Palo Alto Firewalls - Basic Command Line Parameters

The following are command line parameters that can be run on most Palo Alto firewalls today. 

Interfaces and Routes
Show full route table
show routing route
Display logical interfaces and configured zones
show interface logical
Show the virtual router applied to each interface
show routing interface
 
Sessions
List all sessions in the device
show session all
Display information about a particular session
show session id 1234
Show session table utilization and pipe the output to a match statement.
show session info | match utilization
 
Policies
Policies in Palo Alto firewalls are first match: the first rule that matches a flow is applied and later rules are not evaluated. Rules cannot be chained together, although negation is possible. FQDN objects may be used in a policy statement for outbound traffic. However, inbound statements with a FQDN object as a source IP address should never be used in firewall policies, because the match is only as trustworthy as the DNS answer the firewall resolved, and that resolution can lag behind or be manipulated.
Display FQDN resolutions and relevant TTLs that are currently used in a security policy
request system fqdn show
 
System Limits
Palo Alto allows the system limits to be displayed in a sysctl-like manner. Display all system configurations and limits using the following command:
show system state
Filter output to show all ethernet interface counters
show system state filter net.s1.eth*
Max system limits (good for displaying session limits and other policy/object limits)
show system state filter cfg.general.max*
 
Monitor Filters
Advanced monitor filters can be built by combining several filter statements with and/or.
Show traffic log entries to or from 10.40.134.169 between 14:25 and 14:45 on 2015/03/12.
( receive_time geq '2015/03/12 14:25:00' ) and ( receive_time leq '2015/03/12 14:45:00' ) and ( addr in 10.40.134.169 )
 
Testing Policies from the CLI
 
Routing
The test routing statement is useful when trying to determine the direction of traffic in the routing plane of the firewall. When running these commands, take note of the interface the traffic is routed towards. For example, default route traffic toward the outside zone should always point towards an external interface.
Validate the route to 8.8.8.8 in the outside virtual router.
test routing fib-lookup virtual-router outside-vr ip 8.8.8.8
Validate the outside router points towards the inside-vr for 10.17.8.1.
test routing fib-lookup virtual-router outside-vr ip 10.17.8.1
Validate the default route of the inside virtual router.
test routing fib-lookup virtual-router inside-vr ip 0.0.0.0
 
 
NAT Policy
NAT policies can be checked using test nat-policy-match. Here, we check the outbound NAT policy for an inside client reaching an outside host on TCP (protocol 6) port 80.
test nat-policy-match from inside to outside source 10.40.176.10 destination 163.192.13.10 destination-port 80 protocol 6
The running NAT policies can also be listed in the command line interface
show running nat-policy
 
Security Policy
The test command also applies to security policies in a similar manner as NAT policies.
Validate that SSL traffic is allowed from an inside client to an outside server.
test security-policy-match from inside to outside source 10.40.183.66 destination 4.3.2.1 destination-port 443 application ssl protocol 6
Check ICMP "echo request" (ping) from an inside client to Google's public DNS resolver.
test security-policy-match from inside to outside source 10.40.32.10 destination 8.8.8.8 application ping protocol 1
The running security policy can always be displayed from the command line interface.
show running security-policy
 
System Health
Interactively view the applications crossing the Palo Alto in a top-like output.
show system statistics applications
The same command can be used to view sessions. This is useful for monitoring concurrent sessions, throughput, etc.
show system statistics session
 
Show User-ID IP-to-user mappings with their remaining timeout (lease time)
show user ip-user-mapping-mp ip 0.0.0.0

Show connection state to the domain controllers monitored by User-ID
show user server-monitor state all

Show USER-ID clients
show user user-id-service client all

Show the last 10 entries of given log
tail lines 10 mp-log ms.log
tail lines 10 mp-log useridd.log

Follow the management-plane monitor log for CPU usage and memory
tail follow yes mp-log mp-monitor.log

Test security rules
test security-policy-match source <src-ip> destination <dst-ip> protocol <number>
test security-policy-match application twitter-posting source-user DOMAIN\USER destination 0.0.0.0 destination-port 80 source 0.0.0.0 protocol 6
test security-policy-match application google-analytics source-user DOMAIN\USER destination 0.0.0.0 destination-port 443 source 0.0.0.0 protocol 6
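As an added example (not from the page or from Palo Alto), a small Python harness that turns a table of expected flows into the test security-policy-match commands shown above and compares each parsed result with the action the operator intends, so policy drift (an inbound flow that should be denied but now matches an allow rule) is caught on every run. The output format it parses, the rule names, the addresses and the flows are assumptions constructed for the example; it takes captured command text and does not talk to a firewall itself.

```python
"""Added example (not from the page): regression check around test security-policy-match.
Renders the command per expected flow, parses captured output and flags action drift."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    name: str
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    protocol: int          # 6 = TCP, 17 = UDP, 1 = ICMP
    expect: str            # "allow" or "deny": what the operator intends
    port: int = 0          # 0 = omit destination-port (e.g. ICMP)
    application: str = ""  # "" = omit application

def build_command(f: Flow) -> str:
    """Render the CLI command in the same argument order the page uses."""
    opt = (f"destination-port {f.port} " if f.port else "") + \
          (f"application {f.application} " if f.application else "")
    return (f"test security-policy-match from {f.src_zone} to {f.dst_zone} "
            f"source {f.src} destination {f.dst} {opt}protocol {f.protocol}")

# ASSUMPTION: output is a block '"<rule>; index: N" { ... action <verb>; ... }'
# as recent PAN-OS releases print it; no block at all means nothing matched.
_RULE_RE = re.compile(r'^"([^";]+)(?:;[^"]*)?"\s*\{', re.M)
_ACTION_RE = re.compile(r'^\s*action\s+([a-z-]+)\s*;', re.M)

def parse_match(output: str) -> tuple:
    """Return (rule_name, 'allow'|'deny'); unmatched traffic is denied by default."""
    rule = _RULE_RE.search(output)
    if not rule:
        return ("<no match>", "deny")
    verb = _ACTION_RE.search(output)
    return (rule.group(1), "allow" if verb and verb.group(1) == "allow" else "deny")

def check_flows(flows, outputs) -> list:
    """Return (flow, expected, rule, actual) for each flow whose action drifted."""
    results = [(f.name, f.expect, *parse_match(outputs.get(f.name, ""))) for f in flows]
    return [r for r in results if r[3] != r[1]]

# Constructed sample flows and command outputs, not captured from a device.
FLOWS = [Flow("web-out", "inside", "outside", "10.40.183.66", "4.3.2.1", 6, "allow", 443, "ssl"),
         Flow("ping-dns", "inside", "outside", "10.40.32.10", "8.8.8.8", 1, "allow", 0, "ping"),
         Flow("inbound-ssh", "outside", "inside", "203.0.113.7", "10.40.183.66", 6, "deny", 22, "ssh")]
OUTPUTS = {"web-out": '"allow-web; index: 3" {\n    from inside;\n    action allow;\n}\n',
           "ping-dns": '"allow-ping; index: 5" {\n    action allow;\n}\n',
           "inbound-ssh": '"legacy-mgmt; index: 1" {\n    action allow;\n}\n'}  # should be deny
```

Run check_flows(FLOWS, OUTPUTS) after each policy change; any non-empty result is a rule whose effective action no longer matches intent.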
 
Comments 1

Guest - sak on Sunday, 05 November 2017 07:49

very good commands