ASC Troubleshooting Cheatsheet - Rev2.2 - FINAL

PAN-OS Troubleshooting Cheatsheet
Revision 2.2 – Aug 2014
Basic Troubleshooting General Packet Flow PCAP and Flow Basic

CLI Commands: CLI Commands: CLI Commands:
6.0 introduces “find” for CLI command search: show system files Step 1: Start fresh.
find command keyword <value> show running resource-monitor debug dataplane packet-diag clear all
show session all filter …
Management Plane Step 2: ALWAYS enable specific filters.
show session id <sess-id>
show system info debug dataplane packet-diag set filter match …
show counter global filter delta yes
show system statistics [application | session] debug dataplane packet-diag set filter on
show system resources Logs:
show counter global filter delta yes packet-
show system software status less dp-log dp-monitor.log
filter yes
show system logdb-quota or less dpX-log for multi-dp systems
show system disk-space Step 3: Enable PCAPs.
Debugs:
show jobs all debug dataplane packet-diag set capture stage
debug device-server dump idmgr type …
show routing route receive file <rx-filename>
debug log-receiver statistics
request license info debug dataplane packet-diag set capture stage
debug dataplane pool statistics
netstat all yes transmit file <tx-filename>
ping source <src-ip> host <dst-ip>
debug dataplane packet-diag set capture stage
Dataplane test routing fib-lookup virtual-router <vr-
drop file <dr-filename>
show running resource-monitor name> ip <ip-addr>
debug dataplane packet-diag set capture stage
show session all filter … test security-policy-match …
firewall file <fw-filename>
show session id <sess-id> test nat-policy-match …
debug dataplane packet-diag set capture on
show counter global filter delta yes Run PCAP and Flow Basic
show interface all debug dataplane packet-diag show setting
Additional Steps:
Logs: -Look in traffic log for traffic allow/deny. Confirm setting and see PCAP capture rate.
Management Plane -If no log, ensure there is rule with logging. Make sure rate is not too high before
show log system direction equal backward -Turn off all threat profiles. attempting flow basic debug (can crash box if
show log config direction equal backward -App-override rule for traffic in question. debug logging rate is too high). If high rate
less mp-log mp-monitor.log -Disable session offload (CLI). then be more specific with filters and/or
set session offload no reschedule for less busy time.
Dataplane
-Disable TCP SYN check (CLI). Step 4: Enable flow basic.
less dp-log dp-monitor.log
set session tcp-reject-non-syn no debug dataplane packet-diag clear log log
or less dpX-log for multi-dp systems
-Disable TCP window check (Config). debug dataplane packet-diag set log feature
Debugs: 4.0 and earlier: flow basic
Management Plane set deviceconfig setting tcp drop-out-of-wnd debug dataplane packet-diag set log on
debug log-receiver statistics no
(6.0+) tcpdump snaplen 0 filter “host x.x.x.x” 4.1 and later: Step 5: Capture traffic, then disable debugs.
view-pcap mgmt-pcap mgmt.pcap set deviceconfig setting tcp asymmetric-path debug dataplane packet-diag set log off
bypass debug dataplane packet-diag set capture off
Dataplane
(5.0+) debug dataplane packet-diag aggregate-
debug dataplane internal vif link
logs
ping source <src-ip> host <dst-ip> Step 6: View PCAPs and flow basic output.
test routing fib-lookup virtual-router <vr- view-pcap filter-pcap <filename>
name> ip <ip-addr> less dp-log pan_packet_diag.log
test security-policy-match … less dp-log pan_task*
test nat-policy-match … Note: for 5000 use dp0-log, dp1-log,dp2-log
Can also download PCAPs from Monitor tab in
GUI. Tech Support should contain
pan_packet_diag.log but not PCAPs.
Links:
Packet Captures and debug Flow Basic:
https://live.paloaltonetworks.com/docs/DOC-
1506
©2014, Palo Alto Networks. Confidential and Proprietary. This document is for Palo Alto Networks employees and Authorized Support Centers only.
CPU/Memory Utilization Performance Dynamic Updates
Management Plane show system statistics show system info
show system statistics show system resources show system resources
show system resources show system files show jobs all
show jobs all show running resource-monitor show jobs id <#>
netstat all yes show session info request license info
show session all filter … netstat all yes
Dataplane
show running resource-monitor Logs:
show session info show log system direction equal backward
show interface all (look for speed/duplex)
show session all filter … less mp-log ms.log
show counter global filter delta yes Logs: less mp-log devsrv.log
show counter global filter delta yes | match less mp-log mp-monitor.log less mp-log mp-monitor.log
fpga less dp-log dp-monitor.log less mp-log pan_bc_download.log
show counter global filter delta yes | match less mp-log pan_url_download.log
Debugs:
log
debug log-receiver statistics Debugs:
show counter global filter delta yes | match zip
debug dataplane internal vif link debug log-receiver statistics
Logs: debug dataplane pool statistics debug dataplane internal vif link
Management Plane debug dataplane packet-diag clear all debug dataplane pool statistics
show log system direction equal backward ping source <src-ip> host <dst-ip> debug dataplane packet-diag clear all
less mp-log mp-monitor.log Run PCAP and Flow Basic ping host updates.paloaltonetworks.com
less mp-log ms.log ping host services.brightcloud.com
Additional Steps:
less mp-log <log-for-high-process> (5.0+) tcpdump filter “host x.x.x.x and not port
-Look in threat log for denies or blocks
22”
Dataplane -Turn off all threat profiles.
less dp-log dp-monitor.log -Turn off ssl decryption rules If using service routes…
-App-override rule for traffic in question ping source <src-ip> host …
Debugs:
-For VPN traffic, ensure that tcp-mss Run PCAP and Flow Basic
Management Plane
adjustment is enabled on interfaces.
debug log-receiver statistics Additional Steps:
debug management-server on debug -Does PA device have license?
debug management-server memory info -Is DNS configured in deviceconfig?
debug management-server memory info -Can you resolve
less mp-log ms.log updates.paloaltonetworks.com?
debug management-server on info - Can you resolve
services.paloaltonetworks.com?
Dataplane
If using service route…
-Does dns have service route enabled?
-Is DNS allowed in policy?
-is there any any any deny rule? If so then is
intrazone traffic allowed for paloalto-updates
and dns?
Links:
Tcpdump on management interface (5.0+):
4595
NAT URL Filtering (Brightcloud) URL Filtering (PAN-DB)
Management Plane Management Plane Management Plane
show system info show system setting url-filtering-feature show url-cloud status
show system resources request url-filtering update <URL> request url-filtering download status vendor
show routing route test url <URL> paloaltonetworks
show routing fib ping host service.brightcloud.com request url-filtering update <URL>
See Dynamic Updates test url <URL>
Dataplane
Enabling bloom filter: test url-info-host <URL> (test MP cache)
show session all filter …
set system setting url-filtering-feature cache True test url-info-cloud <URL> (test on cloud)
set system setting url-filtering-feature filter True delete url-database url <URL> (MP cache)
show counter global filter delta yes <category
nat> Dataplane Dataplane
show interface all show running url-license show running url <URL>
show running resource-monitor show running top-urls show running url-info <URL>
show running nat-policy show running url-cache statistics show running url-cache statistics
show running nat-rule-cache show counter global filter delta yes | match url show system setting url-cache statistics
show running nat-rule-ippool rule <rule-name> test url-resolve-path <URL> show system setting url-cache all
show running global-ippool (dyn src nat) show counter global filter delta yes | match url
Logs:
show running ippool (src nat) test url-resolve-path <URL>
Management Plane
clear url-cache url <URL> (DP cache)
Logs: show log system direction equal backward
Management Plane less mp-log devsrv.log Logs:
show log system direction equal backward less mp-log pan_bc_download.log Management Plane
show log config direction equal backward less mp-log devsrv.log
Dataplane
less mp-log mp-monitor.log less mp-log pan_url_download.log
Dataplane Dataplane
Debugs:
less dp-log dp-monitor.log less dp-log dp_url_DB.log
Management Plane
Debugs: debug device-server test url-update-server
Management Plane debug device-server bc-url-db show-stats Debugs:
debug log-receiver statistics debug device-server bc-url-db db-info Management Plane
debug device-server bc-url-db bloom-stats debug device-server pan-url-db cloud-reelect
Dataplane
debug device-server reset brightcloud- debug device-server pan-url-db show-stats
debug device-server dump idmgr type nat-rule
database debug device-server set url basic
all
debug device-server bc-url-db cache-enable debug device-server set url_trie basic
<yes/no> debug device-server on debug
ping source <src-ip> host <dst-ip> debug device-server bc-url-db cache-clear Dataplane
test routing fib-lookup virtual-router <vr- debug software restart device-server debug url-resolve-path <URL>
name> ip <ip-addr> debug device-server set url basic debug dataplane show url-cache statistics
test security-policy-match … debug device-server on debug debug dataplane test url-cache-resolve-path
test nat-policy-match … Dataplane debug dataplane packet-diag set log feature
Run PCAP and Flow Basic debug url-resolve-path <URL> url_trie basic
debug device-server dump dynamic-url debug dataplane packet-diag set log feature
Links: database ctd url
Understanding PAN-OS NAT Technote: debug device-server dump dynamic-url debug dataplane packet-diag set log on
https://live.paloaltonetworks.com/docs/DOC- statistics
1517 debug dataplane show url-cache statistics Links:
debug dataplane test url-cache-resolve-path BC/PAN-DB CLI Commands:
delete dynamic-url host all https://live.paloaltonetworks.com/docs/DOC-
clear url-cache all 3608
Test-A-Site:
Links: http://urlfiltering.paloaltonetworks.com/testA
BrightCloud website: Site.aspx
http://www.brightcloud.com
BC/PAN-DB CLI Commands:
3608
IPSec VPN NetConnect (4.0 and earlier) GlobalProtect (4.0+)
show vpn ike-sa gateway <name> show ssl-vpn flow show global-protect-gateway flow
show vpn ipsec-sa tunnel <name> show ssl-vpn current-user show global-protect-gateway gateway name
show vpn flow name <name> show ssl-vpn previous-user <name>
show vpn gateway name <name> show ssl-vpn portal show global-protect-gateway current-user
show vpn tunnel name <name> show interface all show global-protect-gateway previous-user
show running tunnel flow info show user ip-user-mapping type GP all
Logs:
show running tunnel flow context <#> show interface all
Management Plane
show running tunnel flow nexthop request license info
show log system direction equal backward
show session all filter destination-port 500
subtype equal sslvpn Logs:
show session all filter protocol 50
less mp-log sslvpn-access.log Management Plane
show session all filter destination-port 4500
less mp-log sslvpn.log show log system direction equal backward
less mp-log rasmgr.log subtype equal globalprotect
less mp-log authd.log less webserver-log sslvpn-access.log
show interface all
less webserver-log sslvpn-error.log
Dataplane
Logs: less mp-log authd.log
less dp-log mp-relay.log
Management Plane less mp-log useridd.log
show log system direction equal backward less mp-log sslvpn.log
subtype equal vpn NetConnect Client less mp-log rasmgr.log
less mp-log ikemgr.log Right-click tray icon > Information… (6.x)
Palo Alto Networks > NetConnect > Support less mp-log appweb3-sslvpn.log
Dataplane
CMD: wmic niconfig list
less dp-log mp-relay.log Dataplane
Wireshark on client PC
less dp-log dp-monitor.log less dp-log mp-relay.log
Debugs: less dp-log dp-monitor.log
Debugs:
debug ike global on debug
debug ike global on debug GP Client
debug ike pcap on
debug ike pcap on Advanced view > Troubleshooting tab: start
view-pcap debug-pcap ikemgr.pcap
view-pcap debug-pcap ikemgr.pcap debug on PanGP Service
delete network tunnel ssl-vpn
ping source <src-ip> host <peer-ip> File > Collect Log
request ssl-vpn client-logout
test routing fib-lookup virtual-router <vr- c:\Users: look for Pan… files
Run PCAP and Flow Basic
name> ip <peer-ip-addr> Wireshark on client PC
test vpn ipsec-sa tunnel <name> Additional Steps:
Debugs:
clear vpn ike-sa -Is there any deny all rules
debug global-protect portal on
clear vpn ipsec-sa -For 64-bit OS, did you use 64-bit browser?
debug user-id dump hip-profile-database
Run PCAP and Flow Basic -Is Java updated?
debug user-id dump hip-report computer
-For 64-bit OS, did you update both 32-bit and
Additional Steps: <name> user <user> ip <ip>
64-bit Java?
-Can you ping remote peer IP? debug user-id on debug
-Any other VPN clients installed on PC?
-Is there any deny all rules blocking ike, ipsec- debug user-id set hip all
-Is IP pool overlapping interface IP subnet (we
esp or ipsec-esp-udp?
do not proxy-arp)? Additional for LSVPN (5.0+):
-Check phase1, is it up?
show log system direction equal backward
-Check phase2, is it up?
Links: subtype equal satd
-For traffic issue, do you have route for traffic
How to configure SSL-VPN in 4.0: show global-protect-gateway current-satellite
with next-hop as tunnel interface?
https://live.paloaltonetworks.com/docs/DOC- show global-protect-gateway flow-site-to-site
-Are you sending protocol 50 or udp 4500?
1841 show global-protect-satellite …
-Are you receiving any protocol 50 or udp
SSL-VPN for Windows 7 64-bit install checklist: debug satd on debug
4500?
https://live.paloaltonetworks.com/docs/DOC- less mp-log satd.log
-Any other firewalls between IKE peers that
1584 test global-protect-satellite gateway-connect…
may be blocking ESP or nat-t?
-Did you enable tcp-mss for the LAN side
interface?
Links:
-Always get remote peer side logs and data
Troubleshooting GlobalProtect:
captures.
2568
Links:
GlobalProtect Technote:
How to configure and troubleshoot IPSec VPN:
2020
1163
Hub and Spoke VPN:
1608
User-ID (4.0 Pan/LDAP Agents) User-ID (4.1+ Userid-Agent) Agentless User-ID (5.0+)
PAN Agent User-ID Agent User-ID Agent
show user pan-agent statistics show user user-id-agent state all show user server-monitor state all
show user pan-agent user-IDs show user user-id-agent statistics show user server-monitor statistics
show user ip-user-mapping all show user user-IDs show user user-IDs
show user ip-user-mapping ip <x.x.x.x> show user ip-user-mapping all show user ip-user-mapping all
show user ip-user-mapping ip <x.x.x.x> show user ip-user-mapping ip <x.x.x.x>
LDAP Agent
show user group list show user group list
show user userid-agent statistics
show user group name <name> show user group name <name>
show user ldap-server state all
show user group-mapping state all show user group-mapping state all
show user ldap-server server all
show user group-mapping statistics show user group-mapping statistics
show user ip-user-mapping
show user ip-user-mapping ip <x.x.x.x> TS Agent Logs:
show user ts-agent state all less mp-global userinfo.xml
TS Agent
show user ts-agent statistics show log userid
show user user-ts-agent statistics
show user ip-port-mapping all less mp-log useridd.log
show user ip-port-user-mapping all
less mp-log mp-monitor.log
Logs:
Logs:
less mp-global userinfo.xml Debugs:
less mp-global userinfo.xml
show log userid debug user-id on debug
less mp-log devsvr.log
less mp-log useridd.log debug user-id log-ip-user-mapping yes
less mp-log ldapd.log
less mp-log mp-monitor.log debug user-id dump idmgr type user all
debug user-id dump idmgr type user-group all
Debugs:
Debugs: debug user-id reset group-mapping all
debug user-id dump domain-map
debug device-server on debug debug user-id reset captive-portal ip-address
debug user-id dump objects-in-policy
debug device-server set agent basic <x.x.x.x>
debug user-id dump idmgr type user all
debug device-server set agent conn debug user-id refresh group-mapping all
debug user-id dump idmgr type user-group all
debug device-server dump user-group name … clear user-cache all
debug user-id reset user-id-agent all
debug device-server dump idmgr type user all clear user-cache ip x.x.x.x
debug user-id reset group-mapping all
debug device-server reset pan-agent all
debug user-id reset captive-portal ip-address Captive Portal
debug device-server reset captive-portal ip-
<x.x.x.x> show running captive-portal-policy
address <x.x.x.x>
debug user-id refresh user-id agent all debug user-id set agent ntlm
debug ldap-server reset server all
debug user-id refresh group-mapping all debug user-id dump ntlm-stats
debug ldap-server reset bind
clear user-cache all debug l3svc on debug
debug ldap-server refresh server all
clear user-cache ip x.x.x.x debug l3svc pcap on
clear user-cache all
debug user-id on debug view-pcap debug-pcap l3svc-vr-X.pcap
clear user-cache ip x.x.x.x
debug user-id agent <agent_name> receive yes less mp-log authd.log
Captive Portal debug user-id agent <agent_name> on
Additional Steps:
show running captive-portal-policy debug user-id set agent basic
-Confirm security log events on DC
show user user-ntlm-agent statistics debug user-id set agent conn
-Use ‘wmic’ on server
debug device-server set agent ntlm less agent-log 1/<agent_name>.log
debug l3svc on debug
Captive Portal Links:
debug l3svc pcap on
show running captive-portal-policy User ID and elevated accounts technote:
view-pcap debug-pcap l3svc-vr-X.pcap
debug user-id set agent ntlm https://live.paloaltonetworks.com/docs/DOC-
less mp-log authd.log
debug user-id dump ntlm-stats 1920
Additional Steps: debug l3svc on debug
-Restart PanAgentService debug l3svc pcap on
-Confirm ip-user mapping on agent view-pcap debug-pcap l3svc-vr-X.pcap
-Confirm security log events on DC less mp-log authd.log
-LDAP agent, look for user directory fields:
Additional Steps:
networkAddress and loginTime
-Confirm ip-user mapping on agent
-Confirm security log events on DC
Links:
-LDAP agent, look for user directory fields:
User ID Technote for 4.0:
networkAddress and loginTime
1807
Links:
User ID Technote for 4.1:
3120
OSPF BGP RIP
Management Plane Management Plane Management Plane
show system resources show system resources show system resources
show routing protocol ospf summary show routing protocol bgp summary show routing protocol rip summary
show routing protocol ospf neighbor show routing protocol bgp peer show routing protocol rip interface
show routing protocol ospf area show routing protocol bgp peer-group show routing protocol rip peer
show routing protocol ospf lsdb show routing protocol bgp policy … show routing protocol rip database
show routing protocol ospf dumplsdb show routing protocol bgp loc-rib show routing route type rip
show routing protocol ospf interface show routing protocol bgp rib-out show routing fib
show routing route type ospf show routing protocol bgp rib-out-detail show routing resource
show routing fib show routing route type bgp
Dataplane
show routing resource show routing fib
show running resource-monitor
show routing resource
Dataplane show session all filter destination-ip 224.0.0.9
show running resource-monitor Dataplane show counter global filter delta yes
show session all filter protocol 89 show running resource-monitor show interface all
show counter global filter delta yes show session all filter destination-port 179
Logs:
show interface all show counter global filter delta yes
Management Plane
show interface all
Logs: show log system direction equal backward
Management Plane Logs: subtype equal routing
show log system direction equal backward Management Plane less mp-log routed.log
subtype equal routing show log system direction equal backward less mp-log mp-monitor.log
less mp-log routed.log subtype equal routing
Dataplane
less mp-log mp-monitor.log less mp-log routed.log
Dataplane
Debugs:
less dp-log dp-monitor.log Dataplane
debug routing global on debug
Debugs: debug routing pcap rip on
debug routing global on debug Debugs: debug routing restart
debug routing pcap ospf on debug routing global on debug debug software trace routed
debug routing restart debug routing pcap bgp on debug dataplane internal vif link
debug software trace routed debug routing socket ping source <src-ip> host <peer-ip>
debug dataplane internal vif link debug routing mib bgpRmEntTable test routing fib-lookup virtual-router <vr-
ping source <src-ip> host <peer-ip> debug routing mib bgpRmAfmJoinTable name> ip <ip-addr>
test routing fib-lookup virtual-router <vr- debug routing list-mib Run PCAP and Flow Basic
name> ip <ip-addr> debug software trace routed
Run PCAP and Flow Basic debug dataplane internal vif link
test routing bgp virtual-router <name> restart
Links: self
How to configure OSPF Technote: test routing bgp virtual-router <name> refresh
https://live.paloaltonetworks.com/docs/DOC- self
1939 Run PCAP and Flow Basic
Links:
How to configure BGP Technote:
1572
HA Active-Passive HA Active-Active Authentication
show high-availability all show high-availability all show admins
show high-availability state show high-availability state show authentication allowlist
show high-availability interface ha1 show high-availability interface ha1 show authentication groupnames
show high-availability control-link statistics show high-availability control-link statistics
LDAP:
show high-availability interface ha2 show high-availability interface ha2
show user group list
show high-availability state-synchronization show high-availability state-synchronization
show user group-mapping state all
show high-availability interface flap statistics show high-availability interface ha3
show user group-mapping statistics
show high-availability link-monitoring show high-availability virtual-address
show high-availability path-monitoring show high-availability interface flap statistics Logs:
show high-availability transitions show high-availability link-monitoring show log system direction equal backward
show system resources show high-availability path-monitoring eventid equal auth-success
request high-availability state suspend show high-availability transitions show log system direction equal backward
request high-availability state functional show system resources eventid equal auth-fail
request high-availability sync-to-remote … request high-availability state suspend less mp-log authd.log
show counter global filter delta yes category request high-availability state functional less mp-log mp-monitor.log
ha request high-availability sync-to-remote … Debugs:
show counter global filter delta yes category ha debug authd on dump
Logs:
show counter global filter delta yes aspect aa debug user-id set ldap basic
Management Plane
show log system direction equal backward Logs: debug user-id on debug
subtype equal ha Management Plane debug user-id dump idmgr type user all
less mp-log ha_agent.log show log system direction equal backward debug user-id dump idmgr type user-group
less mp-log mp-monitor.log subtype equal ha all
less mp-log ha_agent.log debug user-id reset group-mapping all
Dataplane
less mp-log mp-monitor.log debug user-id refresh group-mapping all
less dp-log pan_dha.log
debug user-id set agent group
less dp-log dp-monitor.log Dataplane
clear user-cache all
less dp-log pan_dha.log
Debugs: ping host <auth-server>
debug high-availability-agent on debug (5.0+) tcpdump filter “host x.x.x.x and not
debug high-availability-agent on internal-dump Debugs: port 22”
debug dataplane internal vif link debug high-availability-agent on debug
If using service routes…
debug high-availability-agent on internal-dump
ping source <src-ip> host <auth-server>
Links: debug dataplane internal vif link
How to upgrade HA pair:
https://live.paloaltonetworks.com/docs/DOC- Links: Additional Steps:
4043 HA Active/Active Technote: -Check on Radius server logs for errors
https://live.paloaltonetworks.com/docs/DOC- -Check on LDAP or AD server event logs
2541
Links:
How to configure Radius on Win2008:
https://live.paloaltonetworks.com/docs/DO
C-1232
Radius Dictionary:
C-3189
LDAP authentication with PANOS:
C-1445
Kerberos authentication with PANOS:
C-1762
SSL Decryption Logging/Netflow Panorama
Management Plane Management Plane show system info
show routing route show system resources show system resources
show system setting ssl-decrypt setting show system logdb-quota show jobs all
show system setting ssl-decrypt certificate show system disk-space netstat all yes
show system setting ssl-decrypt memory detail show system raid detail show panorama-status
show system setting ssl-decrypt exclude-cache show jobs all show logging-status
show panorama-status show counter global filter delta yes | match
Dataplane
show logging-status log
show running resource-monitor
show log-collector preference-list
show session all filter … Logs:
show session id <sess-id> Dataplane show log system direction equal backward
show counter global filter delta yes show running resource-monitor less mp-log ms.log
show interface all show session info less mp-log mp-monitor.log
show counter global filter delta yes | match
Logs: Debugs:
log
Management Plane PAN-OS
show counter global filter delta yes | match
less mp-log mp-monitor.log debug log-receiver statistics
netflow
debug management-server conn
Dataplane
Logs: debug dataplane internal vif link
Management Plane debug dataplane pool statistics
Debugs: less mp-log ms.log debug dataplane packet-diag clear all
Management Plane show log system direction equal backward ping host <panorama-ip>
debug log-receiver statistics subtype equal syslog (5.0+) tcpdump filter “host x.x.x.x and not port
debug sslmgr delete ocsp all (6.x) 22”
debug dataplane reset ssl-decrypt certificate- less mp-log syslog-ng.log
If using service routes…
cache
Dataplane ping source <src-ip> host …
Dataplane less dp-log dp-monitor.log Run PCAP and Flow Basic
Debugs: Panorama
PAN-OS show logging-status device <serial#>
debug log-receiver statistics
Also: M-100:
debug log-receiver netflow statistics
debug dataplane packet-diag set log feature debug log-collector-group show name
debug log-receiver on dump
proxy basic debug log-collector log-collection-stats show
debug log-receiver on normal
debug dataplane packet-diag set log feature ssl incoming-logs
debug management-server conn
basic
tcpdump filter "udp port 514“ Additional Steps:
(6.x) -Has serial number of device been added to
Links:
debug syslog-ng stats Panorama Device list?
How to Implement SSL Decryption:
https://live.paloaltonetworks.com/docs/DOC- Panorama
Links:
1412 show logging-status device <serial#>
Tcpdump on management interface:
Controlling SSL decryption:
M-100: https://live.paloaltonetworks.com/docs/DOC-
debug log-collector-group show name 4595
2008
debug log-collector log-collection-stats show
SSL Decryption Certificates:
incoming-logs
2006 Additional Steps:
Troubleshooting Slowness with Traffic, -If too much logging, is logging at session start
Management, or Intermittent SSL Decryption: enabled?
https://live.paloaltonetworks.com/docs/DOC- -For forwarding (Panorama, syslog) issues, is
1036 log forwarding profile configured? Does
security rule specify the log forwarding profile?
Links:
M-100 Log Collector Configuration
4156
PAN-OS Syslog Integration
2021
DHCP Zone/Dos Protection QoS
Server show running resource-monitor show running resource-monitor
show dhcp server lease all show session all filter … show session all filter qos-class [1-8]
show dhcp server settings all show session id <sess-id> show session all filter qos-rule <qosrulename>
clear dhcp lease interface <if-name> show counter global filter delta yes aspect dos show session id <sess-id>
show counter global filter delta yes | match show qos interface <interfacename> counter
Client
drop show qos interface <interfacename>
show dhcp client state all
show running dos-policy throughput <qid>
request dhcp client release <if-name>
show zone-protection zone <zonename> show qos interface <interfacename> match-
request dhcp client renew <if-name>
show dos-protection zone <zonename> rule
Relay blocked source show counter global filter delta yes aspect qos
See debugs section. show dos-protection rule <rulename> settings show running qos-policy
Logs: show dos-protection rule <rulename> statistics
Logs:
show log system direction equal backward show interface <interfacename>
(5.x) less mp-log dhcpd.log Logs:
Debugs:
(6.x) less mp-log pan_dhcpd.log show log threat direction equal backward
debug device-server dump idmgr type qos-rule
less mp-log mp-monitor.log less dp-log dp-monitor.log
all
Debugs: Debugs: debug log-receiver statistics
debug dhcpd show objects debug device-server dump idmgr type dos-rule debug dataplane pool statistics
debug dhcpd global on dump all
Additional Steps:
debug dhcpd pcap on debug log-receiver statistics
-Confirm correctly configured QoS policy?
debug dhcpd pcap view debug dataplane pool statistics
-Check GUI under Network > QoS >
debug dhcpd pcap off Run PCAP and Flow Basic
[interfacename] > Statistics
debug dhcpd global on info
Links:
debug dataplane pool statistics Links:
Attack Mitigation using Zone Protection
ping source <src-ip> host <dhcp-server> QoS in PAN-OS 4.1
Technote
Run PCAP and Flow Basic https://live.paloaltonetworks.com/docs/DOC-
3439
3581
Links: Qos Capacity by PAN Model
Threat Prevention Deployment Technote
CLI commands to troubleshoot DHCP: https://live.paloaltonetworks.com/docs/DOC-
https://live.paloaltonetworks.com/docs/DOC- 1231
3094
1318 Threat IDs for Zone/Dos Protection
4024
Certificates WildFire Multicast
Links: CLI Commands: CLI Commands:
Troubleshooting SSL Certificates in PAN-OS PA Device show routing multicast igmp interface
https://live.paloaltonetworks.com/docs/DOC- show system resources show routing multicast igmp membership
5075 show wildfire status show routing multicast igmp statistics
SSL Decryption Certificates: show wildfire statistics show routing multicast pim state
https://live.paloaltonetworks.com/docs/DOC- show wildfire disk-usage show routing multicast pim interface
2006 show system setting ctd state show routing multicast pim neighbor
Exporting IIS SSL Certificate: netstat all yes show routing multicast pim statistics
https://live.paloaltonetworks.com/docs/DOC- (6.x) show routing multicast pim group-mapping
1223 show wildfire cloud-info show routing multicast pim elected-bsr
How to generate CSR using IIS show routing multicast route
WF-500
https://live.paloaltonetworks.com/docs/DOC- show routing multicast route group <group-ip>
See Platform section
3501 show routing multicast route interface <intf-
How to generate CSR using OpenSSL Logs: name>
https://live.paloaltonetworks.com/docs/DOC- show log wildfire direction equal backward show routing multicast route source <sr-ip>
3502 less mp-log varrcvr.log show routing multicast fib
How to implement Cert from Microsoft CS Debugs: show routing multicast fib group <group-ip>
https://live.paloaltonetworks.com/docs/DOC- test wildfire registration show routing multicast fib interface <intf-
3486 show counter global | match cancel name>
(5.0) How to generate CSR, import signed CA. debug dataplane show ctd version show routing multicast fib source <src-ip>
https://live.paloaltonetworks.com/docs/DOC- debug wildfire dp-status show routing multicast group-permission
4232 debug wildfire reset forwarding show routing route
How to Install a Chained Certificate Signed by a debug wildfire reset dp-receiver show session all
Public CA debug wildfire reset log-cache show session id <mcast_sess>
https://live.paloaltonetworks.com/docs/DOC- debug wildfire reset file-cache show counter global filter delta yes
4289 debug wildfire reset report-cache Logs:
How to Configure an OCSP Responder debug wildfire reset all less mp-log routed.log
https://live.paloaltonetworks.com/docs/DOC- debug wildfire file-digest sha256 <hash> less dp-log mp-relay.log
5837 debug vardata-receiver set third-party libcurl less dp-log dp-monitor.log
debug vardata-receiver on debug
Debugs:
(6.x)
debug routing mpf stats
debug wildfire content-info
debug routing list-mib
debug wildfire file-cache [enable|disable]
debug routing mib <value>
debug wildfire transition-file-list
debug routing fib stats
debug wildfire cloud-info set add-file-type
debug routing pcap pim on
<filetype>
debug routing pcap igmp on
debug wildfire cloud-info set delete-file-type
view-pcap debug-pcap pim-vr-X.pcap
<filetype>
view-pcap debug-pcap igmp-vr-X.pcap
debug wildfire cloud-info set cloud-type
debug routing global on debug
[wf-app|wf-public]
ping source <src-ip> host <dst-ip>
WF-500 Run PCAP and Flow Basic
See Platform section
Additional Steps:
Links: -If not seeing PIM joins, confirm receiving
WildFire Portal proper IGMP joins (we do not support static
https://wildfire.paloaltonetworks.com/Wildfir IGMP joins).
e -Do you have proper join to RP?
WildFire Configuration and Testing -Check that downstream receivers have route
https://live.paloaltonetworks.com/docs/DOC- to RP and source.
3300
Links:
WildFire Flow Chart
How to config basic multicast with static RP
3555
4197
WildFire Counters
5097
Platform Commands
PA-7000 (6.0+)
(NPC) DP Octeon Commands: (NPC) NPC Petra Commands: (LPC) Log Card:
debug dataplane internal pdt oct pip stats slot debug dataplane internal pdt petra counters less s8lp-log lp-monitor.log
<s#> proc <dp#> chip slot <s#> less s8lp-log vldgmr.log
debug dataplane internal pdt oct pko stats all debug dataplane internal pdt petra counters debug log-receiver statistics
yes slot <s#> proc <dp#> port slot <s#> debug log-card-interface info slot s8
debug dataplane internal pdt petra show debug log-card-interface ping slot s8 host <ext-
Force traffic to specific DP:
traffic_info slot <s#> server-ip>
set session distribution-policy fixed <s#dp#>
debug dataplane internal pdt petra show debug log-collector stats runtime interval-type
Show DP specific sessions/data: non_empty_queues slot <s#> all segment all ld <1|2>
set system setting target-dp <s#dp#> debug log-collector stats storage segment all ld
Note: <1|2>
<s#> refers to slot number (i.e. s1, s2, etc.) debug dataplane internal pdt petra counters
<dp#> refers to DP number (i.e. dp0, dp1, etc.) port slot s8
Note 7K does NOT support Netflow in 6.0
(NPC) Offload (FE20) Commands: (SMC) FPP Commands: General Commands:
Fe20 ingress and flows: show session distribution policy Chassis commands:
debug dataplane internal pdt fe20 show stats show session distribution statistics show chassis inventory
slot <s#> show chassis status
debug dataplane internal pdt petra counters
debug dataplane internal pdt fe20 show show chassis status slot <s#>
port slot s4
pipecmd slot <s#> show chassis power
debug dataplane internal fpp statistics
debug dataplane internal pdt fe20 port stats show system environmentals
debug dataplane internal pdt fpp show version
slot <s#> request chassis enable slot <s#> (card insert)
debug dataplane internal pdt fpp show stats
request chassis restart slot <s#>
debug dataplane internal pdt fe20 flow count debug dataplane internal pdt fpp show queues
request chassis admin-power-<on/off> slot
slot <s#> debug dataplane internal pdt fpp show
<s#>
debug dataplane internal pdt fe20 flow dump msgcnts
request chassis power-<off|on> slot <s#>
count 256 slot <s#> debug dataplane internal pdt fpp show
target <ha-pair|local-device> time-to-wait <#>
debug dataplane internal pdt fe20 flow lookup pipecmd
verbose yes slot <s#> saddr <src-ip> sport debug dataplane internal pdt fpp sw stats Chassis logs:
<src-port> daddr <dst-ip> dport <dst-port> less mp-log chasd.log
debug dataplane internal pdt fpp xge stats
proto <ipproto#> zone <zone-id> less mp-log slot<#>-console-output.log
debug dataplane internal pdt fpp xge info
less s<#>cp-log dataplane<#>-console-
Fe20 egress and forwarding: debug dataplane internal pdt fpp xaui info
output.log
debug dataplane internal pdt fe20 route dump
debug dataplane internal pdt fpp gft count
slot <s#> Forcing traffic to single DP:
debug dataplane internal pdt fpp gft dump
debug dataplane internal pdt fe20 nexthop show session distribution policy (check current)
debug dataplane internal pdt fpp gft lookup
dump type <TYPE> slot <s#> set session distribution-policy fixed <s#dp#>
saddr <src-ip> sport <src-port> daddr <dst-ip>
debug dataplane internal pdt fe20 mac dump Revert back to normal, set to previous setting
dport <dst-port> proto <ipproto#> zone <zone-
slot <s#>
id> flowid <sess-id> Internal Paths
Fe20 Link to Petra: debug dataplane internal pdt fpp predict dump debug dataplane packet-path-test test slot<s#>
debug dataplane internal pdt fe20 xge stats debug dataplane internal pdt fpp event dump debug dataplane internal path nodes
slot <s#> debug dataplane internal pdt fpp vsys dump debug dataplane internal path sample nodes
debug dataplane internal pdt fe20 xge info slot “<node1> <node2>”
<s#> debug dataplane internal path sample filter err
nodes “<node1> <node2>”
Fe20 Link to Marvells:
debug dataplane internal path sample filter pkt
debug dataplane internal pdt fe20 xge20g stats
nodes “<node1> <node2>”
slot <s#>
Examples of “<node1> <node2>”:
debug dataplane internal pdt fe20 xge20g info
"s1.dp0 s4.cougar" slot1 DP0 to FPP
slot <s#>
(NPC) FPGA (Jaguar) Commands: (NPC) Stats engine (SE20): Other Components:
debug dataplane internal pdt jaguar xge stats debug dataplane internal pdt se20 xge stats Marvell (phy port chips)
slot <s#> instance <0 | 1> slot <s#> debug dataplane internal pdt marvell stats slot
debug dataplane internal pdt jaguar cip ififo debug dataplane internal pdt se20 xge info slot <s#>
slot <s#> instance <0 | 1> <s#>
MP-DP link:
debug dataplane internal pdt jaguar cip ofifo debug dataplane internal pdt se20 xaui info
slot <s#> instance <0 | 1> slot <s#>
debug dataplane internal vif address
debug dataplane internal pdt nac stats slot debug dataplane internal pdt se20 aurora stats
debug dataplane internal vif rule
<s#> instance <0 | 1> slot <s#>
debug dataplane internal pdt se20 aurora info
slot <s#>
Platform Commands
PA-5000 (4.0+) PA-4000 PA-3000 (5.0+)
DP Octeon Commands: DP Octeon Commands: DP Octeon Commands:
debug dataplane internal pdt oct pip stats debug dataplane internal pci-access sample debug dataplane internal pdt oct pip stats
debug dataplane internal pdt oct pko stats all y debug dataplane internal pdt oct pip stats debug dataplane internal pdt oct pko stats all
debug dataplane internal pdt oct pko stats all yes
Force traffic to specific DP:
yes
set session processing-cpu <dp0|dp1>
debug dataplane internal pdt oct pko debug
set session processing-cpu dp2 (5060 only)
port 0
set session processing-cpu random
..to…
Show DP specific sessions/data: debug dataplane internal pdt oct pko debug
set system setting target-dp <dp0|dp1> port 31
set system setting target-dp dp2 (5060 only)
set system setting target-dp none
Offload (Tiger) Commands: Offload (EZ-Chip) Commands: Offload (Liger) Commands:
Tiger ingress and flows: debug ez show port PA-3050 Only
debug dataplane internal pdt tiger igr stats debug ez show counter index 0 num-counters Liger ingress and flows:
debug dataplane internal pdt tiger igr errors 40 debug dataplane internal pdt liger igr stats
debug dataplane internal pdt tiger igr drop debug ez show counter index 40 num-counters debug dataplane internal pdt liger igr errors
stats 40 debug dataplane internal pdt liger igr drop
debug dataplane internal pdt tiger igr port debug ez show counter index 40 num-counters stats
stats 40 debug dataplane internal pdt liger igr port stats
debug dataplane internal pdt tiger igr flow debug ez show register count 10 index 653 debug dataplane internal pdt liger igr flow
dump count 256 debug ez show freerfd dump count 256
debug dataplane internal pdt tiger igr flow debug ez show tm-sum-stats debug dataplane internal pdt liger igr flow
dump verbose yes id <sessionid*2> debug ez show tm-q-depth wred-level global dump verbose yes id <sessionid*2>
debug dataplane internal pdt tiger igr flow tm-id TMa entity-addr 0 debug dataplane internal pdt liger igr flow
dump verbose yes id <(sessionid*2)+1> debug ez show tm-q-depth wred-level global dump verbose yes id <(sessionid*2)+1>
tm-id TMb entity-addr 0
Tiger egress and forwarding: Liger egress and forwarding:
debug ez show tm-q-depth wred-level tm tm-id
debug dataplane internal pdt tiger egr stats debug dataplane internal pdt liger egr stats
TMa entity-addr 0
debug dataplane internal pdt tiger egr route v4 debug dataplane internal pdt liger egr route v4
debug ez show tm-q-depth wred-level tm tm-id
dump dump
TMb entity-addr 0debug ez show arp
debug dataplane internal pdt tiger egr nexthop debug dataplane internal pdt liger egr nexthop
debug ez show route
dump dump
debug ez show route6
debug dataplane internal pdt tiger egr mac debug dataplane internal pdt liger egr mac
debug ez show session-counter num-counters
dump dump
40
Tiger to Petra Link: debug ez show session Liger to Marvell/Octeon Link:
debug dataplane internal pdt tiger spaui stats debug ez show throughput debug dataplane internal pdt liger xge stats
Tiger to Octeon Links:
debug dataplane internal pdt tiger xge stats
FPGA (Jaguar) Commands: FPGA (DFA/AHO) Commands: FPGA (Ocelot) Commands:
debug dataplane internal pdt jaguar xge stats debug dataplane internal pdt nac stats debug dataplane internal pdt ocelot xge stats
instance <0 | 1> instance <0 | 1> debug dataplane internal pdt ocelot xge info
debug dataplane internal pdt jaguar cip ififo debug dataplane internal pdt ocelot xge
Disable FPGA for Appid/Ctd:
instance <0 | 1> epb_status
debug dataplane fpga set sw_aho yes
debug dataplane internal pdt jaguar cip ofifo debug dataplane internal pdt ocelot cip ififo
debug dataplane fpga set sw_dfa yes
instance <0 | 1> debug dataplane internal pdt ocelot cip ofifo
debug dataplane fpga set sw_dlp yes
debug dataplane internal pdt nac stats debug dataplane internal pdt ocelot xaui info
instance <0 | 1>
Other Component Commands: Other Component Commands: Other Component Commands:
Petra Switch: Puma Switch (4060 only): Marvell Switch:
debug dataplane internal pdt petra counters debug dataplane internal pdt puma stats debug dataplane internal pdt marvell stats
chip verbose yes port <1-8>
MP-DP link:
debug dataplane internal pdt petra counters
MP-DP link: debug dataplane internal vif link
port (10G ports)
Disable FPGA for Ctd:
Marvell (1G ports):
debug dataplane internal pdt marvell stats
MP-DP link:
Platform Commands
PA-2000 PA-500 PA-200 (4.1+)
DP Octeon Commands: DP Octeon Commands: DP Octeon Commands:
debug dataplane internal pdt oct pip stats debug dataplane internal pdt oct pip stats debug dataplane internal pdt oct pip stats
debug dataplane internal pdt oct pko stats all debug dataplane internal pdt oct pko stats all debug dataplane internal pdt oct pko stats all
yes yes yes
Logs:
All logs including DP logs will in mp-log
Offload (Lion) Commands: Offload Commands: Offload Commands:

Lion ingress and flows: N/A N/A
debug dataplane internal pdt lion igr port stats
debug dataplane internal pdt lion igr drops
debug dataplane internal pdt lion igr port
dump
debug dataplane internal pdt lion igr flow
dump
dump verbose yes id <sessionid*2>
dump verbose yes id <(sessionid*2)+1>
Lion egress and forwarding:
debug dataplane internal pdt lion egr stats
debug dataplane internal pdt lion egr route
dump
debug dataplane internal pdt lion egr nexthop
dump
Lion to Octeon Link:
debug dataplane internal pdt lion spi stats
FPGA Commands: FPGA (DFA/AHO) Commands: FPGA (DFA/AHO) Commands:
Disable FPGA for Appid/Ctd: N/A N/A
debug dataplane fpga set sw_dfa yes
debug dataplane fpga set sw_dlp yes
Other Component Commands: Other Component Commands: Other Component Commands:

MP-DP link: MP-DP link: MP-DP link:
debug dataplane internal vif link debug dataplane internal vif link debug dataplane internal vif link
Platform Commands
GP-100 (6.0+) VM Series/Dynamic Addr Obj (5.0+) WF-500 (5.1+)
CLI Commands: VM-Series CLI Commands: CLI Commands:
show global-protect-mdm statistics Similar to PA-200 show system resources
show global-protect-mdm state all show system disk-space
Dynamic Address Object Commands
show mobile-device list show system raid detail
show running security-policy
show mobile-device hip device-mac <mac> show wildfire status
show jobs all
show wildfire statistics
Logs: show object dynamic-address-object all
show wildfire last-device-registration all
less mp-log mdmd.log show object dynamic-address-object name
show wildfire vm all
less mp-log useridd.log <name>
show wildfire latest samples
(6.x)
Debugs: show wildfire latest analysis
show object registered-address ...
debug mdmd show setting show wildfire latest sessions
show object dynamic-address-group ...
debug mdmd show stats show wildfire latest uploads
debug mdmd show stats all Dynamic Address Object Logs: show wildfire sample-status sha256 equal
debug mdmd show log-stats show log system direction equal backward <sha_value>
debug mdmd show cloud-stats tail follow yes mp-log useridd.log show counter device
debug mdmd show gateway-connection tail follow yes mp-log devsrv.log (6.x)
summary show wildfire vm-images
VM Series Debugs:
debug mdmd show gateway-connection detail
Same debugs as PA-200 Logs:
debug mdmd get show log system direction equal backward
Dynamic Address Object Debugs:
debug mdmd set <all | agent | base | comm | less mp-log ms.log
debug user-id dump xmlapi-stats
db | hip | ldap | mdm | misc> less mp-log wf_devsrv.log
debug user-id on debug
debug mdmd on debug less mp-log vmcontroller.<#>.log
debug user-id set userid xmlapi
debug user-id get grep mp-log vmcontroller_detail.* pattern
debug user-id set userid vmmonitor
debug user-id set hip <sha-hash>
debug user-id get
debug user-id on debug
debug device-server on debug Debugs:
debug device-server show debug wildfire reset forwarding
Links:
(6.x) debug wildfire vm all
Link
debug device-server dump tag-table tag <tag> debug device dump queue-stats
debug device-server dump regips tag <tag> debug device dump queues
debug device-server dump regips ip <ip-addr> debug device dump queue <queue_name>
debug user-id clear registered-ip ... debug device flush queue …
debug device set all
Links: debug device on debug
VM Series Troubleshooting: debug management-server set all
https://live.paloaltonetworks.com/docs/DOC- debug management-server on debug
4159 debug vardata-receiver set third-party libcurl
debug vardata-receiver on debug
(6.x)
debug vardata-receiver statistics
test wildfire tor
test wildfire registration
Links:
WildFire Counters
5097

ASC Troubleshooting Cheatsheet - Rev2.2 - FINAL

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ASC Troubleshooting Cheatsheet - Rev2.2 - FINAL

Uploaded by

Copyright:

Available Formats

PAN-OS Troubleshooting Cheatsheet

Revision 2.2 – Aug 2014

Basic Troubleshooting General Packet Flow PCAP and Flow Basic

Offload (Lion) Commands: Offload Commands: Offload Commands:

Other Component Commands: Other Component Commands: Other Component Commands:

You might also like