Professional Documents
Culture Documents
Palo Alto CLI Commands
Palo Alto CLI Commands
GUIDE
COMMAND DESCRIPTION 4.1 5.x
General System Health
show system info Shows the system’s management IP, serial #, and code version ✓ ✓
show jobs processed Shows when commits, downloads, upgrades, etc are completed. ✓ ✓
show system disk-space Shows percent usage of disk partitions. ✓ ✓
show system logdb-quota Shows the maximum log file sizes. ✓ ✓
show system software status Shows running processes. ✓ ✓
Monitor CPUs
show system resources Shows processes running in the Management Plane. ✓ ✓
show running resource-monitor Shows the resource utilization in the Dataplane ✓ ✓
Dropped Packet Troubleshooting
ping source <IP_addr_src_int> host <IP_addr_host> Ping from a specified device source interface to destination IP. ✓ ✓
ping host <IP> Ping from the management interface. ✓ ✓
Shows specific sessions in the sessions table for source and
show session all filter source <source-IP> destination <destination-IP> ✓ ✓
destination IPs.
show session info Shows usage, pps rates, etc. ✓ ✓
show session id <id-number> Shows session details by entering the session ID number. ✓ ✓
Packet Filters and Capture WARNING: Running debug commands on a production device may cause undesirable results.
debug dataplane packet-diag clear all
debug dataplane packet-diag clear log log Clear/delete settings and files previously created. ✓ ✓
Packet Flow Logs WARNING: Always set specific packet filters to minimize CPU usage. See above Packet Filters and Capture commands.
debug dataplane packet-diag set log feature flow basic Set packet-diag log to capture flow basic. ✓ ✓
debug dataplane packet-diag set log on Turns on packet-diag log. ✓ ✓
debug dataplane packet-diag set log off Capture traffic then immediately disable packet-diag log. ✓ ✓
Aggregates pack-diag logs to a single file. After disabling packet-
debug dataplane packet-diag aggregate-logs - ✓
diag log, wait 1-2 minutes before running this command.
less dp-log pan_pcaket_diag.log View packet-diag log output. N o te : PA-5000 series writes to ✓ ✓
individual dp0-log, dp1-log or dp2-log.
Log/Forward Device Issues
Shows the log statistics, like logging incoming rate, log written rate,
debug log-receiver statistics ✓ ✓
corrupted packets and logs discarded due to a full queue.
less mp-log logrcvr.log Shows debug logging issues on the device. ✓ ✓
debug software restart log-receiver Restarts log-receiver process. ✓ ✓
Log Viewing/Deleting
Goes to the beginning/end of a log.
show log [system | traffic | threat] direction equal [forward | backward] N o te : Arguments shown with square bracket [] and pipe | symbols ✓ ✓
mean choose one of the arguments listed.
Monitor Management or Device Server
show system resources follow Shows management server messages for commit failures, updates,
✓ ✓
tail follow yes mp-log ms.log licenses, link status, policy details, etc.
Shows device server message for commit failures, updates,
tail follow yes mp-log devsrv.log ✓ ✓
licenses, link status, policy details, etc.
Authentication Logs
less mp-log authd.log Shows the detail authentication logs on the device. ✓ ✓
NAT
show running nat-policy Shows current NAT policy table. ✓ ✓
show running ippool
show running global-ippool Shows NAT pool utilization. ✓ ✓
Routing
show routing route Shows routing table. ✓ ✓
Policies
show running security-policy Shows current policy set. ✓ ✓
v6
COMMAND DESCRIPTION 4.1 5.x
User-ID Agent
show user user-id-agent state all Shows agent’s status. Status should be connected OK and there should
✓ ✓
show user user-id-agent statistics be numbers shown under users, groups, and IPS.
show user user-IDs
show user group-mapping state all
show user group-mapping statistics Shows the groups pulled from User-ID Agent. ✓ ✓
show user group list
show user group name <value>
show user ip-user-mapping all Shows IP to username mappings. ✓ ✓
clear user-cache all
clear user-cache ip <ip/netmask> Clears user-ID cache. ✓ ✓
3300 Olcott Street Copyright ©2013, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto
Santa Clara, CA 95054 Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All
specifications are subject to change without notice. Palo Alto Networks assumes no responsibility
Main: +1.408.753.4000
for any inaccuracies in this document or for any obligation to update the information in this
Sales: +1.866.320.4788
Support: +1.866.898.9087 document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise
this publication without notice.
www.paloaltonetworks.com