PAN-OS 5.0 CLI Reference Guide

PAN-OS™ Command Line Interface Reference Guide Release 3.0

5/30/09 Final Review Draft- Palo Alto Networks COMPANY CONFIDENTIAL

Palo Alto Networks, Inc. www.paloaltonetworks.com © 2009 Palo Alto Networks. All rights reserved. Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners Part number: 810-000043-00A

May 30, 2009 - Palo Alto Networks COMPANY CONFIDENTIAL

Table of Contents Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Typographical Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Notes, Cautions, and Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Obtaining More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7 7 8 9 9 9 9

Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

11

Understanding the PAN-OS CLI Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Accessing the PAN-OS CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Understanding the PAN-OS CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . 13 Understanding the PAN-OS CLI Command Conventions . . . . . . . . . . . . . . . . . . . . 13 Understanding Command Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Using Operational and Configuration Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Displaying the PAN-OS CLI Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Using Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Understanding Command Option Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Restricting Command Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Understanding Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Referring to Firewall Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Chapter 2 Understanding CLI Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . .

21

Understanding Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Using Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Understanding the Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Navigating Through the Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Understanding Operational Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Palo Alto Networks

• 3

Chapter 3 Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . move . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . top . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45

Chapter 4 Operational Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug cpld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug dataplane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug device-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug dhcpd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug high-availability-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug ike . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug keymgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug log-receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug management-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug master-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug rasmgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug swm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug tac-login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug vardata-receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . grep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . less . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request comfort-page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4 •

51 53 54 55 56 57 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 75 76 77 78 79 81 82 84 85

Palo Alto Networks

request data-filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 request device-registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 request high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 request license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 request password-hash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 request restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 request ssl-output-text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 request ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 request support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 request system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 request tech-support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 request url-filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 request vpn-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 scp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 set application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 set cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 set clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 set ctd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 set data-access-password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 set logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 set management-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 set multi-vsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 set panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 set password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 set proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 set serial-number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 set session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 set shared-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 set ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 set target-vsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 set ts-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 set url-database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 set zip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 show admins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 show authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 show chassis-ready . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 show cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 show clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 show config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 show counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 show ctd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 show device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 show device-messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 show devicegroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 show dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 show high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 show interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 show jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 show local-user-db . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 show location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 show log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 show logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 show mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Palo Alto Networks

• 5

show management-clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show multi-vsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show pan-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show pan-ntlm-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show shared-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show target-vsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show ts-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show url-database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show virtual-wire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show zip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show zone-protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . tail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . tftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . view-pcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

143 144 145 146 147 148 149 150 154 156 157 158 160 162 163 164 165 166 167 168 170 171 172 173 174 175 176 178 180

Chapter 5 Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

183

Entering Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Using

Entering Maintenance Mode Upon Bootup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Entering Maintenance Mode Automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Appendix A Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

189

Firewall Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Panorama Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Appendix B PAN-OS CLI Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

255

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

259

6 •

Palo Alto Networks


Preface This preface contains the following sections:

•

“About This Guide” in the next section

•

“Organization” on page 7

•

“Typographical Conventions” on page 8

•

“Related Documentation” on page 9

•

“Obtaining More Information” on page 9

•

“Technical Support” on page 9

About This Guide This guide provides an overview of the PAN-OS™ command line interface (CLI), describes how to access and use the CLI, and provides command reference pages for each of the CLI commands. This guide is intended for system administrators responsible for deploying, operating, and maintaining the firewall and who require reference information about the PAN-OS CLI commands that they want to execute on a per-device basis. For an explanation of features and concepts, refer to the Palo Alto Networks Administrator’s Guide.

Organization This guide is organized as follows:

•

Chapter 1, “Introduction”—Introduces and describes how to use the PAN-OS CLI.

•

Chapter 2, “Understanding CLI Command Modes”—Describes the modes used to interact with the PAN-OS CLI.

•

Chapter 3, “Configuration Mode Commands”—Contains command reference pages for Configuration mode commands.

•

Chapter 4, “Operational Mode Commands”—Contains command reference pages for Operational mode commands.

Palo Alto Networks

Preface • 7

•

Chapter 5, “Maintenance Mode”—Describes how to enter Maintenance mode and use the Maintenance mode options.

•

Appendix A, “Configuration Hierarchy”—Contains command reference pages for Operational mode commands.

•

Appendix B, “PAN-OS CLI Keyboard Shortcuts”—Describes the keyboard shortcuts supported in the PAN-OS CLI.

Typographical Conventions This guide uses the following typographical conventions for special terms and instructions.

Convention

Meaning

Example

boldface

Names of commands, keywords, and selectable items in the web interface

Use the configure command to enter Configuration mode.

italics

Name of variables, files, configuration elements, directories, or Uniform Resource Locators (URLs)

The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com.

courier font

courier bold font

element2 is a required variable for the move command.

Command syntax, code examples, and screen output

The show arp all command yields this output:

Text that you enter at the command prompt

Enter the following command to exit from the current PAN-OS CLI level:

username@hostname> show arp all maximum of entries supported: 8192 default timeout: 1800 seconds total ARP entries in table: 0 total ARP entries shown: 0 status: s - static, c - complete, i - incomplete

# exit [ ] (text enclosed in angle brackets)

Optional parameters.

In the following command, 8bit and port are optional parameters. > telnet [8bit] [port] host

< > (text enclosed in square brackets)

Special keys or choice of required options.

indicates that the tab key is pressed.

| (pipe symbol)

Choice of values, indicated by a pipe symbol-separated list.

The request support command includes options to get support information from the update server or show downloaded support information:

> delete core file filename

> request support [check | info]

8 • Preface

Palo Alto Networks

Notes, Cautions, and Warnings This guide uses the following symbols for notes, cautions, and warnings.

Symbol

Description NOTE Indicates helpful suggestions or supplementary information. CAUTION Indicates information about which the reader should be careful to avoid data loss or equipment failure. WARNING Indicates potential danger that could involve bodily injury.

Related Documentation The following additional documentation is provided with the firewall:

•

Quick Start

•

Hardware Reference Guide

•

Palo Alto Networks Administrator’s Guide

Obtaining More Information To obtain more information about the firewall, refer to:

•

Palo Alto Networks website—Go to http://www.paloaltonetworks.com.

•

Online help—Click Help in the upper right corner of the GUI to access the online help system.

Technical Support For technical support, use the following methods:

•

Go to http://support.paloaltonetworks.com.

•

Call 1-866-898-9087 (U.S, Canada, and Mexico).

•

Email us at: [email protected].

Palo Alto Networks

Preface • 9

10 • Preface

Palo Alto Networks


Chapter 1

Introduction This chapter introduces and describes how to use the PAN-OS command line interface (CLI):

•

“Understanding the PAN-OS CLI Structure” in the next section

•

“Getting Started” on page 12

•

“Understanding the PAN-OS CLI Commands” on page 13

Understanding the PAN-OS CLI Structure The PAN-OS CLI allows you to access the firewall, view status and configuration information, and modify the configuration. Access to the PAN-OS CLI is provided through SSH, Telnet, or direct console access. The PAN-OS CLI operates in two modes:

•

Operational mode—View the state of the system, navigate the PAN-OS CLI, and enter configuration mode.

•

Configuration mode—View and modify the configuration hierarchy.

Chapter 3 describes each mode in detail.

Palo Alto Networks

Introduction • 11

Getting Started This section describes how to access and begin using the PAN-OS CLI:

•

“Before You Begin” in the next section

•

“Accessing the PAN-OS CLI” on page 12

Before You Begin Verify that the firewall is installed and that a SSH, Telnet, or direct console connection is established. Note: Refer to the Hardware Reference Guide for hardware installation information and to the Quick Start for information on initial device configuration.

Use the following settings for direct console connection:

•

Data rate: 9600

•

Data bits: 8

•

Parity: none

•

Stop bits: 1

•

Flow control: None

Accessing the PAN-OS CLI To access the PAN-OS CLI: 1.

Open the console connection.

2.

Enter the administrative user name. The default is admin.

3.

Enter the administrative password. The default is admin.

4.

The PAN-OS CLI opens in Operational mode, and the CLI prompt is displayed: username@hostname>

12 • Introduction

Palo Alto Networks

Understanding the PAN-OS CLI Commands This section describes how to use the PAN-OS CLI commands and display command options:

•

“Understanding the PAN-OS CLI Command Conventions” in the next section

•

“Understanding Command Messages” on page 14

•

“Using Operational and Configuration Modes” on page 15

•

“Displaying the PAN-OS CLI Command Options” on page 15

•

“Using Keyboard Shortcuts” on page 16

•

“Understanding Command Option Symbols” on page 17

•

“Understanding Privilege Levels” on page 18

•

“Referring to Firewall Interfaces” on page 19

Understanding the PAN-OS CLI Command Conventions The basic command prompt incorporates the user name and model of the firewall: username@hostname>

Example: username@hostname>

When you enter Configuration mode, the prompt changes from > to #: username@hostname> (Operational mode) username@hostname> configure Entering configuration mode [edit] (Configuration mode) username@hostname#

In Configuration mode, the current hierarchy context is shown by the [edit...] banner presented in square brackets when a command is issued. Refer to “Using the Edit Command” on page 26 for additional information on the edit command.

Palo Alto Networks

Introduction • 13

Understanding Command Messages Messages may be displayed when you issue a command. The messages provide context information and can help in correcting invalid commands. In the following examples, the message is shown in bold. Example: Unknown command username@hostname# application-group Unknown command: application-group [edit network] username@hostname#

Example: Changing modes username@hostname# exit Exiting configuration mode username@hostname>

Example: Invalid syntax username@hostname> debug 17 Unrecognized command Invalid syntax. username@hostname>

Each time you enter a command the syntax is checked. If the syntax is correct, the command is executed, and the candidate hierarchy changes are recorded. If the syntax is incorrect, an invalid syntax message is presented, as in the following example: username@hostname# set zone application 1.1.2.2 Unrecognized command Invalid syntax. [edit] username@hostname#

14 • Introduction

Palo Alto Networks

Using Operational and Configuration Modes When you log in, the PAN-OS CLI opens in Operational mode. You can move between Operational and Configuration modes at any time.

•

To enter Configuration mode from Operational mode, use the configure command: username@hostname> configure Entering configuration mode [edit] username@hostname#

•

To leave Configuration mode and return to Operational mode, use the quit or exit command: username@hostname# quit Exiting configuration mode username@hostname>

•

To enter an Operational mode command while in Configuration mode, use the run command, as described in “run” on page 40.

Displaying the PAN-OS CLI Command Options Use ? (or Meta-H) to display a list of command option, based on context:

•

To display a list of operational commands, enter ? at the command prompt. username@hostname> ? clear Clear runtime parameters configure Manipulate software configuration information debug Debug and diagnose exit Exit this session grep Searches file for lines containing a pattern match less Examine debug file content ping Ping hosts and networks quit Exit this session request Make system-level requests scp Use ssh to copy file to another host set Set operational parameters show Show operational parameters ssh Start a secure shell to another host tail Print the last 10 lines of debug file content telnet Start a telnet session to another host username@hostname>

Palo Alto Networks

Introduction • 15

•

To display the available options for a specified command, enter the command followed by ?. Example: admin@localhost> ping ? username@hostname> ping + bypass-routing Bypass routing table, use specified interface + count Number of requests to send (1..2000000000 packets) + do-not-fragment Don't fragment echo request packets (IPv4) + inet Force to IPv4 destination + interface Source interface (multicast, all-ones, unrouted packets) + interval Delay between requests (seconds) + no-resolve Don't attempt to print addresses symbolically + pattern Hexadecimal fill pattern + record-route Record and report packet's path (IPv4) + size Size of request packets (0..65468 bytes) + source Source address of echo request + tos IP type-of-service value (0..255) + ttl IP time-to-live value (IPv6 hop-limit value) (0..255 hops) + verbose Display detailed output + wait Delay after sending last packet (seconds) Hostname or IP address of remote host username@hostname> ping

Using Keyboard Shortcuts The PAN-OS CLI supports a variety of keyboard shortcuts. For a complete list, refer to Appendix B, “PAN-OS CLI Keyboard Shortcuts”. Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the Esc key.

16 • Introduction

Palo Alto Networks

Understanding Command Option Symbols The symbol preceding an option can provide additional information about command syntax, as described in Table 1.

Table 1. Option Symbols Symbol

Description

*

This option is required.

>

There are additional nested options for this command.

+

There are additional command options for this command at this level.

The following example shows how these symbols are used. Example: In the following command, the keyword from is required: username@hostname> scp import configuration ? + remote-port SSH port number on remote host * from Source (username@host:path) username@hostname> scp import configuration

Example: This command output shows options designated with + and >. username@hostname# set + action + application + description + destination + disabled + from + log-end + log-setting + log-start + negate-destination + negate-source + schedule + service + source + to > profiles [edit] username@hostname# set

rulebase security rules rule1 ? action application description destination disabled from log-end log-setting log-start negate-destination negate-source schedule service source to profiles Finish input rulebase security rules rule1

Each option listed with + can be added to the command. The profiles keyword (with >) has additional options: username@hostname# set rulebase security rules rule1 profiles ? + virus Help string for virus + spyware Help string for spyware + vulnerability Help string for vulnerability + group Help string for group Finish input [edit] username@hostname# set rulebase security rules rule1 profiles

Palo Alto Networks

Introduction • 17

Restricting Command Output Some operational commands include an option to restrict the displayed output. To restrict the output, enter a pipe symbol followed by except or match and the value that is to be excluded or included:

Example: The following sample output is for the show system info command: username@hostname> show system info hostname: PA-HDF ip-address: 10.1.7.10 netmask: 255.255.0.0 default-gateway: 10.1.0.1 mac-address: 00:15:E9:2E:34:33 time: Fri Aug 17 13:51:49 2007 uptime: 0 days, 23:19:23 devicename: PA-HDF family: i386 model: pa-4050 serial: unknown sw-version: 1.5.0.0-519 app-version: 25-150 threat-version: 0 url-filtering-version: 0 logdb-version: 1.0.8 username@hostname>

The following sample displays only the system model information: username@hostname> show system info | match model model: pa-4050 username@hostname>

Understanding Privilege Levels Privilege levels determine which commands the user is permitted to execute and the information the user is permitted to view. Table 2 describes the PAN-OS CLI privilege levels.

Table 2. Privilege Levels Level

Description

superuser

Has full access to the firewall and can define new administrator accounts and virtual systems.

superreader

Has complete read-only access to the firewall.

vsysadmin

Has full access to a selected virtual system on the firewall.

vsysreader

Has read-only access to a selected virtual system on the firewall.

18 • Introduction

Palo Alto Networks

Referring to Firewall Interfaces The Ethernet interfaces are numbered from left to right and top to bottom on the firewall, as shown in Figure 1. ethernet1/1

ethernet1/15

1

3

5

7

9

11

13

15

2

4

6

8

10

12

14

16

ethernet1/2

ethernet1/16

Figure 1. Firewall Ethernet Interfaces Use these names when referring to the Ethernet interfaces within the PAN-OS CLI commands, as in the following example: username@hostname# set network interface ethernet ethernet1/4 virtual-wire

Palo Alto Networks

Introduction • 19

20 • Introduction

Palo Alto Networks


Chapter 2

Understanding CLI Command Modes This chapter describes the modes used to interact with the PAN-OS CLI:

•

“Understanding Configuration Mode” in the next section

•

“Understanding Operational Mode” on page 27

Understanding Configuration Mode When you enter Configuration mode and enter commands to configure the firewall, you are modifying the candidate configuration. The modified candidate configuration is stored in firewall memory and maintained while the firewall is running. Each configuration command involves an action, and may also include keywords, options, and values. Entering a command makes changes to the candidate configuration. This section describes Configuration mode and the configuration hierarchy:

•

“Using Configuration Mode Commands” in the next section

•

“Understanding the Configuration Hierarchy” on page 23

•

“Navigating Through the Hierarchy” on page 25

Using Configuration Mode Commands Use the following commands to store and apply configuration changes (see Figure 2):

•

save command—Saves the candidate configuration in firewall non-volatile storage. The saved configuration is retained until overwritten by subsequent save commands. Note that this command does not make the configuration active.

•

commit command—Applies the candidate configuration to the firewall. A committed configuration becomes the active configuration for the device.

•

set command—Changes a value in the candidate configuration.

•

load command—Assigns the last saved configuration or a specified configuration to be the candidate configuration.

Palo Alto Networks

Understanding CLI Command Modes • 21

Example: Make and save a configuration change. username@hostname# rename zone untrust to untrust1

command)

(enter a configuration

[edit] username@hostname# save config to snapshot.xml Config saved to .snapshot.xml [edit] username@hostname#

Example: Make a change to the candidate configuration. [edit] username@hostname# set network interface vlan ip 1.1.1.4/24 [edit] username@hostname#

Example: Make the candidate configuration active on the device. [edit] username@hostname# commit [edit] username@hostname#

Note: If you exit Configuration mode without issuing the save or commit command, your configuration changes could be lost if power is lost to the firewall.

Active Configuration

Saved Configuration

Candidate Configuration

Commit

Save Load Set

Figure 2. Configuration Mode Command Relationship

22 • Understanding CLI Command Modes

Palo Alto Networks

Maintaining a candidate configuration and separating the save and commit steps confers important advantages when compared with traditional CLI architectures:

•

Distinguishing between the save and commit concepts allows multiple changes to be made at the same time and reduces system vulnerability. For example, if you want to remove an existing security policy and add a new one, using a traditional CLI command structure would leave the system vulnerable for the period of time between removal of the existing security policy and addition of the new one. With the PAN-OS approach, you configure the new security policy before the existing policy is removed, and then implement the new policy without leaving a window of vulnerability.

•

You can easily adapt commands for similar functions. For example, if you are configuring two Ethernet interfaces, each with a different IP address, you can edit the configuration for the first interface, copy the command, modify only the interface and IP address, and then apply the change to the second interface.

•

The command structure is always consistent. Because the candidate configuration is always unique, all the authorized changes to the candidate configuration will be consistent with each other.

Understanding the Configuration Hierarchy The configuration for the firewall is organized in a hierarchical structure. To display a segment of the current hierarchy, use the show command. Entering show displays the complete hierarchy, while entering show with keywords displays a segment of the hierarchy. For example, the following command displays the configuration hierarchy for the ethernet interface segment of the hierarchy: username@hostname# show network interface ethernet ethernet { ethernet1/1 { virtual-wire; } ethernet1/2 { virtual-wire; } ethernet1/3 { layer2 { units { ethernet1/3.1; } } } ethernet1/4; } [edit] username@hostname#

Palo Alto Networks


Understanding Hierarchy Paths When you enter a command, path is traced through the hierarchy, as shown in Figure 3. network

profiles interface

...

vlan

... ethernet

virtual-wire virtual-router

...

aggregate-ethernet vlan

...

ethernet1/1

link-duplex auto

... loopback

...

ethernet1/2

ethernet1/3 ethernet1/4

link-state up

virtual-wire link-speed 1000

...

Figure 3. Sample Hierarchy Segment For example, the following command assigns the IP address/netmask 10.1.1.12/24 to the Layer 3 interface for the Ethernet port ethernet1/4: [edit] username@hostname# set network interface ethernet ethernet1/4 layer3 ip 10.1.1.12/24 [edit] username@hostname#

This command generates a new element in the hierarchy, as shown in Figure 4 and in the output of the following show command: [edit] username@hostname# show network interface ethernet ethernet1/4 ethernet1/4 { layer3 { ip { 10.1.1.12/24; } } } [edit] username@hostname#


Palo Alto Networks

network

profiles interface

...

vlan

... ethernet

virtual-wire virtual-router

...

aggregate-ethernet vlan

...

ethernet1/1

ethernet1/2

... loopback

...

...

ethernet1/3 ethernet1/4

ip

10.1.1.12/24

Figure 4. Sample Hierarchy Segment

Navigating Through the Hierarchy The [edit...] banner presented below the Configure mode command prompt line shows the current hierarchy context. For example, the banner [edit]

indicates that the relative context is the top level of the hierarchy, whereas [edit network profiles]

indicates that the relative context is at the network profiles node. Use the commands listed in Table 3 to navigate through the configuration hierarchy.

Table 3. Navigation Commands Command

Description

edit

Sets the context for configuration within the command hierarchy.

up

Changes the context to the next higher level in the hierarchy.

top

Changes the context to the highest level in the hierarchy.

Palo Alto Networks


Using the Edit Command Use the edit command to change context to lower levels of the hierarchy, as in the following examples:

•

Move from the top level to a lower level: [edit] (top level) username@hostname# edit network [edit network] username@hostname# (now at the network

level)

[edit network]

•

Move from one level to a lower level: [edit network] (network level) username@hostname# edit interface [edit network interface] admin@abce# (now at the network

interface level)

Using the Up and Top Commands Use the up and top commands to move to higher levels in the hierarchy:

•

up—changes the context to one level up in the hierarchy. Example: [edit network interface] admin@abce# up [edit network] username@hostname#

•

(network level)

(now at the network level)

top—changes context to the top level of the hierarchy. Example: [edit network interface vlan] username@hostname# top [edit] username@hostname#

(network vlan level)

(now at network vlan level)

Note: The set command issued after using the up and top commands starts from the new context.


Palo Alto Networks

Understanding Operational Mode When you first log in, the PAN-OS CLI opens in Operational mode. Operational mode commands involve actions that are executed immediately. They do not involve changes to the configuration, and do not need to be saved or committed. Operational mode commands are of several types:

•

Network access—Open a window to another host. Includes ssh and telnet commands.

•

Monitoring and troubleshooting—Perform diagnosis and analysis. Includes debug and ping commands.

•

Display commands—Display or clear current information. Includes clear and show commands.

•

PAN-OS CLI navigation commands—Enter Configure mode or exit the PAN-OS CLI. Includes configure, exit, and quit commands.

•

System commands—Make system-level requests or restart. Includes set and request commands.

Palo Alto Networks



Palo Alto Networks


Chapter 3

Configuration Mode Commands This chapter contains command reference pages for the following Configuration mode command types:

•

“check” on page 30

•

“commit” on page 31

•

“copy” on page 32

•

“delete” on page 33

•

“edit” on page 34

•

“exit” on page 35

•

“load” on page 36

•

“move” on page 37

•

“quit” on page 38

•

“rename” on page 39

•

“run” on page 40

•

“save” on page 41

•

“set” on page 42

•

“show” on page 43

•

“top” on page 44

•

“up” on page 45

Palo Alto Networks

Configuration Mode Commands • 29

check

check Check configuration status.

Syntax check option

Options data-access-passwd

Check data access authentication status for this session.

pending-changes

Check for uncommitted changes.

Sample Output The following command shows that there are currently no uncommitted changes. username@hostname# check pending-changes no [edit] username@hostname#

Required Privilege Level superuser, vsysadmin, deviceadmin

30 • Configuration Mode Commands

Palo Alto Networks

commit

commit Make the current candidate configuration the active configuration on the firewall.

Syntax commit

Options None

Sample Output The following command makes the current candidate configuration the active configuration. # commit


Palo Alto Networks


copy

copy Make a copy of a node in the hierarchy along with its children, and add the copy to the same hierarchy level.

Syntax copy [node1] to [node2]

Options node1

Specifies the node to be copied.

node2

Specifies the name of the copy.

Sample Output The following command, executed from the rule base security level of the hierarchy, makes a copy of rule1, called rule2. [edit rulebase security] username@hostname# copy rules rule1 to rule2 [edit rulebase security] username@hostname#

The following command shows the location of the new rule in the hierarchy. [edit rulebase security] username@hostname# show security { rules { rule1 { source [ any 1.1.1.1/32 ]; destination 1.1.1.2/32; } rule2 { source [ any 1.1.1.1/32 ]; destination 1.1.1.2/32; } } }



Palo Alto Networks

delete

delete Remove a node from the candidate configuration along with all its children. Note: No confirmation is requested when this command is entered.

Syntax delete [node]

Options node

Specifies the hierarchy node to delete.

Sample Output The following command deletes the application myapp from the candidate configuration. username@hostname# delete application myapp [edit] username@hostname#


Palo Alto Networks


edit

edit Change context to a lower level in the configuration hierarchy.

Syntax edit [context]

Options context

Specifies a path through the hierarchy.

Sample Output The following command changes context from the top level to the network profiles level of the hierarchy. [edit] username@hostname# edit rulebase [edit rulebase] username@hostname#



Palo Alto Networks

exit

exit Exit from the current PAN-OS CLI level.

•

From Operational mode—Exits the PAN-OS CLI.

•

From Configuration mode, top hierarchy level—Exits Configuration mode, returning to Operational mode.

•

From Configuration mode, lower hierarchy levels—Changes context to one level up in the hierarchy. Provides the same result as the up command. Note: The exit command is the same as the quit command.

Syntax exit

Options None

Sample Output The following command changes context from the network interface level to the network level. [edit network interface] username@hostname# exit [edit network] username@hostname#

The following command changes from Configuration mode to Operational mode. [edit] username@hostname# exit Exiting configuration mode username@hostname>

Required Privilege Level All

Palo Alto Networks


load

load Assigns the last saved configuration or a specified configuration to be the candidate configuration.

Syntax load config [from filename]

Options filename

Specifies the filename from which the configuration will be loaded.

Sample Output The following command assigns output.xml to be the candidate configuration. [edit] username@hostname# load config from output.xml command succeeded [edit] username@hostname#



Palo Alto Networks

move

move Relocate a node in the hierarchy along with its children to be at another location at the same hierarchy level.

Syntax move element [bottom | top | after element | before element]

Options element

Specifies the items to be moved.

element placement

Specifies the new location of the element:

element2

Option

Description

bottom

Makes the element the last entry of the hierarchy level.

top

Makes the element the first entry of the hierarchy level.

after

Moves element to be after element2.

before

Moves element to be before element2.

Indicates the element after or before which element1 will be placed.

Sample Output The following command moves the security rule rule1 to the top of the rule base. username@hostname# move rulebase security rules rule1 top [edit] username@hostname#


Palo Alto Networks


quit

quit Exit from the current PAN-OS CLI level.

•

From Operational mode—Exits the PAN-OS CLI.

•

From Configuration mode, top hierarchy level—Exits Configuration mode, returning to Operational mode.

•

From Configuration mode, lower hierarchy levels—Changes context to one level up in the hierarchy. Provides the same result as the up command. Note: The exit and quit commands are interchangeable.

Syntax quit

Options None

Sample Output The following command changes context from the network interface level to the network level. [edit log-settings] username@hostname# quit [edit] username@hostname#

The following command changes from Configuration mode to Operational mode. [edit] username@hostname# quit Exiting configuration mode username@hostname>



Palo Alto Networks

rename

rename Change the name of a node in the hierarchy.

Syntax rename [node1] to [node2]

Options node1

Indicates the original node name.

node2

Indicates the new node name.

Sample Output The following command changes the name of a node in the hierarchy from 1.1.1.1/24 to 1.1.1.2/24. username@hostname# rename network interface vlan ip 1.1.1.1/24 to 1.1.1.2/24


Palo Alto Networks


run

run Execute an Operational mode command while in Configuration mode.

Syntax run [command]

Options command

Specifies an Operational mode command.

Sample Output The following command executes a ping command to the IP address 1.1.1.2 from Configuration mode. username@hostname# run ping 1.1.1.2 PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data. ... username@hostname#



Palo Alto Networks

save

save Saves a snapshot of the firewall configuration. Note: This command saves the configuration on the firewall, but does not make the configuration active. Use the commit command to make the current candidate configuration active.

Syntax save config [to filename]

Options filename

Specifies the filename to store the configuration. The filename cannot include a hyphen (-).

Sample Output The following command saves a copy of the configuration to the file savefile. [edit] username@hostname# save config to savefile Config saved to savefile [edit] username@hostname#


Palo Alto Networks


set

set Changes a value in the candidate configuration. Changes are retained while the firewall is powered until overwritten. Note: To save the candidate configuration in non-volatile storage, use the save command. To make the candidate configuration active, use the commit command.

Syntax set [context]

Options context


Sample Output The following command assigns the ethernet1/4 interface to be a virtual wire interface. [edit] username@hostname# set network interface ethernet ethernet1/1 virtual-wire

[edit] username@hostname#

The following command sets the VLAN IP address to 1.1.1.4/32 from the network interface vlan level of the hierarchy. [edit network interface vlan] username@hostname# set ip 1.1.1.4/32 [edit network interface vlan] username@hostname#

The following command locks an administrative user out for 15 minutes after 5 failed login attempts. username@hostname# set deviceconfig setting management admin-lockout 5 lockout-time 15



Palo Alto Networks

show

show Display information about the current candidate configuration.

Syntax show [context]

Options context


Sample Output The following command shows the full candidate hierarchy. username@hostname# show

The following commands can be used to display the hierarchy segment for network interface.

•

Specify context on the command line: show network interface

•

Use the edit command to move to the level of the hierarchy, and then use the show command without specifying context: edit network interface [edit network interface] show


Palo Alto Networks


top

top Change context to the top hierarchy level.

Syntax top

Options None

Sample Output The following command changes context from the network level of the hierarchy to the top level. [edit network] username@hostname# top [edit] username@hostname#



Palo Alto Networks

up

up Change context to the next higher hierarchy level.

Syntax up

Options None

Sample Output The following command changes context from the network interface level of the hierarchy to the network level. [edit network interface] username@hostname# up [edit network] username@hostname#


Palo Alto Networks


up


Palo Alto Networks


Chapter 4

Operational Mode Commands This chapter contains command reference pages for the following operational mode commands:

•

“clear” on page 51

•

“configure” on page 53

•

“debug captive-portal” on page 54

•

“debug cli” on page 55

•

“debug cpld” on page 56

•

“debug dataplane” on page 57

•

“debug device-server” on page 59

•

“debug dhcpd” on page 60

•

“debug high-availability-agent” on page 61

•

“debug ike” on page 62

•

“debug keymgr” on page 63

•

“debug log-receiver” on page 64

•

“debug management-server” on page 65

•

“debug master-service” on page 66

•

“debug rasmgr” on page 67

•

“debug routing” on page 68

•

“debug software” on page 69

•

“debug swm” on page 70

•

“debug tac-login” on page 71

•

“debug vardata-receiver” on page 72

Palo Alto Networks

Operational Mode Commands • 47

•

“delete” on page 73

•

“exit” on page 75

•

“grep” on page 76

•

“less” on page 77

•

“netstat” on page 78

•

“ping” on page 79

•

“quit” on page 81

•

“request certificate” on page 82

•

“request comfort-page” on page 84

•

“request content” on page 85

•

“request data-filtering” on page 86

•

“request device-registration” on page 87

•

“request high-availability” on page 88

•

“request license” on page 89

•

“request password-hash” on page 90

•

“request restart” on page 91

•

“request ssl-output-text” on page 92

•

“request ssl-vpn” on page 93

•

“request support” on page 94

•

“request system” on page 95

•

“request tech-support” on page 96

•

“request url-filtering” on page 97

•

“request vpn-client” on page 98

•

“scp” on page 99

•

“set application” on page 101

•

“set cli” on page 102

•

“set clock” on page 103

•

“set ctd” on page 104

•

“set data-access-password” on page 105

•

“set logging” on page 106

•

“set management-server” on page 107

48 • Operational Mode Commands

Palo Alto Networks

•

“set multi-vsys” on page 108

•

“set panorama” on page 109

•

“set password” on page 110

•

“set proxy” on page 111

•

“set serial-number” on page 112

•

“set session” on page 113

•

“set shared-policy” on page 115

•

“set ssl-vpn” on page 116

•

“set target-vsys” on page 117

•

“set ts-agent” on page 118

•

“set url-database” on page 119

•

“set zip” on page 120

•

“show admins” on page 121

•

“show arp” on page 122

•

“show authentication” on page 123

•

“show chassis-ready” on page 124

•

“show cli” on page 125

•

“show clock” on page 126

•

“show config” on page 127

•

“show counter” on page 128

•

“show ctd” on page 129

•

“show device” on page 130

•

“show device-messages” on page 131

•

“show devicegroups” on page 132

•

“show dhcp” on page 133

•

“show high-availability” on page 134

•

“show interface” on page 135

•

“show jobs” on page 136

•

“show local-user-db” on page 137

•

“show location” on page 138

•

“show log” on page 139

Palo Alto Networks


•

“show logging” on page 141

•

“show mac” on page 142

•

“show management-clients” on page 143

•

“show multi-vsys” on page 144

•

“show pan-agent” on page 145

•

“show pan-ntlm-agent” on page 146

•

“show proxy” on page 147

•

“show query” on page 148

•

“show report” on page 149

•

“show routing” on page 150

•

“show session” on page 154

•

“show ssl-vpn” on page 157

•

“show statistics” on page 158

•

“show system” on page 160

•

“show target-vsys” on page 162

•

“show threat” on page 163

•

“show ts-agent” on page 164

•

“show url-database” on page 165

•

“show virtual-wire” on page 166

•

“show vlan” on page 167

•

“show vpn” on page 168

•

“show zip” on page 170

•

“show zone-protection” on page 171

•

“ssh” on page 172

•

“tail” on page 173

•

“telnet” on page 174

•

“test” on page 175

•

“tftp” on page 176

•

“traceroute” on page 178

•

“view-pcap” on page 180


Palo Alto Networks

clear

clear Reset information, counters, sessions, or statistics.

Syntax clear application-signature statistics clear arp clear counter clear dhcp lease clear high-availability control-link statistics clear job jobid clear log type clear mac clear query clear report clear session clear statistics clear vpn

Options applicationsignature statistics

Clears application-signature statistics.

arp

Clears Address Resolution Protocol (ARP) information for a specified interface, loopback, or VLAN, or all.

counter

Clears interface counters. Specify all counters, global counters, or interface counters.

dhcp lease

Clears DHCP leases. Specify all or specify an interface and optional IP address.

job

Clears download jobs. Specify the job id.

log

Remove log files from disk. Specify the log type: acc, config, system, threat, or traffic.

mac

Clears MAC address information for a specified VLAN or all addresses.

session

Clears a specified session or all sessions. Refer to “show session” on page 154 for a description of the filter options when clearing all sessions.

Palo Alto Networks


clear

statistics

Clears all statistics.

vpn

Clears IKE or IPSec VPN run-time objects: flow

Clears the VPN tunnel on the data plane. Specify the tunnel or press Enter to apply to all tunnels.

ike-sa

Removes the active IKE SA and stops all ongoing key negotiations. Specify the gateway or press Enter to apply to all gateways.

ipsec-sa

Deactivate the IPsec SA for a tunnel or all tunnels. Specify the tunnel or press Enter to apply to all tunnels.

Sample Output The following command clears the session with ID 2245. username@hostname> clear session id 2245 Session 2245 cleared username@hostname>



Palo Alto Networks

configure

configure Enter Configuration mode.

Syntax configure

Options None

Sample Output To enter Configuration mode from Operational mode, enter the following command. username@hostname> configure Entering configuration mode [edit] username@hostname#


Palo Alto Networks


debug captive-portal

debug captive-portal Define settings for debugging the captive portal daemon.

Syntax debug captive-portal option

Options show

Shows whether this command is on or off.

off

Turns the debugging option off.

on

Turns the debugging option on.

Sample Output The following command turns the debugging option on. admin@PA-HDF> debug captive-portal on admin@PA-HDF>

Required Privilege Level superuser vsysadmin


Palo Alto Networks

debug cli

debug cli Define settings and display information for debugging the CLI connection.

Syntax debug cli option

Options detail

Shows details information about the CLI connection.

show


off


on


Sample Output The following command shows details of the CLI connection. admin@PA-HDF> debug cli detail Environment variables : (USER . admin) (LOGNAME . admin) (HOME . /home/admin) (PATH . /usr/local/bin:/bin:/usr/bin) (MAIL . /var/mail/admin) (SHELL . /bin/bash) (SSH_CLIENT . 10.31.1.104 1109 22) (SSH_CONNECTION . 10.31.1.104 1109 10.1.7.2 22) (SSH_TTY . /dev/pts/0) (TERM . vt100) (LINES . 24) (COLUMNS . 80) (PAN_BASE_DIR . /opt/pancfg/mgmt) PAN_BUILD_TYPE : DEVELOPMENT

Total Heap : 7.00 M Used : 5.51 M Nursery : 0.12 M admin@PA-HDF>


Palo Alto Networks


debug cpld

debug cpld Debug the complex programmable logic device (CPLD).

Syntax debug cpld

Options None

Sample Output N/A



Palo Alto Networks

debug dataplane

debug dataplane Configure settings for debugging the data plane.

Syntax debug dataplane option

Options The available sub-options depend on the specified option. clear

Clear all dataplane debug logs.

device

Debug dataplane hardware component.

drop-filter

Define a filter to capture dropped packets.

filter

Determine the packets to capture or send to a debug log file.

fpga

Debug the field programmable gate array (FPGA).

get

Show current dataplane debug settings.

internal

Debug the dataplane internal state.

memory

Examine dataplane memory.

mode

Control dataplane debug logging mode.

off

Turn off dataplane debug logging.

on

Turn on dataplane debug logging.

pool

Debug buffer pools, including checks of hardware and software utilization and buffer pool statistics.

pow

Debug packet scheduling engine.

process

Debug the dataplane process for the high-availability agent (ha-agent) and management plane relay agent (mprelay).

reset

Reset settings for debugging the data plane.

set

Specify parameters for dataplane debugging

show

Show dataplane running information.

task-heartbeat

Debug dataplane task heartbeat.

unset

Clear the previously-set parameters for dataplane debugging

Palo Alto Networks


debug dataplane

Sample Output The following command shows the statistics for the dataplane buffer pools. admin@PA-HDF> debug dataplane pool statistics

The following command turns dataplane filtering on and sets filter parameters. admin@PA-HDF> debug dataplane filter on admin@PA-HDF> debug dataplane filter set source 10.1 11.2.3 file abc.pcap



Palo Alto Networks

debug device-server

debug device-server Configure settings for debugging the device server.

Syntax debug device-server option

Options clear

Clear all debug logs.

dump

Dump the debug data.

off

Turn off debug logging.

on

Turn on debug logging.

refresh

Refresh the user-group data.

reset

Clear logging data.

set

Set debugging values.

show

Display current debug log settings.

test

Test the current settings.

uset

Remove current settings.

Sample Output The following command turns off debug logging for the device server. admin@PA-HDF> debug device-server off admin@PA-HDF>


Palo Alto Networks


debug dhcpd

debug dhcpd Configure settings for debugging the Dynamic Host Configuration Protocol (DHCP) daemon.

Syntax debug dhcpd option

Options global

Define settings for the global DHCP daemon.

pcap

Define settings for debugging packet capture.

Sample Output The following command shows current global DHCP daemon settings. admin@PA-HDF> debug dhcpd global show sw.dhcpd.runtime.debug.level: debug admin@PA-HDF>



Palo Alto Networks

debug high-availability-agent

debug high-availability-agent Configure settings for debugging the high availability agent.

Syntax debug high-availability-agent option

Options clear

Clear the debug logs.

internal-dump

Dump the internal state of the agent to its log.

model-check

Turn model checking with the peer on or off.

off


on


show


Sample Output The following command turns modeling checking on for the high availability agent. admin@PA-HDF> debug high-availability-agent model-check on admin@PA-HDF>


Palo Alto Networks


debug ike

debug ike Configure settings for debugging Internet Key Exchange (IKE) daemon.

Syntax debug ike option

Options global

Configure global settings.

pcap

Configure packet capture settings.

socket

Configure socket settings.

stat

Show IKE daemon statistics.

Sample Output The following command turns on the global options for debugging the IKE daemon. admin@PA-HDF> debug ike global on admin@PA-HDF>



Palo Alto Networks

debug keymgr

debug keymgr Configure settings for debugging the key manager daemon.

Syntax debug keymgr option

Options list-sa

Lists the IPSec security associations (SAs) that are stored in the key manager daemon.

off

Turn the settings off.

on

Turn the settings on.

show

Show key manager daemon information.

Sample Output The following command shows the current information on the key manager daemon. admin@PA-HDF> debug keymgr show sw.keymgr.debug.global: normal admin@PA-HDF>


Palo Alto Networks


debug log-receiver

debug log-receiver Configure settings for debugging the log receiver daemon.

Syntax debug log-receiver option

Options off


on


show


statistics

Show log receiver daemon statistics.

Sample Output The following command turns log receiver debugging on. admin@PA-HDF> debug log-receiver on admin@PA-HDF>



Palo Alto Networks

debug management-server

debug management-server Configure settings for debugging the management server.

Syntax debug management-server option

Options clear


client

Debug the management server client.

off

Turn debugging off

on

Turn debugging on.

phased-commit

Set experimental mode for committing in phases.

show

Show management server debug statistics.

Sample Output The following example turns management server debugging on. admin@PA-HDF> debug management-server on (null) admin@PA-HDF>


Palo Alto Networks


debug master-service

debug master-service Configure settings for debugging the master service.

Syntax debug master-service option

Options clear


internal-dump

Dump the internal state of the server to the log.

off

Turn debugging off

on

Turn debugging on.

show

Show debug settings.

Sample Output The following command dumps the internal state of the master server to the log. admin@PA-HDF> debug master-service internal-dump admin@PA-HDF>



Palo Alto Networks

debug rasmgr

debug rasmgr Configure settings for debugging the remote access service daemon.

Syntax debug rasmgr option

Options show

Show whether this command is on or off.

off

Turn the debugging option off.

on

Turn the debugging option on.

Sample Output The following command shows the debug settings for the remote access service daemon. admin@PA-HDF> debug rasmgr show sw.rasmgr.debug.global: normal admin@PA-HDF>


Palo Alto Networks


debug routing

debug routing Configure settings for debugging the route daemon.

Syntax debug routing option

Options fib

Turn on debugging for the forwarding table.

global

Turn on global debugging.

list-mib Show the routing list with management information base (MIB) names. mib

Show the MIB tables.

pcap

Show packet capture data.

socket

Show socket data.

Sample Output The following command displays the MIB tables for routing. admin@PA-HDF> debug routing list-mib i3EmuTable (1 entries) ========================== sckTable (0 entries) sckSimInterfaceTable (0 entries) sckEiTable (0 entries) sckEaTable (0 entries) i3Table (0 entries) i3EiTable (0 entries) i3EaTable (0 entries) i3EtTable (0 entries) i3EmTable (0 entries) dcSMLocationTable (0 entries) dcSMHMTestActionObjects (0 entries) siNode (0 entries) siOSFailures (0 entries) siTraceControl (0 entries) siExecAction (0 entries) ... admin@PA-HDF>



Palo Alto Networks

debug software

debug software Restart software processes to aid debugging.

Syntax debug software restart option

Options device-server

Restart the device server.

management-server

Restart the management server.

web-server

Restart the web server.

Sample Output The following command restarts the web server. admin@PA-HDF> debug software restart web-server admin@PA-HDF>


Palo Alto Networks


debug swm

debug swm Configure settings for debugging the Palo Alto Networks software manager.

Syntax debug swm option

Options command

Run a software manager command.

history

Show the history of software installation operations.

list

List software versions that are available for installation.

refresh

Revert back to the last successfully installed content.

revert

Revert back to the last successfully installed software.

status

Show the status of the software manager.

unlock

Unlock the software manager.

Sample Output The following command shows the list of available software versions. admin@PA-HDF> debug swm list 3.0.0-c4.dev 3.0.0-c1.dev_base 2.0.0-c207 2.0.0-c206 admin@PA-HDF>



Palo Alto Networks

debug tac-login

debug tac-login Configure settings for debugging the Palo Alto Networks Technical Assistance Center (TAC) connection.

Syntax debug tac-login option

Options enable

Enable TAC login.

disable

Disable TAC login.

permanently-disable

Turn off TAC login debugging permanently.

Sample Output The following command turns TAC login debugging on. admin@PA-HDF> debug tac-login on admin@PA-HDF>


Palo Alto Networks


debug vardata-receiver

debug vardata-receiver Configure settings for debugging the variable data daemon.

Syntax debug vardata-receiver option

Options off


on


show


statistics

Show log receiver daemon statistics.

Sample Output The following command shows statistics for the variable data daemon. admin@PA-HDF> debug vardata-receiver statistics admin@PA-HDF>



Palo Alto Networks

delete

delete Remove files from disk or restore default comfort pages, which are presented when files or URLs are blocked.

Syntax delete item

Options item

Palo Alto Networks

Specifies the type of file to be deleted. Option

Description

captive-portal-text

Text included in a captive portal.

config saved filename

Saved configuration file.

content update filename

Content updates.

core file filename

Control or data plane cores.

data-capture directoryname

Data capture files.

debug-filter file filename

Debugging packet capture files on disk.

file-block-page

Page presented to users when files are blocked. Restores default page.

inbound-key filename

SSL inbound proxy keys on disk.

license key filename

License key file.

logo

Custom logo file.

pcap file filename

Packet capture files.

policy-cache

Cached policy compilations

report file-name filename report-name report

Specified report with file name and report name.

root-certificate file filename

Root certificates.


delete

item (cont’d)

Specifies the type of file to be deleted. Option

Description

software image imagename version versionname

Software image.

spyware-block-page

Page presented to users when web pages are blocked due to spyware. Restores default page.

ssl-optout-text

Page presented to users when a web session is to be decrypted. Restores default page.

threat-pcap directory directoryname

Threat packet capture files in a specified directory.

unknown-pcap directory directoryname

Packet capture files for unknown sessions.

url-block-page

Page presented to users when web pages are blocked. Restores default page.

url-coach-text

Page presented to users. Restores default page.

user-file ssh-known-hosts

SSH known hosts file.

virus-block-page

Page presented to users when web pages are blocked. Restores default page.

Sample Output The following command deletes the custom page presented to users when web pages are blocked due to spyware. username@hostname> delete spyware-block-page username@hostname>



Palo Alto Networks

exit

exit Exit the PAN-OS CLI. Note: The exit command is the same as the quit command.

Syntax exit

Options None

Sample Output N/A


Palo Alto Networks


grep

grep Find and list lines from log files that match a specified pattern.

Syntax grep [after-context number] [before-context number] [context number] [count] [ignore-case] [invert-match] [line-number] [max-count] [nofilename] [with-filename] pattern file

Options after-context

Prints the matching lines plus the specified number of lines that follow the matching lines.

before-context

Prints the matching lines plus the specified number of lines that precede the matching lines.

context

Prints the specified number of lines in the file for output context.

count

Prints a count of matching files for each input file.

ignore-case

Ignores case distinctions.

invert-match

Selects non-matching lines instead of matching lines.

line-number

Adds the line number at the beginning of each line of output.

max-count

Stops reading a file after the specified number of matching lines.

no-filename

Does not add the filename prefix for output.

with-filename

Prints the file name for each match.

pattern

Indicates the string to be matched.

file

Indicates the log file to be searched.

Sample Output The following command searches the ms.log file for occurrences of the string id:admin. username@hostname> grep id:admin /var/log/pan/ms.log username@hostname>



Palo Alto Networks

less

less List the contents of the specified log file.

Syntax less type file

Options type

Indicates the type of log file to be searched: • custom-page • dp-backtrace • dp-log • mp-backtrace • mp-log • webserver-log

file

Indicates the log file to be searched:

Sample Output The following command lists the contents of the web server error log. username@hostname> default:2 main default:2 main default:2 main default:2 main default:2 main default:2 main default:2 main default:2 main default:2 main default:2 main ...

less webserver-log error.log Configuration for Mbedthis Appweb -------------------------------------------Host: pan-mgmt2 CPU: i686 OS: LINUX Distribution: unknown Unknown OS: LINUX Version: 2.4.0.0 BuildType: RELEASE Started at: Mon Mar 2 12


Palo Alto Networks


netstat

netstat Displays packet capture file content.

Syntax netstat type

Options type

Indicates the packet capture file type: • all—Display all sockets (default: connected). • cache—Display routing cache instead of Forwarding Information Base (FIB). • continuous—Continuous listing. • extend—Display other/more information. • fib—Display FIB (default). • groups—Display multicast group memberships. • interfaces—Display interface table. • listening—Display listening server sockets. • numeric—Do not resolve names. • numeric-hosts—Do not resolve host names. • numeric-ports—Do not resolve port names. • numeric-users—Do not resolve user names. • programs—Display PID/Program name for sockets. • route—Display routing table. • statistics—Display networking statistics (like SNMP). • symbolic—Resolve hardware names. • timers—Display timers. • verbose—Display full details.

no | yes

Indicates whether the specified option is included in the output.

Sample Output The following command shows an excerpt from the output of the netstat command. username@hostname> netstat all yes ... Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 5366 /tmp/ssh-lClRtS1936/ agent.1936 unix 2 [ ] DGRAM 959 @/org/kernel/udev/udevd unix 18 [ ] DGRAM 4465 /dev/log ...



Palo Alto Networks

ping

ping Check network connectivity to a host.

Syntax ping [bypass-routing] [count] [do-not-fragment] [inet] [no resolve] [pattern] [size] [source] [tos] [ttl] host

Options bypass-routing

Sends the ping request directly to the host on a direct attached network, bypassing usual routing table.

count

Specifies the number of ping requests to be sent.

do-not-fragment

Prevents packet fragmentation by use of the do-not-fragment bit in the packet’s IP header.

inet

Specifies that the ping packets will use IP version 4.

interval

Specifies how often the ping packets are sent (0 to 2000000000 seconds).

no-resolve

Provides IP address only without resolving to hostnames.

pattern

Specifies a custom string to include in the ping request. You can specify up to 12 padding bytes to fill out the packet that is sent as an aid in diagnosing datadependent problems.

size

Specifies the size of the ping packets.

source

Specifies the source IP address for the ping command.

tos

Specifies the type of service (TOS) treatment for the packets by way of the TOS bit for the IP header in the ping packet.

ttl

Specifies the time-to-live (TTL) value for the ping packet (IPv6 hop-limit value) (0-255 hops).

verbose

Requests complete details of the ping request.

host

Specifies the host name or IP address of the remote host.

Sample Output The following command checks network connectivity to the host 66.102.7.104, specifying 4 ping packets and complete details of the transmission. username@hostname> ping count 4 verbose 66.102.7.104 PING 66.102.7.104 (66.102.7.104) 56(84) bytes of data. 64 bytes from 66.102.7.104: icmp_seq=0 ttl=243 time=316 64 bytes from 66.102.7.104: icmp_seq=1 ttl=243 time=476 64 bytes from 66.102.7.104: icmp_seq=2 ttl=243 time=376 64 bytes from 66.102.7.104: icmp_seq=3 ttl=243 time=201

ms ms ms ms

--- 66.102.7.104 ping statistics --4 packets transmitted, 4 received, 0% packet loss, time 3023ms rtt min/avg/max/mdev = 201.718/342.816/476.595/99.521 ms, pipe 2 username@hostname>

Palo Alto Networks


ping



Palo Alto Networks

quit

quit Exit the current session for the firewall. Note: The quit command is the same as the exit command.

Syntax quit

Options None

Sample Output N/A


Palo Alto Networks


request certificate

request certificate Generate a self-signed security certificate.

Syntax request certificate [install for-use-by purpose | self-signed option for-use-by purpose]

Options install

Installs the generated certificate.

self-signed

Generates the self-signed certificate.

option

Specifies information to include in the certificate. Multiple options are supported.

purpose

country-code

Two-character code for the country in which the certificate will be used.

email

Email address of the contact person.

locality

City, campus, or other local area.

nbits value

Number of bits in the certificate (512 or 1024).

organization

Organization using the certificate.

organization unit

Department using the certificate.

state

Two-character code for the state or province in which the certificate will be used.

name

IP address or fully qualified domain name (FQDN) to appear on the certificate.

passphrase

Passphrase for encrypting the private key.

Requests the certificate for the specified purpose. panorama-server

Panorama server machine (used by Panorama to communicate with managed devices).

web-interface

Embedded web interface.

Sample Output The following command requests a self-signed certificate for the web interface with length 1024 and IP address 1.1.1.1. username@hostname> request certificate self-signed nbits 1024 name 1.1.1.1 for-use-by web-interface


Palo Alto Networks

request certificate


Palo Alto Networks


request comfort-page

request comfort-page Installs a user-defined comfort page.

Syntax request comfort page install option

Options option

Specifies the type of file to export to the other host. Option

Description

applicationblock-page

Application packet capture file.

file-block-page

File containing comfort pages to be presented when files are blocked.

spyware-blockpage

Comfort page to be presented when files are blocked due to spyware.

url-block-page

Comfort page to be presented when files are blocked due to a blocked URL.

virus-block-page

Comfort page to be presented when files are blocked due to a virus.

The following command installs an application block page. username@hostname> request comfort-page install application-block-page Shared application-block-page installed successfully! username@hostname>



Palo Alto Networks

request content

request content Perform application level upgrade operations.

Syntax request content upgrade [check | download latest | info | install latest]

Options check

Obtain information from the Palo Alto Networks server.

download latest

Download application identification packages.

info

Show information about the available application ID packages.

install latest

Install application identification packages.

Sample Output The following command lists information about the firewall server software. username@hostname> request content upgrade check Version

Size

Released on Downloaded

------------------------------------------------------------------------13-25

10MB 2007/04/19

15:25:02

yes

username@hostname>


Palo Alto Networks


request data-filtering

request data-filtering Assign passwords for data filtering.

Syntax request data-filtering access-password option

Options option

Specifies one of the following options. Option

Description

create password pword

Creates the specified password.

modify oldpassword oldpwd new-password newpwd o

Changes the specified old password to the new password.

delete

Deletes the data filtering password. When this command is issued, the system prompts for confirmation and warns that logged data will be deleted and logging will be stopped.

Sample Output The following command assigns the specified password for data filtering. username@hostname> request data-filtering access-password create password mypwd username@hostname>



Palo Alto Networks

request device-registration

request device-registration Perform device registration.

Syntax request device-registration username user password pwd

Options username user

Specify the user name for device access.

password pwd

Specify the password for device access.

Sample Output The following command registers the device with the specified user name and password. username@hostname> request device-registration username admin password adminpwd username@hostname>


Palo Alto Networks


request high-availability

request high-availability Perform high-availability operations.

Syntax request high-availability option

Options option

Specifies one of the following options. Option

Description

clear-alarm-led

Clears the high-availability alarm LED.

state

Changes the state to operational (functional) or suspended.

sync-to-remote option

Performs synchronization operations: • candidate-config—Synchronize the candidate configuration to peer. • clock—Synchronize the local time and date to the peer. • disk-state—Synchronize required on-disk state to peer. • running-config—Synchronize the running configuration to peer. • runtime-state—Synchronize the runtime synchronization state to peer.

Sample Output The following command sets the high-availability state of the device to the suspended state. username@hostname> request high-availability state suspend username@hostname>



Palo Alto Networks

request license

request license Perform license-related operations.

Syntax request license [fetch [auth-code] | info | install]

Options fetch

Gets a new license key using an authentication code.

info

Displays information about currently owned licenses.

install

Installs a license key.

Sample Output The following command requests a new license key with the authentication code 123456. username@hostname> request fetch auth-code 123456

username@hostname>


Palo Alto Networks


request password-hash

request password-hash Generate a hashed string for the user password.

Syntax request password-hash password pwd

Options pwd

Specify the clear text password that requires the hash string.

Sample Output The following command generates a hash of the specified password. username@hostname> request password-hash password mypassword $1$flhvdype$qupuRAx4SWWuZcjhxn0ED.



Palo Alto Networks

request restart

request restart Restart the system or software modules. CAUTION: Using this command causes the firewall to reboot, resulting in the temporary disruption of network traffic. Unsaved or uncommitted changes will be lost.

Syntax request restart [dataplane | software | system]

Options dataplane

Restarts the dataplane software.

software

Restarts all system software

system

Reboots the system.

Sample Output The following command restarts all the firewall software. username@hostname> request restart software


Palo Alto Networks


request ssl-output-text

request ssl-output-text Install user-defined Secure Socket Layer (SSL) output text.

Syntax request ssl-option-text install

Options None

Sample Output The following command installs SSL output text. username@hostname> request ssl-optout-text install Shared ssl optout text installed successfully!



Palo Alto Networks

request ssl-vpn

request ssl-vpn Forces logout from a Secure Socket Layer (SSL) virtual private network (VPN) session.

Syntax request ssl-vpn client-logout option

Options option

Specify the following required options: • portal—Specify the SSL VPN portal name. • domain—Specify the user’s domain name. • reason force-logout—Specify to indicate that the logout is administrator-initiated. • user—Specify the user name.

Sample Output The following command forces a logout of the specified user. username@hostname> request ssl-vpn client-logout domain paloaltonetworks.com port sslportal user ssmith reason force-logout


Palo Alto Networks


request support

request support Obtain technical support information.

Syntax request support [check | info]

Options check

Get support information from the Palo Alto Networks update server.

info

Show downloaded support information.

Sample Output The following command shows downloaded support information. username@hostname> request support info 0 Support Home https://support.paloaltonetworks.com Manage Cases https://support.paloaltonetworks.com/pa-portal/ index.php?option=com_pan&task=vie wcases&Itemid=100 Download User Identification Agent https://support.paloaltonetworks.com/pa-portal/ index.php?option=com_pan&task=sw_ updates&Itemid=135 866-898-9087 [email protected] November 07, 2009 Standard 10 x 5 phone support; repair and replace hardware service username@hostname>



Palo Alto Networks

request system

request system Download system software or request information about the available software packages.

Syntax request system [factory-reset | software [check | download [file | version] name] | info | install [file | version] name]]

Options check

Gets information from the Palo Alto Networks server.

download

Downloads software packages.

info

Shows information about the available software packages.

install

Downgrades to a downloaded software package.

Sample Output The following command requests information about the software packages that are available for download. username@hostname> request system software info Version Filename Size Released Downloaded ------------------------------------------------------------------------1.0.1 panos.4050-1.0.1.tar.gz 127MB 2007/02/07 00:00:00 no 1.0.2 panos.4050-1.0.2.tar.gz 127MB 2007/02/07 00:00:00 no 1.0.0-20 PANOS-QA-20.tar.gz 122MB 2007/02/13 00:00:00 no 1.0.0-1746 PANOS-DEV-1746.tgz 122MB 2007/02/13 00:00:00 no username@hostname>


Palo Alto Networks


request tech-support

request tech-support Obtain information to assist technical support in troubleshooting.

Syntax request technical support dump

Options None

Sample Output The following command creates a dump for technical support. username@hostname> request tech-support dump Exec job enqueued with jobid 1 1



Palo Alto Networks

request url-filtering

request url-filtering Perform URL filtering operations

Syntax request url-filtering option

Options upgrade

Upgrade to latest version. Optionally specify brightcloud to update the BrightCloud database.

download status

Show status of information download for URL filtering.

Sample Output The following command upgrades the BrightCloud database. username@hostname> request url-filtering upgrade brightcloud


Palo Alto Networks


request vpn-client

request vpn-client Perform VPN client package operations.

Syntax request vpn-client software option

Options check

Obtain information from the Palo Alto Networks server.

download

Download software packages. Specify one of the following: • file—Name of the file containing the software package. • version—Specified software version.

info

Show downloaded support information.

install

Install the software as specified: • file—Name of the file containing the software package. • version—Specified software version.

Sample Output The following command displays information about the available software packages. username@hostname> request vpnclient software info Version Size Released on Downloaded ------------------------------------------------------------------------1.0.0-c54 916KB 2009/03/04 15:04:33 no 1.0.0-c53 916KB 2009/03/04 14:09:17 no 1.0.0-c52 916KB 2009/03/04 11:49:51 no 1.0.0-c51 916KB 2009/03/03 16:45:38 no



Palo Alto Networks

scp

scp Copy files between the firewall and another host. Enables downloading of a customizable HTML replacement message (comfort page) in place of a malware infected file.

Syntax scp export export-option [control-plane | data-plane] to target from source [remote-port portnumber] [source-ip address] scp import import-option [source-ip address] [remote-port portnumber] from source

Options export export- Specifies the type of file to export to the other host. option

Palo Alto Networks

Option

Description

application


captive-portaltext

Text to be included in a captive portal.

configuration

Configuration file.

core-file

Core file.

debug pcap

IKE negotiation packet capture file.

file-block-page


filter

Filter definitions.

log-file

Log files.

log-db

Log database.

packet-log

Logs of packet data.

spyware-blockpage


ssl-optout-text

SSL optout text.

tech-support

Technical support information.

trusted-cacertificate

Certificate Authority (CA) security certificate.

url-block-page


virus-block-page


web-interfacecertificate

Web interface certificate.


scp

import import- Specifies the type of file to import from the other host. option Option Description application


captive-portaltext


configuration

Configuration file.

core-file

Core file.

file-block-page


filter

Filter definitions.

ike-pcapc-file


log-file

Log files.

log-db

Log database.

packet-log


spyware-blockpage


ssl-optout-text

SSL optout text.

tech-support




url-block-page


control-plane

Indicates that the file contains control information.

data-plane

Indicates that the file contains information about data traffic.

remote-port portnumber

Specifies the port number on the remote host.

source-ip address

Specifies the source IP address.

to

Specifies the destination user in the format username@host:path.

from

Specifies the source user in the format username@host:path.

Sample Output The following command imports a license file from a file in user1’s account on the machine with IP address 10.0.3.4. username@hostname> scp import ssl-certificate from [email protected]:/tmp/ certificatefile



Palo Alto Networks

set application

set application Set parameters for system behavior when applications are blocked.

Syntax set application option

Options cache

Enables (yes) or disables (no) the application cache.

dump

Enables (on) or disables (off) the application packet capture. The following options determine the contents of the dump: • application —Specified application. • destination—Destination IP address of the session. • destination-user—Destination user. • destination-port —Destination port. • zone—Specified zone. • protocol—Specified protocol. • limit —Maximum number of sessions to capture. • source—Source IP address for the session. • source-user—Specified source user. • source-port—Specified source port.

dump-unknown

Enables (yes) or disables (no) capture of unknown applications.

heuristics

Enables (yes) or disables (no) heuristics detection for applications.

notify-user

Enables (yes) or disables (no) user notification when an application is blocked.

supernode

Enables (yes) or disables (no) detection of super nodes for peer-topeer applications that have designated supernodes on the Internet.

Sample Output The following command turns packet capture for unknown applications off. username@hostname> set application dump off username@hostname>


Palo Alto Networks


set cli

set cli Set scripting and pager options for the PAN-OS CLI.

Syntax set cli [scripting-mode | pager | timeout [idle idle-value] [session session-value]] off | on

Options scripting-mode

Enables or disables scripting mode.

pager

Enables or disables pages.

timeout

Sets administrative session timeout values.

idle-value

Specifies the idle timeout (0-86400 seconds).

session-value

Specifies the administrative session timeout (0-86400 seconds).

off

Turns the option off.

on

Turns the option on.

Sample Output The following command turns the PAN-OS CLI pager option off. username@hostname> set cli pager off username@hostname>



Palo Alto Networks

set clock

set clock Set the system date and time.

Syntax set clock option

Options date YYYY/MM/DD

Specify the date in yyyy/mm/dd format.

time hh:mm:ss

Specify the time in hh:mm:ss format (hh: 0-23, mm: 0-59, ss: 0-59).

Sample Output The following command sets the system date and time. username@hostname> set clock date 2009/03/20 time 14:32:00 username@hostname>


Palo Alto Networks


set ctd

set ctd Show content-related information on the Content-based Threat Detection (CTD) engine.

Syntax set ctd x-forwarded-for

Options no

Disable parsing of the x-forwarded-for attribute.

yes

Enable parsing of the x-forwarded-for attribute.

Sample Output The following command enables parsing of the attribute. username@hostname> set ctd x-forwarded-for yes username@hostname>



Palo Alto Networks

set data-access-password

set data-access-password Set the access password for the data filtering logs.

Syntax set data-access-password pwd

Options pwd

Specifies the password.

Sample Output The following command sets the password for data filtering logs. username@hostname> set data-access password 12345678 username@hostname>


Palo Alto Networks


set logging

set logging Set logging options for traffic and event logging.

Syntax set logging option value

Options Options default

Restores all log settings to default.

log-suppression

Enables or disables suppression of log information.

max-packet-rate value

Specifies the maximum packet rate (0-5120 KB/s)

max-log-rate value

Specifies the maximum logging rate (0-5120 KB/s)

Note: max-packet-rate and max-log rate both affect the rate at which log messages are forwarded. Generated log messages are kept in priority queues, and the log forwarding engine forwards the generated logs based on the log and packet rates. If the rates are set too low, the queues may build up and eventually drop log messages.

Sample Output The following command sets the logging rate to be a maximum of 1000 KB/second. username@hostname> set logging max-log-rate 1000 Logging rate changed to 1000 KB/s username@hostname>



Palo Alto Networks

set management-server

set management-server Set parameters for the management server, which manages configuration, reports, and authentication for the firewall.

Syntax set management-server option

Options logging option

Sets the following logging options: • import-end—Exit import mode. • import-start—Enter import mode. • off—Disable logging. • on—Allow logging.

unlock

Specifies the serial number or software license key.

Sample Output The following command enables logging on the management server. username@hostname> set management-server logging on username@hostname>


Palo Alto Networks


set multi-vsys

set multi-vsys Enable or disable multiple virtual system functionality on the firewall.

Syntax set multi-vsys

Options on

Enables support for multiple virtual systems.

off

Disables support for multiple virtual systems.

Sample Output The following command enables multiple virtual system functionality on the firewall. username@hostname> set multi-vsys on username@hostname>



Palo Alto Networks

set panorama

set panorama Enable or disable connection between the firewall and Panorama.

Syntax set panorama

Options on

Enables the connection between the firewall and Panorama.

off

Disables the connection between the firewall and Panorama.

Sample Output The following command disables the connection between the firewall and Panorama. username@hostname> set panorama off username@hostname>


Palo Alto Networks


set password

set password Set the firewall password. When you issue this command, the system prompts you to enter the old and new password and to confirm the new password.

Syntax set password

Options None

Sample Output The following example shows how to reset the firewall password. username@hostname> Enter old password Enter new password Confirm password

set password : (enter the old password) : (enter the new password0 : (reenter the new password)

Password changed username@hostname>



Palo Alto Networks

set proxy

set proxy Sets the proxy parameter. The firewall can act as a proxy for the client, as a forward proxy for outbound traffic, and as an inbound proxy for traffic coming to the clients.

Syntax set proxy option

Options answer-timeout

Sets the timeout value for communication with the proxy server (1-86400 seconds).

notify-user

Enables or disables the user notification web page.

skip-proxy

Disables or enable the proxy function.

skip-ssl

Disables or enables Secure Socket Layer (SSL) decryption.

Sample Output The following command disables SSL decryption. username@hostname> set proxy skip-ssl yes username@hostname>


Palo Alto Networks


set serial-number

set serial-number (Panorama™ only) Configure the serial number of the Panorama machine. The serial number must be set for Panorama to connect to the update server.

Syntax set serial-number value

Options value

Specifies the serial number or software license key.

Sample Output The following command sets the Panorama serial number to 123456. username@hostname> set serial-number 123456 username@hostname>



Palo Alto Networks

set session

set session Set parameters for the networking session.

Syntax set session [default | item value]

Options default

Restores all session settings to the default values.

item value

Specifies the debugging target or level.

Palo Alto Networks

Option

Value

Description

acceleratedaging-enable

no | yes

Enables or disables accelerated session aging.

acceleratedaging-scalingfactor

Power of 2

Sets the accelerated session aging scaling factor (power of 2).

acceleratedaging-threshold

Power of 2 (1-100)

Sets the accelerated aging threshold as a percentage of session utilization.

offload

no | yes

Enables or disables hardware session offload. Some firewall models have specialized hardware to manage TCP, UDP, and ICMP sessions. This option command enables or disables this capability. If it is disabled, the sessions are managed by the firewall software.

tcp-reject-nonsyn

no | yes

Rejects non-synchronized TCP packets for session setup.

timeout-default

Number of seconds

Sets the session default timeout value in seconds.

timeout-icmp

1-15999999

Sets the session timeout value for ICMP commands.

timeout-tcp

1-15999999

Sets the session timeout value for TCP commands.

timeout-tcpinit

Number of seconds

Sets the initial TCP timeout value in seconds.

timeout-tcpwait

Number of seconds

Sets the session TCP wait timeout value in seconds.

timeout-udp

1-15999999

Sets the session timeout value for UDP commands.


set session

Sample Output The following command sets the TCP timeout to 1 second. username@hostname> set session timeout-tcpwait 1 username@hostname>



Palo Alto Networks

set shared-policy

set shared-policy Set shared policy management behavior with Panorama.

Syntax set shared-policy option

Options disable

Disables Panorama shared policy management.

enable

Enable Panorama shared policy management.

import-and-disable

Imports and then disallows shared policies.

Sample Output The following command enables shared policies with Panorama. username@hostname> set shared-policy enable username@hostname>


Palo Alto Networks


set ssl-vpn

set ssl-vpn Enable Secure Socket Layer (SSL) virtual private network (VPN) for a specified user.

Syntax set ssl-vpn unlock auth-profile profilename user uname vsys vsysname

Options profilename

Specifies the authentication profile that applies to the user.

uname

Specifies the name of the user.

vsysname

Specifies the name of the target virtual system.

Sample Output The following command applies an authentication profile, user and virtual system for SSLVPN access. username@hostname> set ssl-vpn auth-profile profile_1 user ssmith vsysname vsys_a username@hostname >



Palo Alto Networks

set target-vsys

set target-vsys Sets the target virtual system. Note: When the target virtual system is set, the CLI prompt incorporates the vsys name. In this mode, if any command is executed, it executes for the vsys, if possible. For example, if you use secure copy to import or export a comfort page, the page is imported or exported for the vsys. Commands that are not virtual-system-specific continue to work normally.

Syntax set target-vsys vsys

Options vsys

Specifies the name of the target virtual system.

Sample Output The following command shows information about target virtual systems. username@hostname> set target-vsys vsys1 Session target vsys changed to vsys1 username@hostname vsys1>>


Palo Alto Networks


set ts-agent

set ts-agent Sets the Terminal Services (TS) agent parameters.

Syntax set ts-agent name name ip-address ipaddr port portnum ip-list iplist

Options name

Specifies the user name.

ipaddr

Specifies the IP address of the Windows PC on which the TS agent is installed. You can also specify alternative IP addresses using the ip-list parameter.

portnum

Specifies the port number for communication between the terminal server and the TS agent.

iplist

Specifies 0-8 additional IP addresses for Windows PCs on which the TS agent is installed.

Sample Output The following command sets the TS agent parameters for the user ssmith with the specified port and IP addresses. username@hostname> set ts-agent user ssmith ip-address 192.168.3.4 port 772 ip-list 192.168.5.5 192.168.9.3 username@hostname>



Palo Alto Networks

set url-database

set url-database Set the database for URL resolution in support of URL filtering. The available selections depend on the URL license available on the firewall.

Syntax set url-database dbasename

Options dbasename

Uses a database with the specified name: surfcontrol or brightcloud.

Sample Output The following command switches the database from surfcontrol to brightcloud. admin@PA-4050> set url-database surfcontrol surfcontrol URL database username@hostname> set url-database brightcloud username@hostname>


Palo Alto Networks


set zip

set zip Determines whether zipped files are automatically unzipped and policies are applied to the unzipped contents.

Syntax set zip enable

Options yes

Enables automatic unzipping and inspection of zipped files.

no

Disables automatic unzipping and inspection of zipped files.

Sample Output The following command enables automatic unzipping and inspection of zipped files. username@hostname> set zip enable yes username@hostname>

Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader


Palo Alto Networks

show admins

show admins Display information about the active firewall administrators.

Syntax show admins [all]

Options all

Lists the names of all administrators.

Sample Output The following command displays administrator information for the 10.0.0.32 firewall. username@hostname> show admins | match 10.0.0 Admin From Type Session-start Idle-for -------------------------------------------------------------------------admin 10.0.0.132 Web 02/19 09:33:07 00:00:12s username@hostname>


Palo Alto Networks


show arp

show arp Shows current Address Resolution Protocol (ARP) entries.

Syntax show arp interface

Options interface

Specifies the interface for which the ARP table is displayed. all

Shows information for all ARP tables.

ethernetn/m

Shows information for the specified interface.

loopback

Shows loopback information.

vlan

Shows VLAN information.

Sample Output The following command displays ARP information for the ethernet1/1 interface. username@hostname> show arp ethernet1/1 maximum of entries supported : default timeout: total ARP entries in table : total ARP entries shown : status: s - static, c - complete, i

8192 1800 seconds 0 0 - incomplete

username@hostname>



Palo Alto Networks

show authentication

show authentication Shows authentication information.

Syntax show authentication option

Options interface

Specifies the following authentication information. • allowlist—Shows the authentication allow list. • groupdb—Lists the group authentication databases. • groupnames—Lists the distinct group names.

Sample Output The following command shows the list of users that are allowed to access the firewall. username@hostname> show authentication allowlist vsysname ---------vsys1 vsys1

profilename ----------SSLVPN wtam-SSLVPN

username ---------------------------paloaltonetwork\domain users group1

username@hostname>


Palo Alto Networks


show chassis-ready

show chassis-ready Shows whether the dataplane has a running policy.

Syntax show chassis-ready

Options None

Sample Output The following command shows that the dataplane has a currently running policy. username@hostname> show chassis-ready yes username@hostname>



Palo Alto Networks

show cli

show cli Shows information about the current CLI session.

Syntax show cli info

Options None

Sample Output The following command shows information about the current CLI session. username@hostname> show cli info Process ID : 2045 Pager : enabled Vsys configuration mode : disabled username@hostname>


Palo Alto Networks


show clock

show clock Shows the current time on the firewall.

Syntax show clock

Options None

Sample Output The following command shows the current time. username@hostname> show clock Sun Feb 18 10:49:31 PST 2007 username@hostname>



Palo Alto Networks

show config

show config Shows the active configuration.

Syntax show config

Options None

Sample Output The following command shows the configuration lines that pertain to VLANs. username@hostname> show config | match vlan vlan { vlan; username@hostname>


Palo Alto Networks


show counter

show counter Display system counter information.

Syntax show counter [global | interface]

Options global

Shows global system counter information.

interface

Shows system counter information grouped by interface.

Sample Output The following command displays all configuration counter information grouped according to interface. username@hostname> show counter interface

hardware interface counters: -----------------------------------------------------------------------interface: ethernet1/1 -----------------------------------------------------------------------bytes received 0 bytes transmitted 0 packets received 0 packets transmitted 0 receive errors 0 packets dropped 0 -----------------------------------------------------------------------... username@hostname>



Palo Alto Networks

show ctd

show ctd Show the threat signature information on the system.

Syntax show ctd threat threat_id application appid profile pfid

Options threat_id

Uniquely identifies the threat.

application appid

Shows the action of the threat action in the application.

profile pfid

Identifies the profile.

Sample Output The following command shows an example with the default threat action. username@hostname> show ctd threat 100000 application 109 profile 1 Profile 1 appid 109 , action 0 action 0 means “default” action.

The following command shows an example with the no threat action. admin@PA-HDF> show ctd threat 100000 application 108 profile 1 Profile 1 appid 108 , action ffff action “ffff” means “no” action. username@hostname>


Palo Alto Networks


show device

show device (Panorama only) Show the state of managed devices.

Syntax show device-messages [all | connected]

Options all

Shows information for all managed devices.

connected

Shows information for all connected devices.

Sample Output The following command shows information for connected devices. username@hostname> show devices connected Serial Hostname IP Connected -------------------------------------------------------------------------PA04070001 pan-mgmt2 10.1.7.2 yes last push state: none

username@hostname>

Required Privilege Level superuser, superuser (read only), Panorama admin


Palo Alto Networks

show device-messages

show device-messages (Panorama only) Show information on the policy messages for devices.

Syntax show device-messages [device] [group]

Options device

Shows the messages only for the specified device.

group

Shows the messages only for the specified device group.

Sample Output The following command shows the device messages for the device pan-mgmt2 and the group dg1. username@hostname> show device-messages device pan-mgmt2 group dg1 username@hostname>


Palo Alto Networks


show devicegroups

show devicegroups (Panorama only) Show information on device groups.

Syntax show devicegroups [name]

Options name

Shows the information only for the specified device group.

Sample Output The following command shows information for the device group dg1. username@hostname> show devicegroups dg1 ========================================================================== Group: dg3 Shared policy md5sum:dfc61be308c23e54e5cde039689e9d46 Serial Hostname IP Connected -------------------------------------------------------------------------PA04070001 pan-mgmt2 10.1.7.2 yes last push state: push succeeded vsys3 shared policy md5sum:dfc61be308c23e54e5cde039689e9d46(In Sync) username@hostname>



Palo Alto Networks

show dhcp

show dhcp Show information on Dynamic Host Control Protocol (DHCP) leases.

Syntax show dhcp lease

Options value

Identifies the interface (ethernetn/m)

all

Shows all the lease information.

Sample Output The following command shows all lease information. username@hostname> show dhcp all interface: ethernet1/9 ip mac expire 66.66.66.1 00:15:c5:60:a5:b0 Tue Mar 11 16:12:09 2008 66.66.66.2 00:15:c5:e1:0d:b0 Tue Mar 11 16:08:01 2008 username@hostname>


Palo Alto Networks


show high-availability

show high-availability Show runtime information for the high-availability subsystem.

Syntax show high-availability [all | control-link statistics| linkmonitoring | path-monitoring | state | state-synchronization]

Options all

Shows all high-availability information.

control-link statistics

Shows control-link statistic information.

link-monitoring

Shows the link-monitoring state.

path-monitoring

Shows path-monitoring statistics.

state

Shows high-availability state information.

statesynchronization

Shows state synchronization statistics.

Sample Output The following command information for the high-availability subsystem. username@hostname> show high-availability path-monitoring ---------------------------------------------------------------------------path monitoring: disabled total paths monitored: 0 ---------------------------------------------------------------------------username@hostname>



Palo Alto Networks

show interface

show interface Display information about system interfaces.

Syntax show interface interface

Options element

Specifies the interface. all

Shows information for all ARP tables.

ethernetn/m

Shows information for the specified interface.

hardware

Shows hardware information.

logical

Shows logical interface information.

loopback

Shows loopback information.

vlan

Shows VLAN information.

Sample Output The following command displays information about the ethernet1/2 interface. username@hostname> show interface ethernet1/2 ---------------------------------------------------------------------------Name: ethernet1/2, ID: 17 Link status: Runtime link speed/duplex/state: auto/auto/auto Configured link speed/duplex/state: auto/auto/auto MAC address: Port MAC address 0:f:b7:20:2:11 Operation mode: virtual-wire ---------------------------------------------------------------------------Name: ethernet1/2, ID: 17 Operation mode: virtual-wire Virtual wire: default-vwire, peer interface: ethernet1/1 Interface management profile: N/A Zone: trust, virtual system: (null) username@hostname>


Palo Alto Networks


show jobs

show jobs Display information about current system processes.

Syntax show jobs [all | id number | pending | processed]

Options all

Shows information for all jobs.

id number

Identifies the process by number.

pending

Shows recent jobs that are waiting to be executed.

processed

Shows recent jobs that have been processed.

Sample Output The following command lists jobs that have been processed in the current session. username@hostname> show jobs processed Enqueued ID Type Status Result Completed -------------------------------------------------------------------------2007/02/18 09:34:39 2 AutoCom FIN OK 2007/02/18 09:34:40 2007/02/18 09:33:00 1 AutoCom FIN FAIL 2007/02/18 09:33:54 username@hostname>



Palo Alto Networks

show local-user-db

show local-user-db Display information about the local user database on the firewall.

Syntax show local-user-db [disabled ] [username user] [vsys vsysname]

Options disabled

Filters the information according to whether the user accounts are enabled or disabled: • yes—Displays users that are administratively disabled. • no—Displays users that are administratively active.

username user

Shows information for the specified user.

vsys vsysname

Shows information for the specified virtual system.

Sample Output The following command lists the local user database. username@hostname> show local-user-db Vsys

User

vsys1 vsys1

user1 user2

Disabled no no

username@hostname>


Palo Alto Networks


show location

show location Show the geographic location of a firewall.

Syntax show location ip address

Options address

Specifies the IP address of the firewall.

Sample Output The following command shows location information for the firewall 10.1.1.1. username@hostname> show location ip 10.1.1.1 show location ip 201.52.0.0 201.52.0.0 Brazil username@hostname>



Palo Alto Networks

show log

show log Display system logs.

Syntax show log [threat | config | system | traffic] [equal | not-equal] option value

Options threat

Displays threat logs.

config

Displays configuration logs.

system

Displays system logs.

traffic

Displays traffic logs.

option value

Restricts the output (the available options depend upon the keyword used in the command (threat, config, system, traffic). Option

Description

action

Type of alarm action (alert, allow, or drop)

app

Application.

client

Type of client (CLI or web).

command

Command.

dport

Destination port.

dst

Destination IP address.

from

Source zone.

receivetime in

Time interval in which the information was received.

result

Result of the action (failed, succeeded, or unauthorized).

rule

Rule name.

severity

Level of importance (critical, high, medium, low, informational)

sport

Source port.

src

Source IP address.

to

Destination zone.

greater-thanor-equal

Indicates that the option is equal to the specified value.

less-than-orequal

Indicates that the option is not equal to the specified value.

equal

Indicates that the option is equal to the specified value.

not-equal

Indicates that the option is not equal to the specified value.

Palo Alto Networks


show log

Sample Output The following command shows the configuration log. username@hostname> show log config Time Host Command Admin Client Result ============================================================================ === 03/05 22:04:16 10.0.0.135 edit admin Web Succeeded 03/05 22:03:22 10.0.0.135 edit admin Web Succeeded 03/05 22:03:22 10.0.0.135 create admin Web Succeeded 03/05 21:56:58 10.0.0.135 edit admin Web Succeeded ... username@hostname>



Palo Alto Networks

show logging

show logging Show whether logging is enabled.

Syntax show logging

Options None

Sample Output The following command shows that logging is enabled. username@hostname> show logging on username@hostname>


Palo Alto Networks


show mac

show mac Display MAC address information.

Syntax show mac [value | all]

Options value

Specifies a MAC address (aa:bb:cc:dd:ee:ff format).

all

MAC address (aa:bb:cc:dd:ee:ff format).

Sample Output The following command lists all currently MAC address information. username@hostname> show mac all maximum of entries supported : 8192 default timeout : 1800 seconds total MAC entries in table : 4 total MAC entries shown : 4 status: s - static, c - complete, i - incomplete vlan hw address interface status ttl --------------------------------------------------------------------------Vlan56 0:0:1:0:0:3 ethernet1/5 c 1087 Vlan56 0:0:1:0:0:4 ethernet1/6 c 1087 Vlan11-12 0:0:1:0:0:9 ethernet1/12 c 487 Vlan11-12 0:0:1:0:0:10 ethernet1/11 c 487 username@hostname>



Palo Alto Networks

show management-clients

show management-clients Show information about internal management server clients.

Syntax show management-clients

Options None

Sample Output The following command shows information about the internal management server clients. username@hostname> show management-clients Client PRI State Progress ------------------------------------------------------------------------routed 30 P2-ok 100 device 20 P2-ok 100 ikemgr 10 P2-ok 100 keymgr 10 init 0 (op cmds only) dhcpd 10 P2-ok 100 ha_agent 10 P2-ok 100 npagent 10 P2-ok 100 exampled 10 init 0 (op cmds only) Overall status: P2-ok. Progress: 0 Warnings: Errors:


Palo Alto Networks


show multi-vsys

show multi-vsys Show if multiple virtual system mode is set.

Syntax show multi-vsys

Options None

Sample Output The following command shows the current status of multiple virtual systems. username@hostname> show multi-vsys on username@hostname>



Palo Alto Networks

show pan-agent

show pan-agent Show statistics or user information for the Palo Alto Networks agent.

Syntax show pan-agent

Options statistics

Displays full information about the Palo Alto Networks agent.

user-IDs

Displays user information for the Palo Alto Networks agent.

Sample Output The following command shows information about the Palo Alto Networks agent. username@hostname> show pan-agent statistics IP Address Port Vsys State Users Grps IPs Recei ved Pkts ---------------------------------------------------------------------------10.0.0.100 2011 vsys1 connected, ok 134 77 95 5757 10.1.200.22 2009 vsys1 connected, ok 5 864 2 1097


Palo Alto Networks


show pan-ntlm-agent

show pan-ntlm-agent Display status information about the Palo Alto Networks user identification agent for NT LAN Manager (NTLM). The firewall uses the user identification agent to provide Microsoft NTLM authentication for the captive portal.

Syntax show pan-ntlm-agent statistics

Options None

Sample Output The following command displays information about the NTLM agent. username@hostname> show pan-ntlm-agent statistics IP Address Port Vsys State ---------------------------------------------------10.16.3.249 2010 vsys1 trying to connect username@hostname>



Palo Alto Networks

show proxy

show proxy Displays information about the proxy that is used for the Secure Socket Layer (SSL) decryption function.

Syntax show [certificate-cache | notify-cache | setting]

Options certificate-cache

Displays the proxy certificate cache.

notify-cache

Displays the proxy notification cache.

setting

Displays the current proxy settings.

Sample Output The following command shows the current proxy settings. username@hostname> show proxy setting Ready: Enable proxy: Enable ssl: Notify user:

no yes yes yes

username@hostname>


Palo Alto Networks


show query

show query Show information about query jobs.

Syntax show query

Options jobs

Displays all job information.

id value

Displays job information for the specified ID.

Sample Output The following command shows information about all current query jobs. username@hostname> show query jobs Enqueued ID Last Upd -------------------------------------------------------------------------13:58:19 16 13:58:19 Type ID Dequeued? -----------------------------------------------------



Palo Alto Networks

show report

show report Displays information about process jobs.

Syntax show [id number | jobs]

Options id number

Displays information about the job with the specified ID number.

jobs

Displays information on all jobs.

Sample Output The following command shows the current jobs. username@hostname> show report jobs Enqueued ID Last Updated dev/skip/req/resp/proc -------------------------------------------------------------------------username@hostname> username@hostname>


Palo Alto Networks


show routing

show routing Display routing run-time objects.

Syntax show routing fib [virtual-router name] show routing protocol [virtual-router name] ospf show routing protocol [virtual-router name] redist show routing protocol [virtual-router name] rip show routing resource show routing route [destination ip/netmask][interface interfacename] [nexthop ip/netmask][type ] [virtual-router name] show routing summary

Options fib

Shows forwarding table entries. Specify an individual virtual router or all.

protocol ospf

Shows OSPF information. Specify one of the following (virtual router is optional).

protocol redist


area

Show OSPF area status.

dumplsdb

Shows the OSPF LS database details.

interface

Shows OSPF interface status.

lsdb

Shows the LS database status.

neighbor

Shows neighbor status.

summary

Shows OSPF summary status.

virt-link

Shows status of virtual links.

virt-neighbor

Shows OSPF virtual neighbor status.

Shows redistribution rule entries. Specify one of the following (virtual router is optional). ospf

Shows OSPF rules

rip

Shows RIP rules.

all

Shows all redistribution rules.

Palo Alto Networks

show routing

protocol rip

Shows RIP information. Specify one of the following options (virtual router is optional). database

Shows RIP route database.

interface

Shows RIP interface status.

peer

Shows RIP peer status.

summary

Shows the RIP summary information.

resources

Shows resource usage.

route

Shows route entries. Optionally specify any of the following options.

summary

destination

Restricts the result to a specified subnet (IP address/mask).

interface

Restricts the result to a specified network interface.

nexthop

Restricts the result to a the next hop from the firewall (IP address/mask).

type

Restricts the result according to type of route: connect and host routes, ospf, rip, or static.

virtual-router

Restrict the result to a specified virtual router.

Shows summary information.

Sample Output The following command shows summary routing information for the virtual router vrl. username@hostname> show routing summary virtual-router vr1 VIRTUAL ROUTER: vr1 (id 1) ========== OSPF area id: 0.0.0.0 interface: 192.168.6.254 interface: 200.1.1.2 dynamic neighbors: IP 200.1.1.1 ID 200.1.1.1 area id: 1.1.1.1 interface: 1.1.1.1 interface: 1.1.2.1 interface: 1.1.3.1 interface: 2.1.1.1 static neighbor: IP 65.54.5.33 ID *down* static neighbor: IP 65.54.77.88 ID *down* interface: 22.22.22.22 interface: 35.1.15.40 interface: 192.168.7.254 dynamic neighbors: IP 35.1.15.1 ID 35.35.35.35 ========== RIP interface: 2.1.1.1

Palo Alto Networks


show routing

interface: interface: interface: interface: ========== INTERFACE ========== interface name: interface index: virtual router: operation status: IPv4 address: IPv4 address: ========== interface name: interface index: virtual router: operation status: IPv4 address: ========== interface name: interface index: virtual router: operation status: IPv4 address: IPv4 address: IPv4 address: ========== interface name: interface index: virtual router: operation status: IPv4 address: ========== interface name: interface index: virtual router: operation status: IPv4 address: ========== interface name: interface index: virtual router: operation status: IPv4 address:

22.22.22.22 35.1.15.40 192.168.6.254 200.1.1.2

ethernet1/1 16 vr1 up 22.22.22.22/24 35.1.15.40/24 ethernet1/3 18 vr1 up 200.1.1.2/24 ethernet1/7 22 vr1 up 1.1.1.1/24 1.1.2.1/24 1.1.3.1/24 ethernet1/15 30 vr1 up 192.168.6.254/24 ethernet1/16 31 vr1 up 192.168.7.254/24 ethernet1/18 33 vr1 down 2.1.1.1/24

username@hostname>


Palo Alto Networks

show routing

The following command shows dynamic routing protocol information for RIP. username@hostname> show routing protocol rip summary ========== virtual router: reject default route: interval seconds: update intervals: expire intervals: delete intervals: interface: interface: interface: interface: interface: ========== virtual router: reject default route: interval seconds: update intervals: expire intervals: delete intervals: interface: interface: interface:

vr1 yes 1 30 180 120 2.1.1.1 22.22.22.22 35.1.15.40 192.168.6.254 200.1.1.2 newr yes 1 30 180 120 0.0.0.0 30.30.30.31 151.152.153.154


Palo Alto Networks


show session

show session Show session information.

Syntax show session [all | info] [filter [application appname][destination destname][destination-port destport][destination-user destuser][from zone zonename][limit value][protocol protnumber][source-port sourcename][source-user sourceuser][state state]] [type type]]

Options all

Displays all active sessions.

info

Displays session statistics.

application appname

Specifies the application.

destination destname

Specifies the destination IP address.

destination-port destport

Specifies the destination port.

destination-user destuser

Specifies the destination user name.

from

Specifies the source.

protocol protname

Specifies the protocol.

source sourcename

Specifies the sourced IP address.

source-port sourceport

Specifies the source port.

source-user sourceuser

Specifies the source user name.

state state

Specifies the condition for the filter (active, closed, closing, discard, initial, or opening).

to

Specifies the destination.

type type

Specifies the flow type (regular or predict).

Sample Output The following command displays summary statistics about current sessions. username@hostname> show session info ------------------------------------------------------------------------number of sessions supported: 2097151 number of active sessions: 8 session table utilization: 0% number of sessions created since system bootup: 21


Palo Alto Networks

show session

--------------------------------------------------------------------------session timeout TCP default timeout: 3600 seconds TCP session timeout after FIN/RST: 5 seconds UDP default timeout: 600 seconds ICMP default timeout: 6 seconds other IP default timeout: 1800 seconds ---------------------------------------------------------------------------session accelerated aging: enabled accelerated aging threshold: 80% of utilization scaling factor: 2 X --------------------------------------------------------------------------session setup TCP - reject non-SYN first packet: yes ---------------------------------------------------------------------------

The following command lists all current sessions. username@hostname> show session all number of sessions: 8 ID/vsys src[sport]/zone/proto dest[dport]/zone state type 19 192.168.10.199[2219]/1/6 10.10.10.10[6667]/2 ACTIVE FLOW 20 192.168.10.191[4069]/1/6 192.168.10.199[139]/2 DISCARD FLOW 22 192.168.10.199[2261]/1/6 10.10.10.10[6667]/2 ACTIVE FLOW 4 192.168.10.191[138]/1/17 192.168.10.255[138]/2 ACTIVE FLOW 6 192.168.10.199[138]/1/17 192.168.10.255[138]/2 ACTIVE FLOW 21 192.168.10.199[1025]/1/17 4.2.2.1[53]/2 CLOSING FLOW 9 192.168.10.199[2187]/1/6 10.10.10.10[6667]/2 ACTIVE FLOW 13 192.168.10.199[2195]/1/6 10.10.10.10[6667]/2 ACTIVE FLOW

app. 0 ms-ds-smb 0 netbios-dg netbios-dg dns 0 0


Palo Alto Networks


show shared-policy

show shared-policy Show the current shared policy status.

Syntax show shared-policy

Options None

Sample Output The following command displays the current shared policy status. username@hostname> show shared-policy disabled username@hostname>



Palo Alto Networks

show ssl-vpn

show ssl-vpn Show Secure Socket Layer (SSL) virtual private network (VPN) runtime objects.

Syntax show ssl-vpn option

Options flow

Displays dataplane SSL-VPN tunnel information.

portal

Displays the SSL-VPN configuration.

user uname domain domname portal portalname

Specifies the user, domain, and portal.

Sample Output The following command displays information on SSL-VPN tunnels. username@hostname> show ssl-vpn flow ---------------------------------------------------------------------------total tunnels configured:

10

filter - type SSL-VPN, state any total SSL-VPN tunnel configured:

2

total SSL-VPN tunnel shown:

2

name

id

local-i/f

local-ip

tunnel-i/f

---------------------------------------------------------------------------s1 2 tunnel.7 10.1.6.105 tunnel.7 rad 11 tunnel.8 10.1.6.106 tunnel.8 --------------------------------------------------------------------------username@hostname>


Palo Alto Networks


show statistics

show statistics Show firewall statistics.

Syntax show statistics

Options None

Sample Output The following command displays firewall statistics. username@hostname> show statistics TASK PID N_PACKETS CONTINUE ERROR DROP BYPASS TERMINATE 0 0 0 0 0 0 0 0 1 806 6180587 6179536 39 0 0 1012 2 807 39312 37511 0 0 0 1801 3 808 176054840 173273080 2289 2777524 0 1947 4 809 112733251 111536151 1744 1194906 0 450 5 810 66052142 65225559 1271 825010 0 302 6 811 49682445 49028991 909 652227 0 318 7 812 43618777 43030638 712 587129 0 298 8 813 41255949 40706957 708 548031 0 253 9 814 42570163 42010404 714 558773 0 272 10 815 7332493 7332494 0 0 0 0 11 816 19620028 19620028 0 0 0 0 12 817 12335557 12335557 0 0 0 0 13 818 0 0 0 0 0 0 14 819 6105056 6105056 0 0 0 0 task 1(pid: 806) flow_mgmt task 2(pid: 807) flow_ctrl flow_host task 3(pid: 808) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 4(pid: 809) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 5(pid: 810) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 6(pid: 811) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 7(pid: 812) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 8(pid: 813) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 9(pid: 814) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 10(pid: 815) appid_result task 11(pid: 816) ctd_nac ctd_token ctd_detector task 12(pid: 817) ctd_nac ctd_token ctd_detector task 13(pid: 818) proxy_packet task 14(pid: 819) pktlog_forwarding


Palo Alto Networks

show statistics


Palo Alto Networks


show system

show system Show system information.

Syntax show system type

Options type

Specifies the type of system information to be displayed. info

Shows network address and security information.

services

Shows the current system services and whether they are running.

software status

Shows software version information.

state [browser | filter | value]

Shows the system tree. The browser displays the information in a text-mode browser. The filter option allows you to limit the information that is displayed. The * wildcard can be used.

statistics

Shows device, packet rate, throughput, and session information. Enter q to quit or h to get help.

Sample Output The following command displays system information. username@hostname> show system info hostname: mgmt-device ip-address: 10.1.7.1 netmask: 255.255.0.0 default-gateway: 10.1.0.1 radius-server: 127.0.0.1 radius-secret: xxxxxxxx


Palo Alto Networks

show system

The following command displays the system tree entries that begin with the string cfg.env.slot1. username@hostname> show system state filter cfg.env.slot1* cfg.env.slot1.power0.high-limit: “1.26” cfg.env.slot1.power0.low-limit: “1.0” cfg.env.slot1.power1.high-limit: “1.26” cfg.env.slot1.power1.low-limit: “1.14” cfg.env.slot1.power2.high-limit: “1.575” cfg.env.slot1.power2.low-limit: “1.425” cfg.env.slot1.power3.high-limit: “1.89” cfg.env.slot1.power3.low-limit: “1.71” ...


Palo Alto Networks


show target-vsys

show target-vsys Show information about the target virtual systems.

Syntax show target-vsys

Options None

Sample Output The following command shows information about target virtual systems. username@hostname> show target-vsys vsys1 username@hostname>



Palo Alto Networks

show threat

show threat Show threat ID descriptions.

Syntax show threat id value

Options value

Specifies the threat ID.

Sample Output The following command shows threat ID descriptions for ID 11172. username@hostname> show threat id 11172 This signature detects the runtime behavior of the spyware MiniBug. MiniBug, also known as Weatherbug, installs other spyware, such as WeatherBug, and My Web Search Bar. It is also adware program that displays advertisements in its application window. medium http://www.spywareguide.com/product_show.php?id=2178 http://www.spyany.com/program/article_spw_rm_Minibug.htm username@hostname>


Palo Alto Networks


show ts-agent

show ts-agent Show information about the Terminal Services agent (TS agent).

Syntax show ts-agent option

Options statistics

Displays information about the TS agent configuration.

user-IDs

Displays information about the users who are connected through the TS agent.

Sample Output The following command displays information about the users who are connecting through the TS agent. username@hostname> show ts-agent statistics IP Address Port Vsys State Users ------------------------------------------------------------10.1.200.1 5009 vsys1 connected 8 10.16.3.249 5009 vsys1 connected 10 username@hostname>



Palo Alto Networks

show url-database

show url-database Displays the name of the database that is being used for URL filtering.

Syntax show url-database

Options None

Sample Output The following command displays the name of the URL database. admin@PA-HDF> show url-database brightcloud admin@PA-HDF>


Palo Alto Networks


show virtual-wire

show virtual-wire Show information about virtual wire interfaces.

Syntax show virtual-wire [value | all]

Options value

Specifies a virtual wire interface.

all

Shows information for all virtual wire interfaces.

Sample Output The following command displays information for the default virtual wire interface. username@hostname> show virtual-wire default-vwire

total virtual-wire shown :

1

name interface1 interface2 -----------------------------------------------------------------------------default-vwire ethernet1/1 ethernet1/2 username@hostname>



Palo Alto Networks

show vlan

show vlan Show VLAN information.

Syntax show vlan [value | all]

Options value

Specifies a virtual wire interface.

all

Shows information for all virtual wire interfaces.

Sample Output The following command displays information for all VLANs. username@hostname> show vlan all vlan { Vlan56 { interface [ stp { enabled } rstp { enabled } } Vlan11-12 { interface [ stp { enabled } rstp { enabled } } }

ethernet1/5 ethernet1/6 ]; no;

no;

ethernet1/11 ethernet1/12 ]; no;

no;

username@hostname>


Palo Alto Networks


show vpn

show vpn Show VPN information.

Syntax show show show show show

vpn vpn vpn vpn vpn

flow [tunnel-id tunnelid] gateway [gateway gatewayid] ike-sa [gateway gatewayid] ipsec-sa [tunnel tunnelid] tunnel [name tunnelid]

Options flow

Shows information about the VPN tunnel on the data plane. Specify the tunnel or press Enter to apply to all tunnels.

gateway

Shows IKE gateway information. Specify the gateway or press Enter to apply to all gateways.

ike-sa

Shows information about the active IKE SA. Specify the gateway or press Enter to apply to all gateways.

ipsec-sa

Shows information about IPsec SA tunnels. Specify the tunnel or press Enter to apply to all tunnels.

tunnel

Shows information about auto-key IPSec tunnels. Specify the tunnel or press Enter to apply to all tunnels.

name

Shows information about the VPN tunnel. Specify the tunnel or press Enter to apply to all tunnels.

Sample Output The following command shows VPN information for the auto key IPsec tunnel k1. username@hostname> show vpn tunnel name k1 TnID Name(Gateway) Local Proxy ID Local Proxy ID Proposals ------------------------------------------7 pan5gt(pan-5gt) 0.0.0.0/0 0.0.0.0/0 ESP tunl [DH2][AES128,3DES][SHA1] 90-sec Total 1 tunnels found, 0 ipsec sa found, 0 error username@hostname>

The following command shows VPN information for the IKE gateway g2. username@hostname> show vpn tunnel name g2 GwID Name Peer Address/ID Local Address/ID ---- --------------------------------3 falcon-kestrel 35.1.15.1 35.1.15.40 [PSK][DH2][AES128,3DES][SHA1] 28800-sec

Protocol Proposals ---------------Auto(main)

Total 1 gateways found, 0 ike sa found, 0 error. username@hostname>


Palo Alto Networks

show vpn


Palo Alto Networks


show zip

show zip Shows whether ability to unzip a file and apply the policy on the uncompressed content is enabled. The default is enable.

Syntax show zip setting

Options None

Sample Output The following command shows that the unzip option is enabled. username@hostname> show zip setting zip engine is enabled username@hostname>



Palo Alto Networks

show zone-protection

show zone-protection Shows the running configuration status and run time statistics for zone protection elements.

Syntax show zone-protection [zone zonename]

Options zonename

Specifies the name of a zone.

Sample Output The following command shows statistics for the trust zone. username@hostname> show zone-protection zone trust --------------------------------------------------------------------------Zone trust, vsys vsys1, profile custom-zone-protection ---------------------------------------------------------------------------tcp-syn enabled: no ---------------------------------------------------------------------------udp RED enabled: no ---------------------------------------------------------------------------icmp RED enabled: no ---------------------------------------------------------------------------other-ip RED enabled: no ---------------------------------------------------------------------------packet filter: discard-ip-spoof: enabled: no discard-ip-frag: enabled: no discard-icmp-ping-zero-id: enabled: no discard-icmp-frag: enabled: no discard-icmp-large-packet: enabled: no reply-icmp-timeexceeded: enabled: no username@hostname>


Palo Alto Networks


ssh

ssh Open a secure shell (SSH) connection to another host.

Syntax ssh [inet] [port number] [source address] [v1 | v2] [user@]host

Options inet

Specifies that IP version 4 be used.

port

Specifies a port on the other host. (default 22)

source

Specifies a source IP address.

version

Specifies SSH version 1 or 2 (default is version 2)

user@

Specifies a user name on the other host.

host

Specifies the IP address of the other host.

Sample Output The following command opens an SSH connection to host 10.0.0.250 using SSH version 2. username@hostname> ssh v2 [email protected] [email protected]'s password: #



Palo Alto Networks

tail

tail Print the last 10 lines of a debug file.

Syntax tail [follow] [lines] file

Options follow

Adds appended data as the file grows.

lines

Lists the last N lines, instead of the last 10.

file

Specifies the debug file.

Sample Output The following command displays the last 10 lines of the /var/log/pan/masterd.log file. username@hostname> tail /var/log/pan/masterd.log [09:32:46] Successfully started process 'mgmtsrvr' instance '1' [09:32:47] Successfully started process 'appWeb' instance '1' [09:32:47] Started group 'pan' start script 'octeon' with options 'start' [09:32:48] Process 'appWeb' instance '1' exited normally with status '7' [09:32:48] Process 'appWeb' instance '1' has no further exit rules [09:32:53] Successfully started process 'pan-ez-agent' instance '1' [09:32:53] Process 'pan-ez-agent' instance '1' exited normally with status '0' [09:32:53] Process 'pan-ez-agent' instance '1' has no further exit rules [09:32:54] Successfully started process 'pan_netconfig_agent' instance '1' [09:32:54] Finished initial start of all processes username@hostname>


Palo Alto Networks


telnet

telnet Open a Telnet session to another host.

Syntax telnet [8bit] [port] host

Options 8bit

Indicates that 8-bit data will be used.

port

Specifies the port number for the other host.

host

Specifies the IP address of the other host.

Sample Output The following command opens a Telnet session to the host 1.2.5.5 using 8-bit data. username@hostname> telnet 8bit 1.2.5.5



Palo Alto Networks

test

test Run tests based on installed security policies.

Syntax test nat policy-match source src-ip destination dst-ip destination-port port protocol protocol from zone1 to zone2 test nat policy-match application name source src-ip destination dst-ip destination-port port protocol protocol from zone1 to zone2 test routing fib-lookup ip ipaddress virtual router virtualrouterid test vpn flow [ike-sa [gateway gatewayid] | ipsec-sa [tunnel tunnelid]>

Options name

Specifies the name of an application. Enter any to include all applications.

src-ip

Specifies the source IP address for the test.

dst-ip

Specifies the destination IP address for the test.

port

Specifies the destination port for the test.

zone1

Specifies the source security zone.

zone2

Specifies the destination security zone.

fib-lookup

Specifies the route to test within the active routing table. Specify an IP address and virtual router.

ike-sa

Performs the tests only for the negotiated IKE SA. Specify a gateway or press Enter to run the test for all gateways.

ipsec-sa

Performs the tests for IPsec SA (and IKE SA if necessary). Specify a tunnel or press Enter to run the test for all tunnels.

Sample Output The following command tests whether the set of criteria will match any of the existing rules in the security rule base. username@hostname> test security-policy-match from trust to untrust application google-talk source 10.0.0.1 destination 192.168.0.1 protocol 6 destination-port 80 source-user known-user Matched rule: 'rule1' action: allow username@hostname>


Palo Alto Networks


tftp

tftp Use Trivial File Transfer Protocol (TFTP) to copy files between the firewall and another host.

Syntax tftp [export export-option [control-plane | data-plane] to target | import import-option] [remote-port portnumber] [from source]

Options export export- Specifies the type of file to export to the other host. option Option

Description

application


captive-portaltext


configuration

Configuration file.

core-file

Core file.

debug-pcap


file-block-page


filter

Filter definitions.

log-file

Log files.

log-db

Log database.

packet-log


spyware-blockpage


ssl-optout-text

SSL optout text.

tech-support




url-block-page


virus-block-page



Web interface certificate


Palo Alto Networks

tftp

import import- Specifies the type of file to import from the other host. option Option Description captive-portal-text


configuration

Configuration file.

content

Database content.

file-block-page


license

License key file.

private-key

SSL private key file.

software

Software package.

spyware-block-page


ssl-decryptioncertificate

SSL decryption certificate.

ssl-optout-text

SSL optout text.



url-block-page


virus-block-page



Web interface certificate

control-plane

Indicates that the file contains control information.

data-plane

Indicates that the file contains information about data traffic.

port-number

Specifies the port number on the remote host.

target

Specifies the destination in the format username@host:path.

source

Specifies the file to be copied in the format username@host:path.

The following command imports a license file from a file in user1’s account on the machine with IP address 10.0.3.4. username@hostname> tftp import ssl-certificate from [email protected]:/tmp/ certificatefile


Palo Alto Networks


traceroute

traceroute Display information about the route packet taken to another host.

Syntax traceroute [base-udp-port port][bypass-routing][debug-socket][do-notfragment][first-ttl ttl][gateway][icmp-echo][max-ttl ttl][noresolve][pause][source ip][toggle-ip-checksums][tos][verbose][wait] host

Options base-udp-port port

Specifies the base UDP port used in probes (default is 33434).

bypass-routing

Sends the request directly to the host on a direct attached network, bypassing usual routing table.

debug-socket

Enables socket level debugging.

do-not-fragment

Sets the do-not-fragment bit.

first-ttl ttl

Sets the time-to-live in the first outgoing probe packet in number of hops.

gateway

Specifies a loose source router gateway (maximum 8).

icmp-echo

Uses ICMP ECHO requests instead of UDP datagrams.

max-ttl ttl

Sets the maximum time-to-live in number of hops.

no-resolve

Does not attempt to print resolved domain names.

pause

Sets the time to pause between probes (milliseconds).

source ip

Specifies the source IP address for the command.

toggle-ipchecksums

Toggles the IP checksum of the outgoing packets for the traceroute command.

tos

Specifies the type of service (TOS) treatment for the packets by way of the TOS bit for the IP header in the ping packet (0-255).

verbose

Requests complete details of the traceroute request.

wait

Specifies a delay in transmission of the traceroute request (seconds).

host

Specifies the IP address or domain name of the other host.


Palo Alto Networks

traceroute

Sample Output The following command displays information about the route from the firewall to www.google.com. username@hostname> traceroute www.paloaltonetworks.com traceroute to www.paloaltonetworks.com (72.32.199.53), 30 hops max, 38 byte packets 1 10.1.0.1 (10.1.0.1) 0.399 ms 1.288 ms 0.437 ms 2 64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.910 ms dsl027-186189.sfo1.dsl.speakeasy.net (216.27.186.189) 1.012 ms 64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.865 ms 3 dsl027-182-001.sfo1.dsl.speakeasy.net (216.27.182.1) 16.768 ms 581.420 ms 64.3.142.37.ptr.us.xo.net (64.3.142.37) 219.190 ms 4 ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21) 228.551 ms 110.ge-0-00.cr1.sfo1.speakeasy.net (69.17.83.189) 12.352 ms ge5-0-0.mar2.fremontca.us.xo.net (207.88.80.21) 218.547 ms 5 ge-5-3-0.mpr3.pao1.us.above.net (209.249.11.177) 13.212 ms p4-00.rar2.sanjose-ca.us.xo.net (65.106.5.137) 273.935 ms 221.313 ms 6 p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178) 139.212 ms so-1-21.mpr1.sjc2.us.above.net (64.125.28.141) 13.348 ms p1-0.ir1.paloaltoca.us.xo.net (65.106.5.178) 92.795 ms 7 so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246) 12.069 ms 206.111.12.146.ptr.us.xo.net (206.111.12.146) 93.278 ms so-0-00.mpr2.sjc2.us.above.net (64.125.27.246) 556.033 ms 8 tbr1p013201.sffca.ip.att.net (12.123.13.66) 52.726 ms so-3-20.cr1.dfw2.us.above.net (64.125.29.54) 61.875 ms tbr1p013201.sffca.ip.att.net (12.123.13.66) 58.462 ms MPLS Label=32537 CoS=0 TTL=1 S=1 9 64.124.12.6.available.above.net (64.124.12.6) 74.828 ms tbr1cl3.la2ca.ip.att.net (12.122.10.26) 62.533 ms 64.124.12.6.available.above.net (64.124.12.6) 60.537 ms 10 tbr1cl20.dlstx.ip.att.net (12.122.10.49) 60.617 ms vlan901.core1.dfw1.rackspace.com (72.3.128.21) 59.881 ms 60.429 ms 11 gar1p360.dlrtx.ip.att.net (12.123.16.169) 108.713 ms aggr5a.dfw1.rackspace.net (72.3.129.19) 58.049 ms gar1p360.dlrtx.ip.att.net (12.123.16.169) 173.102 ms 12 72.32.199.53 (72.32.199.53) 342.977 ms 557.097 ms 60.899 ms username@hostname>


Palo Alto Networks


view-pcap

view-pcap Examine the content of packet capture files.

Syntax view-pcap option filename

Options option

filename

Specifies the type of information to report. Option

Description

absolute-seq

Displays absolute TCP sequence numbers.

delta

Displays a delta (in micro-seconds) between current and previous line.

hex

Displays each packet (minus link header) in hex.

hex-ascii

Displays each packet (minus link header) in hex and ASCII.

hex-ascii-link

Displays each packet (including link header) in hex and ASCII.

hex-link

Displays each packet (including link header) in hex.

link-header

Displays the link-level header on each dump line.

no-dns-lookup

Does not convert host addresses to names.

no-port-lookup

Does not convert protocol and port numbers to names.

no-qualification

Does not print domain name qualification of host names.

timestamp

Displays timestamp proceeded by date.

undecoded-nfs

Displays undecoded NFS handles.

unformattedtimestamp

Displays an unformatted timestamp.

verbose

Displays verbose output.

verbose+

Displays more verbose output.

verbose++

Displays the maximum output details..

Name of the packet capture file.


Palo Alto Networks

view-pcap

Sample Output The following command displays the contents of the packet capture file /var/session/pan/filters/ syslog.pcap in ASCII and hex formats. username@hostname> view-pcap hex-ascii /var/session/pan/filters/syslog.pcap reading from file /var/session/pan/filters/syslog.pcap, link-type EN10MB (Ethernet) 08:34:31.922899 IP 10.0.0.244.32884 > jdoe.paloaltonetworks.local.syslog: UDP, length 314 0x0000: 4500 0156 0000 4000 4011 2438 0a00 00f4 E..V..@.@.$8.... 0x0010: 0a00 006c 8074 0202 0142 d163 3c31 3137 ...l.t...B.c<117 0x0020: 3e41 7072 2020 3233 2030 383a 3334 3a33 >Apr..23.08:34:3 0x0030: 3420 312c 3034 2f32 3320 3038 3a33 343a 4.1,04/23.08:34: 0x0040: 3334 2c54 4852 4541 542c 7572 6c2c 312c 34,THREAT,url,1, 0x0050: 3034 2f32 3320 3038 3a33 343a 3235 2c31 04/23.08:34:25,1 0x0060: 302e 302e 302e 3838 2c32 3039 2e31 3331 0.0.0.88,209.131 0x0070: 2e33 362e 3135 382c 302e 302e 302e 302c .36.158,0.0.0.0, 0x0080: 302e 302e 302e 302c 6c32 2d6c 616e 2d6f 0.0.0.0,l2-lan-o 0x0090: 7574 2c77 6562 2d62 726f 7773 696e 672c ut,web-browsing, 0x00a0: 7673 7973 312c 6c32 2d6c 616e 2d74 7275 vsys1,l2-lan-tru 0x00b0: 7374 2c6c 322d 6c61 6e2d 756e 7472 7573 st,l2-lan-untrus 0x00c0: 742c 6574 6865 726e 6574 312f 3132 2c65 t,ethernet1/12,e 0x00d0: 7468 6572 6e65 7431 2f31 312c 466f 7277 thernet1/11,Forw 0x00e0: 6172 6420 746f 204d 696b 652c 3034 2f32 ard.to.Mike,04/2 0x00f0: 3320 3038 3a33 343a 3334 2c38 3336 3435 3.08:34:34,83645 0x0100: 372c 322c 3438 3632 2c38 302c 302c 302c 7,2,4862,80,0,0, 0x0110: 3078 302c 7463 7028 3629 2c61 6c65 7274 0x0,tcp(6),alert 0x0120: 2c77 7777 2e79 6168 6f6f 2e63 6f6d 2f70 ,www.yahoo.com/p 0x0130: 2e67 6966 3f2c 2c73 6561 7263 682d 656e .gif?,,search-en 0x0140: 6769 6e65 732c 696e 666f 726d 6174 696f gines,informatio 0x0150: 6e61 6c2c 3000 nal,0.


Palo Alto Networks


view-pcap


Palo Alto Networks


Chapter 5

Maintenance Mode Maintenance mode provides support for error recovery and diagnostics, and allows you to reset the firewall to factory defaults. This chapter describes how to enter Maintenance mode:

•

“Entering Maintenance Mode” in the next section

•

“Using Maintenance Mode” on page 186

Entering Maintenance Mode The system enters Maintenance mode automatically if a critical error is discovered, or you can enter Maintenance mode explicitly when booting the firewall. Critical failure can be due to service errors, bootloader corruption, or disk filesystem errors. You can enter Maintenance mode in either of the following ways:

•

Serial cable to the serial port on the firewall. For serial cable specifications, refer to the Hardware Reference Guide for your firewall model.

•

Secure Socket Layer (SSL). SSL access is supported if the firewall has already entered Maintenance mode (either automatically or explicitly during bootup).

Palo Alto Networks

Maintenance Mode • 183

Entering Maintenance Mode Upon Bootup To enter Maintenance mode upon bootup: 1.

Press m when prompted by the bootloader.

2.

Press any key on your keyboard when prompted to stop the automatic boot, and then select Maint as the booting partition.

184 • Maintenance Mode

Palo Alto Networks

Entering Maintenance Mode Automatically If the system detects a critical error it will automatically fail over to Maintenance mode. When the firewall enters Maintenance mode, messages are displayed on the serial console, web interface, and CLI interface. The serial console displays the following message.

The web interface displays the following message.

Palo Alto Networks


The SSH interface displays the following message. ATTENTION: A critical error has been detected preventing proper boot up of the device. Please contact Palo Alto Networks to resolve this issue at 866-898-9087 or [email protected]. The system is in maintenance mode. Connect via serial console or with user 'maint' through ssh to access the recovery tool.

Using Maintenance Mode The Maintenance mode main menu displays the following options.


Palo Alto Networks

The following table describes the Maintenance mode selections that are accessible without entering a password.

Table 4. General Maintenance Mode Options Option

Description

Maintenance Entry Reason

Indicates why the system entered Maintenance mode and includes possible recovery steps.

Get System Info

Displays basic information about the system. This information is useful when obtaining assistance from Customer Support.

FSCK (Disk Check)

Provides the ability to run a file system check (FSCK) on various partitions.

Log Files

Allows viewing and copying of log files from the system.

Disk Image

Allows the system to revert back to the previously installed software version.

Content Rollback

Allows a rollback to the previously installed content version.

Reboot

Reboots the firewall.

Some of the options are password protected to prevent accidental changes that could leave the system in an inoperative state. The password is intended as a safeguard and it not meant to be secret. The password is MA1NT (numeral 1).

Table 5. General Maintenance Mode Options Option

Description

Factory Reset

Returns the firewall into the factory default state. The reset includes an option to scrub the Config and Log partitions using a National Nuclear Security Administration (NNSA) or Department of Defense (DOD) compliant scrubbing algorithm. Note: Scrubbing can take up to six hours to complete.

Bootloader Recovery

Reprograms the main bootloader with the latest bootloader image on the system. Use this option if the failsafe bootloader is running and recovery of the main bootloader is required. (PA-2000 and PA-500 systems only)

Disk Image Advanced

These options provide greater granularity and control over installation, including status, history, bootstrapping, and other commands.

Diagnostics

Tests the dataplane booting and dataplane memory, and run disk performance with bonnie++.

Palo Alto Networks



Palo Alto Networks


Appendix A CONFIGURATION HIERARCHY This appendix presents the complete firewall configuration hierarchies for the application identification firewall and for Panorama:

•

“Firewall Hierarchy” in the next section

•

“Panorama Hierarchy” on page 251

Firewall Hierarchy operations { schedule { commit; OR... uar-report { user ; title ; period ; start-time ; end-time ; } } OR... clear { application-signature { statistics; } OR... arp |; OR... counter { interface; OR... global { filter { category ; severity ; aspect ; } OR... name ; } OR...

Palo Alto Networks

• 189

all; } OR... dhcp { lease { all; OR... interface { name ; ip ; mac ; } } } OR... high-availability { control-link { statistics; } } OR... job { id 0-4294967295; } OR... log { traffic; OR... threat; OR... config; OR... system; OR... acc; } OR... mac |; OR... query { all-by-session; OR... id 0-4294967295; } OR... report { all-by-session; OR... id 0-4294967295; } OR... session { all { filter { nat none|source|destination|both; proxy yes|no; type flow|predict; state initial|opening|active|discard|closing|closed; from ;

190 •

Palo Alto Networks

to ; source ; destination ; source-user ; destination-user ; source-port 1-65535; destination-port 1-65535; protocol 1-255; application ; rule ; nat-rule ; } } OR... id 1-2147483648; } OR... statistics; OR... vpn { ike-sa { gateway ; } OR... ipsec-sa { tunnel ; } OR... flow { tunnel-id 1-2147483648; } } } OR... delete { admin-sessions; OR... application-block-page; OR... captive-portal-text; OR... config { saved ; } OR... config-audit-history; OR... content { update ; } OR... core { data-plane { file ; } OR... control-plane { file ; }

Palo Alto Networks

• 191

} OR... data-capture { directory ; } OR... debug-filter { file ; } OR... file-block-page; OR... inbound-key { file ; } OR... license { key ; } OR... logo; OR... pcap { directory ; } OR... policy-cache; OR... report { predefined { report-name ; file-name ; } OR... custom { report-name ; file-name ; } OR... summary { report-name ; file-name ; } } OR... root-certificate { file ; } OR... software { image ; OR... version ; } OR... spyware-block-page; OR... ssl-optout-text; OR...

192 •

Palo Alto Networks

threat-pcap { directory ; } OR... unknown-pcap { directory ; } OR... url-block-page; OR... url-coach-text; OR... url-coach-text; OR... user-file { ssh-known-hosts; } OR... virus-block-page; } OR... show { admins { all; } OR... arp ||; OR... chassis-ready; OR... cli { info; OR... idle-timeout; } OR... clock; OR... config { diff; OR... running { xpath ; } OR... synced; OR... candidate; OR... pushed { vsys ; } OR... audit { info; OR... base-version |; OR... base-version-no-deletes |;

Palo Alto Networks

• 193

OR... version |; } OR... saved ; } OR... counter { management-server; OR... global { filter { category ; severity ; aspect ; delta yes|no; value all|non-zero; } OR... name ; } OR... interface |; } OR... ctd { state; OR... threat { id 1-4294967295; application 0-4294967295; profile 0-4294967295; } OR... url-block-cache; } OR... dhcp { lease |; } OR... high-availability { all; OR... state; OR... link-monitoring; OR... path-monitoring; OR... state-synchronization; OR... control-link { statistics; } } OR... interface |||; OR...

194 •

Palo Alto Networks

jobs { all; OR... pending; OR... processed; OR... id 1-4294967296; } OR... local-user-db { vsys ; username ; disabled yes|no; } OR... location { ip ; } OR... log { traffic { direction { equal forward|backward; } csv-output { equal yes|no; } query { equal ; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } start-time { equal ; } end-time { equal ; } src { in ; OR... not-in ; } dst { in ; OR... not-in ; } rule { equal ; OR... not-equal ; } app { equal ; OR...

Palo Alto Networks

• 195

not-equal ; } from { equal ; OR... not-equal ; } to { equal ; OR... not-equal ; } sport { equal 1-65535; OR... not-equal 1-65535; } dport { equal 1-65535; OR... not-equal 1-65535; } action { equal allow|deny|drop; OR... not-equal allow|deny|drop; } srcuser { equal ; } dstuser { equal ; } } OR... threat { suppress-threatid-mapping { equal yes|no; } direction { equal forward|backward; } csv-output { equal yes|no; } query { equal ; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } start-time { equal ; } end-time { equal ; } src {

196 •

Palo Alto Networks

in ; OR... not-in ; } dst { in ; OR... not-in ; } rule { equal ; OR... not-equal ; } app { equal ; OR... not-equal ; } from { equal ; OR... not-equal ; } to { equal ; OR... not-equal ; } sport { equal 1-65535; OR... not-equal 1-65535; } dport { equal 1-65535; OR... not-equal 1-65535; } action { equal alert|allow|deny|drop|drop-all-packets|reset-client|resetserver|reset-both|block-url; OR... not-equal alert|allow|deny|drop|drop-all-packets|resetclient|reset-server|reset-both|block-url; } srcuser { equal ; } dstuser { equal ; } category { equal ; OR... not-equal ; } subtype { equal url|file;

Palo Alto Networks

• 197

} } OR... config { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal ; } start-time { equal ; } end-time { equal ; } client { equal web|cli; OR... not-equal web|cli; } cmd { equal add|clone|commit|create|delete|edit|get|load-fromdisk|move|rename|save-to-disk|set; OR... not-equal add|clone|commit|create|delete|edit|get|load-fromdisk|move|rename|save-to-disk|set; } result { equal succeeded|failed|unauthorized; OR... not-equal succeeded|failed|unauthorized; } } OR... system { direction { equal forward|backward; } opaque { contains ; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal ; }

198 •

Palo Alto Networks

start-time { equal ; } end-time { equal ; } severity { equal critical|high|medium|low|informational; OR... not-equal critical|high|medium|low|informational; OR... greater-than-or-equal critical|high|medium|low|informational; OR... less-than-or-equal critical|high|medium|low|informational; } subtype { equal ; OR... not-equal ; } object { equal ; OR... not-equal ; } eventid { equal ; OR... not-equal ; } id { equal ; OR... not-equal ; } } OR... appstat { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal ; } start-time { equal ; } end-time { equal ; } name { equal ;

Palo Alto Networks

• 199

OR... not-equal ; } type { equal ; OR... not-equal ; } risk { equal 1|2|3|4|5; OR... not-equal 1|2|3|4|5; OR... greater-than-or-equal 1|2|3|4|5; OR... less-than-or-equal 1|2|3|4|5; } } OR... trsum { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal ; } start-time { equal ; } end-time { equal ; } app { equal ; OR... not-equal ; } src { in ; } dst { in ; } rule { equal ; OR... not-equal ; } srcuser { equal ; OR... not-equal ;

200 •

Palo Alto Networks

} dstuser { equal ; OR... not-equal ; } srcloc { equal ; OR... not-equal ; OR... greater-than-or-equal ; OR... less-than-or-equal ; } dstloc { equal ; OR... not-equal ; OR... greater-than-or-equal ; OR... less-than-or-equal ; } } OR... thsum { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal ; } start-time { equal ; } end-time { equal ; } app { equal ; OR... not-equal ; } src { in ; } dst { in ; } rule { equal ;

Palo Alto Networks

• 201

OR... not-equal ; } srcuser { equal ; OR... not-equal ; } dstuser { equal ; OR... not-equal ; } srcloc { equal ; OR... not-equal ; OR... greater-than-or-equal ; OR... less-than-or-equal ; } dstloc { equal ; OR... not-equal ; OR... greater-than-or-equal ; OR... less-than-or-equal ; } threatid { equal ; OR... not-equal ; OR... greater-than-or-equal ; OR... less-than-or-equal ; } subtype { equal ; OR... not-equal ; } } } OR... logging; OR... mac |; OR... management-clients; OR... multi-vsys; OR... object { ip ; vsys ;

202 •

Palo Alto Networks

} OR... pan-agent { statistics; OR... user-IDs; } OR... pan-ntlm-agent { statistics; } OR... proxy { setting; OR... certificate-cache; OR... certificate; OR... notify-cache; OR... exclude-cache; OR... memory { detail; } } OR... query { id 1-4294967296; OR... jobs; } OR... report { id 1-4294967296; OR... jobs; OR... predefined { name { equal top-attackers|top-victims|top-attackers-by-countries|topvictims-by-countries|top-sources|top-destinations|top-destinationcountries|top-source-countries|top-connections|top-ingress-interfaces|topegress-interfaces|top-ingress-zones|top-egress-zones|top-applications|tophttp-applications|top-rules|top-attacks|top-spyware-threats|top-viruses|topvulnerabilities|top-websites|top-url-categories|top-url-users|top-url-userbehavior|unknown-tcp-connections|unknown-udp-connections|top-deniedsources|top-denied-destinations|top-denied-applications; } start-time { equal ; } end-time { equal ; } } OR... custom {

Palo Alto Networks

• 203

database { equal appstat|threat|thsum|traffic|trsum; } topn { equal ; } receive_time { in last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } query { equal ; } aggregate-fields { equal ; } value-fields { equal ; } } } OR... routing { resource; OR... summary { virtual-router ; } OR... fib { virtual-router ; } OR... route { destination ; interface ; nexthop ; type static|connect|ospf|rip; virtual-router ; } OR... protocol { redist all|ospf|rip; OR... ospf summary|area|interface|virt-link|neighbor|virtneighbor|lsdb|dumplsdb; OR... rip summary|interface|peer|database; virtual-router ; } } OR... session { start-at 1-2097152; OR... info; OR... meter; OR... all {

204 •

Palo Alto Networks

filter { nat none|source|destination|both; proxy yes|no; type flow|predict; state initial|opening|active|discard|closing|closed; from ; to ; source ; destination ; source-user ; destination-user ; source-port 1-65535; destination-port 1-65535; protocol 1-255; application ; rule ; nat-rule ; } } OR... id 1-2147483648; } OR... shared-policy; OR... ssl-vpn { portal { name ; } OR... user { portal ; domain ; user ; } OR... flow { name ; OR... tunnel-id 1-2147483648; } } OR... statistics; OR... system { software { status; } OR... info; OR... services; OR... state { filter ; OR... filter-pretty ; OR...

Palo Alto Networks

• 205

browser; } OR... statistics; OR... resources { follow; } OR... disk-space; OR... logdb-quota; OR... files; } OR... target-vsys; OR... threat { id <1-4294967296,...>; } OR... ts-agent { statistics; OR... user-IDs; } OR... url-database; OR... virtual-wire |; OR... vlan |; OR... vpn { gateway { name ; } OR... tunnel { name ; } OR... ike-sa { gateway ; } OR... ipsec-sa { tunnel ; } OR... flow { name ; OR... tunnel-id 1-2147483648; } } OR... zip {

206 •

Palo Alto Networks

setting; } OR... zone-protection { zone ; } } OR... debug { captive-portal { on { normal; OR... debug; } OR... off; OR... show; } OR... cli on|off|detail|show|enable-internal-command; OR... cpld; OR... dataplane { get; OR... show { url-license; OR... user { all; OR... ip ; } OR... ts-agent-data { all; OR... ip ; } OR... nat-rule-cache; OR... global-ippool; OR... ippool; OR... security-policy; OR... nat-policy; OR... captive-portal-policy; OR... ssl-policy; OR... qos-policy; OR...

Palo Alto Networks

• 207

application-override-policy; OR... policy-based-forwarding-policy; OR... application-signature { statistics; } OR... application { dump-setting; } OR... resource-monitor { second { last 1-60; } OR... minute { last 1-60; } OR... hour { last 1-24; } OR... day { last 1-7; } OR... week { last 1-13; } } OR... logging; OR... url-cache { statistics; } OR... top-urls { top 1-10000; category ; } OR... ssl-cert-cn; } OR... reset { user-cache { all; OR... ip ; } OR... url-cache; OR... logging; OR...

208 •

Palo Alto Networks

pow; OR... appid { unknown-cache { destination ; } } OR... proxy { host-certificate-cache; OR... certificate-cache; OR... exclude-cache; OR... notify-cache { source ; } } OR... ctd { url-block-cache { lockout; } } } OR... mode sync|no-sync; OR... on error|warn|info|debug; OR... off; OR... clear; OR... drop-filter { on; OR... off; OR... set { ingress ; file ; source ; destination ; source-port 1-65535; destination-port 1-65535; protocol 1-255; packet-count 1-20000; byte-count 1-2000000; } OR... unset 1-4; } OR... filter { on; OR... off;

Palo Alto Networks

• 209

OR... set { ingress ; file ; source ; destination ; source-port 1-65535; destination-port 1-65535; protocol 1-255; packet-count 1-20000; byte-count 1-2000000; } OR... unset 1-4; OR... close 1-4; } OR... pool { statistics; OR... check { hardware 0-255; OR... software 0-255; } } OR... pow { status; OR... performance { all; } } OR... memory { status; } OR... tcp { state; } OR... internal { pci-access { sample; OR... register ; } OR... vif { address; OR... link; OR... rule; OR... vr;

210 •

Palo Alto Networks

OR... route 0-255; } OR... dt { lion { rd 0-4294967295; OR... igr { show drops|flow|internal|packets|queues; OR... iftbl; OR... mymac; OR... port; } OR... egr { show counts|queues; OR... route; OR... nexthop; } OR... mac { stats { clear; } } OR... spi { stats { clear; } } } OR... oct { csr { rd ; } OR... gmx { stats; } OR... pip { stats; } OR... pko { disp; OR... stats; } OR... pow {

Palo Alto Networks

• 211

dump; } } } } OR... fpga { set { sw_aho yes|no; OR... sw_dfa yes|no; OR... sw_dlp yes|no; } OR... state; } OR... device { switch-dx { uplink; OR... register { read 0-4294967295; } OR... vlan-table { dump; OR... index 0-4095; } OR... port-based-vlan { port 0-32; } OR... fdb { dump; OR... index 0-65535; } } } OR... process { mprelay { on { dump; OR... debug; OR... info; OR... warn; OR... error; } OR... off;

212 •

Palo Alto Networks

OR... show; } OR... ha-agent { on { dump; OR... debug; OR... info; OR... warn; OR... error; } OR... off; OR... show; } } OR... task-heartbeat { on; OR... off; OR... show; } OR... monitor { detail { on; OR... off; OR... show; } } OR... set { tcp reass|fptcp|all; OR... ssl basic|all; OR... proxy basic|all; OR... pow basic|all; OR... zip basic|all; OR... misc misc|all; OR... module aho|dfa|scan|url|all; OR... flow basic|ager|ha|np|arp|receive|all; OR... tunnel flow|ager;

Palo Alto Networks

• 213

OR... ctd basic|sml|url|detector|all; OR... appid agt|basic|policy|dfa|all; OR... all; } OR... unset { tcp reass|fptcp|all; OR... ssl basic|all; OR... proxy basic|all; OR... pow basic|all; OR... misc misc|all; OR... flow basic|ager|np|ha|arp|receive|all; OR... tunnel flow|ager; OR... ctd basic|sml|url|detector|all; OR... appid basic|policy|dfa|all; OR... all; } } OR... device-server { set { agent basic|conn|ntlm|group|sslvpn|detail|ha|tsa|all; OR... misc basic|all; OR... base config|all; OR... url basic|stat|all; OR... config basic|tdb|fpga|all; OR... tdb basic|aho|all; OR... all; } OR... unset { agent basic|conn|detail|sslvpn|ha|tsa|all; OR... base config|all; OR... misc basic|all; OR... url basic|all; OR... config basic|tdb|fpga|all; OR...

214 •

Palo Alto Networks

tdb basic|aho|all; OR... all; } OR... test { dynamic-url ; OR... url ; OR... url-category 1-4192; OR... admin-override-password ; } OR... delete { dynamic-url { host { all; OR... name ; } } } OR... reset { brightcloud-database; OR... url { dynamic-url-timeout 1-43200; OR... dynamic-url-size 10-1000000; } OR... logging { statistics; } OR... pan-ntlm-agent { all; } OR... pan-agent { all; } OR... captive-portal { ip-address ; } OR... id-manager; OR... url-cache; } OR... save { dynamic-url { database; }

Palo Alto Networks

• 215

} OR... dump { dynamic-url { database { start-from 1-1000000; category ; } OR... statistics; } OR... user-group { name ; } OR... ts-agent { config; } OR... idmgr { type { zone { all; OR... id 1-4294967295; OR... name ; } OR... vsys { all; OR... id 1-4294967295; OR... name ; } OR... global-tunnel { all; OR... id 1-; OR... name ; } OR... global-interface { all; OR... id 1-4294967295; OR... name ; } OR... global-vlan-domain { all; OR... id 1-4294967295; OR...

216 •

Palo Alto Networks

name ; } OR... global-vlan { all; OR... id 1-4294967295; OR... name ; } OR... global-vrouter { all; OR... id 1-4294967295; OR... name ; } OR... global-rib-instance { all; OR... id 1-4294967295; OR... name ; } OR... shared-application { all; OR... id 1-4294967295; OR... name ; } OR... custom-url-filter { all; OR... id 1-4294967295; OR... name ; } OR... user { all; OR... id 1-4294967295; OR... name ; } OR... user-group { all; OR... id 1-4294967295; OR... name ; } OR...

Palo Alto Networks

• 217

custom-application { all; OR... id 1-4096; OR... name ; } OR... security-rule { all; OR... id 1-4096; OR... name ; } OR... nat-rule { all; OR... id 1-4096; OR... name ; } OR... ssl-rule { all; OR... id 1-4096; OR... name ; } OR... ike-gateway { all; OR... id 1-4096; OR... name ; } } } OR... logging { statistics; } } OR... on error|warn|info|debug|dump; OR... off; OR... clear; OR... show; OR... refresh { user-group; } }

218 •

Palo Alto Networks

OR... dhcpd { global { on { error; OR... warn; OR... info; OR... debug; OR... dump; } OR... off; OR... show; } OR... pcap { show; OR... on { virtualrouter ; } OR... off; OR... delete; OR... view; } } OR... ez { enable; OR... disable; OR... show { counter { index 0-4194304; num-counters 0-40; } OR... session-counter { index 0-4194304; num-counters 0-40; } OR... port { index 0-32; } OR... throughput; OR... arp; OR...

Palo Alto Networks

• 219

route; OR... session; OR... drop_flag; OR... freerfd; OR... register { index 0-4294967295; count 0-40; } OR... tm-stats; } OR... set { drop 0|1; } } OR... high-availability-agent { on error|warn|info|debug|dump; OR... off; OR... show; OR... internal-dump; OR... model-check on|off; OR... commit-ex-hello on|off; } OR... ike { global { on { normal; OR... debug; OR... dump; } OR... off; OR... show; } OR... pcap { show; OR... on; OR... off; OR... delete; OR...

220 •

Palo Alto Networks

view; } OR... socket; OR... stat; } OR... keymgr { on { normal; OR... debug; OR... dump; } OR... off; OR... show; OR... list-sa; } OR... log-receiver { on { normal; OR... debug; OR... dump; } OR... off; OR... show; OR... statistics; OR... fwd { on; OR... off; OR... show; } } OR... management-server { on error|warn|info|debug|dump; OR... off; OR... clear; OR... show; OR... phased-commit enable|disable|show; OR...

Palo Alto Networks

• 221

client { disable device|ikemgr|dhcpd|ha_agent|routed|npagent|modhttpd|rasmgr; OR... enable device|ikemgr|dhcpd|ha_agent|routed|npagent|modhttpd|rasmgr; } } OR... master-service { on error|warn|info|debug|dump; OR... off; OR... show; OR... internal-dump; } OR... netconfig-agent { on { dump; OR... debug; OR... info; OR... warn; OR... error; } OR... off; OR... show; } OR... rasmgr { on { normal; OR... debug; OR... dump; } OR... off; OR... show; } OR... routing { mib ; OR... list-mib; OR... fib { flush; OR... stats; }

222 •

Palo Alto Networks

OR... global { on { error; OR... warn; OR... info; OR... debug; OR... dump; } OR... off; OR... show; } OR... pcap { show; OR... ospf { on { virtualrouter ; } OR... off; OR... delete; OR... view; } OR... rip { on { virtualrouter ; } OR... off; OR... delete; OR... view; } OR... all { on { virtualrouter ; } OR... off; OR... delete; OR... view; } } OR...

Palo Alto Networks

• 223

socket; } OR... software { restart { pan-comm; OR... device-server; OR... management-server; OR... web-server; } } OR... swm { list; OR... log; OR... history; OR... status; OR... unlock; OR... revert; OR... refresh { content; } } OR... tac-login { permanently-disable; OR... disable; OR... enable; } OR... vardata-receiver { on { normal; OR... debug; OR... dump; } OR... off; OR... show; OR... statistics; } } OR... set {

224 •

Palo Alto Networks

application { dump-unknown yes|no; OR... dump { on { limit 1-5000; from ; to ; source ; destination ; source-user ; destination-user ; source-port 1-65535; destination-port 1-65535; protocol 1-255; application ; rule ; } OR... off; } OR... cache yes|no; OR... supernode yes|no; OR... heuristics yes|no; OR... notify-user yes|no; } OR... cli { pager on|off; OR... confirmation-prompt on|off; OR... scripting-mode on|off; OR... timeout { idle |1-1440; } OR... terminal { type aaa|aaa+dec|aaa+rv|aaa+unk|aaa-18|aaa-18-rv|aaa-20|aaa-22|aaa24|aaa-24-rv|aaa-26|aaa-28|aaa-30-ctxt|aaa-30-rv|aaa-30-rv-ctxt|aaa-30s|aaa-30-s-rv|aaa-36|aaa-36-rv|aaa-40|aaa-40-rv|aaa-48|aaa-48-rv|aaa-60|aaa60-dec-rv|aaa-60-rv|aaa-60-s|aaa-60-s-rv|aaa-db|aaa-rv-unk|aaa-s-ctxt|aaa-srv-ctxt|aas1901|abm80|abm85|abm85e|abm85h|abm85hold|act4|act5|addrinfo|adds980|adm+sgr|adm11|adm1178|adm12|adm1a|adm2|adm20| adm21|adm22|adm3|adm31|adm31-old|adm36|adm3a|adm3a+|adm42|adm42ns|adm5|aepro|aixterm|aixterm-m|aixterm-m-old|aj510|aj830|altoh19|altos2|altos3|altos4|altos7|altos7pc|amiga|amiga-8bit|amiga-h|amigavnc|ampex175|ampex175b|ampex210|ampex219|ampex219w|ampex232|ampex232w|ampex80|annarbor4080|ansi|a nsi+arrows|ansi+csr|ansi+cup|ansi+erase|ansi+idc|ansi+idl|ansi+idl1|ansi+ini ttabs|ansi+local|ansi+local1|ansi+pp|ansi+rca|ansi+rep|ansi+sgr|ansi+sgrbold |ansi+sgrdim|ansi+sgrso|ansi+sgrul|ansi+tabs|ansi-color-2-emx|ansi-color-3emx|ansi-emx|ansi-generic|ansi-m|ansi-mini|ansi-mr|ansi-mtabs|ansint|ansi.sys|ansi.sys-

Palo Alto Networks

• 225

old|ansi.sysk|ansi77|apollo|apollo_15P|apollo_19L|apollo_color|apple80|apple-ae|apple-soroc|apple-uterm|apple-uterm-vb|apple-videx|applevidex2|apple-videx3|apple-vm80|apple2e|apple2ep|apple80p|appleII|appleIIgs|arm100|arm100w|atari|att2300|att2350|att4410|att4410v1-w|att4415|att4415+nl|att4415nl|att4415-rv|att4415-rv-nl|att4415-w|att4415-w-nl|att4415-w-rv|att4415-wrv-n|att4418|att4418-w|att4420|att4424|att44241|att4424m|att4426|att500|att505|att505-24|att510a|att510d|att5310|att5410w|att5410v1|att5420_2|att5420_2-w|att5425|att5425-nl|att5425w|att5620|att5620-1|att5620-24|att5620-34|att5620-s|att605|att605-pc|att605w|att610|att610-103k|att610-103k-w|att610-w|att615|att615-103k|att615-103kw|att615-w|att620|att620-103k|att620-103k-w|att620-w|att630|att63024|att6386|att700|att730|att730-24|att730-41|att7300|att730r|att730r24|att730r-41|avatar|avatar0|avatar0+|avt|avt+s|avt-ns|avt-rv|avt-rv-ns|avtw|avt-w-ns|avt-w-rv|avt-w-rvns|aws|awsc|bantam|basis|beacon|beehive|beehive3|beehive4|beterm|bg1.25|bg1. 25nv|bg1.25rv|bg2.0|bg2.0rv|bitgraph|blit|bobcat|bq300|bq300-8|bq300-8pc|bq300-8-pc-rv|bq300-8-pc-w|bq300-8-pc-w-rv|bq300-8rv|bq300-8w|bq300pc|bq300-pc-rv|bq300-pc-w|bq300-pc-w-rv|bq300-rv|bq300-w|bq300-w-8rv|bq300w-rv|bsdos-pc|bsdos-pc-m|bsdos-pc-nobold|bsdos-ppc|bsdos-sparc|c100|c100rv|c108|c108-4p|c108-rv|c108-rv-4p|c108-w|ca22851|cad68-2|cad683|cbblit|cbunix|cci|cdc456|cdc721|cdc721esc|cdc721ll|cdc752|cdc756|cg7900|cit101|cit101e|cit101e-132|cit101en|cit101e-n132|cit101e-rv|cit500|cit80|citoh|citoh-6lpi|citoh-8lpi|citohcomp|citoh-elite|citoh-pica|citohprop|coco3|color_xterm|commodore|cons25|cons25-m|cons25l1|cons25l1m|cons25r|cons25r-m|cons25w|cons30|cons30-m|cons43|cons43-m|cons50|cons50m|cons50l1|cons50l1-m|cons50r|cons50r-m|cons60|cons60-m|cons60l1|cons60l1m|cons60r|cons60r-m|contel300|contel301|cops10|crt|cs10|cs10w|ct8500|ctrm|cyb110|cyb83|cygwin|cygwinB19|cygwinDBG|d132|d200|d210|d210dg|d211|d211-7b|d211-dg|d216-dg|d216-unix|d216-unix-25|d217-unix|d217-unix25|d220|d220-7b|d220-dg|d230c|d230c-dg|d400|d410|d410-7b|d410-7b-w|d410dg|d410-w|d412-dg|d412-unix|d412-unix-25|d412-unix-s|d412-unix-sr|d412-unixw|d413-unix|d413-unix-25|d413-unix-s|d413-unix-sr|d413-unix-w|d414unix|d414-unix-25|d414-unix-s|d414-unix-sr|d414-unix-w|d430c-dg|d430c-dgccc|d430c-unix|d430c-unix-25|d430c-unix-25-ccc|d430c-unix-ccc|d430c-unixs|d430c-unix-s-ccc|d430c-unix-sr|d430c-unix-sr-ccc|d430c-unix-w|d430c-unixw-ccc|d470c|d470c-7b|d470c-dg|d555|d555-7b|d555-7b-w|d555-dg|d555w|d577|d577-7b|d577-7b-w|d577-dg|d577-w|d578|d578-7b|d800|ddr|dec-vt100|decvt220|decansi|delta|dg+ccc|dg+color|dg+color8|dg+fixed|dggeneric|dg200|dg210|dg211|dg450|dg460-ansi|dg6053|dg6053old|dgkeys+11|dgkeys+15|dgkeys+7b|dgkeys+8b|dgmode+color|dgmode+color8|dguni x+ccc|dgunix+fixed|diablo1620|diablo1620-m8|diablo1640|diablo1640lm|diablo1740-lm|digilog|djgpp|djgpp203|djgpp204|dku7003|dku7003dumb|dku7102old|dku7202|dm1520|dm2500|dm3025|dm3045|dm80|dm80w|dmchat|dmterm|dp3360|dp82 42|dt100|dt100w|dt110|dt80sas|dtc300s|dtc382|dtterm|dumb|dw1|dw2|dw3|dw4|dwk|ecma+color|ecma+sgr|elks| elks-ansi|elks-glasstty|elks-vt52|emu|emu-220|emxbase|env230|ep40|ep48|ergo4000|esprit|espritam|Eterm|eterm|ex155|excel62|excel62-rv|excel62-w|f100|f100-rv|f110|f11014|f110-14w|f110-w|f1720|f200|f200-w|f200vi|f200vi-w|falco|falcop|fos|fox|gator|gator-52|gator-52t|gator-t|gigi|glasstty|gnome|gnomerh62|gnome-rh72|gnome-rh80|gnome-rh90|go140|go140w|go225|graphos|graphos30|gs6300|gsi|gt40|gt42|guru|guru+rv|guru+s|guru-24|guru-44|guru-44-s|guru76|guru-76-lp|guru-76-s|guru-76-w|guru-76-w-s|guru-76-wm|guru-nctxt|gururv|guru-s|h19|h19-a|h19-bs|h19-g|h19-u|h19us|h19k|ha8675|ha8686|hazel|hds200|hft-c|hft-c-old|hftold|hirez100|hirez100-

226 •

Palo Alto Networks

w|hmod1|hp+arrows|hp+color|hp+labels|hp+pfk+arrows|hp+pfk+cr|hp+pfkcr|hp+printer|hp110|hp150|hp2|hp236|hp2382a|hp2392|hp2397a|hp2621|hp262148|hp2621-a|hp2621-ba|hp2621-fl|hp2621-k45|hp2621-nl|hp2621nt|hp2621b|hp2621b-kx|hp2621b-kx-p|hp2621b-p|hp2621p|hp2621pa|hp2622|hp2623|hp2624|hp2624-10p|hp2624b-10p-p|hp2624b-p|hp2626|hp262612|hp2626-12-s|hp2626-12x40|hp2626-ns|hp2626-s|hp2626-x40|hp2627a|hp2627arev|hp2627c|hp262x|hp2640a|hp2640b|hp2641a|hp2645|hp2648|hp300h|hp700wy|hp70092|hp9837|hp9845|hp98550|hpansi|hpex|hpgeneric|hpsub|hpterm|hurd|hz1 000|hz1420|hz1500|hz1510|hz1520|hz1520-noesc|hz1552|hz1552rv|hz2000|i100|i400|ibcs2|ibm+16color|ibm+color|ibm-apl|ibm-pc|ibmsystem1|ibm3101|ibm3151|ibm3161|ibm3161C|ibm3162|ibm3164|ibm327x|ibm5081|ibm5081-c|ibm5151|ibm5154|ibm6153|ibm615340|ibm6153-90|ibm6154|ibm6155|ibm8503|ibm8512|ibm8514|ibm8514c|ibmaed|ibmapa8c|ibmapa8c-c|ibmega|ibmegac|ibmmono|ibmpc|ibmpc3|ibmpcx|ibmvga|ibmvga-c|icl6404|icl6404-w|ifmr|imsansi|ims950|ims950-b|ims950-rv|infoton|interix|interixnti|intertube|intertube2|intext|intext2|iris-ansi|iris-ansi-ap|iriscolor|jaixterm|jaixterm-m|kaypro|kermit|kermitam|klone+acs|klone+color|klone+koi8acs|klone+sgr|klone+sgrdumb|konsole|konsole-16color|konsole-base|konsole-linux|konsolevt100|konsole-vt420pc|konsole-xf3x|konsole-xf4x|kt7|kt7ix|kterm|ktermcolor|kvt|lft|linux|linux-basic|linux-c|linux-c-nc|linux-koi8|linuxkoi8r|linux-lat|linux-m|linux-nic|linux-vt|lisa|lisaterm|lisatermw|liswb|ln03|ln03-w|lpr|luna|m2-nam|mac|mac-w|mach|mach-bold|machcolor|mai|masscomp|masscomp1|masscomp2|megatek|memhp|mgr|mgr-linux|mgrsun|mgterm|microb|mime|mime-fb|mime-hb|mime2a|mime2as|mime314|mime3a|mime3ax|minitel1|minitel1b|minitel1b-80|minix|minixold|minix-old-am|mlterm|mm340|modgraph|modgraph2|modgraph48|monoemx|morphos|ms-vt-utf8|ms-vt100|ms-vt100+|ms-vt100color|msk227|msk22714|msk227am|mt4520-rv|mt70|mterm|mtermansi|MtxOrb|MtxOrb162|MtxOrb204|mvterm|nansi.sys|nansi.sysk|ncr160vppp|ncr16 0vpwpp|ncr160vt100an|ncr160vt100pp|ncr160vt100wan|ncr160vt100wpp|ncr160vt200 an|ncr160vt200pp|ncr160vt200wan|ncr160vt200wpp|ncr160vt300an|ncr160vt300pp|n cr160vt300wan|ncr160vt300wpp|ncr160wy50+pp|ncr160wy50+wpp|ncr160wy60pp|ncr16 0wy60wpp|ncr260intan|ncr260intpp|ncr260intwan|ncr260intwpp|ncr260vppp|ncr260 vpwpp|ncr260vt100an|ncr260vt100pp|ncr260vt100wan|ncr260vt100wpp|ncr260vt200a n|ncr260vt200pp|ncr260vt200wan|ncr260vt200wpp|ncr260vt300an|ncr260vt300pp|nc r260vt300wan|NCR260VT300WPP|ncr260wy325pp|ncr260wy325wpp|ncr260wy350pp|ncr26 0wy350wpp|ncr260wy50+pp|ncr260wy50+wpp|ncr260wy60pp|ncr260wy60wpp|ncr7900i|n cr7900iv|ncr7901|ncrvt100an|ncrvt100wan|ncsa|ncsa-m|ncsa-m-ns|ncsa-ns|ncsavt220|nec5520|newhp|newhpkeyboard|news-29|news-29-euc|news-29-sjis|news33|news-33-euc|news-33-sjis|news-42|news-42-euc|news-42-sjis|news-oldunk|newsunk|news28|news29|next|nextshell|northstar|nsterm|nsterm+7|nsterm+acs|nsterm +c|nsterm+c41|nsterm+mac|nsterm+s|nsterm-7|nsterm-7-c|nsterm-acs|nstermc|nsterm-c-acs|nsterm-c-s|nsterm-c-s-7|nsterm-c-s-acs|nsterm-m|nsterm-m7|nsterm-m-acs|nsterm-m-s|nsterm-m-s-7|nsterm-m-s-acs|nsterm-s|nsterm-s7|nsterm-s-acs|nwp511|nwp512|nwp512-a|nwp512-o|nwp513|nwp513-a|nwp513o|nwp517|nwp517-w|oblit|oc100|ofcons|oldpc3|oldsun|omron|opennt-100|opennt100-nti|opennt-35|opennt-35-nti|opennt-35-w|opennt-50|opennt-50-nti|opennt50-w|opennt-60|opennt-60-nti|opennt-60-w|opennt-w|opennt-wvt|opus3n1+|origpc3|osborne|osbornew|osexec|otek4112|otek4115|owl|p19|p8gl|pc-coherent|pc-minix|pcvenix|pc3|pc6300plus|pcansi|pcansi-25|pcansi-25-m|pcansi-33|pcansi-33m|pcansi-43|pcansi-43-m|pcansim|pccons|pcix|pckermit|pckermit120|pcmw|pcplot|pcvt25|pcvt25color|pcvt25w|pcvt28|pcvt28w|pcvt35|pcvt35w|pcvt40|pcvt40w|pcvt43|pcvt43w|pc vt50|pcvt50w|pcvtXX|pe1251|pe7000c|pe7000m|pilot|pmcons|prism12|prism12m|prism12-m-w|prism12-w|prism14|prism14-m|prism14-m-w|prism14-

Palo Alto Networks

• 227

w|prism2|prism4|prism5|prism7|prism8|prism8-w|prism9|prism9-8|prism9-8w|prism9-w|pro350|ps300|psterm|psterm-80x24|psterm-90x28|psterm96x48|psterm-fast|pt100|pt100w|pt210|pt250|pt250w|pty|putty|qansi|qansig|qansi-m|qansi-t|qansiw|qdss|qnx|qnxm|qnxt|qnxt2|qnxtmono|qnxw|qume5|qvt101|qvt101+|qvt102|qvt103| qvt103-w|qvt119+|qvt119+-25|qvt119+-25-w|qvt119+-w|qvt203|qvt203-25|qvt20325-w|qvt203-w|rbcomm|rbcomm-nam|rbcomm-w|rca|rcons|rconscolor|regent|regent100|regent20|regent25|regent40|regent40+|regent60|rt6221| rt6221-w|rtpc|rxvt|rxvt+pcfkeys|rxvt-16color|rxvt-basic|rxvt-color|rxvtcygwin|rxvt-cygwin-native|rxvt-xpm|sb1|sb2|sbi|scanset|scoansi|scoansinew|scoansi-old|screen|screen-bce|screen-s|screenw|screen.linux|screen.teraterm|screen.xterm-r6|screen.xtermxfree86|screen2|screen3|screwpoint|scrhp|sibo|simterm|soroc120|soroc140|st52 |sun|sun-1|sun-12|sun-17|sun-24|sun-34|sun-48|sun-c|sun-cgsix|sun-e|sun-es|sun-il|sun-s|sun-type4|superbeexsb|superbeeic|superbrain|swtp|synertek|t10|t1061|t1061f|t16|t3700|t3800|tab 132|tab132-rv|tab132-w|tab132-wrv|tandem6510|tandem653|tek|tek4013|tek4014|tek4014-sm|tek4015|tek4015sm|tek4023|tek4024|tek4025-17|tek4025-17-ws|tek4025-cr|tek4025ex|tek4025a|tek4025ex|tek4105|tek410530|tek4105a|tek4106brl|tek4107|tek4112|tek4112-5|tek4112-nd|tek4113|tek411334|tek4113-nd|tek4115|tek4125|tek4205|tek4207|tek4207s|tek4404|teletec|teraterm|terminet1200|ti700|ti916|ti916-132|ti916-8|ti9168-132|ti924|ti924-8|ti924-8w|ti924w|ti926|ti926-8|ti928|ti9288|ti931|ti_ansi|trs16|trs2|ts100|ts100-ctxt|tt|tt50522|tty33|tty37|tty40|tty43|tvi803|tvi9065|tvi910|tvi910+|tvi912|tvi912b|tvi9 12b+2p|tvi912b+dim|tvi912b+mc|tvi912b+printer|tvi912b+vb|tvi912b-2p|tvi912b2p-mc|tvi912b-2p-p|tvi912b-2p-unk|tvi912b-mc|tvi912b-p|tvi912b-unk|tvi912bvb|tvi912b-vb-mc|tvi912b-vb-p|tvi912b-vbunk|tvi912cc|tvi920b|tvi920b+fn|tvi920b-2p|tvi920b-2p-mc|tvi920b-2pp|tvi920b-2p-unk|tvi920b-mc|tvi920b-p|tvi920b-unk|tvi920b-vb|tvi920b-vbmc|tvi920b-vb-p|tvi920b-vb-unk|tvi921|tvi924|tvi925|tvi925hi|tvi92B|tvi92D|tvi950|tvi950-2p|tvi950-4p|tvi950-rv|tvi950-rv-2p|tvi950rv-4p|tvi955|tvi955-hb|tvi955-w|tvi970|tvi970-2p|tvi970-vb|tvipt|twsgeneric|tws2102-sna|tws2103|tws2103sna|uniterm|unknown|uts30|uwin|v3220|v5410|vanilla|vc303|vc303a|vc404|vc404s|vc414|vc415|versaterm|vi200|vi200-f|vi200-rv|vi300|vi300old|vi50|vi500|vi50adm|vi55|vi550|vi603|viewpoint|vip|vip-H|vip-Hw|vipw|visa50|vp3a+|vp60|vp90|vremote|vsc|vt100|vt100+fnkeys|vt100+keypad|vt100+p fkeys|vt100-nav|vt100-nav-w|vt100-putty|vt100-s|vt100-s-bot|vt100-vb|vt100w|vt100-w-nam|vt100nam|vt102|vt102-nsgr|vt102-w|vt125|vt131|vt132|vt200js|vt220|vt220+keypad|vt220-8bit|vt220-nam|vt220-old|vt220w|vt220d|vt320|vt320-k3|vt320-k311|vt320-nam|vt320-w|vt320-wnam|vt320nam|vt340|vt400|vt420|vt420f|vt420pc|vt420pcdos|vt50|vt50h|vt510|vt 510pc|vt510pcdos|vt52|vt520|vt525|vt61|wsiris|wsvt25|wsvt25m|wy100|wy100q|wy 120|wy120-25|wy120-25-w|wy120-vb|wy120-w|wy120-w-vb|wy160|wy160-25|wy160-25w|wy160-42|wy160-42-w|wy160-43|wy160-43-w|wy160-tek|wy160-vb|wy160-w|wy160w-vb|wy185|wy185-24|wy185-vb|wy185-w|wy185-wvb|wy30|wy30-mc|wy30vb|wy325|wy325-25|wy325-25w|wy325-42|wy325-42w|wy325-42w-vb|wy325-43|wy32543w|wy325-43w-vb|wy325-vb|wy325-w|wy325-w-vb|wy350|wy350-vb|wy350-w|wy350wvb|wy370|wy370-105k|wy370-EPC|wy370-nk|wy370-rv|wy370-tek|wy370-vb|wy370w|wy370-wvb|wy50|wy50-mc|wy50-vb|wy50-w|wy50-wvb|wy520|wy520-24|wy52036|wy520-36pc|wy520-36w|wy520-36wpc|wy520-48|wy520-48pc|wy520-48w|wy52048wpc|wy520-epc|wy520-epc-24|wy520-epc-vb|wy520-epc-w|wy520-epc-wvb|wy520vb|wy520-w|wy520-wvb|wy60|wy60-25|wy60-25-w|wy60-42|wy60-42-w|wy60-43|wy6043-w|wy60-vb|wy60-w|wy60-w-vb|wy75|wy75-mc|wy75-vb|wy75-w|wy75wvb|wy75ap|wy85|wy85-8bit|wy85-vb|wy85-w|wy85-wvb|wy99-ansi|wy99aansi|wy99f|wy99fa|wy99gt|wy99gt-25|wy99gt-25-w|wy99gt-tek|wy99gt-vb|wy99gtw|wy99gt-w-vb|wyse-

228 •

Palo Alto Networks

vp|x10term|x68k|xerox1720|xerox820|xnuppc|xnuppc+100x37|xnuppc+112x37|xnuppc +128x40|xnuppc+128x48|xnuppc+144x48|xnuppc+160x64|xnuppc+200x64|xnuppc+200x7 5|xnuppc+256x96|xnuppc+80x25|xnuppc+80x30|xnuppc+90x30|xnuppc+b|xnuppc+basic |xnuppc+c|xnuppc+f|xnuppc+f2|xnuppc-100x37|xnuppc-100x37-m|xnuppc112x37|xnuppc-112x37-m|xnuppc-128x40|xnuppc-128x40-m|xnuppc-128x48|xnuppc128x48-m|xnuppc-144x48|xnuppc-144x48-m|xnuppc-160x64|xnuppc-160x64-m|xnuppc200x64|xnuppc-200x64-m|xnuppc-200x75|xnuppc-200x75-m|xnuppc-256x96|xnuppc256x96-m|xnuppc-80x25|xnuppc-80x25-m|xnuppc-80x30|xnuppc-80x30-m|xnuppc90x30|xnuppc-90x30-m|xnuppc-b|xnuppc-f|xnuppc-f2|xnuppc-m|xnuppc-m-b|xnuppcm-f|xnuppc-m-f2|xtalk|xterm|xterm+pcfkeys|xterm+sl|xterm+sl-twm|xterm1002|xterm-1003|xterm-16color|xterm-24|xterm-256color|xterm-88color|xterm8bit|xterm-basic|xterm-bold|xterm-color|xterm-hp|xterm-new|xterm-nic|xtermnoapp|xterm-pcolor|xterm-r5|xterm-r6|xterm-sco|xterm-sun|xterm-vt220|xtermvt52|xterm-xf86-v32|xterm-xf86-v33|xterm-xf86-v333|xterm-xf86-v40|xtermxf86-v43|xterm-xf86-v44|xterm-xfree86|xterm-xi|xterm1|xtermc|xtermm|xtermssun|z100|z100bw|z29|z29a|z29a-kc-uc|z29a-nkc-bc|z29a-nkc-uc|z340|z340nam|z39-a|zen30|zen50|ztx; OR... width 1-500; OR... height 1-500; } } OR... clock { date ; time ; } OR... ctd { x-forwarded-for yes|no; } OR... data-access-password ; OR... logging { max-log-rate 0-50000; OR... max-packet-rate 0-2560; OR... log-suppression yes|no; OR... default; } OR... management-server { unlock { admin ; } OR... logging on|off|import-start|import-end; } OR... multi-vsys on|off; OR... panorama on|off; OR... password; OR...

Palo Alto Networks

• 229

proxy { skip-proxy yes|no; OR... skip-ssl yes|no; OR... answer-timeout 1-86400; OR... notify-user yes|no; } OR... session { timeout-tcp 1-15999999; OR... timeout-udp 1-15999999; OR... timeout-icmp 1-15999999; OR... timeout-default 1-15999999; OR... timeout-tcpinit 1-60; OR... timeout-tcpwait 1-60; OR... timeout-scan 5-30; OR... scan-threshold 50-99; OR... scan-scaling-factor 2-16; OR... accelerated-aging-enable yes|no; OR... accelerated-aging-threshold 50-99; OR... accelerated-aging-scaling-factor 2-16; OR... tcp-reject-non-syn yes|no; OR... offload yes|no; OR... default; } OR... shared-policy enable|disable|import-and-disable; OR... ssl-vpn { unlock { vsys ; auth-profile ; user ; } } OR... target-vsys ; OR... url-database ; OR... zip { enable yes|no; }

230 •

Palo Alto Networks

} OR... request { certificate { self-signed { for-use-by web-interface|ssl-decryption|ssl-untrusted|inbound-proxy; passphrase ; name ; nbits 1024|512; country-code ; state ; locality ; organization ; organization-unit ; email ; filename ; } OR... install { for-use-by { web-interface { passphrase ; key ; certificate ; } OR... ssl-decryption { passphrase ; key ; certificate ; } OR... ssl-untrusted { passphrase ; key ; certificate ; } OR... inbound-proxy { passphrase ; key ; certificate ; name ; } } } OR... verify { for-use-by { web-interface { passphrase ; key ; certificate ; } } } } OR... comfort-page {

Palo Alto Networks

• 231

install application-block-page|url-block-page|spyware-block-page|virusblock-page|file-block-page; } OR... content { downgrade { install ; } OR... upgrade { info; OR... check; OR... download latest; OR... install { version latest; OR... file ; commit yes|no; } } } OR... data-filtering { access-password { create { password ; } OR... modify { old-password ; new-password ; } OR... delete; } } OR... device-registration { username ; password ; } OR... high-availability { sync-to-remote { candidate-config; OR... running-config; OR... disk-state; OR... runtime-state; OR... clock; } OR... state {

232 •

Palo Alto Networks

suspend; OR... functional; } OR... clear-alarm-led; } OR... license { info; OR... fetch { auth-code ; } OR... install ; } OR... password-hash { password ; } OR... restart { system; OR... software; OR... dataplane; } OR... ssl-optout-text { install; } OR... ssl-vpn { client-register { portal ; domain ; user ; } OR... client-logout { portal ; domain ; user ; authcookie ; reason |||||||||; } OR... client-config { portal ; user ; authcookie ; client-type 1-100000; os-version ; app-version ; protocol-version |; existing-ip ; existing-mtu 1-32000;

Palo Alto Networks

• 233

preferred-ip ; } OR... ssl-switch { portal ; user ; authcookie ; conn-c-ip ; conn-c-port 1-65535; conn-s-ip ; conn-s-port 1-65535; } } OR... support { info; OR... check; } OR... system { software { info; OR... check; OR... download { version ; OR... file ; } OR... install { version ; OR... file ; } } OR... factory-reset; } OR... tech-support { dump; } OR... url-filtering { upgrade { brightcloud; } OR... download { status; } } OR... vpnclient { software { info;

234 •

Palo Alto Networks

OR... check; OR... download { version ; OR... file ; } OR... install { version ; OR... file ; } } } } OR... check { data-access-passwd { system; } OR... pending-changes; } OR... save { config { to ; } } OR... scp { export { configuration { from ; to ; remote-port 1-65535; source-ip ; } OR... packet-log { from ; to ; remote-port 1-65535; source-ip ; } OR... pdf-reports { from ; to ; remote-port 1-65535; source-ip ; } OR... filter { from ; to ; remote-port 1-65535;

Palo Alto Networks

• 235

source-ip ; } OR... application { from ; to ; remote-port 1-65535; source-ip ; } OR... ssl-decryption-certificate { to ; remote-port 1-65535; source-ip ; } OR... web-interface-certificate { to ; remote-port 1-65535; source-ip ; } OR... logdb { to ; remote-port 1-65535; source-ip ; } OR... log { traffic { max-log-count 0-65535; unexported-only { equal yes|no; } start-time { equal ; } end-time { equal ; } query ; to ; remote-port 1-65535; source-ip ; } OR... threat { max-log-count 0-65535; unexported-only { equal yes|no; } start-time { equal ; } end-time { equal ; } query ; to ;

236 •

Palo Alto Networks

remote-port 1-65535; source-ip ; } } OR... stats-dump { to ; remote-port 1-65535; source-ip ; } OR... tech-support { to ; remote-port 1-65535; source-ip ; } OR... core-file { control-plane { from ; to ; remote-port 1-65535; source-ip ; } OR... data-plane { from ; to ; remote-port 1-65535; source-ip ; } } OR... log-file { control-plane { to ; remote-port 1-65535; source-ip ; } OR... data-plane { to ; remote-port 1-65535; source-ip ; } } OR... ssl-optout-text { to ; remote-port 1-65535; source-ip ; } OR... captive-portal-text { to ; remote-port 1-65535; source-ip ; } OR...

Palo Alto Networks

• 237

url-coach-text { to ; remote-port 1-65535; source-ip ; } OR... file-block-page { to ; remote-port 1-65535; source-ip ; } OR... application-block-page { to ; remote-port 1-65535; source-ip ; } OR... url-block-page { to ; remote-port 1-65535; source-ip ; } OR... virus-block-page { to ; remote-port 1-65535; source-ip ; } OR... spyware-block-page { to ; remote-port 1-65535; source-ip ; } OR... debug-pcap { from ; to ; remote-port 1-65535; source-ip ; } } OR... import { configuration { from ; remote-port 1-65535; source-ip ; } OR... ssl-decryption-certificate { from ; remote-port 1-65535; source-ip ; } OR... private-key { from ;

238 •

Palo Alto Networks

remote-port 1-65535; source-ip ; } OR... web-interface-certificate { from ; remote-port 1-65535; source-ip ; } OR... trusted-ca-certificate { from ; remote-port 1-65535; source-ip ; } OR... logdb { from ; remote-port 1-65535; source-ip ; } OR... license { from ; remote-port 1-65535; source-ip ; } OR... content { from ; remote-port 1-65535; source-ip ; } OR... software { from ; remote-port 1-65535; source-ip ; } OR... inbound-proxy-key { from ; remote-port 1-65535; source-ip ; } OR... ssl-optout-text { from ; remote-port 1-65535; source-ip ; } OR... captive-portal-text { from ; remote-port 1-65535; source-ip ; } OR... url-coach-text {

Palo Alto Networks

• 239

from ; remote-port 1-65535; source-ip ; } OR... application-block-page { from ; remote-port 1-65535; source-ip ; } OR... url-block-page { from ; remote-port 1-65535; source-ip ; } OR... file-block-page { from ; remote-port 1-65535; source-ip ; } OR... virus-block-page { from ; remote-port 1-65535; source-ip ; } OR... spyware-block-page { from ; remote-port 1-65535; source-ip ; } OR... sslvpn-custom-login-page { profile ; from ; remote-port 1-65535; source-ip ; } } } OR... ftp { export { log { traffic { unexported-only { equal yes|no; } passive-mode { equal yes|no; } start-time { equal ; } end-time { equal ;

240 •

Palo Alto Networks

} query ; max-log-count 0-65535; to ; remote-port 1-65535; } OR... threat { unexported-only { equal yes|no; } passive-mode { equal yes|no; } start-time { equal ; } end-time { equal ; } query ; max-log-count 0-65535; to ; remote-port 1-65535; } } } } OR... tftp { export { configuration { from ; to ; remote-port 1-65535; source-ip ; } OR... packet-log { from ; to ; remote-port 1-65535; source-ip ; } OR... filter { from ; to ; remote-port 1-65535; source-ip ; } OR... application { from ; to ; remote-port 1-65535; source-ip ; } OR...

Palo Alto Networks

• 241

ssl-decryption-certificate { to ; remote-port 1-65535; source-ip ; } OR... web-interface-certificate { to ; remote-port 1-65535; source-ip ; } OR... stats-dump { to ; remote-port 1-65535; source-ip ; } OR... tech-support { to ; remote-port 1-65535; source-ip ; } OR... core-file { control-plane { from ; to ; remote-port 1-65535; source-ip ; } OR... data-plane { from ; to ; remote-port 1-65535; source-ip ; } } OR... log-file { control-plane { to ; remote-port 1-65535; source-ip ; } OR... data-plane { to ; remote-port 1-65535; source-ip ; } } OR... ssl-optout-text { to ; remote-port 1-65535; source-ip ; }

242 •

Palo Alto Networks

OR... captive-portal-text { to ; remote-port 1-65535; source-ip ; } OR... url-coach-text { to ; remote-port 1-65535; source-ip ; } OR... file-block-page { to ; remote-port 1-65535; source-ip ; } OR... application-block-page { to ; remote-port 1-65535; source-ip ; } OR... url-block-page { to ; remote-port 1-65535; source-ip ; } OR... virus-block-page { to ; remote-port 1-65535; source-ip ; } OR... spyware-block-page { to ; remote-port 1-65535; source-ip ; } OR... debug-pcap { from ; to ; remote-port 1-65535; source-ip ; } } OR... import { configuration { from ; file ; remote-port 1-65535; source-ip ; } OR...

Palo Alto Networks

• 243

ssl-decryption-certificate { from ; file ; remote-port 1-65535; source-ip ; } OR... private-key { from ; file ; remote-port 1-65535; source-ip ; } OR... web-interface-certificate { from ; file ; remote-port 1-65535; source-ip ; } OR... trusted-ca-certificate { from ; file ; remote-port 1-65535; source-ip ; } OR... license { from ; file ; remote-port 1-65535; source-ip ; } OR... content { from ; file ; remote-port 1-65535; source-ip ; } OR... software { from ; file ; remote-port 1-65535; source-ip ; } OR... ssl-optout-text { from ; file ; remote-port 1-65535; source-ip ; } OR... captive-portal-text { from ; file ;

244 •

Palo Alto Networks

remote-port 1-65535; source-ip ; } OR... url-coach-text { from ; file ; remote-port 1-65535; source-ip ; } OR... file-block-page { from ; file ; remote-port 1-65535; source-ip ; } OR... application-block-page { from ; file ; remote-port 1-65535; source-ip ; } OR... url-block-page { from ; file ; remote-port 1-65535; source-ip ; } OR... virus-block-page { from ; file ; remote-port 1-65535; source-ip ; } OR... spyware-block-page { from ; file ; remote-port 1-65535; source-ip ; } OR... sslvpn-custom-login-page { profile ; from ; file ; remote-port 1-65535; source-ip ; } } } OR... load { config { last-saved;

Palo Alto Networks

• 245

OR... from ; OR... version ; OR... partial { from ; from-xpath ; to-xpath ; mode merge|replace; } } } OR... test { cp-policy-match { from ; to ; source ; destination ; } OR... dlp { pattern ; OR... ccn ; OR... ssn ; } OR... nat-policy-match { from ; to ; source ; destination ; protocol 1-255; source-port 1-65535; destination-port 1-65535; protocol 1-255; } OR... policy-based-forwarding-policy-match { from ; source ; destination ; destination-port 1-65535; source-user ; protocol 1-255; } OR... qos-policy-match { from ; to ; source ; destination ; destination-port 1-65535; source-user ; protocol 1-255; application ;

246 •

Palo Alto Networks

} OR... routing { fib-lookup { ip ; virtual-router ; } } OR... security-policy-match { from ; to ; source ; destination ; destination-port 1-65535; source-user ; protocol 1-255; show-all yes|no; application ; } OR... ssl-policy-match { from ; to ; source ; destination ; category ; } OR... vpn { ike-sa { gateway ; } OR... ipsec-sa { tunnel ; } } } OR... less { mp-log ; OR... dp-log ; OR... mp-backtrace ; OR... dp-backtrace ; OR... webserver-log ; OR... custom-page ; OR... global ; OR... content ; } OR... grep {

Palo Alto Networks

• 247

mp-log ; OR... dp-log ; after-context 1-65535; before-context 1-65535; context 1-65535; count yes|no; ignore-case yes|no; invert-match yes|no; line-number yes|no; max-count 1-65535; no-filename yes|no; pattern ; } OR... ping { bypass-routing yes|no; count 1-2000000000; do-not-fragment yes|no; host ; inet6 yes|no; interval 1-2000000000; no-resolve yes|no; pattern ; size 0-65468; source ; tos 1-255; ttl 1-255; verbose yes|no; } OR... ssh { host ; inet yes|no; port 0-65535; source ; v1 yes|no; v2 yes|no; } OR... tail { mp-log ; OR... dp-log ; OR... webserver-log ; follow yes|no; lines 1-65535; } OR... view-pcap { application-pcap ; OR... filter-pcap ; OR... threat-pcap ; OR... debug-pcap ; absolute-seq yes|no;

248 •

Palo Alto Networks

delta yes|no; follow yes|no; hex yes|no; hex-ascii yes|no; hex-ascii-link yes|no; hex-link yes|no; link-header yes|no; no-dns-lookup yes|no; no-port-lookup yes|no; no-qualification yes|no; no-timestamp yes|no; timestamp yes|no; undecoded-NFS yes|no; unformatted-timestamp yes|no; verbose yes|no; verbose+ yes|no; verbose++ yes|no; } OR... telnet { 8bit yes|no; host ; port 0-65535; } OR... traceroute { bypass-routing yes|no; debug-socket yes|no; do-not-fragment yes|no; first-ttl 1-255; gateway ; host ; ipv4 yes|no; ipv6 yes|no; max-ttl 1-255; no-resolve yes|no; pause 1-2000000000; port 1-65535; source ; tos 1-255; wait 1-99999; } OR... netstat { all yes|no; cache yes|no; continuous yes|no; extend yes|no; fib yes|no; groups yes|no; interfaces yes|no; listening yes|no; numeric yes|no; numeric-hosts yes|no; numeric-ports yes|no; numeric-users yes|no; programs yes|no; route yes|no; statistics yes|no;

Palo Alto Networks

• 249

symbolic yes|no; timers yes|no; verbose yes|no; } }

250 •

Palo Alto Networks

Panorama Hierarchy config { predefined; mgt-config { users { REPEAT... { phash ; remote-authentication radius; preferences { disable-dns yes|no; } permissions { role-based { superreader yes; OR... superuser yes; OR... panorama-admin yes; } } } } devices { REPEAT... { hostname ; ip ; } } } devices { REPEAT... { deviceconfig { system { hostname ; domain ; ip-address ; netmask ; default-gateway ; radius-server ; radius-secret ; dns-primary ; dns-secondary ; ntp-server-1 ; ntp-server-2 ; update-server ; secure-proxy-server ; secure-proxy-port 1-65535; service { disable-http yes|no; disable-https yes|no; disable-telnet yes|no; disable-ssh yes|no; disable-icmp yes|no; }

Palo Alto Networks

• 251

timezone W-SU|CST6CDT|Japan|Portugal|Hongkong|Mideast|Mideast/ Riyadh87|Mideast/Riyadh88|Mideast/Riyadh89|Eire|Poland|Factory|GBEire|America|America/Port_of_Spain|America/Indiana|America/Indiana/ Vevay|America/Indiana/Indianapolis|America/Indiana/Marengo|America/Indiana/ Knox|America/St_Johns|America/Grand_Turk|America/Tijuana|America/ Toronto|America/Araguaina|America/Virgin|America/El_Salvador|America/ Coral_Harbour|America/Jujuy|America/Mexico_City|America/Guyana|America/ Cayman|America/Ensenada|America/Fortaleza|America/Iqaluit|America/ Boa_Vista|America/Chihuahua|America/Nome|America/Cancun|America/ Cayenne|America/Recife|America/Panama|America/Caracas|America/ Costa_Rica|America/Cambridge_Bay|America/Martinique|America/ Yellowknife|America/Godthab|America/Sao_Paulo|America/Edmonton|America/ Fort_Wayne|America/Danmarkshavn|America/Barbados|America/Dawson|America/ Thunder_Bay|America/Tegucigalpa|America/Chicago|America/Guadeloupe|America/ Grenada|America/Anguilla|America/Kentucky|America/Kentucky/ Monticello|America/Kentucky/Louisville|America/Argentina|America/Argentina/ Jujuy|America/Argentina/Ushuaia|America/Argentina/Catamarca|America/ Argentina/San_Juan|America/Argentina/Mendoza|America/Argentina/ La_Rioja|America/Argentina/Buenos_Aires|America/Argentina/Tucuman|America/ Argentina/ComodRivadavia|America/Argentina/Cordoba|America/Argentina/ Rio_Gallegos|America/Mazatlan|America/Regina|America/Montevideo|America/ Catamarca|America/Los_Angeles|America/Campo_Grande|America/Aruba|America/ Manaus|America/Knox_IN|America/Rosario|America/St_Lucia|America/ Hermosillo|America/Denver|America/Detroit|America/Santiago|America/ Shiprock|America/Cuiaba|America/Dominica|America/Porto_Acre|America/ Curacao|America/Belize|America/Merida|America/Swift_Current|America/ Antigua|America/Adak|America/Indianapolis|America/Belem|America/ Miquelon|America/Louisville|America/Bogota|America/New_York|America/ Boise|America/Scoresbysund|America/Mendoza|America/Goose_Bay|America/ Yakutat|America/Eirunepe|America/Winnipeg|America/Buenos_Aires|America/ Menominee|America/Paramaribo|America/Thule|America/Montreal|America/ Jamaica|America/Monterrey|America/St_Thomas|America/Rio_Branco|America/ Lima|America/Juneau|America/La_Paz|America/Vancouver|America/ Rankin_Inlet|America/Puerto_Rico|America/St_Kitts|America/Halifax|America/ Guayaquil|America/Inuvik|America/Noronha|America/Nassau|America/Port-auPrince|America/Guatemala|America/Glace_Bay|America/Nipigon|America/ Cordoba|America/Bahia|America/Asuncion|America/Maceio|America/Atka|America/ North_Dakota|America/North_Dakota/Center|America/Managua|America/ Anchorage|America/Montserrat|America/Tortola|America/Dawson_Creek|America/ Santo_Domingo|America/Pangnirtung|America/Whitehorse|America/ St_Vincent|America/Porto_Velho|America/Havana|America/Phoenix|America/ Rainy_River|Indian|Indian/Christmas|Indian/Reunion|Indian/Comoro|Indian/ Cocos|Indian/Mauritius|Indian/Antananarivo|Indian/Mahe|Indian/ Mayotte|Indian/Kerguelen|Indian/Chagos|Indian/Maldives|GMT0|Canada|Canada/ Yukon|Canada/Saskatchewan|Canada/Central|Canada/Eastern|Canada/EastSaskatchewan|Canada/Atlantic|Canada/Pacific|Canada/Mountain|Canada/ Newfoundland|MET|ROK|US|US/Alaska|US/East-Indiana|US/Central|US/Eastern|US/ Samoa|US/Arizona|US/Pacific|US/Aleutian|US/Hawaii|US/Mountain|US/ Michigan|US/Indiana-Starke|MST|Mexico|Mexico/BajaSur|Mexico/General|Mexico/ BajaNorte|EST5EDT|Atlantic|Atlantic/Madeira|Atlantic/Cape_Verde|Atlantic/ St_Helena|Atlantic/Stanley|Atlantic/South_Georgia|Atlantic/ Jan_Mayen|Atlantic/Azores|Atlantic/Reykjavik|Atlantic/Canary|Atlantic/ Faeroe|Atlantic/Bermuda|HST|Antarctica|Antarctica/McMurdo|Antarctica/ Davis|Antarctica/South_Pole|Antarctica/Vostok|Antarctica/Rothera|Antarctica/ Mawson|Antarctica/DumontDUrville|Antarctica/Palmer|Antarctica/ Casey|Antarctica/Syowa|UTC|Iceland|Pacific|Pacific/Honolulu|Pacific/ Truk|Pacific/Niue|Pacific/Wake|Pacific/Apia|Pacific/Majuro|Pacific/ Norfolk|Pacific/Efate|Pacific/Enderbury|Pacific/Palau|Pacific/ Saipan|Pacific/Nauru|Pacific/Kiritimati|Pacific/Tahiti|Pacific/Guam|Pacific/

252 •

Palo Alto Networks

Tongatapu|Pacific/Fiji|Pacific/Rarotonga|Pacific/Samoa|Pacific/ Fakaofo|Pacific/Guadalcanal|Pacific/Port_Moresby|Pacific/Midway|Pacific/ Galapagos|Pacific/Yap|Pacific/Johnston|Pacific/Marquesas|Pacific/ Noumea|Pacific/Auckland|Pacific/Gambier|Pacific/Kwajalein|Pacific/ Kosrae|Pacific/Wallis|Pacific/Easter|Pacific/Chatham|Pacific/ Funafuti|Pacific/Pago_Pago|Pacific/Tarawa|Pacific/Pitcairn|Pacific/ Ponape|EET|EST|Greenwich|GMT|Cuba|Brazil|Brazil/Acre|Brazil/East|Brazil/ DeNoronha|Brazil/West|Turkey|Arctic|Arctic/Longyearbyen|NZCHAT|Zulu|Israel|Jamaica|Etc|Etc/GMT-14|Etc/GMT+6|Etc/GMT-10|Etc/GMT-2|Etc/ GMT-8|Etc/GMT+4|Etc/GMT0|Etc/GMT-12|Etc/GMT+11|Etc/GMT-11|Etc/GMT+12|Etc/ UTC|Etc/GMT-3|Etc/Greenwich|Etc/GMT-9|Etc/GMT|Etc/GMT+2|Etc/Zulu|Etc/GMT4|Etc/GMT+7|Etc/GMT+1|Etc/GMT+8|Etc/GMT-7|Etc/GMT-6|Etc/GMT+10|Etc/GMT5|Etc/GMT+0|Etc/GMT-1|Etc/GMT+3|Etc/GMT+5|Etc/GMT-13|Etc/UCT|Etc/ Universal|Etc/GMT+9|Etc/GMT-0|NZ|Europe|Europe/Vienna|Europe/Athens|Europe/ Tiraspol|Europe/Lisbon|Europe/Rome|Europe/Bratislava|Europe/Andorra|Europe/ Sofia|Europe/Kaliningrad|Europe/Zurich|Europe/Belfast|Europe/Oslo|Europe/ Samara|Europe/Malta|Europe/Chisinau|Europe/Moscow|Europe/Paris|Europe/ Minsk|Europe/Zaporozhye|Europe/Amsterdam|Europe/Tallinn|Europe/ Uzhgorod|Europe/Brussels|Europe/Vatican|Europe/Vaduz|Europe/ San_Marino|Europe/Nicosia|Europe/Berlin|Europe/Vilnius|Europe/Monaco|Europe/ Istanbul|Europe/Belgrade|Europe/Stockholm|Europe/Riga|Europe/Madrid|Europe/ Gibraltar|Europe/Copenhagen|Europe/Skopje|Europe/Budapest|Europe/ Dublin|Europe/Bucharest|Europe/Helsinki|Europe/Prague|Europe/ Sarajevo|Europe/London|Europe/Tirane|Europe/Zagreb|Europe/Kiev|Europe/ Warsaw|Europe/Ljubljana|Europe/Simferopol|Europe/Mariehamn|Europe/ Luxembourg|Singapore|ROC|Kwajalein|Egypt|PST8PDT|GMT+0|Asia|Asia/ Kuwait|Asia/Kamchatka|Asia/Thimphu|Asia/Macau|Asia/Gaza|Asia/Thimbu|Asia/ Pyongyang|Asia/Vladivostok|Asia/Katmandu|Asia/Sakhalin|Asia/Muscat|Asia/ Ashkhabad|Asia/Ulan_Bator|Asia/Riyadh|Asia/Riyadh87|Asia/Calcutta|Asia/ Yerevan|Asia/Shanghai|Asia/Baghdad|Asia/Makassar|Asia/Oral|Asia/ Hong_Kong|Asia/Jayapura|Asia/Omsk|Asia/Almaty|Asia/Saigon|Asia/Magadan|Asia/ Chungking|Asia/Hovd|Asia/Brunei|Asia/Novosibirsk|Asia/Dacca|Asia/Qatar|Asia/ Ulaanbaatar|Asia/Krasnoyarsk|Asia/Kuching|Asia/Qyzylorda|Asia/Karachi|Asia/ Anadyr|Asia/Yakutsk|Asia/Seoul|Asia/Choibalsan|Asia/Macao|Asia/ Samarkand|Asia/Yekaterinburg|Asia/Aqtobe|Asia/Riyadh88|Asia/Nicosia|Asia/ Pontianak|Asia/Urumqi|Asia/Irkutsk|Asia/Taipei|Asia/Harbin|Asia/ Istanbul|Asia/Colombo|Asia/Tel_Aviv|Asia/Jakarta|Asia/Amman|Asia/ Bahrain|Asia/Tokyo|Asia/Chongqing|Asia/Ashgabat|Asia/Singapore|Asia/ Aqtau|Asia/Baku|Asia/Bishkek|Asia/Dili|Asia/Tbilisi|Asia/Beirut|Asia/ Riyadh89|Asia/Damascus|Asia/Aden|Asia/Dubai|Asia/Manila|Asia/Vientiane|Asia/ Tehran|Asia/Kashgar|Asia/Dushanbe|Asia/Kabul|Asia/Bangkok|Asia/Rangoon|Asia/ Jerusalem|Asia/Dhaka|Asia/Kuala_Lumpur|Asia/Tashkent|Asia/Phnom_Penh|Asia/ Ujung_Pandang|CET|PRC|Africa|Africa/Kinshasa|Africa/Ndjamena|Africa/ Mbabane|Africa/Lagos|Africa/El_Aaiun|Africa/Douala|Africa/Kampala|Africa/ Mogadishu|Africa/Tripoli|Africa/Conakry|Africa/Niamey|Africa/Asmera|Africa/ Khartoum|Africa/Lubumbashi|Africa/Kigali|Africa/Johannesburg|Africa/ Blantyre|Africa/Malabo|Africa/Gaborone|Africa/Lome|Africa/Algiers|Africa/ Addis_Ababa|Africa/Brazzaville|Africa/Dakar|Africa/Nairobi|Africa/ Cairo|Africa/Banjul|Africa/Bamako|Africa/Bissau|Africa/Libreville|Africa/ Sao_Tome|Africa/Casablanca|Africa/Timbuktu|Africa/Nouakchott|Africa/ Freetown|Africa/Monrovia|Africa/Ceuta|Africa/Dar_es_Salaam|Africa/ Lusaka|Africa/Abidjan|Africa/Bujumbura|Africa/Maseru|Africa/Bangui|Africa/ Windhoek|Africa/Accra|Africa/Djibouti|Africa/Ouagadougou|Africa/PortoNovo|Africa/Tunis|Africa/Maputo|Africa/Harare|Africa/ Luanda|UCT|GB|Universal|Australia|Australia/Hobart|Australia/ Lord_Howe|Australia/Perth|Australia/South|Australia/Yancowinna|Australia/ Currie|Australia/Tasmania|Australia/Queensland|Australia/NSW|Australia/ Lindeman|Australia/Melbourne|Australia/Adelaide|Australia/ Victoria|Australia/Canberra|Australia/West|Australia/Brisbane|Australia/

Palo Alto Networks

• 253

Broken_Hill|Australia/Darwin|Australia/ACT|Australia/North|Australia/ Sydney|Australia/LHI|Iran|WET|Libya|MST7MDT|Chile|Chile/EasterIsland|Chile/ Continental|GMT-0|Navajo; } } } } }

254 •

Palo Alto Networks


Appendix B PAN-OS CLI KEYBOARD SHORTCUTS This appendix lists the supported keyboard shortcuts and Editor Macros (EMACS) commands supported in the PAN-OS CLI. Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the Esc key.

Table 6 lists the keyboard shortcuts.

Table 6. Keyboard Shortcuts Item

Description

Commands for Moving beginning-of-line (C-a)

Move to the start of the current line.

end-of-line (C-e)

Move to the end of the line.

forward-char (C-f)

Move forward a character.

backward-char (C-b)

Move back a character.

forward-word (M-f)

Move forward to the end of the next word. Words consist of alphanumeric characters (letters and digits).

backward-word (M-b)

Move back to the start of this, or the previous, word. Words consist of alphanumeric characters (letters and digits).

clear-screen (C-l)

Clear the screen and place the current line at the top of the screen. If an argument is included, refresh the current line without clearing the screen.

Commands for Manipulating Command History accept-line (Newline, Return)

Accept the line regardless of where the cursor is. If the line is nonempty, add it to the history list. If the line is a modified history line, then restore the history line to its original state.

previous-history (C-p)

Fetch the previous command from the history list, moving back in the list.

next-history (C-n)

Fetch the next command from the history list, moving forward in the list.

beginning-of-history (M-<)

Move to the first line in the history.

Palo Alto Networks

• 255

Table 6. Keyboard Shortcuts (Continued) Item

Description

end-of-history (M->)

Move to the end of the input history (the line currently being entered).

reverse-search-history (C-r)

Search backward starting at the current line and moving up through the history as necessary. This is an incremental search.

forward-search-history (C-s)

Search forward starting at the current line and moving down through the history as necessary. This is an incremental search.

non-incremental-reversesearch-history (M-p)

Search backward through the history starting at the current line using a non-incremental search for a string supplied by the user.

non-incremental-forwardsearch-history (M-n)

Search forward through the history using a non-incremental search for a string supplied by the user.

Commands for Changing Text delete-char (C-d) backward-delete-char (backspace)

Delete the character under the cursor. If point is at the beginning of the line, there are no characters in the line, and the last character typed was not C-d, then return EOF. Delete the character behind the cursor.

transpose-chars (C-t)

Drag the character before point forward over the character at point. Point moves forward as well. If point is at the end of the line, then transpose the two characters before point.

transpose-words (M-t)

Drag the word behind the cursor past the word in front of the cursor moving the cursor over that word as well.

upcase-word (M-u)

Make the current (or following) word uppercase. With a negative argument, do the previous word, but do not move point.

downcase-word (M-l)

Make the current (or following) word lowercase. With a negative argument, change the previous word, but do not move point.

capitalize-word (M-c)

Capitalize the current (or following) word. With a negative argument, do the previous word, but do not move point.

Deleting and Yanking Text kill-line (C-k)

256 •

Delete the text from the current cursor position to the end of the line.

backward-kill-line (Cx backspace)

Delete backward to the beginning of the line.

unix-line-discard (Cu)

Delete backward from point to the beginning of the line

kill-word (M-d)

Delete from the cursor to the end of the current word, or if between words, to the end of the next word. Word boundaries are the same as those used by forward-word.

backward-kill-word (Mbackspace)

Delete the word behind the cursor. Word boundaries are the same as those used by backward-word.

unix-word-backspace (C-w)

Delete the word behind the cursor, using white space as a word boundary. The word boundaries are different from backward-killword.

yank (C-y)

Place the top of the deleted section into the buffer at the cursor.

Palo Alto Networks

Table 6. Keyboard Shortcuts (Continued) Item

Description

yank-pop (M-y)

Rotate the kill-ring, and yank the new top. Only works following yank or yank-pop.

Completing Commands complete (TAB)

Attempt to perform completion on the text before point.

possible-completions (?)

List the possible completions of the text before point.

Performing Miscellaneous Functions undo (C-_, C-x C-u)

Perform an incremental undo, separately remembered for each line.

revert-line (M-r)

Undo all changes made to this line. This is like typing the undo command enough times to return the line to its initial state.

Table 7 lists the EMACS commands.

Table 7. EMACS Commands Command

Description

Emacs Standard bindings C-A

beginning-of-line

C-B

backward-char

C-D

delete-char

C-E

end-of-line

C-F

forward-char

C-G

abort

C-H

backward-delete-char

C-I

complete

C-J

accept-line

C-K

kill-line

C-L

clear-screen

C-M

accept-line

C-N

next-history

C-P

previous-history

C-R

reverse-search-history

C-S

forward-search-history

C-T

transpose-chars

C-U

unix-line-discard

C-W

unix-word-backspace

C-Y

yank

C-_

undo

Palo Alto Networks

• 257

Table 7. EMACS Commands (Continued) Command

Description

Emacs Meta bindings

258 •

M-C-H

backward-kill-word

M-C-R

revert-line

M-<

beginning-of-history

M->

end-of-history

?

possible-completions

M-B

backward-word

M-C

capitalize-word

M-D

kill-word

M-F

forward-word

M-L

downcase-word

M-N

non-incremental-forward-search-history

M-P

non-incremental-reverse-search-history

M-R

revert-line

M-T

transpose-words

M-U

upcase-word

M-Y

yank-pop

Palo Alto Networks


Index Symbols # prompt 13 + option symbol 17 > option symbol 17 > prompt 13 ? symbol 15

A accessing the CLI 12

B banner 13, 25 bootloader recovery 187 bootup 184

C changing modes 14 check command 30 clear command 51 CLI accessing 12 configuration mode 11 EMACS commands 257 keyboard shortcuts 255 operational model 11 prompt 13 structure 11 commands 27 conventions 13 display 27 messages 14 monitoring and troubleshooting 27 navigation 27 network access 27 option symbols 17 options 15 understanding 13 commit command 21, 31 configuration hierarchy 23 hierarchy paths 24

259 • Index

configuration mode hierarchy 23 prompt 13 understanding 21 configure command 53 control key 16 conventions, typographical 8 copy command 32 critical errors, switching to maintenance mode 185

D debug captive-portal command 54 debug cli command 55 debug cpld command 56 debug dataplane command 57 debug device-server command 59 debug dhcpd command 60 debug high-availability-agent command 61 debug ike command 62 debug keymgr command 63 debug log-receiver command 64 debug management-server command 65 debug master-service command 66 debug rasmgr command 67 debug routing command 68 debug software command 69 debug swm command 70 debug tac-login command 71 debug vardata-receiver command 72 delete command 33, 54 diagnostics 187 disk image 187

E edit banner 25 edit command banner 13 using 26, 34 errors, switching to maintenance mode 185 esc key 16 Ethernet interfaces 19 ethernet1/n 19 exit command 35, 75

Palo Alto Networks

F

P

factory reset 187 file system check (FSCK) 187

password, maintenance mode 187 ping command 79 privilege levels 18

G getting started 12 grep command 76

Q quit command 38, 81

H

R

hierarchy complete 189 configuration 23 navigating 25 new elements 24 paths 24 hostname 13

less command 77

rename command 39 request certificate command 82 request content upgrade command 85 request data-filtering command 86 request device-registration command 87 request high-availability command 88 request license command 89 request password-hash command 90 request restart command 91 request ssl-output-text command 92 request ssl-vpn command 93 request support command 94, 96 request system command 95 request url-filtering command 97 request vpn-client command 98 rollback 187 run command 40

M

S

I interfaces 19

K keyboard shortcuts 16, 255

L

maintenance mode about 183 diagnostics 187 entering automatically 185 entering upon bootup 184 password 187 serial console message 185 SSH message 186 web interface message 185 meta key 16 modes changing 14, 15 configuration 21 operational 27 move command 37

N navigating hierarchy 25 netstat command 78

O operational mode command types 27 prompt 13 using 27

260 • Index

save command 21, 41 scp command 99 serial console maintenance mode 183 message 185 set application dump command 101 set cli command 102, 104, 105 set clock command 103 set command 42 set logging command 106 set management-server command 107 set multi-vsys command 108 set panorama command 109 set password command 110 set proxy command 111 set serial-number command 112 set session command 113 set ssl-vpn command 116 set target-vsys command 115, 117 set ts-agent command 118 set url-database command 119 set zip command 120 shortcuts 16 show admins command 121 show arp command 122 show authentication command 123 show cli command 124, 125 show clock command 126 show command 23, 43

Palo Alto Networks

show config command 127 show counter command 128 show ctd command 129 show device command 130 show devicegroups command 132 show device-messages command 131 show dhcp command 133 show high-availability command 134 show interface command 135 show jobs command 136 show local-user-db command 137 show location command 138, 141 show log command 139 show mac command 142 show management-clients command 143 show multi-vsys command 144 show pan-agent command 145 show pan-ntlm-agent command 146 show proxy command 147 show query command 148 show report command 149 show routing command 150 show session command 154 show shared-policy command 156 show ssl-vpn command 157 show statistics command 158 show system command 160 show target-vsys command 162 show threat command 163 show ts-agent command 164 show updates command 165 show virtual-wire command 166 show vlan command 167 show vpn command 168, 170 show zone-protection command 171 ssh command 172 syntax checking 14 system 27 system information 187

T tail command 173 telnet command 174 test command 175 tftp command 84, 176 top command 25, 26, 44 traceroute command 178 typographical conventions 8

U up command 25, 26, 45 user name 13 user privileges 18

V view-pccap command 180

Palo Alto Networks

Index • 261

262 • Index

Palo Alto Networks

PAN-OS 5.0 CLI Reference Guide

Recommend Documents