request chassis cluster failover redundancy-group 1 node <node>

Notes:

  • Node refers to the node number (0 or 1) to fail over to

[ # ]

request high-availability state suspend    !! passive firewall
Upgrade passive to 4.1.7

request high-availability state suspend   !! Active firewall, still on the old version
request high-availability state functional   !! Newly upgraded firewall (Outage until this command completes)
Upgrade old active firewall to 4.1.7

request high-availability state functional   !! Newly upgraded firewall

Notes:

  • HA processes can take up to 5 minutes to start up after reboot

[ # ]

test url <url>

[ # ]

show system setting ssl-decrypt exclude-cache        !! View cache of URLs to NOT decrypt
set ssl decrypt ssl-exclude <url>
delete ssl decrypt ssl-exclude <url>

[ # ]

debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match source <ip> destination-port <port>
debug dataplane packet-diag set filter pre-parse-match yes                               !! Useful for capturing packets before they are dropped due to routing
debug dataplane packet-diag set capture stage drop file <capture-drop.pcap>                !! Capture only dropped packets
debug dataplane packet-diag set capture stage receive file <capture-rx.pcap>            !! Capture packets received by the Palo Alto device
debug dataplane packet-diag set capture stage firewall file <capture-fw.pcap>            !! Capture packets passing through IPS, policies, etc.
debug dataplane packet-diag set capture stage transmit file <capture-tx.pcap>            !! Capture packets being transmitted out from the Palo Alto device
debug dataplane packet-diag set capture on
debug dataplane packet-diag show setting                                                !! View your configured capture
view-pcap follow yes filter-pcap <pcap-name>                                            !! tail -f capture file

debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture all

scp export filter-pcap from <file name> to <username@host:path>                            !! Export capture using SCP

Notes:

  • A maximum of 4 filters can be defined at one time

[ # ]

show vpn flow                    !! View active tunnels
show vpn flow tunnel-id <id>     !! More information about the tunnel from above

show vpn ike-sa
show vpn ipsec-sa

clear vpn ike-sa <gateway-name>
clear vpn ipsec-sa <tunnel name>

test vpn ike-sa gateway <gateway-name>
test vpn ipsec-sa tunnel <tunnel name>

[ # ]

set deviceconfig system hostname <hostname> ip-address <ip> netmask <netmask> default-gateway <gateway-ip> dns-setting server primary <dns-ip>

[ # ]

request commit-lock remove admin <admin name>

[ # ]

cf ipsec status

[ # ]

route get <ip address>
region

[ # ]