Saturday, September 6, 2025

CLI Cheat Sheet: HA

Use the following table to quickly locate commands for HA tasks.
If you want to ...
Use ...
  • View all HA cluster configuration content.
> show high-availability cluster all
  • View HA cluster flap statistics.
    Cluster flap count is reset when the HA device moves from suspended to functional and vice versa. Cluster flap count also resets when non-functional hold time expires.
> show high-availability cluster flap-statistics
  • View status of the HA4 interface.
> show high-availability cluster ha4-status
  • View status of the HA4 backup interface.
> show high-availability cluster ha4-backup-status
  • View information about the type and number of synchronized messages to or from an HA cluster.
> show high-availability cluster session-synchronization
  • View HA cluster state and configuration information.
> show high-availability cluster state
  • View HA cluster statistics, such as counts of received messages and of packets dropped for various reasons.
> show high-availability cluster statistics
  • Clear HA cluster statistics.
> clear high-availability cluster statistics
  • Clear session cache.
> request high-availability cluster clear-cache
  • Request full session cache synchronization.
> request high-availability cluster sync-from

CLI Cheat Sheet: User-ID

View all User-ID agents configured to send user mappings to the Palo Alto Networks device:
  • To see all configured Windows-based agents:
> show user user-id-agent state all
  • To see if the PAN-OS-integrated agent is configured:
> show user server-monitor state all
View how many log messages came in from syslog senders and how many entries the User-ID agent successfully mapped:
> show user server-monitor statistics
View the configuration of a User-ID agent from the Palo Alto Networks device:
> show user user-id-agent config name <agent-name>
View group mapping information:
> show user group-mapping statistics 
> show user group-mapping state all 
> show user group list 
> show user group name <group-name> 
View all user mappings on the Palo Alto Networks device:
> show user ip-user-mapping all
Show user mappings filtered by a username string (if the string includes the domain name, use two backslashes before the username):
> show user ip-user-mapping all | match <domain>\\<username-string>
Show user mappings for a specific IP address:
> show user ip-user-mapping ip <ip-address>
Show usernames:
> show user user-ids 
View the most recent addresses learned from a particular User-ID agent:
> show log userid datasourcename equal <agent-name> direction equal backward
View mappings from a particular type of authentication service:
> show log userid datasourcetype equal <authentication-service>
where <authentication-service> can be authenticate, client-cert, directory-server, exchange-server, globalprotect, kerberos, netbios-probing, ntlm, unknown, vpn-client, or wmi-probing.
For example, to view all user mappings from the Kerberos server, you would enter the following command:
> show log userid datasourcetype equal kerberos
View mappings learned using a particular type of user mapping:
> show log userid datasource equal <datasource>
where <datasource> can be agent, captive-portal, event-log, ha, probing, server-session-monitor, ts-agent, unknown, vpn-client, or xml-api.
For example, to view all user mappings from the XML API, you would enter the following command:
> show log userid datasource equal xml-api
Find a user mapping based on an email address:
> show user email-lookup 
+ base               Default base distinguished name (DN) to use for searches 
+ bind-dn            bind distinguished name 
+ bind-password      bind password 
+ domain             Domain name to be used for username 
+ group-object       group object class(comma-separated) 
+ name-attribute     name attribute 
+ proxy-agent        agent ip or host name. 
+ proxy-agent-port   user-id agent listening port, default is 5007 
+ use-ssl            use-ssl 
* email              email address 
> mail-attribute     mail attribute 
> server             ldap server ip or host name. 
> server-port        ldap server listening port 
For example:
> show user email-lookup base "DC=lab,DC=sg,DC=acme,DC=local" bind-dn "CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local" bind-password acme use-ssl no email user1@lab.sg.acme.local mail-attribute mail server 10.1.1.1 server-port 389
labsg\user1
Clear the User-ID cache:
> clear user-cache all
Clear a User-ID mapping for a specific IP address:
> clear user-cache ip <ip-address/netmask>

CLI Cheat Sheet: Device Management

If you want to...
Use...
General Commands
  • Show general system health information.
> show system info
  • Show percent usage of disk partitions. Include the optional files parameter to show information about inodes, which track file storage.
> show system disk-space files
  • Show the maximum log file size.
> show system logdb-quota
  • Show running processes.
> show system software status
  • Show processes running in the management plane.
> show system resources
  • Show resource utilization in the dataplane.
> show running resource-monitor
  • Show the licenses installed on the device.
> request license info
  • Show when commits, downloads, and/or upgrades are completed.
> show jobs processed
  • Show session information.
> show session info
  • Show information about a specific session.
> show session id <session-id>
  • Show the running security policy.
> show running security-policy
  • Show the authentication logs.
> less mp-log authd.log
  • Restart the device.
> request restart system
  • Show the administrators who are currently logged in to the web interface, CLI, or API.
> show admins
  • Show the administrators who can access the web interface, CLI, or API, regardless of whether those administrators are currently logged in.
    When you run this command on the firewall, the output includes local administrators, remote administrators, and all administrators pushed from a Panorama template. Remote administrators are listed regardless of when they last logged in.
> show admins all
  • Configure the management interface as a DHCP client.
    For a successful commit, you must include each of the parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname.
# set deviceconfig system type dhcp-client accept-dhcp-domain <yes|no> accept-dhcp-hostname <yes|no> send-client-id <yes|no> send-hostname <yes|no>

PAN-OS CLI Quick Start

To configure...
Start here...
MGT interface
# set deviceconfig system ip-address
admin password
# set mgt-config users admin password
DNS
# set deviceconfig system dns-setting servers
NTP
# set deviceconfig system ntp-servers
Interfaces
# set network interface
System settings
# set deviceconfig system
Zones
# set zone <name> 
# set vsys <name> zone <name> 
Security Profiles
HIP Objects/Profiles
URL Filtering Profiles
WildFire Analysis Profiles
# set profiles 
# set vsys <name> profiles 
# set shared profiles 
Server Profiles
# set server-profile 
# set vsys <name> server-profile 
# set shared server-profile 
Authentication Profiles
# set authentication-profile 
# set vsys <name> authentication-profile 
# set shared authentication-profile 
Certificate Profiles
# set certificate-profile 
# set vsys <name> certificate-profile 
# set shared certificate-profile 
Policy
# set rulebase 
# set vsys vsys1 rulebase 
Log Quotas
# set deviceconfig setting management quota-settings
User-ID
# set user-id-agent 
# set vsys <name> user-id-agent 
# set user-id-collector 
# set vsys <name> user-id-collector 
HA
# set deviceconfig high-availability
AutoFocus Settings
# set deviceconfig setting autofocus
WildFire Settings
# set deviceconfig setting wildfire
Panorama
# set deviceconfig system panorama-server
Restart
> request restart system