Troubleshooting from the Command Line

Symptom:

Maybe the GUI is down, or you just want to capture troubleshooting information as text instead of a bunch of giant screenshots.

Problem:

When using the command line, Palo Alto is slightly different from Cisco: there is a separate “configure” mode, but not a separate “enable” mode. Below are the commands I use most often.

Solution:

System jobs (commit, upgrade, etc):
show jobs all
show jobs processed
show jobs id 1

Session load:
show system statistics app
show system statistics session
show session info
show admins

HA Status:
show high-availability all
show high-availability state
show high-availability transitions

System and services status:
show operational-mode
show clock
show ntp
show system resources
show system environmentals

Network status:
show virtual-wire all
show interface all
show interface ethernet1/1
show interface hardware

Intrusive commands (these will change the state of a firewall: reboot, etc.):
request high-availability state suspend
request high-availability state functional
request restart system  (Performs a cold boot)

Other useful debugging commands:
test security-policy-match from trust to untrust source 10.1.1.1 destination 192.168.1.1 destination-port 53 protocol 17
tail dp0-log masterd.log
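
Added example (not part of the original article): a small Python helper that turns a list of expected flows into "test security-policy-match" lines, using only the keywords shown in the command above and validating zones, addresses, ports and protocol first. The function names and the sample flows are assumptions made for illustration; the first sample flow reproduces the article's DNS example.

```python
import ipaddress

# IANA protocol numbers; the article's example uses 17 (UDP) with destination-port 53.
PROTOCOLS = {"tcp": 6, "udp": 17}


def policy_match_command(from_zone, to_zone, source, destination, port, protocol):
    """Build one 'test security-policy-match' line in the syntax shown above."""
    for zone in (from_zone, to_zone):
        # Zone names are pasted into a CLI line, so reject empties and whitespace.
        if not zone or any(ch.isspace() for ch in zone):
            raise ValueError(f"bad zone name: {zone!r}")
    src = ipaddress.ip_address(source)  # raises ValueError on a malformed address
    dst = ipaddress.ip_address(destination)
    if src.version != dst.version:
        raise ValueError("source and destination must be the same IP version")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if protocol.lower() not in PROTOCOLS:
        raise ValueError(f"unsupported protocol: {protocol!r}")
    return (f"test security-policy-match from {from_zone} to {to_zone} "
            f"source {src} destination {dst} "
            f"destination-port {port} protocol {PROTOCOLS[protocol.lower()]}")


def build_checks(flows):
    """Return (commands, errors); invalid rows are reported, never silently dropped."""
    commands, errors = [], []
    for index, flow in enumerate(flows):
        try:
            commands.append(policy_match_command(**flow))
        except (ValueError, TypeError, AttributeError) as exc:
            errors.append((index, str(exc)))
    return commands, errors


# Constructed sample flows; the third has a deliberately invalid source address.
SAMPLE_FLOWS = [
    dict(from_zone="trust", to_zone="untrust", source="10.1.1.1",
         destination="192.168.1.1", port=53, protocol="udp"),
    dict(from_zone="trust", to_zone="untrust", source="10.1.1.1",
         destination="192.168.1.1", port=443, protocol="tcp"),
    dict(from_zone="trust", to_zone="untrust", source="10.1.1.300",
         destination="192.168.1.1", port=53, protocol="udp"),
]

if __name__ == "__main__":
    cmds, errs = build_checks(SAMPLE_FLOWS)
    print("\n".join(cmds))
    for idx, msg in errs:
        print(f"# flow {idx} skipped: {msg}")
```

The generated lines are meant to be pasted into the firewall CLI in operational mode; the helper itself never connects to a device.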

Comment:

For monitoring performance, SNMP has interface counters and some other statistics in the MIB. Specifically, OID 1.3.6.1.4.1.25461.2.1.2.3.1 (panSessionUtilization) shows the session table utilization percentage (0-100), which is also visible via the CLI in “show session info”.

Palo Alto can do PCAP for debugging; see https://live.paloaltonetworks.com/docs/DOC-1529. This is not recommended for long-term use, as there is a significant performance impact from PCAP.
