Palo Alto Cheat Sheet – Networking

General Routing Commands

Display the routing table
> show routing route

Look at routes for a specific destination
> show routing fib virtual-router <name> | match <x.x.x.x/Y>

Change the ARP cache timeout setting from the default of 1800 seconds.
> set system setting arp-cache-timeout <60-65536>

View the ARP cache timeout setting.
> show system setting arp-cache-timeout

NAT

Show the NAT policy table
> show running nat-policy

Test the NAT policy
> test nat-policy-match

Show NAT pool utilization
> show running ippool
> show running global-ippool

IPSec

Show IPSec counters
> show vpn flow

Show a list of all IPSec gateways and their configurations
> show vpn gateway

Show IKE phase 1 SAs
> show vpn ike-sa

Show IKE phase 2 SAs
> show vpn ipsec-sa

Show a list of auto-key IPSec tunnel configurations
> show vpn tunnel

BFD

Show BFD profiles
> show routing bfd active-profile [<name>]

Show BFD details
> show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>]

Show BFD statistics on dropped sessions
> show routing bfd drop-counters session-id <session-id>

Show counters of transmitted, received, and dropped BFD packets
> show counter global | match bfd

Clear counters of transmitted, received, and dropped BFD packets
> clear routing bfd counters session-id all | <1-1024>

Clear BFD sessions for debugging purposes
> clear routing bfd session-state session-id all | <1-1024>

PVST+

Set the native VLAN ID
> set session pvst-native-vlan-id <vid>

Drop all STP BPDU packets
> set session drop-stp-packet

Verify PVST+ BPDU rewrite configuration, native VLAN ID, and STP BPDU packet drop
> show vlan all

Show counter of times the 802.1Q tag and PVID fields in a PVST+ BPDU packet do not match
> show counter global

Look at the flow_pvid_inconsistent counter.

Troubleshooting

Ping from the management (MGT) interface to a destination IP address
> ping host <destination-ip-address>

Ping from a dataplane interface to a destination IP address
> ping source <ip-address-on-dataplane> host <destination-ip-address>

Show network statistics
> show netstat statistics yes

Source:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking.html
