Tuesday, August 4, 2020

PALO ALTO Firewall Handy Commands PAN-OS 9.1

show routing route   >> route

ping source 203.0.11.1 host 8.8.8.8  > ping a host

show system statistics application

show log system subtype equal HA    > HA
Time                Severity Subtype Object EventID ID Description
===============================================================================
2016/07/01 00:24:55 info     ha             ha1-lin 0  HA1 link up
2016/07/01 00:25:12 info     ha             state-c 0  HA Group 1: Moved from state Initial to state Active-P

show system disk-space

show running resource-monitor

show system resources follow
show log [ system | traffic | threat ] direction equal backward   >> log

show log system direction equal backward 

show log system severity equal critical

show log system subtype equal LACP start-time equal 2019/05/13@18:20:00   > specific date and time


show system info – provides the system's management IP, serial number and code version
show system statistics – shows the real-time throughput on the device
show system software status – shows whether various system processes are running
show jobs processed – used to see when commits, downloads, upgrades, etc. are completed
show system disk-space – shows percent usage of disk partitions
show system logdb-quota – shows the maximum log file sizes
debug dataplane internal vif link – shows management interface (eth0) counters
show system resources – shows processes running in the management plane, similar to the "top" command
show running resource-monitor – used to see the resource utilization in the data plane, such as dataplane CPU utilization

NAT
show running nat-policy – shows the current NAT policy table
show running ippool – used to check for a NAT pool leak
test nat-policy-match – simulates traffic going through the device: which NAT policy will it match?

Routing
show routing route – displays the routing table
test routing fib-lookup virtual-router <VR_name> ip <IP_addr_trying_reach> – finds which route in the routing table will be used to reach the IP address that you are testing

Policies
show running security-policy – shows the current policy set
test security-policy-match from trust to untrust destination <IP> – simulates a packet going through the system: which policy will it match?


URL
test url <url or IP> – used to test the categorization of a URL on the FW

Agent
show pan-agent user-IDs – used to see if the FW has pulled groups from the PANAgent
show user ip-user-mapping – used to see IP to username mappings on the FW
clear user-cache all – clears the user-ID cache

show user user-id-agent statistics
show user group name "AD\name-of-the-group"

LOG

show log [ system | traffic | threat ] direction equal backward – will take you to the end of the specified log
show log [ system | traffic | threat ] direction equal forward – will take you to the beginning of the specified log

Update / Downgrade

request content upgrade install file <filename>
request content downgrade install previous – downgrade to the previous content version

License

request license info – shows the license installed on the device

IPSec
To view detailed debug information for IPSec tunneling:
          1. debug ike global on debug
          2. less mp-log ikemgr.log


TCPDUMP
tcpdump filter "src net <ip/netmask>"
tcpdump snaplen 1500 filter "src net <ip/netmask>"

view-pcap filename.pcap


VPN

show vpn flow – shows encap/decap counters
show vpn gateway – shows list of IKE gateway configurations
show vpn ike-sa – shows IKE Phase 1 SA
show vpn ipsec-sa – shows IPSec Phase 2 SA
show vpn tunnel – shows list of auto-key IPSec tunnel configurations
show log system subtype equal vpn direction equal backward
clear vpn ike-sa gateway <value>
clear vpn ipsec-sa tunnel <value>
test vpn ike-sa gateway <value>
test vpn ipsec-sa tunnel <value>


System details

show system info                   //shows the uptime of the device
show system environmentals         //e.g. power supply failures
show ntp
show session info                  //packet rate, number of sessions, fastpath active, etc.
show session id <id>
show interface { all | <interface-name> }
show routing route                 //routing table (all routes)
show routing fib                   //forwarding table (only used routes)
show routing protocol <protocol> ...
show arp { all | <interface-name> }
show neighbor interface { all | <interface-name> }   //IPv6 neighbor cache
show mac all                       //only with layer 2 interfaces
show jobs all
show jobs id <id>
show running resource-monitor      //resource statistics
show system resources follow       //="top", CPU usage and processes
show system disk-space             //="df -h"
debug software restart <service>   //Restart a certain process
request restart system             //Reboot the whole device


HA

show high-availability all
show high-availability state
show high-availability link-monitoring
show high-availability path-monitoring
show high-availability control-link statistics
show high-availability state-synchronization
request high-availability state suspend
request high-availability state functional
request high-availability state peer suspend
request high-availability state peer functional

SCP


scp export log system to username@host://ip address of the server/home/username/filename
scp import software from username@host://ip address of the server/home/username/file name

