
PAN-OS Command Line Interface Reference Guide

Release 3.0

5/30/09 Final Review Draft- Palo Alto Networks COMPANY CONFIDENTIAL

Palo Alto Networks, Inc.
www.paloaltonetworks.com
2009 Palo Alto Networks. All rights reserved.
Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.
Part number: 810-000043-00A

May 30, 2009 - Palo Alto Networks COMPANY CONFIDENTIAL

Table of Contents

Preface
  About This Guide
  Organization
  Typographical Conventions
  Notes, Cautions, and Warnings
  Related Documentation
  Obtaining More Information
  Technical Support

Chapter 1 Introduction
  Understanding the PAN-OS CLI Structure
  Getting Started
    Before You Begin
    Accessing the PAN-OS CLI
  Understanding the PAN-OS CLI Commands
    Understanding the PAN-OS CLI Command Conventions
    Understanding Command Messages
    Using Operational and Configuration Modes
    Displaying the PAN-OS CLI Command Options
    Using Keyboard Shortcuts
    Understanding Command Option Symbols
    Restricting Command Output
    Understanding Privilege Levels
    Referring to Firewall Interfaces

Chapter 2 Understanding CLI Command Modes
  Understanding Configuration Mode
    Using Configuration Mode Commands
    Understanding the Configuration Hierarchy
    Navigating Through the Hierarchy
  Understanding Operational Mode

Chapter 3 Configuration Mode Commands
  check
  commit
  copy
  delete
  edit
  exit
  load
  move
  quit
  rename
  run
  save
  set
  show
  top
  up

Chapter 4 Operational Mode Commands
  clear
  configure
  debug captive-portal
  debug cli
  debug cpld
  debug dataplane
  debug device-server
  debug dhcpd
  debug high-availability-agent
  debug ike
  debug keymgr
  debug log-receiver
  debug management-server
  debug master-service
  debug rasmgr
  debug routing
  debug software
  debug swm
  debug tac-login
  debug vardata-receiver
  delete
  exit
  grep
  less
  netstat
  ping
  quit
  request certificate
  request comfort-page
  request content
  request data-filtering
  request device-registration
  request high-availability
  request license
  request password-hash
  request restart
  request ssl-output-text
  request ssl-vpn
  request support
  request system
  request tech-support
  request url-filtering
  request vpn-client
  scp
  set application
  set cli
  set clock
  set ctd
  set data-access-password
  set logging
  set management-server
  set multi-vsys
  set panorama
  set password
  set proxy
  set serial-number
  set session
  set shared-policy
  set ssl-vpn
  set target-vsys
  set ts-agent
  set url-database
  set zip
  show admins
  show arp
  show authentication
  show chassis-ready
  show cli
  show clock
  show config
  show counter
  show ctd
  show device
  show device-messages
  show devicegroups
  show dhcp
  show high-availability
  show interface
  show jobs
  show local-user-db
  show location
  show log
  show logging
  show mac
  show management-clients
  show multi-vsys
  show pan-agent
  show pan-ntlm-agent
  show proxy
  show query
  show report
  show routing
  show session
  show shared-policy
  show ssl-vpn
  show statistics
  show system
  show target-vsys
  show threat
  show ts-agent
  show url-database
  show virtual-wire
  show vlan
  show vpn
  show zip
  show zone-protection
  ssh
  tail
  telnet
  test
  tftp
  traceroute
  view-pcap

Chapter 5 Maintenance Mode
  Entering Maintenance Mode
    Entering Maintenance Mode Upon Bootup
    Entering Maintenance Mode Automatically
  Using Maintenance Mode

Appendix A Configuration Hierarchy
  Firewall Hierarchy
  Panorama Hierarchy

Appendix B PAN-OS CLI Keyboard Shortcuts

Index


Preface
This preface contains the following sections:

- "About This Guide" in the next section
- "Organization" on page 7
- "Typographical Conventions" on page 8
- "Related Documentation" on page 9
- "Obtaining More Information" on page 9
- "Technical Support" on page 9

About This Guide


This guide provides an overview of the PAN-OS command line interface (CLI), describes how to access and use the CLI, and provides command reference pages for each of the CLI commands.

This guide is intended for system administrators responsible for deploying, operating, and maintaining the firewall and who require reference information about the PAN-OS CLI commands that they want to execute on a per-device basis. For an explanation of features and concepts, refer to the Palo Alto Networks Administrator's Guide.

Organization
This guide is organized as follows:

- Chapter 1, "Introduction": Introduces and describes how to use the PAN-OS CLI.
- Chapter 2, "Understanding CLI Command Modes": Describes the modes used to interact with the PAN-OS CLI.
- Chapter 3, "Configuration Mode Commands": Contains command reference pages for Configuration mode commands.
- Chapter 4, "Operational Mode Commands": Contains command reference pages for Operational mode commands.
- Chapter 5, "Maintenance Mode": Describes how to enter Maintenance mode and use the Maintenance mode options.
- Appendix A, "Configuration Hierarchy": Contains command reference pages for Operational mode commands.
- Appendix B, "PAN-OS CLI Keyboard Shortcuts": Describes the keyboard shortcuts supported in the PAN-OS CLI.

Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.

Convention: boldface
Meaning: Names of commands, keywords, and selectable items in the web interface
Example: Use the configure command to enter Configuration mode.

Convention: italics
Meaning: Name of variables, files, configuration elements, directories, or Uniform Resource Locators (URLs)
Example: The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com. element2 is a required variable for the move command.

Convention: courier font
Meaning: Command syntax, code examples, and screen output
Example: The show arp all command yields this output:
username@hostname> show arp all
maximum of entries supported: 8192
default timeout: 1800 seconds
total ARP entries in table: 0
total ARP entries shown: 0
status: s - static, c - complete, i - incomplete

Convention: courier bold font
Meaning: Text that you enter at the command prompt
Example: Enter the following command to exit from the current PAN-OS CLI level:
# exit

Convention: [ ] (text enclosed in square brackets)
Meaning: Optional parameters.
Example: In the following command, 8bit and port are optional parameters.
> telnet [8bit] [port] host

Convention: < > (text enclosed in angle brackets)
Meaning: Special keys or choice of required options.
Example: <tab> indicates that the tab key is pressed.
> delete core <control-plane | data-plane> file filename

Convention: | (pipe symbol)
Meaning: Choice of values, indicated by a pipe symbol-separated list.
Example: The request support command includes options to get support information from the update server or show downloaded support information:
> request support [check | info]

Notes, Cautions, and Warnings


This guide uses the following symbols for notes, cautions, and warnings.

Symbol    Description
NOTE      Indicates helpful suggestions or supplementary information.
CAUTION   Indicates information about which the reader should be careful to avoid data loss or equipment failure.
WARNING   Indicates potential danger that could involve bodily injury.

Related Documentation
The following additional documentation is provided with the firewall:

- Quick Start
- Hardware Reference Guide
- Palo Alto Networks Administrator's Guide

Obtaining More Information


To obtain more information about the firewall, refer to:

- Palo Alto Networks website: Go to http://www.paloaltonetworks.com.
- Online help: Click Help in the upper right corner of the GUI to access the online help system.

Technical Support
For technical support, use the following methods:

- Go to http://support.paloaltonetworks.com.
- Call 1-866-898-9087 (U.S., Canada, and Mexico).
- Email us at: support@paloaltonetworks.com.


Chapter 1

Introduction
This chapter introduces and describes how to use the PAN-OS command line interface (CLI):

- "Understanding the PAN-OS CLI Structure" in the next section
- "Getting Started" on page 12
- "Understanding the PAN-OS CLI Commands" on page 13

Understanding the PAN-OS CLI Structure


The PAN-OS CLI allows you to access the firewall, view status and configuration information, and modify the configuration. Access to the PAN-OS CLI is provided through SSH, Telnet, or direct console access. The PAN-OS CLI operates in two modes:

- Operational mode: View the state of the system, navigate the PAN-OS CLI, and enter configuration mode.
- Configuration mode: View and modify the configuration hierarchy.

Chapter 3 describes each mode in detail.


Getting Started
This section describes how to access and begin using the PAN-OS CLI:

- "Before You Begin" in the next section
- "Accessing the PAN-OS CLI" on page 12

Before You Begin


Verify that the firewall is installed and that an SSH, Telnet, or direct console connection is established.

Note: Refer to the Hardware Reference Guide for hardware installation information and to the Quick Start for information on initial device configuration.

Use the following settings for direct console connection:

- Data rate: 9600
- Data bits: 8
- Parity: none
- Stop bits: 1
- Flow control: None

Accessing the PAN-OS CLI


To access the PAN-OS CLI:
1. Open the console connection.
2. Enter the administrative user name. The default is admin.
3. Enter the administrative password. The default is admin.
4. The PAN-OS CLI opens in Operational mode, and the CLI prompt is displayed:
username@hostname>


Understanding the PAN-OS CLI Commands


This section describes how to use the PAN-OS CLI commands and display command options:

- "Understanding the PAN-OS CLI Command Conventions" in the next section
- "Understanding Command Messages" on page 14
- "Using Operational and Configuration Modes" on page 15
- "Displaying the PAN-OS CLI Command Options" on page 15
- "Using Keyboard Shortcuts" on page 16
- "Understanding Command Option Symbols" on page 17
- "Understanding Privilege Levels" on page 18
- "Referring to Firewall Interfaces" on page 19

Understanding the PAN-OS CLI Command Conventions


The basic command prompt incorporates the user name and model of the firewall:
username@hostname>

Example:
username@hostname>

When you enter Configuration mode, the prompt changes from > to #:
username@hostname> (Operational mode)
username@hostname> configure
Entering configuration mode
[edit]
(Configuration mode)
username@hostname#

In Configuration mode, the current hierarchy context is shown by the [edit...] banner presented in square brackets when a command is issued. Refer to "Using the Edit Command" on page 26 for additional information on the edit command.

Understanding Command Messages


Messages may be displayed when you issue a command. The messages provide context information and can help in correcting invalid commands. In the following examples, the message is shown in bold.

Example: Unknown command
username@hostname# application-group
Unknown command: application-group
[edit network]
username@hostname#

Example: Changing modes


username@hostname# exit
Exiting configuration mode
username@hostname>

Example: Invalid syntax


username@hostname> debug 17
Unrecognized command
Invalid syntax.
username@hostname>

Each time you enter a command the syntax is checked. If the syntax is correct, the command is executed, and the candidate hierarchy changes are recorded. If the syntax is incorrect, an invalid syntax message is presented, as in the following example:
username@hostname# set zone application 1.1.2.2
Unrecognized command
Invalid syntax.
[edit]
username@hostname#

Using Operational and Configuration Modes


When you log in, the PAN-OS CLI opens in Operational mode. You can move between Operational and Configuration modes at any time.

To enter Configuration mode from Operational mode, use the configure command:
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#

To leave Configuration mode and return to Operational mode, use the quit or exit command:
username@hostname# quit
Exiting configuration mode
username@hostname>

To enter an Operational mode command while in Configuration mode, use the run command, as described in "run" on page 40.
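The prompt and message conventions described in the last three sections are enough to audit a captured CLI session. The following is an added example, not part of the guide: it attributes each command to Operational or Configuration mode from the `>` / `#` prompt suffix, records the last `[edit ...]` context, marks commands the CLI rejected, and reports a mode change that no configure, exit, or quit command explains (a sign of a truncated or spliced log). The transcript is constructed from the guide's sample output with a hypothetical `admin@fw01` prompt, and all function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Prompt convention from the guide: '>' = Operational mode, '#' = Configuration mode.
PROMPT_RE = re.compile(r"^(?P<user>[\w.-]+)@(?P<host>[\w.-]+)(?P<sym>[>#])\s*(?P<cmd>.*)$")
# Hierarchy banner printed in Configuration mode: [edit] or [edit network]
EDIT_RE = re.compile(r"^\[edit(?:\s+(?P<path>[^\]]+))?\]$")
# Rejection messages as they appear in the guide's examples.
REJECTED = ("Unknown command", "Unrecognized command", "Invalid syntax")


@dataclass
class Entry:
    line: int          # line number of the command in the transcript
    user: str
    mode: str          # "operational" or "configuration"
    context: str       # path from the most recent [edit ...] banner, "" at top level
    command: str
    rejected: bool = False
    output: list = field(default_factory=list)


def audit_session(transcript):
    """Return (entries, anomalies) for a captured PAN-OS CLI session."""
    entries, anomalies = [], []
    context, prev_sym, last_cmd, current = "", None, "", None
    for n, raw in enumerate(transcript.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        banner = EDIT_RE.match(line)
        if banner:
            context = banner.group("path") or ""
            continue
        prompt = PROMPT_RE.match(line)
        if not prompt:
            # Command output: attach it to the command that produced it.
            if current is not None:
                current.output.append(line)
                current.rejected = current.rejected or line.startswith(REJECTED)
            continue
        sym, cmd = prompt.group("sym"), prompt.group("cmd").strip()
        if prev_sym is not None and sym != prev_sym:
            # A mode change must follow 'configure' (to '#') or 'exit'/'quit' (to '>').
            expected = ("configure",) if sym == "#" else ("exit", "quit")
            if last_cmd not in expected:
                anomalies.append(f"line {n}: prompt changed to '{sym}' after '{last_cmd}'")
        prev_sym = sym
        if sym == ">":
            context = ""   # no hierarchy context in Operational mode
        current = None
        if cmd:
            mode = "configuration" if sym == "#" else "operational"
            current = Entry(n, prompt.group("user"), mode, context, cmd)
            entries.append(current)
            last_cmd = cmd
    return entries, anomalies


# Constructed transcript; the '#' prompt after "show system info" is a deliberate gap.
SAMPLE_SESSION = """\
admin@fw01> debug 17
Unrecognized command
Invalid syntax.
admin@fw01> configure
Entering configuration mode
[edit]
admin@fw01# set zone application 1.1.2.2
Unrecognized command
Invalid syntax.
[edit]
admin@fw01# application-group
Unknown command: application-group
[edit network]
admin@fw01# exit
Exiting configuration mode
admin@fw01> show system info
hostname: PA-HDF
model: pa-4050
admin@fw01# exit
Exiting configuration mode
admin@fw01>
"""

if __name__ == "__main__":
    found, gaps = audit_session(SAMPLE_SESSION)
    for e in found:
        flag = "REJECTED" if e.rejected else "ok"
        print(f"{e.line:>3} {e.mode:<13} [{e.context}] {e.command} -> {flag}")
    for g in gaps:
        print("anomaly:", g)
```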

Displaying the PAN-OS CLI Command Options


Use ? (or Meta-H) to display a list of command options, based on context:

To display a list of operational commands, enter ? at the command prompt.


username@hostname> ?
clear       Clear runtime parameters
configure   Manipulate software configuration information
debug       Debug and diagnose
exit        Exit this session
grep        Searches file for lines containing a pattern match
less        Examine debug file content
ping        Ping hosts and networks
quit        Exit this session
request     Make system-level requests
scp         Use ssh to copy file to another host
set         Set operational parameters
show        Show operational parameters
ssh         Start a secure shell to another host
tail        Print the last 10 lines of debug file content
telnet      Start a telnet session to another host
username@hostname>


To display the available options for a specified command, enter the command followed by ?.

Example:
admin@localhost> ping ?
username@hostname> ping
+ bypass-routing    Bypass routing table, use specified interface
+ count             Number of requests to send (1..2000000000 packets)
+ do-not-fragment   Don't fragment echo request packets (IPv4)
+ inet              Force to IPv4 destination
+ interface         Source interface (multicast, all-ones, unrouted packets)
+ interval          Delay between requests (seconds)
+ no-resolve        Don't attempt to print addresses symbolically
+ pattern           Hexadecimal fill pattern
+ record-route      Record and report packet's path (IPv4)
+ size              Size of request packets (0..65468 bytes)
+ source            Source address of echo request
+ tos               IP type-of-service value (0..255)
+ ttl               IP time-to-live value (IPv6 hop-limit value) (0..255 hops)
+ verbose           Display detailed output
+ wait              Delay after sending last packet (seconds)
<host>              Hostname or IP address of remote host
username@hostname> ping

Using Keyboard Shortcuts


The PAN-OS CLI supports a variety of keyboard shortcuts. For a complete list, refer to Appendix B, "PAN-OS CLI Keyboard Shortcuts".

Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the Esc key.

Understanding Command Option Symbols


The symbol preceding an option can provide additional information about command syntax, as described in Table 1.

Table 1. Option Symbols

Symbol   Description
*        This option is required.
>        There are additional nested options for this command.
+        There are additional command options for this command at this level.

The following example shows how these symbols are used.

Example: In the following command, the keyword from is required:
username@hostname> scp import configuration ?
+ remote-port  SSH port number on remote host
* from         Source (username@host:path)
username@hostname> scp import configuration

Example: This command output shows options designated with + and >.
username@hostname# set rulebase security rules rule1 ?
+ action              action
+ application         application
+ description         description
+ destination         destination
+ disabled            disabled
+ from                from
+ log-end             log-end
+ log-setting         log-setting
+ log-start           log-start
+ negate-destination  negate-destination
+ negate-source       negate-source
+ schedule            schedule
+ service             service
+ source              source
+ to                  to
> profiles            profiles
  <Enter>             Finish input
[edit]
username@hostname# set rulebase security rules rule1

Each option listed with + can be added to the command. The profiles keyword (with >) has additional options:
username@hostname# set rulebase security rules rule1 profiles ?
+ virus          Help string for virus
+ spyware        Help string for spyware
+ vulnerability  Help string for vulnerability
+ group          Help string for group
  <Enter>        Finish input
[edit]
username@hostname# set rulebase security rules rule1 profiles


Restricting Command Output


Some operational commands include an option to restrict the displayed output. To restrict the output, enter a pipe symbol followed by except or match and the value that is to be excluded or included:

Example: The following sample output is for the show system info command:
username@hostname> show system info
hostname: PA-HDF
ip-address: 10.1.7.10
netmask: 255.255.0.0
default-gateway: 10.1.0.1
mac-address: 00:15:E9:2E:34:33
time: Fri Aug 17 13:51:49 2007
uptime: 0 days, 23:19:23
devicename: PA-HDF
family: i386
model: pa-4050
serial: unknown
sw-version: 1.5.0.0-519
app-version: 25-150
threat-version: 0
url-filtering-version: 0
logdb-version: 1.0.8
username@hostname>

The following sample displays only the system model information:


username@hostname> show system info | match model
model: pa-4050
username@hostname>

Understanding Privilege Levels


Privilege levels determine which commands the user is permitted to execute and the information the user is permitted to view. Table 2 describes the PAN-OS CLI privilege levels.

Table 2. Privilege Levels

Level        Description
superuser    Has full access to the firewall and can define new administrator accounts and virtual systems.
superreader  Has complete read-only access to the firewall.
vsysadmin    Has full access to a selected virtual system on the firewall.
vsysreader   Has read-only access to a selected virtual system on the firewall.


Referring to Firewall Interfaces


The Ethernet interfaces are numbered from left to right and top to bottom on the firewall, as shown in Figure 1.
[Diagram of the firewall front panel. Port labels shown: ethernet1/1 and ethernet1/15 on the top row, ethernet1/2 and ethernet1/16 on the bottom row.]

Figure 1. Firewall Ethernet Interfaces


Use these names when referring to the Ethernet interfaces within the PAN-OS CLI commands, as in the following example:
username@hostname# set network interface ethernet ethernet1/4 virtual-wire


Chapter 2

Understanding CLI Command Modes


This chapter describes the modes used to interact with the PAN-OS CLI:

Understanding Configuration Mode (in the next section)
Understanding Operational Mode

Understanding Configuration Mode


When you enter Configuration mode and enter commands to configure the firewall, you are modifying the candidate configuration. The modified candidate configuration is stored in firewall memory and maintained while the firewall is running. Each configuration command involves an action, and may also include keywords, options, and values. Entering a command makes changes to the candidate configuration. This section describes Configuration mode and the configuration hierarchy:

Using Configuration Mode Commands (in the next section)
Understanding the Configuration Hierarchy
Navigating Through the Hierarchy

Using Configuration Mode Commands


Use the following commands to store and apply configuration changes (see Figure 2):

save command: Saves the candidate configuration in firewall non-volatile storage. The saved configuration is retained until overwritten by subsequent save commands. Note that this command does not make the configuration active.
commit command: Applies the candidate configuration to the firewall. A committed configuration becomes the active configuration for the device.
set command: Changes a value in the candidate configuration.
load command: Assigns the last saved configuration or a specified configuration to be the candidate configuration.


Example: Make and save a configuration change.


username@hostname# rename zone untrust to untrust1    (enter a configuration command)
[edit]
username@hostname# save config to snapshot.xml
Config saved to .snapshot.xml
[edit]
username@hostname#

Example: Make a change to the candidate configuration.


[edit]
username@hostname# set network interface vlan ip 1.1.1.4/24
[edit]
username@hostname#

Example: Make the candidate configuration active on the device.


[edit]
username@hostname# commit
[edit]
username@hostname#

Note: If you exit Configuration mode without issuing the save or commit command, your configuration changes could be lost if power is lost to the firewall.

[Diagram with three boxes (Active Configuration, Candidate Configuration, Saved Configuration) connected by arrows labeled Commit, Save, Load, and Set.]

Figure 2. Configuration Mode Command Relationship


Maintaining a candidate configuration and separating the save and commit steps confers important advantages when compared with traditional CLI architectures:

Distinguishing between the save and commit concepts allows multiple changes to be made at the same time and reduces system vulnerability. For example, if you want to remove an existing security policy and add a new one, using a traditional CLI command structure would leave the system vulnerable for the period of time between removal of the existing security policy and addition of the new one. With the PAN-OS approach, you configure the new security policy before the existing policy is removed, and then implement the new policy without leaving a window of vulnerability.

You can easily adapt commands for similar functions. For example, if you are configuring two Ethernet interfaces, each with a different IP address, you can edit the configuration for the first interface, copy the command, modify only the interface and IP address, and then apply the change to the second interface.

The command structure is always consistent. Because the candidate configuration is always unique, all the authorized changes to the candidate configuration will be consistent with each other.
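The window-of-vulnerability argument above can be checked with a small model. The following Python code is an added example, not PAN-OS code and not part of the original guide: the rule format, the top-down first-match evaluation, the trailing allow-all rule, and the rule names are assumptions made for illustration.

```python
import copy
import ipaddress


def first_match(rules, dst):
    """Action of the first rule whose destination covers dst (top-down)."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if addr in ipaddress.ip_network(rule["destination"]):
            return rule["action"]
    return "deny"  # assumption of this model: unmatched traffic is dropped


class ImmediateCli:
    """Traditional model: every command changes the running rule base."""

    def __init__(self, rules):
        self.active = copy.deepcopy(rules)
        self.history = [copy.deepcopy(rules)]  # every state traffic ever saw

    def delete(self, name):
        self.active = [r for r in self.active if r["name"] != name]
        self.history.append(copy.deepcopy(self.active))

    def insert_top(self, rule):
        self.active.insert(0, dict(rule))
        self.history.append(copy.deepcopy(self.active))


class CandidateCli:
    """Model of Figure 2: edits touch the candidate, commit activates it."""

    def __init__(self, rules):
        self.active = copy.deepcopy(rules)
        self.candidate = copy.deepcopy(rules)
        self.saved = {}
        self.history = [copy.deepcopy(rules)]

    def delete(self, name):
        self.candidate = [r for r in self.candidate if r["name"] != name]

    def insert_top(self, rule):
        self.candidate.insert(0, dict(rule))

    def save(self, filename):
        # Stored only; the running rule base is untouched.
        self.saved[filename] = copy.deepcopy(self.candidate)

    def load(self, filename):
        self.candidate = copy.deepcopy(self.saved[filename])

    def commit(self):
        # The running rule base goes from the old set to the new set in one step.
        self.active = copy.deepcopy(self.candidate)
        self.history.append(copy.deepcopy(self.active))


def exposed_states(history, dst):
    """Number of running states in which traffic to dst was allowed."""
    return sum(1 for rules in history if first_match(rules, dst) == "allow")


# Constructed sample rule base: one deny rule above a broad allow rule.
BASE_RULES = [
    {"name": "block-db", "action": "deny", "destination": "10.0.0.5/32"},
    {"name": "allow-all", "action": "allow", "destination": "0.0.0.0/0"},
]
# Constructed replacement policy that widens the deny to the whole subnet.
NEW_RULE = {"name": "block-db-subnet", "action": "deny",
            "destination": "10.0.0.0/24"}


def replace_policy(cli):
    """Remove the old policy, then add the new one (same steps on both CLIs)."""
    cli.delete("block-db")
    cli.insert_top(NEW_RULE)
    return cli


if __name__ == "__main__":
    immediate = replace_policy(ImmediateCli(BASE_RULES))
    candidate = replace_policy(CandidateCli(BASE_RULES))
    candidate.commit()
    print("immediate CLI exposed states:",
          exposed_states(immediate.history, "10.0.0.5"))
    print("candidate CLI exposed states:",
          exposed_states(candidate.history, "10.0.0.5"))
```

In the immediate model the host is reachable in the state between the delete and the insert; in the candidate model no running state ever lacks a deny rule for it.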

Understanding the Configuration Hierarchy


The configuration for the firewall is organized in a hierarchical structure. To display a segment of the current hierarchy, use the show command. Entering show displays the complete hierarchy, while entering show with keywords displays a segment of the hierarchy. For example, the following command displays the configuration hierarchy for the ethernet interface segment of the hierarchy:
username@hostname# show network interface ethernet
ethernet {
  ethernet1/1 {
    virtual-wire;
  }
  ethernet1/2 {
    virtual-wire;
  }
  ethernet1/3 {
    layer2 {
      units {
        ethernet1/3.1;
      }
    }
  }
  ethernet1/4;
}
[edit]
username@hostname#


Understanding Hierarchy Paths


When you enter a command, a path is traced through the hierarchy, as shown in Figure 3.
[Hierarchy diagram. Node labels shown, from the top: network; profiles, interface, vlan, virtual-wire, virtual-router; ethernet, loopback, aggregate-ethernet, vlan; ethernet1/1, ethernet1/2, ethernet1/3, ethernet1/4; link-duplex auto, link-state up, virtual-wire, link-speed 1000.]

Figure 3. Sample Hierarchy Segment


For example, the following command assigns the IP address/netmask 10.1.1.12/24 to the Layer 3 interface for the Ethernet port ethernet1/4:
[edit]
username@hostname# set network interface ethernet ethernet1/4 layer3 ip 10.1.1.12/24
[edit]
username@hostname#

This command generates a new element in the hierarchy, as shown in Figure 4 and in the output of the following show command:
[edit]
username@hostname# show network interface ethernet ethernet1/4
ethernet1/4 {
  layer3 {
    ip {
      10.1.1.12/24;
    }
  }
}
[edit]
username@hostname#


[Hierarchy diagram. Node labels shown, from the top: network; profiles, interface, vlan, virtual-wire, virtual-router; ethernet, loopback, aggregate-ethernet, vlan; ethernet1/1, ethernet1/2, ethernet1/3, ethernet1/4; ip; 10.1.1.12/24.]

Figure 4. Sample Hierarchy Segment
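The correspondence between the brace-style show output and hierarchy paths can be made concrete with a parser. The following Python code is an added example, not part of the original guide or of PAN-OS: it parses the output format seen in the samples above, flattens it into paths written like the arguments of the set command, and reports which paths a change added or removed. The function names and the combined AFTER text are assumptions made for illustration.

```python
import re

# Brace-style text as printed by the first `show` example in this section.
BEFORE = """
ethernet {
  ethernet1/1 { virtual-wire; }
  ethernet1/2 { virtual-wire; }
  ethernet1/3 { layer2 { units { ethernet1/3.1; } } }
  ethernet1/4;
}
"""
# Constructed: BEFORE with the ethernet1/4 subtree from the second `show` output.
AFTER = BEFORE.replace(
    "ethernet1/4;", "ethernet1/4 { layer3 { ip { 10.1.1.12/24; } } }")

PUNCT = set("{}[];")
TOKEN = re.compile(r"[{}\[\];]|[^\s{}\[\];]+")


def parse_hierarchy(text):
    """Parse brace-style output into nested dicts.

    A block maps to a dict, a bare leaf (`ethernet1/4;`) to None, and a leaf
    with a value to a string or, for `[ a b ]`, a list of strings.
    """
    tokens = TOKEN.findall(text)
    pos = 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("input ended inside a node")
        tok = tokens[pos]
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        pos += 1
        return tok

    def parse_block(closing):
        block = {}
        while pos < len(tokens) and tokens[pos] != closing:
            name = take()
            if name in PUNCT:
                raise ValueError(f"unexpected {name!r}")
            block[name] = parse_value()
        if closing is not None:
            take(closing)  # fails if the closing brace is missing
        return block

    def parse_value():
        tok = take()
        if tok == "{":
            return parse_block("}")
        if tok == ";":
            return None
        if tok == "[":
            value = []
            while (item := take()) != "]":
                if item in PUNCT:
                    raise ValueError(f"unexpected {item!r} inside [ ]")
                value.append(item)
        elif tok in PUNCT:
            raise ValueError(f"unexpected {tok!r}")
        else:
            value = tok
        take(";")
        return value

    return parse_block(None)


def flatten(tree, prefix=()):
    """Return one hierarchy path (tuple of words) per leaf of the tree."""
    paths = []
    for name, value in tree.items():
        path = prefix + (name,)
        if isinstance(value, dict) and value:
            paths.extend(flatten(value, path))
        elif isinstance(value, list):
            paths.append(path + ("[ " + " ".join(value) + " ]",))
        elif isinstance(value, str):
            paths.append(path + (value,))
        else:  # bare leaf or empty block
            paths.append(path)
    return paths


def diff_paths(before, after, context=("network", "interface")):
    """Paths added and removed between two outputs taken at `context`."""
    old = {" ".join(p) for p in flatten(parse_hierarchy(before), context)}
    new = {" ".join(p) for p in flatten(parse_hierarchy(after), context)}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    added, removed = diff_paths(BEFORE, AFTER)
    print("added:  ", added)
    print("removed:", removed)
```

The added path has the same words as the arguments of the set command shown above, which makes the output usable for reviewing what a candidate configuration changes before it is committed.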

Navigating Through the Hierarchy


The [edit...] banner presented below the Configure mode command prompt line shows the current hierarchy context. For example, the banner
[edit]

indicates that the relative context is the top level of the hierarchy, whereas
[edit network profiles]

indicates that the relative context is at the network profiles node. Use the commands listed in Table 3 to navigate through the configuration hierarchy.

Table 3. Navigation Commands

Command  Description
edit     Sets the context for configuration within the command hierarchy.
up       Changes the context to the next higher level in the hierarchy.
top      Changes the context to the highest level in the hierarchy.


Using the Edit Command


Use the edit command to change context to lower levels of the hierarchy, as in the following examples:

Move from the top level to a lower level:


[edit]                            (top level)
username@hostname# edit network
[edit network]
username@hostname#                (now at the network level)
[edit network]

Move from one level to a lower level:


[edit network]                    (network level)
username@hostname# edit interface
[edit network interface]
admin@abce#                       (now at the network interface level)

Using the Up and Top Commands


Use the up and top commands to move to higher levels in the hierarchy:

up: changes the context to one level up in the hierarchy. Example:

[edit network interface]          (network level)
admin@abce# up
[edit network]
username@hostname#                (now at the network level)

top: changes context to the top level of the hierarchy. Example:

[edit network interface vlan]     (network vlan level)
username@hostname# top
[edit]
username@hostname#                (now at network vlan level)

Note: The set command issued after using the up and top commands starts from the new context.


Understanding Operational Mode


When you first log in, the PAN-OS CLI opens in Operational mode. Operational mode commands involve actions that are executed immediately. They do not involve changes to the configuration, and do not need to be saved or committed. Operational mode commands are of several types:

Network access: Open a window to another host. Includes ssh and telnet commands.
Monitoring and troubleshooting: Perform diagnosis and analysis. Includes debug and ping commands.
Display commands: Display or clear current information. Includes clear and show commands.
PAN-OS CLI navigation commands: Enter Configure mode or exit the PAN-OS CLI. Includes configure, exit, and quit commands.
System commands: Make system-level requests or restart. Includes set and request commands.


Chapter 3

Configuration Mode Commands


This chapter contains command reference pages for the following Configuration mode command types:

check, commit, copy, delete, edit, exit, load, move, quit, rename, run, save, set, show, top, up

check
Check configuration status.

Syntax
check option

Options
data-access-passwd  Check data access authentication status for this session.
pending-changes     Check for uncommitted changes.

Sample Output
The following command shows that there are currently no uncommitted changes.
username@hostname# check pending-changes
no
[edit]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin

commit
Make the current candidate configuration the active configuration on the firewall.

Syntax
commit

Options
None

Sample Output
The following command makes the current candidate configuration the active configuration.
# commit

Required Privilege Level


superuser, vsysadmin, deviceadmin

copy
Make a copy of a node in the hierarchy along with its children, and add the copy to the same hierarchy level.

Syntax
copy [node1] to [node2]

Options
node1  Specifies the node to be copied.
node2  Specifies the name of the copy.

Sample Output
The following command, executed from the rule base security level of the hierarchy, makes a copy of rule1, called rule2.
[edit rulebase security]
username@hostname# copy rules rule1 to rule2
[edit rulebase security]
username@hostname#

The following command shows the location of the new rule in the hierarchy.
[edit rulebase security]
username@hostname# show
security {
  rules {
    rule1 {
      source [ any 1.1.1.1/32 ];
      destination 1.1.1.2/32;
    }
    rule2 {
      source [ any 1.1.1.1/32 ];
      destination 1.1.1.2/32;
    }
  }
}

Required Privilege Level


superuser, vsysadmin, deviceadmin

delete
Remove a node from the candidate configuration along with all its children.

Note: No confirmation is requested when this command is entered.

Syntax
delete [node]

Options
node  Specifies the hierarchy node to delete.

Sample Output
The following command deletes the application myapp from the candidate configuration.
username@hostname# delete application myapp
[edit]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin

edit
Change context to a lower level in the configuration hierarchy.

Syntax
edit [context]

Options
context  Specifies a path through the hierarchy.

Sample Output
The following command changes context from the top level to the network profiles level of the hierarchy.
[edit]
username@hostname# edit rulebase
[edit rulebase]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin

exit
Exit from the current PAN-OS CLI level.

From Operational mode: Exits the PAN-OS CLI.
From Configuration mode, top hierarchy level: Exits Configuration mode, returning to Operational mode.
From Configuration mode, lower hierarchy levels: Changes context to one level up in the hierarchy. Provides the same result as the up command.

Note: The exit command is the same as the quit command.

Syntax
exit

Options
None

Sample Output
The following command changes context from the network interface level to the network level.
[edit network interface]
username@hostname# exit
[edit network]
username@hostname#

The following command changes from Configuration mode to Operational mode.


[edit]
username@hostname# exit
Exiting configuration mode
username@hostname>

Required Privilege Level


All

load
Assigns the last saved configuration or a specified configuration to be the candidate configuration.

Syntax
load config [from filename]

Options
filename Specifies the filename from which the configuration will be loaded.

Sample Output
The following command assigns output.xml to be the candidate configuration.
[edit]
username@hostname# load config from output.xml
command succeeded
[edit]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin

move
Relocate a node in the hierarchy along with its children to be at another location at the same hierarchy level.

Syntax
move element [bottom | top | after element | before element]

Options
element            Specifies the items to be moved.
element placement  Specifies the new location of the element:
                     Option  Description
                     bottom  Makes the element the last entry of the hierarchy level.
                     top     Makes the element the first entry of the hierarchy level.
                     after   Moves element to be after element2.
                     before  Moves element to be before element2.
element2           Indicates the element after or before which element1 will be placed.

Sample Output
The following command moves the security rule rule1 to the top of the rule base.
username@hostname# move rulebase security rules rule1 top
[edit]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin

quit
Exit from the current PAN-OS CLI level.

From Operational mode: Exits the PAN-OS CLI.
From Configuration mode, top hierarchy level: Exits Configuration mode, returning to Operational mode.
From Configuration mode, lower hierarchy levels: Changes context to one level up in the hierarchy. Provides the same result as the up command.

Note: The exit and quit commands are interchangeable.

Syntax
quit

Options
None

Sample Output
The following command changes context from the network interface level to the network level.
[edit log-settings]
username@hostname# quit
[edit]
username@hostname#

The following command changes from Configuration mode to Operational mode.


[edit]
username@hostname# quit
Exiting configuration mode
username@hostname>

Required Privilege Level


All

rename
Change the name of a node in the hierarchy.

Syntax
rename [node1] to [node2]

Options
node1  Indicates the original node name.
node2  Indicates the new node name.

Sample Output
The following command changes the name of a node in the hierarchy from 1.1.1.1/24 to 1.1.1.2/24.
username@hostname# rename network interface vlan ip 1.1.1.1/24 to 1.1.1.2/24

Required Privilege Level


superuser, vsysadmin, deviceadmin

run
Execute an Operational mode command while in Configuration mode.

Syntax
run [command]

Options
command Specifies an Operational mode command.

Sample Output
The following command executes a ping command to the IP address 1.1.1.2 from Configuration mode.
username@hostname# run ping 1.1.1.2
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
...
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin

save
Saves a snapshot of the firewall configuration.

Note: This command saves the configuration on the firewall, but does not make the configuration active. Use the commit command to make the current candidate configuration active.

Syntax
save config [to filename]

Options
filename Specifies the filename to store the configuration. The filename cannot include a hyphen (-).

Sample Output
The following command saves a copy of the configuration to the file savefile.
[edit]
username@hostname# save config to savefile
Config saved to savefile
[edit]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin

set
Changes a value in the candidate configuration. Changes are retained while the firewall is powered until overwritten.

Note: To save the candidate configuration in non-volatile storage, use the save command. To make the candidate configuration active, use the commit command.

Syntax
set [context]

Options
context  Specifies a path through the hierarchy.

Sample Output
The following command assigns the ethernet1/4 interface to be a virtual wire interface.
[edit]
username@hostname# set network interface ethernet ethernet1/1 virtual-wire
[edit]
username@hostname#

The following command sets the VLAN IP address to 1.1.1.4/32 from the network interface vlan level of the hierarchy.
[edit network interface vlan]
username@hostname# set ip 1.1.1.4/32
[edit network interface vlan]
username@hostname#

The following command locks an administrative user out for 15 minutes after 5 failed login attempts.
username@hostname# set deviceconfig setting management admin-lockout 5 lockout-time 15

Required Privilege Level


superuser, vsysadmin, deviceadmin

show
Display information about the current candidate configuration.

Syntax
show [context]

Options
context Specifies a path through the hierarchy.

Sample Output
The following command shows the full candidate hierarchy.
username@hostname# show

The following commands can be used to display the hierarchy segment for network interface.

Specify context on the command line:


show network interface

Use the edit command to move to the level of the hierarchy, and then use the show command without specifying context:
edit network interface
[edit network interface]
show

Required Privilege Level


superuser, vsysadmin, deviceadmin

top
Change context to the top hierarchy level.

Syntax
top

Options
None

Sample Output
The following command changes context from the network level of the hierarchy to the top level.
[edit network]
username@hostname# top
[edit]
username@hostname#

Required Privilege Level


All

up
Change context to the next higher hierarchy level.

Syntax
up

Options
None

Sample Output
The following command changes context from the network interface level of the hierarchy to the network level.
[edit network interface]
username@hostname# up
[edit network]
username@hostname#

Required Privilege Level


All


Chapter 4

Operational Mode Commands


This chapter contains command reference pages for the following operational mode commands:

clear, configure
debug captive-portal, debug cli, debug cpld, debug dataplane, debug device-server, debug dhcpd, debug high-availability-agent, debug ike, debug keymgr, debug log-receiver, debug management-server, debug master-service, debug rasmgr, debug routing, debug software, debug swm, debug tac-login, debug vardata-receiver
delete, exit, grep, less, netstat, ping, quit
request certificate, request comfort-page, request content, request data-filtering, request device-registration, request high-availability, request license, request password-hash, request restart, request ssl-output-text, request ssl-vpn, request support, request system, request tech-support, request url-filtering, request vpn-client
scp
set application, set cli, set clock, set ctd, set data-access-password, set logging, set management-server, set multi-vsys, set panorama, set password, set proxy, set serial-number, set session, set shared-policy, set ssl-vpn, set target-vsys, set ts-agent, set url-database, set zip
show admins, show arp, show authentication, show chassis-ready, show cli, show clock, show config, show counter, show ctd, show device, show device-messages, show devicegroups, show dhcp, show high-availability, show interface, show jobs, show local-user-db, show location, show log, show logging, show mac, show management-clients, show multi-vsys, show pan-agent, show pan-ntlm-agent, show proxy, show query, show report, show routing, show session, show ssl-vpn, show statistics, show system, show target-vsys, show threat, show ts-agent, show url-database, show virtual-wire, show vlan, show vpn, show zip, show zone-protection
ssh, tail, telnet, test, tftp, traceroute, view-pcap

clear
Reset information, counters, sessions, or statistics.

Syntax
clear application-signature statistics
clear arp <all | interfacename>
clear counter <all | global | interface>
clear dhcp lease <all | interface name interfacename [ip ipaddr]>
clear high-availability control-link statistics
clear job jobid
clear log type
clear mac <value | all>
clear query <all-by-session | id queryid>
clear report <all-by-session | id reportid>
clear session <id sessionid | all [filter rule]>
clear statistics
clear vpn <flow [tunnel-id tunnelid] | ike-sa [gateway gatewayid] | ipsec-sa [tunnel tunnelid]>

Options
application-signature statistics  Clears application-signature statistics.
arp         Clears Address Resolution Protocol (ARP) information for a specified interface, loopback, or VLAN, or all.
counter     Clears interface counters. Specify all counters, global counters, or interface counters.
dhcp lease  Clears DHCP leases. Specify all or specify an interface and optional IP address.
job         Clears download jobs. Specify the job id.
log         Remove log files from disk. Specify the log type: acc, config, system, threat, or traffic.
mac         Clears MAC address information for a specified VLAN or all addresses.
session     Clears a specified session or all sessions. Refer to show session for a description of the filter options when clearing all sessions.
statistics  Clears all statistics.
vpn         Clears IKE or IPSec VPN run-time objects:
              flow      Clears the VPN tunnel on the data plane. Specify the tunnel or press Enter to apply to all tunnels.
              ike-sa    Removes the active IKE SA and stops all ongoing key negotiations. Specify the gateway or press Enter to apply to all gateways.
              ipsec-sa  Deactivate the IPsec SA for a tunnel or all tunnels. Specify the tunnel or press Enter to apply to all tunnels.

Sample Output
The following command clears the session with ID 2245.
username@hostname> clear session id 2245
Session 2245 cleared
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

configure
Enter Configuration mode.

Syntax
configure

Options
None

Sample Output
To enter Configuration mode from Operational mode, enter the following command.
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#

Required Privilege Level


superuser, vsysadmin, deviceadmin

debug captive-portal
Define settings for debugging the captive portal daemon.

Syntax
debug captive-portal option

Options
show  Shows whether this command is on or off.
off   Turns the debugging option off.
on    Turns the debugging option on.

Sample Output
The following command turns the debugging option on.
admin@PA-HDF> debug captive-portal on
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug cli
Define settings and display information for debugging the CLI connection.

Syntax
debug cli option

Options
detail  Shows detailed information about the CLI connection.
show    Shows whether this command is on or off.
off     Turns the debugging option off.
on      Turns the debugging option on.

Sample Output
The following command shows details of the CLI connection.
admin@PA-HDF> debug cli detail
Environment variables :
(USER . admin)
(LOGNAME . admin)
(HOME . /home/admin)
(PATH . /usr/local/bin:/bin:/usr/bin)
(MAIL . /var/mail/admin)
(SHELL . /bin/bash)
(SSH_CLIENT . 10.31.1.104 1109 22)
(SSH_CONNECTION . 10.31.1.104 1109 10.1.7.2 22)
(SSH_TTY . /dev/pts/0)
(TERM . vt100)
(LINES . 24)
(COLUMNS . 80)
(PAN_BASE_DIR . /opt/pancfg/mgmt)
PAN_BUILD_TYPE : DEVELOPMENT

Total Heap : 7.00 M
Used       : 5.51 M
Nursery    : 0.12 M
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug cpld
Debug the complex programmable logic device (CPLD).

Syntax
debug cpld

Options
None

Sample Output
N/A

Required Privilege Level


superuser, vsysadmin

debug dataplane
Configure settings for debugging the data plane.

Syntax
debug dataplane option

Options
The available sub-options depend on the specified option.
clear           Clear all dataplane debug logs.
device          Debug dataplane hardware component.
drop-filter     Define a filter to capture dropped packets.
filter          Determine the packets to capture or send to a debug log file.
fpga            Debug the field programmable gate array (FPGA).
get             Show current dataplane debug settings.
internal        Debug the dataplane internal state.
memory          Examine dataplane memory.
mode            Control dataplane debug logging mode.
off             Turn off dataplane debug logging.
on              Turn on dataplane debug logging.
pool            Debug buffer pools, including checks of hardware and software utilization and buffer pool statistics.
pow             Debug packet scheduling engine.
process         Debug the dataplane process for the high-availability agent (ha-agent) and management plane relay agent (mprelay).
reset           Reset settings for debugging the data plane.
set             Specify parameters for dataplane debugging.
show            Show dataplane running information.
task-heartbeat  Debug dataplane task heartbeat.
unset           Clear the previously-set parameters for dataplane debugging.


Sample Output
The following command shows the statistics for the dataplane buffer pools.
admin@PA-HDF> debug dataplane pool statistics

The following command turns dataplane filtering on and sets filter parameters.
admin@PA-HDF> debug dataplane filter on
admin@PA-HDF> debug dataplane filter set source 10.1 11.2.3 file abc.pcap

Required Privilege Level


superuser, vsysadmin

debug device-server
Configure settings for debugging the device server.

Syntax
debug device-server option

Options
clear    Clear all debug logs.
dump     Dump the debug data.
off      Turn off debug logging.
on       Turn on debug logging.
refresh  Refresh the user-group data.
reset    Clear logging data.
set      Set debugging values.
show     Display current debug log settings.
test     Test the current settings.
uset     Remove current settings.

Sample Output
The following command turns off debug logging for the device server.
admin@PA-HDF> debug device-server off
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug dhcpd
Configure settings for debugging the Dynamic Host Configuration Protocol (DHCP) daemon.

Syntax
debug dhcpd option

Options
global   Define settings for the global DHCP daemon.
pcap     Define settings for debugging packet capture.

Sample Output
The following command shows current global DHCP daemon settings.
admin@PA-HDF> debug dhcpd global show
sw.dhcpd.runtime.debug.level: debug
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug high-availability-agent
Configure settings for debugging the high availability agent.

Syntax
debug high-availability-agent option

Options
clear           Clear the debug logs.
internal-dump   Dump the internal state of the agent to its log.
model-check     Turn model checking with the peer on or off.
off             Turns the debugging option off.
on              Turns the debugging option on.
show            Shows whether this command is on or off.

Sample Output
The following command turns model checking on for the high availability agent.
admin@PA-HDF> debug high-availability-agent model-check on
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug ike
Configure settings for debugging the Internet Key Exchange (IKE) daemon.

Syntax
debug ike option

Options
global   Configure global settings.
pcap     Configure packet capture settings.
socket   Configure socket settings.
stat     Show IKE daemon statistics.

Sample Output
The following command turns on the global options for debugging the IKE daemon.
admin@PA-HDF> debug ike global on
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug keymgr
Configure settings for debugging the key manager daemon.

Syntax
debug keymgr option

Options
list-sa   Lists the IPSec security associations (SAs) that are stored in the key manager daemon.
off       Turn the settings off.
on        Turn the settings on.
show      Show key manager daemon information.

Sample Output
The following command shows the current information on the key manager daemon.
admin@PA-HDF> debug keymgr show
sw.keymgr.debug.global: normal
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug log-receiver
Configure settings for debugging the log receiver daemon.

Syntax
debug log-receiver option

Options
off          Turns the debugging option off.
on           Turns the debugging option on.
show         Shows whether this command is on or off.
statistics   Show log receiver daemon statistics.

Sample Output
The following command turns log receiver debugging on.
admin@PA-HDF> debug log-receiver on
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug management-server
Configure settings for debugging the management server.

Syntax
debug management-server option

Options
clear           Clear all debug logs.
client          Debug the management server client.
off             Turn debugging off.
on              Turn debugging on.
phased-commit   Set experimental mode for committing in phases.
show            Show management server debug statistics.

Sample Output
The following example turns management server debugging on.
admin@PA-HDF> debug management-server on
(null)
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug master-service
Configure settings for debugging the master service.

Syntax
debug master-service option

Options
clear           Clear all debug logs.
internal-dump   Dump the internal state of the server to the log.
off             Turn debugging off.
on              Turn debugging on.
show            Show debug settings.

Sample Output
The following command dumps the internal state of the master server to the log.
admin@PA-HDF> debug master-service internal-dump
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug rasmgr
Configure settings for debugging the remote access service daemon.

Syntax
debug rasmgr option

Options
show   Show whether this command is on or off.
off    Turn the debugging option off.
on     Turn the debugging option on.

Sample Output
The following command shows the debug settings for the remote access service daemon.
admin@PA-HDF> debug rasmgr show
sw.rasmgr.debug.global: normal
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug routing
Configure settings for debugging the route daemon.

Syntax
debug routing option

Options
fib        Turn on debugging for the forwarding table.
global     Turn on global debugging.
list-mib   Show the routing list with management information base (MIB) names.
mib        Show the MIB tables.
pcap       Show packet capture data.
socket     Show socket data.

Sample Output
The following command displays the MIB tables for routing.
admin@PA-HDF> debug routing list-mib
i3EmuTable (1 entries)
==========================
sckTable (0 entries)
sckSimInterfaceTable (0 entries)
sckEiTable (0 entries)
sckEaTable (0 entries)
i3Table (0 entries)
i3EiTable (0 entries)
i3EaTable (0 entries)
i3EtTable (0 entries)
i3EmTable (0 entries)
dcSMLocationTable (0 entries)
dcSMHMTestActionObjects (0 entries)
siNode (0 entries)
siOSFailures (0 entries)
siTraceControl (0 entries)
siExecAction (0 entries)
...
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug software
Restart software processes to aid debugging.

Syntax
debug software restart option

Options
device-server       Restart the device server.
management-server   Restart the management server.
web-server          Restart the web server.

Sample Output
The following command restarts the web server.
admin@PA-HDF> debug software restart web-server
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug swm
Configure settings for debugging the Palo Alto Networks software manager.

Syntax
debug swm option

Options
command   Run a software manager command.
history   Show the history of software installation operations.
list      List software versions that are available for installation.
refresh   Revert back to the last successfully installed content.
revert    Revert back to the last successfully installed software.
status    Show the status of the software manager.
unlock    Unlock the software manager.

Sample Output
The following command shows the list of available software versions.
admin@PA-HDF> debug swm list
3.0.0-c4.dev
3.0.0-c1.dev_base
2.0.0-c207
2.0.0-c206
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug tac-login
Configure settings for debugging the Palo Alto Networks Technical Assistance Center (TAC) connection.

Syntax
debug tac-login option

Options
enable                Enable TAC login.
disable               Disable TAC login.
permanently-disable   Turn off TAC login debugging permanently.

Sample Output
The following command turns TAC login debugging on.
admin@PA-HDF> debug tac-login on
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

debug vardata-receiver
Configure settings for debugging the variable data daemon.

Syntax
debug vardata-receiver option

Options
off          Turns the debugging option off.
on           Turns the debugging option on.
show         Shows whether this command is on or off.
statistics   Show log receiver daemon statistics.

Sample Output
The following command shows statistics for the variable data daemon.
admin@PA-HDF> debug vardata-receiver statistics
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin

delete
Remove files from disk or restore default comfort pages, which are presented when files or URLs are blocked.

Syntax
delete item

Options
item   Specifies the type of file to be deleted.

Option                                          Description
captive-portal-text                             Text included in a captive portal.
config saved filename                           Saved configuration file.
content update filename                         Content updates.
core <control-plane | dataplan> file filename   Control or data plane cores.
data-capture directoryname                      Data capture files.
debug-filter file filename                      Debugging packet capture files on disk.
file-block-page                                 Page presented to users when files are blocked. Restores default page.
inbound-key filename                            SSL inbound proxy keys on disk.
license key filename                            License key file.
logo                                            Custom logo file.
pcap file filename                              Packet capture files.
policy-cache                                    Cached policy compilations.
report <custom | predefined | summary> file-name filename report-name report
                                                Specified report with file name and report name.
root-certificate file filename                  Root certificates.
software image imagename version versionname    Software image.
spyware-block-page                              Page presented to users when web pages are blocked due to spyware. Restores default page.
ssl-optout-text                                 Page presented to users when a web session is to be decrypted. Restores default page.
threat-pcap directory directoryname             Threat packet capture files in a specified directory.
unknown-pcap directory directoryname            Packet capture files for unknown sessions.
url-block-page                                  Page presented to users when web pages are blocked. Restores default page.
url-coach-text                                  Page presented to users. Restores default page.
user-file ssh-known-hosts                       SSH known hosts file.
virus-block-page                                Page presented to users when web pages are blocked. Restores default page.

Sample Output
The following command deletes the custom page presented to users when web pages are blocked due to spyware.
username@hostname> delete spyware-block-page
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

exit
Exit the PAN-OS CLI. Note: The exit command is the same as the quit command.

Syntax
exit

Options
None

Sample Output
N/A

Required Privilege Level


All

grep
Find and list lines from log files that match a specified pattern.

Syntax
grep [after-context number] [before-context number] [context number] [count] [ignore-case] [invert-match] [line-number] [max-count] [no-filename] [with-filename] pattern file

Options
after-context    Prints the matching lines plus the specified number of lines that follow the matching lines.
before-context   Prints the matching lines plus the specified number of lines that precede the matching lines.
context          Prints the specified number of lines in the file for output context.
count            Prints a count of matching files for each input file.
ignore-case      Ignores case distinctions.
invert-match     Selects non-matching lines instead of matching lines.
line-number      Adds the line number at the beginning of each line of output.
max-count        Stops reading a file after the specified number of matching lines.
no-filename      Does not add the filename prefix for output.
with-filename    Prints the file name for each match.
pattern          Indicates the string to be matched.
file             Indicates the log file to be searched.

Sample Output
The following command searches the ms.log file for occurrences of the string id:admin.
username@hostname> grep id:admin /var/log/pan/ms.log
username@hostname>

Required Privilege Level


All

less
List the contents of the specified log file.

Syntax
less type file

Options
type   Indicates the type of log file to be searched:
       custom-page
       dp-backtrace
       dp-log
       mp-backtrace
       mp-log
       webserver-log
file   Indicates the log file to be searched.

Sample Output
The following command lists the contents of the web server error log.
username@hostname> less webserver-log error.log
default:2 main Configuration for Mbedthis Appweb
default:2 main -------------------------------------------
default:2 main Host: pan-mgmt2
default:2 main CPU: i686
default:2 main OS: LINUX
default:2 main Distribution: unknown Unknown
default:2 main OS: LINUX
default:2 main Version: 2.4.0.0
default:2 main BuildType: RELEASE
default:2 main Started at: Mon Mar 2 12
...

Required Privilege Level


All

netstat
Displays packet capture file content.

Syntax
netstat type <no | yes>

Options
type       Indicates the packet capture file type:
           all             Display all sockets (default: connected).
           cache           Display routing cache instead of Forwarding Information Base (FIB).
           continuous      Continuous listing.
           extend          Display other/more information.
           fib             Display FIB (default).
           groups          Display multicast group memberships.
           interfaces      Display interface table.
           listening       Display listening server sockets.
           numeric         Do not resolve names.
           numeric-hosts   Do not resolve host names.
           numeric-ports   Do not resolve port names.
           numeric-users   Do not resolve user names.
           programs        Display PID/Program name for sockets.
           route           Display routing table.
           statistics      Display networking statistics (like SNMP).
           symbolic        Resolve hardware names.
           timers          Display timers.
           verbose         Display full details.
no | yes   Indicates whether the specified option is included in the output.

Sample Output
The following command shows an excerpt from the output of the netstat command.
username@hostname> netstat all yes
...
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags     Type     State       I-Node  Path
unix  2      [ ACC ]   STREAM   LISTENING   5366    /tmp/ssh-lClRtS1936/agent.1936
unix  2      [ ]       DGRAM                959     @/org/kernel/udev/udevd
unix  18     [ ]       DGRAM                4465    /dev/log
...

Required Privilege Level


All

ping
Check network connectivity to a host.

Syntax
ping [bypass-routing] [count] [do-not-fragment] [inet] [no-resolve] [pattern] [size] [source] [tos] [ttl] host

Options
bypass-routing    Sends the ping request directly to the host on a direct attached network, bypassing usual routing table.
count             Specifies the number of ping requests to be sent.
do-not-fragment   Prevents packet fragmentation by use of the do-not-fragment bit in the packet's IP header.
inet              Specifies that the ping packets will use IP version 4.
interval          Specifies how often the ping packets are sent (0 to 2000000000 seconds).
no-resolve        Provides IP address only without resolving to hostnames.
pattern           Specifies a custom string to include in the ping request. You can specify up to 12 padding bytes to fill out the packet that is sent as an aid in diagnosing data-dependent problems.
size              Specifies the size of the ping packets.
source            Specifies the source IP address for the ping command.
tos               Specifies the type of service (TOS) treatment for the packets by way of the TOS bit for the IP header in the ping packet.
ttl               Specifies the time-to-live (TTL) value for the ping packet (IPv6 hop-limit value) (0-255 hops).
verbose           Requests complete details of the ping request.
host              Specifies the host name or IP address of the remote host.

Sample Output
The following command checks network connectivity to the host 66.102.7.104, specifying 4 ping packets and complete details of the transmission.
username@hostname> ping count 4 verbose 66.102.7.104
PING 66.102.7.104 (66.102.7.104) 56(84) bytes of data.
64 bytes from 66.102.7.104: icmp_seq=0 ttl=243 time=316 ms
64 bytes from 66.102.7.104: icmp_seq=1 ttl=243 time=476 ms
64 bytes from 66.102.7.104: icmp_seq=2 ttl=243 time=376 ms
64 bytes from 66.102.7.104: icmp_seq=3 ttl=243 time=201 ms

--- 66.102.7.104 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 201.718/342.816/476.595/99.521 ms, pipe 2
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

quit
Exit the current session for the firewall. Note: The quit command is the same as the exit command.

Syntax
quit

Options
None

Sample Output
N/A

Required Privilege Level


All

request certificate
Generate a self-signed security certificate.

Syntax
request certificate [install for-use-by purpose | self-signed option for-use-by purpose]

Options
install       Installs the generated certificate.
self-signed   Generates the self-signed certificate.
option        Specifies information to include in the certificate. Multiple options are supported.
              country-code        Two-character code for the country in which the certificate will be used.
              email               Email address of the contact person.
              locality            City, campus, or other local area.
              nbits value         Number of bits in the certificate (512 or 1024).
              organization        Organization using the certificate.
              organization unit   Department using the certificate.
              state               Two-character code for the state or province in which the certificate will be used.
              name                IP address or fully qualified domain name (FQDN) to appear on the certificate.
              passphrase          Passphrase for encrypting the private key.
purpose       Requests the certificate for the specified purpose.
              panorama-server     Panorama server machine (used by Panorama to communicate with managed devices).
              web-interface       Embedded web interface.

Sample Output
The following command requests a self-signed certificate for the web interface with length 1024 and IP address 1.1.1.1.
username@hostname> request certificate self-signed nbits 1024 name 1.1.1.1 for-use-by web-interface

Required Privilege Level


superuser, vsysadmin, deviceadmin

request comfort-page
Installs a user-defined comfort page.

Syntax
request comfort-page install option

Options
option   Specifies the type of file to export to the other host.

Option                   Description
application-block-page   Application packet capture file.
file-block-page          File containing comfort pages to be presented when files are blocked.
spyware-block-page       Comfort page to be presented when files are blocked due to spyware.
url-block-page           Comfort page to be presented when files are blocked due to a blocked URL.
virus-block-page         Comfort page to be presented when files are blocked due to a virus.

Sample Output
The following command installs an application block page.
username@hostname> request comfort-page install application-block-page
Shared application-block-page installed successfully!
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request content
Perform application level upgrade operations.

Syntax
request content upgrade [check | download latest | info | install latest]

Options
check             Obtain information from the Palo Alto Networks server.
download latest   Download application identification packages.
info              Show information about the available application ID packages.
install latest    Install application identification packages.

Sample Output
The following command lists information about the firewall server software.
username@hostname> request content upgrade check
Version   Size   Released on           Downloaded
-------------------------------------------------------------------------
13-25     10MB   2007/04/19 15:25:02   yes
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request data-filtering
Assign passwords for data filtering.

Syntax
request data-filtering access-password option

Options
option   Specifies one of the following options.

Option                                           Description
create password pword                            Creates the specified password.
modify old-password oldpwd new-password newpwd   Changes the specified old password to the new password.
delete                                           Deletes the data filtering password. When this command is issued, the system prompts for confirmation and warns that logged data will be deleted and logging will be stopped.

Sample Output
The following command assigns the specified password for data filtering.
username@hostname> request data-filtering access-password create password mypwd
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request device-registration
Perform device registration.

Syntax
request device-registration username user password pwd

Options
username user   Specify the user name for device access.
password pwd    Specify the password for device access.

Sample Output
The following command registers the device with the specified user name and password.
username@hostname> request device-registration username admin password adminpwd
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request high-availability
Perform high-availability operations.

Syntax
request high-availability option

Options
option   Specifies one of the following options.

Option                           Description
clear-alarm-led                  Clears the high-availability alarm LED.
state <functional | suspended>   Changes the state to operational (functional) or suspended.
sync-to-remote option            Performs synchronization operations:
                                 candidate-config   Synchronize the candidate configuration to peer.
                                 clock              Synchronize the local time and date to the peer.
                                 disk-state         Synchronize required on-disk state to peer.
                                 running-config     Synchronize the running configuration to peer.
                                 runtime-state      Synchronize the runtime synchronization state to peer.

Sample Output
The following command sets the high-availability state of the device to the suspended state.
username@hostname> request high-availability state suspend
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request license
Perform license-related operations.

Syntax
request license [fetch [auth-code] | info | install]

Options
fetch     Gets a new license key using an authentication code.
info      Displays information about currently owned licenses.
install   Installs a license key.

Sample Output
The following command requests a new license key with the authentication code 123456.
username@hostname> request license fetch auth-code 123456
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request password-hash
Generate a hashed string for the user password.

Syntax
request password-hash password pwd

Options
pwd   Specify the clear text password that requires the hash string.

Sample Output
The following command generates a hash of the specified password.
username@hostname> request password-hash password mypassword
$1$flhvdype$qupuRAx4SWWuZcjhxn0ED.

Required Privilege Level


superuser, vsysadmin, deviceadmin
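
The hash in the sample output above begins with $1$, the crypt(3) identifier for MD5-crypt. The following added example (not part of the original guide and not PAN-OS code) parses such modular crypt strings and flags weak or malformed ones; the function names, account names and inventory are hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hash printed in this page's "request password-hash" sample output.
PAGE_SAMPLE = "$1$flhvdype$qupuRAx4SWWuZcjhxn0ED."

# crypt(3) scheme id -> (name, max salt length, digest length, still acceptable)
SCHEMES = {
    "1": ("md5-crypt", 8, 22, False),
    "5": ("sha256-crypt", 16, 43, True),
    "6": ("sha512-crypt", 16, 86, True),
}
B64 = "./0-9A-Za-z"          # alphabet conventionally used for salt and digest
DEFAULT_SHA_ROUNDS = 5000    # sha-crypt default when no rounds= field is present


class MalformedHash(ValueError):
    """Raised when a string is not a well-formed modular crypt hash."""


@dataclass(frozen=True)
class HashInfo:
    scheme: str
    salt: str
    digest: str
    rounds: Optional[int]
    weak: bool
    reason: str


def parse_mcf(value: str) -> HashInfo:
    """Split '$id$[rounds=N$]salt$digest' and validate each field."""
    fields = value.strip().split("$")
    if len(fields) < 4 or fields[0] != "":
        raise MalformedHash("not a modular crypt string")
    ident, rest = fields[1], fields[2:]
    if ident not in SCHEMES:
        raise MalformedHash("unknown scheme id %r" % ident)
    name, max_salt, digest_len, acceptable = SCHEMES[ident]

    rounds = None
    if rest[0].startswith("rounds="):
        # MD5-crypt has no rounds parameter; sha-crypt requires a number.
        if ident == "1" or not rest[0][7:].isdigit():
            raise MalformedHash("invalid rounds field")
        rounds, rest = int(rest[0][7:]), rest[1:]
    if len(rest) != 2:
        raise MalformedHash("expected exactly a salt and a digest")
    salt, digest = rest
    if not re.fullmatch("[%s]{1,%d}" % (B64, max_salt), salt):
        raise MalformedHash("bad salt for %s" % name)
    if not re.fullmatch("[%s]{%d}" % (B64, digest_len), digest):
        raise MalformedHash("bad digest length or alphabet for %s" % name)

    if not acceptable:
        return HashInfo(name, salt, digest, rounds, True,
                        "MD5-based, fixed 1000 iterations")
    if rounds is not None and rounds < DEFAULT_SHA_ROUNDS:
        return HashInfo(name, salt, digest, rounds, True,
                        "rounds below the sha-crypt default")
    return HashInfo(name, salt, digest, rounds, False, "ok")


def audit(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (account, finding) for every hash that is weak or malformed."""
    findings = []
    for account, value in entries:
        try:
            info = parse_mcf(value)
        except MalformedHash as exc:
            findings.append((account, "malformed: %s" % exc))
            continue
        if info.weak:
            findings.append((account, "%s: %s" % (info.scheme, info.reason)))
    return findings


# Constructed inventory. Account names are hypothetical; the sha512-crypt
# digests are filler of the right length, not real hashes.
SAMPLE_INVENTORY = [
    ("admin", PAGE_SAMPLE),
    ("ops", "$6$Zx3kQ9pLm2Wd$" + "A" * 86),
    ("legacy", "$6$rounds=1000$Zx3kQ9pLm2Wd$" + "B" * 86),
    ("broken", "$1$flhvdype$tooshort"),
]

if __name__ == "__main__":
    for account, finding in audit(SAMPLE_INVENTORY):
        print(account, "->", finding)
```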

request restart
Restart the system or software modules.
CAUTION: Using this command causes the firewall to reboot, resulting in the temporary disruption of network traffic. Unsaved or uncommitted changes will be lost.

Syntax
request restart [dataplane | software | system]

Options
dataplane   Restarts the dataplane software.
software    Restarts all system software.
system      Reboots the system.

Sample Output
The following command restarts all the firewall software.
username@hostname> request restart software

Required Privilege Level


superuser, vsysadmin, deviceadmin

request ssl-optout-text
Install user-defined Secure Socket Layer (SSL) output text.

Syntax
request ssl-optout-text install

Options
None

Sample Output
The following command installs SSL output text.
username@hostname> request ssl-optout-text install
Shared ssl optout text installed successfully!

Required Privilege Level


superuser, vsysadmin, deviceadmin

request ssl-vpn
Forces logout from a Secure Socket Layer (SSL) virtual private network (VPN) session.

Syntax
request ssl-vpn client-logout option

Options
option   Specify the following required options:
         portal                Specify the SSL VPN portal name.
         domain                Specify the user's domain name.
         reason force-logout   Specify to indicate that the logout is administrator-initiated.
         user                  Specify the user name.

Sample Output
The following command forces a logout of the specified user.
username@hostname> request ssl-vpn client-logout domain paloaltonetworks.com port sslportal user ssmith reason force-logout

Required Privilege Level


superuser, vsysadmin, deviceadmin

request support
Obtain technical support information.

Syntax
request support [check | info]

Options
check   Get support information from the Palo Alto Networks update server.
info    Show downloaded support information.

Sample Output
The following command shows downloaded support information.
username@hostname> request support info
0
Support Home
https://support.paloaltonetworks.com
Manage Cases
https://support.paloaltonetworks.com/pa-portal/index.php?option=com_pan&task=viewcases&Itemid=100
Download User Identification Agent
https://support.paloaltonetworks.com/pa-portal/index.php?option=com_pan&task=sw_updates&Itemid=135
866-898-9087
support@paloaltonetworks.com
November 07, 2009
Standard
10 x 5 phone support; repair and replace hardware service
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request system
Download system software or request information about the available software packages.

Syntax
request system [factory-reset | software [check | download [file | version] name | info | install [file | version] name]]

Options
check      Gets information from the Palo Alto Networks server.
download   Downloads software packages.
info       Shows information about the available software packages.
install    Downgrades to a downloaded software package.

Sample Output
The following command requests information about the software packages that are available for download.
username@hostname> request system software info
Version      Filename                  Size    Released              Downloaded
-------------------------------------------------------------------------
1.0.1        panos.4050-1.0.1.tar.gz   127MB   2007/02/07 00:00:00   no
1.0.2        panos.4050-1.0.2.tar.gz   127MB   2007/02/07 00:00:00   no
1.0.0-20     PANOS-QA-20.tar.gz        122MB   2007/02/13 00:00:00   no
1.0.0-1746   PANOS-DEV-1746.tgz        122MB   2007/02/13 00:00:00   no
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

request tech-support
Obtain information to assist technical support in troubleshooting.

Syntax
request tech-support dump

Options
None

Sample Output
The following command creates a dump for technical support.
username@hostname> request tech-support dump
Exec job enqueued with jobid 1
1

Required Privilege Level


superuser, vsysadmin, deviceadmin

request url-filtering
Perform URL filtering operations.

Syntax
request url-filtering option

Options
upgrade           Upgrade to latest version. Optionally specify brightcloud to update the BrightCloud database.
download status   Show status of information download for URL filtering.

Sample Output
The following command upgrades the BrightCloud database.
username@hostname> request url-filtering upgrade brightcloud

Required Privilege Level


superuser, vsysadmin, deviceadmin

request vpn-client
Perform VPN client package operations.

Syntax
request vpn-client software option

Options
check      Obtain information from the Palo Alto Networks server.
download   Download software packages. Specify one of the following:
           file      Name of the file containing the software package.
           version   Specified software version.
info       Show downloaded support information.
install    Install the software as specified:
           file      Name of the file containing the software package.
           version   Specified software version.

Sample Output
The following command displays information about the available software packages.
username@hostname> request vpn-client software info
Version     Size    Released on           Downloaded
-------------------------------------------------------------------------
1.0.0-c54   916KB   2009/03/04 15:04:33   no
1.0.0-c53   916KB   2009/03/04 14:09:17   no
1.0.0-c52   916KB   2009/03/04 11:49:51   no
1.0.0-c51   916KB   2009/03/03 16:45:38   no

Required Privilege Level


superuser, vsysadmin, deviceadmin

scp
Copy files between the firewall and another host. Enables downloading of a customizable HTML replacement message (comfort page) in place of a malware infected file.

Syntax
scp export export-option [control-plane | data-plane] to target from source [remote-port portnumber] [source-ip address]
scp import import-option [source-ip address] [remote-port portnumber] from source

Options
export export-option   Specifies the type of file to export to the other host.

Option                      Description
application                 Application packet capture file.
captive-portal-text         Text to be included in a captive portal.
configuration               Configuration file.
core-file                   Core file.
debug pcap                  IKE negotiation packet capture file.
file-block-page             File containing comfort pages to be presented when files are blocked.
filter                      Filter definitions.
log-file                    Log files.
log-db                      Log database.
packet-log                  Logs of packet data.
spyware-block-page          Comfort page to be presented when files are blocked due to spyware.
ssl-optout-text             SSL optout text.
tech-support                Technical support information.
trusted-ca-certificate      Certificate Authority (CA) security certificate.
url-block-page              Comfort page to be presented when files are blocked due to a blocked URL.
virus-block-page            Comfort page to be presented when files are blocked due to a virus.
web-interface-certificate   Web interface certificate.

import import-option   Specifies the type of file to import from the other host.

Option                      Description
application                 Application packet capture file.
captive-portal-text         Text to be included in a captive portal.
configuration               Configuration file.
core-file                   Core file.
file-block-page             File containing comfort pages to be presented when files are blocked.
filter                      Filter definitions.
ike-pcapc-file              IKE negotiation packet capture file.
log-file                    Log files.
log-db                      Log database.
packet-log                  Logs of packet data.
spyware-block-page          Comfort page to be presented when files are blocked due to spyware.
ssl-optout-text             SSL optout text.
tech-support                Technical support information.
trusted-ca-certificate      Certificate Authority (CA) security certificate.
url-block-page              Comfort page to be presented when files are blocked due to a blocked URL.

control-plane            Indicates that the file contains control information.
data-plane               Indicates that the file contains information about data traffic.
remote-port portnumber   Specifies the port number on the remote host.
source-ip address        Specifies the source IP address.
to                       Specifies the destination user in the format username@host:path.
from                     Specifies the source user in the format username@host:path.

Sample Output
The following command imports a license file from a file in user1's account on the machine with IP address 10.0.3.4.
username@hostname> scp import ssl-certificate from user1@10.0.3.4:/tmp/certificatefile

Required Privilege Level


superuser, vsysadmin, deviceadmin

set application
Set parameters for system behavior when applications are blocked.

Syntax
set application option

Options
cache <yes | no>           Enables (yes) or disables (no) the application cache.
dump <off | on option>     Enables (on) or disables (off) the application packet capture. The following options determine the contents of the dump:
                               application: Specified application.
                               destination: Destination IP address of the session.
                               destination-user: Destination user.
                               destination-port: Destination port.
                               zone: Specified zone.
                               protocol: Specified protocol.
                               limit: Maximum number of sessions to capture.
                               source: Source IP address for the session.
                               source-user: Specified source user.
                               source-port: Specified source port.
dump-unknown <yes | no>    Enables (yes) or disables (no) capture of unknown applications.
heuristics <yes | no>      Enables (yes) or disables (no) heuristics detection for applications.
notify-user <yes | no>     Enables (yes) or disables (no) user notification when an application is blocked.
supernode <yes | no>       Enables (yes) or disables (no) detection of super nodes for peer-to-peer applications that have designated supernodes on the Internet.

Sample Output
The following command turns packet capture for unknown applications off.
username@hostname> set application dump off
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set cli
Set scripting and pager options for the PAN-OS CLI.

Syntax
set cli [scripting-mode | pager | timeout [idle idle-value] [session session-value]] off | on

Options
scripting-mode    Enables or disables scripting mode.
pager             Enables or disables pages.
timeout           Sets administrative session timeout values.
idle-value        Specifies the idle timeout (0-86400 seconds).
session-value     Specifies the administrative session timeout (0-86400 seconds).
off               Turns the option off.
on                Turns the option on.

Sample Output
The following command turns the PAN-OS CLI pager option off.
username@hostname> set cli pager off
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set clock
Set the system date and time.

Syntax
set clock option

Options
date YYYY/MM/DD    Specify the date in yyyy/mm/dd format.
time hh:mm:ss      Specify the time in hh:mm:ss format (hh: 0-23, mm: 0-59, ss: 0-59).

Sample Output
The following command sets the system date and time.
username@hostname> set clock date 2009/03/20 time 14:32:00
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set ctd
Show content-related information on the Content-based Threat Detection (CTD) engine.

Syntax
set ctd x-forwarded-for <no | yes>

Options
no     Disable parsing of the x-forwarded-for attribute.
yes    Enable parsing of the x-forwarded-for attribute.

Sample Output
The following command enables parsing of the attribute.
username@hostname> set ctd x-forwarded-for yes
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set data-access-password
Set the access password for the data filtering logs.

Syntax
set data-access-password pwd

Options
pwd Specifies the password.

Sample Output
The following command sets the password for data filtering logs.
username@hostname> set data-access password 12345678
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set logging
Set logging options for traffic and event logging.

Syntax
set logging option value

Options
default                       Restores all log settings to default.
log-suppression <yes | no>    Enables or disables suppression of log information.
max-packet-rate value         Specifies the maximum packet rate (0-5120 KB/s).
max-log-rate value            Specifies the maximum logging rate (0-5120 KB/s).

Note: max-packet-rate and max-log-rate both affect the rate at which log messages are forwarded. Generated log messages are kept in priority queues, and the log forwarding engine forwards the generated logs based on the log and packet rates. If the rates are set too low, the queues may build up and eventually drop log messages.

Sample Output
The following command sets the logging rate to be a maximum of 1000 KB/second.
username@hostname> set logging max-log-rate 1000
Logging rate changed to 1000 KB/s
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set management-server
Set parameters for the management server, which manages configuration, reports, and authentication for the firewall.

Syntax
set management-server option

Options
logging option    Sets the following logging options:
                      import-end: Exit import mode.
                      import-start: Enter import mode.
                      off: Disable logging.
                      on: Allow logging.
unlock            Specifies the serial number or software license key.

Sample Output
The following command enables logging on the management server.
username@hostname> set management-server logging on
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set multi-vsys
Enable or disable multiple virtual system functionality on the firewall.

Syntax
set multi-vsys <off | on>

Options
on     Enables support for multiple virtual systems.
off    Disables support for multiple virtual systems.

Sample Output
The following command enables multiple virtual system functionality on the firewall.
username@hostname> set multi-vsys on
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set panorama
Enable or disable connection between the firewall and Panorama.

Syntax
set panorama <off | on>

Options
on     Enables the connection between the firewall and Panorama.
off    Disables the connection between the firewall and Panorama.

Sample Output
The following command disables the connection between the firewall and Panorama.
username@hostname> set panorama off
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set password
Set the firewall password. When you issue this command, the system prompts you to enter the old and new password and to confirm the new password.

Syntax
set password

Options
None

Sample Output
The following example shows how to reset the firewall password.
username@hostname> set password
Enter old password : (enter the old password)
Enter new password : (enter the new password)
Confirm password   : (reenter the new password)
Password changed
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set proxy
Sets the proxy parameter. The firewall can act as a proxy for the client, as a forward proxy for outbound traffic, and as an inbound proxy for traffic coming to the clients.

Syntax
set proxy option

Options
answer-timeout            Sets the timeout value for communication with the proxy server (1-86400 seconds).
notify-user <yes | no>    Enables or disables the user notification web page.
skip-proxy <yes | no>     Disables or enables the proxy function.
skip-ssl <yes | no>       Disables or enables Secure Socket Layer (SSL) decryption.

Sample Output
The following command disables SSL decryption.
username@hostname> set proxy skip-ssl yes
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set serial-number
(Panorama only) Configure the serial number of the Panorama machine. The serial number must be set for Panorama to connect to the update server.

Syntax
set serial-number value

Options
value Specifies the serial number or software license key.

Sample Output
The following command sets the Panorama serial number to 123456.
username@hostname> set serial-number 123456
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set session
Set parameters for the networking session.

Syntax
set session [default | item value]

Options
default       Restores all session settings to the default values.
item value    Specifies the debugging target or level.

    Option                              Value                  Description
    accelerated-aging-enable            no | yes               Enables or disables accelerated session aging.
    accelerated-aging-scaling-factor    Power of 2             Sets the accelerated session aging scaling factor (power of 2).
    accelerated-aging-threshold         Power of 2 (1-100)     Sets the accelerated aging threshold as a percentage of session utilization.
    offload                             no | yes               Enables or disables hardware session offload. Some firewall models have specialized hardware to manage TCP, UDP, and ICMP sessions. This option command enables or disables this capability. If it is disabled, the sessions are managed by the firewall software.
    tcp-reject-non-syn                  no | yes               Rejects non-synchronized TCP packets for session setup.
    timeout-default                     Number of seconds      Sets the session default timeout value in seconds.
    timeout-icmp                        1-15999999             Sets the session timeout value for ICMP commands.
    timeout-tcp                         1-15999999             Sets the session timeout value for TCP commands.
    timeout-tcpinit                     Number of seconds      Sets the initial TCP timeout value in seconds.
    timeout-tcpwait                     Number of seconds      Sets the session TCP wait timeout value in seconds.
    timeout-udp                         1-15999999             Sets the session timeout value for UDP commands.

Sample Output
The following command sets the TCP timeout to 1 second.
username@hostname> set session timeout-tcpwait 1
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set shared-policy
Set shared policy management behavior with Panorama.

Syntax
set shared-policy option

Options
disable                          Disables Panorama shared policy management.
enable                           Enables Panorama shared policy management.
import-and-disable <yes | no>    Imports and then disallows shared policies.

Sample Output
The following command enables shared policies with Panorama.
username@hostname> set shared-policy enable
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set ssl-vpn
Enable Secure Socket Layer (SSL) virtual private network (VPN) for a specified user.

Syntax
set ssl-vpn unlock auth-profile profilename user uname vsys vsysname

Options
profilename    Specifies the authentication profile that applies to the user.
uname          Specifies the name of the user.
vsysname       Specifies the name of the target virtual system.

Sample Output
The following command applies an authentication profile, user and virtual system for SSLVPN access.
username@hostname> set ssl-vpn auth-profile profile_1 user ssmith vsysname vsys_a
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set target-vsys
Sets the target virtual system. Note: When the target virtual system is set, the CLI prompt incorporates the vsys name. In this mode, if any command is executed, it executes for the vsys, if possible. For example, if you use secure copy to import or export a comfort page, the page is imported or exported for the vsys. Commands that are not virtual-system-specific continue to work normally.

Syntax
set target-vsys vsys

Options
vsys Specifies the name of the target virtual system.

Sample Output
The following command shows information about target virtual systems.
username@hostname> set target-vsys vsys1
Session target vsys changed to vsys1
username@hostname vsys1>>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set ts-agent
Sets the Terminal Services (TS) agent parameters.

Syntax
set ts-agent name name ip-address ipaddr port portnum ip-list iplist

Options
name       Specifies the user name.
ipaddr     Specifies the IP address of the Windows PC on which the TS agent is installed. You can also specify alternative IP addresses using the ip-list parameter.
portnum    Specifies the port number for communication between the terminal server and the TS agent.
iplist     Specifies 0-8 additional IP addresses for Windows PCs on which the TS agent is installed.

Sample Output
The following command sets the TS agent parameters for the user ssmith with the specified port and IP addresses.
username@hostname> set ts-agent user ssmith ip-address 192.168.3.4 port 772 ip-list 192.168.5.5 192.168.9.3
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set url-database
Set the database for URL resolution in support of URL filtering. The available selections depend on the URL license available on the firewall.

Syntax
set url-database dbasename

Options
dbasename Uses a database with the specified name: surfcontrol or brightcloud.

Sample Output
The following command switches the database from surfcontrol to brightcloud.
admin@PA-4050> set url-database surfcontrol
  surfcontrol <value> URL database
username@hostname> set url-database brightcloud
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

set zip
Determines whether zipped files are automatically unzipped and policies are applied to the unzipped contents.

Syntax
set zip enable <yes | no>

Options
yes    Enables automatic unzipping and inspection of zipped files.
no     Disables automatic unzipping and inspection of zipped files.

Sample Output
The following command enables automatic unzipping and inspection of zipped files.
username@hostname> set zip enable yes
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show admins
Display information about the active firewall administrators.

Syntax
show admins [all]

Options
all Lists the names of all administrators.

Sample Output
The following command displays administrator information for the 10.0.0.32 firewall.
username@hostname> show admins | match 10.0.0
Admin    From          Type    Session-start     Idle-for
--------------------------------------------------------------------------
admin    10.0.0.132    Web     02/19 09:33:07    00:00:12s
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show arp
Shows current Address Resolution Protocol (ARP) entries.

Syntax
show arp interface

Options
interface    Specifies the interface for which the ARP table is displayed.
                 all            Shows information for all ARP tables.
                 ethernetn/m    Shows information for the specified interface.
                 loopback       Shows loopback information.
                 vlan           Shows VLAN information.

Sample Output
The following command displays ARP information for the ethernet1/1 interface.
username@hostname> show arp ethernet1/1
maximum of entries supported : 8192
default timeout: 1800 seconds
total ARP entries in table : 0
total ARP entries shown : 0
status: s - static, c - complete, i - incomplete
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show authentication
Shows authentication information.

Syntax
show authentication option

Options
interface    Specifies the following authentication information.
                 allowlist: Shows the authentication allow list.
                 groupdb: Lists the group authentication databases.
                 groupnames: Lists the distinct group names.

Sample Output
The following command shows the list of users that are allowed to access the firewall.
username@hostname> show authentication allowlist
vsysname    profilename    username
---------   -----------    ----------------------------
vsys1       SSLVPN         paloaltonetwork\domain users
vsys1       wtam-SSLVPN    group1

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show chassis-ready
Shows whether the dataplane has a running policy.

Syntax
show chassis-ready

Options
None

Sample Output
The following command shows that the dataplane has a currently running policy.
username@hostname> show chassis-ready
yes
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show cli
Shows information about the current CLI session.

Syntax
show cli info

Options
None

Sample Output
The following command shows information about the current CLI session.
username@hostname> show cli info
Process ID : 2045
Pager : enabled
Vsys configuration mode : disabled
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show clock
Shows the current time on the firewall.

Syntax
show clock

Options
None

Sample Output
The following command shows the current time.
username@hostname> show clock
Sun Feb 18 10:49:31 PST 2007
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show config
Shows the active configuration.

Syntax
show config

Options
None

Sample Output
The following command shows the configuration lines that pertain to VLANs.
username@hostname> show config | match vlan
vlan {
vlan;
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show counter
Display system counter information.

Syntax
show counter [global | interface]

Options
global       Shows global system counter information.
interface    Shows system counter information grouped by interface.

Sample Output
The following command displays all configuration counter information grouped according to interface.
username@hostname> show counter interface

hardware interface counters:
------------------------------------------------------------------------
interface: ethernet1/1
------------------------------------------------------------------------
bytes received         0
bytes transmitted      0
packets received       0
packets transmitted    0
receive errors         0
packets dropped        0
------------------------------------------------------------------------
...
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show ctd
Show the threat signature information on the system.

Syntax
show ctd threat threat_id application appid profile pfid

Options
threat_id            Uniquely identifies the threat.
application appid    Shows the action of the threat action in the application.
profile pfid         Identifies the profile.

Sample Output
The following command shows an example with the default threat action.
username@hostname> show ctd threat 100000 application 109 profile 1
Profile 1 appid 109 , action 0
action 0 means default action.

The following command shows an example with the no threat action.
admin@PA-HDF> show ctd threat 100000 application 108 profile 1
Profile 1 appid 108 , action ffff
action ffff means no action.
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show device
(Panorama only) Show the state of managed devices.

Syntax
show device-messages [all | connected]

Options
all          Shows information for all managed devices.
connected    Shows information for all connected devices.

Sample Output
The following command shows information for connected devices.
username@hostname> show devices connected
Serial        Hostname     IP          Connected
--------------------------------------------------------------------------
PA04070001    pan-mgmt2    10.1.7.2    yes
last push state: none

username@hostname>

Required Privilege Level


superuser, superuser (read only), Panorama admin

show device-messages
(Panorama only) Show information on the policy messages for devices.

Syntax
show device-messages [device] [group]

Options
device    Shows the messages only for the specified device.
group     Shows the messages only for the specified device group.

Sample Output
The following command shows the device messages for the device pan-mgmt2 and the group dg1.
username@hostname> show device-messages device pan-mgmt2 group dg1
username@hostname>

Required Privilege Level


superuser, superuser (read only), Panorama admin

show devicegroups
(Panorama only) Show information on device groups.

Syntax
show devicegroups [name]

Options
name Shows the information only for the specified device group.

Sample Output
The following command shows information for the device group dg1.
username@hostname> show devicegroups dg1
==========================================================================
Group: dg3 Shared policy md5sum:dfc61be308c23e54e5cde039689e9d46
Serial        Hostname     IP          Connected
--------------------------------------------------------------------------
PA04070001    pan-mgmt2    10.1.7.2    yes
last push state: push succeeded
vsys3 shared policy md5sum:dfc61be308c23e54e5cde039689e9d46(In Sync)
username@hostname>

Required Privilege Level


superuser, superuser (read only), Panorama admin

show dhcp
Show information on Dynamic Host Configuration Protocol (DHCP) leases.

Syntax
show dhcp lease <value | all>

Options
value    Identifies the interface (ethernetn/m).
all      Shows all the lease information.

Sample Output
The following command shows all lease information.
username@hostname> show dhcp all
interface: ethernet1/9
ip            mac                  expire
66.66.66.1    00:15:c5:60:a5:b0    Tue Mar 11 16:12:09 2008
66.66.66.2    00:15:c5:e1:0d:b0    Tue Mar 11 16:08:01 2008
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show high-availability
Show runtime information for the high-availability subsystem.

Syntax
show high-availability [all | control-link statistics | link-monitoring | path-monitoring | state | state-synchronization]

Options
all                        Shows all high-availability information.
control-link statistics    Shows control-link statistic information.
link-monitoring            Shows the link-monitoring state.
path-monitoring            Shows path-monitoring statistics.
state                      Shows high-availability state information.
state-synchronization      Shows state synchronization statistics.

Sample Output
The following command shows information for the high-availability subsystem.
username@hostname> show high-availability path-monitoring
----------------------------------------------------------------------------
path monitoring: disabled
total paths monitored: 0
----------------------------------------------------------------------------
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show interface
Display information about system interfaces.

Syntax
show interface interface

Options
element    Specifies the interface.
               all            Shows information for all ARP tables.
               ethernetn/m    Shows information for the specified interface.
               hardware       Shows hardware information.
               logical        Shows logical interface information.
               loopback       Shows loopback information.
               vlan           Shows VLAN information.

Sample Output
The following command displays information about the ethernet1/2 interface.
username@hostname> show interface ethernet1/2
----------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Link status:
  Runtime link speed/duplex/state: auto/auto/auto
  Configured link speed/duplex/state: auto/auto/auto
MAC address:
  Port MAC address 0:f:b7:20:2:11
Operation mode: virtual-wire
----------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Operation mode: virtual-wire
Virtual wire: default-vwire, peer interface: ethernet1/1
Interface management profile: N/A
Zone: trust, virtual system: (null)
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show jobs
Display information about current system processes.

Syntax
show jobs [all | id number | pending | processed]

Options
all          Shows information for all jobs.
id number    Identifies the process by number.
pending      Shows recent jobs that are waiting to be executed.
processed    Shows recent jobs that have been processed.

Sample Output
The following command lists jobs that have been processed in the current session.
username@hostname> show jobs processed
Enqueued               ID    Type       Status    Result    Completed
--------------------------------------------------------------------------
2007/02/18 09:34:39    2     AutoCom    FIN       OK        2007/02/18 09:34:40
2007/02/18 09:33:00    1     AutoCom    FIN       FAIL      2007/02/18 09:33:54
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show local-user-db
Display information about the local user database on the firewall.

Syntax
show local-user-db [disabled <yes | no>] [username user] [vsys vsysname]

Options
disabled <yes | no>    Filters the information according to whether the user accounts are enabled or disabled:
                           yes: Displays users that are administratively disabled.
                           no: Displays users that are administratively active.
username user          Shows information for the specified user.
vsys vsysname          Shows information for the specified virtual system.

Sample Output
The following command lists the local user database.
username@hostname> show local-user-db
Vsys     User     Disabled
vsys1    user1    no
vsys1    user2    no

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show location
Show the geographic location of a firewall.

Syntax
show location ip address

Options
address Specifies the IP address of the firewall.

Sample Output
The following command shows location information for the firewall 10.1.1.1.
username@hostname> show location ip 10.1.1.1
show location ip 201.52.0.0
201.52.0.0 Brazil
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show log
Display system logs.

Syntax
show log [threat | config | system | traffic] [equal | not-equal] option value

Options
threat          Displays threat logs.
config          Displays configuration logs.
system          Displays system logs.
traffic         Displays traffic logs.
option value    Restricts the output (the available options depend upon the keyword used in the command: threat, config, system, traffic).

    Option            Description
    action            Type of alarm action (alert, allow, or drop).
    app               Application.
    client            Type of client (CLI or web).
    command           Command.
    dport             Destination port.
    dst               Destination IP address.
    from              Source zone.
    receivetime in    Time interval in which the information was received.
    result            Result of the action (failed, succeeded, or unauthorized).
    rule              Rule name.
    severity          Level of importance (critical, high, medium, low, informational).
    sport             Source port.
    src               Source IP address.
    to                Destination zone.

greater-than-or-equal    Indicates that the option is equal to the specified value.
less-than-or-equal       Indicates that the option is not equal to the specified value.
equal                    Indicates that the option is equal to the specified value.
not-equal                Indicates that the option is not equal to the specified value.

Sample Output
The following command shows the configuration log.
username@hostname> show log config
Time              Host          Command    Admin    Client    Result
===============================================================================
03/05 22:04:16    10.0.0.135    edit       admin    Web       Succeeded
03/05 22:03:22    10.0.0.135    edit       admin    Web       Succeeded
03/05 22:03:22    10.0.0.135    create     admin    Web       Succeeded
03/05 21:56:58    10.0.0.135    edit       admin    Web       Succeeded
...
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader
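
The following is an added example, not part of the original guide: a Python parser for the show log config output format shown above that flags configuration-log entries whose result is not Succeeded or whose source host is outside an expected management set. The sample lines, the EXPECTED_HOSTS set and the function names are constructed for illustration, and the column layout is assumed to match the sample output (whitespace-separated columns, single-token Command and Admin fields).

```python
import re
from collections import Counter
from typing import NamedTuple


class ConfigLogEntry(NamedTuple):
    time: str
    host: str
    command: str
    admin: str
    client: str
    result: str


# One data row: "MM/DD hh:mm:ss  host  command  admin  client  result".
# Header, separator, "..." and prompt lines do not match and are skipped.
ROW_RE = re.compile(
    r"^(?P<time>\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<command>\S+)\s+(?P<admin>\S+)\s+"
    r"(?P<client>\S+)\s+(?P<result>\S+)\s*$"
)

# Constructed sample in the layout of the guide's "show log config" output.
# The jdoe rows and the 192.0.2.77 address are invented for this example.
SAMPLE_OUTPUT = """\
username@hostname> show log config
Time              Host          Command    Admin    Client    Result
===============================================================================
03/05 22:04:16    10.0.0.135    edit       admin    Web       Succeeded
03/05 22:03:22    10.0.0.135    create     admin    Web       Succeeded
03/05 21:58:41    192.0.2.77    edit       jdoe     CLI       Unauthorized
03/05 21:57:10    192.0.2.77    edit       jdoe     CLI       Failed
...
username@hostname>
"""

# Assumption: hosts from which configuration changes are expected.
EXPECTED_HOSTS = {"10.0.0.135"}


def parse_config_log(text):
    """Return a ConfigLogEntry for every data row found in the CLI output."""
    entries = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            entries.append(ConfigLogEntry(**match.groupdict()))
    return entries


def review(entries, expected_hosts):
    """Return (entry, reasons) pairs for entries that deserve a closer look."""
    findings = []
    for entry in entries:
        reasons = []
        # The guide lists failed, succeeded and unauthorized as result values.
        if entry.result.lower() != "succeeded":
            reasons.append("result=" + entry.result)
        if entry.host not in expected_hosts:
            reasons.append("unexpected host")
        if reasons:
            findings.append((entry, reasons))
    return findings


def failures_by_admin(entries):
    """Count non-succeeded configuration attempts per administrator name."""
    return Counter(
        e.admin for e in entries if e.result.lower() != "succeeded"
    )


if __name__ == "__main__":
    parsed = parse_config_log(SAMPLE_OUTPUT)
    for entry, reasons in review(parsed, EXPECTED_HOSTS):
        print(entry.time, entry.host, entry.admin, entry.command,
              "; ".join(reasons))
    print(dict(failures_by_admin(parsed)))
```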

show logging
Show whether logging is enabled.

Syntax
show logging

Options
None

Sample Output
The following command shows that logging is enabled.
username@hostname> show logging
on
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show mac
Display MAC address information.

Syntax
show mac [value | all]

Options
value    Specifies a MAC address (aa:bb:cc:dd:ee:ff format).
all      MAC address (aa:bb:cc:dd:ee:ff format).

Sample Output
The following command lists all current MAC address information.
username@hostname> show mac all
maximum of entries supported : 8192
default timeout : 1800 seconds
total MAC entries in table : 4
total MAC entries shown : 4
status: s - static, c - complete, i - incomplete
vlan         hw address      interface       status    ttl
---------------------------------------------------------------------------
Vlan56       0:0:1:0:0:3     ethernet1/5     c         1087
Vlan56       0:0:1:0:0:4     ethernet1/6     c         1087
Vlan11-12    0:0:1:0:0:9     ethernet1/12    c         487
Vlan11-12    0:0:1:0:0:10    ethernet1/11    c         487
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show management-clients
Show information about internal management server clients.

Syntax
show management-clients

Options
None

Sample Output
The following command shows information about the internal management server clients.
username@hostname> show management-clients
Client      PRI    State    Progress
-------------------------------------------------------------------------
routed      30     P2-ok    100
device      20     P2-ok    100
ikemgr      10     P2-ok    100
keymgr      10     init     0 (op cmds only)
dhcpd       10     P2-ok    100
ha_agent    10     P2-ok    100
npagent     10     P2-ok    100
exampled    10     init     0 (op cmds only)
Overall status: P2-ok. Progress: 0
Warnings:
Errors:

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show multi-vsys
Show if multiple virtual system mode is set.

Syntax
show multi-vsys

Options
None

Sample Output
The following command shows the current status of multiple virtual systems.
username@hostname> show multi-vsys
on
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show pan-agent
Show statistics or user information for the Palo Alto Networks agent.

Syntax
show pan-agent <statistics | user-IDs>

Options
statistics    Displays full information about the Palo Alto Networks agent.
user-IDs      Displays user information for the Palo Alto Networks agent.

Sample Output
The following command shows information about the Palo Alto Networks agent.
username@hostname> show pan-agent statistics
IP Address     Port    Vsys     State            Users    Grps    IPs    Received Pkts
----------------------------------------------------------------------------
10.0.0.100     2011    vsys1    connected, ok    134      77      95     5757
10.1.200.22    2009    vsys1    connected, ok    5        864     2      1097

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show pan-ntlm-agent
Display status information about the Palo Alto Networks user identification agent for NT LAN Manager (NTLM). The firewall uses the user identification agent to provide Microsoft NTLM authentication for the captive portal.

Syntax
show pan-ntlm-agent statistics

Options
None

Sample Output
The following command displays information about the NTLM agent.
username@hostname> show pan-ntlm-agent statistics
IP Address    Port   Vsys    State
----------------------------------------------------
10.16.3.249   2010   vsys1   trying to connect
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

show proxy
Displays information about the proxy that is used for the Secure Socket Layer (SSL) decryption function.

Syntax
show proxy [certificate-cache | notify-cache | setting]

Options
certificate-cache   Displays the proxy certificate cache.
notify-cache        Displays the proxy notification cache.
setting             Displays the current proxy settings.

Sample Output
The following command shows the current proxy settings.
username@hostname> show proxy setting
Ready:          no
Enable proxy:   yes
Enable ssl:     yes
Notify user:    yes

username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show query
Show information about query jobs.

Syntax
show query <jobs | id value>

Options
jobs       Displays all job information.
id value   Displays job information for the specified ID.

Sample Output
The following command shows information about all current query jobs.
username@hostname> show query jobs
Enqueued   ID   Last Upd
--------------------------------------------------------------------------
13:58:19   16   13:58:19
Type   ID   Dequeued?
-----------------------------------------------------

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show report
Displays information about process jobs.

Syntax
show report [id number | jobs]

Options
id number   Displays information about the job with the specified ID number.
jobs        Displays information on all jobs.

Sample Output
The following command shows the current jobs.
username@hostname> show report jobs
Enqueued   ID   Last Updated   dev/skip/req/resp/proc
--------------------------------------------------------------------------
username@hostname>
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show routing
Display routing run-time objects.

Syntax
show routing fib [virtual-router name]
show routing protocol [virtual-router name] ospf <area | dumplsdb | interface | lsdb | neighbor | summary | virt-link | virt-neighbor>
show routing protocol [virtual-router name] redist <all | ospf | rip>
show routing protocol [virtual-router name] rip <database | interface | peer | summary>
show routing resource
show routing route [destination ip/netmask][interface interfacename] [nexthop ip/netmask][type <connect | ospf | rip | static>] [virtual-router name]
show routing summary

Options
fib               Shows forwarding table entries. Specify an individual virtual router or all.
protocol ospf     Shows OSPF information. Specify one of the following (virtual router is optional).
    area              Shows OSPF area status.
    dumplsdb          Shows the OSPF LS database details.
    interface         Shows OSPF interface status.
    lsdb              Shows the LS database status.
    neighbor          Shows neighbor status.
    summary           Shows OSPF summary status.
    virt-link         Shows status of virtual links.
    virt-neighbor     Shows OSPF virtual neighbor status.
protocol redist   Shows redistribution rule entries. Specify one of the following (virtual router is optional).
    ospf              Shows OSPF rules.
    rip               Shows RIP rules.
    all               Shows all redistribution rules.
protocol rip      Shows RIP information. Specify one of the following options (virtual router is optional).
    database          Shows RIP route database.
    interface         Shows RIP interface status.
    peer              Shows RIP peer status.
    summary           Shows the RIP summary information.
resources         Shows resource usage.
route             Shows route entries. Optionally specify any of the following options.
    destination       Restricts the result to a specified subnet (IP address/mask).
    interface         Restricts the result to a specified network interface.
    nexthop           Restricts the result to the next hop from the firewall (IP address/mask).
    type              Restricts the result according to type of route: connect and host routes, ospf, rip, or static.
    virtual-router    Restricts the result to a specified virtual router.
summary           Shows summary information.

Sample Output
The following command shows summary routing information for the virtual router vr1.
username@hostname> show routing summary virtual-router vr1
VIRTUAL ROUTER: vr1 (id 1)
==========
OSPF
area id:             0.0.0.0
interface:           192.168.6.254
interface:           200.1.1.2
dynamic neighbors:
IP 200.1.1.1 ID 200.1.1.1
area id:             1.1.1.1
interface:           1.1.1.1
interface:           1.1.2.1
interface:           1.1.3.1
interface:           2.1.1.1
static neighbor:     IP 65.54.5.33 ID *down*
static neighbor:     IP 65.54.77.88 ID *down*
interface:           22.22.22.22
interface:           35.1.15.40
interface:           192.168.7.254
dynamic neighbors:
IP 35.1.15.1 ID 35.35.35.35
==========
RIP
interface:           2.1.1.1
interface:           22.22.22.22
interface:           35.1.15.40
interface:           192.168.6.254
interface:           200.1.1.2
==========
INTERFACE
==========
interface name:      ethernet1/1
interface index:     16
virtual router:      vr1
operation status:    up
IPv4 address:        22.22.22.22/24
IPv4 address:        35.1.15.40/24
==========
interface name:      ethernet1/3
interface index:     18
virtual router:      vr1
operation status:    up
IPv4 address:        200.1.1.2/24
==========
interface name:      ethernet1/7
interface index:     22
virtual router:      vr1
operation status:    up
IPv4 address:        1.1.1.1/24
IPv4 address:        1.1.2.1/24
IPv4 address:        1.1.3.1/24
==========
interface name:      ethernet1/15
interface index:     30
virtual router:      vr1
operation status:    up
IPv4 address:        192.168.6.254/24
==========
interface name:      ethernet1/16
interface index:     31
virtual router:      vr1
operation status:    up
IPv4 address:        192.168.7.254/24
==========
interface name:      ethernet1/18
interface index:     33
virtual router:      vr1
operation status:    down
IPv4 address:        2.1.1.1/24
username@hostname>

The following command shows dynamic routing protocol information for RIP.
username@hostname> show routing protocol rip summary
==========
virtual router:          vr1
reject default route:    yes
interval seconds:        1
update intervals:        30
expire intervals:        180
delete intervals:        120
interface:               2.1.1.1
interface:               22.22.22.22
interface:               35.1.15.40
interface:               192.168.6.254
interface:               200.1.1.2
==========
virtual router:          newr
reject default route:    yes
interval seconds:        1
update intervals:        30
expire intervals:        180
delete intervals:        120
interface:               0.0.0.0
interface:               30.30.30.31
interface:               151.152.153.154

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show session
Show session information.

Syntax
show session [all | info] [filter [application appname][destination destname][destination-port destport][destination-user destuser][from zone zonename][limit value][protocol protnumber][source-port sourceport][source-user sourceuser][state state][type type]]

Options
all                         Displays all active sessions.
info                        Displays session statistics.
application appname         Specifies the application.
destination destname        Specifies the destination IP address.
destination-port destport   Specifies the destination port.
destination-user destuser   Specifies the destination user name.
from                        Specifies the source.
protocol protname           Specifies the protocol.
source sourcename           Specifies the source IP address.
source-port sourceport      Specifies the source port.
source-user sourceuser      Specifies the source user name.
state state                 Specifies the condition for the filter (active, closed, closing, discard, initial, or opening).
to                          Specifies the destination.
type type                   Specifies the flow type (regular or predict).

Sample Output
The following command displays summary statistics about current sessions.
username@hostname> show session info
-------------------------------------------------------------------------
number of sessions supported:                     2097151
number of active sessions:                        8
session table utilization:                        0%
number of sessions created since system bootup:   21
---------------------------------------------------------------------------
session timeout
TCP default timeout:                              3600 seconds
TCP session timeout after FIN/RST:                5 seconds
UDP default timeout:                              600 seconds
ICMP default timeout:                             6 seconds
other IP default timeout:                         1800 seconds
---------------------------------------------------------------------------
session accelerated aging:                        enabled
accelerated aging threshold:                      80% of utilization
scaling factor:                                   2 X
---------------------------------------------------------------------------
session setup
TCP - reject non-SYN first packet:                yes
---------------------------------------------------------------------------

The following command lists all current sessions.


username@hostname> show session all
number of sessions: 8
ID/vsys   src[sport]/zone/proto        dest[dport]/zone         state     type   app.
19        192.168.10.199[2219]/1/6     10.10.10.10[6667]/2      ACTIVE    FLOW   0
20        192.168.10.191[4069]/1/6     192.168.10.199[139]/2    DISCARD   FLOW   ms-ds-smb
22        192.168.10.199[2261]/1/6     10.10.10.10[6667]/2      ACTIVE    FLOW   0
4         192.168.10.191[138]/1/17     192.168.10.255[138]/2    ACTIVE    FLOW   netbios-dg
6         192.168.10.199[138]/1/17     192.168.10.255[138]/2    ACTIVE    FLOW   netbios-dg
21        192.168.10.199[1025]/1/17    4.2.2.1[53]/2            CLOSING   FLOW   dns
9         192.168.10.199[2187]/1/6     10.10.10.10[6667]/2      ACTIVE    FLOW   0
13        192.168.10.199[2195]/1/6     10.10.10.10[6667]/2      ACTIVE    FLOW   0

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show shared-policy
Show the current shared policy status.

Syntax
show shared-policy

Options
None

Sample Output
The following command displays the current shared policy status.
username@hostname> show shared-policy
disabled
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show ssl-vpn
Show Secure Socket Layer (SSL) virtual private network (VPN) runtime objects.

Syntax
show ssl-vpn option

Options
flow                                            Displays dataplane SSL-VPN tunnel information.
portal                                          Displays the SSL-VPN configuration.
user uname domain domname portal portalname     Specifies the user, domain, and portal.

Sample Output
The following command displays information on SSL-VPN tunnels.
username@hostname> show ssl-vpn flow
----------------------------------------------------------------------------
total tunnels configured:          10
filter - type SSL-VPN, state any
total SSL-VPN tunnel configured:   2
total SSL-VPN tunnel shown:        2

name   id   local-i/f   local-ip     tunnel-i/f
----------------------------------------------------------------------------
s1     2    tunnel.7    10.1.6.105   tunnel.7
rad    11   tunnel.8    10.1.6.106   tunnel.8
---------------------------------------------------------------------------
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show statistics
Show firewall statistics.

Syntax
show statistics

Options
None

Sample Output
The following command displays firewall statistics.
username@hostname> show statistics
TASK   PID   N_PACKETS    CONTINUE     ERROR   DROP      BYPASS   TERMINATE
0      0     0            0            0       0         0        0
1      806   6180587      6179536      39      0         0        1012
2      807   39312        37511        0       0         0        1801
3      808   176054840    173273080    2289    2777524   0        1947
4      809   112733251    111536151    1744    1194906   0        450
5      810   66052142     65225559     1271    825010    0        302
6      811   49682445     49028991     909     652227    0        318
7      812   43618777     43030638     712     587129    0        298
8      813   41255949     40706957     708     548031    0        253
9      814   42570163     42010404     714     558773    0        272
10     815   7332493      7332494      0       0         0        0
11     816   19620028     19620028     0       0         0        0
12     817   12335557     12335557     0       0         0        0
13     818   0            0            0       0         0        0
14     819   6105056      6105056      0       0         0        0
task 1(pid: 806) flow_mgmt
task 2(pid: 807) flow_ctrl flow_host
task 3(pid: 808) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 4(pid: 809) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 5(pid: 810) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 6(pid: 811) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 7(pid: 812) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 8(pid: 813) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 9(pid: 814) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 10(pid: 815) appid_result
task 11(pid: 816) ctd_nac ctd_token ctd_detector
task 12(pid: 817) ctd_nac ctd_token ctd_detector
task 13(pid: 818) proxy_packet
task 14(pid: 819) pktlog_forwarding

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show system
Show system information.

Syntax
show system type

Options
type   Specifies the type of system information to be displayed.
    info                               Shows network address and security information.
    services                           Shows the current system services and whether they are running.
    software status                    Shows software version information.
    state [browser | filter | value]   Shows the system tree. The browser displays the information in a text-mode browser. The filter option allows you to limit the information that is displayed. The * wildcard can be used.
    statistics                         Shows device, packet rate, throughput, and session information. Enter q to quit or h to get help.

Sample Output
The following command displays system information.
username@hostname> show system info
hostname: mgmt-device
ip-address: 10.1.7.1
netmask: 255.255.0.0
default-gateway: 10.1.0.1
radius-server: 127.0.0.1
radius-secret: xxxxxxxx

The following command displays the system tree entries that begin with the string cfg.env.slot1.
username@hostname> show system state filter cfg.env.slot1*
cfg.env.slot1.power0.high-limit: 1.26
cfg.env.slot1.power0.low-limit: 1.0
cfg.env.slot1.power1.high-limit: 1.26
cfg.env.slot1.power1.low-limit: 1.14
cfg.env.slot1.power2.high-limit: 1.575
cfg.env.slot1.power2.low-limit: 1.425
cfg.env.slot1.power3.high-limit: 1.89
cfg.env.slot1.power3.low-limit: 1.71
...

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show target-vsys
Show information about the target virtual systems.

Syntax
show target-vsys

Options
None

Sample Output
The following command shows information about target virtual systems.
username@hostname> show target-vsys
vsys1
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show threat
Show threat ID descriptions.

Syntax
show threat id value

Options
value Specifies the threat ID.

Sample Output
The following command shows threat ID descriptions for ID 11172.
username@hostname> show threat id 11172
This signature detects the runtime behavior of the spyware MiniBug. MiniBug, also known as Weatherbug, installs other spyware, such as WeatherBug, and My Web Search Bar. It is also adware program that displays advertisements in its application window.
medium
http://www.spywareguide.com/product_show.php?id=2178
http://www.spyany.com/program/article_spw_rm_Minibug.htm
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show ts-agent
Show information about the Terminal Services agent (TS agent).

Syntax
show ts-agent option

Options
statistics   Displays information about the TS agent configuration.
user-IDs     Displays information about the users who are connected through the TS agent.

Sample Output
The following command displays information about the users who are connecting through the TS agent.
username@hostname> show ts-agent statistics
IP Address    Port   Vsys    State       Users
-------------------------------------------------------------
10.1.200.1    5009   vsys1   connected   8
10.16.3.249   5009   vsys1   connected   10
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show url-database
Displays the name of the database that is being used for URL filtering.

Syntax
show url-database

Options
None

Sample Output
The following command displays the name of the URL database.
admin@PA-HDF> show url-database
brightcloud
admin@PA-HDF>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show virtual-wire
Show information about virtual wire interfaces.

Syntax
show virtual-wire [value | all]

Options
value   Specifies a virtual wire interface.
all     Shows information for all virtual wire interfaces.

Sample Output
The following command displays information for the default virtual wire interface.
username@hostname> show virtual-wire default-vwire

total virtual-wire shown :

name            interface1    interface2
------------------------------------------------------------------------------
default-vwire   ethernet1/1   ethernet1/2
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show vlan
Show VLAN information.

Syntax
show vlan [value | all]

Options
value   Specifies a virtual wire interface.
all     Shows information for all virtual wire interfaces.

Sample Output
The following command displays information for all VLANs.
username@hostname> show vlan all
vlan {
  Vlan56 {
    interface [ ethernet1/5 ethernet1/6 ];
    stp {
      enabled no;
    }
    rstp {
      enabled no;
    }
  }
  Vlan11-12 {
    interface [ ethernet1/11 ethernet1/12 ];
    stp {
      enabled no;
    }
    rstp {
      enabled no;
    }
  }
}
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show vpn
Show VPN information.

Syntax
show vpn flow [tunnel-id tunnelid]
show vpn gateway [gateway gatewayid]
show vpn ike-sa [gateway gatewayid]
show vpn ipsec-sa [tunnel tunnelid]
show vpn tunnel [name tunnelid]

Options
flow       Shows information about the VPN tunnel on the data plane. Specify the tunnel or press Enter to apply to all tunnels.
gateway    Shows IKE gateway information. Specify the gateway or press Enter to apply to all gateways.
ike-sa     Shows information about the active IKE SA. Specify the gateway or press Enter to apply to all gateways.
ipsec-sa   Shows information about IPsec SA tunnels. Specify the tunnel or press Enter to apply to all tunnels.
tunnel     Shows information about auto-key IPSec tunnels. Specify the tunnel or press Enter to apply to all tunnels.
name       Shows information about the VPN tunnel. Specify the tunnel or press Enter to apply to all tunnels.

Sample Output
The following command shows VPN information for the auto key IPsec tunnel k1.
username@hostname> show vpn tunnel name k1
TnID   Name(Gateway)     Local Proxy ID   Local Proxy ID   Proposals
-------------------------------------------
7      pan5gt(pan-5gt)   0.0.0.0/0        0.0.0.0/0        ESP tunl [DH2][AES128,3DES][SHA1] 90-sec
Total 1 tunnels found, 0 ipsec sa found, 0 error
username@hostname>

The following command shows VPN information for the IKE gateway g2.
username@hostname> show vpn tunnel name g2
GwID   Name             Peer Address/ID   Local Address/ID   Protocol     Proposals
----   ---------------------------------                     ----------------
3      falcon-kestrel   35.1.15.1         35.1.15.40         Auto(main)   [PSK][DH2][AES128,3DES][SHA1] 28800-sec
Total 1 gateways found, 0 ike sa found, 0 error.
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show zip
Shows whether the ability to unzip a file and apply the policy to the uncompressed content is enabled. The default is enabled.

Syntax
show zip setting

Options
None

Sample Output
The following command shows that the unzip option is enabled.
username@hostname> show zip setting
zip engine is enabled
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader

show zone-protection
Shows the running configuration status and run time statistics for zone protection elements.

Syntax
show zone-protection [zone zonename]

Options
zonename Specifies the name of a zone.

Sample Output
The following command shows statistics for the trust zone.
username@hostname> show zone-protection zone trust
---------------------------------------------------------------------------
Zone trust, vsys vsys1, profile custom-zone-protection
---------------------------------------------------------------------------
tcp-syn              enabled: no
---------------------------------------------------------------------------
udp                  RED enabled: no
---------------------------------------------------------------------------
icmp                 RED enabled: no
---------------------------------------------------------------------------
other-ip             RED enabled: no
---------------------------------------------------------------------------
packet filter:
  discard-ip-spoof:             enabled: no
  discard-ip-frag:              enabled: no
  discard-icmp-ping-zero-id:    enabled: no
  discard-icmp-frag:            enabled: no
  discard-icmp-large-packet:    enabled: no
  reply-icmp-timeexceeded:      enabled: no
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin, superreader, vsysreader
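
An added example, not part of the Palo Alto Networks guide: a Python check that reads captured show zone-protection output and lists every setting that reports "enabled: no". The one-item-per-line layout of the embedded sample is an assumption reconstructed from the sample output above, and the function names are hypothetical.

```python
import re

# Constructed input: the guide's "show zone-protection zone trust" sample,
# laid out one item per line (the column spacing is an assumption).
SAMPLE = """\
username@hostname> show zone-protection zone trust
---------------------------------------------------------------------------
Zone trust, vsys vsys1, profile custom-zone-protection
---------------------------------------------------------------------------
tcp-syn              enabled: no
---------------------------------------------------------------------------
udp                  RED enabled: no
---------------------------------------------------------------------------
icmp                 RED enabled: no
---------------------------------------------------------------------------
other-ip             RED enabled: no
---------------------------------------------------------------------------
packet filter:
  discard-ip-spoof:             enabled: no
  discard-ip-frag:              enabled: no
  discard-icmp-ping-zero-id:    enabled: no
  discard-icmp-frag:            enabled: no
  discard-icmp-large-packet:    enabled: no
  reply-icmp-timeexceeded:      enabled: no
username@hostname>
"""

# "Zone <name>, vsys <vsys>, profile <profile>" opens a new zone block.
ZONE_RE = re.compile(r"^Zone\s+(\S+),\s+vsys\s+(\S+),\s+profile\s+(\S+)")
# "<setting>[:]  [RED] enabled: yes|no" is one setting inside the block.
ITEM_RE = re.compile(r"^\s*([\w-]+):?\s+(?:RED\s+)?enabled:\s*(yes|no)\s*$")


def parse_zone_protection(text):
    """Return one dict per zone: zone, vsys, profile, settings{name: bool}."""
    zones = []
    current = None
    for line in text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            current = {"zone": m.group(1), "vsys": m.group(2),
                       "profile": m.group(3), "settings": {}}
            zones.append(current)
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            current["settings"][m.group(1)] = (m.group(2) == "yes")
    return zones


def audit(text):
    """Return (zone, setting) pairs that are off.

    A zone header with no parsable settings is reported too, so that a
    changed output format is not mistaken for a clean result.
    """
    findings = []
    for zone in parse_zone_protection(text):
        if not zone["settings"]:
            findings.append((zone["zone"], "<no settings parsed>"))
        for name, enabled in zone["settings"].items():
            if not enabled:
                findings.append((zone["zone"], name))
    return findings


if __name__ == "__main__":
    for zone, name in audit(SAMPLE):
        print(f"zone {zone}: {name} is not enabled")
```
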

ssh
Open a secure shell (SSH) connection to another host.

Syntax
ssh [inet] [port number] [source address] [v1 | v2] [user@]host

Options
inet      Specifies that IP version 4 be used.
port      Specifies a port on the other host. (default 22)
source    Specifies a source IP address.
version   Specifies SSH version 1 or 2 (default is version 2)
user@     Specifies a user name on the other host.
host      Specifies the IP address of the other host.

Sample Output
The following command opens an SSH connection to host 10.0.0.250 using SSH version 2.
username@hostname> ssh v2 user@10.0.0.250
user@10.0.0.250's password:
#

Required Privilege Level


superuser, vsysadmin, deviceadmin

tail
Print the last 10 lines of a debug file.

Syntax
tail [follow] [lines] file

Options
follow   Adds appended data as the file grows.
lines    Lists the last N lines, instead of the last 10.
file     Specifies the debug file.

Sample Output
The following command displays the last 10 lines of the /var/log/pan/masterd.log file.
username@hostname> tail /var/log/pan/masterd.log
[09:32:46] Successfully started process 'mgmtsrvr' instance '1'
[09:32:47] Successfully started process 'appWeb' instance '1'
[09:32:47] Started group 'pan' start script 'octeon' with options 'start'
[09:32:48] Process 'appWeb' instance '1' exited normally with status '7'
[09:32:48] Process 'appWeb' instance '1' has no further exit rules
[09:32:53] Successfully started process 'pan-ez-agent' instance '1'
[09:32:53] Process 'pan-ez-agent' instance '1' exited normally with status '0'
[09:32:53] Process 'pan-ez-agent' instance '1' has no further exit rules
[09:32:54] Successfully started process 'pan_netconfig_agent' instance '1'
[09:32:54] Finished initial start of all processes
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

telnet
Open a Telnet session to another host.

Syntax
telnet [8bit] [port] host

Options
8bit   Indicates that 8-bit data will be used.
port   Specifies the port number for the other host.
host   Specifies the IP address of the other host.

Sample Output
The following command opens a Telnet session to the host 1.2.5.5 using 8-bit data.
username@hostname> telnet 8bit 1.2.5.5

Required Privilege Level


superuser, vsysadmin, deviceadmin

test
Run tests based on installed security policies.

Syntax
test nat policy-match source src-ip destination dst-ip destination-port port protocol protocol from zone1 to zone2
test nat policy-match application name source src-ip destination dst-ip destination-port port protocol protocol from zone1 to zone2
test routing fib-lookup ip ipaddress virtual router virtualrouterid
test vpn flow [ike-sa [gateway gatewayid] | ipsec-sa [tunnel tunnelid]]

Options
name         Specifies the name of an application. Enter any to include all applications.
src-ip       Specifies the source IP address for the test.
dst-ip       Specifies the destination IP address for the test.
port         Specifies the destination port for the test.
zone1        Specifies the source security zone.
zone2        Specifies the destination security zone.
fib-lookup   Specifies the route to test within the active routing table. Specify an IP address and virtual router.
ike-sa       Performs the tests only for the negotiated IKE SA. Specify a gateway or press Enter to run the test for all gateways.
ipsec-sa     Performs the tests for IPsec SA (and IKE SA if necessary). Specify a tunnel or press Enter to run the test for all tunnels.

Sample Output
The following command tests whether the set of criteria will match any of the existing rules in the security rule base.
username@hostname> test security-policy-match from trust to untrust application google-talk source 10.0.0.1 destination 192.168.0.1 protocol 6 destination-port 80 source-user known-user
Matched rule: 'rule1' action: allow
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin

tftp
Use Trivial File Transfer Protocol (TFTP) to copy files between the firewall and another host.

Syntax
tftp [export export-option [control-plane | data-plane] to target | import import-option] [remote-port portnumber] [from source]

Options
export export-option   Specifies the type of file to export to the other host.
    Option                       Description
    application                  Application packet capture file.
    captive-portal-text          Text to be included in a captive portal.
    configuration                Configuration file.
    core-file                    Core file.
    debug-pcap                   IKE negotiation packet capture file.
    file-block-page              File containing comfort pages to be presented when files are blocked.
    filter                       Filter definitions.
    log-file                     Log files.
    log-db                       Log database.
    packet-log                   Logs of packet data.
    spyware-block-page           Comfort page to be presented when files are blocked due to spyware.
    ssl-optout-text              SSL optout text.
    tech-support                 Technical support information.
    trusted-ca-certificate       Certificate Authority (CA) security certificate.
    url-block-page               Comfort page to be presented when files are blocked due to a blocked URL.
    virus-block-page             Comfort page to be presented when files are blocked due to a virus.
    web-interface-certificate    Web interface certificate.

import import-option   Specifies the type of file to import from the other host.
    Option                       Description
    captive-portal-text          Text to be included in a captive portal.
    configuration                Configuration file.
    content                      Database content.
    file-block-page              File containing comfort pages to be presented when files are blocked.
    license                      License key file.
    private-key                  SSL private key file.
    software                     Software package.
    spyware-block-page           Comfort page to be presented when files are blocked due to spyware.
    ssl-decryption-certificate   SSL decryption certificate.
    ssl-optout-text              SSL optout text.
    trusted-ca-certificate       Certificate Authority (CA) security certificate.
    url-block-page               Comfort page to be presented when files are blocked due to a blocked URL.
    virus-block-page             Comfort page to be presented when files are blocked due to a virus.
    web-interface-certificate    Web interface certificate.

control-plane   Indicates that the file contains control information.
data-plane      Indicates that the file contains information about data traffic.
port-number     Specifies the port number on the remote host.
target          Specifies the destination in the format username@host:path.
source          Specifies the file to be copied in the format username@host:path.

The following command imports a license file from a file in user1's account on the machine with IP address 10.0.3.4.
username@hostname> tftp import ssl-certificate from user1@10.0.3.4:/tmp/certificatefile

Required Privilege Level


superuser, vsysadmin, deviceadmin

traceroute
Display information about the route packets take to another host.

Syntax
traceroute [base-udp-port port][bypass-routing][debug-socket][do-not-fragment][first-ttl ttl][gateway][icmp-echo][max-ttl ttl][no-resolve][pause][source ip][toggle-ip-checksums][tos][verbose][wait] host

Options
base-udp-port port    Specifies the base UDP port used in probes (default is 33434).
bypass-routing        Sends the request directly to the host on a direct attached network, bypassing usual routing table.
debug-socket          Enables socket level debugging.
do-not-fragment       Sets the do-not-fragment bit.
first-ttl ttl         Sets the time-to-live in the first outgoing probe packet in number of hops.
gateway               Specifies a loose source router gateway (maximum 8).
icmp-echo             Uses ICMP ECHO requests instead of UDP datagrams.
max-ttl ttl           Sets the maximum time-to-live in number of hops.
no-resolve            Does not attempt to print resolved domain names.
pause                 Sets the time to pause between probes (milliseconds).
source ip             Specifies the source IP address for the command.
toggle-ip-checksums   Toggles the IP checksum of the outgoing packets for the traceroute command.
tos                   Specifies the type of service (TOS) treatment for the packets by way of the TOS bit for the IP header in the ping packet (0-255).
verbose               Requests complete details of the traceroute request.
wait                  Specifies a delay in transmission of the traceroute request (seconds).
host                  Specifies the IP address or domain name of the other host.

Sample Output
The following command displays information about the route from the firewall to www.google.com.
username@hostname> traceroute www.paloaltonetworks.com
traceroute to www.paloaltonetworks.com (72.32.199.53), 30 hops max, 38 byte packets
 1  10.1.0.1 (10.1.0.1) 0.399 ms 1.288 ms 0.437 ms
 2  64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.910 ms dsl027-186189.sfo1.dsl.speakeasy.net (216.27.186.189) 1.012 ms 64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.865 ms
 3  dsl027-182-001.sfo1.dsl.speakeasy.net (216.27.182.1) 16.768 ms 581.420 ms 64.3.142.37.ptr.us.xo.net (64.3.142.37) 219.190 ms
 4  ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21) 228.551 ms 110.ge-0-00.cr1.sfo1.speakeasy.net (69.17.83.189) 12.352 ms ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21) 218.547 ms
 5  ge-5-3-0.mpr3.pao1.us.above.net (209.249.11.177) 13.212 ms p4-00.rar2.sanjose-ca.us.xo.net (65.106.5.137) 273.935 ms 221.313 ms
 6  p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178) 139.212 ms so-1-21.mpr1.sjc2.us.above.net (64.125.28.141) 13.348 ms p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178) 92.795 ms
 7  so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246) 12.069 ms 206.111.12.146.ptr.us.xo.net (206.111.12.146) 93.278 ms so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246) 556.033 ms
 8  tbr1p013201.sffca.ip.att.net (12.123.13.66) 52.726 ms so-3-20.cr1.dfw2.us.above.net (64.125.29.54) 61.875 ms tbr1p013201.sffca.ip.att.net (12.123.13.66) 58.462 ms
    MPLS Label=32537 CoS=0 TTL=1 S=1
 9  64.124.12.6.available.above.net (64.124.12.6) 74.828 ms tbr1cl3.la2ca.ip.att.net (12.122.10.26) 62.533 ms 64.124.12.6.available.above.net (64.124.12.6) 60.537 ms
10  tbr1cl20.dlstx.ip.att.net (12.122.10.49) 60.617 ms vlan901.core1.dfw1.rackspace.com (72.3.128.21) 59.881 ms 60.429 ms
11  gar1p360.dlrtx.ip.att.net (12.123.16.169) 108.713 ms aggr5a.dfw1.rackspace.net (72.3.129.19) 58.049 ms gar1p360.dlrtx.ip.att.net (12.123.16.169) 173.102 ms
12  72.32.199.53 (72.32.199.53) 342.977 ms 557.097 ms 60.899 ms
username@hostname>

Required Privilege Level


superuser, vsysadmin, deviceadmin


view-pcap
Examine the content of packet capture files.

Syntax
view-pcap option filename

Options
option      Specifies the type of information to report.

            Option                  Description
            absolute-seq            Displays absolute TCP sequence numbers.
            delta                   Displays a delta (in microseconds) between current and previous line.
            hex                     Displays each packet (minus link header) in hex.
            hex-ascii               Displays each packet (minus link header) in hex and ASCII.
            hex-ascii-link          Displays each packet (including link header) in hex and ASCII.
            hex-link                Displays each packet (including link header) in hex.
            link-header             Displays the link-level header on each dump line.
            no-dns-lookup           Does not convert host addresses to names.
            no-port-lookup          Does not convert protocol and port numbers to names.
            no-qualification        Does not print domain name qualification of host names.
            timestamp               Displays timestamp preceded by date.
            undecoded-nfs           Displays undecoded NFS handles.
            unformattedtimestamp    Displays an unformatted timestamp.
            verbose                 Displays verbose output.
            verbose+                Displays more verbose output.
            verbose++               Displays the maximum output details.

filename    Name of the packet capture file.


Sample Output
The following command displays the contents of the packet capture file /var/session/pan/filters/syslog.pcap in ASCII and hex formats.
username@hostname> view-pcap hex-ascii /var/session/pan/filters/syslog.pcap
reading from file /var/session/pan/filters/syslog.pcap, link-type EN10MB (Ethernet)
08:34:31.922899 IP 10.0.0.244.32884 > jdoe.paloaltonetworks.local.syslog: UDP, length 314
0x0000: 4500 0156 0000 4000 4011 2438 0a00 00f4 E..V..@.@.$8....
0x0010: 0a00 006c 8074 0202 0142 d163 3c31 3137 ...l.t...B.c<117
0x0020: 3e41 7072 2020 3233 2030 383a 3334 3a33 >Apr..23.08:34:3
0x0030: 3420 312c 3034 2f32 3320 3038 3a33 343a 4.1,04/23.08:34:
0x0040: 3334 2c54 4852 4541 542c 7572 6c2c 312c 34,THREAT,url,1,
0x0050: 3034 2f32 3320 3038 3a33 343a 3235 2c31 04/23.08:34:25,1
0x0060: 302e 302e 302e 3838 2c32 3039 2e31 3331 0.0.0.88,209.131
0x0070: 2e33 362e 3135 382c 302e 302e 302e 302c .36.158,0.0.0.0,
0x0080: 302e 302e 302e 302c 6c32 2d6c 616e 2d6f 0.0.0.0,l2-lan-o
0x0090: 7574 2c77 6562 2d62 726f 7773 696e 672c ut,web-browsing,
0x00a0: 7673 7973 312c 6c32 2d6c 616e 2d74 7275 vsys1,l2-lan-tru
0x00b0: 7374 2c6c 322d 6c61 6e2d 756e 7472 7573 st,l2-lan-untrus
0x00c0: 742c 6574 6865 726e 6574 312f 3132 2c65 t,ethernet1/12,e
0x00d0: 7468 6572 6e65 7431 2f31 312c 466f 7277 thernet1/11,Forw
0x00e0: 6172 6420 746f 204d 696b 652c 3034 2f32 ard.to.Mike,04/2
0x00f0: 3320 3038 3a33 343a 3334 2c38 3336 3435 3.08:34:34,83645
0x0100: 372c 322c 3438 3632 2c38 302c 302c 302c 7,2,4862,80,0,0,
0x0110: 3078 302c 7463 7028 3629 2c61 6c65 7274 0x0,tcp(6),alert
0x0120: 2c77 7777 2e79 6168 6f6f 2e63 6f6d 2f70 ,www.yahoo.com/p
0x0130: 2e67 6966 3f2c 2c73 6561 7263 682d 656e .gif?,,search-en
0x0140: 6769 6e65 732c 696e 666f 726d 6174 696f gines,informatio
0x0150: 6e61 6c2c 3000 nal,0.

Required Privilege Level


superuser, vsysadmin, deviceadmin
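
The view-pcap hex-ascii sample output above can be decoded offline. The following Python code is an added example, not part of the PAN-OS guide or of any Palo Alto Networks tool: it rebuilds the packet from the dump lines, verifies the IPv4 header checksum, and splits the syslog payload into fields. The function names are hypothetical, and the code assumes the hex-ascii layout seen in the sample (an ASCII column with no spaces) and IPv4/UDP packets.

```python
import csv
import ipaddress
import re
import struct

# Packet lines copied from the view-pcap hex-ascii sample output on this page.
SAMPLE_DUMP = """\
08:34:31.922899 IP 10.0.0.244.32884 > jdoe.paloaltonetworks.local.syslog: UDP, length 314
0x0000: 4500 0156 0000 4000 4011 2438 0a00 00f4 E..V..@.@.$8....
0x0010: 0a00 006c 8074 0202 0142 d163 3c31 3137 ...l.t...B.c<117
0x0020: 3e41 7072 2020 3233 2030 383a 3334 3a33 >Apr..23.08:34:3
0x0030: 3420 312c 3034 2f32 3320 3038 3a33 343a 4.1,04/23.08:34:
0x0040: 3334 2c54 4852 4541 542c 7572 6c2c 312c 34,THREAT,url,1,
0x0050: 3034 2f32 3320 3038 3a33 343a 3235 2c31 04/23.08:34:25,1
0x0060: 302e 302e 302e 3838 2c32 3039 2e31 3331 0.0.0.88,209.131
0x0070: 2e33 362e 3135 382c 302e 302e 302e 302c .36.158,0.0.0.0,
0x0080: 302e 302e 302e 302c 6c32 2d6c 616e 2d6f 0.0.0.0,l2-lan-o
0x0090: 7574 2c77 6562 2d62 726f 7773 696e 672c ut,web-browsing,
0x00a0: 7673 7973 312c 6c32 2d6c 616e 2d74 7275 vsys1,l2-lan-tru
0x00b0: 7374 2c6c 322d 6c61 6e2d 756e 7472 7573 st,l2-lan-untrus
0x00c0: 742c 6574 6865 726e 6574 312f 3132 2c65 t,ethernet1/12,e
0x00d0: 7468 6572 6e65 7431 2f31 312c 466f 7277 thernet1/11,Forw
0x00e0: 6172 6420 746f 204d 696b 652c 3034 2f32 ard.to.Mike,04/2
0x00f0: 3320 3038 3a33 343a 3334 2c38 3336 3435 3.08:34:34,83645
0x0100: 372c 322c 3438 3632 2c38 302c 302c 302c 7,2,4862,80,0,0,
0x0110: 3078 302c 7463 7028 3629 2c61 6c65 7274 0x0,tcp(6),alert
0x0120: 2c77 7777 2e79 6168 6f6f 2e63 6f6d 2f70 ,www.yahoo.com/p
0x0130: 2e67 6966 3f2c 2c73 6561 7263 682d 656e .gif?,,search-en
0x0140: 6769 6e65 732c 696e 666f 726d 6174 696f gines,informatio
0x0150: 6e61 6c2c 3000 nal,0.
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+(\S.*\S)\s*$")

def packets_from_dump(text):
    """Rebuild each packet (minus link header) from hex-ascii dump lines."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        match = HEX_LINE.match(line)
        if not match:
            continue  # prompt, "reading from file", or per-packet summary line
        offset = int(match.group(1), 16)
        if offset == 0 and current:  # offset 0 starts the next packet
            packets.append(bytes(current))
            current = bytearray()
        # Assumption from the sample: one ASCII character per byte, no spaces,
        # so the last token is the ASCII column and the rest are hex groups.
        *hex_groups, ascii_col = match.group(2).split()
        chunk = bytes.fromhex("".join(hex_groups))
        if offset != len(current) or len(chunk) != len(ascii_col):
            raise ValueError(f"damaged dump line at offset 0x{offset:04x}")
        current += chunk
    if current:
        packets.append(bytes(current))
    return packets

def header_checksum_ok(header):
    """RFC 1071: the one's-complement sum of a valid IPv4 header is 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4_udp(packet):
    """Decode the IPv4 and UDP headers and return the UDP payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8:
        raise ValueError("truncated or malformed IPv4 header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    sport, dport, udp_len = struct.unpack("!HHH", packet[ihl:ihl + 6])
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "sport": sport, "dport": dport,
        "checksum_ok": header_checksum_ok(packet[:ihl]),
        "complete": len(packet) >= total_len,  # False if the capture was cut
        "payload": packet[ihl + 8:ihl + udp_len],
    }

def parse_syslog(payload):
    """Split a syslog datagram into PRI parts and comma-separated fields."""
    match = re.match(rb"<(\d{1,3})>", payload)
    if not match:
        raise ValueError("no syslog PRI header")
    pri = int(match.group(1))
    text = payload[match.end():].rstrip(b"\x00").decode("ascii", "replace")
    fields = next(csv.reader([text]))
    return {"facility": pri >> 3, "severity": pri & 7, "fields": fields}

if __name__ == "__main__":
    for pkt in packets_from_dump(SAMPLE_DUMP):
        info = parse_ipv4_udp(pkt)
        log = parse_syslog(info["payload"])
        print(info["src"], info["sport"], "->", info["dst"], info["dport"])
        print("header checksum ok:", info["checksum_ok"], log["fields"])
```

Run against the sample, the decoded payload is the complete THREAT log line, which shows that this syslog feed crosses the network as readable cleartext over UDP port 514.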


Chapter 5

Maintenance Mode
Maintenance mode provides support for error recovery and diagnostics, and allows you to reset the firewall to factory defaults. This chapter describes how to enter Maintenance mode:

"Entering Maintenance Mode" in the next section
"Using Maintenance Mode" on page 186

Entering Maintenance Mode


The system enters Maintenance mode automatically if a critical error is discovered, or you can enter Maintenance mode explicitly when booting the firewall. Critical failure can be due to service errors, bootloader corruption, or disk filesystem errors. You can enter Maintenance mode in either of the following ways:

Serial cable to the serial port on the firewall. For serial cable specifications, refer to the Hardware Reference Guide for your firewall model.
Secure Socket Layer (SSL). SSL access is supported if the firewall has already entered Maintenance mode (either automatically or explicitly during bootup).


Entering Maintenance Mode Upon Bootup


To enter Maintenance mode upon bootup:
1. Press m when prompted by the bootloader.
2. Press any key on your keyboard when prompted to stop the automatic boot, and then select Maint as the booting partition.


Entering Maintenance Mode Automatically


If the system detects a critical error it will automatically fail over to Maintenance mode. When the firewall enters Maintenance mode, messages are displayed on the serial console, web interface, and CLI interface. The serial console displays the following message.

The web interface displays the following message.


The SSH interface displays the following message.


ATTENTION: A critical error has been detected preventing proper boot up of the device. Please contact Palo Alto Networks to resolve this issue at 866-898-9087 or support@paloaltonetworks.com. The system is in maintenance mode. Connect via serial console or with user 'maint' through ssh to access the recovery tool.

Using Maintenance Mode


The Maintenance mode main menu displays the following options.


The following table describes the Maintenance mode selections that are accessible without entering a password.

Table 4. General Maintenance Mode Options

Option                      Description
Maintenance Entry Reason    Indicates why the system entered Maintenance mode and includes possible recovery steps.
Get System Info             Displays basic information about the system. This information is useful when obtaining assistance from Customer Support.
FSCK (Disk Check)           Provides the ability to run a file system check (FSCK) on various partitions.
Log Files                   Allows viewing and copying of log files from the system.
Disk Image                  Allows the system to revert back to the previously installed software version.
Content Rollback            Allows a rollback to the previously installed content version.
Reboot                      Reboots the firewall.

Some of the options are password protected to prevent accidental changes that could leave the system in an inoperative state. The password is intended as a safeguard and is not meant to be secret. The password is MA1NT (numeral 1).

Table 5. General Maintenance Mode Options

Option                 Description
Factory Reset          Returns the firewall to the factory default state. The reset includes an option to scrub the Config and Log partitions using a National Nuclear Security Administration (NNSA) or Department of Defense (DOD) compliant scrubbing algorithm. Note: Scrubbing can take up to six hours to complete.
Bootloader Recovery    Reprograms the main bootloader with the latest bootloader image on the system. Use this option if the failsafe bootloader is running and recovery of the main bootloader is required. (PA-2000 and PA-500 systems only)
Disk Image Advanced    These options provide greater granularity and control over installation, including status, history, bootstrapping, and other commands.
Diagnostics            Tests the dataplane booting and dataplane memory, and runs disk performance tests with bonnie++.


Appendix A CONFIGURATION HIERARCHY


This appendix presents the complete firewall configuration hierarchies for the application identification firewall and for Panorama:

"Firewall Hierarchy" in the next section
"Panorama Hierarchy" on page 251

Firewall Hierarchy
operations { schedule { commit; OR... uar-report { user <value>; title <value>; period <value>; start-time <value>; end-time <value>; } } OR... clear { application-signature { statistics; } OR... arp |<value>; OR... counter { interface; OR... global { filter { category <value>; severity <value>; aspect <value>; } OR... name <value>; } OR...


all; } OR... dhcp { lease { all; OR... interface { name <value>; ip <ip>; mac <mac-address>; } } } OR... high-availability { control-link { statistics; } } OR... job { id 0-4294967295; } OR... log { traffic; OR... threat; OR... config; OR... system; OR... acc; } OR... mac |<value>; OR... query { all-by-session; OR... id 0-4294967295; } OR... report { all-by-session; OR... id 0-4294967295; } OR... session { all { filter { nat none|source|destination|both; proxy yes|no; type flow|predict; state initial|opening|active|discard|closing|closed; from <value>;


to <value>; source <value>; destination <value>; source-user <value>; destination-user <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; application <value>; rule <value>; nat-rule <value>; } } OR... id 1-2147483648; } OR... statistics; OR... vpn { ike-sa { gateway <value>; } OR... ipsec-sa { tunnel <value>; } OR... flow { tunnel-id 1-2147483648; } } } OR... delete { admin-sessions; OR... application-block-page; OR... captive-portal-text; OR... config { saved <value>; } OR... config-audit-history; OR... content { update <value>; } OR... core { data-plane { file <value>; } OR... control-plane { file <value>; }


} OR... data-capture { directory <value>; } OR... debug-filter { file <value>; } OR... file-block-page; OR... inbound-key { file <value>; } OR... license { key <value>; } OR... logo; OR... pcap { directory <value>; } OR... policy-cache; OR... report { predefined { report-name <value>; file-name <value>; } OR... custom { report-name <value>; file-name <value>; } OR... summary { report-name <value>; file-name <value>; } } OR... root-certificate { file <value>; } OR... software { image <value>; OR... version <value>; } OR... spyware-block-page; OR... ssl-optout-text; OR...


threat-pcap { directory <value>; } OR... unknown-pcap { directory <value>; } OR... url-block-page; OR... url-coach-text; OR... url-coach-text; OR... user-file { ssh-known-hosts; } OR... virus-block-page; } OR... show { admins { all; } OR... arp ||<value>; OR... chassis-ready; OR... cli { info; OR... idle-timeout; } OR... clock; OR... config { diff; OR... running { xpath <value>; } OR... synced; OR... candidate; OR... pushed { vsys <value>; } OR... audit { info; OR... base-version <value>|; OR... base-version-no-deletes <value>|;


OR... version <value>|; } OR... saved <value>; } OR... counter { management-server; OR... global { filter { category <value>; severity <value>; aspect <value>; delta yes|no; value all|non-zero; } OR... name <value>; } OR... interface |<value>; } OR... ctd { state; OR... threat { id 1-4294967295; application 0-4294967295; profile 0-4294967295; } OR... url-block-cache; } OR... dhcp { lease |<value>; } OR... high-availability { all; OR... state; OR... link-monitoring; OR... path-monitoring; OR... state-synchronization; OR... control-link { statistics; } } OR... interface |||<value>; OR...


jobs { all; OR... pending; OR... processed; OR... id 1-4294967296; } OR... local-user-db { vsys <value>; username <value>; disabled yes|no; } OR... location { ip <ip>; } OR... log { traffic { direction { equal forward|backward; } csv-output { equal yes|no; } query { equal <value>; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } start-time { equal <value>; } end-time { equal <value>; } src { in <ip/netmask>; OR... not-in <ip/netmask>; } dst { in <ip/netmask>; OR... not-in <ip/netmask>; } rule { equal <value>; OR... not-equal <value>; } app { equal <value>; OR...


not-equal <value>; } from { equal <value>; OR... not-equal <value>; } to { equal <value>; OR... not-equal <value>; } sport { equal 1-65535; OR... not-equal 1-65535; } dport { equal 1-65535; OR... not-equal 1-65535; } action { equal allow|deny|drop; OR... not-equal allow|deny|drop; } srcuser { equal <value>; } dstuser { equal <value>; } } OR... threat { suppress-threatid-mapping { equal yes|no; } direction { equal forward|backward; } csv-output { equal yes|no; } query { equal <value>; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } start-time { equal <value>; } end-time { equal <value>; } src {


in <ip/netmask>; OR... not-in <ip/netmask>; } dst { in <ip/netmask>; OR... not-in <ip/netmask>; } rule { equal <value>; OR... not-equal <value>; } app { equal <value>; OR... not-equal <value>; } from { equal <value>; OR... not-equal <value>; } to { equal <value>; OR... not-equal <value>; } sport { equal 1-65535; OR... not-equal 1-65535; } dport { equal 1-65535; OR... not-equal 1-65535; } action { equal alert|allow|deny|drop|drop-all-packets|reset-client|resetserver|reset-both|block-url; OR... not-equal alert|allow|deny|drop|drop-all-packets|resetclient|reset-server|reset-both|block-url; } srcuser { equal <value>; } dstuser { equal <value>; } category { equal <value>; OR... not-equal <value>; } subtype { equal url|file;


} } OR... config { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal <value>; } start-time { equal <value>; } end-time { equal <value>; } client { equal web|cli; OR... not-equal web|cli; } cmd { equal add|clone|commit|create|delete|edit|get|load-fromdisk|move|rename|save-to-disk|set; OR... not-equal add|clone|commit|create|delete|edit|get|load-fromdisk|move|rename|save-to-disk|set; } result { equal succeeded|failed|unauthorized; OR... not-equal succeeded|failed|unauthorized; } } OR... system { direction { equal forward|backward; } opaque { contains <value>; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal <value>; }


start-time { equal <value>; } end-time { equal <value>; } severity { equal critical|high|medium|low|informational; OR... not-equal critical|high|medium|low|informational; OR... greater-than-or-equal critical|high|medium|low|informational; OR... less-than-or-equal critical|high|medium|low|informational; } subtype { equal <value>; OR... not-equal <value>; } object { equal <value>; OR... not-equal <value>; } eventid { equal <value>; OR... not-equal <value>; } id { equal <value>; OR... not-equal <value>; } } OR... appstat { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal <value>; } start-time { equal <value>; } end-time { equal <value>; } name { equal <value>;


OR... not-equal <value>; } type { equal <value>; OR... not-equal <value>; } risk { equal 1|2|3|4|5; OR... not-equal 1|2|3|4|5; OR... greater-than-or-equal 1|2|3|4|5; OR... less-than-or-equal 1|2|3|4|5; } } OR... trsum { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal <value>; } start-time { equal <value>; } end-time { equal <value>; } app { equal <value>; OR... not-equal <value>; } src { in <value>; } dst { in <value>; } rule { equal <value>; OR... not-equal <value>; } srcuser { equal <value>; OR... not-equal <value>;


} dstuser { equal <value>; OR... not-equal <value>; } srcloc { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } dstloc { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } } OR... thsum { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } query { equal <value>; } start-time { equal <value>; } end-time { equal <value>; } app { equal <value>; OR... not-equal <value>; } src { in <value>; } dst { in <value>; } rule { equal <value>;


OR... not-equal <value>; } srcuser { equal <value>; OR... not-equal <value>; } dstuser { equal <value>; OR... not-equal <value>; } srcloc { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } dstloc { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } threatid { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } subtype { equal <value>; OR... not-equal <value>; } } } OR... logging; OR... mac |<value>; OR... management-clients; OR... multi-vsys; OR... object { ip <ip>; vsys <value>;


} OR... pan-agent { statistics; OR... user-IDs; } OR... pan-ntlm-agent { statistics; } OR... proxy { setting; OR... certificate-cache; OR... certificate; OR... notify-cache; OR... exclude-cache; OR... memory { detail; } } OR... query { id 1-4294967296; OR... jobs; } OR... report { id 1-4294967296; OR... jobs; OR... predefined { name { equal top-attackers|top-victims|top-attackers-by-countries|topvictims-by-countries|top-sources|top-destinations|top-destinationcountries|top-source-countries|top-connections|top-ingress-interfaces|topegress-interfaces|top-ingress-zones|top-egress-zones|top-applications|tophttp-applications|top-rules|top-attacks|top-spyware-threats|top-viruses|topvulnerabilities|top-websites|top-url-categories|top-url-users|top-url-userbehavior|unknown-tcp-connections|unknown-udp-connections|top-deniedsources|top-denied-destinations|top-denied-applications; } start-time { equal <value>; } end-time { equal <value>; } } OR... custom {


database { equal appstat|threat|thsum|traffic|trsum; } topn { equal <value>; } receive_time { in last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } query { equal <value>; } aggregate-fields { equal <value>; } value-fields { equal <value>; } } } OR... routing { resource; OR... summary { virtual-router <value>; } OR... fib { virtual-router <value>; } OR... route { destination <ip/netmask>; interface <value>; nexthop <ip/netmask>; type static|connect|ospf|rip; virtual-router <value>; } OR... protocol { redist all|ospf|rip; OR... ospf summary|area|interface|virt-link|neighbor|virtneighbor|lsdb|dumplsdb; OR... rip summary|interface|peer|database; virtual-router <value>; } } OR... session { start-at 1-2097152; OR... info; OR... meter; OR... all {


filter { nat none|source|destination|both; proxy yes|no; type flow|predict; state initial|opening|active|discard|closing|closed; from <value>; to <value>; source <value>; destination <value>; source-user <value>; destination-user <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; application <value>; rule <value>; nat-rule <value>; } } OR... id 1-2147483648; } OR... shared-policy; OR... ssl-vpn { portal { name <value>; } OR... user { portal <value>; domain <value>; user <value>; } OR... flow { name <value>; OR... tunnel-id 1-2147483648; } } OR... statistics; OR... system { software { status; } OR... info; OR... services; OR... state { filter <value>; OR... filter-pretty <value>; OR...


browser; } OR... statistics; OR... resources { follow; } OR... disk-space; OR... logdb-quota; OR... files; } OR... target-vsys; OR... threat { id <1-4294967296,...>; } OR... ts-agent { statistics; OR... user-IDs; } OR... url-database; OR... virtual-wire |<value>; OR... vlan |<value>; OR... vpn { gateway { name <value>; } OR... tunnel { name <value>; } OR... ike-sa { gateway <value>; } OR... ipsec-sa { tunnel <value>; } OR... flow { name <value>; OR... tunnel-id 1-2147483648; } } OR... zip {


setting; } OR... zone-protection { zone <value>; } } OR... debug { captive-portal { on { normal; OR... debug; } OR... off; OR... show; } OR... cli on|off|detail|show|enable-internal-command; OR... cpld; OR... dataplane { get; OR... show { url-license; OR... user { all; OR... ip <ip/netmask>; } OR... ts-agent-data { all; OR... ip <ip/netmask>; } OR... nat-rule-cache; OR... global-ippool; OR... ippool; OR... security-policy; OR... nat-policy; OR... captive-portal-policy; OR... ssl-policy; OR... qos-policy; OR...


application-override-policy; OR... policy-based-forwarding-policy; OR... application-signature { statistics; } OR... application { dump-setting; } OR... resource-monitor { second { last 1-60; } OR... minute { last 1-60; } OR... hour { last 1-24; } OR... day { last 1-7; } OR... week { last 1-13; } } OR... logging; OR... url-cache { statistics; } OR... top-urls { top 1-10000; category <value>; } OR... ssl-cert-cn; } OR... reset { user-cache { all; OR... ip <ip/netmask>; } OR... url-cache; OR... logging; OR...


pow; OR... appid { unknown-cache { destination <ip/netmask>; } } OR... proxy { host-certificate-cache; OR... certificate-cache; OR... exclude-cache; OR... notify-cache { source <ip/netmask>; } } OR... ctd { url-block-cache { lockout; } } } OR... mode sync|no-sync; OR... on error|warn|info|debug; OR... off; OR... clear; OR... drop-filter { on; OR... off; OR... set { ingress <value>; file <value>; source <value>; destination <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; packet-count 1-20000; byte-count 1-2000000; } OR... unset 1-4; } OR... filter { on; OR... off;


OR... set { ingress <value>; file <value>; source <value>; destination <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; packet-count 1-20000; byte-count 1-2000000; } OR... unset 1-4; OR... close 1-4; } OR... pool { statistics; OR... check { hardware 0-255; OR... software 0-255; } } OR... pow { status; OR... performance { all; } } OR... memory { status; } OR... tcp { state; } OR... internal { pci-access { sample; OR... register <value>; } OR... vif { address; OR... link; OR... rule; OR... vr;


OR... route 0-255; } OR... dt { lion { rd 0-4294967295; OR... igr { show drops|flow|internal|packets|queues; OR... iftbl; OR... mymac; OR... port; } OR... egr { show counts|queues; OR... route; OR... nexthop; } OR... mac { stats { clear; } } OR... spi { stats { clear; } } } OR... oct { csr { rd <value>; } OR... gmx { stats; } OR... pip { stats; } OR... pko { disp; OR... stats; } OR... pow {


dump; } } } } OR... fpga { set { sw_aho yes|no; OR... sw_dfa yes|no; OR... sw_dlp yes|no; } OR... state; } OR... device { switch-dx { uplink; OR... register { read 0-4294967295; } OR... vlan-table { dump; OR... index 0-4095; } OR... port-based-vlan { port 0-32; } OR... fdb { dump; OR... index 0-65535; } } } OR... process { mprelay { on { dump; OR... debug; OR... info; OR... warn; OR... error; } OR... off;


OR... show; } OR... ha-agent { on { dump; OR... debug; OR... info; OR... warn; OR... error; } OR... off; OR... show; } } OR... task-heartbeat { on; OR... off; OR... show; } OR... monitor { detail { on; OR... off; OR... show; } } OR... set { tcp reass|fptcp|all; OR... ssl basic|all; OR... proxy basic|all; OR... pow basic|all; OR... zip basic|all; OR... misc misc|all; OR... module aho|dfa|scan|url|all; OR... flow basic|ager|ha|np|arp|receive|all; OR... tunnel flow|ager;


OR... ctd basic|sml|url|detector|all; OR... appid agt|basic|policy|dfa|all; OR... all; } OR... unset { tcp reass|fptcp|all; OR... ssl basic|all; OR... proxy basic|all; OR... pow basic|all; OR... misc misc|all; OR... flow basic|ager|np|ha|arp|receive|all; OR... tunnel flow|ager; OR... ctd basic|sml|url|detector|all; OR... appid basic|policy|dfa|all; OR... all; } } OR... device-server { set { agent basic|conn|ntlm|group|sslvpn|detail|ha|tsa|all; OR... misc basic|all; OR... base config|all; OR... url basic|stat|all; OR... config basic|tdb|fpga|all; OR... tdb basic|aho|all; OR... all; } OR... unset { agent basic|conn|detail|sslvpn|ha|tsa|all; OR... base config|all; OR... misc basic|all; OR... url basic|all; OR... config basic|tdb|fpga|all; OR...


tdb basic|aho|all; OR... all; } OR... test { dynamic-url <value>; OR... url <value>; OR... url-category 1-4192; OR... admin-override-password <value>; } OR... delete { dynamic-url { host { all; OR... name <value>; } } } OR... reset { brightcloud-database; OR... url { dynamic-url-timeout 1-43200; OR... dynamic-url-size 10-1000000; } OR... logging { statistics; } OR... pan-ntlm-agent { all; } OR... pan-agent { all; } OR... captive-portal { ip-address <ip/netmask>; } OR... id-manager; OR... url-cache; } OR... save { dynamic-url { database; }


} OR... dump { dynamic-url { database { start-from 1-1000000; category <value>; } OR... statistics; } OR... user-group { name <value>; } OR... ts-agent { config; } OR... idmgr { type { zone { all; OR... id 1-4294967295; OR... name <value>; } OR... vsys { all; OR... id 1-4294967295; OR... name <value>; } OR... global-tunnel { all; OR... id 1-; OR... name <value>; } OR... global-interface { all; OR... id 1-4294967295; OR... name <value>; } OR... global-vlan-domain { all; OR... id 1-4294967295; OR...


name <value>; } OR... global-vlan { all; OR... id 1-4294967295; OR... name <value>; } OR... global-vrouter { all; OR... id 1-4294967295; OR... name <value>; } OR... global-rib-instance { all; OR... id 1-4294967295; OR... name <value>; } OR... shared-application { all; OR... id 1-4294967295; OR... name <value>; } OR... custom-url-filter { all; OR... id 1-4294967295; OR... name <value>; } OR... user { all; OR... id 1-4294967295; OR... name <value>; } OR... user-group { all; OR... id 1-4294967295; OR... name <value>; } OR...


custom-application { all; OR... id 1-4096; OR... name <value>; } OR... security-rule { all; OR... id 1-4096; OR... name <value>; } OR... nat-rule { all; OR... id 1-4096; OR... name <value>; } OR... ssl-rule { all; OR... id 1-4096; OR... name <value>; } OR... ike-gateway { all; OR... id 1-4096; OR... name <value>; } } } OR... logging { statistics; } } OR... on error|warn|info|debug|dump; OR... off; OR... clear; OR... show; OR... refresh { user-group; } }


OR... dhcpd { global { on { error; OR... warn; OR... info; OR... debug; OR... dump; } OR... off; OR... show; } OR... pcap { show; OR... on { virtualrouter <value>; } OR... off; OR... delete; OR... view; } } OR... ez { enable; OR... disable; OR... show { counter { index 0-4194304; num-counters 0-40; } OR... session-counter { index 0-4194304; num-counters 0-40; } OR... port { index 0-32; } OR... throughput; OR... arp; OR...


route; OR... session; OR... drop_flag; OR... freerfd; OR... register { index 0-4294967295; count 0-40; } OR... tm-stats; } OR... set { drop 0|1; } } OR... high-availability-agent { on error|warn|info|debug|dump; OR... off; OR... show; OR... internal-dump; OR... model-check on|off; OR... commit-ex-hello on|off; } OR... ike { global { on { normal; OR... debug; OR... dump; } OR... off; OR... show; } OR... pcap { show; OR... on; OR... off; OR... delete; OR...


view; } OR... socket; OR... stat; } OR... keymgr { on { normal; OR... debug; OR... dump; } OR... off; OR... show; OR... list-sa; } OR... log-receiver { on { normal; OR... debug; OR... dump; } OR... off; OR... show; OR... statistics; OR... fwd { on; OR... off; OR... show; } } OR... management-server { on error|warn|info|debug|dump; OR... off; OR... clear; OR... show; OR... phased-commit enable|disable|show; OR...


client { disable device|ikemgr|dhcpd|ha_agent|routed|npagent|modhttpd|rasmgr; OR... enable device|ikemgr|dhcpd|ha_agent|routed|npagent|modhttpd|rasmgr; } } OR... master-service { on error|warn|info|debug|dump; OR... off; OR... show; OR... internal-dump; } OR... netconfig-agent { on { dump; OR... debug; OR... info; OR... warn; OR... error; } OR... off; OR... show; } OR... rasmgr { on { normal; OR... debug; OR... dump; } OR... off; OR... show; } OR... routing { mib <value>; OR... list-mib; OR... fib { flush; OR... stats; }


OR... global { on { error; OR... warn; OR... info; OR... debug; OR... dump; } OR... off; OR... show; } OR... pcap { show; OR... ospf { on { virtualrouter <value>; } OR... off; OR... delete; OR... view; } OR... rip { on { virtualrouter <value>; } OR... off; OR... delete; OR... view; } OR... all { on { virtualrouter <value>; } OR... off; OR... delete; OR... view; } } OR...


socket; } OR... software { restart { pan-comm; OR... device-server; OR... management-server; OR... web-server; } } OR... swm { list; OR... log; OR... history; OR... status; OR... unlock; OR... revert; OR... refresh { content; } } OR... tac-login { permanently-disable; OR... disable; OR... enable; } OR... vardata-receiver { on { normal; OR... debug; OR... dump; } OR... off; OR... show; OR... statistics; } } OR... set {


application { dump-unknown yes|no; OR... dump { on { limit 1-5000; from <value>; to <value>; source <value>; destination <value>; source-user <value>; destination-user <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; application <value>; rule <value>; } OR... off; } OR... cache yes|no; OR... supernode yes|no; OR... heuristics yes|no; OR... notify-user yes|no; } OR... cli { pager on|off; OR... confirmation-prompt on|off; OR... scripting-mode on|off; OR... timeout { idle |1-1440; } OR... terminal { type aaa|aaa+dec|aaa+rv|aaa+unk|aaa-18|aaa-18-rv|aaa-20|aaa-22|aaa24|aaa-24-rv|aaa-26|aaa-28|aaa-30-ctxt|aaa-30-rv|aaa-30-rv-ctxt|aaa-30s|aaa-30-s-rv|aaa-36|aaa-36-rv|aaa-40|aaa-40-rv|aaa-48|aaa-48-rv|aaa-60|aaa60-dec-rv|aaa-60-rv|aaa-60-s|aaa-60-s-rv|aaa-db|aaa-rv-unk|aaa-s-ctxt|aaa-srv-ctxt|aas1901|abm80|abm85|abm85e|abm85h|abm85hold|act4|act5|addrinfo|adds980|adm+sgr|adm11|adm1178|adm12|adm1a|adm2|adm20| adm21|adm22|adm3|adm31|adm31-old|adm36|adm3a|adm3a+|adm42|adm42ns|adm5|aepro|aixterm|aixterm-m|aixterm-m-old|aj510|aj830|altoh19|altos2|altos3|altos4|altos7|altos7pc|amiga|amiga-8bit|amiga-h|amigavnc|ampex175|ampex175b|ampex210|ampex219|ampex219w|ampex232|ampex232w|ampex80|annarbor4080|ansi|a nsi+arrows|ansi+csr|ansi+cup|ansi+erase|ansi+idc|ansi+idl|ansi+idl1|ansi+ini ttabs|ansi+local|ansi+local1|ansi+pp|ansi+rca|ansi+rep|ansi+sgr|ansi+sgrbold |ansi+sgrdim|ansi+sgrso|ansi+sgrul|ansi+tabs|ansi-color-2-emx|ansi-color-3emx|ansi-emx|ansi-generic|ansi-m|ansi-mini|ansi-mr|ansi-mtabs|ansint|ansi.sys|ansi.sys-


old|ansi.sysk|ansi77|apollo|apollo_15P|apollo_19L|apollo_color|apple80|apple-ae|apple-soroc|apple-uterm|apple-uterm-vb|apple-videx|applevidex2|apple-videx3|apple-vm80|apple2e|apple2ep|apple80p|appleII|appleIIgs|arm100|arm100w|atari|att2300|att2350|att4410|att4410v1-w|att4415|att4415+nl|att4415nl|att4415-rv|att4415-rv-nl|att4415-w|att4415-w-nl|att4415-w-rv|att4415-wrv-n|att4418|att4418-w|att4420|att4424|att44241|att4424m|att4426|att500|att505|att505-24|att510a|att510d|att5310|att5410w|att5410v1|att5420_2|att5420_2-w|att5425|att5425-nl|att5425w|att5620|att5620-1|att5620-24|att5620-34|att5620-s|att605|att605-pc|att605w|att610|att610-103k|att610-103k-w|att610-w|att615|att615-103k|att615-103kw|att615-w|att620|att620-103k|att620-103k-w|att620-w|att630|att63024|att6386|att700|att730|att730-24|att730-41|att7300|att730r|att730r24|att730r-41|avatar|avatar0|avatar0+|avt|avt+s|avt-ns|avt-rv|avt-rv-ns|avtw|avt-w-ns|avt-w-rv|avt-w-rvns|aws|awsc|bantam|basis|beacon|beehive|beehive3|beehive4|beterm|bg1.25|bg1. 
25nv|bg1.25rv|bg2.0|bg2.0rv|bitgraph|blit|bobcat|bq300|bq300-8|bq300-8pc|bq300-8-pc-rv|bq300-8-pc-w|bq300-8-pc-w-rv|bq300-8rv|bq300-8w|bq300pc|bq300-pc-rv|bq300-pc-w|bq300-pc-w-rv|bq300-rv|bq300-w|bq300-w-8rv|bq300w-rv|bsdos-pc|bsdos-pc-m|bsdos-pc-nobold|bsdos-ppc|bsdos-sparc|c100|c100rv|c108|c108-4p|c108-rv|c108-rv-4p|c108-w|ca22851|cad68-2|cad683|cbblit|cbunix|cci|cdc456|cdc721|cdc721esc|cdc721ll|cdc752|cdc756|cg7900|cit101|cit101e|cit101e-132|cit101en|cit101e-n132|cit101e-rv|cit500|cit80|citoh|citoh-6lpi|citoh-8lpi|citohcomp|citoh-elite|citoh-pica|citohprop|coco3|color_xterm|commodore|cons25|cons25-m|cons25l1|cons25l1m|cons25r|cons25r-m|cons25w|cons30|cons30-m|cons43|cons43-m|cons50|cons50m|cons50l1|cons50l1-m|cons50r|cons50r-m|cons60|cons60-m|cons60l1|cons60l1m|cons60r|cons60r-m|contel300|contel301|cops10|crt|cs10|cs10w|ct8500|ctrm|cyb110|cyb83|cygwin|cygwinB19|cygwinDBG|d132|d200|d210|d210dg|d211|d211-7b|d211-dg|d216-dg|d216-unix|d216-unix-25|d217-unix|d217-unix25|d220|d220-7b|d220-dg|d230c|d230c-dg|d400|d410|d410-7b|d410-7b-w|d410dg|d410-w|d412-dg|d412-unix|d412-unix-25|d412-unix-s|d412-unix-sr|d412-unixw|d413-unix|d413-unix-25|d413-unix-s|d413-unix-sr|d413-unix-w|d414unix|d414-unix-25|d414-unix-s|d414-unix-sr|d414-unix-w|d430c-dg|d430c-dgccc|d430c-unix|d430c-unix-25|d430c-unix-25-ccc|d430c-unix-ccc|d430c-unixs|d430c-unix-s-ccc|d430c-unix-sr|d430c-unix-sr-ccc|d430c-unix-w|d430c-unixw-ccc|d470c|d470c-7b|d470c-dg|d555|d555-7b|d555-7b-w|d555-dg|d555w|d577|d577-7b|d577-7b-w|d577-dg|d577-w|d578|d578-7b|d800|ddr|dec-vt100|decvt220|decansi|delta|dg+ccc|dg+color|dg+color8|dg+fixed|dggeneric|dg200|dg210|dg211|dg450|dg460-ansi|dg6053|dg6053old|dgkeys+11|dgkeys+15|dgkeys+7b|dgkeys+8b|dgmode+color|dgmode+color8|dguni x+ccc|dgunix+fixed|diablo1620|diablo1620-m8|diablo1640|diablo1640lm|diablo1740-lm|digilog|djgpp|djgpp203|djgpp204|dku7003|dku7003dumb|dku7102old|dku7202|dm1520|dm2500|dm3025|dm3045|dm80|dm80w|dmchat|dmterm|dp3360|dp82 
42|dt100|dt100w|dt110|dt80sas|dtc300s|dtc382|dtterm|dumb|dw1|dw2|dw3|dw4|dwk|ecma+color|ecma+sgr|elks| elks-ansi|elks-glasstty|elks-vt52|emu|emu-220|emxbase|env230|ep40|ep48|ergo4000|esprit|espritam|Eterm|eterm|ex155|excel62|excel62-rv|excel62-w|f100|f100-rv|f110|f11014|f110-14w|f110-w|f1720|f200|f200-w|f200vi|f200vi-w|falco|falcop|fos|fox|gator|gator-52|gator-52t|gator-t|gigi|glasstty|gnome|gnomerh62|gnome-rh72|gnome-rh80|gnome-rh90|go140|go140w|go225|graphos|graphos30|gs6300|gsi|gt40|gt42|guru|guru+rv|guru+s|guru-24|guru-44|guru-44-s|guru76|guru-76-lp|guru-76-s|guru-76-w|guru-76-w-s|guru-76-wm|guru-nctxt|gururv|guru-s|h19|h19-a|h19-bs|h19-g|h19-u|h19us|h19k|ha8675|ha8686|hazel|hds200|hft-c|hft-c-old|hftold|hirez100|hirez100-

w|hmod1|hp+arrows|hp+color|hp+labels|hp+pfk+arrows|hp+pfk+cr|hp+pfkcr|hp+printer|hp110|hp150|hp2|hp236|hp2382a|hp2392|hp2397a|hp2621|hp262148|hp2621-a|hp2621-ba|hp2621-fl|hp2621-k45|hp2621-nl|hp2621nt|hp2621b|hp2621b-kx|hp2621b-kx-p|hp2621b-p|hp2621p|hp2621pa|hp2622|hp2623|hp2624|hp2624-10p|hp2624b-10p-p|hp2624b-p|hp2626|hp262612|hp2626-12-s|hp2626-12x40|hp2626-ns|hp2626-s|hp2626-x40|hp2627a|hp2627arev|hp2627c|hp262x|hp2640a|hp2640b|hp2641a|hp2645|hp2648|hp300h|hp700wy|hp70092|hp9837|hp9845|hp98550|hpansi|hpex|hpgeneric|hpsub|hpterm|hurd|hz1 000|hz1420|hz1500|hz1510|hz1520|hz1520-noesc|hz1552|hz1552rv|hz2000|i100|i400|ibcs2|ibm+16color|ibm+color|ibm-apl|ibm-pc|ibmsystem1|ibm3101|ibm3151|ibm3161|ibm3161C|ibm3162|ibm3164|ibm327x|ibm5081|ibm5081-c|ibm5151|ibm5154|ibm6153|ibm615340|ibm6153-90|ibm6154|ibm6155|ibm8503|ibm8512|ibm8514|ibm8514c|ibmaed|ibmapa8c|ibmapa8c-c|ibmega|ibmegac|ibmmono|ibmpc|ibmpc3|ibmpcx|ibmvga|ibmvga-c|icl6404|icl6404-w|ifmr|imsansi|ims950|ims950-b|ims950-rv|infoton|interix|interixnti|intertube|intertube2|intext|intext2|iris-ansi|iris-ansi-ap|iriscolor|jaixterm|jaixterm-m|kaypro|kermit|kermitam|klone+acs|klone+color|klone+koi8acs|klone+sgr|klone+sgrdumb|konsole|konsole-16color|konsole-base|konsole-linux|konsolevt100|konsole-vt420pc|konsole-xf3x|konsole-xf4x|kt7|kt7ix|kterm|ktermcolor|kvt|lft|linux|linux-basic|linux-c|linux-c-nc|linux-koi8|linuxkoi8r|linux-lat|linux-m|linux-nic|linux-vt|lisa|lisaterm|lisatermw|liswb|ln03|ln03-w|lpr|luna|m2-nam|mac|mac-w|mach|mach-bold|machcolor|mai|masscomp|masscomp1|masscomp2|megatek|memhp|mgr|mgr-linux|mgrsun|mgterm|microb|mime|mime-fb|mime-hb|mime2a|mime2as|mime314|mime3a|mime3ax|minitel1|minitel1b|minitel1b-80|minix|minixold|minix-old-am|mlterm|mm340|modgraph|modgraph2|modgraph48|monoemx|morphos|ms-vt-utf8|ms-vt100|ms-vt100+|ms-vt100color|msk227|msk22714|msk227am|mt4520-rv|mt70|mterm|mtermansi|MtxOrb|MtxOrb162|MtxOrb204|mvterm|nansi.sys|nansi.sysk|ncr160vppp|ncr16 
0vpwpp|ncr160vt100an|ncr160vt100pp|ncr160vt100wan|ncr160vt100wpp|ncr160vt200 an|ncr160vt200pp|ncr160vt200wan|ncr160vt200wpp|ncr160vt300an|ncr160vt300pp|n cr160vt300wan|ncr160vt300wpp|ncr160wy50+pp|ncr160wy50+wpp|ncr160wy60pp|ncr16 0wy60wpp|ncr260intan|ncr260intpp|ncr260intwan|ncr260intwpp|ncr260vppp|ncr260 vpwpp|ncr260vt100an|ncr260vt100pp|ncr260vt100wan|ncr260vt100wpp|ncr260vt200a n|ncr260vt200pp|ncr260vt200wan|ncr260vt200wpp|ncr260vt300an|ncr260vt300pp|nc r260vt300wan|NCR260VT300WPP|ncr260wy325pp|ncr260wy325wpp|ncr260wy350pp|ncr26 0wy350wpp|ncr260wy50+pp|ncr260wy50+wpp|ncr260wy60pp|ncr260wy60wpp|ncr7900i|n cr7900iv|ncr7901|ncrvt100an|ncrvt100wan|ncsa|ncsa-m|ncsa-m-ns|ncsa-ns|ncsavt220|nec5520|newhp|newhpkeyboard|news-29|news-29-euc|news-29-sjis|news33|news-33-euc|news-33-sjis|news-42|news-42-euc|news-42-sjis|news-oldunk|newsunk|news28|news29|next|nextshell|northstar|nsterm|nsterm+7|nsterm+acs|nsterm +c|nsterm+c41|nsterm+mac|nsterm+s|nsterm-7|nsterm-7-c|nsterm-acs|nstermc|nsterm-c-acs|nsterm-c-s|nsterm-c-s-7|nsterm-c-s-acs|nsterm-m|nsterm-m7|nsterm-m-acs|nsterm-m-s|nsterm-m-s-7|nsterm-m-s-acs|nsterm-s|nsterm-s7|nsterm-s-acs|nwp511|nwp512|nwp512-a|nwp512-o|nwp513|nwp513-a|nwp513o|nwp517|nwp517-w|oblit|oc100|ofcons|oldpc3|oldsun|omron|opennt-100|opennt100-nti|opennt-35|opennt-35-nti|opennt-35-w|opennt-50|opennt-50-nti|opennt50-w|opennt-60|opennt-60-nti|opennt-60-w|opennt-w|opennt-wvt|opus3n1+|origpc3|osborne|osbornew|osexec|otek4112|otek4115|owl|p19|p8gl|pc-coherent|pc-minix|pcvenix|pc3|pc6300plus|pcansi|pcansi-25|pcansi-25-m|pcansi-33|pcansi-33m|pcansi-43|pcansi-43-m|pcansim|pccons|pcix|pckermit|pckermit120|pcmw|pcplot|pcvt25|pcvt25color|pcvt25w|pcvt28|pcvt28w|pcvt35|pcvt35w|pcvt40|pcvt40w|pcvt43|pcvt43w|pc vt50|pcvt50w|pcvtXX|pe1251|pe7000c|pe7000m|pilot|pmcons|prism12|prism12m|prism12-m-w|prism12-w|prism14|prism14-m|prism14-m-w|prism14-

w|prism2|prism4|prism5|prism7|prism8|prism8-w|prism9|prism9-8|prism9-8w|prism9-w|pro350|ps300|psterm|psterm-80x24|psterm-90x28|psterm96x48|psterm-fast|pt100|pt100w|pt210|pt250|pt250w|pty|putty|qansi|qansig|qansi-m|qansi-t|qansiw|qdss|qnx|qnxm|qnxt|qnxt2|qnxtmono|qnxw|qume5|qvt101|qvt101+|qvt102|qvt103| qvt103-w|qvt119+|qvt119+-25|qvt119+-25-w|qvt119+-w|qvt203|qvt203-25|qvt20325-w|qvt203-w|rbcomm|rbcomm-nam|rbcomm-w|rca|rcons|rconscolor|regent|regent100|regent20|regent25|regent40|regent40+|regent60|rt6221| rt6221-w|rtpc|rxvt|rxvt+pcfkeys|rxvt-16color|rxvt-basic|rxvt-color|rxvtcygwin|rxvt-cygwin-native|rxvt-xpm|sb1|sb2|sbi|scanset|scoansi|scoansinew|scoansi-old|screen|screen-bce|screen-s|screenw|screen.linux|screen.teraterm|screen.xterm-r6|screen.xtermxfree86|screen2|screen3|screwpoint|scrhp|sibo|simterm|soroc120|soroc140|st52 |sun|sun-1|sun-12|sun-17|sun-24|sun-34|sun-48|sun-c|sun-cgsix|sun-e|sun-es|sun-il|sun-s|sun-type4|superbeexsb|superbeeic|superbrain|swtp|synertek|t10|t1061|t1061f|t16|t3700|t3800|tab 132|tab132-rv|tab132-w|tab132-wrv|tandem6510|tandem653|tek|tek4013|tek4014|tek4014-sm|tek4015|tek4015sm|tek4023|tek4024|tek4025-17|tek4025-17-ws|tek4025-cr|tek4025ex|tek4025a|tek4025ex|tek4105|tek410530|tek4105a|tek4106brl|tek4107|tek4112|tek4112-5|tek4112-nd|tek4113|tek411334|tek4113-nd|tek4115|tek4125|tek4205|tek4207|tek4207s|tek4404|teletec|teraterm|terminet1200|ti700|ti916|ti916-132|ti916-8|ti9168-132|ti924|ti924-8|ti924-8w|ti924w|ti926|ti926-8|ti928|ti9288|ti931|ti_ansi|trs16|trs2|ts100|ts100-ctxt|tt|tt50522|tty33|tty37|tty40|tty43|tvi803|tvi9065|tvi910|tvi910+|tvi912|tvi912b|tvi9 
12b+2p|tvi912b+dim|tvi912b+mc|tvi912b+printer|tvi912b+vb|tvi912b-2p|tvi912b2p-mc|tvi912b-2p-p|tvi912b-2p-unk|tvi912b-mc|tvi912b-p|tvi912b-unk|tvi912bvb|tvi912b-vb-mc|tvi912b-vb-p|tvi912b-vbunk|tvi912cc|tvi920b|tvi920b+fn|tvi920b-2p|tvi920b-2p-mc|tvi920b-2pp|tvi920b-2p-unk|tvi920b-mc|tvi920b-p|tvi920b-unk|tvi920b-vb|tvi920b-vbmc|tvi920b-vb-p|tvi920b-vb-unk|tvi921|tvi924|tvi925|tvi925hi|tvi92B|tvi92D|tvi950|tvi950-2p|tvi950-4p|tvi950-rv|tvi950-rv-2p|tvi950rv-4p|tvi955|tvi955-hb|tvi955-w|tvi970|tvi970-2p|tvi970-vb|tvipt|twsgeneric|tws2102-sna|tws2103|tws2103sna|uniterm|unknown|uts30|uwin|v3220|v5410|vanilla|vc303|vc303a|vc404|vc404s|vc414|vc415|versaterm|vi200|vi200-f|vi200-rv|vi300|vi300old|vi50|vi500|vi50adm|vi55|vi550|vi603|viewpoint|vip|vip-H|vip-Hw|vipw|visa50|vp3a+|vp60|vp90|vremote|vsc|vt100|vt100+fnkeys|vt100+keypad|vt100+p fkeys|vt100-nav|vt100-nav-w|vt100-putty|vt100-s|vt100-s-bot|vt100-vb|vt100w|vt100-w-nam|vt100nam|vt102|vt102-nsgr|vt102-w|vt125|vt131|vt132|vt200js|vt220|vt220+keypad|vt220-8bit|vt220-nam|vt220-old|vt220w|vt220d|vt320|vt320-k3|vt320-k311|vt320-nam|vt320-w|vt320-wnam|vt320nam|vt340|vt400|vt420|vt420f|vt420pc|vt420pcdos|vt50|vt50h|vt510|vt 510pc|vt510pcdos|vt52|vt520|vt525|vt61|wsiris|wsvt25|wsvt25m|wy100|wy100q|wy 
120|wy120-25|wy120-25-w|wy120-vb|wy120-w|wy120-w-vb|wy160|wy160-25|wy160-25w|wy160-42|wy160-42-w|wy160-43|wy160-43-w|wy160-tek|wy160-vb|wy160-w|wy160w-vb|wy185|wy185-24|wy185-vb|wy185-w|wy185-wvb|wy30|wy30-mc|wy30vb|wy325|wy325-25|wy325-25w|wy325-42|wy325-42w|wy325-42w-vb|wy325-43|wy32543w|wy325-43w-vb|wy325-vb|wy325-w|wy325-w-vb|wy350|wy350-vb|wy350-w|wy350wvb|wy370|wy370-105k|wy370-EPC|wy370-nk|wy370-rv|wy370-tek|wy370-vb|wy370w|wy370-wvb|wy50|wy50-mc|wy50-vb|wy50-w|wy50-wvb|wy520|wy520-24|wy52036|wy520-36pc|wy520-36w|wy520-36wpc|wy520-48|wy520-48pc|wy520-48w|wy52048wpc|wy520-epc|wy520-epc-24|wy520-epc-vb|wy520-epc-w|wy520-epc-wvb|wy520vb|wy520-w|wy520-wvb|wy60|wy60-25|wy60-25-w|wy60-42|wy60-42-w|wy60-43|wy6043-w|wy60-vb|wy60-w|wy60-w-vb|wy75|wy75-mc|wy75-vb|wy75-w|wy75wvb|wy75ap|wy85|wy85-8bit|wy85-vb|wy85-w|wy85-wvb|wy99-ansi|wy99aansi|wy99f|wy99fa|wy99gt|wy99gt-25|wy99gt-25-w|wy99gt-tek|wy99gt-vb|wy99gtw|wy99gt-w-vb|wyse-

vp|x10term|x68k|xerox1720|xerox820|xnuppc|xnuppc+100x37|xnuppc+112x37|xnuppc +128x40|xnuppc+128x48|xnuppc+144x48|xnuppc+160x64|xnuppc+200x64|xnuppc+200x7 5|xnuppc+256x96|xnuppc+80x25|xnuppc+80x30|xnuppc+90x30|xnuppc+b|xnuppc+basic |xnuppc+c|xnuppc+f|xnuppc+f2|xnuppc-100x37|xnuppc-100x37-m|xnuppc112x37|xnuppc-112x37-m|xnuppc-128x40|xnuppc-128x40-m|xnuppc-128x48|xnuppc128x48-m|xnuppc-144x48|xnuppc-144x48-m|xnuppc-160x64|xnuppc-160x64-m|xnuppc200x64|xnuppc-200x64-m|xnuppc-200x75|xnuppc-200x75-m|xnuppc-256x96|xnuppc256x96-m|xnuppc-80x25|xnuppc-80x25-m|xnuppc-80x30|xnuppc-80x30-m|xnuppc90x30|xnuppc-90x30-m|xnuppc-b|xnuppc-f|xnuppc-f2|xnuppc-m|xnuppc-m-b|xnuppcm-f|xnuppc-m-f2|xtalk|xterm|xterm+pcfkeys|xterm+sl|xterm+sl-twm|xterm1002|xterm-1003|xterm-16color|xterm-24|xterm-256color|xterm-88color|xterm8bit|xterm-basic|xterm-bold|xterm-color|xterm-hp|xterm-new|xterm-nic|xtermnoapp|xterm-pcolor|xterm-r5|xterm-r6|xterm-sco|xterm-sun|xterm-vt220|xtermvt52|xterm-xf86-v32|xterm-xf86-v33|xterm-xf86-v333|xterm-xf86-v40|xtermxf86-v43|xterm-xf86-v44|xterm-xfree86|xterm-xi|xterm1|xtermc|xtermm|xtermssun|z100|z100bw|z29|z29a|z29a-kc-uc|z29a-nkc-bc|z29a-nkc-uc|z340|z340nam|z39-a|zen30|zen50|ztx; OR... width 1-500; OR... height 1-500; } } OR... clock { date <value>; time <value>; } OR... ctd { x-forwarded-for yes|no; } OR... data-access-password <value>; OR... logging { max-log-rate 0-50000; OR... max-packet-rate 0-2560; OR... log-suppression yes|no; OR... default; } OR... management-server { unlock { admin <value>; } OR... logging on|off|import-start|import-end; } OR... multi-vsys on|off; OR... panorama on|off; OR... password; OR...

    proxy {
      skip-proxy yes|no;
      OR...
      skip-ssl yes|no;
      OR...
      answer-timeout 1-86400;
      OR...
      notify-user yes|no;
    }
    OR...
    session {
      timeout-tcp 1-15999999;
      OR...
      timeout-udp 1-15999999;
      OR...
      timeout-icmp 1-15999999;
      OR...
      timeout-default 1-15999999;
      OR...
      timeout-tcpinit 1-60;
      OR...
      timeout-tcpwait 1-60;
      OR...
      timeout-scan 5-30;
      OR...
      scan-threshold 50-99;
      OR...
      scan-scaling-factor 2-16;
      OR...
      accelerated-aging-enable yes|no;
      OR...
      accelerated-aging-threshold 50-99;
      OR...
      accelerated-aging-scaling-factor 2-16;
      OR...
      tcp-reject-non-syn yes|no;
      OR...
      offload yes|no;
      OR...
      default;
    }
    OR...
    shared-policy enable|disable|import-and-disable;
    OR...
    ssl-vpn {
      unlock {
        vsys <value>;
        auth-profile <value>;
        user <value>;
      }
    }
    OR...
    target-vsys <value>;
    OR...
    url-database <value>;
    OR...
    zip {
      enable yes|no;
    }

  }
  OR...
  request {
    certificate {
      self-signed {
        for-use-by web-interface|ssl-decryption|ssl-untrusted|inbound-proxy;
        passphrase <value>;
        name <value>;
        nbits 1024|512;
        country-code <value>;
        state <value>;
        locality <value>;
        organization <value>;
        organization-unit <value>;
        email <value>;
        filename <value>;
      }
      OR...
      install {
        for-use-by {
          web-interface {
            passphrase <value>;
            key <value>;
            certificate <value>;
          }
          OR...
          ssl-decryption {
            passphrase <value>;
            key <value>;
            certificate <value>;
          }
          OR...
          ssl-untrusted {
            passphrase <value>;
            key <value>;
            certificate <value>;
          }
          OR...
          inbound-proxy {
            passphrase <value>;
            key <value>;
            certificate <value>;
            name <value>;
          }
        }
      }
      OR...
      verify {
        for-use-by {
          web-interface {
            passphrase <value>;
            key <value>;
            certificate <value>;
          }
        }
      }
    }
    OR...
    comfort-page {

      install application-block-page|url-block-page|spyware-block-page|virus-block-page|file-block-page;
    }
    OR...
    content {
      downgrade {
        install <value>;
      }
      OR...
      upgrade {
        info;
        OR...
        check;
        OR...
        download latest;
        OR...
        install {
          version latest;
          OR...
          file <value>;
          commit yes|no;
        }
      }
    }
    OR...
    data-filtering {
      access-password {
        create {
          password <value>;
        }
        OR...
        modify {
          old-password <value>;
          new-password <value>;
        }
        OR...
        delete;
      }
    }
    OR...
    device-registration {
      username <value>;
      password <value>;
    }
    OR...
    high-availability {
      sync-to-remote {
        candidate-config;
        OR...
        running-config;
        OR...
        disk-state;
        OR...
        runtime-state;
        OR...
        clock;
      }
      OR...
      state {

        suspend;
        OR...
        functional;
      }
      OR...
      clear-alarm-led;
    }
    OR...
    license {
      info;
      OR...
      fetch {
        auth-code <value>;
      }
      OR...
      install <value>;
    }
    OR...
    password-hash {
      password <value>;
    }
    OR...
    restart {
      system;
      OR...
      software;
      OR...
      dataplane;
    }
    OR...
    ssl-optout-text {
      install;
    }
    OR...
    ssl-vpn {
      client-register {
        portal <value>;
        domain <value>;
        user <value>;
      }
      OR...
      client-logout {
        portal <value>;
        domain <value>;
        user <value>;
        authcookie <value>;
        reason |||||||||<value>;
      }
      OR...
      client-config {
        portal <value>;
        user <value>;
        authcookie <value>;
        client-type 1-100000;
        os-version <value>;
        app-version <value>;
        protocol-version |<value>;
        existing-ip <value>;
        existing-mtu 1-32000;

        preferred-ip <ip>;
      }
      OR...
      ssl-switch {
        portal <value>;
        user <value>;
        authcookie <value>;
        conn-c-ip <ip>;
        conn-c-port 1-65535;
        conn-s-ip <ip>;
        conn-s-port 1-65535;
      }
    }
    OR...
    support {
      info;
      OR...
      check;
    }
    OR...
    system {
      software {
        info;
        OR...
        check;
        OR...
        download {
          version <value>;
          OR...
          file <value>;
        }
        OR...
        install {
          version <value>;
          OR...
          file <value>;
        }
      }
      OR...
      factory-reset;
    }
    OR...
    tech-support {
      dump;
    }
    OR...
    url-filtering {
      upgrade {
        brightcloud;
      }
      OR...
      download {
        status;
      }
    }
    OR...
    vpnclient {
      software {
        info;

        OR...
        check;
        OR...
        download {
          version <value>;
          OR...
          file <value>;
        }
        OR...
        install {
          version <value>;
          OR...
          file <value>;
        }
      }
    }
  }
  OR...
  check {
    data-access-passwd {
      system;
    }
    OR...
    pending-changes;
  }
  OR...
  save {
    config {
      to <value>;
    }
  }
  OR...
  scp {
    export {
      configuration {
        from <pathname>;
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      packet-log {
        from <pathname>;
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      pdf-reports {
        from <pathname>;
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      filter {
        from <pathname>;
        to <value>;
        remote-port 1-65535;

        source-ip <ip>;
      }
      OR...
      application {
        from <pathname>;
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      ssl-decryption-certificate {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      web-interface-certificate {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      logdb {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      log {
        traffic {
          max-log-count 0-65535;
          unexported-only {
            equal yes|no;
          }
          start-time {
            equal <value>;
          }
          end-time {
            equal <value>;
          }
          query <value>;
          to <value>;
          remote-port 1-65535;
          source-ip <ip>;
        }
        OR...
        threat {
          max-log-count 0-65535;
          unexported-only {
            equal yes|no;
          }
          start-time {
            equal <value>;
          }
          end-time {
            equal <value>;
          }
          query <value>;
          to <value>;

          remote-port 1-65535;
          source-ip <ip>;
        }
      }
      OR...
      stats-dump {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      tech-support {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      core-file {
        control-plane {
          from <pathname>;
          to <value>;
          remote-port 1-65535;
          source-ip <ip>;
        }
        OR...
        data-plane {
          from <pathname>;
          to <value>;
          remote-port 1-65535;
          source-ip <ip>;
        }
      }
      OR...
      log-file {
        control-plane {
          to <value>;
          remote-port 1-65535;
          source-ip <ip>;
        }
        OR...
        data-plane {
          to <value>;
          remote-port 1-65535;
          source-ip <ip>;
        }
      }
      OR...
      ssl-optout-text {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      captive-portal-text {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...

      url-coach-text {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      file-block-page {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      application-block-page {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      url-block-page {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      virus-block-page {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      spyware-block-page {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      debug-pcap {
        from <pathname>;
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
    }
    OR...
    import {
      configuration {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      ssl-decryption-certificate {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      private-key {
        from <value>;

        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      web-interface-certificate {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      trusted-ca-certificate {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      logdb {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      license {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      content {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      software {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      inbound-proxy-key {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      ssl-optout-text {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      captive-portal-text {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      url-coach-text {

        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      application-block-page {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      url-block-page {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      file-block-page {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      virus-block-page {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      spyware-block-page {
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      sslvpn-custom-login-page {
        profile <value>;
        from <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
    }
  }
  OR...
  ftp {
    export {
      log {
        traffic {
          unexported-only {
            equal yes|no;
          }
          passive-mode {
            equal yes|no;
          }
          start-time {
            equal <value>;
          }
          end-time {
            equal <value>;

          }
          query <value>;
          max-log-count 0-65535;
          to <value>;
          remote-port 1-65535;
        }
        OR...
        threat {
          unexported-only {
            equal yes|no;
          }
          passive-mode {
            equal yes|no;
          }
          start-time {
            equal <value>;
          }
          end-time {
            equal <value>;
          }
          query <value>;
          max-log-count 0-65535;
          to <value>;
          remote-port 1-65535;
        }
      }
    }
  }
  OR...
  tftp {
    export {
      configuration {
        from <pathname>;
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      packet-log {
        from <pathname>;
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      filter {
        from <pathname>;
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      application {
        from <pathname>;
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...

      ssl-decryption-certificate {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      web-interface-certificate {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      stats-dump {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      tech-support {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      core-file {
        control-plane {
          from <pathname>;
          to <value>;
          remote-port 1-65535;
          source-ip <ip>;
        }
        OR...
        data-plane {
          from <pathname>;
          to <value>;
          remote-port 1-65535;
          source-ip <ip>;
        }
      }
      OR...
      log-file {
        control-plane {
          to <value>;
          remote-port 1-65535;
          source-ip <ip>;
        }
        OR...
        data-plane {
          to <value>;
          remote-port 1-65535;
          source-ip <ip>;
        }
      }
      OR...
      ssl-optout-text {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }

      OR...
      captive-portal-text {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      url-coach-text {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      file-block-page {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      application-block-page {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      url-block-page {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      virus-block-page {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      spyware-block-page {
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      debug-pcap {
        from <pathname>;
        to <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
    }
    OR...
    import {
      configuration {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...

      ssl-decryption-certificate {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      private-key {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      web-interface-certificate {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      trusted-ca-certificate {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      license {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      content {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      software {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      ssl-optout-text {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      captive-portal-text {
        from <value>;
        file <value>;

        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      url-coach-text {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      file-block-page {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      application-block-page {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      url-block-page {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      virus-block-page {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      spyware-block-page {
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
      OR...
      sslvpn-custom-login-page {
        profile <value>;
        from <value>;
        file <value>;
        remote-port 1-65535;
        source-ip <ip>;
      }
    }
  }
  OR...
  load {
    config {
      last-saved;

      OR...
      from <value>;
      OR...
      version <value>;
      OR...
      partial {
        from <value>;
        from-xpath <value>;
        to-xpath <value>;
        mode merge|replace;
      }
    }
  }
  OR...
  test {
    cp-policy-match {
      from <value>;
      to <value>;
      source <value>;
      destination <value>;
    }
    OR...
    dlp {
      pattern <value>;
      OR...
      ccn <value>;
      OR...
      ssn <value>;
    }
    OR...
    nat-policy-match {
      from <value>;
      to <value>;
      source <value>;
      destination <value>;
      protocol 1-255;
      source-port 1-65535;
      destination-port 1-65535;
      protocol 1-255;
    }
    OR...
    policy-based-forwarding-policy-match {
      from <value>;
      source <value>;
      destination <value>;
      destination-port 1-65535;
      source-user <value>;
      protocol 1-255;
    }
    OR...
    qos-policy-match {
      from <value>;
      to <value>;
      source <value>;
      destination <value>;
      destination-port 1-65535;
      source-user <value>;
      protocol 1-255;
      application <value>;

    }
    OR...
    routing {
      fib-lookup {
        ip <ip>;
        virtual-router <value>;
      }
    }
    OR...
    security-policy-match {
      from <value>;
      to <value>;
      source <value>;
      destination <value>;
      destination-port 1-65535;
      source-user <value>;
      protocol 1-255;
      show-all yes|no;
      application <value>;
    }
    OR...
    ssl-policy-match {
      from <value>;
      to <value>;
      source <value>;
      destination <value>;
      category <value>;
    }
    OR...
    vpn {
      ike-sa {
        gateway <value>;
      }
      OR...
      ipsec-sa {
        tunnel <value>;
      }
    }
  }
  OR...
  less {
    mp-log <pathname>;
    OR...
    dp-log <pathname>;
    OR...
    mp-backtrace <pathname>;
    OR...
    dp-backtrace <pathname>;
    OR...
    webserver-log <pathname>;
    OR...
    custom-page <pathname>;
    OR...
    global <pathname>;
    OR...
    content <pathname>;
  }
  OR...
  grep {

    mp-log <pathname>;
    OR...
    dp-log <pathname>;
    after-context 1-65535;
    before-context 1-65535;
    context 1-65535;
    count yes|no;
    ignore-case yes|no;
    invert-match yes|no;
    line-number yes|no;
    max-count 1-65535;
    no-filename yes|no;
    pattern <value>;
  }
  OR...
  ping {
    bypass-routing yes|no;
    count 1-2000000000;
    do-not-fragment yes|no;
    host <value>;
    inet6 yes|no;
    interval 1-2000000000;
    no-resolve yes|no;
    pattern <value>;
    size 0-65468;
    source <value>;
    tos 1-255;
    ttl 1-255;
    verbose yes|no;
  }
  OR...
  ssh {
    host <value>;
    inet yes|no;
    port 0-65535;
    source <value>;
    v1 yes|no;
    v2 yes|no;
  }
  OR...
  tail {
    mp-log <pathname>;
    OR...
    dp-log <pathname>;
    OR...
    webserver-log <pathname>;
    follow yes|no;
    lines 1-65535;
  }
  OR...
  view-pcap {
    application-pcap <pathname>;
    OR...
    filter-pcap <pathname>;
    OR...
    threat-pcap <pathname>;
    OR...
    debug-pcap <pathname>;
    absolute-seq yes|no;

    delta yes|no;
    follow yes|no;
    hex yes|no;
    hex-ascii yes|no;
    hex-ascii-link yes|no;
    hex-link yes|no;
    link-header yes|no;
    no-dns-lookup yes|no;
    no-port-lookup yes|no;
    no-qualification yes|no;
    no-timestamp yes|no;
    timestamp yes|no;
    undecoded-NFS yes|no;
    unformatted-timestamp yes|no;
    verbose yes|no;
    verbose+ yes|no;
    verbose++ yes|no;
  }
  OR...
  telnet {
    8bit yes|no;
    host <value>;
    port 0-65535;
  }
  OR...
  traceroute {
    bypass-routing yes|no;
    debug-socket yes|no;
    do-not-fragment yes|no;
    first-ttl 1-255;
    gateway <ip/netmask>;
    host <value>;
    ipv4 yes|no;
    ipv6 yes|no;
    max-ttl 1-255;
    no-resolve yes|no;
    pause 1-2000000000;
    port 1-65535;
    source <value>;
    tos 1-255;
    wait 1-99999;
  }
  OR...
  netstat {
    all yes|no;
    cache yes|no;
    continuous yes|no;
    extend yes|no;
    fib yes|no;
    groups yes|no;
    interfaces yes|no;
    listening yes|no;
    numeric yes|no;
    numeric-hosts yes|no;
    numeric-ports yes|no;
    numeric-users yes|no;
    programs yes|no;
    route yes|no;
    statistics yes|no;

    symbolic yes|no;
    timers yes|no;
    verbose yes|no;
  }
}

Panorama Hierarchy
config {
  predefined;
  mgt-config {
    users {
      REPEAT...
      <name> {
        phash <value>;
        remote-authentication radius;
        preferences {
          disable-dns yes|no;
        }
        permissions {
          role-based {
            superreader yes;
            OR...
            superuser yes;
            OR...
            panorama-admin yes;
          }
        }
      }
    }
    devices {
      REPEAT...
      <name> {
        hostname <value>;
        ip <ip>;
      }
    }
  }
  devices {
    REPEAT...
    <name> {
      deviceconfig {
        system {
          hostname <value>;
          domain <value>;
          ip-address <ip>;
          netmask <ip>;
          default-gateway <ip>;
          radius-server <ip>;
          radius-secret <value>;
          dns-primary <ip>;
          dns-secondary <ip>;
          ntp-server-1 <value>;
          ntp-server-2 <value>;
          update-server <value>;
          secure-proxy-server <value>;
          secure-proxy-port 1-65535;
          service {
            disable-http yes|no;
            disable-https yes|no;
            disable-telnet yes|no;
            disable-ssh yes|no;
            disable-icmp yes|no;
          }

timezone W-SU|CST6CDT|Japan|Portugal|Hongkong|Mideast|Mideast/ Riyadh87|Mideast/Riyadh88|Mideast/Riyadh89|Eire|Poland|Factory|GBEire|America|America/Port_of_Spain|America/Indiana|America/Indiana/ Vevay|America/Indiana/Indianapolis|America/Indiana/Marengo|America/Indiana/ Knox|America/St_Johns|America/Grand_Turk|America/Tijuana|America/ Toronto|America/Araguaina|America/Virgin|America/El_Salvador|America/ Coral_Harbour|America/Jujuy|America/Mexico_City|America/Guyana|America/ Cayman|America/Ensenada|America/Fortaleza|America/Iqaluit|America/ Boa_Vista|America/Chihuahua|America/Nome|America/Cancun|America/ Cayenne|America/Recife|America/Panama|America/Caracas|America/ Costa_Rica|America/Cambridge_Bay|America/Martinique|America/ Yellowknife|America/Godthab|America/Sao_Paulo|America/Edmonton|America/ Fort_Wayne|America/Danmarkshavn|America/Barbados|America/Dawson|America/ Thunder_Bay|America/Tegucigalpa|America/Chicago|America/Guadeloupe|America/ Grenada|America/Anguilla|America/Kentucky|America/Kentucky/ Monticello|America/Kentucky/Louisville|America/Argentina|America/Argentina/ Jujuy|America/Argentina/Ushuaia|America/Argentina/Catamarca|America/ Argentina/San_Juan|America/Argentina/Mendoza|America/Argentina/ La_Rioja|America/Argentina/Buenos_Aires|America/Argentina/Tucuman|America/ Argentina/ComodRivadavia|America/Argentina/Cordoba|America/Argentina/ Rio_Gallegos|America/Mazatlan|America/Regina|America/Montevideo|America/ Catamarca|America/Los_Angeles|America/Campo_Grande|America/Aruba|America/ Manaus|America/Knox_IN|America/Rosario|America/St_Lucia|America/ Hermosillo|America/Denver|America/Detroit|America/Santiago|America/ Shiprock|America/Cuiaba|America/Dominica|America/Porto_Acre|America/ Curacao|America/Belize|America/Merida|America/Swift_Current|America/ Antigua|America/Adak|America/Indianapolis|America/Belem|America/ Miquelon|America/Louisville|America/Bogota|America/New_York|America/ Boise|America/Scoresbysund|America/Mendoza|America/Goose_Bay|America/ 
Yakutat|America/Eirunepe|America/Winnipeg|America/Buenos_Aires|America/Menominee|America/Paramaribo|America/Thule|America/Montreal|America/Jamaica|America/Monterrey|America/St_Thomas|America/Rio_Branco|America/Lima|America/Juneau|America/La_Paz|America/Vancouver|America/Rankin_Inlet|America/Puerto_Rico|America/St_Kitts|America/Halifax|America/Guayaquil|America/Inuvik|America/Noronha|America/Nassau|America/Port-au-Prince|America/Guatemala|America/Glace_Bay|America/Nipigon|America/Cordoba|America/Bahia|America/Asuncion|America/Maceio|America/Atka|America/North_Dakota|America/North_Dakota/Center|America/Managua|America/Anchorage|America/Montserrat|America/Tortola|America/Dawson_Creek|America/Santo_Domingo|America/Pangnirtung|America/Whitehorse|America/St_Vincent|America/Porto_Velho|America/Havana|America/Phoenix|America/Rainy_River|
Indian|Indian/Christmas|Indian/Reunion|Indian/Comoro|Indian/Cocos|Indian/Mauritius|Indian/Antananarivo|Indian/Mahe|Indian/Mayotte|Indian/Kerguelen|Indian/Chagos|Indian/Maldives|GMT0|
Canada|Canada/Yukon|Canada/Saskatchewan|Canada/Central|Canada/Eastern|Canada/East-Saskatchewan|Canada/Atlantic|Canada/Pacific|Canada/Mountain|Canada/Newfoundland|MET|ROK|
US|US/Alaska|US/East-Indiana|US/Central|US/Eastern|US/Samoa|US/Arizona|US/Pacific|US/Aleutian|US/Hawaii|US/Mountain|US/Michigan|US/Indiana-Starke|MST|
Mexico|Mexico/BajaSur|Mexico/General|Mexico/BajaNorte|EST5EDT|
Atlantic|Atlantic/Madeira|Atlantic/Cape_Verde|Atlantic/St_Helena|Atlantic/Stanley|Atlantic/South_Georgia|Atlantic/Jan_Mayen|Atlantic/Azores|Atlantic/Reykjavik|Atlantic/Canary|Atlantic/Faeroe|Atlantic/Bermuda|HST|
Antarctica|Antarctica/McMurdo|Antarctica/Davis|Antarctica/South_Pole|Antarctica/Vostok|Antarctica/Rothera|Antarctica/Mawson|Antarctica/DumontDUrville|Antarctica/Palmer|Antarctica/Casey|Antarctica/Syowa|UTC|Iceland|
Pacific|Pacific/Honolulu|Pacific/Truk|Pacific/Niue|Pacific/Wake|Pacific/Apia|Pacific/Majuro|Pacific/Norfolk|Pacific/Efate|Pacific/Enderbury|Pacific/Palau|Pacific/Saipan|Pacific/Nauru|Pacific/Kiritimati|Pacific/Tahiti|Pacific/Guam|Pacific/Tongatapu|Pacific/Fiji|Pacific/Rarotonga|Pacific/Samoa|Pacific/Fakaofo|Pacific/Guadalcanal|Pacific/Port_Moresby|Pacific/Midway|Pacific/Galapagos|Pacific/Yap|Pacific/Johnston|Pacific/Marquesas|Pacific/Noumea|Pacific/Auckland|Pacific/Gambier|Pacific/Kwajalein|Pacific/Kosrae|Pacific/Wallis|Pacific/Easter|Pacific/Chatham|Pacific/Funafuti|Pacific/Pago_Pago|Pacific/Tarawa|Pacific/Pitcairn|Pacific/Ponape|
EET|EST|Greenwich|GMT|Cuba|Brazil|Brazil/Acre|Brazil/East|Brazil/DeNoronha|Brazil/West|Turkey|Arctic|Arctic/Longyearbyen|NZ-CHAT|Zulu|Israel|Jamaica|
Etc|Etc/GMT-14|Etc/GMT+6|Etc/GMT-10|Etc/GMT-2|Etc/GMT-8|Etc/GMT+4|Etc/GMT0|Etc/GMT-12|Etc/GMT+11|Etc/GMT-11|Etc/GMT+12|Etc/UTC|Etc/GMT-3|Etc/Greenwich|Etc/GMT-9|Etc/GMT|Etc/GMT+2|Etc/Zulu|Etc/GMT-4|Etc/GMT+7|Etc/GMT+1|Etc/GMT+8|Etc/GMT-7|Etc/GMT-6|Etc/GMT+10|Etc/GMT-5|Etc/GMT+0|Etc/GMT-1|Etc/GMT+3|Etc/GMT+5|Etc/GMT-13|Etc/UCT|Etc/Universal|Etc/GMT+9|Etc/GMT-0|NZ|
Europe|Europe/Vienna|Europe/Athens|Europe/Tiraspol|Europe/Lisbon|Europe/Rome|Europe/Bratislava|Europe/Andorra|Europe/Sofia|Europe/Kaliningrad|Europe/Zurich|Europe/Belfast|Europe/Oslo|Europe/Samara|Europe/Malta|Europe/Chisinau|Europe/Moscow|Europe/Paris|Europe/Minsk|Europe/Zaporozhye|Europe/Amsterdam|Europe/Tallinn|Europe/Uzhgorod|Europe/Brussels|Europe/Vatican|Europe/Vaduz|Europe/San_Marino|Europe/Nicosia|Europe/Berlin|Europe/Vilnius|Europe/Monaco|Europe/Istanbul|Europe/Belgrade|Europe/Stockholm|Europe/Riga|Europe/Madrid|Europe/Gibraltar|Europe/Copenhagen|Europe/Skopje|Europe/Budapest|Europe/Dublin|Europe/Bucharest|Europe/Helsinki|Europe/Prague|Europe/Sarajevo|Europe/London|Europe/Tirane|Europe/Zagreb|Europe/Kiev|Europe/Warsaw|Europe/Ljubljana|Europe/Simferopol|Europe/Mariehamn|Europe/Luxembourg|Singapore|ROC|Kwajalein|Egypt|PST8PDT|GMT+0|
Asia|Asia/Kuwait|Asia/Kamchatka|Asia/Thimphu|Asia/Macau|Asia/Gaza|Asia/Thimbu|Asia/Pyongyang|Asia/Vladivostok|Asia/Katmandu|Asia/Sakhalin|Asia/Muscat|Asia/Ashkhabad|Asia/Ulan_Bator|Asia/Riyadh|Asia/Riyadh87|Asia/Calcutta|Asia/Yerevan|Asia/Shanghai|Asia/Baghdad|Asia/Makassar|Asia/Oral|Asia/Hong_Kong|Asia/Jayapura|Asia/Omsk|Asia/Almaty|Asia/Saigon|Asia/Magadan|Asia/Chungking|Asia/Hovd|Asia/Brunei|Asia/Novosibirsk|Asia/Dacca|Asia/Qatar|Asia/Ulaanbaatar|Asia/Krasnoyarsk|Asia/Kuching|Asia/Qyzylorda|Asia/Karachi|Asia/Anadyr|Asia/Yakutsk|Asia/Seoul|Asia/Choibalsan|Asia/Macao|Asia/Samarkand|Asia/Yekaterinburg|Asia/Aqtobe|Asia/Riyadh88|Asia/Nicosia|Asia/Pontianak|Asia/Urumqi|Asia/Irkutsk|Asia/Taipei|Asia/Harbin|Asia/Istanbul|Asia/Colombo|Asia/Tel_Aviv|Asia/Jakarta|Asia/Amman|Asia/Bahrain|Asia/Tokyo|Asia/Chongqing|Asia/Ashgabat|Asia/Singapore|Asia/Aqtau|Asia/Baku|Asia/Bishkek|Asia/Dili|Asia/Tbilisi|Asia/Beirut|Asia/Riyadh89|Asia/Damascus|Asia/Aden|Asia/Dubai|Asia/Manila|Asia/Vientiane|Asia/Tehran|Asia/Kashgar|Asia/Dushanbe|Asia/Kabul|Asia/Bangkok|Asia/Rangoon|Asia/Jerusalem|Asia/Dhaka|Asia/Kuala_Lumpur|Asia/Tashkent|Asia/Phnom_Penh|Asia/Ujung_Pandang|CET|PRC|
Africa|Africa/Kinshasa|Africa/Ndjamena|Africa/Mbabane|Africa/Lagos|Africa/El_Aaiun|Africa/Douala|Africa/Kampala|Africa/Mogadishu|Africa/Tripoli|Africa/Conakry|Africa/Niamey|Africa/Asmera|Africa/Khartoum|Africa/Lubumbashi|Africa/Kigali|Africa/Johannesburg|Africa/Blantyre|Africa/Malabo|Africa/Gaborone|Africa/Lome|Africa/Algiers|Africa/Addis_Ababa|Africa/Brazzaville|Africa/Dakar|Africa/Nairobi|Africa/Cairo|Africa/Banjul|Africa/Bamako|Africa/Bissau|Africa/Libreville|Africa/Sao_Tome|Africa/Casablanca|Africa/Timbuktu|Africa/Nouakchott|Africa/Freetown|Africa/Monrovia|Africa/Ceuta|Africa/Dar_es_Salaam|Africa/Lusaka|Africa/Abidjan|Africa/Bujumbura|Africa/Maseru|Africa/Bangui|Africa/Windhoek|Africa/Accra|Africa/Djibouti|Africa/Ouagadougou|Africa/Porto-Novo|Africa/Tunis|Africa/Maputo|Africa/Harare|Africa/Luanda|UCT|GB|Universal|
Australia|Australia/Hobart|Australia/Lord_Howe|Australia/Perth|Australia/South|Australia/Yancowinna|Australia/Currie|Australia/Tasmania|Australia/Queensland|Australia/NSW|Australia/Lindeman|Australia/Melbourne|Australia/Adelaide|Australia/Victoria|Australia/Canberra|Australia/West|Australia/Brisbane|Australia/Broken_Hill|Australia/Darwin|Australia/ACT|Australia/North|Australia/Sydney|Australia/LHI|
Iran|WET|Libya|MST7MDT|Chile|Chile/EasterIsland|Chile/Continental|GMT-0|Navajo; } } } } }

Appendix B PAN-OS CLI KEYBOARD SHORTCUTS


This appendix lists the keyboard shortcuts and Editor Macros (EMACS) commands supported in the PAN-OS CLI.

Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the Esc key.

Table 6 lists the keyboard shortcuts.

Table 6. Keyboard Shortcuts

Item                                          Description

Commands for Moving
beginning-of-line (C-a)                       Move to the start of the current line.
end-of-line (C-e)                             Move to the end of the line.
forward-char (C-f)                            Move forward a character.
backward-char (C-b)                           Move back a character.
forward-word (M-f)                            Move forward to the end of the next word. Words consist of alphanumeric characters (letters and digits).
backward-word (M-b)                           Move back to the start of this, or the previous, word. Words consist of alphanumeric characters (letters and digits).
clear-screen (C-l)                            Clear the screen and place the current line at the top of the screen. If an argument is included, refresh the current line without clearing the screen.

Commands for Manipulating Command History
accept-line (Newline, Return)                 Accept the line regardless of where the cursor is. If the line is nonempty, add it to the history list. If the line is a modified history line, then restore the history line to its original state.
previous-history (C-p)                        Fetch the previous command from the history list, moving back in the list.
next-history (C-n)                            Fetch the next command from the history list, moving forward in the list.
beginning-of-history (M-<)                    Move to the first line in the history.
end-of-history (M->)                          Move to the end of the input history (the line currently being entered).
reverse-search-history (C-r)                  Search backward starting at the current line and moving up through the history as necessary. This is an incremental search.
forward-search-history (C-s)                  Search forward starting at the current line and moving down through the history as necessary. This is an incremental search.
non-incremental-reverse-search-history (M-p)  Search backward through the history starting at the current line using a non-incremental search for a string supplied by the user.
non-incremental-forward-search-history (M-n)  Search forward through the history using a non-incremental search for a string supplied by the user.

Commands for Changing Text
delete-char (C-d)                             Delete the character under the cursor. If point is at the beginning of the line, there are no characters in the line, and the last character typed was not C-d, then return EOF.
backward-delete-char (backspace)              Delete the character behind the cursor.
transpose-chars (C-t)                         Drag the character before point forward over the character at point. Point moves forward as well. If point is at the end of the line, then transpose the two characters before point.
transpose-words (M-t)                         Drag the word behind the cursor past the word in front of the cursor moving the cursor over that word as well.
upcase-word (M-u)                             Make the current (or following) word uppercase. With a negative argument, do the previous word, but do not move point.
downcase-word (M-l)                           Make the current (or following) word lowercase. With a negative argument, change the previous word, but do not move point.
capitalize-word (M-c)                         Capitalize the current (or following) word. With a negative argument, do the previous word, but do not move point.

Deleting and Yanking Text
kill-line (C-k)                               Delete the text from the current cursor position to the end of the line.
backward-kill-line (C-x backspace)            Delete backward to the beginning of the line.
unix-line-discard (C-u)                       Delete backward from point to the beginning of the line.
kill-word (M-d)                               Delete from the cursor to the end of the current word, or if between words, to the end of the next word. Word boundaries are the same as those used by forward-word.
backward-kill-word (M-backspace)              Delete the word behind the cursor. Word boundaries are the same as those used by backward-word.
unix-word-backspace (C-w)                     Delete the word behind the cursor, using white space as a word boundary. The word boundaries are different from backward-kill-word.
yank (C-y)                                    Place the top of the deleted section into the buffer at the cursor.
yank-pop (M-y)                                Rotate the kill-ring, and yank the new top. Only works following yank or yank-pop.

Completing Commands
complete (TAB)                                Attempt to perform completion on the text before point.
possible-completions (?)                      List the possible completions of the text before point.

Performing Miscellaneous Functions
undo (C-_, C-x C-u)                           Perform an incremental undo, separately remembered for each line.
revert-line (M-r)                             Undo all changes made to this line. This is like typing the undo command enough times to return the line to its initial state.

Table 7 lists the EMACS commands.

Table 7. EMACS Commands

Command   Description

Emacs Standard bindings
C-A       beginning-of-line
C-B       backward-char
C-D       delete-char
C-E       end-of-line
C-F       forward-char
C-G       abort
C-H       backward-delete-char
C-I       complete
C-J       accept-line
C-K       kill-line
C-L       clear-screen
C-M       accept-line
C-N       next-history
C-P       previous-history
C-R       reverse-search-history
C-S       forward-search-history
C-T       transpose-chars
C-U       unix-line-discard
C-W       unix-word-backspace
C-Y       yank
C-_       undo

Emacs Meta bindings
M-C-H     backward-kill-word
M-C-R     revert-line
M-<       beginning-of-history
M->       end-of-history
?         possible-completions
M-B       backward-word
M-C       capitalize-word
M-D       kill-word
M-F       forward-word
M-L       downcase-word
M-N       non-incremental-forward-search-history
M-P       non-incremental-reverse-search-history
M-R       revert-line
M-T       transpose-words
M-U       upcase-word
M-Y       yank-pop


