PAN-OS CLI Quick Start
  • PAN-OS CLI Quick Start
  • All PAN-OS Documentation
  • All Documentation
PAN-OS CLI Quick Start
: Modify the Configuration
Focus
Download PDF
Focus
  1. Home
  2. PAN-OS
  3. PAN-OS CLI Quick Start
  4. Use the CLI
  5. Modify the Configuration
Download PDF

PAN-OS CLI Quick Start

Modify the Configuration

Table of Contents
End-of-Life (EoL)

Modify the Configuration

You can also modify the device configuration from the CLI using the set, delete, and edit commands (if your administrative role has a Privilege Level that allows you to write to the configuration). In most cases you must be in Configure mode to modify the configuration.
  • To change the value of a setting, use a set command. For example, to configure an NTP server, you would enter the complete hierarchy to the NTP server setting followed by the value you want to set:
    admin@PA-3060# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address pool.ntp.org
    To target a command to a specific virtual system (vsys), enter the following operational mode command: set system setting target-vsys <vsys-name>. To go back to issuing commands that apply to the firewall instead of the targeted vsys, use set system target-vsys none.
  • To change to a different location in the configuration hierarchy and/or to modify a setting, use the edit command. The edit commands are very similar to the set commands, except that when you enter an edit command, you switch context to the corresponding node in the command hierarchy. This can be useful if you need to enter several commands in a node that is nested far down in the command hierarchy. For example, if you want to configure all of the NTP server settings, instead of entering the full command syntax each time using the set command, you could use the edit command to move to the ntp-servers node as follows:
    [edit] 
admin@PA-3060# edit deviceconfig system ntp-servers 
[edit deviceconfig system ntp-servers] 
admin@PA-3060#
    Notice that when you enter the command, your new location in the command hierarchy is displayed. You can now use the set command to configure the NTP server settings without entering the entire command hierarchy:
    admin@PA-3060# set secondary-ntp-server ntp-server-address 10.1.2.3
    Use the up command to move up a level in the command hierarchy. Use the top command to move back to the top of the command hierarchy.
  • To delete an existing configuration setting, use a delete command. For example, to delete the secondary NTP server address, you would enter the following command:
    admin@PA-3060# delete deviceconfig system ntp-servers secondary-ntp-server ntp-server-address
    When deleting configuration settings or objects using the CLI, the device does not check for dependencies like it does in the web interface. Therefore, when you use delete from the CLI, you must manually search the configuration for other places where the configuration object might be referenced. For example, before you delete an application filter group named browser-based business, you should search the CLI for that value to see if it is used anywhere in profiles or policies, using the following command:
    admin@PA-3060> show config running | match "browser-based business"
    Notice that because the object you are matching on has a space in it, you must enclose it in quotation marks.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.