Palo Alto Firewall CLI Commands
Merhaba ,
Palo Alto güvenlik duvarı yönetimi ve yapılandırma işlemleri için her ne kadar web arayüzünü kullansakta bazen komut satırı üzerinde de işlem yapmamız gerekiyor. Aşağıdaki komutlar haricinde birde Panorama için kullanılan CLI komutları bulunmaktadır. Panorama kurulum ve kullanım ile ilgili makaleler sonrasında bu komutlarıda paylaşacağım.
Device Management CLI Commands
| Description | Command |
| Show general system health information. | > show system info |
| Show percent usage of disk partitions. | > show system disk-space |
| Show the maximum log file size. | > show system logdb-quota |
| Show running processes. | > show system software status |
| Show processes running in the management plane. | > show system resources |
| Show resource utilization in the dataplane. | > show running resource-monitor |
| Show the licenses installed on the device. | > request license info |
| Show when commits, downloads, and/or upgrades are completed. | > show jobs processed |
| Show session information. | > show session info |
| Show information about a specific session. | > show session id <session-id> |
| Show the running security policy. | > show running security-policy |
| Show the authentication logs. | > less mp-log authd.log |
| Restart the device. | > request restart system |
| Show the administrators who are currently logged in to the web interface, CLI, or API. | > show admins |
| Show the administrators who can access the web interface, CLI, or API, regardless of whether those administrators are currently logged in.
When you run this command on the firewall, the output includes both local administrators and those pushed from a Panorama template. |
> show admins all |
| Configure the management interface as a DHCP client. For a successful commit, you must include each of the parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname. |
# set deviceconfig system type dhcp-client accept-dhcp-domain <yes|no> accept-dhcp-hostname <yes|no> send-client-id <yes|no> send-hostname <yes|no> |
Network CLI Commands
| Description | Command |
| Display the routing table | > show routing route |
| Look at routes for a specific destination | > show routing fib virtual-router <name> | match <x.x.x.x/Y> |
| NAT | |
| Show the NAT policy table | > show running nat-policy |
| Test the NAT policy | > test nat-policy-match |
| Show NAT pool utilization | > show running ippool> show running global-ippool |
| IPSec | |
| Show IPSec counters | > show vpn flow |
| Show a list of all IPSec gateways and their configurations | > show vpn gateway |
| Show IKE phase 1 SAs | > show vpn ike-sa |
| Show IKE phase 2 SAs | > show vpn ipsec-sa |
| Show a list of auto-key IPSec tunnel configurations | > show vpn tunnel |
| BFD | |
| Show BFD profiles | > show routing bfd active-profile [<name>] |
| Show BFD details | > show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>] |
| Show BFD statistics on dropped sessions | > show routing bfd drop-counters session-id <session-id> |
| Show counters of transmitted, received, and dropped BFD packets | > show counter global | match bfd |
| Clear counters of transmitted, received, and dropped BFD packets | > clear routing bfd counters session-id all | <1-1024> |
| Clear BFD sessions for debugging purposes | > clear routing bfd session-state session-id all | <1-1024> |
| PVST+ | |
| Set the native VLAN ID | > set session pvst-native-vlan-id <vid> |
| Drop all STP BPDU packets | > set session drop-stp-packet |
| Verify PVST+ BPDU rewrite configuration, native VLAN ID, and STP BPDU packet drop | > show vlan all |
| Show counter of times the 802.1Q tag and PVID fields in a PVST+ BPDU packet do not match | > show counter globalLook at the flow_pvid_inconsistent counter. |
| Troubleshooting | |
| Ping from the management (MGT) interface to a destination IP address | > ping host <destination-ip-address> |
| Ping from a dataplane interface to a destination IP address | > ping source <ip-address-on-dataplane> host <destination-ip-address> |
| Show network statistics | > request netstat statistics yes |
User-ID CLI Commands
View all User-ID agents configured to send user mappings to the Palo Alto Networks device:
To see all configured Windows-based agents:
> show user user-id-agent state all
To see if the PAN-OS-integrated agent is configured:
> show user server-monitor state all
View the configuration of a User-ID agent from the Palo Alto Networks device:
> show user user-id-agent config name <agent-name>
View group mapping information:
> show user group-mapping statistics
> show user group-mapping state all
> show user group list
> show user group name <group-name>
View all user mappings on the Palo Alto Networks device:
> show user ip-user-mapping all
Show user mappings filtered by a username string (if the string includes the domain name, use two backslashes before the username):
> show user ip-user-mapping all | match <domain>\\<username-string>
Show user mappings for a specific IP address:
> show user ip-user-mapping ip <ip-address>
Show usernames:
> show user user-ids
View the most recent addresses learned from a particular User-ID agent:
> show log userid datasourcename equal <agent-name> direction equal backward
View mappings from a particular type of authentication service:
> show log userid datasourcetype equal <authentication-service>
where <authentication-service> can be authenticate , client-cert , directory-server , exchange-server , globalprotect , kerberos , netbios-probing , ntlm , unknown , vpn-client , or wmi-probing .
For example, to view all user mappings from the Kerberos server, you would enter the following command:
> show log userid datasourcetype equal kerberos
View mappings learned using a particular type of user mapping:
> show log userid datasource equal <datasource>
Where <datasource> can be be agent , captive-portal , event-log , ha , probing , server-session-monitor , ts-agent , unknown , vpn-client , or xml-api .
For example, to view all user mappings from the XML API, you would enter the following command:
> show log userid datasourcetype equal xml-api
Find a user mapping based on an email address:
> show user email-lookup
+ base Default base distinguished name (DN) to use for searches
+ bind-dn bind distinguished name
+ bind-password bind password
+ domain Domain name to be used for username
+ group-object group object class(comma-separated)
+ name-attribute name attribute
+ proxy-agent agent ip or host name.
+ proxy-agent-port user-id agent listening port, default is 5007
+ use-ssl use-ssl
* email email address
> mail-attribute mail attribute
> server ldap server ip or host name.
> server-port ldap server listening port
For example:
> show user email-lookup base “DC=lab,DC=sg,DC=acme,DC=local” bind-dn
“CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local” bind-password
acme use-ssl no email [email protected] mail-attribute mail server
10.1.1.1 server-port 389
labsg\user1
Clear the User-ID cache:
clear user-cache all
Clear a User-ID mapping for a specific IP address:
clear user-cache ip <ip-address/netmask>
Palo Alto Firewall CLI Commands - Yorumlar
Yapılan Yorumlar
Very nice but can we have the full list of commands please ?
Hello,
You can check all commands from the link below.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli
BENZER İÇERİKLERİlginizi çekebilecek diğer içerikler
Palo Alto Firewall Panorama Configuration 04 Nisan 2020
Palo Alto Firewall Port Forwarding 13 Mart 2020