paloalto
Sep 7th, 2017

#################################################
## ##
## Palo Alto Networks CLI Command Reference ##
## ##
## Consigas, Lars Meyer ##
## ##
#################################################


!!!! TAKE CAUTION, ESPECIALLY WHEN EXECUTING THE DEBUG COMMANDS, AS THEY CAN OVERLOAD THE SYSTEM !!!!!



##########################################################################################################
##
## SYSTEM INFORMATION AND DEBUG
##

############################################################
## GENERAL SYSTEM INFORMATION & STATUS

! SOFTWARE VERSIONS & SERIAL NUMBER
show system info

! INTERFACES
show interface all
show interface management

! ROUTING
show routing route

! CONFIGURATION
show config running
show config diff
set cli pager off
set cli config-output-format set


############################################################
## SOFTWARE AND UPDATES

## LICENSES
request license info
request license fetch
request support info
request support check

## CHECK CONNECTIVITY TO THE PALO ALTO UPDATE SERVICE
! CHECK THE SYSTEM LOG, INCL. WHICH SOURCE IP IS USED TO CONNECT
show log system direction equal backward | match updates.paloaltonetworks.com
! ONLY CHECKS DNS RESOLUTION - THE SERVER IS NOT PINGABLE
ping source IP.IP.IP.IP host updates.paloaltonetworks.com
! CHECK INTERNET CONNECTIVITY
ping source IP.IP.IP.IP host 8.8.8.8

## SOFTWARE
! DOWNLOAD AND INSTALL
request system software info
debug swm list
request system software check
request system software download version X.X.X
request system software install version X.X.X
show jobs all

! CHECK SOFTWARE STATUS INCL. BOOT PARTITIONS
debug swm status
debug swm info
debug swm history

! REVERT BACK TO THE LAST SUCCESSFULLY INSTALLED SOFTWARE
debug swm revert

## DYNAMIC UPDATES
! APPLICATION AND IPS SIGNATURES
request content upgrade info
request content upgrade check
request content upgrade download latest
request content upgrade install version latest
! ANTIVIRUS
request anti-virus upgrade info
request anti-virus upgrade check
request anti-virus upgrade download latest
request anti-virus upgrade install version latest
! URL
request url-filtering download status vendor brightcloud
request url-filtering upgrade brightcloud

! REBUILD CONTENT DB
debug swm rebuild-content-db

## FACTORY RESET
! ONLY DELETE PRIVATE DATA
request system private-data-reset
! ON THE CONSOLE, LOG IN WITH USER "maint" AND THE SERIAL NUMBER OF THE DEVICE AS THE PASSWORD

############################################################
## SYSTEM STATISTICS

! SYSTEM APPLICATIONS AND THROUGHPUT IN REAL TIME - PRESS "a" OR "s" TO TOGGLE
show system statistics session
show system statistics application

! UTILIZATION OF MANAGEMENT PLANE - PRESS "1" TO TOGGLE CPUs, "M" TO SORT PROCESSES BY MEMORY
show system resources follow

! UTILIZATION OF DATAPLANE
show running resource-monitor second last 60

! JOBS
show jobs all
show jobs id <ID>

! LOG AND DISK SPACE
show system logdb-quota
show system disk-space
show running logging

! SYSTEM PROCESSES
show system software status

! SYSTEM LOG FILES
less mp-log <log-name>
! /[TERM] - search forward
! n - next match
! <Shift> + G - go to the end of the file
! ?[TERM] - search backward

tail follow yes mp-log <log-name>
less db-log <log-name>
grep mp-log mp-monitor.log pattern <PATTERN>
grep mp-log * pattern <PATTERN>

! TECH-SUPPORT FILE - GENERATE & COPY IN ONE STEP - DOES NOT NEED TO BE GENERATED BEFOREHAND
scp export tech-support to username@host:path
! THE TECH-SUPPORT SUMMARY CAN BE FOUND IN ./tmp/cli/techsupportXX

! RESTART MANAGEMENT PLANE PROCESSES
debug software restart device-server
debug software restart management-server
debug software restart log-receiver

! DEBUG
show system state | match debug

############################################################
## TROUBLESHOOT TRAFFIC PASSING THROUGH THE FIREWALL

## TRAFFIC LOG
show log traffic direction equal backward src in IP.IP.IP.IP dst in IP.IP.IP.IP
! USE "/" TO SEARCH

## CAPTURE UNKNOWN APPLICATIONS
show running application setting
set application dump-unknown yes

## CONNECTIVITY CHECK
ping source IP.IP.IP.IP host IP.IP.IP.IP
show arp <INTERFACE>


## SESSIONS CURRENTLY ACTIVE
show session meter
show session info
show session all filter source IP.IP.IP.IP
show session id <ID>


## TRAFFIC COUNTERS
!! DEFINE A FILTER TO SHOW ONLY COUNTERS FOR SPECIFIC TRAFFIC
debug dataplane packet-diag clear all
debug dataplane packet-diag set filter match source IP.IP.IP.IP
debug dataplane packet-diag set filter on
debug dataplane packet-diag show setting

!! GLOBAL COUNTERS
show counter global filter delta yes packet-filter yes
show counter global filter delta yes packet-filter yes severity drop
show counter interface <INTERFACE> !! THE FILTER DOES NOT APPLY TO THIS COMMAND

!! CLEAR FILTER
debug dataplane packet-diag clear all
debug dataplane packet-diag clear filter-marked-session all

## DETAILED TRAFFIC FLOW LOGGING
!!! CAREFUL - NEVER USE TRAFFIC FLOW LOGGING WITHOUT APPLYING AND ENABLING A FILTER !!!
!!! ALWAYS DISABLE THE LOG AFTERWARDS !!!
!! DEFINE FILTER
debug dataplane packet-diag clear all
debug dataplane packet-diag set filter match source IP.IP.IP.IP
debug dataplane packet-diag set filter on
debug dataplane packet-diag show setting

!! ENABLE FLOW BASIC
debug dataplane packet-diag clear log log
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on
debug dataplane packet-diag show setting

!! VIEW LOG
debug dataplane packet-diag aggregate-logs
less dp-log pan_packet_diag.log

!! SHOW WHICH POLICY NAME IS ASSOCIATED WITH THE INDEX NUMBER SEEN IN THE FLOW LOG
debug device-server dump idmgr type security-rule all


!! CLEAR AND RESET LOG FILE
debug dataplane packet-diag clear log log

!! DISABLE AND CLEAR LOGGING
debug dataplane packet-diag clear all
debug dataplane packet-diag clear log log


## PACKET CAPTURE
!!! CAREFUL - NEVER USE PACKET CAPTURES WITHOUT APPLYING AND ENABLING A FILTER !!!
!!! ALWAYS DISABLE THE CAPTURE AFTERWARDS !!!
!! DEFINE FILTER
debug dataplane packet-diag clear all
debug dataplane packet-diag set filter match source IP.IP.IP.IP
debug dataplane packet-diag set filter on
debug dataplane packet-diag show setting

!! ENABLE PACKET CAPTURE
! RECEIVE - PACKET RECEIVED BY THE DATAPLANE PROCESSOR
debug dataplane packet-diag set capture stage receive file RX.pcap
! TRANSMIT - PACKET TRANSMITTED BY THE DATAPLANE PROCESSOR
debug dataplane packet-diag set capture stage transmit file TX.pcap
! FIREWALL - WHEN THE PACKET MATCHES A SESSION, OR A FIRST PACKET FOR WHICH A SESSION IS SUCCESSFULLY CREATED
debug dataplane packet-diag set capture stage firewall file FW.pcap
! DROP - WHEN PACKET PROCESSING ENCOUNTERS AN ERROR AND THE PACKET IS TO BE DROPPED
debug dataplane packet-diag set capture stage drop file DROP.pcap
debug dataplane packet-diag set capture on
debug dataplane packet-diag show setting

!! VIEW AND COPY PCAP FILES
view-pcap filter-pcap <FILENAME>
view-pcap follow yes no-dns-lookup yes filter-pcap <FILENAME>
scp export filter-pcap from <FILENAME> to username@host:path

!! DISABLE AND DELETE PCAPS
debug dataplane packet-diag clear all
delete debug-filter file *


## DISABLE SESSION OFFLOADING !!! DISABLES FASTPATH !!! CAREFUL !!!
!!! USE ONLY IF YOU KNOW WHAT YOU ARE DOING !!!
set session offload no


## HARDWARE INTERFACE COUNTERS
show system state browser
- shift+L - show port statistics
- shift+U - enable updates
- shift+Y - enable tracking


############################################################
## ROUTING

! ROUTING TABLE AND PROTOCOL SUMMARY
show routing route
show routing summary

! TEST ROUTING LOOKUP
test routing fib-lookup virtual-router <VR> ip <IP>

! DEBUG DYNAMIC ROUTING PROTOCOLS
less mp-log routed.log

debug routing pcap show
debug routing pcap [ all | bgp | ospf | rip ] on

! VIEW DEBUG
view-pcap verbose++ yes debug-pcap <FILENAME>
! DISABLE AND DELETE DEBUG
debug routing pcap all off
debug routing pcap all delete



############################################################
## USER IDENTIFICATION

! USER-ID AGENT STATUS
show user user-id-agent state all

! IP TO USER MAPPING
show user ip-user-mapping all

! USER TO GROUP MAPPING
show user group-mapping state all
show user user-IDs
show user user-IDs match-user

! REFRESH USER TO IP MAPPING
debug user-id refresh user-id

! REFRESH GROUP MAPPING
debug user-id refresh group-mapping all
show user group-mapping state all
show user group list
show user group name <group name>

! TEST WMI FUNCTIONALITY (RUN FROM A WINDOWS HOST)
wmic /node:IP.IP.IP.IP /user:"domain\administrator" computersystem get username,name


## FILTER UID ENTRIES OF SPECIFIC AD SERVICE ACCOUNTS

Filter User-ID entries by specific AD service accounts (users):
1. On the AD server where the User-ID Agent is installed, browse to the folder the User-ID Agent is installed in.
Example: C:\Program Files (x86)\Palo Alto Networks\User-ID Agent\
2. In the "User-ID Agent" folder create a .txt file named ignore_user_list.txt (make sure Windows Explorer is not hiding known extensions, as you could otherwise end up with a file named "ignore_user_list.txt.txt").
3. In the "ignore_user_list.txt" file type ONE service account (username) per line. It is important that there is exactly one username per line; the domain does not need to be included.
Example:
administrator
tsmith
rsimson
jtrivedy
4. Restart the User-ID Agent service and clear the IP-to-user mapping on the firewall: "clear user-cache all"
5. Verify that the service accounts no longer show up under "Monitoring" and in "show user ip-user-mapping all" on the firewall.



############################################################
## URL CATEGORIZATION

! TEST AND UPDATE URL CATEGORY
test url <URL>
test url-info-cloud <URL>
test url-info-host <URL>
request url-filtering update url <URL>


! DATAPLANE URL CACHE
show running url
show running top-urls
show running top-urls top 1000 | match unknown

! MANAGEMENT PLANE CACHE
debug device-server dump dynamic-url database

! CLEAR URL CACHE ON MANAGEMENT PLANE & DATAPLANE
clear url-cache all
delete dynamic-url host all

! ENABLE DYNAMIC LOOKUP GLOBALLY (APPLIES ONLY TO BRIGHTCLOUD)
set deviceconfig setting url dynamic-url yes

! DEBUG
show counter global filter delta yes category url
debug device-server bc-url-db db-info
debug device-server bc-url-db show-stats
debug device-server dump dynamic-url statistics

debug device-server unset all
debug device-server set url all
debug device-server set url_trie all
debug device-server on debug

tail follow yes mp-log devsrv.log

! RESET DEBUG TO DEFAULT
debug device-server off
debug device-server unset all
debug device-server on info
debug device-server set config basic

! DELETE AND REINSTALL BRIGHTCLOUD DB
debug device-server reset brightcloud-database
request url-filtering upgrade brightcloud
tail follow yes mp-log pan_bc_download.log

! PAN-DB CLI COMMANDS
https://live.paloaltonetworks.com/docs/DOC-3608

############################################################
## RESPONSE PAGE CUSTOMIZATION

! ENCODE A PICTURE INTO BASE64 (TO EMBED IT IN THE RESPONSE PAGE)
http://www.webutils.pl/index.php?idx=base64

! ENABLE URL INJECTION INTO SSL WEBPAGES
set deviceconfig setting ssl-decrypt url-proxy yes


############################################################
## IPSEC

! VPN STATUS
show vpn flow
show vpn flow tunnel-id [ID]
show vpn ike-sa
show vpn tunnel

! CHECK CONNECTIVITY TO PEER
ping source IP.IP.IP.IP host IP.IP.IP.IP

! SYSTEM LOG
show log system direction equal backward subtype equal vpn

! CAPTURE VPN (IKE) TRAFFIC
debug ike pcap on
debug ike pcap show

! INITIATE VPN TRAFFIC
test vpn ipsec-sa tunnel [VPN-NAME]
clear vpn ike-sa gateway all

! VIEW PCAP - VALUES ARE IN HEX
view-pcap verbose++ yes debug-pcap ikemgr.pcap

! STOP PCAP AND CLEAR FILES
debug ike pcap off
debug ike pcap delete

! IKE DEBUG LOG
debug ike global on debug
tail follow yes mp-log ikemgr.log


############################################################
## HA

show high-availability all
show high-availability state
request high-availability sync-to-remote
request high-availability state suspend
request high-availability state functional


############################################################
## QOS
show session all
show session id XX
show qos interface ethernet1/x counter
show qos interface ethernet1/x hw-counter


############################################################
## DECRYPTION
show system setting ssl-decrypt exclude-cache
show system setting ssl-decrypt setting
show counter global filter category proxy
debug dataplane pool statistics

! CHECK A PRIVATE KEY
openssl rsa -in privateKey.key -check
! CHECK A CERTIFICATE
openssl x509 -in certificate.crt -text -noout
! CHECK A PKCS#12 FILE (.pfx OR .p12)
openssl pkcs12 -info -in keyStore.p12

! CONVERT A PKCS#12 FILE (.pfx/.p12) CONTAINING A PRIVATE KEY AND CERTIFICATES TO PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
! CONVERT A PEM CERTIFICATE FILE AND A PRIVATE KEY TO PKCS#12 (.pfx/.p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

!! SUPPORTED CIPHER SUITES: https://live.paloaltonetworks.com/docs/DOC-2401
!! TEST AN SSL SESSION: https://www.ssllabs.com/ssltest/

!! GENERATE CERTIFICATES VIA CLI
request certificate generate signed-by "CA NAME" days-till-expiry 3650 organization "ORG" country-code IE email "name@domain.ie" certificate-name "CERT NAME" name FQDN

############################################################
## DOS
show counter global filter aspect dos delta yes
debug dataplane show dos block-table
debug dataplane show dos classification-table

!! CHECK THE RATE OF NEWLY ESTABLISHED SESSIONS AND THE PACKET RATE
show system statistics session
show session info
grep dp-log dp-monitor.log pattern "New connection establish rate"
grep dp-log dp-monitor.log pattern "Packet rate"


############################################################
## WILDFIRE

show wildfire cloud-info
test wildfire registration
show wildfire status
show wildfire statistics
show wildfire disk-usage
debug wildfire dp-status
less mp-log varrcvr.log

!! DETAILED WILDFIRE DEBUG
debug vardata-receiver set all
debug vardata-receiver on dump

! RESET WILDFIRE DEBUG TO DEFAULT
debug vardata-receiver on normal
debug vardata-receiver unset all

!! CHANGE TIMERS (NOT RECOMMENDED IN PRODUCTION)
! DISABLE BATCH FORWARDING
debug wildfire batch-forward set disable <yes|no>

! CHANGE FILE COUNT THRESHOLD FOR A BATCH
debug wildfire batch-forward set max-count <1-200>

! CHANGE TIMEOUT THRESHOLD FOR A BATCH
debug wildfire batch-forward set timeout <60-240>



############################################################
## API

! KEY GENERATION
https://hostname/api/?type=keygen&user=username&password=password

! SHOW THE SECURITY RULEBASE OVER THE API
https://hostname/esp/restapi.esp?type=config&action=show&key=KEYVALUE&xpath=devices/entry/vsys/entry/rulebase/security/rules


!! REPORTING OVER THE API
! 1. Generate an API key - https://hostname/api/?type=keygen&user=username&password=password
! 2. Run the report
!    a. Log into Panorama
!    b. Go to https://hostname/api
!    c. Select Reports > custom > <report name>
!    d. Click on the REST API URL and note down the job number
! 3. Import the report into Excel
!    a. Select Data > From Web
!    b. Enter the URL https://HOSTNAME/api/?key=XXXX&type=report&reporttype=custom&reportname=XXXX&action=get&job-id=XXX - it is best to copy the report name from the URL in step 2, because it can look like this if it contains spaces or special characters: "NJ-Internet+In+-+HighRiskApps"
!    c. Click Go and Import
!    d. Delete the columns which are not necessary (A to V)

show report jobs


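The API section above lists the keygen and report-fetch URLs by hand. The following is an added example (not code from the original cheat sheet, and not a Palo Alto Networks library) that builds those same requests with proper URL encoding and parses the XML responses the firewall returns, including the error shape. The hostname, username, key and report name are assumptions chosen for illustration, and all XML responses are constructed for this example rather than captured from a device.

```python
# Added example (not part of the original cheat sheet): building the PAN-OS
# XML API requests shown above and parsing the XML the firewall returns.
# Host, user, key and report name are illustrative assumptions; the XML
# responses below are constructed by hand for this example, not captured
# from a real device.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def keygen_url(host, user, password):
    """type=keygen&user=...&password=... as in the cheat sheet. urlencode
    percent-encodes characters such as '&' so the credentials cannot break
    the query string."""
    return f"https://{host}/api/?" + urlencode(
        {"type": "keygen", "user": user, "password": password})


def report_url(host, key, report_name, job_id):
    """Report-fetch URL from step 3b. A report name containing spaces is
    encoded exactly the way the cheat sheet shows it (spaces become '+')."""
    params = {"key": key, "type": "report", "reporttype": "custom",
              "reportname": report_name, "action": "get", "job-id": str(job_id)}
    return f"https://{host}/api/?" + urlencode(params)


def parse_api_response(xml_text):
    """Parse an API response and raise when status is not 'success'."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError(f"unexpected root element <{root.tag}>")
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "no message"
        raise RuntimeError(f"API status={root.get('status')!r}: {msg}")
    return root


def extract_api_key(xml_text):
    key = parse_api_response(xml_text).findtext("./result/key")
    if not key:
        raise ValueError("keygen response carries no <key> element")
    return key


def extract_job_id(xml_text):
    """Job number returned when a report is run asynchronously (step 2d)."""
    job = parse_api_response(xml_text).findtext("./result/job")
    if not job:
        raise ValueError("response carries no <job> element")
    return job


def report_rows(xml_text):
    """Flatten the <entry> elements of a fetched report into dicts."""
    root = parse_api_response(xml_text)
    return [{col.tag: (col.text or "") for col in entry}
            for entry in root.findall("./result/report/entry")]


# Constructed sample responses (shape modelled on the API, values invented).
KEYGEN_RESPONSE = ('<response status="success"><result>'
                   '<key>EXAMPLE-KEY-NOT-REAL</key></result></response>')
JOB_RESPONSE = '<response status="success"><result><job>117</job></result></response>'
ERROR_RESPONSE = ('<response status="error" code="403"><result>'
                  '<msg>Invalid Credential.</msg></result></response>')
REPORT_RESPONSE = """<response status="success"><result>
<report name="NJ-Internet In - HighRiskApps" logtype="traffic">
  <entry><app>unknown-tcp</app><src>10.11.18.59</src><bytes>12345</bytes></entry>
  <entry><app>bittorrent</app><src>10.11.18.60</src><bytes>67890</bytes></entry>
</report></result></response>"""

if __name__ == "__main__":
    key = extract_api_key(KEYGEN_RESPONSE)
    job = extract_job_id(JOB_RESPONSE)
    print(report_url("fw.example.com", key, "NJ-Internet In - HighRiskApps", job))
    for row in report_rows(REPORT_RESPONSE):
        print(row)
```

When these URLs are sent for real, the key and the keygen password sit in the query string exactly as the cheat sheet's URLs show, which means they end up in proxy and web-server access logs; the same parameters can be sent as POST form data instead, and the TLS certificate of the management interface should be verified by the client rather than ignored.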
############################################################
## MALWARE INDICATORS OF COMPROMISE
! LOG FILTER EXPRESSIONS FOR THE MONITOR TAB - ADD THE ADDRESS OF INTEREST WHERE A FILTER READS "addr.src in )"

! UNIFIED LOG
(( addr in 10.11.18.59 ) and ((( subtype neq url ) and ((category eq unknown) or (category eq proxy-avoidance-and-anonymizers) or (category eq phishing) or (category eq peer-to-peer) or (category eq parked) or (category eq malware) or (category eq dynamic-dns))) or (( subtype neq url ) and ( subtype neq file )) or ( addr.dst in 223.255.255.223 ))) or (( app neq pop3 ) and ( app eq dns ) and ( subtype eq spyware ))

! SUSPICIOUS INTERNET TRAFFIC
( addr.src in ) and ( zone.dst eq Internet ) and (( app eq incomplete ) or ( app eq not-applicable ) or ( app eq insufficient-data ) or (app eq unknown-p2p) or (app eq unknown-tcp) or (app eq unknown-udp)) and !( addr.dst in 169.254.0.0/16 ) and !( addr.dst in 10.0.0.0/8 ) and !( addr.dst in 192.168.0.0/16 ) and !( addr.dst in 172.16.0.0/12 ) and !( zone.src eq Internet )

! DNS SINKHOLE
( addr.src in ) and ( addr.dst in 223.255.255.223 )

! USER THREATS
( addr in )

! SUSPICIOUS URLS
( addr.src in ) and ((category eq unknown) or (category eq proxy-avoidance-and-anonymizers) or (category eq phishing) or (category eq peer-to-peer) or (category eq parked) or (category eq malware) or (category eq dynamic-dns))
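The filters above are written in the firewall's Monitor-tab filter syntax (parenthesised `field op value` comparisons joined with `and`, `or` and `!`). The following is an added example, not part of the original cheat sheet and not Palo Alto Networks code: a small parser and evaluator for that syntax, run offline over a handful of constructed traffic-log records so that a filter such as "SUSPICIOUS INTERNET TRAFFIC" can be checked against known inputs before it is pasted into the console. The 10.11.18.0/24 range filled into the empty `addr.src in` placeholder, the log records and the field names are all constructed assumptions for this example.

```python
# Added example (not part of the original cheat sheet): an evaluator for the
# Monitor-tab filter syntax used by the indicator-of-compromise filters above,
# run over constructed traffic-log records so the logic can be checked
# offline. The 10.11.18.0/24 source range and every log record are
# constructed sample values.
import ipaddress
import re

# Tokens: parentheses, "!" and bare words (operators, field names and values).
TOKEN_RE = re.compile(r"[()!]|[^\s()!]+")
# "addr" matches either end of the session; addr.src / addr.dst one end only.
ADDR_FIELDS = {"addr": ("addr.src", "addr.dst"),
               "addr.src": ("addr.src",), "addr.dst": ("addr.dst",)}


class FilterParser:
    """Recursive descent: or_expr > and_expr > unary ("!" or a parenthesised
    group / comparison). Each method returns a predicate over a record."""

    def __init__(self, text):
        self.tokens = TOKEN_RE.findall(text)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected!r}, got {tok!r} at token {self.pos}")
        self.pos += 1
        return tok

    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected trailing token {self.peek()!r}")
        return pred

    def or_expr(self):
        parts = [self.and_expr()]
        while self.peek() == "or":
            self.take("or")
            parts.append(self.and_expr())
        return lambda rec: any(p(rec) for p in parts)

    def and_expr(self):
        parts = [self.unary()]
        while self.peek() == "and":
            self.take("and")
            parts.append(self.unary())
        return lambda rec: all(p(rec) for p in parts)

    def unary(self):
        if self.peek() == "!":
            self.take("!")
            inner = self.unary()
            return lambda rec: not inner(rec)
        self.take("(")
        # A group starts with another "(" or "!"; otherwise it is "field op value".
        inner = self.or_expr() if self.peek() in ("(", "!") else self.comparison()
        self.take(")")
        return inner

    def comparison(self):
        field, op, value = self.take(), self.take(), self.take()
        if value == ")":  # the cheat sheet's unfilled "( addr.src in )" placeholder
            raise SyntaxError(f"missing value for '{field} {op}'")
        if field in ADDR_FIELDS:
            if op != "in":
                raise SyntaxError(f"address field {field!r} only supports 'in'")
            net = ipaddress.ip_network(value, strict=False)  # single host or CIDR
            keys = ADDR_FIELDS[field]
            return lambda rec: any(ipaddress.ip_address(rec[k]) in net
                                   for k in keys if k in rec)
        if op == "eq":
            return lambda rec: rec.get(field) == value
        if op == "neq":
            return lambda rec: rec.get(field) != value
        raise SyntaxError(f"unsupported operator {op!r} for field {field!r}")


def compile_filter(text):
    return FilterParser(text).parse()


def matching_records(filter_text, records):
    predicate = compile_filter(filter_text)
    return [rec for rec in records if predicate(rec)]


# "SUSPICIOUS INTERNET TRAFFIC" and "DNS SINKHOLE" filters from the cheat sheet,
# with the empty "addr.src in" placeholder filled with a constructed range.
SUSPICIOUS_INTERNET = (
    "( addr.src in 10.11.18.0/24 ) and ( zone.dst eq Internet ) and "
    "(( app eq incomplete ) or ( app eq not-applicable ) or ( app eq insufficient-data ) or "
    "(app eq unknown-p2p) or (app eq unknown-tcp) or (app eq unknown-udp)) and "
    "!( addr.dst in 169.254.0.0/16 ) and !( addr.dst in 10.0.0.0/8 ) and "
    "!( addr.dst in 192.168.0.0/16 ) and !( addr.dst in 172.16.0.0/12 ) and "
    "!( zone.src eq Internet )"
)
DNS_SINKHOLE = "( addr.src in 10.11.18.0/24 ) and ( addr.dst in 223.255.255.223 )"

# Constructed traffic-log records (keys follow the filter field names).
SAMPLE_LOGS = [
    {"addr.src": "10.11.18.59", "addr.dst": "203.0.113.7", "zone.src": "Trust",
     "zone.dst": "Internet", "app": "unknown-tcp"},   # unknown app to the Internet
    {"addr.src": "10.11.18.59", "addr.dst": "10.11.20.5", "zone.src": "Trust",
     "zone.dst": "Internet", "app": "unknown-udp"},   # excluded: RFC 1918 destination
    {"addr.src": "10.11.18.60", "addr.dst": "198.51.100.9", "zone.src": "Trust",
     "zone.dst": "Internet", "app": "web-browsing"},  # identified app, not suspicious
    {"addr.src": "10.11.18.61", "addr.dst": "223.255.255.223", "zone.src": "Trust",
     "zone.dst": "Internet", "app": "dns"},           # sinkhole address hit
]

if __name__ == "__main__":
    for name, flt in (("suspicious internet", SUSPICIOUS_INTERNET), ("dns sinkhole", DNS_SINKHOLE)):
        for rec in matching_records(flt, SAMPLE_LOGS):
            print(f"{name}: {rec['addr.src']} -> {rec['addr.dst']} ({rec['app']})")
```

The evaluator deliberately rejects the unfilled `( addr.src in )` form with a SyntaxError rather than matching everything, which is the failure mode a copied-and-unedited filter would otherwise produce; the private-range exclusions are evaluated with `ipaddress`, so `addr.dst in 10.0.0.0/8` behaves as a prefix match and not a string comparison.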