Release 2.1
PAN-OS Command Line Interface
Reference Guide
PAN-OS™ Command Line Interface Reference GuideRelease 2.1
11/4/08 Final Review Draft- Palo Alto Networks COMPANY CONFIDENTIAL
Palo Alto Networks, Inc.www.paloaltonetworks.com© 2008 Palo Alto Networks. All rights reserved. Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective ownersPart number: 810-000033-00A
Palo Alto Networks • 3
November 4, 2008 - Palo Alto Networks COMPANY CONFIDENTIAL
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Typographical Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Notes, Cautions, and Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Obtaining More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Chapter 1Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Understanding the PAN-OS CLI Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . 11Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Accessing the PAN-OS CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Understanding the PAN-OS CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . 13Understanding the PAN-OS CLI Command Conventions . . . . . . . . . . . . . . . . . . . . 13Understanding Command Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Using Operational and Configuration Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Displaying the PAN-OS CLI Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Using Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Understanding Command Option Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Restricting Command Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Understanding Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Referring to Firewall Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 2Understanding CLI Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Understanding Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Using Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Understanding the Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Navigating Through the Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Understanding Operational Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Table of Contents
4 • Palo Alto Networks
Chapter 3Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35move . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42top . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Chapter 4Operational Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52debug captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54debug cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55debug cpld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56debug dataplane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57debug device-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59debug dhcpd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60debug ez . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61debug high-availability-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62debug ike . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63debug keymgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64debug log-receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65debug management-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66debug master-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67debug netconfig-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68debug routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69debug software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70debug swm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71debug tac-login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72debug vardata-receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74grep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75less . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79request certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80request content upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82request high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83request license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Palo Alto Networks • 5
request restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85request support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86request system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87scp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88set application dump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90set cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91set logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92set serial-number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93set session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94set target-vsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95set zip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96show admins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98show chassis-ready . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99show cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100show clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101show config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102show counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103show ctd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104show device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105show device-messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106show devicegroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107show dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108show high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109show interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110show jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111show location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112show log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113show logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115show mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116show management-clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117show multi-vsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118show pan-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119show proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120show query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121show report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122show routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123show route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127show session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128show statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130show system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132show target-vsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134show threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135show virtual-wire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136show vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137show vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138show zip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140show zone-protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142tail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
6 • Palo Alto Networks
test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145tftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148view-pcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Appendix AConfiguration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Firewall Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Panorama Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Appendix BPAN-OS CLI Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Palo Alto Networks Preface • 7
November 4, 2008 - Palo Alto Networks COMPANY CONFIDENTIAL
Preface
This preface contains the following sections:
• “About This Guide” in the next section
• “Organization” on page 7
• “Typographical Conventions” on page 8
• “Related Documentation” on page 9
• “Obtaining More Information” on page 9
• “Technical Support” on page 9
About This Guide
This guide provides an overview of the PAN-OS™ command line interface (CLI), describes how to access and use the CLI, and provides command reference pages for each of the CLI commands.
This guide is intended for system administrators responsible for deploying, operating, and maintaining the firewall and who require reference information about the PAN-OS CLI commands that they want to execute on a per-device basis. For an explanation of features and concepts, refer to the Palo Alto Networks Administrator’s Guide.
Organization
This guide is organized as follows:
• Chapter 1, “Introduction”—Introduces and describes how to use the PAN-OS CLI.
• Chapter 2, “Understanding CLI Command Modes”—Describes the modes used to interact with the PAN-OS CLI.
• Chapter 3, “Configuration Mode Commands”—Contains command reference pages for Configuration mode commands.
• Chapter 4, “Operational Mode Commands”—Contains command reference pages for Operational mode commands.
8 • Preface Palo Alto Networks
• Appendix A, “Configuration Hierarchy”—Contains command reference pages for Operational mode commands.
• Appendix B, “PAN-OS CLI Keyboard Shortcuts”—Describes the keyboard shortcuts supported in the PAN-OS CLI.
Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.
Convention Meaning Example
boldface Names of commands, keywords, and selectable items in the web interface
Use the configure command to enter Configuration mode.
italics Name of variables, files, configuration elements, directories, or Uniform Resource Locators (URLs)
The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com.
element2 is a required variable for the move command.
courier font Command syntax, code examples, and screen output
The show arp all command yields this output:
username@hostname> show arp allmaximum of entries supported: 8192default timeout: 1800 secondstotal ARP entries in table: 0total ARP entries shown: 0status: s - static, c - complete, i - incomplete
courier bold font
Text that you enter at the command prompt
Enter the following command to exit from the current PAN-OS CLI level:
# exit
[ ] (text enclosed in angle brackets)
Optional parameters. In the following command, 8bit and port are optional parameters.
> telnet [8bit] [port] host
< > (text enclosed in square brackets)
Special keys or choice of required options.
<tab> indicates that the tab key is pressed.
> delete core <control-plane | data-plane> file filename
| (pipe symbol) Choice of values, indicated by a pipe symbol-separated list.
The request support command includes options to get support information from the update server or show downloaded support information:
> request support [check | info]
Palo Alto Networks Preface • 9
Notes, Cautions, and Warnings
This guide uses the following symbols for notes, cautions, and warnings.
Related Documentation
The following additional documentation is provided with the firewall:
• Quick Start
• Hardware Reference Guide
• Palo Alto Networks Administrator’s Guide
Obtaining More Information
To obtain more information about the firewall, refer to:
• Palo Alto Networks website—Go to http://www.paloaltonetworks.com.
• Online help—Click Help in the upper right corner of the GUI to access the online help system.
Technical Support
For technical support, use the following methods:
• Go to http://support.paloaltonetworks.com.
• Call 1-866-898-9087 (U.S, Canada, and Mexico).
• Email us at: [email protected].
Symbol Description
NOTE
Indicates helpful suggestions or supplementary information.
CAUTION
Indicates information about which the reader should be careful to avoid data loss or equipment failure.
WARNING
Indicates potential danger that could involve bodily injury.
10 • Preface Palo Alto Networks
Palo Alto Networks Introduction • 11
November 4, 2008 - Palo Alto Networks COMPANY CONFIDENTIAL
Chapter 1
Introduction
This chapter introduces and describes how to use the PAN-OS command line interface (CLI):
• “Understanding the PAN-OS CLI Structure” in the next section
• “Getting Started” on page 12
• “Understanding the PAN-OS CLI Commands” on page 13
Understanding the PAN-OS CLI Structure
The PAN-OS CLI allows you to access the firewall, view status and configuration information, and modify the configuration. Access to the PAN-OS CLI is provided through SSH, Telnet, or direct console access.
The PAN-OS CLI operates in two modes:
• Operational mode—View the state of the system, navigate the PAN-OS CLI, and enter configuration mode.
• Configuration mode—View and modify the configuration hierarchy.
Chapter 3 describes each mode in detail.
12 • Introduction Palo Alto Networks
Getting Started
This section describes how to access and begin using the PAN-OS CLI:
• “Before You Begin” in the next section
• “Accessing the PAN-OS CLI” on page 12
Before You BeginVerify that the firewall is installed and that a SSH, Telnet, or direct console connection is established.
Use the following settings for direct console connection:
• Data rate: 9600
• Data bits: 8
• Parity: none
• Stop bits: 1
• Flow control: None
Accessing the PAN-OS CLITo access the PAN-OS CLI:1. Open the console connection.
2. Enter the administrative user name. The default is admin.
3. Enter the administrative password. The default is admin.
4. The PAN-OS CLI opens in Operational mode, and the CLI prompt is displayed:
username@hostname>
Note: Refer to the Hardware Reference Guide for hardware installation information and to the Quick Start for information on initial device configuration.
Palo Alto Networks Introduction • 13
Understanding the PAN-OS CLI Commands
This section describes how to use the PAN-OS CLI commands and display command options:
• “Understanding the PAN-OS CLI Command Conventions” in the next section
• “Understanding Command Messages” on page 14
• “Using Operational and Configuration Modes” on page 15
• “Displaying the PAN-OS CLI Command Options” on page 15
• “Using Keyboard Shortcuts” on page 16
• “Understanding Command Option Symbols” on page 17
• “Understanding Privilege Levels” on page 18
• “Referring to Firewall Interfaces” on page 19
Understanding the PAN-OS CLI Command ConventionsThe basic command prompt incorporates the user name and model of the firewall:username@hostname>
Example:username@hostname>
When you enter Configuration mode, the prompt changes from > to #:
username@hostname> (Operational mode)username@hostname> configureEntering configuration mode[edit] username@hostname# (Configuration mode)
In Configuration mode, the current hierarchy context is shown by the [edit...] banner presented in square brackets when a command is issued. Refer to “Using the Edit Command” on page 26 for additional information on the edit command.
14 • Introduction Palo Alto Networks
Understanding Command MessagesMessages may be displayed when you issue a command. The messages provide context information and can help in correcting invalid commands. In the following examples, the message is shown in bold.
Example: Unknown commandusername@hostname# application-groupUnknown command: application-group[edit network] username@hostname#
Example: Changing modesusername@hostname# exitExiting configuration mode
username@hostname>
Example: Invalid syntaxusername@hostname> debug 17Unrecognized commandInvalid syntax.username@hostname>
Each time you enter a command the syntax is checked. If the syntax is correct, the command is executed, and the candidate hierarchy changes are recorded. If the syntax is incorrect, an invalid syntax message is presented, as in the following example:username@hostname# set zone application 1.1.2.2Unrecognized commandInvalid syntax.[edit] username@hostname#
Palo Alto Networks Introduction • 15
Using Operational and Configuration ModesWhen you log in, the PAN-OS CLI opens in Operational mode. You can move between Operational and Configuration modes at any time.
• To enter Configuration mode from Operational mode, use the configure command:
username@hostname> configureEntering configuration mode
[edit] username@hostname#
• To leave Configuration mode and return to Operational mode, use the quit or exit command:
username@hostname# quitExiting configuration mode
username@hostname>
• To enter an Operational mode command while in Configuration mode, use the run command, as described in “run” on page 39.
Displaying the PAN-OS CLI Command OptionsUse ? (or Meta-H) to display a list of command option, based on context:
• To display a list of operational commands, enter ? at the command prompt.
username@hostname> ? clear Clear runtime parameters configure Manipulate software configuration information debug Debug and diagnose exit Exit this session grep Searches file for lines containing a pattern match less Examine debug file content ping Ping hosts and networks quit Exit this session request Make system-level requests scp Use ssh to copy file to another host set Set operational parameters show Show operational parameters ssh Start a secure shell to another host tail Print the last 10 lines of debug file content telnet Start a telnet session to another host username@hostname>
16 • Introduction Palo Alto Networks
• To display the available options for a specified command, enter the command followed by ?.
Example:
admin@localhost> ping ?username@hostname> ping + bypass-routing Bypass routing table, use specified interface + count Number of requests to send (1..2000000000 packets) + do-not-fragment Don't fragment echo request packets (IPv4) + inet Force to IPv4 destination + interface Source interface (multicast, all-ones, unrouted packets) + interval Delay between requests (seconds) + no-resolve Don't attempt to print addresses symbolically + pattern Hexadecimal fill pattern + record-route Record and report packet's path (IPv4) + size Size of request packets (0..65468 bytes) + source Source address of echo request + tos IP type-of-service value (0..255) + ttl IP time-to-live value (IPv6 hop-limit value) (0..255 hops)+ verbose Display detailed output + wait Delay after sending last packet (seconds) <host> Hostname or IP address of remote host username@hostname> ping
Using Keyboard ShortcutsThe PAN-OS CLI supports a variety of keyboard shortcuts. For a complete list, refer to Appendix B, “PAN-OS CLI Keyboard Shortcuts”.
Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the Esc key.
Palo Alto Networks Introduction • 17
Understanding Command Option SymbolsThe symbol preceding an option can provide additional information about command syntax, as described in Table 1.
The following example shows how these symbols are used.
Example: In the following command, the keyword from is required:username@hostname> scp import configuration ?+ remote-port SSH port number on remote host* from Source (username@host:path)username@hostname> scp import configuration
Example: This command output shows options designated with + and >.username@hostname# set rulebase security rules rule1 ?+ action action + application application + description description + destination destination + disabled disabled + from from + log-end log-end + log-setting log-setting + log-start log-start + negate-destination negate-destination + negate-source negate-source + schedule schedule + service service + source source + to to > profiles profiles <Enter> Finish input [edit] username@hostname# set rulebase security rules rule1
Each option listed with + can be added to the command.
The profiles keyword (with >) has additional options:username@hostname# set rulebase security rules rule1 profiles ?+ virus Help string for virus + spyware Help string for spyware + vulnerability Help string for vulnerability + group Help string for group <Enter> Finish input [edit] username@hostname# set rulebase security rules rule1 profiles
Table 1. Option Symbols
Symbol Description
* This option is required.
> There are additional nested options for this command.
+ There are additional command options for this command at this level.
18 • Introduction Palo Alto Networks
Restricting Command OutputSome operational commands include an option to restrict the displayed output. To restrict the output, enter a pipe symbol followed by except or match and the value that is to be excluded or included:
Example:The following sample output is for the show system info command:
username@hostname> show system info
hostname: PA-HDFip-address: 10.1.7.10netmask: 255.255.0.0default-gateway: 10.1.0.1mac-address: 00:15:E9:2E:34:33time: Fri Aug 17 13:51:49 2007
uptime: 0 days, 23:19:23devicename: PA-HDFfamily: i386model: pa-4050serial: unknownsw-version: 1.5.0.0-519app-version: 25-150threat-version: 0url-filtering-version: 0logdb-version: 1.0.8
username@hostname>
The following sample displays only the system model information:
username@hostname> show system info | match modelmodel: pa-4050
username@hostname>
Understanding Privilege LevelsPrivilege levels determine which commands the user is permitted to execute and the information the user is permitted to view. Table 2 describes the PAN-OS CLI privilege levels.
Table 2. Privilege Levels
Level Description
superuser Has full access to the firewall and can define new administrator accounts and virtual systems.
superreader Has complete read-only access to the firewall.
vsysadmin Has full access to a selected virtual system on the firewall.
vsysreader Has read-only access to a selected virtual system on the firewall.
Palo Alto Networks Introduction • 19
Referring to Firewall InterfacesThe Ethernet interfaces are numbered from left to right and top to bottom on the firewall, as shown in Figure 1.
Figure 1. Firewall Ethernet Interfaces
Use these names when referring to the Ethernet interfaces within the PAN-OS CLI commands, as in the following example:username@hostname# set network interface ethernet ethernet1/4 virtual-wire
1 3 5 7 9 11 13 15
2 4 6 8 10 12 14 16
ethernet1/1
ethernet1/2
ethernet1/15
ethernet1/16
20 • Introduction Palo Alto Networks
Palo Alto Networks Understanding CLI Command Modes • 21
November 4, 2008 - Palo Alto Networks COMPANY CONFIDENTIAL
Chapter 2
Understanding CLI Command Modes
This chapter describes the modes used to interact with the PAN-OS CLI
• “Understanding Configuration Mode” in the next section
• “Understanding Operational Mode” on page 27
Understanding Configuration Mode
When you enter Configuration mode and enter commands to configure the firewall, you are modifying the candidate configuration. The modified candidate configuration is stored in firewall memory and maintained while the firewall is running.
Each configuration command involves an action, and may also include keywords, options, and values. Entering a command makes changes to the candidate configuration.
This section describes Configuration mode and the configuration hierarchy:
• “Using Configuration Mode Commands” in the next section
• “Understanding the Configuration Hierarchy” on page 23
• “Navigating Through the Hierarchy” on page 25
Using Configuration Mode CommandsUse the following commands to store and apply configuration changes (see Figure 2):
• save command—Saves the candidate configuration in firewall non-volatile storage. The saved configuration is retained until overwritten by subsequent save commands. Note that this command does not make the configuration active.
• commit command—Applies the candidate configuration to the firewall. A committed configuration becomes the active configuration for the device.
• set command—Changes a value in the candidate configuration.
• load command—Assigns the last saved configuration or a specified configuration to be the candidate configuration.
22 • Understanding CLI Command Modes Palo Alto Networks
Example: Make and save a configuration change.username@hostname# rename zone untrust to untrust1 (enter a configuration command)[edit] username@hostname# save config to snapshot.xmlConfig saved to .snapshot.xml[edit] username@hostname#
Example: Make a change to the candidate configuration.[edit] username@hostname# set network interface vlan ip 1.1.1.4/24[edit] username@hostname#
Example: Make the candidate configuration active on the device.[edit] username@hostname# commit[edit] username@hostname#
Figure 2. Configuration Mode Command Relationship
Note: If you exit Configuration mode without issuing the save or commit command, your configuration changes could be lost if power is lost to the firewall.
ActiveConfiguration
CandidateConfiguration
SavedConfiguration
Commit Save
Set
Load
Palo Alto Networks Understanding CLI Command Modes • 23
Maintaining a candidate configuration and separating the save and commit steps confers important advantages when compared with traditional CLI architectures:
• Distinguishing between the save and commit concepts allows multiple changes to be made at the same time and reduces system vulnerability.
For example, if you want to remove an existing security policy and add a new one, using a traditional CLI command structure would leave the system vulnerable for the period of time between removal of the existing security policy and addition of the new one. With the PAN-OS approach, you configure the new security policy before the existing policy is removed, and then implement the new policy without leaving a window of vulnerability.
• You can easily adapt commands for similar functions.
For example, if you are configuring two Ethernet interfaces, each with a different IP address, you can edit the configuration for the first interface, copy the command, modify only the interface and IP address, and then apply the change to the second interface.
• The command structure is always consistent.
Because the candidate configuration is always unique, all the authorized changes to the candidate configuration will be consistent with each other.
Understanding the Configuration HierarchyThe configuration for the firewall is organized in a hierarchical structure. To display a segment of the current hierarchy, use the show command. Entering show displays the complete hierarchy, while entering show with keywords displays a segment of the hierarchy.
For example, the following command displays the configuration hierarchy for the ethernet interface segment of the hierarchy:username@hostname# show network interface ethernet ethernet { ethernet1/1 { virtual-wire; } ethernet1/2 { virtual-wire; } ethernet1/3 { layer2 { units { ethernet1/3.1; } } } ethernet1/4;}[edit] username@hostname#
24 • Understanding CLI Command Modes Palo Alto Networks
Understanding Hierarchy Paths
When you enter a command, path is traced through the hierarchy, as shown in Figure 3.
Figure 3. Sample Hierarchy Segment
For example, the following command assigns the IP address/netmask 10.1.1.12/24 to the Layer 3 interface for the Ethernet port ethernet1/4: [edit] username@hostname# set network interface ethernet ethernet1/4 layer3 ip 10.1.1.12/24
[edit] username@hostname#
This command generates a new element in the hierarchy, as shown in Figure 4 and in the output of the following show command:[edit] username@hostname# show network interface ethernet ethernet1/4ethernet1/4 { layer3 { ip { 10.1.1.12/24; } } }[edit] username@hostname#
network
profiles interface vlan virtual-wire virtual-router
ethernet aggregate-ethernetvlan loopback
ethernet1/1
link-duplex link-state virtual-wire link-speed
... ... ... ...
... ... ...
ethernet1/2 ethernet1/3 ethernet1/4
auto up 1000
Palo Alto Networks Understanding CLI Command Modes • 25
Figure 4. Sample Hierarchy Segment
Navigating Through the HierarchyThe [edit...] banner presented below the Configure mode command prompt line shows the current hierarchy context. For example, the banner[edit]
indicates that the relative context is the top level of the hierarchy, whereas [edit network profiles]
indicates that the relative context is at the network profiles node.
Use the commands listed in Table 3 to navigate through the configuration hierarchy.
network
profiles interface vlan virtual-wire virtual-router
ethernet aggregate-ethernetvlan loopback
ethernet1/1
10.1.1.12/24
... ... ... ...
... ... ...
ethernet1/2 ethernet1/3 ethernet1/4
ip
Table 3. Navigation Commands
Command Description
edit Sets the context for configuration within the command hierarchy.
up Changes the context to the next higher level in the hierarchy.
top Changes the context to the highest level in the hierarchy.
26 • Understanding CLI Command Modes Palo Alto Networks
Using the Edit Command
Use the edit command to change context to lower levels of the hierarchy, as in the following examples:
• Move from the top level to a lower level:
[edit] (top level)username@hostname# edit network[edit network] username@hostname# (now at the network level)
[edit network]
• Move from one level to a lower level:
[edit network] (network level)username@hostname# edit interface
[edit network interface] admin@abce# (now at the network interface level)
Using the Up and Top Commands
Use the up and top commands to move to higher levels in the hierarchy:
• up—changes the context to one level up in the hierarchy.
Example:
[edit network interface] (network level)admin@abce# up
[edit network] username@hostname# (now at the network level)
• top—changes context to the top level of the hierarchy.
Example:
[edit network interface vlan] (network vlan level) username@hostname# top
[edit] username@hostname# (now at network vlan level)
Note: The set command issued after using the up and top commands starts from the new context.
Palo Alto Networks Understanding CLI Command Modes • 27
Understanding Operational Mode
When you first log in, the PAN-OS CLI opens in Operational mode. Operational mode commands involve actions that are executed immediately. They do not involve changes to the configuration, and do not need to be saved or committed.
Operational mode commands are of several types:
• Network access—Open a window to another host. Includes ssh and telnet commands.
• Monitoring and troubleshooting—Perform diagnosis and analysis. Includes debug and ping commands.
• Display commands—Display or clear current information. Includes clear and show commands.
• PAN-OS CLI navigation commands—Enter Configure mode or exit the PAN-OS CLI. Includes configure, exit, and quit commands.
• System commands—Make system-level requests or restart. Includes set and request commands.
28 • Understanding CLI Command Modes Palo Alto Networks
Palo Alto Networks Configuration Mode Commands • 29
November 4, 2008 - Palo Alto Networks COMPANY CONFIDENTIAL
Chapter 3
Configuration Mode Commands
This chapter contains command reference pages for the following Configuration mode command types:
• “commit” on page 30
• “copy” on page 31
• “delete” on page 32
• “edit” on page 33
• “exit” on page 34
• “load” on page 35
• “move” on page 36
• “quit” on page 37
• “rename” on page 38
• “run” on page 39
• “save” on page 40
• “set” on page 41
• “show” on page 42
• “top” on page 43
• “up” on page 44
commit
30 • Configuration Mode Commands Palo Alto Networks
commit
Make the current candidate configuration the active configuration on the firewall.
Syntaxcommit
Options
None
Sample Output
The following command makes the current candidate configuration the active configuration.# commit
Required Privilege Level
superuser, vsysadmin, deviceadmin
Palo Alto Networks Configuration Mode Commands • 31
copy
copy
Make a copy of a node in the hierarchy along with its children, and add the copy to the same hierarchy level.
Syntaxcopy [node1] to [node2]
Options
Sample Output
The following command, executed from the rule base security level of the hierarchy, makes a copy of rule1, called rule2.[edit rulebase security] username@hostname# copy rules rule1 to rule2[edit rulebase security] username@hostname#
The following command shows the location of the new rule in the hierarchy.
[edit rulebase security] username@hostname# show
security { rules {s rule1 { source [ any 1.1.1.1/32 ]; destination 1.1.1.2/32; }
rule2 { source [ any 1.1.1.1/32 ]; destination 1.1.1.2/32; } }}
Required Privilege Level
superuser, vsysadmin, deviceadmin
node1 Specifies the node to be copied.
node2 Specifies the name of the copy.
delete
32 • Configuration Mode Commands Palo Alto Networks
delete
Remove a node from the candidate configuration along with all its children.
Syntaxdelete [node]
Options
Sample Output
The following command deletes the application myapp from the candidate configuration.username@hostname# delete application myapp[edit] username@hostname#
Required Privilege Level
superuser, vsysadmin, deviceadmin
Note: No confirmation is requested when this command is entered.
node Specifies the hierarchy node to delete.
Palo Alto Networks Configuration Mode Commands • 33
edit
edit
Change context to a lower level in the configuration hierarchy.
Syntaxedit [context]
Options
Sample Output
The following command changes context from the top level to the network profiles level of the hierarchy.[edit] username@hostname# edit rulebase
[edit rulebase] username@hostname#
Required Privilege Level
superuser, vsysadmin, deviceadmin
context Specifies a path through the hierarchy.
exit
34 • Configuration Mode Commands Palo Alto Networks
exit
Exit from the current PAN-OS CLI level.
• From Operational mode—Exits the PAN-OS CLI.
• From Configuration mode, top hierarchy level—Exits Configuration mode, returning to Operational mode.
• From Configuration mode, lower hierarchy levels—Changes context to one level up in the hierarchy. Provides the same result as the up command.
Syntaxexit
Options
None
Sample Output
The following command changes context from the network interface level to the network level.[edit network interface] username@hostname# exit[edit network] username@hostname#
The following command changes from Configuration mode to Operational mode.[edit] username@hostname# exitExiting configuration mode
username@hostname>
Required Privilege Level
All
Note: The exit command is the same as the quit command.
Palo Alto Networks Configuration Mode Commands • 35
load
load
Assigns the last saved configuration or a specified configuration to be the candidate configuration.
Syntaxload config [from filename]
Options
Sample Output
The following command assigns output.xml to be the candidate configuration.[edit] username@hostname# load config from output.xml
command succeeded
[edit] username@hostname#
Required Privilege Level
superuser, vsysadmin, deviceadmin
filename Specifies the filename from which the configuration will be loaded.
move
36 • Configuration Mode Commands Palo Alto Networks
move
Relocate a node in the hierarchy along with its children to be at another location at the same hierarchy level.
Syntaxmove element [bottom | top | after element | before element]
Options
Sample Output
The following command moves the security rule rule1 to the top of the rule base.username@hostname# move rulebase security rules rule1 top
[edit] username@hostname#
Required Privilege Level
superuser, vsysadmin, deviceadmin
element Specifies the items to be moved.
element placement
Specifies the new location of the element:
element2 Indicates the element after or before which element1 will be placed.
Option Description
bottom Makes the element the last entry of the hierarchy level.
top Makes the element the first entry of the hierarchy level.
after Moves element to be after element2.
before Moves element to be before element2.
Palo Alto Networks Configuration Mode Commands • 37
quit
quit
Exit from the current PAN-OS CLI level.
• From Operational mode—Exits the PAN-OS CLI.
• From Configuration mode, top hierarchy level—Exits Configuration mode, returning to Operational mode.
• From Configuration mode, lower hierarchy levels—Changes context to one level up in the hierarchy. Provides the same result as the up command.
Syntaxquit
Options
None
Sample Output
The following command changes context from the network interface level to the network level.[edit log-settings] username@hostname# quit
[edit] username@hostname#
The following command changes from Configuration mode to Operational mode.[edit] username@hostname# quitExiting configuration mode
username@hostname>
Required Privilege Level
All
Note: The exit and quit commands are interchangeable.
rename
38 • Configuration Mode Commands Palo Alto Networks
rename
Change the name of a node in the hierarchy.
Syntaxrename [node1] to [node2]
Options
Sample Output
The following command changes the name of a node in the hierarchy from 1.1.1.1/24 to 1.1.1.2/24.username@hostname# rename network interface vlan ip 1.1.1.1/24 to 1.1.1.2/24
Required Privilege Level
superuser, vsysadmin, deviceadmin
node1 Indicates the original node name.
node2 Indicates the new node name.
Palo Alto Networks Configuration Mode Commands • 39
run
run
Execute an Operational mode command while in Configuration mode.
Syntaxrun [command]
Options
Sample Output
The following command executes a ping command to the IP address 1.1.1.2 from Configuration mode.username@hostname# run ping 1.1.1.2PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data....username@hostname#
Required Privilege Level
superuser, vsysadmin, deviceadmin
command Specifies an Operational mode command.
save
40 • Configuration Mode Commands Palo Alto Networks
save
Saves a snapshot of the firewall configuration.
Syntaxsave config [to filename]
Options
Sample Output
The following command saves a copy of the configuration to the file savefile.[edit]username@hostname# save config to savefileConfig saved to savefile
[edit] username@hostname#
Required Privilege Level
superuser, vsysadmin, deviceadmin
Note: This command saves the configuration on the firewall, but does not make the configuration active. Use the commit command to make the current candidate configuration active.
filename Specifies the filename to store the configuration. The filename cannot include a hyphen (-).
Palo Alto Networks Configuration Mode Commands • 41
set
set
Changes a value in the candidate configuration. Changes are retained while the firewall is powered until overwritten.
Syntaxset [context]
Options
Sample Output
The following command assigns the ethernet1/4 interface to be a virtual wire interface.[edit]username@hostname# set network interface ethernet ethernet1/1 virtual-wire
[edit] username@hostname#
The following command sets the VLAN IP address to 1.1.1.4/32 from the network interface vlan level of the hierarchy.[edit network interface vlan] username@hostname# set ip 1.1.1.4/32
[edit network interface vlan] username@hostname#
The following command locks an administrative user out for 15 minutes after 5 failed login attempts.username@hostname# set deviceconfig setting management admin-lockout 5 lockout-time 15
Required Privilege Level
superuser, vsysadmin, deviceadmin
Note: To save the candidate configuration in non-volatile storage, use the save command. To make the candidate configuration active, use the commit command.
context Specifies a path through the hierarchy.
show
42 • Configuration Mode Commands Palo Alto Networks
show
Display information about the current candidate configuration.
Syntaxshow [context]
Options
Sample Output
The following command shows the full candidate hierarchy.username@hostname# show
The following commands can be used to display the hierarchy segment for network interface.
• Specify context on the command line:
show network interface
• Use the edit command to move to the level of the hierarchy, and then use the show command without specifying context:
edit network interface[edit network interface] show
Required Privilege Level
superuser, vsysadmin, deviceadmin
context Specifies a path through the hierarchy.
Palo Alto Networks Configuration Mode Commands • 43
top
top
Change context to the top hierarchy level.
Syntaxtop
Options
None
Sample Output
The following command changes context from the network level of the hierarchy to the top level.[edit network] username@hostname# top
[edit] username@hostname#
Required Privilege Level
All
up
44 • Configuration Mode Commands Palo Alto Networks
up
Change context to the next higher hierarchy level.
Syntaxup
Options
None
Sample Output
The following command changes context from the network interface level of the hierarchy to the network level.[edit network interface] username@hostname# up
[edit network] username@hostname#
Required Privilege Level
All
Palo Alto Networks Operational Mode Commands • 45
November 4, 2008 - Palo Alto Networks COMPANY CONFIDENTIAL
Chapter 4
Operational Mode Commands
This chapter contains command reference pages for the following operational mode commands:
• “clear” on page 49
• “configure” on page 51
• “delete” on page 52
• “debug captive-portal” on page 54
• “debug cli” on page 55
• “debug cpld” on page 56
• “debug dataplane” on page 57
• “debug device-server” on page 59
• “debug dhcpd” on page 60
• “debug ez” on page 61
• “debug high-availability-agent” on page 62
• “debug ike” on page 63
• “debug keymgr” on page 64
• “debug log-receiver” on page 65
• “debug management-server” on page 66
• “debug master-service” on page 67
• “debug netconfig-agent” on page 68
• “debug routing” on page 69
• “debug software” on page 70
• “debug swm” on page 71
46 • Operational Mode Commands Palo Alto Networks
• “debug tac-login” on page 72
• “debug vardata-receiver” on page 73
• “exit” on page 74
• “grep” on page 75
• “less” on page 76
• “ping” on page 77
• “quit” on page 79
• “request certificate” on page 80
• “request content upgrade” on page 82
• “request high-availability” on page 83
• “request license” on page 84
• “request restart” on page 85
• “request support” on page 86
• “request system” on page 87
• “scp” on page 88
• “set application dump” on page 90
• “set cli” on page 91
• “set logging” on page 92
• “set serial-number” on page 93
• “set session” on page 94
• “set target-vsys” on page 95
• “set zip” on page 96
• “show admins” on page 97
• “show arp” on page 98
• “show chassis-ready” on page 99
• “show cli” on page 100
• “show clock” on page 101
• “show config” on page 102
• “show counter” on page 103
• “show ctd” on page 104
• “show device” on page 105
Palo Alto Networks Operational Mode Commands • 47
• “show device-messages” on page 106
• “show devicegroups” on page 107
• “show dhcp” on page 108
• “show high-availability” on page 109
• “show interface” on page 110
• “show jobs” on page 111
• “show location” on page 112
• “show log” on page 113
• “show logging” on page 115
• “show mac” on page 116
• “show management-clients” on page 117
• “show multi-vsys” on page 118
• “show pan-agent” on page 119
• “show proxy” on page 120
• “show query” on page 121
• “show report” on page 122
• “show routing” on page 123
• “show route” on page 127
• “show session” on page 128
• “show statistics” on page 130
• “show system” on page 132
• “show target-vsys” on page 134
• “show threat” on page 135
• “show vlan” on page 137
• “show vpn” on page 138
• “show zip” on page 140
• “show zone-protection” on page 141
• “ssh” on page 142
• “tail” on page 143
• “telnet” on page 144
• “test” on page 145
48 • Operational Mode Commands Palo Alto Networks
• “tftp” on page 146
• “traceroute” on page 148
• “view-pcap” on page 150
Palo Alto Networks Operational Mode Commands • 49
clear
clear
Reset information, counters, sessions, or statistics.
Syntax clear application-signature statistics clear arp <all | interfacename> clear counter <all | global | interface> clear dhcp lease <all | interface name interfacename [ip ipaddr]> clear high-availability control-link statisticsclear job jobid clear log type clear mac <value | all>clear query <all-by-session | id queryid>clear report <all-by-session | id reportid>clear session <id sessionid | all [filter rule]>clear statistics clear vpn <flow [tunnel-id tunnelid] | ike-sa [gateway gatewayid] | ipsec-sa [tunnel tunnelid]>
clear
50 • Operational Mode Commands Palo Alto Networks
Options
Sample Output
The following command clears the session with ID 2245.username@hostname> clear session id 2245Session 2245 clearedusername@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
application-signature statistics
Clears application-signature statistics.
arp Clears Address Resolution Protocol (ARP) information for a specified interface, loopback, or VLAN, or all.
counter Clears interface counters. Specify all counters, global counters, or interface counters.
dhcp lease Clears DHCP leases. Specify all or specify an interface and optional IP address.
job Clears download jobs. Specify the job id.
log Remove log files from disk. Specify the log type: acc, config, system, threat, or traffic.
mac Clears MAC address information for a specified VLAN or all addresses.
session Clears a specified session or all sessions. Refer to “show session” on page 128 for a description of the filter options when clearing all sessions.
statistics Clears all statistics.
vpn Clears IKE or IPSec VPN run-time objects:
flow Clears the VPN tunnel on the data plane. Specify the tunnel or press Enter to apply to all tunnels.
ike-sa Removes the active IKE SA and stops all ongoing key negotiations. Specify the gateway or press Enter to apply to all gateways.
ipsec-sa Deactivate the IPsec SA for a tunnel or all tunnels. Specify the tunnel or press Enter to apply to all tunnels.
Palo Alto Networks Operational Mode Commands • 51
configure
configure
Enter Configuration mode.
Syntax configure
Options
None
Sample Output
To enter Configuration mode from Operational mode, enter the following command.username@hostname> configureEntering configuration mode
[edit] username@hostname#
Required Privilege Level
superuser, vsysadmin, deviceadmin
delete
52 • Operational Mode Commands Palo Alto Networks
delete
Remove files from disk or restores default comfort pages, which are presented when files or URLs are blocked.
Syntax delete item
Options
item Specifies the type of file to be deleted.
Option Description
captive-portal-text Text included in a captive portal.
config saved filename Saved configuration file.
content update filename Content updates.
core <control-plane | dataplan> file filename
Control or data plane cores.
debug-filter file filename Debugging capture files.
file-block-page Page presented to users when files are blocked. Restores default page.
license key filename License key file.
pcap file filename Packet capture files.
policy-cache Cached policy compilations
reverse-key file filename SSL reverse proxy keys.
root-certificate file filename
Root certificates.
software image imagename Software image.
spyware-block-page Page presented to users when web pages are blocked due to spyware. Restores default page.
ssl-optout-text Page presented to users when a web session is to be decrypted. Restores default page.
threat-pcap directory directoryname
Threat packet capture files in a specified directory.
unknown-pcap Packet capture files for unknown sessions.
url-block-page Page presented to users when web pages are blocked. Restores default page.
user-file ssh-known-hosts SSH known hosts file.
virus-block-page Page presented to users when web pages are blocked. Restores default page.
Palo Alto Networks Operational Mode Commands • 53
delete
Sample Output
The following command deletes the custom page presented to users when web pages are blocked due to spyware.username@hostname> delete spyware-block-pageusername@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
debug captive-portal
54 • Operational Mode Commands Palo Alto Networks
debug captive-portal
Define settings for debugging the captive portal daemon.
Syntax debug captive-portal option
Options
Sample Output
The following command turns the debugging option on.admin@PA-HDF> debug captive-portal on
admin@PA-HDF>
Required Privilege Level
superuser vsysadmin
show Shows whether this command is on or off.
off Turns the debugging option off.
on Turns the debugging option on.
Palo Alto Networks Operational Mode Commands • 55
debug cli
debug cli
Define settings and display information for debugging the CLI connection.
Syntax debug cli option
Options
Sample Output
The following command shows details of the CLI connection.admin@PA-HDF> debug cli detailEnvironment variables :(USER . admin)(LOGNAME . admin)(HOME . /home/admin)(PATH . /usr/local/bin:/bin:/usr/bin)(MAIL . /var/mail/admin)(SHELL . /bin/bash)(SSH_CLIENT . 10.31.1.104 1109 22)(SSH_CONNECTION . 10.31.1.104 1109 10.1.7.2 22)(SSH_TTY . /dev/pts/0)(TERM . vt100)(LINES . 24)(COLUMNS . 80)(PAN_BASE_DIR . /opt/pancfg/mgmt)
PAN_BUILD_TYPE : DEVELOPMENT
Total Heap : 7.00 MUsed : 5.51 MNursery : 0.12 Madmin@PA-HDF>
Required Privilege Level
superuser vsysadmin
detail Shows details information about the CLI connection.
show Shows whether this command is on or off.
off Turns the debugging option off.
on Turns the debugging option on.
debug cpld
56 • Operational Mode Commands Palo Alto Networks
debug cpld
Debug the complex programmable logic device (CPLD).
Syntax debug cpld
Options
None
Sample OutputN/A
Required Privilege Level
superuser vsysadmin
Palo Alto Networks Operational Mode Commands • 57
debug dataplane
debug dataplane
Configure settings for debugging the data plane.
Syntax debug dataplane option
Options
The available sub-options depend on the specified option.
Sample Output
The following command shows the statistics for the dataplane buffer pools.admin@PA-HDF> debug dataplane pool statistics
The following command turns dataplane filtering on and sets filter parameters.
admin@PA-HDF> debug dataplane filter onadmin@PA-HDF> debug dataplane filter set source 10.1 11.2.3 file abc.pcap
clear Clear all dataplane debug logs.
device Debug dataplane hardware component.
drop-filter Define a filter to capture dropped packets.
filter Determine the packets to capture or send to a debug log file.
fpga Debug the field programmable gate array (FPGA).
get Show current dataplane debug settings.
internal Debug the dataplane internal state.
memory Examine dataplane memory.
mode Control dataplane debug logging mode.
off Turn off dataplane debug logging.
on Turn on dataplane debug logging.
pool Debug buffer pools, including checks of hardware and software utilization and buffer pool statistics.
pow Debug packet scheduling engine.
process Debug the dataplane process for the high-availability agent (ha-agent) and management plane relay agent (mprelay).
reset Reset settings for debugging the data plane.
set Specify parameters for dataplane debugging
show Show dataplane running information.
task-heartbeat Debug dataplane task heartbeat.
unset Clear the previously-set parameters for dataplane debugging
debug dataplane
58 • Operational Mode Commands Palo Alto Networks
Required Privilege Level
superuser vsysadmin
Palo Alto Networks Operational Mode Commands • 59
debug device-server
debug device-server
Configure settings for debugging the device server.
Syntax debug device-server option
Options
Sample Output
The following command turns off debug logging for the device server.admin@PA-HDF> debug device-server offtdb is onadmin@PA-HDF>
Required Privilege Level
superuser vsysadmin
clear Clear all debug logs.
dump Dump the debug data.
off Turn off debug logging.
on Turn on debug logging.
reset Clear logging data.
set Set debugging values.
show Display current debug log settings.
test Test the current settings.
uset Remove current settings.
debug dhcpd
60 • Operational Mode Commands Palo Alto Networks
debug dhcpd
Configure settings for debugging the Dynamic Host Configuration Protocol (DHCP) daemon.
Syntax debug dhcpd option
Options
Sample Output
The following command shows current global DHCP daemon settings.admin@PA-HDF> debug dhcpd global showtdb is onadmin@PA-HDF>
Required Privilege Level
superuser vsysadmin
global Define settings for the global DHCP daemon.
pcap Define settings for debugging packet capture.
Palo Alto Networks Operational Mode Commands • 61
debug ez
debug ez
Configure settings for debugging the EZ chip.
Syntax debug ez option
Options
Sample Output
The following command disables debugging of the EZ chip.admin@PA-HDF> debug ez enabletdb is onadmin@PA-HDF>
Required Privilege Level
superuser vsysadmin
disable Turn EZ debugging off.
enable Turn EZ debugging on.
set Set parameters for EZ debugging.
show Show EZ debugging information.
debug high-availability-agent
62 • Operational Mode Commands Palo Alto Networks
debug high-availability-agent
Configure settings for debugging the high availability agent.
Syntax debug high-availability-agent option
Options
Sample Output
The following command turns modeling checking on for the high availability agent. admin@PA-HDF> debug high-availability-agent model-check on tdb is onadmin@PA-HDF>
Required Privilege Level
superuser vsysadmin
clear Clear the debug logs.
internal-dump Dump the internal state of the agent to its log.
model-check Turn model checking with the peer on or off.
off Turns the debugging option off.
on Turns the debugging option on.
show Shows whether this command is on or off.
Palo Alto Networks Operational Mode Commands • 63
debug ike
debug ike
Configure settings for debugging Internet Key Exchange (IKE) daemon.
Syntax debug ike option
Options
Sample Output
The following command turns on the global options for debugging the IKE daemon.admin@PA-HDF> debug ike global ontdb is onadmin@PA-HDF>
Required Privilege Level
superuser vsysadmin
global Configure global settings.
pcap Configure packet capture settings.
socket Configure socket settings.
stat Show IKE daemon statistics.
debug keymgr
64 • Operational Mode Commands Palo Alto Networks
debug keymgr
Configure settings for debugging the key manager daemon.
Syntax debug keymgr option
Options
Sample Output
The following command shows the current information on the key manager daemon.admin@PA-HDF> debug keymgr show
sw.keymgr.debug.global: normal
admin@PA-HDF>
Required Privilege Level
superuser vsysadmin
list-sa Lists the IPSec security associations (SAs) that are stored in the key manager daemon.
off Turn the settings off.
on Turn the settings on.
show Show key manager daemon information.
Palo Alto Networks Operational Mode Commands • 65
debug log-receiver
debug log-receiver
Configure settings for debugging the log receiver daemon.
Syntax debug log-receiver option
Options
Sample Output
The following command turns log receiver debugging on.admin@PA-HDF> debug log-receiver ontdb is onadmin@PA-HDF>
Required Privilege Level
superuser vsysadmin
off Turns the debugging option off.
on Turns the debugging option on.
show Shows whether this command is on or off.
statistics Show log receiver daemon statistics.
debug management-server
66 • Operational Mode Commands Palo Alto Networks
debug management-server
Configure settings for debugging the management server.
Syntax debug management-server option
Options
Sample Output
The following example turns management server debugging on.admin@PA-HDF> debug management-server on(null)admin@PA-HDF>
Required Privilege Level
superuser vsysadmin
clear Clear all debug logs.
client Debug the management server client.
off Turn debugging off
on Turn debugging on.
show Show management server debug statistics.
Palo Alto Networks Operational Mode Commands • 67
debug master-service
debug master-service
Configure settings for debugging the master service.
Syntax debug master-service option
Options
Sample Output
The following command dumps the internal state of the master server to the log.admin@PA-HDF> debug master-service internal-dumptdb is onadmin@PA-HDF>
Required Privilege Level
superuser vsysadmin
clear Clear all debug logs.
internal-dump Dump the internal state of the server to the log.
off Turn debugging off
on Turn debugging on.
show Show debug settings.
debug netconfig-agent
68 • Operational Mode Commands Palo Alto Networks
debug netconfig-agent
Configure settings for debugging the network configuration agent.
Syntax debug netconfig-agent option
Options
Sample Output
The following command shows the debug settings for the network configuration agent.admin@PA-HDF> debug netconfig-agent show
sw.netconfig-agent.debug: off
admin@PA-HDF>
Required Privilege Level
superuser vsysadmin
show Show whether this command is on or off.
off Turn the debugging option off.
on Turn the debugging option on.
Palo Alto Networks Operational Mode Commands • 69
debug routing
debug routing
Configure settings for debugging the route daemon.
Syntax debug routing option
Options
Sample Output
The following command displays the MIB tables for routing.admin@PA-HDF> debug routing list-mib
i3EmuTable (1 entries)==========================sckTable (0 entries)sckSimInterfaceTable (0 entries)sckEiTable (0 entries)sckEaTable (0 entries)i3Table (0 entries)i3EiTable (0 entries)i3EaTable (0 entries)i3EtTable (0 entries)i3EmTable (0 entries)dcSMLocationTable (0 entries)dcSMHMTestActionObjects (0 entries)siNode (0 entries)siOSFailures (0 entries)siTraceControl (0 entries)siExecAction (0 entries)...admin@PA-HDF>
Required Privilege Level
superuser vsysadmin
fib Turn on debugging for the forwarding table.
global Turn on global debugging.
list-mib Show the routing list with management information base (MIB) names.
mib Show the MIB tables.
pcap Show packet capture data.
socket Show socket data.
debug software
70 • Operational Mode Commands Palo Alto Networks
debug software
Restart software processes to aid debugging.
Syntax debug software restart option
Options
Sample Output
The following command restarts the web server.admin@PA-HDF> debug software restart web-servertdb is onadmin@PA-HDF>
Required Privilege Level
superuser vsysadmin
device-server Restart the device server.
management-server Restart the management server.
web-server Restart the web server.
Palo Alto Networks Operational Mode Commands • 71
debug swm
debug swm
Configure settings for debugging the Palo Alto Networks software manager.
Syntax debug swm option
Options
Sample Output
The following command shows the list of available software versions.admin@PA-HDF> debug swm list
2.1.0-c4.dev2.1.0-c1.dev_base2.0.0-c2072.0.0-c206admin@PA-HDF>
Required Privilege Level
superuser vsysadmin
command Run a software manager command.
history Show the history of software installation operations.
list List software versions that are available for installation.
refresh Revert back to the last successfully installed content.
revert Revert back to the last successfully installed software.
status Show the status of the software manager.
unlock Unlock the software manager.
debug tac-login
72 • Operational Mode Commands Palo Alto Networks
debug tac-login
Configure settings for debugging the Palo Alto Networks Technical Assistance Center (TAC) connection.
Syntax debug tac-login option
Options
Sample Output
The following command turns TAC login debugging on.admin@PA-HDF> debug tac-login on
admin@PA-HDF>
Required Privilege Level
superuser vsysadmin
enable Enable TAC login.
disable Disable TAC login.
permanently-disable Turn off TAC login debugging permanently.
Palo Alto Networks Operational Mode Commands • 73
debug vardata-receiver
debug vardata-receiver
Configure settings for debugging the variable data daemon.
Syntax debug vardata-receiver option
Options
Sample Output
The following command shows statistics for the variable data daemon.admin@PA-HDF> debug vardata-receiver statisticstdb is onadmin@PA-HDF>
Required Privilege Level
superuser vsysadmin
off Turns the debugging option off.
on Turns the debugging option on.
show Shows whether this command is on or off.
statistics Show log receiver daemon statistics.
exit
74 • Operational Mode Commands Palo Alto Networks
exit
Exit the PAN-OS CLI.
Syntax exit
Options
None
Sample Output
N/A
Required Privilege Level
All
Note: The exit command is the same as the quit command.
Palo Alto Networks Operational Mode Commands • 75
grep
grep
Find and list lines from log files that match a specified pattern.
Syntax grep [after-context number] [before-context number] [context number] [count] [ignore-case] [invert-match] [line-number] [max-count] [no-filename] [with-filename] pattern file
Options
Sample Output
The following command searches the ms.log file for occurrences of the string id:admin.username@hostname> grep id:admin /var/log/pan/ms.log
username@hostname>
Required Privilege Level
All
after-context Prints the matching lines plus the specified number of lines that follow the matching lines.
before-context Prints the matching lines plus the specified number of lines that precede the matching lines.
context Prints the specified number of lines in the file for output context.
count Prints a count of matching files for each input file.
ignore-case Ignores case distinctions.
invert-match Selects non-matching lines instead of matching lines.
line-number Adds the line number at the beginning of each line of output.
max-count Stops reading a file after the specified number of matching lines.
no-filename Does not add the filename prefix for output.
with-filename Prints the file name for each match.
pattern Indicates the string to be matched.
file Indicates the log file to be searched.
less
76 • Operational Mode Commands Palo Alto Networks
less
Find and l
List the contents of the specified log file.
Syntax less file
Options
Sample Output
The following command lists the contents of the web application log.username@hostname> less ?/var/log/pan/appWeb.log 1249/var/log/pan/devsrv.log 65009/var/log/pan/masterd.log 2092/var/log/pan/ms.log 166/var/log/pan/pan_netconfig_agent.log 749...
Required Privilege Level
All
file Indicates the log file to be searched.
Palo Alto Networks Operational Mode Commands • 77
ping
ping
Check network connectivity to a host.
Syntax ping [bypass-routing] [count] [do-not-fragment] [inet] [no resolve] [pattern] [record-route] [size] [source] [tos] [ttl] [wait] host
Options
Sample Output
The following command checks network connectivity to the host 66.102.7.104, specifying 4 ping packets and complete details of the transmission.username@hostname> ping count 4 verbose 66.102.7.104PING 66.102.7.104 (66.102.7.104) 56(84) bytes of data.64 bytes from 66.102.7.104: icmp_seq=0 ttl=243 time=316 ms64 bytes from 66.102.7.104: icmp_seq=1 ttl=243 time=476 ms64 bytes from 66.102.7.104: icmp_seq=2 ttl=243 time=376 ms64 bytes from 66.102.7.104: icmp_seq=3 ttl=243 time=201 ms
--- 66.102.7.104 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3023ms
bypass-routing Sends the ping request directly to the host on a direct attached network, bypassing usual routing table.
count Specifies the number of ping requests to be sent.
do-not-fragment Prevents packet fragmentation by use of the do-not-fragment bit in the packet’s IP header.
inet Specifies that the ping packets will use IP version 4.
interval Specifies how often the ping packets are sent (0 to 2000000000 seconds).
no-resolve Provides IP address only without resolving to hostnames.
pattern Specifies a custom string to include in the ping request. You can specify up to 12 padding bytes to fill out the packet that is sent as an aid in diagnosing data-dependent problems.
record-route Requests a report on the path traveled by the ping packets.
size Specifies the size of the ping packets.
source Specifies the source IP address for the ping command.
tos Specifies the type of service (TOS) treatment for the packets by way of the TOS bit for the IP header in the ping packet.
ttl Specifies the time-to-live (TTL) value for the ping packet (IPv6 hop-limit value) (0-255 hops).
verbose Requests complete details of the ping request.
wait Specifies a delay in transmission of the ping request (seconds).
host Specifies the host name or IP address of the remote host.
ping
78 • Operational Mode Commands Palo Alto Networks
rtt min/avg/max/mdev = 201.718/342.816/476.595/99.521 ms, pipe 2
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
Palo Alto Networks Operational Mode Commands • 79
quit
quit
Exit the current session for the firewall.
Syntax quit
Options
None
Sample OutputN/A
Required Privilege Level
All
Note: The quit command is the same as the exit command.
request certificate
80 • Operational Mode Commands Palo Alto Networks
request certificate
Generate a self-signed security certificate.
Syntax request certificate [install for-use-by purpose | self-signed option for-use-by purpose]
Options
Sample Output
The following command requests a self-signed certificate for the web interface with length 1024 and IP address 1.1.1.1.username@hostname> request certificate self-signed nbits 1024 name 1.1.1.1 for-use-by web-interface
install Installs the generated certificate.
self-signed Generates the self-signed certificate.
option Specifies information to include in the certificate. Multiple options are supported.
purpose Requests the certificate for the specified purpose.
country-code Two-character code for the country in which the certificate will be used.
email Email address of the contact person.
locality City, campus, or other local area.
nbits value Number of bits in the certificate (512 or 1024).
organization Organization using the certificate.
organization unit
Department using the certificate.
state Two-character code for the state or province in which the certificate will be used.
name IP address or fully qualified domain name (FQDN) to appear on the certificate.
passphrase Passphrase for encrypting the private key.
panorama-server Panorama server machine (used by Panorama to communicate with managed devices).
web-interface Embedded web interface.
Palo Alto Networks Operational Mode Commands • 81
request certificate
Required Privilege Level
superuser, vsysadmin, deviceadmin
request content upgrade
82 • Operational Mode Commands Palo Alto Networks
request content upgrade
Perform application level upgrade operations.
Syntax request content upgrade [check | download latest | info | install latest]
Options
Sample Output
The following command lists information about the firewall server software.username@hostname> request content upgrade check
Version Size Released on Downloaded
-------------------------------------------------------------------------
13-25 10MB 2007/04/19 15:25:02 yes
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
check Obtain information from the Palo Alto Networks server.
download latest Download application identification packages.
info Show information about available application ID packages.
install latest Install application identification packages.
Palo Alto Networks Operational Mode Commands • 83
request high-availability
request high-availability
Perform operations related to high availability.
Syntax request high-availability clear-alarm-led
request high-availability state <functional | suspend>
request high-availability sync-to-remote <candidate-config | clock | disk-state | running-config | runtime-state>
Options
Sample Output
The following command sets the high-availability state of the device to suspend.
username@hostname> request high-availability state suspend
Required Privilege Level
superuser, vsysadmin, deviceadmin
clear-alarm-led
Clear the high-availability alarm LED.
state Set the high availability state of the device:
• functional—Set the device to the functioning state.
• suspend—Set the device to the suspended state.
sync-to-remote
Perform configuration synchronization operations:
• candidate-config—Synchronize the candidate configuration to the peer device.
• clock—Synchronize the local time and date to the peer device.
• disk-state—Synchronize the required on-disk state to the peer device.
• running-config—Synchronize the running configuration to the peer device.
• runtime-state—Synchronize the runtime synchronization state to the peer device.
request license
84 • Operational Mode Commands Palo Alto Networks
request license
Perform license-related operations.
Syntax request license [fetch [auth-code] | info | install]
Options
Sample Output
The following command requests a new license key with the authentication code 123456.
username@hostname> request fetch auth-code 123456
Required Privilege Level
superuser, vsysadmin, deviceadmin
fetch Gets a new license key using an authentication code.
info Displays information about currently owned licenses.
install Installs a license key.
Palo Alto Networks Operational Mode Commands • 85
request restart
request restart
Restart the system or software modules.
Syntax request restart [dataplane | software | system]
Options
Sample Output
The following command restarts all the firewall software.username@hostname> request restart software
Required Privilege Level
superuser, vsysadmin, deviceadmin
CAUTION: Using this command causes the firewall to reboot, resulting in the temporary disruption of network traffic. Unsaved or uncommitted changes will be lost.
dataplane Restarts the dataplane software.
software Restarts all system software
system Reboots the system.
request support
86 • Operational Mode Commands Palo Alto Networks
request support
Obtain technical support information.
Syntax request support [check | info]
Options
Sample Output
The following command restarts the firewall software.username@hostname> request support info
Required Privilege Level
superuser, vsysadmin, deviceadmin
check Get support information from the Palo Alto Networks update server.
info Show downloaded support information.
Palo Alto Networks Operational Mode Commands • 87
request system
request system
Download system software or request information about available software packages.
Syntax request system [factory-reset | software [check | download [file | version] name] | info | install [file | version] name]]
Options
Sample Output
The following command requests information about the software packages that are available for download.username@hostname> request system software info
Version Filename Size Released Downloaded-------------------------------------------------------------------------1.0.1 panos.4050-1.0.1.tar.gz 127MB 2007/02/07 00:00:00 no1.0.2 panos.4050-1.0.2.tar.gz 127MB 2007/02/07 00:00:00 no1.0.0-20 PANOS-QA-20.tar.gz 122MB 2007/02/13 00:00:00 no1.0.0-1746 PANOS-DEV-1746.tgz 122MB 2007/02/13 00:00:00 no
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
factory-reset
Resets the configuration to factory defaults.
check Gets information from the Palo Alto Networks server.
download Downloads software packages.
info Shows information about available software packages.
install Downgrades to a downloaded software package.
file Specifies the file to download or install.
version Specifies the software version to download or install.
name Specifies the file or version name.
scp
88 • Operational Mode Commands Palo Alto Networks
scp
Copy files between the firewall and another host. Enables downloading of a customizable HTML replacement message (comfort page) in place of a malware infected file.
Syntax scp export export-option [control-plane | data-plane] to target from source [remote-port portnumber] [source-ip address]
scp import import-option [source-ip address] [remote-port portnumber] from source
Options
export export-option
Specifies the type of file to export to the other host.
Option Description
application Application packet capture file.
captive-portal-text
Text to be included in a captive portal.
configuration Configuration file.
core-file Core file.
debug pcap IKE negotiation packet capture file.
file-block-page File containing comfort pages to be presented when files are blocked.
filter Filter definitions.
log-file Log files.
log-db Log database.
packet-log Logs of packet data.
spyware-block-page
Comfort page to be presented when files are blocked due to spyware.
ssl-optout-text SSL optout text.
tech-support Technical support information.
trusted-ca-certificate
Certificate Authority (CA) security certificate.
url-block-page Comfort page to be presented when files are blocked due to a blocked URL.
virus-block-page Comfort page to be presented when files are blocked due to a virus.
web-interface-certificate
Web interface certificate.
Palo Alto Networks Operational Mode Commands • 89
scp
Sample Output
The following command imports a license file from a file in user1’s account on the machine with IP address 10.0.3.4.username@hostname> scp import ssl-certificate from [email protected]:/tmp/certificatefile
Required Privilege Level
superuser, vsysadmin, deviceadmin
import import-option
Specifies the type of file to import from the other host.
control-plane Indicates that the file contains control information.
data-plane Indicates that the file contains information about data traffic.
remote-port portnumber
Specifies the port number on the remote host.
source-ip address
Specifies the source IP address.
to Specifies the destination user in the format username@host:path.
from Specifies the source user in the format username@host:path.
Option Description
application Application packet capture file.
captive-portal-text
Text to be included in a captive portal.
configuration Configuration file.
core-file Core file.
file-block-page File containing comfort pages to be presented when files are blocked.
filter Filter definitions.
ike-pcapc-file IKE negotiation packet capture file.
log-file Log files.
log-db Log database.
packet-log Logs of packet data.
spyware-block-page
Comfort page to be presented when files are blocked due to spyware.
ssl-optout-text SSL optout text.
tech-support Technical support information.
trusted-ca-certificate
Certificate Authority (CA) security certificate.
url-block-page Comfort page to be presented when files are blocked due to a blocked URL.
set application dump
90 • Operational Mode Commands Palo Alto Networks
set application dump
Captures session packets for unknown applications.
Syntax set application dump [off | [on [application appname][destination destname][destination-port destport] [destination-user destuser] [from zone zonename][limit value][protocol protnumber][source-port sourcename][source-port sourceport][source-user sourceuser][to zone zonename]
Sample Output
The following command turns packet capture for unknown applications off.
username@hostname> set application dump off
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
off Turns application dump off.
on Turns application dump on.
application appname
Specifies the application.
destination destname
Specifies the destination IP address.
destination-user destuser
Specifies the destination user.
destination-port destport
Specifies the destination port.
zone zonename Specifies the zone.
protocol protname
Specifies the protocol.
limit value Specifies the limit.
source sourcename
Specifies the source IP address.
source-user sourceuser
Specifies the source user.
source-port sourceport
Specifies the source port.
Palo Alto Networks Operational Mode Commands • 91
set cli
set cli
Set scripting and pager options for the PAN-OS CLI.
Syntax set cli [scripting-mode | pager | timeout [idle idle-value] [session session-value]] off | on
Options
Sample Output
The following command turns the PAN-OS CLI pager option off.username@hostname> set cli pager offusername@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
scripting-mode Enables or disables scripting mode.
pager Enables or disables pages.
timeout Sets administrative session timeout values.
idle-value Specifies the idle timeout (0-86400 seconds).
session-value Specifies the administrative session timeout (0-86400 seconds).
off Turns the option off.
on Turns the option on.
set logging
92 • Operational Mode Commands Palo Alto Networks
set logging
Set logging options for traffic and event logging.
Syntax set logging option value
Options
Sample Output
The following command sets the logging rate to be a maximum of 1000 KB/second.
username@hostname> set logging max-log-rate 1000Logging rate changed to 1000 KB/s
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
option Determines which of the following logging options is set.
value Sets the value of the rate for the logging option: 0-5120
Note: max-packet-rate and max-log rate both affect the rate at which log messages are forwarded. Generated log messages are kept in priority queues, and the log forwarding engine forwards the generated logs based on the log and packet rates. If the rates are set too low, the queues may build up and eventually drop log messages.
Option Description
default Restores all log settings to default.
log-suppression [yes | no]
Enables or disables suppression of log information.
max-packet-rate Specifies the maximum packet rate (0-5120 KB/s)
max-log-rate Specifies the maximum logging rate (0-5120 KB/s)
Palo Alto Networks Operational Mode Commands • 93
set serial-number
set serial-number
(Panorama™ only) Configure the serial number of the Panorama machine. The serial number must be set for Panorama to connect to the update server.
Syntax set serial-number value
Options
Sample Output
The following command sets the Panorama serial number to 123456.username@hostname> set serial-number 123456username@hostname>
Required Privilege Level
superuser, superuser (read only), Panorama admin
value Specifies the serial number or software license key.
set session
94 • Operational Mode Commands Palo Alto Networks
set session
Set parameters for the networking session.
Syntax set session [default | item value]
Options
Sample Output
The following command sets the TCP timeout to 1 second.username@hostname> set session timeout-tcpwait 1username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
default Restores all session settings to the default values.
item value
Specifies the debugging target or level.
Option Value Description
accelerated-aging-enable
no | yes Enables or disables accelerated session aging.
accelerated-aging-scaling-factor
Power of 2 Sets the accelerated session aging scaling factor (power of 2).
accelerated-aging-threshold
Power of 2 (1-100) Sets the accelerated aging threshold as a percentage of session utilization.
tcp-reject-non-syn
no | yes Rejects non-synchronized TCP packets for session setup.
timeout-default Number of seconds Sets the session default timeout value in seconds.
timeout-icmp 1-15999999 Sets the session timeout value for ICMP commands.
timeout-tcp 1-15999999 Sets the session timeout value for TCP commands.
timeout-tcpwait Number of seconds Sets the session TCP wait timeout value in seconds.
timeout-udp 1-15999999 Sets the session timeout value for UDP commands.
Palo Alto Networks Operational Mode Commands • 95
set target-vsys
set target-vsys
Sets the target virtual system.
Syntax set target-vsys vsys
Options
Sample Output
The following command shows information about target virtual systems.username@hostname> set target-vsys vsys1Session target vsys changed to vsys1
username@hostname vsys1>>
Required Privilege Level
superuser, vsysadmin, deviceadmin
Note: When the target virtual system is set, the CLI prompt incorporates the vsys name. In this mode, if any command is executed, it executes for the vsys, if possible. For example, if you use secure copy to import or export a comfort page, the page is imported or exported for the vsys. Commands that are not virtual-system-specific continue to work normally.
vsys Specifies the name of the target virtual system.
set zip
96 • Operational Mode Commands Palo Alto Networks
set zip
Determines whether zipped files are automatically unzipped and policies are applied to the unzipped contents.
Syntax set zip enable <yes | no>
Options
Sample Output
The following command enables automatic unzipping and inspection of zipped files.username@hostname> set zip enable yes
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
yes Enables automatic unzipping and inspection of zipped files.
no Disables automatic unzipping and inspection of zipped files.
Palo Alto Networks Operational Mode Commands • 97
show admins
show admins
Display information about the active firewall administrators.
Syntax show admins [all]
Options
Sample Output
The following command displays administrator information for the 10.0.0.32 firewall.username@hostname> show admins | match 10.0.0
Admin From Type Session-start Idle-for --------------------------------------------------------------------------admin 10.0.0.132 Web 02/19 09:33:07 00:00:12s
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
all Lists the names of all administrators.
show arp
98 • Operational Mode Commands Palo Alto Networks
show arp
Shows current Address Resolution Protocol (ARP) entries.
Syntax show arp interface
Options
Sample Output
The following command displays ARP information for the ethernet1/1 interface.username@hostname> show arp ethernet1/1
maximum of entries supported : 8192default timeout: 1800 secondstotal ARP entries in table : 0total ARP entries shown : 0status: s - static, c - complete, i - incomplete
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
interface Specifies the interface for which the ARP table is displayed.
all Shows information for all ARP tables.
ethernetn/m Shows information for the specified interface.
loopback Shows loopback information.
vlan Shows VLAN information.
Palo Alto Networks Operational Mode Commands • 99
show chassis-ready
show chassis-ready
Shows whether the dataplane has a running policy.
Syntax show chassis-ready
Options
None
Sample Output
The following command shows that the dataplane has a currently running policy.username@hostname> show chassis-ready yes
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
show cli
100 • Operational Mode Commands Palo Alto Networks
show cli
Shows information about the current CLI session.
Syntax show cli info
Options
None
Sample Output
The following command shows information about the current CLI session.username@hostname> show cli infoProcess ID : 2045Pager : enabledVsys configuration mode : disabled
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
Palo Alto Networks Operational Mode Commands • 101
show clock
show clock
Shows the current time on the firewall.
Syntax show clock
Options
None
Sample Output
The following command shows the current time.username@hostname> show clock
Sun Feb 18 10:49:31 PST 2007
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
show config
102 • Operational Mode Commands Palo Alto Networks
show config
Shows the active configuration.
Syntax show config
Options
None
Sample Output
The following command shows the configuration lines that pertain to VLANs.username@hostname> show config | match vlan vlan { vlan;
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
Palo Alto Networks Operational Mode Commands • 103
show counter
show counter
Display system counter information.
Syntax show counter [global | interface]
Options
Sample Output
The following command displays all configuration counter information grouped according to interface.username@hostname> show counter interface
hardware interface counters:------------------------------------------------------------------------
interface: ethernet1/1------------------------------------------------------------------------bytes received 0 bytes transmitted 0 packets received 0 packets transmitted 0 receive errors 0 packets dropped 0 ------------------------------------------------------------------------
...
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
global Shows global system counter information.
interface Shows system counter information grouped by interface.
show ctd
104 • Operational Mode Commands Palo Alto Networks
show ctd
Show the threat signature information on the system.
Syntax show ctd threat threat_id application appid profile pfid
Options
Sample Output
The following command shows an example with the default threat action. username@hostname> show ctd threat 100000 application 109 profile 1Profile 1 appid 109 , action 0action 0 means “default” action.
The following command shows an example with the no threat action.admin@PA-HDF> show ctd threat 100000 application 108 profile 1Profile 1 appid 108 , action ffffaction “ffff” means “no” action.username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
threat_id Uniquely identifies the threat.
application appid
Shows the action of the threat action in the application.
profile pfid Identifies the profile.
Palo Alto Networks Operational Mode Commands • 105
show device
show device
(Panorama only) Show the state of managed devices.
Syntax show device-messages [all | connected]
Options
Sample Output
The following command shows information for connected devices.username@hostname> show devices connected
Serial Hostname IP Connected--------------------------------------------------------------------------PA04070001 pan-mgmt2 10.1.7.2 yes last push state: none
username@hostname>
Required Privilege Level
superuser, superuser (read only), Panorama admin
all Shows information for all managed devices.
connected Shows information for all connected devices.
show device-messages
106 • Operational Mode Commands Palo Alto Networks
show device-messages
(Panorama only) Show information on the policy messages for devices.
Syntax show device-messages [device] [group]
Options
Sample Output
The following command shows the device messages for the device pan-mgmt2 and the group dg1.username@hostname> show device-messages device pan-mgmt2 group dg1
username@hostname>
Required Privilege Level
superuser, superuser (read only), Panorama admin
device Shows the messages only for the specified device.
group Shows the messages only for the specified device group.
Palo Alto Networks Operational Mode Commands • 107
show devicegroups
show devicegroups
(Panorama only) Show information on device groups.
Syntax show devicegroups [name]
Options
Sample Output
The following command shows information for the device group dg1.username@hostname> show devicegroups dg1==========================================================================Group: dg3 Shared policy md5sum:dfc61be308c23e54e5cde039689e9d46
Serial Hostname IP Connected--------------------------------------------------------------------------PA04070001 pan-mgmt2 10.1.7.2 yes last push state: push succeeded vsys3 shared policy md5sum:dfc61be308c23e54e5cde039689e9d46(In Sync)
username@hostname>
Required Privilege Level
superuser, superuser (read only), Panorama admin
name Shows the information only for the specified device group.
show dhcp
108 • Operational Mode Commands Palo Alto Networks
show dhcp
Show information on Dynamic Host Control Protocol (DHCP) leases.
Syntax show dhcp lease <value | all>
Options
Sample Output
The following command shows all lease information. username@hostname> show dhcp allinterface: ethernet1/9ip mac expire66.66.66.1 00:15:c5:60:a5:b0 Tue Mar 11 16:12:09 200866.66.66.2 00:15:c5:e1:0d:b0 Tue Mar 11 16:08:01 2008
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
value Identifies the interface (ethernetn/m)
all Shows all the lease information.
Palo Alto Networks Operational Mode Commands • 109
show high-availability
show high-availability
Show runtime information for the high-availability subsystem.
Syntax show high-availability [all | control-link statistics| link-monitoring | path-monitoring | state | state-synchronization]
Options
Sample Output
The following command information for the high-availability subsystem.username@hostname> show high-availability path-monitoring
----------------------------------------------------------------------------path monitoring: disabledtotal paths monitored: 0----------------------------------------------------------------------------
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
all Shows all high-availability information.
control-link statistics
Shows control-link statistic information.
link-monitoring Shows the link-monitoring state.
path-monitoring Shows path-monitoring statistics.
state Shows high-availability state information.
state-synchronization
Shows state synchronization statistics.
show interface
110 • Operational Mode Commands Palo Alto Networks
show interface
Display information about system interfaces.
Syntax show interface interface
Options
Sample Output
The following command displays information about the ethernet1/2 interface.username@hostname> show interface ethernet1/2 ----------------------------------------------------------------------------Name: ethernet1/2, ID: 17Link status: Runtime link speed/duplex/state: auto/auto/auto Configured link speed/duplex/state: auto/auto/autoMAC address: Port MAC address 0:f:b7:20:2:11Operation mode: virtual-wire----------------------------------------------------------------------------Name: ethernet1/2, ID: 17Operation mode: virtual-wireVirtual wire: default-vwire, peer interface: ethernet1/1Interface management profile: N/AZone: trust, virtual system: (null)username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
element Specifies the interface.
all Shows information for all ARP tables.
ethernetn/m Shows information for the specified interface.
hardware Shows hardware information.
logical Shows logical interface information.
loopback Shows loopback information.
vlan Shows VLAN information.
Palo Alto Networks Operational Mode Commands • 111
show jobs
show jobs
Display information about current system processes.
Syntax show jobs [all | id number | pending | processed]
Options
Sample Output
The following command lists jobs that have been processed in the current session.username@hostname> show jobs processed
Enqueued ID Type Status Result Completed --------------------------------------------------------------------------2007/02/18 09:34:39 2 AutoCom FIN OK 2007/02/18 09:34:40 2007/02/18 09:33:00 1 AutoCom FIN FAIL 2007/02/18 09:33:54
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
all Shows information for all jobs.
id number Identifies the process by number.
pending Shows recent jobs that are waiting to be executed.
processed Shows recent jobs that have been processed.
show location
112 • Operational Mode Commands Palo Alto Networks
show location
Show the geographic location of a firewall.
Syntax show location ip address
Options
Sample Output
The following command shows location information for the firewall 10.1.1.1.username@hostname> show location ip 10.1.1.1show location ip 201.52.0.0201.52.0.0
Brazilusername@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
address Specifies the IP address of the firewall.
Palo Alto Networks Operational Mode Commands • 113
show log
show log
Display system logs.
Syntax show log [threat | config | system | traffic] [equal | not-equal] option value
Options
threat Displays threat logs.
config Displays configuration logs.
system Displays system logs.
traffic Displays traffic logs.
option value Restricts the output (the available options depend upon the keyword used in the command (threat, config, system, traffic).
greater-than-or-equal
Indicates that the option is equal to the specified value.
less-than-or-equal
Indicates that the option is not equal to the specified value.
equal Indicates that the option is equal to the specified value.
not-equal Indicates that the option is not equal to the specified value.
Option Description
action Type of alarm action (alert, allow, or drop)
app Application.
client Type of client (CLI or web).
command Command.
dport Destination port.
dst Destination IP address.
from Source zone.
receive-time in
Time interval in which the information was received.
result Result of the action (failed, succeeded, or unauthorized).
rule Rule name.
severity Level of importance (critical, high, medium, low, informational)
sport Source port.
src Source IP address.
to Destination zone.
show log
114 • Operational Mode Commands Palo Alto Networks
Sample Output
The following command shows the configuration log.username@hostname> show log config Time Host Command Admin Client Result===============================================================================03/05 22:04:16 10.0.0.135 edit admin Web Succeeded03/05 22:03:22 10.0.0.135 edit admin Web Succeeded03/05 22:03:22 10.0.0.135 create admin Web Succeeded03/05 21:56:58 10.0.0.135 edit admin Web Succeeded...
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
Palo Alto Networks Operational Mode Commands • 115
show logging
show logging
Show whether logging is enabled.
Syntax show logging
Options
None
Sample Output
The following command shows that logging is enabled.username@hostname> show logging
onusername@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
show mac
116 • Operational Mode Commands Palo Alto Networks
show mac
Display MAC address information.
Syntax show mac [value | all]
Options
Sample Output
The following command lists all currently MAC address information.username@hostname> show mac all
maximum of entries supported : 8192default timeout : 1800 secondstotal MAC entries in table : 4total MAC entries shown : 4status: s - static, c - complete, i - incompletevlan hw address interface status ttl---------------------------------------------------------------------------Vlan56 0:0:1:0:0:3 ethernet1/5 c 1087Vlan56 0:0:1:0:0:4 ethernet1/6 c 1087Vlan11-12 0:0:1:0:0:9 ethernet1/12 c 487Vlan11-12 0:0:1:0:0:10 ethernet1/11 c 487
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
value Specifies a MAC address (aa:bb:cc:dd:ee:ff format).
all MAC address (aa:bb:cc:dd:ee:ff format).
Palo Alto Networks Operational Mode Commands • 117
show management-clients
show management-clients
Show information about internal management server clients.
Syntax show management-clients
Options
None
Sample Output
The following command shows information about the internal management server clients.username@hostname> show management-clients
Client PRI State Progress------------------------------------------------------------------------- routed 30 P2-ok 100 device 20 P2-ok 100 ikemgr 10 P2-ok 100 keymgr 10 init 0 (op cmds only) dhcpd 10 P2-ok 100 ha_agent 10 P2-ok 100 npagent 10 P2-ok 100 exampled 10 init 0 (op cmds only)
Overall status: P2-ok. Progress: 0Warnings:Errors:
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
show multi-vsys
118 • Operational Mode Commands Palo Alto Networks
show multi-vsys
Show if multiple virtual system mode is set.
Syntax show multi-vsys
Options
None
Sample Output
The following command shows the current status of multiple virtual systems.username@hostname> show multi-vsys
on
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
Palo Alto Networks Operational Mode Commands • 119
show pan-agent
show pan-agent
Show statistics or user information for the Palo Alto Networks agent.
Syntax show pan-agent <statistics | user-IDs>
Options
Sample Output
The following command shows information about the Palo Alto Networks agent.username@hostname> show pan-agent statistics
IP Address Port Vsys State Users Grps IPs Received Pkts----------------------------------------------------------------------------10.0.0.100 2011 vsys1 connected, ok 134 77 95 575710.1.200.22 2009 vsys1 connected, ok 5 864 2 1097
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
statistics Displays full information about the Palo Alto Networks agent.
user-IDs Displays user information for the Palo Alto Networks agent.
show proxy
120 • Operational Mode Commands Palo Alto Networks
show proxy
Displays information about the proxy that is used for the Secure Socket Layer (SSL) decryption function.
Syntax show [certificate-cache | notify-cache | setting]
Options
Sample Output
The following command shows the current proxy settings.username@hostname> show proxy setting
Ready: noEnable proxy: yes Enable ssl: yes Notify user: yes
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
certificate-cache Displays the proxy certificate cache.
notify-cache Displays the proxy notification cache.
setting Displays the current proxy settings.
Palo Alto Networks Operational Mode Commands • 121
show query
show query
Show information about query jobs.
Syntax show query <jobs | id value>
Options
Sample Output
The following command shows information about all current query jobs.username@hostname> show query jobsEnqueued ID Last Upd --------------------------------------------------------------------------13:58:19 16 13:58:19
Type ID Dequeued?-----------------------------------------------------
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
jobs Displays all job information.
id value Displays job information for the specified ID.
show report
122 • Operational Mode Commands Palo Alto Networks
show report
Displays information about process jobs.
Syntax show [id number | jobs]
Options
Sample Output
The following command shows the current jobs.username@hostname> show report jobs
Enqueued ID Last Updated dev/skip/req/resp/proc--------------------------------------------------------------------------
username@hostname> username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
id number Displays information about the job with the specified ID number.
jobs Displays information on all jobs.
Palo Alto Networks Operational Mode Commands • 123
show routing
show routing
Display routing run-time objects.
Syntax show routing fib [virtual-router name]
show routing protocol [virtual-router name] ospf <area | dumplsdb | interface | lsdb | neighbor | summary | virt-link | virt-neighbor>
show routing protocol [virtual-router name] redist <all | ospf | rip>
show routing protocol [virtual-router name] rip <database | interface | peer | summary>
show routing resource
show routing route [destination ip/netmask][interface interfacename] [nexthop ip/netmask][type <connect | ospf | rip | static>] [virtual-router name]
show routing summary
Options
fib Shows forwarding table entries. Specify an individual virtual router or all.
protocol ospf Shows OSPF information. Specify one of the following (virtual router is optional).
protocol redist Shows redistribution rule entries. Specify one of the following (virtual router is optional).
area Show OSPF area status.
dumplsdb Shows the OSPF LS database details.
interface Shows OSPF interface status.
lsdb Shows the LS database status.
neighbor Shows neighbor status.
summary Shows OSPF summary status.
virt-link Shows status of virtual links.
virt-neighbor Shows OSPF virtual neighbor status.
ospf Shows OSPF rules
rip Shows RIP rules.
all Shows all redistribution rules.
show routing
124 • Operational Mode Commands Palo Alto Networks
Sample Output
The following command shows summary routing information for the virtual router vrl.username@hostname> show routing summary virtual-router vr1
VIRTUAL ROUTER: vr1 (id 1)==========OSPFarea id: 0.0.0.0interface: 192.168.6.254interface: 200.1.1.2dynamic neighbors:IP 200.1.1.1 ID 200.1.1.1area id: 1.1.1.1interface: 1.1.1.1interface: 1.1.2.1interface: 1.1.3.1interface: 2.1.1.1static neighbor: IP 65.54.5.33 ID *down*static neighbor: IP 65.54.77.88 ID *down*interface: 22.22.22.22interface: 35.1.15.40interface: 192.168.7.254dynamic neighbors:IP 35.1.15.1 ID 35.35.35.35==========RIPinterface: 2.1.1.1
protocol rip Shows RIP information. Specify one of the following options (virtual router is optional).
resources Shows resource usage.
route Shows route entries. Optionally specify any of the following options.
summary Shows summary information.
database Shows RIP route database.
interface Shows RIP interface status.
peer Shows RIP peer status.
summary Shows the RIP summary information.
destination Restricts the result to a specified subnet (IP address/mask).
interface Restricts the result to a specified network interface.
nexthop Restricts the result to a the next hop from the firewall (IP address/mask).
type Restricts the result according to type of route: connect and host routes, ospf, rip, or static.
virtual-router Restrict the result to a specified virtual router.
Palo Alto Networks Operational Mode Commands • 125
show routing
interface: 22.22.22.22interface: 35.1.15.40interface: 192.168.6.254interface: 200.1.1.2==========INTERFACE==========interface name: ethernet1/1interface index: 16virtual router: vr1operation status: upIPv4 address: 22.22.22.22/24IPv4 address: 35.1.15.40/24==========interface name: ethernet1/3interface index: 18virtual router: vr1operation status: upIPv4 address: 200.1.1.2/24==========interface name: ethernet1/7interface index: 22virtual router: vr1operation status: upIPv4 address: 1.1.1.1/24IPv4 address: 1.1.2.1/24IPv4 address: 1.1.3.1/24==========interface name: ethernet1/15interface index: 30virtual router: vr1operation status: upIPv4 address: 192.168.6.254/24==========interface name: ethernet1/16interface index: 31virtual router: vr1operation status: upIPv4 address: 192.168.7.254/24==========interface name: ethernet1/18interface index: 33virtual router: vr1operation status: downIPv4 address: 2.1.1.1/24
username@hostname>
show routing
126 • Operational Mode Commands Palo Alto Networks
The following command shows dynamic routing protocol information for RIP.username@hostname> show routing protocol rip summary
==========virtual router: vr1reject default route: yesinterval seconds: 1update intervals: 30expire intervals: 180delete intervals: 120interface: 2.1.1.1interface: 22.22.22.22interface: 35.1.15.40interface: 192.168.6.254interface: 200.1.1.2==========virtual router: newrreject default route: yesinterval seconds: 1update intervals: 30expire intervals: 180delete intervals: 120interface: 0.0.0.0interface: 30.30.30.31interface: 151.152.153.154
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
Palo Alto Networks Operational Mode Commands • 127
show route
show route
Display current Secure Socket Layer (SSL) proxy settings.
Syntax show route ip address virtual-router name
Options
Sample Output
The following command shows the current SSL proxy settings for the virtual router vrouter.username@hostname> show route ip address virtual-router vrouter
on
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
ip address Specifies the destination IP address.
virtual-router name
Specifies the name of the virtual router.
show session
128 • Operational Mode Commands Palo Alto Networks
show session
Show session information.
Syntax show session [all | info] [filter [application appname][destination destname][destination-port destport][destination-user destuser][from zone zonename][limit value][protocol protnumber][source-port sourcename][source-user sourceuser][state state]] [type type]]
Options
Sample Output
The following command displays summary statistics about current sessions.username@hostname> show session info
-------------------------------------------------------------------------number of sessions supported: 2097151number of active sessions: 8session table utilization: 0%number of sessions created since system bootup: 21
all Displays all active sessions.
info Displays session statistics.
application appname
Specifies the application.
destination destname
Specifies the destination IP address.
destination-port destport
Specifies the destination port.
destination-user destuser
Specifies the destination user name.
from Specifies the source.
protocol protname Specifies the protocol.
source sourcename Specifies the sourced IP address.
source-port sourceport
Specifies the source port.
source-user sourceuser
Specifies the source user name.
state state Specifies the condition for the filter (active, closed, closing, discard, initial, or opening).
to Specifies the destination.
type type Specifies the flow type (regular or predict).
Palo Alto Networks Operational Mode Commands • 129
show session
---------------------------------------------------------------------------session timeoutTCP default timeout: 3600 secondsTCP session timeout after FIN/RST: 5 secondsUDP default timeout: 600 secondsICMP default timeout: 6 secondsother IP default timeout: 1800 seconds----------------------------------------------------------------------------session accelerated aging: enabledaccelerated aging threshold: 80% of utilizationscaling factor: 2 X---------------------------------------------------------------------------session setupTCP - reject non-SYN first packet: yes---------------------------------------------------------------------------
The following command lists all current sessions.username@hostname> show session all
number of sessions: 8ID/vsys src[sport]/zone/proto dest[dport]/zone app. state type19 192.168.10.199[2219]/1/6 10.10.10.10[6667]/2 0 ACTIVE FLOW20 192.168.10.191[4069]/1/6 192.168.10.199[139]/2 ms-ds-smb DISCARD FLOW22 192.168.10.199[2261]/1/6 10.10.10.10[6667]/2 0 ACTIVE FLOW4 192.168.10.191[138]/1/17 192.168.10.255[138]/2 netbios-dg ACTIVE FLOW6 192.168.10.199[138]/1/17 192.168.10.255[138]/2 netbios-dg ACTIVE FLOW21 192.168.10.199[1025]/1/17 4.2.2.1[53]/2 dns CLOSING FLOW9 192.168.10.199[2187]/1/6 10.10.10.10[6667]/2 0 ACTIVE FLOW13 192.168.10.199[2195]/1/6 10.10.10.10[6667]/2 0 ACTIVE FLOW
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
show statistics
130 • Operational Mode Commands Palo Alto Networks
show statistics
Show firewall statistics.
Syntax show statistics
Options
None
Sample Output
The following command displays firewall statistics.username@hostname> show statistics
TASK PID N_PACKETS CONTINUE ERROR DROP BYPASS TERMINATE 0 0 0 0 0 0 0 0 1 806 6180587 6179536 39 0 0 1012 2 807 39312 37511 0 0 0 1801 3 808 176054840 173273080 2289 2777524 0 1947 4 809 112733251 111536151 1744 1194906 0 450 5 810 66052142 65225559 1271 825010 0 302 6 811 49682445 49028991 909 652227 0 318 7 812 43618777 43030638 712 587129 0 298 8 813 41255949 40706957 708 548031 0 253 9 814 42570163 42010404 714 558773 0 272 10 815 7332493 7332494 0 0 0 0 11 816 19620028 19620028 0 0 0 0 12 817 12335557 12335557 0 0 0 0 13 818 0 0 0 0 0 0 14 819 6105056 6105056 0 0 0 0task 1(pid: 806) flow_mgmttask 2(pid: 807) flow_ctrl flow_hosttask 3(pid: 808) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_nptask 4(pid: 809) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_nptask 5(pid: 810) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_nptask 6(pid: 811) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_nptask 7(pid: 812) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_nptask 8(pid: 813) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_nptask 9(pid: 814) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_nptask 10(pid: 815) appid_resulttask 11(pid: 816) ctd_nac ctd_token ctd_detectortask 12(pid: 817) ctd_nac ctd_token ctd_detectortask 13(pid: 818) proxy_packettask 14(pid: 819) pktlog_forwarding
Palo Alto Networks Operational Mode Commands • 131
show statistics
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
show system
132 • Operational Mode Commands Palo Alto Networks
show system
Show system information.
Syntax show system type
Options
Sample Output
The following command displays system information.username@hostname> show system info
hostname: mgmt-deviceip-address: 10.1.7.1netmask: 255.255.0.0default-gateway: 10.1.0.1radius-server: 127.0.0.1radius-secret: xxxxxxxx
type Specifies the type of system information to be displayed.
info Shows network address and security information.
services Shows the current system services and whether they are running.
software status Shows software version information.
state [browser | filter | value]
Shows the system tree. The browser displays the information in a text-mode browser. The filter option allows you to limit the information that is displayed. The * wildcard can be used.
statistics Shows device, packet rate, throughput, and session information. Enter q to quit or h to get help.
Palo Alto Networks Operational Mode Commands • 133
show system
The following command displays the system tree entries that begin with the string cfg.env.slot1.username@hostname> show system state filter cfg.env.slot1*
cfg.env.slot1.power0.high-limit: “1.26”cfg.env.slot1.power0.low-limit: “1.0”cfg.env.slot1.power1.high-limit: “1.26”cfg.env.slot1.power1.low-limit: “1.14”cfg.env.slot1.power2.high-limit: “1.575”cfg.env.slot1.power2.low-limit: “1.425”cfg.env.slot1.power3.high-limit: “1.89”cfg.env.slot1.power3.low-limit: “1.71”
...
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
show target-vsys
134 • Operational Mode Commands Palo Alto Networks
show target-vsys
Show information about the target virtual systems.
Syntax show target-vsys
Options
None
Sample Output
The following command shows information about target virtual systems.username@hostname> show target-vsysvsys1username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
Palo Alto Networks Operational Mode Commands • 135
show threat
show threat
Show threat ID descriptions.
Syntax show threat id value
Options
Sample Output
The following command shows threat ID descriptions for ID 11172.username@hostname> show threat id 11172This signature detects the runtime behavior of the spyware MiniBug. MiniBug, also known as Weatherbug, installs other spyware, such as WeatherBug, and My Web Search Bar. It is also adware program that displays advertisements in its application window.
medium
http://www.spywareguide.com/product_show.php?id=2178
http://www.spyany.com/program/article_spw_rm_Minibug.htm
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
value Specifies the threat ID.
show virtual-wire
136 • Operational Mode Commands Palo Alto Networks
show virtual-wire
Show information about virtual wire interfaces.
Syntax show virtual-wire [value | all]
Options
Sample Output
The following command displays information for the default virtual wire interface.username@hostname> show virtual-wire default-vwire
total virtual-wire shown : 1
name interface1 interface2 -------------------------------------------------------------------------------default-vwire ethernet1/1 ethernet1/2
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
value Specifies a virtual wire interface.
all Shows information for all virtual wire interfaces.
Palo Alto Networks Operational Mode Commands • 137
show vlan
show vlan
Show VLAN information.
Syntax show vlan [value | all]
Options
Sample Output
The following command displays information for all VLANs.username@hostname> show vlan all
vlan {Vlan56 {
interface [ ethernet1/5 ethernet1/6 ];stp {
enabled no;}rstp {
enabled no;}
}Vlan11-12 {
interface [ ethernet1/11 ethernet1/12 ];stp {
enabled no;}rstp {
enabled no;}
}}
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
value Specifies a virtual wire interface.
all Shows information for all virtual wire interfaces.
show vpn
138 • Operational Mode Commands Palo Alto Networks
show vpn
Show VPN information.
Syntax show vpn flow [tunnel-id tunnelid]show vpn gateway [gateway gatewayid]show vpn ike-sa [gateway gatewayid]show vpn ipsec-sa [tunnel tunnelid]show vpn tunnel [name tunnelid]
Options
Sample Output
The following command shows VPN information for the auto key IPsec tunnel k1.username@hostname> show vpn tunnel name k1TnID Name(Gateway) Local Proxy ID Local Proxy ID Proposals-------------- -------------- --------- ---------7 pan5gt(pan-5gt) 0.0.0.0/0 0.0.0.0/0 ESP tunl [DH2][AES128,3DES][SHA1] 90-secTotal 1 tunnels found, 0 ipsec sa found, 0 errorusername@hostname>
The following command shows VPN information for the IKE gateway g2.username@hostname> show vpn tunnel name g2GwID Name Peer Address/ID Local Address/ID Protocol Proposals---- ---- --------------- ---------------- -------- --------- 3 falcon-kestrel 35.1.15.1 35.1.15.40 Auto(main) [PSK][DH2][AES128,3DES][SHA1] 28800-sec
Total 1 gateways found, 0 ike sa found, 0 error.username@hostname>
flow Shows information about the VPN tunnel on the data plane. Specify the tunnel or press Enter to apply to all tunnels.
gateway Shows IKE gateway information. Specify the gateway or press Enter to apply to all gateways.
ike-sa Shows information about the active IKE SA. Specify the gateway or press Enter to apply to all gateways.
ipsec-sa Shows information about IPsec SA tunnels. Specify the tunnel or press Enter to apply to all tunnels.
tunnel Shows information about auto-key IPSec tunnels. Specify the tunnel or press Enter to apply to all tunnels.
name Shows information about the VPN tunnel. Specify the tunnel or press Enter to apply to all tunnels.
Palo Alto Networks Operational Mode Commands • 139
show vpn
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
show zip
140 • Operational Mode Commands Palo Alto Networks
show zip
Shows whether ability to unzip a file and apply the policy on the uncompressed content is enabled. The default is enable.
Syntax show zip setting
Options
None
Sample Output
The following command shows that the unzip option is enabled.username@hostname> show zip setting
zip engine is enabledusername@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
Palo Alto Networks Operational Mode Commands • 141
show zone-protection
show zone-protection
Shows the running configuration status and run time statistics for zone protection elements.
Syntax show zone-protection [zone zonename]
Options
Sample Output
The following command shows statistics for the trust zone.username@hostname> show zone-protection zone trust
---------------------------------------------------------------------------Zone trust, vsys vsys1, profile custom-zone-protection---------------------------------------------------------------------------- tcp-syn enabled: no---------------------------------------------------------------------------- udp RED enabled: no---------------------------------------------------------------------------- icmp RED enabled: no---------------------------------------------------------------------------- other-ip RED enabled: no----------------------------------------------------------------------------packet filter:discard-ip-spoof: enabled: nodiscard-ip-frag: enabled: nodiscard-icmp-ping-zero-id: enabled: nodiscard-icmp-frag: enabled: nodiscard-icmp-large-packet: enabled: noreply-icmp-timeexceeded: enabled: no
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin, superreader, vsysreader
zonename Specifies the name of a zone.
ssh
142 • Operational Mode Commands Palo Alto Networks
ssh
Open a secure shell (SSH) connection to another host.
Syntax ssh [inet] [port number] [source address] [v1 | v2] [user@]host
Options
Sample Output
The following command opens an SSH connection to host 10.0.0.250 using SSH version 2.username@hostname> ssh v2 [email protected]@10.0.0.250's password:
#
Required Privilege Level
superuser, vsysadmin, deviceadmin
inet Specifies that IP version 4 be used.
port Specifies a port on the other host. (default 22)
source Specifies a source IP address.
version Specifies SSH version 1 or 2 (default is version 2)
user@ Specifies a user name on the other host.
host Specifies the IP address of the other host.
Palo Alto Networks Operational Mode Commands • 143
tail
tail
Print the last 10 lines of a debug file.
Syntax tail [follow] [lines] file
Options
Sample Output
The following command displays the last 10 lines of the /var/log/pan/masterd.log file.username@hostname> tail /var/log/pan/masterd.log[09:32:46] Successfully started process 'mgmtsrvr' instance '1'[09:32:47] Successfully started process 'appWeb' instance '1'[09:32:47] Started group 'pan' start script 'octeon' with options 'start'[09:32:48] Process 'appWeb' instance '1' exited normally with status '7'[09:32:48] Process 'appWeb' instance '1' has no further exit rules[09:32:53] Successfully started process 'pan-ez-agent' instance '1'[09:32:53] Process 'pan-ez-agent' instance '1' exited normally with status '0'[09:32:53] Process 'pan-ez-agent' instance '1' has no further exit rules[09:32:54] Successfully started process 'pan_netconfig_agent' instance '1'[09:32:54] Finished initial start of all processes
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
follow Adds appended data as the file grows.
lines Lists the last N lines, instead of the last 10.
file Specifies the debug file.
telnet
144 • Operational Mode Commands Palo Alto Networks
telnet
Open a Telnet session to another host.
Syntax telnet [8bit] [port] host
Options
Sample Output
The following command opens a Telnet session to the host 1.2.5.5 using 8-bit data.username@hostname> telnet 8bit 1.2.5.5
Required Privilege Level
superuser, vsysadmin, deviceadmin
8bit Indicates that 8-bit data will be used.
port Specifies the port number for the other host.
host Specifies the IP address of the other host.
Palo Alto Networks Operational Mode Commands • 145
test
test
Run tests based on installed security policies.
Syntax test nat policy-match source src-ip destination dst-ip destination-port port protocol protocol from zone1 to zone2
test nat policy-match application name source src-ip destination dst-ip destination-port port protocol protocol from zone1 to zone2
test routing fib-lookup ip ipaddress virtual router virtualrouterid
test vpn flow [ike-sa [gateway gatewayid] | ipsec-sa [tunnel tunnelid]>
Options
Sample Output
The following command tests whether the set of criteria will match any of the existing rules in the security rule base.username@hostname> test security-policy-match from trust to untrust application google-talk source 10.0.0.1 destination 192.168.0.1 protocol 6 destination-port 80 source-user known-user
Matched rule: 'rule1' action: allow
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
name Specifies the name of an application. Enter any to include all applications.
src-ip Specifies the source IP address for the test.
dst-ip Specifies the destination IP address for the test.
port Specifies the destination port for the test.
zone1 Specifies the source security zone.
zone2 Specifies the destination security zone.
fib-lookup Specifies the route to test within the active routing table. Specify an IP address and virtual router.
ike-sa Performs the tests only for the negotiated IKE SA. Specify a gateway or press Enter to run the test for all gateways.
ipsec-sa Performs the tests for IPsec SA (and IKE SA if necessary). Specify a tunnel or press Enter to run the test for all tunnels.
tftp
146 • Operational Mode Commands Palo Alto Networks
tftp
Use Trivial File Transfer Protocol (TFTP) to copy files between the firewall and another host.
Syntax tftp [export export-option [control-plane | data-plane] to target | import import-option] [remote-port portnumber] [from source]
Options
export export-option
Specifies the type of file to export to the other host.
Option Description
application Application packet capture file.
captive-portal-text
Text to be included in a captive portal.
configuration Configuration file.
core-file Core file.
debug-pcap IKE negotiation packet capture file.
file-block-page File containing comfort pages to be presented when files are blocked.
filter Filter definitions.
log-file Log files.
log-db Log database.
packet-log Logs of packet data.
spyware-block-page
Comfort page to be presented when files are blocked due to spyware.
ssl-optout-text SSL optout text.
tech-support Technical support information.
trusted-ca-certificate
Certificate Authority (CA) security certificate.
url-block-page Comfort page to be presented when files are blocked due to a blocked URL.
virus-block-page Comfort page to be presented when files are blocked due to a virus.
web-interface-certificate
Web interface certificate
Palo Alto Networks Operational Mode Commands • 147
tftp
The following command imports a license file from a file in user1’s account on the machine with IP address 10.0.3.4.
username@hostname> tftp import ssl-certificate from [email protected]:/tmp/certificatefile
Required Privilege Level
superuser, vsysadmin, deviceadmin
import import-option
Specifies the type of file to import from the other host.
control-plane Indicates that the file contains control information.
data-plane Indicates that the file contains information about data traffic.
port-number Specifies the port number on the remote host.
target Specifies the destination in the format username@host:path.
source Specifies the file to be copied in the format username@host:path.
Option Description
captive-portal-text Text to be included in a captive portal.
configuration Configuration file.
content Database content.
file-block-page File containing comfort pages to be presented when files are blocked.
license License key file.
private-key SSL private key file.
software Software package.
spyware-block-page Comfort page to be presented when files are blocked due to spyware.
ssl-decryption-certificate
SSL decryption certificate.
ssl-optout-text SSL optout text.
trusted-ca-certificate
Certificate Authority (CA) security certificate.
url-block-page Comfort page to be presented when files are blocked due to a blocked URL.
virus-block-page Comfort page to be presented when files are blocked due to a virus.
web-interface-certificate
Web interface certificate
traceroute
148 • Operational Mode Commands Palo Alto Networks
traceroute
Display information about the route packet taken to another host.
Syntax traceroute [base-udp-port port][bypass-routing][debug-socket][do-not-fragment][first-ttl ttl][gateway][icmp-echo][max-ttl ttl][no-resolve][pause][source ip][toggle-ip-checksums][tos][verbose][wait] host
Options
base-udp-port port
Specifies the base UDP port used in probes (default is 33434).
bypass-routing Sends the request directly to the host on a direct attached network, bypassing usual routing table.
debug-socket Enables socket level debugging.
do-not-fragment Sets the do-not-fragment bit.
first-ttl ttl Sets the time-to-live in the first outgoing probe packet in number of hops.
gateway Specifies a loose source router gateway (maximum 8).
icmp-echo Uses ICMP ECHO requests instead of UDP datagrams.
max-ttl ttl Sets the maximum time-to-live in number of hops.
no-resolve Does not attempt to print resolved domain names.
pause Sets the time to pause between probes (milliseconds).
source ip Specifies the source IP address for the command.
toggle-ip-checksums
Toggles the IP checksum of the outgoing packets for the traceroute command.
tos Specifies the type of service (TOS) treatment for the packets by way of the TOS bit for the IP header in the ping packet (0-255).
verbose Requests complete details of the traceroute request.
wait Specifies a delay in transmission of the traceroute request (seconds).
host Specifies the IP address or domain name of the other host.
Palo Alto Networks Operational Mode Commands • 149
traceroute
Sample Output
The following command displays information about the route from the firewall to www.google.com.username@hostname> traceroute www.paloaltonetworks.comtraceroute to www.paloaltonetworks.com (72.32.199.53), 30 hops max, 38 byte packets1 10.1.0.1 (10.1.0.1) 0.399 ms 1.288 ms 0.437 ms2 64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.910 ms dsl027-186-189.sfo1.dsl.speakeasy.net (216.27.186.189) 1.012 ms 64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.865 ms3 dsl027-182-001.sfo1.dsl.speakeasy.net (216.27.182.1) 16.768 ms 581.420 ms 64.3.142.37.ptr.us.xo.net (64.3.142.37) 219.190 ms4 ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21) 228.551 ms 110.ge-0-0-0.cr1.sfo1.speakeasy.net (69.17.83.189) 12.352 ms ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21) 218.547 ms5 ge-5-3-0.mpr3.pao1.us.above.net (209.249.11.177) 13.212 ms p4-0-0.rar2.sanjose-ca.us.xo.net (65.106.5.137) 273.935 ms 221.313 ms6 p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178) 139.212 ms so-1-2-1.mpr1.sjc2.us.above.net (64.125.28.141) 13.348 ms p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178) 92.795 ms7 so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246) 12.069 ms 206.111.12.146.ptr.us.xo.net (206.111.12.146) 93.278 ms so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246) 556.033 ms8 tbr1p013201.sffca.ip.att.net (12.123.13.66) 52.726 ms so-3-2-0.cr1.dfw2.us.above.net (64.125.29.54) 61.875 ms tbr1p013201.sffca.ip.att.net (12.123.13.66) 58.462 ms
MPLS Label=32537 CoS=0 TTL=1 S=1
9 64.124.12.6.available.above.net (64.124.12.6) 74.828 ms tbr1cl3.la2ca.ip.att.net (12.122.10.26) 62.533 ms 64.124.12.6.available.above.net (64.124.12.6) 60.537 ms10 tbr1cl20.dlstx.ip.att.net (12.122.10.49) 60.617 ms vlan901.core1.dfw1.rackspace.com (72.3.128.21) 59.881 ms 60.429 ms11 gar1p360.dlrtx.ip.att.net (12.123.16.169) 108.713 ms aggr5a.dfw1.rackspace.net (72.3.129.19) 58.049 ms gar1p360.dlrtx.ip.att.net (12.123.16.169) 173.102 ms12 72.32.199.53 (72.32.199.53) 342.977 ms 557.097 ms 60.899 ms
username@hostname>
Required Privilege Level
superuser, vsysadmin, deviceadmin
view-pcap
150 • Operational Mode Commands Palo Alto Networks
view-pcap
Examine the content of packet capture files.
Syntax view-pcap option filename
Options
option Specifies the type of information to report.
filename Name of the packet capture file.
Option Description
absolute-seq Displays absolute TCP sequence numbers.
delta Displays a delta (in micro-seconds) between current and previous line.
hex Displays each packet (minus link header) in hex.
hex-ascii Displays each packet (minus link header) in hex and ASCII.
hex-ascii-link Displays each packet (including link header) in hex and ASCII.
hex-link Displays each packet (including link header) in hex.
link-header Displays the link-level header on each dump line.
no-dns-lookup Does not convert host addresses to names.
no-port-lookup Does not convert protocol and port numbers to names.
no-qualification Does not print domain name qualification of host names.
timestamp Displays timestamp proceeded by date.
undecoded-nfs Displays undecoded NFS handles.
unformatted-timestamp
Displays an unformatted timestamp.
verbose Displays verbose output.
verbose+ Displays more verbose output.
verbose++ Displays the maximum output details..
Palo Alto Networks Operational Mode Commands • 151
view-pcap
Sample OutputThe following command displays the contents of the packet capture file /var/session/pan/filters/syslog.pcap in ASCII and hex formats.
username@hostname> view-pcap hex-ascii /var/session/pan/filters/syslog.pcap reading from file /var/session/pan/filters/syslog.pcap, link-type EN10MB (Ethernet)08:34:31.922899 IP 10.0.0.244.32884 > jdoe.paloaltonetworks.local.syslog: UDP, length 314 0x0000: 4500 0156 0000 4000 4011 2438 0a00 00f4 E..V..@.@.$8.... 0x0010: 0a00 006c 8074 0202 0142 d163 3c31 3137 ...l.t...B.c<117 0x0020: 3e41 7072 2020 3233 2030 383a 3334 3a33 >Apr..23.08:34:3 0x0030: 3420 312c 3034 2f32 3320 3038 3a33 343a 4.1,04/23.08:34: 0x0040: 3334 2c54 4852 4541 542c 7572 6c2c 312c 34,THREAT,url,1, 0x0050: 3034 2f32 3320 3038 3a33 343a 3235 2c31 04/23.08:34:25,1 0x0060: 302e 302e 302e 3838 2c32 3039 2e31 3331 0.0.0.88,209.131 0x0070: 2e33 362e 3135 382c 302e 302e 302e 302c .36.158,0.0.0.0, 0x0080: 302e 302e 302e 302c 6c32 2d6c 616e 2d6f 0.0.0.0,l2-lan-o 0x0090: 7574 2c77 6562 2d62 726f 7773 696e 672c ut,web-browsing, 0x00a0: 7673 7973 312c 6c32 2d6c 616e 2d74 7275 vsys1,l2-lan-tru 0x00b0: 7374 2c6c 322d 6c61 6e2d 756e 7472 7573 st,l2-lan-untrus 0x00c0: 742c 6574 6865 726e 6574 312f 3132 2c65 t,ethernet1/12,e 0x00d0: 7468 6572 6e65 7431 2f31 312c 466f 7277 thernet1/11,Forw 0x00e0: 6172 6420 746f 204d 696b 652c 3034 2f32 ard.to.Mike,04/2 0x00f0: 3320 3038 3a33 343a 3334 2c38 3336 3435 3.08:34:34,83645 0x0100: 372c 322c 3438 3632 2c38 302c 302c 302c 7,2,4862,80,0,0, 0x0110: 3078 302c 7463 7028 3629 2c61 6c65 7274 0x0,tcp(6),alert 0x0120: 2c77 7777 2e79 6168 6f6f 2e63 6f6d 2f70 ,www.yahoo.com/p 0x0130: 2e67 6966 3f2c 2c73 6561 7263 682d 656e .gif?,,search-en 0x0140: 6769 6e65 732c 696e 666f 726d 6174 696f gines,informatio 0x0150: 6e61 6c2c 3000 nal,0.
Required Privilege Level
superuser, vsysadmin, deviceadmin
view-pcap
152 • Operational Mode Commands Palo Alto Networks
Palo Alto Networks • 153
November 4, 2008 - Palo Alto Networks COMPANY CONFIDENTIAL
Appendix ACONFIGURATION HIERARCHY
This appendix presents the complete firewall configuration hierarchies for the application identification firewall and for Panorama:
• “Firewall Hierarchy” in the next section
• “Panorama Hierarchy” on page 245
Firewall Hierarchyshared { signature { REPEAT... <name> { engine-version <value>; application <value>; protocol <value>; rules { REPEAT... <name> { direction client-to-server|server-to-client|any; match { string { pattern <value>; ignore-case yes|no; offset 0-1000000; depth 0-10000; per-packet-match yes|no; payload-length-validate { byte-offset 0-65535; discount 1-65535; number-of-bytes 1|2|4; endian little|big; } } OR... header { source-ip <value>; destination-ip <value>; source-port <value>; destination-port <value>; l3-payload-length <value>; l4-payload-length <value>;
154 • Palo Alto Networks
} } } rule-match match-in-order|match-all|match-any; } } } allowed-applications { enable-all { except [ <except1> <except2>... ]; } OR... disable-all { except [ <except1> <except2>... ]; } } address { REPEAT... <name> { ip-netmask <ip/netmask>; OR... ip-range <ip-range>; } } address-group { REPEAT... <name> [ <entry1> <entry2>... ]; } application { REPEAT... <name> { default { port [ <port1> <port2>... ]; OR... ident-by-ip-protocol 0-255; } category <value>; subcategory <value>; technology <value>; description <value>; timeout 0-604800; tcp-timeout 0-604800; udp-timeout 0-604800; risk 1-5; evasive-behavior yes|no; consume-big-bandwidth yes|no; used-by-malware yes|no; able-to-transfer-file yes|no; has-known-vulnerability yes|no; tunnel-other-application yes|no; prone-to-misuse yes|no; pervasive-use yes|no; } } application-filter { REPEAT... <name> { category [ <category1> <category2>... ]; subcategory [ <subcategory1> <subcategory2>... ];
Palo Alto Networks • 155
technology [ <technology1> <technology2>... ]; evasive yes; excessive-bandwidth-use yes; used-by-malware yes; transfers-files yes; has-known-vulnerabilities yes; tunnels-other-apps yes; prone-to-misuse yes; pervasive yes; risk [ <risk1> <risk2>... ]; } } application-group { REPEAT... <name> [ <entry1> <entry2>... ]; } service { REPEAT... <name> { protocol { tcp { port <0-65535,...>; } OR... udp { port <0-65535,...>; } } } } service-group { REPEAT... <name> [ <entry1> <entry2>... ]; } log-settings { snmptrap { REPEAT... <name> { manager <ip>; community <value>; } } syslog { REPEAT... <name> { server <ip>; port 1-65535; facility LOG_USER|LOG_LOCAL0|LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|LOG_LOCAL5|LOG_LOCAL6|LOG_LOCAL7; } } email { REPEAT... <name> { display-name <value>; from <value>; to <value>; and-also-to <value>;
156 • Palo Alto Networks
gateway <value>; } } system { informational { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } low { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } medium { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } high { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } critical { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>;
Palo Alto Networks • 157
} send-syslog { using-syslog-setting <value>; } } } config { any { send-to-panorama yes|no; send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } } profiles { REPEAT... <name> { alarm { informational { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } low { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } medium { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } high { send-to-panorama yes|no;
158 • Palo Alto Networks
send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } critical { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } } traffic { any { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } } } } } profiles { virus { REPEAT... <name> { description <value>; packet-capture yes|no; decoder { REPEAT... <name> { action default|allow|alert|block; } } application { REPEAT... <name> { action default|allow|alert|block; } } }
Palo Alto Networks • 159
} spyware { REPEAT... <name> { description <value>; download-protection { decoder { REPEAT... <name> { spyware default|allow|alert|block; adware default|allow|alert|block; } } application { REPEAT... <name> { spyware default|allow|alert|block; adware default|allow|alert|block; } } } packet-capture yes|no; phone-home-detection { simple { packet-capture yes|no; critical default|allow|alert|block; high default|allow|alert|block; medium default|allow|alert|block; low default|allow|alert|block; informational default|allow|alert|block; } OR... custom { REPEAT... <name> { packet-capture yes|no; action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server; } } } } } vulnerability { REPEAT... <name> { description <value>; simple { packet-capture yes|no; client { critical default|allow|alert|block; high default|allow|alert|block; medium default|allow|alert|block; low default|allow|alert|block; informational default|allow|alert|block; } server { critical default|allow|alert|block; high default|allow|alert|block;
160 • Palo Alto Networks
medium default|allow|alert|block; low default|allow|alert|block; informational default|allow|alert|block; } } OR... custom { REPEAT... <name> { packet-capture yes|no; action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server; } } } } url-filtering { REPEAT... <name> { description <value>; license-expired block|allow; action block|continue|override|alert; block-list [ <block-list1> <block-list2>... ]; allow-list [ <allow-list1> <allow-list2>... ]; alert [ <alert1> <alert2>... ]; block [ <block1> <block2>... ]; continue [ <continue1> <continue2>... ]; override [ <override1> <override2>... ]; } } file-blocking { REPEAT... <name> { description <value>; rules { REPEAT... <name> { application [ <application1> <application2>... ]; file-type [ <file-type1> <file-type2>... ]; direction upload|download|both; action alert|block; } } } } data-objects { REPEAT... <name> { description <value>; credit-card-numbers { weight 1-255; } social-security-numbers { weight 1-255; } pattern { REPEAT... <name> { regex <value>;
Palo Alto Networks • 161
weight 1-255; } } } } data-filtering { REPEAT... <name> { description <value>; data-capture yes|no; rules { REPEAT... <name> { data-object <value>; application [ <application1> <application2>... ]; file-type [ <file-type1> <file-type2>... ]; direction upload|download|both; alert-threshold 1-65535; block-threshold 1-65535; } } } } } admin-role { REPEAT... <name> { description <value>; role { device { webui { acc enable|disable; monitor { app-scope enable|disable; logs { traffic enable|disable; threat enable|disable; url enable|disable; configuration enable|disable; system enable|disable; } pdf-reports enable|disable; custom-reports { application-statistics enable|disable; threat-log enable|disable; threat-summary enable|disable; traffic-log enable|disable; traffic-summary enable|disable; } application-reports enable|disable; threat-reports enable|disable; url-filtering-reports enable|disable; traffic-reports enable|disable; } policies { security-rulebase enable|read-only|disable; nat-rulebase enable|read-only|disable; ssl-decryption-rulebase enable|read-only|disable; application-override-rulebase enable|read-only|disable;
162 • Palo Alto Networks
captive-portal-rulebase enable|read-only|disable; } objects { addresses enable|read-only|disable; address-groups enable|read-only|disable; applications enable|read-only|disable; application-groups enable|read-only|disable; application-filters enable|read-only|disable; services enable|read-only|disable; service-groups enable|read-only|disable; data-objects enable|read-only|disable; security-profiles { antivirus enable|read-only|disable; anti-spyware enable|read-only|disable; vulnerability-protection enable|read-only|disable; url-filtering enable|read-only|disable; file-blocking enable|read-only|disable; log-forwarding enable|read-only|disable; data-filtering enable|read-only|disable; } security-profile-groups enable|read-only|disable; schedules enable|read-only|disable; } network { interfaces enable|read-only|disable; zones enable|read-only|disable; vlans enable|read-only|disable; virtual-wires enable|read-only|disable; virtual-routers enable|read-only|disable; ipsec-tunnels enable|read-only|disable; dhcp enable|read-only|disable; network-profiles { ike-gateways enable|read-only|disable; ipsec-crypt enable|read-only|disable; ike-crypt enable|read-only|disable; tunnel-monitor enable|read-only|disable; interface-mgmt enable|read-only|disable; zone-protection enable|read-only|disable; } } device { setup enable|read-only|disable; config-audit enable|read-only|disable; administrators enable|read-only|disable; data-protection enable|read-only|disable; virtual-systems enable|read-only|disable; user-identification enable|read-only|disable; high-availability enable|read-only|disable; certificates enable|read-only|disable; block-pages enable|read-only|disable; log-settings { system enable|read-only|disable; config enable|read-only|disable; } log-destinations { snmp-trap enable|read-only|disable; syslog enable|read-only|disable; email enable|read-only|disable; }
Palo Alto Networks • 163
software enable|read-only|disable; dynamic-updates enable|read-only|disable; licenses enable|read-only|disable; support enable|read-only|disable; } commit enable|disable; } cli superuser|superreader|deviceadmin|devicereader; } OR... vsys { webui { policies { security-rulebase enable|read-only|disable; nat-rulebase enable|read-only|disable; ssl-decryption-rulebase enable|read-only|disable; application-override-rulebase enable|read-only|disable; captive-portal-rulebase enable|read-only|disable; } objects { addresses enable|read-only|disable; addresse-groups enable|read-only|disable; applications enable|read-only|disable; application-groups enable|read-only|disable; application-filters enable|read-only|disable; services enable|read-only|disable; service-groups enable|read-only|disable; data-objects enable|read-only|disable; security-profiles { antivirus enable|read-only|disable; anti-spyware enable|read-only|disable; vulnerability-protection enable|read-only|disable; url-filtering enable|read-only|disable; file-blocking enable|read-only|disable; log-forwarding enable|read-only|disable; data-filtering enable|read-only|disable; } security-profile-groups enable|read-only|disable; schedules enable|read-only|disable; } network { zones enable|read-only|disable; } device { setup read-only|disable; config-audit enable|read-only|disable; administrators enable|read-only|disable; data-protection enable|read-only|disable; user-identification read-only|disable; high-availability read-only|disable; block-pages enable|read-only|disable; log-settings { system read-only|disable; config read-only|disable; } log-destinations { snmp-trap enable|read-only|disable; syslog enable|read-only|disable; email enable|read-only|disable;
164 • Palo Alto Networks
} } commit enable|disable; } cli vsysadmin|vsysreader; } } } } profile-group { REPEAT... <name> { virus [ <virus1> <virus2>... ]; spyware [ <spyware1> <spyware2>... ]; vulnerability [ <vulnerability1> <vulnerability2>... ]; url-filtering [ <url-filtering1> <url-filtering2>... ]; file-blocking [ <file-blocking1> <file-blocking2>... ]; data-filtering [ <data-filtering1> <data-filtering2>... ]; } } schedule { REPEAT... <name> { recurring { weekly { sunday [ <sunday1> <sunday2>... ]; monday [ <monday1> <monday2>... ]; tuesday [ <tuesday1> <tuesday2>... ]; wednesday [ <wednesday1> <wednesday2>... ]; thursday [ <thursday1> <thursday2>... ]; friday [ <friday1> <friday2>... ]; saturday [ <saturday1> <saturday2>... ]; } OR... daily [ <daily1> <daily2>... ]; } OR... non-recurring [ <non-recurring1> <non-recurring2>... ]; } } pdf-summary-report { REPEAT... <name> { header { caption <value>; } footer { note <value>; } predefined-widget { REPEAT... <name> { chart-type pie|line|bar|table; row 1-6; column 1-3; } } custom-widget { REPEAT...
Palo Alto Networks • 165
<name> { chart-type pie|line|bar|table; row 1-6; column 1-3; } } } } pdf-email-profile { REPEAT... <name> { predefined-report [ <predefined-report1> <predefined-report2>... ]; custom-report [ <custom-report1> <custom-report2>... ]; summary-report [ <summary-report1> <summary-report2>... ]; display-name <value>; from <value>; to <value>; and-also-to <value>; gateway <value>; recurring { daily; OR... weekly sunday|monday|tuesday|wednesday|thursday|friday|saturday; } } } reports { REPEAT... <name> { disabled yes|no; query <value>; caption <value>; frequency daily|weekly; start-time <value>; end-time <value>; delta 1-65535; period last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendar-week|last-30-days; topn 1-50; type { appstat { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; values [ <values1> <values2>... ]; sortby nbytes|npkts|nsess|nthreats; } OR... threat { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; values [ <values1> <values2>... ]; sortby repeatcnt; } OR... thsum { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; values [ <values1> <values2>... ]; sortby count; } OR...
166 • Palo Alto Networks
traffic { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; values [ <values1> <values2>... ]; sortby bytes|elapsed|packets|repeatcnt; } OR... trsum { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; values [ <values1> <values2>... ]; sortby bytes|sessions; } } } } ssl-exclude-cert { REPEAT... <name>; }}
vsys { REPEAT... <name> { import { network { interface [ <interface1> <interface2>... ]; virtual-wire [ <virtual-wire1> <virtual-wire2>... ]; vlan [ <vlan1> <vlan2>... ]; virtual-router [ <virtual-router1> <virtual-router2>... ]; } resource { max-sessions 0-2097151; } } pan-agent { REPEAT... <name> { ip-address <ip>; port 1-65535; } } captive-portal { enable-captive-portal yes|no; domain <name>; timer 5-1440; radius-server { REPEAT... <name> { ip-address <ip>; secret <value>; } } ntlm-auth { pan-agent <value>; hostname <value>; } } url-admin-override { password <value>;
Palo Alto Networks • 167
} ssl-exclude-cert { REPEAT... <name>; } zone { REPEAT... <name> { enable-user-identification yes|no; network { zone-protection-profile <value>; log-setting <value>; tap [ <tap1> <tap2>... ]; OR... virtual-wire [ <virtual-wire1> <virtual-wire2>... ]; OR... layer2 [ <layer21> <layer22>... ]; OR... layer3 [ <layer31> <layer32>... ]; } user-acl { include-list [ <include-list1> <include-list2>... ]; exclude-list [ <exclude-list1> <exclude-list2>... ]; } } } address { REPEAT... <name> { ip-netmask <ip/netmask>; OR... ip-range <ip-range>; } } address-group { REPEAT... <name> [ <entry1> <entry2>... ]; } log-settings { snmptrap { REPEAT... <name> { manager <ip>; community <value>; } } syslog { REPEAT... <name> { server <ip>; port 1-65535; facility LOG_USER|LOG_LOCAL0|LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|LOG_LOCAL5|LOG_LOCAL6|LOG_LOCAL7; } } email { REPEAT... <name> {
168 • Palo Alto Networks
display-name <value>; from <value>; to <value>; and-also-to <value>; gateway <value>; } } profiles { REPEAT... <name> { alarm { informational { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } low { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } medium { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } high { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } }
Palo Alto Networks • 169
critical { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } } traffic { any { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } } } } } schedule { REPEAT... <name> { recurring { weekly { sunday [ <sunday1> <sunday2>... ]; monday [ <monday1> <monday2>... ]; tuesday [ <tuesday1> <tuesday2>... ]; wednesday [ <wednesday1> <wednesday2>... ]; thursday [ <thursday1> <thursday2>... ]; friday [ <friday1> <friday2>... ]; saturday [ <saturday1> <saturday2>... ]; } OR... daily [ <daily1> <daily2>... ]; } OR... non-recurring [ <non-recurring1> <non-recurring2>... ]; } } rulebase { security { rules { REPEAT... <name> { from <value>; to <value>; source [ <source1> <source2>... ]; source-user [ <source-user1> <source-user2>... ];
170 • Palo Alto Networks
destination [ <destination1> <destination2>... ]; service [ <service1> <service2>... ]; application [ <application1> <application2>... ]; action deny|allow; log-setting <value>; schedule <value>; negate-source yes|no; negate-destination yes|no; profile-setting { profiles { url-filtering [ <url-filtering1> <url-filtering2>... ]; data-filtering [ <data-filtering1> <data-filtering2>... ]; file-blocking [ <file-blocking1> <file-blocking2>... ]; virus [ <virus1> <virus2>... ]; spyware [ <spyware1> <spyware2>... ]; vulnerability [ <vulnerability1> <vulnerability2>... ]; } OR... group [ <group1> <group2>... ]; } qos { marking { ip-dscp |||||||||||||||||||||<value>; OR... ip-precedence ||||||||<value>; } } disabled yes|no; log-start yes|no; log-end yes|no; description <value>; } } } nat { rules { REPEAT... <name> { from <value>; to <value>; source [ <source1> <source2>... ]; destination [ <destination1> <destination2>... ]; service <value>; source-translation { translated-address <ip-range>|<value>; pool dynamic-ip|dynamic-ip-and-port|static-ip; } destination-translation { translated-address <ip/netmask>; translated-port 1-65535; } disabled yes|no; description <value>; } } } application-override { rules { REPEAT...
Palo Alto Networks • 171
<name> { from <value>; to <value>; source [ <source1> <source2>... ]; destination [ <destination1> <destination2>... ]; protocol tcp|udp; port <0-65535,...>; application <value>; disabled yes|no; description <value>; } } } ssl-decryption { rules { REPEAT... <name> { from <value>; to <value>; source [ <source1> <source2>... ]; source-user [ <source-user1> <source-user2>... ]; destination [ <destination1> <destination2>... ]; category [ <category1> <category2>... ]; action decrypt|no-decrypt; negate-source yes|no; negate-destination yes|no; disabled yes|no; description <value>; reverse-key <value>; } } } captive-portal { rules { REPEAT... <name> { from <value>; to <value>; source [ <source1> <source2>... ]; destination [ <destination1> <destination2>... ]; action captive-portal|no-captive-portal|ntlm-auth; negate-source yes|no; negate-destination yes|no; disabled yes|no; description <value>; } } } } application { REPEAT... <name> { default { port [ <port1> <port2>... ]; OR... ident-by-ip-protocol 0-255; } category <value>; subcategory <value>;
172 • Palo Alto Networks
technology <value>; description <value>; timeout 0-604800; tcp-timeout 0-604800; udp-timeout 0-604800; risk 1-5; evasive-behavior yes|no; consume-big-bandwidth yes|no; used-by-malware yes|no; able-to-transfer-file yes|no; has-known-vulnerability yes|no; tunnel-other-application yes|no; prone-to-misuse yes|no; pervasive-use yes|no; } } application-filter { REPEAT... <name> { category [ <category1> <category2>... ]; subcategory [ <subcategory1> <subcategory2>... ]; technology [ <technology1> <technology2>... ]; evasive yes; excessive-bandwidth-use yes; used-by-malware yes; transfers-files yes; has-known-vulnerabilities yes; tunnels-other-apps yes; prone-to-misuse yes; pervasive yes; risk [ <risk1> <risk2>... ]; } } application-group { REPEAT... <name> [ <entry1> <entry2>... ]; } service { REPEAT... <name> { protocol { tcp { port <0-65535,...>; } OR... udp { port <0-65535,...>; } } } } service-group { REPEAT... <name> [ <entry1> <entry2>... ]; } profiles { virus { REPEAT... <name> {
Palo Alto Networks • 173
description <value>; packet-capture yes|no; decoder { REPEAT... <name> { action default|allow|alert|block; } } application { REPEAT... <name> { action default|allow|alert|block; } } } } spyware { REPEAT... <name> { description <value>; download-protection { decoder { REPEAT... <name> { spyware default|allow|alert|block; adware default|allow|alert|block; } } application { REPEAT... <name> { spyware default|allow|alert|block; adware default|allow|alert|block; } } } packet-capture yes|no; phone-home-detection { simple { packet-capture yes|no; critical default|allow|alert|block; high default|allow|alert|block; medium default|allow|alert|block; low default|allow|alert|block; informational default|allow|alert|block; } OR... custom { REPEAT... <name> { packet-capture yes|no; action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server; } } } } } vulnerability {
174 • Palo Alto Networks
REPEAT... <name> { description <value>; simple { packet-capture yes|no; client { critical default|allow|alert|block; high default|allow|alert|block; medium default|allow|alert|block; low default|allow|alert|block; informational default|allow|alert|block; } server { critical default|allow|alert|block; high default|allow|alert|block; medium default|allow|alert|block; low default|allow|alert|block; informational default|allow|alert|block; } } OR... custom { REPEAT... <name> { packet-capture yes|no; action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server; } } } } url-filtering { REPEAT... <name> { description <value>; license-expired block|allow; action block|continue|override|alert; block-list [ <block-list1> <block-list2>... ]; allow-list [ <allow-list1> <allow-list2>... ]; alert [ <alert1> <alert2>... ]; block [ <block1> <block2>... ]; continue [ <continue1> <continue2>... ]; override [ <override1> <override2>... ]; } } file-blocking { REPEAT... <name> { description <value>; rules { REPEAT... <name> { application [ <application1> <application2>... ]; file-type [ <file-type1> <file-type2>... ]; direction upload|download|both; action alert|block; } } }
Palo Alto Networks • 175
} data-objects { REPEAT... <name> { description <value>; credit-card-numbers { weight 1-255; } social-security-numbers { weight 1-255; } pattern { REPEAT... <name> { regex <value>; weight 1-255; } } } } data-filtering { REPEAT... <name> { description <value>; data-capture yes|no; rules { REPEAT... <name> { data-object <value>; application [ <application1> <application2>... ]; file-type [ <file-type1> <file-type2>... ]; direction upload|download|both; alert-threshold 1-65535; block-threshold 1-65535; } } } } } profile-group { REPEAT... <name> { virus [ <virus1> <virus2>... ]; spyware [ <spyware1> <spyware2>... ]; vulnerability [ <vulnerability1> <vulnerability2>... ]; url-filtering [ <url-filtering1> <url-filtering2>... ]; file-blocking [ <file-blocking1> <file-blocking2>... ]; data-filtering [ <data-filtering1> <data-filtering2>... ]; } } }}
deviceconfig { system { hostname <value>; domain <value>; ip-address <ip>; netmask <ip>;
176 • Palo Alto Networks
default-gateway <ip>; ipv6-address <value>; ipv6-default-gateway <value>; radius-server <ip>; radius-secret <value>; dns-primary <ip>; dns-secondary <ip>; panorama-server <ip>; ntp-server-1 <value>; location <value>; contact <value>; ntp-server-2 <value>; update-server <value>; secure-proxy-server <value>; secure-proxy-port 1-65535; secure-proxy-user <value>; secure-proxy-password <value>; geo-location { latitude <value>; longitude <value>; } service { disable-http yes|no; disable-https yes|no; disable-telnet yes|no; disable-ssh yes|no; disable-icmp yes|no; disable-snmp yes|no; } permitted-ip { REPEAT... <name>; } route { service { REPEAT... <name> { source-address <value>; } } destination { REPEAT... <name> { source-address <value>; } } } update-schedule { threats { recurring { daily { at <value>; action download-only|download-and-install; } OR... weekly { day-of-week sunday|monday|tuesday|wednesday|thursday|friday|saturday; at <value>;
Palo Alto Networks • 177
action download-only|download-and-install; } } } url-database { recurring { daily { at <value>; action download-and-install; } OR... weekly { day-of-week sunday|monday|tuesday|wednesday|thursday|friday|saturday; at <value>; action download-and-install; } } } } timezone W-SU|CST6CDT|Japan|Portugal|Hongkong|Mideast|Mideast/Riyadh87|Mideast/Riyadh88|Mideast/Riyadh89|Eire|Poland|Factory|GB-Eire|America|America/Port_of_Spain|America/Indiana|America/Indiana/Vevay|America/Indiana/Indianapolis|America/Indiana/Marengo|America/Indiana/Knox|America/St_Johns|America/Grand_Turk|America/Tijuana|America/Toronto|America/Araguaina|America/Virgin|America/El_Salvador|America/Coral_Harbour|America/Jujuy|America/Mexico_City|America/Guyana|America/Cayman|America/Ensenada|America/Fortaleza|America/Iqaluit|America/Boa_Vista|America/Chihuahua|America/Nome|America/Cancun|America/Cayenne|America/Recife|America/Panama|America/Caracas|America/Costa_Rica|America/Cambridge_Bay|America/Martinique|America/Yellowknife|America/Godthab|America/Sao_Paulo|America/Edmonton|America/Fort_Wayne|America/Danmarkshavn|America/Barbados|America/Dawson|America/Thunder_Bay|America/Tegucigalpa|America/Chicago|America/Guadeloupe|America/Grenada|America/Anguilla|America/Kentucky|America/Kentucky/Monticello|America/Kentucky/Louisville|America/Argentina|America/Argentina/Jujuy|America/Argentina/Ushuaia|America/Argentina/Catamarca|America/Argentina/San_Juan|America/Argentina/Mendoza|America/Argentina/La_Rioja|America/Argentina/Buenos_Aires|America/Argentina/Tucuman|America/Argentina/ComodRivadavia|America/Argentina/Cordoba|America/Argentina/Rio_Gallegos|America/Mazatlan|America/Regina|America/Montevideo|America/Catamarca|America/Los_Angeles|America/Campo_Grande|America/Aruba|America/Manaus|America/Knox_IN|America/Rosario|America/St_Lucia|America/Hermosillo|America/Denver|America/Detroit|America/Santiago|America/Shiprock|America/Cuiaba|America/Dominica|America/Porto_Acre|America/Curacao|America/Belize|America/Merida|America/Swift_Current|America/Antigua|America/Adak|America/Indianapolis|America/Belem|America/Miquelon|America/Louisville|America/Bogota|America/New_York|America/Boise|America/Scoresbysund|America/Mendoza|America/Goose_Bay|America/Yakutat|America/Eirunepe|America/Winnipeg|America/Buenos_Aires|America/Menominee|America/Paramaribo|America/Thule|America/Montreal|America/Jamaica|America/Monterrey|America/St_Thomas|America/Rio_Branco|America/Lima|America/Juneau|America/La_Paz|America/Vancouver|America/Rankin_Inlet|America/Puerto_Rico|America/St_Kitts|America/Halifax|America/Guayaquil|America/Inuvik|America/Noronha|America/Nassau|America/Port-au-Prince|America/Guatemala|America/Glace_Bay|America/Nipigon|America/Cordoba|America/Bahia|America/Asuncion|America/Maceio|America/Atka|America/North_Dakota|America/North_Dakota/Center|America/Managua|America/Anchorage|America/Montserrat|America/Tortola|America/Dawson_Creek|America/
178 • Palo Alto Networks
Santo_Domingo|America/Pangnirtung|America/Whitehorse|America/St_Vincent|America/Porto_Velho|America/Havana|America/Phoenix|America/Rainy_River|Indian|Indian/Christmas|Indian/Reunion|Indian/Comoro|Indian/Cocos|Indian/Mauritius|Indian/Antananarivo|Indian/Mahe|Indian/Mayotte|Indian/Kerguelen|Indian/Chagos|Indian/Maldives|GMT0|Canada|Canada/Yukon|Canada/Saskatchewan|Canada/Central|Canada/Eastern|Canada/East-Saskatchewan|Canada/Atlantic|Canada/Pacific|Canada/Mountain|Canada/Newfoundland|MET|ROK|US|US/Alaska|US/East-Indiana|US/Central|US/Eastern|US/Samoa|US/Arizona|US/Pacific|US/Aleutian|US/Hawaii|US/Mountain|US/Michigan|US/Indiana-Starke|MST|Mexico|Mexico/BajaSur|Mexico/General|Mexico/BajaNorte|EST5EDT|Atlantic|Atlantic/Madeira|Atlantic/Cape_Verde|Atlantic/St_Helena|Atlantic/Stanley|Atlantic/South_Georgia|Atlantic/Jan_Mayen|Atlantic/Azores|Atlantic/Reykjavik|Atlantic/Canary|Atlantic/Faeroe|Atlantic/Bermuda|HST|Antarctica|Antarctica/McMurdo|Antarctica/Davis|Antarctica/South_Pole|Antarctica/Vostok|Antarctica/Rothera|Antarctica/Mawson|Antarctica/DumontDUrville|Antarctica/Palmer|Antarctica/Casey|Antarctica/Syowa|UTC|Iceland|Pacific|Pacific/Honolulu|Pacific/Truk|Pacific/Niue|Pacific/Wake|Pacific/Apia|Pacific/Majuro|Pacific/Norfolk|Pacific/Efate|Pacific/Enderbury|Pacific/Palau|Pacific/Saipan|Pacific/Nauru|Pacific/Kiritimati|Pacific/Tahiti|Pacific/Guam|Pacific/Tongatapu|Pacific/Fiji|Pacific/Rarotonga|Pacific/Samoa|Pacific/Fakaofo|Pacific/Guadalcanal|Pacific/Port_Moresby|Pacific/Midway|Pacific/Galapagos|Pacific/Yap|Pacific/Johnston|Pacific/Marquesas|Pacific/Noumea|Pacific/Auckland|Pacific/Gambier|Pacific/Kwajalein|Pacific/Kosrae|Pacific/Wallis|Pacific/Easter|Pacific/Chatham|Pacific/Funafuti|Pacific/Pago_Pago|Pacific/Tarawa|Pacific/Pitcairn|Pacific/Ponape|EET|EST|Greenwich|GMT|Cuba|Brazil|Brazil/Acre|Brazil/East|Brazil/DeNoronha|Brazil/West|Turkey|Arctic|Arctic/Longyearbyen|NZ-CHAT|Zulu|Israel|Jamaica|Etc|Etc/GMT-14|Etc/GMT+6|Etc/GMT-10|Etc/GMT-2|Etc/GMT-8|Etc/GMT+4|Etc/GMT0|Etc/GMT-12|Etc/GMT+11|Etc/GMT-11|Etc/GMT+12|Etc/UTC|Etc/GMT-3|Etc/Greenwich|Etc/GMT-9|Etc/GMT|Etc/GMT+2|Etc/Zulu|Etc/GMT-4|Etc/GMT+7|Etc/GMT+1|Etc/GMT+8|Etc/GMT-7|Etc/GMT-6|Etc/GMT+10|Etc/GMT-5|Etc/GMT+0|Etc/GMT-1|Etc/GMT+3|Etc/GMT+5|Etc/GMT-13|Etc/UCT|Etc/Universal|Etc/GMT+9|Etc/GMT-0|NZ|Europe|Europe/Vienna|Europe/Athens|Europe/Tiraspol|Europe/Lisbon|Europe/Rome|Europe/Bratislava|Europe/Andorra|Europe/Sofia|Europe/Kaliningrad|Europe/Zurich|Europe/Belfast|Europe/Oslo|Europe/Samara|Europe/Malta|Europe/Chisinau|Europe/Moscow|Europe/Paris|Europe/Minsk|Europe/Zaporozhye|Europe/Amsterdam|Europe/Tallinn|Europe/Uzhgorod|Europe/Brussels|Europe/Vatican|Europe/Vaduz|Europe/San_Marino|Europe/Nicosia|Europe/Berlin|Europe/Vilnius|Europe/Monaco|Europe/Istanbul|Europe/Belgrade|Europe/Stockholm|Europe/Riga|Europe/Madrid|Europe/Gibraltar|Europe/Copenhagen|Europe/Skopje|Europe/Budapest|Europe/Dublin|Europe/Bucharest|Europe/Helsinki|Europe/Prague|Europe/Sarajevo|Europe/London|Europe/Tirane|Europe/Zagreb|Europe/Kiev|Europe/Warsaw|Europe/Ljubljana|Europe/Simferopol|Europe/Mariehamn|Europe/Luxembourg|Singapore|ROC|Kwajalein|Egypt|PST8PDT|GMT+0|Asia|Asia/Kuwait|Asia/Kamchatka|Asia/Thimphu|Asia/Macau|Asia/Gaza|Asia/Thimbu|Asia/Pyongyang|Asia/Vladivostok|Asia/Katmandu|Asia/Sakhalin|Asia/Muscat|Asia/Ashkhabad|Asia/Ulan_Bator|Asia/Riyadh|Asia/Riyadh87|Asia/Calcutta|Asia/Yerevan|Asia/Shanghai|Asia/Baghdad|Asia/Makassar|Asia/Oral|Asia/Hong_Kong|Asia/Jayapura|Asia/Omsk|Asia/Almaty|Asia/Saigon|Asia/Magadan|Asia/Chungking|Asia/Hovd|Asia/Brunei|Asia/Novosibirsk|Asia/Dacca|Asia/Qatar|Asia/Ulaanbaatar|Asia/Krasnoyarsk|Asia/Kuching|Asia/Qyzylorda|Asia/Karachi|Asia/Anadyr|Asia/Yakutsk|Asia/Seoul|Asia/Choibalsan|Asia/Macao|Asia/Samarkand|Asia/Yekaterinburg|Asia/Aqtobe|Asia/Riyadh88|Asia/Nicosia|Asia/Pontianak|Asia/Urumqi|Asia/Irkutsk|Asia/Taipei|Asia/Harbin|Asia/Istanbul|Asia/Colombo|Asia/Tel_Aviv|Asia/Jakarta|Asia/Amman|Asia/Bahrain|Asia/Tokyo|Asia/Chongqing|Asia/Ashgabat|Asia/Singapore|Asia/Aqtau|Asia/Baku|Asia/Bishkek|Asia/Dili|Asia/Tbilisi|Asia/Beirut|Asia/
Palo Alto Networks • 179
Riyadh89|Asia/Damascus|Asia/Aden|Asia/Dubai|Asia/Manila|Asia/Vientiane|Asia/Tehran|Asia/Kashgar|Asia/Dushanbe|Asia/Kabul|Asia/Bangkok|Asia/Rangoon|Asia/Jerusalem|Asia/Dhaka|Asia/Kuala_Lumpur|Asia/Tashkent|Asia/Phnom_Penh|Asia/Ujung_Pandang|CET|PRC|Africa|Africa/Kinshasa|Africa/Ndjamena|Africa/Mbabane|Africa/Lagos|Africa/El_Aaiun|Africa/Douala|Africa/Kampala|Africa/Mogadishu|Africa/Tripoli|Africa/Conakry|Africa/Niamey|Africa/Asmera|Africa/Khartoum|Africa/Lubumbashi|Africa/Kigali|Africa/Johannesburg|Africa/Blantyre|Africa/Malabo|Africa/Gaborone|Africa/Lome|Africa/Algiers|Africa/Addis_Ababa|Africa/Brazzaville|Africa/Dakar|Africa/Nairobi|Africa/Cairo|Africa/Banjul|Africa/Bamako|Africa/Bissau|Africa/Libreville|Africa/Sao_Tome|Africa/Casablanca|Africa/Timbuktu|Africa/Nouakchott|Africa/Freetown|Africa/Monrovia|Africa/Ceuta|Africa/Dar_es_Salaam|Africa/Lusaka|Africa/Abidjan|Africa/Bujumbura|Africa/Maseru|Africa/Bangui|Africa/Windhoek|Africa/Accra|Africa/Djibouti|Africa/Ouagadougou|Africa/Porto-Novo|Africa/Tunis|Africa/Maputo|Africa/Harare|Africa/Luanda|UCT|GB|Universal|Australia|Australia/Hobart|Australia/Lord_Howe|Australia/Perth|Australia/South|Australia/Yancowinna|Australia/Currie|Australia/Tasmania|Australia/Queensland|Australia/NSW|Australia/Lindeman|Australia/Melbourne|Australia/Adelaide|Australia/Victoria|Australia/Canberra|Australia/West|Australia/Brisbane|Australia/Broken_Hill|Australia/Darwin|Australia/ACT|Australia/North|Australia/Sydney|Australia/LHI|Iran|WET|Libya|MST7MDT|Chile|Chile/EasterIsland|Chile/Continental|GMT-0|Navajo; } setting { application { cache yes|no; supernode yes|no; heuristics yes|no; notify-user yes|no; } ctd { url-coach-timeout 1-86400; url-admin-timeout 1-86400; url-lockout-timeout 1-86400; } proxy { url-proxy yes|no; notify-user yes|no; answer-timeout 1-86400; } session { timeout-tcp 1-15999999; timeout-udp 1-15999999; timeout-icmp 1-15999999; timeout-default 1-15999999; timeout-tcpinit 1-60; timeout-tcpwait 1-60; timeout-scan 5-30; scan-threshold 50-99; scan-scaling-factor 2-16; accelerated-aging-enable yes|no; accelerated-aging-threshold 50-99; accelerated-aging-scaling-factor 2-16; tcp-reject-non-syn yes|no; offload yes|no; } zip { enable yes|no;
180 • Palo Alto Networks
sw yes|no; } config { rematch yes|no; } logging { max-log-rate 0-2560; max-packet-rate 0-2560; log-suppression yes|no; } management { idle-timeout 1-1440|; admin-lockout { failed-attempts 0-10; lockout-time 0-60; } max-rows-in-csv-export 1-1048576; panorama-tcp-receive-timeout 1-120; panorama-tcp-send-timeout 1-120; panorama-ssl-send-retries 1-64; } } high-availability { enabled yes|no; interface { ha1 { port <value>; encryption { enabled yes|no; passphrase <value>; } ip-address <ip/netmask>; netmask <ip>; } ha2 { port <value>; } } group { REPEAT... <name> { description <value>; election-option { device-priority 0-255; preemptive yes|no; passive-hold-time 0-60000; hello-interval 8000-60000; hello-interval 1000-60000; passive-link-state shutdown|auto; } peer-ip <ip>; state-synchronization { enabled yes|no; } monitoring { path-monitoring { enabled yes|no; failure-condition any|all; path-group {
Palo Alto Networks • 181
virtual-wire { REPEAT... <name> { enabled yes|no; failure-condition any|all; source-ip <ip>; destination-ip [ <destination-ip1> <destination-ip2>... ]; } } vlan { REPEAT... <name> { enabled yes|no; failure-condition any|all; source-ip <ip>; destination-ip [ <destination-ip1> <destination-ip2>... ]; } } virtual-router { REPEAT... <name> { enabled yes|no; failure-condition any|all; destination-ip [ <destination-ip1> <destination-ip2>... ]; } } } } link-monitoring { enabled yes|no; failure-condition any|all; link-group { REPEAT... <name> { enabled yes|no; failure-condition any|all; interface [ <interface1> <interface2>... ]; } } } } } } }}
mgt-config { users { REPEAT... <name> { phash <value>; remote-authentication radius; preferences { disable-dns yes|no; saved-log-query { traffic { REPEAT... <name> { query <value>;
182 • Palo Alto Networks
} } threat { REPEAT... <name> { query <value>; } } config { REPEAT... <name> { query <value>; } } system { REPEAT... <name> { query <value>; } } } } permissions { role-based { vsysreader { REPEAT... <name> { vsys <name>; } } OR... vsysadmin { REPEAT... <name> { vsys <name>; } } OR... devicereader [ <devicereader1> <devicereader2>... ]; OR... deviceadmin [ <deviceadmin1> <deviceadmin2>... ]; OR... superreader yes; OR... superuser yes; OR... custom { profile <name>; vsys <name>; } } } } } devices { REPEAT... <name> { ip <ip>; vsys {
Palo Alto Networks • 183
REPEAT... <name>; } } }}
predefined { signature { REPEAT... <name> { application <value>; protocol <value>; description <value>; dynamic yes|no; rules { REPEAT... <name> { direction client-to-server|server-to-client|any; match { string { pattern <value>; encrypt yes|no; ignore-case yes|no; offset 0-1000000; depth 0-10000; per-packet-match yes|no; payload-length-validate { byte-offset 0-65535; discount 0-65535; number-of-bytes 1|2|3|4; endian little|big; } source-port-validate { byte-offset 0-65535; endian little|big; } } header { source-ip <value>; destination-ip <value>; source-port <value>; destination-port <value>; l3-payload-length <value>; l4-payload-length <value>; packet-sequence <value>; } } } } rule-match match-in-order|match-all|match-any; } } application-type { REPEAT... category { <name> { description <value>; }
184 • Palo Alto Networks
} technology { <name> { description <value>; } } } url-categories { REPEAT... <name> { malware yes|no; description <value>; } } private-application { REPEAT... <name> { correlate { key-by [ <key-by1> <key-by2>... ]; rule-match match-all|match-any; interval 1-65535; rules { REPEAT... entry { protocol tcp|udp; interval 1-65535; threshold 1-65535; track-by [ <track-by1> <track-by2>... ]; } } } default { port [ <port1> <port2>... ]; OR... ident-by-ip-protocol <0-255,...>; } tunnel-applications [ <tunnel-applications1> <tunnel-applications2>... ]; deny-action drop|drop-reset; use-applications [ <use-applications1> <use-applications2>... ]; alg yes|no; appident yes|no; virus-ident yes|no; spyware-ident yes|no; child <value>; decode <value>; threat-id <1-4294967295,...>; per-direction-regex yes|no; enable-ssl-decryption yes|no; enable-source-cache yes|no; preemptive yes|no; ident-by-sport yes|no; ident-by-port yes|no; ident-by-dport yes|no; source-cache-timeout 0-255; source-cache-threshold 0-255; risk 1-5; type <value>; category <value>;
Palo Alto Networks • 185
description <value>; timeout 0-604800; tcp-timeout 0-604800; udp-timeout 0-604800; evasive-behavior yes|no; consume-big-bandwidth yes|no; carry-malware yes|no; used-by-malware yes|no; able-to-transfer-file yes|no; has-known-vulnerability yes|no; tunnel-other-application yes|no; report-as <value>; prone-to-misuse yes|no; pervasive-use yes|no; references { REPEAT... <name> { link <value>; } } reference <value>; } } application { REPEAT... <name> { correlate { key-by [ <key-by1> <key-by2>... ]; rule-match match-all|match-any; interval 1-65535; rules { REPEAT... entry { protocol tcp|udp; interval 1-65535; threshold 1-65535; track-by [ <track-by1> <track-by2>... ]; } } } default { port [ <port1> <port2>... ]; OR... ident-by-ip-protocol <0-255,...>; } tunnel-applications [ <tunnel-applications1> <tunnel-applications2>... ]; deny-action drop|drop-reset; use-applications [ <use-applications1> <use-applications2>... ]; alg yes|no; appident yes|no; virus-ident yes|no; spyware-ident yes|no; decode <value>; threat-id <1-4294967295,...>; per-direction-regex yes|no; preemptive yes|no; ident-by-sport yes|no; ident-by-port yes|no;
186 • Palo Alto Networks
ident-by-dport yes|no; risk 1-5; type <value>; category <value>; subcategory <value>; technology <value>; description <value>; timeout 0-604800; tcp-timeout 0-604800; udp-timeout 0-604800; evasive-behavior yes|no; consume-big-bandwidth yes|no; carry-malware yes|no; used-by-malware yes|no; able-to-transfer-file yes|no; has-known-vulnerability yes|no; tunnel-other-application yes|no; prone-to-misuse yes|no; pervasive-use yes|no; references { REPEAT... <name> { link <value>; } } reference <value>; } } application-group { REPEAT... <name> { member <value>; } } profiles { virus { REPEAT... <name> { description <value>; decoder { REPEAT... <name> { action default|allow|alert|block; } } application { REPEAT... <name> { action default|allow|alert|block; } } } } spyware { REPEAT... <name> { description <value>; download-protection { decoder {
Palo Alto Networks • 187
REPEAT... <name> { adware default|allow|alert|block; spyware default|allow|alert|block; } } application { REPEAT... <name> { adware default|allow|alert|block; spyware default|allow|alert|block; } } } phone-home-detection { simple { critical default|allow|alert|block; high default|allow|alert|block; medium default|allow|alert|block; low default|allow|alert|block; informational default|allow|alert|block; } OR... custom { REPEAT... <name> { packet-capture yes|no; action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server; } } } } } vulnerability { REPEAT... <name> { description <value>; simple { client { critical default|allow|alert|block; high default|allow|alert|block; medium default|allow|alert|block; low default|allow|alert|block; informational default|allow|alert|block; } server { critical default|allow|alert|block; high default|allow|alert|block; medium default|allow|alert|block; low default|allow|alert|block; informational default|allow|alert|block; } } OR... custom { REPEAT... <name> { packet-capture yes|no;
188 • Palo Alto Networks
action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server; } } } } url-filtering { REPEAT... <name> { description <value>; license-expired block|allow; action block|continue|override|alert; block-list [ <block-list1> <block-list2>... ]; allow-list [ <allow-list1> <allow-list2>... ]; alert [ <alert1> <alert2>... ]; block [ <block1> <block2>... ]; continue [ <continue1> <continue2>... ]; override [ <override1> <override2>... ]; } } } profile-group { REPEAT... <name> { virus [ <virus1> <virus2>... ]; spyware [ <spyware1> <spyware2>... ]; vulnerability [ <vulnerability1> <vulnerability2>... ]; url-filtering [ <url-filtering1> <url-filtering2>... ]; } } service { REPEAT... <name> { protocol { any; OR... tcp { port <0-65535,...>; } OR... udp { port <0-65535,...>; } OR... ip { ip-protocol <0-255,...>; } } } } service-group { REPEAT... <name> [ <entry1> <entry2>... ]; } reports { REPEAT... <name> { disabled yes|no; query <value>;
Palo Alto Networks • 189
caption <value>; frequency daily|weekly; start-time <value>; end-time <value>; delta 1-65535; period last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendar-week|last-30-days; topn 1-50; type { appstat { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; values [ <values1> <values2>... ]; sortby nbytes|npkts|nsess|nthreats; } OR... threat { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; values [ <values1> <values2>... ]; sortby repeatcnt; } OR... thsum { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; values [ <values1> <values2>... ]; sortby count; } OR... traffic { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; values [ <values1> <values2>... ]; sortby bytes|elapsed|packets|repeatcnt; } OR... trsum { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; values [ <values1> <values2>... ]; sortby bytes|sessions; } } } } threats { phone-home { REPEAT... <name> { category <value>; severity critical|high|medium|low|informational; host client|server; app <value>; } } vulnerability { REPEAT... <name> { category code-execution|overflow|sql-injection|info-leak|email-worm|net-worm|adware|keylogger|data-theft|phishing|spam|botnet|rootkit|trojan|backdoor|virus|email-flooder|spamtool|hacktool|dos|suspicious|other-malware|user-defined;
190 • Palo Alto Networks
severity critical|high|medium|low|informational; affected-host { client yes|no; server yes|no; } } } ssl-exclude-cert { REPEAT... <name>; } }}
operations { schedule { commit; } OR... clear { application-signature { statistics; } OR... arp |<value>; OR... counter { interface; OR... global { filter { category <value>; severity <value>; aspect <value>; } OR... name <value>; } OR... all; } OR... dhcp { lease { all; OR... interface { name <value>; ip <ip>; mac <mac-address>; } } } OR... high-availability { control-link { statistics; }
Palo Alto Networks • 191
} OR... job { id 0-4294967295; } OR... log { traffic; OR... threat; OR... config; OR... system; OR... acc; } OR... mac |<value>; OR... query { all-by-session; OR... id 0-4294967295; } OR... report { all-by-session; OR... id 0-4294967295; } OR... session { all { filter { nat none|source|destination|both; proxy yes|no; type flow|predict; state initial|opening|active|discard|closing|closed; from <value>; to <value>; source <value>; destination <value>; source-user <value>; destination-user <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; application <value>; rule <value>; nat-rule <value>; } } OR... id 1-2147483648; } OR... statistics; OR...
192 • Palo Alto Networks
vpn { ike-sa { gateway <value>; } OR... ipsec-sa { tunnel <value>; } OR... flow { tunnel-id 1-2147483648; } } } OR... delete { admin-sessions; OR... application-block-page; OR... captive-portal-text; OR... config { saved <value>; } OR... config-audit-history; OR... content { update <value>; } OR... core { data-plane { file <value>; } OR... control-plane { file <value>; } } OR... debug-filter { file <value>; } OR... file-block-page; OR... license { key <value>; } OR... pcap { file <value>; } OR... policy-cache; OR... reverse-key {
Palo Alto Networks • 193
file <value>; } OR... root-certificate { file <value>; } OR... software { image <value>; OR... version <value>; } OR... spyware-block-page; OR... ssl-optout-text; OR... threat-pcap { directory <value>; } OR... unknown-pcap { file <value>; } OR... url-block-page; OR... url-coach-text; OR... url-coach-text; OR... user-file { ssh-known-hosts; } OR... virus-block-page; } OR... show { admins { all; } OR... arp |<value>; OR... chassis-ready; OR... cli { info; OR... idle-timeout; } OR... clock; OR... config { diff; OR... running {
194 • Palo Alto Networks
xpath <value>; } OR... synced; OR... candidate; OR... audit { info; OR... base-version <value>; OR... version <value>; } OR... saved <value>; } OR... counter { management-server; OR... global { filter { category <value>; severity <value>; aspect <value>; delta yes|no; value all|non-zero; } OR... name <value>; } OR... interface |<value>; } OR... ctd { url-block-cache; OR... threat { id 1-4294967295; application 0-4294967295; profile 0-4294967295; } } OR... dhcp { lease |<value>; } OR... high-availability { all; OR... state; OR... link-monitoring; OR... path-monitoring; OR...
Palo Alto Networks • 195
state-synchronization; OR... control-link { statistics; } } OR... interface |||<value>; OR... jobs { all; OR... pending; OR... processed; OR... id 1-4294967296; } OR... location { ip <ip>; } OR... log { traffic { direction { equal forward|backward; } csv-output { equal yes|no; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } start-time { equal <value>; } end-time { equal <value>; } src { in <ip/netmask>; OR... not-in <ip/netmask>; } dst { in <ip/netmask>; OR... not-in <ip/netmask>; } rule { equal <value>; OR... not-equal <value>; } app { equal <value>; OR...
196 • Palo Alto Networks
not-equal <value>; } from { equal <value>; OR... not-equal <value>; } to { equal <value>; OR... not-equal <value>; } sport { equal 1-65535; OR... not-equal 1-65535; } dport { equal 1-65535; OR... not-equal 1-65535; } action { equal allow|deny|drop; OR... not-equal allow|deny|drop; } srcuser { equal <value>; } dstuser { equal <value>; } } OR... threat { suppress-threatid-mapping { equal yes|no; } direction { equal forward|backward; } csv-output { equal yes|no; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } start-time { equal <value>; } end-time { equal <value>; } src { in <ip/netmask>; OR... not-in <ip/netmask>;
Palo Alto Networks • 197
} dst { in <ip/netmask>; OR... not-in <ip/netmask>; } rule { equal <value>; OR... not-equal <value>; } app { equal <value>; OR... not-equal <value>; } from { equal <value>; OR... not-equal <value>; } to { equal <value>; OR... not-equal <value>; } sport { equal 1-65535; OR... not-equal 1-65535; } dport { equal 1-65535; OR... not-equal 1-65535; } action { equal alert|allow|deny|drop|drop-all-packets|reset-client|reset-server|reset-both|block-url; OR... not-equal alert|allow|deny|drop|drop-all-packets|reset-client|reset-server|reset-both|block-url; } srcuser { equal <value>; } dstuser { equal <value>; } category { equal adult-or-sexually-explicit|advertisements-and-popups|alcohol-and-tobacco|arts|blogs-and-forums|business|chat|computing-and-internet|criminal-activity|downloads|education|entertainment|fashion-and-beauty|finance-and-investment|food-and-dining|gambling|games|government|hacking|health-and-medicine|hobbies-and-recreation|hosting-sites|illegal-drugs|infrastructure|intimate-apparel-and-swimwear|intolerance-and-hate|job-search-and-career-development|kids-sites|motor-vehicles|news|peer-to-peer|personals-and-dating|philanthropic-and-professional-orgs|phishing-and-fraud|phising-and-fraud|photo-
198 • Palo Alto Networks
searches|politics|proxies-and-translators|real-estate|reference|religion|ringtones-or-mobile-phone-downloads|search-engines|sex-education|shopping|society-and-culture|spam-urls|sports|spyware|streaming-media|tasteless-and-offensive|travel|unknown|violence|weapons|web-based-e-mail; OR... not-equal adult-or-sexually-explicit|advertisements-and-popups|alcohol-and-tobacco|arts|blogs-and-forums|business|chat|computing-and-internet|criminal-activity|downloads|education|entertainment|fashion-and-beauty|finance-and-investment|food-and-dining|gambling|games|government|hacking|health-and-medicine|hobbies-and-recreation|hosting-sites|illegal-drugs|infrastructure|intimate-apparel-and-swimwear|intolerance-and-hate|job-search-and-career-development|kids-sites|motor-vehicles|news|peer-to-peer|personals-and-dating|philanthropic-and-professional-orgs|phishing-and-fraud|phising-and-fraud|photo-searches|politics|proxies-and-translators|real-estate|reference|religion|ringtones-or-mobile-phone-downloads|search-engines|sex-education|shopping|society-and-culture|spam-urls|sports|spyware|streaming-media|tasteless-and-offensive|travel|unknown|violence|weapons|web-based-e-mail; } subtype { equal url|file; } } OR... config { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } start-time { equal <value>; } end-time { equal <value>; } client { equal web|cli; OR... not-equal web|cli; } cmd { equal add|clone|commit|create|delete|edit|get|load-from-disk|move|rename|save-to-disk|set; OR... not-equal add|clone|commit|create|delete|edit|get|load-from-disk|move|rename|save-to-disk|set; } result { equal succeeded|failed|unauthorized; OR... not-equal succeeded|failed|unauthorized;
Palo Alto Networks • 199
} } OR... system { direction { equal forward|backward; } opaque { contains <value>; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } start-time { equal <value>; } end-time { equal <value>; } severity { equal critical|high|medium|low|informational; OR... not-equal critical|high|medium|low|informational; OR... greater-than-or-equal critical|high|medium|low|informational; OR... less-than-or-equal critical|high|medium|low|informational; } subtype { equal <value>; OR... not-equal <value>; } object { equal <value>; OR... not-equal <value>; } eventid { equal <value>; OR... not-equal <value>; } id { equal <value>; OR... not-equal <value>; } } OR... appstat { direction { equal forward|backward; } receive_time {
200 • Palo Alto Networks
in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } start-time { equal <value>; } end-time { equal <value>; } name { equal <value>; OR... not-equal <value>; } type { equal <value>; OR... not-equal <value>; } risk { equal 1|2|3|4|5; OR... not-equal 1|2|3|4|5; OR... greater-than-or-equal 1|2|3|4|5; OR... less-than-or-equal 1|2|3|4|5; } } OR... trsum { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } start-time { equal <value>; } end-time { equal <value>; } app { equal <value>; OR... not-equal <value>; } src { in <value>; } dst {
Palo Alto Networks • 201
in <value>; } rule { equal <value>; OR... not-equal <value>; } srcuser { equal <value>; OR... not-equal <value>; } dstuser { equal <value>; OR... not-equal <value>; } srcloc { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } dstloc { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } } OR... thsum { direction { equal forward|backward; } receive_time { in last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } csv-output { equal yes|no; } start-time { equal <value>; } end-time { equal <value>; } app { equal <value>; OR... not-equal <value>; }
202 • Palo Alto Networks
src { in <value>; } dst { in <value>; } rule { equal <value>; OR... not-equal <value>; } srcuser { equal <value>; OR... not-equal <value>; } dstuser { equal <value>; OR... not-equal <value>; } srcloc { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } dstloc { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } threatid { equal <value>; OR... not-equal <value>; OR... greater-than-or-equal <value>; OR... less-than-or-equal <value>; } subtype { equal <value>; OR... not-equal <value>; } } } OR... logging; OR... mac |<value>;
Palo Alto Networks • 203
OR... management-clients; OR... multi-vsys; OR... object { ip <ip>; vsys <value>; } OR... pan-agent { statistics; OR... user-IDs; } OR... proxy { setting; OR... certificate-cache; OR... certificate; OR... notify-cache; } OR... query { id 1-4294967296; OR... jobs; } OR... report { id 1-4294967296; OR... jobs; OR... predefined { name { equal top-attackers|top-victims|top-attackers-by-countries|top-victims-by-countries|top-sources|top-destinations|top-destination-countries|top-source-countries|top-connections|top-ingress-interfaces|top-egress-interfaces|top-ingress-zones|top-egress-zones|top-applications|top-http-applications|top-rules|top-attacks|top-spyware-threats|top-viruses|top-vulnerabilities|top-websites|top-url-categories|top-url-users|top-url-user-behavior|unknown-tcp-connections|unknown-udp-connections|top-denied-sources|top-denied-destinations|top-denied-applications; } start-time { equal <value>; } end-time { equal <value>; } } OR... custom { database { equal appstat|threat|thsum|traffic|trsum;
204 • Palo Alto Networks
} topn { equal <value>; } receive_time { in last-hour|last-12-hrs|last-24-hrs|last-7-days|last-30-days; } query { equal <value>; } aggregate-fields { equal <value>; } value-fields { equal <value>; } } } OR... routing { resource; OR... summary { virtual-router <value>; } OR... fib { virtual-router <value>; } OR... route { destination <ip/netmask>; interface <value>; nexthop <ip/netmask>; type static|connect|ospf|rip; virtual-router <value>; } OR... protocol { redist all|ospf|rip; OR... ospf summary|area|interface|virt-link|neighbor|virt-neighbor|lsdb|dumplsdb; OR... rip summary|interface|peer|database; virtual-router <value>; } } OR... session { start-at 1-2097152; OR... info; OR... meter; OR... all { filter { nat none|source|destination|both;
Palo Alto Networks • 205
proxy yes|no; type flow|predict; state initial|opening|active|discard|closing|closed; from <value>; to <value>; source <value>; destination <value>; source-user <value>; destination-user <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; application <value>; rule <value>; nat-rule <value>; } } OR... id 1-2147483648; } OR... shared-policy; OR... statistics; OR... system { software { status; } OR... info; OR... services; OR... state { filter <value>; OR... filter-pretty <value>; OR... browser; } OR... statistics; OR... resources; OR... disk-space; OR... logdb-quota; OR... files; } OR... target-vsys; OR... threat { id 1-4294967296; } OR...
206 • Palo Alto Networks
virtual-wire |<value>; OR... vlan |<value>; OR... vpn { gateway { name <value>; } OR... tunnel { name <value>; } OR... ike-sa { gateway <value>; } OR... ipsec-sa { tunnel <value>; } OR... flow { tunnel-id 1-2147483648; } } OR... zip { setting; } OR... zone-protection { zone <value>; } } OR... debug { captive-portal { on { normal; OR... debug; } OR... off; OR... show; } OR... cli on|off|detail|show; OR... cpld; OR... dataplane { get; OR... show { user { all; OR...
Palo Alto Networks • 207
ip <ip/netmask>; } OR... nat-rule-cache; OR... global-ippool; OR... ippool; OR... security-policy; OR... nat-policy; OR... captive-portal-policy; OR... ssl-policy; OR... application-override-policy; OR... application-signature { statistics; } OR... log-queue { statistics; } OR... application { dump-setting; } OR... resource-monitor { second { last 1-60; } OR... minute { last 1-60; } OR... hour { last 1-24; } OR... day { last 1-7; } OR... week { last 1-13; } } OR... logging; OR... url-cache { statistics; } OR...
208 • Palo Alto Networks
top-urls { top 1-10000; category adult-or-sexually-explicit|advertisements-and-popups|alcohol-and-tobacco|arts|blogs-and-forums|business|chat|computing-and-internet|criminal-activity|downloads|education|entertainment|fashion-and-beauty|finance-and-investment|food-and-dining|gambling|games|government|hacking|health-and-medicine|hobbies-and-recreation|hosting-sites|illegal-drugs|infrastructure|intimate-apparel-and-swimwear|intolerance-and-hate|job-search-and-career-development|kids-sites|motor-vehicles|news|peer-to-peer|personals-and-dating|philanthropic-and-professional-orgs|phishing-and-fraud|phising-and-fraud|photo-searches|politics|proxies-and-translators|real-estate|reference|religion|ringtones-or-mobile-phone-downloads|search-engines|sex-education|shopping|society-and-culture|spam-urls|sports|spyware|streaming-media|tasteless-and-offensive|travel|unknown|violence|weapons|web-based-e-mail; } } OR... reset { user-cache { all; OR... ip <ip/netmask>; } OR... url-cache; OR... logging; OR... pow; OR... appid { unknown-cache { destination <ip/netmask>; } } OR... proxy { host-certificate-cache; OR... certificate-cache; OR... notify-cache { source <ip/netmask>; } } OR... ctd { url-block-cache { lockout; } } } OR... mode sync|no-sync; OR... on error|warn|info|debug; OR...
Palo Alto Networks • 209
off; OR... clear; OR... drop-filter { on; OR... off; OR... set { ingress <value>; file <value>; source <value>; destination <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; packet-count 1-20000; byte-count 1-2000000; } OR... unset 1-4; } OR... filter { on; OR... off; OR... set { ingress <value>; file <value>; source <value>; destination <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; packet-count 1-20000; byte-count 1-2000000; } OR... unset 1-4; OR... close 1-4; } OR... pool { statistics; OR... check { hardware 0-255; OR... software 0-255; } } OR... pow { status; OR...
210 • Palo Alto Networks
performance { all; } } OR... memory { status; } OR... internal { pci-access { sample; OR... register <value>; } OR... vif { address; OR... link; OR... rule; OR... vr; OR... route 0-255; } OR... dt { lion { rd 0-4294967295; OR... igr { show drops|flow|internal|packets|queues; OR... iftbl; OR... mymac; OR... port; } OR... egr { show counts|queues; OR... route; OR... nexthop; } OR... mac { stats { clear; } } OR... spi { stats { clear;
Palo Alto Networks • 211
} } } OR... oct { csr { rd <value>; } OR... gmx { stats; } OR... pip { stats; } OR... pko { disp; OR... stats; } OR... pow { dump; } } } } OR... fpga { set { sw_aho yes|no; OR... sw_dfa yes|no; } OR... state; } OR... device { switch-dx { uplink; OR... register { read 0-4294967295; } OR... vlan-table { dump; OR... index 0-4095; } OR... port-based-vlan { port 0-32; } OR... fdb {
212 • Palo Alto Networks
dump; OR... index 0-65535; } } } OR... process { mprelay { on { dump; OR... debug; OR... info; OR... warn; OR... error; } OR... off; OR... show; } OR... ha-agent { on { dump; OR... debug; OR... info; OR... warn; OR... error; } OR... off; OR... show; } } OR... task-heartbeat { on; OR... off; OR... show; } OR... set { tcp reass|fptcp|all; OR... ssl basic|all; OR... proxy basic|all;
Palo Alto Networks • 213
OR... pow basic|all; OR... misc misc|all; OR... flow basic|ager|ha|np|arp|receive|all; OR... tunnel flow|ager; OR... ctd basic|sml|url|detector|all; OR... appid agt|basic|policy|dfa|all; OR... all; } OR... unset { tcp reass|fptcp|all; OR... ssl basic|all; OR... proxy basic|all; OR... pow basic|all; OR... misc misc|all; OR... flow basic|ager|np|ha|arp|receive|all; OR... tunnel flow|ager; OR... ctd basic|sml|url|detector|all; OR... appid basic|policy|dfa|all; OR... all; } } OR... device-server { set { agent basic|conn|ntlm|group|detail|ha|all; OR... misc basic|all; OR... url basic|all; OR... config basic|tdb|fpga|all; OR... all; } OR... unset { agent basic|conn|detail|ha|all; OR... misc basic|all; OR... url basic|all; OR...
214 • Palo Alto Networks
config basic|tdb|fpga|all; OR... all; } OR... test { url <value>; OR... url-category 1-4192; OR... admin-override-password <value>; } OR... reset { logging { statistics; } OR... pan-agent { all; } OR... captive-portal { ip-address <ip/netmask>; } OR... id-manager; } OR... dump { idmgr { type { zone { all; OR... id 1-4294967295; OR... name <value>; } OR... vsys { all; OR... id 1-4294967295; OR... name <value>; } OR... global-tunnel { all; OR... id 1-; OR... name <value>; } OR... global-interface { all; OR...
Palo Alto Networks • 215
id 1-4294967295; OR... name <value>; } OR... global-vlan-domain { all; OR... id 1-4294967295; OR... name <value>; } OR... global-vlan { all; OR... id 1-4294967295; OR... name <value>; } OR... global-vrouter { all; OR... id 1-4294967295; OR... name <value>; } OR... global-rib-instance { all; OR... id 1-4294967295; OR... name <value>; } OR... shared-application { all; OR... id 1-4294967295; OR... name <value>; } OR... custom-url-filter { all; OR... id 1-4294967295; OR... name <value>; } OR... user { all; OR... id 1-4294967295; OR... name <value>;
216 • Palo Alto Networks
} OR... user-group { all; OR... id 1-4294967295; OR... name <value>; } OR... custom-application { all; OR... id 1-4096; OR... name <value>; } OR... security-rule { all; OR... id 1-4096; OR... name <value>; } OR... nat-rule { all; OR... id 1-4096; OR... name <value>; } OR... ssl-rule { all; OR... id 1-4096; OR... name <value>; } OR... ike-gateway { all; OR... id 1-4096; OR... name <value>; } } } OR... logging { statistics; } } OR... on error|warn|info|debug|dump; OR...
Palo Alto Networks • 217
off; OR... clear; OR... show; } OR... dhcpd { global { on { error; OR... warn; OR... info; OR... debug; OR... dump; } OR... off; OR... show; } OR... pcap { show; OR... on { virtualrouter <value>; } OR... off; OR... delete; OR... view; } } OR... ez { enable; OR... disable; OR... show { counter { index 0-4194304; num-counters 0-40; } OR... session-counter { index 0-4194304; num-counters 0-40; } OR... port { index 0-32;
218 • Palo Alto Networks
} OR... throughput; OR... arp; OR... route; OR... session; OR... drop_flag; } OR... set { drop 0|1; } } OR... high-availability-agent { on error|warn|info|debug|dump; OR... off; OR... clear; OR... show; OR... internal-dump; OR... model-check on|off; } OR... ike { global { on { normal; OR... debug; OR... dump; } OR... off; OR... show; } OR... pcap { show; OR... on; OR... off; OR... delete; OR... view; } OR...
Palo Alto Networks • 219
socket; OR... stat; } OR... keymgr { on { normal; OR... debug; OR... dump; } OR... off; OR... show; OR... list-sa; } OR... log-receiver { on { normal; OR... debug; OR... dump; } OR... off; OR... show; OR... statistics; } OR... management-server { on error|warn|info|debug|dump; OR... off; OR... clear; OR... show; OR... phased-commit enable|disable|show; OR... client { disable device|ikemgr|dhcpd|ha_agent|routed|npagent|modhttpd; OR... enable device|ikemgr|dhcpd|ha_agent|routed|npagent|modhttpd; } } OR... master-service { on error|warn|info|debug|dump; OR... off;
220 • Palo Alto Networks
OR... clear; OR... show; OR... internal-dump; } OR... netconfig-agent { on { dump; OR... debug; OR... info; OR... warn; OR... error; } OR... off; OR... show; } OR... routing { mib <value>; OR... list-mib; OR... fib { flush; OR... stats; } OR... global { on { error; OR... warn; OR... info; OR... debug; OR... dump; } OR... off; OR... show; } OR... pcap { show; OR... ospf {
Palo Alto Networks • 221
on { virtualrouter <value>; } OR... off; OR... delete; OR... view; } OR... rip { on { virtualrouter <value>; } OR... off; OR... delete; OR... view; } OR... all { on { virtualrouter <value>; } OR... off; OR... delete; OR... view; } } OR... socket; } OR... software { restart { device-server; OR... management-server; OR... web-server; } } OR... swm { list; OR... command <value>; OR... history; OR... status; OR... unlock;
222 • Palo Alto Networks
OR... revert; OR... refresh { content; } } OR... tac-login { permanently-disable; OR... disable; OR... enable; } OR... vardata-receiver { on { normal; OR... debug; OR... dump; } OR... off; OR... show; OR... statistics; } } OR... set { application { dump-unknown on|off; OR... dump { on { limit 1-5000; from <value>; to <value>; source <value>; destination <value>; source-user <value>; destination-user <value>; source-port 1-65535; destination-port 1-65535; protocol 1-255; application <value>; rule <value>; } OR... off; } OR... cache yes|no; OR... supernode yes|no;
Palo Alto Networks • 223
OR... heuristics yes|no; OR... notify-user yes|no; } OR... cli { pager on|off; OR... scripting-mode on|off; OR... timeout { idle |1-1440; } OR... terminal { type aaa|aaa+dec|aaa+rv|aaa+unk|aaa-18|aaa-18-rv|aaa-20|aaa-22|aaa-24|aaa-24-rv|aaa-26|aaa-28|aaa-30-ctxt|aaa-30-rv|aaa-30-rv-ctxt|aaa-30-s|aaa-30-s-rv|aaa-36|aaa-36-rv|aaa-40|aaa-40-rv|aaa-48|aaa-48-rv|aaa-60|aaa-60-dec-rv|aaa-60-rv|aaa-60-s|aaa-60-s-rv|aaa-db|aaa-rv-unk|aaa-s-ctxt|aaa-s-rv-ctxt|aas1901|abm80|abm85|abm85e|abm85h|abm85h-old|act4|act5|addrinfo|adds980|adm+sgr|adm11|adm1178|adm12|adm1a|adm2|adm20|adm21|adm22|adm3|adm31|adm31-old|adm36|adm3a|adm3a+|adm42|adm42-ns|adm5|aepro|aixterm|aixterm-m|aixterm-m-old|aj510|aj830|alto-h19|altos2|altos3|altos4|altos7|altos7pc|amiga|amiga-8bit|amiga-h|amiga-vnc|ampex175|ampex175-b|ampex210|ampex219|ampex219w|ampex232|ampex232w|ampex80|annarbor4080|ansi|ansi+arrows|ansi+csr|ansi+cup|ansi+erase|ansi+idc|ansi+idl|ansi+idl1|ansi+inittabs|ansi+local|ansi+local1|ansi+pp|ansi+rca|ansi+rep|ansi+sgr|ansi+sgrbold|ansi+sgrdim|ansi+sgrso|ansi+sgrul|ansi+tabs|ansi-color-2-emx|ansi-color-3-emx|ansi-emx|ansi-generic|ansi-m|ansi-mini|ansi-mr|ansi-mtabs|ansi-nt|ansi.sys|ansi.sys-old|ansi.sysk|ansi77|apollo|apollo_15P|apollo_19L|apollo_color|apple-80|apple-ae|apple-soroc|apple-uterm|apple-uterm-vb|apple-videx|apple-videx2|apple-videx3|apple-vm80|apple2e|apple2e-p|apple80p|appleII|appleIIgs|arm100|arm100-w|atari|att2300|att2350|att4410|att4410v1-w|att4415|att4415+nl|att4415-nl|att4415-rv|att4415-rv-nl|att4415-w|att4415-w-nl|att4415-w-rv|att4415-w-rv-n|att4418|att4418-w|att4420|att4424|att4424-1|att4424m|att4426|att500|att505|att505-24|att510a|att510d|att5310|att5410-w|att5410v1|att5420_2|att5420_2-w|att5425|att5425-nl|att5425-w|att5620|att5620-1|att5620-24|att5620-34|att5620-s|att605|att605-pc|att605-w|att610|att610-103k|att610-103k-w|att610-w|att615|att615-103k|att615-103k-w|att615-w|att620|att620-103k|att620-103k-w|att620-w|att630|att630-24|att6386|att700|att730|att730-24|att730-41|att7300|att730r|att730r-24|att730r-41|avatar|avatar0|avatar0+|avt|avt+s|avt-ns|avt-rv|avt-rv-ns|avt-w|avt-w-ns|avt-w-rv|avt-w-rv-ns|aws|awsc|bantam|basis|beacon|beehive|beehive3|beehive4|beterm|bg1.25|bg1.25nv|bg1.25rv|bg2.0|bg2.0rv|bitgraph|blit|bobcat|bq300|bq300-8|bq300-8-pc|bq300-8-pc-rv|bq300-8-pc-w|bq300-8-pc-w-rv|bq300-8rv|bq300-8w|bq300-pc|bq300-pc-rv|bq300-pc-w|bq300-pc-w-rv|bq300-rv|bq300-w|bq300-w-8rv|bq300-w-rv|bsdos-pc|bsdos-pc-m|bsdos-pc-nobold|bsdos-ppc|bsdos-sparc|c100|c100-rv|c108|c108-4p|c108-rv|c108-rv-4p|c108-w|ca22851|cad68-2|cad68-3|cbblit|cbunix|cci|cdc456|cdc721|cdc721-esc|cdc721ll|cdc752|cdc756|cg7900|cit101|cit101e|cit101e-132|cit101e-n|cit101e-n132|cit101e-rv|cit500|cit80|citoh|citoh-6lpi|citoh-8lpi|citoh-comp|citoh-elite|citoh-pica|citoh-prop|coco3|color_xterm|commodore|cons25|cons25-m|cons25l1|cons25l1-m|cons25r|cons25r-m|cons25w|cons30|cons30-m|cons43|cons43-m|cons50|cons50-
224 • Palo Alto Networks
m|cons50l1|cons50l1-m|cons50r|cons50r-m|cons60|cons60-m|cons60l1|cons60l1-m|cons60r|cons60r-m|contel300|contel301|cops10|crt|cs10|cs10-w|ct8500|ctrm|cyb110|cyb83|cygwin|cygwinB19|cygwinDBG|d132|d200|d210|d210-dg|d211|d211-7b|d211-dg|d216-dg|d216-unix|d216-unix-25|d217-unix|d217-unix-25|d220|d220-7b|d220-dg|d230c|d230c-dg|d400|d410|d410-7b|d410-7b-w|d410-dg|d410-w|d412-dg|d412-unix|d412-unix-25|d412-unix-s|d412-unix-sr|d412-unix-w|d413-unix|d413-unix-25|d413-unix-s|d413-unix-sr|d413-unix-w|d414-unix|d414-unix-25|d414-unix-s|d414-unix-sr|d414-unix-w|d430c-dg|d430c-dg-ccc|d430c-unix|d430c-unix-25|d430c-unix-25-ccc|d430c-unix-ccc|d430c-unix-s|d430c-unix-s-ccc|d430c-unix-sr|d430c-unix-sr-ccc|d430c-unix-w|d430c-unix-w-ccc|d470c|d470c-7b|d470c-dg|d555|d555-7b|d555-7b-w|d555-dg|d555-w|d577|d577-7b|d577-7b-w|d577-dg|d577-w|d578|d578-7b|d800|ddr|dec-vt100|dec-vt220|decansi|delta|dg+ccc|dg+color|dg+color8|dg+fixed|dg-generic|dg200|dg210|dg211|dg450|dg460-ansi|dg6053|dg6053-old|dgkeys+11|dgkeys+15|dgkeys+7b|dgkeys+8b|dgmode+color|dgmode+color8|dgunix+ccc|dgunix+fixed|diablo1620|diablo1620-m8|diablo1640|diablo1640-lm|diablo1740-lm|digilog|djgpp|djgpp203|djgpp204|dku7003|dku7003-dumb|dku7102-old|dku7202|dm1520|dm2500|dm3025|dm3045|dm80|dm80w|dmchat|dmterm|dp3360|dp8242|dt100|dt100w|dt110|dt80-sas|dtc300s|dtc382|dtterm|dumb|dw1|dw2|dw3|dw4|dwk|ecma+color|ecma+sgr|elks|elks-ansi|elks-glasstty|elks-vt52|emu|emu-220|emx-base|env230|ep40|ep48|ergo4000|esprit|esprit-am|Eterm|eterm|ex155|excel62|excel62-rv|excel62-w|f100|f100-rv|f110|f110-14|f110-14w|f110-w|f1720|f200|f200-w|f200vi|f200vi-w|falco|falco-p|fos|fox|gator|gator-52|gator-52t|gator-t|gigi|glasstty|gnome|gnome-rh62|gnome-rh72|gnome-rh80|gnome-rh90|go140|go140w|go225|graphos|graphos-30|gs6300|gsi|gt40|gt42|guru|guru+rv|guru+s|guru-24|guru-44|guru-44-s|guru-76|guru-76-lp|guru-76-s|guru-76-w|guru-76-w-s|guru-76-wm|guru-nctxt|guru-rv|guru-s|h19|h19-a|h19-bs|h19-g|h19-u|h19-us|h19k|ha8675|ha8686|hazel|hds200|hft-c|hft-c-old|hft-old|hirez100|hirez100-w|hmod1|hp+arrows|hp+color|hp+labels|hp+pfk+arrows|hp+pfk+cr|hp+pfk-cr|hp+printer|hp110|hp150|hp2|hp236|hp2382a|hp2392|hp2397a|hp2621|hp2621-48|hp2621-a|hp2621-ba|hp2621-fl|hp2621-k45|hp2621-nl|hp2621-nt|hp2621b|hp2621b-kx|hp2621b-kx-p|hp2621b-p|hp2621p|hp2621p-a|hp2622|hp2623|hp2624|hp2624-10p|hp2624b-10p-p|hp2624b-p|hp2626|hp2626-12|hp2626-12-s|hp2626-12x40|hp2626-ns|hp2626-s|hp2626-x40|hp2627a|hp2627a-rev|hp2627c|hp262x|hp2640a|hp2640b|hp2641a|hp2645|hp2648|hp300h|hp700-wy|hp70092|hp9837|hp9845|hp98550|hpansi|hpex|hpgeneric|hpsub|hpterm|hurd|hz1000|hz1420|hz1500|hz1510|hz1520|hz1520-noesc|hz1552|hz1552-rv|hz2000|i100|i400|ibcs2|ibm+16color|ibm+color|ibm-apl|ibm-pc|ibm-system1|ibm3101|ibm3151|ibm3161|ibm3161-C|ibm3162|ibm3164|ibm327x|ibm5081|ibm5081-c|ibm5151|ibm5154|ibm6153|ibm6153-40|ibm6153-90|ibm6154|ibm6155|ibm8503|ibm8512|ibm8514|ibm8514-c|ibmaed|ibmapa8c|ibmapa8c-c|ibmega|ibmega-c|ibmmono|ibmpc|ibmpc3|ibmpcx|ibmvga|ibmvga-c|icl6404|icl6404-w|ifmr|ims-ansi|ims950|ims950-b|ims950-rv|infoton|interix|interix-nti|intertube|intertube2|intext|intext2|iris-ansi|iris-ansi-ap|iris-color|jaixterm|jaixterm-m|kaypro|kermit|kermit-am|klone+acs|klone+color|klone+koi8acs|klone+sgr|klone+sgr-dumb|konsole|konsole-16color|konsole-base|konsole-linux|konsole-vt100|konsole-vt420pc|konsole-xf3x|konsole-xf4x|kt7|kt7ix|kterm|kterm-color|kvt|lft|linux|linux-basic|linux-c|linux-c-nc|linux-koi8|linux-koi8r|linux-lat|linux-m|linux-nic|linux-vt|lisa|lisaterm|lisaterm-w|liswb|ln03|ln03-w|lpr|luna|m2-nam|mac|mac-w|mach|mach-bold|mach-color|mai|masscomp|masscomp1|masscomp2|megatek|memhp|mgr|mgr-linux|mgr-sun|mgterm|microb|mime|mime-fb|mime-hb|mime2a|mime2a-s|mime314|mime3a|mime3ax|minitel1|minitel1b|minitel1b-80|minix|minix-
Palo Alto Networks • 225
old|minix-old-am|mlterm|mm340|modgraph|modgraph2|modgraph48|mono-emx|morphos|ms-vt-utf8|ms-vt100|ms-vt100+|ms-vt100-color|msk227|msk22714|msk227am|mt4520-rv|mt70|mterm|mterm-ansi|MtxOrb|MtxOrb162|MtxOrb204|mvterm|nansi.sys|nansi.sysk|ncr160vppp|ncr160vpwpp|ncr160vt100an|ncr160vt100pp|ncr160vt100wan|ncr160vt100wpp|ncr160vt200an|ncr160vt200pp|ncr160vt200wan|ncr160vt200wpp|ncr160vt300an|ncr160vt300pp|ncr160vt300wan|ncr160vt300wpp|ncr160wy50+pp|ncr160wy50+wpp|ncr160wy60pp|ncr160wy60wpp|ncr260intan|ncr260intpp|ncr260intwan|ncr260intwpp|ncr260vppp|ncr260vpwpp|ncr260vt100an|ncr260vt100pp|ncr260vt100wan|ncr260vt100wpp|ncr260vt200an|ncr260vt200pp|ncr260vt200wan|ncr260vt200wpp|ncr260vt300an|ncr260vt300pp|ncr260vt300wan|NCR260VT300WPP|ncr260wy325pp|ncr260wy325wpp|ncr260wy350pp|ncr260wy350wpp|ncr260wy50+pp|ncr260wy50+wpp|ncr260wy60pp|ncr260wy60wpp|ncr7900i|ncr7900iv|ncr7901|ncrvt100an|ncrvt100wan|ncsa|ncsa-m|ncsa-m-ns|ncsa-ns|ncsa-vt220|nec5520|newhp|newhpkeyboard|news-29|news-29-euc|news-29-sjis|news-33|news-33-euc|news-33-sjis|news-42|news-42-euc|news-42-sjis|news-old-unk|news-unk|news28|news29|next|nextshell|northstar|nsterm|nsterm+7|nsterm+acs|nsterm+c|nsterm+c41|nsterm+mac|nsterm+s|nsterm-7|nsterm-7-c|nsterm-acs|nsterm-c|nsterm-c-acs|nsterm-c-s|nsterm-c-s-7|nsterm-c-s-acs|nsterm-m|nsterm-m-7|nsterm-m-acs|nsterm-m-s|nsterm-m-s-7|nsterm-m-s-acs|nsterm-s|nsterm-s-7|nsterm-s-acs|nwp511|nwp512|nwp512-a|nwp512-o|nwp513|nwp513-a|nwp513-o|nwp517|nwp517-w|oblit|oc100|ofcons|oldpc3|oldsun|omron|opennt-100|opennt-100-nti|opennt-35|opennt-35-nti|opennt-35-w|opennt-50|opennt-50-nti|opennt-50-w|opennt-60|opennt-60-nti|opennt-60-w|opennt-w|opennt-w-vt|opus3n1+|origpc3|osborne|osborne-w|osexec|otek4112|otek4115|owl|p19|p8gl|pc-coherent|pc-minix|pc-venix|pc3|pc6300plus|pcansi|pcansi-25|pcansi-25-m|pcansi-33|pcansi-33-m|pcansi-43|pcansi-43-m|pcansi-m|pccons|pcix|pckermit|pckermit120|pcmw|pcplot|pcvt25|pcvt25-color|pcvt25w|pcvt28|pcvt28w|pcvt35|pcvt35w|pcvt40|pcvt40w|pcvt43|pcvt43w|pcvt50|pcvt50w|pcvtXX|pe1251|pe7000c|pe7000m|pilot|pmcons|prism12|prism12-m|prism12-m-w|prism12-w|prism14|prism14-m|prism14-m-w|prism14-w|prism2|prism4|prism5|prism7|prism8|prism8-w|prism9|prism9-8|prism9-8-w|prism9-w|pro350|ps300|psterm|psterm-80x24|psterm-90x28|psterm-96x48|psterm-fast|pt100|pt100w|pt210|pt250|pt250w|pty|putty|qansi|qansi-g|qansi-m|qansi-t|qansi-w|qdss|qnx|qnxm|qnxt|qnxt2|qnxtmono|qnxw|qume5|qvt101|qvt101+|qvt102|qvt103|qvt103-w|qvt119+|qvt119+-25|qvt119+-25-w|qvt119+-w|qvt203|qvt203-25|qvt203-25-w|qvt203-w|rbcomm|rbcomm-nam|rbcomm-w|rca|rcons|rcons-color|regent|regent100|regent20|regent25|regent40|regent40+|regent60|rt6221|rt6221-w|rtpc|rxvt|rxvt+pcfkeys|rxvt-16color|rxvt-basic|rxvt-color|rxvt-cygwin|rxvt-cygwin-native|rxvt-xpm|sb1|sb2|sbi|scanset|scoansi|scoansi-new|scoansi-old|screen|screen-bce|screen-s|screen-w|screen.linux|screen.teraterm|screen.xterm-r6|screen.xterm-xfree86|screen2|screen3|screwpoint|scrhp|sibo|simterm|soroc120|soroc140|st52|sun|sun-1|sun-12|sun-17|sun-24|sun-34|sun-48|sun-c|sun-cgsix|sun-e|sun-e-s|sun-il|sun-s|sun-type4|superbee-xsb|superbeeic|superbrain|swtp|synertek|t10|t1061|t1061f|t16|t3700|t3800|tab132|tab132-rv|tab132-w|tab132-w-rv|tandem6510|tandem653|tek|tek4013|tek4014|tek4014-sm|tek4015|tek4015-sm|tek4023|tek4024|tek4025-17|tek4025-17-ws|tek4025-cr|tek4025-ex|tek4025a|tek4025ex|tek4105|tek4105-30|tek4105a|tek4106brl|tek4107|tek4112|tek4112-5|tek4112-nd|tek4113|tek4113-34|tek4113-nd|tek4115|tek4125|tek4205|tek4207|tek4207-s|tek4404|teletec|teraterm|terminet1200|ti700|ti916|ti916-132|ti916-8|ti916-8-132|ti924|ti924-8|ti924-8w|ti924w|ti926|ti926-8|ti928|ti928-8|ti931|ti_ansi|trs16|trs2|ts100|ts100-ctxt|tt|tt505-22|tty33|tty37|tty40|tty43|tvi803|tvi9065|tvi910|tvi910+|tvi912|tvi912b|tvi912b+2p|tvi912b+dim|tvi912b+mc|tvi912b+printer|tvi912b+vb|tvi912b-2p|tvi912b-
226 • Palo Alto Networks
2p-mc|tvi912b-2p-p|tvi912b-2p-unk|tvi912b-mc|tvi912b-p|tvi912b-unk|tvi912b-vb|tvi912b-vb-mc|tvi912b-vb-p|tvi912b-vb-unk|tvi912cc|tvi920b|tvi920b+fn|tvi920b-2p|tvi920b-2p-mc|tvi920b-2p-p|tvi920b-2p-unk|tvi920b-mc|tvi920b-p|tvi920b-unk|tvi920b-vb|tvi920b-vb-mc|tvi920b-vb-p|tvi920b-vb-unk|tvi921|tvi924|tvi925|tvi925-hi|tvi92B|tvi92D|tvi950|tvi950-2p|tvi950-4p|tvi950-rv|tvi950-rv-2p|tvi950-rv-4p|tvi955|tvi955-hb|tvi955-w|tvi970|tvi970-2p|tvi970-vb|tvipt|tws-generic|tws2102-sna|tws2103|tws2103-sna|uniterm|unknown|uts30|uwin|v3220|v5410|vanilla|vc303|vc303a|vc404|vc404-s|vc414|vc415|versaterm|vi200|vi200-f|vi200-rv|vi300|vi300-old|vi50|vi500|vi50adm|vi55|vi550|vi603|viewpoint|vip|vip-H|vip-Hw|vip-w|visa50|vp3a+|vp60|vp90|vremote|vsc|vt100|vt100+fnkeys|vt100+keypad|vt100+pfkeys|vt100-nav|vt100-nav-w|vt100-putty|vt100-s|vt100-s-bot|vt100-vb|vt100-w|vt100-w-nam|vt100nam|vt102|vt102-nsgr|vt102-w|vt125|vt131|vt132|vt200-js|vt220|vt220+keypad|vt220-8bit|vt220-nam|vt220-old|vt220-w|vt220d|vt320|vt320-k3|vt320-k311|vt320-nam|vt320-w|vt320-w-nam|vt320nam|vt340|vt400|vt420|vt420f|vt420pc|vt420pcdos|vt50|vt50h|vt510|vt510pc|vt510pcdos|vt52|vt520|vt525|vt61|wsiris|wsvt25|wsvt25m|wy100|wy100q|wy120|wy120-25|wy120-25-w|wy120-vb|wy120-w|wy120-w-vb|wy160|wy160-25|wy160-25-w|wy160-42|wy160-42-w|wy160-43|wy160-43-w|wy160-tek|wy160-vb|wy160-w|wy160-w-vb|wy185|wy185-24|wy185-vb|wy185-w|wy185-wvb|wy30|wy30-mc|wy30-vb|wy325|wy325-25|wy325-25w|wy325-42|wy325-42w|wy325-42w-vb|wy325-43|wy325-43w|wy325-43w-vb|wy325-vb|wy325-w|wy325-w-vb|wy350|wy350-vb|wy350-w|wy350-wvb|wy370|wy370-105k|wy370-EPC|wy370-nk|wy370-rv|wy370-tek|wy370-vb|wy370-w|wy370-wvb|wy50|wy50-mc|wy50-vb|wy50-w|wy50-wvb|wy520|wy520-24|wy520-36|wy520-36pc|wy520-36w|wy520-36wpc|wy520-48|wy520-48pc|wy520-48w|wy520-48wpc|wy520-epc|wy520-epc-24|wy520-epc-vb|wy520-epc-w|wy520-epc-wvb|wy520-vb|wy520-w|wy520-wvb|wy60|wy60-25|wy60-25-w|wy60-42|wy60-42-w|wy60-43|wy60-43-w|wy60-vb|wy60-w|wy60-w-vb|wy75|wy75-mc|wy75-vb|wy75-w|wy75-wvb|wy75ap|wy85|wy85-8bit|wy85-vb|wy85-w|wy85-wvb|wy99-ansi|wy99a-ansi|wy99f|wy99fa|wy99gt|wy99gt-25|wy99gt-25-w|wy99gt-tek|wy99gt-vb|wy99gt-w|wy99gt-w-vb|wyse-vp|x10term|x68k|xerox1720|xerox820|xnuppc|xnuppc+100x37|xnuppc+112x37|xnuppc+128x40|xnuppc+128x48|xnuppc+144x48|xnuppc+160x64|xnuppc+200x64|xnuppc+200x75|xnuppc+256x96|xnuppc+80x25|xnuppc+80x30|xnuppc+90x30|xnuppc+b|xnuppc+basic|xnuppc+c|xnuppc+f|xnuppc+f2|xnuppc-100x37|xnuppc-100x37-m|xnuppc-112x37|xnuppc-112x37-m|xnuppc-128x40|xnuppc-128x40-m|xnuppc-128x48|xnuppc-128x48-m|xnuppc-144x48|xnuppc-144x48-m|xnuppc-160x64|xnuppc-160x64-m|xnuppc-200x64|xnuppc-200x64-m|xnuppc-200x75|xnuppc-200x75-m|xnuppc-256x96|xnuppc-256x96-m|xnuppc-80x25|xnuppc-80x25-m|xnuppc-80x30|xnuppc-80x30-m|xnuppc-90x30|xnuppc-90x30-m|xnuppc-b|xnuppc-f|xnuppc-f2|xnuppc-m|xnuppc-m-b|xnuppc-m-f|xnuppc-m-f2|xtalk|xterm|xterm+pcfkeys|xterm+sl|xterm+sl-twm|xterm-1002|xterm-1003|xterm-16color|xterm-24|xterm-256color|xterm-88color|xterm-8bit|xterm-basic|xterm-bold|xterm-color|xterm-hp|xterm-new|xterm-nic|xterm-noapp|xterm-pcolor|xterm-r5|xterm-r6|xterm-sco|xterm-sun|xterm-vt220|xterm-vt52|xterm-xf86-v32|xterm-xf86-v33|xterm-xf86-v333|xterm-xf86-v40|xterm-xf86-v43|xterm-xf86-v44|xterm-xfree86|xterm-xi|xterm1|xtermc|xtermm|xterms-sun|z100|z100bw|z29|z29a|z29a-kc-uc|z29a-nkc-bc|z29a-nkc-uc|z340|z340-nam|z39-a|zen30|zen50|ztx; OR... width 1-500; OR... height 1-500; } } OR... clock { date <value>; time <value>;
Palo Alto Networks • 227
} OR... data-access-password <value>; OR... logging { max-log-rate 0-50000; OR... max-packet-rate 0-2560; OR... log-suppression yes|no; OR... default; } OR... management-server { unlock { admin <value>; } OR... logging on|off|import-start|import-end; } OR... multi-vsys on|off; OR... panorama on|off; OR... password; OR... proxy { skip-proxy yes|no; OR... skip-ssl yes|no; OR... answer-timeout 1-86400; OR... notify-user yes|no; } OR... session { timeout-tcp 1-15999999; OR... timeout-udp 1-15999999; OR... timeout-icmp 1-15999999; OR... timeout-default 1-15999999; OR... timeout-tcpinit 1-60; OR... timeout-tcpwait 1-60; OR... timeout-scan 5-30; OR... scan-threshold 50-99; OR... scan-scaling-factor 2-16; OR... accelerated-aging-enable yes|no; OR...
228 • Palo Alto Networks
accelerated-aging-threshold 50-99; OR... accelerated-aging-scaling-factor 2-16; OR... tcp-reject-non-syn yes|no; OR... offload yes|no; OR... default; } OR... shared-policy enable|disable|import-and-disable; OR... target-vsys <value>; OR... zip { enable yes|no; } } OR... request { certificate { self-signed { for-use-by web-interface|ssl-decryption|ssl-untrusted; passphrase <value>; name <value>; nbits 1024|512; country-code <value>; state <value>; locality <value>; organization <value>; organization-unit <value>; email <value>; } OR... install { for-use-by { web-interface { passphrase <value>; key <value>; certificate <value>; } OR... ssl-decryption { passphrase <value>; key <value>; certificate <value>; } OR... ssl-untrusted { passphrase <value>; key <value>; certificate <value>; } OR... reverse-proxy { passphrase <value>; key <value>; certificate <value>;
Palo Alto Networks • 229
name <value>; } } } OR... verify { for-use-by { web-interface { passphrase <value>; key <value>; certificate <value>; } } } } OR... comfort-page { install application-block-page|url-block-page|spyware-block-page|virus-block-page|file-block-page; } OR... content { downgrade { install <value>; } OR... upgrade { info; OR... check; OR... download latest; OR... install { latest { no-commit; } OR... file <value>; } } } OR... data-filtering { access-password { create { password <value>; } OR... modify { old-password <value>; new-password <value>; } OR... delete; } } OR... device-registration {
230 • Palo Alto Networks
username <value>; password <value>; } OR... high-availability { sync-to-remote { candidate-config; OR... running-config; OR... disk-state; OR... runtime-state; OR... clock; } OR... state { suspend; OR... functional; } OR... clear-alarm-led; } OR... license { info; OR... fetch { auth-code <value>; } OR... install <value>; } OR... restart { system; OR... software; OR... dataplane; } OR... ssl-optout-text { install; } OR... support { info; OR... check; } OR... system { software { info; OR... check;
Palo Alto Networks • 231
OR... download { version <value>; OR... file <value>; } OR... install { version <value>; OR... file <value>; } } OR... factory-reset; } OR... url-filtering { upgrade; } } OR... check { data-access-passwd { system; } OR... pending-changes; } OR... save { config { to <value>; } } OR... scp { export { configuration { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... packet-log { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... pdf-reports { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR...
232 • Palo Alto Networks
filter { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... application { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... trusted-ca-certificate { to <value>; remote-port 1-65535; source-ip <ip>; } OR... web-interface-certificate { to <value>; remote-port 1-65535; source-ip <ip>; } OR... logdb { to <value>; remote-port 1-65535; source-ip <ip>; } OR... log { traffic { start-time { equal <value>; } end-time { equal <value>; } to <value>; remote-port 1-65535; source-ip <ip>; } OR... threat { start-time { equal <value>; } end-time { equal <value>; } to <value>; remote-port 1-65535; source-ip <ip>; } } OR... stats-dump {
Palo Alto Networks • 233
to <value>; remote-port 1-65535; source-ip <ip>; } OR... tech-support { to <value>; remote-port 1-65535; source-ip <ip>; } OR... core-file { control-plane { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... data-plane { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } } OR... log-file { control-plane { to <value>; remote-port 1-65535; source-ip <ip>; } OR... data-plane { to <value>; remote-port 1-65535; source-ip <ip>; } } OR... ssl-optout-text { to <value>; remote-port 1-65535; source-ip <ip>; } OR... captive-portal-text { to <value>; remote-port 1-65535; source-ip <ip>; } OR... url-coach-text { to <value>; remote-port 1-65535; source-ip <ip>; } OR...
234 • Palo Alto Networks
file-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... application-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... url-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... virus-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... spyware-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... debug-pcap { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } } OR... import { configuration { from <value>; remote-port 1-65535; source-ip <ip>; } OR... ssl-decryption-certificate { from <value>; remote-port 1-65535; source-ip <ip>; } OR... private-key { from <value>; remote-port 1-65535; source-ip <ip>; } OR... web-interface-certificate { from <value>;
Palo Alto Networks • 235
remote-port 1-65535; source-ip <ip>; } OR... trusted-ca-certificate { from <value>; remote-port 1-65535; source-ip <ip>; } OR... logdb { from <value>; remote-port 1-65535; source-ip <ip>; } OR... license { from <value>; remote-port 1-65535; source-ip <ip>; } OR... content { from <value>; remote-port 1-65535; source-ip <ip>; } OR... software { from <value>; remote-port 1-65535; source-ip <ip>; } OR... reverse-proxy-key { from <value>; remote-port 1-65535; source-ip <ip>; } OR... ssl-optout-text { from <value>; remote-port 1-65535; source-ip <ip>; } OR... captive-portal-text { from <value>; remote-port 1-65535; source-ip <ip>; } OR... url-coach-text { from <value>; remote-port 1-65535; source-ip <ip>; } OR... application-block-page {
236 • Palo Alto Networks
from <value>; remote-port 1-65535; source-ip <ip>; } OR... url-block-page { from <value>; remote-port 1-65535; source-ip <ip>; } OR... file-block-page { from <value>; remote-port 1-65535; source-ip <ip>; } OR... virus-block-page { from <value>; remote-port 1-65535; source-ip <ip>; } OR... spyware-block-page { from <value>; remote-port 1-65535; source-ip <ip>; } } } OR... tftp { export { configuration { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... packet-log { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... filter { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... application { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>;
Palo Alto Networks • 237
} OR... trusted-ca-certificate { to <value>; remote-port 1-65535; source-ip <ip>; } OR... web-interface-certificate { to <value>; remote-port 1-65535; source-ip <ip>; } OR... stats-dump { to <value>; remote-port 1-65535; source-ip <ip>; } OR... tech-support { to <value>; remote-port 1-65535; source-ip <ip>; } OR... core-file { control-plane { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } OR... data-plane { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } } OR... log-file { control-plane { to <value>; remote-port 1-65535; source-ip <ip>; } OR... data-plane { to <value>; remote-port 1-65535; source-ip <ip>; } } OR... ssl-optout-text { to <value>; remote-port 1-65535;
238 • Palo Alto Networks
source-ip <ip>; } OR... captive-portal-text { to <value>; remote-port 1-65535; source-ip <ip>; } OR... url-coach-text { to <value>; remote-port 1-65535; source-ip <ip>; } OR... file-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... application-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... url-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... virus-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... spyware-block-page { to <value>; remote-port 1-65535; source-ip <ip>; } OR... debug-pcap { from <pathname>; to <value>; remote-port 1-65535; source-ip <ip>; } } OR... import { configuration { from <value>; file <value>; remote-port 1-65535; source-ip <ip>;
Palo Alto Networks • 239
} OR... ssl-decryption-certificate { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... private-key { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... web-interface-certificate { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... trusted-ca-certificate { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... license { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... content { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... software { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... ssl-optout-text { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... captive-portal-text {
240 • Palo Alto Networks
from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... url-coach-text { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... file-block-page { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... application-block-page { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... url-block-page { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... virus-block-page { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } OR... spyware-block-page { from <value>; file <value>; remote-port 1-65535; source-ip <ip>; } } } OR... load { config { from <value>; OR... version <value>; } } OR... download {
Palo Alto Networks • 241
custom-report { report-name <value>; file-name <value>|; format csv|pdf|xml; } OR... dlplog { file <value>; } OR... generic { file <value>; } OR... pktlog { file <value>; } OR... report { report-name <value>; file-name <value>|; format csv|pdf|xml; } OR... summary-report { report-name <value>; file-name <value>|; } } OR... test { cp-policy-match { from <value>; to <value>; source <value>; destination <value>; } OR... nat-policy-match { from <value>; to <value>; source <value>; destination <value>; protocol 1-255; source-port 1-65535; destination-port 1-65535; protocol 1-255; } OR... routing { fib-lookup { ip <ip>; virtual-router <value>; } } OR... security-policy-match { from <value>; to <value>;
242 • Palo Alto Networks
source <value>; destination <value>; destination-port 1-65535; source-user <value>; protocol 1-255; show-all yes|no; application <value>; } OR... ssl-policy-match { from <value>; to <value>; source <value>; destination <value>; category <value>; } OR... vpn { ike-sa { gateway <value>; } OR... ipsec-sa { tunnel <value>; } } } OR... less { mp-log <pathname>; OR... dp-log <pathname>; OR... mp-backtrace <pathname>; OR... dp-backtrace <pathname>; OR... webserver-log <pathname>; OR... custom-page <pathname>; } OR... grep { mp-log <pathname>; OR... dp-log <pathname>; after-context 1-65535; before-context 1-65535; context 1-65535; count yes|no; ignore-case yes|no; invert-match yes|no; line-number yes|no; max-count 1-65535; no-filename yes|no; pattern <value>; } OR... ping {
Palo Alto Networks • 243
bypass-routing yes|no; count 1-2000000000; do-not-fragment yes|no; host <value>; inet yes|no; interval 1-2000000000; no-resolve yes|no; pattern <value>; record-route yes|no; size 0-65468; source <value>; tos 1-255; ttl 1-255; verbose yes|no; wait 1-99999; } OR... ssh { host <value>; inet yes|no; port 0-65535; source <value>; v1 yes|no; v2 yes|no; } OR... tail { mp-log <pathname>; OR... dp-log <pathname>; OR... webserver-log <pathname>; follow yes|no; lines 1-65535; } OR... view-pcap { application-pcap <pathname>; OR... filter-pcap <pathname>; OR... threat-pcap <pathname>; OR... debug-pcap <pathname>; absolute-seq yes|no; delta yes|no; hex yes|no; hex-ascii yes|no; hex-ascii-link yes|no; hex-link yes|no; link-header yes|no; no-dns-lookup yes|no; no-port-lookup yes|no; no-qualification yes|no; no-timestamp yes|no; timestamp yes|no; undecoded-NFS yes|no; unformatted-timestamp yes|no; verbose yes|no;
244 • Palo Alto Networks
verbose+ yes|no; verbose++ yes|no; } OR... telnet { 8bit yes|no; host <value>; port 0-65535; } OR... traceroute { base-udp-port 1-65535; bypass-routing yes|no; debug-socket yes|no; do-not-fragment yes|no; first-ttl 1-255; gateway <ip/netmask>; host <value>; max-ttl 1-255; no-resolve yes|no; pause 1-2000000000; source <value>; toggle-ip-checksums yes|no; tos 1-255; verbose yes|no; wait 1-99999; } OR... netstat { all yes|no; cache yes|no; continuous yes|no; extend yes|no; fib yes|no; groups yes|no; interfaces yes|no; listening yes|no; masquerade yes|no; numeric yes|no; numeric-hosts yes|no; numeric-ports yes|no; numeric-users yes|no; programs yes|no; route yes|no; statistics yes|no; symbolic yes|no; timers yes|no; verbose yes|no; }}
Palo Alto Networks • 245
Panorama Hierarchyconfig { predefined; mgt-config { users { REPEAT... <name> { phash <value>; remote-authentication radius; preferences { disable-dns yes|no; } permissions { role-based { superreader yes; OR... superuser yes; OR... panorama-admin yes; } } } } devices { REPEAT... <name> { hostname <value>; ip <ip>; } } } devices { REPEAT... <name> { deviceconfig { system { hostname <value>; domain <value>; ip-address <ip>; netmask <ip>; default-gateway <ip>; radius-server <ip>; radius-secret <value>; dns-primary <ip>; dns-secondary <ip>; ntp-server-1 <value>; ntp-server-2 <value>; update-server <value>; secure-proxy-server <value>; secure-proxy-port 1-65535; service { disable-http yes|no; disable-https yes|no; disable-telnet yes|no; disable-ssh yes|no; disable-icmp yes|no; }
246 • Palo Alto Networks
timezone W-SU|CST6CDT|Japan|Portugal|Hongkong|Mideast|Mideast/Riyadh87|Mideast/Riyadh88|Mideast/Riyadh89|Eire|Poland|Factory|GB-Eire|America|America/Port_of_Spain|America/Indiana|America/Indiana/Vevay|America/Indiana/Indianapolis|America/Indiana/Marengo|America/Indiana/Knox|America/St_Johns|America/Grand_Turk|America/Tijuana|America/Toronto|America/Araguaina|America/Virgin|America/El_Salvador|America/Coral_Harbour|America/Jujuy|America/Mexico_City|America/Guyana|America/Cayman|America/Ensenada|America/Fortaleza|America/Iqaluit|America/Boa_Vista|America/Chihuahua|America/Nome|America/Cancun|America/Cayenne|America/Recife|America/Panama|America/Caracas|America/Costa_Rica|America/Cambridge_Bay|America/Martinique|America/Yellowknife|America/Godthab|America/Sao_Paulo|America/Edmonton|America/Fort_Wayne|America/Danmarkshavn|America/Barbados|America/Dawson|America/Thunder_Bay|America/Tegucigalpa|America/Chicago|America/Guadeloupe|America/Grenada|America/Anguilla|America/Kentucky|America/Kentucky/Monticello|America/Kentucky/Louisville|America/Argentina|America/Argentina/Jujuy|America/Argentina/Ushuaia|America/Argentina/Catamarca|America/Argentina/San_Juan|America/Argentina/Mendoza|America/Argentina/La_Rioja|America/Argentina/Buenos_Aires|America/Argentina/Tucuman|America/Argentina/ComodRivadavia|America/Argentina/Cordoba|America/Argentina/Rio_Gallegos|America/Mazatlan|America/Regina|America/Montevideo|America/Catamarca|America/Los_Angeles|America/Campo_Grande|America/Aruba|America/Manaus|America/Knox_IN|America/Rosario|America/St_Lucia|America/Hermosillo|America/Denver|America/Detroit|America/Santiago|America/Shiprock|America/Cuiaba|America/Dominica|America/Porto_Acre|America/Curacao|America/Belize|America/Merida|America/Swift_Current|America/Antigua|America/Adak|America/Indianapolis|America/Belem|America/Miquelon|America/Louisville|America/Bogota|America/New_York|America/Boise|America/Scoresbysund|America/Mendoza|America/Goose_Bay|America/Yakutat|America/Eirunepe|America/Winnipeg|America/Buenos_Aires|America/Menominee|America/Paramaribo|America/Thule|America/Montreal|America/Jamaica|America/Monterrey|America/St_Thomas|America/Rio_Branco|America/Lima|America/Juneau|America/La_Paz|America/Vancouver|America/Rankin_Inlet|America/Puerto_Rico|America/St_Kitts|America/Halifax|America/Guayaquil|America/Inuvik|America/Noronha|America/Nassau|America/Port-au-Prince|America/Guatemala|America/Glace_Bay|America/Nipigon|America/Cordoba|America/Bahia|America/Asuncion|America/Maceio|America/Atka|America/North_Dakota|America/North_Dakota/Center|America/Managua|America/Anchorage|America/Montserrat|America/Tortola|America/Dawson_Creek|America/Santo_Domingo|America/Pangnirtung|America/Whitehorse|America/St_Vincent|America/Porto_Velho|America/Havana|America/Phoenix|America/Rainy_River|Indian|Indian/Christmas|Indian/Reunion|Indian/Comoro|Indian/Cocos|Indian/Mauritius|Indian/Antananarivo|Indian/Mahe|Indian/Mayotte|Indian/Kerguelen|Indian/Chagos|Indian/Maldives|GMT0|Canada|Canada/Yukon|Canada/Saskatchewan|Canada/Central|Canada/Eastern|Canada/East-Saskatchewan|Canada/Atlantic|Canada/Pacific|Canada/Mountain|Canada/Newfoundland|MET|ROK|US|US/Alaska|US/East-Indiana|US/Central|US/Eastern|US/Samoa|US/Arizona|US/Pacific|US/Aleutian|US/Hawaii|US/Mountain|US/Michigan|US/Indiana-Starke|MST|Mexico|Mexico/BajaSur|Mexico/General|Mexico/BajaNorte|EST5EDT|Atlantic|Atlantic/Madeira|Atlantic/Cape_Verde|Atlantic/St_Helena|Atlantic/Stanley|Atlantic/South_Georgia|Atlantic/Jan_Mayen|Atlantic/Azores|Atlantic/Reykjavik|Atlantic/Canary|Atlantic/Faeroe|Atlantic/Bermuda|HST|Antarctica|Antarctica/McMurdo|Antarctica/Davis|Antarctica/South_Pole|Antarctica/Vostok|Antarctica/Rothera|Antarctica/Mawson|Antarctica/DumontDUrville|Antarctica/Palmer|Antarctica/Casey|Antarctica/Syowa|UTC|Iceland|Pacific|Pacific/Honolulu|Pacific/Truk|Pacific/Niue|Pacific/Wake|Pacific/Apia|Pacific/Majuro|Pacific/Norfolk|Pacific/Efate|Pacific/Enderbury|Pacific/Palau|Pacific/Saipan|Pacific/Nauru|Pacific/Kiritimati|Pacific/Tahiti|Pacific/Guam|Pacific/
Palo Alto Networks • 247
Tongatapu|Pacific/Fiji|Pacific/Rarotonga|Pacific/Samoa|Pacific/Fakaofo|Pacific/Guadalcanal|Pacific/Port_Moresby|Pacific/Midway|Pacific/Galapagos|Pacific/Yap|Pacific/Johnston|Pacific/Marquesas|Pacific/Noumea|Pacific/Auckland|Pacific/Gambier|Pacific/Kwajalein|Pacific/Kosrae|Pacific/Wallis|Pacific/Easter|Pacific/Chatham|Pacific/Funafuti|Pacific/Pago_Pago|Pacific/Tarawa|Pacific/Pitcairn|Pacific/Ponape|EET|EST|Greenwich|GMT|Cuba|Brazil|Brazil/Acre|Brazil/East|Brazil/DeNoronha|Brazil/West|Turkey|Arctic|Arctic/Longyearbyen|NZ-CHAT|Zulu|Israel|Jamaica|Etc|Etc/GMT-14|Etc/GMT+6|Etc/GMT-10|Etc/GMT-2|Etc/GMT-8|Etc/GMT+4|Etc/GMT0|Etc/GMT-12|Etc/GMT+11|Etc/GMT-11|Etc/GMT+12|Etc/UTC|Etc/GMT-3|Etc/Greenwich|Etc/GMT-9|Etc/GMT|Etc/GMT+2|Etc/Zulu|Etc/GMT-4|Etc/GMT+7|Etc/GMT+1|Etc/GMT+8|Etc/GMT-7|Etc/GMT-6|Etc/GMT+10|Etc/GMT-5|Etc/GMT+0|Etc/GMT-1|Etc/GMT+3|Etc/GMT+5|Etc/GMT-13|Etc/UCT|Etc/Universal|Etc/GMT+9|Etc/GMT-0|NZ|Europe|Europe/Vienna|Europe/Athens|Europe/Tiraspol|Europe/Lisbon|Europe/Rome|Europe/Bratislava|Europe/Andorra|Europe/Sofia|Europe/Kaliningrad|Europe/Zurich|Europe/Belfast|Europe/Oslo|Europe/Samara|Europe/Malta|Europe/Chisinau|Europe/Moscow|Europe/Paris|Europe/Minsk|Europe/Zaporozhye|Europe/Amsterdam|Europe/Tallinn|Europe/Uzhgorod|Europe/Brussels|Europe/Vatican|Europe/Vaduz|Europe/San_Marino|Europe/Nicosia|Europe/Berlin|Europe/Vilnius|Europe/Monaco|Europe/Istanbul|Europe/Belgrade|Europe/Stockholm|Europe/Riga|Europe/Madrid|Europe/Gibraltar|Europe/Copenhagen|Europe/Skopje|Europe/Budapest|Europe/Dublin|Europe/Bucharest|Europe/Helsinki|Europe/Prague|Europe/Sarajevo|Europe/London|Europe/Tirane|Europe/Zagreb|Europe/Kiev|Europe/Warsaw|Europe/Ljubljana|Europe/Simferopol|Europe/Mariehamn|Europe/Luxembourg|Singapore|ROC|Kwajalein|Egypt|PST8PDT|GMT+0|Asia|Asia/Kuwait|Asia/Kamchatka|Asia/Thimphu|Asia/Macau|Asia/Gaza|Asia/Thimbu|Asia/Pyongyang|Asia/Vladivostok|Asia/Katmandu|Asia/Sakhalin|Asia/Muscat|Asia/Ashkhabad|Asia/Ulan_Bator|Asia/Riyadh|Asia/Riyadh87|Asia/Calcutta|Asia/Yerevan|Asia/Shanghai|Asia/Baghdad|Asia/Makassar|Asia/Oral|Asia/Hong_Kong|Asia/Jayapura|Asia/Omsk|Asia/Almaty|Asia/Saigon|Asia/Magadan|Asia/Chungking|Asia/Hovd|Asia/Brunei|Asia/Novosibirsk|Asia/Dacca|Asia/Qatar|Asia/Ulaanbaatar|Asia/Krasnoyarsk|Asia/Kuching|Asia/Qyzylorda|Asia/Karachi|Asia/Anadyr|Asia/Yakutsk|Asia/Seoul|Asia/Choibalsan|Asia/Macao|Asia/Samarkand|Asia/Yekaterinburg|Asia/Aqtobe|Asia/Riyadh88|Asia/Nicosia|Asia/Pontianak|Asia/Urumqi|Asia/Irkutsk|Asia/Taipei|Asia/Harbin|Asia/Istanbul|Asia/Colombo|Asia/Tel_Aviv|Asia/Jakarta|Asia/Amman|Asia/Bahrain|Asia/Tokyo|Asia/Chongqing|Asia/Ashgabat|Asia/Singapore|Asia/Aqtau|Asia/Baku|Asia/Bishkek|Asia/Dili|Asia/Tbilisi|Asia/Beirut|Asia/Riyadh89|Asia/Damascus|Asia/Aden|Asia/Dubai|Asia/Manila|Asia/Vientiane|Asia/Tehran|Asia/Kashgar|Asia/Dushanbe|Asia/Kabul|Asia/Bangkok|Asia/Rangoon|Asia/Jerusalem|Asia/Dhaka|Asia/Kuala_Lumpur|Asia/Tashkent|Asia/Phnom_Penh|Asia/Ujung_Pandang|CET|PRC|Africa|Africa/Kinshasa|Africa/Ndjamena|Africa/Mbabane|Africa/Lagos|Africa/El_Aaiun|Africa/Douala|Africa/Kampala|Africa/Mogadishu|Africa/Tripoli|Africa/Conakry|Africa/Niamey|Africa/Asmera|Africa/Khartoum|Africa/Lubumbashi|Africa/Kigali|Africa/Johannesburg|Africa/Blantyre|Africa/Malabo|Africa/Gaborone|Africa/Lome|Africa/Algiers|Africa/Addis_Ababa|Africa/Brazzaville|Africa/Dakar|Africa/Nairobi|Africa/Cairo|Africa/Banjul|Africa/Bamako|Africa/Bissau|Africa/Libreville|Africa/Sao_Tome|Africa/Casablanca|Africa/Timbuktu|Africa/Nouakchott|Africa/Freetown|Africa/Monrovia|Africa/Ceuta|Africa/Dar_es_Salaam|Africa/Lusaka|Africa/Abidjan|Africa/Bujumbura|Africa/Maseru|Africa/Bangui|Africa/Windhoek|Africa/Accra|Africa/Djibouti|Africa/Ouagadougou|Africa/Porto-Novo|Africa/Tunis|Africa/Maputo|Africa/Harare|Africa/Luanda|UCT|GB|Universal|Australia|Australia/Hobart|Australia/Lord_Howe|Australia/Perth|Australia/South|Australia/Yancowinna|Australia/Currie|Australia/Tasmania|Australia/Queensland|Australia/NSW|Australia/Lindeman|Australia/Melbourne|Australia/Adelaide|Australia/Victoria|Australia/Canberra|Australia/West|Australia/Brisbane|Australia/
248 • Palo Alto Networks
Broken_Hill|Australia/Darwin|Australia/ACT|Australia/North|Australia/Sydney|Australia/LHI|Iran|WET|Libya|MST7MDT|Chile|Chile/EasterIsland|Chile/Continental|GMT-0|Navajo; } } } }}
Palo Alto Networks • 249
November 4, 2008 - Palo Alto Networks COMPANY CONFIDENTIAL
Appendix BPAN-OS CLI KEYBOARD SHORTCUTS
This appendix lists the supported keyboard shortcuts and Editor Macros (EMACS) commands supported in the PAN-OS CLI.
Table 4 lists the keyboard shortcuts.
Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the Esc key.
Table 4. Keyboard Shortcuts
Item Description
Commands for Moving
beginning-of-line (C-a) Move to the start of the current line.
end-of-line (C-e) Move to the end of the line.
forward-char (C-f) Move forward a character.
backward-char (C-b) Move back a character.
forward-word (M-f)Move forward to the end of the next word. Words consist of alphanumeric characters (letters and digits).
backward-word (M-b)Move back to the start of this, or the previous, word. Words consist of alphanumeric characters (letters and digits).
clear-screen (C-l)Clear the screen and place the current line at the top of the screen. If an argument is included, refresh the current line without clearing the screen.
Commands for Manipulating Command History
accept-line (Newline, Return)Accept the line regardless of where the cursor is. If the line is non-empty, add it to the history list. If the line is a modified history line, then restore the history line to its original state.
previous-history (C-p)Fetch the previous command from the history list, moving back in the list.
next-history (C-n) Fetch the next command from the history list, moving forward in the list.
beginning-of-history (M-<) Move to the first line in the history.
250 • Palo Alto Networks
end-of-history (M->)Move to the end of the input history (the line currently being entered).
reverse-search-history (C-r)Search backward starting at the current line and moving up through the history as necessary. This is an incremental search.
forward-search-history (C-s) Search forward starting at the current line and moving down through the history as necessary. This is an incremental search.
non-incremental-reverse-search-history (M-p)
Search backward through the history starting at the current line using a non-incremental search for a string supplied by the user.
non-incremental-forward-search-history (M-n)
Search forward through the history using a non-incremental search for a string supplied by the user.
Commands for Changing Text
delete-char (C-d)Delete the character under the cursor. If point is at the beginning of the line, there are no characters in the line, and the last character typed was not C-d, then return EOF.
backward-delete-char (backspace)
Delete the character behind the cursor.
transpose-chars (C-t)Drag the character before point forward over the character at point. Point moves forward as well. If point is at the end of the line, then transpose the two characters before point.
transpose-words (M-t)Drag the word behind the cursor past the word in front of the cursor moving the cursor over that word as well.
upcase-word (M-u)Make the current (or following) word uppercase. With a negative argument, do the previous word, but do not move point.
downcase-word (M-l)Make the current (or following) word lowercase. With a negative argument, change the previous word, but do not move point.
capitalize-word (M-c)Capitalize the current (or following) word. With a negative argument, do the previous word, but do not move point.
Deleting and Yanking Text
kill-line (C-k)Delete the text from the current cursor position to the end of the line.
backward-kill-line (C-x backspace)
Delete backward to the beginning of the line.
unix-line-discard (C-u)
Delete backward from point to the beginning of the line
kill-word (M-d)Delete from the cursor to the end of the current word, or if between words, to the end of the next word. Word boundaries are the same as those used by forward-word.
backward-kill-word (M-backspace)
Delete the word behind the cursor. Word boundaries are the same as those used by backward-word.
unix-word-backspace (C-w)
Delete the word behind the cursor, using white space as a word boundary. The word boundaries are different from backward-kill-word.
yank (C-y) Place the top of the deleted section into the buffer at the cursor.
Table 4. Keyboard Shortcuts (Continued)
Item Description
Palo Alto Networks • 251
Table 5 lists the EMACS commands.
yank-pop (M-y)Rotate the kill-ring, and yank the new top. Only works following yank or yank-pop.
Completing Commands
complete (TAB) Attempt to perform completion on the text before point.
possible-completions (?)
List the possible completions of the text before point.
Performing Miscellaneous Functions
undo (C-_, C-x C-u) Perform an incremental undo, separately remembered for each line.
revert-line (M-r)Undo all changes made to this line. This is like typing the undo command enough times to return the line to its initial state.
Table 5. EMACS Commands
Command Description
Emacs Standard bindings
C-A beginning-of-line
C-B backward-char
C-D delete-char
C-E end-of-line
C-F forward-char
C-G abort
C-H backward-delete-char
C-I complete
C-J accept-line
C-K kill-line
C-L clear-screen
C-M accept-line
C-N next-history
C-P previous-history
C-R reverse-search-history
C-S forward-search-history
C-T transpose-chars
C-U unix-line-discard
C-W unix-word-backspace
C-Y yank
C-_ undo
Table 4. Keyboard Shortcuts (Continued)
Item Description
252 • Palo Alto Networks
Emacs Meta bindings
M-C-H backward-kill-word
M-C-R revert-line
M-< beginning-of-history
M-> end-of-history
? possible-completions
M-B backward-word
M-C capitalize-word
M-D kill-word
M-F forward-word
M-L downcase-word
M-N non-incremental-forward-search-history
M-P non-incremental-reverse-search-history
M-R revert-line
M-T transpose-words
M-U upcase-word
M-Y yank-pop
Table 5. EMACS Commands (Continued)
Command Description
November 4, 2008 - Palo Alto Networks COMPANY CONFIDENTIAL
253 • Index Palo Alto Networks
Symbols# prompt 13+ option symbol 17> option symbol 17> prompt 13? symbol 15
Aaccessing the CLI 12
Bbanner 13, 25
Cchanging
modes 15changing modes 14clear command 49CLI
accessing 12configuration mode 11EMACS commands
commands 251keyboard shortcuts 249operational model 11prompt 13structure 11
commands 27conventions 13display 27messages 14monitoring and troubleshooting 27navigation 27network access 27option symbols 17options 15understanding 13
commit command 21, 30configuration
hierarchy 23hierarchy paths 24
configuration modehierarchy 23prompt 13understanding 21
configure command 51control key 16conventions, typographical 8copy command 31
Ddebug captive-portal command 54debug cli command 55debug cpld command 56debug dataplane command 57debug device-server command 59debug dhcpd command 60debug ez command 61debug high-availability-agent command 62debug ike command 63debug keymgr command 64debug log-receiver command 65debug management-server command 66debug master-service command 67debug netconfig-agent command 68debug routing command 69debug software command 70debug swm command 71debug tac-login command 72debug vardata-receiver command 73delete command 32, 52
Eedit banner 25edit command
banner 13using 26, 33
esc key 16Ethernet interfaces 19ethernet1/n 19exit command 34, 74
Ggetting started 12grep command 75
Index
254 • Index Palo Alto Networks
Hhierarchy
complete 153configuration 23navigating 25new elements 24paths 24
hostname 13
Iinterfaces 19
Kkeyboard shortcuts 16, 249
Lless command 76
Mmeta key 16modes
changing 14, 15configuration 21operational 27
move command 36
Nnavigating hierarchy 25
Ooperational mode
command types 27prompt 13using 27
Pping command 77privilege levels 18
Qquit command 37, 79
Rrename command 38request certificate command 80request content upgrade command 82request high-availability command 83request license command 84request restart command 85request support command 86request system command 87run command 39
Ssave command 21, 40scp command 88set application dump command 90set cli command 91set command 41set logging command 92set serial-number command 93set session command 94set target-vsys command 95set zip command 96shortcuts 16show admins command 97show arp command 98show cli command 99, 100show clock command 101show command 23, 42show config command 102show counter command 103show ctd command 104show device command 105show devicegroups command 107show device-messages command 106show dhcp command 108show high-availability command 109show interface command 110show jobs command 111show location command 112, 115show log command 113show mac command 116show management-clients command 117show multi-vsys command 118show pan-agent command 119show proxy command 120show query command 121show report command 122show route command 127show routing command 123show session command 128show statistics command 130show system command 132show target-vsys command 134show threat command 135show virtual-wire command 136show vlan command 137show vpn command 138, 140show zone-protection command 141ssh command 142syntax checking 14system 27
Palo Alto Networks Index • 255
Ttail command 143telnet command 144test command 145tftp command 146top command 25, 26, 43traceroute command 148typographical conventions 8
Uup command 25, 26, 44user name 13user privileges 18
Vview-pccap command 150
256 • Index Palo Alto Networks
Top Related