PAN-OS CLI Quick Start

Version 10.0

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation

• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/
document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
[email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2020-2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
April 28, 2021

2 PAN-OS CLI QUICK START |

Table of Contents
Get Started with the CLI...................................................................................5
Access the CLI..............................................................................................................................................7
Verify SSH Connection to Firewall.........................................................................................................8
Refresh SSH Keys and Configure Key Options for Management Interface Connection..........12
Give Administrators Access to the CLI............................................................................................... 17
Administrative Privileges............................................................................................................ 17
Set Up a Firewall Administrative Account and Assign CLI Privileges.............................. 18
Set Up a Panorama Administrative Account and Assign CLI Privileges.......................... 18
Change CLI Modes................................................................................................................................... 19
Navigate the CLI....................................................................................................................................... 20
Find a Command....................................................................................................................................... 21
View the Entire Command Hierarchy..................................................................................... 21
Find a Specific Command Using a Keyword Search............................................................22
Get Help on Command Syntax..............................................................................................................24
Get Help on a Command........................................................................................................... 24
Interpret the Command Help....................................................................................................24
Customize the CLI.................................................................................................................................... 27

Use the CLI.........................................................................................................29

View Settings and Statistics................................................................................................................... 31
Modify the Configuration....................................................................................................................... 34
Commit Configuration Changes............................................................................................................ 36
Test the Configuration.............................................................................................................................38
Test the Authentication Configuration................................................................................... 38
Test Policy Matches.................................................................................................................... 39
Load Configurations................................................................................................................................. 41
Load Configuration Settings from a Text File....................................................................... 41
Load a Partial Configuration......................................................................................................42
Use Secure Copy to Import and Export Files.................................................................................... 46
Export a Saved Configuration from One Firewall and Import it into Another............... 46
Export and Import a Complete Log Database (logdb).........................................................47
CLI Jump Start........................................................................................................................................... 48

CLI Cheat Sheets.............................................................................................. 51

CLI Cheat Sheet: Device Management............................................................................................... 53
CLI Cheat Sheet: User-ID....................................................................................................................... 55
CLI Cheat Sheet: HA................................................................................................................................58
CLI Cheat Sheet: Networking................................................................................................................ 60
CLI Cheat Sheet: VSYS............................................................................................................................63
CLI Cheat Sheet: Panorama................................................................................................................... 65

CLI Changes in PAN-OS 10.0........................................................................69

Load Commands Changed in PAN-OS 10.0...................................................................................... 71
Load Commands Removed in PAN-OS 10.0..................................................................................... 72
Revert Commands Changed in PANOS-10.0.....................................................................................73
Set Commands Introduced in PAN-OS 10.0......................................................................................74
Set Commands Changed in PAN-OS 10.0....................................................................................... 106

TABLE OF CONTENTS iii

 Set Commands Removed in PAN-OS 10.0...................................................................................... 111
Show Commands Introduced in PAN-OS 10.0...............................................................................117
Show Commands Removed in PAN-OS 10.0..................................................................................126

iv TABLE OF CONTENTS
Get Started with the CLI
Every Palo Alto Networks device includes a command-line interface (CLI) that allows you to
monitor and configure the device. Although this guide does not provide detailed command
reference information, it does provide the information you need to learn how to use the CLI. It
includes information to help you find the command you need and how to get syntactical help
after you find it. It also explains how to verify the SSH connection to the firewall when you
access the CLI remotely, and how to refresh the SSH keys and configure key options when
connecting to the management interface.

> Access the CLI

> Verify SSH Connection to Firewall
> Refresh SSH Keys and Configure Key Options for Management Interface Connection
> Give Administrators Access to the CLI
> Change CLI Modes
> Navigate the CLI
> Find a Command
> Get Help on Command Syntax
> Customize the CLI

5
6 PAN-OS CLI QUICK START | Get Started with the CLI
© 2021 Palo Alto Networks, Inc.
Access the CLI
Use a terminal emulator, such as PuTTY, to connect to the CLI of a Palo Alto Networks device in one of the
following ways:
• SSH Connection—To ensure you are logging in to your firewall and not a malicious device, you can verify
the SSH connection to the firewall when you perform initial configuration. After you have completed
initial configuration, you can establish a CLI connection over the network using a secure shell (SSH)
connection.
• Serial Connection—If you have not yet completed initial configuration or if you chose not to enable SSH
on the Palo Alto Networks device, you can establish a direct serial connection from a serial interface on
your management computer to the Console port on the device.

STEP 1 | Launch the terminal emulation software and select the type of connection (Serial or SSH).
• To establish an SSH connection, enter the hostname or IP address of the device you want to connect
to and set the port to 22.
• To establish a Serial connection, connect a serial interface on management computer to the Console
port on the device. Configure the Serial connection settings in the terminal emulation software as
follows:
• Data rate: 9600
• Data bits: 8
• Parity: none
• Stop bits: 1
• Flow control: none

STEP 2 | When prompted to log in, enter your administrative username.

The default superuser username is admin. To set up CLI access for other administrative users, see Give
Administrators Access to the CLI.
If prompted to acknowledge the login banner, enter Yes.

STEP 3 | Enter the administrative password.

The default superuser password is admin. However, for security reasons you should immediately
change the admin password.
After you log in, the message of the day displays, followed by the CLI prompt in Operational mode:

username@hostname>

You can tell you are in operational mode because the command prompt ends with a >.

PAN-OS CLI QUICK START | Get Started with the CLI 7

© 2021 Palo Alto Networks, Inc.
Verify SSH Connection to Firewall
Palo Alto Networks firewalls come with Secure Shell (SSH) preconfigured; firewalls can act as both an SSH
server and an SSH client. You can verify your SSH connection to the management port of the firewall during
remote access to ensure that, when you log in remotely, you are logging in to the firewall. You can also
refresh the SSH keys and specify other options for the keys.
After you initially log in through the console to the command-line interface (CLI), the firewall boots up
and displays six fingerprints (hashed SSH keys). When you then remotely access the management port
on the firewall for the first time, the SSH client presents a fingerprint to you and it must match one of the
fingerprints you noted from the console login. This match verifies that the firewall you access remotely is
your firewall and that there is no malicious device between your device and the firewall intercepting Hello
packets or presenting a false fingerprint.
You can also Refresh SSH Keys and Configure Key Options for Management Interface Connection.

To ensure you are logging in to your firewall, perform this task when you first access your
firewall remotely (when you Perform Initial Configuration) and whenever you change the
default host key type or regenerate the host keys for the management port.

STEP 1 | Perform Initial Configuration and note the fingerprints that the firewall displays upon booting
up.
When you connect to the console port (Step 3 of Perform Initial Configuration), the firewall boots up
and displays SSH fingerprints. Make note of these fingerprints.
If the firewall is in FIPS-CC mode, it displays the fingerprints in sha1 hash in base64 encoding, as in the
following example:
SSH Fingerprints
-------------------
256 +nvDTw9G6FpjVRYCN7qYWMmZxB0 (ECDSA)
384 Slx984ndSKeRU+YOkNh9R/4u8IM (ECDSA)
521 sph8wuC3Y/p6zvFr0sGnrzim3wo (ECDSA)
2048 kK3+bBRaJpJQOM+qE8Bl9SKCQPg (RSA)
3072 gtFBWm65/+D7dqUdDDc3P6hJu1g (RSA)
4096 CQnLFnMF1BfBwV7y5bhYQyawpcc (RSA)
If the firewall is in non-FIPS-CC mode, it displays the fingerprints in md5 hash in hex encoding, as in the
following example:
SSH Public key fingerprints:
256 5c:73:5c:88:ea:ba:04:f7:9a:72:07:67:74:20:0c:09 (ECDSA)
384 f2:69:5c:0b:e2:26:e1:39:ca:2f:46:00:df:d5:aa:c0 (ECDSA)
521 8f:00:fa:d0:b9:a5:c5:4d:9d:f5:cd:0d:2c:86:99:25 (ECDSA)
2048 0c:01:69:54:1e:21:08:9d:65:37:3b:50:4a:03:70:d6 (RSA)
3072 1f:ae:d8:1a:b6:8d:9a:4b:c2:fd:74:ca:dc:4f:ca:19 (RSA)
4096 38:88:fb:62:07:19:cf:89:88:a0:6d:22:4b:fa:f4:23 (RSA)

8 PAN-OS CLI QUICK START | Get Started with the CLI

© 2021 Palo Alto Networks, Inc.
STEP 2 | (Optional) Display fingerprints from the SSH server (the firewall).
Display the fingerprints using the CLI if you forgot to note the fingerprints that the SSH server displayed
upon boot up or if you regenerated a host key or changed your default host key type. To effectively
compare fingerprints, specify the same format that your SSH client uses (the device from which you will
remotely log in): either base64 or hex format, and hash-type format of md5, sha1, or sha256.

There is no md5 hash type in FIPS-CC mode.

The following example displays SSH server fingerprints in hex format and md5 hash type.
admin@PA-3060> show ssh-fingerprints format hex hash-type md5
SSH Public key fingerprints:
256 5c:73:5c:88:ea:ba:04:f7:9a:72:07:67:74:20:0c:09 (ECDSA)
384 f2:69:5c:0b:e2:26:e1:39:ca:2f:46:00:df:d5:aa:c0 (ECDSA)
521 8f:00:fa:d0:b9:a5:c5:4d:9d:f5:cd:0d:2c:86:99:25 (ECDSA)
2048 0c:01:69:54:1e:21:08:9d:65:37:3b:50:4a:03:70:d6 (RSA)
3072 1f:ae:d8:1a:b6:8d:9a:4b:c2:fd:74:ca:dc:4f:ca:19 (RSA)
4096 38:88:fb:62:07:19:cf:89:88:a0:6d:22:4b:fa:f4:23 (RSA)

STEP 3 | Continue to Perform Initial Configuration on the firewall so that you assign an IP address to the
management interface and commit your changes.

STEP 4 | Disconnect the firewall from your computer.

STEP 5 | Initiate remote access to the firewall and view the fingerprint.
Using terminal emulation software, such as PuTTY, launch an SSH management session to the firewall
using the IP address you assigned to it.

PAN-OS CLI QUICK START | Get Started with the CLI 9

© 2021 Palo Alto Networks, Inc.
 Before you can proceed with the connection, the SSH client presents a fingerprint as in the following
example:

10 PAN-OS CLI QUICK START | Get Started with the CLI

© 2021 Palo Alto Networks, Inc.
 If you have already logged in to the firewall (and have not changed the key), the
SSH client already has the key stored in its database and therefore doesn’t present a
fingerprint.

STEP 6 | Verify matching fingerprints.

1. Verify that the fingerprint that the SSH client (PuTTY) presented matches one of the fingerprints you
noted from logging in to the console port in the first step.
2. A match verifies that the firewall you remotely accessed is the same firewall you connected to on the
console port. You typically want the SSH client to update its cache, so respond to the warning with
Yes to continue connecting. In this example, the fingerprint in the preceding graphic matches the
RSA 2048 fingerprint from the SSH server (firewall) in Step 1 (and Step 2) of this procedure.
If there is no match or you receive a mismatch warning, you aren’t connecting to the expected
device; Cancel the connection attempt.
If you see a match but you don’t want the SSH client to update its cache, respond with No, which
allows you to continue connecting. Respond with No if the firewall is configured with multiple default
host keys and you want to connect using a specific host key without updating the SSH client cache.

To verify your SSH connection to the firewall after you have regenerated a host key or
changed the default host key type, perform a procedure similar to this one, starting with
logging in to the console port. In this case, Step 2 is required; execute the show ssh-
fingerprints CLI command (with the applicable format and hash-type) and note the
one fingerprint that displays. Omit Step 3 and continue with Step 4, finishing the rest of
the procedure. Verify that the fingerprint from the SSH client matches the fingerprint you
noted from Step 2.

PAN-OS CLI QUICK START | Get Started with the CLI 11

© 2021 Palo Alto Networks, Inc.
Refresh SSH Keys and Configure Key Options
for Management Interface Connection
When you verify your Secure Shell (SSH) connection to the firewall, the verification uses SSH keys. To
change the default host key type, generate a new pair of public and private SSH host keys, and configure
other SSH settings, create an SSH service profile.
The following examples show how to configure various SSH settings for a management SSH service profile
after you access the CLI. The settings marked as recommended provide a stronger security posture. (See
Refresh HA1 SSH Keys and Configure Key Options for SSH HA profile examples.)

If you are using SSH to access the CLI of the firewall in FIPS-CC mode, you must set
automatic rekeying parameters for session keys.

Palo Alto Networks allows you to specify only recommended ciphers, key exchange
algorithms, and message authentication algorithms for the SSH configurations below.
Also note that, to use the same SSH connection settings for each Dedicated Log Collector
(M-Series or Panorama™ virtual appliances in Log Collector mode) in a Collector Group,
you must configure an SSH service profile from the Panorama management server, Commit
the changes to Panorama, and then Push the configuration to the Log Collectors. You can
use the set log-collector-group <name> general-setting management ssh
commands.

Each of the following configuration steps includes a commit and an SSH service restart if you
perform only one step (except when you create a profile without configuring any settings).
Otherwise, you can set multiple SSH options and then commit your changes and restart SSH
when you’re done.

• Create an SSH service profile to exercise greater control over SSH connections to your
management interface.
This example creates a Management - Server profile without configuring any settings.
1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles server-
profiles <name>
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. To verify that the new profile has been created and view the settings for any existing profiles:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles

• (Optional) Set the SSH server to use only the specified encryption ciphers.
By default, SSH allows all supported ciphers for encryption of CLI management sessions. When you
set one or more ciphers in an SSH service profile, the SSH server advertises only those ciphers while
connecting and, if the SSH client tries to connect using a different cipher, the server terminates the
connection.
1. admin@PA-3260> configure

12 PAN-OS CLI QUICK START | Get Started with the CLI

© 2021 Palo Alto Networks, Inc.
 2. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles server-
profiles <name> ciphers <cipher>
aes128-cbc—AES 128-bit cipher with Cipher Block Chaining
aes128-ctr—AES 128-bit cipher with Counter Mode
aes128-gcm—AES 128-bit cipher with GCM (Galois/Counter Mode)
aes192-cbc—AES 192-bit cipher with Cipher Block Chaining
aes192-ctr—AES 192-bit cipher with Counter Mode
aes256-cbc—AES 256-bit cipher with Cipher Block Chaining
aes256-ctr—(Recommended) AES 256-bit cipher with Counter Mode
aes256-gcm—(Recommended) AES 256-bit cipher with GCM
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. admin@PA-3260> set ssh service-restart mgmt
6. To verify the ciphers have been updated:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles mgmt-profiles server-
profiles ciphers

• (Optional) Set the default host key type.

The firewall uses a default host key type of RSA 2048 unless you change it. The SSH connection uses
only the default host key type (not other host key types) to authenticate the firewall. You can change the
default host key type; the choices are ECDSA (256, 384, or 521) or RSA (2048, 3072, or 4096).
Change the default host key type if you prefer a longer RSA key length or if you prefer ECDSA rather
than RSA. This example sets the default host key type for a management profile to the recommended
ECDSA key of 256 bits. It also restarts SSH for the management connection so the new key type takes
effect.
1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles server-
profiles <name> default-hostkey key-type ECDSA 256
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. admin@PA-3260> set ssh service-restart mgmt
6. To verify the host key has been updated:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles mgmt-profiles server-
profiles <name> default-hostkey

• (Optional) Delete a cipher from the set of ciphers you selected to encrypt your CLI sessions.
This example deletes the AES CBC cipher with 128-bit key.
1. admin@PA-3260> configure
2. admin@PA-3260# delete deviceconfig system ssh profiles mgmt-profiles
server-profiles <name> ciphers aes128-cbc
3. admin@PA-3260# commit
4. admin@PA-3260# exit

PAN-OS CLI QUICK START | Get Started with the CLI 13

© 2021 Palo Alto Networks, Inc.
 5. admin@PA-3260> set ssh service-restart mgmt
6. To verify the cipher has been deleted:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles mgmt-profiles server-
profiles <name> ciphers

• (Optional) Set the session key exchange algorithms the SSH server will support.
By default, the SSH server advertises all the key exchange algorithms to the SSH client.

If you are using an ECDSA default key type, best practice is to use an ECDH key
algorithm.

1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles server-
profiles <name> kex <value>
diffie-hellman-group14-sha1—Diffie-Hellman group 14 with SHA1 hash
ecdh-sha2-nistp256—(Recommended) Elliptic-Curve Diffie-Hellman over National Institute of
Standards and Technology (NIST) P-256 with SHA2-256 hash
ecdh-sha2-nistp384—(Recommended) Elliptic-Curve Diffie-Hellman over NIST P-384 with
SHA2-384 hash
ecdh-sha2-nistp521—(Recommended) Elliptic-Curve Diffie-Hellman over NIST P-521 with
SHA2-521 hash
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. admin@PA-3260> set ssh service-restart mgmt
6. To verify the key exchange algorithms have been updated:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles mgmt-profiles server-
profiles

• (Optional) Set the message authentication codes (MAC) the SSH server will support.
By default, the server advertises all of the MAC algorithms to the client.
1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles server-
profiles <name> mac <value>
hmac-sha1—MAC with SHA1 cryptographic hash
hmac-sha2-256—(Recommended) MAC with SHA2-256 cryptographic hash
hmac-sha2-512—(Recommended) MAC with SHA2-512 cryptographic hash
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. admin@PA-3260> set ssh service-restart mgmt
6. To verify the MAC algorithms have been updated:
admin@PA-3260> configure

14 PAN-OS CLI QUICK START | Get Started with the CLI

© 2021 Palo Alto Networks, Inc.
 admin@PA-3260# show deviceconfig system ssh profiles mgmt-profiles server-
profiles

• (Optional) Regenerate ECDSA or RSA host keys for SSH to replace the existing keys.
The remote device uses the host keys to authenticate the firewall. Regenerate your default host key at
the frequency you determine necessary for security purposes. This example regenerates the ECDSA 256
default host key because that is the default host key type set in an earlier step.

Regenerating a host key does not change your default host key type. To regenerate the
default host key you are using, you must specify your default host key type and length
when you regenerate. Regenerating a host key that isn’t your default host key type simply
regenerates a key that you aren’t using and therefore has no effect.

1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh regenerate-hostkeys mgmt key-
type ECDSA key-length 256
3. admin@PA-3260# commit
4. admin@PA-3260> exit
5. admin@PA-3260> set ssh service-restart mgmt

• (Optional) Set rekey parameters to establish when automatic rekeying of the session keys
occurs.
The session keys are used to encrypt traffic between the remote device and the management interface.
The parameters you can set are data volume (in megabytes), time interval (seconds), and packet count.
After any one rekey parameter reaches its configured value, SSH initiates a key exchange.
You can set a second or third parameter if you aren’t sure the parameter you configured will reach its
value as fast as you want rekeying to occur. The first parameter to reach its configured value will prompt
a rekey, then the firewall will reset all rekey parameters.
1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles server-
profiles <name> session-rekey data 32
Rekeying occurs after the volume of data (in megabytes) is transmitted following the previous rekey.
The default is based on the cipher you use and ranges from 1GB to 4GB. The range is 10MB to
4,000MB. Alternatively, you can enter set deviceconfig system ssh profiles mgmt-
profiles server-profiles <name> session-rekey data default, which sets the data
parameter to the default value of the individual cipher you are using.
3. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles server-
profiles <name> session-rekey interval 3600
Rekeying occurs after the specified time interval (in seconds) passes following the previous rekey. By
default, time-based rekeying is disabled (set to none). The range is 10 to 3,600.

If you are configuring the management interface in FIPS-CC mode, you must set a
time interval within the range; you cannot leave it disabled.
4. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles server-
profiles <name> session-rekey packets 27
n
Rekeying occurs after the defined number of packets (2 ) are transmitted following the previous
14
rekey. For example, 14 configures that a maximum of 2 packets are transmitted before a rekey
28 12 27
occurs. The default is 2 . The range is 12 to 27 (2 to 2 ). Alternatively, you can enter set

PAN-OS CLI QUICK START | Get Started with the CLI 15

© 2021 Palo Alto Networks, Inc.
 deviceconfig system ssh profiles mgmt-profiles server-profiles <name>
28
session-rekey packets default, which sets the packets parameter to 2 .

Choose rekeying parameters based on your type of traffic and network speeds (in
addition to FIPS-CC requirements if they apply to you). Don’t set the parameters so
low that they affect SSH performance.
5. admin@PA-3260# commit
6. admin@PA-3260# exit
7. admin@PA-3260> set ssh service-restart mgmt
8. To verify the changes:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles mgmt-profiles server-
profiles <name> session-rekey

• Activate the profile by selecting the profile and restarting SSH service.
1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh mgmt server-profile <name>
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. admin@PA-3260> set ssh service-restart mgmt
6. To verify the correct profile is in use:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh mgmt

16 PAN-OS CLI QUICK START | Get Started with the CLI

© 2021 Palo Alto Networks, Inc.
Give Administrators Access to the CLI
Administrative accounts specify roles and authentication methods for the administrators of Palo Alto
Networks firewalls. Every Palo Alto Networks firewall has a predefined default administrative account
(admin) that provides full read-write access (also known as superuser access) to the firewall. As a best
practice, create an administrative account for each person who will be performing configuration tasks on
the firewall or Panorama so that you have an audit trail of changes.
• Administrative Privileges
• Set Up a Firewall Administrative Account and Assign CLI Privileges
• Set Up a Panorama Administrative Account and Assign CLI Privileges

Administrative Privileges
Privilege levels determine which commands an administrator can run as well as what information is
viewable. Each administrative role has an associated privilege level. You can use dynamic roles, which are
predefined roles that provide default privilege levels. Or, you can create custom firewall administrator roles
or Panorama administrator roles and assign one of the following CLI privilege levels to each role:

You must follow the Best Practices for Securing Admin Access to ensure that you are
securing access to your management network in a way that will prevent successful attacks.

Privilege Level Description

superuser Has full access to the Palo Alto Networks device (firewall or Panorama) and
can define new administrator accounts and virtual systems. You must have
superuser privileges to create an administrative user with superuser privileges.

superreader Has complete read-only access to the device.

vsysadmin Has access to selected virtual systems (vsys) on the firewall to create and
manage specific aspects of virtual systems. A virtual system administrator
doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers,
IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network
profiles.

vsysreader Has read-only access to selected virtual systems on the firewall and specific
aspects of virtual systems. A virtual system administrator with read-only
access doesn’t have access to network interfaces, VLANs, virtual wires, virtual
routers, IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network
profiles.

deviceadmin Has full access to all firewall settings except for defining new accounts or
virtual systems.

devicereader Has read-only access to all firewall settings except password profiles (no
access) and administrator accounts (only the logged in account is visible).

panorama-admin Has full access to Panorama except for the following actions:
• Create, modify, or delete Panorama or device administrators and roles.
• Export, validate, revert, save, load, or import a configuration.

PAN-OS CLI QUICK START | Get Started with the CLI 17

© 2021 Palo Alto Networks, Inc.
 Privilege Level Description
• Schedule configuration exports.

Set Up a Firewall Administrative Account and Assign CLI Privileges

To set up a custom firewall administrative role and assign CLI privileges, use the following workflow:

STEP 1 | Configure an Admin Role profile.

1. Select Device > Admin Roles and then click Add.
2. Enter a Name to identify the role.
3. For the scope of the Role, select Device or Virtual System.
4. Define access to the Command Line:
• Device role—superuser, superreader, deviceadmin, devicereader, or None.
• Virtual System role—vsysadmin, vsysreader, or None.
5. Click OK to save the profile.

STEP 2 | Configure an administrator account.

1. Select Device > Administrators and click Add.
2. Enter a user Name. If you will use local database authentication, this must match the name of a user
account in the local database.
3. If you configured an Authentication Profile or authentication sequence for the user, select it in the
drop-down. If you select None, you must enter a Password and Confirm Password.
4. If you configured a custom role for the user, set the Administrator Type to Role Based and select the
Admin Role Profile. Otherwise, set the Administrator Type to Dynamic and select a dynamic role.
5. Click OK and Commit.

Set Up a Panorama Administrative Account and Assign CLI

Privileges
To set up a custom Panorama administrative role and assign CLI privileges, use the following workflow:

STEP 1 | Configure an Admin Role profile.

1. Select Panorama > Admin Roles and then click Add.
2. Enter a Name to identify the role.
3. For the scope of the Role, select Panorama.
4. Select the Command Line tab and select an access level: superuser, superreader, panorama-admin,
or None.
5. Click OK to save the profile.

STEP 2 | Configure an administrator account.

1. Select Panorama > Administrators and click Add.
2. Enter a user Name.
3. If you configured an Authentication Profile or authentication sequence for the user, select it in the
drop-down. If you select None, you must enter a Password and Confirm Password.
4. If you configured a custom role for the user, set the Administrator Type to Custom Panorama Admin
and select the Admin Role Profile. Otherwise, set the Administrator Type to Dynamic and select a
dynamic Admin Role.
5. Click OK and Commit, for the Commit Type select Panorama, and click Commit again.

18 PAN-OS CLI QUICK START | Get Started with the CLI

© 2021 Palo Alto Networks, Inc.
Change CLI Modes
The CLI provides two command modes:
• Operational—Use operational mode to view information about the firewall and the traffic running
through it or to view information about Panorama or a Log Collector. Additionally, use operational mode
commands to perform operations such as restarting, loading a configuration, or shutting down. When
you log in, the CLI opens in operational mode.
• Configuration—Use configuration mode to view and modify the configuration.
You can switch between operational and configuration modes at any time, as follows:

• To switch from operational mode to configuration mode:

username@hostname> configure
Entering configuration mode
[edit]
username@hostname#

Notice that the command prompt changes from a > to a #, indicating that you successfully changed
modes.

• To switch from configuration mode to operational mode, use either the quit or exit
command:

username@hostname# quit
Exiting configuration mode
username@hostname>

• To enter an operational mode command while in configuration mode, use the run command,
for example:

username@hostname# run ping host 10.1.1.2

PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data
...
username@hostname#

PAN-OS CLI QUICK START | Get Started with the CLI 19

© 2021 Palo Alto Networks, Inc.
Navigate the CLI
CLI commands are organized in a hierarchical structure. To display a segment of the current hierarchy, use
the show command. Entering show displays the complete hierarchy, while entering show with keywords
displays a segment of the hierarchy.
For example, the following command displays the configuration hierarchy for the Ethernet interface
segment of the hierarchy:

username@hostname>
configure
Entering configuration mode
[edit]
username@hostname#
show network interface ethernet
ethernet {
ethernet1/1 {
virtual-wire;
}
ethernet1/2 {
virtual-wire;
}
ethernet1/3 {
layer2 {
units {
ethernet1/3.1;
}
}
}
ethernet1/4;
}
[edit]
username@hostname#

20 PAN-OS CLI QUICK START | Get Started with the CLI

© 2021 Palo Alto Networks, Inc.
Find a Command
The find command helps you find a command when you don't know where to start looking in the
hierarchy. The command—which is available in all CLI modes—has two forms. Used alone, find command
displays the entire command hierarchy. Used with the keyword parameter, find command keyword displays
all commands that contain the specified keyword.

You can also view a complete listing of all Operational Commands and Configure Commands
or view the CLI Changes in PAN-OS 10.0.

• View the Entire Command Hierarchy

• Find a Specific Command Using a Keyword Search

View the Entire Command Hierarchy

Use find command without any parameters to display the entire command hierarchy in the current
command mode. For example, running this command from operational mode on a VM-Series Palo Alto
Networks device yields the following (partial result):

username@hostname> find command

target set <value>
target show
schedule uar-report user <value> user-group <value> skip-detailed-browsing
<yes|no> title <value> period <value> start-time <value> end-time <value>
vsys <value>
schedule botnet-report period <last-calendar-day|last-24-hrs> topn <1-500>
query <value>
clear arp <value>|<all>
clear neighbor <value>|<all>
clear mac <value>|<all>
clear job id <0-4294967295>
clear query id <0-4294967295>
clear query all-by-session
clear report id <0-4294967295>
clear report all-by-session
clear report cache
clear log traffic
clear log threat
clear log config
clear log system
clear log alarm
clear log acc
clear log hipmatch
clear log userid
clear log iptag
clear wildfire counters
clear counter interface
clear counter global name <value>
clear counter global filter category <value> severity <value> aspect <value>
pac
ket-filter <yes|no>
clear counter all
clear session id <1-4294967295>
clear session all filter nat <none|source|destination|both> ssl-decrypt <yes|
no> type <flow|predict> state <initial|opening|active|discard|closing|closed>
from <value> to <value> source <ip/netmask> destination <ip/netmask> source-

PAN-OS CLI QUICK START | Get Started with the CLI 21

© 2021 Palo Alto Networks, Inc.
 user <value> destination-user <value> source-port <1-65535> destination-port
<1-65535> protocol <1-255> application <value> rule <value> nat-rule <value>
qos-rule <value> pbf-rule <value> dos-rule <value> hw-interface <value> min-
kb <1-1048576> qos-node-id <0-5000>|<-2> qos-class <1-8> vsys-name <value>|
<any>
clear application-signature statistics
clear nat-rule-cache rule <value>
clear statistics
clear high-availability control-link statistics
clear high-availability transitions
clear vpn ike-sa gateway <value>
clear vpn ipsec-sa tunnel <value>
clear vpn ike-preferred-version gateway <value>
clear vpn ike-hashurl
clear vpn flow tunnel-id <1-2147483648>
clear dhcp lease all expired-only
clear dhcp lease interface clear dhcp lease interface <name> ip <ip/netmask>
:

Find a Specific Command Using a Keyword Search

Use find command keyword to locate all commands that have a specified keyword.

username@hostname# find command keyword <keyword>

For example, suppose you want to configure certificate authentication and you want the Palo Alto
Networks device to get the username from a field in the certificate, but you don’t know the command. In
this case you might use find command keyword to search for commands that contain username in the
command syntax.

username@hostname > configure

Entering configuration mode

[edit]
username@hostname # find command keyword username
show shared certificate-profile <name> username-field
set deviceconfig system log-export-schedule <name> protocol ftp username
<value>
set deviceconfig system log-export-schedule <name> protocol scp username
<value>
set deviceconfig setting wildfire session-info-select exclude-username <yes|
no>
set mgt-config password-complexity block-username-inclusion <yes|no>
set network interface ethernet <name> layer3 pppoe username <value>
set shared authentication-profile <name> username-modifier <value>|<validate>|
<%USERINPUT%|%USERINPUT%@%USERDOMAIN%|%USERDOMAIN%\%USERINPUT%>
set shared certificate-profile <name> username-field
set shared certificate-profile <name> username-field subject <common-name>
set shared certificate-profile <name> username-field subject-alt <email|
principal-name>
set vm-info-source <name> VMware-ESXi username <value>
set vm-info-source <name> VMware-vCenter username <value>
set user-id-collector setting ntlm-username <value>
set user-id-collector syslog-parse-profile <name> regex-identifier username-
regex <value>
set user-id-collector syslog-parse-profile <name> field-identifier username-
prefix <value>

22 PAN-OS CLI QUICK START | Get Started with the CLI

© 2021 Palo Alto Networks, Inc.
set user-id-collector syslog-parse-profile <name> field-identifier username-
delimiter <value>
[edit]
username@hostname #

From the resulting lists of commands, you can identify that the command you need is:

username@hostname # set shared certificate-profile <name> username-field

If you’re not sure exactly what to enter in the command line, you can then Get Help on Command Syntax.

PAN-OS CLI QUICK START | Get Started with the CLI 23

© 2021 Palo Alto Networks, Inc.
Get Help on Command Syntax
After you Find a Command you can get help on the specific command syntax by using the built-in CLI help.
To get help, enter a ? at any level of the hierarchy.
• Get Help on a Command
• Interpret the Command Help

Get Help on a Command

For example, suppose you want to configure the primary DNS server settings on the Palo Alto Networks
device using find command keyword with dns as the keyword value, you already know that the
command is set deviceconfig system dns-setting, but you’re not exactly sure how to use the
command to set the primary DNS server setting. In this case, you would enter as much of the command as
you know (or start typing it and press Tab for automatic command completion), and then add a question
mark at the end of the line before pressing Enter, like this:

username@hostname# set deviceconfig system dns-setting ?

> dns-proxy-object Dns proxy object to use for resolving fqdns
> servers Primary and secondary dns servers
<Enter> Finish input

Notice that the question mark doesn’t appear in the command line when you type it, but a list of the
available commands appears. You can continue getting syntactical help all through the hierarchy:

username@hostname# set deviceconfig system dns-setting servers ?

+ primary Primary DNS server IP address
+ secondary Secondary DNS server IP address
<Enter> Finish input

username@hostname# set deviceconfig system dns-setting servers primary ?

<ip> <ip>

Use the Tab key in the middle of entering a command and the command will automatically
complete, provided there are no other commands that match the letters you have typed
thus far. For example, if you type set dev and then press Tab, the CLI will recognize that
the command you are entering is deviceconfig and automatically finish populating the
command line.

Interpret the Command Help

Use the following table to help interpret the command options you see when you use the ? to get help.

Symbol Description

* Indicates that the option is required.

For example, when importing a configuration over secure copy (SCP),
specifying the from parameter is required, as indicated by the * from
notation.

username@hostname#> scp import configuration ?

24 PAN-OS CLI QUICK START | Get Started with the CLI

© 2021 Palo Alto Networks, Inc.
Symbol Description
+ remote-port SSH port number on remote host
+ source-ip Set source address to specified interface
address
* from Source (username@host:path)

> Indicates that there are additional nested commands.

For example, when configuring DNS settings, there are additional nested
commands for configuring a DNS proxy object and for specifying primary and
secondary DNS servers:

username@hostname# set deviceconfig system dns-setting ?

> dns-proxy-object Dns proxy object to use for
resolving fqdns
> servers Primary and secondary dns servers
<Enter> Finish input

+ Indicates that the option has an associated value that you must enter.
For example, when setting up a high availability configuration, notice that the
+ enabled notation indicates that you must supply a value for this option:

username@hostname# set deviceconfig high-availability ?

+ enabled enabled
> group HA group configuration
> interface HA interface configuration
<Enter> Finish input
Getting help for the enabled option shows that you must
enter a value of yes or no:
admin@PA-3060# set deviceconfig high-availability
enabled ?
no no
yes yes

| Allows you to filter command output. You can either specify a match value,
which will only show command output that matches the value you specify,
or you can specify an except value, which will only show command output
except for the value you specify.
For example, use the | match option to display only the app-version in the
output of the show system info command:

username@hostname> show system info | match app-version

app-version: 8087-5126

Similarly, to show all users in your group lists who are not part of your
organization, you should show the user group list, but exclude the
organizational unit (ou) for your organization. Notice that, although there are
a total of 4555 user-to-group mappings, with the | except filter you can
easily see the small list of users who are part of external groups:

username@hostname> show user group list | except ou=acme

PAN-OS CLI QUICK START | Get Started with the CLI 25

© 2021 Palo Alto Networks, Inc.
 Symbol Description
cn=sap_globaladmin,cn=users,dc=acme,dc=local
cn=dnsupdateproxy,ou=admin groups,ou=administrator
accounts,dc=acme,dc=local
cn=dhcp administrators,ou=admin groups,ou=administrator
accounts,dc=acme,dc=local
cn=helpservicesgroup,cn=users,dc=acme,dc=local
cn=exchange domain servers,cn=users,dc=acme,dc=local
cn=network configuration
operators,cn=builtin,dc=acme,dc=local
cn=dhcp users,ou=admin groups,ou=administrator
accounts,dc=acme,dc=local
cn=exchange windows permissions,ou=microsoft exchange
security groups,dc=acme,dc=local
cn=wins users,cn=users,dc=acme,dc=local
cn=enterprise read-only domain
controllers,cn=users,dc=acme,dc=local
cn=print-server-admins,ou=admin groups,ou=administrator
accounts,dc=acme,dc=local
cn=telnetclients,cn=users,dc=acme,dc=local
cn=servicenowpasswordreset,ou=admin
groups,ou=administrator accounts,dc=acme,dc=local
cn=delegated setup,ou=microsoft exchange security
groups,dc=acme,dc=local
Total: 4555
* : Custom Group
</result></response>
username@hostname>

26 PAN-OS CLI QUICK START | Get Started with the CLI

© 2021 Palo Alto Networks, Inc.
Customize the CLI
• Specify how long an administrative session to the management interface (CLI or web interface)
can remain idle before logging the administrator out:

username@hostname# set deviceconfig setting management idle-timeout ?

0 never
<value> <1-1440>

If you want to set the CLI timeout value to a value different from the global management
idle-timeout value, use the set cli timeout command in operational mode.

• Specify the format for command output:

username@hostname> set cli config-output-format ?

default default
json json
set set
xml xml

For example, in the default setting the config-output-format looks like this:

username@hostname# show deviceconfig system dns-setting servers

servers {
primary 1.2.3.4;
secondary 1.2.3.5;
}

Changing the setting to set results in output that looks like this:

username@hostname# show deviceconfig system dns-setting servers

set deviceconfig system dns-setting servers primary 1.2.3.4
set deviceconfig system dns-setting servers secondary 1.2.3.5
[edit]
[edit]

Changing the setting to xml results in output that looks like this:

username@hostname# show deviceconfig system dns-setting servers

<response status="success" code="19">
<result total-count="1" count="1">
<servers>
<primary>1.2.3.4</primary>
<secondary>1.2.3.5</secondary>
</servers>
</result>
</response>

PAN-OS CLI QUICK START | Get Started with the CLI 27

© 2021 Palo Alto Networks, Inc.
 • Switch to scripting mode. In scripting mode, you can copy and paste commands from a text file
directly into the CLI. Although you can do this without scripting-mode enabled (up to 20 lines).
If you cut-and-paste a block of text into the CLI, examine the output of the lines you pasted. If
you see lines that are truncated or generate errors, you may have to re-paste a smaller section
of text, or switch to scripting-mode:

username@hostname> set cli scripting-mode on

When in scripting-mode, you cannot use Tab to complete commands or use ? to get
help on command syntax. When you are done pasting commands, switch back to regular
mode using the set cli scripting-mode off command.

28 PAN-OS CLI QUICK START | Get Started with the CLI

Use the CLI
Now that you know how to Find a Command and Get Help on Command Syntax, you are ready
to start using the CLI to manage your Palo Alto Networks firewalls or Panorama. The following
topics describe how to use the CLI to view information about the device and how to modify
the configuration of the device. In addition, more advanced topics show how to import partial
configurations and how to use the test commands to validate that a configuration is working as
expected.

> View Settings and Statistics

> Modify the Configuration
> Commit Configuration Changes
> Test the Configuration
> Load Configurations
> Use Secure Copy to Import and Export Files
> CLI Jump Start

29
30 PAN-OS CLI QUICK START | Use the CLI
© 2021 Palo Alto Networks, Inc.
View Settings and Statistics
Use show commands to view configuration settings and statistics about the performance of the firewall or
Panorama and about the traffic and threats identified on the firewall. You can use show commands in both
Operational and Configure mode. For example, the show system info command shows information
about the device itself:

admin@PA-850> show system info

hostname: PA-850
ip-address: 10.10.10.23
public-ip-address: unknown
netmask: 255.255.255.0
default-gateway: 10.10.10.1
ip-assignment: static
ipv6-address: unknown
ipv6-link-local-address: fe80::d6f4:beff:febe:ba00/64
ipv6-default-gateway:
mac-address: d4:f4:be:be:ba:00
time: Tue Feb 12 08:40:09 2019
uptime: 6 days, 11:51:18
family: 800
model: PA-850
serial: 011901000300
cloud-mode: non-cloud
sw-version: 9.0.0-c300
global-protect-client-package-version: 0.0.0
app-version: 8114-5254
app-release-date: 2019/01/16 15:14:11 PST
av-version: 2860-3370
av-release-date: 2019/01/16 10:05:59 PST
threat-version: 8114-5254
threat-release-date: 2019/01/16 15:14:11 PST
wf-private-version: 0
wf-private-release-date: unknown
url-db: paloaltonetworks
wildfire-version: 314895-317564
wildfire-release-date: 2019/01/16 18:20:09 PST
url-filtering-version: 20190201.20201
global-protect-datafile-version: unknown
global-protect-datafile-release-date: unknown
global-protect-clientless-vpn-version: 0
global-protect-clientless-vpn-release-date:
logdb-version: 9.0.10
platform-family: 800
vpn-disable-mode: off
multi-vsys: off
operational-mode: normal

admin@PA-3220>

The show session info command shows details about the sessions running through the Palo Alto
Networks device.

admin@PA-850> show session info

PAN-OS CLI QUICK START | Use the CLI 31

© 2021 Palo Alto Networks, Inc.
 target-dp: *.dp0

--------------------------------------------------------------------------------
Number of sessions supported: 196606
Number of allocated sessions: 0
Number of active TCP sessions: 0
Number of active UDP sessions: 0
Number of active ICMP sessions: 0
Number of active GTPc sessions: 0
Number of active GTPu sessions: 0
Number of pending GTPu sessions: 0
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 0
Number of active SCTP sessions: 0
Number of active SCTP associations: 0
Session table utilization: 0%
Number of sessions created since bootup: 5044051
Packet rate: 0/s
Throughput: 0 kbps
New connection establish rate: 0 cps

--------------------------------------------------------------------------------
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 120 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session delayed ack timeout: 250 millisecs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
SCTP default timeout: 3600 secs
SCTP timeout before INIT-ACK received: 5 secs
SCTP timeout before COOKIE received: 60 secs
SCTP timeout before SHUTDOWN received: 30 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, SCTP: 60 secs, other IP protocols: 60
secs

--------------------------------------------------------------------------------
Session accelerated aging: True
Accelerated aging threshold: 80% of utilization
Scaling factor: 2 X

--------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
Hardware UDP session offloading: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
ICMP Unreachable Packet Rate: 200 pps

--------------------------------------------------------------------------------

32 PAN-OS CLI QUICK START | Use the CLI

© 2021 Palo Alto Networks, Inc.
 Application trickling scan parameters:
Timeout to determine application trickling: 10 secs
Resource utilization threshold to start scan: 80%
Scan scaling factor over regular aging: 8

--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop

--------------------------------------------------------------------------------
Pcap token bucket rate : 10485760

--------------------------------------------------------------------------------
Max pending queued mcast packets per session : 0

--------------------------------------------------------------------------------

PAN-OS CLI QUICK START | Use the CLI 33

© 2021 Palo Alto Networks, Inc.
Modify the Configuration
You can also modify the device configuration from the CLI using the set, delete, and edit commands (if
your administrative role has a Privilege Level that allows you to write to the configuration). In most cases
you must be in Configure mode to modify the configuration.

• To change the value of a setting, use a set command. For example, to configure an NTP server,
you would enter the complete hierarchy to the NTP server setting followed by the value you
want to set:

admin@PA-3060# set deviceconfig system ntp-servers primary-ntp-server ntp-

server-address pool.ntp.org

To target a command to a specific virtual system (vsys), enter the following operational
mode command: set system setting target-vsys <vsys-name>. To go back
to issuing commands that apply to the firewall instead of the targeted vsys, use set
system target-vsys none.

• To change to a different location in the configuration hierarchy and/or to modify a setting,

use the edit command. The edit commands are very similar to the set commands, except
that when you enter an edit command, you switch context to the corresponding node in the
command hierarchy. This can be useful if you need to enter several commands in a node that
is nested far down in the command hierarchy. For example, if you want to configure all of
the NTP server settings, instead of entering the full command syntax each time using the set
command, you could use the edit command to move to the ntp-servers node as follows:

[edit]
admin@PA-3060# edit deviceconfig system ntp-servers
[edit deviceconfig system ntp-servers]
admin@PA-3060#

Notice that when you enter the command, your new location in the command hierarchy is displayed.
You can now use the set command to configure the NTP server settings without entering the entire
command hierarchy:

admin@PA-3060# set secondary-ntp-server ntp-server-address 10.1.2.3

Use the up command to move up a level in the command hierarchy. Use the top
command to move back to the top of the command hierarchy.

• To delete an existing configuration setting, use a delete command. For example, to delete the
secondary NTP server address, you would enter the following command:

admin@PA-3060# delete deviceconfig system ntp-servers secondary-ntp-server

ntp-server-address

When deleting configuration settings or objects using the CLI, the device does not check
for dependencies like it does in the web interface. Therefore, when you use delete

34 PAN-OS CLI QUICK START | Use the CLI

© 2021 Palo Alto Networks, Inc.
from the CLI, you must manually search the configuration for other places where the
configuration object might be referenced. For example, before you delete an application
filter group named browser-based business, you should search the CLI for that value to
see if it is used anywhere in profiles or policies, using the following command:

admin@PA-3060> show config running | match "browser-based

business"

Notice that because the object you are matching on has a space in it, you must enclose it
in quotation marks.

PAN-OS CLI QUICK START | Use the CLI 35

© 2021 Palo Alto Networks, Inc.
Commit Configuration Changes
Any change in the Palo Alto Networks device configuration is first written to the candidate configuration.
The change only takes effect on the device when you commit it. Committing a configuration applies the
change to the running configuration, which is the configuration that the device actively uses. Upon commit,
the device performs both a syntactic validation (of configuration syntax) and a semantic validation (whether
the configuration is complete and makes sense). As a best practice, validate configuration changes prior
to committing so that you can fix any errors that will cause a commit failure, thereby ensuring that the
commit will succeed. This is particularly useful in environments with a strict change window.
The firewall and Panorama queue commit operations so that you can initiate a new commit while a
previous commit is in progress. The firewall and Panorama perform commits in the order you and other
administrators initiate them but prioritize automatic commits such as content database installations and
FQDN refreshes. If the queue already has the maximum number of administrator-initiated commits (this
varies by appliance model), the firewall or Panorama must begin processing a commit (remove it from the
queue) before you can initiate a new commit.

To see details (such as queue positions or Job-IDs) about commits that are pending, in
progress, completed, or failed, run the operational command show jobs all. To see the
messages and description for a particular commit, run show jobs id <job-id>.

STEP 1 | (Optional but recommended) Validate the configuration:

1. Enter the validate command:

admin@PA-3060> configure
admin@PA-3060# validate full
Validate job enqueued with jobid 3041
3041
2. View the validation results using the job ID that was displayed when you entered the validate
command. Verify that the job finished (FIN) and that the configuration is valid as shown in the
following example:

[edit]
admin@PA-3060# exit
Exiting configuration mode
admin@PA-3060> show jobs id 3041

Enqueued Dequeued ID Type Status Result Completed

------------------------------------------------------------------------------------
2015/05/18
14:00:40 14:00:40 3041 Validate FIN OK 14:01:11
Warnings:EBL(vsys1/Palo Alto Networks Malicious IP List) Unable to fetch
external list. Using old copy for refresh.
vsys1 (vsys1)
vsys1: Rule 'rule1' application dependency warning:
Application 'propalms' requires 'web-browsing' be allowed
Application 'open-vpn' requires 'ssl' be allowed
Application 'open-vpn' requires 'web-browsing' be allowed
Application 'files.to' requires 'web-browsing' be allowed
Application 'gigaup' requires 'ftp' be allowed
Application 'dazhihui' requires 'web-browsing' be allowed
Application 'fasp' requires 'ssh' be allowed
Application 'vidsoft' requires 'web-browsing' be allowed

36 PAN-OS CLI QUICK START | Use the CLI

© 2021 Palo Alto Networks, Inc.
 Application 'ipp' requires 'web-browsing' be allowed
Application 'flexnet-installanywhere' requires 'web-browsing' be
allowed
(Module: device)
Details:Configuration is valid
3. If the validation fails, fix any errors and then repeat steps 1 and 2.

STEP 2 | After successfully validating the configuration, save it to the running configuration by
performing a commit of all or a portion of the configuration:
• Commit the entire configuration:

admin@PA-3060> configure
admin@PA-3060# commit
• Commit part of the configuration on a firewall with multiple virtual systems:

admin@PA-3060# commit partial ?

+ description Enter commit description
+ device-and-network device-and-network
+ shared-object shared-object
> admin admin
> no-vsys no-vsys
> vsys vsys
<Enter> Finish input

When doing a partial commit from the CLI, you must specify what part of the configuration to
exclude from the commit. You can also filter the configuration changes by administrator. For
example, the following command commits only the changes that an administrator with the username
jsmith made to the vsys1 configuration and to shared objects:

admin@PA-3060# commit partial admin jsmith vsys vsys1 device-and-network

excluded
• Commit part of the configuration on a firewall that does not have multiple virtual systems mode
enabled:

admin@PA-220# commit partial ?

+ description Enter commit description
+ device-and-network device-and-network
+ policy-and-objects policy-and-objects
+ shared-object shared-object
> admin admin
<Enter> Finish input

For example, if you made a change in the Security policy only, you might want to commit just the
policy and objects portion of the configuration as follows:

admin@PA-220# commit partial device-and-network excluded

If the commit takes a long time, you can press Ctrl+C to access the command line
while the commit continues as a background process.

PAN-OS CLI QUICK START | Use the CLI 37

© 2021 Palo Alto Networks, Inc.
Test the Configuration
Use the CLI-only test commands to test that your configuration works as expected. For example, you
can test that your policy rulebases are working as expected, that your authentication configuration will
enable the Palo Alto Networks device to successfully connect to authentication services, that a custom URL
category matches expected sites, that your IPSec/IKE VPN settings are configured properly, that your User-
ID syslog parsing profiles are working properly, and many more things.
The following sections show examples of how to use some of the test commands:
• Test the Authentication Configuration
• Test Policy Matches

Test the Authentication Configuration

Use the test authentication command to determine if your firewall or Panorama management server
can communicate with a back-end authentication server and if the authentication request was successful.
You can additionally test authentication profiles used for GlobalProtect and Captive Portal authentication.
You can perform authentication tests on the candidate configuration, so that you know the configuration is
correct before committing.
Connectivity testing is supported for local database authentication and for external authentication servers
that use multi-factor authentication (MFA), RADIUS, TACACS+, LDAP, Kerberos, or SAML.

STEP 1 | (Vsys-specific authentication profiles only) Specify which virtual system contains the
authentication profile you want to test. This is only necessary if you are testing an
authentication profile that is specific to a single virtual system (that is, you do not need to do
this if the authentication profile is shared).

admin@PA-3060> set system setting target-vsys <vsys-name>

For example, to test an authentication profile in vsys2 you would enter the following command:

admin@PA-3060> set system setting target-vsys vsys2

The set system setting target-vsys command is not persistent across sessions.

STEP 2 | Test an authentication profile by entering the following command:

admin@PA-3060> test authentication authentication-profile <authentication-

profile-name> username <username> password

You will be prompted for the password associated with the user account.

Profile names are case-sensitive. Also, if the authentication profile has a username
modifier defined, you must enter it with the username. For example, if the username
modifier is %USERINPUT%@%USERDOMAIN%, for a user named bzobrist in domain
acme.com, you would need to enter [email protected] as the username.

38 PAN-OS CLI QUICK START | Use the CLI

© 2021 Palo Alto Networks, Inc.
 For example, run the following command to test connectivity with a Kerberos server defined in an
authentication profile named Corp, using the login for the LDAP user credentials for user bzobrist:

admin@PA-3060> test authentication authentication-profile Corp username

bzobrist password
Enter password :

Target vsys is not specified, user "bzobrist" is assumed to be configured

with a
shared auth profile.

Do allow list check before sending out authentication request...

name "bzobrist" is in group "all"

Authentication to KERBEROS server at '10.1.2.10' for user 'bzobrist'

Realm: 'ACME.LOCAL'
Egress: 10.55.0.21
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!

Authentication succeeded for user "bzobrist"

Test Policy Matches

You can use test commands to verify that your policies are working as expected.

• Test a security policy rule.

Use the test security-policy-match command to determine whether a security policy rule is
configured correctly. For example, suppose you have a user mcanha in your marketing department
who is responsible for posting company updates to Twitter. Instead of adding a new rule just for that
user, you want to test whether twitter will be allowed via an existing rule. By running the following test
command, you can see that the user mcanha is indeed allowed to post to twitter based on your existing
Allowed Personal Apps security policy rule:

admin@PA-3060> test security-policy-match application twitter-posting

source-user acme\mcanha destination 199.59.150.7 destination-port 80 source
10.40.14.197 protocol 6

"Allowed Personal Apps" {

from trust;
source any;
source-region none;
to untrust;
destination any;
destination-region none;
user any;
category any;
application/service [ twitter-posting/tcp/any/80 twitter-posting/
tcp/any/443 finger/tcp/any/79 finger/udp/any/79 irc-base/tcp/any/6665-6669
vidsoft/tcp/any/51222 vidsoft/tcp/any/80 vidsoft/tcp/any/443 vidsoft/tcp/
any/1853 vidsoft/udp/any/51222 vidsoft/udp/any/1853 rtsp/tcp/any/554 rtsp/
udp/any/554 kkbox/tcp/any/80 yahoo-mail/tcp/any/80 yahoo-mail/tcp/any/143 0
msn-base/tcp/any/443 msn-base/tcp/any/1863 msn-base/tcp/any/7001 msn-base/

PAN-OS CLI QUICK START | Use the CLI 39

© 2021 Palo Alto Networks, Inc.
 udp/any/7001 ebuddy/tcp/any/80 gmail-base/tcp/any/80 gmail-base/tcp/any/443
hovrs/tcp/any/443 hov application/service(implicit) [ http/tcp/any/80 http/
tcp/any/443 http/tcp/any/6788 http/tcp/any/6789 http/tcp/any/7456 http/tcp/
any/8687 http/tcp/any/9100 http/tcp/any/9200 http/udp/any/1513 http/udp/
any/1514 jabber/tcp/any/any jabber/tcp/any/80 jabber/tcp/any/443 jabber/tcp/
any/5228 jabber/tcp/any/25553 jabber/udp/any/any stun/tcp/any/any stun/tcp/
any/3158 stun/udp/any/any web-browsing/any/any/any web-browsing/tcp/any/any
web-browsing/tcp/any/80 action allow;
icmp-unreachable: no
terminal yes;
}

• Test an Authentication policy rule.

Use the test authentication-policy-match command to test your Authentication policy. For
example, you want to make sure that all users accessing Salesforce are authenticated. You would use the
following test command to make sure that if users are not identified using any other mechanism, the
Authentication policy will force them to authenticate:

admin@PA-3060> test authentication-policy-match from trust to untrust source

192.168.201.10 destination 96.43.144.26

Matched rule: 'salesforce' action: web-form

• Test a Decryption policy rule.

Use the test decryption-policy-match category command to test whether traffic to a specific
destination and URL category will be decrypted according to your policy rules. For example, to verify
that your no-decrypt policy for traffic to financial services sites is not being decrypted, you would enter
a command similar to the following:

admin@PA-3060> test decryption-policy-match category financial-services from

trust source 10.40.14.197 destination 159.45.2.143

Matched rule: 'test' action: no-decrypt

40 PAN-OS CLI QUICK START | Use the CLI

© 2021 Palo Alto Networks, Inc.
Load Configurations
• Load Configuration Settings from a Text File
• Load a Partial Configuration

Load Configuration Settings from a Text File

In scripting mode, you can copy and paste commands from a text file directly into the CLI. This is a quick
and easy way to copy several configuration settings from one Palo Alto Networks device to another.

STEP 1 | On the device from which you want to copy configuration commands, set the CLI output mode
to set:

admin@fw1> set cli config-output-format set

STEP 2 | Show the part of the configuration you want to copy. For example, to copy the SNMP
configuration you would enter the following command:

admin@fw1# show deviceconfig system snmp-setting

set deviceconfig system snmp-setting snmp-system location Headquarters
set deviceconfig system snmp-setting snmp-system contact snmp-
[email protected]
set deviceconfig system snmp-setting access-setting version v2c snmp-
community-string public

When pasting commands into the command line, make sure you are entering them in
the proper order to avoid errors. Sometimes commands shown in the CLI are not the
order in which they must be configured on the device (for example, if you are pasting
a configuration from a firewall into Panorama). If you see errors, check whether the
command that generated the error is dependent on a later command. In these cases,
you can usually just reenter the command. Also make sure you are pasting sections of a
configuration in a logical order. For example, you should not copy security policy rules if
you have not yet configured the objects the rules rely on, such as zones, security profiles,
or address groups.

STEP 3 | Copy the commands to a text editor such as Notepad and edit the settings as desired.

STEP 4 | On the second device, paste the commands into the command line.

There is a limit to the amount of text that can be copied into the SSH buffer
(approximately 20 lines). If you cut-and-paste a large block of text into the CLI, examine
the output of the lines you pasted. If you see lines that are truncated or generate errors,
you may have to re-paste a smaller section of text, or switch to scripting mode using
the set cli scripting-mode on operational mode command, which increases the
buffer significantly.

STEP 5 | Commit Configuration Changes.

PAN-OS CLI QUICK START | Use the CLI 41

© 2021 Palo Alto Networks, Inc.
Load a Partial Configuration
Use the load config partial command to copy a section of a configuration file in XML. The
configuration can be:
• A saved configuration file from a Palo Alto Networks firewall or from Panorama
• A local configuration (for example, running-confg.xml or candidate-config.xml)
• An imported configuration file from a firewall or Panorama
To load a partial configuration, you must identify the configuration file you want to copy from and, if it is
not local, import it onto the device (see Use Secure Copy to Import and Export Files for an example of how
to import a saved configuration).

If you are managing more than two or three firewalls, consider using Panorama for central
management and monitoring of your firewalls.

To specify what part of the configuration to load, you must find the xpath location, which specifies the XML
node in the configuration file you are loading from and the node in the local candidate configuration you are
loading to.
The format of the command is:

admin@PA-3060# load config partial mode [append|merge|replace] from-

xpath <source-xpath> to-xpath <destination-xpath> from <filename>

Use the information in the following topics to determine the appropriate Xpath location formats and use
them to load a configuration object from one configuration to another:
• Xpath Location Formats Determined by Device Configuration
• Load a Partial Configuration into Another Configuration Using Xpath Values

Xpath Location Formats Determined by Device Configuration

You specify the source and destination of the load partial command using xpath locations, which
specify the XML node in the configuration you are copying from (from-xpath) and the XML node in the
candidate configuration you are copying to (to-xpath). Determining the correct xpath is a critical part
of using this command. The following table shows the format for the from-xpath and to-xpath on
different types of devices. Notice that the from-xpath begins at devices or shared, whereas the to-
xpath begins with /config.

Type of Xpath Formats

Device
Configuration

Multi-vsys from-xpath
Firewall
devices/entry[@name='localhost.localdomain']/vsys/
entry[@name='vsys-ID']/<object>

to-xpath

42 PAN-OS CLI QUICK START | Use the CLI

© 2021 Palo Alto Networks, Inc.
 Type of Xpath Formats
Device
Configuration

/config/devices/entry[@name='localhost.localdomain']/vsys/
entry[@name='vsys-ID']/<object>

Single-vsys from-xpath
Firewall
devices/entry[@name='localhost.localdomain']/vsys/
entry[@name='vsys1']/<object>

to-xpath

/config/devices/entry[@name='localhost.localdomain']/vsys/
entry[@name='vsys1']/<object>

Panorama from-xpath
Shared
Object shared/<object>

to-xpath

/config/shared/<object>

Panorama from-xpath
Device
Group devices/entry[@name='localhost.localdomain']/device-group/
Object entry[@name='device-group-name']/ <object>

to-xpath

/config/devices/entry[@name='localhost.localdomain']/device-
group/entry[@name='device-group- name']/<object>

Load a Partial Configuration into Another Configuration Using Xpath

Values
STEP 1 | Find the xpath values to use to load the partial configuration.
1. Log in to the web interface on the device and go to the following URL:
https://<device-ip-address>/api

PAN-OS CLI QUICK START | Use the CLI 43

© 2021 Palo Alto Networks, Inc.
 2. Select Configuration Commands.
3. Drill down until you find the configuration object you want to load from one configuration to
another.
For example, to find the application group xpath on a multi-vsys firewall, you would select
Configuration Commands > devices > localhost.localdomain > vsys > <vsys-name> > application-
group. After you drill down to the node you want to load, make note of the XPath that is displayed in
the text box.

You can also find the xpath from the CLI debug mode (use the operational mode
command debug mode on to enable this), and then enter the configuration mode
show command that shows the object you are interested in copying. For example, to
see the xpath for the application object configuration in vsys1, you would enter the
show vsys vsys1 application command. Look for the section of the output that
begins with <requestcmd="get" obj=". This signals the beginning of the xpath. In
the following example, the highlighted section is the xpath for the application objects in
vsys1:

admin@PA-3060# show vsys vsys1 application

(container-tag: vsys container-tag: entry key-tag: name value:
vsys1 container-tag: application)
((eol-matched: . #t) (eol-matched: . #t) (eol-
matched: . #t) (xpath-prefix: . /config/devices/
entry[@name='localhost.localdomain']) (context-inserted-at-end-
p: . #f))

44 PAN-OS CLI QUICK START | Use the CLI

© 2021 Palo Alto Networks, Inc.
 /usr/local/bin/pan_ms_client --config-mode=default --set-
prefix='set vsys vsys1 ' --cookie=2588252477840140 <<'EOF' |/
usr/bin/less -X -E -M
<request cmd="get" obj="/config/devices/
entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/
application"></request>
EOF
4. After you find the xpath for the node you want to load, identify the appropriate from- and to- Xpath
Location Formats Determined by Device Configuration to load the partial configuration.

STEP 2 | Use the load config partial command to copy sections of the configuration you just
imported. For example, you would use the following command to load the application filters
you configured on fw1 from a saved configuration file, fw1-config.xml, you imported from fw1
(a single-vsys firewall) to vsys3 on fw2. Notice that even though fw1 does not have multiple
virtual system support, the xpath still points to the vsys1 (the default vsys ID on single-vsys
firewalls):

admin@fw2# load config partial mode merge from-xpath devices/

entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application-
filter to-xpath/config/devices/entry[@name='localhost.localdomain']/vsys/
entry[@name='vsys3']/application-filter from fw1-config.xml

The quotation marks around the hostname and the vsys name (if applicable) must be
neutral. The command will fail if there are opened or closed quotation marks.

STEP 3 | Commit Configuration Changes.

PAN-OS CLI QUICK START | Use the CLI 45

© 2021 Palo Alto Networks, Inc.
Use Secure Copy to Import and Export Files
Secure Copy (SCP) is a convenient way to import and export files onto or off of a Palo Alto Networks
device. For, example, you can use SCP to upload a new OS version to a device that does not have internet
access, or you can export a configuration or logs from one device to import on another. The SCP commands
require that you have an account (username and password) on the SCP server.

Because the file for the entire log database is too large for an export or import to be practical
on the following models, they do not support the scp export logdb or scp import
logdb commands: Panorama virtual appliance running Panorama 6.0 or later releases,
Panorama M-Series appliances (all releases), and PA-7000 Series firewall (all releases).

• Export a Saved Configuration from One Firewall and Import it into Another
• Export and Import a Complete Log Database (logdb)

Export a Saved Configuration from One Firewall and Import it into

Another
After you import the saved configuration, you can then Load a Partial Configuration from the first firewall
onto the second firewall.

STEP 1 | On the first firewall, save the current configuration to a named configuration snapshot using
the save config to <filename> command in configuration mode. For example:

admin@PA-fw1# save config to fw1-config

STEP 2 | Export the named configuration snapshot and log database to an SCP-enabled server using the
scp export command in operational mode. When prompted, enter the password for your SCP
server account.

admin@fw1> scp export configuration from <named-config-file>

to <username@host:path>

For an SCP server running on Windows, the destination folder/filename path for both the export and
import commands requires a drive letter followed by a colon. For example:

admin@fw1> scp export configuration from fw1-config.xml to

[email protected]:c:/fw-config

STEP 3 | Log in to the firewall to which you want to copy the configuration and logs, and then import
the configuration snapshot and log database. When prompted, enter the password for your
SCP server account.

admin@fw2> scp import configuration from <username@host:path_to_named-

config-file>

For example (on a Windows-based SCP server):

46 PAN-OS CLI QUICK START | Use the CLI

© 2021 Palo Alto Networks, Inc.
 admin@fw2> scp import configuration from [email protected]:c:/fw-configs/fw1-
config.xml

Export and Import a Complete Log Database (logdb)

STEP 1 | Export a log database to an SCP-enabled server using the scp export command in operational
mode. When prompted, enter the password for your SCP server account.

admin@fw1> scp export logdb to <username@host:path_to_destination_filename>

For an SCP server running on Windows, the destination folder/filename path for both the export and
import commands requires a drive letter followed by a colon. For example:

admin@fw1> scp export logdb to [email protected]:c:/fw-logs/fw1-logdb

STEP 2 | Log in to the firewall on which to import a log database, and then enter the import command.
When prompted, enter the password for your SCP server account.

admin@fw2> scp import logdb

from <username@host:path_to_destination_filename>

For example (on a Windows-based SCP server):

admin@fw2> scp import logdb from [email protected]:c:/fw-logs/fw1-logdb

PAN-OS CLI QUICK START | Use the CLI 47

© 2021 Palo Alto Networks, Inc.
CLI Jump Start
The following table provides quick start information for configuring the features of Palo Alto Networks
devices from the CLI. Where applicable for firewalls with multiple virtual systems (vsys), the table also
shows the location to configure shared settings and vsys-specific settings.

To configure... Start here...

MGT interface
# set deviceconfig system ip-address

admin password
# set mgt-config users admin password

DNS
# set deviceconfig system dns-setting servers

NTP
# set deviceconfig system ntp-servers

Interfaces
# set network interface

System settings
# set deviceconfig system

Zones
# set zone <name>
# set vsys <name> zone <name>

Security Profiles
# set profiles
HIP Objects/Profiles # set vsys <name> profiles
URL Filtering Profiles # set shared profiles

WildFire Analysis
Profiles

Server Profiles
# set server-profile
# set vsys <name> server-profile
# set shared server-profile

Authentication
Profiles # set authentication-profile
# set vsys <name> authentication-profile
# set shared authentication-profile

48 PAN-OS CLI QUICK START | Use the CLI

© 2021 Palo Alto Networks, Inc.
To configure... Start here...

Certificate Profiles
# set certificate-profile
# set vsys <name> certificate-profile
# set shared certificate-profile

Policy
# set rulebase
# set vsys vsys1 rulebase

Log Quotas
# set deviceconfig setting management quota-settings

User-ID
# set user-id-agent
# set vsys <name> user-id-agent
# set user-id-collector
# set vsys <name> user-id-collector

HA
# set deviceconfig high-availability

AutoFocus Settings
# set deviceconfig setting autofocus

WildFire Settings
# set deviceconfig setting wildfire

Panorama
# set deviceconfig system panorama-server

Restart
> request restart system

PAN-OS CLI QUICK START | Use the CLI 49

© 2021 Palo Alto Networks, Inc.
50 PAN-OS CLI QUICK START | Use the CLI
CLI Cheat Sheets
> CLI Cheat Sheet: Device Management
> CLI Cheat Sheet: User-ID
> CLI Cheat Sheet: Networking
> CLI Cheat Sheet: VSYS
> CLI Cheat Sheet: Panorama

51
52 PAN-OS CLI QUICK START | CLI Cheat Sheets
© 2021 Palo Alto Networks, Inc.
CLI Cheat Sheet: Device Management
Use the following table to quickly locate commands for common device management tasks:

If you want to... Use...

• Show general system health information.

> show system info

• Show percent usage of disk partitions. Include

the optional files parameter to show > show system disk-space files
information about inodes, which track file
storage.

• Show the maximum log file size.

> show system logdb-quota

• Show running processes.

> show system software status

• Show processes running in the management

plane. > show system resources

• Show resource utilization in the dataplane.

> show running resource-monitor

• Show the licenses installed on the device.

> request license info

• Show when commits, downloads, and/or

upgrades are completed. > show jobs processed

• Show session information.

> show session info

• Show information about a specific session.

> show session id <session-id>

• Show the running security policy.

> show running security-policy

• Show the authentication logs.

> less mp-log authd.log

PAN-OS CLI QUICK START | CLI Cheat Sheets 53

© 2021 Palo Alto Networks, Inc.
 If you want to... Use...

• Restart the device.

> request restart system

• Show the administrators who are currently

logged in to the web interface, CLI, or API. > show admins

• Show the administrators who can access

the web interface, CLI, or API, regardless of > show admins all
whether those administrators are currently
logged in.
When you run this command on the firewall,
the output includes local administrators,
remote administrators, and all administrators
pushed from a Panorama template. Remote
administrators are listed regardless of when
they last logged in.

• Configure the management interface as a

DHCP client.
For a successful commit, you must include each
of the parameters: accept-dhcp-domain,
accept-dhcp-hostname, send-client-
id, and send-hostname.
# set deviceconfig system type dhcp-
client accept-dhcp-domain <yes|no>
accept-dhcp-hostname <yes|no> send-
client-id <yes|no> send-hostname
<yes|no>

54 PAN-OS CLI QUICK START | CLI Cheat Sheets

© 2021 Palo Alto Networks, Inc.
CLI Cheat Sheet: User-ID
Use the following commands to perform common User-ID configuration and monitoring tasks.

To see more comprehensive logging information enable debug mode on the agent using
the debug user-id log-ip-user-mapping yes command. When you are done
troubleshooting, disable debug mode using debug user-id log-ip-user-mapping
no.

CLI Cheat Sheet: User-ID

View all User-ID agents configured to send user mappings to the Palo Alto Networks device:
• To see all configured Windows-based agents:

> show user user-id-agent state all

• To see if the PAN-OS-integrated agent is configured:

> show user server-monitor state all

View how many log messages came in from syslog senders and how many entries the User-ID agent
successfully mapped:

> show user server-monitor statistics

View the configuration of a User-ID agent from the Palo Alto Networks device:

> show user user-id-agent config name <agent-name>

View group mapping information:

> show user group-mapping statistics

> show user group-mapping state all
> show user group list
> show user group name <group-name>

View all user mappings on the Palo Alto Networks device:

> show user ip-user-mapping all

Show user mappings filtered by a username string (if the string includes the domain name, use two
backslashes before the username):

> show user ip-user-mapping all | match <domain>\\<username-string>

Show user mappings for a specific IP address:

PAN-OS CLI QUICK START | CLI Cheat Sheets 55

© 2021 Palo Alto Networks, Inc.
 CLI Cheat Sheet: User-ID

> show user ip-user-mapping ip <ip-address>

Show usernames:

> show user user-ids

View the most recent addresses learned from a particular User-ID agent:

> show log userid datasourcename equal <agent-name> direction equal backward

View mappings from a particular type of authentication service:

> show log userid datasourcetype equal <authentication-service>

where <authentication-service> can be authenticate, client-cert, directory-server,

exchange-server, globalprotect, kerberos, netbios-probing, ntlm, unknown, vpn-
client, or wmi-probing.
For example, to view all user mappings from the Kerberos server, you would enter the following
command:

> show log userid datasourcetype equal kerberos

View mappings learned using a particular type of user mapping:

> show log userid datasource equal <datasource>

where <datasource> can be agent, captive-portal, event-log, ha, probing, server-

session-monitor, ts-agent, unknown, vpn-client, or xml-api.
For example, to view all user mappings from the XML API, you would enter the following command:

> show log userid datasourcetype equal xml-api

Find a user mapping based on an email address:

> show user email-lookup

+ base Default base distinguished name (DN) to use for
searches
+ bind-dn bind distinguished name
+ bind-password bind password
+ domain Domain name to be used for username
+ group-object group object class(comma-separated)
+ name-attribute name attribute
+ proxy-agent agent ip or host name.
+ proxy-agent-port user-id agent listening port, default is 5007
+ use-ssl use-ssl
* email email address
> mail-attribute mail attribute

56 PAN-OS CLI QUICK START | CLI Cheat Sheets

© 2021 Palo Alto Networks, Inc.
CLI Cheat Sheet: User-ID
> server ldap server ip or host name.
> server-port ldap server listening port

For example:

> show user email-lookup base "DC=lab,DC=sg,DC=acme,DC=local" bind-dn

"CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local" bind-password
acme use-ssl no email [email protected] mail-attribute mail server
10.1.1.1 server-port 389 labsg\user1

Clear the User-ID cache:

clear user-cache all

Clear a User-ID mapping for a specific IP address:

clear user-cache ip <ip-address/netmask>

PAN-OS CLI QUICK START | CLI Cheat Sheets 57

© 2021 Palo Alto Networks, Inc.
CLI Cheat Sheet: HA
Use the following table to quickly locate commands for HA tasks.

If you want to ... Use ...

• View all HA cluster configuration content.

> show high-availability cluster all

• View HA cluster flap statistics.

> show high-availability cluster flap-
Cluster flap count is reset statistics
when the HA device moves
from suspended to functional
and vice versa. Cluster flap
count also resets when non-
functional hold time expires.

• View status of the HA4 interface.

> show high-availability cluster ha4-
status

• View status of the HA4 backup interface.

> show high-availability cluster ha4-
backup-status

• View information about the type and number

of synchronized messages to or from an HA > show high-availability cluster
cluster. session-synchronization

• View HA cluster state and configuration

information. > show high-availability cluster state

• View HA cluster statistics, such as counts

received messages and dropped packets for > show high-availability cluster
various reasons. statistics

• Clear HA cluster statistics.

> clear high-availability cluster
statistics

• Clear session cache.

> request high-availability cluster
clear-cache

58 PAN-OS CLI QUICK START | CLI Cheat Sheets

© 2021 Palo Alto Networks, Inc.
If you want to ... Use ...

• Request full session cache synchronization.

> request high-availability cluster
sync-from

PAN-OS CLI QUICK START | CLI Cheat Sheets 59

© 2021 Palo Alto Networks, Inc.
CLI Cheat Sheet: Networking
Use the following table to quickly locate commands for common networking tasks:

If you want to . . . Use . . .

General Routing Commands

• Display the routing table

> show routing route

• Look at routes for a specific

destination > show routing fib virtual-router <name> |
match <x.x.x.x/Y>

• Change the ARP cache timeout

setting from the default of 1800 > set system setting arp-cache-
seconds. timeout <60-65536>

• View the ARP cache timeout

setting. > show system setting arp-cache-timeout

NAT

• Show the NAT policy table

> show running nat-policy

• Test the NAT policy

> test nat-policy-match

• Show NAT pool utilization

> show running ippool
> show running global-ippool

IPSec

• Show IPSec counters

> show vpn flow

• Show a list of all IPSec gateways

and their configurations > show vpn gateway

• Show IKE phase 1 SAs

> show vpn ike-sa

60 PAN-OS CLI QUICK START | CLI Cheat Sheets

© 2021 Palo Alto Networks, Inc.
If you want to . . . Use . . .

• Show IKE phase 2 SAs

> show vpn ipsec-sa

• Show a list of auto-key IPSec

tunnel configurations > show vpn tunnel

BFD

• Show BFD profiles

> show routing bfd active-profile [<name>]

• Show BFD details

> show routing bfd details [interface <name>]
[local-ip <ip>] [multihop][peer-ip <ip>]
[session-id] [virtual-router <name>]

• Show BFD statistics on dropped

sessions > show routing bfd drop-counters session-
id <session-id>

• Show counters of transmitted,

received, and dropped BFD > show counter global | match bfd
packets

• Clear counters of transmitted,

received, and dropped BFD > clear routing bfd counters session-id all
packets | <1-1024>

• Clear BFD sessions for debugging

purposes > clear routing bfd session-state session-id
all | <1-1024>

PVST+

• Set the native VLAN ID

> set session pvst-native-vlan-id <vid>

• Drop all STP BPDU packets

> set session drop-stp-packet

• Verify PVST+ BPDU rewrite

configuration, native VLAN ID, > show vlan all
and STP BPDU packet drop

• Show counter of times the 802.1Q

tag and PVID fields in a PVST+ > show counter global
BPDU packet do not match

PAN-OS CLI QUICK START | CLI Cheat Sheets 61

© 2021 Palo Alto Networks, Inc.
 If you want to . . . Use . . .
Look at the flow_pvid_inconsistent counter.

Troubleshooting

• Ping from the management (MGT)

interface to a destination IP > ping host <destination-ip-address>
address

• Ping from a dataplane interface to

a destination IP address > ping source <ip-address-on-dataplane>
host <destination-ip-address>

• Show network statistics

> show netstat statistics yes

62 PAN-OS CLI QUICK START | CLI Cheat Sheets

© 2021 Palo Alto Networks, Inc.
CLI Cheat Sheet: VSYS
Use the following commands to administer a Palo Alto Networks firewall with multiple virtual system
(multi-vsys) capability. You must have superuser, superuser (read-only), device administrator, or device
administrator (read-only) access to use these commands. These commands are not available for virtual
system administrator or virtual system administrator (read-only) roles.

If you want to . . . Use . . .

• Find out if the firewall is in multi-vsys

mode admin@PA> show system info | match vsys
multi-vsys: on

• View a list of virtual systems

configured on the firewall admin@PA> set system setting target-vsys ?
none none
After adding a new virtual vsys1 vsys1
vsys2 vsys2
system from the CLI, you
<value> <value>
must log out and log back
in to see the new virtual
system within the CLI.

• Switch to a particular vsys so that you

can issue commands and view data admin@PA> set system setting target-
specific to that vsys vsys <vsys-name>

For example, use the following command to switch to

vsys2; note that the vsys name is case sensitive:

> set system setting target-vsys vsys2

Session target vsys changed to vsys2
admin@PA-vsys2>

Notice that the command prompt now shows the name of

the vsys you are now administering.

• View the maximum number of sessions

allowed, in use, and throttled admin@PA> show session meter

Example output:

VSYS Maximum Current Throttled

1 10 30 1587

Maximum indicates the maximum number of sessions

allowed per dataplane, Current indicates the number of
sessions being used by the virtual system, and Throttled
indicates the number of sessions denied for the virtual

PAN-OS CLI QUICK START | CLI Cheat Sheets 63

© 2021 Palo Alto Networks, Inc.
 If you want to . . . Use . . .
system because the sessions exceeded the Maximum
number multiplied by the number of dataplanes in the
system.

As shown in this example, on a PA-5200

Series or PA-7000 Series firewall, the
Current number of sessions being used can
be greater than the Maximum configured
for Sessions Limit (Device > Virtual
Systems > Resource) because there are
multiple dataplanes per virtual system. The
Sessions Limit you configure on a PA-5200
or PA-7000 Series firewall is per dataplane,
and will result in a higher maximum per
virtual system.

• View the User-ID mappings in the vsys

admin@PA-vsys2> show user ip-user-mapping
all

• Return to configuring the firewall

globally admin@PA-vsys2> set system setting target-
vsys none
admin@PA>

64 PAN-OS CLI QUICK START | CLI Cheat Sheets

© 2021 Palo Alto Networks, Inc.
CLI Cheat Sheet: Panorama
Use the following commands on Panorama to perform common configuration and monitoring tasks for the
Panorama management server (M-Series appliance in Panorama mode), Dedicated Log Collectors (M-Series
appliances in Log Collector mode), and managed firewalls.

To view system information about a Panorama virtual appliance or M-Series appliance (for
example, job history, system resources, system health, or logged-in administrators), see CLI
Cheat Sheet: Device Management.
A Dedicated Log Collector mode has no web interface for administrative access, only a
command line interface (CLI).

If you want to . . . Use . . .

M-Series Appliance Mode of Operation (Panorama, Log Collector, or PAN-DB Private Cloud Mode)

Switching the mode reboots the M-Series appliance, deletes any existing log data, and
deletes all configurations except the management access settings.

• Display the current operational mode.

>
show system info |
match system-mode

• Switch from Panorama mode to Log Collector mode.

>
request system
system-mode logger

• Switch from Panorama mode to PAN-DB private cloud

mode (M-500 appliance only). >
request system
system-mode panurldb

• Switch an M-Series appliance from Log Collector mode

or PAN-DB private cloud mode (M-500 appliance only) to >
Panorama mode. request system
system-mode panorama

• Switch the Panorama virtual appliance from Legacy mode

to Panorama mode. >
request system
system-mode panorama

PAN-OS CLI QUICK START | CLI Cheat Sheets 65

© 2021 Palo Alto Networks, Inc.
 If you want to . . . Use . . .

• Switch the Panorama virtual appliance from Panorama

mode to Legacy mode. >
request system
system-mode legacy

Panorama Management Server

• Change the output for show commands to a format that

you can run as CLI commands. >
set cli config-
output-mode set

The following is an example of the

output for the show device-group
command after setting the output
format:

#
show device-group
branch-offices
set device-group
branch-offices devices
set device-group
branch-offices pre-rulebase
...

• Enable or disable the connection between a firewall and

Panorama. You must enter this command from the firewall >
CLI. set panorama [off |
on]

• Synchronize the configuration of M-Series appliance high

availability (HA) peers. >
request high-
availability sync-to-remote
[running-config | candidate-
config]

• Reboot multiple firewalls or Dedicated Log Collectors.

>
request batch reboot
[devices | log-collectors]
<serial-number>

66 PAN-OS CLI QUICK START | CLI Cheat Sheets

© 2021 Palo Alto Networks, Inc.
If you want to . . . Use . . .

• Change the interval in seconds (default is 10; range is

5 to 60) at which Panorama polls devices (firewalls and >
Log Collectors) to determine the progress of software or set dlsrvr poll-
content updates. Panorama displays the progress when interval
<5-60>
you deploy the updates to devices. Decreasing the interval
makes the progress report more accurate but increases
traffic between Panorama and the devices.

Device Groups and Templates

• Show the history of device group commits, status of the

connection to Panorama, and other information for the >
firewalls assigned to a device group. show devicegroups
name
<device-group-name>

• Show the history of template commits, status of the

connection to Panorama, and other information for the >
firewalls assigned to a template. show templates name
<template-name>

• Show all the policy rules and objects pushed from

Panorama to a firewall. You must enter this command >
from the firewall CLI. show config pushed-
shared-policy

• Show all the network and device settings pushed from

Panorama to a firewall. You must enter this command >
from the firewall CLI. show config pushed-
template

Log Collection

• Show the current rate at which the Panorama

management server or a Dedicated Log Collector receives >
firewall logs. debug log-collector
log-collection-stats show
incoming-logs

• Show the quantity and status of logs that Panorama or a

Dedicated Log Collector forwarded to external servers >
(such as syslog servers) as well as the auto-tagging status debug log-collector
of the logs. Tracking dropped logs helps you troubleshoot log-collection-stats show
log-forwarding-stats
connectivity issues.

PAN-OS CLI QUICK START | CLI Cheat Sheets 67

© 2021 Palo Alto Networks, Inc.
 If you want to . . . Use . . .

• Show status information for log forwarding to the

Panorama management server or a Dedicated Log >
Collector from a particular firewall (such as the last show logging-status
received and generated log of each type). device
<firewall-serial-
When you run this command at the firewall CLI (skip the number>
device <firewall-serial-number> argument), the
output also shows how many logs the firewall has forwarded.

• Clear logs by type.

>
Running this command on the Panorama management server clear log [acc |
clears logs that Panorama and Dedicated Log Collectors alarm | config | hipmatch |
generated, as well as any firewall logs that the Panorama system]
management server collected. Running this command on a
Dedicated Log Collector clears the logs that it collected from
firewalls.

68 PAN-OS CLI QUICK START | CLI Cheat Sheets

CLI Changes in PAN-OS 10.0
This chapter identifies the PAN-OS 10.0 CLI configure commands changed since the PAN-OS
9.1 release:

> Changed Load Commands

> Removed Load Commands
> Changed Revert Commands
> New Set Commands
> Changed Set Commands
> Removed Set Commands
> New Show Commands
> Removed Show Commands

69
70 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0
© 2021 Palo Alto Networks, Inc.
Load Commands Changed in PAN-OS 10.0
We modified the following commands in the 10.0 release to include the skip-validate command.

load config key<value>|<default> regenerate-rule-uuid-all <yes|no> skip-

validate <yes|no> from <value>

load config key <value>|<default> regenerate-rule-uuid-all <yes|no> skip-

validate <yes|no> version <value>| <1-1048576>

load config key <value>|<default> regenerate-rule-uuid-all <yes|no> skip-

validate <yes|no> last-saved

load config key <value>|<default> regenerate-rule-uuid-all <yes|no>

skip-validate <yes|no> partial shared-objects < include> shared-policies
<included> from <value from-xpath <value> to x-path <value> mode <merge|
replace|append> device-group

load config key <value>|<default> regenerate-rule-uuid-all <yes|no>

skip-validate <yes|no> partial shared-objects < include> shared-policies
<included> from <value from-xpath <value> to x-path <value> mode <merge|
replace|append> device-group [ <device-group1> <device-group2>... ]

load config key <value>|<default> regenerate-rule-uuid-all <yes|no>

skip-validate <yes|no> partial shared-objects < include> shared-policies
<included> from <value from-xpath <value> to x-path <value> mode <merge|
replace|append> template

load config key <value>|<default> regenerate-rule-uuid-all <yes|no>

skip-validate <yes|no> partial shared-objects < include> shared-policies
<included> from <value from-xpath <value> to x-path <value> mode <merge|
replace|append> template [ <template1 <template2>... ]

load config key <value>|<default> regenerate-rule-uuid-all <yes|no>

skip-validate <yes|no> partial shared-objects < include> shared-policies
<included> from <value from-xpath <value> to x-path <value> mode <merge|
replace|append> template-stack

load config key <value>|<default> regenerate-rule-uuid-all <yes|no>

skip-validate <yes|no> partial shared-objects < include> shared-policies
<included> from <value from-xpath <value> to x-path <value> mode <merge|
replace|append> template-stack [ <template-stack1 <template-stack2>... ]

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 71

© 2021 Palo Alto Networks, Inc.
Load Commands Removed in PAN-OS 10.0
The following commands are no longer available in the 10.0 release.

load config key <value>|<default> regenerate-rule-uuid-all <yes|no> from

<value>
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> version
<value>|<1-1048576>
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> last-
saved

load config key <value>|<default> regenerate-rule-uuid-all <yes|no> partial

shared-objects <included> shared-policies <included> from <value> from-
xpath <value> to-xpath <value> mode <merge|replace|append> device-group
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> partial
shared-objects <included> shared-policies <included> from <value> from-
xpath <value> to-xpath <value> mode <merge|replace|append> device-group
[ <device-group1> <device-group2>... ]

load config key <value>|<default> regenerate-rule-uuid-all <yes|no> partial

shared-objects <included> shared-policies <included> from <value> from-
xpath <value> to-xpath <value> mode <merge|replace|append> template
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> partial
shared-objects <included> shared-policies <included> from <value> from-
xpath <value> to-xpath <value> mode <merge|replace|append> template
[ <template1> <template2>... ]

load config key <value>|<default> regenerate-rule-uuid-all <yes|no> partial

shared-objects <included> shared-policies <included> from <value> from-
xpath <value> to-xpath <value> mode <merge|replace|append> template-stack
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> partial
shared-objects <included> shared-policies <included> from <value> from-
xpath <value> to-xpath <value> mode <merge|replace|append> template-stack
[ <template-stack1> <template-stack2>... ]

72 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
Revert Commands Changed in PANOS-10.0
The following commands are modified in the 10.0 release.
Added skip-validate option.

revert config skip-validate<yes|no> partial shared-object <excluded> device-

and-network <excluded> admin

revert config skip-validate <yes|no> partial shared-object <excluded>

device-and-network <excluded> admin [ <admin1> <admin2>... ]

revert config skip-validate <yes|no> partial shared-object <excluded>

device-and-network <excluded> vsys

revert config skip-validate <yes|no> partial shared-object <excluded>

device-and-network <excluded> no-vsys

revert config skip-validate <yes|no> partial shared-object <excluded>

device-and-network <excluded> [<vsys> <vsys2>...]

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 73

© 2021 Palo Alto Networks, Inc.
Set Commands Introduced in PAN-OS 10.0
The following commands are new in the 10.0 release:

set deviceconfig system lcaas-use-proxy <yes|no>

set deviceconfig system ssh profiles

set deviceconfig system ssh
set deviceconfig system ssh
set deviceconfig system ssh
<ciphers2>... ]
set deviceconfig system ssh
<mac2>... ]
set deviceconfig system ssh
<kex2>... ]
set deviceconfig system ssh
set deviceconfig system ssh
type
set deviceconfig system ssh
type ECDSA <256|384|521>
set deviceconfig system ssh
type RSA <2048|3072|4096>
set deviceconfig system ssh
set deviceconfig system ssh
<10-4000>|<default>
set deviceconfig system ssh
packets <12-27>|<default>
profiles ha-profiles
profiles ha-profiles <name>
profiles ha-profiles <name> ciphers [ <ciphers1>
profiles ha-profiles <name> mac [ <mac1>
profiles ha-profiles <name> kex [ <kex1>
profiles ha-profiles <name> default-hostkey
profiles ha-profiles <name> default-hostkey key-
profiles ha-profiles <name> default-hostkey key-
profiles ha-profiles <name> default-hostkey key-
profiles ha-profiles <name> session-rekey
profiles ha-profiles <name> session-rekey data
profiles ha-profiles <name> session-rekey

set deviceconfig system ssh profiles mgmt-profiles client-profiles

set deviceconfig system ssh profiles mgmt-profiles client-profiles <name>

set deviceconfig system ssh profiles mgmt-profiles server-profiles

set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>

set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>

ciphers [ <ciphers1> <ciphers2>... ]

set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>

mac [ <mac1> <mac2>... ]

set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>

kex [ <kex1> <kex2>... ]

set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>

default-hostkey
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>
default-hostkey key-type
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>
default-hostkey key-type ECDSA <256|384|521>

set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>

default-hostkey key-type RSA <2048|3072|4096>

74 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>
default-hostkey key-type all
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>
session-rekey

set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>

session-rekey data <10-4000>|<default>

set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>

session-rekey interval <10-3600>|<default>

set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>

session-rekey packets <12-27>|<default>

set deviceconfig system device-telemetry

set deviceconfig system device-telemetry product-usage <yes|no>
set deviceconfig system device-telemetry device-health-performance <yes|no>
set deviceconfig system device-telemetry threat-prevention <yes|no>
set deviceconfig system device-telemetry region <value>

set deviceconfig system ssh ha

set deviceconfig system
set deviceconfig system
set deviceconfig system
set deviceconfig system
set deviceconfig system
set deviceconfig system
to-peer <yes|no>
set deviceconfig system
sync-to-peer <yes|no>
set deviceconfig system
sync-to-peer <yes|no>
set deviceconfig system
to-peer <yes|no>
ssh ha ha-profile <value>
ssh mgmt
ssh mgmt client-profile <value>
ssh mgmt server-profile <value>
update-schedule wildfire recurring real-time
update-schedule wildfire recurring every-min sync-
update-schedule wildfire recurring every-15-mins
update-schedule wildfire recurring every-30-mins
update-schedule wildfire recurring every-hour sync-

set deviceconfig setting filemgr-service-setting

set deviceconfig setting filemgr-service-setting filemgr-server<value>
set deviceconfig setting captive-portal
set deviceconfig setting captive-portal number-workers <2-12>
set deviceconfig setting captive-portal disable-token <yes|no>
set deviceconfig setting wildfire real-time-cloud-server <value>
set deviceconfig setting ssl-decrypt fptcp-rwin-max <524288-8388608>

set deviceconfig setting session packet-buffer-protection-monitor-only<yes|

no>
set deviceconfig setting session packet-buffer-protection-block-countdown
<0-99>
set deviceconfig setting session packet-buffer-protection-use-latency <yes|
no>
set deviceconfig setting session packet-buffer-protection-latency-alert
<1-20000>
set deviceconfig setting session packet-buffer-protection-latency-activate
<1-20000>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 75

© 2021 Palo Alto Networks, Inc.
 set deviceconfig setting
countdown <1-20000>
set deviceconfig setting
tolerate <1-20000>
set deviceconfig setting
set deviceconfig setting
session packet-buffer-protection-latency-block-
session packet-buffer-protection-latency-max-
session tcp-retransmit-scan <yes|no>
session dhcp-bcast-session-on <yes|no>

set deviceconfig setting logging enhanced-application-logging disable-global

dp-channel
set deviceconfig setting management secure-conn-client enable-secure-user-
id-communication<yes|no>
set deviceconfig setting management secure-conn-server
set deviceconfig setting management secure-conn-server ssl-tls-service-
profile <value>
set deviceconfig setting management secure-conn-server certificate-profile
<value>
set deviceconfig setting management secure-conn-server enable-secure-user-
id-communication <yes|no>
set deviceconfig setting management quota-settings log-expiration-period
decryption <1-2000>
set deviceconfig setting management quota-settings log-expiration-period
desum <1-2000>
set deviceconfig setting management quota-settings log-expiration-period
hourlydesum <1-2000>
set deviceconfig setting management quota-settings log-expiration-period
dailydesum <1-2000>
set deviceconfig setting management quota-settings log-expiration-period
weeklydesum <1-2000>
set deviceconfig setting management quota-settings disk-quota desum <float>
set deviceconfig setting management quota-settings disk-quota decryption
<float>
set deviceconfig setting management quota-settings disk-quota hourlydesum
<float>
set deviceconfig setting management quota-settings disk-quota dailydesum
<float>
set deviceconfig setting management quota-settings disk-quota weeklydesum
<float>
set deviceconfig setting management admin-session
set deviceconfig setting management admin-session max-session-count <1-4>
set deviceconfig setting management admin-session max-session-time <value>
set deviceconfig setting management admin-session max-session-count <0-4>
set deviceconfig setting management common-criteria-alarm-generation log-
databases-alarm-threshold decryption <0-100>

set deviceconfig setting tunnel-acceleration <yes|no>

set deviceconfig setting iot
set deviceconfig setting iot edge
set deviceconfig setting iot edge disable-device-cert <yes|no>
set deviceconfig setting iot edge address <ip/netmask>|<value>

set deviceconfig high-availability interface ha4

set deviceconfig high-availability interface ha4 ip-address <ip/netmask>
set deviceconfig high-availability interface ha4-backup
set deviceconfig high-availability interface ha4-backup port <value>

76 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set deviceconfig high-availability interface ha4-backup ip-address <ip/
netmask>
set deviceconfig high-availability interface ha4-backup netmask <value>

set deviceconfig high-availability cluster

set deviceconfig high-availability
set deviceconfig high-availability
set deviceconfig high-availability
<0-30>
set deviceconfig high-availability
<5000-60000>
set deviceconfig high-availability
set deviceconfig high-availability
set deviceconfig high-availability
set deviceconfig high-availability
address <ip/netmask>
set deviceconfig high-availability
backup-ip-address <ip/netmask>
set deviceconfig high-availability
synchronization <enabled|disabled>
set deviceconfig high-availability
<value>
set deviceconfig high-availability
<1-60>
cluster enabled <yes|no>
cluster cluster-id <1-99>
cluster cluster-synchronization-timeout
cluster cluster-keepalive-threshold
cluster description <value>
cluster cluster-members
cluster cluster-members <name>
cluster cluster-members <name> ha4-ip-
cluster cluster-members <name> ha4-
cluster cluster-members <name> session-
cluster cluster-members <name> comments
cluster monitor-fail-hold-down-time

set deviceconfig high-availability group mode active-active network-

configuration sync logical-router<yes|no>
set deviceconfig high-availability group monitoring path-monitoring path-
group virtual-wire <name> destination-ip-group
set deviceconfig high-availability group monitoring path-monitoring path-
group virtual-wire <name> destination-ip-group <name>

set deviceconfig high-availability group monitoring path-monitoring path-

group virtual-wire <name> destination-ip-group <name> destination-ip
[ <destination-ip1> <destination-ip2>... ]

set deviceconfig high-availability group monitoring path-monitoring path-

group virtual-wire <name> destination-ip-group <name> enabled <yes|no>

set deviceconfig high-availability group monitoring path-monitoring path-

group virtual-wire <name> destination-ip-group <name> failure-condition
<any|all>

set deviceconfig high-availability group monitoring path-monitoring path-

group vlan<name> destination-ip-group
set deviceconfig high-availability group monitoring path-monitoring path-
group vlan <name> destination-ip-group <name>

set deviceconfig high-availability group monitoring path-monitoring

path-group vlan <name> destination-ip-group <name> destination-ip
[ <destination-ip1> <destination-ip2>... ]

set deviceconfig high-availability group monitoring path-monitoring path-

group vlan <name> destination-ip-group <name> enabled <yes|no>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 77

© 2021 Palo Alto Networks, Inc.
 set deviceconfig high-availability group monitoring path-monitoring path-
group vlan <name> destination-ip-group <name> failure-condition <any|all>
set deviceconfig high-availability group monitoring path-monitoring path-
group virtual-router <name> destination-ip-group
set deviceconfig high-availability group monitoring path-monitoring path-
group virtual-router <name> destination-ip-group <name>

set deviceconfig high-availability group monitoring path-monitoring path-

group virtual-router <name> destination-ip-group <name> destination-ip
[ <destination-ip1> <destination-ip2>... ]

set deviceconfig high-availability group monitoring path-monitoring path-

group virtual-router <name> destination-ip-group <name> enabled <yes|no>

set deviceconfig high-availability group monitoring path-monitoring path-

group virtual-router <name> destination-ip-group <name> failure-condition
<any|all>

set deviceconfig high-availability group monitoring path-monitoring path-

group logical-router
set deviceconfig high-availability group monitoring path-monitoring path-
group logical-router <name>

set deviceconfig high-availability group monitoring path-monitoring path-

group logical-router <name> enabled <yes|no>
set deviceconfig high-availability group monitoring path-monitoring path-
group logical-router <name> failure-condition <any|all>

set deviceconfig high-availability group monitoring path-monitoring path-

group logical-router <name> ping-interval <200-60000>

set deviceconfig high-availability group monitoring path-monitoring path-

group logical-router <name> ping-count <3-10>

set deviceconfig high-availability group monitoring path-monitoring path-

group logical-router <name> destination-ip-group

set deviceconfig high-availability group monitoring path-monitoring path-

group logical-router <name> destination-ip-group <name>

set deviceconfig high-availability group monitoring path-monitoring path-

group logical-router <name> destination-ip-group <name> destination-ip
[ <destination-ip1> <destination-ip2>... ]

set deviceconfig high-availability group monitoring path-monitoring path-

group logical-router <name> destination-ip-group <name> enabled <yes|no>

set deviceconfig high-availability group monitoring path-monitoring path-

group logical-router <name> destination-ip-group <name> failure-condition
<any|all>

set mgt-config users <name> preferences saved-log-query decryption

set mgt-config users <name> preferences saved-log-query decryption <name>
set mgt-config users <name> preferences saved-log-query decryption <name>
query <value>

78 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set network profiles zone-protection-profile <name> l2-sec-group-tag-
protection
set network profiles zone-protection-profile <name> l2-sec-group-tag-
protection tags
set network profiles zone-protection-profile <name> l2-sec-group-tag-
protection tags <name>
set network profiles zone-protection-profile <name> l2-sec-group-tag-
protection tags <name> tag <value>
set network profiles zone-protection-profile <name> l2-sec-group-tag-
protection tags <name> enable <yes|no>

set network logical-router

set network logical-router <name>
set network logical-router <name> vrf
set network logical-router <name> vrf <name>
set network logical-router <name> vrf <name> interface [ <interface1>
<interface2>... ]
set network logical-router <name> vrf <name> bgp
set network logical-router <name> vrf <name> bgp enable <yes|no>
set network logical-router <name> vrf <name> bgp router-id <ip/netmask>
set network logical-router <name> vrf <name> bgp enforce-first-as <yes|no>
set network logical-router <name> vrf <name> bgp fast-external-failover
<yes|no>
set network logical-router <name> vrf <name> bgp ecmp-multi-as <yes|no>
set network logical-router <name> vrf <name> bgp local-as <1-4294967295>
set network logical-router <name> vrf <name> bgp med
set network logical-router <name> vrf <name> bgp med always-compare-med
<yes|no>
set network logical-router <name> vrf <name> bgp med deterministic-med-
comparison <yes|no>
set network logical-router <name> vrf <name> bgp default-local-preference
<0-4294967295>
set network logical-router <name> vrf <name> bgp graceful-restart
set network logical-router <name> vrf <name> bgp graceful-restart enable
<yes|no>
set network logical-router <name> vrf <name> bgp graceful-restart stale-
route-time <1-3600>
set network logical-router <name> vrf <name> bgp graceful-restart max-peer-
restart-time <1-3600>

set network logical-router <name> vrf <name> bgp peer-group

set network logical-router <name> vrf <name> bgp peer-group <name>
set network logical-router <name> vrf <name> bgp peer-group <name> enable
<yes|no>
set network logical-router <name> vrf <name> bgp peer-group <name> type
set network logical-router <name> vrf <name> bgp peer-group <name> type ibgp
set network logical-router <name> vrf <name> bgp peer-group <name> type ebgp
set network logical-router <name> vrf <name> bgp peer-group <name> address-
family
set network logical-router <name> vrf <name> bgp peer-group <name> address-
family ipv4
set network logical-router <name> vrf <name> bgp peer-group <name> address-
family ipv4 unicast <value>
set network logical-router <name> vrf <name> bgp peer-group <name> address-
family ipv6

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 79

© 2021 Palo Alto Networks, Inc.
 set network logical-router <name> vrf <name> bgp peer-group <name> address-
family ipv6 unicast <value>
set network logical-router <name> vrf <name> bgp peer-group <name>
connection-options
set network logical-router <name> vrf <name> bgp peer-group <name>
connection-options timers <value>
set network logical-router <name> vrf <name> bgp peer-group <name>
connection-options multihop <0-255>
set network logical-router <name> vrf <name> bgp peer-group <name>
connection-options authentication <value>

set network logical-router <name> vrf <name> bgp peer-group <name> peer
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> enable <yes|no>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> peer-as <1-4294967295>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> enable-sender-side-loop-detection <yes|no>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> address-family
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> address-family inherit <yes|no>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> address-family ipv4
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> address-family ipv4 unicast <value>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> address-family ipv6
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> address-family ipv6 unicast <value>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> local-address
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> local-address interface <value>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> local-address ip <value>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> peer-address
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> peer-address ip <value>|<ip/netmask>|<validate>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> connection-options
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> connection-options timers <value>|<inherit>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> connection-options multihop <0-255>|<inherit>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> connection-options authentication <value>|<inherit>

set network logical-router <name> vrf <name> bgp redistribution-rule

set network logical-router <name> vrf <name> bgp redistribution-rule ipv4
set network logical-router <name> vrf <name> bgp redistribution-rule ipv4
unicast <value>
set network logical-router <name> vrf <name> bgp redistribution-rule ipv6
set network logical-router <name> vrf <name> bgp redistribution-rule ipv6
unicast <value>

80 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set network logical-router <name> vrf <name> bgp address-family-identifier
set network logical-router <name> vrf <name> bgp address-family-identifier
ipv4
set network logical-router <name> vrf <name> bgp address-family-identifier
ipv4 network
set network logical-router <name> vrf <name> bgp address-family-identifier
ipv4 network <name>
set network logical-router <name> vrf <name> bgp address-family-identifier
ipv4 network <name> unicast <yes|no>
set network logical-router <name> vrf <name> bgp address-family-identifier
ipv6
set network logical-router <name> vrf <name> bgp address-family-identifier
ipv6 network
set network logical-router <name> vrf <name> bgp address-family-identifier
ipv6 network <name>
set network logical-router <name> vrf <name> bgp address-family-identifier
ipv6 network <name> unicast <yes|no>

set network logical-router <name> vrf <name> routing-table

set network logical-router <name> vrf <name> routing-table ip
set network logical-router <name> vrf <name> routing-table ip static-route
set network logical-router <name> vrf <name> routing-table ip static-route
<name>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> destination <value>|<ip/netmask>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> interface <value>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> nexthop
set network logical-router <name> vrf <name> routing-table ip static-route
<name> nexthop discard
set network logical-router <name> vrf <name> routing-table ip static-route
<name> nexthop ip-address <value>|<ip/netmask>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> admin-dist <10-240>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> metric <1-65535>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor
set network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor enable <yes|no>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor failure-condition <any|all>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor hold-time <0-1440>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor monitor-destinations
set network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor monitor-destinations <name>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor monitor-destinations <name> enable <yes|no>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor monitor-destinations <name> source <value>|<DHCP>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor monitor-destinations <name> destination <value>
set network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor monitor-destinations <name> interval <1-60>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 81

© 2021 Palo Alto Networks, Inc.
 set network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor monitor-destinations <name> count <3-10>

set network logical-router <name> vrf <name> routing-table ipv6

set network logical-router <name> vrf <name> routing-table ipv6 static-route
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> destination <value>|<ip/netmask>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> interface <value>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> nexthop
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> nexthop discard
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> nexthop ipv6-address <value>|<ip/netmask>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> admin-dist <10-240>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> metric <1-65535>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> path-monitor
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> path-monitor enable <yes|no>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> path-monitor failure-condition <any|all>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> path-monitor hold-time <0-1440>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> path-monitor monitor-destinations
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> path-monitor monitor-destinations <name>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> path-monitor monitor-destinations <name> enable <yes|no>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> path-monitor monitor-destinations <name> source <value>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> path-monitor monitor-destinations <name> destination <value>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> path-monitor monitor-destinations <name> interval <1-60>
set network logical-router <name> vrf <name> routing-table ipv6 static-route
<name> path-monitor monitor-destinations <name> count <3-10>

set network logical-router <name> vrf <name> ecmp

set network logical-router <name> vrf <name> ecmp enable <yes|no>
set network logical-router <name> vrf <name> ecmp algorithm
set network logical-router <name> vrf <name> ecmp algorithm ip-modulo
set network logical-router <name> vrf <name> ecmp algorithm ip-hash
set network logical-router <name> vrf <name> ecmp algorithm ip-hash src-only
<yes|no>
set network logical-router <name> vrf <name> ecmp algorithm ip-hash use-port
<yes|no>
set network logical-router <name> vrf <name> ecmp algorithm ip-hash hash-
seed <0-4294967295>
set network logical-router <name> vrf <name> ecmp algorithm weighted-round-
robin

82 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set network logical-router <name> vrf <name> ecmp algorithm weighted-round-
robin interface
set network logical-router <name> vrf <name> ecmp algorithm weighted-round-
robin interface <name>
set network logical-router <name> vrf <name> ecmp algorithm weighted-round-
robin interface <name> weight <1-255>
set network logical-router <name> vrf <name> ecmp algorithm balanced-round-
robin
set network logical-router <name> vrf <name> ecmp max-path <2-4>
set network logical-router <name> vrf <name> ecmp symmetric-return <yes|no>
set network logical-router <name> vrf <name> ecmp strict-source-path <yes|
no>

set network routing-profile

set network routing-profile bgp
set network routing-profile bgp auth-profile
set network routing-profile bgp auth-profile <name>
set network routing-profile bgp auth-profile <name> secret <value>
set network routing-profile bgp timer-profile
set network routing-profile bgp timer-profile <name>
set network routing-profile bgp timer-profile <name> keep-alive-interval
<1-1200>
set network routing-profile bgp timer-profile <name> hold-time <3-3600>
set network routing-profile bgp timer-profile <name> min-route-adv-interval
<1-600>
set network routing-profile bgp address-family-profile
set network routing-profile bgp address-family-profile <name>
set network routing-profile bgp address-family-profile <name> ipv4
set network routing-profile bgp address-family-profile <name> ipv4 unicast
set network routing-profile bgp address-family-profile <name> ipv4 unicast
add-path
set network routing-profile bgp address-family-profile <name> ipv4 unicast
add-path tx-all-paths <yes|no>
set network routing-profile bgp address-family-profile <name> ipv4 unicast
add-path tx-bestpath-per-AS <yes|no>
set network routing-profile bgp address-family-profile <name> ipv4 unicast
allowas-in
set network routing-profile bgp address-family-profile <name> ipv4 unicast
allowas-in origin
set network routing-profile bgp address-family-profile <name> ipv4 unicast
allowas-in occurrence <1-10>
set network routing-profile bgp address-family-profile <name> ipv4 unicast
as-override <yes|no>
set network routing-profile bgp address-family-profile <name> ipv4 unicast
default-originate <yes|no>
set network routing-profile bgp address-family-profile <name> ipv4 unicast
maximum-prefix
set network routing-profile bgp address-family-profile <name> ipv4 unicast
maximum-prefix num_prefixes <1-4294967295>
set network routing-profile bgp address-family-profile <name> ipv4 unicast
maximum-prefix threshold <1-100>
set network routing-profile bgp address-family-profile <name> ipv4 unicast
maximum-prefix action
set network routing-profile bgp address-family-profile <name> ipv4 unicast
maximum-prefix action warning-only
set network routing-profile bgp address-family-profile <name> ipv4 unicast
maximum-prefix action restart
set network routing-profile bgp address-family-profile <name> ipv4 unicast
maximum-prefix action restart interval <1-65535>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 83

© 2021 Palo Alto Networks, Inc.
 set network routing-profile bgp address-family-profile <name> ipv4 unicast
next-hop
set network routing-profile bgp address-family-profile <name> ipv4 unicast
next-hop self
set network routing-profile bgp address-family-profile <name> ipv4 unicast
next-hop self-force
set network routing-profile bgp address-family-profile <name> ipv4 unicast
remove-private-AS
set network routing-profile bgp address-family-profile <name> ipv4 unicast
remove-private-AS all
set network routing-profile bgp address-family-profile <name> ipv4 unicast
remove-private-AS replace-AS
set network routing-profile bgp address-family-profile <name> ipv4 unicast
route-reflector-client <yes|no>
set network routing-profile bgp address-family-profile <name> ipv4 unicast
send-community
set network routing-profile bgp address-family-profile <name> ipv4 unicast
send-community all
set network routing-profile bgp address-family-profile <name> ipv4 unicast
send-community both
set network routing-profile bgp address-family-profile <name> ipv4 unicast
send-community extended
set network routing-profile bgp address-family-profile <name> ipv4 unicast
send-community large
set network routing-profile bgp address-family-profile <name> ipv4 unicast
send-community standard

set network routing-profile bgp address-family-profile <name> ipv6

set network routing-profile bgp address-family-profile <name> ipv6 unicast
set network routing-profile bgp address-family-profile <name> ipv6 unicast
add-path
set network routing-profile bgp address-family-profile <name> ipv6 unicast
add-path tx-all-paths <yes|no>
set network routing-profile bgp address-family-profile <name> ipv6 unicast
add-path tx-bestpath-per-AS <yes|no>
set network routing-profile bgp address-family-profile <name> ipv6 unicast
allowas-in
set network routing-profile bgp address-family-profile <name> ipv6 unicast
allowas-in origin
set network routing-profile bgp address-family-profile <name> ipv6 unicast
allowas-in occurrence <1-10>
set network routing-profile bgp address-family-profile <name> ipv6 unicast
as-override <yes|no>
set network routing-profile bgp address-family-profile <name> ipv6 unicast
default-originate <yes|no>
set network routing-profile bgp address-family-profile <name> ipv6 unicast
maximum-prefix
set network routing-profile bgp address-family-profile <name> ipv6 unicast
maximum-prefix num_prefixes <1-4294967295>
set network routing-profile bgp address-family-profile <name> ipv6 unicast
maximum-prefix threshold <1-100>
set network routing-profile bgp address-family-profile <name> ipv6 unicast
maximum-prefix action
set network routing-profile bgp address-family-profile <name> ipv6 unicast
maximum-prefix action warning-only
set network routing-profile bgp address-family-profile <name> ipv6 unicast
maximum-prefix action restart
set network routing-profile bgp address-family-profile <name> ipv6 unicast
maximum-prefix action restart interval <1-65535>

84 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set network routing-profile bgp address-family-profile <name> ipv6 unicast
next-hop
set network routing-profile bgp address-family-profile <name> ipv6 unicast
next-hop self
set network routing-profile bgp address-family-profile <name> ipv6 unicast
next-hop self-force
set network routing-profile bgp address-family-profile <name> ipv6 unicast
remove-private-AS
set network routing-profile bgp address-family-profile <name> ipv6 unicast
remove-private-AS all
set network routing-profile bgp address-family-profile <name> ipv6 unicast
remove-private-AS replace-AS
set network routing-profile bgp address-family-profile <name> ipv6 unicast
route-reflector-client <yes|no>
set network routing-profile bgp address-family-profile <name> ipv6 unicast
send-community
set network routing-profile bgp address-family-profile <name> ipv6 unicast
send-community all
set network routing-profile bgp address-family-profile <name> ipv6 unicast
send-community both
set network routing-profile bgp address-family-profile <name> ipv6 unicast
send-community extended
set network routing-profile bgp address-family-profile <name> ipv6 unicast
send-community large
set network routing-profile bgp address-family-profile <name> ipv6 unicast
send-community standard

set network routing-profile bgp redistribution-profile

set network routing-profile bgp redistribution-profile <name>
set network routing-profile bgp redistribution-profile <name> ipv4
set network routing-profile bgp redistribution-profile <name> ipv4 unicast
set network routing-profile bgp redistribution-profile <name> ipv4 unicast
static
set network routing-profile bgp redistribution-profile <name> ipv4 unicast
static enable <yes|no>
set network routing-profile bgp redistribution-profile <name> ipv4 unicast
static metric <1-65535>
set network routing-profile bgp redistribution-profile <name> ipv4 unicast
connected
set network routing-profile bgp redistribution-profile <name> ipv4 unicast
connected enable <yes|no>
set network routing-profile bgp redistribution-profile <name> ipv4 unicast
connected metric <1-65535>
set network routing-profile bgp redistribution-profile <name> ipv6
set network routing-profile bgp redistribution-profile <name> ipv6 unicast
set network routing-profile bgp redistribution-profile <name> ipv6 unicast
static
set network routing-profile bgp redistribution-profile <name> ipv6 unicast
static enable <yes|no>
set network routing-profile bgp redistribution-profile <name> ipv6 unicast
static metric <1-65535>
set network routing-profile bgp redistribution-profile <name> ipv6 unicast
connected
set network routing-profile bgp redistribution-profile <name> ipv6 unicast
connected enable <yes|no>
set network routing-profile bgp redistribution-profile <name> ipv6 unicast
connected metric <1-65535>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 85

© 2021 Palo Alto Networks, Inc.
 set network dhcp interface <name> server reserved <name> description <value>
set network shared-gateway <name> log-settings email <name> server <name>
protocol <SMTP|TLS>
set network shared-gateway <name> log-settings email <name> server <name>
port <1-65535>
set network shared-gateway <name> log-settings email <name> server <name>
tls-version <1.2|1.1>
set network shared-gateway <name> log-settings email <name> server <name>
auth <Auto|Login|Plain>
set network shared-gateway <name> log-settings email <name> server <name>
certificate-profile <value>
set network shared-gateway <name> log-settings email <name> server <name>
username <value>
set network shared-gateway <name> log-settings email <name> server <name>
password <value>
set network shared-gateway <name> log-settings email <name> format
decryption <value>
set network shared-gateway <name> log-settings syslog <name> format
decryption <value>

set network shared-gateway <name> log-settings http <name> format decryption

set network shared-gateway <name> log-settings http <name> format decryption
name <value>
set network shared-gateway <name> log-settings http <name> format decryption
url-format <value>
set network shared-gateway <name> log-settings http <name> format decryption
headers
set network shared-gateway <name> log-settings http <name> format decryption
headers <name>
set network shared-gateway <name> log-settings http <name> format decryption
headers <name> value <value>
set network shared-gateway <name> log-settings http <name> format decryption
params
set network shared-gateway <name> log-settings http <name> format decryption
params <name>
set network shared-gateway <name> log-settings http <name> format decryption
params <name> value <value>
set network shared-gateway <name> log-settings http <name> format decryption
payload <value>

set network shared-gateway <name> log-settings profiles <name> match-list

<name> quarantine <yes|no>
set network shared-gateway <name> rulebase sdwan rules <name> saas-quality-
profile <value>
set network shared-gateway <name> rulebase sdwan rules <name> error-
correction-profile <value>

set shared device-object

set shared device-object <name>
set shared device-object <name> description <value>
set shared device-object <name> category [ <category1> <category2>... ]
set shared device-object <name> profile [ <profile1> <profile2>... ]
set shared device-object <name> osfamily [ <osfamily1> <osfamily2>... ]
set shared device-object <name> os [ <os1> <os2>... ]
set shared device-object <name> model [ <model1> <model2>... ]

86 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set shared device-object <name> vendor [ <vendor1> <vendor2>... ]

set shared profiles virus <name> mlav-engine-filebased-enabled

set shared profiles virus <name> mlav-engine-filebased-enabled <name>
set shared profiles virus <name> mlav-engine-filebased-enabled <name> mlav-
policy-action <enable|enable(alert-only)|disable>
set shared profiles virus <name> decoder <name> mlav-action <default|allow|
alert|drop|reset-client|reset-server|reset-both>

set shared profiles virus <name> mlav-exception

set shared profiles virus <name> mlav-exception <name>
set shared profiles virus <name> mlav-exception <name> filename <value>
set shared profiles virus <name> mlav-exception <name> description <value>

set shared profiles spyware <name> botnet-domains dns-security-categories

set shared profiles spyware <name> botnet-domains dns-security-categories
<name>
set shared profiles spyware <name> botnet-domains dns-security-categories
<name> action <default|allow|block|sinkhole>
set shared profiles spyware <name> botnet-domains dns-security-categories
<name> log-level <default|none|low|informational|medium|high|critical>
set shared profiles spyware <name> botnet-domains dns-security-categories
<name> packet-capture <disable|single-packet|extended-capture>

set shared profiles spyware <name> botnet-domains whitelist

set shared profiles spyware <name> botnet-domains whitelist <name>
set shared profiles spyware <name> botnet-domains whitelist <name>
description <value>
set shared profiles url-filtering <name> mlav-category-exception [ <mlav-
category-exception1> <mlav-category-exception2>... ]

set shared profiles url-filtering <name> mlav-engine-urlbased-enabled

set shared profiles url-filtering <name> mlav-engine-urlbased-enabled <name>
set shared profiles url-filtering <name> mlav-engine-urlbased-enabled <name>
mlav-policy-action <block|alert|allow>

set shared profiles sdwan-saas-quality

set shared profiles sdwan-saas-quality
set shared profiles sdwan-saas-quality
set shared profiles sdwan-saas-quality
address
set shared profiles sdwan-saas-quality
address <name>
set shared profiles sdwan-saas-quality
address <name> probe-interval <1-3600>
set shared profiles sdwan-saas-quality
set shared profiles sdwan-saas-quality
fqdn-name <value>
<name>
<name> monitor-mode adaptive
<name> monitor-mode static-ip ip-
<name> monitor-mode static-ip ip-
<name> monitor-mode static-ip ip-
<name> monitor-mode static-ip fqdn
<name> monitor-mode static-ip fqdn

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 87

© 2021 Palo Alto Networks, Inc.
 set shared profiles sdwan-saas-quality <name> monitor-mode static-ip fqdn
probe-interval <1-3600>
set shared profiles sdwan-saas-quality <name> monitor-mode http-https
set shared profiles sdwan-saas-quality <name> monitor-mode http-https
monitored-url <value>
set shared profiles sdwan-saas-quality <name> monitor-mode http-https probe-
interval <1-3600>

set shared profiles sdwan-error-correction

set shared profiles sdwan-error-correction <name>
set shared profiles sdwan-error-correction <name> activation-threshold
<1-99>
set shared profiles sdwan-error-correction <name> mode
set shared profiles sdwan-error-correction <name> mode forward-error-
correction
set shared profiles sdwan-error-correction <name> mode forward-error-
correction ratio <10% (20:2)|20% (20:4)|30% (20:6)|40% (20:8)|50% (20:10)>
set shared profiles sdwan-error-correction <name> mode forward-error-
correction transmit-hold-timer <1-5000>
set shared profiles sdwan-error-correction <name> mode packet-duplication
set shared profiles sdwan-error-correction <name> mode packet-duplication
transmit-hold-timer-pd <1-5000>

set shared profiles decryption <name> ssl-forward-proxy block-tls13-

downgrade-no-resource <yes|no>
set shared profiles decryption <name> ssl-inbound-proxy block-tls13-
downgrade-no-resource <yes|no>

set shared profiles decryption <name> ssl-protocol-settings enc-algo-

chacha20-poly1305 <yes|no>
set shared external-list <name> type predefined-url
set shared external-list <name> type predefined-url exception-list
[ <exception-list1> <exception-list2>... ]
set shared external-list <name> type predefined-url description <value>
set shared external-list <name> type predefined-url url <value>

set shared reports <name> type appstat group-by <serial|vsys_name|

device_name|vsys|name|risk|day-of-receive_time|hour-of-receive_time|quarter-
hour-of-receive_time|subcategory-of-name|category-of-name|risk-of-name|
container-of-name|technology-of-name>

set shared reports <name> type appstat sortby <nbytes|nsess|npkts|nthreats>

set shared reports <name> type decryption
set shared reports <name> type decryption aggregate-by [ <aggregate-by1>
<aggregate-by2>... ]

set shared reports <name> type decryption group-by <serial|time_generated|

src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|dstloc|app|vsys|from|
to|inbound_if|outbound_if|sport|dport|natsport|natdport|proto|action|
tunnel|rule_uuid|s_encrypted|vsys_name|device_name|tls_version|tls_keyxchg|
tls_enc|tls_auth|ec_curve|err_index|root_status|proxy_type|policy_name|cn|
issuer_cn|root_cn|sni|error|src_dag|dst_dag|src_edl|dst_edl|container_id|
pod_namespace|pod_name|src_category|src_profile|src_model|src_vendor|

88 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
src_osfamily|src_osversion|src_host|src_mac|dst_category|dst_profile|
dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time>

set shared reports <name> type decryption values [ <values1> <values2>... ]

set shared reports <name> type decryption labels [ <labels1> <labels2>... ]
set shared reports <name> type decryption sortby <repeatcnt|nunique-of-
src_profile|nunique-of-dst_profile>

set shared reports <name> type desum

set shared reports <name> type desum aggregate-by [ <aggregate-by1>
<aggregate-by2>... ]

set shared reports <name> type desum group-by <serial|time_generated|

vsys_name|device_name|app|src|dst|srcuser|dstuser|vsys|tls_version|
tls_keyxchg|tls_enc|tls_auth|policy_name|sni|error|err_index|src_edl|
dst_edl|container_id|pod_namespace|pod_name|src_category|src_profile|
src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|
dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|
dst_host|dst_mac|src_dag|dst_dag|day-of-receive_time|hour-of-receive_time|
quarter-hour-of-receive_time|outbound_if|inbound_if|rule|dport|sport|proto>

set shared reports <name> type desum values [ <values1> <values2>... ]

set shared reports <name> type desum labels [ <labels1> <labels2>... ]
set shared reports <name> type desum sortby <repeatcnt|nunique-of-
src_profile|nunique-of-dst_profile>

set shared reports <name> type threat group-by <serial|time_generated|

src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|dstloc|app|vsys|from|
to|inbound_if|outbound_if|sport|dport|natsport|natdport|proto|action|
tunnel|rule_uuid|s_encrypted|vsys_name|device_name|parent_session_id|
parent_start_time|threatid|category|severity|direction|http_method|
nssai_sst|http2_connection|xff_ip|threat_name|src_edl|dst_edl|
dynusergroup_name|hostid|partial_hash|src_category|src_profile|src_model|
src_vendor|src_osfamily|src_osversion|src_host|src_mac|dst_category|
dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|
dst_mac|container_id|pod_namespace|pod_name|misc|src_dag|dst_dag|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time|subcategory-
of-app|category-of-app|technology-of-app|risk-of-app|container-of-app|pbf-
s2c|pbf-c2s|flag-nat|flag-pcap|subtype|transaction|captive-portal|flag-
proxy|non-std-dport|tunnelid|monitortag|users|category-of-threatid|threat-
type>

set shared reports <name> type wildfire group-by <app|category|category-

of-app|dport|dst|dstuser|from|inbound_if|misc|natdport|natdst|natsport|
natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|sport|src|srcuser|
subcategory-of-app|technology-of-app|container-of-app|to|dstloc|srcloc|
vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time|
vsys_name|device_name|filetype|filename|filedigest|tunnelid|monitortag|
parent_session_id|parent_start_time|http2_connection|tunnel|xff_ip|src_dag|
dst_dag|src_edl|dst_edl>
set shared reports <name> type data values [ <values1> <values2>... ]
set shared reports <name> type data labels [ <labels1> <labels2>... ]
set shared reports <name> type data sortby <repeatcnt|nunique-of-users>
set shared reports <name> type data aggregate-by [ <aggregate-by1>
<aggregate-by2>... ]

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 89

© 2021 Palo Alto Networks, Inc.
 set shared reports <name> type data group-by <action|app|category-of-
app|direction|dport|dst|dstuser|from|inbound_if|misc|natdport|natdst|
natsport|natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|severity|
sport|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-
of-app|threatid|to|dstloc|srcloc|vsys|quarter-hour-of-receive_time|
hour-of-receive_time|day-of-receive_time|vsys_name|device_name|data-
type|filename|tunnelid|monitortag|parent_session_id|parent_start_time|
http2_connection|tunnel|xff_ip|src_dag|dst_dag|src_edl|dst_edl|src_category|
src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|
src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac>

set shared reports <name> type thsum group-by <serial|time_generated|

vsys_name|device_name|app|src|dst|rule|threatid|srcuser|dstuser|srcloc|
dstloc|xff_ip|vsys|from|to|dport|action|severity|inbound_if|outbound_if|
category|parent_session_id|parent_start_time|tunnel|direction|assoc_id|
ppid|http2_connection|rule_uuid|threat_name|src_edl|dst_edl|hostid|
dynusergroup_name|nssai_sst|src_category|src_profile|src_model|src_vendor|
src_osfamily|src_osversion|src_host|src_mac|dst_category|dst_profile|
dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|
container_id|pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_time|
hour-of-receive_time|quarter-hour-of-receive_time|subcategory-of-app|
category-of-app|technology-of-app|risk-of-app|container-of-app|subtype|
tunnelid|monitortag|category-of-threatid|threat-type>

set shared reports <name> type thsum sortby <sessions|count|nunique-of-apps|

nunique-of-users|nunique-of-src_profile|nunique-of-dst_profile>

set shared reports <name> type traffic group-by <serial|time_generated|

src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|dstloc|app|vsys|from|
to|inbound_if|outbound_if|sport|dport|natsport|natdport|proto|action|
tunnel|rule_uuid|s_encrypted|vsys_name|device_name|parent_session_id|
parent_start_time|category|session_end_reason|action_source|nssai_sst|
nssai_sd|http2_connection|xff_ip|dynusergroup_name|src_edl|dst_edl|hostid|
session_owner|policy_id|src_category|src_profile|src_model|src_vendor|
src_osfamily|src_osversion|src_host|src_mac|dst_category|dst_profile|
dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|
container_id|pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_time|
hour-of-receive_time|quarter-hour-of-receive_time|pbf-s2c|pbf-c2s|decrypt-
mirror|threat-type|flag-nat|flag-pcap|captive-portal|flag-proxy|non-std-
dport|transaction|sym-return|sessionid|sesscache_l7_done|subcategory-of-
app|category-of-app|technology-of-app|risk-of-app|container-of-app|tunnelid|
monitortag>

set shared reports <name> type traffic sortby <repeatcnt|bytes|bytes_sent|

bytes_received|packets|pkts_sent|pkts_received|chunks|chunks_sent|
chunks_received|nunique-of-users|elapsed|nunique-of-src_profile|nunique-of-
dst_profile>

set shared reports <name> type urlsum group-by <serial|time_generated|

vsys_name|device_name|app|category|src|dst|rule|srcuser|dstuser|srcloc|
dstloc|vsys|from|to|dev_serial|inbound_if|outbound_if|dport|action|tunnel|
url_domain|user_agent|http_method|http2_connection|parent_session_id|
parent_start_time|rule_uuid|xff_ip|src_edl|dst_edl|hostid|dynusergroup_name|
nssai_sst|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|url_category_list|src_dag|dst_dag|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time|nunique-of-

90 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
users|tunnelid|monitortag|subcategory-of-app|category-of-app|technology-of-
app|risk-of-app|container-of-app>

set shared reports <name> type trsum group-by <serial|time_generated|

vsys_name|device_name|app|src|dst|xff_ip|rule|srcuser|dstuser|srcloc|dstloc|
category|vsys|from|to|sessions|dport|action|tunnel|inbound_if|outbound_if|
parent_session_id|parent_start_time|assoc_id|http2_connection|rule_uuid|
src_edl|dst_edl|dynusergroup_name|s_decrypted|s_encrypted|hostid|nssai_sst|
src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|
src_host|src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac|container_id|pod_namespace|pod_name|
src_dag|dst_dag|day-of-receive_time|hour-of-receive_time|quarter-hour-of-
receive_time|subcategory-of-app|category-of-app|technology-of-app|risk-of-
app|container-of-app|tunnelid|monitortag|standard-ports-of-app|ncontent>

set shared reports <name> type trsum sortby <bytes|sessions|bytes_sent|

bytes_received|nthreats|nftrans|ndpmatches|nurlcount|chunks|chunks_sent|
chunks_received|ncontent|nunique-of-apps|nunique-of-users|nunique-of-
src_profile|nunique-of-dst_profile>

set shared reports <name> type userid group-by <serial|time_generated|

vsys_name|device_name|vsys|ip|user|datasourcename|beginport|endport|
datasource|datasourcetype|factortype|factorcompletiontime|factorno|tag_name|
day-of-receive_time|hour-of-receive_time|quarter-hour-of-receive_time|
subtype>

set shared reports <name> type auth group-by <serial|time_generated|

vsys_name|device_name|vsys|ip|user|normalize_user|object|authpolicy|
authid|vendor|clienttype|event|factorno|authproto|rule_uuid|src_category|
src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|
src_mac|day-of-receive_time|hour-of-receive_time|quarter-hour-of-
receive_time|serverprofile|desc|src_category|src_profile|src_model|
src_vendor|src_osfamily|src_osversion|src_host|src_mac>

set shared reports <name> type iptag group-by <serial|time_generated|

vsys_name|device_name|vsys|ip|tag_name|event_id|datasourcename|
datasource_type|datasource_subtype|day-of-receive_time|hour-of-receive_time|
quarter-hour-of-receive_time>

set shared reports <name> type hipmatch group-by <serial|time_generated|

vsys_name|device_name|srcuser|vsys|machinename|src|matchname|os|matchtype|
srcipv6|hostid|devcategory|profile|model|vendor|osfamily|osversion|mac|
devhost|source|day-of-receive_time|hour-of-receive_time|quarter-hour-of-
receive_time|hostname|osfamily|osversion>

set shared log-settings userid match-list <name> quarantine <yes|no>

set shared log-settings hipmatch match-list <name> quarantine <yes|no>
set shared log-settings correlation match-list <name> quarantine <yes|no>

set shared log-settings email <name> server <name> protocol <SMTP|TLS>

set shared log-settings email <name> server <name> port <1-65535>
set shared log-settings email <name> server <name> tls-version <1.2|1.1>
set shared log-settings email <name> server <name> auth <Auto|Login|Plain>
set shared log-settings email <name> server <name> certificate-profile
<value>
set shared log-settings email <name> server <name> username <value>
set shared log-settings email <name> server <name> password <value>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 91

© 2021 Palo Alto Networks, Inc.
 set shared log-settings email <name> format decryption <value>
set shared log-settings syslog <name> format decryption <value>
set shared log-settings http <name> format decryption
set shared log-settings http <name> format decryption name <value>
set shared log-settings http <name> format decryption headers
set shared log-settings http <name> format decryption headers <name>
set shared log-settings http <name> format decryption headers <name> value
<value>
set shared log-settings http <name> format decryption params
set shared log-settings http <name> format decryption params <name>
set shared log-settings http <name> format decryption params <name> value
<value>
set shared log-settings http <name> format decryption payload <value>

set shared log-settings profile <name> match-list <name> quarantine <yes|no>

set shared ssl-tls-service-profile <name> protocol-settings enc-algo-
chacha20-poly1305 <yes|no>

set shared admin-role <name> role device webui monitor logs decryption
<enable|disable>
set shared admin-role <name> role device webui objects devices <enable|read-
only|disable>
set shared admin-role <name> role device webui objects sdwan sdwan-saas-
quality-profile <enable|read-only|disable>
set shared admin-role <name> role device webui objects sdwan sdwan-error-
correction-profile <enable|read-only|disable>
set shared admin-role <name> role device webui network routing
set shared admin-role <name> role device webui network routing logical-
routers <enable|read-only|disable>
set shared admin-role <name> role device webui network routing routing-
profiles
set shared admin-role <name> role device webui network routing routing-
profiles bgp <enable|read-only|disable>
set shared admin-role <name> role device webui device data-redistribution
<enable|read-only|disable>
set shared admin-role <name> role device webui device device-quarantine
<enable|read-only|disable>
set shared admin-role <name> role device webui device certificate-management
ssh-service-profile <enable|read-only|disable>
set shared admin-role <name> role device webui device policy-recommendation
<enable|read-only|disable>

set shared admin-role <name> role device webui operations

set shared admin-role <name> role device webui operations reboot <enable|
disable>
set shared admin-role <name> role device webui operations generate-tech-
support-file <enable|disable>
set shared admin-role <name> role device webui operations generate-stats-
dump-file <enable|disable>
set shared admin-role <name> role device webui operations download-core-
files <enable|disable>
set shared admin-role <name> role device xmlapi iot <enable|disable>

92 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set shared admin-role <name> role device restapi
set shared admin-role <name> role device restapi objects
set shared admin-role <name> role device restapi objects addresses <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects address-groups
<enable|read-only|disable>
set shared admin-role <name> role device restapi objects regions <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects dynamic-user-groups
<enable|read-only|disable>
set shared admin-role <name> role device restapi objects applications
<enable|read-only|disable>
set shared admin-role <name> role device restapi objects application-groups
<enable|read-only|disable>
set shared admin-role <name> role device restapi objects application-filters
<enable|read-only|disable>
set shared admin-role <name> role device restapi objects services <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects service-groups
<enable|read-only|disable>
set shared admin-role <name> role device restapi objects tags <enable|read-
only|disable>
set shared admin-role <name> role device restapi objects devices <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects external-dynamic-
lists <enable|read-only|disable>
set shared admin-role <name> role device restapi objects custom-data-
patterns <enable|read-only|disable>
set shared admin-role <name> role device restapi objects custom-spyware-
signatures <enable|read-only|disable>
set shared admin-role <name> role device restapi objects custom-
vulnerability-signatures <enable|read-only|disable>
set shared admin-role <name> role device restapi objects custom-url-
categories <enable|read-only|disable>
set shared admin-role <name> role device restapi objects antivirus-security-
profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi objects anti-spyware-
security-profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi objects vulnerability-
protection-security-profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi objects url-filtering-
security-profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi objects file-blocking-
security-profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi objects wildfire-analysis-
security-profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi objects data-filtering-
security-profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi objects dos-protection-
security-profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi objects security-profile-
groups <enable|read-only|disable>
set shared admin-role <name> role device restapi objects log-forwarding-
profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi objects authentication-
enforcements <enable|read-only|disable>
set shared admin-role <name> role device restapi objects decryption-profiles
<enable|read-only|disable>
set shared admin-role <name> role device restapi objects decryption-
forwarding-profiles <enable|read-only|disable>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 93

© 2021 Palo Alto Networks, Inc.
 set shared admin-role <name> role device restapi objects schedules <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects sdwan-path-quality-
profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi objects sdwan-traffic-
distribution-profiles <enable|read-only|disable>

set shared admin-role <name> role device restapi policies

set shared admin-role <name> role device restapi policies security-rules
<enable|read-only|disable>
set shared admin-role <name> role device restapi policies nat-rules <enable|
read-only|disable>
set shared admin-role <name> role device restapi policies qos-rules <enable|
read-only|disable>
set shared admin-role <name> role device restapi policies policy-based-
forwarding-rules <enable|read-only|disable>
set shared admin-role <name> role device restapi policies decryption-rules
<enable|read-only|disable>
set shared admin-role <name> role device restapi policies tunnel-inspection-
rules <enable|read-only|disable>
set shared admin-role <name> role device restapi policies application-
override-rules <enable|read-only|disable>
set shared admin-role <name> role device restapi policies authentication-
rules <enable|read-only|disable>
set shared admin-role <name> role device restapi policies dos-rules <enable|
read-only|disable>
set shared admin-role <name> role device restapi policies sdwan-rules
<enable|read-only|disable>

set shared admin-role <name> role device restapi network

set shared admin-role <name> role device restapi network aggregate-ethernet-
interfaces <enable|read-only|disable>
set shared admin-role <name> role device restapi network ethernet-interfaces
<enable|read-only|disable>
set shared admin-role <name> role device restapi network vlan-interfaces
<enable|read-only|disable>
set shared admin-role <name> role device restapi network loopback-interfaces
<enable|read-only|disable>
set shared admin-role <name> role device restapi network tunnel-interfaces
<enable|read-only|disable>
set shared admin-role <name> role device restapi network zones <enable|read-
only|disable>
set shared admin-role <name> role device restapi network vlans <enable|read-
only|disable>
set shared admin-role <name> role device restapi network virtual-wires
<enable|read-only|disable>
set shared admin-role <name> role device restapi network virtual-routers
<enable|read-only|disable>
set shared admin-role <name> role device restapi network logical-routers
<enable|read-only|disable>
set shared admin-role <name> role device restapi network bgp-routing-
profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi network ipsec-tunnels
<enable|read-only|disable>
set shared admin-role <name> role device restapi network gre-tunnels
<enable|read-only|disable>
set shared admin-role <name> role device restapi network dhcp-servers
<enable|read-only|disable>

94 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set shared admin-role <name> role device restapi network dhcp-relays
<enable|read-only|disable>
set shared admin-role <name> role device restapi network dns-proxies
<enable|read-only|disable>
set shared admin-role <name> role device restapi network qos-interfaces
<enable|read-only|disable>
set shared admin-role <name> role device restapi network lldp <enable|read-
only|disable>
set shared admin-role <name> role device restapi network ike-gateway-
network-profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi network ipsec-crypto-
network-profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi network ike-crypto-network-
profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi network tunnel-monitor-
network-profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi network interface-
management-network-profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi network zone-protection-
network-profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi network qos-network-
profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi network lldp-network-
profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi network bfd-network-
profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi network sdwan-interfaces
<enable|read-only|disable>
set shared admin-role <name> role device restapi network sdwan-interface-
profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi device
set shared admin-role <name> role device restapi device virtual-systems
<enable|read-only|disable>

set shared admin-role <name> role vsys webui monitor logs decryption
<enable|disable>
set shared admin-role <name> role vsys webui objects devices <enable|read-
only|disable>
set shared admin-role <name> role vsys webui objects sdwan sdwan-saas-
quality-profile <enable|read-only|disable>
set shared admin-role <name> role vsys webui objects sdwan sdwan-error-
correction-profile <enable|read-only|disable>
set shared admin-role <name> role vsys webui device setup telemetry <read-
only|disable>
set shared admin-role <name> role vsys webui device data-redistribution
<enable|read-only|disable>
set shared admin-role <name> role vsys webui device device-quarantine
<enable|read-only|disable>
set shared admin-role <name> role vsys webui device certificate-management
ssh-service-profile <enable|read-only|disable>
set shared admin-role <name> role vsys webui device policy-recommendation
<enable|read-only|disable>

set shared admin-role <name> role vsys webui operations

set shared admin-role <name> role vsys webui operations reboot <enable|
disable>
set shared admin-role <name> role vsys webui operations generate-tech-
support-file <enable|disable>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 95

© 2021 Palo Alto Networks, Inc.
 set shared admin-role <name> role vsys webui operations generate-stats-dump-
file <enable|disable>
set shared admin-role <name> role vsys webui operations download-core-files
<enable|disable>
set shared admin-role <name> role vsys xmlapi iot <enable|disable>

set shared admin-role <name> role vsys restapi

set shared admin-role <name> role vsys restapi objects
set shared admin-role <name> role vsys restapi objects addresses <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi objects address-groups
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects regions <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi objects dynamic-user-groups
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects applications <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi objects application-groups
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects application-filters
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects services <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi objects service-groups
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects tags <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi objects devices <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi objects external-dynamic-
lists <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects custom-data-patterns
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects custom-spyware-
signatures <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects custom-vulnerability-
signatures <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects custom-url-categories
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects antivirus-security-
profiles <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects anti-spyware-
security-profiles <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects vulnerability-
protection-security-profiles <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects url-filtering-
security-profiles <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects file-blocking-
security-profiles <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects wildfire-analysis-
security-profiles <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects data-filtering-
security-profiles <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects dos-protection-
security-profiles <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects security-profile-
groups <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects log-forwarding-
profiles <enable|read-only|disable>

96 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set shared admin-role <name> role vsys restapi objects authentication-
enforcements <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects decryption-profiles
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects decryption-
forwarding-profiles <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects schedules <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi objects sdwan-path-quality-
profiles <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects sdwan-traffic-
distribution-profiles <enable|read-only|disable>

set shared admin-role <name> role vsys restapi policies

set shared admin-role <name> role vsys restapi policies security-rules
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi policies nat-rules <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi policies qos-rules <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi policies policy-based-
forwarding-rules <enable|read-only|disable>
set shared admin-role <name> role vsys restapi policies decryption-rules
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi policies tunnel-inspection-
rules <enable|read-only|disable>
set shared admin-role <name> role vsys restapi policies application-
override-rules <enable|read-only|disable>
set shared admin-role <name> role vsys restapi policies authentication-rules
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi policies dos-rules <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi policies sdwan-rules <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi network
set shared admin-role <name> role vsys restapi network zones <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi device
set shared admin-role <name> role vsys restapi device virtual-systems
<enable|read-only|disable>

set shared icd

set shared icd cloud-addr
set shared icd cloud-addr address<value>
set shared icd cloud-addr port <80-65535>

set vsys <name> import network logical-router [ <logical-router1> <logical-

router2>... ]
set vsys <name> log-settings email <name> server <name> protocol <SMTP|TLS>
set vsys <name> log-settings email <name> server <name> port <1-65535>
set vsys <name> log-settings email <name> server <name> tls-version <1.2|
1.1>
set vsys <name> log-settings email <name> server <name> auth <Auto|Login|
Plain>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 97

© 2021 Palo Alto Networks, Inc.
 set vsys <name> log-settings email <name> server <name> certificate-profile
<value>
set vsys <name> log-settings email <name> server <name> username <value>
set vsys <name> log-settings email <name> server <name> password <value>

set vsys <name> log-settings email <name> format decryption <value>

set vsys <name> log-settings syslog <name> format decryption <value>
set vsys <name> log-settings http <name> format decryption
set vsys <name> log-settings http <name> format decryption name <value>
set vsys <name> log-settings http <name> format decryption url-format
<value>
set vsys <name> log-settings http <name> format decryption headers
set vsys <name> log-settings http <name> format decryption headers <name>
set vsys <name> log-settings http <name> format decryption headers <name>
value <value>
set vsys <name> log-settings http <name> format decryption params
set vsys <name> log-settings http <name> format decryption params <name>
set vsys <name> log-settings http <name> format decryption params <name>
value <value>
set vsys <name> log-settings http <name> format decryption payload <value>

set vsys<name> log-settings profiles <name> match-list <name> quarantine

<yes|no>
set vsys <name> ssl-tls-service-profile <name> protocol-settings enc-algo-
chacha20-poly1305 <yes|no>

set vsys <name> redistribution-agent

set vsys <name> redistribution-agent <name>
set vsys <name> redistribution-agent <name> serial-number <value>
set vsys <name> redistribution-agent <name> host-port
set vsys <name> redistribution-agent <name> host-port host <ip/netmask>|
<value>
set vsys <name> redistribution-agent <name> host-port ldap-proxy <yes|no>
set vsys <name> redistribution-agent <name> host-port port <1-65535>
set vsys <name> redistribution-agent <name> host-port collectorname <value>
set vsys <name> redistribution-agent <name> host-port secret <value>
set vsys <name> redistribution-agent <name> disabled <yes|no>
set vsys <name> redistribution-agent <name> ip-user-mappings <yes|no>
set vsys <name> redistribution-agent <name> ip-tags <yes|no>
set vsys <name> redistribution-agent <name> user-tags <yes|no>
set vsys <name> redistribution-agent <name> hip <yes|no>
set vsys <name> redistribution-agent <name> quarantine-list <yes|no>

set vsys <name> ipuser-include-exclude-list

set vsys <name> ipuser-include-exclude-list
set vsys <name> ipuser-include-exclude-list
set vsys <name> ipuser-include-exclude-list
disabled <yes|no>
set vsys <name> ipuser-include-exclude-list
discovery <include|exclude>
set vsys <name> ipuser-include-exclude-list
network-address <ip/netmask>
set vsys <name> ipuser-include-exclude-list
include-exclude-network
include-exclude-network <name>
include-exclude-network <name>
include-exclude-network <name>
include-exclude-network <name>
include-exclude-network-sequence

98 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set vsys <name> ipuser-include-exclude-list include-exclude-network-sequence
include-exclude-network [ <include-exclude-network1> <include-exclude-
network2>... ]

set vsys <name> iptag-include-exclude-list

set vsys <name> iptag-include-exclude-list include-exclude-network
set vsys <name> iptag-include-exclude-list include-exclude-network <name>
set vsys <name> iptag-include-exclude-list include-exclude-network <name>
disabled <yes|no>
set vsys <name> iptag-include-exclude-list include-exclude-network <name>
discovery <include|exclude>
set vsys <name> iptag-include-exclude-list include-exclude-network <name>
network-address <ip/netmask>
set vsys <name> iptag-include-exclude-list include-exclude-network-sequence
set vsys <name> iptag-include-exclude-list include-exclude-network-sequence
include-exclude-network [ <include-exclude-network1> <include-exclude-
network2>... ]

set vsys <name> redistribution-collector

set vsys <name> redistribution-collector setting
set vsys <name> redistribution-collector setting collectorname <value>
set vsys <name> redistribution-collector setting secret <value>
set vsys <name> user-id-collector syslog-parse-profile <name> field-
identifier address-per-log <1-3>

set vsys <name> zone <name> enable-device-identification <yes|no>

set vsys <name> zone <name>
set vsys <name> zone <name>
<include-list2>... ]
set vsys <name> zone <name>
<exclude-list2>... ]
device-acl
device-acl include-list [ <include-list1>
device-acl exclude-list [ <exclude-list1>

set vsys <name> sdwan-interface-profile <name> vpn-data-tunnel-support <yes|

no>
set vsys <name> sdwan-interface-profile <name> error-correction <yes|no>

set vsys <name> global-protect global-protect-portal <name> portal-config

client-auth <name> auto-retrieve-passcode <yes|no>
set vsys <name> global-protect global-protect-portal <name> portal-config
log-success <yes|no>
set vsys <name> global-protect global-protect-portal <name> portal-config
log-fail <yes|no>
set vsys <name> global-protect global-protect-portal <name> portal-config
log-setting <value>
set vsys <name> global-protect global-protect-portal <name> client-config
configs <name> hip-collection custom-checks linux
set vsys <name> global-protect global-protect-portal <name> client-config
configs <name> hip-collection custom-checks linux process-list [ <process-
list1> <process-list2>... ]
set vsys <name> global-protect global-protect-gateway <name> client-auth
<name> auto-retrieve-passcode <yes|no>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 99

© 2021 Palo Alto Networks, Inc.
 set vsys <name> global-protect global-protect-gateway <name> block-
quarantined-devices <yes|no>
set vsys <name> global-protect global-protect-gateway <name> log-success
<yes|no>
set vsys <name> global-protect global-protect-gateway <name> log-fail <yes|
no>
set vsys <name> global-protect global-protect-gateway <name> log-setting
<value>

set vsys <name> profiles virus <name> mlav-engine-filebased-enabled

set vsys <name> profiles virus <name> mlav-engine-filebased-enabled <name>
set vsys <name> profiles virus <name> mlav-engine-filebased-enabled <name>
mlav-policy-action <enable|enable(alert-only)|disable>
set vsys <name> profiles virus <name> decoder <name> mlav-action <default|
allow|alert|drop|reset-client|reset-server|reset-both>
set vsys <name> profiles virus <name> mlav-exception
set vsys <name> profiles virus <name> mlav-exception <name>
set vsys <name> profiles virus <name> mlav-exception <name> filename <value>
set vsys <name> profiles virus <name> mlav-exception <name> description
<value>

set vsys <name> profiles spyware <name> botnet-domains dns-security-

categories

set vsys <name> profiles spyware <name> botnet-domains dns-security-

categories <name>

set vsys <name> profiles spyware <name> botnet-domains dns-security-

categories <name> action <default|allow|block|sinkhole>

set vsys <name> profiles spyware <name> botnet-domains dns-security-

categories <name> log-level <default|none|low|informational|medium|high|
critical>

set vsys <name> profiles spyware <name> botnet-domains dns-security-

categories <name> packet-capture <disable|single-packet|extended-capture>

set vsys <name> profiles spyware <name> botnet-domains whitelist

set vsys <name> profiles spyware <name> botnet-domains whitelist <name>

set vsys <name> profiles spyware <name> botnet-domains whitelist <name>

description <value>

set vsys <name> profiles url-filtering <name> mlav-category-exception

[ <mlav-category-exception1> <mlav-category-exception2>... ]
set vsys <name> profiles url-filtering <name> mlav-engine-urlbased-enabled
set vsys <name> profiles url-filtering <name> mlav-engine-urlbased-enabled
<name>
set vsys <name> profiles url-filtering <name> mlav-engine-urlbased-enabled
<name> mlav-policy-action <block|alert|allow>

set vsys <name> profiles sdwan-saas-quality

100 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set vsys <name> profiles sdwan-saas-quality <name>
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode adaptive
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode static-ip
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode static-ip
ip-address
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode static-ip
ip-address <name>
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode static-ip
ip-address <name> probe-interval <1-3600>
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode static-ip
fqdn
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode static-ip
fqdn fqdn-name <value>
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode static-ip
fqdn probe-interval <1-3600>
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode http-https
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode http-https
monitored-url <value>
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode http-https
probe-interval <1-3600>

set vsys <name> profiles sdwan-error-correction

set vsys <name> profiles sdwan-error-correction <name>
set vsys <name> profiles sdwan-error-correction <name> activation-threshold
<1-99>
set vsys <name> profiles sdwan-error-correction <name> mode
set vsys <name> profiles sdwan-error-correction <name> mode forward-error-
correction
set vsys <name> profiles sdwan-error-correction <name> mode forward-error-
correction ratio <10% (20:2)|20% (20:4)|30% (20:6)|40% (20:8)|50% (20:10)>
set vsys <name> profiles sdwan-error-correction <name> mode forward-error-
correction transmit-hold-timer <1-5000>
set vsys <name> profiles sdwan-error-correction <name> mode packet-
duplication
set vsys <name> profiles sdwan-error-correction <name> mode packet-
duplication transmit-hold-timer-pd <1-5000>
set vsys <name> profiles decryption <name> ssl-forward-proxy block-tls13-
downgrade-no-resource <yes|no>
set vsys <name> profiles decryption <name> ssl-inbound-proxy block-tls13-
downgrade-no-resource <yes|no>

set vsys <name> profiles decryption <name> ssl-protocol-settings enc-algo-

chacha20-poly1305 <yes|no>

set vsys <name> reports <name> type appstat group-by <serial|vsys_name|

device_name|vsys|name|risk|day-of-receive_time|hour-of-receive_time|quarter-
hour-of-receive_time|subcategory-of-name|category-of-name|risk-of-name|
container-of-name|technology-of-name>

set vsys <name> reports <name> type appstat sortby <nbytes|nsess|npkts|

nthreats>

set vsys <name> reports <name> type decryption

set vsys <name> reports <name> type decryption aggregate-by [ <aggregate-

by1> <aggregate-by2>... ]

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 101

© 2021 Palo Alto Networks, Inc.
 set vsys <name> reports <name> type decryption group-by <serial|
time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|dstloc|
app|vsys|from|to|inbound_if|outbound_if|sport|dport|natsport|natdport|
proto|action|tunnel|rule_uuid|s_encrypted|vsys_name|device_name|tls_version|
tls_keyxchg|tls_enc|tls_auth|ec_curve|err_index|root_status|proxy_type|
policy_name|cn|issuer_cn|root_cn|sni|error|src_dag|dst_dag|src_edl|dst_edl|
container_id|pod_namespace|pod_name|src_category|src_profile|src_model|
src_vendor|src_osfamily|src_osversion|src_host|src_mac|dst_category|
dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|
dst_mac|day-of-receive_time|hour-of-receive_time|quarter-hour-of-
receive_time>

set vsys <name> reports <name> type decryption sortby <repeatcnt|nunique-of-

src_profile|nunique-of-dst_profile>

set vsys <name> reports <name> type desum

set vsys <name> reports <name> type desum aggregate-by [ <aggregate-by1>

<aggregate-by2>... ]

set vsys <name> reports <name> type desum group-by <serial|time_generated|

vsys_name|device_name|app|src|dst|srcuser|dstuser|vsys|tls_version|
tls_keyxchg|tls_enc|tls_auth|policy_name|sni|error|err_index|src_edl|
dst_edl|container_id|pod_namespace|pod_name|src_category|src_profile|
src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|
dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|
dst_host|dst_mac|src_dag|dst_dag|day-of-receive_time|hour-of-receive_time|
quarter-hour-of-receive_time|outbound_if|inbound_if|rule|dport|sport|proto>

set vsys <name> reports <name> type desum values [ <values1> <values2>... ]

set vsys <name> reports <name> type desum labels [ <labels1> <labels2>... ]

set vsys <name> reports <name> type desum sortby <repeatcnt|nunique-of-

src_profile|nunique-of-dst_profile>

set vsys <name> reports <name> type threat group-by <serial|time_generated|

src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|dstloc|app|vsys|from|
to|inbound_if|outbound_if|sport|dport|natsport|natdport|proto|action|
tunnel|rule_uuid|s_encrypted|vsys_name|device_name|parent_session_id|
parent_start_time|threatid|category|severity|direction|http_method|
nssai_sst|http2_connection|xff_ip|threat_name|src_edl|dst_edl|
dynusergroup_name|hostid|partial_hash|src_category|src_profile|src_model|
src_vendor|src_osfamily|src_osversion|src_host|src_mac|dst_category|
dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|
dst_mac|container_id|pod_namespace|pod_name|misc|src_dag|dst_dag|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time|subcategory-
of-app|category-of-app|technology-of-app|risk-of-app|container-of-app|pbf-
s2c|pbf-c2s|flag-nat|flag-pcap|subtype|transaction|captive-portal|flag-
proxy|non-std-dport|tunnelid|monitortag|users|category-of-threatid|threat-
type>

set vsys <name> reports <name> type wildfire group-by <app|category|

category-of-app|dport|dst|dstuser|from|inbound_if|misc|natdport|natdst|
natsport|natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|sport|src|
srcuser|subcategory-of-app|technology-of-app|container-of-app|to|dstloc|
srcloc|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-
receive_time|vsys_name|device_name|filetype|filename|filedigest|tunnelid|
monitortag|parent_session_id|parent_start_time|http2_connection|tunnel|
xff_ip|src_dag|dst_dag|src_edl|dst_edl>

set vsys <name> reports <name> type data values [ <values1> <values2>... ]

102 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
set vsys <name> reports <name> type data labels [ <labels1> <labels2>... ]

set vsys <name> reports <name> type data sortby <repeatcnt|nunique-of-users>

set vsys <name> reports <name> type data

set vsys <name> reports <name> type data aggregate-by [ <aggregate-by1>

<aggregate-by2>... ]

set vsys <name> reports <name> type data group-by <action|app|category-

of-app|direction|dport|dst|dstuser|from|inbound_if|misc|natdport|natdst|
natsport|natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|severity|
sport|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-
of-app|threatid|to|dstloc|srcloc|vsys|quarter-hour-of-receive_time|
hour-of-receive_time|day-of-receive_time|vsys_name|device_name|data-
type|filename|tunnelid|monitortag|parent_session_id|parent_start_time|
http2_connection|tunnel|xff_ip|src_dag|dst_dag|src_edl|dst_edl|src_category|
src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|
src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac>

set vsys <name> reports <name> type thsum group-by <serial|time_generated|

vsys_name|device_name|app|src|dst|rule|threatid|srcuser|dstuser|srcloc|
dstloc|xff_ip|vsys|from|to|dport|action|severity|inbound_if|outbound_if|
category|parent_session_id|parent_start_time|tunnel|direction|assoc_id|
ppid|http2_connection|rule_uuid|threat_name|src_edl|dst_edl|hostid|
dynusergroup_name|nssai_sst|src_category|src_profile|src_model|src_vendor|
src_osfamily|src_osversion|src_host|src_mac|dst_category|dst_profile|
dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|
container_id|pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_time|
hour-of-receive_time|quarter-hour-of-receive_time|subcategory-of-app|
category-of-app|technology-of-app|risk-of-app|container-of-app|subtype|
tunnelid|monitortag|category-of-threatid|threat-type>

set vsys <name> reports <name> type thsum sortby <sessions|count|nunique-of-

apps|nunique-of-users|nunique-of-src_profile|nunique-of-dst_profile>

set vsys <name> reports <name> type traffic group-by <serial|time_generated|

src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|dstloc|app|vsys|from|
to|inbound_if|outbound_if|sport|dport|natsport|natdport|proto|action|
tunnel|rule_uuid|s_encrypted|vsys_name|device_name|parent_session_id|
parent_start_time|category|session_end_reason|action_source|nssai_sst|
nssai_sd|http2_connection|xff_ip|dynusergroup_name|src_edl|dst_edl|hostid|
session_owner|policy_id|src_category|src_profile|src_model|src_vendor|
src_osfamily|src_osversion|src_host|src_mac|dst_category|dst_profile|
dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|
container_id|pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_time|
hour-of-receive_time|quarter-hour-of-receive_time|pbf-s2c|pbf-c2s|decrypt-
mirror|threat-type|flag-nat|flag-pcap|captive-portal|flag-proxy|non-std-
dport|transaction|sym-return|sessionid|sesscache_l7_done|subcategory-of-
app|category-of-app|technology-of-app|risk-of-app|container-of-app|tunnelid|
monitortag>

set vsys <name> reports <name> type traffic sortby <repeatcnt|bytes|

bytes_sent|bytes_received|packets|pkts_sent|pkts_received|chunks|
chunks_sent|chunks_received|nunique-of-users|elapsed|nunique-of-src_profile|
nunique-of-dst_profile>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 103

© 2021 Palo Alto Networks, Inc.
 set vsys <name> reports <name> type urlsum group-by <serial|time_generated|
vsys_name|device_name|app|category|src|dst|rule|srcuser|dstuser|srcloc|
dstloc|vsys|from|to|dev_serial|inbound_if|outbound_if|dport|action|tunnel|
url_domain|user_agent|http_method|http2_connection|parent_session_id|
parent_start_time|rule_uuid|xff_ip|src_edl|dst_edl|hostid|dynusergroup_name|
nssai_sst|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|url_category_list|src_dag|dst_dag|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time|nunique-of-
users|tunnelid|monitortag|subcategory-of-app|category-of-app|technology-of-
app|risk-of-app|container-of-app>

set vsys <name> reports <name> type trsum group-by <serial|time_generated|

vsys_name|device_name|app|src|dst|xff_ip|rule|srcuser|dstuser|srcloc|dstloc|
category|vsys|from|to|sessions|dport|action|tunnel|inbound_if|outbound_if|
parent_session_id|parent_start_time|assoc_id|http2_connection|rule_uuid|
src_edl|dst_edl|dynusergroup_name|s_decrypted|s_encrypted|hostid|nssai_sst|
src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|
src_host|src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac|container_id|pod_namespace|pod_name|
src_dag|dst_dag|day-of-receive_time|hour-of-receive_time|quarter-hour-of-
receive_time|subcategory-of-app|category-of-app|technology-of-app|risk-of-
app|container-of-app|tunnelid|monitortag|standard-ports-of-app|ncontent>

set vsys <name> reports <name> type trsum sortby <bytes|sessions|bytes_sent|

bytes_received|nthreats|nftrans|ndpmatches|nurlcount|chunks|chunks_sent|
chunks_received|ncontent|nunique-of-apps|nunique-of-users|nunique-of-
src_profile|nunique-of-dst_profile>

set vsys <name> reports <name> type tunnelsum group-by <action|app|category-

of-app|dst|risk-of-app|rule|rule_uuid|src|subcategory-of-app|technology-of-
app|container-of-app|dstloc|srcloc|vsys|quarter-hour-of-receive_time|hour-
of-receive_time|day-of-receive_time|serial|vsys_name|device_name|tunnelid|
monitortag|parent_session_id|parent_start_time|tunnel|tunnel_insp_rule|
src_dag|dst_dag|src_edl|dst_edl>

set vsys <name> reports <name> type userid group-by <serial|time_generated|

vsys_name|device_name|vsys|ip|user|datasourcename|beginport|endport|
datasource|datasourcetype|factortype|factorcompletiontime|factorno|tag_name|
day-of-receive_time|hour-of-receive_time|quarter-hour-of-receive_time|
subtype>

set vsys <name> reports <name> type auth group-by <serial|time_generated|

vsys_name|device_name|vsys|ip|user|normalize_user|object|authpolicy|
authid|vendor|clienttype|event|factorno|authproto|rule_uuid|src_category|
src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|
src_mac|day-of-receive_time|hour-of-receive_time|quarter-hour-of-
receive_time|serverprofile|desc|src_category|src_profile|src_model|
src_vendor|src_osfamily|src_osversion|src_host|src_mac>

set vsys <name> reports <name> type auth sortby <repeatcnt|time_generated|

vendor>

set vsys <name> reports <name> type iptag group-by <serial|time_generated|

vsys_name|device_name|vsys|ip|tag_name|event_id|datasourcename|
datasource_type|datasource_subtype|day-of-receive_time|hour-of-receive_time|
quarter-hour-of-receive_time>

set vsys <name> reports <name> type hipmatch group-by <serial|

time_generated|vsys_name|device_name|srcuser|vsys|machinename|src|matchname|
os|matchtype|srcipv6|hostid|devcategory|profile|model|vendor|osfamily|

104 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
osversion|mac|devhost|source|day-of-receive_time|hour-of-receive_time|
quarter-hour-of-receive_time|hostname|osfamily|osversion>

set vsys <name> external-list <name> type predefined-url

set vsys <name> external-list <name> type predefined-url exception-list
[ <exception-list1> <exception-list2>... ]
set vsys <name> external-list <name> type predefined-url description <value>
set vsys <name> external-list <name> type predefined-url url <value>

set vsys <name> device-object

set vsys <name> device-object <name>
set vsys <name> device-object <name> description <value>
set vsys <name> device-object <name> category [ <category1>
<category2>... ]
set vsys <name> device-object <name> profile [ <profile1> <profile2>... ]
set vsys <name> device-object <name> osfamily [ <osfamily1>
<osfamily2>... ]
set vsys <name> device-object <name> os [ <os1> <os2>... ]
set vsys <name> device-object <name> model [ <model1> <model2>... ]
set vsys <name> device-object <name> vendor [ <vendor1> <vendor2>... ]

set vsys <name> rulebase security rules <name> source-hip [ <source-hip1>

<source-hip2>... ]
set vsys <name> rulebase security rules <name> destination-hip
[ <destination-hip1> <destination-hip2>... ]
set vsys <name> rulebase decryption rules <name> source-hip [ <source-hip1>
<source-hip2>... ]
set vsys <name> rulebase decryption rules <name> destination-hip
[ <destination-hip1> <destination-hip2>... ]
set vsys <name> rulebase decryption rules <name> log-success <yes|no>
set vsys <name> rulebase decryption rules <name> log-fail <yes|no>
set vsys <name> rulebase decryption rules <name> log-setting <value>
set vsys <name> rulebase authentication rules <name> source-hip [ <source-
hip1> <source-hip2>... ]
set vsys <name> rulebase authentication rules <name> destination-hip
[ <destination-hip1> <destination-hip2>... ]
set vsys <name> rulebase qos rules <name> source-hip [ <source-hip1>
<source-hip2>... ]
set vsys <name> rulebase qos rules <name> destination-hip [ <destination-
hip1> <destination-hip2>... ]
set vsys <name> rulebase sdwan rules <name> saas-quality-profile <value>
set vsys <name> rulebase sdwan rules <name> error-correction-profile <value>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 105

© 2021 Palo Alto Networks, Inc.
Set Commands Changed in PAN-OS 10.0
The following commands are modified in the 10.0 release.
Added decryption as an option for log-type.

set devicecongif system log-export-schedule<name> log-type <traffic|threat|

tunnel|userid|iptag|auth|url|hipmatch|wildfire|decryption|globalprotect>

Added every-hour as on option for recurring wildfire commands.

set deviceconfig system update-schedule wildfire recurring every-hour sync-

to-peer <yes|no>

Changed yes/no option to 0,1,2.

set deviceconfig setting ctd x-forwarded-for<0|1|2>

Added ha1 port <value> and ha1 port-backup <value>.

set deviceconfig high-availability interface ha1 port<value> <ha1-a|ha1-b|

management>
set deviceconfig high-availability interface ha1-backup port <value> <ha1-a|
ha1-b|management>

Added infinite and disable options also changed flap-max from 0-16 to 1-16.

set deviceconfig high-availability group election-option timers advanced

flap-max<1-16>|<infinite|disable>

Added decryption option.

set network shared-gateway<name> match-list <name> log-type <traffic|threat|

wildfire|url|data|tunnel|auth|decryption>

set shared log-settings profiles <name> match-list <name> log-type <traffic|

threat|wildfire|url|data|tunnel|auth|decryption>

set vsys log-settings profiles <name> match-list <name> log-type <traffic|

threat|wildfire|url|data|tunnel|auth|decryption>

Added xffr-address option.

set network shared-gateway<name> log-setting profiles <name> log-type <name>

actions <name> type tagging target <source-address|destination-address|
xffr-address|user>

Added TSL1-3 option.

106 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
 set shared profiles decryption<name> ssl-protocol-settings min-version
<sslv3|tls1-0|tls1-1|tls1-2|tls1-3>

set shared profiles decryption <name> ssl-protocol-settings max-version

<sslv3|tls1-0|tls1-1|tls1-2|tls1-3>

set shared ssl-tls-service-profile <name> ssl-protocol-settings max-version

<tls1-0|tls1-1|tls1-2|tls1-3|max>

set vsys <name> ssl-tls-service-profile <name> ssl-protocol-settings max-

version <tls1-0|tls1-1|tls1-2|tls1-3|max>

set vsys <name> profiles decryption <name> ssl-protocol-settings min-version

<tls1-0|tls1-1|tls1-2|tls1-3>

set vsys <name> ssl-tls-service-profile <name> ssl-protocol-settings max-

version <tls1-0|tls1-1|tls1-2|tls1-3|max>

Added60 and 90 day options.

set shared reports<name> period <last-15-minutes|last-hour|last-6-hrs|

last-12-hour|last-24-hours|last-calendar-day|last-7-days|last-7-calendar-
days|last-30-days|last-30-calendar-days|last-60-days|last-60-calendar-days|
last-90-days|last-90-calendar-days|last-calendar-month>

Added nunique-of-src-profile and nunique-of-dst_profile.

set shared reports<name> type threat sortby <repeatcnt|nunique-of-users|

nunique-of-src_profile|nunique-of-dst_profile>

set shared reports <name> type urlsum sortby <repeatcnt|nunique-of-users|

nunique-of-src_profile|nunique-of-dst_profile>

set vsys <name> type threat sortby <repeatcnt|nunique-of-users|nunique-of-

src_profile|nunique-of-dst_profile>

set vsys <name> reports <name> type urlsum sortby <repeatcnt|nunique-of-

users|nunique-of-src_profile|nunique-of-dst_profile>

Added xff_ip|src_dag|dst_dag|src_ed1|dst_ed1 options.

set vsys<name> reports <name> type wildfire group-by <app|category|

category-of-app|dport|dst|dstuser|from|inbound_if|misc|natdport|natdst|
natsport|natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|sport|src|
srcuser|subcategory-of-app|technology-of-app|container-of-app|to|dstloc|
srcloc|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-
receive_time|vsys_name|device_name|filetype|filename|filedigest|tunnelid|
monitortag|parent_session_id|parent_start_time|http2_connection|tunnel|
xff_ip|src_dag|dst_dag|src_edl|dst_edl>

set shared reports<name> type wildfire group-by <app|category|category-

of-app|dport|dst|dstuser|from|inbound_if|misc|natdport|natdst|natsport|
natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|sport|src|srcuser|
subcategory-of-app|technology-of-app|container-of-app|to|dstloc|srcloc|
vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time|
vsys_name|device_name|filetype|filename|filedigest|tunnelid|monitortag|

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 107

© 2021 Palo Alto Networks, Inc.
 parent_session_id|parent_start_time|http2_connection|tunnel|xff_ip|src_dag|
dst_dag|src_edl|dst_edl>

Added src_dag|dst_dag|src_ed1|dst_ed1 options.

set shared reports<name> type trsum sortby <bytes|sessions|bytes_sent|

bytes_received|nthreats|nftrans|ndpmatches|nurlcount|chunks|chunks_sent|
chunks_received|ncontent|nunique-of-apps|nunique-of-users|nunique-of-
src_profile|nunique-of-dst_profile>

set shared reports <name> type tunnelsum group-by <action|app|category-of-

app|dst|risk-of-app|rule|rule_uuid|src|subcategory-of-app|technology-of-
app|containerof-app|dstloc|srcloc|vsys|quarter-hour-of-receive_time|hour-
of-receive_time|day-of-receive_time|serial|vsys_name|device_name|tunnelid|
monitortag|parent_session_id|parent_start_time|tunnel|tunnel_insp_rule|
src_dag|dst_dag|src_edl|dst_edl>

set vsys <name> reports <name> type tunnel group-by <action|app|category-

of-app|dport|dst|dstuser|from|inbound_if|natdport|natdst|natsport|
natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|sessionid|sport|src|
srcuser|subcategory-of-app|technology-of-app|container-of-app|to|dstloc|
srcloc|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-
receive_time|vsys_name|device_name|tunnelid|monitortag|parent_session_id|
parent_start_time|session_end_reason|action_source|tunnel|tunnel_insp_rule|
src_dag|dst_dag|src_edl|dst_edl>

set vsys <name> reports <name> type tunnlesum group-by <action|app|category-

of-app|dst|risk-of-app|rule|rule_uuid|src|subcategory-of-app|technology-of-
app|container-of-app|dstloc|srcloc|vsys|quarter-hour-of-receive_time|hour-
of-receive_timeday-of-receive_time|serial|vsys_name|device_name|tunnelid|
monitortag|parent_session_id|parent_start_time|tunnel|tunnel_insp_rule|
src_dag|dst_dag|src_edl|dst_edl>

Added nunique-of-hostid option.

set shared reports<name> type globalprotect sortby <repeatcnt|nunique-of-

ips|nunique-of-gateways|nunique-of-users|nunique-of-hostid>

set vsys <name> reports <name> type globalprotect sortby <repeatcnt|nunique-

of-ips|nunique-of-gateways|nunique-of-users|nunique-of-hostid>

Added vsys|gateway|selection_type|response_time|priority|attempted_gateways
options.

set vsys<name> reports <name> type globalprotect sortby <serial|

time_generated|vsys_name|device_name|vsys|eventid|status|stage|auth_method|
tunnel_type|portal|srcuser|srcregion|machinename|public_ip|public_ipv6|
private_ip|private_ipv6|hostid|serialnumber|client_ver|client_os|
client_os_ver|login_duration|connect_method|reason|error_code|error|opaque|
gateway|selection_type|response_time|priority|attempted_gateways|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time>

set shared reports<name> type globalprotect group-by <serial|time_generated|

vsys_name|device_name|vsys|eventid|status|stage|auth_method|tunnel_type|
portal|srcuser|srcregion|machinename|public_ip|public_ipv6|private_ip|
private_ipv6|hostid|serialnumber|client_ver|client_os|client_os_ver|
login_duration|connect_method|reason|error_code|error|opaque|gateway|

108 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
 selection_type|response_time|priority|attempted_gateways|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time>

Added xff-address option.

set shared log-settings userid match-list<name> actions <name> type tagging

target <source-address|destination-address|xff-address|user>

set shared log-settings iptag match-list <name> actions <name> type tagging
target <source-address|destination-address|xff-address|user>

set shared log-settings globalprotect match-list <name> actions <name> type

target <source-address|destination-address|xff-address|user>

set shared log-settings hipmatch match-list <name> actions <name> type

target <source-address|destination-address|xff-address|user>

set shared log-settings correlation match-list <name> actions <name> type

target <source-address|destination-address|xff-address|user>

set shared log-settings profiles match-list <name> actions <name> type

target <source-address|destination-address|xff-address|user>

set vsys log-settings profiles <name> match-list <name> actions <name> type
target <source-address|destination-address|xff-address|user>

Changed 1-10000 to float.

set vsys<name> sdwan-interface-profile <name> maximum-download <float>

set vsys <name> sdwan-interface-profile <name> maximum-upload <float>

Added options to:

set vsys<name> reports <name> type url group-by <action|app|category|

category-of-app|direction|dport|dst|dstuser|from|inbound_if|misc|
http_headers|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-
of-app|rule|rule_uuid|severity|sport|src|srcuser|subcategory-of-app|
technology-of-app|container-of-app|to|dstloc|srcloc|vsys|quarter-hour-
of-receive_time|hour-of-receive_time|day-of-receive_time|contenttype|
user_agent|device_name|vsys_name|url|tunnelid|monitortag|parent_session_id|
parent_start_time|http2_connection|tunnel|http_method|url_category_list|
xff_ip|container_id|pod_namespace|pod_name|src_dag|dst_dag|src_edl|dst_edl|
src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|
src_host|src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac>

Added Xff_ip|src_dag|dst_dag|src_ed1|dst_ed1 options.

set vsys<name> reports <name> type wildfire group-by <app|category|category-

of-app|dport|dst|dstuser|from|inbound_if|misc|natdport|natdst|natsport|
natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|sport|src|srcuser|
subcategory-of-app|technology-of-app|container-of-app|to|dstloc|srcloc|
vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time|
vsys_name|device_name|filetype|filename|filedigest|tunnelid|monitortag|
parent_session_id|parent_start_time|http2_connection|tunnel|xff_ip|src_dag|
dst_dag|src_edl|dst_edl>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 109

© 2021 Palo Alto Networks, Inc.
 Added xff_ip|src_dag|dst_dag| options.

set vsys<name> reports <name> type data group-by <app|category|category-

of-app|dport|dst|dstuser|from|inbound_if|misc|natdport|natdst|natsport|
natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|sport|src|srcuser|
subcategory-of-app|technology-of-app|container-of-app|to|dstloc|srcloc|
vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time|
vsys_name|device_name|filetype|filename|filedigest|tunnelid|monitortag|
parent_session_id|parent_start_time|http2_connection|tunnel|xff_ip|src_dag|
dst_dag>

110 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
Set Commands Removed in PAN-OS 10.0
The following commands are no longer available in the 10.0 release.
Replaced set deviceconfig system ssh ciphers with set deviceconfig system ssh
profiles.

set deviceconfig system ssh ciphers

set deviceconfig system ssh mac
set deviceconfig system ssh kex

Replaced set deviceconfig system ssh ciphers, kex, mac mgmt with set deviceconfig
system ssh profiles mgmt-profiles and set deviceconfig system ssh mgmt

set deviceconfig system ssh ciphers mgmt

set deviceconfig system ssh mac mgmt
set deviceconfig system ssh kex mgmt

The following commands are no longer available.

set deviceconfig system ssh default-hostkey

set deviceconfig system ssh default-hostkey ha
set deviceconfig system ssh default-hostkey ha key-type
set deviceconfig system ssh default-hostkey ha key-type ECDSA<256|384|521>
set deviceconfig system ssh default-hostkey ha key-type RSA <2048|3072|4096>
set deviceconfig system ssh default-hostkey mgmt
set deviceconfig system ssh default-hostkey mgmt key-type
set deviceconfig system ssh default-hostkey mgmt key-type ECDSA <256|384|
521>
set deviceconfig system ssh default-hostkey mgmt key-type RSA <2048|3072|
4096>
set deviceconfig system ssh default-hostkey mgmt key-type all

set deviceconfig system ssh session-rekey

set deviceconfig system ssh session-rekey ha
set deviceconfig system ssh session-rekey ha data<10-4000>|<default>
set deviceconfig system ssh session-rekey ha interval <10-3600>|<none>
set deviceconfig system ssh session-rekey ha packets <12-27>|<default>
set deviceconfig system ssh session-rekey mgmt
set deviceconfig system ssh session-rekey mgmt data <10-4000>|<default>
set deviceconfig system ssh session-rekey mgmt interval <10-3600>|<none>
set deviceconfig system ssh session-rekey mgmt packets <12-27>|<default>

set deviceconfig high-availability group monitoring path-monitoring path-

group virtual-wire<name> destination-ip [ <destination-ip1> <destination-
ip2>... ]
set deviceconfig high-availability group monitoring path-monitoring path-
group vlan <name> destination-ip [ <destination-ip1> <destination-ip2>... ]
set deviceconfig high-availability group monitoring path-monitoring
path-group virtual-router <name> destination-ip [ <destination-ip1>
<destination-ip2>... ]

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 111

© 2021 Palo Alto Networks, Inc.
 set shared profiles hip-objects<name> host-info criteria os contains IoT
<value>
set shared profiles url-filtering <name> categorychange [ <categorychange1>
<categorychange2>... ]

set shared reports <name> type appstat group-by <category-of-name|name|

risk|risk-of-name|technology-of-name|container-of-name|vsys|quarter-hour-of-
receive_time|hour-of-receive_time|day-of-receive_time|vsys_name>

set shared reports <name> type appstat group-by <category-of-name|name|

risk|risk-of-name|subcategory-of-name|technology-of-name|container-of-name|
vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time|
vsys_name>

set shared reports <name> type appstat sortby <nbytes|npkts|nsess|nthreats>

set shared reports <name> type threat group-by <action|app|category-of-

app|category-of-threatid|direction|dport|dst|dstuser|from|inbound_if|
misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|
rule_uuid|severity|sport|src|srcuser|subcategory-of-app|subtype|technology-
of-app|container-of-app|threatid|to|dstloc|srcloc|vsys|quarter-hour-of-
receive_time|hour-of-receive_time|day-of-receive_time|vsys_name|device_name|
threat-type|tunnelid|monitortag|parent_session_id|parent_start_time|
http2_connection|tunnel|http_method>

set shared reports <name> type thsum sortby <count|nunique-of-users>

set shared reports <name> type traffic group-by <action|app|category|

category-of-app|dport|dst|dstuser|from|inbound_if|natdport|natdst|natsport|
natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|sessionid|sport|src|
srcuser|subcategory-of-app|technology-of-app|container-of-app|to|dstloc|
srcloc|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-
receive_time|session_end_reason|vsys_name|device_name|action_source|
tunnelid|monitortag|parent_session_id|parent_start_time|http2_connection|
tunnel>

set shared reports <name> type urlsum group-by <app|src|srcuser|category|

dst|dstuser|rule|rule_uuid|dstloc|srcloc|vsys_name|device_name|from|
to|serial|inbound_if|outbound_if|dport|action|url_domain|user_agent|
category-of-app|subcategory-of-app|risk-of-app|vsys|quarter-hour-of-
receive_time|hour-of-receive_time|day-of-receive_time|tunnelid|monitortag|
parent_session_id|parent_start_time|http2_connection|tunnel|http_method|
url_category_list|dynusergroup_name>

set shared reports <name> type trsum group-by <action|app|category|category-

of-app|dport|dst|dstuser|from|inbound_if|outbound_if|risk-of-app|rule|
rule_uuid|src|srcuser|subcategory-of-app|technology-of-app|container-of-
app|to|dstloc|srcloc|vsys|quarter-hour-of-receive_time|hour-of-receive_time|
day-of-receive_time|serial|vsys_name|device_name|tunnelid|monitortag|
parent_session_id|parent_start_time|http2_connection|tunnel>

set shared reports <name> type trsum sortby <bytes|sessions|bytes_sent|

bytes_received|nthreats|nftrans|ndpmatches|nurlcount|ncontent|nunique-of-
users|nunique-of-apps>

set shared reports <name> type userid group-by <vsys|quarter-hour-of-

receive_time|hour-of-receive_time|day-of-receive_time|vsys_name|device_name|

112 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
ip|user|datasourcename|beginport|endport|datasource|datasourcetype|
factortype|factorcompletiontime|factorno|subtype>

set shared reports <name> type auth group-by <time_generated|vsys|quarter-

hour-of-receive_time|hour-of-receive_time|day-of-receive_time|vsys_name|
device_name|ip|user|normalize_user|object|authpolicy|authid|vendor|
clienttype|serverprofile|desc|event|factorno|authproto|rule_uuid>

set shared reports <name> type iptag group-by <time_generated|vsys|

quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time|
vsys_name|device_name|ip|tag_name|event_id|datasourcename|datasource_type|
datasource_subtype>

set shared reports <name> type hipmatch group-by <machinename|matchname|

src|srcipv6|srcuser|matchtype|vsys|device_name|vsys_name|os|quarter-hour-of-
receive_time|hour-of-receive_time|day-of-receive_time>

set shared reports <name> type hipmatch group-by <machinename|matchname|

src|srcipv6|srcuser|matchtype|vsys|device_name|vsys_name|os|quarter-hour-of-
receive_time|hour-of-receive_time|day-of-receive_time>

set shared reports <name> type hipmatch labels [ <labels1> <labels2>... ]

set shared reports <name> type hipmatch last-match-by <time_generated>

set shared reports <name> type hipmatch sortby <repeatcnt>

set shared admin-role<name> role device webui network global-protect device-

block-list <enable|read-only|disable>

set vsys <name> ssl-tls-service-profile <name> protocol-settings max-version

<tls1-0|tls1-1|tls1-2|max>
set vsys <name> user-id-agent
set vsys <name> user-id-agent <name>
set vsys <name> user-id-agent <name> serial-number <value>
set vsys <name> user-id-agent <name> host-port
set vsys <name> user-id-agent <name> host-port host <ip/netmask>|<value>
set vsys <name> user-id-agent <name> host-port port <1-65535>
set vsys <name> user-id-agent <name> host-port ldap-proxy <yes|no>
set vsys <name> user-id-agent <name> host-port ntlm-auth <yes|no>
set vsys <name> user-id-agent <name> host-port collectorname <value>
set vsys <name> user-id-agent <name> host-port secret <value>
set vsys <name> user-id-agent <name> disabled <yes|no>
set vsys <name> user-id-agent <name> enable-hip-collection <yes|no>
set vsys <name> user-id-agent-sequence
set vsys <name> user-id-agent-sequence user-id-agents [ <user-id-agents1>
<user-id-agents2>... ]
set vsys <name> user-id-collector setting collectorname <value>
set vsys <name> user-id-collector setting secret <value>

set vsys <name> profiles hip-objects <name> host-info criteria os contains

IoT <value>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 113

© 2021 Palo Alto Networks, Inc.
 set vsys <name> reports <name> period <last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-7-calendar-days|
last-calendar-week|last-30-days|last-30-calendar-days|last-calendar-month>

set vsys <name> reports <name> type appstat group-by <category-of-name|name|

risk|risk-of-name|subcategory-of-name|technology-of-name|container-of-name|
vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time|
vsys_name>

set vsys <name> reports <name> type appstat sortby <nbytes|npkts|nsess|

nthreats>

set vsys <name> reports <name> type threat group-by <action|app|category-

of-app|category-of-threatid|direction|dport|dst|dstuser|from|inbound_if|
misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|
rule_uuid|severity|sport|src|srcuser|subcategory-of-app|subtype|technology-
of-app|container-of-app|threatid|to|dstloc|srcloc|vsys|quarter-hour-of-
receive_time|hour-of-receive_time|day-of-receive_time|vsys_name|device_name|
threat-type|tunnelid|monitortag|parent_session_id|parent_start_time|
http2_connection|tunnel|http_method>

set vsys <name> reports <name> type url group-by <action|app|category|

category-of-app|direction|dport|dst|dstuser|from|inbound_if|misc|
http_headers|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|
rule|rule_uuid|severity|sport|src|srcuser|subcategory-of-app|technology-
of-app|container-of-app|to|dstloc|srcloc|vsys|quarter-hour-of-receive_time|
hour-of-receive_time|day-of-receive_time|contenttype|user_agent|vsys_name|
device_name|url|tunnelid|monitortag|parent_session_id|parent_start_time|
http2_connection|tunnel|http_method|url_category_list>

set vsys <name> reports <name> type wildfire group-by <app|category|

category-of-app|dport|dst|dstuser|from|inbound_if|misc|natdport|natdst|
natsport|natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|sport|src|
srcuser|subcategory-of-app|technology-of-app|container-of-app|to|dstloc|
srcloc|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-
receive_time|vsys_name|device_name|filetype|filename|filedigest|tunnelid|
monitortag|parent_session_id|parent_start_time|http2_connection|tunnel>

set vsys <name> reports <name> type data group-by <action|app|category-

of-app|direction|dport|dst|dstuser|from|inbound_if|misc|natdport|natdst|
natsport|natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|severity|
sport|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-
of-app|threatid|to|dstloc|srcloc|vsys|quarter-hour-of-receive_time|hour-of-
receive_time|day-of-receive_time|vsys_name|device_name|data-type|filename|
tunnelid|monitortag|parent_session_id|parent_start_time|http2_connection|
tunnel>

set vsys <name> reports <name> type thsum group-by <action|app|category-

of-app|category-of-threatid|direction|dport|dst|dstuser|from|inbound_if|
outbound_if|risk-of-app|rule|rule_uuid|severity|src|srcuser|subcategory-
of-app|subtype|technology-of-app|container-of-app|to|threatid|dstloc|
srcloc|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-
of-receive_time|serial|vsys_name|device_name|threat-type|tunnelid|
monitortag|parent_session_id|parent_start_time|http2_connection|tunnel|
dynusergroup_name>

set vsys <name> reports <name> type thsum sortby <count|nunique-of-users>

set vsys <name> reports <name> type traffic group-by <action|app|category|

category-of-app|dport|dst|dstuser|from|inbound_if|natdport|natdst|natsport|

114 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|sessionid|sport|src|
srcuser|subcategory-of-app|technology-of-app|container-of-app|to|dstloc|
srcloc|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-
receive_time|session_end_reason|vsys_name|device_name|action_source|
tunnelid|monitortag|parent_session_id|parent_start_time|http2_connection|
tunnel>

set vsys <name> reports <name> type traffic sortby <bytes|bytes_sent|

bytes_received|elapsed|packets|pkts_sent|pkts_received|repeatcnt|nunique-of-
users>

set vsys <name> reports <name> type urlsum group-by <app|src|srcuser|

category|dst|dstuser|rule|rule_uuid|dstloc|srcloc|vsys_name|device_name|
from|to|serial|inbound_if|outbound_if|dport|action|url_domain|user_agent|
category-of-app|subcategory-of-app|risk-of-app|vsys|quarter-hour-of-
receive_time|hour-of-receive_time|day-of-receive_time|tunnelid|monitortag|
parent_session_id|parent_start_time|http2_connection|tunnel|http_method|
url_category_list|dynusergroup_name>

set vsys <name> reports <name> type urlsum sortby <repeatcnt|nunique-of-

users>

set vsys <name> reports <name> type trsum group-by <action|app|category|

category-of-app|dport|dst|dstuser|from|inbound_if|outbound_if|risk-of-
app|rule|rule_uuid|src|srcuser|subcategory-of-app|technology-of-app|
container-of-app|to|dstloc|srcloc|vsys|quarter-hour-of-receive_time|hour-
of-receive_time|day-of-receive_time|serial|vsys_name|device_name|tunnelid|
monitortag|parent_session_id|parent_start_time|http2_connection|tunnel>

set vsys <name> reports <name> type trsum sortby <bytes|sessions|bytes_sent|

bytes_received|nthreats|nftrans|ndpmatches|nurlcount|ncontent|nunique-of-
users|nunique-of-apps>

set vsys<name> reports <name> type tunnel group-by <action|app|category-

of-app|dport|dst|dstuser|from|inbound_if|natdport|natdst|natsport|
natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|sessionid|sport|src|
srcuser|subcategory-of-app|technology-of-app|container-of-app|to|dstloc|
srcloc|vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-
receive_time|vsys_name|device_name|tunnelid|monitortag|parent_session_id|
parent_start_time|session_end_reason|action_source|tunnel|tunnel_insp_rule>

set vsys <name> reports <name> type tunnelsum group-by <action|app|category-

of-app|dst|risk-of-app|rule|rule_uuid|src|subcategory-of-app|technology-of-
app|container-of-app|dstloc|srcloc|vsys|quarter-hour-of-receive_time|hour-
of-receive_time|day-of-receive_time|serial|vsys_name|device_name|tunnelid|
monitortag|parent_session_id|parent_start_time|tunnel|tunnel_insp_rule>

set vsys <name> reports <name> type userid group-by <vsys|quarter-hour-of-

receive_time|hour-of-receive_time|day-of-receive_time|vsys_name|device_name|
ip|user|datasourcename|beginport|endport|datasource|datasourcetype|
factortype|factorcompletiontime|factorno|subtype>

set vsys <name> reports <name> type auth group-by <time_generated|vsys|

quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time|
vsys_name|device_name|ip|user|normalize_user|object|authpolicy|authid|
vendor|clienttype|serverprofile|desc|event|factorno|authproto|rule_uuid>

set vsys <name> reports <name> type auth sortby <repeatcnt|vendor|

time_generated>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 115

© 2021 Palo Alto Networks, Inc.
 set vsys <name> reports <name> type iptag group-by <time_generated|vsys|
quarter-hour-of-receive_time|hour-of-receive_time|day-of-receive_time|
vsys_name|device_name|ip|tag_name|event_id|datasourcename|datasource_type|
datasource_subtype>

116 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
Show Commands Introduced in PAN-OS 10.0
The following commands are new in the 10.0 release.

show deviceconfig system ssh profiles ha-profiles<name>show deviceconfig

system ssh ciphers have been replaced with new show deviceconfig system ssh
profiles

show deviceconfig system ssh profiles ha-profiles <name>

show deviceconfig system ssh profiles
show deviceconfig system ssh profiles
key-type
show deviceconfig system ssh profiles
show deviceconfig system ssh profiles
show deviceconfig system ssh profiles
show deviceconfig system ssh profiles
show deviceconfig system ssh profiles
show deviceconfig system ssh profiles
default-hostkey
show deviceconfig system ssh profiles
default-hostkey key-type
show deviceconfig system ssh profiles
default-hostkey key-type all
show deviceconfig system ssh profiles
session-rekey
show deviceconfig system ssh mgmt
ha-profiles <name> default-hostkey
ha-profiles <name> default-hostkey
ha-profiles <name> session-rekey
mgmt-profiles client-profiles
mgmt-profiles client-profiles <name>
mgmt-profiles server-profiles
mgmt-profiles server-profiles <name>
mgmt-profiles server-profiles <name>
mgmt-profiles server-profiles <name>
mgmt-profiles server-profiles <name>
mgmt-profiles server-profiles <name>

show deviceconfig system device-telemetry

show deviceconfig system update-schedule wildfire recurring real-time

show deviceconfig setting filemgr-service-setting
show deviceconfig setting captive-portal
show deviceconfig setting logging enhanced-application-logging disable-
global dp-channel
show deviceconfig setting management secure-conn-server
show deviceconfig setting management admin-session
show deviceconfig setting iot
show deviceconfig setting iot edge

show deviceconfig high-availability interface ha4

show deviceconfig high-availability interface ha4-backup
show deviceconfig high-availability cluster
show deviceconfig high-availability cluster cluster-members
show deviceconfig high-availability cluster cluster-members<name>

show deviceconfig high-availability group monitoring path-monitoring path-

group virtual-wire<name> destination-ip-group

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 117

© 2021 Palo Alto Networks, Inc.
 show deviceconfig high-availability group monitoring path-monitoring path-
group virtual-wire <name> destination-ip-group <name>

show deviceconfig high-availability group monitoring path-monitoring path-

group vlan <name> destination-ip-group

show deviceconfig high-availability group monitoring path-monitoring path-

group vlan <name> destination-ip-group <name>

show deviceconfig high-availability group monitoring path-monitoring path-

group virtual-router <name> destination-ip-group

show deviceconfig high-availability group monitoring path-monitoring path-

group virtual-router <name> destination-ip-group <name>

show deviceconfig high-availability group monitoring path-monitoring path-

group logical-router

show deviceconfig high-availability group monitoring path-monitoring path-

group logical-router <name>

show deviceconfig high-availability group monitoring path-monitoring path-

group logical-router <name> destination-ip-group

show deviceconfig high-availability group monitoring path-monitoring path-

group logical-router <name> destination-ip-group <name>

show mgt-config users<name> preferences saved-log-query decryption

show mgt-config users <name> preferences saved-log-query decryption <name>

show network profiles zone-protection-profile <name> l2-sec-group-tag-

protection
show network profiles zone-protection-profile <name> l2-sec-group-tag-
protection tags
show network profiles zone-protection-profile <name> l2-sec-group-tag-
protection tags <name>

show network logical-router

show network logical-router<name>
show network logical-router <name> vrf
show network logical-router <name> vrf <name>
show network logical-router <name> vrf <name> bgp
show network logical-router <name> vrf <name> bgp med
show network logical-router <name> vrf <name> bgp graceful-restart
show network logical-router <name> vrf <name> bgp peer-group
show network logical-router <name> vrf <name> bgp peer-group <name>
show network logical-router <name> vrf <name> bgp peer-group <name> type
show network logical-router <name> vrf <name> bgp peer-group <name> type
ibgp
show network logical-router <name> vrf <name> bgp peer-group <name> type
ebgp
show network logical-router <name> vrf <name> bgp peer-group <name> address-
family
show network logical-router <name> vrf <name> bgp peer-group <name> address-
family ipv4

118 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
show network logical-router <name> vrf <name> bgp peer-group <name> address-
family ipv6
show network logical-router <name> vrf <name> bgp peer-group <name>
connection-options
show network logical-router <name> vrf <name> bgp peer-group <name> peer
show network logical-router <name> vrf <name> bgp peer-group <name> peer
<name>
show network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> address-family
show network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> address-family ipv4
show network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> address-family ipv6
show network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> local-address
show network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> peer-address
show network logical-router <name> vrf <name> bgp peer-group <name> peer
<name> connection-options
show network logical-router <name> vrf <name> bgp redistribution-rule
show network logical-router <name> vrf <name> bgp redistribution-rule ipv4
show network logical-router <name> vrf <name> bgp redistribution-rule ipv6
show network logical-router <name> vrf <name> bgp address-family-identifier
show network logical-router <name> vrf <name> bgp address-family-identifier
ipv4
show network logical-router <name> vrf <name> bgp address-family-identifier
ipv4 network
show network logical-router <name> vrf <name> bgp address-family-identifier
ipv4 network <name>
show network logical-router <name> vrf <name> bgp address-family-identifier
ipv6
show network logical-router <name> vrf <name> bgp address-family-identifier
ipv6 network
show network logical-router <name> vrf <name> bgp address-family-identifier
ipv6 network <name>
show network logical-router <name> vrf <name> routing-table
show network logical-router <name> vrf <name> routing-table ip
show network logical-router <name> vrf <name> routing-table ip static-route
show network logical-router <name> vrf <name> routing-table ip static-route
<name>
show network logical-router <name> vrf <name> routing-table ip static-route
<name> nexthop
show network logical-router <name> vrf <name> routing-table ip static-route
<name> nexthop discard
show network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor
show network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor monitor-destinations
show network logical-router <name> vrf <name> routing-table ip static-route
<name> path-monitor monitor-destinations <name>
show network logical-router <name> vrf <name> routing-table ipv6
show network logical-router <name> vrf <name> routing-table ipv6 static-
route
show network logical-router <name> vrf <name> routing-table ipv6 static-
route <name>
show network logical-router <name> vrf <name> routing-table ipv6 static-
route <name> nexthop
show network logical-router <name> vrf <name> routing-table ipv6 static-
route <name> nexthop discard
show network logical-router <name> vrf <name> routing-table ipv6 static-
route <name> path-monitor

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 119

© 2021 Palo Alto Networks, Inc.
 show network logical-router <name> vrf <name> routing-table ipv6 static-
route <name> path-monitor monitor-destinations
show network logical-router <name> vrf <name> routing-table ipv6 static-
route <name> path-monitor monitor-destinations <name>
show network logical-router <name> vrf <name> ecmp
show network logical-router <name> vrf <name> ecmp algorithm
show network logical-router <name> vrf <name> ecmp algorithm ip-modulo
show network logical-router <name> vrf <name> ecmp algorithm ip-hash
show network logical-router <name> vrf <name> ecmp algorithm weighted-round-
robin
show network logical-router <name> vrf <name> ecmp algorithm weighted-round-
robin interface
show network logical-router <name> vrf <name> ecmp algorithm weighted-round-
robin interface <name>
show network logical-router <name> vrf <name> ecmp algorithm balanced-round-
robin

show network routing-profile

show network routing-profile bgp
show network routing-profile bgp auth-profile
show network routing-profile bgp auth-profile<name>
show network routing-profile bgp timer-profile
show network routing-profile bgp timer-profile <name>
show network routing-profile bgp address-family-profile
show network routing-profile bgp address-family-profile <name>
show network routing-profile bgp address-family-profile <name> ipv4
show network routing-profile bgp address-family-profile <name> ipv4 unicast
show network routing-profile bgp address-family-profile <name> ipv4 unicast
add-path
show network routing-profile bgp address-family-profile <name> ipv4 unicast
allowas-in
show network routing-profile bgp address-family-profile <name> ipv4 unicast
allowas-in origin
show network routing-profile bgp address-family-profile <name> ipv4 unicast
maximum-prefix
show network routing-profile bgp address-family-profile <name> ipv4 unicast
maximum-prefix action
show network routing-profile bgp address-family-profile <name> ipv4 unicast
maximum-prefix action warning-only
show network routing-profile bgp address-family-profile <name> ipv4 unicast
maximum-prefix action restart
show network routing-profile bgp address-family-profile <name> ipv4 unicast
next-hop
show network routing-profile bgp address-family-profile <name> ipv4 unicast
next-hop self
show network routing-profile bgp address-family-profile <name> ipv4 unicast
next-hop self-force
show network routing-profile bgp address-family-profile <name> ipv4 unicast
remove-private-AS
show network routing-profile bgp address-family-profile <name> ipv4 unicast
remove-private-AS all
show network routing-profile bgp address-family-profile <name> ipv4 unicast
remove-private-AS replace-AS
show network routing-profile bgp address-family-profile <name> ipv4 unicast
send-community
show network routing-profile bgp address-family-profile <name> ipv4 unicast
send-community all
show network routing-profile bgp address-family-profile <name> ipv4 unicast
send-community both

120 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
show network routing-profile bgp address-family-profile <name> ipv4 unicast
send-community extended
show network routing-profile bgp address-family-profile <name> ipv4 unicast
send-community large
show network routing-profile bgp address-family-profile <name> ipv4 unicast
send-community standard
show network routing-profile bgp address-family-profile <name> ipv6
show network routing-profile bgp address-family-profile <name> ipv6 unicast
show network routing-profile bgp address-family-profile <name> ipv6 unicast
add-path
show network routing-profile bgp address-family-profile <name> ipv6 unicast
allowas-in
show network routing-profile bgp address-family-profile <name> ipv6 unicast
allowas-in origin
show network routing-profile bgp address-family-profile <name> ipv6 unicast
maximum-prefix
show network routing-profile bgp address-family-profile <name> ipv6 unicast
maximum-prefix action
show network routing-profile bgp address-family-profile <name> ipv6 unicast
maximum-prefix action warning-only
show network routing-profile bgp address-family-profile <name> ipv6 unicast
maximum-prefix action restart
show network routing-profile bgp address-family-profile <name> ipv6 unicast
next-hop
show network routing-profile bgp address-family-profile <name> ipv6 unicast
next-hop self
show network routing-profile bgp address-family-profile <name> ipv6 unicast
next-hop self-force
show network routing-profile bgp address-family-profile <name> ipv6 unicast
remove-private-AS
show network routing-profile bgp address-family-profile <name> ipv6 unicast
remove-private-AS all
show network routing-profile bgp address-family-profile <name> ipv6 unicast
remove-private-AS replace-AS
show network routing-profile bgp address-family-profile <name> ipv6 unicast
send-community
show network routing-profile bgp address-family-profile <name> ipv6 unicast
send-community all
show network routing-profile bgp address-family-profile <name> ipv6 unicast
send-community both
show network routing-profile bgp address-family-profile <name> ipv6 unicast
send-community extended
show network routing-profile bgp address-family-profile <name> ipv6 unicast
send-community large
show network routing-profile bgp address-family-profile <name> ipv6 unicast
send-community standard
show network routing-profile bgp redistribution-profile
show network routing-profile bgp redistribution-profile <name>
show network routing-profile bgp redistribution-profile <name> ipv4
show network routing-profile bgp redistribution-profile <name> ipv4 unicast
show network routing-profile bgp redistribution-profile <name> ipv4 unicast
static
show network routing-profile bgp redistribution-profile <name> ipv4 unicast
connected
show network routing-profile bgp redistribution-profile <name> ipv6
show network routing-profile bgp redistribution-profile <name> ipv6 unicast
show network routing-profile bgp redistribution-profile <name> ipv6 unicast
static

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 121

© 2021 Palo Alto Networks, Inc.
 show network routing-profile bgp redistribution-profile <name> ipv6 unicast
connected

show network shared-gateway <name> log-settings http <name> format

decryption
show network shared-gateway <name> log-settings http <name> format
decryption headers
show network shared-gateway <name> log-settings http <name> format
decryption headers <name>
show network shared-gateway <name> log-settings http <name> format
decryption params
show network shared-gateway <name> log-settings http <name> format
decryption params <name>

show shared device-object

show shared device-object<name>

Added support for mlav-engine

show shared profiles virus <name> mlav-engine-filebased-enabled
show shared profiles virus <name> mlav-engine-filebased-enabled <name>
show shared profiles virus <name> mlav-exception
show shared profiles virus <name> mlav-exception <name>

Added support for botnet-domains:

show shared profiles spyware <name>
show shared profiles spyware <name>
<name>
show shared profiles spyware <name>
show shared profiles spyware <name>
botnet-domains dns-security-categories
botnet-domains dns-security-categories
botnet-domains whitelist
botnet-domains whitelist <name>

show shared profiles url-filtering <name> mlav-engine-urlbased-enabled

show shared profiles url-filtering <name> mlav-engine-urlbased-enabled
<name>

Added suppoprt for SaaS quality profiles:

show shared profiles sdwan-saas-quality
show shared profiles sdwan-saas-quality <name>
show shared profiles sdwan-saas-quality <name> monitor-mode
show shared profiles sdwan-saas-quality <name> monitor-mode adaptive
show shared profiles sdwan-saas-quality <name> monitor-mode static-ip
show shared profiles sdwan-saas-quality <name> monitor-mode static-ip ip-
address
show shared profiles sdwan-saas-quality <name> monitor-mode static-ip ip-
address <name>
show shared profiles sdwan-saas-quality <name> monitor-mode static-ip fqdn
show shared profiles sdwan-saas-quality <name> monitor-mode http-https

122 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
Added support for SDWAN error correction:
show shared profiles sdwan-error-correction
show shared profiles sdwan-error-correction <name>
show shared profiles sdwan-error-correction <name> mode
show shared profiles sdwan-error-correction <name> mode forward-error-
correction
show shared profiles sdwan-error-correction <name> mode packet-duplication

show shared external-list <name> type predefined-url

show shared reports <name> type decryption
show shared reports <name> type desum
show shared reports <name> type data

show shared log-settings http <name> format decryption

show shared log-settings http <name> format decryption headers
show shared log-settings http <name> format decryption headers <name>
show shared log-settings http <name> format decryption params
show shared log-settings http <name> format decryption params <name>
show vsys <name> log-settings http <name> format decryption
show vsys <name> log-settings http <name> format decryption headers
show vsys <name> log-settings http <name> format decryption headers <name>
show vsys <name> log-settings http <name> format decryption params
show vsys <name> log-settings http <name> format decryption params <name>

show shared admin-role <name> role device webui network routing

show shared admin-role <name> role device webui network routing routing-
profiles
show shared admin-role <name> role device webui operations
show shared admin-role <name> role device restapi
show shared admin-role <name> role device restapi objects
show shared admin-role <name> role device restapi policies
show shared admin-role <name> role device restapi network
show shared admin-role <name> role device restapi device

show shared admin-role <name> role vsys webui operations

show shared admin-role <name> role vsys restapi
show shared admin-role <name> role vsys restapi objects
show shared admin-role <name> role vsys restapi policies
show shared admin-role <name> role vsys restapi network
show shared admin-role <name> role vsys restapi device

show shared icd

show shared icd cloud-addr

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 123

© 2021 Palo Alto Networks, Inc.
 show vsys <name> redistribution-agent
show vsys <name> redistribution-agent <name>
show vsys <name> redistribution-agent <name> host-port
show vsys <name> ipuser-include-exclude-list
show vsys <name> ipuser-include-exclude-list include-exclude-network
show vsys <name> ipuser-include-exclude-list include-exclude-network <name>
show vsys <name> ipuser-include-exclude-list include-exclude-network-
sequence
show vsys <name> iptag-include-exclude-list
show vsys <name> iptag-include-exclude-list include-exclude-network
show vsys <name> iptag-include-exclude-list include-exclude-network <name>
show vsys <name> iptag-include-exclude-list include-exclude-network-sequence
show vsys <name> redistribution-collector
show vsys <name> redistribution-collector setting
show vsys <name> zone <name> device-acl
show vsys <name> global-protect global-protect-portal <name> client-config
configs <name> hip-collection custom-checks linux

show vsys <name> profiles virus <name> mlav-engine-filebased-enabled

show vsys <name> profiles virus <name> mlav-engine-filebased-enabled <name>
show vsys <name> profiles virus <name> mlav-exception
show vsys <name> profiles virus <name> mlav-exception <name>
show vsys <name> profiles spyware <name> botnet-domains dns-security-
categories
show vsys <name> profiles spyware <name> botnet-domains dns-security-
categories <name>
show vsys <name> profiles spyware <name> botnet-domains whitelist
show vsys <name> profiles spyware <name> botnet-domains whitelist <name>
show vsys <name> profiles url-filtering <name> mlav-engine-urlbased-enabled
show vsys <name> profiles url-filtering <name> mlav-engine-urlbased-enabled
<name>

show vsys <name> profiles sdwan-saas-quality

show vsys <name> profiles sdwan-saas-quality <name>
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode adaptive
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode static-ip
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode static-ip
ip-address
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode static-ip
ip-address <name>
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode static-ip
fqdn
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode http-https
show vsys <name> profiles sdwan-error-correction
show vsys <name> profiles sdwan-error-correction <name>
show vsys <name> profiles sdwan-error-correction <name> mode
show vsys <name> profiles sdwan-error-correction <name> mode forward-error-
correction
show vsys <name> profiles sdwan-error-correction <name> mode packet-
duplication

124 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0

© 2021 Palo Alto Networks, Inc.
show vsys <name> reports <name> type decryption
show vsys <name> reports <name> type desum
show vsys <name> reports <name> type data
show vsys <name> external-list <name> type predefined-url
show vsys <name> device-object
show vsys <name> device-object <name>

PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0 125

© 2021 Palo Alto Networks, Inc.
Show Commands Removed in PAN-OS 10.0
The following commands are no longer available in the 10.0 release.
Replaced show deviceconfig system ssh ciphers, mac, and kex with show deviceconfig
system profiles commands.

show deviceconfig system ssh ciphers ha

show deviceconfig system ssh kex
show deviceconfig system ssh mac ha

Replaced show deviceconfig system cipher mgmt with show deviceconfig system ssh mgmt.

show deviceconfig system ssh ciphers mgmt

show deviceconfig system ssh default-hostkey

show deviceconfig system ssh session-rekey

how vsys<name> user-id-agent

126 PAN-OS CLI QUICK START | CLI Changes in PAN-OS 10.0