CLI Commands for Troubleshooting Palo Alto Firewalls

When troubleshooting network and security issues on many different devices/platforms, I am always missing some command options to do exactly what I want on the device I am currently working with. Therefore I list a few commands for the Palo Alto Networks firewalls here as a short reference / cheat sheet for myself. Maybe some other network professionals will find it useful.

However, since I almost always use the GUI, this quick reference only lists commands that are useful on the console and not present in the GUI.

This blog post will be a living document. Whenever I use some “new” commands for troubleshooting issues, I will update it. If there are any useful commands missing, please send me a comment!

For a complete list of all CLI commands, use the CLI Reference Guides from PAN. Or use the official Quick Reference Guide: Helpful Commands PDF.

Standard Show Commands

The following commands are really the basics and need no further description. I list them just as a reference:
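As an added example (the original post's own command list does not survive here), these are the basic show commands a first look usually starts with. The prompt admin@fw01> is the PAN-OS operational mode; the host name and interface names are placeholders, and lines starting with # are annotations, not CLI input.

```text
# model, PAN-OS version, serial, uptime, management IP
admin@fw01> show system info
admin@fw01> show system software status
admin@fw01> show system resources
# interfaces: state, addresses, zones, counters
admin@fw01> show interface all
admin@fw01> show interface ethernet1/1
admin@fw01> show counter interface ethernet1/1
# routing table of the virtual router, optionally by route type
admin@fw01> show routing route
admin@fw01> show routing route type static
admin@fw01> show arp all
# policies as the dataplane currently sees them (i.e. after the last commit)
admin@fw01> show running security-policy
admin@fw01> show running nat-policy
# commits, content updates and other background jobs
admin@fw01> show jobs all
admin@fw01> show clock
```

The "show running ..." commands are the ones to trust when a rule "is there" in the GUI but does not match: they display the committed policy, not the candidate configuration.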

Find

Since PAN-OS 6.0, the “find” command helps to search for the needed command in case you do not know the whole command set. With “find command”, all possible commands are displayed. With “find command keyword xyz”, all commands containing “xyz” are shown.

Ping, Traceroute, and DNS

A standard ping command looks like this:

Note that this ping request is issued from the management interface! To use a data interface as the source, the option source <ip-address> can be used. To use IPv6, the option is inet6 yes. For example:

A traceroute command looks like this:

The source <ip-address> option can be used to specify the outgoing interface. However, for IPv6 the option differs from the ping command: ipv6 yes.

To resolve DNS names, e.g., to test the DNS server that is configured on the management interface, simply ping a name:
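The ping, traceroute and DNS checks described above as an added example (not code from the original post). Addresses are documentation placeholders; the source address must be one that is configured on a dataplane interface, otherwise the firewall rejects the option. Lines starting with # are annotations.

```text
# from the management interface: uses the management routing table and the management DNS servers
admin@fw01> ping host 198.51.100.20
admin@fw01> ping count 3 host 198.51.100.20
# from a dataplane interface: "source" is an IP configured on that interface,
# so the packet leaves via that interface's virtual router and zone
admin@fw01> ping source 192.0.2.1 host 198.51.100.20
admin@fw01> ping inet6 yes source 2001:db8::1 host 2001:db8:1::20
# traceroute takes the same "source" option, but IPv6 is selected with "ipv6 yes"
admin@fw01> traceroute host 198.51.100.20
admin@fw01> traceroute source 192.0.2.1 host 198.51.100.20
admin@fw01> traceroute ipv6 yes host 2001:db8:1::20
# name resolution test through the management DNS servers: the name is resolved before the first echo request
admin@fw01> ping host www.example.com
```

A ping that works from the management interface but not with a dataplane source usually points at a missing route or a security rule in the data path, not at the remote host.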

Routing

(For a “show” of the routing table refer to the “Standard Show Commands” above.) Debugging dynamic routing protocols works like this:

Or follow the routed.log:

Test

The Palo Alto offers some great test commands, e.g., for testing a route lookup, a VPN connection, or a security policy match. Use the question mark to find out more about the test commands. Here are some useful examples:
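Route, security policy and NAT policy lookups as an added example (not the original post's code). Zone names and addresses are placeholders; the protocol is given numerically (6 = TCP, 17 = UDP).

```text
# which route, egress interface and next hop a destination will use in virtual router "default"
admin@fw01> test routing fib-lookup virtual-router default ip 198.51.100.20
# which security rule a flow would hit; only the first matching rule is returned
admin@fw01> test security-policy-match from trust to untrust source 192.0.2.10 destination 198.51.100.20 protocol 6 destination-port 443
# same lookup with the application given explicitly, for rules that match on App-ID
admin@fw01> test security-policy-match from trust to untrust source 192.0.2.10 destination 198.51.100.20 protocol 6 destination-port 443 application ssl
# which NAT rule would translate the same flow
admin@fw01> test nat-policy-match from trust to untrust source 192.0.2.10 destination 198.51.100.20 protocol 6 destination-port 443
# list every test command this PAN-OS version knows
admin@fw01> test ?
```

The policy tests run against the committed configuration. Without the application option the match is done before App-ID has identified the traffic, so a real session can end up on a later, application-specific rule than the one the test reports.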

Viewing Management-Plane Logs

To view the debug log files, “less” or “tail” can be used. The keyword “mp-log” refers to the management-plane logs (similar to “dp-log” for the dataplane logs). The tail command can be used with “follow yes” for a live view of all logged messages. And as always: use the question mark to display all possibilities.

Examples:
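Reading the management-plane logs, including the routed.log mentioned in the Routing section, as an added example (not the original post's code). The peer address in the grep line is a placeholder.

```text
# page through one management-plane log (ikemgr = IKE/IPsec daemon)
admin@fw01> less mp-log ikemgr.log
# only the last lines, then a live follow
admin@fw01> tail lines 50 mp-log ikemgr.log
admin@fw01> tail follow yes mp-log ikemgr.log
# dynamic routing daemon (OSPF, BGP, RIP) log
admin@fw01> tail follow yes mp-log routed.log
# authentication log: admin logins, RADIUS/LDAP problems
admin@fw01> tail follow yes mp-log authd.log
# search a log for a pattern instead of scrolling through it
admin@fw01> grep mp-log ikemgr.log pattern 203.0.113.5
# dataplane logs use the same syntax with dp-log; "?" lists the file names
admin@fw01> less dp-log ?
```

Following authd.log while a user logs in is the quickest way to tell an LDAP bind failure from a wrong group mapping.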

Capturing Management Packets

To view the traffic on the management port, at least two console connections are needed. The first one executes the tcpdump command (with “snaplen 0” to capture whole packets, and a filter if desired),

while the second console follows the live capture:

Test traffic can be generated with a third console session, e.g.:

Later on, the pcap file can be copied to another computer with the following command:

Alternatively, tftp can be used:
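The whole management-port capture procedure in one place, as an added example (not the original post's code). The capture file is always mgmt.pcap; the SCP user, host and path are placeholders.

```text
# console 1: capture on the management interface (snaplen 0 = whole packets), optional BPF filter
admin@fw01> tcpdump snaplen 0 filter "port 53"
# console 2: follow the capture live. Disable name and port lookups, otherwise the viewer
# itself generates DNS queries from the management plane and they show up in a port 53 capture
admin@fw01> view-pcap follow yes no-dns-lookup yes no-port-lookup yes mgmt-pcap mgmt.pcap
# console 3: generate matching traffic (the name lookup for the ping target)
admin@fw01> ping count 3 host www.example.com
# console 1: stop the capture with Ctrl-C, then copy the file off the box
admin@fw01> scp export mgmt-pcap from mgmt.pcap to user@192.0.2.50:/tmp/
admin@fw01> tftp export mgmt-pcap from mgmt.pcap to 192.0.2.50
```

Prefer the scp export: tftp moves the capture, and whatever credentials or syslog content it holds, in the clear.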

Live Viewing of Packet Captures

When using the Packet Capture feature on the Palo Alto, the filter settings can easily be made in the GUI (Monitor -> Packet Capture). These settings, as well as the current size of the running packet capture files, can be examined with:

Now, the current capture can be viewed in follow mode with:

And for a really detailed analysis, the counters for these filtered packets can be viewed. This reveals exactly how many packets traversed which way, and so on. With the “delta yes” option, only the counter values since the last execution of this command are shown. The “packet-filter yes” option uses the packet filter from the GUI (Monitor -> Packet Capture) to filter the counters:

For example, here are the delta counters after a few DNS lookups:

Or, even more interesting, filtered on “drop” severity (note the drop reasons on the right-hand side):
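Viewing a running dataplane capture and reading the filtered global counters, as an added example (not the original post's code). rx.pcap and drop.pcap stand for whatever file names were given to the receive and drop stages in the GUI.

```text
# the filter, the configured stages and the current size of each capture file
admin@fw01> debug dataplane packet-diag show setting
# follow a stage file while the capture runs
admin@fw01> view-pcap follow yes filter-pcap rx.pcap
admin@fw01> view-pcap no-dns-lookup yes no-port-lookup yes filter-pcap drop.pcap
# global counters for packets matching the capture filter. The first run only sets the baseline...
admin@fw01> show counter global filter delta yes packet-filter yes
# ...now reproduce the problem, then run it again and read only the counters that changed
admin@fw01> show counter global filter delta yes packet-filter yes
# drop counters only; the description column names the drop reason (e.g. no route, policy deny, TCP state)
admin@fw01> show counter global filter delta yes packet-filter yes severity drop
# stop the capture and reset the counters/files from the CLI when done
admin@fw01> debug dataplane packet-diag set capture off
admin@fw01> debug dataplane packet-diag clear all
```

The delta is kept per CLI session, so run the counter command twice in the same session: once before and once after reproducing the failure.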

Examining the Session Table

If a network connection failure is not found in the traffic log, the session table can be queried for sessions in DISCARD state, filtered by source, and so on. This is useful on the console because the session browser in the GUI does not store the filter options and is therefore a bit unwieldy. All commands start with “show session all filter …”, e.g.:

To have an overview of the number of sessions, configured timeouts, etc.:

For investigating a single session in more detail, use:

Watch out for the “Hardware session offloading” line. If it is “true” you might want to disable the fastpath during troubleshooting (inside the config mode):

To see whether there are some “predict” sessions in which the Palo Alto uses an ALG (application layer gateway) to predict dynamic ports (e.g., SIP, active FTP), use this command:

A specific session can then be cleared with:

Reason for Session Close

[UPDATE] Since PAN-OS 6.1 the session end reason is a column in the GUI at Monitor -> Logs -> Traffic. Hence this is not needed anymore.[/UPDATE]

You cannot see the reason for a closed session in the traffic log in the GUI. For this purpose, find out the session ID in the traffic log and type the following command in the CLI (named the “Session Tracker”). Note the last line of the output, e.g. “tracker stage firewall : Aged out” or “tracker stage firewall : TCP FIN”. This shows the reason the firewall sees when it ends a session:

Alternatively, the traffic log on the CLI can display the session tracker when used with the option “show-tracker equal yes”, such as:
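Session table queries, the offload switch and the session tracker from the two sections above, as one added example (not the original post's code). Addresses and the session ID are placeholders.

```text
# sessions the firewall is discarding, or sessions filtered by endpoints / port / application
admin@fw01> show session all filter state discard
admin@fw01> show session all filter source 192.0.2.10 destination 198.51.100.20
admin@fw01> show session all filter source 192.0.2.10 destination-port 53
admin@fw01> show session all filter application dns
# totals, configured timeouts, maximum number of sessions
admin@fw01> show session info
# one session in detail: zones, rule, NAT, application, tracker line, "Hardware session offloading"
admin@fw01> show session id 123456
# disable hardware offload (fastpath) only while troubleshooting, and re-enable it afterwards
admin@fw01> configure
admin@fw01# set session offload no
admin@fw01# commit
admin@fw01# exit
# predict sessions opened by an ALG (SIP, active FTP, ...), and clearing a single session
admin@fw01> show session all filter type predict
admin@fw01> clear session id 123456
# traffic log on the CLI with the session end reason (tracker), newest entries first
admin@fw01> show log traffic show-tracker equal yes direction equal backward
```

With offload disabled every packet of every session is inspected in software, so on a busy box this is a short-lived troubleshooting setting; "set session offload yes" restores the default.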

VPN Issues

The general show commands for VPN sessions are:

(See also Palo Alto: How to Troubleshoot VPN Connectivity Issues.) Though you can find many reasons for site-to-site VPNs that do not work in the system log in the GUI, some more CLI commands might be useful. To reveal whether packets traverse a VPN connection, use this (it shows the number of encap/decap packets and bytes, i.e., the actual traffic flow):

Or use the counter values for IPsec issues:

And for detailed debugging of IKE, enable the debug (without any further options),

then follow the pcap with

and do NOT forget to turn the debugging off again!

The complete ikemgr.pcap can be downloaded from the Palo Alto with scp or tftp, e.g.:

To clear or to initiate an IPsec connection, use the following commands for either phase 1 (IKE) or phase 2 (IPsec):

GlobalProtect

Current users and flow:
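The site-to-site VPN commands from the previous section together with the GlobalProtect show commands, as one added example (not the original post's code). gw-branch1 and tun-branch1 are placeholder IKE gateway and IPsec tunnel names; the export target is a placeholder.

```text
# configured gateways/tunnels and the negotiated phase 1 (IKE) and phase 2 (IPsec) SAs
admin@fw01> show vpn gateway
admin@fw01> show vpn tunnel
admin@fw01> show vpn ike-sa
admin@fw01> show vpn ike-sa gateway gw-branch1
admin@fw01> show vpn ipsec-sa
admin@fw01> show vpn ipsec-sa tunnel tun-branch1
# is traffic actually flowing? encap/decap packets and bytes per tunnel
admin@fw01> show vpn flow
admin@fw01> show vpn flow name tun-branch1
# IPsec-related global counters (replay errors, SA lookup failures, ...)
admin@fw01> show counter global | match ipsec
# IKE packet capture: switch on, watch, switch OFF again, then export for Wireshark
admin@fw01> debug ike pcap on
admin@fw01> view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
admin@fw01> debug ike pcap off
admin@fw01> scp export debug-pcap from ikemgr.pcap to user@192.0.2.50:/tmp/
admin@fw01> tftp export debug-pcap from ikemgr.pcap to 192.0.2.50
# bring up or tear down phase 1 and phase 2 by hand
admin@fw01> test vpn ike-sa gateway gw-branch1
admin@fw01> test vpn ipsec-sa tunnel tun-branch1
admin@fw01> clear vpn ike-sa gateway gw-branch1
admin@fw01> clear vpn ipsec-sa tunnel tun-branch1
# GlobalProtect: connected users and their flows
admin@fw01> show global-protect-gateway current-user
admin@fw01> show global-protect-gateway flow
```

For tunnels with proxy IDs the flow name is tunnel name and proxy ID joined by a colon; "show vpn flow" lists the exact names. An IKE SA that comes up while "show vpn flow" counts only encap packets means the tunnel is fine and the return traffic is missing on the far side.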

Displaying the Config in Set Mode

The XML output of the “show config running” command might be impractical when troubleshooting at the console. That’s why the output format can be set to “set” mode:

Now, enter the configure mode and type show. This reveals the complete configuration as “set …” commands. Here is a sample output of a particular show command:

The pipe (|) can be used to grep certain values with the “match” keyword, such as:

To show the complete config without page breaks (which is “terminal length 0” on Cisco devices), the following command can be used (BEFORE the configure mode is entered):

To omit line breaks (carriage returns), use this one:
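Switching the CLI to set-format output, disabling the pager and grepping the configuration, as an added example (not the original post's code). The address and object name in the match lines are placeholders.

```text
# operational mode: set output to "set" commands, disable paging, widen the terminal so lines are not wrapped
admin@fw01> set cli config-output-format set
admin@fw01> set cli pager off
admin@fw01> set cli terminal width 500
admin@fw01> configure
# the whole candidate configuration, or one subtree of it, as set commands
admin@fw01# show
admin@fw01# show network virtual-router default
# "match" takes a regular expression: find where an address or an object name is used
admin@fw01# show | match 192.168.120.2
admin@fw01# show address-group | match h_server01
admin@fw01# exit
# the same grep outside configure mode gives single XML lines without context
admin@fw01> show config running | match 192.168.120.2
# back to the defaults when done
admin@fw01> set cli config-output-format default
admin@fw01> set cli pager on
```

Note that "show" in configure mode displays the candidate configuration, so an uncommitted change appears there but not in "show config running".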

High Availability

Some show and request commands (even though present in the GUI):
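The HA state, monitoring and failover commands as an added example (not the original post's code).

```text
# local/peer state, sync status, versions; "all" includes the full configuration and monitoring details
admin@fw01> show high-availability state
admin@fw01> show high-availability all
admin@fw01> show high-availability link-monitoring
admin@fw01> show high-availability path-monitoring
# planned failover: suspend the active unit; it stays suspended until set functional again
admin@fw01> request high-availability state suspend
admin@fw01> request high-availability state functional
# push the local running config to the peer when "show high-availability state" reports it out of sync
admin@fw01> request high-availability sync-to-remote running-config
```

Check "show high-availability state" on both members after a failover: a unit left in suspended state will not take over on the next failure.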

Export/Import Files

To copy files from or to the Palo Alto firewall, scp or tftp can be used. Both commands have the same structure with “export … to” or “import … from”, e.g.:
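Exporting and importing configuration and software with scp/tftp, as an added example (not the original post's code). The backup host, paths and the image file name are placeholders.

```text
# running configuration to a backup host (scp asks for the password)
admin@fw01> scp export configuration from running-config.xml to backup@192.0.2.50:/backups/fw01-running.xml
admin@fw01> tftp export configuration from running-config.xml to 192.0.2.50
# a previously exported configuration back onto the box; it lands in the saved-config store
admin@fw01> scp import configuration from backup@192.0.2.50:/backups/fw01-running.xml
# load it as the candidate config and commit
admin@fw01> configure
admin@fw01# load config from fw01-running.xml
admin@fw01# commit
admin@fw01# exit
# a PAN-OS image for a later "request system software install"
admin@fw01> scp import software from backup@192.0.2.50:/images/PanOS_200-6.1.0
admin@fw01> request system software info
```

The exported XML contains hashed admin passwords, the pre-shared keys of IKE gateways and other secrets; treat the backup host accordingly and prefer scp over tftp.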

User-IDs and Groups

State of the LDAP server connections, including the listing of all groups:

Group mapping and User-ID agent refresh (= update) and reset (= delete and reload):

Show the group memberships of a particular user:

Show the members of a particular group:

IP-to-user mapping for all users or for a particular user. (The match value does not work with a backslash, so the username must be specified without the domain):

User-ID cache clearance:
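The User-ID state, mapping and refresh commands as an added example (not the original post's code). The group DN, user name and address are placeholders.

```text
# LDAP group-mapping profiles: server state, last refresh, number of groups
admin@fw01> show user group-mapping state all
# all groups retrieved via group mapping, and the members of one group
admin@fw01> show user group list
admin@fw01> show user group name "cn=vpn-users,ou=groups,dc=example,dc=com"
# User-ID agents (Windows agent / agentless) and their connection state
admin@fw01> show user user-id-agent state all
# IP-to-user mappings; grep on the user name without the domain prefix
admin@fw01> show user ip-user-mapping all
admin@fw01> show user ip-user-mapping ip 192.0.2.10
admin@fw01> show user ip-user-mapping all | match jdoe
# refresh (re-read) or reset (drop and re-read) the group mapping; reset the agent connection
admin@fw01> debug user-id refresh group-mapping all
admin@fw01> debug user-id reset group-mapping all
admin@fw01> debug user-id reset user-id-agent all
# clear the IP-to-user cache on the dataplane and on the management plane
admin@fw01> clear user-cache all
admin@fw01> clear user-cache-mp all
```

Clearing the user cache drops every mapping until the agents re-learn it, so user-based rules fall back to their no-user behaviour for a moment; do it on a quiet box or for a single entry rather than "all".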

IP Addresses of FQDN Objects

When using objects with FQDNs, the current IP addresses are not shown in the GUI. The following commands display or refresh them, respectively:

To set the refresh timer to another value, use the following commands:

To verify this setting you can “show” the configuration with pipe and match. In the default cli config-output-format it looks like this:

In the “set” config-output-format it looks like this:

Now, as in my case the FQDNs are updated every 600 s = 10 min, I can see the corresponding job every 10 minutes:

IP Addresses of External Dynamic Lists

Similarly, the entries of an external dynamic (block) list can be viewed or refreshed with:

DNS Proxy

To verify the functionality of DNS proxy objects, at least two commands are useful. Both outputs should speak for themselves:

Active URL Vendor/Database

I had some issues with the two different URL databases “BrightCloud” and “PAN-DB”. This is the command to show unambiguously which vendor is active on the PA (independent of the licenses):

The output is either brightcloud or paloaltonetworks. The standard URL DB up to PAN-OS 5.0 is BrightCloud. Beginning with PAN-OS 6.0, the default is PAN-DB (refer to the release notes, section “Changes to Default Behavior”). To change the vendor (of course only if it is licensed), click the “Activate” link under licenses in the GUI.

PAN-DB URL Test & Cache

To show the category of a specific URL, use one of the following commands:

To display the current URL cache from the PAN-DB, two steps are required. The first one is the creation of a logfile which contains all entries and the second one is to display this logfile:
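One added example (not the original post's code) covering the four sections above: FQDN objects, external dynamic lists, DNS proxy and the URL database. edl-blocklist is a placeholder list name; the cache-dump step of the URL section is not reproduced here.

```text
# resolved addresses of all FQDN address objects, and a forced re-resolution
admin@fw01> request system fqdn show
admin@fw01> request system fqdn refresh
# change the refresh interval (seconds) and verify it in the configuration
admin@fw01> configure
admin@fw01# set deviceconfig system fqdn-refresh-time 600
admin@fw01# commit
admin@fw01# show deviceconfig system | match fqdn
admin@fw01# exit
# the periodic refresh shows up in the job list
admin@fw01> show jobs all
# external dynamic list: current entries as loaded by the firewall, and a forced download
admin@fw01> request system external-list show type ip name edl-blocklist
admin@fw01> request system external-list refresh type ip name edl-blocklist
# DNS proxy objects: query statistics and cache contents
admin@fw01> show dns-proxy statistics all
admin@fw01> show dns-proxy cache all
# active URL database vendor, PAN-DB cloud connectivity, category of one URL
admin@fw01> show system setting url-database
admin@fw01> show url-cloud status
admin@fw01> test url www.example.com
```

A rule on an FQDN object matches whatever addresses "request system fqdn show" lists, not what your workstation resolves; if the two differ (split DNS, round-robin records), the firewall's management DNS servers are the ones to fix.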

Fan Speed

OK, this is not a troubleshooting command, but nevertheless very useful. It sets the fan speed to “auto”, which immediately reduces the fan noise, e.g. on a PA-200:

Defaults

Just for reference:

  • Default Management Interface IP: 192.168.1.1
  • Login: admin
  • Password: admin

To change the IP settings of the management interface via the console:

To perform a factory reset without direct access to the firewall via a console cable, you can use this procedure.
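Initial management setup from the console as an added example (not the original post's code): address, DNS, host name, a new admin password in place of the default, and a restriction of management access to the admin network. Addresses and the host name are placeholders.

```text
admin@fw01> configure
# management address, default gateway and DNS server of the management interface
admin@fw01# set deviceconfig system ip-address 192.168.1.10 netmask 255.255.255.0 default-gateway 192.168.1.1
admin@fw01# set deviceconfig system dns-setting servers primary 192.168.1.53
admin@fw01# set deviceconfig system hostname fw01
# replace the default admin/admin credentials (the command prompts for the new password)
admin@fw01# set mgt-config users admin password
# only the admin network may reach the management interface at all
admin@fw01# set deviceconfig system permitted-ip 192.168.1.0/24
admin@fw01# commit
admin@fw01# exit
admin@fw01> show system info | match ip-address
# wipe configuration and logs but keep PAN-OS and licenses, e.g. before handing a unit over
admin@fw01> request system private-data-reset
```

The new management address takes effect with the commit, so the console session stays up while an SSH session on the old address is lost; do the change from the console or expect to reconnect.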

62 thoughts on “CLI Commands for Troubleshooting Palo Alto Firewalls”

  1. Hey I have one question, how can I disable or enable a static route using the CLI and not doing it on the GUI?

    1. Hi. You must go into the configure mode (“configure”) and specify a command similar to this:
      “set network virtual-router NAME-OF-THE-VR routing-table ip static-route NAME-OF-THE-ROUTE option no-install”. And don’t forget to “commit”. 😉

      1. So is the command you list “set network virtual-router NAME-OF-THE-VR routing-table ip static-route NAME-OF-THE-ROUTE option no-install”… the CLI command one would use to delete a pre-existing route (once committed)? OR is there another command to run besides the one you mention ?

1. I listed the command to DISABLE an already installed route. The keyword here is the “no-install” at the end. So, once committed, the NAME-OF-THE-ROUTE route is disabled.

          1. Ok, thanks. So what would the CLI command be to actually DELETE an already installed route ?

            I have worked with many firewalls, but for some reason, the CLI command to do this on a Palo Alto eludes me. Is it because the deleting of a route is only done through the GUI? Thank you for your help

  2. Occam’s razor strikes again! replace the “set” with “delete”.. It does surprise me though that such a simple, and different from other platforms, way of deleting, removing, unsetting or no to a command is not readily documented or discovered through out the Web or Palo Alto.. Just say’n!… had to figure it out solo..

3. Here are a few more commands that I need frequently.

    Shows the status of individual or all group mappings.

    Shows all users in a group.

    Overview of all processes on the firewall.

    View dynamic address groups.

    Extremely useful is the following command, which clones an existing template within Panorama.

  4. Hello all!

    Does anyone know if trace and ping are available on Palo Alto GUI?

    Thanks and regards,

  5. Nice post! Great for us who are transitioning from Cisco.

    Question: Is there an equivalent PA CLI command for “terminal length 0”?

    Thank you

  6. Hi all,

    Is there any option or command to delete a particular single Log / Particular IP traffic or URL Logs..

    Thanks.

  7. Like Show configuration | in “value”. is there any commands like this in Palo alto to see the particular config,

    For Ex : To see the configuration of IP ” 172.16.10.0/24″ we used this command in cisco “show run | in 172.16.10.0” it will show the configuration details.. please let me know the command in Palo alto for the same .

    Thanks
    Vishnu

1. Hi Vishnu,
      yeah, good question. I just updated the corresponding section in this post for you: “Displaying the Config in Set Mode”.

      Note that you could use a similar command in the standard CLI view (not in the “configure” view):
      “show config running | match 192.168.120.2”
      However, this is not very useful since you only get single XML lines without any context around the lines.

        1. Hello Marcin,

          Your CLI filter looks great. Do you have any document of it? I suppose the match filter support some level of regular expression?

        2. I just realized the match command is actually the grep command.
          The regular expression rule applies the same on match.
          Thanks anyway.

  8. Hello,

    Is there any command or script to schedule automatically backup Palo Alto firewall configuration.

    Thanks.

1. On the Palo Alto, you don’t have this possibility. 🙁
      But you can use the API to download a config file from the device. However, I currently don’t have such a script. But maybe someone else has?

  9. How to configure Vlan in palo alto. My ISP gave me the wan IP and Vlan id . They asking me to configure in the interface where ISP connected. Could you help me. I need a sample configuration of Palo alto . Kindly sent to mail id : aravindramesh11@gmail.com

  10. What is the equivalent cli command on the Palo for the following Sidewinder command:

    acat -ae ‘(srcip 192.168.1.1 dstip 192.168.2.2) and dstport 53’

  11. Correction:
    What is the equivalent cli command on the Palo for the following Sidewinder command:

    acat -ae ‘(srcip 192.168.1.1 or dstip 192.168.2.2) and dstport 53′

  12. Hello,

    Is there a command to see which policy rules processed a traffic? I have an SSL inbound decryption rule that does not decrypt my traffic. Want to see if the traffic is processed by that rule

    Thanks

    Cid

1. If client and server negotiate DH-based cipher suites, then decryption is not possible. Also, there are certain RSA-based cipher suites which the PA is not going to decrypt. Check PA’s documents for the list of RSA ciphers which the PA is not going to decrypt.

      Take packet captures on the client machine and if you see DH-based cipher suites negotiated by the server in the server hello, then force the server to negotiate RSA-based cipher suites.

      Otherwise, I don’t see any reason for decryption failure, if your decryption policy covers the interested traffic.

      Jugnu

  13. Hello,

    is there a command to find out if an object with IP a.b.c.d exist?

    And a command to find out if an object named “whatever” is included in any object group?

    Thanks.

    1. Why don’t you use the GUI for these requests? Simply type in the IP address or name or whatever in the search field. 😉
      However, if you want to use the CLI: set the output format to set “set cli config-output-format set”, go into the configure mode “configure” and grep the IP address or whatever “show | match 192.168.0.1”.

1. I can’t see how to search in the output of the show command. I don’t think you can place a pipe after “show”, with or without a space.

        May be if I could execute two commands in one line, I could launch the commands from a host and “grep” the output.

        Something like:
        $ ssh user@fw “set cli config-output-format set ; configure ; show address-group” | grep 1.2.3.4

Do you think it is possible?

        I only have to do such a thing, say once in a week, so I would like to have some scripts to find just that type of information with a command.

        Thanks for your help.

        1. Yes, you can pipe after a simple “show”. Here is my output. First I searched after an IPv4 address, then after the name to reveal the group:

          weberjoh@fd-wv-fw02# show | match 172.16.1.1
          set address h_fd-wv-fw01_trust ip-netmask 172.16.1.1
          [edit]
          weberjoh@fd-wv-fw02# show | match h_fd-wv-fw01_trust
          set address-group g_h_RouterFirewalls static [ h_fd-wv-fw01_trust h_fd-wv-fw01_trust_v6 h_fd-wv-fw01_untrust h_fd-wv-fw01_untrust_v6 h_fd-wv-fw02_untrust h_fd-wv-fw02_untrust_v6 h_fd-wv-fw03_outside h_fd-wv-fw03_outside_v6 h_fd-wv-ro01_inside h_fd-wv-ro01_inside_v6 h_fd-wv-ro02_outside h_fd-wv-ro02_outside_v6 h_fd-wv-ro03_outside h_fd-wv-ro03_outside_v6 ]
          set address h_fd-wv-fw01_trust ip-netmask 172.16.1.1
          [edit]
          weberjoh@fd-wv-fw02#

          I do not know whether you can call ssh with several commands behind it. I have not used such techniques until now.

          1. My output:

            antonio@fwpa1-con(active)> set cli config-output-format set
            antonio@fwpa1-con(active)> set cli pager off
            antonio@fwpa1-con(active)> configure
            Entering configuration mode
            [edit]
            antonio@fwpa1-con(active)# show | match 10.229.32.8

            Invalid syntax.
            [edit]
            antonio@fwpa1-con(active)#

            Maybe the version of PANOS.

            I’ll try some variety of expect.

            Thanks.

  14. Dear Johannes Weber,

I am new to this firewall. Kindly give suggestions on how to gain good knowledge of this firewall. Kindly provide the useful links/URLs.

15. Great blog.
    Few queries. Maybe it is covered in the thread but still very helpful if someone responds:
    # In CLI mode, how to check the routing for one destination, and accordingly I can see the interface from which it goes out and finally I can see the zone bound to that interface.
    This is very basic to create a policy in GUI mode.

    1. CLI command to test filter, policy, vpn, route, nat, …:
      type ‘test ?’ and pick an option

    1. Google is your friend. 😉 And the Palo Alto CLI Ref.
      Ok, here we go:
      configure
      set deviceconfig system snmp-setting access-setting version v2c snmp-community-string foobar
      commit

  16. I have AWS VPN, I would like to upload AWS VPN configuration file to palo alto using any commands lines or API call. Would it possible to do that. If yes could you please provide the details here.

    Thank you

1. Puh, that should work, but it’s not that easy.
      Have a look at the Palo Alto CLI Reference. You’ll find some commands for, e.g.:
      set network ike …

      Is AWS giving you a VPN template for Palo Alto? Or do you want to build it yourself? Maybe you can create a ticket at Palo Alto Support to solve that?

17. One of our clients is using the Palo Alto PA-3050 model. They have a 50 Mbps Vodafone leased line; it is working fine when we are directly connected to the router, but if we connect through our firewall then the upload speed only comes up to 2 Mbps.

18. Hey, how many silence features have you activated on the device and how much bandwidth license do you have on the device? Have they implemented any QoS on the device?

  19. Hello

    I want to check which route is matching for some host IP like 10.155.7.33. When I run the command “show routing route destination 10.155.7.33/32” showing nothing. Although I have matching route 10.115.7.0/24 in the routing table. If does not match, it should show 0/0 default route

    1. Hi,

      yes, you are displaying only the mere routing table and not an “intelligent query”. Please try:
      “test routing fib-lookup virtual-router default ip 10.155.7.33”
      This will show you the exit interface and the next-hop of the route.

  20. Hi,
    Can someone let know what’s a good way (if there is one) to check what debugs were configured and if someone failed to turn them off, and the CPU spikes happen, there should be a nice way to turn those off after seeing what set them on.
    I was told it is virtually impossible to see the active debugs and there is no ‘undebug all” cisco-fashion command on PA I suppose.

21. How do I delete/uninstall all the processes related to GlobalProtect Palo Alto using the command line? I think the command is set clean palo….. Not sure what exactly it is. Could you please provide me the command?

    Regards,
    Farhan

    1. Hi Farhan,
      I do not know what exactly you are searching for. Please use the “find” command to lookup all global-protect commands on the CLI:
      find command keyword global-protect

      If you want to change something on the configuration, enter the configuration mode with “configure” and display all global-protect configs with:
      show global-protect

      All commands are then under the following structure:
      set global-protect …

      However, it will be MUCH easier for you to do that within the GUI!
      Cheers,
      Johannes

  22. HI All ,

    Can any one tell me what is this dg-id when configuring device group from panorama CLI.

    Please find the below command.

    set device-group GNDC-GW-3050-Group external-list
    set device-group GNDC-GW-3050-Group pre-rulebase security rules
    set readonly dg-meta-data dginfo GNDC-GW-3050-Group dg-id 31
    set readonly dg-meta-data dginfo GNDC-GW-3050-Group parent-dg All-Perimeter-FW

    Regards
    ANANDHU
