PAN-OS ™ Command Line Interface Reference Guide

PAN-OS Command Line Interface Reference Guide
Release 4.0
1/16/11 Third/Final Review Draft- Palo Alto Networks COMPANY CONFIDENTIAL
Palo Alto Networks, Inc. www.paloaltonetworks.com 2011 Palo Alto Networks. All rights reserved. Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners Part number: 810-000065-00A
Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Typographical Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Notes, Cautions, and Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Obtaining More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9 9 9 10 11 11 11 11
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
13
Understanding the PAN-OS CLI Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Accessing the PAN-OS CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Understanding the PAN-OS CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . 15 Understanding the PAN-OS CLI Command Conventions . . . . . . . . . . . . . . . . . . . . 15 Understanding Command Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Using Operational and Configuration Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Displaying the PAN-OS CLI Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Using Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Understanding Command Option Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Restricting Command Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Understanding Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Referring to Firewall Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Chapter 2 Understanding CLI Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Using Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Configuration Commands with Virtual Systems . . . . . . . . . . . . . . . . . . . . . . Understanding the Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Navigating Through the Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
Understanding Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

21 23 24 26 Understanding Operational Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Setting the Output Format for Configuration Commands . . . . . . . . . . . . . . . . . . . . 28
Palo Alto Networks
Chapter 3 Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 move . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 set address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 set address-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 set application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 set application-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 set application-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 set captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 set deviceconfig high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 set deviceconfig setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 set deviceconfig system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 set display-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 set email-scheduler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 set global-protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 set ldap-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 set mgt-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 set network dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 set network dns-proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 set network ike . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 set network interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 set network profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 set network qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 set network shared-gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 set network tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 set network virtual-router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 set network virtual-router protocol bgp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 set network virtual-router protocol ospf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 set network virtual-router protocol redist-profile . . . . . . . . . . . . . . . . . . . . . . . . 134 set network virtual-router protocol rip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 set network virtual-wire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 set network vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 set pan-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 set pdf-summary-report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 set profile-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 set profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 set region . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 set report-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 set reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 set rulebase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 set schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Palo Alto Networks
set service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 set service-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 set setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 set shared admin-role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 set shared allowed-applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 set shared authentication-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 set shared authentication-sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 set shared botnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 set shared certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 set shared client-certificate-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 set shared email-scheduler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 set shared local-user-database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 set shared log-settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 set shared override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 set shared pdf-summary-report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 set shared report-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 set shared reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 set shared response-page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 set shared server-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 set shared ssl-decrypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 set ssl-decrypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 set ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 set threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 set ts-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 set url-admin-override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 set url-content-types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 set userid-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 set vsys import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 set zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 show predefined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 top . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Chapter 4 Operational Mode Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
227
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 debug authd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 debug cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 debug cryptod . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240 debug dataplane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 debug device-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 debug dhcpd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 debug dnsproxyd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 debug global-protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 debug high-availability-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 debug ike . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 debug keymgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 debug l3svc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 debug ldap-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 debug log-receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Palo Alto Networks
debug management-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug master-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug netconfig-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug pppoed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug rasmgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug sslmgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug swm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug tac-login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . debug vardata-receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . grep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . less . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request acknowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request anti-virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request commit-lock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request config-lock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request data-filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request device-registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request global-protect-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request global-protect-gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request global-protect-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request master-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request password-hash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request quota-enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request tech-support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request url-filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . request vpnclient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . scp export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . scp import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . set application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . set cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . set clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . set data-access-password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . set management-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . set panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
265 267 268 269 270 271 273 275 276 278 279 280 281 282 284 285 286 287 288 289 291 293 294 295 297 299 300 301 303 304 305 306 307 308 309 310 311 312 313 314 315 316 318 319 320 321 322 324 326 328 330 331 332 333
Palo Alto Networks
set password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 set serial-number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 set session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 set system setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 show admins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 show authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 show chassis-ready . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 show cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 show clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 show commit-locks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346 show config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347 show config-locks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 show counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 show device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 show device-messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 show devicegroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352 show dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 show dns-proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354 show dos-protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355 show fips-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 show global-protect-gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357 show high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 show interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360 show jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 show location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362 show log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363 show mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 show management-clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372 show neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373 show ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 show object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 show panorama-certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 show panorama-status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377 show pbf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 show pppoe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 show qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 show query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381 show report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 show resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 show routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385 show running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 show session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 show ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398 show statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400 show system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401 show threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404 show user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405 show virtual-wire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 show vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 show vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 show zone-protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 tail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Palo Alto Networks
telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . tftp export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . tftp import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . view-pcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
414 415 419 421 423 425
Chapter 5 Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
427
Entering Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Using

Entering Maintenance Mode Upon Bootup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 Entering Maintenance Mode Automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429 Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Appendix A Panorama Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Appendix B PAN-OS CLI Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
433
459 463
Palo Alto Networks
Preface
This preface contains the following sections:
About This Guide in the next section Organization on page 9 Typographical Conventions on page 10 Notes, Cautions, and Warnings on page 11 Related Documentation on page 11 Obtaining More Information on page 11 Technical Support on page 11
About This Guide

This guide provides an overview of the PAN-OS command line interface (CLI), describes how to access and use the CLI, and provides command reference pages for each of the CLI commands. This guide is intended for system administrators responsible for deploying, operating, and maintaining the firewall and who require reference information about the PAN-OS CLI commands that they want to execute on a per-device basis. For an explanation of features and concepts, refer to the Palo Alto Networks Administrators Guide.
Organization
This guide is organized as follows:
Chapter 1, IntroductionIntroduces and describes how to use the PAN-OS CLI. Chapter 2, Understanding CLI Command ModesDescribes the modes used to interact with the PAN-OS CLI. Chapter 3, Configuration Mode CommandsContains command reference pages for Configuration mode commands. Chapter 4, Operational Mode CommandsContains command reference pages for Operational mode commands.
Palo Alto Networks
Preface 9
Chapter 5, Maintenance ModeDescribes how to enter Maintenance mode and use the Maintenance mode options. Appendix A, Panorama HierarchyContains command reference pages for Operational mode commands. Appendix B, PAN-OS CLI Keyboard ShortcutsDescribes the keyboard shortcuts supported in the PAN-OS CLI.
Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.
Convention
boldface
Meaning
Names of commands, keywords, and selectable items in the web interface Name of variables, files, configuration elements, directories, or Uniform Resource Locators (URLs) Command syntax, code examples, and screen output
Example
Use the configure command to enter Configuration mode. The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com. element2 is a required variable for the move command. The show arp all command yields this output: username@hostname> show arp all maximum of entries supported: 8192 default timeout: 1800 seconds total ARP entries in table: 0 total ARP entries shown: 0 status: s - static, c - complete, i - incomplete Enter the following command to exit from the current PAN-OS CLI level: # exit <tab> indicates that the tab key is pressed. > delete file <file_name> > delete core {control-plane | data-plane} The request support command includes options to get support information from the update server or show downloaded support information: > request support {check | info}
italics
courier font
courier bold font < > (text enclosed in angle brackets) { } (text enclosed in curly brackets) | (pipe symbol)
Text that you enter at the command prompt Variables or special keys. Command options. Choice of values, indicated by a pipe symbol-separated list.
10 Preface
Palo Alto Networks
Notes, Cautions, and Warnings

This guide uses the following symbols for notes, cautions, and warnings.
Symbol
Description
NOTE Indicates helpful suggestions or supplementary information. CAUTION Indicates information about which the reader should be careful to avoid data loss or equipment failure. WARNING Indicates potential danger that could involve bodily injury.
Related Documentation
The following additional documentation is provided with the firewall:
Quick Start Hardware Reference Guide Palo Alto Networks Administrators Guide
Obtaining More Information

To obtain more information about the firewall, refer to:
Palo Alto Networks websiteGo to http://www.paloaltonetworks.com. Online helpClick Help in the upper right corner of the GUI to access the online help system.
Technical Support
For technical support, use the following methods:
Go to the KnowledgePoint online support community at http://live.paloaltonetworks.com. Go to http://support.paloaltonetworks.com. Call 1-866-898-9087 (U.S, Canada, and Mexico). Email us at: support@paloaltonetworks.com.
Palo Alto Networks
Preface 11
12 Preface
Palo Alto Networks
Chapter 1
Introduction
This chapter introduces and describes how to use the PAN-OS command line interface (CLI):
Understanding the PAN-OS CLI Structure in the next section Getting Started on page 14 Understanding the PAN-OS CLI Commands on page 15
Understanding the PAN-OS CLI Structure

The PAN-OS CLI allows you to access the firewall, view status and configuration information, and modify the configuration. Access to the PAN-OS CLI is provided through SSH, Telnet, or direct console access. The PAN-OS CLI operates in two modes:
Operational modeView the state of the system, navigate the PAN-OS CLI, and enter configuration mode. Configuration modeView and modify the configuration hierarchy.
Chapter 3 describes each mode in detail.
Palo Alto Networks
Introduction 13
Getting Started
This section describes how to access and begin using the PAN-OS CLI:
Before You Begin in the next section Accessing the PAN-OS CLI on page 14
Before You Begin

Verify that the firewall is installed and that a SSH, Telnet, or direct console connection is established. Note: Refer to the Hardware Reference Guide for hardware installation information and to the Quick Start for information on initial device configuration.
Use the following settings for direct console connection:
Data rate: 9600 Data bits: 8 Parity: none Stop bits: 1 Flow control: None
Accessing the PAN-OS CLI

To access the PAN-OS CLI: 1. 2. 3. 4. Open the console connection. Enter the administrative user name. The default is admin. Enter the administrative password. The default is admin. The PAN-OS CLI opens in Operational mode, and the CLI prompt is displayed:
username@hostname>
14 Introduction
Palo Alto Networks
Understanding the PAN-OS CLI Commands

This section describes how to use the PAN-OS CLI commands and display command options:
Understanding the PAN-OS CLI Command Conventions in the next section Understanding Command Messages on page 16 Using Operational and Configuration Modes on page 17 Displaying the PAN-OS CLI Command Options on page 17 Using Keyboard Shortcuts on page 18 Understanding Command Option Symbols on page 18 Understanding Privilege Levels on page 20 Referring to Firewall Interfaces on page 20
Understanding the PAN-OS CLI Command Conventions

The basic command prompt incorporates the user name and model of the firewall:
username@hostname>
Example:
username@hostname>
When you enter Configuration mode, the prompt changes from > to #:
username@hostname> (Operational mode) username@hostname> configure Entering configuration mode [edit] (Configuration mode) username@hostname#
In Configuration mode, the current hierarchy context is shown by the [edit...] banner presented in square brackets when a command is issued. Refer to Using the Edit Command on page 27 for additional information on the edit command.
Palo Alto Networks
Introduction 15
Understanding Command Messages

Messages may be displayed when you issue a command. The messages provide context information and can help in correcting invalid commands. In the following examples, the message is shown in bold. Example: Unknown command
username@hostname# application-group Unknown command: application-group [edit network] username@hostname#
Example: Changing modes

username@hostname# exit Exiting configuration mode username@hostname>
Example: Invalid syntax

username@hostname> debug 17 Unrecognized command Invalid syntax. username@hostname>
Each time you enter a command the syntax is checked. If the syntax is correct, the command is executed, and the candidate hierarchy changes are recorded. If the syntax is incorrect, an invalid syntax message is presented, as in the following example:
username@hostname# set zone application 1.1.2.2 Unrecognized command Invalid syntax. [edit] username@hostname#
16 Introduction
Palo Alto Networks
Using Operational and Configuration Modes

When you log in, the PAN-OS CLI opens in Operational mode. You can move between Operational and Configuration modes at any time.
To enter Configuration mode from Operational mode, use the configure command:
username@hostname> configure Entering configuration mode [edit] username@hostname#
To leave Configuration mode and return to Operational mode, use the quit or exit command:
username@hostname# quit Exiting configuration mode username@hostname>
To enter an Operational mode command while in Configuration mode, use the run command, as described in run on page 46.
Displaying the PAN-OS CLI Command Options

Use ? (or Meta-H) to display a list of command option, based on context:
To display a list of operational commands, enter ? at the command prompt.

username@hostname> ? clear Clear runtime parameters configure Manipulate software configuration information debug Debug and diagnose exit Exit this session grep Searches file for lines containing a pattern match less Examine debug file content ping Ping hosts and networks quit Exit this session request Make system-level requests scp Use ssh to copy file to another host set Set operational parameters show Show operational parameters ssh Start a secure shell to another host tail Print the last 10 lines of debug file content telnet Start a telnet session to another host username@hostname>
To display the available options for a specified command, enter the command followed by ?. Example:
admin@localhost> ping ? username@hostname> ping + bypass-routing Bypass routing table, use specified interface + count Number of requests to send (1..2000000000 packets)
Palo Alto Networks
Introduction 17
+ do-not-fragment Don't fragment echo request packets (IPv4) + inet Force to IPv4 destination + interface Source interface (multicast, all-ones, unrouted packets) + interval Delay between requests (seconds) + no-resolve Don't attempt to print addresses symbolically + pattern Hexadecimal fill pattern + record-route Record and report packet's path (IPv4) + size Size of request packets (0..65468 bytes) + source Source address of echo request + tos IP type-of-service value (0..255) + ttl IP time-to-live value (IPv6 hop-limit value) (0..255 hops) + verbose Display detailed output + wait Delay after sending last packet (seconds) <host> Hostname or IP address of remote host username@hostname> ping
Using Keyboard Shortcuts

The PAN-OS CLI supports a variety of keyboard shortcuts. For a complete list, refer to Appendix B, PAN-OS CLI Keyboard Shortcuts. Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the Esc key.
Understanding Command Option Symbols

The symbol preceding an option can provide additional information about command syntax, as described in Table 1.
Table 1. Option Symbols Symbol

* > +
Description
This option is required. There are additional nested options for this command. There are additional command options for this command at this level.
The following example shows how these symbols are used. Example: In the following command, the keyword from is required:
username@hostname> scp import configuration ? + remote-port SSH port number on remote host * from Source (username@host:path) username@hostname> scp import configuration
Example: This command output shows options designated with + and >.
username@hostname# set rulebase security rules rule1 ?
18 Introduction
Palo Alto Networks
+ + + + + + + + + + + + + + + >
action application description destination disabled from log-end log-setting log-start negate-destination negate-source schedule service source to profiles <Enter> [edit] username@hostname# set
action application description destination disabled from log-end log-setting log-start negate-destination negate-source schedule service source to profiles Finish input rulebase security rules rule1
Each option listed with + can be added to the command. The profiles keyword (with >) has additional options:
username@hostname# set rulebase security rules rule1 profiles ? + virus Help string for virus + spyware Help string for spyware + vulnerability Help string for vulnerability + group Help string for group <Enter> Finish input [edit] username@hostname# set rulebase security rules rule1 profiles
Restricting Command Output

Some operational commands include an option to restrict the displayed output. To restrict the output, enter a pipe symbol followed by except or match and the value that is to be excluded or included:
Example: The following sample output is for the show system info command:
username@hostname> show system info hostname: PA-HDF ip-address: 10.1.7.10 netmask: 255.255.0.0 default-gateway: 10.1.0.1 mac-address: 00:15:E9:2E:34:33 time: Fri Aug 17 13:51:49 2007 uptime: 0 days, 23:19:23 devicename: PA-HDF family: i386 model: pa-4050 serial: unknown sw-version: 1.5.0.0-519
Palo Alto Networks
Introduction 19
app-version: 25-150 threat-version: 0 url-filtering-version: 0 logdb-version: 1.0.8 username@hostname>
The following sample displays only the system model information:

username@hostname> show system info | match model model: pa-4050 username@hostname>
Understanding Privilege Levels

Privilege levels determine which commands the user is permitted to execute and the information the user is permitted to view. Table 2 describes the PAN-OS CLI privilege levels.
Table 2. Privilege Levels Level

superuser superreader vsysadmin vsysreader
Description
Has full access to the firewall and can define new administrator accounts and virtual systems. Has complete read-only access to the firewall. Has full access to a selected virtual system on the firewall. Has read-only access to a selected virtual system on the firewall.
Referring to Firewall Interfaces

The Ethernet interfaces are numbered from left to right and top to bottom on the firewall, as shown in Figure 1.
ethernet1/1
1 3 5 7 9 11 13
ethernet1/15
15
10
12
14
16
ethernet1/2
ethernet1/16
Figure 1. Firewall Ethernet Interfaces

Use these names when referring to the Ethernet interfaces within the PAN-OS CLI commands, as in the following example:
username@hostname# set network interface ethernet ethernet1/4 virtual-wire
20 Introduction
Palo Alto Networks
Chapter 2
Understanding CLI Command Modes

This chapter describes the modes used to interact with the PAN-OS CLI:
Understanding Configuration Mode in the next section Understanding Operational Mode on page 28
Understanding Configuration Mode

When you enter Configuration mode and enter commands to configure the firewall, you are modifying the candidate configuration. The modified candidate configuration is stored in firewall memory and maintained while the firewall is running. Each configuration command involves an action, and may also include keywords, options, and values. Entering a command makes changes to the candidate configuration. This section describes Configuration mode and the configuration hierarchy:
Using Configuration Mode Commands in the next section Using Configuration Commands with Virtual Systems on page 23 Understanding the Configuration Hierarchy on page 24 Navigating Through the Hierarchy on page 26
Using Configuration Mode Commands

Use the following commands to store and apply configuration changes (see Figure 2):
save commandSaves the candidate configuration in firewall non-volatile storage. The saved configuration is retained until overwritten by subsequent save commands. Note that this command does not make the configuration active. commit commandApplies the candidate configuration to the firewall. A committed configuration becomes the active configuration for the device.
Palo Alto Networks
Understanding CLI Command Modes 21
set commandChanges a value in the candidate configuration. load commandAssigns the last saved configuration or a specified configuration to be the candidate configuration.
Example: Make and save a configuration change.

username@hostname# rename zone untrust to untrust1
command)
[edit] username@hostname# save config to snapshot.xml Config saved to .snapshot.xml [edit] username@hostname#
(enter a configuration
Example: Make a change to the candidate configuration.

[edit] username@hostname# set network interface vlan ip 1.1.1.4/24 [edit] username@hostname#
Example: Make the candidate configuration active on the device.

[edit] username@hostname# commit [edit] username@hostname#
Note: If you exit Configuration mode without issuing the save or commit command, your configuration changes could be lost if power is lost to the firewall.
Active Configuration
Candidate Configuration
Saved Configuration
Commit
Save Load Set
Figure 2. Configuration Mode Command Relationship
22 Understanding CLI Command Modes
Palo Alto Networks
Maintaining a candidate configuration and separating the save and commit steps confers important advantages when compared with traditional CLI architectures:
Distinguishing between the save and commit concepts allows multiple changes to be made at the same time and reduces system vulnerability. For example, if you want to remove an existing security policy and add a new one, using a traditional CLI command structure would leave the system vulnerable for the period of time between removal of the existing security policy and addition of the new one. With the PAN-OS approach, you configure the new security policy before the existing policy is removed, and then implement the new policy without leaving a window of vulnerability.
You can easily adapt commands for similar functions. For example, if you are configuring two Ethernet interfaces, each with a different IP address, you can edit the configuration for the first interface, copy the command, modify only the interface and IP address, and then apply the change to the second interface.
The command structure is always consistent. Because the candidate configuration is always unique, all the authorized changes to the candidate configuration will be consistent with each other.
Using Configuration Commands with Virtual Systems

If multiple virtual systems are enabled, you must specify a virtual system as part of the set command in order to see the available options, as in the following example.
username@hostname> configure Entering configuration mode [edit] [edit] username@hostname# set ? > deviceconfig deviceconfig > mgt-config mgt-config > network network configuration > shared shared > vsys vsys [edit] username@hostname# set vsys vsys1 ? + display-name alphanumeric string [ 0-9a-zA-Z._-] > address address > address-group address-group > application application > application-filter application-filter > application-group application-group > authentication-profile authentication-profile > captive-portal captive-portal > custom-url-category custom-url-category > import Import predefined configured resources > ldap-server ldap-server > local-user-database local-user-database > log-settings log-settings > pan-agent pan-agent > profile-group profile-group > profiles profiles > rulebase rulebase > schedule schedule
Palo Alto Networks
> > > >
service service-group setting ssl-exclude-cert
service service-group setting ssl-exclude-cert
Understanding the Configuration Hierarchy

The configuration for the firewall is organized in a hierarchical structure. To display a segment of the current hierarchy, use the show command. Entering show displays the complete hierarchy, while entering show with keywords displays a segment of the hierarchy. For example, the following command displays the configuration hierarchy for the ethernet interface segment of the hierarchy:
username@hostname# show network interface ethernet ethernet { ethernet1/1 { virtual-wire; } ethernet1/2 { virtual-wire; } ethernet1/3 { layer2 { units { ethernet1/3.1; } } } ethernet1/4; } [edit] username@hostname#
Palo Alto Networks
Understanding Hierarchy Paths

When you enter a command, path is traced through the hierarchy, as shown in Figure 3.
network
profiles interface
vlan
virtual-wire virtual-router
...
ethernet
...
...
...
loopback
aggregate-ethernet vlan
...
ethernet1/1 ethernet1/2
...
...
link-duplex auto
link-state up
virtual-wire link-speed 1000
Figure 3. Sample Hierarchy Segment

For example, the following command assigns the IP address/netmask 10.1.1.12/24 to the Layer 3 interface for the Ethernet port ethernet1/4:
[edit] username@hostname# set network interface ethernet ethernet1/4 layer3 ip 10.1.1.12/24 [edit] username@hostname#
Palo Alto Networks
This command generates a new element in the hierarchy, as shown in Figure 4 and in the output of the following show command:
[edit] username@hostname# show network interface ethernet ethernet1/4 ethernet1/4 { layer3 { ip { 10.1.1.12/24; } } } [edit] username@hostname# network
profiles interface
vlan
virtual-wire virtual-router
...
ethernet
...
...
...
loopback
aggregate-ethernet vlan
...
...
...
ip
10.1.1.12/24
Figure 4. Sample Hierarchy Segment
Navigating Through the Hierarchy

The [edit...] banner presented below the Configure mode command prompt line shows the current hierarchy context. For example, the banner
[edit]
indicates that the relative context is the top level of the hierarchy, whereas
[edit network profiles]
indicates that the relative context is at the network profiles node.
Palo Alto Networks
Use the commands listed in Table 3 to navigate through the configuration hierarchy.
Table 3. Navigation Commands Command

edit up top
Description
Sets the context for configuration within the command hierarchy. Changes the context to the next higher level in the hierarchy. Changes the context to the highest level in the hierarchy.
Using the Edit Command

Use the edit command to change context to lower levels of the hierarchy, as in the following examples:
Move from the top level to a lower level:

[edit] (top level) username@hostname# edit network [edit network] username@hostname# (now at the network [edit network]
level)
Move from one level to a lower level:

[edit network] (network level) username@hostname# edit interface [edit network interface] admin@abce# (now at the network
interface level)
Using the Up and Top Commands

Use the up and top commands to move to higher levels in the hierarchy:
upchanges the context to one level up in the hierarchy. Example:

[edit network interface] admin@abce# up [edit network] username@hostname#
(network level)
(now at the network level)
topchanges context to the top level of the hierarchy. Example:

[edit network interface vlan] username@hostname# top [edit] username@hostname#
(network vlan level)
(now at network vlan level)
Palo Alto Networks
Note: The set command issued after using the up and top commands starts from the new context.
Understanding Operational Mode

When you first log in, the PAN-OS CLI opens in Operational mode. Operational mode commands involve actions that are executed immediately. They do not involve changes to the configuration, and do not need to be saved or committed. Operational mode commands are of several types:
Network accessOpen a window to another host. Includes ssh and telnet commands. Monitoring and troubleshootingPerform diagnosis and analysis. Includes debug and ping commands. Display commandsDisplay or clear current information. Includes clear and show commands. PAN-OS CLI navigation commandsEnter Configure mode or exit the PAN-OS CLI. Includes configure, exit, and quit commands. System commandsMake system-level requests or restart. Includes set and request commands.
Setting the Output Format for Configuration Commands

You can specify the output format for configuration commands by using the set cli config-output-format command in Operational mode. Options include the default format, XML format, and set command format. The following examples show the difference in output for each of these options. For information on setting these options, refer to set cli on page 328. Default option:
username@hostname# show system log-export-schedule log-export-schedule { 10.16.0.97 { description 10.16.0.97; enable yes; log-type threat; start-time 03:00; protocol { ftp { hostname 10.16.0.97; port 21; passive-mode yes; username admin; password mZDB7rbW5y8=; } } username@hostname#
XML option:
Palo Alto Networks
username@hostname# show system log-export-schedule <log-export-schedule> <entry name="10.16.0.97"> <description>10.16.0.97</description> <enable>yes</enable> <log-type>threat</log-type> <start-time>03:00</start-time> <protocol> <ftp> <hostname>10.16.0.97</hostname> <port>21</port> <passive-mode>yes</passive-mode> <username>admin</username> <password>mZDB7rbW5y8=</password> </ftp> </protocol> </entry> </log-export-schedule> [edit deviceconfig] [edit deviceconfig] username@hostname#
set command option:

username@hostname# show set deviceconfig system set deviceconfig system set deviceconfig system set deviceconfig system set deviceconfig system username@hostname# system log-export-schedule log-export-schedule 10.16.0.97 log-export-schedule 10.16.0.97 log-export-schedule 10.16.0.97 log-export-schedule 10.16.0.97 log-export-schedule 10.16.0.97 description 10.16.0.97 enable yes log-type threat start-time 03:00 protocol ftp hostname
Palo Alto Networks
Palo Alto Networks
Chapter 3
Configuration Mode Commands

This chapter contains command reference pages for the following Configuration mode commands:
check on page 35 commit on page 36 copy on page 37 delete on page 38 edit on page 39 exit on page 40 load on page 41 move on page 43 quit on page 44 rename on page 45 run on page 46 save on page 47 set address on page 48 set address-group on page 49 set application on page 50 set application-filter on page 53 set application-group on page 55 set captive-portal on page 56 set deviceconfig high-availability on page 58 set deviceconfig setting on page 64 set deviceconfig system on page 71
Palo Alto Networks
Configuration Mode Commands 31
set display-name on page 78 set email-scheduler on page 79 set global-protect on page 80 set ldap-server on page 83 set mgt-config on page 84 set network dhcp on page 86 set network dns-proxy on page 88 set network ike on page 90 set network interface on page 94 set network profiles on page 98 set network qos on page 103 set network shared-gateway on page 105 set network tunnel on page 113 set network virtual-router on page 117 set network virtual-router protocol bgp on page 119 set network virtual-router protocol ospf on page 131 set network virtual-router protocol redist-profile on page 134 set network virtual-router protocol rip on page 136 set network virtual-wire on page 138 set network vlan on page 139 set pan-agent on page 140 set pdf-summary-report on page 141 set profile-group on page 142 set profiles on page 143 set region on page 156 set report-group on page 157 set reports on page 158 set rulebase on page 163 set schedule on page 172 set service on page 173 set service-group on page 174
32 Configuration Mode Commands
Palo Alto Networks
set setting on page 175 set shared admin-role on page 176 set shared allowed-applications on page 183 set shared authentication-profile on page 184 set shared authentication-sequence on page 186 set shared botnet on page 187 set shared certificate on page 189 set shared client-certificate-profile on page 190 set shared email-scheduler on page 191 set shared local-user-database on page 192 set shared log-settings on page 193 set shared override on page 197 set shared pdf-summary-report on page 198 set shared report-group on page 199 set shared reports on page 200 set shared response-page on page 205 set shared server-profile on page 206 set shared ssl-decrypt on page 208 set ssl-decrypt on page 209 set ssl-vpn on page 210 set threats on page 211 set ts-agent on page 216 set url-admin-override on page 217 set url-content-types on page 218 set userid-agent on page 219 set vsys import on page 220 set zone on page 222 show on page 223 show predefined on page 224 top on page 225 up on page 226
Palo Alto Networks
Note: Changes in the configuration are retained, until overwritten, while the firewall is powered. To save a candidate configuration in non-volatile storage, use the save command. To make a candidate configuration active, use the commit command.
Palo Alto Networks
check
check
Displays the current configuration status. For more information about managing configurations, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
check { data-access-passwd {system} | pending-changes }
Options
> data-access-passwd Check data access authentication status for this session + system Check whether data access password exists for the system > pending-changes Check for uncommitted changes
Sample Output
The following command shows that there are currently no uncommitted changes.
username@hostname# check pending-changes no [edit] username@hostname#
Required Privilege Level

superuser, vsysadmin, deviceadmin
Palo Alto Networks
commit
commit
Makes the current candidate configuration the active configuration on the firewall. For more information about the committing changes, refer to the Getting Started chapter in the Palo Alto Networks Administrators Guide.
Syntax
commit {force}
Options
+ force Force the commit command in the event of a conflict
Sample Output
The following command makes the current candidate configuration the active configuration.
# commit

Palo Alto Networks
copy
copy
Makes a copy of a node in the hierarchy along with its children, and adds the copy to the same hierarchy level. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
copy <node1> to <node2>
Options
<node1> Specifies the node to be copied <node2> Specifies the name of the copy
Sample Output
The following command, executed from the rule base security level of the hierarchy, makes a copy of rule1, called rule2.
[edit rulebase security] username@hostname# copy rules rule1 to rule2 [edit rulebase security] username@hostname#
The following command shows the location of the new rule in the hierarchy.
[edit rulebase security] username@hostname# show security { rules { rule1 { source [ any 1.1.1.1/32 ]; destination 1.1.1.2/32; } rule2 { source [ any 1.1.1.1/32 ]; destination 1.1.1.2/32; } } }

Palo Alto Networks
delete
delete
Removes a node from the candidate configuration along with all its children. Note: No confirmation is requested when this command is entered.
Syntax
delete <node>
Options
<node> Specifies the node to be deleted. For available nodes of the hierarchy, refer to the set configuration commands in this chapter.
Sample Output
The following command deletes the application myapp from the candidate configuration.
username@hostname# delete application myapp [edit] username@hostname#

Palo Alto Networks
edit
edit
Changes context to a lower level in the configuration hierarchy.
Syntax
edit <context>
Options
<context> Specifies a path through the hierarchy. For available contexts in the hierarchy, refer to the copy configuration commands in this chapter.
Sample Output
The following command changes context from the top level to the network profiles level of the hierarchy.
[edit] username@hostname# edit rulebase [edit rulebase] username@hostname#

Palo Alto Networks
exit
exit
Exits from the current PAN-OS CLI level.
From Operational mode Exits the PAN-OS CLI. From Configuration mode, top hierarchy level Exits Configuration mode, returning to Operational mode. From Configuration mode, lower hierarchy levels Changes context to one level up in the hierarchy. Provides the same result as the up command. Note: The exit command is the same as the quit command.
Syntax
exit
Options
None
Sample Output
The following command changes context from the network interface level to the network level.
[edit network interface] username@hostname# exit [edit network] username@hostname#
The following command changes from Configuration mode to Operational mode.

[edit] username@hostname# exit Exiting configuration mode username@hostname>

All
Palo Alto Networks
load
load
Assigns the last saved configuration or a specified configuration to be the candidate configuration. For more information about managing configurations, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
load config { key <value> | from <filename> | last-saved | partial | { from <filename> | from-xpath <value> | mode {merge | replace} | to-xpath <value> } version {<value> | candidate | running} }
Options
+ key Key used for encryption > from File name (select from the file names provided, or enter a new name) > last-saved Loads the last saved configuration > partial Loads partial configuration * from File name (select from the file names provided, or enter a new name) * from-xpath XML Path (XPath) of the source node * mode Mode in which to load (merge or replace) * to-xpath XML Path (XPath) of the destination's parent > version Selects from the provided versions, or the candidate or running versions
Sample Output
The following command assigns output.xml to be the candidate configuration.
[edit] username@hostname# load config from output.xml command succeeded [edit] username@hostname#
Palo Alto Networks
load
The following command adds the top-apps report found in the x.xml configuration to the specified candidate configuration.
[edit] username@hostname# load config partial from x.xml from-xpath shared/ reports/entry[@name='top-apps'] mode merge to-xpath/config/devices/ entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/reports command succeeded [edit] username@hostname#

Palo Alto Networks
move
move
Relocates a node in the hierarchy along with its children to be at another location at the same hierarchy level.
Syntax
move <element1> {bottom | top | after <element2> | before <element2>}
Options
<element1> Specifies the items to be moved. For available elements of the hierarchy, refer to the copy configuration commands in this chapter. <element2> Indicates the element after or before which element1 will be placed after Moves element to be after element2 before Moves element to be before element2 bottom Makes the element the last entry of the hierarchy level top Makes the element the first entry of the hierarchy level
Sample Output
The following command moves the security rule rule1 to the top of the rule base.
username@hostname# move rulebase security rules rule1 top [edit] username@hostname#

Palo Alto Networks
quit
quit
Exits from the current PAN-OS CLI level.
From Operational mode Exits the PAN-OS CLI. From Configuration mode, top hierarchy level Exits Configuration mode, returning to Operational mode. From Configuration mode, lower hierarchy levels Changes context to one level up in the hierarchy. Provides the same result as the up command. Note: The exit and quit commands are interchangeable.
Syntax
quit
Options
None
Sample Output
The following command changes context from the network interface level to the network level.
[edit log-settings] username@hostname# quit [edit] username@hostname#
The following command changes from Configuration mode to Operational mode.

[edit] username@hostname# quit Exiting configuration mode username@hostname>

All
Palo Alto Networks
rename
rename
Changes the name of a node in the hierarchy.
Syntax
rename <node1> to <node2>
Options
<node1> Indicates the original node name. For available nodes of the hierarchy, refer to the copy configuration commands in this chapter. <node2> Indicates the new node name
Sample Output
The following command changes the name of a node in the hierarchy from 1.1.1.1/24 to 1.1.1.2/ 24.
username@hostname# rename network interface vlan ip 1.1.1.1/24 to 1.1.1.2/24

Palo Alto Networks
run
run
Executes an Operational mode command while in Configuration mode. For information about the syntax and options for each Operational mode command, refer to its command page in Chapter 4, Operational Mode Commands.
Syntax
run { check | clear | commit | debug | delete | ftp | grep | less | load | ls | netstat | ping | request | save | schedule | scp | set | show | ssh | tail | telnet | test | tftp | traceroute | view-pcap }
Sample Output
The following command executes a ping command to the IP address 1.1.1.2 from Configuration mode.
username@hostname# run ping host 1.1.1.2 PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data. ... username@hostname#

Palo Alto Networks
save
save
Saves a snapshot of the firewall configuration. Note: This command saves the configuration on the firewall, but does not make the configuration active. Use the commit command to make the current candidate configuration active.
Syntax
save config to <filename>
Options
+ to File name (select from the file names provided, or enter a new name)
Sample Output
The following command saves a copy of the configuration to the file savefile.
[edit] username@hostname# save config to savefile Config saved to savefile [edit] username@hostname#

Palo Alto Networks
set address
set address
Specifies addresses and address ranges for use in security policies. Addresses requiring the same security settings can be combined into address groups that you can refer to as a unit. For information on configuring address groups using the CLI, refer to set address-group on page 49. For more information on addresses and security policies, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set address <name> | { fqdn <value> | ip-netmask <ip/netmask> | ip-range <ip_range> }
Options
<name> Select from the local server list or enter a name for the address > fqdn Fully Qualified Domain Name (FQDN) value > ip-netmask IP address and network mask (x.x.x.x/y or IPv6/netmask) > ip-range IP address range (x.x.x.x-y.y.y.y or IPv6-range)

Palo Alto Networks
set address-group
set address-group
Configures sets of addresses that will be assigned the same security settings, to simplify the creation of security policies. For information on configuring address groups using the CLI, refer to set address on page 48. For more information on address groups and security policies, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set address-group <name> <member_value>
Options
<name> Select from the local server list or enter a name for the address group <member_value> Select from the local server list, or enter a name or group of names enclosed in [ ]

Palo Alto Networks
set application
set application
Creates a custom App-ID for use throughout PAN-OS wherever an application can be specified. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set application <name> | { able-to-transfer-file {no | yes} | category {business systems | collaboration | general internet | media | networking | <value>} | consume-big-bandwidth {no | yes} | data-ident {no | yes} | description <value> | evasive-behavior {no | yes} | file-type-ident {no | yes} | has-known-vulnerability {no | yes} | parent-app <value> | pervasive-use {no | yes} | prone-to-misuse {no | yes} | risk <value> | spyware-ident {no | yes} | subcategory <value> | tcp-timeout <value> | technology {browser-based | client-server | network-protocol | peer-topeer| <value>} | timeout <value> | tunnel-applications {no | yes} | tunnel-other-application {no | yes} | udp-timeout <value> | used-by-malware {no | yes} | virus-ident {no | yes} | default port | { port <value> | ident-by-icmp-type <value> | ident-by-icmp6-type <value> | ident-by-ip-protocol <value> | } signature <name> { comment <value> | order-free {no | yes} | scope {protocol-data-unit | session} | and-condition <name> {or-condition <name>} { operator equal-to | { context {unknown-req-tcp | unknown-req-udp | unknown-rsp-tcp |
Palo Alto Networks
set application
unknown-rsp-udp} mask <value> | position <value> | value <value> } operator pattern-match { context <value> | pattern <value> | qualifier <name> value <value> } } } }
Options
<name> Enter a name for the application + able-to-transfer-file Able to transfer files + category Category; select from business-systems, collaboration, general-internet, media, networking, or enter a value + consume-big-bandwidth Consumes big bandwidth + data-ident Data identifitication + description Description value + evasive-behavior Has evasive behavior + file-type-ident File type identification + has-known-vulnerability Has known vulnerability + parent-app Parent application; select from list or enter a value + pervasive-use Pervasively used + prone-to-misuse Prone to misuse + risk Risk value (1-5) + spyware-ident Spyware identification + subcategory Subcategory; select from the list or enter a value - business-systems subcategories are auth-service, database, erp-crm, general-business, management, officeprograms, software-update, or storage-backup - collaboration subcategories are email, instant-messaging, internet-conferencing, social-networking, voipvideo, or web-posting - general-internet subcategories are file-sharing or internet-utility - media subcategories are audio-streaming, gaming, or photo-video - networking subcategories are encrypted-tunnel, infrastructure, ip-protocol, proxy, remote-access. or routing + tcp-timeout TCP timeout in seconds (0-604800) + technology Technology; select from browser-based, client-server, network-protocol, peer-to-peer, or enter a value + timeout Timeout in seconds (0-604800) + tunnel-applications Tunnel applications + tunnel-other-application Tunnel other applications + udp-timeout UDP timeout in seconds (0-604800) + used-by-malware Used by malware + virus-ident Virus identification > default Default application + port Protocol port specification : {tcp|udp}/{dynamic|port range list} (e.g. tcp/8080, tcp/80,443, tcp/11024,10000, udp/dynamic), or list of values enclosed in [ ] > ident-by-icmp-type Identification by ICMP type (0-255,...) > ident-by-icmp6-type Identification by ICMP6 type (0-255,...) > ident-by-ip-protocol Identification by IP protocol (0-255,...) > signature Signature application
Palo Alto Networks
set application
+ comment Comment value + order-free Order free (no or yes) + scope Scope (protocol data unit transaction or session) > and-condition And-condition name > or-condition Or-condition name > operator Operator choices > equal-to Equal-to choices + context Context (unknown TCP request, unknown UDP request, unknown TCP response, or unknown UDP response) + mask Mask 4-byte hexidecimal value + position Position value + value Value 4-byte hexidecimal value > pattern-match Pattern-match choices + context Context (file-html-body, file-office-content, file-pdf-body, ftp-req-params, ftprsp-banner, http-req-headers, http-req-host-header, http-req-mime-form-data, http-reqparams, http-req-uri-path, http-rsp-headers, imap-req-cmd-line, imap-req-first-param , imap-req-params-after-first-param, rtsp-req-headers, rtsp-req-uri-path, smtp-reqargument, smtp-rsp-content, ssl-req-client-hello, ssl-rsp-certificate, ssl-rsp-serverhello, telnet-req-client-data, telnet-rsp-server-data, or enter a value) + pattern Pattern value > qualifier Qualifier name and value (some contexts include available options; press <tab> to view available options)
Sample Output
The following command configures an application that detects web traffic going to a specified website.
username@hostname# set application specifiedsite category collaboration subcategory social-networking technology browser-based signature s1 andcondition a1 or-condition o1 operator pattern-match context http-reqhost-header pattern www.specifiedsite.com username@hostname#
The following example demonstrates configuring an application that detects blog posting activity on a specified blog.
username@hostname# set application specifiedblog_posting category collaboration subcategory web-posting technology browser-based signature s1 and-condition a1 or-condition o1 operator pattern-match context httpreq-host-header pattern specifiedblog.com qualifier http-method value POST username@hostname# set application specifiedblog_posting category collaboration subcategory web-posting technology browser-based signature s1 and-condition a2 or-condition o2 operator pattern-match context httpreq-params pattern post_title qualifier http-method value POST username@hostname# set application specifiedblog_posting category collaboration subcategory web-posting technology browser-based signature s1 and-condition a3 or-condition o3 operator pattern-match context httpreq-params pattern post_author qualifier http-method value POST username@hostname#

Palo Alto Networks
set application-filter
Specifies application filters to simplify repeated searches. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set application-filter <name> { category {business-systems | collaboration | general-internet | media | networking | unknown | <member_value>} | evasive yes | excessive-bandwidth-use yes | has-known-vulnerabilities yes | pervasive yes | prone-to-misuse yes | risk <value> | subcategory <member_value> | technology {browser-based | client-server | network-protocol | peer-topeer| <member_value>} | transfers-files yes | tunnels-other-apps yes | used-by-malware yes }
Options
<name> Enter a name for the application filter + category Category; select from business systems, collaboration, general internet, media, networking, unknown, or enter a value or list of values enclosed in [ ] + evasive Configure to filter for evasive applications + excessive-bandwidth-use Configure to filter for excessive bandwidthuse + has-known-vulnerabilities Configure to filter for applications with known vulnerabilities + pervasive Configure to filter for pervasive applications + prone-to-misuse Configure to filter for applications prone to misuse + risk Risk value (1-5) + subcategory Subcategory; select from the list or enter a value or list of values enclosed in [ ] - business-systems subcategories are auth-service, database, erp-crm, general-business, management, officeprograms, software-update, or storage-backup - collaboration subcategories are email, instant-messaging, internet-conferencing, social-networking, voipvideo, or web-posting - general-internet subcategories are file-sharing or internet-utility - media subcategories are audio-streaming, gaming, or photo-video - networking subcategories are encrypted-tunnel, infrastructure, ip-protocol, proxy, remote-access. or routing - unknown subcategories include all of the above + technology Technology; select from browser-based, client-server, network-protocol, peer-to-peer, or enter a value or list of values enclosed in [ ] + transfers-files Configure to filter for applications that transfer files + tunnels-other-apps Configure to filter for applications that tunnel other applications + used-by-malware Configure to filter for applications used by malware
Palo Alto Networks

Palo Alto Networks
set application-group
set application-group
Specifies a set of applications that require the same security settings, to simplify the creation of security policies. For information on enabling application settings using the CLI, refer to set application on page 50. For more information on application groups, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set application-group <name> <member_value>
Options
<name> Enter a name for the application group <value> Select from the list of predefined applications, filters, and groups, or enter a value or list of values enclosed in [ ]

Palo Alto Networks
set captive-portal
set captive-portal
Configures a captive portal on the firewall. You can set up and customize a captive portal to direct user authentication by way of an authentication profile or authentication sequence. Captive portal is used in conjunction with the User-ID Agent to extend user identification functions beyond the Active Directory domain. Users are directed to the portal and authenticated, thereby creating a user-to-IP address mapping For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set captive-portal { authentication-profile <value> | client-certificate-profile <value> | enable-captive-portal {no | yes} | idle-timer <value> | server-certificate <value> | timer <value> | mode | { redirect | { address {<ip/netmask> | <host_name>} | session-cookie { enable {no | yes} | roaming {no | yes} | timeout <value> } } transparent } ntlm-auth { hostname <value> | pan-agent <value> } }
Options
+ authentication-profile Authentication profile name + client-certificate-profile Profile for authenticating client certificates + enable-captive-portal Enable the captive portal + idle-timer Idle timer in minutes (1-1440) + server-certificate SSL server certificate file name + timer Expiration timer in minutes (1-1440) > mode Captive portal mode > redirect Redirect configuration + address Set IP or host name for redirect captive portal (x.x.x.x/y or IPv6/netmask or host hame)
Palo Alto Networks
set captive-portal
> session-cookie Session cookie configuration + enable Enable session cookie + roaming Enable/disable IP roaming + timeout Expiration timer in minutes (60-10080) transparent Transparent option > ntlm-auth NT LAN Manager Authentication + hostname Hostname in the local intranet zone for HTTP redirection + pan-agent Palo Alto Networks agent

Palo Alto Networks
set deviceconfig high-availability

Configures High Availability (HA) on the device. Changes are retained, until overwritten, while the firewall is powered. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set deviceconfig { high-availability | { enabled {no | yes} | group <value> | { description <value> | peer-ip <ip_address> | peer-ip-backup <ip_address> | configuration-synchronization enabled {no | yes} | election-option | { additional-master-hold-up-time <seconds> device-priority <value> flap-max <value> heartbeat-backup {no | yes} heartbeat-interval <milliseconds> hello-interval <milliseconds> monitor-fail-hold-up-time <seconds> preemption-hold-time <minutes> preemptive {no | yes} promotion-hold-time <milliseconds> } mode | { active-active | { device-id {1 | 0} | packet-forwarding {no | yes} | network-configuration sync | { qos {no | yes} | virtual-router {no | yes} } session-load-sharing | { first-packet session-setup | { ip-hash | { hash-key {source | source-and-destination} |
Palo Alto Networks
hash-seed <value> } ip-modulo | primary-device } primary-device } virtual-address <Layer_3_interface_name> {ip <ip_address> | ipv6 <ipv6_address>} { arp-load-sharing | { ip-hash hash-seed <value> | ip-modulo } floating device-priority { device-0 <value> | device-1 <value> | failover-on-link-down {no | yes} } } } active-passive { monitor-fail-hold-down-time <value> passive-link-state {auto | shutdown} } } monitoring | { link-monitoring | { enabled {no | yes} | failure-condition {all | any} | link-group <group_name> } interface {[list of values] | <value>} } } path-monitoring { enabled {no | yes} | failure-condition {all | any} | path-group { virtual-router <value> | { destination-ip <ip_address> | enabled {no | yes} | failure-condition {all | any} | } virtual-wire <value> | {
Palo Alto Networks
destination-ip <ip_address> | enabled {no | yes} | failure-condition {all | any} | source-ip <ip_address> } vlan <value> { destination-ip <ip_address> | enabled {no | yes} | failure-condition {all | any} | source-ip <ip_address> } } } } state-synchronization { enabled {no | yes} | transport { ethernet enabled {no | yes} ip enabled {no | yes} udp enabled {no | yes} } } } interface { ha1 | { gateway <ip_address> ip-address <ip_address> monitor-hold-time <value> netmask <ip_address> port <interface_name> encryption enabled {no | yes} } ha1-backup | { gateway <ip_address> ip-address <ip_address> netmask <ip_address> port <interface_name> } ha2 | { gateway <ip_address> ip-address <ip_address> netmask <ip_address> port <interface_name> } ha2-backup | { gateway <ip_address>
Palo Alto Networks
ip-address <ip_address> netmask <ip_address> port <interface_name> } ha3 port <interface_name> } }
Options
> high-availability + enabled enabled (no or yes) > group HA group configuration <value> Alphanumeric string [a-zA-Z0-9:@./_-] (between 1 and 63) + description group description + peer-ip Peer IP address + peer-ip-backup Backup Peer IP address > configuration-synchronization Configuration synchronization > election-option HA election options + additional-master-hold-up-time Interval in seconds to wait before honoring a path or link monitor failure on the Active or Active-Primary device (between 0 and 60), default = 0. This time is added to that defined in the monitor-fail-hold-up-time setting. + device-priority highest = 0, lowest = 255, default = 100 + flap-max Flaps before entering suspended state, 0 = infinite flaps, default = 3 + heartbeat-backup Use management port as backup path for heartbeat messages + heartbeat-interval Interval in milliseconds to send Heartbeat pings, default = 1000 + hello-interval Interval in milliseconds to send Hello messages, default = 8000 + monitor-fail-hold-up-time Interval in seconds to wait before honoring a path or link monitor failure on this device, default = 0 + preemption-hold-time Interval in minutes to stay Passive before preempting Active device or to stay Active-Secondary before preempting Active-Primary device, default = 1 + preemptive Configure on both HA peers to allow preemption by Passive or Active-Secondary device based on device-priority, default = no + promotion-hold-time Interval in milliseconds to wait before changing state from Passive to Active or Active-Secondary to Active-Primary following a loss of communications with the peer device, default = 2000 > mode Operational mode configuration > active-active Active-Active mode + device-id Device ID in HA group, 0 or 1 + packet-forwarding Forward packet via HA3 link if session is owned by peer device (no or yes) > network-configuration Network configuration synchronization options > sync Synchronization options + qos Synchronize interface QoS configuration + virtual-router Synchronize virtual router configuration > session-load-sharing Firewall session load-sharing options > first-packet Session is owned by the device that receives the first packet of the session > session-setup Session setup load-sharing options > ip-hash Use hashing on source and destination addresses + hash-key Address(es) to use as hash key - source Source address only - source-and-destination Source and destination addresses + hash-seed User-specified hash seed (between 0 and 4294967295) - ip-modulo Use modulo operations on source and destination addresses - primary-device Use Active-Primary device to setup session
Palo Alto Networks

- primary-device Session is owned by the device in Active-Primary state > virtual-address Virtual address configuration (Layer 3 interface name) > ip Interface virtual IP address > arp-load-sharing ARP-based load-sharing > ip-hash Hash based on IP address + hash-seed User-specified hash seed - ip-modulo IP address modulo number of devices, default option > floating Floating address bound to one virtual device at any given time > device-priority Virtual device priority + device-0 Device 0 priority, highest: 0, lowest: 255 + device-1 Device 1 priority, highest: 0, lowest: 255 + failover-on-link-down Failover address if link state is down (no or yes) > ipv6 Interface virtual IPv6 address > arp-load-sharing ARP-based load-sharing > ip-hash Hash based on IP address + hash-seed User-specified hash seed - ip-modulo IP address modulo number of devices, default option > floating Floating address bound to one virtual device at any given time > device-priority Virtual device priority + device-0 Device 0 priority, highest: 0, lowest: 255 + device-1 Device 1 priority, highest: 0, lowest: 255 + failover-on-link-down Failover address if link state is down (no or yes) > active-passive Active-Passive mode + monitor-fail-hold-down-time Interval in minutes to stay in non-functional state following a link/path monitor failure (between 1 and 60); default = 1 + passive-link-state Link mode of data-plane interfaces while in Passive state - auto Link put into automatically configured mode - shutdown Link put into powered off state > monitoring Monitoring configuration > link-monitoring Link monitoring configuration + enabled Link monitoring enabled + failure-condition Condition to determine failure, default = any (failure on any link group) > link-group Monitored link group configuration + interface - Interface(s) to monitor (member value or list of values enclosed in [ ]) > path-monitoring Path monitoring configuration + enabled Path monitoring enabled + failure-condition Condition to determine failure, default = any (failure on any path group) > path-group Monitored path group > virtual-router Monitor within virtual-router (alpha-numeric string [a-zA-Z0-9:@./_-]) + destination-ip Destination IP addresses to monitor + enabled Monitoring enabled + failure-condition Condition to determine failure, default = any (failure on any monitored IP) > virtual-wire Monitor within virtual-wire (alphanumeric string [a-zA-Z0-9:@./_-]) + destination-ip Destination IP addresses to monitor + enabled Monitoring enabled + failure-condition Condition to determine failure, default = any (failure on any monitored IP) + source-ip Source IP address to send monitoring packet > vlan Monitor within VLAN (alphanumeric string [a-zA-Z0-9:@./_-]) + destination-ip Destination IP addresses to monitor + enabled Monitoring enabled + failure-condition Condition to determine failure, default = any (failure on any monitored IP)
Palo Alto Networks
+ source-ip Source IP address to send monitoring packet > state-synchronization State synchronization + enabled enabled (no or yes) + transport transport layer configuration - ethernet Layer2 transport via Ethernet + enabled no | yes - ip Layer3 transport via IP protocol 99 + enabled no | yes - udp Layer4 transport via UDP/29281 + enabled no | yes > interface HA interface configuration > ha1 HA1 interface (control link) + gateway Gateway for the HA1 interface (x.x.x.x) + ip-address IP address for the HA1 interface (x.x.x.x) + monitor-hold-time Hold time in milliseconds to allow HA1 link flapping (between 1000 and 60000); default = 3000 + netmask IP netmask for the HA1 interface (x.x.x.x) + port Interface name > encryption HA1 interface encryption settings + enabled no | yes > ha1-backup Backup HA1 interface (control link) + gateway Gateway for the HA1 interface (x.x.x.x) + ip-address IP address for the HA1 interface (x.x.x.x) + netmask IP netmask for the HA1 interface (x.x.x.x) + port Interface name > ha2 HA2 interface (runtime object synchronization link) + gateway Gateway for the HA2 interface (x.x.x.x) + ip-address IP address for the HA2 interface (x.x.x.x) + netmask IP netmask for the HA2 interface (x.x.x.x) + port Interface name > ha2-backup Backup HA2 interface (runtime object synchronization link) + gateway Gateway for the HA2 interface (x.x.x.x) + ip-address IP address for the HA2 interface (x.x.x.x) + netmask IP netmask for the HA2 interface (x.x.x.x) + port Interface name > ha3 HA3 interface (packet forwarding link in Active-Active mode) + port Interface name

Palo Alto Networks
set deviceconfig setting

Specifies general device settings on the firewall. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set deviceconfig { setting | { application | { bypass-exceed-queue {no | yes} | cache {no | yes} | cache-threshold <value> | dump-unknown {off | on} | heuristics {no | yes} | identify-unknown-traffic-by-port {no | yes} | notify-user {no | yes} | supernode {no | yes} | } config rematch {no | yes} | ctd | { bypass-exceed-queue {no | yes} | http-proxy-use-transaction {no | yes} | strip-x-fwd-for {no | yes} | url-admin-timeout <minutes> | url-coach-timeout <minutes> | url-lockout-timeout <minutes> | url-wait-timeout <seconds> | x-forwarded-for {no | yes} } custom-logo | { login-screen {content <value> | file-name <value>} | main-ui {content <value> | file-name <value>} | pdf-report-footer {content <value> | file-name <value>} | pdf-report-header {content <value> | file-name <value>} } icmpv6-rate-limit | { bucket-size <value> | packet-rate <value> } logging | { log-suppression {no | yes} | max-log-rate <value> |
Palo Alto Networks
max-packet-rate <value> } logrcvr container-page-timeout <value> | management | { auto-acquire-commit-lock {no | yes} | idle-timeout <value> | log-forwarding-from-device-buffered {no | yes} | max-audit-versions <value> | max-rows-in-csv-export <value> | max-rows-in-pdf-report <value> | only-active-primary-logs-to-local-disk {no | yes} | panorama-ssl-send-retries <value> | panorama-tcp-receive-timeout <value> | panorama-tcp-send-timeout <value> | send-hostname-in-syslog {no | yes} | traffic-stop-on-logdb-full {no | yes} | admin-lockout | { failed-attempts <value> | lockout-time <value> } common-criteria | { enable-cconly-logs {no | yes} | skip-authentication-failure-logs {no | yes} | skip-authentication-success-logs {no | yes} | skip-configuration-logs-for {[list of values] | <value>} } common-criteria-alarm-generation | { enable-alarm-generation {no | yes} | enable-audible-alarms {no | yes} | enable-cli-alarm-notification {no | yes} | enable-web-alarm-notification {no | yes} | encrypt-decrypt-fail-count <value> | log-correlation | { tags <value> | rule-limits {count <value> | time-interval <value>} | security-policy-limits {count <value> | time-interval <value>} } log-databases-alarm-threshold {alarm | config | hipmatch | system | threat | traffic} <value> } disk-quota | { alarm <value> | application-pcaps <value> | appstat <value> | config <value> | debug-filter-pcaps <value> | dlp-logs <value> |
Palo Alto Networks
hip-reports <value> | hipmatch <value> | system <value> | threat <value> | threat-pcaps <value> | thsum <value> | traffic <value> | trsum <value> } log-correlation { tags {[list of values] | <value> | no log | filter} | rule-limits | { count <value> | time-interval <value> } security-policy-limits { count <value> | time-interval <value> } } } nat | { reserve-ip {no | yes} | reserve-time <seconds> } pan-agent ignore-unknown-response {no | yes} | pow | { wqe-inuse-check {no | yes} | wqe-tag-check {no | yes} } session | { accelerated-aging-enable {no | yes} | accelerated-aging-scaling-factor <value> | accelerated-aging-threshold <value> | ipv6-firewalling {no | yes} | offload {no | yes} | scan-scaling-factor <value> | scan-threshold <value> | tcp-reject-non-syn {no | yes} | timeout-default <value> | timeout-discard-default <value> | timeout-discard-tcp <value> | timeout-discard-udp <value> | timeout-icmp <value> | timeout-scan <value> | timeout-tcp <value> | timeout-tcpinit <value> | timeout-tcpwait <value> |
Palo Alto Networks
timeout-udp <value> } ssl-decrypt | { answer-timeout <seconds> | block-timeout-cert {no | yes} | block-unknown-cert {no | yes} | cert-status-timeout <seconds> | crl {no | yes} | crl-receive-timeout <seconds> | deny-setup-failure {no | yes} | notify-user {no | yes} | ocsp {no | yes} | ocsp-receive-timeout <seconds> | url-proxy {no | yes} } tcp | { bypass-exceed-oo-queue {no | yes} | drop-out-of-wnd {no | yes} | favor-new-seg {no | yes} | out-of-sync {bypass | ignore | reject} } url dynamic-url-timeout <hours> zip { enable {no | yes} | sw {no | yes} } }
Options
> setting > application + bypass-exceed-queue Set whether to skip inspection of session if queue limit is exceeded + cache Set if application cache should be enabled + cache-threshold Set application cache threshold (between 1 and 65535) + dump-unknown Set if unknown application capture should be enabled + heuristics Set if heuristics detection should be enabled + identify-unknown-traffic-by-port Set if unknown traffic should be identified by source or destination port + notify-user Set if user should be notified when web-application is blocked + supernode Set if supernode detection should be enabled > config rematch (no or yes) > ctd + bypass-exceed-queue Set whether to skip inspection of session if queue limit is exceeded + http-proxy-use-transaction Set whether to use transaction for stats for http proxy sessions + strip-x-fwd-for Set whether to strip x-forwarded-for in http header + url-admin-timeout Set URL admin continue timeout in minutes (1-86400) + url-coach-timeout Set URL coach continue timeout in minutes (1-86400) + url-lockout-timeout Set URL admin override lockout timeout in minutes (1-86400) + url-wait-timeout Set URL category query timeout in seconds (1-60) + x-forwarded-for Enable/disable parsing of x-forwarded-for attribute
Palo Alto Networks
> custom-logo > login-screen Import custom logo for login screen (from content or file) > main-ui Import custom logo for main user interface (from content or file) > pdf-report-footer Import custom logo for PDF report footers(from content or file) > pdf-report-header Import custom logo for PDF report headers(from content or file) > icmpv6-rate-limit + bucket-size Token-bucket size for ICMPv6 error rate limiting (10-65535) + packet-rate ICMPv6 error packet limit per second (1-65535) > logging + log-suppression Enable/disable log suppression + max-log-rate Set maximum logging rate (0-50000) + max-packet-rate Set maximum packet logging rate (0-2560) > logrcvr container-page-timeout Container page timeout in seconds (1-60) > management + auto-acquire-commit-lock Automatically add a commit lock when modifying configuration + idle-timeout Default administrative session idle timeout in minutes (1-1440; 0 = never) + log-forwarding-from-device-buffered (Panorama only) Set to enable log buffering between the device and Panorama; if enabled, logs are retained despite a temporary connection loss; default = yes + max-audit-versions Maximum number of audited versions of config to preserve (1-1048576) + max-rows-in-csv-export Maximum number of rows in exported csv files (1-1048576) + max-rows-in-pdf-report Maximum number of rows in user activity report (1-1048576) + only-active-primary-logs-to-local-disk (Panorama only) Set to perform all logging only on the Active-Primary Panorama instance; if not set, both Panorama instances will receive and store all logs; default = no (this setting affects only logging to Panorama's internal log store and does not affect NFS mounts) + panorama-ssl-send-retries Retry count for SSL sends to Panorama (1-64) + panorama-tcp-receive-timeout Receive timeout for TCP connection to Panorama (1-120) + panorama-tcp-send-timeout Send timeout for TCP connection to Panorama (1-120) + send-hostname-in-syslog Send hostname as part of syslog + traffic-stop-on-logdb-full Stop traffic if logdb is full with unexported logs > admin-lockout Administrative login lockout settings + failed-attempts Number of failed login attempts to trigger lock-out (0-10) + lockout-time Number of minutes to lock-out (0-60) > common-criteria + enable-cconly-logs Enable logging of Common Criteria (CC) only logs + skip-authentication-failure-logs Do not log unsuccessful authentication attempts + skip-authentication-success-logs Do not log successful authentication + skip-configuration-logs-for Lists administrator accounts for which configuration logs will not be recorded (member or list of members) > common-criteria-alarm-generation + enable-alarm-generation Enable Common Criteria (CC) alarms generation + enable-audible-alarms Enable audio sound for alarms + enable-cli-alarm-notification Enable alarms notification on admin console + enable-web-alarm-notification Enable alarms notification on Web + encrypt-decrypt-fail-count Encryption/Decryption failure counts limit (1-4294967295) > log-correlation Log correlation tagging and policies + tags Specify tag or list of tags between [ ] > rule-limits Rule policy limits for log-correlation (count 1-4294967295; time-interval 3086400). The two options apply to the number of times, and time in which, the rules that are tagged with "tags" are matched. > security-policy-limits Security policy limits for log correlation (count 1-4294967295; timeinterval 30-86400). Security policy limits affect each individual rule in the security policy. If any rule hits the specified count within the time-interval, an alarm is generated. > log-databases-alarm-threshold Log databases % full threshold value for alarms generation
Palo Alto Networks
+ alarm alarm logs database % full threshold value for alarm generation (1-100) + config configuration logs database % full threshold value for alarm generation (1-100) + hipmatch hipmatch logs database % full threshold value for alarm generation (1-100) + system system logs database % full threshold value for alarm generation (1-100) + threat threat logs database % full threshold value for alarm generation (1-100) + traffic traffic logs database % full threshold value for alarm generation (1-100) > disk-quota Quotas for logs, packet captures etc. (percentages between 0 and 90.0) + alarm Alarm logs quota percentage + application-pcaps Application packet capture quota percentage + appstat Application statistics quota percentage + config Configuration logs quota percentage + debug-filter-pcaps Debug filter packet capture quota percentage + dlp-logs DLP log data quota percentage + hip-reports Host information profile quota percentage + hipmatch HIP match quota percentage + system System logs quota percentage + threat Threat logs quota percentage + threat-pcaps Threat packet capture quota percentage + thsum Threat summary quota percentage + traffic Traffic logs quota percentage + trsum Traffic summary quota percentage > log-correlation + tags Tags (member value, list of values, No Log, or tag filter) > rule-limits Rule policy limits + count Between 30 and 4294967296 + time-interval Between 30 and 3600 > security-policy-limits Security policy limits + count Between 30 and 4294967296 + time-interval Between 30 and 3600 > nat + reserve-ip Reserve translated IP for specified time + reserve-time Reserve time value in seconds (1-604800) > pan-agent + ignore-unknown-response If true, ignore unknown response from PAN-agent > pow + wqe-inuse-check Enable/disable WQE in-use check + wqe-tag-check Enable/disable WQE session id tag check > session + accelerated-aging-enable Enable/disable accelerated session aging + accelerated-aging-scaling-factor Set accelerated session aging scaling factor (power of 2) (2-16) + accelerated-aging-threshold Set accelerated aging threshold in percentage of session utilization (5099) + ipv6-firewalling Enable/disable IPv6 firewalling + offload Enable/disable hardware session offloading + scan-scaling-factor Set scan scaling factor (2-16) + scan-threshold Resource utilization threshold to trigger session scan (50-99) + tcp-reject-non-syn Reject non-SYN TCP packet for session setup + timeout-default Set session default timeout value in seconds (1-15999999) + timeout-discard-default Set timeout of non-TCP/UDP session in discard state (1-15999999) + timeout-discard-tcp Set timeout of TCP session in discard state (1-15999999) + timeout-discard-udp Set timeout of UDP session in discard state (1-15999999) + timeout-icmp Set ICMP timeout value in seconds (1-15999999) + timeout-scan Application trickling timeout value in seconds (5-30) + timeout-tcp Set TCP timeout value in seconds (1-15999999)
Palo Alto Networks
+ timeout-tcpinit Set TCP initial session timeout (before 3-way handshaking is completed) value in seconds (1-60) + timeout-tcpwait Set session TCP wait timeout (after receiving FIN/RST) value in seconds (1-60) + timeout-udp Set UDP timeout value in seconds (1-15999999) > ssl-decrypt + answer-timeout Set user reply timeout value in seconds (1-86400) + block-timeout-cert Set whether to block a session if certificate status can't be retrieved within timeout + block-unknown-cert Set whether to block a session if certificate status is unknown + cert-status-timeout Set cert status query timeout value in seconds (0-60) + crl Set whether to use CRL to check certificate status + crl-receive-timeout Set CRL receive timeout value in seconds (0-60) + deny-setup-failure Set whether to deny session if proxy setup failed + notify-user Set if user notification should be enabled + ocsp Set whether to use OCSP to check certificate status + ocsp-receive-timeout Set OCSP receive timeout value in seconds (0-60) + url-proxy Set proxy for SSL sessions if the IPs URL category is blocked > tcp + bypass-exceed-oo-queue Set whether to skip inspection of session if out-of-order packets limit is exceeded + drop-out-of-wnd Set drop/allow out of window packets + favor-new-seg Set whether to favor new segments when overlapping happens + out-of-sync Set actions for out of sync tcp sessions (bypass, ignore, or reject) > url + dynamic-url-timeout Dynamic URL entry timeout in hours (1-720) > zip + enable Enable/disable zip engine + sw Enable/disable zip hardware engine
Sample Output
The following command locks an administrative user out for 15 minutes after 5 failed login attempts.
username@hostname# set deviceconfig setting management admin-lockout 5 lockout-time 15

Palo Alto Networks
set deviceconfig system

Specifies system-related settings on the firewall. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set deviceconfig { system { authentication-profile <value> | client-certificate-profile <value> | default-gateway <ip_address> | domain <value> | domain-lookup-url <value> | fqdn-forcerefresh-time <value> | fqdn-refresh-time <value> | hostname <value> | ip-address <ip_address> | ip-address-lookup-url <value> | ipv6-address <ip/netmask> | ipv6-default-gateway <value> | login-banner <value> | netmask <value> | ntp-server-1 <value> | ntp-server-2 <value> | panorama-server <value> | panorama-server-2 <value> | secure-proxy-password <value> | secure-proxy-port <value> | secure-proxy-server <value> | secure-proxy-user <value> | speed-duplex <value> | timezone <value> | update-server <value> | web-server-certificate <value> | dns-setting | { dns-proxy-object <value> | servers {primary <value> | secondary <value>} } geo-location | { latitude <coordinate> | longitude <coordinate> } log-export-schedule <schedule_name> { description <value> |
Palo Alto Networks
enable {no | yes} | log-type {data | hipmatch | threat | traffic | url} start-time <value> | protocol ftp { hostname <value> | passive-mode {no | yes} | password <value> | port <value> | username <value> } } log-link <value> url <value> | permitted-ip <value> | route | { destination <value> source-address <value> | service { crl-status source-address <value> | dns source-address <value> | email source-address <value> | ntp source-address <value> | paloalto-updates source-address <value> | panorama source-address <value> | proxy source-address <value> | radius source-address <value> | snmp source-address <value> | syslog source-address <value> | uid-agent source-address <value> | url-updates source-address <value> } } service | { disable-http {no | yes} | disable-https {no | yes} | disable-icmp {no | yes} | disable-snmp {no | yes} | disable-ssh {no | yes} | disable-telnet {no | yes} } snmp-setting | { access-setting version | { v2c snmp-community-string <value> | v3 { users <user_name> | { authpwd <value> | privpwd <value> | view <value>
Palo Alto Networks
} views <view_name> view <value> } snmp-system { contact <value> | location <value> } } update-schedule { anti-virus recurring | { sync-to-peer {no | yes} | threshold <value> | daily at <value> action {download-and-install | download-only} | hourly at <value> action {download-and-install | download-only} | weekly { at <value> | day-of-week {friday | monday | saturday | sunday | thursday | tuesday | wednesday} | action {download-and-install | download-only} } } opswat-datafile recurring | { daily at <value> action {download-and-install | download-only} | hourly at <value> action {download-and-install | download-only} | weekly { at <value> | day-of-week {friday | monday | saturday | sunday | thursday | tuesday | wednesday} | action {download-and-install | download-only} } } statistics-service | { application-reports | { top-applications-by-destination-ports {no | yes} | top-applications-by-sessions {no | yes} } device software-crash-info {no | yes} | threat-reports | { top-threats-by-attacker-addresses {no | yes} | top-threats-by-attacker-countries {no | yes} | top-threats-by-destination-ports {no | yes} | top-threats-by-name {no | yes} } unknown-application-reports | {
Palo Alto Networks
unknown-applications-by-destination-addresses {no | yes} | unknown-applications-by-destination-ports {no | yes} } url-reports { malware-categories-by-url {no | yes} | unknown-categories-by-url {no | yes} } } threats recurring | { sync-to-peer {no | yes} | threshold <value> | daily at <value> action {download-and-install | download-only} weekly { at <value> | day-of-week {friday | monday | saturday | sunday | thursday tuesday | wednesday} | action {download-and-install | download-only} } } url-database recurring { daily at <value> action {download-and-install | download-only} weekly { at <value> | day-of-week {friday | monday | saturday | sunday | thursday tuesday | wednesday} | action {download-and-install | download-only} } } } } }
Options
> system + authentication-profile Authentication profile to use for non-local administrators (RADIUS method is supported) + client-certificate-profile Profile for verifying client certificates + default-gateway Default gateway IP address + domain Domain value + domain-lookup-url Domain lookup URL + fqdn-forcerefresh-time Seconds for Periodic Timer to force refresh FQDN object entries (14400-86400) + fqdn-refresh-time Seconds for Periodic Timer to refresh expired FQDN object entries (1800-14399) + hostname Hostname value + ip-address IP address for the management interface + ip-address-lookup-url IP address lookup URL + ipv6-address IPv6/netmask for the management interface + ipv6-default-gateway IPv6 for the default gateway + login-banner Login banner text
Palo Alto Networks
+ netmask IP address or IPv6 for the management interface network mask + ntp-server-1 First Network Time Protocol (NTP) server IP address + ntp-server-2 Second Network Time Protocol server IP address + panorama-server First Panorama server IP address or FQDN + panorama-server-2 Second Panorama server IP address or FQDN + secure-proxy-password Secure Proxy password to use + secure-proxy-port Port for secure proxy server (1-65535) + secure-proxy-server Secure Proxy server to use + secure-proxy-user Secure Proxy user name to use + speed-duplex Speed and duplex for the management interface (100Mbps-full-duplex, 100Mbps-halfduplex, 10Mbps-full-duplex, 10Mbps-half-duplex, 1Gbps-full-duplex, 1Gbps-half-duplex, or autonegotiate) + timezone Time zone name (press <tab> for a list of time zones) + update-server Palo Alto Networks update server + web-server-certificate Certificate for secure web GUI > dns-setting > dns-proxy-object DNS proxy object to use for resolving FQDNs > servers Primary and secondary DNS servers + primary Primary DNS server IP address + secondary Secondary DNS server IP address > geo-location Device geographic location + latitude Latitude coordinate + longitude Longitude coordinate > log-export-schedule Schedule for exporting logs + description description text + enable Enable no or yes + log-type Type of log (data, hipmatch, threat, traffic, or URL) + start-time Time to start the scheduled export hh:mm (e.g. 03:30) > protocol Use ftp protocol for export + hostname ftp hostname + passive-mode Passive mode (no or yes) + password ftp password + port ftp port (1-65535) + username ftp username > log-link Link to external log (option to provide URL format of link) > permitted-ip Permitted IP address (x.x.x.x/y) or IPv6/netmask > route > destination Destination IP address or FQDN + source-address Source IP address to use to reach destination > service Service name + source-address Source IP address to use to reach destination > service + disable-http Disable HTTP (no or yes) + disable-https Disable HTTPS (no or yes) + disable-icmp Disable ICMP (no or yes) + disable-snmp Disable SNMP (no or yes) + disable-ssh Disable SSH (no or yes) + disable-telnet Disable Telnet (no or yes) > snmp-setting > access-setting Access setting version version v2c + snmp-community-string SNMP community string value version v3 > users User name
Palo Alto Networks
+ authpwd Authentication Protocol Password + privpwd Privacy Protocol Password + view SNMP View Name > views View name view Oid subtree name > snmp-system + contact Email contact information + location System location > update-schedule Schedule for downloading/installing updates > anti-virus Anti-virus database + sync-to-peer Synchronize content with HA peer after download/install + threshold Ignore if release date is new (1-120 hours) > daily Schedule update everyday + action Action (download and install or download and do not install) + at Time specification hh:mm (e.g. 20:10) > hourly Schedule update every hour + action Action (download and install or download and do not install) + at Minutes past the hour > weekly Schedule update once a week + action Action (download and install or download and do not install) + at Time specification hh:mm (e.g. 20:10) + day-of-week Day of the week (Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday) > opswat-datafile OPSWAT, Inc. data file update > daily Schedule update everyday + action Action (download and install or download and do not install) + at Time specification hh:mm (e.g. 20:10) > hourly Schedule update every hour + action Action (download and install or download and do not install) + at Minutes past the hour > weekly Schedule update once a week + action Action (download and install or download and do not install) + at Time specification hh:mm (e.g. 20:10) + day-of-week Day of the week (Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday) > statistics-service Participate in anonymous statistics upload service > application-reports Upload application reports statistics + top-applications-by-destination-ports Application usage by destination ports (no or yes) + top-applications-by-sessions Application usage by session count (no or yes) > device Upload device statistics + software-crash-info Back traces of crashes (no or yes) > threat-reports Upload threat reports statistics + top-threats-by-attacker-addresses Threats by attacker IP Addresses (no or yes) + top-threats-by-attacker-countries Threats by attacker countries (no or yes) + top-threats-by-destination-ports Threats by destination ports (no or yes) + top-threats-by-name Threats by name (no or yes) > unknown-application-reports Upload unknown application reports statistics + unknown-applications-by-destination-addresses Unknown applications by destination IP addresses (no or yes) + unknown-applications-by-destination-ports Unknown applications by destination ports (no or yes) > url-reports Upload URL reports statistics + malware-categories-by-url Malware categories by URLs (no or yes) + unknown-categories-by-url Unknown categories by URLs (no or yes)
Palo Alto Networks
> threats Threat-detection database + sync-to-peer Synchronize content with HA peer after download/install + threshold Ignore if release date is new (1-120 hours) > daily Schedule update everyday + action Action (download and install or download and do not install) + at Time specification hh:mm (e.g. 20:10) > weekly Schedule update once a week + action Action (download and install or download and do not install) + at Time specification hh:mm (e.g. 20:10) + day-of-week Day of the week (Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday) > url-database URL filtering database > daily Schedule update everyday + action Action (download and install or download and do not install) + at Time specification hh:mm (e.g. 20:10) > weekly Schedule update once a week + action Action (download and install or download and do not install) + at Time specification hh:mm (e.g. 20:10) + day-of-week Day of the week (Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday)
Sample Output
The following command locks an administrative user out for 15 minutes after 5 failed login attempts.
username@hostname# set deviceconfig setting management admin-lockout 5 lockout-time 15

Palo Alto Networks
set display-name
set display-name
Configures a system name that will be used as an identifier in other commands. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set display-name <name>
Options
<name> Specifies the display name for the system

Palo Alto Networks
set email-scheduler
set email-scheduler
Specifies settings for email delivery of PDF summary reports. For more information, refer to the Reports and Logs chapter in the Palo Alto Networks Administrators Guide.
Syntax
set email-scheduler <name> { email-profile <value> | recipient-emails <value> | report-group <value> | recurring { weekly {friday | monday | saturday | sunday | thursday | tuesday | wednesday} | daily | disabled } }
Options
<name> Specifies the name for the email scheduler + email-profile Email profile value + recipient-emails Recipient emails value + report-group Report group value > recurring Recurring frequency > weekly Once a week; specify the day - daily Every day - disabled No scheduling

Palo Alto Networks
set global-protect
set global-protect
Configures GlobalProtect on the firewall. GlobalProtect provides security for client systems, such as laptops, that are used in the field by allowing easy and secure login from anywhere in the world. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set global-protect { global-protect-gateway <name> | { authentication-profile <value> | client-certificate-profile <value> | server-certificate <value> | tunnel-mode {no | yes} | hip-notification <name> {match-message <value> | not-match-message <value>} | local-address | { interface <value> | floating-ip <ip_address> | ip <ip_address> } roles default { inactivity-logout {days | hours | minutes} | login-lifetime {days | hours | minutes} } } global-protect-portal <name> { client-config | { client-certificate <value> | on-demand {no | yes} | root-ca <value> | third-party-vpn-clients <member_value> | use-sso {no | yes} | agent-ui | { agent-user-override {disabled | with-comment | with-passcode} | can-save-password {no | yes} | passcode <value> } gateways {external list <value> | internal list <value>} | hip-collection | { max-wait-time <value> | custom-checks windows |
Palo Alto Networks
set global-protect
{ process-list <member_value> | registry-key <name> registry-value <value> } exclusion category <name> {vendor <name> product <name>}} } internal-host-detection { hostname <value> | ip-address <ip_address> } } portal-config { authentication-profile <value> | custom-help-page {factory-default | <value>} | custom-login-page {factory-default | <value>} | server-certificate <value> | local-address { interface <value> | floating-ip <ip_address> | ip <ip_address> } } } }
Options
> global-protect-gateway GlobalProtect gateway user related configuration + authentication-profile Authentication profile used for this GlobalProtect gateway + client-certificate-profile Profile for authenticating client certificates + server-certificate SSL server certificate file name + tunnel-mode Tunnel mode configuration > hip-notification Host PC health evaluation + match-message Display message for matching result + not-match-message Display message for non-matching result > local-address Local IP configuration + interface Local gateway end-point > floating-ip Floating IP address in HA Active-Active configuration > ip Specify exact IP address if interface has multiple addresses > roles Role-based user management for GlobalProtect gateway users > inactivity-logout GlobalProtect gateway session timeout due to inactivity > days Specify lifetime in days (1-30) > hours Specify lifetime in hours (1-720) > minutes Specify lifetime in minutes (3-43200) > login-lifetime GlobalProtect gateway user login lifetime before re-authentication > days Specify lifetime in days (1-3650) > hours Specify lifetime in hours (1-87600) > minutes Specify lifetime in minutes (3-5256000) > global-protect-portal GlobalProtect portal configuration > client-config Client configuration + client-certificate SSL client certificate
Palo Alto Networks
set global-protect
+ on-demand On demand + root-ca Trusted CAs of gateways; specify value or list of values enclosed in [ ] + third-party-vpn-clients Third party vpn clients configuration; specify member value or list of values enclosed in [ ] + use-sso Use single sign-on > agent-ui Agent user interface configuration + agent-user-override Agent override policy (disabled, with comment, or with passcode) + can-save-password User can save password + passcode Passcode required for override > gateways GlobalProtect gateways configuration > external External gateways + list IP address or Fully Qualified Domain Name (FQDN) host name (x.x.x.x/y or IPv6/ netmask or host name or list of values enclosed in [ ]) > internal Internal gateways + list IP address or Fully Qualified Domain Name (FQDN) host name (x.x.x.x/y or IPv6/ netmask or host name or list of values enclosed in [ ]) > hip-collection Host information profile collection instructions + max-wait-time Max wait time in seconds (10-60) > custom-checks Custom checks > windows Windows specific custom checks + process-list Process list (member value or list of values enclosed in [ ]) > registry-key Registry key name + registry-value Registry value (member value or list of values enclosed in [ ]) > exclusion Exclusion categories > category Category name > vendor Vendor name + product Product name (member value or list of values enclosed in [ ]) > internal-host-detection Internal host detection + hostname Host name of the IP in DNS record + ip-address Internal IP address of a host (x.x.x.x or IPv6) > portal-config Portal configuration + authentication-profile Authentication profile used for this GlobalProtect + custom-help-page Custom help page; select factory default or enter a value + custom-login-page Custom login page; select factory default or enter a value + server-certificate SSL server certificate file name > local-address Local IP configuration + interface Local gateway end-point > floating-ip Floating IP address in HA Active-Active configuration > ip Specify exact IP address if interface has multiple addresses

Palo Alto Networks
set ldap-server
set ldap-server
Specifies Lightweight Directory Access Protocol (LDAP) settings for use in authentication profiles. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set ldap-server <name> { disabled {no | yes} | group-filter <value> | group-member <member_value> | group-name <member_value> | group-object <member_value> | server-profile <name> | update-interval <value> | user-filter <value> | user-name <member_value> | user-object <member_value> }
Options
<name> Specifies the Lightweight Directory Access Protocol (LDAP) server + disabled Disabled + group-filter LDAP search filter for group + group-member Group member attribute (value or list of values enclosed in [ ]) + group-name Group name attribute (value or list of values enclosed in [ ]) + group-object Group object class (value or list of values enclosed in [ ]) + server-profile LDAP server object name + update-interval Interval for updating group membership, in seconds (60-86400; default = 3600 seconds) + user-filter LDAP search filter for user + user-name User name attribute (value or list of values enclosed in [ ]) + user-object User object class (value or list of values enclosed in [ ])

Palo Alto Networks
set mgt-config
set mgt-config
Configures management accounts on the firewall. For more information, refer to the Getting Started chapter in the Palo Alto Networks Administrators Guide.
Syntax
set mgt-config { access domain <name> {vsys <name> | [list of values]} | users <name> { authentication-profile <profile_name> | client-certificate-only {no | yes} | permissions role-based | { deviceadmin <name> | devicereader <name> | custom | { profile <name> | vsys <name> } superreader yes | superuser yes | vsysadmin <name> {vsys <name> | [list of values]} | vsysreader <name> {vsys <name> | [list of values]} } phash <value> | preferences | { disable-dns {no | yes} | saved-log-query { config <name> query <query_value> | data <name> query <query_value> | system <name> query <query_value> | threat <name> query <query_value> | traffic <name> query <query_value> | url <name> query <query_value> } } password }
Options
> access-domain Groups used for restricting administrative access + vsys Virtual system name or list of values enclosed in [ ] > users Select from the list of defined users or enter a new name
Palo Alto Networks
set mgt-config
+ authentication-profile Authentication profile or sequence name + client-certificate-only Is client certificate authentication enough? (no or yes) > permissions Role-based permissions + deviceadmin Device name(s) (localhost.localdomain) or list of values enclosed in [ ] + devicereader Device name(s) (localhost.localdomain) or list of values enclosed in [ ] > custom Custom role-based permissions + profile Select from the list of defined profiles or enter a new name + vsys Virtual system name or list of values enclosed in [ ] (available only when virtual systems are enabled) > superreader Assign superreader role to specified user > superuser Assign superuser role to specified user > vsysadmin Virtual system administrator (available only when virtual systems are enabled) + vsys virtual system name(s) (localhost.localdomain) or list of values enclosed in [ ] > vsysreader Virtual system reader (available only when virtual systems are enabled) + vsys virtual system name(s) (localhost.localdomain) or list of values enclosed in [ ] > phash phash value > preferences Preferences for specified user + disable-dns Disable Domain Name System (DNS) > saved-log-query Query a saved log > config Configuration log name and query value > data Data log name and query value > system System log name and query value > threat Threat log name and query value > traffic Traffic log name and query value > url URL log name and query value password Option to provide a password

Palo Alto Networks
set network dhcp
set network dhcp

Configures the network Dynamic Host Configuration Protocol (DHCP) server or DHCP relay settings. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
set network dhcp interface <interface_value> { relay | { ip | { enabled {no | yes} | server <ip_address> } ipv6 server { enabled {no | yes} | server <ip/netmask> {interface <value>} } } server { ip-pool {<ip_range> | <ip/netmask> | <value>} | mode {auto | disabled | enabled} | probe-ip {no | yes} | option { dns <ip_address> | dns-suffix <value> | gateway <ip_address> | nis <ip_address> | ntp <ip_address> | pop3-server <ip_address> | smtp-server <ip_address> | wins <ip_address> | lease {timeout <value> | unlimited} } reserved <ip_address> {mac <mac_address>} } }
Options
<interface_value> Interface for DHCP configuration > relay Relay configuration > ip DHCP IP configuration + enabled Enable configuration + server Relay server IP address (x.x.x.x or IPv6 or list enclosed in [ ])
Palo Alto Networks
set network dhcp
> ipv6 DHCP IPv6 configuration + enabled Enable configuration > server Relay server IPv6 address (x.x.x.x or IPv6 or list enclosed in [ ]) + interface Interface value > server Server configuration + ip-pool IP subnets or ranges (x.x.x.x-y.y.y.y or IPv6-range or x.x.x.x/y or IPv6/netmask or list of values enclosed in [ ]) + mode Mode (automatic, disable DHCP server, or enable DHCP server) + probe-ip Ping the IP when allocating a new IP > option Options + dns Domain Name System (DNS) server IP address (x.x.x.x or IPv6 or list of values enclosed in [ ]) + dns-suffix DNS suffix + gateway Gateway (x.x.x.x or IPv6) + nis Network Information Service (NIS) server IP address (x.x.x.x or IPv6 or list of values enclosed in [ ]) + ntp Network Time Protocol (NTP) server IP address (x.x.x.x or IPv6 or list of values enclosed in [ ]) + pop3-server Post Office Protocol 3 (POP3) server (x.x.x.x or IPv6) + smtp-server Simple Mail Transfer Protocol (SMTP) server (x.x.x.x or IPv6) + wins Windows Internet Name Service (WINS) server IP address (x.x.x.x or IPv6 or list of values enclosed in [ ]) > lease Lease, unlimited or timeout in minutes (0-1000000) > reserved Reserved IP address or IPv6 address + mac Media Access Control (MAC) address (xx:xx:xx:xx:xx:xx)

Palo Alto Networks
set network dns-proxy

Configures Domain Name System (DNS) proxy on the firewall. The firewall supports the selective directing of DNS queries to different DNS servers based on full or partial domain names. TCP or UDP DNS queries are sent through the configured interface. UDP queries fail over to TCP when a DNS query answer is too long for a single UDP packet. If the domain name is not found in the DNS proxy cache, the domain name is searched for a match based on configuration of the entries in the specific DNS proxy object (on the interface on which the DNS query arrived) and forwarded to a name server based on the match results. If no match is found, the default name servers are used. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
set network dns-proxy <name> { enabled {no | yes} | interface <interface_name> | cache | { enabled {no | yes} | size <value> | timeout <value> | } default {primary <ip_address> | secondary <ip_address>} | domain-servers <name> | { cacheable {no | yes} | domain-name <value> | primary <ip_address> | secondary <ip_address> } static-entries <name> {address <ip_address> | domain <value>} | tcp-queries | { enabled {no | yes} | max-pending-requests <value> } udp-queries retries {attemps <value> | interval <value>} }
Options
<name> DNS proxy name + enabled Enable or disable processing of DNS requests on interface(s) on this object + interface Interface(s) enabled for DNS Proxy > cache Specify DNS cache related settings + enabled Turn on/off caching for this DNS object + size Max number of entries stored in cache (1024-10240) + timeout Time in hours after which cache is cleared (4-24)
Palo Alto Networks
> default Specify DNS default settings + primary Primary DNS Name server IP address (x.x.x.x or IPv6) + secondary Secondary DNS Name server IP address (x.x.x.x or IPv6) > domain-servers Specify domain names to name servers mappings + cacheable Turn on/off caching of domains resolved by this mapping + domain-name Domain names(s) that will be matched (value or list of values enclosed in [ ]) + primary Primary DNS Name server IP address (x.x.x.x or IPv6) + secondary Secondary DNS Name server IP address (x.x.x.x or IPv6) > static-entries Specify static domain name to name server mappings + address IP addresses for specified domain name (x.x.x.x or IPv6 or list of values enclosed in [ ]) + domain Fully qualified domain name for specified IP address > tcp-queries Specify TCP queries related settings + enabled Turn on/off forwarding of TCP DNS queries + max-pending-requests Upper limit on number of concurrent TCP DNS requests (1024-2048) > udp-queries Specify UDP queries related settings > retries Tune DNS query forwarding retry parameters + attempts Maximum number of retries before trying next name server (1-30) + interval Time in seconds for another request to be sent (1-30)

Palo Alto Networks
set network ike
set network ike

Configures the Internet Key Exchange (IKE) protocol for securing IPSec tunnels. For more information, refer to the Configuring IPSec Tunnels chapter in the Palo Alto Networks Administrators Guide.
Syntax
set network ike { crypto-profiles | { ike-crypto-profiles {default | <name>} | { dh-group {group1 | group14 | group2 | group5 | <list>} | encryption {3des | aes128 | aes192 | aes256 | <list>} | hash {md5 | sha1 | <list>} | lifetime {days | hours | minutes | seconds} <value> } ipsec-crypto-profiles {default | <name>} | { dh-group {group1 | group14 | group2 | group5 | no-pfs} | ah authentication { md5 | sha1 | <list>} | esp | { authentication {md5 | sha1 | none | <list>} | encryption {3des | aes128 | aes192 | aes256 | null | <list>} | } lifesize {gb | kb | mb | tb} <value> | lifetime {days | hours | minutes | seconds} <value> } } gateway <name> { authentication pre-shared-key key <value> | local-address | { interface <value> | floating-ip <ip_address> | ip <ip_address> } local-id | { id <value> | type {fqdn | ipaddr | keyid | ufqdn} } peer-address {ip <ip_address> | dynamic} | peer-id | { id <value> | type {fqdn | ipaddr | keyid | ufqdn}
Palo Alto Networks
set network ike
} protocol ikev1 | { exchange-mode {aggressive | auto | main} | ike-crypto-profile {default | <name>} | dpd { enable {no | yes} | interval <value> | retry <value> } } protocol-common { passive-mode {no | yes} | nat-traversal enable {no | yes} } } }
Options
> crypto-profiles IKE/IPsec Security Association (SA) Proposal Configuration > ike-crypto-profiles IKE SA proposals; specify default or enter a name + dh-group Phase-1 Diffie-Hellman (DH) group; select from the following or enter a list of values enclosed in [ ] group1 768-bit MODP Group group14 2048-bit MODP Group, NIST rating 112-bit strength group2 1024-bit MODP Group, NIST rating 80-bit strength group5 1536-bit MODP Group + encryption Encryption algorithm; select from the following or enter a list of values enclosed in [ ] 3des NIST rating 112-bit strength aes128 NIST rating 128-bit strength aes192 NIST rating 192-bit strength aes256 NIST rating 256-bit strength + hash Hashing algorithm; select from the following or enter a list of values enclosed in [ ] md5 Below 80-bit strength sha1 NIST rating 128-bit strength > lifetime IKE SA lifetime > days Specify lifetime in days (1-65535) > hours Specify lifetime in hours (1-65535) > minutes Specify lifetime in minutes (3-65535) > seconds Specify lifetime in seconds (180-65535) > ipsec-crypto-profiles Internet Protocol Security (IPsec) SA proposals + dh-group Phase-2 DH group (PFS DH group) group1 768-bit MODP Group group14 2048-bit MODP Group, NIST rating 112-bit strength group2 1024-bit MODP Group, NIST rating 80-bit strength group5 1536-bit MODP Group no-pfs Disable PFS feature > ah AH only + authentication Authentication algorithm; select from the following or enter a list of values enclosed in [ ] md5 Below 80-bit strength
Palo Alto Networks
set network ike
sha1 NIST rating 128-bit strength > esp ESP options + authentication Authentication algorithm; select from the following or enter a list of values enclosed in [ ] md5 below 80-bit strength none none sha1 NIST rating 128-bit strength + encryption Encryption algorithm; select from the following or enter a list of values enclosed in [ ] 3des NIST rating 112-bit strength aes128 NIST rating 128-bit strength aes192 NIST rating 192-bit strength aes256 NIST rating 256-bit strength null Null > lifesize IPSec SA lifesize; specify in gigabytes (GB), kilobytes (KB), megabytes (MB), or terabytes (TB) (1-65535) > lifetime IPSec SA lifetime > days Specify lifetime in days (1-65535) > hours Specify lifetime in hours (1-65535) > minutes Specify lifetime in minutes (3-65535) > seconds Specify lifetime in seconds (180-65535) > gateway IKE gateway configuration > authentication Authentication method > pre-shared-key Use pre-shared key for mutual authentication + key String used as pre-shared key > local-address Tunnel local IP configuration + interface Local gateway end-point > floating-ip Floating IP address in HA Active-Active configuration > ip Specify exact IP address if interface has multiple addresses > local-id Optionally how peer gateway will identify local gateway instead of using IP address + id Local ID string + type Type; select from list fqdn FQDN (hostname) ipaddr IP address keyid KEYID (binary format ID string in HEX) ufqdn User FQDN (email address) > peer-address Peer gateway address > ip Peer gateway has static IP address (x.x.x.x or IPv6) dynamic Peer gateway has dynamic IP address > peer-id Optionally how local gateway will identify peer gateway instead of using IP address + id Local ID string + type Type; select from list fqdn FQDN (hostname) ipaddr IP address keyid KEYID (binary format ID string in HEX) ufqdn User FQDN (email address) > protocol IKE Protocol settings > ikev1 IKEv1 setting + exchange-mode Exchange mode aggressive Use aggressive mode auto Choose IKE exchange mode automatically main Use main mode + ike-crypto-profile IKE SA crypto profile name (default or enter a name) > dpd Dead-Peer-Detection settings
Palo Alto Networks
set network ike
+ enable Enable Dead-Peer-Detection + interval Sending interval for probing packets, in seconds (2-100) + retry Number of retries before disconnection (2-100) > protocol-common IKE Protocol settings common to IKEv1 and IKEv2 + passive-mode Enable passive mode (responder only) > nat-traversal NAT-Traversal settings + enable Enable NAT-Traversal

Palo Alto Networks
set network interface

Configures network interfaces on the firewall. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
set network interface { ethernet <interface_name> | { link-duplex {auto | full | half) | link-speed (10 | 100 | 1000 | auto} | link-state {auto | down | up} | layer2 units <name_value> {tag <value>} | layer3 | { adjust-tcp-mss {no | yes} | interface-management-profile <value> | mtu <value> | untagged-sub-interface {no | yes} | arp <ip/netmask> {hw-address <mac_address>} | ip <ip/netmask> | ipv6 | { enabled {no | yes} | interface-id <value> | address <value> {anycast | prefix} | neighbor-discovery { dad-attempts <value> | enable-dad {no | yes} | ns-interval <seconds> | reachable-time <seconds> | neighbor <ip/netmask> {hw-address <mac_address>} } } pppoe | { access-concentrator <value> | authentication {CHAP | PAP | auto} | create-default-route {no | yes} | default-route-metric <value> | enable {no | yes} | password <value> | service <value> | username <value> | passive enable {no | yes} | static-address ip <ip/netmask> } units <name_value> }
Palo Alto Networks
ha | tap | virtual-wire } loopback | { adjust-tcp-mss {no | yes} | interface-management-profile <value> | mtu <value> | ip <ip/netmask> | ipv6 | { enabled {no | yes} | interface-id <value> | address <value> {anycast | prefix} { units <name_value> } tunnel | { interface-management-profile <value> | mtu <value> | ip <ip/netmask> | units <name_value> } vlan { adjust-tcp-mss {no | yes} | interface-management-profile <value> | mtu <value> | arp <ip/netmask> {hw-address <mac_address>} | ip <ip/netmask> | ipv6 | { enabled {no | yes} | interface-id <value> | address <value> {anycast | prefix} | neighbor-discovery { dad-attempts <value> | enable-dad {no | yes} | ns-interval <seconds> | reachable-time <seconds> | neighbor <ip/netmask> {hw-address <mac_address>} } } units <name_value> } }
Options
> ethernet Ethernet interface alphanumeric string [ 0-9a-zA-Z./_-] (format: ethernetx/x) + link-duplex Interface link duplex (auto, full, or half)
Palo Alto Networks
+ link-speed Interface link speed (10, 100, 1000, or auto) + link-state Interface link state (auto-detect, force to down, or force to up) > layer2 Layer 2 interface > units Logical interface configuration (name.x) + tag 802.1q VLAN tag > layer3 Layer 3 interface + adjust-tcp-mss Set if TCP MSS value should be reduced based on mtu + interface-management-profile Interface management profile + mtu Maximum Transfer Unit, up to 9192 in Jumbo-Frame mode, up to 1500 otherwise + untagged-sub-interface Enable untagged sub-interface > arp ARP configuration IP address and network mask (x.x.x.x/y) + hw-address MAC address (xx:xx:xx:xx:xx:xx) > ip Interface IP address and network mask (x.x.x.x/y) > ipv6 Interface IPv6 configuration + enabled Enable IPv6 on the interface + interface-id 64-bit Extended Unique Identifier (in hex) > address IPv6 address or IP address and network mask (x.x.x.x/y) anycast anycast address prefix use this as prefix to form full address with interface id/EUI-64 > neighbor-discovery Neighbor Discovery configuration + dad-attempts number of consecutive neighbor solicitation messages sent for duplicate address detection (0-10) + enable-dad enable duplicate address detection + ns-interval interval (in seconds) between consecutive neighbor solicitation messages (13600) + reachable-time time (in seconds) that the Reachable status for a neighbor can be maintained (10-3600) > neighbor Static entries in neighbor cache IP address and network mask (x.x.x.x/y) + hw-address MAC address (xx:xx:xx:xx:xx:xx) > pppoe PPPOE configuration + access-concentrator desired access concentrator + authentication authentication protocol CHAP Challenge Handshake Authentication Protocol PAP Password Authentication Protocol auto auto select CHAP or PAP + create-default-route automatically create default route pointing to peer + default-route-metric metric of the default route created (1-65535) + enable enable (no or yes) + password password for PPP authentication + service desired service + username username for PPP authentication > passive device awaits PPP request from peer > static-address use static interface address IP address and network mask (x.x.x.x/y) > units Logical interface (name.x) * ha Interface for high-availability functions * tap Tap mode interface * virtual-wire Virtual-wire interface > loopback Loopback interface + adjust-tcp-mss Set if TCP MSS value should be reduced based on mtu + interface-management-profile Interface management profile + mtu Maximum Transfer Unit, up to 9192 in Jumbo-Frame mode, up to 1500 otherwise > ip Interface IP address (x.x.x.x) > ipv6 Interface IPv6 configuration + enabled Enable IPv6 on the interface
Palo Alto Networks
+ interface-id 64-bit Extended Unique Identifier (in hex) > address IPv6 address or IP address and network mask (x.x.x.x/y) anycast anycast address prefix use this as prefix to form full address with interface id/EUI-64 (64-bit extended unique identifier) > units Logical interface alphanumeric string [ 0-9a-zA-Z./_-] (loopback.x) > tunnel Tunnel interface + interface-management-profile Interface management profile + mtu Maximum Transfer Unit, up to 9192 in Jumbo-Frame mode, up to 1500 otherwise > ip Interface IP address (x.x.x.x) > units Logical interface alphanumeric string [ 0-9a-zA-Z./_-] (tunnel.x) > vlan VLAN interface + adjust-tcp-mss Set if TCP MSS value should be reduced based on mtu + interface-management-profile Interface management profile + mtu Maximum Transfer Unit, up to 9192 in Jumbo-Frame mode, up to 1500 otherwise > arp ARP configuration IP address and network mask (x.x.x.x/y) + hw-address MAC address (xx:xx:xx:xx:xx:xx) > ip Interface IP address (x.x.x.x) > ipv6 Interface IPv6 configuration + enabled Enable IPv6 on the interface + interface-id 64-bit Extended Unique Identifier (in hex) > address IPv6 address or IP address and network mask (x.x.x.x/y) anycast anycast address prefix use this as prefix to form full address with interface id/EUI-64 > neighbor-discovery Neighbor Discovery configuration + dad-attempts number of consecutive neighbor solicitation messages sent for duplicate address detection (0-10) + enable-dad enable duplicate address detection + ns-interval interval (in seconds) between consecutive neighbor solicitation messages (1-3600) + reachable-time time (in seconds) that the Reachable status for a neighbor can be maintained (103600) > neighbor Static entries in neighbor cache IP address and network mask (x.x.x.x/y) + hw-address MAC address (xx:xx:xx:xx:xx:xx) > units Logical interface alphanumeric string [ 0-9a-zA-Z./_-] (vlan.x)
Sample Output
The following command assigns the ethernet1/4 interface to be a virtual wire interface.
[edit] username@hostname# set network interface ethernet ethernet1/1 virtual-wire [edit] username@hostname#
The following command sets the VLAN IP address to 1.1.1.4/32 from the network interface vlan level of the hierarchy.
[edit network interface vlan] username@hostname# set ip 1.1.1.4/32 [edit network interface vlan] username@hostname#

Palo Alto Networks
set network profiles

Configures network profiles on the firewall. Network profiles capture configuration information that the firewall can use to establish network connections and implement policies. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
set network profiles { interface-management-profile <name> { http {no | yes} | https {no | yes} | ping {no | yes} | response-pages {no | yes} | snmp {no | yes} | ssh {no | yes} | telnet {no | yes} | permitted-ip <ip/netmask> } monitor-profile <name> | { action {fail-over | wait-recover} | interval <value> | threshold <value> } zone-protection-profile <name> { description <value> | discard-icmp-error {no | yes} | discard-icmp-frag {no | yes} | discard-icmp-large-packet {no | yes} | discard-icmp-ping-zero-id {no | yes} | discard-ip-frag {no | yes} | discard-ip-spoof {no | yes} | discard-loose-source-routing {no | yes} | discard-record-route {no | yes} | discard-strict-source-routing {no | yes} | discard-timestamp {no | yes} | suppress-icmp-needfrag {no | yes} | suppress-icmp-timeexceeded {no | yes} | tcp-reject-non-syn {global | no | yes} | flood | { icmp | { enable {no | yes} | red { activate-rate <value> | alarm-rate <value> |
Palo Alto Networks
maximal-rate <value> } } icmpv6 | { enable {no | yes} | red { activate-rate <value> | alarm-rate <value> | maximal-rate <value> } } other-ip | { enable {no | yes} | red { activate-rate <value> | alarm-rate <value> | maximal-rate <value> } } tcp-syn | { enable {no | yes} | red { activate-rate <value> | alarm-rate <value> | maximal-rate <value> } syn-cookies { activate-rate <value> | alarm-rate <value> | maximal-rate <value> } } udp { enable {no | yes} | red { activate-rate <value> | alarm-rate <value> | maximal-rate <value> } } } ipv6 | { anycast-source {no | yes} | ipv4-compatible-address {no | yes} |
Palo Alto Networks
multicast-source {no | yes} | routing-header {no | yes} | } scan <threat_id> { interval <value> | threshold <value> | action { block-ip | { duration <value> | track-by {source | source-and-desintation} } alert | allow | block } } } }
Options
> interface-management-profile Interface management profile configuration + http Enable HTTP service on the interface + https Enable HTTPS service on the interface + ping Enable Ping service on the interface + response-pages Enable response pages on the interface + snmp Enable SNMP service on the interface + ssh Enable SSH service on the interface + telnet Enable Telnet service on the interface > permitted-ip Permitted IP address and network mask (x.x.x.x/y or IPv6/netmask) > monitor-profile Monitor profile configuration + action Configure action triggered when tunnel status change fail-over When tunnel is down, make traffic fail over to backup path is configured wait-recover When tunnel is down, wait for the recover + interval Probing interval in seconds (2-100) + threshold Number of failed probe to determine tunnel is down (2-10) > zone-protection-profile Zone-based protection profile configuration + description Description value + discard-icmp-error Discard ICMP embedded with error message + discard-icmp-frag Discard ICMP fragment + discard-icmp-large-packet Discard Large ICMP packet (IP length > 1024B) + discard-icmp-ping-zero-id Discard ICMP Ping with zero ID + discard-ip-frag Discard IP fragment + discard-ip-spoof Discard spoofed IP packet + discard-loose-source-routing Discard packets with loose source routing IP option + discard-record-route Discard packets with Record Route IP option + discard-strict-source-routing Discard packets with strict source routing IP option + discard-timestamp Discard packets with Timestmp IP option + suppress-icmp-needfrag Do not reply ICMP NEEDFRAG (layer3 only) + suppress-icmp-timeexceeded Do not reply ICMP TTL expired error (layer3 only) + tcp-reject-non-syn Reject non-SYN TCP packet for session setup
Palo Alto Networks
global Use global setting no Accept non-SYN TCP yes Reject non-SYN TCP > flood Flood protection > icmp ICMP flood protection + enable Enable ICMP flood protection > red Random Early Drop (RED) + activate-rate Packet rate (pps) to start RED (1-2000000) + alarm-rate Packet rate (pps) to generate alarm (0-2000000) + maximal-rate Maximal packet rate (pps) allowed (1-2000000) > icmpv6 ICMPv6 flood protection + enable Enable ICMPv6 flood protection > red Random Early Drop (RED) + activate-rate Packet rate (pps) to start RED (1-2000000) + alarm-rate Packet rate (pps) to generate alarm (0-2000000) + maximal-rate Maximal packet rate (pps) allowed (1-2000000) > other-ip Other IP protocols protection + enable Enable other IP flood protection > red Random Early Drop (RED) + activate-rate Packet rate (pps) to start RED (1-2000000) + alarm-rate Packet rate (pps) to generate alarm (0-2000000) + maximal-rate Maximal packet rate (pps) allowed (1-2000000) > tcp-syn TCP synchronise packet (SYN) flood protection + enable Enable SYN flood protection > red Random Early Drop (RED) + activate-rate Packet rate (pps) to start RED (1-2000000) + alarm-rate Packet rate (pps) to generate alarm (0-2000000) + maximal-rate Maximal packet rate (pps) allowed (1-2000000) > syn-cookies SYN cookies + activate-rate Packet rate (pps) to activate SYN cookies proxy (0-2000000) + alarm-rate Packet rate (pps) to generate alarm (0-2000000) + maximal-rate Maximal packet rate (pps) allowed (1-2000000) > udp UDP flood protection + enable Enable UDP flood protection > red Random Early Drop (RED) + activate-rate Packet rate (pps) to start RED (1-2000000) + alarm-rate Packet rate (pps) to generate alarm (0-2000000) + maximal-rate Maximal packet rate (pps) allowed (1-2000000) > ipv6 IPv6 filtering + anycast-source Drop packets with anycast source address + ipv4-compatible-address Drop packets with IPv4 compatible address + multicast-source Drop packets with multicast source address + routing-header Drop packets with type 0 routing header > scan Scan protection; specify threat ID + interval Interval (2-65535) + threshold Threshold (2-65535) > action Action to take (alert, scan, block, or block IP address) > block-ip Block IP address + duration Duration for block IP address (1-3600) + track-by Track by source or source and destination
Palo Alto Networks

Palo Alto Networks
set network qos
set network qos

Specifies Quality of Service (QoS) settings on the firewall. The firewall supports fine grained QoS settings for clear text and tunneled traffic upon egress from the firewall. QoS profiles are attached to physical interfaces to specify how traffic classes map to bandwidth and priority. QoS classification is supported with all interface types except Aggregate Ethernet. For more information, refer to the Configuring Quality of Service chapter in the Palo Alto Networks Administrators Guide.
Syntax
set network qos { interface <interface_name> { enabled {no | yes} | interface-bandwidth {egress-max <value>} | regular-traffic | { bandwidth {egress-guaranteed <value> | egress-max <value>} | default-group {qos-profile {default | <value>}} | groups regular-traffic-group {members <name>} { qos-profile {default | <value>} | match { local-address { address {any | <ip/netmask>} | interface <value> } } } } tunnel-traffic { bandwidth {egress-guaranteed <value> | egress-max <value>} | default-group {per-tunnel-qos-profile {default | <value>}} | groups tunnel-traffic-group {members <tunnel_interface> {qos-profile {default | <value>}}} } } profile {default | <name>} { aggregate-bandwidth {egress-guaranteed <value> | egress-max <value>} | class <traffic_class_value> { priority {high | low | medium | real-time} | class-bandwidth {egress-guaranteed <value> | egress-max <value>} } } }
Palo Alto Networks
set network qos
Options
> interface Interface QoS configuration (select from the list or enter a new name) > interface-bandwidth Interface bandwidth in mega-bits per second + egress-max Maximum sending bandwidth in mbps (0-16000) > regular-traffic QoS setting for regular traffic > bandwidth Bandwidth of all regular traffic in mega-bit per second + egress-guaranteed Guaranteed sending bandwidth in mbps (0-16000) + egress-max Maximum sending bandwidth in mbps (0-16000) > default-group QoS setting for regular traffic without specified QoS settings + qos-profile Apply default or specify QoS profile for aggregated traffic > groups QoS setting for regular traffic > members Specify QoS setting for traffic go through given group of hosts + qos-profile Apply default or specify QoS profile for traffic go through the group of hosts > match Specify matching criteria for the QoS entity > local-address Matching address on local side + address Any or x.x.x.x/y or IPv6/netmask or a list of values enclosed in [ ] + interface Local-side interface > tunnel-traffic QoS setting for tunneled traffic > bandwidth Bandwidth of all tunnel traffic in mega-bits per second + egress-guaranteed Guaranteed sending bandwidth in mbps (0-16000) + egress-max Maximum sending bandwidth in mbps (0-16000) > default-group QoS setting for tunneled traffic without specified QoS settings + per-tunnel-qos-profile Apply default or specify QoS profile for traffic go through each tunnel interface > groups QoS setting for tunneled traffic > members Specify QoS setting for traffic go through given tunnel interface + qos-profile Apply default or specify QoS profile for traffic go through the tunnel interface > profile QoS profile; default or specify a name > aggregate-bandwidth Aggregate bandwidth of all classes in mega-bits per second + egress-guaranteed Guaranteed sending bandwidth in mbps (0-16000) + egress-max Maximum sending bandwidth in mbps (0-16000) > class QoS setting for traffic classes + priority Traffic class priority (high, low, medium, or real-time = highest priority) > class-bandwidth Class bandwidth in mega-bits per second + egress-guaranteed Guaranteed sending bandwidth in mbps (0-16000) + egress-max Maximum sending bandwidth in mbps (0-16000)

Palo Alto Networks
set network shared-gateway

Configures a shared gateway on the firewall. Shared gateways allow virtual systems to share a common interface for external communications. All of the virtual systems communicate with the outside world through the physical interface using a single IP address. A single virtual router is used to route the traffic for all of the virtual systems through the shared gateway. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide. Note: This command is available only when virtual systems are enabled. Refer to set system setting on page 338, and Using Configuration Commands with Virtual Systems on page 23.
Syntax
set network shared-gateway <name> { display-name <name> | address <name> {fqdn <value> | ip-netmask <ip/netmask> | ip-range <ip_range>} | address-group <group_name> <member_names> | import network | { dns-proxy <value> | network interface <value> } log-settings | { email <name> | { format { config <value> | hip-match <value> | system <value> | threat <value> | traffic <value> | escaping {escape-character <value> | escaped-characters <value>} } server <name> { and-also-to <value> | display-name <name> | from <value> | gateway <value> | to <value> } } profiles <name> | {
Palo Alto Networks
alarm {critical | high | informational | low | medium} | { send-to-panorama {no | yes} | send-email using-email-setting <value> | send-snmptrap using-snmptrap-setting <value> | send-syslog using-syslog-setting <value> } traffic any { send-to-panorama {no | yes} | send-email using-email-setting <value> | send-snmptrap using-snmptrap-setting <value> | send-syslog using-syslog-setting <value> } } snmptrap <name> { version v2c server <name>| { community <value> | manager <value> } version v3 server <name> { authpwd <value> | engineid <value> | manager <value> | privpwd <value> | user <value> | } } syslog <name> | { format | { config <value> | hip-match <value> | system <value> | threat <value> | traffic <value> | escaping {escape-character <value> | escaped-characters <value>} } server <name> { facility {LOG_LOCAL0 | LOG_LOCAL1 | LOG_LOCAL2 | LOG_LOCAL3 | LOG_LOCAL4 | LOG_LOCAL5 | LOG_LOCAL6 | LOG_LOCAL7 | LOG_USER} | port <value> | server <value> } } } rulebase | {
Palo Alto Networks
dos rules <name> { description <value> | destination {any | <value>} | disabled {no | yes} | negate-destination {no | yes} | negate-source {no | yes} | schedule <value> | service {any | application-default | service-http | service-https | <value>} | source {any | <value>} | source-user {any | known-user | unknown | <value>} | tag <value> | action {allow | deny | protect} | from {interface <value> | zone <value>} | protection | { aggregate {profile <value>} | classified { profile <value> | classification-criteria { address destination-ip-only | address source-ip-only | address src-dest-ip-both } } } to {interface <value> | zone <value>} } nat rules <name> | { active-active-device-binding {0 | 1 | both | primary} | description <value> | destination {any | <value>} | disabled {no | yes} | from {any | <value>} | service {any | service-http | service-https | <value>} | source {any | <value>} | tag <value> | to {any | <value>} | to-interface <value> | destination-translation | { translated-address <value> | translated-port <value> } source-translation { dynamic-ip translated-address <value> | dynamic-ip-and-port | { translated-address <value> |
Palo Alto Networks
interface-address { interface <interface_name> | floating-ip <ip_address> | ip <ip_address> } } static-ip { bi-directional {no | yes} | translated-address <value> } } } pbf rules <name> | { active-active-device-binding {0 | 1 | both} | application <value> | description <value> | destination {any | <value>} | disabled {no | yes} | negate-destination {no | yes} | negate-source {no | yes} | schedule <value> | service {any | application-default | service-http | service-https | <value>} | source {any | <value>} | source-user {any | known-user | unknown | <value>} | tag <value> | action | { forward | { egress-interface <value> | monitor | { disable-if-unreachable {no | yes} | ip-addresss <ip_address> | profile {default | <value>} } nexthop <ip_address> } discard | no-pbf } from {interface <value> | zone <value>} } } service <name> | { comment <value> | protocol {tcp | udp} {port <value> | source-port <value>} } service-group <name> {service-http | service-https | <value>} |
Palo Alto Networks
zone <name> { network { external <value> | layer3 <value> | log-setting <value> | zone-protection-profile <value> } user-acl { + exclude-list <value> | + include-list <value> } } }
Options
<name> Shared gateway name + display-name Display name for shared gateway (alphanumeric string [ 0-9a-zA-Z._-]) > address Address configuration > fqdn FQDN value > ip-netmask IP address and network mask (x.x.x.x/y or IPv6/netmask) > ip-range IP address range (x.x.x.x-y.y.y.y or IPv6-range) > address-group Address-group name and list of members (member value or list of values enclosed in [ ]) > import Import predefined configured resources + dns-proxy DNS proxy object to use for resolving FQDNs > network Network configuration + interface Import interface (member value or list of values enclosed in [ ]) > log-settings Log settings for shared gateway > email Email log name > format Custom formats for forwarded logs + config Config log value + hip-match HIP match log value + system System log value + threat Threat log value + traffic Traffic log value > escaping + escape-character Escape character + escaped-characters List of characters to be escaped > server Server address + and-also-to email address (e.g. admin@mycompany.com) + display-name Display name + from email address (e.g. admin@mycompany.com) + gateway IP address or FQDN of SMTP gateway to use + to email address (e.g. admin@mycompany.com) > profiles Profiles to configure > alarm Alarm (critical, high, informational, low, or medium) + send-to-panorama Send to Panorama > send-email Send email (using email setting value) > send-snmptrap Send SNMP trap (using SNMP trap setting value) > send-syslog Send syslog (using syslog setting value) > traffic Traffic profile (any)
Palo Alto Networks
+ send-to-panorama Send to Panorama > send-email Send email (using email setting value) > send-snmptrap Send SNMP trap (using SNMP trap setting value) > send-syslog Send syslog (using syslog setting value) > snmptrap SNMP trap name > version v2c and server address + community Community value + manager IP address or FQDN of SNMP manager to use > version v3 and server address + authpwd Authentication Protocol Password + engineid A hex number in ASCII string + manager IP address or FQDN of SNMP manager to use + privpwd Privacy Protocol Password + user User value > syslog syslog name > format Custom formats for forwarded logs + config Config log value + hip-match HIP match log value + system System log value + threat Threat log value + traffic Traffic log value > escaping + escape-character Escape character + escaped-characters List of characters to be escaped > server Server address + facility Facility (LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, or LOG_USER) + port Port number (1-65535) + server IP address or FQDN of SYSLOG server to use > rulebase Rule base for shared gateway > dos Denial of Service (DoS) Protection Rules + description Description of rule set + destination Destination (any, address, address group, region code, IP address/network mask (x.x.x.x/ y or IPv6/netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + disabled Disable the rule + negate-destination Negate destination + negate-source Negate source + schedule Schedule value + service Service (any, application default, predefined HTTP or HTTPS service, value or list of values enclosed in [ ]) + source Source (any, address, address group, region code, IP address/network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + source-user Source user (any, known user, unknown, user name, user group, or list of values enclosed in [ ]) + tag Tag (member value or list of values enclosed in [ ]) > action DoS rule action - allow Allow all packets - deny Deny packets - protect Enforce DoS protection > from Source zone or interface + interface Interface member value or list of values enclosed in [ ] + zone Zone value or list of values enclosed in [ ] > protection DoS protection parameters to enforce > aggregate Parameters for aggregated protection
Palo Alto Networks
+ profile DoS profile to use for aggregated protection > classified Parameters for classified/qualified protection + profile DoS profile to use for classified protection > classification-criteria Parameters to control how DoS protection is applied + address Parameters for IP Address based classification - destination-ip-only Destination IP address only - source-ip-only Source IP address only - src-dest-ip-both Both source and destination IP addresses > to Destination zone, interface, or name + interface Interface member value or list of values enclosed in [ ] + zone Zone value or list of values enclosed in [ ] to Source zone or interface; option to specify a name > nat Network Address Translation Rules + active-active-device-binding Device binding configuration in High Availability (HA) Active-Active mode 0 Rule is bound to device 0 1 Rule is bound to device 1 both Rule is bound to both devices primary Rule is bound to Active-Primary device + description Description of rule set + destination Destination (any, address, address group, IP address/network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + disabled Disable the rule + from From (any, zone, or list of values enclosed in [ ]) + service Service (any, predefined HTTP or HTTPS service, service name, or service group) + source Source (any, address, address group, IP address/network mask (x.x.x.x/y or IPv6/netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + tag Tag (member value or list of values enclosed in [ ]) + to To (any, zone, or list of values enclosed in [ ]) + to-interface Egress interface from route lookup > destination-translation + translated-address Address, address group, IP address and network mask (x.x.x.x/y or IPv6/ netmask), or IP address range (x.x.x.x-y.y.y.y or IPv6-range) + translated-port Port number (1-65535) > source-translation > dynamic-ip Dynamic IP-only translation + translated-address Address, address group, IP address and network mask (x.x.x.x/y or IPv6/ netmask), or IP address range (x.x.x.x-y.y.y.y or IPv6-range) > dynamic-ip-and-port Dynamic IP and port translation + translated-address Address, address group, IP address and network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ] > interface-address Use interface address as translated address + interface Interface name > floating-ip Floating IP address in HA Active-Active configuration > ip specify exact IP address if interface has multiple addresses > static-ip Static IP translation via IP shifting + bi-directional Allow reverse translation from translated address to original address + translated-address Address, address group, IP address and network mask (x.x.x.x/y or IPv6/ netmask), or IP address range (x.x.x.x-y.y.y.y or IPv6-range) > pbf Policy Based Forwarding Rules + active-active-device-binding Device binding configuration in High Availability (HA) Active-Active mode 0 Rule is bound to device 0 1 Rule is bound to device 1
Palo Alto Networks
both Rule is bound to both devices + application Application (select from list of applications or enter a value) + description Description of rule set + destination Destination (any, address, address-group, IP address/network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + disabled Disable the rule + negate-destination Negate destination + negate-source Negate source + schedule Schedule value + service Service (any, application default, predefined HTTP or HTTPS service, value or list of values enclosed in [ ]) + source Source (any, address, address group, IP address/network mask (x.x.x.x/y or IPv6/netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + source-user Source user (any, known user, unknown, user name, user group, or list of values enclosed in [ ]) + tag Tag (member value or list of values enclosed in [ ]) > action Policy-based forwarding action > forward Forward packets + egress-interface Interface to route packet to > monitor Parameters for monitoring + disable-if-unreachable Disable this rule if nexthop/monitor ip is unreachable + ip-address Monitor IP address (x.x.x.x or IPv6) + profile Monitoring profile associated with this rule > nexthop Next hop IP address (x.x.x.x or IPv6) - discard Discard packets - no-pbf Don't forward by PBF > from Source zone or interface + interface Interface member value or list of values enclosed in [ ] + zone Zone value or list of values enclosed in [ ] > service Service name + comment Comment value > protocol Protocol (TCP or UDP) + port Port value or list of values (0-65535) + source-port Source port value or list of values (0-65535) > service-group Service group name and member value, service-http, service-https, or list of values enclosed in [ ] > zone Zone name > network Network configuration + external Virtual system or shared gateway (member value or list of values enclosed in [ ]) + layer3 Layer3 interfaces (member value or list of values enclosed in [ ]) + log-setting Log setting for forwarding scan logs + zone-protection-profile Zone protection profile name > user-acl User Access Control List (ACL) configuration + exclude-list Exclude list (address, address-group, IP/netmask, or list of values enclosed in [ ]) + include-list Include list (address, address-group, IP/netmask, or list of values enclosed in [ ])

Palo Alto Networks
set network tunnel
set network tunnel

Specifies network tunnel settings on the firewall. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
set network tunnel { global-protect-gateway <name> | { max-user <value> | tunnel-interface <value> | client | { dns-server <ip_address> | dns-suffix <member_value> | ip-pool {<ip_range> | <ip/netmask>} | wins-server <ip_address> | split-tunneling access-route <ip/netmask> } ipsec enable {no | yes} | local-address interface <value> {floating-ip <ip_address> | ip <ip_address>} } ipsec <name> | { anti-replay {no |yes} | copy-tos {no |yes} | tunnel-interface <value> | auto-key | { ipsec-crypto-profile {default | <name>} | ike-gateway <name> | proxy-id <name> { local <ip/netmask> | remote <ip/netmask> | protocol { number <value> | tcp {local-port <port_number> | remote-port <port_number>} | udp {local-port <port_number> | remote-port <port_number>} | any } } } manual-key | { local-spi <value> |
Palo Alto Networks
set network tunnel
remote-spi <value> | ah {md5 <key_value> | sha1 <key_value>} | esp | { authentication {md5 <key_value> | sha1 <key_value> | none} | encryption { algorithm {3des | aes128 | aes192 | aes256 | null} | key <key_value> } local-address | { interface <value> | floating-ip <ip_address> | ip <ip_address> } peer-address <ip_address> } tunnel-monitor { destination-ip <ip_address> | enable {no | yes} | tunnel-monitor-profile {AK_fail | AK_monitor | AK_wait | default} } } ssl-vpn <name> { http-redirect {no | yes} | max-user <value> | tunnel-interface <value> | client | { dns-server <ip_address> | dns-suffix <member_value> | ip-pool {<ip_range> | <ip/netmask>} | wins-server <ip_address> | split-tunneling access-route <ip/netmask> } ipsec enable {no | yes} | local-address interface <value> {floating-ip <ip_address> | ip <ip_address>} } }
Options
> global-protect-gateway GlobalProtect gateway networking specific configuration + max-user Max number of concurrent users logged in (1-20000) + tunnel-interface Apply GlobalProtect gateway tunnels to tunnel interface > client GlobalProtect client configuration + dns-server DNS server IP address (x.x.x.x or IPv6 or list of values enclosed in [ ]) + dns-suffix DNS suffix for client (member value or list of values enclosed in [ ]) + ip-pool IP subnets or ranges (x.x.x.x-y.y.y.y or IPv6-range, x.x.x.x/y or IPv6/netmask, or list of values enclosed in [ ])
Palo Alto Networks
set network tunnel
+ wins-server WINS server IP address (x.x.x.x, IPv6, or list of values enclosed in [ ]) > split-tunneling Split tunneling settings + access-route Subnets need to be accessed by GlobalProtect clients (x.x.x.x/y or IPv6/netmask, or list of values enclosed in [ ]) > ipsec IPSec traffic configuration + enable Enable/disable IPSec encapsulation of client traffic > local-address Tunnel local IP configuration + interface Local gateway end-point > floating-ip Floating IP address in HA Active-Active configuration > ip Specify exact IP address if interface has multiple addresses > ipsec IPSec tunnel configuration + anti-replay Enable Anti-Replay check on this tunnel + copy-tos Copy IP TOS bits from inner packet to IPSec packet (not recommended) + tunnel-interface Apply IPSec VPN tunnels to tunnel interface (ex. tunnel.1) > auto-key IKE VPN options + ipsec-crypto-profile IPSec crypto profile (name or default) > ike-gateway IKE gateway name > proxy-id IKEv1 proxy identification (only needed when peer gateway requires it) + local IP subnet or IP address represents local network (x.x.x.x/y or IPv6/netmask) + remote IP subnet or IP address represents remote network (x.x.x.x/y or IPv6/netmask) > protocol Specify protocol and port number for proxy-id > number IP protocol number (1-254) > tcp TCP protocol; local and remote ports (0-65535) > udp UDP protocol; local and remote ports (0-65535) any any IP protocol > manual-key Manual key options + local-spi Outbound SPI, hex format xxxxxxxx (range 00001000 to 1FFFFFFF) + remote-spi Inbound SPI, hex format xxxxxxxx > ah AH options > md5 Key is 128 bit + key Hex format xxxxxxxx[-xxxxxxxx]... total 4 sections > sha1 Key is 160 bit + key Hex format xxxxxxxx[-xxxxxxxx]... total 5 sections > esp ESP options > authentication Authentication algorithm > md5 Key is 128 bit + key Hex format xxxxxxxx[-xxxxxxxx]... total 4 sections > sha1 Key is 160 bit + key Hex format xxxxxxxx[-xxxxxxxx]... total 5 sections none No authentication > encryption encryption algorithm + algorithm Algorithm (press <tab> for list) 3des Key is 192 bit aes128 Key is 128 bit aes192 Key is 192 bit aes256 Key is 256 bit null Null algorithm + key Hex format xxxxxxxx[-xxxxxxxx]... total number of sections: 3des: 6, aes128: 4, aes192: 6, aes256: 8 > local-address Tunnel local IP configuration + interface Interface to terminate tunnel > floating-ip Floating IP address in HA Active-Active configuration > ip Specify exact IP address if interface has multiple addresses > peer-address Tunnel peer address (x.x.x.x or IPv6)
Palo Alto Networks
set network tunnel
> tunnel-monitor Monitor tunnel status + destination-ip Destination IP to send ICMP probe (x.x.x.x or IPv6) + enable Enable tunnel monitoring on this tunnel + tunnel-monitor-profile Monitoring action (AK_fail, AK_monitor, AK_wait, or default profile) > ssl-vpn SSL VPN networking specific configuration + http-redirect Redirect http traffic to https login page + max-user Max number of concurrent users logged in (1-20000) + tunnel-interface Apply SSL VPN tunnels to tunnel interface > client VPN client configuration (split tunneling) + dns-server DNS server IP address (x.x.x.x or IPv6 or list of values enclosed in [ ]) + dns-suffix DNS suffix for client (member value or list of values enclosed in [ ]) + ip-pool IP subnets or ranges (x.x.x.x-y.y.y.y or IPv6-range, x.x.x.x/y or IPv6/netmask, or list of values enclosed in [ ]) + wins-server WINS server IP address (x.x.x.x, IPv6, or list of values enclosed in [ ]) > split-tunneling Split tunneling settings + access-route Subnets need to be accessed by SSL VPN clients (x.x.x.x/y or IPv6/netmask, or list of values enclosed in [ ]) > ipsec IPSec traffic configuration + enable Enable/disable IPSec encapsulation of client traffic > local-address Tunnel local IP configuration + interface Local gateway end-point > floating-ip Floating IP address in HA Active-Active configuration > ip Specify exact IP address if interface has multiple addresses

Palo Alto Networks
set network virtual-router

Configures a virtual router for the firewall. You can set up virtual routers to enable the firewall to route packets at Layer 3 by making packet forwarding decisions according to the destination address. The Ethernet interfaces, loopback interfaces, and VLAN interfaces defined on the firewall receive and forward the Layer 3 traffic. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
set network virtual-router <name> { interface <value> | admin-dists | { ebgp <value> | ibgp <value> | ospf-ext <value> | ospf-int <value> | rip <value> | static <value> | } protocol {bgp | ospf | redist-profile | rip} | [refer to separate protocol pages below] routing-table {ip |ipv6} static-route <name> { admin-dist <value> | destination <ip/netmask> interface <value> | metric <value> | nexthop | { ip-address <ip_address> | next-vr <value> | discard } option no-install } }
Options
<name> Configures a virtual router with the specified name + interface Interface(s) within this virtual router, ex. ethernet1/5 (member value or list of values enclosed in [ ]) > admin-dists Administrative distances + ebgp Administrative distance used for eBGP routes (10-240) + ibgp Administrative distance used for iBGP routes (10-240) + ospf-ext Administrative distance used for OSPF external routes (10-240) + ospf-int Administrative distance used for OSPF internal routes (10-240) + rip Administrative distance used for RIP routes (10-240) + static Administrative distance used for static routes (10-240)
Palo Alto Networks
> protocol Routing protocol configuration [refer to separate protocol pages below] > bgp Border Gateway Protocol (BGP) configuration > ospf Open Shortest Path First (OSPF) configuration > redist-profile Define profiles for route redistribution rules > rip Routing Information Protocol (RIP) configuration > routing-table Routing table configuration (IP or IPv6 routing table) > static-route Static route configuration + admin-dist Administrative distance (10-240) + destination Destination IP address/prefix (x.x.x.x/y or IPv6/netmask) + interface Interface value + metric Metric value (path cost) (1-65535) > nexthop Next hop to destination > ip-address Next hop IP address (x.x.x.x or IPv6) > next-vr Next hop virtual router discard Discard packet > option Route entry option no-install Do not install entry to forwarding table

Palo Alto Networks
set network virtual-router protocol bgp

Configures a virtual router for the firewall with the Border Gateway Protocol (BGP). For additional virtual router configuration, refer to set network virtual-router on page 117.
Syntax
set network virtual-router <name> protocol bgp { allow-redist-default-route {no | yes} | enable {no | yes} | install-route {no | yes} | local-as <value> | reject-default-route {no | yes} | router-id <ip_address> | auth-profile <name> {secret <value>} | dampening-profile <name> | { cutoff <value> | decay-half-life-reachable <value> | decay-half-life-unreachable <value> | enable {no | yes} | max-hold-time <value> | reuse <value> } peer-group <name> | { aggregated-confed-as-path {no |yes} | enable {no |yes} | soft-reset-with-stored-info {no |yes} | peer <name> | { enable {no |yes} | max-prefixes {unlimited | <value>} | peer-as <value> | peering-type {bilateral | unspecified} | reflector-client {client | meshed-client | non-client} | connection-options { authentication <name> | hold-time <value> | idle-hold-time <value> | keep-alive-interval <value> | multihop <value> | open-delay-time <value> | incoming-bgp-connection | { allow {no | yes} | remote-port <port_number> } outgoing-bgp-connection
Palo Alto Networks
{ allow {no | yes} | local-port <port_number> } } local-address {interface <value> | ip <ip_address>} | peer-address ip <ip_address> } type { ebgp | { export-nexthop {resolve | use-self} | import-nexthop {original | use-peer} | remove-private-as {no | yes} } ebgp-confed {export-nexthop {original | use-self}} | ibgp {export-nexthop {original | use-self}} | ibgp-confed {export-nexthop {original | use-self}} } } policy | { aggregation {address <aggregating_address>} | { as-set {no | yes} | enable {no | yes} | prefix <ip/netmask> | summary {no | yes} | advertise-filters <name> | { enable {no | yes} | match from-peer <name> | match med <value> | match nexthop <ip/netmask> | match address-prefix <ip/netmask> {exact {no | yes}} | match as-path {regex <value>} | match community {regex <value>} | match extended-community {regex <value>} } aggregate-route-attributes | { as-path-limit <value> | local-preference <value> | med <value> | nexthop <ip_address> | origin {egp | igp | incomplete} | weight <value> | as-path {prepend <value> | none} | community | { append {local-as | no-advertise | no-export | nopeer | <value>} | overwrite {local-as | no-advertise | no-export | nopeer
Palo Alto Networks
| <value>} | remove-regex <value> | none | remove-all } extended-community { append <value> | overwrite <value> | remove-regex <value> | none | remove-all } } suppress-filters <name> { enable {no | yes} | match from-peer <name> | match med <value> | match nexthop <ip/netmask> | match address-prefix <ip/netmask> {exact {no | yes}} | match as-path {regex <value>} | match community {regex <value>} | match extended-community {regex <value>} } } conditional-advertisement {policy <name>} | { enable {no | yes} | used-by <member_value> | advertise-filters <name> | { enable {no | yes} | match from-peer <name> | match med <value> | match nexthop <ip/netmask> | match address-prefix <ip/netmask> | match as-path {regex <value>} | match community {regex <value>} | match extended-community {regex <value>} } non-exist-filters <name> { enable {no | yes} | match from-peer <name> | match med <value> | match nexthop <ip/netmask> | match address-prefix <ip/netmask> | match as-path {regex <value>} | match community {regex <value>} | match extended-community {regex <value>} } } export {rules <name>} |
Palo Alto Networks
{ enable {no | yes} | used-by <member_value> | action | { allow {update as-path-limit <value>} | allow {update local-preference <value>} | allow {update med <value>} | allow {update nexthop <ip_address>} | allow {update origin {egp | igp | incomplete}} | allow {update as-path} | { prepend <value> | remove-and-prepend <value> | none | remove } allow {update community} | { append {local-as | no-advertise | no-export | nopeer | <value>} | overwrite {local-as | no-advertise | no-export | nopeer | <value>} | remove-regex <value> | none | remove-all } allow {update extended-community} | { append <value> | overwrite <value> | remove-regex <value> | none | remove-all } deny } match { from-peer <name> | med <value> | nexthop <ip/netmask> | address-prefix <ip/netmask> {exact {no | yes}} | as-path {regex <value>} | community {regex <value>} | extended-community {regex <value>} } } import | { enable {no | yes} | used-by <member_value> | action | {
Palo Alto Networks
allow | { dampening <value> | update as-path-limit <value>} | update local-preference <value>} | update med <value>} | update nexthop <ip_address>} | update origin {egp | igp | incomplete}} | update weight <value> | update as-path | { prepend <value> | remove-and-prepend <value> | none | remove } update community | { append {local-as | no-advertise | no-export | nopeer | <value>} | overwrite {local-as | no-advertise | no-export | nopeer | <value>} | remove-regex <value> | none | remove-all } update extended-community | { append <value> | overwrite <value> | remove-regex <value> | none | remove-all } } deny } match { from-peer <name> | med <value> | nexthop <ip/netmask> | address-prefix <ip/netmask> {exact {no | yes}} | as-path {regex <value>} | community {regex <value>} | extended-community {regex <value>} } } } redist-rules {<ip/netmask> | <value>} | { enable {no | yes} | set-as-path-limit <value> | set-community {local-as | no-advertise | no-export | nopeer |
Palo Alto Networks
<value>} | set-extended-community <value> | set-local-preference <value> | set-med <value> | set-origin {egp | igp | incomplete} } routing-options { as-format {2-byte | 4-byte} | confederation-member-as <value> | default-local-preference <value> | reflector-cluster-id <ip_address> | aggregate {aggregate-med {no | yes}} | graceful-restart | { enable {no | yes} | local-restart-time <value> | max-peer-restart-time <value> | stale-route-time <value> } med { always-compare-med {no | yes} | deterministic-med-comparison {no | yes} } } }
Options
<name> Configures a virtual router with the specified name + allow-redist-default-route Allow redistribute default route to BGP + enable Enable (no or yes) + install-route Populate BGP learned route to global route table + local-as Local Autonomous system (AS) number (1-4294967295) + reject-default-route Do not learn default route from BGP + router-id Router id of this BGP instance (x.x.x.x or ipv6) > auth-profile BGP authentication profiles + secret Shared secret for the TCP MD5 authentication > dampening-profile Route flap dampening profiles + cutoff Cutoff threshold value (0-1000) + decay-half-life-reachable Decay half-life while reachable, in seconds (1-3600) + decay-half-life-unreachable Decay half-life while unreachable, in seconds (1-3600) + enable Enable (no or yes) + max-hold-time maximum of hold-down time, in seconds (1-3600) + reuse reuse threshold value (0-1000) > peer-group Peer group configuration + aggregated-confed-as-path Peers understand aggregated confederation AS path + enable Enable (no or yes) + soft-reset-with-stored-info Soft reset with stored info > peer Peer configuration + enable Enable (no or yes) + max-prefixes Maximum of prefixes to receive from peer (unlimited or 1-100000) + peer-as Peer AS number (1-4294967295)
Palo Alto Networks
+ peering-type Peering type that affects NOPEER community value handling bilateral Block sending and receiving routes with NOPEER community value unspecified Disregard NOPEER community value with this peer + reflector-client Peer is reflector client client Reflector client meshed-client Fully meshed reflector client non-client Not a reflector client > connection-options Peer connection options + authentication Authentication options + hold-time Hold time, in seconds (3-3600) + idle-hold-time Idle hold time, in seconds (1-3600) + keep-alive-interval Keep-alive interval, in seconds (1-1200) + multihop IP TTL value used for sending BGP packet (set to 0 means eBGP use 2, iBGP use 255) + open-delay-time Open delay time, in seconds (0-240) > incoming-bgp-connection Incoming TCP connection for BGP + allow Allow (no or yes) + remote-port Restrict remote port for incoming BGP connections (0-65535) > outgoing-bgp-connection Outgoing TCP connection for BGP + allow Allow (no or yes) + local-port Use specific local port for outgoing BGP connections (0-65535) > local-address Local address configuration + interface Interface to accept BGP session + ip Specify exact IP address if interface has multiple addresses > peer-address Peer address configuration (x.x.x.x or IPv6) > type Peer group type and options > ebgp External BGP + export-nexthop Export next hop resolve Export locally resolved next hop use-self Export self address as next hop + import-nexthop Import next hop original Keep original next hop use-peer Override next hop with peer address + remove-private-as Remove private AS when exporting route > ebgp-confed External BGP confederation + export-nexthop Export next hop original Keep original next hop use-self Override next hop with self address > ibgp Internal BGP + export-nexthop Export next hop original Keep original next hop use-self Override next hop with self address > ibgp-confed Internal BGP confederation + export-nexthop Export next hop original Keep original next hop use-self Override next hop with self address > policy BGP routing policy configuration > aggregation Address aggregation policy + as-set Generate AS-set attribute + enable Enable aggregation for this prefix + prefix Aggregating address prefix (x.x.x.x/y or IPv6/netmask) + summary Summarize route > advertise-filters Filter(s) to always advertise route if matched + from-peer Peer that advertised the route entry (name or list enclosed in [ ])
Palo Alto Networks
+ med Multi-exit Discriminator (MED) (0-4294967295) + nexthop Next hop attributes (x.x.x.x/y or IPv6/netmask) > address-prefix Address prefix IP address (x.x.x.x/y) or IPv6/netmask to match + exact Match exact prefix length > as-path Autonomous system (AS) path to match > regex AS-path regular expression > community Community to match > regex AS-path regular expression > extended-community Extended community to match > regex AS-path regular expression > aggregate-route-attributes Aggregate route attributes + as-path-limit Add AS path limit attribute if it does not exist (1-255) + local-preference New local preference value (0-4294967295) + med New MED value (0-4294967295) + nexthop Next hop address {x.x.x.x or IPv6) + origin New route origin egp Route originated from EGP igp Route originated from IGP incomplete Incomplete route + weight New weight value (0-65535) > as-path AS path update options > prepend Prepend local AS for specified number of times (1-255) none No change on AS path > community Community update options + append Append community [ Start a list of values local-as Well known community value: NO_EXPORT_SUBCONFED no-advertise Well known community value: NO_ADVERTISE no-export Well known community value: NO_EXPORT nopeer Well known community value: NOPEER <value> 32-bit value in hex, or in AS:VAL format, AS and VAL each in 065535 range + overwrite Remove all communities and replace with specified value [ Start a list of values local-as Well known community value: NO_EXPORT_SUBCONFED no-advertise Well known community value: NO_ADVERTISE no-export Well known community value: NO_EXPORT nopeer Well known community value: NOPEER <value> 32-bit value in hex, or in AS:VAL format, AS and VAL each in 065535 range > remove-regex Remove specified community match regular expression none No change on communities remove-all Remove all communities > extended-community Extended community update options + append Append community (64-bit value in hex, or one of TYPE:AS:VAL, TYPE:IP:VAL, TYPE:A.B:VAL format, TYPE is 'target', 'origin' or decimal number (0-65535) or list enclosed in [ ]) + overwrite Remove all communities and replace with specified value (64-bit value in hex, or one of TYPE:AS:VAL, TYPE:IP:VAL, TYPE:A.B:VAL format, TYPE is 'target', 'origin' or decimal number (0-65535) or list enclosed in [ ]) > remove-regex Remove specified community match regular expression none No change on communities remove-all Remove all communities > suppress-filters Filter(s) to suppress route advertisement if matched
Palo Alto Networks
+ from-peer Peer that advertised the route entry (name or list enclosed in [ ]) + med Multi-exit Discriminator (MED) (0-4294967295) + nexthop Next hop attributes (x.x.x.x/y or IPv6/netmask or list enclosed in [ ]) > address-prefix Address prefix IP address (x.x.x.x/y) or IPv6/netmask to match + exact Match exact prefix length > as-path Autonomous system (AS) path to match > regex AS-path regular expression > community Community to match > regex AS-path regular expression > extended-community Extended community to match > regex AS-path regular expression > conditional-advertisement Conditional-advertisement policy configuration + enable Enable this policy + used-by Peer/peer-groups that use this rule > advertise-filters Filter(s) to match route to be advertised + enable Enable this filter + from-peer Peer that advertised the route entry (name or list enclosed in [ ]) + med Multi-exit Discriminator (MED) (0-4294967295) + nexthop Next hop attributes (x.x.x.x/y or IPv6/netmask or list enclosed in [ ]) > address-prefix Address prefix IP address (x.x.x.x/y) or IPv6/netmask to match > as-path Autonomous system (AS) path to match > regex AS-path regular expression > community Community to match > regex AS-path regular expression > extended-community Extended community to match > regex AS-path regular expression > non-exist-filters Filter(s) to match non-exist routes + enable Enable this filter + from-peer Peer that advertised the route entry (name or list enclosed in [ ]) + med Multi-exit Discriminator (MED) (0-4294967295) + nexthop Next hop attributes (x.x.x.x/y or IPv6/netmask or list enclosed in [ ]) > address-prefix Address prefix IP address (x.x.x.x/y) or IPv6/netmask to match > as-path Autonomous system (AS) path to match > regex AS-path regular expression > community Community to match > regex AS-path regular expression > extended-community Extended community to match > regex AS-path regular expression > export Export policy rule + enable Enable this rule + used-by Peer-groups that use this rule > action Rule action (allow update or deny) + as-path-limit Add AS path limit attribute if it does not exist (1-255) + local-preference New local preference value (0-4294967295) + med New MED value (0-4294967295) + nexthop Next hop address {x.x.x.x or IPv6) + origin New route origin egp Route originated from EGP igp Route originated from IGP incomplete Incomplete route > as-path AS path update options > prepend Prepend local AS for specified number of times (1-255) > remove-and-prepend remove matched AS path(s), and prepend local AS for specified number of times (1-255)
Palo Alto Networks
none No change on AS path remove Remove matched AS path(s) > community Community update options + append Append community [ Start a list of values local-as Well known community value: NO_EXPORT_SUBCONFED no-advertise Well known community value: NO_ADVERTISE no-export Well known community value: NO_EXPORT nopeer Well known community value: NOPEER <value> 32-bit value in hex, or in AS:VAL format, AS and VAL each in 065535 range + overwrite Remove all communities and replace with specified value [ Start a list of values local-as Well known community value: NO_EXPORT_SUBCONFED no-advertise Well known community value: NO_ADVERTISE no-export Well known community value: NO_EXPORT nopeer Well known community value: NOPEER <value> 32-bit value in hex, or in AS:VAL format, AS and VAL each in 065535 range > remove-regex Remove specified community match regular expression none No change on communities remove-all Remove all communities > extended-community Extended community update options + append Append community (64-bit value in hex, or one of TYPE:AS:VAL, TYPE:IP:VAL, TYPE:A.B:VAL format, TYPE is 'target', 'origin' or decimal number (0-65535) or list enclosed in [ ]) + overwrite Remove all communities and replace with specified value (64-bit value in hex, or one of TYPE:AS:VAL, TYPE:IP:VAL, TYPE:A.B:VAL format, TYPE is 'target', 'origin' or decimal number (0-65535) or list enclosed in [ ]) > remove-regex Remove specified community match regular expression none No change on communities remove-all Remove all communities > match Export match + from-peer Peer that advertised the route entry (name or list enclosed in [ ]) + med Multi-exit Discriminator (MED) (0-4294967295) + nexthop Next hop attributes (x.x.x.x/y or IPv6/netmask or list enclosed in [ ]) > address-prefix Address prefix IP address (x.x.x.x/y) or IPv6/netmask to match + exact match exact prefix length > as-path Autonomous system (AS) path to match > regex AS-path regular expression > community Community to match > regex AS-path regular expression > extended-community Extended community to match > regex AS-path regular expression > import Import policy rule + enable Enable this rule + used-by Peer-groups that use this rule > action Rule action (allow or deny) + dampening Route flap dampening profile > update + as-path-limit Add AS path limit attribute if it does not exist (1-255) + local-preference New local preference value (0-4294967295) + med New MED value (0-4294967295) + nexthop Next hop address {x.x.x.x or IPv6)
Palo Alto Networks
+ origin New route origin egp Route originated from EGP igp Route originated from IGP incomplete Incomplete route + weight New weight value (0-65535) > as-path AS path update options > prepend Prepend local AS for specified number of times (1-255) > remove-and-prepend remove matched AS path(s), and prepend local AS for specified number of times (1-255) none No change on AS path remove Remove matched AS path(s) > community Community update options + append Append community [ Start a list of values local-as Well known community value: NO_EXPORT_SUBCONFED no-advertise Well known community value: NO_ADVERTISE no-export Well known community value: NO_EXPORT nopeer Well known community value: NOPEER <value> 32-bit value in hex, or in AS:VAL format, AS and VAL each in 0-65535 range + overwrite Remove all communities and replace with specified value [ Start a list of values local-as Well known community value: NO_EXPORT_SUBCONFED no-advertise Well known community value: NO_ADVERTISE no-export Well known community value: NO_EXPORT nopeer Well known community value: NOPEER <value> 32-bit value in hex, or in AS:VAL format, AS and VAL each in 0-65535 range > remove-regex Remove specified community match regular expression none No change on communities remove-all Remove all communities > extended-community Extended community update options + append Append community (64-bit value in hex, or one of TYPE:AS:VAL, TYPE:IP:VAL, TYPE:A.B:VAL format, TYPE is 'target', 'origin' or decimal number (0-65535) or list enclosed in [ ]) + overwrite Remove all communities and replace with specified value (64-bit value in hex, or one of TYPE:AS:VAL, TYPE:IP:VAL, TYPE:A.B:VAL format, TYPE is 'target', 'origin' or decimal number (0-65535) or list enclosed in [ ]) > remove-regex Remove specified community match regular expression none No change on communities remove-all Remove all communities > match Export match + from-peer Peer that advertised the route entry (name or list enclosed in [ ]) + med Multi-exit Discriminator (MED) (0-4294967295) + nexthop Next hop attributes (x.x.x.x/y or IPv6/netmask or list enclosed in [ ]) > address-prefix Address prefix IP address (x.x.x.x/y) or IPv6/netmask to match + exact match exact prefix length > as-path Autonomous system (AS) path to match > regex AS-path regular expression > community Community to match > regex AS-path regular expression > extended-community Extended community to match > regex AS-path regular expression
Palo Alto Networks
> redist-rules Redistribution rules for export through BGP <ip/netmask> IP address and netmask (x.x.x.x/y) or ipv6/netmask <value> Redistribute routes using redist-profile + enable Enable rule + set-as-path-limit Add the AS_PATHLIMIT path attribute (1-255) + set-community Add the COMMUNITY path attribute [ Start a list of values local-as Well known community value: NO_EXPORT_SUBCONFED no-advertise Well known community value: NO_ADVERTISE no-export Well known community value: NO_EXPORT nopeer Well known community value: NOPEER <value> 32-bit value in hex, or in AS:VAL format, AS and VAL each in 0-65535 range + set-extended-community Add the EXTENDED COMMUNITY path attribute [ Start a list of values <value> 64-bit value in hex, or one of TYPE:AS:VAL, TYPE:IP:VAL, TYPE:A.B:VAL format, TYPE is 'target', 'origin' or decimal number (0-65535) + set-local-preference Add the LOCAL_PREF path attribute (0-4294967295) + set-med Add the MULTI_EXIT_DISC path attribute (0-4294967295) + set-origin Add the ORIGIN path attribute egp Path learned via EGP protocol igp Path interior to originating AS incomplete Path was learned by some other means > routing-options Routing instance options + as-format AS format 2-byte 2-byte AS format 4-byte 4-byte AS format specified in RFC-4893 + confederation-member-as Confederation requires member-AS number (1-4294967295) + default-local-preference Default local preference (0-4294967295) + reflector-cluster-id Route reflector cluster ID (x.x.x.x or IPv6) > aggregate Aggregate options + aggregate-med Aggregate route only if they have same MED attributes > graceful-restart Graceful restart options + enable Enable graceful restart + local-restart-time Local restart time to advertise to peer, in seconds (1-3600) + max-peer-restart-time Maximum of peer restart time accepted, in seconds (1-3600) + stale-route-time Time to remove stale routes after peer restart, in seconds (1-3600) > med Path selection based on Multiple Exit Discriminator (MED) Metric + always-compare-med Always compare MEDs + deterministic-med-comparison Deterministic MEDs comparison

Palo Alto Networks
set network virtual-router protocol ospf

Configures a virtual router for the firewall with the Open Shortest Path First (OSPF) protocol. For additional virtual router configuration, refer to set network virtual-router on page 117.
Syntax
set network virtual-router <name> protocol ospf { allow-redist-default-route {no | yes} | enable {no | yes} | reject-default-route {no | yes} | rfc1583 {no | yes} | router-id <ip_address> | area <ip_address> | { interface <interface_name> | { authentication <name> | dead-counts <value> | enable {no | yes} | hello-interval <value> | metric <value> | passive {no | yes} | priority <value> | retransmit-interval <value> | transit-delay <value> | link-type {broadcast | p2mp | p2p} | neighbor <ip_address> } range <ip/netmask> {advertise | suppress} | type | { nssa | { accept-summary {no | yes} | default-route | { advertise | { metric <value> | type {ext-1 | ext-2} } disable } nssa-ext-range <ip/netmask> {advertise | suppress} } stub { accept-summary {no | yes} | default-route
Palo Alto Networks
{ advertise {metric <value>} | disable } } normal } virtual-link <name> { authentication <name> | dead-counts <value> | enable {no | yes} | hello-interval <value> | neighbor-id <ip_address> retransmit-interval <value> | transit-area-id <value> | transit-delay <value> } } auth-profile <name> | { md5 <value> {key <value> | preferred {no | yes}} | password <value> } export-rules {<ip/netmask> | <value>} { new-path-type {ext-1 | ext-2} | new-tag {<ip/netmask> | <value>} } }
Options
<name> Configures a virtual router with the specified name + allow-redist-default-route Allow redistribute default route to OSPF + enable Enable configuration + reject-default-route Do not learn default route from OSPF + rfc1583 RFC-1583 compatibility + router-id Router ID of this OSPF instance (x.x.x.x or IPv6) > area Area configuration (x.x.x.x or IPv6) > interface Protocol configuration for interface(s) + authentication Authentication options + dead-counts Number of lost hello packets to declare router down (3-20) + enable Enable OSPF in this interface + hello-interval Interval to send Hello packets, in seconds (0-3600) + metric Cost of OSPF interface (1-65535) + passive Suppress the sending of hello packets in this interface + priority Priority for OSPF designated router selection (0-255) + retransmit-interval Interval to retransmit LSAs, in seconds (1-3600) + transit-delay Estimated delay to transmit LSAs, in seconds (1-3600) > link-type Link type (broadcast, p2mp, or p2p) > neighbor Neighbor configuration (x.x.x.x or IPv6) > range Area range for summarization (x.x.x.x/y or IPv6/netmask) advertise Do summarization and advertise
Palo Alto Networks
suppress Suppress summarization to be sent, make this subnet hidden > type Area type > nssa Not-So-Stubby Area (NSSA) configuration + accept-summary Accept summary > default-route Configure default route behavior via this interface/subnet > advertise Advertise default route link-state advertisement (LSA) to this area + metric Metric to be used when advertising default route within this stub area (1-255) + type Metric type to be used when advertising default route ext-1 Metric comparable with OSPF metric ext-2 External route is always less preferred than OSPF routes disable Do not advertise default route LSA to this area > nssa-ext-range Address range for summary external routes learned within this NSSA area (x.x.x.x/y or IPv6/netmask) advertise Do summarization and advertise suppress Suppress summarization to be sent, make this subnet hidden from other areas > stub Stub area configuration + accept-summary Accept-summary > default-route Config default route LSA advertise behavior for this area > advertise Advertise default route LSA to this area + metric Metric to be used when advertising default route within this stub area (1-255) disable Do not advertise default route LSA to this area normal Normal area configuration > virtual-link Virtual link configuration + authentication Authentication options + dead-counts Number of lost hello packets to declare router down (3-20) + enable Enable this virtual link + hello-interval Interval to send Hello packets, in seconds (0-3600) + neighbor-id Neighbor router id for virtual link (x.x.x.x or IPv6) + retransmit-interval Interval to retransmit LSAs, in seconds (1-3600) + transit-area-id ID of transit area, cannot be backbone, stub or NSSA + transit-delay Estimated delay to transmit LSAs, in seconds (1-3600) > auth-profile OSPF authentication profiles > md5 Use OSPF MD5 authentication method (0-255 index of MD5 key) + key Key for the authentication + preferred Use this key when sending packet > password Simple password authentication > export-rules Redistribution rules for export through OSPF <ip/netmask> IP address and netmask (x.x.x.x/y) or IPv6/netmask <value> Redistribute routes using redist-profile + new-path-type Path type to be used for imported external routes ext-1 Metric comparable with OSPF metric ext-2 External route is always less preferred than OSPF routes + new-tag New tag value (x.x.x.x/y or IPv6/netmask or 1-4294967295)

Palo Alto Networks
set network virtual-router protocol redist-profile

Defines profiles for route redistribution rules. For additional virtual router configuration, refer to set network virtual-router on page 117.
Syntax
set network virtual-router <name> protocol redist-profile <name> { priority <value> | action {redist {new-metric <value>} | no-redist} | filter { destination <ip/netmask> | interface <value> | nexthop <ip/netmask> | type <bgp | connect | ospf | rip | static | <type> | bgp | { community {local-as | no-advertise | no-export | nopeer | <value>} | extended-community <value> } ospf { area <ip_address> | path-type {ext-1 | ext-2 | inter-area | intra-area | <list>} | tag {<ip/netmask> | <value>} } } }
Options
<name> Configures a virtual router with the specified name redist-profile Route redistribution profile name + priority Priority (1-255) > action Action taken when filter is matched > redist Redistribute when this rule matched + new-metric New metric value (1-255) no-redist Do not redistribute when this rule matched > filter Define filter criteria for redistribution rules + destination Specify candidate routes' destination networks (subnet match) (x.x.x.x/y or IPv6/ netmask or list enclosed in [ ]) + interface Specify candidate routes' interfaces (member value or list enclosed in [ ]) + nexthop Specify candidate routes' next-hop addresses (subnet match) (x.x.x.x/y or IPv6/netmask or list enclosed in [ ]) + type Specify candidate routes' types (BGP, connect, OSPF, RIP, static, or list enclosed in [ ]) > bgp Specify candidate BGP routes' attributes + community BGP community [ Start a list of values local-as Well known community value: NO_EXPORT_SUBCONFED
Palo Alto Networks
no-advertise Well known community value: NO_ADVERTISE no-export Well known community value: NO_EXPORT nopeer Well known community value: NOPEER <value> 32-bit value in hex, or in AS:VAL format, AS and VAL each in 0-65535 range + extended-community BGP extended-community [ Start a list of values <value> 64-bit value in hex, or one of TYPE:AS:VAL, TYPE:IP:VAL, TYPE:A.B:VAL format, TYPE is 'target', 'origin' or decimal number (0-65535) > ospf Specify candidate OSPF routes' attributes + area Area (x.x.x.x or IPv6 or list enclosed in [ ]) + path-type Path-type (ext-1, ext-2, inter-area, intra-area, or list enclosed in [ ]) + tag Tag (x.x.x.x/y, IPv6/netmask, value between 1-4294967295, or list enclosed in [ ])

Palo Alto Networks
set network virtual-router protocol rip

Configures a virtual router for the firewall with the Routing Information Protocol (RIP). For additional virtual router configuration, refer to set network virtual-router on page 117.
Syntax
set network virtual-router <name> protocol rip { allow-redist-default-route {no | yes} | enable {no | yes} | export-rules <name> | reject-default-route {no | yes} | auth-profile <name> { md5 <value> {key <value> | preferred {no | yes}} | password <value> } interface <interface_name> { authentication <name> | enable {no | yes} | mode {normal | passive | send-only} | default-route {advertise {metric <value>} | disable} } timers { delete-intervals <value> | expire-intervals <value> | interval-seconds <value> | update-intervals <value> } }
Options
<name> Configures a virtual router with the specified name + allow-redist-default-route Allow redistribute default route to RIP + enable Enable configuration + export-rules Redistribution rules for export through RIP (name or list enclosed in [ ]) + reject-default-route do not learn default route from RIP > auth-profile RIP authentication profiles > md5 Use RIP MD5 authentication method (0-255 index of MD5 key) + key Key for the authentication + preferred Use this key when sending packet > password Simple password authentication > interface Protocol Configuration for Interface(s) + authentication Authentication options + enable Enable interface + mode Mode selection normal Send and receive
Palo Alto Networks
passive Receive only send-only Send only, do not receive RIP updates > default-route Configure default route advertise behavior via this interface/subnet > advertise Advertise default route via this interface/subnet + metric Metric to be used when advertise default route via RIP (1-15) disable Do not advertise default route via this interface/subnet > timers Configure RIP timers + delete-intervals Number of intervals take between route expiration to its deletion (1-255) + expire-intervals Number of intervals take between route last updated to its expiration (1-255) + interval-seconds Timer interval value, in seconds (1-60) + update-intervals Number of intervals take between route advertisement (RIP response packet) (1255)

Palo Alto Networks
set network virtual-wire
set network virtual-wire

Specifies virtual wire settings for the firewall. In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports together. Virtual wire can be used to install the firewall in any network environment with no configuration of adjacent network devices required. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
set network virtual-wire {default-vwire | <name>} { interface1 <value> | interface2 <value> | tag-allowed <value> | link-state-pass-through enable {no | yes} | multicast-firewalling enable {no | yes} }
Options
default-vwire Configures a default virtual wire <name> Configures a virtual wire with the specified name + interface1 Interface 1 name + interface2 Interface 2 name + tag-allowed Allowed 802.1q VLAN tags (0-4094) > link-state-pass-through Pass link state change from one interface to another > multicast-firewalling Firewalling for non-unicast traffic

Palo Alto Networks
set network vlan
set network vlan

Configures a Virtual Local Area Network (VLAN) interface on the firewall. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
set network vlan <name> { interface <value> | mac <mac_address> interface <name> | virtual-interface { interface <value> | l3-forwarding {no | yes} } }
Options
<name> VLAN identifier + interface Interface(s) within this VLAN, ex. ethernet1/5 (member value or list of values enclosed in [ ]) > mac Static MAC configuration (MAC address format xx:xx:xx:xx:xx:xx) + interface Interface name > virtual-interface Virtual interface for this VLAN + interface Virtual interface identifier, ex. vlan 1 + l3-forwarding Enable Layer3 forwarding on this virtual interface

Palo Alto Networks
set pan-agent
set pan-agent
Configures a user identification agent (User-ID Agent) on the firewall. A User-ID Agent is a Palo Alto Networks application that is installed on the network to obtain needed mapping information between IP addresses and network users. The User-ID Agent collects user-to-IP address mapping information automatically and provides it to the firewall for use in security policies and logging. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set pan-agent <name> { group-timer <value> | ip-address <ip_address> | port <port_number> }
Options
<name> Specifies the Palo Alto Networks (PAN) agent to configure + group-timer Time in second between reading group membership (60-86400) + ip-address PAN agent IP address (x.x.x.x or IPv6) + port Port number (1-65535)

Palo Alto Networks
set pdf-summary-report
set pdf-summary-report
Specifies format settings for PDF summary reports. For more information, refer to the Reports and Logs chapter in the Palo Alto Networks Administrators Guide.
Syntax
set pdf-summary-report <name> { custom-widget <name> | { chart-type {bar | line | pie | table} | column <value> | row <value> } footer {note <value>} | header {caption <value>}| }
Options
<name> PDF report to configure > custom-widget Report widget layout information + chart-type Chart type (bar, line, pie, or table) + column Column number (1-3) + row Row number (1-6) > footer Footer information for PDF summary layout + note Static string to be printed as a note > header Header information for PDF summary layout + caption Caption for the layout

Palo Alto Networks
set profile-group
set profile-group
Specifies settings for sets of security profiles that are treated as a unit and added to security policies. For example, you can create a threats security profile group that includes profiles for antivirus, antispyware, and vulnerability and then create a security policy that includes the threats profile. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set profile-group <name> { data-filtering <value> | file-blocking <value> | spyware <value> | url-filtering <value> | virus <value> | vulnerability <value> }
Options
<name> Profile group to configure + data-filtering Data filtering profile to include in the group, or list of profiles enclosed in [ ] + file-blocking File blocking profile to include in the group, or list of profiles enclosed in [ ] + spyware Spyware default profile or profile name to include in the group, or list of profiles enclosed in [ ] + url-filtering URL filtering default profile or profile name to include in the group, or list of profiles enclosed in [] + virus AV default profile or profile name to include in the group, or list of profiles enclosed in [ ] + vulnerability Vulnerability default profile or profile name to include in the group, or list of profiles enclosed in []

Palo Alto Networks
set profiles
set profiles
Specifies settings for security profiles that can be applied to security policies. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set profiles { custom-url-category <name> | { description <value> | list <value> } data-filtering <name> | { data-capture {no | yes} | descripton <value> | rules <name> { alert-threshold <value> | application {any | <value>} | block-threshold <value> | data-object <value> | direction {both | download | upload} | file-type {any | <value>} } } data-objects <name> | { description <value> | credit-card-numbers {weight <value>} | pattern <name> {regex <value> | weight <value>} | social-security-numbers {weight <value>} | social-security-numbers-without-dash {weight <value>} } | dos-protection <name> | { description <value> | type {aggregate | classified} | flood | { icmp | { enable {no | yes} | red { activate-rate <value> | alarm-rate <value> | maximal-rate <value>
Palo Alto Networks
set profiles
block {duration <value>} } } icmpv6 | { enable {no | yes} | red { activate-rate <value> | alarm-rate <value> | maximal-rate <value> block {duration <value>} } } other-ip | { enable {no | yes} | red { activate-rate <value> | alarm-rate <value> | maximal-rate <value> block {duration <value>} } } tcp-syn | { enable {no | yes} | red { activate-rate <value> | alarm-rate <value> | maximal-rate <value> block {duration <value>} } syn-cookies { activate-rate <value> | alarm-rate <value> | maximal-rate <value> block {duration <value>} } } udp { enable {no | yes} | red { activate-rate <value> | alarm-rate <value> | maximal-rate <value> block {duration <value>} } }
Palo Alto Networks
set profiles
} resource { sessions { enabled {no | yes} | max-concurrent-limit <value> } } } file-blocking <name> | { description <value> | rules <name> { action {alert | block | continue} | application {any | <value>} | direction {both | download | upload} | file-type {any | <value>} } } hip-objects <name> | { description <value> | anti-spyware | { exclude-vendor {no | yes} | criteria | { is-installed {no | yes} | real-time-protection {no | not-available | yes} | last-scan-time | { not-available | not-within {days <value> | hours <value>} | within {days <value> | hours <value>} } product-version | { contains <value> | greater-equal <value> | greater-than <value> | is <value> | is-not <value> | less-equal <value> | less-than <value> | not-within versions <value> | within versions <value> } virdef-version { not-within {days <value> | versions <value>} | within {days <value> | versions <value>} }
Palo Alto Networks
set profiles
} vendor <name> {product <name>} } antivirus | { exclude-vendor {no | yes} | criteria | { is-installed {no | yes} | real-time-protection {no | not-available | yes} | last-scan-time | { not-available | not-within {days <value> | hours <value>} | within {days <value> | hours <value>} } product-version | { contains <value> | greater-equal <value> | greater-than <value> | is <value> | is-not <value> | less-equal <value> | less-than <value> | not-within versions <value> | within versions <value> } virdef-version { not-within {days <value> | versions <value>} | within {days <value> | versions <value>} } } vendor <name> {product <name>} } custom-checks criteria | { process-list <name> {running {no | yes}} | registry-key <value> { default-value-data <value> | negate {no | yes} | registry-value <name> { negate {no | yes} | value-data <value> } } } disk-backup | { exclude-vendor {no | yes} | criteria |
Palo Alto Networks
set profiles
{ is-installed {no | yes} | last-backup-time | { not-available | not-within {days <value> | hours <value>} | within {days <value> | hours <value>} } } vendor <name> {product <name>} } disk-encryption | { exclude-vendor {no | yes} | criteria | { is-installed {no | yes} | encrypted-locations <value> | { encryption-state is {full | none | not-available | partial} | encryption-state is-not {full | none | not-available | partial} | } } vendor <name> {product <name>} } firewall | { exclude-vendor {no | yes} | criteria | { is-enabled {no | not-available | yes} | is-installed {no | yes} } vendor <name> {product <name>} } host-info criteria | { domain {contains | is | is-not} <value> | os {contains | is | is-not} <value> } patch-management { exclude-vendor {no | yes} | criteria | { is-enabled {no | not-available | yes} | is-installed {no | yes}| missing-patches { check {has-all | has-any | has-none} | patches <value> | severity {
Palo Alto Networks
set profiles
greater-equal <value> | greater-than <value> | is <value> | is-not <value> | less-equal <value> | less-than <value> } } } vendor <name> {product <name>} } } hip-profiles <name> | { description <value> | match <value> } spyware <name> | { description <value> | phone-home-detection | { custom <threat_id> | { packet-capture {no | yes} | action | { alert | block-ip | { duration <value> | track-by {source | source-and-destination} } default | drop | drop-all-packets | reset-both | reset-client | reset-server } time-attribute { interval <value> | threshold <value> | track-by {destination | source | source-and-destination} } } simple { critical {alert | allow | block | default} | high {alert | allow | block | default} | informational {alert | allow | block | default} | low {alert | allow | block | default} | medium {alert | allow | block | default} |
Palo Alto Networks
set profiles
packet-capture {no | yes} } } threat-exception <threat_id> } url-filtering <name> | { action {alert | block | continue | override} | alert <value> | allow <value> | allow-list <value> | block <value> | block-list <value> | continue <value> | description <value> | dynamic-url {no | yes} | enable-container-page {no | yes} | license-expired {allow | block} | log-container-page-only {no | yes} | override <value> } virus <name> { description <value> | packet-capture {no | yes} | application <name> {action {alert | allow | block | default}} | decoder <name> {action {alert | allow | block | default}} | threat-exception <threat_id> } vulnerability <name> { description <value> | custom <threat_id> | { packet-capture {no | yes} | action | { alert | block-ip | { duration <value> | track-by {source | source-and-destination} } default | drop | drop-all-packets | reset-both | reset-client | reset-server } time-attribute { interval <value> | threshold <value> |
Palo Alto Networks
set profiles
track-by {destination | source | source-and-destination} } } simple | { packet-capture {no | yes} | client | { critical {alert | allow | block | default} | high {alert | allow | block | default} | informational {alert | allow | block | default} | low {alert | allow | block | default} | medium {alert | allow | block | default} | } server { critical {alert | allow | block | default} | high {alert | allow | block | default} | informational {alert | allow | block | default} | low {alert | allow | block | default} | medium {alert | allow | block | default} | } threat-exception <threat_id> } }
Options
> custom-url-category Custom URL category profiles + description Profile description + list List; specify member value or list of values enclosed in [ ] > data-filtering Data filtering profiles + data-capture Data capture option + description Profile description > rules Data filtering rules for the profile + alert-threshold Alert threshold value (0-65535) + application Application name or list of values enclosed in [ ]; option to include all applications (any) + block-threshold Block threshold value (0-65535) + data-object Data object value + direction Direction for data filtering (both, download, or upload) + file-type File type or list of values enclosed in [ ]; option to include all types (any) > data-objects Data objects profiles + description Description of the profile > credit-card-numbers Credit card numbers; option to specify weight (0-255) > pattern Pattern; option to specify a regular expression value and weight (0-255) > social-security-numbers Social security numbers; option to specify weight (0-255) > social-security-numbers-without-dash Social security numbers without dash; option to specify weight (0255) > dos-protection Denial of Service (DoS) protection profiles + description Description of the profile + type Type (aggregate or classified) > flood Flood protection > icmp ICMP flood protection + enable Enable ICMP flood protection
Palo Alto Networks
set profiles
> red Random Early Drop (RED) + activate-rate Packet rate (pps) to start RED (1-2000000) + alarm-rate Packet rate (pps) to generate alarm (0-2000000) + maximal-rate Maximal packet rate (pps) allowed (1-2000000) > block Parameters for blocking + duration Duration (1-21600) > icmpv6 ICMPv6 flood protection + enable Enable ICMPv6 flood protection > red Random Early Drop (RED) + activate-rate Packet rate (pps) to start RED (1-2000000) + alarm-rate Packet rate (pps) to generate alarm (0-2000000) + maximal-rate Maximal packet rate (pps) allowed (1-2000000) > block Parameters for blocking + duration Duration (1-21600) > other-ip Other IP protocols protection + enable Enable other IP flood protection > red Random Early Drop (RED) + activate-rate Packet rate (pps) to start RED (1-2000000) + alarm-rate Packet rate (pps) to generate alarm (0-2000000) + maximal-rate Maximal packet rate (pps) allowed (1-2000000) > block Parameters for blocking + duration Duration (1-21600) > tcp-syn TCP synchronise packet (SYN) flood protection + enable Enable SYN flood protection > red Random Early Drop (RED) + activate-rate Packet rate (pps) to start RED (1-2000000) + alarm-rate Packet rate (pps) to generate alarm (0-2000000) + maximal-rate Maximal packet rate (pps) allowed (1-2000000) > block Parameters for blocking + duration Duration (1-21600) > syn-cookies SYN cookies + activate-rate Packet rate (pps) to activate SYN cookies proxy (0-2000000) + alarm-rate Packet rate (pps) to generate alarm (0-2000000) + maximal-rate Maximal packet rate (pps) allowed (1-2000000) > block Parameters for blocking + duration Duration (1-21600) > udp UDP flood protection + enable Enable UDP flood protection > red Random Early Drop (RED) + activate-rate Packet rate (pps) to start RED (1-2000000) + alarm-rate Packet rate (pps) to generate alarm (0-2000000) + maximal-rate Maximal packet rate (pps) allowed (1-2000000) > block Parameters for blocking + duration Duration (1-21600) > resource Parameters to protect resources > sessions Parameters to protect excessive sessions + enabled Enable session protections + max-concurrent-limit Maximum concurrent limit (1-2097152) > file-blocking File blocking profiles + description Description of the profile > rules File blocking rules for the profile + action Action (alert, block, or continue) + application Application name or list of values enclosed in [ ]; option to include all applications (any) + direction Direction for file blocking (both, download, or upload)
Palo Alto Networks
set profiles
+ file-type File type or list of values enclosed in [ ]; option to include all types (any) > hip-objects Host Identity Protocol (HIP) objects profiles + description Description of the profile > anti-spyware Anti-spyware HIP objects + exclude-vendor Exclude vendor (no or yes) > criteria Matching criteria + is-installed Is installed (no or yes) + real-time-protection Real time protection (no, not available, or yes) > last-scan-time Last full scan time > not-within Not-within; specify time in days or hours (1-65535) > within Within; specify time in days or hours (1-65535) Not-available Last scan time not available > product-version Specify product versions > contains Contains specified value > greater-equal Greater than or equal to specified value > greater-than Greater than specified value > is Is specified value > is-not Is not specified value > less-equal Less than or equal to specified value > less-than Less than specified value > not-within Not within versions range (1-65535) > within Within versions range (1-65535) > virdef-version Virus definition version > not-within Not within; specify time in days or versions range (1-65535) > within Within; specify time in days or versions range (1-65535) > vendor Vendor name + product Product name (value or list of values enclosed in [ ]) > antivirus Antivirus HIP objects + exclude-vendor Exclude vendor (no or yes) > criteria Matching criteria + is-installed Is installed (no or yes) + real-time-protection Real time protection (no, not available, or yes) > last-scan-time Last full scan time > not-within Not-within; specify time in days or hours (1-65535) > within Within; specify time in days or hours (1-65535) Not-available Last scan time not available > product-version Specify product versions > contains Contains specified value > greater-equal Greater than or equal to specified value > greater-than Greater than specified value > is Is specified value > is-not Is not specified value > less-equal Less than or equal to specified value > less-than Less than specified value > not-within Not within versions range (1-65535) > within Within versions range (1-65535) > virdef-version Virus definition version > not-within Not within; specify time in days or versions range (1-65535) > within Within; specify time in days or versions range (1-65535) > vendor Vendor name + product Product name (value or list of values enclosed in [ ]) > custom-checks Custom checks HIP objects > criteria Matching criteria > process-list Process list name; option to specify running
Palo Alto Networks
set profiles
> registry-key Registry key value + default-value-data Registry key default value data + negate Key does not exist or match specified value data > registry-value Registry value + negate Value does not exist or match specified value data + value-data Registry value data > disk-backup Disk backup HIP objects + exclude-vendor Exclude vendor (no or yes) > criteria Matching criteria + is-installed Is installed (no or yes) > last-backup-time Last full backup time > not-within Not-within; specify time in days or hours (1-65535) > within Within; specify time in days or hours (1-65535) Not-available Last scan time not available > vendor Vendor name + product Product name (value or list of values enclosed in [ ]) > disk-encryption Disk encryption HIP objects + exclude-vendor Exclude vendor (no or yes) > criteria Matching criteria + is-installed Is installed (no or yes) > encrypted-locations Specify encryption location > encryption-state is Encryption state is full, none, not-available, or partial > encryption-state is-not Encryption state is not full, none, not-available, or partial > vendor Vendor name + product Product name (value or list of values enclosed in [ ]) > firewall Firewall HIP objects + exclude-vendor Exclude vendor (no or yes) > criteria Matching criteria + is-enabled Is enabled (no, not available, or yes) + is-installed Is installed (no or yes) > vendor Vendor name + product Product name (value or list of values enclosed in [ ]) > host-info Host information HIP objects > criteria Matching criteria > domain Domain contains, is, or is not value > os OS contains, is, or is not value > patch-management Patch management HIP objects + exclude-vendor Exclude vendor (no or yes) > criteria Matching criteria + is-enabled Is enabled (no, not available, or yes) + is-installed Is installed (no or yes) > missing-patches Missing patches criteria + check Check has all, has any, or has none + patches Patch security bulletin ID or KB article ID (specify value or list of values enclosed in [ ]) > severity Severity > greater-equal Greater than or equal to specified value (0-100000) > greater-than Greater than specified value (0-100000) > is Is specified value (0-100000) > is-not Is not specified value (0-100000) > less-equal Less than or equal to specified value (0-100000) > less-than Less than specified value (0-100000) > vendor Vendor name + product Product name (value or list of values enclosed in [ ])
Palo Alto Networks
set profiles
> hip-profiles Host Identity Protocol (HIP) profiles + description Profile description + match Match value > spyware Spyware profiles + description Profile description > phone-home-detection Phone-home spyware detection > custom Specify a threat ID + packet-capture Packet capture (no or yes) > action Custom action (alert, default, drop, drop all packets, reset client, reset server, reset both, or block IP address) > block-ip Block IP address + duration Duration for blocking the IP address (1-3600) + track-by Track by source or source and destination > time-attribute Custom time attribute + interval Interval value (1-3600) + threshold Threshold value (1-255) + track-by Track by destination, source, or source and destination > simple Simple detection + critical Critical (alert, allow, block, or default) + high High (alert, allow, block, or default) + informational Informational (alert, allow, block, or default) + low Low (alert, allow, block, or default) + medium Medium (alert, allow, block, or default) + packet-capture Packet capture (no or yes) > threat-exception Specify a threat ID > url-filtering URL filtering profiles + action Action for block list items (alert, block, continue, override) + alert Categories to alert on (value or list of values enclosed in [ ]) + allow Categories to allow (value or list of values enclosed in [ ]) + allow-list Host or IP address to pass (e.g. www.hotmail.com or www.cnn.com/news) (value or list of values enclosed in [ ]) + block Categories to block (value or list of values enclosed in [ ]) + block-list Host or IP address to block (e.g. www.hotmail.com or www.cnn.com/news) (value or list of values enclosed in [ ]) + continue Categories to block/continue (value or list of values enclosed in [ ]) + description Profile description + dynamic-url Dynamic URL filtering + enable-container-page Track container page + license-expired Action when URL filtering license expires (allow or block) + log-container-page-only Log container page only + override Categories to administratively override (value or list of values enclosed in [ ]) > virus Virus profiles + description Profile description + packet-capture Packet capture (no or yes) > application Application name + action Action to take (alert, allow, block, or default) > decoder Decoder name + action Action to take (alert, allow, block, or default) > threat-exception Specify a threat ID > vulnerability Vulnerability profiles + description Profile description > custom Threat ID value + packet-capture Packet capture (no or yes) > action Custom action (alert, default, drop, drop all packets, reset client, reset server, reset both, or
Palo Alto Networks
set profiles
block IP address) > block-ip Block IP address + duration Duration for blocking the IP address (1-3600) + track-by Track by source or source and destination > time-attribute Custom time attribute + interval Interval value (1-3600) + threshold Threshold value (1-255) + track-by Track by destination, source, or source and destination > simple Simple vulnerability + packet-capture Packet capture (no or yes) > client Simple client vulnerability + critical Critical (alert, allow, block, or default) + high High (alert, allow, block, or default) + informational Informational (alert, allow, block, or default) + low Low (alert, allow, block, or default) + medium Medium (alert, allow, block, or default) > server Simple server vulnerability + critical Critical (alert, allow, block, or default) + high High (alert, allow, block, or default) + informational Informational (alert, allow, block, or default) + low Low (alert, allow, block, or default) + medium Medium (alert, allow, block, or default) > threat-exception Specify a threat ID

Palo Alto Networks
set region
set region
Defines a custom region on the firewall. The firewall supports creation of policy rules that apply to specified countries or other regions. The region is available as an option when specifying source and destination for security policies, SSL decryption policies, and DoS policies. A standard list of countries is available by default. This command allows you to define custom regions to include as options for security policy rules. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set region <code> { address {<value> | <ip/netmask> | <ip_range>} | geo-location | { latitude <coordinate> | longitude <coordinate> } }
Options
<code> Region to configure (two-character code; press <tab> for list) + address IP address and network mask (x.x.x.x/y or IPv6/netmask), IP address range (x.x.x.x-y.y.y.y or IPv6range), or list of values enclosed in [ ] > geo-location Device geographic location + latitude Latitude coordinate + longitude Longitude coordinate

Palo Alto Networks
set report-group
set report-group
Specifies settings for report groups. Report groups allow you to create sets of reports that the system can compile and send as a single aggregate PDF report with an optional title page and all the constituent reports included. For more information, refer to the Reports and Logs chapter in the Palo Alto Networks Administrators Guide.
Syntax
set report-group <name> | { title-page {no | yes} | custom-widget <value> | { custom-report <value> | log-view <value> | pdf-summary-report <value> } predefined user-activity-report | variable <name> {value <value>} }
Options
<name> Report group to configure + title-page Include title page > custom-widget Custom-widget value > custom-report Custom report value > log-view Log view value > pdf-summary-report PDF summary report value > predefined Predefined user activity report > variable Variable name; option to include a value

Palo Alto Networks
set reports
set reports
Specifies settings for generating reports. For more information, refer to the Reports and Logs chapter in the Palo Alto Networks Administrators Guide.
Syntax
set reports <name> { caption <value> | disabled {no | yes} | end-time <value> | frequency {daily | weekly} | period {last-12-hrs | last-15-minutes | last-24-hrs | last-30-days | last60-seconds | last-7-calendar-days | last-7-days | last-calendar-day | last-calendar-month | last-calendar-week | last-hour} | query <value> | start-time <value> | topm <value> | topn <value> | type { appstat | { aggregate-by {category-of-name | container-of-name | day-ofreceive_time | hour-of-receive_time | name | quarter-hour-ofreceive_time | risk | risk-of-name | subcategory-of-name | technology-of-name | vsys | <value>} | group-by {category-of-name | container-of-name | day-of-receive_time | hour-of-receive_time | name | quarter-hour-of-receive_time | risk | risk-of-name | subcategory-of-name | technology-of-name | vsys} | labels <value> | sortby {nbytes | npkts | nsess | nthreats} | values {nbytes | npkts | nsess | nthreats | <value>} } data | { aggregate-by {action | app | category-of-app | container-of-app | day-of-receive_time | direction | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | misc | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hourof-receive_time | risk-of-app | rule | severity | sport | src | srcloc | srcuser | subcategory-of-app | subtype | technology-ofapp | threatid | to | vsys | <value>} | group-by {action | app | category-of-app | container-of-app | dayof-receive_time | direction | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | misc | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hourof-receive_time | risk-of-app | rule | severity | sport | src |
Palo Alto Networks
set reports
srcloc | srcuser | subcategory-of-app | subtype | technology-ofapp | threatid | to | vsys} | labels <value> | sortby repeatcnt | values {repeatcnt | <value>} } hipmatch | { aggregate-by {day-of-receive_time | hour-of-receive_time | machinename | matchname | matchtype | quarter-hour-ofreceive_time | src | srcuser | vsys | <value>} | group-by {day-of-receive_time | hour-of-receive_time | machinename | matchname | matchtype | quarter-hour-of-receive_time | src | srcuser | vsys} | labels <value> | last-match-by time_generated | values {repeatcnt | <value>} } threat | { aggregate-by {action | app | category-of-app | container-of-app | day-of-receive_time | direction | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | misc | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hourof-receive_time | risk-of-app | rule | severity | sport | src | srcloc | srcuser | subcategory-of-app | subtype | technology-ofapp | threatid | to | vsys | <value>} | group-by {action | app | category-of-app | container-of-app | dayof-receive_time | direction | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | misc | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hourof-receive_time | risk-of-app | rule | severity | sport | src | srcloc | srcuser | subcategory-of-app | subtype | technology-ofapp | threatid | to | vsys} | labels <value> | sortby repeatcnt | values {repeatcnt | <value>} } thsum | { aggregate-by {app | category-of-app | container-of-app | day-ofreceive_time | dst | dstloc | dstuser | from | hour-ofreceive_time | quarter-hour-of-receive_time | risk-of-app | rule | severity-of-threatid | src | srcloc | srcuser | subcategory-ofapp | subtype | technology-of-app | threatid | to | vsys | <value>} | group-by {app | category-of-app | container-of-app | day-ofreceive_time | dst | dstloc | dstuser | from | hour-ofreceive_time | quarter-hour-of-receive_time | risk-of-app | rule | severity-of-threatid | src | srcloc | srcuser | subcategory-ofapp | subtype | technology-of-app | threatid | to | vsys} | labels <value> | sortby count | values {count | <value>}
Palo Alto Networks
set reports
} traffic | { aggregate-by {action | app | category | category-of-app | containerof-app | day-of-receive_time | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hour-ofreceive_time | risk-of-app | rule | sessionid | sport | src | srcloc | srcuser | subcategory-of-app | technology-of-app | to | vsys | <value>} | group-by {action | app | category | category-of-app | container-ofapp | day-of-receive_time | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hour-ofreceive_time | risk-of-app | rule | sessionid | sport | src | srcloc | srcuser | subcategory-of-app | technology-of-app | to | vsys} | labels <value> | sortby {bytes | elapsed | packets | repeatcnt} | values {bytes | elapsed | packets | repeatcnt | <value>} } trsum | { aggregate-by {app | category | category-of-app | container-of-app | day-of-receive_time | dst | dstuser | from | hour-of-receive_time | quarter-hour-of-receive_time | risk-of-app | rule | src | srcuser | subcategory-of-app | technology-of-app | to | vsys | <value>} | group-by {app | category | category-of-app | container-of-app | dayof-receive_time | dst | dstuser | from | hour-of-receive_time | quarter-hour-of-receive_time | risk-of-app | rule | src | srcuser | subcategory-of-app | technology-of-app | to | vsys} | labels <value> | sortby {bytes | sessions} | values {bytes | sessions | <value>} } url { aggregate-by {action | app | category | category-of-app | containerof-app | contenttype | day-of-receive_time | direction | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | misc | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hour-of-receive_time | risk-of-app | rule | severity | sport | src | srcloc | srcuser | subcategory-of-app | technology-of-app | to | vsys | <value>} | group-by {action | app | category | category-of-app | container-ofapp | contenttype | day-of-receive_time | direction | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | misc | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hour-of-receive_time | risk-of-app | rule | severity | sport | src | srcloc | srcuser | subcategory-of-app | technology-of-app | to | vsys} | labels <value> | sortby repeatcnt |
Palo Alto Networks
set reports
values {repeatcnt | <value>} } } }
Options
<name> Report to configure + caption Caption value + disabled Disabled (no or yes) + end-time End time (e.g. 2008/12/31 11:59:59) + frequency Frequency (daily or weekly) + period Time period to include in report (last 12 hrs, last 15 minutes, last 24 hrs, last 30 days, last 60 seconds, last 7 calendar days, last 7 days, last calendar day, last calendar month, last calendar week, or last hour) + query Query value + start-time Start time (e.g. 2008/01/01 09:00:00) + topm TopM value (1-50) + topn TopN value (1-500) > type Report type > appstat Appstat report + aggregate-by Aggregate by category of name, container of name, day of receive time, hour of receive time, name, quarter hour of receive time, risk, risk of name, subcategory of name, technology of name, virtual system, or list of values enclosed in [ ] + group-by Group by category of name, container of name, day of receive time, hour of receive time, name, quarter hour of receive time, risk, risk of name, subcategory of name, technology of name, or virtual system + labels Label value or list of values enclosed in [ ] + sortby Sort by nbytes, npkts, nsess, or nthreats + values Values (nbytes, npkts, nsess, nthreats, or list of values enclosed in [ ]) > data Data report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ] + group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + sortby Sort by repeat count + values Values (repeat count, or list of values enclosed in [ ]) > hipmatch HIP match report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ] + group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + last-match-by Last match by time generated + values Values (repeat count, or list of values enclosed in [ ]) > threat Threat report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ] + group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + sortby Sort by repeat count + values Values (repeat count, or list of values enclosed in [ ]) > thsum thsum report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ] + group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + sortby Sort by count + values Values (count, or list of values enclosed in [ ]) > traffic Traffic report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ]
Palo Alto Networks
set reports
+ group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + sortby Sort by bytes, elapsed, packets, or repeatcnt + values Values (bytes, elapsed, packets, repeatcnt, or list of values enclosed in [ ]) > trsum trsum report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ] + group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + sortby Sort by bytes or sessions + values Values (bytes, sessions, or list of values enclosed in [ ]) > url URL report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ] + group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + sortby Sort by repeat count + values Values (repeat count, or list of values enclosed in [ ])

Palo Alto Networks
set rulebase
set rulebase
Configures sets of rules for policies for the following services: application overrides, captive portals, SSL decryption, Denial of Service (DoS), Network Address Translation (NAT), Policy-based Forwarding (PBF), Quality of Service (QoS), and security. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set rulebase { application-override rules <name> | { application <value> | description <value> | destination {any | <value>} | disabled {no | yes} | from {any | <value>} | negate-destination {no | yes} | negate-source {no | yes} | port <port_number> | protocol {tcp | udp} | source {any | <value>} | source-user {any | known-user | unknown | <value>} | tag <value> | to {any | <value>} } captive-portal rules <name> | { action {captive-portal | no-captive-portal | ntlm-auth} | description <value> | destination {any | <value>} | disabled {no | yes} | from {any | <value>} | negate-destination {no | yes} | negate-source {no | yes} | service {any | default | service-http | service-https | <value>} | source {any | <value>} | tag <value> | to {any | <value>} } decryption rules <name> { action {decrypt | no-decrypt} | category {any | <value>} | description <value> | destination {any | <value>} | disabled {no | yes} | from {any | <value>} | negate-destination {no | yes} |
Palo Alto Networks
set rulebase
negate-source {no | yes} | source {any | <value>} | source-user {any | known-user | unknown | <value>} | tag <value> | to {any | <value>} | option block-if-failed-to-decrypt {no | yes} | type {ssh-proxy | ssl-forward-proxy | ssl-inbound-inspection <value>} } dos rules <name> | { description <value> | destination {any | <value>} | disabled {no | yes} | negate-destination {no | yes} | negate-source {no | yes} | schedule <value> | service {any | application-default | service-http | service-https | <value>} | source {any | <value>} | source-user {any | known-user | unknown | <value>} | tag <value> | action {allow | deny | protect} | from {interface <value> | zone <value>} | protection | { aggregate {profile <value>} | classified { profile <value> | classification-criteria { address destination-ip-only | address source-ip-only | address src-dest-ip-both } } } to {interface <value> | zone <value>} } nat rules <name> | { active-active-device-binding {0 | 1 | both | primary} | description <value> | destination {any | <value>} | disabled {no | yes} | from {any | <value>} | service {any | service-http | service-https | <value>} | source {any | <value>} | tag <value> | to {any | <value>} | to-interface <value> | destination-translation | { translated-address <value> |
Palo Alto Networks
set rulebase
translated-port <value> } source-translation { dynamic-ip translated-address <value> | dynamic-ip-and-port | { translated-address <value> | interface-address { interface <interface_name> | floating-ip <ip_address> | ip <ip_address> } } static-ip { bi-directional {no | yes} | translated-address <value> } } } pbf rules <name> | { active-active-device-binding {0 | 1 | both} | application <value> | description <value> | destination {any | <value>} | disabled {no | yes} | negate-destination {no | yes} | negate-source {no | yes} | schedule <value> | service {any | application-default | service-http | service-https | <value>} | source {any | <value>} | source-user {any | known-user | unknown | <value>} | tag <value> | action | { forward | { egress-interface <value> | monitor | { disable-if-unreachable {no | yes} | ip-addresss <ip_address> | profile {default | <value>} } nexthop <ip_address> } forward-to-vsys <value> | discard | no-pbf }
Palo Alto Networks
set rulebase
from {interface <value> | zone <value>} } qos rules <name> | { application <value> | description <value> | destination {any | <value>} | disabled {no | yes} | negate-destination {no | yes} | negate-source {no | yes} | schedule <value> | service {any | application-default | service-http | service-https | <value>} | source {any | <value>} | source-user {any | known-user | unknown | <value>} | tag <value> | to {any | <value>} action {class {1 | 2 | 3 | 4 | 5 | 6 | 7 | 8}} } security rules <name> { action {allow | deny} | application <value> | description <value> | destination {any | <value>} | disabled {no | yes} | from {any | <value>} | hip-profiles {any | no-hip | <value>} | log-end {no | yes} log-setting <value> | log-start {no | yes} negate-destination {no | yes} | negate-source {no | yes} | schedule <value> | service {any | application-default | service-http | service-https | <value>} | source {any | <value>} | source-user {any | known-user | unknown | <value>} | tag <value> | to {any | <value>} | option disable-server-response-inspection | profile-setting | { group <value> | profiles { data-filtering <value> | file-blocking <value> | spyware {default | <value>} | url-filtering {default | <value>} | virus {default | <value>} | vulnerability {default | <value>} } }
Palo Alto Networks
set rulebase
qos { marking ip-dscp <value> | marking ip-precedence <value> } } }
Options
> application-override Application override rules + application Application (select from list of applications or enter a value) + description Description of rule set + destination Destination (any, address, address group, IP address/network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + disabled Disable the rule + from From (any, zone, or list of values enclosed in [ ]) + negate-destination Negate destination + negate-source Negate source + port Port number value or list of values enclosed in [ ] (1-65535) + protocol Protocol (TCP or UDP) + source Source (any, address, address group, IP address/network mask (x.x.x.x/y or IPv6/netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + source-user Source user (any, known user, unknown, user name, user group, or list of values enclosed in [ ]) + tag Tag (member value or list of values enclosed in [ ]) + to To (any, zone, or list of values enclosed in [ ]) > captive-portal Captive portal rules + action Action (captive portal, no captive portal, or NT LAN Manager authentication) + description Description of rule set + destination Destination (any, address, address group, IP address/network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + disabled Disable the rule + from From (any, zone, or list of values enclosed in [ ]) + negate-destination Negate destination + negate-source Negate source + service Service (any, default, predefined HTTP or HTTPS service, value or list of values enclosed in [ ]) + source Source (any, address, address group, IP address/network mask (x.x.x.x/y or IPv6/netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + tag Tag (member value or list of values enclosed in [ ]) + to To (any, zone, or list of values enclosed in [ ]) > decryption SSL/SSH decryption rules + action Action (decrypt or not decrypt) + category Category (select from list, or enter a value or list of values enclosed in [ ]) + description Description of rule set + destination Destination (any, address, address group, region code, IP address/network mask (x.x.x.x/y or IPv6/netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + disabled Disable the rule + from From (any, zone, or list of values enclosed in [ ]) + negate-destination Negate destination + negate-source Negate source + source Source (any, address, address group, region code, IP address/network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + source-user Source user (any, known user, unknown, user name, user group, or list of values enclosed in
Palo Alto Networks
set rulebase
[ ]) + tag Tag (member value or list of values enclosed in [ ]) + to To (any, zone, or list of values enclosed in [ ]) > option Option to block of failed to decrypt > type Decryption type > ssl-inbound-inspection SSL Inbound Inspection value - ssh-proxy SSH Proxy - ssl-forward-proxy SSL Forward Proxy > dos Denial of Service (DoS) protection rules + description Description of rule set + destination Destination (any, address, address group, region code, IP address/network mask (x.x.x.x/y or IPv6/netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + disabled Disable the rule + negate-destination Negate destination + negate-source Negate source + schedule Schedule value + service Service (any, application default, predefined HTTP or HTTPS service, value or list of values enclosed in [ ]) + source Source (any, address, address group, region code, IP address/network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + source-user Source user (any, known user, unknown, user name, user group, or list of values enclosed in [ ]) + tag Tag (member value or list of values enclosed in [ ]) > action DoS rule action - allow Allow all packets - deny Deny packets - protect Enforce DoS protection > from Source zone or interface + interface Interface member value or list of values enclosed in [ ] + zone Zone value or list of values enclosed in [ ] > protection DoS protection parameters to enforce > aggregate Parameters for aggregated protection + profile DoS profile to use for aggregated protection > classified Parameters for classified/qualified protection + profile DoS profile to use for classified protection > classification-criteria Parameters to control how DoS protection is applied + address Parameters for IP Address based classification - destination-ip-only Destination IP address only - source-ip-only Source IP address only - src-dest-ip-both Both source and destination IP addresses > to Destination zone, interface, or name + interface Interface member value or list of values enclosed in [ ] + zone Zone value or list of values enclosed in [ ] > nat Network Address Translation (NAT) rules + active-active-device-binding Device binding configuration in High Availability (HA) Active-Active mode 0 Rule is bound to device 0 1 Rule is bound to device 1 both Rule is bound to both devices primary Rule is bound to Active-Primary device + description Description of rule set + destination Destination (any, address, address group, IP address/network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + disabled Disable the rule
Palo Alto Networks
set rulebase
+ from From (any, zone, or list of values enclosed in [ ]) + service Service (any, predefined HTTP or HTTPS service, service name, or service group) + source Source (any, address, address group, IP address/network mask (x.x.x.x/y or IPv6/netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + tag Tag (member value or list of values enclosed in [ ]) + to To (any, zone, or list of values enclosed in [ ]) + to-interface Egress interface from route lookup > destination-translation + translated-address Address, address group, IP address and network mask (x.x.x.x/y or IPv6/netmask), or IP address range (x.x.x.x-y.y.y.y or IPv6-range) + translated-port Port number (1-65535) > source-translation > dynamic-ip Dynamic IP-only translation + translated-address Address, address group, IP address and network mask (x.x.x.x/y or IPv6/ netmask), or IP address range (x.x.x.x-y.y.y.y or IPv6-range) > dynamic-ip-and-port Dynamic IP and port translation + translated-address Address, address group, IP address and network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ] > interface-address Use interface address as translated address + interface Interface name > floating-ip Floating IP address in HA Active-Active configuration > ip specify exact IP address if interface has multiple addresses > static-ip Static IP translation via IP shifting + bi-directional Allow reverse translation from translated address to original address + translated-address Address, address group, IP address and network mask (x.x.x.x/y or IPv6/ netmask), or IP address range (x.x.x.x-y.y.y.y or IPv6-range) > pbf Policy-based Forwarding (PBF) rules + active-active-device-binding Device binding configuration in High Availability (HA) Active-Active mode 0 Rule is bound to device 0 1 Rule is bound to device 1 both Rule is bound to both devices + application Application (select from list of applications or enter a value) + description Description of rule set + destination Destination (any, address, address-group, IP address/network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + disabled Disable the rule + negate-destination Negate destination + negate-source Negate source + schedule Schedule value + service Service (any, application default, predefined HTTP or HTTPS service, value or list of values enclosed in [ ]) + source Source (any, address, address group, IP address/network mask (x.x.x.x/y or IPv6/netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + source-user Source user (any, known user, unknown, user name, user group, or list of values enclosed in [ ]) + tag Tag (member value or list of values enclosed in [ ]) > action Policy-based forwarding action > forward Forward packets + egress-interface Interface to route packet to > monitor Parameters for monitoring + disable-if-unreachable Disable this rule if nexthop/monitor ip is unreachable + ip-address Monitor IP address (x.x.x.x or IPv6) + profile Monitoring profile associated with this rule
Palo Alto Networks
set rulebase
> nexthop Next hop IP address (x.x.x.x or IPv6) > forward-to-vsys Virtual system/Shared gateway to route packets to - discard Discard packets - no-pbf Don't forward by PBF > from Source zone or interface + interface Interface member value or list of values enclosed in [ ] + zone Zone value or list of values enclosed in [ ] > qos Quality of Service (QoS) rules + application Application (select from list of applications or enter a value) + description Description of rule set + destination Destination (any, address, address-group, IP address/network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + disabled Disable the rule + from From (any, zone, or list of values enclosed in [ ]) + negate-destination Negate destination + negate-source Negate source + schedule Schedule value + service Service (any, application default, predefined HTTP or HTTPS service, value or list of values enclosed in [ ]) + source Source (any, address, address group, IP address/network mask (x.x.x.x/y or IPv6/netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + source-user Source user (any, known user, unknown, user name, user group, or list of values enclosed in [ ]) + tag Tag (member value or list of values enclosed in [ ]) + to To (any, zone, or list of values enclosed in [ ]) > action Classification action + class Assigned class (1-8) > security Security rules + action Action (allow or deny) + application Application (select from list of applications or enter a value) + description Description of rule set + destination Destination (any, address, address group, region code, IP address/network mask (x.x.x.x/y or IPv6/netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + disabled Disable the rule + from From (any, zone, or list of values enclosed in [ ]) + hip-profiles Host IP profiles (any, no HIP profile, value or list of values enclosed in [ ]) + log-end Log at session end (required for certain ACC tables) + log-setting Log setting + log-start Log at session start + negate-destination Negate destination + negate-source Negate source + schedule Schedule value + service Service (any, application default, predefined HTTP or HTTPS service, value or list of values enclosed in [ ]) + source Source (any, address, address group, region code, IP address/network mask (x.x.x.x/y or IPv6/ netmask), IP address range (x.x.x.x-y.y.y.y or IPv6-range), or list of values enclosed in [ ]) + source-user Source user (any, known user, unknown, user name, user group, or list of values enclosed in [ ]) + tag Tag (member value or list of values enclosed in [ ]) + to To (any, zone, or list of values enclosed in [ ]) > option Security option + disable-server-response-inspection Disable inspection of server side traffic > profile-setting Profile setting for group or profile rules + group Group member value or list of values enclosed in [ ]
Palo Alto Networks
set rulebase
> profiles Profiles for security rules + data-filtering Data filtering profiles member value or list of values enclosed in [ ] + file-blocking File blocking profiles member value or list of values enclosed in [ ] + spyware Spyware profiles (default, member value, or list of values enclosed in [ ]) + url-filtering URL filtering profiles (default, member value, or list of values enclosed in [ ]) + virus Anti-virus profiles (default, member value, or list of values enclosed in [ ]) + vulnerability Vulnerability profiles (default, member value, or list of values enclosed in [ ]) > qos QoS security > marking Marking rules > ip-dscp IP dscp; specify codepoint in format of 'xxxxxx' where x is {0|1} af11 codepoint 001010 af12 codepoint 001100 af13 codepoint 001110 af21 codepoint 010010 af22 codepoint 010100 af23 codepoint 010110 af31 codepoint 011010 af32 codepoint 011100 af33 codepoint 011110 af41 codepoint 100010 af42 codepoint 100100 af43 codepoint 100110 cs0 codepoint 000000 cs1 codepoint 001000 cs2 codepoint 010000 cs3 codepoint 011000 cs4 codepoint 100000 cs5 codepoint 101000 cs6 codepoint 110000 cs7 codepoint 111000 ef codepoint 101110, expedited forwarding > ip-precedence IP precedence; specify codepoint in format of 'xxx' cs0 codepoint 000 cs1 codepoint 001 cs2 codepoint 010 cs3 codepoint 011 cs4 codepoint 100 cs5 codepoint 101 cs6 codepoint 110 cs7 codepoint 111

Palo Alto Networks
set schedule
set schedule
Specifies schedules for use in security policies. By default, each security policy applies to all dates and times. To limit a security policy to specific dates and times, define a schedule and then apply it to the policy. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set schedule <name> { non-recurring <value> | recurring { daily <value> | weekly {friday | monday | saturday | sunday | thursday | tuesday | wednesday} <value> } }
Options
<name> Schedule to configure + non-recurring Non-recurring date-time range specification (YYYY/MM/DD@hh:mm-YYYY/MM/ DD@hh:mm; e.g. 2006/08/01@10:00-2007/12/31@23:59), or list of values enclosed in [ ] > recurring Recurring period + daily Daily time range specification (hh:mm-hh:mm; e.g. 10:00-23:59), or list of values enclosed in [ ] > weekly Week day and time range specification (hh:mm-hh:mm; e.g. 10:00-23:59), or list of values enclosed in [ ]

Palo Alto Networks
set service
set service
Configures protocol settings for services. When you define security policies for specific applications, you can specify services to limit the port numbers the applications can use. Services requiring the same security settings can be combined into service groups that you can refer to as a unit. For information on configuring service groups using the CLI, refer to set service-group on page 174. For more information on services and service groups, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set service <name> { description <value> | protocol { tcp {port <port_number> | source-port <port_number>} | udp {port <port_number> | source-port <port_number>} } }
Options
<name> Service to configure + description Service description > protocol Protocol service > tcp Transmission Control Protocol (TCP) + port Port number or list of values enclosed in [ ] (1-65535) + source-port Source port number or list of values enclosed in [ ] (1-65535) > udp User Datagram Protocol (UDP) + port Port number or list of values enclosed in [ ] (1-65535) + source-port Source port number or list of values enclosed in [ ] (1-65535)

Palo Alto Networks
set service-group
set service-group
Configures sets of services that will be assigned the same security settings, to simplify the creation of security policies. When you define security policies for specific applications, you can specify one or more services or service groups to limit the port numbers the applications can use. For information on configuring services using the CLI, refer to set service on page 173. For more information on services and service groups, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set service-group <name> <value>
Options
<name> Service group name to configure <value> Member value or list of values enclosed in [ ]

Palo Alto Networks
set setting
set setting
Configures Network Address Translation (NAT), PAN-agent, and SSL decryption settings for interaction with other services on the firewall.
Syntax
set setting { nat | { reserve-ip {no | yes} | reserve-time <value> } pan-agent | { ignore-unknown-response {no | yes} } ssl-decrypt { answer-timeout <value> | notify-user {no | yes} | url-proxy {no | yes} } }
Options
> nat Network Address Translation (NAT) + reserve-ip Reserve translated IP for specified time + reserve-time Reserve time value in seconds (1-604800) > pan-agent Palo Alto Networks (PAN) agent + ignore-unknown-response If true, ignore unknown response from PAN agent > ssl-decrypt Secure Socket Layer (SSL) decryption + answer-timeout Set user reply timeout value in seconds (1-86400) + notify-user Set if user notification should be enabled + url-proxy Set proxy for SSL sessions if IP's URL category is blocked

Palo Alto Networks
set shared admin-role

Specifies the access and responsibilities that are assigned to administrative users. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared admin-role <name> { description <value> | role { device { cli {deviceadmin | devicereader | superreader | superuser} | webui { acc {disable | enable} | commit {disable | enable} | dashboard {disable | enable} | device | { access-domain {disable | enable | read-only} | admin-roles {disable | enable | read-only} | administrators {disable | enable | read-only} | authentication-profile {disable | enable | read-only} | authentication-sequence {disable | enable | read-only} | block-pages {disable | enable | read-only} | certificates {disable | enable | read-only} | client-certificate-profile {disable | enable | read-only} | config-audit {disable | enable} | dynamic-updates {disable | enable | read-only} | global-protect-client {disable | enable | read-only} | high-availability {disable | enable | read-only} | licenses {disable | enable | read-only} | scheduled-log-export {disable | enable} | setup {disable | enable | read-only} | shared-gateways {disable | enable | read-only} | software {disable | enable | read-only} | ssl-vpn-client {disable | enable | read-only} | support {disable | enable | read-only} | user-identification {disable | enable | read-only} | virtual-systems {disable | enable | read-only} | local-user-database | { user-groups {disable | enable | read-only} | users {disable | enable | read-only} | } log-settings | {
Palo Alto Networks
config {disable | enable | read-only} | hipmatch {disable | enable | read-only} | system {disable | enable | read-only} } server-profile { email {disable | enable | read-only} | kerberos {disable | enable | read-only} | ldap {disable | enable | read-only} | radius {disable | enable | read-only} | snmp-trap {disable | enable | read-only} | syslog {disable | enable | read-only} } } monitor | { app-scope {disable | enable} | application-reports {disable | enable} | botnet {disable | enable | read-only} | packet-capture {disable | enable | read-only} | session-browser {disable | enable} | threat-reports {disable | enable} | traffic-reports {disable | enable} | url-filtering-reports {disable | enable} | view-custom-reports {disable | enable} | custom-reports | { application-statistics {disable | enable} | data-filtering-log {disable | enable} | hipmatch {disable | enable} | threat-log {disable | enable} | threat-summary {disable | enable} | traffic-log {disable | enable} | traffic-summary {disable | enable} | url-log {disable | enable} } logs | { configuration {disable | enable} | data-filtering {disable | enable} | hipmatch {disable | enable} | system {disable | enable} | threat {disable | enable} | threat-summary {disable | enable} | traffic {disable | enable} | url {disable | enable} } pdf-reports { email-scheduler {disable | enable | read-only} | manage-pdf-summary {disable | enable | read-only} | pdf-summary-reports {disable | enable} | report-groups {disable | enable | read-only} | user-activity-report {disable | enable | read-only} |
Palo Alto Networks
} } network | dhcp {disable | enable | read-only} | dns-proxy {disable | enable | read-only} | interfaces {disable | enable | read-only} | ipsec-tunnels {disable | enable | read-only} | qos {disable | enable | read-only} | ssl-vpn {disable | enable | read-only} | virtual-routers {disable | enable | read-only} | virtual-wires {disable | enable | read-only} | vlans {disable | enable | read-only} | zones {disable | enable | read-only} | global-protect | { gateways {disable | enable | read-only} | portals {disable | enable | read-only} } network-profiles { ike-crypto {disable | enable | read-only} | ike-gateways {disable | enable | read-only} | interface-mgmt {disable | enable | read-only} | ipsec-crypto {disable | enable | read-only} | qos-profile {disable | enable | read-only} | tunnel-monitor {disable | enable | read-only} | zone-protection {disable | enable | read-only} } } objects | { address-groups {disable | enable | read-only} | addresses {disable | enable | read-only} | application-filters {disable | enable | read-only} | application-groups {disable | enable | read-only} | applications {disable | enable | read-only} | custom-url-category {disable | enable | read-only} | log-forwarding {disable | enable | read-only} | regions {disable | enable | read-only} | schedules {disable | enable | read-only} | security-profile-groups {disable | enable | read-only} | service-groups {disable | enable | read-only} | services {disable | enable | read-only} | custom-signatures | { data-patterns {disable | enable | read-only} | spyware {disable | enable | read-only} | vulnerability {disable | enable | read-only} | } global-protect | { hip-objects {disable | enable | read-only} | hip-profiles {disable | enable | read-only} | }
Palo Alto Networks
security-profiles { anti-spyware {disable | enable | read-only} | antivirus {disable | enable | read-only} | data-filtering {disable | enable | read-only} | dos-protection {disable | enable | read-only} | file-blocking {disable | enable | read-only} | url-filtering {disable | enable | read-only} | vulnerability-protection {disable | enable | read-only} | } } policies | { application-override-rulebase {disable | enable | read-only}| captive-portal-rulebase {disable | enable | read-only} | dos-rulebase {disable | enable | read-only} | nat-rulebase {disable | enable | read-only} | pbf-rulebase {disable | enable | read-only} | qos-rulebase {disable | enable | read-only} | security-rulebase {disable | enable | read-only} | ssl-decryption-rulebase {disable | enable | read-only} } privacy { show-full-ip-addresses {disable | enable} | show-user-names-in-logs-and-reports {disable | enable} | view-pcap-files {disable | enable} } } } } }
Options
<name> Shared administrative role name + description Description value > role Sets access and responsibilities for the role > device Device settings + cli Command Line Interface access - deviceadmin Device administrator - devicereader Device reader - superreader Super reader - superuser Super user > webui Sets enable, disable, or read-only access to the web user interface + acc acc + commit commit + dashboard dashboard > device device + access-domain access-domain + admin-roles admin-roles + administrators administrators + authentication-profile authentication-profile + authentication-sequence authentication-sequence
Palo Alto Networks
+ block-pages block-pages + certificates certificates + client-certificate-profile client-certificate-profile + config-audit config-audit + dynamic-updates dynamic-updates + global-protect-client global-protect-client + high-availability high-availability + licenses licenses + scheduled-log-export scheduled-log-export + setup setup + shared-gateways shared-gateways + software software + ssl-vpn-client ssl-vpn-client + support support + user-identification user-identification + virtual-systems virtual-systems > local-user-database local-user-database + user-groups user-groups + users users > log-settings log-settings + config config + hipmatch hipmatch + system system > server-profile server-profile + email email + kerberos kerberos + ldap ldap + radius radius + snmp-trap snmp-trap + syslog syslog > monitor monitor + app-scope app-scope + application-reports application-reports + botnet botnet + packet-capture packet-capture + session-browser session-browser + threat-reports threat-reports + traffic-reports traffic-reports + url-filtering-reports url-filtering-reports + view-custom-reports view-custom-reports > custom-reports custom-reports + application-statistics application-statistics + data-filtering-log data-filtering-log + hipmatch hipmatch + threat-log threat-log + threat-summary threat-summary + traffic-log traffic-log + traffic-summary traffic-summary + url-log url-log > logs logs + configuration configuration + data-filtering data-filtering + hipmatch hipmatch + system system
Palo Alto Networks
+ threat threat + traffic traffic + url url > pdf-reports pdf-reports + email-scheduler email-scheduler + manage-pdf-summary manage-pdf-summary + pdf-summary-reports pdf-summary-reports + report-groups report-groups + user-activity-report user-activity-report > network network + dhcp dhcp + dns-proxy dns-proxy + interfaces interfaces + ipsec-tunnels ipsec-tunnels + qos qos + ssl-vpn ssl-vpn + virtual-routers virtual-routers + virtual-wires virtual-wires + vlans vlans + zones zones > global-protect global-protect + gateways gateways + portals portals > network-profiles network-profiles + ike-crypto ike-crypto + ike-gateways ike-gateways + interface-mgmt interface-mgmt + ipsec-crypto ipsec-crypto + qos-profile qos-profile + tunnel-monitor tunnel-monitor + zone-protection zone-protection > objects objects + address-groups address-groups + addresses addresses + application-filters application-filters + application-groups application-groups + applications applications + custom-url-category custom-url-category + log-forwarding log-forwarding + regions regions + schedules schedules + security-profile-groups security-profile-groups + service-groups service-groups + services services > custom-signatures custom-signatures + data-patterns data-patterns + spyware spyware + vulnerability vulnerability > global-protect global-protect + hip-objects hip-objects + hip-profiles hip-profiles > security-profiles security-profiles + anti-spyware anti-spyware + antivirus antivirus
Palo Alto Networks
+ data-filtering data-filtering + dos-protection dos-protection + file-blocking file-blocking + url-filtering url-filtering + vulnerability-protection vulnerability-protection > policies policies + application-override-rulebase application-override-rulebase + captive-portal-rulebase captive-portal-rulebase + dos-rulebase dos-rulebase + nat-rulebase nat-rulebase + pbf-rulebase pbf-rulebase + qos-rulebase qos-rulebase + security-rulebase security-rulebase + ssl-decryption-rulebase ssl-decryption-rulebase > privacy privacy + show-full-ip-addresses show-full-ip-addresses + show-user-names-in-logs-and-reports show-user-names-in-logs-and-reports + view-pcap-files view-pcap-files

Palo Alto Networks
set shared allowed-applications
set shared allowed-applications

Enables or disables updating of application definitions for use in security policies. For more information on updating threat and application definitions, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide. Note: This command is available only when virtual systems are enabled. Refer to set system setting on page 338, and Using Configuration Commands with Virtual Systems on page 23.
Syntax
set shared allowed-applications { disable-all {except <member_value>} | enable-all {except <member_value>} }
Options
> disable-all Disable all applications + except Select from list (press <tab> for list) or enter a value > enable-all Enable all applications + except Select from list (press <tab> for list) or enter a value

Palo Alto Networks
set shared authentication-profile

Specifies local database, RADIUS, or LDAP settings for assignment to administrator accounts, SSL VPN access, and captive portal. When an administrator attempts to log in to the firewall directly or through an SSL VPN or captive portal, the firewall checks the authentication profile that is assigned to the account and authenticates the user based on the authentication settings. For more informations, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared authentication-profile <group_name> | { allow-list {all | <value>} | lockout | { failed-attempts <value> | lockout-time <minutes> } method { kerberos {server-profile <object_name>} | ldap | { login-attribute <value> | passwd-exp-days <value> | server-profile <name> } radius {server-profile <object_name>} local-database | none } }
Options
<group_name> Specify group to share the profile + allow-list List of allowed users and groups enclosed in [ ]; option to specify all > lockout Network user login lockout settings + failed-attempts Number of failed login attempts to trigger lock-out + lockout-time Number of minutes to lock-out > method method > kerberos Kerberos authentication + server-profile Kerberos server profile object > ldap Lightweight Directory Access Protocol (LDAP) authentication + login-attribute Login attribute in LDAP server to authenticate against; default = uid + passwd-exp-days Days until the password expires + server-profile LDAP server profile object > radius Remote Authentication Dial In User Service (RADIUS) authentication + server-profile RADIUS server profile object - local-database Local database authentication - none No authentication
Palo Alto Networks

Palo Alto Networks
set shared authentication-sequence
set shared authentication-sequence

Specifies a set of authentication profiles that are applied in order when a user attempts to log in to the firewall. Useful in environments where user accounts (including guest and other accounts) reside in multiple directories. The firewall tries each profile in sequence until the user is identified. Access to the firewall is denied only if authentication fails for any of the profiles in the authentication sequence. For information on configuring authentication profiles using the CLI, refer to set shared authentication-profile on page 184. For more information on authentication sequences, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared authentication-sequence <name> { authentication-profiles <value> | lockout { failed-attempts <value> | lockout-time <value> } }
Options
<name> Authentication sequence name + authentication-profiles Authentication profiles to apply in the sequence (name or list of names enclosed in [ ]) > lockout Network user login lockout settings + failed-attempts Number of failed login attempts to trigger lock-out (0-10) + lockout-time Number of minutes to lock-out (0-60)

Palo Alto Networks
set shared botnet
set shared botnet

Specifies types of suspicious traffic (traffic that may indicate botnet activity). The firewall provides support to help identify possible botnet infected clients by analyzing potentially suspicious traffic, such as unknown TCP and UDP traffic, traffic destined for unknown URL or malware categories, and increased Domain Name Service (DNS) traffic. For more information, refer to the Reports and Logs chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared botnet { configuration | { http | { dynamic-dns {no | yes} | ip-domains {no | yes} | malware-sites {no | yes} | recent-domains {no | yes} | repeat-visit-threshold <value> } other-applications irc {no | yes} | unknown-application {unknown-tcp | unknown-udp} { destinations-per-hour <value> | sessions-per-hour <value> | session-length {maximum-bytes <value> | minimum-bytes <value>} } } report { query <value> | scheduled {no | yes} | topn <value> } }
Options
> configuration Botnet configuration > http HTTP configuration + dynamic-dns Dynamic DNS + ip-domains IP domains + malware-sites Malware sites + recent-domains Recent domains + repeat-visit-threshold Repeated visit threshold (5-1440) > other-applications Other applications + irc Internet Relay Chat (IRC) > unknown-application Unknown application (TCP or UDP)
Palo Alto Networks
set shared botnet
+ destinations-per-hour Destinations per hour (1-3600) + sessions-per-hour Sessions per hour (1-3600) > session-length Session length + maximum-bytes Maximum bytes of the session length (1-3600) + minimum-bytes Minimum bytes of the session length (1-3600) > report Botnet report + query Query value + scheduled Scheduled (no or yes) + topn TopN value (1-500)

Palo Alto Networks
set shared certificate
set shared certificate

Specifies settings for security certificates. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared certificate <name> | { ca {no | yes} | common-name <value> | expires <value> | expiry-epoch <value> | private-key <value> | public-key <value> }
Options
<name> Shared certificate name + ca Certificate Authority (CA) + common-name Common name value + expires Expires value + expiry-epoch Expiry epoch value + private-key Private key value + public-key Public key value

Palo Alto Networks
set shared client-certificate-profile
set shared client-certificate-profile

Specifies settings for client security certificates. You can create client certificate profiles and then attach a profile to an administrator login on the Setup page or to a Secure Socket Layer (SSL) virtual private network (VPN) login for authentication purposes. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared client-certificate-profile <name> | { block-timeout-cert {no | yes} | block-unknown-cert {no | yes} | cert-status-timeout <value> | crl-receive-timeout <value> | domain <name> | ocsp-receive-timeout <value> | use-crl {no | yes} | use-ocsp {no | yes} | CA <name> | { default-ocsp-url <value> | ocsp-verify-ca <value> } username-field { subject common-name | subject-alt {email | principal-name} } }
Options
<name> Profile name + block-timeout-cert Whether to block a session if certificate status can't be retrieved within timeout + block-unknown-cert Whether to block a session if certificate status is unknown + cert-status-timeout Set certificate status query timeout value in seconds (0-60) + crl-receive-timeout Set CRL receive timeout value in seconds (0-60) + domain Domain name (alphanumeric string [ 0-9a-zA-Z._-]) + ocsp-receive-timeout Set OCSP receive timeout value in seconds (0-60) + use-crl Use Certificate Revocation List (CRL) + use-ocsp Use Online Certificate Status Protocol (OCSP) > CA Certificate Authority (CA) name + default-ocsp-url Default URL for OCSP verification + ocsp-verify-ca CA file for OCSP response verify > username-field User name field population > subject Get user name from subject > subject-alt Get user name from subject alternative name (email or principal name)

Palo Alto Networks
set shared email-scheduler
set shared email-scheduler

Specifies shared settings for email delivery of PDF summary reports. For more information, refer to the Reports and Logs chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared email-scheduler <name> { email-profile <value> | recipient-emails <value> | report-group <value> | recurring { weekly {friday | monday | saturday | sunday | thursday | tuesday | wednesday} | daily | disabled } }
Options
<name> Specifies the name for the email scheduler + email-profile Email profile value + recipient-emails Recipient emails value + report-group Report group value > recurring Recurring frequency > weekly Once a week; specify the day - daily Every day - disabled No scheduling

Palo Alto Networks
set shared local-user-database
set shared local-user-database

Configures a local database on the firewall to store authentication information for administrator access, captive portal, and Secure Socket Layer (SSL) virtual private network (VPN) remote users. For more information, refer to the Creating a Local User Database section in the Palo Alto Networks Administrators Guide.
Syntax
set shared local-user-database { user <name> | { disabled {no | yes} | phash <value> } user-group <name> {user <value>} }
Options
> user User name + disabled Disabled (no or yes) + phash phash value > user-group User group name + user User name or list of names enclosed in [ ]

Palo Alto Networks
set shared log-settings

Configures log settings on the firewall. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared log-settings { config | { any { send-to-panorama {no | yes} | send-email using-email-setting <value> | send-snmptrap using-snmptrap-setting <value> | send-syslog using-syslog-setting <value> } } email <name> | { format | { config <value> | hip-match <value> | system <value> | threat <value> | traffic <value> | escaping {escape-character <value> | escaped-characters <value>} } server <name> { and-also-to <value> | display-name <name> | from <value> | gateway <value> | to <value> } } hipmatch | { any { send-to-panorama {no | yes} | send-email using-email-setting <value> | send-snmptrap using-snmptrap-setting <value> | send-syslog using-syslog-setting <value> } } profiles <name> |
Palo Alto Networks
{ alarm {critical | high | informational | low | medium} | { send-to-panorama {no | yes} | send-email using-email-setting <value> | send-snmptrap using-snmptrap-setting <value> | send-syslog using-syslog-setting <value> } traffic { any { send-to-panorama {no | yes} | send-email using-email-setting <value> | send-snmptrap using-snmptrap-setting <value> | send-syslog using-syslog-setting <value> } } } snmptrap <name> | { version { v2c server <name> | { community <value> | manager <value> | } v3 server <name> { authpwd <value> | engineid <value> | manager <value> | privpwd <value> | user <value> } } } syslog <name> { format | { config <value> | hip-match <value> | system <value> | threat <value> | traffic <value> | escaping {escape-character <value> | escaped-characters <value>} } server <name> { facility {LOG_LOCAL0 | LOG_LOCAL1 | LOG_LOCAL2 | LOG_LOCAL3 | LOG_LOCAL4 | LOG_LOCAL5 | LOG_LOCAL6 | LOG_LOCAL7 | LOG_USER} | port <value> |
Palo Alto Networks
server <value> } } system {critical | high | informational | low | medium} { send-to-panorama {no | yes} | send-email using-email-setting <value> | send-snmptrap using-snmptrap-setting <value> | send-syslog using-syslog-setting <value> } }
Options
> config Configuration log settings (any) + send-to-panorama Send to Panorama (no or yes) > send-email Send email using email setting value > send-snmptrap Send SNMP trap using SNMP trap setting value > send-syslog Send syslog using syslog setting value > email Email log settings name > format Custom formats for forwarded logs + config Config value + hip-match HIP match value + system System value + threat Threat value + traffic Traffic value > escaping Escaping values + escape-character Escape character + escaped-characters List of characters to be escaped > server Server address + and-also-to Email address (e.g. admin@mycompany.com) + display-name Display name of server + from Email address (e.g. admin@mycompany.com) + gateway IP address or FQDN of SMTP gateway to use + to Email address (e.g. admin@mycompany.com) > hipmatch HIP match log settings + send-to-panorama Send to Panorama (no or yes) > send-email Send email using email setting value > send-snmptrap Send SNMP trap using SNMP trap setting value > send-syslog Send syslog using syslog setting value > profiles Profile log settings > alarm Alarm settings (critical, high, informational, low, or medium) + send-to-panorama Send to Panorama (no or yes) > send-email Send email using email setting value > send-snmptrap Send SNMP trap using SNMP trap setting value > send-syslog Send syslog using syslog setting value > traffic Traffic settings any + send-to-panorama Send to Panorama (no or yes) > send-email Send email using email setting value > send-snmptrap Send SNMP trap using SNMP trap setting value > send-syslog Send syslog using syslog setting value > snmptrap SNMP trap log settings > version v2c server Server address + community Community value
Palo Alto Networks
+ manager IP address or FQDN of SNMP manager to use > version v3 server Server address + authpwd Authentication Protocol Password + engineid A hex number in ASCII string + manager IP address or FQDN of SNMP manager to use + privpwd Privacy Protocol Password + user User value > syslog syslog settings > format Custom formats for forwarded logs (escaping) + config Config value + hip-match HIP match value + system System value + threat Threat value + traffic Traffic value > escaping Escaping values + escape-character Escape character + escaped-characters List of characters to be escaped > server Server address + facility Facility (LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_USER) + port Port (1-65535) + server IP address or FQDN of SYSLOG server to use > system System log settings (critical, high, informational, low, or medium) + send-to-panorama Send to Panorama (no or yes) > send-email Send email using email setting value > send-snmptrap Send SNMP trap using SNMP trap setting value > send-syslog Send syslog using syslog setting value

Palo Alto Networks
set shared override
set shared override

Configures overrides to risk and timeout attributes of App-IDs that are on the PAN-OS. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared override { application <name> { risk <value> | tcp-timeout <value> | timeout <value> | udp-timeout <value> } }
Options
> application Select from the list or enter a name + risk Risk (1-5) + tcp-timeout Timeout in seconds (0-604800) + timeout Timeout in seconds (0-604800) + udp-timeout Timeout in seconds (0-604800)

Palo Alto Networks
set shared pdf-summary-report
set shared pdf-summary-report

Specifies shared format settings for PDF summary reports. For more information, refer to the Reports and Logs chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared pdf-summary-report <name> { custom-widget <name> | { chart-type {bar | line | pie | table} | column <value> | row <value> } footer {note <value>} | header {caption <value>}| predefined-widget <name> | { chart-type {bar | line | pie | table} | column <value> | row <value> } }
Options
<name> PDF report to configure > custom-widget Report widget layout information + chart-type Chart type (bar, line, pie, or table) + column Column number (1-3) + row Row number (1-6) > footer Footer information for PDF summary layout + note Static string to be printed as a note > header Header information for PDF summary layout + caption Caption for the layout > predefined-widget Predefined report widget layout information + chart-type Chart type (bar, line, pie, or table) + column Column number (1-3) + row Row number (1-6)

Palo Alto Networks
set shared report-group
set shared report-group

Specifies settings for report groups. Report groups allow you to create sets of reports that the system can compile and send as a single aggregate PDF report with an optional title page and all the constituent reports included. For more information, refer to the Reports and Logs chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared report-group <name> | { title-page {no | yes} | custom-widget <value> | { custom-report <value> | log-view <value> | pdf-summary-report <value> predefined-report <value> } predefined user-activity-report | variable <name> {value <value>} }
Options
<name> Report group to configure + title-page Include title page > custom-widget Custom-widget value > custom-report Custom report value > log-view Log view value > pdf-summary-report PDF summary report value > predefined-report Predefined report value > predefined Predefined user activity report > variable Variable name; option to include a value

Palo Alto Networks
set shared reports
set shared reports

Specifies shared settings for generating reports. For more information, refer to the Reports and Logs chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared reports <name> { caption <value> | disabled {no | yes} | end-time <value> | frequency {daily | weekly} | period {last-12-hrs | last-15-minutes | last-24-hrs | last-30-days | last60-seconds | last-7-calendar-days | last-7-days | last-calendar-day | last-calendar-month | last-calendar-week | last-hour} | query <value> | start-time <value> | topm <value> | topn <value> | type { appstat | { aggregate-by {category-of-name | container-of-name | day-ofreceive_time | hour-of-receive_time | name | quarter-hour-ofreceive_time | risk | risk-of-name | subcategory-of-name | technology-of-name | vsys | <value>} | group-by {category-of-name | container-of-name | day-of-receive_time | hour-of-receive_time | name | quarter-hour-of-receive_time | risk | risk-of-name | subcategory-of-name | technology-of-name | vsys} | labels <value> | sortby {nbytes | npkts | nsess | nthreats} | values {nbytes | npkts | nsess | nthreats | <value>} } data | { aggregate-by {action | app | category-of-app | container-of-app | day-of-receive_time | direction | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | misc | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hourof-receive_time | risk-of-app | rule | severity | sport | src | srcloc | srcuser | subcategory-of-app | subtype | technology-ofapp | threatid | to | vsys | <value>} | group-by {action | app | category-of-app | container-of-app | dayof-receive_time | direction | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | misc | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hourof-receive_time | risk-of-app | rule | severity | sport | src |
Palo Alto Networks
set shared reports
srcloc | srcuser | subcategory-of-app | subtype | technology-ofapp | threatid | to | vsys} | labels <value> | sortby repeatcnt | values {repeatcnt | <value>} } hipmatch | { aggregate-by {day-of-receive_time | hour-of-receive_time | machinename | matchname | matchtype | quarter-hour-ofreceive_time | src | srcuser | vsys | <value>} | group-by {day-of-receive_time | hour-of-receive_time | machinename | matchname | matchtype | quarter-hour-of-receive_time | src | srcuser | vsys} | labels <value> | last-match-by time_generated | values {repeatcnt | <value>} } threat | { aggregate-by {action | app | category-of-app | container-of-app | day-of-receive_time | direction | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | misc | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hourof-receive_time | risk-of-app | rule | severity | sport | src | srcloc | srcuser | subcategory-of-app | subtype | technology-ofapp | threatid | to | vsys | <value>} | group-by {action | app | category-of-app | container-of-app | dayof-receive_time | direction | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | misc | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hourof-receive_time | risk-of-app | rule | severity | sport | src | srcloc | srcuser | subcategory-of-app | subtype | technology-ofapp | threatid | to | vsys} | labels <value> | sortby repeatcnt | values {repeatcnt | <value>} } thsum | { aggregate-by {app | category-of-app | container-of-app | day-ofreceive_time | dst | dstloc | dstuser | from | hour-ofreceive_time | quarter-hour-of-receive_time | risk-of-app | rule | severity-of-threatid | src | srcloc | srcuser | subcategory-ofapp | subtype | technology-of-app | threatid | to | vsys | <value>} | group-by {app | category-of-app | container-of-app | day-ofreceive_time | dst | dstloc | dstuser | from | hour-ofreceive_time | quarter-hour-of-receive_time | risk-of-app | rule | severity-of-threatid | src | srcloc | srcuser | subcategory-ofapp | subtype | technology-of-app | threatid | to | vsys} | labels <value> | sortby count | values {count | <value>}
Palo Alto Networks
set shared reports
} traffic | { aggregate-by {action | app | category | category-of-app | containerof-app | day-of-receive_time | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hour-ofreceive_time | risk-of-app | rule | sessionid | sport | src | srcloc | srcuser | subcategory-of-app | technology-of-app | to | vsys | <value>} | group-by {action | app | category | category-of-app | container-ofapp | day-of-receive_time | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hour-ofreceive_time | risk-of-app | rule | sessionid | sport | src | srcloc | srcuser | subcategory-of-app | technology-of-app | to | vsys} | labels <value> | sortby {bytes | elapsed | packets | repeatcnt} | values {bytes | elapsed | packets | repeatcnt | <value>} } trsum | { aggregate-by {app | category | category-of-app | container-of-app | day-of-receive_time | dst | dstuser | from | hour-of-receive_time | quarter-hour-of-receive_time | risk-of-app | rule | src | srcuser | subcategory-of-app | technology-of-app | to | vsys | <value>} | group-by {app | category | category-of-app | container-of-app | dayof-receive_time | dst | dstuser | from | hour-of-receive_time | quarter-hour-of-receive_time | risk-of-app | rule | src | srcuser | subcategory-of-app | technology-of-app | to | vsys} | labels <value> | sortby {bytes | sessions} | values {bytes | sessions | <value>} } url { aggregate-by {action | app | category | category-of-app | containerof-app | contenttype | day-of-receive_time | direction | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | misc | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hour-of-receive_time | risk-of-app | rule | severity | sport | src | srcloc | srcuser | subcategory-of-app | technology-of-app | to | vsys | <value>} | group-by {action | app | category | category-of-app | container-ofapp | contenttype | day-of-receive_time | direction | dport | dst | dstloc | dstuser | from | hour-of-receive_time | inbound_if | misc | natdport | natdst | natsport | natsrc | outbound_if | proto | quarter-hour-of-receive_time | risk-of-app | rule | severity | sport | src | srcloc | srcuser | subcategory-of-app | technology-of-app | to | vsys} | labels <value> | sortby repeatcnt |
Palo Alto Networks
set shared reports
values {repeatcnt | <value>} } } }
Options
<name> Report to configure + caption Caption value + disabled Disabled (no or yes) + end-time End time (e.g. 2008/12/31 11:59:59) + frequency Frequency (daily or weekly) + period Time period to include in report (last 12 hrs, last 15 minutes, last 24 hrs, last 30 days, last 60 seconds, last 7 calendar days, last 7 days, last calendar day, last calendar month, last calendar week, or last hour) + query Query value + start-time Start time (e.g. 2008/01/01 09:00:00) + topm TopM value (1-50) + topn TopN value (1-500) > type Report type > appstat Appstat report + aggregate-by Aggregate by category of name, container of name, day of receive time, hour of receive time, name, quarter hour of receive time, risk, risk of name, subcategory of name, technology of name, virtual system, or list of values enclosed in [ ] + group-by Group by category of name, container of name, day of receive time, hour of receive time, name, quarter hour of receive time, risk, risk of name, subcategory of name, technology of name, or virtual system + labels Label value or list of values enclosed in [ ] + sortby Sort by nbytes, npkts, nsess, or nthreats + values Values (nbytes, npkts, nsess, nthreats, or list of values enclosed in [ ]) > data Data report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ] + group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + sortby Sort by repeat count + values Values (repeat count, or list of values enclosed in [ ]) > hipmatch HIP match report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ] + group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + last-match-by Last match by time generated + values Values (repeat count, or list of values enclosed in [ ]) > threat Threat report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ] + group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + sortby Sort by repeat count + values Values (repeat count, or list of values enclosed in [ ]) > thsum thsum report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ] + group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + sortby Sort by count + values Values (count, or list of values enclosed in [ ]) > traffic Traffic report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ]
Palo Alto Networks
set shared reports
+ group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + sortby Sort by bytes, elapsed, packets, or repeatcnt + values Values (bytes, elapsed, packets, repeatcnt, or list of values enclosed in [ ]) > trsum trsum report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ] + group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + sortby Sort by bytes or sessions + values Values (bytes, sessions, or list of values enclosed in [ ]) > url URL report + aggregate-by Select from the list provided or specify a list of values enclosed in [ ] + group-by Select from the list provided + labels Label value or list of values enclosed in [ ] + sortby Sort by repeat count + values Values (repeat count, or list of values enclosed in [ ])

Palo Alto Networks
set shared response-page
set shared response-page

Specifies settings for custom response pages. Custom response pages are the web pages that are displayed when a user tries to access a URL. You can provide a custom HTML message that is downloaded and displayed instead of the requested web page or file. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared response-page { application-block-page <value> | captive-portal-text <value> | file-block-continue-page <value> | file-block-page <value> | ssl-cert-status-page <value> | ssl-optout-text <value> | url-block-page <value> | url-coach-text <value> | virus-block-page <value> | global-protect-portal-custom-help-page <name> {page <value>} | global-protect-portal-custom-login-page <name> {page <value>} | sslvpn-custom-login-page <name> {page <value>} }
Options
+ application-block-page Application block page value + captive-portal-text Captive portal text value + file-block-continue-page File block continue page value + file-block-page File block page value + ssl-cert-status-page SSL certificate status page value + ssl-optout-text SSL optout text value + url-block-page URL block page value + url-coach-text URL coach text value + virus-block-page Virus block page value > global-protect-portal-custom-help-page GlobalProtect portal custom help page name + page GlobalProtect portal custom help page value > global-protect-portal-custom-login-page GlobalProtect portal custom login page name + page GlobalProtect portal custom login page value > sslvpn-custom-login-page SSL VPN custom login page name + page SSL VPN custom login page value

Palo Alto Networks
set shared server-profile

Specifies settings for Kerberos, Lightweight Directory Access Protocol (LDAP), and RADIUS servers. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared server-profile { kerberos <name> | { admin-use-only {no | yes} | domain <name> | realm <name> | server <name> {host <value> | port <value>} } ldap <name> | { admin-use-only {no | yes} | base <value> | bind-dn <value> | bind-password <value> | bind-timelimit <value> | disabled {no | yes} | domain <name> | ldap-type {active-directory | e-directory | none | sun} | retry-interval <value> | ssl {no | yes} | timelimit <value> | server <name> {address <value> | port <value>} } radius <name> { admin-use-only {no | yes} | checkgroup {no | yes} | domain <name> | retries <value> | timeout <value> | server <name> {ip-address <ip_address> | port <value> | secret <value>} } }
Options
> kerberos Kerberos profile name + admin-use-only Can only be used for administrative purposes + domain Domain name to be used for authentication + realm Realm name to be used for authentication > server Server name + host Hostname running Kerberos Domain Controller
Palo Alto Networks
+ port Kerberos Domain Controller (0-65535) > ldap LDAP profile name + admin-use-only Can only be used for administrative purposes + base Default base distinguished name (DN) to use for searches + bind-dn Bind distinguished name + bind-password Bind password + bind-timelimit Number of seconds to use for connecting to servers (1-30) + disabled Disabled (no or yes) + domain Domain name to be used for authentication + ldap-type LDAP type (Active Directory, E Directory, none, or SUN) + retry-interval Interval (seconds) for retrying connecting to ldap search (1-3600, default = 60 seconds) + ssl SSL (no or yes) + timelimit number of seconds to wait for performing searches (1-30) > server Server specification + address LDAP server IP address (x.x.x.x or IPv6) or host name + port Port (0-65535) > radius RADIUS profile name + admin-use-only Can only be used for administrative purposes + checkgroup Retrieve user group from RADIUS + domain Domain name to be used for authentication + retries Number of attempts before giving up authentication (1-5) + timeout Number of seconds to wait for when performing authentication (1-30) > server Server name + ip-address RADIUS server IP address (x.x.x.x or IPv6) + port RADIUS server port (0-65535) + secret Shared secret for RADIUS communication

Palo Alto Networks
set shared ssl-decrypt
set shared ssl-decrypt

Configures shared settings for Secure Socket Layer (SSL) decryption policies, which specify the SSL traffic to be decrypted so that security policies can be applied. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set shared ssl-decrypt { forward-trust-certificate <value> | forward-untrust-certificate <value> | ssl-exclude-cert <value> | trusted-root-CA <value> }
Options
+ forward-trust-certificate CA certificate for trusted sites + forward-untrust-certificate CA certificate for untrusted sites + ssl-exclude-cert SSL exclude certificate (member value or list of values enclosed in [ ]) + trusted-root-CA Trusted root CA (member value or list of values enclosed in [ ])

Palo Alto Networks
set ssl-decrypt
set ssl-decrypt
Configures settings for Secure Socket Layer (SSL) decryption policies, which specify the SSL traffic to be decrypted so that security policies can be applied. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set ssl-decrypt { forward-trust-certificate <value> | forward-untrust-certificate <value> | ssl-exclude-cert <value> | trusted-root-CA <value> }
Options
+ forward-trust-certificate CA certificate for trusted sites + forward-untrust-certificate CA certificate for untrusted sites + ssl-exclude-cert SSL exclude certificate (member value or list of values enclosed in [ ]) + trusted-root-CA Trusted root CA (member value or list of values enclosed in [ ])

Palo Alto Networks
set ssl-vpn
set ssl-vpn
Configures Secure Sockets Layer (SSL) Virtual Private Network (VPN) user-related settings on the firewall. For more information, refer to the Configuring SSL VPNs chapter in the Palo Alto Networks Administrators Guide.
Syntax
set ssl-vpn <name> { authentication-profile <value> | client-certificate-profile <value> | custom-login-page <value> | server-certificate <value> | roles default { inactivity-logout {days | hours | minutes} | login-lifetime {days | hours | minutes} } }
Options
<name> Specifies the SSL VPN to configure + authentication-profile Authentication profile used for this SSL VPN + client-certificate-profile Profile for authenticating client certificates + custom-login-page Custom login page value + server-certificate SSL server certificate file name > roles Role-based user management for SSL VPN users > inactivity-logout SSL VPN session timeout due to inactivity > days Specify lifetime in days (1-30) > hours Specify lifetime in hours (1-720) > minutes Specify lifetime in minutes (3-43200) > login-lifetime SSL VPN user login lifetime before re-authentication > days Specify lifetime in days (1-30) > hours Specify lifetime in hours (1-720) > minutes Specify lifetime in minutes (3-43200)

Palo Alto Networks
set threats
set threats
Specifies settings for threat definitions. Palo Alto Networks periodically posts updates with new or revised application definitions and information on new security threats, such as antivirus signatures (threat prevention license required). To upgrade the firewall, you can view the latest updates, read the release notes for each update, and then select the update you want to download and install. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set threats { spyware <threat_id> | { bugtraq <value> | comment <value> | cve <value> | direction <value> | reference <value> | severity <value> | threatname <name> | vendor <value> | default-action | { alert | block-ip | { duration <value> | track-by {source | source-and-desintation} } drop-packets | reset-both | reset-client | reset-server } signature { combination | { order-free {no | yes} | and-condition <name> {or-condition <name>} {threat-id <threat_id>} | time-attribute { interval <value> | threshold <value> | track-by {destination | source | source-and-desintation} } } standard <name>
Palo Alto Networks
set threats
{ comment <value> | order-free {no | yes} | scope {protocol-data-unit | session} | and-condition <name> {or-condition <name>} { operator {equal-to | greater-than | less-than} | { context {ftp-req-param-len | http-req-content-length | http-req-header-length | http-req-param-length | httpreq-uri-path-length | http-rsp-code | http-rsp-contentlength | http-rsp-total-headers-len | imap-req-cmdparam-len | imap-req-first-param-len | imap-req-paramlen-from-second | smtp-req-helo-argument-length | smtpreq-mail-argument-length | smtp-req-rcpt-argumentlength | telnet-req-client-data | telnet-rsp-serverdata | <value>} | pattern <value> | qualifier <name> {value <value>} } operator pattern-match { context {file-html-body | file-office-content | file-pdfbody | ftp-req-params | ftp-rsp-banner | http-reqheaders | http-req-host-header | http-req-mime-formdata | http-req-params | http-req-uri-path | http-rspheaders | imap-req-cmd-line | imap-req-first-param | imap-req-params-after-first-param | rtsp-req-headers | rtsp-req-uri-path | smtp-req-argument | smtp-rspcontent | ssl-req-client-hello | ssl-rsp-certificate | ssl-rsp-server-hello | telnet-req-client-data | telnetrsp-server-data | <value>} | value <value> | qualifier <name> {value <value>} } } } } } vulnerability <value> { bugtraq <value> | comment <value> | cve <value> | direction {both | client2server | server2client} | reference <value> | severity {critical | high | informational | low | medium} | threatname <name> | vendor <value> | affected-host {client | server} {no | yes} | default-action | { alert | block-ip |
Palo Alto Networks
set threats
{ duration <value> | track-by {source | source-and-desintation} } drop-packets | reset-both | reset-client | reset-server } signature { combination | { order-free {no | yes} | and-condition <name> {or-condition <name>} {threat-id <threat_id>} | time-attribute { interval <value> | threshold <value> | track-by {destination | source | source-and-desintation} } } standard <name> { comment <value> | order-free {no | yes} | scope {protocol-data-unit | session} | and-condition <name> {or-condition <name>} { operator {equal-to | greater-than | less-than} | { context {ftp-req-param-len | http-req-content-length | http-req-header-length | http-req-param-length | httpreq-uri-path-length | http-rsp-code | http-rsp-contentlength | http-rsp-total-headers-len | imap-req-cmdparam-len | imap-req-first-param-len | imap-req-paramlen-from-second | smtp-req-helo-argument-length | smtpreq-mail-argument-length | smtp-req-rcpt-argumentlength | telnet-req-client-data | telnet-rsp-serverdata | <value>} | pattern <value> | qualifier <name> {value <value>} } operator pattern-match { context {file-html-body | file-office-content | file-pdfbody | ftp-req-params | ftp-rsp-banner | http-reqheaders | http-req-host-header | http-req-mime-formdata | http-req-params | http-req-uri-path | http-rspheaders | imap-req-cmd-line | imap-req-first-param | imap-req-params-after-first-param | rtsp-req-headers | rtsp-req-uri-path | smtp-req-argument | smtp-rspcontent | ssl-req-client-hello | ssl-rsp-certificate |
Palo Alto Networks
set threats
ssl-rsp-server-hello | telnet-req-client-data | telnetrsp-server-data | <value>} | value <value> | qualifier <name> {value <value>} } } } } } }
Options
> spyware Spyware threat ID (15000-18000) + bugtraq Bugtraq ID value or list of values enclosed in [ ] + comment Spyware threat ID comment + cve CVE number (e.g., CVE-1999-0001) or list of values enclosed in [ ] + direction Direction value + reference Reference URL or list of values enclosed in [ ] + severity Severity value + threatname Threat name (alphanumeric string [ 0-9a-zA-Z._-]) + vendor Vendor reference ID (e.g., MS03-026) or list of values enclosed in [ ] > default-action Default action (block IP address, alert, drop packets, reset client, reset server, or reset both) > block-ip Block IP address + duration Duration for block IP address (1-3600) + track-by Track by source or source and destination > signature Spyware signature > combination Combination signature + order-free Order free (no or yes) > and-condition And-condition name > or-condition Or-condition name + threat-id Threat ID value > time-attribute Time attribute options + interval Interval value (1-3600) + threshold Threshold value (1-255) + track-by Track by destination, source, or source and destination > standard Standard signature + comment Signature comment + order-free Order free (no or yes) + scope Protocol data unit transaction or session > and-condition And-condition name > or-condition Or-condition name > operator Operator (equal to, greater than, or less than) + context Select from the list provided or specify a value + value Value (0-4294967295) > qualifier Qualifier name; option to specify value > operator Operator pattern match + context Select from the list provided or specify a value + pattern Pattern value > qualifier Qualifier name; option to specify value > vulnerability Vulnerability threat ID (41000-45000) + bugtraq Bugtraq ID value or list of values enclosed in [ ] + comment Spyware threat ID comment
Palo Alto Networks
set threats
+ cve CVE number (e.g., CVE-1999-0001) or list of values enclosed in [ ] + direction Direction value (client to server, server to client, or both) + reference Reference URL or list of values enclosed in [ ] + severity Severity value (critical, high, informational, low, medium) + threatname Threat name (alphanumeric string [ 0-9a-zA-Z._-]) + vendor Vendor reference ID (e.g., MS03-026) or list of values enclosed in [ ] > affected-host Affected host client or server > default-action Default action (block IP address, alert, drop packets, reset client, reset server, or reset both) > block-ip Block IP address + duration Duration for block IP address (1-3600) + track-by Track by source or source and destination > signature Vulnerability signature > combination Combination signature + order-free Order free (no or yes) > and-condition And-condition name > or-condition Or-condition name + threat-id Threat ID value (select from list or enter a value) > time-attribute Time attribute options + interval Interval value (1-3600) + threshold Threshold value (1-255) + track-by Track by destination, source, or source and destination > standard Standard signature + comment Signature comment + order-free Order free (no or yes) + scope Protocol data unit transaction or session > and-condition And-condition name > or-condition Or-condition name > operator Operator (equal to, greater than, or less than) + context Select from the list provided or specify a value + value Value (0-4294967295) > qualifier Qualifier name; option to specify value > operator Operator pattern match + context Select from the list provided or specify a value + pattern Pattern value > qualifier Qualifier name; option to specify value

Palo Alto Networks
set ts-agent
set ts-agent
Configures a terminal server (TS) agent on the firewall. The TS agent runs on a terminal server and identifies individual users that the terminal server supports. This arrangement allows the firewall to support multiple users with the same source IP address. The TS agent monitors the remote user sessions and reserves a different TCP/UDP source port range for each user session. After a port range is allocated for the user session, the TS agent provides information to map the source port range to the user name. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set ts-agent <name> { ip-address <ip_address> | ip-list <value> | port <port_number> }
Options
<name> Specifies the terminal server agent to configure + ip-address Terminal server agent IP address (x.x.x.x or IPv6) + ip-list Terminal server alternative IP address list (x.x.x.x or IPv6 or list of values enclosed in [ ])) + port Terminal server agent listening port number (1-65535)

Palo Alto Networks
set url-admin-override
set url-admin-override
Configures URL administrative override settings that are used when a page is blocked by the URL filtering profile and the Override action is specified. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
set user-admin-override { password <value> | server-certificate <value> | mode { redirect address {<host_name> | <ip/netmask>} | transparent } }
Options
+ password Password for URL administrative override + server-certificate SSL server certificate file name > mode Override mode > redirect Redirect mode + address Set IP address or host name for URL administrative override transparent Transparent mode

Palo Alto Networks
set url-content-types
set url-content-types
Defines the HTML content types that will be available for custom pages and other services.
Syntax
set url-content-types <value>
Options
+ url-content-types Content type string or list of values enclosed in [ ]

Palo Alto Networks
set userid-agent
set userid-agent
Configures a User Identification Agent (User-ID Agent). A User-ID Agent is a Palo Alto Networks application that is installed on your network to obtain needed mapping information between IP addresses and network users. The User-ID Agent collects user-to-IP address mapping information automatically and provides it to the firewall for use in security policies and logging. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
yntax
set userid-agent <name> { disabled {no | yes} | ip-address <ip_address> | port <port_number> }
Options
<name> Specifies the user ID agent to configure + disabled Disabled (no or yes) + ip-address PAN user ID agent IP address (x.x.x.x or IPv6) + port PAN user ID agent listening port (1-65535; default = 5007)

Palo Alto Networks
set vsys import
set vsys import

Specifies settings for importing configuration files to the firewall. For more information, refer to the section for the type of file that you want to import in the Palo Alto Networks Administrators Guide. Note: This command is available only when virtual systems are enabled. Refer to set system setting on page 338, and Using Configuration Commands with Virtual Systems on page 23.
Syntax
set vsys <name> import { dns-proxy <value> | visible-vsys <value> | network | { interface <value> | virtual-router <value> | virtual-wire <value> | vlan <value> } resource { max-application-override-rules <value> | max-concurrent-ssl-vpn-tunnels <value> | max-cp-rules <value> | max-dos-rules <value> | max-nat-rules <value> | max-pbf-rules <value> | max-qos-rules <value> | max-security-rules <value> | max-sessions <value> | max-site-to-site-vpn-tunnels <value> | max-ssl-decryption-rules <value> } }
Options
vsys <name> Specifies the virtual system to configure + dns-proxy DNS proxy object to use for resolving FQDNs + visible-vsys Make other virtual system visible to this virtual system to create inter-vsys traffic (member value or list of values enclosed in [ ]) > network Network configuration + interface Import interface (member value or list of values enclosed in [ ]) + virtual-router Import virtual router (member value or list of values enclosed in [ ]) + virtual-wire Import virtual wire (member value or list of values enclosed in [ ]) + vlan Import VLAN (member value or list of values enclosed in [ ]) > resource Limits on resources used by this virtual system
Palo Alto Networks
set vsys import
+ max-application-override-rules Maximum number of application override rules allowed for this virtual system (0-2000) + max-concurrent-ssl-vpn-tunnels Maximum number of concurrent SSL VPN tunnels allowed for this virtual system (0-10000) + max-cp-rules Maximum number of captive portal rules allowed for this virtual system (0-2000) + max-dos-rules Maximum number of Denial of Service (DoS) rules allowed for this virtual system (01000) + max-nat-rules Maximum number of NAT rules allowed for this virtual system (0-4000) + max-pbf-rules Maximum number of policy based forwarding rules allowed for this virtual system (0500) + max-qos-rules Maximum number of QoS rules allowed for this virtual system (0-2000) + max-security-rules Maximum number of security rules allowed for this virtual system (0-20000) + max-sessions Maximum number of sessions allowed for this virtual system (0-2097151) + max-site-to-site-vpn-tunnels Maximum number of site to site vpn tunnels allowed for this virtual system (0-10000) + max-ssl-decryption-rules Maximum number of ssl decryption rules allowed for this virtual system (02000)

Palo Alto Networks
set zone
set zone
Configures security zones, which identify source and destination interfaces on the firewall for use in security policies. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
set zone <name> { enable-user-identification {no | yes} | network | { layer2 <value> | layer3 <value> | log-setting <value> | tap <value> | virtual-wire <value> | zone-protection-profile <value> } user-acl { + exclude-list <value> | + include-list <value> } }
Options
<name> Specifies the zone to configure + enable-user-identification Enable user identification > network Network configuration + layer2 Layer2 interfaces (member value or list of values enclosed in [ ]) + layer3 Layer3 interfaces (member value or list of values enclosed in [ ]) + log-setting Log setting for forwarding scan logs + tap Tap mode interfaces (member value or list of values enclosed in [ ]) + virtual-wire Virtual-wire interfaces (member value or list of values enclosed in [ ]) + zone-protection-profile Zone protection profile name > user-acl User Access Control List (ACL) configuration + exclude-list Exclude list (address, address-group, IP/netmask, or list of values enclosed in [ ]) + include-list Include list (address, address-group, IP/netmask, or list of values enclosed in [ ])

Palo Alto Networks
show
show
Displays information about the current candidate configuration.
Syntax
show <context>
Options
<context> Specifies a path through the hierarchy. For available contexts in the hierarchy, refer to the copy configuration commands in this chapter.
Sample Output
The following command shows the full candidate hierarchy.
username@hostname# show
The following commands can be used to display the hierarchy segment for network interface.
Specify context on the command line:

show network interface
Use the edit command to move to the level of the hierarchy, and then use the show command without specifying context:
edit network interface [edit network interface] show

Palo Alto Networks
show predefined
show predefined
Displays information about predefined objects available for use with other commands.
Syntax
show predefined { application <name> | application-container <name> | application-filter <name> | application-group <name> | application-type <name> | private-application <name> | profile-group <name> | profiles <name> | region <name> | reports <name> | service <name> | service-group <name> | sig-default <name> | signature <name> | threats <name> | url-categories <name> }
Options
application Select from the list (press <tab> for a list) application-container Select from the list (press <tab> for a list) application-filter Select from the list (press <tab> for a list) application-group Select from the list (press <tab> for a list) application-type Select from the list (press <tab> for a list) private-application Select from the list (press <tab> for a list) profile-group Select from the list (press <tab> for a list) profiles Select from the list (press <tab> for a list) region Select from the list (press <tab> for a list) reports Select from the list (press <tab> for a list) service Select from the list (press <tab> for a list) service-group Select from the list (press <tab> for a list) sig-default Select from the list (press <tab> for a list) signature Select from the list (press <tab> for a list) threats Select from the list (press <tab> for a list) url-categories Select from the list (press <tab> for a list)

Palo Alto Networks
top
top
Changes context to the top hierarchy level.
Syntax
top
Options
None
Sample Output
The following command changes context from the network level of the hierarchy to the top level.
[edit network] username@hostname# top [edit] username@hostname#

All
Palo Alto Networks
up
up
Changes context to the next higher hierarchy level.
Syntax
up
Options
None
Sample Output
The following command changes context from the network interface level of the hierarchy to the network level.
[edit network interface] username@hostname# up [edit network] username@hostname#

All
Palo Alto Networks
Chapter 4
Operational Mode Commands

This chapter contains command reference pages for the following operational mode commands:
clear on page 232 configure on page 237 debug authd on page 238 debug cli on page 239 debug cryptod on page 240 debug dataplane on page 241 debug device-server on page 251 debug dhcpd on page 256 debug dnsproxyd on page 257 debug global-protect on page 258 debug high-availability-agent on page 259 debug ike on page 260 debug keymgr on page 261 debug l3svc on page 262 debug ldap-server on page 263 debug log-receiver on page 264 debug management-server on page 265 debug master-service on page 267 debug netconfig-agent on page 268 debug pppoed on page 269 debug rasmgr on page 270
Palo Alto Networks
Operational Mode Commands 227
debug routing on page 271 debug software on page 273 debug ssl-vpn on page 275 debug sslmgr on page 276 debug swm on page 278 debug system on page 279 debug tac-login on page 280 debug vardata-receiver on page 281 delete on page 282 exit on page 284 ftp on page 285 grep on page 286 less on page 287 ls on page 288 netstat on page 289 ping on page 291 quit on page 293 request acknowledge on page 294 request anti-virus on page 295 request certificate on page 297 request commit-lock on page 299 request config-lock on page 300 request content on page 301 request data-filtering on page 303 request device-registration on page 304 request global-protect-client on page 305 request global-protect-gateway on page 306 request global-protect-portal on page 307 request high-availability on page 308 request license on page 309 request master-key on page 310
228 Operational Mode Commands
Palo Alto Networks
request password-hash on page 311 request quota-enforcement on page 312 request restart on page 313 request ssl-vpn on page 314 request support on page 315 request system on page 316 request tech-support on page 318 request url-filtering on page 319 request vpnclient on page 320 schedule on page 321 scp export on page 322 scp import on page 324 set application on page 326 set cli on page 328 set clock on page 330 set data-access-password on page 331 set management-server on page 332 set panorama on page 333 set password on page 334 set serial-number on page 335 set session on page 336 set system setting on page 338 show admins on page 340 show arp on page 341 show authentication on page 342 show chassis-ready on page 343 show cli on page 344 show clock on page 345 show commit-locks on page 346 show config on page 347 show config-locks on page 348
Palo Alto Networks
show counter on page 349 show device on page 350 show device-messages on page 351 show devicegroups on page 352 show dhcp on page 353 show dns-proxy on page 354 show dos-protection on page 355 show fips-mode on page 356 show global-protect-gateway on page 357 show high-availability on page 358 show interface on page 360 show jobs on page 361 show location on page 362 show log on page 363 show mac on page 371 show management-clients on page 372 show neighbor on page 373 show ntp on page 374 show object on page 375 show panorama-certificate on page 376 show panorama-status on page 377 show pbf on page 378 show pppoe on page 379 show qos on page 380 show query on page 381 show report on page 382 show resource on page 384 show routing on page 385 show running on page 390 show session on page 394 show ssl-vpn on page 398
Palo Alto Networks
show statistics on page 400 show system on page 401 show threat on page 404 show user on page 405 show virtual-wire on page 407 show vlan on page 408 show vpn on page 409 show zone-protection on page 411 ssh on page 412 tail on page 413 telnet on page 414 test on page 415 tftp export on page 419 tftp import on page 421 traceroute on page 423 view-pcap on page 425
Palo Alto Networks
clear
clear
Resets information, counters, sessions, or statistics.
Syntax
clear { application-signature statistics | arp {all | <interface_name>} | counter | { all | global | { aspect {aa | arp | dos | forward | ipfrag | mgmt | mld | nd | offload | parse | pktproc | qos | resource | session | system | tunnel} | category {aho | appid | ctd | dfa | dlp | flow | fpga | ha | log | nat | packet | proxy | session | ssh | ssl | tcp | url | zip} | packet-filter {no | yes} | severity {drop | error | info | warn} } interface } dhcp lease | { all | interface <value> { expired-only | ip <ip> | mac <mac_address> } } dns-proxy | { cache {all | name <name>} domain-name <value> | statistics {all | name <value>} } dos-protection | { rule <name> statistics | zone <name> blocked {all | source <ip/netmask>} } high-availability {control-link statistics | transitions} | job id <value> | log {acc | alarm | config | system | threat | traffic} | mac {all | <value>} | nat-rule-cache rule <name> | neighbor {all | <interface_name>} | pbf rule {all | name <name>} | pppoe interface <name> |
Palo Alto Networks
clear
query {all-by-session | id <value>} | report {all-by-session | id <value>} | routing bgp virtual-router <name> | { dampening {prefix <ip/netmask> | peer <value>} | stat peer <value> } session | { all | { filter application <value> | filter destination <ip_address> | filter destination-port <port_number> | filter destination-user {known-user | unknown | <value>} | filter dos-rule <rule_name> | filter from <zone> | filter hw-interface <interface_name> | filter min-kb <value> | filter nat {both | destination | none | source} | filter nat-rule <rule_name> | filter pbf-rule <rule_name> | filter protocol <value> | filter qos-class <value> | filter qos-node-id <value> | filter qos-rule <rule_name> | filter rule <rule_name> | filter source <ip_address> | filter source-port <port_number> | filter source-user {known-user | unknown | <value>} | filter ssl-decrypt {no | yes} | filter state {active | closed | closing | discard | initial | opening} | filter to <zone> | filter type {flow | predict} | filter vsys-name <value> } id <value> } statistics | uid-gids-cache {all | uid <value>} | url-cache | user-cache {all | ip <ip/netmask>} | vpn { flow {tunnel-id <value>} | ike-sa {gateway <value>} | ipsec-sa {tunnel <value>} } }
Palo Alto Networks
clear
Options
> application-signature Clears application signature statistics > arp Clears Address Resolution Protocol (ARP) information for a specified interface, loopback, or VLAN, or all > counter Clears counters > all Clears all counters > global Clears global counters only > filter Apply counter filters + aspect Counter aspect aa HA Active/Active mode arp ARP procesing dos DoS protection forward Packet forwarding ipfrag IP fragment processing mgmt Management plane packet mld MLD procesing nd ND procesing offload Hardware offload parse Packet parsing pktproc Packet processing qos QoS enforcement resource Resource management session Session setup/teardown system System function tunnel Tunnel encryption/decryption + category Counter category aho AHO match engine appid Application identification ctd Content identification dfa DFA match engine dlp DLP flow Packet processing fpga FPGA ha High Availability log Logging nat Network Address Translation packet Packet buffer proxy TCP proxy session Session management ssh SSH termination ssl SSL termination tcp TCP reordering url URL filtering zip ZIP processing + packet-filter Counters for packet that matches debug filter (no or yes) + severity Counter for severity (drop, error, informational, or warning) > name Counter name > interface Clears interface counters only > dhcp Clears Dynamic Host Configuration Protocol (DHCP) leases > all Clears leases on all interfaces > interface Clears leases on a specific interface > expired-only Clears expired leases > ip Clears lease for the specified IP address (x.x.x.x or IPv6)
Palo Alto Networks
clear
> mac Clears lease for the specified MAC address (xx:xx:xx:xx:xx:xx) > dns-proxy Clears DNS proxy information > cache Clears DNS proxy cache > all Clears all DNS proxy caches (option to provide the domain name) > name Clears DNS proxy object name (option to provide the domain name) > statistics Clears DNS proxy statistics > all Clears all DNS proxy statistics > name Clears DNS proxy object name > dos-protection Clears Denial of Service (DoS) protection-related information > rule DoS protection rule name > zone Source zone name > all Clears all IP addresses > source Specify source IP addresses to unblock (x.x.x.x/y or IPv6/netmask) > high-availability Clears high-availability statistics > control-link Clears high-availability control-link information > transitions Clears high-availability transition statistics > job Clears download jobs (0-4294967295) > log Removes logs on disk > acc ACC database > alarm Alarm logs > config Configuration logs > system System logs > threat Threat logs > traffic Traffic logs > mac Clears MAC information (all or specific VLAN MAC information dot1q-vlan) > nat-rule-cache Clears the specified dynamic IP Network Address Translation (NAT) rule IP pool cache > neighbor Clears the neighbor cache (all or specified interface neighbor cache entries) > pbf Clears policy-based forwarding (PBF) runtime rules (all or specified rules) > pppoe Clears the specified Point-to-Point Protocol over Ethernet (PPPoE) interface connection > query Clears query jobs (all queries for the session, or by ID 0-4294967295) > report Clears report jobs (all reports for the session, or by ID 0-4294967295) > routing Clears BGP virtual router information > dampening Resets BGP route dampening status (option to filter by prefix or by BGP peer) > stat Clears statistic counters (option to filter by BGP peer) > session Clears a specified session or all sessions > all Clears all sessions; the following filter options are available: + application Application name (press <tab> for a list of applications) + destination Destination IP address + destination-port Destination port (1-65535) + destination-user Destination user (select known-user or unknown, or enter a user name) + dos-rule DoS protection rule name + from From zone + hw-interface Hardware interface + min-kb Minimum KB of byte count (1-1048576) + nat If session is NAT (select Both source and destination NAT, Destination NAT, No NAT, or Source NAT) + nat-rule NAT rule name + pbf-rule Policy-based forwarding rule name + protocol IP protocol value (1-255) + qos-class QoS class (1-8) + qos-node-id QoS node-id value (-2 for bypass mode; 0-5000 for regular or tunnel mode) + qos-rule QoS rule name + rule Security rule name + source Source IP address + source-port Source port (1-65535)
Palo Alto Networks
clear
+ source-user Source user (select known-user or unknown, or enter a user name) + ssl-decrypt Session is decrypted (no or yes) + state Flow state active Active state closed Closed state closing Closing state discard Discard state initial Initial state opening Inactive state + to To zone + type Flow type (flow = regular flow; predict = predict flow) + vsys-name Virtual system name > id Clears specific session (1-2147483648) > statistics Clears all statistics > uid-gids-cache Clears the user ID to group IDs (uid-gids) cache in the data plane (all or specified user ID, 12147483647) > url-cache Clears the URL cache in the data plane > user-cache Clears the IP-to-user cache in the data plane (all or specified IP, x.x.x.x/y or IPv6) > vpn Clears Internet Key Exchange (IKE) or IP Security (IPSec) VPN runtime objects > flow Clears the VPN tunnel on the data plane. Specify the tunnel or press Enter to apply to all tunnels. > ike-sa Removes the active IKE Security Association (SA) and stops all ongoing key negotiations. Specify the gateway or press Enter to apply to all gateways. > ipsec-sa Deactivates the IPsec SA for a tunnel or all tunnels. Specify the tunnel or press Enter to apply to all tunnels.
Sample Output
The following command clears the session with ID 2245.
username@hostname> clear session id 2245 Session 2245 cleared username@hostname>

Palo Alto Networks
configure
configure
Enters Configuration mode.
Syntax
configure
Options
None
Sample Output
To enter Configuration mode from Operational mode, enter the following command.
username@hostname> configure Entering configuration mode [edit] username@hostname#

Palo Alto Networks
debug authd
debug authd
Defines settings for authd service debug logging.
Syntax
debug authd {off | on | show}
Options
> off Turns off debug logging > on Turns on authd service debug logging > show Displays current debug logging setting
Sample Output
The following command turns the authd debugging option on.
admin@PA-HDF> debug authd on admin@PA-HDF>

superuser, vsysadmin
Palo Alto Networks
debug cli
debug cli
Defines settings and display information for debugging the CLI connection.
Syntax
debug cli { detail | enable-internal-command | off | on | show }
Options
> detail Shows details information about the CLI connection > enable-internal-command Enables an internal CLI command > off Turns the debugging option off > on Turns the debugging option on > show Shows whether this command is on or off
Sample Output
The following command shows details of the CLI connection.
admin@PA-HDF> debug cli detail Environment variables : (USER . admin) (LOGNAME . admin) (HOME . /home/admin) (PATH . /usr/local/bin:/bin:/usr/bin) (MAIL . /var/mail/admin) (SHELL . /bin/bash) (SSH_CLIENT . 10.31.1.104 1109 22) (SSH_CONNECTION . 10.31.1.104 1109 10.1.7.2 22) (SSH_TTY . /dev/pts/0) (TERM . vt100) (LINES . 24) (COLUMNS . 80) (PAN_BASE_DIR . /opt/pancfg/mgmt) PAN_BUILD_TYPE : DEVELOPMENT Total Heap : 7.00 M Used : 5.51 M Nursery : 0.12 M admin@PA-HDF>

Palo Alto Networks
debug cryptod
debug cryptod
Sets the debug options for the cryptod daemon.
Syntax
debug cryptod global {off | on | show}
Options
> show Shows whether this command is on or off > off Turns the debugging option off > on Turns the debugging option on
Sample Output
The following command displays the current cryptod debugging setting.
admin@PA-HDF> debug cryptod global show sw.cryptod.runtime.debug.level: debug
admin@PA-HDF>

Palo Alto Networks
debug dataplane
debug dataplane
Configures settings for debugging the data plane.
Syntax
debug dataplane { device switch-dx | { fdb {dump | index <value>} | port-based-vlan port <value> | register read <value> | uplink | vlan-table {dump | index <value>} | } flow-control {disable | enable} | fpga | { set {sw_aho | sw_dfa | sw_dlp} {no | yes} | state } internal | { pdt | { nac | { aho dump {table <value>} instance <value> | dfa dump {table <value>} instance <value> | info instance <value> | stats instance <value> } oct { bootmem {avail | named} | csr rd reg <value> | fpa show | pip stats {port <port_number>} | pko | { debug {port <port_number>} | stats {all {no | yes} | port <port_number>} pow debug {all {no | yes}} } } vif {address | link | route <value> | rule | vr} } memory status | monitor detail {off | on | show} | nat sync-ippool rule <rule_name> |
Palo Alto Networks
debug dataplane
packet-diag | { clear | { all | capture | { all | stage {drop | firewall | receive | transmit} trigger application } filter {all | <filter_index>} | log { counter {all | <value>} | feature | { all | appid {agt | all | basic | dfa | policy} ctd {all | basic | detector | sml | url} flow {ager | all | arp | basic | ha | nd misc {all | misc} | module {aho | all | dfa | scan | url} | pow {all | basic} | proxy {all | basic} | ssl {all | basic} | tcp {all | fptcp | reass} | tunnel {ager | flow} | zip {all | basic} } log } } set | { capture | { off | on | stage {drop | firewall | receive | transmit} { byte-count <value> | packet-count <value> | file <file_name> | } trigger application { byte-count <value> | packet-count <value> | file <file_name> | from <application_name> | to <application_name> } }
| | | np | receive} |
Palo Alto Networks
debug dataplane
filter | { index <value> | match | { destination <ip_address> | destination-port <port> | ingress-interface <interface_name> | ipv6-only {no | yes} | non-ip {exclude | include | only} | protocol <value> | source <ip_address> | source-port <port> } off | on | pre-parse-match {yes | no} } log { counter <value> | feature | { all | appid {agt | all | basic | dfa | policy} | ctd {all | basic | detector | sml | url} | flow {ager | all | arp | basic | ha | nd | np | receive} | misc {all | misc} | module {aho | all | dfa | scan | url} | pow {all | basic} | proxy {all | basic} | ssl {all | basic} | tcp {all | fptcp | reass} | tunnel {ager | flow} | zip {all | basic} } log-option {aggregate-to-single-file | throttle} {no | yes} | off | on } } show setting } pool | { check {hardware <value> | software <value>} | statistics } pow | { performance {all} | status } process {comm | ha-agent | mprelay | task} {on | off | show} |
Palo Alto Networks
debug dataplane
reset | { appid {cache | statistics | unknown-cache {destination <ip_address>}} | ctd url-block-cache {lockout} | dos | { block-table | classification-table | rule <name> classification-table | zone <name> block-table {all | source <ip_address>} } logging | pow | ssl-decrypt { certificate-cache | certificate-status | exclude-cache | host-certificate-cache | notify-cache {source <ip_address>} } } show | { ctd | { aggregate-table | athreat {tid <value>} | driveby-table | sml-cache | threat {cid <value> | id <value>} | version } dos | { block-table | classification-table | rule <name> classification-table | zone <name> block-table } url-cache statistics } task-heartbeat {off| on | show} | tcp state | test { nat-policy-add | { destination <ip_address> | destination-port <port_number> | from <zone> | protocol <value> | source <ip_address> | source-port <port_number> |
Palo Alto Networks
debug dataplane
to <zone> } nat-policy-del { destination <ip_address> | destination-port <port_number> | from <zone> | protocol <value> | source <ip_address> | source-port <port_number> | to <zone> | translate-source <ip_address> | translate-source-port <port_number> } } }
Options
> device Debugs data plane hardware component > fdb Debugs fdb (option to dump or provide index, 0-65535) > port-based-vlan Debugs port-based VLAN port (0-32) > register Debugs register read (0-4294967295) > uplink Debugs uplink > vlan-table Debugs VLAN table (option to dump or provide index, 0-4095) > flow-control Enables or disables flow control > fpga Debugs the field programmable gate array (FPGA) content > set Sets the runtime flag (option to use only software for aho, dfa, or dlp) > state Shows the FPGA state > internal Debugs data plane internal state > pdt Internal diagnostic tool > nac Options are aho dump, dfa dump, info, and stats > oct Options are bootmem, csr, fpa, pip, pko, and pow > vif Shows virtual interface configuration (address, link, route, rule, or vr) > memory Examines data plane memory > monitor Debugs data plane monitor details (off, on, or show current debug setting) > nat Debugs the specified Network Address Translation (NAT) sync IP pool rule > packet-diag Performs packet captures and configures pcap filter and trigger criterion > clear Clears packet-related diagnosis parameters > all Clears all settings and turns off log/capture > capture Clears capture setting > all All settings > stage Capture at processing stage (drop, firewall, receive, or transmit) > trigger Capture triggered by event > filter Clears packet filter (all or specified filter index, 1-4) > log Clears log setting > counter Disables logging for global counter changes (all or specified counter value) > feature Disables feature/module to log > all Disables all > appid Disables appid logging (agt, all, basic, dfa, or policy) > ctd Disables ctd logging (all, basic, detector, sml, or url) > flow Disables flow logging (ager, all, arp, basic, ha, nd, np, or receive) > misc Disables misc logging (all or miscellaneous) > module Disables module logging (aho, all, dfa, scan, or url)
Palo Alto Networks
debug dataplane
> pow Disables pow logging(all or basic) > proxy Disables proxy logging (all or basic) > ssl Disables SSL logging (all or basic) > tcp Disables TCP logging (all, fptcp, or reass) > tunnel Disables tunnel logging (ager or flow) > zip Disables zip logging (all or basic) > log Clears debug logs > set Sets packet-related debugging parameters > capture Debugs capture setting > off Disables debug capture > on Enables debug capture > stage Packet capture at processing stage (drop, firewall, receive, or transmit) + byte-count Maximum byte count before filter stops (1-1073741824) + packet-count Maximum packet count before filter stops (1-1073741824) * file Saved file name (alphanumeric string [ 0-9a-zA-Z._-]) > trigger Packet capture triggered by event + byte-count Maximum byte count before filter stops (1-1073741824) + packet-count Maximum packet count before filter stops (1-1073741824) * file Saved file name (alphanumeric string [ 0-9a-zA-Z._-]) * from From application (enter an application name or press <tab> to view a list) * to To application (enter an application name or press <tab> to view a list) > filter Debugs filter setting > index Modifies debug filter with specified index (1-4) > match Adds a new debug filter and specifies matching options + destination Destination IP address (x.x.x.x or IPv6) + destination-port Destination port (1-65535) + ingress-interface Ingress hardware interface name + ipv6-only IPv6 packet only (no or yes) + non-ip Non-IP packet exclude Exclude non-IP packet include Include non-IP packet only Non-IP packet only + protocol IP protocol value (1-255) + source Source IP address (x.x.x.x or IPv6) + source-port Source port (1-65535) > off Disables debug filter > on Enables debug filter > pre-parse-match Matches value for packet before parsing (no or yes) > log Debugs log setting > counter Enables logging for global counter changes (enter a value or press <tab> to view a list) > feature Enables feature/module to log > all Enables all > appid Enables appid logging (agt, all, basic, dfa, or policy) > ctd Enables ctd logging (all, basic, detector, sml, or url) > flow Enables flow logging (ager, all, arp, basic, ha, nd, np, or receive) > misc Enables misc logging (all or miscellaneous) > module Enables module logging (aho, all, dfa, scan, or url) > pow Enables pow logging(all or basic) > proxy Enables proxy logging (all or basic) > ssl Enables SSL logging (all or basic) > tcp Enables TCP logging (all, fptcp, or reass) > tunnel Enables tunnel logging (ager or flow) > zip Enables zip logging (all or basic) > log-option Logging output options
Palo Alto Networks
debug dataplane
> aggregate-to-single-file Aggregates all logs to dp-log 'pan_packet_diag.log' (no or yes) > throttle Enables log throttling to minimize performance impact (no or yes) > off Disables debug logging > on Enables debug logging > show Shows packet-related diagnosis information > pool Debugs buffer pools, including checks of hardware and software utilization and buffer pool statistics > check Checks buffer pools utilization > hardware Checks hardware-managed pools utilization (0-255) > software Checks software-managed pools utilization (0-255) > statistics Shows buffer pools statistics > pow Debugs the packet scheduling engine > performance Shows peformance > status Displays packet scheduling engine status > process Debugs specified data plane process > comm Debugs pan_comm process (off, on, or show) > ha-agent Debugs dataplane high-availability agent (off, on, or show) > mprelay Debugs management plane relay agent (off, on, or show) > task Debugs packet processing tasks (off, on, or show) > reset Resets the settings for debugging the data plane > appid Clears appid unknown cache > cache cache > statistics statistics > unknown-cache Clears all unknown cache in dataplane + destination destination IP address (x.x.x.x/y or IPv6/netmask) > ctd Clears ctd setting + lockout URL block cache lockout > dos Resets DoS protection dataplane information > block-table Resets whole block table > classification-table Resets whole classification table > rule DoS protection rule name > zone Source zone name > all Clears all IPs > source Specify Source IP(s) to unblock (x.x.x.x/y or IPv6/netmask) > logging Resets data plane logging settings > pow Resets pow performance stats > ssl-decrypt Clears ssl-decrypt certificate cache > certificate-cache Clears all ssl-decrypt certificate cache in dataplane > certificate-status Clears all ssl-decrypt certificate CRL status cached in dataplane > exclude-cache Clears all exclude cache in dataplane > host-certificate-cache Clears all SSL certificates stored in host > notify-cache Clears all ssl-decrypt notify-user cache in dataplane + source Source IP address (x.x.x.x/y or IPv6/netmask) > show Shows data plane running information > ctd Debugs CTD > aggregate-table Shows aggregate table > athreat Shows active threats stat + tid Shows tid mask stat (0-0x0fffffff) > driveby-table Shows drive by table > sml-cache Shows sml cache table > threat Shows threat db * cid Shows details for condition id (0-1024) * id Shows threat id (0-0x0fffffff) > version Shows ctd content version > dos Shows DoS protection dataplane information
Palo Alto Networks
debug dataplane
> block-table Shows whole block table > classification-table Shows whole classification table > rule DoS protection rule name > zone Source zone name > url-cache Shows url-cache statistics > task-heartbeat Debugs data plane task heartbeat (off, on, or show) > tcp Examines the TCP state of the data plane > test Uses test cases to verify system settings > nat-policy-add Tests NAT policy translate + destination Destination IP address (x.x.x.x or IPv6) + destination-port Destination port (1-65535) + from From zone + protocol IP protocol value (1-255) + source Source IP address (x.x.x.x or IPv6) + source-port Source port (1-65535) + to To zone > nat-policy-del Tests NAT policy delete + destination Destination IP address (x.x.x.x or IPv6) + destination-port Destination port (1-65535) + from From zone + protocol IP protocol value (1-255) + source Source IP address (x.x.x.x or IPv6) + source-port Source port (1-65535) + to To zone + translate-source Translated source IP address (x.x.x.x or IPv6) + translate-source-port Translated source port (1-65535)
Sample Output
The following command shows the statistics for the data plane buffer pools.
admin@PA-HDF> debug dataplane pool statistics Hardware Pools [ 0] Packet Buffers [ 1] Work Queue Entries [ 2] Output Buffers [ 3] DFA Result DFA Result [ 4] Timer Buffers Timer Buffers [ 5] PAN_FPA_LWM_POOL [ 6] PAN_FPA_ZIP_POOL [ 7] PAN_FPA_BLAST_POOL Software Pools [ 0] software packet [ 1] software packet [ 2] software packet [ 3] software packet [ 4] software packet [ 5] Pktlog logs [ 6] Pktlog threats [ 7] Pktlog packet [ 8] Pktlog large [ 9] CTD Flow
: : : : : : : : : :
57241/57344 229284/229376 1000/1024 2048/2048 4092/4096 8192/8192 1024/1024 64/64
0x8000000410000000 0x8000000417000000 0x8000000418c00000 0x8000000419100000 0x8000000418d00000 0x8000000419300000 0x8000000419500000 0x8000000419700000
buffer buffer buffer buffer buffer
0 1 2 3 4
: : : : : : : : : :
16352/16384 8192/8192 8191/8192 4191/4192 256/256 10000/10000 4999/5000 5000/5000 56/56 261712/262144
0x8000000021b40680 0x8000000022354780 0x8000000022b5e880 0x8000000023b68980 0x800000002c079c00 0x800000002d0a74e0 0x800000002d2c2ea0 0x800000002d3d0c00 0x800000002dc626a0 0x80000000412e3080
Palo Alto Networks
debug dataplane
[10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24]
CTD AV Block SML VM Fields SML VM Vchecks Detector Threats CTD DLP FLOW CTD DLP DATA CTD DECODE FILTER Regex Results TIMER Chunk FPTCP segs Proxy session SSL Handshake State SSL State SSH Handshake State SSH State
: : : : : : : : : : : : : : :
32/32 261695/262144 65536/65536 261699/262144 65532/65536 4096/4096 16380/16384 2048/2048 131072/131072 32768/32768 1024/1024 1024/1024 2048/2048 64/64 512/512
0x8000000058ef02e8 0x8000000058ef8468 0x8000000059838568 0x8000000059988668 0x800000005adf24d0 0x800000005b6425d0 0x800000005ba476d8 0x800000005bafc088 0x8000000063f3a7c0 0x8000000065fda8c0 0x80000000660829c0 0x80000000660d9ec0 0x80000000662773c0 0x80000000662edcc0 0x800000006633b8c0
Software Packet Buffer Usage Stats AskSize UseSize AllocSize 2295 9207 9472 0 0 0 1396 1612 1832 33064 33064 33064 0 0 0
MaxRawPerc 53 99 99 100 0
MaxPerc 100 100 100 100 0
The following command displays the settings for data plane packet diagnostics.
admin@PA-HDF> debug dataplane packet-diag show setting ----------------------------------------------------------------------Packet diagnosis setting: ----------------------------------------------------------------------Packet filter Enabled: no Match pre-parsed packet: no ----------------------------------------------------------------------Logging Enabled: no Log-throttle: no Aggregate-to-single-file: yes Output file size: 3306 of 10485760 Bytes Features: Counters: ----------------------------------------------------------------------Packet capture Enabled: no -----------------------------------------------------------------------
The following example sets up a packet capture session. Note: For detailed technotes, search the Palo Alto Networks support site at https://live.paloaltonetworks.com/community/knowledgepoint. 1. Create a filter to limit the amount of data that the packet capture will collect. In this configuration, only traffic for sessions sourced from IP 10.16.0.33 will be captured.
admin@PA-HDF> debug dataplane packet-diag set filter match source 10.16.0.33
2. Enable the filter.

admin@PA-HDF> debug dataplane packet-diag set filter on
Palo Alto Networks
debug dataplane
3. Create a capture trigger that will begin capturing the pcap when an App-ID changes from webbrowsing to gmail.
admin@PA-HDF> debug dataplane packet-diag set capture trigger application from web-browsing to gmail-base file gmailpcap
4. Enable the capture.

admin@PA-HDF> debug dataplane packet-diag set capture on
5. Verify that the packet capture collected data.

admin@PA-HDF> debug dataplane packet-diag show setting
6. After the capture is complete, disable it to prevent performance degradation due to filtering and PCAP.
admin@PA-HDF> debug dataplane packet-diag set filter off admin@PA-HDF> debug dataplane packet-diag set capture off
7. View the packet capture on the firewall.

admin@PA-HDF> view-pcap filter-pcap gmailpcap
Or, export the packet capture for viewing on another machine.

admin@PA-HDF> scp export filter-pcap from gmailpcap to account@10.0.0.1:/

superuser vsysadmin
Palo Alto Networks
debug device-server
debug device-server
Configures settings for debugging the device server.
Syntax
debug device-server { bc-url-db | { bloom-stats | bloom-verify-basedb | cache-clear | cache-enable {no | yes} | cache-load | cache-resize <value> | cache-save | db-info | show-stats } clear | dump | { dynamic-url | { database {category <value> | start-from <value>} | statistics } hip-profile-database <value> | hip-report {computer <value> | ip <value> | user <value>} | idmgr type <type> | logging statistics | ts-agent {config | user-IDs} | user-group name <name> | userid-agent {ip-user {match-user <name>}} } off | on | refresh | { user-group {all | ip <ip_address>} | user-id {ip <ip_address> | agent <value>} } reset | { brightcloud-database | captive-portal {ip-address <ip/netmask>} | config | id-manager | ldap-agent | logging statistics | pan-agent all |
Palo Alto Networks
debug device-server
pan-ntlm-agent all | ts-agent {all | <value>} | url {dynamic-url-size <value> | dynamic-url-timeout <value>} | userid-agent {all | <value>} } save | { dynamic-url-database | hip-profile-database } set | { agent {all | basic | conn | detail | group | ha | ntlm | sslvpn | tsa} | all | base {all | config} | config {all | basic | fpga | hip | tdb} | hip {all | basic | detail | ha} | ldap {all | basic | detail} | misc {all | basic} | tdb {aho | all | basic} | url {all | basic | ha | match | stat} | userid {all | basic | detail} } show | test | { admin-override-password <value> | cp-login {ip-address <ip/netmask> | user <value>} | dynamic-url {async | cloud | unknown-only} {no | yes} | hip-profile-database {size <value>} | hip-report | { copy {no | yes} | computer <value> | ip <value> | user <value> } ntlm-login {id <value> | ip-address <ip/netmask>} | url-category <value> | url-update-server } unset { agent {all | basic | conn | detail | group | ha | ntlm | sslvpn | tsa} | all | base {all | config} | config {all | basic | fpga | hip | tdb} | hip {all | basic | detail | ha} | ldap {all | basic | detail} | misc {all | basic} | tdb {aho | all | basic} | url {all | basic | ha | match | stat} | userid {all | basic | detail} }
Palo Alto Networks
debug device-server
Options
> bc-url-db Debugs BrightCloud URL database > bloom-stats Shows bloom filter stats > bloom-verify-basedb Verifies base database with bloom filter > cache-clear Clears database access cache > cache-enable Enables/disables cache for database access > cache-load Loads database access cache > cache-resize Resizes database cache (1-1000000) > cache-save Saves database access cache > db-info Shows database info > show-stats Shows URL database access statistics > clear Clears all debug logs > dump Dumps the debug data > dynamic-url Dumps dynamic URLs > database Dumps dynamic url db + category Dumps only the URL category (press <tab> for a list of categories) + start-from Dumps dynamic URL database starting from index (1-1000000) > statistics Dumps URL categorization statistics > hip-profile-database Dumps HIP profile database + start-from Dump hip-profile db starting from index (1-131072) > hip-report Dumps HIP report (computer, IP, or user) > idmgr Dumps ID manager data > computer Only computer name and id > custom-url-filter Only custom URL filter name and id > global-interface Only global interface name and id > global-rib-instance Only global RIB instance name and id > global-tunnel Only global tunnel name and id > global-vlan Only global VLAN name and id > global-vlan-domain Only global VLAN domain name and id > global-vrouter Only global vrouter name and id > gp-gateway Only GlobalProtect gateway name and id > hip-object HIP object name and id > hip-profile HIP profile name and id > ike-gateway Only IKE gateway name and id > nat-rule Only NAT rule name and id > pbf-rule PBF rule name and id > security-rule Only security rule name and id > shared-application Only shared application name and id > shared-custom-url-category Only shared custom URL category name and id > shared-gateway Shared gateway > ssl-rule Only SSL rule name and id > user Only user name and id > user-group Only user group name and id > vsys Only vsys name and id > vsys-application Only vsys application name and id > vsys-custom-url-category Only vsys custom URL category name and id > zone Only zone name and id > logging Dumps logging statistics > ts-agent Dumps terminal server agent data > config Dumps terminal server agent configuration data > user-IDs Dumps terminal server agent user IDs
Palo Alto Networks
debug device-server
> user-group Dumps user group data > userid-agent Dumps userid agent stats > ip-user Dumps userid-agent IP-to-user mapping + match-user Matching user name > off Turns off debug logging > on Turns on debug logging > refresh Refreshes the user-group data > user-group Refreshes user group data > all Refreshes all PAN agents > ip Refreshes PAN agent for IP address > userid Refetches from userid agent + ip Query IP address * agent Specify userid agent > reset Clears logging data > brightcloud-database Deletes brightcloud database to allow a fresh restart > captive-portal Clears captive portal information (x.x.x.x/y or IPv6/netmask) > config Clears last config object > id-manager Clears ID manager cache file > ldap-agent Reconnects to LDAP daemon > logging Clears logging statistics > pan-agent Clears PAN-agent state > pan-ntlm-agent Clears PAN-NTLM-agent state > ts-agent Reconnects terminal server agent (all or specify one agent) > url Resets URL > dynamic-url-size Sets dynamic URL maximum entry count (10-1000000) > dynamic-url-timeout Sets dynamic URL entry timeout in minutes (1-43200) > userid-agent Reconnects userid agent (all or specify one agent) > save Saves data > dynamic-url-database Saves the dynamic URL database > hip-profile-database Saves the HIP profile database > set Sets debugging values > agent Sets agent debugging values (all, basic, conn, detail, group, ha, ntlm, sslvpn, tsa) > all Sets all debugging values > base Sets base debugging values (all, config) > config Sets config debugging values (all, basic, fpga, hip, tdb) > hip Sets HIP debugging values (all, basic, detail, ha) > ldap Sets LDAP debugging values (all, basic, detail) > misc Sets misc debugging values (all, basic) > tdb Sets tdb debugging values (aho, all basic) > url Sets URL debugging values (all, basic, ha, match, stat) > userid Sets userid debugging values (all, basic, detail) > show Displays current debug log settings > test Tests the current settings > admin-override-password Tests URL admin override password > cp-login Tests captive portal login * ip-address Dot format IP address (x.x.x.x/y or IPv6/netmask) * user Fully qualified user name > dynamic-url Tests batch dynamic URL categorization + async Run test asynchronously or not + cloud Send to cloud or not + unknown-only Only output URL if category is unknown > hip-profile-database Tests batch HIP profile database population + size Batch size (1-65536) > hip-report Tests create HIP report (copy, computer, IP address, user)
Palo Alto Networks
debug device-server
> ntlm-login Tests NTLM login * id User ID (1-500000) * ip-address Dot format IP address (x.x.x.x/y or IPv6/netmask) > url-category Gets URL categorization from code (1-4192) > url-update-server Tests URL database server connectivity > unset Removes current settings > agent Removes current agent settings (all, basic, conn, detail, group, ha, ntlm, sslvpn, tsa) > all Removes all current settings > base Removes current base settings (all, config) > config Removes current config settings (all, basic, fpga, hip, tdb) > hip Removes current HIP settings (all, basic, detail, ha) > ldap Removes current LDAP settings (all, basic, detail) > misc Removes current misc settings (all, basic) > tdb Removes current tdb settings (aho, all basic) > url Removes current URL settings (all, basic, ha, match, stat) > userid Removes current userid settings (all, basic, detail)
Sample Output
The following command turns off debug logging for the device server.
admin@PA-HDF> debug device-server off admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug dhcpd
debug dhcpd
Configures settings for debugging the Dynamic Host Configuration Protocol (DHCP) daemon.
Syntax
debug dhcpd { global {on | off | show} | pcap {delete | on | off | show | view} }
Options
> global Defines settings for the global DHCP daemon > pcap Defines settings for debugging packet capture
Sample Output
The following command displays current global DHCP daemon settings.
admin@PA-HDF> debug dhcpd global show sw.dhcpd.runtime.debug.level: debug admin@PA-HDF>

Palo Alto Networks
debug dnsproxyd
debug dnsproxyd
Configures settings for the Domain Name Server (DNS) proxy daemon.
Syntax
debug dnsproxyd { global {off | on | show} | show {batches | connections | objects | persistent} }
Options
> global Controls debug levels > show Shows DNS proxy debug information > batches Displays DNS proxy batch requests > connections Displays DNS proxy connections > objects Displays DNS proxy object debug > persistent Displays DNS proxy persistent cache entries on disk
Sample Output
The following command displays the DNS proxy object debug.
admin@PA-HDF> debug dnsproxyd show objects --------------CFG OBJS--------------CFG obj name: mgmt-obj (0x1039ff74) --------------RT OBJS--------------RT obj name: mgmt-obj (0x1020ae28) obj addr:0x1020ae28 def_name_servers:0x1037a384 tom:0x101b08e4 dnscache:0x101b09e4 Interface:mgmt-if 10.1.7.16 -------IP OBJ HASH TBL-------------ip: 10.1.7.16 for dns rt obj:mgmt-obj
admin@PA-HDF>

Palo Alto Networks
debug global-protect
debug global-protect
Configures settings for debugging the GlobalProtect portal.
Syntax
debug global-protect portal {interval <value> | off | on}
Options
> interval Interval to send HIP report (60-86400) > off Turn off debugging > on Turn on debugging
Sample Output
The following command turns on GlobalProtect debugging.
admin@PA-HDF> debug global-protect portal on admin@PA-HDF>

Palo Alto Networks
debug high-availability-agent
debug high-availability-agent
Configures settings for debugging the high availability agent. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
debug high-availability-agent { clear | internal-dump | model-check | off | on | show }
Options
> clear Clears the debug logs > internal-dump Dumps the internal state of the agent to its log > model-check Turns model checking with the peer on or off > off Turns the debugging option off > on Turns the debugging option on > show Shows whether this command is on or off
Sample Output
The following command turns modeling checking on for the high availability agent.
admin@PA-HDF> debug high-availability-agent model-check on admin@PA-HDF>

Palo Alto Networks
debug ike
debug ike
Configures settings for debugging Internet Key Exchange (IKE) daemon. For more information, refer to the Configuring IPSec Tunnels chapter in the Palo Alto Networks Administrators Guide.
Syntax
debug ike { global {off | on | show} | pcap {delete | off | on | show | view} | socket | stat }
Options
> global Configures global settings > pcap Configures packet capture settings > socket Configures socket settings > stat Shows IKE daemon statistics
Sample Output
The following command turns on the global options for debugging the IKE daemon.
admin@PA-HDF> debug ike global on admin@PA-HDF>

Palo Alto Networks
debug keymgr
debug keymgr
Configures settings for debugging the key manager daemon.
Syntax
debug keymgr { list-as | off | on | show }
Options
> list-sa Lists the IPSec security associations (SAs) that are stored in the key manager daemon > off Turns the settings off > on Turns the settings on > show Shows key manager daemon information
Sample Output
The following command shows the current information on the key manager daemon.
admin@PA-HDF> debug keymgr show sw.keymgr.debug.global: normal admin@PA-HDF>

Palo Alto Networks
debug l3svc
debug l3svc
Configures settings for debugging the Layer 3 Switched Virtual Connection (L3SVC).
Syntax
debug l3svc { clear | off | on {debug | dump | error | info | warn} | pcap {delete | off | on | show | view} | reset user-cache {all | <value>} | show user-cache }
Options
> clear Clears the debug logs > off Turns the debugging option off > on Turns the debugging option on > pcap Configures packet capture settings > reset Resets the user cache > show Displays the user cache
Sample Output
The following command turns on L3SVC debugging.
admin@PA-HDF> debug l3svc on debug admin@PA-HDF>

Palo Alto Networks
debug ldap-server
debug ldap-server
Configures settings for debugging Lightweight Directory Access Protocol (LDAP) servers. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
debug ldap-server { clear | off | on {debug | dump | error | info | warn} | refresh server {all | <server_name>} | reset {bind | server {all | <value>}} | stats }
Options
> clear Clears the debug settings > off Turns the debugging option off > on Turns debug logging on > refresh Refreshes data for the specified server or all servers > reset Resets the binding socket or the server agent(s) > stats Shows LDAP server statistics
Sample Output
The following command sets the debug level to error.
admin@PA-HDF> debug ldap-server on debug level set to error admin@PA-HDF>

Palo Alto Networks
debug log-receiver
debug log-receiver
Configures settings for debugging the log receiver daemon.
Syntax
debug log-receiver { container-page {entries <value> | off | on | timeout <value>} | fwd {off | on | show} | off | on {debug | dump | normal} | show | statistics | }
Options
> container-page Configures container page usage > entries Specifies cache entries (4-65536) > off Turns off container page caching > on Turns on container page caching > timeout Specifies cache timeout (1-86400) > fwd Configures forwarding > off Turns off forwarding > on Turns on forwarding > show Shows whether this command is on or off > off Turns the debugging option off > on Turns the debugging option on (option to select debug, dump, or normal) > show Shows whether this command is on or off > statistics Shows log receiver daemon statistics
Sample Output
The following command turns log receiver debugging on.
admin@PA-HDF> debug log-receiver on admin@PA-HDF>

Palo Alto Networks
debug management-server
Configures settings for debugging the management server.
Syntax
debug management-server clear | client { disable {authd | device | dhcpd | ha_agent | ikemgr | l3svc | ldapd | logrcvr | npagent | pppoed | rasmgr | routed | sslmgr | sslvpn} | enable {device | dhcpd | ha_agent | ikemgr | l3svc | logrcvr | npagent | pppoed | rasmgr | routed | sslmgr} } off | on {debug | dump | error | info | warn} | set | { all | comm {all | basic | detail} | panorama {all | basic | detail} | proxy {all | basic | detail} | server {all | basic | detail} } show | unset { all | comm {all | basic | detail} | panorama {all | basic | detail} | proxy {all | basic | detail} | server {all | basic | detail} } }
Options
> clear Clears all debug logs > client Enables or disables management server client processes authd authd daemon device Device server dhcpd DHCP server ha_agent High-Availability server ikemgr IKE manager l3svc HTTP Daemon ldapd LDAP Daemon logrcvr Log Receiver daemon npagent Network Processor agent pppoed PPPoE daemon rasmgr Remote Access Daemon
Palo Alto Networks
routed Routing daemon sslmgr sslmgr daemon sslvpn sslvpn daemon > off Turns off debug logging > on Turns on management server debug logging debug Only output error, warning, info and debug logs dump Output all logs error Only output error logs info Only output error, warning and info logs warn Only output error and warning logs > set Turns on management server component debug logging > all Debug logging for all components > comm Comm debug logging (all, basic, detail) > panorama Panorama debug logging (all, basic, detail) > proxy Proxy debug logging (all, basic, detail) > server Server debug logging (all, basic, detail) > show Displays current debug logging setting > unset Turns off management server component debug logging > all Debug logging for all components > comm Comm debug logging (all, basic, detail) > panorama Panorama debug logging (all, basic, detail) > proxy Proxy debug logging (all, basic, detail) > server Server debug logging (all, basic, detail)
Sample Output
The following example turns management server debugging on.
admin@PA-HDF> debug management-server on (null) admin@PA-HDF>
The following example enables the management server network processor agent.
admin@PA-HDF> debug management-server client enable npagent admin@PA-HDF>

Palo Alto Networks
debug master-service
debug master-service
Configures settings for debugging the master service.
Syntax
debug master-service { internal-dump | off | on {debug | dump | error | info | warn} | show }
Options
> internal-dump Dumps internal state of service to its log > off Turns off debug logging > on Turns on masterd service debug logging debug Only output error, warning, info and debug logs dump Output all logs error Only output error logs info Only output error, warning and info logs warn Only output error and warning logs > show Displays current debug logging setting
Sample Output
The following command dumps the internal state of the master server to the log.
admin@PA-HDF> debug master-service internal-dump admin@PA-HDF>

Palo Alto Networks
debug netconfig-agent
debug netconfig-agent
Defines settings for debugging the network configuration agent.
Syntax
debug netconfig-agent {off | on | show}
Options
> show Displays current debug setting > off Turns off network configuration agent debugging > on Turns on network configuration agent debugging
Sample Output
The following command turns on debugging of the network configuration agent.
admin@PA-HDF> debug netconfig-agent on admin@PA-HDF>

Palo Alto Networks
debug pppoed
debug pppoed
Configures settings for debugging the Point-to-Point Protocol over Ethernet (PPPoE) daemon. The firewall can be configured to be a PPPoE termination point to support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to terminate the connection. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
debug pppoed { global {off | on | show} | pcap | { delete | off | on {virtualrouter <value>} | show | view } show interface {all | <interface_name>} }
Options
> global Sets debugging options > pcap Performs packet capture (option to filter result by virtual router) > show interface Shows PPPoE debug infomation (all or specify an interface)
Sample Output
The following command turns packet capture debugging off.
admin@PA-HDF> debug pppoed pcap off debug level set to error admin@PA-HDF>

Palo Alto Networks
debug rasmgr
debug rasmgr
Configures settings for debugging the remote access service daemon.
Syntax
debug rasmgr { off | on {debug | dump | normal} | show | }
Options
> off Turns the debugging option off > on Turns the debugging option on (option to specify debug, dump, or normal) > show Shows whether this command is on or off
Sample Output
The following command shows the debug settings for the remote access service daemon.
admin@PA-HDF> debug rasmgr show sw.rasmgr.debug.global: normal admin@PA-HDF>

Palo Alto Networks
debug routing
debug routing
Configures settings for debugging the route daemon.
Syntax
debug routing { fib {flush | stats} | global {off | on | show} | list-mib | mib <value> | pcap | { all {delete | off | on | view} | bgp {delete | off | on | view} | ospf {delete | off | on | view} | rip {delete | off | on | view} | show } restart | socket }
Options
> fib Turns on debugging for the forwarding table > flush Forces forwarding table sync > stats Shows route message stats > global Turns on global debugging > list-mib Shows the routing list with management information base (MIB) names > mib Shows the MIB tables > pcap Shows packet capture data (all, BGP, OSPF, RIP) > restart Restarts the routing process > socket Shows socket data
Sample Output
The following command displays the MIB tables for routing.
admin@PA-HDF> debug routing list-mib i3EmuTable (1 entries) ========================== sckTable (0 entries) sckSimInterfaceTable (0 entries) sckEiTable (0 entries) sckEaTable (0 entries) i3Table (0 entries) i3EiTable (0 entries) i3EaTable (0 entries) i3EtTable (0 entries) i3EmTable (0 entries)
Palo Alto Networks
debug routing
dcSMLocationTable (0 entries) dcSMHMTestActionObjects (0 entries) siNode (0 entries) siOSFailures (0 entries) siTraceControl (0 entries) siExecAction (0 entries) ... admin@PA-HDF>

Palo Alto Networks
debug software
debug software
Configures software processes debugging features.
Syntax
debug software { core {device-server | log-receiver | management-server | pan-comm | rasmgr | routed | sslvpn-web-server | web-server} | fd-limit {limit <value> | service <value>} | no-fd-limit service <value> | no-virt-limit service <value> |t restart {device-server | log-receiver | management-server | pan-comm | rasmgr | routed | sslvpn-web-server | web-server} | trace {device-server | log-receiver | management-server | sslvpn-webserver | web-server} | virt-limit {limit <value> | service <value>} }
Options
> core Debugs process core > device-server Device server process > log-receiver Log Receiver server process > management-server Management server process > pan-comm Data plane communication process > rasmgr SSL VPN daemon > routed Routing process > sslvpn-web-server SSL VPN Web server process > web-server Web server process > fd-limit Sets open fd limit (0-4294967295) and service value > no-fd-limit Disables open fd limit service > no-virt-limit Disables maximum virtual memory limit service > restart Restarts processes > device-server Device server process > log-receiver Log Receiver server process > management-server Management server process > pan-comm Data plane communication process > rasmgr SSL VPN daemon > routed Routing process > sslvpn-web-server SSL VPN Web server process > web-server Web server process > trace Gets process backtraces > device-server Device server process > log-receiver Log Receiver server process > management-server Management server process > sslvpn-web-server SSL VPN Web server process > web-server Web server process > virt-limit Sets maximum virtual memory limit (0-4294967295) and service value
Palo Alto Networks
debug software
Sample Output
The following command restarts the web server.
admin@PA-HDF> debug software restart web-server admin@PA-HDF>

Palo Alto Networks
debug ssl-vpn
debug ssl-vpn
Sets debugging options for the Secure Socket Layer (SSL)-virtual private network (VPN) web server. For more information, refer to the Configuring SSL VPNs chapter in the Palo Alto Networks Administrators Guide.
Syntax
debug ssl-vpn { global | { off | on {debug | dump | error | info} | show } socket }
Options
> global Turns debugging on or off at on the global level and shows debugging results (option to turn on debug, dump, error, or info) > socket Debugs on the socket level
Sample Output
The following command displays socket level information.
admin@PA-HDF> debug ssl-vpn socket
Proto Recv-Q Send-Q Local Address Program name tcp 0 0 0.0.0.0:20077 appweb tcp 0 0 0.0.0.0:20088 appweb Foreign Address 0.0.0.0:* 0.0.0.0:* State LISTEN LISTEN PID/ 1674/ 1674/
admin@PA-HDF>

Palo Alto Networks
debug sslmgr
debug sslmgr
Sets debugging options for the Secure Socket Layer (SSL) manager daemon that validates certificates for the Certificate Revocation List (CRL) and the Online Certificate Status Protocol (OCSP). Each trusted certificate authority (CA) maintains CRLs to determine if an SSL certificate is valid (not revoked) for SSL decryption. The OCSP can also be used to dynamically check the revocation status of a certificate.
Syntax
debug sslmgr { delete {crl | ocsp} {all | <value>} | off | on {debug | dump | error | info | warn} | save oscp | show | statistics | tar-all-crl | view {crl <value> | ocsp {all | <value>}} }
Options
delete Removes the CRL/OCSP cache > crl Delete CRL cache (all or specify CRL to delete) > ocsp Delete OCSP cache (all or specify URL) off Turns the manager daemon off on Turns the manager daemon on (debug, dump, error, info, or warn) save Saves the contents of the OCSP cache show Displays the contents of the OCSP cache statistics Displays the CRL/OCSP statistics tar-all-crl Saves all CRL files to a tar file view Displays the CRL/OCSP cache > crl View CRL cache > ocsp View OCSP cache (all or specify URL)
Sample Output
The following command displays the CRL cache.
admin@PA-HDF> debug sslmgr view crl http://EVIntl-crl.verisign.com/EVIntl2006.crl http://EVSecure-crl.verisign.com/EVSecure2006.crl http://EVSecure-crl.verisign.com/pca3-g5.crl http://SVRC3SecureSunMicrosystems-MPKI-crl.verisign.com/ SunMicrosystemsIncClassBUnified/LatestCRLSrv.crl http://SVRIntl-crl.verisign.com/SVRIntl.crl http://SVRSecure-crl.verisign.com/SVRSecure2005.crl http://certificates.godaddy.com/repository/gdroot.crl ... admin@PA-HDF>
Palo Alto Networks
debug sslmgr

Palo Alto Networks
debug swm
debug swm
Configures settings for debugging the Palo Alto Networks software manager.
Syntax
debug swm { history | info {image <image_name>} | install {image <image_name> | patch <value>} | list | log | refresh content | revert | status | unlock }
Options
> history Shows history of software install operations > info Displays info on current or specified image > install Installs specified image and optional patch > list Lists software versions available for install > log Shows log of PAN Software Manager > refresh Reverts back to last successfully installed content > revert Reverts back to last successfully installed software > status Shows status of PAN Software Manager > unlock Unlocks PAN Software Manager
Sample Output
The following command shows the list of available software versions.
admin@PA-HDF> debug swm list 3.1.0-c4.dev 3.1.0-c1.dev_base 3.0.0-c207 3.0.0-c206 admin@PA-HDF>

Palo Alto Networks
debug system
debug system
Defines settings for system debugging actions.
Syntax
debug system {check-fragment | disk-sync | maintenance-mode}
Options
> check-fragment Checks disk fragmentation > disk-sync Flushes all writes out to disk > maintenance-mode Reboots the system to maintenance mode
Sample Output
The following command reboots the system to maintenance mode.
admin@PA-HDF> debug system maintenance-mode admin@PA-HDF>

Palo Alto Networks
debug tac-login
debug tac-login
Configures settings for debugging the Palo Alto Networks Technical Assistance Center (TAC) connection.
Syntax
debug tac-login {challenge | permanently-disable | response}
Options
> challenge Gets challenge value for TAC login > permanently-disable Permanently turns off TAC login debugging > response Runs verification of challenge response for TAC login
Sample Output
The following command turns TAC login debugging on.
admin@PA-HDF> debug tac-login on admin@PA-HDF>

Palo Alto Networks
debug vardata-receiver
debug vardata-receiver
Configures settings for debugging the variable data daemon.
Syntax
debug vardata-receiver { off on {debug | dump | normal} | show statistics }
Options
> off Turns the debugging option off > on Turns the debugging option on (debug, dump, or normal) > show Shows whether this command is on or off > statistics Shows variable data daemon statistics
Sample Output
The following command shows statistics for the variable data daemon.
admin@PA-HDF> debug vardata-receiver statistics admin@PA-HDF>

Palo Alto Networks
delete
delete
Removes specified types of files from disk or restore the default comfort pages that are presented when files or URLs are blocked.
Syntax
delete { admin-sessions | anti-virus update <file_name> | config saved <file_name> | config-audit-history | content update <file_name> | core {data-plane file <file_name> | management-plane file <file_name>} | data-capture directory <directory_name> | debug-filter file <file_name> | dynamic-url host {all | name <value>} | global-protect-client {image <file_name> | version <value>} | high-availability-key | hip-report | { all | report {computer <value> | ip <value> | user <value>} } license key| logo | pcap directory <directory_name> | policy-cache | report | { custom scope {shared | <vsys_name>} | predefined scope shared report-name <report_name> | summary scope {shared | <vsys_name>} } runtime-user-db | software {image <file_name> | version <value>} | threat-pcap directory <directory_name> | unknown-pcap directory <directory_name> | user-file ssh-known-hosts | user-group-cache | vpnclient {image <file_name> | version <value>} }
Options
> admin-sessions Removes all active administrative sessions > anti-virus Removes anti-virus updates on disk > config Removes configuration files > config-audit-history Removes the configuration audit history > content Removes content updates > core Removes core management or data plane cores > data-capture Removes data capture files
Palo Alto Networks
delete
> debug-filter Removes debugging packet capture files on disk > dynamic-url Deletes dynamic database > global-protect-client Removes GlobalProtect client software images on disk > high-availability-key Removes the high availability peer encryption key > hip-report Deletes Host IP (HIP) reports in disk > license Removes a license key file > logo Removes a custom logo file > pcap Removes packet capture files > policy-cache Removes cached policy compilations > report Removes specified reports > runtime-user-db Deletes runtime user database (requires commit for rebuilding) > software Removes a software image > threat-pcap Removes threat packet capture files in a specified directory > unknown-pcap Removes packet capture files for unknown sessions > user-file Removes user account settings > user-group-cache Deletes user group cache files in disk > vpnclient Removes the VPN client software image
Sample Output
The following command deletes the saved configuration file named running-config.xml.bak.
username@hostname> delete config saved running-config.xml.bak username@hostname>

Palo Alto Networks
exit
exit
Exits the PAN-OS CLI. Note: The exit command is the same as the quit command.
Syntax
exit
Options
None

All
Palo Alto Networks
ftp
ftp
Uses FTP to export log files. The logs that may be exported are data, threat, traffic or URL logs.
Syntax
ftp export log {data | threat | traffic | url} { max-log-count <value> | passive-mode equal {no | yes} | query <value> | remote-port <port_number> | unexported-only equal {no | yes} | end-time equal <value> | start-time equal <value> | to <value> }
Options
+ max-log-count Maximum number of logs to export (0-65535) + passive-mode Use ftp passive mode + query Query value + remote-port FTP port number on remote host (1-65535) + unexported-only Filter logs that are not previously exported * end-time End date and time YYYY/MM/DD@hh:mm:ss (e.g. 2006/08/01@10:00:00) * start-time Start date and time YYYY/MM/DD@hh:mm:ss (e.g. 2006/08/01@10:00:00) * to Destination (username:password@host) or (username@host)

All
Palo Alto Networks
grep
grep
Finds and lists lines from log files that match a specified pattern.
Syntax
grep { after-context <number> | before-context <number> | context <number> | count | ignore-case {no | yes} | invert-match {no | yes} | line-number {no | yes} | max-count <number> | no-filename {no | yes} | pattern <value> | dp-log <file_name> | mp-log <file_name> }
Options
+ after-context Prints the matching lines plus the specified number of lines that follow the matching lines + before-context Prints the matching lines plus the specified number of lines that precede the matching lines + context Prints the specified number of lines in the file for output context + count Specifies whether a count is included in the results + ignore-case Ignores case distinctions + invert-match Selects non-matching lines instead of matching lines + line-number Adds the line number at the beginning of each line of output + max-count Stops reading a file after the specified number of matching lines + no-filename Does not add the filename prefix for output * pattern Indicates the string to be matched > dp-log Indicates the data plane log file to search for the pattern (press <tab> for a list of file names) > mp-log Indicates the management plane log file to search for the pattern (press <tab> for a list of file names)
Sample Output
The following command searches the brdagent.log file for occurrences of the string HEARTBEAT.
username@hostname> grep dp-log sysdagent.log * Jan 20 14:35:48 HEARTBEAT: Heartbeat failure Jan 20 14:35:53 HEARTBEAT: Heartbeat failure Jan 20 14:35:54 HEARTBEAT: Heartbeat failure Jan 20 14:35:55 HEARTBEAT: Heartbeat failure username@hostname> pattern HEARTBEAT on on on on core core core core 4 1 8 2

All
Palo Alto Networks
less
less
Lists the contents of the specified log file.
Syntax
less { custom-page <filename> | dp-backtrace <filename> | dp-log <filename> | mp-backtrace <filename> | mp-global <filename> | mp-log <filename> | webserver-log <filename> }
Options
> custom-page Lists contents of the specified custom page file (press <tab> for a list of log files) > dp-backtrace Lists contents of the specified data plane backtrace file (press <tab> for a list of log files) > dp-log Lists contents of the specified data plane log file (press <tab> for a list of log files) > mp-backtrace Lists contents of the specified management plane backtrace file (press <tab> for a list of log files) > mp-global Lists contents of the specified management plane global log file (press <tab> for a list of log files) > mp-log Lists contents of the specified management plane log file (press <tab> for a list of log files) > webserver-log Lists contents of the specified webserver log file (press <tab> for a list of log files)
Sample Output
The following command lists the contents of the web server error log.
username@hostname> default:2 main default:2 main default:2 main default:2 main default:2 main default:2 main default:2 main default:2 main default:2 main default:2 main ... less webserver-log error.log Configuration for Mbedthis Appweb -------------------------------------------Host: pan-mgmt2 CPU: i686 OS: LINUX Distribution: unknown Unknown OS: LINUX Version: 2.4.0.0 BuildType: RELEASE Started at: Mon Mar 2 12

All
Palo Alto Networks
ls
ls
Displays debug file listings.
Syntax
ls { long-format {no | yes} | reverse-order {no | yes} | sort-by-time {no | yes} | content {cache | decoders | global | pan_appversion | pan_threatversion | scripts | threats | apps | <content>} | custom-page <value> | dp-backtrace <filename> | dp-log <filename> | global <filename> | mp-backtrace <filename> | mp-global <filename> | mp-log <filename> | webserver-log <filename> }
Options
+ long-format File listing format (use long format) + reverse-order File listing order (list in reverse order) + sort-by-time Sort file listing by time > content Specify content to display > custom-page Custom page (select value from the list provided; press <tab> for list) > dp-backtrace DP backtrace file (select file from the list provided; press <tab> for list) > dp-log DP logs (select file from the list provided; press <tab> for list) > global Global files (select file from the list provided; press <tab> for list) > mp-backtrace MP backtrace file (select file from the list provided; press <tab> for list) > mp-global MP global files (select file from the list provided; press <tab> for list) > mp-log MP logs (select file from the list provided; press <tab> for list) > webserver-log Web server logs (select file from the list provided; press <tab> for list)

All
Palo Alto Networks
netstat
netstat
Displays network connections and statistics.
Syntax
netstat { all {no | yes} | cache {no | yes} | continuous {no | yes} | extend {no | yes} | fib {no | yes} | groups {no | yes} | interfaces {no | yes} | listening {no | yes} | numeric {no | yes} | numeric-hosts {no | yes} | numeric-ports numeric-users {no | yes} | programs {no | yes} | route {no | yes} | statistics {no | yes} | symbolic {no | yes} | timers {no | yes} | verbose {no | yes} }
Options
+ all Display all sockets (default = connected) + cache Display routing cache instead of Forwarding Information Base (FIB) + continuous Continuous listing + extend Display other/more information + fib Display FIB (default) + groups Display multicast group memberships + interfaces Display interface table + listening Display listening server sockets + numeric Do not resolve names + numeric-hosts Do not resolve host names + numeric-ports Do not resolve port names + numeric-users Do not resolve user names + programs Display PID/Program name for sockets + route Display routing table + statistics Display networking statistics (like SNMP) + symbolic Resolve hardware names + timers Display timers + verbose Display full details
Palo Alto Networks
netstat
Sample Output
The following command shows an excerpt from the output of the netstat command.
username@hostname> netstat all yes ... Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 5366 /tmp/ssh-lClRtS1936/ agent.1936 unix 2 [ ] DGRAM 959 @/org/kernel/udev/udevd unix 18 [ ] DGRAM 4465 /dev/log ...

All
Palo Alto Networks
ping
ping
Checks network connectivity to a host.
Syntax
ping { bypass-routing {no | yes} | count <value> | do-not-fragment {no | yes} | inet6 {no | yes} | interval <value> | no-resolve {no | yes} | pattern <value> | size <value> | source <value> | tos <value> | ttl <value> | verbose {no | yes} | host <value> }
Options
> bypass-routing Sends the ping request directly to the host on a direct attached network, bypassing usual routing table > count Specifies the number of ping requests to be sent (1-2,000,000,000) > do-not-fragment Prevents packet fragmentation by use of the do-not-fragment bit in the packets IP header > inet6 Specifies that the ping packets will use IP version 6 > interval Specifies how often the ping packets are sent (0 to 2000000000 seconds) > no-resolve Provides IP address only without resolving to hostnames > pattern Specifies a custom string to include in the ping request (you can specify up to 12 padding bytes to fill out the packet that is sent as an aid in diagnosing data-dependent problems) > size Specifies the size of the ping packets (0-65468 bytes) > source Specifies the source IP address for the ping command > tos Specifies the type of service (TOS) treatment for the packets by way of the TOS bit for the IP header in the ping packet (1-255) > ttl Specifies the time-to-live (TTL) value for the ping packet (IPv6 hop-limit value) (0-255 hops) > verbose Requests complete details of the ping request. * host Specifies the host name or IP address of the remote host
Palo Alto Networks
ping
Sample Output
The following command checks network connectivity to the host 66.102.7.104, specifying 4 ping packets and complete details of the transmission.
username@hostname> ping count 4 verbose yes host 66.102.7.104 PING 66.102.7.104 (66.102.7.104) 56(84) bytes of data. 64 bytes from 66.102.7.104: icmp_seq=0 ttl=243 time=316 ms 64 bytes from 66.102.7.104: icmp_seq=1 ttl=243 time=476 ms 64 bytes from 66.102.7.104: icmp_seq=2 ttl=243 time=376 ms 64 bytes from 66.102.7.104: icmp_seq=3 ttl=243 time=201 ms --- 66.102.7.104 ping statistics --4 packets transmitted, 4 received, 0% packet loss, time 3023ms rtt min/avg/max/mdev = 201.718/342.816/476.595/99.521 ms, pipe 2 username@hostname>

Palo Alto Networks
quit
quit
Exits the current session for the firewall. Note: The quit command is the same as the exit command.
Syntax
quit
Options
None

All
Palo Alto Networks
request acknowledge
request acknowledge
Acknowledges alarm logs.
Syntax
request acknowledge logid <value>
Options
<value> Specifies the log ID

Palo Alto Networks
request anti-virus
request anti-virus
Upgrade and downgrade antivirus packages and obtain information about the packages. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
request anti-virus { downgrade install {previous | <value>} |
upgrade
{ check | download latest {sync-to-peer {no | yes}} | info | install { commit {no | yes} | sync-to-peer {no | yes} | file <filename> | version latest } } }
Options
> downgrade Installs a previous version > upgrade Performs anti-virus upgrade functions > check Obtains information on available packages from the Palo Alto Networks server > download Downloads anti-virus packages + sync-to-peer Sends a copy to HA peer > info Shows information about available anti-virus packages > install Installs anti-virus packages + commit Indicates whether the installed package will be committed to the firewall + sync-to-peer Indicates whether a copy of the package will be provided to another high-availability peer firewall > file Specifies the name of the file containing the anti-virus package > version Specifies the latest version of the anti-virus software package
Sample Output
The following command displays information on the anti-virus packages that are available for installation.
username@hostname> request anti-virus upgrade info Version Size Released on Downloaded ------------------------------------------------------------------------46-93 44MB 2009/11/19 11:50:38 yes username@hostname>
Palo Alto Networks
request anti-virus

Palo Alto Networks
request certificate
request certificate
Generate a self-signed security certificate. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
request certificate generate { ca {no | yes} | country-code <value> | digest <value> | email <value> | filename <value> | locality <value> | nbits <value> | organization <value> | organization-unit <value> | signed-by <value> | state <value> | certificate-name <value> | name <value> | passphrase <value> }
Options
+ ca Make this a signing certificate + country-code Two-character code for the country in which the certificate will be used + digest Digest Algorithm (md5, sh1, sha256, sha384, sha512) + email Email address of the contact person + filename File name for the certificate + locality Locality (city, campus, or other local area) + nbits Length of the key (number of bits in the certificate 1024, 15360, 2048, 3072, 512) + organization Organization using the certificate + organization-unit Department using the certificate + signed-by CA for the signing certificate + state Two-character code for the state or province in which the certificate will be used * certificate-name Name of the certificate object * name IP address or fully qualified domain name (FQDN) to appear on the certificate * passphrase Pass phrase for encrypting private key
Sample Output
The following command requests a self-signed certificate for the web interface with length 1024 and IP address 1.1.1.1.
username@hostname> request certificate self-signed nbits 1024 name 1.1.1.1 foruse-by web-interface username@hostname>
Palo Alto Networks
request certificate

Palo Alto Networks
request commit-lock
request commit-lock
Sets options for locking commits.
Syntax
request commit-lock { add {comment <value>} | remove {admin <value>} }
Options
> add Prevents other users from committing + comment Comment value > remove Releases commit lock previously held + admin Administrator holding the lock

Palo Alto Networks
request config-lock
request config-lock
Sets options for locking configurations.
Syntax
request config-lock {add {comment <value>} | remove}
Options
> add Prevents other users from changing the configuration > remove Releases a previously held configuration lock

Palo Alto Networks
request content
request content
Perform application level upgrade operations. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
request content { downgrade install {previous | <value>} |
upgrade
{ check | download latest {sync-to-peer {no | yes}} | info | install { commit {no | yes} | sync-to-peer {no | yes} | file <filename> | version latest } } }
Options
> downgrade Installs a previous content version > upgrade Performs content upgrade functions > check Obtains information on available packages from the Palo Alto Networks server > download Downloads content packages + sync-to-peer Sends a copy to HA peer > info Shows information about available content packages > install Installs content packages + commit Indicates whether the installed package will be committed to the firewall + sync-to-peer Indicates whether a copy of the package will be provided to another high-availability peer firewall > file Specifies the name of the file containing the content package > version Specifies the latest version of the content software package
Sample Output
The following command lists information about the firewall server software.
username@hostname> request content upgrade check Version Size Released on Downloaded ------------------------------------------------------------------------13-25 10MB 2007/04/19 15:25:02 yes username@hostname>
Palo Alto Networks
request content

Palo Alto Networks
request data-filtering
request data-filtering
Assign passwords for data filtering. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
request data-filtering access-password { create password <value> | delete | modify old-password <value> new-password <value> }
Options
> create Creates the specified password > delete Deletes the data filtering password (when this command is issued, the system prompts for confirmation and warns that logged data will be deleted and logging will be stopped) > modify Changes the specified old password to the new password
Sample Output
The following command assigns the specified password for data filtering.
username@hostname> request data-filtering access-password create password mypwd username@hostname>

Palo Alto Networks
request device-registration
request device-registration
Performs device registration.
Syntax
request device-registration username <user> password <pwd>
Options
* username Specify the support portal user name for device access * password Specify the support portal password for device access
Sample Output
The following command registers the device with the specified user name and password.
username@hostname> request device-registration username admin password adminpwd username@hostname>

Palo Alto Networks
request global-protect-client
request global-protect-client
Performs GlobalProtect client package operations.
Syntax
request global-protect-client software { activate {file <file_name> | version <value>} | check | download | { sync-to-peer {no | yes} | file <file_name> | version <value> } info }
Options
> activate Activate a downloaded software package > file Upgrade to a software package by filename (press <tab> for list) > version Upgrade to a software package by version (press <tab> for list) > check Get information from Palo Alto Networks server > download Download software packages + sync-to-peer Send a copy to HA peer > file Downloaded software packages by filename (press <tab> for list) > version Download software packages by version (press <tab> for list) > info Show information about available software packages

Palo Alto Networks
request global-protect-gateway
request global-protect-gateway
Requests performance of GlobalProtect gateway functions.
Syntax
request global-protect-gateway { client-logout | { computer <value> | domain <value> | gateway <value> | reason force-logout | user <value> } unlock { is-seq {no | yes} | auth-profile <value> | user <value> | vsys <value> } }
Options
> client-logout GlobalProtect gateway user logout + computer User's computer name + domain User's domain name * gateway Name of the GlobalProtect gateway * reason Reason of logout * user User name > unlock Unlock locked users + is-seq Is this authentication sequence? * auth-profile Auth Profile * user User name * vsys Virtual System

Palo Alto Networks
request global-protect-portal
request global-protect-portal
Requests performance of GlobalProtect portal functions.
Syntax
request global-protect-portal ticket { challenge-first-value <value> | challenge-second-value <value> | duration <value> | portal <value> }
Options
* challenge-first-value First challege string (0-65535) * challenge-second-value Second challege string (0-65535) * duration Agent user override duration in minutes (0-65535) * portal Name of the GlobalProtect portal

Palo Alto Networks
request high-availability
request high-availability
Performs high-availability operations. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
request high-availability { state {functional | suspend} | sync-to-remote {candidate-config | clock | disk-state | running-config | runtime-state} }
Options
> state Sets the HA state of the device > functional Sets the HA state to a functional state > suspend Sets the HA state to suspended > sync-to-remote Performs configuration sync operations > candidate-config Syncs candidate configuration to peer > clock Syncs the local time and date to the peer > disk-state Syncs required on-disk state to peer > running-config Syncs running configuration to peer > runtime-state Syncs the runtime synchronization state to peer
Sample Output
The following command sets the high-availability state of the device to the suspended state.
username@hostname> request high-availability state suspend username@hostname>

Palo Alto Networks
request license
request license
Performs license-related operations. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
request license {fetch <auth-code> | info | install}
Options
> fetch Gets a new license key using an authentication code + auth-code Specifies the authentication code to use in fetching the license > info Displays information about currently owned licenses > install Installs a license key
Sample Output
The following command requests a new license key with the authentication code 123456.
username@hostname> request fetch auth-code 123456
username@hostname>

Palo Alto Networks
request master-key
request master-key
Changes the master key.
Syntax
request master-key new-master-key <value> {current-master-key <value>}
Options
+ current-master-key Specifies the current master key * new-master-key Specifies a new master key

Palo Alto Networks
request password-hash
request password-hash
Generates a hashed string for the user password.
Syntax
request password-hash password <pwd>
Options
password Specifies the plain text password that requires the hash string
Sample Output
The following command generates a hash of the specified password.
username@hostname> request password-hash password mypassword $1$flhvdype$qupuRAx4SWWuZcjhxn0ED.

Palo Alto Networks
request quota-enforcement
Enforces disk quotas for logs and packet captures.
Syntax
Options
None
Sample Output
The following command enforces the disk quotas.
username@hostname> request quota-enforcement

Palo Alto Networks
request restart
request restart
Restarts the system or software modules. CAUTION: Using this command causes the firewall to reboot, resulting in the temporary disruption of network traffic. Unsaved or uncommitted changes will be lost.
Syntax
request restart {dataplane | software | system}
Options
> dataplane Restarts the data plane software > software Restarts all system software > system Reboots the system
Sample Output
The following command restarts all the firewall software.
username@hostname> request restart software

Palo Alto Networks
request ssl-vpn
request ssl-vpn
Forces logout from a Secure Socket Layer (SSL) virtual private network (VPN) session. For more information, refer to the Configuring SSL VPNs chapter in the Palo Alto Networks Administrators Guide.
Syntax
request ssl-vpn { client-logout | { computer <value> | domain <value> | portal <value> | reason force-logout | user <value> } unlock { is-seq {no | yes} | auth-profile <value> | user <value> | vsys <value> } }
Options
> client-logout SSL VPN user logout + computer User's computer name + domain User's domain name * portal Name of the SSL VPN portal * reason Reason of logout * user User name > unlock Unlock locked users + is-seq Is this authentication sequence? * auth-profile Auth Profile * user User name * vsys Virtual System
Sample Output
The following command forces a logout of the specified user.
username@hostname> request ssl-vpn client-logout domain paloaltonetworks.com portal sslportal user ssmith reason force-logout

Palo Alto Networks
request support
request support
Obtains technical support information.
Syntax
request support {check | info}
Options
> check Gets support information from the Palo Alto Networks update server > info Shows downloaded support information
Sample Output
The following command shows downloaded support information.
username@hostname> request support info 0 Support Home https://support.paloaltonetworks.com Manage Cases https://support.paloaltonetworks.com/pa-portal/ index.php?option=com_pan&task=vie wcases&Itemid=100 Download User Identification Agent https://support.paloaltonetworks.com/pa-portal/ index.php?option=com_pan&task=sw_ updates&Itemid=135 866-898-9087 support@paloaltonetworks.com November 07, 2009 Standard 10 x 5 phone support; repair and replace hardware service username@hostname>

Palo Alto Networks
request system
request system
Performs system functions, including self testing, downloading system software, and requesting information about the available software packages.
Syntax
request system { self-test | { crypto | force-crypto-failure | software-integrity } fqdn {refresh | show} | private-data-reset | software { check | download {file <file> | version <version>} | info | install {file <file> | version <version>} } }
Options
> self-test This option is available in Common Criteria (CC) mode and Federal Information Processing Standard 140-2 (FIPS 140-2) mode (for more information, refer to Chapter 5, Maintenance Mode) > crypto Performs a self-test on all of the cryptographic algorithms the system has on it; if a failure occurs, the system will go into maintenance mode > force-crypto-failure Causes the system to reboot and fail the specified cryptographic self-test when it reboots; if a failure occurs, the system will go into maintenance mode > software-integrity Performs a software integrity test; if a failure occurs, the system will go into maintenance mode > fqdn Performs FQDN refresh/reset functions > refresh Force-refreshes all FQDNs used in rules > show Displays FQDNs used in rules and their IP addresses > private-data-reset Removes all of the logs and resets the configuration but does not reset content and software versions > software Performs system software installation functions > check Gets information from PaloAlto Networks server > download Downloads software packages > info Shows information about available software packages > install Installs a downloaded software package
Palo Alto Networks
request system
Sample Output
The following command requests information about the software packages that are available for download.
username@hostname> request system software info Version Filename Size Released Downloaded ------------------------------------------------------------------------3.0.1 panos.4050-3.0.1.tar.gz 127MB 2010/02/07 00:00:00 no 3.1.0 panos.4050-3.1.0.tar.gz 127MB 2009/02/07 00:00:00 no username@hostname>

Palo Alto Networks
request tech-support
request tech-support
Obtains information to assist technical support in troubleshooting.
Syntax
request technical support dump
Options
None
Sample Output
The following command creates a dump for technical support.
username@hostname> request tech-support dump Exec job enqueued with jobid 1 1

Palo Alto Networks
request url-filtering
request url-filtering
Performs URL filtering operations. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
request url-filtering { download status | install | { database | { major-version <value> | md5 <value> | minor-version <value> } signed-database } revert | upgrade {brightcloud {test}} }
Options
> download Shows status of information download for URL filtering > install Installs uploaded URL database > database Installs uploaded BrightCloud database * major-version Major BrightCloud database version * md5 MD5 of BrightCloud database * minor-version Minor BrightCloud database version > signed-database Installs signed uploaded BrightCloud database > revert Reverts last URL database > upgrade Upgrades to latest version + brightcloud Upgrades BrightCloud database (where present) + test Captures initial download in filter-pcap test_bc_download.pcap
Sample Output
The following command upgrades the BrightCloud database.
username@hostname> request url-filtering upgrade brightcloud

Palo Alto Networks
request vpnclient
request vpnclient
Performs VPN client package operations. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
request vpnclient software { activate {file <file_name> | version <value>} | check | download | { sync-to-peer {no | yes} | file <file_name> | version <value> } info }
Options
> activate Activate a downloaded software package > file Upgrade to a software package by filename (press <tab> for list) > version Upgrade to a software package by version (press <tab> for list) > check Get information from Palo Alto Networks server > download Download software packages + sync-to-peer Send a copy to HA peer > file Downloaded software packages by filename (press <tab> for list) > version Download software packages by version (press <tab> for list) > info Show information about available software packages
Sample Output
The following command displays information about the available software packages.
username@hostname> request vpnclient software info Version Size Released on Downloaded ------------------------------------------------------------------------1.0.0-c54 916KB 2009/03/04 15:04:33 no 1.0.0-c53 916KB 2009/03/04 14:09:17 no 1.0.0-c52 916KB 2009/03/04 11:49:51 no 1.0.0-c51 916KB 2009/03/03 16:45:38 no

Palo Alto Networks
schedule
schedule
Schedules test jobs. Botnet and UAR reports may be scheduled.
Syntax
schedule { botnet-report | { period {last-24-hrs | last-calendar-day} | query <value> | topn <value> } commit | uar-report { end-time <value> | period <value> | start-time <value> | title <value> | user <username> | } }
Options
> botnet-report Schedule botnet report + period Report period (last 24 hours or last calendar day) + query Query value + topn TopN value > commit Commit configured schedule > uar-report Schedule user access UAR report + end-time Report end time + period Period to be covered in report + start-time Report start time + title Report title * user Specify user

Palo Alto Networks
scp export
scp export
Uses SCP (secure copy) to upload files from the device to another system. Use this command to copy files between the firewall and another host.
Syntax
scp export <option> {remote-port <port_number> | source-ip <ip_address> | to <target>} { application-block-page | application-pcap {from <file_name>} | captive-portal-text | configuration {from <file_name>} | core-file {data-plane | management-plane} {from <file_name>} | crl {from <file_name>} | debug-pcap {from <file_name>} | file-block-continue-page | file-block-page | filter-pcap {from <file_name>} | high-availability-key {from <file_name>} | inbound-proxy-key {from <value>} | log {data | threat | traffic | url} | { max-log-count <value> | query <value> | unexported-only equal {no | yes} | end-time <value> | start-time <value> | } log-file {data-plane | management-plane} {from <file_name>} | logdb | pdf-reports {from <file_name>} | ssl-cert-status-page | ssl-decryption-certificate | ssl-optout-text | sslvpn-custom-login-page | stats-dump | tech-support | threat-pcap {from <file_name>} | url-block-page | url-coach-text | virus-block-page | web-interface-certificate }
Options
+ remote-port SSH port number on remote host (1-65535) + source-ip Set source address to specified interface address (x.x.x.x or IPv6) * to Destination (username@host:path) > application-block-page Use scp to export application block comfort page
Palo Alto Networks
scp export
> application-pcap Use scp to export an application packet capture file * from pcap file name > captive-portal-text Use scp to export text to be included in a captive portal > configuration Use scp to export a configuration file * from File name > core-file Use scp to export a core file > data-plane Use scp to export a data plane core file * from File name > management-plane Use scp to export a management plane core file * from File name > crl Use scp to export a crl.tgz file * from File name > debug-pcap Use scp to export packet capture generated for the purpose of debugging daemons * from pcap file name > file-block-continue-page Use scp to export a file containing comfort pages to be presented when files are blocked > file-block-page Use scp to export file block comfort page > filter-pcap Use scp to export filter packet capture * from pcap file name > high-availability-key Use scp to export a high-availability peer encryption key * from File name > inbound-proxy-key Use scp to export an inbound proxy key * from Value (0-7) > log Use scp to export a log in comma-separated values (CSV) format (data, threat, traffic, or URL log) + max-log-count max number of logs to export (0-65535) + query query value + unexported-only filter logs that are not previously exported (no or yes) * end-time date and time YYYY/MM/DD@hh:mm:ss (e.g. 2006/08/01@10:00:00) * start-time date and time YYYY/MM/DD@hh:mm:ss (e.g. 2006/08/01@10:00:00) > log-file Use scp to export log file > data-plane Use scp to export data-plane core-file > management-plane Use scp to export management-plane core-file > logdb Use scp to export a log database > pdf-reports Use scp to export PDF reports * from File name > ssl-cert-status-page Use scp to export an SSL certificate status page > ssl-decryption-certificate Use scp to export an SSL decryption certificate > ssl-optout-text Use scp to export SSL optout text > sslvpn-custom-login-page Use scp to export an SSL VPN login page > stats-dump Use scp to export a log database in CSV format > tech-support Use scp to export technical support information > threat-pcap Use scp to export threat packet capture * from pcap file name > url-block-page Use scp to export a comfort page to be presented when files are blocked due to a blocked URL > url-coach-text Use scp to export text to be presented when files are blocked due to a blocked URL > virus-block-page Use scp to export a comfort page to be presented when files are blocked due to a virus > web-interface-certificate Use scp to export a web interface certificate

Palo Alto Networks
scp import
scp import
Uses SCP (secure copy) to download files to the device. Use this command to download a customizable HTML replacement message (comfort page) in place of a malware infected file. For more information, refer to the Custom Pages appendix in the Palo Alto Networks Administrators Guide.
Syntax
scp import <option> {remote-port <port_number> | source-ip <ip_address> | from <source>} { anti-virus | application-block-page | captive-portal-text | certificate | configuration | content | file-block-continue-page | file-block-page | global-protect-client | global-protect-portal-custom-help-page {profile <profile_name>} | global-protect-portal-custom-login-page {profile <profile_name>} | high-availability-key | license | logdb | private-key {passphrase <value>} | software | ssl-cert-status-page | ssl-optout-text | sslvpn-custom-login-page {profile <profile_name>} | url-block-page | url-coach-text | url-database | virus-block-page | vpnclient }
Options
+ remote-port SSH port number on remote host (1-65535) + source-ip Set source address to specified interface address (x.x.x.x or IPv6) * from Source (username@host:path) > anti-virus Use scp to import anti-virus content > application-block-page Use scp to import application block comfort page > captive-portal-text Use scp to import text to be used in a captive portal > certificate Use scp to import an X.509 certificate > configuration Use scp to import a configuration file > content Use scp to import database content > file-block-continue-page Use scp to import a blocked file continue page > file-block-page Use scp to import a file containing comfort pages to be presented when files are blocked > global-protect-client Use scp to import globalProtect client package > global-protect-portal-custom-help-page Use scp to import GlobalProtect portal custom help page * profile For GlobalProtect portal profile
Palo Alto Networks
scp import
> global-protect-portal-custom-login-page Use scp to import GlobalProtect portal custom login page * profile For GlobalProtect portal profile > high-availability-key Use scp to import a high-availability peer encryption key > license Use scp to import a license file > logdb Use scp to import a log database > private-key Use scp to import an X.509 key * passphrase Passphrase for private key > software Use scp to import a software package > ssl-cert-status-page Use scp to import an SSL certificate status page > ssl-optout-text Use scp to import SSL optout text > sslvpn-custom-login-page Use scp to import an SSL VPN custom login page * profile For SSL VPN profile > url-block-page Use scp to import a comfort page to be presented when files are blocked due to a blocked URL > url-coach-text Use scp to import coach text about possible actions on the URL comfort page > url-database Use scp to import a URL database package > virus-block-page Use scp to import a virus block comfort page > vpnclient Use scp to import a VPN client package
Sample Output
The following command imports a license file from a file in user1s account on the machine with IP address 10.0.3.4.
username@hostname> scp import certificate from user1@10.0.3.4:/tmp/ certificatefile

Palo Alto Networks
set application
set application
Configures parameters for system behavior when applications are blocked. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
set application { cache {no | yes} | dump | { off | on { application <name> | destination <ip_address> | destination-port <port_number> | destination-user <value> | from <zone> | limit <value> | protocol <value> | rule <name> | source <ip_address> | source-port <port_number> | source-user <value> | to <zone> } } dump-unknown {no | yes} | heuristics {no | yes} | notify-user {no | yes} | supernode {no | yes} | }
Options
> cache Enables or disables the application cache > dump Enables or disables the application packet capture. The following options determine the contents of the dump: + application Specified application + destination Destination IP address of the session + destination-port Destination port + destination-user Destination user + from Specified zone + limit Maximum number of sessions to capture + protocol Specified protocol + rule Specified rule name + source Source IP address for the session + source-port Specified source port + source-user Specified source user + to Specified zone
Palo Alto Networks
set application
> dump-unknown Enables or disables capture of unknown applications > heuristics Enables or disables heuristics detection for applications > notify-user Enables or disables user notification when an application is blocked > supernode Enables or disables detection of super nodes for peer-to-peer applications that have designated supernodes on the Internet
Sample Output
The following command turns packet capture for unknown applications off.
username@hostname> set application dump-unknown off username@hostname>

Palo Alto Networks
set cli
set cli
Configures scripting and pager options for the PAN-OS CLI. Options are included to display configuration commands in default format, XML format, or as operational set commands.
Syntax
set cli { config-output-format {default | set | xml} | confirmation-prompt {off | on} | hide-ip | hide-user | pager {off | on} | scripting-mode {off | on} | terminal {height <value> | type <value> | width <value>} | timeout idle {never | value>} }
Options
> config-output-format Sets the output format for the configuration file to the default, XML format, or set command format > configuration-prompt Enables or disables presentation of a confirmation prompt for some configuration commands > hide-ip Hides the last octet of the IP address in logs > hide-user Hides user names in logs > scripting-mode Toggles scripting mode (scripting mode will modify the CLI output such that special characters used for formatting are suppressed) > pager Enables or disables pagers > terminal Sets terminal parameters for CLI access > height Sets terminal height (1-500) > type Sets terminal type (press <tab> for list) > width Sets terminal width (1-500) > timeout Sets administrative session timeout values + idle Idle timeout (never or 0-1440 minutes; default = 60 minutes)
Sample Output
The following command sequence sets the configuration mode to use set command format for output and then displays the output of the show system log-export-schedule command in Configuration mode.
username@hostname> set cli config-output-format set username@hostname> configure Entering configuration mode [edit] username@hostname# edit deviceconfig [edit deviceconfig] username@hostname# show system log-export-schedule set deviceconfig system log-export-schedule 10.16.0.97 description 10.16.0.97 set deviceconfig system log-export-schedule 10.16.0.97 enable yes
Palo Alto Networks
set cli
set deviceconfig system log-export-schedule set deviceconfig system log-export-schedule set deviceconfig system log-export-schedule 10.16.0.97 set deviceconfig system log-export-schedule set deviceconfig system log-export-schedule mode yes set deviceconfig system log-export-schedule admin set deviceconfig system log-export-schedule mZDB7rbW5y8= username@hostname#
10.16.0.97 log-type threat 10.16.0.97 start-time 03:00 10.16.0.97 protocol ftp hostname 10.16.0.97 protocol ftp port 21 10.16.0.97 protocol ftp passive10.16.0.97 protocol ftp username 10.16.0.97 protocol ftp password
The following command sequence shows the same example after XML is specified as the command output format.
username@hostname> set cli config-output-format xml username@hostname> configure Entering configuration mode [edit] username@hostname# edit deviceconfig [edit deviceconfig] username@hostname# show system log-export-schedule <log-export-schedule> <entry name="10.16.0.97"> <description>10.16.0.97</description> <enable>yes</enable> <log-type>threat</log-type> <start-time>03:00</start-time> <protocol> <ftp> <hostname>10.16.0.97</hostname> <port>21</port> <passive-mode>yes</passive-mode> <username>admin</username> <password>mZDB7rbW5y8=</password> </ftp> </protocol> </entry> </log-export-schedule> [edit deviceconfig] [edit deviceconfig] username@hostname#

Palo Alto Networks
set clock
set clock
Configures the system date and time.
Syntax
set clock {date <value> | time <value>}
Options
+ date Specify the date in yyyy/mm/dd format + time Specify the time in hh:mm:ss format (hh: 0-23, mm: 0-59, ss: 0-59)
Sample Output
The following command sets the system date and time.
username@hostname> set clock date 2009/03/20 time 14:32:00 username@hostname>

Palo Alto Networks
set data-access-password
set data-access-password
Configures the access password for the data filtering logs. The data filtering log records information on the security policies that help prevent sensitive information such as credit card or social security numbers from leaving the area protected by the firewall.
Syntax
set data-access-password <pwd>
Options
<pwd> Specifies the password for accessing data filtering logs
Sample Output
The following command sets the password for data filtering logs.
username@hostname> set data-access password 12345678 username@hostname>

Palo Alto Networks
set management-server
set management-server
Configures parameters for the management server, which manages configuration, reports, and authentication for the firewall.
Syntax
set management-server { logging unlock }
Options
> logging Sets the following logging options: import-end Exit import mode import-start Enter import mode off Disable logging on Allow logging > unlock Specifies the serial number or software license key
Sample Output
The following command enables logging on the management server.
username@hostname> set management-server logging on username@hostname>

Palo Alto Networks
set panorama
set panorama
Enables or disables the connection between the firewall and Panorama. For more information, refer to the Central Management of Devices chapter in the Palo Alto Networks Administrators Guide.
Syntax
set panorama {off | on}
Options
on Enables the connection between the firewall and Panorama off Disables the connection between the firewall and Panorama
Sample Output
The following command disables the connection between the firewall and Panorama.
username@hostname> set panorama off username@hostname>

Palo Alto Networks
set password
set password
Configures the firewall password. When you issue this command, the system prompts you to enter the old and new password and to confirm the new password.
Syntax
set password
Options
None
Sample Output
The following example shows how to reset the firewall password.
username@hostname> Enter old password Enter new password Confirm password Password changed username@hostname> set password : (enter the old password) : (enter the new password0 : (reenter the new password)

Palo Alto Networks
set serial-number
set serial-number
(Panorama only) Configures the serial number of the Panorama machine. The serial number must be set for Panorama to connect to the update server.
Syntax
set serial-number <value>
Options
<value> Specifies the serial number or software license key
Sample Output
The following command sets the Panorama serial number to 123456.
username@hostname> set serial-number 123456 username@hostname>

Palo Alto Networks
set session
set session
Configures parameters for the networking session.
Syntax
set session { accelerated-aging-enable {no | yes} | accelerated-aging-scaling-factor <value> | accelerated-aging-threshold <value> | default | offload {no | yes} | scan-scaling-factor <value> | scan-threshold <value> | tcp-reject-non-syn {no | yes} | timeout-default <value> | timeout-discard-default <value> | timeout-discard-tcp <value> | timeout-discard-udp <value> | timeout-icmp <value> | timeout-scan <value> | timeout-tcp <value> | timeout-tcphandshake <value> | timeout-tcpinit <value> | timeout-tcpwait <value> | timeout-udp <value> }
Options
> accelerated-aging-enable Enables or disables accelerated session aging > accelerated-aging-scaling-factor Sets the accelerated session aging scaling factor (power of 2, between 2-16) > accelerated-aging-threshold Sets the accelerated aging threshold as a percentage of session utilization (50-99) > default Restores all session settings to default values > offload Enables or disables hardware session offload (Some firewall models have specialized hardware to manage TCP, UDP, and ICMP sessions. This option enables or disables this capability. If it is disabled, the sessions are managed by the firewall software.) > scan-scaling-factor Sets scan scaling factor (2-16) > scan-threshold Resource utilization threshold to trigger session scan (50-99) > tcp-reject-non-syn Rejects non-synchronized TCP packets for session setup (no or yes) > timeout-default Sets the session default timeout value in seconds (1-15999999) > timeout-discard-default Sets timeout of non-TCP/UDP session in discard state (1-15999999) > timeout-discard-tcp Sets timeout of TCP session in discard state (1-15999999) > timeout-discard-udp Sets timeout of UDP session in discard state (1-15999999) > timeout-icmp Sets the session timeout value for ICMP commands (1-15999999) > timeout-scan Application trickling timeout value in seconds (5-30) > timeout-tcp Sets the session timeout value for TCP commands (1-15999999) > timeout-tcphandshake Sets session tcp handshake timeout value in seconds (1-60) > timeout-tcpinit Sets the initial TCP timeout value in seconds (1-60) > timeout-tcpwait Sets the session TCP wait timeout value in seconds (1-60) > timeout-udp Sets the session timeout value for UDP commands (1-15999999)
Palo Alto Networks
set session
Sample Output
The following command sets the TCP timeout to 1 second.
username@hostname> set session timeout-tcpwait 1 username@hostname>

Palo Alto Networks
set system setting
set system setting

Configures system operational parameters.
Syntax
set system setting { ctd | { strip-x-fwd-for {no | yes} | x-forwarded-for {no | yes} } logging | { default | default-policy-logging <value> | log-suppression {no | yes} | max-log-rate <value> | max-packet-rate <value> } multi-vsys {off | on}| pow | { wqe-inuse-check {no | yes} | wqe-tag-check {no | yes} } shared-policy {disable | enable | import-and-disable} | ssl-decrypt | { answer-timeout <value> | notify-user {no | yes} | skip-ssl {no | yes} | skip-ssl-decrypt {no | yes} } target-vsys {none | <vsystem>} | url-database <name> | url-filtering-feature {cache | filter} {false | true} | zip enable {yes | no} }
Options
> ctd > strip-x-fwd-for Whether or not to strip x-forwarded-for from HTTP headers > x-forwarded-for Enables or disables parsing of the x-forwarded-for attribute > logging Sets logging parameters > default Restores logging parameters to the default settings > default-policy-logging Sets the default log policy > log-suppression Enables or disables log suppression (1-300) > max-packet-rate value Sets the maximum packet rate for logging (0-50000) > max-log-rate value Sets the maximum logging rate (0-2560)
Palo Alto Networks
set system setting
> multi-vsys Enables or disables multiple virtual systems > pow Enables or disables the Linux pow function Work Queue Entry (WQE) checks > shared-policy Enables, disables, or imports and disables shared policies > ssl-decrypt Sets SSL decryption parameters > answer-timeout Set ssl-decrypt answer timeout value (1-86400) > notify-user Enable/disable notify user web page > skip-ssl Enable/disable SSL decryption > skip-ssl-decrypt Enable/disable ssl-decrypt > target-vsys Enable the specified virtual system for operational commands > url-database Set the URL database > url-filtering-feature Change URL filtering feature settings > cache Enable/disable Base DB cache feature for URL filtering > filter Enable/disable Bloom filter feature for URL filtering > zip Enables or disables decompression of traffic for content scanning purposes
Sample Output
The following command enables logging suppression.
username@hostname> set system setting logging log-suppression yes username@hostname>

superuser, vsysadmin, deviceadmin, superreader, vsysreader
Palo Alto Networks
show admins
show admins
Displays information about the active firewall administrators.
Syntax
show admins {all}
Options
all Lists the names of all administrators
Sample Output
The following command displays administrator information for the 10.0.0.32 firewall.
username@hostname> show admins | match 10.0.0 Admin From Type Session-start Idle-for -------------------------------------------------------------------------admin 10.0.0.132 Web 02/19 09:33:07 00:00:12s username@hostname>

Palo Alto Networks
show arp
show arp
Displays current Address Resolution Protocol (ARP) entries.
Syntax
show arp <interface_name>
Options
<interface_name> Specifies the interface for which the ARP table is displayed all Displays information for all ARP tables ethernetn/m Displays information for the specified interface loopback Displays loopback information vlan Displays VLAN information
Sample Output
The following command displays ARP information for the ethernet1/1 interface.
username@hostname> show arp ethernet1/1 maximum of entries supported : default timeout: total ARP entries in table : total ARP entries shown : status: s - static, c - complete, i username@hostname> 8192 1800 seconds 0 0 - incomplete

Palo Alto Networks
show authentication
show authentication
Displays authentication information.
Syntax
show authentication {allowlist | groupdb | groupnames}
Options
> allowlist Displays the authentication allow list > groupdb Lists the group authentication databases > groupnames Lists the distinct group names
Sample Output
The following command shows the list of users that are allowed to access the firewall.
username@hostname> show authentication allowlist vsysname ---------vsys1 vsys1 profilename ----------SSLVPN wtam-SSLVPN username ---------------------------paloaltonetwork\domain users group1
username@hostname>

Palo Alto Networks
show chassis-ready
show chassis-ready
Shows whether the data plane has a running policy.
Syntax
show chassis-ready
Options
None
Sample Output
The following command shows that the data plane has a currently running policy.
username@hostname> show chassis-ready yes username@hostname>

Palo Alto Networks
show cli
show cli
Displays information about the current CLI session.
Syntax
show cli info
Options
None
Sample Output
The following command shows information about the current CLI session.
username@hostname> show cli info Process ID : 2045 Pager : enabled Vsys configuration mode : disabled username@hostname>

Palo Alto Networks
show clock
show clock
Shows the current time on the firewall.
Syntax
show clock
Options
None
Sample Output
The following command shows the current time.
username@hostname> show clock Sun Feb 18 10:49:31 PST 2007 username@hostname>

Palo Alto Networks
show commit-locks
show commit-locks
Displays the list of administrators who hold commit locks.
Syntax
show commit-locks
Options
None

Palo Alto Networks
show config
show config
Displays the active configuration.
Syntax
show config
Options
None
Sample Output
The following command shows the configuration lines that pertain to VLANs.
username@hostname> show config | match vlan vlan { vlan; username@hostname>

Palo Alto Networks
show config-locks
show config-locks
Displays the list of administrators who hold configuration locks.
Syntax
show config-locks
Options
None

Palo Alto Networks
show counter
show counter
Displays system counter information.
Syntax
show counter {global | interface | management-server}
Options
> global Displays global system counter information > interface Displays system counter information grouped by interface > management-server Displays management server counter information
Sample Output
The following command displays all configuration counter information grouped according to interface.
username@hostname> show counter interface
hardware interface counters: -----------------------------------------------------------------------interface: ethernet1/1 -----------------------------------------------------------------------bytes received 0 bytes transmitted 0 packets received 0 packets transmitted 0 receive errors 0 packets dropped 0 -----------------------------------------------------------------------... username@hostname>

Palo Alto Networks
show device
show device
(Panorama only) Shows the state of managed devices. For more information, refer to the Central Management of Devices chapter in the Palo Alto Networks Administrators Guide.
Syntax
show device {all | connected}
Options
> all Displays information for all managed devices. > connected Displays information for all connected devices.
Sample Output
The following command shows information for connected devices.
username@hostname> show devices connected Serial Hostname IP Connected -------------------------------------------------------------------------PA04070001 pan-mgmt2 10.1.7.2 yes last push state: none
username@hostname>

superuser, superuser (read only), Panorama admin
Palo Alto Networks
show device-messages
show device-messages
(Panorama only) Displays the policy messages for devices. For more information, refer to the Central Management of Devices chapter in the Palo Alto Networks Administrators Guide.
Syntax
show device-messages {device | group}
Options
> device Displays the messages only for the specified device. > group Displays the messages only for the specified device group.
Sample Output
The following command shows the device messages for the device pan-mgmt2 and the group dg1.
username@hostname> show device-messages device pan-mgmt2 group dg1 username@hostname>

Palo Alto Networks
show devicegroups
show devicegroups
(Panorama only) Displays information about device groups. For more information, refer to the Central Management of Devices chapter in the Palo Alto Networks Administrators Guide.
Syntax
show devicegroups <name>
Options
<name> Displays the information only for the specified device group.
Sample Output
The following command shows information for the device group dg1.
username@hostname> show devicegroups dg1 ========================================================================== Group: dg3 Shared policy md5sum:dfc61be308c23e54e5cde039689e9d46 Serial Hostname IP Connected -------------------------------------------------------------------------PA04070001 pan-mgmt2 10.1.7.2 yes last push state: push succeeded vsys3 shared policy md5sum:dfc61be308c23e54e5cde039689e9d46(In Sync) username@hostname>

Palo Alto Networks
show dhcp
show dhcp
Displays information about Dynamic Host Control Protocol (DHCP) leases.
Syntax
show dhcp lease {<value> | all}
Options
<value> Identifies the interface (ethernetn/m) all Displays all the lease information.
Sample Output
The following command shows all lease information.
username@hostname> show dhcp all interface: ethernet1/9 ip mac expire 66.66.66.1 00:15:c5:60:a5:b0 Tue Mar 11 16:12:09 2008 66.66.66.2 00:15:c5:e1:0d:b0 Tue Mar 11 16:08:01 2008 username@hostname>

Palo Alto Networks
show dns-proxy
show dns-proxy
Displays information about the Domain Name Server (DNS) proxy.
Syntax
show dns-proxy { cache {all | name <value>} | settings {all | name <value>} | static-entries {all | name <value>} | statistics {all | name <value>} }
Options
> cache DNS proxy cache > all Displays all DNS proxy cache information > name Displays cache information for the specified DNS proxy object > settings DNS proxy settings > all Displays all DNS proxy settings > name Displays settings for the specified DNS proxy object > static-entries DNS proxy static entries > all Displays all DNS proxy static entries > name Displays static entries for the specified DNS proxy object > statistics DNS proxy statistics > all Displays all DNS proxy statistics > name Displays statistics for the specified DNS proxy object
Sample Output
The following command displays all of the DNS proxy settings in the current session.
username@hostname> show dns-proxy settings all Name: Nicks Proxy Interfaces: ethernet1/10.1 ethernet1/10.2 Default name servers: 68.87.76.182 68.87.78.134 Status: Enabled Match Rules: backhaul to corporate dns: engineering.paloaltonetworks.com *.paloaltonetworks.local *.local 10.0.0.2 10.0.0.3 My Company: *.mycompany.* 11.11.11.253 -------------------------------------username@hostname>

Palo Alto Networks
show dos-protection
show dos-protection
Displays information about the Denial of Service (DoS) protection.
Syntax
show dos-protection { rule <name> | { settings | statistics } zone <name> blocked source }
Options
> rule Displays settings and statistics about the specified rule > settings Show settings > statistics Show statistics > zone Displays information about the specified zone

Palo Alto Networks
show fips-mode
show fips-mode
Displays the status of the Federal Information Processing Standards (FIPS) 140-2 mode. For information about enabling and disabling FIPS mode, refer to Chapter 5, Maintenance Mode.
Syntax
show fips-mode
Options
None
Sample Output
The following command shows that FIPS mode is off.
username@hostname> show fips-mode off username@hostname>

Palo Alto Networks
show global-protect-gateway
show global-protect-gateway
Displays GlobalProtect gateway run-time objects.
Syntax
show global-protect-gateway { current-user | { domain <value> | gateway <value> | user <value> } flow | { name <value> | tunnel-id <value> } gateway name <value> | previous-user { domain <value> | gateway <value> | user <value> } }
Options
> current-user Displays current GlobalProtect gateway users + domain Displays users which domain name start with the string + gateway Displays for given GlobalProtect gateway + user Displays users which user name start with the string > flow Displays data plane GlobalProtect gateway tunnel information > name Displays for given GlobalProtect gateway tunnel > tunnel-id Displays specific tunnel information (1-65535) > gateway Displays list of GlobalProtect gateway configuration + name Displays for given GlobalProtect gateway > previous-user Displays previous user session for GlobalProtect gateway users + domain Displays users which domain name start with the string + gateway Displays for given GlobalProtect gateway + user Displays users which user name start with the string

Palo Alto Networks
show high-availability
Displays runtime information about the high availability subsystem. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
show high-availability { all | control-link statistics | dataplane-status | flap_statistics | interface <interface_name> | link-monitoring | path-monitoring | state | state-synchronization | transitions | virtual-address }
Options
> all Displays high availability information > control-link Displays control link statistic information > dataplane-status Displays data plane runtime status > flap-statistics Displays high availability preemptive/non-functional flap statistics > interface Displays high availability interface information > link-monitoring Displays link monitoring state > path-monitoring Displays path monitoring statistics > state Displays high availability state information > state-synchronization Displays state synchronization statistics > transitions Displays high availability transition statistic information > virtual-address Displays the virtual addresses configured on the firewall in active-active high availability mode, summarizing the virtual IPs and virtual MACs according to the interface on which they are configured
Sample Output
The following command shows information for the high availability subsystem.
username@hostname> show high-availability path-monitoring ---------------------------------------------------------------------------path monitoring: disabled total paths monitored: 0 ---------------------------------------------------------------------------username@hostname>
Palo Alto Networks
The following command displays the active-active virtual addresses.

username@hostname> show high-availability virtual-address Total interfaces with virtual address configured: 3 Total virtual addresses configured: 14 ---------------------------------------------------------------------------Interface: vlan.1 Virtual MAC: 00:1b:17:00:03:01 192.168.55.240 Active:yes Type:floating 192.168.55.241 Active:yes Type:floating ---------------------------------------------------------------------------Interface: vlan.2 Virtual MAC: 00:1b:17:00:03:01 192.168.56.241 Active:yes Type:ARP-load-sharing 192.168.56.240 Active:yes Type:ARP-load-sharing ---------------------------------------------------------------------------Interface: ethernet1/6 Virtual MAC: 00:1b:17:00:03:15 192.168.55.220 Active:yes Type:floating 192.168.55.221 Active:no Type:floating 192.168.55.222 Active:yes Type:floating 192.168.55.223 Active:no Type:floating 2001:0:0:0:0:0:c0a8:e7c8 Active:yes Type:floating 2001:0:0:0:0:0:c0a8:e7c9 Active:no Type:floating 2001:0:0:0:0:0:c0a8:e7d0 Active:yes Type:ARP-load-sharing 2001:0:0:0:0:0:c0a8:37d0 Active:yes Type:ARP-load-sharing 2001:0:0:0:0:0:c0a8:37c9 Active:no Type:floating 2001:0:0:0:0:0:c0a8:37c8 Active:yes Type:floating ---------------------------------------------------------------------------username@hostname>

Palo Alto Networks
show interface
show interface
Displays information about system interfaces. For more information, refer to the Networking chapter in the Palo Alto Networks Administrators Guide.
Syntax
show interface <interface_name>
Options
all Displays information for all ARP tables ethernetn/m Displays information for the specified interface hardware Displays all hardware interface information logical Displays all logical interface information loopback Displays loopback information management Displays management interface information tunnel Displays tunnel information vlan Displays VLAN information
Sample Output
The following command displays information about the ethernet1/2 interface.
username@hostname> show interface ethernet1/3 ---------------------------------------------------------------------------Name: ethernet1/3, ID: 18 Link status: Runtime link speed/duplex/state: unknown/unknown/down Configured link speed/duplex/state: auto/auto/auto Link is forced down due to link-state-pass-through MAC address: Port MAC address 00:1b:17:00:6f:12 Operation mode: virtual-wire ---------------------------------------------------------------------------Name: ethernet1/3, ID: 18 Operation mode: virtual-wire Virtual wire: vw34, peer interface: ethernet1/4 Interface management profile: N/A Service configured: Zone: vw34, virtual system: vsys1

Palo Alto Networks
show jobs
show jobs
Displays information about current system processes.
Syntax
show jobs {all | id <value> | pending | processed}
Options
> all Displays information for all jobs > id number Identifies the process by number (1-4294967296) > pending Displays recent jobs that are waiting to be executed > processed Displays recent jobs that have been processed
Sample Output
The following command lists jobs that have been processed in the current session.
username@hostname> show jobs processed Enqueued ID Type Status Result Completed -------------------------------------------------------------------------2007/02/18 09:34:39 2 AutoCom FIN OK 2007/02/18 09:34:40 2007/02/18 09:33:00 1 AutoCom FIN FAIL 2007/02/18 09:33:54 username@hostname>

Palo Alto Networks
show location
show location
Shows the geographic location of a firewall.
Syntax
show location ip <ip_address>
Options
<ip_address> Specifies the IP address of the firewall (x.x.x.x or IPv6)
Sample Output
The following command shows location information for the firewall 10.1.1.1.
username@hostname> show location ip 10.1.1.1 show location ip 201.52.0.0 201.52.0.0 Brazil username@hostname>

Palo Alto Networks
show log
show log
Displays system logs. For more information, refer to the Device Management chapter in the Palo Alto Networks Administrators Guide.
Syntax
show log {threat | config | system | traffic} <option> {equal | not-equal} <value> { alarm | { ack_admin equal <value> | admin equal <value> | csv-output equal {no | yes} | direction equal {backward | forward} | dstip equal <ip/netmask> | dstport equal <port_number> | end-time equal <value> | opaque contains <value> | receive_time in {last-12-hrs | last-15-minutes | last-24-hrs | last-30days | last-6-hrs | last-60-seconds | last-7-days | last-calendarday | last-calendar-month | last-hour} | rulegroup equal <value> | srcip equal <ip/netmask> | srcport equal <port_number> | start-time equal <value> | time_acknowledged equal <value> | vsys equal <value> | } appstat | { csv-output equal {no | yes} | direction equal {backward | forward} | end-time equal <value> | name {equal | not-equal} <value> | query equal <value> | receive_time in {last-12-hrs | last-15-minutes | last-24-hrs | last-30days | last-6-hrs | last-60-seconds | last-7-days | last-calendarday | last-calendar-month | last-hour} | risk {equal | greater-than-or equal | less-than-or-equal | not-equal} {1 | 2 | 3 | 4 | 5} | start-time equal <value> | type {equal | not-equal} <value> } config | { client {equal | not-equal} {cli | web} | cmd {equal | not-equal} {add | clone | commit | create | delete | edit | get | load-from-disk | move | rename | save-to-diak | set}| csv-output equal {no | yes} | direction equal {backward | forward} |
Palo Alto Networks
show log
end-time equal <value> | query equal <value> | receive_time in {last-12-hrs | last-15-minutes | last-24-hrs | last-30days | last-6-hrs | last-60-seconds | last-7-days | last-calendarday | last-calendar-month | last-hour} | result {equal | not-equal} {failed | succeeded | unauthorized} | start-time equal <value> } data | { action {equal | not-equal} {alert | allow | block-url | deny | drop | drop-all-packets | reset-both | reset-client | reset-server} | app {equal | not-equal} <value> | category {equal | not-equal} <value> | csv-output equal {no | yes} | direction equal {backward | forward} | dport {equal | not-equal} <port_number> | dst {in | not-in} <ip/netmask> | dstuser equal <user_name> | end-time equal <value> | from {equal | not-equal} <value> query equal <value> | receive_time in {last-12-hrs | last-15-minutes | last-24-hrs | last-30days | last-6-hrs | last-60-seconds | last-7-days | last-calendarday | last-calendar-month | last-hour} | rule {equal | not-equal} <value> | sport {equal | not-equal} <port_number> | src {in | not-in} <ip/netmask> | srcuser equal <user_name> | start-time equal <value> | suppress-threatid-mapping equal {no | yes} | to {equal | not-equal} <value> } hipmatch | { csv-output equal {no | yes} | machinename {equal | not-equal} <name> | matchname {equal | not-equal} <name> | matchtype {equal | not-equal} {object | profile} | query equal <value> | receive_time in {last-12-hrs | last-15-minutes | last-24-hrs | last-30days | last-6-hrs | last-60-seconds | last-7-days | last-calendarday | last-calendar-month | last-hour} | src {in | not-in} <ip/netmask> | srcuser equal <user_name> } system | { csv-output equal {no | yes} | direction equal {backward | forward} | end-time equal <value> | eventid {equal | not-equal} <value> id {equal | not-equal} <value> object {equal | not-equal} <value>
Palo Alto Networks
show log
opaque contains <value> | query equal <value> | receive_time in {last-12-hrs | last-15-minutes | last-24-hrs | last-30days | last-6-hrs | last-60-seconds | last-7-days | last-calendarday | last-calendar-month | last-hour} | severity {equal | greater-than-or equal | less-than-or-equal | notequal} {critical | high | informational | low | medium} | start-time equal <value> | subtype {equal | not-equal} <value> } threat | { action {equal | not-equal} {alert | allow | block-url | deny | drop | drop-all-packets | reset-both | reset-client | reset-server} | app {equal | not-equal} <value> | category {equal | not-equal} <value> | csv-output equal {no | yes} | direction equal {backward | forward} | dport {equal | not-equal} <port_number> | dst {in | not-in} <ip/netmask> | dstuser equal <user_name> | end-time equal <value> | from {equal | not-equal} <value> query equal <value> | receive_time in {last-12-hrs | last-15-minutes | last-24-hrs | last-30days | last-6-hrs | last-60-seconds | last-7-days | last-calendarday | last-calendar-month | last-hour} | rule {equal | not-equal} <value> | sport {equal | not-equal} <port_number> | src {in | not-in} <ip/netmask> | srcuser equal <user_name> | start-time equal <value> | suppress-threatid-mapping equal {no | yes} | to {equal | not-equal} <value> } thsum | { app {equal | not-equal} <value> | csv-output equal {no | yes} | direction equal {backward | forward} | dst in <value> | dstloc {equal | greater-than-or-equal | less-than-or-equal | not-equal} <value> | dstuser {equal | not-equal} <value> | end-time equal <value> | query equal <value> | receive_time in {last-12-hrs | last-15-minutes | last-24-hrs | last-30days | last-6-hrs | last-60-seconds | last-7-days | last-calendarday | last-calendar-month | last-hour} | rule {equal | not-equal} <value> | src in <value> | srcloc {equal | greater-than-or-equal | less-than-or-equal | not-equal} <value> | srcuser {equal | not-equal} <value> |
Palo Alto Networks
show log
start-time equal <value> | subtype {equal | not-equal} <value> | threatid {equal | greater-than-or-equal | less-than-or-equal | notequal} <value> } traffic | { action {equal | not-equal} {allow | deny | drop} | app {equal | not-equal} <value> | csv-output equal {no | yes} | direction equal {backward | forward} | dport {equal | not-equal} <port_number> | dst {in | not-in} <ip/netmask> | dstuser equal <user_name> | end-time equal <value> | from {equal | not-equal} <value> query equal <value> | receive_time in {last-12-hrs | last-15-minutes | last-24-hrs | last-30days | last-6-hrs | last-60-seconds | last-7-days | last-calendarday | last-calendar-month | last-hour} | rule {equal | not-equal} <value> | sport {equal | not-equal} <port_number> | src {in | not-in} <ip/netmask> | srcuser equal <user_name> | start-time equal <value> | to {equal | not-equal} <value> } trsum | { app {equal | not-equal} <value> | csv-output equal {no | yes} | direction equal {backward | forward} | dst in <value> | dstloc {equal | greater-than-or-equal | less-than-or-equal | not-equal} <value> | dstuser {equal | not-equal} <value> | end-time equal <value> | query equal <value> | receive_time in {last-12-hrs | last-15-minutes | last-24-hrs | last-30days | last-6-hrs | last-60-seconds | last-7-days | last-calendarday | last-calendar-month | last-hour} | rule {equal | not-equal} <value> | src in <value> | srcloc {equal | greater-than-or-equal | less-than-or-equal | not-equal} <value> | srcuser {equal | not-equal} <value> | start-time equal <value> } url { action {equal | not-equal} {alert | allow | block-url | deny | drop | drop-all-packets | reset-both | reset-client | reset-server} | app {equal | not-equal} <value> | category {equal | not-equal} <value> |
Palo Alto Networks
show log
csv-output equal {no | yes} | direction equal {backward | forward} | dport {equal | not-equal} <port_number> | dst {in | not-in} <ip/netmask> | dstuser equal <user_name> | end-time equal <value> | from {equal | not-equal} <value> query equal <value> | receive_time in {last-12-hrs | last-15-minutes | last-24-hrs | last-30days | last-6-hrs | last-60-seconds | last-7-days | last-calendarday | last-calendar-month | last-hour} | rule {equal | not-equal} <value> | sport {equal | not-equal} <port_number> | src {in | not-in} <ip/netmask> | srcuser equal <user_name> | start-time equal <value> | suppress-threatid-mapping equal {no | yes} | to {equal | not-equal} <value> } }
Options
> alarm Displays alarm logs + ack_admin Acknowledging admin name (alphanumeric string) + admin Admin name (alphanumeric string) + csv-output Equals CSV output (no or yes) + direction Backward or forward direction + dstip Destination IP address (x.x.x.x/y or IPv6/netmask) + dstport Destination port (0-65535) + end-time Ending date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + opaque Opaque contains substring value + receive_time Receive time in the last specified time period (press <tab> for list) + rulegroup Rule group equals rule value + srcip Source IP address (x.x.x.x/y or IPv6/netmask) + srcport Source port (0-65535) + start-time Starting date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + time_acknowledged Acknowledgement date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/ 01@10:00:00) + vsys Virtual system name > appstat Displays appstat logs + csv-output Equals CSV output (no or yes) + direction Backward or forward direction + end-time Ending date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + name Equal or not equal to name value + query Equal to query value + receive_time Receive time in the last specified time period (press <tab> for list) + risk Risk equal to, greater than or equal to, less than or equal to, or not equal to (1-5) + start-time Starting date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + type Type equal to or not equal to value > config Displays config logs + client Client equals or does not equal CLI or Web + cmd Command equals or does not equal (press <tab> for list for commands) + csv-output Equals CSV output (no or yes)
Palo Alto Networks
show log
+ direction Backward or forward direction + end-time Ending date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + query Equal to query value + receive_time Receive time in the last specified time period (press <tab> for list) + result Result equals or does not equal failed, succeeded, or unauthorized + start-time Starting date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) > data Displays data logs + action Action equals or does not equal (press <tab> for list of actions) + app Equals or does not equal value + category URL category equals or does not equal (press <tab> for list of categories) + csv-output Equals CSV output (no or yes) + direction Backward or forward direction + dport Destination port equals or does not equal (0-65535) + dst Destination IP address in or not in (x.x.x.x/y or IPv6/netmask) + dstuser Equals destination user name + end-time Ending date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + from Equals or does not equal value + query Equal to query value + receive_time Receive time in the last specified time period (press <tab> for list) + rule Equals or does not equal rule value + sport Source port equals or does not equal (0-65535) + src Source IP address in or not in (x.x.x.x/y or IPv6/netmask) + srcuser Equals source user name + start-time Starting date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + suppress-threatid-mapping Suppress threat ID mapping (no or yes) + to Equals or does not equal value > hipmatch Displays host IP match logs + csv-output Equals CSV output (no or yes) + machinename Equals or does not equal machine name + matchname Equals or does not equal match name + matchtype Equals or does not equal object or profile + query Equal to query value + receive_time Receive time in the last specified time period (press <tab> for list) + src Source IP address in or not in (x.x.x.x/y or IPv6/netmask) + srcuser Equals source user name > system Displays system logs + csv-output Equals CSV output (no or yes) + direction Backward or forward direction + end-time Ending date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + eventid Equals or does not equal value + id Equals or does not equal value + object Equals or does not equal value + opaque Opaque contains substring value + query Equal to query value + receive_time Receive time in the last specified time period (press <tab> for list) + severity Equal to, greater than or equal to, less than or equal to, or not equal to critical, high, informational, low, or medium + start-time Starting date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + subtype Equal to subtype value > threat Displays threat logs + action Action equals or does not equal (press <tab> for list of actions) + app Equals or does not equal value + category URL category equals or does not equal (press <tab> for list of categories) + csv-output Equals CSV output (no or yes)
Palo Alto Networks
show log
+ direction Backward or forward direction + dport Destination port equals or does not equal (0-65535) + dst Destination IP address in or not in (x.x.x.x/y or IPv6/netmask) + dstuser Equals destination user name + end-time Ending date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + from Equals or does not equal value + query Equal to query value + receive_time Receive time in the last specified time period (press <tab> for list) + rule Equals or does not equal rule value + sport Source port equals or does not equal (0-65535) + src Source IP address in or not in (x.x.x.x/y or IPv6/netmask) + srcuser Equals source user name + start-time Starting date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + suppress-threatid-mapping Suppress threat ID mapping (no or yes) + to Equals or does not equal value > thsum Displays thsum logs + app Equals or does not equal value + csv-output Equals CSV output (no or yes) + direction Backward or forward direction + dst Destination in value + dstloc Destination equal to, greater than or equal to, less than or equal to, or not equal to value + dstuser Equals or does not equal value + end-time Ending date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + query Equal to query value + receive_time Receive time in the last specified time period (press <tab> for list) + rule Equals or does not equal rule value + src Source in value + srcloc Source equal to, greater than or equal to, less than or equal to, or not equal to value + srcuser Equals or does not equal value + start-time Starting date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + subtype Equals or does not equal value + threatid Equal to, greater than or equal to, less than or equal to, or not equal to value value > traffic Displays traffic logs + action Action equals or does not equal allow, deny, or drop + app Equals or does not equal value + csv-output Equals CSV output (no or yes) + direction Backward or forward direction + dport Destination port equals or does not equal (0-65535) + dst Destination IP address in or not in (x.x.x.x/y or IPv6/netmask) + dstuser Equals destination user name + end-time Ending date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + from Equals or does not equal value + query Equal to query value + receive_time Receive time in the last specified time period (press <tab> for list) + rule Equals or does not equal rule value + sport Source port equals or does not equal (0-65535) + src Source IP address in or not in (x.x.x.x/y or IPv6/netmask) + srcuser Equals source user name + start-time Starting date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + to Equals or does not equal value > trsum Displays trsum logs + app Equals or does not equal value + csv-output Equals CSV output (no or yes) + direction Backward or forward direction
Palo Alto Networks
show log
+ dst Destination in value + dstloc Destination equal to, greater than or equal to, less than or equal to, or not equal to value + dstuser Equals or does not equal value + end-time Ending date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + query Equal to query value + receive_time Receive time in the last specified time period (press <tab> for list) + rule Equals or does not equal rule value + src Source in value + srcloc Source equal to, greater than or equal to, less than or equal to, or not equal to value + srcuser Equals or does not equal value + start-time Starting date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) > url Displays URL logs + action Action equals or does not equal (press <tab> for list of actions) + app Equals or does not equal value + category URL category equals or does not equal (press <tab> for list of categories) + csv-output Equals CSV output (no or yes) + direction Backward or forward direction + dport Destination port equals or does not equal (0-65535) + dst Destination IP address in or not in (x.x.x.x/y or IPv6/netmask) + dstuser Equals destination user name + end-time Ending date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + from Equals or does not equal value + query Equal to query value + receive_time Receive time in the last specified time period (press <tab> for list) + rule Equals or does not equal rule value + sport Source port equals or does not equal (0-65535) + src Source IP address in or not in (x.x.x.x/y or IPv6/netmask) + srcuser Equals source user name + start-time Starting date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + suppress-threatid-mapping Suppress threat ID mapping (no or yes) + to Equals or does not equal value
Sample Output
The following command shows the configuration log.
username@hostname> show log config Time Host Command Admin Client Result ============================================================================ === 03/05 22:04:16 10.0.0.135 edit admin Web Succeeded 03/05 22:03:22 10.0.0.135 edit admin Web Succeeded 03/05 22:03:22 10.0.0.135 create admin Web Succeeded 03/05 21:56:58 10.0.0.135 edit admin Web Succeeded ... username@hostname>

Palo Alto Networks
show mac
show mac
Displays MAC address information.
Syntax
show mac {all | <value>}
Options
all Displays all MAC information <value> Displays specified VLAN MAC information (dot1q-vlan name)
Sample Output
The following command lists all currently MAC address information.
username@hostname> show mac all maximum of entries supported : 8192 default timeout : 1800 seconds total MAC entries in table : 4 total MAC entries shown : 4 status: s - static, c - complete, i - incomplete vlan hw address interface status ttl --------------------------------------------------------------------------Vlan56 0:0:1:0:0:3 ethernet1/5 c 1087 Vlan56 0:0:1:0:0:4 ethernet1/6 c 1087 Vlan11-12 0:0:1:0:0:9 ethernet1/12 c 487 Vlan11-12 0:0:1:0:0:10 ethernet1/11 c 487 username@hostname>

Palo Alto Networks
show management-clients
Shows information about internal management server clients.
Syntax
Options
None
Sample Output
The following command shows information about the internal management server clients.
username@hostname> show management-clients Client PRI State Progress ------------------------------------------------------------------------routed 30 P2-ok 100 device 20 P2-ok 100 ikemgr 10 P2-ok 100 keymgr 10 init 0 (op cmds only) dhcpd 10 P2-ok 100 ha_agent 10 P2-ok 100 npagent 10 P2-ok 100 exampled 10 init 0 (op cmds only) Overall status: P2-ok. Progress: 0 Warnings: Errors:

Palo Alto Networks
show neighbor
show neighbor
Displays IPv6 neighbor information.
Syntax
show neighbor {all | mgt | <interface_name>}
Options
all Displays all IPv6 neighbor information mgt Displays host IPv6 neighbor information <interface_name> Displays IPv6 neighbor information for the specified interface
Sample Output
The following command displays all of the IPv6 neighbor information.
username@hostname> show neighbor all maximum of entries supported : default base reachable time: total neighbor entries in table : total neighbor entries shown : 1000 30 seconds 0 0
interface ip address hw address status ---------------------------------------------------------------------------username@hostname>

Palo Alto Networks
show ntp
show ntp
Displays the Network Time Protocol (NTP) synchronization state.
Syntax
show ntp
Options
None
Sample Output
The following command displays the NTP synchronization state.
username@hostname> show ntp NTP state: NTP synched to LOCAL username@hostname>

Palo Alto Networks
show object
show object
Shows the name of an address object with an IP address that exactly matches the address specified in the filter.
Syntax
show object {vsys <name>} ip <address>
Options
+ vsys Specifies the virtual system * ip Specifies the IP address (x.x.x.x or IPv6)
Sample Output
The following command shows the name of an address object, one-more, with IP address 3.3.3.3 that exists in virtual system vsys1.
username@hostname> show object vsys vsys1 ip 3.3.3.3 one-more username@hostname>

Palo Alto Networks
show panorama-certificate
Lists certificate information for connection between the firewall and Panorama. Primarily used for debugging purposes.
Syntax
Options
None
Sample Output
The following command shows that the firewall has a Panorama certificate key file client.pem.
username@hostname> show panorama-certificate -rw-r--r-- 1 root root 4.6K Jul 14 2008 client.pem username@hostname>

Palo Alto Networks
show panorama-status
Shows the Panorama connection status.
Syntax
Options
None
Sample Output
The following command shows information about the Panorama connection.
username@hostname> show panorama-status Panorama Server 1 : 10.1.7.90 State : Unknown username@hostname>

Palo Alto Networks
show pbf
show pbf
Displays runtime statistics for policy-based forwarding (PBF). For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
show pbf rule {all | name <rule_name>}
Options
> all Displays information about all current policy-based forwarding rules > name Displays the runtime statistics for a specified policy-based forwarding rule
Sample Output
The following command shows the current PBF settings.
username@hostname> show pbf rule all Rule ID State R-Action Egress IF NextHop Interval Threshold Status M-Action KA sent KA got Packets Matched ========== ===== ======== ======== ============ ================ ======== ========= ====== ========= ======= ====== =============== r1 4 Normal Discard 0.0.0.0 0 0 UP Monitor 0 0 0 to-host 7 Normal Forward ethernet1/1 100.1.1.254 2 3 UP Fail-Over 1270 1270 0 to-tunnel 8 Normal Forward ethernet1/3 201.1.1.254 2 3 DOWN Fail-Over 23 23 2 r5 9 Normal Forward ethernet1/9 0.0.0.0 2 3 UP Fail-Over 0 0 3 username@hostname>

Palo Alto Networks
show pppoe
show pppoe
Displays statistics about the Point-to-Point Protocol over Ethernet (PPPoE) connections. The firewall can be configured to be a PPPoE termination point to support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to terminate the connection. For more information, refer to the Network Configuration chapter the Palo Alto Networks Administrators Guide.
Syntax
show pppoe interface {all | <interface_name>}
Options
all Displays PPPoE information for all interfaces <interface_name> Displays PPPoE information for the specified firewall interface
Sample Output
The following command shows PPPoE information for the ethernet1/4 interface.
username@hostname> show pppoe interface ethernet1/4
Interface PPPoE PPP State Username Access Concentrator MAC IP ethernet1/4 Initiating Disconnected pa4020 Access Concentrator 00:11:22:33:44:55 10.0.2.2
username@hostname>

Palo Alto Networks
show qos
show qos
Shows Quality of Service (QoS) runtime information. For more information, refer to the Configuring Quality of Service chapter in the Palo Alto Networks Administrators Guide.
Syntax
show qos interface <interface> { counter | match-rule | throughput <value> | tunnel-throughput <value> }
Options
* interface Specifies the QoS interface > counter Displays software-based QoS counters > match-rule Displays members of regular traffic configuration > throughput Displays throughput (last 3 seconds) of all classes under the specified node-ID ((0-65535) > tunnel-throughput Displays throughput (last 3 seconds) of all classes under the specified tunnel interface
Sample Output
The following command shows the QoS throughput for interface ethernet1/2, node default-group (ID 0):
username@hostname> show qos interface ethernet1/2 throughput 0 QoS throughput for interface ethernet1/2, node default-group (Qid 0): class 4: 362 kbps username@hostname>

Palo Alto Networks
show query
show query
Displays information about query jobs.
Syntax
show query {jobs | id <value>}
Options
> jobs Displays all job information > id Displays job information for the specified ID (1-4294967296)
Sample Output
The following command shows information about all current query jobs.
username@hostname> show query jobs Enqueued ID Last Upd -------------------------------------------------------------------------13:58:19 16 13:58:19 Type ID Dequeued? ----------------------------------------------------username@hostname>

Palo Alto Networks
show report
show report
Displays information about process jobs.
Syntax
show report { custom | { aggregate-fields equal <value> | database equal {appstat | threat | thsum | traffic | trsum} | query equal <value> | receive_time in {last-12-hrs | last-15-minutes | last-24-hrs | last-30days | last-6-hrs | last-60-seconds | last-7-days | last-calendarday | last-calendar-month | last-hour} | topn equal <value> | value-fields equal <value> } directory-listing | id <value> | jobs | predefined { end-time <value> | start-time <value> | name equal {top-applications | top-attackers | top-attackers-bycountries | top-attacks | top-connections | top-denied-applications | top-denied-destinations | top-denied-sources | top-destinationcountries | top-destinations | top-egress-interfaces | top-egresszones | top-http-applications | top-ingress-interfaces | topingress-zones | top-rules | top-source-countries | top-sources | top-spyware-threats | top-url-categories | top-url-user-behavior | top-url-users | top-victims | top-victims-by-countries | top-viruses | top-vulnerabilities | top-websites | unknown-tcp-connections | unknown-udp-connections} } }
Options
> custom Displays custom reports + aggregate-fields Report with comma-separated aggregate field names + database Data base report (appstat, threat, thsum, traffic, or trsum) + query Report formulated with the query string value + receive_time Report with the receive time in the specified time period (press <tab> for list) + topn Report of TopN return results + value-fields Report with comma-separated value field names > directory-listing Displays report of directory listings > id Displays reports by ID (1-4294967296) > jobs Reports all jobs > predefined Displays predefined reports
Palo Alto Networks
show report
+ end-time End date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) + start-time Start date and time YYYY/MM/DD@hh:mm:ss (e.g., 2011/08/01@10:00:00) * name Predefined report of the specified name (press <tab> for list)
Sample Output
The following command shows the pre-defined report top-applications.
username@hostname> show report predefined name equal top-applications <?xml version="1.0"?> <report reportname="top-applications" logtype="appstat"> <result name="Top applications" logtype="appstat" start="2011/01/01 0 0:00:00" start-epoch="1293868800" end="2011/01/01 23:59:59" end-epoch=" 1293955199" generated-at="2011/01/02 17:22:47" generated-at-epoch="1294 017767" range="Saturday, January 01, 2011"> <entry> <name>icmp</name> <nbytes>0</nbytes> <nsess>480</nsess> </entry> <entry> <name>ospf</name> <nbytes>3920</nbytes> <nsess>20</nsess> </entry> <entry> <name>ping</name> <nbytes>172</nbytes> <nsess>2</nsess> </entry> </result> </report> username@hostname> username@hostname>

Palo Alto Networks
show resource
show resource
Displays resource limits for policies, sessions, SSL VPN tunnels, and VPN tunnels.
Syntax
show resource limit {policies | session | ssl-vpn | vpn}
Options
> policies Displays the resource limit for policies > session Displays the resource limit of the session > ssl-vpn Displays the resource limit for SSL VPN tunnels > vpn Displays the resource limit for site-to-site VPN tunnels
Sample Output
The following command shows the session resource limit.
username@hostname> show resource limit session current session max session ----------------- ----------------3044 262143 username@hostname>

Palo Alto Networks
show routing
show routing
Displays routing run-time objects.
Syntax
show routing { fib {virtual-router <name>} | interface | protocol | { bgp | { loc-rib {nexthop <ip/netmask> | peer <value> | prefix <ip/netmask> | virtual-router <value>} | loc-rib-detail {nexthop <ip/netmask> | peer <value> | prefix <ip/ netmask> | virtual-router <value>} | peer {peer-name <value> | virtual-router <value>} | peer-group {group-name <value> | virtual-router <value>} | policy {aggregate | cond-adv | export | import} {virtual-router <value>} | rib-out {nexthop <ip/netmask> | peer <value> | prefix <ip/netmask> | virtual-router <value>} | rib-out-detail {nexthop <ip/netmask> | peer <value> | prefix <ip/ netmask> | virtual-router <value>} | summary {virtual-router <value>} } ospf | { area {virtual-router <value>} | dumplsdb {virtual-router <value>} | interface {virtual-router <value>} | lsdb {virtual-router <value>} | neighbor {virtual-router <value>} | summary {virtual-router <value>} | virt-link {virtual-router <value>} | virt-neighbor {virtual-router <value>} } redist | { all {virtual-router <value>} | bgp {virtual-router <value>} | ospf {virtual-router <value>} | rip {virtual-router <value>} } rip { database {virtual-router <value>} | interface {virtual-router <value>} | peer {virtual-router <value>} | summary {virtual-router <value>}
Palo Alto Networks
show routing
} } resource | route | { destination <ip/netmask>| interface <interface_name> | nexthop <ip/netmask> | type {bgp | connect | ospf | rip | static} | virtual-router <name> } summary {virtual-router <name>} }
Options
> fib Displays forwarding table entries (option to filter result by virtual router) > interface Displays interface status > protocol Displays dynamic routing protocol information > bgp Displays BGP information > loc-rib Displays BGP local-rib + nexthop Filters result by nexthop (x.x.x.x/y or IPv6/netmask) + peer Displays for given BGP peer + prefix Filters result by prefix (x.x.x.x/y or IPv6/netmask) + virtual-router Filters result by virtual router > loc-rib-detail Displays BGP local-rib + nexthop Filters result by nexthop (x.x.x.x/y or IPv6/netmask) + peer Displays for given BGP peer + prefix Filters result by prefix (x.x.x.x/y or IPv6/netmask) + virtual-router Filters result by virtual router > peer Displays BGP peer status + peer-name Displays for given BGP peer + virtual-router Filters result by virtual router > peer-group Displays BGP peer group status + group-name Displays for given BGP peer group + virtual-router Filters result by virtual router > policy Displays BGP route-map status + virtual-router Filters result by virtual router > aggregate Displays BGP aggregate policy > cond-adv Displays BGP conditional advertisement policy > export Displays BGP export policy > import Displays BGP import policy > rib-out Displays BGP routes sent to BGP peer + nexthop Filters result by nexthop (x.x.x.x/y or IPv6/netmask) + peer Displays for given BGP peer + prefix Filters result by prefix (x.x.x.x/y or IPv6/netmask) + virtual-router Filters result by virtual router > rib-out-detail Displays BGP routes sent to BGP peer + nexthop Filters result by nexthop (x.x.x.x/y or IPv6/netmask) + peer Displays for given BGP peer + prefix Filters result by prefix (x.x.x.x/y or IPv6/netmask) + virtual-router Filters result by virtual router > summary Displays BGP summary information + virtual-router Filters result by virtual router
Palo Alto Networks
show routing
> ospf Displays OSPF information > area Displays OSPF area status + virtual-router Filters result by virtual router > dumplsdb Displays OSPF LS database status with all details + virtual-router Filters result by virtual router > interface Displays OSPF interface status + virtual-router Filters result by virtual router > lsdb Displays OSPF LS database status + virtual-router Filters result by virtual router > neighbor Displays OSPF neighbor status + virtual-router Filters result by virtual router > summary Displays OSPF summary information + virtual-router Filters result by virtual router > virt-link Displays OSPF virtual link status + virtual-router Filters result by virtual router > virt-neighbor Displays OSPF virtual neighbor status + virtual-router Filters result by virtual router > redist Displays redistribution rule entries > all Displays all redist rules + virtual-router Filters result by virtual router > bgp Displays only BGP redist rules + virtual-router Filters result by virtual router > ospf Displays only OSPF redist rules + virtual-router Filters result by virtual router > rip Displays only RIP redist rules + virtual-router Filters result by virtual router > rip Displays RIP information > database Displays RIP route database + virtual-router Filters result by virtual router > interface Displays RIP interface status + virtual-router Filters result by virtual router > peer Displays RIP peer status + virtual-router Filters result by virtual router > summary Displays RIP summary information + virtual-router Filters result by virtual router > resource Displays resource usage > route Displays route entries + destination Filters result by destination network and mask (x.x.x.x/y or IPv6/netmask) + interface Filters result by network interface + nexthop Filters result by nexthop network and mask (x.x.x.x/y or IPv6/netmask) + type Filters result by type of routes (BGP, connect and host, OSPF, RIP, or static) + virtual-router Filters result by virtual router > summary Displays summary information + virtual-router Filters result by virtual router
Sample Output
The following command shows summary routing information for the virtual router vrl.
username@hostname> show routing summary virtual-router vr1 VIRTUAL ROUTER: vr1 (id 1) ========== OSPF
Palo Alto Networks
show routing
area id: 0.0.0.0 interface: 192.168.6.254 interface: 200.1.1.2 dynamic neighbors: IP 200.1.1.1 ID 200.1.1.1 area id: 1.1.1.1 interface: 1.1.1.1 interface: 1.1.2.1 interface: 1.1.3.1 interface: 2.1.1.1 static neighbor: IP 65.54.5.33 ID *down* static neighbor: IP 65.54.77.88 ID *down* interface: 22.22.22.22 interface: 35.1.15.40 interface: 192.168.7.254 dynamic neighbors: IP 35.1.15.1 ID 35.35.35.35 ========== RIP interface: 2.1.1.1 interface: 22.22.22.22 interface: 35.1.15.40 interface: 192.168.6.254 interface: 200.1.1.2 ========== INTERFACE ========== interface name: ethernet1/1 interface index: 16 virtual router: vr1 operation status: up IPv4 address: 22.22.22.22/24 IPv4 address: 35.1.15.40/24 ========== interface name: ethernet1/3 interface index: 18 virtual router: vr1 operation status: up IPv4 address: 200.1.1.2/24 ========== interface name: ethernet1/7 interface index: 22 virtual router: vr1 operation status: up IPv4 address: 1.1.1.1/24 IPv4 address: 1.1.2.1/24 IPv4 address: 1.1.3.1/24 ========== interface name: ethernet1/15 interface index: 30 virtual router: vr1 operation status: up IPv4 address: 192.168.6.254/24 ========== interface name: ethernet1/16 interface index: 31 virtual router: vr1 operation status: up IPv4 address: 192.168.7.254/24
Palo Alto Networks
show routing
========== interface name: interface index: virtual router: operation status: IPv4 address: username@hostname>
ethernet1/18 33 vr1 down 2.1.1.1/24
The following command shows dynamic routing protocol information for RIP.
username@hostname> show routing protocol rip summary ========== virtual router: reject default route: interval seconds: update intervals: expire intervals: delete intervals: interface: interface: interface: interface: interface: ========== virtual router: reject default route: interval seconds: update intervals: expire intervals: delete intervals: interface: interface: interface:
vr1 yes 1 30 180 120 2.1.1.1 22.22.22.22 35.1.15.40 192.168.6.254 200.1.1.2 newr yes 1 30 180 120 0.0.0.0 30.30.30.31 151.152.153.154

Palo Alto Networks
show running
show running
Displays running operational parameters.
Syntax
show running { appinfo2ip | application {cache | setting | statistics} | application-override-policy | application-signature | captive-portal-policy | decryption-policy | dos-policy | global-ippool | ippool | ipv6 {address} | logging | nat-policy | nat-rule-cache | nat-rule-ippool {rule <name>} {show-cache | show-freelist} {no | yes} | pbf-policy | qos-policy | resource-monitor {day | hour | minute | second | week} {last <value>} | rule-use | { rule-base {app-override | cp | decryption | dos | nat | pbf | qos | security} | type {unused | used} | vsys <name> } security-policy | ssl-cert-cn | tcp state | top-urls {category <value> | top <value>} | ts-agent-data {all | ip <ip/netmask> | source-user <value>} | tunnel flow | { all | { filter state {active | inactive | init} | filter type {ipsec | sslvpn} } context <value> | info | lookup | name <tunnel_name> | nexthop | operation-stats | tunnel-id <value> }
Palo Alto Networks
show running
url-license }
Options
> appinfo2ip Displays application-specific IP mapping information > application Displays application info (cache, setting, or statistics) > application-override-policy Displays currently deployed application override policy > application-signature Displays application signature statistics > captive-portal-policy Displays currently deployed captive-portal policy > decryption-policy Displays currently deployed decryption policy > dos-policy Displays currently deployed DoS policy > global-ippool Displays global IP pool status > ippool Displays IP pool usage > ipv6 Displays IPv6 information (option to show IPv6 addresses) > logging Displays log and packet logging rate > nat-policy Displays currently deployed Network Address Translation (NAT) policy > nat-rule-cache Displays all NAT rules of all versions in cache > nat-rule-ippool Displays specified NAT rule ippool usage + show-cache Displays reserve time cache + show-freelist Displays free list * rule Specifies NAT rule name > pbf-policy Displays currently deployed Policy-Based Forwarding policy > qos-policy Displays currently deployed QoS policy > resource-monitor Displays resource monitoring statistics > day Per-day monitoring statistics (last 1-7 days) > hour Per-hour monitoring statistics (last 1-24 hours) > minute Per-minute monitoring statistics (last 1-60 minutes) > second Per-second monitoring statistics (last 1-60 seconds) > week Per-week monitoring statistics (last 1-13 weeks) > rule-use Displays used/non-used policy rules * rule-base Rule base name app-override Application override policy cp Captive portal policy decryption SSL decryption policy dos DoS protection policy nat NAT policy pbf Policy-based Forwarding policy qos QoS policy security Security policy * type Rule use type (unused or used) * vsys Virtual system name > security-policy Displays currently deployed security policy > ssl-cert-cn Displays SSL certificate common name cache > tcp Displays TCP reassembly setup > top-urls Displays top-URLs statistics + category Specify the URL category + top First top elements (1-10000) > ts-agent-data Displays terminal server agent data > all Displays all terminal server agents data > ip Displays terminal server agent data for IP address (x.x.x.x/y or IPv6/netmask) > source-user Displays terminal server agent data for user > tunnel Displays runtime tunnel states > all Displays all tunnels + filter Specifies filters + state Tunnel state (active, inactive, initial state)
Palo Alto Networks
show running
+ type Tunnel type (IPSec or SSL-VPN tunnel) > context Displays encap/decap context (1-65535) > info Displays runtime statistics > lookup Displays runtime lookup structures > name Displays tunnel name > nexthop Displays nexthop resolution structures > operation-stats Displays tunnel setup/teardown/update operation statistics > tunnel-id Displays tunnel id (1-65535) > url-license Displays URL license information
Sample Output
The following command shows statistics for running applications.
username@hostname> show running application statistics Time: Wed Feb 17 15:16:30 2010 Vsys: 1 Number of apps: 31 App (report-as) sessions packets --------------- ---------- ---------15 495 188516 16 11 1803 32 464 467 36 518 16395 37 2 2574 42 1888 4101 44 1 1 48 29 686 50 2 7 79 2 185 86 9 115 109 1604 75513 147 155 374 193 0 3 225 12 272 280 77 217 318 48 85 452 2 139 453 1 9 491 21 1293 518 128 98192 658 6 70 674 53 1487 735 8 8446 796 1 16 852 1 117 872 49 2852 900 24 2206 980 32 573 1019 412 2679 1024 913 6971 --------------- ---------- ---------Total 6968 416364 username@hostname>
bytes -----------99646149 1319859 51055 1921997 273600 454433 422 225194 2741 97363 25843 55339483 33660 1018 71706 44906 30161 109886 1914 812870 96499118 18944 1122891 8385474 4215 87965 2296433 1179538 233308 200506 549052 -----------271041704
app changed ----------0 0 0 0 0 0 1 0 0 2 8 0 0 1 12 0 0 2 1 21 128 6 53 8 1 1 49 24 32 0 0 ----------350
threats ------0 0 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ------3
Palo Alto Networks
show running

Palo Alto Networks
show session
show session
Displays session information.
Syntax
show session { all | { filter { application <name> | count {no | yes} | destination <ip_address> | destination-port <port_number> | destination-user {known-user | unknown | <value>} | egress-interface <value> | from <zone> | hw-interface <value> | ingress-interface <value> | min-kb <value> | nat {both | destination | none | source} | nat-rule <rule_name> | pbf-rule <rule_name> | protocol <value> | qos-class <value> | qos-node-id <value> | qos-rule <rule_name> | rematch security-policy | rule <rule_name> | source <ip_address> | source-port <port_number> | source-user {known-user | unknown | <value>} | ssl-decrypt {no | yes} | start-at <value> | state {active | closed | closing | discard | initial | opening} | to <zone> | type {flow | predict} | vsys-name <name> } start-at <value> } id <number> | info | meter }
Options
> all Displays active sessions + filter Apply show session filter
Palo Alto Networks
show session
+ application Application name (press <tab> for list) + count Count number of sessions only (no or yes) + destination Destination IP address (x.x.x.x or IPv6) + destination-port Destination port (1-65535) + destination-user Destination user (known-user, unknown, or enter a value) + egress-interface Egress interface + from From zone + hw-interface Hardware interface + ingress-interface Ingress interface + min-kb Minimum KB of byte count (1-1048576) + nat If session is NAT (both, destination, none, or source) + nat-rule NAT rule name + pbf-rule Policy-based Forwarding rule name + protocol IP protocol value (1-255) + qos-class QoS class (1-8) + qos-node-id QoS node ID value (0-5000; -2 = bypass mode) + qos-rule QoS rule name + rematch Rematch sessions (security policy) + rule Security rule name + source Source IP address (x.x.x.x or IPv6) + source-port Source port (1-65535) + source-user Source user (known-user, unknown, or enter a value) + ssl-decrypt Session is decrypted (no or yes) + start-at Show next 1K sessions (1-2097152) + state Flow state (active, closed, closing, discard, initial, or opening) + to To zone + type Flow type (regular flow or predict) + vsys-name Virtual system name + start-at Show next 1K sessions (1-2097152) > id Displays specific session information (1-2147483648) > info Displays session statistics > meter Displays session metering statistics
Sample Output
The following command displays session statistics.
username@hostname> show session info
------------------------------------------------------------------------------number of sessions supported: 524287 number of active sessions: 498520 number of active TCP sessions: 0 number of active UDP sessions: 498518 number of active ICMP sessions: 0 number of active BCAST sessions: 0 number of active MCAST sessions: 0 number of predict sessions: 0 session table utilization: 95% number of sessions created since system bootup: 3072041 Packet rate: 0/s Throughput: 0 Kbps New connection establish rate: 0 cps ------------------------------------------------------------------------------session timeout TCP default timeout: 3600 seconds TCP session timeout before 3-way handshaking: 5 seconds
Palo Alto Networks
show session
TCP session timeout after FIN/RST: 30 seconds UDP default timeout: 3600 seconds ICMP default timeout: 6 seconds other IP default timeout: 30 seconds Session timeout in discard state: TCP: 90 seconds, UDP: 60 seconds, other IP protocols: 60 seconds ------------------------------------------------------------------------------session accelerated aging: enabled accelerated aging threshold: 80% of utilization scaling factor: 2 X ------------------------------------------------------------------------------session setup TCP - reject non-SYN first packet: yes hardware session offloading: yes IPv6 firewalling: no ------------------------------------------------------------------------------application trickling scan parameters: timeout to determine application trickling: 10 seconds resource utilization threshold to start scan: 80% scan scaling factor over regular aging: 8 -------------------------------------------------------------------------------
The following command lists statistics for the specified session.

username@hostname> show session id 371731
session 371731 c2s flow: source: 172.16.40.20[L3Intranet] dst: 84.72.62.7 sport: 49230 dport: 31162 proto: 17 dir: c2s state: ACTIVE type: FLOW ipver: 4 src-user: qa2003domain-b\kwisdom dst-user: unknown PBF rule: rule4(2) qos node: ethernet1/14, qos member N/A Qid 0 ez fid: 0x0d208003(13, 0, 0, 3) s2c flow: source: 84.72.62.7[L3Extranet] dst: 172.16.40.20 sport: 31162 dport: 49230 proto: 17 dir: s2c state: ACTIVE type: FLOW ipver: 4 src-user: unknown dst-user: qa2003domain-b\kwisdom ez fid: 0x0ca0703f(12, 2, 3, 63) start time : Fri Jan 15 15:55:56 2010 timeout : 1200 sec time to live : 1076 sec total byte count : 145 layer7 packet count : 0 vsys : vsys1 application : bittorrent rule : rule23 session to be logged at end : yes session in session ager : yes session sync'ed from HA peer : yes
Palo Alto Networks
show session
layer7 processing URL filtering enabled URL category ingress interface egress interface session QoS rule
: : : : : :
completed yes any ethernet1/13 ethernet1/14 default (class 4)

Palo Alto Networks
show ssl-vpn
show ssl-vpn
Displays Secure Socket Layer (SSL) virtual private network (VPN) runtime objects. For more information, refer to the Configuring SSL VPNs chapter in the Palo Alto Networks Administrators Guide.
Syntax
show ssl-vpn { current-user {domain <value> | portal <value> | user <value>} | flow {name <value> | tunnel-id <value>} | portal {name <value>} | previous-user {domain <value> | portal <value> | user <value>} }
Options
> current-user Displays current SSL VPN users + domain Displays users whose domain name starts with the string + portal Displays for specified SSL VPN portal + user Displays users whose user name starts with the string > flow Displays dataplane SSL-VPN tunnel information > name Displays for specified VPN tunnel > tunnel-id Displays specified tunnel information (1-65535) > portal Displays list of SSL VPN configuration + name Displays for specified SSL VPN portal > previous-user Displays previous user session for SSL VPN users + domain Displays users whose domain name starts with the string + portal Displays for specified SSL VPN portal + user Displays users whose user name starts with the string
Sample Output
The following command displays information on SSL-VPN tunnels.
username@hostname> show ssl-vpn flow ---------------------------------------------------------------------------total tunnels configured: 10 filter - type SSL-VPN, state any total SSL-VPN tunnel configured: total SSL-VPN tunnel shown: 2 2
name id local-i/f local-ip tunnel-i/f ---------------------------------------------------------------------------s1 2 tunnel.7 10.1.6.105 tunnel.7 rad 11 tunnel.8 10.1.6.106 tunnel.8 --------------------------------------------------------------------------username@hostname>
Palo Alto Networks
show ssl-vpn

Palo Alto Networks
show statistics
show statistics
Displays firewall statistics.
Syntax
show statistics
Options
None
Sample Output
The following command displays firewall statistics.
username@hostname> show statistics TASK PID N_PACKETS CONTINUE ERROR DROP BYPASS TERMINATE 0 0 0 0 0 0 0 0 1 806 6180587 6179536 39 0 0 1012 2 807 39312 37511 0 0 0 1801 3 808 176054840 173273080 2289 2777524 0 1947 4 809 112733251 111536151 1744 1194906 0 450 5 810 66052142 65225559 1271 825010 0 302 6 811 49682445 49028991 909 652227 0 318 7 812 43618777 43030638 712 587129 0 298 8 813 41255949 40706957 708 548031 0 253 9 814 42570163 42010404 714 558773 0 272 10 815 7332493 7332494 0 0 0 0 task 1(pid: 806) flow_mgmt task 2(pid: 807) flow_ctrl flow_host task 3(pid: 808) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 4(pid: 809) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 5(pid: 810) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 6(pid: 811) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 7(pid: 812) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 8(pid: 813) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 9(pid: 814) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np task 10(pid: 815) appid_result

Palo Alto Networks
show system
show system
Displays system-related information.
Syntax
show system { disk-space | environmentals {fans | power | thermal} | files | info | logdb-quota | resources {follow} | services | setting | { ctd | { state | threat {application <value> | id <value> | profile <value>} | url-block-cache } jumbo-frame | logging | multi-vsys | pow | shared-policy | ssl-decrypt {certificate | certificate-cache | exclude-cache | memory {detail} | notify-cache | setting} | target-vsys | url-cache statistics | url-database | url-filtering-feature | zip } software status | state {browser | filter | filter-pretty} | statistics {vsys <name>} }
Options
> disk-space Reports file system disk space usage > environmentals Displays system environment state > files Lists important files in the system > info Displays system information > logdb-quota Reports log data base quotas > resources Displays system resources > services Displays system services > setting Displays system settings > ctd Displays ctd settings
Palo Alto Networks
show system
> state Displays ctd configure state > threat Displays threat stats (application, id, or profile) (0-4294967295) > url-block-cache Displays url block cache > jumbo-frame Displays Jumbo-Frame mode > logging Displays log and packet logging rate > multi-vsys Displays multiple virtual system mode > pow Displays pow > shared-policy Displays shared policy status > ssl-decrypt Displays SSL decryption > certificate Displays SSL decryption certificate > certificate-cache Displays SSL decryption certificate cache > exclude-cache Displays SSL decryption exclude cache > memory Displays SSL decryption memory usage (option to show detail) > notify-cache Displays SSL decryption notify cache > setting Displays SSL decryption settings > target-vsys Displays target virtual system for operational commands > url-cache Displays URL cache statistics > url-database Displays URL database > url-filtering-feature Displays URL filtering feature settings > zip Shows whether the firewall is configured to decompress traffic for content scanning purposes > software Displays software information > state Displays system state > browser Navigate in a text-mode browser > filter Filter by subtree/wildcard > filter-pretty Filter by subtree/wildcard w/ pretty printing > statistics Displays statistics
Sample Output
The following command displays system information.
username@hostname> show system info hostname: thunder ip-address: 10.1.7.1 netmask: 255.255.0.0 default-gateway: 10.1.0.1 ipv6-address: ipv6-default-gateway: mac-address: 00:13:72:3c:c9:e3 time: Tue Feb 9 10:02:57 2010
uptime: 0 days, 0:00:00 family: 4000 model: thunder serial: 06081420000021 sw-version: 4.0.0-c758.dev vpnclient-package-version: 1.0.0-c10 app-version: 158-450 av-version: 0 threat-version: 0 url-filtering-version: 2216 logdb-version: 3.0.0 username@hostname>
Palo Alto Networks
show system
The following command shows an example with the default threat action.
username@hostname> show system setting ctd threat 100000 application 109 profile 1 Profile 1 appid 109 , action 0 action 0 means default action. username@hostname>

Palo Alto Networks
show threat
show threat
Displays threat ID descriptions.
Syntax
show threat id <value>
Options
<value> Specifies the threat ID (1-4294967296)
Sample Output
The following command shows threat ID descriptions for ID 11172.
username@hostname> show threat id 11172 This signature detects the runtime behavior of the spyware MiniBug. MiniBug, also known as Weatherbug, installs other spyware, such as WeatherBug, and My Web Search Bar. It is also adware program that displays advertisements in its application window. medium http://www.spywareguide.com/product_show.php?id=2178 http://www.spyany.com/program/article_spw_rm_Minibug.htm username@hostname>

Palo Alto Networks
show user
show user
Displays user identification information. You can show information for a specified IP address, user, or all.
Syntax
show user { ip-port-user-mapping {all | ip <ip/netmask> | source-user <value>} | ip-user-mapping | { detail {no | yes} | no-group-only {no | yes} | type { AD | CP | GP | NTLM | SSL/VPN | UNKNOWN} | all | ip <ip/netmask> } ldap-server {server {all | <name>} | state} | local-user-db | { disabled {no |yes} | username <name> | vsys <name> } pan-agent | { config name <name> | statistics | user-IDs {match-user <value>} } pan-ntlm-agent statistics | ts-agent statistics | userid-agent statistics }
Options
> ip-port-user-mapping Displays terminal server agent data > all Displays all terminal server agents data > ip Displays terminal server agent data for IP address (x.x.x.x/y or IPv6/netmask) > source-user Displays terminal server agent data for user > ip-user-mapping Displays the data plane ip-user-mapping + detail Displays detail (no or yes) + no-group-only Displays no-group-only (no or yes) + type Displays type (AD, CP, GP, NTLM, SSL/VPN, or unknown) > all Displays all user/groups > ip Displays user/group info for IP address (x.x.x.x/y or IPv6/netmask) > ldap-server Displays LDAP server data > server Displays data of one or all servers > state Displays LDAP server states > local-user-db Displays the local user database
Palo Alto Networks
show user
+ disabled Filters by disabled/enabled + username Specifies ser name + vsys Specifies virtual system name > pan-agent Displays statistics for the user ID agent > config Displays Palo Alto Networks (PAN) agent client configuration name > statistics Displays PAN agent statistics > user-IDs Displays PAN agent user-IDs + match-user Matches user value > pan-ntlm-agent Displays statistics for the NTLM agent > ts-agent Displays statistics for the terminal services agent > userid-agent Displays user information for the Palo Alto Networks agent
Sample Output
The following command shows information about the Palo Alto Networks agent.
username@hostname> show user pan-agent statistics IP Address Port Vsys State Users Grps IPs Recei ved Pkts ---------------------------------------------------------------------------10.0.0.100 2011 vsys1 connected, ok 134 77 95 5757 10.1.200.22 2009 vsys1 connected, ok 5 864 2 1097 username@hostname>

Palo Alto Networks
show virtual-wire
show virtual-wire
Displays information about virtual wire interfaces. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
show virtual-wire {all | default-vwire | <value>}
Options
all Displays all virtual wire information default-vwire Displays information about the default virtual wire <value> Specifies a virtual wire interface
Sample Output
The following command displays information for the default virtual wire interface.
username@hostname> show virtual-wire default-vwire
total virtual-wire shown :
name interface1 interface2 -----------------------------------------------------------------------------default-vwire ethernet1/1 ethernet1/2 username@hostname>

Palo Alto Networks
show vlan
show vlan
Displays VLAN information. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
show vlan {all | <value>}
Options
all Shows information for all VLANs <value> Specifies a VLAN name
Sample Output
The following command displays information for all VLANs.
username@hostname> show vlan all total vlan shown : 2
name interface virtual interface layer3 forwarding ---------------------------------------------------------------------------TheTenOne ethernet1/1.1001 vlan.1001 enabled ethernet1/10.1001 ethernet1/2.1001 ethernet1/5.1001 ethernet1/6.1001 ethernet1/7.1001 ethernet1/8.1001 ethernet1/9.1001 ethernet1/4.1001 ae1 ethernet1/13.1001 TheTenTwo ethernet1/1.1002 vlan.1002 enabled ethernet1/2.1002 ethernet1/5.1002 ethernet1/6.1002 ethernet1/7.1002 ethernet1/8.1002 ethernet1/9.1002 ethernet1/10.1002 ethernet1/14 ethernet1/13.1002 username@hostname>

Palo Alto Networks
show vpn
show vpn
Displays Virtual Private Network (VPN) information. For more information, refer to the Configuring SSL VPNs chapter in the Palo Alto Networks Administrators Guide.
Syntax
show vpn { flow {name <name> | tunnel-id <value>} | gateway {name <name>} | ike-sa {gateway <value>} | ipsec-sa {tunnel <value>} | tunnel {name <name>} }
Options
> flow Displays information about the IPSec VPN tunnel on the data plane > name Specifies VPN tunnel name > tunnel-id Specifies VPN tunnel ID (1-65535) > gateway Displays Internet Key Exchange (IKE) gateway configuration + name Specifies IKE gateway > ike-sa Displays information about the active IKE Security Association (SA) + gateway Specifies IKE gateway > ipsec-sa Displays information about IPsec SA tunnels + tunnel Specifies VPN tunnel > tunnel Displays auto-key IPSec tunnel configuration + name Specifies VPN tunnel
Sample Output
The following command shows VPN information for the auto key IPsec tunnel k1.
username@hostname> show vpn tunnel name k1 TnID Name(Gateway) Local Proxy ID Local Proxy ID Proposals ------------------------------------------7 pan5gt(pan-5gt) 0.0.0.0/0 0.0.0.0/0 ESP tunl [DH2][AES128,3DES][SHA1] 90-sec Total 1 tunnels found, 0 ipsec sa found, 0 error username@hostname>
Palo Alto Networks
show vpn
The following command shows VPN information for the IKE gateway g2.
username@hostname> show vpn tunnel name g2 GwID Name Peer Address/ID Local Address/ID ---- --------------------------------3 falcon-kestrel 35.1.15.1 35.1.15.40 [PSK][DH2][AES128,3DES][SHA1] 28800-sec Total 1 gateways found, 0 ike sa found, 0 error. username@hostname>
Protocol Proposals ---------------Auto(main)

Palo Alto Networks
show zone-protection
show zone-protection
Displays the running configuration status and run time statistics for zone protection elements. For more information, refer to the Network Configuration chapter in the Palo Alto Networks Administrators Guide.
Syntax
show zone-protection {zone <zone_name>}
Options
<zone_name> Specifies the name of a zone
Sample Output
The following command shows statistics for the trust zone.
username@hostname> show zone-protection zone trust --------------------------------------------------------------------------Zone trust, vsys vsys1, profile custom-zone-protection ---------------------------------------------------------------------------tcp-syn enabled: no ---------------------------------------------------------------------------udp RED enabled: no ---------------------------------------------------------------------------icmp RED enabled: no ---------------------------------------------------------------------------other-ip RED enabled: no ---------------------------------------------------------------------------packet filter: discard-ip-spoof: enabled: no discard-ip-frag: enabled: no discard-icmp-ping-zero-id: enabled: no discard-icmp-frag: enabled: no discard-icmp-large-packet: enabled: no reply-icmp-timeexceeded: enabled: no username@hostname>

Palo Alto Networks
ssh
ssh
Opens a secure shell (SSH) connection to another host.
Syntax
ssh { inet {no | yes} | port <port_number> | source <ip_address> | v1 {no | yes} | v2 {no | yes} | host <value> }
Options
+ inet Force to IPv4 destination + port Port to connect to on the remote host (1-65535; default = 22)) + source Source address for SSH session + v1 Force SSH to try protocol version 1 only (default = version 2) + v2 Force SSH to try protocol version 2 only * host Host name or IP address of remote host
Sample Output
The following command opens an SSH connection to host 10.0.0.250 using SSH version 2.
username@hostname> ssh v2 user@10.0.0.250 user@10.0.0.250's password: #

Palo Alto Networks
tail
tail
Prints the last 10 lines of a debug file.
Syntax
tail { follow {no | yes} | lines <value> | dp-log <file> | mp-log <file> | webserver-log <file> }
Options
+ follow Outputs appended data as the file grows + lines Outputs the last N lines, instead of the last 10 (1-65535) > dp-log Data plane log file to display (press <tab> for list of files) > mp-log Management plane log file to display (press <tab> for list of files) > webserver-log Web server log file to display (press <tab> for list of files)
Sample Output
The following command displays the last 10 lines of the /var/log/pan/masterd.log file.
username@hostname> tail /var/log/pan/masterd.log [09:32:46] Successfully started process 'mgmtsrvr' instance '1' [09:32:47] Successfully started process 'appWeb' instance '1' [09:32:47] Started group 'pan' start script 'octeon' with options 'start' [09:32:48] Process 'appWeb' instance '1' exited normally with status '7' [09:32:48] Process 'appWeb' instance '1' has no further exit rules [09:32:53] Successfully started process 'pan-ez-agent' instance '1' [09:32:53] Process 'pan-ez-agent' instance '1' exited normally with status '0' [09:32:53] Process 'pan-ez-agent' instance '1' has no further exit rules [09:32:54] Successfully started process 'pan_netconfig_agent' instance '1' [09:32:54] Finished initial start of all processes username@hostname>

Palo Alto Networks
telnet
telnet
Opens a Telnet session to another host.
Syntax
telnet { 8bit {no | yes} | port <value> | host <value> }
Options
+ 8bit Use 8-bit data path (no or yes) + port Specifies the port to connect to on the remote host (0-65535) * host Specifies the host name or IP address of remote host
Sample Output
The following command opens a Telnet session to the host 1.2.5.5 using 8-bit data.
username@hostname> telnet 8bit 1.2.5.5

Palo Alto Networks
test
test
Runs tests based on installed security policies. For more information, refer to the Policies and Security Profiles chapter in the Palo Alto Networks Administrators Guide.
Syntax
test { arp gratuitous {interface <interface_name> | ip <ip/netmask>} | cp-policy-match {destination <ip_address> | from <zone> | source <ip_address> | to <zone>} | custom-url {rule <rule_name> | url <value>} | data-filtering {ccn <value> | pattern <value> | ssn <value>} | decryption-policy-match {application <name> | category <name> | destination <ip_address> | from <zone> | source <ip_address> | to <zone>} | dns-proxy query name <name> {source <ip_address>} {domain-name <name> | ip <ip_address>} | dos-policy-match {destination <ip_address> | destination-port <port_number> | from <zone> | from-interface <value> | protocol <value> | source <ip_address> | source-user <value> | to <zone> | to-interface <value>} | nat-policy-match {destination <ip_address> | destination-port <port_number> | from <zone> | ha-device-id <value> | protocol <value> | source <ip_address> | source-port <port_number> | to <zone> | tointerface <value>} | pbf-policy-match {application <name> | destination <ip_address> | destination-port <port_number> | from <zone> | from-interface <value> | ha-device-id <value> | protocol <value> | source <ip_address> | sourceuser <value>} | pppoe interface <interface_name> | qos-policy-match {application <name> | destination <ip_address> | destination-port <port_number> | from <zone> | protocol <value> | source <ip_address> | source-user <value> | to <zone>} | routing | { bgp virtual-router <name> { refresh peer <value> | restart {peer <value> | self} } fib-lookup {ip <ip_address> | virtual-router <value>} } security-policy-match {application <name> | destination <ip_address> | destination-port <port_number> | from <zone> | protocol <value> | showall {no | yes} | source <ip_address> | source-user <value> | to <zone>} | stats-service | url <value> | vpn {
Palo Alto Networks
test
ike-sa {gateway <value>} | ipsec {tunnel <value>} } }
Options
> arp Tests the Address Resolution Protocol (ARP) for the specified interface * interface Sends gratuitous ARP for specific interface * ip Sends gratuitous ARP to interface IP address (x.x.x.x/y or IPv6/netmask) > cp-policy-match Tests captive portal policy matches + destination Specifies the destination IP address (x.x.x.x or IPv6) + from Specifies the From zone + source Specifies the source IP address (x.x.x.x or IPv6) + to Specifies the To zone > custom-url Tests custom URL categorization * rule Specifies a security rule name * url Specifies the URL value > data-filtering Tests credit card number (CCN), social security number (SSN), or pattern matches > ccn Specifies a credit card number > pattern Specifies a pattern > ssn Specifies a social security number > decryption-policy-match Tests Secure Socket Layer (SSL) policy matches + application Specifies the application name to match (press <tab> for list) + category Specifies the category name to match (press <tab> for list) + destination Specifies the destination IP address (x.x.x.x or IPv6) + from Specifies the From zone + source Specifies the source IP address (x.x.x.x or IPv6) + to Specifies the To zone > dns-proxy Tests Domain Name Server (DNS) queries * source Specifies a source IP from the object's assigned interfaces to use (x.x.x.x or IPv6) > domain-name Specifies a fully qualified domain name > ip Specifies an IP address to reverse query (x.x.x.x or IPv6) > dos-policy-match Tests Denial of Service (DoS) policy matches + destination Specifies a destination IP address (x.x.x.x or IPv6) + destination-port Specifies a destination port number (1-65535) + from Specifies a From zone + from-interface Specifies a From interface value + protocol Specifies an IP protocol value (1-255) + source Specifies a source IP address (x.x.x.x or IPv6) + source-user Specifies a source user value + to Specifies a To zone + to-interface Specifies a To interface value > nat-policy-match Tests Network address Translation (NAT) policy matching + destination Specifies a destination IP address (x.x.x.x or IPv6) + destination-port Specifies a destination port number (1-65535) + from Specifies a From zone + ha-device-id Specifies the HA Active-Active device ID (0-1) + protocol Specifies an IP protocol value (1-255) + source Specifies a source IP address (x.x.x.x or IPv6) + source-port Specifies a source port number (1-65535) + to Specifies a To zone + to-interface Specifies an egress interface value > pbf-policy-match Tests Policy-based Forwarding (PBF) matching
Palo Alto Networks
test
+ application Specifies the application name to match (press <tab> for list) + destination Specifies a destination IP address (x.x.x.x or IPv6) + destination-port Specifies a destination port number (1-65535) + from Specifies a From zone + from-interface Specifies a From interface value + ha-device-id Specifies the HA Active-Active device ID (0-1) + protocol Specifies an IP protocol value (1-255) + source Specifies a source IP address (x.x.x.x or IPv6) + source-user Specifies a source user value > pppoe Tests Point-to-Point Protocol over Ethernet (PPPoE) connections > qos-policy-match Tests Quality of Service (QoS) policy matching + application Specifies the application name to match (press <tab> for list) + destination Specifies a destination IP address (x.x.x.x or IPv6) + destination-port Specifies a destination port number (1-65535) + from Specifies a From zone + protocol Specifies an IP protocol value (1-255) + source Specifies a source IP address (x.x.x.x or IPv6) + source-user Specifies a source user value + to Specifies a To zone > routing Tests routing. Options include: > bgp Restarts the Border Gateway Protocol (BGP) connections with the peer, or refreshes to trigger a resending of all routes > refresh Triggers specified BGP peer to resend all routes > restart Restarts BGP connection > peer Restarts the BGP connection with the specified peer > self Restarts the virtual router itself > fib-lookup Performs route lookup within the active route table * ip Specifies a destination IP address (x.x.x.x or IPv6) * virtual-router Performs route lookup within specified virtual-router > security-policy-match Tests security policy matching + application Specifies the application name to match (press <tab> for list) + destination Specifies a destination IP address (x.x.x.x or IPv6) + destination-port Specifies a destination port number (1-65535) + from Specifies a From zone + protocol Specifies an IP protocol value (1-255) + show-all Displays all potential match rules (no or yes) + source Specifies a source IP address (x.x.x.x or IPv6) + source-user Specifies a source user value + to Specifies a To zone > stats-service Tests statistics service > url Tests URL categorization > vpn Verifies Internet Key Exchange (IKE) and IP Security (IPSec) settings > ike-sa Performs the tests only for the negotiated IKE security association (SA) + gateway Specifies an IKE gateway to test > ipsec-sa Performs the tests for IPsec SA (and IKE SA if necessary) + tunnel Specifies a VPN tunnel to test
Palo Alto Networks
test
Sample Output
The following command tests whether the set of criteria matches any of the existing rules in the security rule base.
username@hostname> test security-policy-match from trust to untrust application google-talk source 10.0.0.1 destination 192.168.0.1 protocol 6 destination-port 80 source-user known-user Matched rule: 'rule1' action: allow username@hostname>

Palo Alto Networks
tftp export
tftp export
Uses Trivial File Transfer Protocol (TFTP) to export files from the firewall to another host. TFTP export actions must specify the management interface IP as the source IP address. TFTP export actions are not supported on in-band management ports.
Syntax
tftp export <option> {remote-port <port_number> | source-ip <ip_address> | to <host>} { application-block-page | application-pcap {from <file_name>} | captive-portal-text | configuration {from <file_name>} | core-file {data-plane | management-plane} {from <file_name>} | crl {from <file_name>} | debug-pcap {from <file_name>} | file-block-continue-page | file-block-page | filter-pcap {from <file_name>} | global-protect-portal-custom-help-page {name <file_name>} | global-protect-portal-custom-login-page {name <file_name>} | global-protect-portal-custom-welcome-page {name <file_name>} | high-availability-key {from <file_name>} | inbound-proxy-key {from <value>} | log-file {data-plane | management-plane} | ssl-cert-status-page | ssl-optout-text | sslvpn-custom-login-page {name <file_name>} | stats-dump | tech-support | threat-pcap {from <file_name>} | url-block-page | url-coach-text | virus-block-page | web-interface-certificate }
Options
+ remote-port TFTP server port number on remote host(1-65535) + source-ip Set source address to specified interface address (x.x.x.x or IPv6) * to TFTP host > application-block-page Exports application block comfort page > application-pcap Exports application packet capture > captive-portal-text Exports captive portal text > configuration Exports configuration > core-file Exports core file > crl Exports crl.tgz > debug-pcap Exports packet capture generated for purpose of debugging daemons > file-block-continue-page Exports file block continue comfort page > file-block-page Exports file block comfort page
Palo Alto Networks
tftp export
> filter-pcap Exports filter packet capture > global-protect-portal-custom-help-page Exports GlobalProtect help page > global-protect-portal-custom-login-page Exports GlobalProtect login page > global-protect-portal-custom-welcome-page Exports GlobalProtect welcome page > high-availability-key Exports High Availability peer encryption key > inbound-proxy-key Exports inbound proxy key > log-file Exports log- file > ssl-cert-status-page Exports SSL certificate revoked notification page > ssl-optout-text Exports SSL optout text > sslvpn-custom-login-page Exports SSL VPN custom login page > stats-dump Exports log data base in CSV format > tech-support Exports tech support info > threat-pcap Exports threat packet capture > url-block-page Exports URL block comfort page > url-coach-text Exports URL coach text > virus-block-page Exports virus block comfort page > web-interface-certificate Exports web interface certificate

Palo Alto Networks
tftp import
tftp import
Uses Trivial File Transfer Protocol (TFTP) to import files to the firewall from another host. TFTP import actions must specify the management interface IP as the destination IP address. TFTP import actions are not supported on in-band management ports.
Syntax
tftp import <option> {remote-port <port_number> | source-ip <ip_address> | file <source_path> | from <host>} | { anti-virus | application-block-page | captive-portal-text | certificate {certificate-name <certificate_name>} | configuration | content | file-block-continue-page | file-block-page | global-protect-client | global-protect-portal-custom-help-page {profile <profile_name>} | global-protect-portal-custom-login-page {profile <profile_name>} | global-protect-portal-custom-welcome-page {profile <profile_name>} | high-availability-key | license | private-key {certificate-name <certificate_name> | passphrase <value>} | signed-url-database | software | ssl-cert-status-page | ssl-optout-text | sslvpn-custom-login-page {profile <profile_name>} | url-block-page | url-coach-text | url-database | virus-block-page | vpnclient }
Options
+ remote-port TFTP server port number on remote host(1-65535) + source-ip Set source address to specified interface address (x.x.x.x or IPv6) * file Source path * from TFTP host > anti-virus Imports anti-virus content > application-block-page Imports application block comfort page > captive-portal-text Imports captive portal text > certificate Imports X.509 certificate > configuration Imports configuration > content Imports database content > file-block-continue-page Imports file block continue comfort page > file-block-page Imports file block comfort page > global-protect-client Imports GlobalProtect client package
Palo Alto Networks
tftp import
> global-protect-portal-custom-help-page Imports GlobalProtect portal custom help page > global-protect-portal-custom-login-page Imports GlobalProtect portal custom login page > global-protect-portal-custom-welcome-page Imports GlobalProtect portal custom welcome page > high-availability-key Imports High Availability peer encryption key > license Imports license file > private-key Imports SSL private key > signed-url-database Imports signed URL database package > software Imports software package > ssl-cert-status-page Imports SSL certificate revoked notification page > ssl-optout-text Imports SSL optout text > sslvpn-custom-login-page Imports SSL VPN custom login page > url-block-page Imports URL block comfort page > url-coach-text Imports URL coach text > url-database Imports URL database package > virus-block-page Imports virus block comfort page > vpnclient Imports VPN client package
Sample Output
The following command imports a license file from a file in user1s account on the machine with IP address 10.0.3.4.
username@hostname> tftp import ssl-certificate from user1@10.0.3.4:/tmp/ certificatefile username@hostname>

Palo Alto Networks
traceroute
traceroute
Displays information about the route packets take to another host.
Syntax
traceroute { bypass-routing {no | yes} | debug-socket {no | yes} | do-not-fragment {no | yes} | first-ttl <value> | gateway <value> | ipv4 {no | yes} | ipv6 {no | yes} | max-ttl <value> | no-resolve {no | yes} | pause <value> | port <value> | source <ip_address> | tos <value> {verbose} | wait <value> | host <value> }
Options
+ bypass-routing Sends the request directly to the host on a direct attached network, bypassing usual routing table + debug-socket Enables socket-level debugging + do-not-fragment Sets the do-not-fragment bit + first-ttl Sets the time-to-live (in number of hops) in the first outgoing probe packet + gateway Specifies a loose source router gateway (maximum = 8) + ipv4 Specifies that IPv4 is used + ipv6 Specifies that IPv6 is used + max-ttl Sets the maximum time-to-live in number of hops + no-resolve Does not attempt to print resolved domain names + pause Sets the time to pause between probes (in milliseconds) + port Sets the base port number used in probes (default for UDP = 33434; for TCP = 80; for ICMP = 1) + source Specifies the source IP address in outgoing probe packets + tos Specifies the type of service (TOS) treatment for the packets by way of the TOS bit for the IP header in the ping packet (0-255) + wait Specifies a delay in transmission of the traceroute request (in seconds) * host Specifies the IP address or name of the remote host (required)
Palo Alto Networks
traceroute
Sample Output
The following command displays information about the route from the firewall to www.google.com.
username@hostname> traceroute www.paloaltonetworks.com traceroute to www.paloaltonetworks.com (72.32.199.53), 30 hops max, 38 byte packets 1 10.1.0.1 (10.1.0.1) 0.399 ms 1.288 ms 0.437 ms 2 64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.910 ms dsl027-186189.sfo1.dsl.speakeasy.net (216.27.186.189) 1.012 ms 64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.865 ms 3 dsl027-182-001.sfo1.dsl.speakeasy.net (216.27.182.1) 16.768 ms 581.420 ms 64.3.142.37.ptr.us.xo.net (64.3.142.37) 219.190 ms 4 ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21) 228.551 ms 110.ge-0-00.cr1.sfo1.speakeasy.net (69.17.83.189) 12.352 ms ge5-0-0.mar2.fremontca.us.xo.net (207.88.80.21) 218.547 ms 5 ge-5-3-0.mpr3.pao1.us.above.net (209.249.11.177) 13.212 ms p4-00.rar2.sanjose-ca.us.xo.net (65.106.5.137) 273.935 ms 221.313 ms 6 p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178) 139.212 ms so-1-21.mpr1.sjc2.us.above.net (64.125.28.141) 13.348 ms p1-0.ir1.paloaltoca.us.xo.net (65.106.5.178) 92.795 ms 7 so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246) 12.069 ms 206.111.12.146.ptr.us.xo.net (206.111.12.146) 93.278 ms so-0-00.mpr2.sjc2.us.above.net (64.125.27.246) 556.033 ms 8 tbr1p013201.sffca.ip.att.net (12.123.13.66) 52.726 ms so-3-20.cr1.dfw2.us.above.net (64.125.29.54) 61.875 ms tbr1p013201.sffca.ip.att.net (12.123.13.66) 58.462 ms MPLS Label=32537 CoS=0 TTL=1 S=1 64.124.12.6.available.above.net (64.124.12.6) 74.828 ms tbr1cl3.la2ca.ip.att.net (12.122.10.26) 62.533 ms 64.124.12.6.available.above.net (64.124.12.6) 60.537 ms 10 tbr1cl20.dlstx.ip.att.net (12.122.10.49) 60.617 ms vlan901.core1.dfw1.rackspace.com (72.3.128.21) 59.881 ms 60.429 ms 11 gar1p360.dlrtx.ip.att.net (12.123.16.169) 108.713 ms aggr5a.dfw1.rackspace.net (72.3.129.19) 58.049 ms gar1p360.dlrtx.ip.att.net (12.123.16.169) 173.102 ms 12 72.32.199.53 (72.32.199.53) 342.977 ms 557.097 ms 60.899 ms username@hostname> 9

Palo Alto Networks
view-pcap
view-pcap
Displays the contents of packet capture files.
Syntax
view-pcap {application-pcap | debug-pcap | filter-pcap | threat-pcap} <file_name> { absolute-seq {no | yes} | delta {no | yes} | follow {no | yes} | hex {no | yes} | hex-ascii {no | yes} | hex-ascii-link {no | yes} | hex-link {no | yes} | link-header {no | yes} | no-dns-lookup {no | yes} | no-port-lookup {no | yes} | no-qualification {no | yes} | no-timestamp {no | yes} | timestamp {no | yes} | undecoded-NFS {no | yes} | unformatted-timestamp {no | yes} | verbose {no | yes} | verbose+ {no | yes} | verbose++ {no | yes} }
Options
+ absolute-seq Display the absolute TCP sequence numbers + delta Display a delta (in micro-seconds) between the current and previous lines + follow Monitor a pcap file in real time + hex Display each packet (minus link header) in hex + hex-ascii Display each packet (minus link header) in hex and ASCII + hex-ascii-link Display each packet (including link header) in hex and ASCII + hex-link Display each packet (including link header) in hex + link-header Display the link-level header on each dump line + no-dns-lookup Do not convert host addresses to names + no-port-lookup Do not convert protocol and port numbers to names + no-qualification Do not print domain name qualification of host names + no-timestamp Do not print a timestamp + timestamp Print a timestamp proceeded by date + undecoded-NFS Print undecoded NFS handles + unformatted-timestamp Print an unformatted timestamp + verbose Display verbose output + verbose+ Display more verbose output + verbose++ Dislplay the maximum output details > application-pcap Display application packet capture file specified by name > debug-pcap Display debug packet capture file specified by name > filter-pcap Display filter packet capture file specified by name > threat-pcap Display threat packet capture file specified by name
Palo Alto Networks
view-pcap
Sample Output
The following command displays the contents of the packet capture file /var/session/pan/filters/ syslog.pcap in ASCII and hex formats.
username@hostname> view-pcap hex-ascii /var/session/pan/filters/syslog.pcap reading from file /var/session/pan/filters/syslog.pcap, link-type EN10MB (Ethernet) 08:34:31.922899 IP 10.0.0.244.32884 > jdoe.paloaltonetworks.local.syslog: UDP, length 314 0x0000: 4500 0156 0000 4000 4011 2438 0a00 00f4 E..V..@.@.$8.... 0x0010: 0a00 006c 8074 0202 0142 d163 3c31 3137 ...l.t...B.c<117 0x0020: 3e41 7072 2020 3233 2030 383a 3334 3a33 >Apr..23.08:34:3 0x0030: 3420 312c 3034 2f32 3320 3038 3a33 343a 4.1,04/23.08:34: 0x0040: 3334 2c54 4852 4541 542c 7572 6c2c 312c 34,THREAT,url,1, 0x0050: 3034 2f32 3320 3038 3a33 343a 3235 2c31 04/23.08:34:25,1 0x0060: 302e 302e 302e 3838 2c32 3039 2e31 3331 0.0.0.88,209.131 0x0070: 2e33 362e 3135 382c 302e 302e 302e 302c .36.158,0.0.0.0, 0x0080: 302e 302e 302e 302c 6c32 2d6c 616e 2d6f 0.0.0.0,l2-lan-o 0x0090: 7574 2c77 6562 2d62 726f 7773 696e 672c ut,web-browsing, 0x00a0: 7673 7973 312c 6c32 2d6c 616e 2d74 7275 vsys1,l2-lan-tru 0x00b0: 7374 2c6c 322d 6c61 6e2d 756e 7472 7573 st,l2-lan-untrus 0x00c0: 742c 6574 6865 726e 6574 312f 3132 2c65 t,ethernet1/12,e 0x00d0: 7468 6572 6e65 7431 2f31 312c 466f 7277 thernet1/11,Forw 0x00e0: 6172 6420 746f 204d 696b 652c 3034 2f32 ard.to.Mike,04/2 0x00f0: 3320 3038 3a33 343a 3334 2c38 3336 3435 3.08:34:34,83645 0x0100: 372c 322c 3438 3632 2c38 302c 302c 302c 7,2,4862,80,0,0, 0x0110: 3078 302c 7463 7028 3629 2c61 6c65 7274 0x0,tcp(6),alert 0x0120: 2c77 7777 2e79 6168 6f6f 2e63 6f6d 2f70 ,www.yahoo.com/p 0x0130: 2e67 6966 3f2c 2c73 6561 7263 682d 656e .gif?,,search-en 0x0140: 6769 6e65 732c 696e 666f 726d 6174 696f gines,informatio 0x0150: 6e61 6c2c 3000 nal,0.

Palo Alto Networks
Chapter 5
Maintenance Mode
Maintenance mode provides support for error recovery and diagnostics, and allows you to reset the firewall to factory defaults. This chapter describes how to enter Maintenance mode:
Entering Maintenance Mode in the next section Using Maintenance Mode on page 430
Entering Maintenance Mode

The system enters Maintenance mode automatically if a critical error is discovered, or you can enter Maintenance mode explicitly when booting the firewall. Critical failure can be due to service errors, bootloader corruption, or disk file system errors. You can enter Maintenance mode in either of the following ways:
Serial cable to the serial port on the firewall. For serial cable specifications, refer to the Hardware Reference Guide for your firewall model. Secure Socket Layer (SSL). SSL access is supported if the firewall has already entered Maintenance mode (either automatically or explicitly during bootup).
Palo Alto Networks
Maintenance Mode 427
Entering Maintenance Mode Upon Bootup

To enter Maintenance mode upon bootup: 1. Press m when prompted by the bootloader.
2.
Press any key on your keyboard when prompted to stop the automatic boot, and then select Maint as the booting partition.
428 Maintenance Mode
Palo Alto Networks
Entering Maintenance Mode Automatically

If the system detects a critical error it will automatically fail over to Maintenance mode. When the firewall enters Maintenance mode, messages are displayed on the serial console, web interface, and CLI interface. The serial console displays the following message.
The web interface displays the following message.
Palo Alto Networks
The SSH interface displays the following message.

ATTENTION: A critical error has been detected preventing proper boot up of the device. Please contact Palo Alto Networks to resolve this issue at 866-898-9087 or support@paloaltonetworks.com. The system is in maintenance mode. Connect via serial console or with user 'maint' through ssh to access the recovery tool.
Using Maintenance Mode

The Maintenance mode main menu displays the following options.
Palo Alto Networks
The following table describes the Maintenance mode selections that are accessible without entering a password.
Table 4. General Maintenance Mode Options Option

Maintenance Entry Reason Get System Info FSCK (Disk Check) Log Files Disk Image Content Rollback Reboot
Description
Indicates why the system entered Maintenance mode and includes possible recovery steps. Displays basic information about the system. This information is useful when obtaining assistance from Customer Support. Provides the ability to run a file system check (FSCK) on various partitions. Allows viewing and copying of log files from the system. Allows the system to revert back to the previously installed software version. Allows a rollback to the previously installed content version. Reboots the firewall.
Some of the options are password protected to prevent accidental changes that could leave the system in an inoperative state. The password is intended as a safeguard and it not meant to be secret. The password is MA1NT (numeral 1).
Table 5. General Maintenance Mode Options Option

Factory Reset
Description
Returns the firewall into the factory default state. The reset includes an option to scrub the Config and Log partitions using a National Nuclear Security Administration (NNSA) or Department of Defense (DOD) compliant scrubbing algorithm. Note: Scrubbing can take up to six hours to complete. Enables and disables FIPS mode. For more information about support for FIPS 140-2, refer to the Federal Information Processing Standards Support appendix in the Palo
Set FIPS Mode
Alto Networks Administrators Guide.

Bootloader Recovery Disk Image Advanced Diagnostics Reprograms the main bootloader with the latest bootloader image on the system. Use this option if the failsafe bootloader is running and recovery of the main bootloader is required. (PA-2000 and PA-500 systems only) These options provide greater granularity and control over installation, including status, history, bootstrapping, and other commands. Tests the data plane booting and data plane memory, and run disk performance with bonnie++.
Palo Alto Networks
Palo Alto Networks
Appendix A PANORAMA HIERARCHY

This appendix presents the complete firewall configuration hierarchy for Panorama:
Panorama Hierarchy
deviceconfig { system { login-banner <value>; hostname <value>; domain <value>; ip-address <ip/netmask>; netmask <value>; default-gateway <ip/netmask>; ipv6-address <ip/netmask>; ipv6-default-gateway <ip/netmask>; authentication-profile <value>; client-certificate-profile <value>; dns-primary <ip/netmask>; dns-secondary <ip/netmask>; panorama-server <ip/netmask>; ntp-server-1 <value>; location <value>; contact <value>; ntp-server-2 <value>; update-server <value>; secure-proxy-server <value>; secure-proxy-port 1-1; secure-proxy-user <value>; secure-proxy-password <value>; snmp-community-string <value>; geo-location { latitude <value>; longitude <value>; } service { disable-http yes|no; disable-https yes|no; disable-telnet yes|no; disable-ssh yes|no; disable-icmp yes|no; disable-snmp yes|no; } permitted-ip { REPEAT... <name>;
Palo Alto Networks
433
} update-schedule { threats { recurring { daily { at <value>; action download-only|download-and-install; } OR... weekly { day-of-week sunday|monday|tuesday|wednesday|thursday|friday|saturday; at <value>; action download-only|download-and-install; } } } anti-virus { recurring { hourly { at 0-65535; action download-only|download-and-install; } OR... daily { at <value>; action download-only|download-and-install; } OR... weekly { day-of-week sunday|monday|tuesday|wednesday|thursday|friday|saturday; at <value>; action download-only|download-and-install; } threshold 1-1; sync-to-peer yes|no; } } } timezone W-SU|CST6CDT|Japan|Portugal|Hongkong|Mideast|Mideast/ Riyadh87|Mideast/Riyadh88|Mideast/Riyadh89|Eire|Poland|Factory|GBEire|America|America/Port_of_Spain|America/Indiana|America/Indiana/ Vevay|America/Indiana/Indianapolis|America/Indiana/Marengo|America/Indiana/ Knox|America/St_Johns|America/Grand_Turk|America/Tijuana|America/ Toronto|America/Araguaina|America/Virgin|America/El_Salvador|America/ Coral_Harbour|America/Jujuy|America/Mexico_City|America/Guyana|America/ Cayman|America/Ensenada|America/Fortaleza|America/Iqaluit|America/ Boa_Vista|America/Chihuahua|America/Nome|America/Cancun|America/ Cayenne|America/Recife|America/Panama|America/Caracas|America/ Costa_Rica|America/Cambridge_Bay|America/Martinique|America/ Yellowknife|America/Godthab|America/Sao_Paulo|America/Edmonton|America/ Fort_Wayne|America/Danmarkshavn|America/Barbados|America/Dawson|America/ Thunder_Bay|America/Tegucigalpa|America/Chicago|America/Guadeloupe|America/ Grenada|America/Anguilla|America/Kentucky|America/Kentucky/ Monticello|America/Kentucky/Louisville|America/Argentina|America/Argentina/ Jujuy|America/Argentina/Ushuaia|America/Argentina/Catamarca|America/ Argentina/San_Juan|America/Argentina/Mendoza|America/Argentina/ La_Rioja|America/Argentina/Buenos_Aires|America/Argentina/Tucuman|America/
434
Palo Alto Networks
Argentina/ComodRivadavia|America/Argentina/Cordoba|America/Argentina/ Rio_Gallegos|America/Mazatlan|America/Regina|America/Montevideo|America/ Catamarca|America/Los_Angeles|America/Campo_Grande|America/Aruba|America/ Manaus|America/Knox_IN|America/Rosario|America/St_Lucia|America/ Hermosillo|America/Denver|America/Detroit|America/Santiago|America/ Shiprock|America/Cuiaba|America/Dominica|America/Porto_Acre|America/ Curacao|America/Belize|America/Merida|America/Swift_Current|America/ Antigua|America/Adak|America/Indianapolis|America/Belem|America/ Miquelon|America/Louisville|America/Bogota|America/New_York|America/ Boise|America/Scoresbysund|America/Mendoza|America/Goose_Bay|America/ Yakutat|America/Eirunepe|America/Winnipeg|America/Buenos_Aires|America/ Menominee|America/Paramaribo|America/Thule|America/Montreal|America/ Jamaica|America/Monterrey|America/St_Thomas|America/Rio_Branco|America/ Lima|America/Juneau|America/La_Paz|America/Vancouver|America/ Rankin_Inlet|America/Puerto_Rico|America/St_Kitts|America/Halifax|America/ Guayaquil|America/Inuvik|America/Noronha|America/Nassau|America/Port-auPrince|America/Guatemala|America/Glace_Bay|America/Nipigon|America/ Cordoba|America/Bahia|America/Asuncion|America/Maceio|America/Atka|America/ North_Dakota|America/North_Dakota/Center|America/Managua|America/ Anchorage|America/Montserrat|America/Tortola|America/Dawson_Creek|America/ Santo_Domingo|America/Pangnirtung|America/Whitehorse|America/ St_Vincent|America/Porto_Velho|America/Havana|America/Phoenix|America/ Rainy_River|Indian|Indian/Christmas|Indian/Reunion|Indian/Comoro|Indian/ Cocos|Indian/Mauritius|Indian/Antananarivo|Indian/Mahe|Indian/ Mayotte|Indian/Kerguelen|Indian/Chagos|Indian/Maldives|GMT0|Canada|Canada/ Yukon|Canada/Saskatchewan|Canada/Central|Canada/Eastern|Canada/EastSaskatchewan|Canada/Atlantic|Canada/Pacific|Canada/Mountain|Canada/ Newfoundland|MET|ROK|US|US/Alaska|US/East-Indiana|US/Central|US/Eastern|US/ Samoa|US/Arizona|US/Pacific|US/Aleutian|US/Hawaii|US/Mountain|US/ Michigan|US/Indiana-Starke|MST|Mexico|Mexico/BajaSur|Mexico/General|Mexico/ BajaNorte|EST5EDT|Atlantic|Atlantic/Madeira|Atlantic/Cape_Verde|Atlantic/ St_Helena|Atlantic/Stanley|Atlantic/South_Georgia|Atlantic/ Jan_Mayen|Atlantic/Azores|Atlantic/Reykjavik|Atlantic/Canary|Atlantic/ Faeroe|Atlantic/Bermuda|HST|Antarctica|Antarctica/McMurdo|Antarctica/ Davis|Antarctica/South_Pole|Antarctica/Vostok|Antarctica/Rothera|Antarctica/ Mawson|Antarctica/DumontDUrville|Antarctica/Palmer|Antarctica/ Casey|Antarctica/Syowa|UTC|Iceland|Pacific|Pacific/Honolulu|Pacific/ Truk|Pacific/Niue|Pacific/Wake|Pacific/Apia|Pacific/Majuro|Pacific/ Norfolk|Pacific/Efate|Pacific/Enderbury|Pacific/Palau|Pacific/ Saipan|Pacific/Nauru|Pacific/Kiritimati|Pacific/Tahiti|Pacific/Guam|Pacific/ Tongatapu|Pacific/Fiji|Pacific/Rarotonga|Pacific/Samoa|Pacific/ Fakaofo|Pacific/Guadalcanal|Pacific/Port_Moresby|Pacific/Midway|Pacific/ Galapagos|Pacific/Yap|Pacific/Johnston|Pacific/Marquesas|Pacific/ Noumea|Pacific/Auckland|Pacific/Gambier|Pacific/Kwajalein|Pacific/ Kosrae|Pacific/Wallis|Pacific/Easter|Pacific/Chatham|Pacific/ Funafuti|Pacific/Pago_Pago|Pacific/Tarawa|Pacific/Pitcairn|Pacific/ Ponape|EET|EST|Greenwich|GMT|Cuba|Brazil|Brazil/Acre|Brazil/East|Brazil/ DeNoronha|Brazil/West|Turkey|Arctic|Arctic/Longyearbyen|NZCHAT|Zulu|Israel|Jamaica|Etc|Etc/GMT-14|Etc/GMT+6|Etc/GMT-10|Etc/GMT-2|Etc/ GMT-8|Etc/GMT+4|Etc/GMT0|Etc/GMT-12|Etc/GMT+11|Etc/GMT-11|Etc/GMT+12|Etc/ UTC|Etc/GMT-3|Etc/Greenwich|Etc/GMT-9|Etc/GMT|Etc/GMT+2|Etc/Zulu|Etc/GMT4|Etc/GMT+7|Etc/GMT+1|Etc/GMT+8|Etc/GMT-7|Etc/GMT-6|Etc/GMT+10|Etc/GMT5|Etc/GMT+0|Etc/GMT-1|Etc/GMT+3|Etc/GMT+5|Etc/GMT-13|Etc/UCT|Etc/ Universal|Etc/GMT+9|Etc/GMT-0|NZ|Europe|Europe/Vienna|Europe/Athens|Europe/ Tiraspol|Europe/Lisbon|Europe/Rome|Europe/Bratislava|Europe/Andorra|Europe/ Sofia|Europe/Kaliningrad|Europe/Zurich|Europe/Belfast|Europe/Oslo|Europe/ Samara|Europe/Malta|Europe/Chisinau|Europe/Moscow|Europe/Paris|Europe/ Minsk|Europe/Zaporozhye|Europe/Amsterdam|Europe/Tallinn|Europe/ Uzhgorod|Europe/Brussels|Europe/Vatican|Europe/Vaduz|Europe/
Palo Alto Networks
435
San_Marino|Europe/Nicosia|Europe/Berlin|Europe/Vilnius|Europe/Monaco|Europe/ Istanbul|Europe/Belgrade|Europe/Stockholm|Europe/Riga|Europe/Madrid|Europe/ Gibraltar|Europe/Copenhagen|Europe/Skopje|Europe/Budapest|Europe/ Dublin|Europe/Bucharest|Europe/Helsinki|Europe/Prague|Europe/ Sarajevo|Europe/London|Europe/Tirane|Europe/Zagreb|Europe/Kiev|Europe/ Warsaw|Europe/Ljubljana|Europe/Simferopol|Europe/Mariehamn|Europe/ Luxembourg|Singapore|ROC|Kwajalein|Egypt|PST8PDT|GMT+0|Asia|Asia/ Kuwait|Asia/Kamchatka|Asia/Thimphu|Asia/Macau|Asia/Gaza|Asia/Thimbu|Asia/ Pyongyang|Asia/Vladivostok|Asia/Katmandu|Asia/Sakhalin|Asia/Muscat|Asia/ Ashkhabad|Asia/Ulan_Bator|Asia/Riyadh|Asia/Riyadh87|Asia/Calcutta|Asia/ Yerevan|Asia/Shanghai|Asia/Baghdad|Asia/Makassar|Asia/Oral|Asia/ Hong_Kong|Asia/Jayapura|Asia/Omsk|Asia/Almaty|Asia/Saigon|Asia/Magadan|Asia/ Chungking|Asia/Hovd|Asia/Brunei|Asia/Novosibirsk|Asia/Dacca|Asia/Qatar|Asia/ Ulaanbaatar|Asia/Krasnoyarsk|Asia/Kuching|Asia/Qyzylorda|Asia/Karachi|Asia/ Anadyr|Asia/Yakutsk|Asia/Seoul|Asia/Choibalsan|Asia/Macao|Asia/ Samarkand|Asia/Yekaterinburg|Asia/Aqtobe|Asia/Riyadh88|Asia/Nicosia|Asia/ Pontianak|Asia/Urumqi|Asia/Irkutsk|Asia/Taipei|Asia/Harbin|Asia/ Istanbul|Asia/Colombo|Asia/Tel_Aviv|Asia/Jakarta|Asia/Amman|Asia/ Bahrain|Asia/Tokyo|Asia/Chongqing|Asia/Ashgabat|Asia/Singapore|Asia/ Aqtau|Asia/Baku|Asia/Bishkek|Asia/Dili|Asia/Tbilisi|Asia/Beirut|Asia/ Riyadh89|Asia/Damascus|Asia/Aden|Asia/Dubai|Asia/Manila|Asia/Vientiane|Asia/ Tehran|Asia/Kashgar|Asia/Dushanbe|Asia/Kabul|Asia/Bangkok|Asia/Rangoon|Asia/ Jerusalem|Asia/Dhaka|Asia/Kuala_Lumpur|Asia/Tashkent|Asia/Phnom_Penh|Asia/ Ujung_Pandang|CET|PRC|Africa|Africa/Kinshasa|Africa/Ndjamena|Africa/ Mbabane|Africa/Lagos|Africa/El_Aaiun|Africa/Douala|Africa/Kampala|Africa/ Mogadishu|Africa/Tripoli|Africa/Conakry|Africa/Niamey|Africa/Asmera|Africa/ Khartoum|Africa/Lubumbashi|Africa/Kigali|Africa/Johannesburg|Africa/ Blantyre|Africa/Malabo|Africa/Gaborone|Africa/Lome|Africa/Algiers|Africa/ Addis_Ababa|Africa/Brazzaville|Africa/Dakar|Africa/Nairobi|Africa/ Cairo|Africa/Banjul|Africa/Bamako|Africa/Bissau|Africa/Libreville|Africa/ Sao_Tome|Africa/Casablanca|Africa/Timbuktu|Africa/Nouakchott|Africa/ Freetown|Africa/Monrovia|Africa/Ceuta|Africa/Dar_es_Salaam|Africa/ Lusaka|Africa/Abidjan|Africa/Bujumbura|Africa/Maseru|Africa/Bangui|Africa/ Windhoek|Africa/Accra|Africa/Djibouti|Africa/Ouagadougou|Africa/PortoNovo|Africa/Tunis|Africa/Maputo|Africa/Harare|Africa/ Luanda|UCT|GB|Universal|Australia|Australia/Hobart|Australia/ Lord_Howe|Australia/Perth|Australia/South|Australia/Yancowinna|Australia/ Currie|Australia/Tasmania|Australia/Queensland|Australia/NSW|Australia/ Lindeman|Australia/Melbourne|Australia/Adelaide|Australia/ Victoria|Australia/Canberra|Australia/West|Australia/Brisbane|Australia/ Broken_Hill|Australia/Darwin|Australia/ACT|Australia/North|Australia/ Sydney|Australia/LHI|Iran|WET|Libya|MST7MDT|Chile|Chile/EasterIsland|Chile/ Continental|GMT-0|Navajo; } setting { management { idle-timeout 1-1; max-rows-in-csv-export 1-1; max-backup-versions 1-1; max-audit-versions 1-1; panorama-tcp-receive-timeout 1-1; panorama-tcp-send-timeout 1-1; panorama-ssl-send-retries 1-1; } } } mgt-config { users {
436
Palo Alto Networks
REPEAT... <name> { phash <value>; authentication-profile <value>; client-certificate-only yes|no; preferences { disable-dns yes|no; saved-log-query { traffic { REPEAT... <name> { query <value>; } } threat { REPEAT... <name> { query <value>; } } url { REPEAT... <name> { query <value>; } } data { REPEAT... <name> { query <value>; } } config { REPEAT... <name> { query <value>; } } system { REPEAT... <name> { query <value>; } } } } permissions { role-based { superreader yes; OR... superuser yes; OR... panorama-admin yes; OR... custom { profile <value>; device-groups [ <device-groups1> <device-groups2>... ]; devices { REPEAT...
Palo Alto Networks
437
<name> { vsys [ <vsys1> <vsys2>... ]; } } } } } } } devices { REPEAT... <name> { hostname <value>; ip <value>; disable-config-backup yes|no; } } access-domain { REPEAT... <name> { device-groups [ <device-groups1> <device-groups2>... ]; devices { REPEAT... <name> { vsys [ <vsys1> <vsys2>... ]; } } } } }
predefined; shared { authentication-profile { REPEAT... <name> { lockout { failed-attempts 0-65535; lockout-time 0-65535; } allow-list [ <allow-list1> <allow-list2>... ]; method { acl; OR... radius { server-profile <value>; } OR... ldap { server-profile <value>; login-attribute <value>; } } } } client-certificate-profile { REPEAT...
438
Palo Alto Networks
<name> { username-field { subject common-name; OR... subject-alt email|principal-name; } domain <value>; CA { REPEAT... <name> { default-ocsp-url <value>; ocsp-verify-ca <value>; } } use-crl yes|no; use-ocsp yes|no; crl-receive-timeout 1-1; ocsp-receive-timeout 1-1; cert-status-timeout 0-65535; block-unknown-cert yes|no; block-timeout-cert yes|no; } } cert { REPEAT... <name> { vsys <value>; common-name <value>; expires <value>; } } cacert { REPEAT... <name> { vsys <value>; common-name <value>; expires <value>; } } caccacert { REPEAT... <name> { vsys <value>; common-name <value>; expires <value>; } } cacverifyca { REPEAT... <name> { vsys <value>; common-name <value>; expires <value>; } } importcert { REPEAT... <name> { vsys <value>;
Palo Alto Networks
439
common-name <value>; expires <value>; } } address { REPEAT... <name> { ip-netmask <ip/netmask>; OR... ip-range <ip-range>; } } address-group { REPEAT... <name> [ <entry1> <entry2>... ]; } threats { vulnerability { REPEAT... <name> { threatname <value>; affected-host { client yes|no; server yes|no; } comment <value>; severity <value>; direction <value>; default-action alert|reset-client|reset-server|reset-both|droppackets; cve [ <cve1> <cve2>... ]; bugtraq [ <bugtraq1> <bugtraq2>... ]; vendor [ <vendor1> <vendor2>... ]; reference [ <reference1> <reference2>... ]; signature { REPEAT... <name> { comment <value>; scope protocol-data-unit|session; order-free yes|no; and-condition { REPEAT... <name> { or-condition { REPEAT... <name> { operator { less-than { value 0-65535; context <value>; qualifier { REPEAT... <name> { value 1-1<value>; } } } OR... equal-to {
440
Palo Alto Networks
value 0-65535; context <value>; qualifier { REPEAT... <name> { value 1-1<value>; } } } OR... greater-than { value 0-65535; context <value>; qualifier { REPEAT... <name> { value 1-1<value>; } } } OR... pattern-match { pattern <value>; context <value>; qualifier { REPEAT... <name> { value 1-1<value>; } } } } } } } } } } } } spyware { REPEAT... <name> { threatname <value>; comment <value>; severity <value>; direction <value>; default-action alert|reset-client|reset-server|reset-both|droppackets; cve [ <cve1> <cve2>... ]; bugtraq [ <bugtraq1> <bugtraq2>... ]; vendor [ <vendor1> <vendor2>... ]; reference [ <reference1> <reference2>... ]; signature { REPEAT... <name> { comment <value>; scope protocol-data-unit|session; order-free yes|no;
Palo Alto Networks
441
and-condition { REPEAT... <name> { or-condition { REPEAT... <name> { operator { less-than { value 0-65535; context <value>; qualifier { REPEAT... <name> { value 1-1<value>; } } } OR... equal-to { value 0-65535; context <value>; qualifier { REPEAT... <name> { value 1-1<value>; } } } OR... greater-than { value 0-65535; context <value>; qualifier { REPEAT... <name> { value 1-1<value>; } } } OR... pattern-match { pattern <value>; context <value>; qualifier { REPEAT... <name> { value 1-1<value>; } } } } } } } } } } } }
442
Palo Alto Networks
} application { REPEAT... <name> { default { port [ <port1> <port2>... ]; OR... ident-by-ip-protocol 0-65535; } category <value>; subcategory <value>; technology <value>; description <value>; timeout 0-65535; tcp-timeout 0-65535; udp-timeout 0-65535; risk 1-1; evasive-behavior yes|no; consume-big-bandwidth yes|no; used-by-malware yes|no; able-to-transfer-file yes|no; has-known-vulnerability yes|no; tunnel-other-application yes|no; prone-to-misuse yes|no; pervasive-use yes|no; tunnel-applications yes|no; decoder <value>; file-type-ident yes|no; virus-ident yes|no; spyware-ident yes|no; data-ident yes|no; parent-app <value>; signature { REPEAT... <name> { comment <value>; scope protocol-data-unit|session; order-free yes|no; and-condition { REPEAT... <name> { or-condition { REPEAT... <name> { context <value>; pattern <value>; method <value>; } } } } } } } } override { application { REPEAT... <name> {
Palo Alto Networks
443
timeout 0-65535; tcp-timeout 0-65535; udp-timeout 0-65535; risk 1-1; } } } application-filter { REPEAT... <name> { category [ <category1> <category2>... ]; subcategory [ <subcategory1> <subcategory2>... ]; technology [ <technology1> <technology2>... ]; evasive yes; excessive-bandwidth-use yes; used-by-malware yes; transfers-files yes; has-known-vulnerabilities yes; tunnels-other-apps yes; prone-to-misuse yes; pervasive yes; risk [ <risk1> <risk2>... ]; } } application-group { REPEAT... <name> [ <entry1> <entry2>... ]; } service { REPEAT... <name> { protocol { tcp { port <0-65535,...>; } OR... udp { port <0-65535,...>; } } } } service-group { REPEAT... <name> [ <entry1> <entry2>... ]; } server-profile { ldap { REPEAT... <name> { non-admin-use yes|no; server { REPEAT... <name> { address <ip/netmask><value>; port 1-1; } } ssl yes|no;
444
Palo Alto Networks
base <value>; bind-dn <value>; bind-passwd <value>; timelimit 1-1; retry-interval 1-1; } } radius { REPEAT... <name> { non-admin-use yes|no; domain <value>; timeout 1-1; retries 1-1; checkgroup yes|no; server { REPEAT... <name> { ip-address <ip/netmask>; port 0-65535; secret <value>; } } } } } log-settings { snmptrap { REPEAT... <name> { server { REPEAT... <name> { manager <ip/netmask>; community <value>; } } } } syslog { REPEAT... <name> { server { REPEAT... <name> { server <ip/netmask>; port 1-1; facility LOG_USER|LOG_LOCAL0|LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|LOG_LOCAL5|L OG_LOCAL6|LOG_LOCAL7; } } } } email { REPEAT... <name> { server { REPEAT...
Palo Alto Networks
445
<name> { display-name <value>; from <value>; to <value>; and-also-to <value>; gateway <value>; } } } } system { informational { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } low { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } medium { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } high { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } }
446
Palo Alto Networks
critical { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } } config { any { send-to-panorama yes|no; send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } } profiles { REPEAT... <name> { alarm { informational { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } low { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } medium { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>;
Palo Alto Networks
447
} send-syslog { using-syslog-setting <value>; } } high { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } critical { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } } traffic { any { send-to-panorama yes|no; send-snmptrap { using-snmptrap-setting <value>; } send-email { using-email-setting <value>; } send-syslog { using-syslog-setting <value>; } } } } } } profiles { virus { REPEAT... <name> { description <value>; packet-capture yes|no; decoder { REPEAT... <name> { action default|allow|alert|block; } }
448
Palo Alto Networks
application { REPEAT... <name> { action default|allow|alert|block; } } threat-exception { REPEAT... <name>; } } } spyware { REPEAT... <name> { description <value>; phone-home-detection { simple { packet-capture yes|no; critical default|allow|alert|block; high default|allow|alert|block; medium default|allow|alert|block; low default|allow|alert|block; informational default|allow|alert|block; } OR... custom { REPEAT... <name> { packet-capture yes|no; action default|alert|drop|drop-all-packets|reset-both|resetclient|reset-server; } } } threat-exception { REPEAT... <name>; } } } vulnerability { REPEAT... <name> { description <value>; simple { packet-capture yes|no; client { critical default|allow|alert|block; high default|allow|alert|block; medium default|allow|alert|block; low default|allow|alert|block; informational default|allow|alert|block; } server { critical default|allow|alert|block; high default|allow|alert|block; medium default|allow|alert|block; low default|allow|alert|block;
Palo Alto Networks
449
informational default|allow|alert|block; } } OR... custom { REPEAT... <name> { packet-capture yes|no; action default|alert|drop|drop-all-packets|reset-both|resetclient|reset-server; } } threat-exception { REPEAT... <name>; } } } url-filtering { REPEAT... <name> { description <value>; dynamic-url yes|no; license-expired block|allow; action block|continue|override|alert|allow; block-list [ <block-list1> <block-list2>... ]; allow-list [ <allow-list1> <allow-list2>... ]; allow [ <allow1> <allow2>... ]; alert [ <alert1> <alert2>... ]; block [ <block1> <block2>... ]; continue [ <continue1> <continue2>... ]; override [ <override1> <override2>... ]; } } file-blocking { REPEAT... <name> { description <value>; rules { REPEAT... <name> { application [ <application1> <application2>... ]; file-type [ <file-type1> <file-type2>... ]; direction upload|download|both; action alert|block; } } } } custom-url-category { REPEAT... <name> { description <value>; list [ <list1> <list2>... ]; } } data-objects { REPEAT... <name> {
450
Palo Alto Networks
description <value>; credit-card-numbers { weight 0-65535; } social-security-numbers { weight 0-65535; } social-security-numbers-without-dash { weight 0-65535; } pattern { REPEAT... <name> { regex <value>; weight 0-65535; } } } } data-filtering { REPEAT... <name> { description <value>; data-capture yes|no; rules { REPEAT... <name> { data-object <value>; application [ <application1> <application2>... ]; file-type [ <file-type1> <file-type2>... ]; direction upload|download|both; alert-threshold 0-65535; block-threshold 0-65535; } } } } } admin-role { REPEAT... <name> { description <value>; role { panorama { webui { dashboard enable|disable; acc enable|disable; monitor { logs { traffic enable|disable; threat enable|disable; url enable|disable; configuration enable|disable; system enable|disable; data-filtering enable|disable; } app-scope enable|disable; pdf-reports { manage-pdf-summary enable|disable;
Palo Alto Networks
451
pdf-summary-reports enable|disable; user-activity-report enable|disable; report-groups enable|disable; email-scheduler enable|disable; } custom-reports { application-statistics enable|disable; data-filtering-log enable|disable; threat-log enable|disable; threat-summary enable|disable; traffic-log enable|disable; traffic-summary enable|disable; url-log enable|disable; } view-custom-reports enable|disable; application-reports enable|disable; threat-reports enable|disable; url-filtering-reports enable|disable; traffic-reports enable|disable; } policies { security-rulebase enable|read-only|disable; nat-rulebase enable|read-only|disable; ssl-decryption-rulebase enable|read-only|disable; application-override-rulebase enable|read-only|disable; captive-portal-rulebase enable|read-only|disable; qos-rulebase enable|read-only|disable; } objects { addresses enable|read-only|disable; address-groups enable|read-only|disable; applications enable|read-only|disable; application-groups enable|read-only|disable; application-filters enable|read-only|disable; services enable|read-only|disable; service-groups enable|read-only|disable; custom-url-category enable|read-only|disable; custom-signatures { data-patterns enable|read-only|disable; spyware enable|read-only|disable; vulnerability enable|read-only|disable; } security-profiles { antivirus enable|read-only|disable; anti-spyware enable|read-only|disable; vulnerability-protection enable|read-only|disable; url-filtering enable|read-only|disable; file-blocking enable|read-only|disable; data-filtering enable|read-only|disable; } security-profile-groups enable|read-only|disable; log-forwarding enable|read-only|disable; schedules enable|read-only|disable; } network { interfaces enable|read-only|disable; zones enable|read-only|disable; vlans enable|read-only|disable; virtual-wires enable|read-only|disable;
452
Palo Alto Networks
virtual-routers enable|read-only|disable; ipsec-tunnels enable|read-only|disable; dhcp enable|read-only|disable; ssl-vpn enable|read-only|disable; qos enable|read-only|disable; network-profiles { ike-gateways enable|read-only|disable; ipsec-crypto enable|read-only|disable; ike-crypto enable|read-only|disable; tunnel-monitor enable|read-only|disable; interface-mgmt enable|read-only|disable; zone-protection enable|read-only|disable; qos-profile enable|read-only|disable; } } device { setup enable|read-only|disable; config-audit enable|disable; managed-devices enable|disable; device-groups enable|disable; admin-roles enable|read-only|disable; administrators enable|read-only|disable; virtual-systems enable|read-only|disable; user-identification enable|read-only|disable; high-availability enable|read-only|disable; certificates enable|read-only|disable; block-pages enable|read-only|disable; log-settings { system enable|read-only|disable; config enable|read-only|disable; } server-profile { snmp-trap enable|read-only|disable; syslog enable|read-only|disable; email enable|read-only|disable; radius enable|read-only|disable; ldap enable|read-only|disable; } local-user-database { users enable|read-only|disable; user-groups enable|read-only|disable; } authentication-profile enable|read-only|disable; client-certificate-profile enable|read-only|disable; access-domain enable|read-only|disable; scheduled-log-export enable|disable; software enable|read-only|disable; ssl-vpn-client enable|read-only|disable; dynamic-updates enable|read-only|disable; licenses enable|read-only|disable; support enable|read-only|disable; deployment { software enable|read-only|disable; ssl-vpn-client enable|read-only|disable; dynamic-updates enable|read-only|disable; licenses enable|read-only|disable; } } privacy {
Palo Alto Networks
453
show-full-ip-addresses enable|disable; show-user-names-in-logs-and-reports enable|disable; view-pcap-files enable|disable; } commit enable|disable; } cli superuser|superreader; } } } } profile-group { REPEAT... <name> { virus [ <virus1> <virus2>... ]; spyware [ <spyware1> <spyware2>... ]; vulnerability [ <vulnerability1> <vulnerability2>... ]; url-filtering [ <url-filtering1> <url-filtering2>... ]; file-blocking [ <file-blocking1> <file-blocking2>... ]; data-filtering [ <data-filtering1> <data-filtering2>... ]; } } schedule { REPEAT... <name> { recurring { weekly { sunday [ <sunday1> <sunday2>... ]; monday [ <monday1> <monday2>... ]; tuesday [ <tuesday1> <tuesday2>... ]; wednesday [ <wednesday1> <wednesday2>... ]; thursday [ <thursday1> <thursday2>... ]; friday [ <friday1> <friday2>... ]; saturday [ <saturday1> <saturday2>... ]; } OR... daily [ <daily1> <daily2>... ]; } OR... non-recurring [ <non-recurring1> <non-recurring2>... ]; } } report-group { REPEAT... <name> { title-page yes|no; custom-widget { REPEAT... <name> { predefined-report <value>; OR... custom-report <value>; OR... pdf-summary-report <value>; } } variable { REPEAT... <name> {
454
Palo Alto Networks
value <value>; } } } } email-scheduler { REPEAT... <name> { report-group <value>; email-profile <value>; recipient-emails <value>; recurring { disabled; OR... daily; OR... weekly sunday|monday|tuesday|wednesday|thursday|friday|saturday; } } } pdf-summary-report { REPEAT... <name> { header { caption <value>; } footer { note <value>; } predefined-widget { REPEAT... <name> { chart-type pie|line|bar|table; row 1-1; column 1-1; } } custom-widget { REPEAT... <name> { chart-type pie|line|bar|table; row 1-1; column 1-1; } } } } reports { REPEAT... <name> { disabled yes|no; query <value>; caption <value>; frequency daily|weekly; start-time <value>; end-time <value>; period last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendarweek|last-30-days;
Palo Alto Networks
455
topn 1-1; topm 1-1; type { appstat { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; group-by serial|category-of-name|name|risk|subcategory-ofname|technology-of-name|container-of-name|quarter-hour-of-receive_time|hourof-receive_time|day-of-receive_time; values [ <values1> <values2>... ]; labels [ <labels1> <labels2>... ]; sortby nbytes|npkts|nsess|nthreats; } OR... threat { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; group-by serial|action|app|category|category-ofapp|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|na tsrc|outbound_if|proto|risk-ofapp|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technologyof-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hourof-receive_time|day-of-receive_time; values [ <values1> <values2>... ]; labels [ <labels1> <labels2>... ]; sortby repeatcnt; } OR... url { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; group-by serial|action|app|category|category-ofapp|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|n atsport|natsrc|outbound_if|proto|risk-ofapp|rule|severity|sport|src|srcuser|subcategory-of-app|technology-ofapp|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-ofreceive_time|day-of-receive_time; values [ <values1> <values2>... ]; labels [ <labels1> <labels2>... ]; sortby repeatcnt; } OR... data { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; group-by serial|action|app|category-ofapp|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|n atsport|natsrc|outbound_if|proto|risk-ofapp|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technologyof-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hourof-receive_time|day-of-receive_time; values [ <values1> <values2>... ]; labels [ <labels1> <labels2>... ]; sortby repeatcnt; } OR... thsum { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; group-by serial|app|category-of-app|dst|dstuser|risk-ofapp|rule|severity-of-threatid|src|srcuser|subcategory-ofapp|subtype|technology-of-app|container-of-app|threatid|quarter-hour-ofreceive_time|hour-of-receive_time|day-of-receive_time; values [ <values1> <values2>... ];
456
Palo Alto Networks
labels [ <labels1> <labels2>... ]; sortby count; } OR... traffic { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; group-by serial|action|app|category|category-ofapp|dport|dst|dstuser|flags|from|inbound_if|natdport|natdst|natsport|natsrc| outbound_if|proto|risk-of-app|rule|sport|src|srcuser|subcategory-ofapp|technology-of-app|container-of-app|to|vsys|quarter-hour-ofreceive_time|hour-of-receive_time|day-of-receive_time; values [ <values1> <values2>... ]; labels [ <labels1> <labels2>... ]; sortby bytes|elapsed|packets|repeatcnt; } OR... trsum { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; group-by serial|app|category|category-of-app|dst|dstuser|from|riskof-app|rule|src|srcuser|subcategory-of-app|technology-of-app|container-ofapp|to|quarter-hour-of-receive_time|hour-of-receive_time|day-ofreceive_time; values [ <values1> <values2>... ]; labels [ <labels1> <labels2>... ]; sortby bytes|sessions; } OR... panorama-threat { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; group-by serial|action|app|category|category-ofapp|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|na tsrc|outbound_if|proto|risk-ofapp|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technologyof-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hourof-receive_time|day-of-receive_time; values [ <values1> <values2>... ]; labels [ <labels1> <labels2>... ]; sortby repeatcnt; } OR... panorama-url { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; group-by serial|action|app|category|category-ofapp|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|n atsport|natsrc|outbound_if|proto|risk-ofapp|rule|severity|sport|src|srcuser|subcategory-of-app|technology-ofapp|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-ofreceive_time|day-of-receive_time; values [ <values1> <values2>... ]; labels [ <labels1> <labels2>... ]; sortby repeatcnt; } OR... panorama-data { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; group-by serial|action|app|category-ofapp|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|n atsport|natsrc|outbound_if|proto|risk-ofapp|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technology-
Palo Alto Networks
457
of-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hourof-receive_time|day-of-receive_time; values [ <values1> <values2>... ]; labels [ <labels1> <labels2>... ]; sortby repeatcnt; } OR... panorama-traffic { aggregate-by [ <aggregate-by1> <aggregate-by2>... ]; group-by serial|action|app|category|category-ofapp|dport|dst|dstuser|flags|from|inbound_if|natdport|natdst|natsport|natsrc| outbound_if|proto|risk-of-app|rule|sport|src|srcuser|subcategory-ofapp|technology-of-app|container-of-app|to|vsys|quarter-hour-ofreceive_time|hour-of-receive_time|day-of-receive_time; values [ <values1> <values2>... ]; labels [ <labels1> <labels2>... ]; sortby bytes|elapsed|packets|repeatcnt; } } } } }
458
Palo Alto Networks
Appendix B PAN-OS CLI KEYBOARD SHORTCUTS

This appendix lists the supported keyboard shortcuts and Editor Macros (EMACS) commands supported in the PAN-OS CLI. Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the Esc key.
Table 6 lists the keyboard shortcuts.
Table 6. Keyboard Shortcuts Item

Commands for Moving beginning-of-line (C-a) end-of-line (C-e) forward-char (C-f) backward-char (C-b) forward-word (M-f) backward-word (M-b) clear-screen (C-l) Move to the start of the current line. Move to the end of the line. Move forward a character. Move back a character. Move forward to the end of the next word. Words consist of alphanumeric characters (letters and digits). Move back to the start of this, or the previous, word. Words consist of alphanumeric characters (letters and digits). Clear the screen and place the current line at the top of the screen. If an argument is included, refresh the current line without clearing the screen.
Description
Commands for Manipulating Command History accept-line (Newline, Return) previous-history (C-p) next-history (C-n) beginning-of-history (M-<) end-of-history (M->) reverse-search-history (C-r) Accept the line regardless of where the cursor is. If the line is non-empty, add it to the history list. If the line is a modified history line, then restore the history line to its original state. Fetch the previous command from the history list, moving back in the list. Fetch the next command from the history list, moving forward in the list. Move to the first line in the history. Move to the end of the input history (the line currently being entered). Search backward starting at the current line and moving up through the history as necessary. This is an incremental search.
Palo Alto Networks
459
Table 6. Keyboard Shortcuts (Continued) Item

forward-search-history (C-s) non-incremental-reverse-searchhistory (M-p) non-incremental-forward-searchhistory (M-n) Commands for Changing Text delete-char (C-d) backward-delete-char (backspace) transpose-chars (C-t) Delete the character under the cursor. If point is at the beginning of the line, there are no characters in the line, and the last character typed was not C-d, then return EOF. Delete the character behind the cursor. Drag the character before point forward over the character at point. Point moves forward as well. If point is at the end of the line, then transpose the two characters before point. Drag the word behind the cursor past the word in front of the cursor moving the cursor over that word as well. Make the current (or following) word uppercase. With a negative argument, do the previous word, but do not move point. Make the current (or following) word lowercase. With a negative argument, change the previous word, but do not move point. Capitalize the current (or following) word. With a negative argument, do the previous word, but do not move point.
Description
Search forward starting at the current line and moving down through the history as necessary. This is an incremental search. Search backward through the history starting at the current line using a non-incremental search for a string supplied by the user. Search forward through the history using a non-incremental search for a string supplied by the user.
transpose-words (M-t) upcase-word (M-u) downcase-word (M-l) capitalize-word (M-c) Deleting and Yanking Text kill-line (C-k) backward-kill-line (Cx backspace) unix-line-discard (Cu) kill-word (M-d) backward-kill-word (Mbackspace) unix-word-backspace (C-w) yank (C-y) yank-pop (M-y) Completing Commands complete (TAB) possible-completions (?)
Delete the text from the current cursor position to the end of the line. Delete backward to the beginning of the line. Delete backward from point to the beginning of the line Delete from the cursor to the end of the current word, or if between words, to the end of the next word. Word boundaries are the same as those used by forward-word. Delete the word behind the cursor. Word boundaries are the same as those used by backward-word. Delete the word behind the cursor, using white space as a word boundary. The word boundaries are different from backward-kill-word. Place the top of the deleted section into the buffer at the cursor. Rotate the kill-ring, and yank the new top. Only works following yank or yank-pop.
Attempt to perform completion on the text before point. List the possible completions of the text before point.
460
Palo Alto Networks
Table 6. Keyboard Shortcuts (Continued) Item

undo (C-_, C-x C-u) revert-line (M-r)
Description
Perform an incremental undo, separately remembered for each line. Undo all changes made to this line. This is like typing the undo command enough times to return the line to its initial state.
Performing Miscellaneous Functions
Table 7 lists the EMACS commands.
Table 7. EMACS Commands Command

C-A C-B C-D C-E C-F C-G C-H C-I C-J C-K C-L C-M C-N C-P C-R C-S C-T C-U C-W C-Y C-_
Description
beginning-of-line backward-char delete-char end-of-line forward-char abort backward-delete-char complete accept-line kill-line clear-screen accept-line next-history previous-history reverse-search-history forward-search-history transpose-chars unix-line-discard unix-word-backspace yank undo
Emacs Standard bindings
Emacs Meta bindings M-C-H M-C-R M-< M-> backward-kill-word revert-line beginning-of-history end-of-history
Palo Alto Networks
461
Table 7. EMACS Commands (Continued) Command

? M-B M-C M-D M-F M-L M-N M-P M-R M-T M-U M-Y
Description
possible-completions backward-word capitalize-word kill-word forward-word downcase-word non-incremental-forward-search-history non-incremental-reverse-search-history revert-line transpose-words upcase-word yank-pop
462
Palo Alto Networks
Index
Symbols
# prompt 15 + option symbol 18 > option symbol 18 > prompt 15 ? symbol 17 configuration mode hierarchy 24 prompt 15 understanding 21 configure command 237 control key 18 conventions, typographical 10 copy command 37 critical errors, switching to maintenance mode 429
A
accessing the CLI 14
B
banner 15, 26 bootloader recovery 431 bootup 428
D
debug authd command 238, 279 debug cli command 239 debug cryptod command 240 debug dataplane command 241 debug device-server command 251 debug dhcpd command 256 debug dnsproxyd command 257 debug global-protect command 258 debug high-availability-agent command 259 debug ike command 260 debug keymgr command 261 debug l3svc command 262 debug ldap-server command 263 debug log-receiver command 264 debug management-server command 265 debug master-service command 267 debug netconfig-agent command 268 debug pppoed command 269 debug rasmgr command 270 debug routing command 271 debug software command 273 debug sslmgr command 276 debug ssl-vpn command 275 debug swm command 278 debug tac-login command 280 debug vardata-receiver command 281 delete command 38, 238, 268, 279 diagnostics 431 disk image 431
C
CC mode 316 changing modes 16 check command 35 clear command 232 CLI accessing 14 configuration mode 13 EMACS commands 461 keyboard shortcuts 459 operational model 13 prompt 15 structure 13 commands 28 conventions 15 display 28 messages 16 monitoring and troubleshooting 28 navigation 28 network access 28 option symbols 18 options 17 understanding 15 commit command 21, 36 configuration hierarchy 24 hierarchy paths 25
463 Index
Palo Alto Networks
E
edit banner 26 edit command banner 15 using 27, 39 errors, switching to maintenance mode 429 esc key 18 Ethernet interfaces 20 ethernet1/n 20 exit command 40, 284
modes changing 16, 17 configuration 21 operational 28 move command 43
N
navigating hierarchy 26 netstat command 289
F
factory reset 431 file system check (FSCK) 431 FIPS mode 316, 431 ftp command 285
O
operational mode command types 28 prompt 15 using 28
G
getting started 14 grep command 286
P
packet capture 249 Panorama hierarchy 433 password, maintenance mode 431 ping command 291 privilege levels 20
H
hierarchy configuration 24 navigating 26 new elements 26 Panorama 433 paths 25 hostname 15
Q
quit command 44, 293
R
rename command 45 request anti-virus command 295 request certificate command 297 request commit-lock command 299 request config-lock command 300 request content upgrade command 301 request data-filtering command 294, 303 request device-registration command 304 request global-protect-client command 305 request global-protect-gateway command 306 request global-protect-portal command 307 request high-availability command 308 request license command 309 request master-key command 310 request password-hash command 311 request quota-enforcement command 312 request restart command 313 request ssl-vpn command 314 request support command 315, 318 request system command 316 request url-filtering command 319 request vpnclient command 320 rollback 431 run command 46
I
interfaces 20
K
keyboard shortcuts 18, 459
L
less command 287 load command 41 ls command 288
M
maintenance mode about 427 diagnostics 431 entering automatically 429 entering upon bootup 428 password 431 serial console message 429 SSH message 430 web interface message 429 meta key 18
464 Index
Palo Alto Networks
S
save command 21, 47 schedule command 321 scp export command 322 scp import command 324 self-test 316 serial console maintenance mode 427 message 429 set address command 48 set address-group command 49 set application command 50 set application dump command 326 set application-filter command 53 set application-group command 55 set captive-portal command 56 set cli command 328, 331 set clock command 330 set command 186 set deviceconfig high-availability command 58 set deviceconfig setting command 64 set deviceconfig system command 71 set display-name command 78 set email-scheduler command 79 set global-protect command 80 set ldap-server command 83 set management-server command 332 set mgt-config command 84 set network dhcp command 86 set network dns-proxy command 88 set network ike command 90 set network interface command 94 set network profiles command 98 set network qos command 103 set network shared-gateway command 105 set network tunnel command 113 set network virtual-router bgp command 119 set network virtual-router command 117 set network virtual-router ospf command 131 set network virtual-router redist-profile command 134 set network virtual-router rip command 136 set network virtual-wire command 138 set network vlan command 139 set pan-agent command 140 set panorama command 333 set password command 334 set pdf-summary-report command 141 set profile-group command 142 set profiles command 143 set region command 156 set report-group command 157 set reports command 158 set rulebase command 163 set schedule command 172 set serial-number command 335 set service command 173 set service-group command 174 set session command 336
set setting command 175 set shared admin-role command 176 set shared allowed-applications command 183 set shared authentication-profile command 184 set shared botnet command 187 set shared certificate command 189 set shared client-certificate-profile command 190 set shared email-scheduler command 191 set shared local-user-database command 192 set shared log-settings command 193 set shared pdf-summary-report command 198 set shared report-group command 199 set shared reports command 200 set shared response-page command 205 set shared server-profile command 206 set shared ssl-decrypt command 208 set shared-override command 197 set ssl-decrypt command 209 set ssl-vpn command 210 set system setting command 338 set threats command 211 set ts-agent command 216 set url-admin-override command 217 set url-content-types command 218 set userid-agent command 219 set vsys import command 220 set zone command 222 shortcuts 18 show admins command 340 show arp command 341 show authentication command 342 show cli command 343, 344 show clock command 345 show command 24, 223 show commit-locks command 346 show config command 347 show config-locks command 348 show counter command 349 show device command 350 show devicegroups command 352 show device-messages command 351 show dhcp command 353 show dns-proxy command 354 show dos-protection command 355 show fips-mode command 356 show global-protect-gateway command 357 show high-availability command 358 show interface command 360 show jobs command 361 show location command 362 show log command 363 show mac command 371 show management-clients command 372 show neighbor command 373 show ntp command 374 show object command 375 show panorama-certificate command 376 show panorama-status command 377 show pbf command 378
Palo Alto Networks
Index 465
show pppoe command 379 show predefined command 224 show qos command 380 show query command 381 show report command 382 show resource command 384 show routing command 385 show running command 390 show session command 394 show ssl-vpn command 398 show statistics command 400 show system command 401 show threat command 404 show user pan-agent command 405 show virtual-wire command 407 show vlan command 408 show vpn command 409 show zone-protection command 411 ssh command 412 syntax checking 16 system 28 system information 431
T
tail command 413 telnet command 414 test command 415 tftp export command 419 tftp import command 421 top command 27, 225 traceroute command 423 typographical conventions 10
U
up command 27, 226 user name 15 user privileges 20
V
view-pccap command 425
466 Index
Palo Alto Networks

PAN-OS ™ Command Line Interface Reference Guide

Uploaded by

Copyright:

Available Formats

PAN-OS ™ Command Line Interface Reference Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PAN-OS ™ Command Line Interface Reference Guide

Uploaded by

Copyright:

Available Formats

What is the purpose of this document?

What is the purpose of this document?

What topics are covered in the document?

What topics are covered in the document?

PAN-OS Command Line Interface Reference Guide

1/16/11 Third/Final Review Draft- Palo Alto Networks COMPANY CONFIDENTIAL

Understanding the PAN-OS CLI Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Chapter 2 Understanding CLI Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Understanding Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Palo Alto Networks

Chapter 3 Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Palo Alto Networks

Chapter 4 Operational Mode Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Palo Alto Networks

Palo Alto Networks

Palo Alto Networks

414 415 419 421 423 425

Chapter 5 Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Entering Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Using

Palo Alto Networks

About This Guide

Palo Alto Networks

Palo Alto Networks

Notes, Cautions, and Warnings

Obtaining More Information

Palo Alto Networks

Palo Alto Networks

Understanding the PAN-OS CLI Structure

Chapter 3 describes each mode in detail.

Palo Alto Networks

Before You Begin

Use the following settings for direct console connection:

Accessing the PAN-OS CLI

Palo Alto Networks

Understanding the PAN-OS CLI Commands

Understanding the PAN-OS CLI Command Conventions

Palo Alto Networks

Understanding Command Messages

Example: Changing modes

Example: Invalid syntax

Palo Alto Networks

Using Operational and Configuration Modes

Displaying the PAN-OS CLI Command Options

To display a list of operational commands, enter ? at the command prompt.

Palo Alto Networks

Using Keyboard Shortcuts

Understanding Command Option Symbols

Table 1. Option Symbols Symbol

Palo Alto Networks

Restricting Command Output

Palo Alto Networks

app-version: 25-150 threat-version: 0 url-filtering-version: 0 logdb-version: 1.0.8 username@hostname>

The following sample displays only the system model information:

Understanding Privilege Levels

Table 2. Privilege Levels Level

Referring to Firewall Interfaces

Figure 1. Firewall Ethernet Interfaces

Palo Alto Networks

Understanding CLI Command Modes