This blog belongs to the Riyadh IT Experts Club IT members; anyone interested in posting their experience and ideas is most welcome.
Tuesday, March 11, 2014
Palo Alto Firewall Commands (4.0 – 5.0)
// Base Help
lab@infostruction> ?
  clear      Clear runtime parameters
  configure  Manipulate software configuration information
  debug      Debug and diagnose
  exit       Exit this session
  grep       Searches file for lines containing a pattern match
  less       Examine debug file content
  ping       Ping hosts and networks
  quit       Exit this session
  request    Make system-level requests
  scp        Use ssh to copy file to another host
  set        Set operational parameters
  show       Show operational parameters
  ssh        Start a secure shell to another host
  tail       Print the last 10 lines of debug file content
username@hostname>
// Device configuration and RMA
Default login & password is admin/admin
scp import configuration 22 user@host:/path/to/file
set deviceconfig system hostname ip-address netmask default-gateway dns-setting server primary
set password
// Administration
check pending-changes **Check for uncommitted changes
show config
show config-locks
request commit-lock remove admin
save/load (saved config) -> set (candidate config) -> commit (active config)
edit, up, top **Change hierarchy
// Privilege Levels
superreader   Has complete read-only access to the firewall.
vsysadmin     Has full access to a selected virtual system on the firewall.
vsysreader    Has read-only access to a selected virtual system on the firewall.
deviceadmin   Has full access to a selected device, except for defining new accounts or virtual systems.
devicereader  Has read-only access to a selected device.
// Health Commands
show counter global | match drop
show interface ethernetX/X
show system state filter * | match over **Packet overruns.
show session info **High concurrent sessions
show running resource-monitor **CPU (app-id, decoders, session setup/teardown)
debug dataplane pool statistics **Work queue and segment reassembly.
show counter global filter aspect resource **Resource counters, TCP window information.
show system statistics **System counters
show system info **Show system information
show network interface ethernet **Show interface configuration
show arp
netstat all
// Failover – High Availability
request high-availability state suspend // Fail the master firewall and set to ineligible.
request high-availability state functional // Set current device to functional/eligible.
request high-availability sync-to-remote // Force config and session sync to peer
show high-availability state // Show current H/A status
show high-availability all // Show high-availability information on current device.
show high-availability link // Show H/A state of devices
show high-availability state-synchronisation // View the sync state to the peer device
show high-availability control-link // Show H/A link statistics
// HA Upgrade Process
request high-availability state suspend – passive firewall
Upgrade passive to 4.1.7
request high-availability state suspend – current (old version) active firewall
request high-availability state functional – newly upgraded firewall (outage until this command completes)
Upgrade old active firewall to 4.1.7
request high-availability state functional – newly upgraded firewall
Notes:
HA processes can take up to 5 minutes to start up after reboot
// Troubleshooting
test nat-policy-match source destination protocol 6 destination-port
test security-policy-match source destination protocol 6 destination-port
test url **Provides URL category
show routing
show arp
show session
// Packet Capture From the CLI:
Packet Filter
debug dataplane packet-diag set filter match source
debug dataplane packet-diag set filter match destination
debug dataplane packet-diag set filter on
debug dataplane packet-diag show setting
Packet Capture
debug dataplane packet-diag set capture stage drop file
debug dataplane packet-diag set capture stage transmit file
debug dataplane packet-diag set capture stage receive file
debug dataplane packet-diag set capture stage firewall file
debug dataplane packet-diag set capture on
Clear Packet Filter or Capture
debug dataplane packet-diag set filter off
debug dataplane packet-diag set capture off
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture all
View PCAPs
view-pcap follow yes filter-pcap
Export the PCAPs
scp export filter-pcap from to **e.g. to = user1@192.168.1.1:c:/1/
tftp export filter-pcap from to
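A complete capture session on the PAN-OS 4.x/5.x CLI, added here as a worked example (not from the original post) that strings the filter, capture, view and export steps above together; the addresses, port, file names and export host are constructed assumptions, and the // lines are notes, not commands:

```text
// 1. Restrict the capture to one flow (constructed addresses) and confirm the filter
debug dataplane packet-diag set filter match source 10.1.1.50 destination 192.0.2.10 destination-port 443
debug dataplane packet-diag set filter on
debug dataplane packet-diag show setting

// 2. Capture at every stage, one file per stage, then start capturing
debug dataplane packet-diag set capture stage receive file rx.pcap
debug dataplane packet-diag set capture stage firewall file fw.pcap
debug dataplane packet-diag set capture stage transmit file tx.pcap
debug dataplane packet-diag set capture stage drop file drop.pcap
debug dataplane packet-diag set capture on

// 3. Generate the traffic of interest, then stop the capture and the filter
debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off

// 4. Inspect on the box: packets that appear in rx.pcap and drop.pcap but not in tx.pcap
//    were dropped by the dataplane (check them against show counter global | match drop)
view-pcap filter-pcap drop.pcap
view-pcap follow yes filter-pcap rx.pcap

// 5. Export for offline analysis (constructed host/path), then clear the filter and capture settings
scp export filter-pcap from drop.pcap to analyst@192.0.2.100:/tmp/
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture all
```

Clearing the filter and capture settings at the end matters: a filter left on keeps marking sessions after the capture is finished.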
// VPN Troubleshooting
show vpn flow **View active tunnels
show vpn flow tunnel-id **View additional information on tunnels based on ID
show vpn ike-sa
show vpn ipsec-sa
clear vpn ike-sa
clear vpn ipsec-sa
test vpn ike-sa gateway
test vpn ipsec-sa tunnel