request commit-lock remove admin <admin name>

[ # ]

test url <url>

[ # ]

show system setting ssl-decrypt exclude-cache        !! View the cache of URLs that are NOT decrypted
set ssl decrypt ssl-exclude <url>
delete ssl decrypt ssl-exclude <url>

[ # ]

debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match source <ip> destination-port <port>
debug dataplane packet-diag set filter pre-parse-match yes                               !! Useful for capturing packets before they are dropped due to routing
debug dataplane packet-diag set capture stage drop file <capture-drop.pcap>                !! Capture only dropped packets
debug dataplane packet-diag set capture stage receive file <capture-rx.pcap>            !! Capture packets received by the Palo Alto device
debug dataplane packet-diag set capture stage firewall file <capture-fw.pcap>            !! Capture packets passing through IPS, policies, etc.
debug dataplane packet-diag set capture stage transmit file <capture-tx.pcap>            !! Capture packets being transmitted out from the Palo Alto device
debug dataplane packet-diag set capture on
debug dataplane packet-diag show setting                                                !! View your configured capture
view-pcap follow yes filter-pcap <pcap-name>                                            !! Follow the capture file live (like tail -f)

debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture all

scp export filter-pcap from <file name> to <username@host:path>                            !! Export capture using SCP

Notes:

  • A maximum of 4 filters can be defined at one time

[ # ]

set deviceconfig system hostname <hostname> ip-address <ip> netmask <netmask> default-gateway <gateway-ip> dns-setting server primary <dns-ip>

[ # ]

request high-availability state suspend         !! Passive firewall
!! Upgrade passive to 4.1.7

request high-availability state suspend         !! Current old version active firewall
request high-availability state functional      !! Newly upgraded firewall (outage until this command completes)
!! Upgrade old active firewall to 4.1.7

request high-availability state functional      !! Newly upgraded firewall

Notes:

  • HA processes can take up to 5 minutes to start up after reboot

[ # ]

test nat-policy-match source <source> destination <dest> protocol 6 destination-port <tcp port>
test security-policy-match source <source> destination <dest> protocol 6 destination-port <tcp port>

[ # ]

show system info

[ # ]

request high-availability state suspend                 !! Fail over from the master to the peer and set this device to ineligible
request high-availability state functional              !! Set the device back to eligible
show high-availability state                            !! View current HA state
show high-availability link                             !! View current HA link state
show high-availability all                              !! View high-availability state information
show high-availability control-link                     !! View the control link statistics
show high-availability state-synchronization            !! View the synchronization state to the peer device

[ # ]

set cli pager off
set cli config-output-format set

Notes:

  • The resulting set commands may not be output in order, so they cannot be relied on when applying them to a blank configuration

[ # ]