Saturday, May 15, 2021

Palo Alto firewall - How to check installed SFP modules


▶ To check the SFP module on the firewall, run the following command via the CLI:


> show system state filter sys.sX.pY.phy
where X=slot=1 and Y=port=21 for interface 1/21

show system state filter-pretty sys.s1.p19.phy

The following command shows the SFP module information on a 1Gbps interface.

[email protected](active)> show system state filter-pretty sys.s1.p19.phy

sys.s1.p19.phy: {
  link-partner: { },
  media: SFP-Plus-Fiber,
  sfp: {
    connector: LC,
    encoding: 8B10B,
    identifier: SFP,
    transceiver: 1000B-SX,I dist,SN,
    vendor-name: FINISAR CORP.   ,
    vendor-part-number: FTLF8519P2BCL-EX,
    vendor-part-rev: A   ,
  },
  type: Ethernet,
}


The following command shows the SFP+ module information on a 10Gbps interface.

[email protected](active)> show system state filter-pretty sys.s1.p20.phy

sys.s1.p20.phy: {
  link-partner: { },
  media: SFP-Plus-Fiber,
  sfp: {
    connector: LC,
    encoding: Reserved,
    identifier: SFP,
    transceiver: 10000B-SR,
    vendor-name: AVAGO           ,
    vendor-part-number: AFBR-709SMZ-EX1 ,
    vendor-part-rev: G4.1,
  },
  type: Ethernet,
}
}


  • Typical SFP module output

> show system state filter sys.s1.p19.phy

sys.s1.p19.phy: { 'link-partner': { }, 'media': SFP-Plus-Fiber, 'sfp': { 'connector': 
LC, 'encoding': Reserved, 'identifier': SFP, 'transceiver': 10000B-SR, 'vendor-name': 
OEM , 'vendor-part-number': PAN-SFP-PLUS-SR , 'vendor-part-rev': B4 , }, 'type': 
Ethernet, }


> show system state filter sys.s1.p21.phy

sys.s1.p21.phy: { 'link-partner': { }, 'media': SFP-Plus-Fiber, 'sfp': { 'connector': 
LC, 'encoding': Reserved, 'identifier': SFP, 'transceiver': , 'vendor-name': FINISAR 
CORP.   , 'vendor-part-number': FTLX8574D3BCL   , 'vendor-part-rev':A   , }, 'type': 
Ethernet, }


  • Defective SFP module output

If the output appears similar to the sample below, then the SFP module may be defective:

sys.s1.p21.phy: { 'link-partner': { }, 'media': SFP-Fiber, 'sfp': { 'connector': 
vendor specific, 'encoding': Reserved, 'identifier': SFP, 'transceiver': , 'vendor-
name': yyyyyyyyyyyyyyyy, 'vendor-part-number': yyyyyyyyyyyyyyyy, 'vendor-part-rev':
yyyy, }, 'type': Ethernet, }
 

Note: To verify the above output, unplug the SFP module from the initial SFP port and plug it into another SFP port. Run the same "show system state filter" command as above. If the output is the same, then the module is defective.


The Ethernet interface shows as below.

[email protected](active)> show system state filter-pretty sys.s1.p9.phy

sys.s1.p9.phy: {
  link-partner: { },
  media: CAT5,
  type: Ethernet,
}


▶ To show the HSCI on a PA-3220 you do the following commands.


show system state filter-pretty ha.net.s0.hsci.hwcfg

[email protected](active)> show system state filter-pretty ha.net.s0.hsci.hwcfg

ha.net.s0.hsci.hwcfg: {
  farloop: False,
  link: Up,
  mode: Autoneg,
  mru: 1856,
  nearloop: False,
  pause-frames: True,
  setting: 10Gb/s-full,
  type: SFP-Plus,
}


show system state filter-pretty ha.net.s0.hsci.stats

[email protected](active)> show system state filter-pretty ha.net.s0.hsci.hwcfg

ha.net.s0.hsci.stats: {
  rx-broadcast: 0,
  rx-bytes: 899087084,
  rx-multicast: 0,
  rx-unicast: 0,
  tx-broadcast: 0,
  tx-bytes: 4550650254212,
  tx-multicast: 0,
  tx-unicast: 11013338532,
}


* Reference URL: How to View Currently Installed SFP Modules (login required)


No comments: