Symptom:
You need to debug a problem on a Palo Alto firewall; these are the CLI commands to use.
David Klein says: "My CLI cheat sheet. I put an '*' by the commands to use when looking for issues."
Problem:
Any sort of debugging on a PA-2020 or other PA firewall, including running somewhat arbitrary packet captures with simple filters.
Solution:
CLI cheat sheet
show system info
show jobs processed
    make sure autocom completed okay (especially after updates)
ping source int-ip-addr host ip-addr
    source int-ip-addr is not needed when sourcing from mgmt interface
* show system statistics
* show interface ethernet1/?
show log traffic direction equal backward
    shows latest log entries first
show log system direction equal backward
show log url direction equal backward
show system logdb-quota
show running logging
* show counter global
* debug dataplane pool statistics
    look for buffer pool exhaustion (when first number of x/y gets close to 0)
show system state filter sys.monitor.mp.exports
show system state filter sys.monitor.dp.exports
show session all | match ip-addr
    to find a particular session nnnnn
show session id nnnnn
    to see details of that particular session
show routing route
    to see route table
* show running resource-monitor
    to see dataplane cpu stats
show system resources
tftp export configuration from running-config.xml to ip-addr
    to save running-config to tftp server at ip-addr
tftp export stats-dump to ip-addr
    to save data for AVR report to tftp server at ip-addr
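The buffer pool check listed above for "debug dataplane pool statistics" can be run over saved output. This is an added example, not part of the original cheat sheet. The line layout it parses, the sample output and the 10% threshold are assumptions:

```python
import re

# Assumed line shape (an assumption, not taken from the original page):
#   [ 0] Packet Buffers            :    57241/57344    0x8000000410000000
POOL_RE = re.compile(
    r"^\s*\[\s*\d+\]\s*(?P<name>.+?)\s*:\s*(?P<left>\d+)/(?P<size>\d+)")

# Constructed sample output, for illustration only.
SAMPLE = """\
Hardware Pools
[ 0] Packet Buffers            :    57241/57344    0x8000000410000000
[ 1] Work Queue Entries        :     1203/229376   0x8000000417000000
[ 2] Output Buffers            :     1007/1024     0x8000000418c00000
Software Pools
[ 0] software packet buffer 0  ( 512):       12/32768    0x8000000043b0c680
[ 1] software packet buffer 1  ( 1024):   32768/32768    0x8000000044b14780
"""

def parse_pools(text):
    """Return (name, x, y) for every 'name : x/y' pool line in the output."""
    pools = []
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:  # section headers such as "Hardware Pools" do not match
            pools.append((m["name"], int(m["left"]), int(m["size"])))
    return pools

def low_pools(text, min_ratio=0.10):
    """Pools whose first number x is at or below min_ratio of y.

    min_ratio is a hypothetical threshold; the cheat sheet only says
    'close to 0'.
    """
    flagged = []
    for name, left, size in parse_pools(text):
        if size > 0 and left / size <= min_ratio:
            flagged.append((name, left, size))
    return flagged

if __name__ == "__main__":
    for name, left, size in low_pools(SAMPLE):
        print(f"LOW  {name}: {left}/{size} ({100.0 * left / size:.2f}% left)")
```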
-----------------------
Here is my cheat sheet for PAN-OS 3.1 manual packet captures in CLI:
Setup:
debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match source src_ip destination dest_ip
debug dataplane packet-diag set capture stage receive file mypcapfile.pcap
debug dataplane packet-diag set capture on
Generate traffic and then:
debug dataplane packet-diag set capture off
view-pcap filter-pcap mypcapfile.pcap
tftp export filter-pcap from mypcapfile.pcap to 10.10.10.10
Clean up:
debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture stage receive
delete debug-filter file mypcapfile.pcap
Check settings:
debug dataplane packet-diag show setting