Scribd
Upload
3K views426 pages

Prisma SD Wan Ion Cli Reference

The document is a reference guide for the Prisma SD-WAN ION Device CLI, detailing command access, usage, and syntax. It includes sections on various command types such as clear, config, debug, dump, and inspect commands, along with their specific functionalities. The guide also provides contact information and links to additional resources for support and documentation updates.

Uploaded by

dinou
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
3K views426 pages

Prisma SD Wan Ion Cli Reference

The document is a reference guide for the Prisma SD-WAN ION Device CLI, detailing command access, usage, and syntax. It includes sections on various command types such as clear, config, debug, dump, and inspect commands, along with their specific functionalities. The guide also provides contact information and links to additional resources for support and documentation updates.

Uploaded by

dinou
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Prisma SD-WAN ION Device CLI

Reference

[Link]
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
[Link]/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal [Link].
• To search for a specific topic, go to our search page [Link]/[Link].
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@[Link].

Copyright
Palo Alto Networks, Inc.
[Link]

© 2020-2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at [Link]/company/
[Link]. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
June 24, 2021

Prisma SD-WAN ION Device CLI Reference 2 ©2025 Palo Alto Networks, Inc.
Table of Contents
Get Started with the ION Device CLI.........................................................11
Roles to Access the ION Device CLI Commands..............................................................12
Command Syntax...................................................................................................................... 13
Grep Support for the ION Device CLI Commands........................................................... 14

Access the ION Device CLI Commands..................................................... 15


Access through SSH................................................................................................................. 16
Assign a Static IP Address Using the Console................................................................... 17
Access the ION Device CLI Commands Using the Prisma SD-WAN Web
Interface.......................................................................................................................................19

Use CLI Commands......................................................................................... 21


Clear Commands........................................................................................................................22
clear app-engine.............................................................................................................22
clear app-map dynamic................................................................................................ 23
clear app-probe prefix.................................................................................................. 24
clear connection............................................................................................................. 25
clear device account-login...........................................................................................26
clear dhcplease............................................................................................................... 27
clear dhcprelay stat....................................................................................................... 27
clear flow and clear flows........................................................................................... 28
clear flow-arp..................................................................................................................29
clear qos-bwc queue-snapshot...................................................................................30
clear routing.................................................................................................................... 31
clear routing multicast statistics.................................................................................31
clear routing ospf...........................................................................................................32
clear routing peer-ip..................................................................................................... 33
clear switch mac-address-entries...............................................................................33
clear user-id agent statistics....................................................................................... 34
Config Commands..................................................................................................................... 35
config banner.................................................................................................................. 35
config bypass pair interface delete........................................................................... 36
config cellular modem.................................................................................................. 36
config controller cipher................................................................................................ 37
config interface...............................................................................................................38
config poe system usage threshold...........................................................................42
config static host........................................................................................................... 42
Debug Commands.....................................................................................................................44
arping interface.............................................................................................................. 45

Prisma SD-WAN ION Device CLI Reference 3 ©2025 Palo Alto Networks, Inc.
Table of Contents

curl..................................................................................................................................... 46
ping.................................................................................................................................... 47
ping6..................................................................................................................................48
debug bounce interface............................................................................................... 49
debug bw-test src-interface........................................................................................50
debug cellular stats....................................................................................................... 50
debug controller reachability...................................................................................... 52
debug flow.......................................................................................................................53
debug ipfix....................................................................................................................... 55
debug log agent eal file log.........................................................................................56
debug logging facility....................................................................................................57
debug logs dump............................................................................................................58
debug logs follow.......................................................................................................... 58
debug logs tail................................................................................................................ 59
debug performance-policy...........................................................................................59
debug poe interface...................................................................................................... 60
debug process.................................................................................................................61
debug reboot...................................................................................................................62
debug routing multicast log........................................................................................ 63
debug routing multicast pimd.....................................................................................64
debug servicelink logging.............................................................................................65
debug tcpproxy.............................................................................................................. 66
debug time sync.............................................................................................................67
dig dns.............................................................................................................................. 68
dig6.................................................................................................................................... 69
file export.........................................................................................................................70
file remove.......................................................................................................................71
file space available.........................................................................................................71
file tailf log.......................................................................................................................72
file view log.....................................................................................................................73
ssh6 interface..................................................................................................................74
ssh interface.................................................................................................................... 74
tcpdump............................................................................................................................75
tcpping.............................................................................................................................. 77
traceroute.........................................................................................................................78
traceroute6...................................................................................................................... 79
Dump Commands......................................................................................................................81
dump appdef config...................................................................................................... 85
dump appdef version.................................................................................................... 87
dump app-engine........................................................................................................... 88
dump app-l4-prefix table............................................................................................. 89

Prisma SD-WAN ION Device CLI Reference 4 ©2025 Palo Alto Networks, Inc.
Table of Contents

dump app-probe config................................................................................................90


dump app-probe flow................................................................................................... 91
dump app-probe prefix................................................................................................ 92
dump app-probe status................................................................................................ 93
dump auth config...........................................................................................................94
dump auth status........................................................................................................... 95
dump banner config...................................................................................................... 96
dump bfd status............................................................................................................. 96
dump bypass-pair config..............................................................................................97
dump cellular config......................................................................................................99
dump cellular stats........................................................................................................ 99
dump cellular status....................................................................................................101
dump cgnxinfra status................................................................................................104
dump cgnxinfra status live........................................................................................ 105
dump cgnxinfra status store.....................................................................................106
dump config network................................................................................................. 106
dump config security..................................................................................................107
dump controller cipher...............................................................................................114
dump controller status............................................................................................... 115
dump device accessconfig.........................................................................................116
dump device conntrack count..................................................................................116
dump device date........................................................................................................117
dump device info.........................................................................................................118
dump device status.....................................................................................................118
dump dhcp-relay config.............................................................................................119
dump dhcprelay stat................................................................................................... 120
dump dhcp-server config.......................................................................................... 121
dump dhcp-server status...........................................................................................123
dump dhcpstat............................................................................................................. 125
dump dnsservice config all........................................................................................126
dump dpdk cpu............................................................................................................ 132
dump dpdk interface.................................................................................................. 133
dump dpdk port status.............................................................................................. 136
dump dpdk stats.......................................................................................................... 137
dump flow..................................................................................................................... 138
dump flow count-summary.......................................................................................140
dump interface config................................................................................................ 142
dump interface status................................................................................................ 147
dump interface status interface details................................................................. 150
dump interface status interface module................................................................153
dump ipfix config collector-contexts......................................................................154

Prisma SD-WAN ION Device CLI Reference 5 ©2025 Palo Alto Networks, Inc.
Table of Contents

dump ipfix config derived-exporters...................................................................... 155


dump ipfix config filter-contexts............................................................................. 156
dump ipfix config ipfix-overrides............................................................................ 156
dump ipfix config prefix-filters................................................................................ 157
dump ipfix config profiles......................................................................................... 158
dump ipfix config templates..................................................................................... 159
dump lldp.......................................................................................................................159
dump lldp config..........................................................................................................161
dump lldp info.............................................................................................................. 162
dump lldp stats............................................................................................................ 163
dump lldp status.......................................................................................................... 163
dump log-agent eal conn...........................................................................................164
dump log-agent eal response-time......................................................................... 165
dump log-agent eal stats........................................................................................... 166
dump log-agent config............................................................................................... 167
dump log-agent iot snmp config............................................................................. 168
dump log-agent iot snmp device discovery stats................................................ 169
dump log-agent ip mac bindings............................................................................. 171
dump log-agent neighbor discovery stats............................................................. 171
dump log-agent status............................................................................................... 173
dump ml7 mctd counters.......................................................................................... 173
dump ml7 mctd session.............................................................................................174
dump ml7 mctd version.............................................................................................175
dump nat counters......................................................................................................176
dump nat6 counters................................................................................................... 177
dump nat summary..................................................................................................... 178
dump network-policy config policy-rules.............................................................. 179
dump network-policy config policy-sets............................................................... 183
dump network-policy config policy-stacks........................................................... 183
dump network-policy config prefix-filters.............................................................184
dump overview............................................................................................................ 185
dump performance-policy config policy-rules......................................................189
dump performance-policy config policy-sets....................................................... 192
dump performance-policy config policy-set-stacks............................................ 193
dump performance-policy config threshold-profile............................................ 193
dump poe system config........................................................................................... 195
dump poe system status........................................................................................... 195
dump priority-policy config policy-rules................................................................195
dump priority-policy config policy-sets................................................................. 198
dump priority-policy config policy-stacks............................................................. 201
dump priority-policy config prefix-filters.............................................................. 202

Prisma SD-WAN ION Device CLI Reference 6 ©2025 Palo Alto Networks, Inc.
Table of Contents

dump probe config......................................................................................................203


dump probe profile..................................................................................................... 204
dump radius config..................................................................................................... 205
dump radius statistics.................................................................................................206
dump radius status......................................................................................................207
dump reachability-probe config...............................................................................208
dump qos-bwc config.................................................................................................209
dump reachability-probe status............................................................................... 212
dump routing aspath-list............................................................................................213
dump routing cache.................................................................................................... 214
dump routing communitylist.....................................................................................220
dump routing multicast config................................................................................. 221
dump routing multicast igmp................................................................................... 222
dump routing multicast interface............................................................................ 223
dump routing multicast internal vif-entries.......................................................... 224
dump routing multicast mroute............................................................................... 225
dump routing multicast pim......................................................................................226
dump routing multicast sources.............................................................................. 227
dump routing multicast statistics............................................................................ 228
dump routing multicast status................................................................................. 229
dump routing ospf.......................................................................................................230
dump routing peer advertised routes.....................................................................233
dump routing peer config......................................................................................... 236
dump routing peer neighbor.....................................................................................237
dump routing peer received-routes........................................................................241
dump routing peer routes......................................................................................... 247
dump routing peer route-via.................................................................................... 249
dump routing peer status..........................................................................................250
dump routing peer route-json..................................................................................252
dump routing prefixlist...............................................................................................256
dump routing prefix-reachability............................................................................. 257
dump routing route.....................................................................................................261
dump routing routemap.............................................................................................263
dump routing running-config....................................................................................264
dump routing summary..............................................................................................265
dump routing static-route reachability-status......................................................268
dump routing static-route config............................................................................ 269
dump security-policy config policy-rules...............................................................272
dump security-policy config policy-set.................................................................. 275
dump security-policy config policy-set-stack....................................................... 276
dump security-policy config prefix-filters............................................................. 277

Prisma SD-WAN ION Device CLI Reference 7 ©2025 Palo Alto Networks, Inc.
Table of Contents

dump security-policy config zones......................................................................... 278


dump sensor type........................................................................................................279
dump sensor type summary..................................................................................... 281
dump serviceendpoints.............................................................................................. 282
dump servicelink summary........................................................................................282
dump servicelink stats................................................................................................286
dump servicelink status............................................................................................. 288
dump site config.......................................................................................................... 294
dump snmpagent config............................................................................................ 294
dump snmpagent status............................................................................................ 295
dump software status................................................................................................ 296
dump spoke-ha config................................................................................................297
dump spoke-ha status................................................................................................297
dump standingalarms..................................................................................................298
dump static-arp config............................................................................................... 299
dump static host config............................................................................................. 300
dump static routes...................................................................................................... 301
dump support details..................................................................................................301
dump-support............................................................................................................... 303
dump switch fdb vlan-id............................................................................................305
dump switch port status............................................................................................305
dump switch vlan-db.................................................................................................. 306
dump syslog config..................................................................................................... 307
dump syslog-rtr stats..................................................................................................307
dump syslog status..................................................................................................... 309
dump time config........................................................................................................ 309
dump time log.............................................................................................................. 310
dump time status.........................................................................................................311
dump troubleshoot message.................................................................................... 312
dump user-id agent config........................................................................................313
dump user-id agent statistics................................................................................... 314
dump user-id agent status........................................................................................ 315
dump user-id agent summary.................................................................................. 317
dump user-id groupidx...............................................................................................318
dump user-id group-mapping...................................................................................318
dump user-id ip-user-mapping.................................................................................319
dump user-id statistics............................................................................................... 320
dump user-id status.................................................................................................... 321
dump user-id summary.............................................................................................. 322
dump user-id useridx..................................................................................................323
dump vlan member..................................................................................................... 323

Prisma SD-WAN ION Device CLI Reference 8 ©2025 Palo Alto Networks, Inc.
Table of Contents

dump vpn count.......................................................................................................... 324


dump vpn ka all........................................................................................................... 325
dump vpn ka summary...............................................................................................327
dump vpn ka VpnID................................................................................................... 328
dump vpn status.......................................................................................................... 329
dump vpn summary.................................................................................................... 331
dump vrf........................................................................................................................ 333
dump waninterface config........................................................................................ 334
dump waninterface summary...................................................................................335
Inspect Commands................................................................................................................. 337
inspect app-flow-table............................................................................................... 338
inspect app-l4-prefix lookup.....................................................................................340
inspect app-map.......................................................................................................... 341
inspect certificate........................................................................................................ 343
inspect certificate device...........................................................................................344
inspect cgnxinfra role................................................................................................. 347
inspect connection...................................................................................................... 348
inspect dhcplease........................................................................................................ 349
inspect dhcp6lease......................................................................................................351
inspect dpdk ip-rules.................................................................................................. 352
inspect dpdk vrf...........................................................................................................353
inspect fib......................................................................................................................354
inspect fib-leak.............................................................................................................361
inspect flow-arp........................................................................................................... 362
inspect flow brief........................................................................................................ 364
inspect flow-detail.......................................................................................................365
inspect flow internal................................................................................................... 367
inspect interface stats................................................................................................ 371
inspect ipfix exporter-stats....................................................................................... 375
inspect ipfix collector-stats.......................................................................................376
inspect ipfix app-table................................................................................................377
inspect ipfix wan-path-info.......................................................................................378
inspect ipfix interface-info........................................................................................ 379
inspect ip-rules.............................................................................................................380
inspect ipv6-rules........................................................................................................ 381
inspect lqm stats..........................................................................................................381
inspect memory summary......................................................................................... 383
inspect network-policy conflicts..............................................................................384
inspect network-policy dropped..............................................................................386
inspect network-policy hits policy-rules................................................................387
inspect network-policy lookup.................................................................................388

Prisma SD-WAN ION Device CLI Reference 9 ©2025 Palo Alto Networks, Inc.
Table of Contents

inspect performance-policy fec status................................................................... 393


inspect policy-manager status..................................................................................394
inspect policy-mix lookup-flow................................................................................394
inspect priority-policy conflicts................................................................................396
inspect priority-policy dropped................................................................................397
inspect priority-policy hits default-rule-dscp........................................................398
inspect priority-policy hits policy-rules..................................................................399
inspect priority-policy lookup...................................................................................400
inspect performance-policy incidents.................................................................... 402
inspect performance-policy lookup........................................................................ 405
inspect performance-policy hits analytics............................................................. 406
inspect process status................................................................................................ 407
inspect qos-bwc debug-state................................................................................... 408
inspect qos-bwc queue-history................................................................................409
inspect qos-bwc queue-snapshot............................................................................410
inspect routing multicast fc site-iface.................................................................... 411
inspect routing multicast interface......................................................................... 413
inspect routing multicast mroute............................................................................ 414
inspect security-policy lookup................................................................................. 415
inspect security-policy size....................................................................................... 416
inspect switch mac-address-table........................................................................... 417
inspect system arp...................................................................................................... 417
inspect system ipv6-neighbor.................................................................................. 418
inspect system vrf....................................................................................................... 419
inspect vrf..................................................................................................................... 421
inspect wanpaths.........................................................................................................424

Prisma SD-WAN ION Device CLI Reference 10 ©2025 Palo Alto Networks, Inc.
Get Started with the ION Device
CLI
The Prisma SD-WAN ION device CLI provides a debugging interface to perform advanced
troubleshooting of the ION devices independent of the console.
• Roles to Access the ION Device CLI Commands
• Command Syntax
• Grep Support for the ION Device CLI Commands

11
Get Started with the ION Device CLI

Roles to Access the ION Device CLI Commands


Role-based access levels for the Prisma SD-WAN ION device using the command-line interface
(CLI) determine how much control an administrator has over the device. The levels of access are
Monitor, Read-Only, and Super.
• Monitor—Enables an administrator to execute the dump, inspect and file CLI commands to
display information.
• Read Only—Enables an administrator to execute the dump and file CLI commands and also
the inspect, debug, and search commands to display information.
• Super—Enables an administrator to execute all the dump and file CLI commands and also the
inspect, debug, configure, and search supported commands to display information to
troubleshoot the device, and to configure the device.

Commands User Role Description

Dump Super, Read Only, Monitor Enables you to display


information such as
configurations, controller, and
communication status.

Inspect Super, Read Only, Monitor Enables you to display


dynamic information.

Debug Super, Read Only Enables you to leverage


debugging commands.

Config Super Enables you to perform


limited configuration of the
device.

File Super, Read Only, Monitor Enables you to remove, list,


view, or export files such as
log files or packet captures.

Search Super, Read Only Reserved for future use.

There are four additional commands:


• Tab—Use after typing a command to list all options for that command.
• Help—Use at any time to display the command and any options available for that command.
• Set—Use to change the prompt or timeout for a session.
• Exit—Log out of the Prisma SD-WAN ION device CLI.

Prisma SD-WAN ION Device CLI Reference 12 ©2025 Palo Alto Networks, Inc.
Get Started with the ION Device CLI

Command Syntax
The general command syntax is as follows:

Convention Description

Keyword[Keyword] The keyword is [Link] keyword within


square brackets indicates that it is optional.

Variable A variable value or string.

X|Y|Z A bar between options or variables indicates that


you may choose only one.

(X | Y | Z) A set of options enclosed in () and separated by |


indicates that you must specify one of the values.

[X | Y | Z] A set of options enclosed in [] and separated by


a ‘|’ indicates that you mayspecify one or none of
the values.

[X | Y | Z]* A set of options enclosed in [ ] followed by a * and


separated by a ‘|’ indicates that you may specify
one or more values or none.

[X | Y | Z]+ A set of keys/values enclosed in [ ] followed by


a + and separated by a ‘|’ indicates that you may
specify one or more than one value.

Prisma SD-WAN ION Device CLI Reference 13 ©2025 Palo Alto Networks, Inc.
Get Started with the ION Device CLI

Grep Support for the ION Device CLI Commands


Grep is a command-line utility that searches for text that matches a specified regular expression
or a pattern and use CLI commands to filter the command output.

Option Description

-i Ignores case, i.e., the search is irrespective of


uppercase or lowercase.

-v Inverts match, i.e., returns results that do not


have the specified search string.

-w Matches words or regular expressions,


i.e. returns only those lines which contain
matches that form whole words.

-F Interprets patterns as a list of fixed strings


instead of regular expressions.

An example of grep command usage is shown as follows:


Output without grep
#dump interface status interface=controller1

Interface : controller 1
Device : eth0
ID : 15257577339130077
MAC Address : [Link]
State : up
Last Change : 2018-08-22 [Link].450667117 +0000 UTC
Duplex : full
Speed : 1000Mbps
Address : [Link]/22
Route : [Link]/0 via [Link] metric 0
DNS Server : [Link]
DNS Server : [Link]
DNS Search : [Link]

Output with grep


#dump interface status interface=controller1 | grep Add

MAC Address : [Link]


Address : [Link]/22

Prisma SD-WAN ION Device CLI Reference 14 ©2025 Palo Alto Networks, Inc.
Access the ION Device CLI
Commands
Access the Prisma SD-WAN ION device CLI commands in three different ways. Access through
secure socket shell (SSH), assign a static IP address, or log in through the Prisma SD-WAN web
interface (remote access).
• Access through SSH
• Assign a Static IP Address Using the Console
• Access the ION Device CLI Commands Using the Prisma SD-WAN Web Interface

15
Access the ION Device CLI Commands

Access through SSH


Once you define the user role and device access, log in to the ION device through SSH with a user
name (Login ID) and password.
• Enter ssh username@<ip address>
• Enter <password>
You now have access to the CLI commands.

Prisma SD-WAN ION Device CLI Reference 16 ©2025 Palo Alto Networks, Inc.
Access the ION Device CLI Commands

Assign a Static IP Address Using the Console


Access the Prisma SD-WAN ION device command-line interface (CLI) using the console and
assign a static IP address to an unclaimed ION device controller or internet port.

Command-line interface (CLI) using the console and assigning a static IP address is only
required to establish initial communication with the controller. Once a device is claimed,
the controller will overwrite any further configuration changes done locally on the ION via
the console or device toolkit. This is supported on all the Prisma SD-WAN ION Devices.

STEP 1 | Connect an RJ-45 to USB cable to the AUX port on the Prisma SD-WAN ION device.

STEP 2 | Connect the other end of the RJ-45 to USB cable to your computer and launch a terminal
emulator.

STEP 3 | Set the terminal or baud rate to 115200/8/n/1 on the terminal window.
The Login menu displays the login prompt with the ION device serial number.
<ION-device-serial-number> login:

STEP 4 | Use the default user details username elem-admin/hackle628)bags for unclaimed
devices.

CloudGenix 5.1.0-b23
30-001189-8149 login: elem-admin
Password:
Last login: Tue Nov 20 [Link] UTC 2018 on ttyS0

STEP 5 | Configure the controller port or one of the internet ports with the appropriate IP address,
gateway address, and DNS server.
1. Assign a static IP address to the ION devices with controller ports using the config
interface command.

# config interface controller1 ip static address=[Link]/24


gw=[Link] dns=[Link]

2. Verify your configuration using the dump interface config command.

# dump interface config controller1


Interface : controller 1
Description:
ID : 15403462741430053
Type : port
Admin State : up
Alarms : enabled
MTU:1500
IP : static
Address : [Link]/24
Route : [Link]/0 via [Link] metric 1
DNS Server : [Link]

Prisma SD-WAN ION Device CLI Reference 17 ©2025 Palo Alto Networks, Inc.
Access the ION Device CLI Commands

# dump interface status controller1


Interface: controller 1
Device : eth0
ID : 15403462741430053
MAC Address : [Link]
State: up
Last Change : 2018-11-20 [Link].785009014 +0000
UTC
Duplex: full
Speed : 1000Mbps
Address : [Link]/24
Route : [Link]/0 via [Link] metric 0
DNS Server : [Link]

3. Use the config interface command to assign a static IP address to the internet
port, this step is required for ION devices without controller ports.

# config interface 1 ip static address=[Link]/30 gw=[Link]


dns=[Link]

4. Verify your configuration using the dump interface config command.

STEP 6 | Verify the connection to the controller using the dump controller status command.

# dump controller status


Controller Connection : Partially Connected
Number of Active Connections : 2

-----------------------------------------------------------------
tcp 0 0 [Link]:57966 [Link]:443 ESTABLISHED
tcp 0 0 [Link]:57338 [Link]:443 ESTABLISHED

-----------------------------------------------------------------

STEP 7 | Go to the Prisma SD-WAN web interface to claim your recently configured ION device and
assign it to a site.
After you change the device to the claimed state, change the default password to match your
configured password (System Administration > Device Toolkit User Management).

Prisma SD-WAN ION Device CLI Reference 18 ©2025 Palo Alto Networks, Inc.
Access the ION Device CLI Commands

Access the ION Device CLI Commands Using the Prisma


SD-WAN Web Interface
Remote Access allows operators to access all the Prisma SD-WAN ION CLI commands for
diagnosing and troubleshooting device (online and in a claimed state) issues through the Prisma
SD-WAN web interface. The maximum number of simultaneous operator sessions per device is
10 and per customer account is 30.
The CLI Commands are accessed by user Roles with Root, Network Admin, Security Admin,
Admin, Super, or View Only permissions. In addition to the console credentials, an operator
requires device credentials to successfully log in to the device.
There are two ways to remotely access the device CLI commands, either through the Claimed
Devices menu or from a specific device configuration page.
STEP 1 | Select Workflows > Prisma SD-WAN Setup > Devices > Claimed Devices.
1. Click ellipsis menu, select Remote Sessions to access commands remotely.
The device must be online to access the CLI commands.
2. Another way to access the CLI commands, click ellipsis menu (next to the device) and
Remote access to access CLI commands.

STEP 2 | Log in with your credentials to access the device CLI commands.

STEP 3 | Click the gear icon on the claimed devices page and select Remote Sessions.

STEP 4 | The Remote Sessions widget displays both the Active Sessions and History tabs. To view
active sessions filter by Session ID, Element ID or Operator. You can close an active session
by clicking the Close from Action column. You can sort historical sessions by the column
headers.

Prisma SD-WAN ION Device CLI Reference 19 ©2025 Palo Alto Networks, Inc.
Access the ION Device CLI Commands

Prisma SD-WAN ION Device CLI Reference 20 ©2025 Palo Alto Networks, Inc.
Use CLI Commands
Use the Prisma SD-WAN ION device CLI (clear, config, debug, dump, and inspect) commands for
debugging and troubleshooting.
• Clear Commands
• Config Commands
• Debug Commands
• Dump Commands
• Inspect Commands

21
Use CLI Commands

Clear Commands
Clear commands enable users to clear status.
• clear app-engine
• clear app-map dynamic
• clear app-probe prefix
• clear connection
• clear device account-login
• clear dhcplease
• clear dhcprelay stat
• clear flow and clear flows
• clear flow-arp
• clear qos-bwc queue-snapshot
• clear routing
• clear routing multicast statistics
• clear routing ospf
• clear routing peer-ip
• clear switch mac-address-entries
• clear user-id agent statistics

clear app-engine
Use the clear app-engine command to clear per-app stats, global app stats, and dns-based
appmap entries for application id.

Command

clear app-engine app-stats [all | uappname= | appid= | fcappid= ]

clear app-engine globals

clear app-engine dns-cache [all | uappname= | ipv4= ]

Options

app-stats Enter an unified application name / all/


application id / fcappid to clear app-stats for the
application.

globals Enter globals to clear global for the application.

Prisma SD-WAN ION Device CLI Reference 22 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dns-cache Enter all / unified application name / ipv4 address


to clear dns cache for the application.

Command Notes

Role Super

Related Commands dump app-engine

Introduced in Release 6.0.1

Example

clear app-engine app-stats all

clear app-map dynamic


Use the clear app-map dynamic command to remove an entry from the application map
cache that identifies an IP, port, or protocol as a specific application ID.

The protocol field is mandatory for all attributes except all.

Command

clear app-map dynamic ( all | srcv4= | dstv4= | srcv6= | dstv6= |


srcport= | dstport= ) prot=

Options

all Enter all to clear all the application entries.

srcv4 Enter the source IPv4 address to clear the


source IP of the application.

dstv4 Enter the destination IPv4 address to clear the


destination IP of the application.

srcv6 Enter the source IPv6 address to clear the


source IP of the application. Release 6.2.1

dstv6 Enter the destination IPv6 address to clear the


destination IP of the application. Release 6.2.1

srcport Enter the source port to clear the source port


of the application.

Prisma SD-WAN ION Device CLI Reference 23 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dstport Enter the destination port to clear the


destination port of the application.

protocol Tab to select UDP, TCP, or ICMP. Or, enter a


protocol number ranging from 0 - 255 to clear
the application protocol.

Command Notes

Role Super

Related Commands inspect app-map

Introduced in Release 5.0.3

Example

clear app-map-dynamic srcport=1080 prot=udp

clear app-probe prefix


Use the clear app-probe prefix command to clear prefixes mapped on an application for
each path or port combination.

Command

clear app-probe prefix (application= | server-ip= | path-id= |


port= )

Options

application Enter an application name to clear prefixes for


the application.

server-ip Enter a server IP address to clear prefixes


mapped to the server.

path-id Enter a Path ID to clear prefixes mapped to the


path.

port Enter a port number to clear prefixes mapped to


the port.

Prisma SD-WAN ION Device CLI Reference 24 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super

Related Commands

Introduced in Release 5.1.1

Example

clear app-probe prefix application=ftp


Wait for 15-20 seconds.
dump app-probe prefix application=ftp

Prefix/Subnet LastFailedServerIP Port Path-ID


AppProbeStarted LastActivityTime ClientReachAttemptTime
ResetProbeTime
[Link]/32 [Link] 21 15247082647420237
false 2018-12-[Link] 2018-12-[Link]
2018-12-[Link]

clear connection
Use the clear connection command to clear the established connections that match user-
specified options.

Command

clear connection (all | srcv4=src-ipv4 | destv4=dst-ipv4 | ) | |


srcport=src-port |dstport=dst-port | proto= ( udp | tcp | icmp |
other )

Options

srcv4 Enter the source IP address to clear the


established connections that match the specified
source IP address.

dstv4 Enter the destination IP address to clear the


established connections that match the specified
destination IP address.

srcport Enter the source port to clear the established


connections that match the specified source port.

dstport Enter the destination port to clear the established


connections that match the specified destination
port.

Prisma SD-WAN ION Device CLI Reference 25 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

prot Tab to select UDP, TCP, or ICMP. Or, enter a


protocol number ranging from 0 - 255.

Command Notes

Role Super

Related Commands —

Introduced in Release 5.0.1

Example
clear connection proto=udp
This will be Service impacting for the matching connections areyou sure? [Y|N]:Y
PROTO TIME OUT SRC DST SPORT DPORT t-src t-dst tsport tdport
udp 29 [Link] [Link] 38382 53 [Link] [Link] 38382 53
udp 29 [Link] [Link] 37516 53 [Link] [Link] 37516 53

clear device account-login


Use the clear device account-login command to clear the login failures. User account is
locked because of multiple failed login attempts.

Command

clear device account-login (user=user-name | all)

Options

user Enter user-name to clear the login failures for the


given user device account-login.

all Enter all to clear login failures of all the users.

Command Notes

Role Super

Related Commands dump device account-login

Introduced in Release 6.2.1

Prisma SD-WAN ION Device CLI Reference 26 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

clear device account-login all

clear device account-login user=elem-admin

clear dhcplease
Use the clear dhcplease command to clear the DHCP server lease.

Disable the dhcp server before running clear dhcplease command.

Command

clear dhcplease

Options

None

Command Notes

Role Super, Read Only

Related Commands inspect dhcplease

Introduced in Release 5.1.3

Example

clear dhcplease

clear dhcprelay stat


Use the clear dhcprelay stat to clear the DHCP relay statistics. A successful execution of
the command does not show any output. Failure in execution of the command displays dhcprelay
clear stat failed and it occurs if the DHCP relay is not in operation.

Command

clear dhcprelay stat

Prisma SD-WAN ION Device CLI Reference 27 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

None

Command Notes

Role Super

Related Commands dump dhcprelay stat

Introduced in Release 4.5.1

Example

clear dhcprelay stat

dhcprelay clear stat failed

clear flow and clear flows


Use the clear flow and clear flows command to clear the flows from the flow table to
debug and troubleshoot. For clear flow, you have to use with all 5 tuple (srcv4/srcv6, dstv4/
dstv6, srcport, dstport, prot) and for clear flows, you can use with any one of 7 tuple (srcv4=
dstv4= srcv6= dstv6= srcport= dstport= prot=).

Command

clear flow srcv4= source IP address dstv4= destination IP address


srcv6= source IP address dstv6= destination IP address
srcport= sourceport number dstport= destination port number
prot= protocol number

clear flows srcv4= source IP address dstv4= destination IP address


srcv6= source IP address dstv6= destination IP address
srcport= sourceport number dstport= destination port number
prot= protocol number

Options

None

Prisma SD-WAN ION Device CLI Reference 28 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super

Related Commands inspect flow-detail

Introduced in Release 4.5.3

Example

clear flow srcv4=[Link] dstv4=[Link]


srcport=38851dstport=443 prot=17flow

clear flow srcv6=[Link] dstv6=2103::13 srcport=128 dstport=0


prot=58

clear flows dstv6=2103::13

clear flow-arp
Use the clear flow-arp command to clear cached address resolution protocol (ARP) entries
from the data plane.

Command

clear flow-arp

Options

all Enter all to clear all cached ARP entries from the
data plane.

host Enter the host IP address to clear ARP entries


for the specified host from the data plane.

Command Notes

Role Super

Related Commands inspect flow-arp

Introduced in Release 4.6.1

Prisma SD-WAN ION Device CLI Reference 29 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

clear flow-arp

clear qos-bwc queue-snapshot


Use the clear qos-bwc queue-snapshot command to clear details of the QoS bandwidth
queue snapshot information.

Command

clear qos-bwc queue-snapshot agent= agent number

Options

snapshot agent= Provide the QoS agent number


to indicate which agent to clear.
(This must always be provided.)

Command Notes

Role Super, Read Only, Monitor

Related Commands dump qos-bwc config

inspect qos-bwc queue-snapshot

Introduced in Release 6.0.1

Example

clear qos-bwc queue-snapshot agent=


agent=300 agent=100 agent=201 agent=501 agent=401 agent=600
agent=500
agent=400 agent=701 agent=301 agent=200 agent=601 agent=101
agent=700

clear qos-bwc queue-snapshot agent=201

Prisma SD-WAN ION Device CLI Reference 30 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

clear routing
Use the clear routing command to clear the border gateway protocol (BGP) peer sessions on
a device.

Command

clear routing (vrf-name | vrf-id) peer-ip

Options

vrf-name This clears the BGP peer session with the


associated VRF name and peer IP.

vrf-id This clears the BGP peer session with the


associated VRF id and peer IP.

Command Notes

Role Super

Related Commands dump routing summary

Introduced in Release 6.3.1

Example

clear routing vrf-name=IOT-Data peer-ip [Link]

clear routing vrf-id=1686679744525012828 peer-ip [Link]

clear routing multicast statistics


Use the clear routing multicast statistics command to clear the PIM routing
multicast statistics to debug and troubleshoot.

Command

clear routing multicast statistics

Options

None

Prisma SD-WAN ION Device CLI Reference 31 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super

Related Commands -

Introduced in Release 5.6.1

Example

clear routing multicast statistics

clear routing ospf


Use the clear routing ospf command to clear all the open shortest path first (OSPF)
sessions on a device and used to debug any routing-related issues on the device.

Command

clear routing ospf process ( vrf < process | interface=interface


name> )

Options

process Enter the process to reset all ospf (all vrf).

vrf process: Enter process with VRF name to reset


given OSPF.
interface: Enter the interface name or ID
associated with VRF name to reset OSPF
interface.

Command Notes

Role Super

Related Commands -

Introduced in Release 6.4.1

Example

clear routing ospf process

Prisma SD-WAN ION Device CLI Reference 32 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

clear routing peer-ip


Use the clear routing peer-ip command to clear the border gateway protocol (BGP) peer
sessions on a device.

Command

clear routing peer-ip ( hard | soft)

Options

hard This tears down the session with a BGP peer


and invalidates the cached routes.

soft This enables BGP peers to request an update


without tearing down the entire procedure.

Command Notes

Role Super

Related Commands dump routing summary

Introduced in Release 5.0.1

Example

clear routing peer-ip [Link] soft

clear switch mac-address-entries


Use the clear switch mac-address-entries command to clear Layer 2 switch MAC
address entries.

Command

clear switch mac-address-entries

Options
None.

Command Notes

Role Super

Prisma SD-WAN ION Device CLI Reference 33 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Related Commands -

Introduced in Release 6.0.2

Example

clear switch mac-address-entries

Do you really want to clear switch mac-address-entries [y/n]: yes to remove entries.

clear user-id agent statistics


Use the clear user-id agent statistics command to clear the agent statistics of the
User-ID service.

Command

clear user-id agent statistics ( Id= | all

Options

all Enter all to clear statistics for all the User-ID


agents on the device.

id Enter an ID to clear the statistics for the User-ID


agent.

Command Notes
This command applies only to data center ION devices.

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

clear user-id agent statistics all


Cleared user-id agent statistics

clear user-id agent statistics Id=16201238163240333


Cleared user-id agent statistics

Prisma SD-WAN ION Device CLI Reference 34 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Config Commands
Config commands enable users to configure interfaces, devices, and routing. This command
option is available only to the Super user role.
• config banner
• config bypass pair interface delete
• config cellular modem
• config controller cipher
• config interface
• config poe system usage threshold
• config static host

config banner
Use the config banner command to configure an alphanumeric banner string of 1000
characters to display on the user login screen.

Command

config banner

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump banner config

Introduced in Release 4.4.1

Example

config banner
###################################
\nThis is a sample banner\n
###################################

Prisma SD-WAN ION Device CLI Reference 35 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

config bypass pair interface delete


Use the config bypass pair interface delete command to remove bypass pairs
configured on interfaces and to remove default bypass pairs for unclaimed ION 2000 and ION
3000 devices.

Command

config bypass pair interface= interface number delete

Options

None

Command Notes

Role Super

Related Commands dump bypass-pair config

Introduced in Release 5.0.1

Example

config bypass-pair 4 delete

config cellular modem


Use the config cellular modem command to configure modem SIM PIN.

Command

config cellular modem <module-name> sim <sim-slot-number> enter-pin


pin=<pin-code>

config cellular modem <module-name> sim <sim-slot-number> remove-pin

Prisma SD-WAN ION Device CLI Reference 36 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

SIM PIN operational commands:

cellular modem <module-name> sim <sim-slot-number> enable-sim-pin


pin=<pin-code>

cellular modem <module-name> sim <sim-slot-number> disable-sim-pin


pin=<pin-code>

cellular modem <module-name> sim <sim-slot-number> unblock-sim-pin


puk=<puk-code> new-pin=<new-pin-code>

cellular modem <module-name> sim <sim-slot-number> change-pin


pin=<pin-code> new-pin=<new-pin-code>

Options

None

Command Notes

Role Super

Related Commands

Introduced in Release 5.6.1

Example

config cellular modem cwan1 sim 1 enter-pin pin=1234

config cellular modem cwan1 sim 1 remove-pin

cellular modem cwan1 sim 1 enable-sim-pin pin=1234

config controller cipher


Use the config controller cipher command to configure controller cipher or encryption
and to set the encryption level for device to controller communication.

Command

config controller cipher

Prisma SD-WAN ION Device CLI Reference 37 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

None

Command Notes

Role Super

Related Commands dump controller cipher

Introduced in Release 4.4.1

Example

config controller cipher RSA-AES256-GCM-SHA384


Applied Cipher config

config interface
Use the config interface command to configure a physical or a logical interface and
consists of sub-commands—create a point to point protocol over ethernet (PPPoE) interface on a
parent physical interface, update PPPoE interface details, configure the LLDP state of a selected
interface, configure or enable the PoE threshold of a selected interface.

PPPoE option is only available for preclaimed or unclaimed devices.

Command

config interface interface-number (pppoe | ip | ip6 | mode | mtu |


usedfor= (none | private | public | private-l2) | enabled = (false |
true))

config interface (cellular1 | cellular2) (apn (auto-apn | name) |


iptype (ipv4 | ipv6 | ipv4v6)| mtu | enabled= (false | true))

config interface interface-number ip6 (dhcp | static address=)

config interface interface-number ipv6 (autoconf | static address= |


pppoe | none)

config interface <id> lldp state=(rxonly or txrx)

config interface <id> poe enabled=true-usage-threshold 60

Prisma SD-WAN ION Device CLI Reference 38 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

pppoe description Enter a description for the PPPoE


interface.

pppoeuser Enter the challenge handshake


authentication protocol (CHAP) or
password authentication protocol
(PAP) user name for PPPoE
authentication.

pppoepasswd Enter the CHAP or PAP password for


PPPoE authentication.

servicename Enter the name of the PPPoE service


provider for connection. A WAN
network has multiple service providers
and select the service name field.

adddress Enter the IP address of the remote


shim.

gw Enter the IP address of the Gateway.

reconnectdelay Enter a value for delay (in seconds) for


PPPoE reconnection.

hostuniq Enter an even-sized hexadecimal


number to set a value for Host-Uniq.

ip static gw - Enter the IP address for the


gateway.

dns - Enter the DNS address.

address - Enter the static IP address of


the interface.

dhcp hostname - Enter a single hostname or


comma separated multiple hostnames.

clientid - Enter the DHCP client


identity.

pppoe Select pppoe to configure a PPPoE


interface.

none Enter none to reset previously entered


information.

Prisma SD-WAN ION Device CLI Reference 39 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

ipv6 static gw - Enter the IP address for the


gateway.

dns - Enter the DNS address.

address - Enter the static IP address of


the interface.

autoconf Indicates the Global IP address is


derived using stateless address
autoconfiguration (SLAAC). Release
6.2.1

pppoe Select pppoe to configure a PPPoE


interface. Release 6.2.1

none Enter none to reset previously entered


information. Release 6.2.1

mode auto Select auto for automatic negotiation.

speed Select speed as 10, 100 or 1000 MBPS.

duplex Select duplex for duplex negotiation.

mtu Enter a number between 552-1500. The default value is 1500.

usedfor none Enter none when interface is used as a


controller port (just for connecting to
controller).

private Enter private to configure the interface


for a private WAN.

public Enter public to configure the interface


for a public network.

private-l2 Enter private-l2 to configure an L2


interface as part of a bypass pair.

enabled true Enter true to enable the interface.

false Enter false to disable the interface.

Cellular Interfaces

apn auto-apn When you select auto-apn, default


carrier APN is automatically detected
and the device connects using auto-
APN profile.

Prisma SD-WAN ION Device CLI Reference 40 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

name= Enter the name of the APN profile.


Optional parameters are auth-type
(pap, chap, pap/chap), username, and
password.

iptype ipv4/ipv6/ipv4v6 Configure cellular iptype options IPv4 /


IPv4v6 on the cellular interface. In case
of IPv4v6, devices can run IPv4 and
IPv6 in [Link] 6.1.1

mtu MTU number must be between 552-1428 for IPv4 and 1280-1428
for IPv6. The default value is 1428.

enabled= false Enter false to disable the cellular


interface.

true Enter true to enable the cellular


interface.

lldp state All non-PoE ports are set to receive-only mode and PoE ports are
set to transmit and receive mode.

rxonly LLDP packets in receive only mode.

txrx LLDP packets in transmit and receive


mode.

poe Configure PoE ports.

enabled= Enter true to enable or false to disable


the PoE port.

usage threshold Enter a usage threshold percentage.

Command Notes

Role Super

Related Commands dump interface config

Introduced in Release 4.5.1

Example

config interface controller1 ip dhcp


config interface 3 pppoe pppoeuser=root pppoepasswd=pass

Prisma SD-WAN ION Device CLI Reference 41 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

config interface config interface 2 ip static


address=[Link]

config interface cellular1 apn name=test auth-type=pap username=test1


password=test2

config interface cellular1 iptype version=ipv4

config interface cellular1 iptype version=ipv6

config interface cellular1 iptype version=ipv4v6

config interface 7 ip6 dhcp

config interface 5 ipv6 static address=[Link]/64


gw=[Link] dns=[Link]

config poe system usage threshold


Use the config poe system usage threshold command to configure PoE system usage
threshold.

Command

config poe system usage threshold

Command Notes

Role Super

Related Commands

Introduced in Release 6.0.2

Example

config poe system usage-threshold 80

config static host


Use the config static host command to add or remove a static entries from the static
host configuration file. To add a static host entry, provide an IP address and a single hostname
or comma-separated multiple hostnames. To remove an entry, provide an IP address and a single
hostname to remove only the specific hostname mapped to the IP address.

Prisma SD-WAN ION Device CLI Reference 42 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

config static host ( add ip IPADDR= host IP address | remove ( ip |


name))

Options

ip Enter the IP address to add or remove a static


entries from the static host configuration file.

(Optional) name When removing a static host, enter a single


host name for the IP address.

Command Notes

Role Super

Related Commands dump static host config

Introduced in Release 4.4.1

Example

config static host add ip [Link] name


[Link],[Link]
dump static host config

Address Hosts
[Link] [Link]
[Link] [Link]
[Link] [Link] [Link]

config static host remove ip [Link] name


[Link]
dump static host config

Address Hosts
[Link] [Link]
[Link] [Link]
[Link] [Link]

config static host remove ip [Link]


dump static host config

Address Hosts
[Link] [Link]
[Link] [Link]

Prisma SD-WAN ION Device CLI Reference 43 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Debug Commands
The debug command enables you to leverage debugging commands such as tcpdump and reboot
and also to debug and troubleshoot interfaces, devices, and routing. Only SUPER users are
allowed to execute Debug commands.
• arping interface
• curl
• ping
• ping6
• debug bounce interface
• debug bw-test src-interface
• debug cellular stats
• debug controller reachability
• debug flow
• debug ipfix
• debug log agent eal file log
• debug logging facility
• debug logs dump
• debug logs follow
• debug logs tail
• debug performance-policy
• debug poe interface
• debug process
• debug reboot
• debug routing multicast log
• debug routing multicast pimd
• debug servicelink logging
• debug tcpproxy
• debug time sync
• dig dns
• dig6
• file export
• file remove
• file space available
• file tailf log
• file view log

Prisma SD-WAN ION Device CLI Reference 44 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

• ssh interface
• ssh6 interface
• tcpdump
• tcpping
• traceroute
• traceroute6

arping interface
Use the arping interface command to send the ARP requests, replies, or gratuitous and to
ping an interface or source IP.

Command

arping interface= interface_name Hostname= host_name (args= " ")

Options

interface Enter the interface name or ID.

hostname Enter the host name or IP address.

args= "-b" Continue broadcasting, don't go unicast.

args= "-cnumber" Enter the number of packets to be sent.

args="-wnumber" Enter a time in seconds for arping to wait for a


reply.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.4.1

Example

arping controller1 [Link] args="-c 3"


ARPING [Link] from [Link] eth0
Unicast reply from [Link] [Link] 0.888ms
Unicast reply from [Link] [Link] 0.862ms
Unicast reply from [Link] [Link] 0.830ms
Sent 3 probes (1 broadcast(s))Received 3 response(s)

Prisma SD-WAN ION Device CLI Reference 45 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

curl
Use the curl command to send an HTTP GET request to a destination.

Command

curl interface dst-URL (args=" ")

Options

dst-URL Enter the destination URL.

interface Enter the interface name or ID.

args= "-l" Use -I to send an HTTP HEAD request to fetch


only the headers.

args= "-k" Allows connections to SSL sites without


certificates.

args="-mnumber" Enter the maximum time in seconds allowed for


the transfer.

args="-v" Makes the operation more talkative.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.4.1

Example

curl controller1 [Link] args="-I"


HTTP/1.1 200 OK
Date: Wed, 25 Oct 2017 [Link] GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See [Link]/p3phelp for
moreinfo."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2017-10-25-14;
expires=Wed, 01-Nov-2017 [Link] GMT;
path=/; domain=.[Link]

Prisma SD-WAN ION Device CLI Reference 46 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Set-Cookie: NID=115=GLq9imCH9M-Ar8qQ_s09GowOc9mDrJC-
esgzWdd_R1ghnCfMhaYKSbwuNpiNG6N0w74HY1gjkIn-
WWPSdmteo9rDiGklmsNlMGydCkZaPhrAP9D1105jC5szPla3Bltp; expires=Thu,26-
Apr-2018 [Link] GMT;
path=/;
domain=.[Link]; HttpOnly
Transfer-Encoding: chunked
Accept-Ranges: none
Vary: Accept-Encoding

ping
Use the ping command to test internet control message protocol (ICMP) reachability of a host
and to troubleshoot network connectivity issues. It displays the network connectivity response
and the time it takes to receive the response.

Command

ping interface host (args =" ")

Options

interface Enter the interface from which to send packets.

host Enter the destination IP address or hostname.

args= "-c number" Enter the number of pings to be displayed.

args= "-s number" Enter the packet size. The default size is 56.

args="-wnumber" Enter the number of seconds to wait to receive


the first response after all the -c packets are sent.
The default value is 10 seconds.

args="-q" Quiet mode displays only the summary lines at


the start and finish.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.4.1

Prisma SD-WAN ION Device CLI Reference 47 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

Example of ping which controls the count (-c) and the ping packet
size (-s)
ping controller1 [Link] args="-c 3 -s 1400"
PING [Link] ([Link]): 1400 data bytes
1408 bytes from [Link]: seq=0 ttl=59 time=50.710 ms
1408 bytes from [Link]: seq=1 ttl=59 time=50.590 ms
1408 bytes from [Link]: seq=2 ttl=59 time=50.568 ms

ping6
Use the ping6 command to test internet control message protocol (ICMP) reachability of a host
and to troubleshoot network connectivity issues for IPv6. It displays the network connectivity
response and the time it takes to receive the response.

Command

ping6 interface host (args =" ")

Options

interface Enter the interface from which to send packets.

host Enter the destination IP address or hostname.

args= "-c number" Enter the number of pings to be displayed.

args= "-s number" Enter the packet size. The default size is 56.

args="-W number" Enter the number of seconds to wait to receive


the first response after all the -c packets are sent.
The default value is 10 seconds.

args="-w number" Enter the number of seconds to wait to receive


the first response before the -c packets are sent.
The default value is infinite seconds.

args=”-i number” Enter the number of seconds of interval between


the packets.

args=”-I” Enter the source IP interface or IP address.

args=”=t” Enter the TTL to set the TTL on the packets.

args="-q" Quiet mode displays only the summary lines at


the start and finish.

Prisma SD-WAN ION Device CLI Reference 48 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 6.0.1

Example

ping6 1 5001::1 args="-c 100"


PING 5001::1 (5001::1): 56 data bytes
64 bytes from 5001::1: seq=0 ttl=64 time=1.321 ms
64 bytes from 5001::1: seq=1 ttl=64 time=0.672 ms
64 bytes from 5001::1: seq=2 ttl=64 time=1.489 ms
64 bytes from 5001::1: seq=3 ttl=64 time=3.160 ms
64 bytes from 5001::1: seq=4 ttl=64 time=4.122 ms
64 bytes from 5001::1: seq=5 ttl=64 time=3.071 ms

debug bounce interface


Use the debug bounce interface command to disable an interface for five seconds and to
re-enable it. Useful to force DHCP resynchronization or link speed renegotiation.

Command

debug bounce interface = interface number

Options

None

Command Notes

Role Super

Related Commands —

Introduced in Release 4.5.1

Example

debug bounce 1

Prisma SD-WAN ION Device CLI Reference 49 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

debug bw-test src-interface


Use the debug bw-test src-interface command to run a single bandwidth capacity test of
a circuit. Information displayed includes link capacities in Mbps, percentage loss in bandwidth, and
jitter.

Command

debug bw-test src-interface <interface> <destination=>

Options

interface Enter the source interface.

destination Enter the destination URL. The destination URL


is [Link] for Internet circuits. For private
WAN circuits, use [Link] or the data center
ION device's IP address.

Command Notes

Role Super

Related Commands —

Introduced in Release 4.6.1

Example

debug bw-test src-interface controller1 destination=[Link]


Press CTR+C to stop.
Units of downlink and uplink capacity measurement are Mbps.
capacity_uplink 31.782000read entry not available. go with
default
Final Downlink capacity estimate: 9.14
-------------------------------------------------
Downlink percentage loss: 19.20
Downlink Jitter: 2.99 ms
-----------------------------------------
Final Uplink capacity estimate: 31.78
-------------------------------------------------
Uplink rtt: 330.01 ms
Uplink Percentage Loss: 2.90
Uplink Jitter: 3.44 ms

debug cellular stats


Use the debug cellular stats command to check the cellular stats for the device.

Prisma SD-WAN ION Device CLI Reference 50 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

debug cellular stats details

Options

None

Command Notes

Role Super

Related Commands —

Introduced in Release 5.6.1

Example

debug cellular stats details


Module Id : 16249934729950037
Modem threads created : 1
Modem threads removed : 0
User init resets : 0
User init powercycle : 0
Request Queue Stats
Total Insert Success : 1483
Total Insert Failed : 0
Total Get Success : 1483
Total Get Failed : 0
Insert
Get Modem Init Info (0)
Success : 1
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
Set SIM config (1)
Success : 0
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
Set Active SIM config (2)
Success : 3
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
Start Data Session (3)
Success : 2
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
Set Radio config (4)

Prisma SD-WAN ION Device CLI Reference 51 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Success : 0
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
Get Radio Config (5)
Success : 0
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
Set profile (6)
Success : 0
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
Get Profile (7)
Success : 0
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
Set MTU (8)
Success : 0
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
Set interface adminup (9)
Success : 0
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
Set GPS config (10)
Success : 2
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
GET GPS (11)
Success : 0
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
Set SIM Pin config (12)
Success : 0
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0
SIM Pin verification (13)
Success : 0
Failed, invalid index : 0
Failed, not ready : 0
Failed, queue full : 0

debug controller reachability


Use the debug controller reachability command to check if the ION device is
connected to the controller. This command is useful during installation to verify connectivity
between the device and the controller. Ensures that the IP address is valid and gateway

Prisma SD-WAN ION Device CLI Reference 52 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

reachability from the controller interface on the ION device. If the controller is not reachable via
the controller interface, the command checks the controller's reachability from other L3 interfaces
on the device.
An error displays if a device is not able to connect to the controller due to certificate or other
issues. For example:

debug controller reachability controller1


Mic cert check passed
Cic cert check passed
Mic cert verify passed
Cic cert verify passed
CIC cert connection test failed
curl exitCode: 7

The CURL exit code helps in identifying the cause of the error.

Command

debug controller reachability <interface = interface number>

Options

None

Command Notes

Role Super

Related Commands —

Introduced in Release 4.7.1

Example

debug controller reachability 2


Mic cert check passed
Cic cert check passed
Mic cert verify passed
Cic cert verify passed
CIC cert connection test done
Device is connected to Controller

debug flow
Use the debug flow command to create, display, or delete a filter when enabling data plane
debugging to reduce the ION device load. The match criteria for the filter must be one or two
host IP addresses, one or two port numbers, a specific protocol type, or a particular ether-type.

Prisma SD-WAN ION Device CLI Reference 53 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

The filter ID is mandatory for creating and delete options (values between 1 and 8). All are used
with the view option to display all filters on the device.

Command

debug flow (create | view | delete) id= [ host1= | host2= | port1= |


port2= | protocol= | ether-type= ]

Options

id Enter the filter ID.

host1 Enter the source IP address.

host2 Enter the destination IP address.

port1 Enter the source port address.

port2 Enter the destination port address.

protocol Enter the protocol for creating a filter. For


example TCP, UDP, ICMP, etc.

ether-type Enter the Ether Type value for the protocol


used. For example, 0x0800 for Internet Protocol
version 4 (IPv4).

Command Notes

Role Super

Related Commands —

Introduced in Release 4.6.1

Example

debug flow create id=1 host1=[Link] host2=[Link]

debug flow view id=8


ID Host1 Host2 Port1 Port2 EtherType
Protocol
8 [Link] [Link] 23 17 6
9

debug flow delete id=8


Deleted:8

debug flow view all

Prisma SD-WAN ION Device CLI Reference 54 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

ID Host1 Host2 Port1 Port2


EtherType Protocol
2 [Link] [Link] 23 80 234
17
6 [Link] [Link] 23 80 289
1

debug flow view all


ID Host1 Host2 Port1 Port2 EtherType Protocol
2 [Link] 0 0
1 [Link] 0 0

debug ipfix
Use the debug ipfix command to configure filters to select flow statistics for debugging and
troubleshooting.

Command

debug ipfix ((create | view | delete) [id=|host1=|host2=|port1=|


port2=|protocol=])

Options

id Enter a number between 1 and 4 for the filter


ID.

host1 Enter the source IP address of the originator or


client for selecting the flow.

host2 Enter the destination IP address of the server


for selecting the flow.

port1 Enter the source UDP or TCP port of the


originator or client for selecting the flow. This
applies only to UDP or TCP connections.

port2 Enter the destination UDP or TCP port of the


server for selecting the flow. This applies only
to UDP or TCP connections.

protocol Enter the IP protocol used for selecting the


flow.

Prisma SD-WAN ION Device CLI Reference 55 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super

Related Commands debug logging facility=ipfix

Introduced in Release 5.5.1

Example

debug ipfix view all


ID Host1 Host2 Port1 Port2 Protocol
-- --------------- --------------- ----- ----- --------
1 [Link] tcp (6)

2 [Link] tcp (6)

debug log agent eal file log


Use the debug log agent eal file log command to enable or disable the logging of IP
and MAC address bindings.

Command

debug log-agent eal-file-log enable | disable

Options

Enable Enter enable to start logging the IP and MAC


address bindings.

Disable Enter disable to stop logging the IP and MAC


address bindings.

Command Notes

Role Super

Related Commands dump log-agent ip-mac-bindings

Introduced in Release 6.3.1

Ensure that you disable the debug log agent eal file log command when
not needed, to avoid memory consumption.

Prisma SD-WAN ION Device CLI Reference 56 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

debug log-agent eal-file-log enable


Enabling file logging will restart log-agent service
Do you really want to enable logging [y/n]: y

debug logging facility


Use the debug logging facility command to set the log level for a component.

Command

debug logging facility= <facility name> module = <module name> level


= [trace | debug | warning | info | error | notice | alert | crit]

Options

trace Enter trace to set logging facility to trace for a


component.

debug Enter debug to set logging facility to debug for a


component.

warning Enter warning to set logging facility to warning for


a component.

info Enter info to set logging facility to info for a


component.

error Enter error to set logging facility to error for a


component.

critical Enter critical to set logging facility to critical for a


component.

notice Enter notice to set logging facility to notice for a


component. Release 5.6.1

alert Enter alert to set logging facility to alert for a


component. Release 5.6.1

Command Notes

Role Super

Related Commands debug create filter

Prisma SD-WAN ION Device CLI Reference 57 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 4.6.1

Example

debug logging facility=mcastsvc levels <debug | info | notice | error


| crit | alert>
For PIMD daemon:

debug logging facility=local7 levels <debug | info | notice |


error | crit | alert>

debug logs dump


Use the debug logs dump command to dump existing log lines in the time interval between
start and end (defaults forever ago and now, respectively) for each listed facility (default all) and
displays raw format dumps JSON instead of colorized output.

Command

debug logs dump [start=<datetime>] [end=<datetime>] [raw]


[facility...]

Options

None

Command Notes

Role Super

Related Commands —

Introduced in Release 5.4.1

Example

debug logs dump

debug logs follow


Use the debug logs follow command to dump lines as they are written for each listed facility
(default all) and displays raw format dumps JSON instead of colorized output.

Command

debug log follow [raw] [facility...]

Prisma SD-WAN ION Device CLI Reference 58 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

None

Command Notes

Role Super

Related Commands —

Introduced in Release 5.4.1

Example

debug logs follow

debug logs tail


Use the debug logs tail command to dump the last # of lines (default 20) of the log for each
listed facility (default all) and displays raw format dumps JSON instead of colorized output.

Command

debug logs tail [lines=#] [raw] [facility...]( enable | disable)

Options

None

Command Notes

Role Super

Related Commands —

Introduced in Release 5.4.1

Example

debug logs tail

debug performance-policy
Use the debug performance-policy command to debug circuit information for a path used
in performance policy.

Prisma SD-WAN ION Device CLI Reference 59 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

debug performance-policy path-cache path-id=<Path ID>

Options

Path ID Enter the Path ID to debug the path IDs for


direct, VPN, and ServiceLink path types in
performance policy.

Command Notes

Role Super, Read Only, Monitor

Related Commands NA

Introduced in Release 6.3.1

Example

debug performance-policy path-cache path-id=1697698664341010637


Path ID : 1697698664341010637
Circuit ID : 1697698664341010637
Path Status : true
Path Type : direct
Path Label : public-10
Service Labels :
Circuit Devices :
Device Name : eth1

debug poe interface


Use the debug poe interface command to restart a PoE port using the toolkit commands.

Command

debug poe interface <id> restart

Options

interface id Enter the interface ID to restart the PoE port.

Command Notes

Role Super

Prisma SD-WAN ION Device CLI Reference 60 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Related Commands —

Introduced in Release 6.0.2

Example

Debug poe interface <7> restart

debug process
Use the debug process command to start, stop, restart a process, or check the status of a
process. Services are interrupted, and traffic for the duration of the restart. Stopping or restarting
a procedure should only be done under the guidance of support team.

Command

debug process (status (all | process name) |start |stop | restart)


<process name>

Options

status Enter status to check the status of a process.


Enter all to check the status of all processes, or
enter a process name to check the status of a
specific process.

start Enter start to start a process.

stop Enter stop to stop a process.

restart Enter restart to restart a process.

Command Notes

Role Super

Related Commands —

Introduced in Release 4.6.1

Example

debug process status name=dns


dns RUNNING pid 940, uptime 5 days, [Link]
debug process stop name=rtr_mgr_api
Do you really want to stop rtr_mgr_api [y/n]: y
rtr_mgr_api: stopped

Prisma SD-WAN ION Device CLI Reference 61 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

# debug process status all


ase RUNNING pid 1498, uptime 11 days, [Link]
ave_active_probe RUNNING pid 1499, uptime 11 days, [Link]
ave_register RUNNING pid 1496, uptime 11 days, [Link]
bfdd-beacon RUNNING pid 1540, uptime 11 days, [Link]
bwm_server STOPPED Not started
cg_super_event_listener RUNNING pid 1476, uptime 11 days,
[Link]
cgnx_cloud_infra RUNNING pid 1501, uptime 11 days, [Link]
charon RUNNING pid 1506, uptime 11 days, [Link]
...
debug process restart name=dhcp-server

debug process status name=dnsmasq


dnsmasq RUNNING pid 29491, uptime 4 days,
[Link]

debug reboot
Use the debug reboot command to reboot the device. Services are interrupted and traffic for
the duration of the restart.

Command

debug reboot

Options

None

Command Notes

Role Super

Related Commands —

Introduced in Release 4.4.1

Example

debug reboot
Do you really want to perform reboot on the device [y/n]: n
debug reboot
Do you really want to perform reboot on the device [y/n]: y
…….rebooting logs…..

Prisma SD-WAN ION Device CLI Reference 62 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

debug routing multicast log


Use the debug routing multicast log command to know the routing multicast log module
details.

This command is not available from the release 6.0.1 onward.

Command

debug routing multicast log module =

Options

detail Enter detail to know the routing multicast log


module details.

none Enter none to reset or disable the routing


multicast log module for a component.

pim Enter pim to know the pim routing multicast


module details.

packets Enter packets know the packet routing multicast


module details.

mrt Enter mrt to know the mrt routing multicast


module details.

interfaces Enter interfaces to know the interfaces routing


multicast module details.

all Enter all to know the all routing multicast module


details.

mfc Enter mfc to know the mfc routing multicast


module details.

jp Enter jp to know the jp routing multicast module


details.

igmp Enter igmp to know the igmp routing multicast


module details.

neigbhors Enter neigbhors to know the neigbhors routing


multicast module details.

rpf Enter rpf to know the rpf routing multicast


module details.

Prisma SD-WAN ION Device CLI Reference 63 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super

Related Commands debug logging facility

Introduced in Release 5.6.1

Example

debug routing multicast log module=


module=pim module=packets module=neighbours module=mrt module=jp
module=interfaces module=all module=igmp module=rpf module=detail
module=none

To reset/disable all PIMD daemon module debugging:

debug routing multicast log module=none

debug routing multicast pimd


Use the debug routing multicast pimd command to know the routing multicast PIM
module details.

Command

debug routing multicast pimd ( all | bsm | nth | packet | trace |


zebra | disable )

Options

all Enter all to know all the routing multicast log


module details.

bsm Enter bsm to know the routing multicast BSR


message processing activity.

nth Enter nth to know the pim routing multicast


Nexthop Tracking details.

packet Enter packets know the packet routing multicast


module details.

trace Enter trace to know the PIM internal daemon


activity for routing multicast module details.

Prisma SD-WAN ION Device CLI Reference 64 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

zebra Enter zebra to know the ZEBRA protocol activity's


for routing multicast PIM module details.

disable Enter disable to disable the PIM routing multicast.

Command Notes

Role Super

Related Commands dump routing multicast pim

Introduced in Release 6.0.1

Example

debug routing multicast pimd all


Enabled debug for bsm nht packets trace zebra

debug routing multicast pimd disable


Disabled debug for pimd for all modules

debug servicelink logging


Use the debug servicelink logging command to set the logging facility for standard VPNs
as some debugs impact service if not executed properly.

Command

debug servicelink logging [enabled | disabled]

Options

enabled Enter enabled to set the logging facility for


standard VPNs.

disabled Enter disabled to remove the logging facility for


standard VPNs.

Command Notes

Role Super

Related Commands —

Prisma SD-WAN ION Device CLI Reference 65 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 5.0.3

Example

debug servicelink logging enabled

debug tcpproxy
Use the debug tcpproxy command to create, display, or delete a filter to enable debugging
for tcpproxy service and provides a mechanism to enable debugging based on functionality or
category. On an ION device, the TCP proxy service is responsible for application detection,
metrics, link/application reachability, application prefix management, and so on.
Categories include application detection, application reachability, link reachability, metrics, and
application path prefixes. The match criteria for filters a source and destination IP addresses, one
or two port numbers, a specific protocol type, a path ID, or an application ID. Specific categories
and filters combine in the command for debugging the specified classes and functions.
For app-reachability and app-path-prefix category, app-id or destination prefix is required. The
filter ID is mandatory for create and delete options (values between 1 and 8). All is used with the
view option to display all filters on the device.

Command

debug tcpproxy (create | view | delete) [app-detection | app-


reachability | linkreachability | metrics | app-path-prefix | all] +
[id= srcv4= dstv4= srcport= dstport= protocol= app-id= path-id=]

Options

id Enter the filter ID.

srcv4 Enter the source IP address.

dstv4 Enter the destination IP address.

srcport Enter the source port.

dstport Enter the destination port.

protocol Enter the protocol for creating a filter. For


example TCP, UDP, ICMP, and so on.

app-id Enter the application ID for creating a filter.

path-id Enter the path ID for creating a filter.

Prisma SD-WAN ION Device CLI Reference 66 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super

Related Commands —

Introduced in Release 5.1.1

Example

debug tcpproxy create app-detection metrics


id=5 dstv4=[Link]/29

debug tcpproxy view all


ID SrcHost DstHost SrcPort DstPort Protocol
Path ID Categories
1 [Link] 0 10051 0
15244250442940223 appdetection

debug tcpproxy delete id=1

debug time sync


Use the debug time sync command to manually force the clock to synchronize with the
specified time source. It is used only in troubleshooting scenarios and does not need to run during
normal operations.

Command

debug time sync [ntp | cts | any]

Options

ntp Enter ntp to synchronize with [Link]. This


is the default source.

cts Enter cts to synchronize with [Link].

any Enter any to synchronize with [Link] or


with [Link]. First, try the network
time protocol (NTP) and then the controller time
source (CTS).

Prisma SD-WAN ION Device CLI Reference 67 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super

Related Commands dump time status

Introduced in Release 4.7.1

Example

debug time sync ntp

dig dns
Use the dig command to display domain information groper (Dig) for querying domain name
system (DNS) servers. It helps troubleshoot DNS problems along with displaying answers from the
queried name servers.

Command

dig
<interface>
<server address>
<hostname>

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.2.1

Example

dig controller1 [Link] [Link]


; <<>> DiG 9.10.3-P3 <<>> -b [Link] @[Link] [Link]
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30084

Prisma SD-WAN ION Device CLI Reference 68 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,


ADDITIONAL:1
;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:;[Link]. IN A
;; ANSWER SECTION:[Link]. 63 IN A [Link]
;; Query time: 28 msec
;; SERVER: [Link]#53([Link])
;; WHEN: Tue Feb 04 [Link] UTC 2020
;; MSG SIZE rcvd: 55

dig6
Use the dig6 command to display domain information groper (Dig) for querying domain name
system (DNS) servers. It helps troubleshoot DNS problems along with displaying answers from the
queried name servers.

Command

dig6
<interface>
<server address>
<hostname>

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dig6 3 2702::abcc [Link]


; <<>> DiG 9.11.35 <<>> -6 -b 2203::11 @2702::abcc -t AAAA
[Link]
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51816
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:
1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 470075d63cabb41d01000000642d1f281097dd340bbe42fa (good)

Prisma SD-WAN ION Device CLI Reference 69 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

;; QUESTION SECTION:
;[Link]. IN AAAA
;; ANSWER SECTION:
[Link]. 604800 IN AAAA [Link]
;; Query time: 1 msec
;; SERVER: 2702::abcc#53(2702::abcc)
;; WHEN: Wed Apr 05 [Link] UTC 2023
;; MSG SIZE rcvd: 107

file export
Use the file export command to export log, core, and capture files from the device to the
destination machine.

Command

file export interface-name [ log | core | capturefile ] Destination-


URL

Options

log Enter a specific log file to be exported.

core Enter a specific core file to be exported.

capturefile Enter the name of the actual capture file to


export. The capture filename displays only if such
a capture file exists or is created by the user.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.4.1

Example

file export 1 log elem-mgr scp://ubuntu@[Link]:/home/ubuntu/


ubuntu@[Link]'s password:
elem-mgr 100% 477KB 8.0MB/s 00:00
file export 1 [Link] scp://ubuntu@[Link]:/home/
ubuntu/
ubuntu@[Link]'s password:
[Link] 100% 10KB 3.7MB/s 00:00

Prisma SD-WAN ION Device CLI Reference 70 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

file remove
Use the file remove command to remove file list.

Command

file remove <file name>

Options

None

Command Notes

Role Super

Related Commands

Introduced in Release 5.1.1

Example

# file remove [Link]

file space available


Use the file space available command to display the available disk space for a user. The
maximum available space for a user is 400 MB.

Command

file space available

Options

None

Command Notes

Role Super, Read Only

Related Commands —

History Introduced in Release 4.5.3

Prisma SD-WAN ION Device CLI Reference 71 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

file space available


Available space: 399.988 MB

file tailf log


Use the file tailf log command to debug logs as it allows users to tail and follow logs as
they get updated.

Command

file tailf log


<name of the log>

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.6.1

Example

# file tailf log syslog


{ "_ts": "2018-03-08T[Link].303Z", "_prog": "bgpd",
"_pid":22376, "_msgid": "@EoQhBD", "text": "Terminating on signal",
"_fac": "syslog", "_level": "note" }
{ "_ts": "2018-03-08T[Link].316Z", "_prog": "zebra",
"_pid":22372, "_msgid": "@cecePC", "text": "client 20 disconnected.
0 bgproutes removed from the rib", "_fac": "syslog", "_level":
"note" }
{ "_ts": "2018-03-08T[Link].815Z", "_prog": "zebra",
"_pid":22372, "_msgid": "@EoQhBD", "text": "Terminating on signal",
"_fac": "syslog", "_level": "note" }
{ "_ts": "2018-03-08T[Link].549Z", "_prog": "zebra",
"_pid":26031, "_msgid": "@EoQhBD", "text": "Terminating on signal",
"_fac": "syslog", "_level": "note" }
{ "_ts": "2018-03-08T[Link].583Z", "_prog": "bgpd",
"_pid":26035, "_msgid": "@EoQhBD", "text": "Terminating on signal",
"_fac": "syslog", "_level": "note" }
{ "_ts": "2018-03-08T[Link].753Z", "_prog": "zebra",
"_pid":9915, "_msgid": "@EoQhBD", "text": "Terminating on signal",
"_fac": "syslog", "_level": "note" }

Prisma SD-WAN ION Device CLI Reference 72 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

{ "_ts": "2018-03-08T[Link].795Z", "_prog": "bgpd",


"_pid":9919, "_msgid": "@EoQhBD", "text": "Terminating on signal",
"_fac": "syslog", "_level": "note" }
{ "_ts": "2018-03-08T[Link].701Z", "_prog": "zebra",
"_pid":13131, "_msgid": "@cecePC", "text": "client 20 disconnected.
0 bgproutes removed from the rib", "_fac": "syslog", "_level":
"note" }
{ "_ts": "2018-03-08T[Link].370Z", "_prog": "bgpd",
"_pid":14685, "_msgid": "@EoQhBD", "text": "Terminating on signal",
"_fac": "syslog", "_level": "note" }
{ "_ts": "2018-03-08T[Link].373Z", "_prog": "zebra",
"_pid":14681, "_msgid": "@cecePC", "text": "client 20 disconnected.
0 bgproutes removed from the rib", "_fac": "syslog", "_level":
"note" }
<follow syslog>

file view log


Use the file view log command to display information for different types of logs. Choose or
enter the name of a log to view information for the specified log.

Command

file view log


<log name>

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.4.1

Example

file view log auth


{ "_ts": "2018-03-05T[Link].979Z", "_prog": "sshd",
"_pid":1111, "_msgid": "s shd-all", "text": "Received signal
15;terminating.", "_event": true, "_fac": "auth", "_level": "info" }
{ "_ts": "2018-03-05T[Link].335Z", "_prog": "sshd",
"_pid":1598, "_msgid": "s shd-all", "text": "Server listening
on 0.0.0.0port 22.", "_event": true, "_fac" : "auth", "_level":
"info" }

Prisma SD-WAN ION Device CLI Reference 73 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

{ "_ts": "2018-03-05T[Link].335Z", "_prog": "sshd",


"_pid":1598, "_msgid": "s shd-all", "text": "Server listening on ::
port22.", "_event": true, "_fac": "auth", "_level": "info" }

ssh6 interface
Use the ssh6 interface command to invoke the secure shell (SSH) or client from the device
for debugging and troubleshooting purposes.

Command

ssh6 <interface> <user>@<hostname> [port | identity]

Options

port Enter a port number for SSH6 connection.

identity Provides a file identity in the form of a private


key for RSA or DSA authentication. For
example,

[Link]

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 6.0.1

Example

ssh6 1 elem-admin@[Link]
getaddrinfo: 3001::99: Address family for hostname not supported
ssh: connect to host [Link] port 22: failure

ssh6 1 elem-admin@3001::22
option-key-algo=curve25519-sha256 port 22 identity home/.ssh/
id_rsa
elem-admin@3001::22's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-15-generic
x86_64)

ssh interface
Use the ssh interface command to invoke the secure shell (SSH) or client from the device for
debugging and troubleshooting purposes.

Prisma SD-WAN ION Device CLI Reference 74 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

ssh <interface> <user>@<hostname> [port | identity]

Options

port Enter a port number for SSH connection.

identity Provides a file identity in the form of a private


key for RSA or DSA authentication. For
example,

[Link]

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.7.1

Example

ssh controller1 elem-admin@[Link]


Warning: Permanently added '[Link]' (ECDSA) to the list
ofknown hosts.
Password: # #

dump software status


CurrentVersion : 4.7.1-b6
APICompleteSha :

e54a0cedb4e999f6453d98110cf8a3baac9affc68fcbe91157344d83d4b815c2APIMajorShacf7c
#exit
Connection to [Link] closed.

tcpdump
Use the tcpdump command to capture the TCP, or IP packets received or transferred over a
network on a specific interface and used for network debugging and traffic analysis. The packet
data is printed on a console or saved to a future analysis file or transfer. The following (args)
options are automatically included in the device:

"-A", "b", "-e", "-K", "-#", "-p", "-q", "-S", "-t", "-tt", "-ttt",
"-tttt", "-ttttt", "-u", "-v", "-vv", "-vvv", "-x", "-xx", "-X", "-
XX" "-B", "-c", "-E", "-j", "-M", "-Q", "-T", "-s" "-C"

Prisma SD-WAN ION Device CLI Reference 75 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Capturing packets using the tcpdump command is currently not supported on sub-
interfaces or SVIs for ION device software versions 6.1.x, 6.2.x, and 6.3.x. However, traffic
flow of interest on such interfaces can be captured on parent interface, with the help of
available (args) options.

• For capturing the packets:


tcpdump interface args=” “ show
• For saving packets capture to a file:
tcpdump interface args=” “ show | save filename
• For viewing and exporting a .pcap file:
file view [Link]

Command

tcpdump (interface name or number <args= " " | show | save


file=filename>)

Options

interface Enter the interface to listen on.

show Displays TCP packet information.

save file Enter the name of the file in which the tcpdump is
saved.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.4.1

Example

tcpdump filtering on host IP [Link], protocol = icmp, and display


ethernetframe info (-e)
tcpdump controller1 args=" -e host [Link] and icmp" show
tcpdump:verbose
output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size
65535
bytes [Link].488774 [Link] > [Link],
ethertype IPv4 (0x0800), length 98: [Link] > [Link]: ICMP
echo request, id 12410, seq 0, length 64

Prisma SD-WAN ION Device CLI Reference 76 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[Link].5395[Link] > [Link],


ethertype IPv4 (0x0800),length

tcpdump controller1 args="-vvv" show


tcpdump: listening on eth0, link-type EN10MB (Ethernet),
capture size 262144 bytes
[Link].589948 ARP, Ethernet (len 6), IPv4 (len 4),
Request who-has [Link] ([Link]) tell [Link],
length 46
[Link].589953 ARP, Ethernet (len 6), IPv4 (len 4),
Request who-has [Link] ([Link]) tell [Link],
length 78

tcpdump controller1 args="-c 5" save file=tcpdump_capture.pcap


Saving...
Press CTR+C to stop.
tcpdump: listening on eth0, link-type EN10MB (Ethernet),
capture size 262144 bytes
5 packets captured

tcpping
Use the tcpping command to create a transmission control protocol (TCP) connection to the
destination host on a specified port. It is useful for hosts or destinations where ping is disabled.

Command

tcpping interface dst-ipv4:port

Options

dst-ipv4 Enter the destination IPv4 address.

interface Enter the interface name or ID.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.4.1

Example

tcpping controller1 [Link]


tcpping connected to [Link]:80 time=2ms
tcpping controller1 [Link]

Prisma SD-WAN ION Device CLI Reference 77 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

tcpping connected to [Link]:80 time=28ms

traceroute
Use the traceroute command to print the route taken by packets to a destination and to
identify the route or measure packet transit delays across a network.

Command

traceroute interface dst-ipv4 (args=" ")

Options

dst-ipv4 Enter the interface to listen on.

interface Enter the interface name or ID.

args= "-F" Use when probe packets should not be


fragmented.

args= "-l" Displays the time-to-live (TTL) value of the


returned packet.

args="-l" Use ICMP ECHO instead of UDP datagrams.

args="-m number" Enter the maximum number of hops (max TTL


value) that trace route probe.

args= "-n" Print hop addresses numerically rather than


symbolically.

args="-p string" This is the base UDP port number used in


probes (default value is 33434).

args="-q number" Enter the number of probe packets per TTL. The
default value is 3.

args= "-t number" Enter a value for Type of Service (TOS) in probe
packets. The default value is 0.

args="-w number" Enter a time (in seconds) to wait for a response


to a probe. The default value is 3 seconds.

Command Notes

Role Super, Read Only

Prisma SD-WAN ION Device CLI Reference 78 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Related Commands —

Introduced in Release 4.4.1

Example

traceroute 1 [Link] args="-n"


traceroute to [Link] ([Link]), 30 hops max, 46 byte packets 1
[Link] 92.231 ms 92.298 ms 92.241 ms 2 [Link] 92.336 ms
92.327 ms 92.388 ms 3 [Link] 93.410 ms 93.279 ms * 4
[Link] 102.026 ms 102.013 ms 103.401 ms 5 [Link]
101.901 ms * [Link] 101.729 ms 6 [Link] 102.291
ms
[Link] 102.165 ms [Link] 102.435 ms 7 [Link]
101.937 ms 101.563 ms 102.023 ms

traceroute6
Use the traceroute6 command to print the route taken by packets to a destination and to
identify the route or measure packet transit delays across a network for IPv6.

Command

traceroute6 interface (args="")

Options

dst-ipv6 Enter the interface to listen on.

interface Enter the interface name or ID.

args= "-F" Use when probe packets should not be


fragmented.

args= "-l" Displays the time-to-live (TTL) value of the


returned packet.

args="-l" Use ICMP ECHO instead of UDP datagrams.

args="-m number" Enter the maximum number of hops (max TTL


value) that trace route probe.

args= "-n" Print hop addresses numerically rather than


symbolically.

args="-p string" This is the base UDP port number used in


probes (default value is 33434).

Prisma SD-WAN ION Device CLI Reference 79 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

args="-q number" Enter the number of probe packets per TTL.


The default value is 3.

args= "-t number" Enter a value for Type of Service (TOS) in


probe packets. The default value is 0.

args="-w number" Enter a time (in seconds) to wait for a response


to a probe. The default value is 3 seconds.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 6.0.1

Example

traceroute6 2 2001::1

traceroute to 2001::1 (2001::1) from 2001::22, 30 hops max, 72


byte packets
1 2001::1 (2001::1) 0.378 ms 3.645 ms 0.220 ms

traceroute6 2 2001::33

traceroute to 2001::33 (2001::33) from 2001::22, 30 hops max, 72


byte packets
1 2001::22 (2001::22) 3064.851 ms !H 3067.614 ms !H 3071.971
ms !H

Prisma SD-WAN ION Device CLI Reference 80 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Dump Commands
The dump command enables you to display information such as interfaces, devices, and routing.
This command option is available to all user roles.
• dump appdef config
• dump appdef version
• dump app-engine
• dump app-l4-prefix table
• dump app-probe config
• dump app-probe flow
• dump app-probe prefix
• dump app-probe status
• dump auth config
• dump auth status
• dump banner config
• dump bfd status
• dump bypass-pair config
• dump cellular config
• dump cellular stats
• dump cellular status
• dump cgnxinfra status
• dump cgnxinfra status live
• dump cgnxinfra status store
• dump config network
• dump config security
• dump controller cipher
• dump controller status
• dump device accessconfig
• dump device conntrack count
• dump device date
• dump device info
• dump device status
• dump dhcp-relay config
• dump dhcprelay stat
• dump dhcp-server config
• dump dhcp-server status

Prisma SD-WAN ION Device CLI Reference 81 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

• dump dhcpstat
• dump dnsservice config all
• dump dpdk cpu
• dump dpdk interface
• dump dpdk port status
• dump dpdk stats
• dump flow count-summary
• dump interface config
• dump interface status
• dump interface status interface details
• dump interface status interface module
• dump ipfix config collector-contexts
• dump ipfix config filter-contexts
• dump ipfix config derived-exporters
• dump ipfix config templates
• dump ipfix config ipfix-overrides
• dump ipfix config profiles
• dump ipfix config prefix-filters
• dump lldp
• dump lldp config
• dump lldp info
• dump lldp stats
• dump lldp status
• dump nat counters
• dump nat6 counters
• dump nat summary
• dump network-policy config policy-rules
• dump network-policy config policy-sets
• dump network-policy config policy-stacks
• dump network-policy config prefix-filters
• dump overview
• dump performance-policy config policy-rules
• dump performance-policy config policy-sets
• dump performance-policy config policy-set-stacks
• dump performance-policy config threshold-profile
• dump poe system config

Prisma SD-WAN ION Device CLI Reference 82 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

• dump poe system status


• dump priority-policy config policy-rules
• dump priority-policy config policy-sets
• dump priority-policy config policy-stacks
• dump priority-policy config prefix-filters
• dump probe config
• dump probe profile
• dump qos-bwc config
• dump radius config
• dump radius statistics
• dump radius status
• dump reachability-probe config
• dump reachability-probe status
• dump routing aspath-list
• dump routing cache
• dump routing communitylist
• dump routing multicast config
• dump routing multicast igmp
• dump routing multicast interface
• dump routing multicast internal vif-entries
• dump routing multicast mroute
• dump routing multicast pim
• dump routing multicast sources
• dump routing multicast statistics
• dump routing multicast status
• dump routing peer advertised routes
• dump routing peer config
• dump routing peer neighbor
• dump routing peer received-routes
• dump routing peer route-json
• dump routing peer routes
• dump routing peer status
• dump routing prefixlist
• dump routing prefix-reachability
• dump routing route
• dump routing routemap

Prisma SD-WAN ION Device CLI Reference 83 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

• dump routing peer route-via


• dump routing running-config
• dump routing summary
• dump routing static-route reachability-status
• dump routing static-route config
• dump security-policy config policy-rules
• dump security-policy config policy-set-stack
• dump security-policy config policy-set
• dump security-policy config prefix-filters
• dump security-policy config zones
• dump sensor type
• dump sensor type summary
• dump serviceendpoints
• dump servicelink summary
• dump servicelink stats
• dump servicelink status
• dump site config
• dump snmpagent config
• dump snmpagent status
• dump software status
• dump spoke-ha config
• dump spoke-ha status
• dump standingalarms
• dump static-arp config
• dump static host config
• dump static routes
• dump support details
• dump-support
• dump switch fdb vlan-id
• dump switch port status
• dump switch vlan-db
• dump syslog config
• dump syslog-rtr stats
• dump syslog status
• dump time config
• dump time log

Prisma SD-WAN ION Device CLI Reference 84 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

• dump time status


• dump troubleshoot message
• dump vlan member
• dump vpn count
• dump vpn ka all
• dump vpn ka summary
• dump vpn ka VpnID
• dump vpn status
• dump vpn summary
• dump vrf
• dump waninterface config
• dump waninterface summary

dump appdef config


Use the dump appdef config command to display details of all application definitions (system
or custom) available on the device, such as the application ID, the name of the application, the
application type, the application category, and the application transfer type.

Command

dump appdef config (all | type= (system | custom) |


application= application definition name ) + )

Options

all Enter all to display details of all application


definitions on a device.

type Enter system to display system application


definitions on a device. Enter custom to
display configuration of custom application
definitions on a device.

application Enter the application definition name to display


application definition configurations on the
device.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Prisma SD-WAN ION Device CLI Reference 85 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 4.5.1

Example

dump appdef config all


Application ID : 2328
Application Name : pptp
Display Name : Point-to-Point Tunnelling
Protocol Type : port-based
Application Category : net-mgmt
Application Transfer Type : bulk
Application ID : 2
Application Name : office365-sharepoint
Display Name : Share
PointType : saas
Application Category : saas
Application Transfer Type : transactional
Application ID : 9
Application Name : google-apps
Display Name : Google Apps
Type : saas
Application Category : saas
Application Transfer Type : transactional

dump appdef config application=ms-teams


Unified Application ID : 2443
Unified Application Name : ms-teams
Legacy Application ID : 250
Display Name : ms-teams
FC Application ID : 16399435545140067
Type : saas
Unified Application Category : saas
Legacy Application Category : saas
Supported App-Engine Type : all
Application Transfer Type : collaboration
Timeout : 600
Path Affinity : 1
Ingress load percentage : 50
Ingress load percentage : 50
TCP filter rules:
Server Port Range: 443 - 443
Server Prefixes:
[Link]/18
[Link]/14
[Link]/14
[Link]/32
[Link]/32
[Link]/32
IPv6 Server Prefixes:
[Link]/48
[Link]/48
[Link]/48
[Link]/48
[Link]/38

Prisma SD-WAN ION Device CLI Reference 86 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[Link]/48
[Link]/42
Server Port Range: 80 - 80
Server Prefixes:
[Link]/18
[Link]/14
[Link]/14
[Link]/32
[Link]/32
[Link]/32
IPv6 Server Prefixes:
[Link]/48
[Link]/48
[Link]/48
[Link]/48
[Link]/38
[Link]/48
[Link]/42
UDP filter rules:
Port Range: 3478 - 3481
Prefixes:
[Link]/18
[Link]/14
[Link]/14
IPv6 Prefixes:
[Link]/38
Domains:
[Link]
[Link]
App Unreachability detection : true
Parent App Name : microsoft

dump appdef version


Use the dump appdef version command to display running Appdef and Signature file version
of the application.

Command

dump appdef version

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands

Prisma SD-WAN ION Device CLI Reference 87 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 6.0.1

Example

dump appdef version


App-def-version : 8523-7225_000003.000002
App-content-version : 8523-7225_000003.000002

dump app-engine
Use the dump app-engine command to display per-app stats, global app stats, appdefs-info,
and dns-based app map entries for application id.

Command

dump app-engine [app-stats | global | dns-cache | appdefs-info ]

Options

app-stats Enter an unified application name / all/


application id / fcappid to display app-stats for
the application.

globals Enter globals to display global app stats for the


application.

dns-cache Enter all / unified application name / ipv4 address


to display dns based cache for the application.

appdefs-info Enter an appdefs info to display appdefs stats


for the application.

Command Notes

Role Super, Read Only, Monitor

Related Commands clear app-engine

Introduced in Release 6.0.1

Example

dump app-engine app-stats all

-------------------------------------------------------------------------------

Prisma SD-WAN ION Device CLI Reference 88 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Applcation:grammarly SupportType:panos Appid:2935


Fcappid:1644737497417006828

-------------------------------------------------------------------------------
Number of hits: 7
Last 7 flows on grammarly:
[Link]:52514->[Link]:443, proto:6, dpi:DNS-based
[Link]:52514->[Link]:80, proto:6, dpi:DNS-based
[Link]:52514->[Link]:443, proto:6, dpi:DNS-based
[Link]:52514->[Link]:80, proto:6, dpi:DNS-based
[Link]:52514->[Link]:443, proto:6, dpi:DNS-based
[Link]:52514->[Link]:80, proto:6, dpi:DNS-based
[Link]:50320->[Link]:80, proto:6, dpi:Session-
Based

First session seen on grammarly:


Time: 2022-02-14 [Link].282588704 +0000 UTC
Flow: [Link]:52514->[Link]:443, proto:6, dpi:DNS-
based

-------------------------------------------------------------------------------
Applcation:myABC-131089 SupportType:ave Appid:131089
Fcappid:16165698407260238

-------------------------------------------------------------------------------
Number of hits: 14
Last 10 flows on myABC-131089:
[Link]:37642->[Link]:80, proto:6, dpi:Custom-based
[Link]:58826->[Link]:443, proto:6, dpi:Custom-based
[Link]:45896->[Link]:80, proto:6, dpi:Custom-based
[Link]:40716->[Link]:443, proto:6, dpi:Custom-based
[Link]:45470->[Link]:80, proto:6, dpi:Custom-based
[Link]:52288->[Link]:443, proto:6, dpi:Custom-based
[Link]:52596->[Link]:80, proto:6, dpi:Custom-based
[Link]:40758->[Link]:443, proto:6, dpi:Custom-based
[Link]:36930->[Link]:443, proto:6, dpi:Custom-based
[Link]:48854->[Link]:443, proto:6, dpi:Custom-based

First session seen on myABC-131089:


Time: 2022-02-14 [Link].842568339 +0000 UTC
Flow: [Link]:60256->[Link]:80, proto:6, dpi:Custom-
based

dump app-l4-prefix table


Use the dump app-l4-prefix table command to display TCPPROXY L4-Prefix-Lookup table
information based on L4 rules of TCP, UDP, or non-TCP-UDP.

Command

dump app-l4-prefix table (all | l4Rule=tcp | udp | ip)

Prisma SD-WAN ION Device CLI Reference 89 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

all Enter all to display summary of all the TCPPROXY


L4-Prefix-Lookup table.

l4Rule Enter rule to view the TCPPROXY L4-Prefix-Lookup


table matching the rule.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.4.1

Example

dump app-l4-prefix table all


-------------- L4 Prefix Lookup Table--------------------------
L4 ip_rules:
Prefix AppID AppName Protocol
L4 tcp_rules:
Index Port-Range Prefix AppID AppName Protocol
1 805-807 [Link]/24 3888 ringcentral3 6
[Link]/24
[Link]/28
[Link]/24
2 9998-9999 [Link]/24 65 disk 6
[Link]/24
[Link]/28
[Link]/24

L4 udp_rules:
Index Port-Range Prefix AppID AppName Protocol
1 905-907 [Link]/24 3888 ringcentral3 17
[Link]/24
[Link]/28
[Link]/24
2 5557-5559 [Link]/24 3888 ringcentral3 17
[Link]/24
[Link]/28
[Link]/24

dump app-probe config


Use the dump app-probe config command to display the current configuration for
application probe, if enabled and the interface set as the probe source interface.

Prisma SD-WAN ION Device CLI Reference 90 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump app-probe config

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump app-probe statusdump app-probe


flow

Introduced in Release 5.4.1

Example

dump app-probe config


Probe Enabled : true
Source Interface ID : 15845897281350020

dump app-probe flow


Use the dump app-probe flow command to display details of application probing on a device.
Expire Type denotes the category of LAN to WAN flow. Flows are categorized based on the
type of application detected for a flow. Unreachable applications will be probed for a period
determined by Expire Time.
The categories for Expire Type along with Expire Time are as follows:

Expire Type Expire Time

Static Infinite - Unreachable applications will be probed


indefinitely till they are reachable.

Dynamic 10 hours

One Time 30 minutes

Custom Infinite - Unreachable applications will be probed


indefinitely till they are reachable.

Default 120 seconds

Prisma SD-WAN ION Device CLI Reference 91 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump app-probe flow (all | application= | server-ip= )

Options

all Enter all to display probing statistics for all applications.

application Enter an application name to display probing statistics for the


application.

server-ip Enter a server IP address to display probing statistics for


applications on the server.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.1.1

Example

dump app-probe flow application=ftp


Protocol Source-Ip:Port Dest-IP:Port AppName Expire-Type
ExpireTime Path ID
TCP [Link] :54019 [Link] :21 "ftp" 0 7 secs
1524708264742023 7

dump app-probe prefix


Use the dump app-probe prefix command to display statistics for prefixes mapped against
an application for each path or port combination.

Command

dump app-probe prefix application=<name of the application> [server-


ip= | path-id= | port= ]

Options

application Enter an application name to display prefixes for the application.

server-ip Enter a server IP address to display prefixes mapped to the


server.

Prisma SD-WAN ION Device CLI Reference 92 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

path-id Enter a Path ID to display prefixes mapped to the path.

port Enter a port number to display prefixes mapped to the port.

Command Notes

Role Super, Read Only Monitor

Related Commands clear app-probe prefix

Introduced in Release 5.1.1

Example

dump app-probe prefix application=ftp


Prefix LastFailed Port Path-ID AppProbe Last
ClientReach ResetProbeTime
/Subnet ServerIP Started ActivityTime
AttemptTime
[Link]/32 [Link] 21 1524708 true 2018-12-
2018-12- 2018-12-[Link]
2647420237 [Link]
[Link]

dump app-probe status


Use the dump app-probe status command to display the status for an application probe on
an ION device. The controller port generates the application probes, in case you do not configure
any LAN ports for generating application probes.

By default, it is enabled.

Command

dump app-probe status

Options

None

Prisma SD-WAN ION Device CLI Reference 93 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump app-probe config

dump app-probe flow

Introduced in Release 5.4.1

Example

dump app-probe status


App Probe Enabled : true
Probe IP : [Link]
App Probe Conf IP : [Link]
App Probe Conf Dev ID : 15845897281350020
App Probe Conf Dev Status : true
Controller IP : [Link]
Controller IP Dev ID : 15845897281390027
Controller IP Dev Status : true

dump auth config


Use the dump auth config command to display authorization details on users logged into the
device and their role. The user ID is a unique identifier for the device user, while the login ID is the
login ID for accessing the device.

Command

dump auth config ( all | user =login ID )

Options

all Enter an application name to display prefixes for the application.

login ID Enter a server IP address to display prefixes mapped to the


server.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump auth status

Prisma SD-WAN ION Device CLI Reference 94 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 4.4.1

Example

dump auth config all


User ID : 14872526471910248
Login ID: elem-admin
Role : super
Username: elem-admin
User ID : 14890435456360091
Login ID: bob1Role : monitor
Username: Bob1
User ID : 14890407466420045
Login ID: john
Role : readonly
Username: John

dump auth status


Use the dump auth status command to display details of the logged-in users, roles, IDs, and
user names.

Command

dump auth status

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump auth config

Introduced in Release 4.4.1

Example

dump auth status


LoggedIn user details
User ID : 14872526471910248
Login ID: elem-admin
Role : super
Username: elem-admin

Prisma SD-WAN ION Device CLI Reference 95 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump banner config


Use the dump banner config command to display the current configured banner.

Command

dump banner config

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands config banner

Introduced in Release 4.4.1

Example

dump banner config


###################################
This is a sample banner.
##########################

dump bfd status


Use the dump bfd status command to display details of bidirectional forwarding detection
(BFD) status for VPNs on a device. Information includes session ID, BFD Local IPv4 and IPv6
addresses, BFD Remote IPv4 and IPv6 addresses, along with BFD state (up or down).

Command

dump bfd status [ all | [localv4=local-ipv4 | remotev4=remote-ipv4 |


localv6=local-ipv6 | remotev6=remote-ipv6 |state=(up | down) ]+

Options

all Enter all to display all BFD sessions on a device.

localv4 Displays status of BFD sessions with the specific local IPv4
address.

Prisma SD-WAN ION Device CLI Reference 96 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

remotev4 Displays status of BFD sessions with the specific remote IPv4
address.

localv6 Displays status of BFD sessions with the specific local IPv6
address.

remotev6 Displays status of BFD sessions with the specific remote IPv6
address.

state=up Displays BFD sessions in the up state.

state=down Displays BFD sessions in the down state.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.5.1

Example

# dump bfd status localv6=2008::5


id=62 local=2008::5 (a) remote=6001::1 state=UP
id=61 local=2008::5 (a) remote=5001::1 state=Down
id=58 local=2008::5 (a) remote=2007::23 state=UP
id=55 local=2008::5 (a) remote=2020::2 state=Down
id=52 local=2008::5 (a) remote=7901::1 state=Down

dump bypass-pair config


Use the dump bypass-pair config command to display bypass-pair configuration details.
Information displayed includes port names configured as part of a bypass-pair, status of LAN state
propagation—whether enabled or not, Hardware Relay connection status, admin state, and use of
the port for public or private networks.

Command

dump bypass-pair config

Options

None

Prisma SD-WAN ION Device CLI Reference 97 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.6.1

Example

dump bypass-pair config


Bypass Pair : wan 1 & lan 1
Propagate Lan State : No
Hardware Relay : Yes
Admin State : up
Used For : private_wan
Attached Network :
Network ID : 15132379689770097
Name : default_lahor_523862800
VLAN : 10
Scope : global
IP address at Router: [Link]/24
Network ID : 15208455382440118
Name : default_lahore_97264634
VLAN : 110Scope : global
IP address at Router: [Link]/24
Network ID : 15208455388040127
Name : default_lahore_623716095
VLAN : 220
Scope : global
IP address at Router: [Link]/24
Bypass Pair : wan 3 & lan 3
Propagate Lan State : No
Hardware Relay : Yes
Admin State : up
Used For : none
Bypass Pair : wan 4 & lan 4
Propagate Lan State : No
Hardware Relay : Yes
Admin State : up
Used For : public

dump bypass-pair config


Bypass Pair : 1 & 3
Propagate Lan State : No
Hardware Relay : No
Used For : private-l2
Attached Network :
Network ID : 1678787458499023596
Name : default_bangalore_567099648
VLAN : 0
Scope : global
IP address at Router: [Link]/24

Prisma SD-WAN ION Device CLI Reference 98 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

IPv6 address at Router: [Link]/64


CircuitLabel : BangalorePvtSWI1

dump cellular config


Use the dump cellular config command to display the cellular configurations.

Command

dump cellular config cwan1

Options

all Enter all to display cellular configuration for all


interfaces.

interfaces Enter the interface name to display cellular


configuration for a specific interface.

Command Notes

Role Super, Read Only, Monitor

Related Commands

Introduced in Release 5.6.1

Example

dump cellular config cwan1


Name : cwan1
ID : 16237015533020015
Radio : on
Primary SIM : 1
GPS : enabled
SIM pin configuration
Slot : 2
SIM pin : not configured
Slot : 1
SIM pin : configured

dump cellular stats


Use the dump cellular stats command to display the statistics of the modem.

Prisma SD-WAN ION Device CLI Reference 99 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump cellular status


cwan1

Options

all Enter all to display statistics for all modems.

interface Enter the modem name to display statistics for a


specific modem.

Command Notes

Role Super, Read Only, Monitor

Related Commands

Introduced in Release 5.6.1

Example

dump cellular stats cwan1


Element ID : 1660185387409003213
Site ID : 1657914731039022013
Tenant ID : 100
Module Id : 1660185401330007713
Carrier : Amarisoft
MCC Code : 1
MNC Code : 1
Cell ID : 27447393
Signal Strength
Technology Code : LTE (2)
Signal Strength Indicator : POOR (1)
RSRP (in dBm) : -75.0
RSRQ (in dB) : -7.0
RSSI (in dBm) : -49.0
SNR (in dB) : 30.0
Packet Statistics
APN : internet1
IPv4 Data Session
Session ID : 2912266896
Rx Packets : 9, Drops : 0, Errors : 0, Overflows : 0

Tx Packets : 4, Drops : 0, Errors : 0, Overflows : 0

Rx Total Bytes : 1258 Tx Total Bytes : 488


IPv6 Data Session
Session ID : 2912268832

Prisma SD-WAN ION Device CLI Reference 100 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Rx Packets : 0, Drops : 0, Errors : 0, Overflows : 0

Tx Packets : 4, Drops : 0, Errors : 0, Overflows : 0

Rx Total Bytes : 804 Tx Total Bytes : 304


GPS
Latitude (in degrees) : Not Available
Longitude (in degrees) : Not Available
Misc counters
Cell Switches : 0
Modem Resets : 0
Radio Resets : 0
Network Disconnects : 0
SIM Switchovers : 1

dump cellular status


Use the dump cellular status command to display the cellular status of the modem.

Command

dump cellular status


cwan1

Options

all Enter all to display configuration for all modems.

interface Enter the modem name to display configuration for a specific modem.

firmware Displays firmware information.

profiles Displays cellular profile information.

network Displays the network information.

active-sim Displays active SIM information.

internal-stats Displays model internal stats information.

radio Displays radio information.

image Displays firmware and PRI files information.

data-sessions Displays data sessions information.

Prisma SD-WAN ION Device CLI Reference 101 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands

Introduced in Release 5.6.1

Example

dump cellular status cwan1


Modem information
ID : 1643856748616017328
Provider : T-Mobile
Technology : LTE
Signal Strength : good
Operating Mode : online
Model : EM7411
Manufacturer : Sierra Wireless, Incorporated
IMEI : 356280110572292
FSN : 8F1394217702B119
SIM status
Slot : 1
Card State : present
IMSI : 311882005035600
ICCID : 89018820017503560000
PIN State : disabled
PIN Retries : 3
PUK Retries : 10
Slot : 2
Card State : present
IMSI : 311480964222275
ICCID : 89148000004918037931
PIN State : disabled
PIN Retries : 3
PUK Retries : 10
Active SIM : 1
Network access information
Registration State : registered
Activation State : activated
PS State : attached
MCC : 310
MNC : 260
Freq Band : B2
Cell ID : 21327368
Roaming : false
Location information
State : acquiring
Firmware information Image Carrier Firmware Version PRI
Version Active Location
ATT [Link] 002.048.006 false
on_host
TMO [Link] 002.006.000 true
on_modem_and_host

Prisma SD-WAN ION Device CLI Reference 102 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

VERIZON [Link] 002.045.005 false


on_modem_and_host
Firmware config status information
Status ID : 43802778
Processed : true
Download Deadline Time : <nil>
Upgrade Deadline Time : <nil>
Firmware State
Current Carrier : VERIZON
Current Firmware Version : [Link]
Current PRI Version : 002.045.005
Upgrade Carrier :
Upgrade Firmware Version :
Upgrade PRI Version :
Location : [Link]
home/7411_VERIZON_01.14.07.00_002.[Link]
Download Start Time : <nil>
Upgrade Start Time : <nil>
Download Percent : 0
Status : downloadFailed
Status Info : File
7411_VERIZON_01.14.07.00_002.[Link] not found

Last Change : 2022-10-28 [Link].43 +0000 UTC

dump cellular status cwan1 active-sim


Active SIM Information
Slot Number : 2
Card State : Present
Card Error : Unknown
PIN Retries : 3
PUK Retries : 10
PIN State : Disabled
Slot Status : Present
PHY Slot Status : Active
Slot Logical : 1
ICCID : 89882119100000046580
IMSI : 001010123456789

dump cellular status cwan1 network


Network Information
LTE Network Information
Band : B6
Bandwidth : 20MHz
RX Chain : 3350
TX Chain : 21350
EMM State : Registered
EMM Substate : Normal Service
EMM Conn State : RRC Connected
Serving System Information
Registration State : Registered
CS Attach State : Attached
PS Attach State : Attached
Selected Network : 3GPP
Roaming : Home

Prisma SD-WAN ION Device CLI Reference 103 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

LAC : 65534
Cell ID : 27447297
TAC : 1
Service Status : Service available
Service Capability : CS

dump cellular status cwan1 data-sessions


Data Session Details
Session 1
Status : Connected
State : Active
IP Address : [Link]/32
Gateway : [Link]
DNS Primary : [Link]
DNS Secondary : [Link]
MTU : 1500
APN : internet1
Session 2
Status : Connected
State : Active
IP Address : [Link]/64
Gateway : [Link]
DNS Primary : [Link]
DNS Secondary :
MTU : 1500
APN : internet1

dump cgnxinfra status


Use the dump cgnxinfra status command to display web-socket statistics, logs, and flows
connections.

Command

dump cgnxinfra status

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.4.1

Prisma SD-WAN ION Device CLI Reference 104 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

dump cgnxinfra status


Role WS-state Live-WS-Intf Last-Msg-Received-At
Last-Msg-Sent-To-Controller-At
---- -------- ------- --------------------
------------------------------
stats connected controller1 14 Jul 2020 [Link] 14 Jul
2020 [Link]
logs connected controller1 14 Jul 2020 [Link] 14 Jul
2020 [Link]
flows connected controller1 N/A 14 Jul
2020 [Link]

dump cgnxinfra status live


Use the dump cgnxinfra status live command to display the websocket status of live
connections.

Command

dump cgnxinfra status live

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.4.1

Example

dump cgnxinfra status live


Role Live-WS Live-WS-Intf Live-WS-Addr Store-WS
Store-WS-Intf Store-WS-Addr File-Uploading
---- -------- ------- -------------------- ---------
------------- ------------- --------------
stats connected controller1 [Link]:48179 N/A
N/A N/A N/A
logs connected controller1 [Link]:47833 idle-
closed N/A N/A N/A
flows connected controller1 [Link]:36921 N/A
N/A N/A N/A

Prisma SD-WAN ION Device CLI Reference 105 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump cgnxinfra status store


Use the dump cgnxinfra status store command to display the websocket status of file
connections.

Command

dump cgnxinfra status store

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.4.1.

Example

dump cgnxinfra status store


Role WS-State WS-Intf File-Uploading Last-
File-Uploading-At
---- -------- ------- --------------------
------------------------------
stats N/A N/A N/A N/A
logs idle-closed N/A N/A 13 Jul
2020 [Link]
flows N/A N/A N/A N/A

dump config network


Use the dump config network command to display the network specific configurations of
a device. Information includes interface details such as Interface ID, type of interface, whether
the interface is used for public or private WAN, admin state of the interface along with IP
configuration.

Command

dump config network

Prisma SD-WAN ION Device CLI Reference 106 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump-support details

Introduced in Release 4.7.1

Example

dump config network


Interface configuration:
------------------------------------------------------------
Interface : controller 1
Description : Controller
ID : 15202329874080140
Type : port
Admin State : up
Alarms : enabled
MTU : 1500
IP : dhcp
Interface : 1
Description : Interface 1
ID : 15202329874780150
Type : port
Used For : private_wan
Admin State : down
Alarms : enabled
MTU : 1500
IP : dhcp
Interface : 2
Description :
ID : 15202329874870156
Type : port
Used For : public
Admin State : down
Alarms : disabled
MTU : 1500
No IP configuration...

dump config security


Use the dump config security command to display the security configuration available on a
device. Information displayed includes configuration for security policy stack, security policy sets,
security policy zones, prefix filters, and security policy rules.

Prisma SD-WAN ION Device CLI Reference 107 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump config security

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump-support details

Introduced in Release 4.7.1

Example

dump config security


SECURITY POLICY STACKS
---------------------------------------------------
Security Policy Stack ID : 16242998621490011
Security Policy Stack Name : Stack1
Default Policy Set ID : 16228336609730048
Default Policy Set Name : default
Policy Set Order:
16245957623450255 : Set2-Port-Range
16245009722000198 : Set3-Specific
16245013500920058 : Set4-Generic

SECURITY POLICY SETS


---------------------------------------------------
Security Policy Set ID : 16245957623450255
Security Policy Set Name: Set2-Port-Range
Policy Rule Order:
16246315738930189: Rule1-Set2-20
16246317241460212: Rule2-Set2-21
16246318197250246: Rule3-Set2-22

Security Policy Set ID : 16245009722000198


Security Policy Set Name: Set3-Specific
Policy Rule Order:
16245010650670003: Rule1-Set3-20
16245011984140128: Rule2-Set3-21
16245012757060237: Rule3-Set3-22

Security Policy Set ID : 16245013500920058


Security Policy Set Name: Set4-Generic
Policy Rule Order:
16245013906270078: Rule1-Set4

Prisma SD-WAN ION Device CLI Reference 108 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Security Policy Set ID : 16228336609730048


Security Policy Set Name: default
Policy Rule Order:
16228336610060052: self-zone
16228336610050051: intra-zone
16228336609900050: default
SECURITY POLICY ZONES
---------------------------------------------------
Security Policy Zone ID : 16204672468290016
Security Policy Zone Name : Zone-Internet-VPN
Zone Association ID : 16245135536470064
Interfaces :
VPN-overlay
LAN Networks :

Security Policy Zone ID : 16200471388560063


Security Policy Zone Name : Zone-Internet
Zone Association ID : 16285714095880087
Interfaces :
16150115632720220 : 2
LAN Networks :

Security Policy Zone ID : 16200471619100074


Security Policy Zone Name : Zone-LAN
Zone Association ID : 16245779281070041
Interfaces :
LAN Networks :
Name : default_san-jose_114105279
ID : 16200275524390210
LAN Prefixes :
[Link]/24

Name : default_san-jose_450021252
ID : 16261268429250112
LAN Prefixes : [Link]/24

Name : default_san-jose_270864556
ID : 16261251535530088
LAN Prefixes : [Link]/24

SECURITY POLICY PREFIX FILTERS


---------------------------------------------------
Prefix Filter ID : 16242993943320129
Prefix Filter Name : DC-192-168-20-0
Prefix :
[Link]/24

Prefix Filter ID : 16242994662000182


Prefix Filter Name : DC-192-168-22-0
Prefix :
[Link]/24

Prefix Filter ID : 16242994310450145


Prefix Filter Name : DC-192-168-21-0
Prefix :

Prisma SD-WAN ION Device CLI Reference 109 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[Link]/24

Prefix Filter ID : 16242993172060125


Prefix Filter Name : LAN-192-168-7-100
Prefix : [Link]/32

SECURITY POLICY RULES


---------------------------------------------------
Security Policy Rule ID : 16246315738930189
Security Policy Rule Name : Rule1-Set2-20
Action : allow
Rule-Type : custom
Enabled : true
Source Zones :
16200471619100074: Zone-LAN
Destination Zones :
16204672468290016: Zone-Internet-VPN
Applications :
ANY
Source Prefix Filters :
16242993172060125: LAN-192-168-7-100
Destination Prefix Filters :
16242993943320129: DC-192-168-20-0
Services :
Protocol : 6
Source Port Range :
ANY
Destination Port Range :
from : 5005
to : 5015

from : 5020
to : 5025

Protocol : 17
Source Port Range :
ANY
Destination Port Range :
from : 5005
to : 5015

Protocol : 1
Source Port Range :
ANY
Destination Port Range :
ANY

Security Policy Rule ID : 16246317241460212


Security Policy Rule Name : Rule2-Set2-21
Action : deny
Rule-Type : custom
Enabled : true
Source Zones :
16200471619100074: Zone-LAN
Destination Zones :
16204672468290016: Zone-Internet-VPN

Prisma SD-WAN ION Device CLI Reference 110 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Applications :
ANY
Source Prefix Filters :
16242993172060125: LAN-192-168-7-100
Destination Prefix Filters :
16242994310450145: DC-192-168-21-0
Services :
Protocol : 6
Source Port Range :
ANY
Destination Port Range :
from : 6000
to : 6010

Protocol : 17
Source Port Range :
ANY
Destination Port Range :
from : 6005
to : 6015

Security Policy Rule ID : 16246318197250246


Security Policy Rule Name : Rule3-Set2-22
Action : reject
Rule-Type : custom
Enabled : true
Source Zones :
16200471619100074: Zone-LAN
Destination Zones :
16204672468290016: Zone-Internet-VPN
Applications :
ANY
Source Prefix Filters :
16242993172060125: LAN-192-168-7-100
Destination Prefix Filters :
16242994662000182: DC-192-168-22-0
Services :
Protocol : 6
Source Port Range :
ANY
Destination Port Range :
from : 7000
to : 7010

Protocol : 17
Source Port Range :
ANY
Destination Port Range :
from : 7000
to : 7010

Security Policy Rule ID : 16245010650670003


Security Policy Rule Name : Rule1-Set3-20
Action : allow
Rule-Type : custom
Enabled : true

Prisma SD-WAN ION Device CLI Reference 111 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Source Zones :
16200471619100074: Zone-LAN
Destination Zones :
16204672468290016: Zone-Internet-VPN
Applications :
ANY
Source Prefix Filters :
16242993172060125: LAN-192-168-7-100
Destination Prefix Filters :
16242993943320129: DC-192-168-20-0
Services :
Protocol : 6
Source Port Range :
ANY
Destination Port Range :
from : 5005
to : 5005

Protocol : 17
Source Port Range :
ANY
Destination Port Range :
from : 5005
to : 5005

Security Policy Rule ID : 16245011984140128


Security Policy Rule Name : Rule2-Set3-21
Action : deny
Rule-Type : custom
Enabled : true
Source Zones :
16200471619100074: Zone-LAN
Destination Zones :
16204672468290016: Zone-Internet-VPN
Applications :
ANY
Source Prefix Filters :
16242993172060125: LAN-192-168-7-100
Destination Prefix Filters :
16242994310450145: DC-192-168-21-0
Services :
Protocol : 6
Source Port Range :
ANY
Destination Port Range :
from : 6000
to : 6000

Protocol : 17
Source Port Range :
ANY
Destination Port Range :
from : 6005
to : 6005

Security Policy Rule ID : 16245012757060237

Prisma SD-WAN ION Device CLI Reference 112 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Security Policy Rule Name : Rule3-Set3-22


Action : reject
Rule-Type : custom
Enabled : true
Source Zones :
16200471619100074: Zone-LAN
Destination Zones :
16204672468290016: Zone-Internet-VPN
Applications :
ANY
Source Prefix Filters :
16242993172060125: LAN-192-168-7-100
Destination Prefix Filters :
16242994662000182: DC-192-168-22-0
Services :
Protocol : 6
Source Port Range :
ANY
Destination Port Range :
from : 7000
to : 7000

Protocol : 17
Source Port Range :
ANY
Destination Port Range :
from : 7000
to : 7000

Security Policy Rule ID : 16245013906270078


Security Policy Rule Name : Rule1-Set4
Action : allow
Rule-Type : custom
Enabled : true
Source Zones :
16200471619100074: Zone-LAN
Destination Zones :
16204672468290016: Zone-Internet-VPN
Applications :
ANY
Source Prefix Filters :
ANY
Destination Prefix Filters :
ANY
Services :
ANY

Security Policy Rule ID : 16228336610060052


Security Policy Rule Name : self-zone
Action : allow
Rule-Type : self-zone
Enabled : true
Source Zones :
ANY
Destination Zones :
ANY

Prisma SD-WAN ION Device CLI Reference 113 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Applications :
ANY
Source Prefix Filters :
ANY
Destination Prefix Filters :
ANY
Services :
ANY

Security Policy Rule ID : 16228336610050051


Security Policy Rule Name : intra-zone
Action : allow
Rule-Type : intra-zone
Enabled : true
Source Zones :
ANY
Destination Zones :
ANY
Applications :
ANY
Source Prefix Filters :
ANY
Destination Prefix Filters :
ANYServices :
ANY

Security Policy Rule ID : 16228336609900050


Security Policy Rule Name : default
Action : deny
Rule-Type : default
Enabled : true
Source Zones :
ANY
Destination Zones :
ANY
Applications :
ANY
Source Prefix Filters :
ANY
Destination Prefix Filters :
ANY
Services :
ANY

dump controller cipher


Use the dump controller cipher command to determine the encryption level to use for
device-to-controller communication.

Command

dump controller cipher

Prisma SD-WAN ION Device CLI Reference 114 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands config controller cipher

Introduced in Release 4.4.1

Example

dump controller cipher


Cipher: RSA-AES256-GCM-SHA384

dump controller status


Use the dump controller status command to display the status of the ION device’s
connection to the controller such as connected, partially connected, or not connected.

Command

dump controller status

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.4.1

Example

dump controller status


Controller Connection : Connected
Number of Active Connections : 4

--------------------------------------------------------------------

Prisma SD-WAN ION Device CLI Reference 115 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Logs_live tcp 0 0 [Link]:40785 [Link]:443


ESTABLISHED
flows_live tcp 0 0 [Link]:34105 [Link]:443
ESTABLISHED
mrl tcp 0 0 [Link]:52609 [Link]:443
ESTABLISHED
stats_live tcp 0 0 [Link]:52777 [Link]:443
ESTABLISHED

dump device accessconfig


Use the dump device accessconfig command to display the details of device toolkit
configuration. Information displayed includes values in seconds for account disabled interval and
inactive interval along with the number of login attempts allowed.

Command

dump device accessconfig

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.3

Example

dump device accessconfig


SSH Enabled : true
Account Disabled Interval : 5
Inactive Interval : 15
Opt Key Version : 1
Retry Login Count : 5
SSH Outbound Enabled : false

dump device conntrack count


Use the dump device conntrack count command to display the number of current
internal kernel level connections. A high conntrack count impacts device performance and traffic
forwarding.

Prisma SD-WAN ION Device CLI Reference 116 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump device conntrack count

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.1.11

Example

dump device conntrack countconntrack count : 177 (max: 327680)

dump device date


Use the dump device date command to display the current date and time displayed in
coordinated universal time (UTC) on the Prisma SD-WAN ION device.

Command

dump device date

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump device info

dump device status

Introduced in Release 4.4.1

Prisma SD-WAN ION Device CLI Reference 117 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

dump device dateMon Mar 20 [Link] UTC 2017

dump device info


Use the dump device info command to display the details on the device. The device id is a
unique identifier for the device. Additional information includes firmware and hardware versions,
the manufacturer’s name, and model name and serial number of the device.

Command

dump device info

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump device status

Introduced in Release 4.4.1

Example

dump device info


ModelName : ion 2000
SerialNumber : 20-016545-8088
UUID : cc53d205-4401-e411-b9f8-ecb907048a3c
FirmwareVersion : American Megatrends Inc. DBDA 05/23/2017
HardwareVersion : V2.0, MB-7525DB V0.0
Manufacturer : CloudGenix
Operating Fips Mode : fips
Storage Details
Model Family :
Model Name : TS128VSDMD15LAP
Firmware Version: O1225G
Serial Number : F755340233

dump device status


Use the dump device status command to display the overall status of device, including
device state, role, and HA state. The device state indicates if the device is claimed, assigned,
revoked, or unassigned. The device role indicates if it is a branch or a data center device.

Prisma SD-WAN ION Device CLI Reference 118 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

The HA State of the branch device, in the case of redundant configuration, displays as none,
active, or standby, indicating:
• None—When the site is in Monitor mode, the device is neither active nor on standby.
• Active—When the device is in non-redundant configuration or is in redundant configuration
and is currently Active.
• Standby—When the device is in redundant configuration and is currently on Standby.
Active or Backup branch devices implies the number of active and backup branch devices
currently handled by the data center device as part of a cluster.

Command

dump device status

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump device info

Introduced in Release 4.4.1

Example

dump device status


Device ID: 4212f970-1187-f625-9074-277d2ed52f9f
Device Name: None
Device State: Assigned
Site State: active
Device Role: HUB
HA State: active

dump dhcp-relay config


Use the dump dhcp-relay config command to display the DHCP relay configuration. DHCP
relay configuration is a part of interface configuration. A list of DHCP server IPs are displayed. A
maximum of two DHCP servers are configured as part of DHCP relay configuration per interface.
DHCP relay supports four re-forwarding policies: keep, replace, append, and drop. The default
value is replace. If option 82 is enabled, then those options are replaced at the DHCP relay.
If option 82 is not enabled, incoming packets from other relays are forwarded without any
modification. DHCP Relay can be configured only on branch ION devices.

Prisma SD-WAN ION Device CLI Reference 119 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

By default, controller port is used as the source interface to reach the DHCP servers. If option
82 support is enabled on the DHCP relay, option 82 parameters are added to incoming DHCP
requests from a client or another relay, before forwarding to the DHCP server.

Command

dump dhcp-relay config

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump dhcprelay stat

config interface

Introduced in Release 5.1.3

Example

dump dhcp-relay config


Name : controller 1
ID : 15476292791020179
DHCP Relay Enabled : true
Server IPs : [[Link]]
SourceInterface : 1
Option 82 Enabled : true
Circuit ID : 200
Remote ID : 500
Reforwarding Policy : replace

dump dhcprelay stat


Use the dump dhcprelay stat command to display the DHCP relay statistics for all
configured interfaces. Statistics displayed for each interface include Process ID of the DHCP
Relay Process and DHCP statistics. DHCP statistics include number of requests, number of
responses, packets dropped, packets acknowledged, packets not-acknowledged and packets
declined.

Command

dump dhcprelay stat

Prisma SD-WAN ION Device CLI Reference 120 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands clear dhcprelay stat

Introduced in Release 4.5.1

Example

dump dhcprelay stat


Interface : eth0
Pid : 15109
Request : 0
Request Relayed : 0
Response : 0
Response Relayed: 0
Drop : 0
NACK : 0
Decline : 0
ACK : 0

dump dhcp-server config


Use the dump dhcp-server config command to display the DHCP server configuration. A
DHCP server configuration includes up to 256 different subnets. Information displayed includes
Subnet ID, DNS, Domain Names, Subnet IP address range, default lease time, and maximum lease
time in seconds.
It also supports vendor class identifier (VCI) or option 60 for a DHCP Server. A DHCP client sends
an option code 60 (VCI) in its communication with the DHCP server. On receiving option 60 or
VCI, the DHCP server matches the received VCI with a VCI from its own table. It then returns a
value corresponding to the VCI to the DHCP client. DHCP Servers is enabled and configured only
on branch ION devices.

Command

dump dhcp-server config ( all | vrf-name=vrf name )

Options

all Enter all to display the DHCP server


configuration. Release 6.3.1

Prisma SD-WAN ION Device CLI Reference 121 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

vrf-name Enter a VRF name to display the DHCP server


configuration for a specific VRF. Release 6.3.1

Command Notes

Role Super, Read Only, Monitor

Related Commands dump dhcp-server status

Introduced in Release 5.1.3

Example

dump dhcp-server config


ID : 15674925897730164
Subnet : [Link]/24
Broadcast Address : [Link]
Gateway : [Link]
IP Ranges : [Link] to [Link] [Link] to [Link]
Default Lease Time : 43200
Max Lease Time : 86400
Static Mappings :
Name : CLIENT1
IP Address : [Link]
MAC Address : [Link]
Name : CLIENT2
IP Address : [Link]
MAC Address : [Link]
Custom Options :
VCI : CGNXCLIENT
Option Definition : option name code 1 = text
Option Value : option name "Cloudgenix"
VCI : BOAOption Definition : option value code 2 = integer 8
Option Value : option value 56
Network Context ID :
Disabled : false

dump dhcp-server config


ID : 1677230916405018128
Address Family : ipv6
Subnet : 3001::/64
IP Ranges : 3001::10 to 3001::20
Default Lease Time : 43200
Max Lease Time : 86400
Custom Options :
VCI : CGNXClient
Option Definition : option vendor-
encapsulated-option code 1 = string
Option Value : option vendor-
encapsulated-option "[Link]"
Network Context ID :

Prisma SD-WAN ION Device CLI Reference 122 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Disabled : false

ID : 1678186343314004728
Address Family : ipv4
Subnet : [Link]/24
Broadcast Address : [Link]
Gateway : [Link]
DNS Servers : [[Link] [Link]
[Link]]
Domain Name : [Link]
IP Ranges : [Link] to [Link]
Default Lease Time : 43200
Max Lease Time : 86400
Network Context ID :
Disabled : false

dump dhcp-server config vrf-name=yellow


ID : 1696567405235006428
Address Family : ipv4
Subnet : [Link]/24
Broadcast Address : [Link]
Gateway : [Link]
IP Ranges : [Link] to [Link]
Default Lease Time : 43200
Max Lease Time : 86400
Network Context ID :
VRF Context ID : 1695795392653021428
VRF Name : yellow
Vni : 965
Disabled : false

dump dhcp-server status


Use the dump dhcp-server status command to display the dynamic host configuration
protocol (DHCP) server status.

Command

dump dhcp-server status ( all | vrf-name=vrf name )

Options

all Enter all to display the DHCP server status.


Release 6.3.1

vrf-name Enter a VRF name to display the DHCP server


status for a specific VRF. Release 6.3.1

Prisma SD-WAN ION Device CLI Reference 123 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands inspect dhcplease

Introduced in Release 5.0.3

Example

dump dhcp-server status


DHCP server is running on the following interfaces:5 6 4

dump dhcp-server status


DHCPv4 server is running on the following interfaces:
9
DHCPv6 server is running on the following interfaces:
9

dump dhcp-server status all

-----------------------------------------------------------
VRF: Global
DHCPv4 server is running on the following interfaces:
2 4

-----------------------------------------------------------
VRF: yellow
DHCPv4 server is running on the following interfaces:
6

-----------------------------------------------------------
No DHCPv6 server running

dump dhcp-server status vrf-name=yellow

-----------------------------------------------------------
VRF: yellow
DHCPv4 server is running on the following interfaces:
6

-----------------------------------------------------------
No DHCPv6 server running

dump dhcp-server status vrf-name=yellow

-----------------------------------------------------------
VRF: yellow
DHCPv4 server is running on the following interfaces:
6

Prisma SD-WAN ION Device CLI Reference 124 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

-----------------------------------------------------------
No DHCPv6 server running

dump dhcpstat
Use the dump dhcpstat command to display the dynamic host configuration protocol (DHCP)
server statistics, to understand DHCP requests and responses, and the number of IP addresses
that have been used out of the available pool of IP addresses.

Command

dump dhcpstat (all | vrf-name=vrf name)

Options

all Enter all to display information on all the DHCP stats.

vrf-name Enter vrf name for selected VRF DHCP [Link] 6.3.1

Command Notes

Role Super, Read Only, Monitor

Related Commands inspect dhcplease

Introduced in Release 4.4.1

Example

dump dhcpstat
Request: 15
Response: 16
NACK: 0
Decline: 0
ACK: 7
Lease Used: 1
Lease Available: 10

dump dhcpstat all

=====================================
VRF: Global
Request : 0
Response : 0
NACK : 0
Decline : 0
ACK : 0

Prisma SD-WAN ION Device CLI Reference 125 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Lease Used : 0
Lease Available : 9

=====================================
VRF: yellow
Request : 0
Response : 0
NACK : 0
Decline : 0
ACK : 0
Lease Used : 0
Lease Available : 9

dump dhcpstat vrf-name=Global

=====================================
VRF: Global
Request : 0
Response : 0
NACK : 0
Decline : 0
ACK : 0
Lease Used : 0
Lease Available : 9

dump dnsservice config all


Use the dump dnsservice config all to display all the configurations related to DNS
Service Profile. DNS Service Profiles are used to specify configuration parameters for the Prisma
SD-WAN DNS Service. DNS configurations include all the details of authoritative config, dns-
forward config, cache config, dns-queries metadata, dns-rebind config, dns-response overrides,
dnssec config and domain to address.

Command

dump dnsservice config (all | dns-forward-config | dns-queries-


metadata | domain-to-address | dns-response-overrides | cache-config
| dns-rebindconfig | dnssec-config | authoritative-config)

Options

all Enter all to display summary of all the configurations related to DNS.

dns-forward- Enter dns-forward-config to view all the DNS-Forward configurations from


config DNS profile

dns-queries- Enter dns-queries-metadata to view all the configurations related to dns-


metadata queries-metadata from DNS profile.

domain-to- Enter domain-to-address to view all the domain-to-address configurations


address from DNS profile.

Prisma SD-WAN ION Device CLI Reference 126 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dns-response- Enter dns-response-overrides to view all the configurations related to dns-


overrides response-overrides from DNS profile.

cache-config Enter cache-config to view all the cache configurations from DNS profile.

dns-rebind- Enter dns-rebind-config to view all the dns-rebind configurations from DNS
config profile.

dnssec-config Enter dnssec-config to view all the DNSSEC configurations from DNS
profile.

authoritative- Enter authoritative-config to view all the authoritative configurations from


config DNS profile.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.4.1

Example

dump dnsservice config all


Name : Myservicename update 100
Enabled : true
Etag : 3ID : 15862297924230215
DNS Service Profile
DNS Service Profile
ID : 15857239920150188
Etag : 1
Listen Dnsservice roleID : 15857234131980064
Listen Port : 53

DNS Forward Config

DNS Servers :
IP Prefix : [Link]/24
Domain Names : [[Link] [Link]]
DNS Server IP : [Link]
DNS Server Port : 60
Forward DNS Service Role ID : 15857233845640047
Source Port : 1002
IP Prefix : [Link]/32
Domain Names : [[Link] [Link]]
DNS Server IP : [Link]
DNS Server Port : 70
Forward DNS Service Role ID : 15857233845640047
Source Port : 1005
Minimum Source Port : 1000

Prisma SD-WAN ION Device CLI Reference 127 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Maximum Source Port : 2000


Send to all DNS Servers : true
Enable Strict DomainName : false
Enable DNS Loop Detection : false
Edns Packet Max : 100
DNS Queries Metadata
Add Customer Premises Equipment :
Type : text
IdentifierText : cpeid
Add Client Mac :
MacEncodingFormat : [Link]
Identifier :
Type : text
IdentifierText : mytxt1
Add Subnets :
Ipv4 Address : [Link]
Ipv4 Prefix Length : 32
Ipv4 Address : [Link]
Ipv4 Prefix Length : 32

Domains To Addresses

Domain Names : [[Link] [Link]]


Enable All Domains : false
IP Address : [Link]
Domain Names : [[Link] [Link]]
Enable All Domains : false
IP Address : [Link]

DNS Response Overrides

Max TTL : 10
Local TTL : 20
Disable Private IP Lookups : false
Ignore IP Addresses : [[Link] [Link]]
Bogus Nx Domains : [[Link] [Link]]
Aliases :
Original IP : [Link]
Original Start IP : [Link]
Original End IP : [Link]
Replace IP Address : [Link]
Replace Mask : mask
Original IP : [Link]
Original Start IP : [Link]
Original End IP : [Link]
Replace IP Address : [Link]
Replace Mask : mask

CacheConfig

Disable Negative Caching : false


Minimun Cache TTL : 40
Maximum Cache TTL : 60
Negative Cache TTL : 50
Cache Size : 1024

Prisma SD-WAN ION Device CLI Reference 128 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

DNSRebindConfig

Stop DNS Rebind Private IP : false


Enable LocalHost Rebind : true
Rebind Domains : [[Link] [Link]]
Enable Dnssec Proxy : false
DnsSecConfigEnabled : false
DNS Check Unsigned : true
Disable DNSSec Timecheck : true
Trust Anchors :
Class : class
Domain : [Link]
KeyDigest :
Key Tag : 19036
Algorithm : 8
Digest Type : 2

Digest :49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
Class : class
Domain : [Link]
KeyDigest :
Key Tag : 20326
Algorithm : 8
Digest Type : 2

Digest :E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

AuthoritativeConfig

AuthoritativeServers :
Domain Name : [Link]
DNS Service Role ID : 10
Domain Name : [Link]
DNS Service Role ID : 10
Zones :
Domain Name : [Link]
Include Prefix : [[Link]/24 [Link]/32]
Exclude Prefix : [[Link]/32 [Link]/32]
Domain Name : [Link]
Include Prefix : [[Link]/24 [Link]/32]
Exclude Prefix : [[Link]/32 [Link]/32]
SOA :
Serial Number : 2000
Host Master : hostmaster
Refresh : 10
Retry : 10
Expiry : 30
Serial Number : 2000
Host Master : hostmaster
Refresh : 10
Retry : 10
Expiry : 10
Secondary Servers : [[Link] [Link]]
Peers : [[Link] [Link]]
TTL : 100
HostRecords :

Prisma SD-WAN ION Device CLI Reference 129 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Domain Names : [[Link] [Link]]


IPV4 Address : [Link]
TTL : 300
Domain Names : [[Link] [Link]]
IPV4 Address : [Link]
TTL : 300
SynthDomains :
Domain : [Link]
Start IP Address : [Link]
End IP Address : [Link]
IP Address Prefix : [Link]/24
Domain : [Link]
Start IP Address : [Link]
End IP Address : [Link]
IP Address Prefix : [Link]/24
SRVHosts :
Service : service
Protocol : protocol
Domain Name : [Link]
Service : service
Protocol : protocol
Domain Name : [Link]
NaptrRecords :
Name : naptrrecord
Order : 10
Preference : 20
Flags : flg
Name : naptrrecord
Order : 10
Preference : 20
Flags : flg
CaaRecords :
Name : caarecord
Flags : flags
Tag : tag
Value : value
Name : caarecord
Flags : flags
Tag : tag
Value : value
CnameRecords :
Name : [cname cnaam]
Target : target1
Tag : ctag
TTL : 20
Name : [cname]
Target : target
Tag : ctag
TTL : 10
DNSResourceRecords :
Name : rcords
RR Number : 100
HEX Data : data
Name : rcords
RR Number : 100
HEX Data : data

Prisma SD-WAN ION Device CLI Reference 130 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

PtrRecords :
Name : ptrrecord
Target : target
Name : ptrrecord
Target : target
TxtRecords :
Domain Name : [Link]
Texts : [testtext]
Domain Name : [Link]
Texts : [testtext]
MxHostRecords :
Mx Name : mx_name
Hostname : hostname
Preference : 1
Mx Name : mx_name
Hostname : hostname
Preference : 1
Max Concurrent DNS Queries : 100
Dns servicerole Bindings :
Dns service role ID : 15857234131980064
Interfaces :
InterfaceID : cgx_interface:controller1
InterfaceIP : <nil>
InterfaceID :
InterfaceIP : [Link]
Dns service role ID : 15857233845640047
Interfaces :
InterfaceID : cgx_interface:1
InterfaceIP : <nil>
InterfaceID :
InterfaceIP : [Link]
DomainsToInterfaces :
Domain Names : [[Link] [Link]]
Interface ID : cgx_interface:1
Domain Names : [[Link] [Link]]
Interface ID : cgx_interface:2

dump dnsservice config all


Name : dns_service1
Enabled : true
Etag : 1
ID : 1676871344643003896
DNS Service Profile
ID : 1675823408415012596
Etag : 58
Name : Dns_profile1
Listen Dnsservice roleID : 1675768429191002596
Listen Port : 53
DNS Forward Config
DNS Servers :
DNS Server IP : [Link]
Forward DNS Service Role ID : 1675823222537008896

DNS Server IP : 2702::abcc


Forward DNS Service Role ID : 1675823222537008896

Prisma SD-WAN ION Device CLI Reference 131 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

IP Prefix : 2000::/4
DNS Server IP : 2103::13
Forward DNS Service Role ID : 1675823237643021496

Minimum Source Port : 1024


Send to all DNS Servers : true
Enable Strict DomainName : false
Enable DNS Loop Detection : false
Edns Packet Max : 4096
DNS Queries Metadata
Add Customer Premises Equipment :
Type : text
Add Client Mac :
MacEncodingFormat : base64
Add Subnets :
Ipv6 Address : [Link]
Ipv6 Prefix Length : 127

Ipv4 Address : [Link]


Ipv4 Prefix Length : 24

Domains To Addresses
DNS Response Overrides
Disable Private IP Lookups : false
Ignore IP Addresses : []
Aliases :
CacheConfig
Disable Negative Caching : false
Minimun Cache TTL : 3600
Cache Size : 150
DNSRebindConfig
Stop DNS Rebind Private IP : false
Enable LocalHost Rebind : false
Enable Dnssec Proxy : false
DnsSecConfig
Enabled : false
DNS Check Unsigned : false
Disable DNSSec Timecheck : false
Trust Anchors :
No AuthoritativeConfig
Max Concurrent DNS Queries : 150
Dns servicerole Bindings :
Dns service role ID : 1675823222537008896
Interfaces :
InterfaceID : 1675750379317012696
InterfaceIP : <nil>
Dns service role ID : 1675823237643021496
Interfaces :
InterfaceID : 1675746176821021496
InterfaceIP : <nil>
DomainsToInterfaces :

dump dpdk cpu


Use the dump dpdk cpu command to display details of the dpdk cpu usage information.

Prisma SD-WAN ION Device CLI Reference 132 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump dpdk cpu

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump dpdk port status

Introduced in Release 5.6.1

Example

dump dpdk cpu


Fast path CPU usage:
cpu: %busy cycles cycles/packet cycles/ic pkt
1: <1% 197656 26486 0
2: <1% 149272 37286 0
3: <1% 203816 20744 0

average cycles/packets received from NIC: 24627 (246270/10)

dump dpdk interface


Use the dump dpdk interface command to display details of the all interfaces within the
dpdk stack information.

Command

dump dpdk interface

Options

None

Prisma SD-WAN ION Device CLI Reference 133 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump dpdk stats

Introduced in Release 5.6.1

Example

dump dpdk interface


1:lo [VR-0] ifid=1 (virtual) <UP|RUNNING|FWD4|FWD6> (0x1b)
type=loop mac=[Link] mtu=65535 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=1 IPv6 routes=1
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none
2:eth0 [VR-0] ifid=2 (port 0) <UP|RUNNING|FWD4|FWD6> (0x1b)
type=ether mac=[Link] mtu=1500 numa=0 group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=4 IPv6 routes=3
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none
3:eth1 [VR-0] ifid=3 (port 1) <UP|RUNNING|FWD4|FWD6> (0x1b)
type=ether mac=[Link] mtu=1500 numa=0 group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=17 IPv6 routes=2
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none
4:eth2 [VR-0] ifid=4 (port 2) <UP|RUNNING|FWD4|FWD6> (0x1b)
type=ether mac=[Link] mtu=1500 numa=0 group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=10 IPv6 routes=2
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none
5:eth3 [VR-0] ifid=5 (port 3) <UP|RUNNING|FWD4|FWD6> (0x1b)
type=ether mac=[Link] mtu=1500 numa=0 group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=5 IPv6 routes=2
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none
6:eth4 [VR-0] ifid=6 (port 4) <FWD4|FWD6> (0x18)
type=ether mac=[Link] mtu=1500 numa=0 group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=0 IPv6 routes=0
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none
7:eth5 [VR-0] ifid=7 (port 5) <FWD4|FWD6> (0x18)
type=ether mac=[Link] mtu=1500 numa=0 group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=0 IPv6 routes=0
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none
10:dummy0 [VR-0] ifid=10 (virtual) <UP|RUNNING|FWD4|FWD6|NOARP>
(0x5b)
type=ether mac=[Link] mtu=1500 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=1 IPv6 routes=1
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none

Prisma SD-WAN ION Device CLI Reference 134 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

11:sl1 [VR-0] ifid=11 (virtual) <UP|RUNNING|FWD4|FWD6|NOARP>


(0x5b)
type=svti mac=[Link] mtu=1400 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=4 IPv6 routes=1
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none
12:mtap [VR-0] ifid=12 (virtual) <UP|FWD4|FWD6> (0x19)
type=ether mac=[Link] mtu=1500 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=0 IPv6 routes=1
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none
15:erspan0 [VR-0] ifid=15 (virtual) <FWD4|FWD6> (0x18)
type=ether mac=[Link] mtu=1450 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=0 IPv6 routes=0
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none
16:sl2 [VR-0] ifid=16 (virtual) <UP|RUNNING|FWD4|FWD6|NOARP>
(0x5b)
type=gre mac=[Link] mtu=1472 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=4 IPv6 routes=1
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=gre
link: eth3-vr0 link_vrfid: 0
local: [Link] remote: [Link]
ttl: inherit tos: 0x00
iflags: oflags:
17:veth1p [VR-0] ifid=17 (virtual) <FWD4|FWD6> (0x18)
type=veth mac=[Link] mtu=1500 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=0 IPv6 routes=0
if_ops: rx_dev=none rx_early=none tx_dev=veth ip_output=none

veth peer: veth1-vr0


18:veth1 [VR-0] ifid=18 (virtual) <FWD4|FWD6> (0x18)
type=veth mac=[Link] mtu=1500 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=0 IPv6 routes=0
if_ops: rx_dev=none rx_early=none tx_dev=veth ip_output=none

veth peer: veth1p-vr0


20:tap1 [VR-0] ifid=20 (virtual) <UP|FWD4|FWD6> (0x19)
type=ether mac=[Link] mtu=1500 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=0 IPv6 routes=1
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none
21:fpn0 [VR-0] ifid=21 (virtual) <UP|RUNNING|FWD4|FWD6|NOARP>
(0x5b)
type=ether mac=[Link] mtu=65521 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=0 IPv6 routes=2
if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none
22:fptun0 [VR-0] ifid=22 (virtual) <UP|RUNNING|FWD4|FWD6|NOARP>
(0x5b)
type=ether mac=[Link] mtu=65535 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=0 IPv6 routes=0

Prisma SD-WAN ION Device CLI Reference 135 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

if_ops: rx_dev=none rx_early=none tx_dev=none ip_output=none


23:veth-peer-p [VR-0] ifid=23 (virtual) <UP|RUNNING|FWD4|FWD6>
(0x1b)
type=veth mac=[Link] mtu=65535 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=7 IPv6 routes=0
if_ops: rx_dev=none rx_early=none tx_dev=veth ip_output=none

veth peer: veth-peer-vr0


24:veth-peer [VR-0] ifid=24 (virtual) <UP|RUNNING|PROMISC|FWD4|
FWD6> (0x1f)
type=veth mac=[Link] mtu=65535 no numa group=0
tcp4mss=0 tcp6mss=0
IPv4 routes=0 IPv6 routes=0
if_ops: rx_dev=fc rx_early=none tx_dev=veth ip_output=none
veth peer: veth-peer-p-vr0

dump dpdk port status


Use the dump dpdk port status command to display details of the dpdk port status
information.

Command

dump dpdk port status


<port>

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump dpdk cpu

Introduced in Release 5.6.1

Example

dump dpdk port status port=


port=1 port=3 port=5 port=4 port=controller1
port=2

dump dpdk port status port=1


Settings for eth1:
Supported Link modes: Not reported

Prisma SD-WAN ION Device CLI Reference 136 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Advertised Link modes: Not reported


Advertised pause frame use: No
Advertised auto-negotiation: No
Speed: 10000Mb/s
Duplex: Full
Auto-negotiation: off
Link detected: yes

dump dpdk stats


Use the dump dpdk stats command to display details of the dpdk stats information.

Command

dump dpdk stats

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump dpdk port status

Introduced in Release 5.6.1

Example

dump dpdk stats


==== interface stats:
lo-vr0 port:65534
eth0-vr0 port:0
eth1-vr0 port:1
eth2-vr0 port:2
eth3-vr0 port:3
eth4-vr0 port:4
eth5-vr0 port:5
dummy0-vr0 port:65534
sl1-vr0 port:65534
mtap-vr0 port:65534
erspan0-vr0 port:65534
sl2-vr0 port:65534
veth1p-vr0 port:65534
veth1-vr0 port:65534
tap1-vr0 port:65534
fpn0-vr0 port:65534

Prisma SD-WAN ION Device CLI Reference 137 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

fptun0-vr0 port:65534
veth-peer-p-vr0 port:65534
veth-peer-vr0 port:65534
==== global stats:
fp_dropped:45
fp_dropped_ipsec:43
fp_dropped_system:2
==== exception stats:
LocalBasicExceptions:2905149
LocalFPTunExceptions:203342
ExceptionByModule:
fp_exception_ether:5811
fp_exception_ifnet:1
fp_exception_unknown_ifnet:22
fp_exception_ip:3101716
fp_exception_ipv6:25
fp_exception_netfilter:916
LocalExceptionClass:
FPTUN_EXC_SP_FUNC:3107522
FPTUN_EXC_ETHER_DST:1
FPTUN_EXC_IP_DST:25
FPTUN_EXC_ICMP_NEEDED:4
FPTUN_EXC_NF_FUNC:916
LocalExceptionType:
FPTUN_BASIC_EXCEPT:2905126
FPTUN_IPV4_IPSECDONE_INPUT_EXCEPT:203342
FPTUN_ETH_SP_OUTPUT_REQ:16
FPTUN_IPSEC_SP_OUTPUT_REQ:411739
==== IPv4 stats:
IpInReceives:43
IpInDelivers:3508475
IpDroppedIPsec:43
==== arp stats:
==== IPv6 stats:
==== fp-vswitch stats:
==== IPsec stats:
IpsecDroppedInError:43
IpsecDroppedInErrorDetailed:
IpsecDroppedNoSA:23
IpsecDroppedInUdpEncapNoSA:20
==== IPsec IPv6 stats:
==== VXLAN stats:
==== vlan stats:
==== bridge stats:
==== lag stats:
==== GRE stats:
==== ebtables stats:
==== pppoe stats:

dump flow
Use the dump flow command to display the flows from the flow table to debug and
troubleshoot.

Prisma SD-WAN ION Device CLI Reference 138 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump flow (drop-summary | ifaces | stats)

Options

drop-summary Enter the drop-summary to display the summary


information of the dropped flows.

ifaces Enter the ifaces to display the information on the


ifaces of the flow.

stats Enter the stats to display the information for the


interface stats flow.

Command Notes

Role Super, Read Only

Related Commands

Introduced in Release 6.2.1

Example

dump flow drop-summary


"ae_to_dp_queue_drop": "0",
"ctrl_to_dp_queue_drop": "0",
"dp_drop_all": "6",
"dpdk_ic_drop": "32031622338",
"dpdk_packet_drop_dp": "0",
"dpdk_packet_drop_geneve_mtu": "0",
"dpdk_packet_drop_geneve_prepend_fail": "0",
"dpdk_packet_drop_invalid_iface": "46636798",
"dpdk_packet_drop_l2_inner_prepend_fail": "0",
"dpdk_packet_drop_no_ic_bulk": "0",
"dpdk_packet_drop_no_iface": "0",
"dpdk_packet_drop_no_vxlan": "0",
"dpdk_packet_drop_udp_short": "0",
"dpdk_packet_drop_vxlan_invalid": "0",
"dpdk_packet_drop_vxlan_mtu": "0",
"dpdk_packet_drop_vxlan_prepend_fail": "0",
"dpdk_qos_egress_drop": "4364958007",
"dpdk_qos_egress_mgmt_drop": "0",
"dpdk_qos_ingress_drop": "46634077",
"dpdk_qos_ingress_mgmt_drop": "0",
"drop_arp": "0",

Prisma SD-WAN ION Device CLI Reference 139 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

"drop_bfd": "0",

dump flow ifaces


id: 1657276914875014128
device: "eth5.411"
rm_state_up: true
iface_state_up: true
iface_type: "lan_ep"
refcnt: 3
input_allowed: false
bridge_only: false
dp_portno: 18446744073709551615
peer_id: 0
parent_id: 0
wn_path_id: 0
eth_addr: "[Link]"
lqm_state: false
ct_zone: 0
nat_present: false
mtu: 1500
site_iface_local_id: 0
tenant_id: 250
local_site_id: 1653992478091007828
element_id: 1655359221269018828
use_geneve: false
peer_site_role: "SPOKE"

dump flow stats


==== interface stats:
lo-vr0 port:65534
eth0-vr0 port:0
eth1-vr0 port:1
ifs_ierrors:4
eth2-vr0 port:2
ifs_ierrors:5
eth3-vr0 port:3
eth4-vr0 port:4
eth5-vr0 port:5
eth6-vr0 port:6
eth7-vr0 port:7
eth8-vr0 port:8
eth9-vr0 port:9
dummy0-vr0 port:65534
fpn0-vr0 port:65534
fptun0-vr0 port:65534
dpi0-vr0 port:65534
eth5.411-vr0 port:65534
sl1-vr0 port:65534
sl2-vr0 port:65534

dump flow count-summary


Use the dump flow count-summary command to display the total concurrent flows and fps
for monitoring purposes.

Prisma SD-WAN ION Device CLI Reference 140 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump flow count-summary

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands

Introduced in Release 5.4.1

Example

dump flow count-summary


FLOW STATS INFO at :2020-05-13 [Link]
TCP flows: 1276
UDP flows: 2
Other flows: 0
Active flows: 1278
FPS in previous second: 1097

dump flow count-summary


Flow Summary:
TCP flows: 0
UDP flows: 1
Other flows: 1
Active flows: 2
FPS in previous second: 0
Active flows: 2
FPS in previous second: 0
Path Stats:
Private Direct: 0
Public Direct: 0
Private VPN: 0
Public VPN: 0
Private Service Link: 0
Public Service Link: 0
WAN to WAN: 2
Total TCP flows: 0
Private Direct: 0
Public Direct: 0
Private VPN: 0
Public VPN: 0
Private Service Link: 0
Public Service Link: 0
WAN to WAN: 0

Prisma SD-WAN ION Device CLI Reference 141 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Total UDP flows: 1


Private Direct: 0
Public Direct: 0
Private VPN: 0
Public VPN: 0
Private Service Link: 0
Public Service Link: 0
WAN to WAN: 1
Total Other flows: 1
Private Direct: 0
Public Direct: 0
Private VPN: 0
Public VPN: 0
Private Service Link: 0
Public Service Link: 0
WAN to WAN: 1

dump interface config


Use the dump interface config command to display the interface configurations.
To display Point-to-Point Protocol over Ethernet (PPPoE) interface configuration information,
enter the PPPoE interface address for the interface. Information includes PPPoE parameters such
as interface name, interface ID, CHAP username, password, and reconnection delay.
The output changes based on whether the standard VPN is IPSec or GRE.

Command

dump interface config ( all | interface


interface_name)

Options

all Enter all to display configuration for all interfaces.

interface Enter the interface name to display configuration for


a specific interface.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump interface status

Introduced in Release 4.4.1

Prisma SD-WAN ION Device CLI Reference 142 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

dump interface config 2


Interface : 2
Description :
ID : 15886634104300012
Type : port
Admin State : up
Auto-Operational-State: enabled
Alarms : enabled
Auth type : 802.1X | mac-auth | none
Auth Reauth Timeout(sec): 3600
Auth Aging Timeout (sec): 300
NetworkContextID :
IpfixCollectorContextID :16119040123250058
IpfixFilterContextID :16136273196720228
Scope : local
Directed Broadcast : false
MTU : 1500
IP : static
Address : [Link]/24
Secondary : [Link]/24,
scope local Route : [Link]/0 via [Link] metric 0
DNS Server : [Link]
Wan ID : 15865353324180060 privatewan
CircuitLabel : Verizon MPLS
PathLabel : Verizon MPLS
BW : manual, up 20.000000 down 50.000000
QoS : enabled
LQM : enabled
PCM : enabled

dump interface config 1


Interface : 1
Description :
ID : 15886634104300012
Type : port
Used For : lan
Admin State : up
Alarms : disabled
NetworkContextID :
IpfixCollectorContextID :
IpfixFilterContextID :
Scope : local
Directed Broadcast : false
MTU : 1500
IP : No configuration
Static ARP : [Link], mac [Link]
: [Link], mac [Link]

dump interface config 1


Interface : 1
Description :
ID : 16111544924170199
Type : port
Used For : private-l2

Prisma SD-WAN ION Device CLI Reference 143 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Admin State : up
Alarms : enabled
NetworkContextID :
IpfixCollectorContextID :
IpfixFilterContextID :
Scope : local
Directed Broadcast : false
MTU : 1500
IP : No configuration
Wan ID : 15047410360090142 privatewan
CircuitLabel : L3_ATLANTA
PathLabel : private-1
BW : manual, up 20.000000 down 40.000000
QoS : enabled
QoS Agents : egress 700 ingress 701
LQM : enabled
PCM : enabled

Example of Cellular Config

dump interface config cellular1


Interface : cellular1
Description :
ID : 1643856748406010228
Type : cellular
Used For : public
Admin State : up
Alarms : enabled
Auth Type : none
NetworkContextID :
IpfixCollectorContextID :
IpfixFilterContextID :
Scope : local
Directed Broadcast : false
MTU : 1428
IP : negotiated
IPv6 : negotiated
NatZoneID : 7777
Cellular Configurations
IP Address Type : ipv4v6
Auto-APN : Enabled
Parent Module ID : 1643856748616017328
SIM Slot Number : 1

Example of IPv6

dump interface config 5


Interface : 5
Description :
ID : 1648470841543023896
Type : port
Used For : private
Admin State : up
Alarms : enabled
NetworkContextID :
IpfixCollectorContextID :

Prisma SD-WAN ION Device CLI Reference 144 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

IpfixFilterContextID :
Scope : local
Directed Broadcast : false
MTU : 1500
IP : static
Address : [Link]/24
Route : [Link]/0 via [Link] metric 0
IPv6 : static
IPv6 Address : [Link]/64
Route : ::/0 via [Link] metric 0
IPv6 DNS Server : [Link] , [Link] ,
[Link]

dump interface config 1


Interface : 1
Description :
ID : 1673506352021012628
Type : port
Used For : lan
Admin State : up
Alarms : enabled
Auth Type : none
NetworkContextID :
IpfixCollectorContextID :
IpfixFilterContextID :
Scope : local
Directed Broadcast : false
MTU : 1500
IP : static
Address : [Link]/24
IPv6 : static
IPv6 Address : [Link]/64
Prefix Distribution : Enabled

dump interface config 1.1


Interface : 1.1
Description :
ID : 1692621445883024996
Type : subinterface
Used For : private
VLAN : 1
NativeVLAN : false
Admin State : up
Alarms : enabled
Auth Type : none
NetworkContextID :
VRFContextID : 1692597097579024296
Vni : 242
IpfixCollectorContextID :
IpfixFilterContextID :
Scope : local
Directed Broadcast : false
MTU : 1500
IP : static
Address : [Link]/24

Prisma SD-WAN ION Device CLI Reference 145 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

IPv6 : No configuration
Parent Interface : 1
Parent Device : eth1

dump interface config 6


Interface : 6
Description :
ID : 1696395020985008828
Type : port
Used For : lan
Admin State : up
Alarms : enabled
Auth Type : none
NetworkContextID :
VRFContextID : 1695795392653021428
Vni : 965
VRF Name : yellow
IpfixCollectorContextID :
IpfixFilterContextID :
Scope : global
Directed Broadcast : false
MTU : 1500
IP : static
Address : [Link]/24
Route : [Link]/0 via [Link] metric 0
IPv6 : No configuration
DHCP Relay : enabled
Servers : [Link]
SourceInterface : 6
Option 82 : enabled
ReforwardingPolicy : replace

dump interface config ToDC


Interface : ToDC
Description : To Hub2
ID : 1703221347301010628
Type : service_link (ipsec)
Admin State : up
Alarms : enabled
Auth Type : none
NetworkContextID :
VRFContextID : 1692629914880022528
Vni : 0
VRF Name : Global
IpfixCollectorContextID :
IpfixFilterContextID :
Scope : local
Directed Broadcast : false
MTU : 1400
IP : static
Address : a.b.1.1/24
IPv6 : No configuration
Parent Interface : 1
Parent Device : eth1
Peer : p.q.27.38
IPSec Profile : DC-DC

Prisma SD-WAN ION Device CLI Reference 146 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Authentication Type : psk


Local ID Type : local_ip
Key Exchange : ikev1
IKE Mode : Main
IKE Lifetime : 24 hours
IKE Remote Port : 500
IKE DH Group/Encryption/Hash : modp1536/aes256/sha256, modp2048/
aes128/sha256, ecp384/aes128/sha256
ESP Lifetime : 8 hours
ESP Encapsulation : Auto
ESP DH Group/Encryption/Hash : modp1536/aes256/sha256, modp1024/
aes128/sha256
DPD Enabled : yes
DPD Delay : 1
DPD Timeout : 5
Passive Mode : disabled
Authentication Override
Authentication Type : psk
Remote ID : hub2@[Link]
Local ID Type : custom
Local ID : hub1@[Link]

dump interface status


Use the dump interface status command to display the interface status (port or sub
interface). The speed is 10,000 Mbps for 10GE SFP+ ports, and 1,000, 100, or 10 Mbps for 1GE
ports. The address is the current IPv4 and IPv6 addresses and mask for the interface and the
current DNS server learned through a DHCPor AutoConf server, or could be a static IP address
and DNS server.
To display a loopback interface status, enter the loopback interface address for the interface.

Command

dump interface status (all | interface


interface_name)

Options

all Enter all to display status for all interfaces.

interface Enter the interface name to display configuration for a


specific interface.

Prisma SD-WAN ION Device CLI Reference 147 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump interface config

Introduced in Release 4.4.1

Example

dump interface status 1


Interface : 1
Device : eth1
ID : 15886634104300012
MAC Address : [Link]
State : up
Last Change : 2020-12-02 [Link].373 (164h23m30s
ago)
Duplex : full
Speed : 1000Mbps
Address : [Link]/24
Secondary Address : [Link]/24

Example of Cellular interfaces

dump interface status cellular1


Interface : cellular1
Device : cellular1
ID : 1643856748406010228
Active Cellular Link : True
APN Name : [Link]
APN Authentication Type : none
State : up
Last Change : 2022-10-28 [Link].553 (29.554s ago)
Address : [Link]/32
Route : [Link]/0 via [Link] metric 0
DNS Server : [Link] , [Link]
Ipv6 Address : [Link]/64
Ipv6 DNS Server : [Link] , [Link]
DPDK Controlled : true

Example of IPv6

dump interface status 5


Interface : 5
Device : eth5
ID : 1648470841543023896
MAC Address : [Link]
LinkLocalAddress : fe80::250:56ff:feab:e0d4/64
State : up
Last Change : 2022-04-13 [Link].129 (149h23m6s ago)
Duplex : full
Speed : 10000Mbps

Prisma SD-WAN ION Device CLI Reference 148 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Address : [Link]/24
Route : [Link]/0 via [Link] metric 0
Ipv6 Address : [Link]/64
Route : ::/0 via [Link] metric 0
Ipv6 DNS Server : [Link] , [Link] ,
[Link]
DPDK Controlled : true

dump interface status 1


Interface : 1
Device : eth1
ID : 1662377409110006828
MAC Address : [Link]
LinkLocalAddress : fe80::250:56ff:feab:d008/64
State : up
Last Change : 2023-02-22 [Link].480 (19.938s
ago)
IPv6 Address : 2014::250:56ff:feab:d008/64
Route : ::/0 via fe80::250:56ff:fe88:53a8
metric 0
DPDK Controlled : true

Autoconf information received from router


Managed Flag : false
Other Flag : false

Example of command output showing PoE and STP state

Interface : 7
Device : dsa7
ID : 1646140037785020628
MAC Address : [Link]
State : down
Last Change : 2022-03-15 [Link].200 (1038h7m40s ago)
Status : Not connected
DPDK Controlled : false
PoE State
PoE Enabled : False
Device Type : None
Power Pair Control Ability : False
Power Pair State : NONE
Detection Status : disabled
Power Priority : low
Power Class Type : NONE
Power Consumed : 0.0
Power Usage Threshold : 100
Signal Channel Requested Class : NONE
Signal Channel Assigned Class : NONE
Signal Channel Detection Status : disabled
Signal Channel Power Consumed : 0.0
Spare Channel Requested Class : NONE
Spare Channel Assigned Class : NONE
Spare Channel Detection Status : disabled
Spare Channel Power Consumed : 0.0Stp
Interface State
STP Enabled : False

Prisma SD-WAN ION Device CLI Reference 149 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

BPDU guard enabled : False


Root Guard enabled : False
Port STP State :
Port Cost : 0
Port Priority : 128

dump interface status 1.1


Interface : 1.1
Device : eth1.1
ID : 1692621445883024996
MAC Address : [Link]
State : up
Last Change : 2023-09-18 [Link].171 (166h19m39s ago)
Address : [Link]/24
VRF Context ID : 1692597097579024296
VRF Name : VRF001
Vni : 242
DPDK Controlled : false

dump interface status 6


Interface : 6
Device : eth6
ID : 1696395020985008828
MAC Address : [Link]
State : up
Last Change : 2023-10-09 [Link].074 (18h20m4s ago)
Address : [Link]/24
Route : [Link]/0 via [Link] metric 0
VRF Context ID : 1695795392653021428
VRF Name : yellow
Vni : 965
DPDK Controlled : true

dump interface status interface details


Use the dump interface status interface details command to display the current
details of a device interface.
The output changes based on whether the standard VPN is IPSec or GRE.

Command

dump interface status [ all | interface


interface name ] details

Options

all Enter all to display status for all interfaces.

interface Enter the interface name to display configuration for a specific


interface.

Prisma SD-WAN ION Device CLI Reference 150 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump interface status

Introduced in Release 4.4.1

Example

dump interface config 1


Interface : 1
Description : NAT Config
ID : 15670679352040140
Type : port
Used For : private
Admin State : up
Alarms : enabled
NetworkContextID:
Scope : local
MTU : 1500
IP : dhcp
NatPoolID : 15603210612690114
IPv4Ranges : [Link] - [Link]
NatZoneID : 15603213252200095
Wan ID : 15338838016530159 privatewan
CircuitLabel : WAN-EASTERN
PathLabel : WAN-EASTERN
BW : manual, up 10.000000 down 30.000000
QoS : disabled
LQM : enabled
PCM : enabled

dump interface config interface=ppp0


Interface : ppp91871660175
ID : 15024291871670177
Type : pppoe
Admin State : up
Alarms : enabled
MTU : 0
IP : pppoe
PPPOE User : test1
PPPOE Password : test$123
PPPOE Reconnect Delay : 0

dump interface config bvi-1


Interface : BVI-1
Description : BVI
ID : 15734532300070135
Type : virtual_interface
Used For : private
Link #0 : 5
Link #1 : 6

Prisma SD-WAN ION Device CLI Reference 151 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Admin State : up
Alarms : enabled
NetworkContextID:
Scope : local
MTU : 1500
IP : dhcp

dump interface config Server-NY-GRE-wCC


Interface : Server-NY-GRE-wCC
Description : GRE
ID : 15666004852430198
Type : service_link (gre)
Admin State : up
Alarms : enabled
NetworkContextID:
Scope : local
MTU : 1472
IP : static
Address : [Link]/30
Parent Interface : 3
Parent Device : eth3
Peer : [Link]
Service Endpoint : GRE-SL-BGRE
Checksum : disabled
GRE Keepalives : enabled
Interval : 10
Fail Count : 3

dump interface config Server-NY-IPSEC


Interface : Server-NY-IPSEC
Description : IPSEC
ID : 15670047510280153
Type : service-link (ipsec)
Used For : public
Admin State : up
Alarms : enabled
NetworkContextID:
Scope : local
MTU : 1400
IP : static
Address : [Link]/30
Parent Interface : 3
Parent Device : eth3
Peer : [Link]
Service Endpoint : IPSEC-SL-B
Authentication Type : psk
Local ID Type : local_ip
Key Exchange : ikev2
IKE Reauth : no
IKE Lifetime : 8 hours
IKE Remote Port : 500
IKE DH Group/Encryption/Hash : modp1024/aes256/sha256
ESP Lifetime : 8 hours
ESP Encapsulation : Auto
ESP DH Group/Encryption/Hash : modp1024/aes256/sha256
DPD Enabled : yes

Prisma SD-WAN ION Device CLI Reference 152 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

DPD Delay : 30
DPD Timeout : 5

dump interface config 3


Interface : 3
Description: NAT Ports
ID : 15035385483610095
Type : port
Used For : public
Admin State : up
Alarms : enabled
NetworkContextID:
Scope : local
MTU : 1500
IP : static.
Address : [Link]/29
Route : [Link]/0 via [Link] metric 0
DNS Server : [Link]
NatAddress:
Port : [Link]:98765
NatZoneID : 15713885282360139
Wan ID : 15047410360100143 publicwan
CircuitLabel : AT&T_ATLANTA
PathLabel : AT&T_ATLANTA
BW : manual, up 20.000000 down 40.000000
QoS : disabled
LQM : enabled
PCM : enabled

dump interface status interface module


Use the dump interface status interface module command to display the EEPROM
information of a device interface.
Information displayed includes gigabit interface converter (GBIC) or small form-factor pluggable
(SFP) and extended identifier. Details such as type of connector, transceiver codes and types,
lengths supported for single-mode optical fiber (SMF), copper, and other optical fibers, along with
vendor details, are also displayed.

Command

dump interface status [ all | interface


interface name ] module

Options

all Enter all to display status for all interfaces.

interface Enter the interface name to display configuration for a


specific interface.

Prisma SD-WAN ION Device CLI Reference 153 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump interface status

Introduced in Release 5.1.3

Example

dump interface status 14 moduleIdentifier : 0x03


(SFP)Extended identifier : 0x04 (GBIC/SFP defined by 2-wire
interfaceID)Connector : 0x00 (unknown or unspecified)Transceiver
codes : 0x00 0x00 0x00 0x08 0x00 0x00 0x00 0x00Transceiver
type : Ethernet: 1000BASE-TEncoding : 0x01 (8B/10B)BR, Nominal :
1300MBdRate identifier : 0x00 (unspecified)Length (SMF,km) :
0kmLength (SMF) : 0mLength (50um) : 0mLength (62.5um) : 0mLength
(Copper) : 100mLength (OM3) : 0mLaser wavelength : 0nmVendor name :
AVAGOVendor OUI : [Link]Vendor PN : ABCU-5730RZVendor rev :Option
values : 0x00 0x10Option : TX_DISABLE implementedBR margin, max :
0%BR margin, min : 0%Vendor SN : AGC15315200QDate code : 150729

dump ipfix config collector-contexts


Use the dump ipfix config collector-contexts command to display collector contexts
configured for a device.

Command

dump ipfix config collector-contexts (all|collector-context=


collector context ID)

Options

all Enter all to display all the collector contexts


configured.

collector context ID Enter the collector context ID to display details


for a collector context.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.5.1

Prisma SD-WAN ION Device CLI Reference 154 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

dump ipfix config collector-contexts all


Ipfix Collector Context : 16097350669480033
: CC-1 Interface Name: 1

dump ipfix config derived-exporters


Use the dump ipfix config derived-exporters command to display IPFIX configuration
for a device.

Command

dump ipfix config derived-exporters

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.5.1

Example

dump ipfix config derived-exporters Ipfix Overrides :


16104290335980071 : testProfile ID : 16091932631500121
: testCollectors: Ipfix Collector : 1 Host : [Link]
Host Port : 4739 Protocol : tcp Src Interface :
16092007245570119 : cc Max Message Size : 8192 Ipfix
Collector : 2 Host : [Link] Host Port : 2055
Protocol : udp Src Interface : 16092007245570119 : cc
Max Message Size : 1372Export Cache Timeout : 60Filters :
*None*Ipfix Template : 16091810523420212 : test Flow Fields:
TIME_STAMPS DST_IPV4_ADDRESS DST_PORT SRC_IPV4_ADDRESS
SRC_PORT PROTOCOL CONNECTION_SRT CONNECTION_NTT
CONNECTION_RTT CONNECTION_INIT CONNECTION_BIFLOW_BYTES
CONNECTION_BIFLOW_PACKETS CONNECTION_UNIFLOW_PACKETS
CONNECTION_UNIFLOW_BYTES CONNECTION_UDPTRT CONNECTION_XACT
APPLICATION_HOST APP_DEF_ID DSCP_MAP INTERFACES
QOS_QUEUE TRANSPORT_TCP_WINDOWSIZE TROUBLESHOOT_DECISION_MAP
TROUBLESHOOT_TCP WAN_PATH MEDIA_CODEC MEDIA_JITTER
MEDIA_MOS MEDIA_LOSS RTP_TRANSPORT_TYPE Template
Export Timeout : 600 Option Export Timeout : 600 Options:

Prisma SD-WAN ION Device CLI Reference 155 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

WAN_PATH_ID_TABLE DEVICE_IDENTIFICATION APP_DEF_ID_TABLE


LINK_QUALITY_METRICSSampler: Algorithm : none

dump ipfix config filter-contexts


Use the dump ipfix config filter-contexts command to display filter contexts
configured for a device.

Command

dump ipfix config filter-contexts (context= filter context ID)

Options

context Enter the filter context ID to display details for a


filter context.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.5.1

Example

dump ipfix config filter-context context=16097351040390067


Ipfix Filter Context : 16097351040390067 : Filter-1 Interface
Name: 1

dump ipfix config ipfix-overrides


Use the dump ipfix config ipfix-overrides command to display the IPFIX configuration
overrides for a device.

Command

dump ipfix config ipfix-overrides

Options

None

Prisma SD-WAN ION Device CLI Reference 156 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.5.1

Example

dump ipfix config ipfix-overrides


Ipfix Overrides : 16093048942460231 : IPFIX - A on ION
Device
Profile ID : 16079372293010052 : IPFIX - A
Collectors : *None*
Export Cache Timeout : 60
Filters : *None*
Ipfix Template : 16079371396720162 : IPFIX Template - A
Flow Fields:
TIME_STAMPS
DST_IPV4_ADDRESS
DST_PORT
SRC_IPV4_ADDRESS
SRC_PORT
PROTOCOL
APP_DEF_ID
Template Export Timeout : 600
Option Export Timeout : 600
Options: *None*
Sampler : *None*

dump ipfix config prefix-filters


Use the dump ipfix config prefix-filters command to display the IPFIX prefix filters
configured for a device.

Command

dump ipfix config prefix-filters (prefix= prefix ID)

Options

prefix Enter the prefix filter ID to display details for a


prefix filter.

Command Notes

Role Super, Read Only, Monitor

Prisma SD-WAN ION Device CLI Reference 157 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Related Commands —

Introduced in Release 5.5.1

Example

dump ipfix config prefix-filters prefix=LOCALPR-1


Ipfix Prefixes : 16097351829610000 : LOCAL PR-1 IPv4 Prefixes:
[Link]/24

dump ipfix config profiles


Use the dump ipfix config profiles command to display the IPFIX profiles configured for
a device.

Command

dump ipfix config profiles

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.5.1

Example

dump ipfix config profilesIpfix Profile : 16079372293010052 :


IPFIX - ACollectors: Ipfix Collector : 1 Host
: [Link] Host Port : 1011 Protocol :
udp Src Interface : 16097350669480033 : CC-1 Max Message
Size : 1372Export Cache Timeout : 60Filters: Filter : 1 Src
Prefixes : 16097351829610000 : LOCAL PR-1 IPv4 Prefixes:
[Link]/24 Protocols: udp tcp Applications:
15240337075290145 : CA Google-131109 15186805633330011 :
Google Play Src Interface Contexts: 16097351040390067 :
Filter-1 16097370807850021 : FILTER CONTEXT OVERRIDEIpfix
Template : 16079371396720162 : IPFIX Template - A Flow Fields:
TIME_STAMPS DST_IPV4_ADDRESS DST_PORT SRC_IPV4_ADDRESS
SRC_PORT PROTOCOL APP_DEF_ID Template Export Timeout :
600 Option Export Timeout : 600 Options: *None*Sampler:
Algorithm : time_based Time Interval : 5 Time Spacing : 5

Prisma SD-WAN ION Device CLI Reference 158 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump ipfix config templates


Use the dump ipfix config templates command to display IPFIX templates configured for
a device.

Command

dump ipfix config templates (all|template= template ID)

Options

all Enter all to display all the IPFIX templates


configured.

template Enter a template ID to display a specific IPFIX


template.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.5.1

Example

dump ipfix config templates all


Ipfix Template : 16079371396720162
: IPFIX Template - A
Flow Fields: TIME_STAMPS DST_IPV4_ADDRESS DST_PORT
SRC_IPV4_ADDRESS SRC_PORT PROTOCOL APP_DEF_ID
Template Export Timeout : 600
Option Export Timeout : 600
Options: APP_DEF_ID_TABLE

dump lldp
Use the dump lldp command to display the link layer discovery protocol (LLDP) and cisco
discovery protocol (CDP) messages received on physical ports.
Messages replace with the new messages received on the same interface from the same source,
and they get deleted when their time to live expires. The command output displays the interface
the message was received on the protocol type and the decoded value list.
There are two entries for each interface for a bypass pair interface. These are bridge interfaces
such as a private WAN bypass pair for LAN 1 and WAN 1 connected to a switch, and the router
displays an LLDP entry for both the controller and router when viewing output for LAN1.

Prisma SD-WAN ION Device CLI Reference 159 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump lldp [ all | interface


interface name ]

Options

all Enter all to display status for all interfaces.

interface Enter the interface name to display configuration for a


specific interface.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.3

Example

dump lldp all


interface : controller
protocol : LLDP
chassis capabilities : wlan_ap
chassis mac : [Link]
chassis port_descr : enp3s0
chassis system_descr : Ubuntu 18.04 LTS Linux 4.15.0-20-generic
#21-Ubuntu SMP Tue Apr 24 [Link] UTC 2018 x86_64
chassis system_name : len
port auto_negotiation : yes
port link_aggregation : disabled
port mac : [Link]
port mode : 1000baseT/Full
port modes_advertised : 1000baseT/Full, 1000baseT/Half,FdxAPause,
FdxPause, 100baseTX/Full, 100baseTX/Half, 10baseT/Full, 10baseT/
Half, otherinterface : controller
protocol : CDP
chassis capabilities : host
chassis id : michael-bionic-vm
chassis ios_version : Ubuntu 18.04.1 LTS Linux 4.15.0-29-generic
#31-Ubuntu SMP Tue Jul 17 [Link] UTC 2018 x86_64
chassis name : michael-bionic-vm
chassis platform : Ubuntu 18.04.1 LTS Linux x86_64
port address : [Link]
port duplex : full
port id : ens33
port mtu : 1500

Prisma SD-WAN ION Device CLI Reference 160 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump lldp config


Use the dump lldp config command to view the LLDP configuration of a selected interface or
all the interfaces.

Command
dump lldp config <all> dump lldp config interface=9

Options

Interface ID Enter the interface ID to display LLDP


configuration for a specific interface.

All Enter all to display LLDP configuration for all


interfaces.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.0.2

Example

interface : dsa3
LLDP Config: Receive Only
Interface : dsa4
LLDP Config : Receive Only
Interface : dsa5
LLDP Config : Transmit and Receive
Interface : dsa6
LLDP Config : Transmit and Receive
Interface : dsa7
LLDP Config : Receive Only
Interface : dsa8
LLDP Config : Transmit and Receive
Interface : e380
LLDP Config : Receive Only
Interface : e382
LLDP Config : Receive Only
Interface : e500
LLDP Config : Receive Only
Interface : e501
LLDP Config : Receive Only

Prisma SD-WAN ION Device CLI Reference 161 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump lldp info


Use the dump lldp info command to view LLDP configuration of a selected interface or all
interfaces.

Command
dump lldp info interface <all>

Options

Interface ID

All

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.0.2

Example

dump lldp info all


interface :
protocol :
received : 0001-01-01 [Link].000 (2562047h47m16s ago)
ttl : 0
interface :
protocol :
received : 0001-01-01 [Link].000 (2562047h47m16s ago)
ttl : 0
interface :
protocol :
received : 0001-01-01 [Link].000 (2562047h47m16s ago)
ttl : 0
interface :
protocol :
received : 0001-01-01 [Link].000 (2562047h47m16s ago)
ttl : 0
interface :
protocol :
received : 0001-01-01 [Link].000 (2562047h47m16s ago)
ttl : 0
interface :
protocol :
received : 0001-01-01 [Link].000 (2562047h47m16s ago)
ttl : 0

Prisma SD-WAN ION Device CLI Reference 162 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump lldp stats


Use the dump lldp stats command to view the LLDP statistics of a selected interface or all
interfaces.

Command
dump lldp stats

Options

Interface ID Enter the interface ID to display LLDP statistics


for a specific interface.

All Enter all to display LLDP statistics for all


interfaces.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.0.2

Example

dump lldp stats all


Element ID : 1655801713584023628
Site ID : 1644212583502001628
Tenant ID : 100

dump lldp stats interface=vlan1


LLDP not supported on interface
Element ID : 1655801713584023628
Site ID : 1644212583502001628
Tenant ID : 100

dump lldp status


Use the dump lldp status command to view the LLDP status of a selected interface or all the
interfaces.

Command
dump lldp status interface <id>

Prisma SD-WAN ION Device CLI Reference 163 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.0.2

Example

Interface : dsa8
LLDP State : rx_only
LLDP Type : lldp

dump log-agent eal conn


Use the dump log-agent eal conn command to view the log-agent cloud server
connections.

Command
dump log-agent eal conn

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump log-agent eal conn


DPI Cloud server: [Link]-
[Link]
Cloud connection: connected

dump log-agent eal conn detail

Prisma SD-WAN ION Device CLI Reference 164 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

DPI Cloud server: [Link]-


[Link]
Cloud connection: connected
Summary of DPI gRPC client:
number of connection reset: 7
number of connection failed: 52
number of connection established: 4671
number of connection attempts: 4723
number of connection released: 4670
number of connection selected: 4706
number of selections failed: 115
number of bytes sent: 117607080
number of bytes received: 0
Last gRPC connection Attempt: 2023-04-13 [Link] +0000 UTC
Last successful gRPC connection: 2023-04-13 [Link] +0000 UTC

Summary of gRPC connections [configured source IP: [Link]]:


Device cert status: Installed
Validity:
Notbefore: 2023-03-21 [Link] +0000 UTC
Notafter: 2023-06-19 [Link] +0000 UTC

max gRPC connections: 1, max alive time: 0, max bytes sent: 0,


ongoing: 0
[0]gRPC conn[[Link]:57897 -> [Link]:443], state true,
selected 0, backup false,0, device cert
send: wire 13828, app 13748, num 16; receive: wire 0, app 0, num 0

Current Time: 2023-04-13 [Link].481278374 +0000 UTC m=


+1129604.186989851

dump log-agent eal response-time


Use the dump log-agent eal response-time command to view the log-agent cloud server
response time.

Command
dump log-agent eal response-time

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Prisma SD-WAN ION Device CLI Reference 165 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

dump log-agent eal response-time

Time distribution of CDL response:


<50ms: 0; <100ms: 0; <150ms: 0; <200ms: 0; <250ms: 0;
<300ms: 0; <350ms: 0; <400ms: 1; <450ms: 1; <500ms: 1;
<550ms: 1; <600ms: 1; <650ms: 1; <700ms: 1; <750ms: 1;
<800ms: 1; <850ms: 1; <900ms: 1; <950ms: 1; <1000ms: 1;
<1200ms: 1; <1400ms: 1; <1600ms: 1; <1800ms: 1; <2000ms: 1;
>=2000ms: 0

Current Time: 2023-01-19 [Link].170214621 +0000 UTC m=


+349.584693745

dump log-agent eal stats


Use the dump log-agent eal stats command to view the log-agent cloud server statistics.

Command
dump log-agent eal stats

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump log-agent eal stats

Summary of DPI client:


Customer ID: 1640275471
Software Version: 6.2.1-a161
Serial Number: b9593e42-
ec49-7fe6-9096-94992261f96b
number of sdwan dpi logs: 64314

Summary of DPI parser 0


number of sdwan logs enqueued: 64314
number of sdwan logs dropped: 0
number of sdwan logs in queue: 0
number of eal logs generated: 64314

Prisma SD-WAN ION Device CLI Reference 166 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Summary of EAL log deliver 0


number of eal logs consumed(total): 64314
number of eal logs(ack) consumed: 64314
number of eal logs dropped: 0
number of eal logs in ack queue: 0 [0 bytes]
number of eal logs in non-ack queue:0 [0 bytes]
number of ingestion req sent(total):134540
number of ingestion req sent failed:149639
average ingestion req sending time: 0.00ms [max: 18ms]
average eal life time on ION: 13111.56ms [max: 257068ms]
average e2e time(ack, ion<->cdl): 0.00ms [max: 0ms]
number of must-have req sent: 284179
number of must-have req re-sent: 248656
number of response received: 0
number of eal logs acked: 0
number of eal logs nacked: 0
number of eal logs(ack) errored:
unauthenticated: 1128376
other: 195
number of non-ack logs reach cdl: 0
number of must-have req expired: 35519
number of must-have req no timer: 0
number of ack stream re-connected: 1128628
number of non-ack stream re-conn: 18577
Ack stream running state: S
Non-ack stream running state: S
grpc connection(ack) to cloud: true
grpc connection(non-ack) to cloud: true
eal drop rate in last 5 seconds: 0.00%
sending rate of eal log(total): 0 per second
sending rate of Ingestion req: 0 per second
sending rate of req with ack: 0 per second
ingestion response rate: 0 per second
number of outgoing req with timeout 16 seconds[retry: 3]: 1
number of outgoing req with timeout 32 seconds[retry: 4]: 3
total un-acked ingestion requests: 4

Current Time: 2023-04-13 [Link].493888451 +0000 UTC m=


+1129608.199599930

dump log-agent config


Use the dump log-agent config command to view the log-agent service configurations.

Command
dump log-agent config

Options

None

Prisma SD-WAN ION Device CLI Reference 167 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump log-agent config


Enabled: false
Cloud URL: [Link]-
[Link]

dump log-agent iot snmp config


Use the dump log-agent iot snmp config command to view the SNMP discovery-related
configuration on the device.

Command
dump log-agent iot-snmp config

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.3.1

Example

dump log-agent iot-snmp config

Enabled : true
Local Discovery : false
Version : v2
Network Refresh Frequency : 1min
Device Refresh Frequency : 2min
Community String : test
Username : RO_USER
Security Level : private
Auth Protocol : sha

Prisma SD-WAN ION Device CLI Reference 168 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Auth Password : Configured


Privacy Protocol : aes
Privacy Password : Configured
SourceInterface : None

Start Nodes:
Name : site1
ID : 1679046639066111111
IPv4 Address : [Link]
Site ID : 1679046639067111111
Site : SiteName1
Scope:
[Link]/24 [Link]/24

Name : site1
ID : 1679046639066111112
IPv4 Address : [Link]
Site ID : 1679046639067111111
Site : SiteName1
Scope:
[Link]/24 [Link]/24

dump log-agent iot snmp device discovery stats


Use the dump log-agent iot snmp device discovery stats command to view various
statistics for IoT discovered devices such as status of discovery, number of endpoints, interfaces,
subnets, VLANs, and so on.

Command
dump log-agent iot-snmp device-discovery-stats

Options

all Enter all to display device discovery statistics for all the nodes.

node-ip Enter a node-ip to display device discovery statistics for the


node.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.3.1

Example

dump log-agent iot-snmp device-discovery-stats all


Node IP: [Link]

Prisma SD-WAN ION Device CLI Reference 169 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Start Datetime: [Link] June 21, 2023


End Datetime: [Link] June 21, 2023
Status: Finished
Queries: 76
Responses: 76
Timeouts: 0
Errors: 0
Last Activity: [Link] June 21, 2023
Endpoints Discovered: 3
Subnets Discovered: 0
Interfaces Discovered: 4
VLANs Discovered: 0

Node IP: [Link]


Start Datetime: [Link] June 21, 2023
End Datetime: [Link] June 21, 2023
Status: Failed. Connection test failed.
Queries: 0
Responses: 0
Timeouts: 0
Errors: 0
Last Activity:
Endpoints Discovered: 0
Subnets Discovered: 0
Interfaces Discovered: 0
VLANs Discovered: 0

Node IP: [Link]


Start Datetime: [Link] June 21, 2023
End Datetime: [Link] June 21, 2023
Status: Finished
Queries: 101
Responses: 100
Timeouts: 1
Errors: 0
Last Activity: [Link] June 21, 2023
Endpoints Discovered: 9
Subnets Discovered: 1
Interfaces Discovered: 7
VLANs Discovered: 5

Node IP: [Link]


Start Datetime: [Link] June 21, 2023
End Datetime: [Link] June 21, 2023
Status: Finished
Queries: 156
Responses: 156
Timeouts: 0
Errors: 0
Last Activity: [Link] June 21, 2023
Endpoints Discovered: 7
Subnets Discovered: 0
Interfaces Discovered: 8
VLANs Discovered: 0

Prisma SD-WAN ION Device CLI Reference 170 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump log-agent ip mac bindings


Use the dump log-agent ip-mac-bindings command to view the list of discovered IP and
MAC addresses to be sent to Strata Logging Service.

Command
dump log-agent ip-mac-bindings

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands debug log-agent eal-file-log enable

Introduced in Release 6.3.1

To view the log agent IP address to MAC bindings, you must use the debug log-agent
eal-file-log enable command before using the dump log-agent ip-mac-
bindings command.

Example

dump log-agent ip-mac-bindings


IP Address MAC Address Source Timestamp
[Link] [Link] snmp 2023-07-20 [Link]
[Link] [Link] snmp 2023-07-20 [Link]
[Link] [Link] arp 2023-07-20 [Link]
[Link] [Link] dhcp 2023-07-20 [Link]

dump log-agent neighbor discovery stats


Use the dump log-agent iot-snmp neighbor-discovery-stats command to view
various statistics related to neighbor discovery such as status of discovery, number of nodes
discovered, and so on.

Command
dump log-agent iot-snmp neighbor-discovery-stats

Options

all Enter all to display neighbor discovery statistics for all the nodes.

Prisma SD-WAN ION Device CLI Reference 171 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

node-ip Enter a node-ip to display neighbor discovery statistics for the


node.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.3.1

Example

dump log-agent iot-snmp neighbor-discovery-stats all


Node IP: [Link]
Start Datetime: [Link] June 21, 2023
End Datetime: [Link] June 21, 2023
Status: Finished
Queries: 31
Responses: 31
Timeouts: 0
Errors: 0
Last Activity: [Link] June 21, 2023
Nodes Discovered: 0
Topology Depth: 1
Node List:

Node IP: [Link]


Start Datetime: [Link] June 21, 2023
End Datetime: [Link] June 21, 2023
Status: Finished
Queries: 86
Responses: 86
Timeouts: 0
Errors: 0
Last Activity: [Link] June 21, 2023
Nodes Discovered: 1
Topology Depth: 2
Node List: [Link]

Node IP: [Link]


Start Datetime: [Link] June 21, 2023
End Datetime: [Link] June 21, 2023
Status: Finished
Queries: 36
Responses: 36
Timeouts: 0
Errors: 0
Last Activity: [Link] June 21, 2023
Nodes Discovered: 0
Topology Depth: 1
Node List:
Node IP: [Link]

Prisma SD-WAN ION Device CLI Reference 172 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Start Datetime: [Link] June 21, 2023


End Datetime: [Link] June 21, 2023
Status: Failed. Connection test failed.
Queries: 0
Responses: 0
Timeouts: 0
Errors: 0
Last Activity:
Nodes Discovered: 0
Topology Depth: 0
Node List:

dump log-agent status


Use the dump log-agent status command to view the log-agent service status.

Command
dump log-agent status

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump log-agent status


log-agent service status: exit status 4. ----> This is exit code
supervisorctl status
Status: Not Running

dump log-agent status


Status: Running

dump ml7 mctd counters


Use the dump ml7-mctd counters command to display the global counters for App IDs.

Prisma SD-WAN ION Device CLI Reference 173 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump ml7-mctd counters

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands

Introduced in Release 6.4.1

Example

dump ml7-mctd counters

Global counters:
Elapsed time since last sampling: 51.081 seconds
name value rate severity
category aspect description
-------------------------------------------------------------------------------
appid_proc 111 0 info
appid pktproc The number of packets processed by Application
identification
appid_unknown_udp 111 0 info appid
pktproc The number of unknown UDP applications after app engine
dfa_sw 2011 0 info dfa
pktproc The total number of dfa match using software
ctd_appid_reassign 101 0 info ctd
pktproc appid was changed
ctd_process 111 0 info ctd
pktproc session processed by ctd
ctd_pkt_slowpath 2011 0 info ctd
pktproc Packets processed by slowpath
aho_request 1 0 info aho
resource The AHO outstanding requests
aho_sw 2011 0 info aho
pktproc The total usage of software for AHO
-------------------------------------------------------------------------------
Total counters shown: 8

dump ml7 mctd session


Use the dump ml7-mctd session command to display the session status for App IDs.

Prisma SD-WAN ION Device CLI Reference 174 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump ml7-mctd session id=<L7-session-ID>

The L7 session ID associated with a flow can be found in the output of the "inspect flow
detail" command.

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands

Introduced in Release 6.4.1

Example

dump ml7-mctd session id= 1


Session 1 (Local 1), Session App: 2659 (ms-ds-smbv1)

CTD (Session)
Packet Sequence: 9
Number of Queued Packets: 0

CTD Flow
Index: 4
Decoder: 698 (smb)

dump ml7 mctd version


Use the dump ml7-mctd version command to display the library and content version of the
App IDs.

Command

dump ml7-mctd version

Options

None

Prisma SD-WAN ION Device CLI Reference 175 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands

Introduced in Release 6.4.1

Example

dump ml7-mctd version


mctd version: main-da505a85cee, tag PAN_MCTD_TAG, code 184680448
Engine Version : [Link]
Threat Version : 0-0
APP Version : 8770-8363
Virus Version : 0-0
Wildfire Version : 0
WPC Version : 0

dump nat counters


Use the dump nat counters command to display the NAT configuration on the device via IP
tables.
Information displayed includes details of packets sent and received along with the source and
destination addresses.

Command

dump nat counters ( all | policysetstacks= NAT Policy Stack Name |


policysets= NAT Policy Set Name | policyrules= NAT Policy Rule Name)

Options

all Enter all to display configuration for all policy set stacks,
sets and rules.

policysetstacks Enter the policy set stack name to display configuration


for a specific policy set stack.

policysets Enter the policy set name to display configuration for a


specific policy set.

policyrules Enter the policy rule name to display configuration for a


specific policy rule.

Prisma SD-WAN ION Device CLI Reference 176 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump nat summary

Introduced in Release 5.2.1

Example

dump nat counters all


RULE: wantolanset3 ENABLED: true
POLICYSET: ryanzNatPolicySet

-------------------------------------------------------------------------------
pkts bytes target prot opt in
out source destination
0 8 SNAT all -- *
eth5 [Link]/0 [Link]/0 to [Link]-[Link]

-------------------------------------------------------------------------------

dump nat6 counters


Use the dump nat6 counters command to display the NAT configuration on the device via
IPv6 tables.
Information displayed includes details of packets sent and received along with the source and
destination addresses.

Command

dump nat6 counters ( all | policysetstacks= NAT Policy Stack Name |


policysets= NAT Policy Set Name | policyrules= NAT Policy Rule Name)

Options

all Enter all to display configuration for all policy set stacks,
sets and rules.

policysetstacks Enter the policy set stack name to display configuration


for a specific policy set stack.

policysets Enter the policy set name to display configuration for a


specific policy set.

Prisma SD-WAN ION Device CLI Reference 177 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

policyrules Enter the policy rule name to display configuration for a


specific policy rule.

Command Notes

Role Super, Read Only, Monitor

Related Commands

Introduced in Release 6.4.2

Example

dump nat6 counters

POLICY SET STACK: NA


POLICY SETS: NA
RULE: NA
ENABLED: true
POLICYSET: NA

-----------------------------------------------------

pkts bytes target prot opt in out source destination


1255 108K MASQUERADE all * eth2 ::/0 ::/0
0 0 MASQUERADE all * eth4 ::/0 ::/0

------------------------------------------------------

dump nat summary


Use the dump nat summary command to display the NAT configuration. Information displayed
includes details of NAT Policy Set Stacks, NAT Policy Sets, and NAT Policy rules configured for a
site.

Command

dump nat summary ( all | policysetstacks=


NAT Policy Stack Name | policysets=
NAT Policy Set Name | policyrules=
NAT Policy Rule Name)

Options

all Enter all to display configuration for all policy set


stacks, sets and rules.

Prisma SD-WAN ION Device CLI Reference 178 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

policysetstacks Enter the policy set stack name to display


configuration for a specific policy set stack.

policysets Enter the policy set name to display configuration for


a specific policy set.

policyrules Enter the policy rule name to display configuration


for a specific policy rule.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.2.1

Example

dump nat summary


POLICY SET STACK: Default-NATPolicySetStack
POLICY SETS: est
RULE: asasd
ENABLED: true
POLICYSET: est

-------------------------------------------------------------------------------
Zone Dev SourcePrefix DestinationPrefix Sport Dport
ProtocolNatAction NatPool NatPort Alg Destination
eth7 (veth-e7-p)[Link]/24 any any any any STATIC-SNAT
[Link]-10.33.52.50any N/A Destination
eth8() [Link]/24 any any any any STATICSNATany N/A

-------------------------------------------------------------------------------

dump network-policy config policy-rules


Use the dump network-policy config policy-rules command to display the path policy
rule configuration for a device.
Information displayed includes the application name, policy rule, policy set, order number,
network context, prefixes, service groups, and paths.

Command

dump network-policy config policy-rules ( all | application=


application name or ID| app-wildcard | [enabled=true |
enabled=false] | network-context=networkcontext ID | path-type=

Prisma SD-WAN ION Device CLI Reference 179 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[path-type=direct | path-type=vpn] | path-label= path label or ID|


policy-rule=
policy-rule name | | policy-set=
policy-set name | prefix=
name of the prefix | service-context= Group ID)

Options

all Enter all to display configuration of all path policy


rules on the device.

application Enter an application name or ID to display policy


rules for the application.

app-wildcard Choose this option to display policy rules which are


not configured for any application.

enabled Choose true or false to display policy rules which are


either enabled or disabled.

network-context Enter a network context ID to display policy rules for


the network context.

path-type Enter a path type to display information for the path.


Path type is either direct or VPN.

path-label Enter a path label or path ID to display policy rules


for the path.

policy-rule Enter a policy rule name or ID to display information


for the policy rule.

policy-set Enter a policy set name or ID to display policy rules


in the policy set.

prefix Enter a prefix name or ID to display policy rules for


the prefix.

service-context Enter a service group ID to display policy rules for


the service group.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump network-policy config


policy-sets

Prisma SD-WAN ION Device CLI Reference 180 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 5.0.1

Example

dump network-policy config policy-rules application=Adobeconnect


Network Policy Rule : 15311157630600173 : C-1
Policy Set : 15282771307010195 : Policy Set-1
Applications:15186805682900053 : adobeconnect
Source Prefix : 15272331126400047 : EnterpriseGlobalPrefix
Destination Prefix : 15311156874260255 :
Network Context ID : none
Order Number : 1024
Enabled : true
Active Paths:
Path Label : public-*Path Type : direct
Backup Paths: none
Service Contexts: none
Network Policy Rule : 15311158615700214 : C-2
Policy Set : 15282771307010195 : Policy Set-1
Applications:15186805682900053 : adobeconnect
Source Prefix : 15272331126400047 : EnterpriseGlobalPrefix
Destination Prefix : 15311158461310162 :
Network Context ID : none
Order Number : 1024
Enabled : true
Active Paths:
Path Label : public-*Path Type : direct
Backup Paths: none
Service Contexts: none

dump network-policy config policy-rules all


Network Policy Rule : 1665722128500017628 : enterprise-default
Policy Set : 1665722128442016828 : Default Path Simple
Stack Default Rule Policy Set (Simple)
Applications : WILDCARD
Source Prefix : none
Users : any
UserGroups : any
Destination Prefix : 1665722013410012528 : EnterpriseGlobalPrefix
Network Context ID : none
Order Number : 1024
Enabled : true
Active Paths:
Path Label : public-*
Path Type : vpn
Path Label : private-*
Path Type : vpn
Backup Paths:
Path Label : private-*
Path Type : direct
L3 Failure Paths: none
Service Contexts: none

Prisma SD-WAN ION Device CLI Reference 181 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Network Policy Rule : 1674657402598017628 : Test Specific User


Policy Set : 1666172238228021828 : User ID Test
Applications : WILDCARD
Source Prefix : none
Users : none
UserGroups:
1675699201696006228 :
CN=engineering,DC=sdwanamsteltest,DC=onmicrosoft,DC=com
1675699201696005528 :
CN=devops,DC=sdwanamsteltest,DC=onmicrosoft,DC=com
Destination Prefix : none
Network Context ID : none
Order Number : 1024
Enabled : true
Active Paths:
Path Label : public-*
Path Type : direct
Path Label : private-*
Path Type : direct
Path Label : public-*
Path Type : vpn
Path Label : private-*
Path Type : vpn
Backup Paths: none
L3 Failure Paths: none
Service Contexts: none

Network Policy Rule : 1675854982005007228 : test2


Policy Set : 1666172238228021828 : User ID Test
Applications : WILDCARD
Source Prefix : none
Users : any
UserGroups : any
Destination Prefix : none
Network Context ID : none
Order Number : 1024
Enabled : true
Active Paths:
Path Label : public-*
Path Type : direct
Backup Paths: none
L3 Failure Paths: none
Service Contexts: none

Network Policy Rule : 1665722128450017028 : default


Policy Set : 1665722128442016828 : Default Path Simple
Stack Default Rule Policy Set (Simple)
Applications : WILDCARD
Source Prefix : none
Users : any
UserGroups : any
Destination Prefix : none
Network Context ID : none
Order Number : 1024
Enabled : true
Active Paths:

Prisma SD-WAN ION Device CLI Reference 182 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Path Label : public-*


Path Type : direct
Path Label : public-*
Path Type : vpn
Path Label : private-*
Path Type : direct
Path Label : private-*
Path Type : vpn
Backup Paths: none
L3 Failure Paths: none
Service Contexts: none

dump network-policy config policy-sets


Use the dump network-policy config policy-sets command to display the current
details of a device interface.
Information displayed includes the name of the policy set and the policy set ID.

Command

dump network-policy config policy-sets all

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump network-policy config policy-sets all


Network Policy Set : 15306005116850233 : DFR-1
Network Policy Set : 15282771307010195 : Policy Set-1

dump network-policy config policy-stacks


Use the dump network-policy config policy-stacks command to display the
configuration of path policy sets within a stack for a device.
Information displayed includes the policy stack ID, policy set names, and IDs.

Prisma SD-WAN ION Device CLI Reference 183 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump network-policy config policy-stacks all

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump network-policy config policy-stacks all


Network Policy Stack : 15318111735590013 : 1531811173519
Policy Sets:15282771307010195 : Policy Set-1
Default Policy Set : 15306005116850233 : DFR-1

dump network-policy config prefix-filters


Use the dump network-policy config prefix-filters command to display the path
policy prefix filter configuration.

Command

dump network-policy config prefix-filters ( all | prefix=prefix name


or ID )

Options

all Enter all to display configuration of all prefix filters


on the device.

prefix Enter a prefix name or ID to display configuration for


the prefix.

Prisma SD-WAN ION Device CLI Reference 184 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump network-policy config


policy-rules

Introduced in Release 5.0.1

Example

dump network-policy config prefix-filter prefix=EGP


Network Policy Prefix : 15272331126400047 : EGP
IPv4 Prefixes:
[Link]/8
[Link]/12
[Link]/16

dump network-policy config prefix-filters all


Network Policy Prefix : 1668762655896023828 : banglore-client-1
IPv4 Prefixes: none
IPv6 Prefixes:
[Link]/64

Network Policy Prefix : 1663592970514016728 :


EnterpriseGlobalPrefix
IPv4 Prefixes:
[Link]/8
[Link]/12
[Link]/18
IPv6 Prefixes:
fc00::/7

Network Policy Prefix : 1663694455784022328 : india-hub-01


IPv4 Prefixes:
[Link]/24
IPv6 Prefixes:
2105::/64
2103::/64
2104::/64

dump overview
Use the dump overview command to display the basic information about the device.
Information displayed includes the software version, hardware details such as model number and
hardware ID, controller connection status, controller address, and the validity of the manufacturer
install certificate (MIC), Claim certificates, the number of operational interfaces, and the address
of the controller port.

Prisma SD-WAN ION Device CLI Reference 185 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump overview

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.5.1

Example

dump overview
Software : 6.0.1-a193
Hardware Model : ion 7000
Uptime : 6h27m45.03s
Device ID : 70-001912-7727
Registration State : Assigned
Registration Name : ION7k_7727
Description :
Element ID : 1647252509029019628
Site ID : 1648006920635001428
Site Name : HW_HUB
Role : HUB
Tenant ID : 100
Site State : active
HA State : active
Element State : active
Simple State : active
Controller : Up [CIC]
Controller : [Link] [[Link]]
MIC Certificate : valid until 2032-03-11 [Link] +0000 UTC
Claim Certificate : valid until 2032-03-11 [Link] +0000 UTC
Force VPN to VPN Traffic To Local Next Hop : false

operational interfaces
4 : addr [Link]/24 gw [Link]
: IPv6 addr [Link]/64 gw [Link]
3 : addr [Link]/24 gw [Link]
: IPv6 addr [Link]/64 gw [Link]
controller 2 : addr [Link]/24 gw [Link]
controller 1 : addr [Link]/22 gw [Link]

dump overview

Prisma SD-WAN ION Device CLI Reference 186 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Software : 6.1.1-a137
Hardware Model : ion 1200-s-c-na
Hardware Version : TBD by OEM
Time Now : 2022-10-28 [Link]
Uptime : 5m20.98s
Last Reboot Reason : upgrade to 6.1.1-a137
Device ID : 028301000002
Registration State : Assigned
Registration Name : BR5-Wasp4G-NA-M-HOME
Description :
Element ID : 1643856728382012628
Site ID : 16278958258770112
Site Name : BR5-Evergreen
Role : SPOKE
Tenant ID : 100
Site Mode : in-path
Site State : active
HA State : active
Element State : active
Simple State : active
Controller Connection : Down
Stats Connection : Down
Flows Connection : Down
MIC Certificate : valid until 2032-02-01 [Link] +0000 UTC
Claim Certificate : valid until 2032-02-01 [Link] +0000 UTC
L3 Direct Private WAN forwarding: true
L3 LAN forwarding : true

operational interfaces
2 : addr [Link]/24 gw [Link]
cellular1 : addr [Link]/32 gw [Link]
: IPv6 addr [Link]/64

dump overview
Software : 6.2.1-a141
Hardware Model : ion 5200
Hardware Version : 0.3
Time Now : 2023-03-20 [Link]
Uptime : 1h12m24.09s
Last Reboot Reason : unknown
Device ID : 029601-000028-2129
Registration State : Assigned
Registration Name : ION5200-2129
Description :
Element ID : 1676639704807015828
Site ID : 1676650802905002628
Site Name : BR5200-2129
Role : SPOKE
Tenant ID : 100
Site Mode : in-path
Site State : active
HA State : active
Element State : active
Simple State : active
Controller Connection : Up [CIC]

Prisma SD-WAN ION Device CLI Reference 187 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Controller : [Link]
[[Link]]
Stats Connection : Up [sdwan-stats-local-
[Link]] [[Link]]
Flows Connection : Up [sdwan-stats-local-
[Link]] [[Link]]
MIC Certificate : valid until 2033-02-14 [Link]
+0000 UTC
Claim Certificate : valid until 2033-02-14 [Link]
+0000 UTC
L3 Direct Private WAN forwarding: true
L3 LAN forwarding : true

operational interfaces
5 : addr [Link]/22 gw [Link]
9 : addr [Link]/24
: IPv6 addr 3001::1/64
1 : addr [Link]/22 gw [Link]
10 : no address
18 : no address
3 : addr [Link]/22 gw [Link]
17 : no address

dump overview
Software : 6.4.1-8
Hardware Model : ion 3000v
Time Now : 2024-02-16 [Link]
Uptime : 43h53m9.49s
Last Reboot Reason : upgrade to 6.4.1-8
Device ID : d5163e42-0c86-e5b0-9efd-8f3b4a8c38c8
Registration State : Assigned
Registration Name : Red NP
Description :
Element ID : 1678087629642023428
Site ID : 1678249583893007828
Site Name : Red NP12
Role : SPOKE
Tenant ID : 100
Site Mode : in-path
Site State : active
Spoke HA : not configured
Element State : active
Simple State : active
Controller Connection : Up [CIC]
Controller : [Link] [[Link]]
Stats Connection : Up [[Link]]
[[Link]]
Flows Connection : Up [[Link]]
[[Link]]
MIC Certificate : valid until 2033-01-30 [Link] +0000 UTC
Claim Certificate : valid until 2033-07-01 [Link] +0000 UTC
L3 Direct Private WAN forwarding: true
L3 LAN forwarding : true
Branch Gateway : Enabled

Prisma SD-WAN ION Device CLI Reference 188 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump performance-policy config policy-rules


Use the dump performance-policy config policy-rules command to display a
device's path policy rule configuration. The information displayed includes the policy rule, policy
set, app filter used (bulk, rtt, transactional), path filters, threshold profile, action information, and
policy rule type.

Command

dump performance-policy config policy-rules ( policy-rule = ruleID or


ruleName | application= appID or appName | path-type= <direct | vpn
| servicelink | all>
| path-label=pathLabel | service-label=serviceLabelID | action-
type= <raise_atarm | move_flows_forced | fec | visibility> | app-
transfer-type = < rt-video | rt-audio | transactional | bulk > )

Options

policy-rule Enter a policy rule name or ID to display


information for the policy rule.
ruleID/ruleName: Enter the performance
policy rule ID or name.

application Enter an application name or ID to display


policy rules for the application.
appID: Enter an application ID to display
policy rules for the application.
appName: Enter an application name to
display policy rules for the application.

path-type Enter a path type or all to display information


for the path. Path type can be Direct, Prisma
SD-WAN VPN, or Standard VPN.

path-label Enter a path label or path ID to display policy


rules for the path.

service-label Enter a service label to display policy rules.

app-transfer-type Enter the Application transfer type for the


rule. Transfer type can be Bulk, Audio, Video,
or [Link] 6.4.1

action-type Select the actions associated with the


rule type. Actions selected can be raise
alarms, move flows, fec, visibility, and packet
duplication.

Prisma SD-WAN ION Device CLI Reference 189 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands NA

Introduced in Release 6.3.1

Example

dump performance-policy config policy-rules policy-rule=PERFTEST


Performance Policy Rule : PERFTEST (1713509684750011637)
Performance Policy Set : TestPolicySet (1711686637498019637)
App Filters :
App Transfer Types :
TransferType : bulk
TransferType : rt-audio
TransferType : rt-video
TransferType : transactional
Applications :
Path Filters :
Service Labels :
Service Label ID : 1708593979446002837
Threshold Profile : Test-909 (1713526460183025437)
Actions :
Action Type : raise_alarm
Lqm Perf :
Bad Health Thresholds :
Monitoring Approach : moderate
Clear Below : 50
Raise Above : 70
App Perf :
Bad Health Thresholds :
Monitoring Approach : moderate
Clear Below : 50
Raise Above : 70
Action Type : move_flows
Enabled : true
Policy Rule Type : app_circuit_health

dump performance-policy config policy-rules app-transfer-type=rt-


video
Performance Policy Rule : Default-PerfMgmtRule-Media-Apps
(1690882969059023937)
Performance Policy Set : Default-PerfMgmtPolicySet
(1690882969054023637)
App Filters :
App Transfer Types :
TransferType : rt-audio
TransferType : rt-video
Applications :
Path Filters :
Service Labels :

Prisma SD-WAN ION Device CLI Reference 190 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Threshold Profile : Default-PerfMgmtThresholdProfile-Media-Apps


(1690882969051023537)
Actions :
Action Type : move_flows
Action Type : visibility
Enabled : true

dump performance-policy config policy-rules action-type=move_flows


Performance Policy Rule : Default-PerfMgmtRule-Media-Apps
(1690882969059023937)
Performance Policy Set : Default-PerfMgmtPolicySet
(1690882969054023637)
App Filters :
App Transfer Types :
TransferType : rt-audio
TransferType : rt-video
Applications :
Path Filters :
Service Labels :
Threshold Profile : Default-PerfMgmtThresholdProfile-Media-Apps
(1690882969051023537)
Actions :
Action Type : move_flows
Action Type : visibility
Enabled : true

Performance Policy Rule : Default-PerfMgmtRule-All-Apps


(1690882969057023837)
Performance Policy Set : Default-PerfMgmtPolicySet
(1690882969054023637)
App Filters :
App Transfer Types :
TransferType : transactional
TransferType : bulk
Applications :
Path Filters :
Service Labels :
Threshold Profile : Default-PerfMgmtThresholdProfile-All-Apps
(1690882969049023437)
Actions :
Action Type : move_flows
Action Type : visibility
Enabled : true

dump performance-policy config policy-rules action-type=fec


Performance Policy Rule : PolicyRuleFecCustAP (1696459885696021517)
Performance Policy Set : PolicyOct4 (1696458119162019217)
App Filters :
App Transfer Types :
Applications :
1696037546669005617 : serverclient-131078
Path Filters :
Path Type : vpn
Path Label : private-*
Service Labels :

Prisma SD-WAN ION Device CLI Reference 191 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Threshold Profile : fectp (1696458336096003517)


Actions :
Action Type : fec
Enabled : true

dump performance-policy config policy-sets


Use the dump performance-policy config policy-sets command to display the
current details of a device interface.
Information displayed includes the name of the policy set and the policy set ID.

Command

dump performance-policy config policy-sets <all | policy-set>

Options

name Enter the name of the policy set.

Command Notes

Role Super, Read Only, Monitor

Related Commands NA

Introduced in Release 6.3.1

Example

dump performance-policy config policy-sets all


Performance Policy Set : FirstPolicy (1690738857525016028)
Link Health Policy rule Order : 1696588934366004628 :
Rule_1

Performance Policy Set : Default-PerfMgmtPolicySet


(1690621745198024028)
Link Health Policy rule Order : 1690621746053024428 :
Default-PerfMgmtRule-Visibility
1690621746045024328 : Default-PerfMgmtRule-Media-Apps
1690621745787024228 : Default-PerfMgmtRule-All-Apps

dump performance-policy config policy-sets policy-


set=1690621745198024028
Performance Policy Set : Default-PerfMgmtPolicySet
(1690621745198024028)
Link Health Policy rule Order : 1690621746053024428 :
Default-PerfMgmtRule-Visibility
1690621746045024328 : Default-PerfMgmtRule-Media-Apps

Prisma SD-WAN ION Device CLI Reference 192 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

1690621745787024228 : Default-PerfMgmtRule-All-Apps

dump performance-policy config policy-set-stacks


Use the dump performance-policy config policy-stacks command to display the
configuration of performance policy sets within a stack for a device.
Information displayed includes the policy stack ID, policy set names, and IDs.

Command

dump performance-policy config policy-set-stack all

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands NA

Introduced in Release 6.3.1

Example

dump performance-policy config policy-set-stack all


Performance Policy Stack: 1690621746201024628 : Default-
PerfMgmtPolicySetStack
Default Rule Policy Set : 1690621745198024028 : Default-
PerfMgmtPolicySet
Policy Sets : 1690738857525016028 : FirstPolicy

dump performance-policy config threshold-profile


Use the dump performance-policy config threshold-profile command to display
the performance policy thresholds for a device.
Information displayed includes the LQM and application metrics for the performance rule.

Command

dump performance-policy config threshold-profile <all |


profile=profileID or profileName>

Prisma SD-WAN ION Device CLI Reference 193 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

all Enter all to display the threshold configuration


of the path policy rule on the device. This
includes circuit utilization metrics thresholds,
flow metrics thresholds, and system health
metrics thresholds. Release 6.4.1

profile Enter the policy profile details.


profileID: Enter the profile ID to display
information on the profile’s threshold
configurations.
profileName: Enter the profile name to
display information on the profile’s threshold
configurations.

Command Notes

Role Super, Read Only, Monitor

Related Commands NA

Introduced in Release 6.3.1

Example

dump performance-policy config threshold-profile profile=Default-


PerfMgmtThresholdProfile-Media-Apps
Performance Policy Threshold Profile : Default-
PerfMgmtThresholdProfile-Media-Apps (1690882969051023537)
Lqm Thresholds :
MaxJitter : 40
MaxLatency : 150
MaxPacketLoss : 2

dump performance-policy config threshold-profile profile=ADemoCPU


Performance Policy Threshold Profile : ADemoCPU
(1713446549346005937)
Circuit Utilization Metrics Thresholds :
Percentage Circuit Utilization : 1
Flow Metrics Thresholds :
Percentage Flow Utilization : 1
System Health Metrics Thresholds :
Cpu Utilization : 1
Memory Utilization : 1
Disk Utilization : 1

Prisma SD-WAN ION Device CLI Reference 194 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump poe system config


Use the dump poe system config command to display the configuration of the PoE ports.

Command
dump poe system config

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.0.2

Example

Main Power Threshold(Percent): 100

dump poe system status


Use the dump poe system status command to view the PoE port status.

Command

dump poe system status

Options
None.

Example

Main PSE State : upMain Power


Usage (Watts) : 0.000Main Power
Threshold(Percent) : 100Main Max Power
Supported : 90PSE Operating
temperature (Celsius) : 36.07

dump priority-policy config policy-rules


Use the dump priority-policy config policy-rules command to display the QoS
policy rule configuration for a device.

Prisma SD-WAN ION Device CLI Reference 195 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Information displayed includes the application name, policy rule, policy set, order number,
network context, prefixes, priorities and DSCP values.

Command

dump priority-policy config policy-rules ( all |


application=application name or ID| app-wildcard | dscp value= DSCP
value | [enabled=true | enabled=false] | network-context=network-
context ID | policy-rule= policy-rule name | policyset= policy-set
name | prefix= name of the prefix | priority= priority number)

Options

all Enter all to display configuration of all path policy


rules on the device.

application Enter an application name or ID to display policy


rules for the application.

app-wildcard Choose this option to display policy rules which are


not configured for any application.

dscp value Enter a DSCP value between 0 and 63 to display


policy rules for the DSCP.

enabled Choose true or false to display policy rules which are


either enabled or disabled.

network-context Enter a network context ID to display policy rules for


the network context.

policy-rule Enter a policy rule name or ID to display information


for the policy rule.

policy-set Enter a policy set name or ID to display policy rules


in the policy set.

prefix Enter a prefix name or ID to display policy rules for


the prefix.

priority Enter a priority number to display policy rules for the


priority.

Prisma SD-WAN ION Device CLI Reference 196 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump priority-policy config


policy-sets

Introduced in Release 5.0.1

Example

dump priority-policy config policy-rules application=Adobeconnect


Priority Policy Rule : 15311157630600173 : QC-4
Policy Set : 15282771307010195 : QoS Corporate
Applications:15186805682900053 : adobeconnect
Source Prefix : 15272331126400047 : EnterpriseGlobalPrefix
Destination Prefix : 15311156874260255 :
Network Context ID : none
Order Number : 1024
Enabled : true
Priority Number : 2
DSCP Value : none

Priority Policy Rule : 15311158615700214 : QC-2


Policy Set : 15282771307010195 : QoS Corporate
Applications:15186805682900053 : adobeconnect
Source Prefix : 15272331126400047 : EnterpriseGlobalPrefix
Destination Prefix : 15311158461310162 :
Network Context ID : none
Order Number : 1024
Enabled : true
Priority Number : 2
DSCP Value : none

dump priority-policy config policy-rules policy-rule=PL4_IPV6


Priority Policy Rule : 1676971237181015896 :
PL4_IPV6
Policy Set : 1675845753688008496 : IPv6_QoS
Applications:
16409223802140110 : netop-remote-control
Source Prefix : 1675846030099014596 : ipv6_1_Spoke
Users : any
UserGroups : any
Destination Prefix : 1676272395407004096 :
ipv6_2_Hub
Network Context ID : none
Order Number : 1024
Enabled : true
Priority Number : 1

Prisma SD-WAN ION Device CLI Reference 197 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

DSCP Value : 56

dump priority-policy config policy-rules user-


group=1675699201696005528
Priority Policy Rule : 1674798441633001528 : Specific User
Policy Set : 1666170947938011528 : User ID test
Applications : WILDCARD
Source Prefix : none
Users:
1674636535551002128 : None
UserGroups:
1675699201696005528 :
CN=devops,DC=sdwanamsteltest,DC=onmicrosoft,DC=com
1675699201696006228 :
CN=engineering,DC=sdwanamsteltest,DC=onmicrosoft,DC=com
Destination Prefix : none
Network Context ID : none
Order Number : 1023
Enabled : true
Priority Number : 2
DSCP Value : none

dump priority-policy config policy-sets


Use the dump priority-policy config policy-sets command to display the QoS policy
sets configuration for a device.
Information displayed includes the bandwidth allocation for business priorities along with the
bandwidth split per traffic in a priority.

Command

dump priority-policy config policy-sets all

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump priority-policy config policy-sets all


Priority Policy Set : 15306021021010029 : QoS DR

Prisma SD-WAN ION Device CLI Reference 198 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Default Rule DSCP Mappings: none


Bandwidth Allocation Schemes:
Bandwidth Range: High: 10000.00 Low: 0.00
Business Priorities:
Name : Platinum
Bandwidth Allocation : 50.00%
Priority Number : 1
Bandwidth Split Per Type:
Bulk : 20.00%
RtAudio : 30.00%
RtVideo : 20.00%
Transactional : 30.00%
Name : Gold
Bandwidth Allocation : 25.00%
Priority Number : 2
Bandwidth Split Per Type:
Bulk : 20.00%
RtAudio : 30.00%
RtVideo : 20.00%
Transactional : 30.00%
Name : Silver
Bandwidth Allocation : 15.00%
Priority Number : 3
Bandwidth Split Per Type:
Bulk : 20.00%
RtAudio : 30.00%
RtVideo : 20.00%
Transactional : 30.00%
Name : Bronze
Bandwidth Allocation : 10.00%
Priority Number : 4
Bandwidth Split Per Type:
Bulk : 20.00%
RtAudio : 30.00%
RtVideo : 20.00%
Transactional : 30.00%

dump priority-policy config policy-sets all


Priority Policy Set : 1675845753688008496 : IPv6_QoS
Default Rule DSCP Mappings: none
Bandwidth Allocation Schemes:
Bandwidth Range: High: 10000.00 Low: 0.00
Business Priorities:
Name : Platinum
Bandwidth Allocation : 50.00%
Priority Number : 1
Bandwidth Split Per Type:
Bulk : 20.00%
RtAudio : 30.00%
RtVideo : 20.00%
Transactional : 30.00%
Name : Gold
Bandwidth Allocation : 25.00%
Priority Number : 2
Bandwidth Split Per Type:
Bulk : 20.00%

Prisma SD-WAN ION Device CLI Reference 199 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

RtAudio : 30.00%
RtVideo : 20.00%
Transactional : 30.00%
Name : Silver
Bandwidth Allocation : 15.00%
Priority Number : 3
Bandwidth Split Per Type:
Bulk : 20.00%
RtAudio : 30.00%
RtVideo : 20.00%
Transactional : 30.00%
Name : Bronze
Bandwidth Allocation : 10.00%
Priority Number : 4
Bandwidth Split Per Type:
Bulk : 20.00%
RtAudio : 30.00%
RtVideo : 20.00%
Transactional : 30.00%

Priority Policy Set : 16409225090350228 : Default QoS Simple Stack


Default Rule Policy Set (Simple)
Default Rule DSCP Mappings: none
Bandwidth Allocation Schemes:
Bandwidth Range: High: 10000.00 Low: 0.00
Business Priorities:
Name : platinum
Bandwidth Allocation : 50.00%
Priority Number : 1
Bandwidth Split Per Type:
Bulk : 20.00%
RtAudio : 20.00%
RtVideo : 30.00%
Transactional : 30.00%
Name : gold
Bandwidth Allocation : 25.00%
Priority Number : 2
Bandwidth Split Per Type:
Bulk : 20.00%
RtAudio : 20.00%
RtVideo : 30.00%
Transactional : 30.00%
Name : silver
Bandwidth Allocation : 15.00%
Priority Number : 3
Bandwidth Split Per Type:
Bulk : 20.00%
RtAudio : 20.00%
RtVideo : 30.00%
Transactional : 30.00%
Name : bronze
Bandwidth Allocation : 10.00%
Priority Number : 4
Bandwidth Split Per Type:
Bulk : 20.00%
RtAudio : 20.00%

Prisma SD-WAN ION Device CLI Reference 200 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

RtVideo : 30.00%
Transactional : 30.00%

dump priority-policy config policy-stacks


Use the dump priority-policy config policy-stacks command to display the QoS
policy sets within a stack for a device.
Information displayed includes the policy stack ID, policy set names and IDs.

Command

dump priority-policy config policy-stacks all

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump priority-policy config policy-stacks all


Priority Policy Stack : 15311184545800050 : 1531118454364
Policy Sets:15319024296440147 : QoS Conflict
Default Policy Set : 15306021021010029 : QoS DR

dump priority-policy config policy-stacks all


Priority Policy Stack : 16409225257220008 : PriorityPolicySetStack
Policy Sets:
1675845753688008496 : IPv6_QoS
Default Policy Set : 16409225090350228 : Default QoS Simple
Stack Default Rule Policy Set (Simple)

ION2K-4137# dump priority-policy config prefix-filters all


Priority Policy Prefix : 1676308296796021696 : ipv4_1
IPv4 Prefixes:
[Link]/24
IPv6 Prefixes: none

Priority Policy Prefix : 1676308318098010796 : ipv4_2


IPv4 Prefixes:
[Link]/24
IPv6 Prefixes: none

Prisma SD-WAN ION Device CLI Reference 201 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Priority Policy Prefix : 1675846030099014596 : ipv6_1_Spoke


IPv4 Prefixes: none
IPv6 Prefixes:
3000::/64
3100::/64
3200::/64

Priority Policy Prefix : 1676272395407004096 : ipv6_2_Hub


IPv4 Prefixes: none
IPv6 Prefixes:
2100::/64

Priority Policy Prefix : 16409222610090238 :


EnterpriseGlobalPrefix
IPv4 Prefixes:
[Link]/8
[Link]/12
[Link]/16
IPv6 Prefixes:
fc00::/7

dump priority-policy config prefix-filters


Use the dump priority-policy config prefix-filters command to display the QoS
policy prefix filter configuration.

Command

dump priority-policy config prefix-filters ( all | prefix=prefix name


or ID )

Options

all Enter all to display configuration of all prefix


filters on the device.

prefix Enter a prefix name or ID to display configuration


for the prefix.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump priority-policy config


policy-rules

Introduced in Release 5.0.1

Prisma SD-WAN ION Device CLI Reference 202 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

dump priority-policy config prefix-filter prefix=EGP


Priority Policy Prefix : 15272331126400047 : EGP
IPv4 Prefixes:
[Link]/8
[Link]/12
[Link]/16

dump network-policy config prefix-filters all


Network Policy Prefix : 1668762655896023828 : banglore-client-1
IPv4 Prefixes: none
IPv6 Prefixes:
[Link]/64

Network Policy Prefix : 1663592970514016728 :


EnterpriseGlobalPrefix
IPv4 Prefixes:
[Link]/8
[Link]/12
[Link]/18
IPv6 Prefixes:
fc00::/7

Network Policy Prefix : 1663694455784022328 : india-hub-01


IPv4 Prefixes:
[Link]/24
IPv6 Prefixes:
2105::/64
2103::/64
2104::/64

dump probe config


Use the dump probe config command to display all the probe configurations for a device.

Command

dump probe config ( all | config ID =confID )

Options

all Enter all to display the probe configurations.

config ID Enter the probe config ID to list details of the


probe configuration like endpoints, protocol,
probe duration, probe count, and path types.

Prisma SD-WAN ION Device CLI Reference 203 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands NA

Introduced in Release 6.4.1

Example

dump probe config configid=1710934377425002537


Probe Config : test-https
(1710934377425002537)
Enabled : false
Endpoints :
Fqdn/URL : [Link]
Protocol : https
Probe Cycle Duration : 5
Probe Count : 5
Path Types : vpn
Http Response Codes :
Code : 200
Http Response String :
Allow Insecure Https Connection : true

dump probe profile


Use the dump probe profile command to display all the probe profile configurations for a
device.
The information displayed includes the probe profile and configuration information like endpoints,
protocol, probe duration, probe count, and path types.

Command

dump probe profile ( all | profile ID =pID | details )

Options

all Enter all to display the probe profile’s


configurations.

profile ID Enter the probe profile ID to view the probe


config details.

details Enter details to list all information of the


probe profile.

Prisma SD-WAN ION Device CLI Reference 204 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands NA

Introduced in Release 6.4.1

Example

dump probe profile all


Probe Profile : Default probe profile-100
(1708407527488022737)
Probe Configs :
Google G-Suite ICMP Response : 1708407527400020937
CloudFlare DNS ICMP Response : 1708407527400021037
MS Teams ICMP Response : 1708407527400021137
test-https : 1710934377425002537

Probe Profile : probe_1 (1712867979971004337)


Probe Configs :
CustomPingProbe : 1710136407621001437
NewHTTPOnly : 1713518051368019137

dump probe profile all details


Probe Profile : Default probe profile-100
(1708407527488022737)
Probe Config : Google G-Suite ICMP Response
(1708407527400020937)
Enabled : false
Endpoints :
Fqdn/URL : [Link]
Protocol : icmp
Probe Cycle Duration : 10
Probe Count : 2
Path Types : direct, vpn, servicelink

dump radius config


Use the dump radius config command to view the RADIUS server configuration.

Command
dump radius config

Options
None.

Prisma SD-WAN ION Device CLI Reference 205 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.0.2

Example

Source Interface Name : 1


Source Interface ID : 1655412991746001114
Primary Radius Server Details:
IP Address : [Link]
Authentication Port : 1812
Accounting Port : 1813
Priority : 10
Secondary Radius Server Details:
IP Address : [Link]
Authentication Port : 1812
Accounting Port : 1813
Priority : 100

dump radius statistics


Use the dump radius statistics command to view the RADIUS server statistics of a
selected interface or all interfaces.

Command
dump radius statistics

Options

Interface ID Enter the interface ID to display RADIUS server


statistics for a specific interface.

All Enter all to display RADIUS server statistics for


all interfaces.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.0.2

Prisma SD-WAN ION Device CLI Reference 206 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

Interface: 6
Radius Server Statistics:
-----------------------------------------------------------------
Authentication Server
Address: [Link]:1812
RTT: 211
Bad Authenticators: 0
Pending Requests: 0
Timeouts: 0
Unknown Types: 0
Packets Dropped: 0
Malformed Access Responses: 0
Access Requests: 2
Access Retransmissions: 0
Access Accepts: 1
Access Rejects: 0
Access Challenges: 1
Accounting Server
Address: [Link]:1813
RTT: 1
Bad Authenticators: 0
Pending Requests: 0
Timeouts: 0
Unknown Types: 0
Packets Dropped: 0
Malformed Responses: 0
Accounting Requests: 1
Accounting Retransmissions: 0

dump radius status


Use the dump radius status command to view the RADIUS server status.

Command
dump radius status

Options
None.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.0.2

Prisma SD-WAN ION Device CLI Reference 207 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

dump radius status


Current Radius Server Details:
Source Interface Name : 1
Source Interface ID : 16554129917460011
IP Version : 4
IP Address : [Link]
Authentication Port : 1812
Accounting Port : 1813
Priority : 10
Authenticated Client Details:
1 Mac Address : [Link]
Authentication Type: dot1x
Interface : 5
UserName : spirent
Uptime : 10.984670324s
Reauth Period(secs): 1800
Next Reauth(secs) : 1790
VLAN ID : 10

dump reachability-probe config


Use the dump reachability-probe config command to display the configuration details
of liveliness probing from a device. Information displayed includes the source interface, protocol,
probe interval, and failure count.

Command

dump reachability-probe config all

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump reachability-probe status

Introduced in Release 5.1.1

Example

dump reachability-probe config all


Name : sl4
Src Interface : eth1
Type : icmp

Prisma SD-WAN ION Device CLI Reference 208 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Ipv4 : [Link]
Interval : 1800
Failure Count : 3
Type : icmp
Ipv4 : [Link]
Interval : 1800
Failure Count : 3
Type : icmp
Ipv4 : [Link]
Interval : 1800
Failure Count : 3
Name : sl4
Src Interface : sl4
Type : http
Url : [Link]
Interval : 10
Failure Count : 3
Status code : [200]

dump qos-bwc config


Use the dump qos-bwc config command to display details of the QoS bandwidth
configuration information.

Command

dump qos-bwc config

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands inspect qos-bwc queue

Introduced in Release 6.0.1

Example

dump qos-bwc config 1


Wan ID : 15047410360090142 privatewan
CircuitLabel : L3_ATLANTA
PathLabel : private-1
BW : manual, up 20.000000 down 40.000000
QoS : enabled

Prisma SD-WAN ION Device CLI Reference 209 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Egress QosBwc Agent 700 Bandwidth Allocations:


Overall Bandwidth: : QID : 20000000 : Priority% => Overall%
Priority Number 1 : : 10000000 : 50.00%
RT-Video : 11 : 2000000 : 20.00% => 10.00%
RT-Audio : 12 : 3000000 : 30.00% => 15.00%
Bulk : 13 : 2000000 : 20.00% => 10.00%
Transactional : 14 : 3000000 : 30.00% => 15.00%
Priority Number 2 : : 5000000 : 25.00%
RT-Video : 21 : 1000000 : 20.00% => 5.00%
RT-Audio : 22 : 1500000 : 30.00% => 7.50%
Bulk : 23 : 1000000 : 20.00% => 5.00%
Transactional : 24 : 1500000 : 30.00% => 7.50%
Priority Number 3 : : 3000000 : 15.00%
RT-Video : 31 : 600000 : 20.00% => 3.00%
RT-Audio : 32 : 900000 : 30.00% => 4.50%
Bulk : 33 : 600000 : 20.00% => 3.00%
Transactional : 34 : 900000 : 30.00% => 4.50%
Priority Number 4 : : 2000000 : 10.00%
RT-Video : 41 : 400000 : 20.00% => 2.00%
RT-Audio : 42 : 600000 : 30.00% => 3.00%
Bulk : 43 : 400000 : 20.00% => 2.00%
Transactional : 44 : 600000 : 30.00% => 3.00%
Ingress QosBwc Agent 701 Bandwidth Allocations:
Overall Bandwidth: : QID : 40000000 : Priority% => Overall%
Priority Number 1 : : 20000000 : 50.00%
RT-Video : 11 : 4000000 : 20.00% => 10.00%
RT-Audio : 12 : 6000000 : 30.00% => 15.00%
Bulk : 13 : 4000000 : 20.00% => 10.00%
Transactional : 14 : 6000000 : 30.00% => 15.00%
Priority Number 2 : : 10000000 : 25.00%
RT-Video : 21 : 2000000 : 20.00% => 5.00%
RT-Audio : 22 : 3000000 : 30.00% => 7.50%
Bulk : 23 : 2000000 : 20.00% => 5.00%
Transactional : 24 : 3000000 : 30.00% => 7.50%
Priority Number 3 : : 6000000 : 15.00%
RT-Video : 31 : 1200000 : 20.00% => 3.00%
RT-Audio : 32 : 1800000 : 30.00% => 4.50%
Bulk : 33 : 1200000 : 20.00% => 3.00%
Transactional : 34 : 1800000 : 30.00% => 4.50%
Priority Number 4 : : 4000000 : 10.00%
RT-Video : 41 : 800000 : 20.00% => 2.00%
RT-Audio : 42 : 1200000 : 30.00% => 3.00%
Bulk : 43 : 800000 : 20.00% => 2.00%
Transactional : 44 : 1200000 : 30.00% => 3.00%

dump qos-bwc config all


Interface : 3.20
Wan ID : 1663572292988015596 privatewan
PathLabel : private-15
BW : manual, up 1000.000000 down 1000.000000
QoS : enabled
Egress QosBwc Agent 300 Bandwidth Allocations:
Overall Bandwidth: : QID : 1000000000 : Priority% => Overall%
Priority Number 1 : : 500000000 : 50.00%
RT-Video : 11 : 100000000 : 20.00% => 10.00%
RT-Audio : 12 : 150000000 : 30.00% => 15.00%

Prisma SD-WAN ION Device CLI Reference 210 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Bulk : 13 : 100000000 : 20.00% => 10.00%


Transactional : 14 : 150000000 : 30.00% => 15.00%
Priority Number 2 : : 250000000 : 25.00%
RT-Video : 21 : 50000000 : 20.00% => 5.00%
RT-Audio : 22 : 75000000 : 30.00% => 7.50%
Bulk : 23 : 50000000 : 20.00% => 5.00%
Transactional : 24 : 75000000 : 30.00% => 7.50%
Priority Number 3 : : 150000000 : 15.00%
RT-Video : 31 : 30000000 : 20.00% => 3.00%
RT-Audio : 32 : 45000000 : 30.00% => 4.50%
Bulk : 33 : 30000000 : 20.00% => 3.00%
Transactional : 34 : 45000000 : 30.00% => 4.50%
Priority Number 4 : : 100000000 : 10.00%
RT-Video : 41 : 20000000 : 20.00% => 2.00%
RT-Audio : 42 : 30000000 : 30.00% => 3.00%
Bulk : 43 : 20000000 : 20.00% => 2.00%
Transactional : 44 : 30000000 : 30.00% => 3.00%
Ingress QosBwc Agent 301 Bandwidth Allocations:
Overall Bandwidth: : QID : 1000000000 : Priority% => Overall%
Priority Number 1 : : 500000000 : 50.00%
RT-Video : 11 : 100000000 : 20.00% => 10.00%
RT-Audio : 12 : 150000000 : 30.00% => 15.00%
Bulk : 13 : 100000000 : 20.00% => 10.00%
Transactional : 14 : 150000000 : 30.00% => 15.00%
Priority Number 2 : : 250000000 : 25.00%
RT-Video : 21 : 50000000 : 20.00% => 5.00%
RT-Audio : 22 : 75000000 : 30.00% => 7.50%
Bulk : 23 : 50000000 : 20.00% => 5.00%
Transactional : 24 : 75000000 : 30.00% => 7.50%
Priority Number 3 : : 150000000 : 15.00%
RT-Video : 31 : 30000000 : 20.00% => 3.00%
RT-Audio : 32 : 45000000 : 30.00% => 4.50%
Bulk : 33 : 30000000 : 20.00% => 3.00%
Transactional : 34 : 45000000 : 30.00% => 4.50%
Priority Number 4 : : 100000000 : 10.00%
RT-Video : 41 : 20000000 : 20.00% => 2.00%
RT-Audio : 42 : 30000000 : 30.00% => 3.00%
Bulk : 43 : 20000000 : 20.00% => 2.00%
Transactional : 44 : 30000000 : 30.00% => 3.00%

Interface : 3.10
Wan ID : 1677043285250000596 publicwan
PathLabel : public-14
BW : manual, up 1000.000000 down 1000.000000
QoS : enabled
Egress QosBwc Agent 200 Bandwidth Allocations:
Overall Bandwidth: : QID : 1000000000 : Priority% => Overall%
Priority Number 1 : : 500000000 : 50.00%
RT-Video : 11 : 100000000 : 20.00% => 10.00%
RT-Audio : 12 : 150000000 : 30.00% => 15.00%
Bulk : 13 : 100000000 : 20.00% => 10.00%
Transactional : 14 : 150000000 : 30.00% => 15.00%
Priority Number 2 : : 250000000 : 25.00%
RT-Video : 21 : 50000000 : 20.00% => 5.00%
RT-Audio : 22 : 75000000 : 30.00% => 7.50%
Bulk : 23 : 50000000 : 20.00% => 5.00%

Prisma SD-WAN ION Device CLI Reference 211 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Transactional : 24 : 75000000 : 30.00% => 7.50%


Priority Number 3 : : 150000000 : 15.00%
RT-Video : 31 : 30000000 : 20.00% => 3.00%
RT-Audio : 32 : 45000000 : 30.00% => 4.50%
Bulk : 33 : 30000000 : 20.00% => 3.00%
Transactional : 34 : 45000000 : 30.00% => 4.50%
Priority Number 4 : : 100000000 : 10.00%
RT-Video : 41 : 20000000 : 20.00% => 2.00%
RT-Audio : 42 : 30000000 : 30.00% => 3.00%
Bulk : 43 : 20000000 : 20.00% => 2.00%
Transactional : 44 : 30000000 : 30.00% => 3.00%
Ingress QosBwc Agent 201 Bandwidth Allocations:
Overall Bandwidth: : QID : 1000000000 : Priority% => Overall%
Priority Number 1 : : 500000000 : 50.00%
RT-Video : 11 : 100000000 : 20.00% => 10.00%
RT-Audio : 12 : 150000000 : 30.00% => 15.00%
Bulk : 13 : 100000000 : 20.00% => 10.00%
Transactional : 14 : 150000000 : 30.00% => 15.00%
Priority Number 2 : : 250000000 : 25.00%
RT-Video : 21 : 50000000 : 20.00% => 5.00%
RT-Audio : 22 : 75000000 : 30.00% => 7.50%
Bulk : 23 : 50000000 : 20.00% => 5.00%
Transactional : 24 : 75000000 : 30.00% => 7.50%
Priority Number 3 : : 150000000 : 15.00%
RT-Video : 31 : 30000000 : 20.00% => 3.00%
RT-Audio : 32 : 45000000 : 30.00% => 4.50%
Bulk : 33 : 30000000 : 20.00% => 3.00%
Transactional : 34 : 45000000 : 30.00% => 4.50%
Priority Number 4 : : 100000000 : 10.00%
RT-Video : 41 : 20000000 : 20.00% => 2.00%
RT-Audio : 42 : 30000000 : 30.00% => 3.00%
Bulk : 43 : 20000000 : 20.00% => 2.00%
Transactional : 44 : 30000000 : 30.00% => 3.00%

dump reachability-probe status


Use the dump reachability-probe status command to display the results of liveliness
probing from a device. Information displayed includes the protocol, URL, probe status, latency and
update time.

Command

dump reachability-probe status all

Options

None

Prisma SD-WAN ION Device CLI Reference 212 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump reachability-probe config

Introduced in Release 5.1.1

Example

dump probe status all


Name : sl4
Type : icmp
Ipv4 : [Link]
Status : true
Latency : 11
Last updated : 2019-03-19T[Link]
Type : icmp
Ipv4 : [Link]
Status : true
Latency : 84
Last updated : 2019-03-19T[Link]
Type : icmp
Ipv4 : [Link]
Status : true
Latency : 178
Last updated : 2019-03-19T[Link]
Name : sl4
Type : http
Url : [Link]
Status : true
Latency : 166
Last updated : 2019-03-19T[Link]

dump routing aspath-list


Use the dump routing aspath-list command to display the routing AS path list.

Command

dump routing aspath-list ( all | name =


AS path list name)

Options

all Enter all to display all AS path lists.

name Enter a name to display a specific AS path list.

Prisma SD-WAN ION Device CLI Reference 213 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing aspath-list all


Path Name : AS-1
Path ID : 15290552064410229
Path regular expressions :
Order Permit Expression
--------- ------------ ----------------
1 true ^661

dump routing cache


Use the dump routing cache command to display the routing information stored in cache.

Command

dump routing cache ( all |


interface name | bypassfib | interfacefib | staticroute |
networks | bgpcache | counters | queueinfo | globalinfo | reginfo |
lanadvprefix | wanadvprefix | discoveredprefixset)

Options

all Enter all to display routes of all BGP peers.

interface Enter interface to display routing cache for all


interfaces.

bypassfib Enter bypassfib to display bypass interface (LAN)


forward information base (FIB) cache.

interfacefib Enter interfacefib to display interface FIB cache.

staticroute Enter staticroute to display routing cache for


static routes.

networks Enter networks to display routing cache for LAN


networks and other connected networks.

Prisma SD-WAN ION Device CLI Reference 214 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

bgpcache Enter bgpcache to display routing cache for all


BGP peers.

counters Enter counters to display routing cache counters.

queueinfo Enter queueinfo to display routing cache for


message queue counters.

globalinfo Enter globalinfo to display global BGP


configuration settings.

reginfo Enter reginfo to display registration information of


the ION device.

lanadvprefix Enter lanadvprefix to display LAN prefix


information of the ION device.

wanadvprefix Enter wanadvprefix to display WAN prefix


information of the ION device.

discoveredprefixset Enter discoveredprefixset to display discovered


prefix set information of the ION device.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing cache interface


Route mgr Cache Info:
=====================
Interface Cache
++++++++++++++++
{
"eth5": {
"v6_addr": "[Link]",
"mask": 24,
"is_dpdk": true,
"device": "eth5",
"secondary_ipv4_addresses": null,
"id": "1648470841543023896",
"label": null,
"state": "up",
"path_ids": [],
"mac_address": "[Link]",

Prisma SD-WAN ION Device CLI Reference 215 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

"scope": "local",
"v6routes": [
{
"destination": "::/0",
"metric": 0,
"via": "[Link]"
}
],
"extended_state": null,
"type_specific_form": "port",
"rt_installed": true,
"form": "static",
"directed_broadcast": false,
"members": [],
"v4_addr": "[Link]",
"v6form": "static",
"rt6_installed": true,
"v6mask": 64,
"name": "5",
"idx": 7,
"is_update_inprogress": false,
"last_state_change": "2022-04-13T[Link].129660007Z",
"used_for": "private",
"routes": [
{
"destination": "[Link]/0",
"metric": 0,
"via": "[Link]"
}
],
"lan_nws": []
},
-------------------------

dump routing cache interface


Route mgr Cache Info:

=====================

Interface Cache

++++++++++++++++

{
"eth8": {
"v6_addr": "[Link]",
"mask": 24,
"is_dpdk": true,
"device": "eth8",
"secondary_ipv4_addresses": null,
"id": "16281763161220210",
"label": "publicwan",
"state": "up",
"path_ids": [
"1654868757030024296"
],

Prisma SD-WAN ION Device CLI Reference 216 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

"mac_address": "[Link]",
"scope": "local",
"v6routes": [
{
"destination": "::/0",
"metric": 0,
"via": "[Link]"
}
],
"extended_state": null,
"type_specific_form": "port",
"rt_installed": true,
"form": "static",
"directed_broadcast": false,
"autoconf_routes": [],
"members": [],
"v4_addr": "[Link]",
"v6form": "static",
"rt6_installed": true,
"tenant_ctx": null,
"v6mask": 64,
"name": "8",
"idx": 10,
"is_update_inprogress": false,
"last_state_change": "2023-03-23T[Link].351803509Z",
"used_for": "public",
"endpoint_id": "16281763161220210",
"routes": [
{
"destination": "[Link]/0",
"metric": 0,
"via": "[Link]"
}
],
"lan_nws": []
},
,...

dump routing cache interfacefib


Route mgr Cache Info:

=====================

Interface FIB Cache

++++++++++++++++



Interface FIB6 Cache

++++++++++++++++

{
"eth8": {
"status": true,

Prisma SD-WAN ION Device CLI Reference 217 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

"prefixes": {
"[Link]/64": {
"type": "C",
"prefix": "[Link]/64",
"nexthop": "[Link]",
"cost": "0",
"ad": "0"
},
"::/0": {
"type": "S",
"prefix": "::/0",
"nexthop": "[Link]",
"cost": "0",
"ad": "5"
}
},
"tenant_ctx": null,
"last_update_timestamp": 1679564885429,
"timestamp": 1679564885261
},

"eth7": {
"status": true,
"prefixes": {
"::/0": {
"type": "S",
"prefix": "::/0",
"nexthop": "[Link]",
"cost": "0",
"ad": "5"
},
"[Link]/64": {
"type": "S",
"prefix": "[Link]/64",
"nexthop": "[Link]",
"cost": "0",
"ad": "1"
},
"[Link]/64": {
"type": "C",
"prefix": "[Link]/64",
"nexthop": "[Link]",
"cost": "0",
"ad": "0"
}
},
"tenant_ctx": null,
"last_update_timestamp": 1680235916683,
"timestamp": 1680235916588
},

dump routing cache staticroute


Route mgr Cache Info:

=====================

Prisma SD-WAN ION Device CLI Reference 218 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Static Routes

++++++++++++++++
"1680235917646018796": {
"address_family": "ipv6",
"_etag": 1,
"scope": "local",
"destination_prefix": "[Link]/64",
"nexthop_reachability_probe": false,
"id": "1680235917646018796",
"nexthops": [
{
"nexthop_interface_id": "",
"nexthop_ip": "[Link]",
"self": false,
"admin_distance": 1
}
]
},

BR-SITE2-ELEM1# dump routing cache networks


Route mgr Cache Info:

=====================

--------------------------

LAN networks

++++++++++++++++

"{}"
--------------------------

--------------------------

Connected networks

++++++++++++++++

"{\"[Link]/24\": {\"scope\": \"local\", \"id\":


\"16281763158650203\", \"if_name\": \"eth6\"}, \"[Link]
64::/64\": {\"scope\": \"local\", \"id\": \"16795645794616730\",
\"if_name\": \"eth4\"}, \"[Link]/24\": {\
"scope\": \"local\", \"id\": \"16281763161220210\", \"if_name\":
\"eth8\"}, \"[Link]/24\": {\"scope\": \"lo
cal\", \"id\": \"16281763166650231\", \"if_name\": \"eth7\"},
\"[Link]/64\": {\"scope\": \"local\", \
"id\": \"16795645735984300\", \"if_name\": \"eth8\"},
\"[Link]/24\": {\"scope\": \"local\", \"id\": \"1628
1763164550224\", \"if_name\": \"eth3\"}, \"[Link]/64\":
{\"scope\": \"local\", \"id\": \"167956457882
29290\", \"if_name\": \"eth3\"}, \"[Link]/64\": {\"scope\":
\"local\", \"id\": \"16800675904492372\",
\"if_name\": \"eth6\"}, \"[Link]/64\": {\"scope\":
\"global\", \"id\": \"16795654682625540\", \"if

Prisma SD-WAN ION Device CLI Reference 219 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

_name\": \"eth1\"}, \"[Link]/24\": {\"scope\": \"local\", \"id\":


\"16281763155550196\", \"if_name\": \"eth
4\"}, \"[Link]/24\": {\"scope\": \"global\", \"id\":
\"16281763172250245\", \"if_name\": \"eth1\"}, \"2
[Link]/64\": {\"scope\": \"local\", \"id\":
\"16795645731871870\", \"if_name\": \"eth7\"}}"

dump routing communitylist


Use the dump routing communitylist command to display the routing community list. The
ION device checks the community attribute of a route with each condition in the community
list. The first match determines whether to permit the route or reject the route that specified
community.

Command

dump routing communitylist ( all | name =


community list name)

Options

all Enter all to display all community lists.

name Enter a name to display a specific community


list.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing communitylist all


Community Name : 17
Community ID : 15290550887260117
Community List :
Community Permit
--------- ------
internet true

Prisma SD-WAN ION Device CLI Reference 220 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump routing multicast config


Use the dump routing multicast config command to display the routing multicast
specific configurations of a device.

Command

dump routing multicast config ( all | brief | interface | rp |


wanpeers )

Options

all Enter all to know all the routing multicast specific


configurations of a device.

brief Enter brief to know the brief routing multicast


specific configurations of a device.

interface Enter interface to know the interfaces on which


multicast traffic is forwarded or replicated.

rp Enter rp to display the address of the Rendezvous


Point (RP) in the network.

wanpeers Enter wanpeers to know the wanpeer details of


the routing multicast.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump routing multicast status

Introduced in Release 5.6.1

Example

dump routing multicast config all


Global
------
SPT : Enabled
BSM : Enabled
DR Priority : 200
SSM exclude group prefix: [Link]/0

IGMP Protocol Parameters


------------------------
Last Member Query Count : 2

Prisma SD-WAN ION Device CLI Reference 221 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Last Member Query Interval : 10


Query Interval : 125
Query Max Response Time : 100

PIM Protocol Parameters


-------------------------
Hello Hold Time : 105
Hello Interval : 30
Join Prune Interval : 60

Interfaces
----------
Interface : 1
Device : eth1
IGMP Version : IGMPV3
DR Priority : 1
No. of IGMP Static Joins: 0
Interface : 4
Device : eth4
IGMP Version : IGMPV3
DR Priority : 1
No. of IGMP Static Joins: 0

WAN Peers
----------
ID : 1650617954511023996
LocalShimIP : [Link]
RemoteSite : London
RemoteShimIpv4 : [Link]

Rendezvous Point(RP)
--------------------
Name : RP1
ID : 1650629816749002696
Address : [Link]
Groups :
Name :
Prefix : [Link]/4
Type : Remote-Static

dump routing multicast igmp


Use the dump routing multicast igmp command to display the routing multicast internet
group management protocol (IGMP) specific configurations of a device.

Command

dump routing multicast igmp <all | interface>

Prisma SD-WAN ION Device CLI Reference 222 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

all Enter all to display all the details related to routing


multicast igmp.

interface Enter interface to display interface details related


to routing multicast igmp.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump routing multicast config

dump routing multicast interface


all

Introduced in Release 5.6.1

Example

dump routing multicast igmp all

Interface Group Source Timer Fwd Uptime


eth1 [Link] * 03:00 Y [Link]

No of active IGMP sources : 1

dump routing multicast interface


Use the dump routing multicast interface command to display the routing multicast
interface specific configurations of a device.

Command

dump routing multicast interface ( all |


interface name )

Options

all Enter all to display all the details related to routing


multicast interface.

interface name Enter interface name to display per interface details


related to routing multicast interface.

Prisma SD-WAN ION Device CLI Reference 223 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump routing multicast status

Introduced in Release 5.6.1

Example

dump routing multicast interface all


Interface State Address PIM Nbrs PIM DR FHR
IfChannels
eth1 up [Link] 0 local 0
1
eth4 up [Link] 4 [Link] 0
0
mcast0 up [Link] 1 local 0
0
pimreg up [Link] 0 local 0
0

dump routing multicast internal vif-entries


Use the dump routing multicast internal vif-entries command to display the
internal vif entries in multicast.

This command is not available from the release 6.0.1 onward.

Command

dump routing multicast internal vif-entries

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump routing multicast status

Prisma SD-WAN ION Device CLI Reference 224 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 5.6.1

Example

dump routing multicast internal vif-entries


PIM VIF Interface array
VIF Index Interface State Flags Address
0 64 pimreg Up 0x4 [Link] (eth1)

1 3 eth1 Up 0x240000 [Link]


2 4 eth2 Up 0x200400 [Link]
3 5 eth3 Up 0xa40000 [Link]
4 6 eth4 Up 0xc0400 [Link]

PIM VIF Entry list


VIF Index Interface State Flags Address
0 64 pimreg Up 0x4 [Link] (eth1)

1 3 eth1 Up 0x240000 [Link]


2 4 eth2 Up 0x200400 [Link]
3 5 eth3 Up 0xa40000 [Link]
4 6 eth4 Up 0xc0400 [Link]

dump routing multicast mroute


Use the dump routing multicast mroute command to display the routing multicast mroute
specific configurations of a device.

Command

dump routing multicast mroute <detail>

Options

type Enter type to display all the details related to lan/


wan routing multicast mroute.

detail Enter detail to display all the details related to


routing multicast mroute.

statistics Enter statistics to display all the statistics related


to routing multicast mroute.

Prisma SD-WAN ION Device CLI Reference 225 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump routing multicast status

Introduced in Release 5.6.1

Example

dump routing multicast mroute


Source Group Flags Proto Input Output TTL Uptime
* [Link] SC IGMP London pimreg 1
[Link] IGMP eth1 1

dump routing multicast pim


Use the dump routing multicast pim command to display the routing multicast protocol
independent multicast (pim) specific configurations of a device.

Command

dump routing multicast pim <rp (all |


address | dynamic)| neighbor | bsrinfo>

Options

rp Enter rp all/ rp address/ dynamic to display all the


details related to routing multicast pim.

neighbor Enter neighbor to display PIM neighbors available


for the ION device.

bsrinfo Enter bsrinfo to display PIM bsrinfo available for


the ION device. Release 6.0.1

Command Notes

Role Super, Read Only, Monitor

Related Commands dump routing multicast status

Introduced in Release 5.6.1

Prisma SD-WAN ION Device CLI Reference 226 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

dump routing multicast pim neighbor


LAN Neighbors
--------------
Interface Neighbor Uptime Holdtime DR Pri
eth4 [Link] [Link] [Link] 900
eth4 [Link] [Link] [Link] 900
eth4 [Link] [Link] [Link] 900
eth4 [Link] [Link] [Link] 1999999

Total Active LAN neighbor count : 4

WAN Neighbors
--------------
Neighbor State Uptime
London UP [Link]

Total Active WAN neighbor count : 1

dump routing multicast pim rp all


RP address group/prefix-list OIF I am RP Source
[Link] [Link]/4 London no Static

dump routing multicast pim rp address=[Link]


RP address group/prefix-list OIF I am RP Source
[Link] [Link]/4 London no Static

dump routing multicast sources


Use the dump routing multicast sources command to display the information about
multicast source(s).

This command is not available from the release 6.0.1 onward.

Command

dump routing multicast sources

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump routing multicast statistics

Prisma SD-WAN ION Device CLI Reference 227 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 5.6.1

Example

dump routing multicast sources


PIM Source entries:
Address I/F Metric Pref Adv-Hold Neighbor AD Cost
[Link] eth2 0 0 0 None 0 0

dump routing multicast statistics


Use the dump routing multicast statistics command to display the routing multicast
statistics for LAN and WAN of a device.

Command

dump routing multicast statistics type= [wan | lan]

Options

type Enter LAN or WAN to get the LAN/WAN related traffic


statics. Release 6.0.1.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump routing multicast status

Introduced in Release 5.6.1

Example

dump routing multicast statistics Type=WAN


WAN Traffic Statistics
------------------------
Remote-Site :London
HelloRx :1641
HelloTx :2940
JoinPruneRx :121
JoinPruneTx :1630
RegisterRx :0
RegisterTx :0
RegisterStopRx :0
RegisterStopTx :0
BsmRx :0

Prisma SD-WAN ION Device CLI Reference 228 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

BsmTx :0
AssertRx :0
AssertTx :0

dump routing multicast statistics Type=LAN


LAN Traffic Statistics
------------------------
Interface :eth1
HelloRx :0
HelloTx :2899
JoinRx :0
JoinTx :0
PruneRx :0
PruneTx :0
RegisterRx :0
RegisterTx :0
RegisterStopRx :0
RegisterStopTx :0
BsmRx :0
BsmTx :0
AssertRx :0
AssertTx :0

dump routing multicast status


Use the dump routing multicast status command to display the routing multicast status
of a ION device.

Command

dump routing multicast status

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.6.1

Example

dump routing multicast status


Multicast Service running
PIMD Service running

Prisma SD-WAN ION Device CLI Reference 229 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

When PIMD is not running:

dump routing multicast status


Multicast Service running
PIMD Service not running, Reason: "No configured multicast
interface"
And all other multicast toolkit commands will show:

dump routing ospf


Use the dump routing ospf command to display the open shortest path first (OSPF) specific
configurations of a device.

Command

dump routing ospf ( global-config | vrf ( config | interface = <all


| interface name | neighbor | statistics> | routes | database |
discovered-neighbors | reachable-prefixes )

Options

global-config Enter global-config to see all the configured and


managed OSPF global settings/parameters.

vrf Enter vrf to see all the attached VRFs Global and
customised).

config Enter config to know all the VRF specific


configurations of a device.

interface Enter interface name or all to know the interfaces


on which ospf traffic is forwarded or replicated.
neighbor: Displays the router ID of the router
(neighbor) on the other side of the virtual link.
statistics: Displays the statistics of the routes.

routes Enter routes to see all the routes of the network,


router, and external routing table of the OSPF.

database Enter database to see the

discovered-neighbors Enter discovered-neighbors to know the two


OSPF-enabled routers connected by a shared
network and in the same OSPF area form a
relationship and are OSPF neighbors.

reachable-prefixes

Prisma SD-WAN ION Device CLI Reference 230 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands clear routing ospf

Introduced in Release 6.4.1

Example

dump routing ospf global-config


ID : 1707121524214025528
Router ID : [Link]
Cost :
Dead Interval : 40
Hello Interval : 10
Retransmit Interval : 5
Md5 Secret :
Md5 KeyID :
Prefix Advertisement Type : default
Transmit Delay : 1

dump routing ospf vrf Global config


Name : G
Description :
Tags :
Scope : global
VRF : Name - Global, Vni - 0, ID -
1695187971257016928
Config ID : 1713256072536012828
Shutdown : false
Router ID :
Prefix Advertisement Type : unaggregated
Prefix Advertisement Route-map :
BGP Prefix Redistribution : false
BGP Prefix Redistribution Route-map :
Areas
+----------------------+----------------------+
| Area ID | Area Type |
+----------------------+----------------------+
| 0 | normal |
+----------------------+----------------------+
Interfaces
+------------------------------------------
+---------------------------+
| Interface | OSPF Config
|
+------------------------------------------
+---------------------------+
| Interface : 1 (eth1) | Cost:
|
| Interface ID: 1706795250766004028 | Dead Interval: 40
|

Prisma SD-WAN ION Device CLI Reference 231 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

| Area ID: 0 | Hello Interval: 10


|
| Area Type: normal | Retransmit Interval: 5
|
| | Transmit Delay: 1
|
| | Md5 Secret: qwerty
|
| | Md5 KeyID: 1
|
+------------------------------------------
+---------------------------+
| Interface : 2.1 (eth2.1) | Cost:
|
| Interface ID: 1707583634718019928 | Dead Interval: 40
|
| Area ID: 0 | Hello Interval: 10
|
| Area Type: normal | Retransmit Interval: 5
|
| | Transmit Delay: 1
|
| | Md5 Secret:
|
| | Md5 KeyID:
|
+------------------------------------------
+---------------------------+

dump routing ospf vrf Global interface eth1 neighbor

Neighbor ID Pri State Dead Time Address Interface


RXmtL RqstL DBsmL
[Link] 4 Full/DR 37.813s [Link] eth1:[Link]
0 0 0

dump routing ospf vrf Global database


VRF Name: default

OSPF Router with ID ([Link])

Router Link States (Area [Link])

Link ID ADV Router Age Seq# CkSum Link count


[Link] [Link] 619 0x80006b77 0xa00e 2
[Link] [Link] 572 0x80000359 0xce1c 2
[Link] [Link] 617 0x80000081 0xff79 2

Net Link States (Area [Link])

Link ID ADV Router Age Seq# CkSum


[Link] [Link] 569 0x800017f7 0x87cd
[Link] [Link] 562 0x800002c8 0xa9bf

AS External Link States

Prisma SD-WAN ION Device CLI Reference 232 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Link ID ADV Router Age Seq# CkSum Route


[Link] [Link] 465 0x80000087 0xeeb1 E2 [Link]/0
[0x0]
[Link] [Link] 1128 0x8000005f 0xd9d8 E2 [Link]/24
[0x0]
[Link] [Link] 465 0x80000001 0x09e6 E2
[Link]/24 [0x0]
[Link] [Link] 465 0x80000001 0xe408 E2
[Link]/24 [0x0]
[Link] [Link] 607 0x80000061 0xde92 E2
[Link]/24 [0x0]
[Link] [Link] 1228 0x8000005f 0x55fc E2
[Link]/24 [0x0]

dump routing ospf vrf Global reachable-prefixes


VRF : Name - Global, ID -
1695187971257016928
OSPF Config ID : 1713256072536012828
Reachable IPv4 Prefixes Count : 2
Redistribute : true
Reachable IPv4 Prefixes
+----------------------+----------------------+
| Network | Nexthop |
+----------------------+----------------------+
| [Link]/24 | [Link] |
| [Link]/24 | [Link] |
+----------------------+----------------------+

dump routing peer advertised routes


Use the dump routing peer advertised routes command to display the routes
advertised to BGP peers. Information displayed includes details on network, next hop, metrics,
path, and weight along with status codes.

Command

dump routing peer advertised routes ( all | peer-ip = Peer IP vrf-


id= vrf id | vrf-name= vrf name | address-family= (ipv4 or ipv6))

Options

all Enter all to display routes advertised to all BGP


peers.

vrf-id Enter a VRF ID to display routes advertised to a


specific BGP peer. Release 6.3.1

peer-ip Enter an IP address to display routes advertised


to a specific BGP peer with both IPv4 and IPv6
address..

Prisma SD-WAN ION Device CLI Reference 233 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

address-family Enter an address family (IPv4 or IPv6) to display


the learned routes advertised to a specific BGP
peer. Release 6.3.1

vrf-name Enter a VRF name to display routes advertised


to a specific BGP peer. Release 6.3.1

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing peer advertised-routes all


BGP table version is 0, local router ID is [Link]
Status codes: s suppressed, d damped, h history, * valid, >
best,i - internal,r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric Loc Prf Weight Path
[Link]/30 [Link] 0 32768 i
[Link]/30 [Link] 0 32768 i
Total number of prefixes 2
BGP table version is 0, local router ID is [Link]
Status codes: s suppressed, d damped, h history, * valid, >
best,i - internal,r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric Loc Prf Weight Path
[Link]/30 [Link] 0 32768 i
[Link]/30 [Link] 0 32768 i

dump routing peer advertised-routes all


Default BGP instance not found
BGP table version is 10, local router ID is [Link], vrf id 27
Default local pref 100, local AS 1200
Status codes: s suppressed, d damped, h history, * valid, > best, =
multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path


*> [Link]/24 [Link] 0 32768 i

Total number of prefixes 1


BGP table version is 2, local router ID is [Link], vrf id 31
Default local pref 100, local AS 1200

Prisma SD-WAN ION Device CLI Reference 234 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Status codes: s suppressed, d damped, h history, * valid, > best, =


multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path


*> [Link]/24 [Link] 0 32768 i

dump routing peer advertised-routes vrf-name=IOT-Data peer-ip


[Link]
BGP table version is 2, local router ID is [Link], vrf id 31
Default local pref 100, local AS 1200
Status codes: s suppressed, d damped, h history, * valid, > best, =
multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path


*> [Link]/24 [Link] 0 32768 i

Total number of prefixes 1

dump routing peer advertised-routes peer-ip [Link] address-


family=ipv4
BGP table version is 208, local router ID is [Link], vrf id 0
Default local pref 100, local AS 2001
Status codes: s suppressed, d damped, h history, * valid, > best, =
multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> [Link]/0 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i

Prisma SD-WAN ION Device CLI Reference 235 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

*> [Link]/24 [Link] 0 32768 i


*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/32 [Link] 0 32768 i
*> [Link]/32 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/32 [Link] 0 32768 i
*> [Link]/32
[Link] 0 32768 i
*> [Link]/32
[Link] 0 32768 i
*> [Link]/32
[Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
*> [Link]/24 [Link] 0 32768 i
Total number of prefixes 44

dump routing peer config


Use the dump routing peer config command to display the configuration of BGP peers.
Information displayed includes the BGP peer IP address, vrf name, peer id, peer type, remote AS
numbers, and route map details along with the BGP global configuration.

Command

dump routing peer config ( all | peer-ip = Peer IP | vrf-name=vrf


name)

Options

all Enter all to display the configuration of all BGP


peers.

peer-ip Enter an IP address to display the configuration


for a specific BGP peer.

vrf-name Enter a VRF name to display the configuration


for a specific BGP peer. Release 6.3.1

Prisma SD-WAN ION Device CLI Reference 236 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing peer config all


BGP Peer IP : [Link]
Description :
ID : 1692873743021009528
Peer Type : classic
Remote AS Num : 23
Vrf Context ID : 1686679744525012828
Vni : 0
Vrf Name : Global
Scope : local
Shutdown : false
AllowV4Prefixes : true
AllowV6Prefixes : false
Update Source :
Update Source V6:

dump routing peer config vrf-name=Global


BGP Peer IP : [Link]
Description :
ID : 1692873743021009528
Peer Type : classic
Remote AS Num : 23
Vrf Context ID : 1686679744525012828
Vni : 0
Vrf Name : Global
Scope : local
Shutdown : false
AllowV4Prefixes : true
AllowV6Prefixes : false
Update Source :
Update Source V6:

dump routing peer neighbor


Use the dump routing peer neighbor-stat command to display the configuration of BGP
peers. Information displayed includes the BGP peer IP address, vrf name, address-family, peer
id, peer type, remote AS numbers, and route map details along with the BGP peer negotiated
parameters.

Prisma SD-WAN ION Device CLI Reference 237 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump routing peer neighbor-stat( vrf-name=vrf name | address-family=


(ipv4 or ipv6))

Options

all Enter all to display learned routes from all BGP


peers.

vrf-name Enter a VRF name to display the configuration


for a specific BGP peer. Release 6.3.1

address-family Enter an address family to display the learned


routes of IPv4 or IPv6 for a specific BGP peer.
Release 6.3.1

peer-ip Enter an IP address to display routes learned


from a specific BGP peer with both IPv4 and
IPv6 address..

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing peer neighbor-stat vrf-name=IOT-Data


BGP neighbor is [Link], remote AS 1400, local AS 1200, external
link
Description: "classic global lan-side peer 1689151867802013328"
Hostname: vyos
BGP version 4, remote router ID [Link], local router ID
[Link]
BGP state = Established, up for [Link]
Last read [Link], Last write [Link]
Hold time is 90, keepalive interval is 30 seconds
Configured hold time is 90, keepalive interval is 30 seconds
Neighbor capabilities:
4 Byte AS: advertised and received
Extended Message: advertised
AddPath:
IPv4 Unicast: RX advertised and received
Route refresh: advertised and received(old & new)
Enhanced Route Refresh: advertised
Address Family IPv4 Unicast: advertised and received

Prisma SD-WAN ION Device CLI Reference 238 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Hostname Capability: advertised (name: 53963e42-28e8-


ae40-2924-2f4e3023032f,domain name: n/a) received (name: vyos,domain
name: n/a)
Graceful Restart Capability: advertised and received
Remote Restart timer is 120 seconds
Address families by peer:
none
Graceful restart information:
End-of-RIB send: IPv4 Unicast
End-of-RIB received: IPv4 Unicast
Local GR Mode: Helper*
Remote GR Mode: Helper
R bit: False
Timers:
Configured Restart Time(sec): 120
Received Restart Time(sec): 120
IPv4 Unicast:
F bit: False
End-of-RIB sent: Yes
End-of-RIB sent after update: Yes
End-of-RIB received: Yes
Timers:
Configured Stale Path Time(sec): 360
Message statistics:
Inq depth is 0
Outq depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 2 3
Keepalives: 38 38
Route Refresh: 0 0
Capability: 0 0
Total: 41 42
Minimum time between advertisement runs is 1 seconds

For address family: IPv4 Unicast


Update group 2, subgroup 2
Packet Queue length 0
Inbound soft reconfiguration allowed
Community attribute sent to this neighbor(all)
1 accepted prefixes

Connections established 1; dropped 0


Last reset [Link], Waiting for peer OPEN
External BGP neighbor may be up to 5 hops away.
Local host: [Link], Local port: 60212
Foreign host: [Link], Foreign port: 179
Nexthop: [Link]
Nexthop global: ::
Nexthop local: ::
BGP connection: shared network
BGP Connect Retry Timer in Seconds: 120
Estimated round trip time: 2 ms

Prisma SD-WAN ION Device CLI Reference 239 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Read thread: on Write thread: on FD used: 23

dump routing peer neighbor-stat peer-ip [Link]


BGP neighbor is [Link], remote AS 2000, local AS 2001,
external link
Description: "classic global wan-side peer 1700023939437024728"
Hostname: BR2
BGP version 4, remote router ID [Link], local router ID [Link]
BGP state = Established, up for [Link]
Last read [Link], Last write [Link]
Hold time is 90, keepalive interval is 30 seconds
Configured hold time is 90, keepalive interval is 30 seconds
Neighbor capabilities:
4 Byte AS: advertised and received
Extended Message: advertised
AddPath:
IPv4 Unicast: RX advertised and received
IPv6 Unicast: RX advertised and received
Route refresh: advertised and received(old & new)
Enhanced Route Refresh: advertised
Address Family IPv4 Unicast: advertised and received
Address Family IPv6 Unicast: advertised and received
Hostname Capability: advertised (name: e6bb2b42-155f-6f6a-a8ce-
dfa7e7f7a3ed,domain name: n/a) received (name: BR2,domain name: n/a)
Graceful Restart Capability: advertised and received
Remote Restart timer is 120 seconds
Address families by peer:
none
Graceful restart information:
End-of-RIB send: IPv4 Unicast, IPv6 Unicast
End-of-RIB received: IPv4 Unicast, IPv6 Unicast
Local GR Mode: Helper*
Remote GR Mode: Helper
R bit: False
Timers:
Configured Restart Time(sec): 120
Received Restart Time(sec): 120
IPv4 Unicast:
F bit: False
End-of-RIB sent: Yes
End-of-RIB sent after update: Yes
End-of-RIB received: Yes
Timers:
Configured Stale Path Time(sec): 360
IPv6 Unicast:
F bit: False
End-of-RIB sent: Yes
End-of-RIB sent after update: Yes
End-of-RIB received: Yes
Timers:
Configured Stale Path Time(sec): 360
Message statistics:
Inq depth is 0
Outq depth is 0
Sent Rcvd
Opens: 1 1

Prisma SD-WAN ION Device CLI Reference 240 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Notifications: 0 0
Updates: 4 274
Keepalives: 584 584
Route Refresh: 0 0
Capability: 0 0
Total: 589 859
Minimum time between advertisement runs is 1 seconds

For address family: IPv4 Unicast


Update group 255, subgroup 255
Packet Queue length 0
Inbound soft reconfiguration allowed
Community attribute sent to this neighbor(all)
41 accepted prefixes

For address family: IPv6 Unicast


Update group 256, subgroup 256
Packet Queue length 0
Inbound soft reconfiguration allowed
Community attribute sent to this neighbor(all)
41 accepted prefixes

Connections established 1; dropped 0


Last reset [Link], No AFI/SAFI activated for peer
Local host: [Link], Local port: 45654
Foreign host: [Link], Foreign port: 179
Nexthop: [Link]
Nexthop global: [Link]
Nexthop local: fe80::250:56ff:feab:97ed
BGP connection: shared network
BGP Connect Retry Timer in Seconds: 20
Read thread: on Write thread: on FD used: 23

dump routing peer received-routes


Use the dump routing peer received-routes command to display the filtered routes
received from BGP peers. Information displayed includes the details of network, next hop,
metrics, path, and weight along with status codes.

Command

dump routing peer received-routes ( all | peer-ip = Peer IP | vrf-


name=vrf name | address-family= (ipv4 or ipv6) )

Options

all Enter all to display routes received from all BGP


peers.

vrf-name Enter a VRF name to display the configuration


for a specific BGP peer. Release 6.3.1

Prisma SD-WAN ION Device CLI Reference 241 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

address-family Enter an address family (IPv4 or IPv6) to display


the routes received from a specific BGP peer.
Release 6.3.1

peer-ip Enter an IP address to display routes received


from a specific BGP peer with both IPv4 and
IPv6 address..

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing peer received-routes peer-ip [Link]


BGP table version is 0, local router ID is [Link]
Status codes: s suppressed, d damped, h history, * valid, >
best,i - internal,r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric Loc Prf Weight Path
[Link] [Link] 0 2000 65000 1111i
[Link]/29 [Link] 0 2000 65000 1111
1101?
.
.
.
[Link]/30 [Link] 0 2000 65000 ?

Total number of prefixes 37

dump routing peer received-routes vrf-name=IOT-Data


BGP table version is 2, local router ID is [Link], vrf id 31
Default local pref 100, local AS 1200
Status codes: s suppressed, d damped, h history, * valid, > best, =
multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path


*> [Link]/24 [Link] 0 0 1400 i
*> [Link]/24 [Link] 0 1400
1200 i

Prisma SD-WAN ION Device CLI Reference 242 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Total number of prefixes 2

dump routing peer received-routes peer-ip [Link] address-


family=ipv6
BGP table version is 192, local router ID is [Link], vrf id 0
Default local pref 100, local AS 2001
Status codes: s suppressed, d damped, h history, * valid, > best, =
multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> ::/0 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64

Prisma SD-WAN ION Device CLI Reference 243 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 0 2002 ?
*> [Link]/64
[Link] 0 0 2002 ?
*> [Link]/64
[Link] 0 0 2002 ?
*> [Link]/64
[Link] 0 0 2002 ?
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/128
[Link] 0 2002
2001 i
*> [Link]/128
[Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/128
[Link] 0 2002
2001 i
*> [Link]/63 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i

Prisma SD-WAN ION Device CLI Reference 244 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

*> [Link]/64 [Link] 0 2002


2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/128
[Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/65
[Link] 0 0 2002 ?
*> [Link]/96
[Link] 0 2002
2001 i
*> [Link]/96
[Link] 0 2002
2001 i
Total number of prefixes 48
BGP table version is 192, local router ID is [Link], vrf id 0
Default local pref 100, local AS 2001
Status codes: s suppressed, d damped, h history, * valid, > best, =
multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> ::/0 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64

Prisma SD-WAN ION Device CLI Reference 245 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 0 2002 ?
*> [Link]/64
[Link] 0 0 2002 ?
*> [Link]/64
[Link] 0 0 2002 ?
*> [Link]/64
[Link] 0 0 2002 ?
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64

Prisma SD-WAN ION Device CLI Reference 246 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/128
[Link] 0 2002
2001 i
*> [Link]/128
[Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/128
[Link] 0 2002
2001 i
*> [Link]/63 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64
[Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/128
[Link] 0 2002
2001 i
*> [Link]/64 [Link] 0 2002
2001 i
*> [Link]/65
[Link] 0 0 2002 ?
*> [Link]/96
[Link] 0 2002
2001 i
*> [Link]/96
[Link] 0 2002
2001 i
Total number of prefixes 48

dump routing peer routes


Use the dump routing peer routes command to display the installed routes learned from
BGP peers.

Prisma SD-WAN ION Device CLI Reference 247 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump routing peer routes ( all | peer-ip = Peer IP | vrf-name=vrf


name | address-family= (ipv4 or ipv6) )

Options

all Enter all to display learned routes from all BGP


peers.

vrf-name Enter a VRF name to display the configuration


for a specific BGP peer. Release 6.3.1

address-family Enter an address family to display the learned


routes of IPv4 or IPv6 for a specific BGP peer.
Release 6.3.1

peer-ip Enter an IP address to display routes learned


from a specific BGP peer with both IPv4 and
IPv6 address..

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing peer routes peer-ip [Link]


BGP table version is 0, local router ID is [Link]
Status codes: s suppressed, d damped, h history, * valid, >
best,i - internal,r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric Loc Prf Weight Path
[Link] [Link] 0 2000 65000 1111i
[Link]/29 [Link] 0 2000 65000 1111
1101?
.
.
.
[Link]/30 [Link] 0 2000 65000 ?

Total number of prefixes 37

dump routing peer routes vrf-name=IOT-Voice

Prisma SD-WAN ION Device CLI Reference 248 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

BGP table version is 10, local router ID is [Link], vrf id 27


Default local pref 100, local AS 1200
Status codes: s suppressed, d damped, h history, * valid, > best, =
multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path


*> [Link]/24 [Link](vyos) 0 0 1300 i

Displayed 1 routes and 2 total paths

dump routing peer routes peer-ip [Link] address-family=ipv6

BGP table version is 192, local router ID is [Link], vrf id 0


Default local pref 100, local AS 2001
Status codes: s suppressed, d damped, h history, * valid, > best, =
multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
* [Link]/64
fe80::250:56ff:fe95:2a6f(BR2L3SW)
0 0 2002 ?
* [Link]/64
fe80::250:56ff:fe95:2a6f(BR2L3SW)
0 0 2002 ?
*> [Link]/64
fe80::250:56ff:fe95:2a6f(BR2L3SW)
0 0 2002 ?
*> [Link]/64
fe80::250:56ff:fe95:2a6f(BR2L3SW)
0 0 2002 ?
*> [Link]/65
fe80::250:56ff:fe95:2a6f(BR2L3SW)
0 0 2002 ?
Displayed 5 routes and 50 total paths

dump routing peer route-via


Use the dump routing peer route-via command to display the installed routes learned
from BGP peers.

Command

dump routing peer routes-via ( peer-ip peer ip prefix=prefix ip |


vrf-name=vrf name | vrf-id= )

Prisma SD-WAN ION Device CLI Reference 249 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

vrf-id Enter a vrf id to display learned routes from all


BGP peers. Release 6.3.1

vrf-name Enter a VRF name to display the configuration


for a specific BGP peer. Release 6.3.1

peer-ip Enter an IP address to display routes learned


from a specific BGP peer.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing peer route-via vrf-name=IOT-Data peer-ip [Link]


prefix=[Link]/24
Routes learnt from peer [Link] for prefix [Link]/24:
BGP routing table entry for [Link]/24, version 1
Paths: (1 available, best #1, vrf v633-e3)
Advertised to non peer-group peers:
vyos([Link])
Local
[Link](53963e42-28e8-ae40-2924-2f4e3023032f) from [Link]
([Link])
Origin IGP, metric 0, weight 32768, valid, sourced, local,
bestpath-from-AS Local, best (First path received)
Last update: Mon Oct 9 [Link] 2023

dump routing peer status


Use the dump routing peer status command to display the status of BGP peers.
Information displayed includes the BGP peer ip address, peer id, connection state, and the time
during which the connection with the peer up or down.

Command

dump routing peer status ( all | peer-ip = Peer IP | vrf-name=vrf


name | address-family= (ipv4 or ipv6) )

Prisma SD-WAN ION Device CLI Reference 250 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

all Enter all to display status of all BGP peers.

vrf-name Enter a VRF name to display the configuration


for a specific BGP peer. Release 6.3.1

address-family Enter an address family to display the status of


IPv4 or IPv6 for a specific BGP peer. Release
6.3.1

peer-ip Enter an IP address to display status for a


specific BGP peer with both IPv4 and IPv6
address.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing peer status all


BGP Peer IP : [Link]
ID : 15269236938690175
State : Established
Uptime : [Link]
Downtime :
BGP Peer IP : [Link]
ID : 15269236937040160
State : Established
Uptime : [Link]
Downtime :
BGP Peer IP : [Link]
ID : 15266976684940116
State : Established
Uptime : [Link]
Downtime :

dump routing peer status vrf-name=IOT-Data


BGP Peer IP : [Link]

IPv4 Unicast Summary (VRF v633-e3):


BGP router identifier [Link], local AS number 1200 vrf-id 31
BGP table version 2
RIB entries 3, using 552 bytes of memory
Peers 1, using 723 KiB of memory

Prisma SD-WAN ION Device CLI Reference 251 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ


Up/Down State/PfxRcd PfxSnt Desc
vyos([Link]) 4 1400 58 57 0 0 0
[Link] 1 1 "classic global lan-

Displayed neighbors 1
Total number of neighbors 1

dump routing peer status peer-ip [Link] address-family=ipv6


BGP LAN Peer summary
SSSSipv6
IPv6 Unicast Summary (VIEW 64):
BGP router identifier [Link], local AS number 2001 vrf-id 0
BGP table version 192
RIB entries 93, using 17 KiB of memory
Peers 1, using 723 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ
OutQ Up/Down State/PfxRcd PfxSnt Desc
BR2L3SW([Link]) 4 2002 145 137 0 0
0 [Link] 5 45 "classic global lan-
Total number of neighbors 1

dump routing peer route-json


Use the dump routing peer routes-json command to display the installed routes learned
from BGP peers in javascript object notation (JSON) format.

Command

dump routing peer routes-json ( all | peer-ip = Peer IP | vrf-


name=vrf name | address-family= (ipv4 or ipv6) )

Options

all Enter all to display learned routes from all BGP


peers.

vrf-name Enter a VRF name to display the configuration


for a specific BGP peer. Release 6.3.1

address-family Enter an address family (IPv4 or IPv6) to display


the learned routes to a specific BGP peer.
Release 6.3.1

peer-ip Enter an IP address to display routes learned


from a specific BGP peer with both IPv4 and
IPv6 address..

Prisma SD-WAN ION Device CLI Reference 252 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing peer route-json peer-ip 192.168.106.1Routes


for peer:[Link]{"[Link]/30":
{"nexthop":"[Link]","metric":0,"lp":0,"wt":32768,"path":"","rtrid":"[Link]","t
{"nexthop":"[Link]","metric":1,"lp":0,"wt":0,"path":"65192" ,"rtrid":"192

dump routing peer route-json vrf-name=IOT-Data


Routes for peer:[Link]
{
"vrfId": 31,
"vrfName": "v633-e3",
"tableVersion": 2,
"routerId": "[Link]",
"defaultLocPrf": 100,
"localAS": 1200,
"routes": { "[Link]/24": [
{
"valid":true,
"bestpath":true,
"selectionReason":"First path received",
"pathFrom":"external",
"prefix":"[Link]",
"prefixLen":24,
"network":"[Link]\/24",
"version":2,
"metric":0,
"weight":0,
"peerId":"[Link]",
"path":"1400",
"origin":"IGP",
"nexthops":[
{
"ip":"[Link]",
"hostname":"vyos",
"afi":"ipv4",
"used":true
}
]
}
] } }

dump routing peer route-json peer-ip [Link] address-family=ipv6


Routes for peer:[Link]
{

Prisma SD-WAN ION Device CLI Reference 253 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

"vrfId": 0,
"vrfName": "64",
"tableVersion": 192,
"routerId": "[Link]",
"defaultLocPrf": 100,
"localAS": 2001,
"routes": { "[Link]/64": [
{
"valid":true,
"pathFrom":"external",
"prefix":"[Link]",
"prefixLen":64,
"network":"[Link]\/64",
"version":41,
"metric":0,
"weight":0,
"peerId":"[Link]",
"path":"2002",
"origin":"incomplete",
"nexthops":[
{
"ip":"[Link]",
"hostname":"BR2L3SW",
"afi":"ipv6",
"scope":"global"
},
{
"ip":"fe80::250:56ff:fe95:2a6f",
"hostname":"BR2L3SW",
"afi":"ipv6",
"scope":"link-local",
"used":true
}
]
}
],"[Link]/64": [
{
"valid":true,
"pathFrom":"external",
"prefix":"[Link]",
"prefixLen":64,
"network":"[Link]\/64",
"version":12,
"metric":0,
"weight":0,
"peerId":"[Link]",
"path":"2002",
"origin":"incomplete",
"nexthops":[
{
"ip":"[Link]",
"hostname":"BR2L3SW",
"afi":"ipv6",
"scope":"global"
},
{

Prisma SD-WAN ION Device CLI Reference 254 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

"ip":"fe80::250:56ff:fe95:2a6f",
"hostname":"BR2L3SW",
"afi":"ipv6",
"scope":"link-local",
"used":true
}
]
}
],"[Link]/64": [
{
"valid":true,
"bestpath":true,
"selectionReason":"First path received",
"pathFrom":"external",
"prefix":"[Link]",
"prefixLen":64,
"network":"[Link]\/64",
"version":92,
"metric":0,
"weight":0,
"peerId":"[Link]",
"path":"2002",
"origin":"incomplete",
"nexthops":[
{
"ip":"[Link]",
"hostname":"BR2L3SW",
"afi":"ipv6",
"scope":"global"
},
{
"ip":"fe80::250:56ff:fe95:2a6f",
"hostname":"BR2L3SW",
"afi":"ipv6",
"scope":"link-local",
"used":true
}
]
}
],"[Link]/64": [
{
"valid":true,
"bestpath":true,
"selectionReason":"First path received",
"pathFrom":"external",
"prefix":"[Link]",
"prefixLen":64,
"network":"[Link]\/64",
"version":93,
"metric":0,
"weight":0,
"peerId":"[Link]",
"path":"2002",
"origin":"incomplete",
"nexthops":[
{

Prisma SD-WAN ION Device CLI Reference 255 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

"ip":"[Link]",
"hostname":"BR2L3SW",
"afi":"ipv6",
"scope":"global"
},
{
"ip":"fe80::250:56ff:fe95:2a6f",
"hostname":"BR2L3SW",
"afi":"ipv6",
"scope":"link-local",
"used":true
}
]
}
],"[Link]/65": [
{
"valid":true,
"bestpath":true,
"selectionReason":"First path received",
"pathFrom":"external",
"prefix":"[Link]",
"prefixLen":65,
"network":"[Link]\/65",
"version":94,
"metric":0,
"weight":0,
"peerId":"[Link]",
"path":"2002",
"origin":"incomplete",
"nexthops":[
{
"ip":"[Link]",
"hostname":"BR2L3SW",
"afi":"ipv6",
"scope":"global"
},
{
"ip":"fe80::250:56ff:fe95:2a6f",
"hostname":"BR2L3SW",
"afi":"ipv6",
"scope":"link-local",
"used":true
}
]
}
] } }

dump routing prefixlist


Use the dump routing prefixlist command to display the status of BGP peers.

Command

dump routing prefixlist ( all | name = prefix list name)

Prisma SD-WAN ION Device CLI Reference 256 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

all Enter all to display all prefix lists.

name Enter a name to display a specific prefix list.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing prefixlist all


Len: 3
Prefix Name :PLC
Prefix ID :15299886208880134
Prefix filter list :
Order Prefix Range Permit
--------- ------------ ------------------- -------------
2 [Link]/24 ge 28 le 30 true
Prefix Name :auto-prefix-adv-and-distribute
Prefix ID :15296497970690160
Prefix filters not configured. Prefix Name :auto-prefix-adv-
nodistribute
Prefix ID :15296497970790161

dump routing prefixlist name=TEST


Len: 5
Prefix Name :TEST
Prefix ID :1700041934638013028
Prefix filter list :
Order Prefix Range Permit
----- ------ ----- ------
10 [Link]/64 ge 0 le 0 true
20 [Link]/64 ge 0 le 0 true

dump routing prefix-reachability


Use the dump routing prefix-reachability command to display the reachability
information for a prefix. Information displayed includes the interface or path id, type of path, cost,
next hop and VLAN ids.

Command

dump routing prefix reachability prefix = prefix address

Prisma SD-WAN ION Device CLI Reference 257 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing prefix-reachability prefix=3001::1


Reachability info for VNI:0 ip_addr:3001::1
--------------------------------------------
Flags:
Lan=False, Wan=True,
KnownLanNetwork=False,
AttachedLanNetwork=False
-------------------------------------------------------------------------------
|Interface/Path ID |Type |Sub-Type |Cost |
Fwd_VNI|AD |Mask|Next Hop |NH-Vlan-ID|Vlan-ID |
-------------------------------------------------------------------------------
|1710310167085025228 |public-direct |static |32768|0
|5 |160 | N-A | N-A |0 |
|1701711156120023428 |public-direct |nat-pt |65535|0
|255 |0 | N-A | N-A |0 |
|1713522114623000928 |public-vpn |dynamic |256 |0
|5 |160 | N-A | N-A |0 |
|1713522114611001728 |public-vpn |dynamic |256 |0
|5 |160 | N-A | N-A |0 |
-------------------------------------------------------------------------------

dump routing prefix-reachability prefix=[Link]/24


Reachability info for [Link]/24:
----------------------------------------
Flags:
Lan=False, Wan=True,
KnownLanNetwork=False,
AttachedLanNetwork=False
-----------------------------------------------------------
|Interface/Path ID |Type |Sub-Type |Cost |AD |Mask|Next Hop |
NHVlanID|Vlan-ID |
-----------------------------------------------------------
|15084922379570055 |public-direct |connected |32768|20 |24 | N-A
|
N-A
|0 |
|15084922379570054 |private-wan |connected |0 |33 |0 | N-A | N-A|
0 |

Prisma SD-WAN ION Device CLI Reference 258 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

|15318966561540117 |public-vpn |connected |0 |34 |0 | N-A | N-A |


0|
|15318966541290029 |public-vpn |connected |0 |34 |0 | N-A | N-A |
0|
|15318966560600089 |public-vpn |connected |0 |34 |0 | N-A | N-A |
0|
|15318966562710142 |public-vpn |connected |0 |34 |0 | N-A | N-A |
0|
|15266769965170227 |public-svclink |connected |0 |36 |0 | N-A |
NA|0 |
|15272863841440119 |public-svclink |connected |0 |36 |0 | N-A |
NA|0 |
|15311157418440023 |public-svclink |connected |0 |36 |0 | N-A |
NA|0 |
-----------------------------------------------------------

For WAN connected prefix:

dump routing prefix-reachability prefix=[Link]

Reachability info for [Link]


----------------------------------------
Flags:
Lan=False, Wan=True,
KnownLanNetwork=False,
AttachedLanNetwork=False
-------------------------------------------------------------------------------
|Interface/Path ID |Type |Sub-Type |Cost |AD |
Mask|Next Hop |NH-Vlan-ID|Vlan-ID |
-------------------------------------------------------------------------------
|1654868757030024296 |public-direct |connected |0 |0 |
224 | N-A | N-A |0 |
|1654868707819008896 |private-wan |static |0 |5 |
160 | N-A | N-A |0 |
|1654868727519023196 |private-wan |static |0 |5 |
160 | N-A | N-A |0 |
|1679331668449017496 |public-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679331667843012296 |public-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679331667962013396 |public-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679331667962013396 |public-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679334236429017496 |private-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679334232284013396 |private-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679334229219012296 |private-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679334229219012296 |private-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679334229219012296 |private-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
-------------------------------------------------------------------------------

Prisma SD-WAN ION Device CLI Reference 259 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

For LAN connected interface:

dump routing prefix-reachability prefix=[Link]

Reachability info for [Link]


---------------------------------------
Flags:
Lan=True, Wan=False,
KnownLanNetwork=True,
AttachedLanNetwork=False
-------------------------------------------------------------------------------
|Interface/Path ID |Type |Sub-Type |Cost |AD |
Mask|Next Hop |NH-Vlan-ID|Vlan-ID |
-------------------------------------------------------------------------------
|16281763158650203 |lan |connected |0 |0 |
224 | N-A | N-A |0 |
-------------------------------------------------------------------------------

For static route on WAN underlay:

dump routing prefix-reachability prefix=[Link]

Reachability info for [Link]


----------------------------------------
Flags:
Lan=False, Wan=True,
KnownLanNetwork=False,
AttachedLanNetwork=False
-------------------------------------------------------------------------------
|Interface/Path ID |Type |Sub-Type |Cost |AD |
Mask|Next Hop |NH-Vlan-ID|Vlan-ID |
-------------------------------------------------------------------------------
|1654868757030024296 |public-direct |static |0 |5 |
160 | N-A | N-A |0 |
|1654868707819008896 |private-wan |static |0 |1 |
224 | N-A | N-A |0 |
|1654868727519023196 |private-wan |static |0 |5 |
160 | N-A | N-A |0 |
|1679331668449017496 |public-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679331667843012296 |public-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679331667962013396 |public-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679331667962013396 |public-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679334236429017496 |private-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679334232284013396 |private-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679334229219012296 |private-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679334229219012296 |private-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |
|1679334229219012296 |private-vpn |dynamic |256 |5 |
160 | N-A | N-A |0 |

Prisma SD-WAN ION Device CLI Reference 260 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

-------------------------------------------------------------------------------

dump routing route


Use the dump routing route command to display the routes learned from BGP peers.

Command

dump routing route ( all | peer-ip = Peer IP )

Options

all Enter all to display routes learned from all BGP


peers.

peer-ip Enter an IP address to display routes learned


from a specific BGP peer.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing route prefix=[Link]/24


Routes learnt from peers:
BGP routing table entry for [Link]/24
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Not advertised to any peer
7702 7701 6600 6666
[Link] from [Link] ([Link])
Origin incomplete, local
pref 100, valid, external
Last update: Tue Jun 19 [Link] 20187701 6600 6666
[Link] from [Link] ([Link])
Origin incomplete, localpref 500, valid, external, best
Last update: Fri Jun 8 [Link] 2018
Routes lookup tree information:
{"data": null}
Forwarding Information (FIB):
Path ID: 15084910001440094, Path Type: privwan, Status: true
Prefix: [Link]/24 Type:D Cost:0 Admin distance:5

dump routing route prefix=[Link]

Prisma SD-WAN ION Device CLI Reference 261 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Routes learnt from view 1 for prefix [Link]


View/Vrf 1 is unknown

Routes lookup tree information:


-------------------------------
{
"data": {
"cnh_node": [],
"address_family": "ipv6",
"nh_items": [
{
"nexthop": "[Link]",
"best_source_id": "1927427249",
"best_opq_data": "0",
"best_type": "1",
"nh_objs": [
{
"source_id": "16045690981097406464",
"active": true,
"sequence": " [Link] -> [Link]/64 "
}
],
"best_ad": "1",
"ad_items": [
{
"real_cost_2": "0",
"real_cost_0": "0",
"real_cost_1": "0",
"ad": "1",
"cost": "0",
"source_id": "1927427249"
}
],
"best_cost": "0"
}
],
"entry_type": "route",
"route_objs": [
{
"term_id": "16045690981097406464",
"cost": "0",
"type": "1",
"ad": "1",
"sequence": " [Link]/64 -> [Link] ->
[Link]/64 "
}
],
"prefix": "[Link]/64"
}
}

Forwarding Information (FIB):

Prisma SD-WAN ION Device CLI Reference 262 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump routing routemap


Use the dump routing routemap command to display the information in a route map.
Information displayed includes AS path ids, community ids, ip nexthop and prefix ids.

Command

dump routing routemap (all | name)

Options

all Enter all to see information for all route maps.

name Enter a route map name to see routing


information for the routemap.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing routemap all


RouteMap Name :test
RouteMap ID :15892697053910075
Route map entries :
Order Permit Match Clauses Set Clauses Continue
Entry
------ ------ -------------- -----------
--------------
10 true 100
As-path ID:
Community ID:
IP nexthop ID:
IP prefix ID:
As path prepend:
Community list:65000:8030
Additive community:false
IP nexthop:
Local Preference:20
weight:0

dump routing routemap name=test


RouteMap Name :test
RouteMap ID :1696491691872014628

Prisma SD-WAN ION Device CLI Reference 263 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Route map entries :


Order Permit Match Clauses Set
Clauses Continue Entry
----- ------ -------------
----------- --------------
10 true
As-path ID:
Community ID:
IP nexthop ID:
IP prefix ID:1700041934638013028
Prefix Name:TEST
As
path prepend:

Community list:

Additive community:false
IP
nexthop:3001::2
Local
Preference:0

Weight:0

dump routing running-config


Use the dump routing running-config command to display the current routing
configuration for a device.

Command

dump routing running-config

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing running-config


Building configuration...

Prisma SD-WAN ION Device CLI Reference 264 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Current configuration:
!
log syslog notifications
log facility syslog
bgp multiple-instance
!
debug zebra rib
debug bgp
!
password default
!
interface br0
ipv6 nd suppress-ra
!
...
router bgp 7000
bgp router-id [Link]
neighbor [Link] remote-as 1234
neighbor [Link] description "core peer 15296501950110247"
neighbor [Link] advertisement-interval 1
neighbor [Link] timers 30 90 |
neighbor [Link] timers connect 120
neighbor [Link] soft-reconfiguration inbound
neighbor [Link] route-map auto-core-15296501950110247-
routemap-in in
neighbor [Link] route-map auto-core-15296501950110247-
routemap-out out
!
ip prefix-list PLC seq 2 permit [Link]/24 ge 28 le 30
ip prefix-list [Link] seq 5 permit [Link]/32
!
ip as-path access-list auto-core-15296501950110247-as-path-
outpermit .*
!
route-map auto-core-15296501950110247-route-map-in permit 10
set local-preference 100
!
route-map auto-core-15296501950110247-route-map-out permit 99
match as-path auto-core-15296501950110247-as-path-out
match ip address prefix-list auto-prefix-adv-and-distribute set
as-path prepend 7000,7000,7000,7000
!
route-map peer-[Link]-show permit 10
match ip next-hop prefix-list [Link]
!
ip forwarding!line vty
!
end

dump routing summary


Use the dump routing summary command to display the routing summary for a BGP peer.

Prisma SD-WAN ION Device CLI Reference 265 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump routing summary ( address-family= (ipv4 or ipv6) )

Options

address-family Enter an address family to display the learned


routes of IPv4 or IPv6 for a specific BGP peer.
Release 6.3.1

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump routing summary


BGP router identifier [Link], local AS number 65003
RIB entries 36, using 4032 bytes of memory
Peers 2, using 9120 bytes of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/
PfxRcd
[Link] 4 65000 8290 8292 0 0 0 2d21h03m 15
[Link] 4 65001 8292 8288 0 0 0 2d21h02m 6
Total number of neighbors 2
================================================================
BGP table version is 0, local router ID is [Link]
Status codes: s suppressed, d damped, h history, * valid, > best,
i - internal,r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* [Link]/27 [Link] 500 0 65001 65002 ?
*> [Link] 0 32768 i
* [Link] 100 0 65000 65001 65002 ?
*> [Link]/28 [Link] 500 0 65001 65002 ?
* [Link] 100 0 65000 65001 65002 ?
*> [Link]/29 [Link] 500 0 65001 65002 ?
* [Link] 100 0 65000 65001 65002 ?
*> [Link]/30 [Link] 500 0 65001 65002 ?
* [Link] 100 0 65000 65001 65002 ?
*> [Link]/29 [Link] 0 32768 i
*> [Link]/28 [Link] 1 100 0 65000 ?
*> [Link]/28 [Link] 1 100 0 65000 ?
*> [Link]/28 [Link] 100 0 65000 65001 ?
*> [Link]/28 [Link] 500 0 65001 65002 ?
* [Link] 100 0 65000 65001 65002 ?
*> [Link]/29 [Link] 0 32768 i

Prisma SD-WAN ION Device CLI Reference 266 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

*> [Link]/29 [Link] 0 32768 i


*> [Link]/28 [Link] 1 100 0 65000 ?
*> [Link]/28 [Link] 100 0 65000 65001 ?
*> [Link]/28 [Link] 500 0 65001 65002 ?
* [Link] 100 0 65000 65001 65002 ?
*> [Link]/29 [Link] 0 32768 i
*> [Link]/29 [Link] 0 32768 i
*> [Link]/28 [Link] 100 0 65000 65001 ?
*> [Link]/28 [Link] 100 0 65000 65001 65002 ?
*> [Link]/22 [Link] 1 100 0 65000 ?
*> [Link]/28 [Link] 0 32768 i
*> [Link]/29 [Link] 0 32768 i
*> [Link]/27172.16.94.1 100 0 65000 65001 65002 ?
Total number of prefixes 22

dump routing summary address-family=ipv6

IPv6 Unicast Summary (VIEW 64):


BGP router identifier [Link], local AS number 2001 vrf-id 0
BGP table version 51
RIB entries 16, using 2944 bytes of memory
Peers 1, using 723 KiB of memory

Neighbor V AS MsgRcvd MsgSent TblVer InQ


OutQ Up/Down State/PfxRcd PfxSnt Desc
BR2L3SW([Link]) 4 2002 317 306 0 0
0 [Link] 5 6 "classic global lan-

Total number of neighbors 1

Instance 64:
BGP table version is 51, local router ID is [Link], vrf id 0
Default local pref 100, local AS 2001
Status codes: s suppressed, d damped, h history, * valid, > best, =
multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path


*> ::/0 ::(e6bb2b42-155f-6f6a-a8ce-dfa7e7f7a3ed)
0 32768 i
*> [Link]/64
::(e6bb2b42-155f-6f6a-a8ce-dfa7e7f7a3ed)
0 32768 i
*> [Link]/64
::(e6bb2b42-155f-6f6a-a8ce-dfa7e7f7a3ed)
0 32768 i
*> [Link]/64
::(e6bb2b42-155f-6f6a-a8ce-dfa7e7f7a3ed)
0 32768 i
* fe80::250:56ff:fe95:2a6f(BR2L3SW)
0 0 2002 ?
*> [Link]/64
::(e6bb2b42-155f-6f6a-a8ce-dfa7e7f7a3ed)

Prisma SD-WAN ION Device CLI Reference 267 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

0 32768 i
* fe80::250:56ff:fe95:2a6f(BR2L3SW)
0 0 2002 ?
*> [Link]/64
fe80::250:56ff:fe95:2a6f(BR2L3SW)
0 0 2002 ?
*> [Link]/64
fe80::250:56ff:fe95:2a6f(BR2L3SW)
0 0 2002 ?
*> [Link]/64
::(e6bb2b42-155f-6f6a-a8ce-dfa7e7f7a3ed)
0 32768 i
*> [Link]/65
fe80::250:56ff:fe95:2a6f(BR2L3SW)
0 0 2002 ?

Displayed 9 routes and 11 total paths

dump routing static-route reachability-status


Use the dump routing static-route reachability-status command to display the
reachability status of a next hop on a static route.

Command

dump routing static-route reachability-status (all | destination-


prefix= destination prefix ID | vrf-name= vrf name)

Options

all Enter all to display reachability status for next hops


for all destination prefixes.

destination-prefix Enter the destination prefix to display reachability


status for the next hop for the destination prefix.

vrf-name Enter the vrf name to display reachability status for


the next hop for that vrf name. Release 6.3.1

Command Notes

Role Super, Read Only, Monitor

Related Commands dump routing static-route config

Introduced in Release 5.5.1

Prisma SD-WAN ION Device CLI Reference 268 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

dump routing static-route reachability-status


destination-prefix=2030::/96

Destination Prefix : 2030::/96


Route ID : 1649675818894024328
+------------------------------------------+---------------+
| Nexthop IP | Reachability status |
+------------------------------------------+---------------+|
2008::33 | true |
+------------------------------------------+----------------+

dump routing peer static-route reachability-status all

Destination Prefix : [Link]/24


Route ID : 1696410072329018228
Vrf Context ID : 1688365522034014928
Vni : 0
Vrf Name : Global
Nexthop reachability probe not configured.

Destination Prefix : [Link]/24


Route ID : 1696410095274020028
Vrf Context ID : 1695795392653021428
Vni : 965
Vrf Name : yellow
Nexthop reachability probe not configured.

Destination Prefix : [Link]/24


Route ID : 1696410082955019128
Vrf Context ID : 1689223232301017828
Vni : 155
Vrf Name : green
Nexthop reachability probe not configured.

dump routing peer static-route reachability-status vrf-name=green

Destination Prefix : [Link]/24


Route ID : 1696410082955019128
Vrf Context ID : 1689223232301017828
Vni : 155
Vrf Name : green
Nexthop reachability probe not configured.

dump routing static-route config


Use the dump routing static-route config command to display details such as
destination prefix, route ID, scope, next hop reachability probe status, and admin distance of next
hops for static routes configured.

Prisma SD-WAN ION Device CLI Reference 269 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump routing static-route config (all | destination-prefix=


destination prefix ID | vrf-name= vrf name)

Options

all Enter all to display all static routes configured.

vrf-name Enter the vrf name to display reachability status for


the next hop for that vrf name. Release 6.3.1

destination-prefix Enter the destination prefix to display the static


route configured for the destination prefix.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.5.1

Example

dump routing static-route config destination-prefix=[Link]/32


Destination Prefix : [Link]/32
Route ID : 16091314861720105
Scope : local
Nexthop reachability probe : True
+-----------------+----------------+-------------------+
| Nexthop | Admin Distance | Interface ID |
+-----------------+----------------+-------------------+
| [Link] | 2 | - |
+-----------------+----------------+-------------------+
dump routing cache staticroute
Route mgr Cache Info:
=====================
Static Routes
++++++++++++++++
{
"1649675818894024328":
{
"address_family": "ipv6",
"_etag": 3,
"scope": "local",
"destination_prefix": "2030::/96",
"nexthop_reachability_probe": false,
"id": "1649675818894024328",
"nexthops":
[

Prisma SD-WAN ION Device CLI Reference 270 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

{
"nexthop_interface_id": "",
"nexthop_ip": "2008::33",
"self": false,
"admin_distance": 1
}
]
},
"1648629254536014028":
{
"address_family": "ipv4",
"_etag": 9,
"scope": "local",
"destination_prefix": "[Link]/24",
"nexthop_reachability_probe": false,
"id": "1648629254536014028",
"nexthops":
[
{
"nexthop_interface_id": "",
"nexthop_ip": "[Link]",
"self": false,
"admin_distance": 1
}
]
}
}
--------------------------

dump routing static-route config all


Destination Prefix : [Link]/32
Route ID : 1693764139556012596
Scope : global
Vrf Context ID : 1692293763109009696
Vni : 326
Nexthop reachability probe : False
+------------------------------------------+----------------
+-------------------+
| Nexthop | Admin Distance |
Interface ID |
+------------------------------------------+----------------
+-------------------+
| [Link] | 1 | -
|
+------------------------------------------+----------------
+-------------------+

dump routing peer static-route config vrf-name=Global

Destination Prefix : [Link]/24


Route ID : 1696410072329018228
Scope : local
Vrf Context ID : 1688365522034014928
Vni : 0
Vrf Name : Global
Nexthop reachability probe : False

Prisma SD-WAN ION Device CLI Reference 271 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

+------------------------------------------+----------------
+-------------------+
| Nexthop | Admin Distance |
Interface ID |
+------------------------------------------+----------------
+-------------------+
| [Link] | 1 | -
|
+------------------------------------------+----------------
+-------------------+

dump security-policy config policy-rules


Use the dump security-policy config policy-rules command to display the security
policy rule configuration for a device.
Information displayed includes the security policy rule name, action, state, source zone ids,
destination zone ids, and application definition ids.

Command

dump security-policy config policy-rules ( all | policy-rule=


policy-rule name | application=
application definition name | source-zone=
source zone name | dest-zone=
destination zone name | action= (allow | deny | reject) |
state=( enabled | disabled ))+ ]

Options

all Enter all to display configuration of all security


policy rules on the device.

application Enter an application name to display policy rules


for the application.

source-zone Enter the source zone to display configuration of


security policy rules for the source zone.

dest-zone Enter the destination zone to display


configuration of security policy rules for the
destination zone.

action Enter allow to display configuration for those


security policy rules where the action is set to
allow.

Enter deny to display configuration for those


security policy rules where the action is set to
deny.

Prisma SD-WAN ION Device CLI Reference 272 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Enter reject to display configuration for those


security policy rules where the action is set to
reject.

policy-rule Enter an application definition policy rule name to


display information for the policy rule.

state Enter enabled to display configuration for those


security policy rules where the state is set to
enabled.

Enter disabled to display configuration for those


security policy rules where the state is set to
disabled.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump security-policy config


policy-sets

Introduced in Release 4.5.1

Example

dump security-policy config policy-rules all


Security Policy Rule ID : 16246315738930189
Security Policy Rule Name : Rule1-Set2-20
Action : allow
Rule-Type : custom
Enabled : true
Source Zones :
16200471619100074: Zone-LAN
Destination Zones :
16204672468290016: Zone-Internet-VPN
Applications :
ANY
Source Prefix Filters :
16242993172060125: LAN-192-168-7-100
Destination Prefix Filters :
16242993943320129: DC-192-168-20-0
Services :
Protocol : 6
Source Port Range :
ANY
Destination Port Range :
from : 5005
to : 5015
from : 5020

Prisma SD-WAN ION Device CLI Reference 273 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

to : 5025
Protocol : 17
Source Port Range :
ANY
Destination Port Range :
from : 5005
to : 5015
Protocol : 1
Source Port Range :
ANY
Destination Port Range :
ANY
...

dump security-policy config policy-rules policy-rule=branch-


zbfw_rule1

Security Policy Rule ID : 1675995765132024696


Security Policy Rule Name : branch-zbfw_rule1
Action : allow
Rule-Type : custom
Enabled : true
Source Zones :
1675995054995018796: branch1_lan_zone
Destination Zones :
1675995069171003096: branch1_vpn_zone
Applications :
ANY
Source Prefix Filters :
1675995350736002196: branch_lan1
Destination Prefix Filters :
1675995723718016196: branch_hub_prefix
Users :
ANY
UserGroups :
ANY
Services :
ANY

dump security-policy config policy-rules user="1674636535551002128"

Security Policy Rule ID : 1675969523166013128


Security Policy Rule Name : Test 1
Action : allow
Rule-Type : custom
Enabled : true
Source Zones :
ANY
Destination Zones :
ANY
Applications :
ANY
Source Prefix Filters :
ANY
Destination Prefix Filters :

Prisma SD-WAN ION Device CLI Reference 274 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

ANY
Users :
1674636535551002128: None
UserGroups :
NONE
Services :
ANY

dump security-policy config policy-set


Use the dump security-policy config policy-set command to display the security
policy sets configuration for a device.
Information displayed includes the policy set ids along with the order of security policy rules.

Command

dump security-policy config policy-set all

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump security-policy config


policy-rules

Introduced in Release 4.5.1

Example

dump security-policy config policy-set all


Security Policy Set ID : 16245957623450255
Security Policy Set Name: Set2-Port-Range
Policy Rule Order:
16246315738930189: Rule1-Set2-20
16246317241460212: Rule2-Set2-21
16246318197250246: Rule3-Set2-22
Security Policy Set ID : 16245009722000198
Security Policy Set Name: Set3-Specific
Policy Rule Order:
16245010650670003: Rule1-Set3-20
16245011984140128: Rule2-Set3-21
16245012757060237: Rule3-Set3-22
Security Policy Set ID : 16245013500920058
Security Policy Set Name: Set4-Generic

Prisma SD-WAN ION Device CLI Reference 275 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Policy Rule Order:


16245013906270078: Rule1-Set4
Security Policy Set ID : 16228336609730048
Security Policy Set Name: default
Policy Rule Order:
16228336610060052: self-zone
16228336610050051: intra-zone
16228336609900050: default

dump security-policy config policy-set policy-set-name=branch-zfbw-


set2

Security Policy Set ID :


1676108499873022196
Security Policy Set Name : branch-
zfbw-set2
Policy Rule Order:
1676108536798018796 : branch-
zbfw-rule2
1676114407512016596 : branch-
zbfw-rule3

dump security-policy config policy-set-stack


Use the dump security-policy config policy-set-stack command to display the
security policy set stack configuration for a device.

Command

dump security-policy config policy-set-stack ( all |


policy-set-stack name)

Options

all Enter all to display configuration of all security


policy set stack on the device.

policy-set-stack Enter an application definition policy set stack


name to display information for the policy set
stack.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump security-policy config


policy-sets

Prisma SD-WAN ION Device CLI Reference 276 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 5.6.1

Example

dump security-policy config policy-set-stack all

Security Policy Stack ID : 1675994992949025496


Security Policy Stack Name : branch1-zbfw-stack1
Default Policy Set ID : 1670555580669013096
Default Policy Set Name : DefaultSet
Policy Set Order:
1676108499873022196 : branch-zfbw-set2
1675995005199001996 : branch1-zbfw-set1

dump security-policy config prefix-filters


Use the dump security-policy config prefix-filters command to display the
security policy prefix filter configuration.

Command

dump security-policy config prefix-filters ( all | prefix=


prefix name )

Options

all Enter all to display configuration of all prefix


filters on the device.

prefix Enter a prefix name to display configuration for


the prefix.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.5.1

Example

dump security-policy config prefix-filters all


Prefix Filter ID : 16242993943320129
Prefix Filter Name : DC-192-168-20-0
Prefix : [Link]/24

Prisma SD-WAN ION Device CLI Reference 277 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Prefix Filter ID : 16242994662000182


Prefix Filter Name : DC-192-168-22-0
Prefix : [Link]/24

Prefix Filter ID : 16242994310450145


Prefix Filter Name : DC-192-168-21-0
Prefix : [Link]/24

Prefix Filter ID : 16242993172060125


Prefix Filter Name : LAN-192-168-7-100
Prefix : [Link]/32

dump security-policy config prefix-filters prefix-filter=branch_lan1

Prefix Filter ID : 1675995350736002196


Prefix Filter Name : branch_lan1
Prefix : 2000::/16

dump security-policy config zones


Use the dump security-policy config zones command to display the configuration of
security policy rules for zones. Information displayed includes the security policy, zone names and
network details.

Command

dump security-policy config zones (all | security-zone=


zone name)

Options

all Enter all to display configuration of security policy


rules for all zones.

security zone Enter a zone name to display configuration of


security policy rules for the zone.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.5.1

Example

dump security-policy config zones all

Prisma SD-WAN ION Device CLI Reference 278 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Security Policy Zone ID : 16204672468290016


Security Policy Zone Name : Zone-Internet-VPN
Zone Association ID : 16245135536470064
Interfaces :
VPN-overlay
LAN Networks :

Security Policy Zone ID : 16200471388560063


Security Policy Zone Name : Zone-Internet
Zone Association ID : 16285714095880087
Interfaces :
16150115632720220 : 2
LAN Networks :

Security Policy Zone ID : 16200471619100074


Security Policy Zone Name : Zone-LAN
Zone Association ID : 16245779281070041
Interfaces :
LAN Networks :
Name : default_san-jose_114105279
ID : 16200275524390210
LAN Prefixes :
[Link]/24

Name : default_san-jose_450021252
ID : 16261268429250112
LAN Prefixes :
[Link]/24

Name : default_san-jose_270864556
ID : 16261251535530088
LAN Prefixes :
[Link]/24

dump security-policy config zones security-zone=branch1_lan_zone

Security Policy Zone ID : 1675995054995018796


Security Policy Zone Name : branch1_lan_zone
Zone Association ID : 1675996004509021296
Interfaces :
1675746177355024996 : 7
LAN Networks :

dump sensor type


Use the dump sensor type command to display the information from sensor logs. Information
displayed includes the values for voltage sensors, eight core temperatures, board temperature
sensors, temperature of line card i350CPU, and fan speeds.

Command

dump sensor type= (all | temperature | voltage | fan)


<start date= YYYY-MM-DD> <end date=YYYY-MM-DD >

Prisma SD-WAN ION Device CLI Reference 279 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

all Enter all to display information for all sensors.

temperature Enter temperature to display information for


temperature sensors.

voltage Enter voltage to display information for voltage


sensors.

fan Enter fan to display information for fans.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump sensor type summarize

Introduced in Release 5.1.3

Example

dump sensor type=all start=2023-03-14T00:00 end=2023-03-14T03:00


time 1v 5v vcore vddr core0 core1
core2 core3 sys
(mV) (mV) (mV) (mV) (°C) (°C)
(°C) (°C) (°C)
2023-03-14T[Link] 1000 5056 984 1520 36 36
35 35 46
2023-03-14T[Link] 1000 5056 984 1520 35 35
34 35 46
2023-03-14T[Link] 1000 5056 984 1520 36 36
34 34 46
2023-03-14T[Link] 1000 5056 984 1520 36 36
35 35 46
2023-03-14T[Link] 1000 5056 984 1520 36 36
37 36 47
2023-03-14T[Link] 1000 5056 984 1520 36 36
36 36 47
2023-03-14T[Link] 1000 5056 984 1520 36 36
37 35 47
2023-03-14T[Link] 1000 5056 984 1520 37 37
35 37 47
2023-03-14T[Link] 1000 5056 984 1520 37 37
35 35 47
2023-03-14T[Link] 1000 5056 984 1512 36 36
36 36 47

Prisma SD-WAN ION Device CLI Reference 280 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump sensor type summary


Use the dump sensor type summary command to display the information from sensor logs.
Information displayed includes the mean, median and mode values for voltage sensors, eight core
temperatures, board temperature sensors, temperature of line card i350CPU, and fan speeds.

Command

dump sensor type= (all | temperature | voltage | fan)


<start date= YYYY-MM-DD> <end date=YYYY-MM-DD > summary

Options

all Enter all to display information for all sensors.

temperature Enter temperature to display information for


temperature sensors.

voltage Enter voltage to display information for voltage


sensors.

fan Enter fan to display information for fans.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump sensor type

Introduced in Release 5.1.3

Example

dump sensor type=all start=2023-03-14T00:00 end=2023-03-14T03:00


summary
1v 5v vcore vddr core0 core1 core2 core3
sys
(mV) (mV) (mV) (mV) (°C) (°C) (°C) (°C)
(°C)
Mean: 1000 5056 984 1519 36 36 35 35
46
Median: 1000 5056 984 1520 36 36 35 35
47
Mode: 1000 5056 984 1520 36 36 35 35
47

Prisma SD-WAN ION Device CLI Reference 281 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump serviceendpoints
Use the dump serviceendpoints command to display the information for standard VPN
endpoints. Information displayed includes the name of the endpoint, type of the endpoint, and
whether the endpoint allows enterprise traffic to transit through it.

Command

dump serviceendpoints ( all | endpoint= )

Options

all Enter all to view information for all service


endpoints.

endpoints Enter an endpoint name to view information


specific to the endpoint.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.7.1

Example

dump serviceendpoints all


Name AllowEnterpriseTraffic Type AdminUp
CO-EP False non-cgtransit true

dump servicelink summary


Use the dump servicelink summary command to display information on standard VPNs.
Information includes the name of the standard VPN, status, parent interface, extended state of
the VPN, IP addresses of the local and standard VPN endpoints, Type (GRE or IPsec), and the
IPsec profile.

Command

dump servicelink summary ( all | sltype=)

Prisma SD-WAN ION Device CLI Reference 282 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

all Enter all to display summary of all the standard VPNs.

sltype Enter type to view the summary of all the standard VPNs
matching the type.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump servicelink stats

dump servicelink status

Introduced in Release 4.7.1

Example

dump servicelink summary all


-------------- SERVICE LINKS ----------------------------------
Total : 2
TotalUP : 1
TotalDown : 1
---------------------------------------------------------------
SlDev SlName Status ExtState ParentDev
LocalIP Peer Type IpsecProfile
---------------------------------------------------------------
sl2 Gre down gre_keepalive_configured eth3
[Link] [Link] GRE N/A
sl1 ubuntu up tunnel_up eth3
[Link] [Link] IPsec Ubuntu

dump servicelink summary all


-------------- SERVICE LINKS ----------------------------------
Total : 2
TotalUP : 0
TotalDown : 2
---------------------------------------------------------------
Vrf SlDev SlName
Status ExtState ParentDev LocalIP Peer
Type IpsecProfile
---------------------------------------------------------------
blue sl2 service_link-1709200539046021828 down
peer_address_unresolved eth2 [Link]
IPsec ZSCALER_IKEV2

green sl1 service_link-1704789489196015028 down


proposal_mismatch_ike eth2 [Link] [Link]
IPsec ZSCALER_IKEV2

Prisma SD-WAN ION Device CLI Reference 283 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump servicelink summary sltype=ipsec


-------------- SERVICE LINKS ----------------------------------
Total : 2
TotalUP : 0
TotalDown : 2
---------------------------------------------------------------
Vrf SlDev SlName Status
ExtState ParentDev LocalIP Peer
Type IpsecProfile
---------------------------------------------------------------
green sl1 service_link-1704789489196015028 down
retransmit_send eth2 [Link] [Link]
IPsec ZSCALER_IKEV2

blue sl2 service_link-1709200539046021828 down


peer_address_unresolved eth2 [Link]
IPsec ZSCALER_IKEV2

dump servicelink summary sltype=gre


-------------- SERVICE LINKS ----------------------------------
Total : 0
TotalUP : 0
TotalDown : 0
---------------------------------------------------------------
Vrf SlDev SlName Status ExtState ParentDev
LocalIP Peer Type IpsecProfile

---------------------------------------------------------------

The ExtState in the command output displays the status of the standard VPN. The following
table describes the various reasons for the VPN tunnel down status:

Extended State Description

liveliness_failed If the liveliness is configured and if probe does not get the
response through the tunnel, the tunnel manager marks the
tunnel down with the extended status as liveliness failed.

parent_no_ip The underlay parent interface on which the standard VPN


tunnel is configured does not have the IP address.

peer_address_unresolved If there is no peer IP address to use.

invalid_service_endpoint Service endpoint configured is not present.

peer_auth_failed Peer authentication failed.

parse_error If the control message parsing failed during tunnel bring up.

cert_expired If the certificates are expired.

cert_revoked If the certificates are revoked.

Prisma SD-WAN ION Device CLI Reference 284 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Extended State Description

no_issuer_cert No Issuer certificate found.

retransmit_send_timeout If no response is seen from the remote.

proposal_mismatch_ike Proposal mismatch in phase-1.

proposal_mismatch_child Proposal mismatch in phase-2.

admin_down Service link is admin down.

StandbySpoke Spoke is Stand up.

bringup_wait Scenarios to move to this state:


• After unloading the VPN connection.
• If the load connection request fails.
• If the terminate SA request fails.

bring up When the config is complete and trying to bring up the


connection.

hold_down When the tunnel flaps 3 times with in 120 sec (2 min), we mark
the tunnel to be in hold downstate.

internal_resource_unavailable Parsing psk failed in tunnelmgr.

duplicate_endpoints Already a tunnel is UP with the same Source and Remote IP.

local_auth_failed Received authentication failed.

peer_auth_failed Detected authentication failed.

parse_error Parsing control message failed.

retransmit_send_timeout No reply from peer retry in progress.

half_open_timeout Timeout for negotiating child sa in phase2.

proposal_mismatch_ike Phase1 proposal mismatch (ike).

proposal_mismatch_child Phase2 proposal mismatch (ipsec).

transform_selector_mismatch Phase2 selectors mismatch (ipsec).

install_child_sa_failed Installing child sa failed.

install_child_policy_failed Installing child policy failed.

Prisma SD-WAN ION Device CLI Reference 285 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Extended State Description

authorization_failed When explicit authorization rules are defiled (remote identity).

cert_expired When the certificate is expired.

cert_revoked Certificate is revoked.

no_issuer_cert No issuer certificate found.

unique_replace Session is uniquely identified uniquely.

unique_keep Keep the session with unique ids.

vip_failure Virtual interface creation failed.

retransmit_send No reply from peer, hence retry in progress.

standby_spoke Standby spoke.

lowerlayerdown Lower layer is down.

liveliness_configured When the tunnel comes up and if liveliness is configured.

tunnel_bringup_up_wait When the tunnel is in bringup wait state.

tunnel_bringup When the tunnel is in bringup state (loading the config to


charon).

multiple_ike_session When tunnel is reset because of multi ike.

invalid_auth_param When the secret is invalid.

config_changed Configuration was updated.

load_failed Loading the configuration failed.

gre_keepalive_configured GRE keepalive is configured.

dump servicelink stats


Use the dump servicelink stats command to display statistics on standard VPNs.

Command

dump servicelink stats (


sldev= |
slname=)

Prisma SD-WAN ION Device CLI Reference 286 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

sldev Enter the standard VPN number to view the statistics for
a standard VPN.

slname Enter the standard VPN interface name to view the


statistics for a standard VPN.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump servicelink summary

dump servicelink status

Introduced in Release 4.7.1

Example

dump servicelink stats slname=sl1


Type: IPSEC
No of times IkeRekeyed : 0
No of times ChildRekeyed : 0
No of times HoldDown : 0
No of times TunnelUp : 0
No of times TunnelDown : 1
No of Incoming Bytes : 0
No of Outgoing Bytes : 0
No of Incoming Packets : 0
No of Outgoing Packets : 0

dump servicelink stats slname=sl2


Type: GRE
No of times HoldDown : 4
No of times TunnelUp : 33
No of times TunnelDown : 66
No of Incoming Bytes : 1348
No of Outgoing Bytes : 70
No of Incoming Packets : 5
No of Outgoing Packets : 2
No of Frame Errors : 0
No of Carrier Errors : 0
No of Keepalives Sent : 21
No of Keepalives Received : 21

Prisma SD-WAN ION Device CLI Reference 287 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump servicelink status


Use the dump servicelink status command to display status of standard VPNs.
Information includes the IPsec profile selected, authentication, Internet Key Exchange (IKE)
protocol details, Encapsulating Security Payload (ESP) details and Dead Peer Detection (DPD)
details.
The output differs based on whether the standard VPN is up or down. When the VPN is down,
the configuration details are displayed as part of the status.
The output differs based on the standard VPN protocol—IPsec or GRE. For GRE, interval and
Failure Count information displays only if Keepalives are enabled.

Command

dump servicelink status (all | sldev= | slname=)

Options

all Enter all to display status of all the standard VPNs.

sldev Enter the standard VPN number to view status for a


standard VPN.

slname Enter the standard VPN interface name to view status for
a standard VPN.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump servicelink stats

dump servicelink summary

Introduced in Release 4.7.1

Example
The output for ZScaler Service Link (IPSec)

dump servicelink status sldev=sl1


ServiceLink : sl1
Interface : slzscalerthree
Description :
ID : 16119027917990015
Type : service_link (ipsec)
Admin State : up
Alarms : enabled

Prisma SD-WAN ION Device CLI Reference 288 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

NetworkContextID :
IpfixCollectorContextID :
IpfixFilterContextID :
Scope : local
Directed Broadcast : false
MTU : 1400
IP : static
Address : [Link]/24
Parent Interface : 12.34
Parent Device : eth1.34
Service Endpoint : ZScalerthree
IPSec Profile : ZSCALER_IKEV1
Authentication Type : psk
Local ID Type : custom
Local ID : zainab@[Link]
Key Exchange : ikev1
IKE Mode : Aggressive
IKE Lifetime : 1 hours
IKE Remote Port : 500
IKE DH Group/Encryption/Hash : modp1024/aes128/sha1, modp1024/
aes128/sha256
ESP Lifetime : 1 hours
ESP Encapsulation : Auto
ESP DH Group/Encryption/Hash : none/none/md5
DPD Enabled : yes
DPD Delay : 10
DPD Timeout : 60
Device : sl1
State : up
Last Change : 2021-02-03 [Link].531 (1m47s ago)
Address : [Link]/24
Route : [Link]/0 via [Link] metric 0
Extended State : tunnel_up
IPSec Algo : NULL_HMAC_MD5_96
Ike Algo : AES_CBC_128HMAC_SHA1_96
HostName : [Link]
Remote IP : [Link]
Local IP : [Link]
IkeNextRekey : 2021-02-03 [Link].707023365 +0000 UTC
IPsecNextRekey : 2021-02-03 [Link].707022419 +0000 UTC
Peer configured on service endpoint Service endpoint name:
ZScalerthree
Order of connection
Try:---------------------------------------------------------------------------

IP Address | Hostname | Reachable | Latency(ms)


| Last Liveliness Failed | Last TunnelBringup Failed |
Hold Time |
-------------------------------------------------------------------------------
[Link] | [Link] | Yes |
2 | | 2021-02-03 [Link]
| ||
[Link] | [Link] | Yes |
10 | |
| ||

Prisma SD-WAN ION Device CLI Reference 289 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[Link] | [Link] | Yes |


20 | |
| ||
[Link] | [Link] | Yes |
39 | |
| ||
[Link] | [Link] | Yes |
40 | |
| ||
[Link] | [Link] | Yes |
50 | |
| ||
[Link] | [Link] | Yes |
64 | |
| ||
[Link] | [Link] | Yes |
73 | |
| ||
[Link] | [Link] | Yes |
78 | |
| ||
[Link] | [Link] | Yes |
80 | |
| ||
[Link] | [Link] | Yes |
106 | |
| ||
[Link] | [Link] | Yes |
133 | |
| ||
[Link] | [Link] | Yes |
137 | |
| ||
[Link] | [Link] | Yes |
138 | |
| ||
[Link] | [Link] | Yes |
143 | |
| ||
[Link] | [Link] | Yes |
151 | |
| ||
[Link] | [Link] | Yes |
154 | |
| ||
[Link] | [Link] | Yes |
155 | |
| ||
[Link] | [Link] | Yes |
167 | |
| ||
[Link] | [Link] | Yes |
168 | |
| ||

Prisma SD-WAN ION Device CLI Reference 290 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[Link] |
[Link] | Yes |
172 | |
| ||
[Link] | [Link] | Yes |
188 | |
| ||
[Link] | [Link] | Yes |
207 | |
| ||
[Link] | [Link] | Yes |
227 | |
| ||
[Link] | [Link] | Yes |
244 | |
| ||
[Link] | [Link] | Yes |
265 | |
| ||
[Link] | [Link] | No |
NA | |
| ||
[Link] | [Link] |
No | NA | |
|
|------------------------------------------------------------------------------

Liveliness probe
status---------------------------------------------------------------
Type : http
Url : [Link]
Status : true
Latency(ms) : 95
Last updated : 2021-02-03T[Link]
Type : icmp
Ipv4 : [Link]
Status : true
Latency(ms) : 12
Last updated : 2021-02-03T[Link]

The output for Prisma Access Service Link (IPSec)

Public-BLR-Branch3K# dump servicelink status slname=AUTO-


PRISMA_IPSEC-Tunnel_us-east-1_6
ServiceLink : sl2
Interface : AUTO-PRISMA_IPSEC-Tunnel_us-east-1_6
Description : Prisma Access info on Panorama:
Remote Onboarding: AUTO-CGX_remotenet-2
IPSEC Tunnel: AUTO-CGX_ipsec_tn-2-A
IKE Gateway: AUTO-CGX_ike_gw-2-c6ab50f
Prisma License: FWAAS-AGGREGATE
ID : 16124203058570004
Type : service_link (ipsec)
Admin State : up
Alarms : enabled
NetworkContextID :
Scope : local

Prisma SD-WAN ION Device CLI Reference 291 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Directed Broadcast : false


MTU : 1400
IP : static
Address : [Link]/31
Parent Interface : 6
Parent Device : eth6
Peer : [Link]
Service Endpoint : Prisma US East (us-east-1)
IPSec Profile : AUTO-PRISMA_IPSEC-Profile
Authentication Type : psk
Remote ID : prisma-tunnel@[Link]
Local ID Type : custom
Local ID : cgx-tunnel@[Link]
Key Exchange : ikev2
IKE Reauth : no
IKE Lifetime : 8 hours
IKE Remote Port : 500
IKE DH Group/Encryption/Hash : ecp384/aes256/sha512
ESP Lifetime : 1 hours
ESP Encapsulation : Auto
ESP DH Group/Encryption/Hash : ecp384/aes256/sha512
DPD Enabled : yes
DPD Delay : 10
DPD Timeout : 30
Authentication Override
Authentication Type : psk
Remote ID : prisma-tunnel@[Link]
Local ID Type : custom
Local ID : cgx-tunnel.2@[Link]
Device : sl2
State : up
Last Change : 2021-02-04 [Link].502 (11h36m2s ago)
Address : [Link]/31
Route : [Link]/0 via [Link] metric 0
Extended State : tunnel_up
IPSec Algo : AES_CBC_256_HMAC_SHA2_512_256
Ike Algo : AES_CBC_256HMAC_SHA2_512_256
Remote IP : [Link]
Local IP : [Link]
IkeLastRekeyed : 2021-02-04 [Link].744106061 +0000 UTC
IkeNextRekey : 2021-02-05 [Link].744106976 +0000 UTC
IPsecLastRekeyed: 2021-02-05 [Link].850020484 +0000 UTC
IPsecNextRekey : 2021-02-05 [Link].850022436 +0000 UTC
Peer configured on interface Ipv4Addr: [Link]
---------------------------------------------------------------

Liveliness probe status


---------------------------------------------------------------
Type : icmp
Ipv4 : [Link]
Status : true
Latency : 251
Last updated : 2021-02-04T[Link]

Prisma SD-WAN ION Device CLI Reference 292 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Output for DC-DC Interconnectivity

dump servicelink status sldev=sl1


ServiceLink : sl1
Interface : ToDC
Description : To Hub2
ID : 1703221347301010628
Type : service_link (ipsec)
Admin State : up
Alarms : enabled
Auth Type : none
NetworkContextID :
VRFContextID : 1692629914880022528
Vni : 0
VRF Name : Global
IpfixCollectorContextID :
IpfixFilterContextID :
Scope : local
Directed Broadcast : false
MTU : 1400
IP : static
Address : a.b.1.1/24
IPv6 : No configuration
Parent Interface : 1
Parent Device : eth1
Peer : p.q.27.38
IPSec Profile : DC-DC
Authentication Type : psk
Local ID Type : local_ip
Key Exchange : ikev1
IKE Mode : Main
IKE Lifetime : 24 hours
IKE Remote Port : 500
IKE DH Group/Encryption/Hash : modp1536/aes256/sha256, modp2048/
aes128/sha256, ecp384/aes128/sha256
ESP Lifetime : 8 hours
ESP Encapsulation : Auto
ESP DH Group/Encryption/Hash : modp1536/aes256/sha256, modp1024/
aes128/sha256
DPD Enabled : yes
DPD Delay : 1
DPD Timeout : 5
Passive Mode : disabled
Authentication Override
Authentication Type : psk
Remote ID : hub2@[Link]
Local ID Type : custom
Local ID : hub1@[Link]

Device : sl1
State : up
Last Change : 2024-05-08 [Link].739 (19h58m5s ago)
Address : a.b.1.1/24
VRF Context ID : 1692629914880022528
VRF Name : Global
Vni : 0

Prisma SD-WAN ION Device CLI Reference 293 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Extended State : tunnel_up


IPSec Algo : AES_CBC_256_HMAC_SHA2_256_128
Ike Algo : AES_CBC_256HMAC_SHA2_256_128
Remote IP : p.q.27.38
Local IP : p.q.27.37
IkeNextRekey : 2024-05-09 [Link].690634914 +0000 UTC
IPsecLastRekeyed: 2024-05-08 [Link].342122037 +0000 UTC
IPsecNextRekey : 2024-05-09 [Link].342127823 +0000 UTC
DPDK Controlled : false
Passive Mode State : false
Peer configured on interface
IPv4Addr: p.q.27.38

dump site config


Use the dump site config command to display the details of site-level configuration.
Information displayed includes the name of the tenant id (a unique identifier for a tenant), the site
id (a unique identifier for a site), site type (indicates if the site is a branch or a data center), and site
state (active or disabled).

Command

dump site config

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.4.1

Example

dump site config


Site ID : 14739338134150055
Type : SPOKE
Tenant ID : 200
Site State : active

dump snmpagent config


Use the dump snmpagent config command to display the information on SNMP agent
configuration.

Prisma SD-WAN ION Device CLI Reference 294 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump snmpagent config

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.5.1

Example

dump snmpagent config


V2Config
Enabled : true
Community : public
V3Config
Enabled : true
UserName : Admin
SecurityLevel : Private
EngineID : 0102030405
AuthType : SHA
AuthPhrase: k3JyaaTwHidwLZTkAn01yA==
EncType : DES
EncPhrase : g/VOugXLQvgsxJ1dHx98SQ==

dump snmpagent status


Use the dump snmpagent status command to display the information on SNMP agent status.

Command

dump snmpagent status

Options

None

Prisma SD-WAN ION Device CLI Reference 295 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.7.1

Example

dump snmpagent status


SNMP agent is running

dump software status


Use the dump software status command to display the software status. Information
displayed includes the software id, which is a unique identifier of the software version currently
running on the device.

Command

dump software status

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.4.1

Example

dump software status


CurrentVersion : 4.4.1-pre-b38

APICompleteSha :03840820cf4ec0bfc64cc21ae972c65cd7f2a189642d28c4c271a7196565bb9

APIMajorSha :8e9bbb49861fe9a38df62c693772136a4b4863348800d6b3cf90ce3e3a856cca

Prisma SD-WAN ION Device CLI Reference 296 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump spoke-ha config


Use the dump spoke-ha config command to display branch ION device configuration
for high availability (HA). Information includes the name of the cluster, description, cluster
ID, advertisement interval in seconds, whether preemption is enabled or disabled, HA control
interface, redundancy group ID, base priority of the ION, Interface tracked for availability and
the priority adjustment to be made when the interface becomes unavailable, and WAN Interface
tracked for reachability and the priority adjustment to be made when reachability is down.

Command

dump spoke-ha config

Options

None

Command Notes

Role Super, Read Only Monitor

Related Commands —

Introduced in Release 5.1.1

Example

dump spoke-ha config


Name: HA
Enable: true
Cluster ID: 16138454814560175
Description:
Advertisement Interval: 1
Preempt: true
Interface: controller 1
Group ID: 133
Base Priority: 200
Track Interface: controller 1 reduce 200
WAN Reachability: BR1-INT2 (9) reduce 200

dump spoke-ha status


Use the dump spoke-ha status command to display branch ION device status for high
availability (HA). Information includes whether the ION device is active in a cluster, if a peer is
connected, base priority, interface tracked for availability and the priority adjustment to be made
when interface becomes unavailable, WAN Interface tracked for reachability and the priority
adjustment to be made when reachability is down, effective priority when adjustments are made
for interface availability and WAN reachability, and the update time.

Prisma SD-WAN ION Device CLI Reference 297 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump spoke-ha status

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump spoke-ha config

Introduced in Release 5.1.1

Example

dump spoke-ha status


Active: true
Peer Connected: true
Base Priority: 150
Effective Priority: 150
Updated: 2021-03-10 [Link].240 (1h13m25s ago)
dump spoke-ha status
Active: false
Peer Connected: true
Base Priority: 150
Priority Adjustment: -100 wanReachability MTNL_Public (6)
Effective Priority: 50
Updated: 2021-03-10 [Link].157 (2.329s ago)

dump standingalarms
Use the dump standingalarms command to display the outstanding alarms. Information
displayed includes the codes, alarm severity, time of alarm generation along with the site ID.

Command

dump standingalarms

Options

None

Prisma SD-WAN ION Device CLI Reference 298 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.4.1

Example

dump standingalarms
Alarm code: NETWORK_VPNPEER_UNAVAILABLE
Type: alarm
Device time: 2018-05-07T[Link].433
Severity: minor
Status: Not cleared
SITE_ID: 15209369385900097
PEER_SITE_ID: 15232631532540203
IDENT: 15232573714440190
Alarm code: NETWORK_VPNLINK_DOWN
Type: alarm
Device time: 2018-05-07T[Link].448
Severity: major
Status: Not cleared
IDENT: 15232649210690118
SITE_ID: 15209369385900097
AL_ID: 15232631538940074
VPN_LINK_ID: 15232649210400116
Alarm code: NETWORK_DIRECTPRIVATE_DOWN
Type: alarm
Device time: 2018-05-07T[Link].023
Severity: major
Status: Not cleared
SITE_ID: 15209369385900097
REASON: bfd_down
IDENT: 15209369385900097

dump static-arp config


Use the dump static-arp config command to display the address resolution protocol (ARP)
table and displays the ARP cache for all or a specific interface.

Command

dump static-arp config ( all | interface )

Options

all Enter all to display the entire ARP cache.

Prisma SD-WAN ION Device CLI Reference 299 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

interface Enter interface to display the ARP cache for a specific interface
name or ID.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.5.1

Example

dump static-arp config all


Interface : eth1
Static ARP : [Link], mac [Link]

: [Link], mac [Link]

dump static host config


Use the dump static host config command to display the details of static host
configurations. The address is the IP address mapped to a host. Multiple hosts separated by
spaces are mapped to the same IP address.

Command

dump static host config

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.4.1

Example

dump static host config

Prisma SD-WAN ION Device CLI Reference 300 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Address Hosts
[Link] [Link]
[Link] [Link]

dump static routes


Use the dump static routes command to display the static routes configured. Information
displayed includes the destination prefixes, route IDs, scope, next hop IP address and the admin
distance.

Command

dump static routes

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump static routes


Destination Prefix : [Link]/24
Route ID : 15305206799980113
Scope : global
Nexthop IP : [Link]
Admin Distance : 1
Nexthop IP : [Link]
Admin Distance : 2
Destination Prefix : [Link]/24
Route ID : 15305207178250142
Scope : global
Nexthop Interface ID : 15207799720350195
Admin Distance : 1

dump support details


Use the dump support details command to display the device configuration, current state,
logs, and core dump summaries.

Prisma SD-WAN ION Device CLI Reference 301 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump support details file=


<filename>

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.7.1

Example

dump-support details file=abc


# file view abc
****************************************
Device support details
****************************************
dump appdef config all=true
-----------------------------------------
Application ID : 2120
Application Name : openvpn
Display Name : openvpn
Type : ndpi
Application Category : tunnel
Application Transfer Type : bulk
...
Application Policy Rule ID : 15186805759380011
Application Policy Rule Name : quadstor-vtl-backup-Policy
Application ID : 15186805647100189
Application name : quadstor-vtl-backup
Priority Number : 2
Network ID: none
Active Paths:
Path ID : 15186805736810077
Path Label : public-*
Path Type : VPN
Path Label : private-*
Path Type : DIRECT
Backup Paths : none
dump bfd status all=true
-----------------------------------------
There are 0 sessions:
dump bypass-pair config

Prisma SD-WAN ION Device CLI Reference 302 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

-----------------------------------------
Bypass Pair : 4 & 5
Propagate Lan State : No
Hardware Relay : No
Admin State : up
Used For : public
...

dump-support
Use the dump-support command to download all the CLI command outputs, cores and device
logs in a tar file. Saves the log file in your home directory; You can list the files using the file
list command. You can also export the file to an SCP server using the file export command.

Command

dump-support ( all | core | syslog |output ) file=<tar_name>

Options

syslog Enter syslog to collect all the syslog [Link]


6.4.1

core Enter core to collect all the core files. Release


6.4.1

output Enter output with a file name tp collect all the


output files to be exported. It displays the device
configuration, current state, logs, and core dump
summaries.

all Enter all to capture syslog, core and output files to


be exported. Release 6.4.1

Command Notes

Role Super

Related Commands

Introduced in Release 5.6.11

Example

dump-support output file=abc


# file view abc
****************************************
Device support details

Prisma SD-WAN ION Device CLI Reference 303 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

****************************************
dump appdef config all=true
-----------------------------------------
Application ID : 2120
Application Name : openvpn
Display Name : openvpn
Type : ndpi
Application Category : tunnel
Application Transfer Type : bulk
...
Application Policy Rule ID : 15186805759380011
Application Policy Rule Name : quadstor-vtl-backup-Policy
Application ID : 15186805647100189
Application name : quadstor-vtl-backup
Priority Number : 2
Network ID: none
Active Paths:
Path ID : 15186805736810077
Path Label : public-*
Path Type : VPN
Path Label : private-*
Path Type : DIRECT
Backup Paths : none
dump bfd status all=true
-----------------------------------------
There are 0 sessions:
dump bypass-pair config
-----------------------------------------
Bypass Pair : 4 & 5
Propagate Lan State : No
Hardware Relay : No
Admin State : up
Used For : public
...

Extracting tar file will give dump_support_output and logs.

tar -xf 10_14_2022_dump_logs.[Link]


ls 10_14_2022_dump_logs.[Link] dump_support_output log
ls log/syslog

file export <interface> <file to export> scp://


user@host[:port]:location
Example: file export controller1 tech-support-file scp://
admin@[Link]:/home/user/tech-support-file

dump-support all file=all


Collecting outputs file
dump tpm status...TPM device not foundld-profile...
dump geneve ifaces-overview... Geneve Interfaces Overview

------------------------------------------------------

Summary:
Total : 0

Prisma SD-WAN ION Device CLI Reference 304 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

TotalUP : 0
TotalDown : 0
------------------------------------------------------

Collecting syslog filesdress-table...ace......ts...


Collecting core files
Generating tech support file
Successfully generated tech support file all

dump switch fdb vlan-id


Use this command to display the MAC address learnt of the VLAN and switch ports.

Command
dump switch fdb vlan-id

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.0.2

Example

-------------------------------------------------------
FID MAC LAG PORTVEC STATE FPRI QPRI
-------------------------------------------------------

dump switch port status


Use this command to view the port status for a particular interface or all the interfaces.

Command
dump switch port status

Options

None

Prisma SD-WAN ION Device CLI Reference 305 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.0.2

Example

Switch Port : 7Link : downSpeed :Duplex :AutoNeg


: onPower : on

dump switch vlan-db


Use the dump switch vlan-db command to display the available VLANs on the switch and
which members are part of the VLAN programmed in the device.

Command
Dump switch vlan-db

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.0.2

Example

FID VID SID MEMBERTAGP VP USEFPRI FPRI USEQPRI QPRI


DONTLEARN FILTERUC FILTERBC FILTERMC routeDis MLDSnoop IGMPSnoop
-------------------------------------------------------------------------------
0x1 0x1 0x0 3 3 3 3 3 1 1 1 1 2 3 0 0 0 0
0 0 0 0 0 0 1
10x3e8 0x3e8 0x0 3 3 3 1 3 3 3 3 3 2 3 0 0 0 0
0 0 0 0 0 0 1
10x3e9 0x3e9 0x0 3 3 3 3 1 3 3 3 3 2 3 0 0 0 0
0 0 0 0 0 0 1
10xfa3 0xfa3 0x0 3 0 3 3 3 3 3 3 3 3 0 0 0 0 0
0 0 0 0 0 0 0
00xfa4 0xfa4 0x0 3 3 0 3 3 3 3 3 3 3 0 0 0 0 0
0 0 0 0 0 0 0 0

Prisma SD-WAN ION Device CLI Reference 306 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options 0x63 0x63 0x0 3 3 3 3 2 2 3 1 2 2 3 0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 3 2 2 3 1 2 2 3


represent from switch port 0 to 10 2 is a member of the vlan 3 is not a member of the vlan 1 is a
member, also the port’s default vlan

dump syslog config


Use the dump syslog config command to display the configuration details such as server ID,
server IP address, server fully qualified domain name (FQDN), server port, protocol used, severity
level and status of the enabled flag for syslog server support.

Command

dump syslog config

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 4.6.1

Example

dump syslog config


Server ID : 16299866452050021
Server Name : Windows-10
Description :
Server IP : [Link]
Server FQDN :
Server Port : 514
Protocol : tcp
Severity Level : minor
Enable flag : true

dump syslog-rtr stats


Use the dump syslog-rtr stats command to display the current status of the syslog
router. Information displayed includes the number of configured syslog servers, names and IP
addresses of the syslog servers, interfaces on which syslog servers are configured, cipher info, and
connection details.

Prisma SD-WAN ION Device CLI Reference 307 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump syslog-rtr stats

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump syslog config

dump syslog status

Introduced in Release 5.1.15

Example

dump syslog-rtr stats


Syslog service is running

Server Name : Windows-10


Enabled : true
Flow logging Enabled : true
Connected : true
IP : [Link]
Server FQDN : NA
Port : 514
Protocol : 6
Cipher Info : NA
Src Interface : eth0
Src Interface IP : [Link]
Alarm Enabled : false
Alarm Reason : NA
Connect Fail Count : 6
Connect Success Count : 4
Send Fail Count : 0
Send Skip Count : 172
Send Skip Severity Count: 0
Send Retry Count : 0
Send Success Count : 2042
Server Disconnect Count : 0
Sockfd : 17
Connected clients : 3

Prisma SD-WAN ION Device CLI Reference 308 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump syslog status


Use the dump syslog status command to display the syslog service status.

Command

dump syslog status

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump syslog config

Introduced in Release 4.6.1

Example

dump syslog status


Syslog service is Running

dump time config


Use the dump time config command to display the time servers used by the device.
Information displayed includes the NTP version and polling interval. Polling happens at random
intervals between the two values of min poll and max poll seconds. Hosts with the same
performance, min poll, and max poll values as a group.

Command

dump time config

Options

None

Prisma SD-WAN ION Device CLI Reference 309 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump time status

Introduced in Release 4.7.1

Example

dump time config


ntp server version min poll max poll
[Link] 4 13 15

dump time log


Use the dump time log command to display the time synchronization logs.

Command

dump time log

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump time status

Introduced in Release 4.7.1

Example

dump time log


2018-03-05T[Link].788Z inf elmgr/1270 cts-poll {
"data": {
"delta": -15.683,
"ip": "",
"slop": 1.1539999999999999,
"stratum": 0
},
"update": {

Prisma SD-WAN ION Device CLI Reference 310 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

"drift": -15.683,
"old_drift": -15.288639
}
}
2018-03-05T[Link].788Z inf elmgr/1270 do-time-adj {
"output": {
"drift": -15.683,
"old_drift": -15.288639
}
}
2018-03-05T[Link].564Z inf elmgr/1270 ntp-poll {
"answer": {
"delta": -15.679638000000001,
"host": "[Link]",
"ip": "[Link]",
"slop": 10.453676,
"stratum": 1,
"update": {
"drift": -15.679639999999999
}
}
}

dump time status


Use the dump time status command to display the latest information from time
[Link] displayed includes:
• Current time—Displays system time on the device.
• Current drift—Displays system time adjustment specified by the importance of being ahead or
behind, according to time sync information.
• Server—Displays either a configured NTP server or the controller time source (CTS).
• Polled—Displays the time when sent the last request to a time server.
• Error—Displays the latest error obtained on contacting the server.
• Selected—Displays the last time this server was the first to answer when selected it.
• Delta—Displays the difference in time of the system and the time server along with the margin
of error.
• Address—Displays the address of the selected server.
• Stratum—Displays the stratum of the time server.
• Action—Displays the action taken; drift means slow or speeds up the system clock, a jump
means change immediately.

Command

dump time status

Prisma SD-WAN ION Device CLI Reference 311 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump time config

Introduced in Release 4.7.1

Example

dump time status


Current Time 2018-03-05 [Link].726938694 +0000 UTC
Current Drift -15.682
Server Event
[Link] polled 13m4s ago
selected 13m4s ago
delta -15.680±10.454
address [Link]
stratum 1
action drift -15.680
CTS polled 1.939s ago
selected 1.939s ago
delta -15.683±1.154
action drift -15.683

dump troubleshoot message


Use the dump troubleshooting message command to display the troubleshooting message.

Command

dump troubleshooting message

Options

None

Command Notes

Role Super, Read Only, Monitor

Prisma SD-WAN ION Device CLI Reference 312 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Related Commands —

Introduced in Release 4.4.1

Example

dump troubleshoot message


Troubleshoot Message : Key missing in License metadata

dump user-id agent config


Use the dump user-id agent config command to display the User-ID agent configurations
details.

Command

dump user-id agent config (all, id=)

Options

all Enter all to display configuration of all User-ID


agents on the device.

id Enter an ID to display the configuration for the


User-ID agent.

Command Notes
This command will apply only to data center ION devices.

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump user-id agent config all


Id: 16201238163240365
Name: Agent2
Enabled: true
IP: [Link]
FQDN:
Port: 5007
Source Interface: 16111564359360135
Authentication Info:
Collector Name: pavm1vsys1

Prisma SD-WAN ION Device CLI Reference 313 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Certificate:
Subject:
CN=[Link],OU=clienttest,O=clienttestmain,L=client2place,ST=CA,C=US
Issuer:
CN=rsyslogtest,OU=catest,O=catestmain,L=catestplace,ST=CA,C=US,1.2.840.113549.1
Not Before: 2021-10-21 [Link] +0000 UTC
Not After: 2024-07-17 [Link] +0000 UTC
Remote CA Certificate:
Subject:
CN=rsyslogtest,OU=catest,O=catestmain,L=catestplace,ST=CA,C=US,1.2.840.113549.1
Issuer:
CN=rsyslogtest,OU=catest,O=catestmain,L=catestplace,ST=CA,C=US,1.2.840.113549.1
Not Before: 2021-02-03 [Link] +0000 UTC
Not After: 2031-02-01 [Link] +0000 UTC

Id: 16201238163240254
Name: Agent1
Enabled: true
IP: [Link]
FQDN:
Port: 5007
Source Interface: 16111564359710142
Authentication Info:
Collector Name: pavm1vsys1
Certificate:
Subject:
CN=[Link],OU=clienttest,O=clienttestmain,L=clientplace,ST=CA,C=US
Issuer:
CN=rsyslogtest,OU=catest,O=catestmain,L=catestplace,ST=CA,C=US,1.2.840.113549.1
Not Before: 2021-09-20 [Link] +0000 UTC
Not After: 2024-06-16 [Link] +0000 UTC
Remote CA Certificate:
Subject:
CN=rsyslogtest,OU=catest,O=catestmain,L=catestplace,ST=CA,C=US,1.2.840.113549.1
Issuer:
CN=rsyslogtest,OU=catest,O=catestmain,L=catestplace,ST=CA,C=US,1.2.840.113549.1
Not Before: 2021-02-03 [Link] +0000 UTC
Not After: 2031-02-01 [Link] +0000 UTC

dump user-id agent statistics


Use the dump user-id agent statistics command to display the statistics for the User-ID
agent.

Command

dump user-id agent statistics (all, id=)

Options

all Enter all to display statistics for all the User-ID


agents on the device.

Prisma SD-WAN ION Device CLI Reference 314 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

id Enter an ID to display the statistics for the User-


ID agent.

Command Notes
This command applies only to data center ION devices.

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump user-id agent statistics all


Id: 16201238163240222
Name: AgentTestPassphrase
Connection Stats:
Connected: 1
IP-User Mappings: 250000
Packet Stats:
Send:
GET-ALL-USER-IP: 1
GET-STATUS: 1
HEARTBEAT: 1
SET-FILTER: 1
Receive:
GET-STATUS: 1
HEARTBEAT-REP:1
USER-IP-POST: 5556

Id: 16201238163240333
Name: AgentSimulator
Connection Stats:
Connected: 1
Connection failure: 1
IP-User Mappings: 250000
Packet Stats:
Send:
GET-ALL-USER-IP: 1
GET-STATUS: 1
SET-FILTER: 1
Receive:
GET-STATUS: 1
USER-IP-POST: 5556

dump user-id agent status


Use the dump user-id agent status command to display the status of the User-ID agent.

Prisma SD-WAN ION Device CLI Reference 315 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump user-id agent status

Options

all Enter all to display status of all the User-ID agents


on the device.

id Enter an ID to display the status for the User-ID


agent.

Command Notes
This command is applicable for data center ION devices only.

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump user-id agent status all


Id: 16201238163240254
Name: Agent1
State: Completed
Active: 142h32m35s
Source Interface: 16111564359710142(status: Completed)
Version: TLS 1.2
Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Remote Cert: Subject:
CN=[Link],OU=servertest,O=servertestmain,L=serverplace,ST=CA,C=US
Issuer:
CN=rsyslogtest,OU=catest,O=catestmain,L=catestplace,ST=CA,C=US,1.2.840.113549.1
Not Before: 2021-02-03 [Link] +0000 UTC
Not After: 2023-10-31 [Link] +0000 UTC
Last Heartbeat Reply: 15s ago
Last Disconnect Reason: None

Id: 16201238163240365
Name: Agent2
State: Completed
Active: 142h32m35s
Source Interface: 16111564359710142(status: Completed)
Version: TLS 1.2
Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Remote Cert: Subject:
CN=[Link],OU=servertest,O=servertestmain,L=serverplace,ST=CA,C=US

Prisma SD-WAN ION Device CLI Reference 316 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Issuer:
CN=rsyslogtest,OU=catest,O=catestmain,L=catestplace,ST=CA,C=US,1.2.840.113549.1
Not Before: 2021-02-03 [Link] +0000 UTC
Not After: 2023-10-31 [Link] +0000 UTC
Last Heard: 15s ago
Last Disconnect Reason: None

dump user-id agent status Id=16201238163240254


Id: 16201238163240254
Name: Agent1
State: Completed
Active: 142h32m39s
Source Interface: 16111564359710142(status: Completed)
Version: TLS 1.2
Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Remote Cert: Subject:
CN=[Link],OU=servertest,O=servertestmain,L=serverplace,ST=CA,C=US
Issuer:
CN=rsyslogtest,OU=catest,O=catestmain,L=catestplace,ST=CA,C=US,1.2.840.113549.1
Not Before: 2021-02-03 [Link] +0000 UTC
Not After: 2023-10-31 [Link] +0000 UTC
Last Heard: 19s ago
Last Disconnect Reason: None

dump user-id agent summary


Use the dump user-id agent summary command to display the summary of the User-ID
agent.

Command

dump user-id agent summmary

Options

None

Command Notes
This command applies only to data center ION devices.

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump user-id agent summary

Prisma SD-WAN ION Device CLI Reference 317 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Id Name State Active


16201238163240254 Agent1 Completed 142h32m28s
16201238163240365 Agent2 Completed 142h32m28s

dump user-id groupidx


Use the dump user-id groupidx command to display the group index pushed from the
controller.

Command

dump user groupidx ( all | groupname )

Options

all Enter all to display all the group indices on the


device.

groupname Enter a group name to display the group index for


the group.

Command Notes
This command applies only to branch ION devices.

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump user-id groupidx all


Groupname GroupIndex
employees 158622979242302242
sales 158622979242302241
engineering 158622979242302240

dump user-id groupidx groupname=sales


Groupname GroupIndex
sales 158622979242302241

dump user-id group-mapping


Use the dump user-id group-mapping command to display the group mapping learnt from
the controller.

Prisma SD-WAN ION Device CLI Reference 318 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump user-id group-mapping ( all | username= | groupname= )

Options

all Enter all to display information for all the group mappings
learnt from the controller.

username Enter a username to display group mapping learnt from the


controller for the user.

groupname Enter a groupname to display information learnt from the


controller for the group.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump user-id group-mapping all


Username Groups
user/alice employees
user/bob employees
user/madhu engineering
employees
user/ravi engineering
sales

dump user-id group-mapping username=user/alice


Username Groups
user/alice employees

dump user-id group-mapping groupname=sales


Username Groups
user/ravi engineering
Sales

dump user-id ip-user-mapping


Use the dump user-id ip-user-mapping command to display the IP address to user
mapping learnt from the controller.

Prisma SD-WAN ION Device CLI Reference 319 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump user ip-user-mapping ( all | ip-address )

Options

all Enter all to display all the IP address to user


mappings on the device.

ip-address Enter an IP address to display the user mapping


for the IP address.

Command Notes
This command applies only to branch ION devices.

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump user-id ip-user-mapping all


IP-Address UserIndex UserName Expire Time
[Link] 15862297924230219 user/madhu 2022-09-23 [Link]
+0000 UTC
[Link] 15862297924230222 user/bob 2022-09-23 [Link]
+0000 UTC
[Link] 15862297924230220 user/ravi 2022-09-23 [Link]
+0000 UTC
[Link] 15862297924230221 user/alice 2022-09-23 [Link]
+0000 UTC

dump user-id statistics


Use the dump user-id statistics command to display statistics of the User-ID service.

Command

dump user-id statistics

Options

None

Prisma SD-WAN ION Device CLI Reference 320 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump user-id statistics


Total ip-user mappings received: 100
Total ip-user mappings queued: 0
Total ip-user mappings sent to controller: 100
Total ip-user messages sent to controller: 1

dump user-id status


Use the dump user-id status command to display the status of the User-ID service and its
functionality.

Command

dump user-id status

Options

None

Command Notes
This command is applicable for Data Center ION devices only.

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump user-id status


User-ID service running
User-ID functionality is active

Prisma SD-WAN ION Device CLI Reference 321 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dump user-id summary


Use the dump user-id summary command to display the number of users, groups, IP address
to user mapping, and user-group mapping learnt from the controller.

Command

dump user-id summmary

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump user-id summary


Number of IP User Mappings: 4
IP Address: [Link]
UserIndex: 15862297924230219
UserName: user/madhu
Expire Time: 2022-09-23 [Link] +0000 UTC
User Groups:
GroupIndex : 158622979242302240 GroupName : engineering
GroupIndex : 158622979242302242 GroupName : employees

IP Address: [Link]
UserIndex: 15862297924230222
UserName: user/bob
Expire Time: 2022-09-23 [Link] +0000 UTC
User Groups:
GroupIndex : 158622979242302242 GroupName : employees

IP Address: [Link]
UserIndex: 15862297924230220
UserName: user/ravi
Expire Time: 2022-09-23 [Link] +0000 UTC
User Groups:
GroupIndex : 158622979242302240 GroupName : engineering
GroupIndex : 158622979242302241 GroupName : sales

IP Address: [Link]
UserIndex: 15862297924230221

Prisma SD-WAN ION Device CLI Reference 322 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

UserName: user/alice
Expire Time: 2022-09-23 [Link] +0000 UTC
User Groups:
GroupIndex : 158622979242302242 GroupName : employees

dump user-id useridx


Use the dump user-id useridx command to display the user index pushed from the
controller.

Command

dump user useridx ( all | username )

Options

all Enter all to display all the user indices on the


device.

username Enter a username to display the user index for the


user.

Command Notes
This command applies only to branch ION devices.

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.2.1

Example

dump user-id useridx all


Username UserIndex
user/alice 15862297924230221
user/bob 15862297924230222
user/madhu 15862297924230219
user/ravi 15862297924230220
unknown 15862297924230223

dump vlan member


Use the dump vlan member command to view the VLAN members of the switch ports.

Prisma SD-WAN ION Device CLI Reference 323 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump vlan member

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 6.0.2

Example

VLAN ID VLAN Name VLAN type Members


-------- ------------------- --------- ----------------
1 vlan1 data 10, 7, 8, 9
1000 vlan_1000 data 5
1001 vlan_1001 data 6
* Default Vlan : vlan1

dump vpn count


Use the dump vpn count command to display the total count for all public and private virtual
private networks (VPNs) KeepAlive sessions.

Command

dump vpn count

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Prisma SD-WAN ION Device CLI Reference 324 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 5.4.1

Example

dump vpn count


Number of public VPNs=6
Number of private VPNs=3
Total VPNs=9

dump vpn ka all


Use the dump vpn ka all command to display the information about all VPN KeepAlive
sessions.

Command

dump vpn ka all

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.4.1

Example

dump vpn ka all


vep_id=15915113777470065 local_shim=[Link] remote_
shim=[Link] state=UP
ka_interval=1000 msec, ka_count=3
fast_tx_mode: False
rx_timeout in 772 msec
next transmit in 716 msec
rx_failure_count=0
seq=3 last_ack_seen=3 ack_sent=1
local: active=True usable=True core_peering_up=True fc_up=True
remote: active=False usable=False core_peering_up=True fc_up=True

vep_id=15915113773860252 local_shim=[Link] remote_


shim=[Link] state=UP
ka_interval=1000 msec, ka_count=3

Prisma SD-WAN ION Device CLI Reference 325 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

fast_tx_mode: False
rx_timeout in 623 msec
next transmit in 357 msec
rx_failure_count=0
seq=2 last_ack_seen=2 ack_sent=1
local: active=True usable=True core_peering_up=True fc_up=True
remote: active=False usable=False core_peering_up=True fc_up=True

vep_id=15889791457500187 local_shim=[Link] remote_


shim=[Link] state=UP
ka_interval=1000 msec, ka_count=3
fast_tx_mode: False
rx_timeout in 207 msec
next transmit in 746 msec
rx_failure_count=0
seq=3 last_ack_seen=3 ack_sent=1
local: active=True usable=True core_peering_up=True fc_up=True
remote: active=False usable=False core_peering_up=True fc_up=True

vep_id=15915099843000157 local_shim=[Link] remote_


shim=[Link] state=UP
ka_interval=1025 msec, ka_count=5
fast_tx_mode: False
rx_timeout in 795 msec
next transmit in 193 msec
rx_failure_count=0
seq=3 last_ack_seen=3 ack_sent=1
local: active=True usable=True core_peering_up=True fc_up=True
remote: active=False usable=False core_peering_up=True fc_up=True

vep_id=15915113777470069 local_shim=[Link] remote_


shim=[Link] state=UP
ka_interval=1000 msec, ka_count=3
fast_tx_mode: False
rx_timeout in 482 msec
next transmit in 311 msec
rx_failure_count=0
seq=3 last_ack_seen=3 ack_sent=1
local: active=True usable=True core_peering_up=True fc_up=True
remote: active=False usable=False core_peering_up=True fc_up=True

vep_id=15906873445710096 local_shim=[Link] remote_


shim=[Link] state=UP
ka_interval=1000 msec, ka_count=3
fast_tx_mode: False
rx_timeout in 194 msec
next transmit in 520 msec
rx_failure_count=0
seq=2 last_ack_seen=2 ack_sent=3
local: active=True usable=True core_peering_up=True fc_up=True
remote: active=False usable=False core_peering_up=True fc_up=True

vep_id=15915099835840090 local_shim=[Link] remote_


shim=[Link] state=UP
ka_interval=1000 msec, ka_count=3
fast_tx_mode: False

Prisma SD-WAN ION Device CLI Reference 326 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

rx_timeout in 18 msec
next transmit in 31 msec
rx_failure_count=0
seq=3 last_ack_seen=3 ack_sent=1
local: active=True usable=True core_peering_up=True fc_up=True
remote: active=False usable=False core_peering_up=True fc_up=True

vep_id=15889791470980001 local_shim=[Link] remote_


shim=[Link] state=UP
ka_interval=1000 msec, ka_count=3
fast_tx_mode: False
rx_timeout in 530 msec
next transmit in 436 msec
rx_failure_count=0
seq=3 last_ack_seen=3 ack_sent=4
local: active=True usable=True core_peering_up=True fc_up=True
remote: active=False usable=False core_peering_up=True fc_up=True

dump vpn ka summary


Use the dump vpn ka summary command to display the information for all virtual private
networks (VPNs) Keep-alive sessions.

Command

dump vpn ka summary

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.4.1

Example

dump vpn ka summary


vep_id=15915113777470065 local_shim=[Link] remote_
shim=[Link] state=UP

vep_id=15915113773860252 local_shim=[Link] remote_


shim=[Link] state=UP

Prisma SD-WAN ION Device CLI Reference 327 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

vep_id=15889791457500187 local_shim=[Link] remote_


shim=[Link] state=UP

vep_id=15915099843000157 local_shim=[Link] remote_


shim=[Link] state=UP

vep_id=15915113777470069 local_shim=[Link] remote_


shim=[Link] state=UP

vep_id=15906873445710096 local_shim=[Link] remote_


shim=[Link] state=UP

vep_id=15915099835840090 local_shim=[Link] remote_


shim=[Link] state=UP

vep_id=15889791470980001 local_shim=[Link] remote_


shim=[Link] state=UP

dump vpn ka VpnID


Use the dump vpn ka VpnID command to display the detailed Keep-alive information about
specific VPN.

Command

dump vpn ka VpnID=

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.4.1

Prisma SD-WAN ION Device CLI Reference 328 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

dump vpn ka VpnID=15915113777470065


vep_id=15915113777470065 local_shim=[Link] remote_
shim=[Link] state=UP
ka_interval=1000 msec, ka_count=3
fast_tx_mode: False
rx_timeout in 772 msec
next transmit in 716 msec
rx_failure_count=0
seq=3 last_ack_seen=3 ack_sent=1
local: active=True usable=True core_peering_up=True fc_up=True
remote: active=False usable=False core_peering_up=True fc_up=True

dump vpn status


Use the dump vpn status command to display the information for a virtual private network
(VPN) link.

Command

dump vpn status ( VpnID= | VpnLinkID= )

Options

VpnID Enter the VPN ID to display the information for


that particular ID.

VpnLinkID Enter the VPN link ID to display the information


for that particular link ID.

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump vpn status VpnID=1650257699288022828


VEP ID: 1650257699288022828
vpnlink_id: 1650257699288023128
vpn_underlay_address_family : ipv6(Active)
local_ipv4: [Link]
remote_ipv4: [Link]

Prisma SD-WAN ION Device CLI Reference 329 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

local_ipv6: [Link]
remote_ipv6: [Link]
local_shim_ipv4: [Link]
remote_shim_ipv4: [Link]
peer_vep_id: 1650257699288022928
admin_up: true
devname: eth5
type: public
status: Up
active: true
usable: true
cipher: aes-256-cbc
link if_id: vpn3
Link is "Up"([Link]).
Link is "Usable".
Remote IP & Port: [Link]

dump vpn status VpnLinkID=1650257699288023128


VEP ID: 1650257699288022828
vpnlink_id: 1650257699288023128
vpn_underlay_address_family : ipv6(Active)
local_ipv4: [Link]
remote_ipv4: [Link]
local_ipv6: [Link]
remote_ipv6: [Link]
local_shim_ipv4: [Link]
remote_shim_ipv4: [Link]
peer_vep_id: 1650257699288022928
admin_up: true
devname: eth5
type: public
status: Up
active: true
usable: true
cipher: aes-256-cbc
link if_id: vpn3
Link is "Up"([Link]).
Link is "Usable".
Remote IP & Port: [Link]

dump vpn status VpnLinkID=1673510254318006577


VEP ID: 1673510254318006377
vpnlink_id: 1673510254318006577
vpn_underlay_address_family : ipv4(Active)
local_ipv4: [Link]
remote_ipv4: [Link]
local_ipv6: N/A
remote_ipv6: N/A
local_shim_ipv4: [Link]
remote_shim_ipv4: [Link]
peer_vep_id: 1673510254318006277
peer_site_role: HUB
admin_up: true
devname: 5
type: private

Prisma SD-WAN ION Device CLI Reference 330 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

status: Up
active: true
encap: vxlan
usable: true
cipher: aes-256-cbc
link_healthy: na
link if_id: vpn5
Spi: 2951605019
next_key_rotation: Thu Jan 12 [Link] UTC 2023
OutBytes: 2419186 OutPackets: 27692
InBytes: 2440744 InPackets: 27976
Link is "Up"([Link]).
Link is "Usable".
Remote IP & Port: [Link]:4500

dump vpn status VpnID=1710234858072020128


VEP ID: 1710234858072020128
vpnlink_id: 1710234858072020428
vpn_underlay_address_family : ipv4(Active)
local_ipv4: [Link]
remote_ipv4: [Link]
local_ipv6: N/A
remote_ipv6: N/A
local_shim_ipv4: [Link]
remote_shim_ipv4: [Link]
peer_vep_id: 1710234858072020228
peer_site_role: SPOKE
peer_site_branch_gateway: true
admin_up: true
devname: 4.10
type: public
status: Up
active: true
encap: geneve
usable: true
cipher: aes-256-cbc
link_healthy: na
link if_id: vpn21
Spi: 2892175933
next_key_rotation: Mon Mar 18 [Link] UTC 2024
OutBytes: 2858181 OutPackets: 32621
InBytes: 2817220 InPackets: 32359
Link is "Up"([Link]).
Link is "Usable".
Remote IP & Port: [Link]:4500

dump vpn summary


Use the dump vpn summary command to display the information for virtual private networks
(VPNs). In environments where there are multiple VPN paths, this command helps to pinpoint
VPN paths belonging to a specific circuit that are experiencing problems.

Prisma SD-WAN ION Device CLI Reference 331 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

dump vpn summary ( all | RemoteSite=remote-site-id | Active=(true


| false) | VpnType= (public | private) | Status=(Up | Down) | vrf-
name= | vni= )

Options

all Enter all to display all VPN paths.

RemoteSite Enter the remote site ID to filter VPN paths


between this device and a specific remote site.

Active Enter true to display all VPN paths between the


branch device and the active data center device.

VpnType Choose the type of VPN as either public or


Private WAN.

Status Select Up or Down to view status of active or


inactive VPN links.

vrf-name Enter the vrf name to filter VPN paths between


this device and a specific remote site. Release
6.3.1

vni Enter the vni to filter VPN paths between this


device and a specific remote [Link] 6.3.1

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.1

Example

dump vpn summary all


VepID Circuit-local Circuit-Remote Remote-Site
VpnType Interface SrcIP DstIP
Status Active
1650257699288022828 p10 p10 HW_branch
public 4 [Link]
[Link] Up true

dump vpn summary

Prisma SD-WAN ION Device CLI Reference 332 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

VepID Circuit-local Circuit-Remote Remote-Site


VpnType Interface SrcIP DstIP Status Active
FecEnabled
1691044560641007196 BR-SITE1-PVT1 DC-SITE1-PVT1 DC-SITE1
private 3 [Link] [Link] Up true false
1691044549083002096 BR-SITE1-PUB1 DC-SITE1-PUB1 DC-SITE1
public 2 [Link] [Link] Up true false
1693047867998008196 BR-SITE1-PVT1 BR-SITE2-PVT1 BR-SITE2
private 3 [Link] [Link] Up true false
1693191696405009296 BR-SITE1-PUB1 DC-SITE1-PUB2 DC-SITE1
public 2 [Link] [Link] Down true false

dump vrf
Use the dump vrf command to display the VRF, VRF Profiles, and VRF Route Leak Rules
configurations.

Command

dump vrf ( profile | info (id= | all) | route_leak_rule)

Options

profile Enter profile to display configuration for vrf profiles.

info Enter the id number to display configuration for a


specific vrf or enter all to display configuration for
all the vrf.

route_leak_rule Enter the route leak rule all to display configuration


for vrf leak rules.

Command Notes

Role Super, Read Only, Monitor

Related Commands

Introduced in Release 6.2.2-i

Example

dump vrf profile


ID : 1690291151483023296
Name : VRF-PROFILE-BR-SITE1
Description :

dump vrf info all


------------------------------------------------------------------

Prisma SD-WAN ION Device CLI Reference 333 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

VRF_ID VRF_Name Vni Default


------------------------------------------------------------------
1690268758377017596 Global 0 true
1692273028658009996 VRF006 180 false
1692273683744010396 VRF007 355 false
1692273774461016296 VRF008 107 false
1692273799353012096 VRF009 883 false
1692274012350019296 VRF010 234 false
1692274016645020396 VRF011 931 false
1692274020918010896 VRF012 372 false
1692274025215019796 VRF013 185 false
1692274029459019696 VRF014 938 false
1692274037246020096 VRF015 141 false
1692274063147021196 VRF016 138 false

dump vrf route_leak_rule all


--------------------------------------------------------------------------------
ID Name Src_VRF Src_Vni
Dest_VRF Dest_Vni Ipv4Prefixes
--------------------------------------------------------------------------------
324_326 VRF254 TO VRF255 VRF254 324 VRF255
326 [Link]/32
[Link]/32
[Link]/32
838_895 03 VRF031 TO VRF061 VRF031 838 VRF061
895 [Link]/32
895_838 02 VRF061 TO VRF031 VRF061 895 VRF031
838 [Link]/32

dump waninterface config


Use the dump waninterface config command to display the WAN circuit configurations.

Command

dump waninterface config

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.2.1

Prisma SD-WAN ION Device CLI Reference 334 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

dump waninterface config


WAN ID : 16285759500410061
Devices : 2
PathLabel : public-10
Type : publicwan
Cost : 128
BWConfigMode : manual
BWC enabled : enabled
Circuit-Label :
Application reachability probes : True
Controller connection : True
LQM : enabled
LQM for Non-Hub Paths : enabled
LQM Config
Inter packet gap : 100
Statistic : min

dump waninterface summary


Use the dump waninterface summary command to display the summary of WAN circuit
configurations.

Command

dump waninterface summary

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands —

Introduced in Release 5.0.3

Example

dump waninterface summary


WAN ID Devices PathLabel Type Cost
BWConfigMode BWC enabled BWC Agents Circuit-Label LQM
16390166973660113 4 public-12 publicwan 128 manual
disabled 400 / 401 enabled

Prisma SD-WAN ION Device CLI Reference 335 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

15332088894110080 1 private-9 privatewan 126 manual


enabled 500 / 501 enabled

Prisma SD-WAN ION Device CLI Reference 336 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Inspect Commands
Inspect commands enable users to display information on interfaces, devices, and routing. Only
Super and Read Only user role are allowed to access the inspect commands.
Learn more about the inspect commands:
• inspect app-flow-table
• inspect app-l4-prefix lookup
• inspect app-map
• inspect certificate
• inspect cgnxinfra role
• inspect connection
• inspect dhcplease
• inspect dpdk ip-rules
• inspect dpdk vrf
• inspect fib
• inspect fib-leak
• inspect flow-arp
• inspect flow brief
• inspect flow-detail
• inspect flow internal
• inspect interface stats
• inspect ip-rules
• inspect ipv6-rules
• inspect ipfix exporter-stats
• inspect ipfix collector-stats
• inspect ipfix app-table
• inspect ipfix wan-path-info
• inspect ipfix interface-info
• inspect lqm stats
• inspect memory summary
• inspect network-policy conflicts
• inspect network-policy dropped
• inspect network-policy hits policy-rules
• inspect network-policy lookup
• inspect performance-policy fec status
• inspect performance-policy hits analytics

Prisma SD-WAN ION Device CLI Reference 337 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

• inspect performance-policy incidents


• inspect performance-policy lookup
• inspect policy-manager status
• inspect policy-mix lookup-flow
• inspect priority-policy conflicts
• inspect priority-policy dropped
• inspect priority-policy hits default-rule-dscp
• inspect priority-policy hits policy-rules
• inspect priority-policy lookup
• inspect process status
• inspect qos-bwc debug-state
• inspect qos-bwc queue-history
• inspect qos-bwc queue-snapshot
• inspect routing multicast fc site-iface
• inspect routing multicast interface
• inspect routing multicast mroute
• inspect security-policy lookup
• inspect security-policy size
• inspect switch mac-address-table
• inspect system arp
• inspect system ipv6-neighbor
• inspect system vrf
• inspect vrf
• inspect wanpaths

inspect app-flow-table
Use the inspect app-flow-table command to inspect application flow tables and use to
debug application flow tables that match user-specified options. It displays DSCP markings on the
flows in both directions - LAN to WAN and WAN to LAN.

Command

inspect app-flow-table (all | prot=( udp | tcp | icmp | other ) |


srcv4=src-ipv4 | srcport=src-port | destv4=dst-ipv4 | dstport=dst-
port ))

Options

srcv4 Enter the source IP address.

Prisma SD-WAN ION Device CLI Reference 338 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dstv4 Enter the destination IP address.

srcport Enter the source port.

dstport Enter the destination port.

prot Tab to select UDP, TCP, or ICMP. Or, enter a


protocol number ranging from 0 - 255.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.6.1

Example

inspect app-flow-table
Source-IP SPort Dest-IP DPort Prot VLAN
L2W-DSCP W2L-DSCP Pkts Unk Reason
AppName Wan-path PathChangeReason
FST

-------------------------------------------------------------------------------
[Link] 41327 [Link] 443 tcp 0
['0x30'] ['0x0'] 2833/2247 None
"cloudgenix-control" 15017147952320044
2021-03-18T[Link].046000Z
[Link] 0 [Link] 53 udp 0
['0x0'] [] 1/0 None
"dns" 15017147952320044
2021-03-18T[Link].396000Z
[Link] 33336 [Link] 179 tcp 0
['0x30'] ['0x30'] 832/832 Flow in mid
unknown 0
2021-03-18T[Link].278000Z
[Link] 58835 [Link] 443 tcp 0
['0x30'] ['0x0'] 7415/5507 None
"cloudgenix-control" 15017147952320044
2021-03-18T[Link].316000Z
[Link] 33934 [Link] 179 tcp 0
[] ['0x30'] 7/0 Init State
unknown 0
2021-03-18T[Link].801000Z
[Link] 54413 [Link] 443 tcp 0
['0x30'] ['0x0'] 3152/2498 None
"cloudgenix-control" 15017147952320044
2021-03-18T[Link].045000Z
[Link] 59379 [Link] 443 tcp 0
['0x30'] ['0x0'] 5970/3168 None

Prisma SD-WAN ION Device CLI Reference 339 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

"cloudgenix-control" 15017147952320044
2021-03-18T[Link].045000Z
[Link] 54570 [Link] 59999 udp
0 ['0x0'] ['0x0'] 68/67
None "custom_udp-131557" 15938741581220143
active_path_available_path_chang 2021-03-18T[Link].315000Z
Total flows 8, tcp 6, udp 2, unknown application 2

inspect app-l4-prefix lookup


Use the inspect app-l4-prefix lookup command to identify lookup on a given destination
address in TCPPROXY L4-Prefix-Lookup table and also configures at the device level.

Command

inspect app-l4-prefix lookup dstv4=[Link] dstport=805


protocol= [ protocol=tcp|udp|ip ]

Options

tcp Enter tcp to look up a given destination address in


TCP L4-Prefix-Lookup table.

udp Enter udp to look up a given destination address


in UDP L4-Prefix-Lookup table.

ip Enter ip to look up a given destination address in


non-TCP-UDP L4-Prefix-Lookup table.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.4.1

Example

inspect app-l4-prefix lookup dstv4=[Link]


dstport=907protocol=udp
{
"App Found": "ring-central3",
"App ID": 3888,
"dscp": 0,
"App Name": "ring-central3",
"Order Number": 32768
}

Prisma SD-WAN ION Device CLI Reference 340 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

inspect app-l4-prefix lookup dstv4=[Link]


dstport=907protocol=tcp
{
"App Found": "disk",
"App ID": 65,
"dscp": 0,
"App Name": "disk",
"Order Number": 32768
}

inspect app-l4-prefix lookup dstv4=[Link]


dstport=907protocol=tcp
{
"App NOT Found": []
}

inspect app-map
Use the inspect app-map command to display the application ID to IP, port, or protocol
mapping cache.

Command

inspect app-map

Options

detail Enter detail to display details of app-map entries.

summary Enter summary to display brief details of app-map entries.

filter Set a filter to display filtered app-map entries using the following
parameters:

srcv4 Enter the source IP address.

dstv4 Enter the destination IP address.

srcv6 Enter the source IP address. Release 6.2.1

dstv6 Enter the destination IP [Link]


6.2.1

srcport Enter the source port.

dstport Enter the destination port.

prot-nm Tab to select UDP, TCP, or ICMP.

Prisma SD-WAN ION Device CLI Reference 341 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

prot-no Enter a protocol number ranging from 0 -


255.

Command Notes

Role Super, Read Only

Related Commands clear app-map-dynamic

Introduced in Release 5.0.3

Example

inspect app-map detail


UDP dst [Link].1080 -> app_id 15186805708420143
enterprise_app_id 0
anchor_ip 0
xfer_type 2
alg_rule 0
detected 1
expire_type 0
expire 18446744073709547259 sec s
order_number 32768
TCP dst [Link].7752 -> app_id 15186805708360135
enterprise_app_id 0
anchor_ip 0
xfer_type 2
alg_rule 0
detected 1
expire_type 0
expire 18446744073709547259 sec s
order_number 32768
UDP dst [Link].33462 -> app_id 15186805702410193
enterprise_app_id 0
anchor_ip 0
xfer_type 2
alg_rule 0
detected 1
expire_type 0
expire 18446744073709547259 se cs
order_number 32768...

inspect app-map summary


PROTOCOL DIRECTION IP PORT APP_NAME ENTERPISE_APP_NAME
DETECTED_APPS EXP_TYPE EXPIRY ORDER_NUMBER

-------------------------------------------------------------------------------
UDP dst [Link] 1080 "socks4" None -- Static
N/A32768TCP dst [Link] 7752 "meraki-control" None -- StaticN/A
32768inspect app-map filter prot-no=124

Prisma SD-WAN ION Device CLI Reference 342 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

PROTOCOL DIRECTION IP PORT APP_NAME APP_ID ENTERPISE_APPID


ENTERPISE_APP_NAME DETECTED_APPS EXP_TYPEEXPIRY ORDER_NUMBER

-------------------------------------------------------------------------------
124 src [Link] 0 ”is-is-over-ipv4"
149729554645600670 None -- Static N/A 32768

inspect app-map summary

Number of app-map entries : 2

PROTOCOL DIRECTION IP PORT APP_NAME


ENTERPISE_APP_NAME DETECTED_APPS
EXP_TYPE XFER_TYPE EXPIRY
ORDER_NUMBER
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
TCP dst [Link] 443 google-play
None --
Dynamic bulk 35999
32768
TCP dst [Link] 80 google-maps
None ['google-base
', 'web-browsing'] Dynamic xact 35999
32768

inspect certificate
Use the inspect certificate command to display the information on certificates used for
communicating with the controller. The MIC option displays the certificate for an unclaimed
device, while the CIC option displays the certificate for a claimed device.

Command

inspect certificate ( cic | mic )

Options

cic Enter cic to display information for the customer install


certificate (CIC) certificate.

mic Enter mic to display information for the manufacturer


install certificate (MIC) certificate.

Command Notes

Role Super, Read Only

Related Commands —

Prisma SD-WAN ION Device CLI Reference 343 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 4.5.1

Example

inspect certificate cic


Certificate:Data:Version: 3 (0x2)
Serial Number: 15009073212790042 (0x3552ac2d41951a)
Signature Algorithm: sha256
WithRSAEncryptionIssuer: C=US, ST=California, L=Santa Clara,
O=CloudGenix Inc,OU=CloudGenix Service, CN=Temp CloudGenix Class 3
Intermediate
CertificateAuthority - CValidity
Not Before: Jul 23 [Link] 2017 GMT
Not After : Jul 22 [Link] 2027 GMT
Subject: C=US, ST=California, L=Santa
Clara, O=CloudGenix Inc,OU=Service/title=200/
serialNumber=422787ff-3343-3eda-1c11-56ed13992637/UID=CLAIM,
CN=150090731806 [Link]
Subject Public Key Info:
Public Key Algorithm: rsa
EncryptionPublic-Key: (2048 bit)
Modulus:
[Link]
Exponent: 65537 (0x10001) X509v3
extensions: X509v3
Subject Key
Identifier:A7:2F:0F:E6:28:B2:81:47:75:B4:14:F1:04:A2:92:DE:32:AE:71:A1
X509v3
Authority Key Identifier:

keyi[Link]X509v3
Basic Constraints: critical
CA:FALSE X509v3
Key Usage: critical Digital Signature, Non Repudiation,
KeyEncipherment
Signature Algorithm:
sha256WithRSAEncryption[Link]

inspect certificate device


Use the inspect certificate device command to display the information on certificates
used for communicating with the device.

Command

inspect certificate device

Options

None

Prisma SD-WAN ION Device CLI Reference 344 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 6.2.1

Example

inspect certificate device


Certificate:
Data:
Version: 3 (0x2)
Serial Number:

[Link]
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = USC-Client-Issuing-CA2-BETA2-G3, O = Palo-Alto-
Networks-Inc., C = US
Validity
Not Before: Feb 6 [Link] 2023 GMT
Not After : May 7 [Link] 2023 GMT
Subject: CN = b9593e42-ec49-7fe6-9096-94992261f9,
O = Palo Alto Networks, L = Santa Clara, ST = CA, C = US,
[Link].4.1.25461.4.22.1 = prisma_sdwa
n_service_cert, [Link].4.1.25461.4.22.2 = prisma-sdwan,
[Link].4.1.25461.4.22.3 = b9593e42-ec49-7fe6-9096-94992261f9,
[Link].4.1.25461.4.22.6 = 100, 1.
[Link].1.25461.4.22.7 = [Link]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]

Prisma SD-WAN ION Device CLI Reference 345 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:

keyi[Link]

Authority Information Access:


CA Issuers - URI:[Link]
beta2/[Link]
OCSP - URI:[Link]
ocsp

X509v3 Extended Key Usage:


TLS Web Client Authentication
X509v3 CRL Distribution Points:

Full Name:
URI:[Link]
[Link]

X509v3 Subject Key Identifier:

[Link]
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]

Prisma SD-WAN ION Device CLI Reference 346 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]

inspect cgnxinfra role


Use the inspect cgnxinfra role command to inspect the cgnxinfra roles and to display
connection stats of cgnxinfra roles.

Command

inspect cgnxinfra role=logs( details | store-history | live | client


| store)

Options

details Enter details to display information on all types cgnxinfra


roles.

live Enter live to display information on live connection stats.

store-history Enter store-history to display information on last 50files


uploaded.

client Enter client to display information on client connection


stats.

store Enter store to display information on store connection


stats.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.4.1

Example

inspect cgnxinfra role=logs store-history


1. File name : logs_disk_dump_1589869896205766673
File path :/log/cgnx_infra/logs_disk_dump_1589869896205766673

Prisma SD-WAN ION Device CLI Reference 347 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Created at : 19 May 2020 [Link]


File size (Bytes) : 882
Last modified at : 19 May 2020 [Link]
Last uploaded offset : 882
File upload started at : 19 May 2020 [Link]
Last uploaded at : 19 May 2020 [Link]
File upload ended at : 19 May 2020 [Link]
Upload percentage (%) : 100
File deleted at : 19 May 2020 [Link]
File flush errors count : 0
File open errors count : 0
File parse errors count : 0
File upload errors count : 0
File write errors count : 0

inspect cgnxinfra role=logs client


Client Stats at: 14 Jul 2020 [Link]
Server accept errors count : 0
Client reconnect count : 0
Current session stats :
Session started at : 13 Jul 2020 [Link]
Session ended at : N/A
Previous session stats : N/A

inspect connection
Use the inspect connection command to inspect the established connections and to
debug connections that match user-specified options. It displays the protocol, time after which
connection times out, source IP, destination IP, source port, and destination port.

Command

inspect connection (all | srcv4=src-ipv4 | destv4=dst-ipv4


| srcv6=src-ipv6 | destv6=dst-ipv6 | srcport=src-port | dstport=dst-
port | proto= ( udp | tcp | icmp | other ))

Options

srcv4 Enter the source IPv4 address.

dstv4 Enter the destination IPv4 address.

srcv6 Enter the source IPv6 address.

dstv6 Enter the destination IPv6 address.

srcport Enter the source port.

dstport Enter the destination port.

Prisma SD-WAN ION Device CLI Reference 348 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

proto Tab to select UDP, TCP, or ICMP. Or, enter a protocol


number ranging from 0 - 255.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.0.1

Example

inspect connection proto=udp


PROTO TIMEOUT SRC DST SPORT DPORT
t-src t-dst tsport tdport
udp 6 [Link] [Link] 51884 53
[Link] 127.0. 0.1 51884 53
udp 12 [Link] [Link] 68 67
[Link] [Link] 68 67
udp 29 [Link] [Link] 51409 3784
[Link] [Link] 51409 3784

inspect connection all

PROTO TIMEOUT SRC DST SPORT


DPORT t-src t-dst t-sport t-dport

tcp 3524 fd13::2 [Link] 52754


9999 [Link] [Link] 52754 9999

udp 29 [Link] [Link] 52634


3784 [Link] [Link] 52634 3784

udp 29 [Link] [Link] 62944


3784 [Link] [Link] 62944 3784

inspect dhcplease
Use the inspect dhcplease command to inspect the DHCP server lease and to display
information on machines that are assigned to specific IP address and the lease validity for each
machine.

Command

inspect dhcplease ( all | subnet= | expired)

This command

Prisma SD-WAN ION Device CLI Reference 349 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

all Enter all to display information on DHCP server lease.

subnet Enter subnet to display information on live connection


[Link] 5.4.1

expired Enter expired to display information on last 50 files


uploaded. Release 5.4.1

Command Notes

Role Super, Read Only

Related Commands dump dhcpstat

Introduced in Release 4.4.1

Example

inspect dhcplease all

To get manufacturer names please downloadhttp://


[Link]/regauth/oui/[Link] to/usr/local/etc/[Link]

MAC IP hostname valid until


manufacturer

==========================================================================
[Link] [Link] dhcp_test
2017-02-[Link] -NA

inspectdhcplease subnet=[Link]/24 expired

To get manufacturer names please downloadhttp://


[Link]/regauth/oui/[Link] to/usr/local/etc/[Link]

MAC IP hostname valid until


manufacturer

============================================================================
[Link] [Link] -NA-
2020-05-[Link] -NA-
[Link] [Link] -NA-
2020-05-[Link] -NA-
[Link] [Link] -NA-
2020-05-[Link] -NA-
[Link] [Link] -NA-
2020-05-[Link] -NA-

Prisma SD-WAN ION Device CLI Reference 350 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[Link] [Link] -NA-


2020-05-[Link] -NA

inspect dhcplease subnet=[Link]/24

To get manufacturer names please downloadhttp://


[Link]/regauth/oui/[Link] to/usr/local/etc/[Link]

MAC IP hostname valid


until manufacturer

===============================================================================
[Link] [Link] user1-virtual-
2020-07-[Link] -NA

inspect dhcp6lease
Use the inspect dhcp6lease command to inspect the DHCP server lease and to display
information on machines that are assigned to specific IPv6 address and the lease validity for each
machine.

Command

inspect dhcp6lease ( all | subnet= | state=)

This command

Options

all Enter all to display information on DHCP server lease.

subnet Enter subnet to display information on live connection


stats.

state Enter state to display information on connection state.

Command Notes

Role Super, Read Only

Related Commands dump dhcp-server status

Introduced in Release 6.2.1

Example

inspect dhcp6lease all

Prisma SD-WAN ION Device CLI Reference 351 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

IP_TYPE IP BINDING_STATE VALID_UNTIL DUID


IA_NA 3001::20active 2023-03-20 [Link]
000429db66cbc604c03db28080f9bceeca90

inspect dhcp6lease subnet=3001::/64

IP_TYPE IP BINDING_STATE VALID_UNTIL DUID


IA_NA 3001::20active 2023-03-20 [Link]
000429db66cbc604c03db28080f9bceeca90

inspect dhcp6lease state=active

IP_TYPE IP BINDING_STATE VALID_UNTIL DUID


IA_NA 3001::20active 2023-03-20 [Link]
000429db66cbc604c03db28080f9bceeca90

inspect dpdk ip-rules


Use the inspect dpdk ip-rules command to inspect the ip address rules in the dpdk stack
configured on the device.

Command

inspect dpdk ip-rules

Options

None

Command Notes

Role Super, Read Only

Related Commands inspect dpdk vrf

Introduced in Release 5.6.1

Example

inspect dpdk ip-rules


0: from all lookup 255
1: from all iif veth-peer-p lookup 254
2010: from all iif eth2 lookup 2010
2010: from all iif eth1 lookup 2010
2010: from all iif sl2 lookup 2010
2010: from all iif sl1 lookup 2010
2050: from [Link] lookup 2050
2051: from [Link] lookup 2051
2100: from all iif eth3 lookup 2100

Prisma SD-WAN ION Device CLI Reference 352 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

2100: from all to [Link] lookup 2100


2101: from [Link] lookup 2101
2401: from [Link] lookup 2401
2402: from [Link] lookup 2402
32000: from all iif eth0 lookup 32000
32000: from [Link] lookup 32000
32000: from all to [Link] lookup 32000
32766: from all lookup 254
32767: from all lookup 253

inspect dpdk vrf


Use the inspect dpdk vrf command to inspect the dpdk route table for a specific vrf
configured on the device.

Command

inspect dpdk vrf vrf=

Options

None

Command Notes

Role Super, Read Only

Related Commands inspect dpdk ip-rules

Introduced in Release 5.6.1

Example

inspect dpdk vrf vrf=2010


# - Preferred, * - Active, > - selected
(2010) [Link]/24 [nh:17] NEIGH gw [Link] via veth-peer-p-vr0
(rt:30)
(2010) [Link]/29 [nh:17] NEIGH gw [Link] via veth-peer-p-
vr0 (rt:31)
(2010) [Link]/29 [nh:17] NEIGH gw [Link] via veth-peer-p-
vr0 (rt:29)
(2010) [Link]/29 [nh:17] NEIGH gw [Link] via veth-peer-
p-vr0 (rt:32)
(2010) [Link]/29 [nh:17] NEIGH gw [Link] via veth-peer-
p-vr0 (rt:28)

Prisma SD-WAN ION Device CLI Reference 353 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

inspect fib
Use the inspect fib command to inspect the forwarding information base (FIB) table, to
display FIB entries, and to debug path selection issues. The path type is internet, private WAN,
LAN, or VPN.

Command

inspect fib ( all | vpn | privwan | internet | path-id =path id |


site-id = site id | servicelink | vrf-name= )

Options

all Enter all to display information on all types of FIBs.

vpn Enter vpn to display information on VPN FIBs.

privwan Enter privwan to display information on private WAN FIBs.

internet Enter internet to display information on internet FIBs.

path-id Enter path ID for FIB information for a specific path-id.

site-id Enter the site ID for FIB information for a specific site.

servicelink Enter servicelink for FIB information for Standard VPNs.

lan Enter lan for FIB information for Standard [Link]


6.3.1

vrf-name Enter vrf name for FIB information for Standard VPNs.
Release 6.3.1

Command Notes

Role Super, Read Only

Related Commands

Introduced in Release 4.4.1

Example

inspect fib all


Path ID: 15792149372670031, Path Type: vpn, Vpn Type: private,
Site ID: 15477701676350156, Site Name: HUB-SITE, Status: true
Path

Prisma SD-WAN ION Device CLI Reference 354 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Info: [Anynetlink-ID : 15477701710800191] SJ-Verizon to NY-


Verizon
Prefixes: Prefix: [Link]/24 Type:D Cost:256
Admin distance:5
Prefix: [Link]/24 Type:D Cost:256
Admin distance:5
Prefix:[Link]/24 Type:D Cost:256
Admin distance:5
Prefix:[Link]/24 Type:D Cost:256
Admin distance:5
Prefix:[Link]/24 Type:D Cost:256
Admin distance:5
Prefix:[Link]/24 Type:D Cost:256
Admin distance:5
Prefix: [Link]/0Type:D Cost:256
Admin distance:5
Path ID: 15822231898660142, PathType: internet, Status: true
Path Info: Circuit to SJ-Test
Prefixes: Prefix: [Link]/24
Nexthop:[Link] Type:C
Cost:0 Admin distance:0 Prefix: [Link]/0
Nexthop:192.168.105.1Type:S Cost:0
Admin distance:5 Path ID: 15477700312380071,
PathType: privwan, Status: true
Path Info: Circuit to SJ-Verizon
Prefixes: Prefix: [Link]/0 Type:C Cost:0 Admin distance:5

inspect fib servicelink path-id=15931329594130190


Path ID:15931329594130190, Path Type: servicelink, Status: true
Peer :[Link] Service Endpoint : GRE-Ubuntu-Endpoint-2 Path
Info:
Circuit to Charter Prefixes: Prefix: [Link]/0 Nexthop:[Link]
Type:S Cost:0 Admin distance:5 Prefix:[Link]/24
Nexthop:[Link] Type:C Cost:0 Admin distance:0

inspect fib all


Path ID: 1679331667843012296, Path Type: vpn, Vpn Type: public,
Site ID: 1654865330934020396, Site Name: Sa
nFrancisco, Status: true
Path Info: [Anynetlink-ID : 1654868953471013196] LondonPublicSWI1 to
SanFranciscoPublicSWI1
Prefixes:
Prefix: [Link]/24Type:D Cost:256Admin distance:5
Prefix: [Link]/0 Type:D Cost:256Admin distance:5

V6 Prefixes:
Prefix: [Link]/64 Type:D Cost:256Admin distance:5
Prefix: ::/0 Type:D Cost:256Admin distance:5

Path ID: 1679331667962013396, Path Type: vpn, Vpn Type: public,


Site ID: 1654865330934020396, Site Name: Sa
nFrancisco, Status: false
Path Info: [Anynetlink-ID : 1654868953471013196] LondonPublicSWI1 to
SanFranciscoPublicSWI1
Prefixes:
Prefix: [Link]/24Type:D Cost:256Admin distance:5

Prisma SD-WAN ION Device CLI Reference 355 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Prefix: [Link]/0 Type:D Cost:256Admin distance:5

V6 Prefixes:
Prefix: [Link]/64 Type:D Cost:256Admin distance:5
Prefix: ::/0 Type:D Cost:256Admin distance:5

Path ID: 1679334229219012296, Path Type: vpn, Vpn Type: private,


Site ID: 1654865330934020396, Site Name: S
anFrancisco, Status: false
Path Info: [Anynetlink-ID : 1654868922677008596] LondonPrivateSWI1 to
SanFranciscoPrivateSWI1
Prefixes:
Prefix: [Link]/24Type:D Cost:256Admin distance:5
Prefix: [Link]/0 Type:D Cost:256Admin distance:5

V6 Prefixes:
Prefix: [Link]/64 Type:D Cost:256Admin distance:5
Prefix: ::/0 Type:D Cost:256Admin distance:5

Path ID: 1679334232284013396, Path Type: vpn, Vpn Type: private,


Site ID: 1654865330934020396, Site Name: S
anFrancisco, Status: true
Path Info: [Anynetlink-ID : 1654868922677008596] LondonPrivateSWI1 to
SanFranciscoPrivateSWI1
Prefixes:
Prefix: [Link]/24Type:D Cost:256Admin distance:5
Prefix: [Link]/0 Type:D Cost:256Admin distance:5

V6 Prefixes:
Prefix: [Link]/64 Type:D Cost:256Admin distance:5
Prefix: ::/0 Type:D Cost:256Admin distance:5

Path ID: 1679334236429017496, Path Type: vpn, Vpn Type: private,


Site ID: 1652095578789021896, Site Name: S
eattle, Status: true
Path Info: [Anynetlink-ID : 1654868862969000696] LondonPrivateSWI1 to
SeattlePrivateSWI1
Prefixes:
Prefix: [Link]/24 Type:D Cost:256Admin distance:5
Prefix: [Link]/0 Type:D Cost:256Admin distance:5

V6 Prefixes:
Prefix: [Link]/64 Type:D Cost:256Admin distance:5
Prefix: ::/0 Type:D Cost:256Admin distance:5

Path ID: 1679331668449017496, Path Type: vpn, Vpn Type: public,


Site ID: 1652095578789021896, Site Name: Se
attle, Status: true
Path Info: [Anynetlink-ID : 1654868905119009996] LondonPublicSWI1 to
SeattlePublicSWI1
Prefixes:
Prefix: [Link]/24 Type:D Cost:256Admin distance:5
Prefix: [Link]/0 Type:D Cost:256Admin distance:5

V6 Prefixes:
Prefix: [Link]/64 Type:D Cost:256Admin distance:5

Prisma SD-WAN ION Device CLI Reference 356 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Prefix: ::/0 Type:D Cost:256Admin distance:5

Path ID: 1654868757030024296, Path Type: internet, Status: true


Path Info: Circuit to LondonPublicSWI1
Prefixes:
Prefix: [Link]/24 Nexthop:[Link] Type:C Cost:0 Admin
distance:0
Prefix: [Link]/0 Nexthop:[Link] Type:S Cost:0 Admin
distance:5

V6 Prefixes:
Prefix: [Link]/64 Nexthop:2001:10:2:105::1Type:C Cost:0
Admin distance:0
Prefix: ::/0 Nexthop:2001:10:2:105::1Type:S Cost:0 Admin
distance:5

Path ID: 16281763158650203, Path Type: lan, Status: true


Prefixes:
Prefix: [Link]/24 Nexthop:[Link] Type:C Cost:0 Admin
distance:0
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/32 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20

V6 Prefixes:
Prefix: [Link]/64 Nexthop::: Type:C Cost:0 Admin
distance:0
Prefix: [Link]/64 Nexthop:2001:10:2:68::2 Type:S Cost:0
Admin distance:1

Path ID: 16281763172250245, Path Type: lan, Status: true


Prefixes:
Prefix: [Link]/0 Nexthop:[Link] Type:S Cost:0 Admin
distance:0
Prefix: [Link]/24 Nexthop:[Link] Type:C Cost:0
Admin distance:0

V6 Prefixes:
Prefix: ::/0 Nexthop:3000:192:168:100::1 Type:S Cost:0 Admin
distance:0
Prefix: [Link]/64 Nexthop:3000:192:168:100::1 Type:C
Cost:0 Admin distance:0

Path ID: 16281763164550224, Path Type: lan, Status: true


Prefixes:
Prefix: [Link]/24 Nexthop:[Link] Type:C Cost:0 Admin
distance:0
Prefix: [Link]/32 Nexthop:[Link] Type:S Cost:0 Admin
distance:1

Prisma SD-WAN ION Device CLI Reference 357 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

V6 Prefixes:
Prefix: [Link]/64 Nexthop::: Type:C Cost:0 Admin
distance:0
Prefix: 2001::13:23:77/128 Nexthop:2001:20:20:20::222 Type:S
Cost:0 Admin distance:1

Path ID: 1654868727519023196, Path Type: privwan, Status: true


Path Info: Circuit to LondonPrivateSWI3
Prefixes:
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/0 Nexthop:[Link] Type:S Cost:0 Admin
distance:5
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/32 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/32 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20

Prisma SD-WAN ION Device CLI Reference 358 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin


distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/32 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20
Prefix: [Link]/24 Nexthop:[Link] Type:C Cost:0 Admin
distance:0
Prefix: [Link]/24 Nexthop:[Link] Type:D Cost:32768 Admin
distance:20

V6 Prefixes:
Prefix: [Link]/64 Nexthop:2001:10:2:64::1 Type:C Cost:0
Admin distance:0
Prefix: ::/0 Nexthop:2001:10:2:64::1 Type:S Cost:0 Admin
distance:5

Path ID: 1654868707819008896, Path Type: privwan, Status: true


Path Info: Circuit to LondonPrivateSWI1
Prefixes:
Prefix: [Link]/0 Nexthop:[Link] Type:S Cost:0 Admin
distance:5
Prefix: [Link]/24Nexthop:[Link] Type:C Cost:0 Admin
distance:0

V6 Prefixes:
Prefix: ::/0 Nexthop:2001:10:2:65::2 Type:S Cost:0 Admin
distance:5
Prefix: [Link]/64 Nexthop:2001:10:2:65::2 Type:S Cost:0
Admin distance:1
Prefix: [Link]/64 Nexthop:2001:10:2:65::2 Type:C Cost:0
Admin distance:0

inspect fib vpn


Path ID: 1646804547298006528, Path Type: vpn, Vpn Type:
public,
Site ID: 1644236312418017028, Site Name: SPOKE-NEW-BANG, Status:
false
Path Info: [Anynetlink-ID : 1645769602048005028] Jaya-Pub1 to
Suresh-Hathway

Prisma SD-WAN ION Device CLI Reference 359 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Path ID: 1650357026300025728, Path Type: vpn, Vpn Type:


private,
Site ID: 1643002184702000028, Site Name: Jaya-Branch-2, Status:
false
Path Info: [Anynetlink-ID : 1643002213265017028] Jaya-Pvt-1 to
Jaya-Pvt-1
Prefixes:
Prefix: [Link]/24
Type:D Cost:278
Admin distance:10
V6 Prefixes:
Prefix: 2008::/64
Type:D Cost:278
Admin distance:10
Path ID: 1644999852286009428, Path Type: vpn, Vpn Type: public,
Site ID: 16282507889030214, Site Name: SPOKE-Site-Amit, Status:
false
Path Info: [Anynetlink-ID : 1643001962214008728] Jaya-Pub1 to
Tatasky
Prefixes:
Prefix: [Link]/24
Type:D Cost:256
Admin distance:10
Prefix: [Link]/24
Type:D Cost:256
Admin distance:10
Prefix: [Link]/24
Type:D Cost:256
Admin distance:10
V6 Prefixes:
Prefix: 4001::/64
Type:D Cost:256
Admin distance:10
Prefix: 5001::/64
Type:D Cost:256
Admin distance:10

inspect fib vpn vni=242


Path ID: 1693191694036013596,
Path Type: vpn,
Vpn Type: public,
Site ID: 1690980902207004096,
Site Name: BR-SITE2,
Status: false
Path Info: [Anynetlink-ID : 1693191588738014296] DC-SITE1-PUB2 to BR-
SITE2-PUB1
Vrf context id: 1692597097579024296,
Vni: 242
Prefixes:
Prefix: [Link]/32 Type:D Cost:256 Admin distance:10

Path ID: 1691044549083002396,


Path Type: vpn,
Vpn Type: public,
Site ID: 1690270505109025096,
Site Name: BR-SITE1,

Prisma SD-WAN ION Device CLI Reference 360 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Status: true
Path Info: [Anynetlink-ID : 1690290030367018296] DC-SITE1-PUB1 to BR-
SITE1-PUB1
Vrf context id: 1692597097579024296,
Vni: 242
Prefixes:
Prefix: [Link]/32 Type:D Cost:256 Admin distance:10

Path ID: 1691044560641007496,


Path Type: vpn,
Vpn Type: private,
Site ID: 1690270505109025096,
Site Name: BR-SITE1,
Status: true
Path Info: [Anynetlink-ID : 1690290052166008496] DC-SITE1-PVT1 to BR-
SITE1-PVT1
Vrf context id: 1692597097579024296, Vni: 242
Prefixes:
Prefix: [Link]/32 Type:D Cost:256 Admin distance:10

inspect fib lan vni=242


Path ID: 1692614195858016096,
Path Type: lan,
Status: true
Vrf context id: 1692597097579024296,
Vni: 242
Prefixes:
Prefix: [Link]/32 Nexthop:[Link] Type:S Cost:0 Admin
distance:1
Prefix: [Link]/24 Nexthop:[Link] Type:C Cost:0 Admin
distance:0

inspect fib all


Path ID: 1696395771321023828, Path Type: vpn, Vpn Type: public,
Site ID: 1681450037421018528, Site Name: Santa Clara DC, Status:
true
Path Info: [Anynetlink-ID : 1681450038408021128] Jio to Jio
Vrf context id: 1695795392653021428, Vni: 965, Vrf Name: yellow
Prefixes:
Prefix: [Link]/24 Type:D Cost:256 Admin distance:5
Prefix: [Link]/0 Type:D Cost:256 Admin distance:5

V6 Prefixes:
Prefix: ::/0Type:D Cost:256 Admin distance:5

inspect fib-leak
Use the inspect fib-leak command to inspect the forwarding information base (FIB) table, to
display FIB leak entries, and to debug path selection issues.

Command

inspect fib-leak (dest-vrf = destination vrf name)

Prisma SD-WAN ION Device CLI Reference 361 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

dest-vrf Enter all to display information on all destination VRF


types of FIBs.

Command Notes

Role Super, Read Only

Related Commands

Introduced in Release 6.3.1

Example

inspect fib-leak dest-vrf=green


Path ID: 1697478736077020628, Path Type: vpn, Vpn Type: public,
Site ID: 1697397638697023728, Site Name: Santa Clara, Status: true
Path Info: [Anynetlink-ID : 1697397639975009928] Jio to Jio
Dest-Vni: 102
Prefixes:
Src-Vni: 101 Prefix: [Link]/24 Type:L Cost:256 Admin
distance:5

Path ID: 1697478730698007528, Path Type: vpn, Vpn Type: public,


Site ID: 1697397638697023728, Site Name: Santa Clara, Status: false
Path Info: [Anynetlink-ID : 1697475888558012028] Airtel to Jio
Dest-Vni: 102
Prefixes:
Src-Vni: 101 Prefix: [Link]/24 Type:L Cost:256 Admin
distance:5

Path ID: 1697399666252005828, Path Type: vpn, Vpn Type: private,


Site ID: 1697397638697023728, Site Name: Santa Clara, Status: true
Path Info: [Anynetlink-ID : 1697397640778004528] Comcast to Comcast
Dest-Vni: 102
Prefixes:
Src-Vni: 101 Prefix: [Link]/24 Type:L Cost:256 Admin
distance:5

inspect flow-arp
Use the inspect flow-arp command to inspect the address resolution protocol (ARP)
entries used and recorded by the flow controller (FC) module. The ARP cache is displayed for all
interfaces or a specific interface filtered by either interface name, VLAN ID, Host IP or Gateway
ID.

Prisma SD-WAN ION Device CLI Reference 362 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

inspect flow-arp ( all | interface = interface | vlan= vlan_id |


host= host_ip_address | gateway= gateway_id )

Options

all Enter all to inspect data plane ARP cache for all interfaces.

interface Enter the interface name to inspect data plane ARP cache
for an interface.

vlan Enter the VLAN ID to inspect data plane ARP cache for a
VLAN.

host Enter the host IP address to inspect data plane ARP cache
for a host.

gateway Enter the gateway ID to inspect data plane ARP cache for
a gateway.

Command Notes

Role Super, Read Only

Related Commands inspect system arp

Introduced in Release 4.5.1

Example

inspect flow-arp all


ifname device vlan_id host mac gateway arp_eth_addr
router_arp_srcrouter valid expired expire_secslan 1 eth11 10
[Link] [Link] [Link] True True
False True False 1215
wan 1 eth10 220 [Link] [Link] [Link]
True
False True True False 315359408
wan 1 eth10 10 [Link] [Link] [Link] True
False True True False 315359406
wan 1 eth10 35 [Link] [Link] [Link] True False
True True False 315359408
wan 1 eth10 110 [Link] [Link] [Link]
True False False True False 1207

Prisma SD-WAN ION Device CLI Reference 363 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

inspect flow brief


Use the inspect flow brief command to inspect the brief details for active flows and to
debug current flows matching the user-specified options. It displays existing flows and their path,
along with information on application, network policy, priority policy, security policy, security
action and path details.

Command

inspect flow brief (all | [prot-nm=( udp | tcp | icmp ) | prot-


no= 0-255] | srcv4=src-ipv4 | srcport=src-port | dstv4=dst-ipv4 |
dstport=dst-port )]

inspect flow brief (all | [prot-nm=( udp | tcp | icmp ) | prot-


no= 0-255] | srcv4=src-ipv4 | srcv6=src-ipv6 |srcport=src-port |
dstv4=dst-ipv4 | dstv6=dst-ipv6 | dstport=dst-port )]

Options

srcv4 Enter the source IPv4 address.

dstv4 Enter the destination IPv4 address.

srcv6 Enter the source IPv6 address. Release 6.2.1

dstv6 Enter the destination IPv6 address. Release 6.2.1

srcport Enter the source port.

dstport Enter the destination port.

prot-nm Tab to select UDP, TCP, or ICMP.

prot-no Enter a protocol number ranging from 0 - 255.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.0.1

Example

inspect flow brief

Prisma SD-WAN ION Device CLI Reference 364 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

SRC DST SPORT DPORT PROTOCOL


START-TIME APP-ID NET-POLICY PRI-POLICY
SEC-POLICY SEC-ACTION WANPATH-ID PATH
[Link] [Link] 8 0 1
2021-08-11 [Link] icmp-ping Rule 1 icmp-ping-Policy
Rule1-Set2-20 ALLOW 16261257799450062 lan_to_public_vpn

inspect flow brief


SRC DST SPORT DPORT PROTOCOL
START-TIME APP-ID NET-POLICY
PRI-POLICY SEC-POLICY SEC-ACTION WANPATH-ID
PATH
[Link] [Link] 53 49272 6
2023-02-28 [Link] enterprise-unknown enterprise-default
enterprise-default RULE1 ACTION
1672939700547018696 lan_to_l3_private_direct

inspect flow brief dstv6=2103::13 srcv6=[Link]


SRC DST SPORT DPORT PROTOCOL
START-TIME APP-ID NET-POLICY
PRI-POLICY SEC-POLICY SEC-ACTION
WANPATH-ID PATH
[Link] 2103::13 35924 21 6
2023-03-30 [Link] ftp private_vpn
default -- N/A
1670476802377011228 lan_to_l3_private_direct
[Link] 2103::13 128 0 58
2023-03-30 [Link] ipv6-icmp-base default
default -- N/A
1670476802377011228 lan_to_l3_private_direct

inspect flow brief


VRF SRC DST SPORT DPORT
PROTOCOL START-TIME APP-ID NET-POLICY PRI-
POLICY SEC-POLICY SEC-ACTION WANPATH-ID
PATH
yellow [Link] [Link] 8 0
1 2023-10-09 [Link] unknown enterprise-
default enterprise-default -- N/A
1696395771321023828 lan_to_public_vpn

inspect flow-detail
Use the inspect flow-detail command to inspect the details on active flows and to debug
current flows matching the user-specified options. It displays existing flows and their path, and
whether the path is in established or initialized state.

Command

inspect flow-detail (all | [prot-nm=( udp | tcp | icmp ) |prot-


no=0-255] | srcv4=src-ipv4 | srcv6=src-ipv6 | srcport=src-port |
dstv4=dst-ipv4 | dstv6=dst-ipv6 | dstport=dst-port )

Prisma SD-WAN ION Device CLI Reference 365 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

srcv4 Enter the source IP address.

dstv4 Enter the destination IP address.

srcv6 Enter the source IP address. Release 6.2.1

dstv6 Enter the destination IP address. Release 6.2.1

srcport Enter the source port.

dstport Enter the destination port.

prot-nm Tab to select UDP, TCP, or ICMP.

prot-no Enter a protocol number ranging from 0 - 255.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.4.1

Example

inspect flow detail


VRF SRC DST SPORT DPORT PROTOCOL
START-TIME APP-ID NET-POLICY PRI-POLICY
SEC-POLICY SEC-ACTION WANPATH-ID
PATH
yellow [Link] [Link] 8 0 1
2023-10-10 [Link] unknown enterprise-default
1696395771321023828 lan_to_public_vpn
TRAFFIC: xact
PRIORITY: 2
DSCP: --
STATE: ESTABLISHED
IDLE: 20
IFACE: v-eth6
RX_VRF: yellow (965)
FWD_VRF: yellow (965)
LEAK_VRF: Global (0)
NET-POLICY:: NCTX-ID: none
SPF-ID: none
DPF-ID: 1681410079845017228
UG-INFO: any
PRI-POLICY:: NCTX-ID: none
SPF-ID: none

Prisma SD-WAN ION Device CLI Reference 366 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

DPF-ID: 1681410079905017328
UG-INFO: any
SEC-RULE-IDS: none

inspect flow detail


SRC DST SPORT DPORT PROTOCOL
START-TIME APP-ID NET-POLICY PRI-POLICY SEC-
POLICY SEC-ACTION WANPATH-ID PATH
[Link] [Link] 8 0 1
2021-08-11 [Link] icmp-ping Rule 1 icmp-ping-Policy
Rule1-Set2-20 ALLOW 16261257799450062 lan_to_public_vpn

TRAFFIC: xact PRIORITY: 2 DSCP: -- STATE: ESTABLISHED


IDLE: 20 IFACE: ethr3,tnl-1,bwc_in_1 NET-POLICY:: NCTX-ID: none
SPF-ID: none DPF-ID: none
PRI-POLICY:: NCTX-ID: none SPF-ID: none DPF-ID: none SEC-RULE-
IDS: 16246315738930189

inspect flow detail


SRC DST SPORT DPORT PROTOCOL START-TIME
APP-ID NET-POLICY PRI-POLICY
SEC-POLICY SEC-ACTION
WANPATH-ID PATH
[Link] [Link] 8 0 1 2022-12-15 [Link]
ping match icmp test default user
allow any other user ALLOW
1665475784156002328 unknown_flow_path
TRAFFIC: xact PRIORITY: 3 DSCP: -- STATE: INIT IDLE: 20
IFACE:
NET-POLICY:: NCTX-ID: none SPF-ID:
none DPF-ID: none UG-INFO:
158622979242302240[CN=engineering,DC=sdwanamsteltest,DC=onmicrosoft,DC=com]
PRI-POLICY:: NCTX-ID: none SPF-
ID: none DPF-ID: none
UG-INFO: 1674636535551001928[sdwanamsteltest
\edward@[Link]]
SEC-RULE-IDS: 1667810313551011228

inspect flow internal


Use the inspect flow internal command to display the details of flows that match the
input filter. It displays existing flows and their path, along with information on applications and
attached interfaces.

Command

inspect flow internal (srcv4= src-ipv4 | dstv4=dst-ipv4 |


srcport=src-port | dstport=dst-port | prot-nm=(udp | tcp | icmp) |
prot-no= 0 - 255)

Prisma SD-WAN ION Device CLI Reference 367 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

srcv4 Enter the source IP address.

dstv4 Enter the destination IP address.

srcport Enter the source port.

dstport Enter the destination port.

prot-nm Tab to select UDP, TCP, or ICMP.

prot-no Enter a protocol number ranging from 0 - 255.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.0.3

Example

inspect flow internal


FLOW DETAILS :
app_id : 16150106802370049
app_idle_timeout : 20
app_iface_cookie : 0
attached_iface_1 :

type: FC_DP_IFACE_LAN

name: ethr3

vlan_id: 0

alt_vlan_id: 0

signature: 0xdeadcafe (-559035650)

dp_fid: 39

cookie: 0

policy_action

tos: 0
out_port_name: bwc_out_1

Prisma SD-WAN ION Device CLI Reference 368 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

push_vlan_id: 0

queue_id: 2097187

idle_timeout: 20

insert_flow: 1

policy_action_flags: 0

cookie: 0

nw_src: [Link]

nw_dst: [Link]

src_eth_addr: [Link],

dst_eth_addr: [Link],
attached_iface_2 :

type: FC_DP_IFACE_WAN

name: tnl-1

vlan_id: 0

alt_vlan_id: 0

signature: 0xdeadcafe (-559035650)

dp_fid: 43

cookie: 0

policy_action

tos: 0
out_port_name: bwc_in_1

push_vlan_id: 0

queue_id: 2097187

idle_timeout: 20

insert_flow: 1

policy_action_flags: 0

cookie: 2

nw_src: [Link]

nw_dst: [Link]

Prisma SD-WAN ION Device CLI Reference 369 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

src_eth_addr: [Link],

dst_eth_addr: [Link],
byte_count : 0
cookie : 4
detected_app_count : 0
dport : 0
dropped_cookie : 0
dscp : --
dst : [Link]
dst_vlan_id : 0
expire_time : 430123
flow_count : 4
flow_drop_reason : not dropped
flow_type : NORMAL
id : 35
idle_timeout : 20
iface_count : 4
lan2_type : lan-unknown
lan_type : spoke-lan
ln_id : 16200275524390210
loopback_to_edge_fid : 0
meta_packet_count : 1
mp_vlan_id : 0
nat_nw_src : 0
nctx_id : 0
net_dpf_id : 0
net_nctx_id : 0
net_policy_name : Rule 1
net_spf_id : 0
other_pkt_count : 2
other_sec_state_valid : 1
packet_count : 0
path_type : lan_to_public_vpn
prefix_iface_cookie : 0
prefix_mask : 827453603864
prev_flow_path_type : unknown_flow_path
prev_flow_type : NORMAL
pri_dpf_id : 0
pri_nctx_id : 0
pri_policy_name : icmp-ping-Policy
pri_spf_id : 0
priority : 2
protocol : 1
refcnt : 2
security_policy :

sec_stack_id : 16242998621490011

sec_app_count : 1

sec_app :

sec_rule_index : 0

Prisma SD-WAN ION Device CLI Reference 370 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

sec_action : ALLOW

sec_result_count : 1

sec_result :

sec_src_id : 16200275524390210

sec_dst_id : 100

sec_src_zone_id : 16200471619100074

sec_dst_zone_id : 16204672468290016

sec_action : ALLOW

sec_rule_id : 16246315738930189

sec_rule_num : 1

sec_rule_app_count : 0
set_flags : is_src_lan is_src_origis_lan_to_wan
is_eps is_dst_wan is_dst_server is_fast_path is_matured_flow
is_icmp_req_orig is_icmp_ping_app bwc_enabled non_port_scanning
app_detection_done update_stats
sport : 8
src : [Link]
src_vlan_id : 0
start_time : 2021-08-11 [Link]
state : ESTABLISHED
term_app_id : 16150106802370049
traffic_typ : xact
tuple : [Link] > [Link]: icmp,
update_priority : 0
wan2_type : wan-unknown
wan_path_change_count : 0
wan_path_id : 16261257799450062
wan_type : public-vpn-wan

inspect interface stats


Use the inspect interfaces stats command to inspect the interface statistics and to
debug current flows matching the user-specified input filter. It displays existing flows and their
path, along with information on applications and attached interfaces.

Command

inspect interface stats (all |


<name of the interface>)

Prisma SD-WAN ION Device CLI Reference 371 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

inspect interface stats <id> details

inspect interface stats <vlan-name>

Options

all Enter all to inspect statistics for all interfaces.

interface Enter the interface or VLAN name to inspect


statistics for the interface.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.1.3

Example

inspect interface stats interface=1


Interface : 1
Device : eth1
Rx stats :
Rx Bytes : 130273173
Rx Packets : 1168917
Rx Drop : 421
IPv6 Rx Packets : 415677
Tx stats :
Tx Bytes : 21063016
Tx Packets : 241666
IPv6 Tx Packets : 493940

inspect interface stats all


Interface : 2
Device : eth2
Rx stats :
Rx Bytes : 127053969
Rx Packets : 1162721
IPv6 Rx Packets : 393950
Tx stats :
Tx Bytes : 26484673
Tx Packets : 230731
IPv6 Tx Packets : 448476

Interface : 4
Device : eth4

Prisma SD-WAN ION Device CLI Reference 372 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Rx stats :
Rx Bytes : 358520906
Rx Packets : 3317023
Rx Drop : 26795
Ipv6 Rx Packets : 1012125
Tx stats :
Tx Bytes : 34236014
Tx Packets : 410831
IPv6 Tx Packets : 8

Example showing PoE and STP stats

Interface : 7
Device : dsa7
Rx stats :
Rx Bytes : 0
Rx Packets : 0
Tx stats :
Tx Bytes : 0
Tx Packets : 0
PoE stats:
Port MPS Absent Counter : 0
Port Invalid Signature Counter : 0
Port Power Denied Counter : 0
Port Overload Counter : 0
Port Short Counter : 0
Port Power Usage (Watts) : 0.0
Signal Channel Power Usage (Watts) : 0.0
Spare Channel Power Usage (Watts) : 0.0
PoE Channel-level stats:
Signal Channel MPS Absent Counter : 0
Spare Channel MPS Absent Counter : 0
Signal Channel Invalid Signature Counter: 0
Spare Channel Invalid Signature Counter : 0
Signal Channel Power Denied Counter : 0
Spare Channel Power Denied Counter : 0
Signal Channel Overload Counter : 0
Spare Channel Overload Counter : 0
Signal Channel Short Counter : 0
Spare Channel Short Counter : 0
STP port stats:
LastTcnSince : 337535
Tcn Cnt : 0
Tcn Port : None
Tcn Source Br id : 0.000.[Link]

Example of interface details

Interface : 10
Device : dsa6
Rx stats :
Rx Bytes : 0
Rx Packets : 0
Tx stats :
Tx Bytes : 0
Tx Packets : 0

Prisma SD-WAN ION Device CLI Reference 373 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

----------------------------------
InGoodOctetsLo: 0
InGoodOctetsHi: 0
InUnicasts: 0
InBroadcasts: 0
InMulticasts: 0
InBadOctets: 0
OutFCSErr: 0
Deferred/OutPFrames: 0
Octets64: 0
Octets127: 0
Octets255: 0
Octets511: 0
Octets1023: 0
OctetsMax: 0
OutOctetsLo: 0
OutOctetsHi: 0
Excessive/InPFrames: 0
OutUnicasts: 0
OutMulticasts: 0
OutBroadcasts: 0
Single/InBadPFrags: 0
OutPause: 0
InPause: 0
Multiple/InPFrags: 0
InUndersize: 0
InFragments: 0
InOversize: 0
InJabber: 0
InRxErr: 0
InFCSErr: 0
Collisions/OutPFrags: 0
Late/InPAssemblyErr: 0
InDiscards: 0
InFiltered: 0
InAccepted: 0
InBadAccepted: 0
InGoodAvbClassA: 0
InGoodAvbClassB: 0
InBadAvbClassA: 0
InBadAvbClassB: 0
TCAMCounter0: 0
TCAMCounter1: 0
TCAMCounter2: 0
TCAMCounter3: 0
InDroppedAvbA: 0
InDroppedAvbB: 0
InDaUnknown: 0
InMGMT: 0
OutQueue0: 0
OutQueue1: 0
OutQueue2: 0
OutQueue3: 0
OutQueue4: 0
OutQueue5: 0
OutQueue6: 0

Prisma SD-WAN ION Device CLI Reference 374 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

OutQueue7: 0
OutCutThrough: 0
InBadQbv: 0
OutOctetsA: 0
OutOctetsB: 0
OutYellow: 0
OutDroppedYel: 0
OutDiscards: 0
OutMGMT: 0
DropEvents: 0
AtsFiltered: 0
PoE stats:
Port MPS Absent Counter : 0
Port Invalid Signature Counter : 0
Port Power Denied Counter : 0
Port Overload Counter : 0
Port Short Counter : 0
Port Power Usage (Watts) : 0.0
Signal Channel Power Usage (Watts) : 0.0
Spare Channel Power Usage (Watts) : 0.0
PoE Channel-level stats:
Signal Channel MPS Absent Counter : 0
Spare Channel MPS Absent Counter : 0
Signal Channel Invalid Signature Counter: 0
Spare Channel Invalid Signature Counter : 0
Signal Channel Power Denied Counter : 0
Spare Channel Power Denied Counter : 0
Signal Channel Overload Counter : 0
Spare Channel Overload Counter : 0
Signal Channel Short Counter : 0
Spare Channel Short Counter : 0
STP port stats:LastTcnSince : 1112436
Tcn Cnt : 0
Tcn Port : None
Tcn Source Br id : 0.000.[Link]

inspect ipfix exporter-stats


Use the inspect ipfix exporter-stats command to present the statistics for the flows
presented to the IPFIX exporter.

Command

inspect ipfix exporter-stats

Options

None

Prisma SD-WAN ION Device CLI Reference 375 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.5.1

Example

inspect ipfix exporter-stats


Exporter : 16109593131720064 : 'IPFIX
New Config for ION'
Flow Statistics:
Total Observations : 0 : 100.00%
Sampler
Selected : 0 : 0.00% (100.00%)
Filter 1 : 0 : 0.00% (
0.00%)
Total Filter Selected : 0 : 0.00% (
0.00%)
Other Statistics:
Flow Records Generated : 0
Flow Record Sends : 0
Export Cache Flushes : 7114
Template Resends : 711
Option Resends : 711
No Connected Collector Drops : 0
Option Record Sends : 0
LQM Observations : 0

inspect ipfix collector-stats


Use the inspect ipfix collector-stats command to present status information for
IPFIX collectors. This command displays details of operation and error conditions including
misconfiguration or interactions with other modules, and data loss.

Command

inspect ipfix collector-stats

Options

None

Command Notes

Role Super, Read Only

Prisma SD-WAN ION Device CLI Reference 376 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Related Commands —

Introduced in Release 5.5.1

Example

inspect ipfix collector-stats Collector 1:


Host:Port : [Link]:4739
Protocol : TCP
Source Interface IP : [Link]
Status : Down (connection failures)
Connection:
Successes : 0
Failures : 188
Disconnects : 0
Operation Counters:
Buf Appends : 0
Buf Emit Errors : 0
No Session Drops : 181Collector 2:
Host:Port : [Link]:2055
Protocol : UDP
Source Interface IP : [Link]
Status : Up
Connection:
Successes : 1
Failures : 0
Disconnects : 0
Operation Counters:
Buf Appends : 2242
Buf Emit Errors : 0
No Session Drops : 0
No outstanding alarm.
IPFIX Interface Collector Contexts:
16092007245570119 : cc
IPFIX Interface Filter Contexts : *None*

inspect ipfix app-table


Use the inspect ipfix app-table command to present mapping information exported in
the IPFIX option records. The standard applicationId (IANA 95) information element provides
the AppId value as a part of the flow data record. Collectors need to associate the exported
application identifiers with the application names.

Command

inspect ipfix app-table

Options

None

Prisma SD-WAN ION Device CLI Reference 377 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.5.1

Example

inspect ipfix app-table | grep netbios


Application Name IPFIX..App Id (Hex)
--------------------- ----------------------- ------------------
netbios 6..14585908745650047
0x060033d1ce8582bf7f

inspect ipfix wan-path-info


Use the inspect ipfix wan-path-info command to map the Information Element exported
WAN path identifiers (WAN Path IDs) to a descriptive name.

Command

inspect ipfix wan-path-info

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.5.1

Example

inspect ipfix wan-path-info WAN Path ID


SNMP Index IPFIX Fltr Ctx ID
Description-------------------- ---------- --------------------
----------------------------------------15047410360090142 3
16035667810610193
direct:L3_ATLANTA:private-1:privatewan:115796481404180227 6
16038947021630138
vpn:publi[Link]979380243:415796472170550216
6 16038947021630138 direct:CGNX-PAN-GRE-

Prisma SD-WAN ION Device CLI Reference 378 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Test:public-2:publicwan:415863060010090181 6
service-link:gre:ZScalar-GRE-
Primary-1:public15047410360100143 5
direct:AT&T_ATLANTA:public-1:publicwan:315641674342680164
5
AT&T_ATLANTA:DC_NY:DC_AT&T:15035407979380243:3

inspect ipfix interface-info


Use the inspect ipfix interface-info command to present mapping information for all
interfaces and view the collector context attached to an interface.

Command

inspect ipfix interface-info

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.5.1

Example

Interface ID Interface Name Device SNMP Index


IPFIX Context ID (Type) IPFIX Context Name
-------------------- -------------------------
---------------- ---------- ------------------------
--------------------------------
15759796305670035 23.123 eth2.123
21
15670679352910161 9 eth9
11
15670679351650126 3 eth3
5
15734532300070135 BVI-1 vi2
19 16097351040390067 (F) Filter-115670679353260189 2
eth2 415670679352040140 1
eth1 3 16097350669480033 (C) CC-1

16097370807850021 (F) FILTER CONTEXT OVERRIDE


15670679352470147 6 eth6
8

Prisma SD-WAN ION Device CLI Reference 379 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

15761299727860133 89.1113 eth8.1113


20
15670679353020168 4 eth4
6 16097617291090212 (C)15670679351940133 8
eth8 10
15670679353080175 5 eth5
7
15670679352830154 controller 1 eth0
2
15670679353130182 7 eth7
9
INTERFACES Flow Field Option : false
SNMP agent is running

inspect ip-rules
Use the inspect ip-rules command to inspect the IP rules configured on the device and to
display all the Linux IP policy rules configured on the device.

Command

inspect ip-rules

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.4.1

Example

inspect ip-rules
0: from all lookup local1
0: from all iif eth2 lookup core-in1
0: from all iif eth1 lookup core-in1
1: from all iif veth-e1-p-2 lookup core-out-veth-e1-p-210
0: from all iif eth3 lookup internet-eth310
0: from [Link] lookup internet-eth310
0: from all to [Link] lookup internet-eth310
0: from all oif eth3 lookup internet-eth320
0: from all iif eth0 lookup mgmt20
0: from [Link] lookup mgmt20
0: from all to [Link] lookup mgmt20
0: from all oif eth0 lookup mgmt3276

Prisma SD-WAN ION Device CLI Reference 380 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

6: from all lookup main3276


7: from all lookup default

inspect ipv6-rules
Use the inspect ipv6-rules command to display all the IPv6 rules.

Command

inspect ipv6-rules

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 6.0.1

Example

inspect ipv6-rules
0: from all lookup local
1000: from all lookup [l3mdev-table]
2050: from all iif eth1 lookup privwan-in-eth1
2050: from all to 2008::5 lookup privwan-in-eth1
2051: from 2008::5 lookup privwan-out-eth1
2051: from all oif eth1 lookup privwan-out-eth1
2051: from all iif v-eth1-p lookup privwan-out-eth1
2053: from all iif v-ppp1-p lookup 2053
2100: from all iif ppp1 lookup 2100
2100: from all to 3009::210 lookup 2100
2100: from all to 2005::65 lookup 2100
2101: from 3009::210 lookup 2101
2101: from all oif ppp1 lookup 2101
2101: from 2005::65 lookup 2101
32766: from all lookup main

inspect lqm stats


Use the inspect lqm stats command to inspect the link quality metrics (LQM). Statistics
displayed provide visibility into RTT latency, packet loss, latency, jitter, and MOS score.

Prisma SD-WAN ION Device CLI Reference 381 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

inspect lqm stats (all | path-id=


<Path ID> |
path type)

Options

all Enter all to inspect statistics for all interfaces.

path-id Enter the Path ID to inspect statistics for the path.

path-type Enter the Path Type to inspect statistics for the path.
Release 5.6.1

Command Notes

Role Super, Read Only

Related Commands

Introduced in Release 5.2.1

Example

inspect lqm stats internet


Path-ID : 16285759500410061
Path Type : internet
RTT latency : 0.424500
Uplink jitter : 0.319195
Uplink packet loss : 0.000000
Uplink mos : 4.409286
Downlink jitter : 0.317220
Downlink packet loss : 0.000000
Downlink mos : 4.409286
Link healthy : true
Last stats computed at : 16 Aug 2021 [Link]
Last stats published at : 16 Aug 2021 [Link]
----------------------------------------
inspect lqm stats servicelink
Path-ID : 15396733776120181
Path Type : private servicelink
RTT latency : 0.443167
Uplink jitter : 0.086628
Uplink packet loss : 0.000000
Uplink mos : 4.409286
Downlink jitter : 0.359310
Downlink packet loss : 0.000000
Downlink mos : 4.409286
Link healthy : true

Prisma SD-WAN ION Device CLI Reference 382 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Last stats computed at : 16 Aug 2021 [Link]


Last stats published at : 16 Aug 2021 [Link]
----------------------------------------
inspect lqm stats vpn
Path-ID : 16286157282240029
Path Type : public vpn
Branch Site Info :
Site ID : 15476294007940142
Site Name : MUMBAI
RTT latency : 0.437167
Uplink jitter : 0.111514
Uplink packet loss : 0.000000
Uplink mos : 4.409286
Downlink jitter : 0.232811
Downlink packet loss : 0.000000
Downlink mos : 4.409286
Link healthy : true
Last stats computed at : 16 Aug 2021 [Link]
Last stats published at : 16 Aug 2021 [Link]
----------------------------------------

inspect memory summary


Use the inspect memory summary command to display the memory allocation and statistics.

Command

inspect memory summary

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.7.1

Example

inspect memory summary


Virtual Memory Statistics procs -----------memory---------- ---
swap-- -----io---- -system-- ------cpu----- r b swpd free buffcache
si so bi bo in cs us sy id wa st 2 0 0 911204 76656 216120 00 40 10
536 1269 3 2 95 1 0

Device memory information:

Prisma SD-WAN ION Device CLI Reference 383 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

-----------------------------------------
MemTotal: 2047916 kB
MemFree: 911204 kB
MemAvailable: 1163032 kB
Buffers: 76656 kB
Cached: 186992 kB
Active: 876520 kB
Inactive: 145404 kB
Active(anon): 760368 kB
Inactive(anon): 6004 kB
Active(file): 116152 kB
Inactive(file): 139400 kB
Unevictable: 2192 kBM
locked: 2192 kB
SwapTotal: 1023996 kB
SwapFree: 1023996 kB
Dirty: 76 kB
AnonPages: 760432 kB
Mapped: 38620 kB
Shmem: 6264 kB
Slab: 49984 kB
SReclaimable: 29128 kB
SUnreclaim: 20856 kB
KernelStack: 6104 kB
PageTables: 11740 kB
CommitLimit: 2047952 kB
Committed_AS: 3705744 kB
VmallocTotal: 34359738367 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB
DirectMap4k: 16320 kB
DirectMap2M: 2080768 kB

inspect network-policy conflicts


Use the inspect network-policy conflict command to inspect the conflicting network
policy rules. A configuration conflict occurs when multiple rules have the same classification
criteria in common such that it is ambiguous as to which rule should be chosen.

Command

inspect network-policy conflicts

Options

None

Prisma SD-WAN ION Device CLI Reference 384 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only

Related Commands

Introduced in Release 5.0.1

Example

inspect network-policy conflicts


Network Policy Rule : 15311157630600173 : C-1
Policy Set : 15282771307010195 : Policy Set-1
Stack Index | Order Number: 0 | 1024
Source Prefix : 15272331126400047 : EnterpriseGlobalPrefix
Destination Prefix : 15311156874260255 :
Application Id : 15186805682900053 : adobeconnect
Network_Context Id : none
Source : Destination : Conflicting Policy
[Link]/16 : [Link]/0 : 15311158615700214 :
C-2
[Link]/12 : [Link]/0 : 15311158615700214 :
C-2
[Link]/8 : [Link]/0 : 15311158615700214 :
C-2

Network Policy Rule : 15311158615700214 : C-2


Policy Set : 15282771307010195 : Policy Set-1
Stack Index | Order Number: 0 | 1024
Source Prefix : 15272331126400047 : EnterpriseGlobalPrefix
Destination Prefix : 15311158461310162 :
Application Id : 15186805682900053 : adobeconnect
Network_Context Id : none
Source : Destination : Conflicting Policy
[Link]/16 : [Link]/0 : 15311157630600173 : C-1
[Link]/12 : [Link]/0 : 15311157630600173 : C-1
[Link]/8 : [Link]/0 : 15311157630600173 : C-1

inspect network-policy conflicts


Network Policy Rule : 1664343200310006628 : match icmp

Policy Set : 1662009498094024828 : test user-id

Stack Index | Order Number: 0 | 1024


Source Prefix : 1658477619909015028 : Branch 1 Lan client

Destination Prefix : none


Users : UserGroups :
:
CN=engineering,DC=sdwanamsteltest,DC=onmicrosoft,DC=com :
:
CN=sales,DC=sdwanamsteltest,DC=onmicrosoft,DC=com :
Application Id : 1658139887050014528 : icmp

Prisma SD-WAN ION Device CLI Reference 385 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Network_Context Id : none
Source : Destination : Conflicting Policy
[Link]/32 : [Link]/0 : 1664346696667006328 :
match icmp duplicate

Network Policy Rule : 1664346696667006328 : match icmp duplicate

Policy Set : 1662009498094024828 : test user-id

Stack Index | Order Number: 0 | 1024


Source Prefix : 1664346663085024328 : Branch 1 Lan client
duplicate
Destination Prefix : none
Application Id : 1658139887050014528 : icmp

Network_Context Id : none
Source : Destination : Conflicting Policy
[Link]/32 : [Link]/0 : 1664343200310006628 :
match icmp

inspect network-policy dropped


Use the inspect network-policy dropped command to inspect the dropped network
policy rules. A configuration drop occurs when the complexity of the configuration requires more
resources than allowed by the resource limit.
The policy rule complexity depends on multiple factors:
• Number of Applications.
• Number of Source IP Prefixes in the Source Prefix List.
• Number of Destination IP Prefixes in the Destination Prefix List.
• Application overlap within Policy Sets and within a Policy Set Stack.
Generally, rules requiring the most resources (other than default rules) are dropped first to stay
within the resource limit.

Command

inspect network-policy dropped

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Prisma SD-WAN ION Device CLI Reference 386 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 5.0.3

Example

inspect network-policy dropped


Network Policy Resource Usage:
Resource Limit : 1350000
Required Resources : 10
Adjusted Resource Use : 10
Non-Optimized Resource Use : 10
No dropped rules [Link] network-policy dropped
Network Policy Resource Usage:
Resource Limit : 400
Required Resources : 423
Adjusted Resource Use : 400
Non-Optimized Resource Use : 423
Network Policy Rule : 15300304239150020 : newrelic-Policy
Policy Set : 15300304235910157 : MKC-OrigPolicySet1
Stack Index : 0
Application Count : 1
Source Prefix : none
Destination Prefix : none
Resource Count : 1
Network Policy Rule : 15300304237690074 : scps-Policy
Policy Set : 15300304235910157 : MKC-OrigPolicySet1
Stack Index : 0
Application Count : 1
Source Prefix : none
Destination Prefix : none
Resource Count : 1. . .

inspect network-policy hits policy-rules


Use the inspect network-policy hits policy-rules command to inspect the hit
counts for network policy rules. Filtering is provided to limit the list displayed and make it easier
to distinguish changes. The reset-diff option resets the New Hits counter to zero. The diff-only
option used after the reset-diff option displays only those policy rules where the New Hits value
is non-zero.

Command

inspect network-policy hits policy-rules ( all | reset-diff | diff-


only )

Options

all Enter all to display hit count information for all network policy rules.

reset-diff Enter reset-diff to reset New Hits to zero.

Prisma SD-WAN ION Device CLI Reference 387 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

diff-only Enter diff-only to display policy rules where the New Hits value is non-zero.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.0.1

Example

inspect network-policy hits policy-rules diff-only


Network Policy Name Policy ID Total Hits
New Hits
------------------ -------------------------- -------------
----------
enterprise-default 15037814306340038 175
175
Cloudgenix-Control-Policy 14732427836910250 58
58
ssl-Policy 14732427833800136 18
18
Cloudgenix-PCM-Policy 14732427839350042 48
48
ntp-Policy 14732427820940210 6
6

inspect network-policy lookup


Use the inspect network-policy lookup command to identify the potential network
policies for an application flow.
The options Source IP, Destination IP, and Network Context provide to limit the list displayed
and make it easier to identify changes. Rules that override by another rule in the Active Override
column show the currently active policy rule.

Command

inspect network-policy lookup (app-wildcard |


application= application name| nctx-wildcard | network-context=
network context ID| srcv4=src-ipv4| dstv4=dstipv4)

Options

all Enter all to display hit count information for all network
policy rules.

Prisma SD-WAN ION Device CLI Reference 388 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

reset-diff Enter reset-diff to reset New Hits to zero.

diff-only Enter diff-only to display policy rules where the New Hits
value is non-zero.

reset-diff Enter reset-diff to reset New Hits to zero.

diff-only Enter diff-only to display policy rules where the New Hits
value is non-zero.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.0.1

Example

inspect network-policy hits policy-rules diff-only


Network Policy Name Policy ID Total
Hits New Hits
-------------------------- -----------------
------------- ----------
enterprise-default 15037814306340038 175
175
Cloudgenix-Control-Policy 14732427836910250 58
58
ssl-Policy 14732427833800136 18
18
Cloudgenix-PCM-Policy 14732427839350042 48
48
ntp-Policy 14732427820940210 6
6

inspect network-policy lookup application=1658139887050014528


srcv4=[Link] dstv4=[Link] nctx-wildcard
Requested App Id: 1658139887050014528 : icmp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network Policy Rule : 1664343200310006628 : match icmp

Policy Set : 1662009498094024828 : test user-id

Stack Index | Order Number: 0 | 1024


Matching App Id : 1658139887050014528 : icmp

Source Prefix : none


Destination Prefix : none
Users : UserGroups :

Prisma SD-WAN ION Device CLI Reference 389 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

:
CN=engineering,DC=sdwanamsteltest,DC=onmicrosoft,DC=com :
:
CN=sales,DC=sdwanamsteltest,DC=onmicrosoft,DC=com :
Network_Context Id : none
Source : Destination : Active Override
[Link]/0 : [Link]/0 :

inspect network-policy lookup application=ssh


Requested App Id: 16282366122080176 : ssh
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network Policy Rule : 1652700894751007228 : testService
Policy Set : 1652700894685007028 : Policy Set (Simple)
Stack Index | Order Number: 0 | 512
Matching App Id : 16282366122080176 : ssh
Source Prefix : none
Destination Prefix : none
Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
[Link]/0 : [Link]/0 :

Network Policy Rule : 1680667485074019628 : test-1


Policy Set : 1652700894685007028 : Policy Set (Simple)
Stack Index | Order Number: 0 | 1024
Matching App Id : WILDCARD :
Source Prefix : none
Destination Prefix : none
Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
[Link]/0 : [Link]/0 :

Network Policy Rule : 1666103611987024728 : pp_global_rule_1


Policy Set : 1652700894685007028 : Policy Set (Simple)
Stack Index | Order Number: 0 | 1024
Matching App Id : WILDCARD :
Source Prefix : 1666155200086004428 : GlobalP1
Destination Prefix : 1666155062360019328 : GlobalP2
Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
[Link]/12 : [Link]/8 :
[Link]/8 : [Link]/8 :

Network Policy Rule : 1652700894994004728 : enterprise-default


Policy Set : 1652700894674004428 : Default Rule Policy Set
(Simple)
Stack Index | Order Number: 1 | 10024
Matching App Id : WILDCARD :
Source Prefix : none
Destination Prefix : 16282366020950094 : EnterpriseGlobalPrefix
Users : any

Prisma SD-WAN ION Device CLI Reference 390 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
[Link]/0 : [Link]/32 :
: [Link]/32 :
: [Link]/32 :
: [Link]/32 :
: [Link]/32 :
: [Link]/25 :
: [Link]/24 :
: [Link]/24 :
: [Link]/24 :
: [Link]/24 :
: [Link]/24 :

Network Policy Rule : 1652700894752004628 : default


Policy Set : 1652700894674004428 : Default Rule Policy Set (Simple)
Stack Index | Order Number: 1 | 10240
Matching App Id : WILDCARD :
Source Prefix : none
Destination Prefix : none
Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
[Link]/0 : [Link]/0 : 1680667485074019628 : test-1

Requested App Id: 16282366122080176 : ssh


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network Policy Rule : 1652700894751007228 : testService
Policy Set : 1652700894685007028 : Policy Set (Simple)
Stack Index | Order Number: 0 | 512
Matching App Id : 16282366122080176 : ssh
Source Prefix : none
Destination Prefix : none
Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
::/0 : ::/0 :

Network Policy Rule : 1666246797922021528 : Local-test-rule


Policy Set : 1652700894685007028 : Policy Set (Simple)
Stack Index | Order Number: 0 | 1024
Matching App Id : WILDCARD :
Source Prefix : 1666245510839004328 : Local-Test
Destination Prefix : 1666246951267022228 : Local-Test-IPV6
Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
2001::/65 : 2001::/67 :
: 2001::/65 :

Network Policy Rule : 1680667485074019628 : test-1

Prisma SD-WAN ION Device CLI Reference 391 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Policy Set : 1652700894685007028 : Policy Set (Simple)


Stack Index | Order Number: 0 | 1024
Matching App Id : WILDCARD :
Source Prefix : none
Destination Prefix : none
Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
::/0 : ::/0 :

Network Policy Rule : 1666103611987024728 : pp_global_rule_1


Policy Set : 1652700894685007028 : Policy Set (Simple)
Stack Index | Order Number: 0 | 1024
Matching App Id : WILDCARD :
Source Prefix : 1666155200086004428 : GlobalP1
Destination Prefix : 1666155062360019328 : GlobalP2
Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
[Link]/64 : fc00::/7 :

Network Policy Rule : 1671548683418013528 : test-count


Policy Set : 1652700894685007028 : Policy Set (Simple)
Stack Index | Order Number: 0 | 1024
Matching App Id : WILDCARD :
Source Prefix : 1667902393539019128 : Nag
Destination Prefix : 1667902393539019128 : Nag
Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
2222::/64 : 2222::/64 :

Network Policy Rule : 1652700894994004728 : enterprise-default


Policy Set : 1652700894674004428 : Default Rule Policy Set
(Simple)
Stack Index | Order Number: 1 | 10024
Matching App Id : WILDCARD :
Source Prefix : none
Destination Prefix : 16282366020950094 : EnterpriseGlobalPrefix
Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
::/0 : [Link]/64:
: [Link]/64:

Network Policy Rule : 1652700894752004628 : default


Policy Set : 1652700894674004428 : Default Rule Policy Set
(Simple)
Stack Index | Order Number: 1 | 10240
Matching App Id : WILDCARD :
Source Prefix : none
Destination Prefix : none

Prisma SD-WAN ION Device CLI Reference 392 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
::/0 : ::/0 : 1680667485074019628 : test-1

inspect performance-policy fec status


Use the inspect performance-policy fec status command to inspect the details of
FEC for the performance policy.

Command

inspect performance-policy fec status (path-id | application)

Options

path-id Enter the path ID to inspect FEC status for the path.

application Enter the application ID to view FEC status for the


application.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 6.3.1

Example

inspect performance-policy fec status path-id=1695428550797008817


application=1696037546669005617
Path-ID : 1695428550797008817
Path Type : private vpn
DC Site Info :
Site ID : 16325224801600128
Site Name : San Francisco
Uplink Packet Loss : 0.666667
Downlink Packet Loss : 2.000000
Fec Supported : True
Fec Action Match : True
Fec Applied : True
Fec Parity Upstream : 20:2 (10%)
Fec Parity Downstream : 20:2 (10%)

Prisma SD-WAN ION Device CLI Reference 393 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

inspect policy-manager status


Use the inspect policy-manager status command to inspect the status of policy
manager.

Command

inspect policy-manager status

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.0.1

Example

inspect policy-manager status


{"_net_policy_present": true,"_pri_policy_node_limit":
3000000,"_has_reached_all_policy_present":
true,"_net_policy_node_limit": 3000000,"_is_migrated_policy":
false,"_net_policy_active": true,"_pri_policy_present":
true,"is_nctx_info_on_all_ifaces": true,"_pri_policy_active": true}

inspect policy-mix lookup-flow


Use the inspect policy-mix lookup-flow command to inspect the network and priority
policies for a flow and identifies a set of applications, network-contexts, path, and priority that a
specific flow would use. Most of the options except srcport and dscp require an effective custom
application lookup.

Command

inspect policy-mix lookup-flow srcv4=src-ipv4 dstv4=dst-ipv4(prot-


nm=( udp | tcp | icmp) | prot-no= protocol number) [ srcport=src-port
| dstport=dst-port]

Options

srcv4 Enter the source IP address.

Prisma SD-WAN ION Device CLI Reference 394 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

dstv4 Enter the destination IP address.

srcport Enter the source port.

dstport Enter the destination port.

prot-nm Tab to select UDP, TCP, or ICMP.

dscp Enter a DSCP value.

prot-no Enter a protocol number ranging from 0 -255.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.0.1

Example

inspect policy-mix lookup-flow prot-nm=tcp


srcv4=10.2.53.101dstv4=[Link] dstport=443
Most Specific App Id : 14611073109530070 : yahoo
Other Detected App Ids:
15035327122180161 : ssl
Identified LAN ID : 15047412584460168
Network Context ID : 0
Policy Lookup App Ids:
15035327095370149 : yahoo
15035327122180161 : ssl
WILDCARD :
- - - - - - - - - - - - - - - - - - - - - - - - - - -
Network Policy Rule : 15035327231370099 : yahoo-Policy
Policy Set : 15035327157110245 : default
Stack Index : 0
Application : 15035327095370149 : yahoo
Source Prefix : none
Destination Prefix : 15035327218390191 : [Link]/16
Network_Context Id : none
Order Number : 1024
Is Default Rule : False
Active Paths:
direct : public-*
direct : private-*
vpn : private-1 : 15047410360090142
vpn : public-1 : 15047410360100143
Backup Paths : none
Service Context : none
Priority Policy Rule : 15035327231370099 : yahoo-Policy
Policy Set : 15035327157110245 : default

Prisma SD-WAN ION Device CLI Reference 395 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Stack Index : 0
Application : 15035327095370149 : yahoo
Source Prefix : none
Destination Prefix : none
Network_Context Id : none
Order Number : 1024
Is Default Rule : False
Priority Number : 4
DSCP Value : none

inspect priority-policy conflicts


Use the inspect priority-policy conflicts command to inspect the conflicting priority
policy rules.
A configuration conflict occurs when multiple rules have the same classification criteria in
common.

Command

inspect priority-policy conflicts

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.0.1

Example

inspect priority-policy conflicts


Priority Policy Rule : 15035327235830701 : Rule701
Policy Set : 15035327235850301 : Set301
Stack Index | Order Number: 0 | 1024
Source Prefix : 15035327235860302 : Prefix302
Destination Prefix : 15035327235860301 : Prefix301
Application Id : 15035327118070156 : ms-olap
Network_Context Id : 77770500
Source : Destination: Conflicting Policy
[Link]/32 : [Link]/16: 15035327235830702 : Rule702

Priority Policy Rule : 15035327235830702 : Rule702


Policy Set : 15035327235850301 : Set301
Stack Index | Order Number: 0 | 1024

Prisma SD-WAN ION Device CLI Reference 396 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Source Prefix : 15035327235860402 : Prefix402


Destination Prefix : 15035327235860401 : Prefix401
Application Id : 15035327118070156 : ms-olap
Network_Context Id : 15035327235870500
Source : Destination : Conflicting Policy
Source : Destination : Conflicting Policy
[Link]/32 : [Link]/16 : 15035327235830701 : Rule701

inspect priority-policy dropped


Use the inspect priority-policy dropped command to inspect the dropped policy rules.
A configuration drop occurs when the complexity of the configuration requires more resources
than allowed by the resource limit.

Command

inspect priority-policy dropped

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.0.1

Example

inspect priority-policy dropped


Priority Policy Resource Usage:
Resource Limit : 1350000
Required Resources : 409
Adjusted Resource Use : 409
Non-Optimized Resource Use : 409
No dropped rules found.

inspect priority-policy dropped


Priority Policy Resource Usage:
Resource Limit : 400
Required Resources : 409
Adjusted Resource Use : 400
Non-Optimized Resource Use : 409
Priority Policy Rule : 15302035782090225 : MKC-Policy
Policy Set : 15302033124150094 : MKC-PolicySet3
Stack Index : 0

Prisma SD-WAN ION Device CLI Reference 397 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Application Count : 2
Source Prefix Count : 2
Source Prefix : 15209663164520010 : EnterpriseGlobalPrefix
Destination Prefix Count: 1
Destination Prefix : 15287319348610122 : GlobalPrefix10
Resource Count : 4
Priority Policy Rule : 15300315132120195 : xmpp-server-Policy
Policy Set : 15300315130730009 : MKC-OrigPolicySet1
Stack Index : 1
Application Count : 1
Source Prefix : none
Destination Prefix : none
Resource Count : 1
...

inspect priority-policy hits default-rule-dscp


Use the inspect priority-policy hits default-rule-dscp command to inspect the
default rule DSCP hit counts and allows hit count information displayed for priority policy default
rule DSCP mappings. Filtering provides to limit the list displayed and to distinguish changes.

Command

inspect priority-policy hits default-rule-dscp ( all | reset-diff |


diff-only )

Options

all Enter all to display hit count information for the default rule DSCP.

reset-diff Enter reset-diff to reset New Hits to zero.

diff-only Enter diff-only to display DSCP rules where the New Hits value is non-zero.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.0.1

Example

inspect priority-policy hits default-rule-dscp all


DSCP Mapped Priority Traffic Type TotalHits New Hits
------ ------ -------- ---------- ------ -----
0 Yes 1 rt_audio 175 8
1 Yes 2 rt_audio 58 1

Prisma SD-WAN ION Device CLI Reference 398 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

2 Yes 2 rt_video 48 12
3 No 4 -------- 0 0
.
.
62
63 Yes 3 bulk 0 0

inspect priority-policy hits policy-rules


Use the inspect priority-policy hits policy-rules command to inspect the hit
counts for priority policy rules and allows hit count information displayed for priority policy rules.
Filtering provides to limit the list displayed and to distinguish changes.

Command

inspect priority-policy hits policy-rules ( all | reset-diff | diff-


only )

Options

all Enter all to display hit count information for all priority policy rules.

reset-diff Enter reset-diff to reset New Hits to zero.

diff-only Enter diff-only to display policy rules where the New Hits value is non-zero.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.0.1

Example

inspect priority-policy hits policy-rules diff-only


Network Policy Name Policy ID Total Hits
New Hits
------------------ -------------------------- -------------
----------
enterprise-default 15037814306340038 175
175
Cloudgenix-Control-Policy 14732427836910250 58
58
ssl-Policy 14732427833800136 18
18
Cloudgenix-PCM-Policy 14732427839350042 48
48

Prisma SD-WAN ION Device CLI Reference 399 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

ntp-Policy 14732427820940210 6
6

inspect priority-policy lookup


Use the inspect priority-policy lookup command to inspect the hit counts for priority
policy rules and identifies policy rules which override other rules in the stack.
The app-wildcard option inspects policy rules which do not specify any applications.

Command

inspect network-policy lookup (app-wildcard |


application= application name| nctx-wildcard | network-context=
network context ID| srcv4=src-ipv4| dstv4=dstipv4 srcv6=src-ipv6|
dstv6=dstipv6))

Options

app-wildcard Use app-wildcard to display policy rules that do not specify any application.

application Enter an application name to display policy rules for the specified
application.

nctx-wildcard Use nctx-wildcard to display policy rules that do not specify any network
context.

network-context Enter a network context ID to display policy rules for the specified network
context.

srcv4 Enter the source IP address.

dstv4 Enter the destination IP address.

srcv6 Enter the source IP address. Release 6.2.1

dstv6 Enter the destination IP address. Release 6.2.1

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.0.1

Prisma SD-WAN ION Device CLI Reference 400 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

inspect priority-policy lookup application=adobeconnect


Requested App Id : 15186805682900053 : adobeconnect
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Priority Policy Rule : 15306021021420040 : default
Policy Set : 15306021021010029 : QoS DR
Stack Index | Order Number: 0 | 1024
Matching App Id : WILDCARD :
Source Prefix : none
Destination Prefix : none
Network_Context Id : none
Source : Destination : Active Override
[Link]/0 : [Link]/0 :
Priority Policy Rule : 15306021022360045 : enterprise-default
Policy Set : 15306021021010029 : QoS DR
Stack Index | Order Number: 0 | 1024
Matching App Id : WILDCARD :
Source Prefix : none
Destination Prefix : 15272331126430048 : EnterpriseGlobalPrefix
Network_Context Id : none
Source : Destination : Active Override
[Link]/0 : [Link]/16 :
: [Link]/12:
: [Link]/8 :

inspect priority-policy lookup application=1658139888834015928


srcv4=[Link] dstv4=[Link] nctx-wildcard
Requested App Id: 1658139888834015928 : ping

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Priority Policy Rule : 1667810193597008628 : test default user

Policy Set : 1662017536133021028 : test-userid

Stack Index | Order Number: 0 | 1025


Matching App Id : 1658139888834015928 : ping

Source Prefix : none


Destination Prefix : none
Users : UserGroups :
:
CN=engineering,DC=sdwanamsteltest,DC=onmicrosoft,DC=com :
:
CN=sales,DC=sdwanamsteltest,DC=onmicrosoft,DC=com :
Network_Context Id : none
Source : Destination : Active Override
[Link]/0 : [Link]/0 :

inspect priority-policy lookup srcv6=3000::1 application=timbuktu


Requested App Id: 16409223713350210 : timbuktu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Priority Policy Rule : 16409225137330230 : default
Policy Set : 16409225090350228 : Default QoS Simple
Stack Default Rule Policy Set (Simple)

Prisma SD-WAN ION Device CLI Reference 401 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Stack Index | Order Number: 0 | 1024


Matching App Id : WILDCARD :
Source Prefix : none
Destination Prefix : none
Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
::/0 : ::/0 :

Priority Policy Rule : 16409225162750231 : enterprise-default


Policy Set : 16409225090350228 : Default QoS Simple
Stack Default Rule Policy Set (Simple)
Stack Index | Order Number: 0 | 1024
Matching App Id : WILDCARD :
Source Prefix : none
Destination Prefix : 16409222610090238 :
EnterpriseGlobalPrefix
Users : any
UserGroups : any
Network_Context Id : none
Source : Destination : Active Override
::/0 : fc00::/7

inspect performance-policy incidents


Use the inspect performance-policy incidents command to inspect the incident
summary and details of the link quality circuits for performance policies and identify potential
system related health alarms.

Command

inspect performance-policy incidents type ( link-quality


circuit=Circuit ID<summary | details> |
system-health health-type = < cpu | memory | disk > | circuit-health
circuit = Circuit ID )

Options

summary Enter circuit ID to inspect the performance


policy incidents summary.

details Enter circuit ID to inspect the performance


policy incidents summary details.

circuit-health Enter the circuit type for which the incident


was raised to view incident information
for the circuit. These include bandwidth
utilization, monitoring approach and raise
above and clear below values.

Prisma SD-WAN ION Device CLI Reference 402 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

circuitID: Enter the circuit ID to identify the


circuit for which the incident is raised.
Release 6.4.1

health-type Enter the system type for which the incident


was raised. The information includes CPU,
memory, and disk information of the system.
Release 6.4.1

Command Notes

Role Super, Read Only, Monitor

Related Commands NA

Introduced in Release 6.3.1

Example

inspect performance-policy incidents type link-quality


circuit=1697698664341010637 details

========================================
Circuit ID : 1697698664341010637
========================================

Policy Rule : Filters (1701923892838000737)


Policy Set : Hello (1701923835766003137)
Idle Since : 0 Minutes
EMA (Bad samples percent) : 0.000000
Alarm Standing : false
Monitored Paths :
Path ID : 1702032497450001537
Raise Alarm Above : 70
Clear Alarm Below : 50
Monitoring Approach : MODERATE
Current Bucket Stats :
Monitored Paths :
Path ID : 1702032497450001537
Bad Paths :
First Sample At : 11 Dec 2023 [Link]
Last Sample At : 11 Dec 2023 [Link]
Previous Bucket Stats : NA
inspect performance-policy incidents type link-quality
circuit=1697698664341010637 summary

inspect performance-policy incidents type link-quality


circuit=1697698664341010637 summary

Prisma SD-WAN ION Device CLI Reference 403 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

========================================
Circuit ID : 1697698664341010637
========================================

Policy Rule : Filters (1701923892838000737)


Policy Set : Hello (1701923835766003137)
EMA (Bad samples percent) : 0.000000
Alarm Standing : false
Monitored Paths :
Path ID : 1702032497450001537

inspect performance-policy incidents type system-health health-


type=cpu details
System Type : CPU
========================================

Policy Rule : CPUUtilization123


(1712646980313000337)
Policy Set : TestPolicySet (1711686637498019637)
Idle Since : 0 Minutes
EMA (Bad samples percent) : 0.000000
Alarm Standing : false
Raise Alarm Above : 70
Clear Alarm Below : 50
Monitoring Approach : MODERATE
Current Bucket Stats :
Bad Samples :
Sample : 33.757069 %
Sample : 33.284089 %
First Sample At : 25 Apr 2024 [Link]
Last Sample At : 25 Apr 2024 [Link]
Previous Bucket Stats : NA

inspect performance-policy incidents type site-health


circuit=ChennaiPublicSWI1 details
Circuit : ChennaiPublicSWI1 (1705120337130021137)
========================================

Policy Rule : CPUUtilization123


(1712646980313000337)
Policy Set : TestPolicySet (1711686637498019637)
Idle Since : 0 Minutes
EMA (Bad samples percent) : 0.000000
Alarm Standing : false
Raise Alarm Above : 70
Clear Alarm Below : 50
Monitoring Approach : MODERATE
Current Bucket Stats :
Bad Samples :
Sample : 4.029699% (Uplink BW Util),
8.512731% (Downlink BW Util)
Sample : 40.768729% (Uplink BW Util),
0.021723% (Downlink BW Util)
First Sample At : 25 Apr 2024 [Link]
Last Sample At : 25 Apr 2024 [Link]

Prisma SD-WAN ION Device CLI Reference 404 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Previous Bucket Stats : NA

inspect performance-policy lookup


Use the inspect performance-policy lookup command to inspect and identify the
potential performance policies for an application flow.

Command

inspect performance-policy lookup ( application= appID or appName |


path-id= pathID |
threshold-type=<app-perf | lqm-perf> | health-type= <cpu | memory |
disk | circuit | flow-util> )

Options

application Enter application ID / application name to


inspect the performance policy rules.
appID: Enter an application ID to display
policy rules for the application.
appName: Enter an application name to
display policy rules for the application.

health-type Enter the health type to display the policy


thresholds. These include system health,
metrics health, system performance
thresholds, and circuit utilization thresholds.

path-id Enter path ID to inspect performance policies


rules.

threshold-type Enter the threshold type as application


performance or LQM to inspect the
application performance.
Lqm-perf: Enter the Link Quality Metrics
threshold configurations for the policy.
App-perf: Enter the application performance
thresholds for the policy.

Command Notes

Role Super, Read Only, Monitor

Related Commands NA

Prisma SD-WAN ION Device CLI Reference 405 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 6.3.1

Example

inspect performance-policy lookup path-id=1699889670704015737


Requested PathID: 1699889670704015737

Performance Policy Rule : Default-PerfMgmtRule-Visibility


(1690882969061024037)
Performance Policy Rule Num : 1
Performance Policy Set : Default-PerfMgmtPolicySet
(1690882969054023637)
Performance Policy Stack : Default-PerfMgmtPolicySetStack
(1690882969064024237)
App Filters :
App Transfer Types :
Applications :
Path Filters :
Service Labels :
Lqm Thresholds :
MaxJitter : 40
MaxLatency : 150
MaxPacketLoss : 2
Actions :
Action Type : visibility

inspect performance-policy hits analytics


Use the inspect performance-policy hits analytics command to inspect the hit
counts for performance policy rules and allows hit count information displayed for performance
policy rules.

Command

inspect performance-policy hits analytics threshold-type=lqm-perf


(all | diff-only | reset-diff )

Options

all Enter all to display hit count information for


all performance policy rules.

diff-only Enter diff-only to display policy rules where


the New Hits value is non-zero.

reset-diff Enter reset-diff to reset New Hits to zero.

Prisma SD-WAN ION Device CLI Reference 406 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands NA

Introduced in Release 6.3.1

Example

inspect performance-policy hits analytics threshold-type=lqm-perf


Policy ID Performance Policy Name Total Hits
New Hits
1690882969061024037 Default-PerfMgmtRule-Visibility 5
5
1701923892838000737 Filters 2
2
BR-SITE1-ELEM1# inspect performance-policy hits analytics threshold-
type=lqm-perf diff-only
Policy ID Performance Policy Name Total Hits
New Hits
1690882969061024037 Default-PerfMgmtRule-Visibility 10
10
1701923892838000737 Filters 4
4

inspect process status


Use the inspect process status command to inspect the status of processes running on
the device. Information displayed includes Process ID, name of the process, CPU consumption in
percentage, memory consumption in KB, and the time in hours, minutes, and seconds for which
the process is running.

Command

inspect process status

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.1.1

Prisma SD-WAN ION Device CLI Reference 407 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Example

inspect process status


PID NAME CPU (%) MEM (kB) UPTIME
784 syslogd 0.041930 948 42m0s
21522 mrl_agent.py 1.099557 37298 213h6m0s
1058 scm 0.132904 6575 332h48m0s

inspect qos-bwc debug-state


Use the inspect qos-bwc debug-state command to inspect details of the current debug
state for all QoS Enforcement.

Command

inspect qos-bwc debug-state

Options

None

Command Notes

Role Super, Read Only, Monitor

Related Commands dump qos-bwc config

Introduced in Release 6.0.1

Example

inspect qos-bwc debug-state


qos-bwc-iface-list
-----------------------------------------
Interface Name State Ingress Agent Egress Agent
Egress Id
ethr3 Active 201 200 1

ethr1 Active 101 100 2

vpn2 Active 101 100 3

vpn1 Active 201 200 4

v-ethr3 Active 201 200 5

v-ethr1 Active 101 100 7

Prisma SD-WAN ION Device CLI Reference 408 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

qos-bwc-agent-list
-----------------------------------------
. . .

qos-bwc-hfsc-list <agent-id>
-----------------------------------------
. . .

for each agent-id


.
.

qos-bwc-fq-codel-list <agent-id>
-----------------------------------------
. . .

for each agent-id


.
.

qos-bwc-core-stats
-----------------------------------------
. . .

inspect qos-bwc queue-history


Use the inspect qos-bwc queue-history command to inspect details of the QoS
bandwidth queue history information.

Command

inspect qos-bwc queue-history [ latest ]

Options

history Enter the history to inspect QoS


queue activity records for up to
the last 5 minutes.

latest Enter the history with latest


to inspect QoS queue activity
records for just the last 1 minute.

Prisma SD-WAN ION Device CLI Reference 409 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only, Monitor

Related Commands dump qos-bwc config

Introduced in Release 6.0.1

Example

inspect qos-bwc queue-history


WAN Path Id-Dir Queue@Agnt Class-Desc Sum Min Max Ave
Min Max Lmt Ave Min Max

Tue Feb 28 [Link] UTC 2023


1677043285250000596-egress 11@200 P1 Video drops 0 0 0
qlen 1 0 32 256 bps 151932577 139761280 161067120
1677043285250000596-egress 13@200 P1 Bulk drops 0 0 0
qlen 0 0 14 256 bps 101310509 91270320 108122160
1677043285250000596-egress 12@200 P1 Audio drops 0 0 0
qlen 1 0 29 256 bps 262335185 252243120 269063520
1663572292988015596-ingress 12@301 P1 Audio drops 0 0 0
qlen 1 0 29 256 bps 145550412 33281920 155918560
1663572292988015596-ingress 42@301 P4 Audio drops 0 0 0
qlen 1 0 13 256 bps 100576373 88003440 108751440
1663572292988015596-ingress 43@301 P4 Bulk drops 0 0 0
qlen 1 0 16 256 bps 109010524 108762080 109262160
1663572292988015596-ingress 41@301 P4 Video drops 0 0 0
qlen 2 0 22 256 bps 150887790 131967920 163132480

inspect qos-bwc queue-snapshot


Use the inspect qos-bwc queue-snapshot command to inspect details of the QoS
bandwidth queue snapshot information.

Command

inspect qos-bwc queue-snapshot agent= agent number [queue= queue


number|all ]

Options

snapshot agent= Provide the QoS agent number


to indicate which agent to
inspect. (This must always be
provided.)

queue= Enter the snapshot agent


number with queue number

Prisma SD-WAN ION Device CLI Reference 410 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

to get all the queue details for


a specific QoS queue. Do not
specify the queue= or specify
the queue = all to get the queue
details for all queues associated
with the QoS agent.

Command Notes

Role Super, Read Only, Monitor

Related Commands dump qos-bwc config

clear qos-bwc queue-snapshot

Introduced in Release 6.0.1

Example

inspect qos-bwc queue-snapshot agent=201 queue=all

Queue ID: 11 QLimit: 256 FlowQs: 256 Active FlowQs: 0


Packets Bytes
xmit_cnt: 0 0
lmt_drop_cnt: 0 0
aqm_drop_cnt: 0 0
total_drop_cnt: 0 0
queue_length: 0 0
max_flowq_len: 0 0

inspect qos-bwc queue-snapshot agent=301 queue=41


Queue ID: 41 QLimit: 256 FlowQs:
256 Active FlowQs: 1
Packets Bytes
xmit_cnt: 41180472 54770026878

lmt_drop_cnt: 0 0
aqm_drop_cnt: 0 0
total_drop_cnt: 0 0
queue_length: 5 6650
max_flowq_len: 5 6650

inspect routing multicast fc site-iface


Use the inspect routing multicast fc site-iface command to inspect the local and
remote site id published data of the multicast.

Prisma SD-WAN ION Device CLI Reference 411 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command

inspect routing multicast fc site-iface (local id= | remote-site id=)

Options

local id Enter local id to display the published data of the


multicast.

remote-site id Enter remote-site id to display the published data


of the multicast.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 6.0.1

Example

inspect routing multicast fc site-iface local id=1650537302974020296


Received published data
======================================================
Peer Site Id ==> 0 | Local Id ==> 0
======================================================

+------------------------------------------------------------------------------
+
| key : 0 | mroute-count : 0 | vpn-count : 0 | is-up : False |
| is-valid : False | avg-mroutes-per-vpn : 0 | usable-wan-count :
0 | used-wan-count : 0|

+------------------------------------------------------------------------------
+
Preferred vpn :

+------------------------------------------------------------------------------
+
| name : | vpnlink_id : 0 | type : | usable : False |

+------------------------------------------------------------------------------
+
Statistics :

+------------------------------------------------------------------------------
+

Prisma SD-WAN ION Device CLI Reference 412 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

| hello-tx : 0 | register-tx : 0 | register-stop-tx : 0 | join-


prune-tx : 0 | bootstrap-tx : 0 |
| hello-rx : 0 | register-rx : 0 | register-stop-rx : 0 | join-
prune-rx : 0 | bootstrap-rx : 0 |

+------------------------------------------------------------------------------
+

inspect routing multicast fc site-iface remote-site


id=16420688997280209
Received published data
======================================================
Peer Site Id ==> 0 | Local Id ==> 0
======================================================

+------------------------------------------------------------------------------
+
| key : 0 | mroute-count : 0 | vpn-count : 0 | is-up : False |
| is-valid : False | avg-mroutes-per-vpn : 0 | usable-wan-count :
0 | used-wan-count : 0|

+------------------------------------------------------------------------------
+
Preferred vpn :

+------------------------------------------------------------------------------
+
| name : | vpnlink_id : 0 | type : | usable : False |

+------------------------------------------------------------------------------
+
Statistics :

+------------------------------------------------------------------------------
+
| hello-tx : 0 | register-tx : 0 | register-stop-tx : 0 | join-
prune-tx : 0 | bootstrap-tx : 0 |
| hello-rx : 0 | register-rx : 0 | register-stop-rx : 0 | join-
prune-rx : 0 | bootstrap-rx : 0 |

+------------------------------------------------------------------------------
+

inspect routing multicast interface


Use the inspect routing multicast interface command to inspect the forwarding
state of the multicast enabled interfaces.

Command

inspect routing multicast interface

Prisma SD-WAN ION Device CLI Reference 413 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

None

Command Notes

Role Super, Read Only

Related Commands dump routing multicast interface

Introduced in Release 5.6.1

Example

inspect routing multicast interface


VIF Interface BytesIn PktsIn BytesOut PktsOut Flags
Local Remote
0 pimreg 10368 81 0 0 00004
[Link] [Link]
1 eth1 0 0 176640 1380 00000
[Link] [Link]
2 eth2 166272 1299 0 0 00000
[Link] [Link]

inspect routing multicast mroute


Use the inspect routing multicast mroute command to inspect the forwarding state of
the multicast.

Command

inspect routing multicast mroute (table | cache)

Options

table Enter table to display the multicast forwarding


route table entries.

cache Enter cache to display the entry of multicast


forwarding statistics.

Prisma SD-WAN ION Device CLI Reference 414 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.6.1

Example

inspect routing multicast mroute table


([Link],[Link]) Iif: eth1 Oifs: eth3
State: resolved
([Link],[Link]) Iif: eth3 Oifs: eth2
State: resolved

inspect routing multicast mroute cache


Group Source IIF Pkts Bytes Wrong
OIFs(interface:ttl)
[Link] [Link] eth1 6653 851584 32
eth3:1
[Link] [Link] eth3 147 18816 0
eth2:1

inspect security-policy lookup


Use the inspect security-policy lookup command to identify the potential security
policies for an application flow.

Command

inspect security-policy lookup (src-network-id= | dst-network-id= |


srcv4= | dstv4= | srcport= | dstport= | prot-no=)

inspect security-policy lookup (src-network-id= | dst-network-id= |


srcv4= | dstv4= | srcv6= | dstv6= | srcport= | dstport= | prot-no=)

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Prisma SD-WAN ION Device CLI Reference 415 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Introduced in Release 5.6.1

Example

inspect security-policy lookup src-network-id=16200275524390210 dst-


network-id=100
srcv4=[Link] dstv4=[Link] srcport=8 dstport=0
prot-no=1 app-id=16150106802370049

src_id: 16200275524390210
dst_id: 100
src_zone_id: 16200471619100074
dst_zone_id: 16204672468290016
action: ALLOW
rule_id: 16246315738930189
rule_num: 1
rule_app_count: 0

inspect security-policy lookup src-network-id=1665410093433014628


dst-network-id=100 srcv4=[Link] dstv4=[Link] srcport=1001
dstport=80 prot-no=8 app-id=0
src_id: 1665410093433014628
dst_id: 100
src_zone_id: 1662994347084009028
dst_zone_id: 1662973510780016628
action: ALLOW
rule_id: 1667810313551011228
rule_num: 2
rule_app_count: 0

inspect security-policy lookup srcv6=2001::1 dstv6=3001::5 src-


network-id=1645021023365000728 dst-network-id=100 srcport=128
dstport=0 prot-no=1 app-id=371
src_id: 1645021023365000728
dst_id: 100
src_zone_id: 1653468437560006328
dst_zone_id: 1653468445156006428
action: ALLOW
rule_id: 1669042681739017728
rule_num: 1
rule_app_count: 0

inspect security-policy size


Use the inspect security-policy size command to displays the size of the security
policies for an application flow.

Command

inspect network-policy size

Prisma SD-WAN ION Device CLI Reference 416 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

None

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 5.6.1

Example

inspect security-policy size


MEMORY USED(APPROX BYTES)
Zone-Network ID Map Size : 96
Security Policy Size : 23605854

inspect switch mac-address-table


Use the inspect switch mac-address table command to inspect the MAC addresses on
the switch port or VLAN.

Command

inspect switch mac-address table

Example

MAC Address Trunk mem/LAG Dest Port Vector FID


[Link] 00 00000200 03E9
[Link] 00 00000200 0001
[Link] 00 00000200 03E8

inspect system arp


Use the inspect system arp command to inspect the address resolution protocol (ARP) table
and displays the ARP cache for all or a specific interface.

Command

inspect system arp ( all | interface )

Prisma SD-WAN ION Device CLI Reference 417 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Options

all Enter all to inspect the entire ARP cache.

interface Enter interface to inspect the ARP cache for a specific interface name or ID.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.4.1

Example

inspect system arp all


Address Mask HWtype HWaddress Flags Iface
[Link] ether [Link] C eth0
[Link] ether [Link] C eth0
[Link] ether [Link] C eth0
[Link] ether [Link] C eth0
[Link] ether [Link] C eth0
[Link] ether [Link] C eth0
inspect arp 1
No entries for eth1
inspect arp controller1
Address Mask HWtype HWaddress Flags Iface
[Link] ether [Link] C eth0
[Link] ether [Link] C eth0
[Link] ether [Link] C eth0
[Link] ether [Link] C eth0
[Link] ether [Link] C eth0
[Link] ether [Link] C eth0

inspect system ipv6-neighbor


Use the inspect system ipv6-neighbor command to inspect all the IPv6 system neighbors.

Command

inspect system ipv6-neighbor ( all | interface


interface-name )

Options

all Enter all to inspect all system IPv6 neighbors for a device.

Prisma SD-WAN ION Device CLI Reference 418 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

interface Enter interface name to list the names of system IPv6 neighbors
for a device.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 6.0.1

Example

inspect system ipv6-neighbor all


fe80::250:56ff:fe95:edf dev eth1 lladdr [Link] STALE
fe80::250:56ff:feab:42c4 dev eth2 lladdr [Link] router
STALE
fe80::fcde:feff:fe28:5143 dev eth1 lladdr [Link]
router STALE
fe80::250:56ff:fe95:db52 dev eth1 lladdr [Link] STALE
fe80::8c61:66ff:fe7a:f943 dev v-ppp1-p lladdr [Link]
PERMANENT
fe80::700a:a5ff:fe6d:5d55 dev v-eth1-p lladdr [Link]
PERMANENT
2008::33 dev eth1 INCOMPLETE
fe80::250:56ff:feab:90e5 dev eth2 lladdr [Link] router
STALE
2008::55 dev eth1 INCOMPLETE
fe80::250:56ff:fe88:e61d dev eth1 lladdr [Link] router
STALE

inspect system vrf


Use the inspect system vrf command to inspect all the kernel VRF link information for a
device and used to debug any routing-related issues on the device.

Command

inspect system vrf ( all | vrf-name=vrf name)

Options

all Enter all to display status of all the kernel VRF


link information for a device.

vrf-name Enter a VRF name to display a particular kernel


VRF link information for a device.

Prisma SD-WAN ION Device CLI Reference 419 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 6.3.1

Example

inspect system vrf all


--------------------------------------------------------------------------------
VRF-NAME INTERFACE VNI VRF-KERNEL-LINK VRF-
TABLE-NUMBER PER-VRF-KERNEL-LINK PER-VRF-TABLE-NUMBER
--------------------------------------------------------------------------------
blue eth7.1 100 v100-e7.1 20004
NA 65535
red eth7.3 101 v101-e7.3 20005
NA 65535
red eth7.2 101 v101-e7.2 20006
NA 65535

--------------------------------------------------------------------------------
VRF-KERNEL-
LINKS
--------------------------------------------------------------------------------

50: v101-e7.2: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue


state UP mode DEFAULT group default qlen 1000
link/ether [Link] brd [Link]

VRF-MASTER: 47: eth7.2@eth7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu


1500 qdisc noqueue master v101-e7.2 state UP mode DEFAULT group
default qlen 1000
link/ether [Link] brd [Link]

--------------------------------------------------------------------------------

45: v100-e7.1: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue


state UP mode DEFAULT group default qlen 1000
link/ether [Link] brd [Link]

VRF-MASTER: 36: eth7.1@eth7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu


1500 qdisc noqueue master v100-e7.1 state UP mode DEFAULT group
default qlen 1000
link/ether [Link] brd [Link]

--------------------------------------------------------------------------------

46: v101-e7.3: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue


state UP mode DEFAULT group default qlen 1000
link/ether [Link] brd [Link]

Prisma SD-WAN ION Device CLI Reference 420 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

VRF-MASTER: 39: eth7.3@eth7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu


1500 qdisc noqueue master v101-e7.3 state UP mode DEFAULT group
default qlen 1000
link/ether [Link] brd [Link]

--------------------------------------------------------------------------------

inspect system vrf name=blue


--------------------------------------------------------------------------------
VRF-NAME INTERFACE VNI VRF-KERNEL-LINK VRF-
TABLE-NUMBER PER-VRF-KERNEL-LINK PER-VRF-TABLE-NUMBER
--------------------------------------------------------------------------------
blue eth7.1 100 v100-e7.1 20004
NA 65535

--------------------------------------------------------------------------------
VRF-KERNEL-
LINKS
--------------------------------------------------------------------------------

45: v100-e7.1: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue


state UP mode DEFAULT group default qlen 1000
link/ether [Link] brd [Link]

VRF-MASTER: 36: eth7.1@eth7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu


1500 qdisc noqueue master v100-e7.1 state UP mode DEFAULT group
default qlen 1000
link/ether [Link] brd [Link]

--------------------------------------------------------------------------------

inspect vrf
Use the inspect vrf command to inspect all the route tables for a device and used to debug
any routing-related issues on the device.

Command

inspect vrf ( all | list | mgmt | main | default | core-in | ) | vrf=


vrf-name) +)

Options

all Enter all to inspect all route tables for a device.

list Enter list to list the names of configured route tables.

mgmt Enter mgmt to inspect the management table.

main Enter main to inspect only the main route table.

Prisma SD-WAN ION Device CLI Reference 421 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

default Enter default to inspect the default route table.

core-in Enter core-in to inspect the core-in route table. Core-in table is the route
table specific for traffic that ingresses from the core router. This option is
applicable only for hub devices.

vrfname Enter one of the route table names from the list.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.4.1

Example

inspect vrf list


RouteTable Number
---------- ------
local 255
main 254
default 253
unspec 0
all-peer-in 2010
plain-in-eth5 2701
plain-out-eth5 2702
internet-in-eth2 2100
internet-out-eth2 2101
plain-in-eth1 2703
plain-out-eth1 2704
privwan-eth4 2051
plain-in-eth7 2705
plain-out-eth7 2706
mgmt-eth0 32000
plain-in-eth3 2707
plain-out-eth3 2708
all-peer-100-in 1010
vrf-privwan-eth6 1500
vrf-100 20002
vrf-privwan-eth7.1 1501
all-peer-102-in 1011
vrf-privwan-eth7.2 1502
vrf-102 20003
all-peer-101-in 1012
vrf-privwan-eth7.3 1503
vrf-101 20001

inspect vrf all


default via [Link] dev v-eth1-p table privwan-in-eth1

Prisma SD-WAN ION Device CLI Reference 422 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

[Link]/24 dev eth1 table privwan-in-eth1 scope link src


[Link]
default via [Link] dev eth1 table privwan-out-eth1 proto
static
[Link]/24 dev eth1 table privwan-out-eth1 scope link src
[Link]
[Link]/24 dev eth1 table allow-connected-drop-default proto
rsync scope link src
21.168.2.92127.2.0.0/30 dev v-eth1-p table allow-connected-drop-
default proto rsync scope link src
[Link].168.2.0/24 dev eth1 proto kernel scope link src
[Link]
[Link]/30 dev v-eth1-p proto kernel scope link src [Link]
broadcast [Link] dev eth1 table local proto kernel scope link
src [Link]
local [Link] dev eth1 table local proto kernel scope host
src [Link]
broadcast [Link] dev eth1 table local proto kernel scope
link src [Link]
broadcast [Link] dev v-eth1-p table local proto kernel scope
link src [Link]
local [Link] dev v-eth1-p table local proto kernel scope host
src [Link]
broadcast [Link] dev v-eth1-p table local proto kernel scope
link src [Link]
2008::/64 dev eth1 table privwan-in-eth1 metric 256 pref medium
2008::/64 dev eth1 table privwan-out-eth1 metric 256 pref medium
default via 2008::55 dev eth1 table privwan-out-eth1 proto static
metric 1024 pref medium
2008::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev v-eth1-p proto kernel metric 256 pref medium
fe80::/64 dev v-eth1 proto kernel metric 256 pref medium
anycast 2008:: dev eth1 table local proto kernel metric 0 pref
medium
local 2008::5 dev eth1 table local proto kernel metric 0 pref
medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref
medium
anycast fe80:: dev v-eth1-p table local proto kernel metric 0
pref medium
anycast fe80:: dev v-eth1 table local proto kernel metric 0 pref
medium
local fe80::250:56ff:fe88:e61d dev eth1 table local proto kernel
metric 0 pref medium
local fe80::700a:a5ff:fe6d:5d55 dev v-eth1 table local proto
kernel metric 0 pref medium
local fe80::cc92:5fff:fe14:e9d9 dev v-eth1-p table local proto
kernel metric 0 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev v-eth1-p table local metric 256 pref medium
ff00::/8 dev v-eth1 table local metric 256 pref medium

Prisma SD-WAN ION Device CLI Reference 423 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

inspect wanpaths
Use the inspect wanpaths command to inspect the VPN WAN paths from the controller and
displays all VPN WAN paths on a device sent by the controller.

Command

inspect wanpaths ( all | site-id = site id | path-id = path id |


vrf-name= | vni= )

Options

all Enter all to display all VPN paths for a device.

site-id Enter the site-id to display the VPN path for a specific site.

vrf-name Enter the vrf name to filter VPN paths between this device and a specific
remote site. Release 6.3.1

vni Enter the vni to filter VPN paths between this device and a specific remote
[Link] 6.3.1

path-id Enter the path-id to display a specific VPN path.

Command Notes

Role Super, Read Only

Related Commands —

Introduced in Release 4.4.1

Example

inspect wanpaths all


Path ID: 14903787743060209, Path Type: vpn, Site ID:
14810476033280153
Prefixes: [Link]/29, Cost: 1
[Link]/0, Cost: 1

Path ID: 14903787806110119, Path Type: vpn, Site ID:


14810476033280153
Prefixes: [Link]/29, Cost: 1
[Link]/0, Cost: 1

Path ID: 14903787820790032, Path Type: vpn, Site ID:


14810477231140214
Prefixes: [Link]/29, Cost: 1

Prisma SD-WAN ION Device CLI Reference 424 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Path ID: 14903787825540071, Path Type: vpn, Site ID:


14810476033280153
Prefixes: [Link]/29, Cost: 1
[Link]/0, Cost: 1

inspect wanpaths all


Path ID: 1696395704553023928, Path Type: vpn, Vpn Type: private, Site
ID: 1681450037421018528, Site Name: Santa Clara DC
Vrf context id: 1688365522034014928, Vni: 0, Vrf name: Global
Prefixes:
Prefix: [Link]/0, Cost: 356
V6 Prefixes:
Prefix: ::/0, Cost: 356

Path ID: 1696395771321023828, Path Type: vpn, Vpn Type: public, Site
ID: 1681450037421018528, Site Name: Santa Clara DC
Vrf context id: 1695795392653021428, Vni: 965, Vrf name: yellow
Prefixes:
Prefix: [Link]/24, Cost: 256
Prefix: [Link]/0, Cost: 256
V6 Prefixes:
Prefix: ::/0, Cost: 256

inspect wanpaths vrf-name=yellow


Path ID: 1696395771321023828, Path Type: vpn, Vpn Type: public, Site
ID: 1681450037421018528, Site Name: Santa Clara DC
Vrf context id: 1695795392653021428, Vni: 965, Vrf name: yellow
Prefixes:
Prefix: [Link]/24, Cost: 256
Prefix: [Link]/0, Cost: 256
V6 Prefixes:
Prefix: ::/0, Cost: 256

inspect wanpaths site-id=1684490871652002728


Path ID: 1710234825501004428, Path Type: vpn, Vpn Type: public, Site
ID: 1684490871652002728, Site Name: Tahoe
Vrf context id: 1692528296703011028, Vni: 0, Vrf name: Global
Prefixes:
Prefix: [Link]/24, Cost: 256, Hop Count: 1
Prefix: [Link]/24, Cost: 256, Hop Count: 1
Prefix: [Link]/24,Cost: 256, Hop Count: 1
Prefix: [Link]/24, Cost: 256, Hop Count: 1
Prefix: [Link]/24, Cost: 256, Hop Count: 1
Prefix: [Link]/24, Cost: 256, Hop Count: 1
Prefix: [Link]/24,Cost: 256, Hop Count: 1
Prefix: [Link]/24, Cost: 256, Hop Count: 2
Prefix: [Link]/24, Cost: 256, Hop Count: 2
Prefix: [Link]/24, Cost: 256, Hop Count: 2
Prefix: [Link]/24, Cost: 256, Hop Count: 2
Prefix: [Link]/32, Cost: 256, Hop Count: 2

V6 Prefixes:
Prefix: [Link]/64, Cost: 256, Hop Count: 2

Prisma SD-WAN ION Device CLI Reference 425 ©2025 Palo Alto Networks, Inc.
Use CLI Commands

Path ID: 1710234809735022128, Path Type: vpn, Vpn Type: public, Site
ID: 1684490871652002728, Site Name: Tahoe
Vrf context id: 1692528296703011028, Vni: 0, Vrf name: Global
Prefixes:
Prefix: [Link]/24, Cost: 256, Hop Count: 1
Prefix: [Link]/24, Cost: 256, Hop Count: 1
Prefix: [Link]/24,Cost: 256, Hop Count: 1
Prefix: [Link]/24, Cost: 256, Hop Count: 1
Prefix: [Link]/24, Cost: 256, Hop Count: 1
Prefix: [Link]/24, Cost: 256, Hop Count: 1
Prefix: [Link]/24,Cost: 256, Hop Count: 1
Prefix: [Link]/24, Cost: 256, Hop Count: 2
Prefix: [Link]/24, Cost: 256, Hop Count: 2
Prefix: [Link]/24, Cost: 256, Hop Count: 2
Prefix: [Link]/24, Cost: 256, Hop Count: 2
Prefix: [Link]/32, Cost: 256, Hop Count: 2

V6 Prefixes:
Prefix: [Link]/64, Cost: 256, Hop Count: 2

Prisma SD-WAN ION Device CLI Reference 426 ©2025 Palo Alto Networks, Inc.

You might also like