{"id":585,"date":"2015-02-18T13:12:37","date_gmt":"2015-02-18T19:12:37","guid":{"rendered":"http:\/\/www.echorequest.com\/?p=585"},"modified":"2015-02-18T13:14:21","modified_gmt":"2015-02-18T19:14:21","slug":"palo-alto-basic-troubleshooting","status":"publish","type":"post","link":"https:\/\/www.echorequest.com\/?p=585","title":{"rendered":"Palo-Alto basic troubleshooting"},"content":{"rendered":"

When troubleshooting network and security issues on many different devices I always miss some command options to do exactly what I want to do on the device I am currently working with. Therefore,\u00a0I list a few commands for the Palo Alto Networks firewalls to have a short reference for myself.<\/strong>\u00a0Maybe some other network professionals will find it useful.<\/p>\n

However, since I am almost always using the GUI\u00a0this short reference only lists commands that are useful for the console while\u00a0not<\/em>\u00a0present in the GUI<\/strong>.<\/span><\/p>\n

This blog post will be a living document. Whenever I use some \u201cnew\u201d commands for troubleshooting issues, I will update it.\u00a0If there are any useful commands missing, please send me a comment!<\/strong><\/p>\n

For a complete list of all CLI commands, use the\u00a0CLI Reference Guides from PAN<\/a>. Or use the official\u00a0Quick Reference Guide: Helpful Commands<\/a>\u00a0PDF.<\/p>\n

Standard Show Commands<\/h2>\n

The following commands are really the basics and need no further description. I list them just as a reference:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n<\/div>\n<\/td>\n
\n
\n
show system info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/shows the uptime of the device<\/div>\n
show session info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/packet rate, # of sessions, fastpath active, etc.<\/div>\n
show interface { all | name-of-the-interface }<\/div>\n
show routing route<\/div>\n
show routing protocol<\/div>\n
show arp all<\/div>\n
show mac all<\/div>\n
show jobs all<\/div>\n
show jobs id <id><\/div>\n
show system resource follow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/CPU usage and processes<\/div>\n
debug software restart <service>\u00a0\u00a0 \/\/Restart a certain process<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

\u00a0<\/p>\n

Find<\/h2>\n

Since PAN-OS 6.0, the \u201cfind\u201d command helps searching for the needed command in case you do not fully know the whole set of commands. With \u201cfind command\u201d, all possible commands are displayed. With \u201cfind command keyword xyz\u201d, all commands containing \u201cxyz\u201d are shown.<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n<\/div>\n<\/td>\n
\n
\n
find command<\/div>\n
find command keyword <word-to-search-for><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Ping, Traceroute, and DNS<\/h2>\n

A standard\u00a0ping command<\/strong>\u00a0looks like that:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
ping host 8.8.8.8<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Note that this ping request is issued from the management interface! To use a data interface as the source, the option\u00a0source <ip-address><\/span><\/span>\u00a0 can be used. To use IPv6, the option is\u00a0inet6 yes<\/span><\/span>\u00a0. For example:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
ping inet6 yes source 2003:51:6012:120::1 host 2a00:1450:4008:800::1017<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

A\u00a0traceroute command<\/strong>\u00a0looks like that:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
traceroute host 8.8.8.8<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

The\u00a0source <ip-address><\/span><\/span>\u00a0 can be used to specify the outgoing interface. However, for IPv6, the option is dissimilar to the ping command:\u00a0ipv6 yes<\/span><\/span>\u00a0.<\/p>\n

To\u00a0resolve DNS names<\/strong>, e.g., to test the DNS server that is configured on the management interface, simply ping a name:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
ping host ip.webernetz.net<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Test<\/h2>\n

The Palo offers some great test commands,\u00a0e.g., for testing a route-lookup, a VPN connection, or a security policy match<\/strong>. Use the question mark to find out more about the test commands. Here are some useful examples:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n<\/div>\n<\/td>\n
\n
\n
test routing fib-lookup virtual-router default ip <ip><\/div>\n
test vpn ipsec-sa tunnel <value><\/div>\n
test security-policy-match ?<\/div>\n
test security-policy-match from trans-internet to pa-trust-server source 192.168.86.5 destination 192.168.120.2 protocol 6 application ssl destination-port 443<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Viewing Management-Plane Logs<\/h2>\n

In order to\u00a0view the debug log files<\/strong>, \u201cless\u201d or \u201ctail\u201d can be used. The keyword \u201cmp-log\u201d links to the management-plane logs (similar to \u201cdp-log\u201d for the dataplane-logs). The tail command can be used with \u201cfollow yes\u201d to have a live view of all logged messages. And as always: Use the question mark in order to display all possibilities.<\/p>\n

Examples:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n<\/div>\n<\/td>\n
\n
\n
less mp-log ?<\/div>\n
less mp-log dnsproxyd.log<\/div>\n
tail follow yes mp-log dhcpd.log<\/div>\n
tail follow yes mp-log routed.log<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Capturing Management Packets<\/h2>\n

To view the traffic from the management port at least two console connections are needed. The first one executes the\u00a0tcpdump<\/strong>\u00a0command (with \u201csnaplen 0\u2033 for capturing the whole packet, and a filter, if desired),<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
tcpdump snaplen 0 filter “port 53”<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

while the second console\u00a0follows the live capture<\/strong>:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
view-pcap follow yes mgmt-pcap mgmt.pcap<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Test traffic can be generated with a third console session, e.g.:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
ping host webernetz.net<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Later on, the\u00a0pcap file can be moved to another computer<\/strong>\u00a0with the following command:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
scp export mgmt-pcap from mgmt.pcap to <username@host:path><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Alternatively,\u00a0tftp<\/strong>\u00a0can be used:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
tftp export mgmt-pcap from mgmt.pcap to <host><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Live Viewing of Packet Captures<\/h2>\n

When using the\u00a0Packet Capture<\/strong>\u00a0feature on the Palo Alto, the filter settings can easily be made from the GUI (Monitor -> Packet Capture). These settings as well as the current size of the running packet capture files can be examined with:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
debug dataplane packet-diag show setting<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Now, the current capturing in follow mode can be viewed with:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
view-pcap follow yes filter-pcap<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

And for a really detailed analysis, the counters for these filtered packets can be viewed. This exactly reveals how many packets traversed which way, and so on.\u00a0With the \u201cdelta yes\u201d option, only the counter values since the last execution of this command are shown.<\/strong>\u00a0The \u201cpacket-filter yes\u201d option uses the packet filter from the GUI (Monitor -> Packet Capture) to filter the counters:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
show counter global filter packet-filter yes delta yes<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

For example, here are the delta counters after a few DNS lookups:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n<\/div>\n<\/td>\n
\n
\n
weberjoh@fd-wv-fw02> show counter global filter packet-filter yes delta yes<\/div>\n
<\/div>\n
Global counters:<\/div>\n
Elapsed time since last sampling: 44.689 seconds<\/div>\n
<\/div>\n
name\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 value\u00a0\u00a0\u00a0\u00a0 rate severity\u00a0\u00a0category\u00a0\u00a0aspect\u00a0\u00a0\u00a0\u00a0description<\/div>\n
——————————————————————————–<\/div>\n
pkt_sent\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a024\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet\u00a0\u00a0\u00a0\u00a0pktproc\u00a0\u00a0 Packets transmitted<\/div>\n
pkt_outstanding\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 24\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet\u00a0\u00a0\u00a0\u00a0pktproc\u00a0\u00a0 Outstanding packet to be transmitted<\/div>\n
pkt_alloc\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0120\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a02 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0packet\u00a0\u00a0\u00a0\u00a0resource\u00a0\u00a0Packets allocated<\/div>\n
session_allocated\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 19\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0session\u00a0\u00a0 resource\u00a0\u00a0Sessions allocated<\/div>\n
session_installed\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 19\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0session\u00a0\u00a0 resource\u00a0\u00a0Sessions installed<\/div>\n
flow_host_pkt_xmt\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0144\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a03 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0mgmt\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Packets transmitted to control plane<\/div>\n
flow_host_service_allow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 24\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0mgmt\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Device management session allowed<\/div>\n
appid_ident_by_dport_first\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a019\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0appid\u00a0\u00a0\u00a0\u00a0 pktproc\u00a0\u00a0 Application identified by L4 dport first<\/div>\n
dfa_sw\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a048\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a01 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0dfa\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pktproc\u00a0\u00a0 The total number of dfa match using software<\/div>\n
ctd_sml_vm_check_domain\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 24\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ctd\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pktproc\u00a0\u00a0 sml vm check domain<\/div>\n
ctd_bloom_filter_nohit\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a024\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ctd\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pktproc\u00a0\u00a0 The number of no match for virus bloom filter<\/div>\n
aho_sw\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a048\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a01 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0aho\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pktproc\u00a0\u00a0 The total usage of software for AHO<\/div>\n
ctd_pkt_slowpath\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a048\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a01 info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ctd\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pktproc\u00a0\u00a0 Packets processed by slowpath<\/div>\n
——————————————————————————–<\/div>\n
Total counters shown: 13<\/div>\n
——————————————————————————–<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Or, even more interesting,\u00a0filtered on \u201cdrop\u201d severity.<\/strong>\u00a0(Note the reasons on the right-hand side):<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n<\/div>\n<\/td>\n
\n
\n
weberjoh@fd-wv-fw02> show counter global filter delta yes severity drop<\/div>\n
<\/div>\n
Global counters:<\/div>\n
Elapsed time since last sampling: 166.755 seconds<\/div>\n
<\/div>\n
name\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 value\u00a0\u00a0\u00a0\u00a0 rate severity\u00a0\u00a0category\u00a0\u00a0aspect\u00a0\u00a0\u00a0\u00a0description<\/div>\n
——————————————————————————–<\/div>\n
flow_rcv_dot1q_tag_err\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 726\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a04 drop\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0parse\u00a0\u00a0\u00a0\u00a0 Packets dropped: 802.1q tag not configured<\/div>\n
flow_no_interface\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0726\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a04 drop\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0parse\u00a0\u00a0\u00a0\u00a0 Packets dropped: invalid interface<\/div>\n
flow_ipv6_disabled\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 drop\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0parse\u00a0\u00a0\u00a0\u00a0 Packets dropped: IPv6 disabled on interface<\/div>\n
flow_tcp_non_syn_drop\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 50\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 drop\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0session\u00a0\u00a0 Packets dropped: non-SYN TCP without session match<\/div>\n
flow_fwd_l3_mcast_drop\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a050\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 drop\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0forward\u00a0\u00a0 Packets dropped: no route for IP multicast<\/div>\n
flow_fwd_l3_ttl_zero\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 9\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 drop\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0forward\u00a0\u00a0 Packets dropped: IP TTL reaches zero<\/div>\n
flow_fwd_zonechange\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a08\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 drop\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0forward\u00a0\u00a0 Packets dropped: forwarded to different zone<\/div>\n
flow_dos_pf_ipspoof\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 17\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 drop\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0dos\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Packets dropped: Zone protection option ‘discard-ip-spoof’<\/div>\n
flow_dos_pf_noreplyttl\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00 drop\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0dos\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Packets dropped: Zone protection option ‘suppress-icmp-timeexceeded’<\/div>\n
——————————————————————————–<\/div>\n
Total counters shown: 9<\/div>\n
——————————————————————————–<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Examining the Session Table<\/h2>\n

If a network connection failure is not found in the traffic log, the session table can be asked for sessions in DISCARD state, filtered based on its source, or whatever.\u00a0This is useful at the console because the session browser in the GUI does not store the filter options and is therefore a bit unhandy.<\/strong>\u00a0All commands start with \u201cshow session all filter \u2026\u201d, e.g.:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n<\/div>\n<\/td>\n
\n
\n
show session all filter state discard<\/div>\n
show session all filter application dns destination 8.8.8.8<\/div>\n
show session all filter from trust to untrust application ssl state active<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

To see whether there are some \u201cpredict\u201d sessions in which the Palo Alto uses a ALG (appliation layer gateway) to\u00a0predict dynamic ports<\/strong>\u00a0(e.g., SIP, active FTP), use this command:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
show session all filter type predict<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

A specific session can then be\u00a0cleared<\/strong>\u00a0with:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
clear session id <value><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Reason for Session Close<\/h2>\n

You cannot see the reason for a closed session in the traffic log in the GUI. For this purpose, find out the session id in the traffic log and type in the following command in the CLI (Named the \u201cSession Tracker<\/a>\u201c).\u00a0Note the last line in the output, e.g. \u201ctracker stage firewall : Aged out\u201d or \u201ctracker stage firewall : TCP FIN\u201d.<\/strong>\u00a0This shows what reason the firewall sees when it ends a session:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
show session id <id><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Alternatively, the\u00a0traffic log on the CLI can display the session tracker<\/strong>\u00a0when used with the option \u201cshow-tracker equal yes\u201d such as:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n<\/div>\n<\/td>\n
\n
\n
show log traffic show-tracker equal yes<\/div>\n
show log traffic show-tracker equal yes direction equal backward<\/div>\n
show log traffic show-tracker equal yes direction equal backward app equal ipv6-icmp from equal pa-ripe-atlas<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

VPN Issues<\/h2>\n

(Palo Alto:\u00a0How to Troubleshoot VPN Connectivity Issues<\/a>). Though you can find many reasons for not working site-to-site VPNs in the system log in the GUI, some CLI commands might be useful.\u00a0To reveal whether packets traverse through a VPN connection, use this:<\/strong>\u00a0(it shows the number of encap\/decap packets and bytes, i.e., the actual traffic flow)<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
show vpn flow name <value><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Or use the counter values for ipsec issues:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
show counter global filter delta yes | match ipsec<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

And for a detailled debugging of IKE,\u00a0enable the debug<\/strong>\u00a0(without any more options)<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
debug ike pcap on<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

then\u00a0follow the pcap<\/strong>\u00a0with<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
view-pcap follow yes debug-pcap ikemgr.pcap<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

and do NOT forget to\u00a0set the debugging off!<\/strong><\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
debug ike pcap off<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

The complete ikemgr.pcap can be\u00a0downloaded<\/strong>\u00a0from the Palo with scp or tftp, e.g.:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
scp export debug-pcap from ikemgr.pcap to <username@host:path><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Displaying the Config in Set Mode<\/h2>\n

The XML output of the \u201cshow config running\u201d command might be unpractical when troubleshooting at the console.\u00a0That\u2019s why the output format can be set to \u201cset\u201d mode:<\/strong><\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
set cli config-output-format set<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Now, enter the\u00a0\u00a0configure<\/span><\/span>\u00a0 mode and type\u00a0show<\/span><\/span>\u00a0. This reveals the complete configuration with \u201cset \u2026\u201d commands. Here is a sample output of a particular show command:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n<\/div>\n<\/td>\n
\n
\n
weberjoh@fd-wv-fw02# show network interface ethernet ethernet1\/1<\/div>\n
set network interface ethernet ethernet1\/1 layer3 ip 172.16.1.2\/24<\/div>\n
set network interface ethernet ethernet1\/1 layer3 untagged-sub-interface no<\/div>\n
set network interface ethernet ethernet1\/1 layer3 interface-management-profile ping<\/div>\n
set network interface ethernet ethernet1\/1 link-speed auto<\/div>\n
set network interface ethernet ethernet1\/1 link-duplex auto<\/div>\n
set network interface ethernet ethernet1\/1 link-state auto<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

The\u00a0pipe<\/strong>\u00a0(|) can be used to grep certain values with the \u201cmatch<\/strong>\u201d keyword, such as:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n<\/div>\n<\/td>\n
\n
\n
weberjoh@fd-wv-fw02# show | match 192.168.120.2<\/div>\n
set deviceconfig system ip-address 192.168.120.2<\/div>\n
set address h_fd-wv-fw02_mgmt ip-netmask 192.168.120.2<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

To show the complete config\u00a0without breaks<\/strong>\u00a0(which is \u201cterminal length 0\u2033 on Cisco devices), the following command can be used:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
set cli pager off<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Export\/Import Files<\/h2>\n

To copy files from or to the Palo Alto firewall,<\/strong>\u00a0scp or tftp can be used. The commands have both the same structure with \u201cexport \u2026 to\u201d or \u201cimport \u2026 from\u201d, e.g.:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n<\/div>\n<\/td>\n
\n
\n
scp export log system to <username@host:path_to_destination_filename><\/div>\n
scp import software from <username@host:path><\/div>\n
tftp export configuration from running-config.xml to <tftp-host><\/div>\n
tftp import url-block-page from <tftp-host><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

User-IDs and Groups<\/h2>\n

State of the\u00a0LDAP server connections:<\/strong><\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
show user group-mapping state all<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

List the\u00a0groups<\/strong>\u00a0that are stored in the Palo Alto:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
show user group list<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Manual group mapping\u00a0refresh<\/strong>:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
debug user-id refresh group-mapping all<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Show the group memberships for a particular user:<\/strong><\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
show user user-IDs match-user <value><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

IP to User mapping:<\/strong><\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
show user ip-user-mapping all<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

User-ID cache clearance:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
clear user-cache all<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

IP Addresses of FQDN Objects<\/h2>\n

When using objects with FQDNs, the current IP addresses are not shown in the GUI. The following command displays respectively refreshes them:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
request system fqdn { show | refresh }<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

IP Addresses of Dynamic Block Lists<\/h2>\n

Similar, the entries in a dynamic block list can be viewed with:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
request system external-list show name <name-of-the-list><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

DNS Proxy<\/h2>\n

To verify the functionality of DNS proxy objects, at least two commands are useful. Both outputs should speak for themselves:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n<\/div>\n<\/td>\n
\n
\n
show dns-proxy statistics all<\/div>\n
show dns-proxy cache all<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Active URL Vendor\/Database<\/h2>\n

I had some issues with the two different URL databases \u201cbrightcloud\u201d and \u201cPAN-DB\u201d. This is the command to show unambiguously which vendor is active on the PA (independent of the licenses):<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
show system setting url-database<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

The output is either \u201cbrightcloud\u201d or \u201cpaloaltonetworks\u201d. The standard URL DB up to PAN-OS 5.0 is brightcloud. Beginning with PAN-OS 6.0, the default is PAN-DB (refer to the release notes, section \u201cChanges to Default Behavior\u201d). To change the vendor (of course only if it is licensed), click the \u201cActivate\u201d link under licenses in the GUI.<\/p>\n

PAN-DB URL Test & Cache<\/h2>\n

To show the category of a specific URL, use one of the following commands:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n<\/div>\n<\/td>\n
\n
\n
test url <fqdn><\/div>\n
test url-info-cloud <fqdn><\/div>\n
test url-info-host <fqdn><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

To display the current URL cache from the PAN-DB, two steps are required. The first one is the creation of a logfile which contains all entries and the second one is to display this logfile:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n<\/div>\n<\/td>\n
\n
\n
show system setting url-cache all<\/div>\n
less dp-log dp_url_DB.log<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

Stolen from:\u00a0http:\/\/blog.webernetz.net\/2013\/11\/21\/cli-commands-for-troubleshooting-palo-alto-firewalls\/ \u00a0<— I took this just in case it ever went offline and I still use this for reference. \ud83d\ude42 \u00a0contact me if I’m in violation! lol<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

When troubleshooting network and security issues on many different devices I always miss some command options to do exactly what I want to do on the device I am currently working with. Therefore,\u00a0I list a few commands for the Palo Alto Networks firewalls to have a short reference for myself.\u00a0Maybe some other network professionals will […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-585","post","type-post","status-publish","format-standard","hentry","category-geek","post-preview"],"_links":{"self":[{"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/posts\/585","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=585"}],"version-history":[{"count":2,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/posts\/585\/revisions"}],"predecessor-version":[{"id":587,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=\/wp\/v2\/posts\/585\/revisions\/587"}],"wp:attachment":[{"href":"https:\/\/www.echorequest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=585"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=585"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.echorequest.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=585"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}