CLI Cheat Sheet: Networking
PAN-OS 11.1 & Later
Use the following table to quickly locate commands for
common networking tasks:
If you want to . . . | Use . . . |
---|---|
General Routing Commands
| |
|
> show routing route
|
|
> show routing fib virtual-router <name> | match <x.x.x.x/Y>
|
|
> set system setting arp-cache-timeout <60-65536>
|
|
> show system setting arp-cache-timeout
|
AE Interfaces
| |
|
> set ae-frag redistribution-policy hash
|
NAT
| |
|
> show running nat-policy
|
|
> test nat-policy-match
|
|
> show running ippool
> show running global-ippool
|
IPSec
| |
|
> show vpn flow
|
|
> show vpn gateway
|
|
> show vpn ike-sa
|
|
> show vpn ipsec-sa
|
|
> show vpn tunnel
|
|
> set network tunnel ipsec <name_of_tunnel> ipsec-mode [tunnel | transport]
|
LSVPN (PAN-OS 11.0.1 and later releases)
| |
|
> request global-protect-portal set-satellite-cookie-expiration value <0-5>
|
|
> show global-protect-portal satellite-cookie-expiration
|
|
> show global-protect-satellite satellite
|
LSVPN (Serial number and IP Address Authentication Method)
(PAN-OS 11.1.3 and later releases)
| |
|
> set global-protect global-protect-portal portal <portal_name> satellite-serialnumberip-auth satellite-ip-allowlist entry <value>
Where <value> is the IPv4 address, IPv6 address,
IP range, or IP subnet of the new satellite device you want to
add.
|
|
> set global-protect global-protect-portal portal <portal_name> satellite-serialnumberip-auth satellite-ip-exclude-from range <ip-address> exclude-list <value>
Where satellite-ip-exclude-from range <ip-address> is the IPv4 or
IPv6 subnet or IP address range that you want to exclude from being
configured as a satellite device. The IP address that you want to
exclude must be within the IP address range that you configured in
the satellite-ip-allowlist.
|
|
> set global-protect global-protect-portal portal <name> satellite-serialnumberip-auth retry-interval <5-8600>
The retry interval range is 5 to 86,400 seconds and the default value
is 5 seconds.
|
|
> set global-protect-portal satellite-serialnumberip-auth enable
|
|
> set global-protect-portal satellite-serialnumberip-auth disable
|
|
> show global-protect-portal global-protect-portal <name> satellite-serialnumberip-auth all
|
|
> show global-protect-portal satellite-serialnumberip-auth status
|
|
> show global-protect-portal global-protect-portal portal <name> satellite-serialnumberip-auth retry-interval
|
|
> show global-protect-portal global-protect-portal portal <name> satellite-serialnumberip-auth satellite-ip-allowlist
|
|
> delete global-protect global-protect-portal portal <portal_name> satellite-ip-list allowlist-entry ip-address <value>
Where <value> is the IPv4 address, IPv6 address,
IP range, or IP subnet of the satellite device you want to
delete.
|
|
> delete global-protect global-protect-portal portal <portal_name> satellite-ip-list excludelist-entry ip <value>
Where <value> is the IPv4 address, IPv6 address,
IP range, or IP subnet of the satellite device you want to delete
from the exclude list entry.
|
|
> delete global-protect global-protect-portal portal <name> satellite-ip-allowlist satellite-ip-allowlist-all
|
BFD
| |
|
> show routing bfd active-profile [<name>]
|
|
> show routing bfd details [interface <name>] [local-ip <ip>] [multihop][peer-ip <ip>] [session-id] [virtual-router <name>]
|
|
> show routing bfd drop-counters session-id <session-id>
|
|
> show counter global | match bfd
|
|
> clear routing bfd counters session-id all | <1-1024>
|
|
> clear routing bfd session-state session-id all | <1-1024>
|
PVST+
| |
|
> set session pvst-native-vlan-id <vid>
|
|
> set session drop-stp-packet
|
|
> show vlan all
|
|
> show counter global
Look at the flow_pvid_inconsistent counter.
|
Troubleshooting
| |
|
> ping host <destination-ip-address>
|
|
> ping source <ip-address-on-dataplane> host <destination-ip-address>
|
|
> show netstat statistics yes
|
Advanced Routing
| |
|
> show advanced-routing fib
> show advanced-routing fib afi <ipv4|ipv6|both>
> show advanced-routing fib ecmp <no|yes>
|
|
> show advanced-routing route
> show advanced-routing route afi <ipv4|ipv6|both>
> show advanced-routing route destination <ip/netmask>
> show advanced-routing route logical-router <logical-router-name>
> show advanced-routing route type <bgp|connect|ospf|ospfv3|static>
|
|
> show advanced-routing logical-router <logical-router-name>
|
|
> show advanced-routing resource logical-router <logical-router-name>
|
|
> show advanced-routing static-route-path-monitor
|
|
> show advanced-routing ospf area
> show advanced-routing ospf dumplsdb
> show advanced-routing ospf graceful-restart
> show advanced-routing ospf interface
> show advanced-routing ospf lsdb
> show advanced-routing ospf neighbor
> show advanced-routing ospf summary
> show advanced-routing ospf virt-link
> show advanced-routing ospf virt-neighbor
|
|
> show advanced-routing ospfv3 area
> show advanced-routing ospfv3 dumplsdb
> show advanced-routing ospfv3 graceful-restart
> show advanced-routing ospfv3 interface
> show advanced-routing ospfv3 lsdb
> show advanced-routing ospfv3 neighbor
> show advanced-routing ospfv3 summary
> show advanced-routing ospfv3 virt-link
> show advanced-routing ospfv3 virt-neighbor
|
|
> show advanced-routing bgp summary logical-router <logical-router-name>
> show advanced-routing bgp peer detail peer-name <peer-name> logical-router <logical-router-name>
> show advanced-routing bgp peer received-routes peer-name <peer-name> afi <ipv4|ipv6|both> logical-router <logical-router-name>
> show advanced-routing bgp peer filtered-routes peer-name <peer-name> afi <ipv4|ipv6|both> logical-router <logical-router-name>
> show advanced-routing bgp peer advertised-routes peer-name <peer-name> afi <ipv4|ipv6|both> logical-router <logical-router-name>
> show advanced-routing bgp peer dampened-routes peer-name <peer-name> afi <ipv4|ipv6|both> logical-router <logical-router-name>
> show advanced-routing bgp peer status peer-name <peer-name> logical-router <logical-router-name>
> show advanced-routing bgp peer-groups group-name <group-name> logical-router <logical-router-name>
> show advanced-routing bgp filters route-map logical-router <logical-router-name> [ipv4|ipv6] name <route-map-name>
|
|
> show advanced-routing bgp filters access-list logical-router <logical-router-name> [ipv4|ipv6] name <access-list-name>
> show advanced-routing bgp filters prefix-list logical-router <logical-router-name> [ipv4|ipv6] name <prefix-list-name>
> show advanced-routing bgp route afi <ipv4|ipv6|both> logical-router <logical-router-name>
> show advanced-routing bgp peer advertised-routes peer-name <peer-name> afi <ipv4|ipv6|both> logical-router <logical-router-name>
|
QoS
| |
|
> set lockless-qos yes
|
|
> set lockless-qos no
|
|
> show lockless-qos enable
|
|
> show lockless-qos if-core-mapping
|
|
> show lockless-qos core-num
|