
CLI Cheat Sheet: Networking

Use the following table to quickly locate commands for common networking tasks:
If you want to . . .
Use . . .
General Routing Commands
  • Display the routing table
> show routing route
  • Look at routes for a specific destination
> show routing fib virtual-router <name> | match <x.x.x.x/Y>
  • Change the ARP cache timeout setting from the default of 1800 seconds.
> set system setting arp-cache-timeout <60-65536>
  • View the ARP cache timeout setting.
> show system setting arp-cache-timeout
AE Interfaces
  • On PA-7050 and PA-7080 firewalls that have an aggregate interface group of interfaces located on different line cards, implement proper handling of fragmented packets that the firewall receives on multiple interfaces of the AE group.
> set ae-frag redistribution-policy hash
NAT
  • (PAN-OS 10.1.7 and later 10.1 releases) Enable persistent NAT for DIPP
> set system setting persistent-dipp enable yes
  • Show the NAT policy table
> show running nat-policy
  • Test the NAT policy
> test nat-policy-match
  • Show NAT pool utilization
> show running ippool
> show running global-ippool
IPSec
  • Show IPSec counters
> show vpn flow
  • Show a list of all IPSec gateways and their configurations
> show vpn gateway
  • Show IKE phase 1 SAs
> show vpn ike-sa
  • Show IKE phase 2 SAs
> show vpn ipsec-sa
  • Show a list of auto-key IPSec tunnel configurations
> show vpn tunnel
LSVPN (PAN-OS 10.1.7 and later 10.1 releases)
  • (Portal) Change the current satellite cookie expiration time
> request global-protect-portal set-satellite-cookie-expiration value <0-5>
  • (Portal) Show current satellite cookie expiration time
> show global-protect-portal satellite-cookie-expiration
  • (Satellite) Display current satellite authentication cookie's generation time
> show global-protect-satellite satellite
BFD
  • Show BFD profiles
> show routing bfd active-profile [<name>]
  • Show BFD details
> show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>]
  • Show BFD statistics on dropped sessions
> show routing bfd drop-counters session-id <session-id>
  • Show counters of transmitted, received, and dropped BFD packets
> show counter global | match bfd
  • Clear counters of transmitted, received, and dropped BFD packets
> clear routing bfd counters session-id all | <1-1024>
  • Clear BFD sessions for debugging purposes
> clear routing bfd session-state session-id all | <1-1024>
PVST+
  • Set the native VLAN ID
> set session pvst-native-vlan-id <vid>
  • Drop all STP BPDU packets
> set session drop-stp-packet
  • Verify PVST+ BPDU rewrite configuration, native VLAN ID, and STP BPDU packet drop
> show vlan all
  • Show counter of times the 802.1Q tag and PVID fields in a PVST+ BPDU packet do not match
> show counter global
Look at the flow_pvid_inconsistent counter.
Troubleshooting
  • Ping from the management (MGT) interface to a destination IP address
> ping host <destination-ip-address>
  • Ping from a dataplane interface to a destination IP address
> ping source <ip-address-on-dataplane> host <destination-ip-address>
  • Show network statistics
> show netstat statistics yes