
PaloAlto Cheat Sheet CLI

Updated: Jan 22


PaloAlto cheat sheet



Show Command--



Debug command--


-->> debug routing pcap <routing-protocol> on

-->> debug routing pcap show

-->> debug routing pcap <routing-protocol> view

-->> debug routing pcap <routing-protocol> off

-->> debug routing pcap <routing-protocol> delete

-->> tail follow yes mp-log routed.log

-->> show routing path-monitor

-->> debug routing path-monitor


Test command--

-->> test routing fib-lookup virtual-router default ip <ip>

-->> test vpn ipsec-sa tunnel <value>

-->> test security-policy-match ?

-->> test security-policy-match from trans-internet to pa-trust-server source 192.168.86.5 destination 192.168.120.2 protocol 6 application ssl destination-port 443


Viewing Management-Plane Logs:


To view the debug log files, “less” or “tail” can be used. The keyword “mp-log” refers to the management-plane logs (similar to “dp-log” for the dataplane logs). The tail command can be used with “follow yes” to get a live view of all logged messages.


Examples:

-->> less mp-log ?

-->> less mp-log dnsproxyd.log

-->> tail follow yes mp-log dhcpd.log

-->> tail follow yes mp-log routed.log


Capturing Management Packets:


To view the traffic from the management port at least two console connections are needed. The first one executes the tcpdump command (with “snaplen 0” for capturing the whole packet, and a filter, if desired),


-->> tcpdump snaplen 0 filter "port 53"


while the second console follows the live capture:


-->> view-pcap follow yes mgmt-pcap mgmt.pcap


Live Viewing of Packet Captures:


When using the Packet Capture feature on the Palo Alto, the filter settings can easily be made from the GUI (Monitor -> Packet Capture). These settings as well as the current size of the running packet capture files can be examined with:


-->> debug dataplane packet-diag show setting


Now, the current capturing in follow mode can be viewed with:

-->> view-pcap follow yes filter-pcap


VPN Troubleshooting-

-->> show vpn gateway

-->> show vpn ike-sa

-->> show counter global filter delta yes | match ipsec

Debug command for VPN--

-->> debug ike pcap on

-->> view-pcap follow yes debug-pcap ikemgr.pcap

-->> debug ike pcap off

Export packet capture--

-->> scp export debug-pcap from ikemgr.pcap to <username@host:path>



Clear Tunnel--


-->> clear vpn ike-sa gateway <value>

-->> clear vpn ipsec-sa tunnel <value>

-->> test vpn ike-sa gateway <value>

-->> test vpn ipsec-sa tunnel <value>


GlobalProtect command--

-->> show global-protect-gateway current-user

-->> show global-protect-gateway flow


High Availability --


Some show commands for the HA:

-->> show high-availability ?

-->> show high-availability all

-->> show high-availability state

-->> show high-availability link-monitoring

-->> show high-availability path-monitoring

-->> show high-availability control-link statistics

-->> show high-availability state-synchronization

-->> show high-availability flap-statistics



The following requests can be used to trigger an HA failover, either on the local device or on the “peer” device:

-->> request high-availability state suspend

-->> request high-availability state functional

-->> request high-availability state peer suspend

-->> request high-availability state peer functional


User-IDs and Groups:

State of the LDAP server connections, including the listing of all groups:

-->> show user group-mapping state all


Group mapping and user-id agent refresh (=update) and reset (=delete and reload):

-->> debug user-id refresh group-mapping all

-->> debug user-id refresh user-id agent all

-->> debug user-id reset group-mapping all

-->> debug user-id reset user-id-agent all


Show the group memberships for a particular user:

-->> show user user-IDs match-user <value>


Show the members of a particular group:

-->> show user group name "ADname-of-the-group"


IP Addresses of External Dynamic Lists:

Similarly, the entries in an external dynamic (block) list can be viewed or refreshed with:

-->> request system external-list show type {ip|name|url} name <name-of-the-list>

-->> request system external-list refresh type {ip|name|url} name <name-of-the-list>


DNS Proxy

To verify the functionality of DNS proxy objects, at least two commands are useful. Both outputs should speak for themselves:

-->> show dns-proxy statistics all

-->> show dns-proxy cache all


Active URL Vendor/Database:

I had some issues with the two different URL databases “brightcloud” and “PAN-DB”. This is the command to show unambiguously which vendor is active on the PA (independent of the licenses):


-->> show system setting url-database


The output is either brightcloud or paloaltonetworks. The standard URL DB up to PAN-OS 5.0 is brightcloud. Beginning with PAN-OS 6.0, the default is PAN-DB (refer to the release notes, section “Changes to Default Behavior”). To change the vendor (of course only if it is licensed), click the “Activate” link under licenses in the GUI.


PAN-DB URL Test & Cache:

To show the category of a specific URL, use one of the following commands:

-->> test url <fqdn>

-->> test url-info-cloud <fqdn>

-->> test url-info-host <fqdn>


To display the current URL cache from the PAN-DB, two steps are required. The first one is the creation of a logfile which contains all entries and the second one is to display this logfile:

-->> show system setting url-cache all

-->> less dp-log dp_url_DB.log


Fan Speed--

Ok, this is not a troubleshooting command, but nevertheless very useful. It sets the fan speed to “auto” which immediately drops the noise of the fan, e.g. on a PA-200:

-->> set system setting fan-mode auto


Defaults:


Log in via the management IP if you are already connected to the management interface:

Default Management Interface IP: 192.168.1.1

Login: admin

Password: admin


To change the static IP settings of the management interface via the console:


#set deviceconfig system ip-address 192.168.1.5 netmask 255.255.255.0 default-gateway 192.168.1.1 dns-setting servers primary 8.8.8.8


or



To configure the management interface as a DHCP client instead:


#set deviceconfig system type dhcp-client send-hostname yes send-client-id no accept-dhcp-domain no accept-dhcp-hostname no


Then wait for a console message such as “DHCP: new ip 10.10.1.100 : mask 255.255.255.128”. Otherwise, you can show the management IP address via “show interface management”. If you later want to change back to a static IP address, you must not only use the set command above (for the IP address itself) but also change the type back to static: set deviceconfig system type static



Perform a Factory Reset:


In some cases, such as an RMA, you may want to factory reset your device. Perform the following steps for this:

Delete all saved configurations (list them first, then delete each one by name) via

-->> delete config saved ?

-->> delete config saved <name-of-every-single-config>

Remove all logs and restore the default configuration with

-->> request system private-data-reset

Perform the actual factory reset: reboot the device, enter the “maint” mode via a console cable, select “Factory Reset”.
