Next-Generation Firewall
Get Help on Command Syntax
Access built-in help and syntax information for PAN-OS CLI commands to understand proper usage and parameters.
Where Can I Use This? | What Do I Need? |
---|---|
NGFW (Managed by PAN-OS or Panorama) | |
After you Find a Command, you can get help on the specific command syntax by
using the built-in CLI help. To get help, enter a ? at any level of the
hierarchy.
Get Help on a Command
Use CLI help features to display detailed information, options, and usage
examples for specific PAN-OS commands.
For example, suppose you want to configure the primary DNS server settings on the
Palo Alto Networks device. Using find command keyword with
dns as the keyword value, you already know that the
command is set deviceconfig system dns-setting, but you’re
not exactly sure how to use the command to set the primary DNS server setting. In
this case, enter as much of the command as you know (or start typing it
and press Tab for automatic command completion), and then add a question mark at the
end of the line before pressing Enter, like this:
username@hostname# set deviceconfig system dns-setting ?
> dns-proxy-object Dns proxy object to use for resolving fqdns
> servers Primary and secondary dns servers
<Enter> Finish input
Notice that the question mark doesn’t appear in the command line when you type it,
but a list of the available commands appears. You can continue getting syntactical
help all through the hierarchy:
username@hostname# set deviceconfig system dns-setting servers ?
+ primary Primary DNS server IP address
+ secondary Secondary DNS server IP address
<Enter> Finish input
username@hostname# set deviceconfig system dns-setting servers primary ?
<ip> <ip>
Use the Tab key in the middle of entering a command and the command will
automatically complete, provided there are no other commands that match the
letters you have typed thus far. For example, if you type set
dev and then press Tab, the CLI will recognize that the command
you are entering is deviceconfig and automatically finish
populating the command line.
Interpret the Command Help
Understand the format and symbols used in PAN-OS CLI help output to effectively
use command syntax and options.
Use the following table to help interpret the command options you see when you use
the ? to get help.
Symbol
|
Description
|
---|---|
*
|
Indicates that the option is required.
For example, when importing a configuration over secure copy
(SCP), specifying the from parameter is
required, as indicated by the * from
notation.
username@hostname> scp import configuration ?
+ remote-port SSH port number on remote host
+ source-ip Set source address to specified interface address
* from Source (username@host:path)
|
>
|
Indicates that there are additional nested commands.
For example, when configuring DNS settings, there are additional
nested commands for configuring a DNS proxy object and for
specifying primary and secondary DNS servers:
username@hostname# set deviceconfig system dns-setting ?
> dns-proxy-object Dns proxy object to use for resolving fqdns
> servers Primary and secondary dns servers
<Enter> Finish input
|
+
|
Indicates that the option has an associated value that you must
enter.
For example, when setting up a high availability configuration,
notice that the + enabled
notation indicates that you must supply a value for this
option:
username@hostname# set deviceconfig high-availability ?
+ enabled enabled
> group HA group configuration
> interface HA interface configuration
<Enter> Finish input
Getting help for the enabled option shows that you must enter a value of yes or no:
admin@PA-3060# set deviceconfig high-availability enabled ?
no no
yes yes
|
|
|
Allows you to filter command output. You can either specify a
match value, which will only show
command output that matches the value you specify, or you can
specify an except value, which will only
show command output except for the value you specify.
For example, use the | match option to
display only the app-version in the output of the show system
info command:
username@hostname> show system info | match app-version
app-version: 8087-5126
Similarly, to show all users in your group lists who are not part
of your organization, you should show the user group list, but
exclude the organizational unit (ou) for your organization.
Notice that, although there are a total of 4555 user-to-group
mappings, with the | except filter you
can easily see the small list of users who are part of external
groups:
username@hostname> show user group list | except ou=acme
cn=sap_globaladmin,cn=users,dc=acme,dc=local
cn=dnsupdateproxy,ou=admin groups,ou=administrator accounts,dc=acme,dc=local
cn=dhcp administrators,ou=admin groups,ou=administrator accounts,dc=acme,dc=local
cn=helpservicesgroup,cn=users,dc=acme,dc=local
cn=exchange domain servers,cn=users,dc=acme,dc=local
cn=network configuration operators,cn=builtin,dc=acme,dc=local
cn=dhcp users,ou=admin groups,ou=administrator accounts,dc=acme,dc=local
cn=exchange windows permissions,ou=microsoft exchange security groups,dc=acme,dc=local
cn=wins users,cn=users,dc=acme,dc=local
cn=enterprise read-only domain controllers,cn=users,dc=acme,dc=local
cn=print-server-admins,ou=admin groups,ou=administrator accounts,dc=acme,dc=local
cn=telnetclients,cn=users,dc=acme,dc=local
cn=servicenowpasswordreset,ou=admin groups,ou=administrator accounts,dc=acme,dc=local
cn=delegated setup,ou=microsoft exchange security groups,dc=acme,dc=local
Total: 4555
* : Custom Group
</result></response>
username@hostname>
|
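The symbol table above, applied as a parser: this is an added example, not part of the PAN-OS documentation. It classifies each line of ? help output by its leading marker and reports required (*) options that a command line leaves out. The names HelpEntry, parse_help and missing_required are hypothetical, and the sample input is modelled on the scp example on this page.

```python
import re
from dataclasses import dataclass

# Marker meanings taken from the symbol table above.
MARKERS = {"*": "required", ">": "nested", "+": "value"}

@dataclass
class HelpEntry:
    kind: str          # required | nested | value | finish | choice
    name: str
    description: str

def parse_help(output: str) -> list[HelpEntry]:
    """Parse the lines printed after '<command> ?' into typed entries."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        # Skip blank lines and the echoed prompt line (user@host> or user@host#).
        if not line or re.match(r"^\S+@\S+[>#]", line):
            continue
        if line.startswith("<Enter>"):
            entries.append(HelpEntry("finish", "<Enter>", line[7:].strip()))
            continue
        head, _, rest = line.partition(" ")
        if head in MARKERS:
            name, _, desc = rest.strip().partition(" ")
            entries.append(HelpEntry(MARKERS[head], name, desc.strip()))
        else:
            # No marker: a literal choice such as 'yes yes' or '<ip> <ip>'.
            entries.append(HelpEntry("choice", head, rest.strip()))
    return entries

def missing_required(command: str, entries: list[HelpEntry]) -> list[str]:
    """Return required (*) option names that the command line does not use."""
    words = command.split()
    return [e.name for e in entries if e.kind == "required" and e.name not in words]

# Constructed sample input, modelled on the scp example on this page.
SCP_HELP = """\
username@hostname> scp import configuration ?
+ remote-port SSH port number on remote host
+ source-ip Set source address to specified interface address
* from Source (username@host:path)
"""

if __name__ == "__main__":
    parsed = parse_help(SCP_HELP)
    for entry in parsed:
        print(f"{entry.kind:9} {entry.name:12} {entry.description}")
    print(missing_required("scp import configuration remote-port 22", parsed))
```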