Palo Alto Commands (Important)

Show version command on Palo:
>show system info

Set management IP address:
>configure
#set deviceconfig system ip-address 192.168.3.100 netmask 255.255.255.0
(# set deviceconfig system ip-address <ip address> netmask <netmask> default-gateway <default gateway> dns-setting servers primary <DNS ip address>)
#commit

To see interfaces status:
>show interface all

Ping from a dataplane interface to a destination IP address:
> ping source <ip-address-on-dataplane> host <destination-ip-address>

Trigger a Gratuitous ARP (GARP) from a Palo Alto Networks Device:
> show interface ethernet1/3
> test arp gratuitous ip 10.66.24.139 interface ethernet1/3

Display the routing table:
> show routing route

Restart or Shutdown Palos:
request shutdown system
request restart system

Restart management server on Palo:
debug software restart process management-server

System logs to see for Errors:
less mp-log ms.log

HA pair sync error logs:
less mp-log ha_agent.log

Push the config/sync to the HA peer:
request high-availability sync-to-remote running-config

HA:
Force configuration and session synchronisation to peer device:
>request high-availability sync-to-remote
Fail to peer and suspend current device:
>request high-availability state suspend
Re-enable HA on suspended system:
>request high-availability state functional
Shows the high-availability information on current device:
>show high-availability all
Shows the control link statistics:
>show high-availability control-link
Shows the high-availability state information:
>show high-availability state
Shows the synchronisation state to the peer device:
>show high-availability state-synchronisation

To see the sessions (sip sessions):
show session all
show session all | match sip
To clear all the sessions:
clear session all
clear session all filter application skype
clear session all filter source 192.168.51.71
clear session all filter destination 8.8.8.8

To test authentication for a user:
>test authentication authentication-profile AD username iee\tungera password

Palo Monitoring Authentication logs:
>debug authentication on debug
>tail follow yes mp-log authd.log
>debug authentication off

User-group mapping for a specific user:
show user ip-user-mapping ip 192.168.64.18

Force refresh group mappings:
>debug user-id refresh group-mapping all
To see the groups that the firewall knows about:
>show user group name
The lists for every group can be read using the following CLI command:
> show user group list
To use the needed group in the previous step:
> show user group name cn=firewall-mf-rave-pcs,ou=_groups,dc=iee,dc=mfh
The group-mappings on the LDAP profile can be reset with the following CLI command:
> debug user-id reset group-mapping AD_Group_Mapping

Verify that the groups are being pulled:
> show user group-mapping state all
> show user group-mapping statistics

The following commands can be used to clear and see the user to IP mappings:
> clear user-cache-mp ip <IP-address> //user-cache-mp (Clear management plane user cache)
> clear user-cache ip <IP-address> //user-cache (Clear dataplane user cache)
> clear user-cache all
> show user ip-user-mapping ip <IP-address>
> show user ip-user-mapping all

Restart ldap user-id service Palo:
debug software restart process user-id

See the user-id agent version from the CLI on Palo:
show user user-id-agent config name MM-DC_MMISEXCHANGE_LOCAL

Check GlobalProtect currently connected users:
show global-protect-gateway current-user

Show IKE phase 1 SAs:
> show vpn ike-sa
Show IKE phase 2 SAs:
> show vpn ipsec-sa

Save an Entire Configuration for Import into Another Palo Alto Networks Device:
> configure
# save config to 2014-09-22_CurrentConfig.xml
# exit
> scp export configuration from 2014-09-22_CurrentConfig.xml to username@scpserver/PanConfigs

> scp import configuration username@scpserver/PanConfigs/2014-09-22_CurrentConfig.xml
> configure
# load config from 2014-09-22_CurrentConfig.xml
# commit
# exit

See NTP status:
>show ntp
To manually restart the NTP process, use the following CLI command:
>debug software restart process ntp
To view whether the NTP process has a new PID, execute:
>show system software status | match ntp
To verify current system date and time, use the following CLI command:
> show clock
To see the jobs being processed or all the jobs:
show jobs all
show jobs processed
Immediately after restarting, every Palo Alto Networks firewall performs an auto-commit. This takes place in the background and can last up to 30 minutes. The firewall can be accessed from the management interface during that time, but the data plane will be down and the physical interfaces will be down.

Palo Upgrade Commands:

request high-availability state suspend
request system software info
request system software check
request system software download version 7.1.19
request system software install version 7.1.19
request restart system
request high-availability state functional
show jobs all

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s