show chassis routing-engine


debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match source <ip> destination-port <port>
debug dataplane packet-diag set filter pre-parse-match yes  !! Useful for capturing packets before they are dropped due to routing
debug dataplane packet-diag set capture stage drop file <capture-drop.pcap>  !! Capture only dropped packets
debug dataplane packet-diag set capture stage receive file <capture-rx.pcap>  !! Capture packets received by the Palo Alto device
debug dataplane packet-diag set capture stage firewall file <capture-fw.pcap>  !! Capture packets passing through IPS, policies, etc.
debug dataplane packet-diag set capture stage transmit file <capture-tx.pcap>  !! Capture packets being transmitted out from the Palo Alto device
debug dataplane packet-diag set capture on
debug dataplane packet-diag show setting  !! View your configured capture
view-pcap follow yes filter-pcap <pcap-name>  !! Follow the capture file live (like tail -f)

debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture all

scp export filter-pcap from <file name> to <username@host:path>  !! Export capture using SCP

Notes:

  • A maximum of 4 filters can be defined at one time


set deviceconfig system hostname <hostname> ip-address <ip> netmask <netmask> default-gateway <gateway-ip> dns-setting server primary <dns-ip>


request commit-lock remove admin <admin name>


cf ipsec status


route get <ip address>
region


  1. Log into Sidewinder Admin
  2. High Availability -> Select the current standby (backup) firewall
  3. Set the Mode to Primary
  4. Log in to the CLI and reboot the firewall we are setting to primary (master)
  5. When the firewall comes back up, reboot the previous master (do not set the firewall as standby in Sidewinder Admin)


show configuration security ike
show configuration security ipsec
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics index <IndexFromSA>
clear security ike security-associations
clear security ipsec security-associations


request security ike debug-enable local <local-ip> remote <remote-ip> level <level>
show log /var/log/kmd
request security ike debug-disable

Notes:

  • This enables logging to the KMD log without the need to commit

  • SUMMARY: This is an alternative to the usual IKE/IPsec traceoptions for selectively troubleshooting VPN issues
  • PROBLEM OR GOAL: Enabling IKE/IPsec traceoptions on the system can be very CPU intensive and can contribute to performance issues. Troubleshooting with traceoptions can also be difficult, because multiple VPNs may appear in the traceoptions output


set system services web-management limits debug-level 9
commit
run show log httpd.log | match powered
