PAN-OS™ Command Line Interface Reference Guide Release 3.0
5/30/09 Final Review Draft- Palo Alto Networks COMPANY CONFIDENTIAL
Palo Alto Networks, Inc. www.paloaltonetworks.com © 2009 Palo Alto Networks. All rights reserved. Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners Part number: 810-000043-00A
May 30, 2009 - Palo Alto Networks COMPANY CONFIDENTIAL
Table of Contents

Preface ........................................................ 7
  About This Guide ............................................. 7
  Organization ................................................. 7
  Typographical Conventions .................................... 8
  Notes, Cautions, and Warnings ................................ 9
  Related Documentation ........................................ 9
  Obtaining More Information ................................... 9
  Technical Support ............................................ 9

Chapter 1  Introduction ....................................... 11
  Understanding the PAN-OS CLI Structure ...................... 11
  Getting Started ............................................. 12
    Before You Begin .......................................... 12
    Accessing the PAN-OS CLI .................................. 12
  Understanding the PAN-OS CLI Commands ....................... 13
    Understanding the PAN-OS CLI Command Conventions .......... 13
    Understanding Command Messages ............................ 14
    Using Operational and Configuration Modes ................. 15
    Displaying the PAN-OS CLI Command Options ................. 15
    Using Keyboard Shortcuts .................................. 16
    Understanding Command Option Symbols ...................... 17
    Restricting Command Output ................................ 18
    Understanding Privilege Levels ............................ 18
    Referring to Firewall Interfaces .......................... 19

Chapter 2  Understanding CLI Command Modes .................... 21
  Understanding Configuration Mode ............................ 21
    Using Configuration Mode Commands ......................... 21
    Understanding the Configuration Hierarchy ................. 23
    Navigating Through the Hierarchy .......................... 25
  Understanding Operational Mode .............................. 27

Chapter 3  Configuration Mode Commands ........................ 29
  check ....................................................... 30
  commit ...................................................... 31
  copy ........................................................ 32
  delete ...................................................... 33
  edit ........................................................ 34
  exit ........................................................ 35
  load ........................................................ 36
  move ........................................................ 37
  quit ........................................................ 38
  rename ...................................................... 39
  run ......................................................... 40
  save ........................................................ 41
  set ......................................................... 42
  show ........................................................ 43
  top ......................................................... 44
  up .......................................................... 45

Chapter 4  Operational Mode Commands .......................... 47
  clear ....................................................... 51
  configure ................................................... 53
  debug captive-portal ........................................ 54
  debug cli ................................................... 55
  debug cpld .................................................. 56
  debug dataplane ............................................. 57
  debug device-server ......................................... 59
  debug dhcpd ................................................. 60
  debug high-availability-agent ............................... 61
  debug ike ................................................... 62
  debug keymgr ................................................ 63
  debug log-receiver .......................................... 64
  debug management-server ..................................... 65
  debug master-service ........................................ 66
  debug rasmgr ................................................ 67
  debug routing ............................................... 68
  debug software .............................................. 69
  debug swm ................................................... 70
  debug tac-login ............................................. 71
  debug vardata-receiver ...................................... 72
  delete ...................................................... 73
  exit ........................................................ 75
  grep ........................................................ 76
  less ........................................................ 77
  netstat ..................................................... 78
  ping ........................................................ 79
  quit ........................................................ 81
  request certificate ......................................... 82
  request comfort-page ........................................ 84
  request content ............................................. 85
  request data-filtering ...................................... 86
  request device-registration ................................. 87
  request high-availability ................................... 88
  request license ............................................. 89
  request password-hash ....................................... 90
  request restart ............................................. 91
  request ssl-output-text ..................................... 92
  request ssl-vpn ............................................. 93
  request support ............................................. 94
  request system .............................................. 95
  request tech-support ........................................ 96
  request url-filtering ....................................... 97
  request vpn-client .......................................... 98
  scp ......................................................... 99
  set application ............................................ 101
  set cli .................................................... 102
  set clock .................................................. 103
  set ctd .................................................... 104
  set data-access-password ................................... 105
  set logging ................................................ 106
  set management-server ...................................... 107
  set multi-vsys ............................................. 108
  set panorama ............................................... 109
  set password ............................................... 110
  set proxy .................................................. 111
  set serial-number .......................................... 112
  set session ................................................ 113
  set shared-policy .......................................... 115
  set ssl-vpn ................................................ 116
  set target-vsys ............................................ 117
  set ts-agent ............................................... 118
  set url-database ........................................... 119
  set zip .................................................... 120
  show admins ................................................ 121
  show arp ................................................... 122
  show authentication ........................................ 123
  show chassis-ready ......................................... 124
  show cli ................................................... 125
  show clock ................................................. 126
  show config ................................................ 127
  show counter ............................................... 128
  show ctd ................................................... 129
  show device ................................................ 130
  show device-messages ....................................... 131
  show devicegroups .......................................... 132
  show dhcp .................................................. 133
  show high-availability ..................................... 134
  show interface ............................................. 135
  show jobs .................................................. 136
  show local-user-db ......................................... 137
  show location .............................................. 138
  show log ................................................... 139
  show logging ............................................... 141
  show mac ................................................... 142
  show management-clients .................................... 143
  show multi-vsys ............................................ 144
  show pan-agent ............................................. 145
  show pan-ntlm-agent ........................................ 146
  show proxy ................................................. 147
  show query ................................................. 148
  show report ................................................ 149
  show routing ............................................... 150
  show session ............................................... 154
  show shared-policy ......................................... 156
  show ssl-vpn ............................................... 157
  show statistics ............................................ 158
  show system ................................................ 160
  show target-vsys ........................................... 162
  show threat ................................................ 163
  show ts-agent .............................................. 164
  show url-database .......................................... 165
  show virtual-wire .......................................... 166
  show vlan .................................................. 167
  show vpn ................................................... 168
  show zip ................................................... 170
  show zone-protection ....................................... 171
  ssh ........................................................ 172
  tail ....................................................... 173
  telnet ..................................................... 174
  test ....................................................... 175
  tftp ....................................................... 176
  traceroute ................................................. 178
  view-pcap .................................................. 180

Chapter 5  Maintenance Mode .................................. 183
  Entering Maintenance Mode .................................. 183
    Entering Maintenance Mode Upon Bootup .................... 184
    Entering Maintenance Mode Automatically .................. 185
  Using Maintenance Mode ..................................... 186

Appendix A  Configuration Hierarchy .......................... 189
  Firewall Hierarchy ......................................... 189
  Panorama Hierarchy ......................................... 251

Appendix B  PAN-OS CLI Keyboard Shortcuts .................... 255

Index ........................................................ 259
Preface

This preface contains the following sections:
• “About This Guide” in the next section
• “Organization” on page 7
• “Typographical Conventions” on page 8
• “Related Documentation” on page 9
• “Obtaining More Information” on page 9
• “Technical Support” on page 9

About This Guide

This guide provides an overview of the PAN-OS™ command line interface (CLI), describes how to access and use the CLI, and provides command reference pages for each of the CLI commands. This guide is intended for system administrators responsible for deploying, operating, and maintaining the firewall and who require reference information about the PAN-OS CLI commands that they want to execute on a per-device basis. For an explanation of features and concepts, refer to the Palo Alto Networks Administrator’s Guide.

Organization

This guide is organized as follows:
• Chapter 1, “Introduction”—Introduces and describes how to use the PAN-OS CLI.
• Chapter 2, “Understanding CLI Command Modes”—Describes the modes used to interact with the PAN-OS CLI.
• Chapter 3, “Configuration Mode Commands”—Contains command reference pages for Configuration mode commands.
• Chapter 4, “Operational Mode Commands”—Contains command reference pages for Operational mode commands.
• Chapter 5, “Maintenance Mode”—Describes how to enter Maintenance mode and use the Maintenance mode options.
• Appendix A, “Configuration Hierarchy”—Contains command reference pages for Operational mode commands.
• Appendix B, “PAN-OS CLI Keyboard Shortcuts”—Describes the keyboard shortcuts supported in the PAN-OS CLI.
Typographical Conventions

This guide uses the following typographical conventions for special terms and instructions.

Convention: boldface
Meaning: Names of commands, keywords, and selectable items in the web interface
Example: Use the configure command to enter Configuration mode.

Convention: italics
Meaning: Names of variables, files, configuration elements, directories, or Uniform Resource Locators (URLs)
Example: The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com.
         element2 is a required variable for the move command.
         > delete core file filename

Convention: courier font
Meaning: Command syntax, code examples, and screen output
Example: The show arp all command yields this output:
    username@hostname> show arp all
    maximum of entries supported: 8192
    default timeout: 1800 seconds
    total ARP entries in table: 0
    total ARP entries shown: 0
    status: s - static, c - complete, i - incomplete

Convention: courier bold font
Meaning: Text that you enter at the command prompt
Example: Enter the following command to exit from the current PAN-OS CLI level:
    # exit

Convention: [ ] (text enclosed in square brackets)
Meaning: Optional parameters.
Example: In the following command, 8bit and port are optional parameters.
    > telnet [8bit] [port] host

Convention: < > (text enclosed in angle brackets)
Meaning: Special keys or choice of required options.
Example: <Tab> indicates that the Tab key is pressed.

Convention: | (pipe symbol)
Meaning: Choice of values, indicated by a pipe symbol-separated list.
Example: The request support command includes options to get support information from the update server or show downloaded support information:
    > request support [check | info]
Notes, Cautions, and Warnings

This guide uses the following symbols for notes, cautions, and warnings.

Symbol     Description
NOTE       Indicates helpful suggestions or supplementary information.
CAUTION    Indicates information about which the reader should be careful to avoid data loss or equipment failure.
WARNING    Indicates potential danger that could involve bodily injury.
Related Documentation

The following additional documentation is provided with the firewall:
• Quick Start
• Hardware Reference Guide
• Palo Alto Networks Administrator’s Guide

Obtaining More Information

To obtain more information about the firewall, refer to:
• Palo Alto Networks website—Go to http://www.paloaltonetworks.com.
• Online help—Click Help in the upper right corner of the GUI to access the online help system.
Technical Support

For technical support, use the following methods:
• Go to http://support.paloaltonetworks.com.
• Call 1-866-898-9087 (U.S., Canada, and Mexico).
• Email us at: [email protected].
Chapter 1  Introduction

This chapter introduces and describes how to use the PAN-OS command line interface (CLI):
• “Understanding the PAN-OS CLI Structure” in the next section
• “Getting Started” on page 12
• “Understanding the PAN-OS CLI Commands” on page 13

Understanding the PAN-OS CLI Structure

The PAN-OS CLI allows you to access the firewall, view status and configuration information, and modify the configuration. Access to the PAN-OS CLI is provided through SSH, Telnet, or direct console access. The PAN-OS CLI operates in two modes:
• Operational mode—View the state of the system, navigate the PAN-OS CLI, and enter configuration mode.
• Configuration mode—View and modify the configuration hierarchy.

Chapter 3 describes each mode in detail.
Getting Started

This section describes how to access and begin using the PAN-OS CLI:
• “Before You Begin” in the next section
• “Accessing the PAN-OS CLI” on page 12
Before You Begin

Verify that the firewall is installed and that an SSH, Telnet, or direct console connection is established.

Note: Refer to the Hardware Reference Guide for hardware installation information and to the Quick Start for information on initial device configuration.

Use the following settings for a direct console connection:
• Data rate: 9600
• Data bits: 8
• Parity: none
• Stop bits: 1
• Flow control: None
Accessing the PAN-OS CLI

To access the PAN-OS CLI:
1. Open the console connection.
2. Enter the administrative user name. The default is admin.
3. Enter the administrative password. The default is admin.
4. The PAN-OS CLI opens in Operational mode, and the CLI prompt is displayed:
    username@hostname>
Understanding the PAN-OS CLI Commands

This section describes how to use the PAN-OS CLI commands and display command options:
• “Understanding the PAN-OS CLI Command Conventions” in the next section
• “Understanding Command Messages” on page 14
• “Using Operational and Configuration Modes” on page 15
• “Displaying the PAN-OS CLI Command Options” on page 15
• “Using Keyboard Shortcuts” on page 16
• “Understanding Command Option Symbols” on page 17
• “Understanding Privilege Levels” on page 18
• “Referring to Firewall Interfaces” on page 19

Understanding the PAN-OS CLI Command Conventions

The basic command prompt incorporates the user name and model of the firewall:
    username@hostname>

Example:
    username@hostname>

When you enter Configuration mode, the prompt changes from > to #:
    username@hostname>                 (Operational mode)
    username@hostname> configure
    Entering configuration mode
    [edit]
    username@hostname#                 (Configuration mode)

In Configuration mode, the current hierarchy context is shown by the [edit...] banner presented in square brackets when a command is issued. Refer to “Using the Edit Command” on page 26 for additional information on the edit command.
Understanding Command Messages

Messages may be displayed when you issue a command. The messages provide context information and can help in correcting invalid commands. In the following examples, the message is shown in bold.

Example: Unknown command
    username@hostname# application-group
    Unknown command: application-group
    [edit network]
    username@hostname#

Example: Changing modes
    username@hostname# exit
    Exiting configuration mode
    username@hostname>

Example: Invalid syntax
    username@hostname> debug 17
    Unrecognized command
    Invalid syntax.
    username@hostname>

Each time you enter a command the syntax is checked. If the syntax is correct, the command is executed, and the candidate hierarchy changes are recorded. If the syntax is incorrect, an invalid syntax message is presented, as in the following example:
    username@hostname# set zone application 1.1.2.2
    Unrecognized command
    Invalid syntax.
    [edit]
    username@hostname#
Using Operational and Configuration Modes

When you log in, the PAN-OS CLI opens in Operational mode. You can move between Operational and Configuration modes at any time.

• To enter Configuration mode from Operational mode, use the configure command:
    username@hostname> configure
    Entering configuration mode
    [edit]
    username@hostname#

• To leave Configuration mode and return to Operational mode, use the quit or exit command:
    username@hostname# quit
    Exiting configuration mode
    username@hostname>

• To enter an Operational mode command while in Configuration mode, use the run command, as described in “run” on page 40.
Displaying the PAN-OS CLI Command Options

Use ? (or Meta-H) to display a list of command options, based on context:

• To display a list of operational commands, enter ? at the command prompt.
    username@hostname> ?
      clear       Clear runtime parameters
      configure   Manipulate software configuration information
      debug       Debug and diagnose
      exit        Exit this session
      grep        Searches file for lines containing a pattern match
      less        Examine debug file content
      ping        Ping hosts and networks
      quit        Exit this session
      request     Make system-level requests
      scp         Use ssh to copy file to another host
      set         Set operational parameters
      show        Show operational parameters
      ssh         Start a secure shell to another host
      tail        Print the last 10 lines of debug file content
      telnet      Start a telnet session to another host
    username@hostname>
• To display the available options for a specified command, enter the command followed by ?.
  Example:
    admin@localhost> ping ?
    + bypass-routing     Bypass routing table, use specified interface
    + count              Number of requests to send (1..2000000000 packets)
    + do-not-fragment    Don't fragment echo request packets (IPv4)
    + inet               Force to IPv4 destination
    + interface          Source interface (multicast, all-ones, unrouted packets)
    + interval           Delay between requests (seconds)
    + no-resolve         Don't attempt to print addresses symbolically
    + pattern            Hexadecimal fill pattern
    + record-route       Record and report packet's path (IPv4)
    + size               Size of request packets (0..65468 bytes)
    + source             Source address of echo request
    + tos                IP type-of-service value (0..255)
    + ttl                IP time-to-live value (IPv6 hop-limit value) (0..255 hops)
    + verbose            Display detailed output
    + wait               Delay after sending last packet (seconds)
                         Hostname or IP address of remote host
    username@hostname> ping
Using Keyboard Shortcuts The PAN-OS CLI supports a variety of keyboard shortcuts. For a complete list, refer to Appendix B, “PAN-OS CLI Keyboard Shortcuts”. Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the Esc key.
Understanding Command Option Symbols The symbol preceding an option can provide additional information about command syntax, as described in Table 1.
Table 1. Option Symbols
Symbol   Description
*        This option is required.
>        There are additional nested options for this command.
+        There are additional command options for this command at this level.
The following example shows how these symbols are used. Example: In the following command, the keyword from is required:
  username@hostname> scp import configuration ?
  + remote-port   SSH port number on remote host
  * from          Source (username@host:path)
  username@hostname> scp import configuration
Example: This command output shows options designated with + and >.
  username@hostname# set rulebase security rules rule1 ?
  + action
  + application
  + description
  + destination
  + disabled
  + from
  + log-end
  + log-setting
  + log-start
  + negate-destination
  + negate-source
  + schedule
  + service
  + source
  + to
  > profiles
    Finish input
  [edit]
  username@hostname# set rulebase security rules rule1
Each option listed with + can be added to the command. The profiles keyword (with >) has additional options:
  username@hostname# set rulebase security rules rule1 profiles ?
  + virus           Help string for virus
  + spyware         Help string for spyware
  + vulnerability   Help string for vulnerability
  + group           Help string for group
    Finish input
  [edit]
  username@hostname# set rulebase security rules rule1 profiles
Restricting Command Output Some operational commands include an option to restrict the displayed output. To restrict the output, enter a pipe symbol followed by except or match and the value that is to be excluded or included:
Example: The following sample output is for the show system info command:
  username@hostname> show system info
  hostname: PA-HDF
  ip-address: 10.1.7.10
  netmask: 255.255.0.0
  default-gateway: 10.1.0.1
  mac-address: 00:15:E9:2E:34:33
  time: Fri Aug 17 13:51:49 2007
  uptime: 0 days, 23:19:23
  devicename: PA-HDF
  family: i386
  model: pa-4050
  serial: unknown
  sw-version: 1.5.0.0-519
  app-version: 25-150
  threat-version: 0
  url-filtering-version: 0
  logdb-version: 1.0.8
  username@hostname>
The following sample displays only the system model information:
  username@hostname> show system info | match model
  model: pa-4050
  username@hostname>
Understanding Privilege Levels Privilege levels determine which commands the user is permitted to execute and the information the user is permitted to view. Table 2 describes the PAN-OS CLI privilege levels.
Table 2. Privilege Levels
Level         Description
superuser     Has full access to the firewall and can define new administrator accounts and virtual systems.
superreader   Has complete read-only access to the firewall.
vsysadmin     Has full access to a selected virtual system on the firewall.
vsysreader    Has read-only access to a selected virtual system on the firewall.
Referring to Firewall Interfaces The Ethernet interfaces are numbered from left to right and top to bottom on the firewall, as shown in Figure 1.
[Figure 1. Firewall Ethernet Interfaces: two rows of ports, with the odd-numbered ports 1 to 15 (ethernet1/1 to ethernet1/15) in the top row and the even-numbered ports 2 to 16 (ethernet1/2 to ethernet1/16) in the bottom row]
Use these names when referring to the Ethernet interfaces within the PAN-OS CLI commands, as in the following example:
  username@hostname# set network interface ethernet ethernet1/4 virtual-wire
Chapter 2
Understanding CLI Command Modes This chapter describes the modes used to interact with the PAN-OS CLI:
• “Understanding Configuration Mode” in the next section
• “Understanding Operational Mode” on page 27
Understanding Configuration Mode When you enter Configuration mode and enter commands to configure the firewall, you are modifying the candidate configuration. The modified candidate configuration is stored in firewall memory and maintained while the firewall is running. Each configuration command involves an action, and may also include keywords, options, and values. Entering a command makes changes to the candidate configuration. This section describes Configuration mode and the configuration hierarchy:
• “Using Configuration Mode Commands” in the next section
• “Understanding the Configuration Hierarchy” on page 23
• “Navigating Through the Hierarchy” on page 25
Using Configuration Mode Commands Use the following commands to store and apply configuration changes (see Figure 2):
• save command—Saves the candidate configuration in firewall non-volatile storage. The saved configuration is retained until overwritten by subsequent save commands. Note that this command does not make the configuration active.
• commit command—Applies the candidate configuration to the firewall. A committed configuration becomes the active configuration for the device.
• set command—Changes a value in the candidate configuration.
• load command—Assigns the last saved configuration or a specified configuration to be the candidate configuration.
Example: Make and save a configuration change.
  username@hostname# rename zone untrust to untrust1    (enter a configuration command)
  [edit]
  username@hostname# save config to snapshot.xml
  Config saved to .snapshot.xml
  [edit]
  username@hostname#
Example: Make a change to the candidate configuration.
  [edit]
  username@hostname# set network interface vlan ip 1.1.1.4/24
  [edit]
  username@hostname#
Example: Make the candidate configuration active on the device.
  [edit]
  username@hostname# commit
  [edit]
  username@hostname#
Note: If you exit Configuration mode without issuing the save or commit command, your configuration changes could be lost if power is lost to the firewall.
[Figure 2. Configuration Mode Command Relationship: set changes the candidate configuration; save writes the candidate configuration to the saved configuration and load reads the saved configuration back into the candidate; commit makes the candidate configuration the active configuration]
Maintaining a candidate configuration and separating the save and commit steps confers important advantages when compared with traditional CLI architectures:
• Distinguishing between the save and commit concepts allows multiple changes to be made at the same time and reduces system vulnerability. For example, if you want to remove an existing security policy and add a new one, using a traditional CLI command structure would leave the system vulnerable for the period of time between removal of the existing security policy and addition of the new one. With the PAN-OS approach, you configure the new security policy before the existing policy is removed, and then implement the new policy without leaving a window of vulnerability.
• You can easily adapt commands for similar functions. For example, if you are configuring two Ethernet interfaces, each with a different IP address, you can edit the configuration for the first interface, copy the command, modify only the interface and IP address, and then apply the change to the second interface.
• The command structure is always consistent. Because the candidate configuration is always unique, all the authorized changes to the candidate configuration will be consistent with each other.
Understanding the Configuration Hierarchy The configuration for the firewall is organized in a hierarchical structure. To display a segment of the current hierarchy, use the show command. Entering show displays the complete hierarchy, while entering show with keywords displays a segment of the hierarchy. For example, the following command displays the configuration hierarchy for the ethernet interface segment of the hierarchy:
  username@hostname# show network interface ethernet
  ethernet {
    ethernet1/1 {
      virtual-wire;
    }
    ethernet1/2 {
      virtual-wire;
    }
    ethernet1/3 {
      layer2 {
        units {
          ethernet1/3.1;
        }
      }
    }
    ethernet1/4;
  }
  [edit]
  username@hostname#
Understanding Hierarchy Paths When you enter a command, a path is traced through the hierarchy, as shown in Figure 3.
[Figure 3. Sample Hierarchy Segment: a tree rooted at network, whose children include profiles, interface, virtual-router and vlan; under interface are vlan, ethernet, aggregate-ethernet and loopback; under ethernet are ethernet1/1 through ethernet1/4, with leaf settings such as link-duplex auto, link-state up, link-speed 1000 and virtual-wire]
For example, the following command assigns the IP address/netmask 10.1.1.12/24 to the Layer 3 interface for the Ethernet port ethernet1/4:
  [edit]
  username@hostname# set network interface ethernet ethernet1/4 layer3 ip 10.1.1.12/24
  [edit]
  username@hostname#
This command generates a new element in the hierarchy, as shown in Figure 4 and in the output of the following show command:
  [edit]
  username@hostname# show network interface ethernet ethernet1/4
  ethernet1/4 {
    layer3 {
      ip {
        10.1.1.12/24;
      }
    }
  }
  [edit]
  username@hostname#
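As an added illustration (not code from this guide or from Palo Alto Networks), the following Python model implements the set/delete/save/load/commit relationship described under "Using Configuration Mode Commands" and renders a hierarchy segment in the brace format that show prints above. The class names, the path strings and the one-rule rulebase are constructed for the example; the replace_rule_without_gap function replays the security-policy replacement argued for earlier, recording which rules the active configuration enforces after each step.

```python
"""Toy model of PAN-OS Configuration mode (added illustration, not Palo Alto
Networks code): set/delete edit the candidate configuration, save/load
snapshot it, and commit turns it into the active configuration."""
import copy


class ConfigTree:
    """Configuration hierarchy as nested dicts; an empty dict is a leaf."""

    def __init__(self):
        self.root = {}

    def set(self, path):
        """`set a b c` creates node c under a/b, creating missing parents."""
        node = self.root
        for key in path.split():
            node = node.setdefault(key, {})

    def delete(self, path):
        """`delete a b` removes node b under a together with all children."""
        *parents, last = path.split()
        node = self.root
        for key in parents:
            node = node[key]
        del node[last]

    def show(self, context=""):
        """Render a hierarchy segment in the brace format `show` prints."""
        keys = context.split()
        node = self.root
        for key in keys:
            node = node[key]
        lines = []
        if keys:
            self._render(keys[-1], node, 0, lines)
        else:                               # bare `show`: whole hierarchy
            for name, child in node.items():
                self._render(name, child, 0, lines)
        return "\n".join(lines)

    @classmethod
    def _render(cls, name, node, depth, lines):
        pad = "  " * depth
        if not node:                        # leaf prints as `ethernet1/4;`
            lines.append(f"{pad}{name};")
            return
        lines.append(f"{pad}{name} {{")     # branch prints as `layer3 { ... }`
        for child, sub in node.items():
            cls._render(child, sub, depth + 1, lines)
        lines.append(f"{pad}}}")


class Firewall:
    """The three configurations related in Figure 2 (constructed model)."""

    def __init__(self):
        self.active = ConfigTree()          # what the firewall enforces
        self.candidate = ConfigTree()       # what set/delete modify
        self.saved = {}                     # filename -> saved snapshot

    def set(self, path):
        self.candidate.set(path)

    def delete(self, path):
        self.candidate.delete(path)

    def save(self, filename):
        if "-" in filename:                 # restriction stated on the save page
            raise ValueError("filename cannot include a hyphen")
        self.saved[filename] = copy.deepcopy(self.candidate)

    def load(self, filename):
        self.candidate = copy.deepcopy(self.saved[filename])

    def commit(self):                       # the only step that changes active
        self.active = copy.deepcopy(self.candidate)

    def pending_changes(self):              # what `check pending-changes` reports
        return self.active.root != self.candidate.root


def replace_rule_without_gap():
    """Swap rule1 for rule2 as the chapter recommends; return the rule names
    the active configuration enforces after each step (hypothetical rulebase)."""
    fw = Firewall()
    fw.set("rulebase security rules rule1 action allow")
    fw.commit()

    def enforced():
        return sorted(fw.active.root["rulebase"]["security"]["rules"])

    steps = []
    fw.set("rulebase security rules rule2 action allow")   # add new rule first
    steps.append(enforced())
    fw.delete("rulebase security rules rule1")             # then drop the old
    steps.append(enforced())
    fw.commit()                                            # one atomic switch
    steps.append(enforced())
    return steps
```

Until commit runs, the active configuration still enforces rule1, so the firewall is never left without a rule; the returned list is [["rule1"], ["rule1"], ["rule2"]].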
[Figure 4. Sample Hierarchy Segment: the same tree as Figure 3, with the new node ip and its value 10.1.1.12/24 added under ethernet1/4]
Navigating Through the Hierarchy The [edit...] banner presented below the Configure mode command prompt line shows the current hierarchy context. For example, the banner [edit]
indicates that the relative context is the top level of the hierarchy, whereas [edit network profiles]
indicates that the relative context is at the network profiles node. Use the commands listed in Table 3 to navigate through the configuration hierarchy.
Table 3. Navigation Commands
Command   Description
edit      Sets the context for configuration within the command hierarchy.
up        Changes the context to the next higher level in the hierarchy.
top       Changes the context to the highest level in the hierarchy.
Using the Edit Command Use the edit command to change context to lower levels of the hierarchy, as in the following examples:
• Move from the top level to a lower level:
  [edit]                                  (top level)
  username@hostname# edit network
  [edit network]                          (now at the network level)
  username@hostname#
• Move from one level to a lower level:
  [edit network]                          (network level)
  username@hostname# edit interface
  [edit network interface]                (now at the network interface level)
  admin@abce#
Using the Up and Top Commands Use the up and top commands to move to higher levels in the hierarchy:
• up—changes the context to one level up in the hierarchy. Example:
  [edit network interface]                (network interface level)
  admin@abce# up
  [edit network]                          (now at the network level)
  username@hostname#
• top—changes context to the top level of the hierarchy. Example:
  [edit network interface vlan]           (network vlan level)
  username@hostname# top
  [edit]                                  (now at the top level)
  username@hostname#
Note: The set command issued after using the up and top commands starts from the new context.
Understanding Operational Mode When you first log in, the PAN-OS CLI opens in Operational mode. Operational mode commands involve actions that are executed immediately. They do not involve changes to the configuration, and do not need to be saved or committed. Operational mode commands are of several types:
• Network access—Open a window to another host. Includes ssh and telnet commands.
• Monitoring and troubleshooting—Perform diagnosis and analysis. Includes debug and ping commands.
• Display commands—Display or clear current information. Includes clear and show commands.
• PAN-OS CLI navigation commands—Enter Configure mode or exit the PAN-OS CLI. Includes configure, exit, and quit commands.
• System commands—Make system-level requests or restart. Includes set and request commands.
Chapter 3
Configuration Mode Commands This chapter contains command reference pages for the following Configuration mode command types:
• “check” on page 30
• “commit” on page 31
• “copy” on page 32
• “delete” on page 33
• “edit” on page 34
• “exit” on page 35
• “load” on page 36
• “move” on page 37
• “quit” on page 38
• “rename” on page 39
• “run” on page 40
• “save” on page 41
• “set” on page 42
• “show” on page 43
• “top” on page 44
• “up” on page 45
check
check Check configuration status.
Syntax check option
Options data-access-passwd
Check data access authentication status for this session.
pending-changes
Check for uncommitted changes.
Sample Output The following command shows that there are currently no uncommitted changes.
  username@hostname# check pending-changes
  no
  [edit]
  username@hostname#
Required Privilege Level superuser, vsysadmin, deviceadmin
commit
commit Make the current candidate configuration the active configuration on the firewall.
Syntax commit
Options None
Sample Output The following command makes the current candidate configuration the active configuration. # commit
Required Privilege Level superuser, vsysadmin, deviceadmin
copy
copy Make a copy of a node in the hierarchy along with its children, and add the copy to the same hierarchy level.
Syntax copy [node1] to [node2]
Options node1
Specifies the node to be copied.
node2
Specifies the name of the copy.
Sample Output The following command, executed from the rulebase security level of the hierarchy, makes a copy of rule1, called rule2.
  [edit rulebase security]
  username@hostname# copy rules rule1 to rule2
  [edit rulebase security]
  username@hostname#
The following command shows the location of the new rule in the hierarchy.
  [edit rulebase security]
  username@hostname# show
  security {
    rules {
      rule1 {
        source [ any 1.1.1.1/32 ];
        destination 1.1.1.2/32;
      }
      rule2 {
        source [ any 1.1.1.1/32 ];
        destination 1.1.1.2/32;
      }
    }
  }
Required Privilege Level superuser, vsysadmin, deviceadmin
delete
delete Remove a node from the candidate configuration along with all its children. Note: No confirmation is requested when this command is entered.
Syntax delete [node]
Options node
Specifies the hierarchy node to delete.
Sample Output The following command deletes the application myapp from the candidate configuration.
  username@hostname# delete application myapp
  [edit]
  username@hostname#
Required Privilege Level superuser, vsysadmin, deviceadmin
edit
edit Change context to a lower level in the configuration hierarchy.
Syntax edit [context]
Options context
Specifies a path through the hierarchy.
Sample Output The following command changes context from the top level to the rulebase level of the hierarchy.
  [edit]
  username@hostname# edit rulebase
  [edit rulebase]
  username@hostname#
Required Privilege Level superuser, vsysadmin, deviceadmin
exit
exit Exit from the current PAN-OS CLI level.
• From Operational mode—Exits the PAN-OS CLI.
• From Configuration mode, top hierarchy level—Exits Configuration mode, returning to Operational mode.
• From Configuration mode, lower hierarchy levels—Changes context to one level up in the hierarchy. Provides the same result as the up command.
Note: The exit command is the same as the quit command.
Syntax exit
Options None
Sample Output The following command changes context from the network interface level to the network level.
  [edit network interface]
  username@hostname# exit
  [edit network]
  username@hostname#
The following command changes from Configuration mode to Operational mode.
  [edit]
  username@hostname# exit
  Exiting configuration mode
  username@hostname>
Required Privilege Level All
load
load Assigns the last saved configuration or a specified configuration to be the candidate configuration.
Syntax load config [from filename]
Options filename
Specifies the filename from which the configuration will be loaded.
Sample Output The following command assigns output.xml to be the candidate configuration.
  [edit]
  username@hostname# load config from output.xml
  command succeeded
  [edit]
  username@hostname#
Required Privilege Level superuser, vsysadmin, deviceadmin
move
move Relocate a node in the hierarchy along with its children to be at another location at the same hierarchy level.
Syntax move element [bottom | top | after element2 | before element2]
Options
element
Specifies the item to be moved.
placement
Specifies the new location of element:
  bottom   Makes the element the last entry of the hierarchy level.
  top      Makes the element the first entry of the hierarchy level.
  after    Moves element to be after element2.
  before   Moves element to be before element2.
element2
Indicates the element after or before which element will be placed.
Sample Output The following command moves the security rule rule1 to the top of the rule base.
  username@hostname# move rulebase security rules rule1 top
  [edit]
  username@hostname#
Required Privilege Level superuser, vsysadmin, deviceadmin
quit
quit Exit from the current PAN-OS CLI level.
• From Operational mode—Exits the PAN-OS CLI.
• From Configuration mode, top hierarchy level—Exits Configuration mode, returning to Operational mode.
• From Configuration mode, lower hierarchy levels—Changes context to one level up in the hierarchy. Provides the same result as the up command.
Note: The exit and quit commands are interchangeable.
Syntax quit
Options None
Sample Output The following command changes context from the log-settings level to the top level.
  [edit log-settings]
  username@hostname# quit
  [edit]
  username@hostname#
The following command changes from Configuration mode to Operational mode.
  [edit]
  username@hostname# quit
  Exiting configuration mode
  username@hostname>
Required Privilege Level All
rename
rename Change the name of a node in the hierarchy.
Syntax rename [node1] to [node2]
Options node1
Indicates the original node name.
node2
Indicates the new node name.
Sample Output The following command changes the name of a node in the hierarchy from 1.1.1.1/24 to 1.1.1.2/24.
  username@hostname# rename network interface vlan ip 1.1.1.1/24 to 1.1.1.2/24
Required Privilege Level superuser, vsysadmin, deviceadmin
run
run Execute an Operational mode command while in Configuration mode.
Syntax run [command]
Options command
Specifies an Operational mode command.
Sample Output The following command executes a ping command to the IP address 1.1.1.2 from Configuration mode.
  username@hostname# run ping 1.1.1.2
  PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
  ...
  username@hostname#
Required Privilege Level superuser, vsysadmin, deviceadmin
save
save Saves a snapshot of the firewall configuration. Note: This command saves the configuration on the firewall, but does not make the configuration active. Use the commit command to make the current candidate configuration active.
Syntax save config [to filename]
Options filename
Specifies the filename to store the configuration. The filename cannot include a hyphen (-).
Sample Output The following command saves a copy of the configuration to the file savefile.
  [edit]
  username@hostname# save config to savefile
  Config saved to savefile
  [edit]
  username@hostname#
Required Privilege Level superuser, vsysadmin, deviceadmin
set
set Changes a value in the candidate configuration. Changes are retained while the firewall is powered until overwritten. Note: To save the candidate configuration in non-volatile storage, use the save command. To make the candidate configuration active, use the commit command.
Syntax set [context]
Options context
Specifies a path through the hierarchy.
Sample Output The following command assigns the ethernet1/1 interface to be a virtual wire interface.
  [edit]
  username@hostname# set network interface ethernet ethernet1/1 virtual-wire
  [edit]
  username@hostname#
The following command sets the VLAN IP address to 1.1.1.4/32 from the network interface vlan level of the hierarchy.
  [edit network interface vlan]
  username@hostname# set ip 1.1.1.4/32
  [edit network interface vlan]
  username@hostname#
The following command locks an administrative user out for 15 minutes after 5 failed login attempts.
  username@hostname# set deviceconfig setting management admin-lockout 5 lockout-time 15
Required Privilege Level superuser, vsysadmin, deviceadmin
show
show Display information about the current candidate configuration.
Syntax show [context]
Options context
Specifies a path through the hierarchy.
Sample Output The following command shows the full candidate hierarchy. username@hostname# show
The following commands can be used to display the hierarchy segment for network interface.
• Specify context on the command line:
  show network interface
• Use the edit command to move to the level of the hierarchy, and then use the show command without specifying context:
  edit network interface
  [edit network interface]
  show
Required Privilege Level superuser, vsysadmin, deviceadmin
top
top Change context to the top hierarchy level.
Syntax top
Options None
Sample Output The following command changes context from the network level of the hierarchy to the top level.
  [edit network]
  username@hostname# top
  [edit]
  username@hostname#
Required Privilege Level All
up
up Change context to the next higher hierarchy level.
Syntax up
Options None
Sample Output The following command changes context from the network interface level of the hierarchy to the network level.
  [edit network interface]
  username@hostname# up
  [edit network]
  username@hostname#
Required Privilege Level All
Chapter 4
Operational Mode Commands This chapter contains command reference pages for the following operational mode commands:
• “clear” on page 51
• “configure” on page 53
• “debug captive-portal” on page 54
• “debug cli” on page 55
• “debug cpld” on page 56
• “debug dataplane” on page 57
• “debug device-server” on page 59
• “debug dhcpd” on page 60
• “debug high-availability-agent” on page 61
• “debug ike” on page 62
• “debug keymgr” on page 63
• “debug log-receiver” on page 64
• “debug management-server” on page 65
• “debug master-service” on page 66
• “debug rasmgr” on page 67
• “debug routing” on page 68
• “debug software” on page 69
• “debug swm” on page 70
• “debug tac-login” on page 71
• “debug vardata-receiver” on page 72
• “delete” on page 73
• “exit” on page 75
• “grep” on page 76
• “less” on page 77
• “netstat” on page 78
• “ping” on page 79
• “quit” on page 81
• “request certificate” on page 82
• “request comfort-page” on page 84
• “request content” on page 85
• “request data-filtering” on page 86
• “request device-registration” on page 87
• “request high-availability” on page 88
• “request license” on page 89
• “request password-hash” on page 90
• “request restart” on page 91
• “request ssl-output-text” on page 92
• “request ssl-vpn” on page 93
• “request support” on page 94
• “request system” on page 95
• “request tech-support” on page 96
• “request url-filtering” on page 97
• “request vpn-client” on page 98
• “scp” on page 99
• “set application” on page 101
• “set cli” on page 102
• “set clock” on page 103
• “set ctd” on page 104
• “set data-access-password” on page 105
• “set logging” on page 106
• “set management-server” on page 107
• “set multi-vsys” on page 108
• “set panorama” on page 109
• “set password” on page 110
• “set proxy” on page 111
• “set serial-number” on page 112
• “set session” on page 113
• “set shared-policy” on page 115
• “set ssl-vpn” on page 116
• “set target-vsys” on page 117
• “set ts-agent” on page 118
• “set url-database” on page 119
• “set zip” on page 120
• “show admins” on page 121
• “show arp” on page 122
• “show authentication” on page 123
• “show chassis-ready” on page 124
• “show cli” on page 125
• “show clock” on page 126
• “show config” on page 127
• “show counter” on page 128
• “show ctd” on page 129
• “show device” on page 130
• “show device-messages” on page 131
• “show devicegroups” on page 132
• “show dhcp” on page 133
• “show high-availability” on page 134
• “show interface” on page 135
• “show jobs” on page 136
• “show local-user-db” on page 137
• “show location” on page 138
• “show log” on page 139
• “show logging” on page 141
• “show mac” on page 142
• “show management-clients” on page 143
• “show multi-vsys” on page 144
• “show pan-agent” on page 145
• “show pan-ntlm-agent” on page 146
• “show proxy” on page 147
• “show query” on page 148
• “show report” on page 149
• “show routing” on page 150
• “show session” on page 154
• “show ssl-vpn” on page 157
• “show statistics” on page 158
• “show system” on page 160
• “show target-vsys” on page 162
• “show threat” on page 163
• “show ts-agent” on page 164
• “show url-database” on page 165
• “show virtual-wire” on page 166
• “show vlan” on page 167
• “show vpn” on page 168
• “show zip” on page 170
• “show zone-protection” on page 171
• “ssh” on page 172
• “tail” on page 173
• “telnet” on page 174
• “test” on page 175
• “tftp” on page 176
• “traceroute” on page 178
• “view-pcap” on page 180
clear
clear Reset information, counters, sessions, or statistics.
Syntax
  clear application-signature statistics
  clear arp
  clear counter
  clear dhcp lease
  clear high-availability control-link statistics
  clear job jobid
  clear log type
  clear mac
  clear query
  clear report
  clear session
  clear statistics
  clear vpn
Options application-signature statistics
Clears application-signature statistics.
arp
Clears Address Resolution Protocol (ARP) information for a specified interface, loopback, or VLAN, or all.
counter
Clears interface counters. Specify all counters, global counters, or interface counters.
dhcp lease
Clears DHCP leases. Specify all or specify an interface and optional IP address.
job
Clears download jobs. Specify the job id.
log
Remove log files from disk. Specify the log type: acc, config, system, threat, or traffic.
mac
Clears MAC address information for a specified VLAN or all addresses.
session
Clears a specified session or all sessions. Refer to “show session” on page 154 for a description of the filter options when clearing all sessions.
statistics
Clears all statistics.
vpn
Clears IKE or IPSec VPN run-time objects: flow
Clears the VPN tunnel on the data plane. Specify the tunnel or press Enter to apply to all tunnels.
ike-sa
Removes the active IKE SA and stops all ongoing key negotiations. Specify the gateway or press Enter to apply to all gateways.
ipsec-sa
Deactivate the IPsec SA for a tunnel or all tunnels. Specify the tunnel or press Enter to apply to all tunnels.
Sample Output The following command clears the session with ID 2245.
  username@hostname> clear session id 2245
  Session 2245 cleared
  username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
configure
configure Enter Configuration mode.
Syntax configure
Options None
Sample Output To enter Configuration mode from Operational mode, enter the following command.
  username@hostname> configure
  Entering configuration mode
  [edit]
  username@hostname#
Required Privilege Level superuser, vsysadmin, deviceadmin
debug captive-portal
debug captive-portal Define settings for debugging the captive portal daemon.
Syntax debug captive-portal option
Options show
Shows whether this command is on or off.
off
Turns the debugging option off.
on
Turns the debugging option on.
Sample Output The following command turns the debugging option on.
  admin@PA-HDF> debug captive-portal on
  admin@PA-HDF>
Required Privilege Level superuser, vsysadmin
debug cli
debug cli Define settings and display information for debugging the CLI connection.
Syntax debug cli option
Options detail
Shows details information about the CLI connection.
show
Shows whether this command is on or off.
off
Turns the debugging option off.
on
Turns the debugging option on.
Sample Output The following command shows details of the CLI connection.
  admin@PA-HDF> debug cli detail
  Environment variables :
  (USER . admin)
  (LOGNAME . admin)
  (HOME . /home/admin)
  (PATH . /usr/local/bin:/bin:/usr/bin)
  (MAIL . /var/mail/admin)
  (SHELL . /bin/bash)
  (SSH_CLIENT . 10.31.1.104 1109 22)
  (SSH_CONNECTION . 10.31.1.104 1109 10.1.7.2 22)
  (SSH_TTY . /dev/pts/0)
  (TERM . vt100)
  (LINES . 24)
  (COLUMNS . 80)
  (PAN_BASE_DIR . /opt/pancfg/mgmt)
  PAN_BUILD_TYPE : DEVELOPMENT
  Total Heap : 7.00 M Used : 5.51 M Nursery : 0.12 M
  admin@PA-HDF>
Required Privilege Level superuser, vsysadmin
debug cpld
debug cpld Debug the complex programmable logic device (CPLD).
Syntax debug cpld
Options None
Sample Output N/A
Required Privilege Level superuser, vsysadmin
debug dataplane
debug dataplane Configure settings for debugging the data plane.
Syntax debug dataplane option
Options The available sub-options depend on the specified option.
clear
Clear all dataplane debug logs.
device
Debug dataplane hardware component.
drop-filter
Define a filter to capture dropped packets.
filter
Determine the packets to capture or send to a debug log file.
fpga
Debug the field programmable gate array (FPGA).
get
Show current dataplane debug settings.
internal
Debug the dataplane internal state.
memory
Examine dataplane memory.
mode
Control dataplane debug logging mode.
off
Turn off dataplane debug logging.
on
Turn on dataplane debug logging.
pool
Debug buffer pools, including checks of hardware and software utilization and buffer pool statistics.
pow
Debug packet scheduling engine.
process
Debug the dataplane process for the high-availability agent (ha-agent) and management plane relay agent (mprelay).
reset
Reset settings for debugging the data plane.
set
Specify parameters for dataplane debugging
show
Show dataplane running information.
task-heartbeat
Debug dataplane task heartbeat.
unset
Clear the previously-set parameters for dataplane debugging
Sample Output The following command shows the statistics for the dataplane buffer pools.
  admin@PA-HDF> debug dataplane pool statistics
The following command turns dataplane filtering on and sets filter parameters.
  admin@PA-HDF> debug dataplane filter on
  admin@PA-HDF> debug dataplane filter set source 10.1 11.2.3 file abc.pcap
Required Privilege Level superuser, vsysadmin
debug device-server
debug device-server Configure settings for debugging the device server.
Syntax debug device-server option
Options clear
Clear all debug logs.
dump
Dump the debug data.
off
Turn off debug logging.
on
Turn on debug logging.
refresh
Refresh the user-group data.
reset
Clear logging data.
set
Set debugging values.
show
Display current debug log settings.
test
Test the current settings.
unset
Remove current settings.
Sample Output The following command turns off debug logging for the device server.
  admin@PA-HDF> debug device-server off
  admin@PA-HDF>
Required Privilege Level superuser, vsysadmin
debug dhcpd
Configure settings for debugging the Dynamic Host Configuration Protocol (DHCP) daemon.

Syntax
debug dhcpd option

Options
global
Define settings for the global DHCP daemon.
pcap
Define settings for debugging packet capture.
Sample Output
The following command shows current global DHCP daemon settings.
admin@PA-HDF> debug dhcpd global show
sw.dhcpd.runtime.debug.level: debug
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
debug high-availability-agent
Configure settings for debugging the high availability agent.

Syntax
debug high-availability-agent option

Options
clear
Clear the debug logs.
internal-dump
Dump the internal state of the agent to its log.
model-check
Turn model checking with the peer on or off.
off
Turns the debugging option off.
on
Turns the debugging option on.
show
Shows whether this command is on or off.
Sample Output
The following command turns model checking on for the high availability agent.
admin@PA-HDF> debug high-availability-agent model-check on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
debug ike
Configure settings for debugging the Internet Key Exchange (IKE) daemon.

Syntax
debug ike option

Options
global
Configure global settings.
pcap
Configure packet capture settings.
socket
Configure socket settings.
stat
Show IKE daemon statistics.
Sample Output
The following command turns on the global options for debugging the IKE daemon.
admin@PA-HDF> debug ike global on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
debug keymgr
Configure settings for debugging the key manager daemon.

Syntax
debug keymgr option

Options
list-sa
Lists the IPSec security associations (SAs) that are stored in the key manager daemon.
off
Turn the settings off.
on
Turn the settings on.
show
Show key manager daemon information.
Sample Output
The following command shows the current information on the key manager daemon.
admin@PA-HDF> debug keymgr show
sw.keymgr.debug.global: normal
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
debug log-receiver
Configure settings for debugging the log receiver daemon.

Syntax
debug log-receiver option

Options
off
Turns the debugging option off.
on
Turns the debugging option on.
show
Shows whether this command is on or off.
statistics
Show log receiver daemon statistics.
Sample Output
The following command turns log receiver debugging on.
admin@PA-HDF> debug log-receiver on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
debug management-server
Configure settings for debugging the management server.

Syntax
debug management-server option

Options
clear
Clear all debug logs.
client
Debug the management server client.
off
Turn debugging off.
on
Turn debugging on.
phased-commit
Set experimental mode for committing in phases.
show
Show management server debug statistics.
Sample Output
The following example turns management server debugging on.
admin@PA-HDF> debug management-server on
(null)
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
debug master-service
Configure settings for debugging the master service.

Syntax
debug master-service option

Options
clear
Clear all debug logs.
internal-dump
Dump the internal state of the server to the log.
off
Turn debugging off.
on
Turn debugging on.
show
Show debug settings.
Sample Output
The following command dumps the internal state of the master server to the log.
admin@PA-HDF> debug master-service internal-dump
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
debug rasmgr
Configure settings for debugging the remote access service daemon.

Syntax
debug rasmgr option

Options
show
Show whether this command is on or off.
off
Turn the debugging option off.
on
Turn the debugging option on.
Sample Output
The following command shows the debug settings for the remote access service daemon.
admin@PA-HDF> debug rasmgr show
sw.rasmgr.debug.global: normal
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
debug routing
Configure settings for debugging the route daemon.

Syntax
debug routing option

Options
fib
Turn on debugging for the forwarding table.
global
Turn on global debugging.
list-mib
Show the routing list with management information base (MIB) names.
mib
Show the MIB tables.
pcap
Show packet capture data.
socket
Show socket data.
Sample Output
The following command displays the MIB tables for routing.
admin@PA-HDF> debug routing list-mib
i3EmuTable (1 entries)
==========================
sckTable (0 entries)
sckSimInterfaceTable (0 entries)
sckEiTable (0 entries)
sckEaTable (0 entries)
i3Table (0 entries)
i3EiTable (0 entries)
i3EaTable (0 entries)
i3EtTable (0 entries)
i3EmTable (0 entries)
dcSMLocationTable (0 entries)
dcSMHMTestActionObjects (0 entries)
siNode (0 entries)
siOSFailures (0 entries)
siTraceControl (0 entries)
siExecAction (0 entries)
...
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
debug software
Restart software processes to aid debugging.

Syntax
debug software restart option

Options
device-server
Restart the device server.
management-server
Restart the management server.
web-server
Restart the web server.
Sample Output
The following command restarts the web server.
admin@PA-HDF> debug software restart web-server
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
debug swm
Configure settings for debugging the Palo Alto Networks software manager.

Syntax
debug swm option

Options
command
Run a software manager command.
history
Show the history of software installation operations.
list
List software versions that are available for installation.
refresh
Revert back to the last successfully installed content.
revert
Revert back to the last successfully installed software.
status
Show the status of the software manager.
unlock
Unlock the software manager.
Sample Output
The following command shows the list of available software versions.
admin@PA-HDF> debug swm list
3.0.0-c4.dev
3.0.0-c1.dev_base
2.0.0-c207
2.0.0-c206
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
debug tac-login
Configure settings for debugging the Palo Alto Networks Technical Assistance Center (TAC) connection.

Syntax
debug tac-login option

Options
enable
Enable TAC login.
disable
Disable TAC login.
permanently-disable
Turn off TAC login debugging permanently.
Sample Output
The following command turns TAC login debugging on.
admin@PA-HDF> debug tac-login on
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
debug vardata-receiver
Configure settings for debugging the variable data daemon.

Syntax
debug vardata-receiver option

Options
off
Turns the debugging option off.
on
Turns the debugging option on.
show
Shows whether this command is on or off.
statistics
Show log receiver daemon statistics.
Sample Output
The following command shows statistics for the variable data daemon.
admin@PA-HDF> debug vardata-receiver statistics
admin@PA-HDF>

Required Privilege Level
superuser, vsysadmin
delete
Remove files from disk or restore default comfort pages, which are presented when files or URLs are blocked.

Syntax
delete item

Options
item
Specifies the type of file to be deleted. The following items are supported:
captive-portal-text
Text included in a captive portal.
config saved filename
Saved configuration file.
content update filename
Content updates.
core file filename
Control or data plane cores.
data-capture directoryname
Data capture files.
debug-filter file filename
Debugging packet capture files on disk.
file-block-page
Page presented to users when files are blocked. Restores default page.
inbound-key filename
SSL inbound proxy keys on disk.
license key filename
License key file.
logo
Custom logo file.
pcap file filename
Packet capture files.
policy-cache
Cached policy compilations.
report file-name filename report-name report
Specified report with file name and report name.
root-certificate file filename
Root certificates.
software image imagename version versionname
Software image.
spyware-block-page
Page presented to users when web pages are blocked due to spyware. Restores default page.
ssl-optout-text
Page presented to users when a web session is to be decrypted. Restores default page.
threat-pcap directory directoryname
Threat packet capture files in a specified directory.
unknown-pcap directory directoryname
Packet capture files for unknown sessions.
url-block-page
Page presented to users when web pages are blocked. Restores default page.
url-coach-text
Page presented to users. Restores default page.
user-file ssh-known-hosts
SSH known hosts file.
virus-block-page
Page presented to users when web pages are blocked. Restores default page.
Sample Output
The following command deletes the custom page presented to users when web pages are blocked due to spyware.
username@hostname> delete spyware-block-page
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin
exit
Exit the PAN-OS CLI.
Note: The exit command is the same as the quit command.

Syntax
exit

Options
None

Sample Output
N/A

Required Privilege Level
All
grep
Find and list lines from log files that match a specified pattern.

Syntax
grep [after-context number] [before-context number] [context number] [count] [ignore-case] [invert-match] [line-number] [max-count] [no-filename] [with-filename] pattern file

Options
after-context
Prints the matching lines plus the specified number of lines that follow the matching lines.
before-context
Prints the matching lines plus the specified number of lines that precede the matching lines.
context
Prints the specified number of lines in the file for output context.
count
Prints a count of matching files for each input file.
ignore-case
Ignores case distinctions.
invert-match
Selects non-matching lines instead of matching lines.
line-number
Adds the line number at the beginning of each line of output.
max-count
Stops reading a file after the specified number of matching lines.
no-filename
Does not add the filename prefix for output.
with-filename
Prints the file name for each match.
pattern
Indicates the string to be matched.
file
Indicates the log file to be searched.
Sample Output
The following command searches the ms.log file for occurrences of the string id:admin.
username@hostname> grep id:admin /var/log/pan/ms.log
username@hostname>

Required Privilege Level
All
less
List the contents of the specified log file.

Syntax
less type file

Options
type
Indicates the type of log file to be searched:
• custom-page
• dp-backtrace
• dp-log
• mp-backtrace
• mp-log
• webserver-log
file
Indicates the log file to be searched.
Sample Output
The following command lists the contents of the web server error log.
username@hostname> less webserver-log error.log
Configuration for Mbedthis Appweb
-------------------------------------------
Host: pan-mgmt2
CPU: i686
OS: LINUX
Distribution: unknown Unknown
OS: LINUX
Version: 2.4.0.0
BuildType: RELEASE
Started at: Mon Mar 2 12
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
...

Required Privilege Level
All
netstat
Displays packet capture file content.

Syntax
netstat type

Options
type
Indicates the packet capture file type:
• all—Display all sockets (default: connected).
• cache—Display routing cache instead of Forwarding Information Base (FIB).
• continuous—Continuous listing.
• extend—Display other/more information.
• fib—Display FIB (default).
• groups—Display multicast group memberships.
• interfaces—Display interface table.
• listening—Display listening server sockets.
• numeric—Do not resolve names.
• numeric-hosts—Do not resolve host names.
• numeric-ports—Do not resolve port names.
• numeric-users—Do not resolve user names.
• programs—Display PID/Program name for sockets.
• route—Display routing table.
• statistics—Display networking statistics (like SNMP).
• symbolic—Resolve hardware names.
• timers—Display timers.
• verbose—Display full details.
no | yes
Indicates whether the specified option is included in the output.
Sample Output
The following command shows an excerpt from the output of the netstat command.
username@hostname> netstat all yes
...
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags   Type    State      I-Node Path
unix  2      [ ACC ] STREAM  LISTENING  5366   /tmp/ssh-lClRtS1936/agent.1936
unix  2      [ ]     DGRAM              959    @/org/kernel/udev/udevd
unix  18     [ ]     DGRAM              4465   /dev/log
...

Required Privilege Level
All
ping
Check network connectivity to a host.

Syntax
ping [bypass-routing] [count] [do-not-fragment] [inet] [no-resolve] [pattern] [size] [source] [tos] [ttl] host

Options
bypass-routing
Sends the ping request directly to the host on a direct attached network, bypassing usual routing table.
count
Specifies the number of ping requests to be sent.
do-not-fragment
Prevents packet fragmentation by use of the do-not-fragment bit in the packet’s IP header.
inet
Specifies that the ping packets will use IP version 4.
interval
Specifies how often the ping packets are sent (0 to 2000000000 seconds).
no-resolve
Provides IP address only without resolving to hostnames.
pattern
Specifies a custom string to include in the ping request. You can specify up to 12 padding bytes to fill out the packet that is sent as an aid in diagnosing data-dependent problems.
size
Specifies the size of the ping packets.
source
Specifies the source IP address for the ping command.
tos
Specifies the type of service (TOS) treatment for the packets by way of the TOS bit for the IP header in the ping packet.
ttl
Specifies the time-to-live (TTL) value for the ping packet (IPv6 hop-limit value) (0-255 hops).
verbose
Requests complete details of the ping request.
host
Specifies the host name or IP address of the remote host.
Sample Output
The following command checks network connectivity to the host 66.102.7.104, specifying 4 ping packets and complete details of the transmission.
username@hostname> ping count 4 verbose 66.102.7.104
PING 66.102.7.104 (66.102.7.104) 56(84) bytes of data.
64 bytes from 66.102.7.104: icmp_seq=0 ttl=243 time=316 ms
64 bytes from 66.102.7.104: icmp_seq=1 ttl=243 time=476 ms
64 bytes from 66.102.7.104: icmp_seq=2 ttl=243 time=376 ms
64 bytes from 66.102.7.104: icmp_seq=3 ttl=243 time=201 ms

--- 66.102.7.104 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 201.718/342.816/476.595/99.521 ms, pipe 2
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
quit
Exit the current session for the firewall.
Note: The quit command is the same as the exit command.

Syntax
quit

Options
None

Sample Output
N/A

Required Privilege Level
All
request certificate
Generate a self-signed security certificate.

Syntax
request certificate [install for-use-by purpose | self-signed option for-use-by purpose]

Options
install
Installs the generated certificate.
self-signed
Generates the self-signed certificate.
option
Specifies information to include in the certificate. Multiple options are supported:
country-code
Two-character code for the country in which the certificate will be used.
email
Email address of the contact person.
locality
City, campus, or other local area.
nbits value
Number of bits in the certificate (512 or 1024).
organization
Organization using the certificate.
organization unit
Department using the certificate.
state
Two-character code for the state or province in which the certificate will be used.
name
IP address or fully qualified domain name (FQDN) to appear on the certificate.
passphrase
Passphrase for encrypting the private key.
purpose
Requests the certificate for the specified purpose:
panorama-server
Panorama server machine (used by Panorama to communicate with managed devices).
web-interface
Embedded web interface.
Sample Output
The following command requests a self-signed certificate for the web interface with length 1024 and IP address 1.1.1.1.
username@hostname> request certificate self-signed nbits 1024 name 1.1.1.1 for-use-by web-interface
Required Privilege Level
superuser, vsysadmin, deviceadmin
request comfort-page
Installs a user-defined comfort page.

Syntax
request comfort-page install option

Options
option
Specifies the comfort page to install. The following options are supported:
application-block-page
Application packet capture file.
file-block-page
File containing comfort pages to be presented when files are blocked.
spyware-block-page
Comfort page to be presented when files are blocked due to spyware.
url-block-page
Comfort page to be presented when files are blocked due to a blocked URL.
virus-block-page
Comfort page to be presented when files are blocked due to a virus.
Sample Output
The following command installs an application block page.
username@hostname> request comfort-page install application-block-page
Shared application-block-page installed successfully!
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin
request content
Perform application level upgrade operations.

Syntax
request content upgrade [check | download latest | info | install latest]

Options
check
Obtain information from the Palo Alto Networks server.
download latest
Download application identification packages.
info
Show information about the available application ID packages.
install latest
Install application identification packages.
Sample Output
The following command lists information about the firewall server software.
username@hostname> request content upgrade check
Version  Size  Released on          Downloaded
-------------------------------------------------------------------------
13-25    10MB  2007/04/19 15:25:02  yes
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin
request data-filtering
Assign passwords for data filtering.

Syntax
request data-filtering access-password option

Options
option
Specifies one of the following options:
create password pword
Creates the specified password.
modify old-password oldpwd new-password newpwd
Changes the specified old password to the new password.
delete
Deletes the data filtering password. When this command is issued, the system prompts for confirmation and warns that logged data will be deleted and logging will be stopped.
Sample Output
The following command assigns the specified password for data filtering.
username@hostname> request data-filtering access-password create password mypwd
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin
request device-registration
Perform device registration.

Syntax
request device-registration username user password pwd

Options
username user
Specify the user name for device access.
password pwd
Specify the password for device access.
Sample Output
The following command registers the device with the specified user name and password.
username@hostname> request device-registration username admin password adminpwd
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin
request high-availability
Perform high-availability operations.

Syntax
request high-availability option

Options
option
Specifies one of the following options:
clear-alarm-led
Clears the high-availability alarm LED.
state
Changes the state to operational (functional) or suspended.
sync-to-remote option
Performs synchronization operations:
• candidate-config—Synchronize the candidate configuration to peer.
• clock—Synchronize the local time and date to the peer.
• disk-state—Synchronize required on-disk state to peer.
• running-config—Synchronize the running configuration to peer.
• runtime-state—Synchronize the runtime synchronization state to peer.
Sample Output
The following command sets the high-availability state of the device to the suspended state.
username@hostname> request high-availability state suspend
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin
request license
Perform license-related operations.

Syntax
request license [fetch [auth-code] | info | install]

Options
fetch
Gets a new license key using an authentication code.
info
Displays information about currently owned licenses.
install
Installs a license key.
Sample Output
The following command requests a new license key with the authentication code 123456.
username@hostname> request license fetch auth-code 123456
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin
request password-hash
Generate a hashed string for the user password.

Syntax
request password-hash password pwd

Options
pwd
Specify the clear text password that requires the hash string.
Sample Output
The following command generates a hash of the specified password.
username@hostname> request password-hash password mypassword
$1$flhvdype$qupuRAx4SWWuZcjhxn0ED.

Required Privilege Level
superuser, vsysadmin, deviceadmin
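The $1$ prefix in the sample output is the identifier of the MD5-crypt scheme; the following Python, added here as an example and not taken from the guide, implements that scheme so an administrator can check offline whether a stored hash corresponds to a known password (for instance when reviewing an exported configuration). It assumes the firewall emits standard MD5-crypt for $1$ hashes, and every function name in it is the example's own.

```python
"""Offline verifier for $1$ (MD5-crypt) password hashes.

Added example, not part of the PAN-OS guide.  Assumption: the $1$ prefix
in the request password-hash output denotes the standard MD5-crypt scheme
(FreeBSD/glibc crypt(3)), which the sample hash's shape (8-character salt,
22-character digest) suggests.
"""
import hashlib
import hmac
import secrets

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Encode `count` six-bit digits of `value`, least significant first
    (the crypt(3) ordering, which is not standard Base64)."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return the MD5-crypt string $1$<salt>$<digest> for password and salt."""
    pw = password.encode()
    sl = salt.encode()[:8]          # crypt(3) uses at most 8 salt characters

    # Initial digest: password, magic, salt, then chunks of md5(pw + salt + pw)
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # One byte per bit of the password length (a historical quirk of the scheme)
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds; which inputs are mixed in depends on the round number
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(sl)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()

    # crypt(3) emits the 16 digest bytes in this interleaved order
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples
    )
    encoded += _to64(final[11], 2)
    return (MAGIC + sl + b"$" + encoded).decode()


def parse_md5_crypt(hashed: str) -> tuple[str, str]:
    """Split $1$<salt>$<digest> into (salt, digest); reject any other format."""
    parts = hashed.split("$")
    if (len(parts) != 4 or parts[0] != "" or parts[1] != "1"
            or not 1 <= len(parts[2]) <= 8 or len(parts[3]) != 22):
        raise ValueError("not a $1$ MD5-crypt string")
    return parts[2], parts[3]


def verify(password: str, hashed: str) -> bool:
    """Constant-time check that `password` reproduces `hashed`."""
    salt, _ = parse_md5_crypt(hashed)
    return hmac.compare_digest(md5_crypt(password, salt).encode(), hashed.encode())


def new_hash(password: str) -> str:
    """Hash a password under a fresh random 8-character salt."""
    salt = "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(8))
    return md5_crypt(password, salt)


if __name__ == "__main__":
    # Constructed check: a hash produced here must verify, and a typo must not.
    h = new_hash("mypassword")
    print(h, verify("mypassword", h), verify("mypassw0rd", h))
```

Running verify("mypassword", "$1$flhvdype$qupuRAx4SWWuZcjhxn0ED.") against the guide's own sample tells you whether that assumption holds for your device. MD5-crypt's fixed 1000 rounds make offline guessing cheap on modern hardware, so exported hashes should be handled as sensitive data.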
request restart
Restart the system or software modules.
CAUTION: Using this command causes the firewall to reboot, resulting in the temporary disruption of network traffic. Unsaved or uncommitted changes will be lost.

Syntax
request restart [dataplane | software | system]

Options
dataplane
Restarts the dataplane software.
software
Restarts all system software.
system
Reboots the system.
Sample Output
The following command restarts all the firewall software.
username@hostname> request restart software

Required Privilege Level
superuser, vsysadmin, deviceadmin
request ssl-optout-text
Install user-defined Secure Socket Layer (SSL) opt-out text.

Syntax
request ssl-optout-text install

Options
None

Sample Output
The following command installs SSL opt-out text.
username@hostname> request ssl-optout-text install
Shared ssl optout text installed successfully!

Required Privilege Level
superuser, vsysadmin, deviceadmin
request ssl-vpn
Forces logout from a Secure Socket Layer (SSL) virtual private network (VPN) session.

Syntax
request ssl-vpn client-logout option

Options
option
Specify the following required options:
• portal—Specify the SSL VPN portal name.
• domain—Specify the user’s domain name.
• reason force-logout—Specify to indicate that the logout is administrator-initiated.
• user—Specify the user name.
Sample Output
The following command forces a logout of the specified user.
username@hostname> request ssl-vpn client-logout domain paloaltonetworks.com portal sslportal user ssmith reason force-logout

Required Privilege Level
superuser, vsysadmin, deviceadmin
request support
Obtain technical support information.

Syntax
request support [check | info]

Options
check
Get support information from the Palo Alto Networks update server.
info
Show downloaded support information.
Sample Output
The following command shows downloaded support information.
username@hostname> request support info
0
Support Home https://support.paloaltonetworks.com
Manage Cases https://support.paloaltonetworks.com/pa-portal/index.php?option=com_pan&task=viewcases&Itemid=100
Download User Identification Agent https://support.paloaltonetworks.com/pa-portal/index.php?option=com_pan&task=sw_updates&Itemid=135
866-898-9087
[email protected]
November 07, 2009
Standard 10 x 5 phone support; repair and replace hardware service
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin
request system
Download system software or request information about the available software packages.

Syntax
request system [factory-reset | software [check | download [file | version] name | info | install [file | version] name]]

Options
check
Gets information from the Palo Alto Networks server.
download
Downloads software packages.
info
Shows information about the available software packages.
install
Downgrades to a downloaded software package.
Sample Output
The following command requests information about the software packages that are available for download.
username@hostname> request system software info
Version     Filename                 Size   Released             Downloaded
-------------------------------------------------------------------------
1.0.1       panos.4050-1.0.1.tar.gz  127MB  2007/02/07 00:00:00  no
1.0.2       panos.4050-1.0.2.tar.gz  127MB  2007/02/07 00:00:00  no
1.0.0-20    PANOS-QA-20.tar.gz       122MB  2007/02/13 00:00:00  no
1.0.0-1746  PANOS-DEV-1746.tgz       122MB  2007/02/13 00:00:00  no
username@hostname>

Required Privilege Level
superuser, vsysadmin, deviceadmin
request tech-support
Obtain information to assist technical support in troubleshooting.

Syntax
request tech-support dump

Options
None

Sample Output
The following command creates a dump for technical support.
username@hostname> request tech-support dump
Exec job enqueued with jobid 1 1

Required Privilege Level
superuser, vsysadmin, deviceadmin
request url-filtering
Perform URL filtering operations.

Syntax
request url-filtering option

Options
upgrade
Upgrade to latest version. Optionally specify brightcloud to update the BrightCloud database.
download status
Show status of information download for URL filtering.
Sample Output
The following command upgrades the BrightCloud database.
username@hostname> request url-filtering upgrade brightcloud

Required Privilege Level
superuser, vsysadmin, deviceadmin
request vpn-client
Perform VPN client package operations.

Syntax
request vpn-client software option

Options
check
Obtain information from the Palo Alto Networks server.
download
Download software packages. Specify one of the following:
• file—Name of the file containing the software package.
• version—Specified software version.
info
Show downloaded support information.
install
Install the software as specified:
• file—Name of the file containing the software package.
• version—Specified software version.
Sample Output
The following command displays information about the available software packages.
username@hostname> request vpn-client software info
Version    Size   Released on          Downloaded
-------------------------------------------------------------------------
1.0.0-c54  916KB  2009/03/04 15:04:33  no
1.0.0-c53  916KB  2009/03/04 14:09:17  no
1.0.0-c52  916KB  2009/03/04 11:49:51  no
1.0.0-c51  916KB  2009/03/03 16:45:38  no

Required Privilege Level
superuser, vsysadmin, deviceadmin
scp
Copy files between the firewall and another host. Enables downloading of a customizable HTML replacement message (comfort page) in place of a malware infected file.

Syntax
scp export export-option [control-plane | data-plane] to target from source [remote-port portnumber] [source-ip address]
scp import import-option [source-ip address] [remote-port portnumber] from source

Options
export export-option
Specifies the type of file to export to the other host. The export options are:
application
Application packet capture file.
captive-portal-text
Text to be included in a captive portal.
configuration
Configuration file.
core-file
Core file.
debug pcap
IKE negotiation packet capture file.
file-block-page
File containing comfort pages to be presented when files are blocked.
filter
Filter definitions.
log-file
Log files.
log-db
Log database.
packet-log
Logs of packet data.
spyware-block-page
Comfort page to be presented when files are blocked due to spyware.
ssl-optout-text
SSL optout text.
tech-support
Technical support information.
trusted-ca-certificate
Certificate Authority (CA) security certificate.
url-block-page
Comfort page to be presented when files are blocked due to a blocked URL.
virus-block-page
Comfort page to be presented when files are blocked due to a virus.
web-interface-certificate
Web interface certificate.
import import-option
Specifies the type of file to import from the other host. The import options are:
application
Application packet capture file.
captive-portal-text
Text to be included in a captive portal.
configuration
Configuration file.
core-file
Core file.
file-block-page
File containing comfort pages to be presented when files are blocked.
filter
Filter definitions.
ike-pcapc-file
IKE negotiation packet capture file.
log-file
Log files.
log-db
Log database.
packet-log
Logs of packet data.
spyware-block-page
Comfort page to be presented when files are blocked due to spyware.
ssl-optout-text
SSL optout text.
tech-support
Technical support information.
trusted-ca-certificate
Certificate Authority (CA) security certificate.
url-block-page
Comfort page to be presented when files are blocked due to a blocked URL.
control-plane
Indicates that the file contains control information.
data-plane
Indicates that the file contains information about data traffic.
remote-port portnumber
Specifies the port number on the remote host.
source-ip address
Specifies the source IP address.
to
Specifies the destination user in the format username@host:path.
from
Specifies the source user in the format username@host:path.
Sample Output
The following command imports a license file from a file in user1’s account on the machine with IP address 10.0.3.4.
username@hostname> scp import ssl-certificate from [email protected]:/tmp/certificatefile

Required Privilege Level
superuser, vsysadmin, deviceadmin
set application
Set parameters for system behavior when applications are blocked.

Syntax
set application option

Options
cache
Enables (yes) or disables (no) the application cache.
dump
Enables (on) or disables (off) the application packet capture. The following options determine the contents of the dump:
• application—Specified application.
• destination—Destination IP address of the session.
• destination-user—Destination user.
• destination-port—Destination port.
• zone—Specified zone.
• protocol—Specified protocol.
• limit—Maximum number of sessions to capture.
• source—Source IP address for the session.
• source-user—Specified source user.
• source-port—Specified source port.
dump-unknown
Enables (yes) or disables (no) capture of unknown applications.
heuristics
Enables (yes) or disables (no) heuristics detection for applications.
notify-user
Enables (yes) or disables (no) user notification when an application is blocked.
supernode
Enables (yes) or disables (no) detection of super nodes for peer-to-peer applications that have designated supernodes on the Internet.
Sample Output
The following command turns application packet capture off.
username@hostname> set application dump off
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set cli
set cli Set scripting and pager options for the PAN-OS CLI.
Syntax set cli [scripting-mode | pager | timeout [idle idle-value] [session session-value]] off | on
Options scripting-mode
Enables or disables scripting mode.
pager
Enables or disables the pager.
timeout
Sets administrative session timeout values.
idle-value
Specifies the idle timeout (0-86400 seconds).
session-value
Specifies the administrative session timeout (0-86400 seconds).
off
Turns the option off.
on
Turns the option on.
Sample Output
The following command turns the PAN-OS CLI pager option off.
username@hostname> set cli pager off
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set clock
set clock Set the system date and time.
Syntax set clock option
Options date YYYY/MM/DD
Specify the date in yyyy/mm/dd format.
time hh:mm:ss
Specify the time in hh:mm:ss format (hh: 0-23, mm: 0-59, ss: 0-59).
Sample Output
The following command sets the system date and time.
username@hostname> set clock date 2009/03/20 time 14:32:00
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set ctd
set ctd Sets options for the Content-based Threat Detection (CTD) engine.
Syntax set ctd x-forwarded-for
Options no
Disable parsing of the x-forwarded-for attribute.
yes
Enable parsing of the x-forwarded-for attribute.
Sample Output
The following command enables parsing of the x-forwarded-for attribute.
username@hostname> set ctd x-forwarded-for yes
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set data-access-password
set data-access-password Set the access password for the data filtering logs.
Syntax set data-access-password pwd
Options pwd
Specifies the password.
Sample Output
The following command sets the password for data filtering logs.
username@hostname> set data-access-password 12345678
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set logging
set logging Set logging options for traffic and event logging.
Syntax set logging option value
Options default
Restores all log settings to default.
log-suppression
Enables or disables suppression of log information.
max-packet-rate value
Specifies the maximum packet rate (0-5120 KB/s).
max-log-rate value
Specifies the maximum logging rate (0-5120 KB/s).
Note: max-packet-rate and max-log-rate both affect the rate at which log messages are forwarded. Generated log messages are kept in priority queues, and the log forwarding engine forwards the generated logs based on the log and packet rates. If the rates are set too low, the queues may build up and eventually drop log messages.
Sample Output
The following command sets the logging rate to a maximum of 1000 KB/second.
username@hostname> set logging max-log-rate 1000
Logging rate changed to 1000 KB/s
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set management-server
set management-server Set parameters for the management server, which manages configuration, reports, and authentication for the firewall.
Syntax set management-server option
Options logging option
Sets the following logging options:
• import-end—Exit import mode.
• import-start—Enter import mode.
• off—Disable logging.
• on—Allow logging.
unlock
Specifies the serial number or software license key.
Sample Output
The following command enables logging on the management server.
username@hostname> set management-server logging on
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set multi-vsys
set multi-vsys Enable or disable multiple virtual system functionality on the firewall.
Syntax set multi-vsys on | off
Options on
Enables support for multiple virtual systems.
off
Disables support for multiple virtual systems.
Sample Output
The following command enables multiple virtual system functionality on the firewall.
username@hostname> set multi-vsys on
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set panorama
set panorama Enable or disable connection between the firewall and Panorama.
Syntax set panorama on | off
Options on
Enables the connection between the firewall and Panorama.
off
Disables the connection between the firewall and Panorama.
Sample Output
The following command disables the connection between the firewall and Panorama.
username@hostname> set panorama off
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set password
set password Set the firewall password. When you issue this command, the system prompts you to enter the old and new password and to confirm the new password.
Syntax set password
Options None
Sample Output
The following example shows how to reset the firewall password.
username@hostname> set password
Enter old password : (enter the old password)
Enter new password : (enter the new password)
Confirm password   : (reenter the new password)
Password changed
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set proxy
set proxy Sets the proxy parameter. The firewall can act as a proxy for the client, as a forward proxy for outbound traffic, and as an inbound proxy for traffic coming to the clients.
Syntax set proxy option
Options answer-timeout
Sets the timeout value for communication with the proxy server (1-86400 seconds).
notify-user
Enables or disables the user notification web page.
skip-proxy
Disables or enables the proxy function.
skip-ssl
Disables or enables Secure Socket Layer (SSL) decryption.
Sample Output
The following command disables SSL decryption.
username@hostname> set proxy skip-ssl yes
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set serial-number
set serial-number (Panorama™ only) Configure the serial number of the Panorama machine. The serial number must be set for Panorama to connect to the update server.
Syntax set serial-number value
Options value
Specifies the serial number or software license key.
Sample Output
The following command sets the Panorama serial number to 123456.
username@hostname> set serial-number 123456
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set session
set session Set parameters for the networking session.
Syntax set session [default | item value]
Options default
Restores all session settings to the default values.
item value
Specifies the debugging target or level.
The following items can be set (accepted values in parentheses):
accelerated-aging-enable (no | yes)
Enables or disables accelerated session aging.
accelerated-aging-scaling-factor (power of 2)
Sets the accelerated session aging scaling factor (power of 2).
accelerated-aging-threshold (power of 2, 1-100)
Sets the accelerated aging threshold as a percentage of session utilization.
offload (no | yes)
Enables or disables hardware session offload. Some firewall models have specialized hardware to manage TCP, UDP, and ICMP sessions. This option enables or disables that capability. If it is disabled, the sessions are managed by the firewall software.
tcp-reject-non-syn (no | yes)
Rejects non-SYN TCP packets during session setup.
timeout-default (number of seconds)
Sets the default session timeout value in seconds.
timeout-icmp (1-15999999)
Sets the session timeout value for ICMP sessions.
timeout-tcp (1-15999999)
Sets the session timeout value for TCP sessions.
timeout-tcpinit (number of seconds)
Sets the initial TCP timeout value in seconds.
timeout-tcpwait (number of seconds)
Sets the session TCP wait timeout value in seconds.
timeout-udp (1-15999999)
Sets the session timeout value for UDP sessions.
Sample Output
The following command sets the TCP wait timeout to 1 second.
username@hostname> set session timeout-tcpwait 1
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set shared-policy
set shared-policy Set shared policy management behavior with Panorama.
Syntax set shared-policy option
Options disable
Disables Panorama shared policy management.
enable
Enables Panorama shared policy management.
import-and-disable
Imports the shared policies and then disables Panorama shared policy management.
Sample Output
The following command enables shared policies with Panorama.
username@hostname> set shared-policy enable
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set ssl-vpn
set ssl-vpn Enable Secure Socket Layer (SSL) virtual private network (VPN) for a specified user.
Syntax set ssl-vpn unlock auth-profile profilename user uname vsys vsysname
Options profilename
Specifies the authentication profile that applies to the user.
uname
Specifies the name of the user.
vsysname
Specifies the name of the target virtual system.
Sample Output
The following command applies an authentication profile, user, and virtual system for SSL VPN access.
username@hostname> set ssl-vpn unlock auth-profile profile_1 user ssmith vsys vsys_a
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set target-vsys
set target-vsys Sets the target virtual system. Note: When the target virtual system is set, the CLI prompt incorporates the vsys name. In this mode, if any command is executed, it executes for the vsys, if possible. For example, if you use secure copy to import or export a comfort page, the page is imported or exported for the vsys. Commands that are not virtual-system-specific continue to work normally.
Syntax set target-vsys vsys
Options vsys
Specifies the name of the target virtual system.
Sample Output
The following command sets the target virtual system to vsys1; note that the prompt changes to include the vsys name.
username@hostname> set target-vsys vsys1
Session target vsys changed to vsys1
username@hostname vsys1>>
Required Privilege Level superuser, vsysadmin, deviceadmin
set ts-agent
set ts-agent Sets the Terminal Services (TS) agent parameters.
Syntax set ts-agent name name ip-address ipaddr port portnum ip-list iplist
Options name
Specifies the user name.
ipaddr
Specifies the IP address of the Windows PC on which the TS agent is installed. You can also specify alternative IP addresses using the ip-list parameter.
portnum
Specifies the port number for communication between the terminal server and the TS agent.
iplist
Specifies 0-8 additional IP addresses for Windows PCs on which the TS agent is installed.
Sample Output
The following command sets the TS agent parameters for the user ssmith with the specified port and IP addresses.
username@hostname> set ts-agent user ssmith ip-address 192.168.3.4 port 772 ip-list 192.168.5.5 192.168.9.3
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set url-database
set url-database Set the database for URL resolution in support of URL filtering. The available selections depend on the URL license available on the firewall.
Syntax set url-database dbasename
Options dbasename
Uses a database with the specified name: surfcontrol or brightcloud.
Sample Output
The following commands switch the database from surfcontrol to brightcloud.
admin@PA-4050> set url-database surfcontrol
surfcontrol URL database
username@hostname> set url-database brightcloud
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
set zip
set zip Determines whether zipped files are automatically unzipped and policies are applied to the unzipped contents.
Syntax set zip enable yes | no
Options yes
Enables automatic unzipping and inspection of zipped files.
no
Disables automatic unzipping and inspection of zipped files.
Sample Output
The following command enables automatic unzipping and inspection of zipped files.
username@hostname> set zip enable yes
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show admins
show admins Display information about the active firewall administrators.
Syntax show admins [all]
Options all
Lists the names of all administrators.
Sample Output
The following command displays administrator session information, restricted (with the match filter) to lines containing 10.0.0.
username@hostname> show admins | match 10.0.0
Admin    From          Type   Session-start    Idle-for
--------------------------------------------------------------------------
admin    10.0.0.132    Web    02/19 09:33:07   00:00:12s
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show arp
show arp Shows current Address Resolution Protocol (ARP) entries.
Syntax show arp interface
Options interface
Specifies the interface for which the ARP table is displayed. The following values are accepted:
all
Shows information for all ARP tables.
ethernetn/m
Shows information for the specified interface.
loopback
Shows loopback information.
vlan
Shows VLAN information.
Sample Output
The following command displays ARP information for the ethernet1/1 interface.
username@hostname> show arp ethernet1/1
maximum of entries supported : 8192
default timeout: 1800 seconds
total ARP entries in table : 0
total ARP entries shown : 0
status: s - static, c - complete, i - incomplete
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show authentication
show authentication Shows authentication information.
Syntax show authentication option
Options option
Specifies the authentication information to show:
• allowlist—Shows the authentication allow list.
• groupdb—Lists the group authentication databases.
• groupnames—Lists the distinct group names.
Sample Output
The following command shows the list of users that are allowed to access the firewall.
username@hostname> show authentication allowlist
vsysname    profilename    username
----------  -------------  ---------------------------
vsys1       SSLVPN         paloaltonetwork\domain users
vsys1       wtam-SSLVPN    group1
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show chassis-ready
show chassis-ready Shows whether the dataplane has a running policy.
Syntax show chassis-ready
Options None
Sample Output
The following command shows that the dataplane has a currently running policy.
username@hostname> show chassis-ready
yes
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show cli
show cli Shows information about the current CLI session.
Syntax show cli info
Options None
Sample Output
The following command shows information about the current CLI session.
username@hostname> show cli info
Process ID : 2045
Pager : enabled
Vsys configuration mode : disabled
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show clock
show clock Shows the current time on the firewall.
Syntax show clock
Options None
Sample Output
The following command shows the current time.
username@hostname> show clock
Sun Feb 18 10:49:31 PST 2007
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show config
show config Shows the active configuration.
Syntax show config
Options None
Sample Output
The following command shows the configuration lines that pertain to VLANs.
username@hostname> show config | match vlan
vlan {
vlan;
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show counter
show counter Display system counter information.
Syntax show counter [global | interface]
Options global
Shows global system counter information.
interface
Shows system counter information grouped by interface.
Sample Output
The following command displays all counter information grouped according to interface.
username@hostname> show counter interface
hardware interface counters:
------------------------------------------------------------------------
interface: ethernet1/1
------------------------------------------------------------------------
bytes received          0
bytes transmitted       0
packets received        0
packets transmitted     0
receive errors          0
packets dropped         0
------------------------------------------------------------------------
...
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show ctd
show ctd Show the threat signature information on the system.
Syntax show ctd threat threat_id application appid profile pfid
Options threat_id
Uniquely identifies the threat.
application appid
Specifies the application ID (appid) for which the threat action is shown.
profile pfid
Identifies the profile.
Sample Output
The following command shows an example with the default threat action.
username@hostname> show ctd threat 100000 application 109 profile 1
Profile 1 appid 109 , action 0
action 0 means “default” action.
The following command shows an example with no threat action.
admin@PA-HDF> show ctd threat 100000 application 108 profile 1
Profile 1 appid 108 , action ffff
action “ffff” means “no” action.
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show device
show device (Panorama only) Show the state of managed devices.
Syntax show devices [all | connected]
Options all
Shows information for all managed devices.
connected
Shows information for all connected devices.
Sample Output
The following command shows information for connected devices.
username@hostname> show devices connected
Serial        Hostname     IP          Connected
--------------------------------------------------------------------------
PA04070001    pan-mgmt2    10.1.7.2    yes
    last push state: none
username@hostname>
Required Privilege Level superuser, superuser (read only), Panorama admin
show device-messages
show device-messages (Panorama only) Show information on the policy messages for devices.
Syntax show device-messages [device] [group]
Options device
Shows the messages only for the specified device.
group
Shows the messages only for the specified device group.
Sample Output
The following command shows the device messages for the device pan-mgmt2 and the group dg1.
username@hostname> show device-messages device pan-mgmt2 group dg1
username@hostname>
Required Privilege Level superuser, superuser (read only), Panorama admin
show devicegroups
show devicegroups (Panorama only) Show information on device groups.
Syntax show devicegroups [name]
Options name
Shows the information only for the specified device group.
Sample Output
The following command shows information for the device group dg1.
username@hostname> show devicegroups dg1
==========================================================================
Group: dg3
Shared policy md5sum:dfc61be308c23e54e5cde039689e9d46
Serial        Hostname     IP          Connected
--------------------------------------------------------------------------
PA04070001    pan-mgmt2    10.1.7.2    yes
    last push state: push succeeded
    vsys3 shared policy md5sum:dfc61be308c23e54e5cde039689e9d46(In Sync)
username@hostname>
Required Privilege Level superuser, superuser (read only), Panorama admin
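The per-device md5sum in this output is what tells you whether a managed firewall is really running the group's shared policy. The following Python script, an added example rather than Palo Alto Networks code, parses the output format shown above and reports devices that are disconnected, whose last push did not succeed, or whose policy hash differs from the group's; the serials PA04070002 and PA04070003, their hostnames, addresses and hashes are constructed.

```python
"""Parse Panorama 'show devicegroups' output and flag policy drift.

Added example for this reference, not Palo Alto Networks code. The sample
text is constructed from the format in the manual; only the first device
line matches the manual's own sample, the other two are invented.
"""
import re

# Constructed sample output (not captured from a real Panorama).
SAMPLE_OUTPUT = """\
==========================================================================
Group: dg3
Shared policy md5sum:dfc61be308c23e54e5cde039689e9d46
Serial        Hostname     IP          Connected
--------------------------------------------------------------------------
PA04070001    pan-mgmt2    10.1.7.2    yes
    last push state: push succeeded
    vsys3 shared policy md5sum:dfc61be308c23e54e5cde039689e9d46(In Sync)
PA04070002    pan-mgmt3    10.1.7.3    yes
    last push state: push failed
    vsys1 shared policy md5sum:deadbeefdeadbeefdeadbeefdeadbeef(Out of Sync)
PA04070003    pan-mgmt4    10.1.7.4    no
    last push state: none
"""

GROUP_RE = re.compile(r"^Group:\s*(\S+)")
GROUP_MD5_RE = re.compile(r"^Shared policy md5sum:([0-9a-f]{32})")
DEVICE_RE = re.compile(r"^(PA\w+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(yes|no)\s*$")
PUSH_RE = re.compile(r"^\s*last push state:\s*(.+?)\s*$")
VSYS_MD5_RE = re.compile(r"^\s*(\S+) shared policy md5sum:([0-9a-f]{32})")


def parse_devicegroups(text):
    """Return one dict per managed device, carrying its group's md5sum,
    connection state, last push state and per-vsys policy md5sums."""
    devices = []
    group = None
    group_md5 = None
    current = None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            group, group_md5, current = m.group(1), None, None
            continue
        m = GROUP_MD5_RE.match(line)
        if m:
            group_md5 = m.group(1)
            continue
        m = DEVICE_RE.match(line)
        if m:
            current = {
                "group": group, "group_md5": group_md5,
                "serial": m.group(1), "hostname": m.group(2),
                "ip": m.group(3), "connected": m.group(4) == "yes",
                "push_state": None, "vsys_md5": {},
            }
            devices.append(current)
            continue
        if current is None:
            continue  # header or separator line before any device
        m = PUSH_RE.match(line)
        if m:
            current["push_state"] = m.group(1)
            continue
        m = VSYS_MD5_RE.match(line)
        if m:
            current["vsys_md5"][m.group(1)] = m.group(2)
    return devices


def policy_drift(devices):
    """Return (serial, reason) pairs for devices whose running policy cannot
    be assumed to match the group's shared policy."""
    findings = []
    for d in devices:
        if not d["connected"]:
            findings.append((d["serial"], "not connected"))
            continue  # nothing else about an unreachable device is current
        if d["push_state"] != "push succeeded":
            findings.append((d["serial"], "last push state: %s" % d["push_state"]))
        for vsys, md5 in d["vsys_md5"].items():
            if md5 != d["group_md5"]:
                findings.append((d["serial"], "%s md5 differs from group" % vsys))
    return findings


if __name__ == "__main__":
    for serial, reason in policy_drift(parse_devicegroups(SAMPLE_OUTPUT)):
        print(serial, reason)
```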
show dhcp
show dhcp Show information on Dynamic Host Configuration Protocol (DHCP) leases.
Syntax show dhcp lease
Options value
Identifies the interface (ethernetn/m)
all
Shows all the lease information.
Sample Output
The following command shows all lease information.
username@hostname> show dhcp all
interface: ethernet1/9
ip            mac                 expire
66.66.66.1    00:15:c5:60:a5:b0   Tue Mar 11 16:12:09 2008
66.66.66.2    00:15:c5:e1:0d:b0   Tue Mar 11 16:08:01 2008
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show high-availability
show high-availability Show runtime information for the high-availability subsystem.
Syntax show high-availability [all | control-link statistics | link-monitoring | path-monitoring | state | state-synchronization]
Options all
Shows all high-availability information.
control-link statistics
Shows control-link statistic information.
link-monitoring
Shows the link-monitoring state.
path-monitoring
Shows path-monitoring statistics.
state
Shows high-availability state information.
state-synchronization
Shows state synchronization statistics.
Sample Output
The following command shows path-monitoring information for the high-availability subsystem.
username@hostname> show high-availability path-monitoring
----------------------------------------------------------------------------
path monitoring: disabled
total paths monitored: 0
----------------------------------------------------------------------------
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show interface
show interface Display information about system interfaces.
Syntax show interface interface
Options interface
Specifies the interface. The following values are accepted:
all
Shows information for all interfaces.
ethernetn/m
Shows information for the specified interface.
hardware
Shows hardware information.
logical
Shows logical interface information.
loopback
Shows loopback information.
vlan
Shows VLAN information.
Sample Output
The following command displays information about the ethernet1/2 interface.
username@hostname> show interface ethernet1/2
----------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Link status:
Runtime link speed/duplex/state: auto/auto/auto
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 0:f:b7:20:2:11
Operation mode: virtual-wire
----------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Operation mode: virtual-wire
Virtual wire: default-vwire, peer interface: ethernet1/1
Interface management profile: N/A
Zone: trust, virtual system: (null)
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show jobs
show jobs Display information about current system processes.
Syntax show jobs [all | id number | pending | processed]
Options all
Shows information for all jobs.
id number
Identifies the process by number.
pending
Shows recent jobs that are waiting to be executed.
processed
Shows recent jobs that have been processed.
Sample Output
The following command lists jobs that have been processed in the current session.
username@hostname> show jobs processed
Enqueued              ID   Type      Status   Result   Completed
--------------------------------------------------------------------------
2007/02/18 09:34:39   2    AutoCom   FIN      OK       2007/02/18 09:34:40
2007/02/18 09:33:00   1    AutoCom   FIN      FAIL     2007/02/18 09:33:54
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show local-user-db
show local-user-db Display information about the local user database on the firewall.
Syntax show local-user-db [disabled yes | no] [username user] [vsys vsysname]
Options disabled
Filters the information according to whether the user accounts are enabled or disabled:
• yes—Displays users that are administratively disabled.
• no—Displays users that are administratively active.
username user
Shows information for the specified user.
vsys vsysname
Shows information for the specified virtual system.
Sample Output
The following command lists the local user database.
username@hostname> show local-user-db
Vsys     User     Disabled
vsys1    user1    no
vsys1    user2    no
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show location
show location Show the geographic location of a firewall.
Syntax show location ip address
Options address
Specifies the IP address of the firewall.
Sample Output
The following commands show location information for the addresses 10.1.1.1 and 201.52.0.0.
username@hostname> show location ip 10.1.1.1
username@hostname> show location ip 201.52.0.0
201.52.0.0 Brazil
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show log
show log Display system logs.
Syntax show log [threat | config | system | traffic] [equal | not-equal] option value
Options threat
Displays threat logs.
config
Displays configuration logs.
system
Displays system logs.
traffic
Displays traffic logs.
option value
Restricts the output. The available options depend on the keyword used in the command (threat, config, system, or traffic):
action
Type of alarm action (alert, allow, or drop)
app
Application.
client
Type of client (CLI or web).
command
Command.
dport
Destination port.
dst
Destination IP address.
from
Source zone.
receive-time in
Time interval in which the information was received.
result
Result of the action (failed, succeeded, or unauthorized).
rule
Rule name.
severity
Level of importance (critical, high, medium, low, informational)
sport
Source port.
src
Source IP address.
to
Destination zone.
greater-than-or-equal
Indicates that the option is greater than or equal to the specified value.
less-than-or-equal
Indicates that the option is less than or equal to the specified value.
equal
Indicates that the option is equal to the specified value.
not-equal
Indicates that the option is not equal to the specified value.
Sample Output
The following command shows the configuration log.
username@hostname> show log config
Time             Host          Command   Admin   Client   Result
===============================================================================
03/05 22:04:16   10.0.0.135    edit      admin   Web      Succeeded
03/05 22:03:22   10.0.0.135    edit      admin   Web      Succeeded
03/05 22:03:22   10.0.0.135    create    admin   Web      Succeeded
03/05 21:56:58   10.0.0.135    edit      admin   Web      Succeeded
...
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
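The configuration log is the record of who changed the firewall and whether the change was allowed. The following Python script, an added example rather than Palo Alto Networks code, parses the show log config table format shown above and reproduces the equal, not-equal, greater-than-or-equal and less-than-or-equal restrictions offline, then pulls out the rows whose Result is not Succeeded. The rows are constructed from the format in the manual; the admins jdoe and guest, their hosts, and the Failed and Unauthorized results are invented, and the year 2009 is assumed because the log stamp omits it.

```python
"""Parse 'show log config' output and apply the show log restriction
operators offline.

Added example for this reference, not Palo Alto Networks code. The rows
below are constructed; the last two rows (jdoe, guest, Failed,
Unauthorized) are invented to show what an auditor would look for.
"""
from datetime import datetime

# Constructed sample of 'show log config' output (not a real capture).
CONFIG_LOG = """\
Time            Host         Command  Admin   Client  Result
==============================================================
03/05 22:04:16  10.0.0.135   edit     admin   Web     Succeeded
03/05 22:03:22  10.0.0.135   edit     admin   Web     Succeeded
03/05 22:03:22  10.0.0.135   create   admin   Web     Succeeded
03/05 21:56:58  10.0.0.135   edit     admin   Web     Succeeded
03/05 21:40:03  10.0.0.77    delete   jdoe    CLI     Failed
03/05 21:12:45  10.0.0.201   edit     guest   Web     Unauthorized
"""

FIELDS = ("time", "host", "command", "admin", "client", "result")

# The restriction keywords from the show log syntax, mapped to comparisons.
OPERATORS = {
    "equal": lambda field, value: field == value,
    "not-equal": lambda field, value: field != value,
    "greater-than-or-equal": lambda field, value: field >= value,
    "less-than-or-equal": lambda field, value: field <= value,
}


def parse_time(stamp, year=2009):
    """Turn the log's 'MM/DD HH:MM:SS' stamp into a datetime.

    The log omits the year, so the caller supplies it (2009 assumed here)."""
    return datetime.strptime("%d %s" % (year, stamp), "%Y %m/%d %H:%M:%S")


def parse_config_log(text, year=2009):
    """Return one dict per log row; the header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # A data row is: date, time, host, command, admin, client, result.
        if len(parts) != 7 or not parts[0][:2].isdigit():
            continue
        when = parse_time(parts[0] + " " + parts[1], year)
        rows.append(dict(zip(FIELDS, (when,) + tuple(parts[2:]))))
    return rows


def filter_log(rows, operator, option, value):
    """Mimic 'show log config <operator> <option> <value>' on parsed rows."""
    compare = OPERATORS[operator]
    return [row for row in rows if compare(row[option], value)]


def unsuccessful_changes(rows):
    """Config changes that did not succeed. Failed and unauthorized attempts
    are the rows worth reviewing for misuse of administrative access."""
    return filter_log(rows, "not-equal", "result", "Succeeded")


if __name__ == "__main__":
    parsed = parse_config_log(CONFIG_LOG)
    for row in unsuccessful_changes(parsed):
        print(row["time"], row["host"], row["admin"], row["command"], row["result"])
```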
show logging
show logging Show whether logging is enabled.
Syntax show logging
Options None
Sample Output
The following command shows that logging is enabled.
username@hostname> show logging
on
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show mac
show mac Display MAC address information.
Syntax show mac [value | all]
Options value
Specifies a MAC address (aa:bb:cc:dd:ee:ff format).
all
Shows all MAC address entries.
Sample Output
The following command lists all current MAC address information.
username@hostname> show mac all
maximum of entries supported : 8192
default timeout : 1800 seconds
total MAC entries in table : 4
total MAC entries shown : 4
status: s - static, c - complete, i - incomplete
vlan         hw address     interface       status   ttl
---------------------------------------------------------------------------
Vlan56       0:0:1:0:0:3    ethernet1/5     c        1087
Vlan56       0:0:1:0:0:4    ethernet1/6     c        1087
Vlan11-12    0:0:1:0:0:9    ethernet1/12    c        487
Vlan11-12    0:0:1:0:0:10   ethernet1/11    c        487
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show management-clients
show management-clients Show information about internal management server clients.
Syntax show management-clients
Options None
Sample Output
The following command shows information about the internal management server clients.
username@hostname> show management-clients
Client       PRI   State    Progress
------------------------------------------------------------------------
routed       30    P2-ok    100
device       20    P2-ok    100
ikemgr       10    P2-ok    100
keymgr       10    init     0 (op cmds only)
dhcpd        10    P2-ok    100
ha_agent     10    P2-ok    100
npagent      10    P2-ok    100
exampled     10    init     0 (op cmds only)
Overall status: P2-ok. Progress: 0
Warnings:
Errors:
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show multi-vsys
show multi-vsys Show if multiple virtual system mode is set.
Syntax show multi-vsys
Options None
Sample Output
The following command shows the current status of multiple virtual systems.
username@hostname> show multi-vsys
on
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show pan-agent
show pan-agent Show statistics or user information for the Palo Alto Networks agent.
Syntax show pan-agent [statistics | user-IDs]
Options statistics
Displays full information about the Palo Alto Networks agent.
user-IDs
Displays user information for the Palo Alto Networks agent.
Sample Output
The following command shows information about the Palo Alto Networks agent.
username@hostname> show pan-agent statistics
IP Address     Port   Vsys    State           Users   Grps   IPs   Received Pkts
----------------------------------------------------------------------------
10.0.0.100     2011   vsys1   connected, ok   134     77     95    5757
10.1.200.22    2009   vsys1   connected, ok   5       864    2     1097
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show pan-ntlm-agent
show pan-ntlm-agent Display status information about the Palo Alto Networks user identification agent for NT LAN Manager (NTLM). The firewall uses the user identification agent to provide Microsoft NTLM authentication for the captive portal.
Syntax show pan-ntlm-agent statistics
Options None
Sample Output
The following command displays information about the NTLM agent.
username@hostname> show pan-ntlm-agent statistics
IP Address     Port   Vsys    State
---------------------------------------------------
10.16.3.249    2010   vsys1   trying to connect
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
show proxy
show proxy Displays information about the proxy that is used for the Secure Socket Layer (SSL) decryption function.
Syntax show proxy [certificate-cache | notify-cache | setting]
Options certificate-cache
Displays the proxy certificate cache.
notify-cache
Displays the proxy notification cache.
setting
Displays the current proxy settings.
Sample Output
The following command shows the current proxy settings.
username@hostname> show proxy setting
Ready:         no
Enable proxy:  yes
Enable ssl:    yes
Notify user:   yes
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show query
show query Show information about query jobs.
Syntax show query [jobs | id value]
Options jobs
Displays all job information.
id value
Displays job information for the specified ID.
Sample Output
The following command shows information about all current query jobs.
username@hostname> show query jobs
Enqueued   ID   Type   Last Upd   Dequeued?   ID
-------------------------------------------------------------------------
13:58:19   16          13:58:19
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show report
show report Displays information about report jobs.
Syntax show report [id number | jobs]
Options id number
Displays information about the job with the specified ID number.
jobs
Displays information on all jobs.
Sample Output
The following command shows the current jobs.
username@hostname> show report jobs
Enqueued   ID   Last Updated   dev/skip/req/resp/proc
-------------------------------------------------------------------------
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show routing
show routing Display routing run-time objects.
Syntax
show routing fib [virtual-router name]
show routing protocol [virtual-router name] ospf
show routing protocol [virtual-router name] redist
show routing protocol [virtual-router name] rip
show routing resource
show routing route [destination ip/netmask] [interface interfacename] [nexthop ip/netmask] [type type] [virtual-router name]
show routing summary
Options fib
Shows forwarding table entries. Specify an individual virtual router or all.
protocol ospf
Shows OSPF information. Specify one of the following (virtual router is optional).
  area
  Shows OSPF area status.
  dumplsdb
  Shows the OSPF LS database details.
  interface
  Shows OSPF interface status.
  lsdb
  Shows the LS database status.
  neighbor
  Shows neighbor status.
  summary
  Shows OSPF summary status.
  virt-link
  Shows status of virtual links.
  virt-neighbor
  Shows OSPF virtual neighbor status.
protocol redist
Shows redistribution rule entries. Specify one of the following (virtual router is optional).
  ospf
  Shows OSPF rules.
  rip
  Shows RIP rules.
  all
  Shows all redistribution rules.
protocol rip
Shows RIP information. Specify one of the following options (virtual router is optional).
  database
  Shows the RIP route database.
  interface
  Shows RIP interface status.
  peer
  Shows RIP peer status.
  summary
  Shows the RIP summary information.
resource
Shows resource usage.
route
Shows route entries. Optionally specify any of the following options.
  destination
  Restricts the result to a specified subnet (IP address/mask).
  interface
  Restricts the result to a specified network interface.
  nexthop
  Restricts the result to a specified next hop from the firewall (IP address/mask).
  type
  Restricts the result according to the type of route: connect and host routes, ospf, rip, or static.
  virtual-router
  Restricts the result to a specified virtual router.
summary
Shows summary information.
Sample Output
The following command shows summary routing information for the virtual router vr1.
username@hostname> show routing summary virtual-router vr1
VIRTUAL ROUTER: vr1 (id 1)
==========
OSPF
  area id: 0.0.0.0
    interface: 192.168.6.254
    interface: 200.1.1.2
    dynamic neighbors: IP 200.1.1.1 ID 200.1.1.1
  area id: 1.1.1.1
    interface: 1.1.1.1
    interface: 1.1.2.1
    interface: 1.1.3.1
    interface: 2.1.1.1
    static neighbor: IP 65.54.5.33 ID *down*
    static neighbor: IP 65.54.77.88 ID *down*
    interface: 22.22.22.22
    interface: 35.1.15.40
    interface: 192.168.7.254
    dynamic neighbors: IP 35.1.15.1 ID 35.35.35.35
==========
RIP
  interface: 2.1.1.1
  interface: 22.22.22.22
  interface: 35.1.15.40
  interface: 192.168.6.254
  interface: 200.1.1.2
==========
INTERFACE
==========
interface name:    ethernet1/1
interface index:   16
virtual router:    vr1
operation status:  up
IPv4 address:      22.22.22.22/24
IPv4 address:      35.1.15.40/24
==========
interface name:    ethernet1/3
interface index:   18
virtual router:    vr1
operation status:  up
IPv4 address:      200.1.1.2/24
==========
interface name:    ethernet1/7
interface index:   22
virtual router:    vr1
operation status:  up
IPv4 address:      1.1.1.1/24
IPv4 address:      1.1.2.1/24
IPv4 address:      1.1.3.1/24
==========
interface name:    ethernet1/15
interface index:   30
virtual router:    vr1
operation status:  up
IPv4 address:      192.168.6.254/24
==========
interface name:    ethernet1/16
interface index:   31
virtual router:    vr1
operation status:  up
IPv4 address:      192.168.7.254/24
==========
interface name:    ethernet1/18
interface index:   33
virtual router:    vr1
operation status:  down
IPv4 address:      2.1.1.1/24
username@hostname>
The following command shows dynamic routing protocol information for RIP.
username@hostname> show routing protocol rip summary
==========
virtual router:        vr1
reject default route:  yes
interval seconds:      1
update intervals:      30
expire intervals:      180
delete intervals:      120
interface:             2.1.1.1
interface:             22.22.22.22
interface:             35.1.15.40
interface:             192.168.6.254
interface:             200.1.1.2
==========
virtual router:        newr
reject default route:  yes
interval seconds:      1
update intervals:      30
expire intervals:      180
delete intervals:      120
interface:             0.0.0.0
interface:             30.30.30.31
interface:             151.152.153.154
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show session
show session Show session information.
Syntax show session [all | info] [filter [application appname] [destination destname] [destination-port destport] [destination-user destuser] [from zonename] [limit value] [protocol protnumber] [source sourcename] [source-port sourceport] [source-user sourceuser] [state state] [to zonename] [type type]]
Options all
Displays all active sessions.
info
Displays session statistics.
application appname
Specifies the application.
destination destname
Specifies the destination IP address.
destination-port destport
Specifies the destination port.
destination-user destuser
Specifies the destination user name.
from
Specifies the source zone.
protocol protname
Specifies the protocol.
source sourcename
Specifies the source IP address.
source-port sourceport
Specifies the source port.
source-user sourceuser
Specifies the source user name.
state state
Specifies the condition for the filter (active, closed, closing, discard, initial, or opening).
to
Specifies the destination zone.
type type
Specifies the flow type (regular or predict).
Sample Output
The following command displays summary statistics about current sessions.
username@hostname> show session info
--------------------------------------------------------------------------
number of sessions supported:                    2097151
number of active sessions:                       8
session table utilization:                       0%
number of sessions created since system bootup:  21
--------------------------------------------------------------------------
session timeout
  TCP default timeout:                 3600 seconds
  TCP session timeout after FIN/RST:   5 seconds
  UDP default timeout:                 600 seconds
  ICMP default timeout:                6 seconds
  other IP default timeout:            1800 seconds
--------------------------------------------------------------------------
session accelerated aging:             enabled
  accelerated aging threshold:         80% of utilization
  scaling factor:                      2 X
--------------------------------------------------------------------------
session setup
  TCP - reject non-SYN first packet:   yes
--------------------------------------------------------------------------

The following command lists all current sessions.
username@hostname> show session all
number of sessions: 8
ID/vsys   src[sport]/zone/proto       dest[dport]/zone        state    type  app.
19        192.168.10.199[2219]/1/6    10.10.10.10[6667]/2     ACTIVE   FLOW  0
20        192.168.10.191[4069]/1/6    192.168.10.199[139]/2   DISCARD  FLOW  ms-ds-smb
22        192.168.10.199[2261]/1/6    10.10.10.10[6667]/2     ACTIVE   FLOW  0
4         192.168.10.191[138]/1/17    192.168.10.255[138]/2   ACTIVE   FLOW  netbios-dg
6         192.168.10.199[138]/1/17    192.168.10.255[138]/2   ACTIVE   FLOW  netbios-dg
21        192.168.10.199[1025]/1/17   4.2.2.1[53]/2           CLOSING  FLOW  dns
9         192.168.10.199[2187]/1/6    10.10.10.10[6667]/2     ACTIVE   FLOW  0
13        192.168.10.199[2195]/1/6    10.10.10.10[6667]/2     ACTIVE   FLOW  0
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
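As an added example (not code from the guide or from Palo Alto Networks), the following Python parses the `show session all` table into records and summarises it: sessions per state, destination/port pairs reached by several sessions at once, and sessions whose app. column is still 0 rather than an application name. The sample text is constructed from the rows shown above; the declared "number of sessions" line is checked against the rows actually parsed.

```python
"""Parse `show session all` (PAN-OS 3.0 layout) and summarise the session table.

Added example; not code from the PAN-OS guide or from Palo Alto Networks.
SAMPLE is constructed from the rows in the reference output.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the reference `show session all` output, with the
# application column restored on each row.
SAMPLE = """\
number of sessions: 8
ID/vsys   src[sport]/zone/proto       dest[dport]/zone        state    type  app.
19        192.168.10.199[2219]/1/6    10.10.10.10[6667]/2     ACTIVE   FLOW  0
20        192.168.10.191[4069]/1/6    192.168.10.199[139]/2   DISCARD  FLOW  ms-ds-smb
22        192.168.10.199[2261]/1/6    10.10.10.10[6667]/2     ACTIVE   FLOW  0
4         192.168.10.191[138]/1/17    192.168.10.255[138]/2   ACTIVE   FLOW  netbios-dg
6         192.168.10.199[138]/1/17    192.168.10.255[138]/2   ACTIVE   FLOW  netbios-dg
21        192.168.10.199[1025]/1/17   4.2.2.1[53]/2           CLOSING  FLOW  dns
9         192.168.10.199[2187]/1/6    10.10.10.10[6667]/2     ACTIVE   FLOW  0
13        192.168.10.199[2195]/1/6    10.10.10.10[6667]/2     ACTIVE   FLOW  0
"""

COUNT_RE = re.compile(r"^number of sessions:\s*(\d+)\s*$")
# One table row: id[/vsys]  src[sport]/zone/proto  dst[dport]/zone  state type app
ROW_RE = re.compile(
    r"^(?P<sid>\d+)(?:/(?P<vsys>\d+))?\s+"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<szone>\d+)/(?P<proto>\d+)\s+"
    r"(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dzone>\d+)\s+"
    r"(?P<state>[A-Z]+)\s+(?P<ftype>[A-Z]+)\s+(?P<app>\S+)\s*$"
)


@dataclass(frozen=True)
class Session:
    sid: int
    src: str
    sport: int
    src_zone: int
    proto: int
    dst: str
    dport: int
    dst_zone: int
    state: str
    flow_type: str
    app: str  # "0" when the table shows no application name


def parse_sessions(text: str) -> list:
    """Return one Session per table row; raise if the declared count disagrees."""
    declared = None
    rows = []
    for line in text.splitlines():
        line = line.strip()
        m = COUNT_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # header, blank line or prompt
        g = m.groupdict()
        rows.append(Session(
            sid=int(g["sid"]), src=g["src"], sport=int(g["sport"]),
            src_zone=int(g["szone"]), proto=int(g["proto"]),
            dst=g["dst"], dport=int(g["dport"]), dst_zone=int(g["dzone"]),
            state=g["state"], flow_type=g["ftype"], app=g["app"],
        ))
    if declared is not None and declared != len(rows):
        raise ValueError(f"declared {declared} sessions, parsed {len(rows)}")
    return rows


def count_by_state(sessions) -> dict:
    """Sessions per state (ACTIVE, DISCARD, CLOSING, ...)."""
    return dict(Counter(s.state for s in sessions))


def destination_clusters(sessions, min_sessions: int = 3) -> dict:
    """(dst, dport) pairs reached by at least min_sessions sessions."""
    c = Counter((s.dst, s.dport) for s in sessions)
    return {k: n for k, n in c.items() if n >= min_sessions}


def without_app_name(sessions) -> list:
    """IDs of sessions whose app. column is 0 rather than an application name."""
    return [s.sid for s in sessions if s.app == "0"]


if __name__ == "__main__":
    ss = parse_sessions(SAMPLE)
    print(count_by_state(ss))
    print(destination_clusters(ss))
    print(without_app_name(ss))
```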
show shared-policy
show shared-policy Show the current shared policy status.
Syntax show shared-policy
Options None
Sample Output
The following command displays the current shared policy status.
username@hostname> show shared-policy
disabled
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show ssl-vpn
show ssl-vpn Show Secure Sockets Layer (SSL) virtual private network (VPN) runtime objects.
Syntax show ssl-vpn option
Options flow
Displays dataplane SSL-VPN tunnel information.
portal
Displays the SSL-VPN configuration.
user uname domain domname portal portalname
Specifies the user, domain, and portal.
Sample Output
The following command displays information on SSL-VPN tunnels.
username@hostname> show ssl-vpn flow
---------------------------------------------------------------------------
total tunnels configured:                                  10
filter - type SSL-VPN, state any
total SSL-VPN tunnel configured:                           2
total SSL-VPN tunnel shown:                                2
name     id    local-i/f    local-ip      tunnel-i/f
---------------------------------------------------------------------------
s1       2     tunnel.7     10.1.6.105    tunnel.7
rad      11    tunnel.8     10.1.6.106    tunnel.8
---------------------------------------------------------------------------
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show statistics
show statistics Show firewall statistics.
Syntax show statistics
Options None
Sample Output
The following command displays firewall statistics.
username@hostname> show statistics
TASK  PID  N_PACKETS  CONTINUE   ERROR  DROP     BYPASS  TERMINATE
0     0    0          0          0      0        0       0
1     806  6180587    6179536    39     0        0       1012
2     807  39312      37511      0      0        0       1801
3     808  176054840  173273080  2289   2777524  0       1947
4     809  112733251  111536151  1744   1194906  0       450
5     810  66052142   65225559   1271   825010   0       302
6     811  49682445   49028991   909    652227   0       318
7     812  43618777   43030638   712    587129   0       298
8     813  41255949   40706957   708    548031   0       253
9     814  42570163   42010404   714    558773   0       272
10    815  7332493    7332494    0      0        0       0
11    816  19620028   19620028   0      0        0       0
12    817  12335557   12335557   0      0        0       0
13    818  0          0          0      0        0       0
14    819  6105056    6105056    0      0        0       0
task 1(pid: 806)   flow_mgmt
task 2(pid: 807)   flow_ctrl flow_host
task 3(pid: 808)   flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 4(pid: 809)   flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 5(pid: 810)   flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 6(pid: 811)   flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 7(pid: 812)   flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 8(pid: 813)   flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 9(pid: 814)   flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 10(pid: 815)  appid_result
task 11(pid: 816)  ctd_nac ctd_token ctd_detector
task 12(pid: 817)  ctd_nac ctd_token ctd_detector
task 13(pid: 818)  proxy_packet
task 14(pid: 819)  pktlog_forwarding
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show system
show system Show system information.
Syntax show system type
Options type
Specifies the type of system information to be displayed. One of the following:
info
Shows network address and security information.
services
Shows the current system services and whether they are running.
software status
Shows software version information.
state [browser | filter value]
Shows the system tree. The browser option displays the information in a text-mode browser. The filter option limits the information that is displayed to entries matching value; the * wildcard can be used.
statistics
Shows device, packet rate, throughput, and session information. Enter q to quit or h to get help.
Sample Output
The following command displays system information.
username@hostname> show system info
hostname: mgmt-device
ip-address: 10.1.7.1
netmask: 255.255.0.0
default-gateway: 10.1.0.1
radius-server: 127.0.0.1
radius-secret: xxxxxxxx

The following command displays the system tree entries that begin with the string cfg.env.slot1.
username@hostname> show system state filter cfg.env.slot1*
cfg.env.slot1.power0.high-limit: "1.26"
cfg.env.slot1.power0.low-limit: "1.0"
cfg.env.slot1.power1.high-limit: "1.26"
cfg.env.slot1.power1.low-limit: "1.14"
cfg.env.slot1.power2.high-limit: "1.575"
cfg.env.slot1.power2.low-limit: "1.425"
cfg.env.slot1.power3.high-limit: "1.89"
cfg.env.slot1.power3.low-limit: "1.71"
...
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show target-vsys
show target-vsys Show information about the target virtual systems.
Syntax show target-vsys
Options None
Sample Output
The following command shows information about target virtual systems.
username@hostname> show target-vsys
vsys1
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show threat
show threat Show threat ID descriptions.
Syntax show threat id value
Options value
Specifies the threat ID.
Sample Output
The following command shows the threat ID description for ID 11172.
username@hostname> show threat id 11172
This signature detects the runtime behavior of the spyware MiniBug. MiniBug, also known as Weatherbug, installs other spyware, such as WeatherBug, and My Web Search Bar. It is also adware program that displays advertisements in its application window.
medium
http://www.spywareguide.com/product_show.php?id=2178
http://www.spyany.com/program/article_spw_rm_Minibug.htm
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show ts-agent
show ts-agent Show information about the Terminal Services agent (TS agent).
Syntax show ts-agent option
Options statistics
Displays information about the TS agent configuration.
user-IDs
Displays information about the users who are connected through the TS agent.
Sample Output
The following command displays information about the users who are connecting through the TS agent.
username@hostname> show ts-agent statistics
IP Address     Port  Vsys   State      Users
------------------------------------------------------------
10.1.200.1     5009  vsys1  connected  8
10.16.3.249    5009  vsys1  connected  10
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show url-database
show url-database Displays the name of the database that is being used for URL filtering.
Syntax show url-database
Options None
Sample Output
The following command displays the name of the URL database.
admin@PA-HDF> show url-database
brightcloud
admin@PA-HDF>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show virtual-wire
show virtual-wire Show information about virtual wire interfaces.
Syntax show virtual-wire [value | all]
Options value
Specifies a virtual wire interface.
all
Shows information for all virtual wire interfaces.
Sample Output
The following command displays information for the default virtual wire interface.
username@hostname> show virtual-wire default-vwire
total virtual-wire shown :   1
name             interface1     interface2
-----------------------------------------------------------------------------
default-vwire    ethernet1/1    ethernet1/2
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show vlan
show vlan Show VLAN information.
Syntax show vlan [value | all]
Options value
Specifies a VLAN.
all
Shows information for all VLANs.
Sample Output
The following command displays information for all VLANs.
username@hostname> show vlan all
vlan {
  Vlan56 {
    interface [ ethernet1/5 ethernet1/6 ];
    stp {
      enabled no;
    }
    rstp {
      enabled no;
    }
  }
  Vlan11-12 {
    interface [ ethernet1/11 ethernet1/12 ];
    stp {
      enabled no;
    }
    rstp {
      enabled no;
    }
  }
}
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show vpn
show vpn Show VPN information.
Syntax
show vpn flow [tunnel-id tunnelid]
show vpn gateway [gateway gatewayid]
show vpn ike-sa [gateway gatewayid]
show vpn ipsec-sa [tunnel tunnelid]
show vpn tunnel [name tunnelid]
Options flow
Shows information about the VPN tunnel on the data plane. Specify the tunnel or press Enter to apply to all tunnels.
gateway
Shows IKE gateway information. Specify the gateway or press Enter to apply to all gateways.
ike-sa
Shows information about the active IKE SA. Specify the gateway or press Enter to apply to all gateways.
ipsec-sa
Shows information about IPsec SA tunnels. Specify the tunnel or press Enter to apply to all tunnels.
tunnel
Shows information about auto-key IPsec tunnels. Specify the tunnel or press Enter to apply to all tunnels.
name
Shows information about the VPN tunnel. Specify the tunnel or press Enter to apply to all tunnels.
Sample Output
The following command shows VPN information for the auto-key IPsec tunnel k1.
username@hostname> show vpn tunnel name k1
TnID  Name(Gateway)     Local Proxy ID  Local Proxy ID  Proposals
------------------------------------------
7     pan5gt(pan-5gt)   0.0.0.0/0       0.0.0.0/0       ESP tunl [DH2][AES128,3DES][SHA1] 90-sec
Total 1 tunnels found, 0 ipsec sa found, 0 error
username@hostname>
The following command shows VPN information for the IKE gateway g2.
username@hostname> show vpn tunnel name g2
GwID  Name            Peer Address/ID  Local Address/ID  Protocol    Proposals
----  --------------  ---------------  ----------------  ----------  ----------------------------------------
3     falcon-kestrel  35.1.15.1        35.1.15.40        Auto(main)  [PSK][DH2][AES128,3DES][SHA1] 28800-sec
Total 1 gateways found, 0 ike sa found, 0 error.
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show zip
show zip Shows whether the ability to unzip a file and apply policy to the uncompressed content is enabled. The default is enabled.
Syntax show zip setting
Options None
Sample Output
The following command shows that the unzip option is enabled.
username@hostname> show zip setting
zip engine is enabled
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
show zone-protection
show zone-protection Shows the running configuration status and run-time statistics for zone protection elements.
Syntax show zone-protection [zone zonename]
Options zonename
Specifies the name of a zone.
Sample Output
The following command shows statistics for the trust zone.
username@hostname> show zone-protection zone trust
---------------------------------------------------------------------------
Zone trust, vsys vsys1, profile custom-zone-protection
---------------------------------------------------------------------------
tcp-syn
  enabled: no
---------------------------------------------------------------------------
udp RED
  enabled: no
---------------------------------------------------------------------------
icmp RED
  enabled: no
---------------------------------------------------------------------------
other-ip RED
  enabled: no
---------------------------------------------------------------------------
packet filter:
  discard-ip-spoof:
    enabled: no
  discard-ip-frag:
    enabled: no
  discard-icmp-ping-zero-id:
    enabled: no
  discard-icmp-frag:
    enabled: no
  discard-icmp-large-packet:
    enabled: no
  reply-icmp-timeexceeded:
    enabled: no
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin, superreader, vsysreader
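As an added example (not code from the guide or from Palo Alto Networks), this Python parser reads a `show zone-protection zone` report like the one above and lists which protections are disabled, so the profile a zone is actually running can be audited from CLI output. The sample report is constructed from the trust-zone output shown above with an assumed indentation; the parser keys on the "enabled: yes|no" lines, not on column positions, and the set of protections treated as required is an assumption of the example.

```python
"""Audit a `show zone-protection zone <name>` report for disabled protections.

Added example; not code from the PAN-OS guide or from Palo Alto Networks.
SAMPLE is constructed from the trust-zone report in the guide; its exact
indentation is assumed, so parsing relies on the "enabled:" lines only.
"""
import re

SAMPLE = """\
---------------------------------------------------------------------------
Zone trust, vsys vsys1, profile custom-zone-protection
---------------------------------------------------------------------------
tcp-syn
  enabled: no
---------------------------------------------------------------------------
udp RED
  enabled: no
---------------------------------------------------------------------------
icmp RED
  enabled: no
---------------------------------------------------------------------------
other-ip RED
  enabled: no
---------------------------------------------------------------------------
packet filter:
  discard-ip-spoof:
    enabled: no
  discard-ip-frag:
    enabled: no
  discard-icmp-ping-zero-id:
    enabled: no
  discard-icmp-frag:
    enabled: no
  discard-icmp-large-packet:
    enabled: no
  reply-icmp-timeexceeded:
    enabled: no
"""

HEADER_RE = re.compile(r"^Zone (\S+), vsys (\S+), profile (\S+)$")
# Matches both "enabled: no" on its own line and "tcp-syn enabled: no" on one line.
ENABLED_RE = re.compile(r"^(?:(?P<name>.+?)\s+)?enabled:\s*(?P<val>yes|no)$")


def parse_report(text: str) -> dict:
    """Return zone/vsys/profile and a {protection name: enabled?} map."""
    report = {"zone": None, "vsys": None, "profile": None, "protections": {}}
    current = None  # most recent heading, e.g. "tcp-syn" or "discard-ip-spoof"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank or separator line
        m = HEADER_RE.match(line)
        if m:
            report["zone"], report["vsys"], report["profile"] = m.groups()
            continue
        m = ENABLED_RE.match(line)
        if m:
            name = m.group("name") or current
            if name is None:
                raise ValueError(f"enabled flag without a heading: {line!r}")
            report["protections"][name] = m.group("val") == "yes"
            continue
        # Any other line is a heading; "packet filter:" only groups sub-items
        # and never receives its own flag, so it is simply superseded.
        current = line.rstrip(":")
    return report


def disabled_protections(report: dict) -> list:
    """Sorted names of every protection the report shows as enabled: no."""
    return sorted(n for n, on in report["protections"].items() if not on)


def audit(text: str, required=("tcp-syn", "discard-ip-spoof")) -> list:
    """Findings for protections the caller requires; empty means all are on.

    The default required set is an assumption of this example, not guidance
    from the guide.
    """
    r = parse_report(text)
    off = set(disabled_protections(r))
    findings = [f"{r['zone']}: {n} disabled" for n in required if n in off]
    findings += [f"{r['zone']}: {n} not present in report"
                 for n in required if n not in r["protections"]]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```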
ssh
ssh Open a secure shell (SSH) connection to another host.
Syntax ssh [inet] [port number] [source address] [v1 | v2] [user@]host
Options inet
Specifies that IP version 4 be used.
port
Specifies a port on the other host (default is 22).
source
Specifies a source IP address.
v1 | v2
Specifies SSH version 1 or 2 (default is version 2).
user@
Specifies a user name on the other host.
host
Specifies the IP address of the other host.
Sample Output
The following command opens an SSH connection to host 10.0.0.250 using SSH version 2.
username@hostname> ssh v2 [email protected]
[email protected]'s password:
#
Required Privilege Level superuser, vsysadmin, deviceadmin
tail
tail Print the last 10 lines of a debug file.
Syntax tail [follow] [lines] file
Options follow
Outputs appended data as the file grows.
lines
Lists the last N lines, instead of the last 10.
file
Specifies the debug file.
Sample Output
The following command displays the last 10 lines of the /var/log/pan/masterd.log file.
username@hostname> tail /var/log/pan/masterd.log
[09:32:46] Successfully started process 'mgmtsrvr' instance '1'
[09:32:47] Successfully started process 'appWeb' instance '1'
[09:32:47] Started group 'pan' start script 'octeon' with options 'start'
[09:32:48] Process 'appWeb' instance '1' exited normally with status '7'
[09:32:48] Process 'appWeb' instance '1' has no further exit rules
[09:32:53] Successfully started process 'pan-ez-agent' instance '1'
[09:32:53] Process 'pan-ez-agent' instance '1' exited normally with status '0'
[09:32:53] Process 'pan-ez-agent' instance '1' has no further exit rules
[09:32:54] Successfully started process 'pan_netconfig_agent' instance '1'
[09:32:54] Finished initial start of all processes
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
telnet
telnet Open a Telnet session to another host.
Syntax telnet [8bit] [port] host
Options 8bit
Indicates that 8-bit data will be used.
port
Specifies the port number for the other host.
host
Specifies the IP address of the other host.
Sample Output
The following command opens a Telnet session to the host 1.2.5.5 using 8-bit data.
username@hostname> telnet 8bit 1.2.5.5
Required Privilege Level superuser, vsysadmin, deviceadmin
test
test Run tests based on installed security policies.
Syntax
test nat policy-match source src-ip destination dst-ip destination-port port protocol protocol from zone1 to zone2
test security-policy-match application name source src-ip destination dst-ip destination-port port protocol protocol from zone1 to zone2
test routing fib-lookup ip ipaddress virtual-router virtualrouterid
test vpn flow [ike-sa [gateway gatewayid] | ipsec-sa [tunnel tunnelid]]
Options name
Specifies the name of an application. Enter any to include all applications.
src-ip
Specifies the source IP address for the test.
dst-ip
Specifies the destination IP address for the test.
port
Specifies the destination port for the test.
zone1
Specifies the source security zone.
zone2
Specifies the destination security zone.
fib-lookup
Specifies the route to test within the active routing table. Specify an IP address and virtual router.
ike-sa
Performs the tests only for the negotiated IKE SA. Specify a gateway or press Enter to run the test for all gateways.
ipsec-sa
Performs the tests for IPsec SA (and IKE SA if necessary). Specify a tunnel or press Enter to run the test for all tunnels.
Sample Output
The following command tests whether the set of criteria will match any of the existing rules in the security rule base.
username@hostname> test security-policy-match from trust to untrust application google-talk source 10.0.0.1 destination 192.168.0.1 protocol 6 destination-port 80 source-user known-user
Matched rule: 'rule1' action: allow
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
tftp
tftp Use Trivial File Transfer Protocol (TFTP) to copy files between the firewall and another host.
Syntax tftp [export export-option [control-plane | data-plane] to target | import import-option] [remote-port portnumber] [from source]
Options export export-option
Specifies the type of file to export to the other host. The export options are:
application
Application packet capture file.
captive-portal-text
Text to be included in a captive portal.
configuration
Configuration file.
core-file
Core file.
debug-pcap
IKE negotiation packet capture file.
file-block-page
File containing comfort pages to be presented when files are blocked.
filter
Filter definitions.
log-file
Log files.
log-db
Log database.
packet-log
Logs of packet data.
spyware-block-page
Comfort page to be presented when files are blocked due to spyware.
ssl-optout-text
SSL opt-out text.
tech-support
Technical support information.
trusted-ca-certificate
Certificate Authority (CA) security certificate.
url-block-page
Comfort page to be presented when files are blocked due to a blocked URL.
virus-block-page
Comfort page to be presented when files are blocked due to a virus.
web-interface-certificate
Web interface certificate.
import import-option
Specifies the type of file to import from the other host. The import options are:
captive-portal-text
Text to be included in a captive portal.
configuration
Configuration file.
content
Database content.
file-block-page
File containing comfort pages to be presented when files are blocked.
license
License key file.
private-key
SSL private key file.
software
Software package.
spyware-block-page
Comfort page to be presented when files are blocked due to spyware.
ssl-decryption-certificate
SSL decryption certificate.
ssl-optout-text
SSL optout text.
trusted-ca-certificate
Certificate Authority (CA) security certificate.
url-block-page
Comfort page to be presented when files are blocked due to a blocked URL.
virus-block-page
Comfort page to be presented when files are blocked due to a virus.
web-interface-certificate
Web interface certificate.
control-plane
Indicates that the file contains control information.
data-plane
Indicates that the file contains information about data traffic.
port-number
Specifies the port number on the remote host.
target
Specifies the destination in the format username@host:path.
source
Specifies the file to be copied in the format username@host:path.
Sample Output
The following command imports a license file from a file in user1's account on the machine with IP address 10.0.3.4.
username@hostname> tftp import ssl-certificate from user1@10.0.3.4:/tmp/certificatefile
Required Privilege Level superuser, vsysadmin, deviceadmin
traceroute
traceroute Display information about the route that packets take to another host.
Syntax traceroute [base-udp-port port] [bypass-routing] [debug-socket] [do-not-fragment] [first-ttl ttl] [gateway] [icmp-echo] [max-ttl ttl] [no-resolve] [pause] [source ip] [toggle-ip-checksums] [tos] [verbose] [wait] host
Options base-udp-port port
Specifies the base UDP port used in probes (default is 33434).
bypass-routing
Sends the request directly to a host on a directly attached network, bypassing the usual routing table.
debug-socket
Enables socket level debugging.
do-not-fragment
Sets the do-not-fragment bit.
first-ttl ttl
Sets the time-to-live in the first outgoing probe packet in number of hops.
gateway
Specifies a loose source route gateway (maximum 8).
icmp-echo
Uses ICMP ECHO requests instead of UDP datagrams.
max-ttl ttl
Sets the maximum time-to-live in number of hops.
no-resolve
Does not attempt to print resolved domain names.
pause
Sets the time to pause between probes (milliseconds).
source ip
Specifies the source IP address for the command.
toggle-ip-checksums
Toggles the IP checksum of the outgoing packets for the traceroute command.
tos
Specifies the type of service (TOS) treatment for the packets by setting the TOS field of the IP header in the probe packets (0-255).
verbose
Requests complete details of the traceroute request.
wait
Specifies a delay in transmission of the traceroute request (seconds).
host
Specifies the IP address or domain name of the other host.
Sample Output
The following command displays information about the route from the firewall to www.paloaltonetworks.com.
username@hostname> traceroute www.paloaltonetworks.com
traceroute to www.paloaltonetworks.com (72.32.199.53), 30 hops max, 38 byte packets
 1  10.1.0.1 (10.1.0.1)  0.399 ms  1.288 ms  0.437 ms
 2  64.0.27.225.ptr.us.xo.net (64.0.27.225)  1.910 ms  dsl027-186189.sfo1.dsl.speakeasy.net (216.27.186.189)  1.012 ms  64.0.27.225.ptr.us.xo.net (64.0.27.225)  1.865 ms
 3  dsl027-182-001.sfo1.dsl.speakeasy.net (216.27.182.1)  16.768 ms  581.420 ms  64.3.142.37.ptr.us.xo.net (64.3.142.37)  219.190 ms
 4  ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21)  228.551 ms  110.ge-0-00.cr1.sfo1.speakeasy.net (69.17.83.189)  12.352 ms  ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21)  218.547 ms
 5  ge-5-3-0.mpr3.pao1.us.above.net (209.249.11.177)  13.212 ms  p4-00.rar2.sanjose-ca.us.xo.net (65.106.5.137)  273.935 ms  221.313 ms
 6  p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178)  139.212 ms  so-1-21.mpr1.sjc2.us.above.net (64.125.28.141)  13.348 ms  p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178)  92.795 ms
 7  so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246)  12.069 ms  206.111.12.146.ptr.us.xo.net (206.111.12.146)  93.278 ms  so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246)  556.033 ms
 8  tbr1p013201.sffca.ip.att.net (12.123.13.66)  52.726 ms  so-3-20.cr1.dfw2.us.above.net (64.125.29.54)  61.875 ms  tbr1p013201.sffca.ip.att.net (12.123.13.66)  58.462 ms  MPLS Label=32537 CoS=0 TTL=1 S=1
 9  64.124.12.6.available.above.net (64.124.12.6)  74.828 ms  tbr1cl3.la2ca.ip.att.net (12.122.10.26)  62.533 ms  64.124.12.6.available.above.net (64.124.12.6)  60.537 ms
10  tbr1cl20.dlstx.ip.att.net (12.122.10.49)  60.617 ms  vlan901.core1.dfw1.rackspace.com (72.3.128.21)  59.881 ms  60.429 ms
11  gar1p360.dlrtx.ip.att.net (12.123.16.169)  108.713 ms  aggr5a.dfw1.rackspace.net (72.3.129.19)  58.049 ms  gar1p360.dlrtx.ip.att.net (12.123.16.169)  173.102 ms
12  72.32.199.53 (72.32.199.53)  342.977 ms  557.097 ms  60.899 ms
username@hostname>
Required Privilege Level superuser, vsysadmin, deviceadmin
view-pcap
view-pcap Examine the content of packet capture files.
Syntax view-pcap option filename
Options option
Specifies the type of information to report. The options are:
absolute-seq
Displays absolute TCP sequence numbers.
delta
Displays the delta (in microseconds) between the current and previous line.
hex
Displays each packet (minus link header) in hex.
hex-ascii
Displays each packet (minus link header) in hex and ASCII.
hex-ascii-link
Displays each packet (including link header) in hex and ASCII.
hex-link
Displays each packet (including link header) in hex.
link-header
Displays the link-level header on each dump line.
no-dns-lookup
Does not convert host addresses to names.
no-port-lookup
Does not convert protocol and port numbers to names.
no-qualification
Does not print domain name qualification of host names.
timestamp
Displays timestamp proceeded by date.
undecoded-nfs
Displays undecoded NFS handles.
unformattedtimestamp
Displays an unformatted timestamp.
verbose
Displays verbose output.
verbose+
Displays more verbose output.
verbose++
Displays the maximum output details..
Name of the packet capture file.
Sample Output The following command displays the contents of the packet capture file /var/session/pan/filters/syslog.pcap in ASCII and hex formats.
username@hostname> view-pcap hex-ascii /var/session/pan/filters/syslog.pcap
reading from file /var/session/pan/filters/syslog.pcap, link-type EN10MB (Ethernet)
08:34:31.922899 IP 10.0.0.244.32884 > jdoe.paloaltonetworks.local.syslog: UDP, length 314
0x0000: 4500 0156 0000 4000 4011 2438 0a00 00f4 E..V..@.@.$8....
0x0010: 0a00 006c 8074 0202 0142 d163 3c31 3137 ...l.t...B.c<117
0x0020: 3e41 7072 2020 3233 2030 383a 3334 3a33 >Apr..23.08:34:3
0x0030: 3420 312c 3034 2f32 3320 3038 3a33 343a 4.1,04/23.08:34:
0x0040: 3334 2c54 4852 4541 542c 7572 6c2c 312c 34,THREAT,url,1,
0x0050: 3034 2f32 3320 3038 3a33 343a 3235 2c31 04/23.08:34:25,1
0x0060: 302e 302e 302e 3838 2c32 3039 2e31 3331 0.0.0.88,209.131
0x0070: 2e33 362e 3135 382c 302e 302e 302e 302c .36.158,0.0.0.0,
0x0080: 302e 302e 302e 302c 6c32 2d6c 616e 2d6f 0.0.0.0,l2-lan-o
0x0090: 7574 2c77 6562 2d62 726f 7773 696e 672c ut,web-browsing,
0x00a0: 7673 7973 312c 6c32 2d6c 616e 2d74 7275 vsys1,l2-lan-tru
0x00b0: 7374 2c6c 322d 6c61 6e2d 756e 7472 7573 st,l2-lan-untrus
0x00c0: 742c 6574 6865 726e 6574 312f 3132 2c65 t,ethernet1/12,e
0x00d0: 7468 6572 6e65 7431 2f31 312c 466f 7277 thernet1/11,Forw
0x00e0: 6172 6420 746f 204d 696b 652c 3034 2f32 ard.to.Mike,04/2
0x00f0: 3320 3038 3a33 343a 3334 2c38 3336 3435 3.08:34:34,83645
0x0100: 372c 322c 3438 3632 2c38 302c 302c 302c 7,2,4862,80,0,0,
0x0110: 3078 302c 7463 7028 3629 2c61 6c65 7274 0x0,tcp(6),alert
0x0120: 2c77 7777 2e79 6168 6f6f 2e63 6f6d 2f70 ,www.yahoo.com/p
0x0130: 2e67 6966 3f2c 2c73 6561 7263 682d 656e .gif?,,search-en
0x0140: 6769 6e65 732c 696e 666f 726d 6174 696f gines,informatio
0x0150: 6e61 6c2c 3000 nal,0.
Required Privilege Level superuser, vsysadmin, deviceadmin
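As an added example (not code from the PAN-OS guide), the following Python reassembles the dump lines that view-pcap hex-ascii prints into raw bytes, decodes the IPv4 and UDP headers, and splits the syslog PRI of the payload; it uses the first three dump lines of the sample above as input and tolerates a dump that is shorter than the IP total length.

```python
"""Decode `view-pcap hex-ascii` dump lines back into an IPv4/UDP packet.

Added example, not from the PAN-OS guide. Assumes each dump line is an
"0xNNNN:" offset, up to eight 4-digit hex words, then an ASCII column
that is ignored (an ASCII column that itself looks like hex words is not
distinguished, so keep the 8-word cap in mind for the last line).
"""
import re
import struct

# The first three dump lines of the sample output above (link header omitted,
# so byte 0 is the start of the IPv4 header).
SAMPLE_DUMP = """\
0x0000: 4500 0156 0000 4000 4011 2438 0a00 00f4 E..V..@.@.$8....
0x0010: 0a00 006c 8074 0202 0142 d163 3c31 3137 ...l.t...B.c<117
0x0020: 3e41 7072 2020 3233 2030 383a 3334 3a33 >Apr..23.08:34:3
"""

_DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]{4}):\s+((?:[0-9a-fA-F]{4}\b\s*){1,8})")


def parse_hex_dump(text):
    """Reassemble packet bytes, checking that line offsets are contiguous."""
    data = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line.strip())
        if not m:
            continue  # skips "reading from file ..." and the per-packet summary line
        offset = int(m.group(1), 16)
        if offset != len(data):
            raise ValueError(f"non-contiguous dump at offset {offset:#06x}")
        data += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(data)


def decode_ipv4_udp(pkt):
    """Parse the IPv4 and UDP headers; a dump shorter than the IP total length is fine."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = fields
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "protocol": proto, "total_length": total_len,
            "captured": len(pkt)}
    if proto == 17 and len(pkt) >= ihl + 8:  # 17 = UDP
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
        payload = pkt[ihl + 8:ihl + ulen]  # shorter than ulen if the dump was cut short
        info.update({"sport": sport, "dport": dport, "udp_length": ulen,
                     "payload": payload.decode("ascii", "replace")})
    return info


def syslog_pri(payload):
    """Split a syslog <PRI> prefix into (facility, severity), or None if absent."""
    m = re.match(r"<(\d{1,3})>", payload)
    return (int(m.group(1)) // 8, int(m.group(1)) % 8) if m else None
```

On the three sample lines this yields 10.0.0.244:32884 to 10.0.0.108:514, an IP total length of 342 against 48 captured bytes, and a syslog PRI of 117 (facility 14, severity 5).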
Chapter 5
Maintenance Mode Maintenance mode provides support for error recovery and diagnostics, and allows you to reset the firewall to factory defaults. This chapter describes how to enter Maintenance mode:
• “Entering Maintenance Mode” in the next section
• “Using Maintenance Mode” on page 186
Entering Maintenance Mode The system enters Maintenance mode automatically if a critical error is discovered, or you can enter Maintenance mode explicitly when booting the firewall. A critical failure can be due to service errors, bootloader corruption, or disk filesystem errors. You can enter Maintenance mode in either of the following ways:
• Serial cable to the serial port on the firewall. For serial cable specifications, refer to the Hardware Reference Guide for your firewall model.
• Secure Socket Layer (SSL). SSL access is supported if the firewall has already entered Maintenance mode (either automatically or explicitly during bootup).
Entering Maintenance Mode Upon Bootup To enter Maintenance mode upon bootup:
1. Press m when prompted by the bootloader.
2. Press any key on your keyboard when prompted to stop the automatic boot, and then select Maint as the booting partition.
Entering Maintenance Mode Automatically If the system detects a critical error, it automatically fails over to Maintenance mode. When the firewall enters Maintenance mode, messages are displayed on the serial console, the web interface, and the CLI. The serial console displays the following message.
The web interface displays the following message.
The SSH interface displays the following message.
ATTENTION: A critical error has been detected preventing proper boot up of the device. Please contact Palo Alto Networks to resolve this issue at 866-898-9087 or [email protected]. The system is in maintenance mode. Connect via serial console or with user 'maint' through ssh to access the recovery tool.
Using Maintenance Mode The Maintenance mode main menu displays the following options.
The following table describes the Maintenance mode selections that are accessible without entering a password.
Table 4. General Maintenance Mode Options
Option                    Description
Maintenance Entry Reason  Indicates why the system entered Maintenance mode and includes possible recovery steps.
Get System Info           Displays basic information about the system. This information is useful when obtaining assistance from Customer Support.
FSCK (Disk Check)         Provides the ability to run a file system check (FSCK) on various partitions.
Log Files                 Allows viewing and copying of log files from the system.
Disk Image                Allows the system to revert to the previously installed software version.
Content Rollback          Allows a rollback to the previously installed content version.
Reboot                    Reboots the firewall.
Some of the options are password protected to prevent accidental changes that could leave the system in an inoperative state. The password is intended as a safeguard and is not meant to be secret. The password is MA1NT (numeral 1).
Table 5. General Maintenance Mode Options
Option               Description
Factory Reset        Returns the firewall to the factory default state. The reset includes an option to scrub the Config and Log partitions using a National Nuclear Security Administration (NNSA) or Department of Defense (DOD) compliant scrubbing algorithm. Note: Scrubbing can take up to six hours to complete.
Bootloader Recovery  Reprograms the main bootloader with the latest bootloader image on the system. Use this option if the failsafe bootloader is running and recovery of the main bootloader is required. (PA-2000 and PA-500 systems only)
Disk Image Advanced  These options provide greater granularity and control over installation, including status, history, bootstrapping, and other commands.
Diagnostics          Tests the dataplane booting and dataplane memory, and runs a disk performance test with bonnie++.
Appendix A CONFIGURATION HIERARCHY This appendix presents the complete firewall configuration hierarchies for the application identification firewall and for Panorama:
• “Firewall Hierarchy” in the next section
• “Panorama Hierarchy” on page 251
Firewall Hierarchy operations { schedule { commit; OR... uar-report { user ; title ; period ; start-time ; end-time ; } } OR... clear { application-signature { statistics; } OR... arp |; OR... counter { interface; OR... global { filter { category ; severity ; aspect ; } OR... name ; } OR...
all; } OR... dhcp { lease { all; OR... interface { name ; ip ; mac ; } } } OR... high-availability { control-link { statistics; } } OR... job { id 0-4294967295; } OR... log { traffic; OR... threat; OR... config; OR... system; OR... acc; } OR... mac |; OR... query { all-by-session; OR... id 0-4294967295; } OR... report { all-by-session; OR... id 0-4294967295; } OR... session { all { filter { nat none|source|destination|both; proxy yes|no; type flow|predict; state initial|opening|active|discard|closing|closed; from ;
to ; source ; destination ; source-user ; destination-user ; source-port 1-65535; destination-port 1-65535; protocol 1-255; application ; rule ; nat-rule ; } } OR... id 1-2147483648; } OR... statistics; OR... vpn { ike-sa { gateway ; } OR... ipsec-sa { tunnel ; } OR... flow { tunnel-id 1-2147483648; } } } OR... delete { admin-sessions; OR... application-block-page; OR... captive-portal-text; OR... config { saved ; } OR... config-audit-history; OR... content { update ; } OR... core { data-plane { file ; } OR... control-plane { file ; }
} OR... data-capture { directory ; } OR... debug-filter { file ; } OR... file-block-page; OR... inbound-key { file ; } OR... license { key ; } OR... logo; OR... pcap { directory ; } OR... policy-cache; OR... report { predefined { report-name ; file-name ; } OR... custom { report-name ; file-name ; } OR... summary { report-name ; file-name ; } } OR... root-certificate { file ; } OR... software { image ; OR... version ; } OR... spyware-block-page; OR... ssl-optout-text; OR...
threat-pcap { directory ; } OR... unknown-pcap { directory ; } OR... url-block-page; OR... url-coach-text; OR... url-coach-text; OR... user-file { ssh-known-hosts; } OR... virus-block-page; } OR... show { admins { all; } OR... arp ||; OR... chassis-ready; OR... cli { info; OR... idle-timeout; } OR... clock; OR... config { diff; OR... running { xpath ; } OR... synced; OR... candidate; OR... pushed { vsys ; } OR... audit { info; OR... base-version |; OR... base-version-no-deletes |;
OR... version |; } OR... saved ; } OR... counter { management-server; OR... global { filter { category ; severity ; aspect ; delta yes|no; value all|non-zero; } OR... name ; } OR... interface |; } OR... ctd { state; OR... threat { id 1-4294967295; application 0-4294967295; profile 0-4294967295; } OR... url-block-cache; } OR... dhcp { lease |; } OR... high-availability { all; OR... state; OR... link-monitoring; OR... path-monitoring; OR... state-synchronization; OR... control-link { statistics; } } OR... interface |||; OR...
jobs { all; OR... pending; OR... processed; OR... id 1-4294967296; } OR... local-user-db { vsys ; username ; disabled yes|no; } OR... location { ip ; } OR... log { traffic { direction { equal forward|backward; } csv-output { equal yes|no; } query { equal ; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } start-time { equal ; } end-time { equal ; } src { in ; OR... not-in ; } dst { in ; OR... not-in ; } rule { equal ; OR... not-equal ; } app { equal ; OR...
not-equal ; } from { equal ; OR... not-equal ; } to { equal ; OR... not-equal ; } sport { equal 1-65535; OR... not-equal 1-65535; } dport { equal 1-65535; OR... not-equal 1-65535; } action { equal allow|deny|drop; OR... not-equal allow|deny|drop; } srcuser { equal ; } dstuser { equal ; } } OR... threat { suppress-threatid-mapping { equal yes|no; } direction { equal forward|backward; } csv-output { equal yes|no; } query { equal ; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } start-time { equal ; } end-time { equal ; } src {
in ; OR... not-in ; } dst { in ; OR... not-in ; } rule { equal ; OR... not-equal ; } app { equal ; OR... not-equal ; } from { equal ; OR... not-equal ; } to { equal ; OR... not-equal ; } sport { equal 1-65535; OR... not-equal 1-65535; } dport { equal 1-65535; OR... not-equal 1-65535; } action { equal alert|allow|deny|drop|drop-all-packets|reset-client|resetserver|reset-both|block-url; OR... not-equal alert|allow|deny|drop|drop-all-packets|resetclient|reset-server|reset-both|block-url; } srcuser { equal ; } dstuser { equal ; } category { equal ; OR... not-equal ; } subtype { equal url|file;
} } OR... config { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal ; } start-time { equal ; } end-time { equal ; } client { equal web|cli; OR... not-equal web|cli; } cmd { equal add|clone|commit|create|delete|edit|get|load-fromdisk|move|rename|save-to-disk|set; OR... not-equal add|clone|commit|create|delete|edit|get|load-fromdisk|move|rename|save-to-disk|set; } result { equal succeeded|failed|unauthorized; OR... not-equal succeeded|failed|unauthorized; } } OR... system { direction { equal forward|backward; } opaque { contains ; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal ; }
start-time { equal ; } end-time { equal ; } severity { equal critical|high|medium|low|informational; OR... not-equal critical|high|medium|low|informational; OR... greater-than-or-equal critical|high|medium|low|informational; OR... less-than-or-equal critical|high|medium|low|informational; } subtype { equal ; OR... not-equal ; } object { equal ; OR... not-equal ; } eventid { equal ; OR... not-equal ; } id { equal ; OR... not-equal ; } } OR... appstat { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal ; } start-time { equal ; } end-time { equal ; } name { equal ;
OR... not-equal ; } type { equal ; OR... not-equal ; } risk { equal 1|2|3|4|5; OR... not-equal 1|2|3|4|5; OR... greater-than-or-equal 1|2|3|4|5; OR... less-than-or-equal 1|2|3|4|5; } } OR... trsum { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal ; } start-time { equal ; } end-time { equal ; } app { equal ; OR... not-equal ; } src { in ; } dst { in ; } rule { equal ; OR... not-equal ; } srcuser { equal ; OR... not-equal ;
} dstuser { equal ; OR... not-equal ; } srcloc { equal ; OR... not-equal ; OR... greater-than-or-equal ; OR... less-than-or-equal ; } dstloc { equal ; OR... not-equal ; OR... greater-than-or-equal ; OR... less-than-or-equal ; } } OR... thsum { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal ; } start-time { equal ; } end-time { equal ; } app { equal ; OR... not-equal ; } src { in ; } dst { in ; } rule { equal ;
OR... not-equal ; } srcuser { equal ; OR... not-equal ; } dstuser { equal ; OR... not-equal ; } srcloc { equal ; OR... not-equal ; OR... greater-than-or-equal ; OR... less-than-or-equal ; } dstloc { equal ; OR... not-equal ; OR... greater-than-or-equal ; OR... less-than-or-equal ; } threatid { equal ; OR... not-equal ; OR... greater-than-or-equal ; OR... less-than-or-equal ; } subtype { equal ; OR... not-equal ; } } } OR... logging; OR... mac |; OR... management-clients; OR... multi-vsys; OR... object { ip ; vsys ;
} OR... pan-agent { statistics; OR... user-IDs; } OR... pan-ntlm-agent { statistics; } OR... proxy { setting; OR... certificate-cache; OR... certificate; OR... notify-cache; OR... exclude-cache; OR... memory { detail; } } OR... query { id 1-4294967296; OR... jobs; } OR... report { id 1-4294967296; OR... jobs; OR... predefined { name { equal top-attackers|top-victims|top-attackers-by-countries|topvictims-by-countries|top-sources|top-destinations|top-destinationcountries|top-source-countries|top-connections|top-ingress-interfaces|topegress-interfaces|top-ingress-zones|top-egress-zones|top-applications|tophttp-applications|top-rules|top-attacks|top-spyware-threats|top-viruses|topvulnerabilities|top-websites|top-url-categories|top-url-users|top-url-userbehavior|unknown-tcp-connections|unknown-udp-connections|top-deniedsources|top-denied-destinations|top-denied-applications; } start-time { equal ; } end-time { equal ; } } OR... custom {
database { equal appstat|threat|thsum|traffic|trsum; } topn { equal ; } receive_time { in last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } query { equal ; } aggregate-fields { equal ; } value-fields { equal ; } } } OR... routing { resource; OR... summary { virtual-router ; } OR... fib { virtual-router ; } OR... route { destination ; interface ; nexthop ; type static|connect|ospf|rip; virtual-router ; } OR... protocol { redist all|ospf|rip; OR... ospf summary|area|interface|virt-link|neighbor|virtneighbor|lsdb|dumplsdb; OR... rip summary|interface|peer|database; virtual-router ; } } OR... session { start-at 1-2097152; OR... info; OR... meter; OR... all {
filter { nat none|source|destination|both; proxy yes|no; type flow|predict; state initial|opening|active|discard|closing|closed; from ; to ; source ; destination ; source-user ; destination-user ; source-port 1-65535; destination-port 1-65535; protocol 1-255; application ; rule ; nat-rule ; } } OR... id 1-2147483648; } OR... shared-policy; OR... ssl-vpn { portal { name ; } OR... user { portal ; domain ; user ; } OR... flow { name ; OR... tunnel-id 1-2147483648; } } OR... statistics; OR... system { software { status; } OR... info; OR... services; OR... state { filter ; OR... filter-pretty ; OR...
browser; } OR... statistics; OR... resources { follow; } OR... disk-space; OR... logdb-quota; OR... files; } OR... target-vsys; OR... threat { id <1-4294967296,...>; } OR... ts-agent { statistics; OR... user-IDs; } OR... url-database; OR... virtual-wire |; OR... vlan |; OR... vpn { gateway { name ; } OR... tunnel { name ; } OR... ike-sa { gateway ; } OR... ipsec-sa { tunnel ; } OR... flow { name