Common Palo Alto firewall commands for troubleshooting

Common commands

sg@fw(active)> show 
sg@fw(active)> request
sg@fw(active)> test
sg@fw(active)> configure

test example

sg@fw(active)> test http-server address google.com protocol HTTP

System info. Shows basic details such as IP address, model, and serial number.

sg@fw(active)> show system info

Routing

sg@fw(active)> show routing route
sg@fw(active)> show routing route destination 10.123.3.0/24

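Show NAT
For test nat-policy-match, protocol is the IP protocol number (6 = TCP) and the port is given with destination-port.

sg@fw(active)> show running nat-policy
sg@fw(active)> test nat-policy-match destination 116.xx.xx.xx source 10.123.5.23 protocol 6 destination-port 80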

ippool

sg@fw(active)> show running ippool
sg@fw(active)> show running global-ippool

ping & traceroute

sg@fw(active)> ping host 10.123.0.11
sg@fw(active)> ping source 10.123.2.201 host 10.123.0.11

sg@fw(active)> traceroute host 10.123.0.11
sg@fw(active)> traceroute source 10.123.2.201 host 10.123.0.11

Hyper-V: check the firewall VM's existing network adapter VLAN mode (access or trunk)

Get-VMNetworkAdapterVlan -VMName "pa-firewall"

Set the adapter to trunk mode

Set-VMNetworkAdapterVlan -VMName "pa-firewall" -Trunk -AllowedVlanIdList 1-200 -NativeVlanId 1
