Focus

PAN-OS CLI Quick Start

CLI Cheat Sheet: Networking

Table of Contents

CLI Cheat Sheet: Networking

Use the following table to quickly locate commands for common networking tasks:

If you want to . . .	Use . . .
General Routing Commands
Display the routing table	> show routing route
Look at routes for a specific destination	> show routing fib virtual-router `<name>` \| match `<x.x.x.x/Y>`
Change the ARP cache timeout setting from the default of 1800 seconds.	> set system setting arp-cache-timeout `<60-65536>`
View the ARP cache timeout setting.	> show system setting arp-cache-timeout
AE Interfaces
On PA-7050 and PA-7080 firewalls that have an aggregate interface group of interfaces located on different line cards, implement proper handling of fragmented packets that the firewall receives on multiple interfaces of the AE group.	> set ae-frag redistribution-policy hash
NAT
Show the NAT policy table	> show running nat-policy
Test the NAT policy	> test nat-policy-match
Show NAT pool utilization	> show running ippool > show running global-ippool
IPSec
Show IPSec counters	> show vpn flow
Show a list of all IPSec gateways and their configurations	> show vpn gateway
Show IKE phase 1 SAs	> show vpn ike-sa
Show IKE phase 2 SAs	> show vpn ipsec-sa
Show a list of auto-key IPSec tunnel configurations	> show vpn tunnel
LSVPN (LSVPN Cookie Expiry Extension) (`PAN-OS 10.2.4 and later 10.2 releases`)
(Portal) Change the current satellite cookie expiration time	> request global-protect-portal set-satellite-cookie-expiration value `<0-5>`
(Portal) Show current satellite cookie expiration time	> show global-protect-portal satellite-cookie-expiration
(Satellite) Display current satellite authentication cookie's generation time	> show global-protect-satellite satellite
LSVPN (Serial number and IP Address Authentication Method) (`PAN-OS 10.2.8 and later 10.2 releases`)
(Portal) Add a new satellite device IP address to the satellite IP allow list	> set global-protect global-protect-portal portal `<portal_name>` satellite-serialnumberip-auth satellite-ip-allowlist entry `<value>` Where <value> is the IPv4 address, IPv6 address, IP range, or IP subnet of the new satellite device you want to add.
(Portal) Exclude a specific range of IP address from the satellite-ip-allowlist that you don't wish to configure as a satellite	> set global-protect global-protect-portal portal `<portal_name>` satellite-serialnumberip-auth satellite-ip-exclude-from range `<ip-address>` exclude-list `<value>` Where `satellite-ip-exclude-from range <ip-address>` is the IPv4 or IPv6 subnet or range of the IP address that you want to exclude from configuring as a satellite device. The IP address that you want to exclude must be within the IP address range that you configured in the `satellite-ip-allowlist`.
(Portal) Configure retry interval for serial number and IP address authentication in case of failure	> set global-protect global-protect-portal portal `<name>` satellite-serialnumberip-auth retry-interval `<5-8600>` The retry interval range is 5 to 86,400 seconds and the default value is 5 seconds.
(Portal) Enable the serial number and IP address authentication method on the firewall that is configured as a portal. By default this method is disabled.	> set global-protect-portal satellite-serialnumberip-auth enable
(Portal) Disable serial number and IP address authentication method on the firewall that is configured as a portal	> set global-protect-portal satellite-serialnumberip-auth disable
(Portal) View all the information related to the serial number and IP address authentication method	> show global-protect-portal global-protect-portal `<name>` satellite-serialnumberip-auth all
(Portal) View if the serial number and IP address authentication method is enabled or disabled on the firewall that is configured as a portal	> show global-protect-portal satellite-serialnumberip-auth status
(Portal) View the serial number and IP address retry interval configured on the portal	> show global-protect-portal global-protect-portal portal `<name>` satellite-serialnumberip-auth retry-interval
(Portal) View all the allowed satellite device IP addresses configured on the portal	> show global-protect-portal global-protect-portal portal `<name>` satellite-serialnumberip-auth satellite-ip-allowlist
(Portal) Delete a satellite device IP address from the satellite IP list on the portal	> delete global-protect global-protect-portal portal `<portal_name>` satellite-ip-list allowlist-entry ip-address `<value>` Where <value> is the IPv4 address, IPv6 address, IP range, or IP subnet of the satellite device you want to delete.
(Portal) Delete a satellite device IP address from the satellite IP exclude list on the portal	> delete global-protect global-protect-portal portal `<portal_name>` satellite-ip-list excludelist-entry ip `<value>` Where <value> is the IPv4 address, IPv6 address, IP range, or IP subnet of the satellite device you want to delete from the exclude list entry.
(Portal) Delete all the satellite devices IP address from the satellite IP list on the portal. Executing this command is equal to not configuring any satellite IP address on the portal.	> delete global-protect global-protect-portal portal `<name>` satellite-ip-allowlist satellite-ip-allowlist-all
BFD
Show BFD profiles	> show routing bfd active-profile [`<name>`]
Show BFD details	> show routing bfd details [interface `<name>`] [local-ip `<ip>`] [multihop][peer-ip `<ip>`] [session-id] [virtual-router `<name>`]
Show BFD statistics on dropped sessions	> show routing bfd drop-counters session-id `<session-id>`
Show counters of transmitted, received, and dropped BFD packets	> show counter global \| match bfd
Clear counters of transmitted, received, and dropped BFD packets	> clear routing bfd counters session-id all \| `<1-1024>`
Clear BFD sessions for debugging purposes	> clear routing bfd session-state session-id all \| `<1-1024>`
PVST+
Set the native VLAN ID	> set session pvst-native-vlan-id `<vid>`
Drop all STP BPDU packets	> set session drop-stp-packet
Verify PVST+ BPDU rewrite configuration, native VLAN ID, and STP BPDU packet drop	> show vlan all
Show counter of times the 802.1Q tag and PVID fields in a PVST+ BPDU packet do not match	> show counter global Look at the flow_pvid_inconsistent counter.
Troubleshooting
Ping from the management (MGT) interface to a destination IP address	> ping host `<destination-ip-address>`
Ping from a dataplane interface to a destination IP address	> ping source `<ip-address-on-dataplane>` host `<destination-ip-address>`
Show network statistics	> show netstat statistics yes
Advanced Routing
View FIB table entries	> show advanced-routing fib > show advanced-routing fib afi `<ipv4\|ipv6\|both>` > show advanced-routing fib ecmp `<no\|yes>`
View RIB entries	> show advanced-routing route > show advanced-routing route afi `<ipv4\|ipv6\|both>` > show advanced-routing route destination `<ip/netmask>` > show advanced-routing route logical-router `<logical-router-name>` > show advanced-routing route type `<bgp\|connect\|ospf\|ospfv3\|static>`
View interface information	> show advanced-routing logical-router `<logical-router-name>`
View resource information	> show advanced-routing resource logical-router `<logical-router-name>`
View the static route path monitor	> show advanced-routing static-route-path-monitor
View routing information for OSPFv2 and the link-state database	> show advanced-routing ospf area > show advanced-routing ospf dumplsdb > show advanced-routing ospf graceful-restart > show advanced-routing ospf interface > show advanced-routing ospf lsdb > show advanced-routing ospf neighbor > show advanced-routing ospf summary > show advanced-routing ospf virt-link > show advanced-routing ospf virt-neighbor
View routing information for OSPFv3 and the link-state database	> show advanced-routing ospfv3 area > show advanced-routing ospfv3 dumplsdb > show advanced-routing ospfv3 graceful-restart > show advanced-routing ospfv3 interface > show advanced-routing ospfv3 lsdb > show advanced-routing ospfv3 neighbor > show advanced-routing ospfv3 summary > show advanced-routing ospfv3 virt-link > show advanced-routing ospfv3 virt-neighbor
View BGP routing information	> show advanced-routing bgp summary logical-router `<logical-router-name>` > show advanced-routing bgp peer detail peer-name `<peer-name>` logical-router `<logical-router-name>` > show advanced-routing bgp peer received-routes peer-name `<peer-name>` afi `<ipv4\|ipv6\|both>` logical-router `<logical-router-name>` > show advanced-routing bgp peer filtered-routes peer-name `<peer-name>` afi `<ipv4\|ipv6\|both>` logical-router `<logical-router-name>` > show advanced-routing bgp peer advertised-routes peer-name `<peer-name>` afi `<ipv4\|ipv6\|both>` logical-router `<logical-router-name>` > show advanced-routing bgp peer dampened-routes peer-name `<peer-name>` afi `<ipv4\|ipv6\|both>` logical-router `<logical-router-name>` > show advanced-routing bgp peer status peer-name `<peer-name>` logical-router `<logical-router-name>` > show advanced-routing bgp peer-groups group-name `<group-name>` logical-router `<logical-router-name>` > show advanced-routing bgp filters route-map logical-router `<logical-router-name>` [ipv4\|ipv6] name `<route-map-name>`
View BGP routing information (continued)	> show advanced-routing bgp filters access-list logical-router `<logical-router-name>` [ipv4\|ipv6] name `<access-list-name>` > show advanced-routing bgp filters prefix-list logical-router `<logical-router-name>` [ipv4\|ipv6] name `<prefix-list-name>` > show advanced-routing bgp route afi `<ipv4\|ipv6\|both>` logical-router `<logical-router-name>` > show advanced-routing bgp peer advertised-routes peer-name `<peer-name>` afi `<ipv4\|ipv6\|both>` logical-router `<logical-router-name>`
QoS (`PAN-OS 10.2.5 and later 10.2 releases`)
Enable lockless QoS	> set lockless-qos yes
Disable lockless QoS	> set lockless-qos no
View lockless QoS enable status	> show lockless-qos enable
View the list of ports with the number of cores allocated for the QoS process by lockless QoS	> show lockless-qos if-core-mapping

CLI Cheat Sheet: HA

CLI Cheat Sheet: VSYS