The management interface settings live under the deviceconfig system hierarchy, so both the show commands below (operational mode, `>` prompt) and the set/edit commands (configure mode, `#` prompt) revolve around it.
Show system
To find out which management services are enabled:

    admin@PA-5050> show system services
    HTTP : Disabled
    HTTPS : Enabled
    Telnet : Disabled
    SSH : Enabled
    Ping : Enabled
    SNMP : Enabled
    admin@PA-5050>
To show system information such as the PAN-OS version, management IP address/netmask/gateway, device model, serial number, MAC address of the management interface, product family and hostname:

    admin@PA-5050> show system info
    hostname: PA-5050
    ip-address: 192.168.1.1
    netmask: 255.255.255.0
    default-gateway:
    ipv6-address:
    ipv6-default-gateway:
    mac-address: 00:90:0b:27:ac:56
    time: Mon Dec 10 04:50:41 2012
    uptime: 0 days, 0:34:46
    family: 5000
    model: PA-5050
    serial: 0009C102047
    sw-version: 4.1.6
    global-protect-client-package-version: 0.0.0
    app-version: 255-1052
    app-release-date: unknown
    av-version: 0
    av-release-date: unknown
    threat-version: 0
    threat-release-date: unknown
    url-filtering-version: 0
    global-protect-datafile-version: 0
    global-protect-datafile-release-date: Unknown
    logdb-version: 4.1.2
    platform-family: 5000
    vpn-disable: off
    multi-vsys: off
    admin@PA-5050>
You can filter the show system info output with a pipe. For example, to show only the IP address of the management interface:

    admin@PA-5050> show system info | match ip-address
    ip-address: 192.168.1.1
    admin@PA-5050>
The pipe is limited: unlike Junos from Juniper Networks or a Linux shell, you cannot chain several pipe stages. Only two filters are offered, as the completion list after the pipe shows:

    admin@PA-5050> show system info |
      except    except
      match     match
Another example, showing the PAN-OS software version:

    admin@PA-5050> show system info | match sw-version
    sw-version: 4.1.6
    admin@PA-5050>
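Because the CLI allows only one `match` or `except` stage, multi-criteria filtering is easier done on the captured text. The script below is an added example, not code from the original post: it parses `show system info` output into key/value pairs and applies a chain of match/except stages offline, which the CLI itself cannot do. SAMPLE_INFO is a constructed, trimmed copy of the output shown above.

```python
"""Added example (not from the original post): parse the text printed by
`show system info` and apply PAN-OS style match/except filters to it
offline, chaining several stages where the CLI allows only one."""
import re

# Constructed sample, trimmed from the post's `show system info` output.
SAMPLE_INFO = """\
hostname: PA-5050
ip-address: 192.168.1.1
netmask: 255.255.255.0
default-gateway:
ipv6-address:
mac-address: 00:90:0b:27:ac:56
model: PA-5050
serial: 0009C102047
sw-version: 4.1.6
logdb-version: 4.1.2
vpn-disable: off
multi-vsys: off
"""


def parse_info(text):
    """Turn 'key: value' lines into a dict; empty values become ''.
    Only the first colon separates key from value, so the MAC address
    keeps its own colons."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def pipe(lines, *stages):
    """Apply ('match'|'except', regex) stages in order, the way
    `| match X | except Y` would behave if PAN-OS allowed chaining."""
    for op, pattern in stages:
        rx = re.compile(pattern)
        if op == "match":
            lines = [l for l in lines if rx.search(l)]
        elif op == "except":
            lines = [l for l in lines if not rx.search(l)]
        else:
            raise ValueError("unknown pipe stage: " + op)
    return lines


def management_ip(text):
    return parse_info(text).get("ip-address", "")


def software_version(text):
    return parse_info(text).get("sw-version", "")


def unset_fields(text):
    """Keys whose value is empty, e.g. a missing default gateway."""
    return [k for k, v in parse_info(text).items() if v == ""]


if __name__ == "__main__":
    lines = SAMPLE_INFO.splitlines()
    print(pipe(lines, ("match", "version")))
    print(pipe(lines, ("match", "version"), ("except", "logdb")))
    print("mgmt ip:", management_ip(SAMPLE_INFO))
    print("unset:", unset_fields(SAMPLE_INFO))
```

Feeding real output in is a matter of replacing SAMPLE_INFO with the text captured from an SSH session; the parser makes no assumption beyond one `key: value` per line.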
To show the status of the solid-state drive RAID:

    admin@PA-5050> show system raid
    Overall RAID status          Good
    --------------------------------------------------------------------------------
    Drive status
      Disk id 1                  Present
      Disk id 2                  Missing
    admin@PA-5050>

Or use the more verbose output:

    admin@PA-5050> show system raid detail
    Overall RAID status          Good
    --------------------------------------------------------------------------------
    Drive status
      Disk id 1                  Present (D2CSTK251A20-012)
      Disk id 2                  Missing
    --------------------------------------------------------------------------------
    Partition status
      panlogs                    clean, degraded
        Drive id 1               active sync
      maint                      clean, degraded
        Drive id 1               active sync
      sysroot0                   clean, degraded
        Drive id 1               active sync
      sysroot1                   clean, degraded
        Drive id 1               active sync
      pancfg                     clean, degraded
        Drive id 1               active sync
      panrepo                    clean, degraded
        Drive id 1               active sync
      swap                       clean, degraded
        Drive id 1               active sync
    admin@PA-5050>

Note that the summary reports the overall status as Good even though Disk id 2 is missing; the detail view makes the real state visible, with every partition marked degraded because only one drive is active. Check the detail output rather than trusting the one-word summary.
Change the management IP address
To change the management interface you use the set deviceconfig system command in configure mode; apart from the IP address there are many other things you can set with it.

    admin@PA-5050# set deviceconfig system ip-address 192.168.2.1 netmask 255.255.255.0 service disable-ssh no disable-https no disable-icmp no disable-snmp no
    [edit]
    admin@PA-5050#
The command above shows that options can be nested in a single set command. Pressing ? after set deviceconfig system lists everything that can be set:

    admin@PA-5050# set deviceconfig system
    + authentication-profile        Authentication profile to use for non-local admins. Only RADIUS method is supported.
    + client-certificate-profile    profile for verifying client certificates
    + default-gateway               Default gateway
    + domain                        domain
    + domain-lookup-url             domain-lookup-url
    + fqdn-forcerefresh-time        Seconds for Periodic Timer to force refresh FQDN object entries
    + fqdn-refresh-time             Seconds for Periodic Timer to refresh expired FQDN object entries
    + hostname                      hostname
    + ip-address                    IP address for the management interface
    + ip-address-lookup-url         ip-address-lookup-url
    + ipv6-address                  IPv6 address for the management interface
    + ipv6-default-gateway          IPv6 Default gateway
    + locale                        system default locale
    + login-banner                  login-banner
    + netmask                       IP netmask for the management interface
    + ntp-server-1                  Network Time Protocol server IP address
    + ntp-server-2                  Network Time Protocol server IP address
    + panorama-server               Panorama server (IP address or FQDN)
    + panorama-server-2             Panorama server 2 (IP address or FQDN)
    + secure-proxy-password         Secure Proxy password to use
    + secure-proxy-port             Port for secure proxy server
    + secure-proxy-server           Secure Proxy server to use
    + secure-proxy-user             Secure Proxy user name to use
    + speed-duplex                  Speed and duplex for the management interface
    + timezone                      timezone
    + update-server                 PaloAlto Networks update server
    + web-server-certificate        certificate for secure web GUI
    > dns-setting                   dns-setting
    > geo-location                  Device geographic location
    > log-export-schedule           Schedule for exporting logs
    > log-link                      External log link
    > permitted-ip                  permitted-ip
    > route                         route
    > service                       service
    > snmp-setting                  snmp-setting
    > update-schedule               Schedule for downloading/installing updates
      <Enter>                       Finish input
    admin@PA-5050# set deviceconfig system
The markers in the listing have the following meaning: a plus sign (+) means there are additional options for the set deviceconfig system command at this level; a greater-than sign (>) means the option has further nested options beneath it; an asterisk (*) means the option is compulsory.
Whenever you make configuration changes you must commit for the changed configuration to become active; nothing you set takes effect on the running device until then. This concept is not new to anyone who has used Junos before.
Enabling and disabling management services
You can disable and enable services on the management interface using the set deviceconfig system service command. The listing below shows the services that can be controlled:

    admin@PA-5050# set deviceconfig system service
    + disable-http      disable-http
    + disable-https     disable-https
    + disable-icmp      disable-icmp
    + disable-snmp      disable-snmp
    + disable-ssh       disable-ssh
    + disable-telnet    disable-telnet
      <Enter>           Finish input
    admin@PA-5050# set deviceconfig system service
On this device SSH, HTTPS, SNMP and ICMP are enabled while HTTP and Telnet are disabled, as the show system services output above confirms. To set the state of every service explicitly in one command:

    admin@PA-5050# set deviceconfig system service disable-https no disable-http yes disable-icmp no disable-snmp no disable-telnet yes disable-ssh no
Each disable-* option takes only yes or no, very straightforward. Leave HTTP and Telnet disabled: both carry admin credentials in cleartext, and HTTPS and SSH cover the same needs. Note that these knobs only switch a listener on or off; restricting which source addresses may reach the management interface at all is a separate setting (permitted-ip, listed under the same deviceconfig system hierarchy above).
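Auditing a fleet for this is easier than logging into each box and reading the listing. The script below is an added example and not code from the original post: it parses the text of `show system services`, compares it with a policy in which the cleartext protocols must be disabled, and emits the one-line `set deviceconfig system service ...` command that brings the device in line. The policy itself (which services must be on) is an assumption for the example; SAMPLE_SERVICES is constructed to resemble the post's output, with HTTP and Telnet deliberately left enabled so the audit has something to fix.

```python
"""Added example (not from the original post): audit `show system services`
output against a management-plane policy and build the remediation command."""

# Constructed sample: one 'Name : State' pair per line, with the two
# cleartext services switched on so the audit reports them.
SAMPLE_SERVICES = """\
HTTP    : Enabled
HTTPS   : Enabled
Telnet  : Enabled
SSH     : Enabled
Ping    : Enabled
SNMP    : Enabled
"""

# Service name as printed by `show system services` -> CLI knob name.
KNOB = {
    "HTTP": "disable-http",
    "HTTPS": "disable-https",
    "Telnet": "disable-telnet",
    "SSH": "disable-ssh",
    "Ping": "disable-icmp",
    "SNMP": "disable-snmp",
}

# Desired state (an assumption for this example): True = must be enabled,
# False = must be disabled. Cleartext HTTP and Telnet never belong on the
# management interface; SNMP is kept only because the post's device uses it.
POLICY = {
    "HTTP": False,
    "HTTPS": True,
    "Telnet": False,
    "SSH": True,
    "Ping": True,
    "SNMP": True,
}


def parse_services(text):
    """'HTTP : Enabled' -> {'HTTP': True}; unknown lines are ignored."""
    state = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        state[name.strip()] = value.strip().lower() == "enabled"
    return state


def violations(state, policy=POLICY):
    """Names of services whose current state differs from the policy.
    A service missing from the output counts as a violation too."""
    return sorted(name for name, want in policy.items() if state.get(name) != want)


def remediation_command(state, policy=POLICY):
    """Return one `set deviceconfig system service` line that sets every
    knob, so the result is the same whatever the starting state.
    Returns '' when the device already matches the policy."""
    if not violations(state, policy):
        return ""
    parts = ["set deviceconfig system service"]
    for name in KNOB:  # fixed order keeps the command reproducible
        parts.append("%s %s" % (KNOB[name], "no" if policy[name] else "yes"))
    return " ".join(parts)


if __name__ == "__main__":
    current = parse_services(SAMPLE_SERVICES)
    print("violations:", violations(current))
    print(remediation_command(current))
```

The generated line still has to be entered in configure mode and followed by a commit before the listeners actually change; re-running `show system services` afterwards closes the loop.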
Use the edit command instead of a long string of set commands

Treat edit like the Linux command cd. Treat top like the Linux command cd /: you land at the root of the directory tree, and in the Palo Alto case top puts you at the root of the configuration hierarchy. Treat up like the Linux command cd ..: it moves you one level higher than the current position in the hierarchy. Users of Junos are very familiar with this concept.
To configure the management IP address, instead of typing the full set deviceconfig system ip-address command, I can move into the deviceconfig system hierarchy straight away. The prompt changes to show where I am:

    admin@PA-5050# edit deviceconfig system
    [edit deviceconfig system]
    admin@PA-5050#
From here you can run set ip-address and set netmask directly:

    admin@PA-5050# set ip-address 192.168.1.1
    [edit deviceconfig system]
    admin@PA-5050# set netmask 255.255.255.0
    [edit deviceconfig system]
    admin@PA-5050#
If you want to go further down the hierarchy, for example into service, you can do this:

    admin@PA-5050# edit service
    [edit deviceconfig system service]
    admin@PA-5050# set
    + disable-http      disable-http
    + disable-https     disable-https
    + disable-icmp      disable-icmp
    + disable-snmp      disable-snmp
    + disable-ssh       disable-ssh
    + disable-telnet    disable-telnet
      <Enter>           Finish input
    admin@PA-5050# set
If you want to go to the top of the hierarchy, use the top command:

    admin@PA-5050# top
    [edit]
    admin@PA-5050#

As you can see above, a bare [edit] prompt means you are at the very top of the hierarchy.

To go up one level in the hierarchy, use the up command:

    [edit deviceconfig system]
    admin@PA-5050# up
    [edit deviceconfig]
    admin@PA-5050#
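When reviewing a colleague's configure-mode session, relative set commands are hard to read without tracking the prompt. The script below is an added example, not code from the original post: it models how edit, up and top move the cursor through the hierarchy and replays a constructed transcript, rewriting every relative set into its absolute set deviceconfig system ... form so the session can be reviewed as a flat list of statements. The transcript (SAMPLE_SESSION) and the ConfigCursor class are constructed for this example; the option names in it are the ones listed earlier on the page.

```python
"""Added example (not from the original post): a small model of edit / up /
top navigation in the PAN-OS configuration hierarchy that turns a session
of relative `set` commands into absolute ones."""

# Constructed transcript of configure-mode commands, mirroring the
# sequence walked through in the post (edit, set, edit, up, set, top, set).
SAMPLE_SESSION = """\
edit deviceconfig system
set ip-address 192.168.1.1
set netmask 255.255.255.0
edit service
set disable-telnet yes disable-http yes
up
set hostname PA-5050
top
set deviceconfig system ntp-server-1 192.168.1.10
"""


class ConfigCursor:
    """Tracks the current [edit ...] path the way the CLI prompt does."""

    def __init__(self):
        self.path = []  # [] means [edit], the top of the hierarchy

    def prompt(self):
        return "[edit %s]" % " ".join(self.path) if self.path else "[edit]"

    def edit(self, *tokens):
        """Like `cd <dir>`: descend into a (possibly multi-level) path."""
        self.path.extend(tokens)

    def up(self):
        """Like `cd ..`; a no-op when already at the top."""
        if self.path:
            self.path.pop()

    def top(self):
        """Like `cd /`."""
        self.path = []

    def absolute(self, tokens):
        """Prefix a relative `set` with the current path."""
        return ["set"] + self.path + list(tokens)


def replay(session):
    """Return the absolute `set` commands a configure-mode session produces."""
    cur = ConfigCursor()
    out = []
    for line in session.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "edit":
            cur.edit(*args)
        elif cmd == "up":
            cur.up()
        elif cmd == "top":
            cur.top()
        elif cmd == "set":
            out.append(" ".join(cur.absolute(args)))
        else:
            raise ValueError("unsupported command in session: " + line)
    return out


if __name__ == "__main__":
    for command in replay(SAMPLE_SESSION):
        print(command)
```

The absolute form is also what you would paste back into a device at the [edit] prompt, so the replay doubles as a way to turn an interactive session into a reproducible configuration script (still followed by a commit).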