Release 3.1
Table of Contents
Preface 7
  Organization 7
  Typographical Conventions 8
  Related Documentation 9
  Technical Support 9
Chapter 1  Introduction 11
Chapter 2  Understanding CLI Command Modes 21
  Understanding Operational Mode 28
  Setting the Output Format for Configuration Commands 28
Chapter 3  Configuration Mode Commands 31
  check 32
  commit 33
  copy 34
  delete 35
  edit 36
  exit 37
  load 38
  move 39
  quit 40
  rename 41
  run 42
  save 43
  set 44
  show 45
  top 46
  up 47
Chapter 4  Operational Mode Commands 49
  clear 53
  configure 55
  debug captive-portal 56
  debug cli 57
  debug cpld 58
  debug dataplane 59
  debug device-server 61
  debug dhcpd 62
  debug high-availability-agent 63
  debug ike 64
  debug keymgr 65
  debug ldap-server 66
  debug log-receiver 67
  debug management-server 68
  debug master-service 69
  debug pppoed 70
  debug rasmgr 71
  debug routing 72
  debug software 73
  debug ssl-vpn 74
  debug sslmgr 75
  debug swm 76
  debug tac-login 77
  debug vardata-receiver 78
  delete 79
  exit 81
  grep 82
  less 84
  netstat 85
  ping 86
  quit 88
  request anti-virus 89
  request certificate 90
  request comfort-page 92
  request content 93
  request data-filtering 94
  request device-registration 95
  request high-availability 96
  request license 97
  request password-hash 98
  request restart 99
  request ssl-decrypt 100
  request ssl-vpn 101
  request support 102
  request system 103
  request tech-support 104
  request url-filtering 105
  request vpnclient 106
  scp 107
  set application 110
  set cli 111
  set clock 113
  set data-access-password 114
  set management-server 115
  set panorama 116
  set password 117
  set serial-number 118
  set session 119
  set system setting 121
  show admins 123
  show arp 124
  show authentication 125
  show chassis-ready 126
  show cli 127
  show clock 128
  show config 129
  show counter 130
  show device 131
  show device-messages 132
  show devicegroups 133
  show dhcp 134
  show fips-mode 135
  show high-availability 136
  show interface 137
  show jobs 138
  show location 139
  show log 140
  show mac 142
  show management-clients 143
  show management-interface 144
  show object 145
  show panorama-certificate 146
  show pbf 147
  show pppoe 148
  show qos 149
  show query 150
  show report 151
  show routing 152
  show running 156
  show session 158
  show ssl-vpn 161
  show statistics 162
  show system 163
  show system setting 165
  show threat 167
  show user 168
  show virtual-wire 169
  show vlan 170
  show vpn 171
  show zone-protection 173
  ssh 174
  tail 175
  telnet 176
  test 177
  tftp 179
  traceroute 181
  view-pcap 183
Chapter 5  Maintenance Mode 185
Appendix A  Configuration Hierarchy 191
Appendix B  PAN-OS CLI Keyboard Shortcuts 313
Index 317
Preface
This preface contains the following sections:
- Organization on page 7
- Typographical Conventions on page 8
- Related Documentation on page 9
- Technical Support on page 9

Organization
This guide is organized as follows:
Preface 7
- Chapter 5, Maintenance Mode: Describes how to enter Maintenance mode and use the Maintenance mode options.

Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.

Convention                                Meaning                                                                  Example
boldface                                  Names of commands, keywords, and selectable items in the web interface
italics
courier font
courier bold font                                                                                                  # exit
[ ] (text enclosed in square brackets)    Optional parameters.
| (pipe symbol)                           Separates alternatives, only one of which can be used.

Symbol     Description
NOTE       Indicates helpful suggestions or supplementary information.
CAUTION    Indicates information about which the reader should be careful to avoid data loss or equipment failure.
WARNING    Indicates potential danger that could involve bodily injury.

Related Documentation
The following additional documentation is provided with the firewall:
- Quick Start
- Online help: Click Help in the upper right corner of the GUI to access the online help system.

Technical Support
For technical support, use the following methods:
- Go to http://support.paloaltonetworks.com.
Chapter 1
Introduction
This chapter introduces and describes how to use the PAN-OS command line interface (CLI):
- Operational mode: View the state of the system, navigate the PAN-OS CLI, and enter Configuration mode.

Getting Started
This section describes how to access and begin using the PAN-OS CLI.
Use the following serial settings for a console connection:
  Data bits: 8
  Parity: none
  Stop bits: 1
The PAN-OS CLI opens in Operational mode, and the CLI prompt is displayed:
username@hostname>

In Operational mode the prompt ends with >. When you enter Configuration mode, the prompt changes from > to #:
username@hostname>              (Operational mode)
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#              (Configuration mode)
In Configuration mode, the current hierarchy context is shown by the [edit ...] banner presented in square brackets when a command is issued. Refer to Using the Edit Command on page 27 for additional information on the edit command.
Each time you enter a command the syntax is checked. If the syntax is correct, the command is
executed, and the candidate hierarchy changes are recorded. If the syntax is incorrect, an
invalid syntax message is presented, as in the following example:
username@hostname# set zone application 1.1.2.2
Unrecognized command
Invalid syntax.
[edit]
username@hostname#
To enter Configuration mode from Operational mode, use the configure command:
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#
To leave Configuration mode and return to Operational mode, use the quit or exit
command:
username@hostname# quit
Exiting configuration mode
username@hostname>
To enter an Operational mode command while in Configuration mode, use the run
command, as described in run on page 42.
To display the available options for a specified command, enter the command followed by ?.
Example:
username@hostname> ping ?
+ bypass-routing     Bypass routing table, use specified interface
+ count              Number of requests to send (1..2000000000 packets)
+ do-not-fragment    Don't fragment echo request packets (IPv4)
+ inet               Force to IPv4 destination
+ interface          Source interface (multicast, all-ones, unrouted packets)
+ interval           Delay between requests (seconds)
+ no-resolve         Don't attempt to print addresses symbolically
+ pattern            Hexadecimal fill pattern
+ record-route       Record and report packet's path (IPv4)
+ size               Size of request packets (0..65468 bytes)
+ source             Source address of echo request
+ tos                IP type-of-service value (0..255)
+ ttl                IP time-to-live value (IPv6 hop-limit value) (0..255 hops)
+ verbose            Display detailed output
+ wait               Delay after sending last packet (seconds)
<host>               Hostname or IP address of remote host
username@hostname> ping
The help output marks options with the following symbols:
Symbol    Description
>         There are additional command options for this command at this level.

Example: This command output shows options designated with + and >.
username@hostname# set
+ action
+ application
+ description
+ destination
+ disabled
+ from
+ log-end
+ log-setting
+ log-start
+ negate-destination
+ negate-source
+ schedule
+ service
+ source
+ to
> profiles
<Enter>
[edit]
username@hostname# set
Example:
The following sample output is for the show system info command:
username@hostname> show system info
hostname: PA-HDF
ip-address: 10.1.7.10
netmask: 255.255.0.0
default-gateway: 10.1.0.1
mac-address: 00:15:E9:2E:34:33
time: Fri Aug 17 13:51:49 2007
uptime: 0 days, 23:19:23
devicename: PA-HDF
family: i386
model: pa-4050
serial: unknown
sw-version: 1.5.0.0-519
app-version: 25-150
threat-version: 0
url-filtering-version: 0
logdb-version: 1.0.8
username@hostname>
The following administrator roles are available:
Role          Description
superuser     Has full access to the firewall and can define new administrator accounts and virtual systems.
superreader   Has read-only access to the firewall.
vsysadmin     Has full access to a selected virtual system on the firewall.
vsysreader    Has read-only access to a selected virtual system on the firewall.
[Figure: front-panel numbering of the Ethernet interfaces, ethernet1/1 through ethernet1/16, arranged in two rows of odd-numbered and even-numbered ports.]
Chapter 2
Understanding CLI Command Modes

After entering a configuration command, save the candidate configuration to a named snapshot:
[edit]
username@hostname# save config to snapshot.xml
Config saved to .snapshot.xml
[edit]
username@hostname#
Note: If you exit Configuration mode without issuing the save or commit command, your configuration changes could be lost if power is lost to the firewall.

[Figure: relationship between the candidate, saved, and active configurations. set changes the candidate configuration; save writes the candidate configuration to the saved configuration; load reads a saved configuration back into the candidate configuration; commit makes the candidate configuration the active configuration.]
Maintaining a candidate configuration and separating the save and commit steps confers
important advantages when compared with traditional CLI architectures:
Distinguishing between the save and commit concepts allows multiple changes to be
made at the same time and reduces system vulnerability.
For example, if you want to remove an existing security policy and add a new one, using
a traditional CLI command structure would leave the system vulnerable for the period of
time between removal of the existing security policy and addition of the new one. With
the PAN-OS approach, you configure the new security policy before the existing policy is
removed, and then implement the new policy without leaving a window of vulnerability.
[Figure: the network branch of the configuration hierarchy before the change. network contains profiles, interface, vlan, virtual-wire, virtual-router and aggregate-ethernet nodes; interface contains ethernet (ethernet1/1 through ethernet1/4, each with link-duplex, link-state, link-speed and virtual-wire settings, for example link-duplex auto, link-state up, link-speed 1000), vlan and loopback nodes. The figure also shows service, service-group, setting and ssl-exclude-cert nodes.]
The following set command assigns a Layer 3 IP address to ethernet1/4:
[edit]
username@hostname# set network interface ethernet ethernet1/4 layer3 ip 10.1.1.12/24
This command generates a new element in the hierarchy, as shown in Figure 4 and in the output of the following show command:
[edit]
username@hostname# show network interface ethernet ethernet1/4
ethernet1/4 {
    layer3 {
        ip {
            10.1.1.12/24;
        }
    }
}
[edit]
username@hostname#
[Figure 4: the same network branch after the set command; ethernet1/4 now contains ip 10.1.1.12/24.]
[edit] indicates that the relative context is the top level of the hierarchy, whereas [edit network profiles] indicates the network profiles level.
Use the commands listed in Table 3 to navigate through the configuration hierarchy.

Table 3. Navigation commands
Command   Description
edit      Change context to a lower level of the hierarchy (for example, edit interface issued at the network level, [edit network], moves to the network interface level, [edit network interface]).
up        Change context to the next higher level (for example, from the network interface level back to the network level, [edit network]).
top       Change context to the top level, [edit].
Note: The set command issued after using the up and top commands starts from the new context.

Operational mode commands fall into the following categories, among others:
- Network access: Open a window to another host. Includes the ssh and telnet commands (telnet carries the session, including credentials, in cleartext; prefer ssh).
- PAN-OS CLI navigation commands: Enter Configuration mode or exit the PAN-OS CLI. Includes the configure, exit, and quit commands.
XML option:
[edit deviceconfig]
username@hostname# show system log-export-schedule
<log-export-schedule>
  <entry name="10.16.0.97">
    <description>10.16.0.97</description>
    <enable>yes</enable>
    <log-type>threat</log-type>
    <start-time>03:00</start-time>
    <protocol>
      <ftp>
        <hostname>10.16.0.97</hostname>
        <port>21</port>
        <passive-mode>yes</passive-mode>
        <username>admin</username>
        <password>mZDB7rbW5y8=</password>
      </ftp>
    </protocol>
  </entry>
</log-export-schedule>
[edit deviceconfig]
username@hostname#

set option:
[edit deviceconfig]
username@hostname# show system log-export-schedule
set system log-export-schedule 10.16.0.97 description 10.16.0.97
set system log-export-schedule 10.16.0.97 enable yes
set system log-export-schedule 10.16.0.97 log-type threat
set system log-export-schedule 10.16.0.97 start-time 03:00
set system log-export-schedule 10.16.0.97 protocol ftp hostname

Note that both output formats include the FTP account password for the export target (in encoded form), and that FTP transmits that password and the exported logs in cleartext on the wire. Treat configuration exports as sensitive, and prefer an encrypted transport for log export where one is available.
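The XML and set-format views above are two renderings of the same hierarchy. The following script is an added example, not part of this guide or of PAN-OS: it parses a PAN-OS XML fragment, emits the equivalent set-format lines, and reports log-export schedules that use a cleartext transport. The input is a constructed copy of the log-export-schedule fragment shown above; the choice to treat ftp as cleartext, to redact the <password> value, and the "system" path prefix (the [edit deviceconfig] context) are assumptions of the example.

```python
"""Added example, not from the PAN-OS guide or Palo Alto Networks: read a
PAN-OS XML configuration fragment, emit the equivalent set-format lines,
and flag log-export schedules that use a cleartext transport."""
import xml.etree.ElementTree as ET

# Constructed input: a copy of the fragment printed by
# "show system log-export-schedule" on the page, password value as shown there.
SAMPLE_XML = """<log-export-schedule>
<entry name="10.16.0.97">
<description>10.16.0.97</description>
<enable>yes</enable>
<log-type>threat</log-type>
<start-time>03:00</start-time>
<protocol>
<ftp>
<hostname>10.16.0.97</hostname>
<port>21</port>
<passive-mode>yes</passive-mode>
<username>admin</username>
<password>mZDB7rbW5y8=</password>
</ftp>
</protocol>
</entry>
</log-export-schedule>"""

# Assumptions for this example: ftp is the cleartext transport to flag, and
# <password> is the only secret-bearing tag in the fragment.
CLEARTEXT_PROTOCOLS = {"ftp"}
SECRET_TAGS = {"password"}


def xml_to_set(xml_text, prefix=("system",)):
    """Return one 'set ...' line per leaf value, mirroring the set-format
    output relative to the [edit deviceconfig] context. <entry name="X">
    contributes X to the path. Secret values are replaced with <redacted>
    so the lines can be pasted into a ticket (the device prints them as-is)."""
    root = ET.fromstring(xml_text)
    lines = []

    def walk(node, path):
        children = list(node)
        if not children:                      # leaf: emit its value
            value = (node.text or "").strip()
            if node.tag in SECRET_TAGS:
                value = "<redacted>"
            lines.append("set " + " ".join(path + [value]))
            return
        for child in children:
            step = child.get("name") if child.tag == "entry" else child.tag
            walk(child, path + [step])

    walk(root, list(prefix) + [root.tag])
    return lines


def audit_export_protocols(xml_text):
    """Return (entry name, transport) for every enabled schedule whose
    transport is in CLEARTEXT_PROTOCOLS; those send the account password
    and the exported logs across the network unprotected."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.iter("entry"):
        if (entry.findtext("enable") or "").strip() != "yes":
            continue                          # disabled schedules never export
        protocol = entry.find("protocol")
        if protocol is None:
            continue
        for transport in protocol:
            if transport.tag in CLEARTEXT_PROTOCOLS:
                findings.append((entry.get("name"), transport.tag))
    return findings


if __name__ == "__main__":
    for line in xml_to_set(SAMPLE_XML):
        print(line)
    for name, transport in audit_export_protocols(SAMPLE_XML):
        print(f"WARNING: schedule {name} exports logs over cleartext {transport}")
```

Feed the script the output of show in XML format for any subtree; the walk is generic, so it also works for the ethernet1/4 layer3 example earlier in this chapter, with the prefix adjusted to the [edit] context the output was taken from.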
Chapter 3
Configuration Mode Commands
This chapter describes the following Configuration mode commands:
- check on page 32
- commit on page 33
- copy on page 34
- delete on page 35
- edit on page 36
- exit on page 37
- load on page 38
- move on page 39
- quit on page 40
- rename on page 41
- run on page 42
- save on page 43
- set on page 44
- show on page 45
- top on page 46
- up on page 47
check
Check configuration status.
Syntax
check option
Options
data-access-passwd
pending-changes       Reports whether the candidate configuration contains changes that have not been committed (yes or no).
Sample Output
The following command shows that there are currently no uncommitted changes.
username@hostname# check pending-changes
no
[edit]
username@hostname#
Because commit activates the entire candidate configuration, run check pending-changes before committing to confirm that changes are actually pending.
commit
Make the current candidate configuration the active configuration on the firewall.
Syntax
commit
Options
None
Sample Output
The following command makes the current candidate configuration the active configuration.
username@hostname# commit
copy
Make a copy of a node in the hierarchy along with its children, and add the copy to the same hierarchy level.
Syntax
copy [node1] to [node2]
Options
node1    Existing node to copy.
node2    Name of the new copy.
Sample Output
The following command, executed from the rulebase security level of the hierarchy, makes a copy of rule1, called rule2.
[edit rulebase security]
username@hostname# copy rules rule1 to rule2
[edit rulebase security]
username@hostname#
The following command shows the location of the new rule in the hierarchy.
[edit rulebase security]
username@hostname# show
security {
    rules {
        rule1 {
            source [ any 1.1.1.1/32 ];
            destination 1.1.1.2/32;
        }
        rule2 {
            source [ any 1.1.1.1/32 ];
            destination 1.1.1.2/32;
        }
    }
}
delete
Remove a node from the candidate configuration along with all its children.
Note: No confirmation is requested when this command is entered.
Syntax
delete [node]
Options
node
Sample Output
The following command deletes the application myapp from the candidate configuration.
username@hostname# delete application myapp
[edit]
username@hostname#
edit
Change context to a lower level in the configuration hierarchy.
Syntax
edit [context]
Options
context    Hierarchy level to enter, relative to the current context.
Sample Output
The following command changes context from the top level to the rulebase level of the hierarchy.
[edit]
username@hostname# edit rulebase
[edit rulebase]
username@hostname#
exit
Exit from the current PAN-OS CLI level.
- From Operational mode: Exits the PAN-OS CLI.
- From the top level of Configuration mode ([edit]): Returns to Operational mode.
- From Configuration mode, lower hierarchy levels: Changes context to one level up in the hierarchy. Provides the same result as the up command.
Note: The exit command is the same as the quit command.
Syntax
exit
Options
None
Sample Output
The following command changes context from the network interface level to the network level.
[edit network interface]
username@hostname# exit
[edit network]
username@hostname#
load
Assigns the last saved configuration or a specified configuration to be the candidate configuration.
Syntax
load config [from filename]
Options
filename    Name of a previously saved configuration file. If omitted, the last saved configuration is loaded.
Sample Output
The following command assigns output.xml to be the candidate configuration.
[edit]
username@hostname# load config from output.xml
command succeeded
[edit]
username@hostname#
Loading replaces the current candidate configuration, so any uncommitted changes in it are discarded; run check pending-changes first if you are unsure whether work is pending.
move
Relocate a node in the hierarchy along with its children to another location at the same hierarchy level.
Syntax
move element [bottom | top | after element2 | before element2]
Options
element      Node to relocate.
placement    One of the following:
  bottom           Move element to the end of the list.
  top              Move element to the beginning of the list.
  after element2   Place element immediately after element2.
  before element2  Place element immediately before element2.
Sample Output
The following command moves the security rule rule1 to the top of the rule base.
username@hostname# move rulebase security rules rule1 top
[edit]
username@hostname#
Because security rules are evaluated in order, moving a rule changes which rule handles matching traffic; review the rule base with show (from [edit rulebase security]) before committing.
quit
Exit from the current PAN-OS CLI level.
- From Operational mode: Exits the PAN-OS CLI.
- From the top level of Configuration mode ([edit]): Returns to Operational mode.
- From Configuration mode, lower hierarchy levels: Changes context to one level up in the hierarchy. Provides the same result as the up command.
Note: The exit and quit commands are interchangeable.
Syntax
quit
Options
None
Sample Output
The following command changes context from the log-settings level to the top level.
[edit log-settings]
username@hostname# quit
[edit]
username@hostname#
rename
Change the name of a node in the hierarchy.
Syntax
rename [node1] to [node2]
Options
node1    Current name of the node.
node2    New name for the node.
Sample Output
The following command changes the name of a node in the hierarchy from 1.1.1.1/24 to 1.1.1.2/24.
username@hostname# rename network interface vlan ip 1.1.1.1/24 to 1.1.1.2/24
run
Execute an Operational mode command while in Configuration mode.
Syntax
run [command]
Options
command    Operational mode command to execute.
Sample Output
The following command executes a ping command to the IP address 1.1.1.2 from Configuration mode.
username@hostname# run ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
...
username@hostname#
save
Saves a snapshot of the firewall configuration.
Note: This command saves the configuration on the firewall, but does not make
the configuration active. Use the commit command to make the current candidate
configuration active.
Syntax
save config [to filename]
Options
filename
Specifies the filename to store the configuration. The filename cannot include
a hyphen (-).
Sample Output
The following command saves a copy of the configuration to the file savefile.
[edit]
username@hostname# save config to savefile
Config saved to savefile
[edit]
username@hostname#
set
Changes a value in the candidate configuration. Changes are retained while the firewall is powered until overwritten.
Note: To save the candidate configuration in non-volatile storage, use the save command. To make the candidate configuration active, use the commit command.
Syntax
set [context]
Options
context    Hierarchy path and value to set, relative to the current [edit] context.
Sample Output
The following command assigns the ethernet1/1 interface to be a virtual wire interface.
[edit]
username@hostname# set network interface ethernet ethernet1/1 virtual-wire
[edit]
username@hostname#
The following command sets the VLAN IP address to 1.1.1.4/32 from the network interface vlan level of the hierarchy.
[edit network interface vlan]
username@hostname# set ip 1.1.1.4/32
[edit network interface vlan]
username@hostname#
The following command locks an administrative user out for 15 minutes after 5 failed login attempts.
[edit]
username@hostname# set deviceconfig setting management admin-lockout 5 lockout-time 15
[edit]
username@hostname#
show
Display information about the current candidate configuration.
Syntax
show [context]
Options
context    Hierarchy level to display. If omitted, the hierarchy below the current [edit] context is shown.
Sample Output
The following command shows the full candidate hierarchy.
[edit]
username@hostname# show
The following commands display the hierarchy segment for network interface. Use the edit command to move to that level of the hierarchy, and then use the show command without specifying a context:
[edit]
username@hostname# edit network interface
[edit network interface]
username@hostname# show
top
Change context to the top hierarchy level.
Syntax
top
Options
None
Sample Output
The following command changes context from the network level of the hierarchy to the top
level.
[edit network]
username@hostname# top
[edit]
username@hostname#
up
Change context to the next higher hierarchy level.
Syntax
up
Options
None
Sample Output
The following command changes context from the network interface level of the hierarchy to
the network level.
[edit network interface]
username@hostname# up
[edit network]
username@hostname#
Chapter 4
Operational Mode Commands
This chapter describes the Operational mode commands, including the following:
- clear on page 53
- configure on page 55
- delete on page 79
- exit on page 81
- grep on page 82
- less on page 84
- netstat on page 85
- ping on page 86
- quit on page 88
clear
clear
Reset information, counters, sessions, or statistics.
Syntax
clear application-signature statistics
clear arp option
clear counter option
clear dhcp lease option
clear high-availability option
clear job option
clear log option
clear mac option
clear nat-rule-cache option
clear pbf option
clear pppoe option
clear query option
clear report option
clear routing option
clear session option
clear statistics option
clear url-cache option
clear user-cache option
clear vpn option
Options
application-signature statistics
arp
counter
dhcp lease
high-availability
job
log
Removes log files from disk. Specify the log type: acc, config, system,
threat, or traffic.
mac
nat-rule-cache
pbf
pppoe
query
report
routing
session
statistics
vpn
Sample Output
The following command clears the session with ID 2245.
username@hostname> clear session id 2245
Session 2245 cleared
username@hostname>
configure
Enter Configuration mode.
Syntax
configure
Options
None
Sample Output
To enter Configuration mode from Operational mode, enter the following command.
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#
debug captive-portal
Define settings for debugging the captive portal daemon.
Syntax
debug captive-portal option
Options
show
off
on
Sample Output
The following command turns the debugging option on.
admin@PA-HDF> debug captive-portal on
admin@PA-HDF>
debug cli
Define settings and display information for debugging the CLI connection.
Syntax
debug cli option
Options
detail
show
off
on
Sample Output
The following command shows details of the CLI connection.
admin@PA-HDF> debug cli detail
Environment variables :
(USER . admin)
(LOGNAME . admin)
(HOME . /home/admin)
(PATH . /usr/local/bin:/bin:/usr/bin)
(MAIL . /var/mail/admin)
(SHELL . /bin/bash)
(SSH_CLIENT . 10.31.1.104 1109 22)
(SSH_CONNECTION . 10.31.1.104 1109 10.1.7.2 22)
(SSH_TTY . /dev/pts/0)
(TERM . vt100)
(LINES . 24)
(COLUMNS . 80)
(PAN_BASE_DIR . /opt/pancfg/mgmt)
PAN_BUILD_TYPE : DEVELOPMENT
debug cpld
Debug the complex programmable logic device (CPLD).
Syntax
debug cpld
Options
None
Sample Output
N/A
debug dataplane
Configure settings for debugging the data plane.
Syntax
debug dataplane option
Options
The available sub-options depend on the specified option.
device
flow-control
fpga
internal
memory
monitor
nat
packet-diag
pool
pow
process
Debug the data plane process for the high-availability agent (ha-agent)
and management plane relay agent (mprelay).
reset
show
task-heartbeat
tcp
test
Sample Output
The following command shows the statistics for the dataplane buffer pools.
admin@PA-HDF> debug dataplane pool statistics
The following command turns dataplane filtering on and sets filter parameters.
admin@PA-HDF> debug dataplane filter on
admin@PA-HDF> debug dataplane filter set source 10.1 11.2.3 file abc.pcap
debug device-server
Configure settings for debugging the device server.
Syntax
debug device-server option
Options
clear
delete
Remove data.
dump
off
on
refresh
reset
save
Save data.
set
show
test
unset
Sample Output
The following command turns off debug logging for the device server.
admin@PA-HDF> debug device-server off
admin@PA-HDF>
debug dhcpd
Configure settings for debugging the Dynamic Host Configuration Protocol (DHCP) daemon.
Syntax
debug dhcpd option
Options
global
pcap
Sample Output
The following command shows current global DHCP daemon settings.
admin@PA-HDF> debug dhcpd global show
sw.dhcpd.runtime.debug.level: debug
admin@PA-HDF>
debug high-availability-agent
Configure settings for debugging the high availability agent.
Syntax
debug high-availability-agent option
Options
clear
internal-dump
model-check
off
on
show
Sample Output
The following command turns model checking on for the high availability agent.
admin@PA-HDF> debug high-availability-agent model-check on
admin@PA-HDF>
debug ike
Configure settings for debugging Internet Key Exchange (IKE) daemon.
Syntax
debug ike option
Options
global
pcap
socket
stat
Sample Output
The following command turns on the global options for debugging the IKE daemon.
admin@PA-HDF> debug ike global on
admin@PA-HDF>
debug keymgr
Configure settings for debugging the key manager daemon.
Syntax
debug keymgr option
Options
list-sa
Lists the IPSec security associations (SAs) that are stored in the key manager
daemon.
off
on
show
Sample Output
The following command shows the current information on the key manager daemon.
admin@PA-HDF> debug keymgr show
sw.keymgr.debug.global: normal
admin@PA-HDF>
debug ldap-server
Configure settings for debugging Lightweight Directory Access Protocol (LDAP) servers.
Syntax
debug ldap-server option
Options
clear
off
on
stats
Sample Output
The following command sets the debug level to error.
admin@PA-HDF> debug ldap-server on
debug level set to error
admin@PA-HDF>
debug log-receiver
Configure settings for debugging the log receiver daemon.
Syntax
debug log-receiver option
Options
off
on
show
statistics
Sample Output
The following command turns log receiver debugging on.
admin@PA-HDF> debug log-receiver on
admin@PA-HDF>
debug management-server
Configure settings for debugging the management server.
Syntax
debug management-server option
Options
clear
client
off
on
phased-commit
show
Sample Output
The following example turns management server debugging on.
admin@PA-HDF> debug management-server on
(null)
admin@PA-HDF>
debug master-service
Configure settings for debugging the master service.
Syntax
debug master-service option
Options
clear
internal-dump
off
on
show
Sample Output
The following command dumps the internal state of the master server to the log.
admin@PA-HDF> debug master-service internal-dump
admin@PA-HDF>
debug pppoed
Configure settings for debugging the Point-to-Point Protocol over Ethernet (PPPoE) daemon.
Syntax
debug pppoed option
Options
global
pcap
show interface
Sample Output
The following command turns packet capture debugging off.
admin@PA-HDF> debug pppoed pcap off
debug level set to error
admin@PA-HDF>
debug rasmgr
Configure settings for debugging the remote access service daemon.
Syntax
debug rasmgr option
Options
show
off
on
Sample Output
The following command shows the debug settings for the remote access service daemon.
admin@PA-HDF> debug rasmgr show
sw.rasmgr.debug.global: normal
admin@PA-HDF>
debug routing
Configure settings for debugging the route daemon.
Syntax
debug routing option
Options
fib
global
list-mib
Shows the routing list with management information base (MIB) names.
mib
pcap
socket
Sample Output
The following command displays the MIB tables for routing.
admin@PA-HDF> debug routing list-mib
i3EmuTable (1 entries)
==========================
sckTable (0 entries)
sckSimInterfaceTable (0 entries)
sckEiTable (0 entries)
sckEaTable (0 entries)
i3Table (0 entries)
i3EiTable (0 entries)
i3EaTable (0 entries)
i3EtTable (0 entries)
i3EmTable (0 entries)
dcSMLocationTable (0 entries)
dcSMHMTestActionObjects (0 entries)
siNode (0 entries)
siOSFailures (0 entries)
siTraceControl (0 entries)
siExecAction (0 entries)
...
admin@PA-HDF>
debug software
Restart software processes to aid debugging.
Syntax
debug software restart option
Options
device-server
management-server
web-server
Sample Output
The following command restarts the web server.
admin@PA-HDF> debug software restart web-server
admin@PA-HDF>
debug ssl-vpn
Set debugging options for the Secure Sockets Layer (SSL) virtual private network (VPN) web server.
Syntax
debug ssl-vpn <global | socket>
Options
global
socket
Sample Output
The following command displays socket level information.
admin@PA-HDF> debug ssl-vpn socket
Proto Recv-Q Send-Q Local Address    Foreign Address    State    PID/Program name
tcp   0      0      0.0.0.0:20077    0.0.0.0:*          LISTEN   1674/appweb
tcp   0      0      0.0.0.0:20088    0.0.0.0:*          LISTEN   1674/appweb
admin@PA-HDF>
debug sslmgr
Set debugging options for the Secure Sockets Layer (SSL) manager daemon, which validates certificates against Certificate Revocation Lists (CRLs) and by the Online Certificate Status Protocol (OCSP).
Syntax
debug sslmgr option
Options
delete
off
on
save
show
statistics
tar-all-crl
view
Sample Output
The following command displays the CRL cache.
admin@PA-HDF> debug sslmgr view crl
http://EVIntl-crl.verisign.com/EVIntl2006.crl
http://EVSecure-crl.verisign.com/EVSecure2006.crl
http://EVSecure-crl.verisign.com/pca3-g5.crl
http://SVRC3SecureSunMicrosystems-MPKI-crl.verisign.com/SunMicrosystemsIncClassBUnified/LatestCRLSrv.crl
http://SVRIntl-crl.verisign.com/SVRIntl.crl
http://SVRSecure-crl.verisign.com/SVRSecure2005.crl
http://certificates.godaddy.com/repository/gdroot.crl
...
admin@PA-HDF>
debug swm
Configure settings for debugging the Palo Alto Networks software manager.
Syntax
debug swm option
Options
command
history
list
refresh
revert
status
unlock
Sample Output
The following command shows the list of available software versions.
admin@PA-HDF> debug swm list
3.1.0-c4.dev
3.1.0-c1.dev_base
3.0.0-c207
3.0.0-c206
admin@PA-HDF>
debug tac-login
Configure settings for debugging the Palo Alto Networks Technical Assistance Center (TAC)
connection.
Syntax
debug tac-login option
Options
enable
disable
permanently-disable
Sample Output
The following command turns TAC login debugging on.
admin@PA-HDF> debug tac-login on
admin@PA-HDF>
debug vardata-receiver
Configure settings for debugging the variable data daemon.
Syntax
debug vardata-receiver option
Options
off
on
show
statistics
Sample Output
The following command shows statistics for the variable data daemon.
admin@PA-HDF> debug vardata-receiver statistics
admin@PA-HDF>
delete
Remove specified types of files from disk or restore the default comfort pages that are
presented when files or URLs are blocked.
Syntax
delete option
Options
admin-sessions
anti-virus
application-block-page
captive-portal-text
certificate
config
config-audit
content
core
data-capture
debug-filter
file-block-page
high-availability
license
logo
pcap
policy-cache
report
software
ssl-cert-status-page
ssl-optout-text
sslvpn-custom-login-page
threat-pcap
unknown-pcap
url-block-page
url-coach-text
user-file
virus-block-page
vpnclient
Sample Output
The following command deletes the custom page presented to users when their applications
are blocked.
username@hostname> delete application-block-page
username@hostname>
exit
Exit the PAN-OS CLI.
Note: The exit command is the same as the quit command.
Syntax
exit
Options
None
Sample Output
N/A
grep
Find and list lines from log files that match a specified pattern.
Syntax
grep [after-context number] [before-context number] [context number] [count] [ignore-case <yes | no>] [invert-match <yes | no>] [line-number <yes | no>] [max-count number] [no-filename <yes | no>] [pattern value] <dp-log | mp-log> file
Options
after-context
Prints the matching lines plus the specified number of lines that follow the
matching lines.
before-context
Prints the matching lines plus the specified number of lines that precede the
matching lines.
context
Prints the specified number of lines in the file for output context.
count
ignore-case
invert-match
line-number
max-count
no-filename
pattern
dp-log | mp-log
file
Indicates the type of file and file name to search for the pattern:
dp-log: Logs associated with the data plane.
mp-log: Logs associated with the management plane.
Sample Output
The following command searches the brdagent.log file for occurrences of the string HEARTBEAT.
username@hostname> grep dp-log sysdagent.log pattern HEARTBEAT
Jan 20 14:35:48 HEARTBEAT: Heartbeat failure on core 4
Jan 20 14:35:53 HEARTBEAT: Heartbeat failure on core 1
Jan 20 14:35:54 HEARTBEAT: Heartbeat failure on core 8
Jan 20 14:35:55 HEARTBEAT: Heartbeat failure on core 2
Jan 20 14:35:56 HEARTBEAT: Heartbeat failure on core 5
Jan 20 14:35:56 HEARTBEAT: Heartbeat failure on core 15
Jan 20 14:35:56 HEARTBEAT: Heartbeat failure on core 3
Jan 20 14:35:57 HEARTBEAT: Heartbeat failure on core 7
Jan 20 14:35:57 HEARTBEAT: Heartbeat failure on core 6
username@hostname>
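The grep options listed above (after-context, before-context, context, count, ignore-case, invert-match, line-number, max-count) have the same meaning as in GNU grep. The Python below is an added example, not PAN-OS code and not from this guide, that applies those options to a constructed data-plane log sample; the HEARTBEAT lines follow the page's sample output, the INFO lines are made up for contrast, and the "--" group separator and the ":"/"-" line-number markers are GNU grep conventions assumed here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a data-plane log file (offline input for the example).
SAMPLE_LOG = [
    "Jan 20 14:35:40 INFO: sysdagent started",
    "Jan 20 14:35:48 HEARTBEAT: Heartbeat failure on core 4",
    "Jan 20 14:35:50 INFO: link state change ethernet1/1 up",
    "Jan 20 14:35:53 HEARTBEAT: Heartbeat failure on core 1",
    "Jan 20 14:35:54 HEARTBEAT: Heartbeat failure on core 8",
    "Jan 20 14:36:01 INFO: heartbeat recovered on core 4",
]


@dataclass
class GrepOptions:
    """One field per grep option from the syntax above (no-filename omitted:
    only one file is searched here, so no filename prefix is ever printed)."""
    pattern: str
    after_context: int = 0
    before_context: int = 0
    context: int = 0
    count: bool = False
    ignore_case: bool = False
    invert_match: bool = False
    line_number: bool = False
    max_count: Optional[int] = None


def grep_lines(lines: List[str], opts: GrepOptions) -> List[str]:
    """Return the output lines grep would print for `lines` under `opts`."""
    regex = re.compile(opts.pattern, re.IGNORECASE if opts.ignore_case else 0)

    # Pass 1: which lines are selected (invert-match flips the test,
    # max-count stops the scan after that many selected lines).
    matched: List[int] = []
    for idx, line in enumerate(lines):
        is_hit = regex.search(line) is not None
        if is_hit != opts.invert_match:
            matched.append(idx)
            if opts.max_count is not None and len(matched) >= opts.max_count:
                break
    if opts.count:
        return [str(len(matched))]

    # Pass 2: expand each match by its context window; `context` sets both
    # sides, the one-sided options can enlarge either side further.
    before = max(opts.before_context, opts.context)
    after = max(opts.after_context, opts.context)
    selected = set()
    for idx in matched:
        selected.update(range(max(0, idx - before), min(len(lines), idx + after + 1)))

    hits = set(matched)
    out: List[str] = []
    previous = None
    for idx in sorted(selected):
        # Non-adjacent groups are separated by "--" when context is in use.
        if previous is not None and idx != previous + 1 and (before or after):
            out.append("--")
        if opts.line_number:
            marker = ":" if idx in hits else "-"   # "-" marks a context line
            out.append(f"{idx + 1}{marker}{lines[idx]}")
        else:
            out.append(lines[idx])
        previous = idx
    return out


if __name__ == "__main__":
    for line in grep_lines(SAMPLE_LOG, GrepOptions("HEARTBEAT", line_number=True)):
        print(line)
```

Running the module prints the three HEARTBEAT lines prefixed with their line numbers; max-count with before-context is the combination to use when a log is large and only the first occurrences and what preceded them matter.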
less
List the contents of the specified log file.
Syntax
less type file
Options
type
file
Sample Output
The following command lists the contents of the web server error log.
username@hostname>
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
...
netstat
Displays packet capture file content.
Syntax
netstat type <no | yes>
Options
type
no | yes
Sample Output
The following command shows an excerpt from the output of the netstat command.
username@hostname> netstat all yes
...
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags    Type    State      I-Node Path
unix  2      [ ACC ]  STREAM  LISTENING  5366   /tmp/ssh-lClRtS1936/agent.1936
unix  2      [ ]      DGRAM              959    @/org/kernel/udev/udevd
unix  18     [ ]      DGRAM              4465   /dev/log
...
ping
Check network connectivity to a host.
Syntax
ping [bypass-routing] [count] [do-not-fragment] [inet] [no-resolve] [pattern] [size] [source] [tos] [ttl] host
Options
bypass-routing
Sends the ping request directly to the host on a direct attached network,
bypassing usual routing table.
count
do-not-fragment
inet
interval
Specifies how often the ping packets are sent (0 to 2000000000 seconds).
no-resolve
pattern
Specifies a custom string to include in the ping request. You can specify up to 12 padding bytes to fill out the packet that is sent, as an aid in diagnosing data-dependent problems.
size
source
tos
Specifies the type of service (TOS) treatment for the packets by way of the TOS
bit for the IP header in the ping packet.
ttl
Specifies the time-to-live (TTL) value for the ping packet (IPv6 hop-limit
value) (0-255 hops).
verbose
host
Sample Output
The following command checks network connectivity to the host 66.102.7.104, specifying 4
ping packets and complete details of the transmission.
username@hostname> ping count 4 verbose 66.102.7.104
PING 66.102.7.104 (66.102.7.104) 56(84) bytes of data.
64 bytes from 66.102.7.104: icmp_seq=0 ttl=243 time=316 ms
64 bytes from 66.102.7.104: icmp_seq=1 ttl=243 time=476 ms
64 bytes from 66.102.7.104: icmp_seq=2 ttl=243 time=376 ms
64 bytes from 66.102.7.104: icmp_seq=3 ttl=243 time=201 ms
--- 66.102.7.104 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 201.718/342.816/476.595/99.521 ms, pipe 2
username@hostname>
quit
Exit the current session for the firewall.
Note: The quit command is the same as the exit command.
Syntax
quit
Options
None
Sample Output
N/A
request anti-virus
Upgrade and downgrade anti-virus packages and obtain information about the packages.
Syntax
request anti-virus downgrade install <previous | package>
request anti-virus upgrade check
request anti-virus upgrade download latest [sync-to-peer <no | yes>]
request anti-virus upgrade info
request anti-virus upgrade install [commit <no | yes>] [sync-to-peer <no | yes>] [file name | version latest]
Options
previous
package
check
latest
info
sync-to-peer
Indicates whether a copy of the package will be provided to another high-availability peer firewall.
commit
file
version
Sample Output
The following command displays information on the anti-virus packages that are available for
installation.
username@hostname> request anti-virus upgrade info
Version  Size  Released on          Downloaded
------------------------------------------------------------------------
46-93    44MB  2009/11/19 11:50:38  yes
username@hostname>
request certificate
Generate a self-signed security certificate.
Syntax
request certificate install for-use-by option
request certificate self-signed option
request certificate verify for-use-by web-interface option
Options
install for-use-by
self-signed
Requests the certificate for the embedded web interface. Options include:
certificate: Public certificate file.
key: Private key file.
passphrase: Pass phrase for decrypting the private key (required).
Sample Output
The following command requests a self-signed certificate for the web interface with a 1024-bit key (nbits 1024) and the IP address 1.1.1.1 as its name.
username@hostname> request certificate self-signed nbits 1024 name 1.1.1.1 for-use-by web-interface
username@hostname>
request comfort-page
Installs a user-defined comfort page.
Syntax
request comfort-page install option
Options
application-block-page
file-block-page
spyware-block-page
url-block-page
virus-block-page
request content
Perform application level upgrade operations.
Syntax
request content upgrade [check | download latest | info | install
latest]
Options
check
download latest
info
install latest
Sample Output
The following command lists information about the firewall server software.
username@hostname> request content upgrade check
Version  Size  Released on          Downloaded
------------------------------------------------------------------------
13-25    10MB  2007/04/19 15:25:02  yes
username@hostname>
request data-filtering
Assign passwords for data filtering.
Syntax
request data-filtering access-password option
Options
create password pword
delete
Sample Output
The following command assigns the specified password for data filtering.
username@hostname> request data-filtering access-password create password
mypwd
username@hostname>
request device-registration
Perform device registration.
Syntax
request device-registration username user password pwd
Options
username
user
password
pwd
Sample Output
The following command registers the device with the specified user name and password.
username@hostname> request device-registration username admin password adminpwd
username@hostname>
request high-availability
Perform high-availability operations.
Syntax
request high-availability option
Options
clear-alarm-led
state <functional | suspended>
sync-to-remote option
Sample Output
The following command sets the high-availability state of the device to the suspended state.
username@hostname> request high-availability state suspend
username@hostname>
request license
Perform license-related operations.
Syntax
request license [fetch [auth-code] | info | install]
Options
fetch
auth-code
info
install
Sample Output
The following command requests a new license key with the authentication code 123456.
username@hostname> request license fetch auth-code 123456
username@hostname>
request password-hash
Generate a hashed string for the user password.
Syntax
request password-hash password pwd
Options
pwd
Specify the clear text password that requires the hash string.
Sample Output
The following command generates a hash of the specified password.
username@hostname> request password-hash password mypassword
$1$flhvdype$qupuRAx4SWWuZcjhxn0ED.
request restart
Restart the system or software modules.
CAUTION: Using this command causes the firewall to reboot, resulting in the
temporary disruption of network traffic. Unsaved or uncommitted changes will be
lost.
Syntax
request restart [dataplane | software | system]
Options
dataplane
software
system
Sample Output
The following command restarts all the firewall software.
username@hostname> request restart software
request ssl-decrypt
Installs a user-defined Secure Sockets Layer (SSL) decryption notification page.
Syntax
request ssl-decrypt install option
Options
ssl-cert-status-page
ssl-optout-text
Sample Output
The following command installs an SSL certification block comfort page.
username@hostname> request ssl-decrypt install ssl-cert-status-page
username@hostname>
request ssl-vpn
Forces logout from a Secure Sockets Layer (SSL) virtual private network (VPN) session.
Syntax
request ssl-vpn client-logout option
Options
option
Sample Output
The following command forces a logout of the specified user.
username@hostname> request ssl-vpn client-logout domain paloaltonetworks.com
port sslportal user ssmith reason force-logout
request support
Obtain technical support information.
Syntax
request support [check | info]
Options
check
Get support information from the Palo Alto Networks update server.
info
Sample Output
The following command shows downloaded support information.
username@hostname> request support info
0
Support Home: https://support.paloaltonetworks.com
Manage Cases: https://support.paloaltonetworks.com/pa-portal/index.php?option=com_pan&task=viewcases&Itemid=100
Download User Identification Agent: https://support.paloaltonetworks.com/pa-portal/index.php?option=com_pan&task=sw_updates&Itemid=135
866-898-9087
support@paloaltonetworks.com
November 07, 2009
Standard
10 x 5 phone support; repair and replace hardware service
username@hostname>
request system
Download system software or request information about the available software packages.
Syntax
request system [fips [self-test-failure] | private-data-reset | software [check | download [file | version] | info | install [file | version] name]]
Options
fips self-test-failure
Simulates a system failure and reboot for Federal Information Processing Standards (FIPS) 140-2.
private-data-reset
Removes all of the logs and resets the configuration but does not reset content and software versions.
check
download
info
install
Sample Output
The following command requests information about the software packages that are available
for download.
username@hostname> request system software info
Version  Filename                 Size   Released             Downloaded
------------------------------------------------------------------------
3.0.1    panos.4050-3.0.1.tar.gz  127MB  2010/02/07 00:00:00  no
3.1.0    panos.4050-3.1.0.tar.gz  127MB  2009/02/07 00:00:00  no
username@hostname>
request tech-support
Obtain information to assist technical support in troubleshooting.
Syntax
request tech-support dump
Options
None
Sample Output
The following command creates a dump for technical support.
username@hostname> request tech-support dump
Exec job enqueued with jobid 1
1
request url-filtering
Perform URL filtering operations.
Syntax
request url-filtering option
Options
upgrade
download
status
Sample Output
The following command upgrades the BrightCloud database.
username@hostname> request url-filtering upgrade brightcloud
request vpnclient
Perform VPN client package operations.
Syntax
request vpnclient software option
Options
check
download
info
install
Sample Output
The following command displays information about the available software packages.
username@hostname> request vpnclient software info
Version    Size   Released on          Downloaded
------------------------------------------------------------------------
1.0.0-c54  916KB  2009/03/04 15:04:33  no
1.0.0-c53  916KB  2009/03/04 14:09:17  no
1.0.0-c52  916KB  2009/03/04 11:49:51  no
1.0.0-c51  916KB  2009/03/03 16:45:38  no
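The package tables printed by request anti-virus upgrade info, request content upgrade check, request system software info and request vpnclient software info share one layout: a header row, a dashed separator, then one row per package with a version, an optional file name, a size, a release date with optional time, and a yes/no Downloaded flag. The parser below is an added example, not a PAN-OS tool and not from this guide; the sample tables are constructed copies of the page's output, and the newest-pending selection (by release timestamp) is an assumption about how an operator would pick what to fetch next.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copies of the page's sample tables (offline input).
VPNCLIENT_INFO = """Version    Size   Released on          Downloaded
------------------------------------------------------------------------
1.0.0-c54  916KB  2009/03/04 15:04:33  no
1.0.0-c53  916KB  2009/03/04 14:09:17  no
1.0.0-c52  916KB  2009/03/04 11:49:51  no
1.0.0-c51  916KB  2009/03/03 16:45:38  no
"""

SYSTEM_INFO = """Version  Filename                 Size   Released             Downloaded
------------------------------------------------------------------------
3.0.1    panos.4050-3.0.1.tar.gz  127MB  2010/02/07 00:00:00  no
3.1.0    panos.4050-3.1.0.tar.gz  127MB  2009/02/07 00:00:00  no
"""

ANTIVIRUS_INFO = """Version  Size  Released on          Downloaded
------------------------------------------------------------------------
46-93    44MB  2009/11/19 11:50:38  yes
"""


@dataclass
class Package:
    version: str
    size: str
    released: str               # "YYYY/MM/DD HH:MM:SS", sorts chronologically as text
    downloaded: bool
    filename: Optional[str] = None


_SIZE = re.compile(r"^\d+(\.\d+)?[KMG]B$")
_DATE = re.compile(r"^\d{4}/\d{2}/\d{2}$")
_TIME = re.compile(r"^\d{2}:\d{2}:\d{2}$")


def parse_package_table(text: str) -> List[Package]:
    """Parse a Version/Size/Released/Downloaded table into Package records.

    Rows are read from the right, because the leading columns vary
    (a Filename column is present only in the system software table)."""
    packages: List[Package] = []
    in_body = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_body:
            in_body = line.startswith("----")   # everything before is header
            continue
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 4 or tokens[-1] not in ("yes", "no"):
            raise ValueError(f"unrecognised package row: {raw!r}")
        downloaded = tokens.pop() == "yes"
        time = tokens.pop() if _TIME.match(tokens[-1]) else "00:00:00"
        date = tokens.pop()
        size = tokens.pop()
        if not (_DATE.match(date) and _SIZE.match(size)):
            raise ValueError(f"unrecognised package row: {raw!r}")
        version = tokens[0]
        filename = tokens[1] if len(tokens) > 1 else None
        packages.append(Package(version, size, f"{date} {time}", downloaded, filename))
    return packages


def newest_pending(packages: List[Package]) -> Optional[Package]:
    """The most recently released package that has not been downloaded yet."""
    pending = [p for p in packages if not p.downloaded]
    return max(pending, key=lambda p: p.released, default=None)


if __name__ == "__main__":
    for table in (VPNCLIENT_INFO, SYSTEM_INFO, ANTIVIRUS_INFO):
        print(newest_pending(parse_package_table(table)))
```

Selecting by release timestamp rather than by version string is deliberate: version strings such as 1.0.0-c54 and 3.1.0-c4.dev do not compare reliably as text, and the system-software sample on the page shows the lower version number with the later release date.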
scp
Copy files between the firewall and another host. Enables downloading of a customizable
HTML replacement message (comfort page) in place of a malware infected file.
Syntax
scp export export-option [control-plane | data-plane] to target from source [remote-port portnumber] [source-ip address]
scp import import-option [source-ip address] [remote-port portnumber] from source
Options
export export-option
Specifies the type of file to export to the other host:
application-block-page
application-pcap
captive-portal-text
configuration
Configuration file.
core-file
Core file.
crl
crl.tgz file.
debug pcap
file-block-page
filter-pcap
high-availability-key
inbound-proxy-key
log
log-file
Log files.
logdb
Log database.
pdf-reports
PDF reports.
ssl-cert-status
ssl-decryption-certificate
ssl-optout-text
stats-dump
tech-support
threat-pcap
url-block-page
url-coach-text
virus-block-page
web-interface-certificate
import import-option
Specifies the type of file to import from the other host:
anti-virus
Anti-virus content.
application-block-page
captive-portal-text
configuration
Configuration file.
content
Database content.
file-block-page
high-availability-key
license
License file.
logdb
Log database.
private-key
software
Software package.
ssl-cert-status-page
ssl-certificate
SSL certificate.
ssl-optout-text
sslvpn-custom-login-page
url-block-page
url-coach-text
url-database
virus-block-page
vpnclient
control-plane
data-plane
remote-port portnumber
source-ip address
to
from
Sample Output
The following command imports a license file from a file in user1's account on the machine with IP address 10.0.3.4.
username@hostname> scp import ssl-certificate from user1@10.0.3.4:/tmp/certificatefile
set application
Set parameters for system behavior when applications are blocked.
Syntax
set application option
Options
cache <yes | no>
Enables (yes) or disables (no) detection of super nodes for peer-to-peer applications that have designated supernodes on the Internet.
Sample Output
The following command turns packet capture for unknown applications off.
username@hostname> set application dump off
username@hostname>
set cli
Set scripting and pager options for the PAN-OS CLI. Options are included to display
configuration commands in default format, XML format, or as operational set commands.
Syntax
set cli option
Options
config-output-format
Sets the output format for the configuration file to the default, XML format, or set command format.
configuration-prompt
hide-ip
hide-user
scripting-mode
pager
terminal
timeout
idle-value
session-value
off
on
Sample Output
The following command sequence sets the configuration mode to use set command format for
output and then displays the output of the show system log-export-schedule command in
Configuration mode.
username@hostname> set cli config-output-format set
username@hostname> configure
Entering configuration mode
[edit]
username@hostname# edit deviceconfig
[edit deviceconfig]
username@hostname# show system log-export-schedule
set deviceconfig system log-export-schedule 10.16.0.97 description 10.16.0.97
set deviceconfig system log-export-schedule 10.16.0.97 enable yes
set deviceconfig system log-export-schedule 10.16.0.97 log-type threat
set deviceconfig system log-export-schedule 10.16.0.97 start-time 03:00
set deviceconfig system log-export-schedule 10.16.0.97 protocol ftp hostname 10.16.0.97
set deviceconfig system log-export-schedule 10.16.0.97 protocol ftp port 21
set deviceconfig system log-export-schedule 10.16.0.97 protocol ftp passive-mode yes
set deviceconfig system log-export-schedule 10.16.0.97 protocol ftp username admin
set deviceconfig system log-export-schedule 10.16.0.97 protocol ftp password mZDB7rbW5y8=
username@hostname#
The following command sequence shows the same example after XML is specified as the
command output format.
username@hostname> set cli config-output-format xml
username@hostname> configure
Entering configuration mode
[edit]
username@hostname# edit deviceconfig
[edit deviceconfig]
username@hostname# show system log-export-schedule
<log-export-schedule>
<entry name="10.16.0.97">
<description>10.16.0.97</description>
<enable>yes</enable>
<log-type>threat</log-type>
<start-time>03:00</start-time>
<protocol>
<ftp>
<hostname>10.16.0.97</hostname>
<port>21</port>
<passive-mode>yes</passive-mode>
<username>admin</username>
<password>mZDB7rbW5y8=</password>
</ftp>
</protocol>
</entry>
</log-export-schedule>
[edit deviceconfig]
username@hostname#
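The two outputs above are the same configuration in two formats. The converter below is an added Python example, not a PAN-OS tool and not from this guide, that derives the set-command form from the XML form the way the page shows it: each <entry name="X"> contributes X to the path, every other element contributes its tag, and leaf text becomes the trailing value. The redact option and the list of secret-bearing tags are assumptions, added so that a configuration can be pasted into a ticket or a diff without the FTP password that the set output otherwise prints in clear.

```python
import xml.etree.ElementTree as ET
from typing import List

# The XML shown on the page for `show system log-export-schedule`,
# issued from the [edit deviceconfig] context.
SAMPLE_XML = """<log-export-schedule>
  <entry name="10.16.0.97">
    <description>10.16.0.97</description>
    <enable>yes</enable>
    <log-type>threat</log-type>
    <start-time>03:00</start-time>
    <protocol>
      <ftp>
        <hostname>10.16.0.97</hostname>
        <port>21</port>
        <passive-mode>yes</passive-mode>
        <username>admin</username>
        <password>mZDB7rbW5y8=</password>
      </ftp>
    </protocol>
  </entry>
</log-export-schedule>"""

# Leaf tags whose values should not leave the device in a shared config.
# This list is an assumption for the example, not a PAN-OS definition.
SECRET_TAGS = {"password", "passphrase", "pre-shared-key", "private-key"}


def _quote(value: str) -> str:
    """Keep a value containing whitespace as a single CLI token."""
    return f'"{value}"' if any(ch.isspace() for ch in value) else value


def xml_to_set(xml_text: str, context: List[str], redact: bool = False) -> List[str]:
    """Render an XML configuration fragment as `set` commands.

    `context` is the hierarchy path of the fragment's parent (for the page's
    example: ["deviceconfig", "system"]); it becomes the prefix of every line."""
    root = ET.fromstring(xml_text)
    commands: List[str] = []

    def walk(elem: ET.Element, path: List[str]) -> None:
        if elem.tag == "entry" and "name" in elem.attrib:
            path = path + [_quote(elem.attrib["name"])]   # <entry name="X"> -> X
        else:
            path = path + [elem.tag]
        children = list(elem)
        if children:
            for child in children:
                walk(child, path)
            return
        value = (elem.text or "").strip()
        if value == "":
            commands.append("set " + " ".join(path))      # valueless node
            return
        if redact and elem.tag in SECRET_TAGS:
            value = "<redacted>"
        commands.append("set " + " ".join(path + [_quote(value)]))

    walk(root, list(context))
    return commands


if __name__ == "__main__":
    for cmd in xml_to_set(SAMPLE_XML, ["deviceconfig", "system"], redact=True):
        print(cmd)
```

The unredacted output is exactly the nine lines the page shows for config-output-format set, which is also a useful check when comparing two firewalls: converting both XML exports with the same context and diffing the resulting lines gives a line-per-setting comparison.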
set clock
Set the system date and time.
Syntax
set clock option
Options
date YYYY/MM/DD
time hh:mm:ss
Specify the time in hh:mm:ss format (hh: 0-23, mm: 0-59, ss: 0-59).
Sample Output
The following command sets the system date and time.
username@hostname> set clock date 2009/03/20 time 14:32:00
username@hostname>
set data-access-password
Set the access password for the data filtering logs.
Syntax
set data-access-password pwd
Options
pwd
Sample Output
The following command sets the password for data filtering logs.
username@hostname> set data-access-password 12345678
username@hostname>
set management-server
Set parameters for the management server, which manages configuration, reports, and
authentication for the firewall.
Syntax
set management-server option
Options
logging option
unlock
Sample Output
The following command enables logging on the management server.
username@hostname> set management-server logging on
username@hostname>
set panorama
Enable or disable connection between the firewall and Panorama.
Syntax
set panorama <off | on>
Options
on
off
Sample Output
The following command disables the connection between the firewall and Panorama.
username@hostname> set panorama off
username@hostname>
set password
Set the firewall password. When you issue this command, the system prompts you to enter
the old and new password and to confirm the new password.
Syntax
set password
Options
None
Sample Output
The following example shows how to reset the firewall password.
username@hostname> set password
Enter old password : (enter the old password)
Enter new password : (enter the new password)
Confirm password : (reenter the new password)
Password changed
username@hostname>
set serial-number
(Panorama only) Configure the serial number of the Panorama machine. The serial number
must be set for Panorama to connect to the update server.
Syntax
set serial-number value
Options
value
Sample Output
The following command sets the Panorama serial number to 123456.
username@hostname> set serial-number 123456
username@hostname>
set session
Set parameters for the networking session.
Syntax
set session [default | item value]
Options
default
item value
The following items and values can be set:
accelerated-aging-enable: no | yes
accelerated-aging-scaling-factor: Power of 2
accelerated-aging-threshold: Power of 2 (1-100)
offload: no | yes
tcp-reject-non-syn: no | yes
timeout-default: Number of seconds
timeout-icmp: 1-15999999
timeout-tcp: 1-15999999
timeout-tcpinit: Number of seconds
timeout-tcpwait: Number of seconds
timeout-udp: 1-15999999
Sample Output
The following command sets the TCP timeout to 1 second.
username@hostname> set session timeout-tcpwait 1
username@hostname>
set system setting
Syntax
set system setting ctd x-forwarded-for
set system setting jumbo-frame
set system setting logging
set system setting multi-vsys
set system setting shared-policy
set system setting ssl-decrypt
set system setting target-vsys
set system setting url-database
set system setting zip
Options
ctd x-forwarded-for
jumbo-frame
logging
multi-vsys
shared-policy
ssl-decrypt
target-vsys
url-database
zip
Sample Output
The following command enables logging suppression.
username@hostname> set system setting logging log-suppression yes
username@hostname>
show admins
Display information about the active firewall administrators.
Syntax
show admins [all]
Options
all
Sample Output
The following command displays administrator information for the 10.0.0.32 firewall.
username@hostname> show admins | match 10.0.0
Admin  From        Type  Session-start   Idle-for
-------------------------------------------------------------------------
admin  10.0.0.132  Web   02/19 09:33:07  00:00:12s
username@hostname>
show arp
Shows current Address Resolution Protocol (ARP) entries.
Syntax
show arp interface
Options
interface
ethernetn/m
loopback
vlan
Sample Output
The following command displays ARP information for the ethernet1/1 interface.
username@hostname> show arp ethernet1/1
maximum of entries supported : 8192
default timeout: 1800 seconds
total ARP entries in table : 0
total ARP entries shown : 0
status: s - static, c - complete, i - incomplete
username@hostname>
show authentication
Shows authentication information.
Syntax
show authentication option
Options
interface
Sample Output
The following command shows the list of users that are allowed to access the firewall.
username@hostname> show authentication allowlist
vsysname
---------vsys1
vsys1
profilename
----------SSLVPN
wtam-SSLVPN
username
---------------------------paloaltonetwork\domain users
group1
username@hostname>
show chassis-ready
Shows whether the dataplane has a running policy.
Syntax
show chassis-ready
Options
None
Sample Output
The following command shows that the dataplane has a currently running policy.
username@hostname> show chassis-ready
yes
username@hostname>
show cli
Shows information about the current CLI session.
Syntax
show cli info
Options
None
Sample Output
The following command shows information about the current CLI session.
username@hostname> show cli info
Process ID              : 2045
Pager                   : enabled
Vsys configuration mode : disabled
username@hostname>
show clock
Shows the current time on the firewall.
Syntax
show clock
Options
None
Sample Output
The following command shows the current time.
username@hostname> show clock
Sun Feb 18 10:49:31 PST 2007
username@hostname>
show config
Shows the active configuration.
Syntax
show config
Options
None
Sample Output
The following command shows the configuration lines that pertain to VLANs.
username@hostname> show config | match vlan
vlan {
vlan;
username@hostname>
show counter
Display system counter information.
Syntax
show counter [global | interface]
Options
global
interface
Sample Output
The following command displays all configuration counter information grouped according to interface.
username@hostname> show counter interface
show device
(Panorama only) Show the state of managed devices.
Syntax
show device-messages [all | connected]
Options
all
connected
Sample Output
The following command shows information for connected devices.
username@hostname> show devices connected
Serial      Hostname   IP        Connected
-------------------------------------------------------------------------
PA04070001  pan-mgmt2  10.1.7.2  yes
last push state: none
username@hostname>
show device-messages
(Panorama only) Show information on the policy messages for devices.
Syntax
show device-messages [device] [group]
Options
device
group
Sample Output
The following command shows the device messages for the device pan-mgmt2 and the group dg1.
username@hostname> show device-messages device pan-mgmt2 group dg1
username@hostname>
show devicegroups
(Panorama only) Show information on device groups.
Syntax
show devicegroups [name]
Options
name
Sample Output
The following command shows information for the device group dg1.
username@hostname> show devicegroups dg1
==========================================================================
Group: dg3 Shared policy md5sum:dfc61be308c23e54e5cde039689e9d46
Serial      Hostname   IP        Connected
-------------------------------------------------------------------------
PA04070001  pan-mgmt2  10.1.7.2  yes
last push state: push succeeded
vsys3 shared policy md5sum:dfc61be308c23e54e5cde039689e9d46(In Sync)
username@hostname>
show dhcp
Show information on Dynamic Host Configuration Protocol (DHCP) leases.
Syntax
show dhcp lease <value | all>
Options
value
all
Sample Output
The following command shows all lease information.
username@hostname> show dhcp all
interface: ethernet1/9
ip          mac                expire
66.66.66.1  00:15:c5:60:a5:b0  Tue Mar 11 16:12:09 2008
66.66.66.2  00:15:c5:e1:0d:b0  Tue Mar 11 16:08:01 2008
username@hostname>
show fips-mode
Show information on Federal Information Processing Standards (FIPS) 140-2 mode.
Syntax
show fips-mode
Options
None
Sample Output
The following command shows that FIPS mode is off.
username@hostname> show fips-mode
off
username@hostname>
show high-availability
Show runtime information for the high-availability subsystem.
Syntax
show high-availability [all | control-link statistics | link-monitoring | path-monitoring | state | state-synchronization]
Options
all
control-link statistics
link-monitoring
path-monitoring
state
state-synchronization
Sample Output
The following command shows path-monitoring information for the high-availability subsystem.
username@hostname> show high-availability path-monitoring
---------------------------------------------------------------------------
path monitoring:        disabled
total paths monitored:  0
---------------------------------------------------------------------------
username@hostname>
show interface
Display information about system interfaces.
Syntax
show interface interface
Options
element
ethernetn/m
hardware
logical
loopback
vlan
Sample Output
The following command displays information about the ethernet1/2 interface.
username@hostname> show interface ethernet1/3
---------------------------------------------------------------------------
Name: ethernet1/3, ID: 18
Link status:
  Runtime link speed/duplex/state: unknown/unknown/down
  Configured link speed/duplex/state: auto/auto/auto
  Link is forced down due to link-state-pass-through
MAC address:
  Port MAC address 00:1b:17:00:6f:12
Operation mode: virtual-wire
---------------------------------------------------------------------------
Name: ethernet1/3, ID: 18
Operation mode: virtual-wire
Virtual wire: vw34, peer interface: ethernet1/4
Interface management profile: N/A
Service configured:
Zone: vw34, virtual system: vsys1
show jobs
Display information about current system processes.
Syntax
show jobs [all | id number | pending | processed]
Options
all
id number
pending
processed
Sample Output
The following command lists jobs that have been processed in the current session.
username@hostname> show jobs processed
Enqueued             ID  Type     Status  Result  Completed
-------------------------------------------------------------------------
2007/02/18 09:34:39  2   AutoCom  FIN     OK      2007/02/18 09:34:40
2007/02/18 09:33:00  1   AutoCom  FIN     FAIL    2007/02/18 09:33:54
username@hostname>
show location
Show the geographic location of a firewall.
Syntax
show location ip address
Options
address
Sample Output
The following command shows location information for the firewall 10.1.1.1.
username@hostname> show location ip 10.1.1.1
username@hostname> show location ip 201.52.0.0
201.52.0.0  Brazil
username@hostname>
show log
Display system logs.
Syntax
show log [threat | config | system | traffic] [equal | not-equal] option value
Options
threat
config
system
traffic
option value   Restricts the output; the available options depend on the keyword used in the command (threat, config, system, traffic).

Option                 Description
action
app                    Application.
client
command                Command.
dport                  Destination port.
dst                    Destination IP address.
from                   Source zone.
receivetime in
result
rule                   Rule name.
severity
sport                  Source port.
src                    Source IP address.
to                     Destination zone.
greater-than-or-equal
less-than-or-equal
equal
not-equal
Sample Output
The following command shows the configuration log.
username@hostname> show log config
Time            Host        Command  Admin  Client  Result
===============================================================================
03/05 22:04:16  10.0.0.135  edit     admin  Web     Succeeded
03/05 22:03:22  10.0.0.135  edit     admin  Web     Succeeded
03/05 22:03:22  10.0.0.135  create   admin  Web     Succeeded
03/05 21:56:58  10.0.0.135  edit     admin  Web     Succeeded
...
username@hostname>
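The configuration log above is the record a defender reviews to see who changed the firewall, from where, and whether the change succeeded. The following Python is an added example for this page (not Palo Alto Networks code and not part of the original guide): it parses the tabular `show log config` output into records and answers the three questions an auditor usually asks of it. The sample text is constructed to match the layout shown above, with one extra row added so that a failed change from an unexpected host is present; the column layout and the `Succeeded` result string are assumed from the guide's sample.

```python
"""Parse `show log config` output (layout as shown above) into audit records.

Added example for this page; not part of the original guide and not Palo Alto
Networks code. SAMPLE_CONFIG_LOG is constructed from the guide's sample output
plus one extra (constructed) row from another host.
"""
import re
from collections import Counter

# Constructed sample matching the guide's `show log config` layout.
SAMPLE_CONFIG_LOG = """\
Time            Host        Command  Admin  Client  Result
===============================================================================
03/05 22:04:16  10.0.0.135  edit     admin  Web     Succeeded
03/05 22:03:22  10.0.0.135  edit     admin  Web     Succeeded
03/05 22:03:22  10.0.0.135  create   admin  Web     Succeeded
03/05 21:56:58  10.0.0.135  edit     admin  Web     Succeeded
03/05 21:50:01  10.0.0.77   delete   ops1   CLI     Failed
"""

# One row: "MM/DD HH:MM:SS  host  command  admin  client  result".
# Header and "===" rule lines do not match and are skipped.
ROW_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<command>\S+)\s+(?P<admin>\S+)\s+"
    r"(?P<client>\S+)\s+(?P<result>\S+)\s*$"
)


def parse_config_log(text):
    """Return one dict per log row; non-matching lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def changes_by_admin(rows):
    """Count configuration changes per (admin, management host) pair."""
    return Counter((r["admin"], r["host"]) for r in rows)


def failed_changes(rows):
    """Rows whose result is anything other than 'Succeeded'."""
    return [r for r in rows if r["result"] != "Succeeded"]


def unexpected_hosts(rows, allowed_hosts):
    """Rows issued from a management host outside the allowed set."""
    allowed = set(allowed_hosts)
    return [r for r in rows if r["host"] not in allowed]


if __name__ == "__main__":
    parsed = parse_config_log(SAMPLE_CONFIG_LOG)
    for (admin, host), n in changes_by_admin(parsed).items():
        print(f"{admin}@{host}: {n} change(s)")
    for r in failed_changes(parsed):
        print("failed change:", r)
    for r in unexpected_hosts(parsed, ["10.0.0.135"]):
        print("change from unexpected host:", r)
```

Feeding the script the output of `show log config` (captured over SSH, for example) gives a per-admin change count, the list of rejected changes, and any change that originated outside the management hosts you expect, which is the usual starting point for a configuration-change review.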
show mac
Display MAC address information.
Syntax
show mac [value | all]
Options
value
all
Sample Output
The following command lists all current MAC address information.
username@hostname> show mac all
maximum of entries supported :  8192
default timeout :               1800 seconds
total MAC entries in table :    4
total MAC entries shown :       4
status: s - static, c - complete, i - incomplete
vlan       hw address    interface     status  ttl
--------------------------------------------------------------------------
Vlan56     0:0:1:0:0:3   ethernet1/5   c       1087
Vlan56     0:0:1:0:0:4   ethernet1/6   c       1087
Vlan11-12  0:0:1:0:0:9   ethernet1/12  c       487
Vlan11-12  0:0:1:0:0:10  ethernet1/11  c       487
username@hostname>
show management-clients
Show information about internal management server clients.
Syntax
show management-clients
Options
None
Sample Output
The following command shows information about the internal management server clients.
username@hostname> show management-clients
Client    PRI  State  Progress
------------------------------------------------------------------------
routed    30   P2-ok  100
device    20   P2-ok  100
ikemgr    10   P2-ok  100
keymgr    10   init   0    (op cmds only)
dhcpd     10   P2-ok  100
ha_agent  10   P2-ok  100
npagent   10   P2-ok  100
exampled  10   init   0    (op cmds only)
Overall status: P2-ok. Progress: 0
Warnings:
Errors:
show management-interface
Show information about the state of the management interface.
Syntax
show management-interface
Options
None
Sample Output
The following command shows information about the management interface.
username@hostname> show management-interface
---------------------------------------------------------------------------
Name: Management Interface
Link status:
  Runtime link speed-duplex/state: 1Gb/s-full/Up
  Configured link speed-duplex/state: auto/auto
MAC address:
  Port MAC address 00:13:72:3c:c9:e3
---------------------------------------------------------------------------
Port counters:
---------------------------------------------------------------------------
rx-bytes      554989679
rx-packets    5535148
rx-drops      0
rx-errors     0
rx-multicast  6029
tx-bytes      86899026
tx-packets    250362
tx-drops      0
tx-errors     0
----------------------------------------------------------------------------
show object
Shows the name of an address object with an IP address that exactly matches the address specified in the filter.
Syntax
show object vsys name ip address
Options
vsys
ip
Sample Output
The following command shows the name of an address object, one-more, with IP address 3.3.3.3 that exists in virtual system vsys1.
username@hostname> show object vsys vsys1 ip 3.3.3.3
one-more
username@hostname>
show panorama-certificate
Lists certificate information for the connection between the firewall and Panorama. Primarily used for debugging purposes.
Syntax
show panorama-certificate
Options
None
Sample Output
The following command shows that the firewall has a Panorama certificate key file client.pem.
username@hostname> show panorama-certificate
-rw-r--r-- 1 root root 4.6K Jul 14 2008 client.pem
username@hostname>
show pbf
Displays runtime statistics for policy-based forwarding (PBF).
Syntax
show pbf rule [<all> | <name rule-name>]
Options
all
name rule-name
Sample Output
The following command shows the current PBF settings.
username@hostname> show pbf rule all
Rule       ID  State   R-Action  Egress IF    NextHop      Interval  Threshold  Status  M-Action   KA sent  KA got  Packets Matched
=========  ==  ======  ========  ===========  ===========  ========  =========  ======  =========  =======  ======  ===============
r1         4   Normal  Discard                0.0.0.0      0         0          UP      Monitor    0        0       0
to-host    7   Normal  Forward   ethernet1/1  100.1.1.254  2         3          UP      Fail-Over  1270     1270    0
to-tunnel  8   Normal  Forward   ethernet1/3  201.1.1.254  2         3          DOWN    Fail-Over  23       23      2
r5         9   Normal  Forward   ethernet1/9  0.0.0.0      2         3          UP      Fail-Over  0        0       3
username@hostname>
show pppoe
Displays statistics about the Point-to-Point Protocol over Ethernet (PPPoE) connections.
Syntax
show pppoe interface <all | interfacename>
Options
all
interfacename
Sample Output
The following command shows PPPoE information for the ethernet1/4 interface.
username@hostname> show pppoe interface ethernet1/4
Interface    PPPoE       PPP State     Username  Access Concentrator  MAC                IP
ethernet1/4  Initiating  Disconnected  pa4020    Access Concentrator  00:11:22:33:44:55  10.0.2.2
username@hostname>
show qos
Show quality of service (QoS) runtime information.
Syntax
show qos interface if option
Options
counter
hw-counter
match-rule
throughput
tunnel-throughput
Sample Output
The following command shows the QoS throughput for interface ethernet1/2, node default-group (ID 0):
username@hostname> show qos interface ethernet1/2 throughput 0
QoS throughput for interface ethernet1/2, node default-group (Qid 0):
class 4:  362 kbps
username@hostname>
show query
Show information about query jobs.
Syntax
show query <jobs | id value>
Options
jobs
id value
Sample Output
The following command shows information about all current query jobs.
username@hostname> show query jobs
Enqueued  ID  Last Upd  Type  ID  Dequeued?
-------------------------------------------------------------------------
13:58:19  16  13:58:19
-----------------------------------------------------
username@hostname>
show report
Displays information about report jobs.
Syntax
show report [id number | jobs]
Options
id number
jobs
Sample Output
The following command shows the current jobs.
username@hostname> show report jobs
Enqueued  ID  Last Updated  dev/skip/req/resp/proc
-------------------------------------------------------------------------
username@hostname>
show routing
Display routing run-time objects.
Syntax
show routing fib [virtual-router name]
show routing protocol [virtual-router name] ospf <area | dumplsdb | interface | lsdb | neighbor | summary | virt-link | virt-neighbor>
show routing protocol [virtual-router name] redist <all | ospf | rip>
show routing protocol [virtual-router name] rip <database | interface | peer | summary>
show routing resource
show routing route [destination ip/netmask] [interface interfacename] [nexthop ip/netmask] [type <connect | ospf | rip | static>] [virtual-router name]
show routing summary
Options
fib
protocol ospf
  area
  dumplsdb
  interface
  lsdb
  neighbor
  summary
  virt-link
  virt-neighbor
protocol redist   Shows redistribution rule entries. Specify one of the following (virtual router is optional).
  ospf
  rip
  all
protocol rip      Shows RIP information. Specify one of the following options (virtual router is optional).
  database
  interface
  peer
  summary
protocol bgp      Shows Border Gateway Protocol (BGP) information. Specify one of the following options (virtual router is optional).
  loc-rib
  loc-rib-detail
  peer
  peer-group
  policy
  rib-out
  rib-out-detail
  summary
resource
route
  destination
  interface
  nexthop
  type
  virtual-router
summary
Sample Output
The following command shows summary routing information for the virtual router vr1.
username@hostname> show routing summary virtual-router vr1
VIRTUAL ROUTER: vr1 (id 1)
==========
OSPF
  area id: 0.0.0.0
    interface: 192.168.6.254
    interface: 200.1.1.2
    dynamic neighbors: IP 200.1.1.1 ID 200.1.1.1
  area id: 1.1.1.1
    interface: 1.1.1.1
    interface: 1.1.2.1
    interface: 1.1.3.1
    interface: 2.1.1.1
    static neighbor: IP 65.54.5.33 ID *down*
    static neighbor: IP 65.54.77.88 ID *down*
    interface: 22.22.22.22
    interface: 35.1.15.40
    interface: 192.168.7.254
    dynamic neighbors: IP 35.1.15.1 ID 35.35.35.35
==========
RIP
  interface: 2.1.1.1
  interface: 22.22.22.22
  interface: 35.1.15.40
  interface: 192.168.6.254
  interface: 200.1.1.2
==========
INTERFACE
==========
interface name:    ethernet1/1
interface index:   16
virtual router:    vr1
operation status:  up
IPv4 address:      22.22.22.22/24
IPv4 address:      35.1.15.40/24
==========
interface name:    ethernet1/3
interface index:   18
virtual router:    vr1
operation status:  up
IPv4 address:      200.1.1.2/24
==========
interface name:    ethernet1/7
interface index:   22
virtual router:    vr1
operation status:  up
IPv4 address:      1.1.1.1/24
IPv4 address:      1.1.2.1/24
IPv4 address:      1.1.3.1/24
==========
interface name:    ethernet1/15
interface index:   30
virtual router:    vr1
operation status:  up
IPv4 address:      192.168.6.254/24
==========
interface name:    ethernet1/16
interface index:   31
virtual router:    vr1
operation status:  up
IPv4 address:      192.168.7.254/24
==========
interface name:    ethernet1/18
interface index:   33
virtual router:    vr1
operation status:  down
IPv4 address:      2.1.1.1/24
username@hostname>
The following command shows dynamic routing protocol information for RIP.
username@hostname> show routing protocol rip summary
==========
virtual router:        vr1
reject default route:  yes
interval seconds:      1
update intervals:      30
expire intervals:      180
delete intervals:      120
interface:             2.1.1.1
interface:             22.22.22.22
interface:             35.1.15.40
interface:             192.168.6.254
interface:             200.1.1.2
==========
virtual router:        newr
reject default route:  yes
interval seconds:      1
update intervals:      30
expire intervals:      180
delete intervals:      120
interface:             0.0.0.0
interface:             30.30.30.31
interface:             151.152.153.154
show running
Shows running operational parameters.
Syntax
show running option
Options
appinfo2ip
application
application-override-policy
application-signature
captive-portal-policy
global-ippool
ippool
nat-policy
nat-rule-cache
nat-rule-ippool
pbf-policy
qos-policy
resource-monitor
rule-use
security-policy
ssl-cert-cn
ssl-policy
tcp
top-urls
ts-agent-data
tunnel
url-license
user
Sample Output
The following command shows statistics for running applications.
username@hostname> show running application statistics
Time: Wed Feb 17 15:16:30 2010
Vsys: 1
Number of apps: 31
App (report-as)  sessions  packets  bytes      app changed  threats
---------------  --------  -------  ---------  -----------  -------
15               495       188516   99646149   0            0
16               11        1803     1319859    0            0
32               464       467      51055      0            3
36               518       16395    1921997    0            0
37               2         2574     273600     0            0
42               1888      4101     454433     0            0
44               1         1        422        1            0
48               29        686      225194     0            0
50               2         7        2741       0            0
79               2         185      97363      2            0
86               9         115      25843      8            0
109              1604      75513    55339483   0            0
147              155       374      33660      0            0
193              0         3        1018       1            0
225              12        272      71706      12           0
280              77        217      44906      0            0
318              48        85       30161      0            0
452              2         139      109886     2            0
453              1         9        1914       1            0
491              21        1293     812870     21           0
518              128       98192    96499118   128          0
658              6         70       18944      6            0
674              53        1487     1122891    53           0
735              8         8446     8385474    8            0
796              1         16       4215       1            0
852              1         117      87965      1            0
872              49        2852     2296433    49           0
900              24        2206     1179538    24           0
980              32        573      233308     32           0
1019             412       2679     200506     0            0
1024             913       6971     549052     0            0
---------------  --------  -------  ---------  -----------  -------
Total            6968      416364   271041704  350          3
username@hostname>
show session
Show session information.
Syntax
show session all
show session id number
show session info
show session meter
show session start-at number
Options
all
id number
info
meter
start-at number   Displays the next 64K sessions starting with the specified session.
Sample Output
The following command displays session statistics.
username@hostname> show session info
--------------------------------------------------------------------------------
number of sessions supported:                    524287
number of active sessions:                       498520
number of active TCP sessions:                   0
number of active UDP sessions:                   498518
number of active ICMP sessions:                  0
number of active BCAST sessions:                 0
number of active MCAST sessions:                 0
number of predict sessions:                      0
session table utilization:                       95%
number of sessions created since system bootup:  3072041
Packet rate:                                     0/s
Throughput:                                      0 Kbps
New connection establish rate:                   0 cps
--------------------------------------------------------------------------------
session timeout
  TCP default timeout:                           3600 seconds
  TCP session timeout before 3-way handshaking:  5 seconds
  TCP session timeout after FIN/RST:             30 seconds
  UDP default timeout:                           3600 seconds
  ICMP default timeout:                          6 seconds
  other IP default timeout:                      30 seconds
  Session timeout in discard state:
    TCP: 90 seconds, UDP: 60 seconds, other IP protocols: 60 seconds
--------------------------------------------------------------------------------
The following command shows the details of a single session, 371731.
username@hostname> show session id 371731
Session 371731
  c2s flow:
    source:    172.16.40.20[L3Intranet]
    dst:       84.72.62.7
    sport:     49230
    dport:     31162
    proto:     17
    dir:       c2s
    state:     ACTIVE
    type:      FLOW
    ipver:     4
    src-user:  qa2003domain-b\kwisdom
    dst-user:  unknown
    PBF rule:  rule4(2)
    qos node:  ethernet1/14, qos member N/A Qid 0
    ez fid:    0x0d208003(13, 0, 0, 3)
  s2c flow:
    source:    84.72.62.7[L3Extranet]
    dst:       172.16.40.20
    sport:     31162
    dport:     49230
    proto:     17
    dir:       s2c
    state:     ACTIVE
    type:      FLOW
    ipver:     4
    src-user:  unknown
    dst-user:  qa2003domain-b\kwisdom
    ez fid:    0x0ca0703f(12, 2, 3, 63)
  start time                    : Fri Jan 15 15:55:56 2010
  timeout                       : 1200 sec
  time to live                  : 1076 sec
  total byte count              : 145
  layer7 packet count           : 0
  vsys                          : vsys1
  application                   : bittorrent
  rule                          : rule23
  session to be logged at end   : yes
  session in session ager       : yes
  session sync'ed from HA peer  : yes
  layer7 processing             : completed
  URL filtering enabled         : yes
  URL category                  : any
  ingress interface             : ethernet1/13
  egress interface              : ethernet1/14
  session QoS rule              : default (class 4)
username@hostname>
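The `show session info` output above is where a session-table exhaustion (the sample shows 95% utilization, almost all of it UDP) becomes visible, and the timeouts it lists are the knobs `set session` adjusts. The following Python is an added example for this page (not Palo Alto Networks code and not part of the original guide): it parses the `key: value` lines of that output and produces a capacity report with two warnings. The sample text is constructed from the guide's output; the 90% warning threshold and the "more than 90% UDP" heuristic for a flood or a misbehaving application are assumptions chosen for illustration.

```python
"""Parse `show session info` output and flag session-table capacity risk.

Added example for this page; not part of the original guide and not Palo Alto
Networks code. SAMPLE_SESSION_INFO is constructed from the guide's sample; the
warning thresholds below are assumptions for illustration.
"""
import re

# Constructed sample matching the guide's `show session info` output.
SAMPLE_SESSION_INFO = """\
--------------------------------------------------------------------------------
number of sessions supported:                    524287
number of active sessions:                       498520
number of active TCP sessions:                   0
number of active UDP sessions:                   498518
number of active ICMP sessions:                  0
number of active BCAST sessions:                 0
number of active MCAST sessions:                 0
number of predict sessions:                      0
session table utilization:                       95%
number of sessions created since system bootup:  3072041
Packet rate:                                     0/s
Throughput:                                      0 Kbps
New connection establish rate:                   0 cps
--------------------------------------------------------------------------------
session timeout
  TCP default timeout:                           3600 seconds
  TCP session timeout before 3-way handshaking:  5 seconds
  TCP session timeout after FIN/RST:             30 seconds
  UDP default timeout:                           3600 seconds
  ICMP default timeout:                          6 seconds
  other IP default timeout:                      30 seconds
  Session timeout in discard state:
    TCP: 90 seconds, UDP: 60 seconds, other IP protocols: 60 seconds
--------------------------------------------------------------------------------
"""

# "key: value" with at least one space after the colon; separator lines,
# bare headings and keys with no value do not match and are skipped.
KV_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s+(?P<value>\S.*?)\s*$")


def parse_session_info(text):
    """Return {key: value-string} for every 'key: value' line in the output."""
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value")
    return fields


def first_int(value):
    """Leading integer of values such as '95%', '3600 seconds' or '0/s'."""
    m = re.match(r"\d+", value.strip())
    if not m:
        raise ValueError(f"no integer in {value!r}")
    return int(m.group())


def session_report(fields, warn_pct=90):
    """Summarise capacity and protocol mix; warn at warn_pct utilization
    and when UDP makes up more than 90% of active sessions (assumed heuristic)."""
    supported = first_int(fields["number of sessions supported"])
    active = first_int(fields["number of active sessions"])
    utilization = first_int(fields["session table utilization"])
    tcp = first_int(fields["number of active TCP sessions"])
    udp = first_int(fields["number of active UDP sessions"])
    warnings = []
    if utilization >= warn_pct:
        warnings.append(f"session table at {utilization}% ({active}/{supported})")
    if active and udp / active > 0.9:
        warnings.append(f"UDP dominates: {udp} of {active} active sessions")
    return {"supported": supported, "active": active, "utilization_pct": utilization,
            "tcp": tcp, "udp": udp,
            "udp_timeout_s": first_int(fields["UDP default timeout"]),
            "warnings": warnings}


if __name__ == "__main__":
    report = session_report(parse_session_info(SAMPLE_SESSION_INFO))
    for w in report["warnings"]:
        print("WARNING:", w)
```

On the guide's own numbers the report raises both warnings: the table is 95% full and 498518 of 498520 sessions are UDP. Together with the 3600-second UDP default timeout from the same output, that is the picture in which an operator would consider lowering `timeout-udp` with `set session`, described earlier in this chapter.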
show ssl-vpn
Show Secure Socket Layer (SSL) virtual private network (VPN) runtime objects.
Syntax
show ssl-vpn option
Options
flow
portal
Sample Output
The following command displays information on SSL-VPN tunnels.
username@hostname> show ssl-vpn flow
---------------------------------------------------------------------------
total tunnels configured:  10
name  id  local-i/f  local-ip    tunnel-i/f
---------------------------------------------------------------------------
s1    2   tunnel.7   10.1.6.105  tunnel.7
rad   11  tunnel.8   10.1.6.106  tunnel.8
---------------------------------------------------------------------------
username@hostname>
show statistics
Show firewall statistics.
Syntax
show statistics
Options
None
Sample Output
The following command displays firewall statistics.
username@hostname> show statistics
TASK  PID  N_PACKETS  CONTINUE   ERROR  DROP     BYPASS  TERMINATE
0     0    0          0          0      0        0       0
1     806  6180587    6179536    39     0        0       1012
2     807  39312      37511      0      0        0       1801
3     808  176054840  173273080  2289   2777524  0       1947
4     809  112733251  111536151  1744   1194906  0       450
5     810  66052142   65225559   1271   825010   0       302
6     811  49682445   49028991   909    652227   0       318
7     812  43618777   43030638   712    587129   0       298
8     813  41255949   40706957   708    548031   0       253
9     814  42570163   42010404   714    558773   0       272
10    815  7332493    7332494    0      0        0       0
task 1(pid: 806) flow_mgmt
task 2(pid: 807) flow_ctrl flow_host
task 3(pid: 808) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 4(pid: 809) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 5(pid: 810) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 6(pid: 811) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 7(pid: 812) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 8(pid: 813) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 9(pid: 814) flow_lookup flow_fastpath flow_slowpath flow_forwarding flow_np
task 10(pid: 815) appid_result
show system
Show system related information.
Syntax
show system disk-space
show system files
show system info
show system logdb-quota
show system resources
show system services
show system setting option
show system software status
show system state option
show system statistics
Options
disk-space
files
info
logdb-quota
resources
services     Show the current system services and whether they are running.
setting
statistics   Show device, packet rate, throughput, and session information. Enter q to quit or h to get help.
Sample Output
The following command displays system information.
username@hostname> show system info
hostname: thunder
ip-address: 10.1.7.1
netmask: 255.255.0.0
default-gateway: 10.1.0.1
ipv6-address:
ipv6-default-gateway:
mac-address: 00:13:72:3c:c9:e3
time: Tue Feb  9 10:02:57 2010
show system setting
Syntax
show system setting ctd state
show system setting ctd url-block-cache
show system setting jumbo-frame
show system setting logging
show system setting multi-vsys
show system setting shared-policy
show system setting ssl-decrypt option
show system setting target-vsys
show system setting url-cache statistics
show system setting url-database
show system setting zip
Options
ctd             Shows the ctd state settings and URL block timeouts. Options include:
                state            Show the configuration state.
                threat           Show the threat status.
                url-block-cache  Show the URL block cache.
jumbo-frame
logging
multi-vsys
shared-policy
ssl-decrypt
target-vsys
url-cache
url-database
zip
Sample Output
The following command shows an example with the default threat action.
username@hostname> show system setting ctd threat 100000 application 109 profile 1
Profile 1 appid 109 , action 0
action 0 means default action.
username@hostname>
show threat
Show threat ID descriptions.
Syntax
show threat id value
Options
value
Sample Output
The following command shows threat ID descriptions for ID 11172.
username@hostname> show threat id 11172
This signature detects the runtime behavior of the spyware MiniBug. MiniBug,
also known as Weatherbug, installs other spyware, such as WeatherBug, and My
Web Search Bar. It is also adware program that displays advertisements in its
application window.
medium
http://www.spywareguide.com/product_show.php?id=2178
http://www.spyany.com/program/article_spw_rm_Minibug.htm
username@hostname>
show user
Show user identification information. You can show information for a specified IP address, user, or all.
Syntax
show user ip-port-user-mapping option
show user ip-user option
show user ldap-server option
show user local-user-db option
show user pan-agent option
show user pan-ntlm-agent option
show user ts-agent option
show user userid-agent option
Options
ip-port-user-mapping  Show terminal server agent data.
ip-user
ldap
local-user-db
pan-agent
pan-ntlm-agent
ts-agent
userid-agent          Displays user information for the Palo Alto Networks agent.
Sample Output
The following command shows information about the Palo Alto Networks agent.
username@hostname> show user pan-agent statistics
IP Address   Port  Vsys   State          Users  Grps  IPs  Received Pkts
---------------------------------------------------------------------------
10.0.0.100   2011  vsys1  connected, ok  134    77    95   5757
10.1.200.22  2009  vsys1  connected, ok  5      864   2    1097
username@hostname>
show virtual-wire
Show information about virtual wire interfaces.
Syntax
show virtual-wire [value | all]
Options
value
all
Sample Output
The following command displays information for the default virtual wire interface.
username@hostname> show virtual-wire default-vwire
name           interface1   interface2
-----------------------------------------------------------------------------
default-vwire  ethernet1/1  ethernet1/2
username@hostname>
show vlan
Show VLAN information.
Syntax
show vlan [value | all]
Options
value
all
Sample Output
The following command displays information for all VLANs.
username@hostname> show vlan all
vlan {
  Vlan56 {
    interface [ ethernet1/5 ethernet1/6 ];
    stp {
      enabled no;
    }
    rstp {
      enabled no;
    }
  }
  Vlan11-12 {
    interface [ ethernet1/11 ethernet1/12 ];
    stp {
      enabled no;
    }
    rstp {
      enabled no;
    }
  }
}
username@hostname>
show vpn
Show VPN information.
Syntax
show vpn flow
show vpn gateway
show vpn ike-sa
show vpn ipsec-sa
show vpn tunnel
Options
flow       Shows information about the VPN tunnel on the data plane. Specify the tunnel or press Enter to apply to all tunnels.
gateway    Shows Internet Key Exchange (IKE) gateway information. Specify the gateway or press Enter to apply to all gateways.
ike-sa     Shows information about the active IKE Security Association (SA). Specify the gateway or press Enter to apply to all gateways.
ipsec-sa   Shows information about IPsec SA tunnels. Specify the tunnel or press Enter to apply to all tunnels.
tunnel     Shows information about auto-key IPSec tunnels. Specify the tunnel or press Enter to apply to all tunnels.
name       Shows information about the VPN tunnel. Specify the tunnel or press Enter to apply to all tunnels.
Sample Output
The following command shows VPN information for the auto key IPsec tunnel k1.
username@hostname> show vpn tunnel name k1
TnID  Name(Gateway)    Local Proxy ID  Local Proxy ID  Proposals
-------------------------------------------
7     pan5gt(pan-5gt)  0.0.0.0/0       0.0.0.0/0       ESP tunl [DH2][AES128,3DES][SHA1] 90-sec
Total 1 tunnels found, 0 ipsec sa found, 0 error
username@hostname>
The following command shows VPN information for the IKE gateway g2.
username@hostname> show vpn tunnel name g2
GwID  Name            Peer Address/ID  Local Address/ID  Protocol    Proposals
----  --------------  ---------------  ----------------  ----------  ---------------------------------------
3     falcon-kestrel  35.1.15.1        35.1.15.40        Auto(main)  [PSK][DH2][AES128,3DES][SHA1] 28800-sec
show zone-protection
Shows the running configuration status and run time statistics for zone protection elements.
Syntax
show zone-protection [zone zonename]
Options
zonename
Sample Output
The following command shows statistics for the trust zone.
username@hostname> show zone-protection zone trust
---------------------------------------------------------------------------
Zone trust, vsys vsys1, profile custom-zone-protection
---------------------------------------------------------------------------
tcp-syn
  enabled: no
---------------------------------------------------------------------------
udp
  RED enabled: no
---------------------------------------------------------------------------
icmp
  RED enabled: no
---------------------------------------------------------------------------
other-ip
  RED enabled: no
---------------------------------------------------------------------------
packet filter:
  discard-ip-spoof:
    enabled: no
  discard-ip-frag:
    enabled: no
  discard-icmp-ping-zero-id:
    enabled: no
  discard-icmp-frag:
    enabled: no
  discard-icmp-large-packet:
    enabled: no
  reply-icmp-timeexceeded:
    enabled: no
username@hostname>
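The zone-protection output above is effectively a checklist: every flood protection and packet-filter entry reports whether it is enabled, and in the guide's sample all of them are off. The following Python is an added example for this page (not Palo Alto Networks code and not part of the original guide): it parses that output into a name-to-enabled map and lists the protections that are still disabled, which is the check a reviewer would run across every zone after a configuration change. The sample text is constructed from the guide's output; two entries (`icmp` and `reply-icmp-timeexceeded`) are set to `yes` in the constructed sample so that both states are exercised, and the layout (dashed separators, a section name followed by an `enabled:` line) is assumed from the guide's sample.

```python
"""Audit `show zone-protection zone <name>` output for disabled protections.

Added example for this page; not part of the original guide and not Palo Alto
Networks code. SAMPLE_ZONE_PROTECTION is constructed from the guide's sample,
with two entries switched to 'yes' so both states appear.
"""
import re

# Constructed sample matching the guide's `show zone-protection` layout.
SAMPLE_ZONE_PROTECTION = """\
---------------------------------------------------------------------------
Zone trust, vsys vsys1, profile custom-zone-protection
---------------------------------------------------------------------------
tcp-syn
  enabled: no
---------------------------------------------------------------------------
udp
  RED enabled: no
---------------------------------------------------------------------------
icmp
  RED enabled: yes
---------------------------------------------------------------------------
other-ip
  RED enabled: no
---------------------------------------------------------------------------
packet filter:
  discard-ip-spoof:
    enabled: no
  discard-ip-frag:
    enabled: no
  discard-icmp-ping-zero-id:
    enabled: no
  discard-icmp-frag:
    enabled: no
  discard-icmp-large-packet:
    enabled: no
  reply-icmp-timeexceeded:
    enabled: yes
"""

HEADER_RE = re.compile(
    r"^Zone (?P<zone>\S+), vsys (?P<vsys>\S+), profile (?P<profile>\S+)$"
)


def parse_zone_protection(text):
    """Return (header, {protection-name: enabled}).

    Flood sections (tcp-syn, udp, icmp, other-ip) are keyed by section name;
    packet-filter entries are keyed by their own name (discard-ip-spoof, ...).
    The 'packet filter:' line itself is a container and gets no entry.
    """
    header = {}
    state = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        if line.endswith("enabled: no") or line.endswith("enabled: yes"):
            if current is not None:
                state[current] = line.endswith("yes")
            continue
        # Any other line names the section or packet-filter entry that follows.
        current = line.rstrip(":")
        if current == "packet filter":
            current = None
    return header, state


def disabled_protections(state):
    """Names of protections that are not enabled, sorted for stable reporting."""
    return sorted(name for name, on in state.items() if not on)


if __name__ == "__main__":
    hdr, st = parse_zone_protection(SAMPLE_ZONE_PROTECTION)
    print(f"zone {hdr['zone']} (vsys {hdr['vsys']}, profile {hdr['profile']})")
    for name in disabled_protections(st):
        print("  disabled:", name)
```

Run against the real output of `show zone-protection zone <name>` for each zone, the list of disabled protections is what you compare against the profile you intended to apply; on the guide's own sample every entry would be reported.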
ssh
Open a secure shell (SSH) connection to another host.
Syntax
ssh [inet] [port number] [source address] [v1 | v2] [user@]host
Options
inet
port
source
version
user@
host
Sample Output
The following command opens an SSH connection to host 10.0.0.250 using SSH version 2.
username@hostname> ssh v2 user@10.0.0.250
user@10.0.0.250's password:
#
tail
Print the last 10 lines of a debug file.
Syntax
tail [follow] [lines] file
Options
follow
lines
file
Sample Output
The following command displays the last 10 lines of the /var/log/pan/masterd.log file.
username@hostname> tail /var/log/pan/masterd.log
[09:32:46] Successfully started process 'mgmtsrvr' instance '1'
[09:32:47] Successfully started process 'appWeb' instance '1'
[09:32:47] Started group 'pan' start script 'octeon' with options 'start'
[09:32:48] Process 'appWeb' instance '1' exited normally with status '7'
[09:32:48] Process 'appWeb' instance '1' has no further exit rules
[09:32:53] Successfully started process 'pan-ez-agent' instance '1'
[09:32:53] Process 'pan-ez-agent' instance '1' exited normally with status '0'
[09:32:53] Process 'pan-ez-agent' instance '1' has no further exit rules
[09:32:54] Successfully started process 'pan_netconfig_agent' instance '1'
[09:32:54] Finished initial start of all processes
username@hostname>
telnet
Open a Telnet session to another host.
Syntax
telnet [8bit] [port] host
Options
8bit
port
host
Sample Output
The following command opens a Telnet session to the host 1.2.5.5 using 8-bit data.
username@hostname> telnet 8bit 1.2.5.5
test
Run tests based on installed security policies.
Syntax
test options
Options
cp-policy-match        Tests captive portal policy matches. Specify the source and destination IP addresses and destination zone.
custom-url             Tests custom URL categorization. Specify the security rule name and URL.
data-filtering
nat-policy-match
pbf-policy-match
pppoe
qos-policy-match
routing
security-policy-match  Tests security policy matching. Specify the application name, source and destination IP addresses, ports, zone, protocol, and user.
ssl-policy-match       Tests Secure Socket Layer (SSL) policy matching. Specify the category name, source and destination IP addresses and zones.
url
vpn
Sample Output
The following command tests whether the set of criteria matches any of the existing rules in the security rule base.
username@hostname> test security-policy-match from trust to untrust application google-talk source 10.0.0.1 destination 192.168.0.1 protocol 6 destination-port 80 source-user known-user
Matched rule: 'rule1' action: allow
username@hostname>
tftp
tftp
Use Trivial File Transfer Protocol (TFTP) to copy files between the firewall and another host.
Syntax
tftp export option
tftp import option
Options
export
Specifies the type of file to export to the other host. Options include:
application: Application block comfort page.
application-pcap: Application packet capture file.
captive-portal-text: Text to be included in a captive portal.
configuration: Configuration file.
core-file: Core file.
crl: crl.tgz file.
debug-pcap: Internet Key Exchange (IKE) negotiation packet capture file.
file-block-page: File containing comfort pages to be presented when files are blocked.
filter-pcap: Filter packet capture.
high-availability-key: High availability peer encryption key.
inbound-proxy-key: Key for inbound proxy.
log-file: Log files.
ssl-cert-status-page: SSL certificate revoked notification page.
ssl-decryption-certificate: Secure Socket Layer (SSL) decryption certificate.
ssl-optout-text: SSL opt-out text.
stats-dump: Log database in CSV format.
tech-support: Technical support information.
threat-pcap: Threat packet capture.
url-block-page: Comfort page to be presented when files are blocked due to a blocked URL.
url-coach-text: URL coach text.
virus-block-page: Comfort page that is presented when files are blocked due to a virus.
web-interface-certificate: Web interface certificate.
import
Specifies the type of file to import from the other host. Options include:
anti-virus: Anti-virus content.
application-block-page: Application block comfort page.
captive-portal-text: Captive portal text.
configuration: Configuration information.
content: Database content.
file-block-page: File block comfort page.
high-availability-key: High-availability peer encryption key.
license: License file.
private-key: SSL private key.
software: Software package.
ssl-cert-status-page: SSL certificate revocation notification page.
ssl-certificate: SSL certificate.
ssl-optout-text: SSL opt-out text.
sslvpn-custom-login-page: SSL VPN custom login page.
url-block-page: URL block comfort page.
url-coach-text: URL coach text.
url-database: URL database package.
virus-block-page: Virus block comfort page.
vpnclient: VPN client package.
Sample Output
The following command imports a license file from a file in user1's account on the machine with IP address 10.0.3.4.
username@hostname> tftp import ssl-certificate from user1@10.0.3.4:/tmp/certificatefile
username@hostname>
traceroute
Display information about the route packets take to another host.
Syntax
traceroute [bypass-routing] [debug-socket] [do-not-fragment] [first-ttl option] [gateway] [ipv4 | ipv6] [max-ttl ttl] [no-resolve] [pause] [source ip] [tos] [verbose] [wait] host name
Options
bypass-routing
Sends the request directly to the host on a directly attached network, bypassing the usual routing table.
debug-socket
do-not-fragment
first-ttl
Sets the time-to-live in the first outgoing probe packet in number of hops.
gateway
ipv4
ipv6
max-ttl
no-resolve
pause
port
Sets the base port number used in probes (default udp/33434 tcp/80 icmp/1).
source
tos
Specifies the type of service (TOS) treatment for the packets by way of the TOS bit for the IP header in the ping packet (0-255).
wait
host name
Sample Output
The following command displays information about the route from the firewall to www.google.com.
username@hostname> traceroute www.paloaltonetworks.com
traceroute to www.paloaltonetworks.com (72.32.199.53), 30 hops max, 38 byte packets
1 10.1.0.1 (10.1.0.1) 0.399 ms 1.288 ms 0.437 ms
2 64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.910 ms dsl027-186189.sfo1.dsl.speakeasy.net (216.27.186.189) 1.012 ms 64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.865 ms
3 dsl027-182-001.sfo1.dsl.speakeasy.net (216.27.182.1) 16.768 ms 581.420 ms 64.3.142.37.ptr.us.xo.net (64.3.142.37) 219.190 ms
4 ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21) 228.551 ms 110.ge-0-00.cr1.sfo1.speakeasy.net (69.17.83.189) 12.352 ms ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21) 218.547 ms
5 ge-5-3-0.mpr3.pao1.us.above.net (209.249.11.177) 13.212 ms p4-00.rar2.sanjose-ca.us.xo.net (65.106.5.137) 273.935 ms 221.313 ms
6 p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178) 139.212 ms so-1-21.mpr1.sjc2.us.above.net (64.125.28.141) 13.348 ms p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178) 92.795 ms
7 so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246) 12.069 ms 206.111.12.146.ptr.us.xo.net (206.111.12.146) 93.278 ms so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246) 556.033 ms
8 tbr1p013201.sffca.ip.att.net (12.123.13.66) 52.726 ms so-3-20.cr1.dfw2.us.above.net (64.125.29.54) 61.875 ms tbr1p013201.sffca.ip.att.net (12.123.13.66) 58.462 ms
MPLS Label=32537 CoS=0 TTL=1 S=1
9 64.124.12.6.available.above.net (64.124.12.6) 74.828 ms tbr1cl3.la2ca.ip.att.net (12.122.10.26) 62.533 ms 64.124.12.6.available.above.net (64.124.12.6) 60.537 ms
10 tbr1cl20.dlstx.ip.att.net (12.122.10.49) 60.617 ms vlan901.core1.dfw1.rackspace.com (72.3.128.21) 59.881 ms 60.429 ms
11 gar1p360.dlrtx.ip.att.net (12.123.16.169) 108.713 ms aggr5a.dfw1.rackspace.net (72.3.129.19) 58.049 ms gar1p360.dlrtx.ip.att.net (12.123.16.169) 173.102 ms
12 72.32.199.53 (72.32.199.53) 342.977 ms 557.097 ms 60.899 ms
username@hostname>
view-pcap
Examine the content of packet capture files.
Syntax
view-pcap option filename
Options
option
absolute-seq
delta
hex
hex-ascii
hex-ascii-link
hex-link
link-header
no-dns-lookup
no-port-lookup
no-qualification
timestamp
undecoded-nfs
unformatted-timestamp
verbose
verbose+
verbose++
filename
Sample Output
The following command displays the contents of the packet capture file /var/session/pan/filters/syslog.pcap in ASCII and hex formats.
Chapter 5
Maintenance Mode
Maintenance mode provides support for error recovery and diagnostics, and allows you to reset the firewall to factory defaults.
This chapter describes how to enter Maintenance mode:
Serial cable to the serial port on the firewall. For serial cable specifications, refer to the Hardware Reference Guide for your firewall model.
Secure Socket Layer (SSL). SSL access is supported if the firewall has already entered Maintenance mode (either automatically or explicitly during bootup).
2. Press any key on your keyboard when prompted to stop the automatic boot, and then select Maint as the booting partition.
The following table describes the Maintenance mode selections that are accessible without entering a password.
Maintenance Entry Reason
Indicates why the system entered Maintenance mode and includes possible recovery steps.
Displays basic information about the system. This information is useful when obtaining assistance from Customer Support.
Provides the ability to run a file system check (FSCK) on various partitions.
Log Files
Disk Image
Allows the system to revert back to the previously installed software version.
Content Rollback
Reboot
Some of the options are password protected to prevent accidental changes that could leave the system in an inoperative state. The password is intended as a safeguard and is not meant to be secret. The password is MA1NT (numeral 1).
Factory Reset
Returns the firewall to the factory default state. The reset includes an option to scrub the Config and Log partitions using a National Nuclear Security Administration (NNSA) or Department of Defense (DOD) compliant scrubbing algorithm.
Note: Scrubbing can take up to six hours to complete.
Bootloader Recovery
Reprograms the main bootloader with the latest bootloader image on the system. Use this option if the failsafe bootloader is running and recovery of the main bootloader is required. (PA-2000 and PA-500 systems only)
Disk Image
Advanced Diagnostics
Tests the dataplane booting and dataplane memory, and runs disk performance tests with bonnie++.
Appendix A
CONFIGURATION HIERARCHY
This appendix presents the complete firewall configuration hierarchies for the application
identification firewall and for Panorama:
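The hierarchy uses a brace notation: `key value;` sets a leaf, `key { ... }` opens a node, `REPEAT...` marks a collection of named entries, `OR...` separates alternatives, and `[ a b ]` holds a list. The Python below is an added example that is not part of this guide or of PAN-OS: it parses a concrete configuration written in that notation into nested dictionaries and then audits the management-plane settings the hierarchy defines (`deviceconfig/system/service`, `snmp-community-string`, `interface-management-profile`, and the `hash` list of `ike-crypto-profiles`). The sample configuration, its hostname and profile names, and the particular set of checks are constructed for the example; the checks only flag values that are explicitly set, so they make no assumption about the firewall's defaults.

```python
"""Added example, not from the PAN-OS guide: parse the brace notation of the
configuration hierarchy and audit management-plane settings. Sample is constructed."""
import re

# A token is a double-quoted string, one of { } ; [ ], or a bare word.
_TOKEN = re.compile(r'"[^"]*"|[{};\[\]]|[^\s{};\[\]]+')


def parse_config(text: str) -> dict:
    """`key value;` -> key: value; `key a b;` or `key [ a b ];` -> key: [a, b];
    `key;` -> key: True; `key { ... }` -> key: nested dict."""
    tokens = _TOKEN.findall(text)
    tree, pos = _parse_block(tokens, 0, depth=0)
    if pos != len(tokens):
        raise ValueError("trailing tokens after the top-level block")
    return tree


def _parse_block(tokens: list, pos: int, depth: int) -> tuple:
    node = {}
    while pos < len(tokens):
        key = tokens[pos]
        pos += 1
        if key == "}":
            if depth == 0:
                raise ValueError("unexpected '}' at top level")
            return node, pos
        if key in ("{", ";", "[", "]"):
            raise ValueError(f"unexpected {key!r}")
        if pos < len(tokens) and tokens[pos] == "{":
            node[key], pos = _parse_block(tokens, pos + 1, depth + 1)
            continue
        values, bracketed = [], False
        while pos < len(tokens) and tokens[pos] != ";":
            tok = tokens[pos]
            pos += 1
            if tok in ("[", "]"):
                bracketed = True
            elif tok in ("{", "}"):
                raise ValueError(f"unexpected {tok!r} in the value of {key!r}")
            else:  # strip the quotes from a quoted string such as a login banner
                values.append(tok[1:-1] if len(tok) > 1 and tok[0] == tok[-1] == '"' else tok)
        if pos >= len(tokens):
            raise ValueError(f"missing ';' after {key!r}")
        pos += 1  # consume the ';'
        node[key] = values if bracketed or len(values) > 1 else (values[0] if values else True)
    if depth > 0:
        raise ValueError("missing '}'")
    return node, pos


def audit(tree: dict) -> list:
    """Findings for cleartext management access, a default SNMP community and md5 in IKE."""
    findings = []
    system = tree.get("deviceconfig", {}).get("system", {})
    for proto in ("telnet", "http"):
        if system.get("service", {}).get(f"disable-{proto}") == "no":
            findings.append(f"deviceconfig/system/service: cleartext {proto} enabled on the management interface")
    if system.get("snmp-community-string") in ("public", "private"):
        findings.append("deviceconfig/system: default SNMP community string in use")
    network = tree.get("network", {})
    for name, prof in network.get("profiles", {}).get("interface-management-profile", {}).items():
        for proto in ("telnet", "http"):
            if prof.get(proto) == "yes":
                findings.append(f"interface-management-profile {name}: cleartext {proto} enabled")
        if "permitted-ip" not in prof:
            findings.append(f"interface-management-profile {name}: no permitted-ip restriction")
    ike = network.get("ike", {}).get("crypto-profiles", {}).get("ike-crypto-profiles", {})
    for name, prof in ike.items():
        hashes = prof.get("hash", [])
        if "md5" in (hashes if isinstance(hashes, list) else [hashes]):
            findings.append(f"ike-crypto-profile {name}: md5 offered as an IKE hash")
    return findings


# Constructed sample in the appendix's notation; hostname and profile names are made up.
SAMPLE_CONFIG = """
deviceconfig {
  system {
    hostname fw1;
    login-banner "Authorized use only";
    service { disable-telnet no; disable-http no; }
    snmp-community-string public;
  }
}
network {
  profiles {
    interface-management-profile {
      mgmt-open { http yes; telnet yes; ssh yes; }
      mgmt-hardened { https yes; ssh yes; permitted-ip { 10.0.0.0/24; } }
    }
  }
  ike { crypto-profiles { ike-crypto-profiles {
    legacy-ike { encryption [ aes256 3des ]; hash [ md5 sha1 ]; }
  } } }
}
"""

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the audit reports seven findings: both cleartext protocols left enabled on the management interface, the default SNMP community, the three weaknesses of the `mgmt-open` profile, and md5 in the `legacy-ike` hash list; `mgmt-hardened` produces none. The parser rejects unbalanced braces and missing semicolons rather than silently returning a partial tree, which matters when the same code is pointed at a long exported configuration.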
Firewall Hierarchy
deviceconfig {
system {
login-banner <value>;
hostname <value>;
domain <value>;
speed-duplex auto-negotiate|10Mbps-half-duplex|10Mbps-full-duplex|100Mbps-half-duplex|100Mbps-full-duplex|1Gbps-half-duplex|1Gbps-full-duplex;
ip-address <ip/netmask>;
netmask <value>;
default-gateway <ip/netmask>;
ipv6-address <ip/netmask>;
ipv6-default-gateway <ip/netmask>;
authentication-profile <value>;
client-certificate-profile <value>;
dns-primary <ip/netmask>;
dns-secondary <ip/netmask>;
panorama-server <ip/netmask>;
ntp-server-1 <value>;
location <value>;
contact <value>;
ntp-server-2 <value>;
update-server <value>;
secure-proxy-server <value>;
secure-proxy-port 1-1;
secure-proxy-user <value>;
secure-proxy-password <value>;
snmp-community-string <value>;
domain-lookup-url <value>;
ip-address-lookup-url <value>;
geo-location {
latitude <value>;
longitude <value>;
}
service {
disable-http yes|no;
disable-https yes|no;
disable-telnet yes|no;
disable-ssh yes|no;
disable-icmp yes|no;
disable-snmp yes|no;
}
permitted-ip {
REPEAT...
<name>;
}
route {
service {
REPEAT...
<name> {
source-address <value>;
}
}
destination {
REPEAT...
<name> {
source-address <value>;
}
}
}
log-link {
REPEAT...
<name> {
url <value>;
}
}
log-export-schedule {
REPEAT...
<name> {
description <value>;
enable yes|no;
log-type traffic|threat|url|data;
start-time <value>;
protocol {
ftp {
hostname <value>;
port 1-1;
username <value>;
password <value>;
passive-mode yes|no;
}
}
}
}
update-schedule {
threats {
recurring {
daily {
at <value>;
action download-only|download-and-install;
}
OR...
weekly {
day-of-week sunday|monday|tuesday|wednesday|thursday|friday|saturday;
at <value>;
action download-only|download-and-install;
}
threshold 1-1;
sync-to-peer yes|no;
}
}
anti-virus {
recurring {
hourly {
at 0-65535;
action download-only|download-and-install;
}
OR...
daily {
at <value>;
action download-only|download-and-install;
}
OR...
weekly {
day-of-week sunday|monday|tuesday|wednesday|thursday|friday|saturday;
at <value>;
action download-only|download-and-install;
}
threshold 1-1;
sync-to-peer yes|no;
}
}
url-database {
recurring {
daily {
at <value>;
action download-and-install;
}
OR...
weekly {
day-of-week sunday|monday|tuesday|wednesday|thursday|friday|saturday;
at <value>;
action download-and-install;
}
}
}
}
timezone W-SU|CST6CDT|Japan|Portugal|Hongkong|Mideast|Mideast/Riyadh87|Mideast/Riyadh88|Mideast/Riyadh89|Eire|Poland|Factory|GB-Eire|America|America/Port_of_Spain|America/Indiana|America/Indiana/Vevay|America/Indiana/Indianapolis|America/Indiana/Marengo|America/Indiana/Knox|America/St_Johns|America/Grand_Turk|America/Tijuana|America/Toronto|America/Araguaina|America/Virgin|America/El_Salvador|America/Coral_Harbour|America/Jujuy|America/Mexico_City|America/Guyana|America/Cayman|America/Ensenada|America/Fortaleza|America/Iqaluit|America/Boa_Vista|America/Chihuahua|America/Nome|America/Cancun|America/Cayenne|America/Recife|America/Panama|America/Caracas|America/Costa_Rica|America/Cambridge_Bay|America/Martinique|America/Yellowknife|America/Godthab|America/Sao_Paulo|America/Edmonton|America/Fort_Wayne|America/Danmarkshavn|America/Barbados|America/Dawson|America/Thunder_Bay|America/Tegucigalpa|America/Chicago|America/Guadeloupe|America/Grenada|America/Anguilla|America/Kentucky|America/Kentucky/Monticello|America/Kentucky/Louisville|America/Argentina|America/Argentina/Jujuy|America/Argentina/Ushuaia|America/Argentina/Catamarca|America/Argentina/San_Juan|America/Argentina/Mendoza|America/Argentina/La_Rioja|America/Argentina/Buenos_Aires|America/Argentina/Tucuman|America/Argentina/ComodRivadavia|America/Argentina/Cordoba|America/Argentina/Rio_Gallegos|America/Mazatlan|America/Regina|America/Montevideo|America/Catamarca|America/Los_Angeles|America/Campo_Grande|America/Aruba|America/Manaus|America/Knox_IN|America/Rosario|America/St_Lucia|America/Hermosillo|America/Denver|America/Detroit|America/Santiago|America/Shiprock|America/Cuiaba|America/Dominica|America/Porto_Acre|America/Curacao|America/Belize|America/Merida|America/Swift_Current|America/Antigua|America/Adak|America/Indianapolis|America/Belem|America/Miquelon|America/Louisville|America/Bogota|America/New_York|America/Boise|America/Scoresbysund|America/Mendoza|America/Goose_Bay|America/Yakutat|America/Eirunepe|America/Winnipeg|America/Buenos_Aires|America/Menominee|America/Paramaribo|America/Thule|America/Montreal|America/Jamaica|America/Monterrey|America/St_Thomas|America/Rio_Branco|America/Lima|America/Juneau|America/La_Paz|America/Vancouver|America/Rankin_Inlet|America/Puerto_Rico|America/St_Kitts|America/Halifax|America/Guayaquil|America/Inuvik|America/Noronha|America/Nassau|America/Port-au-Prince|America/Guatemala|America/Glace_Bay|America/Nipigon|America/Cordoba|America/Bahia|America/Asuncion|America/Maceio|America/Atka|America/North_Dakota|America/North_Dakota/Center|America/Managua|America/Anchorage|America/Montserrat|America/Tortola|America/Dawson_Creek|America/Santo_Domingo|America/Pangnirtung|America/Whitehorse|America/St_Vincent|America/Porto_Velho|America/Havana|America/Phoenix|America/Rainy_River|Indian|Indian/Christmas|Indian/Reunion|Indian/Comoro|Indian/Cocos|Indian/Mauritius|Indian/Antananarivo|Indian/Mahe|Indian/Mayotte|Indian/Kerguelen|Indian/Chagos|Indian/Maldives|GMT0|Canada|Canada/Yukon|Canada/Saskatchewan|Canada/Central|Canada/Eastern|Canada/East-Saskatchewan|Canada/Atlantic|Canada/Pacific|Canada/Mountain|Canada/Newfoundland|MET|ROK|US|US/Alaska|US/East-Indiana|US/Central|US/Eastern|US/Samoa|US/Arizona|US/Pacific|US/Aleutian|US/Hawaii|US/Mountain|US/Michigan|US/Indiana-Starke|MST|Mexico|Mexico/BajaSur|Mexico/General|Mexico/BajaNorte|EST5EDT|Atlantic|Atlantic/Madeira|Atlantic/Cape_Verde|Atlantic/St_Helena|Atlantic/Stanley|Atlantic/South_Georgia|Atlantic/Jan_Mayen|Atlantic/Azores|Atlantic/Reykjavik|Atlantic/Canary|Atlantic/Faeroe|Atlantic/Bermuda|HST|Antarctica|Antarctica/McMurdo|Antarctica/Davis|Antarctica/South_Pole|Antarctica/Vostok|Antarctica/Rothera|Antarctica/Mawson|Antarctica/DumontDUrville|Antarctica/Palmer|Antarctica/Casey|Antarctica/Syowa|UTC|Iceland|Pacific|Pacific/Honolulu|Pacific/Truk|Pacific/Niue|Pacific/Wake|Pacific/Apia|Pacific/Majuro|Pacific/Norfolk|Pacific/Efate|Pacific/Enderbury|Pacific/Palau|Pacific/Saipan|Pacific/Nauru|Pacific/Kiritimati|Pacific/Tahiti|Pacific/Guam|Pacific/Tongatapu|Pacific/Fiji|Pacific/Rarotonga|Pacific/Samoa|Pacific/Fakaofo|Pacific/Guadalcanal|Pacific/Port_Moresby|Pacific/Midway|Pacific/Galapagos|Pacific/Yap|Pacific/Johnston|Pacific/Marquesas|Pacific/Noumea|Pacific/Auckland|Pacific/Gambier|Pacific/Kwajalein|Pacific/Kosrae|Pacific/Wallis|Pacific/Easter|Pacific/Chatham|Pacific/Funafuti|Pacific/Pago_Pago|Pacific/Tarawa|Pacific/Pitcairn|Pacific/Ponape|EET|EST|Greenwich|GMT|Cuba|Brazil|Brazil/Acre|Brazil/East|Brazil/DeNoronha|Brazil/West|Turkey|Arctic|Arctic/Longyearbyen|NZ-CHAT|Zulu|Israel|Jamaica|Etc|Etc/GMT-14|Etc/GMT+6|Etc/GMT-10|Etc/GMT-2|Etc/GMT-8|Etc/GMT+4|Etc/GMT0|Etc/GMT-12|Etc/GMT+11|Etc/GMT-11|Etc/GMT+12|Etc/UTC|Etc/GMT-3|Etc/Greenwich|Etc/GMT-9|Etc/GMT|Etc/GMT+2|Etc/Zulu|Etc/GMT-4|Etc/GMT+7|Etc/GMT+1|Etc/GMT+8|Etc/GMT-7|Etc/GMT-6|Etc/GMT+10|Etc/GMT-5|Etc/GMT+0|Etc/GMT-1|Etc/GMT+3|Etc/GMT+5|Etc/GMT-13|Etc/UCT|Etc/Universal|Etc/GMT+9|Etc/GMT-0|NZ|Europe|Europe/Vienna|Europe/Athens|Europe/Tiraspol|Europe/Lisbon|Europe/Rome|Europe/Bratislava|Europe/Andorra|Europe/Sofia|Europe/Kaliningrad|Europe/Zurich|Europe/Belfast|Europe/Oslo|Europe/Samara|Europe/Malta|Europe/Chisinau|Europe/Moscow|Europe/Paris|Europe/Minsk|Europe/Zaporozhye|Europe/Amsterdam|Europe/Tallinn|Europe/Uzhgorod|Europe/Brussels|Europe/Vatican|Europe/Vaduz|Europe/San_Marino|Europe/Nicosia|Europe/Berlin|Europe/Vilnius|Europe/Monaco|Europe/Istanbul|Europe/Belgrade|Europe/Stockholm|Europe/Riga|Europe/Madrid|Europe/Gibraltar|Europe/Copenhagen|Europe/Skopje|Europe/Budapest|Europe/Dublin|Europe/Bucharest|Europe/Helsinki|Europe/Prague|Europe/Sarajevo|Europe/London|Europe/Tirane|Europe/Zagreb|Europe/Kiev|Europe/Warsaw|Europe/Ljubljana|Europe/Simferopol|Europe/Mariehamn|Europe/Luxembourg|Singapore|ROC|Kwajalein|Egypt|PST8PDT|GMT+0|Asia|Asia/Kuwait|Asia/Kamchatka|Asia/Thimphu|Asia/Macau|Asia/Gaza|Asia/Thimbu|Asia/Pyongyang|Asia/Vladivostok|Asia/Katmandu|Asia/Sakhalin|Asia/Muscat|Asia/Ashkhabad|Asia/Ulan_Bator|Asia/Riyadh|Asia/Riyadh87|Asia/Calcutta|Asia/Yerevan|Asia/Shanghai|Asia/Baghdad|Asia/Makassar|Asia/Oral|Asia/Hong_Kong|Asia/Jayapura|Asia/Omsk|Asia/Almaty|Asia/Saigon|Asia/Magadan|Asia/Chungking|Asia/Hovd|Asia/Brunei|Asia/Novosibirsk|Asia/Dacca|Asia/Qatar|Asia/Ulaanbaatar|Asia/Krasnoyarsk|Asia/Kuching|Asia/Qyzylorda|Asia/Karachi|Asia/Anadyr|Asia/Yakutsk|Asia/Seoul|Asia/Choibalsan|Asia/Macao|Asia/Samarkand|Asia/Yekaterinburg|Asia/Aqtobe|Asia/Riyadh88|Asia/Nicosia|Asia/Pontianak|Asia/Urumqi|Asia/Irkutsk|Asia/Taipei|Asia/Harbin|Asia/Istanbul|Asia/Colombo|Asia/Tel_Aviv|Asia/Jakarta|Asia/Amman|Asia/Bahrain|Asia/Tokyo|Asia/Chongqing|Asia/Ashgabat|Asia/Singapore|Asia/Aqtau|Asia/Baku|Asia/Bishkek|Asia/Dili|Asia/Tbilisi|Asia/Beirut|Asia/Riyadh89|Asia/Damascus|Asia/Aden|Asia/Dubai|Asia/Manila|Asia/Vientiane|Asia/Tehran|Asia/Kashgar|Asia/Dushanbe|Asia/Kabul|Asia/Bangkok|Asia/Rangoon|Asia/Jerusalem|Asia/Dhaka|Asia/Kuala_Lumpur|Asia/Tashkent|Asia/Phnom_Penh|Asia/Ujung_Pandang|CET|PRC|Africa|Africa/Kinshasa|Africa/Ndjamena|Africa/Mbabane|Africa/Lagos|Africa/El_Aaiun|Africa/Douala|Africa/Kampala|Africa/Mogadishu|Africa/Tripoli|Africa/Conakry|Africa/Niamey|Africa/Asmera|Africa/Khartoum|Africa/Lubumbashi|Africa/Kigali|Africa/Johannesburg|Africa/Blantyre|Africa/Malabo|Africa/Gaborone|Africa/Lome|Africa/Algiers|Africa/Addis_Ababa|Africa/Brazzaville|Africa/Dakar|Africa/Nairobi|Africa/Cairo|Africa/Banjul|Africa/Bamako|Africa/Bissau|Africa/Libreville|Africa/Sao_Tome|Africa/Casablanca|Africa/Timbuktu|Africa/Nouakchott|Africa/Freetown|Africa/Monrovia|Africa/Ceuta|Africa/Dar_es_Salaam|Africa/Lusaka|Africa/Abidjan|Africa/Bujumbura|Africa/Maseru|Africa/Bangui|Africa/Windhoek|Africa/Accra|Africa/Djibouti|Africa/Ouagadougou|Africa/Porto-Novo|Africa/Tunis|Africa/Maputo|Africa/Harare|Africa/Luanda|UCT|GB|Universal|Australia|Australia/Hobart|Australia/Lord_Howe|Australia/Perth|Australia/South|Australia/Yancowinna|Australia/Currie|Australia/Tasmania|Australia/Queensland|Australia/NSW|Australia/Lindeman|Australia/Melbourne|Australia/Adelaide|Australia/Victoria|Australia/Canberra|Australia/West|Australia/Brisbane|Australia/Broken_Hill|Australia/Darwin|Australia/ACT|Australia/North|Australia/Sydney|Australia/LHI|Iran|WET|Libya|MST7MDT|Chile|Chile/EasterIsland|Chile/Continental|GMT0|Navajo;
}
setting {
nat {
reserve-ip yes|no;
reserve-time 1-1;
}
jumbo-frame {
mtu 512-512;
}
url {
dynamic-url-timeout 1-1;
}
application {
identify-unknown-traffic-by-port yes|no;
dump-unknown on|off;
cache yes|no;
cache-threshold 1-1;
supernode yes|no;
heuristics yes|no;
notify-user yes|no;
}
ctd {
x-forwarded-for yes|no;
url-coach-timeout 1-1;
url-admin-timeout 1-1;
url-lockout-timeout 1-1;
url-wait-timeout 1-1;
http-proxy-use-transaction yes|no;
bypass-exceed-queue yes|no;
}
ssl-decrypt {
url-proxy yes|no;
notify-user yes|no;
answer-timeout 1-1;
crl yes|no;
ocsp yes|no;
crl-receive-timeout 1-1;
ocsp-receive-timeout 1-1;
block-unknown-cert yes|no;
block-timeout-cert yes|no;
cert-status-timeout 0-65535;
deny-setup-failure yes|no;
}
session {
timeout-tcp 1-1;
timeout-udp 1-1;
timeout-icmp 1-1;
timeout-default 1-1;
timeout-tcpinit 1-1;
timeout-tcpwait 1-1;
timeout-discard-tcp 1-1;
timeout-discard-udp 1-1;
timeout-discard-default 1-1;
timeout-scan 5-5;
scan-threshold 50-50;
scan-scaling-factor 2-2;
accelerated-aging-enable yes|no;
accelerated-aging-threshold 50-50;
accelerated-aging-scaling-factor 2-2;
tcp-reject-non-syn yes|no;
offload yes|no;
ipv6-firewalling yes|no;
}
tcp {
drop-out-of-wnd yes|no;
bypass-exceed-oo-queue yes|no;
out-of-sync reject|bypass|ignore;
}
zip {
enable yes|no;
sw yes|no;
}
config {
rematch yes|no;
}
logging {
max-log-rate 0-65535;
max-packet-rate 0-65535;
log-suppression yes|no;
}
management {
idle-timeout 1-1;
send-hostname-in-syslog yes|no;
traffic-stop-on-logdb-full yes|no;
max-rows-in-csv-export 1-1;
max-audit-versions 1-1;
panorama-tcp-receive-timeout 1-1;
panorama-tcp-send-timeout 1-1;
panorama-ssl-send-retries 1-1;
}
}
high-availability {
enabled yes|no;
interface {
ha1 {
port <value>;
encryption {
enabled yes|no;
}
link-speed auto|10|100|1000;
link-duplex auto|full|half;
ip-address <ip/netmask>;
netmask <value>;
default-gateway <ip/netmask>;
monitor-hold-time 1000-1000;
}
ha2 {
port <value>;
link-speed auto|10|100|1000;
link-duplex auto|full|half;
ip-address <ip/netmask>;
netmask <value>;
default-gateway <ip/netmask>;
}
}
group {
REPEAT...
<name> {
description <value>;
election-option {
device-priority 0-65535;
preemptive yes|no;
passive-hold-time 0-65535;
hello-interval 8000-8000;
hello-interval 1000-1000;
heartbeat-interval 1000-1000;
passive-link-state shutdown|auto;
flap-max 0-65535;
monitor-fail-hold-time 1-1;
preemption-hold-time 1-1;
}
peer-ip <ip/netmask>;
state-synchronization {
enabled yes|no;
transport {
ethernet {
destination-mac-address <value>;
}
OR...
ip {
destination-ip <ip/netmask>;
}
OR...
udp {
destination-ip <ip/netmask>;
destination-port 1-1;
}
}
}
monitoring {
path-monitoring {
enabled yes|no;
failure-condition any|all;
path-group {
virtual-wire {
REPEAT...
<name> {
enabled yes|no;
failure-condition any|all;
source-ip <ip/netmask>;
destination-ip [ <destination-ip1> <destination-ip2>... ];
}
}
vlan {
REPEAT...
<name> {
enabled yes|no;
failure-condition any|all;
source-ip <ip/netmask>;
destination-ip [ <destination-ip1> <destination-ip2>... ];
}
}
virtual-router {
REPEAT...
<name> {
enabled yes|no;
failure-condition any|all;
destination-ip [ <destination-ip1> <destination-ip2>... ];
}
}
}
}
link-monitoring {
enabled yes|no;
failure-condition any|all;
link-group {
REPEAT...
<name> {
enabled yes|no;
failure-condition any|all;
interface [ <interface1> <interface2>... ];
}
}
}
}
}
}
}
}
mgt-config {
users {
REPEAT...
<name> {
phash <value>;
authentication-profile <value>;
client-certificate-only yes|no;
preferences {
disable-dns yes|no;
saved-log-query {
traffic {
REPEAT...
<name> {
query <value>;
}
}
threat {
REPEAT...
<name> {
query <value>;
}
}
url {
REPEAT...
<name> {
query <value>;
}
}
data {
REPEAT...
<name> {
query <value>;
}
}
config {
REPEAT...
<name> {
query <value>;
}
}
system {
REPEAT...
<name> {
query <value>;
}
}
}
}
permissions {
role-based {
vsysreader {
REPEAT...
<name> {
vsys [ <vsys1> <vsys2>... ];
}
}
OR...
vsysadmin {
REPEAT...
<name> {
vsys [ <vsys1> <vsys2>... ];
}
}
OR...
devicereader [ <devicereader1> <devicereader2>... ];
OR...
deviceadmin [ <deviceadmin1> <deviceadmin2>... ];
OR...
superreader yes;
OR...
superuser yes;
OR...
custom {
profile <value>;
vsys [ <vsys1> <vsys2>... ];
}
}
}
}
}
access-domain {
REPEAT...
<name> {
vsys [ <vsys1> <vsys2>... ];
}
}
}
network {
profiles {
monitor-profile {
REPEAT...
<name> {
interval 2-2;
threshold 2-2;
action wait-recover|fail-over;
}
}
interface-management-profile {
REPEAT...
<name> {
http yes|no;
https yes|no;
ping yes|no;
ssh yes|no;
telnet yes|no;
snmp yes|no;
permitted-ip {
REPEAT...
<name>;
}
}
}
zone-protection-profile {
REPEAT...
<name> {
description <value>;
scan {
REPEAT...
<name> {
action allow|alert|block;
interval 2-2;
threshold 2-2;
}
}
flood {
tcp-syn {
enable yes|no;
red {
alarm-rate 0-65535;
activate-rate 1-1;
maximal-rate 1-1;
}
OR...
syn-cookies {
alarm-rate 0-65535;
activate-rate 0-65535;
maximal-rate 1-1;
}
}
udp {
enable yes|no;
red {
alarm-rate 0-65535;
activate-rate 1-1;
maximal-rate 1-1;
}
}
icmp {
enable yes|no;
red {
alarm-rate 0-65535;
activate-rate 1-1;
maximal-rate 1-1;
}
}
other-ip {
enable yes|no;
red {
alarm-rate 0-65535;
activate-rate 1-1;
maximal-rate 1-1;
}
}
}
tcp-reject-non-syn global|yes|no;
discard-ip-spoof yes|no;
discard-ip-frag yes|no;
discard-icmp-ping-zero-id yes|no;
discard-icmp-frag yes|no;
discard-icmp-large-packet yes|no;
suppress-icmp-timeexceeded yes|no;
suppress-icmp-needfrag yes|no;
}
}
}
interface {
ethernet {
REPEAT...
<name> {
link-speed <value>;
link-duplex <value>;
link-state auto|up|down;
tap;
OR...
ha;
OR...
virtual-wire;
OR...
layer2 {
units {
REPEAT...
<name> {
tag 1-1;
}
}
}
OR...
layer3 {
mtu 576-576;
ip {
REPEAT...
<name>;
}
OR...
pppoe {
enable yes|no;
authentication auto|CHAP|PAP;
static-address {
ip <ip/netmask>;
}
username <value>;
password <value>;
create-default-route yes|no;
default-route-metric 1-1;
access-concentrator <value>;
service <value>;
auto-connect yes|no;
auto-connect-timeout 0-65535;
idle-disconnect 0-65535;
clear-on-disconnect yes|no;
}
arp {
REPEAT...
<name> {
hw-address <value>;
}
}
interface-management-profile <value>;
units {
REPEAT...
<name> {
mtu 576-576;
ip {
REPEAT...
<name>;
}
arp {
REPEAT...
<name> {
hw-address <value>;
}
}
interface-management-profile <value>;
tag 1-1;
}
}
}
OR...
aggregate-group <value>;
}
}
aggregate-ethernet {
REPEAT...
<name> {
virtual-wire;
OR...
layer2 {
units {
REPEAT...
<name> {
tag 1-1;
}
}
}
OR...
layer3 {
mtu 576-576;
ip {
REPEAT...
<name>;
}
arp {
REPEAT...
<name> {
hw-address <value>;
}
}
interface-management-profile <value>;
units {
REPEAT...
<name> {
mtu 576-576;
ip {
REPEAT...
<name>;
}
arp {
REPEAT...
<name> {
hw-address <value>;
}
}
interface-management-profile <value>;
tag 1-1;
}
}
}
}
}
vlan {
mtu 576-576;
ip {
REPEAT...
<name>;
}
arp {
REPEAT...
<name> {
hw-address <value>;
interface <value>;
}
}
interface-management-profile <value>;
units {
REPEAT...
<name> {
mtu 576-576;
ip {
REPEAT...
<name>;
}
arp {
REPEAT...
<name> {
hw-address <value>;
interface <value>;
}
}
interface-management-profile <value>;
}
}
}
loopback {
mtu 576-576;
ip {
REPEAT...
<name>;
}
interface-management-profile <value>;
unnumbered {
source-interface <value>;
}
units {
REPEAT...
<name> {
mtu 576-576;
ip {
REPEAT...
<name>;
}
interface-management-profile <value>;
unnumbered {
source-interface <value>;
}
}
}
}
tunnel {
mtu 576-576;
ip {
REPEAT...
<name>;
}
interface-management-profile <value>;
unnumbered {
source-interface <value>;
}
units {
REPEAT...
<name> {
mtu 576-576;
ip {
REPEAT...
<name>;
}
interface-management-profile <value>;
unnumbered {
source-interface <value>;
}
}
}
}
}
ike {
gateway {
REPEAT...
<name> {
peer-address {
ip <ip/netmask>;
OR...
dynamic;
}
local-address {
interface <value>;
ip <value>;
}
peer-id {
id <value>;
type ipaddr|fqdn|ufqdn|keyid;
}
local-id {
id <value>;
type ipaddr|fqdn|ufqdn|keyid;
}
authentication {
pre-shared-key {
key <value>;
}
OR...
certificate {
peer-cert <value>;
local-cert <value>;
}
}
protocol {
ikev1 {
enable yes|no;
exchange-mode auto|main|aggressive;
ike-crypto-profile <value>;
dpd {
enable yes|no;
interval 2-2;
retry 2-2;
}
commit-bit yes|no;
initial-contact yes|no;
}
ikev2 {
enable yes|no;
ike-crypto-profile <value>;
require-cookie yes|no;
send-peer-id yes|no;
}
}
protocol-common {
nat-traversal {
enable yes|no;
keep-alive-interval 2-2;
}
passive-mode yes|no;
}
}
}
crypto-profiles {
ike-crypto-profiles {
REPEAT...
<name> {
encryption [ <encryption1> <encryption2>... ];
hash [ <hash1> <hash2>... ];
dh-group [ <dh-group1> <dh-group2>... ];
lifetime {
seconds 180-180;
OR...
minutes 3-3;
OR...
hours 1-1;
OR...
days 1-1;
}
}
}
ipsec-crypto-profiles {
REPEAT...
<name> {
esp {
encryption [ <encryption1> <encryption2>... ];
authentication [ <authentication1> <authentication2>... ];
}
OR...
ah {
authentication [ <authentication1> <authentication2>... ];
}
dh-group no-pfs|group1|group2|group5|group14;
lifetime {
seconds 180-180;
OR...
minutes 3-3;
OR...
hours 1-1;
OR...
days 1-1;
}
lifesize {
kb 1-1;
OR...
mb 1-1;
OR...
gb 1-1;
OR...
tb 1-1;
}
}
}
}
}
tunnel {
hop {
REPEAT...
<name> {
tunnel-interface <value>;
peer-address {
ip <ip/netmask>;
}
local-address {
interface <value>;
ip <ip/netmask>;
}
}
}
ipsec {
REPEAT...
<name> {
tunnel-interface <value>;
anti-replay yes|no;
copy-tos yes|no;
tunnel-monitor {
enable yes|no;
destination-ip <ip/netmask>;
tunnel-monitor-profile <value>;
}
manual-key {
peer-address {
ip <ip/netmask>;
}
local-address {
interface <value>;
ip <value>;
}
local-spi <value>;
remote-spi <value>;
esp {
encryption {
algorithm 3des|aes128|aes192|aes256|null;
key <value>;
}
authentication {
md5 {
key <value>;
}
OR...
sha1 {
key <value>;
}
OR...
none;
}
}
OR...
ah {
md5 {
key <value>;
}
OR...
sha1 {
key <value>;
}
}
}
OR...
auto-key {
ike-gateway {
REPEAT...
<name> {
as-nexthop <ip/netmask>;
}
}
ipsec-crypto-profile <value>;
proxy-id {
REPEAT...
<name> {
local <ip/netmask>;
remote <ip/netmask>;
protocol {
number 1-1;
OR...
any;
OR...
tcp {
local-port 0-65535;
remote-port 0-65535;
}
OR...
udp {
local-port 0-65535;
remote-port 0-65535;
}
}
}
}
}
}
}
ssl-vpn {
REPEAT...
<name> {
tunnel-interface <value>;
local-address {
interface <value>;
ip <value>;
}
ipsec {
enable yes|no;
server-udp-port 1-1;
}
ssl {
server-port 1-1;
}
http-redirect yes|no;
max-user 1-1;
client {
ip-pool [ <ip-pool1> <ip-pool2>... ];
dns-server [ <dns-server1> <dns-server2>... ];
wins-server [ <wins-server1> <wins-server2>... ];
dns-suffix [ <dns-suffix1> <dns-suffix2>... ];
split-tunneling {
access-route [ <access-route1> <access-route2>... ];
}
}
}
}
}
vlan {
REPEAT...
<name> {
interface [ <interface1> <interface2>... ];
mac {
REPEAT...
<name> {
interface <value>;
}
}
virtual-interface {
interface <value>;
l3-forwarding yes|no;
}
}
}
qos {
profile {
REPEAT...
<name> {
aggregate-bandwidth {
egress-max <float>;
egress-guaranteed <float>;
}
class {
REPEAT...
<name> {
priority real-time|high|medium|low;
class-bandwidth {
egress-max <float>;
egress-guaranteed <float>;
}
round-trip-time 0-65535;
}
}
}
}
interface {
REPEAT...
<name> {
enabled yes|no;
interface-bandwidth {
egress-max <float>;
}
tunnel-traffic {
groups {
REPEAT...
<name> {
members {
REPEAT...
<name> {
qos-profile <value>;
}
}
}
}
default-group {
per-tunnel-qos-profile <value>;
}
bandwidth {
egress-max <float>;
egress-guaranteed <float>;
}
}
regular-traffic {
groups {
REPEAT...
<name> {
members {
REPEAT...
<name> {
qos-profile <value>;
match {
local-address {
interface <value>;
address [ <address1> <address2>... ];
}
}
}
}
}
}
default-group {
qos-profile <value>;
}
bandwidth {
egress-max <float>;
egress-guaranteed <float>;
}
}
}
}
}
spanning-tree {
REPEAT...
<name> {
vlan <value>;
mode rstp|per-vlan-rstp;
port {
REPEAT...
<name> {
priority 0-65535;
cost 0-65535;
link-type auto|edge|point-to-point;
}
}
bridge-priority 0-65535;
port-priority 0-65535;
port-cost 0-65535;
time {
hello-time 1-1;
max-age 6-6;
forward-delay 4-4;
}
}
}
virtual-wire {
REPEAT...
<name> {
interface1 <value>;
interface2 <value>;
tag-allowed <0-65535,...>;
multicast-firewalling {
enable yes|no;
}
link-state-pass-through {
enable yes|no;
}
}
}
virtual-router {
REPEAT...
<name> {
interface [ <interface1> <interface2>... ];
routing-table {
ip {
static-route {
REPEAT...
<name> {
destination <ip/netmask>;
interface <value>;
nexthop {
receive;
OR...
discard;
OR...
ip-address <ip/netmask>;
OR...
tunnel <value>;
}
admin-dist 10-10;
metric 1-1;
option {
passive;
no-install;
}
}
}
}
}
protocol {
redist-profile {
REPEAT...
<name> {
priority 1-1;
filter {
type [ <type1> <type2>... ];
interface [ <interface1> <interface2>... ];
destination [ <destination1> <destination2>... ];
nexthop [ <nexthop1> <nexthop2>... ];
ospf {
path-type [ <path-type1> <path-type2>... ];
area [ <area1> <area2>... ];
tag [ <tag1> <tag2>... ];
}
bgp {
community [ <community1> <community2>... ];
extended-community [ <extended-community1> <extended-community2>... ];
}
}
action {
no-redist;
OR...
redist {
new-metric 1-1;
}
}
}
}
rip {
enable yes|no;
reject-default-route yes|no;
allow-redist-default-route yes|no;
timers {
interval-seconds 1-1;
update-intervals 1-1;
expire-intervals 1-1;
delete-intervals 1-1;
}
auth-profile {
REPEAT...
<name> {
password <value>;
OR...
md5 {
REPEAT...
<name> {
key <value>;
preferred yes|no;
}
}
}
}
interface {
REPEAT...
<name> {
enable yes|no;
default-route {
disable;
OR...
advertise {
metric 1-1;
}
}
authentication <value>;
mode normal|passive|send-only;
}
}
export-rules [ <export-rules1> <export-rules2>... ];
}
ospf {
router-id <ip/netmask>;
enable yes|no;
reject-default-route yes|no;
allow-redist-default-route yes|no;
rfc1583 yes|no;
flood-prevention {
hello {
enable yes|no;
max-packet 1-1;
}
lsa {
enable yes|no;
max-packet 1-1;
}
}
auth-profile {
REPEAT...
<name> {
password <value>;
OR...
md5 {
REPEAT...
<name> {
key <value>;
preferred yes|no;
}
}
}
}
area {
REPEAT...
<name> {
type {
normal;
OR...
stub {
accept-summary yes|no;
default-route {
disable;
OR...
advertise {
metric 1-1;
}
}
}
OR...
nssa {
accept-summary yes|no;
default-route {
disable;
OR...
advertise {
metric 1-1;
type ext-1|ext-2;
}
}
nssa-ext-range {
REPEAT...
<name> {
advertise;
OR...
suppress;
}
}
}
}
range {
REPEAT...
<name> {
advertise;
OR...
suppress;
}
}
interface {
REPEAT...
<name> {
enable yes|no;
passive yes|no;
link-type {
broadcast;
OR...
p2p;
OR...
p2mp;
}
metric 1-1;
priority 0-65535;
hello-interval 0-65535;
dead-counts 3-3;
retransmit-interval 1-1;
transit-delay 1-1;
authentication <value>;
neighbor {
REPEAT...
<name> {
metric 1-1;
}
}
}
}
virtual-link {
REPEAT...
<name> {
neighbor-id <ip/netmask>;
transit-area-id <value>;
enable yes|no;
hello-interval 0-65535;
dead-counts 3-3;
retransmit-interval 1-1;
transit-delay 1-1;
passive yes|no;
authentication <value>;
}
}
}
}
export-rules {
REPEAT...
<name> {
new-path-type ext-1|ext-2;
new-tag 1-1<ip/netmask>;
}
}
}
bgp {
enable yes|no;
router-id <ip/netmask>;
reject-default-route yes|no;
allow-redist-default-route yes|no;
install-route yes|no;
local-as 1-1;
routing-options {
as-format 2-byte|4-byte;
med {
always-compare-med yes|no;
deterministic-med-comparison yes|no;
}
default-local-preference 0-65535;
outbound-route-filter {
enable yes|no;
max-received-entries 0-65535;
cisco-prefix-mode yes|no;
}
graceful-restart {
enable yes|no;
stale-route-time 1-1;
local-restart-time 1-1;
max-peer-restart-time 1-1;
}
reflector-cluster-id <ip/netmask>;
confederation-member-as 1-1;
aggregate {
aggregate-med yes|no;
}
}
auth-profile {
REPEAT...
<name> {
secret <value>;
}
}
dampening-profile {
REPEAT...
<name> {
enable yes|no;
cutoff <float>;
reuse <float>;
max-hold-time 1-1;
decay-half-life-reachable 1-1;
decay-half-life-unreachable 1-1;
}
}
peer-group {
REPEAT...
<name> {
enable yes|no;
aggregated-confed-as-path yes|no;
soft-reset-with-stored-info yes|no;
type {
ibgp {
export-nexthop original|use-self;
}
OR...
ebgp-confed {
export-nexthop original|use-self;
}
OR...
ibgp-confed {
export-nexthop original|use-self;
}
OR...
ebgp {
import-nexthop original|use-peer;
export-nexthop resolve|use-self;
remove-private-as yes|no;
}
}
peer {
REPEAT...
<name> {
enable yes|no;
local-address {
interface <value>;
ip <value>;
}
peer-address {
ip <ip/netmask>;
}
peer-as 1-1;
connection-options {
multihop 0-65535;
hold-time 3-3;
keep-alive-interval 1-1;
open-delay-time 0-65535;
idle-hold-time 1-1;
incoming-bgp-connection {
remote-port 0-65535;
allow yes|no;
}
outgoing-bgp-connection {
local-port 0-65535;
allow yes|no;
}
authentication <value>;
}
reflector-client non-client|client|meshed-client;
peering-type bilateral|unspecified;
aggregated-confed-as-path yes|no;
max-prefixes 1-1;
max-orf-entries 1-1;
soft-reset-with-stored-info yes|no;
}
}
}
}
policy {
import {
rules {
REPEAT...
<name> {
enable yes|no;
used-by [ <used-by1> <used-by2>... ];
match {
afi ip|ipv6;
safi ip|ipv6;
address-prefix {
REPEAT...
<name> {
exact yes|no;
}
}
nexthop [ <nexthop1> <nexthop2>... ];
from-peer [ <from-peer1> <from-peer2>... ];
med 0-65535;
as-path {
regex <value>;
}
community {
regex <value>;
}
extended-community {
regex <value>;
}
}
action {
deny;
OR...
allow {
dampening <value>;
update {
local-preference 0-65535;
med 0-65535;
weight 0-65535;
nexthop <ip/netmask>;
origin igp|egp|incomplete;
as-path-limit 1-1;
as-path {
none;
OR...
remove;
OR...
prepend 1-1;
OR...
remove-and-prepend 1-1;
}
community {
none;
OR...
remove-all;
OR...
remove-regex <value>;
OR...
append [ <append1> <append2>... ];
OR...
overwrite [ <overwrite1> <overwrite2>... ];
}
extended-community {
none;
OR...
remove-all;
OR...
remove-regex <value>;
OR...
append [ <append1> <append2>... ];
OR...
overwrite [ <overwrite1> <overwrite2>... ];
}
}
}
}
}
}
}
export {
rules {
REPEAT...
<name> {
enable yes|no;
used-by [ <used-by1> <used-by2>... ];
match {
afi ip|ipv6;
safi ip|ipv6;
address-prefix {
REPEAT...
<name> {
exact yes|no;
}
}
nexthop [ <nexthop1> <nexthop2>... ];
from-peer [ <from-peer1> <from-peer2>... ];
med 0-65535;
as-path {
regex <value>;
}
community {
regex <value>;
}
extended-community {
regex <value>;
}
}
action {
deny;
OR...
allow {
update {
local-preference 0-65535;
med 0-65535;
nexthop <ip/netmask>;
origin igp|egp|incomplete;
as-path-limit 1-1;
as-path {
none;
OR...
remove;
OR...
prepend 1-1;
OR...
remove-and-prepend 1-1;
}
community {
none;
OR...
remove-all;
OR...
remove-regex <value>;
OR...
append [ <append1> <append2>... ];
OR...
overwrite [ <overwrite1> <overwrite2>... ];
}
extended-community {
none;
OR...
remove-all;
OR...
remove-regex <value>;
OR...
append [ <append1> <append2>... ];
OR...
overwrite [ <overwrite1> <overwrite2>... ];
}
}
}
}
}
}
}
conditional-advertisement {
policy {
REPEAT...
<name> {
enable yes|no;
used-by [ <used-by1> <used-by2>... ];
non-exist-filters {
REPEAT...
<name> {
enable yes|no;
match {
afi ip|ipv6;
safi ip|ipv6;
address-prefix {
REPEAT...
<name> {
exact yes|no;
}
}
nexthop [ <nexthop1> <nexthop2>... ];
from-peer [ <from-peer1> <from-peer2>... ];
med 0-65535;
as-path {
regex <value>;
}
community {
regex <value>;
}
extended-community {
regex <value>;
}
}
}
}
advertise-filters {
REPEAT...
<name> {
enable yes|no;
match {
afi ip|ipv6;
safi ip|ipv6;
address-prefix {
REPEAT...
<name> {
exact yes|no;
}
}
nexthop [ <nexthop1> <nexthop2>... ];
from-peer [ <from-peer1> <from-peer2>... ];
med 0-65535;
as-path {
regex <value>;
}
community {
regex <value>;
}
extended-community {
regex <value>;
}
}
}
}
}
}
}
aggregation {
address {
REPEAT...
<name> {
prefix <ip/netmask>;
enable yes|no;
summary yes|no;
as-set yes|no;
aggregate-route-attributes {
local-preference 0-65535;
med 0-65535;
weight 0-65535;
nexthop <ip/netmask>;
origin igp|egp|incomplete;
as-path-limit 1-1;
as-path {
none;
OR...
remove;
OR...
prepend 1-1;
OR...
remove-and-prepend 1-1;
}
community {
none;
OR...
remove-all;
OR...
remove-regex <value>;
OR...
append [ <append1> <append2>... ];
OR...
overwrite [ <overwrite1> <overwrite2>... ];
}
extended-community {
none;
OR...
remove-all;
OR...
remove-regex <value>;
OR...
append [ <append1> <append2>... ];
OR...
overwrite [ <overwrite1> <overwrite2>... ];
}
}
suppress-filters {
REPEAT...
<name> {
enable yes|no;
match {
afi ip|ipv6;
safi ip|ipv6;
address-prefix {
REPEAT...
<name> {
exact yes|no;
}
}
nexthop [ <nexthop1> <nexthop2>... ];
from-peer [ <from-peer1> <from-peer2>... ];
med 0-65535;
as-path {
regex <value>;
}
community {
regex <value>;
}
extended-community {
regex <value>;
}
}
}
}
advertise-filters {
REPEAT...
<name> {
enable yes|no;
match {
afi ip|ipv6;
safi ip|ipv6;
address-prefix {
REPEAT...
<name> {
exact yes|no;
}
}
nexthop [ <nexthop1> <nexthop2>... ];
from-peer [ <from-peer1> <from-peer2>... ];
med 0-65535;
as-path {
regex <value>;
}
community {
regex <value>;
}
extended-community {
regex <value>;
}
}
}
}
}
}
}
}
redist-rules {
REPEAT...
<name> {
enable yes|no;
set-origin igp|egp|incomplete;
set-med 0-65535;
set-local-preference 0-65535;
set-as-path-limit 1-1;
set-community [ <set-community1> <set-community2>... ];
set-extended-community [ <set-extended-community1> <set-extended-community2>... ];
}
}
}
}
admin-dists {
static 10-10;
ospf-int 10-10;
ospf-ext 10-10;
ibgp 10-10;
ebgp 10-10;
rip 10-10;
}
}
}
dns-proxy {
REPEAT...
<name> {
enabled yes|no;
interface [ <interface1> <interface2>... ];
domain-servers {
REPEAT...
<name> {
cacheable yes|no;
domain-name [ <domain-name1> <domain-name2>... ];
name-servers [ <name-servers1> <name-servers2>... ];
}
}
cache {
enabled yes|no;
size 1024-1024;
timeout 4-4;
}
static-entries {
REPEAT...
<name> {
domain <value>;
address [ <address1> <address2>... ];
}
}
tcp-queries {
enabled yes|no;
max-pending-requests 1024-1024;
}
udp-queries {
retries {
interval 1-1;
attempts 1-1;
}
}
}
}
dhcp {
interface {
REPEAT...
<name> {
server {
mode enabled|disabled|auto;
probe-ip yes|no;
option {
lease {
unlimited;
OR...
timeout 0-65535;
}
dns [ <dns1> <dns2>... ];
wins [ <wins1> <wins2>... ];
nis [ <nis1> <nis2>... ];
ntp [ <ntp1> <ntp2>... ];
gateway <ip/netmask>;
pop3-server <ip/netmask>;
smtp-server <ip/netmask>;
dns-suffix <value>;
}
ip-pool [ <ip-pool1> <ip-pool2>... ];
reserved {
REPEAT...
<name> {
mac <value>;
}
}
}
OR...
relay {
enabled yes|no;
server [ <server1> <server2>... ];
}
}
}
}
shared-gateway {
REPEAT...
<name> {
display-name <value>;
import {
network {
facility LOG_USER|LOG_LOCAL0|LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|LOG_LOCAL5|LOG_LOCAL6|LOG_LOCAL7;
}
}
}
}
email {
REPEAT...
<name> {
server {
REPEAT...
<name> {
display-name <value>;
from <value>;
to <value>;
and-also-to <value>;
gateway <value>;
}
}
}
}
profiles {
REPEAT...
<name> {
alarm {
informational {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
low {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
medium {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
high {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
critical {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
}
traffic {
any {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
}
}
}
}
rulebase {
nat {
rules {
REPEAT...
<name> {
from [ <from1> <from2>... ];
to [ <to1> <to2>... ];
to-interface <value>;
source [ <source1> <source2>... ];
destination [ <destination1> <destination2>... ];
service <value>;
source-translation {
dynamic-ip-and-port {
translated-address [ <translated-address1> <translated-address2>... ];
OR...
interface-address {
interface <value>;
ip <value>;
}
}
OR...
dynamic-ip {
translated-address <value><ip/netmask><ip-range>;
}
OR...
static-ip {
translated-address <value><ip/netmask><ip-range>;
bi-directional yes|no;
}
}
destination-translation {
translated-address <value><ip/netmask><ip-range>;
translated-port 1-1;
}
disabled yes|no;
description <value>;
}
}
}
pbf {
rules {
REPEAT...
<name> {
from {
zone [ <zone1> <zone2>... ];
OR...
interface [ <interface1> <interface2>... ];
}
source [ <source1> <source2>... ];
destination [ <destination1> <destination2>... ];
source-user [ <source-user1> <source-user2>... ];
service [ <service1> <service2>... ];
application [ <application1> <application2>... ];
action {
forward {
egress-interface <value>;
nexthop {
ip-address <ip/netmask>;
}
monitor {
profile <value>;
disable-if-unreachable yes|no;
ip-address <ip/netmask>;
}
}
OR...
discard;
OR...
no-pbf;
}
schedule <value>;
disabled yes|no;
description <value>;
negate-source yes|no;
negate-destination yes|no;
}
}
}
}
service {
REPEAT...
<name> {
protocol {
tcp {
port <0-65535,...>;
}
OR...
udp {
port <0-65535,...>;
}
}
}
}
service-group {
REPEAT...
<name> [ <entry1> <entry2>... ];
}
}
}
}
predefined {
signature {
REPEAT...
<name> {
application <value>;
protocol <value>;
description <value>;
dynamic yes|no;
rules {
REPEAT...
<name> {
direction client-to-server|server-to-client|any;
match {
string {
pattern <value>;
encrypt yes|no;
ignore-case yes|no;
offset 0-65535;
depth 0-65535;
per-packet-match yes|no;
payload-length-validate {
byte-offset 0-65535;
discount 0-65535;
number-of-bytes 1|2|3|4;
endian little|big;
}
source-port-validate {
byte-offset 0-65535;
endian little|big;
}
}
header {
source-ip <value>;
destination-ip <value>;
source-port <value>;
destination-port <value>;
l3-payload-length <value>;
l4-payload-length <value>;
packet-sequence <value>;
}
}
}
}
rule-match match-in-order|match-all|match-any;
}
}
application-type {
REPEAT...
category {
<name> {
description <value>;
}
}
technology {
<name> {
description <value>;
}
}
}
url-categories {
REPEAT...
<name> {
malware yes|no;
description <value>;
}
}
sig-default {
default-parent-app <value>;
}
private-application {
REPEAT...
<name> {
correlate {
key-by [ <key-by1> <key-by2>... ];
rule-match match-all|match-any;
interval 1-1;
rules {
REPEAT...
entry {
protocol tcp|udp;
interval 1-1;
threshold 1-1;
track-by [ <track-by1> <track-by2>... ];
}
}
}
default {
port [ <port1> <port2>... ];
OR...
ident-by-ip-protocol <0-65535,...>;
OR...
ident-by-icmp-type <0-65535,...>;
OR...
ident-by-icmp6-type <0-65535,...>;
}
tunnel-applications [ <tunnel-applications1> <tunnel-applications2>... ];
deny-action drop|drop-reset;
use-applications [ <use-applications1> <use-applications2>... ];
application-container [ <application-container1> <application-container2>... ];
alg yes|no;
appident yes|no;
virus-ident yes|no;
spyware-ident yes|no;
child <value>;
decode <value>;
threat-id <1-1,...>;
per-direction-regex yes|no;
enable-ssl-decryption yes|no;
enable-source-cache yes|no;
preemptive yes|no;
ident-by-sport yes|no;
ident-by-dport yes|no;
ident-by-sport-potential yes|no;
ident-by-dport-potential yes|no;
source-cache-timeout 0-65535;
source-cache-threshold 0-65535;
risk 1-1;
type <value>;
category <value>;
description <value>;
timeout 0-65535;
tcp-timeout 0-65535;
udp-timeout 0-65535;
discard-timeout 0-65535;
tcp-discard-timeout 0-65535;
udp-discard-timeout 0-65535;
evasive-behavior yes|no;
consume-big-bandwidth yes|no;
carry-malware yes|no;
used-by-malware yes|no;
able-to-transfer-file yes|no;
has-known-vulnerability yes|no;
tunnel-other-application yes|no;
report-as <value>;
prone-to-misuse yes|no;
pervasive-use yes|no;
references {
REPEAT...
<name> {
link <value>;
}
}
reference <value>;
}
}
application {
REPEAT...
<name> {
correlate {
key-by [ <key-by1> <key-by2>... ];
rule-match match-all|match-any;
interval 1-1;
rules {
REPEAT...
entry {
protocol tcp|udp;
interval 1-1;
threshold 1-1;
track-by [ <track-by1> <track-by2>... ];
}
}
}
default {
port [ <port1> <port2>... ];
OR...
ident-by-ip-protocol <0-65535,...>;
OR...
ident-by-icmp-type <0-65535,...>;
OR...
ident-by-icmp6-type <0-65535,...>;
}
tunnel-applications [ <tunnel-applications1> <tunnel-applications2>... ];
deny-action drop|drop-reset;
references {
REPEAT...
<name> {
link <value>;
}
}
functions [ <functions1> <functions2>... ];
}
}
profiles {
virus {
REPEAT...
<name> {
description <value>;
decoder {
REPEAT...
<name> {
action default|allow|alert|block;
}
}
application {
REPEAT...
<name> {
action default|allow|alert|block;
}
}
}
}
spyware {
REPEAT...
<name> {
description <value>;
phone-home-detection {
simple {
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
OR...
custom {
REPEAT...
<name> {
packet-capture yes|no;
action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
}
}
}
}
}
vulnerability {
REPEAT...
<name> {
description <value>;
simple {
client {
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
server {
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
}
OR...
custom {
REPEAT...
<name> {
packet-capture yes|no;
action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
}
}
}
}
url-filtering {
REPEAT...
<name> {
description <value>;
dynamic-url yes|no;
license-expired block|allow;
action block|continue|override|alert|allow;
block-list [ <block-list1> <block-list2>... ];
allow-list [ <allow-list1> <allow-list2>... ];
allow [ <allow1> <allow2>... ];
alert [ <alert1> <alert2>... ];
block [ <block1> <block2>... ];
continue [ <continue1> <continue2>... ];
override [ <override1> <override2>... ];
}
}
}
profile-group {
REPEAT...
<name> {
virus [ <virus1> <virus2>... ];
spyware [ <spyware1> <spyware2>... ];
vulnerability [ <vulnerability1> <vulnerability2>... ];
url-filtering [ <url-filtering1> <url-filtering2>... ];
}
}
service {
REPEAT...
<name> {
protocol {
any;
OR...
tcp {
port <0-65535,...>;
}
OR...
udp {
port <0-65535,...>;
}
OR...
ip {
ip-protocol <0-65535,...>;
}
}
}
}
service-group {
REPEAT...
<name> [ <entry1> <entry2>... ];
}
reports {
REPEAT...
<name> {
disabled yes|no;
query <value>;
caption <value>;
frequency daily|weekly;
start-time <value>;
end-time <value>;
delta 1-1;
period last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendar-week|last-30-days;
topn 1-1;
topm 1-1;
type {
appstat {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by category-of-name|name|risk|subcategory-of-name|technology-of-name|container-of-name|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby nbytes|npkts|nsess|nthreats;
}
OR...
threat {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by action|app|category|category-of-app|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby repeatcnt;
}
OR...
thsum {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by app|category-of-app|dst|dstuser|risk-of-app|rule|severity-of-threatid|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-of-app|threatid|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby count;
}
OR...
traffic {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by action|app|category|category-of-app|dport|dst|dstuser|flags|from|inbound_if|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|sport|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby bytes|elapsed|packets|repeatcnt;
}
OR...
trsum {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by app|category|category-of-app|dst|dstuser|from|risk-of-app|rule|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby bytes|sessions;
}
}
}
}
threats {
phone-home {
REPEAT...
<name> {
category <value>;
severity critical|high|medium|low|informational;
host client|server;
app <value>;
}
}
vulnerability {
REPEAT...
<name> {
category code-execution|overflow|sql-injection|info-leak|email-worm|net-worm|adware|keylogger|datatheft|phishing|spam|botnet|rootkit|trojan|backdoor|virus|email-flooder|spamtool|hacktool|dos|suspicious|other-malware|user-defined;
severity critical|high|medium|low|informational;
affected-host {
client yes|no;
server yes|no;
}
}
}
}
ssl-exclude-cert [ <ssl-exclude-cert1> <ssl-exclude-cert2>... ];
}
shared {
local-user-database {
user {
REPEAT...
<name> {
phash <value>;
disabled yes|no;
}
}
user-group {
REPEAT...
<name> {
user [ <user1> <user2>... ];
}
}
}
authentication-profile {
REPEAT...
<name> {
non-admin-authentication yes|no;
lockout {
failed-attempts 1-1;
failed-attempts 0-65535;
lockout-time 0-65535;
}
allow-list [ <allow-list1> <allow-list2>... ];
method {
acl;
OR...
local-database;
OR...
radius {
server-profile <value>;
}
OR...
ldap {
server-profile <value>;
login-attribute <value>;
}
}
}
}
client-certificate-profile {
REPEAT...
<name> {
username-field {
subject common-name;
OR...
subject-alt email|principal-name;
}
domain <value>;
CA {
REPEAT...
<name> {
default-ocsp-url <value>;
ocsp-verify-ca <value>;
}
}
use-crl yes|no;
use-ocsp yes|no;
crl-receive-timeout 1-1;
ocsp-receive-timeout 1-1;
cert-status-timeout 0-65535;
block-unknown-cert yes|no;
block-timeout-cert yes|no;
}
}
override {
application {
REPEAT...
<name> {
timeout 0-65535;
tcp-timeout 0-65535;
udp-timeout 0-65535;
risk 1-1;
}
}
}
signature {
REPEAT...
<name> {
engine-version <value>;
application <value>;
protocol <value>;
rules {
REPEAT...
<name> {
direction client-to-server|server-to-client|any;
match {
string {
pattern <value>;
ignore-case yes|no;
offset 0-65535;
depth 0-65535;
per-packet-match yes|no;
payload-length-validate {
byte-offset 0-65535;
discount 1-1;
number-of-bytes 1|2|4;
endian little|big;
}
}
OR...
header {
source-ip <value>;
destination-ip <value>;
source-port <value>;
destination-port <value>;
l3-payload-length <value>;
l4-payload-length <value>;
}
}
}
rule-match match-in-order|match-all|match-any;
}
}
}
cert {
REPEAT...
<name> {
vsys <value>;
common-name <value>;
expires <value>;
}
}
cacert {
REPEAT...
<name> {
vsys <value>;
common-name <value>;
expires <value>;
}
}
caccacert {
REPEAT...
<name> {
vsys <value>;
common-name <value>;
expires <value>;
}
}
cacverifyca {
REPEAT...
<name> {
vsys <value>;
common-name <value>;
expires <value>;
}
}
importcert {
REPEAT...
<name> {
vsys <value>;
common-name <value>;
expires <value>;
}
}
allowed-applications {
enable-all {
except [ <except1> <except2>... ];
}
OR...
disable-all {
except [ <except1> <except2>... ];
}
}
address {
REPEAT...
<name> {
ip-netmask <ip/netmask>;
OR...
ip-range <ip-range>;
}
}
address-group {
REPEAT...
<name> [ <entry1> <entry2>... ];
}
threats {
vulnerability {
REPEAT...
<name> {
threatname <value>;
affected-host {
client yes|no;
server yes|no;
}
comment <value>;
severity <value>;
direction <value>;
default-action alert|reset-client|reset-server|reset-both|drop-packets;
cve [ <cve1> <cve2>... ];
bugtraq [ <bugtraq1> <bugtraq2>... ];
vendor [ <vendor1> <vendor2>... ];
reference [ <reference1> <reference2>... ];
signature {
REPEAT...
<name> {
comment <value>;
scope protocol-data-unit|session;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
operator {
less-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
equal-to {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
greater-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
}
spyware {
REPEAT...
<name> {
threatname <value>;
comment <value>;
severity <value>;
direction <value>;
default-action alert|reset-client|reset-server|reset-both|drop-packets;
cve [ <cve1> <cve2>... ];
bugtraq [ <bugtraq1> <bugtraq2>... ];
vendor [ <vendor1> <vendor2>... ];
reference [ <reference1> <reference2>... ];
signature {
REPEAT...
<name> {
comment <value>;
scope protocol-data-unit|session;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
operator {
less-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
equal-to {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
greater-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
}
}
application {
REPEAT...
<name> {
default {
port [ <port1> <port2>... ];
OR...
ident-by-ip-protocol <0-65535,...>;
OR...
ident-by-icmp-type <0-65535,...>;
OR...
ident-by-icmp6-type <0-65535,...>;
}
category <value>;
subcategory <value>;
technology <value>;
description <value>;
timeout 0-65535;
tcp-timeout 0-65535;
udp-timeout 0-65535;
risk 1-1;
evasive-behavior yes|no;
consume-big-bandwidth yes|no;
used-by-malware yes|no;
able-to-transfer-file yes|no;
has-known-vulnerability yes|no;
tunnel-other-application yes|no;
tunnel-applications yes|no;
prone-to-misuse yes|no;
pervasive-use yes|no;
file-type-ident yes|no;
virus-ident yes|no;
spyware-ident yes|no;
data-ident yes|no;
parent-app <value>;
signature {
REPEAT...
<name> {
comment <value>;
scope protocol-data-unit|session;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
application-filter {
REPEAT...
<name> {
category [ <category1> <category2>... ];
subcategory [ <subcategory1> <subcategory2>... ];
technology [ <technology1> <technology2>... ];
evasive yes;
excessive-bandwidth-use yes;
used-by-malware yes;
transfers-files yes;
has-known-vulnerabilities yes;
tunnels-other-apps yes;
prone-to-misuse yes;
pervasive yes;
risk [ <risk1> <risk2>... ];
}
}
application-group {
REPEAT...
<name> [ <entry1> <entry2>... ];
}
service {
REPEAT...
<name> {
protocol {
tcp {
port <0-65535,...>;
}
OR...
udp {
port <0-65535,...>;
}
}
}
}
service-group {
REPEAT...
<name> [ <entry1> <entry2>... ];
}
server-profile {
ldap {
REPEAT...
<name> {
non-admin-use yes|no;
server {
REPEAT...
<name> {
address <ip/netmask><value>;
port 1-1;
}
}
ssl yes|no;
base <value>;
bind-dn <value>;
bind-password <value>;
timelimit 1-1;
bind-timelimit 1-1;
retry-interval 1-1;
}
}
radius {
REPEAT...
<name> {
non-admin-use yes|no;
domain <value>;
timeout 1-1;
retries 1-1;
checkgroup yes|no;
server {
REPEAT...
<name> {
ip-address <ip/netmask>;
port 0-65535;
secret <value>;
}
}
}
}
}
log-settings {
snmptrap {
REPEAT...
<name> {
server {
REPEAT...
<name> {
manager <value>;
community <value>;
}
}
}
}
syslog {
REPEAT...
<name> {
server {
REPEAT...
<name> {
server <value>;
port 1-1;
facility LOG_USER|LOG_LOCAL0|LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|LOG_LOCAL5|LOG_LOCAL6|LOG_LOCAL7;
}
}
}
}
email {
REPEAT...
<name> {
server {
REPEAT...
<name> {
display-name <value>;
from <value>;
to <value>;
and-also-to <value>;
gateway <value>;
}
}
}
}
system {
informational {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
low {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
medium {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
high {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
critical {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
}
config {
any {
send-to-panorama yes|no;
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
}
profiles {
REPEAT...
<name> {
alarm {
informational {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
low {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
medium {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
high {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
critical {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
}
traffic {
any {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
}
}
}
}
profiles {
virus {
REPEAT...
<name> {
description <value>;
packet-capture yes|no;
decoder {
REPEAT...
<name> {
action default|allow|alert|block;
}
}
application {
REPEAT...
<name> {
action default|allow|alert|block;
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
spyware {
REPEAT...
<name> {
description <value>;
phone-home-detection {
simple {
packet-capture yes|no;
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
OR...
custom {
REPEAT...
<name> {
packet-capture yes|no;
action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
}
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
vulnerability {
REPEAT...
<name> {
description <value>;
simple {
packet-capture yes|no;
client {
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
server {
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
}
OR...
custom {
REPEAT...
<name> {
packet-capture yes|no;
action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
url-filtering {
REPEAT...
<name> {
description <value>;
dynamic-url yes|no;
license-expired block|allow;
action block|continue|override|alert|allow;
block-list [ <block-list1> <block-list2>... ];
allow-list [ <allow-list1> <allow-list2>... ];
allow [ <allow1> <allow2>... ];
alert [ <alert1> <alert2>... ];
block [ <block1> <block2>... ];
continue [ <continue1> <continue2>... ];
override [ <override1> <override2>... ];
}
}
file-blocking {
REPEAT...
<name> {
description <value>;
rules {
REPEAT...
<name> {
application [ <application1> <application2>... ];
file-type [ <file-type1> <file-type2>... ];
direction upload|download|both;
action alert|block;
}
}
}
}
custom-url-category {
REPEAT...
<name> {
description <value>;
list [ <list1> <list2>... ];
}
}
data-objects {
REPEAT...
<name> {
description <value>;
credit-card-numbers {
weight 0-65535;
}
social-security-numbers {
weight 0-65535;
}
social-security-numbers-without-dash {
weight 0-65535;
}
pattern {
REPEAT...
<name> {
regex <value>;
weight 0-65535;
}
}
}
}
data-filtering {
REPEAT...
<name> {
description <value>;
data-capture yes|no;
rules {
REPEAT...
<name> {
data-object <value>;
application [ <application1> <application2>... ];
file-type [ <file-type1> <file-type2>... ];
direction upload|download|both;
alert-threshold 0-65535;
block-threshold 0-65535;
}
}
}
}
}
admin-role {
REPEAT...
<name> {
description <value>;
role {
device {
webui {
dashboard enable|disable;
acc enable|disable;
monitor {
logs {
traffic enable|disable;
threat enable|disable;
url enable|disable;
configuration enable|disable;
system enable|disable;
data-filtering enable|disable;
}
app-scope enable|disable;
session-browser enable|disable;
pdf-reports {
manage-pdf-summary enable|disable;
pdf-summary-reports enable|disable;
user-activity-report enable|disable;
report-groups enable|disable;
email-scheduler enable|disable;
}
custom-reports {
application-statistics enable|disable;
data-filtering-log enable|disable;
threat-log enable|disable;
threat-summary enable|disable;
traffic-log enable|disable;
traffic-summary enable|disable;
url-log enable|disable;
}
view-custom-reports enable|disable;
application-reports enable|disable;
threat-reports enable|disable;
url-filtering-reports enable|disable;
traffic-reports enable|disable;
}
policies {
security-rulebase enable|read-only|disable;
nat-rulebase enable|read-only|disable;
ssl-decryption-rulebase enable|read-only|disable;
application-override-rulebase enable|read-only|disable;
captive-portal-rulebase enable|read-only|disable;
qos-rulebase enable|read-only|disable;
pbf-rulebase enable|read-only|disable;
}
objects {
addresses enable|read-only|disable;
address-groups enable|read-only|disable;
applications enable|read-only|disable;
application-groups enable|read-only|disable;
application-filters enable|read-only|disable;
services enable|read-only|disable;
service-groups enable|read-only|disable;
custom-url-category enable|read-only|disable;
custom-signatures {
data-patterns enable|read-only|disable;
spyware enable|read-only|disable;
vulnerability enable|read-only|disable;
}
security-profiles {
antivirus enable|read-only|disable;
anti-spyware enable|read-only|disable;
vulnerability-protection enable|read-only|disable;
url-filtering enable|read-only|disable;
file-blocking enable|read-only|disable;
data-filtering enable|read-only|disable;
}
security-profile-groups enable|read-only|disable;
log-forwarding enable|read-only|disable;
schedules enable|read-only|disable;
}
network {
interfaces enable|read-only|disable;
zones enable|read-only|disable;
vlans enable|read-only|disable;
virtual-wires enable|read-only|disable;
virtual-routers enable|read-only|disable;
ipsec-tunnels enable|read-only|disable;
dhcp enable|read-only|disable;
ssl-vpn enable|read-only|disable;
qos enable|read-only|disable;
network-profiles {
ike-gateways enable|read-only|disable;
ipsec-crypto enable|read-only|disable;
ike-crypto enable|read-only|disable;
tunnel-monitor enable|read-only|disable;
interface-mgmt enable|read-only|disable;
zone-protection enable|read-only|disable;
qos-profile enable|read-only|disable;
}
}
device {
setup enable|read-only|disable;
config-audit enable|disable;
admin-roles enable|read-only|disable;
administrators enable|read-only|disable;
virtual-systems enable|read-only|disable;
shared-gateways enable|read-only|disable;
user-identification enable|read-only|disable;
high-availability enable|read-only|disable;
certificates enable|read-only|disable;
block-pages enable|read-only|disable;
log-settings {
system enable|read-only|disable;
config enable|read-only|disable;
}
server-profile {
snmp-trap enable|read-only|disable;
syslog enable|read-only|disable;
email enable|read-only|disable;
radius enable|read-only|disable;
ldap enable|read-only|disable;
}
local-user-database {
users enable|read-only|disable;
user-groups enable|read-only|disable;
}
authentication-profile enable|read-only|disable;
client-certificate-profile enable|read-only|disable;
access-domain enable|read-only|disable;
scheduled-log-export enable|disable;
software enable|read-only|disable;
ssl-vpn-client enable|read-only|disable;
dynamic-updates enable|read-only|disable;
licenses enable|read-only|disable;
support enable|read-only|disable;
}
privacy {
show-full-ip-addresses enable|disable;
show-user-names-in-logs-and-reports enable|disable;
view-pcap-files enable|disable;
}
commit enable|disable;
}
cli superuser|superreader|deviceadmin|devicereader;
}
OR...
vsys {
webui {
dashboard enable|disable;
acc enable|disable;
monitor {
logs {
traffic enable|disable;
threat enable|disable;
url enable|disable;
data-filtering enable|disable;
}
}
policies {
security-rulebase enable|read-only|disable;
nat-rulebase enable|read-only|disable;
ssl-decryption-rulebase enable|read-only|disable;
application-override-rulebase enable|read-only|disable;
captive-portal-rulebase enable|read-only|disable;
qos-rulebase enable|read-only|disable;
pbf-rulebase enable|read-only|disable;
}
objects {
addresses enable|read-only|disable;
addresse-groups enable|read-only|disable;
applications enable|read-only|disable;
application-groups enable|read-only|disable;
application-filters enable|read-only|disable;
services enable|read-only|disable;
service-groups enable|read-only|disable;
custom-signatures {
data-patterns enable|read-only|disable;
spyware enable|read-only|disable;
vulnerability enable|read-only|disable;
}
security-profiles {
antivirus enable|read-only|disable;
anti-spyware enable|read-only|disable;
vulnerability-protection enable|read-only|disable;
url-filtering enable|read-only|disable;
file-blocking enable|read-only|disable;
data-filtering enable|read-only|disable;
}
security-profile-groups enable|read-only|disable;
log-forwarding enable|read-only|disable;
schedules enable|read-only|disable;
}
network {
zones enable|read-only|disable;
ssl-vpn enable|read-only|disable;
}
device {
setup read-only|disable;
administrators enable|disable;
user-identification read-only|disable;
block-pages enable|read-only|disable;
log-settings {
system read-only|disable;
config read-only|disable;
}
server-profile {
snmp-trap enable|read-only|disable;
syslog enable|read-only|disable;
email enable|read-only|disable;
radius enable|read-only|disable;
ldap enable|read-only|disable;
}
local-user-database {
users enable|read-only|disable;
user-groups enable|read-only|disable;
}
authentication-profile enable|disable;
client-certificate-profile enable|disable;
access-domain enable|disable;
}
privacy {
show-full-ip-addresses enable|disable;
show-user-names-in-logs-and-reports enable|disable;
view-pcap-files enable|disable;
}
commit enable|disable;
}
cli vsysadmin|vsysreader;
}
}
}
}
profile-group {
REPEAT...
<name> {
virus [ <virus1> <virus2>... ];
spyware [ <spyware1> <spyware2>... ];
vulnerability [ <vulnerability1> <vulnerability2>... ];
url-filtering [ <url-filtering1> <url-filtering2>... ];
file-blocking [ <file-blocking1> <file-blocking2>... ];
data-filtering [ <data-filtering1> <data-filtering2>... ];
}
}
schedule {
REPEAT...
<name> {
recurring {
weekly {
sunday [ <sunday1> <sunday2>... ];
monday [ <monday1> <monday2>... ];
tuesday [ <tuesday1> <tuesday2>... ];
wednesday [ <wednesday1> <wednesday2>... ];
thursday [ <thursday1> <thursday2>... ];
friday [ <friday1> <friday2>... ];
saturday [ <saturday1> <saturday2>... ];
}
OR...
daily [ <daily1> <daily2>... ];
}
OR...
non-recurring [ <non-recurring1> <non-recurring2>... ];
}
}
report-group {
REPEAT...
<name> {
title-page yes|no;
predefined user-activity-report;
OR...
custom-widget {
REPEAT...
<name> {
predefined-report <value>;
OR...
custom-report <value>;
OR...
pdf-summary-report <value>;
OR...
log-view <value>;
}
}
variable {
REPEAT...
<name> {
value <value>;
}
}
}
}
email-scheduler {
REPEAT...
<name> {
report-group <value>;
email-profile <value>;
recipient-emails <value>;
recurring {
disabled;
OR...
daily;
OR...
weekly sunday|monday|tuesday|wednesday|thursday|friday|saturday;
}
}
}
pdf-summary-report {
REPEAT...
<name> {
header {
caption <value>;
}
footer {
note <value>;
}
predefined-widget {
REPEAT...
<name> {
chart-type pie|line|bar|table;
row 1-1;
column 1-1;
}
}
custom-widget {
REPEAT...
<name> {
chart-type pie|line|bar|table;
row 1-1;
column 1-1;
}
}
}
}
reports {
REPEAT...
<name> {
disabled yes|no;
query <value>;
caption <value>;
frequency daily|weekly;
start-time <value>;
end-time <value>;
period last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendar-week|last-30-days;
topn 1-1;
topm 1-1;
type {
appstat {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by category-of-name|name|risk|risk-of-name|subcategory-of-name|technology-of-name|container-of-name|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby nbytes|npkts|nsess|nthreats;
}
OR...
threat {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by action|app|category-of-app|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby repeatcnt;
}
OR...
url {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by action|app|category|category-of-app|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby repeatcnt;
}
OR...
data {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by action|app|category-of-app|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby repeatcnt;
}
OR...
thsum {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by app|category-of-app|dst|dstuser|from|risk-of-app|rule|severity-of-threatid|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-of-app|to|threatid|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby count;
}
OR...
traffic {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by action|app|category|category-of-app|dport|dst|dstuser|flags|from|inbound_if|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|sessionid|sport|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby bytes|elapsed|packets|repeatcnt;
}
OR...
trsum {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by app|category|category-of-app|dst|dstuser|from|risk-of-app|rule|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby bytes|sessions;
}
}
}
}
ssl-exclude-cert [ <ssl-exclude-cert1> <ssl-exclude-cert2>... ];
}
vsys {
REPEAT...
<name> {
display-name <value>;
setting {
nat {
reserve-ip yes|no;
reserve-time 1-1;
}
ssl-decrypt {
url-proxy yes|no;
notify-user yes|no;
answer-timeout 1-1;
crl yes|no;
ocsp yes|no;
block-unknown-cert yes|no;
block-timeout-cert yes|no;
cert-status-timeout 0-65535;
}
}
import {
network {
interface [ <interface1> <interface2>... ];
virtual-wire [ <virtual-wire1> <virtual-wire2>... ];
vlan [ <vlan1> <vlan2>... ];
virtual-router [ <virtual-router1> <virtual-router2>... ];
}
resource {
max-sessions 0-65535;
}
visible-vsys [ <visible-vsys1> <visible-vsys2>... ];
}
pan-agent {
REPEAT...
<name> {
ip-address <ip/netmask>;
port 1-1;
link-speed fast|medium|slow;
}
}
ts-agent {
REPEAT...
<name> {
ip-address <ip/netmask>;
port 1-1;
ip-list [ <ip-list1> <ip-list2>... ];
}
}
userid-agent {
REPEAT...
<name> {
ip-address <ip/netmask>;
port 1-1;
disabled yes|no;
}
}
ldap-server {
REPEAT...
<name> {
server-profile <value>;
disabled yes|no;
domain <value>;
group-filter <value>;
user-filter <value>;
update-interval 60-60;
group-object [ <group-object1> <group-object2>... ];
group-member [ <group-member1> <group-member2>... ];
group-name [ <group-name1> <group-name2>... ];
user-object [ <user-object1> <user-object2>... ];
user-name [ <user-name1> <user-name2>... ];
}
}
captive-portal {
enable-captive-portal yes|no;
idle-timer 5-5;
timer 5-5;
server-certificate <value>;
mode {
transparent;
OR...
redirect {
address <ip/netmask><value>;
session-cookie {
enable yes|no;
timeout 60-60;
roaming yes|no;
}
}
}
authentication-profile <value>;
ntlm-auth {
pan-agent <value>;
hostname <value>;
}
}
url-admin-override {
password <value>;
server-certificate <value>;
mode {
transparent;
OR...
redirect {
address <ip/netmask><value>;
}
}
}
ssl-exclude-cert [ <ssl-exclude-cert1> <ssl-exclude-cert2>... ];
local-user-database {
user {
REPEAT...
<name> {
phash <value>;
disabled yes|no;
}
}
user-group {
REPEAT...
<name> {
user [ <user1> <user2>... ];
}
}
}
authentication-profile {
REPEAT...
<name> {
lockout {
failed-attempts 0-65535;
lockout-time 0-65535;
}
allow-list [ <allow-list1> <allow-list2>... ];
method {
acl;
OR...
local-database;
OR...
radius {
server-profile <value>;
}
OR...
ldap {
server-profile <value>;
login-attribute <value>;
}
}
}
}
client-certificate-profile {
REPEAT...
<name> {
username-field {
subject common-name;
OR...
subject-alt email|principal-name;
}
domain <value>;
CA {
REPEAT...
<name> {
default-ocsp-url <value>;
ocsp-verify-ca <value>;
}
}
use-crl yes|no;
use-ocsp yes|no;
crl-receive-timeout 1-1;
ocsp-receive-timeout 1-1;
cert-status-timeout 0-65535;
block-unknown-cert yes|no;
block-timeout-cert yes|no;
}
}
ssl-vpn {
REPEAT...
<name> {
server-certificate <value>;
authentication-profile <value>;
client-certificate-profile <value>;
roles {
REPEAT...
<name> {
client-max-bandwidth {
client-to-gateway <float>;
gateway-to-client <float>;
}
login-lifetime {
minutes 3-3;
OR...
hours 1-1;
OR...
days 1-1;
}
inactivity-logout {
minutes 3-3;
OR...
hours 1-1;
OR...
days 1-1;
}
}
}
}
}
zone {
REPEAT...
<name> {
enable-user-identification yes|no;
dos-profile <value>;
dos-log-setting <value>;
network {
zone-protection-profile <value>;
log-setting <value>;
tap [ <tap1> <tap2>... ];
OR...
virtual-wire [ <virtual-wire1> <virtual-wire2>... ];
OR...
layer2 [ <layer21> <layer22>... ];
OR...
layer3 [ <layer31> <layer32>... ];
OR...
external [ <external1> <external2>... ];
}
user-acl {
expires <value>;
}
}
importcert {
REPEAT...
<name> {
vsys <value>;
common-name <value>;
expires <value>;
}
}
server-profile {
ldap {
REPEAT...
<name> {
server {
REPEAT...
<name> {
address <ip/netmask><value>;
port 1-1;
}
}
ssl yes|no;
disabled yes|no;
base <value>;
bind-dn <value>;
bind-password <value>;
timelimit 1-1;
bind-timelimit 1-1;
retry-interval 1-1;
}
}
radius {
REPEAT...
<name> {
domain <value>;
timeout 1-1;
retries 1-1;
checkgroup yes|no;
server {
REPEAT...
<name> {
ip-address <ip/netmask>;
secret <value>;
port 0-65535;
}
}
}
}
}
log-settings {
snmptrap {
REPEAT...
<name> {
server {
REPEAT...
<name> {
manager <value>;
community <value>;
}
}
}
}
syslog {
REPEAT...
<name> {
server {
REPEAT...
<name> {
server <value>;
port 1-1;
facility LOG_USER|LOG_LOCAL0|LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|LOG_LOCAL5|LOG_LOCAL6|LOG_LOCAL7;
}
}
}
}
email {
REPEAT...
<name> {
server {
REPEAT...
<name> {
display-name <value>;
from <value>;
to <value>;
and-also-to <value>;
gateway <value>;
}
}
}
}
profiles {
REPEAT...
<name> {
alarm {
informational {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
low {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
medium {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
high {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
critical {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
}
traffic {
any {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
}
}
}
}
schedule {
REPEAT...
<name> {
recurring {
weekly {
sunday [ <sunday1> <sunday2>... ];
monday [ <monday1> <monday2>... ];
tuesday [ <tuesday1> <tuesday2>... ];
wednesday [ <wednesday1> <wednesday2>... ];
thursday [ <thursday1> <thursday2>... ];
friday [ <friday1> <friday2>... ];
saturday [ <saturday1> <saturday2>... ];
}
OR...
daily [ <daily1> <daily2>... ];
}
OR...
non-recurring [ <non-recurring1> <non-recurring2>... ];
}
}
rulebase {
security {
rules {
REPEAT...
<name> {
from [ <from1> <from2>... ];
to [ <to1> <to2>... ];
source [ <source1> <source2>... ];
source-user [ <source-user1> <source-user2>... ];
destination [ <destination1> <destination2>... ];
service [ <service1> <service2>... ];
application [ <application1> <application2>... ];
action deny|allow;
option {
disable-server-response-inspection yes|no;
}
log-setting <value>;
schedule <value>;
negate-source yes|no;
negate-destination yes|no;
profile-setting {
profiles {
url-filtering [ <url-filtering1> <url-filtering2>... ];
data-filtering [ <data-filtering1> <data-filtering2>... ];
file-blocking [ <file-blocking1> <file-blocking2>... ];
virus [ <virus1> <virus2>... ];
spyware [ <spyware1> <spyware2>... ];
vulnerability [ <vulnerability1> <vulnerability2>... ];
}
OR...
group [ <group1> <group2>... ];
}
qos {
marking {
ip-dscp <value>;
OR...
ip-precedence <value>;
}
}
disabled yes|no;
log-start yes|no;
log-end yes|no;
description <value>;
}
}
}
nat {
rules {
REPEAT...
<name> {
from [ <from1> <from2>... ];
to [ <to1> <to2>... ];
to-interface <value>;
source [ <source1> <source2>... ];
destination [ <destination1> <destination2>... ];
service <value>;
source-translation {
dynamic-ip-and-port {
translated-address [ <translated-address1> <translated-address2>... ];
OR...
interface-address {
interface <value>;
ip <value>;
}
}
OR...
dynamic-ip {
translated-address <value><ip/netmask><ip-range>;
}
OR...
static-ip {
translated-address <value><ip/netmask><ip-range>;
bi-directional yes|no;
}
}
destination-translation {
translated-address <value><ip/netmask><ip-range>;
translated-port 1-1;
}
disabled yes|no;
description <value>;
}
}
}
qos {
rules {
REPEAT...
<name> {
from [ <from1> <from2>... ];
to [ <to1> <to2>... ];
source [ <source1> <source2>... ];
source-user [ <source-user1> <source-user2>... ];
destination [ <destination1> <destination2>... ];
service [ <service1> <service2>... ];
application [ <application1> <application2>... ];
action {
class 1|2|3|4|5|6|7|8;
}
schedule <value>;
negate-source yes|no;
negate-destination yes|no;
disabled yes|no;
description <value>;
}
}
}
application-override {
rules {
REPEAT...
<name> {
from [ <from1> <from2>... ];
to [ <to1> <to2>... ];
source [ <source1> <source2>... ];
destination [ <destination1> <destination2>... ];
protocol tcp|udp;
port <0-65535,...>;
application <value>;
disabled yes|no;
description <value>;
}
}
}
ssl-decryption {
rules {
REPEAT...
<name> {
from [ <from1> <from2>... ];
to [ <to1> <to2>... ];
source [ <source1> <source2>... ];
<name> {
from [ <from1> <from2>... ];
to [ <to1> <to2>... ];
source [ <source1> <source2>... ];
destination [ <destination1> <destination2>... ];
action captive-portal|no-captive-portal|ntlm-auth;
negate-source yes|no;
negate-destination yes|no;
disabled yes|no;
description <value>;
}
}
}
}
threats {
vulnerability {
REPEAT...
<name> {
threatname <value>;
affected-host {
client yes|no;
server yes|no;
}
comment <value>;
severity <value>;
direction <value>;
default-action alert|reset-client|reset-server|reset-both|drop-packets;
cve [ <cve1> <cve2>... ];
bugtraq [ <bugtraq1> <bugtraq2>... ];
vendor [ <vendor1> <vendor2>... ];
reference [ <reference1> <reference2>... ];
signature {
REPEAT...
<name> {
comment <value>;
scope protocol-data-unit|session;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
operator {
less-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
equal-to {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
greater-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
}
spyware {
REPEAT...
<name> {
threatname <value>;
comment <value>;
severity <value>;
direction <value>;
default-action alert|reset-client|reset-server|reset-both|drop-packets;
cve [ <cve1> <cve2>... ];
bugtraq [ <bugtraq1> <bugtraq2>... ];
vendor [ <vendor1> <vendor2>... ];
reference [ <reference1> <reference2>... ];
signature {
REPEAT...
<name> {
comment <value>;
scope protocol-data-unit|session;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
operator {
less-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
equal-to {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
greater-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
}
}
application {
REPEAT...
<name> {
default {
port [ <port1> <port2>... ];
OR...
ident-by-ip-protocol 0-65535;
OR...
ident-by-icmp-type <0-65535,...>;
OR...
ident-by-icmp6-type <0-65535,...>;
}
category <value>;
subcategory <value>;
technology <value>;
description <value>;
timeout 0-65535;
tcp-timeout 0-65535;
udp-timeout 0-65535;
risk 1-1;
evasive-behavior yes|no;
consume-big-bandwidth yes|no;
used-by-malware yes|no;
able-to-transfer-file yes|no;
has-known-vulnerability yes|no;
tunnel-other-application yes|no;
tunnel-applications yes|no;
prone-to-misuse yes|no;
pervasive-use yes|no;
file-type-ident yes|no;
virus-ident yes|no;
spyware-ident yes|no;
data-ident yes|no;
parent-app <value>;
signature {
REPEAT...
<name> {
comment <value>;
scope protocol-data-unit|session;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
application-filter {
REPEAT...
<name> {
category [ <category1> <category2>... ];
subcategory [ <subcategory1> <subcategory2>... ];
technology [ <technology1> <technology2>... ];
evasive yes;
excessive-bandwidth-use yes;
used-by-malware yes;
transfers-files yes;
has-known-vulnerabilities yes;
tunnels-other-apps yes;
prone-to-misuse yes;
pervasive yes;
risk [ <risk1> <risk2>... ];
}
}
application-group {
REPEAT...
<name> [ <entry1> <entry2>... ];
}
service {
REPEAT...
<name> {
protocol {
tcp {
port <0-65535,...>;
}
OR...
udp {
port <0-65535,...>;
}
}
}
}
service-group {
REPEAT...
<name> [ <entry1> <entry2>... ];
}
profiles {
virus {
REPEAT...
<name> {
description <value>;
packet-capture yes|no;
decoder {
REPEAT...
<name> {
action default|allow|alert|block;
}
}
application {
REPEAT...
<name> {
action default|allow|alert|block;
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
spyware {
REPEAT...
<name> {
description <value>;
phone-home-detection {
simple {
packet-capture yes|no;
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
OR...
custom {
REPEAT...
<name> {
packet-capture yes|no;
action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
}
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
vulnerability {
REPEAT...
<name> {
description <value>;
simple {
packet-capture yes|no;
client {
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
server {
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
}
OR...
custom {
REPEAT...
<name> {
packet-capture yes|no;
action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
url-filtering {
REPEAT...
<name> {
description <value>;
dynamic-url yes|no;
license-expired block|allow;
action block|continue|override|alert|allow;
block-list [ <block-list1> <block-list2>... ];
allow-list [ <allow-list1> <allow-list2>... ];
allow [ <allow1> <allow2>... ];
alert [ <alert1> <alert2>... ];
block [ <block1> <block2>... ];
continue [ <continue1> <continue2>... ];
override [ <override1> <override2>... ];
}
}
file-blocking {
REPEAT...
<name> {
description <value>;
rules {
REPEAT...
<name> {
application [ <application1> <application2>... ];
file-type [ <file-type1> <file-type2>... ];
direction upload|download|both;
action alert|block;
}
}
}
}
custom-url-category {
REPEAT...
<name> {
description <value>;
list [ <list1> <list2>... ];
}
}
data-objects {
REPEAT...
<name> {
description <value>;
credit-card-numbers {
weight 0-65535;
}
social-security-numbers {
weight 0-65535;
}
social-security-numbers-without-dash {
weight 0-65535;
}
pattern {
REPEAT...
<name> {
regex <value>;
weight 0-65535;
}
}
}
}
data-filtering {
REPEAT...
<name> {
description <value>;
data-capture yes|no;
rules {
REPEAT...
<name> {
data-object <value>;
application [ <application1> <application2>... ];
file-type [ <file-type1> <file-type2>... ];
direction upload|download|both;
alert-threshold 0-65535;
block-threshold 0-65535;
}
}
}
}
}
profile-group {
REPEAT...
<name> {
virus [ <virus1> <virus2>... ];
spyware [ <spyware1> <spyware2>... ];
vulnerability [ <vulnerability1> <vulnerability2>... ];
url-filtering [ <url-filtering1> <url-filtering2>... ];
file-blocking [ <file-blocking1> <file-blocking2>... ];
data-filtering [ <data-filtering1> <data-filtering2>... ];
}
}
}
}
Panorama Hierarchy
deviceconfig {
system {
login-banner <value>;
hostname <value>;
domain <value>;
ip-address <ip/netmask>;
netmask <value>;
default-gateway <ip/netmask>;
ipv6-address <ip/netmask>;
ipv6-default-gateway <ip/netmask>;
authentication-profile <value>;
client-certificate-profile <value>;
dns-primary <ip/netmask>;
dns-secondary <ip/netmask>;
panorama-server <ip/netmask>;
ntp-server-1 <value>;
location <value>;
contact <value>;
ntp-server-2 <value>;
update-server <value>;
secure-proxy-server <value>;
secure-proxy-port 1-1;
secure-proxy-user <value>;
secure-proxy-password <value>;
snmp-community-string <value>;
geo-location {
latitude <value>;
longitude <value>;
}
service {
disable-http yes|no;
disable-https yes|no;
disable-telnet yes|no;
disable-ssh yes|no;
disable-icmp yes|no;
disable-snmp yes|no;
}
permitted-ip {
REPEAT...
<name>;
}
update-schedule {
threats {
recurring {
daily {
at <value>;
action download-only|download-and-install;
}
OR...
weekly {
day-of-week sunday|monday|tuesday|wednesday|thursday|friday|saturday;
at <value>;
action download-only|download-and-install;
}
}
}
anti-virus {
recurring {
hourly {
at 0-65535;
action download-only|download-and-install;
}
OR...
daily {
at <value>;
action download-only|download-and-install;
}
OR...
weekly {
day-of-week sunday|monday|tuesday|wednesday|thursday|friday|saturday;
at <value>;
action download-only|download-and-install;
}
threshold 1-1;
sync-to-peer yes|no;
}
}
}
timezone W-SU|CST6CDT|Japan|Portugal|Hongkong|Mideast|Mideast/Riyadh87|Mideast/Riyadh88|Mideast/Riyadh89|Eire|Poland|Factory|GB-Eire|America|America/Port_of_Spain|America/Indiana|America/Indiana/Vevay|America/Indiana/Indianapolis|America/Indiana/Marengo|America/Indiana/Knox|America/St_Johns|America/Grand_Turk|America/Tijuana|America/Toronto|America/Araguaina|America/Virgin|America/El_Salvador|America/Coral_Harbour|America/Jujuy|America/Mexico_City|America/Guyana|America/Cayman|America/Ensenada|America/Fortaleza|America/Iqaluit|America/Boa_Vista|America/Chihuahua|America/Nome|America/Cancun|America/Cayenne|America/Recife|America/Panama|America/Caracas|America/Costa_Rica|America/Cambridge_Bay|America/Martinique|America/Yellowknife|America/Godthab|America/Sao_Paulo|America/Edmonton|America/Fort_Wayne|America/Danmarkshavn|America/Barbados|America/Dawson|America/Thunder_Bay|America/Tegucigalpa|America/Chicago|America/Guadeloupe|America/Grenada|America/Anguilla|America/Kentucky|America/Kentucky/Monticello|America/Kentucky/Louisville|America/Argentina|America/Argentina/Jujuy|America/Argentina/Ushuaia|America/Argentina/Catamarca|America/Argentina/San_Juan|America/Argentina/Mendoza|America/Argentina/La_Rioja|America/Argentina/Buenos_Aires|America/Argentina/Tucuman|America/Argentina/ComodRivadavia|America/Argentina/Cordoba|America/Argentina/Rio_Gallegos|America/Mazatlan|America/Regina|America/Montevideo|America/Catamarca|America/Los_Angeles|America/Campo_Grande|America/Aruba|America/Manaus|America/Knox_IN|America/Rosario|America/St_Lucia|America/Hermosillo|America/Denver|America/Detroit|America/Santiago|America/Shiprock|America/Cuiaba|America/Dominica|America/Porto_Acre|America/Curacao|America/Belize|America/Merida|America/Swift_Current|America/Antigua|America/Adak|America/Indianapolis|America/Belem|America/Miquelon|America/Louisville|America/Bogota|America/New_York|America/Boise|America/Scoresbysund|America/Mendoza|America/Goose_Bay|America/Yakutat|America/Eirunepe|America/Winnipeg|America/Buenos_Aires|America/Menominee|America/Paramaribo|America/Thule|America/Montreal|America/Jamaica|America/Monterrey|America/St_Thomas|America/Rio_Branco|America/Lima|America/Juneau|America/La_Paz|America/Vancouver|America/Rankin_Inlet|America/Puerto_Rico|America/St_Kitts|America/Halifax|America/Guayaquil|America/Inuvik|America/Noronha|America/Nassau|America/Port-au-Prince|America/Guatemala|America/Glace_Bay|America/Nipigon|America/Cordoba|America/Bahia|America/Asuncion|America/Maceio|America/Atka|America/North_Dakota|America/North_Dakota/Center|America/Managua|America/Anchorage|America/Montserrat|America/Tortola|America/Dawson_Creek|America/Santo_Domingo|America/Pangnirtung|America/Whitehorse|America/St_Vincent|America/Porto_Velho|America/Havana|America/Phoenix|America/Rainy_River|Indian|Indian/Christmas|Indian/Reunion|Indian/Comoro|Indian/Cocos|Indian/Mauritius|Indian/Antananarivo|Indian/Mahe|Indian/Mayotte|Indian/Kerguelen|Indian/Chagos|Indian/Maldives|GMT0|Canada|Canada/Yukon|Canada/Saskatchewan|Canada/Central|Canada/Eastern|Canada/East-Saskatchewan|Canada/Atlantic|Canada/Pacific|Canada/Mountain|Canada/Newfoundland|MET|ROK|US|US/Alaska|US/East-Indiana|US/Central|US/Eastern|US/Samoa|US/Arizona|US/Pacific|US/Aleutian|US/Hawaii|US/Mountain|US/Michigan|US/Indiana-Starke|MST|Mexico|Mexico/BajaSur|Mexico/General|Mexico/BajaNorte|EST5EDT|Atlantic|Atlantic/Madeira|Atlantic/Cape_Verde|Atlantic/St_Helena|Atlantic/Stanley|Atlantic/South_Georgia|Atlantic/Jan_Mayen|Atlantic/Azores|Atlantic/Reykjavik|Atlantic/Canary|Atlantic/Faeroe|Atlantic/Bermuda|HST|Antarctica|Antarctica/McMurdo|Antarctica/Davis|Antarctica/South_Pole|Antarctica/Vostok|Antarctica/Rothera|Antarctica/Mawson|Antarctica/DumontDUrville|Antarctica/Palmer|Antarctica/Casey|Antarctica/Syowa|UTC|Iceland|Pacific|Pacific/Honolulu|Pacific/Truk|Pacific/Niue|Pacific/Wake|Pacific/Apia|Pacific/Majuro|Pacific/Norfolk|Pacific/Efate|Pacific/Enderbury|Pacific/Palau|Pacific/Saipan|Pacific/Nauru|Pacific/Kiritimati|Pacific/Tahiti|Pacific/Guam|Pacific/Tongatapu|Pacific/Fiji|Pacific/Rarotonga|Pacific/Samoa|Pacific/Fakaofo|Pacific/Guadalcanal|Pacific/Port_Moresby|Pacific/Midway|Pacific/Galapagos|Pacific/Yap|Pacific/Johnston|Pacific/Marquesas|Pacific/Noumea|Pacific/Auckland|Pacific/Gambier|Pacific/Kwajalein|Pacific/Kosrae|Pacific/Wallis|Pacific/Easter|Pacific/Chatham|Pacific/Funafuti|Pacific/Pago_Pago|Pacific/Tarawa|Pacific/Pitcairn|Pacific/Ponape|EET|EST|Greenwich|GMT|Cuba|Brazil|Brazil/Acre|Brazil/East|Brazil/DeNoronha|Brazil/West|Turkey|Arctic|Arctic/Longyearbyen|NZ-CHAT|Zulu|Israel|Jamaica|Etc|Etc/GMT-14|Etc/GMT+6|Etc/GMT-10|Etc/GMT-2|Etc/GMT-8|Etc/GMT+4|Etc/GMT0|Etc/GMT-12|Etc/GMT+11|Etc/GMT-11|Etc/GMT+12|Etc/UTC|Etc/GMT-3|Etc/Greenwich|Etc/GMT-9|Etc/GMT|Etc/GMT+2|Etc/Zulu|Etc/GMT-4|Etc/GMT+7|Etc/GMT+1|Etc/GMT+8|Etc/GMT-7|Etc/GMT-6|Etc/GMT+10|Etc/GMT-5|Etc/GMT+0|Etc/GMT-1|Etc/GMT+3|Etc/GMT+5|Etc/GMT-13|Etc/UCT|Etc/Universal|Etc/GMT+9|Etc/GMT-0|NZ|Europe|Europe/Vienna|Europe/Athens|Europe/Tiraspol|Europe/Lisbon|Europe/Rome|Europe/Bratislava|Europe/Andorra|Europe/Sofia|Europe/Kaliningrad|Europe/Zurich|Europe/Belfast|Europe/Oslo|Europe/Samara|Europe/Malta|Europe/Chisinau|Europe/Moscow|Europe/Paris|Europe/Minsk|Europe/Zaporozhye|Europe/Amsterdam|Europe/Tallinn|Europe/Uzhgorod|Europe/Brussels|Europe/Vatican|Europe/Vaduz|Europe/San_Marino|Europe/Nicosia|Europe/Berlin|Europe/Vilnius|Europe/Monaco|Europe/Istanbul|Europe/Belgrade|Europe/Stockholm|Europe/Riga|Europe/Madrid|Europe/Gibraltar|Europe/Copenhagen|Europe/Skopje|Europe/Budapest|Europe/Dublin|Europe/Bucharest|Europe/Helsinki|Europe/Prague|Europe/Sarajevo|Europe/London|Europe/Tirane|Europe/Zagreb|Europe/Kiev|Europe/Warsaw|Europe/Ljubljana|Europe/Simferopol|Europe/Mariehamn|Europe/Luxembourg|Singapore|ROC|Kwajalein|Egypt|PST8PDT|GMT+0|Asia|Asia/Kuwait|Asia/Kamchatka|Asia/Thimphu|Asia/Macau|Asia/Gaza|Asia/Thimbu|Asia/
Pyongyang|Asia/Vladivostok|Asia/Katmandu|Asia/Sakhalin|Asia/Muscat|Asia/
Ashkhabad|Asia/Ulan_Bator|Asia/Riyadh|Asia/Riyadh87|Asia/Calcutta|Asia/
Yerevan|Asia/Shanghai|Asia/Baghdad|Asia/Makassar|Asia/Oral|Asia/
Hong_Kong|Asia/Jayapura|Asia/Omsk|Asia/Almaty|Asia/Saigon|Asia/Magadan|Asia/
Chungking|Asia/Hovd|Asia/Brunei|Asia/Novosibirsk|Asia/Dacca|Asia/Qatar|Asia/
Ulaanbaatar|Asia/Krasnoyarsk|Asia/Kuching|Asia/Qyzylorda|Asia/Karachi|Asia/
Anadyr|Asia/Yakutsk|Asia/Seoul|Asia/Choibalsan|Asia/Macao|Asia/
Samarkand|Asia/Yekaterinburg|Asia/Aqtobe|Asia/Riyadh88|Asia/Nicosia|Asia/
288
Pontianak|Asia/Urumqi|Asia/Irkutsk|Asia/Taipei|Asia/Harbin|Asia/
Istanbul|Asia/Colombo|Asia/Tel_Aviv|Asia/Jakarta|Asia/Amman|Asia/
Bahrain|Asia/Tokyo|Asia/Chongqing|Asia/Ashgabat|Asia/Singapore|Asia/
Aqtau|Asia/Baku|Asia/Bishkek|Asia/Dili|Asia/Tbilisi|Asia/Beirut|Asia/
Riyadh89|Asia/Damascus|Asia/Aden|Asia/Dubai|Asia/Manila|Asia/Vientiane|Asia/
Tehran|Asia/Kashgar|Asia/Dushanbe|Asia/Kabul|Asia/Bangkok|Asia/Rangoon|Asia/
Jerusalem|Asia/Dhaka|Asia/Kuala_Lumpur|Asia/Tashkent|Asia/Phnom_Penh|Asia/
Ujung_Pandang|CET|PRC|Africa|Africa/Kinshasa|Africa/Ndjamena|Africa/
Mbabane|Africa/Lagos|Africa/El_Aaiun|Africa/Douala|Africa/Kampala|Africa/
Mogadishu|Africa/Tripoli|Africa/Conakry|Africa/Niamey|Africa/Asmera|Africa/
Khartoum|Africa/Lubumbashi|Africa/Kigali|Africa/Johannesburg|Africa/
Blantyre|Africa/Malabo|Africa/Gaborone|Africa/Lome|Africa/Algiers|Africa/
Addis_Ababa|Africa/Brazzaville|Africa/Dakar|Africa/Nairobi|Africa/
Cairo|Africa/Banjul|Africa/Bamako|Africa/Bissau|Africa/Libreville|Africa/
Sao_Tome|Africa/Casablanca|Africa/Timbuktu|Africa/Nouakchott|Africa/
Freetown|Africa/Monrovia|Africa/Ceuta|Africa/Dar_es_Salaam|Africa/
Lusaka|Africa/Abidjan|Africa/Bujumbura|Africa/Maseru|Africa/Bangui|Africa/
Windhoek|Africa/Accra|Africa/Djibouti|Africa/Ouagadougou|Africa/PortoNovo|Africa/Tunis|Africa/Maputo|Africa/Harare|Africa/
Luanda|UCT|GB|Universal|Australia|Australia/Hobart|Australia/
Lord_Howe|Australia/Perth|Australia/South|Australia/Yancowinna|Australia/
Currie|Australia/Tasmania|Australia/Queensland|Australia/NSW|Australia/
Lindeman|Australia/Melbourne|Australia/Adelaide|Australia/
Victoria|Australia/Canberra|Australia/West|Australia/Brisbane|Australia/
Broken_Hill|Australia/Darwin|Australia/ACT|Australia/North|Australia/
Sydney|Australia/LHI|Iran|WET|Libya|MST7MDT|Chile|Chile/EasterIsland|Chile/
Continental|GMT-0|Navajo;
}
setting {
management {
idle-timeout 1-1;
max-rows-in-csv-export 1-1;
max-backup-versions 1-1;
max-audit-versions 1-1;
panorama-tcp-receive-timeout 1-1;
panorama-tcp-send-timeout 1-1;
panorama-ssl-send-retries 1-1;
}
}
}
mgt-config {
users {
REPEAT...
<name> {
phash <value>;
authentication-profile <value>;
client-certificate-only yes|no;
preferences {
disable-dns yes|no;
saved-log-query {
traffic {
REPEAT...
<name> {
query <value>;
}
}
threat {
REPEAT...
<name> {
query <value>;
}
}
url {
REPEAT...
<name> {
query <value>;
}
}
data {
REPEAT...
<name> {
query <value>;
}
}
config {
REPEAT...
<name> {
query <value>;
}
}
system {
REPEAT...
<name> {
query <value>;
}
}
}
}
permissions {
role-based {
superreader yes;
OR...
superuser yes;
OR...
panorama-admin yes;
OR...
custom {
profile <value>;
device-groups [ <device-groups1> <device-groups2>... ];
devices {
REPEAT...
<name> {
vsys [ <vsys1> <vsys2>... ];
}
}
}
}
}
}
}
devices {
REPEAT...
<name> {
hostname <value>;
ip <value>;
disable-config-backup yes|no;
}
}
access-domain {
REPEAT...
<name> {
device-groups [ <device-groups1> <device-groups2>... ];
devices {
REPEAT...
<name> {
vsys [ <vsys1> <vsys2>... ];
}
}
}
}
}
predefined;
shared {
authentication-profile {
REPEAT...
<name> {
lockout {
failed-attempts 0-65535;
lockout-time 0-65535;
}
allow-list [ <allow-list1> <allow-list2>... ];
method {
acl;
OR...
radius {
server-profile <value>;
}
OR...
ldap {
server-profile <value>;
login-attribute <value>;
}
}
}
}
client-certificate-profile {
REPEAT...
<name> {
username-field {
subject common-name;
OR...
subject-alt email|principal-name;
}
domain <value>;
CA {
REPEAT...
<name> {
default-ocsp-url <value>;
ocsp-verify-ca <value>;
}
}
use-crl yes|no;
use-ocsp yes|no;
crl-receive-timeout 1-1;
ocsp-receive-timeout 1-1;
cert-status-timeout 0-65535;
block-unknown-cert yes|no;
block-timeout-cert yes|no;
}
}
cert {
REPEAT...
<name> {
vsys <value>;
common-name <value>;
expires <value>;
}
}
cacert {
REPEAT...
<name> {
vsys <value>;
common-name <value>;
expires <value>;
}
}
caccacert {
REPEAT...
<name> {
vsys <value>;
common-name <value>;
expires <value>;
}
}
cacverifyca {
REPEAT...
<name> {
vsys <value>;
common-name <value>;
expires <value>;
}
}
importcert {
REPEAT...
<name> {
vsys <value>;
common-name <value>;
expires <value>;
}
}
address {
REPEAT...
<name> {
ip-netmask <ip/netmask>;
OR...
ip-range <ip-range>;
}
}
address-group {
REPEAT...
<name> [ <entry1> <entry2>... ];
}
threats {
vulnerability {
REPEAT...
<name> {
threatname <value>;
affected-host {
client yes|no;
server yes|no;
}
comment <value>;
severity <value>;
direction <value>;
default-action alert|reset-client|reset-server|reset-both|drop-packets;
cve [ <cve1> <cve2>... ];
bugtraq [ <bugtraq1> <bugtraq2>... ];
vendor [ <vendor1> <vendor2>... ];
reference [ <reference1> <reference2>... ];
signature {
REPEAT...
<name> {
comment <value>;
scope protocol-data-unit|session;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
operator {
less-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
equal-to {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
greater-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
}
spyware {
REPEAT...
<name> {
threatname <value>;
comment <value>;
severity <value>;
direction <value>;
default-action alert|reset-client|reset-server|reset-both|drop-packets;
cve [ <cve1> <cve2>... ];
bugtraq [ <bugtraq1> <bugtraq2>... ];
vendor [ <vendor1> <vendor2>... ];
reference [ <reference1> <reference2>... ];
signature {
REPEAT...
<name> {
comment <value>;
scope protocol-data-unit|session;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
operator {
less-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
equal-to {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
greater-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
}
}
application {
REPEAT...
<name> {
default {
port [ <port1> <port2>... ];
OR...
ident-by-ip-protocol 0-65535;
}
category <value>;
subcategory <value>;
technology <value>;
description <value>;
timeout 0-65535;
tcp-timeout 0-65535;
udp-timeout 0-65535;
risk 1-1;
evasive-behavior yes|no;
consume-big-bandwidth yes|no;
used-by-malware yes|no;
able-to-transfer-file yes|no;
has-known-vulnerability yes|no;
tunnel-other-application yes|no;
prone-to-misuse yes|no;
pervasive-use yes|no;
tunnel-applications yes|no;
decoder <value>;
file-type-ident yes|no;
virus-ident yes|no;
spyware-ident yes|no;
data-ident yes|no;
parent-app <value>;
signature {
REPEAT...
<name> {
comment <value>;
scope protocol-data-unit|session;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
context <value>;
pattern <value>;
method <value>;
}
}
}
}
}
}
}
}
override {
application {
REPEAT...
<name> {
timeout 0-65535;
tcp-timeout 0-65535;
udp-timeout 0-65535;
risk 1-1;
}
}
}
application-filter {
REPEAT...
<name> {
category [ <category1> <category2>... ];
subcategory [ <subcategory1> <subcategory2>... ];
technology [ <technology1> <technology2>... ];
evasive yes;
excessive-bandwidth-use yes;
used-by-malware yes;
transfers-files yes;
has-known-vulnerabilities yes;
tunnels-other-apps yes;
prone-to-misuse yes;
pervasive yes;
risk [ <risk1> <risk2>... ];
}
}
application-group {
REPEAT...
<name> [ <entry1> <entry2>... ];
}
service {
REPEAT...
<name> {
protocol {
tcp {
port <0-65535,...>;
}
OR...
udp {
port <0-65535,...>;
}
}
}
}
service-group {
REPEAT...
<name> [ <entry1> <entry2>... ];
}
server-profile {
ldap {
REPEAT...
<name> {
non-admin-use yes|no;
server {
REPEAT...
<name> {
address <ip/netmask><value>;
port 1-1;
}
}
ssl yes|no;
base <value>;
bind-dn <value>;
bind-passwd <value>;
timelimit 1-1;
retry-interval 1-1;
}
}
radius {
REPEAT...
<name> {
non-admin-use yes|no;
domain <value>;
timeout 1-1;
retries 1-1;
checkgroup yes|no;
server {
REPEAT...
<name> {
ip-address <ip/netmask>;
port 0-65535;
secret <value>;
}
}
}
}
}
log-settings {
snmptrap {
REPEAT...
<name> {
server {
REPEAT...
<name> {
manager <ip/netmask>;
community <value>;
}
}
}
}
syslog {
REPEAT...
<name> {
server {
REPEAT...
<name> {
server <ip/netmask>;
port 1-1;
facility LOG_USER|LOG_LOCAL0|LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|LOG_LOCAL5|LOG_LOCAL6|LOG_LOCAL7;
}
}
}
}
email {
REPEAT...
<name> {
server {
REPEAT...
<name> {
display-name <value>;
from <value>;
to <value>;
and-also-to <value>;
gateway <value>;
}
}
}
}
system {
informational {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
low {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
medium {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
high {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
critical {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
}
config {
any {
send-to-panorama yes|no;
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
}
profiles {
REPEAT...
<name> {
alarm {
informational {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
low {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
medium {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
high {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
critical {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
}
traffic {
any {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
}
}
}
}
profiles {
virus {
REPEAT...
<name> {
description <value>;
packet-capture yes|no;
decoder {
REPEAT...
<name> {
action default|allow|alert|block;
}
}
application {
REPEAT...
<name> {
action default|allow|alert|block;
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
spyware {
REPEAT...
<name> {
description <value>;
phone-home-detection {
simple {
packet-capture yes|no;
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
OR...
custom {
REPEAT...
<name> {
packet-capture yes|no;
action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
}
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
vulnerability {
REPEAT...
<name> {
description <value>;
simple {
packet-capture yes|no;
client {
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
server {
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
}
OR...
custom {
REPEAT...
<name> {
packet-capture yes|no;
action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
url-filtering {
REPEAT...
<name> {
description <value>;
dynamic-url yes|no;
license-expired block|allow;
action block|continue|override|alert|allow;
block-list [ <block-list1> <block-list2>... ];
allow-list [ <allow-list1> <allow-list2>... ];
allow [ <allow1> <allow2>... ];
alert [ <alert1> <alert2>... ];
block [ <block1> <block2>... ];
continue [ <continue1> <continue2>... ];
override [ <override1> <override2>... ];
}
}
file-blocking {
REPEAT...
<name> {
description <value>;
rules {
REPEAT...
<name> {
application [ <application1> <application2>... ];
file-type [ <file-type1> <file-type2>... ];
direction upload|download|both;
action alert|block;
}
}
}
}
custom-url-category {
REPEAT...
<name> {
description <value>;
list [ <list1> <list2>... ];
}
}
data-objects {
REPEAT...
<name> {
description <value>;
credit-card-numbers {
weight 0-65535;
}
social-security-numbers {
weight 0-65535;
}
social-security-numbers-without-dash {
weight 0-65535;
}
pattern {
REPEAT...
<name> {
regex <value>;
weight 0-65535;
}
}
}
}
data-filtering {
REPEAT...
<name> {
description <value>;
data-capture yes|no;
rules {
REPEAT...
<name> {
data-object <value>;
application [ <application1> <application2>... ];
file-type [ <file-type1> <file-type2>... ];
direction upload|download|both;
alert-threshold 0-65535;
block-threshold 0-65535;
}
}
}
}
}
admin-role {
REPEAT...
<name> {
description <value>;
role {
panorama {
webui {
dashboard enable|disable;
acc enable|disable;
monitor {
logs {
traffic enable|disable;
threat enable|disable;
url enable|disable;
configuration enable|disable;
system enable|disable;
data-filtering enable|disable;
}
app-scope enable|disable;
pdf-reports {
manage-pdf-summary enable|disable;
pdf-summary-reports enable|disable;
user-activity-report enable|disable;
report-groups enable|disable;
email-scheduler enable|disable;
}
custom-reports {
application-statistics enable|disable;
data-filtering-log enable|disable;
threat-log enable|disable;
threat-summary enable|disable;
traffic-log enable|disable;
traffic-summary enable|disable;
url-log enable|disable;
}
view-custom-reports enable|disable;
application-reports enable|disable;
threat-reports enable|disable;
url-filtering-reports enable|disable;
traffic-reports enable|disable;
}
policies {
security-rulebase enable|read-only|disable;
nat-rulebase enable|read-only|disable;
ssl-decryption-rulebase enable|read-only|disable;
application-override-rulebase enable|read-only|disable;
captive-portal-rulebase enable|read-only|disable;
qos-rulebase enable|read-only|disable;
}
objects {
addresses enable|read-only|disable;
address-groups enable|read-only|disable;
applications enable|read-only|disable;
application-groups enable|read-only|disable;
application-filters enable|read-only|disable;
services enable|read-only|disable;
service-groups enable|read-only|disable;
custom-url-category enable|read-only|disable;
custom-signatures {
data-patterns enable|read-only|disable;
spyware enable|read-only|disable;
vulnerability enable|read-only|disable;
}
security-profiles {
antivirus enable|read-only|disable;
anti-spyware enable|read-only|disable;
vulnerability-protection enable|read-only|disable;
url-filtering enable|read-only|disable;
file-blocking enable|read-only|disable;
data-filtering enable|read-only|disable;
}
security-profile-groups enable|read-only|disable;
log-forwarding enable|read-only|disable;
schedules enable|read-only|disable;
}
network {
interfaces enable|read-only|disable;
zones enable|read-only|disable;
vlans enable|read-only|disable;
virtual-wires enable|read-only|disable;
virtual-routers enable|read-only|disable;
ipsec-tunnels enable|read-only|disable;
dhcp enable|read-only|disable;
ssl-vpn enable|read-only|disable;
qos enable|read-only|disable;
network-profiles {
ike-gateways enable|read-only|disable;
ipsec-crypto enable|read-only|disable;
ike-crypto enable|read-only|disable;
tunnel-monitor enable|read-only|disable;
interface-mgmt enable|read-only|disable;
zone-protection enable|read-only|disable;
qos-profile enable|read-only|disable;
}
}
device {
setup enable|read-only|disable;
config-audit enable|disable;
managed-devices enable|disable;
device-groups enable|disable;
admin-roles enable|read-only|disable;
administrators enable|read-only|disable;
virtual-systems enable|read-only|disable;
user-identification enable|read-only|disable;
high-availability enable|read-only|disable;
certificates enable|read-only|disable;
block-pages enable|read-only|disable;
log-settings {
system enable|read-only|disable;
config enable|read-only|disable;
}
server-profile {
snmp-trap enable|read-only|disable;
syslog enable|read-only|disable;
email enable|read-only|disable;
radius enable|read-only|disable;
ldap enable|read-only|disable;
}
local-user-database {
users enable|read-only|disable;
user-groups enable|read-only|disable;
}
authentication-profile enable|read-only|disable;
client-certificate-profile enable|read-only|disable;
access-domain enable|read-only|disable;
scheduled-log-export enable|disable;
software enable|read-only|disable;
ssl-vpn-client enable|read-only|disable;
dynamic-updates enable|read-only|disable;
licenses enable|read-only|disable;
support enable|read-only|disable;
deployment {
software enable|read-only|disable;
ssl-vpn-client enable|read-only|disable;
dynamic-updates enable|read-only|disable;
licenses enable|read-only|disable;
}
}
privacy {
show-full-ip-addresses enable|disable;
show-user-names-in-logs-and-reports enable|disable;
view-pcap-files enable|disable;
}
commit enable|disable;
}
cli superuser|superreader;
}
}
}
}
profile-group {
REPEAT...
<name> {
virus [ <virus1> <virus2>... ];
spyware [ <spyware1> <spyware2>... ];
weekly sunday|monday|tuesday|wednesday|thursday|friday|saturday;
}
}
}
pdf-summary-report {
REPEAT...
<name> {
header {
caption <value>;
}
footer {
note <value>;
}
predefined-widget {
REPEAT...
<name> {
chart-type pie|line|bar|table;
row 1-1;
column 1-1;
}
}
custom-widget {
REPEAT...
<name> {
chart-type pie|line|bar|table;
row 1-1;
column 1-1;
}
}
}
}
reports {
REPEAT...
<name> {
disabled yes|no;
query <value>;
caption <value>;
frequency daily|weekly;
start-time <value>;
end-time <value>;
period last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendar-week|last-30-days;
topn 1-1;
topm 1-1;
type {
appstat {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by serial|category-of-name|name|risk|subcategory-of-name|technology-of-name|container-of-name|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby nbytes|npkts|nsess|nthreats;
}
OR...
threat {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by serial|action|app|category|category-of-app|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby repeatcnt;
}
OR...
url {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by serial|action|app|category|category-of-app|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby repeatcnt;
}
OR...
data {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by serial|action|app|category-of-app|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby repeatcnt;
}
OR...
thsum {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by serial|app|category-of-app|dst|dstuser|risk-of-app|rule|severity-of-threatid|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-of-app|threatid|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby count;
}
OR...
traffic {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by serial|action|app|category|category-of-app|dport|dst|dstuser|flags|from|inbound_if|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|sport|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby bytes|elapsed|packets|repeatcnt;
}
OR...
trsum {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by serial|app|category|category-of-app|dst|dstuser|from|risk-of-app|rule|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby bytes|sessions;
}
OR...
panorama-threat {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by serial|action|app|category|category-of-app|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby repeatcnt;
}
OR...
panorama-url {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by serial|action|app|category|category-of-app|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby repeatcnt;
}
OR...
panorama-data {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by serial|action|app|category-of-app|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby repeatcnt;
}
OR...
panorama-traffic {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by serial|action|app|category|category-of-app|dport|dst|dstuser|flags|from|inbound_if|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|sport|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby bytes|elapsed|packets|repeatcnt;
}
}
}
}
}
Appendix B
PAN-OS CLI KEYBOARD SHORTCUTS
This appendix lists the keyboard shortcuts and Editor Macros (EMACS) commands supported in the PAN-OS CLI.
Note: Some shortcuts depend upon the SSH client used to access the PAN-OS CLI. For some clients, the Meta key is the Control key; for others it is the Esc key.
Description
end-of-line (C-e)
forward-char (C-f)
backward-char (C-b)
forward-word (M-f)
backward-word (M-b): Move back to the start of this, or the previous, word. Words consist of alphanumeric characters (letters and digits).
clear-screen (C-l): Clear the screen and place the current line at the top of the screen. If an argument is included, refresh the current line without clearing the screen.
Accept the line regardless of where the cursor is. If the line is non-empty, add it to the history list. If the line is a modified history line, then restore the history line to its original state.
previous-history (C-p): Fetch the previous command from the history list, moving back in the list.
next-history (C-n): Fetch the next command from the history list, moving forward in the list.
beginning-of-history (M-<)
end-of-history (M->): Move to the end of the input history (the line currently being entered).
reverse-search-history (C-r)
forward-search-history (C-s)
non-incremental-reverse-search-history (M-p)
non-incremental-forward-search-history (M-n)
transpose-chars (C-t): Drag the character before point forward over the character at point. Point moves forward as well. If point is at the end of the line, then transpose the two characters before point.
transpose-words (M-t): Drag the word behind the cursor past the word in front of the cursor, moving the cursor over that word as well.
upcase-word (M-u)
downcase-word (M-l)
capitalize-word (M-c)
Delete the text from the current cursor position to the end of the line.
unix-line-discard (C-u)
kill-word (M-d): Delete from the cursor to the end of the current word, or if between words, to the end of the next word. Word boundaries are the same as those used by forward-word.
backward-kill-word (M-backspace): Delete the word behind the cursor. Word boundaries are the same as those used by backward-word.
unix-word-backspace (C-w): Delete the word behind the cursor, using white space as a word boundary. The word boundaries are different from backward-kill-word.
yank (C-y): Place the top of the deleted section into the buffer at the cursor.
yank-pop (M-y): Rotate the kill-ring, and yank the new top. Only works following yank or yank-pop.
Completing Commands
complete (TAB)
possible-completions (?)
revert-line (M-r): Undo all changes made to this line. This is like typing the undo command enough times to return the line to its initial state.
Description
beginning-of-line
C-B    backward-char
C-D    delete-char
C-E    end-of-line
C-F    forward-char
C-G    abort
C-H    backward-delete-char
C-I    complete
C-J    accept-line
C-K    kill-line
C-L    clear-screen
C-M    accept-line
C-N    next-history
C-P    previous-history
C-R    reverse-search-history
C-S    forward-search-history
C-T    transpose-chars
C-U    unix-line-discard
C-W    unix-word-backspace
C-Y    yank
C-_    undo
M-C-H  backward-kill-word
M-C-R  revert-line
M-<    beginning-of-history
M->    end-of-history
possible-completions
M-B    backward-word
M-C    capitalize-word
M-D    kill-word
M-F    forward-word
M-L    downcase-word
M-N    non-incremental-forward-search-history
M-P    non-incremental-reverse-search-history
M-R    revert-line
M-T    transpose-words
M-U    upcase-word
M-Y    yank-pop
Index
Symbols
# prompt 13
+ option symbol 17
> option symbol 17
> prompt 13
? symbol 15
A
accessing the CLI 12
B
banner 13, 26
bootloader recovery 189
bootup 186
C
changing modes 14
check command 32
clear command 53
CLI
accessing 12
configuration mode 11
EMACS commands 315
keyboard shortcuts 313
operational mode 11
prompt 13
structure 11
commands 28
conventions 13
display 28
messages 14
monitoring and troubleshooting 28
navigation 28
network access 28
option symbols 17
options 15
understanding 13
commit command 21, 33
configuration
hierarchy 24
hierarchy paths 25
configuration mode
hierarchy 24
prompt 13
understanding 21
configure command 55
control key 16
conventions, typographical 8
copy command 34
critical errors, switching to maintenance mode 187
D
debug captive-portal command 56
debug cli command 57
debug cpld command 58
debug dataplane command 59
debug device-server command 61
debug dhcpd command 62
debug high-availability-agent command 63
debug ike command 64
debug keymgr command 65
debug ldap-server command 66
debug log-receiver command 67
debug management-server command 68
debug master-service command 69
debug pppoed command 70
debug rasmgr command 71
debug routing command 72
debug software command 73
debug sslmgr command 75
debug ssl-vpn command 74
debug swm command 76
debug tac-login command 77
debug vardata-receiver command 78
delete command 35, 56
diagnostics 189
disk image 189
E
edit banner 26
edit command
banner 13
using 27, 36
errors, switching to maintenance mode 187
esc key 16
Ethernet interfaces 19
ethernet1/n 19
exit command 37, 81
G
getting started 12
grep command 82
H
hierarchy
complete 191
configuration 24
navigating 26
new elements 26
paths 25
hostname 13
I
interfaces 19
K
keyboard shortcuts 16, 313
L
less command 84
M
maintenance mode
about 185
diagnostics 189
entering automatically 187
entering upon bootup 186
password 189
serial console message 187
SSH message 188
web interface message 187
meta key 16
modes
changing 14, 15
configuration 21
operational 28
move command 39
N
navigating hierarchy 26
netstat command 85
O
operational mode
command types 28
prompt 13
using 28
Q
quit command 40, 88
R
rename command 41
request anti-virus command 89
request certificate command 90
request content upgrade command 93
request data-filtering command 94
request device-registration command 95
request high-availability command 96
request license command 97
request password-hash command 98
request restart command 99
request ssl-decrypt command 100
request ssl-vpn command 101
request support command 102, 104
request system command 103
request url-filtering command 105
request vpnclient command 106
rollback 189
run command 42
S
save command 21, 43
scp command 107
serial console
maintenance mode 185
message 187
set application dump command 110
set cli command 111, 114
set clock command 113
set command 44
set management-server command 115
set panorama command 116
set password command 117
set serial-number command 118
set session command 119
set system setting command 121
shortcuts 16
show admins command 123
show arp command 124
show authentication command 125
show cli command 126, 127
show clock command 128
T
tail command 175
telnet command 176
test command 177
tftp command 92, 179
top command 27, 46
traceroute command 181
typographical conventions 8
U
up command 27, 47
user name 13
user privileges 18
V
view-pcap command 183