Palo Alto Networks: Familiarize with PAN cli

The management interface settings live under the deviceconfig system hierarchy of the configuration. The show commands below run from operational mode (the > prompt); the set and edit commands later on run from configure mode (the # prompt, entered with configure).

Show system
To find out which management services have been enabled:

admin@PA-5050> show system services

HTTP       : Disabled
HTTPS      : Enabled
Telnet     : Disabled
SSH        : Enabled
Ping       : Enabled
SNMP       : Enabled

admin@PA-5050>

To show system information such as the PAN-OS version, the management IP address, netmask and gateway, the device model and serial number, the MAC address of the management interface, the product family and the hostname:

admin@PA-5050> show system info

hostname: PA-5050
ip-address: 192.168.1.1
netmask: 255.255.255.0
default-gateway:
ipv6-address:
ipv6-default-gateway:
mac-address: 00:90:0b:27:ac:56
time: Mon Dec 10 04:50:41 2012
uptime: 0 days, 0:34:46
family: 5000
model: PA-5050
serial: 0009C102047
sw-version: 4.1.6
global-protect-client-package-version: 0.0.0
app-version: 255-1052
app-release-date: unknown
av-version: 0
av-release-date: unknown
threat-version: 0
threat-release-date: unknown
url-filtering-version: 0
global-protect-datafile-version: 0
global-protect-datafile-release-date: Unknown
logdb-version: 4.1.2
platform-family: 5000
vpn-disable: off
multi-vsys: off

admin@PA-5050>

You can filter the output of show system info with a pipe. For example, to see only the IP address of the management interface:

admin@PA-5050> show system info | match ip-address
ip-address: 192.168.1.1
admin@PA-5050>

Unfortunately the piping options are limited: unlike Junos from Juniper Networks or a Linux shell, you cannot chain (nest) pipes. The available options are:

admin@PA-5050> show system info |
  except   except
  match    match

Another example, showing the PAN-OS software version:

admin@PA-5050> show system info | match sw-version
sw-version: 4.1.6
admin@PA-5050>
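The two outputs above are plain key/value text, which makes them easy to audit from a script. The following is an added example, not code from the original post or from Palo Alto Networks: it parses copies of the show system services and show system info captures into dictionaries and flags the points a reviewer would raise (a cleartext HTTP or Telnet service enabled, SNMP left on, the management address still at the factory default 192.168.1.1, no default gateway). The sample outputs are constructed copies of the captures above; the default-address assumption and the finding texts are my own.

```python
"""Audit `show system services` and `show system info` output from a PAN-OS CLI.

Added example, not code from the original post or from Palo Alto Networks.
It parses the two outputs shown above into dicts and flags management-plane
settings a reviewer would question. Both sample outputs are constructed
copies of the captures on this page; the checks are mine.
"""
import re
from typing import Dict, List

# Constructed sample: `show system services` as captured above.
SERVICES_OUTPUT = """\
HTTP       : Disabled
HTTPS      : Enabled
Telnet     : Disabled
SSH        : Enabled
Ping       : Enabled
SNMP       : Enabled
"""

# Constructed sample: a shortened `show system info` as captured above.
SYSTEM_INFO_OUTPUT = """\
hostname: PA-5050
ip-address: 192.168.1.1
netmask: 255.255.255.0
default-gateway:
ipv6-address:
mac-address: 00:90:0b:27:ac:56
time: Mon Dec 10 04:50:41 2012
model: PA-5050
serial: 0009C102047
sw-version: 4.1.6
multi-vsys: off
"""

# Both commands print one "key : value" pair per line; the value may be empty
# (default-gateway above) or contain colons itself (mac-address, time).
KV_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

# Assumption: 192.168.1.1 is the factory-default address of the MGT port, so a
# firewall still answering on it has not been through initial setup.
FACTORY_DEFAULT_MGMT_IP = "192.168.1.1"
CLEARTEXT_SERVICES = ("http", "telnet")   # send admin credentials unencrypted


def parse_key_value(text: str) -> Dict[str, str]:
    """Turn 'key : value' lines into a dict with lower-cased keys."""
    parsed: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            parsed[m.group(1).lower()] = m.group(2)
    return parsed


def audit_services(services: Dict[str, str]) -> List[str]:
    """Findings for a parsed `show system services` output."""
    findings = []
    for name in CLEARTEXT_SERVICES:
        if services.get(name, "").lower() == "enabled":
            findings.append(f"{name.upper()} is enabled on the management interface")
    if services.get("snmp", "").lower() == "enabled":
        findings.append("SNMP is enabled; confirm it is needed and limited by permitted-ip")
    return findings


def audit_system_info(info: Dict[str, str]) -> List[str]:
    """Findings for a parsed `show system info` output."""
    findings = []
    if info.get("ip-address") == FACTORY_DEFAULT_MGMT_IP:
        findings.append("management IP is still the factory default 192.168.1.1")
    if not info.get("default-gateway"):
        findings.append("no default gateway configured for the management interface")
    return findings


def audit(services_text: str, info_text: str) -> List[str]:
    """Run both audits on raw CLI output and return every finding."""
    return (audit_services(parse_key_value(services_text))
            + audit_system_info(parse_key_value(info_text)))


if __name__ == "__main__":
    for finding in audit(SERVICES_OUTPUT, SYSTEM_INFO_OUTPUT):
        print("FINDING:", finding)
```

Run against the captures on this page it reports three findings: SNMP enabled, the factory-default management address, and no default gateway. Feed it the output of the same commands from a real firewall (for instance saved from an SSH session) to get the same checks on your own boxes.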

To show the RAID status of the solid-state drives. Read this output with care: in the capture below the summary line says Good even though disk 2 is Missing, and the detail view further down shows every partition as degraded.

admin@PA-5050> show system raid


Overall RAID status                        Good
--------------------------------------------------------------------------------
Drive status
   Disk id 1                            Present
   Disk id 2                            Missing

admin@PA-5050>

Or use the more verbose output, which adds the per-partition state:

admin@PA-5050> show system raid detail


Overall RAID status                        Good
--------------------------------------------------------------------------------
Drive status
   Disk id 1                            Present     (D2CSTK251A20-012)
   Disk id 2                            Missing
--------------------------------------------------------------------------------
Partition status

panlogs                        clean, degraded
   Drive id 1                      active sync

maint                          clean, degraded
   Drive id 1                      active sync

sysroot0                       clean, degraded
   Drive id 1                      active sync

sysroot1                       clean, degraded
   Drive id 1                      active sync

pancfg                         clean, degraded
   Drive id 1                      active sync

panrepo                        clean, degraded
   Drive id 1                      active sync

swap                           clean, degraded
   Drive id 1                      active sync

admin@PA-5050>
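Since the summary line above says Good while disk 2 is Missing and every partition is degraded, a monitoring check should read the drive and partition sections, not the summary. Here is an added example, not from the original post or from Palo Alto Networks, that parses a shortened constructed copy of the show system raid detail output and reports the real state; the health rules are my own.

```python
"""Parse `show system raid detail` and report the array's real health.

Added example, not code from the original post or from Palo Alto Networks.
The summary line can read Good while a disk is missing and every partition is
degraded (exactly the capture above), so this reads the drive and partition
sections instead of trusting the summary. Sample and health rules are mine.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed, shortened copy of the `show system raid detail` capture above.
RAID_DETAIL_OUTPUT = """\
Overall RAID status                        Good
--------------------------------------------------------------------------------
Drive status
   Disk id 1                            Present     (D2CSTK251A20-012)
   Disk id 2                            Missing
--------------------------------------------------------------------------------
Partition status

panlogs                        clean, degraded
   Drive id 1                      active sync
maint                          clean, degraded
   Drive id 1                      active sync
sysroot0                       clean, degraded
   Drive id 1                      active sync
swap                           clean, degraded
   Drive id 1                      active sync
"""

OVERALL_RE = re.compile(r"^Overall RAID status\s+(\S+)")
DISK_RE = re.compile(r"^\s+Disk id (\d+)\s+(\w+)")       # "Disk id 2   Missing"
PARTITION_RE = re.compile(r"^(\S+)\s{2,}(.+?)\s*$")      # "panlogs   clean, degraded"


@dataclass
class RaidStatus:
    overall: str = ""
    disks: Dict[int, str] = field(default_factory=dict)       # disk id -> Present/Missing
    partitions: Dict[str, str] = field(default_factory=dict)  # name -> state text

    def missing_disks(self) -> List[int]:
        return sorted(i for i, s in self.disks.items() if s != "Present")

    def degraded_partitions(self) -> List[str]:
        return sorted(n for n, s in self.partitions.items() if "degraded" in s)

    def healthy(self) -> bool:
        """True only when summary, disks and partitions all agree the array is fine."""
        return (self.overall == "Good"
                and not self.missing_disks()
                and not self.degraded_partitions())


def parse_raid_detail(text: str) -> RaidStatus:
    """Walk the output section by section and collect drive and partition state."""
    status = RaidStatus()
    section = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            continue                       # blank lines and separator rules
        m = OVERALL_RE.match(line)
        if m:
            status.overall = m.group(1)
            continue
        if line.startswith("Drive status"):
            section = "drives"
            continue
        if line.startswith("Partition status"):
            section = "partitions"
            continue
        if section == "drives":
            m = DISK_RE.match(line)
            if m:
                status.disks[int(m.group(1))] = m.group(2)
        elif section == "partitions":
            if line.startswith(" "):
                continue                   # member lines: "Drive id 1  active sync"
            m = PARTITION_RE.match(line)
            if m:
                status.partitions[m.group(1)] = m.group(2)
    return status


def raid_findings(status: RaidStatus) -> List[str]:
    """Human-readable findings; empty when the array is genuinely healthy."""
    findings = [f"disk {d} is {status.disks[d]}" for d in status.missing_disks()]
    findings += [f"partition {p} is {status.partitions[p]}"
                 for p in status.degraded_partitions()]
    if findings and status.overall == "Good":
        findings.insert(0, "summary reports Good but the array has lost redundancy")
    return findings


if __name__ == "__main__":
    for finding in raid_findings(parse_raid_detail(RAID_DETAIL_OUTPUT)):
        print("FINDING:", finding)
```

On the capture above healthy() returns False and the first finding points out the disagreement between the summary and the detail, which is the line you want in a monitoring alert rather than the bare word Good.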

Change the management IP address
To change the management interface settings, use the set deviceconfig system command in configure mode (type configure at the operational prompt; the prompt changes from > to #). The command can set far more than the IP address, as the option list further down shows.

admin@PA-5050# set deviceconfig system ip-address 192.168.2.1 netmask 255.255.255.0 service disable-ssh no disable-https no disable-icmp no disable-snmp no

[edit]
admin@PA-5050#

The command above also shows that nested options (here the service branch) can be set on the same line as top-level ones.

admin@PA-5050# set deviceconfig system
+ authentication-profile       Authentication profile to use for non-local admins. Only RADIUS method is supported.
+ client-certificate-profile   profile for verifying client certificates
+ default-gateway              Default gateway
+ domain                       domain
+ domain-lookup-url            domain-lookup-url
+ fqdn-forcerefresh-time       Seconds for Periodic Timer to force refresh FQDN object entries
+ fqdn-refresh-time            Seconds for Periodic Timer to refresh expired FQDN object entries
+ hostname                     hostname
+ ip-address                   IP address for the management interface
+ ip-address-lookup-url        ip-address-lookup-url
+ ipv6-address                 IPv6 address for the management interface
+ ipv6-default-gateway         IPv6 Default gateway
+ locale                       system default locale
+ login-banner                 login-banner
+ netmask                      IP netmask for the management interface
+ ntp-server-1                 Network Time Protocol server IP address
+ ntp-server-2                 Network Time Protocol server IP address
+ panorama-server              Panorama server (IP address or FQDN)
+ panorama-server-2            Panorama server 2 (IP address or FQDN)
+ secure-proxy-password        Secure Proxy password to use
+ secure-proxy-port            Port for secure proxy server
+ secure-proxy-server          Secure Proxy server to use
+ secure-proxy-user            Secure Proxy user name to use
+ speed-duplex                 Speed and duplex for the management interface
+ timezone                     timezone
+ update-server                PaloAlto Networks update server
+ web-server-certificate       certificate for secure web GUI
> dns-setting                  dns-setting
> geo-location                 Device geographic location
> log-export-schedule          Schedule for exporting logs
> log-link                     External log link
> permitted-ip                 permitted-ip
> route                        route
> service                      service
> snmp-setting                 snmp-setting
> update-schedule              Schedule for downloading/installing updates
  <Enter>                      Finish input

admin@PA-5050# set deviceconfig system

In the listing, a + marks an option of set deviceconfig system that takes a value directly, a > marks a branch with further nested options underneath it, and a * (not present here) marks an option that is compulsory.

Whenever you make configuration changes, commit them for the new configuration to take effect; until you commit, the changes exist only in the candidate configuration. This concept is familiar to anyone who has used Junos. Bear in mind that committing a new management IP address drops an SSH or HTTPS session that came in on the old address, so be ready to reconnect to the new one.

Enabling and disabling management services
You can enable and disable services on the management interface with the set deviceconfig system service command. The available services are:

admin@PA-5050# set deviceconfig system service
+ disable-http     disable-http
+ disable-https    disable-https
+ disable-icmp     disable-icmp
+ disable-snmp     disable-snmp
+ disable-ssh      disable-ssh
+ disable-telnet   disable-telnet
  <Enter>          Finish input

admin@PA-5050# set deviceconfig system service

SSH, HTTPS, SNMP and ICMP are enabled by default; to set all of the services explicitly yourself:

admin@PA-5050# set deviceconfig system service disable-https no disable-http yes disable-icmp no disable-snmp no disable-telnet yes disable-ssh no

Each disable option takes only yes or no, which is very straightforward. Leave disable-http and disable-telnet at yes: both protocols carry administrator credentials in cleartext. The permitted-ip branch listed earlier under set deviceconfig system is the place to restrict which addresses may reach the services you do enable.

Use the edit command instead of a long string of set commands

Treat edit like the Linux command cd: it moves you into a branch of the configuration hierarchy.

Treat the top command like the Linux command cd /, which puts you at the root of the directory tree; in the Palo Alto CLI, top puts you at the root of the hierarchy.

Treat the up command like the Linux command cd ..: it moves you one level higher than your current position in the hierarchy.

Users of JunOS are very familiar with this concept.

To configure the management IP address, instead of typing the full set deviceconfig system ip-address command I can move into the deviceconfig system hierarchy directly:

admin@PA-5050# edit deviceconfig system
[edit deviceconfig system]
admin@PA-5050#

From here you can set ip-address and netmask directly:

admin@PA-5050# set ip-address 192.168.1.1

[edit deviceconfig system]
admin@PA-5050# set netmask 255.255.255.0

[edit deviceconfig system]
admin@PA-5050#

To go further down the hierarchy, for example into service, do this:

admin@PA-5050# edit service
[edit deviceconfig system service]
admin@PA-5050# set
+ disable-http     disable-http
+ disable-https    disable-https
+ disable-icmp     disable-icmp
+ disable-snmp     disable-snmp
+ disable-ssh      disable-ssh
+ disable-telnet   disable-telnet
  <Enter>          Finish input

admin@PA-5050# set

To return to the top of the hierarchy, use the top command:

admin@PA-5050# top
[edit]
admin@PA-5050#

As shown above, a bare [edit] banner means you are at the top of the hierarchy.

To go up one level of the hierarchy, use the up command:

[edit deviceconfig system]
admin@PA-5050# up
[edit deviceconfig]
admin@PA-5050#
This entry was posted in Firewall, Security.
