Difference between revisions of "Useful commands"

From Tech-Wiki
(Created page with "Category:Palo Alto Executing ping: ping host xxx.xxx.xxx.xxx Sample log filter to use in GUI: (addr.src in 192.168.1.10) and (port.dst eq 21) Getting performance stat...")
 
 
(17 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
[[Category:Palo Alto]]
 
[[Category:Palo Alto]]
  
Executing ping:
+
Executing ping/traceroute:
 
  ping host xxx.xxx.xxx.xxx
 
  ping host xxx.xxx.xxx.xxx
 +
traceroute host xxx.xxx.xxx.xxx
  
Sample log filter to use in GUI:
+
To get interfaces and MAC address:
  (addr.src in 192.168.1.10) and (port.dst eq 21)
+
  show interface all
 +
show arp all
  
Getting performance status:
+
Display routing table:
  show system statistics session
+
  show routing route
show system resources
+
show running resource-monitor
+
  
show session all filter state active
+
Getting system information:
show session id 35299
+
show system info
 +
show system logdb-quota
  
# validate full
+
Getting performance status:
# exit
+
show system statistics session    (Throughput)
> show jobs id xxx
+
show system resources            (Top equivalent)
# commit
+
show running resource-monitor    (Historical)
# commit partial ?
+
# commit partial vsys vsys1 device-and-network excluded
+
  
 +
Sample log filter examples to use in GUI:
 +
(addr.src in 192.168.1.10) and (port.dst eq 21)
 +
(from/member eq 'trust') and (source/member eq 'Host1')
  
Check pending changes:
+
Reading the system log:
  Click on the Device tab > Config audit
+
  less mp-log master.log
Select a candidate config on the right
+
  
 +
Validate if specified traffic will match any firewall/nat rule
 +
test security-policy-match from trust to untrust source 10.4.70.48 destination 200.1.2.100 destination-port 80 protocol 6
 +
test nat-policy-match source 10.1.0.1 destination 200.1.2.100 destination-port 21 protocol 6
  
If your GUI is presenting some slowness, you can restart the management plane with no impact in your traffic:
+
To view current host objects based on FQDN or to update the list:
  debug software restart management-server
+
  show dns-proxy fqdn all
 +
request system fqdn show
 +
request system fqdn refresh force yes
  
If you are experiencing Commit slowness or failed, you can also restart the management plane with no impact in your traffic:
+
Display current connections through the firewall and get detailed info for a specific one:
  debug software restart device-server
+
  show session all filter state active
  debug software restart log-receiver
+
  show session id xxxxx
  
request system fqdn refresh force yes
+
Filtering and closing active connections:
request system fqdn show
+
show session all filter source x.x.x.x
 +
show session all filter application xxxxxx
 +
clear session id xxxxx
  
 +
Change the virtual system
 +
set system setting target-vsys ?
  
show routing route
+
To commit the candidate version of configuration:
 +
commit partial vsys vsys1 device-and-network excluded
  
To get MAC address:
+
Check pending changes:
  show interface all
+
  Click on the Device tab > Config audit
  show arp all
+
  Select a candidate config on the right
 
+
Validate if specified traffic will match any firewall/nat rule
+
test security-policy-match from trust to untrust source 10.4.70.48 destination 200.1.2.100 destination-port 80 protocol 6
+
test nat-policy-match source 10.1.0.1 destination 200.1.2.100 destination-port 21 protocol 6
+
  
Performing a packet capture (sniffering)
+
To validate if the candidate version is consistent (validating syntax and semantics):
  debug dataplane packet-diag clear filter all
+
  > configure
  debug dataplane packet-diag clear capture all
+
  # validate full
  debug dataplane packet-diag set filter match source 10.1.1.100 destination 200.1.1.100
+
  > show jobs id xxxx
debug dataplane packet-diag set filter match destination-port 80
+
debug dataplane packet-diag set filter on
+
debug dataplane packet-diag show setting
+
debug dataplane packet-diag set capture stage transmit file filename_transmit
+
debug dataplane packet-diag set capture stage receive file filename_receive
+
debug dataplane packet-diag set capture stage firewall file filename_firewall
+
debug dataplane packet-diag set capture stage drop file filename_drop
+
  
  debug dataplane packet-diag set capture on
+
To commit even with errors:
 +
  commit force
  
  view-pcap filter-pcap filename_firewall
+
Troubleshoot IPSec VPN issues:
  view-pcap follow yes filter-pcap filename_transmit
+
  show vpn gateway
 +
show vpn ike-sa
 +
debug ike global on debug
 +
  less mp--log ikemgr.log
  
  debug dataplane packet-diag set capture off
+
Reboot/Shutdown the device
  debug dataplane packet-diag set filter off
+
  request restart/shutdown system
 +
  On GUI click on Device tab > Setup link > Operations tab
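Review bot: in the added IPSec block, `less mp--log ikemgr.log` has a doubled hyphen, while the added system-log entry uses `less mp-log master.log`; the two should match. The added validation sequence also goes from `# validate full` straight to `> show jobs id xxxx`, dropping the `# exit` the earlier revision had after `# validate full`, so the return to operational mode is no longer shown. The new revision also no longer carries the packet-capture (`debug dataplane packet-diag ...`) and `debug software restart ...` entries from the earlier revision; if that removal is intended, the edit summary should say so.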

Latest revision as of 22:22, 25 May 2021


Executing ping/traceroute:

ping host xxx.xxx.xxx.xxx
traceroute host xxx.xxx.xxx.xxx

To get interfaces and MAC address:

show interface all
show arp all

Display routing table:

show routing route

Getting system information:

show system info
show system logdb-quota

Getting performance status:

show system statistics session    (Throughput)
show system resources             (Top equivalent)
show running resource-monitor     (Historical)

Sample log filter examples to use in GUI:

(addr.src in 192.168.1.10) and (port.dst eq 21)
(from/member eq 'trust') and (source/member eq 'Host1')

Reading the system log:

less mp-log master.log

Validate whether specified traffic will match any firewall/NAT rule:

test security-policy-match from trust to untrust source 10.4.70.48 destination 200.1.2.100 destination-port 80 protocol 6
test nat-policy-match source 10.1.0.1 destination 200.1.2.100 destination-port 21 protocol 6

To view current host objects based on FQDN or to update the list:

show dns-proxy fqdn all
request system fqdn show
request system fqdn refresh force yes

Display current connections through the firewall and get detailed info for a specific one:

show session all filter state active
show session id xxxxx

Filtering and closing active connections:

show session all filter source x.x.x.x
show session all filter application xxxxxx
clear session id xxxxx

Change the virtual system:

set system setting target-vsys ?

To commit the candidate version of configuration:

commit partial vsys vsys1 device-and-network excluded 

Check pending changes:

Click on the Device tab > Config audit
Select a candidate config on the right

To validate if the candidate version is consistent (validating syntax and semantics):

> configure
# validate full
# exit
> show jobs id xxxx

To commit even with errors:

commit force

Troubleshoot IPSec VPN issues:

show vpn gateway
show vpn ike-sa
debug ike global on debug
less mp-log ikemgr.log

Reboot/shut down the device:

request restart system
request shutdown system
In the GUI, click the Device tab > Setup link > Operations tab