: up
IPv4 address: 200.1.1.2/24
==========
interface name: ethernet1/7
interface index: 22
virtual router: vr1
operation status: up
IPv4 address: 1.1.1.1/24
IPv4 address: 1.1.2.1/24
IPv4 address: 1.1.3.1/24
==========
interface name: ethernet1/15
interface index: 30
virtual router: vr1
operation status: up
IPv4 address: 192.168.6.254/24
==========
interface name: ethernet1/16
interface index: 31
virtual router: vr1
operation status: up
IPv4 address: 192.168.7.254/24
==========
interface name: ethernet1/18
interface index: 33
virtual router: vr1
operation status: down
IPv4 address: 2.1.1.1/24

username@hostname>

The following command shows dynamic routing protocol information for RIP.
username@hostname> show routing protocol rip summary

==========
virtual router: vr1
reject default route: yes
interval seconds: 1
update intervals: 30
expire intervals: 180
delete intervals: 120
interface: 2.1.1.1
interface: 22.22.22.22
interface: 35.1.15.40
interface: 192.168.6.254
interface: 200.1.1.2
==========
virtual router: newr
reject default route: yes
interval seconds: 1
update intervals: 30
expire intervals: 180
delete intervals: 120
interface: 0.0.0.0
interface: 30.30.30.31
interface: 151.152.153.154

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

Palo Alto Networks Operational Mode Commands • 153


show session

show session
Show session information.

Syntax
show session [all | info] [filter [application appname] [destination destname] [destination-port destport] [destination-user destuser] [from zonename] [limit value] [protocol protnumber] [source sourcename] [source-port sourceport] [source-user sourceuser] [state state] [to zonename] [type type]]

Options
all Displays all active sessions.
info Displays session statistics.
application appname Specifies the application.
destination destname Specifies the destination IP address.
destination-port destport Specifies the destination port.
destination-user destuser Specifies the destination user name.
from zonename Specifies the source zone.
limit value Limits the number of sessions displayed.
protocol protnumber Specifies the IP protocol number (for example, 6 for TCP or 17 for UDP).
source sourcename Specifies the source IP address.
source-port sourceport Specifies the source port.
source-user sourceuser Specifies the source user name.
state state Specifies the session state to filter on (active, closed, closing, discard, initial, or opening).
to zonename Specifies the destination zone.
type type Specifies the flow type (regular or predict).

Sample Output
The following command displays summary statistics about current sessions.
username@hostname> show session info

-------------------------------------------------------------------------
number of sessions supported: 2097151
number of active sessions: 8
session table utilization: 0%
number of sessions created since system bootup: 21

---------------------------------------------------------------------------
session timeout
TCP default timeout: 3600 seconds
TCP session timeout after FIN/RST: 5 seconds
UDP default timeout: 600 seconds
ICMP default timeout: 6 seconds
other IP default timeout: 1800 seconds
----------------------------------------------------------------------------
session accelerated aging: enabled
accelerated aging threshold: 80% of utilization
scaling factor: 2 X
---------------------------------------------------------------------------
session setup
TCP - reject non-SYN first packet: yes
---------------------------------------------------------------------------

The following command lists all current sessions.


username@hostname> show session all

number of sessions: 8
ID/vsys src[sport]/zone/proto dest[dport]/zone app. state type
19 192.168.10.199[2219]/1/6 10.10.10.10[6667]/2 0 ACTIVE FLOW
20 192.168.10.191[4069]/1/6 192.168.10.199[139]/2 ms-ds-smb DISCARD FLOW
22 192.168.10.199[2261]/1/6 10.10.10.10[6667]/2 0 ACTIVE FLOW
4 192.168.10.191[138]/1/17 192.168.10.255[138]/2 netbios-dg ACTIVE FLOW
6 192.168.10.199[138]/1/17 192.168.10.255[138]/2 netbios-dg ACTIVE FLOW
21 192.168.10.199[1025]/1/17 4.2.2.1[53]/2 dns CLOSING FLOW
9 192.168.10.199[2187]/1/6 10.10.10.10[6667]/2 0 ACTIVE FLOW
13 192.168.10.199[2195]/1/6 10.10.10.10[6667]/2 0 ACTIVE FLOW
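
Parsing this session table is a common first step when triaging a firewall. The following is an added Python example, not code from the guide or from Palo Alto Networks: it reads the sample output above (embedded as constructed input, one session per line as the CLI prints it) and pulls out discarded sessions and flows that still carry no App-ID. Treating an app column of 0 as "no App-ID assigned yet" is an assumption of this example.

```python
"""Parse the table printed by `show session all` and pull out the rows a defender
looks at first: discarded sessions and flows that still carry no App-ID."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the guide's output, one session per line as the CLI prints it.
SAMPLE = """\
number of sessions: 8
ID/vsys src[sport]/zone/proto dest[dport]/zone app. state type
19 192.168.10.199[2219]/1/6 10.10.10.10[6667]/2 0 ACTIVE FLOW
20 192.168.10.191[4069]/1/6 192.168.10.199[139]/2 ms-ds-smb DISCARD FLOW
22 192.168.10.199[2261]/1/6 10.10.10.10[6667]/2 0 ACTIVE FLOW
4 192.168.10.191[138]/1/17 192.168.10.255[138]/2 netbios-dg ACTIVE FLOW
6 192.168.10.199[138]/1/17 192.168.10.255[138]/2 netbios-dg ACTIVE FLOW
21 192.168.10.199[1025]/1/17 4.2.2.1[53]/2 dns CLOSING FLOW
9 192.168.10.199[2187]/1/6 10.10.10.10[6667]/2 0 ACTIVE FLOW
13 192.168.10.199[2195]/1/6 10.10.10.10[6667]/2 0 ACTIVE FLOW
"""

# One row: id, src[sport]/zone/proto, dst[dport]/zone, app, state, type.
ROW_RE = re.compile(
    r"^(?P<sid>\d+)\s+"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<szone>[^/\s]+)/(?P<proto>\d+)\s+"
    r"(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dzone>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<state>[A-Z]+)\s+(?P<stype>[A-Z]+)\s*$"
)


@dataclass(frozen=True)
class Session:
    sid: int
    src: str
    sport: int
    szone: str
    proto: int
    dst: str
    dport: int
    dzone: str
    app: str
    state: str
    stype: str


def parse_sessions(text):
    """Return one Session per table row; the count line and header are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append(Session(
            sid=int(d["sid"]), src=d["src"], sport=int(d["sport"]), szone=d["szone"],
            proto=int(d["proto"]), dst=d["dst"], dport=int(d["dport"]), dzone=d["dzone"],
            app=d["app"], state=d["state"], stype=d["stype"],
        ))
    return rows


def count_by_state(sessions):
    """How many sessions sit in each state (ACTIVE, DISCARD, CLOSING, ...)."""
    return Counter(s.state for s in sessions)


def discarded(sessions):
    """Sessions the policy dropped (state DISCARD); in the sample, an SMB attempt."""
    return [s for s in sessions if s.state == "DISCARD"]


def unidentified(sessions):
    """Rows whose app column is '0': assumed here to mean no App-ID assigned yet."""
    return [s for s in sessions if s.app == "0"]


def destinations_of(sessions):
    """(dst, dport, proto) tuples, most shared first, to spot fan-in to one service."""
    return Counter((s.dst, s.dport, s.proto) for s in sessions).most_common()


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE)
    print(dict(count_by_state(sess)))
    for s in discarded(sess):
        print("discard", s.sid, s.src, "->", s.dst, s.dport, s.app)
    for s in unidentified(sess):
        print("no app-id", s.sid, s.src, "->", s.dst, s.dport)
```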

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show shared-policy
Show the current shared policy status.

Syntax
show shared-policy

Options
None

Sample Output
The following command displays the current shared policy status.
username@hostname> show shared-policy

disabled
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show ssl-vpn
Show Secure Socket Layer (SSL) virtual private network (VPN) runtime objects.

Syntax
show ssl-vpn option

Options
flow Displays dataplane SSL-VPN tunnel information.
portal Displays the SSL-VPN configuration.
user uname domain domname portal portalname Specifies the user, domain, and portal.

Sample Output
The following command displays information on SSL-VPN tunnels.
username@hostname> show ssl-vpn flow

----------------------------------------------------------------------------
total tunnels configured: 10
filter - type SSL-VPN, state any
total SSL-VPN tunnel configured: 2
total SSL-VPN tunnel shown: 2
name id local-i/f local-ip tunnel-i/f
----------------------------------------------------------------------------
s1 2 tunnel.7 10.1.6.105 tunnel.7
rad 11 tunnel.8 10.1.6.106 tunnel.8
---------------------------------------------------------------------------
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show statistics
Show firewall statistics.

Syntax
show statistics

Options
None

Sample Output
The following command displays firewall statistics.
username@hostname> show statistics

TASK PID N_PACKETS CONTINUE ERROR DROP BYPASS TERMINATE
0 0 0 0 0 0 0 0
1 806 6180587 6179536 39 0 0 1012
2 807 39312 37511 0 0 0 1801
3 808 176054840 173273080 2289 2777524 0 1947
4 809 112733251 111536151 1744 1194906 0 450
5 810 66052142 65225559 1271 825010 0 302
6 811 49682445 49028991 909 652227 0 318
7 812 43618777 43030638 712 587129 0 298
8 813 41255949 40706957 708 548031 0 253
9 814 42570163 42010404 714 558773 0 272
10 815 7332493 7332494 0 0 0 0
11 816 19620028 19620028 0 0 0 0
12 817 12335557 12335557 0 0 0 0
13 818 0 0 0 0 0 0
14 819 6105056 6105056 0 0 0 0
task 1(pid: 806) flow_mgmt
task 2(pid: 807) flow_ctrl flow_host
task 3(pid: 808) flow_lookup flow_fastpath flow_slowpath flow_forwarding
flow_np
task 4(pid: 809) flow_lookup flow_fastpath flow_slowpath flow_forwarding
flow_np
task 5(pid: 810) flow_lookup flow_fastpath flow_slowpath flow_forwarding
flow_np
task 6(pid: 811) flow_lookup flow_fastpath flow_slowpath flow_forwarding
flow_np
task 7(pid: 812) flow_lookup flow_fastpath flow_slowpath flow_forwarding
flow_np
task 8(pid: 813) flow_lookup flow_fastpath flow_slowpath flow_forwarding
flow_np
task 9(pid: 814) flow_lookup flow_fastpath flow_slowpath flow_forwarding
flow_np
task 10(pid: 815) appid_result
task 11(pid: 816) ctd_nac ctd_token ctd_detector
task 12(pid: 817) ctd_nac ctd_token ctd_detector
task 13(pid: 818) proxy_packet
task 14(pid: 819) pktlog_forwarding

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show system
Show system information.

Syntax
show system type

Options
type Specifies the type of system information to be displayed.
info Shows network address and security information.
services Shows the current system services and whether they are running.
software status Shows software version information.
state [browser | filter value] Shows the system tree. The browser option displays the information in a text-mode browser. The filter option limits the output to entries that match value; the * wildcard can be used.
statistics Shows device, packet rate, throughput, and session information. Enter q to quit or h to get help.

Sample Output
The following command displays system information.
username@hostname> show system info

hostname: mgmt-device
ip-address: 10.1.7.1
netmask: 255.255.0.0
default-gateway: 10.1.0.1
radius-server: 127.0.0.1
radius-secret: xxxxxxxx

The following command displays the system tree entries that begin with the string
cfg.env.slot1.
username@hostname> show system state filter cfg.env.slot1*

cfg.env.slot1.power0.high-limit: "1.26"
cfg.env.slot1.power0.low-limit: "1.0"
cfg.env.slot1.power1.high-limit: "1.26"
cfg.env.slot1.power1.low-limit: "1.14"
cfg.env.slot1.power2.high-limit: "1.575"
cfg.env.slot1.power2.low-limit: "1.425"
cfg.env.slot1.power3.high-limit: "1.89"
cfg.env.slot1.power3.low-limit: "1.71"

...

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show target-vsys
Show information about the target virtual systems.

Syntax
show target-vsys

Options
None

Sample Output
The following command shows information about target virtual systems.
username@hostname> show target-vsys
vsys1
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show threat
Show threat ID descriptions.

Syntax
show threat id value

Options
value Specifies the threat ID.

Sample Output
The following command shows threat ID descriptions for ID 11172.
username@hostname> show threat id 11172
This signature detects the runtime behavior of the spyware MiniBug. MiniBug,
also known as Weatherbug, installs other spyware, such as WeatherBug, and My
Web Search Bar. It is also adware program that displays advertisements in its
application window.

medium

http://www.spywareguide.com/product_show.php?id=2178

http://www.spyany.com/program/article_spw_rm_Minibug.htm

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show ts-agent
Show information about the Terminal Services agent (TS agent).

Syntax
show ts-agent option

Options
statistics Displays information about the TS agent configuration.

user-IDs Displays information about the users who are connected through the
TS agent.

Sample Output
The following command displays the connection state of each configured TS agent and the number of users it reports.
username@hostname> show ts-agent statistics

IP Address Port Vsys State Users
-------------------------------------------------------------
10.1.200.1 5009 vsys1 connected 8
10.16.3.249 5009 vsys1 connected 10

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show url-database
Displays the name of the database that is being used for URL filtering.

Syntax
show url-database

Options
None

Sample Output
The following command displays the name of the URL database.
admin@PA-HDF> show url-database

brightcloud
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show virtual-wire
Show information about virtual wire interfaces.

Syntax
show virtual-wire [value | all]

Options
value Specifies a virtual wire interface.
all Shows information for all virtual wire interfaces.

Sample Output
The following command displays information for the default virtual wire interface.
username@hostname> show virtual-wire default-vwire

total virtual-wire shown : 1

name interface1 interface2
-------------------------------------------------------------------------------
default-vwire ethernet1/1 ethernet1/2

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show vlan
Show VLAN information.

Syntax
show vlan [value | all]

Options
value Specifies a VLAN name.
all Shows information for all VLANs.

Sample Output
The following command displays information for all VLANs.
username@hostname> show vlan all

vlan {
Vlan56 {
interface [ ethernet1/5 ethernet1/6 ];
stp {
enabled no;
}
rstp {
enabled no;
}
}
Vlan11-12 {
interface [ ethernet1/11 ethernet1/12 ];
stp {
enabled no;
}
rstp {
enabled no;
}
}
}

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show vpn
Show VPN information.

Syntax
show vpn flow [tunnel-id tunnelid]
show vpn gateway [gateway gatewayid]
show vpn ike-sa [gateway gatewayid]
show vpn ipsec-sa [tunnel tunnelid]
show vpn tunnel [name tunnelid]

Options
flow Shows information about the VPN tunnel on the data plane. Specify the tunnel or press
Enter to apply to all tunnels.
gateway Shows IKE gateway information. Specify the gateway or press Enter to apply to all
gateways.
ike-sa Shows information about the active IKE SA. Specify the gateway or press Enter to apply
to all gateways.
ipsec-sa Shows information about IPsec SA tunnels. Specify the tunnel or press Enter to apply to
all tunnels.
tunnel Shows information about auto-key IPSec tunnels. Specify the tunnel or press Enter to
apply to all tunnels.
name Shows information about the VPN tunnel. Specify the tunnel or press Enter to apply to
all tunnels.

Sample Output
The following command shows VPN information for the auto key IPsec tunnel k1.
username@hostname> show vpn tunnel name k1
TnID Name(Gateway) Local Proxy ID Remote Proxy ID Proposals
-------------- -------------- --------- ---------
7 pan5gt(pan-5gt) 0.0.0.0/0 0.0.0.0/0 ESP tunl
[DH2][AES128,3DES][SHA1] 90-sec
Total 1 tunnels found, 0 ipsec sa found, 0 error
username@hostname>

The following command shows VPN information for the IKE gateway g2.
username@hostname> show vpn gateway gateway g2
GwID Name Peer Address/ID Local Address/ID Protocol Proposals
---- ---- --------------- ---------------- -------- ---------
3 falcon-kestrel 35.1.15.1 35.1.15.40 Auto(main)
[PSK][DH2][AES128,3DES][SHA1] 28800-sec

Total 1 gateways found, 0 ike sa found, 0 error.


username@hostname>
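
The Proposals column in these tables is where weak IKE and IPsec settings show up. The following is an added Python example, not code from the guide or from Palo Alto Networks: it parses proposal strings such as [PSK][DH2][AES128,3DES][SHA1] 28800-sec, pairs each one with the name from its table row, and flags algorithms that fall below current guidance. The weak-algorithm list is a policy choice of this example, and the sample input is the two tables above joined as constructed input.

```python
"""Parse the Proposals column printed by `show vpn tunnel` and `show vpn gateway`
and flag the algorithms that no longer meet current guidance."""
import re

# Constructed sample: the two tables from the guide, joined as the CLI prints
# them (each proposal follows its table row on the next line).
SAMPLE = """\
TnID Name(Gateway) Local Proxy ID Remote Proxy ID Proposals
-------------- -------------- --------- ---------
7 pan5gt(pan-5gt) 0.0.0.0/0 0.0.0.0/0 ESP tunl
[DH2][AES128,3DES][SHA1] 90-sec
Total 1 tunnels found, 0 ipsec sa found, 0 error
GwID Name Peer Address/ID Local Address/ID Protocol Proposals
---- ---- --------------- ---------------- -------- ---------
3 falcon-kestrel 35.1.15.1 35.1.15.40 Auto(main)
[PSK][DH2][AES128,3DES][SHA1] 28800-sec
Total 1 gateways found, 0 ike sa found, 0 error.
"""

GROUP_RE = re.compile(r"\[([^\]]*)\]")        # one bracketed group, e.g. [AES128,3DES]
LIFETIME_RE = re.compile(r"(\d+)-sec\b")       # SA lifetime, e.g. 28800-sec
ROW_RE = re.compile(r"^\d+\s+(\S+)")           # table row: numeric id, then the name

CIPHERS = {"NULL", "DES", "3DES", "AES128", "AES192", "AES256"}
HASHES = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
# Review policy of this example, not taken from the guide: DES/3DES/MD5/NULL and
# the 768/1024-bit DH groups 1 and 2 are below current recommendations.
WEAK = {"NULL", "DES", "3DES", "MD5", "DH1", "DH2"}


def parse_proposal(text):
    """'[PSK][DH2][AES128,3DES][SHA1] 28800-sec' -> dict of its parts."""
    prop = {"auth": None, "dh": None, "ciphers": [], "hashes": [],
            "lifetime_sec": None, "other": []}
    for grp in GROUP_RE.findall(text):
        items = [i.strip() for i in grp.split(",") if i.strip()]
        if not items:
            continue
        if all(i in CIPHERS for i in items):
            prop["ciphers"] = items
        elif all(i in HASHES for i in items):
            prop["hashes"] = items
        elif len(items) == 1 and re.fullmatch(r"DH\d+", items[0]):
            prop["dh"] = items[0]
        elif len(items) == 1 and items[0] in ("PSK", "CERT"):
            prop["auth"] = items[0]
        else:
            prop["other"].append(grp)     # keep anything unrecognised for review
    m = LIFETIME_RE.search(text)
    if m:
        prop["lifetime_sec"] = int(m.group(1))
    return prop


def weak_parts(prop):
    """The DH group, ciphers and hashes of a proposal that appear in WEAK."""
    parts = ([prop["dh"]] if prop["dh"] else []) + prop["ciphers"] + prop["hashes"]
    return [p for p in parts if p in WEAK]


def audit_output(text):
    """Pair each proposal line with the name from the preceding table row.
    Returns a list of (name, proposal dict, weak parts)."""
    findings, name = [], None
    for line in text.splitlines():
        line = line.strip()
        if LIFETIME_RE.search(line) and GROUP_RE.search(line):
            prop = parse_proposal(line)
            findings.append((name, prop, weak_parts(prop)))
            name = None
            continue
        m = ROW_RE.match(line)
        if m:
            name = m.group(1)
    return findings


if __name__ == "__main__":
    for name, prop, weak in audit_output(SAMPLE):
        print(name, prop["auth"], prop["dh"], prop["ciphers"], prop["hashes"],
              prop["lifetime_sec"], "weak:", weak)
```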

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show zip
Shows whether the ability to unzip a file and apply policy to the uncompressed content is enabled. The default is enabled.

Syntax
show zip setting

Options
None

Sample Output
The following command shows that the unzip option is enabled.
username@hostname> show zip setting

zip engine is enabled


username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show zone-protection
Shows the running configuration status and run time statistics for zone protection elements.

Syntax
show zone-protection [zone zonename]

Options
zonename Specifies the name of a zone.

Sample Output
The following command shows statistics for the trust zone.
username@hostname> show zone-protection zone trust

---------------------------------------------------------------------------
Zone trust, vsys vsys1, profile custom-zone-protection
----------------------------------------------------------------------------
tcp-syn enabled: no
----------------------------------------------------------------------------
udp RED enabled: no
----------------------------------------------------------------------------
icmp RED enabled: no
----------------------------------------------------------------------------
other-ip RED enabled: no
----------------------------------------------------------------------------
packet filter:
discard-ip-spoof: enabled: no
discard-ip-frag: enabled: no
discard-icmp-ping-zero-id: enabled: no
discard-icmp-frag: enabled: no
discard-icmp-large-packet: enabled: no
reply-icmp-timeexceeded: enabled: no

username@hostname>
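
A report in this format is easiest to audit by machine. The following is an added Python example, not code from the guide or from Palo Alto Networks: it parses one or more zone blocks as printed above into a per-zone map of enabled flags and lists the protections that are switched off against a baseline. The untrust block in the sample input and the baseline list are constructed for the example.

```python
"""Audit the report printed by `show zone-protection`: which flood protections
and packet-filter checks are actually enabled on each zone."""
import re

# Constructed sample: the trust block is the guide's output; the untrust block
# is added here to show a zone with some protections switched on.
SAMPLE = """\
---------------------------------------------------------------------------
Zone trust, vsys vsys1, profile custom-zone-protection
----------------------------------------------------------------------------
tcp-syn enabled: no
----------------------------------------------------------------------------
udp RED enabled: no
----------------------------------------------------------------------------
icmp RED enabled: no
----------------------------------------------------------------------------
other-ip RED enabled: no
----------------------------------------------------------------------------
packet filter:
discard-ip-spoof: enabled: no
discard-ip-frag: enabled: no
discard-icmp-ping-zero-id: enabled: no
discard-icmp-frag: enabled: no
discard-icmp-large-packet: enabled: no
reply-icmp-timeexceeded: enabled: no
---------------------------------------------------------------------------
Zone untrust, vsys vsys1, profile edge-protection
----------------------------------------------------------------------------
tcp-syn enabled: yes
----------------------------------------------------------------------------
udp RED enabled: yes
----------------------------------------------------------------------------
icmp RED enabled: no
----------------------------------------------------------------------------
other-ip RED enabled: no
----------------------------------------------------------------------------
packet filter:
discard-ip-spoof: enabled: yes
discard-ip-frag: enabled: no
discard-icmp-ping-zero-id: enabled: no
discard-icmp-frag: enabled: no
discard-icmp-large-packet: enabled: no
reply-icmp-timeexceeded: enabled: no
"""

ZONE_RE = re.compile(r"^Zone (\S+), vsys (\S+), profile (\S+)$")
# Matches both "tcp-syn enabled: no", "udp RED enabled: no" and
# "discard-ip-spoof: enabled: no".
FLAG_RE = re.compile(r"^([\w-]+(?: RED)?):?\s+enabled: (yes|no)$")


def parse_zone_protection(text):
    """Return {zone: {"vsys": ..., "profile": ..., "flags": {name: bool}}}."""
    zones, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ZONE_RE.match(line)
        if m:
            current = {"vsys": m.group(2), "profile": m.group(3), "flags": {}}
            zones[m.group(1)] = current
            continue
        m = FLAG_RE.match(line)
        if m and current is not None:
            current["flags"][m.group(1)] = (m.group(2) == "yes")
    return zones


# Example baseline for an Internet-facing zone; a choice of this example, not
# a recommendation taken from the guide.
BASELINE = ("tcp-syn", "udp RED", "icmp RED", "discard-ip-spoof", "discard-ip-frag")


def disabled_flags(zone):
    """Names of every protection the report shows as 'enabled: no'."""
    return sorted(name for name, on in zone["flags"].items() if not on)


def baseline_gaps(zones, baseline=BASELINE):
    """{zone: [baseline protections that are off or absent from the report]}."""
    gaps = {}
    for name, z in zones.items():
        missing = [f for f in baseline if not z["flags"].get(f, False)]
        if missing:
            gaps[name] = missing
    return gaps


if __name__ == "__main__":
    zones = parse_zone_protection(SAMPLE)
    for name, missing in baseline_gaps(zones).items():
        print(f"{name} ({zones[name]['profile']}): off -> {', '.join(missing)}")
```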

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

ssh
Open a secure shell (SSH) connection to another host.

Syntax
ssh [inet] [port number] [source address] [v1 | v2] [user@]host

Options
inet Specifies that IP version 4 be used.
port Specifies a port on the other host. (default 22)
source Specifies a source IP address.
v1 | v2 Specifies SSH protocol version 1 or 2 (default is version 2).
user@ Specifies a user name on the other host.
host Specifies the IP address of the other host.

Sample Output
The following command opens an SSH connection to host 10.0.0.250 using SSH version 2.
username@hostname> ssh v2 user@10.0.0.250
user@10.0.0.250's password:

Required Privilege Level


superuser, vsysadmin, deviceadmin

tail
Print the last 10 lines of a debug file.

Syntax
tail [follow] [lines N] file

Options
follow Adds appended data as the file grows.
lines N Lists the last N lines instead of the last 10.
file Specifies the debug file.

Sample Output
The following command displays the last 10 lines of the /var/log/pan/masterd.log file.
username@hostname> tail /var/log/pan/masterd.log
[09:32:46] Successfully started process 'mgmtsrvr' instance '1'
[09:32:47] Successfully started process 'appWeb' instance '1'
[09:32:47] Started group 'pan' start script 'octeon' with options 'start'
[09:32:48] Process 'appWeb' instance '1' exited normally with status '7'
[09:32:48] Process 'appWeb' instance '1' has no further exit rules
[09:32:53] Successfully started process 'pan-ez-agent' instance '1'
[09:32:53] Process 'pan-ez-agent' instance '1' exited normally with status '0'
[09:32:53] Process 'pan-ez-agent' instance '1' has no further exit rules
[09:32:54] Successfully started process 'pan_netconfig_agent' instance '1'
[09:32:54] Finished initial start of all processes

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

telnet
Open a Telnet session to another host.

Syntax
telnet [8bit] [port] host

Options
8bit Indicates that 8-bit data will be used.
port Specifies the port number for the other host.
host Specifies the IP address of the other host.

Sample Output
The following command opens a Telnet session to the host 1.2.5.5 using 8-bit data.
username@hostname> telnet 8bit 1.2.5.5

Required Privilege Level


superuser, vsysadmin, deviceadmin

test
Run tests based on installed security policies.

Syntax
test nat-policy-match source src-ip destination dst-ip destination-port port protocol protocol from zone1 to zone2

test security-policy-match application name source src-ip destination dst-ip destination-port port protocol protocol from zone1 to zone2 [source-user username]

test routing fib-lookup ip ipaddress virtual-router virtualrouterid

test vpn flow <ike-sa [gateway gatewayid] | ipsec-sa [tunnel tunnelid]>

Options
name Specifies the name of an application. Enter any to include all applications.
src-ip Specifies the source IP address for the test.
dst-ip Specifies the destination IP address for the test.
port Specifies the destination port for the test.
protocol Specifies the IP protocol number for the test.
zone1 Specifies the source security zone.
zone2 Specifies the destination security zone.
username Specifies the source user name for the test.
fib-lookup Specifies the route to test within the active routing table. Specify an IP address and virtual router.
ike-sa Performs the tests only for the negotiated IKE SA. Specify a gateway or press Enter to run the test for all gateways.
ipsec-sa Performs the tests for the IPsec SA (and the IKE SA if necessary). Specify a tunnel or press Enter to run the test for all tunnels.

Sample Output
The following command tests whether the set of criteria will match any of the existing rules in
the security rule base.
username@hostname> test security-policy-match from trust to untrust
application google-talk source 10.0.0.1 destination 192.168.0.1 protocol 6
destination-port 80 source-user known-user

Matched rule: 'rule1' action: allow

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

tftp
Use Trivial File Transfer Protocol (TFTP) to copy files between the firewall and another host.

Syntax
tftp export export-option [control-plane | data-plane] to target [remote-port portnumber]
tftp import import-option from source [remote-port portnumber]

Options
export export-option Specifies the type of file to export to the other host.
Option Description
application Application packet capture file.
captive-portal-text Text to be included in a captive portal.
configuration Configuration file.
core-file Core file.
debug-pcap IKE negotiation packet capture file.
file-block-page File containing comfort pages to be presented when files are blocked.
filter Filter definitions.
log-file Log files.
log-db Log database.
packet-log Logs of packet data.
spyware-block-page Comfort page to be presented when files are blocked due to spyware.
ssl-optout-text SSL optout text.
tech-support Technical support information.
trusted-ca-certificate Certificate Authority (CA) security certificate.
url-block-page Comfort page to be presented when files are blocked due to a blocked URL.
virus-block-page Comfort page to be presented when files are blocked due to a virus.
web-interface-certificate Web interface certificate.

import import-option Specifies the type of file to import from the other host.
Option Description
captive-portal-text Text to be included in a captive portal.
configuration Configuration file.
content Database content.
file-block-page File containing comfort pages to be presented when files are blocked.
license License key file.
private-key SSL private key file.
software Software package.
spyware-block-page Comfort page to be presented when files are blocked due to spyware.
ssl-decryption-certificate SSL decryption certificate.
ssl-optout-text SSL optout text.
trusted-ca-certificate Certificate Authority (CA) security certificate.
url-block-page Comfort page to be presented when files are blocked due to a blocked URL.
virus-block-page Comfort page to be presented when files are blocked due to a virus.
web-interface-certificate Web interface certificate.

control-plane Indicates that the file contains control information.
data-plane Indicates that the file contains information about data traffic.
remote-port portnumber Specifies the port number on the remote host.
target Specifies the destination in the format username@host:path.
source Specifies the file to be copied in the format username@host:path.

The following command imports an SSL decryption certificate from a file in user1's account on the machine with IP address 10.0.3.4.

username@hostname> tftp import ssl-decryption-certificate from user1@10.0.3.4:/tmp/certificatefile

Required Privilege Level


superuser, vsysadmin, deviceadmin

traceroute
Display information about the route that packets take to another host.

Syntax
traceroute [base-udp-port port] [bypass-routing] [debug-socket] [do-not-fragment] [first-ttl ttl] [gateway] [icmp-echo] [max-ttl ttl] [no-resolve] [pause] [source ip] [toggle-ip-checksums] [tos] [verbose] [wait] host

Options
base-udp-port port Specifies the base UDP port used in probes (default is 33434).
bypass-routing Sends the request directly to a host on a directly attached network, bypassing the usual routing table.
debug-socket Enables socket level debugging.
do-not-fragment Sets the do-not-fragment bit.
first-ttl ttl Sets the time-to-live in the first outgoing probe packet in number of hops.
gateway Specifies a loose source route gateway (maximum 8).
icmp-echo Uses ICMP ECHO requests instead of UDP datagrams.
max-ttl ttl Sets the maximum time-to-live in number of hops.
no-resolve Does not attempt to print resolved domain names.
pause Sets the time to pause between probes (milliseconds).
source ip Specifies the source IP address for the command.
toggle-ip-checksums Toggles the IP checksum of the outgoing packets for the traceroute command.
tos Specifies the type of service (TOS) treatment for the packets by way of the TOS field in the IP header of the traceroute packets (0-255).
verbose Requests complete details of the traceroute request.
wait Specifies a delay in transmission of the traceroute request (seconds).
host Specifies the IP address or domain name of the other host.

Sample Output
The following command displays information about the route from the firewall to
www.google.com.

username@hostname> traceroute www.paloaltonetworks.com
traceroute to www.paloaltonetworks.com (72.32.199.53), 30 hops max, 38 byte packets
 1  10.1.0.1 (10.1.0.1)  0.399 ms  1.288 ms  0.437 ms
 2  64.0.27.225.ptr.us.xo.net (64.0.27.225)  1.910 ms  dsl027-186-189.sfo1.dsl.speakeasy.net (216.27.186.189)  1.012 ms  64.0.27.225.ptr.us.xo.net (64.0.27.225)  1.865 ms
 3  dsl027-182-001.sfo1.dsl.speakeasy.net (216.27.182.1)  16.768 ms  581.420 ms  64.3.142.37.ptr.us.xo.net (64.3.142.37)  219.190 ms
 4  ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21)  228.551 ms  110.ge-0-0-0.cr1.sfo1.speakeasy.net (69.17.83.189)  12.352 ms  ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21)  218.547 ms
 5  ge-5-3-0.mpr3.pao1.us.above.net (209.249.11.177)  13.212 ms  p4-0-0.rar2.sanjose-ca.us.xo.net (65.106.5.137)  273.935 ms  221.313 ms
 6  p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178)  139.212 ms  so-1-2-1.mpr1.sjc2.us.above.net (64.125.28.141)  13.348 ms  p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178)  92.795 ms
 7  so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246)  12.069 ms  206.111.12.146.ptr.us.xo.net (206.111.12.146)  93.278 ms  so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246)  556.033 ms
 8  tbr1p013201.sffca.ip.att.net (12.123.13.66)  52.726 ms  so-3-2-0.cr1.dfw2.us.above.net (64.125.29.54)  61.875 ms  tbr1p013201.sffca.ip.att.net (12.123.13.66)  58.462 ms
     MPLS Label=32537 CoS=0 TTL=1 S=1
 9  64.124.12.6.available.above.net (64.124.12.6)  74.828 ms  tbr1cl3.la2ca.ip.att.net (12.122.10.26)  62.533 ms  64.124.12.6.available.above.net (64.124.12.6)  60.537 ms
10  tbr1cl20.dlstx.ip.att.net (12.122.10.49)  60.617 ms  vlan901.core1.dfw1.rackspace.com (72.3.128.21)  59.881 ms  60.429 ms
11  gar1p360.dlrtx.ip.att.net (12.123.16.169)  108.713 ms  aggr5a.dfw1.rackspace.net (72.3.129.19)  58.049 ms  gar1p360.dlrtx.ip.att.net (12.123.16.169)  173.102 ms
12  72.32.199.53 (72.32.199.53)  342.977 ms  557.097 ms  60.899 ms

username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin

view-pcap
Examine the content of packet capture files.

Syntax
view-pcap option filename

Options
option  Specifies the type of information to report.

Option                 Description
absolute-seq           Displays absolute TCP sequence numbers.
delta                  Displays the delta (in microseconds) between the current and previous line.
hex                    Displays each packet (minus link header) in hex.
hex-ascii              Displays each packet (minus link header) in hex and ASCII.
hex-ascii-link         Displays each packet (including link header) in hex and ASCII.
hex-link               Displays each packet (including link header) in hex.
link-header            Displays the link-level header on each dump line.
no-dns-lookup          Does not convert host addresses to names.
no-port-lookup         Does not convert protocol and port numbers to names.
no-qualification       Does not print domain name qualification of host names.
timestamp              Displays the timestamp preceded by the date.
undecoded-nfs          Displays undecoded NFS handles.
unformatted-timestamp  Displays an unformatted timestamp.
verbose                Displays verbose output.
verbose+               Displays more verbose output.
verbose++              Displays the maximum output details.

filename  Name of the packet capture file.

Sample Output
The following command displays the contents of the packet capture file
/var/session/pan/filters/syslog.pcap in hex and ASCII formats.

username@hostname> view-pcap hex-ascii /var/session/pan/filters/syslog.pcap

reading from file /var/session/pan/filters/syslog.pcap, link-type EN10MB (Ethernet)
08:34:31.922899 IP 10.0.0.244.32884 > jdoe.paloaltonetworks.local.syslog: UDP, length 314
0x0000: 4500 0156 0000 4000 4011 2438 0a00 00f4 E..V..@.@.$8....
0x0010: 0a00 006c 8074 0202 0142 d163 3c31 3137 ...l.t...B.c<117
0x0020: 3e41 7072 2020 3233 2030 383a 3334 3a33 >Apr..23.08:34:3
0x0030: 3420 312c 3034 2f32 3320 3038 3a33 343a 4.1,04/23.08:34:
0x0040: 3334 2c54 4852 4541 542c 7572 6c2c 312c 34,THREAT,url,1,
0x0050: 3034 2f32 3320 3038 3a33 343a 3235 2c31 04/23.08:34:25,1
0x0060: 302e 302e 302e 3838 2c32 3039 2e31 3331 0.0.0.88,209.131
0x0070: 2e33 362e 3135 382c 302e 302e 302e 302c .36.158,0.0.0.0,
0x0080: 302e 302e 302e 302c 6c32 2d6c 616e 2d6f 0.0.0.0,l2-lan-o
0x0090: 7574 2c77 6562 2d62 726f 7773 696e 672c ut,web-browsing,
0x00a0: 7673 7973 312c 6c32 2d6c 616e 2d74 7275 vsys1,l2-lan-tru
0x00b0: 7374 2c6c 322d 6c61 6e2d 756e 7472 7573 st,l2-lan-untrus
0x00c0: 742c 6574 6865 726e 6574 312f 3132 2c65 t,ethernet1/12,e
0x00d0: 7468 6572 6e65 7431 2f31 312c 466f 7277 thernet1/11,Forw
0x00e0: 6172 6420 746f 204d 696b 652c 3034 2f32 ard.to.Mike,04/2
0x00f0: 3320 3038 3a33 343a 3334 2c38 3336 3435 3.08:34:34,83645
0x0100: 372c 322c 3438 3632 2c38 302c 302c 302c 7,2,4862,80,0,0,
0x0110: 3078 302c 7463 7028 3629 2c61 6c65 7274 0x0,tcp(6),alert
0x0120: 2c77 7777 2e79 6168 6f6f 2e63 6f6d 2f70 ,www.yahoo.com/p
0x0130: 2e67 6966 3f2c 2c73 6561 7263 682d 656e .gif?,,search-en
0x0140: 6769 6e65 732c 696e 666f 726d 6174 696f gines,informatio
0x0150: 6e61 6c2c 3000 nal,0.

Required Privilege Level
superuser, vsysadmin, deviceadmin


Chapter 5
Maintenance Mode

Maintenance mode provides support for error recovery and diagnostics, and allows you to
reset the firewall to factory defaults.

This chapter describes how to enter and use Maintenance mode:

• "Entering Maintenance Mode" in the next section
• "Using Maintenance Mode" on page 186

Entering Maintenance Mode


The system enters Maintenance mode automatically if a critical error is discovered, or you can
enter Maintenance mode explicitly when booting the firewall. Critical failure can be due to
service errors, bootloader corruption, or disk filesystem errors.

You can enter Maintenance mode in either of the following ways:


• Serial cable to the serial port on the firewall. For serial cable specifications, refer to the
Hardware Reference Guide for your firewall model.

• Secure Socket Layer (SSL). SSL access is supported if the firewall has already entered
Maintenance mode (either automatically or explicitly during bootup).

Entering Maintenance Mode Upon Bootup
To enter Maintenance mode upon bootup:
1. Press m when prompted by the bootloader.

2. Press any key on your keyboard when prompted to stop the automatic boot, and then
select Maint as the booting partition.

Entering Maintenance Mode Automatically
If the system detects a critical error it will automatically fail over to Maintenance mode. When
the firewall enters Maintenance mode, messages are displayed on the serial console, web
interface, and CLI interface.

The serial console displays the following message.

The web interface displays the following message.

The SSH interface displays the following message.
ATTENTION: A critical error has been detected preventing proper boot up
of the device. Please contact Palo Alto Networks to resolve this issue at
866-898-9087 or support@paloaltonetworks.com.
The system is in maintenance mode. Connect via serial console or with user
'maint' through ssh to access the recovery tool.

Using Maintenance Mode


The Maintenance mode main menu displays the following options.

The following table describes the Maintenance mode selections that are accessible without
entering a password.

Table 4. General Maintenance Mode Options

Option                    Description
Maintenance Entry Reason  Indicates why the system entered Maintenance mode and includes possible recovery steps.
Get System Info           Displays basic information about the system. This information is useful when obtaining assistance from Customer Support.
FSCK (Disk Check)         Provides the ability to run a file system check (FSCK) on various partitions.
Log Files                 Allows viewing and copying of log files from the system.
Disk Image                Allows the system to revert back to the previously installed software version.
Content Rollback          Allows a rollback to the previously installed content version.
Reboot                    Reboots the firewall.

Some of the options are password protected to prevent accidental changes that could leave the
system in an inoperative state. The password is intended as a safeguard and is not meant to be
secret. The password is MA1NT (numeral 1).

Table 5. General Maintenance Mode Options

Option               Description
Factory Reset        Returns the firewall to the factory default state. The reset includes an option to scrub the Config and Log partitions using a National Nuclear Security Administration (NNSA) or Department of Defense (DOD) compliant scrubbing algorithm.
                     Note: Scrubbing can take up to six hours to complete.
Bootloader Recovery  Reprograms the main bootloader with the latest bootloader image on the system. Use this option if the failsafe bootloader is running and recovery of the main bootloader is required. (PA-2000 and PA-500 systems only)
Disk Image Advanced  These options provide greater granularity and control over installation, including status, history, bootstrapping, and other commands.
Diagnostics          Tests the dataplane booting and dataplane memory, and runs disk performance tests with bonnie++.


Appendix A
CONFIGURATION HIERARCHY

This appendix presents the complete firewall configuration hierarchies for the application
identification firewall and for Panorama:
• “Firewall Hierarchy” in the next section

• “Panorama Hierarchy” on page 251

Firewall Hierarchy
operations {
schedule {
commit;
OR...
uar-report {
user <value>;
title <value>;
period <value>;
start-time <value>;
end-time <value>;
}
}
OR...
clear {
application-signature {
statistics;
}
OR...
arp |<value>;
OR...
counter {
interface;
OR...
global {
filter {
category <value>;
severity <value>;
aspect <value>;
}
OR...
name <value>;
}
OR...

all;
}
OR...
dhcp {
lease {
all;
OR...
interface {
name <value>;
ip <ip>;
mac <mac-address>;
}
}
}
OR...
high-availability {
control-link {
statistics;
}
}
OR...
job {
id 0-4294967295;
}
OR...
log {
traffic;
OR...
threat;
OR...
config;
OR...
system;
OR...
acc;
}
OR...
mac |<value>;
OR...
query {
all-by-session;
OR...
id 0-4294967295;
}
OR...
report {
all-by-session;
OR...
id 0-4294967295;
}
OR...
session {
all {
filter {
nat none|source|destination|both;
proxy yes|no;
type flow|predict;
state initial|opening|active|discard|closing|closed;
from <value>;

to <value>;
source <value>;
destination <value>;
source-user <value>;
destination-user <value>;
source-port 1-65535;
destination-port 1-65535;
protocol 1-255;
application <value>;
rule <value>;
nat-rule <value>;
}
}
OR...
id 1-2147483648;
}
OR...
statistics;
OR...
vpn {
ike-sa {
gateway <value>;
}
OR...
ipsec-sa {
tunnel <value>;
}
OR...
flow {
tunnel-id 1-2147483648;
}
}
}
OR...
delete {
admin-sessions;
OR...
application-block-page;
OR...
captive-portal-text;
OR...
config {
saved <value>;
}
OR...
config-audit-history;
OR...
content {
update <value>;
}
OR...
core {
data-plane {
file <value>;
}
OR...
control-plane {
file <value>;
}

}
OR...
data-capture {
directory <value>;
}
OR...
debug-filter {
file <value>;
}
OR...
file-block-page;
OR...
inbound-key {
file <value>;
}
OR...
license {
key <value>;
}
OR...
logo;
OR...
pcap {
directory <value>;
}
OR...
policy-cache;
OR...
report {
predefined {
report-name <value>;
file-name <value>;
}
OR...
custom {
report-name <value>;
file-name <value>;
}
OR...
summary {
report-name <value>;
file-name <value>;
}
}
OR...
root-certificate {
file <value>;
}
OR...
software {
image <value>;
OR...
version <value>;
}
OR...
spyware-block-page;
OR...
ssl-optout-text;
OR...

threat-pcap {
directory <value>;
}
OR...
unknown-pcap {
directory <value>;
}
OR...
url-block-page;
OR...
url-coach-text;
OR...
user-file {
ssh-known-hosts;
}
OR...
virus-block-page;
}
OR...
show {
admins {
all;
}
OR...
arp ||<value>;
OR...
chassis-ready;
OR...
cli {
info;
OR...
idle-timeout;
}
OR...
clock;
OR...
config {
diff;
OR...
running {
xpath <value>;
}
OR...
synced;
OR...
candidate;
OR...
pushed {
vsys <value>;
}
OR...
audit {
info;
OR...
base-version <value>|;
OR...
base-version-no-deletes <value>|;

OR...
version <value>|;
}
OR...
saved <value>;
}
OR...
counter {
management-server;
OR...
global {
filter {
category <value>;
severity <value>;
aspect <value>;
delta yes|no;
value all|non-zero;
}
OR...
name <value>;
}
OR...
interface |<value>;
}
OR...
ctd {
state;
OR...
threat {
id 1-4294967295;
application 0-4294967295;
profile 0-4294967295;
}
OR...
url-block-cache;
}
OR...
dhcp {
lease |<value>;
}
OR...
high-availability {
all;
OR...
state;
OR...
link-monitoring;
OR...
path-monitoring;
OR...
state-synchronization;
OR...
control-link {
statistics;
}
}
OR...
interface |||<value>;
OR...

jobs {
all;
OR...
pending;
OR...
processed;
OR...
id 1-4294967296;
}
OR...
local-user-db {
vsys <value>;
username <value>;
disabled yes|no;
}
OR...
location {
ip <ip>;
}
OR...
log {
traffic {
direction {
equal forward|backward;
}
csv-output {
equal yes|no;
}
query {
equal <value>;
}
receive_time {
in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
}
start-time {
equal <value>;
}
end-time {
equal <value>;
}
src {
in <ip/netmask>;
OR...
not-in <ip/netmask>;
}
dst {
in <ip/netmask>;
OR...
not-in <ip/netmask>;
}
rule {
equal <value>;
OR...
not-equal <value>;
}
app {
equal <value>;
OR...

not-equal <value>;
}
from {
equal <value>;
OR...
not-equal <value>;
}
to {
equal <value>;
OR...
not-equal <value>;
}
sport {
equal 1-65535;
OR...
not-equal 1-65535;
}
dport {
equal 1-65535;
OR...
not-equal 1-65535;
}
action {
equal allow|deny|drop;
OR...
not-equal allow|deny|drop;
}
srcuser {
equal <value>;
}
dstuser {
equal <value>;
}
}
OR...
threat {
suppress-threatid-mapping {
equal yes|no;
}
direction {
equal forward|backward;
}
csv-output {
equal yes|no;
}
query {
equal <value>;
}
receive_time {
in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
}
start-time {
equal <value>;
}
end-time {
equal <value>;
}
src {

in <ip/netmask>;
OR...
not-in <ip/netmask>;
}
dst {
in <ip/netmask>;
OR...
not-in <ip/netmask>;
}
rule {
equal <value>;
OR...
not-equal <value>;
}
app {
equal <value>;
OR...
not-equal <value>;
}
from {
equal <value>;
OR...
not-equal <value>;
}
to {
equal <value>;
OR...
not-equal <value>;
}
sport {
equal 1-65535;
OR...
not-equal 1-65535;
}
dport {
equal 1-65535;
OR...
not-equal 1-65535;
}
action {
equal alert|allow|deny|drop|drop-all-packets|reset-client|reset-server|reset-both|block-url;
OR...
not-equal alert|allow|deny|drop|drop-all-packets|reset-client|reset-server|reset-both|block-url;
}
srcuser {
equal <value>;
}
dstuser {
equal <value>;
}
category {
equal <value>;
OR...
not-equal <value>;
}
subtype {
equal url|file;

}
}
OR...
config {
direction {
equal forward|backward;
}
receive_time {
in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
}
csv-output {
equal yes|no;
}
query {
equal <value>;
}
start-time {
equal <value>;
}
end-time {
equal <value>;
}
client {
equal web|cli;
OR...
not-equal web|cli;
}
cmd {
equal add|clone|commit|create|delete|edit|get|load-from-disk|move|rename|save-to-disk|set;
OR...
not-equal add|clone|commit|create|delete|edit|get|load-from-disk|move|rename|save-to-disk|set;
}
result {
equal succeeded|failed|unauthorized;
OR...
not-equal succeeded|failed|unauthorized;
}
}
OR...
system {
direction {
equal forward|backward;
}
opaque {
contains <value>;
}
receive_time {
in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
}
csv-output {
equal yes|no;
}
query {
equal <value>;
}

start-time {
equal <value>;
}
end-time {
equal <value>;
}
severity {
equal critical|high|medium|low|informational;
OR...
not-equal critical|high|medium|low|informational;
OR...
greater-than-or-equal critical|high|medium|low|informational;
OR...
less-than-or-equal critical|high|medium|low|informational;
}
subtype {
equal <value>;
OR...
not-equal <value>;
}
object {
equal <value>;
OR...
not-equal <value>;
}
eventid {
equal <value>;
OR...
not-equal <value>;
}
id {
equal <value>;
OR...
not-equal <value>;
}
}
OR...
appstat {
direction {
equal forward|backward;
}
receive_time {
in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
}
csv-output {
equal yes|no;
}
query {
equal <value>;
}
start-time {
equal <value>;
}
end-time {
equal <value>;
}
name {
equal <value>;

OR...
not-equal <value>;
}
type {
equal <value>;
OR...
not-equal <value>;
}
risk {
equal 1|2|3|4|5;
OR...
not-equal 1|2|3|4|5;
OR...
greater-than-or-equal 1|2|3|4|5;
OR...
less-than-or-equal 1|2|3|4|5;
}
}
OR...
trsum {
direction {
equal forward|backward;
}
receive_time {
in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
}
csv-output {
equal yes|no;
}
query {
equal <value>;
}
start-time {
equal <value>;
}
end-time {
equal <value>;
}
app {
equal <value>;
OR...
not-equal <value>;
}
src {
in <value>;
}
dst {
in <value>;
}
rule {
equal <value>;
OR...
not-equal <value>;
}
srcuser {
equal <value>;
OR...
not-equal <value>;

}
dstuser {
equal <value>;
OR...
not-equal <value>;
}
srcloc {
equal <value>;
OR...
not-equal <value>;
OR...
greater-than-or-equal <value>;
OR...
less-than-or-equal <value>;
}
dstloc {
equal <value>;
OR...
not-equal <value>;
OR...
greater-than-or-equal <value>;
OR...
less-than-or-equal <value>;
}
}
OR...
thsum {
direction {
equal forward|backward;
}
receive_time {
in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
}
csv-output {
equal yes|no;
}
query {
equal <value>;
}
start-time {
equal <value>;
}
end-time {
equal <value>;
}
app {
equal <value>;
OR...
not-equal <value>;
}
src {
in <value>;
}
dst {
in <value>;
}
rule {
equal <value>;

OR...
not-equal <value>;
}
srcuser {
equal <value>;
OR...
not-equal <value>;
}
dstuser {
equal <value>;
OR...
not-equal <value>;
}
srcloc {
equal <value>;
OR...
not-equal <value>;
OR...
greater-than-or-equal <value>;
OR...
less-than-or-equal <value>;
}
dstloc {
equal <value>;
OR...
not-equal <value>;
OR...
greater-than-or-equal <value>;
OR...
less-than-or-equal <value>;
}
threatid {
equal <value>;
OR...
not-equal <value>;
OR...
greater-than-or-equal <value>;
OR...
less-than-or-equal <value>;
}
subtype {
equal <value>;
OR...
not-equal <value>;
}
}
}
OR...
logging;
OR...
mac |<value>;
OR...
management-clients;
OR...
multi-vsys;
OR...
object {
ip <ip>;
vsys <value>;

}
OR...
pan-agent {
statistics;
OR...
user-IDs;
}
OR...
pan-ntlm-agent {
statistics;
}
OR...
proxy {
setting;
OR...
certificate-cache;
OR...
certificate;
OR...
notify-cache;
OR...
exclude-cache;
OR...
memory {
detail;
}
}
OR...
query {
id 1-4294967296;
OR...
jobs;
}
OR...
report {
id 1-4294967296;
OR...
jobs;
OR...
predefined {
name {
equal top-attackers|top-victims|top-attackers-by-countries|top-victims-by-countries|top-sources|top-destinations|top-destination-countries|top-source-countries|top-connections|top-ingress-interfaces|top-egress-interfaces|top-ingress-zones|top-egress-zones|top-applications|top-http-applications|top-rules|top-attacks|top-spyware-threats|top-viruses|top-vulnerabilities|top-websites|top-url-categories|top-url-users|top-url-user-behavior|unknown-tcp-connections|unknown-udp-connections|top-denied-sources|top-denied-destinations|top-denied-applications;
}
start-time {
equal <value>;
}
end-time {
equal <value>;
}
}
OR...
custom {

database {
equal appstat|threat|thsum|traffic|trsum;
}
topn {
equal <value>;
}
receive_time {
in last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days;
}
query {
equal <value>;
}
aggregate-fields {
equal <value>;
}
value-fields {
equal <value>;
}
}
}
OR...
routing {
resource;
OR...
summary {
virtual-router <value>;
}
OR...
fib {
virtual-router <value>;
}
OR...
route {
destination <ip/netmask>;
interface <value>;
nexthop <ip/netmask>;
type static|connect|ospf|rip;
virtual-router <value>;
}
OR...
protocol {
redist all|ospf|rip;
OR...
ospf summary|area|interface|virt-link|neighbor|virt-neighbor|lsdb|dumplsdb;
OR...
rip summary|interface|peer|database;
virtual-router <value>;
}
}
OR...
session {
start-at 1-2097152;
OR...
info;
OR...
meter;
OR...
all {

filter {
nat none|source|destination|both;
proxy yes|no;
type flow|predict;
state initial|opening|active|discard|closing|closed;
from <value>;
to <value>;
source <value>;
destination <value>;
source-user <value>;
destination-user <value>;
source-port 1-65535;
destination-port 1-65535;
protocol 1-255;
application <value>;
rule <value>;
nat-rule <value>;
}
}
OR...
id 1-2147483648;
}
OR...
shared-policy;
OR...
ssl-vpn {
portal {
name <value>;
}
OR...
user {
portal <value>;
domain <value>;
user <value>;
}
OR...
flow {
name <value>;
OR...
tunnel-id 1-2147483648;
}
}
OR...
statistics;
OR...
system {
software {
status;
}
OR...
info;
OR...
services;
OR...
state {
filter <value>;
OR...
filter-pretty <value>;
OR...

browser;
}
OR...
statistics;
OR...
resources {
follow;
}
OR...
disk-space;
OR...
logdb-quota;
OR...
files;
}
OR...
target-vsys;
OR...
threat {
id <1-4294967296,...>;
}
OR...
ts-agent {
statistics;
OR...
user-IDs;
}
OR...
url-database;
OR...
virtual-wire |<value>;
OR...
vlan |<value>;
OR...
vpn {
gateway {
name <value>;
}
OR...
tunnel {
name <value>;
}
OR...
ike-sa {
gateway <value>;
}
OR...
ipsec-sa {
tunnel <value>;
}
OR...
flow {
name <value>;
OR...
tunnel-id 1-2147483648;
}
}
OR...
zip {

setting;
}
OR...
zone-protection {
zone <value>;
}
}
OR...
debug {
captive-portal {
on {
normal;
OR...
debug;
}
OR...
off;
OR...
show;
}
OR...
cli on|off|detail|show|enable-internal-command;
OR...
cpld;
OR...
dataplane {
get;
OR...
show {
url-license;
OR...
user {
all;
OR...
ip <ip/netmask>;
}
OR...
ts-agent-data {
all;
OR...
ip <ip/netmask>;
}
OR...
nat-rule-cache;
OR...
global-ippool;
OR...
ippool;
OR...
security-policy;
OR...
nat-policy;
OR...
captive-portal-policy;
OR...
ssl-policy;
OR...
qos-policy;
OR...

application-override-policy;
OR...
policy-based-forwarding-policy;
OR...
application-signature {
statistics;
}
OR...
application {
dump-setting;
}
OR...
resource-monitor {
second {
last 1-60;
}
OR...
minute {
last 1-60;
}
OR...
hour {
last 1-24;
}
OR...
day {
last 1-7;
}
OR...
week {
last 1-13;
}
}
OR...
logging;
OR...
url-cache {
statistics;
}
OR...
top-urls {
top 1-10000;
category <value>;
}
OR...
ssl-cert-cn;
}
OR...
reset {
user-cache {
all;
OR...
ip <ip/netmask>;
}
OR...
url-cache;
OR...
logging;
OR...

pow;
OR...
appid {
unknown-cache {
destination <ip/netmask>;
}
}
OR...
proxy {
host-certificate-cache;
OR...
certificate-cache;
OR...
exclude-cache;
OR...
notify-cache {
source <ip/netmask>;
}
}
OR...
ctd {
url-block-cache {
lockout;
}
}
}
OR...
mode sync|no-sync;
OR...
on error|warn|info|debug;
OR...
off;
OR...
clear;
OR...
drop-filter {
on;
OR...
off;
OR...
set {
ingress <value>;
file <value>;
source <value>;
destination <value>;
source-port 1-65535;
destination-port 1-65535;
protocol 1-255;
packet-count 1-20000;
byte-count 1-2000000;
}
OR...
unset 1-4;
}
OR...
filter {
on;
OR...
off;

OR...
set {
ingress <value>;
file <value>;
source <value>;
destination <value>;
source-port 1-65535;
destination-port 1-65535;
protocol 1-255;
packet-count 1-20000;
byte-count 1-2000000;
}
OR...
unset 1-4;
OR...
close 1-4;
}
OR...
pool {
statistics;
OR...
check {
hardware 0-255;
OR...
software 0-255;
}
}
OR...
pow {
status;
OR...
performance {
all;
}
}
OR...
memory {
status;
}
OR...
tcp {
state;
}
OR...
internal {
pci-access {
sample;
OR...
register <value>;
}
OR...
vif {
address;
OR...
link;
OR...
rule;
OR...
vr;

OR...
route 0-255;
}
OR...
dt {
lion {
rd 0-4294967295;
OR...
igr {
show drops|flow|internal|packets|queues;
OR...
iftbl;
OR...
mymac;
OR...
port;
}
OR...
egr {
show counts|queues;
OR...
route;
OR...
nexthop;
}
OR...
mac {
stats {
clear;
}
}
OR...
spi {
stats {
clear;
}
}
}
OR...
oct {
csr {
rd <value>;
}
OR...
gmx {
stats;
}
OR...
pip {
stats;
}
OR...
pko {
disp;
OR...
stats;
}
OR...
pow {

dump;
}
}
}
}
OR...
fpga {
set {
sw_aho yes|no;
OR...
sw_dfa yes|no;
OR...
sw_dlp yes|no;
}
OR...
state;
}
OR...
device {
switch-dx {
uplink;
OR...
register {
read 0-4294967295;
}
OR...
vlan-table {
dump;
OR...
index 0-4095;
}
OR...
port-based-vlan {
port 0-32;
}
OR...
fdb {
dump;
OR...
index 0-65535;
}
}
}
OR...
process {
mprelay {
on {
dump;
OR...
debug;
OR...
info;
OR...
warn;
OR...
error;
}
OR...
off;

OR...
show;
}
OR...
ha-agent {
on {
dump;
OR...
debug;
OR...
info;
OR...
warn;
OR...
error;
}
OR...
off;
OR...
show;
}
}
OR...
task-heartbeat {
on;
OR...
off;
OR...
show;
}
OR...
monitor {
detail {
on;
OR...
off;
OR...
show;
}
}
OR...
set {
tcp reass|fptcp|all;
OR...
ssl basic|all;
OR...
proxy basic|all;
OR...
pow basic|all;
OR...
zip basic|all;
OR...
misc misc|all;
OR...
module aho|dfa|scan|url|all;
OR...
flow basic|ager|ha|np|arp|receive|all;
OR...
tunnel flow|ager;

OR...
ctd basic|sml|url|detector|all;
OR...
appid agt|basic|policy|dfa|all;
OR...
all;
}
OR...
unset {
tcp reass|fptcp|all;
OR...
ssl basic|all;
OR...
proxy basic|all;
OR...
pow basic|all;
OR...
misc misc|all;
OR...
flow basic|ager|np|ha|arp|receive|all;
OR...
tunnel flow|ager;
OR...
ctd basic|sml|url|detector|all;
OR...
appid basic|policy|dfa|all;
OR...
all;
}
}
OR...
device-server {
set {
agent basic|conn|ntlm|group|sslvpn|detail|ha|tsa|all;
OR...
misc basic|all;
OR...
base config|all;
OR...
url basic|stat|all;
OR...
config basic|tdb|fpga|all;
OR...
tdb basic|aho|all;
OR...
all;
}
OR...
unset {
agent basic|conn|detail|sslvpn|ha|tsa|all;
OR...
base config|all;
OR...
misc basic|all;
OR...
url basic|all;
OR...
config basic|tdb|fpga|all;
OR...

tdb basic|aho|all;
OR...
all;
}
OR...
test {
dynamic-url <value>;
OR...
url <value>;
OR...
url-category 1-4192;
OR...
admin-override-password <value>;
}
OR...
delete {
dynamic-url {
host {
all;
OR...
name <value>;
}
}
}
OR...
reset {
brightcloud-database;
OR...
url {
dynamic-url-timeout 1-43200;
OR...
dynamic-url-size 10-1000000;
}
OR...
logging {
statistics;
}
OR...
pan-ntlm-agent {
all;
}
OR...
pan-agent {
all;
}
OR...
captive-portal {
ip-address <ip/netmask>;
}
OR...
id-manager;
OR...
url-cache;
}
OR...
save {
dynamic-url {
database;
}

}
OR...
dump {
dynamic-url {
database {
start-from 1-1000000;
category <value>;
}
OR...
statistics;
}
OR...
user-group {
name <value>;
}
OR...
ts-agent {
config;
}
OR...
idmgr {
type {
zone {
all;
OR...
id 1-4294967295;
OR...
name <value>;
}
OR...
vsys {
all;
OR...
id 1-4294967295;
OR...
name <value>;
}
OR...
global-tunnel {
all;
OR...
id 1-;
OR...
name <value>;
}
OR...
global-interface {
all;
OR...
id 1-4294967295;
OR...
name <value>;
}
OR...
global-vlan-domain {
all;
OR...
id 1-4294967295;
OR...

name <value>;
}
OR...
global-vlan {
all;
OR...
id 1-4294967295;
OR...
name <value>;
}
OR...
global-vrouter {
all;
OR...
id 1-4294967295;
OR...
name <value>;
}
OR...
global-rib-instance {
all;
OR...
id 1-4294967295;
OR...
name <value>;
}
OR...
shared-application {
all;
OR...
id 1-4294967295;
OR...
name <value>;
}
OR...
custom-url-filter {
all;
OR...
id 1-4294967295;
OR...
name <value>;
}
OR...
user {
all;
OR...
id 1-4294967295;
OR...
name <value>;
}
OR...
user-group {
all;
OR...
id 1-4294967295;
OR...
name <value>;
}
OR...

custom-application {
all;
OR...
id 1-4096;
OR...
name <value>;
}
OR...
security-rule {
all;
OR...
id 1-4096;
OR...
name <value>;
}
OR...
nat-rule {
all;
OR...
id 1-4096;
OR...
name <value>;
}
OR...
ssl-rule {
all;
OR...
id 1-4096;
OR...
name <value>;
}
OR...
ike-gateway {
all;
OR...
id 1-4096;
OR...
name <value>;
}
}
}
OR...
logging {
statistics;
}
}
OR...
on error|warn|info|debug|dump;
OR...
off;
OR...
clear;
OR...
show;
OR...
refresh {
user-group;
}
}

OR...
dhcpd {
global {
on {
error;
OR...
warn;
OR...
info;
OR...
debug;
OR...
dump;
}
OR...
off;
OR...
show;
}
OR...
pcap {
show;
OR...
on {
virtualrouter <value>;
}
OR...
off;
OR...
delete;
OR...
view;
}
}
OR...
ez {
enable;
OR...
disable;
OR...
show {
counter {
index 0-4194304;
num-counters 0-40;
}
OR...
session-counter {
index 0-4194304;
num-counters 0-40;
}
OR...
port {
index 0-32;
}
OR...
throughput;
OR...
arp;
OR...

route;
OR...
session;
OR...
drop_flag;
OR...
freerfd;
OR...
register {
index 0-4294967295;
count 0-40;
}
OR...
tm-stats;
}
OR...
set {
drop 0|1;
}
}
OR...
high-availability-agent {
on error|warn|info|debug|dump;
OR...
off;
OR...
show;
OR...
internal-dump;
OR...
model-check on|off;
OR...
commit-ex-hello on|off;
}
OR...
ike {
global {
on {
normal;
OR...
debug;
OR...
dump;
}
OR...
off;
OR...
show;
}
OR...
pcap {
show;
OR...
on;
OR...
off;
OR...
delete;
OR...

view;
}
OR...
socket;
OR...
stat;
}
OR...
keymgr {
on {
normal;
OR...
debug;
OR...
dump;
}
OR...
off;
OR...
show;
OR...
list-sa;
}
OR...
log-receiver {
on {
normal;
OR...
debug;
OR...
dump;
}
OR...
off;
OR...
show;
OR...
statistics;
OR...
fwd {
on;
OR...
off;
OR...
show;
}
}
OR...
management-server {
on error|warn|info|debug|dump;
OR...
off;
OR...
clear;
OR...
show;
OR...
phased-commit enable|disable|show;
OR...

client {
disable device|ikemgr|dhcpd|ha_agent|routed|npagent|modhttpd|rasmgr;
OR...
enable device|ikemgr|dhcpd|ha_agent|routed|npagent|modhttpd|rasmgr;
}
}
OR...
master-service {
on error|warn|info|debug|dump;
OR...
off;
OR...
show;
OR...
internal-dump;
}
OR...
netconfig-agent {
on {
dump;
OR...
debug;
OR...
info;
OR...
warn;
OR...
error;
}
OR...
off;
OR...
show;
}
OR...
rasmgr {
on {
normal;
OR...
debug;
OR...
dump;
}
OR...
off;
OR...
show;
}
OR...
routing {
mib <value>;
OR...
list-mib;
OR...
fib {
flush;
OR...
stats;
}

OR...
global {
on {
error;
OR...
warn;
OR...
info;
OR...
debug;
OR...
dump;
}
OR...
off;
OR...
show;
}
OR...
pcap {
show;
OR...
ospf {
on {
virtualrouter <value>;
}
OR...
off;
OR...
delete;
OR...
view;
}
OR...
rip {
on {
virtualrouter <value>;
}
OR...
off;
OR...
delete;
OR...
view;
}
OR...
all {
on {
virtualrouter <value>;
}
OR...
off;
OR...
delete;
OR...
view;
}
}
OR...
socket;
}
OR...
software {
restart {
pan-comm;
OR...
device-server;
OR...
management-server;
OR...
web-server;
}
}
OR...
swm {
list;
OR...
log;
OR...
history;
OR...
status;
OR...
unlock;
OR...
revert;
OR...
refresh {
content;
}
}
OR...
tac-login {
permanently-disable;
OR...
disable;
OR...
enable;
}
OR...
vardata-receiver {
on {
normal;
OR...
debug;
OR...
dump;
}
OR...
off;
OR...
show;
OR...
statistics;
}
}
OR...
set {
application {
dump-unknown yes|no;
OR...
dump {
on {
limit 1-5000;
from <value>;
to <value>;
source <value>;
destination <value>;
source-user <value>;
destination-user <value>;
source-port 1-65535;
destination-port 1-65535;
protocol 1-255;
application <value>;
rule <value>;
}
OR...
off;
}
OR...
cache yes|no;
OR...
supernode yes|no;
OR...
heuristics yes|no;
OR...
notify-user yes|no;
}
OR...
cli {
pager on|off;
OR...
confirmation-prompt on|off;
OR...
scripting-mode on|off;
OR...
timeout {
idle |1-1440;
}
OR...
terminal {
type aaa|aaa+dec|aaa+rv|aaa+unk|aaa-18|aaa-18-rv|aaa-20|aaa-22|aaa-
24|aaa-24-rv|aaa-26|aaa-28|aaa-30-ctxt|aaa-30-rv|aaa-30-rv-ctxt|aaa-30-
s|aaa-30-s-rv|aaa-36|aaa-36-rv|aaa-40|aaa-40-rv|aaa-48|aaa-48-rv|aaa-60|aaa-
60-dec-rv|aaa-60-rv|aaa-60-s|aaa-60-s-rv|aaa-db|aaa-rv-unk|aaa-s-ctxt|aaa-s-
rv-ctxt|aas1901|abm80|abm85|abm85e|abm85h|abm85h-
old|act4|act5|addrinfo|adds980|adm+sgr|adm11|adm1178|adm12|adm1a|adm2|adm20|
adm21|adm22|adm3|adm31|adm31-old|adm36|adm3a|adm3a+|adm42|adm42-
ns|adm5|aepro|aixterm|aixterm-m|aixterm-m-old|aj510|aj830|alto-
h19|altos2|altos3|altos4|altos7|altos7pc|amiga|amiga-8bit|amiga-h|amiga-
vnc|ampex175|ampex175-
b|ampex210|ampex219|ampex219w|ampex232|ampex232w|ampex80|annarbor4080|ansi|a
nsi+arrows|ansi+csr|ansi+cup|ansi+erase|ansi+idc|ansi+idl|ansi+idl1|ansi+ini
ttabs|ansi+local|ansi+local1|ansi+pp|ansi+rca|ansi+rep|ansi+sgr|ansi+sgrbold
|ansi+sgrdim|ansi+sgrso|ansi+sgrul|ansi+tabs|ansi-color-2-emx|ansi-color-3-
emx|ansi-emx|ansi-generic|ansi-m|ansi-mini|ansi-mr|ansi-mtabs|ansi-
nt|ansi.sys|ansi.sys-
old|ansi.sysk|ansi77|apollo|apollo_15P|apollo_19L|apollo_color|apple-
80|apple-ae|apple-soroc|apple-uterm|apple-uterm-vb|apple-videx|apple-
videx2|apple-videx3|apple-vm80|apple2e|apple2e-
p|apple80p|appleII|appleIIgs|arm100|arm100-
w|atari|att2300|att2350|att4410|att4410v1-w|att4415|att4415+nl|att4415-
nl|att4415-rv|att4415-rv-nl|att4415-w|att4415-w-nl|att4415-w-rv|att4415-w-
rv-n|att4418|att4418-w|att4420|att4424|att4424-
1|att4424m|att4426|att500|att505|att505-24|att510a|att510d|att5310|att5410-
w|att5410v1|att5420_2|att5420_2-w|att5425|att5425-nl|att5425-
w|att5620|att5620-1|att5620-24|att5620-34|att5620-s|att605|att605-pc|att605-
w|att610|att610-103k|att610-103k-w|att610-w|att615|att615-103k|att615-103k-
w|att615-w|att620|att620-103k|att620-103k-w|att620-w|att630|att630-
24|att6386|att700|att730|att730-24|att730-41|att7300|att730r|att730r-
24|att730r-41|avatar|avatar0|avatar0+|avt|avt+s|avt-ns|avt-rv|avt-rv-ns|avt-
w|avt-w-ns|avt-w-rv|avt-w-rv-
ns|aws|awsc|bantam|basis|beacon|beehive|beehive3|beehive4|beterm|bg1.25|bg1.
25nv|bg1.25rv|bg2.0|bg2.0rv|bitgraph|blit|bobcat|bq300|bq300-8|bq300-8-
pc|bq300-8-pc-rv|bq300-8-pc-w|bq300-8-pc-w-rv|bq300-8rv|bq300-8w|bq300-
pc|bq300-pc-rv|bq300-pc-w|bq300-pc-w-rv|bq300-rv|bq300-w|bq300-w-8rv|bq300-
w-rv|bsdos-pc|bsdos-pc-m|bsdos-pc-nobold|bsdos-ppc|bsdos-sparc|c100|c100-
rv|c108|c108-4p|c108-rv|c108-rv-4p|c108-w|ca22851|cad68-2|cad68-
3|cbblit|cbunix|cci|cdc456|cdc721|cdc721-
esc|cdc721ll|cdc752|cdc756|cg7900|cit101|cit101e|cit101e-132|cit101e-
n|cit101e-n132|cit101e-rv|cit500|cit80|citoh|citoh-6lpi|citoh-8lpi|citoh-
comp|citoh-elite|citoh-pica|citoh-
prop|coco3|color_xterm|commodore|cons25|cons25-m|cons25l1|cons25l1-
m|cons25r|cons25r-m|cons25w|cons30|cons30-m|cons43|cons43-m|cons50|cons50-
m|cons50l1|cons50l1-m|cons50r|cons50r-m|cons60|cons60-m|cons60l1|cons60l1-
m|cons60r|cons60r-m|contel300|contel301|cops10|crt|cs10|cs10-
w|ct8500|ctrm|cyb110|cyb83|cygwin|cygwinB19|cygwinDBG|d132|d200|d210|d210-
dg|d211|d211-7b|d211-dg|d216-dg|d216-unix|d216-unix-25|d217-unix|d217-unix-
25|d220|d220-7b|d220-dg|d230c|d230c-dg|d400|d410|d410-7b|d410-7b-w|d410-
dg|d410-w|d412-dg|d412-unix|d412-unix-25|d412-unix-s|d412-unix-sr|d412-unix-
w|d413-unix|d413-unix-25|d413-unix-s|d413-unix-sr|d413-unix-w|d414-
unix|d414-unix-25|d414-unix-s|d414-unix-sr|d414-unix-w|d430c-dg|d430c-dg-
ccc|d430c-unix|d430c-unix-25|d430c-unix-25-ccc|d430c-unix-ccc|d430c-unix-
s|d430c-unix-s-ccc|d430c-unix-sr|d430c-unix-sr-ccc|d430c-unix-w|d430c-unix-
w-ccc|d470c|d470c-7b|d470c-dg|d555|d555-7b|d555-7b-w|d555-dg|d555-
w|d577|d577-7b|d577-7b-w|d577-dg|d577-w|d578|d578-7b|d800|ddr|dec-vt100|dec-
vt220|decansi|delta|dg+ccc|dg+color|dg+color8|dg+fixed|dg-
generic|dg200|dg210|dg211|dg450|dg460-ansi|dg6053|dg6053-
old|dgkeys+11|dgkeys+15|dgkeys+7b|dgkeys+8b|dgmode+color|dgmode+color8|dguni
x+ccc|dgunix+fixed|diablo1620|diablo1620-m8|diablo1640|diablo1640-
lm|diablo1740-lm|digilog|djgpp|djgpp203|djgpp204|dku7003|dku7003-
dumb|dku7102-
old|dku7202|dm1520|dm2500|dm3025|dm3045|dm80|dm80w|dmchat|dmterm|dp3360|dp82
42|dt100|dt100w|dt110|dt80-
sas|dtc300s|dtc382|dtterm|dumb|dw1|dw2|dw3|dw4|dwk|ecma+color|ecma+sgr|elks|
elks-ansi|elks-glasstty|elks-vt52|emu|emu-220|emx-
base|env230|ep40|ep48|ergo4000|esprit|esprit-
am|Eterm|eterm|ex155|excel62|excel62-rv|excel62-w|f100|f100-rv|f110|f110-
14|f110-14w|f110-w|f1720|f200|f200-w|f200vi|f200vi-w|falco|falco-
p|fos|fox|gator|gator-52|gator-52t|gator-t|gigi|glasstty|gnome|gnome-
rh62|gnome-rh72|gnome-rh80|gnome-rh90|go140|go140w|go225|graphos|graphos-
30|gs6300|gsi|gt40|gt42|guru|guru+rv|guru+s|guru-24|guru-44|guru-44-s|guru-
76|guru-76-lp|guru-76-s|guru-76-w|guru-76-w-s|guru-76-wm|guru-nctxt|guru-
rv|guru-s|h19|h19-a|h19-bs|h19-g|h19-u|h19-
us|h19k|ha8675|ha8686|hazel|hds200|hft-c|hft-c-old|hft-
old|hirez100|hirez100-
w|hmod1|hp+arrows|hp+color|hp+labels|hp+pfk+arrows|hp+pfk+cr|hp+pfk-
cr|hp+printer|hp110|hp150|hp2|hp236|hp2382a|hp2392|hp2397a|hp2621|hp2621-
48|hp2621-a|hp2621-ba|hp2621-fl|hp2621-k45|hp2621-nl|hp2621-
nt|hp2621b|hp2621b-kx|hp2621b-kx-p|hp2621b-p|hp2621p|hp2621p-
a|hp2622|hp2623|hp2624|hp2624-10p|hp2624b-10p-p|hp2624b-p|hp2626|hp2626-
12|hp2626-12-s|hp2626-12x40|hp2626-ns|hp2626-s|hp2626-x40|hp2627a|hp2627a-
rev|hp2627c|hp262x|hp2640a|hp2640b|hp2641a|hp2645|hp2648|hp300h|hp700-
wy|hp70092|hp9837|hp9845|hp98550|hpansi|hpex|hpgeneric|hpsub|hpterm|hurd|hz1
000|hz1420|hz1500|hz1510|hz1520|hz1520-noesc|hz1552|hz1552-
rv|hz2000|i100|i400|ibcs2|ibm+16color|ibm+color|ibm-apl|ibm-pc|ibm-
system1|ibm3101|ibm3151|ibm3161|ibm3161-
C|ibm3162|ibm3164|ibm327x|ibm5081|ibm5081-c|ibm5151|ibm5154|ibm6153|ibm6153-
40|ibm6153-90|ibm6154|ibm6155|ibm8503|ibm8512|ibm8514|ibm8514-
c|ibmaed|ibmapa8c|ibmapa8c-c|ibmega|ibmega-
c|ibmmono|ibmpc|ibmpc3|ibmpcx|ibmvga|ibmvga-c|icl6404|icl6404-w|ifmr|ims-
ansi|ims950|ims950-b|ims950-rv|infoton|interix|interix-
nti|intertube|intertube2|intext|intext2|iris-ansi|iris-ansi-ap|iris-
color|jaixterm|jaixterm-m|kaypro|kermit|kermit-
am|klone+acs|klone+color|klone+koi8acs|klone+sgr|klone+sgr-
dumb|konsole|konsole-16color|konsole-base|konsole-linux|konsole-
vt100|konsole-vt420pc|konsole-xf3x|konsole-xf4x|kt7|kt7ix|kterm|kterm-
color|kvt|lft|linux|linux-basic|linux-c|linux-c-nc|linux-koi8|linux-
koi8r|linux-lat|linux-m|linux-nic|linux-vt|lisa|lisaterm|lisaterm-
w|liswb|ln03|ln03-w|lpr|luna|m2-nam|mac|mac-w|mach|mach-bold|mach-
color|mai|masscomp|masscomp1|masscomp2|megatek|memhp|mgr|mgr-linux|mgr-
sun|mgterm|microb|mime|mime-fb|mime-hb|mime2a|mime2a-
s|mime314|mime3a|mime3ax|minitel1|minitel1b|minitel1b-80|minix|minix-
old|minix-old-am|mlterm|mm340|modgraph|modgraph2|modgraph48|mono-
emx|morphos|ms-vt-utf8|ms-vt100|ms-vt100+|ms-vt100-
color|msk227|msk22714|msk227am|mt4520-rv|mt70|mterm|mterm-
ansi|MtxOrb|MtxOrb162|MtxOrb204|mvterm|nansi.sys|nansi.sysk|ncr160vppp|ncr16
0vpwpp|ncr160vt100an|ncr160vt100pp|ncr160vt100wan|ncr160vt100wpp|ncr160vt200
an|ncr160vt200pp|ncr160vt200wan|ncr160vt200wpp|ncr160vt300an|ncr160vt300pp|n
cr160vt300wan|ncr160vt300wpp|ncr160wy50+pp|ncr160wy50+wpp|ncr160wy60pp|ncr16
0wy60wpp|ncr260intan|ncr260intpp|ncr260intwan|ncr260intwpp|ncr260vppp|ncr260
vpwpp|ncr260vt100an|ncr260vt100pp|ncr260vt100wan|ncr260vt100wpp|ncr260vt200a
n|ncr260vt200pp|ncr260vt200wan|ncr260vt200wpp|ncr260vt300an|ncr260vt300pp|nc
r260vt300wan|NCR260VT300WPP|ncr260wy325pp|ncr260wy325wpp|ncr260wy350pp|ncr26
0wy350wpp|ncr260wy50+pp|ncr260wy50+wpp|ncr260wy60pp|ncr260wy60wpp|ncr7900i|n
cr7900iv|ncr7901|ncrvt100an|ncrvt100wan|ncsa|ncsa-m|ncsa-m-ns|ncsa-ns|ncsa-
vt220|nec5520|newhp|newhpkeyboard|news-29|news-29-euc|news-29-sjis|news-
33|news-33-euc|news-33-sjis|news-42|news-42-euc|news-42-sjis|news-old-
unk|news-
unk|news28|news29|next|nextshell|northstar|nsterm|nsterm+7|nsterm+acs|nsterm
+c|nsterm+c41|nsterm+mac|nsterm+s|nsterm-7|nsterm-7-c|nsterm-acs|nsterm-
c|nsterm-c-acs|nsterm-c-s|nsterm-c-s-7|nsterm-c-s-acs|nsterm-m|nsterm-m-
7|nsterm-m-acs|nsterm-m-s|nsterm-m-s-7|nsterm-m-s-acs|nsterm-s|nsterm-s-
7|nsterm-s-acs|nwp511|nwp512|nwp512-a|nwp512-o|nwp513|nwp513-a|nwp513-
o|nwp517|nwp517-w|oblit|oc100|ofcons|oldpc3|oldsun|omron|opennt-100|opennt-
100-nti|opennt-35|opennt-35-nti|opennt-35-w|opennt-50|opennt-50-nti|opennt-
50-w|opennt-60|opennt-60-nti|opennt-60-w|opennt-w|opennt-w-
vt|opus3n1+|origpc3|osborne|osborne-
w|osexec|otek4112|otek4115|owl|p19|p8gl|pc-coherent|pc-minix|pc-
venix|pc3|pc6300plus|pcansi|pcansi-25|pcansi-25-m|pcansi-33|pcansi-33-
m|pcansi-43|pcansi-43-m|pcansi-
m|pccons|pcix|pckermit|pckermit120|pcmw|pcplot|pcvt25|pcvt25-
color|pcvt25w|pcvt28|pcvt28w|pcvt35|pcvt35w|pcvt40|pcvt40w|pcvt43|pcvt43w|pc
vt50|pcvt50w|pcvtXX|pe1251|pe7000c|pe7000m|pilot|pmcons|prism12|prism12-
m|prism12-m-w|prism12-w|prism14|prism14-m|prism14-m-w|prism14-
w|prism2|prism4|prism5|prism7|prism8|prism8-w|prism9|prism9-8|prism9-8-
w|prism9-w|pro350|ps300|psterm|psterm-80x24|psterm-90x28|psterm-
96x48|psterm-fast|pt100|pt100w|pt210|pt250|pt250w|pty|putty|qansi|qansi-
g|qansi-m|qansi-t|qansi-
w|qdss|qnx|qnxm|qnxt|qnxt2|qnxtmono|qnxw|qume5|qvt101|qvt101+|qvt102|qvt103|
qvt103-w|qvt119+|qvt119+-25|qvt119+-25-w|qvt119+-w|qvt203|qvt203-25|qvt203-
25-w|qvt203-w|rbcomm|rbcomm-nam|rbcomm-w|rca|rcons|rcons-
color|regent|regent100|regent20|regent25|regent40|regent40+|regent60|rt6221|
rt6221-w|rtpc|rxvt|rxvt+pcfkeys|rxvt-16color|rxvt-basic|rxvt-color|rxvt-
cygwin|rxvt-cygwin-native|rxvt-xpm|sb1|sb2|sbi|scanset|scoansi|scoansi-
new|scoansi-old|screen|screen-bce|screen-s|screen-
w|screen.linux|screen.teraterm|screen.xterm-r6|screen.xterm-
xfree86|screen2|screen3|screwpoint|scrhp|sibo|simterm|soroc120|soroc140|st52
|sun|sun-1|sun-12|sun-17|sun-24|sun-34|sun-48|sun-c|sun-cgsix|sun-e|sun-e-
s|sun-il|sun-s|sun-type4|superbee-
xsb|superbeeic|superbrain|swtp|synertek|t10|t1061|t1061f|t16|t3700|t3800|tab
132|tab132-rv|tab132-w|tab132-w-
rv|tandem6510|tandem653|tek|tek4013|tek4014|tek4014-sm|tek4015|tek4015-
sm|tek4023|tek4024|tek4025-17|tek4025-17-ws|tek4025-cr|tek4025-
ex|tek4025a|tek4025ex|tek4105|tek4105-
30|tek4105a|tek4106brl|tek4107|tek4112|tek4112-5|tek4112-nd|tek4113|tek4113-
34|tek4113-nd|tek4115|tek4125|tek4205|tek4207|tek4207-
s|tek4404|teletec|teraterm|terminet1200|ti700|ti916|ti916-132|ti916-8|ti916-
8-132|ti924|ti924-8|ti924-8w|ti924w|ti926|ti926-8|ti928|ti928-
8|ti931|ti_ansi|trs16|trs2|ts100|ts100-ctxt|tt|tt505-
22|tty33|tty37|tty40|tty43|tvi803|tvi9065|tvi910|tvi910+|tvi912|tvi912b|tvi9
12b+2p|tvi912b+dim|tvi912b+mc|tvi912b+printer|tvi912b+vb|tvi912b-2p|tvi912b-
2p-mc|tvi912b-2p-p|tvi912b-2p-unk|tvi912b-mc|tvi912b-p|tvi912b-unk|tvi912b-
vb|tvi912b-vb-mc|tvi912b-vb-p|tvi912b-vb-
unk|tvi912cc|tvi920b|tvi920b+fn|tvi920b-2p|tvi920b-2p-mc|tvi920b-2p-
p|tvi920b-2p-unk|tvi920b-mc|tvi920b-p|tvi920b-unk|tvi920b-vb|tvi920b-vb-
mc|tvi920b-vb-p|tvi920b-vb-unk|tvi921|tvi924|tvi925|tvi925-
hi|tvi92B|tvi92D|tvi950|tvi950-2p|tvi950-4p|tvi950-rv|tvi950-rv-2p|tvi950-
rv-4p|tvi955|tvi955-hb|tvi955-w|tvi970|tvi970-2p|tvi970-vb|tvipt|tws-
generic|tws2102-sna|tws2103|tws2103-
sna|uniterm|unknown|uts30|uwin|v3220|v5410|vanilla|vc303|vc303a|vc404|vc404-
s|vc414|vc415|versaterm|vi200|vi200-f|vi200-rv|vi300|vi300-
old|vi50|vi500|vi50adm|vi55|vi550|vi603|viewpoint|vip|vip-H|vip-Hw|vip-
w|visa50|vp3a+|vp60|vp90|vremote|vsc|vt100|vt100+fnkeys|vt100+keypad|vt100+p
fkeys|vt100-nav|vt100-nav-w|vt100-putty|vt100-s|vt100-s-bot|vt100-vb|vt100-
w|vt100-w-nam|vt100nam|vt102|vt102-nsgr|vt102-w|vt125|vt131|vt132|vt200-
js|vt220|vt220+keypad|vt220-8bit|vt220-nam|vt220-old|vt220-
w|vt220d|vt320|vt320-k3|vt320-k311|vt320-nam|vt320-w|vt320-w-
nam|vt320nam|vt340|vt400|vt420|vt420f|vt420pc|vt420pcdos|vt50|vt50h|vt510|vt
510pc|vt510pcdos|vt52|vt520|vt525|vt61|wsiris|wsvt25|wsvt25m|wy100|wy100q|wy
120|wy120-25|wy120-25-w|wy120-vb|wy120-w|wy120-w-vb|wy160|wy160-25|wy160-25-
w|wy160-42|wy160-42-w|wy160-43|wy160-43-w|wy160-tek|wy160-vb|wy160-w|wy160-
w-vb|wy185|wy185-24|wy185-vb|wy185-w|wy185-wvb|wy30|wy30-mc|wy30-
vb|wy325|wy325-25|wy325-25w|wy325-42|wy325-42w|wy325-42w-vb|wy325-43|wy325-
43w|wy325-43w-vb|wy325-vb|wy325-w|wy325-w-vb|wy350|wy350-vb|wy350-w|wy350-
wvb|wy370|wy370-105k|wy370-EPC|wy370-nk|wy370-rv|wy370-tek|wy370-vb|wy370-
w|wy370-wvb|wy50|wy50-mc|wy50-vb|wy50-w|wy50-wvb|wy520|wy520-24|wy520-
36|wy520-36pc|wy520-36w|wy520-36wpc|wy520-48|wy520-48pc|wy520-48w|wy520-
48wpc|wy520-epc|wy520-epc-24|wy520-epc-vb|wy520-epc-w|wy520-epc-wvb|wy520-
vb|wy520-w|wy520-wvb|wy60|wy60-25|wy60-25-w|wy60-42|wy60-42-w|wy60-43|wy60-
43-w|wy60-vb|wy60-w|wy60-w-vb|wy75|wy75-mc|wy75-vb|wy75-w|wy75-
wvb|wy75ap|wy85|wy85-8bit|wy85-vb|wy85-w|wy85-wvb|wy99-ansi|wy99a-
ansi|wy99f|wy99fa|wy99gt|wy99gt-25|wy99gt-25-w|wy99gt-tek|wy99gt-vb|wy99gt-
w|wy99gt-w-vb|wyse-
vp|x10term|x68k|xerox1720|xerox820|xnuppc|xnuppc+100x37|xnuppc+112x37|xnuppc
+128x40|xnuppc+128x48|xnuppc+144x48|xnuppc+160x64|xnuppc+200x64|xnuppc+200x7
5|xnuppc+256x96|xnuppc+80x25|xnuppc+80x30|xnuppc+90x30|xnuppc+b|xnuppc+basic
|xnuppc+c|xnuppc+f|xnuppc+f2|xnuppc-100x37|xnuppc-100x37-m|xnuppc-
112x37|xnuppc-112x37-m|xnuppc-128x40|xnuppc-128x40-m|xnuppc-128x48|xnuppc-
128x48-m|xnuppc-144x48|xnuppc-144x48-m|xnuppc-160x64|xnuppc-160x64-m|xnuppc-
200x64|xnuppc-200x64-m|xnuppc-200x75|xnuppc-200x75-m|xnuppc-256x96|xnuppc-
256x96-m|xnuppc-80x25|xnuppc-80x25-m|xnuppc-80x30|xnuppc-80x30-m|xnuppc-
90x30|xnuppc-90x30-m|xnuppc-b|xnuppc-f|xnuppc-f2|xnuppc-m|xnuppc-m-b|xnuppc-
m-f|xnuppc-m-f2|xtalk|xterm|xterm+pcfkeys|xterm+sl|xterm+sl-twm|xterm-
1002|xterm-1003|xterm-16color|xterm-24|xterm-256color|xterm-88color|xterm-
8bit|xterm-basic|xterm-bold|xterm-color|xterm-hp|xterm-new|xterm-nic|xterm-
noapp|xterm-pcolor|xterm-r5|xterm-r6|xterm-sco|xterm-sun|xterm-vt220|xterm-
vt52|xterm-xf86-v32|xterm-xf86-v33|xterm-xf86-v333|xterm-xf86-v40|xterm-
xf86-v43|xterm-xf86-v44|xterm-xfree86|xterm-xi|xterm1|xtermc|xtermm|xterms-
sun|z100|z100bw|z29|z29a|z29a-kc-uc|z29a-nkc-bc|z29a-nkc-uc|z340|z340-
nam|z39-a|zen30|zen50|ztx;
OR...
width 1-500;
OR...
height 1-500;
}
}
OR...
clock {
date <value>;
time <value>;
}
OR...
ctd {
x-forwarded-for yes|no;
}
OR...
data-access-password <value>;
OR...
logging {
max-log-rate 0-50000;
OR...
max-packet-rate 0-2560;
OR...
log-suppression yes|no;
OR...
default;
}
OR...
management-server {
unlock {
admin <value>;
}
OR...
logging on|off|import-start|import-end;
}
OR...
multi-vsys on|off;
OR...
panorama on|off;
OR...
password;
OR...
proxy {
skip-proxy yes|no;
OR...
skip-ssl yes|no;
OR...
answer-timeout 1-86400;
OR...
notify-user yes|no;
}
OR...
session {
timeout-tcp 1-15999999;
OR...
timeout-udp 1-15999999;
OR...
timeout-icmp 1-15999999;
OR...
timeout-default 1-15999999;
OR...
timeout-tcpinit 1-60;
OR...
timeout-tcpwait 1-60;
OR...
timeout-scan 5-30;
OR...
scan-threshold 50-99;
OR...
scan-scaling-factor 2-16;
OR...
accelerated-aging-enable yes|no;
OR...
accelerated-aging-threshold 50-99;
OR...
accelerated-aging-scaling-factor 2-16;
OR...
tcp-reject-non-syn yes|no;
OR...
offload yes|no;
OR...
default;
}
OR...
shared-policy enable|disable|import-and-disable;
OR...
ssl-vpn {
unlock {
vsys <value>;
auth-profile <value>;
user <value>;
}
}
OR...
target-vsys <value>;
OR...
url-database <value>;
OR...
zip {
enable yes|no;
}
}
OR...
request {
certificate {
self-signed {
for-use-by web-interface|ssl-decryption|ssl-untrusted|inbound-proxy;
passphrase <value>;
name <value>;
nbits 1024|512;
country-code <value>;
state <value>;
locality <value>;
organization <value>;
organization-unit <value>;
email <value>;
filename <value>;
}
OR...
install {
for-use-by {
web-interface {
passphrase <value>;
key <value>;
certificate <value>;
}
OR...
ssl-decryption {
passphrase <value>;
key <value>;
certificate <value>;
}
OR...
ssl-untrusted {
passphrase <value>;
key <value>;
certificate <value>;
}
OR...
inbound-proxy {
passphrase <value>;
key <value>;
certificate <value>;
name <value>;
}
}
}
OR...
verify {
for-use-by {
web-interface {
passphrase <value>;
key <value>;
certificate <value>;
}
}
}
}
OR...
comfort-page {
install application-block-page|url-block-page|spyware-block-page|virus-block-page|file-block-page;
}
OR...
content {
downgrade {
install <value>;
}
OR...
upgrade {
info;
OR...
check;
OR...
download latest;
OR...
install {
version latest;
OR...
file <value>;
commit yes|no;
}
}
}
OR...
data-filtering {
access-password {
create {
password <value>;
}
OR...
modify {
old-password <value>;
new-password <value>;
}
OR...
delete;
}
}
OR...
device-registration {
username <value>;
password <value>;
}
OR...
high-availability {
sync-to-remote {
candidate-config;
OR...
running-config;
OR...
disk-state;
OR...
runtime-state;
OR...
clock;
}
OR...
state {
suspend;
OR...
functional;
}
OR...
clear-alarm-led;
}
OR...
license {
info;
OR...
fetch {
auth-code <value>;
}
OR...
install <value>;
}
OR...
password-hash {
password <value>;
}
OR...
restart {
system;
OR...
software;
OR...
dataplane;
}
OR...
ssl-optout-text {
install;
}
OR...
ssl-vpn {
client-register {
portal <value>;
domain <value>;
user <value>;
}
OR...
client-logout {
portal <value>;
domain <value>;
user <value>;
authcookie <value>;
reason |||||||||<value>;
}
OR...
client-config {
portal <value>;
user <value>;
authcookie <value>;
client-type 1-100000;
os-version <value>;
app-version <value>;
protocol-version |<value>;
existing-ip <value>;
existing-mtu 1-32000;
preferred-ip <ip>;
}
OR...
ssl-switch {
portal <value>;
user <value>;
authcookie <value>;
conn-c-ip <ip>;
conn-c-port 1-65535;
conn-s-ip <ip>;
conn-s-port 1-65535;
}
}
OR...
support {
info;
OR...
check;
}
OR...
system {
software {
info;
OR...
check;
OR...
download {
version <value>;
OR...
file <value>;
}
OR...
install {
version <value>;
OR...
file <value>;
}
}
OR...
factory-reset;
}
OR...
tech-support {
dump;
}
OR...
url-filtering {
upgrade {
brightcloud;
}
OR...
download {
status;
}
}
OR...
vpnclient {
software {
info;
OR...
check;
OR...
download {
version <value>;
OR...
file <value>;
}
OR...
install {
version <value>;
OR...
file <value>;
}
}
}
}
OR...
check {
data-access-passwd {
system;
}
OR...
pending-changes;
}
OR...
save {
config {
to <value>;
}
}
OR...
scp {
export {
configuration {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
packet-log {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
pdf-reports {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
filter {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
application {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
ssl-decryption-certificate {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
web-interface-certificate {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
logdb {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
log {
traffic {
max-log-count 0-65535;
unexported-only {
equal yes|no;
}
start-time {
equal <value>;
}
end-time {
equal <value>;
}
query <value>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
threat {
max-log-count 0-65535;
unexported-only {
equal yes|no;
}
start-time {
equal <value>;
}
end-time {
equal <value>;
}
query <value>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
}
OR...
stats-dump {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
tech-support {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
core-file {
control-plane {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
data-plane {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
}
OR...
log-file {
control-plane {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
data-plane {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
}
OR...
ssl-optout-text {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
captive-portal-text {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
url-coach-text {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
file-block-page {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
application-block-page {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
url-block-page {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
virus-block-page {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
spyware-block-page {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
debug-pcap {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
}
OR...
import {
configuration {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
ssl-decryption-certificate {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
private-key {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
web-interface-certificate {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
trusted-ca-certificate {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
logdb {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
license {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
content {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
software {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
inbound-proxy-key {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
ssl-optout-text {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
captive-portal-text {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
url-coach-text {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
application-block-page {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
url-block-page {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
file-block-page {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
virus-block-page {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
spyware-block-page {
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
sslvpn-custom-login-page {
profile <value>;
from <value>;
remote-port 1-65535;
source-ip <ip>;
}
}
}
OR...
ftp {
export {
log {
traffic {
unexported-only {
equal yes|no;
}
passive-mode {
equal yes|no;
}
start-time {
equal <value>;
}
end-time {
equal <value>;
}
query <value>;
max-log-count 0-65535;
to <value>;
remote-port 1-65535;
}
OR...
threat {
unexported-only {
equal yes|no;
}
passive-mode {
equal yes|no;
}
start-time {
equal <value>;
}
end-time {
equal <value>;
}
query <value>;
max-log-count 0-65535;
to <value>;
remote-port 1-65535;
}
}
}
}
OR...
tftp {
export {
configuration {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
packet-log {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
filter {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
application {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
ssl-decryption-certificate {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
web-interface-certificate {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
stats-dump {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
tech-support {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
core-file {
control-plane {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
data-plane {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
}
OR...
log-file {
control-plane {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
data-plane {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
}
OR...
ssl-optout-text {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
captive-portal-text {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
url-coach-text {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
file-block-page {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
application-block-page {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
url-block-page {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
virus-block-page {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
spyware-block-page {
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
debug-pcap {
from <pathname>;
to <value>;
remote-port 1-65535;
source-ip <ip>;
}
}
OR...
import {
configuration {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
ssl-decryption-certificate {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
private-key {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
web-interface-certificate {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
trusted-ca-certificate {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
license {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
content {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
software {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
ssl-optout-text {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
captive-portal-text {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
url-coach-text {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
file-block-page {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
application-block-page {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
url-block-page {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
virus-block-page {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
spyware-block-page {
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
OR...
sslvpn-custom-login-page {
profile <value>;
from <value>;
file <value>;
remote-port 1-65535;
source-ip <ip>;
}
}
}
OR...
load {
config {
last-saved;
OR...
from <value>;
OR...
version <value>;
OR...
partial {
from <value>;
from-xpath <value>;
to-xpath <value>;
mode merge|replace;
}
}
}
OR...
test {
cp-policy-match {
from <value>;
to <value>;
source <value>;
destination <value>;
}
OR...
dlp {
pattern <value>;
OR...
ccn <value>;
OR...
ssn <value>;
}
OR...
nat-policy-match {
from <value>;
to <value>;
source <value>;
destination <value>;
protocol 1-255;
source-port 1-65535;
destination-port 1-65535;
protocol 1-255;
}
OR...
policy-based-forwarding-policy-match {
from <value>;
source <value>;
destination <value>;
destination-port 1-65535;
source-user <value>;
protocol 1-255;
}
OR...
qos-policy-match {
from <value>;
to <value>;
source <value>;
destination <value>;
destination-port 1-65535;
source-user <value>;
protocol 1-255;
application <value>;
}
OR...
routing {
fib-lookup {
ip <ip>;
virtual-router <value>;
}
}
OR...
security-policy-match {
from <value>;
to <value>;
source <value>;
destination <value>;
destination-port 1-65535;
source-user <value>;
protocol 1-255;
show-all yes|no;
application <value>;
}
OR...
ssl-policy-match {
from <value>;
to <value>;
source <value>;
destination <value>;
category <value>;
}
OR...
vpn {
ike-sa {
gateway <value>;
}
OR...
ipsec-sa {
tunnel <value>;
}
}
}
OR...
less {
mp-log <pathname>;
OR...
dp-log <pathname>;
OR...
mp-backtrace <pathname>;
OR...
dp-backtrace <pathname>;
OR...
webserver-log <pathname>;
OR...
custom-page <pathname>;
OR...
global <pathname>;
OR...
content <pathname>;
}
OR...
grep {
mp-log <pathname>;
OR...
dp-log <pathname>;
after-context 1-65535;
before-context 1-65535;
context 1-65535;
count yes|no;
ignore-case yes|no;
invert-match yes|no;
line-number yes|no;
max-count 1-65535;
no-filename yes|no;
pattern <value>;
}
OR...
ping {
bypass-routing yes|no;
count 1-2000000000;
do-not-fragment yes|no;
host <value>;
inet6 yes|no;
interval 1-2000000000;
no-resolve yes|no;
pattern <value>;
size 0-65468;
source <value>;
tos 1-255;
ttl 1-255;
verbose yes|no;
}
OR...
ssh {
host <value>;
inet yes|no;
port 0-65535;
source <value>;
v1 yes|no;
v2 yes|no;
}
OR...
tail {
mp-log <pathname>;
OR...
dp-log <pathname>;
OR...
webserver-log <pathname>;
follow yes|no;
lines 1-65535;
}
OR...
view-pcap {
application-pcap <pathname>;
OR...
filter-pcap <pathname>;
OR...
threat-pcap <pathname>;
OR...
debug-pcap <pathname>;
absolute-seq yes|no;
delta yes|no;
follow yes|no;
hex yes|no;
hex-ascii yes|no;
hex-ascii-link yes|no;
hex-link yes|no;
link-header yes|no;
no-dns-lookup yes|no;
no-port-lookup yes|no;
no-qualification yes|no;
no-timestamp yes|no;
timestamp yes|no;
undecoded-NFS yes|no;
unformatted-timestamp yes|no;
verbose yes|no;
verbose+ yes|no;
verbose++ yes|no;
}
OR...
telnet {
8bit yes|no;
host <value>;
port 0-65535;
}
OR...
traceroute {
bypass-routing yes|no;
debug-socket yes|no;
do-not-fragment yes|no;
first-ttl 1-255;
gateway <ip/netmask>;
host <value>;
ipv4 yes|no;
ipv6 yes|no;
max-ttl 1-255;
no-resolve yes|no;
pause 1-2000000000;
port 1-65535;
source <value>;
tos 1-255;
wait 1-99999;
}
OR...
netstat {
all yes|no;
cache yes|no;
continuous yes|no;
extend yes|no;
fib yes|no;
groups yes|no;
interfaces yes|no;
listening yes|no;
numeric yes|no;
numeric-hosts yes|no;
numeric-ports yes|no;
numeric-users yes|no;
programs yes|no;
route yes|no;
statistics yes|no;
symbolic yes|no;
timers yes|no;
verbose yes|no;
}
}

Panorama Hierarchy
config {
predefined;
mgt-config {
users {
REPEAT...
<name> {
phash <value>;
remote-authentication radius;
preferences {
disable-dns yes|no;
}
permissions {
role-based {
superreader yes;
OR...
superuser yes;
OR...
panorama-admin yes;
}
}
}
}
devices {
REPEAT...
<name> {
hostname <value>;
ip <ip>;
}
}
}
devices {
REPEAT...
<name> {
deviceconfig {
system {
hostname <value>;
domain <value>;
ip-address <ip>;
netmask <ip>;
default-gateway <ip>;
radius-server <ip>;
radius-secret <value>;
dns-primary <ip>;
dns-secondary <ip>;
ntp-server-1 <value>;
ntp-server-2 <value>;
update-server <value>;
secure-proxy-server <value>;
secure-proxy-port 1-65535;
service {
disable-http yes|no;
disable-https yes|no;
disable-telnet yes|no;
disable-ssh yes|no;
disable-icmp yes|no;
}
timezone W-SU|CST6CDT|Japan|Portugal|Hongkong|Mideast|
Mideast/Riyadh87|Mideast/Riyadh88|Mideast/Riyadh89|Eire|Poland|Factory|
GB-Eire|America|America/Port_of_Spain|America/Indiana|
America/Indiana/Vevay|America/Indiana/Indianapolis|America/Indiana/Marengo|
America/Indiana/Knox|America/St_Johns|America/Grand_Turk|America/Tijuana|
America/Toronto|America/Araguaina|America/Virgin|America/El_Salvador|
America/Coral_Harbour|America/Jujuy|America/Mexico_City|America/Guyana|
America/Cayman|America/Ensenada|America/Fortaleza|America/Iqaluit|
America/Boa_Vista|America/Chihuahua|America/Nome|America/Cancun|
America/Cayenne|America/Recife|America/Panama|America/Caracas|
America/Costa_Rica|America/Cambridge_Bay|America/Martinique|
America/Yellowknife|America/Godthab|America/Sao_Paulo|America/Edmonton|
America/Fort_Wayne|America/Danmarkshavn|America/Barbados|America/Dawson|
America/Thunder_Bay|America/Tegucigalpa|America/Chicago|America/Guadeloupe|
America/Grenada|America/Anguilla|America/Kentucky|
America/Kentucky/Monticello|America/Kentucky/Louisville|America/Argentina|
America/Argentina/Jujuy|America/Argentina/Ushuaia|America/Argentina/Catamarca|
America/Argentina/San_Juan|America/Argentina/Mendoza|
America/Argentina/La_Rioja|America/Argentina/Buenos_Aires|America/Argentina/Tucuman|
America/Argentina/ComodRivadavia|America/Argentina/Cordoba|
America/Argentina/Rio_Gallegos|America/Mazatlan|America/Regina|America/Montevideo|
America/Catamarca|America/Los_Angeles|America/Campo_Grande|America/Aruba|
America/Manaus|America/Knox_IN|America/Rosario|America/St_Lucia|
America/Hermosillo|America/Denver|America/Detroit|America/Santiago|
America/Shiprock|America/Cuiaba|America/Dominica|America/Porto_Acre|
America/Curacao|America/Belize|America/Merida|America/Swift_Current|
America/Antigua|America/Adak|America/Indianapolis|America/Belem|
America/Miquelon|America/Louisville|America/Bogota|America/New_York|
America/Boise|America/Scoresbysund|America/Mendoza|America/Goose_Bay|
America/Yakutat|America/Eirunepe|America/Winnipeg|America/Buenos_Aires|
America/Menominee|America/Paramaribo|America/Thule|America/Montreal|
America/Jamaica|America/Monterrey|America/St_Thomas|America/Rio_Branco|
America/Lima|America/Juneau|America/La_Paz|America/Vancouver|
America/Rankin_Inlet|America/Puerto_Rico|America/St_Kitts|America/Halifax|
America/Guayaquil|America/Inuvik|America/Noronha|America/Nassau|
America/Port-au-Prince|America/Guatemala|America/Glace_Bay|America/Nipigon|
America/Cordoba|America/Bahia|America/Asuncion|America/Maceio|America/Atka|
America/North_Dakota|America/North_Dakota/Center|America/Managua|
America/Anchorage|America/Montserrat|America/Tortola|America/Dawson_Creek|
America/Santo_Domingo|America/Pangnirtung|America/Whitehorse|
America/St_Vincent|America/Porto_Velho|America/Havana|America/Phoenix|
America/Rainy_River|Indian|Indian/Christmas|Indian/Reunion|Indian/Comoro|
Indian/Cocos|Indian/Mauritius|Indian/Antananarivo|Indian/Mahe|
Indian/Mayotte|Indian/Kerguelen|Indian/Chagos|Indian/Maldives|GMT0|Canada|
Canada/Yukon|Canada/Saskatchewan|Canada/Central|Canada/Eastern|
Canada/East-Saskatchewan|Canada/Atlantic|Canada/Pacific|Canada/Mountain|
Canada/Newfoundland|MET|ROK|US|US/Alaska|US/East-Indiana|US/Central|US/Eastern|
US/Samoa|US/Arizona|US/Pacific|US/Aleutian|US/Hawaii|US/Mountain|
US/Michigan|US/Indiana-Starke|MST|Mexico|Mexico/BajaSur|Mexico/General|
Mexico/BajaNorte|EST5EDT|Atlantic|Atlantic/Madeira|Atlantic/Cape_Verde|
Atlantic/St_Helena|Atlantic/Stanley|Atlantic/South_Georgia|
Atlantic/Jan_Mayen|Atlantic/Azores|Atlantic/Reykjavik|Atlantic/Canary|
Atlantic/Faeroe|Atlantic/Bermuda|HST|Antarctica|Antarctica/McMurdo|
Antarctica/Davis|Antarctica/South_Pole|Antarctica/Vostok|Antarctica/Rothera|
Antarctica/Mawson|Antarctica/DumontDUrville|Antarctica/Palmer|
Antarctica/Casey|Antarctica/Syowa|UTC|Iceland|Pacific|Pacific/Honolulu|
Pacific/Truk|Pacific/Niue|Pacific/Wake|Pacific/Apia|Pacific/Majuro|
Pacific/Norfolk|Pacific/Efate|Pacific/Enderbury|Pacific/Palau|
Pacific/Saipan|Pacific/Nauru|Pacific/Kiritimati|Pacific/Tahiti|Pacific/Guam|
Pacific/Tongatapu|Pacific/Fiji|Pacific/Rarotonga|Pacific/Samoa|
Pacific/Fakaofo|Pacific/Guadalcanal|Pacific/Port_Moresby|Pacific/Midway|
Pacific/Galapagos|Pacific/Yap|Pacific/Johnston|Pacific/Marquesas|
Pacific/Noumea|Pacific/Auckland|Pacific/Gambier|Pacific/Kwajalein|
Pacific/Kosrae|Pacific/Wallis|Pacific/Easter|Pacific/Chatham|
Pacific/Funafuti|Pacific/Pago_Pago|Pacific/Tarawa|Pacific/Pitcairn|
Pacific/Ponape|EET|EST|Greenwich|GMT|Cuba|Brazil|Brazil/Acre|Brazil/East|
Brazil/DeNoronha|Brazil/West|Turkey|Arctic|Arctic/Longyearbyen|
NZ-CHAT|Zulu|Israel|Jamaica|Etc|Etc/GMT-14|Etc/GMT+6|Etc/GMT-10|Etc/GMT-2|
Etc/GMT-8|Etc/GMT+4|Etc/GMT0|Etc/GMT-12|Etc/GMT+11|Etc/GMT-11|Etc/GMT+12|
Etc/UTC|Etc/GMT-3|Etc/Greenwich|Etc/GMT-9|Etc/GMT|Etc/GMT+2|Etc/Zulu|
Etc/GMT-4|Etc/GMT+7|Etc/GMT+1|Etc/GMT+8|Etc/GMT-7|Etc/GMT-6|Etc/GMT+10|
Etc/GMT-5|Etc/GMT+0|Etc/GMT-1|Etc/GMT+3|Etc/GMT+5|Etc/GMT-13|Etc/UCT|
Etc/Universal|Etc/GMT+9|Etc/GMT-0|NZ|Europe|Europe/Vienna|Europe/Athens|
Europe/Tiraspol|Europe/Lisbon|Europe/Rome|Europe/Bratislava|Europe/Andorra|
Europe/Sofia|Europe/Kaliningrad|Europe/Zurich|Europe/Belfast|Europe/Oslo|
Europe/Samara|Europe/Malta|Europe/Chisinau|Europe/Moscow|Europe/Paris|
Europe/Minsk|Europe/Zaporozhye|Europe/Amsterdam|Europe/Tallinn|
Europe/Uzhgorod|Europe/Brussels|Europe/Vatican|Europe/Vaduz|
Europe/San_Marino|Europe/Nicosia|Europe/Berlin|Europe/Vilnius|Europe/Monaco|
Europe/Istanbul|Europe/Belgrade|Europe/Stockholm|Europe/Riga|Europe/Madrid|
Europe/Gibraltar|Europe/Copenhagen|Europe/Skopje|Europe/Budapest|
Europe/Dublin|Europe/Bucharest|Europe/Helsinki|Europe/Prague|
Europe/Sarajevo|Europe/London|Europe/Tirane|Europe/Zagreb|Europe/Kiev|
Europe/Warsaw|Europe/Ljubljana|Europe/Simferopol|Europe/Mariehamn|
Europe/Luxembourg|Singapore|ROC|Kwajalein|Egypt|PST8PDT|GMT+0|Asia|
Asia/Kuwait|Asia/Kamchatka|Asia/Thimphu|Asia/Macau|Asia/Gaza|Asia/Thimbu|
Asia/Pyongyang|Asia/Vladivostok|Asia/Katmandu|Asia/Sakhalin|Asia/Muscat|
Asia/Ashkhabad|Asia/Ulan_Bator|Asia/Riyadh|Asia/Riyadh87|Asia/Calcutta|
Asia/Yerevan|Asia/Shanghai|Asia/Baghdad|Asia/Makassar|Asia/Oral|
Asia/Hong_Kong|Asia/Jayapura|Asia/Omsk|Asia/Almaty|Asia/Saigon|Asia/Magadan|
Asia/Chungking|Asia/Hovd|Asia/Brunei|Asia/Novosibirsk|Asia/Dacca|Asia/Qatar|
Asia/Ulaanbaatar|Asia/Krasnoyarsk|Asia/Kuching|Asia/Qyzylorda|Asia/Karachi|
Asia/Anadyr|Asia/Yakutsk|Asia/Seoul|Asia/Choibalsan|Asia/Macao|
Asia/Samarkand|Asia/Yekaterinburg|Asia/Aqtobe|Asia/Riyadh88|Asia/Nicosia|
Asia/Pontianak|Asia/Urumqi|Asia/Irkutsk|Asia/Taipei|Asia/Harbin|
Asia/Istanbul|Asia/Colombo|Asia/Tel_Aviv|Asia/Jakarta|Asia/Amman|
Asia/Bahrain|Asia/Tokyo|Asia/Chongqing|Asia/Ashgabat|Asia/Singapore|
Asia/Aqtau|Asia/Baku|Asia/Bishkek|Asia/Dili|Asia/Tbilisi|Asia/Beirut|
Asia/Riyadh89|Asia/Damascus|Asia/Aden|Asia/Dubai|Asia/Manila|Asia/Vientiane|
Asia/Tehran|Asia/Kashgar|Asia/Dushanbe|Asia/Kabul|Asia/Bangkok|Asia/Rangoon|
Asia/Jerusalem|Asia/Dhaka|Asia/Kuala_Lumpur|Asia/Tashkent|Asia/Phnom_Penh|
Asia/Ujung_Pandang|CET|PRC|Africa|Africa/Kinshasa|Africa/Ndjamena|
Africa/Mbabane|Africa/Lagos|Africa/El_Aaiun|Africa/Douala|Africa/Kampala|
Africa/Mogadishu|Africa/Tripoli|Africa/Conakry|Africa/Niamey|Africa/Asmera|
Africa/Khartoum|Africa/Lubumbashi|Africa/Kigali|Africa/Johannesburg|
Africa/Blantyre|Africa/Malabo|Africa/Gaborone|Africa/Lome|Africa/Algiers|
Africa/Addis_Ababa|Africa/Brazzaville|Africa/Dakar|Africa/Nairobi|
Africa/Cairo|Africa/Banjul|Africa/Bamako|Africa/Bissau|Africa/Libreville|
Africa/Sao_Tome|Africa/Casablanca|Africa/Timbuktu|Africa/Nouakchott|
Africa/Freetown|Africa/Monrovia|Africa/Ceuta|Africa/Dar_es_Salaam|
Africa/Lusaka|Africa/Abidjan|Africa/Bujumbura|Africa/Maseru|Africa/Bangui|
Africa/Windhoek|Africa/Accra|Africa/Djibouti|Africa/Ouagadougou|
Africa/Porto-Novo|Africa/Tunis|Africa/Maputo|Africa/Harare|
Africa/Luanda|UCT|GB|Universal|Australia|Australia/Hobart|
Australia/Lord_Howe|Australia/Perth|Australia/South|Australia/Yancowinna|
Australia/Currie|Australia/Tasmania|Australia/Queensland|Australia/NSW|
Australia/Lindeman|Australia/Melbourne|Australia/Adelaide|
Australia/Victoria|Australia/Canberra|Australia/West|Australia/Brisbane|
Australia/Broken_Hill|Australia/Darwin|Australia/ACT|Australia/North|
Australia/Sydney|Australia/LHI|Iran|WET|Libya|MST7MDT|Chile|Chile/EasterIsland|
Chile/Continental|GMT-0|Navajo;
}
}
}
}
}
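
The hierarchy listings in this appendix use a brace notation: nested blocks, option values such as yes|no or a numeric range, REPEAT... before a block that may occur more than once, and OR... between alternatives. As an added example that is not part of this guide, the Python below flattens a constructed excerpt of the Panorama hierarchy above into one command path per option, which makes it easy to enumerate, for instance, the deviceconfig system service options that switch off individual management-plane protocols.

```python
# Added example, not from the PAN-OS guide: flatten the brace notation used in
# the hierarchy listings into one command path per option. SAMPLE is a
# constructed excerpt of the Panorama hierarchy above.
import re

SAMPLE = """\
config {
mgt-config {
users {
REPEAT...
<name> {
permissions {
role-based {
superreader yes;
OR...
superuser yes;
}
}
}
}
}
devices {
REPEAT...
<name> {
deviceconfig {
system {
service {
disable-telnet yes|no;
disable-http yes|no;
}
}
}
}
}
}
"""

NODE = re.compile(r"^(\S+)\s*\{$")           # "users {"  or  "<name> {"
LEAF = re.compile(r"^(\S+)(?:\s+(.+?))?;$")  # "superuser yes;"  "predefined;"

def flatten(listing):
    """Return 'path option values' strings, one per leaf option. REPEAT...
    (repeatable block) and OR... (alternatives) are annotations, not path parts."""
    paths, stack = [], []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line in ("REPEAT...", "OR..."):
            continue
        if line == "}":
            stack.pop()              # leave the current block
            continue
        node = NODE.match(line)
        if node:
            stack.append(node.group(1))
            continue
        leaf = LEAF.match(line)
        if leaf:
            option, values = leaf.group(1), leaf.group(2) or ""
            paths.append(" ".join(stack + [option, values]).rstrip())
    return paths

def management_service_options(paths):
    """The deviceconfig system service knobs that turn off management-plane
    protocols (telnet, HTTP, ...), the ones a hardening review checks first."""
    return [p for p in paths if " system service disable-" in p]
```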

Appendix B
PAN-OS CLI KEYBOARD SHORTCUTS

This appendix lists the keyboard shortcuts and Editor Macros (EMACS) commands supported
in the PAN-OS CLI.

Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For
some clients, the Meta key is the Control key; for some it is the Esc key.

Table 6 lists the keyboard shortcuts.

Table 6. Keyboard Shortcuts


Commands for Moving

beginning-of-line (C-a)
    Move to the start of the current line.
end-of-line (C-e)
    Move to the end of the line.
forward-char (C-f)
    Move forward a character.
backward-char (C-b)
    Move back a character.
forward-word (M-f)
    Move forward to the end of the next word. Words consist of alphanumeric
    characters (letters and digits).
backward-word (M-b)
    Move back to the start of this, or the previous, word. Words consist of
    alphanumeric characters (letters and digits).
clear-screen (C-l)
    Clear the screen and place the current line at the top of the screen. If an
    argument is included, refresh the current line without clearing the screen.

Commands for Manipulating Command History

accept-line (Newline, Return)
    Accept the line regardless of where the cursor is. If the line is non-empty,
    add it to the history list. If the line is a modified history line, then
    restore the history line to its original state.
previous-history (C-p)
    Fetch the previous command from the history list, moving back in the list.
next-history (C-n)
    Fetch the next command from the history list, moving forward in the list.
beginning-of-history (M-<)
    Move to the first line in the history.
end-of-history (M->)
    Move to the end of the input history (the line currently being entered).
reverse-search-history (C-r)
    Search backward starting at the current line and moving up through the
    history as necessary. This is an incremental search.
forward-search-history (C-s)
    Search forward starting at the current line and moving down through the
    history as necessary. This is an incremental search.
non-incremental-reverse-search-history (M-p)
    Search backward through the history starting at the current line using a
    non-incremental search for a string supplied by the user.
non-incremental-forward-search-history (M-n)
    Search forward through the history using a non-incremental search for a
    string supplied by the user.

Commands for Changing Text

delete-char (C-d)
    Delete the character under the cursor. If point is at the beginning of the
    line, there are no characters in the line, and the last character typed was
    not C-d, then return EOF.
backward-delete-char (backspace)
    Delete the character behind the cursor.
transpose-chars (C-t)
    Drag the character before point forward over the character at point. Point
    moves forward as well. If point is at the end of the line, then transpose
    the two characters before point.
transpose-words (M-t)
    Drag the word behind the cursor past the word in front of the cursor,
    moving the cursor over that word as well.
upcase-word (M-u)
    Make the current (or following) word uppercase. With a negative argument,
    do the previous word, but do not move point.
downcase-word (M-l)
    Make the current (or following) word lowercase. With a negative argument,
    change the previous word, but do not move point.
capitalize-word (M-c)
    Capitalize the current (or following) word. With a negative argument, do
    the previous word, but do not move point.

Deleting and Yanking Text

kill-line (C-k)
    Delete the text from the current cursor position to the end of the line.
backward-kill-line (C-x backspace)
    Delete backward to the beginning of the line.
unix-line-discard (C-u)
    Delete backward from point to the beginning of the line.
kill-word (M-d)
    Delete from the cursor to the end of the current word, or if between words,
    to the end of the next word. Word boundaries are the same as those used by
    forward-word.
backward-kill-word (M-backspace)
    Delete the word behind the cursor. Word boundaries are the same as those
    used by backward-word.
unix-word-backspace (C-w)
    Delete the word behind the cursor, using white space as a word boundary.
    The word boundaries are different from backward-kill-word.
yank (C-y)
    Place the top of the deleted section into the buffer at the cursor.
yank-pop (M-y)
    Rotate the kill-ring, and yank the new top. Only works following yank or
    yank-pop.

Completing Commands

complete (TAB)
    Attempt to perform completion on the text before point.
possible-completions (?)
    List the possible completions of the text before point.

Performing Miscellaneous Functions

undo (C-_, C-x C-u)
    Perform an incremental undo, separately remembered for each line.
revert-line (M-r)
    Undo all changes made to this line. This is like typing the undo command
    enough times to return the line to its initial state.

Table 7 lists the EMACS commands.

Table 7. EMACS Commands


Command Description
Emacs Standard bindings
C-A beginning-of-line
C-B backward-char
C-D delete-char
C-E end-of-line
C-F forward-char
C-G abort
C-H backward-delete-char
C-I complete
C-J accept-line
C-K kill-line
C-L clear-screen
C-M accept-line
C-N next-history
C-P previous-history
C-R reverse-search-history
C-S forward-search-history
C-T transpose-chars
C-U unix-line-discard
C-W unix-word-backspace
C-Y yank
C-_ undo

Emacs Meta bindings
M-C-H backward-kill-word
M-C-R revert-line
M-< beginning-of-history
M-> end-of-history
? possible-completions
M-B backward-word
M-C capitalize-word
M-D kill-word
M-F forward-word
M-L downcase-word
M-N non-incremental-forward-search-history
M-P non-incremental-reverse-search-history
M-R revert-line
M-T transpose-words
M-U upcase-word
M-Y yank-pop

Index
Symbols
# prompt 13
+ option symbol 17
> option symbol 17
> prompt 13
? symbol 15

A
accessing the CLI 12

B
banner 13, 25
bootloader recovery 187
bootup 184

C
changing modes 14
check command 30
clear command 51
CLI
    accessing 12
    configuration mode 11
    EMACS commands 257
    keyboard shortcuts 255
    operational model 11
    prompt 13
    structure 11
commands 27
    conventions 13
    display 27
    messages 14
    monitoring and troubleshooting 27
    navigation 27
    network access 27
    option symbols 17
    options 15
    understanding 13
commit command 21, 31
configuration
    hierarchy 23
    hierarchy paths 24
configuration mode
    hierarchy 23
    prompt 13
    understanding 21
configure command 53
control key 16
conventions, typographical 8
copy command 32
critical errors, switching to maintenance mode 185

D
debug captive-portal command 54
debug cli command 55
debug cpld command 56
debug dataplane command 57
debug device-server command 59
debug dhcpd command 60
debug high-availability-agent command 61
debug ike command 62
debug keymgr command 63
debug log-receiver command 64
debug management-server command 65
debug master-service command 66
debug rasmgr command 67
debug routing command 68
debug software command 69
debug swm command 70
debug tac-login command 71
debug vardata-receiver command 72
delete command 33, 54
diagnostics 187
disk image 187

E
edit banner 25
edit command
    banner 13
    using 26, 34
errors, switching to maintenance mode 185
esc key 16
Ethernet interfaces 19
ethernet1/n 19
exit command 35, 75

F
factory reset 187
file system check (FSCK) 187

G
getting started 12
grep command 76

H
hierarchy
    complete 189
    configuration 23
    navigating 25
    new elements 24
    paths 24
hostname 13

I
interfaces 19

K
keyboard shortcuts 16, 255

L
less command 77

M
maintenance mode
    about 183
    diagnostics 187
    entering automatically 185
    entering upon bootup 184
    password 187
    serial console message 185
    SSH message 186
    web interface message 185
meta key 16
modes
    changing 14, 15
    configuration 21
    operational 27
move command 37

N
navigating hierarchy 25
netstat command 78

O
operational mode
    command types 27
    prompt 13
    using 27

P
password, maintenance mode 187
ping command 79
privilege levels 18

Q
quit command 38, 81

R
rename command 39
request certificate command 82
request content upgrade command 85
request data-filtering command 86
request device-registration command 87
request high-availability command 88
request license command 89
request password-hash command 90
request restart command 91
request ssl-output-text command 92
request ssl-vpn command 93
request support command 94, 96
request system command 95
request url-filtering command 97
request vpn-client command 98
rollback 187
run command 40

S
save command 21, 41
scp command 99
serial console
    maintenance mode 183
    message 185
set application dump command 101
set cli command 102, 104, 105
set clock command 103
set command 42
set logging command 106
set management-server command 107
set multi-vsys command 108
set panorama command 109
set password command 110
set proxy command 111
set serial-number command 112
set session command 113
set ssl-vpn command 116
set target-vsys command 115, 117
set ts-agent command 118
set url-database command 119
set zip command 120
shortcuts 16
show admins command 121
show arp command 122
show authentication command 123
show cli command 124, 125
show clock command 126
show command 23, 43
show config command 127
show counter command 128
show ctd command 129
show device command 130
show devicegroups command 132
show device-messages command 131
show dhcp command 133
show high-availability command 134
show interface command 135
show jobs command 136
show local-user-db command 137
show location command 138, 141
show log command 139
show mac command 142
show management-clients command 143
show multi-vsys command 144
show pan-agent command 145
show pan-ntlm-agent command 146
show proxy command 147
show query command 148
show report command 149
show routing command 150
show session command 154
show shared-policy command 156
show ssl-vpn command 157
show statistics command 158
show system command 160
show target-vsys command 162
show threat command 163
show ts-agent command 164
show updates command 165
show virtual-wire command 166
show vlan command 167
show vpn command 168, 170
show zone-protection command 171
ssh command 172
syntax checking 14
system 27
system information 187

T
tail command 173
telnet command 174
test command 175
tftp command 84, 176
top command 25, 26, 44
traceroute command 178
typographical conventions 8

U
up command 25, 26, 45
user name 13
user privileges 18

V
view-pccap command 180