Saturday, July 11, 2020

Palo Alto firewall - CLI Commands Cheat Sheet


    A collection of PAN-OS CLI operational commands, grouped by area.

    • Device Management

    ※ CLI Cheat Sheet: Device Management (PAN-OS CLI Quick Start)

    show system info
    show system disk-space
    show system logdb-quota
    show system software status

    ▶ Display CPU information

    show system resources
    - shows management-plane (MP) CPU and memory, in top-style output
    show running resource-monitor
    - shows dataplane CPU

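    The MP figures above come back as a Linux `top`-style header, so a quick way to keep an eye on them from a script is to parse that header. The block below is an added example for this cheat sheet, not code from the original page or from Palo Alto Networks; SAMPLE is a constructed capture in the `top` layout the command prints, and the core count and thresholds are assumptions to adjust per model.

```python
"""Parse the top-style output of `show system resources` and flag management-plane pressure.

Added example for this cheat sheet, not code from the original page or from
Palo Alto Networks. SAMPLE is a constructed header in the Linux `top` layout the
command prints; the thresholds and the CPU count are assumptions to adjust per model.
"""
import re

# Constructed sample output (not captured from a real firewall).
SAMPLE = """top - 09:41:17 up 12 days,  3:02,  1 user,  load average: 3.85, 2.10, 1.40
Tasks: 187 total,   2 running, 185 sleeping,   0 stopped,   0 zombie
%Cpu(s): 71.3 us,  9.2 sy,  0.0 ni, 15.1 id,  3.9 wa,  0.0 hi,  0.5 si,  0.0 st
KiB Mem :  8075296 total,   321616 free,  5129144 used,  2624536 buff/cache
KiB Swap:        0 total,        0 free,        0 used.  2311264 avail Mem
"""

LOAD_RE = re.compile(r"load average:\s*([\d.]+),\s*([\d.]+),\s*([\d.]+)")
CPU_RE = re.compile(r"([\d.]+)\s+(us|sy|ni|id|wa|hi|si|st)\b")
MEM_RE = re.compile(r"Mem\s*:\s*(\d+) total,\s*(\d+) free,\s*(\d+) used")


def parse_resources(text):
    """Return load averages, per-state CPU percentages and memory use from one capture."""
    m = LOAD_RE.search(text)
    if not m:
        raise ValueError("no 'load average' line in capture")
    load = tuple(float(x) for x in m.groups())

    cpu = {}
    for line in text.splitlines():
        # Both "%Cpu(s):" (newer top) and "Cpu(s):" (older) carry the same fields.
        if line.lstrip("%").startswith("Cpu"):
            cpu = {state: float(pct) for pct, state in CPU_RE.findall(line)}

    mem = None
    mm = MEM_RE.search(text)
    if mm:
        total, free, used = (int(x) for x in mm.groups())
        mem = {"total_kib": total, "used_kib": used,
               "used_pct": round(100.0 * used / total, 1)}
    return {"load": load, "cpu": cpu, "mem": mem}


def mp_health(text, ncpu=2, idle_floor=20.0, mem_ceiling=85.0):
    """Return a list of findings; empty means the MP looks healthy under the given thresholds."""
    r = parse_resources(text)
    findings = []
    if r["load"][0] > ncpu:
        findings.append(f"1-min load {r['load'][0]} exceeds {ncpu} MP cores")
    idle = r["cpu"].get("id")
    if idle is not None and idle < idle_floor:
        findings.append(f"CPU idle {idle}% below {idle_floor}%")
    if r["mem"] and r["mem"]["used_pct"] > mem_ceiling:
        findings.append(f"memory {r['mem']['used_pct']}% used, above {mem_ceiling}%")
    return findings


if __name__ == "__main__":
    for f in mp_health(SAMPLE) or ["management plane OK"]:
        print(f)
```

    Feed it the text you copy out of an SSH session (or fetch through whatever automation you already use); the load-average check is compared against the number of MP cores, which differs per platform, so set `ncpu` for the model you are looking at.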

    request license info
    show jobs processed

    show session info
    show session all
    show session all filter
    show session meter
    show session id session-id
    show running security-policy
    less mp-log authd.log
    request restart system
    show admins
    show admins all
    delete admin-sessions username
    set deviceconfig system type dhcp-client accept-dhcp-domain accept-dhcp-hostname send-client-id send-hostname



    • Policies

    ▶ Security

    - Show the running security policy:
    show running security-policy

    - Test which security rule a flow would hit:
    test security-policy-match


    ▶ NAT

    - Show the NAT policy table:
    show running nat-policy

    - Test the NAT policy:
    test nat-policy-match

    - Show NAT pool utilization:
    show running ippool
    show running global-ippool



    ▶ PBF

    show pbf rule name <value>
    show pbf rule all
    show pbf return-mac name <value>
    show pbf return-mac all


    • Networking

    ※ CLI Cheat Sheet: Networking (PAN-OS CLI Quick Start)

    ▶ System

    set system setting arp-cache-timeout
    show system setting arp-cache-timeout



    ▶ VPN (IPSec)

    show vpn flow
    show vpn gateway
    show vpn ike-sa
    show vpn ipsec-sa
    show vpn tunnel
    test vpn ike-sa gateway
    test vpn ipsec-sa tunnel


    ▶ Routing

    show routing route
    show routing fib virtual-router name | match x.x.x.x

    show routing bfd active-profile [<name>]
    show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id <id>] [virtual-router <name>]
    show routing bfd drop-counters session-id <id>
    show counter global | match bfd
    clear routing bfd counters session-id all | <id>
    clear routing bfd session-state session-id all | <id>

    set session pvst-native-vlan-id
    set session drop-stp-packet
    show vlan all
    show counter global




    ▶ Troubleshooting

    ping host destination-ip-address
    ping source ip-address-on-dataplane host destination-ip-address
    traceroute host <remote-host>
    show netstat statistics yes



    • User-ID

    ※ CLI Cheat Sheet: User-ID (PAN-OS CLI Quick Start)

    debug user-id log-ip-user-mapping yes
    debug user-id log-ip-user-mapping no
    show user user-id-agent state all
    show user server-monitor state all
    show user server-monitor statistics
    show user user-id-agent config name
    show user group-mapping statistics
    show user group-mapping state all
    show user group list
    show user group name
    show user ip-user-mapping all
    show user ip-user-mapping all | match \\
    show user ip-user-mapping ip
    show user user-ids
    show log userid datasourcename equal <name> direction equal backward
    show log userid datasourcetype equal <type>
    show log userid datasourcetype equal kerberos
    show log userid datasource equal <source>
    show log userid datasourcetype equal xml-api
    show user email-lookup
    show user email-lookup base "DC=lab,DC=sg,DC=acme,DC=local" bind-dn "CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local" bind-password acme use-ssl no email [email protected] mail-attribute mail server 10.1.1.1 server-port 389 labsg\user1
    clear user-cache all
    clear user-cache ip
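    The `show user ip-user-mapping all` table is what most User-ID troubleshooting starts from, and the `| match \\` variant above simply keeps the rows whose user carries a DOMAIN\ prefix. The block below, an added example for this cheat sheet and not code from the original page or from Palo Alto Networks, parses a constructed copy of that table and answers the three questions usually asked of it: which source each mapping came from, which users lack a domain prefix, and which mappings are about to time out. The column layout, source names and the DOMAIN\user convention in SAMPLE are assumptions.

```python
"""Parse `show user ip-user-mapping all` output and summarise the mappings.

Added example for this cheat sheet, not code from the original page or from
Palo Alto Networks. SAMPLE is a constructed table in the column layout the
command prints (IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s)); the
source names and the domain-prefix convention are assumptions.
"""
from collections import Counter

# Constructed sample output (not captured from a real firewall).
SAMPLE = r"""IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.1.5        vsys1  AD      acme\user1                       2577           2577
10.1.1.6        vsys1  AD      acme\svc_backup                  120            2700
10.1.1.7        vsys1  XMLAPI  contractor42                     1800           1800
10.1.2.9        vsys2  GP      acme\user2                       2400           2700
Total: 4 users
"""


def parse_mappings(text):
    """Turn the whitespace-aligned table into a list of dicts, skipping header, rule and footer lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue  # header, dashed rule, "Total:" footer or anything else malformed
        ip, vsys, source, user, idle, maximum = parts
        rows.append({"ip": ip, "vsys": vsys, "from": source, "user": user,
                     "idle": int(idle), "max": int(maximum)})
    return rows


def by_source(rows):
    """Count mappings per learning source (AD, GP, XMLAPI, ...)."""
    return dict(Counter(r["from"] for r in rows))


def undomained(rows):
    """Users without a domain prefix (no backslash): the complement of the CLI's backslash match."""
    return [r for r in rows if "\\" not in r["user"]]


def expiring(rows, within=300):
    """Mappings whose idle timeout will lapse within `within` seconds unless refreshed."""
    return [r["user"] for r in rows if r["idle"] <= within]


if __name__ == "__main__":
    rows = parse_mappings(SAMPLE)
    print("per source:", by_source(rows))
    print("no domain prefix:", [r["user"] for r in undomained(rows)])
    print("expiring soon:", expiring(rows))
```

    Mappings with no domain prefix are worth a second look when all of your sources are expected to produce DOMAIN\user names, since they will not match domain-qualified group mappings; the expiring list tells you which users will lose their policy match unless the source refreshes the entry.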



    • HA

    ※ CLI Cheat Sheet: HA (PAN-OS CLI Quick Start)

    show high-availability cluster all
    show high-availability cluster flap-statistics
    show high-availability cluster ha4-status
    show high-availability cluster ha4-backup-status
    show high-availability cluster session-synchronization
    show high-availability cluster state
    show high-availability cluster statistics
    clear high-availability cluster statistics
    request high-availability cluster clear-cache
    request high-availability cluster sync-from
    show high-availability interface ha2 | match bytes
    request high-availability state suspend



    • VSYS

    ※ CLI Cheat Sheet: VSYS (PAN-OS CLI Quick Start)

    show system info | match vsys
    set system setting target-vsys ?
    set system setting target-vsys vsys-name
    set system setting target-vsys vsys2
    show session meter
    show user ip-user-mapping all
    set system setting target-vsys none


    • Panorama

    ※ CLI Cheat Sheet: Panorama (PAN-OS CLI Quick Start)

    show system info | match system-mode
    request system system-mode logger
    request system system-mode panurldb
    request system system-mode panorama
    request system system-mode legacy

    set cli config-output-mode set
    show device-group branch-offices
    set panorama [off | on]
    request high-availability sync-to-remote [running-config | candidate-config]
    request batch reboot [devices | log-collectors]
    set dlsrvr poll-interval

    show devicegroups name
    show templates name
    show config pushed-shared-policy
    show config pushed-template

    debug log-collector log-collection-stats show incoming-logs
    debug log-collector log-collection-stats show log-forwarding-stats
    show logging-status device
    clear log [acc | alarm | config | hipmatch | system | threat | traffic]



    * Reference links:

    ▶ PAN-OS 10.1 CLI Ops Command Hierarchy
    ▶ PAN-OS 10.1 Configure CLI Command Hierarchy



