PALO ALTO NETWORKS SUPPORT QUICK REFERENCE

GUIDE

COMMAND

DESCRIPTION

4.1

5.x

6.x

General System Health

show system info

Shows the systems management IP, serial #, and code version

show jobs processed

Shows when commits, downloads, upgrades are completed.

show system disk-space

Shows percent usage of disk partitions.

show system logdb-quota

Shows the maximum log file sizes.

show system software status

Shows running processes.

show system resources

Shows processes running in the Management Plane.

show running resource-monitor

Shows the resource utilization in the Dataplane

ping source <IP_addr_src_int> host <IP_addr_host>

Ping from a specified device source interface to destination IP.

ping host <IP>

Ping from the management interface.

show session all filter source <source-IP> destination <destinationIP>

Shows specific sessions in the sessions table for source and

destination IPs.

show session info

Shows usage, pps rates, etc.

show session id <id-number>

Shows session details by entering the session ID number.

Monitor CPUs

Dropped Packet Troubleshooting

Packet Filters and Capture

WARNING: Running debug commands on a production device may cause undesirable results.

debug dataplane packet-diag clear all

debug dataplane packet-diag clear log log

Clear/delete settings and files previously created.

delete debug-filter file *

Removes all packet capture files.

Sets filter with the source IP, destination IP and port to capture
from/to packets.

Configures the different stage of capture types to be executed.

debug dataplane pack-diag show setting

Verifies packet filters are setup correctly.

show counter global filter delta yes packet-filter yes

While test is running, run the command 2-3 times to verify

filtered traffic is being captured.

debug dataplane packet-diag set capture off

Turns off packet capture and filter.

Captures PCAP on management interface.

debug dataplane packet-diag set filter

destination y.y.y.y destination-port
debug dataplane packet-diag set filter
destination x.x.x.x destination-port
debug dataplane packet-diag set filter
debug dataplane
rx.pcap
debug dataplane
tx.pcap
debug dataplane
drop.pcap
debug dataplane
fw.pcap
debug dataplane

match source x.x.x.x

<port-num>
match source y.y.y.y
<port-num>
on

packet-diag set capture stage receive file pantacpacket-diag set capture stage transmit file pantacpacket-diag set capture stage drop file pantacpacket-diag set capture stage firewall file pantacpacket-diag set capture on

tcpdump filter src net <ip/netmask>

tcpdump snaplen 1500 filter src net <ip/netmask>
view-pcap mgmt-pcap mgmt.pcap

Packet Flow Logs

WARNING: Always set specific packet filters to minimize CPU usage. See above Packet Filters and Capture commands.

debug dataplane packet-diag set log feature flow basic

Set packet-diag log to capture flow basic.

debug dataplane packet-diag set log on

Turns on packet-diag log.

debug dataplane packet-diag set log off

Capture traffic then immediately disable packet-diag log.

debug dataplane packet-diag aggregate-logs

Aggregates pack-diag logs to a single file. After disabling

packet-diag log, wait 1-2 minutes before running this command.

less dp-log pan_packet_diag.log

View packet-diag log output. N o te : PA-5000 series writes to

individual dp0-log, dp1-log or dp2-log.

Shows the log statistics, like logging incoming rate, log written
rate, corrupted packets and logs discarded due to a full queue.

less mp-log logrcvr.log

Shows debug logging issues on the device.

debug software restart log-receiver

Restarts log-receiver process.

Goes to the beginning/end of a log.

N o te : Arguments shown with square bracket [] and pipe |
symbols mean choose one of the arguments listed.

show system resources follow

tail follow yes mp-log ms.log

Shows management server messages for commit failures,

updates, licenses, link status, policy details, etc.

tail follow yes mp-log devsrv.log

Shows device server message for commit failures, updates,

licenses, link status, policy details, etc.

Shows the detail authentication logs on the device.

show running nat-policy

Shows current NAT policy table.

show running ippool

show running global-ippool

Shows NAT pool utilization.

Shows routing table.

Log/Forward Device Issues

debug log-receiver statistics

Log Viewing/Deleting
show log [system | traffic | threat] direction equal [forward |
backward]

Monitor Management or Device Server

Authentication Logs
less mp-log authd.log

NAT

Routing
show routing route

v7

COMMAND

DESCRIPTION

4.1

5.x

6.x

Shows current policy set.

Shows agents status. Status should be connected OK and

there should be numbers shown under users, groups, and IPS.

Shows the groups pulled from User-ID Agent.

show user ip-user-mapping all

Shows IP to username mappings.

clear user-cache all

clear user-cache ip <ip/netmask>

Clears user-ID cache.

test url <url or IP>

Tests categorization of a URL on the device.

tail follow yes mp-log pan_bc_download.log

Shows the BrightCloud database update logs.

debug dataplane show url-cache statistics

Shows statistics on the URL cache.

clear url-cache all

show log url direction equal backward

Clears URL cache.

Shows the URL log, most recent entries first.
N o te : Cache contains 100k of the most popular URLs on the
network.

ping host service.brightcloud.com

Tests connectivity to the BrightCloud servers.

show url-cloud status

Check URL cloud status.

test url-resolve-path <url>

test url-info-host <url>
test url-info-cloud <url>

Tests categorization of a URL on Dataplane cache.

Tests categorization of a URL on Management Plane cache.
Tests categorization of a URL on Cloud.

clear url-cache all

clear url-cache url <url>
delete url-database url <url>

Clears URL cache.

Clears URLs from the Dataplane cache.
Clears URLs from the Management Plane cache.

show running url-cache statistics

debug device-server pan-url-db show-stats

Show statistics on URL Dataplane cache.

Show statistics on URL Management Plane cache.

show vpn flow

Shows encap/decap counters.

show vpn gateway

Shows list of IKE gateway configurations.

show vpn ike-sa

Shows IKE Phase 1 SA

show vpn ipsec-sa

Shows IPSEC Phase 2 SA.

show vpn tunnel

Shows list of auto-key IPSec tunnel configurations.

show log system subtype equal vpn direction equal backward

debug ike global on debug
less mp-log ikemgr.log

Shows detail debug information for IPSec tunneling.

show high-availability state

Shows the HA state of the device.

show high-availability all

Shows the HQ settings configured on the device and peer.

show high-availability state-synchronization

Shows if the devices are synchronized.

request high-availability state suspend

Suspends active device and makes passive device active.

request high-availability state functional

Changes the state from suspend to passive.

request restart system

Reboots the system.

request content upgrade

> check
> download
> info
> install

Upgrades content.
Gets info from Palo Alto Networks server.
Downloads content packages.
Displays available content packages info.
Installs content packages.

request content downgrade install previous

Downgrades to previous content version.

request license info

Shows the license installed on the device.

delete license key

Deletes a license file.

Policies
show running security-policy

User-ID Agent
show user user-id-agent state all
show user user-id-agent statistics
show
show
show
show
show
show

user
user
user
user
user
user

user-ids
user-IDs
group-mapping state all
group-mapping statistics
group list
group name <value>

BrightCloud URL Filtering

PAN-DB URL Filtering

IPSEC

High Availability

Software, Content and Licenses

Miscellaneous
configure
set deviceconfig setting session tcp-reject-non-syn no
commit
show session info

Ignore SYN when creating sessions.

configure
set deviceconfig setting session offload no
commit
show session info

Make all packets go through CPU, otherwise all fastpath

packets go through the chip. Turns session offload to fastpath.
Confirms command took effect.

debug dataplane pool statistics

Shows the different dataplane buffers and capacity.

Confirms command took effect.

4401 Great America Parkway

Santa Clara, CA 95054
Main:
+1.408.753.4000
Sales:
+1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

Copyright 2014, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto
Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All
specifications are subject to change without notice. Palo Alto Networks assumes no responsibility
for any inaccuracies in this document or for any obligation to update the information in this
document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise
this publication without notice.