- #################################################
- ## ##
- ## Palo Alto Networks CLI Command Reference ##
- ## ##
- ## Consigas, Lars Meyer ##
- ## ##
- #################################################
- !!!! TAKE CAUTION ESPECIALLY ON EXECUTING THE DEBUG COMMANDS AS THEY CAN OVERLOAD THE SYSTEM !!!!!
- ##########################################################################################################
- ##
- ## SYSTEM INFORMATION AND DEBUG
- ##
- ############################################################
- ## GENERAL SYSTEM INFORMATION & STATUS
- ! SOFTWARE VERSIONS & SERIAL NUMBER
- show system info
- ! INTERFACES
- show interface all
- show interface management
- ! ROUTING
- show routing route
- ! CONFIGURATION
- show config running
- show config diff
- set cli pager off
- set cli config-output-format set
- ############################################################
- ## SOFTWARE AND UPDATES
- ## LICENSES
- request license info
- request license fetch
- request support info
- request support check
- ## CHECK CONNECTIVITY TO THE PALO ALTO UPDATE SERVICE
- ! CHECK SYSTEM LOG INCL. WHICH SOURCE IP IS USED TO CONNECT
- show log system direction equal backward | match updates.paloaltonetworks.com
- ! ONLY CHECK DNS RESOLUTION - SERVER IS NOT PINGABLE
- ping source IP.IP.IP.IP host updates.paloaltonetworks.com
- ! CHECK INTERNET CONNECTIVITY
- ping source IP.IP.IP.IP host 8.8.8.8
- ## SOFTWARE
- ! DOWNLOAD AND INSTALL
- request system software info
- debug swm list
- request system software check
- request system software download version X.X.X
- request system software install version X.X.X
- show jobs all
- ! CHECK SOFTWARE STATUS INCL. BOOT PARTITIONS
- debug swm status
- debug swm info
- debug swm history
- ! REVERT BACK TO LAST SUCCESSFULLY INSTALLED SOFTWARE
- debug swm revert
- ## DYNAMIC UPDATES
- ! APPLICATION AND IPS SIGNATURES
- request content upgrade info
- request content upgrade check
- request content upgrade download latest
- request content upgrade install version latest
- ! ANTIVIRUS
- request anti-virus upgrade info
- request anti-virus upgrade check
- request anti-virus upgrade download latest
- request anti-virus upgrade install version latest
- ! URL
- request url-filtering download status vendor brightcloud
- request url-filtering upgrade brightcloud
- ! REBUILD CONTENT DB
- debug swm rebuild-content-db
- ## FACTORY RESET
- ! ONLY DELETE PRIVATE DATA
- request system private-data-reset
- ! On the console login with user "maint" and the serial number of the device as the password
- ############################################################
- ## SYSTEM STATISTICS
- ! SYSTEM APPLICATIONS AND THROUGHPUT IN REALTIME - PRESS "a" OR "s" TO TOGGLE
- show system statistics session
- show system statistics application
- ! UTILIZATION OF MANAGEMENT PLANE - PRESS "1" TO TOGGLE CPUs, "M" TO SORT PROCESSES BY MEMORY
- show system resources follow
- ! UTILIZATION OF MANAGEMENT PLANE
- show running resource-monitor second last 60
- ! JOBS
- show jobs all
- show jobs id <ID>
- ! LOG AND DISKSPACE
- show system logdb-quota
- show system disk-space
- show running logging
- ! SYSTEM PROCESSES
- show system software status
- ! SYSTEM LOG FILES
- less mp-log <log-name>
- ! /[TERM] - search forward
- ! n - search next
- ! <Shift> + G - go to the end of the file
- ! ?[TERM] - search backward
- tail follow yes mp-log <log-name>
- less db-log <log-name>
- grep mp-log mp-monitor.log pattern <PATTERN>
- grep mp-log * pattern <PATTERN>
- ! TECH-SUPPORT FILE - GENERATE & COPY - DOES NOT NEED TO BE GENERATED BEFOREHAND
- scp export tech-support to username@host:path
- ! TECH SUPPORT SUMMARY CAN BE FOUND IN ./tmp/cli/techsupportXX
- ! RESTART MANAGEMENT PLANE
- debug software restart device-server
- debug software restart management-server
- debug software restart log-receiver
- ! DEBUG
- show system state | match debug
- ############################################################
- ## TROUBLESHOOT TRAFFIC PASSING THROUGH THE FIREWALL
- ## TRAFFIC LOG
- show log traffic direction equal backward src in IP.IP.IP.IP dst in IP.IP.IP.IP
- ! use "/" to search
- ## CAPTURE UNKNOWN APPLICATIONS
- show running application setting
- set application dump-unknown yes
- ## CONNECTIVITY CHECK
- ping source IP.IP.IP.IP host IP.IP.IP.IP
- show arp <INTERFACE>
- ## SESSIONS CURRENTLY ACTIVE
- show session meter
- show session info
- show session all filter source IP.IP.IP.IP
- show session id <ID>
- ## TRAFFIC COUNTER
- !! DEFINE FILTER TO SHOW ONLY COUNTER FOR SPECIFIC TRAFFIC
- debug dataplane packet-diag clear all
- debug dataplane packet-diag set filter match source IP.IP.IP.IP
- debug dataplane packet-diag set filter on
- debug dataplane packet-diag show setting
- !! GLOBAL COUNTER
- show counter global filter delta yes packet-filter yes
- show counter global filter delta yes packet-filter yes severity drop
- show counter interface <INTERFACE> !! FILTER DOES NOT APPLY TO THIS COMMAND
- !! CLEAR FILTER
- debug dataplane packet-diag clear all
- debug dataplane packet-diag clear filter-marked-session all
- ## DETAILED TRAFFIC FLOW LOGGING
- !!! CAREFUL - NEVER USE TRAFFIC FLOW LOGGING WITHOUT APPLYING AND ENABLING A FILTER !!!
- !!! ALWAYS DISABLE THE LOG AFTERWARDS !!!
- !! DEFINE FILTER
- debug dataplane packet-diag clear all
- debug dataplane packet-diag set filter match source IP.IP.IP.IP
- debug dataplane packet-diag set filter on
- debug dataplane packet-diag show setting
- !! ENABLE FLOW BASIC
- debug dataplane packet-diag clear log log
- debug dataplane packet-diag set log feature flow basic
- debug dataplane packet-diag set log on
- debug dataplane packet-diag show setting
- !! VIEW LOG
- debug dataplane packet-diag aggregate-logs
- less dp-log pan_packet_diag.log
- !! SHOW WHAT POLICY NAME IS ASSOCIATED WITH THE INDEX NUMBER
- debug device-server dump idmgr type security-rule all
- !! CLEAR AND RESET LOG FILE
- debug dataplane packet-diag clear log log
- !! DISABLE AND CLEAR LOGGING
- debug dataplane packet-diag clear all
- debug dataplane packet-diag clear log log
- ## PACKET CAPTURE
- !!! CAREFUL - NEVER USE PACKET CAPTURES WITHOUT APPLYING AND ENABLING A FILTER !!!
- !!! ALWAYS DISABLE THE CAPTURE AFTERWARDS !!!
- !! DEFINE FILTER
- debug dataplane packet-diag clear all
- debug dataplane packet-diag set filter match source IP.IP.IP.IP
- debug dataplane packet-diag set filter on
- debug dataplane packet-diag show setting
- !! ENABLE PACKET CAPTURE
- ! RECEIVE - PACKET RECEIVED BY THE DATAPLANE PROCESSOR
- debug dataplane packet-diag set capture stage receive file RX.pcap
- ! TRANSMIT - PACKET TRANSMITTED BY THE DATAPLANE PROCESSOR
- debug dataplane packet-diag set capture stage transmit file TX.pcap
- ! FIREWALL - WHEN THE PACKET HAS A SESSION MATCH OR A FIRST PACKET WITH A SESSION IS SUCCESSFULLY CREATED
- debug dataplane packet-diag set capture stage firewall file FW.pcap
- ! DROP - WHEN PACKET PROCESSING ENCOUNTERS AN ERROR AND THE PACKET IS TO BE DROPPED
- debug dataplane packet-diag set capture stage drop file DROP.pcap
- debug dataplane packet-diag set capture on
- debug dataplane packet-diag show setting
- !! VIEW AND COPY PCAP FILES
- view-pcap filter-pcap <FILENAME>
- view-pcap follow yes no-dns-lookup yes filter-pcap <FILENAME>
- scp export filter-pcap from <FILENAME>
- !! DISABLE AND DELETE PCAPS
- debug dataplane packet-diag clear all
- delete debug-filter file *
- ## DISABLE SESSION OFFLOADING !!! DISABLES FASTPATH !!! CAREFUL !!!
- !!! USE ONLY IF YOU KNOW WHAT YOU ARE DOING !!!
- set session offload no
- ## HARDWARE INTERFACE COUNTER
- show system state browser
- - shift+L - show port statistics
- - shift+U - enable updates
- - shift+Y - enable Tracking
- ############################################################
- ## ROUTING
- ! ROUTING TABLE AND PROTOCOL SUMMARY
- show routing route
- show routing summary
- ! TEST ROUTING LOOKUP
- test routing fib-lookup virtual-router <VR> ip <IP>
- ! DEBUG DYNAMIC ROUTING PROTOCOLS
- less mp-log routed.log
- debug routing pcap show
- debug routing pcap [ all | bgp | ospf | rip ] on
- ! VIEW DEBUG
- view-pcap verbose++ yes debug-pcap <FILENAME>
- ! DISABLE AND DELETE DEBUG
- debug routing pcap all off
- debug routing pcap all delete
- ############################################################
- ## USER IDENTIFICATION
- ! USER-ID AGENT STATUS
- show user user-id-agent state all
- ! IP TO USER MAPPING
- show user ip-user-mapping all
- ! USER TO GROUP MAPPING
- show user group-mapping state all
- show user user-IDs
- show user user-IDs match-user
- ! REFRESH USER TO IP MAPPING
- debug user-id refresh user-id
- ! REFRESH GROUP MAPPING
- debug user-id refresh group-mapping all
- show user group-mapping state all
- show user group list
- show user group name <group name>
- ! TEST WMI FUNCTIONALITY
- wmic /node:IP.IP.IP.IP /user:"domain\administrator" computersystem get username,name
- ## FILTER UID ENTRIES OF SPECIFIC AD SERVICE ACCOUNTS
- Filter UID entries by a specific AD service account (user):
- 1. On the AD server where the User-ID Agent is installed, browse to the agent's installation folder.
- Example: C:\Program Files(86)\Palo Alto Networks\User-ID Agent\
- 2. In the "User-ID Agent" folder create a .txt file and name it ignore_user_list.txt (make sure Windows Explorer is not hiding known extensions, or you could end up with a file named "ignore_user_list.txt.txt").
- 3. In the "ignore_user_list.txt" file type one service account (username) per line ONLY. It is important that there is exactly one username per line; no domain needs to be included.
- Example:
- administrator
- tsmith
- rsimson
- jtrivedy
- 4. Restart the UID Agent service and clear the IP-to-user mapping on the firewall: "clear user-cache all"
- 5. Verify that the service accounts no longer show up under "Monitoring" and in the output of "show user ip-user-mapping all" on the firewall
- ############################################################
- ## URL Categorization
- ! TEST AND UPDATE URL CATEGORY
- test url <URL>
- test url-info-cloud <URL>
- test url-info-host <URL>
- request url-filtering update url <URL>
- ! DATAPLANE URL CACHE
- show running url
- show running top-urls
- show running top-urls top 1000 | match unknown
- ! MANAGEMENT PLANE CACHE
- debug device-server dump dynamic-url database
- ! CLEAR URL CACHE ON MANAGEMENT & DATA-PLANE
- clear url-cache all
- delete dynamic-url host all
- ! ENABLE DYNAMIC LOOKUP GLOBALLY (APPLIES ONLY TO BRIGHTCLOUD)
- set deviceconfig setting url dynamic-url yes
- ! DEBUG
- show counter global filter delta yes category url
- debug device-server bc-url-db db-info
- debug device-server bc-url-db show-stats
- debug device-server dump dynamic-url statistics
- debug device-server unset all
- debug device-server set url all
- debug device-server set url_trie all
- debug device-server on debug
- tail follow yes mp-log devsrv.log
- ! reset debug to default
- debug device-server off
- debug device-server unset all
- debug device-server on info
- debug device-server set config basic
- ! DELETE AND REINSTALL BRIGHTCLOUD DB
- debug device-server reset brightcloud-database
- request url-filtering upgrade brightcloud
- tail follow yes mp-log pan_bc_download.log
- ! PAN-DB CLI COMMANDS
- https://live.paloaltonetworks.com/docs/DOC-3608
- ############################################################
- ## Response Page Customization
- ! encode picture into base64 code
- http://www.webutils.pl/index.php?idx=base64
- ! ENABLE URL INJECTION INTO SSL WEBPAGES
- set deviceconfig setting ssl-decrypt url-proxy yes
- ############################################################
- # IPSEC
- ! VPN STATUS
- show vpn flow
- show vpn flow tunnel-id [ID]
- show vpn ike-sa
- show vpn tunnel
- ! CHECK CONNECTIVITY TO PEER
- ping source IP.IP.IP.IP host IP.IP.IP.IP
- ! SYSTEM LOG
- show log system direction equal backward subtype equal vpn
- ! CAPTURE VPN TRAFFIC
- debug ike pcap on
- debug ike pcap show
- ! INITIATE VPN TRAFFIC
- test vpn ipsec-sa tunnel [VPN-NAME]
- clear vpn ike-sa gateway all
- ! VIEW PCAP - VALUES ARE IN HEX
- view-pcap verbose++ yes debug-pcap ikemgr.pcap
- ! STOP PCAP AND CLEAR FILES
- debug ike pcap off
- debug ike pcap delete
- ! IKE DEBUG LOG
- debug ike global on debug
- tail follow yes mp-log ikemgr.log
- ############################################################
- # HA
- show high-availability all
- show high-availability state
- request high-availability sync-to-remote
- request high-availability state suspend
- request high-availability state functional
- ############################################################
- # QoS
- show session all
- show session id XX
- show qos interface ethernet1/x counter
- show qos interface ethernet1/x hw-counter
- ############################################################
- ## DECRYPTION
- show system setting ssl-decrypt exclude-cache
- show system setting ssl-decrypt setting
- show counter global filter category proxy
- debug dataplane pool statistics
- ! Check a private key
- openssl rsa -in privateKey.key -check
- ! Check a certificate
- openssl x509 -in certificate.crt -text -noout
- ! Check a PKCS#12 file (.pfx or .p12)
- openssl pkcs12 -info -in keyStore.p12
- ! Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
- openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
- ! Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
- openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
- !! Supported Cipher suites https://live.paloaltonetworks.com/docs/DOC-2401
- !! Test SSL Session https://www.ssllabs.com/ssltest/
- !! GENERATE CERTIFICATES VIA CLI
- request certificate generate signed-by "CA NAME" days-till-expiry 3650 organization "ORG" country-code IE email "name@domain.ie" certificate-name "CERT NAME" name FQDN
- ############################################################
- ## DOS
- show counter global filter aspect dos delta yes
- debug dataplane show dos block-table
- debug dataplane show dos classification-table
- !! CHECK THE RATE OF NEWLY ESTABLISHED SESSIONS AND PACKET RATE
- show system statistics session
- show session info
- grep dp-log dp-monitor.log pattern "New connection establish rate"
- grep dp-log dp-monitor.log pattern "Packet rate"
- ############################################################
- ## WILDFIRE
- show wildfire cloud-info
- test wildfire registration
- show wildfire status
- show wildfire statistics
- show wildfire disk-usage
- debug wildfire dp-status
- less mp-log varrcvr.log
- !! DETAILED WILDFIRE DEBUG
- debug vardata-receiver set all
- debug vardata-receiver on dump
- debug vardata-receiver on normal
- debug vardata-receiver unset all
- !! CHANGE TIMERS (NOT RECOMMENDED IN PRODUCTION)
- ! DISABLE BATCH FORWARDING
- debug wildfire batch-forward set disable <yes|no>
- ! CHANGE FILE COUNT THRESHOLD FOR A BATCH
- debug wildfire batch-forward set max-count <value> <1-200>
- ! CHANGE TIMEOUT THRESHOLD FOR A BATCH
- debug wildfire batch-forward set timeout <value> <60-240>
- ############################################################
- ## API
- ! KEY GENERATION
- https://hostname/api/?type=keygen&user=username&password=password
- https://hostname/esp/restapi.esp?type=config&action=show&key=KEYVALUE&xpath=devices/entry/vsys/entry/rulebase/security/rules
- !! REPORTING OVER API
- !1. Generate API key - https://hostname/api/?type=keygen&user=username&password=password
- !2. Run report
- ! a. Log into Panorama
- ! b. Go to https://hostname/api
- ! c. Then Select Reports > custom > Report name
- ! d. Click on the REST API URL and note down the job number
- !3. Import report into Excel
- ! a. Select Data > From Web
- ! b. Enter the URL https://HOSTNAME/api/?key=XXXX&type=report&reporttype=custom&reportname=XXXX&action=get&job-id=XXX - it is best to copy the report name from the URL in step 2, because it may look like "NJ-Internet+In+-+HighRiskApps" if it contains spaces or special characters
- ! c. Click Go and Import
- ! d. Delete the columns which are not necessary (A to V)
- show report jobs
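An added helper for the API report workflow above (not Palo Alto's or the author's code): it builds the keygen and report URLs the steps describe, extracts the key from the keygen reply, and flattens a finished report into rows the way the Excel import does. The keygen reply layout follows the documented `<response status="success"><result><key>` form; the report layout (one `<entry>` per row with one child element per column) and both XML samples are assumptions constructed for offline use.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Added helper for the API workflow above; not Palo Alto's own code. The
# keygen reply format (<response status="success"><result><key>..</key>) is
# the documented one; the report layout (one <entry> per row, one child
# element per column) is an assumption, and the XML samples are constructed.

def keygen_url(host, user, password):
    """Step 1. The credentials ride in the query string, so use HTTPS only and
    keep the URL out of shell history, proxies and web-server logs."""
    q = {"type": "keygen", "user": user, "password": password}
    return "https://%s/api/?%s" % (host, urllib.parse.urlencode(q))

def parse_api_key(xml_text):
    """Pull the key out of the keygen reply, or raise on an error reply."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("keygen failed: %s" % root.findtext(".//msg"))
    return root.findtext("./result/key")

def report_url(host, key, report_name, job_id):
    """Step 3b. urlencode turns spaces into '+', which is why a name copied
    from the UI looks like NJ-Internet+In+-+HighRiskApps."""
    q = {"key": key, "type": "report", "reporttype": "custom",
         "reportname": report_name, "action": "get", "job-id": str(job_id)}
    return "https://%s/api/?%s" % (host, urllib.parse.urlencode(q))

def report_rows(xml_text, drop_columns=()):
    """Flatten a finished report into dicts (what Excel's From Web does) and
    drop unwanted columns instead of deleting them by hand in step 3d."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("report not ready: %s" % root.findtext(".//msg"))
    rows = []
    for entry in root.iter("entry"):
        row = {c.tag: (c.text or "").strip() for c in entry
               if c.tag not in drop_columns}
        rows.append(row)
    return rows

# Constructed replies for offline use (not captured from a real device).
KEYGEN_REPLY = ('<response status="success"><result>'
                '<key>EXAMPLEKEY==</key></result></response>')
REPORT_REPLY = ('<response status="success"><result><report>'
                '<entry><app>unknown-tcp</app><bytes>1234</bytes><risk>5</risk></entry>'
                '<entry><app>dns</app><bytes>80</bytes><risk>3</risk></entry>'
                '</report></result></response>')
```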
- ############################################################
- ## MALWARE INDICATORS OF COMPROMISE
- ! UNIFIED LOG
- (( addr in 10.11.18.59 ) and ((( subtype neq url ) and ((category eq unknown) or (category eq proxy-avoidance-and-anonymizers) or (category eq phishing) or (category eq peer-to-peer) or (category eq parked) or (category eq malware) or (category eq dynamic-dns))) or (( subtype neq url ) and ( subtype neq file )) or ( addr.dst in 223.255.255.223 ))) or (( app neq pop3 ) and ( app eq dns ) and ( subtype eq spyware ))
- ! SUSPICIOUS INTERNET TRAFFIC
- ( addr.src in ) and ( zone.dst eq Internet ) and (( app eq incomplete ) or ( app eq not-applicable ) or ( app eq insufficient-data ) or (app eq unknown-p2p) or (app eq unknown-tcp) or (app eq unknown-udp)) and !( addr.dst in 169.254.0.0/16 ) and !( addr.dst in 10.0.0.0/8 ) and !( addr.dst in 192.168.0.0/16 ) and !( addr.dst in 172.16.0.0/12 ) and !( zone.src eq Internet )
- ! DNS SINKHOLE
- ( addr.src in ) and ( addr.dst in 223.255.255.223 )
- ! USER THREATS
- ( addr in )
- ! SUSPICIOUS URLS
- ( addr.src in ) and ((category eq unknown) or (category eq proxy-avoidance-and-anonymizers) or (category eq phishing) or (category eq peer-to-peer) or (category eq parked) or (category eq malware) or (category eq dynamic-dns))
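The SUSPICIOUS INTERNET TRAFFIC, DNS SINKHOLE and SUSPICIOUS URLS filters above re-expressed as detection logic over log records, as an added example that is not part of the original paste. The monitored subnet, which the paste leaves blank after `addr.src in`, is assumed to be a parameter; the record field names mirror the filter keys and the sample records are constructed.

```python
import ipaddress

# Mirrors of the SUSPICIOUS INTERNET TRAFFIC, DNS SINKHOLE and SUSPICIOUS URLS
# filters above. The page leaves "addr.src in" blank, so the monitored subnet
# is passed in as a parameter. Sample records below are constructed, not real.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("169.254.0.0/16", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
UNKNOWN_APPS = {"incomplete", "not-applicable", "insufficient-data",
                "unknown-p2p", "unknown-tcp", "unknown-udp"}
RISKY_CATEGORIES = {"unknown", "proxy-avoidance-and-anonymizers", "phishing",
                    "peer-to-peer", "parked", "malware", "dynamic-dns"}
SINKHOLE = ipaddress.ip_address("223.255.255.223")  # sinkhole address from the filters

def suspicious_internet_traffic(rec, src_net):
    """Unknown or incomplete application leaving the watched subnet for the
    Internet zone, ignoring RFC 1918 and link-local destinations."""
    src = ipaddress.ip_address(rec["addr.src"])
    dst = ipaddress.ip_address(rec["addr.dst"])
    return (src in src_net
            and rec["zone.dst"] == "Internet" and rec["zone.src"] != "Internet"
            and rec["app"] in UNKNOWN_APPS
            and not any(dst in net for net in PRIVATE_RANGES))

def dns_sinkhole_hit(rec, src_net):
    """Host that resolved a malicious name and then connected to the sinkhole."""
    return (ipaddress.ip_address(rec["addr.src"]) in src_net
            and ipaddress.ip_address(rec["addr.dst"]) == SINKHOLE)

def suspicious_url(rec, src_net):
    """URL log entry from the watched subnet in one of the risky categories."""
    return (ipaddress.ip_address(rec["addr.src"]) in src_net
            and rec.get("category") in RISKY_CATEGORIES)

FILTERS = {"suspicious-internet": suspicious_internet_traffic,
           "dns-sinkhole": dns_sinkhole_hit,
           "suspicious-url": suspicious_url}

def triage(records, src_cidr):
    """Return {filter name: sorted ids of the records that filter matches}."""
    src_net = ipaddress.ip_network(src_cidr)
    return {name: sorted(r["id"] for r in records if fn(r, src_net))
            for name, fn in FILTERS.items()}

SAMPLE_LOGS = [  # constructed records; field names follow the filter keys
    {"id": 1, "addr.src": "10.11.18.59", "addr.dst": "203.0.113.7",
     "zone.src": "Trust", "zone.dst": "Internet", "app": "unknown-tcp"},
    {"id": 2, "addr.src": "10.11.18.59", "addr.dst": "192.168.5.5",
     "zone.src": "Trust", "zone.dst": "Internet", "app": "unknown-udp"},
    {"id": 3, "addr.src": "10.11.18.60", "addr.dst": "223.255.255.223",
     "zone.src": "Trust", "zone.dst": "Internet", "app": "dns"},
    {"id": 4, "addr.src": "10.11.18.61", "addr.dst": "198.51.100.9",
     "zone.src": "Trust", "zone.dst": "Internet", "app": "web-browsing",
     "category": "dynamic-dns"},
]
```

Record 2 is deliberately excluded by the private-destination negations, matching the `!( addr.dst in ... )` clauses of the filter.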