thomaxxl/Palo-Alto

Palo-Alto

Palo Alto commands

  • Session Info
show session all filter destination 8.8.8.8
show session id XXXX
  • Errors, drops
show counter global filter packet-filter yes
show counter global | match drop
show interface ethernetX/X
show system state filter * | match over
  • Debug Flow Basic
debug dataplane packet-diag clear all
debug dataplane packet-diag clear log log
debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match [ source destination ... ]

debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag show setting
debug dataplane packet-diag set log on

debug dataplane packet-diag set log off
debug dataplane packet-diag aggregate-logs 

less dp-log pan_packet_diag.log  
  • Route lookup
test routing fib-lookup virtual-router default ip <ip address>
  • System info
show jobs all
show system resources follow
show running resource-monitor
show session info
debug dataplane pool statistics
show counter global filter aspect resource
show system statistics

The following command is very effective when troubleshooting a suspected packet drop. The reason the packets were dropped helps narrow down what the issue is.

show counter global filter severity drop

The above command can be used with the delta option, which shows only the packets dropped since the last time the command was issued.

show counter global filter delta yes severity drop

Apart from the drop severity, this command can filter on other severities depending on the scenario. A few examples are: error, informational and warning.

The packet filter can be enabled using the following commands:

debug dataplane packet-diag set filter match source x.x.x.x destination y.y.y.y
debug dataplane packet-diag set filter on

To get the deltas:

show counter global filter packet-filter yes delta yes
  • VPN
show vpn ike-sa gateway
test vpn
tail follow yes ikemgr.log
  • User-ID
show user group name Domain\user
show user ip-user-mapping all
clear user-cache ip 1.1.1.1

  • High Availability
request high-availability sync-to-remote running-config

https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_4.pdf

  • Restart Management Plane
debug software restart device-server
debug software restart management-server
  • SSL decrypt debugging:

https://live.paloaltonetworks.com/docs/DOC-1386

show counter global | match proxy
  • Links

http://blog.webernetz.net/2013/11/21/cli-commands-for-troubleshooting-palo-alto-firewalls/
https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/4254-102-6-17063/qrg_v6.pdf
https://live.paloaltonetworks.com/docs/DOC-3608
CLI quick reference: https://live.paloaltonetworks.com/docs/DOC-4254
