Monday, September 19, 2022

Palo Alto: Useful CLI Commands

Background 

Founded in 2005 by security visionary Nir Zuk
Earlier, 2002-2005: CTO of NetScreen/Juniper
Before that, 2000-2002: founder and CTO of OneSecure – world's first IPS
Before that, 1994-1999: Principal Engineer at Check Point
Innovations: App-ID, User-ID (AD/Directory Service LDAP users can access certain sites), Content-ID (URL Filtering, anti-virus protection, Anti-Spyware, SSL Decrypt, Data Loss Prevention)
Builds Next Generation Firewalls that identify and control more than 3000 applications, which makes the firewall a strategic security device once again!

Strata PA-Series - ML Powered Next Generation Firewall - App-ID, User-ID, Content-ID, Device-ID
VM Series - Virtual Next-Generation Firewall - App-ID, User-ID, Content-ID, Device-ID
CN Series - Containerized Next Generation Firewall - App-ID, User-ID, Content-ID, Device-ID
Panorama - Firewall Management


Prisma Access - Secure Access - Service Edge
Prisma Cloud - Cloud Native Security Platform
Prisma SD-WAN

Cortex XDR - Extended Detection and Response
Cortex XSOAR
Expanse
Crypsis

Cloud Content Delivery Services (Content-ID)
DNS Security
Threat Prevention
URL Filtering
WildFire
IoT Security
GlobalProtect
SD-WAN
Data Loss Prevention
Prisma SaaS


Modules 
  1. Security Platform and Architecture
  2. Initial Configuration
  3. Interface Configuration
  4. Security and NAT Policies
  5. App-ID
  6. Content-ID
  7. URL Filtering
  8. Decryption
  9. WildFire
  10. User-ID
  11. GlobalProtect
  12. Site to Site VPNs
  13. Monitoring and Reporting
  14. Active/Passive High Availability
  15. Security Practices






Here is a list of useful CLI commands.  


cd "c:\Program Files\Palo Alto Networks\GlobalProtect"
PanGPS.exe -registerplap

General system health
show system info – provides the system's management IP, serial number and code version
show system statistics – shows the real-time throughput on the device
show system software status – shows whether various system processes are running
show jobs processed – used to see when commits, downloads, upgrades, etc. are completed
show system disk-space – shows percent usage of disk partitions
show system logdb-quota – shows the maximum log file sizes
debug dataplane internal vif link – shows management interface (eth0) counters


To monitor CPUs
show system resources – shows processes running in the management plane, similar to the “top” command
show running resource-monitor – used to see resource utilization in the data plane, such as dataplane CPU utilization
less mp-log mp-monitor.log – every 15 minutes the system runs a script to monitor management plane resource usage; the output is stored in this file
less dp-log dp-monitor.log – every 15 minutes the system runs a script to monitor dataplane resource usage; the output is stored in this file

General dropped packet troubleshooting
ping source <IP_addr_src_int> host <IP_addr_host> – ping from the specified FW source interface
ping host <IP> – ping from the MGT interface
show session all | match <text> – used to show specific sessions in the session table. You can enter any text after the word match; a good example would be a source or destination IP or an application
show session all filter destination <IP> destination-port <port> – shows all sessions going to a particular dest IP and port
show session id <ID> – shows the specifics behind a particular session by entering the ID number after the word "id"
show counter interface – shows interface counters
show counter global | match drop – used to troubleshoot dropped packets
show counter global filter delta yes | match [ drop | error | frag ] – shows counter changes since the last time this command was run, filtered on a particular keyword

NAT
show running nat-policy – shows the current NAT policy table
show running ippool – used to see if a NAT pool is leaking
test nat-policy-match – simulates traffic going through the device: what NAT policy will it match?

Routing
show routing route – displays the routing table
test routing fib-lookup virtual-router <VR_name> ip <IP_addr_trying_reach> – finds which route in the routing table will be used to reach the IP address you are testing

Policies
show running security-policy – shows the current policy set
test security-policy-match from trust to untrust destination <IP> – simulates a packet going through the system: which policy will it match?


PAN Agent
show user pan-agent statistics – used to see if the agent is connected and operational. Status should be "connected OK" and you should see numbers under users, groups and IPs.
show pan-agent user-IDs – used to see if the FW has pulled groups from the PAN Agent
show user ip-user-mapping all – used to see IP to username mappings on the FW
clear user-cache all – clears the User-ID cache
debug device-server reset pan-agent <name> – resets the firewall's connection to the specified agent

URL
test url <url or IP> – used to test the categorization of a URL on the FW
tail follow yes mp-log pan_bc_download.log – shows the BrightCloud database update logs
request url-filtering download status – shows the status of the database download (essentially the very last line of the pan_bc_download.log file)
debug dataplane show url-cache statistics – shows statistics on the URL cache
show counter global | match url – shows statistics on URL processing
clear url-cache – used to clear the URL cache; the cache contains 100k of the most popular URLs on this network
show log url direction equal backward – view the URL log, most recent entries first

To test connectivity to the BrightCloud servers:
 ping host service.brightcloud.com
 ping host database.brightcloud.com

Log viewing / deleting
show log [ system | traffic | threat ] direction equal backward – will take you to the end of the specified log
show log [ system | traffic | threat ] direction equal forward – will take you to beginning of the specified log
clear log [ traffic | threat | acc ] – clear everything in the specified log


Software, Content, and Licenses
To upgrade the software on the FW:
tftp import software from <IP_addr_tftp_server> file <filename>
request system software install file <filename>
request restart system
request system software [ info | check | download | install ] – manipulate PAN-OS software from the CLI

To upgrade the content on the FW:
tftp import content from <IP_addr_tftp_server> file <filename>
request content upgrade install file <filename>
request content downgrade install previous – downgrade to the previous content version
request system private-data-reset – clears config and logs/reports
debug swm [ status | list | revert ] – shows possible code to install, or code that was installed. "revert" is used to revert to the last running OS version without having to do a factory reset (such as from 4.0 back to 3.1)
request license info – shows the licenses installed on the device
delete license key ? – used to delete a license file if you are having issues and want to retrieve new licenses; use the question mark to list file names and only delete the files you see fit


Config diff/force/cli format
show config diff – compares two versions of the config
commit force – performs a commit even if there are errors
set cli config-output-format set – used to view the config in "set" format from within the configure prompt (#)

IPSec
To view detailed debug information for IPSec tunneling:
  1. debug ike global on debug
  2. less mp-log ikemgr.log

Misc
set deviceconfig setting session tcp-reject-non-syn no – used to ignore SYN when creating sessions; confirm the command took effect with show session info
set deviceconfig setting session offload no – makes all packets go through the CPU; otherwise all fastpath packets just go through the EZchip (turns off session offload to fastpath); confirm the command took effect with show session info
debug dataplane pool statistics – shows the different dataplane buffers and can be used to see if the system is nearing capacity in certain functionality


Palo Alto: How To Clear The ARP Cache

How do you clear the ARP cache?  This is not too hard.  Just SSH into the Palo Alto box.  Then run the command:

dk@PA-3020> clear arp all

All ARP entries are cleared.
dk@PA-3020>


I have an older PA-2050 that I'm having to do a factory reset on.  Below, you can see the output of what I had to do.  I simply reboot it and, during the 5 second window, type in "maint".

   Welcome to the PanOS Bootloader.

U-Boot 4.1.8.0-21 (Build time: Aug 27 2012 - 19:23:20)
BIST check passed.
KESTREL board revision major:2, minor:0, serial #: 0003C104442
OCTEON CN3120-CP pass 1.1, Core clock: 500 MHz, DDR clock: 265 MHz (530 Mhz data rate)
DRAM:  1024 MB
Clearing DRAM........ done
Using default environment

Flash: 64 MB
Net:   octeth0, octeth1, octeth2
 Bus 0 (CF Card): not available


USB:   (port 0) No USB devices found.



        Autoboot to default partition in 5 seconds.
        Enter 'maint' to boot to maint partition.

Entry: maint

Booting to maint mode.

Palo Alto: How To Determine What Ports Are 10 Gig Ports On Palo Alto PA-850 Series

What ports are 10Gig on the Palos?  Good question.  You can't tell by just looking at them, so you either know what they are or you do what I do: go into CLI and run the following command:

PA850-1(active)> show system state | match capability

cfg.capability.dfa.sw: 0x0
cfg.capability.regex.sw: 0x0
peer.cfg.capability.dfa.sw: 0x0
peer.cfg.capability.regex.sw: 0x0
sys.s1.ha1.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, ]
sys.s1.p1.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, ]
sys.s1.p10.capability: [ auto, 10Gb/s-full, ]
sys.s1.p11.capability: [ auto, 10Gb/s-full, ]
sys.s1.p12.capability: [ auto, 10Gb/s-full, ]
sys.s1.p2.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, ]
sys.s1.p3.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, ]
sys.s1.p4.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, ]
sys.s1.p5.capability: [ auto, 1Gb/s-full, ]
sys.s1.p6.capability: [ auto, 1Gb/s-full, ]
sys.s1.p7.capability: [ auto, 1Gb/s-full, ]
sys.s1.p8.capability: [ auto, 1Gb/s-full, ]
sys.s1.p9.capability: [ auto, 10Gb/s-full, ]

It looks like ports 9 - 12 are my 10Gig ports on the PA-850.
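Rather than reading the capability list by eye, the port speeds can be pulled out of that output programmatically. The script below is an added example, not part of the original post; it parses saved output of "show system state | match capability" (the sample is a subset of the PA-850 output quoted above) and reports which ports advertise 10Gb/s.

```python
"""Classify PAN-OS data ports by their fastest advertised link speed.

Added example (not from the original post): parses the text that
'show system state | match capability' prints and reports which
ports are 10 Gig, so the check can be scripted across many units.
"""
import re
from typing import Dict, List

# Sample output: a subset of the PA-850 session quoted in the post.
SAMPLE = """\
cfg.capability.dfa.sw: 0x0
peer.cfg.capability.regex.sw: 0x0
sys.s1.ha1.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, ]
sys.s1.p1.capability: [ auto, 10Mb/s-half, 10Mb/s-full, 100Mb/s-half, 100Mb/s-full, 1Gb/s-half, 1Gb/s-full, ]
sys.s1.p10.capability: [ auto, 10Gb/s-full, ]
sys.s1.p5.capability: [ auto, 1Gb/s-full, ]
sys.s1.p9.capability: [ auto, 10Gb/s-full, ]
"""

# sys.s<slot>.<port>.capability: [ mode, mode, ... ]
LINE_RE = re.compile(r"^sys\.s(\d+)\.(\w+)\.capability:\s*\[(.*)\]\s*$")
# e.g. 10Gb/s-full, 100Mb/s-half
SPEED_RE = re.compile(r"^(\d+)([MG])b/s-(half|full)$")
UNIT = {"M": 1, "G": 1000}


def max_speed_mbps(modes: str) -> int:
    """Fastest speed in Mb/s among the comma-separated modes; 0 if only 'auto'."""
    best = 0
    for token in (t.strip() for t in modes.split(",")):
        m = SPEED_RE.match(token)
        if m:
            best = max(best, int(m.group(1)) * UNIT[m.group(2)])
    return best


def port_speeds(text: str) -> Dict[str, int]:
    """Map each port name (e.g. 'p9', 'ha1') to its maximum advertised speed in Mb/s."""
    speeds: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # cfg.capability.* and peer.* lines are not ports and are skipped
            speeds[m.group(2)] = max_speed_mbps(m.group(3))
    return speeds


def ports_at_least(text: str, mbps: int) -> List[str]:
    """Data ports (pN) whose top speed is at least mbps, sorted by port number."""
    ports = [p for p, s in port_speeds(text).items() if p.startswith("p") and s >= mbps]
    return sorted(ports, key=lambda p: int(p[1:]))


if __name__ == "__main__":
    print("10 Gig ports:", ports_at_least(SAMPLE, 10000))
```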


Firewall Setup
Tunnel Interface
Phase 1 Crypto
Phase 2 Crypto




VPN Configuration
Proxy ID
Create Routes
Create Security Policy
Create Reverse Policy
Create Tunnel Interface
Check Tunnels

How Firewall works
Why we need it


Module 2
Administrative controls
Initial Access to the system
Configuration management
Licensing and software update
Account administration 
Viewing and filtering logs


2 ways to access PA-220
gui - https
cli - console, telnet 
uid: admin
password: admin

To reset to factory default (if you know the firewall admin password):
request system private-data-reset

If you do not know the admin password, you must place the firewall in maintenance mode:
at boot up time, type maint into the CLI through the console port;
at some point you can choose the action Reset to Factory Default


Console - uid/password admin
> configure
# set deviceconfig system type static
# set deviceconfig system ip-address 192.168.10.1 netmask 255.255.255.0
# commit

Module 3 Interface Configuration
Security Zones and interfaces
Tap interface
Virtual Wire interface
Layer 2 Interface
Layer 3 Interface
Virtual Router
Loopback Interface
Policy Based Forwarding


Module 4 Security and NAT Policies
Security policy fundamental concepts
Security policy Administration
Network Address Translation
Source NAT configuration
Destination NAT configuration
https://www.youtube.com/watch?v=poQphxWb2MQ


License /Register device/feature set allowed
Palo Alto Portal  https://support.paloaltonetworks.com/Support/Index
Login to Customer Support account 
Assets 


Management settings
<Device><setup><Management><General Settings> <gear>
hostname:
Domain:
Time 






More Palo Alto HA Cluster Installs

Palo Alto has a great firewall solution. It's one of two firewall vendors that I highly recommend to companies.

October Palo Alto 850 HA Install

Palo Alto Firewall: Testing PBF (Policy Based Forwarding) In CLI

PBR (or PBF as Palo calls it) is a really great feature.  Policy Based Forwarding (in the network world, we call it policy based routing) is a feature where you can control where packets go without using the routing table.  You set a destination based on certain parameters that you define (like source, protocol, etc.) and it catches this PBF policy BEFORE it hits the routing table.  Here is how you test it in CLI, to verify it works the way you want it to.

PA850-1(active)> test pbf-policy-match from L3-Inside application web-browsing source 192.168.1.5 destination 5.5.5.5 protocol 6 destination-port 443

"Exchange; index: 8" {
        id 9;
        from L3-Inside;
        source 192.168.1.5;
        destination any;
        user any;
        application/service  any/any/any/any;
        action Forward;
        symmetric-return no;
        forwarding-egress-IF/VSYS ethernet1/3;
        next-hop 68.68.68.68;
        terminal no;
}

Palo Alto Firewall: CLI Command To Verify Optic Module

Guys, real quick, if you need to check the SFP status to know if the Palo is seeing it or not, here is a CLI command to help you determine if it is.  The below is a Proline SFP.

killen@PA-850> show system state filter sys.s1.p9.phy

sys.s1.p9.phy: { 'link-partner': { }, 'media': SFP-Plus-Fiber, 'sfp': { 'connector': LC, 'encoding': 8B10B, 'identifier': SFP, 'transceiver': 1000B-SX, 'vendor-name': PROLINE         , 'vendor-part-number': PAN-SFP-SX-PRO  , 'vendor-part-rev': A3  , }, 'type': Ethernet, }

Palo Alto Firewall: PBF (Policy Based Forwarding) Testing In CLI

Did you know you can test your policy based forwarding yourself in CLI on the Palo Alto firewall?  You sure can.  Below, I'm testing my zone L3-Inside (my inside zone) to verify it will go out the Ethernet 1/3 port.  Based on the response below, it looks like it does work without having to involve the server guys.

killen@PA850-1(active)> test pbf-policy-match from L3-Inside application web-browsing source 192.168.5.5 destination 77.77.77.77 protocol 6 destination-port 443

"Exchange; index: 8" {
        id 9;
        from L3-Inside;
        source 192.168.5.5;
        destination any;
        user any;
        application/service  any/any/any/any;
        action Forward;
        symmetric-return no;
        forwarding-egress-IF/VSYS ethernet1/3;
        next-hop 65.65.65.65;
        terminal no;
}

allen@PA850-1(active)>
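Both PBF tests above end with the same question: does the matched rule really forward out ethernet1/3? The parser below is an added example (not code from the post) that turns the brace-delimited rule block printed by test pbf-policy-match into a dict so that check can be scripted; the sample text is the output quoted in the second test.

```python
"""Parse 'test pbf-policy-match' output and check the egress interface.

Added example (not from the post): converts the rule block that the PBF tests
above print into a dict, so a script can assert that traffic from L3-Inside
leaves via ethernet1/3 instead of someone reading the block by eye.
"""
import re
from typing import Dict, Optional

# Output quoted in the post for the second PBF test.
SAMPLE = '''"Exchange; index: 8" {
        id 9;
        from L3-Inside;
        source 192.168.5.5;
        destination any;
        user any;
        application/service  any/any/any/any;
        action Forward;
        symmetric-return no;
        forwarding-egress-IF/VSYS ethernet1/3;
        next-hop 65.65.65.65;
        terminal no;
}
'''

# The block header: "<rule name>; index: <n>" {
HEADER_RE = re.compile(r'^"([^"]+)"\s*\{\s*$')


def parse_pbf_match(text: str) -> Optional[Dict[str, str]]:
    """Return {'rule': header, '<key>': '<value>', ...}, or None if no rule block is present."""
    rule: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            rule = {"rule": m.group(1)}
            continue
        # Inside the block every field is '<key> <value>;'; skip the closing brace
        if rule is None or line == "}" or not line.endswith(";"):
            continue
        key, _, value = line[:-1].partition(" ")  # 'from L3-Inside' -> ('from', 'L3-Inside')
        rule[key] = value.strip()
    return rule


def egress_is(text: str, interface: str) -> bool:
    """True when the matched rule forwards out the given interface."""
    rule = parse_pbf_match(text)
    return (rule is not None and rule.get("action") == "Forward"
            and rule.get("forwarding-egress-IF/VSYS") == interface)


if __name__ == "__main__":
    print(parse_pbf_match(SAMPLE))
    print("egress ethernet1/3:", egress_is(SAMPLE, "ethernet1/3"))
```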


Palo Alto Firewall: Adding A Static Route In CLI

Real quick, I think this is useful for adding a lot of static routes into a Palo Alto.  SSH in and do this in CLI and type "configure".  Then type out the following:
set network virtual-router [name of virtual router i.e. default] routing-table ip static-route [name of route i.e. Shanes-Route] admin-dist 10 destination [network/subnet mask i.e 10.10.10.0/24] interface [name of interface to be used outgoing i.e. ethernet1/1] nexthop ip-address [next hop ip i.e. 4.4.4.4]

Add 50 or so of them from notepad at one time, then type in "commit".  
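When the routes come from a spreadsheet rather than being typed one by one, it is worth generating and validating the set lines before pasting them in. The script below is an added example (not the post's own code) that builds the exact command form shown above for each row of a small route table, rejecting prefixes with host bits set and malformed next hops; the route rows are constructed sample data.

```python
"""Generate PAN-OS static-route 'set' commands in bulk.

Added example (not the post's own code): builds the set command shown above for
every row of a small route table, validating prefix and next hop with the standard
library so a typo is caught before you paste 50 lines into 'configure' and commit.
ROUTES below is constructed sample data.
"""
import ipaddress
from typing import Iterable, List, Tuple

# (route name, destination prefix, egress interface, next-hop IP) - constructed sample rows
ROUTES: List[Tuple[str, str, str, str]] = [
    ("Shanes-Route", "10.10.10.0/24", "ethernet1/1", "4.4.4.4"),
    ("Branch-B", "10.20.0.0/16", "ethernet1/1", "4.4.4.4"),
]


def static_route_cmd(vr: str, name: str, dest: str, iface: str, nexthop: str,
                     admin_dist: int = 10) -> str:
    """Return one set command; raise ValueError if the prefix or next hop is malformed."""
    # strict=True rejects a prefix with host bits set (e.g. 10.10.10.5/24),
    # the classic copy/paste mistake in a long route list
    net = ipaddress.ip_network(dest, strict=True)
    nh = ipaddress.ip_address(nexthop)
    if net.version != 4 or nh.version != 4:
        raise ValueError(f"{name}: the 'routing-table ip' form shown here is IPv4 only")
    return (f"set network virtual-router {vr} routing-table ip static-route {name} "
            f"admin-dist {admin_dist} destination {net.with_prefixlen} "
            f"interface {iface} nexthop ip-address {nh}")


def is_valid_route(vr: str, name: str, dest: str, iface: str, nexthop: str) -> bool:
    """True when static_route_cmd would accept the row, False otherwise."""
    try:
        static_route_cmd(vr, name, dest, iface, nexthop)
    except ValueError:
        return False
    return True


def build_commands(vr: str, routes: Iterable[Tuple[str, str, str, str]]) -> List[str]:
    """Validate every row, then return the lines to paste into configure mode."""
    return [static_route_cmd(vr, *row) for row in routes]


if __name__ == "__main__":
    for line in build_commands("default", ROUTES):
        print(line)
    print("commit")
```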

Palo Alto Firewall: Verifying A Route In CLI

Real quick, how do you verify what interface a destination route goes out of the Palo Alto in CLI?  Here is what you do:
PA850-1(active)> test routing fib-lookup virtual-router vsys_router ip 192.168.1.5

--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router:   vsys_router
destination:      192.168.1.5
result:
  via 5.5.5.5 interface ethernet1/3, source 5.5.5.6, metric 10
--------------------------------------------------------------------------------

Right there it is.  It's ethernet1/3 in this case.  I wanted to know what interface 192.168.1.5 would be going out, and with the above command, it tells me.  Note that "vsys_router" is the virtual router you have defined for routing.  It may be default in your case, or whatever you named it.

SSL Decrypt
Most NGFWs have the ability to do SSL decryption, and it's a really good idea to do so.  Many attacks now come through encrypted packets, and they need to be inspected.  If you have the capability to do SSL decryption, you should be doing this.

Palo Alto Firewall: PA-200 Replacement

I went on-site to a consumer to replace a PA-200 that was having some issues. I got the software, global protect, and app and threats to the same version and then did a restore from a backup I had taken.  It's not a bad price process to go through.

Palo Alto Firewall: Upgrade From 7.1.x To 8.0.9 On HA Pair

Well, what should have been an easy upgrade turned ugly on me today. I've upgraded many Palo Altos in my career. What a great product. But today, I spent three hours working through a Palo that wouldn't boot up after the upgrade to 7.1.17. Thankfully, it was an HA pair and the customer didn't experience any real downtime.
After a factory reset, getting to the same software version and importing the config back in, we were back to its original state again. So with a download of the base 8.0 software and a download and install of 8.0.9 on both units, all is good.
What does that STS amber LED mean?  Well, it's still booting firewall services.  You can log in to the console, but you still may have to wait for a few minutes for all the services to come up.  You should see a "System initializing; please wait... (CTRL-C to bypass)" in the CLI during this time.  When the STS amber LED goes green, then you should be good to go for CLI config.
I had a unit that kept the amber LED on STS. I had to do a factory reset to overcome this problem.
I've been working on a pair of Palo Alto 3020s in HA mode.  I really like the Palo Alto firewall.  Don't get me wrong, I like "working" on most firewalls.  But Palo Alto (and Check Point) just ranks to me as the best on the market.  I've been consistent in saying this for sure.  And working on this cluster, I certainly recall why.
Just FYI, I have noticed in the past few years, it's been Palo Alto and Check Point at the top of the list for NGFWs.  For 2016, Gartner says that for sure.

NGFW 2016 Gartner Chart
This is interesting.  I have always believed Palo and CP were the leaders.  It still appears that way according to Gartner.


Palo Alto Firewall: Ping With A Source Address

Just a quick post today about ping in CLI.  You can use a particular source address of your choice that belongs to the Palo, should you need to.  Typically, you do need to if you are going across a VPN.  Here is the quick command, fill in your IPs of choice:

PA-3020> ping source 192.168.2.1 host 192.168.1.86

Ref https://www.shanekillen.com/search/label/Palo%20Alto%20Firewall