Managing a Palo Alto Firewall efficiently requires knowing key commands, troubleshooting techniques, and best practices. Here are some must-know things for every firewall admin:
1. Basic System Management
Check system status:
show system info
Check system resources (CPU, memory, disk usage):
show system resources
Reboot the firewall:
request restart system
Check uptime:
show system info | match uptime
Check all active sessions:
show session all
Filter sessions by source/destination IP:
show session all filter source <SRC-IP>
show session all filter destination <DST-IP>
2. Network & Routing Troubleshooting
Check the routing table:
show routing route
Find the next-hop for a specific destination:
test routing fib-lookup virtual-router default ip <DESTINATION-IP>
Ping a destination from the firewall:
ping source <SOURCE-IP> host <DESTINATION-IP>
Traceroute to check the network path:
traceroute host <DESTINATION-IP>
Check the ARP table (useful for connectivity issues):
show arp all
3. Security & Policy Management
View the running security policy:
show running security-policy
Check which rule is applied to a session:
show session id <SESSION-ID>
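Find a security policy allowing/blocking a specific IP (run from configuration mode; this is a text match, so it only finds rules that contain the literal IP):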
show rulebase security rules | match <IP-ADDRESS>
Manually clear a session (useful for stuck sessions):
clear session id <SESSION-ID>
4. NAT & Traffic Flow Troubleshooting
Check NAT rules applied to traffic:
show running nat-policy
Check NAT translations in real-time:
show session id <SESSION-ID> | match NAT
Find which NAT rule applies to a specific traffic flow:
test nat-policy-match protocol 6 source <SRC-IP> destination <DST-IP> destination-port <PORT>
5. Logs & Debugging
View system logs:
show log system direction equal backward
View traffic logs:
show log traffic direction equal backward
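Check dropped packets (global counters, limited to traffic matching the configured packet-diag filter, showing changes since the last run):
show counter global filter packet-filter yes delta yes
Turn on packet capture for detailed diagnostics (capture filters and stages must be configured first; turn capture off again when finished):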
debug dataplane packet-diag set capture on
Download tech support logs (for TAC support):
request tech-support dump
6. High Availability (HA) & Failover
Check HA state:
show high-availability state
Manually trigger a failover (suspends the local peer):
request high-availability state suspend
View HA synchronization status:
show high-availability all
Synchronize configuration between HA peers:
request high-availability sync-to-remote running-config
7. Best Practices for Palo Alto Admins
Use Application-Based Policies: Avoid generic “any-any” rules and use App-ID for better security.
Enable Logging for Important Rules: Ensure “Log at Session End” is enabled for visibility.
Use Security Profiles: Apply Antivirus, Anti-Spyware, and URL Filtering to security policies.
Regular Backups: Export configurations regularly:
scp export configuration from running-config.xml to <backup-location>
Keep PAN-OS Updated: Always run a stable and supported PAN-OS version.
Monitor System Health: Regularly check CPU, session utilization, and logs for anomalies.
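The first three practices above (App-ID instead of any-any, Log at Session End, Security Profiles) can be checked offline against an exported running-config.xml. The following Python audit is an added example, not part of the original page and not a Palo Alto Networks tool. It assumes the usual PAN-OS XML layout (rulebase/security/rules/entry); the sample config, rule names and profile group name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an exported running-config.xml (not a real config).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="allow-any-any">
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service>
    <action>allow</action><log-end>no</log-end>
  </entry>
  <entry name="web-out">
    <source><member>10.0.0.0/24</member></source><destination><member>any</member></destination>
    <application><member>ssl</member><member>web-browsing</member></application>
    <service><member>application-default</member></service>
    <action>allow</action><log-end>yes</log-end>
    <profile-setting><group><member>strict-profiles</member></group></profile-setting>
  </entry>
  <entry name="deny-rest"><action>deny</action>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service>
  </entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

def members(rule, tag):
    """Return the <member> values under a rule child such as <application>."""
    return [m.text for m in rule.findall(f"{tag}/member")]

def audit_rules(xml_text):
    """Map rule name -> list of best-practice findings for each security rule."""
    findings = {}
    for rule in ET.fromstring(xml_text).iterfind(".//rulebase/security/rules/entry"):
        issues = []
        allow = rule.findtext("action") == "allow"
        if allow and "any" in members(rule, "application"):
            issues.append("application is 'any' (no App-ID restriction)")
        if allow and all("any" in members(rule, t) for t in ("source", "destination", "service")):
            issues.append("source, destination and service are all 'any'")
        # Assumption: only an explicit <log-end>no</log-end> is treated as logging disabled.
        if rule.findtext("log-end") == "no":
            issues.append("Log at Session End is disabled")
        if allow and rule.find("profile-setting") is None:
            issues.append("no Security Profiles attached")
        if issues:
            findings[rule.get("name")] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_rules(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(issues))
```

Deny rules are reported only for disabled logging, since App-ID and profile findings apply to traffic that is actually allowed.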