!!!! TAKE CAUTION, ESPECIALLY WHEN EXECUTING THE DEBUG COMMANDS, AS THEY CAN OVERLOAD
THE SYSTEM !!!!!
########################################################################################################
##
## SYSTEM INFORMATION AND DEBUG
##
############################################################
## GENERAL SYSTEM INFORMATION & STATUS
! SOFTWARE VERSIONS & SERIAL NUMBER
show system info
! INTERFACES
show interface all
show interface management
! ROUTING
show routing route
! CONFIGURATION
show config running
show config diff
set cli pager off
set cli config-output-format set
############################################################
## SOFTWARE AND UPDATES
## LICENSES
request license info
request license fetch
request support info
request support check
## CHECK CONNECTIVITY TO THE PALO ALTO UPDATE SERVICE
! CHECK SYSTEM LOG INCL. WHICH SOURCE IP IS USED TO CONNECT
show log system direction equal backward | match updates.paloaltonetworks.com
! ONLY CHECK DNS RESOLUTION - SERVER IS NOT PINGABLE
ping source IP.IP.IP.IP host updates.paloaltonetworks.com
! CHECK INTERNET CONNECTIVITY
ping source IP.IP.IP.IP host 8.8.8.8
## SOFTWARE
! DOWNLOAD AND INSTALL
request system software info
debug swm list
request system software check
request system software download version X.X.X
request system software install version X.X.X
show jobs all
! CHECK SOFTWARE STATUS INCL. BOOT PARTITIONS
debug swm status
debug swm info
debug swm history
! REVERT BACK TO LAST SUCCESSFULLY INSTALLED SOFTWARE
debug swm revert
## DYNAMIC UPDATES
! APPLICATION AND IPS SIGNATURES
request content upgrade info
request content upgrade check
request content upgrade download latest
request content upgrade install version latest
! ANTIVIRUS
request anti-virus upgrade info
request anti-virus upgrade check
request anti-virus upgrade download latest
request anti-virus upgrade install version latest
! URL
request url-filtering download status vendor brightcloud
request url-filtering upgrade brightcloud
## FACTORY RESET
! ONLY DELETE PRIVATE DATA
request system private-data-reset
! On the console, log in with user "maint" and the serial number of the device as the password
############################################################
## SYSTEM STATISTICS
! SYSTEM APPLICATIONS AND THROUGHPUT IN REALTIME - PRESS "a" OR "s" TO TOGGLE
show system statistics session
show system statistics application
! UTILIZATION OF MANAGEMENT PLANE - PRESS "1" TO TOGGLE CPUs, "M" TO SORT PROCESSES BY MEMORY
show system resources follow
! UTILIZATION OF MANAGEMENT PLANE
show running resource-monitor second last 60
! JOBS
show jobs all
show jobs id <ID>
! LOG AND DISKSPACE
show system logdb-quota
show system disk-space
show running logging
! SYSTEM PROCESSES
show system software status
! SYSTEM LOG FILES
less mp-log <log-name>
! /[TERM] - search forward
! n - search next
! <Shift> + G - go to the end of the file
! ?[TERM] - search backward
tail follow yes mp-log <log-name>
less db-log <log-name>
grep mp-log mp-monitor.log pattern <PATTERN>
grep mp-log * pattern <PATTERN>
! TECH-SUPPORT FILE - GENERATE & COPY - DOES NOT NEED TO BE GENERATED BEFOREHAND
scp export tech-support to username@host:path
! TECH SUPPORT SUMMARY CAN BE FOUND IN ./tmp/cli/techsupportXX
! RESTART MANAGEMENT PLANE
debug software restart device-server
debug software restart management-server
debug software restart log-receiver
! DEBUG
show system state | match debug
############################################################
## TROUBLESHOOT TRAFFIC PASSING THROUGH THE FIREWALL
## TRAFFIC LOG
show log traffic direction equal backward src in IP.IP.IP.IP dst in IP.IP.IP.IP
! use "/" to search
## CAPTURE UNKNOWN APPLICATIONS
show running application setting
set application dump-unknown yes
## CONNECTIVITY CHECK
ping source IP.IP.IP.IP host IP.IP.IP.IP
show arp <INTERFACE>
## SESSIONS CURRENTLY ACTIVE
show session meter
show session info
show session all filter source IP.IP.IP.IP
show session id <ID>
show session distribution statistics
## TRAFFIC COUNTER
!! DEFINE A FILTER TO SHOW ONLY THE COUNTERS FOR SPECIFIC TRAFFIC
debug dataplane packet-diag clear all
debug dataplane packet-diag set filter match source IP.IP.IP.IP
debug dataplane packet-diag set filter on
debug dataplane packet-diag show setting
!! GLOBAL COUNTER
show counter global filter delta yes packet-filter yes
show counter global filter delta yes packet-filter yes severity drop
show counter interface <INTERFACE> !! FILTER DOES NOT APPLY TO THIS COMMAND
!! CLEAR FILTER
debug dataplane packet-diag clear all
debug dataplane packet-diag clear filter-marked-session all
## DETAILED TRAFFIC FLOW LOGGING
!!! CAREFUL - NEVER USE TRAFFIC FLOW LOGGING WITHOUT APPLYING AND ENABLING A FILTER !!!
!!! ALWAYS DISABLE THE LOG AFTERWARDS !!!
!! DEFINE FILTER
debug dataplane packet-diag clear all
debug dataplane packet-diag set filter match source IP.IP.IP.IP
debug dataplane packet-diag set filter on
debug dataplane packet-diag show setting
!! ENABLE FLOW BASIC
debug dataplane packet-diag clear log log
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on
debug dataplane packet-diag show setting
!! VIEW LOG
debug dataplane packet-diag aggregate-logs
less dp-log pan_packet_diag.log
!! SHOW WHAT POLICY NAME IS ASSOCIATED WITH THE INDEX NUMBER
debug device-server dump idmgr type security-rule all
!! CLEAR AND RESET LOG FILE
debug dataplane packet-diag clear log log
!! DISABLE AND CLEAR LOGGING
debug dataplane packet-diag clear all
debug dataplane packet-diag clear log log
## PACKET CAPTURE
!!! CAREFUL - NEVER USE PACKET CAPTURES WITHOUT APPLYING AND ENABLING A FILTER !!!
!!! ALWAYS DISABLE THE CAPTURE AFTERWARDS !!!
!! DEFINE FILTER
debug dataplane packet-diag clear all
debug dataplane packet-diag set filter match source IP.IP.IP.IP
debug dataplane packet-diag set filter on
debug dataplane packet-diag show setting
debug dataplane packet-diag set log counter "tcp_drop_out_of_wnd"
!! ENABLE PACKET CAPTURE
! RECEIVE - PACKET RECEIVED BY THE DATAPLANE PROCESSOR
debug dataplane packet-diag set capture stage receive file RX.pcap
! TRANSMIT - PACKET TRANSMITTED BY THE DATAPLANE PROCESSOR
debug dataplane packet-diag set capture stage transmit file TX.pcap
! FIREWALL - WHEN THE PACKET HAS A SESSION MATCH, OR IS A FIRST PACKET FOR WHICH A SESSION IS SUCCESSFULLY CREATED
debug dataplane packet-diag set capture stage firewall file FW.pcap
! DROP - WHEN PACKET PROCESSING ENCOUNTERS AN ERROR AND THE PACKET IS TO BE DROPPED
debug dataplane packet-diag set capture stage drop file DROP.pcap
debug dataplane packet-diag set capture on
debug dataplane packet-diag show setting
!! VIEW AND COPY PCAP FILES
view-pcap filter-pcap <FILENAME>
view-pcap follow yes no-dns-lookup yes filter-pcap <FILENAME>
scp export filter-pcap from <FILENAME>
!! DISABLE AND DELETE PCAPS
debug dataplane packet-diag clear all
delete debug-filter file *
## DISABLE SESSION OFFLOADING !!! DISABLES FASTPATH !!! CAREFUL !!!
!!! USE ONLY IF YOU KNOW WHAT YOU ARE DOING !!!
set session offload no
## PACKET CAPTURE ON MANAGEMENT INTERFACE (TCPDUMP)
tcpdump filter "host IP.IP.IP.IP and port 22"
!! VIEW THE PCAP
view-pcap mgmt-pcap mgmt.pcap
## HARDWARE INTERFACE COUNTER
show system state browser
- shift+L - show port statistics
- shift+U - enable updates
- shift+Y - enable Tracking
## POLICY MATCH
TCP --> 6
UDP --> 17
ICMP --> 1
ESP --> 50
Example:
test security-policy-match source 10.52.134.201 destination 10.52.158.98 application ssl protocol 6 destination-port 443
############################################################
## ROUTING
! ROUTING TABLE AND PROTOCOL SUMMARY
show routing route
show routing summary
! TEST ROUTING LOOKUP
test routing fib-lookup virtual-router <VR> ip <IP>
! DEBUG DYNAMIC ROUTING PROTOCOLS
less mp-log routed.log
debug routing pcap show
debug routing pcap [ all | bgp | ospf | rip ] on
! VIEW DEBUG
view-pcap verbose++ yes debug-pcap <FILENAME>
! DISABLE AND DELETE DEBUG
debug routing pcap all off
debug routing pcap all delete
############################################################
## USER IDENTIFICATION
! USER-ID AGENT STATUS
show user user-id-agent state all
! IP TO USER MAPPING
show user ip-user-mapping all
! USER TO GROUP MAPPING
show user group-mapping state all
show user user-IDs
show user user-IDs match-user
! REFRESH USER TO IP MAPPING
debug user-id refresh user-id
! REFRESH GROUP MAPPING
debug user-id refresh group-mapping all
show user group-mapping state all
show user group list
show user group name <group name>
! TEST WMI FUNCTIONALITY
wmic /node:IP.IP.IP.IP /user:"domain\administrator" computersystem get username,name
## FILTER UID ENTRIES OF SPECIFIC AD SERVICE ACCOUNTS
Filter UID entries by specific AD service account (user)
1. On the AD server where the User-ID Agent is installed, browse to the location where the User-ID Agent is installed.
Example: C:\Program Files (x86)\Palo Alto Networks\User-ID Agent\
2. In the "User-ID Agent" folder create a .txt file and name it: ignore_user_list.txt (make sure Windows Explorer is not hiding known extensions, as you could end up with a file named "ignore_user_list.txt.txt")
3. In the "ignore_user_list.txt" file type one service account (username) per line ONLY. It is important that there is one username per line; no domain needs to be included.
Example:
administrator
tsmith
rsimson
jtrivedy
4. Restart the UID Agent service and clear the IP-user mapping on the firewall: "clear user-cache all"
5. Verify that the service accounts do not show up under "Monitoring" and on the firewall via "show user ip-user-mapping all"
############################################################
## URL Categorization
! TEST AND UPDATE URL CATEGORY
test url <URL>
test url-info-cloud <URL>
test url-info-host <URL>
request url-filtering update url <URL>
! DATAPLANE URL CACHE
show running url
show running top-urls
show running top-urls top 1000 | match unknown
! MANAGEMENT PLANE CACHE
debug device-server dump dynamic-url database
! CLEAR URL CACHE ON MANAGEMENT & DATA-PLANE
clear url-cache all
delete dynamic-url host all
! ENABLE DYNAMIC LOOKUP GLOBALLY (APPLIES ONLY TO BRIGHTCLOUD)
set deviceconfig setting url dynamic-url yes
! DEBUG
show counter global filter delta yes category url
debug device-server bc-url-db db-info
debug device-server bc-url-db show-stats
debug device-server dump dynamic-url statistics
debug device-server unset all
debug device-server set url all
debug device-server set url_trie all
debug device-server on debug
tail follow yes mp-log devsrv.log
! reset debug to default
debug device-server off
debug device-server unset all
debug device-server on info
debug device-server set config basic
! DELETE AND REINSTALL BRIGHTCLOUD DB
debug device-server reset brightcloud-database
request url-filtering upgrade brightcloud
tail follow yes mp-log pan_bc_download.log
! PAN-DB CLI COMMANDS
https://live.paloaltonetworks.com/docs/DOC-3608
############################################################
## Response Page Customization
! encode picture into base64 code
http://www.webutils.pl/index.php?idx=base64
! ENABLE URL INJECTION INTO SSL WEBPAGES
set deviceconfig setting ssl-decrypt url-proxy yes
############################################################
# IPSEC
! VPN STATUS
show vpn flow
show vpn flow tunnel-id [ID]
show vpn ike-sa
show vpn tunnel
! CHECK CONNECTIVITY TO PEER
ping source IP.IP.IP.IP host IP.IP.IP.IP
! SYSTEM LOG
show log system direction equal backward subtype equal vpn
! CAPTURE VPN TRAFFIC
debug ike pcap on
debug ike pcap show
! INITIATE VPN TRAFFIC
test vpn ipsec-sa tunnel [VPN-NAME]
clear vpn ike-sa gateway all
! VIEW PCAP - VALUES ARE IN HEX
view-pcap verbose++ yes debug-pcap ikemgr.pcap
! STOP PCAP AND CLEAR FILES
debug ike pcap off
debug ike pcap delete
! IKE DEBUG LOG
debug ike global on debug
tail follow yes mp-log ikemgr.log
############################################################
# HA
show high-availability all
show high-availability state
request high-availability sync-to-remote
request high-availability state suspend
request high-availability state functional
############################################################
# QoS
show session all
show session id XX
show qos interface ethernet1/x counter
show qos interface ethernet1/x hw-counter
############################################################
## DECRYPTION
show system setting ssl-decrypt exclude-cache
show system setting ssl-decrypt setting
show counter global filter category proxy
debug dataplane pool statistics
! Check a private key
openssl rsa -in privateKey.key -check
! Check a certificate
openssl x509 -in certificate.crt -text -noout
! Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12
! Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
! Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
!! Supported Cipher suites https://live.paloaltonetworks.com/docs/DOC-2401
!! Test SSL Session https://www.ssllabs.com/ssltest/
!! GENERATE CERTIFICATES VIA CLI
request certificate generate signed-by "CA NAME" days-till-expiry 3650 organization "ORG" country-code IE email "name@domain.ie" certificate-name "CERT NAME" name FQDN
############################################################
## DOS
show counter global filter aspect dos delta yes
debug dataplane show dos block-table
debug dataplane show dos classification-table
!! CHECK THE RATE OF NEWLY ESTABLISHED SESSIONS AND PACKET RATE
show system statistics session
show session info
grep dp-log dp-monitor.log pattern "New connection establish rate"
grep dp-log dp-monitor.log pattern "Packet rate"
############################################################
## WILDFIRE
show wildfire cloud-info
test wildfire registration
show wildfire status
show wildfire statistics
show wildfire disk-usage
debug wildfire dp-status
less mp-log varrcvr.log
!! DETAILED WILDFIRE DEBUG
debug vardata-receiver set all
debug vardata-receiver on dump
debug vardata-receiver on normal
debug vardata-receiver unset all
!! CHANGE TIMERS (NOT RECOMMENDED IN PRODUCTION)
! DISABLE BATCH FORWARDING
debug wildfire batch-forward set disable <yes|no>
! CHANGE FILE COUNT THRESHOLD FOR A BATCH
debug wildfire batch-forward set max-count <value> <1-200>
! CHANGE TIMEOUT THRESHOLD FOR A BATCH
debug wildfire batch-forward set timeout <value> <60-240>
############################################################
## API
! KEY GENERATION - NOTE: THE CREDENTIALS ARE PART OF THE URL AND CAN BE RECORDED IN BROWSER HISTORY, PROXY AND WEB-SERVER LOGS; WHERE SUPPORTED SEND THEM IN A POST BODY INSTEAD, AND TREAT THE RETURNED KEY AS A SECRET
https://hostname/api/?type=keygen&user=username&password=password
https://hostname/esp/restapi.esp?type=config&action=show&key=KEYVALUE&xpath=devices/entry/vsys/entry/rulebase/security/rules
!! REPORTING OVER API
!1. Generate API key - https://hostname/api/?type=keygen&user=username&password=password
!2. Run report
! a. Log into Panorama
! b. Go to https://hostname/api
! c. Then Select Reports > custom > Report name
! d. Click on the REST API URL and note down the job number
!3. Import report into Excel
! a. Select to Data > From Web
! b. Put in the URL https://HOSTNAME/api/?key=XXXX&type=report&reporttype=custom&reportname=XXXX&action=get&job-id=XXX - it is best to copy the report name from the URL in step 2, because it could look like this if there are spaces or special characters: "NJ-Internet+In+-+HighRiskApps"
! c. Click Go and Import
! d. Delete the columns which are not necessary (A to V)
show report jobs
############################################################
## MALWARE INDICATORS OF COMPROMISE
! DNS SINKHOLE
( addr.src in ) and ( addr.dst in 223.255.255.223 )
! SUSPICIOUS INTERNET TRAFFIC
( addr.src in ) and ( zone.dst eq Internet ) and (( app eq incomplete ) or ( app
eq not-applicable ) or ( app eq insufficient-data ) or (app eq unknown-p2p) or (app
eq unknown-tcp) or (app eq unknown-udp)) and !( addr.dst in 169.254.0.0/16 ) and !(
addr.dst in 10.0.0.0/8 ) and !( addr.dst in 192.168.0.0/16 ) and !( addr.dst in
172.16.0.0/12 ) and !( zone.src eq Internet )
! USER THREATS
( addr in )
! SUSPICIOUS URLS
( addr.src in ) and ((category eq unknown) or (category eq proxy-avoidance-and-
anonymizers) or (category eq phishing) or (category eq peer-to-peer) or (category
eq parked) or (category eq malware) or (category eq dynamic-dns))
############################################################
## PANTS TIPS AND TRICKS
SysD
- phy - interface information including SFP brand etc
- leds - shows which LEDs are on including the ones of the HA peer
- core - show how many cores are used
- env - environmental information incl. temp
- error -
Counters
- session_svc_cp - Sessions allocated for captive-portal
- ctd_cp_drop - The number of sessions dropped because of captive portal page
########################################################################################################
##
## CUSTOM REPORTS
##
! GENERATES STATS DUMP FILE FOR SPECIFIC PERIOD (LAST 7 DAYS PER DEFAULT)
tftp export stats-dump start-time equal 2011/11/15@00:00:00 end-time equal 2011/12/05@00:00:00 to YOUR_PC_IP_ADDR
edit shared
set reports "Top Applicaciones" type appstat sortby nbytes
set reports "Top Applicaciones" type appstat group-by technology-of-name
set reports "Top Applicaciones" type appstat aggregate-by name
set reports "Top Applicaciones" type appstat aggregate-by category-of-name
set reports "Top Applicaciones" type appstat aggregate-by subcategory-of-name
set reports "Top Applicaciones" type appstat aggregate-by risk
set reports "Top Applicaciones" type appstat values nbytes
set reports "Top Applicaciones" type appstat values nsess
set reports "Top Applicaciones" type appstat values nthreats
set reports "Top Applicaciones" period last-7-days
set reports "Top Applicaciones" topn 50
set reports "Top Applicaciones" topm 25
set reports "Top Applicaciones" query "(name neq unassigned-ip-prot) and (name neq unknown-tcp) and (name neq unknown-udp) and (name neq insufficient-data)"
set reports "Top Applicaciones" frequency daily
set reports "Top Threats" type threat sortby repeatcnt
set reports "Top Threats" type threat group-by subtype
set reports "Top Threats" type threat aggregate-by threatid
set reports "Top Threats" type threat aggregate-by app
set reports "Top Threats" type threat aggregate-by proto
set reports "Top Threats" type threat aggregate-by severity
set reports "Top Threats" type threat values repeatcnt
set reports "Top Threats" topn 50
set reports "Top Threats" topm 10
set reports "Top Threats" period last-7-days
set reports "Top Threats" query "(severity neq low) or (severity neq informational)"
set reports "Top Threats" frequency daily
set reports "Spyware infected Clients" type threat sortby repeatcnt
set reports "Spyware infected Clients" type threat group-by threatid
set reports "Spyware infected Clients" type threat aggregate-by dst
set reports "Spyware infected Clients" type threat aggregate-by subtype
set reports "Spyware infected Clients" type threat aggregate-by app
set reports "Spyware infected Clients" type threat aggregate-by severity
set reports "Spyware infected Clients" type threat values repeatcnt
set reports "Spyware infected Clients" topn 25
set reports "Spyware infected Clients" topm 25
set reports "Spyware infected Clients" query "threatid geq 10000 AND threatid leq 20000 and ((addr.dst in 192.168.0.0/16) or (addr.dst in 172.16.0.0/12) or (addr.dst in 10.0.0.0/8))"
set reports "Spyware infected Clients" period last-7-days
set reports "Spyware infected Clients" frequency daily
set reports "Top Threats - Virus" type threat sortby repeatcnt
set reports "Top Threats - Virus" type threat aggregate-by threatid
set reports "Top Threats - Virus" type threat aggregate-by app
set reports "Top Threats - Virus" type threat aggregate-by severity
set reports "Top Threats - Virus" type threat values repeatcnt
set reports "Top Threats - Virus" topn 50
set reports "Top Threats - Virus" topm 10
set reports "Top Threats - Virus" period last-7-days
set reports "Top Threats - Virus" query "(severity neq low) and (subtype eq virus)"
set reports "Top Threats - Virus" frequency daily
set reports "Top Threats - Vulnerability" type threat sortby repeatcnt
set reports "Top Threats - Vulnerability" type threat aggregate-by threatid
set reports "Top Threats - Vulnerability" type threat aggregate-by app
set reports "Top Threats - Vulnerability" type threat aggregate-by severity
set reports "Top Threats - Vulnerability" type threat values repeatcnt
set reports "Top Threats - Vulnerability" topn 50
set reports "Top Threats - Vulnerability" topm 10
set reports "Top Threats - Vulnerability" period last-7-days
set reports "Top Threats - Vulnerability" query "(severity neq low) and (subtype eq vulnerability)"
set reports "Top Threats - Vulnerability" frequency daily
set reports "Top Threats - Spyware" type threat sortby repeatcnt
set reports "Top Threats - Spyware" type threat aggregate-by threatid
set reports "Top Threats - Spyware" type threat aggregate-by app
set reports "Top Threats - Spyware" type threat aggregate-by severity
set reports "Top Threats - Spyware" type threat values repeatcnt
set reports "Top Threats - Spyware" topn 50
set reports "Top Threats - Spyware" topm 10
set reports "Top Threats - Spyware" period last-7-days
set reports "Top Threats - Spyware" query "(severity neq low) and (subtype eq spyware)"
set reports "Top Threats - Spyware" frequency daily
set reports "Top External URLs" type url sortby repeatcnt
set reports "Top External URLs" type url aggregate-by category
set reports "Top External URLs" type url values repeatcnt
set reports "Top External URLs" topn 25
set reports "Top External URLs" topm 10
set reports "Top External URLs" query "(addr.dst notin '192.168.0.0/16') and (addr.dst notin '172.16.0.0/12') and (addr.dst notin '10.0.0.0/8')"
set reports "Top External URLs" period last-7-days
set reports "Top External URLs" frequency daily
set log-settings email "Reports AB and BC" server Mail-Server display-name "PaloAlto POC"
set log-settings email "Reports AB and BC" server Mail-Server from PaloAlto@customer.ie
set log-settings email "Reports AB and BC" server Mail-Server to ab@ab.ie
set log-settings email "Reports AB and BC" server Mail-Server and-also-to bc@bc.ie
set log-settings email "Reports AB and BC" server Mail-Server gateway mail1.eircom.net
set report-group "PaloAlto Daily Reports" custom-widget 1 custom-report "Top Applicaciones"
set report-group "PaloAlto Daily Reports" custom-widget 2 custom-report "Top External URLs"
set report-group "PaloAlto Daily Reports" custom-widget 3 custom-report "Top Threats"
set report-group "PaloAlto Daily Reports" custom-widget 4 custom-report "Top Threats - Spyware"
set report-group "PaloAlto Daily Reports" custom-widget 5 custom-report "Top Threats - Virus"
set report-group "PaloAlto Daily Reports" custom-widget 6 custom-report "Top Threats - Vulnerability"
set report-group "PaloAlto Daily Reports" custom-widget 7 custom-report "Spyware infected Clients"
set report-group "PaloAlto Daily Reports" title-page yes
set report-group "PaloAlto Daily Reports" variable title value "PaloAlto Weekly Reports"
set email-scheduler "PaloAlto Daily Reports" report-group "PaloAlto Daily Reports"
set email-scheduler "PaloAlto Daily Reports" email-profile "Reports AB and BC"
set email-scheduler "PaloAlto Daily Reports" recurring daily