Difference between revisions of "Useful commands"

From Tech-Wiki
Jump to: navigation, search
(Created page with "Category:Palo Alto Executing ping: ping host xxx.xxx.xxx.xxx Sample log filter to use in GUI: (addr.src in 192.168.1.10) and (port.dst eq 21) Getting performance stat...")
 
 
(17 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
[[Category:Palo Alto]]
 
[[Category:Palo Alto]]
  
Executing ping:
+
Executing ping/traceroute:
 
  ping host xxx.xxx.xxx.xxx
 
  ping host xxx.xxx.xxx.xxx
 +
traceroute host xxx.xxx.xxx.xxx
  
Sample log filter to use in GUI:
+
To get interfaces and MAC address:
  (addr.src in 192.168.1.10) and (port.dst eq 21)
+
  show interface all
 +
show arp all
  
Getting performance status:
+
Display routing table:
  show system statistics session
+
  show routing route
show system resources
+
show running resource-monitor
+
  
show session all filter state active
+
Getting system information:
show session id 35299
+
show system info
 +
show system logdb-quota
  
# validate full
+
Getting performance status:
# exit
+
show system statistics session    (Throughput)
> show jobs id xxx
+
show system resources            (Top equivalent)
# commit
+
show running resource-monitor    (Historical)
# commit partial ?
+
# commit partial vsys vsys1 device-and-network excluded
+
  
 +
Sample log filter examples to use in GUI:
 +
(addr.src in 192.168.1.10) and (port.dst eq 21)
 +
(from/member eq 'trust') and (source/member eq 'Host1')
  
Check pending changes:
+
Reading the system log:
  Click on the Device tab > Config audit
+
  less mp-log master.log
Select a candidate config on the right
+
  
 +
Validate if specified traffic will match any firewall/nat rule
 +
test security-policy-match from trust to untrust source 10.4.70.48 destination 200.1.2.100 destination-port 80 protocol 6
 +
test nat-policy-match source 10.1.0.1 destination 200.1.2.100 destination-port 21 protocol 6
  
If your GUI is presenting some slowness, you can restart the management plane with no impact in your traffic:
+
To view current host objects based on FQDN or to update the list:
  debug software restart management-server
+
  show dns-proxy fqdn all
 +
request system fqdn show
 +
request system fqdn refresh force yes
  
If you are experiencing Commit slowness or failed, you can also restart the management plane with no impact in your traffic:
+
Display current connections through the firewall and get detailed info for a specific one:
  debug software restart device-server
+
  show session all filter state active
  debug software restart log-receiver
+
  show session id xxxxx
  
request system fqdn refresh force yes
+
Filtering and closing active connections:
request system fqdn show
+
show session all filter source x.x.x.x
 +
show session all filter application xxxxxx
 +
clear session id xxxxx
  
 +
Change the virtual system
 +
set system setting target-vsys ?
  
show routing route
+
To commit the candidate version of configuration:
 +
commit partial vsys vsys1 device-and-network excluded
  
To get MAC address:
+
Check pending changes:
  show interface all
+
  Click on the Device tab > Config audit
  show arp all
+
  Select a candidate config on the right
 
+
Validate if specified traffic will match any firewall/nat rule
+
test security-policy-match from trust to untrust source 10.4.70.48 destination 200.1.2.100 destination-port 80 protocol 6
+
test nat-policy-match source 10.1.0.1 destination 200.1.2.100 destination-port 21 protocol 6
+
  
Performing a packet capture (sniffering)
+
To validate if the candidate version is consistent (validating syntax and semantics):
  debug dataplane packet-diag clear filter all
+
  > configure
  debug dataplane packet-diag clear capture all
+
  # validate full
  debug dataplane packet-diag set filter match source 10.1.1.100 destination 200.1.1.100
+
  > show jobs id xxxx
debug dataplane packet-diag set filter match destination-port 80
+
debug dataplane packet-diag set filter on
+
debug dataplane packet-diag show setting
+
debug dataplane packet-diag set capture stage transmit file filename_transmit
+
debug dataplane packet-diag set capture stage receive file filename_receive
+
debug dataplane packet-diag set capture stage firewall file filename_firewall
+
debug dataplane packet-diag set capture stage drop file filename_drop
+
  
  debug dataplane packet-diag set capture on
+
To commit even with errors:
 +
  commit force
  
  view-pcap filter-pcap filename_firewall
+
Troubleshoot IPSec VPN issues:
  view-pcap follow yes filter-pcap filename_transmit
+
  show vpn gateway
 +
show vpn ike-sa
 +
debug ike global on debug
 +
  less mp--log ikemgr.log
  
  debug dataplane packet-diag set capture off
+
Reboot/Shutdown the device
  debug dataplane packet-diag set filter off
+
  request restart/shutdown system
 +
  On GUI click on Device tab > Setup link > Operations tab

Latest revision as of 21:22, 25 May 2021


Executing ping/traceroute:

ping host xxx.xxx.xxx.xxx
traceroute host xxx.xxx.xxx.xxx

To get interfaces and MAC address:

show interface all
show arp all

Display routing table:

show routing route

Getting system information:

show system info
show system logdb-quota

Getting performance status:

show system statistics session    (Throughput)
show system resources             (Top equivalent)
show running resource-monitor     (Historical)

Sample log filter examples to use in GUI:

(addr.src in 192.168.1.10) and (port.dst eq 21)
(from/member eq 'trust') and (source/member eq 'Host1')

Reading the system log:

less mp-log master.log

Validate if specified traffic will match any firewall/nat rule

test security-policy-match from trust to untrust source 10.4.70.48 destination 200.1.2.100 destination-port 80 protocol 6
test nat-policy-match source 10.1.0.1 destination 200.1.2.100 destination-port 21 protocol 6

To view current host objects based on FQDN or to update the list:

show dns-proxy fqdn all
request system fqdn show
request system fqdn refresh force yes

Display current connections through the firewall and get detailed info for a specific one:

show session all filter state active
show session id xxxxx

Filtering and closing active connections:

show session all filter source x.x.x.x
show session all filter application xxxxxx
clear session id xxxxx

Change the virtual system

set system setting target-vsys ?

To commit the candidate version of configuration:

commit partial vsys vsys1 device-and-network excluded 

Check pending changes:

Click on the Device tab > Config audit
Select a candidate config on the right

To validate if the candidate version is consistent (validating syntax and semantics):

> configure
# validate full
> show jobs id xxxx

To commit even with errors:

commit force

Troubleshoot IPSec VPN issues:

show vpn gateway
show vpn ike-sa
debug ike global on debug
less mp--log ikemgr.log

Reboot/Shutdown the device

request restart/shutdown system
On GUI click on Device tab > Setup link > Operations tab