admin@PA-VM#set deviceconfig system ip-address netmask default-gateway dns-setting servers primary

If you have every worked on any
Juniper Box with JUNOS CLI, you will feel at home when working on Palo
Alto Firewall Appliance....

Operational Mode and Configuration Modes

username@hostname> (Operational mode)

username@hostname> configure

Entering configuration mode


username@hostname# (Configuration mode)

Moving between Modes

up—changes the context to one level up in the hierarchy.


[edit network interface] (network level)

@abce# up

[edit network]

username@hostname# (now at the network level)

top—changes context to the top level of the hierarchy.


[edit network interface vlan] (network vlan level)

username@hostname# top


username@hostname# (now at network vlan level)

Changing modes

username@hostname# exit

Software Version, Mgmt Address etc.

dmin@PA-VM> show system info


admin@PA-VM> show system info | match model

model: PA-VM

Find commands with following keyword

username@hostname# find command keyword hsm

Restart Appliance

>request restart system

Show Configuration Hierarchy

username@hostname# show network interface ethernet

ethernet {

  ethernet1/1 {



  ethernet1/2 {



  ethernet1/3 {

    layer2 {

    units {









Configure IP Address to a given Port

IP address/netmask to the Layer 3 interface for the Ethernet port ethernet1/4:


username@hostname# set network interface ethernet ethernet1/4 layer3 ip10.1.1.12/24

Check pending changes (uncommitted)

username@hostname# check pending-changes

Saves a snapshot of the firewall configuration or the device state files

username@hostname# save config to savefile

Get Hw Address of Interfaces

show system state | match hwaddr

Routing Table

> show routing route

Show running-configuration



admin@PA-VM> less mp-log  ? (you will see all possible logs)

Packet Capture:-

admin@PA-VM> debug dataplane packet-diag set log on 

admin@PA-VM> debug dataplane packet-diag set filter on

admin@PA-VM> debug dataplane packet-diag set filter match source <ip Address>

Removing Filters

If setting command shows two filters configured and we want to remove on of them, then we can use

admin@PA-VM> debug dataplane packet-diag clear filter <filter number>

Export pcap file

scp export filter-pcap from <file> to <SCP_serv>

Viewing Packet Hitting Filter in live mode

admin@PA-VM> view-pcap follow yes filter-pcap test1_capture 

Show Packet Capture Setting

admin@PA-VM> debug dataplane packet-diag show setting

Management Traffic Capture:-

Their Mgmt Interface is eth0

admin@PA-VM> tcpdump filter "dst"

Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes


11 packets captured

22 packets received by filter

0 packets dropped by kernel

admin@PA-VM> tcpdump filter "dst"

admin@PA-VM> view-pcap mgmt-pcap mgmt.pcap

Show all Sessions

>show session all

'업무이야기 > PaloAlto' 카테고리의 다른 글

Palo Alto Firewall Appliance PA-VM - Useful Commands  (0) 2018.05.08