PAN OS 31 CLI Reference Guide

PAN-OS
Command Line Interface

Reference Guide
Release 3.1
PAN-OS Command Line Interface

Reference Guide
Release 3.1
2/27/10 Third/Final Review Draft- Palo Alto Networks

COMPANY CONFIDENTIAL
Palo Alto Networks, Inc.

www.paloaltonetworks.com
2010 Palo Alto Networks. All rights reserved.
Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are
the property of their respective owners
Part number: 810-000048-00A
Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Typographical Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Notes, Cautions, and Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Obtaining More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7
7
8
9
9
9
9
Chapter 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11
Understanding the PAN-OS CLI Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Accessing the PAN-OS CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Understanding the PAN-OS CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . 13
Understanding the PAN-OS CLI Command Conventions . . . . . . . . . . . . . . . . . . . . 13
Understanding Command Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Using Operational and Configuration Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Displaying the PAN-OS CLI Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Using Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Understanding Command Option Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Restricting Command Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Understanding Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Referring to Firewall Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 2
Understanding CLI Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
Understanding Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Using Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using Configuration Commands with Virtual Systems . . . . . . . . . . . . . . . . . . . . . .
Understanding the Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Navigating Through the Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
23
24
26
Understanding Operational Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Setting the Output Format for Configuration Commands . . . . . . . . . . . . . . . . . . . . 28
Palo Alto Networks
Chapter 3
Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
move . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
top . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Chapter 4
Operational Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug cpld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug dataplane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug device-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug dhcpd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug high-availability-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug ike . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug keymgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug ldap-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug log-receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug management-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug master-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug pppoed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug rasmgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug sslmgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug swm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug tac-login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
debug vardata-receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
grep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
less . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
53
55
56
57
58
59
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
81
82
84
85
86
Palo Alto Networks
quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
request anti-virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
request certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
request comfort-page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
request content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
request data-filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
request device-registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
request high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
request license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
request password-hash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
request restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
request ssl-decrypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
request ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
request support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
request system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
request tech-support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
request url-filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
request vpnclient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
scp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
set application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
set cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
set clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
set data-access-password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
set management-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
set panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
set password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
set serial-number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
set session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
set system setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
show admins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
show authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
show chassis-ready . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
show cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
show clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
show config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
show counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
show device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
show device-messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
show devicegroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
show dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
show fips-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
show high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
show interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
show jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
show location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
show log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
show mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
show management-clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
show management-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
show object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
show panorama-certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
show pbf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
show pppoe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Palo Alto Networks
show qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ssl-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show virtual-wire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show zone-protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
view-pcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
149
150
151
152
156
158
161
162
163
165
167
168
169
170
171
173
174
175
176
177
179
181
183
Chapter 5
Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
185
Entering Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Using
Entering Maintenance Mode Upon Bootup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Entering Maintenance Mode Automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Appendix A
Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
191
Firewall Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Panorama Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Appendix B
PAN-OS CLI Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
313
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
317
Palo Alto Networks
Preface
This preface contains the following sections:
About This Guide in the next section
Organization on page 7
Typographical Conventions on page 8
Notes, Cautions, and Warnings on page 9
Related Documentation on page 9
Obtaining More Information on page 9
Technical Support on page 9
About This Guide

This guide provides an overview of the PAN-OS command line interface (CLI), describes
how to access and use the CLI, and provides command reference pages for each of the CLI
commands.
This guide is intended for system administrators responsible for deploying, operating, and
maintaining the firewall and who require reference information about the PAN-OS CLI
commands that they want to execute on a per-device basis. For an explanation of features and
concepts, refer to the Palo Alto Networks Administrators Guide.
Organization
This guide is organized as follows:
Chapter 1, IntroductionIntroduces and describes how to use the PAN-OS CLI.
Chapter 2, Understanding CLI Command ModesDescribes the modes used to

interact with the PAN-OS CLI.
Chapter 3, Configuration Mode CommandsContains command reference pages for

Configuration mode commands.
Chapter 4, Operational Mode CommandsContains command reference pages for

Operational mode commands.
Palo Alto Networks
Preface 7
Chapter 5, Maintenance ModeDescribes how to enter Maintenance mode and use the
Maintenance mode options.
Appendix A, Configuration HierarchyContains command reference pages for

Operational mode commands.
Appendix B, PAN-OS CLI Keyboard ShortcutsDescribes the keyboard shortcuts

supported in the PAN-OS CLI.
Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.
Convention
Meaning
Example
boldface
Names of commands,
keywords, and selectable
items in the web interface
Use the configure command to enter

Configuration mode.
italics
Name of variables, files,

configuration elements,
directories, or Uniform
Resource Locators (URLs)
The address of the Palo Alto Networks home

page is
http://www.paloaltonetworks.com.
courier font
courier bold
font
element2 is a required variable for the move

command.
Command syntax, code

examples, and screen output
The show arp all command yields this output:
Text that you enter at the

command prompt
Enter the following command to exit from the

current PAN-OS CLI level:
username@hostname> show arp all

maximum of entries supported: 8192
default timeout: 1800 seconds
total ARP entries in table: 0
total ARP entries shown: 0
status: s - static, c - complete, i
- incomplete
# exit
[ ] (text enclosed
in angle brackets)
Optional parameters.
In the following command, 8bit and port are

optional parameters.
> telnet [8bit] [port] host
< > (text enclosed

in square
brackets)
Special keys or choice of

required options.
<tab> indicates that the tab key is pressed.
| (pipe symbol)
Choice of values, indicated by

a pipe symbol-separated list.
The request support command includes

options to get support information from the
update server or show downloaded support
information:
> delete core <control-plane |

data-plane> file filename
> request support [check | info]
8 Preface
Palo Alto Networks
Notes, Cautions, and Warnings

This guide uses the following symbols for notes, cautions, and warnings.
Symbol
Description
NOTE
Indicates helpful suggestions or supplementary information.
CAUTION
Indicates information about which the reader should be careful to avoid data loss or
equipment failure.
WARNING
Indicates potential danger that could involve bodily injury.
Related Documentation
The following additional documentation is provided with the firewall:
Quick Start
Hardware Reference Guide
Palo Alto Networks Administrators Guide
Obtaining More Information

To obtain more information about the firewall, refer to:
Palo Alto Networks websiteGo to http://www.paloaltonetworks.com.
Online helpClick Help in the upper right corner of the GUI to access the online help
system.
Technical Support
For technical support, use the following methods:
Go to http://support.paloaltonetworks.com.
Call 1-866-898-9087 (U.S, Canada, and Mexico).
Email us at: support@paloaltonetworks.com.
Palo Alto Networks
Preface 9
10 Preface
Palo Alto Networks
Chapter 1
Introduction
This chapter introduces and describes how to use the PAN-OS command line interface (CLI):
Understanding the PAN-OS CLI Structure in the next section
Getting Started on page 12
Understanding the PAN-OS CLI Commands on page 13
Understanding the PAN-OS CLI Structure

The PAN-OS CLI allows you to access the firewall, view status and configuration information,
and modify the configuration. Access to the PAN-OS CLI is provided through SSH, Telnet, or
direct console access.
The PAN-OS CLI operates in two modes:
Operational modeView the state of the system, navigate the PAN-OS CLI, and enter
configuration mode.
Configuration modeView and modify the configuration hierarchy.
Chapter 3 describes each mode in detail.
Palo Alto Networks
Introduction 11
Getting Started
This section describes how to access and begin using the PAN-OS CLI:
Before You Begin in the next section
Accessing the PAN-OS CLI on page 12
Before You Begin

Verify that the firewall is installed and that a SSH, Telnet, or direct console connection is
established.
Note: Refer to the Hardware Reference Guide for hardware installation
information and to the Quick Start for information on initial device configuration.
Use the following settings for direct console connection:
Data rate: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: None
Accessing the PAN-OS CLI

To access the PAN-OS CLI:
1.
Open the console connection.
2.
Enter the administrative user name. The default is admin.
3.
Enter the administrative password. The default is admin.
4.
The PAN-OS CLI opens in Operational mode, and the CLI prompt is displayed:
username@hostname>
12 Introduction
Palo Alto Networks
Understanding the PAN-OS CLI Commands

This section describes how to use the PAN-OS CLI commands and display command options:
Understanding the PAN-OS CLI Command Conventions in the next section
Understanding Command Messages on page 14
Using Operational and Configuration Modes on page 15
Displaying the PAN-OS CLI Command Options on page 15
Using Keyboard Shortcuts on page 16
Understanding Command Option Symbols on page 17
Understanding Privilege Levels on page 18
Referring to Firewall Interfaces on page 19
Understanding the PAN-OS CLI Command Conventions

The basic command prompt incorporates the user name and model of the firewall:
username@hostname>
Example:
username@hostname>
When you enter Configuration mode, the prompt changes from > to #:
username@hostname>
(Operational mode)
username@hostname> configure
Entering configuration mode
[edit]
(Configuration mode)
username@hostname#
In Configuration mode, the current hierarchy context is shown by the [edit...] banner
presented in square brackets when a command is issued. Refer to Using the Edit Command
on page 27 for additional information on the edit command.
Palo Alto Networks
Introduction 13
Understanding Command Messages

Messages may be displayed when you issue a command. The messages provide context
information and can help in correcting invalid commands. In the following examples, the
message is shown in bold.
Example: Unknown command
username@hostname# application-group
Unknown command: application-group
[edit network]
username@hostname#
Example: Changing modes

username@hostname# exit
Exiting configuration mode
username@hostname>
Example: Invalid syntax

username@hostname> debug 17
Unrecognized command
Invalid syntax.
username@hostname>
Each time you enter a command the syntax is checked. If the syntax is correct, the command is
executed, and the candidate hierarchy changes are recorded. If the syntax is incorrect, an
invalid syntax message is presented, as in the following example:
username@hostname# set zone application 1.1.2.2
Unrecognized command
Invalid syntax.
[edit]
username@hostname#
14 Introduction
Palo Alto Networks
Using Operational and Configuration Modes

When you log in, the PAN-OS CLI opens in Operational mode. You can move between
Operational and Configuration modes at any time.
To enter Configuration mode from Operational mode, use the configure command:
[edit]
username@hostname#
To leave Configuration mode and return to Operational mode, use the quit or exit
command:
username@hostname# quit
username@hostname>
To enter an Operational mode command while in Configuration mode, use the run
command, as described in run on page 42.
Displaying the PAN-OS CLI Command Options

Use ? (or Meta-H) to display a list of command option, based on context:
To display a list of operational commands, enter ? at the command prompt.

username@hostname> ?
clear
Clear runtime parameters
configure
Manipulate software configuration information
debug
Debug and diagnose
exit
Exit this session
grep
Searches file for lines containing a pattern match
less
Examine debug file content
ping
Ping hosts and networks
quit
Exit this session
request
Make system-level requests
scp
Use ssh to copy file to another host
set
Set operational parameters
show
Show operational parameters
ssh
Start a secure shell to another host
tail
Print the last 10 lines of debug file content
telnet
Start a telnet session to another host
username@hostname>
Palo Alto Networks
Introduction 15
To display the available options for a specified command, enter the command followed
by ?.
Example:
admin@localhost> ping ?
username@hostname> ping
+ bypass-routing
Bypass routing table, use specified interface
+ count
Number of requests to send (1..2000000000 packets)
+ do-not-fragment Don't fragment echo request packets (IPv4)
+ inet
Force to IPv4 destination
+ interface
Source interface (multicast, all-ones, unrouted
packets)
+ interval
Delay between requests (seconds)
+ no-resolve
Don't attempt to print addresses symbolically
+ pattern
Hexadecimal fill pattern
+ record-route
Record and report packet's path (IPv4)
+ size
Size of request packets (0..65468 bytes)
+ source
Source address of echo request
+ tos
IP type-of-service value (0..255)
+ ttl
IP time-to-live value (IPv6 hop-limit value) (0..255
hops)
+ verbose
Display detailed output
+ wait
Delay after sending last packet (seconds)
<host>
Hostname or IP address of remote host
username@hostname> ping
Using Keyboard Shortcuts

The PAN-OS CLI supports a variety of keyboard shortcuts. For a complete list, refer to
Appendix B, PAN-OS CLI Keyboard Shortcuts.
Note: Some shortcuts depend upon the SSH client that is used to access the
PAN-OS CLI. For some clients, the Meta key is the Control key; for some it is the
Esc key.
16 Introduction
Palo Alto Networks
Understanding Command Option Symbols

The symbol preceding an option can provide additional information about command syntax,
as described in Table 1.
Table 1. Option Symbols

Symbol
Description
This option is required.
>
There are additional nested options for this command.
There are additional command options for this command at this level.
The following example shows how these symbols are used.

Example: In the following command, the keyword from is required:
username@hostname> scp import configuration ?
+ remote-port
SSH port number on remote host
* from
Source (username@host:path)
username@hostname> scp import configuration
Example: This command output shows options designated with + and >.
username@hostname# set
+ action
+ application
+ description
+ destination
+ disabled
+ from
+ log-end
+ log-setting
+ log-start
+ negate-destination
+ negate-source
+ schedule
+ service
+ source
+ to
> profiles
<Enter>
[edit]
username@hostname# set
rulebase security rules rule1 ?

action
application
description
destination
disabled
from
log-end
log-setting
log-start
negate-destination
negate-source
schedule
service
source
to
profiles
Finish input
rulebase security rules rule1
Each option listed with + can be added to the command.

The profiles keyword (with >) has additional options:
username@hostname# set rulebase security rules rule1 profiles ?
+ virus
Help string for virus
+ spyware
Help string for spyware
+ vulnerability
Help string for vulnerability
+ group
Help string for group
<Enter>
Finish input
[edit]
username@hostname# set rulebase security rules rule1 profiles
Palo Alto Networks
Introduction 17
Restricting Command Output

Some operational commands include an option to restrict the displayed output. To restrict the
output, enter a pipe symbol followed by except or match and the value that is to be excluded
or included:
Example:
The following sample output is for the show system info command:
username@hostname> show system info
hostname: PA-HDF
ip-address: 10.1.7.10
netmask: 255.255.0.0
default-gateway: 10.1.0.1
mac-address: 00:15:E9:2E:34:33
time: Fri Aug 17 13:51:49 2007
uptime: 0 days, 23:19:23
devicename: PA-HDF
family: i386
model: pa-4050
serial: unknown
sw-version: 1.5.0.0-519
app-version: 25-150
threat-version: 0
url-filtering-version: 0
logdb-version: 1.0.8
username@hostname>
The following sample displays only the system model information:

username@hostname> show system info | match model
model: pa-4050
username@hostname>
Understanding Privilege Levels

Privilege levels determine which commands the user is permitted to execute and the
information the user is permitted to view. Table 2 describes the PAN-OS CLI privilege levels.
Table 2. Privilege Levels

Level
Description
superuser
Has full access to the firewall and can define new administrator accounts and
virtual systems.
superreader
Has complete read-only access to the firewall.
vsysadmin
Has full access to a selected virtual system on the firewall.
vsysreader
Has read-only access to a selected virtual system on the firewall.
18 Introduction
Palo Alto Networks
Referring to Firewall Interfaces

The Ethernet interfaces are numbered from left to right and top to bottom on the firewall, as
shown in Figure 1.
ethernet1/1
ethernet1/15
11
13
15
10
12
14
16
ethernet1/2
ethernet1/16
Figure 1. Firewall Ethernet Interfaces

Use these names when referring to the Ethernet interfaces within the PAN-OS CLI commands,
as in the following example:
username@hostname# set network interface ethernet ethernet1/4 virtual-wire
Palo Alto Networks
Introduction 19
20 Introduction
Palo Alto Networks
Chapter 2
Understanding CLI Command Modes

This chapter describes the modes used to interact with the PAN-OS CLI:
Understanding Configuration Mode in the next section
Understanding Operational Mode on page 28
Understanding Configuration Mode

When you enter Configuration mode and enter commands to configure the firewall, you are
modifying the candidate configuration. The modified candidate configuration is stored in
firewall memory and maintained while the firewall is running.
Each configuration command involves an action, and may also include keywords, options,
and values. Entering a command makes changes to the candidate configuration.
This section describes Configuration mode and the configuration hierarchy:
Using Configuration Mode Commands in the next section
Using Configuration Commands with Virtual Systems on page 23
Understanding the Configuration Hierarchy on page 24
Navigating Through the Hierarchy on page 26
Using Configuration Mode Commands

Use the following commands to store and apply configuration changes (see Figure 2):
save commandSaves the candidate configuration in firewall non-volatile storage. The

saved configuration is retained until overwritten by subsequent save commands. Note
that this command does not make the configuration active.
commit commandApplies the candidate configuration to the firewall. A committed

configuration becomes the active configuration for the device.
Palo Alto Networks
Understanding CLI Command Modes 21
set commandChanges a value in the candidate configuration.
load commandAssigns the last saved configuration or a specified configuration to be

the candidate configuration.
Example: Make and save a configuration change.

username@hostname# rename zone untrust to untrust1
command)
(enter a configuration
[edit]
username@hostname# save config to snapshot.xml
Config saved to .snapshot.xml
[edit]
username@hostname#
Example: Make a change to the candidate configuration.

[edit]
username@hostname# set network interface vlan ip 1.1.1.4/24
[edit]
username@hostname#
Example: Make the candidate configuration active on the device.

[edit]
username@hostname# commit
[edit]
username@hostname#
Note: If you exit Configuration mode without issuing the save or commit
command, your configuration changes could be lost if power is lost to the firewall.
Active
Configuration
Saved
Configuration
Candidate
Configuration
Commit
Save
Load
Set
Figure 2. Configuration Mode Command Relationship
22 Understanding CLI Command Modes
Palo Alto Networks
Maintaining a candidate configuration and separating the save and commit steps confers
important advantages when compared with traditional CLI architectures:
Distinguishing between the save and commit concepts allows multiple changes to be
made at the same time and reduces system vulnerability.
For example, if you want to remove an existing security policy and add a new one, using
a traditional CLI command structure would leave the system vulnerable for the period of
time between removal of the existing security policy and addition of the new one. With
the PAN-OS approach, you configure the new security policy before the existing policy is
removed, and then implement the new policy without leaving a window of vulnerability.
You can easily adapt commands for similar functions.

For example, if you are configuring two Ethernet interfaces, each with a different IP
address, you can edit the configuration for the first interface, copy the command, modify
only the interface and IP address, and then apply the change to the second interface.
The command structure is always consistent.

Because the candidate configuration is always unique, all the authorized changes to the
candidate configuration will be consistent with each other.
Using Configuration Commands with Virtual Systems

If multiple virtual systems are enabled, you must specify a virtual system as part of the
set command in order to see the available options, as in the following example.
[edit]
[edit]
username@hostname# set ?
> deviceconfig
deviceconfig
> mgt-config
mgt-config
> network
network configuration
> shared
shared
> vsys
vsys
[edit]
username@hostname# set vsys vsys1 ?
+ display-name
alphanumeric string [ 0-9a-zA-Z._-]
> address
address
> address-group
address-group
> application
application
> application-filter
application-filter
> application-group
application-group
> authentication-profile
authentication-profile
> captive-portal
captive-portal
> custom-url-category
custom-url-category
> import
Import predefined configured resources
> ldap-server
ldap-server
> local-user-database
local-user-database
> log-settings
log-settings
> pan-agent
pan-agent
> profile-group
profile-group
> profiles
profiles
> rulebase
rulebase
> schedule
schedule
Palo Alto Networks
>
>
>
>
service
service-group
setting
ssl-exclude-cert
service
service-group
setting
ssl-exclude-cert
Understanding the Configuration Hierarchy

The configuration for the firewall is organized in a hierarchical structure. To display a
segment of the current hierarchy, use the show command. Entering show displays the
complete hierarchy, while entering show with keywords displays a segment of the hierarchy.
For example, the following command displays the configuration hierarchy for the ethernet
interface segment of the hierarchy:
username@hostname# show network interface ethernet
ethernet {
ethernet1/1 {
virtual-wire;
}
ethernet1/2 {
virtual-wire;
}
ethernet1/3 {
layer2 {
units {
ethernet1/3.1;
}
}
}
ethernet1/4;
}
[edit]
username@hostname#
Palo Alto Networks
Understanding Hierarchy Paths

When you enter a command, path is traced through the hierarchy, as shown in Figure 3.
network
profiles interface
...
vlan
...
ethernet
virtual-wire virtual-router
...
aggregate-ethernet
vlan
...
ethernet1/1
link-duplex
auto
...
...
ethernet1/2
ethernet1/3 ethernet1/4
link-state
up
virtual-wire link-speed
1000
loopback
...
Figure 3. Sample Hierarchy Segment

For example, the following command assigns the IP address/netmask 10.1.1.12/24 to the
Layer 3 interface for the Ethernet port ethernet1/4:
[edit]
username@hostname# set network interface ethernet ethernet1/4 layer3 ip
10.1.1.12/24
[edit]
username@hostname#
Palo Alto Networks
This command generates a new element in the hierarchy, as shown in Figure 4 and in the
output of the following show command:
[edit]
username@hostname# show network interface ethernet ethernet1/4
ethernet1/4 {
layer3 {
ip {
10.1.1.12/24;
}
}
}
[edit]
username@hostname#
network
profiles interface
...
vlan
...
ethernet
virtual-wire virtual-router
...
...
aggregate-ethernet
vlan
...
ethernet1/1
ethernet1/2
loopback
...
...
ethernet1/3 ethernet1/4
ip
10.1.1.12/24
Figure 4. Sample Hierarchy Segment
Navigating Through the Hierarchy

The [edit...] banner presented below the Configure mode command prompt line shows the
current hierarchy context. For example, the banner
[edit]
indicates that the relative context is the top level of the hierarchy, whereas
[edit network profiles]
indicates that the relative context is at the network profiles node.
Palo Alto Networks
Use the commands listed in Table 3 to navigate through the configuration hierarchy.
Table 3. Navigation Commands

Command
Description
edit
Sets the context for configuration within the command hierarchy.
up
Changes the context to the next higher level in the hierarchy.
top
Changes the context to the highest level in the hierarchy.
Using the Edit Command

Use the edit command to change context to lower levels of the hierarchy, as in the following
examples:
Move from the top level to a lower level:

[edit] (top level)
username@hostname# edit network
[edit network]
username@hostname# (now at the network
level)
[edit network]
Move from one level to a lower level:

[edit network] (network level)
username@hostname# edit interface
[edit network interface]
admin@abce# (now at the network
interface level)
Using the Up and Top Commands

Use the up and top commands to move to higher levels in the hierarchy:
upchanges the context to one level up in the hierarchy.

Example:
admin@abce# up
[edit network]
username@hostname#
(network level)
(now at the network level)
topchanges context to the top level of the hierarchy.

Example:
[edit network interface vlan]
username@hostname# top
[edit]
username@hostname#
Palo Alto Networks
(network vlan level)
(now at network vlan level)
Note: The set command issued after using the up and top commands starts from
the new context.
Understanding Operational Mode

When you first log in, the PAN-OS CLI opens in Operational mode. Operational mode
commands involve actions that are executed immediately. They do not involve changes to the
configuration, and do not need to be saved or committed.
Operational mode commands are of several types:
Network accessOpen a window to another host. Includes ssh and telnet commands.
Monitoring and troubleshootingPerform diagnosis and analysis. Includes debug and

ping commands.
Display commandsDisplay or clear current information. Includes clear and show

commands.
PAN-OS CLI navigation commandsEnter Configure mode or exit the PAN-OS CLI.
Includes configure, exit, and quit commands.
System commandsMake system-level requests or restart. Includes set and request

commands.
Setting the Output Format for Configuration Commands

You can specify the output format for configuration commands by using the
set cli config-output-format command in Operational mode. Options include the default
format, XML format, and set command format.
The following examples show the difference in output for each of these options. For
information on setting these options, refer to set cli on page 111.
Default option:
username@hostname# show system log-export-schedule
log-export-schedule {
10.16.0.97 {
description 10.16.0.97;
enable yes;
log-type threat;
start-time 03:00;
protocol {
ftp {
hostname 10.16.0.97;
port 21;
passive-mode yes;
username admin;
password mZDB7rbW5y8=;
}
}
username@hostname#
Palo Alto Networks
XML option:
<log-export-schedule>
<entry name="10.16.0.97">
<description>10.16.0.97</description>
<enable>yes</enable>
<log-type>threat</log-type>
<start-time>03:00</start-time>
<protocol>
<ftp>
<hostname>10.16.0.97</hostname>
<port>21</port>
<passive-mode>yes</passive-mode>
<username>admin</username>
<password>mZDB7rbW5y8=</password>
</ftp>
</protocol>
</entry>
</log-export-schedule>
[edit deviceconfig]
[edit deviceconfig]
username@hostname#
set command option:

username@hostname# show
set deviceconfig system
username@hostname#
Palo Alto Networks
system log-export-schedule
log-export-schedule 10.16.0.97
description 10.16.0.97
enable yes
log-type threat
start-time 03:00
protocol ftp hostname
Palo Alto Networks
Chapter 3
Configuration Mode Commands

This chapter contains command reference pages for the following Configuration mode
command types:
check on page 32
commit on page 33
copy on page 34
delete on page 35
edit on page 36
exit on page 37
load on page 38
move on page 39
quit on page 40
rename on page 41
run on page 42
save on page 43
set on page 44
show on page 45
top on page 46
up on page 47
Palo Alto Networks
Configuration Mode Commands 31
check
check
Check configuration status.
Syntax
check option
Options
data-access-passwd
Check data access authentication status for this session.
pending-changes
Check for uncommitted changes.
Sample Output
The following command shows that there are currently no uncommitted changes.
username@hostname# check pending-changes
no
[edit]
username@hostname#
Required Privilege Level

superuser, vsysadmin, deviceadmin
32 Configuration Mode Commands
Palo Alto Networks
commit
commit
Make the current candidate configuration the active configuration on the firewall.
Syntax
commit
Options
None
Sample Output
The following command makes the current candidate configuration the active configuration.
# commit

Palo Alto Networks
copy
copy
Make a copy of a node in the hierarchy along with its children, and add the copy to the same
hierarchy level.
Syntax
copy [node1] to [node2]
Options
node1
Specifies the node to be copied.
node2
Specifies the name of the copy.
Sample Output
The following command, executed from the rule base security level of the hierarchy, makes a
copy of rule1, called rule2.
[edit rulebase security]
username@hostname# copy rules rule1 to rule2
username@hostname#
The following command shows the location of the new rule in the hierarchy.
security {
rules {
rule1 {
source [ any 1.1.1.1/32 ];
destination 1.1.1.2/32;
}
rule2 {
source [ any 1.1.1.1/32 ];
destination 1.1.1.2/32;
}
}
}

Palo Alto Networks
delete
delete
Remove a node from the candidate configuration along with all its children.
Note: No confirmation is requested when this command is entered.
Syntax
delete [node]
Options
node
Specifies the hierarchy node to delete.
Sample Output
The following command deletes the application myapp from the candidate configuration.
username@hostname# delete application myapp
[edit]
username@hostname#

Palo Alto Networks
edit
edit
Change context to a lower level in the configuration hierarchy.
Syntax
edit [context]
Options
context
Specifies a path through the hierarchy.
Sample Output
The following command changes context from the top level to the network profiles level of
the hierarchy.
[edit]
username@hostname# edit rulebase
[edit rulebase]
username@hostname#

Palo Alto Networks
exit
exit
Exit from the current PAN-OS CLI level.
From Operational modeExits the PAN-OS CLI.
From Configuration mode, top hierarchy levelExits Configuration mode, returning to

Operational mode.
From Configuration mode, lower hierarchy levelsChanges context to one level up in the
hierarchy. Provides the same result as the up command.
Note: The exit command is the same as the quit command.
Syntax
exit
Options
None
Sample Output
The following command changes context from the network interface level to the network
level.
[edit network]
username@hostname#
The following command changes from Configuration mode to Operational mode.

[edit]
username@hostname>

All
Palo Alto Networks
load
load
Assigns the last saved configuration or a specified configuration to be the candidate
configuration.
Syntax
load config [from filename]
Options
filename
Specifies the filename from which the configuration will be loaded.
Sample Output
The following command assigns output.xml to be the candidate configuration.
[edit]
username@hostname# load config from output.xml
command succeeded
[edit]
username@hostname#

Palo Alto Networks
move
move
Relocate a node in the hierarchy along with its children to be at another location at the same
hierarchy level.
Syntax
move element [bottom | top | after element | before element]
Options
element
Specifies the items to be moved.
element
placement
Specifies the new location of the element:
element2
Option
Description
bottom
Makes the element the last entry of the hierarchy level.
top
Makes the element the first entry of the hierarchy level.
after
Moves element to be after element2.
before
Moves element to be before element2.
Indicates the element after or before which element1 will be placed.
Sample Output
The following command moves the security rule rule1 to the top of the rule base.
username@hostname# move rulebase security rules rule1 top
[edit]
username@hostname#

Palo Alto Networks
quit
quit
Exit from the current PAN-OS CLI level.
From Operational modeExits the PAN-OS CLI.
From Configuration mode, top hierarchy levelExits Configuration mode, returning to

Operational mode.
From Configuration mode, lower hierarchy levelsChanges context to one level up in the
hierarchy. Provides the same result as the up command.
Note: The exit and quit commands are interchangeable.
Syntax
quit
Options
None
Sample Output
The following command changes context from the network interface level to the network
level.
[edit log-settings]
[edit]
username@hostname#
The following command changes from Configuration mode to Operational mode.

[edit]
username@hostname>

All
Palo Alto Networks
rename
rename
Change the name of a node in the hierarchy.
Syntax
rename [node1] to [node2]
Options
node1
Indicates the original node name.
node2
Indicates the new node name.
Sample Output
The following command changes the name of a node in the hierarchy from 1.1.1.1/24 to
1.1.1.2/24.
username@hostname# rename network interface vlan ip 1.1.1.1/24 to 1.1.1.2/24

Palo Alto Networks
run
run
Execute an Operational mode command while in Configuration mode.
Syntax
run [command]
Options
command
Specifies an Operational mode command.
Sample Output
The following command executes a ping command to the IP address 1.1.1.2 from
Configuration mode.
username@hostname# run ping 1.1.1.2
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
...
username@hostname#

Palo Alto Networks
save
save
Saves a snapshot of the firewall configuration.
Note: This command saves the configuration on the firewall, but does not make
the configuration active. Use the commit command to make the current candidate
configuration active.
Syntax
save config [to filename]
Options
filename
Specifies the filename to store the configuration. The filename cannot include
a hyphen (-).
Sample Output
The following command saves a copy of the configuration to the file savefile.
[edit]
username@hostname# save config to savefile
Config saved to savefile
[edit]
username@hostname#

Palo Alto Networks
set
set
Changes a value in the candidate configuration. Changes are retained while the firewall is
powered until overwritten.
Note: To save the candidate configuration in non-volatile storage, use the save
command. To make the candidate configuration active, use the commit command.
Syntax
set [context]
Options
context
Sample Output
The following command assigns the ethernet1/4 interface to be a virtual wire interface.
[edit]
username@hostname# set network interface ethernet ethernet1/1 virtual-wire
[edit]
username@hostname#
The following command sets the VLAN IP address to 1.1.1.4/32 from the network interface
vlan level of the hierarchy.
username@hostname# set ip 1.1.1.4/32
username@hostname#
The following command locks an administrative user out for 15 minutes after 5 failed login
attempts.
username@hostname# set deviceconfig setting management admin-lockout 5
lockout-time 15

Palo Alto Networks
show
show
Display information about the current candidate configuration.
Syntax
show [context]
Options
context
Sample Output
The following command shows the full candidate hierarchy.
The following commands can be used to display the hierarchy segment for network interface.
Specify context on the command line:

show network interface
Use the edit command to move to the level of the hierarchy, and then use the show
command without specifying context:
edit network interface
[edit network interface] show

Palo Alto Networks
top
top
Change context to the top hierarchy level.
Syntax
top
Options
None
Sample Output
The following command changes context from the network level of the hierarchy to the top
level.
[edit network]
username@hostname# top
[edit]
username@hostname#

All
Palo Alto Networks
up
up
Change context to the next higher hierarchy level.
Syntax
up
Options
None
Sample Output
The following command changes context from the network interface level of the hierarchy to
the network level.
username@hostname# up
[edit network]
username@hostname#

All
Palo Alto Networks
up
Palo Alto Networks
Chapter 4
Operational Mode Commands

This chapter contains command reference pages for the following operational mode
commands:
clear on page 53
configure on page 55
debug captive-portal on page 56
debug cli on page 57
debug cpld on page 58
debug dataplane on page 59
debug device-server on page 61
debug dhcpd on page 62
debug high-availability-agent on page 63
debug ike on page 64
debug keymgr on page 65
debug ldap-server on page 66
debug log-receiver on page 67
debug management-server on page 68
debug master-service on page 69
debug pppoed on page 70
debug rasmgr on page 71
debug routing on page 72
debug software on page 73
debug ssl-vpn on page 74
Palo Alto Networks
Operational Mode Commands 49
debug sslmgr on page 75
debug swm on page 76
debug tac-login on page 77
debug vardata-receiver on page 78
delete on page 79
exit on page 81
grep on page 82
less on page 84
netstat on page 85
ping on page 86
quit on page 88
request anti-virus on page 89
request certificate on page 90
request comfort-page on page 92
request content on page 93
request data-filtering on page 94
request device-registration on page 95
request high-availability on page 96
request license on page 97
request password-hash on page 98
request restart on page 99
request ssl-decrypt on page 100
request ssl-vpn on page 101
request support on page 102
request system on page 103
request tech-support on page 104
request url-filtering on page 105
request vpnclient on page 106
scp on page 107
set application on page 110
set cli on page 111
50 Operational Mode Commands
Palo Alto Networks
set clock on page 113
set data-access-password on page 114
set management-server on page 115
set panorama on page 116
set password on page 117
set serial-number on page 118
set session on page 119
set system setting on page 121
show admins on page 123
show arp on page 124
show authentication on page 125
show chassis-ready on page 126
show cli on page 127
show clock on page 128
show config on page 129
show counter on page 130
show device on page 131
show device-messages on page 132
show devicegroups on page 133
show dhcp on page 134
show fips-mode on page 135
show high-availability on page 136
show interface on page 137
show jobs on page 138
show location on page 139
show log on page 140
show mac on page 142
show management-clients on page 143
show management-interface on page 144
show object on page 145
show panorama-certificate on page 146
Palo Alto Networks
show pbf on page 147
show pppoe on page 148
show qos on page 149
show query on page 150
show report on page 151
show routing on page 152
show running on page 156
show session on page 158
show ssl-vpn on page 161
show statistics on page 162
show system on page 163
show system setting on page 165
show threat on page 167
show user on page 168
show virtual-wire on page 169
show vlan on page 170
show vpn on page 171
show zone-protection on page 173
ssh on page 174
tail on page 175
telnet on page 176
test on page 177
tftp on page 179
traceroute on page 181
view-pcap on page 183
Palo Alto Networks
clear
clear
Reset information, counters, sessions, or statistics.
Syntax
clear
clear
clear
clear
clear
clear
clear
clear
clear
clear
clear
clear
clear
clear
clear
clear
clear
clear
clear
application-signature statistics
arp option
counter option
dhcp lease option
high-availability option
job option
log option
mac option
nat-rule-cache option
pbf option
pppoe option
query option
report option
routing option
session option
statistics option
url-cache option
user-cache option
vpn option
Options
applicationsignature
statistics
Clears application-signature statistics.
arp
Clears Address Resolution Protocol (ARP) information for a specified

interface, loopback, or VLAN, or all.
counter
Clears interface counters. Specify all counters, global counters, or

interface counters.
dhcp lease
Clears Dynamic Host Configuration Protocol (DHCP) leases. Specify all

or specify an interface and optional IP address.
high-availability
Clears high availability statistics.
job
Clears download jobs. Specify the job ID.
log
Removes log files from disk. Specify the log type: acc, config, system,
threat, or traffic.
mac
Clears MAC address information for a specified VLAN or all addresses.
nat-rule-cache
Clears the specified dynamic-ip Network Address Translation (NAT)

rule ippool cache.
pbf
Clears policy based forwarding runtime statistics.
Palo Alto Networks
clear
pppoe
Clears the Point-to-Point Protocol over Ethernet (PPPoE) interface

connection.
query
Clears the query jobs list.
report
Clears the report jobs list.
routing
Clears routing information.
session
Clears a specified session or all sessions. Refer to show session on

page 158 for a description of the filter options when clearing all sessions.
statistics
Clears all statistics.
vpn
Clears Internet Key Exchange (IKE) or IP Security (IPSec) VPN run-time

objects:
flowClears the VPN tunnel on the data plane. Specify the tunnel or
press Enter to apply to all tunnels.
ike-saRemoves the active IKE Security Association (SA) and stops all
ongoing key negotiations. Specify the gateway or press Enter to apply
to all gateways.
ipsec-saDeactivates the IPsec SA for a tunnel or all tunnels. Specify
the tunnel or press Enter to apply to all tunnels.
Sample Output
The following command clears the session with ID 2245.
username@hostname> clear session id 2245
Session 2245 cleared
username@hostname>

Palo Alto Networks
configure
configure
Enter Configuration mode.
Syntax
configure
Options
None
Sample Output
To enter Configuration mode from Operational mode, enter the following command.
[edit]
username@hostname#

Palo Alto Networks
debug captive-portal
debug captive-portal
Define settings for debugging the captive portal daemon.
Syntax
debug captive-portal option
Options
show
Shows whether this command is on or off.
off
Turns the debugging option off.
on
Turns the debugging option on.
Sample Output
The following command turns the debugging option on.
admin@PA-HDF> debug captive-portal on
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug cli
debug cli
Define settings and display information for debugging the CLI connection.
Syntax
debug cli option
Options
detail
Shows details information about the CLI connection.
show
off
on
Sample Output
The following command shows details of the CLI connection.
admin@PA-HDF> debug cli detail
Environment variables :
(USER . admin)
(LOGNAME . admin)
(HOME . /home/admin)
(PATH . /usr/local/bin:/bin:/usr/bin)
(MAIL . /var/mail/admin)
(SHELL . /bin/bash)
(SSH_CLIENT . 10.31.1.104 1109 22)
(SSH_CONNECTION . 10.31.1.104 1109 10.1.7.2 22)
(SSH_TTY . /dev/pts/0)
(TERM . vt100)
(LINES . 24)
(COLUMNS . 80)
(PAN_BASE_DIR . /opt/pancfg/mgmt)
PAN_BUILD_TYPE : DEVELOPMENT
Total Heap : 7.00 M

Used
: 5.51 M
Nursery
: 0.12 M
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug cpld
debug cpld
Debug the complex programmable logic device (CPLD).
Syntax
debug cpld
Options
None
Sample Output
N/A

superuser vsysadmin
Palo Alto Networks
debug dataplane
debug dataplane
Configure settings for debugging the data plane.
Syntax
debug dataplane option
Options
The available sub-options depend on the specified option.
device
Debug data plane hardware component.
flow-control
Enable or disable flow control.
fpga
Debug the field programmable gate array (FPGA).
internal
Debug the data plane internal state.
memory
Examine data plane memory.
monitor
Debug data plane monitor details.
nat
Debug Network Address Translation (NAT).
packet-diag
Perform packet related diagnosis.
pool
Debug buffer pools, including checks of hardware and software

utilization and buffer pool statistics.
pow
Debug the packet scheduling engine.
process
Debug the data plane process for the high-availability agent (ha-agent)
and management plane relay agent (mprelay).
reset
Reset the settings for debugging the data plane.
show
Show data plane running information.
task-heartbeat
Debug the data plane task heartbeat.
tcp
Examine the TCP state of the data plane.
test
Use test cases to verify system settings.
Sample Output
The following command shows the statistics for the dataplane buffer pools.
admin@PA-HDF> debug dataplane pool statistics
The following command turns dataplane filtering on and sets filter parameters.
admin@PA-HDF> debug dataplane filter on
admin@PA-HDF> debug dataplane filter set source 10.1 11.2.3 file abc.pcap
Palo Alto Networks
debug dataplane

superuser vsysadmin
Palo Alto Networks
debug device-server
debug device-server
Configure settings for debugging the device server.
Syntax
debug device-server option
Options
clear
Clear all debug logs.
delete
Remove data.
dump
Dump the debug data.
off
Turn off debug logging.
on
Turn on debug logging.
refresh
Refresh the user-group data.
reset
Clear logging data.
save
Save data.
set
Set debugging values.
show
Display current debug log settings.
test
Test the current settings.
unset
Remove current settings.
Sample Output
The following command turns off debug logging for the device server.
admin@PA-HDF> debug device-server off
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug dhcpd
debug dhcpd
Configure settings for debugging the Dynamic Host Configuration Protocol (DHCP) daemon.
Syntax
debug dhcpd option
Options
global
Define settings for the global DHCP daemon.
pcap
Define settings for debugging packet capture.
Sample Output
The following command shows current global DHCP daemon settings.
admin@PA-HDF> debug dhcpd global show
sw.dhcpd.runtime.debug.level: debug
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug high-availability-agent
debug high-availability-agent
Configure settings for debugging the high availability agent.
Syntax
debug high-availability-agent option
Options
clear
Clear the debug logs.
internal-dump
Dump the internal state of the agent to its log.
model-check
Turn model checking with the peer on or off.
off
on
show
Sample Output
The following command turns modeling checking on for the high availability agent.
admin@PA-HDF> debug high-availability-agent model-check on
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug ike
debug ike
Configure settings for debugging Internet Key Exchange (IKE) daemon.
Syntax
debug ike option
Options
global
Configure global settings.
pcap
Configure packet capture settings.
socket
Configure socket settings.
stat
Show IKE daemon statistics.
Sample Output
The following command turns on the global options for debugging the IKE daemon.
admin@PA-HDF> debug ike global on
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug keymgr
debug keymgr
Configure settings for debugging the key manager daemon.
Syntax
debug keymgr option
Options
list-sa
Lists the IPSec security associations (SAs) that are stored in the key manager
daemon.
off
Turn the settings off.
on
Turn the settings on.
show
Show key manager daemon information.
Sample Output
The following command shows the current information on the key manager daemon.
admin@PA-HDF> debug keymgr show
sw.keymgr.debug.global: normal
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug ldap-server
debug ldap-server
Configure settings for debugging Lightweight Directory Access Protocol (LDAP) servers.
Syntax
debug ldap-server option
Options
clear
Clears the debug settings.
Off
on
Turns the debugging option on. Specify the option.
refresh server <name | all>
Refreshes data for the specified server or all servers.
reset <bind | server

<name | all>>
Resets the binding socket or specified server.
stats
Show LDAP server statistics.
Sample Output
The following command sets the debug level to error.
admin@PA-HDF> debug ldap-server on
debug level set to error
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug log-receiver
debug log-receiver
Configure settings for debugging the log receiver daemon.
Syntax
debug log-receiver option
Options
off
on
show
statistics
Show log receiver daemon statistics.
Sample Output
The following command turns log receiver debugging on.
admin@PA-HDF> debug log-receiver on
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug management-server
debug management-server
Configure settings for debugging the management server.
Syntax
debug management-server option
Options
clear
client
Debug the management server client.
off
Turn debugging off
on
Turn debugging on.
phased-commit
Set experimental mode for committing in phases.
show
Show management server debug statistics.
Sample Output
The following example turns management server debugging on.
admin@PA-HDF> debug management-server on
(null)
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug master-service
debug master-service
Configure settings for debugging the master service.
Syntax
debug master-service option
Options
clear
internal-dump
Dump the internal state of the server to the log.
off
Turn debugging off
on
Turn debugging on.
show
Show debug settings.
Sample Output
The following command dumps the internal state of the master server to the log.
admin@PA-HDF> debug master-service internal-dump
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug pppoed
debug pppoed
Configure settings for debugging the Point-to-Point Protocol over Ethernet (PPPoE) daemon.
Syntax
debug pppoed option
Options
global
Set debugging options.
pcap
Perform packet capture.
show interface
Show PPPoE debug infomation. Specify for an interface or all.
Sample Output
The following command turns packet capture debugging off.
admin@PA-HDF> debug pppoed pcap off
debug level set to error
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug rasmgr
debug rasmgr
Configure settings for debugging the remote access service daemon.
Syntax
debug rasmgr option
Options
show
Show whether this command is on or off.
off
Turn the debugging option off.
on
Turn the debugging option on.
Sample Output
The following command shows the debug settings for the remote access service daemon.
admin@PA-HDF> debug rasmgr show
sw.rasmgr.debug.global: normal
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug routing
debug routing
Configure settings for debugging the route daemon.
Syntax
debug routing option
Options
fib
Turn on debugging for the forwarding table.
global
Turn on global debugging.
list-mib Show the routing list with management information base (MIB) names.
mib
Show the MIB tables.
pcap
Show packet capture data.
socket
Show socket data.
Sample Output
The following command displays the MIB tables for routing.
admin@PA-HDF> debug routing list-mib
i3EmuTable (1 entries)
==========================
sckTable (0 entries)
sckSimInterfaceTable (0 entries)
sckEiTable (0 entries)
sckEaTable (0 entries)
i3Table (0 entries)
i3EiTable (0 entries)
i3EaTable (0 entries)
i3EtTable (0 entries)
i3EmTable (0 entries)
dcSMLocationTable (0 entries)
dcSMHMTestActionObjects (0 entries)
siNode (0 entries)
siOSFailures (0 entries)
siTraceControl (0 entries)
siExecAction (0 entries)
...
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug software
debug software
Restart software processes to aid debugging.
Syntax
debug software restart option
Options
device-server
Restart the device server.
management-server
Restart the management server.
web-server
Restart the web server.
Sample Output
The following command restarts the web server.
admin@PA-HDF> debug software restart web-server
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug ssl-vpn
debug ssl-vpn
Set debugging options for the Secure Socket Layer (SSL)-virtual private network (VPN) web
server.
Syntax
debug ssl-vpn <global | socket>
Options
global
Turn debugging on or off at on the global level and show debugging

results.
socket
Debug on the socket level.
Sample Output
The following command displays socket level information.
admin@PA-HDF> debug ssl-vpn socket
Proto Recv-Q Send-Q Local Address
Program name
tcp
0
0 0.0.0.0:20077
appweb
tcp
0
0 0.0.0.0:20088
appweb
Foreign Address
State
PID/
0.0.0.0:*
LISTEN
1674/
0.0.0.0:*
LISTEN
1674/
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug sslmgr
debug sslmgr
Set debugging options for the Secure Socket Layer (SSL) manager daemon that validates
certificates for the Certificate Revocation List (CRL) and the Online Certificate Status Protocol
(OCSP).
Syntax
debug sslmgr option
Options
delete
Remove the CRL/OCSP cache.
off
Turn the manager daemon off.
on
Turn the manager daemon on.
save
Save the contents of the OCSP cache.
show
Display the contents of the OCSP cache.
statistics
Display the CRL/OCSP statistics.
tar-all-crl
Save all CRL files to a tar file.
view
Display the CRL/OCSP cache (specify cache).
Sample Output
The following command displays the CRL cache.
admin@PA-HDF> debug sslmgr view crl
http://EVIntl-crl.verisign.com/EVIntl2006.crl
http://EVSecure-crl.verisign.com/EVSecure2006.crl
http://EVSecure-crl.verisign.com/pca3-g5.crl
http://SVRC3SecureSunMicrosystems-MPKI-crl.verisign.com/
SunMicrosystemsIncClassBUnified/LatestCRLSrv.crl
http://SVRIntl-crl.verisign.com/SVRIntl.crl
http://SVRSecure-crl.verisign.com/SVRSecure2005.crl
http://certificates.godaddy.com/repository/gdroot.crl
...
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug swm
debug swm
Configure settings for debugging the Palo Alto Networks software manager.
Syntax
debug swm option
Options
command
Run a software manager command.
history
Show the history of software installation operations.
list
List software versions that are available for installation.
refresh
Revert back to the last successfully installed content.
revert
Revert back to the last successfully installed software.
status
Show the status of the software manager.
unlock
Unlock the software manager.
Sample Output
The following command shows the list of available software versions.
admin@PA-HDF> debug swm list
3.1.0-c4.dev
3.1.0-c1.dev_base
3.0.0-c207
3.0.0-c206
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug tac-login
debug tac-login
Configure settings for debugging the Palo Alto Networks Technical Assistance Center (TAC)
connection.
Syntax
debug tac-login option
Options
enable
Enable TAC login.
disable
Disable TAC login.
permanently-disable
Turn off TAC login debugging permanently.
Sample Output
The following command turns TAC login debugging on.
admin@PA-HDF> debug tac-login on
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
debug vardata-receiver
debug vardata-receiver
Configure settings for debugging the variable data daemon.
Syntax
debug vardata-receiver option
Options
off
on
show
statistics
Show log receiver daemon statistics.
Sample Output
The following command shows statistics for the variable data daemon.
admin@PA-HDF> debug vardata-receiver statistics
admin@PA-HDF>

superuser vsysadmin
Palo Alto Networks
delete
delete
Remove specified types of files from disk or restore the default comfort pages that are
presented when files or URLs are blocked.
Syntax
delete option
Options
admin-sessions
Remove all active administrative sessions.
anti-virus
Remove anti-virus updates on disk.
application-block-page
Remove the custom page presented to users when their

applications are blocked.
captive-portal-text
Remove the text on the custom captive portal page.
certificate
Remove SSL certificate files.
config
Remove configuration files.
config-audit
Remove the configuration audit history.
content
Remove content updates.
core
Remove core control or data plane cores.
data-capture
Remove data capture files.
debug-filter
Remove debugging packet capture files on disk.
file-block-page
Remove the page presented to users when files are blocked.

Restores default page.
high-availability
Remove the high availability peer encryption key.
license
Remove a license key file.
logo
Remove a custom logo file.
pcap
Remove packet capture files.
policy-cache
Remove cached policy compilations.
report
Remove specified reports.
software
Remove a software image.
ssl-cert-status-page
Remove the custom page presented to users when an SSL

certificate is revoked.
ssl-optout-text
Remove the page presented to users when a web session is to

be decrypted. Restores default page.
sslvpn-custom-login-page
Remove the SSL VPN custom login page.
threat-pcap
Remove threat packet capture files in a specified directory.
unknown-pcap
Remove packet capture files for unknown sessions.
url-block-page
Remove the page presented to users when web pages are

blocked. Restores default page.
Palo Alto Networks
delete
url-coach-text
Remove the page presented to users. Restores default page.
user-file
Remove user account settings.
virus-block-page
Remove the page presented to users when web pages are

blocked.
vpnclient
Remove the VPN client software image.
Sample Output
The following command deletes the custom page presented to users when their applications
are blocked.
username@hostname> delete application-block-page
username@hostname>

Palo Alto Networks
exit
exit
Exit the PAN-OS CLI.
Note: The exit command is the same as the quit command.
Syntax
exit
Options
None
Sample Output
N/A

All
Palo Alto Networks
grep
grep
Find and list lines from log files that match a specified pattern.
Syntax
grep [after-context number] [before-context number] [context
number] [count] [ignore-case <yes | no>] [invert-match <yes | no>]
[line-number <yes | no>] [max-count number] [no-filename <yes |
no>] [pattern value] <dp-log | mp-log> file
Options
after-context
Prints the matching lines plus the specified number of lines that follow the
matching lines.
before-context
Prints the matching lines plus the specified number of lines that precede the
matching lines.
context
Prints the specified number of lines in the file for output context.
count
Specifies whether a count is included in the results.
ignore-case
Ignores case distinctions.
invert-match
Selects non-matching lines instead of matching lines.
line-number
Adds the line number at the beginning of each line of output.
max-count
Stops reading a file after the specified number of matching lines.
no-filename
Does not add the filename prefix for output.
pattern
Indicates the string to be matched.
dp-log | mp-log
file
Indicates the type of file and file name to search for the pattern:
dp-logLogs associated with the data plane.
mp-logLogs associated with the management plane.
Sample Output
The following command searches the brdagent.log file for occurrences of the string
HEARTBEAT.
username@hostname> grep dp-log sysdagent.log
*
Jan 20 14:35:48 HEARTBEAT: Heartbeat failure
username@hostname>
pattern HEARTBEAT
on
on
on
on
on
on
on
on
on
core
core
core
core
core
core
core
core
core
4
1
8
2
5
15
3
7
6
Palo Alto Networks
grep

All
Palo Alto Networks
less
less
List the contents of the specified log file.
Syntax
less type file
Options
type
Indicates the type of log file to be searched:

custom-page
dp-backtrace
dp-log
mp-backtrace
mp-log
webserver-log
file
Indicates the log file to be searched:
Sample Output
The following command lists the contents of the web server error log.
username@hostname>
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
default:2 main
...
less webserver-log error.log

Configuration for Mbedthis Appweb
-------------------------------------------Host:
pan-mgmt2
CPU:
i686
OS:
LINUX
Distribution:
unknown Unknown
OS:
LINUX
Version:
2.4.0.0
BuildType:
RELEASE
Started at:
Mon Mar 2 12

All
Palo Alto Networks
netstat
netstat
Displays packet capture file content.
Syntax
netstat type <no | yes>
Options
type
Indicates the packet capture file type:

allDisplay all sockets (default: connected).
cacheDisplay routing cache instead of Forwarding Information Base (FIB).
continuousContinuous listing.
extendDisplay other/more information.
fibDisplay FIB (default).
groupsDisplay multicast group memberships.
interfacesDisplay interface table.
listeningDisplay listening server sockets.
numericDo not resolve names.
numeric-hostsDo not resolve host names.
numeric-portsDo not resolve port names.
numeric-usersDo not resolve user names.
programsDisplay PID/Program name for sockets.
routeDisplay routing table.
statisticsDisplay networking statistics (like SNMP).
symbolicResolve hardware names.
timersDisplay timers.
verboseDisplay full details.
no | yes
Indicates whether the specified option is included in the output.
Sample Output
The following command shows an excerpt from the output of the netstat command.
username@hostname> netstat all yes
...
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags
Type
State
I-Node Path
unix 2
[ ACC ]
STREAM
LISTENING
5366
/tmp/ssh-lClRtS1936/
agent.1936
unix 2
[ ]
DGRAM
959
@/org/kernel/udev/udevd
unix 18
[ ]
DGRAM
4465
/dev/log
...

All
Palo Alto Networks
ping
ping
Check network connectivity to a host.
Syntax
ping [bypass-routing] [count] [do-not-fragment] [inet] [no
resolve] [pattern] [size] [source] [tos] [ttl] host
Options
bypass-routing
Sends the ping request directly to the host on a direct attached network,
bypassing usual routing table.
count
Specifies the number of ping requests to be sent.
do-not-fragment
Prevents packet fragmentation by use of the do-not-fragment bit in the

packets IP header.
inet
Specifies that the ping packets will use IP version 4.
interval
Specifies how often the ping packets are sent (0 to 2000000000 seconds).
no-resolve
Provides IP address only without resolving to hostnames.
pattern
Specifies a custom string to include in the ping request. You can specify up to
12 padding bytes to fill out the packet that is sent as an aid in diagnosing datadependent problems.
size
Specifies the size of the ping packets.
source
Specifies the source IP address for the ping command.
tos
Specifies the type of service (TOS) treatment for the packets by way of the TOS
bit for the IP header in the ping packet.
ttl
Specifies the time-to-live (TTL) value for the ping packet (IPv6 hop-limit
value) (0-255 hops).
verbose
Requests complete details of the ping request.
host
Specifies the host name or IP address of the remote host.
Sample Output
The following command checks network connectivity to the host 66.102.7.104, specifying 4
ping packets and complete details of the transmission.
username@hostname> ping count 4 verbose 66.102.7.104
PING 66.102.7.104 (66.102.7.104) 56(84) bytes of data.
64 bytes from 66.102.7.104: icmp_seq=0 ttl=243 time=316
ms
ms
ms
ms
--- 66.102.7.104 ping statistics --4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 201.718/342.816/476.595/99.521 ms, pipe 2
username@hostname>
Palo Alto Networks
ping

Palo Alto Networks
quit
quit
Exit the current session for the firewall.
Note: The quit command is the same as the exit command.
Syntax
quit
Options
None
Sample Output
N/A

All
Palo Alto Networks
request anti-virus
request anti-virus
Upgrade and downgrade anti-virus packages and obtain information about the packages
Syntax
request anti-virus downgrade install <previous | package>
request anti-virus upgrade check
request anti-virus upgrade download latest [sync-to-peer <no |
yes>]
request anti-virus upgrade info
request anti-virus upgrade install [commit <no | yes>]
[sync-to-peer <no | yes>] [file name | version latest]
Options
previous
Installs the previous version.
package
Installs the specified anti-virus package.
check
Obtains information on available packages from the Palo Alto Networks

server.
latest
Specifies the latest available anti-virus package.
info
Requests information about available anti-virus packages.
sync-to-peer
Indicates whether a copy of the package will be provided to another highavailability peer firewall.
commit
Indicates whether the installed package will be committed to the firewall.
file
Specifies the name of the file containing the anti-virus package.
version
Specifies the latest version of the anti-virus software package.
Sample Output
The following command displays information on the anti-virus packages that are available for
installation.
username@hostname> request anti-virus upgrade info
Version
Size
Released on Downloaded
------------------------------------------------------------------------46-93
44MB 2009/11/19 11:50:38
yes
username@hostname>

Palo Alto Networks
request certificate
request certificate
Generate a self-signed security certificate.
Syntax
request certificate install for-use-by option
request certificate self-signed option
request certificate verify for-use-by web-interface option
Options
install for-useby
Installs the generated certificate of the specified type:

client-cert-ocsp-verify-caSecure Socket Layer (SSL) Client Certificate.
client-certificate-caSSL Client Certificate from Certificate Authority (CA).
inbound-proxyReverse proxy module.
ssl-decryptionSSL decryption module.
ssl-untrustedSSL decryption module for untrusted sites.
trusted-ca-certificateSSL decryption CA certificate.
web-interfaceEmbedded web interface.
self-signed
Generates the self-signed certificate. Options include:

country-codeTwo-character code for the country in which the certificate
will be used.
emailEmail address of the contact person.
localityCity, campus, or other local area.
nbits valueNumber of bits in the certificate (512 or 1024).
organizationOrganization using the certificate.
organization unitDepartment using the certificate.
stateTwo-character code for the state or province in which the certificate
will be used.
nameIP address or fully qualified domain name (FQDN) to appear on the
certificate (required).
passphrasePassphrase for encrypting the private key (required).
verify for-useby webcertificate
Requests the certificate for the embedded web interface. Options include:
certificatePublic certificate file.
key Private key file.
passphrasePass phrase for decrypting private key (required).
Sample Output
The following command requests a self-signed certificate for the web interface with length
1024 and IP address 1.1.1.1.
username@hostname> request certificate self-signed nbits 1024 name 1.1.1.1
for-use-by web-interface
username@hostname>
Palo Alto Networks
request certificate

Palo Alto Networks
request comfort-page
request comfort-page
Installs a user-defined comfort page.
Syntax
request comfort page install option
Options
option
Specifies the type of file to export to the other host.

Option
Description
applicationblock-page
Application packet capture file.
file-block-page
File containing comfort pages to be presented

when files are blocked.
spyware-blockpage
Comfort page to be presented when files are

blocked due to spyware.
url-block-page

blocked due to a blocked URL.
virus-block-page

blocked due to a virus.
The following command installs an application block page.

username@hostname> request comfort-page install application-block-page
Shared application-block-page installed successfully!
username@hostname>

Palo Alto Networks
request content
request content
Perform application level upgrade operations.
Syntax
request content upgrade [check | download latest | info | install
latest]
Options
check
Obtain information from the Palo Alto Networks server.
download latest
Download application identification packages.
info
Show information about the available application ID packages.
install latest
Install application identification packages.
Sample Output
The following command lists information about the firewall server software.
username@hostname> request content upgrade check
Version
Size
------------------------------------------------------------------------13-25
10MB 2007/04/19
15:25:02
yes
username@hostname>

Palo Alto Networks
request data-filtering
request data-filtering
Assign passwords for data filtering.
Syntax
request data-filtering access-password option
Options
option
Specifies one of the following options.

Option
Description
create password
pword
Creates the specified password.
modify oldpassword oldpwd

new-password
newpwd o
Changes the specified old password to the

new password.
delete
Deletes the data filtering password. When

this command is issued, the system prompts
for confirmation and warns that logged data
will be deleted and logging will be stopped.
Sample Output
The following command assigns the specified password for data filtering.
username@hostname> request data-filtering access-password create password
mypwd
username@hostname>

Palo Alto Networks
request device-registration
request device-registration
Perform device registration.
Syntax
request device-registration username user password pwd
Options
username
user
Specify the user name for device access.
password
pwd
Specify the password for device access.
Sample Output
The following command registers the device with the specified user name and password.
username@hostname> request device-registration username admin password
adminpwd
username@hostname>

Palo Alto Networks
request high-availability
request high-availability
Perform high-availability operations.
Syntax
request high-availability option
Options
option
Specifies one of the following options.

Option
Description
clear-alarm-led
Clears the high-availability alarm LED.
state
<functional |
suspended>
Changes the state to operational (functional) or suspended.
sync-to-remote
option
Performs synchronization operations:

candidate-configSynchronize the candidate configuration to peer.
clockSynchronize the local time and date to the peer.
disk-stateSynchronize required on-disk state to peer.
running-configSynchronize the running configuration
to peer.
runtime-stateSynchronize the runtime synchronization
state to peer.
Sample Output
The following command sets the high-availability state of the device to the suspended state.
username@hostname> request high-availability state suspend
username@hostname>

Palo Alto Networks
request license
request license
Perform license-related operations.
Syntax
request license [fetch [auth-code] | info | install]
Options
fetch
Gets a new license key using an authentication code.
auth-code
Specifies the authentication code to use in fetching the license.
info
Displays information about currently owned licenses.
install
Installs a license key.
Sample Output
The following command requests a new license key with the authentication code 123456.
username@hostname> request fetch auth-code 123456
username@hostname>

Palo Alto Networks
request password-hash
request password-hash
Generate a hashed string for the user password.
Syntax
request password-hash password pwd
Options
pwd
Specify the clear text password that requires the hash string.
Sample Output
The following command generates a hash of the specified password.
username@hostname> request password-hash password mypassword
$1$flhvdype$qupuRAx4SWWuZcjhxn0ED.

Palo Alto Networks
request restart
request restart
Restart the system or software modules.
CAUTION: Using this command causes the firewall to reboot, resulting in the
temporary disruption of network traffic. Unsaved or uncommitted changes will be
lost.
Syntax
request restart [dataplane | software | system]
Options
dataplane
Restarts the dataplane software.
software
Restarts all system software
system
Reboots the system.
Sample Output
The following command restarts all the firewall software.
username@hostname> request restart software

Palo Alto Networks
request ssl-decrypt
request ssl-decrypt
Installs a user-defined Secure Socket Layer (SSL) decryption notification page.
Syntax
request ssl-decrypt install option
Options
ssl-cert-status-page
Installs an SSL certificate block comfort page.
ssl-optout-text
Specifies the SSL output text for the page.
Sample Output
The following command installs an SSL certification block comfort page.
username@hostname> request ssl-decrypt install ssl-cert-status-page
username@hostname>

Palo Alto Networks
request ssl-vpn
request ssl-vpn
Forces logout from a Secure Socket Layer (SSL) virtual private network (VPN) session.
Syntax
request ssl-vpn client-logout option
Options
option
Specify the following required options:

portalSpecify the SSL VPN portal name.
domainSpecify the users domain name.
reason force-logoutSpecify to indicate that the logout is administrator-initiated.
userSpecify the user name.
Sample Output
The following command forces a logout of the specified user.
username@hostname> request ssl-vpn client-logout domain paloaltonetworks.com
port sslportal user ssmith reason force-logout

Palo Alto Networks
request support
request support
Obtain technical support information.
Syntax
request support [check | info]
Options
check
Get support information from the Palo Alto Networks update server.
info
Show downloaded support information.
Sample Output
The following command shows downloaded support information.
username@hostname> request support info
0
Support Home
https://support.paloaltonetworks.com
Manage Cases
https://support.paloaltonetworks.com/pa-portal/
index.php?option=com_pan&task=vie
wcases&Itemid=100
Download User Identification Agent
https://support.paloaltonetworks.com/pa-portal/
index.php?option=com_pan&task=sw_
updates&Itemid=135
866-898-9087
support@paloaltonetworks.com
November 07, 2009
Standard
10 x 5 phone support; repair and replace hardware service
username@hostname>

Palo Alto Networks
request system
request system
Download system software or request information about the available software packages.
Syntax
request system [fips [self-test-failure] | private-data-reset |
software [check | download [file | version] | info | install [file
| version] name]]
Options
fips selftestfailure
Simulates a system failure and reboot for Federal Information Processing Standards
(FIPS) 140-2.
privatedata-reset
Removes all of the logs and resets the configuration but does not reset content and
software versions.
check
Gets information from the Palo Alto Networks server.
download
Downloads software packages.
info
Shows information about the available software packages.
install
Downgrades to a downloaded software package.
Sample Output
The following command requests information about the software packages that are available
for download.
username@hostname> request system software info
Version
Filename
Size
Released Downloaded
------------------------------------------------------------------------3.0.1
panos.4050-3.0.1.tar.gz
127MB 2010/02/07 00:00:00
no
3.1.0
panos.4050-3.1.0.tar.gz
127MB 2009/02/07 00:00:00
no
username@hostname>

Palo Alto Networks
request tech-support
request tech-support
Obtain information to assist technical support in troubleshooting.
Syntax
request technical support dump
Options
None
Sample Output
The following command creates a dump for technical support.
username@hostname> request tech-support dump
Exec job enqueued with jobid 1
1

Palo Alto Networks
request url-filtering
request url-filtering
Perform URL filtering operations
Syntax
request url-filtering option
Options
upgrade
Upgrade to latest version. Optionally specify brightcloud to update the

BrightCloud database.
download
status
Show status of information download for URL filtering.
Sample Output
The following command upgrades the BrightCloud database.
username@hostname> request url-filtering upgrade brightcloud

Palo Alto Networks
request vpnclient
request vpnclient
Perform VPN client package operations.
Syntax
request vpnclient software option
Options
check
Obtain information from the Palo Alto Networks server.
download
Download software packages. Specify one of the following:

fileName of the file containing the software package.
versionSpecified software version.
info
Show downloaded support information.
install
Install the software as specified:

fileName of the file containing the software package.
versionSpecified software version.
Sample Output
The following command displays information about the available software packages.
username@hostname> request vpnclient software info
Version
Size
------------------------------------------------------------------------1.0.0-c54
916KB 2009/03/04 15:04:33
no
1.0.0-c53
916KB 2009/03/04 14:09:17
no
1.0.0-c52
916KB 2009/03/04 11:49:51
no
1.0.0-c51
916KB 2009/03/03 16:45:38
no

Palo Alto Networks
scp
scp
Copy files between the firewall and another host. Enables downloading of a customizable
HTML replacement message (comfort page) in place of a malware infected file.
Syntax
scp export export-option [control-plane | data-plane] to target
from source [remote-port portnumber] [source-ip address]
scp import import-option [source-ip address] [remote-port
portnumber] from source
Options
export export- Specifies the type of file to export to the other host.
option
Palo Alto Networks
Option
Description
Application block comfort page.
application-pcap
Application packet capture file.
captive-portaltext
Text to be included in a captive portal.
configuration
Configuration file.
core-file
Core file.
crl
crl.tgz file.
debug pcap
IKE negotiation packet capture file.
file-block-page
File containing comfort pages to be presented when

files are blocked.
filter-pcap
Export filter packet capture.
highavailability-key
High availability peer encryption key.
inbound-proxykey
Inbound proxy key.
log
Log in CSV format.
log-file
Log files.
logdb
Log database.
pdf-reports
PDF reports.
ssl-cert-status
SSL certificate status page.
ssl-decryptioncertificate
SSL decryption certificate.
scp
export export- Specifies the type of file to export to the other host.
option
Option
Description
ssl-optout-text
SSL optout text.
stats-dump
Log database in CSV format.
tech-support
Technical support information.
treat-pcap
Threat packet capture.
url-block-page
Comfort page to be presented when files are blocked

due to a blocked URL.
url-coach-text
Text to be presented when files are blocked due to a

blocked URL.
virus-block-page
Comfort page to be presented when files are blocked

due to a virus.
web-interfacecertificate
Web interface certificate.
import import- Specifies the type of file to import from the other host.
option
Option
Description
anti-virus
Anti-virus content.
Application block comfort page.
captive-portaltext
Text to be included in a captive portal.
configuration
Configuration file.
content
Database content.
file-block-page
File containing comfort pages to be presented

when files are blocked.
highavailability-key
High availability peer encryption key.
license
License file.
logdb
Log database.
private-key
SSL private key.
software
Software package.
ssl-cert-statuspage
SSL certificate status page.
ssl-certificate
SSL certificate.
ssl-optout-text
SSL optout text.
sslvpn-customlogin-page
SSL VPN custom login page.
Palo Alto Networks
scp
import import- Specifies the type of file to import from the other host.
option
Option
Description
url-block-page

blocked due to a blocked URL.
url-coach-text
Text about possible actions on URL comfort

page.
url-database
URL database package.
virus-block-page
Virus block comfort page.
vpnclient
VPN client package.
control-plane
Indicates that the file contains control information.
data-plane
Indicates that the file contains information about data traffic.
remote-port
portnumber
Specifies the port number on the remote host.
source-ip
address
Specifies the source IP address.
to
Specifies the destination user in the format username@host:path.
from
Specifies the source user in the format username@host:path.
Sample Output
The following command imports a license file from a file in user1s account on the machine
with IP address 10.0.3.4.
username@hostname> scp import ssl-certificate from user1@10.0.3.4:/tmp/
certificatefile

Palo Alto Networks
set application
set application
Set parameters for system behavior when applications are blocked.
Syntax
set application option
Options
cache <yes | no>
Enables (yes) or disables (no) the application cache.
dump <off | on option>
Enables (on) or disables (off) the application packet capture. The

following options determine the contents of the dump:
application Specified application.
destinationDestination IP address of the session.
destination-userDestination user.
destination-port Destination port.
zoneSpecified zone.
protocolSpecified protocol.
limit Maximum number of sessions to capture.
sourceSource IP address for the session.
source-userSpecified source user.
source-portSpecified source port.
dump-unknown <yes | no>
Enables (yes) or disables (no) capture of unknown applications.
heuristics <yes | no>
Enables (yes) or disables (no) heuristics detection for applications.
notify-user <yes | no>
Enables (yes) or disables (no) user notification when an application

is blocked.
supernode <yes | no>
Enables (yes) or disables (no) detection of super nodes for peer-topeer applications that have designated supernodes on the Internet.
Sample Output
The following command turns packet capture for unknown applications off.
username@hostname> set application dump off
username@hostname>

Palo Alto Networks
set cli
set cli
Set scripting and pager options for the PAN-OS CLI. Options are included to display
configuration commands in default format, XML format, or as operational set commands.
Syntax
set cli option
Options
config-outputformat
Sets the output format for the configuration file to the default, XML format, or
set command format.
configurationprompt
Enables or disables presentation of a confirmation prompt for some

configuration commands.
hide-ip
Hides or shows the last octet of the IP address in logs.
hide-user
Hides or shows user names in logs.
scripting-mode
Enables or disables scripting mode.
pager
Enables or disables pages.
terminal
Sets terminal parameters for CLI access.
timeout
Sets administrative session timeout values.
idle-value
Specifies the idle timeout (0-86400 seconds).
session-value
Specifies the administrative session timeout (0-86400 seconds).
off
Turns the option off.
on
Turns the option on.
Sample Output
The following command sequence sets the configuration mode to use set command format for
output and then displays the output of the show system log-export-schedule command in
Configuration mode.
username@hostname> set cli config-output-format set
[edit]
username@hostname# edit deviceconfig
[edit deviceconfig]
set deviceconfig
set deviceconfig
set deviceconfig
set deviceconfig
set deviceconfig
10.16.0.97
set deviceconfig
set deviceconfig
Palo Alto Networks
system
system
system
system
system
log-export-schedule
log-export-schedule
log-export-schedule
log-export-schedule
log-export-schedule
10.16.0.97
10.16.0.97
10.16.0.97
10.16.0.97
10.16.0.97
description 10.16.0.97
enable yes
log-type threat
start-time 03:00
protocol ftp hostname
system log-export-schedule 10.16.0.97 protocol ftp port 21

system log-export-schedule 10.16.0.97 protocol ftp passive-
set cli
mode yes
set deviceconfig system log-export-schedule 10.16.0.97 protocol ftp username
admin
set deviceconfig system log-export-schedule 10.16.0.97 protocol ftp password
mZDB7rbW5y8=
username@hostname#
The following command sequence shows the same example after XML is specified as the
command output format.
username@hostname> set cli config-output-format xml
[edit]
username@hostname# edit deviceconfig
[edit deviceconfig]
<log-export-schedule>
<entry name="10.16.0.97">
<description>10.16.0.97</description>
<enable>yes</enable>
<log-type>threat</log-type>
<start-time>03:00</start-time>
<protocol>
<ftp>
<hostname>10.16.0.97</hostname>
<port>21</port>
<passive-mode>yes</passive-mode>
<username>admin</username>
<password>mZDB7rbW5y8=</password>
</ftp>
</protocol>
</entry>
</log-export-schedule>
[edit deviceconfig]
[edit deviceconfig]
username@hostname#

Palo Alto Networks
set clock
set clock
Set the system date and time.
Syntax
set clock option
Options
date YYYY/MM/DD
Specify the date in yyyy/mm/dd format.
time hh:mm:ss
Specify the time in hh:mm:ss format (hh: 0-23, mm: 0-59, ss: 0-59).
Sample Output
The following command sets the system date and time.
username@hostname> set clock date 2009/03/20 time 14:32:00
username@hostname>

Palo Alto Networks
set data-access-password
set data-access-password
Set the access password for the data filtering logs.
Syntax
set data-access-password pwd
Options
pwd
Specifies the password.
Sample Output
The following command sets the password for data filtering logs.
username@hostname> set data-access password 12345678
username@hostname>

Palo Alto Networks
set management-server
set management-server
Set parameters for the management server, which manages configuration, reports, and
authentication for the firewall.
Syntax
set management-server option
Options
logging option
Sets the following logging options:

import-endExit import mode.
import-startEnter import mode.
offDisable logging.
onAllow logging.
unlock
Specifies the serial number or software license key.
Sample Output
The following command enables logging on the management server.
username@hostname> set management-server logging on
username@hostname>

Palo Alto Networks
set panorama
set panorama
Enable or disable connection between the firewall and Panorama.
Syntax
set panorama <off | on>
Options
on
Enables the connection between the firewall and Panorama.
off
Disables the connection between the firewall and Panorama.
Sample Output
The following command disables the connection between the firewall and Panorama.
username@hostname> set panorama off
username@hostname>

Palo Alto Networks
set password
set password
Set the firewall password. When you issue this command, the system prompts you to enter
the old and new password and to confirm the new password.
Syntax
set password
Options
None
Sample Output
The following example shows how to reset the firewall password.
username@hostname>
Enter old password
Enter new password
Confirm password
set password
: (enter the old password)
: (enter the new password0
: (reenter the new password)
Password changed
username@hostname>

Palo Alto Networks
set serial-number
set serial-number
(Panorama only) Configure the serial number of the Panorama machine. The serial number
must be set for Panorama to connect to the update server.
Syntax
set serial-number value
Options
value
Specifies the serial number or software license key.
Sample Output
The following command sets the Panorama serial number to 123456.
username@hostname> set serial-number 123456
username@hostname>

Palo Alto Networks
set session
set session
Set parameters for the networking session.
Syntax
set session [default | item value]
Options
default
Restores all session settings to the default values.
item
value
Specifies the debugging target or level.
Palo Alto Networks
Option
Value
Description
acceleratedaging-enable
no | yes
Enables or disables accelerated session

aging.
acceleratedaging-scalingfactor
Power of 2
Sets the accelerated session aging

scaling factor (power of 2).
acceleratedaging-threshold
Power of 2 (1-100)
Sets the accelerated aging threshold as

a percentage of session utilization.
offload
no | yes
Enables or disables hardware session

offload. Some firewall models have
specialized hardware to manage TCP,
UDP, and ICMP sessions. This option
command enables or disables this
capability. If it is disabled, the sessions
are managed by the firewall software.
tcp-reject-nonsyn
no | yes
Rejects non-synchronized TCP packets

for session setup.
timeout-default
Number of seconds
Sets the session default timeout value

in seconds.
timeout-icmp
1-15999999
Sets the session timeout value for

ICMP commands.
timeout-tcp
1-15999999
Sets the session timeout value for TCP

commands.
timeout-tcpinit
Number of seconds
Sets the initial TCP timeout value in

seconds.
timeout-tcpwait
Number of seconds
Sets the session TCP wait timeout

value in seconds.
timeout-udp
1-15999999
Sets the session timeout value for UDP

commands.
set session
Sample Output
The following command sets the TCP timeout to 1 second.
username@hostname> set session timeout-tcpwait 1
username@hostname>

Palo Alto Networks
set system setting
set system setting

Set system operational parameters.
Syntax
set
set
set
set
set
set
set
set
set
system
system
system
system
system
system
system
system
system
setting
setting
setting
setting
setting
setting
setting
setting
setting
ctd x-forwarded-for <no | yes>

jumbo-frame option
logging option
multi-vsys
shared-policy
ssl-decrypt option
target-vsys vssystem
url-database name
zip enable <yes | no>
Options
ctd xforwardedfor
Enables or disables parsing of the x-forwarded-for attribute.
jumbo-frame
Enables or disables jumbo frames.
logging
Sets logging parameters: Options include:

defaultRestores logging parameters to the default settings.
default-policy-loggingSets the default log policy.
log-suppressionEnables or disables log suppression.
max-packet-rate valueSets the maximum packet rate for logging.
max-log-rate valueSets the maximum logging rate.
multi-vsys
Enables or disables multiple virtual systems.
sharedpolicy
Enables, disables, or imports and disables shared policies.
ssl-decrypt
Sets SSL decryption parameters. Options include:

answer-timeoutSet ssl-decrypt answer timeout value.
notify-userEnable/disable notify user web page.
skip-sslEnable/disable SSL decryption.
skip-ssl-decryptEnable/disable ssl-decrypt.
target-vsys
Enable the specified virtual system for operational commands.
url-database
Set the URL database.
zip
Enables or disables decompression of traffic for content scanning purposes.
Palo Alto Networks
set system setting
Sample Output
The following command enables logging suppression.
username@hostname> set system setting logging log-suppression yes
username@hostname>

superuser, vsysadmin, deviceadmin, superreader, vsysreader
Palo Alto Networks
show admins
show admins
Display information about the active firewall administrators.
Syntax
show admins [all]
Options
all
Lists the names of all administrators.
Sample Output
The following command displays administrator information for the 10.0.0.32 firewall.
username@hostname> show admins | match 10.0.0
Admin
From
Type Session-start
Idle-for
-------------------------------------------------------------------------admin
10.0.0.132
Web 02/19 09:33:07
00:00:12s
username@hostname>

Palo Alto Networks
show arp
show arp
Shows current Address Resolution Protocol (ARP) entries.
Syntax
show arp interface
Options
interface
Specifies the interface for which the ARP table is displayed.

all
Shows information for all ARP tables.
ethernetn/m
Shows information for the specified interface.
loopback
Shows loopback information.
vlan
Shows VLAN information.
Sample Output
The following command displays ARP information for the ethernet1/1 interface.
username@hostname> show arp ethernet1/1
maximum of entries supported :
default timeout:
total ARP entries in table :
total ARP entries shown :
status: s - static, c - complete, i
8192
1800 seconds
0
0
- incomplete
username@hostname>

Palo Alto Networks
show authentication
show authentication
Shows authentication information.
Syntax
show authentication option
Options
interface
Specifies the following authentication information.

allowlistShows the authentication allow list.
groupdbLists the group authentication databases.
groupnamesLists the distinct group names.
Sample Output
The following command shows the list of users that are allowed to access the firewall.
username@hostname> show authentication allowlist
vsysname
---------vsys1
vsys1
profilename
----------SSLVPN
wtam-SSLVPN
username
---------------------------paloaltonetwork\domain users
group1
username@hostname>

Palo Alto Networks
show chassis-ready
show chassis-ready
Shows whether the dataplane has a running policy.
Syntax
show chassis-ready
Options
None
Sample Output
The following command shows that the dataplane has a currently running policy.
username@hostname> show chassis-ready
yes
username@hostname>

Palo Alto Networks
show cli
show cli
Shows information about the current CLI session.
Syntax
show cli info
Options
None
Sample Output
The following command shows information about the current CLI session.
username@hostname> show cli info
Process ID
: 2045
Pager
: enabled
Vsys configuration mode : disabled
username@hostname>

Palo Alto Networks
show clock
show clock
Shows the current time on the firewall.
Syntax
show clock
Options
None
Sample Output
The following command shows the current time.
username@hostname> show clock
Sun Feb 18 10:49:31 PST 2007
username@hostname>

Palo Alto Networks
show config
show config
Shows the active configuration.
Syntax
show config
Options
None
Sample Output
The following command shows the configuration lines that pertain to VLANs.
username@hostname> show config | match vlan
vlan {
vlan;
username@hostname>

Palo Alto Networks
show counter
show counter
Display system counter information.
Syntax
show counter [global | interface]
Options
global
Shows global system counter information.
interface
Shows system counter information grouped by interface.
Sample Output
The following command displays all configuration counter information grouped according to
interface.
username@hostname> show counter interface
hardware interface counters:

-----------------------------------------------------------------------interface: ethernet1/1
-----------------------------------------------------------------------bytes received
0
bytes transmitted
0
packets received
0
packets transmitted
0
receive errors
0
packets dropped
0
-----------------------------------------------------------------------...
username@hostname>

Palo Alto Networks
show device
show device
(Panorama only) Show the state of managed devices.
Syntax
show device-messages [all | connected]
Options
all
Shows information for all managed devices.
connected
Shows information for all connected devices.
Sample Output
The following command shows information for connected devices.
username@hostname> show devices connected
Serial
Hostname
IP
Connected
-------------------------------------------------------------------------PA04070001
pan-mgmt2
10.1.7.2
yes
last push state:
none
username@hostname>

superuser, superuser (read only), Panorama admin
Palo Alto Networks
show device-messages
show device-messages
(Panorama only) Show information on the policy messages for devices.
Syntax
show device-messages [device] [group]
Options
device
Shows the messages only for the specified device.
group
Shows the messages only for the specified device group.
Sample Output
The following command shows the device messages for the device pan-mgmt2 and the group
dg1.
username@hostname> show device-messages device pan-mgmt2 group dg1
username@hostname>

Palo Alto Networks
show devicegroups
show devicegroups
(Panorama only) Show information on device groups.
Syntax
show devicegroups [name]
Options
name
Shows the information only for the specified device group.
Sample Output
The following command shows information for the device group dg1.
username@hostname> show devicegroups dg1
==========================================================================
Group: dg3 Shared policy md5sum:dfc61be308c23e54e5cde039689e9d46
Serial
Hostname
IP
Connected
-------------------------------------------------------------------------PA04070001
pan-mgmt2
10.1.7.2
yes
last push state: push succeeded
vsys3 shared policy md5sum:dfc61be308c23e54e5cde039689e9d46(In Sync)
username@hostname>

Palo Alto Networks
show dhcp
show dhcp
Show information on Dynamic Host Control Protocol (DHCP) leases.
Syntax
show dhcp lease <value | all>
Options
value
Identifies the interface (ethernetn/m)
all
Shows all the lease information.
Sample Output
The following command shows all lease information.
username@hostname> show dhcp all
interface: ethernet1/9
ip
mac
expire
66.66.66.1
00:15:c5:60:a5:b0 Tue Mar 11 16:12:09 2008
66.66.66.2
00:15:c5:e1:0d:b0 Tue Mar 11 16:08:01 2008
username@hostname>

Palo Alto Networks
show fips-mode
show fips-mode
Show information on Federal Information Processing Standards (FIPS) 140-2 mode.
Syntax
show fips-mode
Options
None
Sample Output
The following command shows that FIPS mode is off.
username@hostname> show fips-mode
off
username@hostname>

Palo Alto Networks
show high-availability
show high-availability
Show runtime information for the high-availability subsystem.
Syntax
show high-availability [all | control-link statistics| linkmonitoring | path-monitoring | state | state-synchronization]
Options
all
Shows all high-availability information.
control-link
statistics
Shows control-link statistic information.
link-monitoring
Shows the link-monitoring state.
path-monitoring
Shows path-monitoring statistics.
state
Shows high-availability state information.
statesynchronization
Shows state synchronization statistics.
Sample Output
The following command information for the high-availability subsystem.
username@hostname> show high-availability path-monitoring
---------------------------------------------------------------------------path monitoring:
disabled
total paths monitored:
0
---------------------------------------------------------------------------username@hostname>

Palo Alto Networks
show interface
show interface
Display information about system interfaces.
Syntax
show interface interface
Options
element
Specifies the interface.

all
Shows information for all ARP tables.
ethernetn/m
Shows information for the specified interface.
hardware
Shows hardware information.
logical
Shows logical interface information.
loopback
Shows loopback information.
vlan
Shows VLAN information.
Sample Output
The following command displays information about the ethernet1/2 interface.
username@hostname> show interface ethernet1/3
---------------------------------------------------------------------------Name: ethernet1/3, ID: 18
Link status:
Runtime link speed/duplex/state: unknown/unknown/down
Configured link speed/duplex/state: auto/auto/auto
Link is forced down due to link-state-pass-through
MAC address:
Port MAC address 00:1b:17:00:6f:12
Operation mode: virtual-wire
---------------------------------------------------------------------------Name: ethernet1/3, ID: 18
Operation mode: virtual-wire
Virtual wire: vw34, peer interface: ethernet1/4
Interface management profile: N/A
Service configured:
Zone: vw34, virtual system: vsys1

Palo Alto Networks
show jobs
show jobs
Display information about current system processes.
Syntax
show jobs [all | id number | pending | processed]
Options
all
Shows information for all jobs.
id number
Identifies the process by number.
pending
Shows recent jobs that are waiting to be executed.
processed
Shows recent jobs that have been processed.
Sample Output
The following command lists jobs that have been processed in the current session.
username@hostname> show jobs processed
Enqueued
ID
Type Status Result Completed
-------------------------------------------------------------------------2007/02/18 09:34:39
2 AutoCom
FIN
OK 2007/02/18 09:34:40
2007/02/18 09:33:00
1 AutoCom
FIN
FAIL 2007/02/18 09:33:54
username@hostname>

Palo Alto Networks
show location
show location
Show the geographic location of a firewall.
Syntax
show location ip address
Options
address
Specifies the IP address of the firewall.
Sample Output
The following command shows location information for the firewall 10.1.1.1.
username@hostname> show location ip 10.1.1.1
show location ip 201.52.0.0
201.52.0.0
Brazil
username@hostname>

Palo Alto Networks
show log
show log
Display system logs.
Syntax
show log [threat | config | system | traffic] [equal | not-equal]
option value
Options
threat
Displays threat logs.
config
Displays configuration logs.
system
Displays system logs.
traffic
Displays traffic logs.
option value
Restricts the output (the available options depend upon the keyword used in the
command (threat, config, system, traffic).
Option
Description
action
Type of alarm action (alert, allow, or drop)
app
Application.
client
Type of client (CLI or web).
command
Command.
dport
Destination port.
dst
Destination IP address.
from
Source zone.
receivetime in
Time interval in which the information was received.
result
Result of the action (failed, succeeded, or unauthorized).
rule
Rule name.
severity
Level of importance (critical, high, medium, low, informational)
sport
Source port.
src
Source IP address.
to
Destination zone.
greater-thanor-equal
Indicates that the option is equal to the specified value.
less-than-orequal
Indicates that the option is not equal to the specified value.
equal
Indicates that the option is equal to the specified value.
not-equal
Indicates that the option is not equal to the specified value.
Palo Alto Networks
show log
Sample Output
The following command shows the configuration log.
username@hostname> show log config
Time
Host
Command
Admin
Client Result
============================================================================
===
03/05 22:04:16 10.0.0.135
edit
admin
Web
Succeeded
03/05 22:03:22 10.0.0.135
edit
admin
Web
Succeeded
03/05 22:03:22 10.0.0.135
create
admin
Web
Succeeded
03/05 21:56:58 10.0.0.135
edit
admin
Web
Succeeded
...
username@hostname>

Palo Alto Networks
show mac
show mac
Display MAC address information.
Syntax
show mac [value | all]
Options
value
Specifies a MAC address (aa:bb:cc:dd:ee:ff format).
all
MAC address (aa:bb:cc:dd:ee:ff format).
Sample Output
The following command lists all currently MAC address information.
username@hostname> show mac all
maximum of entries supported :
8192
default timeout :
1800 seconds
total MAC entries in table :
4
total MAC entries shown :
4
status: s - static, c - complete, i - incomplete
vlan
hw address
interface
status
ttl
--------------------------------------------------------------------------Vlan56
0:0:1:0:0:3
ethernet1/5
c
1087
Vlan56
0:0:1:0:0:4
ethernet1/6
c
1087
Vlan11-12
0:0:1:0:0:9
ethernet1/12
c
487
Vlan11-12
0:0:1:0:0:10
ethernet1/11
c
487
username@hostname>

Palo Alto Networks
show management-clients
Show information about internal management server clients.
Syntax
Options
None
Sample Output
The following command shows information about the internal management server clients.
username@hostname> show management-clients
Client PRI
State Progress
------------------------------------------------------------------------routed 30
P2-ok
100
device 20
P2-ok
100
ikemgr 10
P2-ok
100
keymgr 10
init
0
(op cmds only)
dhcpd 10
P2-ok
100
ha_agent 10
P2-ok
100
npagent 10
P2-ok
100
exampled 10
init
0
(op cmds only)
Overall status: P2-ok. Progress: 0
Warnings:
Errors:

Palo Alto Networks
show management-interface
Show information about the state of the management interface.
Syntax
Options
None
Sample Output
The following command shows information about the management interface.
username@hostname> show management-interface
--------------------------------------------------------------------------Name: Management Interface
Link status:
Runtime link speed-duplex/state: 1Gb/s-full/Up
Configured link speed-duplex/state: auto/auto
MAC address:
Port MAC address 00:13:72:3c:c9:e3
--------------------------------------------------------------------------Port counters:
--------------------------------------------------------------------------rx-bytes
554989679
rx-packets
5535148
rx-drops
0
rx-errors
0
rx-multicast
6029
tx-bytes
86899026
tx-packets
250362
tx-drops
0
tx-errors
0
----------------------------------------------------------------------------

Palo Alto Networks
show object
show object
Shows the name of an address object with an IP address that exactly matches the address
specified in the filter.
Syntax
show object vsys name ip address
Options
vsys
Specify the virtual system.
ip
Specify the IP address (required).
Sample Output
The following command shows the name of an address object, one-more, with IP address
3.3.3.3 that exists in virtual system vsys1.
username@hostname> show object vsys vsys1 ip 3.3.3.3
one-more
username@hostname>

Palo Alto Networks
show panorama-certificate
Lists certificate information for connection between the firewall and Panorama. Primarily
used for debugging purposes.
Syntax
Options
None
Sample Output
The following command shows that the firewall has a Panorama certificate key file
client.pem.
username@hostname> show panorama-certificate
-rw-r--r-- 1 root root 4.6K Jul 14 2008 client.pem
username@hostname>

Palo Alto Networks
show pbf
show pbf
Displays runtime statistics for policy-based forwarding (PBF).
Syntax
show pbf rule [<all> | <name rule-name>]
Options
all
Displays information about all current policy-based forwarding rules.
name rule-name
Displays the runtime statistics for a specified policy-based forwarding rule.
Sample Output
The following command shows the current PBF settings.
username@hostname> show pbf rule all
Rule
ID
State
R-Action Egress IF
NextHop
Interval
Threshold Status M-Action KA sent KA got Packets Matched
========== ===== ======== ======== ============ ================ ========
========= ====== ========= ======= ====== ===============
r1
4
Normal Discard
0.0.0.0
0
0
UP
Monitor 0
0
0
to-host
7
Normal Forward ethernet1/1 100.1.1.254
2
3
UP
Fail-Over 1270
1270 0
to-tunnel 8
2
3
DOWN Fail-Over 23
23
2
r5
9
2
3
UP
Fail-Over 0
0
3
username@hostname>

Palo Alto Networks
show pppoe
show pppoe
Displays statistics about the Point-to-Point Protocol over Ethernet (PPPoE) connections.
Syntax
show pppoe interface <all | interfacename>
Options
all
Displays PPPoE information for all interfaces.
interfacename
Displays PPPoE information for the specified firewall interface.
Sample Output
The following command shows PPPoE information for the ethernet1/4 interface.
username@hostname> show pppoe interface ethernet1/4
Interface
PPPoE
PPP State
Username Access Concentrator MAC IP
ethernet1/4 Initiating Disconnected pa4020
Access Concentrator 00:11:22:33:44:55 10.0.2.2
username@hostname>

Palo Alto Networks
show qos
show qos
Show quality of service (QoS) runtime information.
Syntax
show qos interface if option
Options
counter
Show software based QoS counters.
hw-counter
Show hardware QoS counters.
match-rule
Show members of regular traffic configuration.
throughput
Show throughput (last 3 seconds) of all classes under given node-ID.
tunnelthroughput
Show throughput (last 3 seconds) of all classes under given tunnel

interface.
Sample Output
The following command shows the QoS throughput for interface ethernet1/2, node defaultgroup (ID 0):
username@hostname> show qos interface ethernet1/2 throughput 0
QoS throughput for interface ethernet1/2, node default-group (Qid 0):
class 4:
362 kbps
username@hostname>

Palo Alto Networks
show query
show query
Show information about query jobs.
Syntax
show query <jobs | id value>
Options
jobs
Displays all job information.
id value
Displays job information for the specified ID.
Sample Output
The following command shows information about all current query jobs.
username@hostname> show query jobs
Enqueued
ID Last Upd
-------------------------------------------------------------------------13:58:19
16 13:58:19
Type
ID Dequeued?
----------------------------------------------------username@hostname>

Palo Alto Networks
show report
show report
Displays information about process jobs.
Syntax
show [id number | jobs]
Options
id number
Displays information about the job with the specified ID number.
jobs
Displays information on all jobs.
Sample Output
The following command shows the current jobs.
username@hostname> show report jobs
Enqueued
ID Last Updated
dev/skip/req/resp/proc
-------------------------------------------------------------------------username@hostname>
username@hostname>

Palo Alto Networks
show routing
show routing
Display routing run-time objects.
Syntax
show routing fib [virtual-router name]
show routing protocol [virtual-router name] ospf <area | dumplsdb
| interface | lsdb | neighbor | summary | virt-link | virtneighbor>
show routing protocol [virtual-router name] redist <all | ospf |
rip>
show routing protocol [virtual-router name] rip <database |
interface | peer | summary>
show routing resource
show routing route [destination ip/netmask][interface
interfacename] [nexthop ip/netmask][type <connect | ospf | rip |
static>]
[virtual-router name]
show routing summary
Options
fib
Shows forwarding table entries. Specify an individual virtual router or all.
protocol ospf
Shows OSPF information. Specify one of the following (virtual router is

optional).
area
Show OSPF area status.
dumplsdb
Shows the OSPF LS database details.
interface
Shows OSPF interface status.
lsdb
Shows the LS database status.
neighbor
Shows neighbor status.
summary
Shows OSPF summary status.
virt-link
Shows status of virtual links.
virt-neighbor
Shows OSPF virtual neighbor status.
Palo Alto Networks
show routing
protocol redist
protocol rip
protocol bgp
Shows redistribution rule entries. Specify one of the following (virtual router is
optional).
ospf
Shows OSPF rules
rip
Shows RIP rules.
all
Shows all redistribution rules.
Shows RIP information. Specify one of the following options (virtual router is
optional).
database
Shows RIP route database.
interface
Shows RIP interface status.
peer
Shows RIP peer status.
summary
Shows the RIP summary information.
Shows Border Gateway Protocol (BGP) information. Specify one of the following
options (virtual router is optional).
loc-rib
Shows BGP local RIB.
lob-rib-detail
Shows BGP local RIB detail.
peer
Shows BGP peer status.
peer-group
Shows BGP peer group status.
policy
Shows BGP route map status.
rib-out
Shows BGP routes sent to BGP peer.
rib-out-detail
Shows details of BGP routes sent to BGP peer.
summary
Shows BGP summary information.
resource
Shows resource usage.
route
Shows route entries. Optionally specify any of the following options.
summary
Palo Alto Networks
destination
Restricts the result to a specified subnet (IP

address/mask).
interface
Restricts the result to a specified network

interface.
nexthop
Restricts the result to a the next hop from the

firewall (IP address/mask).
type
Restricts the result according to type of route:

connect and host routes, ospf, rip, or static.
virtual-router
Restrict the result to a specified virtual router.
Shows summary information.
show routing
Sample Output
The following command shows summary routing information for the virtual router vrl.
username@hostname> show routing summary virtual-router vr1
VIRTUAL ROUTER: vr1 (id 1)
==========
OSPF
area id:
0.0.0.0
interface:
192.168.6.254
interface:
200.1.1.2
dynamic neighbors:
IP 200.1.1.1 ID 200.1.1.1
area id:
1.1.1.1
interface:
1.1.1.1
interface:
1.1.2.1
interface:
1.1.3.1
interface:
2.1.1.1
static neighbor:
IP 65.54.5.33 ID *down*
static neighbor:
IP 65.54.77.88 ID *down*
interface:
22.22.22.22
interface:
35.1.15.40
interface:
192.168.7.254
dynamic neighbors:
IP 35.1.15.1 ID 35.35.35.35
==========
RIP
interface:
2.1.1.1
interface:
22.22.22.22
interface:
35.1.15.40
interface:
192.168.6.254
interface:
200.1.1.2
==========
INTERFACE
==========
interface name:
ethernet1/1
interface index:
16
virtual router:
vr1
operation status:
up
IPv4 address:
22.22.22.22/24
IPv4 address:
35.1.15.40/24
==========
interface name:
ethernet1/3
interface index:
18
virtual router:
vr1
operation status:
up
IPv4 address:
200.1.1.2/24
==========
interface name:
ethernet1/7
interface index:
22
virtual router:
vr1
operation status:
up
IPv4 address:
1.1.1.1/24
IPv4 address:
1.1.2.1/24
IPv4 address:
1.1.3.1/24
==========
interface name:
ethernet1/15
interface index:
30
Palo Alto Networks
show routing
virtual router:
operation status:
IPv4 address:
==========
interface name:
interface index:
virtual router:
operation status:
IPv4 address:
==========
interface name:
interface index:
virtual router:
operation status:
IPv4 address:
vr1
up
192.168.6.254/24
ethernet1/16
31
vr1
up
192.168.7.254/24
ethernet1/18
33
vr1
down
2.1.1.1/24
username@hostname>
The following command shows dynamic routing protocol information for RIP.
username@hostname> show routing protocol rip summary
==========
virtual router:
reject default route:
interval seconds:
update intervals:
expire intervals:
delete intervals:
interface:
interface:
interface:
interface:
interface:
==========
virtual router:
reject default route:
interval seconds:
update intervals:
expire intervals:
delete intervals:
interface:
interface:
interface:
vr1
yes
1
30
180
120
2.1.1.1
22.22.22.22
35.1.15.40
192.168.6.254
200.1.1.2
newr
yes
1
30
180
120
0.0.0.0
30.30.30.31
151.152.153.154

Palo Alto Networks
show running
show running
Shows running operational parameters
Syntax
show running option
Options
appinfo2ip
Show application-specific IP mapping information.
application
Show application information.
applicationoverride-policy
Show currently deployed application override policy.
applicationsignature
Show application signature statistics.
captive-portalpolicy
Show currently deployed captive-portal policy.
global-ippool
Show global ippool status.
ippool
Show ippool usage.
nat-policy
Show currently deployed Network Address Translation (NAT) policy.
nat-rule-cache
Show all NAT rules of all versions in cache.
nat-rule-ippool
Show specified NAT rule ippool usage.
pbf-policy
Show currently deployed Policy-Based forwarding policy.
qos-policy
Show currently deployed quality of service (QoS) policy.
resource-monitor
Show resource monitoring statistics.
rule-use
Show used/non-used policy rules.
security-policy
Show currently deployed security policy.
ssl-cert-cn
Show ssl certificate common name cache.
ssl-policy
Show currently deployed Secure Socket Layer (SSL) policy.
tcp
Show TCP reassembly setup.
top-urls
Show top-URLs statistics.
ts-agent-data
Show terminal server agent data.
tunnel
Show runtime tunnel states.
url-license
Show URL license information.
user
Show all known users.
Palo Alto Networks
show running
Sample Output
The following command shows statistics for running applications.
username@hostname> show running application statistics
Time: Wed Feb 17 15:16:30 2010
Vsys: 1
Number of apps: 31
App (report-as) sessions
packets
--------------- ---------- ---------15
495
188516
16
11
1803
32
464
467
36
518
16395
37
2
2574
42
1888
4101
44
1
1
48
29
686
50
2
7
79
2
185
86
9
115
109
1604
75513
147
155
374
193
0
3
225
12
272
280
77
217
318
48
85
452
2
139
453
1
9
491
21
1293
518
128
98192
658
6
70
674
53
1487
735
8
8446
796
1
16
852
1
117
872
49
2852
900
24
2206
980
32
573
1019
412
2679
1024
913
6971
--------------- ---------- ---------Total
6968
416364
bytes
-----------99646149
1319859
51055
1921997
273600
454433
422
225194
2741
97363
25843
55339483
33660
1018
71706
44906
30161
109886
1914
812870
96499118
18944
1122891
8385474
4215
87965
2296433
1179538
233308
200506
549052
-----------271041704
app changed
----------0
0
0
0
0
0
1
0
0
2
8
0
0
1
12
0
0
2
1
21
128
6
53
8
1
1
49
24
32
0
0
----------350
threats
------0
0
3
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
------3
username@hostname>

Palo Alto Networks
show session
show session
Show session information.
Syntax
show session all
show session id number
show session info
show session meter
show session start-at number
Options
all
Displays all active sessions.
id number
Displays session statistics for the specified session.
info
Displays session statistics.
meter
Displays session metering statistics.
start-at number
Displays the next 64K sessions starting with the specified session.
Sample Output
The following command displays session statistics.
username@hostname> show session info
------------------------------------------------------------------------------number of sessions supported:
524287
number of active sessions:
498520
number of active TCP sessions:
0
number of active UDP sessions:
498518
number of active ICMP sessions:
0
number of active BCAST sessions:
0
number of active MCAST sessions:
0
number of predict sessions:
0
session table utilization:
95%
number of sessions created since system bootup: 3072041
Packet rate:
0/s
Throughput:
0 Kbps
New connection establish rate:
0 cps
------------------------------------------------------------------------------session timeout
TCP default timeout:
3600 seconds
TCP session timeout before 3-way handshaking:
5 seconds
TCP session timeout after FIN/RST:
30 seconds
UDP default timeout:
3600 seconds
ICMP default timeout:
6 seconds
other IP default timeout:
30 seconds
Session timeout in discard state:
TCP: 90 seconds, UDP: 60 seconds, other IP protocols: 60 seconds
-------------------------------------------------------------------------------
Palo Alto Networks
show session
session accelerated aging:

enabled
accelerated aging threshold:
80% of utilization
scaling factor:
2 X
------------------------------------------------------------------------------session setup
TCP - reject non-SYN first packet:
yes
hardware session offloading:
yes
IPv6 firewalling:
no
------------------------------------------------------------------------------application trickling scan parameters:
timeout to determine application trickling:
10 seconds
resource utilization threshold to start scan: 80%
scan scaling factor over regular aging:
8
-------------------------------------------------------------------------------
The following command lists statistics for the specified session.

username@hostname> show session id 371731
session
Palo Alto Networks
371731
c2s flow:
source:
172.16.40.20[L3Intranet]
dst:
84.72.62.7
sport:
49230
dport:
31162
proto:
17
dir:
c2s
state:
ACTIVE
type:
FLOW
ipver:
4
src-user: qa2003domain-b\kwisdom
dst-user: unknown
PBF rule: rule4(2)
qos node: ethernet1/14, qos member N/A Qid 0
ez fid:
0x0d208003(13, 0, 0, 3)
s2c flow:
source:
84.72.62.7[L3Extranet]
dst:
172.16.40.20
sport:
31162
dport:
49230
proto:
17
dir:
s2c
state:
ACTIVE
type:
FLOW
ipver:
4
src-user: unknown
dst-user: qa2003domain-b\kwisdom
ez fid:
0x0ca0703f(12, 2, 3, 63)
start time
: Fri Jan 15 15:55:56 2010
timeout
: 1200 sec
time to live
: 1076 sec
total byte count
: 145
layer7 packet count
: 0
vsys
: vsys1
application
: bittorrent
rule
: rule23
session to be logged at end
: yes
session in session ager
: yes
session sync'ed from HA peer
: yes
layer7 processing
: completed
URL filtering enabled
: yes
URL category
: any
ingress interface
: ethernet1/13
egress interface
: ethernet1/14
session QoS rule
: default (class 4)
show session

Palo Alto Networks
show ssl-vpn
show ssl-vpn
Show Secure Socket Layer (SSL) virtual private network (VPN) runtime objects.
Syntax
show ssl-vpn option
Options
flow
Displays dataplane SSL-VPN tunnel information.
portal
Displays the SSL-VPN configuration.
user uname domain

domname portal
portalname
Specifies the user, domain, and portal.
Sample Output
The following command displays information on SSL-VPN tunnels.
username@hostname> show ssl-vpn flow
---------------------------------------------------------------------------total tunnels configured:
10
filter - type SSL-VPN, state any

total SSL-VPN tunnel configured:
total SSL-VPN tunnel shown:
name
id
local-i/f
local-ip
tunnel-i/f
---------------------------------------------------------------------------s1
2
tunnel.7
10.1.6.105
tunnel.7
rad
11
tunnel.8
10.1.6.106
tunnel.8
--------------------------------------------------------------------------username@hostname>

Palo Alto Networks
show statistics
show statistics
Show firewall statistics.
Syntax
show statistics
Options
None
Sample Output
The following command displays firewall statistics.
username@hostname> show statistics
TASK
PID N_PACKETS CONTINUE
ERROR
DROP
BYPASS TERMINATE
0
0
0
0
0
0
0
0
1
806
6180587
6179536
39
0
0
1012
2
807
39312
37511
0
0
0
1801
3
808 176054840 173273080
2289
2777524
0
1947
4
809 112733251 111536151
1744
1194906
0
450
5
810 66052142 65225559
1271
825010
0
302
6
811 49682445 49028991
909
652227
0
318
7
812 43618777 43030638
712
587129
0
298
8
813 41255949 40706957
708
548031
0
253
9
814 42570163 42010404
714
558773
0
272
10
815
7332493
7332494
0
0
0
0
task 1(pid:
806) flow_mgmt
task 2(pid:
807) flow_ctrl flow_host
task 3(pid:
808) flow_lookup flow_fastpath flow_slowpath flow_forwarding
flow_np
task 4(pid:
flow_np
task 5(pid:
flow_np
task 6(pid:
flow_np
task 7(pid:
flow_np
task 8(pid:
flow_np
task 9(pid:
flow_np
task 10(pid:
815) appid_result

Palo Alto Networks
show system
show system
Show system related information.
Syntax
show
show
show
show
show
show
show
show
show
show
system
system
system
system
system
system
system
system
system
system
disk-space
files
info
logdb-quota
resources
services
setting option
software status
state option
statistics
Options
disk-space
Show system disk space utilization.
files
List important files in the system.
info
Show general system information.
logdb-quota
Display information about logging database quotas.
resources
Show information about system resources.
services
Show the current system services and whether they are running.
setting
Display detailed system information. Refer to show system setting on

page 165.
software status Show software version information.

state
Show the system tree. Options include:

browserDisplays the information in a text-mode browser.
filterAllows you to limit the information that is displayed. The * wildcard
can be used.
filter-prettyAllows you to limit the information that is displayed with formatted printing. The * wildcard can be used.
statistics
Palo Alto Networks
Show device, packet rate, throughput, and session information. Enter q to quit
or h to get help.
show system
Sample Output
The following command displays system information.
username@hostname> show system info
hostname: thunder
ip-address: 10.1.7.1
netmask: 255.255.0.0
default-gateway: 10.1.0.1
ipv6-address:
ipv6-default-gateway:
mac-address: 00:13:72:3c:c9:e3
time: Tue Feb
9 10:02:57 2010
uptime: 0 days, 0:00:00

family: 4000
model: thunder
serial: 06081420000021
sw-version: 4.0.0-c758.dev
vpnclient-package-version: 1.0.0-c10
app-version: 158-450
av-version: 0
threat-version: 0
url-filtering-version: 2216
logdb-version: 3.0.0
username@hostname>

Palo Alto Networks
show system setting
show system setting

Display system information.
Syntax
show
prof
show
show
show
show
show
show
show
show
show
show
show
system setting ctd threat application name id id# profile

system
system
system
system
system
system
system
system
system
system
system
setting
setting
setting
setting
setting
setting
setting
setting
setting
setting
setting
ctd state
ctd url-block-cache
jumbo-frame
logging
multi-vsys
shared-policy
ssl-decrypt option
target-vsys
url-cache statistics
url-database
zip
Options
ctd
Shows the ctd state settings and URL block timeouts. Options include:
stateShow the configuration state.
threatShow the threat status.
url-block-cacheShow the URL block cache.
threat
Shows information about the threat. Options include:

applicationSpecify the application name.
idSpecify the identifier.
profileSpecify the profile number.
state
Shows the configuration state.
url-blockcache
Shows the URL block cache.
jumbo-frame
Shows the jumbo frame mode.
logging
Shows log and packet log rates.
multi-vsys
Shows the multiple virtual system mode.
sharedpolicy
Shows the shared policy status.
ssl-decrypt
Shows information about SSL decryption. Options include:

certificateShow ssl-decrypt certificate.
certificate-cacheShow ssl-decrypt certificate cache.
exclude-cacheShow ssl-decrypt exclude cache.
memoryShow ssl-decrypt memory usage.
notify-cache Show ssl-decrypt notify cache.
settingShow ssl-decrypt settings.
Palo Alto Networks
show system setting
target-vsys
Shows the target virtual system for operational commands.
url-cache
Shows URL cache statistics.
url-database
Shows URL database information.
zip
Shows whether the firewall is configured to decompress traffic for content

scanning purposes.
Sample Output
The following command shows an example with the default threat action.
username@hostname> show system setting ctd threat 100000 application 109
profile 1
Profile 1 appid 109 , action 0
action 0 means default action.
username@hostname>

Palo Alto Networks
show threat
show threat
Show threat ID descriptions.
Syntax
show threat id value
Options
value
Specifies the threat ID.
Sample Output
The following command shows threat ID descriptions for ID 11172.
username@hostname> show threat id 11172
This signature detects the runtime behavior of the spyware MiniBug. MiniBug,
also known as Weatherbug, installs other spyware, such as WeatherBug, and My
Web Search Bar. It is also adware program that displays advertisements in its
application window.
medium
http://www.spywareguide.com/product_show.php?id=2178
http://www.spyany.com/program/article_spw_rm_Minibug.htm
username@hostname>

Palo Alto Networks
show user
show user
Show user identification information. You can show information for a specified IP address,
user, or all.
Syntax
show
show
show
show
show
show
show
show
user
user
user
user
user
user
user
user
ip-port-user-mapping option
ip-user option
ldap-server option
local-user-db option
pan-agent option
pan-ntlm-agent option
ts-agent option
userid-agent option
Options
ip-portShow terminal server agent data.
user-mapping
ip-user
Show the dataplane ip-user-mapping.
ldap
Show LDAP server data.
local-userdb
Show the local user database.
pan-agent
Show statistics for the User-ID Agent.
pang-ntlmagent
Show statistics for the NTLM agent.
ts-agent
Show statistics for the terminal services agent.
userid-agent Displays user information for the Palo Alto Networks agent.
Sample Output
The following command shows information about the Palo Alto Networks agent.
username@hostname> show user pan-agent statistics
IP Address
Port
Vsys
State
Users Grps IPs
Recei
ved Pkts
---------------------------------------------------------------------------10.0.0.100
2011
vsys1
connected, ok
134
77
95
5757
10.1.200.22
2009
vsys1
connected, ok
5
864 2
1097
username@hostname>

Palo Alto Networks
show virtual-wire
show virtual-wire
Show information about virtual wire interfaces.
Syntax
show virtual-wire [value | all]
Options
value
Specifies a virtual wire interface.
all
Shows information for all virtual wire interfaces.
Sample Output
The following command displays information for the default virtual wire interface.
username@hostname> show virtual-wire default-vwire
total virtual-wire shown :
name
interface1
interface2
-----------------------------------------------------------------------------default-vwire
ethernet1/1
ethernet1/2
username@hostname>

Palo Alto Networks
show vlan
show vlan
Show VLAN information.
Syntax
show vlan [value | all]
Options
value
Specifies a virtual wire interface.
all
Shows information for all virtual wire interfaces.
Sample Output
The following command displays information for all VLANs.
username@hostname> show vlan all
vlan {
Vlan56 {
interface [
stp {
enabled
}
rstp {
enabled
}
}
Vlan11-12 {
interface [
stp {
enabled
}
rstp {
enabled
}
}
}
ethernet1/5 ethernet1/6 ];
no;
no;
ethernet1/11 ethernet1/12 ];
no;
no;
username@hostname>

Palo Alto Networks
show vpn
show vpn
Show VPN information.
Syntax
show
show
show
show
show
vpn
vpn
vpn
vpn
vpn
flow [tunnel-id tunnelid]

gateway [gateway gatewayid]
ike-sa [gateway gatewayid]
ipsec-sa [tunnel tunnelid]
tunnel [name tunnelid]
Options
flow
Shows information about the VPN tunnel on the data plane. Specify the tunnel or press
Enter to apply to all tunnels.
gateway
Shows Internet Key Exchange (IKE) gateway information. Specify the gateway or press
Enter to apply to all gateways.
ike-sa
Shows information about the active IKE Security Association (SA). Specify the gateway
or press Enter to apply to all gateways.
ipsec-sa
Shows information about IPsec SA tunnels. Specify the tunnel or press Enter to apply to
all tunnels.
tunnel
Shows information about auto-key IPSec tunnels. Specify the tunnel or press Enter to
apply to all tunnels.
name
Shows information about the VPN tunnel. Specify the tunnel or press Enter to apply to
all tunnels.
Sample Output
The following command shows VPN information for the auto key IPsec tunnel k1.
username@hostname> show vpn tunnel name k1
TnID Name(Gateway)
Local Proxy ID
Local Proxy ID
Proposals
------------------------------------------7 pan5gt(pan-5gt)
0.0.0.0/0
0.0.0.0/0
ESP tunl
[DH2][AES128,3DES][SHA1] 90-sec
Total 1 tunnels found, 0 ipsec sa found, 0 error
username@hostname>
The following command shows VPN information for the IKE gateway g2.
username@hostname> show vpn tunnel name g2
GwID Name
Peer Address/ID
Local Address/ID
---- --------------------------------3 falcon-kestrel
35.1.15.1
35.1.15.40
[PSK][DH2][AES128,3DES][SHA1] 28800-sec
Protocol
Proposals
---------------Auto(main)
Total 1 gateways found, 0 ike sa found, 0 error.

username@hostname>
Palo Alto Networks
show vpn

Palo Alto Networks
show zone-protection
show zone-protection
Shows the running configuration status and run time statistics for zone protection elements.
Syntax
show zone-protection [zone zonename]
Options
zonename
Specifies the name of a zone.
Sample Output
The following command shows statistics for the trust zone.
username@hostname> show zone-protection zone trust
--------------------------------------------------------------------------Zone trust, vsys vsys1, profile custom-zone-protection
---------------------------------------------------------------------------tcp-syn
enabled: no
---------------------------------------------------------------------------udp
RED enabled: no
---------------------------------------------------------------------------icmp
RED enabled: no
---------------------------------------------------------------------------other-ip
RED enabled: no
---------------------------------------------------------------------------packet filter:
discard-ip-spoof:
enabled: no
discard-ip-frag:
enabled: no
discard-icmp-ping-zero-id:
enabled: no
discard-icmp-frag:
enabled: no
discard-icmp-large-packet:
enabled: no
reply-icmp-timeexceeded:
enabled: no
username@hostname>

Palo Alto Networks
ssh
ssh
Open a secure shell (SSH) connection to another host.
Syntax
ssh [inet] [port number] [source address] [v1 | v2] [user@]host
Options
inet
Specifies that IP version 4 be used.
port
Specifies a port on the other host. (default 22)
source
Specifies a source IP address.
version
Specifies SSH version 1 or 2 (default is version 2)
user@
Specifies a user name on the other host.
host
Specifies the IP address of the other host.
Sample Output
The following command opens an SSH connection to host 10.0.0.250 using SSH version 2.
username@hostname> ssh v2 user@10.0.0.250
user@10.0.0.250's password:
#

Palo Alto Networks
tail
tail
Print the last 10 lines of a debug file.
Syntax
tail [follow] [lines] file
Options
follow
Adds appended data as the file grows.
lines
Lists the last N lines, instead of the last 10.
file
Specifies the debug file.
Sample Output
The following command displays the last 10 lines of the /var/log/pan/masterd.log file.
username@hostname> tail /var/log/pan/masterd.log
[09:32:46] Successfully started process 'mgmtsrvr' instance '1'
[09:32:47] Successfully started process 'appWeb' instance '1'
[09:32:47] Started group 'pan' start script 'octeon' with options 'start'
[09:32:48] Process 'appWeb' instance '1' exited normally with status '7'
[09:32:48] Process 'appWeb' instance '1' has no further exit rules
[09:32:53] Successfully started process 'pan-ez-agent' instance '1'
[09:32:53] Process 'pan-ez-agent' instance '1' exited normally with status
'0'
[09:32:53] Process 'pan-ez-agent' instance '1' has no further exit rules
[09:32:54] Successfully started process 'pan_netconfig_agent' instance '1'
[09:32:54] Finished initial start of all processes
username@hostname>

Palo Alto Networks
telnet
telnet
Open a Telnet session to another host.
Syntax
telnet [8bit] [port] host
Options
8bit
Indicates that 8-bit data will be used.
port
Specifies the port number for the other host.
host
Specifies the IP address of the other host.
Sample Output
The following command opens a Telnet session to the host 1.2.5.5 using 8-bit data.
username@hostname> telnet 8bit 1.2.5.5

Palo Alto Networks
test
test
Run tests based on installed security policies.
Syntax
test options
Options
cp-policy-match
Tests captive portal policy matches. Specify the source and destination
IP addresses and destination zone.
custom-url
Tests custom URL categorization. Specify the security rule name and
URL.
data-filtering
Tests credit card number (CCN), social security number (SSN), or

pattern matches.
nat-policy-match
Tests Network address Translation (NAT) policy matching. Specify the

source and destination IP addresses, ports, zone, protocol, and egress
interface.
pbf-policy-match
Tests Policy Based forwarding (PBF) matching. Specify the application

name, source and destination IP addresses, ports, zone, protocol, and
user.
pppoe
Tests Point-to-Point Protocol over Ethernet (PPPoE) connections. Specify

the interface.
qos-policy-match
Tests quality of service (QoS) policy matching. Specify the application

name, source and destination IP addresses, ports, zone, protocol, and
user.
routing
Tests routing. Options include:

bgpRestart the Border Gateway Protocol (BGP) connections with the
peer, or refresh to trigger a resending of all routes. For restart, specify
the peer and virtual router. For refresh, specify the peer or virtual
router, or whether the restart is for this firewall.
fib-lookupPerform route lookup within the active route table.
Specify the IP address and virtual router.
security-policymatch
Tests security policy matching. Specify the application name, source and
destination IP addresses, ports, zone, protocol, and user.
ssl-policy-match
Tests Secure Socket Layer (SSL) policy matching. Specify the category
name, source and destination IP addresses and zones.
url
Tests URL matching in the data plane. Specify the URL.
vpn
Verifies Internet Key Exchange (IKE) and IP Security (IPSec) settings.

Options include:
ike-saPerforms the tests only for the negotiated IKE security association (SA). Specify a gateway or press Enter to run the test for all gateways.
ipsec-saPerforms the tests for IPsec SA (and IKE SA if necessary).
Specify a tunnel or press Enter to run the test for all tunnels.
Palo Alto Networks
test
Sample Output
The following command tests whether the set of criteria matches any of the existing rules in
the security rule base.
username@hostname> test security-policy-match from trust to untrust
application google-talk source 10.0.0.1 destination 192.168.0.1 protocol 6
destination-port 80 source-user known-user
Matched rule: 'rule1' action: allow
username@hostname>

Palo Alto Networks
tftp
tftp
Use Trivial File Transfer Protocol (TFTP) to copy files between the firewall and another host.
Syntax
tftp export option
tftp import option
Options
export
Specifies the type of file to export to the other host. Options include:
applicationApplication block comfort page.
application-pcapApplication packet capture file.
captive-portal-textText to be included in a captive portal.
configurationConfiguration file.
core-fileCore file.
crlcrl.tgz file.
debug-pcapInternet Key Exchange (IKE) negotiation packet capture file.
file-block-pageFile containing comfort pages to be presented when files are
blocked.
filter-pcapFilter packet capture.
high-availability-keyHigh availability peer encryption key.
inbound-proxy-keyKey for inbound proxy.
log-fileLog files.
ssl-cert-status-pageUse TFTP to export ssl cert revoked notify page.
ssl-decryption-certificateUse TFTP to export the Secure Socket Layer (SSL)
decryption certificate.
ssl-optout-text SSL optout text.
stats-dumplog database in CSV format.
tech-supportTechnical support information.
threat-pcapThreat packet capture.
url-block-pageComfort page to be presented when files are blocked due to a
blocked URL.
url-coach-textURL coach text.
virus-block-pageComfort page that is presented when files are blocked due
to a virus.
web-interface-certificateWeb interface certificate.
Palo Alto Networks
tftp
import
Specifies the type of file to import from the other host. Options include;
anti-virusAnti-virus content.
application-block-pageApplication block comfort page.
captive-portal-textCaptive portal text.
configurationConfiguration information.
contentDatabase content.
file-block-pageFile block comfort page.
high-availability-keyHigh-availability peer encryption key.
licenseLicense file.
private-keySSL private key.
softwareSoftware package.
ssl-cert-status-pageSSL certification revocation notification page.
ssl-certificateSSL certificate.
ssl-optout-textSSL optout text.
sslvpn-custom-login-pageSSLVPN custom login page.
url-block-pageURSL block comfort page.
url-coach-textURL coach text.
url-databaseURL database package.
virus-block-pageVirus block comfort page.
vpnclientVPN client package.
Sample Output
The following command imports a license file from a file in user1s account on the machine
with IP address 10.0.3.4.
username@hostname> tftp import ssl-certificate from user1@10.0.3.4:/tmp/
certificatefile
username@hostname>

Palo Alto Networks
traceroute
traceroute
Display information about the route packets take to another host.
Syntax
traceroute [bypass-routing][debug-socket][do-not-fragment]
[first-ttl option][gateway][ipv4 | ipv6][max-ttl ttl]
[no-resolve][pause][source ip] [tos] [verbose] [wait] host name
Options
bypass-routing
Sends the request directly to the host on a direct attached network, bypassing
usual routing table.
debug-socket
Enables socket level debugging.
do-not-fragment
Sets the do-not-fragment bit.
first-ttl
Sets the time-to-live in the first outgoing probe packet in number of hops.
gateway
Specifies a loose source router gateway (maximum 8).
ipv4
Specifies that IPv4 is used.
ipv6
Specifies that IPv6 is used.
max-ttl
Sets the maximum time-to-live in number of hops.
no-resolve
Does not attempt to print resolved domain names.
pause
Sets the time to pause between probes (milliseconds).
port
Sets the base port number used in probes (default udp/33434 tcp/80 icmp/1).
source
Specifies the source IP address for the command.
tos
Specifies the type of service (TOS) treatment for the packets by way of the TOS
bit for the IP header in the ping packet (0-255).
wait
Specifies a delay in transmission of the traceroute request (seconds).
host name
Specifies the IP address or domain name of the other host (required).
Palo Alto Networks
traceroute
Sample Output
The following command displays information about the route from the firewall to
www.google.com.
username@hostname> traceroute www.paloaltonetworks.com
traceroute to www.paloaltonetworks.com (72.32.199.53), 30 hops max, 38 byte
packets
1 10.1.0.1 (10.1.0.1) 0.399 ms 1.288 ms 0.437 ms
2 64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.910 ms dsl027-186189.sfo1.dsl.speakeasy.net (216.27.186.189) 1.012 ms
64.0.27.225.ptr.us.xo.net (64.0.27.225) 1.865 ms
3 dsl027-182-001.sfo1.dsl.speakeasy.net (216.27.182.1) 16.768 ms 581.420
ms 64.3.142.37.ptr.us.xo.net (64.3.142.37) 219.190 ms
4 ge5-0-0.mar2.fremont-ca.us.xo.net (207.88.80.21) 228.551 ms 110.ge-0-00.cr1.sfo1.speakeasy.net (69.17.83.189) 12.352 ms ge5-0-0.mar2.fremontca.us.xo.net (207.88.80.21) 218.547 ms
5 ge-5-3-0.mpr3.pao1.us.above.net (209.249.11.177) 13.212 ms p4-00.rar2.sanjose-ca.us.xo.net (65.106.5.137) 273.935 ms 221.313 ms
6 p1-0.ir1.paloalto-ca.us.xo.net (65.106.5.178) 139.212 ms so-1-21.mpr1.sjc2.us.above.net (64.125.28.141) 13.348 ms p1-0.ir1.paloaltoca.us.xo.net (65.106.5.178) 92.795 ms
7 so-0-0-0.mpr2.sjc2.us.above.net (64.125.27.246) 12.069 ms
206.111.12.146.ptr.us.xo.net (206.111.12.146) 93.278 ms so-0-00.mpr2.sjc2.us.above.net (64.125.27.246) 556.033 ms
8 tbr1p013201.sffca.ip.att.net (12.123.13.66) 52.726 ms so-3-20.cr1.dfw2.us.above.net (64.125.29.54) 61.875 ms
tbr1p013201.sffca.ip.att.net (12.123.13.66) 58.462 ms
MPLS Label=32537 CoS=0 TTL=1 S=1
9 64.124.12.6.available.above.net (64.124.12.6) 74.828 ms
tbr1cl3.la2ca.ip.att.net (12.122.10.26) 62.533 ms
64.124.12.6.available.above.net (64.124.12.6) 60.537 ms
10 tbr1cl20.dlstx.ip.att.net (12.122.10.49) 60.617 ms
vlan901.core1.dfw1.rackspace.com (72.3.128.21) 59.881 ms 60.429 ms
11 gar1p360.dlrtx.ip.att.net (12.123.16.169) 108.713 ms
aggr5a.dfw1.rackspace.net (72.3.129.19) 58.049 ms gar1p360.dlrtx.ip.att.net
(12.123.16.169) 173.102 ms
12 72.32.199.53 (72.32.199.53) 342.977 ms 557.097 ms 60.899 ms
username@hostname>

Palo Alto Networks
view-pcap
view-pcap
Examine the content of packet capture files.
Syntax
view-pcap option filename
Options
option
filename
Palo Alto Networks
Specifies the type of information to report.

Option
Description
absolute-seq
Displays absolute TCP sequence numbers.
delta
Displays a delta (in micro-seconds) between current and

previous line.
hex
Displays each packet (minus link header) in hex.
hex-ascii
Displays each packet (minus link header) in hex and ASCII.
hex-ascii-link
Displays each packet (including link header) in hex and

ASCII.
hex-link
Displays each packet (including link header) in hex.
link-header
Displays the link-level header on each dump line.
no-dns-lookup
Does not convert host addresses to names.
no-port-lookup
Does not convert protocol and port numbers to names.
no-qualification
Does not print domain name qualification of host names.
timestamp
Displays timestamp proceeded by date.
undecoded-nfs
Displays undecoded NFS handles.
unformattedtimestamp
Displays an unformatted timestamp.
verbose
Displays verbose output.
verbose+
Displays more verbose output.
verbose++
Displays the maximum output details..
Name of the packet capture file.
view-pcap
Sample Output
The following command displays the contents of the packet capture file /var/session/pan/filters/
syslog.pcap in ASCII and hex formats.
username@hostname> view-pcap hex-ascii /var/session/pan/filters/syslog.pcap

reading from file /var/session/pan/filters/syslog.pcap, link-type EN10MB
(Ethernet)
08:34:31.922899 IP 10.0.0.244.32884 > jdoe.paloaltonetworks.local.syslog:
UDP, length 314
0x0000: 4500 0156 0000 4000 4011 2438 0a00 00f4 E..V..@.@.$8....
0x0010: 0a00 006c 8074 0202 0142 d163 3c31 3137 ...l.t...B.c<117
0x0020: 3e41 7072 2020 3233 2030 383a 3334 3a33 >Apr..23.08:34:3
0x0030: 3420 312c 3034 2f32 3320 3038 3a33 343a 4.1,04/23.08:34:
0x0040: 3334 2c54 4852 4541 542c 7572 6c2c 312c 34,THREAT,url,1,
0x0050: 3034 2f32 3320 3038 3a33 343a 3235 2c31 04/23.08:34:25,1
0x0060: 302e 302e 302e 3838 2c32 3039 2e31 3331 0.0.0.88,209.131
0x0070: 2e33 362e 3135 382c 302e 302e 302e 302c .36.158,0.0.0.0,
0x0080: 302e 302e 302e 302c 6c32 2d6c 616e 2d6f 0.0.0.0,l2-lan-o
0x0090: 7574 2c77 6562 2d62 726f 7773 696e 672c ut,web-browsing,
0x00a0: 7673 7973 312c 6c32 2d6c 616e 2d74 7275 vsys1,l2-lan-tru
0x00b0: 7374 2c6c 322d 6c61 6e2d 756e 7472 7573 st,l2-lan-untrus
0x00c0: 742c 6574 6865 726e 6574 312f 3132 2c65 t,ethernet1/12,e
0x00d0: 7468 6572 6e65 7431 2f31 312c 466f 7277 thernet1/11,Forw
0x00e0: 6172 6420 746f 204d 696b 652c 3034 2f32 ard.to.Mike,04/2
0x00f0: 3320 3038 3a33 343a 3334 2c38 3336 3435 3.08:34:34,83645
0x0100: 372c 322c 3438 3632 2c38 302c 302c 302c 7,2,4862,80,0,0,
0x0110: 3078 302c 7463 7028 3629 2c61 6c65 7274 0x0,tcp(6),alert
0x0120: 2c77 7777 2e79 6168 6f6f 2e63 6f6d 2f70 ,www.yahoo.com/p
0x0130: 2e67 6966 3f2c 2c73 6561 7263 682d 656e .gif?,,search-en
0x0140: 6769 6e65 732c 696e 666f 726d 6174 696f gines,informatio
0x0150: 6e61 6c2c 3000
nal,0.

Palo Alto Networks
Chapter 5
Maintenance Mode
Maintenance mode provides support for error recovery and diagnostics, and allows you to
reset the firewall to factory defaults.
This chapter describes how to enter Maintenance mode:
Entering Maintenance Mode in the next section
Using Maintenance Mode on page 188
Entering Maintenance Mode

The system enters Maintenance mode automatically if a critical error is discovered, or you can
enter Maintenance mode explicitly when booting the firewall. Critical failure can be due to
service errors, bootloader corruption, or disk file system errors.
You can enter Maintenance mode in either of the following ways:
Serial cable to the serial port on the firewall. For serial cable specifications, refer to the
Hardware Reference Guide for your firewall model.
Secure Socket Layer (SSL). SSL access is supported if the firewall has already entered
Maintenance mode (either automatically or explicitly during bootup).
Palo Alto Networks
Maintenance Mode 185
Entering Maintenance Mode Upon Bootup

To enter Maintenance mode upon bootup:
1.
Press m when prompted by the bootloader.
2.
Press any key on your keyboard when prompted to stop the automatic boot, and then
select Maint as the booting partition.
186 Maintenance Mode
Palo Alto Networks
Entering Maintenance Mode Automatically

If the system detects a critical error it will automatically fail over to Maintenance mode. When
the firewall enters Maintenance mode, messages are displayed on the serial console, web
interface, and CLI interface.
The serial console displays the following message.
The web interface displays the following message.
Palo Alto Networks
The SSH interface displays the following message.

ATTENTION: A critical error has been detected preventing proper boot up
of the device. Please contact Palo Alto Networks to resolve this issue at
866-898-9087 or support@paloaltonetworks.com.
The system is in maintenance mode. Connect via serial console or with user
'maint' through ssh to access the recovery tool.
Using Maintenance Mode

The Maintenance mode main menu displays the following options.
Palo Alto Networks
The following table describes the Maintenance mode selections that are accessible without
entering a password.
Table 4. General Maintenance Mode Options

Option
Description
Maintenance Entry
Reason
Indicates why the system entered Maintenance mode and includes possible
recovery steps.
Get System Info
Displays basic information about the system. This information is useful when
obtaining assistance from Customer Support.
FSCK (Disk Check)
Provides the ability to run a file system check (FSCK) on various partitions.
Log Files
Allows viewing and copying of log files from the system.
Disk Image
Allows the system to revert back to the previously installed software version.
Content Rollback
Allows a rollback to the previously installed content version.
Reboot
Reboots the firewall.
Some of the options are password protected to prevent accidental changes that could leave the
system in an inoperative state. The password is intended as a safeguard and it not meant to be
secret. The password is MA1NT (numeral 1).
Table 5. General Maintenance Mode Options

Option
Description
Factory Reset
Returns the firewall into the factory default state. The reset includes an option
to scrub the Config and Log partitions using a National Nuclear Security
Administration (NNSA) or Department of Defense (DOD) compliant scrubbing
algorithm.
Note: Scrubbing can take up to six hours to complete.
Bootloader
Recovery
Reprograms the main bootloader with the latest bootloader image on the
system. Use this option if the failsafe bootloader is running and recovery of the
main bootloader is required. (PA-2000 and PA-500 systems only)
Disk Image
Advanced
These options provide greater granularity and control over installation,

including status, history, bootstrapping, and other commands.
Diagnostics
Tests the dataplane booting and dataplane memory, and run disk performance
with bonnie++.
Palo Alto Networks
Palo Alto Networks
Appendix A
CONFIGURATION HIERARCHY
This appendix presents the complete firewall configuration hierarchies for the application
identification firewall and for Panorama:
Firewall Hierarchy in the next section
Panorama Hierarchy on page 286
Firewall Hierarchy
deviceconfig {
system {
login-banner <value>;
hostname <value>;
domain <value>;
speed-duplex auto-negotiate|10Mbps-half-duplex|10Mbps-full-duplex|100Mbps-halfduplex|100Mbps-full-duplex|1Gbps-half-duplex|1Gbps-full-duplex;
ip-address <ip/netmask>;
netmask <value>;
default-gateway <ip/netmask>;
ipv6-address <ip/netmask>;
ipv6-default-gateway <ip/netmask>;
authentication-profile <value>;
client-certificate-profile <value>;
dns-primary <ip/netmask>;
dns-secondary <ip/netmask>;
panorama-server <ip/netmask>;
ntp-server-1 <value>;
location <value>;
contact <value>;
update-server <value>;
secure-proxy-server <value>;
secure-proxy-port 1-1;
secure-proxy-user <value>;
secure-proxy-password <value>;
snmp-community-string <value>;
domain-lookup-url <value>;
ip-address-lookup-url <value>;
geo-location {
latitude <value>;
Palo Alto Networks
191
longitude <value>;
}
service {
disable-http yes|no;
disable-https yes|no;
disable-telnet yes|no;
disable-ssh yes|no;
disable-icmp yes|no;
disable-snmp yes|no;
}
permitted-ip {
REPEAT...
<name>;
}
route {
service {
REPEAT...
<name> {
source-address <value>;
}
}
destination {
REPEAT...
<name> {
source-address <value>;
}
}
}
log-link {
REPEAT...
<name> {
url <value>;
}
}
log-export-schedule {
REPEAT...
<name> {
description <value>;
enable yes|no;
log-type traffic|threat|url|data;
start-time <value>;
protocol {
ftp {
hostname <value>;
port 1-1;
username <value>;
password <value>;
passive-mode yes|no;
}
}
}
}
update-schedule {
threats {
192
Palo Alto Networks
recurring {
daily {
at <value>;
action download-only|download-and-install;
}
OR...
weekly {
day-of-week sunday|monday|tuesday|wednesday|thursday|friday|saturday;
at <value>;
}
threshold 1-1;
sync-to-peer yes|no;
}
}
anti-virus {
recurring {
hourly {
at 0-65535;
}
OR...
daily {
at <value>;
}
OR...
weekly {
at <value>;
}
threshold 1-1;
}
}
url-database {
recurring {
daily {
at <value>;
action download-and-install;
}
OR...
weekly {
at <value>;
action download-and-install;
}
}
}
}
timezone W-SU|CST6CDT|Japan|Portugal|Hongkong|Mideast|Mideast/
Riyadh87|Mideast/Riyadh88|Mideast/Riyadh89|Eire|Poland|Factory|GBEire|America|America/Port_of_Spain|America/Indiana|America/Indiana/
Palo Alto Networks
193
Vevay|America/Indiana/Indianapolis|America/Indiana/Marengo|America/Indiana/
Knox|America/St_Johns|America/Grand_Turk|America/Tijuana|America/
Toronto|America/Araguaina|America/Virgin|America/El_Salvador|America/
Coral_Harbour|America/Jujuy|America/Mexico_City|America/Guyana|America/
Cayman|America/Ensenada|America/Fortaleza|America/Iqaluit|America/
Boa_Vista|America/Chihuahua|America/Nome|America/Cancun|America/
Cayenne|America/Recife|America/Panama|America/Caracas|America/
Costa_Rica|America/Cambridge_Bay|America/Martinique|America/
Yellowknife|America/Godthab|America/Sao_Paulo|America/Edmonton|America/
Fort_Wayne|America/Danmarkshavn|America/Barbados|America/Dawson|America/
Thunder_Bay|America/Tegucigalpa|America/Chicago|America/Guadeloupe|America/
Grenada|America/Anguilla|America/Kentucky|America/Kentucky/
Monticello|America/Kentucky/Louisville|America/Argentina|America/Argentina/
Jujuy|America/Argentina/Ushuaia|America/Argentina/Catamarca|America/Argentina/
San_Juan|America/Argentina/Mendoza|America/Argentina/La_Rioja|America/
Argentina/Buenos_Aires|America/Argentina/Tucuman|America/Argentina/
ComodRivadavia|America/Argentina/Cordoba|America/Argentina/
Rio_Gallegos|America/Mazatlan|America/Regina|America/Montevideo|America/
Catamarca|America/Los_Angeles|America/Campo_Grande|America/Aruba|America/
Manaus|America/Knox_IN|America/Rosario|America/St_Lucia|America/
Hermosillo|America/Denver|America/Detroit|America/Santiago|America/
Shiprock|America/Cuiaba|America/Dominica|America/Porto_Acre|America/
Curacao|America/Belize|America/Merida|America/Swift_Current|America/
Antigua|America/Adak|America/Indianapolis|America/Belem|America/
Miquelon|America/Louisville|America/Bogota|America/New_York|America/
Boise|America/Scoresbysund|America/Mendoza|America/Goose_Bay|America/
Yakutat|America/Eirunepe|America/Winnipeg|America/Buenos_Aires|America/
Menominee|America/Paramaribo|America/Thule|America/Montreal|America/
Jamaica|America/Monterrey|America/St_Thomas|America/Rio_Branco|America/
Lima|America/Juneau|America/La_Paz|America/Vancouver|America/
Rankin_Inlet|America/Puerto_Rico|America/St_Kitts|America/Halifax|America/
Guayaquil|America/Inuvik|America/Noronha|America/Nassau|America/Port-auPrince|America/Guatemala|America/Glace_Bay|America/Nipigon|America/
Cordoba|America/Bahia|America/Asuncion|America/Maceio|America/Atka|America/
North_Dakota|America/North_Dakota/Center|America/Managua|America/
Anchorage|America/Montserrat|America/Tortola|America/Dawson_Creek|America/
Santo_Domingo|America/Pangnirtung|America/Whitehorse|America/
St_Vincent|America/Porto_Velho|America/Havana|America/Phoenix|America/
Rainy_River|Indian|Indian/Christmas|Indian/Reunion|Indian/Comoro|Indian/
Cocos|Indian/Mauritius|Indian/Antananarivo|Indian/Mahe|Indian/Mayotte|Indian/
Kerguelen|Indian/Chagos|Indian/Maldives|GMT0|Canada|Canada/Yukon|Canada/
Saskatchewan|Canada/Central|Canada/Eastern|Canada/East-Saskatchewan|Canada/
Atlantic|Canada/Pacific|Canada/Mountain|Canada/
Newfoundland|MET|ROK|US|US/Alaska|US/East-Indiana|US/Central|US/
Eastern|US/Samoa|US/Arizona|US/Pacific|US/Aleutian|US/Hawaii|US/
Mountain|US/Michigan|US/Indiana-Starke|MST|Mexico|Mexico/BajaSur|Mexico/
General|Mexico/BajaNorte|EST5EDT|Atlantic|Atlantic/Madeira|Atlantic/
Cape_Verde|Atlantic/St_Helena|Atlantic/Stanley|Atlantic/South_Georgia|Atlantic/
Jan_Mayen|Atlantic/Azores|Atlantic/Reykjavik|Atlantic/Canary|Atlantic/
Faeroe|Atlantic/Bermuda|HST|Antarctica|Antarctica/McMurdo|Antarctica/
Davis|Antarctica/South_Pole|Antarctica/Vostok|Antarctica/Rothera|Antarctica/
Mawson|Antarctica/DumontDUrville|Antarctica/Palmer|Antarctica/Casey|Antarctica/
Syowa|UTC|Iceland|Pacific|Pacific/Honolulu|Pacific/Truk|Pacific/Niue|Pacific/
Wake|Pacific/Apia|Pacific/Majuro|Pacific/Norfolk|Pacific/Efate|Pacific/
194
Palo Alto Networks
Enderbury|Pacific/Palau|Pacific/Saipan|Pacific/Nauru|Pacific/Kiritimati|Pacific/
Tahiti|Pacific/Guam|Pacific/Tongatapu|Pacific/Fiji|Pacific/Rarotonga|Pacific/
Samoa|Pacific/Fakaofo|Pacific/Guadalcanal|Pacific/Port_Moresby|Pacific/
Midway|Pacific/Galapagos|Pacific/Yap|Pacific/Johnston|Pacific/Marquesas|Pacific/
Noumea|Pacific/Auckland|Pacific/Gambier|Pacific/Kwajalein|Pacific/Kosrae|Pacific/
Wallis|Pacific/Easter|Pacific/Chatham|Pacific/Funafuti|Pacific/Pago_Pago|Pacific/
Tarawa|Pacific/Pitcairn|Pacific/
Ponape|EET|EST|Greenwich|GMT|Cuba|Brazil|Brazil/Acre|Brazil/East|Brazil/
DeNoronha|Brazil/West|Turkey|Arctic|Arctic/Longyearbyen|NZCHAT|Zulu|Israel|Jamaica|Etc|Etc/GMT-14|Etc/GMT+6|Etc/GMT-10|Etc/GMT2|Etc/GMT-8|Etc/GMT+4|Etc/GMT0|Etc/GMT-12|Etc/GMT+11|Etc/GMT-11|Etc/
GMT+12|Etc/UTC|Etc/GMT-3|Etc/Greenwich|Etc/GMT-9|Etc/GMT|Etc/GMT+2|Etc/
Zulu|Etc/GMT-4|Etc/GMT+7|Etc/GMT+1|Etc/GMT+8|Etc/GMT-7|Etc/GMT-6|Etc/
GMT+10|Etc/GMT-5|Etc/GMT+0|Etc/GMT-1|Etc/GMT+3|Etc/GMT+5|Etc/GMT13|Etc/UCT|Etc/Universal|Etc/GMT+9|Etc/GMT-0|NZ|Europe|Europe/
Vienna|Europe/Athens|Europe/Tiraspol|Europe/Lisbon|Europe/Rome|Europe/
Bratislava|Europe/Andorra|Europe/Sofia|Europe/Kaliningrad|Europe/Zurich|Europe/
Belfast|Europe/Oslo|Europe/Samara|Europe/Malta|Europe/Chisinau|Europe/
Moscow|Europe/Paris|Europe/Minsk|Europe/Zaporozhye|Europe/
Amsterdam|Europe/Tallinn|Europe/Uzhgorod|Europe/Brussels|Europe/
Vatican|Europe/Vaduz|Europe/San_Marino|Europe/Nicosia|Europe/Berlin|Europe/
Vilnius|Europe/Monaco|Europe/Istanbul|Europe/Belgrade|Europe/Stockholm|Europe/
Riga|Europe/Madrid|Europe/Gibraltar|Europe/Copenhagen|Europe/Skopje|Europe/
Budapest|Europe/Dublin|Europe/Bucharest|Europe/Helsinki|Europe/Prague|Europe/
Sarajevo|Europe/London|Europe/Tirane|Europe/Zagreb|Europe/Kiev|Europe/
Warsaw|Europe/Ljubljana|Europe/Simferopol|Europe/Mariehamn|Europe/
Luxembourg|Singapore|ROC|Kwajalein|Egypt|PST8PDT|GMT+0|Asia|Asia/
Kuwait|Asia/Kamchatka|Asia/Thimphu|Asia/Macau|Asia/Gaza|Asia/Thimbu|Asia/
Pyongyang|Asia/Vladivostok|Asia/Katmandu|Asia/Sakhalin|Asia/Muscat|Asia/
Ashkhabad|Asia/Ulan_Bator|Asia/Riyadh|Asia/Riyadh87|Asia/Calcutta|Asia/
Yerevan|Asia/Shanghai|Asia/Baghdad|Asia/Makassar|Asia/Oral|Asia/
Hong_Kong|Asia/Jayapura|Asia/Omsk|Asia/Almaty|Asia/Saigon|Asia/
Magadan|Asia/Chungking|Asia/Hovd|Asia/Brunei|Asia/Novosibirsk|Asia/
Dacca|Asia/Qatar|Asia/Ulaanbaatar|Asia/Krasnoyarsk|Asia/Kuching|Asia/
Qyzylorda|Asia/Karachi|Asia/Anadyr|Asia/Yakutsk|Asia/Seoul|Asia/
Choibalsan|Asia/Macao|Asia/Samarkand|Asia/Yekaterinburg|Asia/Aqtobe|Asia/
Riyadh88|Asia/Nicosia|Asia/Pontianak|Asia/Urumqi|Asia/Irkutsk|Asia/Taipei|Asia/
Harbin|Asia/Istanbul|Asia/Colombo|Asia/Tel_Aviv|Asia/Jakarta|Asia/Amman|Asia/
Bahrain|Asia/Tokyo|Asia/Chongqing|Asia/Ashgabat|Asia/Singapore|Asia/
Aqtau|Asia/Baku|Asia/Bishkek|Asia/Dili|Asia/Tbilisi|Asia/Beirut|Asia/
Riyadh89|Asia/Damascus|Asia/Aden|Asia/Dubai|Asia/Manila|Asia/Vientiane|Asia/
Tehran|Asia/Kashgar|Asia/Dushanbe|Asia/Kabul|Asia/Bangkok|Asia/Rangoon|Asia/
Jerusalem|Asia/Dhaka|Asia/Kuala_Lumpur|Asia/Tashkent|Asia/Phnom_Penh|Asia/
Ujung_Pandang|CET|PRC|Africa|Africa/Kinshasa|Africa/Ndjamena|Africa/
Mbabane|Africa/Lagos|Africa/El_Aaiun|Africa/Douala|Africa/Kampala|Africa/
Mogadishu|Africa/Tripoli|Africa/Conakry|Africa/Niamey|Africa/Asmera|Africa/
Khartoum|Africa/Lubumbashi|Africa/Kigali|Africa/Johannesburg|Africa/
Blantyre|Africa/Malabo|Africa/Gaborone|Africa/Lome|Africa/Algiers|Africa/
Addis_Ababa|Africa/Brazzaville|Africa/Dakar|Africa/Nairobi|Africa/Cairo|Africa/
Banjul|Africa/Bamako|Africa/Bissau|Africa/Libreville|Africa/Sao_Tome|Africa/
Casablanca|Africa/Timbuktu|Africa/Nouakchott|Africa/Freetown|Africa/
Monrovia|Africa/Ceuta|Africa/Dar_es_Salaam|Africa/Lusaka|Africa/Abidjan|Africa/
Bujumbura|Africa/Maseru|Africa/Bangui|Africa/Windhoek|Africa/Accra|Africa/
Djibouti|Africa/Ouagadougou|Africa/Porto-Novo|Africa/Tunis|Africa/Maputo|Africa/
Palo Alto Networks
195
Harare|Africa/Luanda|UCT|GB|Universal|Australia|Australia/Hobart|Australia/
Lord_Howe|Australia/Perth|Australia/South|Australia/Yancowinna|Australia/
Currie|Australia/Tasmania|Australia/Queensland|Australia/NSW|Australia/
Lindeman|Australia/Melbourne|Australia/Adelaide|Australia/Victoria|Australia/
Canberra|Australia/West|Australia/Brisbane|Australia/Broken_Hill|Australia/
Darwin|Australia/ACT|Australia/North|Australia/Sydney|Australia/
LHI|Iran|WET|Libya|MST7MDT|Chile|Chile/EasterIsland|Chile/Continental|GMT0|Navajo;
}
setting {
nat {
reserve-ip yes|no;
reserve-time 1-1;
}
jumbo-frame {
mtu 512-512;
}
url {
dynamic-url-timeout 1-1;
}
application {
identify-unknown-traffic-by-port yes|no;
dump-unknown on|off;
cache yes|no;
cache-threshold 1-1;
supernode yes|no;
heuristics yes|no;
notify-user yes|no;
}
ctd {
x-forwarded-for yes|no;
url-coach-timeout 1-1;
url-admin-timeout 1-1;
url-lockout-timeout 1-1;
url-wait-timeout 1-1;
http-proxy-use-transaction yes|no;
bypass-exceed-queue yes|no;
}
ssl-decrypt {
url-proxy yes|no;
notify-user yes|no;
answer-timeout 1-1;
crl yes|no;
ocsp yes|no;
crl-receive-timeout 1-1;
ocsp-receive-timeout 1-1;
block-unknown-cert yes|no;
block-timeout-cert yes|no;
cert-status-timeout 0-65535;
deny-setup-failure yes|no;
}
session {
timeout-tcp 1-1;
timeout-udp 1-1;
196
Palo Alto Networks
timeout-icmp 1-1;
timeout-default 1-1;
timeout-tcpinit 1-1;
timeout-tcpwait 1-1;
timeout-discard-tcp 1-1;
timeout-discard-udp 1-1;
timeout-discard-default 1-1;
timeout-scan 5-5;
scan-threshold 50-50;
scan-scaling-factor 2-2;
accelerated-aging-enable yes|no;
accelerated-aging-threshold 50-50;
accelerated-aging-scaling-factor 2-2;
tcp-reject-non-syn yes|no;
offload yes|no;
ipv6-firewalling yes|no;
}
tcp {
drop-out-of-wnd yes|no;
bypass-exceed-oo-queue yes|no;
out-of-sync reject|bypass|ignore;
}
zip {
enable yes|no;
sw yes|no;
}
config {
rematch yes|no;
}
logging {
max-log-rate 0-65535;
max-packet-rate 0-65535;
log-suppression yes|no;
}
management {
idle-timeout 1-1;
send-hostname-in-syslog yes|no;
traffic-stop-on-logdb-full yes|no;
max-rows-in-csv-export 1-1;
max-audit-versions 1-1;
panorama-tcp-receive-timeout 1-1;
panorama-tcp-send-timeout 1-1;
panorama-ssl-send-retries 1-1;
}
}
high-availability {
enabled yes|no;
interface {
ha1 {
port <value>;
encryption {
enabled yes|no;
}
link-speed auto|10|100|1000;
Palo Alto Networks
197
link-duplex auto|full|half;
netmask <value>;
monitor-hold-time 1000-1000;
}
ha2 {
port <value>;
link-speed auto|10|100|1000;
link-duplex auto|full|half;
netmask <value>;
}
}
group {
REPEAT...
<name> {
election-option {
device-priority 0-65535;
preemptive yes|no;
passive-hold-time 0-65535;
hello-interval 8000-8000;
heartbeat-interval 1000-1000;
passive-link-state shutdown|auto;
flap-max 0-65535;
monitor-fail-hold-time 1-1;
preemption-hold-time 1-1;
}
peer-ip <ip/netmask>;
state-synchronization {
enabled yes|no;
transport {
ethernet {
destination-mac-address <value>;
}
OR...
ip {
destination-ip <ip/netmask>;
}
OR...
udp {
destination-port 1-1;
}
}
}
monitoring {
path-monitoring {
enabled yes|no;
failure-condition any|all;
path-group {
198
Palo Alto Networks
virtual-wire {
REPEAT...
<name> {
enabled yes|no;
source-ip <ip/netmask>;
destination-ip [ <destination-ip1> <destination-ip2>... ];
}
}
vlan {
REPEAT...
<name> {
enabled yes|no;
source-ip <ip/netmask>;
}
}
virtual-router {
REPEAT...
<name> {
enabled yes|no;
}
}
}
}
link-monitoring {
enabled yes|no;
link-group {
REPEAT...
<name> {
enabled yes|no;
interface [ <interface1> <interface2>... ];
}
}
}
}
}
}
}
}
mgt-config {
users {
REPEAT...
<name> {
phash <value>;
client-certificate-only yes|no;
preferences {
Palo Alto Networks
199
disable-dns yes|no;
saved-log-query {
traffic {
REPEAT...
<name> {
query <value>;
}
}
threat {
REPEAT...
<name> {
query <value>;
}
}
url {
REPEAT...
<name> {
query <value>;
}
}
data {
REPEAT...
<name> {
query <value>;
}
}
config {
REPEAT...
<name> {
query <value>;
}
}
system {
REPEAT...
<name> {
query <value>;
}
}
}
}
permissions {
role-based {
vsysreader {
REPEAT...
<name> {
vsys [ <vsys1> <vsys2>... ];
}
}
OR...
vsysadmin {
REPEAT...
<name> {
}
200
Palo Alto Networks
}
OR...
devicereader [ <devicereader1> <devicereader2>... ];
OR...
deviceadmin [ <deviceadmin1> <deviceadmin2>... ];
OR...
superreader yes;
OR...
superuser yes;
OR...
custom {
profile <value>;
}
}
}
}
}
access-domain {
REPEAT...
<name> {
}
}
}
network {
profiles {
monitor-profile {
REPEAT...
<name> {
interval 2-2;
threshold 2-2;
action wait-recover|fail-over;
}
}
interface-management-profile {
REPEAT...
<name> {
http yes|no;
https yes|no;
ping yes|no;
ssh yes|no;
telnet yes|no;
snmp yes|no;
permitted-ip {
REPEAT...
<name>;
}
}
}
zone-protection-profile {
REPEAT...
<name> {
Palo Alto Networks
201
scan {
REPEAT...
<name> {
action allow|alert|block;
interval 2-2;
threshold 2-2;
}
}
flood {
tcp-syn {
enable yes|no;
red {
alarm-rate 0-65535;
activate-rate 1-1;
maximal-rate 1-1;
}
OR...
syn-cookies {
alarm-rate 0-65535;
activate-rate 0-65535;
maximal-rate 1-1;
}
}
udp {
enable yes|no;
red {
alarm-rate 0-65535;
activate-rate 1-1;
maximal-rate 1-1;
}
}
icmp {
enable yes|no;
red {
alarm-rate 0-65535;
activate-rate 1-1;
maximal-rate 1-1;
}
}
other-ip {
enable yes|no;
red {
alarm-rate 0-65535;
activate-rate 1-1;
maximal-rate 1-1;
}
}
}
tcp-reject-non-syn global|yes|no;
discard-ip-spoof yes|no;
discard-ip-frag yes|no;
discard-icmp-ping-zero-id yes|no;
discard-icmp-frag yes|no;
202
Palo Alto Networks
discard-icmp-large-packet yes|no;
suppress-icmp-timeexceeded yes|no;
suppress-icmp-needfrag yes|no;
}
}
}
interface {
ethernet {
REPEAT...
<name> {
link-speed <value>;
link-duplex <value>;
link-state auto|up|down;
tap;
OR...
ha;
OR...
virtual-wire;
OR...
layer2 {
units {
REPEAT...
<name> {
tag 1-1;
}
}
}
OR...
layer3 {
mtu 576-576;
ip {
REPEAT...
<name>;
}
OR...
pppoe {
enable yes|no;
authentication auto|CHAP|PAP;
static-address {
ip <ip/netmask>;
}
username <value>;
password <value>;
create-default-route yes|no;
default-route-metric 1-1;
access-concentrator <value>;
service <value>;
auto-connect yes|no;
auto-connect-timeout 0-65535;
idle-disconnect 0-65535;
clear-on-disconnect yes|no;
}
arp {
REPEAT...
Palo Alto Networks
203
<name> {
hw-address <value>;
}
}
interface-management-profile <value>;
units {
REPEAT...
<name> {
mtu 576-576;
ip {
REPEAT...
<name>;
}
arp {
REPEAT...
<name> {
hw-address <value>;
}
}
tag 1-1;
}
}
}
OR...
aggregate-group <value>;
}
}
aggregate-ethernet {
REPEAT...
<name> {
virtual-wire;
OR...
layer2 {
units {
REPEAT...
<name> {
tag 1-1;
}
}
}
OR...
layer3 {
mtu 576-576;
ip {
REPEAT...
<name>;
}
arp {
REPEAT...
<name> {
hw-address <value>;
}
}
204
Palo Alto Networks
units {
REPEAT...
<name> {
mtu 576-576;
ip {
REPEAT...
<name>;
}
arp {
REPEAT...
<name> {
hw-address <value>;
}
}
tag 1-1;
}
}
}
}
}
vlan {
mtu 576-576;
ip {
REPEAT...
<name>;
}
arp {
REPEAT...
<name> {
hw-address <value>;
interface <value>;
}
}
units {
REPEAT...
<name> {
mtu 576-576;
ip {
REPEAT...
<name>;
}
arp {
REPEAT...
<name> {
hw-address <value>;
interface <value>;
}
}
}
}
Palo Alto Networks
205
}
loopback {
mtu 576-576;
ip {
REPEAT...
<name>;
}
unnumbered {
source-interface <value>;
}
units {
REPEAT...
<name> {
mtu 576-576;
ip {
REPEAT...
<name>;
}
unnumbered {
}
}
}
}
tunnel {
mtu 576-576;
ip {
REPEAT...
<name>;
}
unnumbered {
}
units {
REPEAT...
<name> {
mtu 576-576;
ip {
REPEAT...
<name>;
}
unnumbered {
}
}
}
}
}
ike {
gateway {
206
Palo Alto Networks
REPEAT...
<name> {
peer-address {
ip <ip/netmask>;
OR...
dynamic;
}
local-address {
interface <value>;
ip <value>;
}
peer-id {
id <value>;
type ipaddr|fqdn|ufqdn|keyid;
}
local-id {
id <value>;
type ipaddr|fqdn|ufqdn|keyid;
}
authentication {
pre-shared-key {
key <value>;
}
OR...
certificate {
peer-cert <value>;
local-cert <value>;
}
}
protocol {
ikev1 {
enable yes|no;
exchange-mode auto|main|aggressive;
ike-crypto-profile <value>;
dpd {
enable yes|no;
interval 2-2;
retry 2-2;
}
commit-bit yes|no;
initial-contact yes|no;
}
ikev2 {
enable yes|no;
ike-crypto-profile <value>;
require-cookie yes|no;
send-peer-id yes|no;
}
}
protocol-common {
nat-traversal {
enable yes|no;
keep-alive-interval 2-2;
}
Palo Alto Networks
207
passive-mode yes|no;
}
}
}
crypto-profiles {
ike-crypto-profiles {
REPEAT...
<name> {
encryption [ <encryption1> <encryption2>... ];
hash [ <hash1> <hash2>... ];
dh-group [ <dh-group1> <dh-group2>... ];
lifetime {
seconds 180-180;
OR...
minutes 3-3;
OR...
hours 1-1;
OR...
days 1-1;
}
}
}
ipsec-crypto-profiles {
REPEAT...
<name> {
esp {
encryption [ <encryption1> <encryption2>... ];
authentication [ <authentication1> <authentication2>... ];
}
OR...
ah {
authentication [ <authentication1> <authentication2>... ];
}
dh-group no-pfs|group1|group2|group5|group14;
lifetime {
seconds 180-180;
OR...
minutes 3-3;
OR...
hours 1-1;
OR...
days 1-1;
}
lifesize {
kb 1-1;
OR...
mb 1-1;
OR...
gb 1-1;
OR...
tb 1-1;
}
}
}
208
Palo Alto Networks
}
}
tunnel {
hop {
REPEAT...
<name> {
tunnel-interface <value>;
peer-address {
ip <ip/netmask>;
}
local-address {
interface <value>;
ip <ip/netmask>;
}
}
}
ipsec {
REPEAT...
<name> {
anti-replay yes|no;
copy-tos yes|no;
tunnel-monitor {
enable yes|no;
tunnel-monitor-profile <value>;
}
manual-key {
peer-address {
ip <ip/netmask>;
}
local-address {
interface <value>;
ip <value>;
}
local-spi <value>;
remote-spi <value>;
esp {
encryption {
algorithm 3des|aes128|aes192|aes256|null;
key <value>;
}
authentication {
md5 {
key <value>;
}
OR...
sha1 {
key <value>;
}
OR...
none;
}
}
Palo Alto Networks
209
OR...
ah {
md5 {
key <value>;
}
OR...
sha1 {
key <value>;
}
}
}
OR...
auto-key {
ike-gateway {
REPEAT...
<name> {
as-nexthop <ip/netmask>;
}
}
ipsec-crypto-profile <value>;
proxy-id {
REPEAT...
<name> {
local <ip/netmask>;
remote <ip/netmask>;
protocol {
number 1-1;
OR...
any;
OR...
tcp {
local-port 0-65535;
remote-port 0-65535;
}
OR...
udp {
local-port 0-65535;
}
}
}
}
}
}
}
ssl-vpn {
REPEAT...
<name> {
local-address {
interface <value>;
ip <value>;
}
ipsec {
210
Palo Alto Networks
enable yes|no;
server-udp-port 1-1;
}
ssl {
server-port 1-1;
}
http-redirect yes|no;
max-user 1-1;
client {
ip-pool [ <ip-pool1> <ip-pool2>... ];
dns-server [ <dns-server1> <dns-server2>... ];
wins-server [ <wins-server1> <wins-server2>... ];
dns-suffix [ <dns-suffix1> <dns-suffix2>... ];
split-tunneling {
access-route [ <access-route1> <access-route2>... ];
}
}
}
}
}
vlan {
REPEAT...
<name> {
mac {
REPEAT...
<name> {
interface <value>;
}
}
virtual-interface {
interface <value>;
l3-forwarding yes|no;
}
}
}
qos {
profile {
REPEAT...
<name> {
aggregate-bandwidth {
egress-max <float>;
egress-guaranteed <float>;
}
class {
REPEAT...
<name> {
priority real-time|high|medium|low;
class-bandwidth {
egress-max <float>;
}
round-trip-time 0-65535;
}
Palo Alto Networks
211
}
}
}
interface {
REPEAT...
<name> {
enabled yes|no;
interface-bandwidth {
egress-max <float>;
}
tunnel-traffic {
groups {
REPEAT...
<name> {
members {
REPEAT...
<name> {
qos-profile <value>;
}
}
}
}
default-group {
per-tunnel-qos-profile <value>;
}
bandwidth {
egress-max <float>;
}
}
regular-traffic {
groups {
REPEAT...
<name> {
members {
REPEAT...
<name> {
match {
local-address {
interface <value>;
address [ <address1> <address2>... ];
}
}
}
}
}
}
default-group {
}
bandwidth {
egress-max <float>;
212
Palo Alto Networks
}
}
}
}
}
spanning-tree {
REPEAT...
<name> {
vlan <value>;
mode rstp|per-vlan-rstp;
port {
REPEAT...
<name> {
priority 0-65535;
cost 0-65535;
link-type auto|edge|point-to-point;
}
}
bridge-priority 0-65535;
port-priority 0-65535;
port-cost 0-65535;
time {
hello-time 1-1;
max-age 6-6;
forward-delay 4-4;
}
}
}
virtual-wire {
REPEAT...
<name> {
interface1 <value>;
interface2 <value>;
tag-allowed <0-65535,...>;
multicast-firewalling {
enable yes|no;
}
link-state-pass-through {
enable yes|no;
}
}
}
virtual-router {
REPEAT...
<name> {
routing-table {
ip {
static-route {
REPEAT...
<name> {
destination <ip/netmask>;
interface <value>;
nexthop {
Palo Alto Networks
213
receive;
OR...
discard;
OR...
OR...
tunnel <value>;
}
admin-dist 10-10;
metric 1-1;
option {
passive;
no-install;
}
}
}
}
}
protocol {
redist-profile {
REPEAT...
<name> {
priority 1-1;
filter {
type [ <type1> <type2>... ];
destination [ <destination1> <destination2>... ];
nexthop [ <nexthop1> <nexthop2>... ];
ospf {
path-type [ <path-type1> <path-type2>... ];
area [ <area1> <area2>... ];
tag [ <tag1> <tag2>... ];
}
bgp {
community [ <community1> <community2>... ];
extended-community [ <extended-community1> <extended-community2>... ];
}
}
action {
no-redist;
OR...
redist {
new-metric 1-1;
}
}
}
}
rip {
enable yes|no;
reject-default-route yes|no;
allow-redist-default-route yes|no;
timers {
interval-seconds 1-1;
update-intervals 1-1;
214
Palo Alto Networks
expire-intervals 1-1;
delete-intervals 1-1;
}
auth-profile {
REPEAT...
<name> {
password <value>;
OR...
md5 {
REPEAT...
<name> {
key <value>;
preferred yes|no;
}
}
}
}
interface {
REPEAT...
<name> {
enable yes|no;
default-route {
disable;
OR...
advertise {
metric 1-1;
}
}
authentication <value>;
mode normal|passive|send-only;
}
}
export-rules [ <export-rules1> <export-rules2>... ];
}
ospf {
router-id <ip/netmask>;
enable yes|no;
rfc1583 yes|no;
flood-prevention {
hello {
enable yes|no;
max-packet 1-1;
}
lsa {
enable yes|no;
max-packet 1-1;
}
}
auth-profile {
REPEAT...
<name> {
password <value>;
Palo Alto Networks
215
OR...
md5 {
REPEAT...
<name> {
key <value>;
preferred yes|no;
}
}
}
}
area {
REPEAT...
<name> {
type {
normal;
OR...
stub {
accept-summary yes|no;
default-route {
disable;
OR...
advertise {
metric 1-1;
}
}
}
OR...
nssa {
accept-summary yes|no;
default-route {
disable;
OR...
advertise {
metric 1-1;
type ext-1|ext-2;
}
}
nssa-ext-range {
REPEAT...
<name> {
advertise;
OR...
suppress;
}
}
}
}
range {
REPEAT...
<name> {
advertise;
OR...
suppress;
}
216
Palo Alto Networks
}
interface {
REPEAT...
<name> {
enable yes|no;
passive yes|no;
link-type {
broadcast;
OR...
p2p;
OR...
p2mp;
}
metric 1-1;
priority 0-65535;
dead-counts 3-3;
retransmit-interval 1-1;
transit-delay 1-1;
neighbor {
REPEAT...
<name> {
metric 1-1;
}
}
}
}
virtual-link {
REPEAT...
<name> {
neighbor-id <ip/netmask>;
transit-area-id <value>;
enable yes|no;
dead-counts 3-3;
retransmit-interval 1-1;
transit-delay 1-1;
passive yes|no;
}
}
}
}
export-rules {
REPEAT...
<name> {
new-path-type ext-1|ext-2;
new-tag 1-1<ip/netmask>;
}
}
}
bgp {
enable yes|no;
Palo Alto Networks
217
router-id <ip/netmask>;
install-route yes|no;
local-as 1-1;
routing-options {
as-format 2-byte|4-byte;
med {
always-compare-med yes|no;
deterministic-med-comparison yes|no;
}
default-local-preference 0-65535;
outbound-route-filter {
enable yes|no;
max-received-entries 0-65535;
cisco-prefix-mode yes|no;
}
graceful-restart {
enable yes|no;
stale-route-time 1-1;
local-restart-time 1-1;
max-peer-restart-time 1-1;
}
reflector-cluster-id <ip/netmask>;
confederation-member-as 1-1;
aggregate {
aggregate-med yes|no;
}
}
auth-profile {
REPEAT...
<name> {
secret <value>;
}
}
dampening-profile {
REPEAT...
<name> {
enable yes|no;
cutoff <float>;
reuse <float>;
max-hold-time 1-1;
decay-half-life-reachable 1-1;
decay-half-life-unreachable 1-1;
}
}
peer-group {
REPEAT...
<name> {
enable yes|no;
aggregated-confed-as-path yes|no;
soft-reset-with-stored-info yes|no;
type {
ibgp {
218
Palo Alto Networks
export-nexthop original|use-self;
}
OR...
ebgp-confed {
}
OR...
ibgp-confed {
}
OR...
ebgp {
import-nexthop original|use-peer;
export-nexthop resolve|use-self;
remove-private-as yes|no;
}
}
peer {
REPEAT...
<name> {
enable yes|no;
local-address {
interface <value>;
ip <value>;
}
peer-address {
ip <ip/netmask>;
}
peer-as 1-1;
connection-options {
multihop 0-65535;
hold-time 3-3;
keep-alive-interval 1-1;
open-delay-time 0-65535;
idle-hold-time 1-1;
incoming-bgp-connection {
allow yes|no;
}
outgoing-bgp-connection {
local-port 0-65535;
allow yes|no;
}
}
reflector-client non-client|client|meshed-client;
peering-type bilateral|unspecified;
aggregated-confed-as-path yes|no;
max-prefixes 1-1;
max-orf-entries 1-1;
soft-reset-with-stored-info yes|no;
}
}
}
Palo Alto Networks
219
}
policy {
import {
rules {
REPEAT...
<name> {
enable yes|no;
used-by [ <used-by1> <used-by2>... ];
match {
afi ip|ipv6;
safi ip|ipv6;
address-prefix {
REPEAT...
<name> {
exact yes|no;
}
}
from-peer [ <from-peer1> <from-peer2>... ];
med 0-65535;
as-path {
regex <value>;
}
community {
regex <value>;
}
extended-community {
regex <value>;
}
}
action {
deny;
OR...
allow {
dampening <value>;
update {
local-preference 0-65535;
med 0-65535;
weight 0-65535;
nexthop <ip/netmask>;
origin igp|egp|incomplete;
as-path-limit 1-1;
as-path {
none;
OR...
remove;
OR...
prepend 1-1;
OR...
remove-and-prepend 1-1;
}
community {
none;
OR...
220
Palo Alto Networks
remove-all;
OR...
remove-regex <value>;
OR...
append [ <append1> <append2>... ];
OR...
overwrite [ <overwrite1> <overwrite2>... ];
}
none;
OR...
remove-all;
OR...
OR...
OR...
}
}
}
}
}
}
}
export {
rules {
REPEAT...
<name> {
enable yes|no;
match {
afi ip|ipv6;
safi ip|ipv6;
address-prefix {
REPEAT...
<name> {
exact yes|no;
}
}
med 0-65535;
as-path {
regex <value>;
}
community {
regex <value>;
}
regex <value>;
}
}
action {
Palo Alto Networks
221
deny;
OR...
allow {
update {
med 0-65535;
as-path-limit 1-1;
as-path {
none;
OR...
remove;
OR...
prepend 1-1;
OR...
}
community {
none;
OR...
remove-all;
OR...
OR...
OR...
}
none;
OR...
remove-all;
OR...
OR...
OR...
}
}
}
}
}
}
}
conditional-advertisement {
policy {
REPEAT...
<name> {
enable yes|no;
non-exist-filters {
REPEAT...
222
Palo Alto Networks
<name> {
enable yes|no;
match {
afi ip|ipv6;
safi ip|ipv6;
address-prefix {
REPEAT...
<name> {
exact yes|no;
}
}
med 0-65535;
as-path {
regex <value>;
}
community {
regex <value>;
}
regex <value>;
}
}
}
}
advertise-filters {
REPEAT...
<name> {
enable yes|no;
match {
afi ip|ipv6;
safi ip|ipv6;
address-prefix {
REPEAT...
<name> {
exact yes|no;
}
}
med 0-65535;
as-path {
regex <value>;
}
community {
regex <value>;
}
regex <value>;
}
}
}
}
Palo Alto Networks
223
}
}
}
aggregation {
address {
REPEAT...
<name> {
prefix <ip/netmask>;
enable yes|no;
summary yes|no;
as-set yes|no;
aggregate-route-attributes {
med 0-65535;
weight 0-65535;
as-path-limit 1-1;
as-path {
none;
OR...
remove;
OR...
prepend 1-1;
OR...
}
community {
none;
OR...
remove-all;
OR...
OR...
OR...
}
none;
OR...
remove-all;
OR...
OR...
OR...
}
}
suppress-filters {
REPEAT...
<name> {
enable yes|no;
224
Palo Alto Networks
match {
afi ip|ipv6;
safi ip|ipv6;
address-prefix {
REPEAT...
<name> {
exact yes|no;
}
}
med 0-65535;
as-path {
regex <value>;
}
community {
regex <value>;
}
regex <value>;
}
}
}
}
advertise-filters {
REPEAT...
<name> {
enable yes|no;
match {
afi ip|ipv6;
safi ip|ipv6;
address-prefix {
REPEAT...
<name> {
exact yes|no;
}
}
med 0-65535;
as-path {
regex <value>;
}
community {
regex <value>;
}
regex <value>;
}
}
}
}
}
}
Palo Alto Networks
225
}
}
redist-rules {
REPEAT...
<name> {
enable yes|no;
set-origin igp|egp|incomplete;
set-med 0-65535;
set-local-preference 0-65535;
set-as-path-limit 1-1;
set-community [ <set-community1> <set-community2>... ];
set-extended-community [ <set-extended-community1> <set-extendedcommunity2>... ];
}
}
}
}
admin-dists {
static 10-10;
ospf-int 10-10;
ospf-ext 10-10;
ibgp 10-10;
ebgp 10-10;
rip 10-10;
}
}
}
dns-proxy {
REPEAT...
<name> {
enabled yes|no;
domain-servers {
REPEAT...
<name> {
cacheable yes|no;
domain-name [ <domain-name1> <domain-name2>... ];
name-servers [ <name-servers1> <name-servers2>... ];
}
}
cache {
enabled yes|no;
size 1024-1024;
timeout 4-4;
}
static-entries {
REPEAT...
<name> {
domain <value>;
address [ <address1> <address2>... ];
}
}
tcp-queries {
enabled yes|no;
226
Palo Alto Networks
max-pending-requests 1024-1024;
}
udp-queries {
retries {
interval 1-1;
attempts 1-1;
}
}
}
}
dhcp {
interface {
REPEAT...
<name> {
server {
mode enabled|disabled|auto;
probe-ip yes|no;
option {
lease {
unlimited;
OR...
timeout 0-65535;
}
dns [ <dns1> <dns2>... ];
wins [ <wins1> <wins2>... ];
nis [ <nis1> <nis2>... ];
ntp [ <ntp1> <ntp2>... ];
gateway <ip/netmask>;
pop3-server <ip/netmask>;
smtp-server <ip/netmask>;
dns-suffix <value>;
}
ip-pool [ <ip-pool1> <ip-pool2>... ];
reserved {
REPEAT...
<name> {
mac <value>;
}
}
}
OR...
relay {
enabled yes|no;
server [ <server1> <server2>... ];
}
}
}
}
shared-gateway {
REPEAT...
<name> {
display-name <value>;
import {
network {
Palo Alto Networks
227

}
}
zone {
REPEAT...
<name> {
dos-profile <value>;
dos-log-setting <value>;
network {
zone-protection-profile <value>;
log-setting <value>;
layer3 [ <layer31> <layer32>... ];
OR...
external [ <external1> <external2>... ];
}
user-acl {
include-list [ <include-list1> <include-list2>... ];
exclude-list [ <exclude-list1> <exclude-list2>... ];
}
}
}
address {
REPEAT...
<name> {
ip-netmask <ip/netmask>;
OR...
ip-range <ip-range>;
}
}
address-group {
REPEAT...
<name> [ <entry1> <entry2>... ];
}
log-settings {
snmptrap {
REPEAT...
<name> {
server {
REPEAT...
<name> {
manager <value>;
community <value>;
}
}
}
}
syslog {
REPEAT...
<name> {
server {
REPEAT...
<name> {
server <value>;
port 1-1;
228
Palo Alto Networks
facility
LOG_USER|LOG_LOCAL0|LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL
4|LOG_LOCAL5|LOG_LOCAL6|LOG_LOCAL7;
}
}
}
}
email {
REPEAT...
<name> {
server {
REPEAT...
<name> {
from <value>;
to <value>;
and-also-to <value>;
gateway <value>;
}
}
}
}
profiles {
REPEAT...
<name> {
alarm {
informational {
send-to-panorama yes|no;
send-snmptrap {
using-snmptrap-setting <value>;
}
send-email {
using-email-setting <value>;
}
send-syslog {
using-syslog-setting <value>;
}
}
low {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
medium {
send-snmptrap {
Palo Alto Networks
229
}
send-email {
}
send-syslog {
}
}
high {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
critical {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
}
traffic {
any {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
}
}
}
}
rulebase {
nat {
rules {
REPEAT...
230
Palo Alto Networks
<name> {
from [ <from1> <from2>... ];
to [ <to1> <to2>... ];
to-interface <value>;
source [ <source1> <source2>... ];
service <value>;
source-translation {
dynamic-ip-and-port {
translated-address [ <translated-address1> <translated-address2>... ];
OR...
interface-address {
interface <value>;
ip <value>;
}
}
OR...
dynamic-ip {
translated-address <value><ip/netmask><ip-range>;
}
OR...
static-ip {
bi-directional yes|no;
}
}
destination-translation {
translated-port 1-1;
}
disabled yes|no;
}
}
}
pbf {
rules {
REPEAT...
<name> {
from {
zone [ <zone1> <zone2>... ];
OR...
}
source-user [ <source-user1> <source-user2>... ];
service [ <service1> <service2>... ];
application [ <application1> <application2>... ];
action {
forward {
egress-interface <value>;
nexthop {
Palo Alto Networks
231
}
monitor {
profile <value>;
disable-if-unreachable yes|no;
}
}
OR...
discard;
OR...
no-pbf;
}
schedule <value>;
disabled yes|no;
negate-source yes|no;
negate-destination yes|no;
}
}
}
}
service {
REPEAT...
<name> {
protocol {
tcp {
port <0-65535,...>;
}
OR...
udp {
port <0-65535,...>;
}
}
}
}
service-group {
REPEAT...
}
}
}
}
predefined {
signature {
REPEAT...
<name> {
application <value>;
protocol <value>;
dynamic yes|no;
rules {
REPEAT...
<name> {
232
Palo Alto Networks
direction client-to-server|server-to-client|any;
match {
string {
pattern <value>;
encrypt yes|no;
ignore-case yes|no;
offset 0-65535;
depth 0-65535;
per-packet-match yes|no;
payload-length-validate {
byte-offset 0-65535;
discount 0-65535;
number-of-bytes 1|2|3|4;
endian little|big;
}
source-port-validate {
endian little|big;
}
}
header {
source-ip <value>;
destination-ip <value>;
source-port <value>;
destination-port <value>;
l3-payload-length <value>;
packet-sequence <value>;
}
}
}
}
rule-match match-in-order|match-all|match-any;
}
}
application-type {
REPEAT...
category {
<name> {
}
}
technology {
<name> {
}
}
}
url-categories {
REPEAT...
<name> {
malware yes|no;
}
Palo Alto Networks
233
}
sig-default {
default-parent-app <value>;
}
private-application {
REPEAT...
<name> {
correlate {
key-by [ <key-by1> <key-by2>... ];
rule-match match-all|match-any;
interval 1-1;
rules {
REPEAT...
entry {
protocol tcp|udp;
interval 1-1;
threshold 1-1;
track-by [ <track-by1> <track-by2>... ];
}
}
}
default {
port [ <port1> <port2>... ];
OR...
ident-by-ip-protocol <0-65535,...>;
OR...
ident-by-icmp-type <0-65535,...>;
OR...
ident-by-icmp6-type <0-65535,...>;
}
tunnel-applications [ <tunnel-applications1> <tunnel-applications2>... ];
deny-action drop|drop-reset;
use-applications [ <use-applications1> <use-applications2>... ];
application-container [ <application-container1> <application-container2>... ];
alg yes|no;
appident yes|no;
virus-ident yes|no;
spyware-ident yes|no;
child <value>;
decode <value>;
threat-id <1-1,...>;
per-direction-regex yes|no;
enable-ssl-decryption yes|no;
enable-source-cache yes|no;
preemptive yes|no;
ident-by-sport yes|no;
ident-by-dport yes|no;
ident-by-sport-potential yes|no;
ident-by-dport-potential yes|no;
source-cache-timeout 0-65535;
source-cache-threshold 0-65535;
risk 1-1;
type <value>;
category <value>;
234
Palo Alto Networks
timeout 0-65535;
tcp-timeout 0-65535;
udp-timeout 0-65535;
discard-timeout 0-65535;
tcp-discard-timeout 0-65535;
udp-discard-timeout 0-65535;
evasive-behavior yes|no;
consume-big-bandwidth yes|no;
carry-malware yes|no;
used-by-malware yes|no;
able-to-transfer-file yes|no;
has-known-vulnerability yes|no;
tunnel-other-application yes|no;
report-as <value>;
prone-to-misuse yes|no;
pervasive-use yes|no;
references {
REPEAT...
<name> {
link <value>;
}
}
reference <value>;
}
}
application {
REPEAT...
<name> {
correlate {
key-by [ <key-by1> <key-by2>... ];
rule-match match-all|match-any;
interval 1-1;
rules {
REPEAT...
entry {
protocol tcp|udp;
interval 1-1;
threshold 1-1;
track-by [ <track-by1> <track-by2>... ];
}
}
}
default {
OR...
OR...
OR...
}
tunnel-applications [ <tunnel-applications1> <tunnel-applications2>... ];
deny-action drop|drop-reset;
Palo Alto Networks
235
use-applications [ <use-applications1> <use-applications2>... ];

application-container [ <application-container1> <application-container2>... ];
alg yes|no;
appident yes|no;
virus-ident yes|no;
decode <value>;
threat-id <1-1,...>;
per-direction-regex yes|no;
preemptive yes|no;
ident-by-sport yes|no;
ident-by-dport yes|no;
ident-by-sport-potential yes|no;
ident-by-dport-potential yes|no;
risk 1-1;
type <value>;
category <value>;
subcategory <value>;
technology <value>;
timeout 0-65535;
discard-timeout 0-65535;
tcp-discard-timeout 0-65535;
udp-discard-timeout 0-65535;
carry-malware yes|no;
references {
REPEAT...
<name> {
link <value>;
}
}
reference <value>;
}
}
application-group {
REPEAT...
<name> {
member <value>;
}
}
application-container {
REPEAT...
<name> {
236
Palo Alto Networks
references {
REPEAT...
<name> {
link <value>;
}
}
functions [ <functions1> <functions2>... ];
}
}
profiles {
virus {
REPEAT...
<name> {
decoder {
REPEAT...
<name> {
action default|allow|alert|block;
}
}
application {
REPEAT...
<name> {
}
}
}
}
spyware {
REPEAT...
<name> {
phone-home-detection {
simple {
critical default|allow|alert|block;
high default|allow|alert|block;
medium default|allow|alert|block;
low default|allow|alert|block;
informational default|allow|alert|block;
}
OR...
custom {
REPEAT...
<name> {
packet-capture yes|no;
action default|alert|drop|drop-all-packets|reset-both|reset-client|reset-server;
}
}
}
}
}
vulnerability {
REPEAT...
<name> {
Palo Alto Networks
237
simple {
client {
}
server {
}
}
OR...
custom {
REPEAT...
<name> {
}
}
}
}
url-filtering {
REPEAT...
<name> {
dynamic-url yes|no;
license-expired block|allow;
action block|continue|override|alert|allow;
block-list [ <block-list1> <block-list2>... ];
allow-list [ <allow-list1> <allow-list2>... ];
allow [ <allow1> <allow2>... ];
alert [ <alert1> <alert2>... ];
block [ <block1> <block2>... ];
continue [ <continue1> <continue2>... ];
override [ <override1> <override2>... ];
}
}
}
profile-group {
REPEAT...
<name> {
virus [ <virus1> <virus2>... ];
spyware [ <spyware1> <spyware2>... ];
vulnerability [ <vulnerability1> <vulnerability2>... ];
url-filtering [ <url-filtering1> <url-filtering2>... ];
}
}
service {
238
Palo Alto Networks
REPEAT...
<name> {
protocol {
any;
OR...
tcp {
port <0-65535,...>;
}
OR...
udp {
port <0-65535,...>;
}
OR...
ip {
ip-protocol <0-65535,...>;
}
}
}
}
service-group {
REPEAT...
}
reports {
REPEAT...
<name> {
disabled yes|no;
query <value>;
caption <value>;
frequency daily|weekly;
start-time <value>;
end-time <value>;
delta 1-1;
period last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-calendarday|last-7-days|last-7-calendar-days|last-calendar-week|last-30-days;
topn 1-1;
topm 1-1;
type {
appstat {
aggregate-by [ <aggregate-by1> <aggregate-by2>... ];
group-by category-of-name|name|risk|subcategory-of-name|technology-ofname|container-of-name|quarter-hour-of-receive_time|hour-of-receive_time|day-ofreceive_time;
values [ <values1> <values2>... ];
labels [ <labels1> <labels2>... ];
sortby nbytes|npkts|nsess|nthreats;
}
OR...
threat {
Palo Alto Networks
239
group-by action|app|category|category-ofapp|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|natsrc|o
utbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-ofapp|subtype|technology-of-app|container-of-app|threatid|to|vsys|quarter-hour-ofreceive_time|hour-of-receive_time|day-of-receive_time;
sortby repeatcnt;
}
OR...
thsum {
group-by app|category-of-app|dst|dstuser|risk-of-app|rule|severity-ofthreatid|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-ofapp|threatid|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
sortby count;
}
OR...
traffic {
group-by action|app|category|category-ofapp|dport|dst|dstuser|flags|from|inbound_if|natdport|natdst|natsport|natsrc|outboun
d_if|proto|risk-of-app|rule|sport|src|srcuser|subcategory-of-app|technology-ofapp|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-ofreceive_time;
sortby bytes|elapsed|packets|repeatcnt;
}
OR...
trsum {
group-by app|category|category-of-app|dst|dstuser|from|risk-ofapp|rule|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|quarterhour-of-receive_time|hour-of-receive_time|day-of-receive_time;
sortby bytes|sessions;
}
}
}
}
threats {
phone-home {
REPEAT...
<name> {
category <value>;
severity critical|high|medium|low|informational;
host client|server;
app <value>;
}
}
240
Palo Alto Networks
vulnerability {
REPEAT...
<name> {
category code-execution|overflow|sql-injection|info-leak|email-worm|networm|adware|keylogger|datatheft|phishing|spam|botnet|rootkit|trojan|backdoor|virus|emailflooder|spamtool|hacktool|dos|suspicious|other-malware|user-defined;
severity critical|high|medium|low|informational;
affected-host {
client yes|no;
server yes|no;
}
}
}
}
ssl-exclude-cert [ <ssl-exclude-cert1> <ssl-exclude-cert2>... ];
}
shared {
local-user-database {
user {
REPEAT...
<name> {
phash <value>;
disabled yes|no;
}
}
user-group {
REPEAT...
<name> {
user [ <user1> <user2>... ];
}
}
}
authentication-profile {
REPEAT...
<name> {
non-admin-authentication yes|no;
lockout {
failed-attempts 1-1;
lockout-time 0-65535;
}
method {
acl;
OR...
local-database;
OR...
radius {
server-profile <value>;
}
OR...
ldap {
Palo Alto Networks
241
login-attribute <value>;
}
}
}
}
client-certificate-profile {
REPEAT...
<name> {
username-field {
subject common-name;
OR...
subject-alt email|principal-name;
}
domain <value>;
CA {
REPEAT...
<name> {
default-ocsp-url <value>;
ocsp-verify-ca <value>;
}
}
use-crl yes|no;
use-ocsp yes|no;
}
}
override {
application {
REPEAT...
<name> {
timeout 0-65535;
risk 1-1;
}
}
}
signature {
REPEAT...
<name> {
engine-version <value>;
protocol <value>;
rules {
REPEAT...
<name> {
direction client-to-server|server-to-client|any;
match {
string {
242
Palo Alto Networks
pattern <value>;
ignore-case yes|no;
offset 0-65535;
depth 0-65535;
per-packet-match yes|no;
payload-length-validate {
discount 1-1;
number-of-bytes 1|2|4;
endian little|big;
}
}
OR...
header {
source-ip <value>;
destination-ip <value>;
source-port <value>;
destination-port <value>;
}
}
}
rule-match match-in-order|match-all|match-any;
}
}
}
cert {
REPEAT...
<name> {
vsys <value>;
common-name <value>;
expires <value>;
}
}
cacert {
REPEAT...
<name> {
vsys <value>;
expires <value>;
}
}
caccacert {
REPEAT...
<name> {
vsys <value>;
expires <value>;
}
}
cacverifyca {
REPEAT...
<name> {
Palo Alto Networks
243
vsys <value>;
expires <value>;
}
}
importcert {
REPEAT...
<name> {
vsys <value>;
expires <value>;
}
}
allowed-applications {
enable-all {
except [ <except1> <except2>... ];
}
OR...
disable-all {
except [ <except1> <except2>... ];
}
}
address {
REPEAT...
<name> {
OR...
}
}
address-group {
REPEAT...
}
threats {
vulnerability {
REPEAT...
<name> {
threatname <value>;
affected-host {
client yes|no;
server yes|no;
}
comment <value>;
severity <value>;
direction <value>;
default-action alert|reset-client|reset-server|reset-both|drop-packets;
cve [ <cve1> <cve2>... ];
bugtraq [ <bugtraq1> <bugtraq2>... ];
vendor [ <vendor1> <vendor2>... ];
reference [ <reference1> <reference2>... ];
signature {
REPEAT...
<name> {
244
Palo Alto Networks
comment <value>;
scope protocol-data-unit|session;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
operator {
less-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
equal-to {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
greater-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
Palo Alto Networks
245
}
}
}
}
}
}
}
}
spyware {
REPEAT...
<name> {
threatname <value>;
comment <value>;
severity <value>;
direction <value>;
cve [ <cve1> <cve2>... ];
signature {
REPEAT...
<name> {
comment <value>;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
operator {
less-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
equal-to {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
246
Palo Alto Networks
OR...
greater-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
}
}
application {
REPEAT...
<name> {
default {
OR...
OR...
OR...
}
category <value>;
technology <value>;
timeout 0-65535;
risk 1-1;
Palo Alto Networks
247
tunnel-applications yes|no;
file-type-ident yes|no;
virus-ident yes|no;
data-ident yes|no;
parent-app <value>;
signature {
REPEAT...
<name> {
comment <value>;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
application-filter {
REPEAT...
<name> {
category [ <category1> <category2>... ];
subcategory [ <subcategory1> <subcategory2>... ];
technology [ <technology1> <technology2>... ];
evasive yes;
excessive-bandwidth-use yes;
used-by-malware yes;
transfers-files yes;
has-known-vulnerabilities yes;
tunnels-other-apps yes;
248
Palo Alto Networks
prone-to-misuse yes;
pervasive yes;
risk [ <risk1> <risk2>... ];
}
}
application-group {
REPEAT...
}
service {
REPEAT...
<name> {
protocol {
tcp {
port <0-65535,...>;
}
OR...
udp {
port <0-65535,...>;
}
}
}
}
service-group {
REPEAT...
}
server-profile {
ldap {
REPEAT...
<name> {
non-admin-use yes|no;
server {
REPEAT...
<name> {
address <ip/netmask><value>;
port 1-1;
}
}
ssl yes|no;
base <value>;
bind-dn <value>;
bind-password <value>;
timelimit 1-1;
bind-timelimit 1-1;
retry-interval 1-1;
}
}
radius {
REPEAT...
<name> {
domain <value>;
timeout 1-1;
Palo Alto Networks
249
retries 1-1;
checkgroup yes|no;
server {
REPEAT...
<name> {
port 0-65535;
secret <value>;
}
}
}
}
}
log-settings {
snmptrap {
REPEAT...
<name> {
server {
REPEAT...
<name> {
manager <value>;
community <value>;
}
}
}
}
syslog {
REPEAT...
<name> {
server {
REPEAT...
<name> {
server <value>;
port 1-1;
facility
}
}
}
}
email {
REPEAT...
<name> {
server {
REPEAT...
<name> {
from <value>;
to <value>;
gateway <value>;
}
}
250
Palo Alto Networks
}
}
system {
informational {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
low {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
medium {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
high {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
critical {
send-snmptrap {
Palo Alto Networks
251
}
send-email {
}
send-syslog {
}
}
}
config {
any {
send-email {
}
send-syslog {
}
}
}
profiles {
REPEAT...
<name> {
alarm {
informational {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
low {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
medium {
send-snmptrap {
}
252
Palo Alto Networks
send-email {
}
send-syslog {
}
}
high {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
critical {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
}
traffic {
any {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
}
}
}
}
profiles {
virus {
REPEAT...
<name> {
Palo Alto Networks
253
decoder {
REPEAT...
<name> {
}
}
application {
REPEAT...
<name> {
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
spyware {
REPEAT...
<name> {
simple {
}
OR...
custom {
REPEAT...
<name> {
}
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
vulnerability {
REPEAT...
<name> {
simple {
client {
254
Palo Alto Networks
}
server {
}
}
OR...
custom {
REPEAT...
<name> {
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
url-filtering {
REPEAT...
<name> {
dynamic-url yes|no;
}
}
file-blocking {
REPEAT...
<name> {
rules {
REPEAT...
<name> {
file-type [ <file-type1> <file-type2>... ];
direction upload|download|both;
Palo Alto Networks
255
action alert|block;
}
}
}
}
custom-url-category {
REPEAT...
<name> {
list [ <list1> <list2>... ];
}
}
data-objects {
REPEAT...
<name> {
credit-card-numbers {
weight 0-65535;
}
social-security-numbers {
weight 0-65535;
}
social-security-numbers-without-dash {
weight 0-65535;
}
pattern {
REPEAT...
<name> {
regex <value>;
weight 0-65535;
}
}
}
}
data-filtering {
REPEAT...
<name> {
data-capture yes|no;
rules {
REPEAT...
<name> {
data-object <value>;
alert-threshold 0-65535;
block-threshold 0-65535;
}
}
}
}
}
admin-role {
256
Palo Alto Networks
REPEAT...
<name> {
role {
device {
webui {
dashboard enable|disable;
acc enable|disable;
monitor {
logs {
traffic enable|disable;
threat enable|disable;
url enable|disable;
configuration enable|disable;
system enable|disable;
data-filtering enable|disable;
}
app-scope enable|disable;
session-browser enable|disable;
pdf-reports {
manage-pdf-summary enable|disable;
pdf-summary-reports enable|disable;
user-activity-report enable|disable;
report-groups enable|disable;
email-scheduler enable|disable;
}
custom-reports {
application-statistics enable|disable;
data-filtering-log enable|disable;
threat-log enable|disable;
threat-summary enable|disable;
traffic-log enable|disable;
traffic-summary enable|disable;
url-log enable|disable;
}
view-custom-reports enable|disable;
application-reports enable|disable;
threat-reports enable|disable;
url-filtering-reports enable|disable;
traffic-reports enable|disable;
}
policies {
security-rulebase enable|read-only|disable;
nat-rulebase enable|read-only|disable;
ssl-decryption-rulebase enable|read-only|disable;
application-override-rulebase enable|read-only|disable;
captive-portal-rulebase enable|read-only|disable;
qos-rulebase enable|read-only|disable;
pbf-rulebase enable|read-only|disable;
}
objects {
addresses enable|read-only|disable;
address-groups enable|read-only|disable;
applications enable|read-only|disable;
Palo Alto Networks
257
application-groups enable|read-only|disable;
application-filters enable|read-only|disable;
services enable|read-only|disable;
service-groups enable|read-only|disable;
custom-url-category enable|read-only|disable;
custom-signatures {
data-patterns enable|read-only|disable;
spyware enable|read-only|disable;
vulnerability enable|read-only|disable;
}
security-profiles {
antivirus enable|read-only|disable;
anti-spyware enable|read-only|disable;
vulnerability-protection enable|read-only|disable;
url-filtering enable|read-only|disable;
file-blocking enable|read-only|disable;
data-filtering enable|read-only|disable;
}
security-profile-groups enable|read-only|disable;
log-forwarding enable|read-only|disable;
schedules enable|read-only|disable;
}
network {
interfaces enable|read-only|disable;
zones enable|read-only|disable;
vlans enable|read-only|disable;
virtual-wires enable|read-only|disable;
virtual-routers enable|read-only|disable;
ipsec-tunnels enable|read-only|disable;
dhcp enable|read-only|disable;
ssl-vpn enable|read-only|disable;
qos enable|read-only|disable;
network-profiles {
ike-gateways enable|read-only|disable;
ipsec-crypto enable|read-only|disable;
ike-crypto enable|read-only|disable;
tunnel-monitor enable|read-only|disable;
interface-mgmt enable|read-only|disable;
zone-protection enable|read-only|disable;
qos-profile enable|read-only|disable;
}
}
device {
setup enable|read-only|disable;
config-audit enable|disable;
admin-roles enable|read-only|disable;
administrators enable|read-only|disable;
virtual-systems enable|read-only|disable;
shared-gateways enable|read-only|disable;
user-identification enable|read-only|disable;
high-availability enable|read-only|disable;
certificates enable|read-only|disable;
block-pages enable|read-only|disable;
log-settings {
258
Palo Alto Networks
system enable|read-only|disable;
config enable|read-only|disable;
}
server-profile {
snmp-trap enable|read-only|disable;
syslog enable|read-only|disable;
email enable|read-only|disable;
radius enable|read-only|disable;
ldap enable|read-only|disable;
}
users enable|read-only|disable;
user-groups enable|read-only|disable;
}
authentication-profile enable|read-only|disable;
client-certificate-profile enable|read-only|disable;
access-domain enable|read-only|disable;
scheduled-log-export enable|disable;
software enable|read-only|disable;
ssl-vpn-client enable|read-only|disable;
dynamic-updates enable|read-only|disable;
licenses enable|read-only|disable;
support enable|read-only|disable;
}
privacy {
show-full-ip-addresses enable|disable;
show-user-names-in-logs-and-reports enable|disable;
view-pcap-files enable|disable;
}
commit enable|disable;
}
cli superuser|superreader|deviceadmin|devicereader;
}
OR...
vsys {
webui {
acc enable|disable;
monitor {
logs {
url enable|disable;
}
}
policies {
pbf-rulebase enable|read-only|disable;
Palo Alto Networks
259
}
objects {
addresse-groups enable|read-only|disable;
custom-signatures {
}
security-profiles {
}
}
network {
}
device {
setup read-only|disable;
administrators enable|disable;
user-identification read-only|disable;
log-settings {
system read-only|disable;
config read-only|disable;
}
server-profile {
}
}
authentication-profile enable|disable;
client-certificate-profile enable|disable;
access-domain enable|disable;
}
260
Palo Alto Networks
privacy {
}
}
cli vsysadmin|vsysreader;
}
}
}
}
profile-group {
REPEAT...
<name> {
file-blocking [ <file-blocking1> <file-blocking2>... ];
data-filtering [ <data-filtering1> <data-filtering2>... ];
}
}
schedule {
REPEAT...
<name> {
recurring {
weekly {
sunday [ <sunday1> <sunday2>... ];
monday [ <monday1> <monday2>... ];
tuesday [ <tuesday1> <tuesday2>... ];
wednesday [ <wednesday1> <wednesday2>... ];
thursday [ <thursday1> <thursday2>... ];
friday [ <friday1> <friday2>... ];
saturday [ <saturday1> <saturday2>... ];
}
OR...
daily [ <daily1> <daily2>... ];
}
OR...
non-recurring [ <non-recurring1> <non-recurring2>... ];
}
}
report-group {
REPEAT...
<name> {
title-page yes|no;
predefined user-activity-report;
OR...
custom-widget {
REPEAT...
<name> {
predefined-report <value>;
OR...
Palo Alto Networks
261
custom-report <value>;
OR...
pdf-summary-report <value>;
OR...
log-view <value>;
}
}
variable {
REPEAT...
<name> {
value <value>;
}
}
}
}
email-scheduler {
REPEAT...
<name> {
report-group <value>;
email-profile <value>;
recipient-emails <value>;
recurring {
disabled;
OR...
daily;
OR...
weekly sunday|monday|tuesday|wednesday|thursday|friday|saturday;
}
}
}
pdf-summary-report {
REPEAT...
<name> {
header {
caption <value>;
}
footer {
note <value>;
}
predefined-widget {
REPEAT...
<name> {
chart-type pie|line|bar|table;
row 1-1;
column 1-1;
}
}
custom-widget {
REPEAT...
<name> {
row 1-1;
column 1-1;
}
262
Palo Alto Networks
}
}
}
reports {
REPEAT...
<name> {
disabled yes|no;
query <value>;
caption <value>;
start-time <value>;
end-time <value>;
period last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24-hrs|last-calendarday|last-7-days|last-7-calendar-days|last-calendar-week|last-30-days;
topn 1-1;
topm 1-1;
type {
appstat {
group-by category-of-name|name|risk|risk-of-name|subcategory-ofname|technology-of-name|container-of-name|vsys|quarter-hour-of-receive_time|hour-ofreceive_time|day-of-receive_time;
}
OR...
threat {
group-by action|app|category-ofapp|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport
|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-ofapp|subtype|technology-of-app|container-of-app|threatid|to|vsys|quarter-hour-ofreceive_time|hour-of-receive_time|day-of-receive_time;
sortby repeatcnt;
}
OR...
url {
group-by action|app|category|category-ofapp|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport
|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-ofapp|technology-of-app|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-ofreceive_time|day-of-receive_time;
sortby repeatcnt;
}
OR...
data {
Palo Alto Networks
263
group-by action|app|category-ofapp|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport
|natsrc|outbound_if|proto|risk-of-app|rule|severity|sport|src|srcuser|subcategory-ofapp|subtype|technology-of-app|container-of-app|threatid|to|vsys|quarter-hour-ofreceive_time|hour-of-receive_time|day-of-receive_time;
sortby repeatcnt;
}
OR...
thsum {
group-by app|category-of-app|dst|dstuser|from|risk-of-app|rule|severity-ofthreatid|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-ofapp|to|threatid|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-ofreceive_time;
sortby count;
}
OR...
traffic {
group-by action|app|category|category-ofapp|dport|dst|dstuser|flags|from|inbound_if|natdport|natdst|natsport|natsrc|outboun
d_if|proto|risk-of-app|rule|sessionid|sport|src|srcuser|subcategory-of-app|technologyof-app|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|dayof-receive_time;
}
OR...
trsum {
group-by app|category|category-of-app|dst|dstuser|from|risk-ofapp|rule|src|srcuser|subcategory-of-app|technology-of-app|container-ofapp|to|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time;
}
}
}
}
}
vsys {
REPEAT...
<name> {
setting {
nat {
264
Palo Alto Networks
reserve-ip yes|no;
reserve-time 1-1;
}
ssl-decrypt {
url-proxy yes|no;
notify-user yes|no;
answer-timeout 1-1;
crl yes|no;
ocsp yes|no;
}
}
import {
network {
virtual-wire [ <virtual-wire1> <virtual-wire2>... ];
vlan [ <vlan1> <vlan2>... ];
virtual-router [ <virtual-router1> <virtual-router2>... ];
}
resource {
max-sessions 0-65535;
}
visible-vsys [ <visible-vsys1> <visible-vsys2>... ];
}
pan-agent {
REPEAT...
<name> {
port 1-1;
link-speed fast|medium|slow;
}
}
ts-agent {
REPEAT...
<name> {
port 1-1;
ip-list [ <ip-list1> <ip-list2>... ];
}
}
userid-agent {
REPEAT...
<name> {
port 1-1;
disabled yes|no;
}
}
ldap-server {
REPEAT...
<name> {
Palo Alto Networks
265
disabled yes|no;
domain <value>;
group-filter <value>;
user-filter <value>;
update-interval 60-60;
group-object [ <group-object1> <group-object2>... ];
group-member [ <group-member1> <group-member2>... ];
group-name [ <group-name1> <group-name2>... ];
user-object [ <user-object1> <user-object2>... ];
user-name [ <user-name1> <user-name2>... ];
}
}
captive-portal {
enable-captive-portal yes|no;
idle-timer 5-5;
timer 5-5;
server-certificate <value>;
mode {
transparent;
OR...
redirect {
session-cookie {
enable yes|no;
timeout 60-60;
roaming yes|no;
}
}
}
ntlm-auth {
pan-agent <value>;
hostname <value>;
}
}
url-admin-override {
password <value>;
mode {
transparent;
OR...
redirect {
}
}
}
user {
REPEAT...
<name> {
phash <value>;
disabled yes|no;
}
266
Palo Alto Networks
}
user-group {
REPEAT...
<name> {
user [ <user1> <user2>... ];
}
}
}
REPEAT...
<name> {
lockout {
}
method {
acl;
OR...
local-database;
OR...
radius {
}
OR...
ldap {
}
}
}
}
REPEAT...
<name> {
username-field {
OR...
}
domain <value>;
CA {
REPEAT...
<name> {
}
}
use-crl yes|no;
use-ocsp yes|no;
Palo Alto Networks
267
}
}
ssl-vpn {
REPEAT...
<name> {
roles {
REPEAT...
<name> {
client-max-bandwidth {
client-to-gateway <float>;
gateway-to-client <float>;
}
login-lifetime {
minutes 3-3;
OR...
hours 1-1;
OR...
days 1-1;
}
inactivity-logout {
minutes 3-3;
OR...
hours 1-1;
OR...
days 1-1;
}
}
}
}
}
zone {
REPEAT...
<name> {
enable-user-identification yes|no;
dos-profile <value>;
dos-log-setting <value>;
network {
zone-protection-profile <value>;
tap [ <tap1> <tap2>... ];
OR...
virtual-wire [ <virtual-wire1> <virtual-wire2>... ];
OR...
OR...
OR...
external [ <external1> <external2>... ];
}
user-acl {
268
Palo Alto Networks
include-list [ <include-list1> <include-list2>... ];

exclude-list [ <exclude-list1> <exclude-list2>... ];
}
}
}
address {
REPEAT...
<name> {
OR...
}
}
address-group {
REPEAT...
}
user {
REPEAT...
<name>;
}
user-group {
REPEAT...
}
cert {
REPEAT...
<name> {
vsys <value>;
expires <value>;
}
}
cacert {
REPEAT...
<name> {
vsys <value>;
expires <value>;
}
}
caccacert {
REPEAT...
<name> {
vsys <value>;
expires <value>;
}
}
cacverifyca {
REPEAT...
<name> {
vsys <value>;
Palo Alto Networks
269
expires <value>;
}
}
importcert {
REPEAT...
<name> {
vsys <value>;
expires <value>;
}
}
server-profile {
ldap {
REPEAT...
<name> {
server {
REPEAT...
<name> {
port 1-1;
}
}
ssl yes|no;
disabled yes|no;
base <value>;
bind-dn <value>;
bind-password <value>;
timelimit 1-1;
bind-timelimit 1-1;
retry-interval 1-1;
}
}
radius {
REPEAT...
<name> {
domain <value>;
timeout 1-1;
retries 1-1;
checkgroup yes|no;
server {
REPEAT...
<name> {
secret <value>;
port 0-65535;
}
}
}
}
}
log-settings {
snmptrap {
REPEAT...
<name> {
270
Palo Alto Networks
server {
REPEAT...
<name> {
manager <value>;
community <value>;
}
}
}
}
syslog {
REPEAT...
<name> {
server {
REPEAT...
<name> {
server <value>;
port 1-1;
facility
}
}
}
}
email {
REPEAT...
<name> {
server {
REPEAT...
<name> {
from <value>;
to <value>;
gateway <value>;
}
}
}
}
profiles {
REPEAT...
<name> {
alarm {
informational {
send-snmptrap {
}
send-email {
}
send-syslog {
}
Palo Alto Networks
271
}
low {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
medium {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
high {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
critical {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
}
traffic {
any {
send-snmptrap {
272
Palo Alto Networks
}
send-email {
}
send-syslog {
}
}
}
}
}
}
schedule {
REPEAT...
<name> {
recurring {
weekly {
}
OR...
}
OR...
}
}
rulebase {
security {
rules {
REPEAT...
<name> {
to [ <to1> <to2>... ];
action deny|allow;
option {
disable-server-response-inspection yes|no;
}
schedule <value>;
profile-setting {
Palo Alto Networks
273
profiles {
}
OR...
group [ <group1> <group2>... ];
}
qos {
marking {
ip-dscp <value>;
OR...
ip-precedence <value>;
}
}
disabled yes|no;
log-start yes|no;
log-end yes|no;
}
}
}
nat {
rules {
REPEAT...
<name> {
to [ <to1> <to2>... ];
to-interface <value>;
service <value>;
source-translation {
dynamic-ip-and-port {
translated-address [ <translated-address1> <translated-address2>... ];
OR...
interface-address {
interface <value>;
ip <value>;
}
}
OR...
dynamic-ip {
}
OR...
static-ip {
bi-directional yes|no;
}
}
274
Palo Alto Networks
destination-translation {
translated-port 1-1;
}
disabled yes|no;
}
}
}
qos {
rules {
REPEAT...
<name> {
to [ <to1> <to2>... ];
action {
class 1|2|3|4|5|6|7|8;
}
schedule <value>;
disabled yes|no;
}
}
}
application-override {
rules {
REPEAT...
<name> {
to [ <to1> <to2>... ];
protocol tcp|udp;
port <0-65535,...>;
disabled yes|no;
}
}
}
ssl-decryption {
rules {
REPEAT...
<name> {
to [ <to1> <to2>... ];
Palo Alto Networks
275

action decrypt|no-decrypt;
disabled yes|no;
reverse-key <value>;
}
}
}
pbf {
rules {
REPEAT...
<name> {
from {
zone [ <zone1> <zone2>... ];
OR...
}
action {
forward {
egress-interface <value>;
nexthop {
}
monitor {
profile <value>;
disable-if-unreachable yes|no;
}
}
OR...
discard;
OR...
no-pbf;
}
schedule <value>;
disabled yes|no;
}
}
}
captive-portal {
rules {
REPEAT...
276
Palo Alto Networks
<name> {
to [ <to1> <to2>... ];
action captive-portal|no-captive-portal|ntlm-auth;
disabled yes|no;
}
}
}
}
threats {
vulnerability {
REPEAT...
<name> {
threatname <value>;
affected-host {
client yes|no;
server yes|no;
}
comment <value>;
severity <value>;
direction <value>;
cve [ <cve1> <cve2>... ];
signature {
REPEAT...
<name> {
comment <value>;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
operator {
less-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
Palo Alto Networks
277
OR...
equal-to {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
greater-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
}
spyware {
REPEAT...
<name> {
threatname <value>;
comment <value>;
severity <value>;
direction <value>;
cve [ <cve1> <cve2>... ];
278
Palo Alto Networks
signature {
REPEAT...
<name> {
comment <value>;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
operator {
less-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
equal-to {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
greater-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
Palo Alto Networks
279
}
}
}
}
}
}
}
}
}
}
}
}
application {
REPEAT...
<name> {
default {
OR...
ident-by-ip-protocol 0-65535;
OR...
OR...
}
category <value>;
technology <value>;
timeout 0-65535;
risk 1-1;
virus-ident yes|no;
data-ident yes|no;
parent-app <value>;
signature {
REPEAT...
<name> {
comment <value>;
order-free yes|no;
and-condition {
REPEAT...
280
Palo Alto Networks
<name> {
or-condition {
REPEAT...
<name> {
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
REPEAT...
<name> {
evasive yes;
pervasive yes;
}
}
application-group {
REPEAT...
}
service {
REPEAT...
<name> {
protocol {
tcp {
port <0-65535,...>;
}
OR...
udp {
port <0-65535,...>;
}
Palo Alto Networks
281
}
}
}
service-group {
REPEAT...
}
profiles {
virus {
REPEAT...
<name> {
decoder {
REPEAT...
<name> {
}
}
application {
REPEAT...
<name> {
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
spyware {
REPEAT...
<name> {
simple {
}
OR...
custom {
REPEAT...
<name> {
}
}
}
threat-exception {
282
Palo Alto Networks
REPEAT...
<name>;
}
}
}
vulnerability {
REPEAT...
<name> {
simple {
client {
}
server {
}
}
OR...
custom {
REPEAT...
<name> {
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
url-filtering {
REPEAT...
<name> {
dynamic-url yes|no;
Palo Alto Networks
283
}
}
file-blocking {
REPEAT...
<name> {
rules {
REPEAT...
<name> {
action alert|block;
}
}
}
}
REPEAT...
<name> {
}
}
data-objects {
REPEAT...
<name> {
weight 0-65535;
}
weight 0-65535;
}
weight 0-65535;
}
pattern {
REPEAT...
<name> {
regex <value>;
weight 0-65535;
}
}
}
}
data-filtering {
REPEAT...
<name> {
rules {
REPEAT...
<name> {
284
Palo Alto Networks
}
}
}
}
}
profile-group {
REPEAT...
<name> {
}
}
}
}
Palo Alto Networks
285
Panorama Hierarchy
deviceconfig {
system {
login-banner <value>;
hostname <value>;
domain <value>;
netmask <value>;
ipv6-address <ip/netmask>;
ipv6-default-gateway <ip/netmask>;
dns-primary <ip/netmask>;
dns-secondary <ip/netmask>;
panorama-server <ip/netmask>;
location <value>;
contact <value>;
update-server <value>;
secure-proxy-server <value>;
secure-proxy-port 1-1;
secure-proxy-user <value>;
secure-proxy-password <value>;
snmp-community-string <value>;
geo-location {
latitude <value>;
longitude <value>;
}
service {
disable-http yes|no;
disable-https yes|no;
disable-telnet yes|no;
disable-ssh yes|no;
disable-icmp yes|no;
disable-snmp yes|no;
}
permitted-ip {
REPEAT...
<name>;
}
update-schedule {
threats {
recurring {
daily {
at <value>;
}
OR...
weekly {
day-of-week
sunday|monday|tuesday|wednesday|thursday|friday|saturday;
at <value>;
}
}
286
Palo Alto Networks
}
anti-virus {
recurring {
hourly {
at 0-65535;
}
OR...
daily {
at <value>;
}
OR...
weekly {
day-of-week
sunday|monday|tuesday|wednesday|thursday|friday|saturday;
at <value>;
}
threshold 1-1;
}
}
}
timezone W-SU|CST6CDT|Japan|Portugal|Hongkong|Mideast|Mideast/
Riyadh87|Mideast/Riyadh88|Mideast/Riyadh89|Eire|Poland|Factory|GBEire|America|America/Port_of_Spain|America/Indiana|America/Indiana/
Vevay|America/Indiana/Indianapolis|America/Indiana/Marengo|America/Indiana/
Knox|America/St_Johns|America/Grand_Turk|America/Tijuana|America/
Toronto|America/Araguaina|America/Virgin|America/El_Salvador|America/
Coral_Harbour|America/Jujuy|America/Mexico_City|America/Guyana|America/
Cayman|America/Ensenada|America/Fortaleza|America/Iqaluit|America/
Boa_Vista|America/Chihuahua|America/Nome|America/Cancun|America/
Cayenne|America/Recife|America/Panama|America/Caracas|America/
Costa_Rica|America/Cambridge_Bay|America/Martinique|America/
Yellowknife|America/Godthab|America/Sao_Paulo|America/Edmonton|America/
Fort_Wayne|America/Danmarkshavn|America/Barbados|America/Dawson|America/
Thunder_Bay|America/Tegucigalpa|America/Chicago|America/Guadeloupe|America/
Grenada|America/Anguilla|America/Kentucky|America/Kentucky/
Monticello|America/Kentucky/Louisville|America/Argentina|America/Argentina/
Jujuy|America/Argentina/Ushuaia|America/Argentina/Catamarca|America/
Argentina/San_Juan|America/Argentina/Mendoza|America/Argentina/
La_Rioja|America/Argentina/Buenos_Aires|America/Argentina/Tucuman|America/
Argentina/ComodRivadavia|America/Argentina/Cordoba|America/Argentina/
Rio_Gallegos|America/Mazatlan|America/Regina|America/Montevideo|America/
Catamarca|America/Los_Angeles|America/Campo_Grande|America/Aruba|America/
Manaus|America/Knox_IN|America/Rosario|America/St_Lucia|America/
Hermosillo|America/Denver|America/Detroit|America/Santiago|America/
Shiprock|America/Cuiaba|America/Dominica|America/Porto_Acre|America/
Curacao|America/Belize|America/Merida|America/Swift_Current|America/
Antigua|America/Adak|America/Indianapolis|America/Belem|America/
Miquelon|America/Louisville|America/Bogota|America/New_York|America/
Boise|America/Scoresbysund|America/Mendoza|America/Goose_Bay|America/
Yakutat|America/Eirunepe|America/Winnipeg|America/Buenos_Aires|America/
Menominee|America/Paramaribo|America/Thule|America/Montreal|America/
Jamaica|America/Monterrey|America/St_Thomas|America/Rio_Branco|America/
Lima|America/Juneau|America/La_Paz|America/Vancouver|America/
Rankin_Inlet|America/Puerto_Rico|America/St_Kitts|America/Halifax|America/
Guayaquil|America/Inuvik|America/Noronha|America/Nassau|America/Port-au-
Palo Alto Networks
287
Prince|America/Guatemala|America/Glace_Bay|America/Nipigon|America/
Cordoba|America/Bahia|America/Asuncion|America/Maceio|America/Atka|America/
North_Dakota|America/North_Dakota/Center|America/Managua|America/
Anchorage|America/Montserrat|America/Tortola|America/Dawson_Creek|America/
Santo_Domingo|America/Pangnirtung|America/Whitehorse|America/
St_Vincent|America/Porto_Velho|America/Havana|America/Phoenix|America/
Rainy_River|Indian|Indian/Christmas|Indian/Reunion|Indian/Comoro|Indian/
Cocos|Indian/Mauritius|Indian/Antananarivo|Indian/Mahe|Indian/
Mayotte|Indian/Kerguelen|Indian/Chagos|Indian/Maldives|GMT0|Canada|Canada/
Yukon|Canada/Saskatchewan|Canada/Central|Canada/Eastern|Canada/EastSaskatchewan|Canada/Atlantic|Canada/Pacific|Canada/Mountain|Canada/
Newfoundland|MET|ROK|US|US/Alaska|US/East-Indiana|US/Central|US/Eastern|US/
Samoa|US/Arizona|US/Pacific|US/Aleutian|US/Hawaii|US/Mountain|US/
Michigan|US/Indiana-Starke|MST|Mexico|Mexico/BajaSur|Mexico/General|Mexico/
BajaNorte|EST5EDT|Atlantic|Atlantic/Madeira|Atlantic/Cape_Verde|Atlantic/
St_Helena|Atlantic/Stanley|Atlantic/South_Georgia|Atlantic/
Jan_Mayen|Atlantic/Azores|Atlantic/Reykjavik|Atlantic/Canary|Atlantic/
Faeroe|Atlantic/Bermuda|HST|Antarctica|Antarctica/McMurdo|Antarctica/
Davis|Antarctica/South_Pole|Antarctica/Vostok|Antarctica/Rothera|Antarctica/
Mawson|Antarctica/DumontDUrville|Antarctica/Palmer|Antarctica/
Casey|Antarctica/Syowa|UTC|Iceland|Pacific|Pacific/Honolulu|Pacific/
Truk|Pacific/Niue|Pacific/Wake|Pacific/Apia|Pacific/Majuro|Pacific/
Norfolk|Pacific/Efate|Pacific/Enderbury|Pacific/Palau|Pacific/
Saipan|Pacific/Nauru|Pacific/Kiritimati|Pacific/Tahiti|Pacific/Guam|Pacific/
Tongatapu|Pacific/Fiji|Pacific/Rarotonga|Pacific/Samoa|Pacific/
Fakaofo|Pacific/Guadalcanal|Pacific/Port_Moresby|Pacific/Midway|Pacific/
Galapagos|Pacific/Yap|Pacific/Johnston|Pacific/Marquesas|Pacific/
Noumea|Pacific/Auckland|Pacific/Gambier|Pacific/Kwajalein|Pacific/
Kosrae|Pacific/Wallis|Pacific/Easter|Pacific/Chatham|Pacific/
Funafuti|Pacific/Pago_Pago|Pacific/Tarawa|Pacific/Pitcairn|Pacific/
Ponape|EET|EST|Greenwich|GMT|Cuba|Brazil|Brazil/Acre|Brazil/East|Brazil/
DeNoronha|Brazil/West|Turkey|Arctic|Arctic/Longyearbyen|NZCHAT|Zulu|Israel|Jamaica|Etc|Etc/GMT-14|Etc/GMT+6|Etc/GMT-10|Etc/GMT-2|Etc/
GMT-8|Etc/GMT+4|Etc/GMT0|Etc/GMT-12|Etc/GMT+11|Etc/GMT-11|Etc/GMT+12|Etc/
UTC|Etc/GMT-3|Etc/Greenwich|Etc/GMT-9|Etc/GMT|Etc/GMT+2|Etc/Zulu|Etc/GMT4|Etc/GMT+7|Etc/GMT+1|Etc/GMT+8|Etc/GMT-7|Etc/GMT-6|Etc/GMT+10|Etc/GMT5|Etc/GMT+0|Etc/GMT-1|Etc/GMT+3|Etc/GMT+5|Etc/GMT-13|Etc/UCT|Etc/
Universal|Etc/GMT+9|Etc/GMT-0|NZ|Europe|Europe/Vienna|Europe/Athens|Europe/
Tiraspol|Europe/Lisbon|Europe/Rome|Europe/Bratislava|Europe/Andorra|Europe/
Sofia|Europe/Kaliningrad|Europe/Zurich|Europe/Belfast|Europe/Oslo|Europe/
Samara|Europe/Malta|Europe/Chisinau|Europe/Moscow|Europe/Paris|Europe/
Minsk|Europe/Zaporozhye|Europe/Amsterdam|Europe/Tallinn|Europe/
Uzhgorod|Europe/Brussels|Europe/Vatican|Europe/Vaduz|Europe/
San_Marino|Europe/Nicosia|Europe/Berlin|Europe/Vilnius|Europe/Monaco|Europe/
Istanbul|Europe/Belgrade|Europe/Stockholm|Europe/Riga|Europe/Madrid|Europe/
Gibraltar|Europe/Copenhagen|Europe/Skopje|Europe/Budapest|Europe/
Dublin|Europe/Bucharest|Europe/Helsinki|Europe/Prague|Europe/
Sarajevo|Europe/London|Europe/Tirane|Europe/Zagreb|Europe/Kiev|Europe/
Warsaw|Europe/Ljubljana|Europe/Simferopol|Europe/Mariehamn|Europe/
Luxembourg|Singapore|ROC|Kwajalein|Egypt|PST8PDT|GMT+0|Asia|Asia/
Kuwait|Asia/Kamchatka|Asia/Thimphu|Asia/Macau|Asia/Gaza|Asia/Thimbu|Asia/
Pyongyang|Asia/Vladivostok|Asia/Katmandu|Asia/Sakhalin|Asia/Muscat|Asia/
Ashkhabad|Asia/Ulan_Bator|Asia/Riyadh|Asia/Riyadh87|Asia/Calcutta|Asia/
Yerevan|Asia/Shanghai|Asia/Baghdad|Asia/Makassar|Asia/Oral|Asia/
Hong_Kong|Asia/Jayapura|Asia/Omsk|Asia/Almaty|Asia/Saigon|Asia/Magadan|Asia/
Chungking|Asia/Hovd|Asia/Brunei|Asia/Novosibirsk|Asia/Dacca|Asia/Qatar|Asia/
Ulaanbaatar|Asia/Krasnoyarsk|Asia/Kuching|Asia/Qyzylorda|Asia/Karachi|Asia/
Anadyr|Asia/Yakutsk|Asia/Seoul|Asia/Choibalsan|Asia/Macao|Asia/
Samarkand|Asia/Yekaterinburg|Asia/Aqtobe|Asia/Riyadh88|Asia/Nicosia|Asia/
288
Palo Alto Networks
Pontianak|Asia/Urumqi|Asia/Irkutsk|Asia/Taipei|Asia/Harbin|Asia/
Istanbul|Asia/Colombo|Asia/Tel_Aviv|Asia/Jakarta|Asia/Amman|Asia/
Bahrain|Asia/Tokyo|Asia/Chongqing|Asia/Ashgabat|Asia/Singapore|Asia/
Aqtau|Asia/Baku|Asia/Bishkek|Asia/Dili|Asia/Tbilisi|Asia/Beirut|Asia/
Riyadh89|Asia/Damascus|Asia/Aden|Asia/Dubai|Asia/Manila|Asia/Vientiane|Asia/
Tehran|Asia/Kashgar|Asia/Dushanbe|Asia/Kabul|Asia/Bangkok|Asia/Rangoon|Asia/
Jerusalem|Asia/Dhaka|Asia/Kuala_Lumpur|Asia/Tashkent|Asia/Phnom_Penh|Asia/
Ujung_Pandang|CET|PRC|Africa|Africa/Kinshasa|Africa/Ndjamena|Africa/
Mbabane|Africa/Lagos|Africa/El_Aaiun|Africa/Douala|Africa/Kampala|Africa/
Mogadishu|Africa/Tripoli|Africa/Conakry|Africa/Niamey|Africa/Asmera|Africa/
Khartoum|Africa/Lubumbashi|Africa/Kigali|Africa/Johannesburg|Africa/
Blantyre|Africa/Malabo|Africa/Gaborone|Africa/Lome|Africa/Algiers|Africa/
Addis_Ababa|Africa/Brazzaville|Africa/Dakar|Africa/Nairobi|Africa/
Cairo|Africa/Banjul|Africa/Bamako|Africa/Bissau|Africa/Libreville|Africa/
Sao_Tome|Africa/Casablanca|Africa/Timbuktu|Africa/Nouakchott|Africa/
Freetown|Africa/Monrovia|Africa/Ceuta|Africa/Dar_es_Salaam|Africa/
Lusaka|Africa/Abidjan|Africa/Bujumbura|Africa/Maseru|Africa/Bangui|Africa/
Windhoek|Africa/Accra|Africa/Djibouti|Africa/Ouagadougou|Africa/PortoNovo|Africa/Tunis|Africa/Maputo|Africa/Harare|Africa/
Luanda|UCT|GB|Universal|Australia|Australia/Hobart|Australia/
Lord_Howe|Australia/Perth|Australia/South|Australia/Yancowinna|Australia/
Currie|Australia/Tasmania|Australia/Queensland|Australia/NSW|Australia/
Lindeman|Australia/Melbourne|Australia/Adelaide|Australia/
Victoria|Australia/Canberra|Australia/West|Australia/Brisbane|Australia/
Broken_Hill|Australia/Darwin|Australia/ACT|Australia/North|Australia/
Sydney|Australia/LHI|Iran|WET|Libya|MST7MDT|Chile|Chile/EasterIsland|Chile/
Continental|GMT-0|Navajo;
}
setting {
management {
idle-timeout 1-1;
max-rows-in-csv-export 1-1;
max-backup-versions 1-1;
max-audit-versions 1-1;
panorama-tcp-receive-timeout 1-1;
panorama-tcp-send-timeout 1-1;
panorama-ssl-send-retries 1-1;
}
}
}
mgt-config {
users {
REPEAT...
<name> {
phash <value>;
client-certificate-only yes|no;
preferences {
disable-dns yes|no;
saved-log-query {
traffic {
REPEAT...
<name> {
query <value>;
}
}
threat {
REPEAT...
Palo Alto Networks
289
<name> {
query <value>;
}
}
url {
REPEAT...
<name> {
query <value>;
}
}
data {
REPEAT...
<name> {
query <value>;
}
}
config {
REPEAT...
<name> {
query <value>;
}
}
system {
REPEAT...
<name> {
query <value>;
}
}
}
}
permissions {
role-based {
superreader yes;
OR...
superuser yes;
OR...
panorama-admin yes;
OR...
custom {
profile <value>;
device-groups [ <device-groups1> <device-groups2>... ];
devices {
REPEAT...
<name> {
}
}
}
}
}
}
}
devices {
REPEAT...
<name> {
hostname <value>;
ip <value>;
disable-config-backup yes|no;
}
290
Palo Alto Networks
}
access-domain {
REPEAT...
<name> {
device-groups [ <device-groups1> <device-groups2>... ];
devices {
REPEAT...
<name> {
}
}
}
}
}
predefined;
shared {
REPEAT...
<name> {
lockout {
}
method {
acl;
OR...
radius {
}
OR...
ldap {
}
}
}
}
REPEAT...
<name> {
username-field {
OR...
}
domain <value>;
CA {
REPEAT...
<name> {
}
}
use-crl yes|no;
use-ocsp yes|no;
Palo Alto Networks
291
}
}
cert {
REPEAT...
<name> {
vsys <value>;
expires <value>;
}
}
cacert {
REPEAT...
<name> {
vsys <value>;
expires <value>;
}
}
caccacert {
REPEAT...
<name> {
vsys <value>;
expires <value>;
}
}
cacverifyca {
REPEAT...
<name> {
vsys <value>;
expires <value>;
}
}
importcert {
REPEAT...
<name> {
vsys <value>;
expires <value>;
}
}
address {
REPEAT...
<name> {
OR...
}
}
address-group {
REPEAT...
}
292
Palo Alto Networks
threats {
vulnerability {
REPEAT...
<name> {
threatname <value>;
affected-host {
client yes|no;
server yes|no;
}
comment <value>;
severity <value>;
direction <value>;
default-action alert|reset-client|reset-server|reset-both|droppackets;
cve [ <cve1> <cve2>... ];
signature {
REPEAT...
<name> {
comment <value>;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
operator {
less-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
equal-to {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
greater-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
Palo Alto Networks
293
value 1-1<value>;
}
}
}
OR...
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
}
spyware {
REPEAT...
<name> {
threatname <value>;
comment <value>;
severity <value>;
direction <value>;
default-action alert|reset-client|reset-server|reset-both|droppackets;
cve [ <cve1> <cve2>... ];
signature {
REPEAT...
<name> {
comment <value>;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
operator {
less-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
294
Palo Alto Networks
}
OR...
equal-to {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
greater-than {
value 0-65535;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
OR...
pattern-match {
pattern <value>;
context <value>;
qualifier {
REPEAT...
<name> {
value 1-1<value>;
}
}
}
}
}
}
}
}
}
}
}
}
}
application {
REPEAT...
<name> {
default {
OR...
ident-by-ip-protocol 0-65535;
}
category <value>;
technology <value>;
timeout 0-65535;
Palo Alto Networks
295
risk 1-1;
decoder <value>;
virus-ident yes|no;
data-ident yes|no;
parent-app <value>;
signature {
REPEAT...
<name> {
comment <value>;
order-free yes|no;
and-condition {
REPEAT...
<name> {
or-condition {
REPEAT...
<name> {
context <value>;
pattern <value>;
method <value>;
}
}
}
}
}
}
}
}
override {
application {
REPEAT...
<name> {
timeout 0-65535;
risk 1-1;
}
}
}
REPEAT...
<name> {
evasive yes;
296
Palo Alto Networks
pervasive yes;
}
}
application-group {
REPEAT...
}
service {
REPEAT...
<name> {
protocol {
tcp {
port <0-65535,...>;
}
OR...
udp {
port <0-65535,...>;
}
}
}
}
service-group {
REPEAT...
}
server-profile {
ldap {
REPEAT...
<name> {
server {
REPEAT...
<name> {
port 1-1;
}
}
ssl yes|no;
base <value>;
bind-dn <value>;
bind-passwd <value>;
timelimit 1-1;
retry-interval 1-1;
}
}
radius {
REPEAT...
<name> {
domain <value>;
timeout 1-1;
retries 1-1;
checkgroup yes|no;
server {
Palo Alto Networks
297
REPEAT...
<name> {
port 0-65535;
secret <value>;
}
}
}
}
}
log-settings {
snmptrap {
REPEAT...
<name> {
server {
REPEAT...
<name> {
manager <ip/netmask>;
community <value>;
}
}
}
}
syslog {
REPEAT...
<name> {
server {
REPEAT...
<name> {
server <ip/netmask>;
port 1-1;
facility
LOG_USER|LOG_LOCAL0|LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|LOG_LOCAL5|L
OG_LOCAL6|LOG_LOCAL7;
}
}
}
}
email {
REPEAT...
<name> {
server {
REPEAT...
<name> {
from <value>;
to <value>;
gateway <value>;
}
}
}
}
system {
informational {
send-snmptrap {
}
298
Palo Alto Networks
send-email {
}
send-syslog {
}
}
low {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
medium {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
high {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
critical {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
}
config {
any {
Palo Alto Networks
299
send-email {
}
send-syslog {
}
}
}
profiles {
REPEAT...
<name> {
alarm {
informational {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
low {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
medium {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
high {
send-snmptrap {
}
send-email {
}
send-syslog {
}
300
Palo Alto Networks
}
critical {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
}
traffic {
any {
send-snmptrap {
}
send-email {
}
send-syslog {
}
}
}
}
}
}
profiles {
virus {
REPEAT...
<name> {
decoder {
REPEAT...
<name> {
}
}
application {
REPEAT...
<name> {
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
spyware {
REPEAT...
<name> {
Palo Alto Networks
301
simple {
}
OR...
custom {
REPEAT...
<name> {
action default|alert|drop|drop-all-packets|reset-both|resetclient|reset-server;
}
}
}
threat-exception {
REPEAT...
<name>;
}
}
}
vulnerability {
REPEAT...
<name> {
simple {
client {
}
server {
}
}
OR...
custom {
REPEAT...
<name> {
action default|alert|drop|drop-all-packets|reset-both|resetclient|reset-server;
}
}
threat-exception {
REPEAT...
<name>;
}
302
Palo Alto Networks
}
}
url-filtering {
REPEAT...
<name> {
dynamic-url yes|no;
}
}
file-blocking {
REPEAT...
<name> {
rules {
REPEAT...
<name> {
action alert|block;
}
}
}
}
REPEAT...
<name> {
}
}
data-objects {
REPEAT...
<name> {
weight 0-65535;
}
weight 0-65535;
}
weight 0-65535;
}
pattern {
REPEAT...
<name> {
regex <value>;
weight 0-65535;
}
Palo Alto Networks
303
}
}
}
data-filtering {
REPEAT...
<name> {
rules {
REPEAT...
<name> {
}
}
}
}
}
admin-role {
REPEAT...
<name> {
role {
panorama {
webui {
acc enable|disable;
monitor {
logs {
url enable|disable;
configuration enable|disable;
system enable|disable;
}
app-scope enable|disable;
pdf-reports {
manage-pdf-summary enable|disable;
pdf-summary-reports enable|disable;
user-activity-report enable|disable;
report-groups enable|disable;
email-scheduler enable|disable;
}
custom-reports {
application-statistics enable|disable;
data-filtering-log enable|disable;
threat-log enable|disable;
threat-summary enable|disable;
traffic-log enable|disable;
traffic-summary enable|disable;
url-log enable|disable;
}
view-custom-reports enable|disable;
application-reports enable|disable;
304
Palo Alto Networks
threat-reports enable|disable;
url-filtering-reports enable|disable;
traffic-reports enable|disable;
}
policies {
}
objects {
address-groups enable|read-only|disable;
custom-url-category enable|read-only|disable;
custom-signatures {
}
security-profiles {
}
}
network {
interfaces enable|read-only|disable;
vlans enable|read-only|disable;
virtual-wires enable|read-only|disable;
virtual-routers enable|read-only|disable;
ipsec-tunnels enable|read-only|disable;
dhcp enable|read-only|disable;
qos enable|read-only|disable;
network-profiles {
ike-gateways enable|read-only|disable;
ipsec-crypto enable|read-only|disable;
ike-crypto enable|read-only|disable;
tunnel-monitor enable|read-only|disable;
interface-mgmt enable|read-only|disable;
zone-protection enable|read-only|disable;
qos-profile enable|read-only|disable;
}
}
device {
Palo Alto Networks
305
setup enable|read-only|disable;
config-audit enable|disable;
managed-devices enable|disable;
device-groups enable|disable;
admin-roles enable|read-only|disable;
administrators enable|read-only|disable;
virtual-systems enable|read-only|disable;
user-identification enable|read-only|disable;
high-availability enable|read-only|disable;
certificates enable|read-only|disable;
log-settings {
system enable|read-only|disable;
config enable|read-only|disable;
}
server-profile {
}
}
authentication-profile enable|read-only|disable;
client-certificate-profile enable|read-only|disable;
access-domain enable|read-only|disable;
scheduled-log-export enable|disable;
support enable|read-only|disable;
deployment {
}
}
privacy {
}
}
cli superuser|superreader;
}
}
}
}
profile-group {
REPEAT...
<name> {
306
Palo Alto Networks

}
}
schedule {
REPEAT...
<name> {
recurring {
weekly {
}
OR...
}
OR...
}
}
report-group {
REPEAT...
<name> {
title-page yes|no;
custom-widget {
REPEAT...
<name> {
predefined-report <value>;
OR...
custom-report <value>;
OR...
pdf-summary-report <value>;
}
}
variable {
REPEAT...
<name> {
value <value>;
}
}
}
}
email-scheduler {
REPEAT...
<name> {
report-group <value>;
email-profile <value>;
recipient-emails <value>;
recurring {
disabled;
OR...
daily;
OR...
Palo Alto Networks
307
weekly sunday|monday|tuesday|wednesday|thursday|friday|saturday;
}
}
}
pdf-summary-report {
REPEAT...
<name> {
header {
caption <value>;
}
footer {
note <value>;
}
predefined-widget {
REPEAT...
<name> {
row 1-1;
column 1-1;
}
}
custom-widget {
REPEAT...
<name> {
row 1-1;
column 1-1;
}
}
}
}
reports {
REPEAT...
<name> {
disabled yes|no;
query <value>;
caption <value>;
start-time <value>;
end-time <value>;
period last-60-seconds|last-15-minutes|last-hour|last-12-hrs|last-24hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendarweek|last-30-days;
topn 1-1;
topm 1-1;
type {
appstat {
group-by serial|category-of-name|name|risk|subcategory-ofname|technology-of-name|container-of-name|quarter-hour-of-receive_time|hourof-receive_time|day-of-receive_time;
}
OR...
threat {
group-by serial|action|app|category|category-of-
308
Palo Alto Networks
app|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|na
tsrc|outbound_if|proto|risk-ofapp|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technologyof-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hourof-receive_time|day-of-receive_time;
sortby repeatcnt;
}
OR...
url {
group-by serial|action|app|category|category-ofapp|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|n
atsport|natsrc|outbound_if|proto|risk-ofapp|rule|severity|sport|src|srcuser|subcategory-of-app|technology-ofapp|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-ofreceive_time|day-of-receive_time;
sortby repeatcnt;
}
OR...
data {
group-by serial|action|app|category-ofapp|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|n
atsport|natsrc|outbound_if|proto|risk-ofapp|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technologyof-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hourof-receive_time|day-of-receive_time;
sortby repeatcnt;
}
OR...
thsum {
group-by serial|app|category-of-app|dst|dstuser|risk-ofapp|rule|severity-of-threatid|src|srcuser|subcategory-ofapp|subtype|technology-of-app|container-of-app|threatid|quarter-hour-ofreceive_time|hour-of-receive_time|day-of-receive_time;
sortby count;
}
OR...
traffic {
group-by serial|action|app|category|category-ofapp|dport|dst|dstuser|flags|from|inbound_if|natdport|natdst|natsport|natsrc|
outbound_if|proto|risk-of-app|rule|sport|src|srcuser|subcategory-ofapp|technology-of-app|container-of-app|to|vsys|quarter-hour-ofreceive_time|hour-of-receive_time|day-of-receive_time;
}
OR...
Palo Alto Networks
309
trsum {
group-by serial|app|category|category-of-app|dst|dstuser|from|riskof-app|rule|src|srcuser|subcategory-of-app|technology-of-app|container-ofapp|to|quarter-hour-of-receive_time|hour-of-receive_time|day-ofreceive_time;
}
OR...
panorama-threat {
group-by serial|action|app|category|category-ofapp|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|natsport|na
tsrc|outbound_if|proto|risk-ofapp|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technologyof-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hourof-receive_time|day-of-receive_time;
sortby repeatcnt;
}
OR...
panorama-url {
group-by serial|action|app|category|category-ofapp|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|n
atsport|natsrc|outbound_if|proto|risk-ofapp|rule|severity|sport|src|srcuser|subcategory-of-app|technology-ofapp|container-of-app|to|vsys|quarter-hour-of-receive_time|hour-ofreceive_time|day-of-receive_time;
sortby repeatcnt;
}
OR...
panorama-data {
group-by serial|action|app|category-ofapp|direction|dport|dst|dstuser|flags|from|inbound_if|misc|natdport|natdst|n
atsport|natsrc|outbound_if|proto|risk-ofapp|rule|severity|sport|src|srcuser|subcategory-of-app|subtype|technologyof-app|container-of-app|threatid|to|vsys|quarter-hour-of-receive_time|hourof-receive_time|day-of-receive_time;
sortby repeatcnt;
}
OR...
panorama-traffic {
group-by serial|action|app|category|category-ofapp|dport|dst|dstuser|flags|from|inbound_if|natdport|natdst|natsport|natsrc|
outbound_if|proto|risk-of-app|rule|sport|src|srcuser|subcategory-ofapp|technology-of-app|container-of-app|to|vsys|quarter-hour-ofreceive_time|hour-of-receive_time|day-of-receive_time;
310
Palo Alto Networks
}
}
}
}
}
Palo Alto Networks
311
312
Palo Alto Networks
Appendix B
PAN-OS CLI KEYBOARD SHORTCUTS
This appendix lists the supported keyboard shortcuts and Editor Macros (EMACS) commands
supported in the PAN-OS CLI.
Note: Some shortcuts depend upon the SSH client that is used to access the PAN-OS CLI. For
some clients, the Meta key is the Control key; for some it is the Esc key.
Table 6 lists the keyboard shortcuts.
Table 6. Keyboard Shortcuts

Item
Description
Commands for Moving

beginning-of-line (C-a)
Move to the start of the current line.
end-of-line (C-e)
Move to the end of the line.
forward-char (C-f)
Move forward a character.
backward-char (C-b)
Move back a character.
forward-word (M-f)
Move forward to the end of the next word. Words consist of

alphanumeric characters (letters and digits).
backward-word (M-b)
Move back to the start of this, or the previous, word. Words consist
of alphanumeric characters (letters and digits).
clear-screen (C-l)
Clear the screen and place the current line at the top of the screen. If
an argument is included, refresh the current line without clearing
the screen.
Commands for Manipulating Command History

accept-line (Newline, Return)
Accept the line regardless of where the cursor is. If the line is nonempty, add it to the history list. If the line is a modified history line,
then restore the history line to its original state.
previous-history (C-p)
Fetch the previous command from the history list, moving back in
the list.
next-history (C-n)
Fetch the next command from the history list, moving forward in
the list.
beginning-of-history (M-<)
Move to the first line in the history.
Palo Alto Networks
313
Table 6. Keyboard Shortcuts (Continued)

Item
Description
end-of-history (M->)
Move to the end of the input history (the line currently being
entered).
reverse-search-history (C-r)
Search backward starting at the current line and moving up

through the history as necessary. This is an incremental search.
forward-search-history (C-s)
Search forward starting at the current line and moving down

through the history as necessary. This is an incremental search.
non-incremental-reversesearch-history (M-p)
Search backward through the history starting at the current line

using a non-incremental search for a string supplied by the user.
non-incremental-forwardsearch-history (M-n)
Search forward through the history using a non-incremental search

for a string supplied by the user.
Commands for Changing Text

delete-char (C-d)
backward-delete-char
(backspace)
Delete the character under the cursor. If point is at the beginning of

the line, there are no characters in the line, and the last character
typed was not C-d, then return EOF.
Delete the character behind the cursor.
transpose-chars (C-t)
Drag the character before point forward over the character at point.
Point moves forward as well. If point is at the end of the line, then
transpose the two characters before point.
transpose-words (M-t)
Drag the word behind the cursor past the word in front of the
cursor moving the cursor over that word as well.
upcase-word (M-u)
Make the current (or following) word uppercase. With a negative

argument, do the previous word, but do not move point.
downcase-word (M-l)
Make the current (or following) word lowercase. With a negative

argument, change the previous word, but do not move point.
capitalize-word (M-c)
Capitalize the current (or following) word. With a negative

argument, do the previous word, but do not move point.
Deleting and Yanking Text

kill-line (C-k)
314
Delete the text from the current cursor position to the end of the
line.
backward-kill-line (Cx backspace)
Delete backward to the beginning of the line.
unix-line-discard (Cu)
Delete backward from point to the beginning of the line
kill-word (M-d)
Delete from the cursor to the end of the current word, or if between
words, to the end of the next word. Word boundaries are the same
as those used by forward-word.
backward-kill-word (Mbackspace)
Delete the word behind the cursor. Word boundaries are the same
as those used by backward-word.
unix-word-backspace
(C-w)
Delete the word behind the cursor, using white space as a word
boundary. The word boundaries are different from backward-killword.
yank (C-y)
Place the top of the deleted section into the buffer at the cursor.
Palo Alto Networks
Table 6. Keyboard Shortcuts (Continued)

Item
Description
yank-pop (M-y)
Rotate the kill-ring, and yank the new top. Only works following
yank or yank-pop.
Completing Commands
complete (TAB)
Attempt to perform completion on the text before point.
possible-completions
(?)
List the possible completions of the text before point.
Performing Miscellaneous Functions

undo (C-_, C-x C-u)
Perform an incremental undo, separately remembered for each line.
revert-line (M-r)
Undo all changes made to this line. This is like typing the undo
command enough times to return the line to its initial state.
Table 7 lists the EMACS commands.
Table 7. EMACS Commands

Command
Description
Emacs Standard bindings

C-A
beginning-of-line
C-B
backward-char
C-D
delete-char
C-E
end-of-line
C-F
forward-char
C-G
abort
C-H
backward-delete-char
C-I
complete
C-J
accept-line
C-K
kill-line
C-L
clear-screen
C-M
accept-line
C-N
next-history
C-P
previous-history
C-R
reverse-search-history
C-S
forward-search-history
C-T
transpose-chars
C-U
unix-line-discard
C-W
unix-word-backspace
C-Y
yank
C-_
undo
Palo Alto Networks
315
Table 7. EMACS Commands (Continued)

Command
Description
Emacs Meta bindings
316
M-C-H
backward-kill-word
M-C-R
revert-line
M-<
beginning-of-history
M->
end-of-history
possible-completions
M-B
backward-word
M-C
capitalize-word
M-D
kill-word
M-F
forward-word
M-L
downcase-word
M-N
non-incremental-forward-search-history
M-P
non-incremental-reverse-search-history
M-R
revert-line
M-T
transpose-words
M-U
upcase-word
M-Y
yank-pop
Palo Alto Networks
Index
Symbols
# prompt 13
+ option symbol 17
> option symbol 17
> prompt 13
? symbol 15
A
accessing the CLI 12
B
banner 13, 26
bootloader recovery 189
bootup 186
C
changing modes 14
check command 32
clear command 53
CLI
accessing 12
configuration mode 11
EMACS commands 315
keyboard shortcuts 313
operational model 11
prompt 13
structure 11
commands 28
conventions 13
display 28
messages 14
monitoring and troubleshooting 28
navigation 28
network access 28
option symbols 17
options 15
understanding 13
commit command 21, 33
configuration
hierarchy 24
hierarchy paths 25
317 Index
configuration mode
hierarchy 24
prompt 13
understanding 21
configure command 55
control key 16
conventions, typographical 8
copy command 34
critical errors, switching to maintenance mode 187
D
debug captive-portal command 56
debug cli command 57
debug cpld command 58
debug dataplane command 59
debug device-server command 61
debug dhcpd command 62
debug high-availability-agent command 63
debug ike command 64
debug keymgr command 65
debug ldap-server command 66
debug log-receiver command 67
debug management-server command 68
debug master-service command 69
debug pppoed command 70
debug rasmgr command 71
debug routing command 72
debug software command 73
debug sslmgr command 75
debug ssl-vpn command 74
debug swm command 76
debug tac-login command 77
debug vardata-receiver command 78
delete command 35, 56
diagnostics 189
disk image 189
E
edit banner 26
edit command
banner 13
using 27, 36
errors, switching to maintenance mode 187
esc key 16
Palo Alto Networks
Ethernet interfaces 19
ethernet1/n 19
exit command 37, 81
operational mode
command types 28
prompt 13
using 28
factory reset 189

file system check (FSCK) 189
G
getting started 12
grep command 82
H
hierarchy
complete 191
configuration 24
navigating 26
new elements 26
paths 25
hostname 13
I
interfaces 19
K
keyboard shortcuts 16, 313
L
less command 84
M
maintenance mode
about 185
diagnostics 189
entering automatically 187
entering upon bootup 186
password 189
serial console message 187
SSH message 188
web interface message 187
meta key 16
modes
changing 14, 15
configuration 21
operational 28
move command 39
N
navigating hierarchy 26
netstat command 85
318 Index
password, maintenance mode 189

ping command 86
privilege levels 18
Q
quit command 40, 88
R
rename command 41
request anti-virus command 89
request certificate command 90
request content upgrade command 93
request data-filtering command 94
request device-registration command 95
request high-availability command 96
request license command 97
request password-hash command 98
request restart command 99
request ssl-decrypt command 100
request ssl-vpn command 101
request support command 102, 104
request system command 103
request url-filtering command 105
request vpnclient command 106
rollback 189
run command 42
S
save command 21, 43
scp command 107
serial console
maintenance mode 185
message 187
set application dump command 110
set cli command 111, 114
set clock command 113
set command 44
set management-server command 115
set panorama command 116
set password command 117
set serial-number command 118
set session command 119
set system setting command 121
shortcuts 16
show admins command 123
show arp command 124
show authentication command 125
show cli command 126, 127
show clock command 128
Palo Alto Networks
show command 24, 45

show config command 129
show counter command 130
show device command 131
show devicegroups command 133
show device-messages command 132
show dhcp command 134
show fips command 135
show high-availability command 136
show interface command 137
show jobs command 138
show location command 139
show log command 140
show mac command 142
show management-clients command 143
show management-interface command 144
show object command 145
show panorama-certificate command 146
show pbf command 147
show pppoe command 148
show qos command 149
show query command 150
show report command 151
show routing command 152
show running command 156
show session command 158
show ssl-vpn command 161
show statistics command 162
show system command 163
show system setting command 165
show threat command 167
show user pan-agent command 168
show virtual-wire command 169
show vlan command 170
show vpn command 171
show zone-protection command 173
ssh command 174
syntax checking 14
system 28
system information 189
T
tail command 175
telnet command 176
test command 177
tftp command 92, 179
top command 27, 46
traceroute command 181
typographical conventions 8
U
up command 27, 47
user name 13
user privileges 18
V
view-pccap command 183
Palo Alto Networks
Index 319
320 Index
Palo Alto Networks

PAN OS 31 CLI Reference Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PAN OS 31 CLI Reference Guide

Uploaded by

Copyright:

Available Formats

PAN-OS

Command Line Interface

PAN-OS Command Line Interface

2/27/10 Third/Final Review Draft- Palo Alto Networks

Palo Alto Networks, Inc.

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Understanding the PAN-OS CLI Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Understanding Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Palo Alto Networks

Palo Alto Networks

Palo Alto Networks

Entering Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Entering Maintenance Mode Upon Bootup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Firewall Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Palo Alto Networks

About This Guide in the next section

Typographical Conventions on page 8

Notes, Cautions, and Warnings on page 9

Related Documentation on page 9

Obtaining More Information on page 9

Technical Support on page 9

About This Guide

Chapter 1, IntroductionIntroduces and describes how to use the PAN-OS CLI.

Chapter 2, Understanding CLI Command ModesDescribes the modes used to

Chapter 3, Configuration Mode CommandsContains command reference pages for

Chapter 4, Operational Mode CommandsContains command reference pages for

Palo Alto Networks

Appendix A, Configuration HierarchyContains command reference pages for

Appendix B, PAN-OS CLI Keyboard ShortcutsDescribes the keyboard shortcuts

Use the configure command to enter

Name of variables, files,

The address of the Palo Alto Networks home

element2 is a required variable for the move

Command syntax, code

The show arp all command yields this output:

Text that you enter at the

Enter the following command to exit from the

username@hostname> show arp all

In the following command, 8bit and port are

< > (text enclosed

Special keys or choice of

<tab> indicates that the tab key is pressed.

Choice of values, indicated by

The request support command includes

> delete core <control-plane |

> request support [check | info]

Palo Alto Networks

Notes, Cautions, and Warnings

Hardware Reference Guide

Palo Alto Networks Administrators Guide

Obtaining More Information

Palo Alto Networks websiteGo to http://www.paloaltonetworks.com.

Call 1-866-898-9087 (U.S, Canada, and Mexico).

Email us at: support@paloaltonetworks.com.

Palo Alto Networks

Palo Alto Networks

Understanding the PAN-OS CLI Structure in the next section

Getting Started on page 12

Understanding the PAN-OS CLI Commands on page 13

Understanding the PAN-OS CLI Structure

Configuration modeView and modify the configuration hierarchy.

Chapter 3 describes each mode in detail.

Palo Alto Networks

Before You Begin in the next section