>
    Strata Copilot
    CLI Cheat Sheet: Networking
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. CLI Cheat Sheet: Networking
    Download PDF
    Next-Generation Firewall

    CLI Cheat Sheet: Networking

    Table of Contents

    CLI Cheat Sheet: Networking

    Important CLI commands for PAN-OS network configuration including interfaces, routing, VLANs, and network troubleshooting.
    Where Can I Use This?What Do I Need?
    NGFW (Managed by PAN-OS or Panorama)
    • No prerequisites needed
    Use the following table to quickly locate commands for common networking tasks:
    If you want to . . .
    Use . . .
    General Routing Commands
    • Display the routing table
    		 
    > show routing route
    • Look at routes for a specific destination
    		 
    > show routing fib virtual-router <name> | match <x.x.x.x/Y>
    • Change the ARP cache timeout setting from the default of 1800 seconds.
    		 
    > set system setting arp-cache-timeout <60-65536>
    • View the ARP cache timeout setting.
    		 
    > show system setting arp-cache-timeout
    AE Interfaces
    • On PA-7050 and PA-7080 firewalls that have an aggregate interface group of interfaces located on different line cards, implement proper handling of fragmented packets that the firewall receives on multiple interfaces of the AE group.
    		 
    > set ae-frag redistribution-policy hash
    NAT
    • Show the NAT policy table
    		 
    > show running nat-policy
    • Test the NAT policy
    		 
    > test nat-policy-match
    • Show NAT pool utilization
    		 
    > show running ippool 
> show running global-ippool
    IPSec
    • Show IPSec counters
    		 
    > show vpn flow
    • Show a list of all IPSec gateways and their configurations
    		 
    > show vpn gateway
    • Show IKE phase 1 SAs
    		 
    > show vpn ike-sa
    • Show IKE phase 2 SAs
    		 
    > show vpn ipsec-sa
    • Show a list of auto-key IPSec tunnel configurations
    		 
    > show vpn tunnel
    • Set IPSec mode
    		 
    > set network tunnel ipsec <name_of_tunnel> ipsec-mode [tunnel | transport]
    LSVPN (PAN-OS 11.0.1 and later releases)
    • (Portal) Change the current satellite cookie expiration time
    		 
    > request global-protect-portal set-satellite-cookie-expiration value <0-5>
    • (Portal) Show current satellite cookie expiration time
    		 
    > show global-protect-portal satellite-cookie-expiration
    • (Satellite) Display current satellite authentication cookie's generation time
    		 
    > show global-protect-satellite satellite
    LSVPN (Serial number and IP Address Authentication Method) (PAN-OS 11.1.3 and later releases)
    • (Portal) Add a new satellite device IP address to the satellite IP allow list
    		 
    >  set global-protect global-protect-portal portal <portal_name> satellite-serialnumberip-auth satellite-ip-allowlist entry <value>
    Where <value> is the IPv4 address, IPv6 address, IP range, or IP subnet of the new satellite device you want to add.
    • (Portal) Exclude a specific range of IP address from the satellite-ip-allowlist that you don't wish to configure as a satellite
    		 
    >  set global-protect global-protect-portal portal <portal_name> satellite-serialnumberip-auth satellite-ip-exclude-from range <ip-address> exclude-list <value>
    Where satellite-ip-exclude-from range <ip-address> is the IPv4 or IPv6 subnet or range of the IP address that you want to exclude from configuring as a satellite device. The IP address that you want to exclude must be within the IP address range that you configured in the satellite-ip-allowlist.
    • (Portal) Configure retry interval for serial number and IP address authentication in case of failure
    		 
    >  set global-protect global-protect-portal portal <name> satellite-serialnumberip-auth retry-interval <5-8600>
    The retry interval range is 5 to 86,400 seconds and the default value is 5 seconds.
    • (Portal) Enable the serial number and IP address authentication method on the firewall that is configured as a portal. By default this method is disabled.
    		 
    > set global-protect-portal satellite-serialnumberip-auth enable
    • (Portal) Disable serial number and IP address authentication method on the firewall that is configured as a portal
    		 
    > set global-protect-portal satellite-serialnumberip-auth disable
    • (Portal) View all the information related to the serial number and IP address authentication method 
    > show global-protect-portal global-protect-portal <name> satellite-serialnumberip-auth all
    • (Portal) View if the serial number and IP address authentication method is enabled or disabled on the firewall that is configured as a portal
    		 
    > show global-protect-portal satellite-serialnumberip-auth status
    • (Portal) View the serial number and IP address retry interval configured on the portal
    		 
    > show global-protect-portal global-protect-portal portal <name> satellite-serialnumberip-auth retry-interval
    • (Portal) View all the allowed satellite device IP addresses configured on the portal
    		 
    > show global-protect-portal global-protect-portal portal <name> satellite-serialnumberip-auth satellite-ip-allowlist
    • (Portal) Delete a satellite device IP address from the satellite IP list on the portal
    		 
    > delete global-protect global-protect-portal portal <portal_name> satellite-ip-list allowlist-entry ip-address <value>
    Where <value> is the IPv4 address, IPv6 address, IP range, or IP subnet of the satellite device you want to delete.
    • (Portal) Delete a satellite device IP address from the satellite IP exclude list on the portal
    		 
    > delete global-protect global-protect-portal portal <portal_name>
satellite-ip-list excludelist-entry ip <value>
    Where <value> is the IPv4 address, IPv6 address, IP range, or IP subnet of the satellite device you want to delete from the exclude list entry.
    • (Portal) Delete all the satellite devices IP address from the satellite IP list on the portal. Executing this command is equal to not configuring any satellite IP address on the portal.
    		 
    > delete global-protect global-protect-portal portal <name> satellite-ip-allowlist satellite-ip-allowlist-all
    BFD
    • Show BFD profiles
    		 
    > show routing bfd active-profile [<name>]
    • Show BFD details
    		 
    > show routing bfd details [interface <name>] [local-ip <ip>] [multihop][peer-ip <ip>] [session-id] [virtual-router <name>]
    • Show BFD statistics on dropped sessions
    		 
    > show routing bfd drop-counters session-id <session-id>
    • Show counters of transmitted, received, and dropped BFD packets
    		 
    > show counter global | match bfd
    • Clear counters of transmitted, received, and dropped BFD packets
    		 
    > clear routing bfd counters session-id all | <1-1024>
    • Clear BFD sessions for debugging purposes
    		 
    > clear routing bfd session-state session-id all | <1-1024>
    PVST+
    • Set the native VLAN ID
    		 
    > set session pvst-native-vlan-id <vid>
    • Drop all STP BPDU packets
    		 
    > set session drop-stp-packet
    • Verify PVST+ BPDU rewrite configuration, native VLAN ID, and STP BPDU packet drop
    		 
    > show vlan all
    • Show counter of times the 802.1Q tag and PVID fields in a PVST+ BPDU packet do not match
    > show counter global
    Look at the flow_pvid_inconsistent counter.
    Troubleshooting
    • Ping from the management (MGT) interface to a destination IP address
    		 
    > ping host <destination-ip-address>
    • Ping from a dataplane interface to a destination IP address
    		 
    > ping source <ip-address-on-dataplane> host <destination-ip-address>
    • Show network statistics
    		 
    > show netstat statistics yes
    Advanced Routing
    • View FIB table entries
    		 
    > show advanced-routing fib
    > show advanced-routing fib afi <ipv4|ipv6|both>
    > show advanced-routing fib ecmp <no|yes>
    • View RIB entries
    		 
    > show advanced-routing route
    > show advanced-routing route afi <ipv4|ipv6|both>
    > show advanced-routing route destination <ip/netmask>
    > show advanced-routing route logical-router  <logical-router-name>
    > show advanced-routing route type <bgp|connect|ospf|ospfv3|static>
    • View interface information
    		 
    > show advanced-routing logical-router <logical-router-name>
    • View resource information
    		 
    > show advanced-routing resource logical-router <logical-router-name>
    • View the static route path monitor
    		 
    > show advanced-routing static-route-path-monitor
    • View routing information for OSPFv2 and the link-state database
    		 
    > show advanced-routing ospf area
    > show advanced-routing ospf dumplsdb
    > show advanced-routing ospf graceful-restart
    > show advanced-routing ospf interface
    > show advanced-routing ospf lsdb
    > show advanced-routing ospf neighbor
    > show advanced-routing ospf summary
    > show advanced-routing ospf virt-link
    > show advanced-routing ospf virt-neighbor
    • View routing information for OSPFv3 and the link-state database
    		 
    > show advanced-routing ospfv3 area
    > show advanced-routing ospfv3 dumplsdb
    > show advanced-routing ospfv3 graceful-restart
    > show advanced-routing ospfv3 interface
    > show advanced-routing ospfv3 lsdb
    > show advanced-routing ospfv3 neighbor
    > show advanced-routing ospfv3 summary
    > show advanced-routing ospfv3 virt-link
    > show advanced-routing ospfv3 virt-neighbor
    • View BGP routing information
    		 
    > show advanced-routing bgp summary logical-router <logical-router-name>
    > show advanced-routing bgp peer detail peer-name <peer-name> logical-router <logical-router-name>
    > show advanced-routing bgp peer received-routes peer-name <peer-name> afi <ipv4|ipv6|both> logical-router <logical-router-name>
    > show advanced-routing bgp peer filtered-routes peer-name <peer-name> afi <ipv4|ipv6|both> logical-router <logical-router-name>
    > show advanced-routing bgp peer advertised-routes peer-name <peer-name> afi <ipv4|ipv6|both> logical-router <logical-router-name>
    > show advanced-routing bgp peer dampened-routes peer-name <peer-name> afi <ipv4|ipv6|both> logical-router <logical-router-name>
    > show advanced-routing bgp peer status peer-name <peer-name> logical-router <logical-router-name>
    > show advanced-routing bgp peer-groups group-name <group-name> logical-router <logical-router-name>
    > show advanced-routing bgp filters route-map logical-router <logical-router-name> [ipv4|ipv6] name <route-map-name>
    • View BGP routing information (continued)
    		 
    > show advanced-routing bgp filters access-list logical-router <logical-router-name> [ipv4|ipv6] name <access-list-name>
    > show advanced-routing bgp filters prefix-list logical-router <logical-router-name> [ipv4|ipv6] name <prefix-list-name>
    > show advanced-routing bgp route afi <ipv4|ipv6|both> logical-router <logical-router-name>
    > show advanced-routing bgp peer advertised-routes peer-name <peer-name> afi <ipv4|ipv6|both> logical-router <logical-router-name>
    QoS
    • Enable lockless QoS
    		 
    >  set lockless-qos yes
    • Disable lockless QoS
    		 
    >  set lockless-qos no
    • View lockless QoS enable status
    		 
    >  show lockless-qos enable
    • View the list of ports with the number of cores allocated for the QoS process by lockless QoS
    		 
    >  show lockless-qos if-core-mapping
    • (PAN-OS 11.1.3 and later releases) View the number of cores allocated for the lockless QoS feature
    		 
    >  show lockless-qos core-num

    © 2025 Palo Alto Networks, Inc. All rights reserved.