Palo Alto CLI Cheat Sheet

This document provides a cheat sheet for common commands used to manage networking functions like routing, NAT, IPSec, BFD, PVST+, and more in the Palo Alto Networks CLI. It lists commands to display routing tables, test NAT policies, show IPSec SAs and gateways, configure BFD profiles and sessions, set PVST+ settings, and view counters and debugging information for various protocols.


CLI Cheat Sheet: Device Management

No.  IF YOU WANT TO...                                              USE... (CLI)

1. Show general system health information.
   > show system info
2. Show percent usage of disk partitions. Include the optional files parameter to show information about inodes, which track file storage.
   > show system disk-space files
3. Show the maximum log file size.
   > show system logdb-quota
4. Show running processes.
   > show system software status
5. Show processes running in the management plane.
   > show system resources
6. Show resource utilization in the dataplane.
   > show running resource-monitor
7. Show the licenses installed on the device.
   > request license info
8. Show when commits, downloads, and/or upgrades are completed.
   > show jobs processed
9. Show session information.
   > show session info
10. Show information about a specific session.
   > show session id <session-id>
11. Show the running security policy.
   > show running security-policy
12. Show the authentication logs.
   > less mp-log authd.log
13. Restart the device.
   > request restart system
14. Show the administrators who are currently logged in to the web interface, CLI, or API.
   > show admins
15. Show the administrators who can access the web interface, CLI, or API, regardless of whether those administrators are currently logged in. When you run this command on the firewall, the output includes local administrators, remote administrators, and all administrators pushed from a Panorama template. Remote administrators are listed regardless of when they last logged in.
   > show admins all
16. Configure the management interface as a DHCP client. For a successful commit, you must include each of the parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname.
   # set deviceconfig system type dhcp-client accept-dhcp-domain <yes|no> accept-dhcp-hostname <yes|no> send-client-id <yes|no> send-hostname <yes|no>

CLI CHEAT SHEET: USER-ID

View all User-ID agents configured to send user mappings to the Palo Alto Networks device:
To see all configured Windows-based agents:
> show user user-id-agent state all
To see if the PAN-OS-integrated agent is configured:
> show user server-monitor state all
View how many log messages came in from syslog senders and how many entries the User-ID agent
successfully mapped:
> show user server-monitor statistics

View the configuration of a User-ID agent from the Palo Alto Networks device:
> show user user-id-agent config name <agent-name>

View group mapping information:


> show user group-mapping statistics
> show user group-mapping state all
> show user group list
> show user group name <group-name>

View all user mappings on the Palo Alto Networks device:


> show user ip-user-mapping all
Show user mappings filtered by a username string (if the string includes the domain name, use two backslashes between the domain and the username):
> show user ip-user-mapping all | match <domain>\\<username-string>
Show user mappings for a specific IP address:
> show user ip-user-mapping ip <ip-address>
Show usernames:
> show user user-ids

View the most recent addresses learned from a particular User-ID agent:
> show log userid datasourcename equal <agent-name> direction equal backward

View mappings from a particular type of authentication service:


> show log userid datasourcetype equal <authentication-service>
where <authentication-service> can be authenticate, client-cert, directory-server, exchange-server, globalprotect, kerberos, netbios-probing, ntlm, unknown, vpn-client, or wmi-probing.
For example, to view all user mappings from the Kerberos server, you would enter the following
command:
> show log userid datasourcetype equal kerberos

View mappings learned using a particular type of user mapping:

> show log userid datasource equal <datasource>
where <datasource> can be agent, captive-portal, event-log, ha, probing, server-session-monitor, ts-agent, unknown, vpn-client, or xml-api.
For example, to view all user mappings from the XML API, you would enter the following command:
> show log userid datasource equal xml-api

Find a user mapping based on an email address:

> show user email-lookup
+ base              Default base distinguished name (DN) to use for searches
+ bind-dn           bind distinguished name
+ bind-password     bind password
+ domain            Domain name to be used for username
+ group-object      group object class (comma-separated)
+ name-attribute    name attribute
+ proxy-agent       agent ip or host name
+ proxy-agent-port  user-id agent listening port, default is 5007
+ use-ssl           use-ssl
* email             email address
> mail-attribute    mail attribute
> server            ldap server ip or host name
> server-port       ldap server listening port
For example:
> show user email-lookup base "DC=lab,DC=sg,DC=acme,DC=local" bind-dn "CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local" bind-password acme use-ssl no email [email protected] mail-attribute mail server 10.1.1.1 server-port 389
labsg\user1

Clear the User-ID cache:
> clear user-cache all
Clear a User-ID mapping for a specific IP address:
> clear user-cache ip <ip-address/netmask>

CLI Cheat Sheet: Networking


No.  IF YOU WANT TO . . .                                           USE . . .

1. Display the routing table.
   > show routing route
2. Look at routes for a specific destination.
   > show routing fib virtual-router <name> | match <x.x.x.x/Y>
3. Change the ARP cache timeout setting from the default of 1800 seconds.
   > set system setting arp-cache-timeout <60-65536>
4. View the ARP cache timeout setting.
   > show system setting arp-cache-timeout

NAT
1. Show the NAT policy table.
   > show running nat-policy
2. Test the NAT policy.
   > test nat-policy-match
3. Show NAT pool utilization.
   > show running ippool
   > show running global-ippool

IPSec
1. Show IPSec counters.
   > show vpn flow
2. Show a list of all IPSec gateways and their configurations.
   > show vpn gateway
3. Show IKE phase 1 SAs.
   > show vpn ike-sa
4. Show IKE phase 2 SAs.
   > show vpn ipsec-sa
5. Show a list of auto-key IPSec tunnel configurations.
   > show vpn tunnel

BFD
1. Show BFD profiles.
   > show routing bfd active-profile [<name>]
2. Show BFD details.
   > show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>]
3. Show BFD statistics on dropped sessions.
   > show routing bfd drop-counters session-id <session-id>
4. Show counters of transmitted, received, and dropped BFD packets.
   > show counter global | match bfd
5. Clear counters of transmitted, received, and dropped BFD packets.
   > clear routing bfd counters session-id all | <1-1024>
6. Clear BFD sessions for debugging purposes.
   > clear routing bfd session-state session-id all | <1-1024>

PVST+
1. Set the native VLAN ID.
   > set session pvst-native-vlan-id <vid>
2. Drop all STP BPDU packets.
   > set session drop-stp-packet
3. Verify the PVST+ BPDU rewrite configuration, native VLAN ID, and STP BPDU packet drop.
   > show vlan all
4. Show a count of the times the 802.1Q tag and PVID fields in a PVST+ BPDU packet did not match. Look at the flow_pvid_inconsistent counter.
   > show counter global

Troubleshooting
1. Ping from the management (MGT) interface to a destination IP address.
   > ping host <destination-ip-address>
2. Ping from a dataplane interface to a destination IP address.
   > ping source <ip-address-on-dataplane> host <destination-ip-address>
3. Show network statistics.
   > show netstat statistics yes

CLI Cheat Sheet: VSYS


No.  IF YOU WANT TO . . .                                           USE . . .

1. Find out if the firewall is in multi-vsys mode.
   admin@PA> show system info | match vsys
   multi-vsys: on
2. View a list of virtual systems configured on the firewall.
   admin@PA> set system setting target-vsys ?
   none     none
   vsys1    vsys1
   vsys2    vsys2
   <value>  <value>
3. Switch to a particular vsys so that you can issue commands and view data specific to that vsys. For example, use the following command to switch to vsys2; note that the vsys name is case sensitive. Notice that the command prompt then shows the name of the vsys you are now administering.
   admin@PA> set system setting target-vsys <vsys-name>
   admin@PA> set system setting target-vsys vsys2
   Session target vsys changed to vsys2
   admin@PA-vsys2>
4. View the maximum number of sessions allowed, in use, and throttled.
   admin@PA> show session meter
   Example output:
   VSYS  Maximum  Current  Throttled
   1     10       30       1587
   Maximum indicates the maximum number of sessions allowed per dataplane, Current indicates the number of sessions being used by the virtual system, and Throttled indicates the number of sessions denied for the virtual system because the sessions exceeded the Maximum number multiplied by the number of dataplanes in the system.
   As shown in this example, on a PA-5200 Series or PA-7000 Series firewall, the Current number of sessions being used can be greater than the Maximum configured for Sessions Limit (Device > Virtual Systems > Resource) because there are multiple dataplanes per virtual system. The Sessions Limit you configure on a PA-5200 or PA-7000 Series firewall is per dataplane, and will result in a higher maximum per virtual system.
5. View the User-ID mappings in the vsys.
   admin@PA-vsys2> show user ip-user-mapping all
6. Return to configuring the firewall globally.
   admin@PA-vsys2> set system setting target-vsys none
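As an added illustration (not part of the cheat sheet), the following Python helper parses output shaped like the show session meter example above and applies the rule that entry describes: the effective per-vsys ceiling is Maximum multiplied by the number of dataplanes, and a non-zero Throttled column means sessions were denied. The dataplane count, the sample rows, and the 80% "near-limit" threshold are assumptions chosen here.

```python
# Constructed sample of "show session meter" output, following the column layout
# shown in the VSYS table (header line, then one row per vsys). Not real device output.
SAMPLE_METER_OUTPUT = """\
VSYS  Maximum  Current  Throttled
1     10       30       1587
2     500      120      0
"""

# Assumed number of dataplanes on the platform (e.g. a multi-dataplane PA-7000 chassis).
ASSUMED_DATAPLANES = 4


def parse_session_meter(text):
    """Return a list of {vsys, maximum, current, throttled} dicts from meter output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have four numeric columns; the header (VSYS ...) is skipped.
        if len(fields) != 4 or not fields[0].isdigit():
            continue
        vsys, maximum, current, throttled = (int(f) for f in fields)
        rows.append({"vsys": vsys, "maximum": maximum,
                     "current": current, "throttled": throttled})
    return rows


def effective_limit(maximum, dataplanes):
    """The configured Sessions Limit is per dataplane, so the ceiling a vsys can
    actually reach is Maximum multiplied by the number of dataplanes."""
    return maximum * dataplanes


def assess(rows, dataplanes, near_limit_ratio=0.8):
    """Classify each vsys: 'throttled' if any sessions were denied, 'near-limit'
    if Current is at or above near_limit_ratio of the effective limit, else 'ok'."""
    report = []
    for r in rows:
        limit = effective_limit(r["maximum"], dataplanes)
        if r["throttled"] > 0:
            status = "throttled"
        elif r["current"] >= near_limit_ratio * limit:
            status = "near-limit"
        else:
            status = "ok"
        report.append((r["vsys"], limit, status))
    return report


if __name__ == "__main__":
    for vsys, limit, status in assess(parse_session_meter(SAMPLE_METER_OUTPUT),
                                      ASSUMED_DATAPLANES):
        print(f"vsys{vsys}: effective limit {limit}, status {status}")
```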

CLI Cheat Sheet: Panorama


No.  IF YOU WANT TO . . .                                           USE . . .

1. Display the current operational mode.
   > show system info | match system-mode
2. Switch from Panorama mode to Log Collector mode.
   > request system system-mode logger
3. Switch from Panorama mode to PAN-DB private cloud mode (M-500 appliance only).
   > request system system-mode panurldb
4. Switch an M-Series appliance from Log Collector mode or PAN-DB private cloud mode (M-500 appliance only) to Panorama mode.
   > request system system-mode panorama
5. Switch the Panorama virtual appliance from Legacy mode to Panorama mode.
   > request system system-mode panorama
6. Switch the Panorama virtual appliance from Panorama mode to Legacy mode.
   > request system system-mode legacy

Panorama Management Server
1. Change the output for show commands to a format that you can run as CLI commands.
   > set cli config-output-mode set
   The following is an example of the output for the show device-group command after setting the output format:
   # show device-group branch-offices
   set device-group branch-offices devices
   set device-group branch-offices pre-rulebase ...
2. Enable or disable the connection between a firewall and Panorama. You must enter this command from the firewall CLI.
   > set panorama [off | on]
3. Synchronize the configuration of M-Series appliance high availability (HA) peers.
   > request high-availability sync-to-remote [running-config | candidate-config]
4. Reboot multiple firewalls or Dedicated Log Collectors.
   > request batch reboot [devices | log-collectors] <serial-number>
5. Change the interval in seconds (default is 10; range is 5 to 60) at which Panorama polls devices (firewalls and Log Collectors) to determine the progress of software or content updates. Panorama displays the progress when you deploy the updates to devices. Decreasing the interval makes the progress report more accurate but increases traffic between Panorama and the devices.
   > set dlsrvr poll-interval <5-60>

Device Groups and Templates
1. Show the history of device group commits, status of the connection to Panorama, and other information for the firewalls assigned to a device group.
   > show devicegroups name <device-group-name>
2. Show the history of template commits, status of the connection to Panorama, and other information for the firewalls assigned to a template.
   > show templates name <template-name>
3. Show all the policy rules and objects pushed from Panorama to a firewall. You must enter this command from the firewall CLI.
   > show config pushed-shared-policy
4. Show all the network and device settings pushed from Panorama to a firewall. You must enter this command from the firewall CLI.
   > show config pushed-template

Log Collection
1. Show the current rate at which the Panorama management server or a Dedicated Log Collector receives firewall logs.
   > debug log-collector log-collection-stats show incoming-logs
2. Show the quantity and status of logs that Panorama or a Dedicated Log Collector forwarded to external servers (such as syslog servers) as well as the auto-tagging status of the logs. Tracking dropped logs helps you troubleshoot connectivity issues.
   > debug log-collector log-collection-stats show log-forwarding-stats
3. Show status information for log forwarding to the Panorama management server or a Dedicated Log Collector from a particular firewall (such as the last received and generated log of each type). When you run this command at the firewall CLI (skip the device <firewall-serial-number> argument), the output also shows how many logs the firewall has forwarded.
   > show logging-status device <firewall-serial-number>
4. Clear logs by type. Running this command on the Panorama management server clears logs that Panorama and Dedicated Log Collectors generated, as well as any firewall logs that the Panorama management server collected. Running this command on a Dedicated Log Collector clears the logs that it collected from firewalls.
   > clear log [acc | alarm | config | hipmatch | system]
