Palo Alto Firewall CLI Commands

Hello,

Although we mostly use the web interface for Palo Alto firewall management and configuration, sometimes we also need to work on the command line. Besides the commands below, there is also a set of CLI commands used for Panorama. I will share those commands after the articles on Panorama installation and usage.

Device Management CLI Commands

Description Command
Show general system health information. > show system info
Show percent usage of disk partitions. > show system disk-space
Show the maximum log file size. > show system logdb-quota
Show running processes. > show system software status
Show processes running in the management plane. > show system resources
Show resource utilization in the dataplane. > show running resource-monitor
Show the licenses installed on the device. > request license info
Show when commits, downloads, and/or upgrades are completed. > show jobs processed
Show session information. > show session info
Show information about a specific session. > show session id <session-id>
Show the running security policy. > show running security-policy
Show the authentication logs. > less mp-log authd.log
Restart the device. > request restart system
Show the administrators who are currently logged in to the web interface, CLI, or API. > show admins
Show the administrators who can access the web interface, CLI, or API, regardless of whether they are currently logged in (on the firewall, the output includes both local administrators and those pushed from a Panorama template). > show admins all
Configure the management interface as a DHCP client (for a successful commit, you must include all four parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname). # set deviceconfig system type dhcp-client accept-dhcp-domain <yes|no> accept-dhcp-hostname <yes|no> send-client-id <yes|no> send-hostname <yes|no>
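As an added example (not from the original post), a small Python check over the output of `show system disk-space`, which lists partitions in df-style columns; the sample output and the thresholds are constructed for the example, and in practice the text would be captured from the firewall over SSH or the XML API.

```python
import re

# Constructed sample of `show system disk-space` output (df-style columns); values are made up.
SAMPLE_DISK_SPACE = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             3.8G  2.3G  1.4G  63% /
/dev/sda5             7.6G  3.0G  4.2G  42% /opt/pancfg
/dev/sda6             3.8G  1.9G  1.7G  53% /opt/panrepo
tmpfs                 2.0G   76M  1.9G   4% /dev/shm
/dev/sda8             118G  107G   11G  91% /opt/panlogs
"""

ROW_RE = re.compile(
    r"^(?P<fs>\S+)\s+(?P<size>\S+)\s+(?P<used>\S+)\s+(?P<avail>\S+)\s+"
    r"(?P<pct>\d+)%\s+(?P<mount>\S.*?)\s*$"
)


def parse_disk_space(text):
    """Parse df-style output into a list of dicts, one per partition."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # the header line (Use% is not numeric) and banners do not match
            rows.append({
                "filesystem": m["fs"],
                "mount": m["mount"],
                "use_pct": int(m["pct"]),
            })
    return rows


def check_thresholds(rows, default_pct=80, per_mount=None):
    """Return (mount, use_pct, limit) for partitions at or over their limit.
    per_mount gives a sensitive partition (e.g. /opt/panlogs, where full means
    lost traffic logs and a visibility gap) a stricter limit than default_pct."""
    per_mount = per_mount or {}
    alerts = []
    for r in rows:
        limit = per_mount.get(r["mount"], default_pct)
        if r["use_pct"] >= limit:
            alerts.append((r["mount"], r["use_pct"], limit))
    return alerts


if __name__ == "__main__":
    rows = parse_disk_space(SAMPLE_DISK_SPACE)
    for mount, pct, limit in check_thresholds(rows, per_mount={"/opt/panlogs": 75}):
        print(f"WARNING: {mount} at {pct}% (limit {limit}%)")
```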

Network CLI Commands

Description Command
Display the routing table > show routing route
Look at routes for a specific destination > show routing fib virtual-router <name> | match <x.x.x.x/Y>
Show the NAT policy table > show running nat-policy
Test the NAT policy > test nat-policy-match
Show NAT pool utilization > show running ippool and > show running global-ippool
Show IPSec counters > show vpn flow
Show a list of all IPSec gateways and their configurations > show vpn gateway
Show IKE phase 1 SAs > show vpn ike-sa
Show IKE phase 2 SAs > show vpn ipsec-sa
Show a list of auto-key IPSec tunnel configurations > show vpn tunnel
Show BFD profiles > show routing bfd active-profile [<name>]
Show BFD details > show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>]
Show BFD statistics on dropped sessions > show routing bfd drop-counters session-id <session-id>
Show counters of transmitted, received, and dropped BFD packets > show counter global | match bfd
Clear counters of transmitted, received, and dropped BFD packets > clear routing bfd counters session-id all | <1-1024>
Clear BFD sessions for debugging purposes > clear routing bfd session-state session-id all | <1-1024>
Set the native VLAN ID > set session pvst-native-vlan-id <vid>
Drop all STP BPDU packets > set session drop-stp-packet
Verify PVST+ BPDU rewrite configuration, native VLAN ID, and STP BPDU packet drop > show vlan all
Show the count of times the 802.1Q tag and PVID fields in a PVST+ BPDU packet do not match (look at the flow_pvid_inconsistent counter) > show counter global
Ping from the management (MGT) interface to a destination IP address > ping host <destination-ip-address>
Ping from a dataplane interface to a destination IP address > ping source <ip-address-on-dataplane> host <destination-ip-address>
Show network statistics > request netstat statistics yes

User-ID CLI Commands

View all User-ID agents configured to send user mappings to the Palo Alto Networks device:

To see all configured Windows-based agents:
> show user user-id-agent state all

To see if the PAN-OS-integrated agent is configured:
> show user server-monitor state all

View the configuration of a User-ID agent from the Palo Alto Networks device:
> show user user-id-agent config name <agent-name>

View group mapping information:
> show user group-mapping statistics
> show user group-mapping state all
> show user group list
> show user group name <group-name>

View all user mappings on the Palo Alto Networks device:
> show user ip-user-mapping all

Show user mappings filtered by a username string (if the string includes the domain name, use two backslashes before the username):
> show user ip-user-mapping all | match <domain>\\<username-string>

Show user mappings for a specific IP address:
> show user ip-user-mapping ip <ip-address>

Show usernames:
> show user user-ids

View the most recent addresses learned from a particular User-ID agent:
> show log userid datasourcename equal <agent-name> direction equal backward

View mappings from a particular type of authentication service:
> show log userid datasourcetype equal <authentication-service>

where <authentication-service> can be authenticate, client-cert, directory-server, exchange-server, globalprotect, kerberos, netbios-probing, ntlm, unknown, vpn-client, or wmi-probing.
For example, to view all user mappings from the Kerberos server, you would enter the following command:
> show log userid datasourcetype equal kerberos

View mappings learned using a particular type of user mapping:
> show log userid datasource equal <datasource>

where <datasource> can be agent, captive-portal, event-log, ha, probing, server-session-monitor, ts-agent, unknown, vpn-client, or xml-api.
For example, to view all user mappings from the XML API, you would enter the following command:
> show log userid datasource equal xml-api

Find a user mapping based on an email address:
> show user email-lookup
+ base Default base distinguished name (DN) to use for searches
+ bind-dn bind distinguished name
+ bind-password bind password
+ domain Domain name to be used for username
+ group-object group object class(comma-separated)
+ name-attribute name attribute
+ proxy-agent agent ip or host name.
+ proxy-agent-port user-id agent listening port, default is 5007
+ use-ssl use-ssl
* email email address
> mail-attribute mail attribute
> server ldap server ip or host name.
> server-port ldap server listening port

For example:
> show user email-lookup base "DC=lab,DC=sg,DC=acme,DC=local" bind-dn "CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local" bind-password acme use-ssl no email [email protected] mail-attribute mail server server-port 389

Clear the User-ID cache:
> clear user-cache all

Clear the User-ID mapping for a specific IP address:
> clear user-cache ip <ip-address/netmask>
