CLI Cheat Sheet: Panorama

End-of-Life (EoL)

Use the following commands on Panorama to perform common configuration and monitoring tasks for the Panorama management server (M-Series appliance in Panorama mode), Dedicated Log Collectors (M-Series appliances in Log Collector mode), and managed firewalls.
To view system information about a Panorama virtual appliance or M-Series appliance (for example, job history, system resources, system health, or logged-in administrators), see CLI Cheat Sheet: Device Management.
An M-Series appliance in Log Collector mode (a Dedicated Log Collector) has no web interface for administrative access, only a command line interface (CLI).
If you want to . . .
Use . . .
M-Series Appliance Mode of Operation (Panorama, Log Collector, or PAN-DB Private Cloud Mode)
Switching the mode reboots the M-Series appliance, deletes any existing log data, and deletes all configurations except the management access settings.
  • Display the current operational mode.
      > show system info | match system-mode
  • Switch from Panorama mode to Log Collector mode.
      > request system system-mode logger
  • Switch from Panorama mode to PAN-DB private cloud mode (M-500 appliance only).
      > request system system-mode panurldb
  • Switch an M-Series appliance from Log Collector mode or PAN-DB private cloud mode (M-500 appliance only) to Panorama mode.
      > request system system-mode panorama
  • Switch the Panorama virtual appliance from Legacy mode to Panorama mode.
      > request system system-mode panorama
  • Switch the Panorama virtual appliance from Panorama mode to Legacy mode.
      > request system system-mode legacy
Panorama Management Server
  • Change the output for show commands to a format that you can run as CLI commands.
      > set cli config-output-mode set
    The following is an example of the output for the show device-group command after setting the output format:
      # show device-group branch-offices
      set device-group branch-offices devices
      set device-group branch-offices pre-rulebase
      ...
  • Enable or disable the connection between a firewall and Panorama. You must enter this command from the firewall CLI.
      > set panorama [off | on]
  • Synchronize the configuration of M-Series appliance high availability (HA) peers.
      > request high-availability sync-to-remote [running-config | candidate-config]
  • Reboot multiple firewalls or Dedicated Log Collectors.
      > request batch reboot [devices | log-collectors] <serial-number>
  • Change the interval in seconds (default is 10; range is 5 to 60) at which Panorama polls devices (firewalls and Log Collectors) to determine the progress of software or content updates. Panorama displays the progress when you deploy the updates to devices. Decreasing the interval makes the progress report more accurate but increases traffic between Panorama and the devices.
      > set dlsrvr poll-interval <5-60>
Device Groups and Templates
  • Show the history of device group commits, status of the connection to Panorama, and other information for the firewalls assigned to a device group.
      > show devicegroups name <device-group-name>
  • Show the history of template commits, status of the connection to Panorama, and other information for the firewalls assigned to a template.
      > show templates name <template-name>
  • Show all the policy rules and objects pushed from Panorama to a firewall. You must enter this command from the firewall CLI.
      > show config pushed-shared-policy
  • Show all the network and device settings pushed from Panorama to a firewall. You must enter this command from the firewall CLI.
      > show config pushed-template
Log Collection
  • Show the current rate at which the Panorama management server or a Dedicated Log Collector receives firewall logs.
      > debug log-collector log-collection-stats show incoming-logs
  • Show the quantity and status of logs that Panorama or a Dedicated Log Collector forwarded to external servers (such as syslog servers) as well as the auto-tagging status of the logs. Tracking dropped logs helps you troubleshoot connectivity issues.
      > debug log-collector log-collection-stats show log-forwarding-stats
  • Show status information for log forwarding to the Panorama management server or a Dedicated Log Collector from a particular firewall (such as the last received and generated log of each type).
    When you run this command at the firewall CLI (skip the device <firewall-serial-number> argument), the output also shows how many logs the firewall has forwarded.
      > show logging-status device <firewall-serial-number>
  • Clear logs by type.
    Running this command on the Panorama management server clears logs that Panorama and Dedicated Log Collectors generated, as well as any firewall logs that the Panorama management server collected. Running this command on a Dedicated Log Collector clears the logs that it collected from firewalls.
      > clear log [acc | alarm | config | hipmatch | system]
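
The mode-switch, clear log, batch reboot, and set panorama entries above are the commands on this page that delete data, reboot devices, or cut a firewall off from Panorama, so they are the ones worth flagging when reviewing a recorded CLI session. The following Python script is an added example, not part of the Palo Alto Networks documentation; the `user@host>` session-record format, host names, serial numbers, and severity labels are assumptions made for the example.

```python
import re

# Patterns come from the commands on this page; severity labels are this
# example's assumption. Impact text paraphrases the page's descriptions.
RULES = [
    (r"request system system-mode (logger|panurldb|panorama|legacy)", "critical",
     "mode switch (M-Series: reboot, log data and most configuration deleted)"),
    (r"clear log (acc|alarm|config|hipmatch|system)", "high",
     "clears stored logs of that type"),
    (r"request batch reboot (devices|log-collectors)\b.*", "high",
     "reboots multiple firewalls or Dedicated Log Collectors"),
    (r"set panorama off", "high",
     "disables the connection between a firewall and Panorama"),
]

def normalize(line):
    """Drop a leading prompt ('>', '#', 'user@host>') and collapse whitespace."""
    line = re.sub(r"^\s*(\S+@\S+)?[>#]\s*", "", line)
    return " ".join(line.split())

def classify(line):
    """Return (severity, impact) for a disruptive command, else None."""
    cmd = normalize(line)
    for pattern, severity, impact in RULES:
        # fullmatch, not substring search: 'show system info | match system-mode'
        # mentions system-mode but only reads it.
        if re.fullmatch(pattern, cmd):
            return severity, impact
    return None

def audit(transcript):
    """Return (line_number, severity, command, impact) for each flagged line."""
    findings = []
    for number, line in enumerate(transcript.splitlines(), start=1):
        hit = classify(line)
        if hit:
            findings.append((number, hit[0], normalize(line), hit[1]))
    return findings

# Constructed session record; host names and serial numbers are made up.
SAMPLE = """\
admin@panorama1> show system info | match system-mode
admin@panorama1> request system system-mode logger
admin@panorama1>   clear   log   config
admin@fw01> set panorama on
admin@fw01> set panorama off
admin@panorama1> request batch reboot log-collectors 000000000001
admin@panorama1> show logging-status device 000000000002
"""

if __name__ == "__main__":
    for number, severity, command, impact in audit(SAMPLE):
        print(f"line {number}: [{severity}] {command} -> {impact}")
```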