Use CLI Commands for SD-WAN Tasks

Use the following CLI commands to view and clear SD-WAN information and view SD-WAN global counters. You can also view VPN tunnel information, BGP information, and SD-WAN interface information.
If you want to ...
Use ...
View or Clear SD-WAN Information
  • View path names and IDs for an SD-WAN interface, their state, local and peer IP addresses, and tunnel interface number.
> show sdwan connection all | <sdwan-interface>
  • View the number and percentage of sessions distributed to each tunnel member of a virtual SD-WAN interface.
> show sdwan session distribution policy-name <sdwan-policy-name>
  • View the names of SD-WAN policy rules that send traffic to the specified virtual SD-WAN interface, along with the traffic distribution method, configured latency, jitter, and packet loss thresholds, link tags identified for the rule, and member tunnel interfaces.
> show sdwan rule vif sdwan.x
  • View SD-WAN events such as path selection and path quality measurements.
    For PAN-OS 10.0.0 and 10.0.1, when you make an SD-WAN configuration change (such as a Path Quality profile change) that results in a different SD-WAN path being selected, the traffic log does not count or log the path change.
> show sdwan event
  • Clear SD-WAN events.
> clear sdwan event
  • View latency, jitter, and packet loss on a virtual SD-WAN interface (specify interface number or name).
    Latency, jitter, and packet loss measurements are taken and averaged over three timeframes. Each timeframe has a health version, which increments when a health parameter value (that exceeds the threshold) changes. In addition to the real-time measurement, there is a current use measurement, which displays the value of the parameter the last time the real-time value change exceeded the threshold.
> show sdwan path-monitor stats vif <sdwan.x>
> show sdwan path-monitor stats vif <sdwan-interface-name>
  • View the name of the SD-WAN policy rule that the specified session matches, the source and destination tunnel interfaces, the configured latency, jitter, and packet loss percentage for the rule, and the traffic distribution method.
    For PAN-OS 10.0.0 and 10.0.1, when you make an SD-WAN configuration change (such as a Path Quality profile change) that results in a different SD-WAN path being selected, the traffic log does not count or log the path change.
> show sdwan session path-select session-id <session-id>
  • View monitoring mode for the virtual SD-WAN link (Aggressive or Relaxed) and update intervals.
> show sdwan path-monitor parameter path-name <sdwan-path-name>
  • View monitoring mode for the virtual SD-WAN interface (Aggressive or Relaxed), update intervals, and probe statistics.
> show sdwan path-monitor parameter vif <sdwan.x>
View Global Counters to Troubleshoot SD-WAN
  • On a branch, verify that the number of SD-WAN probe Request packets transmitted equals the number of probe Reply packets received.
    On a branch firewall, most SD-WAN tunnels are the initiator, which means the tunnel will have SD-WAN path-monitor probing enabled.
> show counter global filter delta yes
flow_sdwan_prob_req_tx
flow_sdwan_prob_reply_rx
  • On a hub, verify that the number of SD-WAN probe Request packets received equals the number of probe Reply packets transmitted.
    On a hub firewall, most SD-WAN tunnels are the responder, which means the tunnel will have SD-WAN path-monitor probing disabled.
> show counter global filter delta yes
flow_sdwan_prob_req_rx
flow_sdwan_prob_reply_tx
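The branch and hub checks above can be automated against captured command output. The following is an added example, not part of the original documentation: the column layout of the sample, its values and description text are constructed, the function names are hypothetical, and a counter missing from the delta output is assumed to have a delta of 0.

```python
import re

# Constructed sample of `show counter global filter delta yes` output from a
# branch firewall; values and description text are made up for illustration.
SAMPLE_BRANCH = """\
Global counters:
Elapsed time since last sampling: 10.012 seconds

name                         value   rate severity  category  aspect  description
--------------------------------------------------------------------------------
flow_sdwan_prob_req_tx         120     12 info      flow      sdwan   (constructed) probe requests sent
flow_sdwan_prob_reply_rx       117     11 info      flow      sdwan   (constructed) probe replies received
--------------------------------------------------------------------------------
Total counters shown: 2
"""

# Counter pairs the page says should be equal, keyed by firewall role.
PAIRS = {
    "branch": ("flow_sdwan_prob_req_tx", "flow_sdwan_prob_reply_rx"),
    "hub": ("flow_sdwan_prob_req_rx", "flow_sdwan_prob_reply_tx"),
}

# A counter row starts with the counter name followed by its delta value.
ROW = re.compile(r"^(flow_sdwan_prob_\w+)\s+(\d+)\s", re.MULTILINE)

def parse_probe_counters(text):
    """Return {counter_name: delta_value} for the SD-WAN probe counters."""
    return {name: int(value) for name, value in ROW.findall(text)}

def check_probes(text, role):
    """Compare request and reply deltas for a 'branch' or 'hub' firewall."""
    req_name, reply_name = PAIRS[role]
    counters = parse_probe_counters(text)
    # Assumption: a counter absent from the output had no change (delta 0).
    req = counters.get(req_name, 0)
    reply = counters.get(reply_name, 0)
    return {
        "requests": req,
        "replies": reply,
        "unanswered": req - reply,
        # False means no probe traffic at all was counted in this window.
        "probing_seen": req > 0 or reply > 0,
        "balanced": req == reply,
    }

if __name__ == "__main__":
    print(check_probes(SAMPLE_BRANCH, "branch"))
```

A result with `balanced` true but `probing_seen` false means both counters were absent, so the equality holds only because no probes were counted in the sampling window.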
View VPN Tunnel Information
  • View all tunnels created on the firewall.
> show vpn flow
  • View details of individual tunnels identified by name.
> show vpn flow name <name>
  • View details of individual tunnels identified by ID.
> show vpn flow tunnel-id <tunnel-id>
  • View Internet Key Exchange (IKE) Phase 1 and Phase 2 details for all tunnels.
> show vpn ike-sa
  • View IKEv2 security associations (SAs) and IKEv2 IPSec child SAs of a specific gateway.
> show vpn ike-sa gateway <gateway>
  • View tunnel details.
> show vpn tunnel
View BGP Information
  • View BGP summary for a virtual router.
> show routing protocol bgp summary virtual-router <virtual-router>
  • View BGP peer summary.
> show routing protocol bgp peer peer-name <peer-name> virtual-router <virtual-router>
  • View summary of local routing information base (RIB).
> show routing protocol bgp loc-rib
View SD-WAN Interface Information among RIB and FIB
  • View new SD-WAN egress interface.
> show routing route
  • View SD-WAN interfaces in forwarding information base (FIB).
> show routing fib
Initiate IKE/IPSec Negotiation
  • Initiate an IKE negotiation with the designated gateway.
> test vpn ike-sa gateway <gateway>
  • Initiate an IPSec negotiation for the designated tunnel.
> test vpn ipsec-sa tunnel <tunnel>