Troubleshooting from the Command Line


Maybe the GUI is down, or you just want to capture troubleshooting information as text instead of a bunch of giant screenshots.


On the command line, Palo Alto is slightly different from Cisco: there is a separate “configure” mode, but not a separate “enable” mode. Below are the commands I use most often.


System jobs (commit, upgrade, etc):
show jobs all
show jobs processed
show jobs id 1

Session load:
show system statistics app
show system statistics session
show session info
show admins

HA Status:
show high-availability all
show high-availability state
show high-availability transitions

System and services status:
show operational-mode
show clock
show ntp
show system resources
show system environmentals

Network status:
show virtual-wire all
show interface all
show interface ethernet1/1
show interface hardware

Intrusive commands (these will change the state of a firewall: reboot, etc.):
request high-availability state suspend
request high-availability state functional
request restart system  (Performs a cold boot)

Other useful debugging commands:
test security-policy-match from trust to untrust source destination destination-port 53 protocol 17
tail dp0-log masterd.log

For monitoring performance, SNMP exposes interface counters and some other statistics in the MIB. Specifically, oid (panSessionUtilization) shows the session table utilization as a percentage (0-100), which is also visible via the CLI in “show session info”.
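When only the text capture is available, the same utilization figure can be pulled from saved “show session info” output. The following is an added example, not part of the original article: the sample capture is constructed, and the field labels and the 80% warning threshold are assumptions to adjust to your own output.

```python
import re

# Constructed sample of captured "show session info" text (not from a real device).
# The field labels are assumed to match the firewall's output; adjust if yours differ.
SAMPLE = """\
Number of sessions supported:                  262142
Number of active sessions:                     230000
Number of active TCP sessions:                 180000
Number of active UDP sessions:                 49000
Number of active ICMP sessions:                1000
Session table utilization:                     87%
"""

# Matches "Label:   <integer>" with an optional trailing percent sign.
FIELD = re.compile(r"^\s*([A-Za-z][^:]*?):\s+(\d+)\s*%?\s*$")

def parse_session_info(text):
    """Return {lower-cased label: int} for every 'Label: number' line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip().lower()] = int(m.group(2))
    return fields

def session_utilization(text):
    """Percentage 0-100: the reported value if present, else active/supported."""
    f = parse_session_info(text)
    if "session table utilization" in f:
        return f["session table utilization"]
    supported = f.get("number of sessions supported")
    active = f.get("number of active sessions")
    if not supported or active is None:
        # A truncated or empty capture must not be reported as 0% load.
        raise ValueError("capture has no session counters")
    return round(100 * active / supported)

def check(text, warn=80):
    """Return (status, percent); warn is a hypothetical alert threshold."""
    pct = session_utilization(text)
    return ("WARN" if pct >= warn else "OK", pct)

if __name__ == "__main__":
    print(check(SAMPLE))
```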

Palo Alto can do PCAP for debugging, see  This is not recommended for long-term use, as there is a significant performance impact from PCAP.
