2/12/24, 8:47 PM Dhansham - Engineer's Notebook Checkpoint Firewalls Gaia: Palo Alto: Useful CLI Commands

More

Dhansham - Engineer's Notebook Checkpoint Firewalls

Over three decades of Information Technology experience, specializing in High Performance Networks, Security Architecture, E-Commerce Engineering, Data Center Desig

Home Design IPS Cisco_ASA5500 Troubleshooting Palo_Alto S2S VPN IA ClusterXL NAT Wires

Firewalls Monday, September 19, 2022

Home Palo Alto: Useful CLI Commands

ACL Background

Administrative Distance Founded in 2005 by security visionary Nir Zuk

Earlier 2002-2005 CTO of Netsceen Juniper
ATM Before 2000-2002 founder and CTP OneSecure – World’s First IPS
Before that 1994-1999 Principal Engineer at Checkpoint
BGP
Innovations: App-ID, User-ID (AD/Directory Service LDAP users can access certain sites) , Content-ID (URL Filtering, anti-virus prot
AntiSpyWare, SSL Decrypt, Data loss Prevention)
Bridging
Builds Next Generation Firewalls that identifies and control more than 3000 applications which makes firewalls a strategic security d
Default Routes (advertising) again!

DHCP Strata PA- Series - ML Powered Next Generation Firewall - App-ID, User-ID, Content-ID, Device-ID
VM Series - Virtual Next-Generation Firewall - App-ID, User-ID, Content-ID, Device-ID
DLSW CN Series - Containerized Next generation firewall - App-ID, User-ID, Content-ID, Device-ID
Panaroma - Firewall Management
EEM
Prisma Access - Secure Access - Service Edge
EIGRP Prisma Cloud - Cloud Native Security Platform
Prisma SD-WAN
Ethernet
Cortex XDR - Extended Detection and Response
Frame Relay Cortex XSOAR
Expense
GRE Tunnels Crypsis

Cloud Content Delivery Services (Content-ID)

HSRP
DNS Security
Threat Prevention
HTTP & HTTPS URL Filtering
Wild Fire
IP Addressing IoT Security
Global Protect
IP SLA SD-WAN
Data Lost Prevention
IPv6 Prisma SaaS

IS-IS
Modules
ISDN
1. Security Platform and Architecture
ISL & 802.1q 2. Initial Configuration
3. Interface Configuration
Logging 4. Security and NAT Policies
5. App-ID
Modems 6. Content-ID
7. URL Filtering
MPLS
8. Decryption
9. WildFire
MST
10. User-ID
Multicast 11. GlobalProtect
12. Site to Site VPNs
Multicast (routing) 13. Monitoring and Reporting
14. Active/Passive High Availability
NAT & PAT 15. Security Practices

NetFlow

NTP

OSPF

PfR & OER

Port Channels

PPP

PPPoE

Prefix Lists

QoS

Redistribution

RIPv2

https://dkcheckpoint.blogspot.com/2022/09/i-have-older-pa-2050-im-having-to-do.html 1/11
2/12/24, 8:47 PM Dhansham - Engineer's Notebook Checkpoint Firewalls Gaia: Palo Alto: Useful CLI Commands

RITE

RMON

Route Maps

RSTP

SCP

Security

SNMP

SPAN & RSPAN

SSH

STP

Summarization

Switching Paths

Virtual LANs

VoIP

VTP

WCCP Here is a list of useful CLI commands.

Switching
cd "c:\Program Files\Palo Alto Networks\GlobalProtect"
VLAN PanGPS.exe -registerplap

Windows
General system health
show system info –provides the system’s management IP, serial number and code version
show system statistics – shows the real time throughput on the device
show system software status – shows whether various system processes are running
show jobs processed – used to see when commits, downloads, upgrades, etc. are completed
show system disk--space-- show percent usage of disk partitions
show system logdb--quota – shows the maximum log file sizes
debug dataplane internal vif link – show management interface (eth0) counters

To monitor CPUs
show system resources -- shows processes running in the management plane similar to “top” command
show running resource--monitor – used to see the resource utilization in the data plane, such as dataplane CPU util
less mp--log mp--monitor.log – Every 15 minutes the system runs a script to monitor management plane resource u
in this file.
less dp--log dp--monitor.log -- Every 15 minutes the system runs a script to monitor dataplane resource usage, outp

General dropped packet troubleshooting

ping source <IP_addr_src_int> host <IP_addr_host> -- allows to ping from the specified FW source interface
ping host <IP> -- ping from the MGT interface
show session all | match – used to show specific sessions in the session table. You can
enter any text after the word match. A good example would be a source or destination IP or an application
show session all | filter destination <IP> dest--port <port>-- shows all sessions going to a particular dest IP and port
show session id – shows the specifics behind a particular session by entering the ID number after the word "id”
show counter interface – shows interface counters
show counter global | match drop – used to troubleshoot dropped packets
show counter global delta yes | match [ drop | error | frag ] – show counter changes
since last time ran this command, filter on particular keyword

NAT
show running nat--policy-- shows current NAT policy table
show running ippool-- use to see if NAT pool leak
test nat--policy--match – simulate traffic going through the device, what NAT policy will it match?

Routing
show routing route – displays the routing table
test routing fib--lookup virtual--router <VR_name> ip <IP_addr_trying_reach> -- finds which route in the routing table
the IP address that you are testing

Policies
show running security--policy – shows the current policy set
test security--policy--match from trust to untrust destination <IP>-- simulate a packet going through the system, whic

PAN Agent
show user pan--agent statistics – used to see if the agent is connected and operational. Status should be connected
see numbers under users, groups and IPs.
show pan--agent user--IDs -- used to see if the FW has pulled groups from the PANAgent
show user ip--user--mapping – used to see IP to username mappings on the FW

https://dkcheckpoint.blogspot.com/2022/09/i-have-older-pa-2050-im-having-to-do.html 2/11
2/12/24, 8:47 PM Dhansham - Engineer's Notebook Checkpoint Firewalls Gaia: Palo Alto: Useful CLI Commands
clear user--cache all – clears the user--ID cache
debug device--server reset pan--agent <name> -- reset the firewall’s connection to the specified agent

URL
test url <url or IP> – used to test the categorization of a URL on the FW
tail follow yes mp--log pan_bc_download.log – shows the BrightCloud database update logs
request url--filtering download status – shows the status of the database download (essentially the very last line from
pan_bc_download.log file)
debug dataplane show url--cache statistics– shows statistics on the URL cache
show counter global | match url – shows statistics on URL processing
clear url--cache – used to clear the URL cache-- cache contains 100k of the most popular URLs on this network
show log url direction equal backward-- view the URL log, most recent entries first

To test connectivity to the BrightCloud servers:

ping host service.brightcloud.com
ping host database.brightcloud.com

Log viewing / deleting1

show log [ system | traffic | threat ] direction equal backward – will take you to the end of the specified log
show log [ system | traffic | threat ] direction equal forward – will take you to beginning of the specified log
clear log [ traffic | threat | acc ] – clear everything in the specified log

Software, Content, and Licenses

To upgrade the software on the FW:
tftp import software from <IP_addr_tftp_server> file <filename>
request system software install file <filename>
request restart system
request system software [info | check | download | install ] –manipulate PANOS software from the CLI

To upgrade the content on the FW:

tftp import content from <IP_addr_tftp_server> file <filename>
request content upgrade install file <filename>
request content downgrade install previous –downgrade to the previous content version
request system private--data--reset-- to clear config and logs/reports
debug swm [ status | list | revert ] – will show possible code to install, or code that was installed. “revert” is used to re
OS version without having to do a
factory reset (such as from 4.0 to back to 3.1)
request license info – shows the license installed on the device
delete license key ? – use to delete a license file if having issues and want to retrieve new licenses, use question m
only delete the files you see fit

Config diff/force/cli format

show config diff-- compares two versions of the config
commit force-- perform a commit, even if there are errors
set cli config--output--format set-- use to view the config in “set” format from within the configure prompt (#)

IPSec
To view detailed debug information for IPSec tunneling:
1. debug ike global on debug
2. less mp--log ikemgr.log

Misc
set deviceconfig setting session tcp--reject--non--syn no – used to ignore SYN when creating sessions; confirm com
show session info
set deviceconfig setting session offload no –-- makes all packets go through CPU, otherwise all fastpath packets jus
(turns off session offload to fastpath); confirm command took effect with show session info
debug dataplane pool statistics -- this will show the different dataplane buffers and can e used to see if the system is
certain functionality.

Palo Alto: How To Clear The ARP Cache

How do you clear the ARP cache? This is not too hard. Just SSH into the Palo Alto box. Then run the command:

dk@PA-3020> clear arp all

All ARP entries are cleared.

dk@PA-3020>

I have an older PA-2050 I'm having to do a factory reset on it. Below, you can see the output of what I had to do. I
it, and during the 5 second window, type in "maint".

https://dkcheckpoint.blogspot.com/2022/09/i-have-older-pa-2050-im-having-to-do.html 3/11
2/12/24, 8:47 PM Dhansham - Engineer's Notebook Checkpoint Firewalls Gaia: Palo Alto: Useful CLI Commands

Welcome to the PanOS Bootloader.

U-Boot 4.1.8.0-21 (Build time: Aug 27 2012 - 19:23:20)

BIST check passed.
KESTREL board revision major:2, minor:0, serial #: 0003C104442
OCTEON CN3120-CP pass 1.1, Core clock: 500 MHz, DDR clock: 265 MHz (530 Mhz data rate)
DRAM: 1024 MB
Clearing DRAM........ done
Using default environment

Flash: 64 MB
Net: octeth0, octeth1, octeth2
Bus 0 (CF Card): not available

USB: (port 0) No USB devices found.

Autoboot to default partition in 5 seconds.

Enter 'maint' to boot to maint partition.

Entry: maint

Booting to maint mode.

Palo Alto: How To Determine What Ports Are 10 Gig Ports On Palo Alto PA-850 Series

What ports are 10Gig on the Palos? Good question. You cant tell by just looking at them, so you either know wh
what I do. Go into CLI and run the following command:

PA850-1(active)> show system state | match capability

cfg.capability.dfa.sw: 0x0
cfg.capability.regex.sw: 0x0
peer.cfg.capability.dfa.sw: 0x0
peer.cfg.capability.regex.sw: 0x0
sys.s1.ha1.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, ]
sys.s1.p1.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, ]
sys.s1.p10.capability: [ auto, 10Gb/s-full, ]
sys.s1.p11.capability: [ auto, 10Gb/s-full, ]
sys.s1.p12.capability: [ auto, 10Gb/s-full, ]
sys.s1.p2.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, ]
sys.s1.p3.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, ]
sys.s1.p4.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, ]
sys.s1.p5.capability: [ auto, 1Gb/s-full, ]
sys.s1.p6.capability: [ auto, 1Gb/s-full, ]
sys.s1.p7.capability: [ auto, 1Gb/s-full, ]
sys.s1.p8.capability: [ auto, 1Gb/s-full, ]
sys.s1.p9.capability: [ auto, 10Gb/s-full, ]

It looks like ports 9 - 12 are my 10Gig ports on the PA-850.

Firewall Setup
Tunnel Interface
Phase 1 Crypto
Phase 2 Crypto

192.69.180.132
68.160.164.11
18.235.195.121
54.208.86.132
152.195.50.6

VPN Configuration
Proxy ID

https://dkcheckpoint.blogspot.com/2022/09/i-have-older-pa-2050-im-having-to-do.html 4/11
2/12/24, 8:47 PM Dhansham - Engineer's Notebook Checkpoint Firewalls Gaia: Palo Alto: Useful CLI Commands
Create Routes
Create Security Policy
Create Reverse Policy
Create Tunnel Interface
Check Tunnels

How Firwall works

Why we need it

Module 2
Administrative controls
Initial Access to the system
Configuration management
Licensing and software update
Account administration
Viewing and filtering logs

2 ways to access PA-220

gui - https
cli - console, telnet
uid: admin
password: admin

To reset to factory default (if you know the firewall admin password)
set system private-data-reset

If you do not know the admin passwordk you must place the firewall in maintainance mode
at boot up time, type maint into the CLI through the console port
at some point you can chose the action Reset to Factory Default

Console - uid/password admin

>configuration
# set deviceconfig system type static
# set deviceconfig system ip-address 192.168.10.1 netmask 255.255.255.0
# commit

Module 3 Interface Configuration

Security Zones and interfaces
Tap interface
Virtual Wire interface
Layer 2 Interface
Layer 3 Interface
Virtual Router
Loopback Interface
Policy based Fowarding

Module 4 Security and NAT Policies

Security policy fundamental concepts
Security policy Administration
Network Address Translation
Source NAT configuration
Destination Configuration
https://www.youtube.com/watch?v=poQphxWb2MQ

License /Register device/feature set allowed

Palo Alto Portal https://support.paloaltonetworks.com/Support/Index
Login to Customer Support account
Assets

Management settings
<Device><setup><Management><General Settings> <gear>
hostname:
Domain:
Time

https://dkcheckpoint.blogspot.com/2022/09/i-have-older-pa-2050-im-having-to-do.html 5/11
2/12/24, 8:47 PM Dhansham - Engineer's Notebook Checkpoint Firewalls Gaia: Palo Alto: Useful CLI Commands

More Palo Alto HA Cluster Installs

Palo Alto has a great firewall solution. It's one of two firewall vendors that I highly recommend to companies.

October Palo Alto 850 HA Install

https://dkcheckpoint.blogspot.com/2022/09/i-have-older-pa-2050-im-having-to-do.html 6/11
2/12/24, 8:47 PM Dhansham - Engineer's Notebook Checkpoint Firewalls Gaia: Palo Alto: Useful CLI Commands

Palo Alto Firewall: Testing PBF (Policy Based Forwarding) In CLI

PBR (or PBF as Palo calls it), is a really great feature. Policy Based Forwarding (in the network world, we call it p
feature where you can control where packets go without using the routing table. You set a destination based on c
you define (like source, protocol, etc) and it catches this PBF policy BEFORE it hits the routing table. Here is how
verify it works the way you want it to.

PA850-1(active)> test pbf-policy-match from L3-Inside application web-browsing source 192.168.1.5 destination 5
destination-port 443

"Exchange; index: 8" {

id 9;
from L3-Inside;
source 192.168.1.5;
destination any;
user any;
application/service any/any/any/any;
action Forward;
symmetric-return no;
forwarding-egress-IF/VSYS ethernet1/3;
next-hop 68.68.68.68;
terminal no;
}

Palo Alto Firewall: CLI Command To Verify Optic Module

Guys, real quick, if you need to check the SFP status to know if the Palo is seeing it or not, here is a CLI comman
if it is. The below is a Proline SFP.

killen@PA-850> show system state filter sys.s1.p9.phy

sys.s1.p9.phy: { 'link-partner': { }, 'media': SFP-Plus-Fiber, 'sfp': { 'connector': LC, 'encoding':

8B10B, 'identifier': SFP, 'transceiver': 1000B-SX, 'vendor-name': PROLINE , 'vendor-part-nu
mber': PAN-SFP-SX-PRO , 'vendor-part-rev': A3 , }, 'type': Ethernet, }

Palo Alto Firewall: PBF (Policy Based Forwarding) Testing In CLI

https://dkcheckpoint.blogspot.com/2022/09/i-have-older-pa-2050-im-having-to-do.html 7/11
2/12/24, 8:47 PM Dhansham - Engineer's Notebook Checkpoint Firewalls Gaia: Palo Alto: Useful CLI Commands
Did you know you can test your policy based forwarding yourself in CLI on the Palo Alto firewall? You sure can.
zone L3-Inside (my inside zone) to verify it will go out Ethernet 1/3 port. Based on the response below, it looks lik
having to involve the server guys.

killen@PA850-1(active)> test pbf-policy-match from L3-Inside application web-browsing source 192.168.5.5 desti
protocol 6 destination-port 443

"Exchange; index: 8" {

id 9;
from L3-Inside;
source 192.168.5.5;
destination any;
user any;
application/service any/any/any/any;
action Forward;
symmetric-return no;
forwarding-egress-IF/VSYS ethernet1/3;
next-hop 65.65.65.65;
terminal no;
}

allen@PA850-1(active)>

Palo Alto Firewall: Adding A Static Route In CLI

Real quick, I think this is useful for adding a lot of static routes into a Palo Alto. SSH in and do this in CLI and typ
out the following:
set network virtual-router [name of virtual router i.e. default] routing-table ip static-route [name of route i.e. Shane
destination [network/subnet mask i.e 10.10.10.0/24] interface [name of interface to be used outgoing i.e. ethernet
[next hop ip i.e. 4.4.4.4]

Add 50 or so of them from notepad at one time, then type in "commit".

Palo Alto Firewall: Verifying A Route In CLI

Real quick, how do you verify what interface a destination route goes out of the Palo Alto in CLI? Here is what yo
PA850-1(active)> test routing fib-lookup virtual-router vsys_router ip 192.168.1.5

--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: vsys_router
destination: 192.168.1.5
result:
via 5.5.5.5 interface ethernet1/3, source 5.5.5.6, metric 10
--------------------------------------------------------------------------------

Right there it is. Its ethernet1/3 in this case. I wanted to know what interface 192.168.1.5 would be going out, an
command, it tells me. Note that "vsys_router" is your virtual router that you have defined for routing. It may be de
whatever you named it.

SSL Decrypt
Most NGFWs have the ability to do SSL decryption, and its a really good idea to do so. Many attacks now come
packets, and they need to be inspected. If you have the capability to do SSL decryption, you should be doing this

Palo Alto Firewall: PA-200 Replacement

https://dkcheckpoint.blogspot.com/2022/09/i-have-older-pa-2050-im-having-to-do.html 8/11
2/12/24, 8:47 PM Dhansham - Engineer's Notebook Checkpoint Firewalls Gaia: Palo Alto: Useful CLI Commands
I went on-site to a consumer to replace a PA-200 that was having some issues. I got the software, global protect,
the same version and then did a restore from a backup I had taken. It's not a bad price process to go through.

Palo Alto Firewall: Upgrade From 7.1.x To 8.0.9 On HA Pair

Well, what should have been an easy upgrade turned ugly on me today. I've upgraded many Palo Altos is my car
product. But today, I spent three hours working through a Palo that wouldn't boot up after the upgrade to 7.1.17. T
pair and the customer didn't experience any real downtime.
After a factory reset, getting to the same software version and importing the config back in, we were back to its or
with a download of the base 8.0 software and a download and install of 8.0.9 on both units, all is good.
Palo Alto Firewall: Amber STS LED When Booting

What does that STS amber LED mean? Well, its still bootIng firewall services. You can login to the console, but
for a few minutes for all the services to come up. You should see a "System initializing; please wait... (CTRL-C to
during this time. When the STS amber LED goes green, then you should be good to go for CLI config.
I had a unit that kept the amber LED on STS. I had to do a factory reset to overcome this problem.
Palo Alto (And Check Point)

I've been working on a pair of Palo Alto 3020s in HA mode. I really like the Palo Alto firewall. Don't get me wrong
firewalls. But Palo Alto (and Check Point) just ranks to me as the best on the market. I've been consistent in say
working on this cluster, I certainly recall why.
Just FYI, I have noticed in the past few years, its been Palo Alto and Check Point at the top of the list for NGFWs
that for sure.

https://dkcheckpoint.blogspot.com/2022/09/i-have-older-pa-2050-im-having-to-do.html 9/11
2/12/24, 8:47 PM Dhansham - Engineer's Notebook Checkpoint Firewalls Gaia: Palo Alto: Useful CLI Commands

Enterprise NGFW 2016 Gartner Chart

NGFW 2016 Gartner Chart

This is interesting. I have always believed Palo and CP were the leaders. It still appears that way according to G

Palo Alto Firewall: Ping With A Source Address

Just a quick post today about ping in CLI. You can use a particular source address of your choice that belongs to
need to. Typically, you do need to if you are going across a VPN. Here is the quick command, fill in your IPs of c

PA-3020> ping source 192.168.2.1 host 192.168.1.86

Ref https://www.shanekillen.com/search/label/Palo%20Alto%20Firewall

https://dkcheckpoint.blogspot.com/2022/09/i-have-older-pa-2050-im-having-to-do.html 10/11
2/12/24, 8:47 PM Dhansham - Engineer's Notebook Checkpoint Firewalls Gaia: Palo Alto: Useful CLI Commands

Posted by Shyam's Engineering Notes at 8:27 PM

Newer Post Home

Total Pageviews

3 5 8 3 9 3

Followers Visitors

Followers (10)
Live Traffic Feed
A visitor from Mumbai
Live Feed viewed 'Dhansham - Engineer's
Notebook Checkpoint Firewall' 1 min
ago
A visitor from Saharanpur
viewed 'Dhansham - Engineer's
Notebook Checkpoint Firewall' 3
mins ago
A visitor from Montevideo
viewed 'Dhansham - Engineer's
Notebook Checkpoint Firewall' 14
mins ago
A visitor from Ramla viewed
'Dhansham - Engineer's Notebook
Checkpoint Firewall' 18 mins ago
A visitor from Asnieres-sur-
seine viewed 'Dhansham -
Engineer's Notebook Checkpoint
Firewall' 41 mins ago
A visitor from Stockholm
viewed 'Dhansham - Engineer's
Notebook Checkpoint Firewall' 55
mins ago
A visitor from Bourgogne
viewed 'Dhansham - Engineer's
Notebook Checkpoint Firewall' 56
mins ago
A visitor from Kristinehamn
viewed 'Dhansham - Engineer's
Notebook Checkpoint Firewall' 1 hr 1
min ago
A visitor from Minsk viewed
'Dhansham - Engineer's Notebook
Checkpoint Firewall' 1 hr 7 mins ago
A visitor from Geneva
viewed 'Dhansham - Engineer's
Notebook Checkpoint Firewall' 1 hr 8
mins ago
Real-time | Get Script | More Info

DK Engineering Notes . Awesome Inc. theme. Powered by Blogger.

https://dkcheckpoint.blogspot.com/2022/09/i-have-older-pa-2050-im-having-to-do.html 11/11