PAN-OS CLI Quick Start

Version 10.1

docs.paloaltonetworks.com
 Contact Informaon
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support.html

About the Documentaon

• For the most recent version of this guide or for access to related documentaon, visit the
Technical Documentaon portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or quesons for us? Leave a comment on any page in the portal, or write to us
at documenta[email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
©2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto
Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks menoned herein may be trademarks of their respecve
companies.

Last Revised
May 27, 2021

PAN-OS CLI Quick Start Version Version 10.1 2 ©2021 Palo Alto Networks, Inc.
Table of Contents
Get Started with the CLI.................................................................................. 5
Access the CLI.............................................................................................................................. 6
Verify SSH Connecon to Firewall..........................................................................................7
Refresh SSH Keys and Configure Key Opons for Management Interface
Connecon.................................................................................................................................. 13
Give Administrators Access to the CLI................................................................................ 19
Administrave Privileges..............................................................................................19
Set Up a Firewall Administrave Account and Assign CLI Privileges................ 20
Set Up a Panorama Administrave Account and Assign CLI Privileges............ 20
Change CLI Modes....................................................................................................................22
Navigate the CLI........................................................................................................................23
Find a Command....................................................................................................................... 24
View the Enre Command Hierarchy....................................................................... 24
Find a Specific Command Using a Keyword Search.............................................. 25
Get Help on Command Syntax.............................................................................................. 27
Get Help on a Command.............................................................................................27
Interpret the Command Help......................................................................................27
Customize the CLI.....................................................................................................................30

Use the CLI........................................................................................................ 33

View Sengs and Stascs................................................................................................... 34
Modify the Configuraon........................................................................................................37
Commit Configuraon Changes.............................................................................................39
Test the Configuraon............................................................................................................. 42
Test the Authencaon Configuraon..................................................................... 42
Test Policy Matches.......................................................................................................43
Load Configuraons..................................................................................................................46
Load Configuraon Sengs from a Text File..........................................................46
Load a Paral Configuraon....................................................................................... 47
Use Secure Copy to Import and Export Files..................................................................... 52
Export a Saved Configuraon from One Firewall and Import it into
Another.............................................................................................................................52
Export and Import a Complete Log Database (logdb)........................................... 53
CLI Jump Start............................................................................................................................54

CLI Cheat Sheets..............................................................................................57

CLI Cheat Sheet: Device Management................................................................................ 58
CLI Cheat Sheet: User-ID........................................................................................................60
CLI Cheat Sheet: HA................................................................................................................ 63

PAN-OS CLI Quick Start Version Version 10.1 3 ©2021 Palo Alto Networks, Inc.
Table of Contents

CLI Cheat Sheet: Networking.................................................................................................65

CLI Cheat Sheet: VSYS............................................................................................................ 68
CLI Cheat Sheet: Panorama....................................................................................................70

CLI Changes in PAN-OS 10.1....................................................................... 75

Set Commands Introduced in PAN-OS 10.1...................................................................... 76
Set Commands Changed in PAN-OS 10.1.......................................................................... 96
Set Commands Removed in PAN-OS 10.1......................................................................... 98
Show Commands Introduced in PAN-OS 10.1................................................................109
Show Commands Changed in PAN-OS 10.1....................................................................112
Show Commands Removed in PAN-OS 10.1...................................................................113

CLI Command Hierarchy for PAN-OS 10.1.............................................115

PAN-OS 10.1 CLI Ops Command Hierarchy....................................................................116
PAN-OS 10.1 Configure CLI Command Hierarchy......................................................... 285

PAN-OS CLI Quick Start Version Version 10.1 4 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI
Every Palo Alto Networks device includes a command-line interface (CLI) that allows
you to monitor and configure the device. Although this guide does not provide
detailed command reference informaon, it does provide the informaon you need to
learn how to use the CLI. It includes informaon to help you find the command you
need and how to get syntaccal help aer you find it. It also explains how to verify
the SSH connecon to the firewall when you access the CLI remotely, and how to
refresh the SSH keys and configure key opons when connecng to the management
interface.

> Access the CLI

> Verify SSH Connecon to Firewall
> Refresh SSH Keys and Configure Key Opons for Management Interface
Connecon
> Give Administrators Access to the CLI
> Change CLI Modes
> Navigate the CLI
> Find a Command
> Get Help on Command Syntax
> Customize the CLI

5
Get Started with the CLI

Access the CLI

Use a terminal emulator, such as PuTTY, to connect to the CLI of a Palo Alto Networks device in
one of the following ways:
• SSH Connecon—To ensure you are logging in to your firewall and not a malicious device, you
can verify the SSH connecon to the firewall when you perform inial configuraon. Aer you
have completed inial configuraon, you can establish a CLI connecon over the network using
a secure shell (SSH) connecon.
• Serial Connecon—If you have not yet completed inial configuraon or if you chose not to
enable SSH on the Palo Alto Networks device, you can establish a direct serial connecon from
a serial interface on your management computer to the Console port on the device.
STEP 1 | Launch the terminal emulaon soware and select the type of connecon (Serial or SSH).
• To establish an SSH connecon, enter the hostname or IP address of the device you want to
connect to and set the port to 22.
• To establish a Serial connecon, connect a serial interface on management computer to
the Console port on the device. Configure the Serial connecon sengs in the terminal
emulaon soware as follows:
• Data rate: 9600
• Data bits: 8
• Parity: none
• Stop bits: 1
• Flow control: none

STEP 2 | When prompted to log in, enter your administrave username.

The default superuser username is admin. To set up CLI access for other administrave users,
see Give Administrators Access to the CLI.
If prompted to acknowledge the login banner, enter Yes.

STEP 3 | Enter the administrave password.

The default superuser password is admin. However, for security reasons you should
immediately change the admin password.
Aer you log in, the message of the day displays, followed by the CLI prompt in Operaonal
mode:

username@hostname>

You can tell you are in operaonal mode because the command prompt ends with a >.

PAN-OS CLI Quick Start Version Version 10.1 6 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

Verify SSH Connecon to Firewall

Palo Alto Networks firewalls come with Secure Shell (SSH) preconfigured; firewalls can act as both
an SSH server and an SSH client. You can verify your SSH connecon to the management port of
the firewall during remote access to ensure that, when you log in remotely, you are logging in to
the firewall. You can also refresh the SSH keys and specify other opons for the keys.
Aer you inially log in through the console to the command-line interface (CLI), the firewall
boots up and displays six fingerprints (hashed SSH keys). When you then remotely access the
management port on the firewall for the first me, the SSH client presents a fingerprint to you
and it must match one of the fingerprints you noted from the console login. This match verifies
that the firewall you access remotely is your firewall and that there is no malicious device between
your device and the firewall intercepng Hello packets or presenng a false fingerprint.
You can also Refresh SSH Keys and Configure Key Opons for Management Interface Connecon.

To ensure you are logging in to your firewall, perform this task when you first access your
firewall remotely (when you Perform Inial Configuraon) and whenever you change the
default host key type or regenerate the host keys for the management port.

PAN-OS CLI Quick Start Version Version 10.1 7 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

STEP 1 | Perform Inial Configuraon and note the fingerprints that the firewall displays upon boong
up.
When you connect to the console port (Step 3 of Perform Inial Configuraon), the firewall
boots up and displays SSH fingerprints. Make note of these fingerprints.
If the firewall is in FIPS-CC mode, it displays the fingerprints in sha1 hash in base64 encoding,
as in the following example:
SSH Fingerprints
-------------------
256 +nvDTw9G6FpjVRYCN7qYWMmZxB0 (ECDSA)
384 Slx984ndSKeRU+YOkNh9R/4u8IM (ECDSA)
521 sph8wuC3Y/p6zvFr0sGnrzim3wo (ECDSA)
2048 kK3+bBRaJpJQOM+qE8Bl9SKCQPg (RSA)
3072 gtFBWm65/+D7dqUdDDc3P6hJu1g (RSA)
4096 CQnLFnMF1BfBwV7y5bhYQyawpcc (RSA)
If the firewall is in non-FIPS-CC mode, it displays the fingerprints in md5 hash in hex encoding,
as in the following example:
SSH Public key fingerprints:
256 5c:73:5c:88:ea:ba:04:f7:9a:72:07:67:74:20:0c:09 (ECDSA)
384 f2:69:5c:0b:e2:26:e1:39:ca:2f:46:00:df:d5:aa:c0 (ECDSA)
521 8f:00:fa:d0:b9:a5:c5:4d:9d:f5:cd:0d:2c:86:99:25 (ECDSA)
2048 0c:01:69:54:1e:21:08:9d:65:37:3b:50:4a:03:70:d6 (RSA)
3072 1f:ae:d8:1a:b6:8d:9a:4b:c2:fd:74:ca:dc:4f:ca:19 (RSA)
4096 38:88:fb:62:07:19:cf:89:88:a0:6d:22:4b:fa:f4:23 (RSA)

STEP 2 | (Oponal) Display fingerprints from the SSH server (the firewall).
Display the fingerprints using the CLI if you forgot to note the fingerprints that the SSH server
displayed upon boot up or if you regenerated a host key or changed your default host key
type. To effecvely compare fingerprints, specify the same format that your SSH client uses

PAN-OS CLI Quick Start Version Version 10.1 8 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

(the device from which you will remotely log in): either base64 or hex format, and hash-type
format of md5, sha1, or sha256.

There is no md5 hash type in FIPS-CC mode.

The following example displays SSH server fingerprints in hex format and md5 hash type.
admin@PA-3060> show ssh-fingerprints format hex hash-type md5
SSH Public key fingerprints:
256 5c:73:5c:88:ea:ba:04:f7:9a:72:07:67:74:20:0c:09 (ECDSA)
384 f2:69:5c:0b:e2:26:e1:39:ca:2f:46:00:df:d5:aa:c0 (ECDSA)
521 8f:00:fa:d0:b9:a5:c5:4d:9d:f5:cd:0d:2c:86:99:25 (ECDSA)
2048 0c:01:69:54:1e:21:08:9d:65:37:3b:50:4a:03:70:d6 (RSA)
3072 1f:ae:d8:1a:b6:8d:9a:4b:c2:fd:74:ca:dc:4f:ca:19 (RSA)
4096 38:88:fb:62:07:19:cf:89:88:a0:6d:22:4b:fa:f4:23 (RSA)

STEP 3 | Connue to Perform Inial Configuraon on the firewall so that you assign an IP address to
the management interface and commit your changes.

STEP 4 | Disconnect the firewall from your computer.

PAN-OS CLI Quick Start Version Version 10.1 9 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

STEP 5 | Iniate remote access to the firewall and view the fingerprint.
Using terminal emulaon soware, such as PuTTY, launch an SSH management session to the
firewall using the IP address you assigned to it.

Before you can proceed with the connecon, the SSH client presents a fingerprint as in the
following example:

PAN-OS CLI Quick Start Version Version 10.1 10 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

If you have already logged in to the firewall (and have not changed the key), the SSH
client already has the key stored in its database and therefore doesn’t present a
fingerprint.

STEP 6 | Verify matching fingerprints.

1. Verify that the fingerprint that the SSH client (PuTTY) presented matches one of the
fingerprints you noted from logging in to the console port in the first step.
2. A match verifies that the firewall you remotely accessed is the same firewall you
connected to on the console port. You typically want the SSH client to update its
cache, so respond to the warning with Yes to connue connecng. In this example, the
fingerprint in the preceding graphic matches the RSA 2048 fingerprint from the SSH
server (firewall) in Step 1 (and Step 2) of this procedure.
If there is no match or you receive a mismatch warning, you aren’t connecng to the
expected device; Cancel the connecon aempt.
If you see a match but you don’t want the SSH client to update its cache, respond
with No, which allows you to connue connecng. Respond with No if the firewall is

PAN-OS CLI Quick Start Version Version 10.1 11 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

configured with mulple default host keys and you want to connect using a specific host
key without updang the SSH client cache.

To verify your SSH connecon to the firewall aer you have regenerated a host key or
changed the default host key type, perform a procedure similar to this one, starng
with logging in to the console port. In this case, Step 2 is required; execute the show
ssh-fingerprints CLI command (with the applicable format and hash-type) and
note the one fingerprint that displays. Omit Step 3 and connue with Step 4, finishing
the rest of the procedure. Verify that the fingerprint from the SSH client matches the
fingerprint you noted from Step 2.

PAN-OS CLI Quick Start Version Version 10.1 12 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

Refresh SSH Keys and Configure Key Opons for

Management Interface Connecon
When you verify your Secure Shell (SSH) connecon to the firewall, the verificaon uses SSH
keys. To change the default host key type, generate a new pair of public and private SSH host
keys, and configure other SSH sengs, create an SSH service profile.
The following examples show how to configure various SSH sengs for a management SSH
service profile aer you access the CLI. The sengs marked as recommended provide a stronger
security posture. (See Refresh HA1 SSH Keys and Configure Key Opons for SSH HA profile
examples.)

If you are using SSH to access the CLI of the firewall in FIPS-CC mode, you must set
automac rekeying parameters for session keys.

Palo Alto Networks allows you to specify only recommended ciphers, key exchange
algorithms, and message authencaon algorithms for the SSH configuraons below.
Also note that, to use the same SSH connecon sengs for each Dedicated Log Collector
(M-Series or Panorama™ virtual appliances in Log Collector mode) in a Collector Group,
you must configure an SSH service profile from the Panorama management server,
Commit the changes to Panorama, and then Push the configuraon to the Log Collectors.
You can use the set log-collector-group <name> general-setting
management ssh commands.

Each of the following configuraon steps includes a commit and an SSH service restart
if you perform only one step (except when you create a profile without configuring any
sengs). Otherwise, you can set mulple SSH opons and then commit your changes and
restart SSH when you’re done.

Create an SSH service profile to exercise greater control over SSH connecons to your
management interface.
This example creates a Management - Server profile without configuring any sengs.
1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles
server-profiles <name>
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. To verify that the new profile has been created and view the sengs for any exisng
profiles:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles

PAN-OS CLI Quick Start Version Version 10.1 13 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

(Oponal) Set the SSH server to use only the specified encrypon ciphers.
By default, SSH allows all supported ciphers for encrypon of CLI management sessions. When
you set one or more ciphers in an SSH service profile, the SSH server adverses only those
ciphers while connecng and, if the SSH client tries to connect using a different cipher, the
server terminates the connecon.
1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles
server-profiles <name> ciphers <cipher>
aes128-cbc—AES 128-bit cipher with Cipher Block Chaining
aes128-ctr—AES 128-bit cipher with Counter Mode
aes128-gcm—AES 128-bit cipher with GCM (Galois/Counter Mode)
aes192-cbc—AES 192-bit cipher with Cipher Block Chaining
aes192-ctr—AES 192-bit cipher with Counter Mode
aes256-cbc—AES 256-bit cipher with Cipher Block Chaining
aes256-ctr—(Recommended) AES 256-bit cipher with Counter Mode
aes256-gcm—(Recommended) AES 256-bit cipher with GCM
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. admin@PA-3260> set ssh service-restart mgmt
6. To verify the ciphers have been updated:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles mgmt-profiles
server-profiles ciphers

(Oponal) Set the default host key type.

The firewall uses a default host key type of RSA 2048 unless you change it. The SSH
connecon uses only the default host key type (not other host key types) to authencate the
firewall. You can change the default host key type; the choices are ECDSA (256, 384, or 521) or
RSA (2048, 3072, or 4096).
Change the default host key type if you prefer a longer RSA key length or if you prefer ECDSA
rather than RSA. This example sets the default host key type for a management profile to the

PAN-OS CLI Quick Start Version Version 10.1 14 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

recommended ECDSA key of 256 bits. It also restarts SSH for the management connecon so
the new key type takes effect.
1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles
server-profiles <name> default-hostkey key-type ECDSA 256
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. admin@PA-3260> set ssh service-restart mgmt
6. To verify the host key has been updated:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles mgmt-profiles
server-profiles <name> default-hostkey

(Oponal) Delete a cipher from the set of ciphers you selected to encrypt your CLI sessions.
This example deletes the AES CBC cipher with 128-bit key.
1. admin@PA-3260> configure
2. admin@PA-3260# delete deviceconfig system ssh profiles mgmt-
profiles server-profiles <name> ciphers aes128-cbc
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. admin@PA-3260> set ssh service-restart mgmt
6. To verify the cipher has been deleted:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles mgmt-profiles
server-profiles <name> ciphers

PAN-OS CLI Quick Start Version Version 10.1 15 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

(Oponal) Set the session key exchange algorithms the SSH server will support.
By default, the SSH server adverses all the key exchange algorithms to the SSH client.

If you are using an ECDSA default key type, best pracce is to use an ECDH key
algorithm.

1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles
server-profiles <name> kex <value>
diffie-hellman-group14-sha1—Diffie-Hellman group 14 with SHA1 hash
ecdh-sha2-nistp256—(Recommended) Ellipc-Curve Diffie-Hellman over Naonal
Instute of Standards and Technology (NIST) P-256 with SHA2-256 hash
ecdh-sha2-nistp384—(Recommended) Ellipc-Curve Diffie-Hellman over NIST
P-384 with SHA2-384 hash
ecdh-sha2-nistp521—(Recommended) Ellipc-Curve Diffie-Hellman over NIST
P-521 with SHA2-521 hash
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. admin@PA-3260> set ssh service-restart mgmt
6. To verify the key exchange algorithms have been updated:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles mgmt-profiles
server-profiles

(Oponal) Set the message authencaon codes (MAC) the SSH server will support.
By default, the server adverses all of the MAC algorithms to the client.
1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles
server-profiles <name> mac <value>
hmac-sha1—MAC with SHA1 cryptographic hash
hmac-sha2-256—(Recommended) MAC with SHA2-256 cryptographic hash
hmac-sha2-512—(Recommended) MAC with SHA2-512 cryptographic hash
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. admin@PA-3260> set ssh service-restart mgmt
6. To verify the MAC algorithms have been updated:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles mgmt-profiles
server-profiles

PAN-OS CLI Quick Start Version Version 10.1 16 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

(Oponal) Regenerate ECDSA or RSA host keys for SSH to replace the exisng keys.
The remote device uses the host keys to authencate the firewall. Regenerate your default
host key at the frequency you determine necessary for security purposes. This example
regenerates the ECDSA 256 default host key because that is the default host key type set in an
earlier step.

Regenerang a host key does not change your default host key type. To regenerate the
default host key you are using, you must specify your default host key type and length
when you regenerate. Regenerang a host key that isn’t your default host key type
simply regenerates a key that you aren’t using and therefore has no effect.

1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh regenerate-hostkeys
mgmt key-type ECDSA key-length 256
3. admin@PA-3260# commit
4. admin@PA-3260> exit
5. admin@PA-3260> set ssh service-restart mgmt

(Oponal) Set rekey parameters to establish when automac rekeying of the session keys
occurs.
The session keys are used to encrypt traffic between the remote device and the management
interface. The parameters you can set are data volume (in megabytes), me interval (seconds),
and packet count. Aer any one rekey parameter reaches its configured value, SSH iniates a
key exchange.
You can set a second or third parameter if you aren’t sure the parameter you configured will
reach its value as fast as you want rekeying to occur. The first parameter to reach its configured
value will prompt a rekey, then the firewall will reset all rekey parameters.
1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles
server-profiles <name> session-rekey data 32
Rekeying occurs aer the volume of data (in megabytes) is transmied following the
previous rekey. The default is based on the cipher you use and ranges from 1GB to 4GB.
The range is 10MB to 4,000MB. Alternavely, you can enter set deviceconfig
system ssh profiles mgmt-profiles server-profiles <name>

PAN-OS CLI Quick Start Version Version 10.1 17 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

session-rekey data default, which sets the data parameter to the default value
of the individual cipher you are using.
3. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles
server-profiles <name> session-rekey interval 3600
Rekeying occurs aer the specified me interval (in seconds) passes following the
previous rekey. By default, me-based rekeying is disabled (set to none). The range is 10
to 3,600.

If you are configuring the management interface in FIPS-CC mode, you must set
a me interval within the range; you cannot leave it disabled.
4. admin@PA-3260# set deviceconfig system ssh profiles mgmt-profiles
server-profiles <name> session-rekey packets 27
n
Rekeying occurs aer the defined number of packets (2 ) are transmied following
14
the previous rekey. For example, 14 configures that a maximum of 2 packets are
28 12 27
transmied before a rekey occurs. The default is 2 . The range is 12 to 27 (2 to 2 ).
Alternavely, you can enter set deviceconfig system ssh profiles mgmt-
profiles server-profiles <name> session-rekey packets default,
28
which sets the packets parameter to 2 .

Choose rekeying parameters based on your type of traffic and network speeds (in
addion to FIPS-CC requirements if they apply to you). Don’t set the parameters
so low that they affect SSH performance.
5. admin@PA-3260# commit
6. admin@PA-3260# exit
7. admin@PA-3260> set ssh service-restart mgmt
8. To verify the changes:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh profiles mgmt-profiles
server-profiles <name> session-rekey

Acvate the profile by selecng the profile and restarng SSH service.
1. admin@PA-3260> configure
2. admin@PA-3260# set deviceconfig system ssh mgmt server-profile
<name>
3. admin@PA-3260# commit
4. admin@PA-3260# exit
5. admin@PA-3260> set ssh service-restart mgmt
6. To verify the correct profile is in use:
admin@PA-3260> configure
admin@PA-3260# show deviceconfig system ssh mgmt

PAN-OS CLI Quick Start Version Version 10.1 18 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

Give Administrators Access to the CLI

Administrave accounts specify roles and authencaon methods for the administrators
of Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a predefined default
administrave account (admin) that provides full read-write access (also known as superuser
access) to the firewall. As a best pracce, create an administrave account for each person who
will be performing configuraon tasks on the firewall or Panorama so that you have an audit trail
of changes.
• Administrave Privileges
• Set Up a Firewall Administrave Account and Assign CLI Privileges
• Set Up a Panorama Administrave Account and Assign CLI Privileges

Administrave Privileges
Privilege levels determine which commands an administrator can run as well as what informaon
is viewable. Each administrave role has an associated privilege level. You can use dynamic roles,
which are predefined roles that provide default privilege levels. Or, you can create custom firewall
administrator roles or Panorama administrator roles and assign one of the following CLI privilege
levels to each role:

You must follow the Best Pracces for Securing Admin Access to ensure that you are
securing access to your management network in a way that will prevent successful aacks.

Privilege Level Descripon

superuser Has full access to the Palo Alto Networks device (firewall or Panorama)
and can define new administrator accounts and virtual systems. You
must have superuser privileges to create an administrave user with
superuser privileges.

superreader Has complete read-only access to the device.

vsysadmin Has access to selected virtual systems (vsys) on the firewall to create
and manage specific aspects of virtual systems. A virtual system
administrator doesn’t have access to network interfaces, VLANs, virtual
wires, virtual routers, IPSec tunnels, GRE tunnels, DHCP, DNS Proxy,
QoS, LLDP, or network profiles.

vsysreader Has read-only access to selected virtual systems on the firewall and
specific aspects of virtual systems. A virtual system administrator with
read-only access doesn’t have access to network interfaces, VLANs,
virtual wires, virtual routers, IPSec tunnels, GRE tunnels, DHCP, DNS
Proxy, QoS, LLDP, or network profiles.

deviceadmin Has full access to all firewall sengs except for defining new accounts
or virtual systems.

PAN-OS CLI Quick Start Version Version 10.1 19 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

Privilege Level Descripon

devicereader Has read-only access to all firewall sengs except password profiles
(no access) and administrator accounts (only the logged in account is
visible).

panorama-admin Has full access to Panorama except for the following acons:
• Create, modify, or delete Panorama or device administrators and
roles.
• Export, validate, revert, save, load, or import a configuraon.
• Schedule configuraon exports.

Set Up a Firewall Administrave Account and Assign CLI Privileges

To set up a custom firewall administrave role and assign CLI privileges, use the following
workflow:
STEP 1 | Configure an Admin Role profile.
1. Select Device > Admin Roles and then click Add.
2. Enter a Name to idenfy the role.
3. For the scope of the Role, select Device or Virtual System.
4. Define access to the Command Line:
• Device role—superuser, superreader, deviceadmin, devicereader, or None.
• Virtual System role—vsysadmin, vsysreader, or None.
5. Click OK to save the profile.

STEP 2 | Configure an administrator account.

1. Select Device > Administrators and click Add.
2. Enter a user Name. If you will use local database authencaon, this must match the
name of a user account in the local database.
3. If you configured an Authencaon Profile or authencaon sequence for the user,
select it in the drop-down. If you select None, you must enter a Password and Confirm
Password.
4. If you configured a custom role for the user, set the Administrator Type to Role Based
and select the Admin Role Profile. Otherwise, set the Administrator Type to Dynamic
and select a dynamic role.
5. Click OK and Commit.

Set Up a Panorama Administrave Account and Assign CLI

Privileges
To set up a custom Panorama administrave role and assign CLI privileges, use the following
workflow:

PAN-OS CLI Quick Start Version Version 10.1 20 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

STEP 1 | Configure an Admin Role profile.

1. Select Panorama > Admin Roles and then click Add.
2. Enter a Name to idenfy the role.
3. For the scope of the Role, select Panorama.
4. Select the Command Line tab and select an access level: superuser, superreader,
panorama-admin, or None.
5. Click OK to save the profile.

STEP 2 | Configure an administrator account.

1. Select Panorama > Administrators and click Add.
2. Enter a user Name.
3. If you configured an Authencaon Profile or authencaon sequence for the user,
select it in the drop-down. If you select None, you must enter a Password and Confirm
Password.
4. If you configured a custom role for the user, set the Administrator Type to Custom
Panorama Admin and select the Admin Role Profile. Otherwise, set the Administrator
Type to Dynamic and select a dynamic Admin Role.
5. Click OK and Commit, for the Commit Type select Panorama, and click Commit again.

PAN-OS CLI Quick Start Version Version 10.1 21 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

Change CLI Modes

The CLI provides two command modes:
• Operaonal—Use operaonal mode to view informaon about the firewall and the traffic
running through it or to view informaon about Panorama or a Log Collector. Addionally, use
operaonal mode commands to perform operaons such as restarng, loading a configuraon,
or shung down. When you log in, the CLI opens in operaonal mode.
• Configuraon—Use configuraon mode to view and modify the configuraon.
You can switch between operaonal and configuraon modes at any me, as follows:

To switch from operaonal mode to configuraon mode:

username@hostname> configure
Entering configuration mode
[edit]
username@hostname#

Noce that the command prompt changes from a > to a #, indicang that you successfully
changed modes.

To switch from configuraon mode to operaonal mode, use either the quit or exit
command:

username@hostname# quit
Exiting configuration mode
username@hostname>

To enter an operaonal mode command while in configuraon mode, use the run command,
for example:

username@hostname# run ping host 10.1.1.2

PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data
...
username@hostname#

PAN-OS CLI Quick Start Version Version 10.1 22 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

Navigate the CLI

CLI commands are organized in a hierarchical structure. To display a segment of the current
hierarchy, use the show command. Entering show displays the complete hierarchy, while entering
show with keywords displays a segment of the hierarchy.
For example, the following command displays the configuraon hierarchy for the Ethernet
interface segment of the hierarchy:

username@hostname>
configure
Entering configuration mode
[edit]
username@hostname#
show network interface ethernet
ethernet {
  ethernet1/1 {
    virtual-wire;
  }
  ethernet1/2 {
      virtual-wire;
  }
  ethernet1/3 {
    layer2 {
      units {
        ethernet1/3.1;
      }
    }
  }
  ethernet1/4;
}
[edit]
username@hostname#

PAN-OS CLI Quick Start Version Version 10.1 23 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

Find a Command
The find command helps you find a command when you don't know where to start looking in
the hierarchy. The command—which is available in all CLI modes—has two forms. Used alone,
find command displays the enre command hierarchy. Used with the keyword parameter, find
command keyword displays all commands that contain the specified keyword.

You can also view a complete lisng of all Operaonal Commands and Configure
Commands or view the CLI Changes in PAN-OS 10.1.

• View the Enre Command Hierarchy

• Find a Specific Command Using a Keyword Search

View the Enre Command Hierarchy

Use find command without any parameters to display the enre command hierarchy in the
current command mode. For example, running this command from operaonal mode on a VM-
Series Palo Alto Networks device yields the following (paral result):

username@hostname> find command

target set <value>
target show
schedule uar-report user <value> user-group <value> skip-detailed-
browsing <yes|no> title <value> period <value> start-time <value>
end-time <value> vsys <value>
schedule botnet-report period <last-calendar-day|last-24-hrs> topn
<1-500> query <value>
clear arp <value>|<all>
clear neighbor <value>|<all>
clear mac <value>|<all>
clear job id <0-4294967295>
clear query id <0-4294967295>
clear query all-by-session
clear report id <0-4294967295>
clear report all-by-session
clear report cache
clear log traffic
clear log threat
clear log config
clear log system
clear log alarm
clear log acc
clear log hipmatch
clear log userid
clear log iptag
clear wildfire counters
clear counter interface
clear counter global name <value>
clear counter global filter category <value> severity <value> aspect
<value> pac
ket-filter <yes|no>
clear counter all

PAN-OS CLI Quick Start Version Version 10.1 24 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

clear session id <1-4294967295>

clear session all filter nat <none|source|destination|both> ssl-
decrypt <yes|no> type <flow|predict> state <initial|opening|active|
discard|closing|closed> from <value> to <value> source <ip/netmask>
destination <ip/netmask> source-user <value> destination-user
<value> source-port <1-65535> destination-port <1-65535> protocol
<1-255> application <value> rule <value> nat-rule <value> qos-rule
<value> pbf-rule <value> dos-rule <value> hw-interface <value> min-
kb <1-1048576> qos-node-id <0-5000>|<-2> qos-class <1-8> vsys-name
<value>|<any>
clear application-signature statistics
clear nat-rule-cache rule <value>
clear statistics
clear high-availability control-link statistics
clear high-availability transitions
clear vpn ike-sa gateway <value>
clear vpn ipsec-sa tunnel <value>
clear vpn ike-preferred-version gateway <value>
clear vpn ike-hashurl
clear vpn flow tunnel-id <1-2147483648>
clear dhcp lease all expired-only
clear dhcp lease interface clear dhcp lease interface <name> ip <ip/
netmask>
:

Find a Specific Command Using a Keyword Search

Use find command keyword to locate all commands that have a specified keyword.

username@hostname# find command keyword <keyword>

For example, suppose you want to configure cerficate authencaon and you want the Palo
Alto Networks device to get the username from a field in the cerficate, but you don’t know the
command. In this case you might use find command keyword to search for commands that
contain username in the command syntax.

username@hostname > configure

Entering configuration mode

[edit]
username@hostname # find command keyword username
show shared certificate-profile <name> username-field
set deviceconfig system log-export-schedule <name> protocol ftp
username <value>
set deviceconfig system log-export-schedule <name> protocol scp
username <value>
set deviceconfig setting wildfire session-info-select exclude-
username <yes|no>
set mgt-config password-complexity block-username-inclusion <yes|no>
set network interface ethernet <name> layer3 pppoe username <value>

PAN-OS CLI Quick Start Version Version 10.1 25 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

set shared authentication-profile <name> username-modifier <value>|

<validate>|<%USERINPUT%|%USERINPUT%@%USERDOMAIN%|%USERDOMAIN%\
%USERINPUT%>
set shared certificate-profile <name> username-field
set shared certificate-profile <name> username-field subject <common-
name>
set shared certificate-profile <name> username-field subject-alt
<email|principal-name>
set vm-info-source <name> VMware-ESXi username <value>
set vm-info-source <name> VMware-vCenter username <value>
set user-id-collector setting ntlm-username <value>
set user-id-collector syslog-parse-profile <name> regex-identifier
username-regex <value>
set user-id-collector syslog-parse-profile <name> field-identifier
username-prefix <value>
set user-id-collector syslog-parse-profile <name> field-identifier
username-delimiter <value>
[edit]
username@hostname #

From the resulng lists of commands, you can idenfy that the command you need is:

username@hostname # set shared certificate-profile <name> username-

field

If you’re not sure exactly what to enter in the command line, you can then Get Help on Command
Syntax.

PAN-OS CLI Quick Start Version Version 10.1 26 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

Get Help on Command Syntax

Aer you Find a Command you can get help on the specific command syntax by using the built-in
CLI help. To get help, enter a ? at any level of the hierarchy.
• Get Help on a Command
• Interpret the Command Help

Get Help on a Command

For example, suppose you want to configure the primary DNS server sengs on the Palo Alto
Networks device using find command keyword with dns as the keyword value, you already
know that the command is set deviceconfig system dns-setting, but you’re not exactly
sure how to use the command to set the primary DNS server seng. In this case, you would enter
as much of the command as you know (or start typing it and press Tab for automac command
compleon), and then add a queson mark at the end of the line before pressing Enter, like this:

username@hostname# set deviceconfig system dns-setting ?

> dns-proxy-object Dns proxy object to use for resolving fqdns
> servers Primary and secondary dns servers
<Enter> Finish input

Noce that the queson mark doesn’t appear in the command line when you type it, but a list
of the available commands appears. You can connue geng syntaccal help all through the
hierarchy:

username@hostname# set deviceconfig system dns-setting servers ?

+ primary Primary DNS server IP address
+ secondary Secondary DNS server IP address
  <Enter> Finish input

username@hostname# set deviceconfig system dns-setting servers

primary ?
<ip> <ip>

Use the Tab key in the middle of entering a command and the command will automacally
complete, provided there are no other commands that match the leers you have typed
thus far. For example, if you type set dev and then press Tab, the CLI will recognize that
the command you are entering is deviceconfig and automacally finish populang the
command line.

Interpret the Command Help

Use the following table to help interpret the command opons you see when you use the ? to get
help.

PAN-OS CLI Quick Start Version Version 10.1 27 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

Symbol Descripon

* Indicates that the opon is required.

For example, when imporng a configuraon over secure copy (SCP),
specifying the from parameter is required, as indicated by the * from
notaon.

username@hostname#> scp import configuration ?

+ remote-port   SSH port number on remote host
+ source-ip     Set source address to specified i
nterface address
* from          Source (username@host:path)

> Indicates that there are addional nested commands.

For example, when configuring DNS sengs, there are addional
nested commands for configuring a DNS proxy object and for
specifying primary and secondary DNS servers:

username@hostname# set deviceconfig system dns-se

tting ?
> dns-proxy-object   Dns proxy object to use for
resolving fqdns
> servers            Primary and secondary dns se
rvers
  <Enter>            Finish input

+ Indicates that the opon has an associated value that you must enter.
For example, when seng up a high availability configuraon, noce
that the + enabled notaon indicates that you must supply a value
for this opon:

username@hostname# set deviceconfig high-availabi

lity ?
+ enabled enabled
> group HA group configuration
> interface HA interface configuration
<Enter> Finish input
Getting help for the enabled option shows that yo
u must enter a value of yes or no:
admin@PA-3060# set deviceconfig high-availability
enabled ?
  no    no
  yes   yes

| Allows you to filter command output. You can either specify a match
value, which will only show command output that matches the value

PAN-OS CLI Quick Start Version Version 10.1 28 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

Symbol Descripon
you specify, or you can specify an except value, which will only show
command output except for the value you specify.
For example, use the | match opon to display only the app-version
in the output of the show system info command:

username@hostname> show system info | match app-v

ersion
app-version: 8087-5126

Similarly, to show all users in your group lists who are not part of your
organizaon, you should show the user group list, but exclude the
organizaonal unit (ou) for your organizaon. Noce that, although
there are a total of 4555 user-to-group mappings, with the | except
filter you can easily see the small list of users who are part of external
groups:

username@hostname> show user group list | except

ou=acme

cn=sap_globaladmin,cn=users,dc=acme,dc=local
cn=dnsupdateproxy,ou=admin groups,ou=administrato
r accounts,dc=acme,dc=local
cn=dhcp administrators,ou=admin groups,ou=adminis
trator accounts,dc=acme,dc=local
cn=helpservicesgroup,cn=users,dc=acme,dc=local
cn=exchange domain servers,cn=users,dc=acme,dc=lo
cal
cn=network configuration operators,cn=builtin,dc=
acme,dc=local
cn=dhcp users,ou=admin groups,ou=administrator ac
counts,dc=acme,dc=local
cn=exchange windows permissions,ou=microsoft exch
ange security groups,dc=acme,dc=local
cn=wins users,cn=users,dc=acme,dc=local
cn=enterprise read-only domain controllers,cn=use
rs,dc=acme,dc=local
cn=print-server-admins,ou=admin groups,ou=adminis
trator accounts,dc=acme,dc=local
cn=telnetclients,cn=users,dc=acme,dc=local
cn=servicenowpasswordreset,ou=admin groups,ou=adm
inistrator accounts,dc=acme,dc=local
cn=delegated setup,ou=microsoft exchange security
groups,dc=acme,dc=local
Total: 4555
* : Custom Group
</result></response>
username@hostname>

PAN-OS CLI Quick Start Version Version 10.1 29 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

Customize the CLI

Specify how long an administrave session to the management interface (CLI or web interface)
can remain idle before logging the administrator out:

username@hostname# set deviceconfig setting management idle-

timeout ?
  0        never
  <value>  <1-1440>

If you want to set the CLI meout value to a value different from the global
management idle-timeout value, use the set cli timeout command in
operaonal mode.

Specify the format for command output:

username@hostname> set cli config-output-format ?

  default   default
  json      json
  set       set
  xml       xml

For example, in the default seng the config-output-format looks like this:

username@hostname# show deviceconfig system dns-setting servers

servers {
primary 1.2.3.4;
secondary 1.2.3.5;
}

Changing the seng to set results in output that looks like this:

username@hostname# show deviceconfig system dns-setting servers

set deviceconfig system dns-setting servers primary 1.2.3.4
set deviceconfig system dns-setting servers secondary 1.2.3.5
[edit]
[edit]

Changing the seng to xml results in output that looks like this:

username@hostname# show deviceconfig system dns-setting servers

<response status="success" code="19">
  <result total-count="1" count="1">
    <servers>
      <primary>1.2.3.4</primary>
<secondary>1.2.3.5</secondary>        
    </servers>

PAN-OS CLI Quick Start Version Version 10.1 30 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

  </result>
</response>

Switch to scripng mode. In scripng mode, you can copy and paste commands from a text file
directly into the CLI. Although you can do this without scripng-mode enabled (up to 20 lines).
If you cut-and-paste a block of text into the CLI, examine the output of the lines you pasted. If
you see lines that are truncated or generate errors, you may have to re-paste a smaller secon
of text, or switch to scripting-mode:

username@hostname> set cli scripting-mode on

When in scripng-mode, you cannot use Tab to complete commands or use ? to get
help on command syntax. When you are done pasng commands, switch back to
regular mode using the set cli scripting-mode off command.

PAN-OS CLI Quick Start Version Version 10.1 31 ©2021 Palo Alto Networks, Inc.
Get Started with the CLI

PAN-OS CLI Quick Start Version Version 10.1 32 ©2021 Palo Alto Networks, Inc.
Use the CLI
Now that you know how to Find a Command and Get Help on Command Syntax,
you are ready to start using the CLI to manage your Palo Alto Networks firewalls
or Panorama. The following topics describe how to use the CLI to view informaon
about the device and how to modify the configuraon of the device. In addion, more
advanced topics show how to import paral configuraons and how to use the test
commands to validate that a configuraon is working as expected.

> View Sengs and Stascs

> Modify the Configuraon
> Commit Configuraon Changes
> Test the Configuraon
> Load Configuraons
> Use Secure Copy to Import and Export Files
> CLI Jump Start

33
Use the CLI

View Sengs and Stascs

Use show commands to view configuraon sengs and stascs about the performance of the
firewall or Panorama and about the traffic and threats idenfied on the firewall. You can use show
commands in both Operaonal and Configure mode. For example, the show system info
command shows informaon about the device itself:

admin@PA-850> show system info

hostname: PA-850
ip-address: 10.10.10.23
public-ip-address: unknown
netmask: 255.255.255.0
default-gateway: 10.10.10.1
ip-assignment: static
ipv6-address: unknown
ipv6-link-local-address: fe80::d6f4:beff:febe:ba00/64
ipv6-default-gateway:
mac-address: d4:f4:be:be:ba:00
time: Tue Feb 12 08:40:09 2019
uptime: 6 days, 11:51:18
family: 800
model: PA-850
serial: 011901000300
cloud-mode: non-cloud
sw-version: 9.0.0-c300
global-protect-client-package-version: 0.0.0
app-version: 8114-5254
app-release-date: 2019/01/16 15:14:11 PST
av-version: 2860-3370
av-release-date: 2019/01/16 10:05:59 PST
threat-version: 8114-5254
threat-release-date: 2019/01/16 15:14:11 PST
wf-private-version: 0
wf-private-release-date: unknown
url-db: paloaltonetworks
wildfire-version: 314895-317564
wildfire-release-date: 2019/01/16 18:20:09 PST
url-filtering-version: 20190201.20201
global-protect-datafile-version: unknown
global-protect-datafile-release-date: unknown
global-protect-clientless-vpn-version: 0
global-protect-clientless-vpn-release-date:
logdb-version: 9.0.10
platform-family: 800
vpn-disable-mode: off
multi-vsys: off
operational-mode: normal

admin@PA-3220>

PAN-OS CLI Quick Start Version Version 10.1 34 ©2021 Palo Alto Networks, Inc.
Use the CLI

The show session info command shows details about the sessions running through the Palo
Alto Networks device.

admin@PA-850> show session info

target-dp: *.dp0

-------------------------------------------------------------------------------
Number of sessions supported: 196606
Number of allocated sessions: 0
Number of active TCP sessions: 0
Number of active UDP sessions: 0
Number of active ICMP sessions: 0
Number of active GTPc sessions: 0
Number of active GTPu sessions: 0
Number of pending GTPu sessions: 0
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 0
Number of active SCTP sessions: 0
Number of active SCTP associations: 0
Session table utilization: 0%
Number of sessions created since bootup: 5044051
Packet rate: 0/s
Throughput: 0 kbps
New connection establish rate: 0 cps

-------------------------------------------------------------------------------
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 120 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session delayed ack timeout: 250
millisecs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
SCTP default timeout: 3600 secs
SCTP timeout before INIT-ACK received: 5 secs
SCTP timeout before COOKIE received: 60 secs
SCTP timeout before SHUTDOWN received: 30 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, SCTP: 60 secs, other IP
protocols: 60 secs

-------------------------------------------------------------------------------
Session accelerated aging: True
Accelerated aging threshold: 80% of
utilization
Scaling factor: 2 X

PAN-OS CLI Quick Start Version Version 10.1 35 ©2021 Palo Alto Networks, Inc.
Use the CLI

-------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
Hardware UDP session offloading: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
ICMP Unreachable Packet Rate: 200 pps

-------------------------------------------------------------------------------
Application trickling scan parameters:
Timeout to determine application trickling: 10 secs
Resource utilization threshold to start scan: 80%
Scan scaling factor over regular aging: 8

-------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop

-------------------------------------------------------------------------------
Pcap token bucket rate : 10485760

-------------------------------------------------------------------------------
Max pending queued mcast packets per session : 0

-------------------------------------------------------------------------------

PAN-OS CLI Quick Start Version Version 10.1 36 ©2021 Palo Alto Networks, Inc.
Use the CLI

Modify the Configuraon

You can also modify the device configuraon from the CLI using the set, delete, and edit
commands (if your administrave role has a Privilege Level that allows you to write to the
configuraon). In most cases you must be in Configure mode to modify the configuraon.

To change the value of a seng, use a set command. For example, to configure an NTP server,
you would enter the complete hierarchy to the NTP server seng followed by the value you
want to set:

admin@PA-3060# set deviceconfig system ntp-servers primary-ntp-

server ntp-server-address pool.ntp.org

To target a command to a specific virtual system (vsys), enter the following operaonal
mode command: set system setting target-vsys <vsys-name>. To go
back to issuing commands that apply to the firewall instead of the targeted vsys, use
set system target-vsys none.

To change to a different locaon in the configuraon hierarchy and/or to modify a seng,

use the edit command. The edit commands are very similar to the set commands, except
that when you enter an edit command, you switch context to the corresponding node in the
command hierarchy. This can be useful if you need to enter several commands in a node that
is nested far down in the command hierarchy. For example, if you want to configure all of the
NTP server sengs, instead of entering the full command syntax each me using the set
command, you could use the edit command to move to the ntp-servers node as follows:

[edit]
admin@PA-3060# edit deviceconfig system ntp-servers
[edit deviceconfig system ntp-servers]
admin@PA-3060#

Noce that when you enter the command, your new locaon in the command hierarchy is
displayed. You can now use the set command to configure the NTP server sengs without
entering the enre command hierarchy:

admin@PA-3060# set secondary-ntp-server ntp-server-address 10.1.2.3

Use the up command to move up a level in the command hierarchy. Use the top
command to move back to the top of the command hierarchy.

PAN-OS CLI Quick Start Version Version 10.1 37 ©2021 Palo Alto Networks, Inc.
Use the CLI

To delete an exisng configuraon seng, use a delete command. For example, to delete the
secondary NTP server address, you would enter the following command:

admin@PA-3060# delete deviceconfig system ntp-servers secondary-

ntp-server ntp-server-address

When deleng configuraon sengs or objects using the CLI, the device does not
check for dependencies like it does in the web interface. Therefore, when you use
delete from the CLI, you must manually search the configuraon for other places
where the configuraon object might be referenced. For example, before you delete
an applicaon filter group named browser-based business, you should search the CLI
for that value to see if it is used anywhere in profiles or policies, using the following
command:

admin@PA-3060> show config running | match "browser-based

business"

Noce that because the object you are matching on has a space in it, you must enclose
it in quotaon marks.

PAN-OS CLI Quick Start Version Version 10.1 38 ©2021 Palo Alto Networks, Inc.
Use the CLI

Commit Configuraon Changes

Any change in the Palo Alto Networks device configuraon is first wrien to the candidate
configuraon. The change only takes effect on the device when you commit it. Comming a
configuraon applies the change to the running configuraon, which is the configuraon that
the device acvely uses. Upon commit, the device performs both a syntacc validaon (of
configuraon syntax) and a semanc validaon (whether the configuraon is complete and makes
sense). As a best pracce, validate configuraon changes prior to comming so that you can
fix any errors that will cause a commit failure, thereby ensuring that the commit will succeed. This
is parcularly useful in environments with a strict change window.
The firewall and Panorama queue commit operaons so that you can iniate a new commit while
a previous commit is in progress. The firewall and Panorama perform commits in the order you
and other administrators iniate them but priorize automac commits such as content database
installaons and FQDN refreshes. If the queue already has the maximum number of administrator-
iniated commits (this varies by appliance model), the firewall or Panorama must begin processing
a commit (remove it from the queue) before you can iniate a new commit.

To see details (such as queue posions or Job-IDs) about commits that are pending, in
progress, completed, or failed, run the operaonal command show jobs all. To see
the messages and descripon for a parcular commit, run show jobs id <job-id>.

STEP 1 | (Oponal but recommended) Validate the configuraon:

1. Enter the validate command:

admin@PA-3060> configure
admin@PA-3060# validate full
Validate job enqueued with jobid 3041
3041

2. View the validaon results using the job ID that was displayed when you entered the
validate command. Verify that the job finished (FIN) and that the configuraon is valid as
shown in the following example:

[edit]
admin@PA-3060# exit
Exiting configuration mode
admin@PA-3060> show jobs id 3041

Enqueued              Dequeued       ID             Type    Status Result
-------------------------------------------------------------------------
2015/05/18
14:00:40   14:00:40     3041         Validate       FIN     OK  14:01:11
Warnings:EBL(vsys1/Palo Alto Networks Malicious IP List)
Unable to fetch external list. Using old copy for refresh.
vsys1 (vsys1)
    vsys1: Rule 'rule1' application dependency warning:
        Application 'propalms' requires 'web-browsing' be
allowed
        Application 'open-vpn' requires 'ssl' be allowed

PAN-OS CLI Quick Start Version Version 10.1 39 ©2021 Palo Alto Networks, Inc.
Use the CLI

        Application 'open-vpn' requires 'web-browsing' be

allowed
        Application 'files.to' requires 'web-browsing' be
allowed
        Application 'gigaup' requires 'ftp' be allowed
        Application 'dazhihui' requires 'web-browsing' be
allowed
        Application 'fasp' requires 'ssh' be allowed
        Application 'vidsoft' requires 'web-browsing' be
allowed
        Application 'ipp' requires 'web-browsing' be allowed
        Application 'flexnet-installanywhere' requires 'web-
browsing' be allowed
(Module: device)
Details:Configuration is valid

3. If the validaon fails, fix any errors and then repeat steps 1 and 2.

STEP 2 | Aer successfully validang the configuraon, save it to the running configuraon by
performing a commit of all or a poron of the configuraon:
• Commit the enre configuraon:

admin@PA-3060> configure
admin@PA-3060# commit

• Commit part of the configuraon on a firewall with mulple virtual systems:

admin@PA-3060# commit partial ?

+ description          Enter commit description
+ device-and-network   device-and-network
+ shared-object        shared-object
> admin                admin
> no-vsys              no-vsys
> vsys                 vsys
  <Enter>              Finish input

When doing a paral commit from the CLI, you must specify what part of the configuraon
to exclude from the commit. You can also filter the configuraon changes by administrator.
For example, the following command commits only the changes that an administrator with
the username jsmith made to the vsys1 configuraon and to shared objects:

admin@PA-3060# commit partial admin jsmith vsys vsys1 device-and-

network excluded

• Commit part of the configuraon on a firewall that does not have mulple virtual systems
mode enabled:

admin@PA-220# commit partial ?

+ description          Enter commit description
+ device-and-network device-and-network
+ policy-and-objects policy-and-objects
+ shared-object        shared-object

PAN-OS CLI Quick Start Version Version 10.1 40 ©2021 Palo Alto Networks, Inc.
Use the CLI

> admin                admin
<Enter> Finish input

For example, if you made a change in the Security policy only, you might want to commit
just the policy and objects poron of the configuraon as follows:

admin@PA-220# commit partial device-and-network excluded

If the commit takes a long me, you can press Ctrl+C to access the command line
while the commit connues as a background process.

PAN-OS CLI Quick Start Version Version 10.1 41 ©2021 Palo Alto Networks, Inc.
Use the CLI

Test the Configuraon

Use the CLI-only test commands to test that your configuraon works as expected. For example,
you can test that your policy rulebases are working as expected, that your authencaon
configuraon will enable the Palo Alto Networks device to successfully connect to authencaon
services, that a custom URL category matches expected sites, that your IPSec/IKE VPN sengs
are configured properly, that your User-ID syslog parsing profiles are working properly, and many
more things.
The following secons show examples of how to use some of the test commands:
• Test the Authencaon Configuraon
• Test Policy Matches

Test the Authencaon Configuraon

Use the test authentication command to determine if your firewall or Panorama
management server can communicate with a back-end authencaon server and if the
authencaon request was successful. You can addionally test authencaon profiles used for
GlobalProtect and Capve Portal authencaon. You can perform authencaon tests on the
candidate configuraon, so that you know the configuraon is correct before comming.
Connecvity tesng is supported for local database authencaon and for external authencaon
servers that use mul-factor authencaon (MFA), RADIUS, TACACS+, LDAP, Kerberos, or SAML.
STEP 1 | (Vsys-specific authencaon profiles only) Specify which virtual system contains the
authencaon profile you want to test. This is only necessary if you are tesng an
authencaon profile that is specific to a single virtual system (that is, you do not need to do
this if the authencaon profile is shared).

admin@PA-3060> set system setting target-vsys <vsys-name>

For example, to test an authencaon profile in vsys2 you would enter the following
command:

admin@PA-3060> set system setting target-vsys vsys2

The set system setting target-vsys command is not persistent across

sessions.

PAN-OS CLI Quick Start Version Version 10.1 42 ©2021 Palo Alto Networks, Inc.
Use the CLI

STEP 2 | Test an authencaon profile by entering the following command:

admin@PA-3060> test authentication authentication-

profile <authentication-profile-name> username <username> password

You will be prompted for the password associated with the user account.

Profile names are case-sensive. Also, if the authencaon profile has a username
modifier defined, you must enter it with the username. For example, if the username
modifier is %USERINPUT%@%USERDOMAIN%, for a user named bzobrist in domain
acme.com, you would need to enter [email protected] as the username.

For example, run the following command to test connecvity with a Kerberos server defined
in an authencaon profile named Corp, using the login for the LDAP user credenals for user
bzobrist:

admin@PA-3060> test authentication authentication-profile Corp

username bzobrist password
Enter password :

Target vsys is not specified, user "bzobrist" is assumed to be

configured with a
shared auth profile.

Do allow list check before sending out authentication request...

name "bzobrist" is in group "all"

Authentication to KERBEROS server at '10.1.2.10' for user

'bzobrist'
Realm: 'ACME.LOCAL'
Egress: 10.55.0.21
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!

Authentication succeeded for user "bzobrist"

Test Policy Matches

You can use test commands to verify that your policies are working as expected.

Test a security policy rule.

Use the test security-policy-match command to determine whether a security policy
rule is configured correctly. For example, suppose you have a user mcanha in your markeng
department who is responsible for posng company updates to Twier. Instead of adding a
new rule just for that user, you want to test whether twier will be allowed via an exisng rule.

PAN-OS CLI Quick Start Version Version 10.1 43 ©2021 Palo Alto Networks, Inc.
Use the CLI

By running the following test command, you can see that the user mcanha is indeed allowed to
post to twier based on your exisng Allowed Personal Apps security policy rule:

admin@PA-3060> test security-policy-match application twitter-

posting source-user acme\mcanha destination 199.59.150.7
destination-port 80 source 10.40.14.197 protocol 6

"Allowed Personal Apps" {

        from trust;
        source any;
        source-region none;
        to untrust;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service [ twitter-posting/tcp/any/80 twitter-
posting/tcp/any/443 finger/tcp/any/79 finger/udp/any/79 irc-base/
tcp/any/6665-6669 vidsoft/tcp/any/51222 vidsoft/tcp/any/80 vidsoft/
tcp/any/443 vidsoft/tcp/any/1853 vidsoft/udp/any/51222 vidsoft/
udp/any/1853 rtsp/tcp/any/554 rtsp/udp/any/554 kkbox/tcp/any/80
yahoo-mail/tcp/any/80 yahoo-mail/tcp/any/143 0 msn-base/tcp/
any/443 msn-base/tcp/any/1863 msn-base/tcp/any/7001 msn-base/udp/
any/7001 ebuddy/tcp/any/80 gmail-base/tcp/any/80 gmail-base/tcp/
any/443 hovrs/tcp/any/443 hov application/service(implicit) [ http/
tcp/any/80 http/tcp/any/443 http/tcp/any/6788 http/tcp/any/6789
http/tcp/any/7456 http/tcp/any/8687 http/tcp/any/9100 http/tcp/
any/9200 http/udp/any/1513 http/udp/any/1514 jabber/tcp/any/any
jabber/tcp/any/80 jabber/tcp/any/443 jabber/tcp/any/5228 jabber/
tcp/any/25553 jabber/udp/any/any stun/tcp/any/any stun/tcp/any/3158
stun/udp/any/any web-browsing/any/any/any web-browsing/tcp/any/any
web-browsing/tcp/any/80        action allow;
        icmp-unreachable: no
        terminal yes;
}

Test an Authencaon policy rule.

Use the test authentication-policy-match command to test your Authencaon
policy. For example, you want to make sure that all users accessing Salesforce are
authencated. You would use the following test command to make sure that if users are
not idenfied using any other mechanism, the Authencaon policy will force them to
authencate:

admin@PA-3060> test authentication-policy-match from trust to

untrust source 192.168.201.10 destination 96.43.144.26

Matched rule: 'salesforce' action: web-form

Test a Decrypon policy rule.

Use the test decryption-policy-match category command to test whether traffic
to a specific desnaon and URL category will be decrypted according to your policy rules. For

PAN-OS CLI Quick Start Version Version 10.1 44 ©2021 Palo Alto Networks, Inc.
Use the CLI

example, to verify that your no-decrypt policy for traffic to financial services sites is not being
decrypted, you would enter a command similar to the following:

admin@PA-3060> test decryption-policy-match category financial-

services from trust source 10.40.14.197 destination 159.45.2.143

Matched rule: 'test' action: no-decrypt

PAN-OS CLI Quick Start Version Version 10.1 45 ©2021 Palo Alto Networks, Inc.
Use the CLI

Load Configuraons
• Load Configuraon Sengs from a Text File
• Load a Paral Configuraon

Load Configuraon Sengs from a Text File

In scripng mode, you can copy and paste commands from a text file directly into the CLI. This is a
quick and easy way to copy several configuraon sengs from one Palo Alto Networks device to
another.
STEP 1 | On the device from which you want to copy configuraon commands, set the CLI output
mode to set:

admin@fw1> set cli config-output-format set

STEP 2 | Show the part of the configuraon you want to copy. For example, to copy the SNMP
configuraon you would enter the following command:

admin@fw1# show deviceconfig system snmp-setting

set deviceconfig system snmp-setting snmp-system location
Headquarters
set deviceconfig system snmp-setting snmp-system contact snmp-
[email protected]
set deviceconfig system snmp-setting access-setting version v2c
snmp-community-string public

When pasng commands into the command line, make sure you are entering them in
the proper order to avoid errors. Somemes commands shown in the CLI are not the
order in which they must be configured on the device (for example, if you are pasng
a configuraon from a firewall into Panorama). If you see errors, check whether the
command that generated the error is dependent on a later command. In these cases,
you can usually just reenter the command. Also make sure you are pasng secons
of a configuraon in a logical order. For example, you should not copy security policy
rules if you have not yet configured the objects the rules rely on, such as zones, security
profiles, or address groups.

STEP 3 | Copy the commands to a text editor such as Notepad and edit the sengs as desired.

STEP 4 | On the second device, paste the commands into the command line.

There is a limit to the amount of text that can be copied into the SSH buffer
(approximately 20 lines). If you cut-and-paste a large block of text into the CLI,
examine the output of the lines you pasted. If you see lines that are truncated or
generate errors, you may have to re-paste a smaller secon of text, or switch to
scripng mode using the set cli scripting-mode on operaonal mode
command, which increases the buffer significantly.

PAN-OS CLI Quick Start Version Version 10.1 46 ©2021 Palo Alto Networks, Inc.
Use the CLI

STEP 5 | Commit Configuraon Changes.

Load a Paral Configuraon

Use the load config partial command to copy a secon of a configuraon file in XML. The
configuraon can be:
• A saved configuraon file from a Palo Alto Networks firewall or from Panorama
• A local configuraon (for example, running-confg.xml or candidate-config.xml)
• An imported configuraon file from a firewall or Panorama
To load a paral configuraon, you must idenfy the configuraon file you want to copy from and,
if it is not local, import it onto the device (see Use Secure Copy to Import and Export Files for an
example of how to import a saved configuraon).

If you are managing more than two or three firewalls, consider using Panorama for central
management and monitoring of your firewalls.

To specify what part of the configuraon to load, you must find the xpath locaon, which specifies
the XML node in the configuraon file you are loading from and the node in the local candidate
configuraon you are loading to.
The format of the command is:

admin@PA-3060# load config partial mode [append|merge|replace] from-

xpath <source-xpath> to-xpath <destination-xpath> from <filename>

Use the informaon in the following topics to determine the appropriate Xpath locaon formats
and use them to load a configuraon object from one configuraon to another:
• Xpath Locaon Formats Determined by Device Configuraon
• Load a Paral Configuraon into Another Configuraon Using Xpath Values

Xpath Locaon Formats Determined by Device Configuraon

You specify the source and desnaon of the load partial command using xpath locaons,
which specify the XML node in the configuraon you are copying from (from-xpath) and the
XML node in the candidate configuraon you are copying to (to-xpath). Determining the correct
xpath is a crical part of using this command. The following table shows the format for the from-
xpath and to-xpath on different types of devices. Noce that the from-xpath begins at
devices or shared, whereas the to-xpath begins with /config.

Type of Xpath Formats

Device
Configuraon

Mul-vsys from-xpath
Firewall

PAN-OS CLI Quick Start Version Version 10.1 47 ©2021 Palo Alto Networks, Inc.
Use the CLI

Type of Xpath Formats

Device
Configuraon

devices/entry[@name='localhost.localdomain']/vsys/entry[@
name='vsys-ID']/<object>

to-xpath

/config/devices/entry[@name='localhost.localdomain']/vsys
/entry[@name='vsys-ID']/<object>

Single-vsys from-xpath
Firewall
devices/entry[@name='localhost.localdomain']/vsys/entry[@
name='vsys1']/<object>

to-xpath

/config/devices/entry[@name='localhost.localdomain']/vsys
/entry[@name='vsys1']/<object>

Panorama from-xpath
Shared
Object shared/<object>

to-xpath

/config/shared/<object>

Panorama from-xpath
Device
Group devices/entry[@name='localhost.localdomain']/device-group
Object /entry[@name='device-group-name']/ <object>

to-xpath

/config/devices/entry[@name='localhost.localdomain']/devi
ce-group/entry[@name='device-group- name']/<object>

Load a Paral Configuraon into Another Configuraon Using Xpath Values

PAN-OS CLI Quick Start Version Version 10.1 48 ©2021 Palo Alto Networks, Inc.
Use the CLI

STEP 1 | Find the xpath values to use to load the paral configuraon.
1. Log in to the web interface on the device and go to the following URL:
https://<device-ip-address>/api

2. Select Configuraon Commands.

3. Drill down unl you find the configuraon object you want to load from one
configuraon to another.
For example, to find the applicaon group xpath on a mul-vsys firewall, you would
select Configuraon Commands > devices > localhost.localdomain > vsys > <vsys-name>

PAN-OS CLI Quick Start Version Version 10.1 49 ©2021 Palo Alto Networks, Inc.
Use the CLI

> applicaon-group. Aer you drill down to the node you want to load, make note of the
XPath that is displayed in the text box.

You can also find the xpath from the CLI debug mode (use the operaonal mode
command debug mode on to enable this), and then enter the configuraon
mode show command that shows the object you are interested in copying. For
example, to see the xpath for the applicaon object configuraon in vsys1, you
would enter the show vsys vsys1 application command. Look for
the secon of the output that begins with <requestcmd="get" obj=".
This signals the beginning of the xpath. In the following example, the highlighted
secon is the xpath for the applicaon objects in vsys1:

admin@PA-3060# show vsys vsys1 application

(container-tag: vsys container-tag: entry key-tag:
name value: vsys1 container-tag: application)
((eol-matched: . #t) (eol-matched: . #t) (eol-
matched: . #t) (xpath-prefix: . /config/devices/
entry[@name='localhost.localdomain']) (context-
inserted-at-end-p: . #f))
/usr/local/bin/pan_ms_client --config-
mode=default --set-prefix='set vsys vsys1 ' --
cookie=2588252477840140 <<'EOF' |/usr/bin/less -X -E
-M
<request cmd="get" obj="/config/devices/
entry[@name='localhost.localdomain']/vsys/
entry[@name='vsys1']/application"></request>
EOF

4. Aer you find the xpath for the node you want to load, idenfy the appropriate from-
and to- Xpath Locaon Formats Determined by Device Configuraon to load the paral
configuraon.

STEP 2 | Use the load config partial command to copy secons of the configuraon you just
imported. For example, you would use the following command to load the applicaon filters
you configured on fw1 from a saved configuraon file, fw1-config.xml, you imported from
fw1 (a single-vsys firewall) to vsys3 on fw2. Noce that even though fw1 does not have

PAN-OS CLI Quick Start Version Version 10.1 50 ©2021 Palo Alto Networks, Inc.
Use the CLI

mulple virtual system support, the xpath sll points to the vsys1 (the default vsys ID on
single-vsys firewalls):

admin@fw2# load config partial mode merge from-xpath

devices/entry[@name='localhost.localdomain']/vsys/
entry[@name='vsys1']/application-filter to-xpath/config/devices/
entry[@name='localhost.localdomain']/vsys/entry[@name='vsys3']/
application-filter from fw1-config.xml

The quotaon marks around the hostname and the vsys name (if applicable) must be
neutral. The command will fail if there are opened or closed quotaon marks.

STEP 3 | Commit Configuraon Changes.

PAN-OS CLI Quick Start Version Version 10.1 51 ©2021 Palo Alto Networks, Inc.
Use the CLI

Use Secure Copy to Import and Export Files

Secure Copy (SCP) is a convenient way to import and export files onto or off of a Palo Alto
Networks device. For, example, you can use SCP to upload a new OS version to a device that does
not have internet access, or you can export a configuraon or logs from one device to import on
another. The SCP commands require that you have an account (username and password) on the
SCP server.

Because the file for the enre log database is too large for an export or import to be
praccal on the following models, they do not support the scp export logdb or scp
import logdb commands: Panorama virtual appliance running Panorama 6.0 or later
releases, Panorama M-Series appliances (all releases), and PA-7000 Series firewall (all
releases).

• Export a Saved Configuraon from One Firewall and Import it into Another
• Export and Import a Complete Log Database (logdb)

Export a Saved Configuraon from One Firewall and Import it into

Another
Aer you import the saved configuraon, you can then Load a Paral Configuraon from the first
firewall onto the second firewall.
STEP 1 | On the first firewall, save the current configuraon to a named configuraon snapshot using
the save config to <filename> command in configuraon mode. For example:

admin@PA-fw1# save config to fw1-config

STEP 2 | Export the named configuraon snapshot and log database to an SCP-enabled server using
the scp export command in operaonal mode. When prompted, enter the password for
your SCP server account.

admin@fw1> scp export configuration from <named-config-file>

to <username@host:path>

For an SCP server running on Windows, the desnaon folder/filename path for both the
export and import commands requires a drive leer followed by a colon. For example:

admin@fw1> scp export configuration from fw1-config.xml to

[email protected]:c:/fw-config

PAN-OS CLI Quick Start Version Version 10.1 52 ©2021 Palo Alto Networks, Inc.
Use the CLI

STEP 3 | Log in to the firewall to which you want to copy the configuraon and logs, and then import
the configuraon snapshot and log database. When prompted, enter the password for your
SCP server account.

admin@fw2> scp import configuration

from <username@host:path_to_named-config-file>

For example (on a Windows-based SCP server):

admin@fw2> scp import configuration from [email protected]:c:/fw-

configs/fw1-config.xml

Export and Import a Complete Log Database (logdb)

STEP 1 | Export a log database to an SCP-enabled server using the scp export command in
operaonal mode. When prompted, enter the password for your SCP server account.

admin@fw1> scp export logdb

to <username@host:path_to_destination_filename>

For an SCP server running on Windows, the desnaon folder/filename path for both the
export and import commands requires a drive leer followed by a colon. For example:

admin@fw1> scp export logdb to [email protected]:c:/fw-logs/fw1-

logdb

STEP 2 | Log in to the firewall on which to import a log database, and then enter the import command.
When prompted, enter the password for your SCP server account.

admin@fw2> scp import logdb

from <username@host:path_to_destination_filename>

For example (on a Windows-based SCP server):

admin@fw2> scp import logdb from [email protected]:c:/fw-logs/fw1-

logdb

PAN-OS CLI Quick Start Version Version 10.1 53 ©2021 Palo Alto Networks, Inc.
Use the CLI

CLI Jump Start

The following table provides quick start informaon for configuring the features of Palo Alto
Networks devices from the CLI. Where applicable for firewalls with mulple virtual systems (vsys),
the table also shows the locaon to configure shared sengs and vsys-specific sengs.

To configure... Start here...

MGT interface
# set deviceconfig system ip-address

admin password
# set mgt-config users admin password

DNS
# set deviceconfig system dns-setting servers

NTP
# set deviceconfig system ntp-servers

Interfaces
# set network interface

System sengs
# set deviceconfig system

Zones
# set zone <name>
# set vsys <name> zone <name>

Security Profiles
# set profiles
HIP Objects/ # set vsys <name> profiles
Profiles # set shared profiles
URL Filtering
Profiles
WildFire Analysis
Profiles

Server Profiles
# set server-profile
# set vsys <name> server-profile
# set shared server-profile

PAN-OS CLI Quick Start Version Version 10.1 54 ©2021 Palo Alto Networks, Inc.
Use the CLI

To configure... Start here...

Authencaon
Profiles # set authentication-profile
# set vsys <name> authentication-profile
# set shared authentication-profile

Cerficate Profiles
# set certificate-profile
# set vsys <name> certificate-profile
# set shared certificate-profile

Policy
# set rulebase
# set vsys vsys1 rulebase

Log Quotas
# set deviceconfig setting management quota-setting
s

User-ID
# set user-id-agent
# set vsys <name> user-id-agent
# set user-id-collector
# set vsys <name> user-id-collector

HA
# set deviceconfig high-availability

AutoFocus Sengs
# set deviceconfig setting autofocus

WildFire Sengs
# set deviceconfig setting wildfire

Panorama
# set deviceconfig system panorama-server

Restart
> request restart system

PAN-OS CLI Quick Start Version Version 10.1 55 ©2021 Palo Alto Networks, Inc.
Use the CLI

PAN-OS CLI Quick Start Version Version 10.1 56 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets
> CLI Cheat Sheet: Device Management
> CLI Cheat Sheet: User-ID
> CLI Cheat Sheet: Networking
> CLI Cheat Sheet: VSYS
> CLI Cheat Sheet: Panorama

57
CLI Cheat Sheets

CLI Cheat Sheet: Device Management

Use the following table to quickly locate commands for common device management tasks:

If you want to... Use...

• Show general system health informaon.

> show system info

• Show percent usage of disk parons.

Include the oponal files parameter > show system disk-space files
to show informaon about inodes, which
track file storage.

• Show the maximum log file size.

> show system logdb-quota

• Show running processes.

> show system software status

• Show processes running in the

management plane. > show system resources

• Show resource ulizaon in the dataplane.

> show running resource-monitor

• Show the licenses installed on the device.

> request license info

• Show when commits, downloads, and/or

upgrades are completed. > show jobs processed

• Show session informaon.

> show session info

• Show informaon about a specific session.

> show session id <session-id>

• Show the running security policy.

> show running security-policy

PAN-OS CLI Quick Start Version Version 10.1 58 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

If you want to... Use...

• Show the authencaon logs.

> less mp-log authd.log

• Restart the device.

> request restart system

• Show the administrators who are currently

logged in to the web interface, CLI, or API. > show admins

• Show the administrators who can access

the web interface, CLI, or API, regardless of > show admins all
whether those administrators are currently
logged in.
When you run this command on the
firewall, the output includes local
administrators, remote administrators, and
all administrators pushed from a Panorama
template. Remote administrators are listed
regardless of when they last logged in.

• Configure the management interface as a

DHCP client.
For a successful commit, you must include
each of the parameters: accept-dhcp-
domain, accept-dhcp-hostname,
send-client-id, and send-hostname.
# set deviceconfig system type d
hcp-client accept-dhcp-domain <y
es|no> accept-dhcp-hostname <yes
|no> send-client-id <yes|no> sen
d-hostname <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 59 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

CLI Cheat Sheet: User-ID

Use the following commands to perform common User-ID configuraon and monitoring tasks.

To see more comprehensive logging informaon enable debug mode on the agent using
the debug user-id log-ip-user-mapping yes command. When you are
done troubleshoong, disable debug mode using debug user-id log-ip-user-
mapping no.

CLI Cheat Sheet: User-ID

View all User-ID agents configured to send user mappings to the Palo Alto Networks device:
• To see all configured Windows-based agents:

> show user user-id-agent state all

• To see if the PAN-OS-integrated agent is configured:

> show user server-monitor state all

View how many log messages came in from syslog senders and how many entries the User-ID
agent successfully mapped:

> show user server-monitor statistics

View the configuraon of a User-ID agent from the Palo Alto Networks device:

> show user user-id-agent config name <agent-name>

View group mapping informaon:

> show user group-mapping statistics

> show user group-mapping state all
> show user group list
> show user group name <group-name>

View all user mappings on the Palo Alto Networks device:

> show user ip-user-mapping all

Show user mappings filtered by a username string (if the string includes the domain name, use
two backslashes before the username):

PAN-OS CLI Quick Start Version Version 10.1 60 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

CLI Cheat Sheet: User-ID

> show user ip-user-mapping all | match <domain>\\<username-string>

Show user mappings for a specific IP address:

> show user ip-user-mapping ip <ip-address>

Show usernames:

> show user user-ids

View the most recent addresses learned from a parcular User-ID agent:

> show log userid datasourcename equal <agent-name> direction equal

backward

View mappings from a parcular type of authencaon service:

> show log userid datasourcetype equal <authentication-service>

where <authencaon-service> can be authenticate, client-cert, directory-server,

exchange-server, globalprotect, kerberos, netbios-probing, ntlm, unknown,
vpn-client, or wmi-probing.
For example, to view all user mappings from the Kerberos server, you would enter the following
command:

> show log userid datasourcetype equal kerberos

View mappings learned using a parcular type of user mapping:

> show log userid datasource equal <datasource>

where <datasource> can be agent, captive-portal, event-log, ha, probing, server-

session-monitor, ts-agent, unknown, vpn-client, or xml-api.
For example, to view all user mappings from the XML API, you would enter the following
command:

> show log userid datasourcetype equal xml-api

Find a user mapping based on an email address:

> show user email-lookup

PAN-OS CLI Quick Start Version Version 10.1 61 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

CLI Cheat Sheet: User-ID

+ base Default base distinguished name (DN) to use fo
r searches
+ bind-dn bind distinguished name
+ bind-password bind password
+ domain Domain name to be used for username
+ group-object group object class(comma-separated)
+ name-attribute name attribute
+ proxy-agent agent ip or host name.
+ proxy-agent-port user-id agent listening port, default is 5007
+ use-ssl use-ssl
* email email address
> mail-attribute mail attribute
> server ldap server ip or host name.
> server-port ldap server listening port

For example:

> show user email-lookup base "DC=lab,DC=sg,DC=acme,DC=local" bind-

dn "CN=Administrator,CN=Users,DC=lab,DC=sg,DC=acme,DC=local" bind-p
assword acme use-ssl no email [email protected] mail-attribut
e mail server 10.1.1.1 server-port 389 labsg\user1

Clear the User-ID cache:

clear user-cache all

Clear a User-ID mapping for a specific IP address:

clear user-cache ip <ip-address/netmask>

PAN-OS CLI Quick Start Version Version 10.1 62 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

CLI Cheat Sheet: HA

Use the following table to quickly locate commands for HA tasks.

If you want to ... Use ...

• View all HA cluster configuraon content.

> show high-availability cluster
all

• View HA cluster flap stascs.

> show high-availability cluster
Cluster flap count is reset flap-statistics
when the HA device moves
from suspended to funconal
and vice versa. Cluster flap
count also resets when non-
funconal hold me expires.

• View status of the HA4 interface.

> show high-availability cluster
ha4-status

• View status of the HA4 backup interface.

> show high-availability cluster
ha4-backup-status

• View informaon about the type and

number of synchronized messages to or > show high-availability cluster
from an HA cluster. session-synchronization

• View HA cluster state and configuraon

informaon. > show high-availability cluster
state

• View HA cluster stascs, such as counts

received messages and dropped packets > show high-availability cluster
for various reasons. statistics

• Clear HA cluster stascs.

> clear high-availability cluste
r statistics

PAN-OS CLI Quick Start Version Version 10.1 63 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

If you want to ... Use ...

• Clear session cache.

> request high-availability clus
ter clear-cache

• Request full session cache

synchronizaon. > request high-availability clus
ter sync-from

PAN-OS CLI Quick Start Version Version 10.1 64 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

CLI Cheat Sheet: Networking

Use the following table to quickly locate commands for common networking tasks:

If you want to . . . Use . . .

General Roung Commands

• Display the roung table

> show routing route

• Look at routes for a specific

desnaon > show routing fib virtual-router <name>
| match <x.x.x.x/Y>

• Change the ARP cache meout

seng from the default of > set system setting arp-cache-timeout <
1800 seconds. 60-65536>

• View the ARP cache meout

seng. > show system setting arp-cache-timeout

AE Interfaces

• On PA-7050 and PA-7080

firewalls that have an aggregate > set ae-frag redistribution-policy hash
interface group of interfaces
located on different line cards,
implement proper handling of
fragmented packets that the
firewall receives on mulple
interfaces of the AE group.

NAT

• Show the NAT policy table

> show running nat-policy

• Test the NAT policy

> test nat-policy-match

• Show NAT pool ulizaon

> show running ippool
> show running global-ippool

PAN-OS CLI Quick Start Version Version 10.1 65 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

If you want to . . . Use . . .

IPSec

• Show IPSec counters

> show vpn flow

• Show a list of all IPSec

gateways and their > show vpn gateway
configuraons

• Show IKE phase 1 SAs

> show vpn ike-sa

• Show IKE phase 2 SAs

> show vpn ipsec-sa

• Show a list of auto-key IPSec

tunnel configuraons > show vpn tunnel

BFD

• Show BFD profiles

> show routing bfd active-profile [<name
>]

• Show BFD details

> show routing bfd details [interface <n
ame>] [local-ip <ip>] [multihop][peer-ip
<ip>] [session-id] [virtual-router <nam
e>]

• Show BFD stascs on

dropped sessions > show routing bfd drop-counters session
-id <session-id>

• Show counters of transmied,

received, and dropped BFD > show counter global | match bfd
packets

• Clear counters of transmied,

received, and dropped BFD > clear routing bfd counters session-id
packets all | <1-1024>

PAN-OS CLI Quick Start Version Version 10.1 66 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

If you want to . . . Use . . .

• Clear BFD sessions for

debugging purposes > clear routing bfd session-state sessio
n-id all | <1-1024>

PVST+

• Set the nave VLAN ID

> set session pvst-native-vlan-id <vid>

• Drop all STP BPDU packets

> set session drop-stp-packet

• Verify PVST+ BPDU rewrite

configuraon, nave VLAN ID, > show vlan all
and STP BPDU packet drop

• Show counter of mes the

802.1Q tag and PVID fields in > show counter global
a PVST+ BPDU packet do not
match Look at the flow_pvid_inconsistent counter.

Troubleshoong

• Ping from the management

(MGT) interface to a > ping host <destination-ip-address>
desnaon IP address

• Ping from a dataplane interface

to a desnaon IP address > ping source <ip-address-on-dataplane>
host <destination-ip-address>

• Show network stascs

> show netstat statistics yes

PAN-OS CLI Quick Start Version Version 10.1 67 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

CLI Cheat Sheet: VSYS

Use the following commands to administer a Palo Alto Networks firewall with mulple
virtual system (mul-vsys) capability. You must have superuser, superuser (read-only), device
administrator, or device administrator (read-only) access to use these commands. These
commands are not available for virtual system administrator or virtual system administrator (read-
only) roles.

If you want to . . . Use . . .

• Find out if the firewall is in mul-

vsys mode admin@PA> show system info | match vs
ys
multi-vsys: on

• View a list of virtual systems

configured on the firewall admin@PA> set system setting target-v
sys ?
Aer adding a new none none
vsys1 vsys1
virtual system from the vsys2 vsys2
CLI, you must log out and <value> <value>
log back in to see the new
virtual system within the
CLI.

• Switch to a parcular vsys so that

you can issue commands and view admin@PA> set system setting target-v
data specific to that vsys sys <vsys-name>

For example, use the following command to switch to

vsys2; note that the vsys name is case sensive:

> set system setting target-vsys vsys

2
Session target vsys changed to vsys2
admin@PA-vsys2>

Noce that the command prompt now shows the

name of the vsys you are now administering.

• View the maximum number of

sessions allowed, in use, and admin@PA> show session meter
throled
Example output:

VSYS  Maximum  Current  Throttled

PAN-OS CLI Quick Start Version Version 10.1 68 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

If you want to . . . Use . . .

1      10       30      1587

Maximum indicates the maximum number of sessions

allowed per dataplane, Current indicates the number
of sessions being used by the virtual system, and
Throled indicates the number of sessions denied
for the virtual system because the sessions exceeded
the Maximum number mulplied by the number of
dataplanes in the system.

As shown in this example, on a PA-5200

Series or PA-7000 Series firewall, the
Current number of sessions being used can
be greater than the Maximum configured
for Sessions Limit (Device > Virtual
Systems > Resource) because there are
mulple dataplanes per virtual system.
The Sessions Limit you configure on a
PA-5200 or PA-7000 Series firewall is
per dataplane, and will result in a higher
maximum per virtual system.

• View the User-ID mappings in the

vsys admin@PA-vsys2> show user ip-user-map
ping all

• Return to configuring the firewall

globally admin@PA-vsys2> set system setting ta
rget-vsys none
admin@PA>

PAN-OS CLI Quick Start Version Version 10.1 69 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

CLI Cheat Sheet: Panorama

Use the following commands on Panorama to perform common configuraon and monitoring
tasks for the Panorama management server (M-Series appliance in Panorama mode), Dedicated
Log Collectors (M-Series appliances in Log Collector mode), and managed firewalls.

To view system informaon about a Panorama virtual appliance or M-Series appliance (for
example, job history, system resources, system health, or logged-in administrators), see CLI
Cheat Sheet: Device Management.
A Dedicated Log Collector mode has no web interface for administrave access, only a
command line interface (CLI).

If you want to . . . Use . . .

M-Series Appliance Mode of Operaon (Panorama, Log Collector, or PAN-DB Private Cloud
Mode)

Switching the mode reboots the M-Series appliance, deletes any exisng log data, and
deletes all configuraons except the management access sengs.

• Display the current operaonal mode.

>
show system info
| match system-mode

• Switch from Panorama mode to Log Collector mode.

>
request system s
ystem-mode logger

• Switch from Panorama mode to PAN-DB private

cloud mode (M-500 appliance only). >
request system s
ystem-mode panurldb

• Switch an M-Series appliance from Log Collector

mode or PAN-DB private cloud mode (M-500 >
appliance only) to Panorama mode. request system s
ystem-mode panorama

• Switch the Panorama virtual appliance from Legacy

mode to Panorama mode. >

PAN-OS CLI Quick Start Version Version 10.1 70 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

If you want to . . . Use . . .

request system s
ystem-mode panorama

• Switch the Panorama virtual appliance from

Panorama mode to Legacy mode. >
request system s
ystem-mode legacy

Panorama Management Server

• Change the output for show commands to a format

that you can run as CLI commands. >
set cli config-o
utput-mode set

The following is an example of the

output for the show device-
group command aer seng the
output format:

#
show device-grou
p branch-offices
set device-group
branch-offices devices
set device-group
branch-offices pre-rule
base
...

• Enable or disable the connecon between a firewall

and Panorama. You must enter this command from >
the firewall CLI. set panorama [of
f | on]

• Synchronize the configuraon of M-Series appliance

high availability (HA) peers. >
request high-ava
ilability sync-to-remote
[running-config | candi
date-config]

PAN-OS CLI Quick Start Version Version 10.1 71 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

If you want to . . . Use . . .

• Reboot mulple firewalls or Dedicated Log

Collectors. >
request batch re
boot [devices | log-coll
ectors]
<serial-number>

• Change the interval in seconds (default is 10; range

is 5 to 60) at which Panorama polls devices (firewalls >
and Log Collectors) to determine the progress of set dlsrvr poll-
soware or content updates. Panorama displays interval
<5-60>
the progress when you deploy the updates to
devices. Decreasing the interval makes the progress
report more accurate but increases traffic between
Panorama and the devices.

Device Groups and Templates

• Show the history of device group commits, status of

the connecon to Panorama, and other informaon >
for the firewalls assigned to a device group. show devicegroup
s name
<device-group-n
ame>

• Show the history of template commits, status of the

connecon to Panorama, and other informaon for >
the firewalls assigned to a template. show templates n
ame
<template-name>

• Show all the policy rules and objects pushed from

Panorama to a firewall. You must enter this command >
from the firewall CLI. show config push
ed-shared-policy

• Show all the network and device sengs pushed

from Panorama to a firewall. You must enter this >
command from the firewall CLI. show config push
ed-template

PAN-OS CLI Quick Start Version Version 10.1 72 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

If you want to . . . Use . . .

Log Collecon

• Show the current rate at which the Panorama

management server or a Dedicated Log Collector >
receives firewall logs. debug log-collec
tor log-collection-stats
show incoming-logs

• Show the quanty and status of logs that Panorama

or a Dedicated Log Collector forwarded to external >
servers (such as syslog servers) as well as the auto- debug log-collec
tagging status of the logs. Tracking dropped logs tor log-collection-stats
show log-forwarding-sta
helps you troubleshoot connecvity issues. ts

• Show status informaon for log forwarding to the

Panorama management server or a Dedicated Log >
Collector from a parcular firewall (such as the last show logging-sta
received and generated log of each type). tus device
<firewall-seria
When you run this command at the firewall CLI (skip the l-number>
device <firewall-serial-number> argument),
the output also shows how many logs the firewall has
forwarded.

• Clear logs by type.

>
Running this command on the Panorama management clear log [acc |
server clears logs that Panorama and Dedicated Log alarm | config | hipmat
Collectors generated, as well as any firewall logs that ch | system]
the Panorama management server collected. Running
this command on a Dedicated Log Collector clears the
logs that it collected from firewalls.

PAN-OS CLI Quick Start Version Version 10.1 73 ©2021 Palo Alto Networks, Inc.
CLI Cheat Sheets

PAN-OS CLI Quick Start Version Version 10.1 74 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1
This chapter idenfies the PAN-OS 10.1 CLI configure commands changed since the
PAN-OS 10.1 release:

> New Set Commands

> Changed Set Commands
> Removed Set Commands
> New Show Commands
> Changed Show Commands
> Removed Show Commands

75
CLI Changes in PAN-OS 10.1

Set Commands Introduced in PAN-OS 10.1

The following commands are new in the 10.1 release:

set deviceconfig system non-ui-authentication-profile <value>

set deviceconfig system hsm-settings provider ncipher-nshield-connect

set deviceconfig system hsm-settings provider ncipher-nshield-connect

hsm-server

set deviceconfig system hsm-settings provider ncipher-nshield-connect

hsm-server <name>

set deviceconfig system hsm-settings provider ncipher-nshield-connect

hsm-server <name> server-address <ip/netmask>

set deviceconfig system hsm-settings provider ncipher-nshield-connect

rfs-address <ip/netmask>

set deviceconfig system snmp-setting access-setting version v3 users

<name> authproto <SHA|SHA-224|SHA-256|SHA-384|SHA-512>

set deviceconfig system snmp-setting access-setting version v3 users

<name> privproto <AES|AES-192|AES-256>

set deviceconfig setting hawkeye

set deviceconfig setting hawkeye public-cloud-server <value>

set deviceconfig setting ctd cloud-dns-privacy-mask <yes|no>

set deviceconfig setting ctd cloudapp-implicit-policy-enforce <yes|

no>

set deviceconfig setting ctd shm-quota-threshold <50-80>

set deviceconfig setting ctd shared-memory-quota-dlp <0-100>

set deviceconfig setting ctd shared-memory-quota-iot <0-100>

set deviceconfig setting ctd shared-memory-quota-ace <0-100>

set deviceconfig setting ssl-decrypt scan-handshake <yes|no>

set deviceconfig setting management admin-session max-session-count

<0-4>

set deviceconfig setting management audit-tracking

set deviceconfig setting management audit-tracking op-commands <yes|

no>

PAN-OS CLI Quick Start Version Version 10.1 76 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set deviceconfig setting management audit-tracking ui-actions <yes|

no>

set deviceconfig setting management audit-tracking send-syslog

<value>

set deviceconfig setting cloudapp

set deviceconfig setting cloudapp disable <yes|no>

set deviceconfig setting cloudapp cloudapp-srvr-addr

set deviceconfig setting cloudapp cloudapp-srvr-addr address <ip/

netmask>|<value>

set network interface ethernet<name> layer3 bonjour

set network interface ethernet <name> layer3 bonjour enable <yes|no>

set network interface ethernet <name> layer3 sdwan-link-settings

upstream-nat

set network interface ethernet <name> layer3 sdwan-link-settings

upstream-nat enable <yes|no>

set network interface ethernet <name> layer3 sdwan-link-settings

upstream-nat static-ip

set network interface ethernet <name> layer3 sdwan-link-settings

upstream-nat static-ip ip-address <value>|<ip/netmask>

set network interface ethernet <name> layer3 sdwan-link-settings

upstream-nat static-ip fqdn <value>

set network interface ethernet <name> layer3 sdwan-link-settings

upstream-nat ddns

set network interface ethernet <name> layer3 units <name> sdwan-link-

settings

set network interface ethernet <name> layer3 units <name> sdwan-link-

settings enable <yes|no>

set network interface ethernet <name> layer3 units <name> sdwan-link-

settings sdwan-interface-profile <value>

set network interface ethernet <name> layer3 units <name> sdwan-link-

settings upstream-nat

set network interface ethernet <name> layer3 units <name> sdwan-link-

settings upstream-nat enable <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 77 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set network interface ethernet <name> layer3 units <name> sdwan-link-

settings upstream-nat static-ip

set network interface ethernet <name> layer3 units <name> sdwan-link-

settings upstream-nat static-ip ip-address <value>|<ip/netmask>

set network interface ethernet <name> layer3 units <name> sdwan-link-

settings upstream-nat static-ip fqdn <value>

set network interface ethernet <name> layer3 units <name> sdwan-link-

settings upstream-nat ddns

set network interface ethernet <name> layer3 units <name> bonjour

set network interface ethernet <name> layer3 units <name> bonjour

enable <yes|no>

set network interface ethernet <name> layer3 units <name> ip <name>

sdwan-gateway <ip/netmask>

set network interface aggregate-ethernet <name> layer3 bonjour

set network interface aggregate-ethernet <name> layer3 bonjour enable

<yes|no>

set network interface aggregate-ethernet <name> layer3 ip <name>

sdwan-gateway <ip/netmask>

set network interface aggregate-ethernet <name> layer3 sdwan-link-

settings

set network interface aggregate-ethernet <name> layer3 sdwan-link-

settings enable <yes|no>

set network interface aggregate-ethernet <name> layer3 sdwan-link-

settings sdwan-interface-profile <value>

set network interface aggregate-ethernet <name> layer3 sdwan-link-

settings upstream-nat

set network interface aggregate-ethernet <name> layer3 sdwan-link-

settings upstream-nat enable <yes|no>

set network interface aggregate-ethernet <name> layer3 sdwan-link-

settings upstream-nat static-ip

set network interface aggregate-ethernet <name> layer3 sdwan-link-

settings upstream-nat static-ip ip-address <value>|<ip/netmask>

set network interface aggregate-ethernet <name> layer3 sdwan-link-

settings upstream-nat static-ip fqdn <value>

PAN-OS CLI Quick Start Version Version 10.1 78 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set network interface aggregate-ethernet <name> layer3 sdwan-link-

settings upstream-nat ddns

set network interface aggregate-ethernet <name> layer3 units <name>

bonjour

set network interface aggregate-ethernet <name> layer3 units <name>

bonjour enable <yes|no>

set network interface aggregate-ethernet <name> layer3 units <name>

ip <name> sdwan-gateway <ip/netmask>

set network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings

set network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings enable <yes|no>

set network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings sdwan-interface-profile <value>

set network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings upstream-nat

set network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings upstream-nat enable <yes|no>

set network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings upstream-nat static-ip

set network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings upstream-nat static-ip ip-address <value>|<ip/
netmask>

set network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings upstream-nat static-ip fqdn <value>

set network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings upstream-nat ddns

set network interface loopback df-ignore <yes|no>

set network interface sdwan units <name> link-tag <value>

set network tunnel ipsec<name> anti-replay-window <64|128|256|512|

1024|2048|4096>

set network virtual-router <name> routing-table ip static-route

<name> path-monitor monitor-destinations <name> source <value>|
<DHCP|PPPOE>

PAN-OS CLI Quick Start Version Version 10.1 79 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set network logical-router <name> vrf <name> routing-table ip static-

route <name> path-monitor monitor-destinations <name> source <value>|
<DHCP|PPPOE>

set network shared-gateway <name> service <name> protocol tcp port

<0-65535,...>

set network shared-gateway <name> service <name> protocol tcp source-

port <0-65535,...>

set network shared-gateway <name> service <name> protocol udp port

<0-65535,...>

set network shared-gateway <name> service <name> protocol udp source-

port <0-65535,...>

set network shared-gateway <name> log-settings snmptrap <name>

version v3 server <name> authproto <SHA|SHA-224|SHA-256|SHA-384|
SHA-512>

set network shared-gateway <name> log-settings snmptrap <name>

version v3 server <name> privproto <AES|AES-192|AES-256>

set network shared-gateway <name> rulebase network-packet-broker

set network shared-gateway <name> rulebase network-packet-broker

rules

set network shared-gateway <name> rulebase network-packet-broker

rules <name>

set network shared-gateway <name> rulebase network-packet-broker

rules <name> from [ <from1> <from2>... ]

set network shared-gateway <name> rulebase network-packet-broker

rules <name> to [ <to1> <to2>... ]

set network shared-gateway <name> rulebase network-packet-broker

rules <name> source [ <source1> <source2>... ]

set network shared-gateway <name> rulebase network-packet-broker

rules <name> source-user [ <source-user1> <source-user2>... ]

set network shared-gateway <name> rulebase network-packet-broker

rules <name> destination [ <destination1> <destination2>... ]

set network shared-gateway <name> rulebase network-packet-broker

rules <name> application [ <application1> <application2>... ]

set network shared-gateway <name> rulebase network-packet-broker

rules <name> service [ <service1> <service2>... ]

set network shared-gateway <name> rulebase network-packet-broker

rules <name> tag [ <tag1> <tag2>... ]

PAN-OS CLI Quick Start Version Version 10.1 80 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set network shared-gateway <name> rulebase network-packet-broker

rules <name> negate-source <yes|no>

set network shared-gateway <name> rulebase network-packet-broker

rules <name> negate-destination <yes|no>

set network shared-gateway <name> rulebase network-packet-broker

rules <name> disabled <yes|no>

set network shared-gateway <name> rulebase network-packet-broker

rules <name> description <value>

set network shared-gateway <name> rulebase network-packet-broker

rules <name> group-tag <value>

set network shared-gateway <name> rulebase network-packet-broker

rules <name> source-hip [ <source-hip1> <source-hip2>... ]

set network shared-gateway <name> rulebase network-packet-broker

rules <name> destination-hip [ <destination-hip1> <destination-
hip2>... ]

set network shared-gateway <name> rulebase network-packet-broker

rules <name> traffic-type

set network shared-gateway <name> rulebase network-packet-broker

rules <name> traffic-type tls-decrypted <yes|no>

set network shared-gateway <name> rulebase network-packet-broker

rules <name> traffic-type tls-encrypted <yes|no>

set network shared-gateway <name> rulebase network-packet-broker

rules <name> traffic-type non-tls <yes|no>

set network shared-gateway <name> rulebase network-packet-broker

rules <name> action

set network shared-gateway <name> rulebase network-packet-broker

rules <name> action packet-broker-profile <value>

set shared service<name> protocol tcp port <0-65535,...>

set shared service <name> protocol tcp source-port <0-65535,...>

set shared service <name> protocol udp port <0-65535,...>

set shared service <name> protocol udp source-port <0-65535,...>

set shared profiles hip-objects <name> anti-malware criteria product-

version within versions <1-1>

set shared profiles hip-objects <name> anti-malware criteria product-

version not-within versions <1-1>

PAN-OS CLI Quick Start Version Version 10.1 81 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set shared profiles sdwan-saas-quality <name> monitor-mode static-ip

ip-address <name> probe-interval <1-60>

set shared profiles sdwan-saas-quality <name> monitor-mode static-ip

fqdn probe-interval <1-60>

set shared profiles sdwan-saas-quality <name> monitor-mode http-https

probe-interval <3-60>

set shared profiles sdwan-error-correction <name> mode forward-error-

correction recovery-duration <1-5000>

set shared profiles sdwan-error-correction <name> mode packet-

duplication recovery-duration-pd <1-5000>

set shared reports<name> type thsum group-by <serial|time_generated|

vsys_name|device_name|app|src|dst|rule|threatid|srcuser|dstuser|
srcloc|dstloc|xff_ip|vsys|from|to|dev_serial|dport|action|severity|
inbound_if|outbound_if|category|category-of-app|subcategory-of-app|
technology-of-app|container-of-app|risk-of-app|parent_session_id|
parent_start_time|tunnel|direction|assoc_id|ppid|http2_connection|
rule_uuid|threat_name|src_edl|dst_edl|hostid|dynusergroup_name|
nssai_sst|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_time|hour-
of-receive_time|quarter-hour-of-receive_time|subtype|tunnelid|
monitortag|category-of-threatid|threat-type>

set shared reports <name> type traffic group-by <serial|

time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|
dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|natsport|
natdport|proto|action|tunnel|rule_uuid|s_encrypted|category-of-
app|subcategory-of-app|technology-of-app|container-of-app|risk-
of-app|vsys_name|device_name|parent_session_id|parent_start_time|
category|session_end_reason|action_source|nssai_sst|nssai_sd|
http2_connection|xff_ip|dynusergroup_name|src_edl|dst_edl|hostid|
session_owner|policy_id|offloaded|src_category|src_profile|src_model|
src_vendor|src_osfamily|src_osversion|src_host|src_mac|dst_category|
dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|
dst_mac|container_id|pod_namespace|pod_name|src_dag|dst_dag|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time|pbf-
s2c|pbf-c2s|decrypt-mirror|threat-type|flag-nat|flag-pcap|captive-
portal|flag-proxy|non-std-dport|transaction|sym-return|sessionid|
flag-decrypt-fwd|tunnelid|monitortag>

set shared reports <name> type urlsum group-by <serial|

time_generated|vsys_name|device_name|app|category|src|dst|rule|
srcuser|dstuser|srcloc|dstloc|vsys|from|to|dev_serial|inbound_if|
outbound_if|dport|action|tunnel|url_domain|user_agent|http_method|
http2_connection|category-of-app|subcategory-of-app|technology-of-
app|container-of-app|risk-of-app|parent_session_id|parent_start_time|
rule_uuid|xff_ip|src_edl|dst_edl|hostid|dynusergroup_name|nssai_sst|

PAN-OS CLI Quick Start Version Version 10.1 82 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|url_category_list|src_dag|dst_dag|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time|
tunnelid|monitortag>

set shared reports <name> type trsum group-by <serial|time_generated|

vsys_name|device_name|app|src|dst|xff_ip|rule|srcuser|dstuser|
srcloc|dstloc|category|vsys|from|to|dev_serial|dport|action|
tunnel|inbound_if|outbound_if|category-of-app|subcategory-of-app|
technology-of-app|container-of-app|risk-of-app|parent_session_id|
parent_start_time|assoc_id|http2_connection|rule_uuid|src_edl|
dst_edl|dynusergroup_name|s_decrypted|s_encrypted|hostid|nssai_sst|
src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_time|hour-
of-receive_time|quarter-hour-of-receive_time|tunnelid|monitortag|
standard-ports-of-app>

set shared reports <name> type auth group-by <serial|time_generated|

vsys_name|device_name|vsys|ip|user|normalize_user|object|authpolicy|
authid|vendor|clienttype|event|factorno|authproto|rule_uuid|
src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|day-of-receive_time|hour-of-
receive_time|quarter-hour-of-receive_time|serverprofile|desc>

set shared reports<name> type hipmatch group-by <serial|

time_generated|vsys_name|device_name|srcuser|vsys|machinename|src|
matchname|os|matchtype|srcipv6|hostid|mac|day-of-receive_time|hour-
of-receive_time|quarter-hour-of-receive_time>

set shared reports <name> type hipmatch last-match-by <>

set shared authentication-profile <name> method cloud

set shared authentication-profile <name> method cloud region

set shared authentication-profile <name> method cloud region

region_id <value>

set shared authentication-profile <name> method cloud region tenant

set shared authentication-profile <name> method cloud region tenant

tenant_id <value>

set shared authentication-profile <name> method cloud region tenant

profile

set shared authentication-profile <name> method cloud region tenant

profile profile_id <value>

PAN-OS CLI Quick Start Version Version 10.1 83 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set shared authentication-profile <name> method cloud region tenant

profile mfa

set shared authentication-profile <name> method cloud region tenant

profile mfa force-mfa <value>

set shared authentication-profile <name> method cloud clock-skew

<1-900>

set shared log-settings snmptrap <name> version v3 server <name>

authproto <SHA|SHA-224|SHA-256|SHA-384|SHA-512>

set shared log-settings snmptrap <name> version v3 server <name>

privproto <AES|AES-192|AES-256>

set shared ssl-tls-service-profile <name> protocol-settings max-

version <tls1-0|tls1-1|tls1-2|max>

set shared admin-role <name> role device webui policies network-

packet-broker-rulebase <enable|read-only|disable>

set shared admin-role <name> role device webui objects packet-broker-

profile <enable|read-only|disable>

set shared admin-role <name> role device webui device plugins

<enable|disable>

set shared admin-role <name> role device webui device policy-

recommendations

set shared admin-role <name> role device webui device policy-

recommendations iot <enable|read-only|disable>

set shared admin-role <name> role device webui device policy-

recommendations saas <enable|read-only|disable>

set shared admin-role <name> role device restapi objects packet-

broker-profiles <enable|read-only|disable>

set shared admin-role <name> role device restapi objects sdwan-saas-

quality-profiles <enable|read-only|disable>

set shared admin-role <name> role device restapi objects sdwan-error-

correction-profiles <enable|read-only|disable>

set shared admin-role <name> role device restapi policies network-

packet-broker-rules <enable|read-only|disable>

set shared admin-role <name> role device restapi device log-

interface-setting <enable|read-only|disable>

set shared admin-role <name> role device restapi system

set shared admin-role <name> role device restapi system configuration

<enable|read-only|disable>

PAN-OS CLI Quick Start Version Version 10.1 84 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set shared admin-role <name> role vsys webui policies network-packet-

broker-rulebase <enable|read-only|disable>

set shared admin-role <name> role vsys webui objects packet-broker-

profile <enable|read-only|disable>

set shared admin-role <name> role vsys webui device policy-

recommendations

set shared admin-role <name> role vsys webui device policy-

recommendations iot <enable|read-only|disable>

set shared admin-role <name> role vsys webui device policy-

recommendations saas <enable|read-only|disable>

set shared admin-role <name> role vsys restapi objects packet-broker-

profiles <enable|read-only|disable>

set shared admin-role <name> role vsys restapi objects sdwan-saas-

quality-profiles <enable|read-only|disable>

set shared admin-role <name> role vsys restapi objects sdwan-error-

correction-profiles <enable|read-only|disable>

set shared admin-role <name> role vsys restapi policies network-

packet-broker-rules <enable|read-only|disable>

set shared admin-role <name> role vsys restapi device log-interface-

setting <enable|read-only|disable>

set shared admin-role <name> role vsys restapi system

set shared admin-role <name> role vsys restapi system configuration

<enable|read-only|disable>

set shared user-id-hub

set shared user-id-hub vsys <value>

set shared user-id-hub ip-user-mapping <yes|no>

set shared user-id-hub user-group-mapping <yes|no>

set vsys<name> authentication-profile <name> method cloud

set vsys <name> authentication-profile <name> method cloud region

set vsys <name> authentication-profile <name> method cloud region

region_id <value>

set vsys <name> authentication-profile <name> method cloud region

tenant

PAN-OS CLI Quick Start Version Version 10.1 85 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set vsys <name> authentication-profile <name> method cloud region

tenant tenant_id <value>

set vsys <name> authentication-profile <name> method cloud region

tenant profile

set vsys <name> authentication-profile <name> method cloud region

tenant profile profile_id <value>

set vsys <name> authentication-profile <name> method cloud region

tenant profile mfa

set vsys <name> authentication-profile <name> method cloud region

tenant profile mfa force-mfa <value>

set vsys <name> authentication-profile <name> method cloud clock-skew

<1-900>

set vsys <name> log-settings snmptrap <name> version v3 server <name>

authproto <SHA|SHA-224|SHA-256|SHA-384|SHA-512>

set vsys <name> log-settings snmptrap <name> version v3 server <name>

privproto <AES|AES-192|AES-256>

set vsys <name> ssl-tls-service-profile <name> protocol-settings max-

version <tls1-0|tls1-1|tls1-2|max>

set vsys <name> cloud-identity-engine

set vsys <name> cloud-identity-engine <name>

set vsys <name> cloud-identity-engine <name> region <value>

set vsys <name> cloud-identity-engine <name> cloud-identity-engine-

instance <value>

set vsys <name> cloud-identity-engine <name> domain <value>

set vsys <name> cloud-identity-engine <name> update-interval <5-1440>

set vsys <name> cloud-identity-engine <name> enabled <yes|no>

set vsys <name> cloud-identity-engine <name> primary-user <value>

set vsys <name> cloud-identity-engine <name> user-email <value>

set vsys <name> cloud-identity-engine <name> alt-username-1 <value>

set vsys <name> cloud-identity-engine <name> alt-username-2 <value>

set vsys <name> cloud-identity-engine <name> alt-username-3 <value>

set vsys <name> cloud-identity-engine <name> group-name <value>

set vsys <name> cloud-identity-engine <name> group-email <value>

PAN-OS CLI Quick Start Version Version 10.1 86 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set vsys <name> cloud-identity-engine <name> endpoint-serial-number

<value>

set vsys <name> sdwan-interface-profile <name> vpn-failover-metric

<1-65535>

set vsys <name> global-protect global-protect-gateway <name> roles

<name> inactivity-logout <5-43200>

set vsys <name> profiles hip-objects <name> anti-malware criteria

product-version within versions <1-1>

set vsys <name> profiles hip-objects <name> anti-malware criteria

product-version not-within versions <1-1>

set vsys <name> profiles sdwan-saas-quality <name> monitor-mode

static-ip ip-address <name> probe-interval <1-60>

set vsys <name> profiles sdwan-saas-quality <name> monitor-mode http-

https probe-interval <3-60>

set vsys <name> profiles sdwan-error-correction <name> mode packet-

duplication recovery-duration-pd <1-5000>

set vsys <name> profiles packet-broker

set vsys <name> profiles packet-broker <name>

set vsys <name> profiles packet-broker <name> description <value>

set vsys <name> profiles packet-broker <name> interface-primary

<value>

set vsys <name> profiles packet-broker <name> transparent

set vsys <name> profiles packet-broker <name> transparent enable-ipv6

<yes|no>

set vsys <name> profiles packet-broker <name> routed

set vsys <name> profiles packet-broker <name> routed security-chain

set vsys <name> profiles packet-broker <name> routed security-chain

<name>

set vsys <name> profiles packet-broker <name> routed security-chain

<name> enable <yes|no>

set vsys <name> profiles packet-broker <name> routed security-chain

<name> first-device <ip/netmask>

set vsys <name> profiles packet-broker <name> routed security-chain

<name> first-device-description <value>

PAN-OS CLI Quick Start Version Version 10.1 87 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set vsys <name> profiles packet-broker <name> routed security-chain

<name> last-device <ip/netmask>

set vsys <name> profiles packet-broker <name> routed security-chain

<name> last-device-description <value>

set vsys <name> profiles packet-broker <name> routed distribution

<round-robin|ip-modulo|ip-hash|lowest-latency>

set vsys <name> profiles packet-broker <name> health-check

set vsys <name> profiles packet-broker <name> health-check failure-

action <bypass|block>

set vsys <name> profiles packet-broker <name> health-check failure-

condition <any|all>

set vsys <name> profiles packet-broker <name> health-check path-

enable <yes|no>

set vsys <name> profiles packet-broker <name> health-check path-

interval-s <1-60>

set vsys <name> profiles packet-broker <name> health-check path-

recovery-hold-s <0-65535>

set vsys <name> profiles packet-broker <name> health-check http-

enable <yes|no>

set vsys <name> profiles packet-broker <name> health-check http-count

<1-10>

set vsys <name> profiles packet-broker <name> health-check http-

interval-s <1-60>

set vsys <name> profiles packet-broker <name> health-check http-

latency-enable <yes|no>

set vsys <name> profiles packet-broker <name> health-check http-

latency-maximum-ms <10-65535>

set vsys <name> profiles packet-broker <name> health-check http-

latency-duration-s <1-65535>

set vsys <name> profiles packet-broker <name> health-check http-

latency-log-exceeded <yes|no>

set vsys <name> service <name> protocol tcp port <0-65535,...>

set vsys <name> service <name> protocol udp port <0-65535,...>

set vsys <name> service <name> protocol udp source-port <0-65535,...>

set vsys <name> authentication-profile <name> method cloud

set vsys <name> authentication-profile <name> method cloud region

PAN-OS CLI Quick Start Version Version 10.1 88 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set vsys <name> authentication-profile <name> method cloud region

region_id <value>

set vsys <name> authentication-profile <name> method cloud region

tenant

set vsys <name> authentication-profile <name> method cloud region

tenant tenant_id <value>

set vsys <name> authentication-profile <name> method cloud region

tenant profile

set vsys <name> authentication-profile <name> method cloud region

tenant profile profile_id <value>

set vsys <name> authentication-profile <name> method cloud region

tenant profile mfa

set vsys <name> authentication-profile <name> method cloud region

tenant profile mfa force-mfa <value>

set vsys <name> authentication-profile <name> method cloud clock-skew

<1-900>

set vsys <name> log-settings snmptrap <name> version v3 server <name>

authproto <SHA|SHA-224|SHA-256|SHA-384|SHA-512>

set vsys <name> log-settings snmptrap <name> version v3 server <name>

privproto <AES|AES-192|AES-256>

set vsys <name> ssl-tls-service-profile <name> protocol-settings max-

version <tls1-0|tls1-1|tls1-2|max>

set vsys<name> cloud-identity-engine

set vsys <name> cloud-identity-engine <name>

set vsys <name> cloud-identity-engine <name> region <value>

set vsys <name> cloud-identity-engine <name> cloud-identity-engine-

instance <value>

set vsys <name> cloud-identity-engine <name> domain <value>

set vsys <name> cloud-identity-engine <name> update-interval <5-1440>

set vsys <name> cloud-identity-engine <name> enabled <yes|no>

set vsys <name> cloud-identity-engine <name> primary-user <value>

set vsys <name> cloud-identity-engine <name> user-email <value>

set vsys <name> cloud-identity-engine <name> alt-username-1 <value>

PAN-OS CLI Quick Start Version Version 10.1 89 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set vsys <name> cloud-identity-engine <name> alt-username-2 <value>

set vsys <name> cloud-identity-engine <name> alt-username-3 <value>

set vsys <name> cloud-identity-engine <name> group-name <value>

set vsys <name> cloud-identity-engine <name> group-email <value>

set vsys <name> cloud-identity-engine <name> endpoint-serial-number

<value>

set vsys <name> sdwan-interface-profile <name> vpn-failover-metric

<1-65535>

set vsys <name> global-protect global-protect-gateway <name> roles

<name> inactivity-logout <5-43200>

set vsys <name> profiles hip-objects <name> anti-malware criteria

product-version within versions <1-1>

set vsys <name> profiles hip-objects <name> anti-malware criteria

product-version not-within versions <1-1>

set vsys <name> profiles sdwan-saas-quality <name> monitor-mode

static-ip ip-address <name> probe-interval <1-60>

set vsys <name> profiles sdwan-saas-quality <name> monitor-mode http-

https probe-interval <3-60>

set vsys <name> profiles sdwan-error-correction <name> mode packet-

duplication recovery-duration-pd <1-5000>

set vsys <name> profiles packet-broker

set vsys <name> profiles packet-broker <name>

set vsys <name> profiles packet-broker <name> description <value>

set vsys <name> profiles packet-broker <name> interface-primary

<value>

set vsys <name> profiles packet-broker <name> transparent

set vsys <name> profiles packet-broker <name> transparent enable-ipv6

<yes|no>

set vsys <name> profiles packet-broker <name> routed

set vsys <name> profiles packet-broker <name> routed security-chain

set vsys <name> profiles packet-broker <name> routed security-chain

<name>

set vsys <name> profiles packet-broker <name> routed security-chain

<name> enable <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 90 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set vsys <name> profiles packet-broker <name> routed security-chain

<name> first-device <ip/netmask>

set vsys <name> profiles packet-broker <name> routed security-chain

<name> first-device-description <value>

set vsys <name> profiles packet-broker <name> routed security-chain

<name> last-device <ip/netmask>

set vsys <name> profiles packet-broker <name> routed security-chain

<name> last-device-description <value>

set vsys <name> profiles packet-broker <name> routed distribution

<round-robin|ip-modulo|ip-hash|lowest-latency>

set vsys <name> profiles packet-broker <name> health-check

set vsys <name> profiles packet-broker <name> health-check failure-

action <bypass|block>

set vsys <name> profiles packet-broker <name> health-check failure-

condition <any|all>

set vsys <name> profiles packet-broker <name> health-check path-

enable <yes|no>

set vsys <name> profiles packet-broker <name> health-check path-

interval-s <1-60>

set vsys <name> profiles packet-broker <name> health-check path-

recovery-hold-s <0-65535>

set vsys <name> profiles packet-broker <name> health-check http-

enable <yes|no>

set vsys <name> profiles packet-broker <name> health-check http-count

<1-10>

set vsys <name> profiles packet-broker <name> health-check http-

interval-s <1-60>

set vsys <name> profiles packet-broker <name> health-check http-

latency-enable <yes|no>

set vsys <name> profiles packet-broker <name> health-check http-

latency-maximum-ms <10-65535>

set vsys <name> profiles packet-broker <name> health-check http-

latency-duration-s <1-65535>

set vsys <name> profiles packet-broker <name> health-check http-

latency-log-exceeded <yes|no>

set vsys <name> service <name> protocol tcp port <0-65535,...>

PAN-OS CLI Quick Start Version Version 10.1 91 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set vsys <name> service <name> protocol udp port <0-65535,...>

set vsys <name> service <name> protocol udp source-port <0-65535,...>

set vsys <name> reports <name> type decryption group-by <serial|

time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|
dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|natsport|
natdport|proto|action|tunnel|rule_uuid|s_encrypted|category-of-app|
subcategory-of-app|technology-of-app|container-of-app|risk-of-app|
vsys_name|device_name|tls_version|tls_keyxchg|tls_enc|tls_auth|
ec_curve|err_index|root_status|proxy_type|policy_name|cn|issuer_cn|
root_cn|sni|error|src_dag|dst_dag|src_edl|dst_edl|container_id|
pod_namespace|pod_name|src_category|src_profile|src_model|src_vendor|
src_osfamily|src_osversion|src_host|src_mac|dst_category|dst_profile|
dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|day-
of-receive_time|hour-of-receive_time|quarter-hour-of-receive_time>

set vsys <name> reports <name> type desum group-by <serial|

time_generated|vsys_name|device_name|category-of-app|subcategory-
of-app|technology-of-app|container-of-app|risk-of-app|app|src|
dst|srcuser|dstuser|vsys|tls_version|tls_keyxchg|tls_enc|tls_auth|
sni|error|err_index|src_edl|dst_edl|container_id|pod_namespace|
pod_name|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|src_dag|
dst_dag|day-of-receive_time|hour-of-receive_time|quarter-hour-of-
receive_time>

set vsys <name> reports <name> type threat group-by <serial|

time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|
dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|natsport|
natdport|proto|action|tunnel|rule_uuid|s_encrypted|category-of-app|
subcategory-of-app|technology-of-app|container-of-app|risk-of-app|
vsys_name|device_name|parent_session_id|parent_start_time|threatid|
category|severity|direction|http_method|nssai_sst|filedigest|
filetype|http2_connection|xff_ip|threat_name|src_edl|dst_edl|
dynusergroup_name|hostid|partial_hash|src_category|src_profile|
src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|
dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac|container_id|pod_namespace|pod_name|
misc|src_dag|dst_dag|day-of-receive_time|hour-of-receive_time|
quarter-hour-of-receive_time|pbf-s2c|pbf-c2s|flag-nat|flag-pcap|
subtype|transaction|captive-portal|flag-proxy|non-std-dport|tunnelid|
monitortag|users|category-of-threatid|threat-type>

set vsys <name> reports <name> type thsum group-by

<serial|time_generated|vsys_name|device_name|app|src|dst|rule|
threatid|srcuser|dstuser|srcloc|dstloc|xff_ip|vsys|from|to|
dev_serial|dport|action|severity|inbound_if|outbound_if|category|

PAN-OS CLI Quick Start Version Version 10.1 92 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

category-of-app|subcategory-of-app|technology-of-app|container-
of-app|risk-of-app|parent_session_id|parent_start_time|tunnel|
direction|assoc_id|ppid|http2_connection|rule_uuid|threat_name|
src_edl|dst_edl|hostid|dynusergroup_name|nssai_sst|src_category|
src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|
src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac|container_id|pod_namespace|pod_name|
src_dag|dst_dag|day-of-receive_time|hour-of-receive_time|quarter-
hour-of-receive_time|subtype|tunnelid|monitortag|category-of-
threatid|threat-type>

set vsys <name> reports <name> type traffic group-by <serial|

time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|
dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|natsport|
natdport|proto|action|tunnel|rule_uuid|s_encrypted|category-of-
app|subcategory-of-app|technology-of-app|container-of-app|risk-
of-app|vsys_name|device_name|parent_session_id|parent_start_time|
category|session_end_reason|action_source|nssai_sst|nssai_sd|
http2_connection|xff_ip|dynusergroup_name|src_edl|dst_edl|hostid|
session_owner|policy_id|offloaded|src_category|src_profile|src_model|
src_vendor|src_osfamily|src_osversion|src_host|src_mac|dst_category|
dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|
dst_mac|container_id|pod_namespace|pod_name|src_dag|dst_dag|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time|pbf-
s2c|pbf-c2s|decrypt-mirror|threat-type|flag-nat|flag-pcap|captive-
portal|flag-proxy|non-std-dport|transaction|sym-return|sessionid|
flag-decrypt-fwd|tunnelid|monitortag>

set vsys <name> reports <name> type urlsum group-by <serial|

time_generated|vsys_name|device_name|app|category|src|dst|rule|
srcuser|dstuser|srcloc|dstloc|vsys|from|to|dev_serial|inbound_if|
outbound_if|dport|action|tunnel|url_domain|user_agent|http_method|
http2_connection|category-of-app|subcategory-of-app|technology-of-
app|container-of-app|risk-of-app|parent_session_id|parent_start_time|
rule_uuid|xff_ip|src_edl|dst_edl|hostid|dynusergroup_name|nssai_sst|
src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|url_category_list|src_dag|dst_dag|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time|
tunnelid|monitortag>

set vsys <name> reports <name> type trsum group-by <serial|

time_generated|vsys_name|device_name|app|src|dst|xff_ip|rule|srcuser|
dstuser|srcloc|dstloc|category|vsys|from|to|dev_serial|dport|action|
tunnel|inbound_if|outbound_if|category-of-app|subcategory-of-app|
technology-of-app|container-of-app|risk-of-app|parent_session_id|
parent_start_time|assoc_id|http2_connection|rule_uuid|src_edl|
dst_edl|dynusergroup_name|s_decrypted|s_encrypted|hostid|nssai_sst|
src_category|src_profile|src_model|src_vendor|src_osfamily|

PAN-OS CLI Quick Start Version Version 10.1 93 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_time|hour-
of-receive_time|quarter-hour-of-receive_time|tunnelid|monitortag|
standard-ports-of-app>

set vsys <name> reports <name> type auth group-by <serial|

time_generated|vsys_name|device_name|vsys|ip|user|normalize_user|
object|authpolicy|authid|vendor|clienttype|event|factorno|authproto|
rule_uuid|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|day-of-receive_time|hour-of-
receive_time|quarter-hour-of-receive_time|serverprofile|desc>

set vsys <name> reports <name> type hipmatch group-by <serial|

time_generated|vsys_name|device_name|srcuser|vsys|machinename|src|
matchname|os|matchtype|srcipv6|hostid|mac|day-of-receive_time|hour-
of-receive_time|quarter-hour-of-receive_time>

set vsys <name> reports <name> type hipmatch last-match-by <>

set vsys <name> rulebase decryption rules <name> action <no-decrypt|

decrypt>

set vsys <name> rulebase network-packet-broker

set vsys <name> rulebase network-packet-broker rules

set vsys <name> rulebase network-packet-broker rules <name>

set vsys <name> rulebase network-packet-broker rules <name> from

[ <from1> <from2>... ]

set vsys <name> rulebase network-packet-broker rules <name> to

[ <to1> <to2>... ]

set vsys <name> rulebase network-packet-broker rules <name> source

[ <source1> <source2>... ]

set vsys <name> rulebase network-packet-broker rules <name> source-

user [ <source-user1> <source-user2>... ]

set vsys <name> rulebase network-packet-broker rules <name>

destination [ <destination1> <destination2>... ]

set vsys <name> rulebase network-packet-broker rules <name>

application [ <application1> <application2>... ]

set vsys <name> rulebase network-packet-broker rules <name> service

[ <service1> <service2>... ]

PAN-OS CLI Quick Start Version Version 10.1 94 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set vsys <name> rulebase network-packet-broker rules <name> tag

[ <tag1> <tag2>... ]

set vsys <name> rulebase network-packet-broker rules <name> negate-

source <yes|no>

set vsys <name> rulebase network-packet-broker rules <name> negate-

destination <yes|no>

set vsys <name> rulebase network-packet-broker rules <name> disabled

<yes|no>

set vsys <name> rulebase network-packet-broker rules <name>

description <value>

set vsys <name> rulebase network-packet-broker rules <name> group-tag

<value>

set vsys <name> rulebase network-packet-broker rules <name> source-

hip [ <source-hip1> <source-hip2>... ]

set vsys <name> rulebase network-packet-broker rules <name>

destination-hip [ <destination-hip1> <destination-hip2>... ]

set vsys <name> rulebase network-packet-broker rules <name> traffic-

type

set vsys <name> rulebase network-packet-broker rules <name> traffic-

type tls-decrypted <yes|no>

set vsys <name> rulebase network-packet-broker rules <name> traffic-

type tls-encrypted <yes|no>

set vsys <name> rulebase network-packet-broker rules <name> traffic-

type non-tls <yes|no>

set vsys <name> rulebase network-packet-broker rules <name> action

set vsys <name> rulebase network-packet-broker rules <name> action

packet-broker-profile <value>

PAN-OS CLI Quick Start Version Version 10.1 95 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

Set Commands Changed in PAN-OS 10.1

The following commands are modified in the 10.1 release.
Added category-of-app, subcategory-of-app, technology-of-app, container-of-app, and risk-of-app
filters to the following commands:

set shared reports <name> type decryption group-by <serial|

time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|
dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|natsport|
natdport|proto|action|tunnel|rule_uuid|s_encrypted|category-of-
app|subcategory-of-app|technology-of-app|container-of-app|risk-of-
app|vsys_name|device_name|tls_version|tls_keyxchg|tls_enc|tls_auth|
ec_curve|err_index|root_status|proxy_type|policy_name|cn|issuer_cn|
root_cn|sni|error|src_dag|dst_dag|src_edl|dst_edl|container_id|
pod_namespace|pod_name|src_category|src_profile|src_model|src_vendor|
src_osfamily|src_osversion|src_host|src_mac|dst_category|dst_profile|
dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|day-
of-receive_time|hour-of-receive_time|quarter-hour-of-receive_time>

set shared reports <name> type desum group-by <serial|time_generated|

vsys_name|device_name|category-of-app|subcategory-of-app|technology-
of-app|container-of-app|risk-of-app|app|src|dst|srcuser|dstuser|
vsys|tls_version|tls_keyxchg|tls_enc|tls_auth|sni|error|err_index|
src_edl|dst_edl|container_id|pod_namespace|pod_name|src_category|
src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|
src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac|src_dag|dst_dag|day-of-receive_time|
hour-of-receive_time|quarter-hour-of-receive_time>

set shared reports <name> type threat group-by <serial|

time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|
dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|natsport|
natdport|proto|action|tunnel|rule_uuid|s_encrypted|category-of-app|
subcategory-of-app|technology-of-app|container-of-app|risk-of-app|
vsys_name|device_name|parent_session_id|parent_start_time|threatid|
category|severity|direction|http_method|nssai_sst|filedigest|
filetype|http2_connection|xff_ip|threat_name|src_edl|dst_edl|
dynusergroup_name|hostid|partial_hash|src_category|src_profile|
src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|
dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac|container_id|pod_namespace|pod_name|
misc|src_dag|dst_dag|day-of-receive_time|hour-of-receive_time|
quarter-hour-of-receive_time|pbf-s2c|pbf-c2s|flag-nat|flag-pcap|
subtype|transaction|captive-portal|flag-proxy|non-std-dport|tunnelid|
monitortag|users|category-of-threatid|threat-type>

The following command range changed from 1-3600 to 1-60:

set vsys <name> profiles sdwan-saas-quality <name> monitor-mode

static-ip fqdn probe-interval <1-60>

PAN-OS CLI Quick Start Version Version 10.1 96 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

The following command changed transmit-hold-mer to recovery-duraon:

set vsys <name> profiles sdwan-error-correction <name> mode forward-

error-correction recovery-duration <1-5000>

All commands following set vsys <name> profiles forwardingopons changed to set
vsys <name> profiles packet-broker.

PAN-OS CLI Quick Start Version Version 10.1 97 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

Set Commands Removed in PAN-OS 10.1

The following commands are no longer available in the 10.1 release.

set deviceconfig system hsm-settings provider thales-nshield-connect

set deviceconfig system hsm-settings provider thales-nshield-connect

hsm-server

set deviceconfig system hsm-settings provider thales-nshield-connect

hsm-server <name>

set deviceconfig system hsm-settings provider thales-nshield-connect

hsm-server <name> server-address <ip/netmask>

set deviceconfig system hsm-settings provider thales-nshield-connect

rfs-address <ip/netmask>

set deviceconfig system ssh profiles mgmt-profiles client-profiles

set deviceconfig system ssh profiles mgmt-profiles client-

profiles<name>

set deviceconfig system ssh mgmt client-profile <value>

set deviceconfig setting filemgr-service-setting

set deviceconfig setting filemgr-service-setting filemgr-

server<value>

set deviceconfig setting session dhcp-bcast-session-on <yes|no>

set deviceconfig setting logging enhanced-application-logging

disable-global dp-channel

set deviceconfig setting management admin-session max-session-count

<1-4>

set network virtual-router<name> routing-table ip static-route <name>

path-monitor monitor-destinations <name> source <value>|<DHCP>

set network logical-router <name> vrf <name> routing-table ip static-

route <name> path-monitor monitor-destinations <name> source <value>|
<DHCP>

set network shared-gateway <name> service <name> protocol tcp port

<value>

PAN-OS CLI Quick Start Version Version 10.1 98 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set network shared-gateway <name> service <name> protocol tcp source-

port <value>

set network shared-gateway <name> service <name> protocol udp port

<value>

set network shared-gateway <name> service <name> protocol udp source-

port <value>

set shared service<name> protocol tcp port <value>

set shared service <name> protocol tcp source-port <value>

set shared service <name> protocol udp port <value>

set shared service <name> protocol udp source-port <value>

set shared profiles hip-objects<name> anti-malware criteria product-

version within versions <1-65535>

set shared profiles hip-objects <name> anti-malware criteria product-

version not-within versions <1-65535>

set shared profiles sdwan-saas-quality <name> monitor-mode static-ip

ip-address <name> probe-interval <1-3600>

set shared profiles sdwan-saas-quality <name> monitor-mode static-ip

fqdn probe-interval <1-3600>

set shared profiles sdwan-saas-quality <name> monitor-mode http-https

probe-interval <1-3600>

set shared profiles sdwan-error-correction<name> mode forward-error-

correction transmit-hold-timer <1-5000>

set shared profiles sdwan-error-correction <name> mode packet-

duplication transmit-hold-timer-pd <1-5000>

set shared reports<name> type decryption group-by <serial|

time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|
dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|natsport|
natdport|proto|action|tunnel|rule_uuid|s_encrypted|vsys_name|
device_name|tls_version|tls_keyxchg|tls_enc|tls_auth|ec_curve|
err_index|root_status|proxy_type|policy_name|cn|issuer_cn|root_cn|
sni|error|src_dag|dst_dag|src_edl|dst_edl|container_id|pod_namespace|

PAN-OS CLI Quick Start Version Version 10.1 99 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

pod_name|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time>

set shared reports <name> type desum group-by <serial|time_generated|

vsys_name|device_name|app|src|dst|srcuser|dstuser|vsys|tls_version|
tls_keyxchg|tls_enc|tls_auth|policy_name|sni|error|err_index|
src_edl|dst_edl|container_id|pod_namespace|pod_name|src_category|
src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|
src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac|src_dag|dst_dag|day-of-receive_time|
hour-of-receive_time|quarter-hour-of-receive_time|outbound_if|
inbound_if|rule|dport|sport|proto>

set shared reports <name> type threat group-by <serial|

time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|
dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|natsport|
natdport|proto|action|tunnel|rule_uuid|s_encrypted|vsys_name|
device_name|parent_session_id|parent_start_time|threatid|category|
severity|direction|http_method|nssai_sst|http2_connection|xff_ip|
threat_name|src_edl|dst_edl|dynusergroup_name|hostid|partial_hash|
src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|misc|src_dag|dst_dag|day-of-receive_time|
hour-of-receive_time|quarter-hour-of-receive_time|subcategory-of-app|
category-of-app|technology-of-app|risk-of-app|container-of-app|pbf-
s2c|pbf-c2s|flag-nat|flag-pcap|subtype|transaction|captive-portal|
flag-proxy|non-std-dport|tunnelid|monitortag|users|category-of-
threatid|threat-type>

set shared reports <name> type data group-by <action|app|category-

of-app|direction|dport|dst|dstuser|from|inbound_if|misc|natdport|
natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|
severity|sport|src|srcuser|subcategory-of-app|subtype|technology-
of-app|container-of-app|threatid|to|dstloc|srcloc|vsys|quarter-hour-
of-receive_time|hour-of-receive_time|day-of-receive_time|vsys_name|
device_name|data-type|filename|tunnelid|monitortag|parent_session_id|
parent_start_time|http2_connection|tunnel|xff_ip|src_dag|dst_dag>

set shared reports<name> type data values [ <values1> <values2>... ]

set shared reports <name> type data labels [ <labels1>

<labels2>... ]

set shared reports <name> type data sortby <repeatcnt|nunique-of-

users>

set shared reports <name> type data

set shared reports <name> type data aggregate-by [ <aggregate-by1>

<aggregate-by2>... ]

PAN-OS CLI Quick Start Version Version 10.1 100 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set shared reports <name> type thsum group-by

<serial|time_generated|vsys_name|device_name|app|src|dst|rule|
threatid|srcuser|dstuser|srcloc|dstloc|xff_ip|vsys|from|to|dport|
action|severity|inbound_if|outbound_if|category|parent_session_id|
parent_start_time|tunnel|direction|assoc_id|ppid|http2_connection|
rule_uuid|threat_name|src_edl|dst_edl|hostid|dynusergroup_name|
nssai_sst|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_time|hour-
of-receive_time|quarter-hour-of-receive_time|subcategory-of-app|
category-of-app|technology-of-app|risk-of-app|container-of-app|
subtype|tunnelid|monitortag|category-of-threatid|threat-type>

set shared reports <name> type traffic group-by <serial|

time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|
dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|
natsport|natdport|proto|action|tunnel|rule_uuid|s_encrypted|
vsys_name|device_name|parent_session_id|parent_start_time|category|
session_end_reason|action_source|nssai_sst|nssai_sd|http2_connection|
xff_ip|dynusergroup_name|src_edl|dst_edl|hostid|session_owner|
policy_id|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_time|hour-of-
receive_time|quarter-hour-of-receive_time|pbf-s2c|pbf-c2s|decrypt-
mirror|threat-type|flag-nat|flag-pcap|captive-portal|flag-proxy|
non-std-dport|transaction|sym-return|sessionid|sesscache_l7_done|
subcategory-of-app|category-of-app|technology-of-app|risk-of-app|
container-of-app|tunnelid|monitortag>

set shared reports <name> type urlsum group-by <serial|

time_generated|vsys_name|device_name|app|category|src|dst|rule|
srcuser|dstuser|srcloc|dstloc|vsys|from|to|dev_serial|inbound_if|
outbound_if|dport|action|tunnel|url_domain|user_agent|http_method|
http2_connection|parent_session_id|parent_start_time|rule_uuid|
xff_ip|src_edl|dst_edl|hostid|dynusergroup_name|nssai_sst|
src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|url_category_list|src_dag|dst_dag|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time|
nunique-of-users|tunnelid|monitortag|subcategory-of-app|category-of-
app|technology-of-app|risk-of-app|container-of-app>

set shared reports <name> type trsum group-by <serial|time_generated|

vsys_name|device_name|app|src|dst|xff_ip|rule|srcuser|dstuser|
srcloc|dstloc|category|vsys|from|to|sessions|dport|action|tunnel|
inbound_if|outbound_if|parent_session_id|parent_start_time|assoc_id|
http2_connection|rule_uuid|src_edl|dst_edl|dynusergroup_name|
s_decrypted|s_encrypted|hostid|nssai_sst|src_category|src_profile|
src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|
dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac|container_id|pod_namespace|pod_name|
src_dag|dst_dag|day-of-receive_time|hour-of-receive_time|quarter-

PAN-OS CLI Quick Start Version Version 10.1 101 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

hour-of-receive_time|subcategory-of-app|category-of-app|technology-
of-app|risk-of-app|container-of-app|tunnelid|monitortag|standard-
ports-of-app|ncontent>

set shared reports <name> type auth group-by <serial|time_generated|

vsys_name|device_name|vsys|ip|user|normalize_user|object|authpolicy|
authid|vendor|clienttype|event|factorno|authproto|rule_uuid|
src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|day-of-receive_time|hour-of-
receive_time|quarter-hour-of-receive_time|serverprofile|desc|
src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac>

set shared reports <name> type hipmatch group-by <serial|

time_generated|vsys_name|device_name|srcuser|vsys|machinename|src|
matchname|os|matchtype|srcipv6|hostid|devcategory|profile|model|
vendor|osfamily|osversion|mac|devhost|source|day-of-receive_time|
hour-of-receive_time|quarter-hour-of-receive_time|hostname|osfamily|
osversion>

set shared reports <name> type hipmatch last-match-by

<time_generated>

set shared ssl-tls-service-profile<name> protocol-settings max-

version <tls1-0|tls1-1|tls1-2|tls1-3|max>

set shared ssl-tls-service-profile <name> protocol-settings enc-algo-

chacha20-poly1305 <yes|no>

set shared admin-role <name> role device webui objects decryption

decryption-forwarding-profile <enable|read-only|disable>

set shared admin-role <name> role device webui device policy-

recommendation <enable|read-only|disable>

set shared admin-role <name> role device restapi objects decryption-

forwarding-profiles <enable|read-only|disable>

set shared admin-role <name> role vsys webui objects decryption

decryption-forwarding-profile <enable|read-only|disable>

set shared admin-role <name> role vsys webui device policy-

recommendation <enable|read-only|disable>

set shared admin-role <name> role vsys restapi objects decryption-

forwarding-profiles <enable|read-only|disable>

set shared user-id-hub <value>

set shared icd

PAN-OS CLI Quick Start Version Version 10.1 102 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set shared icd cloud-addr

set shared icd cloud-addr address<value>

set shared icd cloud-addr port <80-65535>

set vsys<name> ssl-tls-service-profile <name> protocol-settings max-

version <tls1-0|tls1-1|tls1-2|tls1-3|max>

set vsys <name> ssl-tls-service-profile <name> protocol-settings enc-

algo-chacha20-poly1305 <yes|no>

set vsys <name> ipuser-include-exclude-list include-exclude-network-

sequence

set vsys <name> ipuser-include-exclude-list include-exclude-network-

sequence include-exclude-network [ <include-exclude-network1>
<include-exclude-network2>... ]

set vsys <name> iptag-include-exclude-list include-exclude-network-

sequence

set vsys <name> iptag-include-exclude-list include-exclude-network-

sequence include-exclude-network [ <include-exclude-network1>
<include-exclude-network2>... ]

set vsys<name> captive-portal ntlm-auth

set vsys <name> captive-portal ntlm-auth attempts <1-10>

set vsys <name> captive-portal ntlm-auth timeout <1-60>

set vsys <name> captive-portal ntlm-auth reversion-time <60-3600>

set vsys <name> user-id-collector setting enable-ntlm <yes|no>

set vsys <name> user-id-collector setting ntlm-domain <value>

set vsys <name> user-id-collector setting ntlm-username <value>

set vsys <name> user-id-collector setting ntlm-password <value>

set vsys<name> global-protect global-protect-gateway <name> roles

<name> inactivity-logout

set vsys <name> global-protect global-protect-gateway <name> roles

<name> inactivity-logout minutes <120-43200>

PAN-OS CLI Quick Start Version Version 10.1 103 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set vsys <name> global-protect global-protect-gateway <name> roles

<name> inactivity-logout hours <2-720>

set vsys <name> global-protect global-protect-gateway <name> roles

<name> inactivity-logout days <1-30>

set vsys <name> global-protect global-protect-gateway <name> roles

<name> disconnect-on-idle

set vsys <name> global-protect global-protect-gateway <name> roles

<name> disconnect-on-idle minutes <5-43200>

set vsys <name> profiles hip-objects <name> anti-malware criteria

product-version within versions <1-65535>

set vsys <name> profiles hip-objects <name> anti-malware criteria

product-version not-within versions <1-65535>

set vsys <name> profiles sdwan-saas-quality <name> monitor-mode

static-ip ip-address <name> probe-interval <1-3600>

set vsys <name> profiles sdwan-saas-quality <name> monitor-mode http-

https probe-interval <1-3600>

set vsys <name> profiles sdwan-error-correction <name> mode packet-

duplication transmit-hold-timer-pd <1-5000>

set vsys<name> profiles forwarding <name> description <value>

set vsys <name> profiles forwarding <name> interface-primary <value>

set vsys <name> profiles forwarding <name> interface-secondary

<value>

set vsys <name> profiles forwarding <name> transparent

set vsys <name> profiles forwarding <name> transparent enable-ipv6

<yes|no>

set vsys <name> profiles forwarding <name> routed

set vsys <name> profiles forwarding <name> routed security-chain

set vsys <name> profiles forwarding <name> routed security-chain

<name>

set vsys <name> profiles forwarding <name> routed security-chain

<name> enable <yes|no>

set vsys <name> profiles forwarding <name> routed security-chain

<name> first-device <ip/netmask>

set vsys <name> profiles forwarding <name> routed security-chain

<name> first-device-description <value>

PAN-OS CLI Quick Start Version Version 10.1 104 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set vsys <name> profiles forwarding <name> routed security-chain

<name> last-device <ip/netmask>

set vsys <name> profiles forwarding <name> routed security-chain

<name> last-device-description <value>

set vsys <name> profiles forwarding <name> routed distribution

<round-robin|ip-modulo|ip-hash|lowest-latency>

set vsys <name> profiles forwarding <name> health-check failure-

action <bypass|block>

set vsys <name> profiles forwarding <name> health-check failure-

condition <any|all>

set vsys <name> profiles forwarding <name> health-check path-enable

<yes|no>

set vsys <name> profiles forwarding <name> health-check path-

interval-s <1-60>

set vsys <name> profiles forwarding <name> health-check path-

recovery-hold-s <0-65535>

set vsys <name> profiles forwarding <name> health-check http-enable

<yes|no>

set vsys <name> profiles forwarding <name> health-check http-count

<1-10>

set vsys <name> profiles forwarding <name> health-check http-

interval-s <1-60>

set vsys <name> profiles forwarding <name> health-check http-latency-

enable <yes|no>

set vsys <name> profiles forwarding <name> health-check http-latency-

maximum-ms <10-65535>

set vsys <name> profiles forwarding <name> health-check http-latency-

duration-s <1-65535>

set vsys <name> profiles forwarding <name> health-check http-latency-

log-exceeded <yes|no>

set vsys<name> service <name> protocol tcp port <value>

set vsys <name> service <name> protocol tcp source-port <value>

set vsys <name> service <name> protocol udp port <value>

PAN-OS CLI Quick Start Version Version 10.1 105 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set vsys <name> service <name> protocol udp source-port <value>

set vsys<name> reports <name> type decryption group-by <serial|

time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|
dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|natsport|
natdport|proto|action|tunnel|rule_uuid|s_encrypted|vsys_name|
device_name|tls_version|tls_keyxchg|tls_enc|tls_auth|ec_curve|
err_index|root_status|proxy_type|policy_name|cn|issuer_cn|root_cn|
sni|error|src_dag|dst_dag|src_edl|dst_edl|container_id|pod_namespace|
pod_name|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time>

set vsys <name> reports <name> type desum group-by <serial|

time_generated|vsys_name|device_name|app|src|dst|srcuser|dstuser|
vsys|tls_version|tls_keyxchg|tls_enc|tls_auth|policy_name|sni|
error|err_index|src_edl|dst_edl|container_id|pod_namespace|pod_name|
src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|src_dag|
dst_dag|day-of-receive_time|hour-of-receive_time|quarter-hour-of-
receive_time|outbound_if|inbound_if|rule|dport|sport|proto>

set vsys <name> reports <name> type threat group-by <serial|

time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|
dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|natsport|
natdport|proto|action|tunnel|rule_uuid|s_encrypted|vsys_name|
device_name|parent_session_id|parent_start_time|threatid|category|
severity|direction|http_method|nssai_sst|http2_connection|xff_ip|
threat_name|src_edl|dst_edl|dynusergroup_name|hostid|partial_hash|
src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|misc|src_dag|dst_dag|day-of-receive_time|
hour-of-receive_time|quarter-hour-of-receive_time|subcategory-of-app|
category-of-app|technology-of-app|risk-of-app|container-of-app|pbf-
s2c|pbf-c2s|flag-nat|flag-pcap|subtype|transaction|captive-portal|
flag-proxy|non-std-dport|tunnelid|monitortag|users|category-of-
threatid|threat-type>

set vsys <name> reports <name> type data group-by <action|app|

category-of-app|direction|dport|dst|dstuser|from|inbound_if|misc|
natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|
rule_uuid|severity|sport|src|srcuser|subcategory-of-app|subtype|
technology-of-app|container-of-app|threatid|to|dstloc|srcloc|
vsys|quarter-hour-of-receive_time|hour-of-receive_time|day-of-
receive_time|vsys_name|device_name|data-type|filename|tunnelid|
monitortag|parent_session_id|parent_start_time|http2_connection|
tunnel|xff_ip|src_dag|dst_dag>

PAN-OS CLI Quick Start Version Version 10.1 106 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

set vsys<name> reports <name> type data values [ <values1>

<values2>... ]

set vsys <name> reports <name> type data labels [ <labels1>

<labels2>... ]

set vsys <name> reports <name> type data sortby <repeatcnt|nunique-

of-users>

set vsys <name> reports <name> type data

set vsys <name> reports <name> type data aggregate-by [ <aggregate-

by1> <aggregate-by2>... ]

set vsys<name> reports <name> type thsum group-by <serial|

time_generated|vsys_name|device_name|app|src|dst|rule|threatid|
srcuser|dstuser|srcloc|dstloc|xff_ip|vsys|from|to|dport|action|
severity|inbound_if|outbound_if|category|parent_session_id|
parent_start_time|tunnel|direction|assoc_id|ppid|http2_connection|
rule_uuid|threat_name|src_edl|dst_edl|hostid|dynusergroup_name|
nssai_sst|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_time|hour-
of-receive_time|quarter-hour-of-receive_time|subcategory-of-app|
category-of-app|technology-of-app|risk-of-app|container-of-app|
subtype|tunnelid|monitortag|category-of-threatid|threat-type>

set vsys <name> reports <name> type traffic group-by <serial|

time_generated|src|dst|natsrc|natdst|rule|srcuser|dstuser|srcloc|
dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|
natsport|natdport|proto|action|tunnel|rule_uuid|s_encrypted|
vsys_name|device_name|parent_session_id|parent_start_time|category|
session_end_reason|action_source|nssai_sst|nssai_sd|http2_connection|
xff_ip|dynusergroup_name|src_edl|dst_edl|hostid|session_owner|
policy_id|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_time|hour-of-
receive_time|quarter-hour-of-receive_time|pbf-s2c|pbf-c2s|decrypt-
mirror|threat-type|flag-nat|flag-pcap|captive-portal|flag-proxy|
non-std-dport|transaction|sym-return|sessionid|sesscache_l7_done|
subcategory-of-app|category-of-app|technology-of-app|risk-of-app|
container-of-app|tunnelid|monitortag>

set vsys <name> reports <name> type urlsum group-by <serial|

time_generated|vsys_name|device_name|app|category|src|dst|rule|
srcuser|dstuser|srcloc|dstloc|vsys|from|to|dev_serial|inbound_if|
outbound_if|dport|action|tunnel|url_domain|user_agent|http_method|
http2_connection|parent_session_id|parent_start_time|rule_uuid|
xff_ip|src_edl|dst_edl|hostid|dynusergroup_name|nssai_sst|
src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|

PAN-OS CLI Quick Start Version Version 10.1 107 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

pod_namespace|pod_name|url_category_list|src_dag|dst_dag|day-of-
receive_time|hour-of-receive_time|quarter-hour-of-receive_time|
nunique-of-users|tunnelid|monitortag|subcategory-of-app|category-of-
app|technology-of-app|risk-of-app|container-of-app>

set vsys <name> reports <name> type trsum group-by <serial|

time_generated|vsys_name|device_name|app|src|dst|xff_ip|rule|
srcuser|dstuser|srcloc|dstloc|category|vsys|from|to|sessions|
dport|action|tunnel|inbound_if|outbound_if|parent_session_id|
parent_start_time|assoc_id|http2_connection|rule_uuid|src_edl|
dst_edl|dynusergroup_name|s_decrypted|s_encrypted|hostid|nssai_sst|
src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_time|hour-
of-receive_time|quarter-hour-of-receive_time|subcategory-of-app|
category-of-app|technology-of-app|risk-of-app|container-of-app|
tunnelid|monitortag|standard-ports-of-app|ncontent>

set vsys<name> reports <name> type auth group-by <serial|

time_generated|vsys_name|device_name|vsys|ip|user|normalize_user|
object|authpolicy|authid|vendor|clienttype|event|factorno|
authproto|rule_uuid|src_category|src_profile|src_model|src_vendor|
src_osfamily|src_osversion|src_host|src_mac|day-of-receive_time|
hour-of-receive_time|quarter-hour-of-receive_time|serverprofile|
desc|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac>

set vsys <name> reports <name> type hipmatch group-by <serial|

time_generated|vsys_name|device_name|srcuser|vsys|machinename|src|
matchname|os|matchtype|srcipv6|hostid|devcategory|profile|model|
vendor|osfamily|osversion|mac|devhost|source|day-of-receive_time|
hour-of-receive_time|quarter-hour-of-receive_time|hostname|osfamily|
osversion>

set vsys <name> reports <name> type hipmatch last-match-by

<time_generated>

set vsys <name> rulebase decryption rules <name> action <no-decrypt|

decrypt|decrypt-and-forward>

set vsys <name> rulebase decryption rules <name> forwarding-profile

<value>

PAN-OS CLI Quick Start Version Version 10.1 108 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

Show Commands Introduced in PAN-OS 10.1

The following commands are new in the 10.1 release.

show deviceconfig setting hawkeye

show deviceconfig setting management audit-tracking

show deviceconfig setting cloudapp

show deviceconfig setting cloudapp cloudapp-srvr-addr

show network interface ethernet <name> layer3 bonjour

show network interface ethernet <name> layer3 sdwan-link-settings

upstream-nat

show network interface ethernet <name> layer3 sdwan-link-settings

upstream-nat static-ip

show network interface ethernet <name> layer3 sdwan-link-settings

upstream-nat ddns

show network interface ethernet <name> layer3 units <name> sdwan-

link-settings

show network interface ethernet <name> layer3 units <name> sdwan-

link-settings upstream-nat

show network interface ethernet <name> layer3 units <name> sdwan-

link-settings upstream-nat static-ip

show network interface ethernet <name> layer3 units <name> sdwan-

link-settings upstream-nat ddns

show network interface ethernet <name> layer3 units <name> bonjour

show network interface aggregate-ethernet <name> layer3 bonjour

show network interface aggregate-ethernet <name> layer3 sdwan-link-

settings

show network interface aggregate-ethernet <name> layer3 sdwan-link-

settings upstream-nat

show network interface aggregate-ethernet <name> layer3 sdwan-link-

settings upstream-nat static-ip

show network interface aggregate-ethernet <name> layer3 sdwan-link-

settings upstream-nat ddns

show network interface aggregate-ethernet <name> layer3 units <name>

bonjour

PAN-OS CLI Quick Start Version Version 10.1 109 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

show network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings

show network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings upstream-nat

show network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings upstream-nat static-ip

show network interface aggregate-ethernet <name> layer3 units <name>

sdwan-link-settings upstream-nat ddns

show network shared-gateway<name> rulebase network-packet-broker

show network shared-gateway <name> rulebase network-packet-broker

rules

show network shared-gateway <name> rulebase network-packet-broker

rules <name>

show network shared-gateway <name> rulebase network-packet-broker

rules <name> traffic-type

show network shared-gateway <name> rulebase network-packet-broker

rules <name> action

show shared authentication-profile <name> method cloud

show shared authentication-profile <name> method cloud region

show shared authentication-profile <name> method cloud region tenant

show shared authentication-profile <name> method cloud region tenant

profile

show shared authentication-profile <name> method cloud region tenant

profile mfa

show shared admin-role <name> role device webui device policy-

recommendations

show shared admin-role <name> role device restapi system

show shared admin-role <name> role vsys webui device policy-

recommendations

show shared admin-role <name> role vsys restapi system

show shared user-id-hub

show vsys<name> authentication-profile <name> method cloud

PAN-OS CLI Quick Start Version Version 10.1 110 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

show vsys <name> authentication-profile <name> method cloud region

show vsys <name> authentication-profile <name> method cloud region

tenant

show vsys <name> authentication-profile <name> method cloud region

tenant profile

show vsys <name> authentication-profile <name> method cloud region

tenant profile mfa

show vsys <name> cloud-identity-engine

show vsys <name> cloud-identity-engine <name>

show vsys<name> profiles packet-broker

show vsys <name> profiles packet-broker <name>

show vsys <name> profiles packet-broker <name> transparent

show vsys <name> profiles packet-broker <name> routed

show vsys <name> profiles packet-broker <name> routed security-chain

show vsys <name> profiles packet-broker <name> routed security-chain

<name>

show vsys <name> profiles packet-broker <name> health-check

show vsys <name> rulebase network-packet-broker

show vsys <name> rulebase network-packet-broker rules

show vsys <name> rulebase network-packet-broker rules <name>

show vsys <name> rulebase network-packet-broker rules <name> traffic-

type

show vsys <name> rulebase network-packet-broker rules <name> action

PAN-OS CLI Quick Start Version Version 10.1 111 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

Show Commands Changed in PAN-OS 10.1

The following commands are modified in the 10.1 release:
The following commands changed thakes to ncipher:

show deviceconfig system hsm-settings provider ncipher-nshield-

connect

show deviceconfig system hsm-settings provider ncipher-nshield-

connect hsm-server

show deviceconfig system hsm-settings provider ncipher-nshield-

connect hsm-server <name>

PAN-OS CLI Quick Start Version Version 10.1 112 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

Show Commands Removed in PAN-OS 10.1

The following commands are no longer available in the 10.1 release.

show deviceconfig system ssh profiles mgmt-profiles client-profiles

show deviceconfig system ssh profiles mgmt-profiles client-profiles

<name>

show deviceconfig setting filemgr-service-setting

show deviceconfig setting logging enhanced-application-logging

disable-global dp-channel

show shared icd

show shared icd cloud-addr

show vsys <name> ipuser-include-exclude-list include-exclude-network-

sequence

show vsys <name> iptag-include-exclude-list include-exclude-network-

sequence

show vsys <name> captive-portal ntlm-auth

show vsys <name> global-protect global-protect-gateway <name> roles

<name> inactivity-logout

show vsys <name> global-protect global-protect-gateway <name> roles

<name> disconnect-on-idle

show vsys <name> profiles forwarding

show vsys <name> profiles forwarding <name>

show vsys <name> profiles forwarding <name> transparent

show vsys <name> profiles forwarding <name> routed

show vsys <name> profiles forwarding <name> routed security-chain

show vsys <name> profiles forwarding <name> routed security-chain

<name>

show vsys <name> profiles forwarding <name> health-check

show vsys <name> reports <name> type data

PAN-OS CLI Quick Start Version Version 10.1 113 ©2021 Palo Alto Networks, Inc.
CLI Changes in PAN-OS 10.1

PAN-OS CLI Quick Start Version Version 10.1 114 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS
10.1
These topics list all of the CLI commands available with PAN-OS.

> PAN-OS 10.1 CLI Ops Command Hierarchy

> PAN-OS 10.1 CLI Configure Command Hierarchy

115
CLI Command Hierarchy for PAN-OS 10.1

PAN-OS 10.1 CLI Ops Command Hierarchy

target set <value>
target show
schedule uar-report user <value> user-group <value> dyn-user-group <value> skip-detailed-
browsing <yes|no> tle <value> filter <value> period <value> start-me <value> end-me
<value> vsys <value>
schedule saas-applicaons-usage-report skip-detailed-report <yes|no> period <value> vsys
<value> limit-max-subcat <value> all
schedule saas-applicaons-usage-report skip-detailed-report <yes|no> period <value> vsys
<value> limit-max-subcat <value> all entry include-user-groups-info <yes|no> user-groups
schedule saas-applicaons-usage-report skip-detailed-report <yes|no> period <value> vsys
<value> limit-max-subcat <value> all entry include-user-groups-info <yes|no> user-groups [ <user-
groups1> <user-groups2>... ]
schedule saas-applicaons-usage-report skip-detailed-report <yes|no> period <value> vsys
<value> limit-max-subcat <value> selected-zone
schedule saas-applicaons-usage-report skip-detailed-report <yes|no> period <value> vsys
<value> limit-max-subcat <value> selected-zone entry include-user-groups-info <yes|no> zone
<value> user-groups
schedule saas-applicaons-usage-report skip-detailed-report <yes|no> period <value> vsys
<value> limit-max-subcat <value> selected-zone entry include-user-groups-info <yes|no> zone
<value> user-groups [ <user-groups1> <user-groups2>... ]
schedule saas-applicaons-usage-report skip-detailed-report <yes|no> period <value> vsys
<value> limit-max-subcat <value> selected-user-group
schedule saas-applicaons-usage-report skip-detailed-report <yes|no> period <value> vsys
<value> limit-max-subcat <value> selected-user-group entry user-group <value>
schedule botnet-report period <last-calendar-day|last-24-hrs> topn <1-500> query <value>
clear mac <value>|<all>
clear audit-comment xpath <value>
clear policy-app-usage-data ruleuuid <value>
clear rule-hit-count vsys vsys-name <name> rule-base <name> rules all
clear rule-hit-count vsys vsys-name <name> rule-base <name> rules list
clear rule-hit-count vsys vsys-name <name> rule-base <name> rules list [ <list1> <list2>... ]
clear job id <0-4294967295>
clear query id <0-4294967295>
clear query all-by-session
clear report id <0-4294967295>
clear report all-by-session

PAN-OS CLI Quick Start Version Version 10.1 116 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

clear report cache

clear log traffic
clear log threat
clear log gtp
clear log sctp
clear log userid
clear log auth
clear log decrypon
clear log config
clear log globalprotect
clear log trace
clear log system
clear log alarm
clear log acc
clear log hipmatch
clear log iptag
clear wildfire counters
clear counter interface
clear counter global name <value>
clear counter global filter category <value> severity <value> aspect <value> packet-filter <yes|no>
clear counter all
clear session id <1-4294967295>
clear session all filter nat <none|source|desnaon|both> ssl-decrypt <yes|no> decrypt-forwarded
<yes|no> hp2-connecon <yes|no> tunnel-inspected <yes|no> tunnel-decap <yes|no> decrypt-
mirror <yes|no> type <flow|predict|tunnel|forward|vni> state <inial|opening|acve|discard|
closing|closed> vni-id <0-16777215> from <value> to <value> source <ip/netmask> desnaon
<ip/netmask> source-user <value> desnaon-user <value> source-port <1-65535> desnaon-
port <1-65535> protocol <1-255> applicaon <value> rule <value> nat-rule <value> qos-rule
<value> pbf-rule <value> dos-rule <value> sdwan-rule <value> hw-interface <value> min-kb
<1-1048576> min-age <1-4194304> min-queued-l7 <1-1048576> qos-node-id <0-5000>|<-2>
qos-class <1-8> vsys-name <value>|<any> ctd-ver <1-255>
clear fwd-cache id <1-4294967295>
clear fwd-cache all
clear applicaon-signature stascs
clear nat-rule-cache rule <value>
clear bonjour interface

PAN-OS CLI Quick Start Version Version 10.1 117 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

clear sdwan event

clear sdwan pool unsuccess
clear stascs
clear dos-block-table all filter source-ip <ip/netmask> ingress-zone <value> dos-profile <value>
slot <1-20>
clear dos-block-table drop-counter
clear arp interface
clear arp interface <name> ip <ip/netmask>
clear arp interface <name> mac <value>
clear neighbor ndp-monitor <value>
clear neighbor interface
clear neighbor interface <name> ipv6 <ip/netmask>
clear neighbor interface <name> mac <value>
clear high-availability control-link stascs
clear high-availability transions
clear high-availability cluster stascs <value>|<all>
clear vpn ike-sa gateway <value>
clear vpn ipsec-sa tunnel <value>
clear vpn ike-preferred-version gateway <value>
clear vpn ike-hashurl
clear vpn flow tunnel-id <1-2147483648>
clear dhcp lease all expired-only
clear dhcp lease interface
clear dhcp lease interface <name> ip <ip/netmask>
clear dhcp lease interface <name> mac <value>
clear dhcp lease interface <name> expired-only
clear roung bgp virtual-router
clear roung bgp virtual-router <name> stat peer <value>
clear roung bgp virtual-router <name> dampening peer <value> prefix <ip/netmask> afi <ipv4|
ipv6> safi <unicast|mulcast>
clear roung mulcast igmp stascs virtual-router <value>
clear roung mulcast pim stascs virtual-router <value>
clear roung bfd counters session-id <1-1024>|<all>
clear roung bfd session-state session-id <1-1024>|<all>

PAN-OS CLI Quick Start Version Version 10.1 118 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

clear pppoe interface <value>

clear dns-proxy stascs name <value>
clear dns-proxy stascs all
clear dns-proxy cache name
clear dns-proxy cache all domain-name <value>
clear dns-proxy dns-signature cache fqdn <value>
clear dns-proxy dns-signature counters
clear pbf rule name <value>
clear pbf rule all
clear pbf return-mac name <value>
clear pbf return-mac all
clear dos-protecon rule
clear dos-protecon rule <name> stascs
clear dos-protecon zone
clear dos-protecon zone <name> blocked source <ip/netmask>
clear dos-protecon zone <name> blocked all
clear uappid-filtergroup-mapping id <1-4294967295>
clear uappid-filtergroup-mapping all
clear uappid-policy-cache id <1-4294967295>
clear uappid-policy-cache all
clear user-cache ip <ip/netmask>
clear user-cache all type <UIA|XMLAPI|CP|SSO|GP|AD|EDIR|SYSLOG|GP-CLIENTLESSVPN|
REDIST|UNKNOWN>
clear cookie-surrogate-cache username <value>
clear cookie-surrogate-cache all
clear user-cache-mp ip <ip/netmask>
clear user-cache-mp all type <UIA|XMLAPI|REDIST|CP|SSO|GP|AD|EDIR|SYSLOG|GP-
CLIENTLESSVPN|UNKNOWN>
clear device-cache-mp ip <ip/netmask>
clear device-cache-mp all
clear xml-api mulusersystem ip <ip/netmask>
clear xml-api mulusersystem all
clear uid-cache uid <1-2147483647>
clear uid-cache all

PAN-OS CLI Quick Start Version Version 10.1 119 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

clear uid-map-cache uid <1-2147483647>

clear uid-map-cache all
clear user-policy-cache uid <1-2147483647>
clear user-policy-cache all
clear url-cache url <value>
clear url-cache all
clear global-protect redirect locaon
clear global-protect-portal stascs portal <value>
clear auto-tag vsys <value> ip <ip/netmask>
clear auto-tag vsys <value> user <value>
clear auto-tag vsys <value> users
clear auto-tag vsys <value> users [ <users1> <users2>... ]
clear auto-tag vsys <value> tag-dest
clear auto-tag vsys <value> tag-dest <name> registraon localhost
clear auto-tag vsys <value> tag-dest <name> registraon panorama
clear auto-tag vsys <value> tag-dest <name> registraon remote hp-profile <value>
clear auto-tag vsys <value> tag-dest <name> tags
clear auto-tag vsys <value> tag-dest <name> tags [ <tags1> <tags2>... ]
clear lldp counters interface <value>
clear lldp counters all
clear lacp counters aggregate-ethernet <value>|<all>
clear ssl-decrypt exclude-cache server <value> applicaon <ssl|ssh>
delete plugins app-data <value>
delete hip-report all logout-only <yes|no> expired-days <1-365>
delete hip-report report user <value> ip <ip/netmask> computer <value>
delete hip-profile-database all
delete hip-profile-database check-delete-all-status
delete hip-profile-database entry ip <ip/netmask> vsys <value>
delete hip-mdm-cache mobile-id <value>
delete user-group-cache
delete device-serialno host serialno <value>
delete device-serialno host all
delete device-serialno host all-from-cloud

PAN-OS CLI Quick Start Version Version 10.1 120 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

delete device-serialno host all-from-ldap

delete url-database url <value>
delete url-database all
delete wildfire-realme-cache virus-paern-type <PE|Hash|ALL>
delete wildfire-realme-stats
delete admin-sessions username <value>
delete config-audit-history
delete runme-user-db
delete authencaon user-file ssh-known-hosts user username <value>|<all> ip <ip/netmask>
delete authencaon user-file ssh-known-hosts self
delete auth strict-username-check
delete report predefined scope
delete report predefined scope <name> report-name
delete report custom scope
delete report custom scope <name> report-name
delete report summary scope
delete report summary scope <name> report-name
delete policy-cache
delete config saved <value>
delete soware version <value>
delete global-protect-client image <value>
delete global-protect-client version <value>
delete license key <value>
delete license token-file <value>
delete iot cache old-iot
delete iot cache curr-iot version <value> type <decoder|sml|dfa|tdb|aho-regex|all>
delete content update <value>
delete content cache old-content
delete content cache curr-content version <value> type <decoder|sml|dfa|tdb|aho-regex|all>
delete an-virus update <value>
delete wildfire update <value>
delete global-protect-clientless-vpn update <value>
delete dnsproxy file <value>

PAN-OS CLI Quick Start Version Version 10.1 121 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

delete wf-private update <value>

delete high-availability-key
delete high-availability-known-hosts
delete logo
delete debug-log mp-log file <value>
delete debug-log mp-global file <value>
delete debug-log dp-log file <value>
delete pprof management-plane file <value>
delete core data-plane file <value>
delete core management-plane file <value>
delete core large-core file <value>
delete pcap directory <value>
delete data-capture directory <value>
delete unknown-pcap directory <value>
delete debug-filter file <value>
delete ssh-authencaon-public-key
delete sslmgr-store satellite-info portal name <value> serialno <value> state <assigned|
unassigned>
delete sslmgr-store cerficate-info portal name <value> serialno <value> db-serialno <value>
delete sslmgr-store satellite-info-revoke-cerficate portal <value> serialno
delete sslmgr-store satellite-info-revoke-cerficate portal <value> serialno [ <serialno1>
<serialno2>... ]
delete log-collector preference-list
show interface <value>|<management|hardware|logical|all>
show transceiver <value>|<all>
show transceiver-detail <value>|<all>
show transceiver-monitor-rate <value>
show virtual-wire <value>|<all>
show vlan <value>|<all>
show mac <value>|<all>
show management-server candidate config-size
show management-server last-commied config-size
show oss-license
show running url <value>

PAN-OS CLI Quick Start Version Version 10.1 122 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show running url-info <value>

show running ml-lookup-cache
show running mlav-model status
show running logging
show running url-license
show running tcp state
show running rule-use highlight vsys <value> rule-base <security|nat|qos|pbf|sdwan|decrypon|
app-override|authencaon|dos|tunnel-inspect|network-packet-broker> type <used|unused>
show running rule-use hit-count vsys <value> rule-base <security|nat|qos|pbf|sdwan|decrypon|
app-override|authencaon|dos|tunnel-inspect|network-packet-broker> rules rule-name <value>
show running rule-use hit-count vsys <value> rule-base <security|nat|qos|pbf|sdwan|decrypon|
app-override|authencaon|dos|tunnel-inspect|network-packet-broker> rules all
show running nat-rule-cache
show running global-ippool summary-only <yes|no>
show running nat-rule-ippool rule <value> show-cache <yes|no> show-freelist <yes|no>
show running ippool
show running security-policy-addresses
show running nat-policy-addresses
show running authencaon-policy-addresses
show running tunnel-inspect-policy-addresses
show running decrypon-policy-addresses
show running qos-policy-addresses
show running applicaon-override-policy-addresses
show running pbf-policy-addresses
show running sdwan-policy-addresses
show running dos-policy-addresses
show running security-policy
show running nat-policy
show running ndp-proxy interface <value>
show running authencaon-policy
show running tunnel-inspect-policy
show running decrypon-policy
show running qos-policy
show running applicaon-override-policy

PAN-OS CLI Quick Start Version Version 10.1 123 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show running pbf-policy

show running sdwan-policy
show running npb-policy
show running dos-policy
show running applicaon-signature stascs
show running applicaon cache all
show running applicaon disabled
show running applicaon seng
show running applicaon stascs
show running resource-monitor second last <1-60>
show running resource-monitor minute last <1-60>
show running resource-monitor hour last <1-24>
show running resource-monitor day last <1-7>
show running resource-monitor week last <1-13>
show running resource-monitor ingress-backlogs
show running tunnel flow name <value>
show running tunnel flow tunnel-id <1-65535>
show running tunnel flow context <1-4294967295>
show running tunnel flow info
show running tunnel flow operaon-stats
show running tunnel flow lookup
show running tunnel flow nexthop
show running tunnel flow all filter type <ipsec|sslvpn> state <init|acve|inacve>
show running url-cache stascs
show running url-cache all
show running network-packet-broker stascs
show running network-packet-broker status
show running dns-cache stascs
show running ssl-cert-cn
show running appinfo2ip saddr <value> daddr <value> msaddr <value> mdaddr <value> sport
<1-65536> dport <1-65536> msport <1-65536> mdport <1-65536> srczone <value> dstzone
<value> vsys-id <1-255> appid <1-10000>
show running ipv6 address
show parent-info info

PAN-OS CLI Quick Start Version Version 10.1 124 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show parent-info all

show parent-info filter saddr <value> daddr <value> msaddr <value> mdaddr <value> sport
<1-65536> dport <1-65536>
show api-key-expiraon-ts
show rule-hit-count vsys vsys-name <name> rule-base <name> rules all
show rule-hit-count vsys vsys-name <name> rule-base <name> rules list
show rule-hit-count vsys vsys-name <name> rule-base <name> rules list [ <list1> <list2>... ]
show bad-custom-signature
show applicaons vsys <value> list
show applicaons vsys <value> list [ <list1> <list2>... ]
show sp-metadata capve-portal authprofile <value> ip-hostname <value>
show sp-metadata global-protect authprofile <value> ip-hostname <value>
show sp-metadata management authprofile <value> ip-hostname <value>
show max-num-images
show ssh-fingerprints hash-type <md5|sha1|sha256> format <hex|base64>
show ssl-conn-on-cert fail-all-conns
show ssl-conn-on-cert fail-syslog-conns
show syslogng-ssl-conn-validaon
show device-telemetry details
show device-telemetry collect-now
show device-telemetry sengs
show device-telemetry stats all
show device-telemetry stats product-usage
show device-telemetry stats device-health-performance
show device-telemetry stats threat-prevenon
show device-telemetry region-list
show logging-status verbose <yes|no>
show management-clients
show config-locks vsys <value>|<all>
show commit-locks vsys <value>|<all>
show panorama-status
show panorama-cerficates
show device-cerficate status
show device-cerficate info

PAN-OS CLI Quick Start Version Version 10.1 125 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show chassis-ready
show vm-monitor source state <value>|<all>
show vm-monitor source stascs
show vm-monitor source all
show user ip-user-mapping ip <ip/netmask>
show user ip-user-mapping all opon <detail|count> type <UIA|CP|SSO|GP|XMLAPI|AD|EDIR|
SYSLOG|GP-CLIENTLESSVPN|REDIST|UNKNOWN>
show user ip-user-mapping-mp limit <1-10000> start-point <1-512000> ip <ip/netmask>
show user ip-user-mapping-mp limit <1-10000> start-point <1-512000> all opon <detail|count>
type <UIA|XMLAPI|REDIST|CP|SSO|GP|AD|EDIR|SYSLOG|GP-CLIENTLESSVPN|UNKNOWN>
show user ip-port-user-mapping ip <ip/netmask>
show user ip-port-user-mapping source-user <value>
show user ip-port-user-mapping all
show user ip-port-user-mapping-mp ip <ip/netmask>
show user ip-port-user-mapping-mp source-user <value>
show user ip-port-user-mapping-mp all
show user group-policy-dp gid <1-4294967295>
show user group-policy-dp all
show user group-policy-dp any-user
show user group-policy-dp known-user
show user group-policy-dp unknown-user
show user user-policy-dp uid <1-4294967295>
show user user-policy-dp all
show user user-cache-dp uid <1-4294967295>
show user user-cache-dp all
show user cookie-surrogate-cache-dp username <value>
show user cookie-surrogate-cache-dp all
show user uid2primeuid-dp uid <1-4294967295>
show user uid2primeuid-dp all
show user local-user-db vsys <value> username <value> disabled <yes|no>
show user group name <value>
show user user-id-agent state <value>|<all>
show user user-id-agent stascs
show user user-id-agent config name <value>

PAN-OS CLI Quick Start Version Version 10.1 126 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show user user-id-agent config all

show user group-mapping-service query <all|local|remote>
show user group-mapping-service status
show user user-id-service client <value>|<all|all-details>
show user user-id-service status
show user user-id-service ipuser-update-list opon <count>
show user ts-agent state <value>|<all>
show user ts-agent stascs
show user xml-api mulusersystem
show user group-mapping state <value>|<all>
show user group-mapping stascs
show user group-mapping naming-context server <ip/netmask>|<value> sp_vsys_id <value>
server-port <1-65535> use-ssl <yes|no> is-acve-directory <yes|no> proxy-agent <ip/netmask>|
<value> proxy-agent-port <1-65535>
show user group-selecon sp_vsys_id <value> use-ssl <yes|no> verify-server-cerficate <yes|
no> base <value> bind-dn <value> bind-password <value> name-aribute <value> group-object
<value> container-object <value> filter <value> search-scope <one|subtree> proxy-agent <ip/
netmask>|<value> proxy-agent-port <1-65535> force <yes|no> server
show user group-selecon sp_vsys_id <value> use-ssl <yes|no> verify-server-cerficate <yes|
no> base <value> bind-dn <value> bind-password <value> name-aribute <value> group-object
<value> container-object <value> filter <value> search-scope <one|subtree> proxy-agent <ip/
netmask>|<value> proxy-agent-port <1-65535> force <yes|no> server [ <server1> <server2>... ]
show user group-selecon sp_vsys_id <value> use-ssl <yes|no> verify-server-cerficate <yes|
no> base <value> bind-dn <value> bind-password <value> name-aribute <value> group-object
<value> container-object <value> filter <value> search-scope <one|subtree> proxy-agent <ip/
netmask>|<value> proxy-agent-port <1-65535> force <yes|no> server-port
show user group-selecon sp_vsys_id <value> use-ssl <yes|no> verify-server-cerficate <yes|
no> base <value> bind-dn <value> bind-password <value> name-aribute <value> group-object
<value> container-object <value> filter <value> search-scope <one|subtree> proxy-agent <ip/
netmask>|<value> proxy-agent-port <1-65535> force <yes|no> server-port [ <server-port1>
<server-port2>... ]
show user email-lookup email <value>|<all>
show user hip-report user <value> ip <ip/netmask> computer <value>
show user user-ids match-user <value>
show user user-ids all opon <count>
show user user-aributes user <value>|<all>
show user server-monitor state <value>|<all>
show user server-monitor stascs

PAN-OS CLI Quick Start Version Version 10.1 127 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show user server-monitor auto-discover domain <value>

show user credenal-filter stascs
show user credenal-filter group-mapping
show user ldap-device-serialno serialno <value>
show user ldap-device-serialno all
show user cloud-identy-engine status name <value>
show user cloud-identy-engine status all
show user cloud-identy-engine stascs name <value>
show user cloud-identy-engine stascs all
show user cloud-identy-engine client stascs
show iot ip-device-mapping ip <ip/netmask>
show iot ip-device-mapping all opon <count>
show iot ip-device-mapping-mp ip <ip/netmask>
show iot ip-device-mapping-mp all opon <count|content-errors>
show iot dp-quaranne-cache ip <ip/netmask>
show iot dp-quaranne-cache all opon <count>
show iot host-cache hosd <value>
show iot host-cache all opon <count>
show iot icd stascs all
show iot icd stascs cache
show iot icd stascs conn
show iot icd stascs dataplane
show iot icd stascs verdict
show iot icd version
show iot eal all
show iot eal conn
show iot eal dpi-eal
show iot eal hipreport-eal
show iot eal response-me
show iot eal dpi-stats subtype <value>
show iot eal dpi-stats all
show policy-recommendaon iot max-count <1-65535> start <0-65535>
show policy-recommendaon saas max-count <1-65535> start <0-65535>

PAN-OS CLI Quick Start Version Version 10.1 128 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show redistribuon agent state <value>|<all>

show redistribuon agent stascs
show redistribuon service client <value>|<all|all-details>
show redistribuon service status
show cloud-appid applicaon <value>
show cloud-appid connecon-to-cloud
show cloud-appid version
show cloud-appid applicaon-filter all
show cloud-appid applicaon-filter opon vsys <value> name <value>
show cloud-appid app-to-filtergroup-mapping batch-idx <1-1000000> all
show cloud-appid app-to-filtergroup-mapping batch-idx <1-1000000> count
show cloud-appid app-to-filtergroup-mapping batch-idx <1-1000000> stascs
show cloud-appid applicaon-group all
show cloud-appid applicaon-group opon vsys <value> name <value>
show cloud-appid task task-index <value>
show cloud-appid task all opon <detail>
show cloud-appid task stascs
show cloud-appid transacon trans-index <value>
show cloud-appid transacon all opon <detail>
show cloud-appid cloud-app-data container container-id <value>
show cloud-appid cloud-app-data container container-name <value>
show cloud-appid cloud-app-data container all
show cloud-appid cloud-app-data container stascs
show cloud-appid cloud-app-data applicaon app-id <value>
show cloud-appid cloud-app-data applicaon cloud-app-name <value>
show cloud-appid cloud-app-data applicaon all
show cloud-appid cloud-app-data applicaon stascs
show cloud-appid cloud-app-data app-metadata payload
show cloud-appid cloud-app-data app-metadata stascs
show cloud-appid signature-dp appid <value>
show cloud-appid signature-dp pending-request
show cloud-appid signature-dp stascs
show cloud-appid signature-dp applicaon-dp-all

PAN-OS CLI Quick Start Version Version 10.1 129 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show cloud-appid signature-dp app-sig-mapping

show cloud-appid signature-dp app-container-mapping
show cloud-appid signature-dp app-signature signature-id <value>
show cloud-appid signature-dp app-signature cloud-app-name <value>
show cloud-appid signature-dp app-signature all
show cloud-appid signature-dp app-signature stascs
show cloud-appid signature-dp threat-signature threat-id <value>
show cloud-appid signature-dp threat-signature cloud-app-name <value>
show cloud-appid signature-dp threat-signature all
show cloud-appid signature-dp threat-signature stascs
show cloud-appid overlap-appid
show cloud-appid ha-info
show cloud-appid app-objects-in-policy
show authencaon locked-users vsys <value> auth-profile <value> is-seq <yes|no>
show authencaon service-principal vsys <value> authencaon-profile <value>
show authencaon allowlist
show authencaon groupdb
show authencaon groupnames
show authencaon local-user-db vsys <value> username <value> disabled <yes|no>
show authencaon stascs username <value>
show auth strict-username-check
show logrcvr ip-cache vsys <value> ip <ip/netmask> type <Device-ID|Quaranne>
show cloud-auth-service-regions force_refresh <yes|no>
show cloud-auth-service-metadata region_id <value> force_refresh <yes|no>
show cloud-auth-service-tenants region_id <value>
show cloud-auth-service-profiles tenant_id <value> region_id <value>
show dhcp server sengs <value>|<all>
show dhcp server lease interface <value>|<all> show-expired <yes|no>
show dhcp client state <value>|<vlan|all>
show dhcp client mgmt-interface-state
show pppoe interface <value>|<all>
show dns-proxy sengs name <value>
show dns-proxy sengs all

PAN-OS CLI Quick Start Version Version 10.1 130 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show dns-proxy sengs mgmt-obj

show dns-proxy socket-count all
show dns-proxy stascs name <value>
show dns-proxy stascs all
show dns-proxy stascs mgmt-obj
show dns-proxy cache name <value>
show dns-proxy cache filter FQDN <value> type <RR_A|RR_AAAA|RR_CNAME|RR_MX|RR_PTR>
name <value>
show dns-proxy cache filter FQDN <value> type <RR_A|RR_AAAA|RR_CNAME|RR_MX|RR_PTR>
all
show dns-proxy cache filter FQDN <value> type <RR_A|RR_AAAA|RR_CNAME|RR_MX|RR_PTR>
mgmt-obj
show dns-proxy cache dump file <value> name <value>
show dns-proxy cache dump file <value> filter FQDN <value> type <RR_A|RR_AAAA|RR_CNAME|
RR_MX|RR_PTR> name <value>
show dns-proxy cache dump file <value> filter FQDN <value> type <RR_A|RR_AAAA|RR_CNAME|
RR_MX|RR_PTR> all
show dns-proxy cache dump file <value> filter FQDN <value> type <RR_A|RR_AAAA|RR_CNAME|
RR_MX|RR_PTR> mgmt-obj
show dns-proxy cache dump file <value> all
show dns-proxy cache dump file <value> mgmt-obj
show dns-proxy cache all
show dns-proxy cache mgmt-obj
show dns-proxy stac-entries name <value>
show dns-proxy stac-entries filter FQDN <value> type <RR_A|RR_AAAA|RR_CNAME|RR_MX|
RR_PTR> name <value>
show dns-proxy stac-entries filter FQDN <value> type <RR_A|RR_AAAA|RR_CNAME|RR_MX|
RR_PTR> all
show dns-proxy stac-entries dump file <value> name <value>
show dns-proxy stac-entries dump file <value> filter FQDN <value> type <RR_A|RR_AAAA|
RR_CNAME|RR_MX|RR_PTR> name <value>
show dns-proxy stac-entries dump file <value> filter FQDN <value> type <RR_A|RR_AAAA|
RR_CNAME|RR_MX|RR_PTR> all
show dns-proxy stac-entries dump file <value> all
show dns-proxy stac-entries all
show dns-proxy ddns interface name <value>|<vlan|all>
show dns-proxy fqdn name <value>

PAN-OS CLI Quick Start Version Version 10.1 131 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show dns-proxy fqdn all

show dns-proxy fqdn mgmt-obj
show dns-proxy dns-signature info
show dns-proxy dns-signature cache fqdn <value>
show dns-proxy dns-signature counters
show dns-proxy dns-signature content
show dos-protecon rule
show dos-protecon rule <name> stascs
show dos-protecon rule <name> sengs
show dos-protecon zone
show dos-protecon zone <name> blocked source
show operaonal-mode
show config saved <value>
show config list admins paral shared-object <excluded> device-and-network <excluded> admin
show config list admins paral shared-object <excluded> device-and-network <excluded> admin
[ <admin1> <admin2>... ]
show config list admins paral shared-object <excluded> device-and-network <excluded> no-vsys
show config list admins paral shared-object <excluded> device-and-network <excluded> vsys
show config list admins paral shared-object <excluded> device-and-network <excluded> vsys
[ <vsys1> <vsys2>... ]
show config list changes paral shared-object <excluded> device-and-network <excluded> admin
show config list changes paral shared-object <excluded> device-and-network <excluded> admin
[ <admin1> <admin2>... ]
show config list changes paral shared-object <excluded> device-and-network <excluded> no-
vsys
show config list changes paral shared-object <excluded> device-and-network <excluded> vsys
show config list changes paral shared-object <excluded> device-and-network <excluded> vsys
[ <vsys1> <vsys2>... ]
show config list change-summary paral admin
show config list change-summary paral admin [ <admin1> <admin2>... ]
show config list audit-comments xpath <value>
show config diff
show config running xpath <value>
show config effecve-running xpath <value>
show config synced

PAN-OS CLI Quick Start Version Version 10.1 132 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show config synced-diff

show config candidate
show config pushed-shared-policy vsys <value>
show config pushed-template
show config merged
show config audit version <value>
show config audit base-version <value>
show config audit base-version-no-deletes <value>
show config audit info
show clock more
show wildfire status channel <public|private>
show wildfire stascs channel <public|private>
show wildfire telemetry-stascs channel <public|private>
show wildfire file-size-limits
show wildfire disk-usage
show wildfire cloud-info channel <public|private>
show cli info
show cli idle-meout
show cli permissions
show log traffic direcon equal <forward|backward>
show log traffic csv-output equal <yes|no>
show log traffic query equal <value>
show log traffic receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log traffic start-me equal <value>
show log traffic end-me equal <value>
show log traffic show-tracker equal <yes|no>
show log traffic src in <value>
show log traffic src not-in <value>
show log traffic dst in <value>
show log traffic dst not-in <value>
show log traffic rule equal <value>
show log traffic rule not-equal <value>
show log traffic rule_uuid equal <value>

PAN-OS CLI Quick Start Version Version 10.1 133 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log traffic rule_uuid not-equal <value>

show log traffic app equal <value>
show log traffic app not-equal <value>
show log traffic from equal <value>
show log traffic from not-equal <value>
show log traffic to equal <value>
show log traffic to not-equal <value>
show log traffic sport equal <1-65535>
show log traffic sport not-equal <1-65535>
show log traffic dport equal <1-65535>
show log traffic dport not-equal <1-65535>
show log traffic acon equal <allow|deny|drop|reset-client|reset-server|reset-both|drop-icmp>
show log traffic acon not-equal <allow|deny|drop|reset-client|reset-server|reset-both|drop-icmp>
show log traffic srcuser equal <value>
show log traffic dstuser equal <value>
show log traffic session-end-reason equal <unknown|aged-out|decoder|tcp-reuse|tcp-fin|tcp-rst-
from-server|tcp-rst-from-client|resources-unavailable|policy-deny|threat|decrypt-error|decrypt-
unsupport-param|decrypt-cert-validaon|n/a>
show log traffic session-end-reason not-equal <unknown|aged-out|decoder|tcp-reuse|tcp-fin|
tcp-rst-from-server|tcp-rst-from-client|resources-unavailable|policy-deny|threat|decrypt-error|
decrypt-unsupport-param|decrypt-cert-validaon|n/a>
show log traffic hp2_connecon equal <0-4294967295>
show log traffic hp2_connecon not-equal <0-4294967295>
show log threat suppress-thread-mapping equal <yes|no>
show log threat pcap-dump equal <yes|no>
show log threat direcon equal <forward|backward>
show log threat csv-output equal <yes|no>
show log threat query equal <value>
show log threat receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log threat start-me equal <value>
show log threat end-me equal <value>
show log threat src in <value>
show log threat src not-in <value>
show log threat dst in <value>

PAN-OS CLI Quick Start Version Version 10.1 134 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log threat dst not-in <value>

show log threat rule equal <value>
show log threat rule not-equal <value>
show log threat rule_uuid equal <value>
show log threat rule_uuid not-equal <value>
show log threat app equal <value>
show log threat app not-equal <value>
show log threat from equal <value>
show log threat from not-equal <value>
show log threat to equal <value>
show log threat to not-equal <value>
show log threat sport equal <1-65535>
show log threat sport not-equal <1-65535>
show log threat dport equal <1-65535>
show log threat dport not-equal <1-65535>
show log threat acon equal <alert|allow|deny|drop|drop-all|drop-reset|drop-packet|reset-client|
reset-server|reset-both|block|block-connue|block-override|block-url|block-ip|connue|override|
sinkhole>
show log threat acon not-equal <alert|allow|deny|drop|drop-all|drop-reset|drop-packet|reset-
client|reset-server|reset-both|block|block-connue|block-override|block-url|block-ip|connue|
override|sinkhole>
show log threat srcuser equal <value>
show log threat dstuser equal <value>
show log threat category equal <value>
show log threat category not-equal <value>
show log wildfire direcon equal <forward|backward>
show log wildfire csv-output equal <yes|no>
show log wildfire query equal <value>
show log wildfire receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-
hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log wildfire start-me equal <value>
show log wildfire end-me equal <value>
show log wildfire src in <value>
show log wildfire src not-in <value>
show log wildfire dst in <value>

PAN-OS CLI Quick Start Version Version 10.1 135 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log wildfire dst not-in <value>

show log wildfire rule equal <value>
show log wildfire rule not-equal <value>
show log wildfire rule_uuid equal <value>
show log wildfire rule_uuid not-equal <value>
show log wildfire app equal <value>
show log wildfire app not-equal <value>
show log wildfire from equal <value>
show log wildfire from not-equal <value>
show log wildfire to equal <value>
show log wildfire to not-equal <value>
show log wildfire sport equal <1-65535>
show log wildfire sport not-equal <1-65535>
show log wildfire dport equal <1-65535>
show log wildfire dport not-equal <1-65535>
show log wildfire srcuser equal <value>
show log wildfire dstuser equal <value>
show log wildfire category equal <benign|grayware|malicious|phishing>
show log wildfire category not-equal <benign|grayware|malicious|phishing>
show log url suppress-thread-mapping equal <yes|no>
show log url direcon equal <forward|backward>
show log url csv-output equal <yes|no>
show log url query equal <value>
show log url receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log url start-me equal <value>
show log url end-me equal <value>
show log url src in <value>
show log url src not-in <value>
show log url dst in <value>
show log url dst not-in <value>
show log url rule equal <value>
show log url rule not-equal <value>
show log url rule_uuid equal <value>

PAN-OS CLI Quick Start Version Version 10.1 136 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log url rule_uuid not-equal <value>

show log url app equal <value>
show log url app not-equal <value>
show log url from equal <value>
show log url from not-equal <value>
show log url to equal <value>
show log url to not-equal <value>
show log url sport equal <1-65535>
show log url sport not-equal <1-65535>
show log url dport equal <1-65535>
show log url dport not-equal <1-65535>
show log url acon equal <alert|allow|deny|drop|drop-all|reset-client|reset-server|reset-both|
block-url>
show log url acon not-equal <alert|allow|deny|drop|drop-all|reset-client|reset-server|reset-both|
block-url>
show log url srcuser equal <value>
show log url dstuser equal <value>
show log url category equal <value>
show log url category not-equal <value>
show log data suppress-thread-mapping equal <yes|no>
show log data direcon equal <forward|backward>
show log data csv-output equal <yes|no>
show log data query equal <value>
show log data receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log data start-me equal <value>
show log data end-me equal <value>
show log data src in <value>
show log data src not-in <value>
show log data dst in <value>
show log data dst not-in <value>
show log data rule equal <value>
show log data rule not-equal <value>
show log data rule_uuid equal <value>

PAN-OS CLI Quick Start Version Version 10.1 137 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log data rule_uuid not-equal <value>

show log data app equal <value>
show log data app not-equal <value>
show log data from equal <value>
show log data from not-equal <value>
show log data to equal <value>
show log data to not-equal <value>
show log data sport equal <1-65535>
show log data sport not-equal <1-65535>
show log data dport equal <1-65535>
show log data dport not-equal <1-65535>
show log data acon equal <alert|allow|deny|drop|drop-all|reset-client|reset-server|reset-both|
block-url|wildfire-upload-success|wildfire-upload-fail|wildfire-upload-skip>
show log data acon not-equal <alert|allow|deny|drop|drop-all|reset-client|reset-server|reset-both|
block-url|wildfire-upload-success|wildfire-upload-fail|wildfire-upload-skip>
show log data srcuser equal <value>
show log data dstuser equal <value>
show log data category equal <value>
show log data category not-equal <value>
show log tunnel direcon equal <forward|backward>
show log tunnel csv-output equal <yes|no>
show log tunnel query equal <value>
show log tunnel receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log tunnel start-me equal <value>
show log tunnel end-me equal <value>
show log tunnel src in <value>
show log tunnel src not-in <value>
show log tunnel dst in <value>
show log tunnel dst not-in <value>
show log tunnel rule equal <value>
show log tunnel rule not-equal <value>
show log tunnel rule_uuid equal <value>
show log tunnel rule_uuid not-equal <value>

PAN-OS CLI Quick Start Version Version 10.1 138 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log tunnel app equal <value>

show log tunnel app not-equal <value>
show log tunnel from equal <value>
show log tunnel from not-equal <value>
show log tunnel to equal <value>
show log tunnel to not-equal <value>
show log tunnel sport equal <1-65535>
show log tunnel sport not-equal <1-65535>
show log tunnel dport equal <1-65535>
show log tunnel dport not-equal <1-65535>
show log tunnel acon equal <allow|deny|drop|reset-client|reset-server|reset-both|drop-icmp>
show log tunnel acon not-equal <allow|deny|drop|reset-client|reset-server|reset-both|drop-
icmp>
show log tunnel srcuser equal <value>
show log tunnel dstuser equal <value>
show log tunnel severity equal <crical|high|medium|low|informaonal>
show log tunnel severity not-equal <crical|high|medium|low|informaonal>
show log tunnel severity greater-than-or-equal <crical|high|medium|low|informaonal>
show log tunnel severity less-than-or-equal <crical|high|medium|low|informaonal>
show log tunnel tunnelid equal <value>
show log tunnel tunnelid not-equal <value>
show log tunnel monitortag equal <value>
show log tunnel monitortag not-equal <value>
show log config direcon equal <forward|backward>
show log config csv-output equal <yes|no>
show log config query equal <value>
show log config receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log config start-me equal <value>
show log config end-me equal <value>
show log config client equal <web|cli>
show log config client not-equal <web|cli>
show log config cmd equal <add|clone|commit|create|delete|edit|get|load-from-disk|move|rename|
save-to-disk|set>

PAN-OS CLI Quick Start Version Version 10.1 139 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log config cmd not-equal <add|clone|commit|create|delete|edit|get|load-from-disk|move|

rename|save-to-disk|set>
show log config result equal <succeeded|failed|unauthorized>
show log config result not-equal <succeeded|failed|unauthorized>
show log system direcon equal <forward|backward>
show log system csv-output equal <yes|no>
show log system query equal <value>
show log system receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log system start-me equal <value>
show log system end-me equal <value>
show log system opaque contains <value>
show log system severity equal <crical|high|medium|low|informaonal>
show log system severity not-equal <crical|high|medium|low|informaonal>
show log system severity greater-than-or-equal <crical|high|medium|low|informaonal>
show log system severity less-than-or-equal <crical|high|medium|low|informaonal>
show log system subtype equal <value>
show log system subtype not-equal <value>
show log system object equal <value>
show log system object not-equal <value>
show log system evend equal <value>
show log system evend not-equal <value>
show log system id equal <value>
show log system id not-equal <value>
show log alarm opaque contains <value>
show log alarm direcon equal <forward|backward>
show log alarm csv-output equal <yes|no>
show log alarm query equal <value>
show log alarm receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log alarm start-me equal <value>
show log alarm end-me equal <value>
show log alarm vsys equal <value>
show log alarm admin equal <value>

PAN-OS CLI Quick Start Version Version 10.1 140 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log alarm src equal <value>

show log alarm dst equal <value>
show log alarm sport equal <0-65535>
show log alarm dport equal <0-65535>
show log alarm ack_admin equal <value>
show log alarm rulegroup equal <value>
show log alarm me_acknowledged equal <value>
show log appstat direcon equal <forward|backward>
show log appstat csv-output equal <yes|no>
show log appstat query equal <value>
show log appstat receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-
hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log appstat start-me equal <value>
show log appstat end-me equal <value>
show log appstat name equal <value>
show log appstat name not-equal <value>
show log appstat risk equal <1|2|3|4|5>
show log appstat risk not-equal <1|2|3|4|5>
show log appstat risk greater-than-or-equal <1|2|3|4|5>
show log appstat risk less-than-or-equal <1|2|3|4|5>
show log decrypon direcon equal <forward|backward>
show log decrypon csv-output equal <yes|no>
show log decrypon query equal <value>
show log decrypon receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log decrypon start-me equal <value>
show log decrypon end-me equal <value>
show log decrypon show-tracker equal <yes|no>
show log decrypon src in <value>
show log decrypon src not-in <value>
show log decrypon dst in <value>
show log decrypon dst not-in <value>
show log decrypon proxy_type equal <forward|inbound|globalprotect|globalprotect_tunnel|
nodecrypt|clientless_vpn|broker|ssh|cleartext|remote_host>

PAN-OS CLI Quick Start Version Version 10.1 141 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log decrypon policy_name equal <value>

show log decrypon policy_name not-equal <value>
show log decrypon sni equal <value>
show log decrypon sni not-equal <value>
show log decrypon tls_keyxchg equal <annon|rsa|dh3|ecdhe>
show log decrypon tls_version equal <Unknown|SSL2.0|SSL3.0|TLS1.0|TLS1.1|TLS1.2|TLS1.2+>
show log decrypon tls_enc equal <ANULL|RC4_40|RC4_56|RC4_128|DES_CBC|DES40_CBC|
3DES_EDE_CBC|AES_128_CBC|AES_256_CBC|AES_128_GCM|AES_256_GCM>
show log decrypon tls_auth equal <ANULL|MD2|MD5|SHA|SHA256|SHA384|SHA512|AEAD>
show log decrypon ec_curve equal <sect163k1|sect163r1|sect163r2|sect193r1|
sect193r2|sect233k1|sect233r1|sect239k1|sect283k1|sect283r1|sect409k1|sect409r1|
sect571k1|sect571r1|secp160k1|secp160r1|secp192k1|secp224k1|secp224r1|secp256k1|
X9_62_prime192v1|X9_62_prime256v1|secp384r1|secp521k1>
show log decrypon rule equal <value>
show log decrypon rule not-equal <value>
show log decrypon app equal <value>
show log decrypon app not-equal <value>
show log decrypon from equal <value>
show log decrypon from not-equal <value>
show log decrypon to equal <value>
show log decrypon to not-equal <value>
show log decrypon sport equal <1-65535>
show log decrypon sport not-equal <1-65535>
show log decrypon dport equal <1-65535>
show log decrypon dport not-equal <1-65535>
show log decrypon acon equal <allow|deny|drop|reset-client|reset-server|reset-both|drop-
icmp>
show log decrypon acon not-equal <allow|deny|drop|reset-client|reset-server|reset-both|drop-
icmp>
show log decrypon srcuser equal <value>
show log decrypon dstuser equal <value>
show log trsum direcon equal <forward|backward>
show log trsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log trsum csv-output equal <yes|no>
show log trsum query equal <value>

PAN-OS CLI Quick Start Version Version 10.1 142 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log trsum start-me equal <value>

show log trsum end-me equal <value>
show log trsum app equal <value>
show log trsum app not-equal <value>
show log trsum src in <value>
show log trsum dst in <value>
show log trsum rule equal <value>
show log trsum rule not-equal <value>
show log trsum rule_uuid equal <value>
show log trsum rule_uuid not-equal <value>
show log trsum srcuser equal <value>
show log trsum srcuser not-equal <value>
show log trsum dstuser equal <value>
show log trsum dstuser not-equal <value>
show log trsum srcloc equal <value>
show log trsum srcloc not-equal <value>
show log trsum srcloc greater-than-or-equal <value>
show log trsum srcloc less-than-or-equal <value>
show log trsum dstloc equal <value>
show log trsum dstloc not-equal <value>
show log trsum dstloc greater-than-or-equal <value>
show log trsum dstloc less-than-or-equal <value>
show log hourlytrsum direcon equal <forward|backward>
show log hourlytrsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log hourlytrsum csv-output equal <yes|no>
show log hourlytrsum query equal <value>
show log hourlytrsum start-me equal <value>
show log hourlytrsum end-me equal <value>
show log hourlytrsum app equal <value>
show log hourlytrsum app not-equal <value>
show log hourlytrsum src in <value>
show log hourlytrsum dst in <value>
show log hourlytrsum rule equal <value>

PAN-OS CLI Quick Start Version Version 10.1 143 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log hourlytrsum rule not-equal <value>

show log hourlytrsum rule_uuid equal <value>
show log hourlytrsum rule_uuid not-equal <value>
show log hourlytrsum srcuser equal <value>
show log hourlytrsum srcuser not-equal <value>
show log hourlytrsum dstuser equal <value>
show log hourlytrsum dstuser not-equal <value>
show log hourlytrsum srcloc equal <value>
show log hourlytrsum srcloc not-equal <value>
show log hourlytrsum srcloc greater-than-or-equal <value>
show log hourlytrsum srcloc less-than-or-equal <value>
show log hourlytrsum dstloc equal <value>
show log hourlytrsum dstloc not-equal <value>
show log hourlytrsum dstloc greater-than-or-equal <value>
show log hourlytrsum dstloc less-than-or-equal <value>
show log dailytrsum direcon equal <forward|backward>
show log dailytrsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-
hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log dailytrsum csv-output equal <yes|no>
show log dailytrsum query equal <value>
show log dailytrsum start-me equal <value>
show log dailytrsum end-me equal <value>
show log dailytrsum app equal <value>
show log dailytrsum app not-equal <value>
show log dailytrsum src in <value>
show log dailytrsum dst in <value>
show log dailytrsum rule equal <value>
show log dailytrsum rule not-equal <value>
show log dailytrsum rule_uuid equal <value>
show log dailytrsum rule_uuid not-equal <value>
show log dailytrsum srcuser equal <value>
show log dailytrsum srcuser not-equal <value>
show log dailytrsum dstuser equal <value>
show log dailytrsum dstuser not-equal <value>

PAN-OS CLI Quick Start Version Version 10.1 144 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log dailytrsum srcloc equal <value>

show log dailytrsum srcloc not-equal <value>
show log dailytrsum srcloc greater-than-or-equal <value>
show log dailytrsum srcloc less-than-or-equal <value>
show log dailytrsum dstloc equal <value>
show log dailytrsum dstloc not-equal <value>
show log dailytrsum dstloc greater-than-or-equal <value>
show log dailytrsum dstloc less-than-or-equal <value>
show log weeklytrsum direcon equal <forward|backward>
show log weeklytrsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log weeklytrsum csv-output equal <yes|no>
show log weeklytrsum query equal <value>
show log weeklytrsum start-me equal <value>
show log weeklytrsum end-me equal <value>
show log weeklytrsum app equal <value>
show log weeklytrsum app not-equal <value>
show log weeklytrsum src in <value>
show log weeklytrsum dst in <value>
show log weeklytrsum rule equal <value>
show log weeklytrsum rule not-equal <value>
show log weeklytrsum rule_uuid equal <value>
show log weeklytrsum rule_uuid not-equal <value>
show log weeklytrsum srcuser equal <value>
show log weeklytrsum srcuser not-equal <value>
show log weeklytrsum dstuser equal <value>
show log weeklytrsum dstuser not-equal <value>
show log weeklytrsum srcloc equal <value>
show log weeklytrsum srcloc not-equal <value>
show log weeklytrsum srcloc greater-than-or-equal <value>
show log weeklytrsum srcloc less-than-or-equal <value>
show log weeklytrsum dstloc equal <value>
show log weeklytrsum dstloc not-equal <value>
show log weeklytrsum dstloc greater-than-or-equal <value>

PAN-OS CLI Quick Start Version Version 10.1 145 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log weeklytrsum dstloc less-than-or-equal <value>

show log thsum direcon equal <forward|backward>
show log thsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log thsum csv-output equal <yes|no>
show log thsum query equal <value>
show log thsum start-me equal <value>
show log thsum end-me equal <value>
show log thsum app equal <value>
show log thsum app not-equal <value>
show log thsum src in <value>
show log thsum dst in <value>
show log thsum rule equal <value>
show log thsum rule not-equal <value>
show log thsum rule_uuid equal <value>
show log thsum rule_uuid not-equal <value>
show log thsum srcuser equal <value>
show log thsum srcuser not-equal <value>
show log thsum dstuser equal <value>
show log thsum dstuser not-equal <value>
show log thsum srcloc equal <value>
show log thsum srcloc not-equal <value>
show log thsum srcloc greater-than-or-equal <value>
show log thsum srcloc less-than-or-equal <value>
show log thsum dstloc equal <value>
show log thsum dstloc not-equal <value>
show log thsum dstloc greater-than-or-equal <value>
show log thsum dstloc less-than-or-equal <value>
show log thsum thread equal <value>
show log thsum thread not-equal <value>
show log thsum thread greater-than-or-equal <value>
show log thsum thread less-than-or-equal <value>
show log thsum subtype equal <aack|url|virus|spyware|vulnerability|file|scan|flood|packet|
resource|data|wildfire|wildfire-virus>

PAN-OS CLI Quick Start Version Version 10.1 146 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log thsum subtype not-equal <aack|url|virus|spyware|vulnerability|file|scan|flood|packet|

resource|data|wildfire|wildfire-virus>
show log hourlythsum direcon equal <forward|backward>
show log hourlythsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log hourlythsum csv-output equal <yes|no>
show log hourlythsum query equal <value>
show log hourlythsum start-me equal <value>
show log hourlythsum end-me equal <value>
show log hourlythsum app equal <value>
show log hourlythsum app not-equal <value>
show log hourlythsum src in <value>
show log hourlythsum dst in <value>
show log hourlythsum rule equal <value>
show log hourlythsum rule not-equal <value>
show log hourlythsum rule_uuid equal <value>
show log hourlythsum rule_uuid not-equal <value>
show log hourlythsum srcuser equal <value>
show log hourlythsum srcuser not-equal <value>
show log hourlythsum dstuser equal <value>
show log hourlythsum dstuser not-equal <value>
show log hourlythsum srcloc equal <value>
show log hourlythsum srcloc not-equal <value>
show log hourlythsum srcloc greater-than-or-equal <value>
show log hourlythsum srcloc less-than-or-equal <value>
show log hourlythsum dstloc equal <value>
show log hourlythsum dstloc not-equal <value>
show log hourlythsum dstloc greater-than-or-equal <value>
show log hourlythsum dstloc less-than-or-equal <value>
show log hourlythsum thread equal <value>
show log hourlythsum thread not-equal <value>
show log hourlythsum thread greater-than-or-equal <value>
show log hourlythsum thread less-than-or-equal <value>

PAN-OS CLI Quick Start Version Version 10.1 147 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log hourlythsum subtype equal <aack|url|virus|spyware|vulnerability|file|scan|flood|packet|

resource|data|wildfire|wildfire-virus>
show log hourlythsum subtype not-equal <aack|url|virus|spyware|vulnerability|file|scan|flood|
packet|resource|data|wildfire|wildfire-virus>
show log dailythsum direcon equal <forward|backward>
show log dailythsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log dailythsum csv-output equal <yes|no>
show log dailythsum query equal <value>
show log dailythsum start-me equal <value>
show log dailythsum end-me equal <value>
show log dailythsum app equal <value>
show log dailythsum app not-equal <value>
show log dailythsum src in <value>
show log dailythsum dst in <value>
show log dailythsum rule equal <value>
show log dailythsum rule not-equal <value>
show log dailythsum rule_uuid equal <value>
show log dailythsum rule_uuid not-equal <value>
show log dailythsum srcuser equal <value>
show log dailythsum srcuser not-equal <value>
show log dailythsum dstuser equal <value>
show log dailythsum dstuser not-equal <value>
show log dailythsum srcloc equal <value>
show log dailythsum srcloc not-equal <value>
show log dailythsum srcloc greater-than-or-equal <value>
show log dailythsum srcloc less-than-or-equal <value>
show log dailythsum dstloc equal <value>
show log dailythsum dstloc not-equal <value>
show log dailythsum dstloc greater-than-or-equal <value>
show log dailythsum dstloc less-than-or-equal <value>
show log dailythsum thread equal <value>
show log dailythsum thread not-equal <value>
show log dailythsum thread greater-than-or-equal <value>

PAN-OS CLI Quick Start Version Version 10.1 148 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log dailythsum thread less-than-or-equal <value>

show log dailythsum subtype equal <aack|url|virus|spyware|vulnerability|file|scan|flood|packet|
resource|data|wildfire|wildfire-virus>
show log dailythsum subtype not-equal <aack|url|virus|spyware|vulnerability|file|scan|flood|
packet|resource|data|wildfire|wildfire-virus>
show log weeklythsum direcon equal <forward|backward>
show log weeklythsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log weeklythsum csv-output equal <yes|no>
show log weeklythsum query equal <value>
show log weeklythsum start-me equal <value>
show log weeklythsum end-me equal <value>
show log weeklythsum app equal <value>
show log weeklythsum app not-equal <value>
show log weeklythsum src in <value>
show log weeklythsum dst in <value>
show log weeklythsum rule equal <value>
show log weeklythsum rule not-equal <value>
show log weeklythsum rule_uuid equal <value>
show log weeklythsum rule_uuid not-equal <value>
show log weeklythsum srcuser equal <value>
show log weeklythsum srcuser not-equal <value>
show log weeklythsum dstuser equal <value>
show log weeklythsum dstuser not-equal <value>
show log weeklythsum srcloc equal <value>
show log weeklythsum srcloc not-equal <value>
show log weeklythsum srcloc greater-than-or-equal <value>
show log weeklythsum srcloc less-than-or-equal <value>
show log weeklythsum dstloc equal <value>
show log weeklythsum dstloc not-equal <value>
show log weeklythsum dstloc greater-than-or-equal <value>
show log weeklythsum dstloc less-than-or-equal <value>
show log weeklythsum thread equal <value>
show log weeklythsum thread not-equal <value>

PAN-OS CLI Quick Start Version Version 10.1 149 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log weeklythsum thread greater-than-or-equal <value>

show log weeklythsum thread less-than-or-equal <value>
show log weeklythsum subtype equal <aack|url|virus|spyware|vulnerability|file|scan|flood|packet|
resource|data|wildfire|wildfire-virus>
show log weeklythsum subtype not-equal <aack|url|virus|spyware|vulnerability|file|scan|flood|
packet|resource|data|wildfire|wildfire-virus>
show log urlsum direcon equal <forward|backward>
show log urlsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log urlsum csv-output equal <yes|no>
show log urlsum query equal <value>
show log urlsum start-me equal <value>
show log urlsum end-me equal <value>
show log urlsum app equal <value>
show log urlsum app not-equal <value>
show log urlsum src in <value>
show log urlsum dst in <value>
show log urlsum rule equal <value>
show log urlsum rule not-equal <value>
show log urlsum rule_uuid equal <value>
show log urlsum rule_uuid not-equal <value>
show log urlsum srcuser equal <value>
show log urlsum srcuser not-equal <value>
show log urlsum dstuser equal <value>
show log urlsum dstuser not-equal <value>
show log urlsum srcloc equal <value>
show log urlsum srcloc not-equal <value>
show log urlsum srcloc greater-than-or-equal <value>
show log urlsum srcloc less-than-or-equal <value>
show log urlsum dstloc equal <value>
show log urlsum dstloc not-equal <value>
show log urlsum dstloc greater-than-or-equal <value>
show log urlsum dstloc less-than-or-equal <value>
show log hourlyurlsum direcon equal <forward|backward>

PAN-OS CLI Quick Start Version Version 10.1 150 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log hourlyurlsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|

last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log hourlyurlsum csv-output equal <yes|no>
show log hourlyurlsum query equal <value>
show log hourlyurlsum start-me equal <value>
show log hourlyurlsum end-me equal <value>
show log hourlyurlsum app equal <value>
show log hourlyurlsum app not-equal <value>
show log hourlyurlsum src in <value>
show log hourlyurlsum dst in <value>
show log hourlyurlsum rule equal <value>
show log hourlyurlsum rule not-equal <value>
show log hourlyurlsum rule_uuid equal <value>
show log hourlyurlsum rule_uuid not-equal <value>
show log hourlyurlsum srcuser equal <value>
show log hourlyurlsum srcuser not-equal <value>
show log hourlyurlsum dstuser equal <value>
show log hourlyurlsum dstuser not-equal <value>
show log hourlyurlsum srcloc equal <value>
show log hourlyurlsum srcloc not-equal <value>
show log hourlyurlsum srcloc greater-than-or-equal <value>
show log hourlyurlsum srcloc less-than-or-equal <value>
show log hourlyurlsum dstloc equal <value>
show log hourlyurlsum dstloc not-equal <value>
show log hourlyurlsum dstloc greater-than-or-equal <value>
show log hourlyurlsum dstloc less-than-or-equal <value>
show log dailyurlsum direcon equal <forward|backward>
show log dailyurlsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log dailyurlsum csv-output equal <yes|no>
show log dailyurlsum query equal <value>
show log dailyurlsum start-me equal <value>
show log dailyurlsum end-me equal <value>
show log dailyurlsum app equal <value>

PAN-OS CLI Quick Start Version Version 10.1 151 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log dailyurlsum app not-equal <value>

show log dailyurlsum src in <value>
show log dailyurlsum dst in <value>
show log dailyurlsum rule equal <value>
show log dailyurlsum rule not-equal <value>
show log dailyurlsum rule_uuid equal <value>
show log dailyurlsum rule_uuid not-equal <value>
show log dailyurlsum srcuser equal <value>
show log dailyurlsum srcuser not-equal <value>
show log dailyurlsum dstuser equal <value>
show log dailyurlsum dstuser not-equal <value>
show log dailyurlsum srcloc equal <value>
show log dailyurlsum srcloc not-equal <value>
show log dailyurlsum srcloc greater-than-or-equal <value>
show log dailyurlsum srcloc less-than-or-equal <value>
show log dailyurlsum dstloc equal <value>
show log dailyurlsum dstloc not-equal <value>
show log dailyurlsum dstloc greater-than-or-equal <value>
show log dailyurlsum dstloc less-than-or-equal <value>
show log weeklyurlsum direcon equal <forward|backward>
show log weeklyurlsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log weeklyurlsum csv-output equal <yes|no>
show log weeklyurlsum query equal <value>
show log weeklyurlsum start-me equal <value>
show log weeklyurlsum end-me equal <value>
show log weeklyurlsum app equal <value>
show log weeklyurlsum app not-equal <value>
show log weeklyurlsum src in <value>
show log weeklyurlsum dst in <value>
show log weeklyurlsum rule equal <value>
show log weeklyurlsum rule not-equal <value>
show log weeklyurlsum rule_uuid equal <value>
show log weeklyurlsum rule_uuid not-equal <value>

PAN-OS CLI Quick Start Version Version 10.1 152 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log weeklyurlsum srcuser equal <value>

show log weeklyurlsum srcuser not-equal <value>
show log weeklyurlsum dstuser equal <value>
show log weeklyurlsum dstuser not-equal <value>
show log weeklyurlsum srcloc equal <value>
show log weeklyurlsum srcloc not-equal <value>
show log weeklyurlsum srcloc greater-than-or-equal <value>
show log weeklyurlsum srcloc less-than-or-equal <value>
show log weeklyurlsum dstloc equal <value>
show log weeklyurlsum dstloc not-equal <value>
show log weeklyurlsum dstloc greater-than-or-equal <value>
show log weeklyurlsum dstloc less-than-or-equal <value>
show log gtpsum direcon equal <forward|backward>
show log gtpsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-
hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log gtpsum csv-output equal <yes|no>
show log gtpsum query equal <value>
show log gtpsum start-me equal <value>
show log gtpsum end-me equal <value>
show log gtpsum app equal <value>
show log gtpsum app not-equal <value>
show log gtpsum src in <value>
show log gtpsum dst in <value>
show log gtpsum rule equal <value>
show log gtpsum rule not-equal <value>
show log gtpsum rule_uuid equal <value>
show log gtpsum rule_uuid not-equal <value>
show log gtpsum srcloc equal <value>
show log gtpsum srcloc not-equal <value>
show log gtpsum srcloc greater-than-or-equal <value>
show log gtpsum srcloc less-than-or-equal <value>
show log gtpsum dstloc equal <value>
show log gtpsum dstloc not-equal <value>
show log gtpsum dstloc greater-than-or-equal <value>

PAN-OS CLI Quick Start Version Version 10.1 153 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log gtpsum dstloc less-than-or-equal <value>

show log gtpsum imsi equal <value>
show log gtpsum imsi not-equal <value>
show log gtpsum imei equal <value>
show log gtpsum imei not-equal <value>
show log gtpsum parent_session_id equal <value>
show log gtpsum parent_session_id not-equal <value>
show log hourlygtpsum direcon equal <forward|backward>
show log hourlygtpsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log hourlygtpsum csv-output equal <yes|no>
show log hourlygtpsum query equal <value>
show log hourlygtpsum start-me equal <value>
show log hourlygtpsum end-me equal <value>
show log hourlygtpsum app equal <value>
show log hourlygtpsum app not-equal <value>
show log hourlygtpsum src in <value>
show log hourlygtpsum dst in <value>
show log hourlygtpsum rule equal <value>
show log hourlygtpsum rule not-equal <value>
show log hourlygtpsum rule_uuid equal <value>
show log hourlygtpsum rule_uuid not-equal <value>
show log hourlygtpsum srcloc equal <value>
show log hourlygtpsum srcloc not-equal <value>
show log hourlygtpsum srcloc greater-than-or-equal <value>
show log hourlygtpsum srcloc less-than-or-equal <value>
show log hourlygtpsum dstloc equal <value>
show log hourlygtpsum dstloc not-equal <value>
show log hourlygtpsum dstloc greater-than-or-equal <value>
show log hourlygtpsum dstloc less-than-or-equal <value>
show log hourlygtpsum imsi equal <value>
show log hourlygtpsum imsi not-equal <value>
show log hourlygtpsum imei equal <value>
show log hourlygtpsum imei not-equal <value>

PAN-OS CLI Quick Start Version Version 10.1 154 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log hourlygtpsum parent_session_id equal <value>

show log hourlygtpsum parent_session_id not-equal <value>
show log dailygtpsum direcon equal <forward|backward>
show log dailygtpsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log dailygtpsum csv-output equal <yes|no>
show log dailygtpsum query equal <value>
show log dailygtpsum start-me equal <value>
show log dailygtpsum end-me equal <value>
show log dailygtpsum app equal <value>
show log dailygtpsum app not-equal <value>
show log dailygtpsum src in <value>
show log dailygtpsum dst in <value>
show log dailygtpsum rule equal <value>
show log dailygtpsum rule not-equal <value>
show log dailygtpsum rule_uuid equal <value>
show log dailygtpsum rule_uuid not-equal <value>
show log dailygtpsum srcloc equal <value>
show log dailygtpsum srcloc not-equal <value>
show log dailygtpsum srcloc greater-than-or-equal <value>
show log dailygtpsum srcloc less-than-or-equal <value>
show log dailygtpsum dstloc equal <value>
show log dailygtpsum dstloc not-equal <value>
show log dailygtpsum dstloc greater-than-or-equal <value>
show log dailygtpsum dstloc less-than-or-equal <value>
show log dailygtpsum imsi equal <value>
show log dailygtpsum imsi not-equal <value>
show log dailygtpsum imei equal <value>
show log dailygtpsum imei not-equal <value>
show log dailygtpsum parent_session_id equal <value>
show log dailygtpsum parent_session_id not-equal <value>
show log weeklygtpsum direcon equal <forward|backward>
show log weeklygtpsum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>

PAN-OS CLI Quick Start Version Version 10.1 155 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log weeklygtpsum csv-output equal <yes|no>

show log weeklygtpsum query equal <value>
show log weeklygtpsum start-me equal <value>
show log weeklygtpsum end-me equal <value>
show log weeklygtpsum app equal <value>
show log weeklygtpsum app not-equal <value>
show log weeklygtpsum src in <value>
show log weeklygtpsum dst in <value>
show log weeklygtpsum rule equal <value>
show log weeklygtpsum rule not-equal <value>
show log weeklygtpsum rule_uuid equal <value>
show log weeklygtpsum rule_uuid not-equal <value>
show log weeklygtpsum srcloc equal <value>
show log weeklygtpsum srcloc not-equal <value>
show log weeklygtpsum srcloc greater-than-or-equal <value>
show log weeklygtpsum srcloc less-than-or-equal <value>
show log weeklygtpsum dstloc equal <value>
show log weeklygtpsum dstloc not-equal <value>
show log weeklygtpsum dstloc greater-than-or-equal <value>
show log weeklygtpsum dstloc less-than-or-equal <value>
show log weeklygtpsum imsi equal <value>
show log weeklygtpsum imsi not-equal <value>
show log weeklygtpsum imei equal <value>
show log weeklygtpsum imei not-equal <value>
show log weeklygtpsum parent_session_id equal <value>
show log weeklygtpsum parent_session_id not-equal <value>
show log desum direcon equal <forward|backward>
show log desum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log desum csv-output equal <yes|no>
show log desum query equal <value>
show log desum start-me equal <value>
show log desum end-me equal <value>
show log desum src in <value>

PAN-OS CLI Quick Start Version Version 10.1 156 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log desum dst in <value>

show log desum vsys equal <value>
show log desum vsys not-equal <value>
show log desum srcuser equal <value>
show log desum srcuser not-equal <value>
show log desum dstuser equal <value>
show log desum dstuser not-equal <value>
show log desum from equal <value>
show log desum from not-equal <value>
show log desum to equal <value>
show log desum to not-equal <value>
show log desum tls_version equal <Unknown|SSL2.0|SSL3.0|TLS1.0|TLS1.1|TLS1.2|TLS1.2+>
show log desum tls_keyxchg equal <annon|rsa|dh3|ecdhe>
show log desum tls_enc equal <ANULL|RC4_40|RC4_56|RC4_128|DES_CBC|DES40_CBC|
3DES_EDE_CBC|AES_128_CBC|AES_256_CBC|AES_128_GCM|AES_256_GCM>
show log desum tls_auth equal <ANULL|MD2|MD5|SHA|SHA256|SHA384|SHA512|AEAD>
show log desum policy_name equal <value>
show log desum policy_name not-equal <value>
show log desum sni equal <value>
show log desum sni not-equal <value>
show log desum error equal <value>
show log desum error not-equal <value>
show log hourlydesum direcon equal <forward|backward>
show log hourlydesum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log hourlydesum csv-output equal <yes|no>
show log hourlydesum query equal <value>
show log hourlydesum start-me equal <value>
show log hourlydesum end-me equal <value>
show log hourlydesum src in <value>
show log hourlydesum dst in <value>
show log hourlydesum vsys equal <value>
show log hourlydesum vsys not-equal <value>
show log hourlydesum srcuser equal <value>

PAN-OS CLI Quick Start Version Version 10.1 157 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log hourlydesum srcuser not-equal <value>

show log hourlydesum dstuser equal <value>
show log hourlydesum dstuser not-equal <value>
show log hourlydesum from equal <value>
show log hourlydesum from not-equal <value>
show log hourlydesum to equal <value>
show log hourlydesum to not-equal <value>
show log hourlydesum tls_version equal <Unknown|SSL2.0|SSL3.0|TLS1.0|TLS1.1|TLS1.2|
TLS1.2+>
show log hourlydesum tls_keyxchg equal <annon|rsa|dh3|ecdhe>
show log hourlydesum tls_enc equal <ANULL|RC4_40|RC4_56|RC4_128|DES_CBC|DES40_CBC|
3DES_EDE_CBC|AES_128_CBC|AES_256_CBC|AES_128_GCM|AES_256_GCM>
show log hourlydesum tls_auth equal <ANULL|MD2|MD5|SHA|SHA256|SHA384|SHA512|AEAD>
show log hourlydesum policy_name equal <value>
show log hourlydesum policy_name not-equal <value>
show log hourlydesum sni equal <value>
show log hourlydesum sni not-equal <value>
show log hourlydesum error equal <value>
show log hourlydesum error not-equal <value>
show log dailydesum direcon equal <forward|backward>
show log dailydesum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log dailydesum csv-output equal <yes|no>
show log dailydesum query equal <value>
show log dailydesum start-me equal <value>
show log dailydesum end-me equal <value>
show log dailydesum src in <value>
show log dailydesum dst in <value>
show log dailydesum vsys equal <value>
show log dailydesum vsys not-equal <value>
show log dailydesum srcuser equal <value>
show log dailydesum srcuser not-equal <value>
show log dailydesum dstuser equal <value>
show log dailydesum dstuser not-equal <value>

PAN-OS CLI Quick Start Version Version 10.1 158 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log dailydesum from equal <value>

show log dailydesum from not-equal <value>
show log dailydesum to equal <value>
show log dailydesum to not-equal <value>
show log dailydesum tls_version equal <Unknown|SSL2.0|SSL3.0|TLS1.0|TLS1.1|TLS1.2|TLS1.2+>
show log dailydesum tls_keyxchg equal <annon|rsa|dh3|ecdhe>
show log dailydesum tls_enc equal <ANULL|RC4_40|RC4_56|RC4_128|DES_CBC|DES40_CBC|
3DES_EDE_CBC|AES_128_CBC|AES_256_CBC|AES_128_GCM|AES_256_GCM>
show log dailydesum tls_auth equal <ANULL|MD2|MD5|SHA|SHA256|SHA384|SHA512|AEAD>
show log dailydesum policy_name equal <value>
show log dailydesum policy_name not-equal <value>
show log dailydesum sni equal <value>
show log dailydesum sni not-equal <value>
show log dailydesum error equal <value>
show log dailydesum error not-equal <value>
show log weeklydesum direcon equal <forward|backward>
show log weeklydesum receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log weeklydesum csv-output equal <yes|no>
show log weeklydesum query equal <value>
show log weeklydesum start-me equal <value>
show log weeklydesum end-me equal <value>
show log weeklydesum src in <value>
show log weeklydesum dst in <value>
show log weeklydesum vsys equal <value>
show log weeklydesum vsys not-equal <value>
show log weeklydesum srcuser equal <value>
show log weeklydesum srcuser not-equal <value>
show log weeklydesum dstuser equal <value>
show log weeklydesum dstuser not-equal <value>
show log weeklydesum from equal <value>
show log weeklydesum from not-equal <value>
show log weeklydesum to equal <value>
show log weeklydesum to not-equal <value>

PAN-OS CLI Quick Start Version Version 10.1 159 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log weeklydesum tls_version equal <Unknown|SSL2.0|SSL3.0|TLS1.0|TLS1.1|TLS1.2|

TLS1.2+>
show log weeklydesum tls_keyxchg equal <annon|rsa|dh3|ecdhe>
show log weeklydesum tls_enc equal <ANULL|RC4_40|RC4_56|RC4_128|DES_CBC|DES40_CBC|
3DES_EDE_CBC|AES_128_CBC|AES_256_CBC|AES_128_GCM|AES_256_GCM>
show log weeklydesum tls_auth equal <ANULL|MD2|MD5|SHA|SHA256|SHA384|SHA512|
AEAD>
show log weeklydesum policy_name equal <value>
show log weeklydesum policy_name not-equal <value>
show log weeklydesum sni equal <value>
show log weeklydesum sni not-equal <value>
show log weeklydesum error equal <value>
show log weeklydesum error not-equal <value>
show log hipmatch direcon equal <forward|backward>
show log hipmatch csv-output equal <yes|no>
show log hipmatch query equal <value>
show log hipmatch receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-
hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log hipmatch start-me equal <value>
show log hipmatch end-me equal <value>
show log hipmatch src in <value>
show log hipmatch src not-in <value>
show log hipmatch srcuser equal <value>
show log hipmatch machinename equal <value>
show log hipmatch machinename not-equal <value>
show log hipmatch os equal <value>
show log hipmatch os not-equal <value>
show log hipmatch matchname equal <value>
show log hipmatch matchname not-equal <value>
show log hipmatch matchtype equal <object|profile>
show log hipmatch matchtype not-equal <object|profile>
show log iptag direcon equal <forward|backward>
show log iptag csv-output equal <yes|no>
show log iptag query equal <value>

PAN-OS CLI Quick Start Version Version 10.1 160 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log iptag receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|

last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log iptag start-me equal <value>
show log iptag end-me equal <value>
show log iptag vsys equal <value>
show log iptag ip in <value>
show log iptag ip not-in <value>
show log iptag tag_name equal <value>
show log iptag tag_name not-equal <value>
show log iptag event_id equal <unknown|login|logout|meout|register|unregister>
show log iptag event_id not-equal <unknown|login|logout|meout|register|unregister>
show log iptag datasource_type equal <unknown|xml-api|ha|vm-monitor>
show log iptag datasource_type not-equal <unknown|xml-api|ha|vm-monitor>
show log iptag datasource_subtype equal <unknown|VMware_ESXi|VMware_vCenter|AWS-VPC|
User-id-Agent|Google-Compute-Engine>
show log iptag datasource_subtype not-equal <unknown|VMware_ESXi|VMware_vCenter|AWS-
VPC|User-id-Agent|Google-Compute-Engine>
show log iptag datasourcename equal <value>
show log iptag datasourcename not-equal <value>
show log iptag ip_subnet_range equal <value>
show log iptag ip_subnet_range not-equal <value>
show log mdm receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log userid direcon equal <forward|backward>
show log userid csv-output equal <yes|no>
show log userid query equal <value>
show log userid receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log userid start-me equal <value>
show log userid end-me equal <value>
show log userid vsys equal <value>
show log userid ip in <value>
show log userid ip not-in <value>
show log userid user equal <value>
show log userid datasourcename equal <value>

PAN-OS CLI Quick Start Version Version 10.1 161 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log userid datasource equal <unknown|agent|ts-agent|event-log|probing|server-session-

monitor|capve-portal|vpn-client|xml-api|ha|syslog>
show log userid datasourcetype equal <unknown|directory-server|exchange-server|wmi-probing|
netbios-probing|client-cert|ntlm|kerberos|authencate|globalprotect|vpn-client>
show log userid beginport equal <1-65535>
show log userid beginport not-equal <1-65535>
show log userid endport equal <1-65535>
show log userid endport not-equal <1-65535>
show log auth direcon equal <forward|backward>
show log auth csv-output equal <yes|no>
show log auth query equal <value>
show log auth receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log auth start-me equal <value>
show log auth end-me equal <value>
show log auth vsys equal <value>
show log auth ip in <value>
show log auth ip not-in <value>
show log auth user equal <value>
show log auth authpolicy equal <value>
show log auth vendor equal <value>
show log auth clienype equal <unknown|Admin UI|CLI|GlobalProtect Portal|GlobalProtect
Gateway|Clientless VPN|Authencaon Portal>
show log corr direcon equal <forward|backward>
show log corr csv-output equal <yes|no>
show log corr query equal <value>
show log corr receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log corr start-me equal <value>
show log corr end-me equal <value>
show log corr objectname equal <value>
show log corr src in <value>
show log corr src not-in <value>
show log corr srcuser equal <value>
show log corr severity equal <crical|high|medium|low|informaonal>

PAN-OS CLI Quick Start Version Version 10.1 162 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log corr severity not-equal <crical|high|medium|low|informaonal>

show log corr severity greater-than-or-equal <crical|high|medium|low|informaonal>
show log corr severity less-than-or-equal <crical|high|medium|low|informaonal>
show log corr-categ direcon equal <forward|backward>
show log corr-categ csv-output equal <yes|no>
show log corr-categ query equal <value>
show log corr-categ receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-
hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log corr-categ start-me equal <value>
show log corr-categ end-me equal <value>
show log corr-categ object-category equal <value>
show log corr-categ src in <value>
show log corr-categ src not-in <value>
show log corr-categ srcuser equal <value>
show log corr-categ severity equal <crical|high|medium|low|informaonal>
show log corr-categ severity not-equal <crical|high|medium|low|informaonal>
show log corr-categ severity greater-than-or-equal <crical|high|medium|low|informaonal>
show log corr-categ severity less-than-or-equal <crical|high|medium|low|informaonal>
show log corr-detail object-name equal <value>
show log corr-detail match-oid equal <value>
show log globalprotect direcon equal <forward|backward>
show log globalprotect csv-output equal <yes|no>
show log globalprotect query equal <value>
show log globalprotect receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log globalprotect start-me equal <value>
show log globalprotect end-me equal <value>
show log globalprotect vsys equal <value>
show log globalprotect client_ver equal <value>
show log globalprotect client_ver not-equal <value>
show log globalprotect auth_method equal <value>
show log globalprotect auth_method not-equal <value>
show log globalprotect machinename equal <value>
show log globalprotect machinename not-equal <value>

PAN-OS CLI Quick Start Version Version 10.1 163 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show log globalprotect machinename contains <value>

show log globalprotect hosd equal <value>
show log globalprotect hosd not-equal <value>
show log globalprotect portal_or_gateway equal <value>
show log globalprotect portal_or_gateway not-equal <value>
show log globalprotect receive_me equal <value>
show log globalprotect receive_me not-equal <value>
show log globalprotect private_ip equal <value>
show log globalprotect private_ip not-equal <value>
show log globalprotect private_ip in <value>
show log globalprotect public_ip equal <value>
show log globalprotect public_ip not-equal <value>
show log globalprotect public_ip in <value>
show log globalprotect srcregion equal <value>
show log globalprotect srcregion not-equal <value>
show log globalprotect srcuser equal <value>
show log globalprotect srcuser not-equal <value>
show log trace direcon equal <forward|backward>
show log trace csv-output equal <yes|no>
show log trace query equal <value>
show log trace receive_me in <last-60-seconds|last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-30-days|last-calendar-month>
show log trace start-me equal <value>
show log trace end-me equal <value>
show log trace sessionid equal <0-4294967295>
show log trace sessionid not-equal <0-4294967295>
show counter interface <value>|<management|all>
show counter rate <value>
show counter management-server
show counter global name <value>
show counter global filter category <value> severity <value> aspect <value> delta <yes|no>
packet-filter <yes|no> value <all|non-zero>
show ntp
show high-availability interface <ha1|ha1-backup|ha2|ha2-backup|ha3|ha4|ha4-backup>

PAN-OS CLI Quick Start Version Version 10.1 164 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show high-availability all

show high-availability state
show high-availability link-monitoring
show high-availability path-monitoring
show high-availability ha2_keepalive
show high-availability virtual-address
show high-availability state-synchronizaon
show high-availability control-link stascs
show high-availability transions
show high-availability flap-stascs
show high-availability session-reestablish-status
show high-availability pre-negoaon summary
show high-availability cluster all
show high-availability cluster state
show high-availability cluster session-synchronizaon all
show high-availability cluster session-synchronizaon device device-name <value>
show high-availability cluster session-synchronizaon device device-id <value>
show high-availability cluster ha4-status
show high-availability cluster flap-stascs
show high-availability cluster ha4-backup-status
show high-availability cluster stascs all
show high-availability cluster stascs device device-name <value>
show high-availability cluster stascs device device-id <value>
show session id <1-4294967295>
show session info
show session rematch
show session packet-buffer-protecon buffer-latency
show session packet-buffer-protecon zones
show session meter
show session all start-at <1-2097152> filter nat <none|source|desnaon|both> ssl-decrypt
<yes|no> decrypt-forwarded <yes|no> hp2-connecon <yes|no> hp2-stream <yes|no>
tunnel-inspected <yes|no> tunnel-decap <yes|no> decrypt-mirror <yes|no> count <yes|no> type
<flow|predict|tunnel|forward|vni> state <inial|opening|acve|discard|closing|closed> vni-id
<0-16777215> from <value> to <value> source <ip/netmask> desnaon <value> source-user
<value> desnaon-user <value> source-port <1-65535> desnaon-port <1-65535> protocol

PAN-OS CLI Quick Start Version Version 10.1 165 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

<1-255> applicaon <value> rule <value> nat-rule <value> qos-rule <value> pbf-rule <value>
sdwan-rule <value> hw-interface <value> ingress-interface <value> egress-interface <value> min-
kb <1-1048576> min-age <1-4194304> min-queued-l7 <1-1048576> qos-node-id <0-5000>|
<-2> qos-class <1-8> vsys-name <value>|<any> ctd-ver <1-255> rematch <security-policy>
show session lag-flow-key-type
show session cache md5 <value>
show session cache all filter from <value> applicaon <value> promoted <yes|no> local-session-id
<1-4294967295>
show session change-smac-in-resp status
show session tcp-retransmit-scan status
show session tcp-o-app status
show zone-protecon zone <value>
show stascs
show arp
show plugins packages
show plugins installed
show plugins mandatory
show neighbor interface
show neighbor ndp-monitor
show admins all
show admins local
show predefined xpath <value>
show predefined-iot xpath <value>
show jobs id <1-4294967295>
show jobs all
show jobs pending
show jobs processed
show threat id <1-4294967295,...> fqdn <value> match <value> match-id <1-4294967295,...>
show locaon ip <ip/netmask>
show object stac ip <ip/netmask> vsys <value>
show object dynamic-address-group name <value>
show object dynamic-address-group all
show object registered-ip limit <1-500> start-point <1-100000> ip <ip/netmask>
show object registered-ip limit <1-500> start-point <1-100000> iprange <ip-range>
show object registered-ip limit <1-500> start-point <1-100000> all opon <count|file>

PAN-OS CLI Quick Start Version Version 10.1 166 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show object registered-user user <value>

show object registered-user all start-point <1-524288> limit <1-500> opon <count|file>
show report id <1-4294967295>
show report directory-lisng
show report jobs
show report cache cache_id <1-4294967295>
show report cache info
show report exec_mgr batch_id <1-4294967295>
show report exec_mgr info
show report predefined name equal <bandwidth-trend|risk-trend|risky-users|spyware-infected-
hosts|threat-trend|top-applicaon-categories|top-applicaons|top-aacker-sources|top-aacker-
desnaons|top-aackers-by-source-countries|top-aackers-by-desnaon-countries|top-
aacks|top-blocked-url-categories|top-blocked-url-user-behavior|top-blocked-url-users|top-
blocked-websites|top-connecons|top-denied-applicaons|top-denied-desnaons|top-denied-
sources|top-desnaon-countries|top-desnaons|top-egress-interfaces|top-egress-zones|top-
hp-applicaons|top-ingress-interfaces|top-ingress-zones|top-rules|top-source-countries|top-
sources|top-spyware-threats|top-technology-categories|top-url-categories|top-url-user-behavior|
top-url-users|top-users|top-vicm-sources|top-vicm-desnaons|top-vicms-by-source-
countries|top-vicms-by-desnaon-countries|top-viruses|top-vulnerabilies|top-websites|
unknown-tcp-connecons|unknown-udp-connecons|wildfire-file-digests>
show report predefined start-me equal <value>
show report predefined end-me equal <value>
show report custom database equal <appstat|trsum|thsum|urlsum|tunnelsum|gtpsum|
sctpsum|desum|traffic|threat|url|wildfire|data|hipmatch|userid|tunnel|auth|gtp|sctp|decrypon|
globalprotect>
show report custom topn equal <value>
show report custom receive_me in <last-15-minutes|last-hour|last-6-hrs|last-12-hrs|last-24-
hrs|last-calendar-day|last-7-days|last-7-calendar-day|last-calendar-week|last-30-days|last-30-
calendar-day|last-calendar-month>
show report custom query equal <value>
show report custom aggregate-fields equal <value>
show report custom value-fields equal <value>
show query effecve-queries query <value> logtypes
show query effecve-queries query <value> logtypes [ <logtypes1> <logtypes2>... ]
show query result id <1-4294967295> skip <0-4294967295>
show query jobs
show query corr-detail id <1-4294967295>
show url-cloud status

PAN-OS CLI Quick Start Version Version 10.1 167 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show chassis inventory

show dos-block-table all start-at <1-2097152> filter source-ip <ip/netmask> ingress-zone <value>
dos-profile <value> slot <1-20> type <hw|sw>
show dos-block-table hardware start-at <1-2097152> filter source-ip <ip/netmask> ingress-zone
<value> dos-profile <value> slot <1-20>
show dos-block-table soware start-at <1-2097152> filter source-ip <ip/netmask> ingress-zone
<value> dos-profile <value> slot <1-20>
show dos-block-table summary
show system packet-path-test status
show system soware status
show system masterkey-properes
show system info
show system last-commit-info
show system services
show system state filter <value>
show system state filter-prey <value>
show system state browser
show system crypto entropy-status
show system environmentals slot <value>
show system environmentals fans slot <value>
show system environmentals thermal slot <value>
show system environmentals power slot <value>
show system stascs session
show system stascs applicaon vsys <value>
show system resources follow
show system disk-space files
show system logdb-quota
show system files
show system seng arp-cache-meout
show system seng rule-hit-count
show system seng logging log-compression
show system seng packet-descriptor-monitor
show system seng mp-memory-monitor
show system seng zip

PAN-OS CLI Quick Start Version Version 10.1 168 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show system seng packet

show system seng ul
show system seng pow
show system seng ctd state
show system seng ctd threat id <1-4294967295> applicaon <0-4294967295> profile
<0-4294967295>
show system seng ctd url-block-cache
show system seng ctd lscan-mode
show system seng ctd sml-token
show system seng mp-vr-vif-install-only-host-route
show system seng fast-fail-over
show system seng delay-interface-process
show system seng rip-poison-reverse
show system seng appid-match
show system seng ctd-mode
show system seng dfa-mode
show system seng jumbo-frame
show system seng icmp6-error
show system seng ip6-defrag-meout
show system seng hardware-acl-blocking-enable
show system seng hardware-acl-blocking-duraon
show system seng lro
show system seng conn-tracker
show system seng dpdk-pkt-io
show system seng capve-portal-workers
show system seng mul-vsys
show system seng url-database
show system seng url-cache stascs
show system seng url-cache all
show system seng ssl-decrypt gp-cookie-cache user <value>
show system seng ssl-decrypt seng
show system seng ssl-decrypt cerficate-cache
show system seng ssl-decrypt cerficate
show system seng ssl-decrypt nofy-cache

PAN-OS CLI Quick Start Version Version 10.1 169 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show system seng ssl-decrypt exclude-cache

show system seng ssl-decrypt session-cache
show system seng ssl-decrypt dns-cache
show system seng ssl-decrypt rewrite-stats
show system seng ssl-decrypt hsm-request
show system seng ssl-decrypt memory detail
show system seng shared-policy
show system seng template
show system seng target-vsys
show system bootstrap status
show system ztp status
show pbf rule name <value>
show pbf rule all
show pbf return-mac name <value>
show pbf return-mac all
show bonjour interface
show sdwan connecon <value>|<all>
show sdwan path-monitor parameter path-name <value>
show sdwan path-monitor parameter vif <value>
show sdwan path-monitor parameter all-dp <all>
show sdwan path-monitor parameter adapve <all>
show sdwan path-monitor parameter acve <all|ip|fqdn|url>
show sdwan path-monitor parameter conn-idx <0-65534>
show sdwan path-monitor stats path-name <value>
show sdwan path-monitor stats vif <value>
show sdwan path-monitor stats all-dp <yes>
show sdwan path-monitor stats adapve <all>
show sdwan path-monitor stats acve <all|ip|fqdn|url>
show sdwan path-monitor stats dia-vif <all|idx|name>
show sdwan path-monitor stats conn-idx <0-65534>
show sdwan path-monitor dia-anypath packet-buffer <all>
show sdwan path-monitor policy-map
show sdwan session path-select session-id <1-4294967295>

PAN-OS CLI Quick Start Version Version 10.1 170 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show sdwan session log session-id <1-4294967295>

show sdwan session distribuon policy-name <value>
show sdwan event
show sdwan pool details
show sdwan rule vif <value>|<all>
show sdwan details basic
show sdwan details session id <1-4294967295>
show sdwan details conn idx <0-4294967295>
show sdwan details vif idx <0-4294967295>
show sdwan details rule idx <0-4294967295>
show sdwan details rule id <0-4294967295>
show sdwan details fec-en idx <0-4294967295>
show sdwan details fec-de idx <0-4294967295>
show sdwan details pd idx <0-4294967295>
show qos interface
show qos interface <name> throughput <0-65535>
show qos interface <name> show-regular-node <0-65535>|<regular>
show qos interface <name> tunnel-throughput <value>
show qos interface <name> show-tunnel-node <0-65535>|<tunnel>
show qos interface <name> match-rule
show qos interface <name> counter
show qos interface <name> hw-counter
show qos interface <name> show-bypass-node
show qos interface <name> show-all-levels
show tunnel-acceleraon
show vpn gateway name <value>
show vpn gateway match <value>
show vpn tunnel name <value>
show vpn tunnel match <value>
show vpn ike-sa gateway <value>
show vpn ike-sa match <value>
show vpn ike-sa detail gateway <value>
show vpn ike-hashurl

PAN-OS CLI Quick Start Version Version 10.1 171 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vpn ipsec-sa tunnel <value>

show vpn ipsec-sa match <value>
show vpn ipsec-sa summary
show vpn flow name <value>
show vpn flow tunnel-id <1-65535>
show global-protect-firewall summary firewall-client-version-last-acvity-me
show global-protect-gateway gateway name <value> type <remote-user|satellite>
show global-protect-gateway stascs gateway <value> domain <value>
show global-protect-gateway current-user gateway <value> domain <value> user <value>
show global-protect-gateway current-satellite gateway <value> satellite <value>
show global-protect-gateway previous-user gateway <value> domain <value> user <value>
show global-protect-gateway previous-satellite gateway <value> satellite <value>
show global-protect-gateway flow name <value>
show global-protect-gateway flow tunnel-id <1-65535>
show global-protect-gateway flow-site-to-site name <value>
show global-protect-gateway flow-site-to-site tunnel-id <1-65535>
show global-protect-gateway summary all
show global-protect-gateway summary detail name <value>
show global-protect-satellite interface <value>|<all>
show global-protect-satellite satellite name <value>
show global-protect-satellite current-gateway satellite <value> gateway <value>
show global-protect-mdm state <value>|<all>
show global-protect-mdm stascs
show advanced-roung fib afi <ipv4|ipv6|both>
show advanced-roung route type <bgp|stac|connect> afi <ipv4|ipv6|both>
show advanced-roung stac-route-path-monitor
show advanced-roung bgp summary
show advanced-roung bgp route afi <ipv4|ipv6|both>
show advanced-roung bgp peer-groups
show advanced-roung bgp peer detail peer-name <value>
show advanced-roung bgp peer rib-out peer-name <value> afi <ipv4|ipv6|both>
show advanced-roung bgp peer status
show roung interface

PAN-OS CLI Quick Start Version Version 10.1 172 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show roung resource

show roung summary virtual-router <value>
show roung fib virtual-router <value> ecmp <yes|no> afi <both|ipv4|ipv6>
show roung route desnaon <ip/netmask> interface <value> nexthop <ip/netmask> type
<stac|connect|bgp|ospf|rip> virtual-router <value> count <1-524288> ecmp <yes|no> afi <both|
ipv4|ipv6> safi <both|unicast|mulcast>
show roung mulcast route group <ip/netmask> source <ip/netmask> interface <value> virtual-
router <value>
show roung mulcast fib group <ip/netmask> source <ip/netmask> interface <value> virtual-
router <value>
show roung mulcast group-permission interface <value> virtual-router <value>
show roung mulcast igmp interface virtual-router <value>
show roung mulcast igmp membership interface <value> virtual-router <value>
show roung mulcast igmp stascs interface <value>
show roung mulcast pim interface virtual-router <value>
show roung mulcast pim neighbor virtual-router <value>
show roung mulcast pim group-mapping group <ip/netmask> virtual-router <value>
show roung mulcast pim elected-bsr
show roung mulcast pim state virtual-router <value> group <ip/netmask> interface <value>
source <ip/netmask>|<any> rpt-only <yes|no>
show roung mulcast pim stascs interface <value> neighbor <ip/netmask>
show roung protocol redist all virtual-router <value>
show roung protocol redist bgp virtual-router <value>
show roung protocol redist ospf virtual-router <value>
show roung protocol redist ospfv3 virtual-router <value>
show roung protocol redist rip virtual-router <value>
show roung protocol bgp summary virtual-router <value>
show roung protocol bgp peer peer-name <value> virtual-router <value>
show roung protocol bgp peer-group group-name <value> virtual-router <value>
show roung protocol bgp policy virtual-router <value> aggregate
show roung protocol bgp policy virtual-router <value> import
show roung protocol bgp policy virtual-router <value> export
show roung protocol bgp policy virtual-router <value> cond-adv
show roung protocol bgp loc-rib peer <value> prefix <ip/netmask> nexthop <ip/netmask>
virtual-router <value> count <1-524288> afi <ipv4|ipv6|both> safi <unicast|mulcast|both>

PAN-OS CLI Quick Start Version Version 10.1 173 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show roung protocol bgp rib-out peer <value> prefix <ip/netmask> nexthop <ip/netmask>
virtual-router <value> count <1-524288> afi <ipv4|ipv6|both> safi <unicast|mulcast|both>
show roung protocol bgp loc-rib-detail peer <value> prefix <ip/netmask> nexthop <ip/netmask>
virtual-router <value> count <1-524288> afi <ipv4|ipv6|both> safi <unicast|mulcast|both>
show roung protocol bgp rib-out-detail peer <value> prefix <ip/netmask> nexthop <ip/netmask>
virtual-router <value> count <1-524288> afi <ipv4|ipv6|both> safi <unicast|mulcast|both>
show roung protocol ospf summary virtual-router <value>
show roung protocol ospf area virtual-router <value>
show roung protocol ospf interface virtual-router <value>
show roung protocol ospf virt-link virtual-router <value>
show roung protocol ospf neighbor virtual-router <value>
show roung protocol ospf virt-neighbor virtual-router <value>
show roung protocol ospf lsdb virtual-router <value>
show roung protocol ospf dumplsdb virtual-router <value>
show roung protocol ospf graceful-restart virtual-router <value>
show roung protocol ospfv3 summary virtual-router <value>
show roung protocol ospfv3 area virtual-router <value>
show roung protocol ospfv3 interface brief <yes|no> virtual-router <value>
show roung protocol ospfv3 virt-link virtual-router <value>
show roung protocol ospfv3 neighbor brief <yes|no> virtual-router <value>
show roung protocol ospfv3 virt-neighbor brief <yes|no> virtual-router <value>
show roung protocol ospfv3 lsdb scope <link-local|area-local|as-local|all> adv-rtr <ip/netmask>
area-id <ip/netmask> lsa-id <ip/netmask> hexdump <yes|no> filter-type-area <inter-area-prefix|
inter-area-router|intra-area-prefix|network|router|nssa> virtual-router <value>
show roung protocol ospfv3 dumplsdb scope <link-local|area-local|as-local|all> adv-rtr <ip/
netmask> area-id <ip/netmask> lsa-id <ip/netmask> hexdump <yes|no> filter-type-area <inter-
area-prefix|inter-area-router|intra-area-prefix|network|router|nssa> virtual-router <value>
show roung protocol ospfv3 graceful-restart virtual-router <value>
show roung protocol rip summary virtual-router <value>
show roung protocol rip interface virtual-router <value>
show roung protocol rip peer virtual-router <value>
show roung protocol rip database virtual-router <value>
show roung bfd details virtual-router <value> interface <value> local-ip <value> peer-ip <value>
mulhop <yes|no> session-id <1-1024>
show roung bfd summary virtual-router <value> interface <value> local-ip <value> peer-ip
<value> mulhop <yes|no> session-id <1-1024>

PAN-OS CLI Quick Start Version Version 10.1 174 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show roung bfd acve-profile name <value>

show roung bfd drop-counters session-id <1-1024>
show roung path-monitor virtual-router <value>
show resource limit policies
show resource limit session
show resource limit ssl-vpn
show resource limit vpn
show sslmgr-store satellite-info portal name <value> serialno <value> state <assigned|
unassigned>
show sslmgr-store cerficate-info issuer <value>
show sslmgr-store cerficate-info portal name <value> serialno <value> db-serialno <value>
show sslmgr-store serialno-cerficate-info db-serialno <value>
show sslmgr-store config-cerficate-info db-serialno <value> issuer-subjectname-hash <value>
show sslmgr-store config-ca-cerficate subjectname-hash <value> publickey-hash <value>
show sslmgr-max-check-cert-jobs
show global-protect redirect
show global-protect locaon
show global-protect worker-threads
show global-protect sysd-health
show hsm client-address
show hsm ha-status
show hsm client-version
show hsm client-version-list
show hsm info
show hsm nshield-connect-rfs
show hsm state
show hsm servers
show hsm slots
show lacp aggregate-ethernet <value>|<all>
show lldp config <value>|<all>
show lldp counters <value>|<all>
show lldp local <value>|<all>
show lldp neighbors <value>|<all>
show log-collector preference-list

PAN-OS CLI Quick Start Version Version 10.1 175 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show license-token-files name <value>

show wildfire-realme-cache virus-paern-type <PE|Hash|ALL>
show wildfire-realme-cache total
show wildfire-realme-stats
show wildfire-realme-cloud-status
show global-protect-portal stascs portal <value>
show global-protect-portal current-user portal <value> filter-user user <value>
show global-protect-portal current-user portal <value> filter-user match-user <value>
show global-protect-portal current-user portal <value> filter-user id <value>
show global-protect-portal current-user portal <value> filter-user all-users
show global-protect-portal cookie-cache portal <value> filter-user user <value>
show global-protect-portal cookie-cache portal <value> filter-user match-user <value>
show global-protect-portal cookie-cache portal <value> filter-user id <value>
show global-protect-portal cookie-cache portal <value> filter-user all-users
show global-protect-portal summary all
show global-protect-portal summary detail name <value>
show netstat route <yes|no> interfaces <yes|no> groups <yes|no> stascs <yes|no> verbose
<yes|no> numeric <yes|no> numeric-hosts <yes|no> numeric-ports <yes|no> numeric-users <yes|
no> symbolic <yes|no> extend <yes|no> programs <yes|no> connuous <yes|no> listening <yes|
no> all <yes|no> mers <yes|no> fib <yes|no> cache <yes|no> notrim <yes|no>
show obsolete-disabled-ssl-exclusions
show mlav lookup-cache
show mlav request-stats
show mlav meta-data
show mlav mlav-info
show mlav cloud-status
show ctd-agent status shm
show ctd-agent status workers
show ctd-agent status errors
show ctd-agent version
show ctd-agent config
show ctd-agent dp-config
show ctd-agent stascs
debug cli <on|off|include-compleon|exclude-compleon|mestamp|detail|show>

PAN-OS CLI Quick Start Version Version 10.1 176 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-telemetry refresh-dest-server

debug list-blocked-paral-xpaths
debug list-admin-history
debug set-content-download-retry aempts <1-3>
debug log-output-need-u8 no
debug log-output-need-u8 yes
debug log-output-need-u8 show
debug run-panorama-predefined-report no
debug run-panorama-predefined-report yes
debug run-panorama-predefined-report show
debug predefined-report-default disabled
debug predefined-report-default enabled
debug predefined-report-default show
debug logview role <value> slot <value> severity <value> quiet <yes|no> display-forward <yes|
no> thorough <yes|no> max-logs <100-20000> component <value> start-me <value> end-me
<value>
debug system disk-smart-info disk-1
debug system disk-paron-info
debug system process-info
debug system maintenance-mode
debug system disk-sync
debug system check-fragment
debug system ssh-key-reset management
debug system ssh-key-reset high-availability
debug system ssh-key-reset all
debug syslog-ng stats
debug syslog-ng start
debug syslog-ng stop
debug syslog-ng restart
debug syslog-ng status
debug syslog-ng reload
debug syslog-ng debug debug on
debug syslog-ng debug debug off
debug syslog-ng debug trace on

PAN-OS CLI Quick Start Version Version 10.1 177 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug syslog-ng debug trace off

debug syslog-ng debug verbose on
debug syslog-ng debug verbose off
debug syslogng-params reset-to-default-sengs
debug syslogng-params sengs me-reopen <1-900> dst-keep-alive <yes|no> so-keepalive <yes|
no> tcp-keepalive-intvl <0-1800> tcp-keepalive-me <0-7200> tcp-keepalive-probes <0-64>
debug syslogng-params show
debug swm list
debug swm log
debug swm history
debug swm status
debug swm unlock
debug swm revert
debug swm rebuild-content-db
debug swm refresh content
debug swm info image <value>
debug swm install image <value> patch <value>
debug swm delete image <value>
debug swm load image <value>
debug swm load-uploaded image <value>
debug soware core <dhcp|device-server|management-server|web-server|web-backend|l3-
service|sslvpn-web-server|rasmgr|log-receiver|routed|distributord|iotd|user-id|vardata-receiver|
ikemgr|keymgr|satd|sslmgr|dnsproxy|l2ctrl|authd|snmpd|cord|configd|reportd|pan-comm|ifmgr|
pan-dssd>
debug soware fd-limit service <value> limit <0-4294967295>
debug soware no-fd-limit service <value>
debug soware virt-limit service <value> limit <0-4194303>
debug soware no-virt-limit service <value>
debug soware phy-limit service <value> limit <0-4194303>
debug soware no-phy-limit service <value>
debug soware logging-level show level service <value>
debug soware logging-level show feature service <value>
debug soware logging-level show feature-defs service <value>
debug soware logging-level set level default service <value>
debug soware logging-level set level error service <value>

PAN-OS CLI Quick Start Version Version 10.1 178 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug soware logging-level set level warn service <value>

debug soware logging-level set level info service <value>
debug soware logging-level set level debug service <value>
debug soware logging-level set level dump service <value>
debug soware logging-level set feature service <value> mask <value>
debug soware pprof service <value>
debug soware no-pprof service <value>
debug soware memsize_tracked
debug soware resource subsystem <value> plane <value> slot <0-64> show configuraon
debug soware resource subsystem <value> plane <value> slot <0-64> set group <value> limit
<value> value <value>
debug soware disk-usage cleanup threshold <90-100> deep
debug soware disk-usage aggressive-cleaning enable
debug soware disk-usage aggressive-cleaning disable
debug soware disk-usage dangling-fds target-name <value> target-slot <value>
debug soware kernelcfg zram-swap enable
debug soware kernelcfg zram-swap disable
debug soware kernelcfg zram-swap show run-me
debug soware kernelcfg zram-swap show config
debug soware kernelcfg zram-swap modify num-dev <1-4> disk-size <512-64000> mem-limit-
percent <5-50> host-mem-threshold <64-64000>
debug soware generate-sar-report current-date
debug soware restart process <crypto|dhcp|device-server|ikemgr|keymgr|management-server|
web-server|web-backend|l3-service|sslvpn-web-server|rasmgr|log-receiver|routed|user-id|vardata-
receiver|pppoe|satd|sslmgr|dnsproxy|l2ctrl|ntp|authd|snmpd|cord|configd|reportd|pan-comm|ifmgr|
distributord|icd|iotd|dscd|pan-dssd|ctd-agent> core <yes>
debug soware large-core show-reserved-space
debug soware trace device-server
debug soware trace management-server
debug soware trace web-server
debug soware trace web-backend
debug soware trace l3-service
debug soware trace sslvpn-web-server
debug soware trace ikemgr
debug soware trace keymgr

PAN-OS CLI Quick Start Version Version 10.1 179 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug soware trace log-receiver

debug soware trace user-id
debug soware trace vardata-receiver
debug soware trace ifmgr
debug soware trace configd
debug soware trace reportd
debug soware trace iotd
debug sysd top fetch
debug sysd top modify
debug sysd summary
debug sysd process-query command <value> process <value> trarg <10-100>
debug sysd prefix-query command <value> prefix <value>
debug high-availability on <error|warn|info|debug|dump>
debug high-availability flap-interface interface <ha1|ha1-backup|ha2|ha2-backup|ha3|ha4|ha4-
backup>
debug high-availability off
debug high-availability show
debug high-availability internal-dump
debug high-availability dataplane-status
debug master-service on <error|warn|info|debug|dump>
debug master-service off
debug master-service show
debug master-service internal-dump
debug logdb-usage
debug reportd on <error|warn|info|debug|dump|all|general|cache|cache-detail|batch-mgr|exec-
mgr|job-kill|unified-log|search-engine-query-normal|search-engine-query-detail|search-engine-api|
search-engine-req-resp|search-engine-report-mgr|search-engine-report-req|search-engine-report-
resp|search-engine-cache-mgr>
debug reportd off <reset|all|general|cache|cache-detail|batch-mgr|exec-mgr|job-kill|unified-log|
search-engine-query-normal|search-engine-query-detail|search-engine-api|search-engine-req-
resp|search-engine-report-mgr|search-engine-report-req|search-engine-report-resp|search-
engine-cache-mgr>
debug reportd set-meout <300-18000>
debug reportd corr-mgr on <general|object|instance|sync|filter|back-query|log-match|msg|db|
acon|summary|noficaon|all>

PAN-OS CLI Quick Start Version Version 10.1 180 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug reportd corr-mgr off <general|object|instance|sync|filter|back-query|log-match|msg|db|

acon|summary|noficaon|all>
debug reportd corr-mgr stats show object <value>
debug reportd corr-mgr stats clear object <value>
debug reportd corr-mgr show brief
debug reportd corr-mgr show object id <value>
debug reportd corr-mgr show object list
debug reportd corr-mgr show instance summary
debug reportd corr-mgr show instance search category <value> type <value> skip <value>
contains <value>
debug reportd corr-mgr show filter search object <value> name <value> start-index <value>
contains <value> skip <value>
debug reportd corr-mgr show failed serialize
debug reportd corr-mgr show failed deserialize
debug reportd corr-mgr show failed acon
debug reportd corr-mgr show failed summary
debug reportd corr-mgr show back-query status <constructed|pending|working|executed>
debug reportd send-request-to-7k yes
debug reportd send-request-to-7k no
debug reportd send-request-to-7k show
debug reportd show
debug reportd contmgr status
debug management-server on <error|warn|info|debug|dump>
debug management-server db-rollup <on|off>
debug management-server req-stats <enable|disable>
debug management-server memory <info|trim>
debug management-server rule-hit <yes|no>
debug management-server app-config-trigger <yes|no>
debug management-server autofocus <on|off>
debug management-server unified-log <on|off>
debug management-server secure-conn show mgmt config file <current|previous|new>
debug management-server secure-conn show mgmt detail
debug management-server secure-conn show ha config file <current|previous|new>
debug management-server secure-conn show scep-cert-renewal-me

PAN-OS CLI Quick Start Version Version 10.1 181 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug management-server secure-conn show scep-cert-retry-on-failure-interval

debug management-server secure-conn set scep-cert-renewal-me <0-300000>
debug management-server secure-conn set scep-cert-retry-on-failure-interval <0-300000>
debug management-server vld stats cc
debug management-server conn
debug management-server log-forwarding-congeson-ctrl set reno
debug management-server log-forwarding-congeson-ctrl set default
debug management-server log-forwarding-congeson-ctrl show
debug management-server log-forwarding-stats
debug management-server corr-mgr on <general|object|instance|sync|filter|back-query|log-match|
msg|db|acon|summary|noficaon|all>
debug management-server corr-mgr off <general|object|instance|sync|filter|back-query|log-match|
msg|db|acon|summary|noficaon|all>
debug management-server corr-mgr stats show object <value>
debug management-server corr-mgr stats clear object <value>
debug management-server corr-mgr show brief
debug management-server corr-mgr show object id <value>
debug management-server corr-mgr show object list
debug management-server corr-mgr show instance summary
debug management-server corr-mgr show instance search category <value> type <value> skip
<value> contains <value>
debug management-server corr-mgr show filter search object <value> name <value> start-index
<value> contains <value> skip <value>
debug management-server corr-mgr show failed serialize
debug management-server corr-mgr show failed deserialize
debug management-server corr-mgr show failed acon
debug management-server corr-mgr show failed summary
debug management-server corr-mgr show back-query status <constructed|pending|working|
executed>
debug management-server telemetry-triggers per-signature-limit <0-200>
debug management-server telemetry-triggers raw-threat-log-limit <0-3000>
debug management-server telemetry-triggers related-threat-log-limit <0-150>
debug management-server telemetry-triggers correlated-threat-log-limit <0-150>
debug management-server telemetry-triggers counters reset
debug management-server telemetry-triggers counters show

PAN-OS CLI Quick Start Version Version 10.1 182 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug management-server off
debug management-server clear
debug management-server show
debug management-server show-predef-hash
debug management-server check-predef-hash
debug management-server db-intervals start-me <value> end-me <value> period <last-hour|
last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendar-week|
last-30-days|last-30-calendar-days|last-calendar-month> db <trsum|hourlytrsum|dailytrsum|
weeklytrsum|thsum|hourlythsum|dailythsum|weeklythsum|urlsum|hourlyurlsum|dailyurlsum|
weeklyurlsum|gtpsum|hourlygtpsum|dailygtpsum|weeklygtpsum|sctpsum|hourlysctpsum|
dailysctpsum|weeklysctpsum|desum|hourlydesum|dailydesum|weeklydesum>
debug management-server rolledup-intervals start-me <value> end-me <value> period <last-
hour|last-12-hrs|last-24-hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendar-
week|last-30-days|last-30-calendar-days|last-calendar-month> db <trsum|thsum|urlsum|gtpsum|
sctpsum|desum>
debug management-server log-collector-agent-status
debug management-server client disable <value>
debug management-server client enable <value>
debug management-server snmp-memory-map show
debug management-server snmp-memory-map clear
debug management-server device-monitoring enable <yes|no>
debug management-server last-candidatecfg-audit info
debug management-server last-candidatecfg-audit show version <value>
debug management-server last-candidatecfg-audit diff base-version <value> version <value>
debug management-server disable-cms-conn-check yes
debug management-server disable-cms-conn-check no
debug management-server disable-cms-conn-check show
debug management-server rule-hit-purge
debug management-server app-usage-data-purge
debug management-server set comm <basic|detail|all>
debug management-server set panorama <basic|detail|all>
debug management-server set proxy <basic|detail|all>
debug management-server set server <basic|detail|all>
debug management-server set cfg <basic|detail|all>
debug management-server set log <basic|detail|all>
debug management-server set logacon <basic|detail|all>

PAN-OS CLI Quick Start Version Version 10.1 183 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug management-server set logquery <basic|detail|all>

debug management-server set report <basic|detail|all>
debug management-server set commit <basic|detail|all>
debug management-server set schema <basic|detail|all>
debug management-server set content <basic|detail|all>
debug management-server set auth <basic|detail|all>
debug management-server set fqdn <basic|detail|all>
debug management-server set sengs <basic|detail|all>
debug management-server set logforwarding <basic|detail|all>
debug management-server set commoncriteria <basic|detail|all>
debug management-server set lock <basic|detail|all>
debug management-server set all
debug management-server unset comm <basic|detail|all>
debug management-server unset panorama <basic|detail|all>
debug management-server unset proxy <basic|detail|all>
debug management-server unset server <basic|detail|all>
debug management-server unset cfg <basic|detail|all>
debug management-server unset log <basic|detail|all>
debug management-server unset logacon <basic|detail|all>
debug management-server unset logquery <basic|detail|all>
debug management-server unset report <basic|detail|all>
debug management-server unset commit <basic|detail|all>
debug management-server unset schema <basic|detail|all>
debug management-server unset content <basic|detail|all>
debug management-server unset auth <basic|detail|all>
debug management-server unset fqdn <basic|detail|all>
debug management-server unset sengs <basic|detail|all>
debug management-server unset logforwarding <basic|detail|all>
debug management-server unset commoncriteria <basic|detail|all>
debug management-server unset lock <basic|detail|all>
debug management-server unset all
debug management-server template dump-config from <local|template|merged> xpath <value>
debug management-server user info name <value>

PAN-OS CLI Quick Start Version Version 10.1 184 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug management-server user bitmap

debug management-server dg-ctxt vsys <value>
debug management-server contmgr status
debug authencaon on <error|warn|info|debug|dump>
debug authencaon off
debug authencaon show
debug authencaon show-pending-requests
debug authencaon show-acve-requests
debug authencaon connecon-show protocol-type <TACACS+|LDAP|Kerberos|RADIUS>
connecon-id <0-4294967295>
debug authencaon connecon-debug-on protocol-type <TACACS+|LDAP|Kerberos|RADIUS>
connecon-id <0-4294967295> debug-prefix <value>
debug authencaon connecon-debug-off protocol-type <TACACS+|LDAP|Kerberos|RADIUS>
connecon-id <0-4294967295>
debug cord on <error|warn|info|debug|dump>
debug cord corr-mgr on <general|object|instance|sync|filter|back-query|log-match|msg|db|acon|
summary|noficaon|all>
debug cord corr-mgr off <general|object|instance|sync|filter|back-query|log-match|msg|db|acon|
summary|noficaon|all>
debug cord corr-mgr stats show object <value>
debug cord corr-mgr stats clear object <value>
debug cord corr-mgr show brief
debug cord corr-mgr show object id <value>
debug cord corr-mgr show object list
debug cord corr-mgr show instance summary
debug cord corr-mgr show instance search category <value> type <value> skip <value> contains
<value>
debug cord corr-mgr show filter search object <value> name <value> start-index <value> contains
<value> skip <value>
debug cord corr-mgr show failed serialize
debug cord corr-mgr show failed deserialize
debug cord corr-mgr show failed acon
debug cord corr-mgr show failed summary
debug cord corr-mgr show back-query status <constructed|pending|working|executed>
debug cord off
debug cord show

PAN-OS CLI Quick Start Version Version 10.1 185 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug cord stats show

debug cord stats clear
debug cord object-stats show
debug cord object-stats clear
debug cord object-stats show-seng
debug cord object-stats set off
debug cord object-stats set on
debug cord delete db
debug cord delete events objectname <value>
debug cord delete instances match <value>
debug device-server on <error|warn|info|debug|dump>
debug device-server set third-party <libcurl|all>
debug device-server set misc <misc|all>
debug device-server set base <config|ha|id|all>
debug device-server set url <basic|cloud|ha|match|rfs|stat|all>
debug device-server set mlav <basic|cache|cloud|all>
debug device-server set wfrt <basic|cloud|all>
debug device-server set url_trie <basic|stat|all>
debug device-server set config <basic|tdb|fpga|fqdn|dag|dpupdates|all>
debug device-server set tdb <basic|aho|all>
debug device-server set all
debug device-server unset third-party <libcurl|all>
debug device-server unset base <config|ha|id|all>
debug device-server unset misc <misc|all>
debug device-server unset url <basic|all>
debug device-server unset config <basic|tdb|fpga|all>
debug device-server unset tdb <basic|aho|all>
debug device-server unset mlav <basic|cache|cloud|all>
debug device-server unset wfrt <basic|cloud|all>
debug device-server unset all
debug device-server test url-category <1-16383>
debug device-server test admin-override-password <value>
debug device-server test botnet-domain

PAN-OS CLI Quick Start Version Version 10.1 186 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server test dynamic-url cloud <yes|no> unknown-only <yes|no> async <yes|no>
debug device-server test nw_id opons <value>
debug device-server test idmgr-change-max type global-interface new-max-id <1-16383>
debug device-server test idmgr-change-max type global-vrouter new-max-id <1-249>
debug device-server test idmgr-change-max type security-rule new-max-id <1-16383>
debug device-server test idmgr-change-max type ssl-rule new-max-id <1-4096>
debug device-server test idmgr-change-max type shared-custom-url-category new-max-id
<11052-11150>
debug device-server test idmgr-change-max type vsys-custom-url-category new-max-id
<11152-14000>
debug device-server test idmgr-change-max type shared-applicaon new-max-id <1-16383>
debug device-server test idmgr-change-max type vsys-applicaon new-max-id <3585-10000>
debug device-server test idmgr-change-max type zone new-max-id <1-16383>
debug device-server test idmgr-change-max type hip-profile new-max-id <1-16383>
debug device-server test idmgr-restore-default-max type global-interface
debug device-server test idmgr-restore-default-max type global-vrouter
debug device-server test idmgr-restore-default-max type security-rule
debug device-server test idmgr-restore-default-max type ssl-rule
debug device-server test idmgr-restore-default-max type shared-custom-url-category
debug device-server test idmgr-restore-default-max type vsys-custom-url-category
debug device-server test idmgr-restore-default-max type shared-applicaon
debug device-server test idmgr-restore-default-max type vsys-applicaon
debug device-server test idmgr-restore-default-max type zone
debug device-server test idmgr-restore-default-max type hip-profile
debug device-server reset logging stascs
debug device-server reset id-manager type all
debug device-server reset id-manager type edl-domain
debug device-server reset id-manager type edl-ip
debug device-server reset id-manager type global-interface
debug device-server reset id-manager type global-rib-instance
debug device-server reset id-manager type global-tunnel
debug device-server reset id-manager type global-vlan
debug device-server reset id-manager type global-vlan-domain
debug device-server reset id-manager type global-vrouter

PAN-OS CLI Quick Start Version Version 10.1 187 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server reset id-manager type ike-gateway

debug device-server reset id-manager type nat-rule
debug device-server reset id-manager type pbf-rule
debug device-server reset id-manager type sdwan-rule
debug device-server reset id-manager type network-packet-broker-rule
debug device-server reset id-manager type sdwan-link-tag
debug device-server reset id-manager type security-rule
debug device-server reset id-manager type shared-applicaon
debug device-server reset id-manager type shared-applicaon-filter
debug device-server reset id-manager type shared-applicaon-group
debug device-server reset id-manager type custom-url-filter
debug device-server reset id-manager type shared-gateway
debug device-server reset id-manager type shared-region
debug device-server reset id-manager type shared-custom-url-category
debug device-server reset id-manager type shared-edl-url-category
debug device-server reset id-manager type shared-header-insert-hosts
debug device-server reset id-manager type ssl-rule
debug device-server reset id-manager type tci-rule
debug device-server reset id-manager type vsys
debug device-server reset id-manager type vsys-applicaon
debug device-server reset id-manager type vsys-applicaon-filter
debug device-server reset id-manager type vsys-applicaon-group
debug device-server reset id-manager type vsys-custom-url-category
debug device-server reset id-manager type vsys-edl-url-category
debug device-server reset id-manager type vsys-header-insert-hosts
debug device-server reset id-manager type vsys-region
debug device-server reset id-manager type zone
debug device-server reset id-manager type hp-header-insert-header-value
debug device-server reset id-manager type hip-profile
debug device-server reset id-manager type hip-object
debug device-server reset config
debug device-server reset com stascs
debug device-server pcap show

PAN-OS CLI Quick Start Version Version 10.1 188 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server pcap on virtualrouter <value>

debug device-server pcap off
debug device-server pcap delete
debug device-server pcap view
debug device-server pan-url-db db-info
debug device-server pan-url-db db-perf
debug device-server pan-url-db show-stats
debug device-server pan-url-db cloud-reelect
debug device-server pan-url-db test-seedurl
debug device-server pan-url-db db-backup back-duraon <5-480> back-threshold <3-30>
debug device-server shadow-rule-check-disable on
debug device-server shadow-rule-check-disable off
debug device-server shadow-rule-check-disable show
debug device-server app-depedency-check-disable on
debug device-server app-depedency-check-disable off
debug device-server app-depedency-check-disable show
debug device-server cp-allow-encrypted-disable on
debug device-server cp-allow-encrypted-disable off
debug device-server cp-allow-encrypted-disable show
debug device-server mlav clear-cache
debug device-server mlav revert-model filetype-id <1-255>
debug device-server mlav set-cloud-url url <value>
debug device-server mlav set-cloud-url default
debug device-server shadow-rule-check-disable on
debug device-server shadow-rule-check-disable off
debug device-server shadow-rule-check-disable show
debug device-server app-depedency-check-disable on
debug device-server app-depedency-check-disable off
debug device-server app-depedency-check-disable show
debug device-server cp-deny-non-tcp on
debug device-server cp-deny-non-tcp off
debug device-server cp-deny-non-tcp show
debug device-server cp-deny-tcp on

PAN-OS CLI Quick Start Version Version 10.1 189 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server cp-deny-tcp off

debug device-server cp-deny-tcp show
debug device-server trigger AddrObjRefresh
debug device-server dump memory <summary|detail>
debug device-server dump fqdn type policy vsys <value> fqdn-name <value>
debug device-server dump fqdn type pbf vsys <value> fqdn-name <value>
debug device-server dump fqdn type dnat vsys <value> fqdn-name <value>
debug device-server dump dynamic-address-group vsys <value> ip <ip/netmask>
debug device-server dump dynamic-address-group vsys <value> iprange <ip-range>
debug device-server dump dynamic-address-group vsys <value> detail
debug device-server dump pan-url-db stascs
debug device-server dump regips ip <ip/netmask>
debug device-server dump regips iprange <ip-range>
debug device-server dump regips tag <value>
debug device-server dump regips summary
debug device-server dump tag-table tag <value>
debug device-server dump idmgr high-availability state
debug device-server dump idmgr redis type shared-app-signature id <1-32767>
debug device-server dump idmgr redis type shared-app-signature name <value>
debug device-server dump idmgr redis type shared-app-signature all
debug device-server dump idmgr redis type shared-url-filtering id <1-250>
debug device-server dump idmgr redis type shared-url-filtering name <value>
debug device-server dump idmgr redis type shared-url-filtering all
debug device-server dump idmgr redis type vsys-app-signature id <32768-65535>
debug device-server dump idmgr redis type vsys-app-signature name <value>
debug device-server dump idmgr redis type vsys-app-signature all
debug device-server dump idmgr redis type vsys-url-filtering id <251-5000>
debug device-server dump idmgr redis type vsys-url-filtering name <value>
debug device-server dump idmgr redis type vsys-url-filtering all
debug device-server dump idmgr redis type log-seng id <1-65535>
debug device-server dump idmgr redis type log-seng name <value>
debug device-server dump idmgr redis type log-seng all
debug device-server dump idmgr redis type shared-qos-profile id <1-65535>

PAN-OS CLI Quick Start Version Version 10.1 190 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server dump idmgr redis type shared-qos-profile name <value>

debug device-server dump idmgr redis type shared-qos-profile all
debug device-server dump idmgr redis type shared-qos-group id <1-255>
debug device-server dump idmgr redis type shared-qos-group name <value>
debug device-server dump idmgr redis type shared-qos-group all
debug device-server dump idmgr redis type shared-qos-member id <1-65535>
debug device-server dump idmgr redis type shared-qos-member name <value>
debug device-server dump idmgr redis type shared-qos-member all
debug device-server dump idmgr redis type qos-rule id <1-65535>
debug device-server dump idmgr redis type qos-rule name <value>
debug device-server dump idmgr redis type qos-rule all
debug device-server dump idmgr redis type shared-bgp-peergrp id <1-2047>
debug device-server dump idmgr redis type shared-bgp-peergrp name <value>
debug device-server dump idmgr redis type shared-bgp-peergrp all
debug device-server dump idmgr redis type shared-bgp-peer id <1-2047>
debug device-server dump idmgr redis type shared-bgp-peer name <value>
debug device-server dump idmgr redis type shared-bgp-peer all
debug device-server dump idmgr redis type shared-bgp-aggr-address id <1-2047>
debug device-server dump idmgr redis type shared-bgp-aggr-address name <value>
debug device-server dump idmgr redis type shared-bgp-aggr-address all
debug device-server dump idmgr redis type auth-rule id <1-65535>
debug device-server dump idmgr redis type auth-rule name <value>
debug device-server dump idmgr redis type auth-rule all
debug device-server dump idmgr redis type override-rule id <1-65535>
debug device-server dump idmgr redis type override-rule name <value>
debug device-server dump idmgr redis type override-rule all
debug device-server dump idmgr redis type dos-rule id <1-65535>
debug device-server dump idmgr redis type dos-rule name <value>
debug device-server dump idmgr redis type dos-rule all
debug device-server dump idmgr redis type interface-group id <1-255>
debug device-server dump idmgr redis type interface-group name <value>
debug device-server dump idmgr redis type interface-group all
debug device-server dump idmgr redis type macl-rule id <1-4095>

PAN-OS CLI Quick Start Version Version 10.1 191 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server dump idmgr redis type macl-rule name <value>

debug device-server dump idmgr redis type macl-rule all
debug device-server dump idmgr redis type ospfv3-virtual-link id <1-4095>
debug device-server dump idmgr redis type ospfv3-virtual-link name <value>
debug device-server dump idmgr redis type ospfv3-virtual-link all
debug device-server dump idmgr redis type zone id <1-4294967295>
debug device-server dump idmgr redis type zone name <value>
debug device-server dump idmgr redis type zone all
debug device-server dump idmgr redis type vsys id <1-4294967295>
debug device-server dump idmgr redis type vsys name <value>
debug device-server dump idmgr redis type vsys all
debug device-server dump idmgr redis type dns-proxy id <1-512>
debug device-server dump idmgr redis type dns-proxy name <value>
debug device-server dump idmgr redis type dns-proxy all
debug device-server dump idmgr redis type monitor-tag id <1-4095>
debug device-server dump idmgr redis type monitor-tag name <value>
debug device-server dump idmgr redis type monitor-tag all
debug device-server dump idmgr redis type global-tunnel id <1-65535>
debug device-server dump idmgr redis type global-tunnel name <value>
debug device-server dump idmgr redis type global-tunnel all
debug device-server dump idmgr redis type global-interface id <1-4294967295>
debug device-server dump idmgr redis type global-interface name <value>
debug device-server dump idmgr redis type global-interface all
debug device-server dump idmgr redis type global-if-counter id <1-4294967295>
debug device-server dump idmgr redis type global-if-counter name <value>
debug device-server dump idmgr redis type global-if-counter all
debug device-server dump idmgr redis type global-vlan-domain id <1-4294967295>
debug device-server dump idmgr redis type global-vlan-domain name <value>
debug device-server dump idmgr redis type global-vlan-domain all
debug device-server dump idmgr redis type global-vlan id <1-4294967295>
debug device-server dump idmgr redis type global-vlan name <value>
debug device-server dump idmgr redis type global-vlan all
debug device-server dump idmgr redis type global-vrouter id <1-4294967295>

PAN-OS CLI Quick Start Version Version 10.1 192 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server dump idmgr redis type global-vrouter name <value>

debug device-server dump idmgr redis type global-vrouter all
debug device-server dump idmgr redis type global-rib-instance id <1-4294967295>
debug device-server dump idmgr redis type global-rib-instance name <value>
debug device-server dump idmgr redis type global-rib-instance all
debug device-server dump idmgr redis type shared-applicaon id <1-4294967295>
debug device-server dump idmgr redis type shared-applicaon name <value>
debug device-server dump idmgr redis type shared-applicaon all
debug device-server dump idmgr redis type shared-applicaon-filter id <1-5000>
debug device-server dump idmgr redis type shared-applicaon-filter name <value>
debug device-server dump idmgr redis type shared-applicaon-filter all
debug device-server dump idmgr redis type shared-applicaon-group id <1-5000>
debug device-server dump idmgr redis type shared-applicaon-group name <value>
debug device-server dump idmgr redis type shared-applicaon-group all
debug device-server dump idmgr redis type custom-url-filter id <1-4294967295>
debug device-server dump idmgr redis type custom-url-filter name <value>
debug device-server dump idmgr redis type custom-url-filter all
debug device-server dump idmgr redis type vsys-applicaon id <1-4096>
debug device-server dump idmgr redis type vsys-applicaon name <value>
debug device-server dump idmgr redis type vsys-applicaon all
debug device-server dump idmgr redis type vsys-applicaon-filter id <5001-10000>
debug device-server dump idmgr redis type vsys-applicaon-filter name <value>
debug device-server dump idmgr redis type vsys-applicaon-filter all
debug device-server dump idmgr redis type vsys-applicaon-group id <5001-10000>
debug device-server dump idmgr redis type vsys-applicaon-group name <value>
debug device-server dump idmgr redis type vsys-applicaon-group all
debug device-server dump idmgr redis type security-rule id <1-4096>
debug device-server dump idmgr redis type security-rule name <value>
debug device-server dump idmgr redis type security-rule all
debug device-server dump idmgr redis type nat-rule id <1-4096>
debug device-server dump idmgr redis type nat-rule name <value>
debug device-server dump idmgr redis type nat-rule all
debug device-server dump idmgr redis type ssl-rule id <1-4096>

PAN-OS CLI Quick Start Version Version 10.1 193 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server dump idmgr redis type ssl-rule name <value>

debug device-server dump idmgr redis type ssl-rule all
debug device-server dump idmgr redis type tci-rule id <1-2048>
debug device-server dump idmgr redis type tci-rule name <value>
debug device-server dump idmgr redis type tci-rule all
debug device-server dump idmgr redis type ike-gateway id <1-4096>
debug device-server dump idmgr redis type ike-gateway name <value>
debug device-server dump idmgr redis type ike-gateway all
debug device-server dump idmgr redis type pbf-rule id <1-4096>
debug device-server dump idmgr redis type pbf-rule name <value>
debug device-server dump idmgr redis type pbf-rule all
debug device-server dump idmgr redis type sdwan-rule id <1-4096>
debug device-server dump idmgr redis type sdwan-rule name <value>
debug device-server dump idmgr redis type sdwan-rule all
debug device-server dump idmgr redis type network-packet-broker-rule id <1-4096>
debug device-server dump idmgr redis type network-packet-broker-rule name <value>
debug device-server dump idmgr redis type network-packet-broker-rule all
debug device-server dump idmgr redis type sdwan-link-tag id <1-256>
debug device-server dump idmgr redis type sdwan-link-tag name <value>
debug device-server dump idmgr redis type sdwan-link-tag all
debug device-server dump idmgr redis type shared-custom-url-category id <1-4294967295>
debug device-server dump idmgr redis type shared-custom-url-category name <value>
debug device-server dump idmgr redis type shared-custom-url-category all
debug device-server dump idmgr redis type shared-edl-url-category id <1-4294967295>
debug device-server dump idmgr redis type shared-edl-url-category name <value>
debug device-server dump idmgr redis type shared-edl-url-category all
debug device-server dump idmgr redis type shared-header-insert-hosts id <1-4294967295>
debug device-server dump idmgr redis type shared-header-insert-hosts name <value>
debug device-server dump idmgr redis type shared-header-insert-hosts all
debug device-server dump idmgr redis type vsys-custom-url-category id <1-4294967295>
debug device-server dump idmgr redis type vsys-custom-url-category name <value>
debug device-server dump idmgr redis type vsys-custom-url-category all
debug device-server dump idmgr redis type vsys-edl-url-category id <1-4294967295>

PAN-OS CLI Quick Start Version Version 10.1 194 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server dump idmgr redis type vsys-edl-url-category name <value>

debug device-server dump idmgr redis type vsys-edl-url-category all
debug device-server dump idmgr redis type vsys-header-insert-hosts id <1-4294967295>
debug device-server dump idmgr redis type vsys-header-insert-hosts name <value>
debug device-server dump idmgr redis type vsys-header-insert-hosts all
debug device-server dump idmgr redis type shared-gateway id <1-4096>
debug device-server dump idmgr redis type shared-gateway name <value>
debug device-server dump idmgr redis type shared-gateway all
debug device-server dump idmgr redis type shared-region id <1-1023>
debug device-server dump idmgr redis type shared-region name <value>
debug device-server dump idmgr redis type shared-region all
debug device-server dump idmgr redis type vsys-region id <1024-3071>
debug device-server dump idmgr redis type vsys-region name <value>
debug device-server dump idmgr redis type vsys-region all
debug device-server dump idmgr redis type hp-header-insert-header-value id <1-4294967295>
debug device-server dump idmgr redis type hp-header-insert-header-value name <value>
debug device-server dump idmgr redis type hp-header-insert-header-value all
debug device-server dump idmgr redis type global-iot-dev-category id <1-4294967295>
debug device-server dump idmgr redis type global-iot-dev-category name <value>
debug device-server dump idmgr redis type global-iot-dev-category all
debug device-server dump idmgr redis type global-iot-dev-profile id <1-4294967295>
debug device-server dump idmgr redis type global-iot-dev-profile name <value>
debug device-server dump idmgr redis type global-iot-dev-profile all
debug device-server dump idmgr redis type global-iot-dev-osfamily id <1-4294967295>
debug device-server dump idmgr redis type global-iot-dev-osfamily name <value>
debug device-server dump idmgr redis type global-iot-dev-osfamily all
debug device-server dump idmgr redis type global-iot-dev-os id <1-4294967295>
debug device-server dump idmgr redis type global-iot-dev-os name <value>
debug device-server dump idmgr redis type global-iot-dev-os all
debug device-server dump idmgr redis type global-iot-dev-model id <1-4294967295>
debug device-server dump idmgr redis type global-iot-dev-model name <value>
debug device-server dump idmgr redis type global-iot-dev-model all
debug device-server dump idmgr redis type global-iot-dev-vendor id <1-4294967295>

PAN-OS CLI Quick Start Version Version 10.1 195 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server dump idmgr redis type global-iot-dev-vendor name <value>

debug device-server dump idmgr redis type global-iot-dev-vendor all
debug device-server dump idmgr redis type hip-profile id <1-1024>
debug device-server dump idmgr redis type hip-profile name <value>
debug device-server dump idmgr redis type hip-profile all
debug device-server dump idmgr redis type hip-object id <1-65535>
debug device-server dump idmgr redis type hip-object name <value>
debug device-server dump idmgr redis type hip-object all
debug device-server dump idmgr redis type edl-domain id <1-30>
debug device-server dump idmgr redis type edl-domain name <value>
debug device-server dump idmgr redis type edl-domain all
debug device-server dump idmgr redis type edl-ip id <1-64>
debug device-server dump idmgr redis type edl-ip name <value>
debug device-server dump idmgr redis type edl-ip all
debug device-server dump idmgr type shared-app-signature id <1-32767>
debug device-server dump idmgr type shared-app-signature name <value>
debug device-server dump idmgr type shared-app-signature all
debug device-server dump idmgr type shared-url-filtering id <1-250>
debug device-server dump idmgr type shared-url-filtering name <value>
debug device-server dump idmgr type shared-url-filtering all
debug device-server dump idmgr type vsys-app-signature id <32768-65535>
debug device-server dump idmgr type vsys-app-signature name <value>
debug device-server dump idmgr type vsys-app-signature all
debug device-server dump idmgr type vsys-url-filtering id <251-5000>
debug device-server dump idmgr type vsys-url-filtering name <value>
debug device-server dump idmgr type vsys-url-filtering all
debug device-server dump idmgr type log-seng id <1-65535>
debug device-server dump idmgr type log-seng name <value>
debug device-server dump idmgr type log-seng all
debug device-server dump idmgr type shared-qos-profile id <1-65535>
debug device-server dump idmgr type shared-qos-profile name <value>
debug device-server dump idmgr type shared-qos-profile all
debug device-server dump idmgr type shared-qos-group id <1-255>

PAN-OS CLI Quick Start Version Version 10.1 196 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server dump idmgr type shared-qos-group name <value>

debug device-server dump idmgr type shared-qos-group all
debug device-server dump idmgr type shared-qos-member id <1-65535>
debug device-server dump idmgr type shared-qos-member name <value>
debug device-server dump idmgr type shared-qos-member all
debug device-server dump idmgr type qos-rule id <1-65535>
debug device-server dump idmgr type qos-rule name <value>
debug device-server dump idmgr type qos-rule all
debug device-server dump idmgr type shared-bgp-peergrp id <1-2047>
debug device-server dump idmgr type shared-bgp-peergrp name <value>
debug device-server dump idmgr type shared-bgp-peergrp all
debug device-server dump idmgr type shared-bgp-peer id <1-2047>
debug device-server dump idmgr type shared-bgp-peer name <value>
debug device-server dump idmgr type shared-bgp-peer all
debug device-server dump idmgr type shared-bgp-aggr-address id <1-2047>
debug device-server dump idmgr type shared-bgp-aggr-address name <value>
debug device-server dump idmgr type shared-bgp-aggr-address all
debug device-server dump idmgr type auth-rule id <1-65535>
debug device-server dump idmgr type auth-rule name <value>
debug device-server dump idmgr type auth-rule all
debug device-server dump idmgr type override-rule id <1-65535>
debug device-server dump idmgr type override-rule name <value>
debug device-server dump idmgr type override-rule all
debug device-server dump idmgr type dos-rule id <1-65535>
debug device-server dump idmgr type dos-rule name <value>
debug device-server dump idmgr type dos-rule all
debug device-server dump idmgr type interface-group id <1-255>
debug device-server dump idmgr type interface-group name <value>
debug device-server dump idmgr type interface-group all
debug device-server dump idmgr type macl-rule id <1-4095>
debug device-server dump idmgr type macl-rule name <value>
debug device-server dump idmgr type macl-rule all
debug device-server dump idmgr type ospfv3-virtual-link id <1-4095>

PAN-OS CLI Quick Start Version Version 10.1 197 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server dump idmgr type ospfv3-virtual-link name <value>

debug device-server dump idmgr type ospfv3-virtual-link all
debug device-server dump idmgr type zone id <1-4294967295>
debug device-server dump idmgr type zone name <value>
debug device-server dump idmgr type zone all
debug device-server dump idmgr type vsys id <1-4294967295>
debug device-server dump idmgr type vsys name <value>
debug device-server dump idmgr type vsys all
debug device-server dump idmgr type dns-proxy id <1-512>
debug device-server dump idmgr type dns-proxy name <value>
debug device-server dump idmgr type dns-proxy all
debug device-server dump idmgr type monitor-tag id <1-4095>
debug device-server dump idmgr type monitor-tag name <value>
debug device-server dump idmgr type monitor-tag all
debug device-server dump idmgr type global-tunnel id <1-65535>
debug device-server dump idmgr type global-tunnel name <value>
debug device-server dump idmgr type global-tunnel all
debug device-server dump idmgr type global-interface id <1-4294967295>
debug device-server dump idmgr type global-interface name <value>
debug device-server dump idmgr type global-interface all
debug device-server dump idmgr type global-if-counter id <1-4294967295>
debug device-server dump idmgr type global-if-counter name <value>
debug device-server dump idmgr type global-if-counter all
debug device-server dump idmgr type global-vlan-domain id <1-4294967295>
debug device-server dump idmgr type global-vlan-domain name <value>
debug device-server dump idmgr type global-vlan-domain all
debug device-server dump idmgr type global-vlan id <1-4294967295>
debug device-server dump idmgr type global-vlan name <value>
debug device-server dump idmgr type global-vlan all
debug device-server dump idmgr type global-vrouter id <1-4294967295>
debug device-server dump idmgr type global-vrouter name <value>
debug device-server dump idmgr type global-vrouter all
debug device-server dump idmgr type global-rib-instance id <1-4294967295>

PAN-OS CLI Quick Start Version Version 10.1 198 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server dump idmgr type global-rib-instance name <value>

debug device-server dump idmgr type global-rib-instance all
debug device-server dump idmgr type shared-applicaon id <1-4294967295>
debug device-server dump idmgr type shared-applicaon name <value>
debug device-server dump idmgr type shared-applicaon all
debug device-server dump idmgr type shared-applicaon-filter id <1-5000>
debug device-server dump idmgr type shared-applicaon-filter name <value>
debug device-server dump idmgr type shared-applicaon-filter all
debug device-server dump idmgr type shared-applicaon-group id <1-5000>
debug device-server dump idmgr type shared-applicaon-group name <value>
debug device-server dump idmgr type shared-applicaon-group all
debug device-server dump idmgr type custom-url-filter id <1-4294967295>
debug device-server dump idmgr type custom-url-filter name <value>
debug device-server dump idmgr type custom-url-filter all
debug device-server dump idmgr type vsys-applicaon id <1-4096>
debug device-server dump idmgr type vsys-applicaon name <value>
debug device-server dump idmgr type vsys-applicaon all
debug device-server dump idmgr type vsys-applicaon-filter id <5001-10000>
debug device-server dump idmgr type vsys-applicaon-filter name <value>
debug device-server dump idmgr type vsys-applicaon-filter all
debug device-server dump idmgr type vsys-applicaon-group id <5001-10000>
debug device-server dump idmgr type vsys-applicaon-group name <value>
debug device-server dump idmgr type vsys-applicaon-group all
debug device-server dump idmgr type security-rule id <1-4096>
debug device-server dump idmgr type security-rule name <value>
debug device-server dump idmgr type security-rule all
debug device-server dump idmgr type nat-rule id <1-4096>
debug device-server dump idmgr type nat-rule name <value>
debug device-server dump idmgr type nat-rule all
debug device-server dump idmgr type ssl-rule id <1-4096>
debug device-server dump idmgr type ssl-rule name <value>
debug device-server dump idmgr type ssl-rule all
debug device-server dump idmgr type tci-rule id <1-2048>

PAN-OS CLI Quick Start Version Version 10.1 199 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server dump idmgr type tci-rule name <value>

debug device-server dump idmgr type tci-rule all
debug device-server dump idmgr type ike-gateway id <1-4096>
debug device-server dump idmgr type ike-gateway name <value>
debug device-server dump idmgr type ike-gateway all
debug device-server dump idmgr type pbf-rule id <1-4096>
debug device-server dump idmgr type pbf-rule name <value>
debug device-server dump idmgr type pbf-rule all
debug device-server dump idmgr type sdwan-rule id <1-4096>
debug device-server dump idmgr type sdwan-rule name <value>
debug device-server dump idmgr type sdwan-rule all
debug device-server dump idmgr type network-packet-broker-rule id <1-4096>
debug device-server dump idmgr type network-packet-broker-rule name <value>
debug device-server dump idmgr type network-packet-broker-rule all
debug device-server dump idmgr type sdwan-link-tag id <1-256>
debug device-server dump idmgr type sdwan-link-tag name <value>
debug device-server dump idmgr type sdwan-link-tag all
debug device-server dump idmgr type shared-custom-url-category id <1-4294967295>
debug device-server dump idmgr type shared-custom-url-category name <value>
debug device-server dump idmgr type shared-custom-url-category all
debug device-server dump idmgr type shared-edl-url-category id <1-4294967295>
debug device-server dump idmgr type shared-edl-url-category name <value>
debug device-server dump idmgr type shared-edl-url-category all
debug device-server dump idmgr type shared-header-insert-hosts id <1-4294967295>
debug device-server dump idmgr type shared-header-insert-hosts name <value>
debug device-server dump idmgr type shared-header-insert-hosts all
debug device-server dump idmgr type vsys-custom-url-category id <1-4294967295>
debug device-server dump idmgr type vsys-custom-url-category name <value>
debug device-server dump idmgr type vsys-custom-url-category all
debug device-server dump idmgr type vsys-edl-url-category id <1-4294967295>
debug device-server dump idmgr type vsys-edl-url-category name <value>
debug device-server dump idmgr type vsys-edl-url-category all
debug device-server dump idmgr type edl-domain id <1-30>

PAN-OS CLI Quick Start Version Version 10.1 200 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server dump idmgr type edl-domain name <value>

debug device-server dump idmgr type edl-domain all
debug device-server dump idmgr type edl-ip id <1-64>
debug device-server dump idmgr type edl-ip name <value>
debug device-server dump idmgr type edl-ip all
debug device-server dump idmgr type vsys-header-insert-hosts id <1-4294967295>
debug device-server dump idmgr type vsys-header-insert-hosts name <value>
debug device-server dump idmgr type vsys-header-insert-hosts all
debug device-server dump idmgr type shared-gateway id <1-4096>
debug device-server dump idmgr type shared-gateway name <value>
debug device-server dump idmgr type shared-gateway all
debug device-server dump idmgr type shared-region id <1-1023>
debug device-server dump idmgr type shared-region name <value>
debug device-server dump idmgr type shared-region all
debug device-server dump idmgr type vsys-region id <1024-3071>
debug device-server dump idmgr type vsys-region name <value>
debug device-server dump idmgr type vsys-region all
debug device-server dump idmgr type hp-header-insert-header-value id <1-4294967295>
debug device-server dump idmgr type hp-header-insert-header-value name <value>
debug device-server dump idmgr type hp-header-insert-header-value all
debug device-server dump idmgr type global-iot-dev-category id <1-4294967295>
debug device-server dump idmgr type global-iot-dev-category name <value>
debug device-server dump idmgr type global-iot-dev-category all
debug device-server dump idmgr type global-iot-dev-profile id <1-4294967295>
debug device-server dump idmgr type global-iot-dev-profile name <value>
debug device-server dump idmgr type global-iot-dev-profile all
debug device-server dump idmgr type global-iot-dev-osfamily id <1-4294967295>
debug device-server dump idmgr type global-iot-dev-osfamily name <value>
debug device-server dump idmgr type global-iot-dev-osfamily all
debug device-server dump idmgr type global-iot-dev-os id <1-4294967295>
debug device-server dump idmgr type global-iot-dev-os name <value>
debug device-server dump idmgr type global-iot-dev-os all
debug device-server dump idmgr type global-iot-dev-model id <1-4294967295>

PAN-OS CLI Quick Start Version Version 10.1 201 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug device-server dump idmgr type global-iot-dev-model name <value>

debug device-server dump idmgr type global-iot-dev-model all
debug device-server dump idmgr type global-iot-dev-vendor id <1-4294967295>
debug device-server dump idmgr type global-iot-dev-vendor name <value>
debug device-server dump idmgr type global-iot-dev-vendor all
debug device-server dump idmgr type hip-profile id <1-1024>
debug device-server dump idmgr type hip-profile name <value>
debug device-server dump idmgr type hip-profile all
debug device-server dump idmgr type hip-object id <1-65535>
debug device-server dump idmgr type hip-object name <value>
debug device-server dump idmgr type hip-object all
debug device-server dump logging stascs
debug device-server dump com all
debug device-server dump com opcmd
debug device-server dump com sshkey
debug device-server dump com status
debug device-server dump com url
debug device-server dump com mlav
debug device-server off
debug device-server clear
debug device-server show
debug mprelay on dump
debug mprelay on debug
debug mprelay on info
debug mprelay on warn
debug mprelay on error
debug mprelay off
debug mprelay show
debug netconfig-agent on dump
debug netconfig-agent on debug
debug netconfig-agent on info
debug netconfig-agent on warn
debug netconfig-agent on error

PAN-OS CLI Quick Start Version Version 10.1 202 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug netconfig-agent off
debug netconfig-agent show
debug tac-login permanently-disable
debug tac-login challenge
debug tac-login response
debug lpmgrd status
debug lpmgrd dump idmgr type user id <1-4294967295>
debug lpmgrd dump idmgr type user name <value>
debug lpmgrd dump idmgr type user all
debug lpmgrd dump idmgr type user-group id <1-4294967295>
debug lpmgrd dump idmgr type user-group name <value>
debug lpmgrd dump idmgr type user-group all
debug lpmgrd dump idmgr type computer id <1-4294967295>
debug lpmgrd dump idmgr type computer name <value>
debug lpmgrd dump idmgr type computer all
debug lpmgrd dump idmgr type hip-profile id <1-1024>
debug lpmgrd dump idmgr type hip-profile name <value>
debug lpmgrd dump idmgr type hip-profile all
debug lpmgrd dump idmgr type hip-object id <1-65535>
debug lpmgrd dump idmgr type hip-object name <value>
debug lpmgrd dump idmgr type hip-object all
debug lpmgrd dump idmgr type shared-app-signature id <1-32767>
debug lpmgrd dump idmgr type shared-app-signature name <value>
debug lpmgrd dump idmgr type shared-app-signature all
debug lpmgrd dump idmgr type shared-url-filtering id <1-250>
debug lpmgrd dump idmgr type shared-url-filtering name <value>
debug lpmgrd dump idmgr type shared-url-filtering all
debug lpmgrd dump idmgr type vsys-app-signature id <32768-65535>
debug lpmgrd dump idmgr type vsys-app-signature name <value>
debug lpmgrd dump idmgr type vsys-app-signature all
debug lpmgrd dump idmgr type vsys-url-filtering id <251-5000>
debug lpmgrd dump idmgr type vsys-url-filtering name <value>
debug lpmgrd dump idmgr type vsys-url-filtering all

PAN-OS CLI Quick Start Version Version 10.1 203 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug lpmgrd dump idmgr type log-seng id <1-65535>

debug lpmgrd dump idmgr type log-seng name <value>
debug lpmgrd dump idmgr type log-seng all
debug lpmgrd dump idmgr type shared-qos-profile id <1-65535>
debug lpmgrd dump idmgr type shared-qos-profile name <value>
debug lpmgrd dump idmgr type shared-qos-profile all
debug lpmgrd dump idmgr type shared-qos-group id <1-255>
debug lpmgrd dump idmgr type shared-qos-group name <value>
debug lpmgrd dump idmgr type shared-qos-group all
debug lpmgrd dump idmgr type shared-qos-member id <1-65535>
debug lpmgrd dump idmgr type shared-qos-member name <value>
debug lpmgrd dump idmgr type shared-qos-member all
debug lpmgrd dump idmgr type qos-rule id <1-65535>
debug lpmgrd dump idmgr type qos-rule name <value>
debug lpmgrd dump idmgr type qos-rule all
debug lpmgrd dump idmgr type shared-bgp-peergrp id <1-2047>
debug lpmgrd dump idmgr type shared-bgp-peergrp name <value>
debug lpmgrd dump idmgr type shared-bgp-peergrp all
debug lpmgrd dump idmgr type shared-bgp-peer id <1-2047>
debug lpmgrd dump idmgr type shared-bgp-peer name <value>
debug lpmgrd dump idmgr type shared-bgp-peer all
debug lpmgrd dump idmgr type shared-bgp-aggr-address id <1-2047>
debug lpmgrd dump idmgr type shared-bgp-aggr-address name <value>
debug lpmgrd dump idmgr type shared-bgp-aggr-address all
debug lpmgrd dump idmgr type override-rule id <1-65535>
debug lpmgrd dump idmgr type override-rule name <value>
debug lpmgrd dump idmgr type override-rule all
debug lpmgrd dump idmgr type dos-rule id <1-65535>
debug lpmgrd dump idmgr type dos-rule name <value>
debug lpmgrd dump idmgr type dos-rule all
debug lpmgrd dump idmgr type interface-group id <1-255>
debug lpmgrd dump idmgr type interface-group name <value>
debug lpmgrd dump idmgr type interface-group all

PAN-OS CLI Quick Start Version Version 10.1 204 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug lpmgrd dump idmgr type macl-rule id <1-4095>

debug lpmgrd dump idmgr type macl-rule name <value>
debug lpmgrd dump idmgr type macl-rule all
debug lpmgrd dump idmgr type ospfv3-virtual-link id <1-4095>
debug lpmgrd dump idmgr type ospfv3-virtual-link name <value>
debug lpmgrd dump idmgr type ospfv3-virtual-link all
debug lpmgrd dump idmgr type zone id <1-4294967295>
debug lpmgrd dump idmgr type zone name <value>
debug lpmgrd dump idmgr type zone all
debug lpmgrd dump idmgr type vsys id <1-4294967295>
debug lpmgrd dump idmgr type vsys name <value>
debug lpmgrd dump idmgr type vsys all
debug lpmgrd dump idmgr type global-tunnel id <1-65535>
debug lpmgrd dump idmgr type global-tunnel name <value>
debug lpmgrd dump idmgr type global-tunnel all
debug lpmgrd dump idmgr type global-interface id <1-4294967295>
debug lpmgrd dump idmgr type global-interface name <value>
debug lpmgrd dump idmgr type global-interface all
debug lpmgrd dump idmgr type global-if-counter id <1-4294967295>
debug lpmgrd dump idmgr type global-if-counter name <value>
debug lpmgrd dump idmgr type global-if-counter all
debug lpmgrd dump idmgr type global-vlan-domain id <1-4294967295>
debug lpmgrd dump idmgr type global-vlan-domain name <value>
debug lpmgrd dump idmgr type global-vlan-domain all
debug lpmgrd dump idmgr type global-vlan id <1-4294967295>
debug lpmgrd dump idmgr type global-vlan name <value>
debug lpmgrd dump idmgr type global-vlan all
debug lpmgrd dump idmgr type global-vrouter id <1-4294967295>
debug lpmgrd dump idmgr type global-vrouter name <value>
debug lpmgrd dump idmgr type global-vrouter all
debug lpmgrd dump idmgr type global-rib-instance id <1-4294967295>
debug lpmgrd dump idmgr type global-rib-instance name <value>
debug lpmgrd dump idmgr type global-rib-instance all

PAN-OS CLI Quick Start Version Version 10.1 205 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug lpmgrd dump idmgr type shared-applicaon id <1-4294967295>

debug lpmgrd dump idmgr type shared-applicaon name <value>
debug lpmgrd dump idmgr type shared-applicaon all
debug lpmgrd dump idmgr type custom-url-filter id <1-4294967295>
debug lpmgrd dump idmgr type custom-url-filter name <value>
debug lpmgrd dump idmgr type custom-url-filter all
debug lpmgrd dump idmgr type vsys-applicaon id <1-4096>
debug lpmgrd dump idmgr type vsys-applicaon name <value>
debug lpmgrd dump idmgr type vsys-applicaon all
debug lpmgrd dump idmgr type security-rule id <1-4096>
debug lpmgrd dump idmgr type security-rule name <value>
debug lpmgrd dump idmgr type security-rule all
debug lpmgrd dump idmgr type nat-rule id <1-4096>
debug lpmgrd dump idmgr type nat-rule name <value>
debug lpmgrd dump idmgr type nat-rule all
debug lpmgrd dump idmgr type ssl-rule id <1-4096>
debug lpmgrd dump idmgr type ssl-rule name <value>
debug lpmgrd dump idmgr type ssl-rule all
debug lpmgrd dump idmgr type tci-rule id <1-2048>
debug lpmgrd dump idmgr type tci-rule name <value>
debug lpmgrd dump idmgr type tci-rule all
debug lpmgrd dump idmgr type ike-gateway id <1-4096>
debug lpmgrd dump idmgr type ike-gateway name <value>
debug lpmgrd dump idmgr type ike-gateway all
debug lpmgrd dump idmgr type pbf-rule id <1-4096>
debug lpmgrd dump idmgr type pbf-rule name <value>
debug lpmgrd dump idmgr type pbf-rule all
debug lpmgrd dump idmgr type sdwan-rule id <1-4096>
debug lpmgrd dump idmgr type sdwan-rule name <value>
debug lpmgrd dump idmgr type sdwan-rule all
debug lpmgrd dump idmgr type network-packet-broker-rule id <1-4096>
debug lpmgrd dump idmgr type network-packet-broker-rule name <value>
debug lpmgrd dump idmgr type network-packet-broker-rule all

PAN-OS CLI Quick Start Version Version 10.1 206 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug lpmgrd dump idmgr type sdwan-link-tag id <1-256>

debug lpmgrd dump idmgr type sdwan-link-tag name <value>
debug lpmgrd dump idmgr type sdwan-link-tag all
debug lpmgrd dump idmgr type shared-custom-url-category id <1-4294967295>
debug lpmgrd dump idmgr type shared-custom-url-category name <value>
debug lpmgrd dump idmgr type shared-custom-url-category all
debug lpmgrd dump idmgr type shared-edl-url-category id <1-4294967295>
debug lpmgrd dump idmgr type shared-edl-url-category name <value>
debug lpmgrd dump idmgr type shared-edl-url-category all
debug lpmgrd dump idmgr type shared-header-insert-hosts id <1-4294967295>
debug lpmgrd dump idmgr type shared-header-insert-hosts name <value>
debug lpmgrd dump idmgr type shared-header-insert-hosts all
debug lpmgrd dump idmgr type vsys-custom-url-category id <1-4294967295>
debug lpmgrd dump idmgr type vsys-custom-url-category name <value>
debug lpmgrd dump idmgr type vsys-custom-url-category all
debug lpmgrd dump idmgr type vsys-edl-url-category id <1-4294967295>
debug lpmgrd dump idmgr type vsys-edl-url-category name <value>
debug lpmgrd dump idmgr type vsys-edl-url-category all
debug lpmgrd dump idmgr type edl-domain id <1-30>
debug lpmgrd dump idmgr type edl-domain name <value>
debug lpmgrd dump idmgr type edl-domain all
debug lpmgrd dump idmgr type edl-ip id <1-64>
debug lpmgrd dump idmgr type edl-ip name <value>
debug lpmgrd dump idmgr type edl-ip all
debug lpmgrd dump idmgr type vsys-header-insert-hosts id <1-4294967295>
debug lpmgrd dump idmgr type vsys-header-insert-hosts name <value>
debug lpmgrd dump idmgr type vsys-header-insert-hosts all
debug lpmgrd dump idmgr type shared-gateway id <1-4096>
debug lpmgrd dump idmgr type shared-gateway name <value>
debug lpmgrd dump idmgr type shared-gateway all
debug lpmgrd dump idmgr type shared-region id <1-1023>
debug lpmgrd dump idmgr type shared-region name <value>
debug lpmgrd dump idmgr type shared-region all

PAN-OS CLI Quick Start Version Version 10.1 207 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug lpmgrd dump idmgr type vsys-region id <1024-3071>

debug lpmgrd dump idmgr type vsys-region name <value>
debug lpmgrd dump idmgr type vsys-region all
debug dataplane ctd-agent global on <warn|normal|debug|dump>
debug dataplane ctd-agent global off
debug dataplane ctd-agent global show
debug dataplane ctd-agent clear all
debug dataplane ctd-agent set source <ip/netmask>
debug dataplane ctd-agent set host <value>
debug dataplane ctd-agent set port <1-65535>
debug dataplane ctd-agent set ace-debug <value>
debug dataplane ctd-agent session id <1-4294967295>
debug dataplane ctd-agent config profile
debug dataplane ctd-agent config policy
debug dataplane ctd-agent license
debug dataplane ctd-agent device-cert
debug dataplane cloud-appid show all-apps
debug dataplane cloud-appid show filter-sig-id
debug dataplane cloud-appid show database details
debug dataplane cloud-appid show app-sig type <tcp|udp>
debug dataplane cloud-appid show detecon apps-detected
debug dataplane cloud-appid show detecon signatures-matched
debug dataplane cloud-appid show cache stascs
debug dataplane cloud-appid show cache entries
debug dataplane cloud-appid show app-counts
debug dataplane cloud-appid lookup name <value>
debug dataplane cloud-appid lookup global-id <1-2147483647>
debug dataplane cloud-appid lookup local-id <1-65535>
debug dataplane cloud-appid lookup filter-sig-id <1-2147483647>
debug dataplane cloud-appid reset cache appid <32768-4294967295>
debug dataplane cloud-appid reset cache hash-slot <0-1048575>
debug dataplane cloud-appid reset cache all
debug dataplane cloud-appid set report-overlap enable

PAN-OS CLI Quick Start Version Version 10.1 208 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane cloud-appid set report-overlap disable

debug dataplane cloud-appid set report-overlap default
debug dataplane flush-log
debug dataplane test url <value>
debug dataplane test url-bloom <value>
debug dataplane test uappid-filtergroup-mapping uappid <1-4294967295> filters
debug dataplane test uappid-filtergroup-mapping uappid <1-4294967295> filters [ <filters1>
<filters2>... ]
debug dataplane test uappid-policy-cache uappid <1-4294967295> vsysid <1-256> policy-type
<SEC|APPOV|DECR|NAT|AUTH|QOS|PBF|DOS|TCI|SDWAN|NPB>
debug dataplane test dump-nw-id-ebl-tble
debug dataplane test dump-nw-id-vsys-tble vsysid <1-65535>
debug dataplane test nw-id-lookup vsysid <1-65535> lookup-id-imsi <value> lookup-id-imei
<value> lookup-id-nssai <0-255>
debug dataplane test tunnel-tables
debug dataplane test url-from-file max-per-sec <1-65535>
debug dataplane test nat-policy-add from <value> to <value> source <ip/netmask> desnaon
<ip/netmask> protocol <1-255> source-port <1-65535> desnaon-port <1-65535> protocol
<1-255>
debug dataplane test nat-policy-del from <value> to <value> source <ip/netmask> translate-
source <ip/netmask> desnaon <ip/netmask> protocol <1-255> source-port <1-65535>
translate-source-port <1-65535> desnaon-port <1-65535> protocol <1-255>
debug dataplane packet-path-test test proc <value>
debug dataplane packet-path-test counter
debug dataplane nat sync-ippool rule <value>
debug dataplane nat stac-mapping add from-ip <ip/netmask> to-ip <ip/netmask> from-port
<1-65535> to-port <1-65535>
debug dataplane nat stac-mapping show
debug dataplane nat stac-mapping del from-ip <ip/netmask> from-port <1-65535>
debug dataplane mmdbg status
debug dataplane mmdbg leakiller memory-pool show top-ref
debug dataplane mmdbg leakiller memory-pool show cur-ref
debug dataplane mmdbg leakiller memory-pool show all-ref
debug dataplane mmdbg leakiller memory-pool enable yes
debug dataplane mmdbg leakiller memory-pool enable no
debug dataplane mmdbg leakiller swbuf-pool show top-ref

PAN-OS CLI Quick Start Version Version 10.1 209 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane mmdbg leakiller swbuf-pool show cur-ref

debug dataplane mmdbg leakiller swbuf-pool show all-ref
debug dataplane mmdbg leakiller swbuf-pool enable yes
debug dataplane mmdbg leakiller swbuf-pool enable no
debug dataplane mmdbg pool-debug overflow-check enable
debug dataplane mmdbg pool-debug overflow-check disable
debug dataplane mmdbg pool-debug reuse-check enable
debug dataplane mmdbg pool-debug reuse-check disable
debug dataplane mmdbg obj-trace ev_num_per_q set <128-65536>
debug dataplane mmdbg obj-trace symbol lvl <1-3>
debug dataplane mmdbg obj-trace stop enable
debug dataplane mmdbg obj-trace stop disable
debug dataplane mmdbg obj-trace session level basic
debug dataplane mmdbg obj-trace session level medium
debug dataplane mmdbg obj-trace session level verbose
debug dataplane mmdbg obj-trace session level disable
debug dataplane mmdbg obj-trace wqe leak-dump num <16-1024>
debug dataplane mmdbg obj-trace wqe trace-type normal
debug dataplane mmdbg obj-trace wqe trace-type leak
debug dataplane mmdbg obj-trace wqe delay-free enable
debug dataplane mmdbg obj-trace wqe delay-free disable
debug dataplane mmdbg obj-trace wqe level basic
debug dataplane mmdbg obj-trace wqe level medium
debug dataplane mmdbg obj-trace wqe level verbose
debug dataplane mmdbg obj-trace wqe level disable
debug dataplane mmdbg obj-trace wqe extra-trace yes
debug dataplane mmdbg obj-trace wqe extra-trace no
debug dataplane mmdbg obj-trace shared-pool-192 level basic
debug dataplane mmdbg obj-trace shared-pool-192 level medium
debug dataplane mmdbg obj-trace shared-pool-192 level verbose
debug dataplane mmdbg obj-trace shared-pool-192 level disable
debug dataplane mmdbg obj-trace shared-pool-24 level basic
debug dataplane mmdbg obj-trace shared-pool-24 level medium

PAN-OS CLI Quick Start Version Version 10.1 210 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane mmdbg obj-trace shared-pool-24 level verbose

debug dataplane mmdbg obj-trace shared-pool-24 level disable
debug dataplane mmdbg watchpoint address s1dp0 <value>
debug dataplane policy switch-cache
debug dataplane show url-cache stascs
debug dataplane show dp-user-cache stascs
debug dataplane show dns-cache stascs
debug dataplane show dns-cache query fqdn <value>
debug dataplane show dns-cache print
debug dataplane show dos rule
debug dataplane show dos rule <name> classificaon-table
debug dataplane show dos zone
debug dataplane show dos zone <name> block-table
debug dataplane show dos classificaon-table
debug dataplane show dos block-table
debug dataplane show dos free-list
debug dataplane show com stascs
debug dataplane show ctd session <1-4294967295>
debug dataplane show ctd regex-stats dump
debug dataplane show ctd regex-group dump
debug dataplane show ctd aggregate-table
debug dataplane show ctd memory-state
debug dataplane show ctd driveby-table
debug dataplane show ctd sml-cache
debug dataplane show ctd version
debug dataplane show ctd threat id <0-7040000> cid <0-1024>
debug dataplane show ctd pcap-cache
debug dataplane show ctd dns-cache entries host <value> show-expired <yes|no>
debug dataplane show ctd dns-cache stats
debug dataplane show ctd wf-cache virus-paern-type <PE|DNS|Hash|ALL>
debug dataplane show ctd wf-stats
debug dataplane show ctd lscan database context prefix <value>
debug dataplane show ctd lscan database context-list

PAN-OS CLI Quick Start Version Version 10.1 211 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane show ctd lscan database details

debug dataplane show ctd lscan sml-token appid <1-4294967295>
debug dataplane show ctd lscan sml-scope appid <1-4294967295>
debug dataplane show ctd lscan app-sig type <tcp|udp>
debug dataplane show ctd dns-id-cache
debug dataplane show ctd feature-forward forward-info session-id <1-4294967295>
debug dataplane show ctd feature-forward forward-entry-summary
debug dataplane show ctd feature-forward shared-memory-stats
debug dataplane show ctd feature-forward ctd-agent-running-cores
debug dataplane show ctd credenal-enforcement group-mapping vsys <value>
debug dataplane show ctd credenal-enforcement domain-credenal
debug dataplane show ctd wildfire max
debug dataplane show pow no-desched
debug dataplane show cfg-memstat stascs
debug dataplane show enhanced-applicaon-logging
debug dataplane show memory-pool stascs
debug dataplane show ssl-decrypt session <1-4294967295>
debug dataplane show ssl-decrypt bitmask-version <value>
debug dataplane show ssl-decrypt bitmask-cipher <value>
debug dataplane show ssl-decrypt ssl-stats
debug dataplane show ssl-decrypt dns-cache
debug dataplane show hp2 session <1-4294967295>
debug dataplane show hp2 stream-session <1-4294967295>
debug dataplane show username-cache
debug dataplane show cookie-surrogate-cache
debug dataplane show app-filter-policy vsys <value> filter-id <1-10000>
debug dataplane show app-group-policy vsys <value> group-id <10001-20000>
debug dataplane show uappid-in-policy id <10000000-4294967295>
debug dataplane show uappid-filtergroup-mapping id <1-4294967295>
debug dataplane show uappid-policy-cache uappid <1-4294967295>
debug dataplane show unknown-uappid-cache id <1-4294967295>
debug dataplane show no-sess-owner-query-limit
debug dataplane reset logging

PAN-OS CLI Quick Start Version Version 10.1 212 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane reset pow

debug dataplane reset appid cache
debug dataplane reset appid stascs
debug dataplane reset appid unknown-cache desnaon <ip/netmask>
debug dataplane reset ssl-decrypt cerficate-cache
debug dataplane reset ssl-decrypt cerficate-status
debug dataplane reset ssl-decrypt gp-cookie-cache
debug dataplane reset ssl-decrypt nofy-cache source <ip/netmask>
debug dataplane reset ssl-decrypt dns-cache
debug dataplane reset ssl-decrypt session-cache
debug dataplane reset ssl-decrypt dns-cache
debug dataplane reset ssl-decrypt rewrite-stats
debug dataplane reset ssl-decrypt hsm-request
debug dataplane reset ctd ctdf-water-mark
debug dataplane reset ctd regex-stats
debug dataplane reset ctd url-block-cache lockout
debug dataplane reset ctd dns-cache host <value>
debug dataplane reset ctd dns-id-cache
debug dataplane reset ctd dns-cache-stats
debug dataplane reset ctd wf-cache virus-paern-type <PE|DNS|Hash|ALL>
debug dataplane reset ctd wf-stats
debug dataplane reset dos rule
debug dataplane reset dos rule <name> classificaon-table
debug dataplane reset dos zone
debug dataplane reset dos zone <name> block-table source <ip/netmask>
debug dataplane reset dos zone <name> block-table all
debug dataplane reset dos classificaon-table
debug dataplane reset dos block-table
debug dataplane reset username-cache
debug dataplane reset ml-lookup-cache
debug dataplane reset dns-cache fqdn <value>
debug dataplane reset dns-cache all
debug dataplane set ip4-ignore-df yes

PAN-OS CLI Quick Start Version Version 10.1 213 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane set ip4-ignore-df no

debug dataplane set ip6-host-pmtu-excepon-check yes
debug dataplane set ip6-host-pmtu-excepon-check no
debug dataplane set ip6-ucast-mac-check yes
debug dataplane set ip6-ucast-mac-check no
debug dataplane set ip6-roung-hdr-check yes
debug dataplane set ip6-roung-hdr-check no
debug dataplane set ip6-mcast-fwd-check on
debug dataplane set ip6-mcast-fwd-check off
debug dataplane set ip6-mcast-fwd-check show
debug dataplane set ssl-decrypt blk-send-reset yes
debug dataplane set ssl-decrypt blk-send-reset no
debug dataplane set ssl-decrypt ecdhe-aggressive-keying yes
debug dataplane set ssl-decrypt ecdhe-aggressive-keying no
debug dataplane set pbf-no-return-mac-learning on
debug dataplane set pbf-no-return-mac-learning off
debug dataplane set pbf-no-return-mac-learning show
debug dataplane set blocked-forward upload yes
debug dataplane set blocked-forward upload no
debug dataplane set jumboframe-buffer-adjustment yes
debug dataplane set jumboframe-buffer-adjustment no
debug dataplane set ctd autogen <yes|no>
debug dataplane set ctd wildfire max <0-5000>
debug dataplane set pow no-desched yes
debug dataplane set pow no-desched no
debug dataplane oprofile opcontrol start
debug dataplane oprofile opcontrol stop
debug dataplane oprofile opcontrol status
debug dataplane oprofile opcontrol shutdown
debug dataplane oprofile opreport details
debug dataplane oprofile opreport symbols
debug dataplane appinfo clear
debug dataplane packet-diag aggregate-logs log_name <value> strip_tags <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 214 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane packet-diag set tag <1-65535>

debug dataplane packet-diag set filter pre-parse-match <yes|no>
debug dataplane packet-diag set filter offload <yes|no>
debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter off
debug dataplane packet-diag set filter index
debug dataplane packet-diag set filter index <name> match ingress-interface <value> source
<ip/netmask> desnaon <value> source-port <1-65535> desnaon-port <1-65535> source-
netmask <1-128> desnaon-netmask <1-128> protocol <1-255> non-ip <exclude|include|only>
ipv6-only <yes|no> lacp <yes|no>
debug dataplane packet-diag set filter match ingress-interface <value> source <ip/netmask>
desnaon <value> source-port <1-65535> desnaon-port <1-65535> source-netmask
<1-128> desnaon-netmask <1-128> protocol <1-255> non-ip <exclude|include|only> ipv6-only
<yes|no> lacp <yes|no>
debug dataplane packet-diag set capture snaplen <40-65535>
debug dataplane packet-diag set capture username <value>
debug dataplane packet-diag set capture on
debug dataplane packet-diag set capture off
debug dataplane packet-diag set capture trigger applicaon from <value> to <value> file <value>
packet-count <1-209715200> byte-count <1-209715200>
debug dataplane packet-diag set capture stage receive file <value> packet-count <1-209715200>
byte-count <1-209715200>
debug dataplane packet-diag set capture stage firewall file <value> packet-count <1-209715200>
byte-count <1-209715200>
debug dataplane packet-diag set capture stage drop file <value> packet-count <1-209715200>
byte-count <1-209715200>
debug dataplane packet-diag set capture stage transmit file <value> packet-count
<1-209715200> byte-count <1-209715200>
debug dataplane packet-diag set capture stage clientless-vpn-client file <value> packet-count
<1-209715200> byte-count <1-209715200> detail-level <0-2>
debug dataplane packet-diag set capture stage clientless-vpn-server file <value> packet-count
<1-209715200> byte-count <1-209715200> detail-level <0-2>
debug dataplane packet-diag set log meout <0-3600>
debug dataplane packet-diag set log buffer-threshold <60-100>
debug dataplane packet-diag set log cpu-threshold <60-100>
debug dataplane packet-diag set log counter <value>
debug dataplane packet-diag set log on
debug dataplane packet-diag set log off

PAN-OS CLI Quick Start Version Version 10.1 215 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane packet-diag set log log-opon throle <yes|no>

debug dataplane packet-diag set log feature base <config|id|ha|all>
debug dataplane packet-diag set log feature tdb <basic|aho|all>
debug dataplane packet-diag set log feature cfg <basic|config|agent|all>
debug dataplane packet-diag set log feature tcp <reass|fptcp|rexmt|all>
debug dataplane packet-diag set log feature ssl <basic|offload|all>
debug dataplane packet-diag set log feature proxy <basic|all>
debug dataplane packet-diag set log feature pow <basic|all>
debug dataplane packet-diag set log feature zip <basic|all>
debug dataplane packet-diag set log feature misc <misc|all>
debug dataplane packet-diag set log feature module <aho|dfa|scan|url|all>
debug dataplane packet-diag set log feature flow <basic|ager|ha|np|arp|nd|receive|pred|log|o|
track|cluster|sdwan|sdwan_probe|o|all>
debug dataplane packet-diag set log feature tunnel <flow|ager>
debug dataplane packet-diag set log feature ctd <basic|dns|sml|url|detector|mlav|urlcat|error|voip|
autogen|wif|all>
debug dataplane packet-diag set log feature appid <agt|basic|policy|dfa|all>
debug dataplane packet-diag set log feature url_trie <basic|stat|all>
debug dataplane packet-diag set log feature hp2 <basic|all>
debug dataplane packet-diag set log feature all
debug dataplane packet-diag set filter-marked-session id <1-4294967295>
debug dataplane packet-diag clear all
debug dataplane packet-diag clear filter index <1-4>|<all> clear-marked-session <yes|no>
debug dataplane packet-diag clear capture trigger <global-counter|applicaon>
debug dataplane packet-diag clear capture stage <receive|firewall|drop|transmit|clientless-vpn-
client|clientless-vpn-server>
debug dataplane packet-diag clear capture all
debug dataplane packet-diag clear capture snaplen
debug dataplane packet-diag clear capture username
debug dataplane packet-diag clear log counter <value>|<all>
debug dataplane packet-diag clear log log
debug dataplane packet-diag clear log feature url_trie <basic|stat|all>
debug dataplane packet-diag clear log feature base <config|id|ha|all>
debug dataplane packet-diag clear log feature tdb <basic|aho|all>

PAN-OS CLI Quick Start Version Version 10.1 216 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane packet-diag clear log feature cfg <basic|config|agent|all>

debug dataplane packet-diag clear log feature tcp <reass|fptcp|rexmt|all>
debug dataplane packet-diag clear log feature ssl <basic|offload|all>
debug dataplane packet-diag clear log feature proxy <basic|all>
debug dataplane packet-diag clear log feature pow <basic|all>
debug dataplane packet-diag clear log feature zip <basic|all>
debug dataplane packet-diag clear log feature misc <misc|all>
debug dataplane packet-diag clear log feature module <aho|dfa|scan|url|all>
debug dataplane packet-diag clear log feature flow <basic|ager|ha|np|arp|nd|receive|pred|sdwan|
sdwan_probe|o|all>
debug dataplane packet-diag clear log feature tunnel <flow|ager>
debug dataplane packet-diag clear log feature ctd <basic|sml|url|detector|urlcat|error|voip|
autogen|wif|all>
debug dataplane packet-diag clear log feature appid <agt|basic|policy|dfa|all>
debug dataplane packet-diag clear log feature hp2 <basic|all>
debug dataplane packet-diag clear log feature all
debug dataplane packet-diag clear filter-marked-session id <1-4294967295>
debug dataplane packet-diag clear filter-marked-session all
debug dataplane packet-diag show seng
debug dataplane packet-diag show tag
debug dataplane packet-diag show filter-marked-session
debug dataplane nelow stascs
debug dataplane nelow clear
debug dataplane pool stascs
debug dataplane pool reset-max-usage
debug dataplane pool check hardware <0-255>
debug dataplane pool check soware <0-255>
debug dataplane pool set on name vcheck fid
debug dataplane pool set on name vcheck sessid
debug dataplane pool set on name vcheck fid-sessid
debug dataplane pool set on name dthreat d
debug dataplane pool set on name dthreat sessid
debug dataplane pool set on name dthreat d-sessid
debug dataplane pool set on name fptcp sessid-cid

PAN-OS CLI Quick Start Version Version 10.1 217 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane pool set sz-lockless disable

debug dataplane pool set sz-lockless enable
debug dataplane pool set openssl-cache disable
debug dataplane pool set openssl-cache enable
debug dataplane pool set openssl-leakiller disable
debug dataplane pool set openssl-leakiller enable
debug dataplane pool set off
debug dataplane pool show in-use top <1-100>
debug dataplane pool show history top <1-100>
debug dataplane pool show all top <1-100>
debug dataplane pool mem file <value> mode <value> start <value> size <1-2147483648>
debug dataplane pow status nonic
debug dataplane pow status nosleep
debug dataplane pow status niconly
debug dataplane pow performance all
debug dataplane memory status
debug dataplane memory dump bootmem enable log_disk_percent <1-50>
debug dataplane memory dump bootmem disable
debug dataplane memory dump bootmem show
debug dataplane memory dump bootmem delete file <value>
debug dataplane tcp state
debug dataplane pvst sys-id-ext-rewrite yes
debug dataplane pvst sys-id-ext-rewrite no
debug dataplane pvst sys-id-ext-rewrite show
debug dataplane internal pdt abort
debug dataplane internal pdt oct bgx config bgx <0-2>
debug dataplane internal pdt oct bgx status bgx <0-2>
debug dataplane internal pdt oct bootmem avail
debug dataplane internal pdt oct bootmem named
debug dataplane internal pdt oct csr rd reg <value>
debug dataplane internal pdt oct fpa show
debug dataplane internal pdt oct gmx stats port <0-31> clear <yes|no>
debug dataplane internal pdt oct pip stats port <0-31>

PAN-OS CLI Quick Start Version Version 10.1 218 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane internal pdt oct pko debug port <0-31>

debug dataplane internal pdt oct pko stats port <0-31>
debug dataplane internal pdt oct pko stats all <yes|no>
debug dataplane internal pdt oct pki dump
debug dataplane internal pdt oct pki stats
debug dataplane internal pdt oct pki port_config port <0-31>
debug dataplane internal pdt oct pko3 dump
debug dataplane internal pdt oct pko3 stats
debug dataplane internal pdt oct ilk stats
debug dataplane internal pdt oct ilk link
debug dataplane internal pdt oct portmap show
debug dataplane internal pdt oct pow debug all <yes|no>
debug dataplane internal pdt pci list
debug dataplane internal pdt nac show-all
debug dataplane internal pdt nac aho dump instance <0-1> table <0-1>
debug dataplane internal pdt nac dfa dump instance <0-1> table <0-1>
debug dataplane internal pdt nac info instance <0-1>
debug dataplane internal pdt nac stats instance <0-1>
debug dataplane internal pdt ce10 show-all
debug dataplane internal pdt ce10 cip ififo instance <0-65535>
debug dataplane internal pdt ce10 cip ofifo instance <0-65535>
debug dataplane internal pdt ce10 cip mfifo instance <0-65535>
debug dataplane internal pdt ce10 cip match_cnt instance <0-65535>
debug dataplane internal pdt ce10 cip status instance <0-65535>
debug dataplane internal pdt ce10 cip act_ace_acc_stats instance <0-65535>
debug dataplane internal pdt ce10 cip opb_status instance <0-65535>
debug dataplane internal pdt ce10 cip pfifo instance <0-65535>
debug dataplane internal pdt ce10 cip dlp_afifo instance <0-65535>
debug dataplane internal pdt ce10 cip dlp_mfifo instance <0-65535>
debug dataplane internal pdt ce10 dfa ififo instance <0-65535>
debug dataplane internal pdt ce10 dfa ofifo instance <0-65535>
debug dataplane internal pdt ce10 dfa match_cnt instance <0-65535>
debug dataplane internal pdt ce10 dfa status instance <0-65535>

PAN-OS CLI Quick Start Version Version 10.1 219 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane internal pdt ce10 dfa err_log instance <0-65535>

debug dataplane internal pdt ce10 dfa lookup_cnt instance <0-65535>
debug dataplane internal pdt ce10 dfa opb_status instance <0-65535>
debug dataplane internal pdt ce10 pbm status instance <0-65535>
debug dataplane internal pdt ce10 rd instance <0-65535> offset <0-131128> count <0-1024>
debug dataplane internal pdt ce10 show clocks instance <0-65535>
debug dataplane internal pdt ce10 show version instance <0-65535>
debug dataplane internal pdt ce10 show memory_status instance <0-65535>
debug dataplane internal pdt ce10 show in_stat instance <0-65535>
debug dataplane internal pdt ce10 dxge info instance <0-65535>
debug dataplane internal pdt ce10 dxge stats instance <0-65535> clear <yes|no>
debug dataplane internal pdt ce10 dxaui info instance <0-65535>
debug dataplane internal pdt fe100 rd offset <0-131071> count <0-4096>
debug dataplane internal pdt fe100 mem rd target_mem <0-262144> index <0-65535> module
<0-65535> dcnt <0-65535> phy_mode <0-65535>
debug dataplane internal pdt fe100 umctl2_reg rd dcfg <0-65535> offset <0-65535>
debug dataplane internal pdt fe100 dphy_reg rd dcfg <0-65535> block <0-65535> inst
<0-65535> rank_pair <0-65535> offset <0-65535>
debug dataplane internal pdt fe100 show config
debug dataplane internal pdt fe100 show fc clear <yes|no>
debug dataplane internal pdt fe100 show intr
debug dataplane internal pdt fe100 show latency ipq
debug dataplane internal pdt fe100 show latency par
debug dataplane internal pdt fe100 show latency lif
debug dataplane internal pdt fe100 show latency acl
debug dataplane internal pdt fe100 show latency dfp
debug dataplane internal pdt fe100 show latency flu
debug dataplane internal pdt fe100 show latency lef
debug dataplane internal pdt fe100 show latency qmm
debug dataplane internal pdt fe100 show latency lag
debug dataplane internal pdt fe100 show latency sem
debug dataplane internal pdt fe100 show latency tlu
debug dataplane internal pdt fe100 show latency egr
debug dataplane internal pdt fe100 show latency m

PAN-OS CLI Quick Start Version Version 10.1 220 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane internal pdt fe100 show latency fdt

debug dataplane internal pdt fe100 show latency fcm
debug dataplane internal pdt fe100 show latency tdi
debug dataplane internal pdt fe100 show latency all
debug dataplane internal pdt fe100 show stats port port <0-1> clear <yes|no>
debug dataplane internal pdt fe100 show stats tmi clear <yes|no>
debug dataplane internal pdt fe100 show stats nif clear <yes|no>
debug dataplane internal pdt fe100 show stats hif_err clear <yes|no>
debug dataplane internal pdt fe100 show stats ipq clear <yes|no>
debug dataplane internal pdt fe100 show stats par clear <yes|no>
debug dataplane internal pdt fe100 show stats lif clear <yes|no>
debug dataplane internal pdt fe100 show stats acl clear <yes|no>
debug dataplane internal pdt fe100 show stats dfp clear <yes|no>
debug dataplane internal pdt fe100 show stats flu clear <yes|no>
debug dataplane internal pdt fe100 show stats cfp clear <yes|no>
debug dataplane internal pdt fe100 show stats fwd clear <yes|no>
debug dataplane internal pdt fe100 show stats lef clear <yes|no>
debug dataplane internal pdt fe100 show stats qmm clear <yes|no>
debug dataplane internal pdt fe100 show stats lag clear <yes|no>
debug dataplane internal pdt fe100 show stats prw clear <yes|no>
debug dataplane internal pdt fe100 show stats sem clear <yes|no>
debug dataplane internal pdt fe100 show stats tlu clear <yes|no>
debug dataplane internal pdt fe100 show stats egr clear <yes|no>
debug dataplane internal pdt fe100 show stats m clear <yes|no>
debug dataplane internal pdt fe100 show stats fdt clear <yes|no>
debug dataplane internal pdt fe100 show stats fcm clear <yes|no>
debug dataplane internal pdt fe100 show stats tdi clear <yes|no>
debug dataplane internal pdt fe100 show stats all clear <yes|no>
debug dataplane internal pdt fe100 show status lif
debug dataplane internal pdt fe100 show status nif
debug dataplane internal pdt fe100 show status tmi
debug dataplane internal pdt fe100 show status ipq
debug dataplane internal pdt fe100 show status acl

PAN-OS CLI Quick Start Version Version 10.1 221 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane internal pdt fe100 show status dfp

debug dataplane internal pdt fe100 show status flu
debug dataplane internal pdt fe100 show status cfp
debug dataplane internal pdt fe100 show status fwd
debug dataplane internal pdt fe100 show status lef
debug dataplane internal pdt fe100 show status qmm
debug dataplane internal pdt fe100 show status lag
debug dataplane internal pdt fe100 show status prw
debug dataplane internal pdt fe100 show status sem
debug dataplane internal pdt fe100 show status tlu
debug dataplane internal pdt fe100 show status egr
debug dataplane internal pdt fe100 show status m
debug dataplane internal pdt fe100 show status fdt
debug dataplane internal pdt fe100 show status fcm
debug dataplane internal pdt fe100 show status tdi
debug dataplane internal pdt fe100 show status all
debug dataplane internal pdt fe100 mymac dump
debug dataplane internal pdt fe100 portmap dump
debug dataplane internal pdt fe100 nexthop dump type <DIRECT|IPV4|IPV6|MAC>
debug dataplane internal pdt fe100 smac dump
debug dataplane internal pdt fe100 flow lookup saddr <value> daddr <value> sport <0-65535>
dport <0-65535> zone <0-65535> proto <0-255>
debug dataplane internal pdt fe100 flow dump offset <0-65535> count <0-65535> verbose
<yes|no> saddr <value> daddr <value> sport <0-65535> dport <0-65535> proto <0-255> zone
<0-65535> flowid <0-2147483647>
debug dataplane internal pdt fe100 flow histo
debug dataplane internal pdt fe100 flow ctrs
debug dataplane internal pdt fe100 flow tbl_size
debug dataplane internal pdt fe100 mac dump offset <0-65535> count <0-65535>
debug dataplane internal pdt fe100 route dump pt <IPV4|IPV6> offset <0-65535> count
<0-65535>
debug dataplane internal pdt fe100 qmap dump pt <0-3> offset <0-65535> count <0-65535>
debug dataplane internal pdt fe100 mtp dump
debug dataplane internal pdt fe100 spm dump
debug dataplane internal pdt fe100 nif check_port

PAN-OS CLI Quick Start Version Version 10.1 222 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane internal pdt fe100 nif pkt_cap help

debug dataplane internal pdt fe100 nif pkt_cap display in <0-4>
debug dataplane internal pdt fe100 nif pkt_cap disable in <0-4>
debug dataplane internal pdt fe100 nif pkt_cap enable in <0-4> cont <yes|no>
debug dataplane internal pdt fe100 tmi check_port
debug dataplane internal pdt fe100 tmi pkt_cap help
debug dataplane internal pdt fe100 tmi pkt_cap display in <0-4>
debug dataplane internal pdt fe100 tmi pkt_cap disable in <0-4>
debug dataplane internal pdt fe100 tmi pkt_cap enable in <0-4> cont <yes|no>
debug dataplane internal pdt fe100 lif tbl_size
debug dataplane internal pdt fe100 lif access table <0-1>
debug dataplane internal pdt fe100 lif lookup table <0-1>
debug dataplane internal pdt fe100 lif dump count <0-65535> table <0-1> offset <0-65535>
debug dataplane internal pdt fe100 lif stats clear <yes|no>
debug dataplane internal pdt fe100 lef dump count <0-65535>
debug dataplane internal pdt fe100 parser dump
debug dataplane internal pdt fe100 acl dump count <0-65535> offset <0-65535>
debug dataplane internal pdt fe100 lag dump count <0-65535>
debug dataplane internal pdt fe100 predict dump count <0-65535> offset <0-65535>
debug dataplane internal pdt fe100 vsys dump count <0-65535> offset <0-65535>
debug dataplane internal pdt fe100 event fetch offset <0-65535>
debug dataplane internal pdt fe100 event dump count <0-65535> offset <0-65535>
debug dataplane internal pdt fe100 csr fifos
debug dataplane internal pdt fe100 csr intrs
debug dataplane internal pdt fe100 csr errs
debug dataplane internal pdt fe100 csr stats
debug dataplane internal pdt fe100 csr scan regex <value>
debug dataplane internal pdt fe100 csr rd addr <0-65535> name <value>
debug dataplane internal pdt fe100 debug check
debug dataplane internal pdt fe100 traffic info
debug dataplane internal pdt fe100 ddr eye in <0-6> threshold <0-65535>
debug dataplane internal pdt bcm counters chip
debug dataplane internal pdt bcm counters port

PAN-OS CLI Quick Start Version Version 10.1 223 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane internal pdt bcm counters graphical

debug dataplane internal pdt bcm lport shaper get lport <0-65535> fport <1-65535> type <0-6>
index <1-65535>
debug dataplane internal pdt bcm show flow flow_id <1-65535>
debug dataplane internal pdt bcm show queue non_empty
debug dataplane internal pdt bcm show queue full
debug dataplane internal pdt bcm show queue congeson
debug dataplane internal pdt bcm show congeson egress
debug dataplane internal pdt bcm show congeson ingress
debug dataplane internal pdt bcm show port name_mappings
debug dataplane internal pdt bcm show port status
debug dataplane internal vif route <0-255>
debug dataplane internal vif address
debug dataplane internal vif link
debug dataplane internal vif rule
debug dataplane internal vif vr
debug dataplane fpga set sw_aho <yes|no>
debug dataplane fpga set sw_dfa <yes|no>
debug dataplane fpga hw_aho offload-request-threshold <1-1024>
debug dataplane fpga hw_aho offload-bytes-threshold <0-9000>
debug dataplane fpga hw_dfa offload-request-threshold <1-1024>
debug dataplane fpga hw_dfa offload-bytes-threshold <0-9000>
debug dataplane fpga state
debug dataplane flow-control enable port <1-24>
debug dataplane flow-control disable port <1-24>
debug dataplane process comm on dump
debug dataplane process comm on debug
debug dataplane process comm on info
debug dataplane process comm on warn
debug dataplane process comm on error
debug dataplane process comm off
debug dataplane process comm show
debug dataplane process task on dump
debug dataplane process task on debug

PAN-OS CLI Quick Start Version Version 10.1 224 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane process task on info

debug dataplane process task on warn
debug dataplane process task on error
debug dataplane process task off
debug dataplane process task show
debug dataplane process task dynamic-filter show
debug dataplane process task dynamic-filter off
debug dataplane process task dynamic-filter on
debug dataplane process mprelay on dump
debug dataplane process mprelay on debug
debug dataplane process mprelay on info
debug dataplane process mprelay on warn
debug dataplane process mprelay on error
debug dataplane process mprelay off
debug dataplane process mprelay show
debug dataplane process grpcd on dump
debug dataplane process grpcd on debug
debug dataplane process grpcd on info
debug dataplane process grpcd on warn
debug dataplane process grpcd on error
debug dataplane process grpcd off
debug dataplane process grpcd show
debug dataplane process ha-agent on dump
debug dataplane process ha-agent on debug
debug dataplane process ha-agent on info
debug dataplane process ha-agent on warn
debug dataplane process ha-agent on error
debug dataplane process ha-agent off
debug dataplane process ha-agent show
debug dataplane process dssd on dump
debug dataplane process dssd on debug
debug dataplane process dssd on info
debug dataplane process dssd on warn

PAN-OS CLI Quick Start Version Version 10.1 225 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dataplane process dssd on error

debug dataplane process dssd off
debug dataplane process dssd show
debug dataplane task-heartbeat on
debug dataplane task-heartbeat off
debug dataplane task-heartbeat show
debug dataplane monitor detail on
debug dataplane monitor detail off
debug dataplane monitor detail show
debug sslmgr on error
debug sslmgr on warn
debug sslmgr on info
debug sslmgr on debug
debug sslmgr on dump
debug sslmgr off
debug sslmgr show memory <summary|detail>
debug sslmgr show seng
debug sslmgr show ocsp-next-update-me
debug sslmgr show session-cache-stats
debug sslmgr stascs
debug sslmgr tar-all-crl
debug sslmgr save ocsp
debug sslmgr reset ssl-keys
debug sslmgr reset session-cache
debug sslmgr clear log
debug sslmgr set ocsp-next-update-me <1-10080>
debug sslmgr set disable-scep-auth-cookie <yes|no>
debug sslmgr set ocsp-validity-no-next-update <0-86400>
debug sslmgr set ocsp-validity-status-unavailable <0-86400>
debug sslmgr set crl-background-download on
debug sslmgr set crl-background-download off
debug sslmgr view crl <value>
debug sslmgr view ocsp <value>|<all>

PAN-OS CLI Quick Start Version Version 10.1 226 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug sslmgr view pending-crl-downloads

debug sslmgr delete crl <value>|<all>
debug sslmgr delete ocsp <value>|<all>
debug sslmgr test gp-client-cert-check cert-file <value> cert-profile <value>
debug sslmgr test show-cert-check-jobs
debug log-receiver corr-mgr on <general|object|instance|sync|filter|back-query|log-match|msg|db|
acon|summary|noficaon|all>
debug log-receiver corr-mgr off <general|object|instance|sync|filter|back-query|log-match|msg|db|
acon|summary|noficaon|all>
debug log-receiver corr-mgr stats show object <value>
debug log-receiver corr-mgr stats clear object <value>
debug log-receiver corr-mgr show brief
debug log-receiver corr-mgr show object id <value>
debug log-receiver corr-mgr show object list
debug log-receiver corr-mgr show instance summary
debug log-receiver corr-mgr show instance search category <value> type <value> skip <value>
contains <value>
debug log-receiver corr-mgr show filter search object <value> name <value> start-index <value>
contains <value> skip <value>
debug log-receiver corr-mgr show failed serialize
debug log-receiver corr-mgr show failed deserialize
debug log-receiver corr-mgr show failed acon
debug log-receiver corr-mgr show failed summary
debug log-receiver corr-mgr show back-query status <constructed|pending|working|executed>
debug log-receiver rawlog_fwd stats global show verbose
debug log-receiver rawlog_fwd stats global clear
debug log-receiver rawlog_fwd stats per-lc show
debug log-receiver rawlog_fwd stats per-lc clear
debug log-receiver rawlog_fwd on general on
debug log-receiver rawlog_fwd on buffer on
debug log-receiver rawlog_fwd on query on
debug log-receiver rawlog_fwd on hint on
debug log-receiver rawlog_fwd on migrate on
debug log-receiver rawlog_fwd on rawlog on
debug log-receiver rawlog_fwd off

PAN-OS CLI Quick Start Version Version 10.1 227 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug log-receiver rawlog_fwd clear hints-all

debug log-receiver rawlog_fwd show hints
debug log-receiver rawlog_fwd show hints-stats
debug log-receiver rawlog_fwd show hints-max
debug log-receiver rawlog_fwd show hints-expiraon-duraon
debug log-receiver rawlog_fwd show connmgr verbose <yes|no>
debug log-receiver rawlog_fwd show evtmgr
debug log-receiver rawlog_fwd set hints-max <0-20000>
debug log-receiver rawlog_fwd set hints-expiraon-duraon <0-846000>
debug log-receiver rawlog_fwd_trial stats global show verbose
debug log-receiver rawlog_fwd_trial connmgr
debug log-receiver rawlog_fwd_trial evtmgr
debug log-receiver dag disable-dag-logging <yes|no|show>
debug log-receiver dag always-include-dag <yes|no|show>
debug log-receiver dag on <general|mapping|injecon|interset>
debug log-receiver dag off <general|mapping|injecon|interset>
debug log-receiver dag dump ip-dag ip <ip/netmask> vsysid <1-255> len <0-128>
debug log-receiver dag dump rule-dag rule_uuid <value>
debug log-receiver dag dump dag-id vsysid <0-255> dag-name <value>
debug log-receiver dag dump id-dag dag-idx <0-4096>
debug log-receiver dag show
debug log-receiver ip-cache clear node-data vsysid <1-1024> ip <ip/netmask> len <1-128> type
<0-1024>
debug log-receiver ip-cache clear vsys-data vsysid <1-1024>
debug log-receiver edl disable-edl-logging <yes|no|show>
debug log-receiver edl on <general|mapping|injecon|interset>
debug log-receiver edl off <general|mapping|injecon|interset>
debug log-receiver edl dump ip-edl ip <ip/netmask> vsysid <1-255> len <0-128>
debug log-receiver edl dump rule-edl rule_uuid <value>
debug log-receiver edl dump edl-id vsysid <0-255> edl-name <value>
debug log-receiver edl dump id-edl edl-idx <0-4096>
debug log-receiver edl show
debug log-receiver contmgr status
debug log-receiver on normal

PAN-OS CLI Quick Start Version Version 10.1 228 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug log-receiver on debug

debug log-receiver on dump
debug log-receiver off
debug log-receiver show
debug log-receiver stascs
debug log-receiver per-second-stats on threat
debug log-receiver per-second-stats on all
debug log-receiver per-second-stats on traffic
debug log-receiver per-second-stats on decrypon
debug log-receiver per-second-stats on sctp
debug log-receiver per-second-stats on gtp
debug log-receiver per-second-stats on general
debug log-receiver per-second-stats off
debug log-receiver queue-stats
debug log-receiver cache-stats
debug log-receiver log-flow trace show
debug log-receiver log-flow counters
debug log-receiver memory info verbose
debug log-receiver memory trim
debug log-receiver memory per-second-stats on
debug log-receiver memory per-second-stats off
debug log-receiver log-forwarding status
debug log-receiver log-forwarding per-second-stats on
debug log-receiver log-forwarding per-second-stats off
debug log-receiver log-forwarding-connecons status
debug log-receiver log-forwarding-connecons per-second-stats on
debug log-receiver log-forwarding-connecons per-second-stats off
debug log-receiver correlaon stats show
debug log-receiver correlaon filters show
debug log-receiver dpi dump on
debug log-receiver dpi dump off
debug log-receiver dpi dump clear
debug log-receiver dpi dump format binary

PAN-OS CLI Quick Start Version Version 10.1 229 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug log-receiver dpi dump format base64

debug log-receiver nelow stascs
debug log-receiver nelow clear
debug log-receiver fwd on
debug log-receiver fwd off
debug log-receiver fwd show
debug log-receiver container-page meout <1-86400>
debug log-receiver container-page entries <4-65536>
debug log-receiver container-page on
debug log-receiver container-page off
debug log-receiver telemetry-triggers on
debug log-receiver telemetry-triggers off
debug log-receiver telemetry-triggers counters
debug wildfire dp-status
debug wildfire transion-file-list
debug wildfire content-info
debug wildfire file-digest sha256 <value>
debug wildfire reset dp-receiver
debug wildfire reset file-cache
debug wildfire reset log-cache channel <public|private>
debug wildfire reset report-cache channel <public|private>
debug wildfire reset forwarding channel <public|private>
debug wildfire reset all
debug wildfire upload-log show channel <public|private>
debug wildfire upload-log log max-size <1-50>
debug wildfire upload-log log extended-log <yes|no>
debug wildfire upload-log log disable
debug wildfire upload-log log enable
debug wildfire upload-log log sengs
debug wildfire file-cache disable
debug wildfire file-cache enable
debug wildfire server-selecon disable
debug wildfire server-selecon enable

PAN-OS CLI Quick Start Version Version 10.1 230 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug wildfire cloud-info channel <public|private> set cloud-type <wf-public|wf-app>

debug wildfire cloud-info channel <public|private> set add-file-type <value>
debug wildfire cloud-info channel <public|private> set delete-file-type <value>
debug wildfire batch-forward set disable <yes|no>
debug wildfire batch-forward set max-count <1-200>
debug wildfire batch-forward set meout <60-240>
debug wildfire report-process channel <public|private> set last-report-id
<0-18446744073709551615>
debug vardata-receiver on <normal|debug|dump>
debug vardata-receiver set third-party <libcurl|all>
debug vardata-receiver set all
debug vardata-receiver unset third-party <libcurl|all>
debug vardata-receiver unset all
debug vardata-receiver off
debug vardata-receiver show
debug vardata-receiver stascs
debug rasmgr on normal
debug rasmgr on debug
debug rasmgr on dump
debug rasmgr off
debug rasmgr show gateway
debug rasmgr show user
debug rasmgr show satellite
debug rasmgr delay-nh-update reset
debug rasmgr delay-nh-update delay-0.1s
debug rasmgr delay-nh-update delay-0.5s
debug rasmgr delay-nh-update delay-1s
debug rasmgr delay-nh-update delay-2s
debug rasmgr stascs reset
debug rasmgr stascs all
debug rasmgr src-ip-trie gateway-name <value>
debug rasmgr ippool reset-all
debug rasmgr gateway
debug rasmgr gateway <name> on <normal|debug|dump>

PAN-OS CLI Quick Start Version Version 10.1 231 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug rasmgr gateway <name> off

debug rasmgr gateway <name> reset
debug rasmgr user
debug rasmgr user <name> domain <value> computer <value> on <normal|debug|dump>
debug rasmgr user <name> domain <value> computer <value> off
debug rasmgr user <name> domain <value> computer <value> reset
debug rasmgr satellite
debug rasmgr satellite <name> on <normal|debug|dump>
debug rasmgr satellite <name> off
debug rasmgr satellite <name> reset
debug satd on normal
debug satd on debug
debug satd on dump
debug satd off
debug satd show
debug satd failed-refresh-meout satellite name <value> portal-refresh-me <0-10> gateway-
refresh-me <0-10>
debug satd stascs reset
debug satd stascs all
debug satd dump cerficate-pool global <acve|alternate>
debug satd dump cerficate-pool satellite <value>
debug ike global on <error|warn|normal|debug|dump>
debug ike global off
debug ike global show
debug ike gateway
debug ike gateway <name> on <error|warn|normal|debug|dump>
debug ike gateway <name> off
debug ike tunnel
debug ike tunnel <name> on <error|warn|normal|debug|dump>
debug ike tunnel <name> off
debug ike tunnel <name> clear
debug ike tunnel <name> stats
debug ike pcap show
debug ike pcap on

PAN-OS CLI Quick Start Version Version 10.1 232 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug ike pcap off

debug ike pcap delete
debug ike pcap view
debug ike socket
debug ike stat isakmp counter <value>
debug ike stat ipsec counter <value>
debug ike stat crlocsp
debug ike stat queue
debug ike stat auth
debug ike stat sadb
debug ike stat v2i_sa
debug ike stat v2r_sa
debug ike stat v1i_sa
debug ike stat v1r_sa
debug ike stat natka
debug ike stat user
debug ike stat rcp
debug ike stat fqdn name <value>
debug ike stat fd
debug ike stat socket-list
debug ike stat sched filter gwid <1-4294967295> d <1-65535> type <0-255> subtype <0-255>
debug keymgr global on <warn|normal|debug|dump>
debug keymgr global off
debug keymgr global show
debug keymgr tunnel id <1-65535> on <warn|normal|debug|dump>
debug keymgr tunnel id <1-65535> off
debug keymgr gateway id <1-4294967295> on <warn|normal|debug|dump>
debug keymgr gateway id <1-4294967295> off
debug keymgr queue
debug keymgr socket
debug keymgr list-sa
debug tund global on <warn|normal|debug|dump>
debug tund global off

PAN-OS CLI Quick Start Version Version 10.1 233 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug tund global show

debug tund tunnel id <1-65535> on <warn|normal|debug|dump>
debug tund tunnel id <1-65535> off
debug tund tunnel id <1-65535> show
debug tund clear all
debug sdwand global on <warn|normal|debug|dump>
debug sdwand global off
debug sdwand global show
debug sdwand clear all
debug sdwand path-monitor enable tunnel-id <0-1000000>
debug sdwand path-monitor enable all
debug sdwand path-monitor disable tunnel-id <0-1000000>
debug sdwand path-monitor disable all
debug sdwand feature show
debug sdwand saas hub interval <1-255>
debug sdwand saas branch interval <1-255>
debug dhcpd global on error
debug dhcpd global on warn
debug dhcpd global on info
debug dhcpd global on debug
debug dhcpd global on dump
debug dhcpd global off
debug dhcpd global show
debug dhcpd pcap show
debug dhcpd pcap on virtualrouter <value>
debug dhcpd pcap off
debug dhcpd pcap delete
debug dhcpd pcap view
debug dhcpd show objects
debug dhcpd high-availability ignore-config-sync yes
debug dhcpd high-availability ignore-config-sync no
debug dhcpd downgrade convert-db
debug license open-offload on

PAN-OS CLI Quick Start Version Version 10.1 234 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug license open-offload off

debug license show
debug l2ctrld global on error
debug l2ctrld global on warn
debug l2ctrld global on info
debug l2ctrld global on debug
debug l2ctrld global on dump
debug l2ctrld global off
debug l2ctrld global show
debug l2ctrld lldp on error
debug l2ctrld lldp on warn
debug l2ctrld lldp on info
debug l2ctrld lldp on debug
debug l2ctrld lldp on dump
debug l2ctrld lldp off
debug l2ctrld lldp show debug-level
debug l2ctrld lldp show stagger-limit
debug l2ctrld lldp pcap show
debug l2ctrld lldp pcap on virtualrouter <value>
debug l2ctrld lldp pcap off
debug l2ctrld lldp pcap delete
debug l2ctrld lldp pcap view
debug l2ctrld lldp delete neighbor <value>|<all>
debug l2ctrld lldp set stagger-limit <3-30>
debug l2ctrld lacp on error
debug l2ctrld lacp on warn
debug l2ctrld lacp on info
debug l2ctrld lacp on debug
debug l2ctrld lacp on dump
debug l2ctrld lacp off
debug l2ctrld lacp show debug-level
debug l2ctrld lacp show hold-me
debug l2ctrld lacp set hold-me aggregate-ethernet <value>|<all> enable <yes|no> interval
<3-600>

PAN-OS CLI Quick Start Version Version 10.1 235 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug ifmgr pstate port <value>

debug ifmgr dump-portdb
debug ifmgr dump-history port <value>
debug ifmgr dump-detail-history port <value>
debug roung mib <value>
debug roung list-mib
debug roung qtrace enable afi <ip|ip6|both> type <ospf|bgp|routed>
debug roung qtrace disable afi <ip|ip6> type <ospf|bgp|routed>
debug roung qtrace show afi <ip|ip6> type <ospf|bgp|routed>
debug roung qtrace flush-log
debug roung fqdn display virtual-router <value> type <dnsproxy|bgp|stac|all>
debug roung dctrace show
debug roung dctrace ips enable <yes|no> clear <yes|no>
debug roung dctrace pd enable <yes|no> clear <yes|no>
debug roung dctrace both enable <yes|no> clear <yes|no>
debug roung fib flush
debug roung fib stats
debug roung fib clear virtual-router <value> hit-cnt
debug roung ifmon
debug roung mpf stats
debug roung mpf offload on
debug roung mpf offload off
debug roung global on error
debug roung global on info
debug roung global on debug
debug roung global on dump
debug roung global off
debug roung global show
debug roung pcap show
debug roung pcap bgp on virtualrouter <value>
debug roung pcap bgp off
debug roung pcap bgp delete
debug roung pcap bgp view

PAN-OS CLI Quick Start Version Version 10.1 236 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug roung pcap igmp on virtualrouter <value>

debug roung pcap igmp off
debug roung pcap igmp delete
debug roung pcap igmp view
debug roung pcap ospf on virtualrouter <value>
debug roung pcap ospf off
debug roung pcap ospf delete
debug roung pcap ospf view
debug roung pcap ospfv3 on virtualrouter <value>
debug roung pcap ospfv3 off
debug roung pcap ospfv3 delete
debug roung pcap ospfv3 view
debug roung pcap pim on virtualrouter <value>
debug roung pcap pim off
debug roung pcap pim delete
debug roung pcap pim view
debug roung pcap rip on virtualrouter <value>
debug roung pcap rip off
debug roung pcap rip delete
debug roung pcap rip view
debug roung pcap all on virtualrouter <value>
debug roung pcap all off
debug roung pcap all delete
debug roung pcap all view
debug roung socket
debug roung dynamic-routes
debug roung restart
debug roung path-monitor id <0-1023>
debug bfd global on error
debug bfd global on info
debug bfd global on debug
debug bfd global on dump
debug bfd global off

PAN-OS CLI Quick Start Version Version 10.1 237 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug bfd global show

debug ssl-vpn global on error
debug ssl-vpn global on info
debug ssl-vpn global on debug
debug ssl-vpn global on dump
debug ssl-vpn global off
debug ssl-vpn global show
debug ssl-vpn socket
debug ssl-vpn global-protect-portal name <value>
debug ssl-vpn global-protect-gateway name <value>
debug global-protect portal interval <60-86400>
debug global-protect portal on
debug global-protect portal off
debug global-protect portal show
debug global-protect portal clientlessvpn host-match-referer on
debug global-protect portal clientlessvpn host-match-referer off
debug global-protect portal clientlessvpn host-match-referer show
debug global-protect reset-sysd-health-stat event-details
debug global-protect reset-sysd-health-stat all
debug l3svc on <dump|debug|info|warn|error>
debug l3svc off
debug l3svc clear
debug l3svc reset user-cache <value>|<all>
debug l3svc show user-cache
debug l3svc pcap show
debug l3svc pcap on virtualrouter <value>
debug l3svc pcap off
debug l3svc pcap delete
debug l3svc pcap view
debug l3svc capve-portal kerberos-meout interval <1-120>
debug l3svc capve-portal kerberos-meout on
debug l3svc capve-portal kerberos-meout off
debug l3svc capve-portal kerberos-meout show

PAN-OS CLI Quick Start Version Version 10.1 238 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug pppoed global on warn

debug pppoed global on info
debug pppoed global on debug
debug pppoed global on dump
debug pppoed global off
debug pppoed global show
debug pppoed pcap show
debug pppoed pcap on
debug pppoed pcap off
debug pppoed pcap delete
debug pppoed pcap view
debug pppoed show interface <value>|<all>
debug dnsproxyd global on warn
debug dnsproxyd global on info
debug dnsproxyd global on debug
debug dnsproxyd global on dump
debug dnsproxyd global off
debug dnsproxyd global show
debug dnsproxyd show objects
debug dnsproxyd show connecons
debug dnsproxyd show batches
debug dnsproxyd show persistent
debug dnsproxyd show cache-stascs
debug dnsproxyd show sys-stascs
debug dnsproxyd clear sys-stats
debug dnsproxyd clear cache-stascs
debug dnsproxyd clear fqdn counters
debug dnsproxyd disable-per-vsys yes
debug dnsproxyd disable-per-vsys no
debug dnsproxyd fqdn dump brief
debug dnsproxyd fqdn counters delta
debug dnsproxyd dns-signature query bypass-cache <yes|no> fqdn <value> dp-source slot <1-8>
dp <0-7>
debug dnsproxyd dns-signature query_n bypass-cache <yes|no> fqdns

PAN-OS CLI Quick Start Version Version 10.1 239 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug dnsproxyd dns-signature query_n bypass-cache <yes|no> fqdns [ <fqdns1> <fqdns2>... ]

debug dnsproxyd dns-signature query_n bypass-cache <yes|no> dp-source slot <1-8> dp <0-7>
debug dnsproxyd dns-signature response fqdn <value> l <1-30758400> gd <0-4294967295>
verdict <0-100>|<0|1|2|4|5|9> match-subdomains <yes|no> threat-name <value>
debug dnsproxyd dns-signature response_n fqdns
debug dnsproxyd dns-signature response_n fqdns [ <fqdns1> <fqdns2>... ]
debug dnsproxyd dns-signature response_n ls
debug dnsproxyd dns-signature response_n ls [ <ls1> <ls2>... ]
debug dnsproxyd dns-signature response_n gds
debug dnsproxyd dns-signature response_n gds [ <gds1> <gds2>... ]
debug dnsproxyd dns-signature response_n verdicts
debug dnsproxyd dns-signature response_n verdicts [ <verdicts1> <verdicts2>... ]
debug dnsproxyd dns-signature response_n match-subdomains
debug dnsproxyd dns-signature response_n match-subdomains [ <match-subdomains1> <match-
subdomains2>... ]
debug dnsproxyd dns-signature response_n threat-names
debug dnsproxyd dns-signature response_n threat-names [ <threat-names1> <threat-names2>... ]
debug dnsproxyd dns-signature allow-list download
debug dnsproxyd dns-signature info
debug dnsproxyd dns-signature cache fqdn <value>
debug dnsproxyd dns-signature threat-info fqdn <value>
debug dnsproxyd dns-signature counters
debug dnsproxyd dns-signature ut threat-info-api api-query-domain fqdn <value>
debug cryptod global on warn
debug cryptod global on info
debug cryptod global on debug
debug cryptod global on dump
debug cryptod global off
debug cryptod global show
debug cryptod show counters
debug cryptod show hsm-thread index <0-19>
debug cryptod show hsm-thread all
debug cryptod clear hsm-key-cache
debug vm-monitor reset source-name <value>|<all>

PAN-OS CLI Quick Start Version Version 10.1 240 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug vm-monitor clear source-name <value>|<all>

debug user-id on <error|warn|info|debug|dump>
debug user-id log-ip-user-mapping <yes|no>
debug user-id log-ip-tag-mapping <yes|no>
debug user-id log-user-tag-mapping <yes|no>
debug user-id disable-email-cache <yes|no>
debug user-id disable-hip-ha <yes|no>
debug user-id set agent <basic|conn|group|sslvpn|detail|tsa|all>
debug user-id set userid <basic|detail|servermonitor|probing|xmlapi|service|vmmonitor|mdm|
syslog|l3svc|groupsync|connmgr|regip|all>
debug user-id set ldap <basic|detail|all>
debug user-id set base <config|ha|id|all>
debug user-id set hip <basic|detail|ha|all>
debug user-id set third-party <libcurl|all>
debug user-id set misc <misc|all>
debug user-id set all
debug user-id unset agent <basic|conn|group|sslvpn|detail|tsa|all>
debug user-id unset userid <basic|detail|servermonitor|probing|xmlapi|service|vmmonitor|mdm|
syslog|l3svc|groupsync|connmgr|regip|all>
debug user-id unset ldap <basic|detail|all>
debug user-id unset base <config|ha|id|all>
debug user-id unset hip <basic|detail|ha|all>
debug user-id unset third-party <libcurl|all>
debug user-id unset misc <misc|all>
debug user-id unset all
debug user-id off
debug user-id get
debug user-id clear group <value>|<all>
debug user-id clear gm-srvc-query <value>|<all>
debug user-id clear log
debug user-id clear ip-port-user-dp ip <ip/netmask>
debug user-id clear domain-map
debug user-id clear email-cache
debug user-id query-unknown-ip on

PAN-OS CLI Quick Start Version Version 10.1 241 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug user-id query-unknown-ip off

debug user-id wmic-dynamic-range on
debug user-id wmic-dynamic-range off
debug user-id disable-max-inial-wmi on
debug user-id disable-max-inial-wmi off
debug user-id agent-getall-rate rate <0-100>
debug user-id agent-getall-rate show
debug user-id agent
debug user-id agent <name> on <error|warn|info|debug|verbose>
debug user-id agent <name> receive <yes|no>
debug user-id agent <name> off
debug user-id agent <name> clear group-mapping <value>|<all>
debug user-id agent <name> clear log
debug user-id agent <name> status
debug user-id agent <name> group-mapping
debug user-id agent <name> group-mapping <name> group name <value>
debug user-id agent <name> group-mapping <name> group list
debug user-id dscd on <error|warn|info|debug|dump>
debug user-id dscd off
debug user-id refresh group-mapping group-mapping-name <value>
debug user-id refresh group-mapping all
debug user-id refresh group-mapping xmlapi-groups
debug user-id refresh user-id agent <value>|<all> ip <ip/netmask>
debug user-id refresh dp-uid-gid
debug user-id refresh cloud-identy-engine name <value>
debug user-id refresh cloud-identy-engine config-data
debug user-id refresh cloud-identy-engine all
debug user-id reset group-mapping <value>|<all>
debug user-id reset credenal-filter <value>|<all>
debug user-id reset user-id-agent <value>|<all>
debug user-id reset ts-agent <value>|<all>
debug user-id reset server-monitor <value>|<all>
debug user-id reset global-protect-mdm <value>|<all>

PAN-OS CLI Quick Start Version Version 10.1 242 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug user-id reset user-id-syslog-parse <value>|<all>

debug user-id reset cloud-identy-engine name <value>
debug user-id reset cloud-identy-engine all
debug user-id reset capve-portal ip-address <ip/netmask>
debug user-id reset user-id-manager type all
debug user-id reset user-id-manager type user
debug user-id reset user-id-manager type user-group
debug user-id reset user-id-manager type computer
debug user-id reset com stascs
debug user-id reset conn-mgr stascs
debug user-id reset ip-user-mapping-stats
debug user-id save hip-profile-database
debug user-id test agentless
debug user-id test sso-login ip-address <ip/netmask> user <value>
debug user-id test cp-login ip-address <ip/netmask> user <value> factor-id-1 <1-65535> factor-
mestamp-1 <1-4294967295> factor-id-2 <1-65535> factor-mestamp-2 <1-4294967295>
factor-id-3 <1-65535> factor-mestamp-3 <1-4294967295> traceroute <yes|no>
debug user-id test cp-logout ip-address <ip/netmask> user <value>
debug user-id test hip-update ip <ip/netmask>
debug user-id test hip-profile-database size <1-65536>
debug user-id test hip-report user <value> ip <ip/netmask> computer <value> copy <yes|no>
debug user-id test probing
debug user-id test idmgr-change-max type user-group new-max-id <1-4294967295>
debug user-id test idmgr-restore-default-max type user-group
debug user-id dump memory <summary|detail>
debug user-id dump hip-report user <value> ip <ip/netmask> computer <value>
debug user-id dump hip-profile-database ipmapping
debug user-id dump hip-profile-database stascs
debug user-id dump hip-profile-database entry start-from <1-131072> ip <ip/netmask> show-
logout <yes|no>
debug user-id dump hip-mdm-cache start-from <1-131072> mobile-id <value>
debug user-id dump ts-agent config
debug user-id dump ts-agent user-ids
debug user-id dump vm-monitored-objects ref-id <value>

PAN-OS CLI Quick Start Version Version 10.1 243 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug user-id dump vm-monitored-objects source-name <value>

debug user-id dump vm-monitored-objects type <vm|host|resource-pool|data-center|folder|
cluster|compute-resource|root>
debug user-id dump vm-monitored-objects all
debug user-id dump domain-id-table domain name <value>
debug user-id dump domain-id-table domain all
debug user-id dump uid-2-primeuid user id <1-4294967295>
debug user-id dump uid-2-primeuid user all
debug user-id dump userPrefix-2-uid user name <value>
debug user-id dump userPrefix-2-uid user all
debug user-id dump uid-2-metadata user id <1-4294967295>
debug user-id dump uid-2-metadata user all
debug user-id dump idmgr high-availability state
debug user-id dump idmgr redis type user id <1-4294967295>
debug user-id dump idmgr redis type user name <value>
debug user-id dump idmgr redis type user all
debug user-id dump idmgr redis type user-group id <1-4294967295>
debug user-id dump idmgr redis type user-group name <value>
debug user-id dump idmgr redis type user-group all
debug user-id dump idmgr redis type computer id <1-4294967295>
debug user-id dump idmgr redis type computer name <value>
debug user-id dump idmgr redis type computer all
debug user-id dump idmgr type user id <1-4294967295>
debug user-id dump idmgr type user name <value>
debug user-id dump idmgr type user all
debug user-id dump idmgr type user-group id <1-4294967295>
debug user-id dump idmgr type user-group name <value>
debug user-id dump idmgr type user-group all
debug user-id dump idmgr type computer id <1-4294967295>
debug user-id dump idmgr type computer name <value>
debug user-id dump idmgr type computer all
debug user-id dump objects-in-policy
debug user-id dump log-stats
debug user-id dump uid-req-stats

PAN-OS CLI Quick Start Version Version 10.1 244 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug user-id dump ip-user-mapping-stats

debug user-id dump l3svc-stats
debug user-id dump domain-map
debug user-id dump ha
debug user-id dump state
debug user-id dump com stascs
debug user-id dump probing-stats
debug user-id dump unresolved-group-id
debug user-id dump xmlapi-stats
debug user-id dump conn-mgr stascs
debug user-id dump edir-user user <value>
debug user-id dump edir-user all
debug user-id dump email-cache email <value>
debug user-id dump email-cache all
debug user-id kerberos purge server-monitor <value>|<all>
debug user-id kerberos list server-monitor <value>|<all>
debug user-id kerberos test server-name <value>
debug user-id kerberos test default
debug object registered-ip clear all source-name <value>|<all|XMLAPI|AGENT>
debug object registered-ip test download-mode <incremental|full>
debug object registered-ip test download
debug object registered-ip test register tag <value> spid <value> ip <ip/netmask>
debug object registered-ip test register tag <value> spid <value> iprange <ip-range>
debug object registered-ip test unregister tag <value> ip <ip/netmask>
debug object registered-ip test unregister tag <value> iprange <ip-range>
debug object registered-ip show tag-source tag <value>|<all> ip <ip/netmask>
debug object registered-ip show tag-source tag <value>|<all> iprange <ip-range>
debug object registered-user clear all tag-source <all|XMLAPI|AGENT>
debug object registered-user test register user <value> tag <value> meout <0-2592000>
debug object registered-user test unregister user <value> tag <value>
debug object registered-user show tag-source user <value> tag <value>|<all>
debug management-interface dhcp client debug on
debug management-interface dhcp client debug off

PAN-OS CLI Quick Start Version Version 10.1 245 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug management-interface dhcp client log

debug proxy fast-session-delete enable yes
debug proxy fast-session-delete enable no
debug evtmgr ms syslog-enabled <yes|no>
debug evtmgr ms show client-id <1-4294967295>
debug evtmgr ms show basic
debug evtmgr ms show detail
debug evtmgr ms debug-log clfy
debug evtmgr ms debug-log client
debug evtmgr ms debug-log msg all
debug evtmgr ms debug-log msg filtered
debug evtmgr ms debug-log mulcast
debug evtmgr ms msg-filter msg-class <0-5> ctype <0-7> dtype <0-7> mtype <0-3>
mid <0-65535> token <0-65535> im-type <0-65535> len min <0-4294967295> max
<0-4294967295>
debug evtmgr ms msg-filter msg-class <0-5> ctype <0-7> dtype <0-7> mtype <0-3> mid
<0-65535> token <0-65535> im-type <0-65535> content starts-with <value> contains <value>
debug evtmgr configd show client-id <1-4294967295>
debug evtmgr configd show basic
debug evtmgr configd show detail
debug evtmgr configd debug-log clfy
debug evtmgr configd debug-log client
debug evtmgr configd debug-log msg all
debug evtmgr configd debug-log msg filtered
debug evtmgr configd debug-log mulcast
debug evtmgr configd msg-filter msg-class <0-5> ctype <0-7> dtype <0-7> mtype <0-3>
mid <0-65535> token <0-65535> im-type <0-65535> len min <0-4294967295> max
<0-4294967295>
debug evtmgr configd msg-filter msg-class <0-5> ctype <0-7> dtype <0-7> mtype <0-3> mid
<0-65535> token <0-65535> im-type <0-65535> content starts-with <value> contains <value>
debug evtmgr reportd show client-id <1-4294967295>
debug evtmgr reportd show basic
debug evtmgr reportd show detail
debug evtmgr reportd debug-log clfy
debug evtmgr reportd debug-log client

PAN-OS CLI Quick Start Version Version 10.1 246 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug evtmgr reportd debug-log msg all

debug evtmgr reportd debug-log msg filtered
debug evtmgr reportd debug-log mulcast
debug evtmgr reportd msg-filter msg-class <0-5> ctype <0-7> dtype <0-7> mtype <0-3>
mid <0-65535> token <0-65535> im-type <0-65535> len min <0-4294967295> max
<0-4294967295>
debug evtmgr reportd msg-filter msg-class <0-5> ctype <0-7> dtype <0-7> mtype <0-3> mid
<0-65535> token <0-65535> im-type <0-65535> content starts-with <value> contains <value>
debug evtmgr logrcvr show client-id <1-4294967295>
debug evtmgr logrcvr show basic
debug evtmgr logrcvr show detail
debug evtmgr logrcvr debug-log clfy
debug evtmgr logrcvr debug-log client
debug evtmgr logrcvr debug-log msg all
debug evtmgr logrcvr debug-log msg filtered
debug evtmgr logrcvr debug-log mulcast
debug evtmgr logrcvr msg-filter msg-class <0-5> ctype <0-7> dtype <0-7> mtype <0-3>
mid <0-65535> token <0-65535> im-type <0-65535> len min <0-4294967295> max
<0-4294967295>
debug evtmgr logrcvr msg-filter msg-class <0-5> ctype <0-7> dtype <0-7> mtype <0-3> mid
<0-65535> token <0-65535> im-type <0-65535> content starts-with <value> contains <value>
debug evtmgr cord show client-id <1-4294967295>
debug evtmgr cord show basic
debug evtmgr cord show detail
debug evtmgr cord debug-log clfy
debug evtmgr cord debug-log client
debug evtmgr cord debug-log msg all
debug evtmgr cord debug-log msg filtered
debug evtmgr cord debug-log mulcast
debug evtmgr cord msg-filter msg-class <0-5> ctype <0-7> dtype <0-7> mtype <0-3>
mid <0-65535> token <0-65535> im-type <0-65535> len min <0-4294967295> max
<0-4294967295>
debug evtmgr cord msg-filter msg-class <0-5> ctype <0-7> dtype <0-7> mtype <0-3> mid
<0-65535> token <0-65535> im-type <0-65535> content starts-with <value> contains <value>
debug evtmgr useridd show client-id <1-4294967295>
debug evtmgr useridd show basic

PAN-OS CLI Quick Start Version Version 10.1 247 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug evtmgr useridd show detail

debug evtmgr useridd debug-log clfy
debug evtmgr useridd debug-log client
debug evtmgr useridd debug-log msg all
debug evtmgr useridd debug-log msg filtered
debug evtmgr useridd debug-log mulcast
debug evtmgr useridd msg-filter msg-class <0-5> ctype <0-7> dtype <0-7> mtype <0-3>
mid <0-65535> token <0-65535> im-type <0-65535> len min <0-4294967295> max
<0-4294967295>
debug evtmgr useridd msg-filter msg-class <0-5> ctype <0-7> dtype <0-7> mtype <0-3> mid
<0-65535> token <0-65535> im-type <0-65535> content starts-with <value> contains <value>
debug techsupport duts add-search-dir <value>
debug techsupport duts set-byte-threshold <0-1073741823>
debug techsupport duts on
debug techsupport duts off
debug techsupport duts reset-config
debug techsupport duts run
debug management-websrvr backend on <error|info|debug|dump>
debug management-websrvr backend off
debug management-websrvr backend show
debug iot memory <summary|detail>
debug iot global on error
debug iot global on warn
debug iot global on info
debug iot global on debug
debug iot global on dump
debug iot global off
debug iot global show
debug iot global counter
debug iot disable-device-id yes
debug iot disable-device-id no
debug iot clear-all type <device|host|cookie>
debug iot icd on <error|warn|info|debug|dump>
debug iot icd verdict-server <value>

PAN-OS CLI Quick Start Version Version 10.1 248 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug iot icd key-value <value>

debug iot icd reset key-value <value>
debug iot icd reset connecon
debug iot icd reset cookie
debug iot icd trigger-app-match
debug iot eal on <error|warn|info|debug|dump>
debug iot eal cortex-server <value>
debug iot eal key-value <value>
debug iot eal sending-format json
debug iot eal sending-format protobuf
debug iot eal reset aggregaon-num <value>
debug iot eal reset aggregaon-non-ack <value>
debug iot eal reset key-value <value>
debug iot eal reset counter <all|raw-dpi|parser|deliver|protocol|response-me>
debug iot eal reset connecon
debug iot eal test load-dpi <value>
debug iot eal track disabled
debug iot eal track raw-dpi
debug iot eal track eal-protobuf
debug iot eal track eal-json
debug iot eal track filter show
debug iot eal track filter add subtype <value> protocol <value> src-ip <value> dest-ip <value> src-
port <value> dest-port <value>
debug iot eal track filter clear
debug iot eal validate-dpi yes
debug iot eal validate-dpi no
debug cloud-appid ace-server <value>
debug cloud-appid keep-task-file <yes|no>
debug cloud-appid reset connecon-to-cloud
debug cloud-appid reset cloud-app-data
debug cloud-appid reset signature-dp opon <mp-only>
debug cloud-appid reset task-record
debug cloud-appid reset pending-request-dp
debug cloud-appid reset force-memory-gc

PAN-OS CLI Quick Start Version Version 10.1 249 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug cloud-appid reset force-data-integrity-check

debug cloud-appid reset force-cad-rebuild
debug cloud-appid reset reload-cloud-data
debug cloud-appid unknown-signature-query appid <value>
debug cloud-appid unknown-signature-query app-name <value>
debug cloud-appid unknown-signature-query filter-sig-id <value>
debug cloud-appid delete-signature-data appid <value>
debug cloud-appid delete-signature-data app-name <value>
debug cloud-appid delete-signature-data filter-signature-id <value>
debug cloud-appid cloud-manual-pull applicaon <value>
debug cloud-appid cloud-manual-pull signature-appid <value>
debug cloud-appid cloud-manual-pull signature-id <value>
debug cloud-appid cloud-manual-pull cookie-base64 <value>
debug cloud-appid cloud-manual-pull cookie-base64-and-store <value>
debug cloud-appid cloud-manual-pull generate-cookie <value>
debug cloud-appid cloud-manual-pull check-cloud-app-data
debug cloud-appid cloud-manual-pull check-cloud-signatures
debug cloud-appid set config <value>
debug cloud-appid dump config
debug distributord on error
debug distributord on warn
debug distributord on info
debug distributord on debug
debug distributord on dump
debug distributord off
debug distributord show
debug distributord reset redistribuon-agent <value>|<all>
debug contentd status
debug snmpd on debug
debug snmpd off
debug snmpd clear_persistence enty
debug snmpd clear_persistence interface
debug external-list delete-file type ip name <value>

PAN-OS CLI Quick Start Version Version 10.1 250 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

debug external-list delete-file type domain name <value>

debug external-list delete-file type url name <value>
debug external-list delete-file all
set data-access-password <value>
set panorama <on|off>
set audit-comment xpath <value> comment <value>
set management-server logging <on|off|import-start|import-end>
set authencaon saml_signature_digest_algorithm <sha1|sha224|sha256|sha384|sha512>
set authencaon radius-vsa-on <client-source-ip|client-os|client-hostname|client-gp-version|
user-domain>
set authencaon radius-vsa-off <client-source-ip|client-os|client-hostname|client-gp-version|
user-domain>
set auth strict-username-check yes
set auth strict-username-check no
set password
set ssh-authencaon public-key <value> public-key <value>
set ssh service-restart mgmt
set ssh service-restart ha
set cli config-output-format <default|xml|set|json>
set cli pager <on|off>
set cli confirmaon-prompt <on|off>
set cli scripng-mode <on|off>
set cli op-command-xml-output <on|off>
set cli meout idle <1-1440>|<never>
set cli hide-ip value <yes|no>
set cli hide-user value <yes|no>
set cli terminal type <aaa|aaa+dec|aaa+rv|aaa+unk|aaa-18|aaa-18-rv|aaa-20|aaa-22|aaa-24|
aaa-24-rv|aaa-26|aaa-28|aaa-30-ctxt|aaa-30-rv|aaa-30-rv-ctxt|aaa-30-s|aaa-30-s-rv|aaa-36|
aaa-36-rv|aaa-40|aaa-40-rv|aaa-48|aaa-48-rv|aaa-60|aaa-60-dec-rv|aaa-60-rv|aaa-60-s|aaa-60-s-
rv|aaa-db|aaa-rv-unk|aaa-s-ctxt|aaa-s-rv-ctxt|aas1901|abm80|abm85|abm85e|abm85h|abm85h-
old|act4|act5|addrinfo|adds980|adm+sgr|adm11|adm1178|adm12|adm1a|adm2|adm20|adm21|
adm22|adm3|adm31|adm31-old|adm36|adm3a|adm3a+|adm42|adm42-ns|adm5|aepro|aixterm|
aixterm-m|aixterm-m-old|aj510|aj830|alto-h19|altos2|altos3|altos4|altos7|altos7pc|amiga|
amiga-8bit|amiga-h|amiga-vnc|ampex175|ampex175-b|ampex210|ampex219|ampex219w|
ampex232|ampex232w|ampex80|annarbor4080|ansi|ansi+arrows|ansi+csr|ansi+cup|ansi+erase|
ansi+idc|ansi+idl|ansi+idl1|ansi+iniabs|ansi+local|ansi+local1|ansi+pp|ansi+rca|ansi+rep|ansi+sgr|
ansi+sgrbold|ansi+sgrdim|ansi+sgrso|ansi+sgrul|ansi+tabs|ansi-color-2-emx|ansi-color-3-emx|ansi-
emx|ansi-generic|ansi-m|ansi-mini|ansi-mr|ansi-mtabs|ansi-nt|ansi.sys|ansi.sys-old|ansi.sysk|ansi77|

PAN-OS CLI Quick Start Version Version 10.1 251 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

apollo|apollo_15P|apollo_19L|apollo_color|apple-80|apple-ae|apple-soroc|apple-uterm|apple-
uterm-vb|apple-videx|apple-videx2|apple-videx3|apple-vm80|apple2e|apple2e-p|apple80p|appleII|
appleIIgs|arm100|arm100-w|atari|a2300|a2350|a4410|a4410v1-w|a4415|a4415+nl|
a4415-nl|a4415-rv|a4415-rv-nl|a4415-w|a4415-w-nl|a4415-w-rv|a4415-w-rv-n|
a4418|a4418-w|a4420|a4424|a4424-1|a4424m|a4426|a500|a505|a505-24|
a510a|a510d|a5310|a5410-w|a5410v1|a5420_2|a5420_2-w|a5425|a5425-nl|
a5425-w|a5620|a5620-1|a5620-24|a5620-34|a5620-s|a605|a605-pc|a605-w|
a610|a610-103k|a610-103k-w|a610-w|a615|a615-103k|a615-103k-w|a615-w|
a620|a620-103k|a620-103k-w|a620-w|a630|a630-24|a6386|a700|a730|a730-24|
a730-41|a7300|a730r|a730r-24|a730r-41|avatar|avatar0|avatar0+|avt|avt+s|avt-ns|avt-rv|
avt-rv-ns|avt-w|avt-w-ns|avt-w-rv|avt-w-rv-ns|aws|awsc|bantam|basis|beacon|beehive|beehive3|
beehive4|beterm|bg1.25|bg1.25nv|bg1.25rv|bg2.0|bg2.0rv|bitgraph|blit|bobcat|bq300|bq300-8|
bq300-8-pc|bq300-8-pc-rv|bq300-8-pc-w|bq300-8-pc-w-rv|bq300-8rv|bq300-8w|bq300-pc|
bq300-pc-rv|bq300-pc-w|bq300-pc-w-rv|bq300-rv|bq300-w|bq300-w-8rv|bq300-w-rv|bsdos-
pc|bsdos-pc-m|bsdos-pc-nobold|bsdos-ppc|bsdos-sparc|c100|c100-rv|c108|c108-4p|c108-rv|
c108-rv-4p|c108-w|ca22851|cad68-2|cad68-3|cbblit|cbunix|cci|cdc456|cdc721|cdc721-esc|
cdc721ll|cdc752|cdc756|cg7900|cit101|cit101e|cit101e-132|cit101e-n|cit101e-n132|cit101e-
rv|cit500|cit80|citoh|citoh-6lpi|citoh-8lpi|citoh-comp|citoh-elite|citoh-pica|citoh-prop|coco3|
color_xterm|commodore|cons25|cons25-m|cons25l1|cons25l1-m|cons25r|cons25r-m|cons25w|
cons30|cons30-m|cons43|cons43-m|cons50|cons50-m|cons50l1|cons50l1-m|cons50r|cons50r-
m|cons60|cons60-m|cons60l1|cons60l1-m|cons60r|cons60r-m|contel300|contel301|cops10|
crt|cs10|cs10-w|ct8500|ctrm|cyb110|cyb83|cygwin|cygwinB19|cygwinDBG|d132|d200|d210|
d210-dg|d211|d211-7b|d211-dg|d216-dg|d216-unix|d216-unix-25|d217-unix|d217-unix-25|
d220|d220-7b|d220-dg|d230c|d230c-dg|d400|d410|d410-7b|d410-7b-w|d410-dg|d410-w|d412-
dg|d412-unix|d412-unix-25|d412-unix-s|d412-unix-sr|d412-unix-w|d413-unix|d413-unix-25|
d413-unix-s|d413-unix-sr|d413-unix-w|d414-unix|d414-unix-25|d414-unix-s|d414-unix-sr|d414-
unix-w|d430c-dg|d430c-dg-ccc|d430c-unix|d430c-unix-25|d430c-unix-25-ccc|d430c-unix-ccc|
d430c-unix-s|d430c-unix-s-ccc|d430c-unix-sr|d430c-unix-sr-ccc|d430c-unix-w|d430c-unix-
w-ccc|d470c|d470c-7b|d470c-dg|d555|d555-7b|d555-7b-w|d555-dg|d555-w|d577|d577-7b|
d577-7b-w|d577-dg|d577-w|d578|d578-7b|d800|ddr|dec-vt100|dec-vt220|decansi|delta|dg
+ccc|dg+color|dg+color8|dg+fixed|dg-generic|dg200|dg210|dg211|dg450|dg460-ansi|dg6053|
dg6053-old|dgkeys+11|dgkeys+15|dgkeys+7b|dgkeys+8b|dgmode+color|dgmode+color8|dgunix
+ccc|dgunix+fixed|diablo1620|diablo1620-m8|diablo1640|diablo1640-lm|diablo1740-lm|digilog|
djgpp|djgpp203|djgpp204|dku7003|dku7003-dumb|dku7102-old|dku7202|dm1520|dm2500|
dm3025|dm3045|dm80|dm80w|dmchat|dmterm|dp3360|dp8242|dt100|dt100w|dt110|dt80-
sas|dtc300s|dtc382|derm|dumb|dw1|dw2|dw3|dw4|dwk|ecma+color|ecma+sgr|elks|elks-ansi|
elks-glassy|elks-vt52|emu|emu-220|emx-base|env230|ep40|ep48|ergo4000|esprit|esprit-am|
Eterm|eterm|ex155|excel62|excel62-rv|excel62-w|f100|f100-rv|f110|f110-14|f110-14w|f110-
w|f1720|f200|f200-w|f200vi|f200vi-w|falco|falco-p|fos|fox|gator|gator-52|gator-52t|gator-t|
gigi|glassy|gnome|gnome-rh62|gnome-rh72|gnome-rh80|gnome-rh90|go140|go140w|go225|
graphos|graphos-30|gs6300|gsi|gt40|gt42|guru|guru+rv|guru+s|guru-24|guru-44|guru-44-s|
guru-76|guru-76-lp|guru-76-s|guru-76-w|guru-76-w-s|guru-76-wm|guru-nctxt|guru-rv|guru-s|
h19|h19-a|h19-bs|h19-g|h19-u|h19-us|h19k|ha8675|ha8686|hazel|hds200|h-c|h-c-old|h-old|
hirez100|hirez100-w|hmod1|hp+arrows|hp+color|hp+labels|hp+p+arrows|hp+p+cr|hp+p-
cr|hp+printer|hp110|hp150|hp2|hp236|hp2382a|hp2392|hp2397a|hp2621|hp2621-48|hp2621-
a|hp2621-ba|hp2621-fl|hp2621-k45|hp2621-nl|hp2621-nt|hp2621b|hp2621b-kx|hp2621b-
kx-p|hp2621b-p|hp2621p|hp2621p-a|hp2622|hp2623|hp2624|hp2624-10p|hp2624b-10p-p|
hp2624b-p|hp2626|hp2626-12|hp2626-12-s|hp2626-12x40|hp2626-ns|hp2626-s|hp2626-
x40|hp2627a|hp2627a-rev|hp2627c|hp262x|hp2640a|hp2640b|hp2641a|hp2645|hp2648|
hp300h|hp700-wy|hp70092|hp9837|hp9845|hp98550|hpansi|hpex|hpgeneric|hpsub|hpterm|hurd|

PAN-OS CLI Quick Start Version Version 10.1 252 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

hz1000|hz1420|hz1500|hz1510|hz1520|hz1520-noesc|hz1552|hz1552-rv|hz2000|i100|i400|
ibcs2|ibm+16color|ibm+color|ibm-apl|ibm-pc|ibm-system1|ibm3101|ibm3151|ibm3161|ibm3161-
C|ibm3162|ibm3164|ibm327x|ibm5081|ibm5081-c|ibm5151|ibm5154|ibm6153|ibm6153-40|
ibm6153-90|ibm6154|ibm6155|ibm8503|ibm8512|ibm8514|ibm8514-c|ibmaed|ibmapa8c|
ibmapa8c-c|ibmega|ibmega-c|ibmmono|ibmpc|ibmpc3|ibmpcx|ibmvga|ibmvga-c|icl6404|icl6404-
w|ifmr|ims-ansi|ims950|ims950-b|ims950-rv|infoton|interix|interix-n|intertube|intertube2|intext|
intext2|iris-ansi|iris-ansi-ap|iris-color|jaixterm|jaixterm-m|kaypro|kermit|kermit-am|klone+acs|klone
+color|klone+koi8acs|klone+sgr|klone+sgr-dumb|konsole|konsole-16color|konsole-base|konsole-
linux|konsole-vt100|konsole-vt420pc|konsole-xf3x|konsole-xf4x|kt7|kt7ix|kterm|kterm-color|
kvt|l|linux|linux-basic|linux-c|linux-c-nc|linux-koi8|linux-koi8r|linux-lat|linux-m|linux-nic|linux-vt|
lisa|lisaterm|lisaterm-w|liswb|ln03|ln03-w|lpr|luna|m2-nam|mac|mac-w|mach|mach-bold|mach-
color|mai|masscomp|masscomp1|masscomp2|megatek|memhp|mgr|mgr-linux|mgr-sun|mgterm|
microb|mime|mime-|mime-hb|mime2a|mime2a-s|mime314|mime3a|mime3ax|minitel1|minitel1b|
minitel1b-80|minix|minix-old|minix-old-am|mlterm|mm340|modgraph|modgraph2|modgraph48|
mono-emx|morphos|ms-vt-u8|ms-vt100|ms-vt100+|ms-vt100-color|msk227|msk22714|
msk227am|mt4520-rv|mt70|mterm|mterm-ansi|MtxOrb|MtxOrb162|MtxOrb204|mvterm|
nansi.sys|nansi.sysk|ncr160vppp|ncr160vpwpp|ncr160vt100an|ncr160vt100pp|ncr160vt100wan|
ncr160vt100wpp|ncr160vt200an|ncr160vt200pp|ncr160vt200wan|ncr160vt200wpp|
ncr160vt300an|ncr160vt300pp|ncr160vt300wan|ncr160vt300wpp|ncr160wy50+pp|
ncr160wy50+wpp|ncr160wy60pp|ncr160wy60wpp|ncr260intan|ncr260intpp|ncr260intwan|
ncr260intwpp|ncr260vppp|ncr260vpwpp|ncr260vt100an|ncr260vt100pp|ncr260vt100wan|
ncr260vt100wpp|ncr260vt200an|ncr260vt200pp|ncr260vt200wan|ncr260vt200wpp|
ncr260vt300an|ncr260vt300pp|ncr260vt300wan|NCR260VT300WPP|ncr260wy325pp|
ncr260wy325wpp|ncr260wy350pp|ncr260wy350wpp|ncr260wy50+pp|ncr260wy50+wpp|
ncr260wy60pp|ncr260wy60wpp|ncr7900i|ncr7900iv|ncr7901|ncrvt100an|ncrvt100wan|ncsa|
ncsa-m|ncsa-m-ns|ncsa-ns|ncsa-vt220|nec5520|newhp|newhpkeyboard|news-29|news-29-euc|
news-29-sjis|news-33|news-33-euc|news-33-sjis|news-42|news-42-euc|news-42-sjis|news-old-
unk|news-unk|news28|news29|next|nextshell|northstar|nsterm|nsterm+7|nsterm+acs|nsterm
+c|nsterm+c41|nsterm+mac|nsterm+s|nsterm-7|nsterm-7-c|nsterm-acs|nsterm-c|nsterm-c-acs|
nsterm-c-s|nsterm-c-s-7|nsterm-c-s-acs|nsterm-m|nsterm-m-7|nsterm-m-acs|nsterm-m-s|nsterm-
m-s-7|nsterm-m-s-acs|nsterm-s|nsterm-s-7|nsterm-s-acs|nwp511|nwp512|nwp512-a|nwp512-
o|nwp513|nwp513-a|nwp513-o|nwp517|nwp517-w|oblit|oc100|ofcons|oldpc3|oldsun|omron|
opennt-100|opennt-100-n|opennt-35|opennt-35-n|opennt-35-w|opennt-50|opennt-50-n|
opennt-50-w|opennt-60|opennt-60-n|opennt-60-w|opennt-w|opennt-w-vt|opus3n1+|origpc3|
osborne|osborne-w|osexec|otek4112|otek4115|owl|p19|p8gl|pc-coherent|pc-minix|pc-venix|
pc3|pc6300plus|pcansi|pcansi-25|pcansi-25-m|pcansi-33|pcansi-33-m|pcansi-43|pcansi-43-m|
pcansi-m|pccons|pcix|pckermit|pckermit120|pcmw|pcplot|pcvt25|pcvt25-color|pcvt25w|pcvt28|
pcvt28w|pcvt35|pcvt35w|pcvt40|pcvt40w|pcvt43|pcvt43w|pcvt50|pcvt50w|pcvtXX|pe1251|
pe7000c|pe7000m|pilot|pmcons|prism12|prism12-m|prism12-m-w|prism12-w|prism14|prism14-
m|prism14-m-w|prism14-w|prism2|prism4|prism5|prism7|prism8|prism8-w|prism9|prism9-8|
prism9-8-w|prism9-w|pro350|ps300|psterm|psterm-80x24|psterm-90x28|psterm-96x48|psterm-
fast|pt100|pt100w|pt210|pt250|pt250w|pty|puy|qansi|qansi-g|qansi-m|qansi-t|qansi-w|qdss|qnx|
qnxm|qnxt|qnxt2|qnxtmono|qnxw|qume5|qvt101|qvt101+|qvt102|qvt103|qvt103-w|qvt119+|
qvt119+-25|qvt119+-25-w|qvt119+-w|qvt203|qvt203-25|qvt203-25-w|qvt203-w|rbcomm|
rbcomm-nam|rbcomm-w|rca|rcons|rcons-color|regent|regent100|regent20|regent25|regent40|
regent40+|regent60|rt6221|rt6221-w|rtpc|rxvt|rxvt+pceys|rxvt-16color|rxvt-basic|rxvt-color|
rxvt-cygwin|rxvt-cygwin-nave|rxvt-xpm|sb1|sb2|sbi|scanset|scoansi|scoansi-new|scoansi-old|
screen|screen-bce|screen-s|screen-w|screen.linux|screen.teraterm|screen.xterm-r6|screen.xterm-
xfree86|screen2|screen3|screwpoint|scrhp|sibo|simterm|soroc120|soroc140|st52|sun|sun-1|
sun-12|sun-17|sun-24|sun-34|sun-48|sun-c|sun-cgsix|sun-e|sun-e-s|sun-il|sun-s|sun-type4|

PAN-OS CLI Quick Start Version Version 10.1 253 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

superbee-xsb|superbeeic|superbrain|swtp|synertek|t10|t1061|t1061f|t16|t3700|t3800|tab132|
tab132-rv|tab132-w|tab132-w-rv|tandem6510|tandem653|tek|tek4013|tek4014|tek4014-sm|
tek4015|tek4015-sm|tek4023|tek4024|tek4025-17|tek4025-17-ws|tek4025-cr|tek4025-ex|
tek4025a|tek4025ex|tek4105|tek4105-30|tek4105a|tek4106brl|tek4107|tek4112|tek4112-5|
tek4112-nd|tek4113|tek4113-34|tek4113-nd|tek4115|tek4125|tek4205|tek4207|tek4207-s|
tek4404|teletec|teraterm|terminet1200|700|916|916-132|916-8|916-8-132|924|924-8|
924-8w|924w|926|926-8|928|928-8|931|_ansi|trs16|trs2|ts100|ts100-ctxt||505-22|
y33|y37|y40|y43|tvi803|tvi9065|tvi910|tvi910+|tvi912|tvi912b|tvi912b+2p|tvi912b+dim|
tvi912b+mc|tvi912b+printer|tvi912b+vb|tvi912b-2p|tvi912b-2p-mc|tvi912b-2p-p|tvi912b-2p-
unk|tvi912b-mc|tvi912b-p|tvi912b-unk|tvi912b-vb|tvi912b-vb-mc|tvi912b-vb-p|tvi912b-vb-
unk|tvi912cc|tvi920b|tvi920b+fn|tvi920b-2p|tvi920b-2p-mc|tvi920b-2p-p|tvi920b-2p-unk|
tvi920b-mc|tvi920b-p|tvi920b-unk|tvi920b-vb|tvi920b-vb-mc|tvi920b-vb-p|tvi920b-vb-unk|
tvi921|tvi924|tvi925|tvi925-hi|tvi92B|tvi92D|tvi950|tvi950-2p|tvi950-4p|tvi950-rv|tvi950-
rv-2p|tvi950-rv-4p|tvi955|tvi955-hb|tvi955-w|tvi970|tvi970-2p|tvi970-vb|tvipt|tws-generic|
tws2102-sna|tws2103|tws2103-sna|uniterm|unknown|uts30|uwin|v3220|v5410|vanilla|vc303|
vc303a|vc404|vc404-s|vc414|vc415|versaterm|vi200|vi200-f|vi200-rv|vi300|vi300-old|vi50|
vi500|vi50adm|vi55|vi550|vi603|viewpoint|vip|vip-H|vip-Hw|vip-w|visa50|vp3a+|vp60|vp90|
vremote|vsc|vt100|vt100+fnkeys|vt100+keypad|vt100+peys|vt100-nav|vt100-nav-w|vt100-
puy|vt100-s|vt100-s-bot|vt100-vb|vt100-w|vt100-w-nam|vt100nam|vt102|vt102-nsgr|vt102-
w|vt125|vt131|vt132|vt200-js|vt220|vt220+keypad|vt220-8bit|vt220-nam|vt220-old|vt220-
w|vt220d|vt320|vt320-k3|vt320-k311|vt320-nam|vt320-w|vt320-w-nam|vt320nam|vt340|
vt400|vt420|vt420f|vt420pc|vt420pcdos|vt50|vt50h|vt510|vt510pc|vt510pcdos|vt52|vt520|
vt525|vt61|wsiris|wsvt25|wsvt25m|wy100|wy100q|wy120|wy120-25|wy120-25-w|wy120-
vb|wy120-w|wy120-w-vb|wy160|wy160-25|wy160-25-w|wy160-42|wy160-42-w|wy160-43|
wy160-43-w|wy160-tek|wy160-vb|wy160-w|wy160-w-vb|wy185|wy185-24|wy185-vb|wy185-
w|wy185-wvb|wy30|wy30-mc|wy30-vb|wy325|wy325-25|wy325-25w|wy325-42|wy325-42w|
wy325-42w-vb|wy325-43|wy325-43w|wy325-43w-vb|wy325-vb|wy325-w|wy325-w-vb|
wy350|wy350-vb|wy350-w|wy350-wvb|wy370|wy370-105k|wy370-EPC|wy370-nk|wy370-
rv|wy370-tek|wy370-vb|wy370-w|wy370-wvb|wy50|wy50-mc|wy50-vb|wy50-w|wy50-wvb|
wy520|wy520-24|wy520-36|wy520-36pc|wy520-36w|wy520-36wpc|wy520-48|wy520-48pc|
wy520-48w|wy520-48wpc|wy520-epc|wy520-epc-24|wy520-epc-vb|wy520-epc-w|wy520-
epc-wvb|wy520-vb|wy520-w|wy520-wvb|wy60|wy60-25|wy60-25-w|wy60-42|wy60-42-w|
wy60-43|wy60-43-w|wy60-vb|wy60-w|wy60-w-vb|wy75|wy75-mc|wy75-vb|wy75-w|wy75-
wvb|wy75ap|wy85|wy85-8bit|wy85-vb|wy85-w|wy85-wvb|wy99-ansi|wy99a-ansi|wy99f|
wy99fa|wy99gt|wy99gt-25|wy99gt-25-w|wy99gt-tek|wy99gt-vb|wy99gt-w|wy99gt-w-vb|
wyse-vp|x10term|x68k|xerox1720|xerox820|xnuppc|xnuppc+100x37|xnuppc+112x37|xnuppc
+128x40|xnuppc+128x48|xnuppc+144x48|xnuppc+160x64|xnuppc+200x64|xnuppc+200x75|
xnuppc+256x96|xnuppc+80x25|xnuppc+80x30|xnuppc+90x30|xnuppc+b|xnuppc+basic|xnuppc
+c|xnuppc+f|xnuppc+f2|xnuppc-100x37|xnuppc-100x37-m|xnuppc-112x37|xnuppc-112x37-
m|xnuppc-128x40|xnuppc-128x40-m|xnuppc-128x48|xnuppc-128x48-m|xnuppc-144x48|
xnuppc-144x48-m|xnuppc-160x64|xnuppc-160x64-m|xnuppc-200x64|xnuppc-200x64-
m|xnuppc-200x75|xnuppc-200x75-m|xnuppc-256x96|xnuppc-256x96-m|xnuppc-80x25|
xnuppc-80x25-m|xnuppc-80x30|xnuppc-80x30-m|xnuppc-90x30|xnuppc-90x30-m|xnuppc-b|
xnuppc-f|xnuppc-f2|xnuppc-m|xnuppc-m-b|xnuppc-m-f|xnuppc-m-f2|xtalk|xterm|xterm+pceys|
xterm+sl|xterm+sl-twm|xterm-1002|xterm-1003|xterm-16color|xterm-24|xterm-256color|
xterm-88color|xterm-8bit|xterm-basic|xterm-bold|xterm-color|xterm-hp|xterm-new|xterm-nic|
xterm-noapp|xterm-pcolor|xterm-r5|xterm-r6|xterm-sco|xterm-sun|xterm-vt220|xterm-vt52|
xterm-xf86-v32|xterm-xf86-v33|xterm-xf86-v333|xterm-xf86-v40|xterm-xf86-v43|xterm-xf86-
v44|xterm-xfree86|xterm-xi|xterm1|xtermc|xtermm|xterms-sun|z100|z100bw|z29|z29a|z29a-kc-
uc|z29a-nkc-bc|z29a-nkc-uc|z340|z340-nam|z39-a|zen30|zen50|ztx>

PAN-OS CLI Quick Start Version Version 10.1 254 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set cli terminal width <1-500>

set cli terminal height <1-500>
set session meout-tcp <1-15999999>
set session meout-udp <1-15999999>
set session meout-icmp <1-15999999>
set session meout-default <1-15999999>
set session meout-tcpinit <1-60>
set session meout-tcphandshake <1-60>
set session meout-tcp-half-closed <1-604800>
set session meout-tcp-unverified-rst <1-600>
set session meout-tcp-me-wait <1-600>
set session meout-tcp-delayed-ack <1-250>
set session meout-capve-portal <1-15999999>
set session meout-scan <5-30>
set session meout-discard-tcp <1-15999999>
set session meout-discard-udp <1-15999999>
set session meout-discard-default <1-15999999>
set session scan-threshold <50-99>
set session scan-scaling-factor <2-16>
set session accelerated-aging-enable <yes|no>
set session accelerated-aging-threshold <50-99>
set session accelerated-aging-scaling-factor <2-16>
set session tcp-reject-non-syn <yes|no>
set session tcp-strict-rst <yes|no>
set session tcp-reject-small-inial-window-enable <yes|no>
set session tcp-reject-small-inial-window-threshold <0-1024>
set session offload <yes|no>
set session strict-checksum <yes|no>
set session resource-limit-behavior <bypass|drop>
set session drop-stp-packet <yes|no>
set session rewrite-pvst-pvid <yes|no>
set session pvst-nave-vlan-id <1-4094>
set session pass-through-1q-pcp <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 255 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set session tcp-reject-diff-syn yes

set session tcp-reject-diff-syn no
set session broadcast-first-packet yes
set session broadcast-first-packet no
set session run-to-compleon yes
set session run-to-compleon no
set session packet-buffer-latency-measurement yes
set session packet-buffer-latency-measurement no
set session default
set session lag-flow-key-type tag
set session lag-flow-key-type tuple
set session change-smac-in-resp yes
set session change-smac-in-resp no
set session tcp-retransmit-scan yes
set session tcp-retransmit-scan no
set session tcp-o-app yes
set session tcp-o-app no
set applicaon dump-unknown <yes|no>
set applicaon cache <yes|no>
set applicaon supernode <yes|no>
set applicaon heuriscs <yes|no>
set applicaon use-cache-for-idenficaon <yes|no>
set applicaon use-simple-appsigs <yes|no>
set applicaon use-appid-cache-ssl-sni <yes|no>
set applicaon nofy-user <yes|no>
set applicaon dump on limit <1-5000> from <value> to <value> source <ip/netmask> desnaon
<ip/netmask> source-user <value> desnaon-user <value> source-port <1-65535> desnaon-
port <1-65535> protocol <1-255> applicaon <value> rule <value>
set applicaon dump off
set applicaon traceroute enable <yes|no>
set applicaon traceroute l-threshold <0-255>
set clock date <value> me <value>
set system seng arp-cache-meout <60-65535>
set system seng ip6-defrag-meout <5-10>

PAN-OS CLI Quick Start Version Version 10.1 256 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set system seng icmp6-error <on|off>

set system seng mp-vr-vif-install-only-host-route <yes|no>
set system seng target-vsys <value>|<none>
set system seng shared-policy <enable|disable|import-and-disable>
set system seng template <enable|disable|import-and-disable>
set system seng appid-match <regex|lscan>
set system seng ctd-mode <aho|pscan>
set system seng dfa-mode <sw-dfa|hw-dfa>
set system seng jumbo-frame <on|off>
set system seng hardware-acl-blocking-enable <yes|no>
set system seng hardware-acl-blocking-duraon <1-3600>
set system seng mul-vsys <on|off>
set system seng fast-fail-over enable yes
set system seng fast-fail-over enable no
set system seng delay-interface-process interface <value> delay <0-5000>
set system seng rip-poison-reverse enable yes
set system seng rip-poison-reverse enable no
set system seng layer4-checksum disable
set system seng layer4-checksum enable
set system seng packet-path-test enable yes
set system seng packet-path-test enable no
set system seng packet-path-test show
set system seng packet-descriptor-monitor enable yes
set system seng packet-descriptor-monitor enable no
set system seng mp-memory-monitor enable yes
set system seng mp-memory-monitor enable no
set system seng zip enable <yes|no>
set system seng zip hw-reset <yes|no>
set system seng packet ip-frag-limit <yes|no>
set system seng ul assert-crash-once <yes|no>
set system seng pow wqe-tag-check <yes|no>
set system seng pow wqe-inuse-check <yes|no>
set system seng pow wqe-swbuf-check <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 257 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set system seng pow wqe-swbuf-track <yes|no>

set system seng pow wqe-hexspeak <yes|no>
set system seng pow wqe-swbuf-ref <yes|no>
set system seng wildfire interval server-list-update-interval <5-10080>|<default>
set system seng wildfire interval report-update-interval <60-3600>|<default>
set system seng wildfire disk-quota global <1-100>|<default>
set system seng wildfire disk-quota single-channel <1-100>|<default>
set system seng ctd regex-stats-on <yes|no>
set system seng ctd nonblocking-paern-match-interval <1-20>|<default>
set system seng ctd pkt-proc-loop-low <1-8190>|<default>
set system seng ctd pkt-proc-loop-high <1-8190>|<default>
set system seng ctd pkt-proc-boundary <1-32000>|<default>
set system seng ctd wif-shared-buf-threshold <0-99>
set system seng ctd ctd-agent-assigned-cores <0-2>
set system seng ctd lscan-mode <yes|no>
set system seng ctd sml-token <dfa|lscan>
set system seng ctd nonblocking-paern-match enable
set system seng ctd nonblocking-paern-match disable
set system seng ctd nonblocking-paern-match default
set system seng ctd enhanced-decode-filter-mode enable
set system seng ctd enhanced-decode-filter-mode disable
set system seng ctd enhanced-decode-filter-mode default
set system seng ctd block-on-base64-decode-error enable
set system seng ctd block-on-base64-decode-error disable
set system seng ctd block-on-base64-decode-error default
set system seng ctd block-on-bdat-chunk-decode-error enable
set system seng ctd block-on-bdat-chunk-decode-error disable
set system seng ctd block-on-bdat-chunk-decode-error default
set system seng ctd block-on-chunk-decode-error enable
set system seng ctd block-on-chunk-decode-error disable
set system seng ctd block-on-chunk-decode-error default
set system seng ctd block-on-qp-decode-error enable
set system seng ctd block-on-qp-decode-error disable

PAN-OS CLI Quick Start Version Version 10.1 258 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set system seng ctd block-on-qp-decode-error default

set system seng ctd block-on-u-decode-error enable
set system seng ctd block-on-u-decode-error disable
set system seng ctd block-on-u-decode-error default
set system seng ctd block-on-uu-decode-error enable
set system seng ctd block-on-uu-decode-error disable
set system seng ctd block-on-uu-decode-error default
set system seng ctd block-on-zip-decode-error enable
set system seng ctd block-on-zip-decode-error disable
set system seng ctd block-on-zip-decode-error default
set system seng ctd wif-bypass-exceed-buf-limit enable
set system seng ctd wif-bypass-exceed-buf-limit disable
set system seng ctd wif-bypass-exceed-buf-limit default
set system seng ctd wifclient-traffic enable
set system seng ctd wifclient-traffic disable
set system seng ctd wifclient-traffic default
set system seng ctd feature-forward cloud-appid-prefiltering enable
set system seng ctd feature-forward cloud-appid-prefiltering disable
set system seng ctd feature-forward cloud-appid-prefiltering default
set system seng ctd lscan-mode-default
set system seng addional-threat-log on
set system seng addional-threat-log off
set system seng logging max-log-rate <0-50000>
set system seng logging max-packet-rate <0-2560>
set system seng logging log-suppression <yes|no>
set system seng logging default-policy-logging <0-300>
set system seng logging log-compression <all|off|lcaas-only>
set system seng logging default
set system seng ssl-decrypt skip-ssl-decrypt <yes|no>
set system seng ssl-decrypt skip-ssl <yes|no>
set system seng ssl-decrypt answer-meout <1-86400>
set system seng ssl-decrypt nofy-user <yes|no>
set system seng ssl-decrypt tunnel-taildrop-threshold <1-3072>

PAN-OS CLI Quick Start Version Version 10.1 259 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set system seng ctd-mode-default

set system seng dfa-mode-default
set system seng correlaon enable yes
set system seng correlaon enable no
set user-id data <value>
set xmlapi-group add group <value> user <value> meout <1-3600>
set xmlapi-group delete group <value> user <value> meout <1-3600>
set xmlapi-group refresh group <value>
set quaranne data <value>
set nw-id-api data <value>
set max-num-images count <2-64>
set global-protect worker-threads <10-100>
set global-protect redirect locaon <value>
set global-protect redirect on
set global-protect redirect off
set global-protect redirect show
set ssl-conn-on-cert fail-all-conns <True|False>
set ssl-conn-on-cert fail-syslog-conns <True|False>
set syslogng ssl-conn-validaon all-conns <enforce|skip|prefer>
set syslogng ssl-conn-validaon explicit CRL enforce
set syslogng ssl-conn-validaon explicit CRL skip
set syslogng ssl-conn-validaon explicit CRL prefer
set syslogng ssl-conn-validaon explicit OCSP enforce
set syslogng ssl-conn-validaon explicit OCSP skip
set syslogng ssl-conn-validaon explicit OCSP prefer
set syslogng ssl-conn-validaon explicit EKU enforce
set syslogng ssl-conn-validaon explicit EKU skip
set syslogng ssl-conn-validaon explicit EKU prefer
set syslogng fqdn-refresh yes
set syslogng fqdn-refresh no
set ztp panorama-meout <0-9000>
set transceiver-monitor-rate slot <value> seconds <0-2147483647>
set sslmgr-check-cert-jobs max-limit <1-100>

PAN-OS CLI Quick Start Version Version 10.1 260 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

request api key expiraon

request clean-replay entries <all|commied>
request mongo show storage-engine instance <corr>
request mongo set storage-engine instance <corr> format <mmap|wiredTiger>
request plugins install <value>
request plugins quick-install <value>
request plugins uninstall <value>
request plugins reset-password <value>
request plugins delete-package <value>
request plugins upload name <value> path <value>
request plugins check
request plugins download file <value>
request plugins reset-plugin plugin-name <value> only <config|plugin>
request plugins debug plugin-name <value> level <off|low|medium|high>
request plugins dau plugin-name <value> unblock-device-push <yes|no>
request authencaon unlock-admin user <value>
request authencaon unlock-user vsys <value> auth-profile <value> user <value> is-seq <yes|
no>
request panorama-connecvity-check
request resolve vsys <value> address <value>
request acknowledge logid <value>
request last-acknowledge-me
request commit-lock add comment <value>
request commit-lock remove admin <value>
request config-lock add comment <value>
request config-lock remove
request password-hash password <value> username <value>
request password-change-history re-encrypt old-master-key <value> master-key <value>
request password-change-history dump-history master-key <value>
request master-key new-master-key <value> current-master-key <value> lifeme <1-438000>
reminder <1-8760> on-hsm <yes|no>
request encrypon-level level <0-2> re-encrypt <yes|no>
request hsm client-version <5.4.2|7.2.0>
request hsm server-enroll <value>

PAN-OS CLI Quick Start Version Version 10.1 261 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

request hsm authencate server <value> password <value>

request hsm login password <value>
request hsm ha create-ha-group password <value>
request hsm ha synchronize password <value>
request hsm ha replace-server password <value>
request hsm ha recover
request hsm support-info
request hsm rfs-setup
request hsm rfs-sync
request hsm reset
request hsm mkey-wrapping-key-rotaon
request tech-support dump
request stats dump
request telemetry-data dump
request quota-enforcement
request high-availability cluster sync-from <value>|<all>
request high-availability cluster clear-cache <value>|<all>
request high-availability sync-to-remote candidate-config
request high-availability sync-to-remote running-config
request high-availability sync-to-remote ssh-key
request high-availability sync-to-remote runme-state
request high-availability sync-to-remote clock
request high-availability sync-to-remote id-manager base
request high-availability sync-to-remote id-manager user-id
request high-availability state suspend
request high-availability state funconal
request high-availability state peer suspend
request high-availability state peer funconal
request high-availability session-reestablish force
request shutdown system with-swap-scrub nnsa
request shutdown system with-swap-scrub dod
request restart system with-swap-scrub nnsa
request restart system with-swap-scrub dod

PAN-OS CLI Quick Start Version Version 10.1 262 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

request restart soware

request restart dataplane
request system private-data-reset
request system bootstrap-usb prepare from <value>
request system bootstrap-usb delete bundle <value>
request system self-test crypto
request system self-test soware-integrity
request system self-test force-soware-integrity-failure
request system self-test force-crypto-failure mp <value>
request system self-test force-crypto-failure dp <value>
request system self-test-job crypto
request system self-test-job soware-integrity
request system soware info
request system soware check
request system soware download sync-to-peer <yes|no> version <value>
request system soware download sync-to-peer <yes|no> file <value>
request system soware install load-config <value> version <value>
request system fqdn show
request system fqdn show-object
request system fqdn refresh
request system external-list url-test <value>
request system external-list list-capacies
request system external-list global-find string <value>
request system external-list show type predefined-ip name <value> anchor <1-4294967295>
num-records <1-4294967295> find <value>
request system external-list show type predefined-url name <value> anchor <1-4294967295>
num-records <1-4294967295> find <value>
request system external-list show type ip name <value> anchor <1-4294967295> num-records
<1-4294967295> find <value>
request system external-list show type domain name <value> anchor <1-4294967295> num-
records <1-4294967295> find <value>
request system external-list show type url name <value> anchor <1-4294967295> num-records
<1-4294967295> find <value>
request system external-list stats type predefined-ip name <value>
request system external-list stats type predefined-url name <value>

PAN-OS CLI Quick Start Version Version 10.1 263 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

request system external-list stats type ip name <value>

request system external-list stats type domain name <value>
request system external-list stats type url name <value>
request system external-list refresh type ip name <value>
request system external-list refresh type domain name <value>
request system external-list refresh type url name <value>
request global-protect-client soware info
request global-protect-client soware check
request global-protect-client soware download sync-to-peer <yes|no> version <value>
request global-protect-client soware download sync-to-peer <yes|no> file <value>
request global-protect-client soware acvate version <value>
request global-protect-client soware acvate file <value>
request url-filtering save url-database
request url-filtering install pandb-database
request url-filtering update url <value>
request url-filtering upgrade
request data-filtering access-password create password <value>
request data-filtering access-password modify old-password <value> new-password <value>
request data-filtering access-password delete
request device-quaranne-list add ip <ip/netmask> ipv6 <ip/netmask> hosd <value> serialno
<value>
request device-quaranne-list delete host <value>
request device-quaranne-list show hosd <value>
request device-quaranne-list show serialno <value>
request device-quaranne-list show all opon <count>
request iot validity-check <value>
request iot upgrade info
request iot upgrade check
request content validity-check <value>
request content downgrade skip-content-validity-check <yes|no> install <value>
request content upgrade info
request content upgrade check
request content upgrade download sync-to-peer <yes|no> force <yes|no> latest

PAN-OS CLI Quick Start Version Version 10.1 264 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

request content upgrade install commit <yes|no> sync-to-peer <yes|no> disable-new-content

<yes|no> force <yes|no> skip-content-validity-check <yes|no> version <latest>
request content upgrade install commit <yes|no> sync-to-peer <yes|no> disable-new-content
<yes|no> force <yes|no> skip-content-validity-check <yes|no> file <value>
request an-virus downgrade install <value>
request an-virus upgrade info
request an-virus upgrade check
request an-virus upgrade download sync-to-peer <yes|no> latest
request an-virus upgrade install commit <yes|no> sync-to-peer <yes|no> version <latest>
request an-virus upgrade install commit <yes|no> sync-to-peer <yes|no> file <value>
request global-protect-clientless-vpn downgrade install <value>
request global-protect-clientless-vpn upgrade check
request global-protect-clientless-vpn upgrade download latest sync-to-peer <yes|no>
request global-protect-clientless-vpn upgrade info
request global-protect-clientless-vpn upgrade install commit <yes|no> sync-to-peer <yes|no> file
<value>
request global-protect-clientless-vpn upgrade install commit <yes|no> sync-to-peer <yes|no>
version <latest>
request wildfire-realme-cache add virus-paern-type <PE|Hash> UTID <value> virus-paern
<value>
request wildfire-realme-cache delete virus-paern-type <PE|Hash> UTID <value> virus-paern
<value>
request wildfire registraon channel <public|private>
request wildfire downgrade install <value>
request wildfire upgrade info
request wildfire upgrade check
request wildfire upgrade download latest sync-to-peer <yes|no>
request wildfire upgrade install commit <yes|no> sync-to-peer <yes|no> version <latest>
request wildfire upgrade install commit <yes|no> sync-to-peer <yes|no> file <value>
request wf-private downgrade install <value>
request wf-private upgrade info
request wf-private upgrade check
request wf-private upgrade download latest sync-to-peer <yes|no>
request wf-private upgrade install commit <yes|no> sync-to-peer <yes|no> version <latest>
request logging-service-forwarding customerinfo fetch

PAN-OS CLI Quick Start Version Version 10.1 265 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

request logging-service-forwarding customerinfo show

request logging-service-forwarding status
request logging-service-forwarding cerficate info
request logging-service-forwarding cerficate fetch
request logging-service-forwarding cerficate fetch-noproxy pre-shared-key <value>
request logging-service-forwarding cerficate delete
request saas_agent cerficate info
request log-collector-forwarding status
request address-expansion expand object-name <value> vsys-name <value>
request license install <value>
request license info
request license fetch auth-code <value>
request license api-key set key <value>
request license api-key delete
request license api-key show
request license deacvate VM-Capacity mode <auto|manual>
request license deacvate key mode <auto|manual> features
request license deacvate key mode <auto|manual> features [ <features1> <features2>... ]
request logdb migrate-to-panorama start type <value> start-me <value> end-me <value>
request logdb migrate-to-panorama status type <value>
request logdb migrate-to-panorama stop type <value>
request support info
request support check
request device-registraon username <value> password <value>
request cerficate show cerficate-name <value>
request cerficate generate cerficate-name <value> name <value> digest <value> country-code
<value> state <value> locality <value> organizaon <value> email <value> filename <value> ca
<yes|no> block-private-key <yes|no> signed-by <value>|<external> ocsp-responder-url <value>
days-ll-expiry <1-7300> algorithm RSA rsa-nbits <value>
request cerficate generate cerficate-name <value> name <value> digest <value> country-code
<value> state <value> locality <value> organizaon <value> email <value> filename <value> ca
<yes|no> block-private-key <yes|no> signed-by <value>|<external> ocsp-responder-url <value>
days-ll-expiry <1-7300> algorithm RSA rsa-nbits <value>
request cerficate generate cerficate-name <value> name <value> digest <value> country-code
<value> state <value> locality <value> organizaon <value> email <value> filename <value> ca

PAN-OS CLI Quick Start Version Version 10.1 266 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

<yes|no> block-private-key <yes|no> signed-by <value>|<external> ocsp-responder-url <value>

days-ll-expiry <1-7300> algorithm ECDSA ecdsa-nbits <value>
request cerficate generate cerficate-name <value> name <value> digest <value> country-code
<value> state <value> locality <value> organizaon <value> email <value> filename <value> ca
<yes|no> block-private-key <yes|no> signed-by <value>|<external> ocsp-responder-url <value>
days-ll-expiry <1-7300> organizaon-unit
request cerficate generate cerficate-name <value> name <value> digest <value> country-code
<value> state <value> locality <value> organizaon <value> email <value> filename <value> ca
<yes|no> block-private-key <yes|no> signed-by <value>|<external> ocsp-responder-url <value>
days-ll-expiry <1-7300> organizaon-unit [ <organizaon-unit1> <organizaon-unit2>... ]
request cerficate generate cerficate-name <value> name <value> digest <value> country-code
<value> state <value> locality <value> organizaon <value> email <value> filename <value> ca
<yes|no> block-private-key <yes|no> signed-by <value>|<external> ocsp-responder-url <value>
days-ll-expiry <1-7300> hostname
request cerficate generate cerficate-name <value> name <value> digest <value> country-code
<value> state <value> locality <value> organizaon <value> email <value> filename <value> ca
<yes|no> block-private-key <yes|no> signed-by <value>|<external> ocsp-responder-url <value>
days-ll-expiry <1-7300> hostname [ <hostname1> <hostname2>... ]
request cerficate generate cerficate-name <value> name <value> digest <value> country-code
<value> state <value> locality <value> organizaon <value> email <value> filename <value> ca
<yes|no> block-private-key <yes|no> signed-by <value>|<external> ocsp-responder-url <value>
days-ll-expiry <1-7300> ip
request cerficate generate cerficate-name <value> name <value> digest <value> country-code
<value> state <value> locality <value> organizaon <value> email <value> filename <value> ca
<yes|no> block-private-key <yes|no> signed-by <value>|<external> ocsp-responder-url <value>
days-ll-expiry <1-7300> ip [ <ip1> <ip2>... ]
request cerficate generate cerficate-name <value> name <value> digest <value> country-code
<value> state <value> locality <value> organizaon <value> email <value> filename <value> ca
<yes|no> block-private-key <yes|no> signed-by <value>|<external> ocsp-responder-url <value>
days-ll-expiry <1-7300> alt-email
request cerficate generate cerficate-name <value> name <value> digest <value> country-code
<value> state <value> locality <value> organizaon <value> email <value> filename <value> ca
<yes|no> block-private-key <yes|no> signed-by <value>|<external> ocsp-responder-url <value>
days-ll-expiry <1-7300> alt-email [ <alt-email1> <alt-email2>... ]
request cerficate generate-scep-client-cert cerficate-name <value> scep-profile <value> scep-
url <value> scep-url <value> scep-ca-cert <value> scep-client-cert <value> ca-identy-name
<value> subject <value> digest <value> fingerprint <value> use-as-digital-signature <yes|no> use-
for-key-encipherment <yes|no> scep-challenge fixed <value>
request cerficate generate-scep-client-cert cerficate-name <value> scep-profile <value> scep-
url <value> scep-url <value> scep-ca-cert <value> scep-client-cert <value> ca-identy-name
<value> subject <value> digest <value> fingerprint <value> use-as-digital-signature <yes|no> use-
for-key-encipherment <yes|no> scep-challenge none
request cerficate generate-scep-client-cert cerficate-name <value> scep-profile <value> scep-
url <value> scep-url <value> scep-ca-cert <value> scep-client-cert <value> ca-identy-name

PAN-OS CLI Quick Start Version Version 10.1 267 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

<value> subject <value> digest <value> fingerprint <value> use-as-digital-signature <yes|no> use-
for-key-encipherment <yes|no> scep-challenge dynamic otp-server-url <value> otp-server-url
<value> username <value> password <value>
request cerficate generate-scep-client-cert cerficate-name <value> scep-profile <value> scep-
url <value> scep-url <value> scep-ca-cert <value> scep-client-cert <value> ca-identy-name
<value> subject <value> digest <value> fingerprint <value> use-as-digital-signature <yes|no> use-
for-key-encipherment <yes|no> algorithm rsa rsa-nbits <value>
request cerficate generate-scep-client-cert cerficate-name <value> scep-profile <value> scep-
url <value> scep-url <value> scep-ca-cert <value> scep-client-cert <value> ca-identy-name
<value> subject <value> digest <value> fingerprint <value> use-as-digital-signature <yes|no> use-
for-key-encipherment <yes|no> cerficate-aributes rfc822name <value>
request cerficate generate-scep-client-cert cerficate-name <value> scep-profile <value> scep-
url <value> scep-url <value> scep-ca-cert <value> scep-client-cert <value> ca-identy-name
<value> subject <value> digest <value> fingerprint <value> use-as-digital-signature <yes|no> use-
for-key-encipherment <yes|no> cerficate-aributes dnsname <value>
request cerficate generate-scep-client-cert cerficate-name <value> scep-profile <value> scep-
url <value> scep-url <value> scep-ca-cert <value> scep-client-cert <value> ca-identy-name
<value> subject <value> digest <value> fingerprint <value> use-as-digital-signature <yes|no> use-
for-key-encipherment <yes|no> cerficate-aributes uniform-resource-idenfier <value>
request cerficate import-scep-ca-cert cerficate-name <value> scep-profile <value> scep-url
<value> ca-identy-name <value> scep-ca-cert <value> scep-client-cert <value>
request cerficate renew cerficate-name <value> days-ll-expiry <1-7300>
request cerficate revoke cerficate-name <value>
request cerficate revoke sslmgr-store db-serialno <value>
request cerficate fetch otp <value>
request cerficate is-blocked cerficate-name <value>
request cerficate show-blocked vsys-name <value>
request cerficate show-blocked shared
request global-protect-gateway client-logout-all gateway <value>
request global-protect-gateway check-client-logout-all-status
request global-protect-gateway client-logout gateway <value> domain <value> computer <value>
user <value> reason <force-logout> client-os-version <value>
request global-protect-gateway satellite-logout gateway <value> serialno <value> reason <force-
logout>
request global-protect-portal cket portal <value> request <value> duraon <0-65535>
request global-protect-portal client-logout portal <value> reason <force-logout> filter-user user
<value>
request global-protect-portal client-logout portal <value> reason <force-logout> filter-user match-
user <value>

PAN-OS CLI Quick Start Version Version 10.1 268 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

request global-protect-portal client-logout portal <value> reason <force-logout> filter-user id

<value>
request global-protect-portal client-logout portal <value> reason <force-logout> filter-user all-
users
request global-protect-portal clear-config-selecon-cache device <value>|<all>
request global-protect-satellite get-portal-config satellite <value> username <value> password
<value>
request global-protect-satellite get-gateway-config satellite <value> gateway-address <value>
request dhcp client renew <value>|<vlan|all>
request dhcp client release <value>|<vlan|all>
request dhcp client management-interface renew
request dhcp client management-interface release
request dnsproxy license refresh
request determine-new-applicaons version <value> rulebase <value>
request list-content-downloads
request get-disabled-applicaons
request get-applicaon-status applicaon <value>
request set-applicaon-status-recursive enable-dependent-apps <yes|no> applicaon <value>
status <enabled|disabled>
request clear-commit-tasks
request session-discard id <1-4294967295> reason <value> meout <0-15999999>
request disable-ztp
request device-telemetry collect-now
request device-telemetry cancel-collect-now
request mul-config enabled
request mul-config disabled
request authkey set <value>
request user-id cloud-identy-engine config-data status
test tag-filter <value>
test url <value>
test url-info-host <value>
test url-info-cloud <value>
test url-wpc <value>
test cookie-surrogate username <value> ip <ip/netmask>
test arp gratuitous interface <value> ip <ip/netmask>

PAN-OS CLI Quick Start Version Version 10.1 269 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

test nd router-adversement interface <value>

test nptv6 cks-neutral dest-network <ip/netmask> source-ip <ip/netmask>
test custom-url url <value>
test ssl-exclude-list predefined hostname <value>
test ssl-exclude-list shared hostname <value>
test ssl-exclude-list vsys hostname <value>
test security-policy-match from <value> to <value>|<mulcast> source <ip/netmask> source-
port <1-65535> desnaon <ip/netmask> desnaon-port <1-65535> source-user <value>
protocol <1-255> show-all <yes|no> applicaon <value> uappid <10000000-4294967295>
category <value> check-hip-mask <yes|no> source-os <value> source-model <value> source-
vendor <value> desnaon-os <value> desnaon-model <value> desnaon-vendor <value>
source-category <value> source-profile <value> source-osfamily <value> desnaon-category
<value> desnaon-profile <value> desnaon-osfamily <value>
test qos-policy-match from <value>|<any> to <value>|<any|mulcast> source <ip/netmask>
desnaon <ip/netmask> desnaon-port <1-65535> source-user <value> protocol <1-255>
applicaon <value> category <value> codepoint-type <dscp|tos> codepoint-value <0-63>
test authencaon-policy-match from <value>|<any> to <value>|<any> source <ip/netmask>
desnaon <ip/netmask> category <value>
test decrypon-policy-match from <value>|<any> to <value>|<any> source <ip/netmask>
desnaon <ip/netmask> category <value> applicaon <value>
test nat-policy-match from <value>|<any> to <value>|<any> source <ip/netmask> desnaon
<ip/netmask> source-port <1-65535> desnaon-port <1-65535> protocol <1-255> to-interface
<value> ha-device-id <0-1>
test pbf-policy-match from <value> from-interface <value> source <ip/netmask> desnaon <ip/
netmask> desnaon-port <1-65535> source-user <value> protocol <1-255> applicaon <value>
ha-device-id <0-1>
test dos-policy-match from <value> to <value>|<mulcast> from-interface <value> to-interface
<value> source <ip/netmask> desnaon <ip/netmask> desnaon-port <1-65535> source-user
<value> protocol <1-255>
test vpn ike-sa gateway <value>
test vpn ipsec-sa tunnel <value>
test roung fib-lookup ip <ip/netmask> virtual-router <value> ecmp source-ip <ip/netmask>
source-port <1-65535> desnaon-ip <ip/netmask> desnaon-port <1-65535>
test roung mfib-lookup group <ip/netmask> source <ip/netmask> virtual-router <value>
test roung bgp virtual-router
test roung bgp virtual-router <name> refresh peer <value>
test roung bgp virtual-router <name> restart peer <value>
test roung bgp virtual-router <name> restart self
test advanced-roung bgp restart peer <ip/netmask>|<all>

PAN-OS CLI Quick Start Version Version 10.1 270 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

test hp-profile vsys <value> name <value> type <config|system|traffic|threat|wildfire|url|data|hip-

match|auth|gtp|tunnel|correlaon|userid|iptag|decrypon|globalprotect>
test hp-server vsys <value> address <value> protocol <HTTP|HTTPS> tls-version <1.2|1.1|1.0>
cerficate-profile <value> port <1-65535> username <value> password <value>
test hp-profile-server-auth-token vsys <value> profile <value> server <value> token <value>
test smtp-server vsys <value> display-name <value> from <value> to <value> and-also-to <value>
gateway <value> protocol <SMTP|TLS> tls-version <1.2|1.1> auth <Auto|Login|Plain> cerficate-
profile <value> port <1-65535> username <value> password <value>
test stats-service
test uuid enable yes
test uuid enable no
test botnet domain <value>
test data-filtering paern <value>
test data-filtering ccn <value>
test data-filtering ssn <value>
test pppoe interface <value>
test dns-proxy query name
test dns-proxy query name <name> source <ip/netmask> domain-name <value>
test dns-proxy query name <name> source <ip/netmask> ip <ip/netmask>
test dns-proxy ddns update interface name <value>|<vlan|all>
test dns-proxy fqdn refresh all
test dns-proxy fqdn refresh entry FQDN <value> type <RR_A|RR_AAAA>
test dns-proxy dns-signature fqdn <value>
test custom-signature-perf paern <value> context <value>
test custom-signature-type paern <value>
test scp-server-connecon iniate hostname <value> port <1-65535> path <value> username
<value> password <value>
test scp-server-connecon confirm hostname <value> key <value>
test threat-vault connecon
test global-protect-satellite gateway-reconnect satellite <value> gateway-address <value> method
<registraon|acvaon>
test global-protect-satellite gateway-connect satellite <value> gateway-address <value> method
<registraon|acvaon>
test global-protect-satellite gateway-disconnect satellite <value> gateway-address <value>
method <registraon|acvaon>
test global-protect-mdm hipreport request mobile-id <value> jailbroken <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 271 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

test user-id user-id-syslog-parse regex-idenfier event-regex <value> username-regex <value>

address-regex <value> log-string <value>
test user-id user-id-syslog-parse field-idenfier event-string <value> username-prefix <value>
username-delimiter <value> address-prefix <value> address-delimiter <value> log-string <value>
test user-id custom-group group-mapping <value> ldap-filter <value>
test authencaon authencaon-profile <value> username <value> password <value>
test mfa-vendors mfa-server-profile <value>
test generate-saml-url capve-portal vsys <value> authprofile <value> ip-hostname <value>
test generate-saml-url global-protect vsys <value> authprofile <value> ip-hostname <value>
test generate-saml-url management interface <mgmt> authprofile <value> ip-hostname <value>
scp import idp-metadata profile-name <value> max-clock-skew <value> validate-metadata-
signature <value> validate-idp-cerficate <value> metadata-validaon-cert-profile <value> admin-
use-only <yes|no> from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import configuraon from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import ui-translaon-mapping from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import private-key from <value> remote-port <1-65535> source-ip <ip/netmask> passphrase
<value> cerficate-name <value> format <pkcs12|pem> block-private-key <yes|no>
scp import keypair from <value> remote-port <1-65535> source-ip <ip/netmask> passphrase
<value> cerficate-name <value> format <pkcs12|pem> block-private-key <yes|no>
scp import logdb from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import cerficate from <value> remote-port <1-65535> source-ip <ip/netmask> cerficate-
name <value> passphrase <value> format <pkcs12|pem>
scp import license from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import soware from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import plugin from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import high-availability-key from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import ssl-optout-text from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import ssl-cert-status-page from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import capve-portal-text from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import url-coach-text from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import applicaon-block-page from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import safe-search-block-page from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import hsm-server-cert from <value> remote-port <1-65535> source-ip <ip/netmask> hsm-
name <value>
scp import url-block-page from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import mfa-login-page from <value> remote-port <1-65535> source-ip <ip/netmask>

PAN-OS CLI Quick Start Version Version 10.1 272 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

scp import credenal-block-page from <value> remote-port <1-65535> source-ip <ip/netmask>

scp import credenal-coach-text from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import file-block-connue-page from <value> remote-port <1-65535> source-ip <ip/
netmask>
scp import file-block-page from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import data-filter-block-page from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import virus-block-page from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import saml-auth-internal-error-page from <value> remote-port <1-65535> source-ip <ip/
netmask>
scp import global-protect-portal-custom-login-page profile <value> from <value> remote-port
<1-65535> source-ip <ip/netmask>
scp import global-protect-portal-custom-home-page profile <value> from <value> remote-port
<1-65535> source-ip <ip/netmask>
scp import global-protect-portal-custom-help-page profile <value> from <value> remote-port
<1-65535> source-ip <ip/netmask>
scp import global-protect-portal-custom-welcome-page profile <value> from <value> remote-port
<1-65535> source-ip <ip/netmask>
scp import content from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import an-virus from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import wildfire from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import device-state from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import url-database from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import signed-url-database from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import pandb-url-database from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import global-protect-clientless-vpn from <value> remote-port <1-65535> source-ip <ip/
netmask>
scp import global-protect-client from <value> remote-port <1-65535> source-ip <ip/netmask>
scp import bootstrap-bundle from <value> remote-port <1-65535> source-ip <ip/netmask>
scp export mgmt-pcap from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export license-token-file from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
scp export threat-pcap pcap-id <value> search-me <value> to <value> remote-port <1-65535>
source-ip <ip/netmask>
scp export cerficate to <value> remote-port <1-65535> source-ip <ip/netmask> cerficate-
name <value> passphrase <value> include-key <yes|no> format <pem|der|pkcs12|pkcs10>
scp export ui-translaon-mapping from <value> to <value> remote-port <1-65535> source-ip
<ip/netmask>

PAN-OS CLI Quick Start Version Version 10.1 273 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

scp export device-state to <value> remote-port <1-65535> source-ip <ip/netmask>

scp export pan-url-db to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export crl from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export filter-pcap from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export applicaon-pcap from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
scp export inbound-proxy-key from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
scp export stats-dump to <value> remote-port <1-65535> source-ip <ip/netmask> start-me
equal <value>
scp export stats-dump to <value> remote-port <1-65535> source-ip <ip/netmask> end-me
equal <value>
scp export pprof-file management-plane from <value> to <value> remote-port <1-65535> source-
ip <ip/netmask>
scp export debug bootmem_file from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
scp export core-file management-plane from <value> to <value> remote-port <1-65535> source-
ip <ip/netmask>
scp export core-file large-corefile from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
scp export core-file data-plane from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
scp export log-file management-plane to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export log-file data-plane to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export configuraon from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
scp export pdf-reports from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export web-interface-cerficate to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export logdb to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export device-telemetry from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
scp export tech-support to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export telemetry-data from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
scp export dnsproxy from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export log traffic max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> start-me equal <value>

PAN-OS CLI Quick Start Version Version 10.1 274 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

scp export log traffic max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> end-me equal <value>
scp export log threat max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> start-me equal <value>
scp export log threat max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> end-me equal <value>
scp export log url max-log-count <0-1048576> query <value> to <value> remote-port <1-65535>
source-ip <ip/netmask> start-me equal <value>
scp export log url max-log-count <0-1048576> query <value> to <value> remote-port <1-65535>
source-ip <ip/netmask> end-me equal <value>
scp export log data max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> start-me equal <value>
scp export log data max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> end-me equal <value>
scp export log wildfire max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> start-me equal <value>
scp export log wildfire max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> end-me equal <value>
scp export log decrypon max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> start-me equal <value>
scp export log decrypon max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> end-me equal <value>
scp export log globalprotect max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> start-me equal <value>
scp export log globalprotect max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> end-me equal <value>
scp export log tunnel max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> start-me equal <value>
scp export log tunnel max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> end-me equal <value>
scp export log userid max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> start-me equal <value>
scp export log userid max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> end-me equal <value>
scp export log auth max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> start-me equal <value>
scp export log auth max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> end-me equal <value>
scp export log system max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> start-me equal <value>

PAN-OS CLI Quick Start Version Version 10.1 275 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

scp export log system max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> end-me equal <value>
scp export log config max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> start-me equal <value>
scp export log config max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> end-me equal <value>
scp export log alarm max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> start-me equal <value>
scp export log alarm max-log-count <0-1048576> query <value> to <value> remote-port
<1-65535> source-ip <ip/netmask> end-me equal <value>
scp export high-availability-key from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
scp export ssl-optout-text to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export global-protect-portal-custom-login-page name <value> to <value> remote-port
<1-65535> source-ip <ip/netmask>
scp export global-protect-portal-custom-home-page name <value> to <value> remote-port
<1-65535> source-ip <ip/netmask>
scp export global-protect-portal-custom-help-page name <value> to <value> remote-port
<1-65535> source-ip <ip/netmask>
scp export global-protect-portal-custom-welcome-page name <value> to <value> remote-port
<1-65535> source-ip <ip/netmask>
scp export ssl-cert-status-page to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export capve-portal-text to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export url-coach-text to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export file-block-connue-page to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export file-block-page to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export applicaon-block-page to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export url-block-page to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export mfa-login-page to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export virus-block-page to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export debug-pcap from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
scp export hsm-support-info from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
scp export hsm-client-cert from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
scp export ike-config-file from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import an-virus from <value> file <value> remote-port <1-65535> source-ip <ip/netmask>

PAN-OS CLI Quick Start Version Version 10.1 276 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

tp import wildfire from <value> file <value> remote-port <1-65535> source-ip <ip/netmask>
tp import device-state from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import content from <value> file <value> remote-port <1-65535> source-ip <ip/netmask>
tp import url-database from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import signed-url-database from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import pandb-url-database from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import global-protect-client from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import bootstrap-bundle from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import configuraon from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import cerficate from <value> file <value> remote-port <1-65535> source-ip <ip/netmask>
cerficate-name <value> passphrase <value> format <pkcs12|pem>
tp import private-key from <value> file <value> remote-port <1-65535> source-ip <ip/netmask>
passphrase <value> cerficate-name <value> format <pkcs12|pem>
tp import keypair from <value> file <value> remote-port <1-65535> source-ip <ip/netmask>
passphrase <value> cerficate-name <value> format <pkcs12|pem>
tp import license from <value> file <value> remote-port <1-65535> source-ip <ip/netmask>
tp import soware from <value> file <value> remote-port <1-65535> source-ip <ip/netmask>
tp import high-availability-key from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import ssl-optout-text from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import ssl-cert-status-page from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import capve-portal-text from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import url-coach-text from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import file-block-connue-page from <value> file <value> remote-port <1-65535> source-ip
<ip/netmask>
tp import file-block-page from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>

PAN-OS CLI Quick Start Version Version 10.1 277 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

tp import data-filter-block-page from <value> file <value> remote-port <1-65535> source-ip
<ip/netmask>
tp import applicaon-block-page from <value> file <value> remote-port <1-65535> source-ip
<ip/netmask>
tp import safe-search-block-page from <value> file <value> remote-port <1-65535> source-ip
<ip/netmask>
tp import url-block-page from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import mfa-login-page from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import credenal-coach-text from <value> file <value> remote-port <1-65535> source-ip
<ip/netmask>
tp import credenal-block-page from <value> file <value> remote-port <1-65535> source-ip
<ip/netmask>
tp import virus-block-page from <value> file <value> remote-port <1-65535> source-ip <ip/
netmask>
tp import global-protect-portal-custom-login-page profile <value> from <value> file <value>
remote-port <1-65535> source-ip <ip/netmask>
tp import global-protect-portal-custom-home-page profile <value> from <value> file <value>
remote-port <1-65535> source-ip <ip/netmask>
tp import global-protect-portal-custom-help-page profile <value> from <value> file <value>
remote-port <1-65535> source-ip <ip/netmask>
tp import global-protect-portal-custom-welcome-page profile <value> from <value> file <value>
remote-port <1-65535> source-ip <ip/netmask>
tp export license-token-file from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
tp export device-state to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export crl from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export filter-pcap from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export applicaon-pcap from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
tp export stats-dump to <value> remote-port <1-65535> source-ip <ip/netmask> start-me
equal <value>
tp export stats-dump to <value> remote-port <1-65535> source-ip <ip/netmask> end-me
equal <value>
tp export debug bootmem_file from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
tp export core-file management-plane from <value> to <value> remote-port <1-65535> source-
ip <ip/netmask>

PAN-OS CLI Quick Start Version Version 10.1 278 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

tp export core-file large-corefile from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
tp export core-file data-plane from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
tp export threat-pcap pcap-id <value> search-me <value> to <value> remote-port <1-65535>
source-ip <ip/netmask>
tp export mgmt-pcap from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export configuraon from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
tp export web-interface-cerficate to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export tech-support to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export telemetry-data from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
tp export dnsproxy from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export log-file management-plane to <value> remote-port <1-65535> source-ip <ip/
netmask>
tp export log-file data-plane to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export high-availability-key from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
tp export ssl-optout-text to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export ssl-cert-status-page to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export capve-portal-text to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export url-coach-text to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export file-block-connue-page to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export file-block-page to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export applicaon-block-page to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export url-block-page to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export mfa-login-page to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export virus-block-page to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export global-protect-portal-custom-login-page name <value> to <value> remote-port
<1-65535> source-ip <ip/netmask>
tp export global-protect-portal-custom-home-page name <value> to <value> remote-port
<1-65535> source-ip <ip/netmask>
tp export global-protect-portal-custom-help-page name <value> to <value> remote-port
<1-65535> source-ip <ip/netmask>
tp export global-protect-portal-custom-welcome-page name <value> to <value> remote-port
<1-65535> source-ip <ip/netmask>

PAN-OS CLI Quick Start Version Version 10.1 279 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

tp export debug-pcap from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
tp export inbound-proxy-key from <value> to <value> remote-port <1-65535> source-ip <ip/
netmask>
p export log traffic query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> passive-mode equal <yes|no>
p export log traffic query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> start-me equal <value>
p export log traffic query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> end-me equal <value>
p export log threat query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> passive-mode equal <yes|no>
p export log threat query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> start-me equal <value>
p export log threat query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> end-me equal <value>
p export log data query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> passive-mode equal <yes|no>
p export log data query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> start-me equal <value>
p export log data query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> end-me equal <value>
p export log url query <value> max-log-count <0-1048576> to <value> remote-port <1-65535>
passive-mode equal <yes|no>
p export log url query <value> max-log-count <0-1048576> to <value> remote-port <1-65535>
start-me equal <value>
p export log url query <value> max-log-count <0-1048576> to <value> remote-port <1-65535>
end-me equal <value>
p export log wildfire query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> passive-mode equal <yes|no>
p export log wildfire query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> start-me equal <value>
p export log wildfire query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> end-me equal <value>
p export log decrypon query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> passive-mode equal <yes|no>
p export log decrypon query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> start-me equal <value>
p export log decrypon query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> end-me equal <value>

PAN-OS CLI Quick Start Version Version 10.1 280 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

p export log globalprotect query <value> max-log-count <0-1048576> to <value> remote-port

<1-65535> passive-mode equal <yes|no>
p export log globalprotect query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> start-me equal <value>
p export log globalprotect query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> end-me equal <value>
p export log tunnel query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> passive-mode equal <yes|no>
p export log tunnel query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> start-me equal <value>
p export log tunnel query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> end-me equal <value>
p export log userid query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> passive-mode equal <yes|no>
p export log userid query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> start-me equal <value>
p export log userid query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> end-me equal <value>
p export log auth query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> passive-mode equal <yes|no>
p export log auth query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> start-me equal <value>
p export log auth query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> end-me equal <value>
p export log system query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> passive-mode equal <yes|no>
p export log system query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> start-me equal <value>
p export log system query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> end-me equal <value>
p export log config query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> passive-mode equal <yes|no>
p export log config query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> start-me equal <value>
p export log config query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> end-me equal <value>
p export log alarm query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> passive-mode equal <yes|no>
p export log alarm query <value> max-log-count <0-1048576> to <value> remote-port
<1-65535> start-me equal <value>

PAN-OS CLI Quick Start Version Version 10.1 281 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

p export log alarm query <value> max-log-count <0-1048576> to <value> remote-port

<1-65535> end-me equal <value>
less mp-log <value>
less plugins-log <value>
less mp-global <value>
less dp-log <value>
less mp-backtrace <value>
less dp-backtrace <value>
less webserver-log <value>
less appweb-log <value>
less custom-page <value>
less agent-log <value>
less db-log <value>
ls long-format <yes|no> sort-by-me <yes|no> reverse-order <yes|no> mp-log <value>
ls long-format <yes|no> sort-by-me <yes|no> reverse-order <yes|no> plugins-log <value>
ls long-format <yes|no> sort-by-me <yes|no> reverse-order <yes|no> mp-global <value>
ls long-format <yes|no> sort-by-me <yes|no> reverse-order <yes|no> dp-log <value>
ls long-format <yes|no> sort-by-me <yes|no> reverse-order <yes|no> mp-backtrace <value>
ls long-format <yes|no> sort-by-me <yes|no> reverse-order <yes|no> dp-backtrace <value>
ls long-format <yes|no> sort-by-me <yes|no> reverse-order <yes|no> webserver-log <value>
ls long-format <yes|no> sort-by-me <yes|no> reverse-order <yes|no> appweb-log <value>
ls long-format <yes|no> sort-by-me <yes|no> reverse-order <yes|no> custom-page <value>
ls long-format <yes|no> sort-by-me <yes|no> reverse-order <yes|no> global <value>
ls long-format <yes|no> sort-by-me <yes|no> reverse-order <yes|no> content <value>
grep invert-match <yes|no> line-number <yes|no> ignore-case <yes|no> no-filename <yes|no>
count <yes|no> max-count <1-65535> context <1-65535> before-context <1-65535> aer-
context <1-65535> paern <value> mp-log <value>
grep invert-match <yes|no> line-number <yes|no> ignore-case <yes|no> no-filename <yes|no>
count <yes|no> max-count <1-65535> context <1-65535> before-context <1-65535> aer-
context <1-65535> paern <value> dp-log <value>
ping bypass-roung <yes|no> count <1-2000000000> do-not-fragment <yes|no> inet6 <yes|no>
interval <1-2000000000> source <value> no-resolve <yes|no> paern <value> size <0-65468>
tos <1-255> l <1-255> verbose <yes|no> host <value>
traceroute ipv4 <yes|no> ipv6 <yes|no> first-l <1-255> max-l <1-255> port <1-65535> tos
<1-255> wait <1-99999> pause <1-2000000000> do-not-fragment <yes|no> debug-socket <yes|
no> gateway <ip/netmask> no-resolve <yes|no> bypass-roung <yes|no> source <value> host
<value>

PAN-OS CLI Quick Start Version Version 10.1 282 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

ssh inet <yes|no> port <0-65535> source <value> v1 <yes|no> v2 <yes|no> host <value>
tail follow <yes|no> lines <1-65535> mp-log <value>
tail follow <yes|no> lines <1-65535> plugins-log <value>
tail follow <yes|no> lines <1-65535> db-log <value>
tail follow <yes|no> lines <1-65535> dp-log <value>
tail follow <yes|no> lines <1-65535> agent-log <value>
tail follow <yes|no> lines <1-65535> webserver-log <value>
tail follow <yes|no> lines <1-65535> appweb-log <value>
view-pcap follow <yes|no> link-header <yes|no> no-dns-lookup <yes|no> no-port-lookup <yes|
no> no-qualificaon <yes|no> absolute-seq <yes|no> no-mestamp <yes|no> unformaed-
mestamp <yes|no> delta <yes|no> mestamp <yes|no> undecoded-NFS <yes|no> verbose <yes|
no> verbose+ <yes|no> verbose++ <yes|no> hex <yes|no> hex-link <yes|no> hex-ascii <yes|no>
hex-ascii-link <yes|no> applicaon-pcap <value>
view-pcap follow <yes|no> link-header <yes|no> no-dns-lookup <yes|no> no-port-lookup <yes|
no> no-qualificaon <yes|no> absolute-seq <yes|no> no-mestamp <yes|no> unformaed-
mestamp <yes|no> delta <yes|no> mestamp <yes|no> undecoded-NFS <yes|no> verbose <yes|
no> verbose+ <yes|no> verbose++ <yes|no> hex <yes|no> hex-link <yes|no> hex-ascii <yes|no>
hex-ascii-link <yes|no> filter-pcap <value>
view-pcap follow <yes|no> link-header <yes|no> no-dns-lookup <yes|no> no-port-lookup <yes|
no> no-qualificaon <yes|no> absolute-seq <yes|no> no-mestamp <yes|no> unformaed-
mestamp <yes|no> delta <yes|no> mestamp <yes|no> undecoded-NFS <yes|no> verbose <yes|
no> verbose+ <yes|no> verbose++ <yes|no> hex <yes|no> hex-link <yes|no> hex-ascii <yes|no>
hex-ascii-link <yes|no> debug-pcap <value>
view-pcap follow <yes|no> link-header <yes|no> no-dns-lookup <yes|no> no-port-lookup <yes|
no> no-qualificaon <yes|no> absolute-seq <yes|no> no-mestamp <yes|no> unformaed-
mestamp <yes|no> delta <yes|no> mestamp <yes|no> undecoded-NFS <yes|no> verbose <yes|
no> verbose+ <yes|no> verbose++ <yes|no> hex <yes|no> hex-link <yes|no> hex-ascii <yes|no>
hex-ascii-link <yes|no> mgmt-pcap <value>
view-pcap follow <yes|no> link-header <yes|no> no-dns-lookup <yes|no> no-port-lookup <yes|
no> no-qualificaon <yes|no> absolute-seq <yes|no> no-mestamp <yes|no> unformaed-
mestamp <yes|no> delta <yes|no> mestamp <yes|no> undecoded-NFS <yes|no> verbose <yes|
no> verbose+ <yes|no> verbose++ <yes|no> hex <yes|no> hex-link <yes|no> hex-ascii <yes|no>
hex-ascii-link <yes|no> threat threat-pcap-id <value> search-me <value>
tcpdump snaplen <0-65535> filter <value>
diff config num-context-lines <0|1|5|10|20|all> paral shared-object <excluded> device-and-
network <excluded> admin
diff config num-context-lines <0|1|5|10|20|all> paral shared-object <excluded> device-and-
network <excluded> admin [ <admin1> <admin2>... ]
diff config num-context-lines <0|1|5|10|20|all> paral shared-object <excluded> device-and-
network <excluded> no-vsys

PAN-OS CLI Quick Start Version Version 10.1 283 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

diff config num-context-lines <0|1|5|10|20|all> paral shared-object <excluded> device-and-

network <excluded> vsys
diff config num-context-lines <0|1|5|10|20|all> paral shared-object <excluded> device-and-
network <excluded> vsys [ <vsys1> <vsys2>... ]
find command keyword <value>

PAN-OS CLI Quick Start Version Version 10.1 284 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

PAN-OS 10.1 Configure CLI Command Hierarchy

check pending-changes
check full-commit-required
check data-access-passwd system
save config to <value> paral shared-object <excluded> device-and-network <excluded> admin
save config to <value> paral shared-object <excluded> device-and-network <excluded> admin
[ <admin1> <admin2>... ]
save config to <value> paral shared-object <excluded> device-and-network <excluded> no-vsys
save config to <value> paral shared-object <excluded> device-and-network <excluded> vsys
save config to <value> paral shared-object <excluded> device-and-network <excluded> vsys
[ <vsys1> <vsys2>... ]
save device-state
revert config skip-validate <yes|no> paral shared-object <excluded> device-and-network
<excluded> admin
revert config skip-validate <yes|no> paral shared-object <excluded> device-and-network
<excluded> admin [ <admin1> <admin2>... ]
revert config skip-validate <yes|no> paral shared-object <excluded> device-and-network
<excluded> no-vsys
revert config skip-validate <yes|no> paral shared-object <excluded> device-and-network
<excluded> vsys
revert config skip-validate <yes|no> paral shared-object <excluded> device-and-network
<excluded> vsys [ <vsys1> <vsys2>... ]
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> skip-validate <yes|no> from
<value>
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> skip-validate <yes|no>
version <value>|<1-1048576>
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> skip-validate <yes|no> last-
saved
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> skip-validate <yes|no> paral
shared-objects <included> shared-policies <included> from <value> from-xpath <value> to-xpath
<value> mode <merge|replace|append> device-group
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> skip-validate <yes|no> paral
shared-objects <included> shared-policies <included> from <value> from-xpath <value> to-xpath
<value> mode <merge|replace|append> device-group [ <device-group1> <device-group2>... ]
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> skip-validate <yes|no> paral
shared-objects <included> shared-policies <included> from <value> from-xpath <value> to-xpath
<value> mode <merge|replace|append> template

PAN-OS CLI Quick Start Version Version 10.1 285 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

load config key <value>|<default> regenerate-rule-uuid-all <yes|no> skip-validate <yes|no> paral

shared-objects <included> shared-policies <included> from <value> from-xpath <value> to-xpath
<value> mode <merge|replace|append> template [ <template1> <template2>... ]
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> skip-validate <yes|no> paral
shared-objects <included> shared-policies <included> from <value> from-xpath <value> to-xpath
<value> mode <merge|replace|append> template-stack
load config key <value>|<default> regenerate-rule-uuid-all <yes|no> skip-validate <yes|no> paral
shared-objects <included> shared-policies <included> from <value> from-xpath <value> to-xpath
<value> mode <merge|replace|append> template-stack [ <template-stack1> <template-stack2>... ]
load device-state
commit descripon <value> force paral device-and-network <excluded> shared-object
<excluded> admin
commit descripon <value> force paral device-and-network <excluded> shared-object
<excluded> admin [ <admin1> <admin2>... ]
commit descripon <value> force paral device-and-network <excluded> shared-object
<excluded> no-vsys
commit descripon <value> force paral device-and-network <excluded> shared-object
<excluded> vsys
commit descripon <value> force paral device-and-network <excluded> shared-object
<excluded> vsys [ <vsys1> <vsys2>... ]
commit descripon <value> paral device-and-network <excluded> shared-object <excluded>
admin
commit descripon <value> paral device-and-network <excluded> shared-object <excluded>
admin [ <admin1> <admin2>... ]
commit descripon <value> paral device-and-network <excluded> shared-object <excluded> no-
vsys
commit descripon <value> paral device-and-network <excluded> shared-object <excluded>
vsys
commit descripon <value> paral device-and-network <excluded> shared-object <excluded>
vsys [ <vsys1> <vsys2>... ]
validate full
validate paral device-and-network <excluded> shared-object <excluded> admin
validate paral device-and-network <excluded> shared-object <excluded> admin [ <admin1>
<admin2>... ]
validate paral device-and-network <excluded> shared-object <excluded> no-vsys
validate paral device-and-network <excluded> shared-object <excluded> vsys
validate paral device-and-network <excluded> shared-object <excluded> vsys [ <vsys1>
<vsys2>... ]
find command keyword <value>

PAN-OS CLI Quick Start Version Version 10.1 286 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show deviceconfig
show deviceconfig system
show deviceconfig system type
show deviceconfig system type
show deviceconfig system type stac
show deviceconfig system type dhcp-client
show deviceconfig system dns-seng
show deviceconfig system dns-seng
show deviceconfig system dns-seng servers
show deviceconfig system panorama
show deviceconfig system panorama
show deviceconfig system panorama local-panorama
show deviceconfig system ntp-servers
show deviceconfig system ntp-servers primary-ntp-server
show deviceconfig system ntp-servers primary-ntp-server authencaon-type
show deviceconfig system ntp-servers primary-ntp-server authencaon-type none
show deviceconfig system ntp-servers primary-ntp-server authencaon-type symmetric-key
show deviceconfig system ntp-servers primary-ntp-server authencaon-type symmetric-key
algorithm
show deviceconfig system ntp-servers primary-ntp-server authencaon-type symmetric-key
algorithm md5
show deviceconfig system ntp-servers primary-ntp-server authencaon-type symmetric-key
algorithm sha1
show deviceconfig system ntp-servers primary-ntp-server authencaon-type autokey
show deviceconfig system ntp-servers secondary-ntp-server
show deviceconfig system ntp-servers secondary-ntp-server authencaon-type
show deviceconfig system ntp-servers secondary-ntp-server authencaon-type none
show deviceconfig system ntp-servers secondary-ntp-server authencaon-type symmetric-key
show deviceconfig system ntp-servers secondary-ntp-server authencaon-type symmetric-key
algorithm
show deviceconfig system ntp-servers secondary-ntp-server authencaon-type symmetric-key
algorithm md5
show deviceconfig system ntp-servers secondary-ntp-server authencaon-type symmetric-key
algorithm sha1
show deviceconfig system ntp-servers secondary-ntp-server authencaon-type autokey

PAN-OS CLI Quick Start Version Version 10.1 287 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show deviceconfig system hsm-sengs

show deviceconfig system hsm-sengs provider
show deviceconfig system hsm-sengs provider
show deviceconfig system hsm-sengs provider safenet-network
show deviceconfig system hsm-sengs provider safenet-network hsm-server
show deviceconfig system hsm-sengs provider safenet-network hsm-server <name>
show deviceconfig system hsm-sengs provider safenet-network ha
show deviceconfig system hsm-sengs provider ncipher-nshield-connect
show deviceconfig system hsm-sengs provider ncipher-nshield-connect hsm-server
show deviceconfig system hsm-sengs provider ncipher-nshield-connect hsm-server <name>
show deviceconfig system hsm-sengs provider none
show deviceconfig system ssh
show deviceconfig system ssh profiles
show deviceconfig system ssh profiles ha-profiles
show deviceconfig system ssh profiles ha-profiles <name>
show deviceconfig system ssh profiles ha-profiles <name> default-hostkey
show deviceconfig system ssh profiles ha-profiles <name> default-hostkey key-type
show deviceconfig system ssh profiles ha-profiles <name> session-rekey
show deviceconfig system ssh profiles mgmt-profiles
show deviceconfig system ssh profiles mgmt-profiles server-profiles
show deviceconfig system ssh profiles mgmt-profiles server-profiles <name>
show deviceconfig system ssh profiles mgmt-profiles server-profiles <name> default-hostkey
show deviceconfig system ssh profiles mgmt-profiles server-profiles <name> default-hostkey key-
type
show deviceconfig system ssh profiles mgmt-profiles server-profiles <name> default-hostkey key-
type all
show deviceconfig system ssh profiles mgmt-profiles server-profiles <name> session-rekey
show deviceconfig system ssh ha
show deviceconfig system ssh mgmt
show deviceconfig system ssh regenerate-hostkeys
show deviceconfig system ssh regenerate-hostkeys ha
show deviceconfig system ssh regenerate-hostkeys ha key-type
show deviceconfig system ssh regenerate-hostkeys ha key-type ECDSA
show deviceconfig system ssh regenerate-hostkeys ha key-type RSA

PAN-OS CLI Quick Start Version Version 10.1 288 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show deviceconfig system ssh regenerate-hostkeys mgmt

show deviceconfig system ssh regenerate-hostkeys mgmt key-type
show deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA
show deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA
show deviceconfig system device-telemetry
show deviceconfig system snmp-seng
show deviceconfig system snmp-seng snmp-system
show deviceconfig system snmp-seng access-seng
show deviceconfig system snmp-seng access-seng version
show deviceconfig system snmp-seng access-seng version v2c
show deviceconfig system snmp-seng access-seng version v3
show deviceconfig system snmp-seng access-seng version v3 views
show deviceconfig system snmp-seng access-seng version v3 views <name>
show deviceconfig system snmp-seng access-seng version v3 views <name> view
show deviceconfig system snmp-seng access-seng version v3 views <name> view <name>
show deviceconfig system snmp-seng access-seng version v3 users
show deviceconfig system snmp-seng access-seng version v3 users <name>
show deviceconfig system geo-locaon
show deviceconfig system service
show deviceconfig system permied-ip
show deviceconfig system permied-ip <name>
show deviceconfig system route
show deviceconfig system route service
show deviceconfig system route service <name>
show deviceconfig system route service <name> source
show deviceconfig system route service <name> source-v6
show deviceconfig system route desnaon
show deviceconfig system route desnaon <name>
show deviceconfig system route desnaon <name> source
show deviceconfig system log-link
show deviceconfig system log-link <name>
show deviceconfig system log-export-schedule
show deviceconfig system log-export-schedule <name>

PAN-OS CLI Quick Start Version Version 10.1 289 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show deviceconfig system log-export-schedule <name> protocol

show deviceconfig system log-export-schedule <name> protocol p
show deviceconfig system log-export-schedule <name> protocol scp
show deviceconfig system update-schedule
show deviceconfig system update-schedule stascs-service
show deviceconfig system update-schedule threats
show deviceconfig system update-schedule threats recurring
show deviceconfig system update-schedule threats recurring
show deviceconfig system update-schedule threats recurring none
show deviceconfig system update-schedule threats recurring every-30-mins
show deviceconfig system update-schedule threats recurring hourly
show deviceconfig system update-schedule threats recurring daily
show deviceconfig system update-schedule threats recurring weekly
show deviceconfig system update-schedule app-profile
show deviceconfig system update-schedule app-profile recurring
show deviceconfig system update-schedule app-profile recurring
show deviceconfig system update-schedule app-profile recurring none
show deviceconfig system update-schedule app-profile recurring daily
show deviceconfig system update-schedule app-profile recurring weekly
show deviceconfig system update-schedule an-virus
show deviceconfig system update-schedule an-virus recurring
show deviceconfig system update-schedule an-virus recurring
show deviceconfig system update-schedule an-virus recurring none
show deviceconfig system update-schedule an-virus recurring hourly
show deviceconfig system update-schedule an-virus recurring daily
show deviceconfig system update-schedule an-virus recurring weekly
show deviceconfig system update-schedule wildfire
show deviceconfig system update-schedule wildfire recurring
show deviceconfig system update-schedule wildfire recurring
show deviceconfig system update-schedule wildfire recurring none
show deviceconfig system update-schedule wildfire recurring real-me
show deviceconfig system update-schedule wildfire recurring every-min
show deviceconfig system update-schedule wildfire recurring every-15-mins

PAN-OS CLI Quick Start Version Version 10.1 290 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show deviceconfig system update-schedule wildfire recurring every-30-mins

show deviceconfig system update-schedule wildfire recurring every-hour
show deviceconfig system update-schedule wf-private
show deviceconfig system update-schedule wf-private recurring
show deviceconfig system update-schedule wf-private recurring
show deviceconfig system update-schedule wf-private recurring none
show deviceconfig system update-schedule wf-private recurring every-5-mins
show deviceconfig system update-schedule wf-private recurring every-15-mins
show deviceconfig system update-schedule wf-private recurring every-30-mins
show deviceconfig system update-schedule wf-private recurring every-hour
show deviceconfig system update-schedule global-protect-clientless-vpn
show deviceconfig system update-schedule global-protect-clientless-vpn recurring
show deviceconfig system update-schedule global-protect-clientless-vpn recurring
show deviceconfig system update-schedule global-protect-clientless-vpn recurring none
show deviceconfig system update-schedule global-protect-clientless-vpn recurring hourly
show deviceconfig system update-schedule global-protect-clientless-vpn recurring daily
show deviceconfig system update-schedule global-protect-clientless-vpn recurring weekly
show deviceconfig system update-schedule global-protect-datafile
show deviceconfig system update-schedule global-protect-datafile recurring
show deviceconfig system update-schedule global-protect-datafile recurring
show deviceconfig system update-schedule global-protect-datafile recurring none
show deviceconfig system update-schedule global-protect-datafile recurring hourly
show deviceconfig system update-schedule global-protect-datafile recurring daily
show deviceconfig system update-schedule global-protect-datafile recurring weekly
show deviceconfig system motd-and-banner
show deviceconfig seng
show deviceconfig seng nat
show deviceconfig seng jumbo-frame
show deviceconfig seng icmpv6-rate-limit
show deviceconfig seng nat64
show deviceconfig seng packet
show deviceconfig seng ul
show deviceconfig seng pan-url-db

PAN-OS CLI Quick Start Version Version 10.1 291 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show deviceconfig seng hawkeye

show deviceconfig seng global-protect
show deviceconfig seng l3-service
show deviceconfig seng capve-portal
show deviceconfig seng applicaon
show deviceconfig seng applicaon traceroute
show deviceconfig seng autofocus
show deviceconfig seng wildfire
show deviceconfig seng wildfire file-size-limit
show deviceconfig seng wildfire file-size-limit <name>
show deviceconfig seng wildfire session-info-select
show deviceconfig seng ctd
show deviceconfig seng ssl-decrypt
show deviceconfig seng session
show deviceconfig seng tcp
show deviceconfig seng zip
show deviceconfig seng hp2
show deviceconfig seng pow
show deviceconfig seng config
show deviceconfig seng logging
show deviceconfig seng logging enhanced-applicaon-logging
show deviceconfig seng logging enhanced-applicaon-logging disable-applicaon
show deviceconfig seng logging enhanced-applicaon-logging disable-applicaon <name>
show deviceconfig seng logging enhanced-applicaon-logging disable-global
show deviceconfig seng logging enhanced-applicaon-logging disable-global all
show deviceconfig seng logging enhanced-applicaon-logging disable-global arp
show deviceconfig seng logging enhanced-applicaon-logging disable-global non-syn-tcp
show deviceconfig seng logging enhanced-applicaon-logging disable-global ext-traffic
show deviceconfig seng logging enhanced-applicaon-logging disable-global hip-report
show deviceconfig seng logging logging-service-forwarding
show deviceconfig seng management
show deviceconfig seng management secure-conn-client
show deviceconfig seng management secure-conn-client cerficate-type

PAN-OS CLI Quick Start Version Version 10.1 292 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show deviceconfig seng management secure-conn-client cerficate-type

show deviceconfig seng management secure-conn-client cerficate-type none
show deviceconfig seng management secure-conn-client cerficate-type local
show deviceconfig seng management secure-conn-client cerficate-type scep
show deviceconfig seng management secure-conn-server
show deviceconfig seng management quota-sengs
show deviceconfig seng management quota-sengs log-expiraon-period
show deviceconfig seng management quota-sengs disk-quota
show deviceconfig seng management common-criteria
show deviceconfig seng management common-criteria self-test-schedule
show deviceconfig seng management common-criteria self-test-schedule crypto
show deviceconfig seng management common-criteria self-test-schedule soware-integrity
show deviceconfig seng management common-criteria
show deviceconfig seng management common-criteria self-test-schedule
show deviceconfig seng management common-criteria self-test-schedule crypto
show deviceconfig seng management common-criteria self-test-schedule soware-integrity
show deviceconfig seng management common-criteria
show deviceconfig seng management api
show deviceconfig seng management api key
show deviceconfig seng management admin-lockout
show deviceconfig seng management admin-session
show deviceconfig seng management browse-acvity-report-seng
show deviceconfig seng management device-monitoring
show deviceconfig seng management common-criteria-alarm-generaon
show deviceconfig seng management common-criteria-alarm-generaon security-policy-limits
show deviceconfig seng management common-criteria-alarm-generaon rule-group-limits
show deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold
show deviceconfig seng management audit-tracking
show deviceconfig seng logrcvr
show deviceconfig seng vpn
show deviceconfig seng vpn ikev2
show deviceconfig seng custom-logo
show deviceconfig seng custom-logo login-screen

PAN-OS CLI Quick Start Version Version 10.1 293 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show deviceconfig seng custom-logo main-ui

show deviceconfig seng custom-logo pdf-report-header
show deviceconfig seng custom-logo pdf-report-footer
show deviceconfig seng iot
show deviceconfig seng iot edge
show deviceconfig seng cloudapp
show deviceconfig seng cloudapp cloudapp-srvr-addr
show deviceconfig high-availability
show deviceconfig high-availability interface
show deviceconfig high-availability interface ha1
show deviceconfig high-availability interface ha1 encrypon
show deviceconfig high-availability interface ha1-backup
show deviceconfig high-availability interface ha2
show deviceconfig high-availability interface ha2-backup
show deviceconfig high-availability interface ha3
show deviceconfig high-availability interface ha4
show deviceconfig high-availability interface ha4-backup
show deviceconfig high-availability cluster
show deviceconfig high-availability cluster cluster-members
show deviceconfig high-availability cluster cluster-members <name>
show deviceconfig high-availability group
show deviceconfig high-availability group elecon-opon
show deviceconfig high-availability group elecon-opon mers
show deviceconfig high-availability group elecon-opon mers
show deviceconfig high-availability group elecon-opon mers recommended
show deviceconfig high-availability group elecon-opon mers aggressive
show deviceconfig high-availability group elecon-opon mers advanced
show deviceconfig high-availability group state-synchronizaon
show deviceconfig high-availability group state-synchronizaon ha2-keep-alive
show deviceconfig high-availability group configuraon-synchronizaon
show deviceconfig high-availability group mode
show deviceconfig high-availability group mode
show deviceconfig high-availability group mode acve-passive

PAN-OS CLI Quick Start Version Version 10.1 294 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show deviceconfig high-availability group mode acve-acve

show deviceconfig high-availability group mode acve-acve network-configuraon
show deviceconfig high-availability group mode acve-acve network-configuraon sync
show deviceconfig high-availability group mode acve-acve virtual-address
show deviceconfig high-availability group mode acve-acve virtual-address <name>
show deviceconfig high-availability group mode acve-acve virtual-address <name> ip
show deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
show deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
show deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
floang
show deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
floang device-priority
show deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
arp-load-sharing
show deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
arp-load-sharing
show deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
arp-load-sharing ip-modulo
show deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
arp-load-sharing ip-hash
show deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6
show deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6
<name>
show deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6
<name>
show deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6
<name> floang
show deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6
<name> floang device-priority
show deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6
<name> arp-load-sharing
show deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6
<name> arp-load-sharing
show deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6
<name> arp-load-sharing ip-modulo
show deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6
<name> arp-load-sharing ip-hash
show deviceconfig high-availability group mode acve-acve session-owner-selecon

PAN-OS CLI Quick Start Version Version 10.1 295 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show deviceconfig high-availability group mode acve-acve session-owner-selecon

show deviceconfig high-availability group mode acve-acve session-owner-selecon primary-
device
show deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
show deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup
show deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup
show deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup primary-device
show deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup first-packet
show deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup ip-modulo
show deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup ip-hash
show deviceconfig high-availability group monitoring
show deviceconfig high-availability group monitoring path-monitoring
show deviceconfig high-availability group monitoring path-monitoring path-group
show deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
show deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name>
show deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name> desnaon-ip-group
show deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name> desnaon-ip-group <name>
show deviceconfig high-availability group monitoring path-monitoring path-group vlan
show deviceconfig high-availability group monitoring path-monitoring path-group vlan <name>
show deviceconfig high-availability group monitoring path-monitoring path-group vlan <name>
desnaon-ip-group
show deviceconfig high-availability group monitoring path-monitoring path-group vlan <name>
desnaon-ip-group <name>
show deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
show deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
<name>
show deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
<name> desnaon-ip-group

PAN-OS CLI Quick Start Version Version 10.1 296 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show deviceconfig high-availability group monitoring path-monitoring path-group virtual-router

<name> desnaon-ip-group <name>
show deviceconfig high-availability group monitoring path-monitoring path-group logical-router
show deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name>
show deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name> desnaon-ip-group
show deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name> desnaon-ip-group <name>
show deviceconfig high-availability group monitoring link-monitoring
show deviceconfig high-availability group monitoring link-monitoring link-group
show deviceconfig high-availability group monitoring link-monitoring link-group <name>
show mgt-config
show mgt-config password-complexity
show mgt-config password-complexity password-change
show mgt-config password-profile
show mgt-config password-profile <name>
show mgt-config password-profile <name> password-change
show mgt-config users
show mgt-config users <name>
show mgt-config users <name> preferences
show mgt-config users <name> preferences saved-log-query
show mgt-config users <name> preferences saved-log-query unified
show mgt-config users <name> preferences saved-log-query unified <name>
show mgt-config users <name> preferences saved-log-query traffic
show mgt-config users <name> preferences saved-log-query traffic <name>
show mgt-config users <name> preferences saved-log-query threat
show mgt-config users <name> preferences saved-log-query threat <name>
show mgt-config users <name> preferences saved-log-query url
show mgt-config users <name> preferences saved-log-query url <name>
show mgt-config users <name> preferences saved-log-query data
show mgt-config users <name> preferences saved-log-query data <name>
show mgt-config users <name> preferences saved-log-query config
show mgt-config users <name> preferences saved-log-query config <name>
show mgt-config users <name> preferences saved-log-query system

PAN-OS CLI Quick Start Version Version 10.1 297 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show mgt-config users <name> preferences saved-log-query system <name>

show mgt-config users <name> preferences saved-log-query wildfire
show mgt-config users <name> preferences saved-log-query wildfire <name>
show mgt-config users <name> preferences saved-log-query hipmatch
show mgt-config users <name> preferences saved-log-query hipmatch <name>
show mgt-config users <name> preferences saved-log-query corr
show mgt-config users <name> preferences saved-log-query corr <name>
show mgt-config users <name> preferences saved-log-query tunnel
show mgt-config users <name> preferences saved-log-query tunnel <name>
show mgt-config users <name> preferences saved-log-query userid
show mgt-config users <name> preferences saved-log-query userid <name>
show mgt-config users <name> preferences saved-log-query auth
show mgt-config users <name> preferences saved-log-query auth <name>
show mgt-config users <name> preferences saved-log-query globalprotect
show mgt-config users <name> preferences saved-log-query globalprotect <name>
show mgt-config users <name> preferences saved-log-query alarm
show mgt-config users <name> preferences saved-log-query alarm <name>
show mgt-config users <name> preferences saved-log-query decrypon
show mgt-config users <name> preferences saved-log-query decrypon <name>
show mgt-config users <name> permissions
show mgt-config users <name> permissions role-based
show mgt-config users <name> permissions role-based vsysreader
show mgt-config users <name> permissions role-based vsysreader <name>
show mgt-config users <name> permissions role-based vsysadmin
show mgt-config users <name> permissions role-based vsysadmin <name>
show mgt-config users <name> permissions role-based custom
show mgt-config access-domain
show mgt-config access-domain <name>
show network
show network profiles
show network profiles monitor-profile
show network profiles monitor-profile <name>
show network profiles interface-management-profile

PAN-OS CLI Quick Start Version Version 10.1 298 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network profiles interface-management-profile <name>

show network profiles interface-management-profile <name> permied-ip
show network profiles interface-management-profile <name> permied-ip <name>
show network profiles zone-protecon-profile
show network profiles zone-protecon-profile <name>
show network profiles zone-protecon-profile <name> scan
show network profiles zone-protecon-profile <name> scan <name>
show network profiles zone-protecon-profile <name> scan <name> acon
show network profiles zone-protecon-profile <name> scan <name> acon allow
show network profiles zone-protecon-profile <name> scan <name> acon alert
show network profiles zone-protecon-profile <name> scan <name> acon block
show network profiles zone-protecon-profile <name> scan <name> acon block-ip
show network profiles zone-protecon-profile <name> scan-white-list
show network profiles zone-protecon-profile <name> scan-white-list <name>
show network profiles zone-protecon-profile <name> scan-white-list <name>
show network profiles zone-protecon-profile <name> flood
show network profiles zone-protecon-profile <name> flood tcp-syn
show network profiles zone-protecon-profile <name> flood tcp-syn
show network profiles zone-protecon-profile <name> flood tcp-syn red
show network profiles zone-protecon-profile <name> flood tcp-syn syn-cookies
show network profiles zone-protecon-profile <name> flood udp
show network profiles zone-protecon-profile <name> flood udp red
show network profiles zone-protecon-profile <name> flood icmp
show network profiles zone-protecon-profile <name> flood icmp red
show network profiles zone-protecon-profile <name> flood icmpv6
show network profiles zone-protecon-profile <name> flood icmpv6 red
show network profiles zone-protecon-profile <name> flood other-ip
show network profiles zone-protecon-profile <name> flood other-ip red
show network profiles zone-protecon-profile <name> ipv6
show network profiles zone-protecon-profile <name> ipv6 filter-ext-hdr
show network profiles zone-protecon-profile <name> ipv6 ignore-inv-pkt
show network profiles zone-protecon-profile <name> non-ip-protocol
show network profiles zone-protecon-profile <name> non-ip-protocol protocol

PAN-OS CLI Quick Start Version Version 10.1 299 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network profiles zone-protecon-profile <name> non-ip-protocol protocol <name>

show network profiles zone-protecon-profile <name> l2-sec-group-tag-protecon
show network profiles zone-protecon-profile <name> l2-sec-group-tag-protecon tags
show network profiles zone-protecon-profile <name> l2-sec-group-tag-protecon tags <name>
show network profiles lldp-profile
show network profiles lldp-profile <name>
show network profiles lldp-profile <name> opon-tlvs
show network profiles lldp-profile <name> opon-tlvs management-address
show network profiles lldp-profile <name> opon-tlvs management-address iplist
show network profiles lldp-profile <name> opon-tlvs management-address iplist <name>
show network profiles lldp-profile <name> opon-tlvs management-address iplist <name>
show network profiles bfd-profile
show network profiles bfd-profile <name>
show network profiles bfd-profile <name> mulhop
show network interface
show network interface ethernet
show network interface ethernet <name>
show network interface ethernet <name>
show network interface ethernet <name> tap
show network interface ethernet <name> ha
show network interface ethernet <name> decrypt-mirror
show network interface ethernet <name> virtual-wire
show network interface ethernet <name> virtual-wire units
show network interface ethernet <name> virtual-wire units <name>
show network interface ethernet <name> virtual-wire lldp
show network interface ethernet <name> virtual-wire lldp high-availability
show network interface ethernet <name> virtual-wire lacp
show network interface ethernet <name> virtual-wire lacp high-availability
show network interface ethernet <name> layer2
show network interface ethernet <name> layer2 units
show network interface ethernet <name> layer2 units <name>
show network interface ethernet <name> layer2 lldp
show network interface ethernet <name> layer2 lldp high-availability

PAN-OS CLI Quick Start Version Version 10.1 300 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network interface ethernet <name> layer3

show network interface ethernet <name> layer3 bonjour
show network interface ethernet <name> layer3 adjust-tcp-mss
show network interface ethernet <name> layer3 ip
show network interface ethernet <name> layer3 ip <name>
show network interface ethernet <name> layer3 ipv6
show network interface ethernet <name> layer3 ipv6 address
show network interface ethernet <name> layer3 ipv6 address <name>
show network interface ethernet <name> layer3 ipv6 address <name> prefix
show network interface ethernet <name> layer3 ipv6 address <name> anycast
show network interface ethernet <name> layer3 ipv6 address <name> adverse
show network interface ethernet <name> layer3 ipv6 neighbor-discovery
show network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
show network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
dns-support
show network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
dns-support server
show network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
dns-support server <name>
show network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
dns-support suffix
show network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
dns-support suffix <name>
show network interface ethernet <name> layer3 ipv6 neighbor-discovery neighbor
show network interface ethernet <name> layer3 ipv6 neighbor-discovery neighbor <name>
show network interface ethernet <name> layer3 pppoe
show network interface ethernet <name> layer3 pppoe stac-address
show network interface ethernet <name> layer3 pppoe passive
show network interface ethernet <name> layer3 dhcp-client
show network interface ethernet <name> layer3 dhcp-client send-hostname
show network interface ethernet <name> layer3 ddns-config
show network interface ethernet <name> layer3 ddns-config ddns-vendor-config
show network interface ethernet <name> layer3 ddns-config ddns-vendor-config <name>
show network interface ethernet <name> layer3 arp
show network interface ethernet <name> layer3 arp <name>

PAN-OS CLI Quick Start Version Version 10.1 301 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network interface ethernet <name> layer3 ndp-proxy

show network interface ethernet <name> layer3 ndp-proxy address
show network interface ethernet <name> layer3 ndp-proxy address <name>
show network interface ethernet <name> layer3 sdwan-link-sengs
show network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat
show network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat
show network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat stac-ip
show network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat stac-ip
show network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat ddns
show network interface ethernet <name> layer3 units
show network interface ethernet <name> layer3 units <name>
show network interface ethernet <name> layer3 units <name> sdwan-link-sengs
show network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
show network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
show network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
stac-ip
show network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
stac-ip
show network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
ddns
show network interface ethernet <name> layer3 units <name> bonjour
show network interface ethernet <name> layer3 units <name> adjust-tcp-mss
show network interface ethernet <name> layer3 units <name> ip
show network interface ethernet <name> layer3 units <name> ip <name>
show network interface ethernet <name> layer3 units <name> ipv6
show network interface ethernet <name> layer3 units <name> ipv6 address
show network interface ethernet <name> layer3 units <name> ipv6 address <name>
show network interface ethernet <name> layer3 units <name> ipv6 address <name> prefix
show network interface ethernet <name> layer3 units <name> ipv6 address <name> anycast
show network interface ethernet <name> layer3 units <name> ipv6 address <name> adverse
show network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery
show network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement
show network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support

PAN-OS CLI Quick Start Version Version 10.1 302 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support server
show network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support server <name>
show network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support suffix
show network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support suffix <name>
show network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery neighbor
show network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery neighbor
<name>
show network interface ethernet <name> layer3 units <name> arp
show network interface ethernet <name> layer3 units <name> arp <name>
show network interface ethernet <name> layer3 units <name> ndp-proxy
show network interface ethernet <name> layer3 units <name> ndp-proxy address
show network interface ethernet <name> layer3 units <name> ndp-proxy address <name>
show network interface ethernet <name> layer3 units <name> dhcp-client
show network interface ethernet <name> layer3 units <name> dhcp-client send-hostname
show network interface ethernet <name> layer3 units <name> ddns-config
show network interface ethernet <name> layer3 units <name> ddns-config ddns-vendor-config
show network interface ethernet <name> layer3 units <name> ddns-config ddns-vendor-config
<name>
show network interface ethernet <name> layer3 lldp
show network interface ethernet <name> layer3 lldp high-availability
show network interface ethernet <name> lacp
show network interface aggregate-ethernet
show network interface aggregate-ethernet <name>
show network interface aggregate-ethernet <name>
show network interface aggregate-ethernet <name> ha
show network interface aggregate-ethernet <name> ha lacp
show network interface aggregate-ethernet <name> decrypt-mirror
show network interface aggregate-ethernet <name> virtual-wire
show network interface aggregate-ethernet <name> virtual-wire units
show network interface aggregate-ethernet <name> virtual-wire units <name>
show network interface aggregate-ethernet <name> virtual-wire lldp

PAN-OS CLI Quick Start Version Version 10.1 303 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network interface aggregate-ethernet <name> virtual-wire lldp high-availability

show network interface aggregate-ethernet <name> layer2
show network interface aggregate-ethernet <name> layer2 units
show network interface aggregate-ethernet <name> layer2 units <name>
show network interface aggregate-ethernet <name> layer2 lacp
show network interface aggregate-ethernet <name> layer2 lacp high-availability
show network interface aggregate-ethernet <name> layer2 lacp high-availability use-same-
system-mac
show network interface aggregate-ethernet <name> layer2 lldp
show network interface aggregate-ethernet <name> layer2 lldp high-availability
show network interface aggregate-ethernet <name> layer3
show network interface aggregate-ethernet <name> layer3 bonjour
show network interface aggregate-ethernet <name> layer3 adjust-tcp-mss
show network interface aggregate-ethernet <name> layer3 ip
show network interface aggregate-ethernet <name> layer3 ip <name>
show network interface aggregate-ethernet <name> layer3 ipv6
show network interface aggregate-ethernet <name> layer3 ipv6 address
show network interface aggregate-ethernet <name> layer3 ipv6 address <name>
show network interface aggregate-ethernet <name> layer3 ipv6 address <name> prefix
show network interface aggregate-ethernet <name> layer3 ipv6 address <name> anycast
show network interface aggregate-ethernet <name> layer3 ipv6 address <name> adverse
show network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery
show network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement
show network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement dns-support
show network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement dns-support server
show network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement dns-support server <name>
show network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement dns-support suffix
show network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement dns-support suffix <name>
show network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery neighbor

PAN-OS CLI Quick Start Version Version 10.1 304 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery neighbor

<name>
show network interface aggregate-ethernet <name> layer3 lacp
show network interface aggregate-ethernet <name> layer3 lacp high-availability
show network interface aggregate-ethernet <name> layer3 lacp high-availability use-same-
system-mac
show network interface aggregate-ethernet <name> layer3 lldp
show network interface aggregate-ethernet <name> layer3 lldp high-availability
show network interface aggregate-ethernet <name> layer3 arp
show network interface aggregate-ethernet <name> layer3 arp <name>
show network interface aggregate-ethernet <name> layer3 ndp-proxy
show network interface aggregate-ethernet <name> layer3 ndp-proxy address
show network interface aggregate-ethernet <name> layer3 ndp-proxy address <name>
show network interface aggregate-ethernet <name> layer3 dhcp-client
show network interface aggregate-ethernet <name> layer3 dhcp-client send-hostname
show network interface aggregate-ethernet <name> layer3 ddns-config
show network interface aggregate-ethernet <name> layer3 ddns-config ddns-vendor-config
show network interface aggregate-ethernet <name> layer3 ddns-config ddns-vendor-config
<name>
show network interface aggregate-ethernet <name> layer3 sdwan-link-sengs
show network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat
show network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat
show network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat
stac-ip
show network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat
stac-ip
show network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat
ddns
show network interface aggregate-ethernet <name> layer3 units
show network interface aggregate-ethernet <name> layer3 units <name>
show network interface aggregate-ethernet <name> layer3 units <name> bonjour
show network interface aggregate-ethernet <name> layer3 units <name> adjust-tcp-mss
show network interface aggregate-ethernet <name> layer3 units <name> ip
show network interface aggregate-ethernet <name> layer3 units <name> ip <name>
show network interface aggregate-ethernet <name> layer3 units <name> ipv6

PAN-OS CLI Quick Start Version Version 10.1 305 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network interface aggregate-ethernet <name> layer3 units <name> ipv6 address
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
prefix
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
anycast
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
adverse
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support server
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support server <name>
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support suffix
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support suffix <name>
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
neighbor
show network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
neighbor <name>
show network interface aggregate-ethernet <name> layer3 units <name> arp
show network interface aggregate-ethernet <name> layer3 units <name> arp <name>
show network interface aggregate-ethernet <name> layer3 units <name> ndp-proxy
show network interface aggregate-ethernet <name> layer3 units <name> ndp-proxy address
show network interface aggregate-ethernet <name> layer3 units <name> ndp-proxy address
<name>
show network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
show network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
upstream-nat
show network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
upstream-nat
show network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
upstream-nat stac-ip

PAN-OS CLI Quick Start Version Version 10.1 306 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs

upstream-nat stac-ip
show network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
upstream-nat ddns
show network interface aggregate-ethernet <name> layer3 units <name> dhcp-client
show network interface aggregate-ethernet <name> layer3 units <name> dhcp-client send-
hostname
show network interface aggregate-ethernet <name> layer3 units <name> ddns-config
show network interface aggregate-ethernet <name> layer3 units <name> ddns-config ddns-
vendor-config
show network interface aggregate-ethernet <name> layer3 units <name> ddns-config ddns-
vendor-config <name>
show network interface vlan
show network interface vlan adjust-tcp-mss
show network interface vlan ip
show network interface vlan ip <name>
show network interface vlan ipv6
show network interface vlan ipv6 address
show network interface vlan ipv6 address <name>
show network interface vlan ipv6 address <name> prefix
show network interface vlan ipv6 address <name> anycast
show network interface vlan ipv6 address <name> adverse
show network interface vlan ipv6 neighbor-discovery
show network interface vlan ipv6 neighbor-discovery router-adversement
show network interface vlan ipv6 neighbor-discovery router-adversement dns-support
show network interface vlan ipv6 neighbor-discovery router-adversement dns-support server
show network interface vlan ipv6 neighbor-discovery router-adversement dns-support server
<name>
show network interface vlan ipv6 neighbor-discovery router-adversement dns-support suffix
show network interface vlan ipv6 neighbor-discovery router-adversement dns-support suffix
<name>
show network interface vlan ipv6 neighbor-discovery neighbor
show network interface vlan ipv6 neighbor-discovery neighbor <name>
show network interface vlan arp
show network interface vlan arp <name>
show network interface vlan ndp-proxy

PAN-OS CLI Quick Start Version Version 10.1 307 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network interface vlan ndp-proxy address

show network interface vlan ndp-proxy address <name>
show network interface vlan dhcp-client
show network interface vlan dhcp-client send-hostname
show network interface vlan ddns-config
show network interface vlan ddns-config ddns-vendor-config
show network interface vlan ddns-config ddns-vendor-config <name>
show network interface vlan units
show network interface vlan units <name>
show network interface vlan units <name> adjust-tcp-mss
show network interface vlan units <name> ip
show network interface vlan units <name> ip <name>
show network interface vlan units <name> ipv6
show network interface vlan units <name> ipv6 address
show network interface vlan units <name> ipv6 address <name>
show network interface vlan units <name> ipv6 address <name> prefix
show network interface vlan units <name> ipv6 address <name> anycast
show network interface vlan units <name> ipv6 address <name> adverse
show network interface vlan units <name> ipv6 neighbor-discovery
show network interface vlan units <name> ipv6 neighbor-discovery router-adversement
show network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support
show network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support server
show network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support server <name>
show network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support suffix
show network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support suffix <name>
show network interface vlan units <name> ipv6 neighbor-discovery neighbor
show network interface vlan units <name> ipv6 neighbor-discovery neighbor <name>
show network interface vlan units <name> arp
show network interface vlan units <name> arp <name>
show network interface vlan units <name> ndp-proxy

PAN-OS CLI Quick Start Version Version 10.1 308 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network interface vlan units <name> ndp-proxy address

show network interface vlan units <name> ndp-proxy address <name>
show network interface vlan units <name> dhcp-client
show network interface vlan units <name> dhcp-client send-hostname
show network interface vlan units <name> ddns-config
show network interface vlan units <name> ddns-config ddns-vendor-config
show network interface vlan units <name> ddns-config ddns-vendor-config <name>
show network interface loopback
show network interface loopback adjust-tcp-mss
show network interface loopback ip
show network interface loopback ip <name>
show network interface loopback ipv6
show network interface loopback ipv6 address
show network interface loopback ipv6 address <name>
show network interface loopback ipv6 address <name> prefix
show network interface loopback ipv6 address <name> anycast
show network interface loopback units
show network interface loopback units <name>
show network interface loopback units <name> adjust-tcp-mss
show network interface loopback units <name> ip
show network interface loopback units <name> ip <name>
show network interface loopback units <name> ipv6
show network interface loopback units <name> ipv6 address
show network interface loopback units <name> ipv6 address <name>
show network interface loopback units <name> ipv6 address <name> prefix
show network interface loopback units <name> ipv6 address <name> anycast
show network interface tunnel
show network interface tunnel ip
show network interface tunnel ip <name>
show network interface tunnel ipv6
show network interface tunnel ipv6 address
show network interface tunnel ipv6 address <name>
show network interface tunnel ipv6 address <name> prefix

PAN-OS CLI Quick Start Version Version 10.1 309 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network interface tunnel ipv6 address <name> anycast

show network interface tunnel units
show network interface tunnel units <name>
show network interface tunnel units <name> ip
show network interface tunnel units <name> ip <name>
show network interface tunnel units <name> ipv6
show network interface tunnel units <name> ipv6 address
show network interface tunnel units <name> ipv6 address <name>
show network interface tunnel units <name> ipv6 address <name> prefix
show network interface tunnel units <name> ipv6 address <name> anycast
show network interface sdwan
show network interface sdwan units
show network interface sdwan units <name>
show network ike
show network ike gateway
show network ike gateway <name>
show network ike gateway <name> peer-address
show network ike gateway <name> peer-address dynamic
show network ike gateway <name> local-address
show network ike gateway <name> local-address
show network ike gateway <name> peer-id
show network ike gateway <name> local-id
show network ike gateway <name> authencaon
show network ike gateway <name> authencaon pre-shared-key
show network ike gateway <name> authencaon cerficate
show network ike gateway <name> authencaon cerficate local-cerficate
show network ike gateway <name> authencaon cerficate local-cerficate hash-and-url
show network ike gateway <name> protocol
show network ike gateway <name> protocol ikev1
show network ike gateway <name> protocol ikev1 dpd
show network ike gateway <name> protocol ikev2
show network ike gateway <name> protocol ikev2 dpd
show network ike gateway <name> protocol-common

PAN-OS CLI Quick Start Version Version 10.1 310 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network ike gateway <name> protocol-common nat-traversal

show network ike gateway <name> protocol-common fragmentaon
show network ike crypto-profiles
show network ike crypto-profiles ike-crypto-profiles
show network ike crypto-profiles ike-crypto-profiles <name>
show network ike crypto-profiles ike-crypto-profiles <name> lifeme
show network ike crypto-profiles ipsec-crypto-profiles
show network ike crypto-profiles ipsec-crypto-profiles <name>
show network ike crypto-profiles ipsec-crypto-profiles <name>
show network ike crypto-profiles ipsec-crypto-profiles <name> esp
show network ike crypto-profiles ipsec-crypto-profiles <name> ah
show network ike crypto-profiles ipsec-crypto-profiles <name> lifeme
show network ike crypto-profiles ipsec-crypto-profiles <name> lifesize
show network ike crypto-profiles global-protect-app-crypto-profiles
show network ike crypto-profiles global-protect-app-crypto-profiles <name>
show network tunnel
show network tunnel gre
show network tunnel gre <name>
show network tunnel gre <name> local-address
show network tunnel gre <name> local-address
show network tunnel gre <name> peer-address
show network tunnel gre <name> keep-alive
show network tunnel ipsec
show network tunnel ipsec <name>
show network tunnel ipsec <name> tunnel-monitor
show network tunnel ipsec <name>
show network tunnel ipsec <name> auto-key
show network tunnel ipsec <name> auto-key ike-gateway
show network tunnel ipsec <name> auto-key ike-gateway <name>
show network tunnel ipsec <name> auto-key proxy-id
show network tunnel ipsec <name> auto-key proxy-id <name>
show network tunnel ipsec <name> auto-key proxy-id <name> protocol
show network tunnel ipsec <name> auto-key proxy-id <name> protocol any

PAN-OS CLI Quick Start Version Version 10.1 311 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network tunnel ipsec <name> auto-key proxy-id <name> protocol tcp
show network tunnel ipsec <name> auto-key proxy-id <name> protocol udp
show network tunnel ipsec <name> auto-key proxy-id-v6
show network tunnel ipsec <name> auto-key proxy-id-v6 <name>
show network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol
show network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol any
show network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol tcp
show network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol udp
show network tunnel ipsec <name> manual-key
show network tunnel ipsec <name> manual-key peer-address
show network tunnel ipsec <name> manual-key local-address
show network tunnel ipsec <name> manual-key local-address
show network tunnel ipsec <name> manual-key
show network tunnel ipsec <name> manual-key esp
show network tunnel ipsec <name> manual-key esp authencaon
show network tunnel ipsec <name> manual-key esp authencaon
show network tunnel ipsec <name> manual-key esp authencaon md5
show network tunnel ipsec <name> manual-key esp authencaon sha1
show network tunnel ipsec <name> manual-key esp authencaon sha256
show network tunnel ipsec <name> manual-key esp authencaon sha384
show network tunnel ipsec <name> manual-key esp authencaon sha512
show network tunnel ipsec <name> manual-key esp authencaon none
show network tunnel ipsec <name> manual-key esp encrypon
show network tunnel ipsec <name> manual-key ah
show network tunnel ipsec <name> manual-key ah
show network tunnel ipsec <name> manual-key ah md5
show network tunnel ipsec <name> manual-key ah sha1
show network tunnel ipsec <name> manual-key ah sha256
show network tunnel ipsec <name> manual-key ah sha384
show network tunnel ipsec <name> manual-key ah sha512
show network tunnel ipsec <name> global-protect-satellite
show network tunnel ipsec <name> global-protect-satellite local-address
show network tunnel ipsec <name> global-protect-satellite local-address

PAN-OS CLI Quick Start Version Version 10.1 312 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network tunnel ipsec <name> global-protect-satellite local-address ip

show network tunnel ipsec <name> global-protect-satellite local-address floang-ip
show network tunnel ipsec <name> global-protect-satellite publish-connected-routes
show network tunnel ipsec <name> global-protect-satellite external-ca
show network tunnel global-protect-gateway
show network tunnel global-protect-gateway <name>
show network tunnel global-protect-gateway <name> local-address
show network tunnel global-protect-gateway <name> local-address
show network tunnel global-protect-gateway <name> local-address ip
show network tunnel global-protect-gateway <name> local-address floang-ip
show network tunnel global-protect-gateway <name> ipsec
show network tunnel global-protect-gateway <name> ipsec third-party-client
show network tunnel global-protect-gateway <name> client
show network tunnel global-protect-gateway <name> client inheritance
show network tunnel global-protect-gateway <name> client dns-server
show network tunnel global-protect-gateway <name> client wins-server
show network tunnel global-protect-gateway <name> client exclude-video-traffic
show network tunnel global-protect-site-to-site
show network tunnel global-protect-site-to-site <name>
show network tunnel global-protect-site-to-site <name> local-address
show network tunnel global-protect-site-to-site <name> local-address
show network tunnel global-protect-site-to-site <name> local-address ip
show network tunnel global-protect-site-to-site <name> local-address floang-ip
show network tunnel global-protect-site-to-site <name> client
show network tunnel global-protect-site-to-site <name> client inheritance
show network tunnel global-protect-site-to-site <name> client dns-server
show network tunnel global-protect-site-to-site <name> client split-tunneling
show network tunnel global-protect-site-to-site <name> client tunnel-monitor
show network vlan
show network vlan <name>
show network vlan <name> mac
show network vlan <name> mac <name>
show network vlan <name> virtual-interface

PAN-OS CLI Quick Start Version Version 10.1 313 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network qos

show network qos profile
show network qos profile <name>
show network qos profile <name> aggregate-bandwidth
show network qos profile <name> class-bandwidth-type
show network qos profile <name> class-bandwidth-type mbps
show network qos profile <name> class-bandwidth-type mbps class
show network qos profile <name> class-bandwidth-type mbps class <name>
show network qos profile <name> class-bandwidth-type mbps class <name> class-bandwidth
show network qos profile <name> class-bandwidth-type percentage
show network qos profile <name> class-bandwidth-type percentage class
show network qos profile <name> class-bandwidth-type percentage class <name>
show network qos profile <name> class-bandwidth-type percentage class <name> class-
bandwidth
show network qos interface
show network qos interface <name>
show network qos interface <name> interface-bandwidth
show network qos interface <name> tunnel-traffic
show network qos interface <name> tunnel-traffic groups
show network qos interface <name> tunnel-traffic groups <name>
show network qos interface <name> tunnel-traffic groups <name> members
show network qos interface <name> tunnel-traffic groups <name> members <name>
show network qos interface <name> tunnel-traffic default-group
show network qos interface <name> tunnel-traffic bandwidth
show network qos interface <name> regular-traffic
show network qos interface <name> regular-traffic groups
show network qos interface <name> regular-traffic groups <name>
show network qos interface <name> regular-traffic groups <name> members
show network qos interface <name> regular-traffic groups <name> members <name>
show network qos interface <name> regular-traffic groups <name> members <name> match
show network qos interface <name> regular-traffic groups <name> members <name> match local-
address
show network qos interface <name> regular-traffic default-group
show network qos interface <name> regular-traffic bandwidth

PAN-OS CLI Quick Start Version Version 10.1 314 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-wire

show network virtual-wire <name>
show network virtual-wire <name> mulcast-firewalling
show network virtual-wire <name> link-state-pass-through
show network virtual-router
show network virtual-router <name>
show network virtual-router <name> roung-table
show network virtual-router <name> roung-table ip
show network virtual-router <name> roung-table ip stac-route
show network virtual-router <name> roung-table ip stac-route <name>
show network virtual-router <name> roung-table ip stac-route <name> nexthop
show network virtual-router <name> roung-table ip stac-route <name> nexthop discard
show network virtual-router <name> roung-table ip stac-route <name> route-table
show network virtual-router <name> roung-table ip stac-route <name> route-table
show network virtual-router <name> roung-table ip stac-route <name> route-table unicast
show network virtual-router <name> roung-table ip stac-route <name> route-table mulcast
show network virtual-router <name> roung-table ip stac-route <name> route-table both
show network virtual-router <name> roung-table ip stac-route <name> route-table no-install
show network virtual-router <name> roung-table ip stac-route <name> bfd
show network virtual-router <name> roung-table ip stac-route <name> path-monitor
show network virtual-router <name> roung-table ip stac-route <name> path-monitor monitor-
desnaons
show network virtual-router <name> roung-table ip stac-route <name> path-monitor monitor-
desnaons <name>
show network virtual-router <name> roung-table ipv6
show network virtual-router <name> roung-table ipv6 stac-route
show network virtual-router <name> roung-table ipv6 stac-route <name>
show network virtual-router <name> roung-table ipv6 stac-route <name> nexthop
show network virtual-router <name> roung-table ipv6 stac-route <name> nexthop discard
show network virtual-router <name> roung-table ipv6 stac-route <name> route-table
show network virtual-router <name> roung-table ipv6 stac-route <name> route-table
show network virtual-router <name> roung-table ipv6 stac-route <name> route-table unicast
show network virtual-router <name> roung-table ipv6 stac-route <name> route-table no-install
show network virtual-router <name> roung-table ipv6 stac-route <name> bfd

PAN-OS CLI Quick Start Version Version 10.1 315 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor

show network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor
monitor-desnaons
show network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor
monitor-desnaons <name>
show network virtual-router <name> mulcast
show network virtual-router <name> mulcast interface-group
show network virtual-router <name> mulcast interface-group <name>
show network virtual-router <name> mulcast interface-group <name> group-permission
show network virtual-router <name> mulcast interface-group <name> group-permission any-
source-mulcast
show network virtual-router <name> mulcast interface-group <name> group-permission any-
source-mulcast <name>
show network virtual-router <name> mulcast interface-group <name> group-permission source-
specific-mulcast
show network virtual-router <name> mulcast interface-group <name> group-permission source-
specific-mulcast <name>
show network virtual-router <name> mulcast interface-group <name> igmp
show network virtual-router <name> mulcast interface-group <name> pim
show network virtual-router <name> mulcast interface-group <name> pim allowed-neighbors
show network virtual-router <name> mulcast interface-group <name> pim allowed-neighbors
<name>
show network virtual-router <name> mulcast ssm-address-space
show network virtual-router <name> mulcast ssm-address-space <name>
show network virtual-router <name> mulcast spt-threshold
show network virtual-router <name> mulcast spt-threshold <name>
show network virtual-router <name> mulcast rp
show network virtual-router <name> mulcast rp local-rp
show network virtual-router <name> mulcast rp local-rp
show network virtual-router <name> mulcast rp local-rp stac-rp
show network virtual-router <name> mulcast rp local-rp candidate-rp
show network virtual-router <name> mulcast rp external-rp
show network virtual-router <name> mulcast rp external-rp <name>
show network virtual-router <name> protocol
show network virtual-router <name> protocol redist-profile
show network virtual-router <name> protocol redist-profile <name>

PAN-OS CLI Quick Start Version Version 10.1 316 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> protocol redist-profile <name> filter

show network virtual-router <name> protocol redist-profile <name> filter ospf
show network virtual-router <name> protocol redist-profile <name> filter bgp
show network virtual-router <name> protocol redist-profile <name> acon
show network virtual-router <name> protocol redist-profile <name> acon no-redist
show network virtual-router <name> protocol redist-profile <name> acon redist
show network virtual-router <name> protocol redist-profile-ipv6
show network virtual-router <name> protocol redist-profile-ipv6 <name>
show network virtual-router <name> protocol redist-profile-ipv6 <name> filter
show network virtual-router <name> protocol redist-profile-ipv6 <name> filter ospfv3
show network virtual-router <name> protocol redist-profile-ipv6 <name> filter bgp
show network virtual-router <name> protocol redist-profile-ipv6 <name> acon
show network virtual-router <name> protocol redist-profile-ipv6 <name> acon no-redist
show network virtual-router <name> protocol redist-profile-ipv6 <name> acon redist
show network virtual-router <name> protocol rip
show network virtual-router <name> protocol rip mers
show network virtual-router <name> protocol rip auth-profile
show network virtual-router <name> protocol rip auth-profile <name>
show network virtual-router <name> protocol rip auth-profile <name>
show network virtual-router <name> protocol rip auth-profile <name> md5
show network virtual-router <name> protocol rip auth-profile <name> md5 <name>
show network virtual-router <name> protocol rip global-bfd
show network virtual-router <name> protocol rip interface
show network virtual-router <name> protocol rip interface <name>
show network virtual-router <name> protocol rip interface <name> default-route
show network virtual-router <name> protocol rip interface <name> default-route disable
show network virtual-router <name> protocol rip interface <name> default-route adverse
show network virtual-router <name> protocol rip interface <name> bfd
show network virtual-router <name> protocol rip export-rules
show network virtual-router <name> protocol rip export-rules <name>
show network virtual-router <name> protocol ospf
show network virtual-router <name> protocol ospf mers
show network virtual-router <name> protocol ospf auth-profile

PAN-OS CLI Quick Start Version Version 10.1 317 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> protocol ospf auth-profile <name>

show network virtual-router <name> protocol ospf auth-profile <name>
show network virtual-router <name> protocol ospf auth-profile <name> md5
show network virtual-router <name> protocol ospf auth-profile <name> md5 <name>
show network virtual-router <name> protocol ospf global-bfd
show network virtual-router <name> protocol ospf area
show network virtual-router <name> protocol ospf area <name>
show network virtual-router <name> protocol ospf area <name> type
show network virtual-router <name> protocol ospf area <name> type normal
show network virtual-router <name> protocol ospf area <name> type stub
show network virtual-router <name> protocol ospf area <name> type stub default-route
show network virtual-router <name> protocol ospf area <name> type stub default-route disable
show network virtual-router <name> protocol ospf area <name> type stub default-route adverse
show network virtual-router <name> protocol ospf area <name> type nssa
show network virtual-router <name> protocol ospf area <name> type nssa default-route
show network virtual-router <name> protocol ospf area <name> type nssa default-route disable
show network virtual-router <name> protocol ospf area <name> type nssa default-route adverse
show network virtual-router <name> protocol ospf area <name> type nssa nssa-ext-range
show network virtual-router <name> protocol ospf area <name> type nssa nssa-ext-range
<name>
show network virtual-router <name> protocol ospf area <name> type nssa nssa-ext-range
<name>
show network virtual-router <name> protocol ospf area <name> type nssa nssa-ext-range
<name> adverse
show network virtual-router <name> protocol ospf area <name> type nssa nssa-ext-range
<name> suppress
show network virtual-router <name> protocol ospf area <name> range
show network virtual-router <name> protocol ospf area <name> range <name>
show network virtual-router <name> protocol ospf area <name> range <name>
show network virtual-router <name> protocol ospf area <name> range <name> adverse
show network virtual-router <name> protocol ospf area <name> range <name> suppress
show network virtual-router <name> protocol ospf area <name> interface
show network virtual-router <name> protocol ospf area <name> interface <name>
show network virtual-router <name> protocol ospf area <name> interface <name> link-type

PAN-OS CLI Quick Start Version Version 10.1 318 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> protocol ospf area <name> interface <name> link-type
broadcast
show network virtual-router <name> protocol ospf area <name> interface <name> link-type p2p
show network virtual-router <name> protocol ospf area <name> interface <name> link-type p2mp
show network virtual-router <name> protocol ospf area <name> interface <name> neighbor
show network virtual-router <name> protocol ospf area <name> interface <name> neighbor
<name>
show network virtual-router <name> protocol ospf area <name> interface <name> bfd
show network virtual-router <name> protocol ospf area <name> virtual-link
show network virtual-router <name> protocol ospf area <name> virtual-link <name>
show network virtual-router <name> protocol ospf area <name> virtual-link <name> bfd
show network virtual-router <name> protocol ospf export-rules
show network virtual-router <name> protocol ospf export-rules <name>
show network virtual-router <name> protocol ospf graceful-restart
show network virtual-router <name> protocol ospfv3
show network virtual-router <name> protocol ospfv3 mers
show network virtual-router <name> protocol ospfv3 auth-profile
show network virtual-router <name> protocol ospfv3 auth-profile <name>
show network virtual-router <name> protocol ospfv3 auth-profile <name>
show network virtual-router <name> protocol ospfv3 auth-profile <name> esp
show network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
show network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
show network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
md5
show network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
sha1
show network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
sha256
show network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
sha384
show network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
sha512
show network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
none
show network virtual-router <name> protocol ospfv3 auth-profile <name> esp encrypon
show network virtual-router <name> protocol ospfv3 auth-profile <name> ah

PAN-OS CLI Quick Start Version Version 10.1 319 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> protocol ospfv3 auth-profile <name> ah

show network virtual-router <name> protocol ospfv3 auth-profile <name> ah md5
show network virtual-router <name> protocol ospfv3 auth-profile <name> ah sha1
show network virtual-router <name> protocol ospfv3 auth-profile <name> ah sha256
show network virtual-router <name> protocol ospfv3 auth-profile <name> ah sha384
show network virtual-router <name> protocol ospfv3 auth-profile <name> ah sha512
show network virtual-router <name> protocol ospfv3 global-bfd
show network virtual-router <name> protocol ospfv3 area
show network virtual-router <name> protocol ospfv3 area <name>
show network virtual-router <name> protocol ospfv3 area <name> type
show network virtual-router <name> protocol ospfv3 area <name> type normal
show network virtual-router <name> protocol ospfv3 area <name> type stub
show network virtual-router <name> protocol ospfv3 area <name> type stub default-route
show network virtual-router <name> protocol ospfv3 area <name> type stub default-route disable
show network virtual-router <name> protocol ospfv3 area <name> type stub default-route
adverse
show network virtual-router <name> protocol ospfv3 area <name> type nssa
show network virtual-router <name> protocol ospfv3 area <name> type nssa default-route
show network virtual-router <name> protocol ospfv3 area <name> type nssa default-route disable
show network virtual-router <name> protocol ospfv3 area <name> type nssa default-route
adverse
show network virtual-router <name> protocol ospfv3 area <name> type nssa nssa-ext-range
show network virtual-router <name> protocol ospfv3 area <name> type nssa nssa-ext-range
<name>
show network virtual-router <name> protocol ospfv3 area <name> type nssa nssa-ext-range
<name>
show network virtual-router <name> protocol ospfv3 area <name> type nssa nssa-ext-range
<name> adverse
show network virtual-router <name> protocol ospfv3 area <name> type nssa nssa-ext-range
<name> suppress
show network virtual-router <name> protocol ospfv3 area <name> range
show network virtual-router <name> protocol ospfv3 area <name> range <name>
show network virtual-router <name> protocol ospfv3 area <name> range <name>
show network virtual-router <name> protocol ospfv3 area <name> range <name> adverse
show network virtual-router <name> protocol ospfv3 area <name> range <name> suppress

PAN-OS CLI Quick Start Version Version 10.1 320 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> protocol ospfv3 area <name> interface

show network virtual-router <name> protocol ospfv3 area <name> interface <name>
show network virtual-router <name> protocol ospfv3 area <name> interface <name> link-type
show network virtual-router <name> protocol ospfv3 area <name> interface <name> link-type
broadcast
show network virtual-router <name> protocol ospfv3 area <name> interface <name> link-type
p2p
show network virtual-router <name> protocol ospfv3 area <name> interface <name> link-type
p2mp
show network virtual-router <name> protocol ospfv3 area <name> interface <name> neighbor
show network virtual-router <name> protocol ospfv3 area <name> interface <name> neighbor
<name>
show network virtual-router <name> protocol ospfv3 area <name> interface <name> bfd
show network virtual-router <name> protocol ospfv3 area <name> virtual-link
show network virtual-router <name> protocol ospfv3 area <name> virtual-link <name>
show network virtual-router <name> protocol ospfv3 area <name> virtual-link <name> bfd
show network virtual-router <name> protocol ospfv3 export-rules
show network virtual-router <name> protocol ospfv3 export-rules <name>
show network virtual-router <name> protocol ospfv3 graceful-restart
show network virtual-router <name> protocol bgp
show network virtual-router <name> protocol bgp roung-opons
show network virtual-router <name> protocol bgp roung-opons med
show network virtual-router <name> protocol bgp roung-opons graceful-restart
show network virtual-router <name> protocol bgp roung-opons aggregate
show network virtual-router <name> protocol bgp auth-profile
show network virtual-router <name> protocol bgp auth-profile <name>
show network virtual-router <name> protocol bgp dampening-profile
show network virtual-router <name> protocol bgp dampening-profile <name>
show network virtual-router <name> protocol bgp global-bfd
show network virtual-router <name> protocol bgp peer-group
show network virtual-router <name> protocol bgp peer-group <name>
show network virtual-router <name> protocol bgp peer-group <name> type
show network virtual-router <name> protocol bgp peer-group <name> type ibgp
show network virtual-router <name> protocol bgp peer-group <name> type ebgp-confed
show network virtual-router <name> protocol bgp peer-group <name> type ibgp-confed

PAN-OS CLI Quick Start Version Version 10.1 321 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> protocol bgp peer-group <name> type ebgp
show network virtual-router <name> protocol bgp peer-group <name> peer
show network virtual-router <name> protocol bgp peer-group <name> peer <name>
show network virtual-router <name> protocol bgp peer-group <name> peer <name> subsequent-
address-family-idenfier
show network virtual-router <name> protocol bgp peer-group <name> peer <name> local-address
show network virtual-router <name> protocol bgp peer-group <name> peer <name> peer-address
show network virtual-router <name> protocol bgp peer-group <name> peer <name> peer-address
show network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons
show network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons incoming-bgp-connecon
show network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons outgoing-bgp-connecon
show network virtual-router <name> protocol bgp peer-group <name> peer <name> bfd
show network virtual-router <name> protocol bgp policy
show network virtual-router <name> protocol bgp policy import
show network virtual-router <name> protocol bgp policy import rules
show network virtual-router <name> protocol bgp policy import rules <name>
show network virtual-router <name> protocol bgp policy import rules <name> match
show network virtual-router <name> protocol bgp policy import rules <name> match address-
prefix
show network virtual-router <name> protocol bgp policy import rules <name> match address-
prefix <name>
show network virtual-router <name> protocol bgp policy import rules <name> match as-path
show network virtual-router <name> protocol bgp policy import rules <name> match as-path
show network virtual-router <name> protocol bgp policy import rules <name> match community
show network virtual-router <name> protocol bgp policy import rules <name> match community
show network virtual-router <name> protocol bgp policy import rules <name> match extended-
community
show network virtual-router <name> protocol bgp policy import rules <name> match extended-
community
show network virtual-router <name> protocol bgp policy import rules <name> acon
show network virtual-router <name> protocol bgp policy import rules <name> acon
show network virtual-router <name> protocol bgp policy import rules <name> acon deny
show network virtual-router <name> protocol bgp policy import rules <name> acon allow

PAN-OS CLI Quick Start Version Version 10.1 322 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update
show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update as-path
show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update as-path
show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update as-path none
show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update as-path remove
show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update community
show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update community
show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update community none
show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update community remove-all
show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update extended-community
show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update extended-community
show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update extended-community none
show network virtual-router <name> protocol bgp policy import rules <name> acon allow
update extended-community remove-all
show network virtual-router <name> protocol bgp policy export
show network virtual-router <name> protocol bgp policy export rules
show network virtual-router <name> protocol bgp policy export rules <name>
show network virtual-router <name> protocol bgp policy export rules <name> match
show network virtual-router <name> protocol bgp policy export rules <name> match address-
prefix
show network virtual-router <name> protocol bgp policy export rules <name> match address-
prefix <name>
show network virtual-router <name> protocol bgp policy export rules <name> match as-path
show network virtual-router <name> protocol bgp policy export rules <name> match as-path
show network virtual-router <name> protocol bgp policy export rules <name> match community
show network virtual-router <name> protocol bgp policy export rules <name> match community

PAN-OS CLI Quick Start Version Version 10.1 323 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> protocol bgp policy export rules <name> match extended-
community
show network virtual-router <name> protocol bgp policy export rules <name> match extended-
community
show network virtual-router <name> protocol bgp policy export rules <name> acon
show network virtual-router <name> protocol bgp policy export rules <name> acon
show network virtual-router <name> protocol bgp policy export rules <name> acon deny
show network virtual-router <name> protocol bgp policy export rules <name> acon allow
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
as-path
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
as-path
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
as-path none
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
as-path remove
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
community
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
community
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
community none
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
community remove-all
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
extended-community
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
extended-community
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
extended-community none
show network virtual-router <name> protocol bgp policy export rules <name> acon allow update
extended-community remove-all
show network virtual-router <name> protocol bgp policy condional-adversement
show network virtual-router <name> protocol bgp policy condional-adversement policy
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name>
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> non-exist-filters

PAN-OS CLI Quick Start Version Version 10.1 324 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> protocol bgp policy condional-adversement policy

<name> non-exist-filters <name>
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> non-exist-filters <name> match
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> non-exist-filters <name> match address-prefix
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> non-exist-filters <name> match address-prefix <name>
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> non-exist-filters <name> match as-path
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> non-exist-filters <name> match as-path
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> non-exist-filters <name> match community
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> non-exist-filters <name> match community
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> non-exist-filters <name> match extended-community
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> non-exist-filters <name> match extended-community
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> adverse-filters
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> adverse-filters <name>
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> adverse-filters <name> match
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> adverse-filters <name> match address-prefix
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> adverse-filters <name> match address-prefix <name>
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> adverse-filters <name> match as-path
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> adverse-filters <name> match as-path
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> adverse-filters <name> match community
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> adverse-filters <name> match community
show network virtual-router <name> protocol bgp policy condional-adversement policy
<name> adverse-filters <name> match extended-community

PAN-OS CLI Quick Start Version Version 10.1 325 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> protocol bgp policy condional-adversement policy

<name> adverse-filters <name> match extended-community
show network virtual-router <name> protocol bgp policy aggregaon
show network virtual-router <name> protocol bgp policy aggregaon address
show network virtual-router <name> protocol bgp policy aggregaon address <name>
show network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes
show network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes as-path
show network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes as-path
show network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes as-path none
show network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes community
show network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes community
show network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes community none
show network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes community remove-all
show network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes extended-community
show network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes extended-community
show network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes extended-community none
show network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes extended-community remove-all
show network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters
show network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name>
show network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match
show network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match address-prefix
show network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match address-prefix <name>

PAN-OS CLI Quick Start Version Version 10.1 326 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match as-path
show network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match as-path
show network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match community
show network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match community
show network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match extended-community
show network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match extended-community
show network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters
show network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name>
show network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match
show network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match address-prefix
show network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match address-prefix <name>
show network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match as-path
show network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match as-path
show network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match community
show network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match community
show network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match extended-community
show network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match extended-community
show network virtual-router <name> protocol bgp redist-rules
show network virtual-router <name> protocol bgp redist-rules <name>
show network virtual-router <name> admin-dists
show network virtual-router <name> ecmp
show network virtual-router <name> ecmp algorithm

PAN-OS CLI Quick Start Version Version 10.1 327 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network virtual-router <name> ecmp algorithm

show network virtual-router <name> ecmp algorithm ip-modulo
show network virtual-router <name> ecmp algorithm ip-hash
show network virtual-router <name> ecmp algorithm weighted-round-robin
show network virtual-router <name> ecmp algorithm weighted-round-robin interface
show network virtual-router <name> ecmp algorithm weighted-round-robin interface <name>
show network virtual-router <name> ecmp algorithm balanced-round-robin
show network logical-router
show network logical-router <name>
show network logical-router <name> vrf
show network logical-router <name> vrf <name>
show network logical-router <name> vrf <name> bgp
show network logical-router <name> vrf <name> bgp med
show network logical-router <name> vrf <name> bgp graceful-restart
show network logical-router <name> vrf <name> bgp peer-group
show network logical-router <name> vrf <name> bgp peer-group <name>
show network logical-router <name> vrf <name> bgp peer-group <name> type
show network logical-router <name> vrf <name> bgp peer-group <name> type ibgp
show network logical-router <name> vrf <name> bgp peer-group <name> type ebgp
show network logical-router <name> vrf <name> bgp peer-group <name> address-family
show network logical-router <name> vrf <name> bgp peer-group <name> address-family ipv4
show network logical-router <name> vrf <name> bgp peer-group <name> address-family ipv6
show network logical-router <name> vrf <name> bgp peer-group <name> connecon-opons
show network logical-router <name> vrf <name> bgp peer-group <name> peer
show network logical-router <name> vrf <name> bgp peer-group <name> peer <name>
show network logical-router <name> vrf <name> bgp peer-group <name> peer <name> address-
family
show network logical-router <name> vrf <name> bgp peer-group <name> peer <name> address-
family ipv4
show network logical-router <name> vrf <name> bgp peer-group <name> peer <name> address-
family ipv6
show network logical-router <name> vrf <name> bgp peer-group <name> peer <name> local-
address
show network logical-router <name> vrf <name> bgp peer-group <name> peer <name> peer-
address

PAN-OS CLI Quick Start Version Version 10.1 328 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network logical-router <name> vrf <name> bgp peer-group <name> peer <name> peer-
address
show network logical-router <name> vrf <name> bgp peer-group <name> peer <name>
connecon-opons
show network logical-router <name> vrf <name> bgp redistribuon-rule
show network logical-router <name> vrf <name> bgp redistribuon-rule ipv4
show network logical-router <name> vrf <name> bgp redistribuon-rule ipv6
show network logical-router <name> vrf <name> bgp address-family-idenfier
show network logical-router <name> vrf <name> bgp address-family-idenfier ipv4
show network logical-router <name> vrf <name> bgp address-family-idenfier ipv4 network
show network logical-router <name> vrf <name> bgp address-family-idenfier ipv4 network
<name>
show network logical-router <name> vrf <name> bgp address-family-idenfier ipv6
show network logical-router <name> vrf <name> bgp address-family-idenfier ipv6 network
show network logical-router <name> vrf <name> bgp address-family-idenfier ipv6 network
<name>
show network logical-router <name> vrf <name> roung-table
show network logical-router <name> vrf <name> roung-table ip
show network logical-router <name> vrf <name> roung-table ip stac-route
show network logical-router <name> vrf <name> roung-table ip stac-route <name>
show network logical-router <name> vrf <name> roung-table ip stac-route <name> nexthop
show network logical-router <name> vrf <name> roung-table ip stac-route <name> nexthop
discard
show network logical-router <name> vrf <name> roung-table ip stac-route <name> path-
monitor
show network logical-router <name> vrf <name> roung-table ip stac-route <name> path-
monitor monitor-desnaons
show network logical-router <name> vrf <name> roung-table ip stac-route <name> path-
monitor monitor-desnaons <name>
show network logical-router <name> vrf <name> roung-table ipv6
show network logical-router <name> vrf <name> roung-table ipv6 stac-route
show network logical-router <name> vrf <name> roung-table ipv6 stac-route <name>
show network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> nexthop
show network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> nexthop
discard
show network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor

PAN-OS CLI Quick Start Version Version 10.1 329 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor monitor-desnaons
show network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor monitor-desnaons <name>
show network logical-router <name> vrf <name> ecmp
show network logical-router <name> vrf <name> ecmp algorithm
show network logical-router <name> vrf <name> ecmp algorithm
show network logical-router <name> vrf <name> ecmp algorithm ip-modulo
show network logical-router <name> vrf <name> ecmp algorithm ip-hash
show network logical-router <name> vrf <name> ecmp algorithm weighted-round-robin
show network logical-router <name> vrf <name> ecmp algorithm weighted-round-robin interface
show network logical-router <name> vrf <name> ecmp algorithm weighted-round-robin interface
<name>
show network logical-router <name> vrf <name> ecmp algorithm balanced-round-robin
show network roung-profile
show network roung-profile bgp
show network roung-profile bgp auth-profile
show network roung-profile bgp auth-profile <name>
show network roung-profile bgp mer-profile
show network roung-profile bgp mer-profile <name>
show network roung-profile bgp address-family-profile
show network roung-profile bgp address-family-profile <name>
show network roung-profile bgp address-family-profile <name>
show network roung-profile bgp address-family-profile <name> ipv4
show network roung-profile bgp address-family-profile <name> ipv4
show network roung-profile bgp address-family-profile <name> ipv4 unicast
show network roung-profile bgp address-family-profile <name> ipv4 unicast add-path
show network roung-profile bgp address-family-profile <name> ipv4 unicast allowas-in
show network roung-profile bgp address-family-profile <name> ipv4 unicast allowas-in
show network roung-profile bgp address-family-profile <name> ipv4 unicast allowas-in origin
show network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix
show network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix
acon
show network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix
acon

PAN-OS CLI Quick Start Version Version 10.1 330 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix

acon warning-only
show network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix
acon restart
show network roung-profile bgp address-family-profile <name> ipv4 unicast next-hop
show network roung-profile bgp address-family-profile <name> ipv4 unicast next-hop
show network roung-profile bgp address-family-profile <name> ipv4 unicast next-hop self
show network roung-profile bgp address-family-profile <name> ipv4 unicast next-hop self-force
show network roung-profile bgp address-family-profile <name> ipv4 unicast remove-private-AS
show network roung-profile bgp address-family-profile <name> ipv4 unicast remove-private-AS
show network roung-profile bgp address-family-profile <name> ipv4 unicast remove-private-AS
all
show network roung-profile bgp address-family-profile <name> ipv4 unicast remove-private-AS
replace-AS
show network roung-profile bgp address-family-profile <name> ipv4 unicast send-community
show network roung-profile bgp address-family-profile <name> ipv4 unicast send-community
show network roung-profile bgp address-family-profile <name> ipv4 unicast send-community all
show network roung-profile bgp address-family-profile <name> ipv4 unicast send-community
both
show network roung-profile bgp address-family-profile <name> ipv4 unicast send-community
extended
show network roung-profile bgp address-family-profile <name> ipv4 unicast send-community
large
show network roung-profile bgp address-family-profile <name> ipv4 unicast send-community
standard
show network roung-profile bgp address-family-profile <name> ipv6
show network roung-profile bgp address-family-profile <name> ipv6
show network roung-profile bgp address-family-profile <name> ipv6 unicast
show network roung-profile bgp address-family-profile <name> ipv6 unicast add-path
show network roung-profile bgp address-family-profile <name> ipv6 unicast allowas-in
show network roung-profile bgp address-family-profile <name> ipv6 unicast allowas-in
show network roung-profile bgp address-family-profile <name> ipv6 unicast allowas-in origin
show network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix
show network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix
acon
show network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix
acon

PAN-OS CLI Quick Start Version Version 10.1 331 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix

acon warning-only
show network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix
acon restart
show network roung-profile bgp address-family-profile <name> ipv6 unicast next-hop
show network roung-profile bgp address-family-profile <name> ipv6 unicast next-hop
show network roung-profile bgp address-family-profile <name> ipv6 unicast next-hop self
show network roung-profile bgp address-family-profile <name> ipv6 unicast next-hop self-force
show network roung-profile bgp address-family-profile <name> ipv6 unicast remove-private-AS
show network roung-profile bgp address-family-profile <name> ipv6 unicast remove-private-AS
show network roung-profile bgp address-family-profile <name> ipv6 unicast remove-private-AS
all
show network roung-profile bgp address-family-profile <name> ipv6 unicast remove-private-AS
replace-AS
show network roung-profile bgp address-family-profile <name> ipv6 unicast send-community
show network roung-profile bgp address-family-profile <name> ipv6 unicast send-community
show network roung-profile bgp address-family-profile <name> ipv6 unicast send-community all
show network roung-profile bgp address-family-profile <name> ipv6 unicast send-community
both
show network roung-profile bgp address-family-profile <name> ipv6 unicast send-community
extended
show network roung-profile bgp address-family-profile <name> ipv6 unicast send-community
large
show network roung-profile bgp address-family-profile <name> ipv6 unicast send-community
standard
show network roung-profile bgp redistribuon-profile
show network roung-profile bgp redistribuon-profile <name>
show network roung-profile bgp redistribuon-profile <name>
show network roung-profile bgp redistribuon-profile <name> ipv4
show network roung-profile bgp redistribuon-profile <name> ipv4
show network roung-profile bgp redistribuon-profile <name> ipv4 unicast
show network roung-profile bgp redistribuon-profile <name> ipv4 unicast stac
show network roung-profile bgp redistribuon-profile <name> ipv4 unicast connected
show network roung-profile bgp redistribuon-profile <name> ipv6
show network roung-profile bgp redistribuon-profile <name> ipv6
show network roung-profile bgp redistribuon-profile <name> ipv6 unicast

PAN-OS CLI Quick Start Version Version 10.1 332 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network roung-profile bgp redistribuon-profile <name> ipv6 unicast stac

show network roung-profile bgp redistribuon-profile <name> ipv6 unicast connected
show network dns-proxy
show network dns-proxy <name>
show network dns-proxy <name> default
show network dns-proxy <name> default inheritance
show network dns-proxy <name> domain-servers
show network dns-proxy <name> domain-servers <name>
show network dns-proxy <name> cache
show network dns-proxy <name> cache max-l
show network dns-proxy <name> stac-entries
show network dns-proxy <name> stac-entries <name>
show network dns-proxy <name> tcp-queries
show network dns-proxy <name> udp-queries
show network dns-proxy <name> udp-queries retries
show network dhcp
show network dhcp interface
show network dhcp interface <name>
show network dhcp interface <name> server
show network dhcp interface <name> server opon
show network dhcp interface <name> server opon lease
show network dhcp interface <name> server opon lease unlimited
show network dhcp interface <name> server opon inheritance
show network dhcp interface <name> server opon dns
show network dhcp interface <name> server opon wins
show network dhcp interface <name> server opon nis
show network dhcp interface <name> server opon ntp
show network dhcp interface <name> server opon user-defined
show network dhcp interface <name> server opon user-defined <name>
show network dhcp interface <name> server opon user-defined <name>
show network dhcp interface <name> server reserved
show network dhcp interface <name> server reserved <name>
show network dhcp interface <name> relay

PAN-OS CLI Quick Start Version Version 10.1 333 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network dhcp interface <name> relay ip

show network dhcp interface <name> relay ipv6
show network dhcp interface <name> relay ipv6 server
show network dhcp interface <name> relay ipv6 server <name>
show network shared-gateway
show network shared-gateway <name>
show network shared-gateway <name> import
show network shared-gateway <name> import network
show network shared-gateway <name> zone
show network shared-gateway <name> zone <name>
show network shared-gateway <name> zone <name> network
show network shared-gateway <name> zone <name> network
show network shared-gateway <name> zone <name> user-acl
show network shared-gateway <name> address
show network shared-gateway <name> address <name>
show network shared-gateway <name> address <name>
show network shared-gateway <name> address-group
show network shared-gateway <name> address-group <name>
show network shared-gateway <name> address-group <name>
show network shared-gateway <name> address-group <name> dynamic
show network shared-gateway <name> service
show network shared-gateway <name> service <name>
show network shared-gateway <name> service <name> protocol
show network shared-gateway <name> service <name> protocol tcp
show network shared-gateway <name> service <name> protocol tcp override
show network shared-gateway <name> service <name> protocol tcp override no
show network shared-gateway <name> service <name> protocol tcp override yes
show network shared-gateway <name> service <name> protocol udp
show network shared-gateway <name> service <name> protocol udp override
show network shared-gateway <name> service <name> protocol udp override no
show network shared-gateway <name> service <name> protocol udp override yes
show network shared-gateway <name> service-group
show network shared-gateway <name> service-group <name>

PAN-OS CLI Quick Start Version Version 10.1 334 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network shared-gateway <name> tag

show network shared-gateway <name> tag <name>
show network shared-gateway <name> log-sengs
show network shared-gateway <name> log-sengs snmptrap
show network shared-gateway <name> log-sengs snmptrap <name>
show network shared-gateway <name> log-sengs snmptrap <name> version
show network shared-gateway <name> log-sengs snmptrap <name> version v2c
show network shared-gateway <name> log-sengs snmptrap <name> version v2c server
show network shared-gateway <name> log-sengs snmptrap <name> version v2c server <name>
show network shared-gateway <name> log-sengs snmptrap <name> version v3
show network shared-gateway <name> log-sengs snmptrap <name> version v3 server
show network shared-gateway <name> log-sengs snmptrap <name> version v3 server <name>
show network shared-gateway <name> log-sengs email
show network shared-gateway <name> log-sengs email <name>
show network shared-gateway <name> log-sengs email <name> server
show network shared-gateway <name> log-sengs email <name> server <name>
show network shared-gateway <name> log-sengs email <name> format
show network shared-gateway <name> log-sengs email <name> format escaping
show network shared-gateway <name> log-sengs syslog
show network shared-gateway <name> log-sengs syslog <name>
show network shared-gateway <name> log-sengs syslog <name> server
show network shared-gateway <name> log-sengs syslog <name> server <name>
show network shared-gateway <name> log-sengs syslog <name> format
show network shared-gateway <name> log-sengs syslog <name> format escaping
show network shared-gateway <name> log-sengs hp
show network shared-gateway <name> log-sengs hp <name>
show network shared-gateway <name> log-sengs hp <name> server
show network shared-gateway <name> log-sengs hp <name> server <name>
show network shared-gateway <name> log-sengs hp <name> format
show network shared-gateway <name> log-sengs hp <name> format config
show network shared-gateway <name> log-sengs hp <name> format config headers
show network shared-gateway <name> log-sengs hp <name> format config headers <name>
show network shared-gateway <name> log-sengs hp <name> format config params

PAN-OS CLI Quick Start Version Version 10.1 335 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network shared-gateway <name> log-sengs hp <name> format config params <name>
show network shared-gateway <name> log-sengs hp <name> format system
show network shared-gateway <name> log-sengs hp <name> format system headers
show network shared-gateway <name> log-sengs hp <name> format system headers <name>
show network shared-gateway <name> log-sengs hp <name> format system params
show network shared-gateway <name> log-sengs hp <name> format system params <name>
show network shared-gateway <name> log-sengs hp <name> format traffic
show network shared-gateway <name> log-sengs hp <name> format traffic headers
show network shared-gateway <name> log-sengs hp <name> format traffic headers <name>
show network shared-gateway <name> log-sengs hp <name> format traffic params
show network shared-gateway <name> log-sengs hp <name> format traffic params <name>
show network shared-gateway <name> log-sengs hp <name> format threat
show network shared-gateway <name> log-sengs hp <name> format threat headers
show network shared-gateway <name> log-sengs hp <name> format threat headers <name>
show network shared-gateway <name> log-sengs hp <name> format threat params
show network shared-gateway <name> log-sengs hp <name> format threat params <name>
show network shared-gateway <name> log-sengs hp <name> format wildfire
show network shared-gateway <name> log-sengs hp <name> format wildfire headers
show network shared-gateway <name> log-sengs hp <name> format wildfire headers <name>
show network shared-gateway <name> log-sengs hp <name> format wildfire params
show network shared-gateway <name> log-sengs hp <name> format wildfire params <name>
show network shared-gateway <name> log-sengs hp <name> format url
show network shared-gateway <name> log-sengs hp <name> format url headers
show network shared-gateway <name> log-sengs hp <name> format url headers <name>
show network shared-gateway <name> log-sengs hp <name> format url params
show network shared-gateway <name> log-sengs hp <name> format url params <name>
show network shared-gateway <name> log-sengs hp <name> format data
show network shared-gateway <name> log-sengs hp <name> format data headers
show network shared-gateway <name> log-sengs hp <name> format data headers <name>
show network shared-gateway <name> log-sengs hp <name> format data params
show network shared-gateway <name> log-sengs hp <name> format data params <name>
show network shared-gateway <name> log-sengs hp <name> format tunnel
show network shared-gateway <name> log-sengs hp <name> format tunnel headers

PAN-OS CLI Quick Start Version Version 10.1 336 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network shared-gateway <name> log-sengs hp <name> format tunnel headers <name>
show network shared-gateway <name> log-sengs hp <name> format tunnel params
show network shared-gateway <name> log-sengs hp <name> format tunnel params <name>
show network shared-gateway <name> log-sengs hp <name> format auth
show network shared-gateway <name> log-sengs hp <name> format auth headers
show network shared-gateway <name> log-sengs hp <name> format auth headers <name>
show network shared-gateway <name> log-sengs hp <name> format auth params
show network shared-gateway <name> log-sengs hp <name> format auth params <name>
show network shared-gateway <name> log-sengs hp <name> format userid
show network shared-gateway <name> log-sengs hp <name> format userid headers
show network shared-gateway <name> log-sengs hp <name> format userid headers <name>
show network shared-gateway <name> log-sengs hp <name> format userid params
show network shared-gateway <name> log-sengs hp <name> format userid params <name>
show network shared-gateway <name> log-sengs hp <name> format iptag
show network shared-gateway <name> log-sengs hp <name> format iptag headers
show network shared-gateway <name> log-sengs hp <name> format iptag headers <name>
show network shared-gateway <name> log-sengs hp <name> format iptag params
show network shared-gateway <name> log-sengs hp <name> format iptag params <name>
show network shared-gateway <name> log-sengs hp <name> format decrypon
show network shared-gateway <name> log-sengs hp <name> format decrypon headers
show network shared-gateway <name> log-sengs hp <name> format decrypon headers
<name>
show network shared-gateway <name> log-sengs hp <name> format decrypon params
show network shared-gateway <name> log-sengs hp <name> format decrypon params
<name>
show network shared-gateway <name> log-sengs hp <name> format globalprotect
show network shared-gateway <name> log-sengs hp <name> format globalprotect headers
show network shared-gateway <name> log-sengs hp <name> format globalprotect headers
<name>
show network shared-gateway <name> log-sengs hp <name> format globalprotect params
show network shared-gateway <name> log-sengs hp <name> format globalprotect params
<name>
show network shared-gateway <name> log-sengs hp <name> format hip-match
show network shared-gateway <name> log-sengs hp <name> format hip-match headers

PAN-OS CLI Quick Start Version Version 10.1 337 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network shared-gateway <name> log-sengs hp <name> format hip-match headers
<name>
show network shared-gateway <name> log-sengs hp <name> format hip-match params
show network shared-gateway <name> log-sengs hp <name> format hip-match params
<name>
show network shared-gateway <name> log-sengs hp <name> format correlaon
show network shared-gateway <name> log-sengs hp <name> format correlaon headers
show network shared-gateway <name> log-sengs hp <name> format correlaon headers
<name>
show network shared-gateway <name> log-sengs hp <name> format correlaon params
show network shared-gateway <name> log-sengs hp <name> format correlaon params
<name>
show network shared-gateway <name> log-sengs profiles
show network shared-gateway <name> log-sengs profiles <name>
show network shared-gateway <name> log-sengs profiles <name> match-list
show network shared-gateway <name> log-sengs profiles <name> match-list <name>
show network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
show network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name>
show network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type
show network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging
show network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging registraon
show network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging registraon localhost
show network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging registraon panorama
show network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging registraon remote
show network shared-gateway <name> rulebase
show network shared-gateway <name> rulebase nat
show network shared-gateway <name> rulebase nat rules
show network shared-gateway <name> rulebase nat rules <name>
show network shared-gateway <name> rulebase nat rules <name> source-translaon
show network shared-gateway <name> rulebase nat rules <name> source-translaon

PAN-OS CLI Quick Start Version Version 10.1 338 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip-
and-port
show network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip-
and-port
show network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip-
and-port interface-address
show network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip-
and-port interface-address
show network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
show network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
fallback
show network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
fallback
show network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
fallback interface-address
show network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
fallback interface-address
show network shared-gateway <name> rulebase nat rules <name> source-translaon stac-ip
show network shared-gateway <name> rulebase nat rules <name>
show network shared-gateway <name> rulebase nat rules <name> desnaon-translaon
show network shared-gateway <name> rulebase nat rules <name> desnaon-translaon
show network shared-gateway <name> rulebase nat rules <name> desnaon-translaon dns-
rewrite
show network shared-gateway <name> rulebase nat rules <name> dynamic-desnaon-
translaon
show network shared-gateway <name> rulebase pbf
show network shared-gateway <name> rulebase pbf rules
show network shared-gateway <name> rulebase pbf rules <name>
show network shared-gateway <name> rulebase pbf rules <name> from
show network shared-gateway <name> rulebase pbf rules <name> from
show network shared-gateway <name> rulebase pbf rules <name> acon
show network shared-gateway <name> rulebase pbf rules <name> acon
show network shared-gateway <name> rulebase pbf rules <name> acon forward
show network shared-gateway <name> rulebase pbf rules <name> acon forward nexthop
show network shared-gateway <name> rulebase pbf rules <name> acon forward nexthop
show network shared-gateway <name> rulebase pbf rules <name> acon forward monitor
show network shared-gateway <name> rulebase pbf rules <name> acon discard

PAN-OS CLI Quick Start Version Version 10.1 339 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show network shared-gateway <name> rulebase pbf rules <name> acon no-pbf
show network shared-gateway <name> rulebase pbf rules <name> enforce-symmetric-return
show network shared-gateway <name> rulebase pbf rules <name> enforce-symmetric-return
nexthop-address-list
show network shared-gateway <name> rulebase pbf rules <name> enforce-symmetric-return
nexthop-address-list <name>
show network shared-gateway <name> rulebase sdwan
show network shared-gateway <name> rulebase sdwan rules
show network shared-gateway <name> rulebase sdwan rules <name>
show network shared-gateway <name> rulebase sdwan rules <name> acon
show network shared-gateway <name> rulebase network-packet-broker
show network shared-gateway <name> rulebase network-packet-broker rules
show network shared-gateway <name> rulebase network-packet-broker rules <name>
show network shared-gateway <name> rulebase network-packet-broker rules <name> traffic-type
show network shared-gateway <name> rulebase network-packet-broker rules <name> acon
show network lldp
show network underlay-net
show network underlay-net ip-mapping
show network underlay-net ip-mapping <name>
show shared
show shared address
show shared address <name>
show shared address <name>
show shared address-group
show shared address-group <name>
show shared address-group <name>
show shared address-group <name> dynamic
show shared applicaon
show shared applicaon <name>
show shared applicaon <name> default
show shared applicaon <name> default ident-by-icmp-type
show shared applicaon <name> default ident-by-icmp6-type
show shared applicaon <name> signature
show shared applicaon <name> signature <name>

PAN-OS CLI Quick Start Version Version 10.1 340 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared applicaon <name> signature <name> and-condion

show shared applicaon <name> signature <name> and-condion <name>
show shared applicaon <name> signature <name> and-condion <name> or-condion
show shared applicaon <name> signature <name> and-condion <name> or-condion <name>
show shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator
show shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator paern-match
show shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator paern-match qualifier
show shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator paern-match qualifier <name>
show shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator greater-than
show shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator greater-than qualifier
show shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator greater-than qualifier <name>
show shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator less-than
show shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator less-than qualifier
show shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator less-than qualifier <name>
show shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator equal-to
show shared applicaon-filter
show shared applicaon-filter <name>
show shared applicaon-filter <name> tagging
show shared applicaon-group
show shared applicaon-group <name>
show shared service
show shared service <name>
show shared service <name> protocol
show shared service <name> protocol tcp
show shared service <name> protocol tcp override
show shared service <name> protocol tcp override no

PAN-OS CLI Quick Start Version Version 10.1 341 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared service <name> protocol tcp override yes

show shared service <name> protocol udp
show shared service <name> protocol udp override
show shared service <name> protocol udp override no
show shared service <name> protocol udp override yes
show shared service-group
show shared service-group <name>
show shared device-object
show shared device-object <name>
show shared profiles
show shared profiles hip-objects
show shared profiles hip-objects <name>
show shared profiles hip-objects <name> host-info
show shared profiles hip-objects <name> host-info criteria
show shared profiles hip-objects <name> host-info criteria domain
show shared profiles hip-objects <name> host-info criteria domain
show shared profiles hip-objects <name> host-info criteria os
show shared profiles hip-objects <name> host-info criteria os
show shared profiles hip-objects <name> host-info criteria os contains
show shared profiles hip-objects <name> host-info criteria os contains
show shared profiles hip-objects <name> host-info criteria client-version
show shared profiles hip-objects <name> host-info criteria client-version
show shared profiles hip-objects <name> host-info criteria host-name
show shared profiles hip-objects <name> host-info criteria host-name
show shared profiles hip-objects <name> host-info criteria host-id
show shared profiles hip-objects <name> host-info criteria host-id
show shared profiles hip-objects <name> host-info criteria serial-number
show shared profiles hip-objects <name> host-info criteria serial-number
show shared profiles hip-objects <name> network-info
show shared profiles hip-objects <name> network-info criteria
show shared profiles hip-objects <name> network-info criteria network
show shared profiles hip-objects <name> network-info criteria network is
show shared profiles hip-objects <name> network-info criteria network is wifi

PAN-OS CLI Quick Start Version Version 10.1 342 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared profiles hip-objects <name> network-info criteria network is mobile

show shared profiles hip-objects <name> network-info criteria network is unknown
show shared profiles hip-objects <name> network-info criteria network is-not
show shared profiles hip-objects <name> network-info criteria network is-not wifi
show shared profiles hip-objects <name> network-info criteria network is-not mobile
show shared profiles hip-objects <name> network-info criteria network is-not ethernet
show shared profiles hip-objects <name> network-info criteria network is-not unknown
show shared profiles hip-objects <name> patch-management
show shared profiles hip-objects <name> patch-management criteria
show shared profiles hip-objects <name> patch-management criteria missing-patches
show shared profiles hip-objects <name> patch-management criteria missing-patches severity
show shared profiles hip-objects <name> patch-management criteria missing-patches severity
show shared profiles hip-objects <name> patch-management vendor
show shared profiles hip-objects <name> patch-management vendor <name>
show shared profiles hip-objects <name> data-loss-prevenon
show shared profiles hip-objects <name> data-loss-prevenon criteria
show shared profiles hip-objects <name> data-loss-prevenon vendor
show shared profiles hip-objects <name> data-loss-prevenon vendor <name>
show shared profiles hip-objects <name> firewall
show shared profiles hip-objects <name> firewall criteria
show shared profiles hip-objects <name> firewall vendor
show shared profiles hip-objects <name> firewall vendor <name>
show shared profiles hip-objects <name> an-malware
show shared profiles hip-objects <name> an-malware criteria
show shared profiles hip-objects <name> an-malware criteria virdef-version
show shared profiles hip-objects <name> an-malware criteria virdef-version
show shared profiles hip-objects <name> an-malware criteria virdef-version within
show shared profiles hip-objects <name> an-malware criteria virdef-version not-within
show shared profiles hip-objects <name> an-malware criteria product-version
show shared profiles hip-objects <name> an-malware criteria product-version
show shared profiles hip-objects <name> an-malware criteria product-version within
show shared profiles hip-objects <name> an-malware criteria product-version not-within
show shared profiles hip-objects <name> an-malware criteria last-scan-me

PAN-OS CLI Quick Start Version Version 10.1 343 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared profiles hip-objects <name> an-malware criteria last-scan-me

show shared profiles hip-objects <name> an-malware criteria last-scan-me not-available
show shared profiles hip-objects <name> an-malware criteria last-scan-me within
show shared profiles hip-objects <name> an-malware criteria last-scan-me not-within
show shared profiles hip-objects <name> an-malware vendor
show shared profiles hip-objects <name> an-malware vendor <name>
show shared profiles hip-objects <name> disk-backup
show shared profiles hip-objects <name> disk-backup criteria
show shared profiles hip-objects <name> disk-backup criteria last-backup-me
show shared profiles hip-objects <name> disk-backup criteria last-backup-me
show shared profiles hip-objects <name> disk-backup criteria last-backup-me not-available
show shared profiles hip-objects <name> disk-backup criteria last-backup-me within
show shared profiles hip-objects <name> disk-backup criteria last-backup-me not-within
show shared profiles hip-objects <name> disk-backup vendor
show shared profiles hip-objects <name> disk-backup vendor <name>
show shared profiles hip-objects <name> disk-encrypon
show shared profiles hip-objects <name> disk-encrypon criteria
show shared profiles hip-objects <name> disk-encrypon criteria encrypted-locaons
show shared profiles hip-objects <name> disk-encrypon criteria encrypted-locaons <name>
show shared profiles hip-objects <name> disk-encrypon criteria encrypted-locaons <name>
encrypon-state
show shared profiles hip-objects <name> disk-encrypon vendor
show shared profiles hip-objects <name> disk-encrypon vendor <name>
show shared profiles hip-objects <name> custom-checks
show shared profiles hip-objects <name> custom-checks criteria
show shared profiles hip-objects <name> custom-checks criteria process-list
show shared profiles hip-objects <name> custom-checks criteria process-list <name>
show shared profiles hip-objects <name> custom-checks criteria registry-key
show shared profiles hip-objects <name> custom-checks criteria registry-key <name>
show shared profiles hip-objects <name> custom-checks criteria registry-key <name> registry-
value
show shared profiles hip-objects <name> custom-checks criteria registry-key <name> registry-
value <name>
show shared profiles hip-objects <name> custom-checks criteria plist

PAN-OS CLI Quick Start Version Version 10.1 344 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared profiles hip-objects <name> custom-checks criteria plist <name>

show shared profiles hip-objects <name> custom-checks criteria plist <name> key
show shared profiles hip-objects <name> custom-checks criteria plist <name> key <name>
show shared profiles hip-objects <name> mobile-device
show shared profiles hip-objects <name> mobile-device criteria
show shared profiles hip-objects <name> mobile-device criteria last-checkin-me
show shared profiles hip-objects <name> mobile-device criteria last-checkin-me
show shared profiles hip-objects <name> mobile-device criteria last-checkin-me within
show shared profiles hip-objects <name> mobile-device criteria last-checkin-me not-within
show shared profiles hip-objects <name> mobile-device criteria imei
show shared profiles hip-objects <name> mobile-device criteria imei
show shared profiles hip-objects <name> mobile-device criteria model
show shared profiles hip-objects <name> mobile-device criteria model
show shared profiles hip-objects <name> mobile-device criteria phone-number
show shared profiles hip-objects <name> mobile-device criteria phone-number
show shared profiles hip-objects <name> mobile-device criteria tag
show shared profiles hip-objects <name> mobile-device criteria tag
show shared profiles hip-objects <name> mobile-device criteria applicaons
show shared profiles hip-objects <name> mobile-device criteria applicaons has-malware
show shared profiles hip-objects <name> mobile-device criteria applicaons has-malware no
show shared profiles hip-objects <name> mobile-device criteria applicaons has-malware yes
show shared profiles hip-objects <name> mobile-device criteria applicaons has-malware yes
excludes
show shared profiles hip-objects <name> mobile-device criteria applicaons has-malware yes
excludes <name>
show shared profiles hip-objects <name> mobile-device criteria applicaons includes
show shared profiles hip-objects <name> mobile-device criteria applicaons includes <name>
show shared profiles hip-objects <name> cerficate
show shared profiles hip-objects <name> cerficate criteria
show shared profiles hip-objects <name> cerficate criteria cerficate-aributes
show shared profiles hip-objects <name> cerficate criteria cerficate-aributes <name>
show shared profiles virus
show shared profiles virus <name>
show shared profiles virus <name> mlav-engine-filebased-enabled

PAN-OS CLI Quick Start Version Version 10.1 345 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared profiles virus <name> mlav-engine-filebased-enabled <name>

show shared profiles virus <name> decoder
show shared profiles virus <name> decoder <name>
show shared profiles virus <name> applicaon
show shared profiles virus <name> applicaon <name>
show shared profiles virus <name> threat-excepon
show shared profiles virus <name> threat-excepon <name>
show shared profiles virus <name> mlav-excepon
show shared profiles virus <name> mlav-excepon <name>
show shared profiles spyware
show shared profiles spyware <name>
show shared profiles spyware <name> botnet-domains
show shared profiles spyware <name> botnet-domains lists
show shared profiles spyware <name> botnet-domains lists <name>
show shared profiles spyware <name> botnet-domains lists <name> acon
show shared profiles spyware <name> botnet-domains lists <name> acon alert
show shared profiles spyware <name> botnet-domains lists <name> acon allow
show shared profiles spyware <name> botnet-domains lists <name> acon block
show shared profiles spyware <name> botnet-domains lists <name> acon sinkhole
show shared profiles spyware <name> botnet-domains dns-security-categories
show shared profiles spyware <name> botnet-domains dns-security-categories <name>
show shared profiles spyware <name> botnet-domains whitelist
show shared profiles spyware <name> botnet-domains whitelist <name>
show shared profiles spyware <name> botnet-domains sinkhole
show shared profiles spyware <name> botnet-domains threat-excepon
show shared profiles spyware <name> botnet-domains threat-excepon <name>
show shared profiles spyware <name> rules
show shared profiles spyware <name> rules <name>
show shared profiles spyware <name> rules <name> acon
show shared profiles spyware <name> rules <name> acon default
show shared profiles spyware <name> rules <name> acon allow
show shared profiles spyware <name> rules <name> acon alert
show shared profiles spyware <name> rules <name> acon drop

PAN-OS CLI Quick Start Version Version 10.1 346 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared profiles spyware <name> rules <name> acon reset-client

show shared profiles spyware <name> rules <name> acon reset-server
show shared profiles spyware <name> rules <name> acon reset-both
show shared profiles spyware <name> rules <name> acon block-ip
show shared profiles spyware <name> threat-excepon
show shared profiles spyware <name> threat-excepon <name>
show shared profiles spyware <name> threat-excepon <name> acon
show shared profiles spyware <name> threat-excepon <name> acon default
show shared profiles spyware <name> threat-excepon <name> acon allow
show shared profiles spyware <name> threat-excepon <name> acon alert
show shared profiles spyware <name> threat-excepon <name> acon drop
show shared profiles spyware <name> threat-excepon <name> acon reset-both
show shared profiles spyware <name> threat-excepon <name> acon reset-client
show shared profiles spyware <name> threat-excepon <name> acon reset-server
show shared profiles spyware <name> threat-excepon <name> acon block-ip
show shared profiles spyware <name> threat-excepon <name> exempt-ip
show shared profiles spyware <name> threat-excepon <name> exempt-ip <name>
show shared profiles vulnerability
show shared profiles vulnerability <name>
show shared profiles vulnerability <name> rules
show shared profiles vulnerability <name> rules <name>
show shared profiles vulnerability <name> rules <name> acon
show shared profiles vulnerability <name> rules <name> acon default
show shared profiles vulnerability <name> rules <name> acon allow
show shared profiles vulnerability <name> rules <name> acon alert
show shared profiles vulnerability <name> rules <name> acon drop
show shared profiles vulnerability <name> rules <name> acon reset-client
show shared profiles vulnerability <name> rules <name> acon reset-server
show shared profiles vulnerability <name> rules <name> acon reset-both
show shared profiles vulnerability <name> rules <name> acon block-ip
show shared profiles vulnerability <name> threat-excepon
show shared profiles vulnerability <name> threat-excepon <name>
show shared profiles vulnerability <name> threat-excepon <name> acon

PAN-OS CLI Quick Start Version Version 10.1 347 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared profiles vulnerability <name> threat-excepon <name> acon default

show shared profiles vulnerability <name> threat-excepon <name> acon allow
show shared profiles vulnerability <name> threat-excepon <name> acon alert
show shared profiles vulnerability <name> threat-excepon <name> acon drop
show shared profiles vulnerability <name> threat-excepon <name> acon reset-client
show shared profiles vulnerability <name> threat-excepon <name> acon reset-server
show shared profiles vulnerability <name> threat-excepon <name> acon reset-both
show shared profiles vulnerability <name> threat-excepon <name> acon block-ip
show shared profiles vulnerability <name> threat-excepon <name> me-aribute
show shared profiles vulnerability <name> threat-excepon <name> exempt-ip
show shared profiles vulnerability <name> threat-excepon <name> exempt-ip <name>
show shared profiles url-filtering
show shared profiles url-filtering <name>
show shared profiles url-filtering <name> credenal-enforcement
show shared profiles url-filtering <name> credenal-enforcement mode
show shared profiles url-filtering <name> credenal-enforcement mode disabled
show shared profiles url-filtering <name> credenal-enforcement mode ip-user
show shared profiles url-filtering <name> credenal-enforcement mode domain-credenals
show shared profiles url-filtering <name> hp-header-inseron
show shared profiles url-filtering <name> hp-header-inseron <name>
show shared profiles url-filtering <name> hp-header-inseron <name> type
show shared profiles url-filtering <name> hp-header-inseron <name> type <name>
show shared profiles url-filtering <name> hp-header-inseron <name> type <name> headers
show shared profiles url-filtering <name> hp-header-inseron <name> type <name> headers
<name>
show shared profiles url-filtering <name> mlav-engine-urlbased-enabled
show shared profiles url-filtering <name> mlav-engine-urlbased-enabled <name>
show shared profiles file-blocking
show shared profiles file-blocking <name>
show shared profiles file-blocking <name> rules
show shared profiles file-blocking <name> rules <name>
show shared profiles wildfire-analysis
show shared profiles wildfire-analysis <name>
show shared profiles wildfire-analysis <name> rules

PAN-OS CLI Quick Start Version Version 10.1 348 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared profiles wildfire-analysis <name> rules <name>

show shared profiles custom-url-category
show shared profiles custom-url-category <name>
show shared profiles data-objects
show shared profiles data-objects <name>
show shared profiles data-objects <name> paern-type
show shared profiles data-objects <name> paern-type predefined
show shared profiles data-objects <name> paern-type predefined paern
show shared profiles data-objects <name> paern-type predefined paern <name>
show shared profiles data-objects <name> paern-type regex
show shared profiles data-objects <name> paern-type regex paern
show shared profiles data-objects <name> paern-type regex paern <name>
show shared profiles data-objects <name> paern-type file-properes
show shared profiles data-objects <name> paern-type file-properes paern
show shared profiles data-objects <name> paern-type file-properes paern <name>
show shared profiles data-filtering
show shared profiles data-filtering <name>
show shared profiles data-filtering <name> rules
show shared profiles data-filtering <name> rules <name>
show shared profiles hip-profiles
show shared profiles hip-profiles <name>
show shared profiles dos-protecon
show shared profiles dos-protecon <name>
show shared profiles dos-protecon <name> flood
show shared profiles dos-protecon <name> flood tcp-syn
show shared profiles dos-protecon <name> flood tcp-syn
show shared profiles dos-protecon <name> flood tcp-syn red
show shared profiles dos-protecon <name> flood tcp-syn red block
show shared profiles dos-protecon <name> flood tcp-syn syn-cookies
show shared profiles dos-protecon <name> flood tcp-syn syn-cookies block
show shared profiles dos-protecon <name> flood udp
show shared profiles dos-protecon <name> flood udp red
show shared profiles dos-protecon <name> flood udp red block

PAN-OS CLI Quick Start Version Version 10.1 349 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared profiles dos-protecon <name> flood icmp

show shared profiles dos-protecon <name> flood icmp red
show shared profiles dos-protecon <name> flood icmp red block
show shared profiles dos-protecon <name> flood icmpv6
show shared profiles dos-protecon <name> flood icmpv6 red
show shared profiles dos-protecon <name> flood icmpv6 red block
show shared profiles dos-protecon <name> flood other-ip
show shared profiles dos-protecon <name> flood other-ip red
show shared profiles dos-protecon <name> flood other-ip red block
show shared profiles dos-protecon <name> resource
show shared profiles dos-protecon <name> resource sessions
show shared profiles sdwan-path-quality
show shared profiles sdwan-path-quality <name>
show shared profiles sdwan-path-quality <name> metric
show shared profiles sdwan-path-quality <name> metric latency
show shared profiles sdwan-path-quality <name> metric pkt-loss
show shared profiles sdwan-path-quality <name> metric jier
show shared profiles sdwan-traffic-distribuon
show shared profiles sdwan-traffic-distribuon <name>
show shared profiles sdwan-traffic-distribuon <name> link-tags
show shared profiles sdwan-traffic-distribuon <name> link-tags <name>
show shared profiles sdwan-saas-quality
show shared profiles sdwan-saas-quality <name>
show shared profiles sdwan-saas-quality <name> monitor-mode
show shared profiles sdwan-saas-quality <name> monitor-mode
show shared profiles sdwan-saas-quality <name> monitor-mode adapve
show shared profiles sdwan-saas-quality <name> monitor-mode stac-ip
show shared profiles sdwan-saas-quality <name> monitor-mode stac-ip
show shared profiles sdwan-saas-quality <name> monitor-mode stac-ip ip-address
show shared profiles sdwan-saas-quality <name> monitor-mode stac-ip ip-address <name>
show shared profiles sdwan-saas-quality <name> monitor-mode stac-ip fqdn
show shared profiles sdwan-saas-quality <name> monitor-mode hp-hps
show shared profiles sdwan-error-correcon

PAN-OS CLI Quick Start Version Version 10.1 350 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared profiles sdwan-error-correcon <name>

show shared profiles sdwan-error-correcon <name> mode
show shared profiles sdwan-error-correcon <name> mode
show shared profiles sdwan-error-correcon <name> mode forward-error-correcon
show shared profiles sdwan-error-correcon <name> mode packet-duplicaon
show shared profiles decrypon
show shared profiles decrypon <name>
show shared profiles decrypon <name> ssl-forward-proxy
show shared profiles decrypon <name> ssl-inbound-proxy
show shared profiles decrypon <name> ssl-protocol-sengs
show shared profiles decrypon <name> ssl-no-proxy
show shared profiles decrypon <name> ssh-proxy
show shared profile-group
show shared profile-group <name>
show shared schedule
show shared schedule <name>
show shared schedule <name> schedule-type
show shared schedule <name> schedule-type recurring
show shared schedule <name> schedule-type recurring weekly
show shared threats
show shared threats vulnerability
show shared threats vulnerability <name>
show shared threats vulnerability <name> affected-host
show shared threats vulnerability <name> default-acon
show shared threats vulnerability <name> default-acon alert
show shared threats vulnerability <name> default-acon drop
show shared threats vulnerability <name> default-acon reset-client
show shared threats vulnerability <name> default-acon reset-server
show shared threats vulnerability <name> default-acon reset-both
show shared threats vulnerability <name> default-acon block-ip
show shared threats vulnerability <name> default-acon allow
show shared threats vulnerability <name> signature
show shared threats vulnerability <name> signature standard

PAN-OS CLI Quick Start Version Version 10.1 351 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared threats vulnerability <name> signature standard <name>

show shared threats vulnerability <name> signature standard <name> and-condion
show shared threats vulnerability <name> signature standard <name> and-condion <name>
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name>
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier <name>
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier <name>
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier <name>
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier
show shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier <name>
show shared threats vulnerability <name> signature combinaon
show shared threats vulnerability <name> signature combinaon me-aribute
show shared threats vulnerability <name> signature combinaon and-condion
show shared threats vulnerability <name> signature combinaon and-condion <name>
show shared threats vulnerability <name> signature combinaon and-condion <name> or-
condion

PAN-OS CLI Quick Start Version Version 10.1 352 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared threats vulnerability <name> signature combinaon and-condion <name> or-
condion <name>
show shared threats spyware
show shared threats spyware <name>
show shared threats spyware <name> default-acon
show shared threats spyware <name> default-acon alert
show shared threats spyware <name> default-acon drop
show shared threats spyware <name> default-acon reset-client
show shared threats spyware <name> default-acon reset-server
show shared threats spyware <name> default-acon reset-both
show shared threats spyware <name> default-acon block-ip
show shared threats spyware <name> default-acon allow
show shared threats spyware <name> signature
show shared threats spyware <name> signature standard
show shared threats spyware <name> signature standard <name>
show shared threats spyware <name> signature standard <name> and-condion
show shared threats spyware <name> signature standard <name> and-condion <name>
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name>
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier <name>
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier <name>
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than

PAN-OS CLI Quick Start Version Version 10.1 353 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier <name>
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier
show shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier <name>
show shared threats spyware <name> signature combinaon
show shared threats spyware <name> signature combinaon me-aribute
show shared threats spyware <name> signature combinaon and-condion
show shared threats spyware <name> signature combinaon and-condion <name>
show shared threats spyware <name> signature combinaon and-condion <name> or-condion
show shared threats spyware <name> signature combinaon and-condion <name> or-condion
<name>
show shared external-list
show shared external-list <name>
show shared external-list <name> type
show shared external-list <name> type predefined-ip
show shared external-list <name> type predefined-url
show shared external-list <name> type ip
show shared external-list <name> type ip auth
show shared external-list <name> type ip recurring
show shared external-list <name> type ip recurring
show shared external-list <name> type ip recurring five-minute
show shared external-list <name> type ip recurring hourly
show shared external-list <name> type ip recurring daily
show shared external-list <name> type ip recurring weekly
show shared external-list <name> type ip recurring monthly
show shared external-list <name> type domain
show shared external-list <name> type domain auth
show shared external-list <name> type domain recurring
show shared external-list <name> type domain recurring

PAN-OS CLI Quick Start Version Version 10.1 354 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared external-list <name> type domain recurring hourly

show shared external-list <name> type domain recurring five-minute
show shared external-list <name> type domain recurring daily
show shared external-list <name> type domain recurring weekly
show shared external-list <name> type domain recurring monthly
show shared external-list <name> type url
show shared external-list <name> type url auth
show shared external-list <name> type url recurring
show shared external-list <name> type url recurring
show shared external-list <name> type url recurring hourly
show shared external-list <name> type url recurring five-minute
show shared external-list <name> type url recurring daily
show shared external-list <name> type url recurring weekly
show shared external-list <name> type url recurring monthly
show shared tag
show shared tag <name>
show shared authencaon-object
show shared authencaon-object <name>
show shared global-protect
show shared global-protect clientless-app
show shared global-protect clientless-app <name>
show shared global-protect clientless-app-group
show shared global-protect clientless-app-group <name>
show shared reports
show shared reports <name>
show shared reports <name> type
show shared reports <name> type appstat
show shared reports <name> type decrypon
show shared reports <name> type desum
show shared reports <name> type threat
show shared reports <name> type url
show shared reports <name> type wildfire
show shared reports <name> type data

PAN-OS CLI Quick Start Version Version 10.1 355 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared reports <name> type thsum

show shared reports <name> type traffic
show shared reports <name> type urlsum
show shared reports <name> type trsum
show shared reports <name> type tunnel
show shared reports <name> type tunnelsum
show shared reports <name> type userid
show shared reports <name> type auth
show shared reports <name> type iptag
show shared reports <name> type hipmatch
show shared reports <name> type globalprotect
show shared report-group
show shared report-group <name>
show shared report-group <name>
show shared report-group <name> custom-widget
show shared report-group <name> custom-widget <name>
show shared report-group <name> custom-widget <name>
show shared report-group <name>
show shared report-group <name> all
show shared report-group <name> all entry
show shared report-group <name> selected-zone
show shared report-group <name> selected-zone entry
show shared report-group <name> selected-user-group
show shared report-group <name> selected-user-group entry
show shared report-group <name> variable
show shared report-group <name> variable <name>
show shared pdf-summary-report
show shared pdf-summary-report <name>
show shared pdf-summary-report <name> header
show shared pdf-summary-report <name> footer
show shared pdf-summary-report <name> predefined-widget
show shared pdf-summary-report <name> predefined-widget <name>
show shared pdf-summary-report <name> custom-widget

PAN-OS CLI Quick Start Version Version 10.1 356 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared pdf-summary-report <name> custom-widget <name>

show shared email-scheduler
show shared email-scheduler <name>
show shared email-scheduler <name> recurring
show shared email-scheduler <name> recurring disabled
show shared email-scheduler <name> recurring daily
show shared botnet
show shared botnet configuraon
show shared botnet configuraon hp
show shared botnet configuraon hp malware-sites
show shared botnet configuraon hp dynamic-dns
show shared botnet configuraon hp ip-domains
show shared botnet configuraon hp recent-domains
show shared botnet configuraon hp executables-from-unknown-sites
show shared botnet configuraon unknown-applicaons
show shared botnet configuraon unknown-applicaons unknown-tcp
show shared botnet configuraon unknown-applicaons unknown-tcp session-length
show shared botnet configuraon unknown-applicaons unknown-udp
show shared botnet configuraon unknown-applicaons unknown-udp session-length
show shared botnet configuraon other-applicaons
show shared botnet report
show shared override
show shared override applicaon
show shared override applicaon <name>
show shared alg-override
show shared alg-override applicaon
show shared alg-override applicaon <name>
show shared authencaon-profile
show shared authencaon-profile <name>
show shared authencaon-profile <name> single-sign-on
show shared authencaon-profile <name> lockout
show shared authencaon-profile <name> method
show shared authencaon-profile <name> method none

PAN-OS CLI Quick Start Version Version 10.1 357 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared authencaon-profile <name> method cloud

show shared authencaon-profile <name> method cloud region
show shared authencaon-profile <name> method cloud region tenant
show shared authencaon-profile <name> method cloud region tenant profile
show shared authencaon-profile <name> method cloud region tenant profile mfa
show shared authencaon-profile <name> method local-database
show shared authencaon-profile <name> method radius
show shared authencaon-profile <name> method ldap
show shared authencaon-profile <name> method kerberos
show shared authencaon-profile <name> method tacplus
show shared authencaon-profile <name> method saml-idp
show shared authencaon-profile <name> mul-factor-auth
show shared authencaon-sequence
show shared authencaon-sequence <name>
show shared cerficate-profile
show shared cerficate-profile <name>
show shared cerficate-profile <name> username-field
show shared cerficate-profile <name> CA
show shared cerficate-profile <name> CA <name>
show shared server-profile
show shared server-profile ldap
show shared server-profile ldap <name>
show shared server-profile ldap <name> server
show shared server-profile ldap <name> server <name>
show shared server-profile radius
show shared server-profile radius <name>
show shared server-profile radius <name> protocol
show shared server-profile radius <name> protocol CHAP
show shared server-profile radius <name> protocol PAP
show shared server-profile radius <name> protocol PEAP-MSCHAPv2
show shared server-profile radius <name> protocol PEAP-with-GTC
show shared server-profile radius <name> protocol EAP-TTLS-with-PAP
show shared server-profile radius <name> server

PAN-OS CLI Quick Start Version Version 10.1 358 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared server-profile radius <name> server <name>

show shared server-profile kerberos
show shared server-profile kerberos <name>
show shared server-profile kerberos <name> server
show shared server-profile kerberos <name> server <name>
show shared server-profile tacplus
show shared server-profile tacplus <name>
show shared server-profile tacplus <name> server
show shared server-profile tacplus <name> server <name>
show shared server-profile saml-idp
show shared server-profile saml-idp <name>
show shared server-profile nelow
show shared server-profile nelow <name>
show shared server-profile nelow <name> template-refresh-rate
show shared server-profile nelow <name> server
show shared server-profile nelow <name> server <name>
show shared server-profile mfa-server-profile
show shared server-profile mfa-server-profile <name>
show shared server-profile mfa-server-profile <name> mfa-config
show shared server-profile mfa-server-profile <name> mfa-config <name>
show shared log-sengs
show shared log-sengs system
show shared log-sengs system match-list
show shared log-sengs system match-list <name>
show shared log-sengs system match-list <name> acons
show shared log-sengs system match-list <name> acons <name>
show shared log-sengs system match-list <name> acons <name> type
show shared log-sengs config
show shared log-sengs config match-list
show shared log-sengs config match-list <name>
show shared log-sengs userid
show shared log-sengs userid match-list
show shared log-sengs userid match-list <name>

PAN-OS CLI Quick Start Version Version 10.1 359 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared log-sengs userid match-list <name> acons

show shared log-sengs userid match-list <name> acons <name>
show shared log-sengs userid match-list <name> acons <name> type
show shared log-sengs userid match-list <name> acons <name> type tagging
show shared log-sengs userid match-list <name> acons <name> type tagging registraon
show shared log-sengs userid match-list <name> acons <name> type tagging registraon
localhost
show shared log-sengs userid match-list <name> acons <name> type tagging registraon
panorama
show shared log-sengs userid match-list <name> acons <name> type tagging registraon
remote
show shared log-sengs iptag
show shared log-sengs iptag match-list
show shared log-sengs iptag match-list <name>
show shared log-sengs iptag match-list <name> acons
show shared log-sengs iptag match-list <name> acons <name>
show shared log-sengs iptag match-list <name> acons <name> type
show shared log-sengs iptag match-list <name> acons <name> type tagging
show shared log-sengs iptag match-list <name> acons <name> type tagging registraon
show shared log-sengs iptag match-list <name> acons <name> type tagging registraon
localhost
show shared log-sengs iptag match-list <name> acons <name> type tagging registraon
panorama
show shared log-sengs iptag match-list <name> acons <name> type tagging registraon
remote
show shared log-sengs globalprotect
show shared log-sengs globalprotect match-list
show shared log-sengs globalprotect match-list <name>
show shared log-sengs globalprotect match-list <name> acons
show shared log-sengs globalprotect match-list <name> acons <name>
show shared log-sengs globalprotect match-list <name> acons <name> type
show shared log-sengs globalprotect match-list <name> acons <name> type tagging
show shared log-sengs globalprotect match-list <name> acons <name> type tagging
registraon
show shared log-sengs globalprotect match-list <name> acons <name> type tagging
registraon localhost

PAN-OS CLI Quick Start Version Version 10.1 360 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared log-sengs globalprotect match-list <name> acons <name> type tagging
registraon panorama
show shared log-sengs globalprotect match-list <name> acons <name> type tagging
registraon remote
show shared log-sengs hipmatch
show shared log-sengs hipmatch match-list
show shared log-sengs hipmatch match-list <name>
show shared log-sengs hipmatch match-list <name> acons
show shared log-sengs hipmatch match-list <name> acons <name>
show shared log-sengs hipmatch match-list <name> acons <name> type
show shared log-sengs hipmatch match-list <name> acons <name> type tagging
show shared log-sengs hipmatch match-list <name> acons <name> type tagging registraon
show shared log-sengs hipmatch match-list <name> acons <name> type tagging registraon
localhost
show shared log-sengs hipmatch match-list <name> acons <name> type tagging registraon
panorama
show shared log-sengs hipmatch match-list <name> acons <name> type tagging registraon
remote
show shared log-sengs correlaon
show shared log-sengs correlaon match-list
show shared log-sengs correlaon match-list <name>
show shared log-sengs correlaon match-list <name> acons
show shared log-sengs correlaon match-list <name> acons <name>
show shared log-sengs correlaon match-list <name> acons <name> type
show shared log-sengs correlaon match-list <name> acons <name> type tagging
show shared log-sengs correlaon match-list <name> acons <name> type tagging registraon
show shared log-sengs correlaon match-list <name> acons <name> type tagging registraon
localhost
show shared log-sengs correlaon match-list <name> acons <name> type tagging registraon
panorama
show shared log-sengs correlaon match-list <name> acons <name> type tagging registraon
remote
show shared log-sengs snmptrap
show shared log-sengs snmptrap <name>
show shared log-sengs snmptrap <name> version
show shared log-sengs snmptrap <name> version v2c

PAN-OS CLI Quick Start Version Version 10.1 361 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared log-sengs snmptrap <name> version v2c server

show shared log-sengs snmptrap <name> version v2c server <name>
show shared log-sengs snmptrap <name> version v3
show shared log-sengs snmptrap <name> version v3 server
show shared log-sengs snmptrap <name> version v3 server <name>
show shared log-sengs email
show shared log-sengs email <name>
show shared log-sengs email <name> server
show shared log-sengs email <name> server <name>
show shared log-sengs email <name> format
show shared log-sengs email <name> format escaping
show shared log-sengs syslog
show shared log-sengs syslog <name>
show shared log-sengs syslog <name> server
show shared log-sengs syslog <name> server <name>
show shared log-sengs syslog <name> format
show shared log-sengs syslog <name> format escaping
show shared log-sengs hp
show shared log-sengs hp <name>
show shared log-sengs hp <name> server
show shared log-sengs hp <name> server <name>
show shared log-sengs hp <name> format
show shared log-sengs hp <name> format config
show shared log-sengs hp <name> format config headers
show shared log-sengs hp <name> format config headers <name>
show shared log-sengs hp <name> format config params
show shared log-sengs hp <name> format config params <name>
show shared log-sengs hp <name> format system
show shared log-sengs hp <name> format system headers
show shared log-sengs hp <name> format system headers <name>
show shared log-sengs hp <name> format system params
show shared log-sengs hp <name> format system params <name>
show shared log-sengs hp <name> format traffic

PAN-OS CLI Quick Start Version Version 10.1 362 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared log-sengs hp <name> format traffic headers

show shared log-sengs hp <name> format traffic headers <name>
show shared log-sengs hp <name> format traffic params
show shared log-sengs hp <name> format traffic params <name>
show shared log-sengs hp <name> format threat
show shared log-sengs hp <name> format threat headers
show shared log-sengs hp <name> format threat headers <name>
show shared log-sengs hp <name> format threat params
show shared log-sengs hp <name> format threat params <name>
show shared log-sengs hp <name> format wildfire
show shared log-sengs hp <name> format wildfire headers
show shared log-sengs hp <name> format wildfire headers <name>
show shared log-sengs hp <name> format wildfire params
show shared log-sengs hp <name> format wildfire params <name>
show shared log-sengs hp <name> format url
show shared log-sengs hp <name> format url headers
show shared log-sengs hp <name> format url headers <name>
show shared log-sengs hp <name> format url params
show shared log-sengs hp <name> format url params <name>
show shared log-sengs hp <name> format data
show shared log-sengs hp <name> format data headers
show shared log-sengs hp <name> format data headers <name>
show shared log-sengs hp <name> format data params
show shared log-sengs hp <name> format data params <name>
show shared log-sengs hp <name> format tunnel
show shared log-sengs hp <name> format tunnel headers
show shared log-sengs hp <name> format tunnel headers <name>
show shared log-sengs hp <name> format tunnel params
show shared log-sengs hp <name> format tunnel params <name>
show shared log-sengs hp <name> format auth
show shared log-sengs hp <name> format auth headers
show shared log-sengs hp <name> format auth headers <name>
show shared log-sengs hp <name> format auth params

PAN-OS CLI Quick Start Version Version 10.1 363 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared log-sengs hp <name> format auth params <name>

show shared log-sengs hp <name> format userid
show shared log-sengs hp <name> format userid headers
show shared log-sengs hp <name> format userid headers <name>
show shared log-sengs hp <name> format userid params
show shared log-sengs hp <name> format userid params <name>
show shared log-sengs hp <name> format iptag
show shared log-sengs hp <name> format iptag headers
show shared log-sengs hp <name> format iptag headers <name>
show shared log-sengs hp <name> format iptag params
show shared log-sengs hp <name> format iptag params <name>
show shared log-sengs hp <name> format decrypon
show shared log-sengs hp <name> format decrypon headers
show shared log-sengs hp <name> format decrypon headers <name>
show shared log-sengs hp <name> format decrypon params
show shared log-sengs hp <name> format decrypon params <name>
show shared log-sengs hp <name> format globalprotect
show shared log-sengs hp <name> format globalprotect headers
show shared log-sengs hp <name> format globalprotect headers <name>
show shared log-sengs hp <name> format globalprotect params
show shared log-sengs hp <name> format globalprotect params <name>
show shared log-sengs hp <name> format hip-match
show shared log-sengs hp <name> format hip-match headers
show shared log-sengs hp <name> format hip-match headers <name>
show shared log-sengs hp <name> format hip-match params
show shared log-sengs hp <name> format hip-match params <name>
show shared log-sengs hp <name> format correlaon
show shared log-sengs hp <name> format correlaon headers
show shared log-sengs hp <name> format correlaon headers <name>
show shared log-sengs hp <name> format correlaon params
show shared log-sengs hp <name> format correlaon params <name>
show shared log-sengs profiles
show shared log-sengs profiles <name>

PAN-OS CLI Quick Start Version Version 10.1 364 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared log-sengs profiles <name> match-list

show shared log-sengs profiles <name> match-list <name>
show shared log-sengs profiles <name> match-list <name> acons
show shared log-sengs profiles <name> match-list <name> acons <name>
show shared log-sengs profiles <name> match-list <name> acons <name> type
show shared log-sengs profiles <name> match-list <name> acons <name> type tagging
show shared log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon
show shared log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon localhost
show shared log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon panorama
show shared log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon remote
show shared cerficate
show shared cerficate <name>
show shared cerficate <name>
show shared cerficate <name>
show shared ssl-tls-service-profile
show shared ssl-tls-service-profile <name>
show shared ssl-tls-service-profile <name> protocol-sengs
show shared response-page
show shared response-page global-protect-portal-custom-login-page
show shared response-page global-protect-portal-custom-login-page <name>
show shared response-page global-protect-portal-custom-home-page
show shared response-page global-protect-portal-custom-home-page <name>
show shared response-page global-protect-portal-custom-help-page
show shared response-page global-protect-portal-custom-help-page <name>
show shared response-page global-protect-portal-custom-welcome-page
show shared response-page global-protect-portal-custom-welcome-page <name>
show shared local-user-database
show shared local-user-database user
show shared local-user-database user <name>
show shared local-user-database user-group
show shared local-user-database user-group <name>

PAN-OS CLI Quick Start Version Version 10.1 365 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared ocsp-responder

show shared ocsp-responder <name>
show shared ssl-decrypt
show shared ssl-decrypt forward-trust-cerficate
show shared ssl-decrypt forward-untrust-cerficate
show shared ssl-decrypt ssl-exclude-cert
show shared ssl-decrypt ssl-exclude-cert <name>
show shared admin-role
show shared admin-role <name>
show shared admin-role <name> role
show shared admin-role <name> role device
show shared admin-role <name> role device webui
show shared admin-role <name> role device webui monitor
show shared admin-role <name> role device webui monitor logs
show shared admin-role <name> role device webui monitor automated-correlaon-engine
show shared admin-role <name> role device webui monitor pdf-reports
show shared admin-role <name> role device webui monitor custom-reports
show shared admin-role <name> role device webui policies
show shared admin-role <name> role device webui objects
show shared admin-role <name> role device webui objects global-protect
show shared admin-role <name> role device webui objects custom-objects
show shared admin-role <name> role device webui objects security-profiles
show shared admin-role <name> role device webui objects decrypon
show shared admin-role <name> role device webui objects sdwan
show shared admin-role <name> role device webui network
show shared admin-role <name> role device webui network roung
show shared admin-role <name> role device webui network roung roung-profiles
show shared admin-role <name> role device webui network global-protect
show shared admin-role <name> role device webui network network-profiles
show shared admin-role <name> role device webui device
show shared admin-role <name> role device webui device setup
show shared admin-role <name> role device webui device cerficate-management
show shared admin-role <name> role device webui device log-sengs

PAN-OS CLI Quick Start Version Version 10.1 366 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared admin-role <name> role device webui device server-profile

show shared admin-role <name> role device webui device local-user-database
show shared admin-role <name> role device webui device policy-recommendaons
show shared admin-role <name> role device webui operaons
show shared admin-role <name> role device webui privacy
show shared admin-role <name> role device webui save
show shared admin-role <name> role device webui commit
show shared admin-role <name> role device webui global
show shared admin-role <name> role device xmlapi
show shared admin-role <name> role device restapi
show shared admin-role <name> role device restapi objects
show shared admin-role <name> role device restapi policies
show shared admin-role <name> role device restapi network
show shared admin-role <name> role device restapi device
show shared admin-role <name> role device restapi system
show shared admin-role <name> role vsys
show shared admin-role <name> role vsys webui
show shared admin-role <name> role vsys webui monitor
show shared admin-role <name> role vsys webui monitor logs
show shared admin-role <name> role vsys webui monitor automated-correlaon-engine
show shared admin-role <name> role vsys webui monitor pdf-reports
show shared admin-role <name> role vsys webui monitor custom-reports
show shared admin-role <name> role vsys webui policies
show shared admin-role <name> role vsys webui objects
show shared admin-role <name> role vsys webui objects global-protect
show shared admin-role <name> role vsys webui objects custom-objects
show shared admin-role <name> role vsys webui objects security-profiles
show shared admin-role <name> role vsys webui objects decrypon
show shared admin-role <name> role vsys webui objects sdwan
show shared admin-role <name> role vsys webui network
show shared admin-role <name> role vsys webui network global-protect
show shared admin-role <name> role vsys webui device
show shared admin-role <name> role vsys webui device setup

PAN-OS CLI Quick Start Version Version 10.1 367 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show shared admin-role <name> role vsys webui device cerficate-management

show shared admin-role <name> role vsys webui device log-sengs
show shared admin-role <name> role vsys webui device server-profile
show shared admin-role <name> role vsys webui device local-user-database
show shared admin-role <name> role vsys webui device policy-recommendaons
show shared admin-role <name> role vsys webui operaons
show shared admin-role <name> role vsys webui privacy
show shared admin-role <name> role vsys webui save
show shared admin-role <name> role vsys webui commit
show shared admin-role <name> role vsys xmlapi
show shared admin-role <name> role vsys restapi
show shared admin-role <name> role vsys restapi objects
show shared admin-role <name> role vsys restapi policies
show shared admin-role <name> role vsys restapi network
show shared admin-role <name> role vsys restapi device
show shared admin-role <name> role vsys restapi system
show shared scep
show shared scep <name>
show shared scep <name> scep-challenge
show shared scep <name> scep-challenge none
show shared scep <name> scep-challenge dynamic
show shared scep <name> algorithm
show shared scep <name> algorithm rsa
show shared scep <name> cerficate-aributes
show shared user-id-hub
show vsys
show vsys <name>
show vsys <name> seng
show vsys <name> seng nat
show vsys <name> seng ssl-decrypt
show vsys <name> import
show vsys <name> import network
show vsys <name> import resource

PAN-OS CLI Quick Start Version Version 10.1 368 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> route

show vsys <name> route service
show vsys <name> route service <name>
show vsys <name> route service <name> source
show vsys <name> route service <name> source-v6
show vsys <name> authencaon-profile
show vsys <name> authencaon-profile <name>
show vsys <name> authencaon-profile <name> single-sign-on
show vsys <name> authencaon-profile <name> lockout
show vsys <name> authencaon-profile <name> method
show vsys <name> authencaon-profile <name> method none
show vsys <name> authencaon-profile <name> method cloud
show vsys <name> authencaon-profile <name> method cloud region
show vsys <name> authencaon-profile <name> method cloud region tenant
show vsys <name> authencaon-profile <name> method cloud region tenant profile
show vsys <name> authencaon-profile <name> method cloud region tenant profile mfa
show vsys <name> authencaon-profile <name> method local-database
show vsys <name> authencaon-profile <name> method radius
show vsys <name> authencaon-profile <name> method ldap
show vsys <name> authencaon-profile <name> method kerberos
show vsys <name> authencaon-profile <name> method tacplus
show vsys <name> authencaon-profile <name> method saml-idp
show vsys <name> authencaon-profile <name> mul-factor-auth
show vsys <name> authencaon-sequence
show vsys <name> authencaon-sequence <name>
show vsys <name> cerficate-profile
show vsys <name> cerficate-profile <name>
show vsys <name> cerficate-profile <name> username-field
show vsys <name> cerficate-profile <name> CA
show vsys <name> cerficate-profile <name> CA <name>
show vsys <name> server-profile
show vsys <name> server-profile ldap
show vsys <name> server-profile ldap <name>

PAN-OS CLI Quick Start Version Version 10.1 369 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> server-profile ldap <name> server

show vsys <name> server-profile ldap <name> server <name>
show vsys <name> server-profile radius
show vsys <name> server-profile radius <name>
show vsys <name> server-profile radius <name> protocol
show vsys <name> server-profile radius <name> protocol CHAP
show vsys <name> server-profile radius <name> protocol PAP
show vsys <name> server-profile radius <name> protocol PEAP-MSCHAPv2
show vsys <name> server-profile radius <name> protocol PEAP-with-GTC
show vsys <name> server-profile radius <name> protocol EAP-TTLS-with-PAP
show vsys <name> server-profile radius <name> server
show vsys <name> server-profile radius <name> server <name>
show vsys <name> server-profile kerberos
show vsys <name> server-profile kerberos <name>
show vsys <name> server-profile kerberos <name> server
show vsys <name> server-profile kerberos <name> server <name>
show vsys <name> server-profile tacplus
show vsys <name> server-profile tacplus <name>
show vsys <name> server-profile tacplus <name> server
show vsys <name> server-profile tacplus <name> server <name>
show vsys <name> server-profile saml-idp
show vsys <name> server-profile saml-idp <name>
show vsys <name> server-profile nelow
show vsys <name> server-profile nelow <name>
show vsys <name> server-profile nelow <name> template-refresh-rate
show vsys <name> server-profile nelow <name> server
show vsys <name> server-profile nelow <name> server <name>
show vsys <name> server-profile dns
show vsys <name> server-profile dns <name>
show vsys <name> server-profile dns <name> inheritance
show vsys <name> server-profile dns <name> source
show vsys <name> server-profile dns <name> source-v6
show vsys <name> server-profile mfa-server-profile

PAN-OS CLI Quick Start Version Version 10.1 370 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> server-profile mfa-server-profile <name>

show vsys <name> server-profile mfa-server-profile <name> mfa-config
show vsys <name> server-profile mfa-server-profile <name> mfa-config <name>
show vsys <name> dns-proxy
show vsys <name> dns-proxy <name>
show vsys <name> dns-proxy <name> domain-servers
show vsys <name> dns-proxy <name> domain-servers <name>
show vsys <name> dns-proxy <name> cache
show vsys <name> dns-proxy <name> cache max-l
show vsys <name> dns-proxy <name> stac-entries
show vsys <name> dns-proxy <name> stac-entries <name>
show vsys <name> dns-proxy <name> tcp-queries
show vsys <name> dns-proxy <name> udp-queries
show vsys <name> dns-proxy <name> udp-queries retries
show vsys <name> log-sengs
show vsys <name> log-sengs snmptrap
show vsys <name> log-sengs snmptrap <name>
show vsys <name> log-sengs snmptrap <name> version
show vsys <name> log-sengs snmptrap <name> version v2c
show vsys <name> log-sengs snmptrap <name> version v2c server
show vsys <name> log-sengs snmptrap <name> version v2c server <name>
show vsys <name> log-sengs snmptrap <name> version v3
show vsys <name> log-sengs snmptrap <name> version v3 server
show vsys <name> log-sengs snmptrap <name> version v3 server <name>
show vsys <name> log-sengs email
show vsys <name> log-sengs email <name>
show vsys <name> log-sengs email <name> server
show vsys <name> log-sengs email <name> server <name>
show vsys <name> log-sengs email <name> format
show vsys <name> log-sengs email <name> format escaping
show vsys <name> log-sengs syslog
show vsys <name> log-sengs syslog <name>
show vsys <name> log-sengs syslog <name> server

PAN-OS CLI Quick Start Version Version 10.1 371 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> log-sengs syslog <name> server <name>

show vsys <name> log-sengs syslog <name> format
show vsys <name> log-sengs syslog <name> format escaping
show vsys <name> log-sengs hp
show vsys <name> log-sengs hp <name>
show vsys <name> log-sengs hp <name> server
show vsys <name> log-sengs hp <name> server <name>
show vsys <name> log-sengs hp <name> format
show vsys <name> log-sengs hp <name> format config
show vsys <name> log-sengs hp <name> format config headers
show vsys <name> log-sengs hp <name> format config headers <name>
show vsys <name> log-sengs hp <name> format config params
show vsys <name> log-sengs hp <name> format config params <name>
show vsys <name> log-sengs hp <name> format system
show vsys <name> log-sengs hp <name> format system headers
show vsys <name> log-sengs hp <name> format system headers <name>
show vsys <name> log-sengs hp <name> format system params
show vsys <name> log-sengs hp <name> format system params <name>
show vsys <name> log-sengs hp <name> format traffic
show vsys <name> log-sengs hp <name> format traffic headers
show vsys <name> log-sengs hp <name> format traffic headers <name>
show vsys <name> log-sengs hp <name> format traffic params
show vsys <name> log-sengs hp <name> format traffic params <name>
show vsys <name> log-sengs hp <name> format threat
show vsys <name> log-sengs hp <name> format threat headers
show vsys <name> log-sengs hp <name> format threat headers <name>
show vsys <name> log-sengs hp <name> format threat params
show vsys <name> log-sengs hp <name> format threat params <name>
show vsys <name> log-sengs hp <name> format wildfire
show vsys <name> log-sengs hp <name> format wildfire headers
show vsys <name> log-sengs hp <name> format wildfire headers <name>
show vsys <name> log-sengs hp <name> format wildfire params
show vsys <name> log-sengs hp <name> format wildfire params <name>

PAN-OS CLI Quick Start Version Version 10.1 372 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> log-sengs hp <name> format url

show vsys <name> log-sengs hp <name> format url headers
show vsys <name> log-sengs hp <name> format url headers <name>
show vsys <name> log-sengs hp <name> format url params
show vsys <name> log-sengs hp <name> format url params <name>
show vsys <name> log-sengs hp <name> format data
show vsys <name> log-sengs hp <name> format data headers
show vsys <name> log-sengs hp <name> format data headers <name>
show vsys <name> log-sengs hp <name> format data params
show vsys <name> log-sengs hp <name> format data params <name>
show vsys <name> log-sengs hp <name> format tunnel
show vsys <name> log-sengs hp <name> format tunnel headers
show vsys <name> log-sengs hp <name> format tunnel headers <name>
show vsys <name> log-sengs hp <name> format tunnel params
show vsys <name> log-sengs hp <name> format tunnel params <name>
show vsys <name> log-sengs hp <name> format auth
show vsys <name> log-sengs hp <name> format auth headers
show vsys <name> log-sengs hp <name> format auth headers <name>
show vsys <name> log-sengs hp <name> format auth params
show vsys <name> log-sengs hp <name> format auth params <name>
show vsys <name> log-sengs hp <name> format userid
show vsys <name> log-sengs hp <name> format userid headers
show vsys <name> log-sengs hp <name> format userid headers <name>
show vsys <name> log-sengs hp <name> format userid params
show vsys <name> log-sengs hp <name> format userid params <name>
show vsys <name> log-sengs hp <name> format iptag
show vsys <name> log-sengs hp <name> format iptag headers
show vsys <name> log-sengs hp <name> format iptag headers <name>
show vsys <name> log-sengs hp <name> format iptag params
show vsys <name> log-sengs hp <name> format iptag params <name>
show vsys <name> log-sengs hp <name> format decrypon
show vsys <name> log-sengs hp <name> format decrypon headers
show vsys <name> log-sengs hp <name> format decrypon headers <name>

PAN-OS CLI Quick Start Version Version 10.1 373 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> log-sengs hp <name> format decrypon params

show vsys <name> log-sengs hp <name> format decrypon params <name>
show vsys <name> log-sengs hp <name> format globalprotect
show vsys <name> log-sengs hp <name> format globalprotect headers
show vsys <name> log-sengs hp <name> format globalprotect headers <name>
show vsys <name> log-sengs hp <name> format globalprotect params
show vsys <name> log-sengs hp <name> format globalprotect params <name>
show vsys <name> log-sengs hp <name> format hip-match
show vsys <name> log-sengs hp <name> format hip-match headers
show vsys <name> log-sengs hp <name> format hip-match headers <name>
show vsys <name> log-sengs hp <name> format hip-match params
show vsys <name> log-sengs hp <name> format hip-match params <name>
show vsys <name> log-sengs hp <name> format correlaon
show vsys <name> log-sengs hp <name> format correlaon headers
show vsys <name> log-sengs hp <name> format correlaon headers <name>
show vsys <name> log-sengs hp <name> format correlaon params
show vsys <name> log-sengs hp <name> format correlaon params <name>
show vsys <name> log-sengs profiles
show vsys <name> log-sengs profiles <name>
show vsys <name> log-sengs profiles <name> match-list
show vsys <name> log-sengs profiles <name> match-list <name>
show vsys <name> log-sengs profiles <name> match-list <name> acons
show vsys <name> log-sengs profiles <name> match-list <name> acons <name>
show vsys <name> log-sengs profiles <name> match-list <name> acons <name> type
show vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
show vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon
show vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon localhost
show vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon panorama
show vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon remote
show vsys <name> cerficate
show vsys <name> cerficate <name>

PAN-OS CLI Quick Start Version Version 10.1 374 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> cerficate <name>

show vsys <name> cerficate <name>
show vsys <name> ssl-tls-service-profile
show vsys <name> ssl-tls-service-profile <name>
show vsys <name> ssl-tls-service-profile <name> protocol-sengs
show vsys <name> response-page
show vsys <name> response-page global-protect-portal-custom-login-page
show vsys <name> response-page global-protect-portal-custom-login-page <name>
show vsys <name> response-page global-protect-portal-custom-home-page
show vsys <name> response-page global-protect-portal-custom-home-page <name>
show vsys <name> response-page global-protect-portal-custom-help-page
show vsys <name> response-page global-protect-portal-custom-help-page <name>
show vsys <name> response-page global-protect-portal-custom-welcome-page
show vsys <name> response-page global-protect-portal-custom-welcome-page <name>
show vsys <name> local-user-database
show vsys <name> local-user-database user
show vsys <name> local-user-database user <name>
show vsys <name> local-user-database user-group
show vsys <name> local-user-database user-group <name>
show vsys <name> ssl-decrypt
show vsys <name> ssl-decrypt forward-trust-cerficate
show vsys <name> ssl-decrypt forward-untrust-cerficate
show vsys <name> ssl-decrypt ssl-exclude-cert
show vsys <name> ssl-decrypt ssl-exclude-cert <name>
show vsys <name> ocsp-responder
show vsys <name> ocsp-responder <name>
show vsys <name> scep
show vsys <name> scep <name>
show vsys <name> scep <name> scep-challenge
show vsys <name> scep <name> scep-challenge none
show vsys <name> scep <name> scep-challenge dynamic
show vsys <name> scep <name> algorithm
show vsys <name> scep <name> algorithm rsa

PAN-OS CLI Quick Start Version Version 10.1 375 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> scep <name> cerficate-aributes

show vsys <name> ts-agent
show vsys <name> ts-agent <name>
show vsys <name> redistribuon-agent
show vsys <name> redistribuon-agent <name>
show vsys <name> redistribuon-agent <name>
show vsys <name> redistribuon-agent <name> host-port
show vsys <name> ipuser-include-exclude-list
show vsys <name> ipuser-include-exclude-list include-exclude-network
show vsys <name> ipuser-include-exclude-list include-exclude-network <name>
show vsys <name> iptag-include-exclude-list
show vsys <name> iptag-include-exclude-list include-exclude-network
show vsys <name> iptag-include-exclude-list include-exclude-network <name>
show vsys <name> redistribuon-collector
show vsys <name> redistribuon-collector seng
show vsys <name> user-id-ssl-auth
show vsys <name> vm-info-source
show vsys <name> vm-info-source <name>
show vsys <name> vm-info-source <name>
show vsys <name> vm-info-source <name> AWS-VPC
show vsys <name> vm-info-source <name> Google-Compute-Engine
show vsys <name> vm-info-source <name> Google-Compute-Engine service-auth-type
show vsys <name> vm-info-source <name> Google-Compute-Engine service-auth-type service-
in-gce
show vsys <name> vm-info-source <name> Google-Compute-Engine service-auth-type service-
account
show vsys <name> vm-info-source <name> VMware-ESXi
show vsys <name> vm-info-source <name> VMware-vCenter
show vsys <name> group-mapping
show vsys <name> group-mapping <name>
show vsys <name> group-mapping <name> custom-group
show vsys <name> group-mapping <name> custom-group <name>
show vsys <name> cloud-identy-engine
show vsys <name> cloud-identy-engine <name>

PAN-OS CLI Quick Start Version Version 10.1 376 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> capve-portal

show vsys <name> capve-portal mode
show vsys <name> capve-portal mode transparent
show vsys <name> capve-portal mode redirect
show vsys <name> capve-portal mode redirect session-cookie
show vsys <name> user-id-collector
show vsys <name> user-id-collector seng
show vsys <name> user-id-collector syslog-parse-profile
show vsys <name> user-id-collector syslog-parse-profile <name>
show vsys <name> user-id-collector syslog-parse-profile <name>
show vsys <name> user-id-collector syslog-parse-profile <name> regex-idenfier
show vsys <name> user-id-collector syslog-parse-profile <name> field-idenfier
show vsys <name> user-id-collector server-monitor
show vsys <name> user-id-collector server-monitor <name>
show vsys <name> user-id-collector server-monitor <name>
show vsys <name> user-id-collector server-monitor <name> acve-directory
show vsys <name> user-id-collector server-monitor <name> exchange
show vsys <name> user-id-collector server-monitor <name> e-directory
show vsys <name> user-id-collector server-monitor <name> syslog
show vsys <name> user-id-collector server-monitor <name> syslog syslog-parse-profile
show vsys <name> user-id-collector server-monitor <name> syslog syslog-parse-profile <name>
show vsys <name> user-id-collector include-exclude-network
show vsys <name> user-id-collector include-exclude-network <name>
show vsys <name> user-id-collector include-exclude-network-sequence
show vsys <name> url-admin-override
show vsys <name> url-admin-override mode
show vsys <name> url-admin-override mode transparent
show vsys <name> url-admin-override mode redirect
show vsys <name> zone
show vsys <name> zone <name>
show vsys <name> zone <name> network
show vsys <name> zone <name> network
show vsys <name> zone <name> network tunnel

PAN-OS CLI Quick Start Version Version 10.1 377 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> zone <name> user-acl

show vsys <name> zone <name> device-acl
show vsys <name> sdwan-interface-profile
show vsys <name> sdwan-interface-profile <name>
show vsys <name> global-protect
show vsys <name> global-protect global-protect-portal
show vsys <name> global-protect global-protect-portal <name>
show vsys <name> global-protect global-protect-portal <name> portal-config
show vsys <name> global-protect global-protect-portal <name> portal-config local-address
show vsys <name> global-protect global-protect-portal <name> portal-config local-address
show vsys <name> global-protect global-protect-portal <name> portal-config local-address ip
show vsys <name> global-protect global-protect-portal <name> portal-config local-address
floang-ip
show vsys <name> global-protect global-protect-portal <name> portal-config client-auth
show vsys <name> global-protect global-protect-portal <name> portal-config client-auth <name>
show vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
show vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks
show vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks windows
show vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks windows registry-key
show vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks windows registry-key <name>
show vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks mac-os
show vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks mac-os plist
show vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks mac-os plist <name>
show vsys <name> global-protect global-protect-portal <name> clientless-vpn
show vsys <name> global-protect global-protect-portal <name> clientless-vpn login-lifeme
show vsys <name> global-protect global-protect-portal <name> clientless-vpn inacvity-logout
show vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs
show vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol

PAN-OS CLI Quick Start Version Version 10.1 378 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs

server-cert-verificaon
show vsys <name> global-protect global-protect-portal <name> clientless-vpn apps-to-user-
mapping
show vsys <name> global-protect global-protect-portal <name> clientless-vpn apps-to-user-
mapping <name>
show vsys <name> global-protect global-protect-portal <name> clientless-vpn proxy-server-
seng
show vsys <name> global-protect global-protect-portal <name> clientless-vpn proxy-server-
seng <name>
show vsys <name> global-protect global-protect-portal <name> clientless-vpn proxy-server-
seng <name> proxy-server
show vsys <name> global-protect global-protect-portal <name> client-config
show vsys <name> global-protect global-protect-portal <name> client-config root-ca
show vsys <name> global-protect global-protect-portal <name> client-config root-ca <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
cerficate
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
cerficate criteria
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria registry-key
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria registry-key <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria registry-key <name> registry-value
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria registry-key <name> registry-value <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria plist
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria plist <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria plist <name> key

PAN-OS CLI Quick Start Version Version 10.1 379 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> global-protect global-protect-portal <name> client-config configs <name>

custom-checks criteria plist <name> key <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
machine-account-exists-with-serialno
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
machine-account-exists-with-serialno no
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
machine-account-exists-with-serialno yes
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal list
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal list <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal list <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal list <name> ip
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name> ip
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name> priority-rule
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name> priority-rule <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
internal-host-detecon
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
internal-host-detecon-v6
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
agent-ui

PAN-OS CLI Quick Start Version Version 10.1 380 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> global-protect global-protect-portal <name> client-config configs <name>

agent-ui welcome-page
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon exclusion
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon exclusion category
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon exclusion category <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon exclusion category <name> vendor
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon exclusion category <name> vendor <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks windows
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks windows registry-key
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks windows registry-key <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks mac-os
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks mac-os plist
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks mac-os plist <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks linux
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
agent-config
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> gp-
app-config
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> gp-
app-config config
show vsys <name> global-protect global-protect-portal <name> client-config configs <name> gp-
app-config config <name>
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
client-cerficate

PAN-OS CLI Quick Start Version Version 10.1 381 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> global-protect global-protect-portal <name> client-config configs <name>

authencaon-override
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
authencaon-override accept-cookie
show vsys <name> global-protect global-protect-portal <name> client-config configs <name>
authencaon-override accept-cookie cookie-lifeme
show vsys <name> global-protect global-protect-portal <name> satellite-config
show vsys <name> global-protect global-protect-portal <name> satellite-config client-cerficate
show vsys <name> global-protect global-protect-portal <name> satellite-config client-cerficate
local
show vsys <name> global-protect global-protect-portal <name> satellite-config client-cerficate
scep
show vsys <name> global-protect global-protect-portal <name> satellite-config configs
show vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
show vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways
show vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways <name>
show vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways <name>
show vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways <name> ip
show vsys <name> global-protect global-protect-gateway
show vsys <name> global-protect global-protect-gateway <name>
show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name>
show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> authencaon-override
show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> authencaon-override accept-cookie
show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> authencaon-override accept-cookie cookie-lifeme
show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> source-address
show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling
show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling include-domains

PAN-OS CLI Quick Start Version Version 10.1 382 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs

<name> split-tunneling include-domains list
show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling include-domains list <name>
show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling exclude-domains
show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling exclude-domains list
show vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling exclude-domains list <name>
show vsys <name> global-protect global-protect-gateway <name> client-auth
show vsys <name> global-protect global-protect-gateway <name> client-auth <name>
show vsys <name> global-protect global-protect-gateway <name> local-address
show vsys <name> global-protect global-protect-gateway <name> local-address
show vsys <name> global-protect global-protect-gateway <name> local-address ip
show vsys <name> global-protect global-protect-gateway <name> local-address floang-ip
show vsys <name> global-protect global-protect-gateway <name> security-restricons
show vsys <name> global-protect global-protect-gateway <name> security-restricons source-ip-
enforcement
show vsys <name> global-protect global-protect-gateway <name> security-restricons source-ip-
enforcement
show vsys <name> global-protect global-protect-gateway <name> security-restricons source-ip-
enforcement default
show vsys <name> global-protect global-protect-gateway <name> security-restricons source-ip-
enforcement custom
show vsys <name> global-protect global-protect-gateway <name> roles
show vsys <name> global-protect global-protect-gateway <name> roles <name>
show vsys <name> global-protect global-protect-gateway <name> roles <name> login-lifeme
show vsys <name> global-protect global-protect-gateway <name> hip-noficaon
show vsys <name> global-protect global-protect-gateway <name> hip-noficaon <name>
show vsys <name> global-protect global-protect-gateway <name> hip-noficaon <name>
match-message
show vsys <name> global-protect global-protect-gateway <name> hip-noficaon <name> not-
match-message
show vsys <name> global-protect global-protect-mdm
show vsys <name> global-protect global-protect-mdm <name>
show vsys <name> global-protect clientless-app

PAN-OS CLI Quick Start Version Version 10.1 383 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> global-protect clientless-app <name>

show vsys <name> global-protect clientless-app-group
show vsys <name> global-protect clientless-app-group <name>
show vsys <name> profiles
show vsys <name> profiles hip-objects
show vsys <name> profiles hip-objects <name>
show vsys <name> profiles hip-objects <name> host-info
show vsys <name> profiles hip-objects <name> host-info criteria
show vsys <name> profiles hip-objects <name> host-info criteria domain
show vsys <name> profiles hip-objects <name> host-info criteria domain
show vsys <name> profiles hip-objects <name> host-info criteria os
show vsys <name> profiles hip-objects <name> host-info criteria os
show vsys <name> profiles hip-objects <name> host-info criteria os contains
show vsys <name> profiles hip-objects <name> host-info criteria os contains
show vsys <name> profiles hip-objects <name> host-info criteria client-version
show vsys <name> profiles hip-objects <name> host-info criteria client-version
show vsys <name> profiles hip-objects <name> host-info criteria host-name
show vsys <name> profiles hip-objects <name> host-info criteria host-name
show vsys <name> profiles hip-objects <name> host-info criteria host-id
show vsys <name> profiles hip-objects <name> host-info criteria host-id
show vsys <name> profiles hip-objects <name> host-info criteria serial-number
show vsys <name> profiles hip-objects <name> host-info criteria serial-number
show vsys <name> profiles hip-objects <name> network-info
show vsys <name> profiles hip-objects <name> network-info criteria
show vsys <name> profiles hip-objects <name> network-info criteria network
show vsys <name> profiles hip-objects <name> network-info criteria network is
show vsys <name> profiles hip-objects <name> network-info criteria network is wifi
show vsys <name> profiles hip-objects <name> network-info criteria network is mobile
show vsys <name> profiles hip-objects <name> network-info criteria network is unknown
show vsys <name> profiles hip-objects <name> network-info criteria network is-not
show vsys <name> profiles hip-objects <name> network-info criteria network is-not wifi
show vsys <name> profiles hip-objects <name> network-info criteria network is-not mobile
show vsys <name> profiles hip-objects <name> network-info criteria network is-not ethernet

PAN-OS CLI Quick Start Version Version 10.1 384 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> profiles hip-objects <name> network-info criteria network is-not unknown
show vsys <name> profiles hip-objects <name> patch-management
show vsys <name> profiles hip-objects <name> patch-management criteria
show vsys <name> profiles hip-objects <name> patch-management criteria missing-patches
show vsys <name> profiles hip-objects <name> patch-management criteria missing-patches
severity
show vsys <name> profiles hip-objects <name> patch-management criteria missing-patches
severity
show vsys <name> profiles hip-objects <name> patch-management vendor
show vsys <name> profiles hip-objects <name> patch-management vendor <name>
show vsys <name> profiles hip-objects <name> data-loss-prevenon
show vsys <name> profiles hip-objects <name> data-loss-prevenon criteria
show vsys <name> profiles hip-objects <name> data-loss-prevenon vendor
show vsys <name> profiles hip-objects <name> data-loss-prevenon vendor <name>
show vsys <name> profiles hip-objects <name> firewall
show vsys <name> profiles hip-objects <name> firewall criteria
show vsys <name> profiles hip-objects <name> firewall vendor
show vsys <name> profiles hip-objects <name> firewall vendor <name>
show vsys <name> profiles hip-objects <name> an-malware
show vsys <name> profiles hip-objects <name> an-malware criteria
show vsys <name> profiles hip-objects <name> an-malware criteria virdef-version
show vsys <name> profiles hip-objects <name> an-malware criteria virdef-version
show vsys <name> profiles hip-objects <name> an-malware criteria virdef-version within
show vsys <name> profiles hip-objects <name> an-malware criteria virdef-version not-within
show vsys <name> profiles hip-objects <name> an-malware criteria product-version
show vsys <name> profiles hip-objects <name> an-malware criteria product-version
show vsys <name> profiles hip-objects <name> an-malware criteria product-version within
show vsys <name> profiles hip-objects <name> an-malware criteria product-version not-within
show vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me
show vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me
show vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me not-available
show vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me within
show vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me not-within
show vsys <name> profiles hip-objects <name> an-malware vendor

PAN-OS CLI Quick Start Version Version 10.1 385 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> profiles hip-objects <name> an-malware vendor <name>

show vsys <name> profiles hip-objects <name> disk-backup
show vsys <name> profiles hip-objects <name> disk-backup criteria
show vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me
show vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me
show vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me not-
available
show vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me within
show vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me not-within
show vsys <name> profiles hip-objects <name> disk-backup vendor
show vsys <name> profiles hip-objects <name> disk-backup vendor <name>
show vsys <name> profiles hip-objects <name> disk-encrypon
show vsys <name> profiles hip-objects <name> disk-encrypon criteria
show vsys <name> profiles hip-objects <name> disk-encrypon criteria encrypted-locaons
show vsys <name> profiles hip-objects <name> disk-encrypon criteria encrypted-locaons
<name>
show vsys <name> profiles hip-objects <name> disk-encrypon criteria encrypted-locaons
<name> encrypon-state
show vsys <name> profiles hip-objects <name> disk-encrypon vendor
show vsys <name> profiles hip-objects <name> disk-encrypon vendor <name>
show vsys <name> profiles hip-objects <name> custom-checks
show vsys <name> profiles hip-objects <name> custom-checks criteria
show vsys <name> profiles hip-objects <name> custom-checks criteria process-list
show vsys <name> profiles hip-objects <name> custom-checks criteria process-list <name>
show vsys <name> profiles hip-objects <name> custom-checks criteria registry-key
show vsys <name> profiles hip-objects <name> custom-checks criteria registry-key <name>
show vsys <name> profiles hip-objects <name> custom-checks criteria registry-key <name>
registry-value
show vsys <name> profiles hip-objects <name> custom-checks criteria registry-key <name>
registry-value <name>
show vsys <name> profiles hip-objects <name> custom-checks criteria plist
show vsys <name> profiles hip-objects <name> custom-checks criteria plist <name>
show vsys <name> profiles hip-objects <name> custom-checks criteria plist <name> key
show vsys <name> profiles hip-objects <name> custom-checks criteria plist <name> key <name>
show vsys <name> profiles hip-objects <name> mobile-device

PAN-OS CLI Quick Start Version Version 10.1 386 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> profiles hip-objects <name> mobile-device criteria

show vsys <name> profiles hip-objects <name> mobile-device criteria last-checkin-me
show vsys <name> profiles hip-objects <name> mobile-device criteria last-checkin-me
show vsys <name> profiles hip-objects <name> mobile-device criteria last-checkin-me within
show vsys <name> profiles hip-objects <name> mobile-device criteria last-checkin-me not-
within
show vsys <name> profiles hip-objects <name> mobile-device criteria imei
show vsys <name> profiles hip-objects <name> mobile-device criteria imei
show vsys <name> profiles hip-objects <name> mobile-device criteria model
show vsys <name> profiles hip-objects <name> mobile-device criteria model
show vsys <name> profiles hip-objects <name> mobile-device criteria phone-number
show vsys <name> profiles hip-objects <name> mobile-device criteria phone-number
show vsys <name> profiles hip-objects <name> mobile-device criteria tag
show vsys <name> profiles hip-objects <name> mobile-device criteria tag
show vsys <name> profiles hip-objects <name> mobile-device criteria applicaons
show vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-malware
show vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-malware
no
show vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-malware
yes
show vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-malware
yes excludes
show vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-malware
yes excludes <name>
show vsys <name> profiles hip-objects <name> mobile-device criteria applicaons includes
show vsys <name> profiles hip-objects <name> mobile-device criteria applicaons includes
<name>
show vsys <name> profiles hip-objects <name> cerficate
show vsys <name> profiles hip-objects <name> cerficate criteria
show vsys <name> profiles hip-objects <name> cerficate criteria cerficate-aributes
show vsys <name> profiles hip-objects <name> cerficate criteria cerficate-aributes <name>
show vsys <name> profiles virus
show vsys <name> profiles virus <name>
show vsys <name> profiles virus <name> mlav-engine-filebased-enabled
show vsys <name> profiles virus <name> mlav-engine-filebased-enabled <name>

PAN-OS CLI Quick Start Version Version 10.1 387 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> profiles virus <name> decoder

show vsys <name> profiles virus <name> decoder <name>
show vsys <name> profiles virus <name> applicaon
show vsys <name> profiles virus <name> applicaon <name>
show vsys <name> profiles virus <name> threat-excepon
show vsys <name> profiles virus <name> threat-excepon <name>
show vsys <name> profiles virus <name> mlav-excepon
show vsys <name> profiles virus <name> mlav-excepon <name>
show vsys <name> profiles spyware
show vsys <name> profiles spyware <name>
show vsys <name> profiles spyware <name> botnet-domains
show vsys <name> profiles spyware <name> botnet-domains lists
show vsys <name> profiles spyware <name> botnet-domains lists <name>
show vsys <name> profiles spyware <name> botnet-domains lists <name> acon
show vsys <name> profiles spyware <name> botnet-domains lists <name> acon alert
show vsys <name> profiles spyware <name> botnet-domains lists <name> acon allow
show vsys <name> profiles spyware <name> botnet-domains lists <name> acon block
show vsys <name> profiles spyware <name> botnet-domains lists <name> acon sinkhole
show vsys <name> profiles spyware <name> botnet-domains dns-security-categories
show vsys <name> profiles spyware <name> botnet-domains dns-security-categories <name>
show vsys <name> profiles spyware <name> botnet-domains whitelist
show vsys <name> profiles spyware <name> botnet-domains whitelist <name>
show vsys <name> profiles spyware <name> botnet-domains sinkhole
show vsys <name> profiles spyware <name> botnet-domains threat-excepon
show vsys <name> profiles spyware <name> botnet-domains threat-excepon <name>
show vsys <name> profiles spyware <name> rules
show vsys <name> profiles spyware <name> rules <name>
show vsys <name> profiles spyware <name> rules <name> acon
show vsys <name> profiles spyware <name> rules <name> acon default
show vsys <name> profiles spyware <name> rules <name> acon allow
show vsys <name> profiles spyware <name> rules <name> acon alert
show vsys <name> profiles spyware <name> rules <name> acon drop
show vsys <name> profiles spyware <name> rules <name> acon reset-client

PAN-OS CLI Quick Start Version Version 10.1 388 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> profiles spyware <name> rules <name> acon reset-server
show vsys <name> profiles spyware <name> rules <name> acon reset-both
show vsys <name> profiles spyware <name> rules <name> acon block-ip
show vsys <name> profiles spyware <name> threat-excepon
show vsys <name> profiles spyware <name> threat-excepon <name>
show vsys <name> profiles spyware <name> threat-excepon <name> acon
show vsys <name> profiles spyware <name> threat-excepon <name> acon default
show vsys <name> profiles spyware <name> threat-excepon <name> acon allow
show vsys <name> profiles spyware <name> threat-excepon <name> acon alert
show vsys <name> profiles spyware <name> threat-excepon <name> acon drop
show vsys <name> profiles spyware <name> threat-excepon <name> acon reset-both
show vsys <name> profiles spyware <name> threat-excepon <name> acon reset-client
show vsys <name> profiles spyware <name> threat-excepon <name> acon reset-server
show vsys <name> profiles spyware <name> threat-excepon <name> acon block-ip
show vsys <name> profiles spyware <name> threat-excepon <name> exempt-ip
show vsys <name> profiles spyware <name> threat-excepon <name> exempt-ip <name>
show vsys <name> profiles vulnerability
show vsys <name> profiles vulnerability <name>
show vsys <name> profiles vulnerability <name> rules
show vsys <name> profiles vulnerability <name> rules <name>
show vsys <name> profiles vulnerability <name> rules <name> acon
show vsys <name> profiles vulnerability <name> rules <name> acon default
show vsys <name> profiles vulnerability <name> rules <name> acon allow
show vsys <name> profiles vulnerability <name> rules <name> acon alert
show vsys <name> profiles vulnerability <name> rules <name> acon drop
show vsys <name> profiles vulnerability <name> rules <name> acon reset-client
show vsys <name> profiles vulnerability <name> rules <name> acon reset-server
show vsys <name> profiles vulnerability <name> rules <name> acon reset-both
show vsys <name> profiles vulnerability <name> rules <name> acon block-ip
show vsys <name> profiles vulnerability <name> threat-excepon
show vsys <name> profiles vulnerability <name> threat-excepon <name>
show vsys <name> profiles vulnerability <name> threat-excepon <name> acon
show vsys <name> profiles vulnerability <name> threat-excepon <name> acon default

PAN-OS CLI Quick Start Version Version 10.1 389 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> profiles vulnerability <name> threat-excepon <name> acon allow
show vsys <name> profiles vulnerability <name> threat-excepon <name> acon alert
show vsys <name> profiles vulnerability <name> threat-excepon <name> acon drop
show vsys <name> profiles vulnerability <name> threat-excepon <name> acon reset-client
show vsys <name> profiles vulnerability <name> threat-excepon <name> acon reset-server
show vsys <name> profiles vulnerability <name> threat-excepon <name> acon reset-both
show vsys <name> profiles vulnerability <name> threat-excepon <name> acon block-ip
show vsys <name> profiles vulnerability <name> threat-excepon <name> me-aribute
show vsys <name> profiles vulnerability <name> threat-excepon <name> exempt-ip
show vsys <name> profiles vulnerability <name> threat-excepon <name> exempt-ip <name>
show vsys <name> profiles url-filtering
show vsys <name> profiles url-filtering <name>
show vsys <name> profiles url-filtering <name> credenal-enforcement
show vsys <name> profiles url-filtering <name> credenal-enforcement mode
show vsys <name> profiles url-filtering <name> credenal-enforcement mode disabled
show vsys <name> profiles url-filtering <name> credenal-enforcement mode ip-user
show vsys <name> profiles url-filtering <name> credenal-enforcement mode domain-credenals
show vsys <name> profiles url-filtering <name> hp-header-inseron
show vsys <name> profiles url-filtering <name> hp-header-inseron <name>
show vsys <name> profiles url-filtering <name> hp-header-inseron <name> type
show vsys <name> profiles url-filtering <name> hp-header-inseron <name> type <name>
show vsys <name> profiles url-filtering <name> hp-header-inseron <name> type <name>
headers
show vsys <name> profiles url-filtering <name> hp-header-inseron <name> type <name>
headers <name>
show vsys <name> profiles url-filtering <name> mlav-engine-urlbased-enabled
show vsys <name> profiles url-filtering <name> mlav-engine-urlbased-enabled <name>
show vsys <name> profiles file-blocking
show vsys <name> profiles file-blocking <name>
show vsys <name> profiles file-blocking <name> rules
show vsys <name> profiles file-blocking <name> rules <name>
show vsys <name> profiles wildfire-analysis
show vsys <name> profiles wildfire-analysis <name>
show vsys <name> profiles wildfire-analysis <name> rules

PAN-OS CLI Quick Start Version Version 10.1 390 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> profiles wildfire-analysis <name> rules <name>

show vsys <name> profiles custom-url-category
show vsys <name> profiles custom-url-category <name>
show vsys <name> profiles data-objects
show vsys <name> profiles data-objects <name>
show vsys <name> profiles data-objects <name> paern-type
show vsys <name> profiles data-objects <name> paern-type predefined
show vsys <name> profiles data-objects <name> paern-type predefined paern
show vsys <name> profiles data-objects <name> paern-type predefined paern <name>
show vsys <name> profiles data-objects <name> paern-type regex
show vsys <name> profiles data-objects <name> paern-type regex paern
show vsys <name> profiles data-objects <name> paern-type regex paern <name>
show vsys <name> profiles data-objects <name> paern-type file-properes
show vsys <name> profiles data-objects <name> paern-type file-properes paern
show vsys <name> profiles data-objects <name> paern-type file-properes paern <name>
show vsys <name> profiles data-filtering
show vsys <name> profiles data-filtering <name>
show vsys <name> profiles data-filtering <name> rules
show vsys <name> profiles data-filtering <name> rules <name>
show vsys <name> profiles hip-profiles
show vsys <name> profiles hip-profiles <name>
show vsys <name> profiles dos-protecon
show vsys <name> profiles dos-protecon <name>
show vsys <name> profiles dos-protecon <name> flood
show vsys <name> profiles dos-protecon <name> flood tcp-syn
show vsys <name> profiles dos-protecon <name> flood tcp-syn
show vsys <name> profiles dos-protecon <name> flood tcp-syn red
show vsys <name> profiles dos-protecon <name> flood tcp-syn red block
show vsys <name> profiles dos-protecon <name> flood tcp-syn syn-cookies
show vsys <name> profiles dos-protecon <name> flood tcp-syn syn-cookies block
show vsys <name> profiles dos-protecon <name> flood udp
show vsys <name> profiles dos-protecon <name> flood udp red
show vsys <name> profiles dos-protecon <name> flood udp red block

PAN-OS CLI Quick Start Version Version 10.1 391 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> profiles dos-protecon <name> flood icmp

show vsys <name> profiles dos-protecon <name> flood icmp red
show vsys <name> profiles dos-protecon <name> flood icmp red block
show vsys <name> profiles dos-protecon <name> flood icmpv6
show vsys <name> profiles dos-protecon <name> flood icmpv6 red
show vsys <name> profiles dos-protecon <name> flood icmpv6 red block
show vsys <name> profiles dos-protecon <name> flood other-ip
show vsys <name> profiles dos-protecon <name> flood other-ip red
show vsys <name> profiles dos-protecon <name> flood other-ip red block
show vsys <name> profiles dos-protecon <name> resource
show vsys <name> profiles dos-protecon <name> resource sessions
show vsys <name> profiles sdwan-path-quality
show vsys <name> profiles sdwan-path-quality <name>
show vsys <name> profiles sdwan-path-quality <name> metric
show vsys <name> profiles sdwan-path-quality <name> metric latency
show vsys <name> profiles sdwan-path-quality <name> metric pkt-loss
show vsys <name> profiles sdwan-path-quality <name> metric jier
show vsys <name> profiles sdwan-traffic-distribuon
show vsys <name> profiles sdwan-traffic-distribuon <name>
show vsys <name> profiles sdwan-traffic-distribuon <name> link-tags
show vsys <name> profiles sdwan-traffic-distribuon <name> link-tags <name>
show vsys <name> profiles sdwan-saas-quality
show vsys <name> profiles sdwan-saas-quality <name>
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode adapve
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip ip-address
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip ip-address
<name>
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip fqdn
show vsys <name> profiles sdwan-saas-quality <name> monitor-mode hp-hps
show vsys <name> profiles sdwan-error-correcon

PAN-OS CLI Quick Start Version Version 10.1 392 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> profiles sdwan-error-correcon <name>

show vsys <name> profiles sdwan-error-correcon <name> mode
show vsys <name> profiles sdwan-error-correcon <name> mode
show vsys <name> profiles sdwan-error-correcon <name> mode forward-error-correcon
show vsys <name> profiles sdwan-error-correcon <name> mode packet-duplicaon
show vsys <name> profiles decrypon
show vsys <name> profiles decrypon <name>
show vsys <name> profiles decrypon <name> ssl-forward-proxy
show vsys <name> profiles decrypon <name> ssl-inbound-proxy
show vsys <name> profiles decrypon <name> ssl-protocol-sengs
show vsys <name> profiles decrypon <name> ssl-no-proxy
show vsys <name> profiles decrypon <name> ssh-proxy
show vsys <name> profiles packet-broker
show vsys <name> profiles packet-broker <name>
show vsys <name> profiles packet-broker <name>
show vsys <name> profiles packet-broker <name> transparent
show vsys <name> profiles packet-broker <name> routed
show vsys <name> profiles packet-broker <name> routed security-chain
show vsys <name> profiles packet-broker <name> routed security-chain <name>
show vsys <name> profiles packet-broker <name> health-check
show vsys <name> profile-group
show vsys <name> profile-group <name>
show vsys <name> service
show vsys <name> service <name>
show vsys <name> service <name> protocol
show vsys <name> service <name> protocol tcp
show vsys <name> service <name> protocol tcp override
show vsys <name> service <name> protocol tcp override no
show vsys <name> service <name> protocol tcp override yes
show vsys <name> service <name> protocol udp
show vsys <name> service <name> protocol udp override
show vsys <name> service <name> protocol udp override no
show vsys <name> service <name> protocol udp override yes

PAN-OS CLI Quick Start Version Version 10.1 393 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> service-group

show vsys <name> service-group <name>
show vsys <name> reports
show vsys <name> reports <name>
show vsys <name> reports <name> type
show vsys <name> reports <name> type appstat
show vsys <name> reports <name> type decrypon
show vsys <name> reports <name> type desum
show vsys <name> reports <name> type threat
show vsys <name> reports <name> type url
show vsys <name> reports <name> type wildfire
show vsys <name> reports <name> type data
show vsys <name> reports <name> type thsum
show vsys <name> reports <name> type traffic
show vsys <name> reports <name> type urlsum
show vsys <name> reports <name> type trsum
show vsys <name> reports <name> type tunnel
show vsys <name> reports <name> type tunnelsum
show vsys <name> reports <name> type userid
show vsys <name> reports <name> type auth
show vsys <name> reports <name> type iptag
show vsys <name> reports <name> type hipmatch
show vsys <name> reports <name> type globalprotect
show vsys <name> report-group
show vsys <name> report-group <name>
show vsys <name> report-group <name>
show vsys <name> report-group <name> custom-widget
show vsys <name> report-group <name> custom-widget <name>
show vsys <name> report-group <name> custom-widget <name>
show vsys <name> report-group <name>
show vsys <name> report-group <name> all
show vsys <name> report-group <name> all entry
show vsys <name> report-group <name> selected-zone

PAN-OS CLI Quick Start Version Version 10.1 394 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> report-group <name> selected-zone entry

show vsys <name> report-group <name> selected-user-group
show vsys <name> report-group <name> selected-user-group entry
show vsys <name> report-group <name> variable
show vsys <name> report-group <name> variable <name>
show vsys <name> pdf-summary-report
show vsys <name> pdf-summary-report <name>
show vsys <name> pdf-summary-report <name> header
show vsys <name> pdf-summary-report <name> footer
show vsys <name> pdf-summary-report <name> custom-widget
show vsys <name> pdf-summary-report <name> custom-widget <name>
show vsys <name> email-scheduler
show vsys <name> email-scheduler <name>
show vsys <name> email-scheduler <name> recurring
show vsys <name> email-scheduler <name> recurring disabled
show vsys <name> email-scheduler <name> recurring daily
show vsys <name> external-list
show vsys <name> external-list <name>
show vsys <name> external-list <name> type
show vsys <name> external-list <name> type predefined-ip
show vsys <name> external-list <name> type predefined-url
show vsys <name> external-list <name> type ip
show vsys <name> external-list <name> type ip auth
show vsys <name> external-list <name> type ip recurring
show vsys <name> external-list <name> type ip recurring
show vsys <name> external-list <name> type ip recurring five-minute
show vsys <name> external-list <name> type ip recurring hourly
show vsys <name> external-list <name> type ip recurring daily
show vsys <name> external-list <name> type ip recurring weekly
show vsys <name> external-list <name> type ip recurring monthly
show vsys <name> external-list <name> type domain
show vsys <name> external-list <name> type domain auth
show vsys <name> external-list <name> type domain recurring

PAN-OS CLI Quick Start Version Version 10.1 395 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> external-list <name> type domain recurring

show vsys <name> external-list <name> type domain recurring hourly
show vsys <name> external-list <name> type domain recurring five-minute
show vsys <name> external-list <name> type domain recurring daily
show vsys <name> external-list <name> type domain recurring weekly
show vsys <name> external-list <name> type domain recurring monthly
show vsys <name> external-list <name> type url
show vsys <name> external-list <name> type url auth
show vsys <name> external-list <name> type url recurring
show vsys <name> external-list <name> type url recurring
show vsys <name> external-list <name> type url recurring hourly
show vsys <name> external-list <name> type url recurring five-minute
show vsys <name> external-list <name> type url recurring daily
show vsys <name> external-list <name> type url recurring weekly
show vsys <name> external-list <name> type url recurring monthly
show vsys <name> address
show vsys <name> address <name>
show vsys <name> address <name>
show vsys <name> address-group
show vsys <name> address-group <name>
show vsys <name> address-group <name>
show vsys <name> address-group <name> dynamic
show vsys <name> dynamic-user-group
show vsys <name> dynamic-user-group <name>
show vsys <name> schedule
show vsys <name> schedule <name>
show vsys <name> schedule <name> schedule-type
show vsys <name> schedule <name> schedule-type recurring
show vsys <name> schedule <name> schedule-type recurring weekly
show vsys <name> threats
show vsys <name> threats vulnerability
show vsys <name> threats vulnerability <name>
show vsys <name> threats vulnerability <name> affected-host

PAN-OS CLI Quick Start Version Version 10.1 396 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> threats vulnerability <name> default-acon

show vsys <name> threats vulnerability <name> default-acon alert
show vsys <name> threats vulnerability <name> default-acon drop
show vsys <name> threats vulnerability <name> default-acon reset-client
show vsys <name> threats vulnerability <name> default-acon reset-server
show vsys <name> threats vulnerability <name> default-acon reset-both
show vsys <name> threats vulnerability <name> default-acon block-ip
show vsys <name> threats vulnerability <name> default-acon allow
show vsys <name> threats vulnerability <name> signature
show vsys <name> threats vulnerability <name> signature standard
show vsys <name> threats vulnerability <name> signature standard <name>
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name>
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name>
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator less-than
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator less-than qualifier
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator less-than qualifier <name>
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator equal-to
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator equal-to qualifier
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator equal-to qualifier <name>
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator greater-than
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator greater-than qualifier
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator greater-than qualifier <name>

PAN-OS CLI Quick Start Version Version 10.1 397 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator paern-match
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator paern-match qualifier
show vsys <name> threats vulnerability <name> signature standard <name> and-condion
<name> or-condion <name> operator paern-match qualifier <name>
show vsys <name> threats vulnerability <name> signature combinaon
show vsys <name> threats vulnerability <name> signature combinaon me-aribute
show vsys <name> threats vulnerability <name> signature combinaon and-condion
show vsys <name> threats vulnerability <name> signature combinaon and-condion <name>
show vsys <name> threats vulnerability <name> signature combinaon and-condion <name> or-
condion
show vsys <name> threats vulnerability <name> signature combinaon and-condion <name> or-
condion <name>
show vsys <name> threats spyware
show vsys <name> threats spyware <name>
show vsys <name> threats spyware <name> default-acon
show vsys <name> threats spyware <name> default-acon alert
show vsys <name> threats spyware <name> default-acon drop
show vsys <name> threats spyware <name> default-acon reset-client
show vsys <name> threats spyware <name> default-acon reset-server
show vsys <name> threats spyware <name> default-acon reset-both
show vsys <name> threats spyware <name> default-acon block-ip
show vsys <name> threats spyware <name> default-acon allow
show vsys <name> threats spyware <name> signature
show vsys <name> threats spyware <name> signature standard
show vsys <name> threats spyware <name> signature standard <name>
show vsys <name> threats spyware <name> signature standard <name> and-condion
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name>
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator

PAN-OS CLI Quick Start Version Version 10.1 398 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator less-than
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator less-than qualifier
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator less-than qualifier <name>
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator equal-to
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator equal-to qualifier
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator equal-to qualifier <name>
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator greater-than
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator greater-than qualifier
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator greater-than qualifier <name>
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator paern-match
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator paern-match qualifier
show vsys <name> threats spyware <name> signature standard <name> and-condion <name>
or-condion <name> operator paern-match qualifier <name>
show vsys <name> threats spyware <name> signature combinaon
show vsys <name> threats spyware <name> signature combinaon me-aribute
show vsys <name> threats spyware <name> signature combinaon and-condion
show vsys <name> threats spyware <name> signature combinaon and-condion <name>
show vsys <name> threats spyware <name> signature combinaon and-condion <name> or-
condion
show vsys <name> threats spyware <name> signature combinaon and-condion <name> or-
condion <name>
show vsys <name> applicaon
show vsys <name> applicaon <name>
show vsys <name> applicaon <name> default
show vsys <name> applicaon <name> default ident-by-icmp-type
show vsys <name> applicaon <name> default ident-by-icmp6-type
show vsys <name> applicaon <name> signature

PAN-OS CLI Quick Start Version Version 10.1 399 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> applicaon <name> signature <name>

show vsys <name> applicaon <name> signature <name> and-condion
show vsys <name> applicaon <name> signature <name> and-condion <name>
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name>
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator paern-match
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator paern-match qualifier
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator paern-match qualifier <name>
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator greater-than
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator greater-than qualifier
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator greater-than qualifier <name>
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator less-than
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator less-than qualifier
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator less-than qualifier <name>
show vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator equal-to
show vsys <name> applicaon-tag
show vsys <name> applicaon-tag <name>
show vsys <name> applicaon-filter
show vsys <name> applicaon-filter <name>
show vsys <name> applicaon-filter <name> tagging
show vsys <name> applicaon-group
show vsys <name> applicaon-group <name>
show vsys <name> device-object
show vsys <name> device-object <name>

PAN-OS CLI Quick Start Version Version 10.1 400 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> region

show vsys <name> region <name>
show vsys <name> region <name> geo-locaon
show vsys <name> tag
show vsys <name> tag <name>
show vsys <name> authencaon-object
show vsys <name> authencaon-object <name>
show vsys <name> rulebase
show vsys <name> rulebase security
show vsys <name> rulebase security rules
show vsys <name> rulebase security rules <name>
show vsys <name> rulebase security rules <name> opon
show vsys <name> rulebase security rules <name> profile-seng
show vsys <name> rulebase security rules <name> profile-seng profiles
show vsys <name> rulebase security rules <name> qos
show vsys <name> rulebase security rules <name> qos marking
show vsys <name> rulebase security rules <name> qos marking follow-c2s-flow
show vsys <name> rulebase default-security-rules
show vsys <name> rulebase default-security-rules rules
show vsys <name> rulebase default-security-rules rules <name>
show vsys <name> rulebase default-security-rules rules <name> profile-seng
show vsys <name> rulebase default-security-rules rules <name> profile-seng profiles
show vsys <name> rulebase applicaon-override
show vsys <name> rulebase applicaon-override rules
show vsys <name> rulebase applicaon-override rules <name>
show vsys <name> rulebase decrypon
show vsys <name> rulebase decrypon rules
show vsys <name> rulebase decrypon rules <name>
show vsys <name> rulebase decrypon rules <name> type
show vsys <name> rulebase decrypon rules <name> type ssl-forward-proxy
show vsys <name> rulebase decrypon rules <name> type ssh-proxy
show vsys <name> rulebase authencaon
show vsys <name> rulebase authencaon rules

PAN-OS CLI Quick Start Version Version 10.1 401 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> rulebase authencaon rules <name>

show vsys <name> rulebase tunnel-inspect
show vsys <name> rulebase tunnel-inspect rules
show vsys <name> rulebase tunnel-inspect rules <name>
show vsys <name> rulebase tunnel-inspect rules <name> tunnel-id
show vsys <name> rulebase tunnel-inspect rules <name> tunnel-id vni
show vsys <name> rulebase tunnel-inspect rules <name> tunnel-id vni <name>
show vsys <name> rulebase tunnel-inspect rules <name> inspect-opons
show vsys <name> rulebase tunnel-inspect rules <name> zone-assign
show vsys <name> rulebase tunnel-inspect rules <name> monitor-opons
show vsys <name> rulebase tunnel-inspect rules <name> monitor-opons log-seng-override
show vsys <name> rulebase nat
show vsys <name> rulebase nat rules
show vsys <name> rulebase nat rules <name>
show vsys <name> rulebase nat rules <name> source-translaon
show vsys <name> rulebase nat rules <name> source-translaon
show vsys <name> rulebase nat rules <name> source-translaon dynamic-ip-and-port
show vsys <name> rulebase nat rules <name> source-translaon dynamic-ip-and-port
show vsys <name> rulebase nat rules <name> source-translaon dynamic-ip-and-port interface-
address
show vsys <name> rulebase nat rules <name> source-translaon dynamic-ip-and-port interface-
address
show vsys <name> rulebase nat rules <name> source-translaon dynamic-ip
show vsys <name> rulebase nat rules <name> source-translaon dynamic-ip fallback
show vsys <name> rulebase nat rules <name> source-translaon dynamic-ip fallback
show vsys <name> rulebase nat rules <name> source-translaon dynamic-ip fallback interface-
address
show vsys <name> rulebase nat rules <name> source-translaon dynamic-ip fallback interface-
address
show vsys <name> rulebase nat rules <name> source-translaon stac-ip
show vsys <name> rulebase nat rules <name>
show vsys <name> rulebase nat rules <name> desnaon-translaon
show vsys <name> rulebase nat rules <name> desnaon-translaon
show vsys <name> rulebase nat rules <name> desnaon-translaon dns-rewrite
show vsys <name> rulebase nat rules <name> dynamic-desnaon-translaon

PAN-OS CLI Quick Start Version Version 10.1 402 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> rulebase qos

show vsys <name> rulebase qos rules
show vsys <name> rulebase qos rules <name>
show vsys <name> rulebase qos rules <name> dscp-tos
show vsys <name> rulebase qos rules <name> dscp-tos any
show vsys <name> rulebase qos rules <name> dscp-tos codepoints
show vsys <name> rulebase qos rules <name> dscp-tos codepoints <name>
show vsys <name> rulebase qos rules <name> dscp-tos codepoints <name>
show vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> ef
show vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> af
show vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> cs
show vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> tos
show vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> custom
show vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> custom codepoint
show vsys <name> rulebase qos rules <name> acon
show vsys <name> rulebase pbf
show vsys <name> rulebase pbf rules
show vsys <name> rulebase pbf rules <name>
show vsys <name> rulebase pbf rules <name> from
show vsys <name> rulebase pbf rules <name> from
show vsys <name> rulebase pbf rules <name> acon
show vsys <name> rulebase pbf rules <name> acon
show vsys <name> rulebase pbf rules <name> acon forward
show vsys <name> rulebase pbf rules <name> acon forward nexthop
show vsys <name> rulebase pbf rules <name> acon forward nexthop
show vsys <name> rulebase pbf rules <name> acon forward monitor
show vsys <name> rulebase pbf rules <name> acon discard
show vsys <name> rulebase pbf rules <name> acon no-pbf
show vsys <name> rulebase pbf rules <name> enforce-symmetric-return
show vsys <name> rulebase pbf rules <name> enforce-symmetric-return nexthop-address-list
show vsys <name> rulebase pbf rules <name> enforce-symmetric-return nexthop-address-list
<name>
show vsys <name> rulebase sdwan
show vsys <name> rulebase sdwan rules

PAN-OS CLI Quick Start Version Version 10.1 403 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

show vsys <name> rulebase sdwan rules <name>

show vsys <name> rulebase sdwan rules <name> acon
show vsys <name> rulebase dos
show vsys <name> rulebase dos rules
show vsys <name> rulebase dos rules <name>
show vsys <name> rulebase dos rules <name> from
show vsys <name> rulebase dos rules <name> from
show vsys <name> rulebase dos rules <name> to
show vsys <name> rulebase dos rules <name> to
show vsys <name> rulebase dos rules <name> protecon
show vsys <name> rulebase dos rules <name> protecon aggregate
show vsys <name> rulebase dos rules <name> protecon classified
show vsys <name> rulebase dos rules <name> protecon classified classificaon-criteria
show vsys <name> rulebase dos rules <name> acon
show vsys <name> rulebase dos rules <name> acon
show vsys <name> rulebase dos rules <name> acon deny
show vsys <name> rulebase dos rules <name> acon allow
show vsys <name> rulebase dos rules <name> acon protect
show vsys <name> rulebase network-packet-broker
show vsys <name> rulebase network-packet-broker rules
show vsys <name> rulebase network-packet-broker rules <name>
show vsys <name> rulebase network-packet-broker rules <name> traffic-type
show vsys <name> rulebase network-packet-broker rules <name> acon
set deviceconfig
set deviceconfig system
set deviceconfig system type
set deviceconfig system type
set deviceconfig system type stac
set deviceconfig system type dhcp-client
set deviceconfig system type dhcp-client send-hostname <yes|no>
set deviceconfig system type dhcp-client send-client-id <yes|no>
set deviceconfig system type dhcp-client accept-dhcp-hostname <yes|no>
set deviceconfig system type dhcp-client accept-dhcp-domain <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 404 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system login-banner <value>

set deviceconfig system ack-login-banner <yes|no>
set deviceconfig system hostname <value>
set deviceconfig system domain <value>
set deviceconfig system speed-duplex <auto-negoate|10Mbps-half-duplex|10Mbps-full-duplex|
100Mbps-half-duplex|100Mbps-full-duplex|1Gbps-half-duplex|1Gbps-full-duplex>
set deviceconfig system mtu <576-1500>
set deviceconfig system ip-address <ip/netmask>
set deviceconfig system netmask <value>
set deviceconfig system default-gateway <ip/netmask>
set deviceconfig system ipv6-address <ip/netmask>
set deviceconfig system ipv6-default-gateway <ip/netmask>
set deviceconfig system authencaon-profile <value>
set deviceconfig system non-ui-authencaon-profile <value>
set deviceconfig system cerficate-profile <value>
set deviceconfig system syslog-cerficate <value>
set deviceconfig system ssl-tls-service-profile <value>
set deviceconfig system dns-seng
set deviceconfig system dns-seng
set deviceconfig system dns-seng servers
set deviceconfig system dns-seng servers primary <ip/netmask>
set deviceconfig system dns-seng servers secondary <ip/netmask>
set deviceconfig system dns-seng dns-proxy-object <value>
set deviceconfig system fqdn-refresh-me <0-14399>
set deviceconfig system fqdn-stale-entry-meout <0-10080>
set deviceconfig system panorama
set deviceconfig system panorama
set deviceconfig system panorama local-panorama
set deviceconfig system panorama local-panorama panorama-server <value>
set deviceconfig system panorama local-panorama panorama-server-2 <value>
set deviceconfig system ntp-servers
set deviceconfig system ntp-servers primary-ntp-server
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <value>
set deviceconfig system ntp-servers primary-ntp-server authencaon-type

PAN-OS CLI Quick Start Version Version 10.1 405 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system ntp-servers primary-ntp-server authencaon-type none

set deviceconfig system ntp-servers primary-ntp-server authencaon-type symmetric-key
set deviceconfig system ntp-servers primary-ntp-server authencaon-type symmetric-key key-id
<1-65534>
set deviceconfig system ntp-servers primary-ntp-server authencaon-type symmetric-key
algorithm
set deviceconfig system ntp-servers primary-ntp-server authencaon-type symmetric-key
algorithm md5
set deviceconfig system ntp-servers primary-ntp-server authencaon-type symmetric-key
algorithm md5 authencaon-key <value>
set deviceconfig system ntp-servers primary-ntp-server authencaon-type symmetric-key
algorithm sha1
set deviceconfig system ntp-servers primary-ntp-server authencaon-type symmetric-key
algorithm sha1 authencaon-key <value>
set deviceconfig system ntp-servers primary-ntp-server authencaon-type autokey
set deviceconfig system ntp-servers secondary-ntp-server
set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <value>
set deviceconfig system ntp-servers secondary-ntp-server authencaon-type
set deviceconfig system ntp-servers secondary-ntp-server authencaon-type none
set deviceconfig system ntp-servers secondary-ntp-server authencaon-type symmetric-key
set deviceconfig system ntp-servers secondary-ntp-server authencaon-type symmetric-key
key-id <1-65534>
set deviceconfig system ntp-servers secondary-ntp-server authencaon-type symmetric-key
algorithm
set deviceconfig system ntp-servers secondary-ntp-server authencaon-type symmetric-key
algorithm md5
set deviceconfig system ntp-servers secondary-ntp-server authencaon-type symmetric-key
algorithm md5 authencaon-key <value>
set deviceconfig system ntp-servers secondary-ntp-server authencaon-type symmetric-key
algorithm sha1
set deviceconfig system ntp-servers secondary-ntp-server authencaon-type symmetric-key
algorithm sha1 authencaon-key <value>
set deviceconfig system ntp-servers secondary-ntp-server authencaon-type autokey
set deviceconfig system update-server <value>
set deviceconfig system server-verificaon <yes|no>
set deviceconfig system secure-proxy-server <value>
set deviceconfig system secure-proxy-port <1-65535>

PAN-OS CLI Quick Start Version Version 10.1 406 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system secure-proxy-user <value>

set deviceconfig system secure-proxy-password <value>
set deviceconfig system lcaas-use-proxy <yes|no>
set deviceconfig system auto-renew-mkey-lifeme <0-17520>
set deviceconfig system hsm-sengs
set deviceconfig system hsm-sengs provider
set deviceconfig system hsm-sengs provider
set deviceconfig system hsm-sengs provider safenet-network
set deviceconfig system hsm-sengs provider safenet-network hsm-server
set deviceconfig system hsm-sengs provider safenet-network hsm-server <name>
set deviceconfig system hsm-sengs provider safenet-network hsm-server <name> server-
address <ip/netmask>
set deviceconfig system hsm-sengs provider safenet-network ha
set deviceconfig system hsm-sengs provider safenet-network ha auto-recovery-retry <0-500>
set deviceconfig system hsm-sengs provider safenet-network ha ha-group-name <value>
set deviceconfig system hsm-sengs provider ncipher-nshield-connect
set deviceconfig system hsm-sengs provider ncipher-nshield-connect hsm-server
set deviceconfig system hsm-sengs provider ncipher-nshield-connect hsm-server <name>
set deviceconfig system hsm-sengs provider ncipher-nshield-connect hsm-server <name>
server-address <ip/netmask>
set deviceconfig system hsm-sengs provider ncipher-nshield-connect rfs-address <ip/netmask>
set deviceconfig system hsm-sengs provider none
set deviceconfig system ssh
set deviceconfig system ssh profiles
set deviceconfig system ssh profiles ha-profiles
set deviceconfig system ssh profiles ha-profiles <name>
set deviceconfig system ssh profiles ha-profiles <name> ciphers [ <ciphers1> <ciphers2>... ]
set deviceconfig system ssh profiles ha-profiles <name> mac [ <mac1> <mac2>... ]
set deviceconfig system ssh profiles ha-profiles <name> kex [ <kex1> <kex2>... ]
set deviceconfig system ssh profiles ha-profiles <name> default-hostkey
set deviceconfig system ssh profiles ha-profiles <name> default-hostkey key-type
set deviceconfig system ssh profiles ha-profiles <name> default-hostkey key-type ECDSA <256|
384|521>
set deviceconfig system ssh profiles ha-profiles <name> default-hostkey key-type RSA <2048|
3072|4096>

PAN-OS CLI Quick Start Version Version 10.1 407 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system ssh profiles ha-profiles <name> session-rekey

set deviceconfig system ssh profiles ha-profiles <name> session-rekey data <10-4000>|<default>
set deviceconfig system ssh profiles ha-profiles <name> session-rekey interval <10-3600>|
<default>
set deviceconfig system ssh profiles ha-profiles <name> session-rekey packets <12-27>|<default>
set deviceconfig system ssh profiles mgmt-profiles
set deviceconfig system ssh profiles mgmt-profiles server-profiles
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name>
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name> ciphers [ <ciphers1>
<ciphers2>... ]
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name> mac [ <mac1>
<mac2>... ]
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name> kex [ <kex1> <kex2>... ]
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name> default-hostkey
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name> default-hostkey key-
type
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name> default-hostkey key-
type ECDSA <256|384|521>
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name> default-hostkey key-
type RSA <2048|3072|4096>
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name> default-hostkey key-
type all
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name> session-rekey
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name> session-rekey data
<10-4000>|<default>
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name> session-rekey interval
<10-3600>|<default>
set deviceconfig system ssh profiles mgmt-profiles server-profiles <name> session-rekey packets
<12-27>|<default>
set deviceconfig system ssh ha
set deviceconfig system ssh ha ha-profile <value>
set deviceconfig system ssh mgmt
set deviceconfig system ssh mgmt server-profile <value>
set deviceconfig system ssh regenerate-hostkeys
set deviceconfig system ssh regenerate-hostkeys ha
set deviceconfig system ssh regenerate-hostkeys ha key-type
set deviceconfig system ssh regenerate-hostkeys ha key-type ECDSA

PAN-OS CLI Quick Start Version Version 10.1 408 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system ssh regenerate-hostkeys ha key-type ECDSA key-length <256|384|521>

set deviceconfig system ssh regenerate-hostkeys ha key-type RSA
set deviceconfig system ssh regenerate-hostkeys ha key-type RSA key-length <2048|3072|4096>
set deviceconfig system ssh regenerate-hostkeys mgmt
set deviceconfig system ssh regenerate-hostkeys mgmt key-type
set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA
set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length <256|384|
521>
set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA
set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length <2048|3072|
4096>
set deviceconfig system device-telemetry
set deviceconfig system device-telemetry product-usage <yes|no>
set deviceconfig system device-telemetry device-health-performance <yes|no>
set deviceconfig system device-telemetry threat-prevenon <yes|no>
set deviceconfig system device-telemetry region <value>
set deviceconfig system snmp-seng
set deviceconfig system snmp-seng snmp-system
set deviceconfig system snmp-seng snmp-system locaon <value>
set deviceconfig system snmp-seng snmp-system contact <value>
set deviceconfig system snmp-seng snmp-system send-event-specific-traps <yes|no>
set deviceconfig system snmp-seng access-seng
set deviceconfig system snmp-seng access-seng version
set deviceconfig system snmp-seng access-seng version v2c
set deviceconfig system snmp-seng access-seng version v2c snmp-community-string <value>
set deviceconfig system snmp-seng access-seng version v3
set deviceconfig system snmp-seng access-seng version v3 views
set deviceconfig system snmp-seng access-seng version v3 views <name>
set deviceconfig system snmp-seng access-seng version v3 views <name> view
set deviceconfig system snmp-seng access-seng version v3 views <name> view <name>
set deviceconfig system snmp-seng access-seng version v3 views <name> view <name> oid
<value>
set deviceconfig system snmp-seng access-seng version v3 views <name> view <name>
opon <include|exclude>

PAN-OS CLI Quick Start Version Version 10.1 409 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system snmp-seng access-seng version v3 views <name> view <name> mask
<value>
set deviceconfig system snmp-seng access-seng version v3 users
set deviceconfig system snmp-seng access-seng version v3 users <name>
set deviceconfig system snmp-seng access-seng version v3 users <name> view <value>
set deviceconfig system snmp-seng access-seng version v3 users <name> authpwd <value>
set deviceconfig system snmp-seng access-seng version v3 users <name> privpwd <value>
set deviceconfig system snmp-seng access-seng version v3 users <name> authproto <SHA|
SHA-224|SHA-256|SHA-384|SHA-512>
set deviceconfig system snmp-seng access-seng version v3 users <name> privproto <AES|
AES-192|AES-256>
set deviceconfig system locale <value>|<en|es|ja|fr|zh_CN|zh_TW>
set deviceconfig system domain-lookup-url <value>
set deviceconfig system ip-address-lookup-url <value>
set deviceconfig system geo-locaon
set deviceconfig system geo-locaon latude <value>
set deviceconfig system geo-locaon longitude <value>
set deviceconfig system service
set deviceconfig system service disable-hp <yes|no>
set deviceconfig system service disable-hps <yes|no>
set deviceconfig system service disable-telnet <yes|no>
set deviceconfig system service disable-ssh <yes|no>
set deviceconfig system service disable-icmp <yes|no>
set deviceconfig system service disable-snmp <yes|no>
set deviceconfig system service disable-userid-service <yes|no>
set deviceconfig system service disable-userid-syslog-listener-ssl <yes|no>
set deviceconfig system service disable-userid-syslog-listener-udp <yes|no>
set deviceconfig system service disable-hp-ocsp <yes|no>
set deviceconfig system permied-ip
set deviceconfig system permied-ip <name>
set deviceconfig system permied-ip <name> descripon <value>
set deviceconfig system route
set deviceconfig system route service
set deviceconfig system route service <name>

PAN-OS CLI Quick Start Version Version 10.1 410 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system route service <name> source

set deviceconfig system route service <name> source interface <value>
set deviceconfig system route service <name> source address <value>
set deviceconfig system route service <name> source-v6
set deviceconfig system route service <name> source-v6 interface <value>
set deviceconfig system route service <name> source-v6 address <value>
set deviceconfig system route desnaon
set deviceconfig system route desnaon <name>
set deviceconfig system route desnaon <name> source
set deviceconfig system route desnaon <name> source interface <value>
set deviceconfig system route desnaon <name> source address <value>
set deviceconfig system log-link
set deviceconfig system log-link <name>
set deviceconfig system log-link <name> url <value>
set deviceconfig system log-export-schedule
set deviceconfig system log-export-schedule <name>
set deviceconfig system log-export-schedule <name> descripon <value>
set deviceconfig system log-export-schedule <name> enable <yes|no>
set deviceconfig system log-export-schedule <name> log-type <traffic|threat|tunnel|userid|iptag|
auth|url|data|hipmatch|wildfire|decrypon|globalprotect>
set deviceconfig system log-export-schedule <name> start-me <value>
set deviceconfig system log-export-schedule <name> protocol
set deviceconfig system log-export-schedule <name> protocol p
set deviceconfig system log-export-schedule <name> protocol p hostname <value>
set deviceconfig system log-export-schedule <name> protocol p port <1-65535>
set deviceconfig system log-export-schedule <name> protocol p path <value>
set deviceconfig system log-export-schedule <name> protocol p username <value>
set deviceconfig system log-export-schedule <name> protocol p password <value>
set deviceconfig system log-export-schedule <name> protocol p passive-mode <yes|no>
set deviceconfig system log-export-schedule <name> protocol scp
set deviceconfig system log-export-schedule <name> protocol scp hostname <value>
set deviceconfig system log-export-schedule <name> protocol scp port <1-65535>
set deviceconfig system log-export-schedule <name> protocol scp path <value>
set deviceconfig system log-export-schedule <name> protocol scp username <value>

PAN-OS CLI Quick Start Version Version 10.1 411 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system log-export-schedule <name> protocol scp password <value>

set deviceconfig system update-schedule
set deviceconfig system update-schedule stascs-service
set deviceconfig system update-schedule stascs-service applicaon-reports <yes|no>
set deviceconfig system update-schedule stascs-service threat-prevenon-reports <yes|no>
set deviceconfig system update-schedule stascs-service threat-prevenon-informaon <yes|
no>
set deviceconfig system update-schedule stascs-service threat-prevenon-pcap <yes|no>
set deviceconfig system update-schedule stascs-service passive-dns-monitoring <yes|no>
set deviceconfig system update-schedule stascs-service url-reports <yes|no>
set deviceconfig system update-schedule stascs-service health-performance-reports <yes|no>
set deviceconfig system update-schedule stascs-service file-idenficaon-reports <yes|no>
set deviceconfig system update-schedule threats
set deviceconfig system update-schedule threats recurring
set deviceconfig system update-schedule threats recurring
set deviceconfig system update-schedule threats recurring none
set deviceconfig system update-schedule threats recurring every-30-mins
set deviceconfig system update-schedule threats recurring every-30-mins at <0-29>
set deviceconfig system update-schedule threats recurring every-30-mins acon <download-only|
download-and-install>
set deviceconfig system update-schedule threats recurring every-30-mins disable-new-content
<yes|no>
set deviceconfig system update-schedule threats recurring hourly
set deviceconfig system update-schedule threats recurring hourly at <0-59>
set deviceconfig system update-schedule threats recurring hourly acon <download-only|
download-and-install>
set deviceconfig system update-schedule threats recurring hourly disable-new-content <yes|no>
set deviceconfig system update-schedule threats recurring daily
set deviceconfig system update-schedule threats recurring daily at <value>
set deviceconfig system update-schedule threats recurring daily acon <download-only|
download-and-install>
set deviceconfig system update-schedule threats recurring daily disable-new-content <yes|no>
set deviceconfig system update-schedule threats recurring weekly
set deviceconfig system update-schedule threats recurring weekly day-of-week <sunday|monday|
tuesday|wednesday|thursday|friday|saturday>

PAN-OS CLI Quick Start Version Version 10.1 412 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system update-schedule threats recurring weekly at <value>

set deviceconfig system update-schedule threats recurring weekly acon <download-only|
download-and-install>
set deviceconfig system update-schedule threats recurring weekly disable-new-content <yes|no>
set deviceconfig system update-schedule threats recurring threshold <1-336>
set deviceconfig system update-schedule threats recurring new-app-threshold <1-336>
set deviceconfig system update-schedule threats recurring sync-to-peer <yes|no>
set deviceconfig system update-schedule app-profile
set deviceconfig system update-schedule app-profile recurring
set deviceconfig system update-schedule app-profile recurring
set deviceconfig system update-schedule app-profile recurring none
set deviceconfig system update-schedule app-profile recurring daily
set deviceconfig system update-schedule app-profile recurring daily at <value>
set deviceconfig system update-schedule app-profile recurring daily acon <download-only|
download-and-install>
set deviceconfig system update-schedule app-profile recurring weekly
set deviceconfig system update-schedule app-profile recurring weekly day-of-week <sunday|
monday|tuesday|wednesday|thursday|friday|saturday>
set deviceconfig system update-schedule app-profile recurring weekly at <value>
set deviceconfig system update-schedule app-profile recurring weekly acon <download-only|
download-and-install>
set deviceconfig system update-schedule app-profile recurring threshold <1-336>
set deviceconfig system update-schedule app-profile recurring sync-to-peer <yes|no>
set deviceconfig system update-schedule an-virus
set deviceconfig system update-schedule an-virus recurring
set deviceconfig system update-schedule an-virus recurring
set deviceconfig system update-schedule an-virus recurring none
set deviceconfig system update-schedule an-virus recurring hourly
set deviceconfig system update-schedule an-virus recurring hourly at <0-59>
set deviceconfig system update-schedule an-virus recurring hourly acon <download-only|
download-and-install>
set deviceconfig system update-schedule an-virus recurring daily
set deviceconfig system update-schedule an-virus recurring daily at <value>
set deviceconfig system update-schedule an-virus recurring daily acon <download-only|
download-and-install>

PAN-OS CLI Quick Start Version Version 10.1 413 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system update-schedule an-virus recurring weekly

set deviceconfig system update-schedule an-virus recurring weekly day-of-week <sunday|
monday|tuesday|wednesday|thursday|friday|saturday>
set deviceconfig system update-schedule an-virus recurring weekly at <value>
set deviceconfig system update-schedule an-virus recurring weekly acon <download-only|
download-and-install>
set deviceconfig system update-schedule an-virus recurring threshold <1-336>
set deviceconfig system update-schedule an-virus recurring sync-to-peer <yes|no>
set deviceconfig system update-schedule wildfire
set deviceconfig system update-schedule wildfire recurring
set deviceconfig system update-schedule wildfire recurring
set deviceconfig system update-schedule wildfire recurring none
set deviceconfig system update-schedule wildfire recurring real-me
set deviceconfig system update-schedule wildfire recurring every-min
set deviceconfig system update-schedule wildfire recurring every-min acon <download-only|
download-and-install>
set deviceconfig system update-schedule wildfire recurring every-min sync-to-peer <yes|no>
set deviceconfig system update-schedule wildfire recurring every-15-mins
set deviceconfig system update-schedule wildfire recurring every-15-mins at <0-14>
set deviceconfig system update-schedule wildfire recurring every-15-mins acon <download-only|
download-and-install>
set deviceconfig system update-schedule wildfire recurring every-15-mins sync-to-peer <yes|no>
set deviceconfig system update-schedule wildfire recurring every-30-mins
set deviceconfig system update-schedule wildfire recurring every-30-mins at <0-29>
set deviceconfig system update-schedule wildfire recurring every-30-mins acon <download-only|
download-and-install>
set deviceconfig system update-schedule wildfire recurring every-30-mins sync-to-peer <yes|no>
set deviceconfig system update-schedule wildfire recurring every-hour
set deviceconfig system update-schedule wildfire recurring every-hour at <0-59>
set deviceconfig system update-schedule wildfire recurring every-hour acon <download-only|
download-and-install>
set deviceconfig system update-schedule wildfire recurring every-hour sync-to-peer <yes|no>
set deviceconfig system update-schedule wf-private
set deviceconfig system update-schedule wf-private recurring
set deviceconfig system update-schedule wf-private recurring

PAN-OS CLI Quick Start Version Version 10.1 414 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system update-schedule wf-private recurring none

set deviceconfig system update-schedule wf-private recurring every-5-mins
set deviceconfig system update-schedule wf-private recurring every-5-mins at <0-4>
set deviceconfig system update-schedule wf-private recurring every-5-mins acon <download-
only|download-and-install>
set deviceconfig system update-schedule wf-private recurring every-15-mins
set deviceconfig system update-schedule wf-private recurring every-15-mins at <0-14>
set deviceconfig system update-schedule wf-private recurring every-15-mins acon <download-
only|download-and-install>
set deviceconfig system update-schedule wf-private recurring every-30-mins
set deviceconfig system update-schedule wf-private recurring every-30-mins at <0-29>
set deviceconfig system update-schedule wf-private recurring every-30-mins acon <download-
only|download-and-install>
set deviceconfig system update-schedule wf-private recurring every-hour
set deviceconfig system update-schedule wf-private recurring every-hour at <0-59>
set deviceconfig system update-schedule wf-private recurring every-hour acon <download-only|
download-and-install>
set deviceconfig system update-schedule wf-private recurring sync-to-peer <yes|no>
set deviceconfig system update-schedule global-protect-clientless-vpn
set deviceconfig system update-schedule global-protect-clientless-vpn recurring
set deviceconfig system update-schedule global-protect-clientless-vpn recurring
set deviceconfig system update-schedule global-protect-clientless-vpn recurring none
set deviceconfig system update-schedule global-protect-clientless-vpn recurring hourly
set deviceconfig system update-schedule global-protect-clientless-vpn recurring hourly at <0-59>
set deviceconfig system update-schedule global-protect-clientless-vpn recurring hourly acon
<download-and-install|download-only>
set deviceconfig system update-schedule global-protect-clientless-vpn recurring daily
set deviceconfig system update-schedule global-protect-clientless-vpn recurring daily at <value>
set deviceconfig system update-schedule global-protect-clientless-vpn recurring daily acon
<download-and-install|download-only>
set deviceconfig system update-schedule global-protect-clientless-vpn recurring weekly
set deviceconfig system update-schedule global-protect-clientless-vpn recurring weekly day-of-
week <sunday|monday|tuesday|wednesday|thursday|friday|saturday>
set deviceconfig system update-schedule global-protect-clientless-vpn recurring weekly at
<value>

PAN-OS CLI Quick Start Version Version 10.1 415 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system update-schedule global-protect-clientless-vpn recurring weekly acon

<download-and-install|download-only>
set deviceconfig system update-schedule global-protect-datafile
set deviceconfig system update-schedule global-protect-datafile recurring
set deviceconfig system update-schedule global-protect-datafile recurring
set deviceconfig system update-schedule global-protect-datafile recurring none
set deviceconfig system update-schedule global-protect-datafile recurring hourly
set deviceconfig system update-schedule global-protect-datafile recurring hourly at <0-59>
set deviceconfig system update-schedule global-protect-datafile recurring hourly acon
<download-and-install|download-only>
set deviceconfig system update-schedule global-protect-datafile recurring daily
set deviceconfig system update-schedule global-protect-datafile recurring daily at <value>
set deviceconfig system update-schedule global-protect-datafile recurring daily acon <download-
and-install>
set deviceconfig system update-schedule global-protect-datafile recurring weekly
set deviceconfig system update-schedule global-protect-datafile recurring weekly day-of-week
<sunday|monday|tuesday|wednesday|thursday|friday|saturday>
set deviceconfig system update-schedule global-protect-datafile recurring weekly at <value>
set deviceconfig system update-schedule global-protect-datafile recurring weekly acon
<download-and-install|download-only>
set deviceconfig system motd-and-banner
set deviceconfig system motd-and-banner motd-enable <yes|no>
set deviceconfig system motd-and-banner message <value>
set deviceconfig system motd-and-banner motd-do-not-display-again <yes|no>
set deviceconfig system motd-and-banner motd-tle <value>
set deviceconfig system motd-and-banner motd-color <color1|color2|color3|color4|color5|color6|
color7|color8|color9|color10|color11|color12|color13|color14|color15|color16|color17>
set deviceconfig system motd-and-banner severity <warning|queson|error|info>
set deviceconfig system motd-and-banner banner-header <value>
set deviceconfig system motd-and-banner banner-header-color <color1|color2|color3|color4|
color5|color6|color7|color8|color9|color10|color11|color12|color13|color14|color15|color16|
color17>
set deviceconfig system motd-and-banner banner-header-text-color <color1|color2|color3|color4|
color5|color6|color7|color8|color9|color10|color11|color12|color13|color14|color15|color16|
color17|color18>
set deviceconfig system motd-and-banner banner-header-footer-match <yes|no>
set deviceconfig system motd-and-banner banner-footer <value>

PAN-OS CLI Quick Start Version Version 10.1 416 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig system motd-and-banner banner-footer-color <color1|color2|color3|color4|

color5|color6|color7|color8|color9|color10|color11|color12|color13|color14|color15|color16|
color17>
set deviceconfig system motd-and-banner banner-footer-text-color <color1|color2|color3|color4|
color5|color6|color7|color8|color9|color10|color11|color12|color13|color14|color15|color16|
color17|color18>
set deviceconfig system mezone <Africa/Abidjan|Africa/Accra|Africa/Addis_Ababa|Africa/
Algiers|Africa/Asmara|Africa/Asmera|Africa/Bamako|Africa/Bangui|Africa/Banjul|Africa/Bissau|
Africa/Blantyre|Africa/Brazzaville|Africa/Bujumbura|Africa/Cairo|Africa/Casablanca|Africa/
Ceuta|Africa/Conakry|Africa/Dakar|Africa/Dar_es_Salaam|Africa/Djibou|Africa/Douala|Africa/
El_Aaiun|Africa/Freetown|Africa/Gaborone|Africa/Harare|Africa/Johannesburg|Africa/Kampala|
Africa/Khartoum|Africa/Kigali|Africa/Kinshasa|Africa/Lagos|Africa/Libreville|Africa/Lome|Africa/
Luanda|Africa/Lubumbashi|Africa/Lusaka|Africa/Malabo|Africa/Maputo|Africa/Maseru|Africa/
Mbabane|Africa/Mogadishu|Africa/Monrovia|Africa/Nairobi|Africa/Ndjamena|Africa/Niamey|
Africa/Nouakcho|Africa/Ouagadougou|Africa/Porto-Novo|Africa/Sao_Tome|Africa/Timbuktu|
Africa/Tripoli|Africa/Tunis|Africa/Windhoek|America/Adak|America/Anchorage|America/
Anguilla|America/Angua|America/Araguaina|America/Argenna/Buenos_Aires|America/
Argenna/Catamarca|America/Argenna/ComodRivadavia|America/Argenna/Cordoba|America/
Argenna/Jujuy|America/Argenna/La_Rioja|America/Argenna/Mendoza|America/Argenna/
Rio_Gallegos|America/Argenna/Salta|America/Argenna/San_Juan|America/Argenna/San_Luis|
America/Argenna/Tucuman|America/Argenna/Ushuaia|America/Aruba|America/Asuncion|
America/Akokan|America/Atka|America/Bahia|America/Barbados|America/Belem|America/
Belize|America/Blanc-Sablon|America/Boa_Vista|America/Bogota|America/Boise|America/
Buenos_Aires|America/Cambridge_Bay|America/Campo_Grande|America/Cancun|America/
Caracas|America/Catamarca|America/Cayenne|America/Cayman|America/Chicago|America/
Chihuahua|America/Coral_Harbour|America/Cordoba|America/Costa_Rica|America/Cuiaba|
America/Curacao|America/Danmarkshavn|America/Dawson|America/Dawson_Creek|America/
Denver|America/Detroit|America/Dominica|America/Edmonton|America/Eirunepe|America/
El_Salvador|America/Ensenada|America/Fortaleza|America/Fort_Wayne|America/Glace_Bay|
America/Godthab|America/Goose_Bay|America/Grand_Turk|America/Grenada|America/
Guadeloupe|America/Guatemala|America/Guayaquil|America/Guyana|America/Halifax|America/
Havana|America/Hermosillo|America/Indiana/Indianapolis|America/Indiana/Knox|America/
Indiana/Marengo|America/Indiana/Petersburg|America/Indianapolis|America/Indiana/Tell_City|
America/Indiana/Vevay|America/Indiana/Vincennes|America/Indiana/Winamac|America/Inuvik|
America/Iqaluit|America/Jamaica|America/Jujuy|America/Juneau|America/Kentucky/Louisville|
America/Kentucky/Moncello|America/Knox_IN|America/La_Paz|America/Lima|America/
Los_Angeles|America/Louisville|America/Maceio|America/Managua|America/Manaus|America/
Marigot|America/Marnique|America/Mazatlan|America/Mendoza|America/Menominee|
America/Merida|America/Mexico_City|America/Miquelon|America/Moncton|America/Monterrey|
America/Montevideo|America/Montreal|America/Montserrat|America/Nassau|America/
New_York|America/Nipigon|America/Nome|America/Noronha|America/North_Dakota/Center|
America/North_Dakota/New_Salem|America/Panama|America/Pangnirtung|America/Paramaribo|
America/Phoenix|America/Port-au-Prince|America/Porto_Acre|America/Port_of_Spain|America/
Porto_Velho|America/Puerto_Rico|America/Rainy_River|America/Rankin_Inlet|America/Recife|
America/Regina|America/Resolute|America/Rio_Branco|America/Rosario|America/Santarem|
America/Sanago|America/Santo_Domingo|America/Sao_Paulo|America/Scoresbysund|America/
Shiprock|America/St_Barthelemy|America/St_Johns|America/St_Kis|America/St_Lucia|America/
St_Thomas|America/St_Vincent|America/Swi_Current|America/Tegucigalpa|America/Thule|
America/Thunder_Bay|America/Tijuana|America/Toronto|America/Tortola|America/Vancouver|

PAN-OS CLI Quick Start Version Version 10.1 417 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

America/Virgin|America/Whitehorse|America/Winnipeg|America/Yakutat|America/Yellowknife|
Antarcca/Casey|Antarcca/Davis|Antarcca/DumontDUrville|Antarcca/Mawson|Antarcca/
McMurdo|Antarcca/Palmer|Antarcca/Rothera|Antarcca/South_Pole|Antarcca/Syowa|
Antarcca/Vostok|Arcc/Longyearbyen|Asia/Aden|Asia/Almaty|Asia/Amman|Asia/Anadyr|Asia/
Aqtau|Asia/Aqtobe|Asia/Ashgabat|Asia/Ashkhabad|Asia/Baghdad|Asia/Bahrain|Asia/Baku|Asia/
Bangkok|Asia/Beirut|Asia/Bishkek|Asia/Brunei|Asia/Calcua|Asia/Choibalsan|Asia/Chongqing|
Asia/Chungking|Asia/Colombo|Asia/Dacca|Asia/Damascus|Asia/Dhaka|Asia/Dili|Asia/Dubai|
Asia/Dushanbe|Asia/Gaza|Asia/Harbin|Asia/Ho_Chi_Minh|Asia/Hong_Kong|Asia/Hovd|Asia/
Irkutsk|Asia/Istanbul|Asia/Jakarta|Asia/Jayapura|Asia/Jerusalem|Asia/Kabul|Asia/Kamchatka|
Asia/Karachi|Asia/Kashgar|Asia/Kathmandu|Asia/Katmandu|Asia/Kolkata|Asia/Krasnoyarsk|
Asia/Kuala_Lumpur|Asia/Kuching|Asia/Kuwait|Asia/Macao|Asia/Macau|Asia/Magadan|Asia/
Makassar|Asia/Manila|Asia/Muscat|Asia/Nicosia|Asia/Novokuznetsk|Asia/Novosibirsk|Asia/Omsk|
Asia/Oral|Asia/Phnom_Penh|Asia/Ponanak|Asia/Pyongyang|Asia/Qatar|Asia/Qyzylorda|Asia/
Rangoon|Asia/Riyadh|Asia/Riyadh87|Asia/Riyadh88|Asia/Riyadh89|Asia/Saigon|Asia/Sakhalin|
Asia/Samarkand|Asia/Seoul|Asia/Shanghai|Asia/Singapore|Asia/Taipei|Asia/Tashkent|Asia/
Tbilisi|Asia/Tehran|Asia/Tel_Aviv|Asia/Thimbu|Asia/Thimphu|Asia/Tokyo|Asia/Ujung_Pandang|
Asia/Ulaanbaatar|Asia/Ulan_Bator|Asia/Urumqi|Asia/Vienane|Asia/Vladivostok|Asia/Yakutsk|
Asia/Yekaterinburg|Asia/Yerevan|Atlanc/Azores|Atlanc/Bermuda|Atlanc/Canary|Atlanc/
Cape_Verde|Atlanc/Faeroe|Atlanc/Faroe|Atlanc/Jan_Mayen|Atlanc/Madeira|Atlanc/
Reykjavik|Atlanc/South_Georgia|Atlanc/Stanley|Atlanc/St_Helena|Australia/ACT|Australia/
Adelaide|Australia/Brisbane|Australia/Broken_Hill|Australia/Canberra|Australia/Currie|Australia/
Darwin|Australia/Eucla|Australia/Hobart|Australia/LHI|Australia/Lindeman|Australia/Lord_Howe|
Australia/Melbourne|Australia/North|Australia/NSW|Australia/Perth|Australia/Queensland|
Australia/South|Australia/Sydney|Australia/Tasmania|Australia/Victoria|Australia/West|Australia/
Yancowinna|Brazil/Acre|Brazil/DeNoronha|Brazil/East|Brazil/West|Canada/Atlanc|Canada/
Central|Canada/Eastern|Canada/East-Saskatchewan|Canada/Mountain|Canada/Newfoundland|
Canada/Pacific|Canada/Saskatchewan|Canada/Yukon|CET|Chile/Connental|Chile/EasterIsland|
CST6CDT|Cuba|EET|Egypt|Eire|EST|EST5EDT|Etc/GMT|Etc/GMT0|Etc/GMT-0|Etc/GMT+0|
Etc/GMT-1|Etc/GMT+1|Etc/GMT-10|Etc/GMT+10|Etc/GMT-11|Etc/GMT+11|Etc/GMT-12|
Etc/GMT+12|Etc/GMT-13|Etc/GMT-14|Etc/GMT-2|Etc/GMT+2|Etc/GMT-3|Etc/GMT+3|Etc/
GMT-4|Etc/GMT+4|Etc/GMT-5|Etc/GMT+5|Etc/GMT-6|Etc/GMT+6|Etc/GMT-7|Etc/GMT+7|
Etc/GMT-8|Etc/GMT+8|Etc/GMT-9|Etc/GMT+9|Etc/Greenwich|Etc/UCT|Etc/Universal|Etc/UTC|
Etc/Zulu|Europe/Amsterdam|Europe/Andorra|Europe/Athens|Europe/Belfast|Europe/Belgrade|
Europe/Berlin|Europe/Braslava|Europe/Brussels|Europe/Bucharest|Europe/Budapest|Europe/
Chisinau|Europe/Copenhagen|Europe/Dublin|Europe/Gibraltar|Europe/Guernsey|Europe/Helsinki|
Europe/Isle_of_Man|Europe/Istanbul|Europe/Jersey|Europe/Kaliningrad|Europe/Kiev|Europe/
Lisbon|Europe/Ljubljana|Europe/London|Europe/Luxembourg|Europe/Madrid|Europe/Malta|
Europe/Mariehamn|Europe/Minsk|Europe/Monaco|Europe/Moscow|Europe/Nicosia|Europe/
Oslo|Europe/Paris|Europe/Podgorica|Europe/Prague|Europe/Riga|Europe/Rome|Europe/Samara|
Europe/San_Marino|Europe/Sarajevo|Europe/Simferopol|Europe/Skopje|Europe/Sofia|Europe/
Stockholm|Europe/Tallinn|Europe/Tirane|Europe/Tiraspol|Europe/Uzhgorod|Europe/Vaduz|
Europe/Vacan|Europe/Vienna|Europe/Vilnius|Europe/Volgograd|Europe/Warsaw|Europe/
Zagreb|Europe/Zaporozhye|Europe/Zurich|Factory|GB|GB-Eire|GMT|GMT0|GMT-0|GMT+0|
Greenwich|Hongkong|HST|Iceland|Indian/Antananarivo|Indian/Chagos|Indian/Christmas|Indian/
Cocos|Indian/Comoro|Indian/Kerguelen|Indian/Mahe|Indian/Maldives|Indian/Maurius|Indian/
Mayoe|Indian/Reunion|Iran|Israel|Jamaica|Japan|Kwajalein|Libya|MET|Mexico/BajaNorte|
Mexico/BajaSur|Mexico/General|Mideast/Riyadh87|Mideast/Riyadh88|Mideast/Riyadh89|MST|
MST7MDT|Navajo|NZ|NZ-CHAT|Pacific/Apia|Pacific/Auckland|Pacific/Chatham|Pacific/Easter|
Pacific/Efate|Pacific/Enderbury|Pacific/Fakaofo|Pacific/Fiji|Pacific/Funafu|Pacific/Galapagos|
Pacific/Gambier|Pacific/Guadalcanal|Pacific/Guam|Pacific/Honolulu|Pacific/Johnston|Pacific/

PAN-OS CLI Quick Start Version Version 10.1 418 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

Kirima|Pacific/Kosrae|Pacific/Kwajalein|Pacific/Majuro|Pacific/Marquesas|Pacific/Midway|
Pacific/Nauru|Pacific/Niue|Pacific/Norfolk|Pacific/Noumea|Pacific/Pago_Pago|Pacific/Palau|
Pacific/Pitcairn|Pacific/Ponape|Pacific/Port_Moresby|Pacific/Rarotonga|Pacific/Saipan|Pacific/
Samoa|Pacific/Tahi|Pacific/Tarawa|Pacific/Tongatapu|Pacific/Truk|Pacific/Wake|Pacific/Wallis|
Pacific/Yap|Poland|Portugal|PRC|PST8PDT|ROC|ROK|Singapore|Turkey|UCT|Universal|US/Alaska|
US/Aleuan|US/Arizona|US/Central|US/Eastern|US/East-Indiana|US/Hawaii|US/Indiana-Starke|
US/Michigan|US/Mountain|US/Pacific|US/Samoa|UTC|WET|W-SU|Zulu>
set deviceconfig seng
set deviceconfig seng nat
set deviceconfig seng nat reserve-ip <yes|no>
set deviceconfig seng nat reserve-me <1-604800>
set deviceconfig seng nat dipp-oversub <1x|2x|4x|8x>
set deviceconfig seng jumbo-frame
set deviceconfig seng jumbo-frame mtu <512-9216>
set deviceconfig seng icmpv6-rate-limit
set deviceconfig seng icmpv6-rate-limit bucket-size <10-65535>
set deviceconfig seng icmpv6-rate-limit packet-rate <1-65535>
set deviceconfig seng nat64
set deviceconfig seng nat64 ipv6-min-network-mtu <1280-9216>
set deviceconfig seng packet
set deviceconfig seng packet ip-frag-limit <yes|no>
set deviceconfig seng ul
set deviceconfig seng ul assert-crash-once <yes|no>
set deviceconfig seng pan-url-db
set deviceconfig seng pan-url-db cloud-stac-list <value>
set deviceconfig seng pan-url-db meout <1-300>
set deviceconfig seng hawkeye
set deviceconfig seng hawkeye public-cloud-server <value>
set deviceconfig seng global-protect
set deviceconfig seng global-protect meout <3-150>
set deviceconfig seng global-protect keepalive <3-150>
set deviceconfig seng global-protect enable-external-gateway-priority <yes|no>
set deviceconfig seng global-protect locaon <value>
set deviceconfig seng global-protect worker-threads <10-100>
set deviceconfig seng l3-service

PAN-OS CLI Quick Start Version Version 10.1 419 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng l3-service meout <3-125>

set deviceconfig seng capve-portal
set deviceconfig seng capve-portal number-workers <2-12>
set deviceconfig seng capve-portal disable-token <yes|no>
set deviceconfig seng applicaon
set deviceconfig seng applicaon idenfy-unknown-traffic-by-port <yes|no>
set deviceconfig seng applicaon dump-unknown <on|off>
set deviceconfig seng applicaon cache <yes|no>
set deviceconfig seng applicaon use-cache-for-idenficaon <yes|no>
set deviceconfig seng applicaon cache-threshold <1-65535>
set deviceconfig seng applicaon supernode <yes|no>
set deviceconfig seng applicaon heuriscs <yes|no>
set deviceconfig seng applicaon nofy-user <yes|no>
set deviceconfig seng applicaon bypass-exceed-queue <yes|no>
set deviceconfig seng applicaon traceroute
set deviceconfig seng applicaon traceroute enable <yes|no>
set deviceconfig seng applicaon traceroute l-threshold <0-255>
set deviceconfig seng autofocus
set deviceconfig seng autofocus enabled <yes|no>
set deviceconfig seng autofocus autofocus-url <value>
set deviceconfig seng autofocus query-meout <15-3600>
set deviceconfig seng wildfire
set deviceconfig seng wildfire file-idle-meout <5-180>
set deviceconfig seng wildfire file-size-limit
set deviceconfig seng wildfire file-size-limit <name>
set deviceconfig seng wildfire file-size-limit <name> size-limit <value>
set deviceconfig seng wildfire file-upload-rate <1-150>
set deviceconfig seng wildfire public-cloud-server <value>
set deviceconfig seng wildfire private-cloud-server <value>
set deviceconfig seng wildfire real-me-cloud-server <value>
set deviceconfig seng wildfire private-cloud-use-proxy <yes|no>
set deviceconfig seng wildfire disable-signature-verify <yes|no>
set deviceconfig seng wildfire report-benign-file <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 420 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng wildfire report-grayware-file <yes|no>

set deviceconfig seng wildfire session-info-select
set deviceconfig seng wildfire session-info-select exclude-src-ip <yes|no>
set deviceconfig seng wildfire session-info-select exclude-src-port <yes|no>
set deviceconfig seng wildfire session-info-select exclude-dest-ip <yes|no>
set deviceconfig seng wildfire session-info-select exclude-dest-port <yes|no>
set deviceconfig seng wildfire session-info-select exclude-vsys-id <yes|no>
set deviceconfig seng wildfire session-info-select exclude-app-name <yes|no>
set deviceconfig seng wildfire session-info-select exclude-username <yes|no>
set deviceconfig seng wildfire session-info-select exclude-url <yes|no>
set deviceconfig seng wildfire session-info-select exclude-filename <yes|no>
set deviceconfig seng wildfire session-info-select exclude-email-sender <yes|no>
set deviceconfig seng wildfire session-info-select exclude-email-recipient <yes|no>
set deviceconfig seng wildfire session-info-select exclude-email-subject <yes|no>
set deviceconfig seng ctd
set deviceconfig seng ctd x-forwarded-for <0|1|2>
set deviceconfig seng ctd strip-x-fwd-for <yes|no>
set deviceconfig seng ctd url-coach-meout <1-86400>
set deviceconfig seng ctd url-admin-meout <1-86400>
set deviceconfig seng ctd url-lockout-meout <1-86400>
set deviceconfig seng ctd url-wait-meout <1-60>
set deviceconfig seng ctd cap-portal-ask-meout <0-65535>
set deviceconfig seng ctd cap-portal-ask-requests <1-32>
set deviceconfig seng ctd cap-portal-max-session <0-8192>
set deviceconfig seng ctd cap-portal-html-redirect <yes|no>
set deviceconfig seng ctd hp-proxy-use-transacon <yes|no>
set deviceconfig seng ctd tcp-bypass-exceed-queue <yes|no>
set deviceconfig seng ctd udp-bypass-exceed-queue <yes|no>
set deviceconfig seng ctd allow-hp-range <yes|no>
set deviceconfig seng ctd extended-capture-segment <1-50>
set deviceconfig seng ctd track-filename <yes|no>
set deviceconfig seng ctd hash-signature-allow <yes|no>
set deviceconfig seng ctd decode-filter-max-depth <1-4>

PAN-OS CLI Quick Start Version Version 10.1 421 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng ctd hold-client-request <yes|no>

set deviceconfig seng ctd header-insert-cleartext-proxy <yes|no>
set deviceconfig seng ctd block-on-cleartext-proxy-failure <yes|no>
set deviceconfig seng ctd cloud-dns-meout <0-60000>
set deviceconfig seng ctd cloud-dns-privacy-mask <yes|no>
set deviceconfig seng ctd cloudapp-implicit-policy-enforce <yes|no>
set deviceconfig seng ctd shm-quota-threshold <50-80>
set deviceconfig seng ctd shared-memory-quota-dlp <0-100>
set deviceconfig seng ctd shared-memory-quota-iot <0-100>
set deviceconfig seng ctd shared-memory-quota-ace <0-100>
set deviceconfig seng ctd siptcp-cleartext-proxy <0|1|2>
set deviceconfig seng ctd hp2-cleartext-proxy <yes|no>
set deviceconfig seng ssl-decrypt
set deviceconfig seng ssl-decrypt url-wait <yes|no>
set deviceconfig seng ssl-decrypt url-proxy <yes|no>
set deviceconfig seng ssl-decrypt nofy-user <yes|no>
set deviceconfig seng ssl-decrypt answer-meout <1-86400>
set deviceconfig seng ssl-decrypt crl <yes|no>
set deviceconfig seng ssl-decrypt ocsp <yes|no>
set deviceconfig seng ssl-decrypt crl-receive-meout <1-60>
set deviceconfig seng ssl-decrypt ocsp-receive-meout <1-60>
set deviceconfig seng ssl-decrypt cert-status-meout <0-60>
set deviceconfig seng ssl-decrypt session-cache-meout <10-86400>
set deviceconfig seng ssl-decrypt tcp-use-ts <yes|no>
set deviceconfig seng ssl-decrypt fwd-proxy-server-cert-key-size-rsa <0|1024|2048|3072|
4096>
set deviceconfig seng ssl-decrypt fwd-proxy-server-cert-key-size-ecdsa <0|256|384>
set deviceconfig seng ssl-decrypt default-ellipc-curve <192|224|256|384|521>
set deviceconfig seng ssl-decrypt fptcp-rwin-max <524288-8388608>
set deviceconfig seng ssl-decrypt scan-handshake <yes|no>
set deviceconfig seng ssl-decrypt use-mp-sess-cache <yes|no>
set deviceconfig seng session
set deviceconfig seng session meout-tcp <1-15999999>
set deviceconfig seng session meout-udp <1-15999999>

PAN-OS CLI Quick Start Version Version 10.1 422 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng session meout-icmp <1-15999999>

set deviceconfig seng session meout-default <1-15999999>
set deviceconfig seng session meout-tcpinit <1-60>
set deviceconfig seng session meout-tcphandshake <1-60>
set deviceconfig seng session meout-tcp-half-closed <1-604800>
set deviceconfig seng session meout-tcp-me-wait <1-600>
set deviceconfig seng session meout-tcp-unverified-rst <1-600>
set deviceconfig seng session meout-capve-portal <1-15999999>
set deviceconfig seng session meout-discard-tcp <1-15999999>
set deviceconfig seng session meout-discard-udp <1-15999999>
set deviceconfig seng session meout-discard-default <1-15999999>
set deviceconfig seng session icmp-unreachable-rate <1-65535>
set deviceconfig seng session meout-scan <5-30>
set deviceconfig seng session scan-threshold <50-99>
set deviceconfig seng session scan-scaling-factor <2-16>
set deviceconfig seng session accelerated-aging-enable <yes|no>
set deviceconfig seng session accelerated-aging-threshold <50-99>
set deviceconfig seng session accelerated-aging-scaling-factor <2-16>
set deviceconfig seng session packet-buffer-protecon-enable <yes|no>
set deviceconfig seng session packet-buffer-protecon-monitor-only <yes|no>
set deviceconfig seng session packet-buffer-protecon-alert <0-99>
set deviceconfig seng session packet-buffer-protecon-acvate <0-99>
set deviceconfig seng session packet-buffer-protecon-block-countdown <0-99>
set deviceconfig seng session packet-buffer-protecon-block-hold-me <0-65535>
set deviceconfig seng session packet-buffer-protecon-block-duraon-me <1-15999999>
set deviceconfig seng session packet-buffer-protecon-use-latency <yes|no>
set deviceconfig seng session packet-buffer-protecon-latency-alert <1-20000>
set deviceconfig seng session packet-buffer-protecon-latency-acvate <1-20000>
set deviceconfig seng session packet-buffer-protecon-latency-block-countdown <1-20000>
set deviceconfig seng session packet-buffer-protecon-latency-max-tolerate <1-20000>
set deviceconfig seng session tcp-reject-non-syn <yes|no>
set deviceconfig seng session tcp-retransmit-scan <yes|no>
set deviceconfig seng session offload <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 423 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng session ipv6-firewalling <yes|no>

set deviceconfig seng session express-mode <yes|no>
set deviceconfig seng session resource-limit-behavior <bypass|drop>
set deviceconfig seng session mulcast-route-setup-buffering <yes|no>
set deviceconfig seng session max-pending-mcast-pkts-per-session <1-2000>
set deviceconfig seng tcp
set deviceconfig seng tcp bypass-exceed-oo-queue <yes|no>
set deviceconfig seng tcp allow-challenge-ack <yes|no>
set deviceconfig seng tcp check-mestamp-opon <yes|no>
set deviceconfig seng tcp asymmetric-path <drop|bypass>
set deviceconfig seng tcp urgent-data <clear|oobinline>
set deviceconfig seng tcp drop-zero-flag <yes|no>
set deviceconfig seng tcp strip-mptcp-opon <yes|no>
set deviceconfig seng zip
set deviceconfig seng zip enable <yes|no>
set deviceconfig seng zip mode <hw|sw|auto>
set deviceconfig seng hp2
set deviceconfig seng hp2 enable <yes|no>
set deviceconfig seng hp2 stream-closed-buffer-threshold <1-100>
set deviceconfig seng hp2 server-push <yes|no>
set deviceconfig seng hp2 connecon-logging <yes|no>
set deviceconfig seng pow
set deviceconfig seng pow wqe-tag-check <yes|no>
set deviceconfig seng pow wqe-inuse-check <yes|no>
set deviceconfig seng pow wqe-swbuf-check <yes|no>
set deviceconfig seng pow wqe-swbuf-track <yes|no>
set deviceconfig seng pow wqe-hexspeak <yes|no>
set deviceconfig seng pow wqe-swbuf-ref <yes|no>
set deviceconfig seng config
set deviceconfig seng config rematch <yes|no>
set deviceconfig seng logging
set deviceconfig seng logging enhanced-applicaon-logging
set deviceconfig seng logging enhanced-applicaon-logging disable-applicaon

PAN-OS CLI Quick Start Version Version 10.1 424 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng logging enhanced-applicaon-logging disable-applicaon <name>

set deviceconfig seng logging enhanced-applicaon-logging disable-global
set deviceconfig seng logging enhanced-applicaon-logging disable-global all
set deviceconfig seng logging enhanced-applicaon-logging disable-global arp
set deviceconfig seng logging enhanced-applicaon-logging disable-global non-syn-tcp
set deviceconfig seng logging enhanced-applicaon-logging disable-global ext-traffic
set deviceconfig seng logging enhanced-applicaon-logging disable-global hip-report
set deviceconfig seng logging enhanced-applicaon-logging enable <yes|no>
set deviceconfig seng logging logging-service-forwarding
set deviceconfig seng logging logging-service-forwarding enable <yes|no>
set deviceconfig seng logging logging-service-forwarding enable-duplicate-logging <yes|no>
set deviceconfig seng logging logging-service-forwarding logging-service-regions <value>
set deviceconfig seng logging max-log-rate <0-50000>
set deviceconfig seng logging max-packet-rate <0-2560>
set deviceconfig seng logging log-suppression <yes|no>
set deviceconfig seng management
set deviceconfig seng management secure-conn-client
set deviceconfig seng management secure-conn-client cerficate-type
set deviceconfig seng management secure-conn-client cerficate-type
set deviceconfig seng management secure-conn-client cerficate-type none
set deviceconfig seng management secure-conn-client cerficate-type local
set deviceconfig seng management secure-conn-client cerficate-type local cerficate <value>
set deviceconfig seng management secure-conn-client cerficate-type local cerficate-profile
<value>
set deviceconfig seng management secure-conn-client cerficate-type scep
set deviceconfig seng management secure-conn-client cerficate-type scep scep-profile <value>
set deviceconfig seng management secure-conn-client cerficate-type scep cerficate-profile
<value>
set deviceconfig seng management secure-conn-client check-server-identy <yes|no>
set deviceconfig seng management secure-conn-client enable-secure-wildfire-communicaon
<yes|no>
set deviceconfig seng management secure-conn-client enable-secure-pandb-communicaon
<yes|no>
set deviceconfig seng management secure-conn-client enable-secure-panorama-communicaon
<yes|no>

PAN-OS CLI Quick Start Version Version 10.1 425 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng management secure-conn-client enable-secure-lc-communicaon <yes|

no>
set deviceconfig seng management secure-conn-client enable-secure-user-id-communicaon
<yes|no>
set deviceconfig seng management secure-conn-server
set deviceconfig seng management secure-conn-server ssl-tls-service-profile <value>
set deviceconfig seng management secure-conn-server cerficate-profile <value>
set deviceconfig seng management secure-conn-server enable-secure-user-id-communicaon
<yes|no>
set deviceconfig seng management quota-sengs
set deviceconfig seng management quota-sengs log-expiraon-period
set deviceconfig seng management quota-sengs log-expiraon-period traffic <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period threat <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period decrypon <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period config <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period system <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period alarm <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period appstat <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period trsum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period thsum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period urlsum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period desum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period hipmatch <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period hourlytrsum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period dailytrsum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period weeklytrsum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period hourlythsum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period dailythsum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period weeklythsum
<1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period hourlyurlsum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period dailyurlsum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period weeklyurlsum
<1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period threat-pcaps <1-2000>

PAN-OS CLI Quick Start Version Version 10.1 426 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng management quota-sengs log-expiraon-period gtp <1-2000>

set deviceconfig seng management quota-sengs log-expiraon-period gtpsum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period hourlygtpsum
<1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period dailygtpsum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period weeklygtpsum
<1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period hourlydesum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period dailydesum <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period weeklydesum
<1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period userid <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period iptag <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period auth <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period globalprotect
<1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period dlp-logs <1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period applicaon-pcaps
<1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period debug-filter-pcaps
<1-2000>
set deviceconfig seng management quota-sengs log-expiraon-period hip-reports <1-2000>
set deviceconfig seng management quota-sengs disk-quota
set deviceconfig seng management quota-sengs disk-quota traffic <float>
set deviceconfig seng management quota-sengs disk-quota threat <float>
set deviceconfig seng management quota-sengs disk-quota config <float>
set deviceconfig seng management quota-sengs disk-quota system <float>
set deviceconfig seng management quota-sengs disk-quota globalprotect <float>
set deviceconfig seng management quota-sengs disk-quota desum <float>
set deviceconfig seng management quota-sengs disk-quota decrypon <float>
set deviceconfig seng management quota-sengs disk-quota alarm <float>
set deviceconfig seng management quota-sengs disk-quota appstat <float>
set deviceconfig seng management quota-sengs disk-quota trsum <float>
set deviceconfig seng management quota-sengs disk-quota thsum <float>
set deviceconfig seng management quota-sengs disk-quota urlsum <float>

PAN-OS CLI Quick Start Version Version 10.1 427 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng management quota-sengs disk-quota hipmatch <float>

set deviceconfig seng management quota-sengs disk-quota hourlytrsum <float>
set deviceconfig seng management quota-sengs disk-quota dailytrsum <float>
set deviceconfig seng management quota-sengs disk-quota weeklytrsum <float>
set deviceconfig seng management quota-sengs disk-quota hourlythsum <float>
set deviceconfig seng management quota-sengs disk-quota dailythsum <float>
set deviceconfig seng management quota-sengs disk-quota weeklythsum <float>
set deviceconfig seng management quota-sengs disk-quota hourlyurlsum <float>
set deviceconfig seng management quota-sengs disk-quota dailyurlsum <float>
set deviceconfig seng management quota-sengs disk-quota weeklyurlsum <float>
set deviceconfig seng management quota-sengs disk-quota threat-pcaps <float>
set deviceconfig seng management quota-sengs disk-quota gtp <float>
set deviceconfig seng management quota-sengs disk-quota gtpsum <float>
set deviceconfig seng management quota-sengs disk-quota hourlygtpsum <float>
set deviceconfig seng management quota-sengs disk-quota dailygtpsum <float>
set deviceconfig seng management quota-sengs disk-quota weeklygtpsum <float>
set deviceconfig seng management quota-sengs disk-quota hourlydesum <float>
set deviceconfig seng management quota-sengs disk-quota dailydesum <float>
set deviceconfig seng management quota-sengs disk-quota weeklydesum <float>
set deviceconfig seng management quota-sengs disk-quota userid <float>
set deviceconfig seng management quota-sengs disk-quota auth <float>
set deviceconfig seng management quota-sengs disk-quota iptag <float>
set deviceconfig seng management quota-sengs disk-quota dlp-logs <float>
set deviceconfig seng management quota-sengs disk-quota applicaon-pcaps <float>
set deviceconfig seng management quota-sengs disk-quota debug-filter-pcaps <float>
set deviceconfig seng management quota-sengs disk-quota hip-reports <float>
set deviceconfig seng management large-core <yes|no>
set deviceconfig seng management disable-predefined-reports [ <disable-predefined-reports1>
<disable-predefined-reports2>... ]
set deviceconfig seng management disable-predefined-correlaon-objs [ <disable-predefined-
correlaon-objs1> <disable-predefined-correlaon-objs2>... ]
set deviceconfig seng management common-criteria
set deviceconfig seng management common-criteria enable-cconly-logs <yes|no>
set deviceconfig seng management common-criteria enable-packet-drop-logs <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 428 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng management common-criteria skip-authencaon-success-logs <yes|no>

set deviceconfig seng management common-criteria skip-authencaon-failure-logs <yes|no>
set deviceconfig seng management common-criteria enable-tls-session-logging <yes|no>
set deviceconfig seng management common-criteria enable-ocsp-crl-logs <yes|no>
set deviceconfig seng management common-criteria enable-ike-logging <yes|no>
set deviceconfig seng management common-criteria skip-configuraon-logs-for [ <skip-
configuraon-logs-for1> <skip-configuraon-logs-for2>... ]
set deviceconfig seng management common-criteria self-test-schedule
set deviceconfig seng management common-criteria self-test-schedule crypto
set deviceconfig seng management common-criteria self-test-schedule crypto start-me
[ <start-me1> <start-me2>... ]
set deviceconfig seng management common-criteria self-test-schedule soware-integrity
set deviceconfig seng management common-criteria self-test-schedule soware-integrity start-
me [ <start-me1> <start-me2>... ]
set deviceconfig seng management common-criteria
set deviceconfig seng management common-criteria self-test-schedule
set deviceconfig seng management common-criteria self-test-schedule crypto
set deviceconfig seng management common-criteria self-test-schedule crypto start-me
[ <start-me1> <start-me2>... ]
set deviceconfig seng management common-criteria self-test-schedule soware-integrity
set deviceconfig seng management common-criteria self-test-schedule soware-integrity start-
me [ <start-me1> <start-me2>... ]
set deviceconfig seng management common-criteria
set deviceconfig seng management common-criteria enable-tls-session-logging <yes|no>
set deviceconfig seng management common-criteria enable-ocsp-crl-logs <yes|no>
set deviceconfig seng management common-criteria enable-ike-logging <yes|no>
set deviceconfig seng management idle-meout <1-1440>|<0>
set deviceconfig seng management api
set deviceconfig seng management api key
set deviceconfig seng management api key lifeme <1-525600>|<0>
set deviceconfig seng management admin-lockout
set deviceconfig seng management admin-lockout failed-aempts <1-10>
set deviceconfig seng management admin-lockout failed-aempts <0-10>
set deviceconfig seng management admin-lockout lockout-me <0-60>
set deviceconfig seng management admin-lockout lockout-me <0-60>

PAN-OS CLI Quick Start Version Version 10.1 429 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng management admin-session

set deviceconfig seng management admin-session max-session-count <0-4>
set deviceconfig seng management admin-session max-session-me <value>
set deviceconfig seng management admin-session max-session-count <0-4>
set deviceconfig seng management admin-session max-session-me <value>
set deviceconfig seng management appusage-lifeme <60-365>
set deviceconfig seng management hostname-type-in-syslog <none|FQDN|hostname|ipv4-
address|ipv6-address>
set deviceconfig seng management report-run-me <value>
set deviceconfig seng management report-expiraon-period <1-2000>
set deviceconfig seng management threat-vault-access <yes|no>
set deviceconfig seng management support-u8-for-log-output <yes|no>
set deviceconfig seng management auto-acquire-commit-lock <yes|no>
set deviceconfig seng management disable-commit-recovery <yes|no>
set deviceconfig seng management commit-recovery-retry <1-5>
set deviceconfig seng management commit-recovery-meout <3-30>
set deviceconfig seng management rule-hit-count <yes|no>
set deviceconfig seng management rule-require-tag <yes|no>
set deviceconfig seng management rule-require-descripon <yes|no>
set deviceconfig seng management rule-fail-commit <yes|no>
set deviceconfig seng management rule-require-audit-comment <yes|no>
set deviceconfig seng management rule-audit-comment-regex <value>
set deviceconfig seng management appusage-policy <yes|no>
set deviceconfig seng management canonicalize-block-allow-list <yes|no>
set deviceconfig seng management traffic-stop-on-logdb-full <yes|no>
set deviceconfig seng management enable-log-high-dp-load <yes|no>
set deviceconfig seng management enable-cerficate-expiraon-check <yes|no>
set deviceconfig seng management max-rows-in-csv-export <1-1048576>
set deviceconfig seng management max-rows-in-pdf-report <1-1048576>
set deviceconfig seng management browse-acvity-report-seng
set deviceconfig seng management browse-acvity-report-seng average-browse-me
<1-300>
set deviceconfig seng management browse-acvity-report-seng page-load-threshold <1-60>
set deviceconfig seng management max-audit-versions <1-1048576>

PAN-OS CLI Quick Start Version Version 10.1 430 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng management panorama-tcp-receive-meout <1-240>

set deviceconfig seng management panorama-tcp-send-meout <1-240>
set deviceconfig seng management panorama-ssl-send-retries <1-64>
set deviceconfig seng management device-monitoring
set deviceconfig seng management device-monitoring enabled <yes|no>
set deviceconfig seng management common-criteria-alarm-generaon
set deviceconfig seng management common-criteria-alarm-generaon enable-alarm-generaon
<yes|no>
set deviceconfig seng management common-criteria-alarm-generaon enable-cli-alarm-
noficaon <yes|no>
set deviceconfig seng management common-criteria-alarm-generaon enable-web-alarm-
noficaon <yes|no>
set deviceconfig seng management common-criteria-alarm-generaon enable-audible-alarms
<yes|no>
set deviceconfig seng management common-criteria-alarm-generaon encrypt-decrypt-fail-
count <1-4294967295>
set deviceconfig seng management common-criteria-alarm-generaon security-policy-limits
set deviceconfig seng management common-criteria-alarm-generaon security-policy-limits
count <1-4294967295>
set deviceconfig seng management common-criteria-alarm-generaon security-policy-limits
me-interval <30-86400>
set deviceconfig seng management common-criteria-alarm-generaon rule-group-limits
set deviceconfig seng management common-criteria-alarm-generaon rule-group-limits count
<1-4294967295>
set deviceconfig seng management common-criteria-alarm-generaon rule-group-limits me-
interval <30-86400>
set deviceconfig seng management common-criteria-alarm-generaon rule-group-limits tags
[ <tags1> <tags2>... ]
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold traffic <0-100>
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold threat <0-100>
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold config <0-100>
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold system <0-100>

PAN-OS CLI Quick Start Version Version 10.1 431 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-

threshold alarm <0-100>
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold hipmatch <0-100>
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold userid <0-100>
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold iptag <0-100>
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold auth <0-100>
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold gtp <0-100>
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold sctp <0-100>
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold globalprotect <0-100>
set deviceconfig seng management common-criteria-alarm-generaon log-databases-alarm-
threshold decrypon <0-100>
set deviceconfig seng management audit-tracking
set deviceconfig seng management audit-tracking op-commands <yes|no>
set deviceconfig seng management audit-tracking ui-acons <yes|no>
set deviceconfig seng management audit-tracking send-syslog <value>
set deviceconfig seng logrcvr
set deviceconfig seng logrcvr container-page-meout <1-60>
set deviceconfig seng vpn
set deviceconfig seng vpn ikev2
set deviceconfig seng vpn ikev2 cookie-threshold <0-65535>
set deviceconfig seng vpn ikev2 max-half-opened-sa <1-65535>
set deviceconfig seng vpn ikev2 cerficate-cache-size <0-4000>
set deviceconfig seng tunnel-acceleraon <yes|no>
set deviceconfig seng advance-roung <yes|no>
set deviceconfig seng custom-logo
set deviceconfig seng custom-logo login-screen
set deviceconfig seng custom-logo login-screen name <value>
set deviceconfig seng custom-logo login-screen content <value>
set deviceconfig seng custom-logo main-ui

PAN-OS CLI Quick Start Version Version 10.1 432 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig seng custom-logo main-ui name <value>

set deviceconfig seng custom-logo main-ui content <value>
set deviceconfig seng custom-logo pdf-report-header
set deviceconfig seng custom-logo pdf-report-header name <value>
set deviceconfig seng custom-logo pdf-report-header content <value>
set deviceconfig seng custom-logo pdf-report-footer
set deviceconfig seng custom-logo pdf-report-footer name <value>
set deviceconfig seng custom-logo pdf-report-footer content <value>
set deviceconfig seng iot
set deviceconfig seng iot edge
set deviceconfig seng iot edge disable-device-cert <yes|no>
set deviceconfig seng iot edge address <ip/netmask>|<value>
set deviceconfig seng cloudapp
set deviceconfig seng cloudapp disable <yes|no>
set deviceconfig seng cloudapp cloudapp-srvr-addr
set deviceconfig seng cloudapp cloudapp-srvr-addr address <ip/netmask>|<value>
set deviceconfig high-availability
set deviceconfig high-availability enabled <yes|no>
set deviceconfig high-availability interface
set deviceconfig high-availability interface ha1
set deviceconfig high-availability interface ha1 port <value>|<ha1-a|ha1-b|management>
set deviceconfig high-availability interface ha1 link-speed <auto|10|100|1000>
set deviceconfig high-availability interface ha1 link-duplex <auto|full|half>
set deviceconfig high-availability interface ha1 encrypon
set deviceconfig high-availability interface ha1 encrypon enabled <yes|no>
set deviceconfig high-availability interface ha1 ip-address <ip/netmask>
set deviceconfig high-availability interface ha1 netmask <value>
set deviceconfig high-availability interface ha1 gateway <ip/netmask>
set deviceconfig high-availability interface ha1 monitor-hold-me <1000-60000>
set deviceconfig high-availability interface ha1-backup
set deviceconfig high-availability interface ha1-backup port <value>|<ha1-a|ha1-b|management>
set deviceconfig high-availability interface ha1-backup link-speed <auto|10|100|1000>
set deviceconfig high-availability interface ha1-backup link-duplex <auto|full|half>

PAN-OS CLI Quick Start Version Version 10.1 433 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig high-availability interface ha1-backup ip-address <ip/netmask>

set deviceconfig high-availability interface ha1-backup netmask <value>
set deviceconfig high-availability interface ha1-backup gateway <ip/netmask>
set deviceconfig high-availability interface ha2
set deviceconfig high-availability interface ha2 port <value>|<hsci>
set deviceconfig high-availability interface ha2 ip-address <ip/netmask>
set deviceconfig high-availability interface ha2 netmask <value>
set deviceconfig high-availability interface ha2 gateway <ip/netmask>
set deviceconfig high-availability interface ha2-backup
set deviceconfig high-availability interface ha2-backup port <value>|<hsci>
set deviceconfig high-availability interface ha2-backup ip-address <ip/netmask>
set deviceconfig high-availability interface ha2-backup netmask <value>
set deviceconfig high-availability interface ha2-backup gateway <ip/netmask>
set deviceconfig high-availability interface ha3
set deviceconfig high-availability interface ha3 port <value>|<hsci>
set deviceconfig high-availability interface ha4
set deviceconfig high-availability interface ha4 port <value>
set deviceconfig high-availability interface ha4 ip-address <ip/netmask>
set deviceconfig high-availability interface ha4 netmask <value>
set deviceconfig high-availability interface ha4-backup
set deviceconfig high-availability interface ha4-backup port <value>
set deviceconfig high-availability interface ha4-backup ip-address <ip/netmask>
set deviceconfig high-availability interface ha4-backup netmask <value>
set deviceconfig high-availability cluster
set deviceconfig high-availability cluster enabled <yes|no>
set deviceconfig high-availability cluster cluster-id <1-99>
set deviceconfig high-availability cluster cluster-synchronizaon-meout <0-30>
set deviceconfig high-availability cluster cluster-keepalive-threshold <5000-60000>
set deviceconfig high-availability cluster descripon <value>
set deviceconfig high-availability cluster cluster-members
set deviceconfig high-availability cluster cluster-members <name>
set deviceconfig high-availability cluster cluster-members <name> ha4-ip-address <ip/netmask>
set deviceconfig high-availability cluster cluster-members <name> ha4-backup-ip-address <ip/
netmask>

PAN-OS CLI Quick Start Version Version 10.1 434 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig high-availability cluster cluster-members <name> session-synchronizaon

<enabled|disabled>
set deviceconfig high-availability cluster cluster-members <name> comments <value>
set deviceconfig high-availability cluster monitor-fail-hold-down-me <1-60>
set deviceconfig high-availability group
set deviceconfig high-availability group group-id <1-63>
set deviceconfig high-availability group descripon <value>
set deviceconfig high-availability group elecon-opon
set deviceconfig high-availability group elecon-opon device-priority <0-255>
set deviceconfig high-availability group elecon-opon preempve <yes|no>
set deviceconfig high-availability group elecon-opon heartbeat-backup <yes|no>
set deviceconfig high-availability group elecon-opon mers
set deviceconfig high-availability group elecon-opon mers
set deviceconfig high-availability group elecon-opon mers recommended
set deviceconfig high-availability group elecon-opon mers aggressive
set deviceconfig high-availability group elecon-opon mers advanced
set deviceconfig high-availability group elecon-opon mers advanced promoon-hold-me
<0-60000>
set deviceconfig high-availability group elecon-opon mers advanced hello-interval
<8000-60000>
set deviceconfig high-availability group elecon-opon mers advanced heartbeat-interval
<1000-60000>
set deviceconfig high-availability group elecon-opon mers advanced flap-max <1-16>|
<infinite|disable>
set deviceconfig high-availability group elecon-opon mers advanced preempon-hold-me
<1-60>
set deviceconfig high-availability group elecon-opon mers advanced monitor-fail-hold-up-me
<0-60000>
set deviceconfig high-availability group elecon-opon mers advanced addional-master-hold-
up-me <0-60000>
set deviceconfig high-availability group peer-ip <ip/netmask>
set deviceconfig high-availability group peer-ip-backup <ip/netmask>
set deviceconfig high-availability group state-synchronizaon
set deviceconfig high-availability group state-synchronizaon enabled <yes|no>
set deviceconfig high-availability group state-synchronizaon transport <ethernet|ip|udp>
set deviceconfig high-availability group state-synchronizaon ha2-keep-alive

PAN-OS CLI Quick Start Version Version 10.1 435 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig high-availability group state-synchronizaon ha2-keep-alive enabled <yes|no>

set deviceconfig high-availability group state-synchronizaon ha2-keep-alive acon <log-only|
split-datapath>
set deviceconfig high-availability group state-synchronizaon ha2-keep-alive threshold
<5000-60000>
set deviceconfig high-availability group configuraon-synchronizaon
set deviceconfig high-availability group configuraon-synchronizaon enabled <yes|no>
set deviceconfig high-availability group mode
set deviceconfig high-availability group mode
set deviceconfig high-availability group mode acve-passive
set deviceconfig high-availability group mode acve-passive passive-link-state <shutdown|auto>
set deviceconfig high-availability group mode acve-passive monitor-fail-hold-down-me <1-60>
set deviceconfig high-availability group mode acve-acve
set deviceconfig high-availability group mode acve-acve device-id <0|1>
set deviceconfig high-availability group mode acve-acve tentave-hold-me <10-600>|
<disabled>
set deviceconfig high-availability group mode acve-acve network-configuraon
set deviceconfig high-availability group mode acve-acve network-configuraon sync
set deviceconfig high-availability group mode acve-acve network-configuraon sync virtual-
router <yes|no>
set deviceconfig high-availability group mode acve-acve network-configuraon sync logical-
router <yes|no>
set deviceconfig high-availability group mode acve-acve network-configuraon sync qos <yes|
no>
set deviceconfig high-availability group mode acve-acve virtual-address
set deviceconfig high-availability group mode acve-acve virtual-address <name>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
floang
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
floang bind-to-acve-primary <yes|no>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
floang device-priority
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
floang device-priority device-0 <0-255>

PAN-OS CLI Quick Start Version Version 10.1 436 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>

floang device-priority device-1 <0-255>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
floang device-priority failover-on-link-down <yes|no>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
arp-load-sharing
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
arp-load-sharing
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
arp-load-sharing ip-modulo
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
arp-load-sharing ip-hash
set deviceconfig high-availability group mode acve-acve virtual-address <name> ip <name>
arp-load-sharing ip-hash hash-seed <0-4294967295>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
floang
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
floang bind-to-acve-primary <yes|no>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
floang device-priority
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
floang device-priority device-0 <0-255>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
floang device-priority device-1 <0-255>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
floang device-priority failover-on-link-down <yes|no>
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
arp-load-sharing
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
arp-load-sharing
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
arp-load-sharing ip-modulo
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
arp-load-sharing ip-hash
set deviceconfig high-availability group mode acve-acve virtual-address <name> ipv6 <name>
arp-load-sharing ip-hash hash-seed <0-4294967295>

PAN-OS CLI Quick Start Version Version 10.1 437 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig high-availability group mode acve-acve session-owner-selecon

set deviceconfig high-availability group mode acve-acve session-owner-selecon
set deviceconfig high-availability group mode acve-acve session-owner-selecon primary-
device
set deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
set deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup
set deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup
set deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup primary-device
set deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup first-packet
set deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup ip-modulo
set deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup ip-hash
set deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup ip-hash hash-key <source|source-and-desnaon>
set deviceconfig high-availability group mode acve-acve session-owner-selecon first-packet
session-setup ip-hash hash-seed <0-4294967295>
set deviceconfig high-availability group monitoring
set deviceconfig high-availability group monitoring path-monitoring
set deviceconfig high-availability group monitoring path-monitoring enabled <yes|no>
set deviceconfig high-availability group monitoring path-monitoring failure-condion <any|all>
set deviceconfig high-availability group monitoring path-monitoring path-group
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name> source-ip <ip/netmask>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name> enabled <yes|no>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name> failure-condion <any|all>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name> ping-interval <200-60000>

PAN-OS CLI Quick Start Version Version 10.1 438 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire

<name> ping-count <3-10>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name> desnaon-ip-group
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name> desnaon-ip-group <name>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name> desnaon-ip-group <name> desnaon-ip [ <desnaon-ip1> <desnaon-ip2>... ]
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name> desnaon-ip-group <name> enabled <yes|no>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire
<name> desnaon-ip-group <name> failure-condion <any|all>
set deviceconfig high-availability group monitoring path-monitoring path-group vlan
set deviceconfig high-availability group monitoring path-monitoring path-group vlan <name>
set deviceconfig high-availability group monitoring path-monitoring path-group vlan <name>
source-ip <ip/netmask>
set deviceconfig high-availability group monitoring path-monitoring path-group vlan <name>
enabled <yes|no>
set deviceconfig high-availability group monitoring path-monitoring path-group vlan <name>
failure-condion <any|all>
set deviceconfig high-availability group monitoring path-monitoring path-group vlan <name> ping-
interval <200-60000>
set deviceconfig high-availability group monitoring path-monitoring path-group vlan <name> ping-
count <3-10>
set deviceconfig high-availability group monitoring path-monitoring path-group vlan <name>
desnaon-ip-group
set deviceconfig high-availability group monitoring path-monitoring path-group vlan <name>
desnaon-ip-group <name>
set deviceconfig high-availability group monitoring path-monitoring path-group vlan <name>
desnaon-ip-group <name> desnaon-ip [ <desnaon-ip1> <desnaon-ip2>... ]
set deviceconfig high-availability group monitoring path-monitoring path-group vlan <name>
desnaon-ip-group <name> enabled <yes|no>
set deviceconfig high-availability group monitoring path-monitoring path-group vlan <name>
desnaon-ip-group <name> failure-condion <any|all>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
<name>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
<name> enabled <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 439 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router

<name> failure-condion <any|all>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
<name> ping-interval <200-60000>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
<name> ping-count <3-10>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
<name> desnaon-ip-group
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
<name> desnaon-ip-group <name>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
<name> desnaon-ip-group <name> desnaon-ip [ <desnaon-ip1> <desnaon-ip2>... ]
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
<name> desnaon-ip-group <name> enabled <yes|no>
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router
<name> desnaon-ip-group <name> failure-condion <any|all>
set deviceconfig high-availability group monitoring path-monitoring path-group logical-router
set deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name>
set deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name> enabled <yes|no>
set deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name> failure-condion <any|all>
set deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name> ping-interval <200-60000>
set deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name> ping-count <3-10>
set deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name> desnaon-ip-group
set deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name> desnaon-ip-group <name>
set deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name> desnaon-ip-group <name> desnaon-ip [ <desnaon-ip1> <desnaon-ip2>... ]
set deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name> desnaon-ip-group <name> enabled <yes|no>
set deviceconfig high-availability group monitoring path-monitoring path-group logical-router
<name> desnaon-ip-group <name> failure-condion <any|all>
set deviceconfig high-availability group monitoring link-monitoring
set deviceconfig high-availability group monitoring link-monitoring enabled <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 440 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set deviceconfig high-availability group monitoring link-monitoring failure-condion <any|all>

set deviceconfig high-availability group monitoring link-monitoring link-group
set deviceconfig high-availability group monitoring link-monitoring link-group <name>
set deviceconfig high-availability group monitoring link-monitoring link-group <name> enabled
<yes|no>
set deviceconfig high-availability group monitoring link-monitoring link-group <name> failure-
condion <any|all>
set deviceconfig high-availability group monitoring link-monitoring link-group <name> interface
[ <interface1> <interface2>... ]
set mgt-config
set mgt-config password-complexity
set mgt-config password-complexity enabled <yes|no>
set mgt-config password-complexity block-username-inclusion <yes|no>
set mgt-config password-complexity password-change-on-first-login <yes|no>
set mgt-config password-complexity minimum-length <6-15>
set mgt-config password-complexity minimum-length <0-15>
set mgt-config password-complexity minimum-uppercase-leers <0-15>
set mgt-config password-complexity minimum-lowercase-leers <0-15>
set mgt-config password-complexity minimum-numeric-leers <0-15>
set mgt-config password-complexity minimum-special-characters <0-15>
set mgt-config password-complexity block-repeated-characters <0-15>
set mgt-config password-complexity password-history-count <0-150>
set mgt-config password-complexity new-password-differs-by-characters <0-15>
set mgt-config password-complexity password-change-period-block <0-365>
set mgt-config password-complexity password-change
set mgt-config password-complexity password-change expiraon-period <0-365>
set mgt-config password-complexity password-change expiraon-warning-period <0-30>
set mgt-config password-complexity password-change post-expiraon-admin-login-count <0-3>
set mgt-config password-complexity password-change post-expiraon-grace-period <0-30>
set mgt-config password-profile
set mgt-config password-profile <name>
set mgt-config password-profile <name> password-change
set mgt-config password-profile <name> password-change expiraon-period <0-365>
set mgt-config password-profile <name> password-change expiraon-warning-period <0-30>

PAN-OS CLI Quick Start Version Version 10.1 441 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set mgt-config password-profile <name> password-change post-expiraon-admin-login-count

<0-3>
set mgt-config password-profile <name> password-change post-expiraon-grace-period <0-30>
set mgt-config users
set mgt-config users <name>
set mgt-config users <name> phash <value>
set mgt-config users <name> authencaon-profile <value>
set mgt-config users <name> password-profile <value>
set mgt-config users <name> client-cerficate-only <yes|no>
set mgt-config users <name> public-key <value>
set mgt-config users <name> public-key <value>
set mgt-config users <name> preferences
set mgt-config users <name> preferences disable-dns <yes|no>
set mgt-config users <name> preferences saved-log-query
set mgt-config users <name> preferences saved-log-query unified
set mgt-config users <name> preferences saved-log-query unified <name>
set mgt-config users <name> preferences saved-log-query unified <name> query <value>
set mgt-config users <name> preferences saved-log-query traffic
set mgt-config users <name> preferences saved-log-query traffic <name>
set mgt-config users <name> preferences saved-log-query traffic <name> query <value>
set mgt-config users <name> preferences saved-log-query threat
set mgt-config users <name> preferences saved-log-query threat <name>
set mgt-config users <name> preferences saved-log-query threat <name> query <value>
set mgt-config users <name> preferences saved-log-query url
set mgt-config users <name> preferences saved-log-query url <name>
set mgt-config users <name> preferences saved-log-query url <name> query <value>
set mgt-config users <name> preferences saved-log-query data
set mgt-config users <name> preferences saved-log-query data <name>
set mgt-config users <name> preferences saved-log-query data <name> query <value>
set mgt-config users <name> preferences saved-log-query config
set mgt-config users <name> preferences saved-log-query config <name>
set mgt-config users <name> preferences saved-log-query config <name> query <value>
set mgt-config users <name> preferences saved-log-query system
set mgt-config users <name> preferences saved-log-query system <name>

PAN-OS CLI Quick Start Version Version 10.1 442 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set mgt-config users <name> preferences saved-log-query system <name> query <value>
set mgt-config users <name> preferences saved-log-query wildfire
set mgt-config users <name> preferences saved-log-query wildfire <name>
set mgt-config users <name> preferences saved-log-query wildfire <name> query <value>
set mgt-config users <name> preferences saved-log-query hipmatch
set mgt-config users <name> preferences saved-log-query hipmatch <name>
set mgt-config users <name> preferences saved-log-query hipmatch <name> query <value>
set mgt-config users <name> preferences saved-log-query corr
set mgt-config users <name> preferences saved-log-query corr <name>
set mgt-config users <name> preferences saved-log-query corr <name> query <value>
set mgt-config users <name> preferences saved-log-query tunnel
set mgt-config users <name> preferences saved-log-query tunnel <name>
set mgt-config users <name> preferences saved-log-query tunnel <name> query <value>
set mgt-config users <name> preferences saved-log-query userid
set mgt-config users <name> preferences saved-log-query userid <name>
set mgt-config users <name> preferences saved-log-query userid <name> query <value>
set mgt-config users <name> preferences saved-log-query auth
set mgt-config users <name> preferences saved-log-query auth <name>
set mgt-config users <name> preferences saved-log-query auth <name> query <value>
set mgt-config users <name> preferences saved-log-query globalprotect
set mgt-config users <name> preferences saved-log-query globalprotect <name>
set mgt-config users <name> preferences saved-log-query globalprotect <name> query <value>
set mgt-config users <name> preferences saved-log-query alarm
set mgt-config users <name> preferences saved-log-query alarm <name>
set mgt-config users <name> preferences saved-log-query alarm <name> query <value>
set mgt-config users <name> preferences saved-log-query decrypon
set mgt-config users <name> preferences saved-log-query decrypon <name>
set mgt-config users <name> preferences saved-log-query decrypon <name> query <value>
set mgt-config users <name> permissions
set mgt-config users <name> permissions role-based
set mgt-config users <name> permissions role-based vsysreader
set mgt-config users <name> permissions role-based vsysreader <name>
set mgt-config users <name> permissions role-based vsysreader <name> vsys [ <vsys1>
<vsys2>... ]

PAN-OS CLI Quick Start Version Version 10.1 443 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set mgt-config users <name> permissions role-based vsysadmin

set mgt-config users <name> permissions role-based vsysadmin <name>
set mgt-config users <name> permissions role-based vsysadmin <name> vsys [ <vsys1>
<vsys2>... ]
set mgt-config users <name> permissions role-based devicereader [ <devicereader1>
<devicereader2>... ]
set mgt-config users <name> permissions role-based deviceadmin [ <deviceadmin1>
<deviceadmin2>... ]
set mgt-config users <name> permissions role-based superreader <yes>
set mgt-config users <name> permissions role-based superuser <yes>
set mgt-config users <name> permissions role-based custom
set mgt-config users <name> permissions role-based custom profile <value>
set mgt-config users <name> permissions role-based custom vsys [ <vsys1> <vsys2>... ]
set mgt-config access-domain
set mgt-config access-domain <name>
set mgt-config access-domain <name> vsys [ <vsys1> <vsys2>... ]
set network
set network profiles
set network profiles monitor-profile
set network profiles monitor-profile <name>
set network profiles monitor-profile <name> interval <2-100>
set network profiles monitor-profile <name> threshold <2-10>
set network profiles monitor-profile <name> acon <wait-recover|fail-over>
set network profiles interface-management-profile
set network profiles interface-management-profile <name>
set network profiles interface-management-profile <name> hp <yes|no>
set network profiles interface-management-profile <name> hps <yes|no>
set network profiles interface-management-profile <name> ping <yes|no>
set network profiles interface-management-profile <name> response-pages <yes|no>
set network profiles interface-management-profile <name> userid-service <yes|no>
set network profiles interface-management-profile <name> userid-syslog-listener-ssl <yes|no>
set network profiles interface-management-profile <name> userid-syslog-listener-udp <yes|no>
set network profiles interface-management-profile <name> ssh <yes|no>
set network profiles interface-management-profile <name> telnet <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 444 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network profiles interface-management-profile <name> snmp <yes|no>

set network profiles interface-management-profile <name> hp-ocsp <yes|no>
set network profiles interface-management-profile <name> permied-ip
set network profiles interface-management-profile <name> permied-ip <name>
set network profiles zone-protecon-profile
set network profiles zone-protecon-profile <name>
set network profiles zone-protecon-profile <name> descripon <value>
set network profiles zone-protecon-profile <name> scan
set network profiles zone-protecon-profile <name> scan <name>
set network profiles zone-protecon-profile <name> scan <name> acon
set network profiles zone-protecon-profile <name> scan <name> acon allow
set network profiles zone-protecon-profile <name> scan <name> acon alert
set network profiles zone-protecon-profile <name> scan <name> acon block
set network profiles zone-protecon-profile <name> scan <name> acon block-ip
set network profiles zone-protecon-profile <name> scan <name> acon block-ip track-by
<source|source-and-desnaon>
set network profiles zone-protecon-profile <name> scan <name> acon block-ip duraon
<1-3600>
set network profiles zone-protecon-profile <name> scan <name> interval <2-65535>
set network profiles zone-protecon-profile <name> scan <name> threshold <2-65535>
set network profiles zone-protecon-profile <name> scan-white-list
set network profiles zone-protecon-profile <name> scan-white-list <name>
set network profiles zone-protecon-profile <name> scan-white-list <name>
set network profiles zone-protecon-profile <name> scan-white-list <name> ipv4 <value>
set network profiles zone-protecon-profile <name> scan-white-list <name> ipv6 <value>
set network profiles zone-protecon-profile <name> flood
set network profiles zone-protecon-profile <name> flood tcp-syn
set network profiles zone-protecon-profile <name> flood tcp-syn enable <yes|no>
set network profiles zone-protecon-profile <name> flood tcp-syn
set network profiles zone-protecon-profile <name> flood tcp-syn red
set network profiles zone-protecon-profile <name> flood tcp-syn red alarm-rate <0-2000000>
set network profiles zone-protecon-profile <name> flood tcp-syn red acvate-rate <1-2000000>
set network profiles zone-protecon-profile <name> flood tcp-syn red maximal-rate
<1-2000000>

PAN-OS CLI Quick Start Version Version 10.1 445 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network profiles zone-protecon-profile <name> flood tcp-syn syn-cookies

set network profiles zone-protecon-profile <name> flood tcp-syn syn-cookies alarm-rate
<0-2000000>
set network profiles zone-protecon-profile <name> flood tcp-syn syn-cookies acvate-rate
<0-2000000>
set network profiles zone-protecon-profile <name> flood tcp-syn syn-cookies maximal-rate
<1-2000000>
set network profiles zone-protecon-profile <name> flood udp
set network profiles zone-protecon-profile <name> flood udp enable <yes|no>
set network profiles zone-protecon-profile <name> flood udp red
set network profiles zone-protecon-profile <name> flood udp red alarm-rate <0-2000000>
set network profiles zone-protecon-profile <name> flood udp red acvate-rate <1-2000000>
set network profiles zone-protecon-profile <name> flood udp red maximal-rate <1-2000000>
set network profiles zone-protecon-profile <name> flood icmp
set network profiles zone-protecon-profile <name> flood icmp enable <yes|no>
set network profiles zone-protecon-profile <name> flood icmp red
set network profiles zone-protecon-profile <name> flood icmp red alarm-rate <0-2000000>
set network profiles zone-protecon-profile <name> flood icmp red acvate-rate <1-2000000>
set network profiles zone-protecon-profile <name> flood icmp red maximal-rate <1-2000000>
set network profiles zone-protecon-profile <name> flood icmpv6
set network profiles zone-protecon-profile <name> flood icmpv6 enable <yes|no>
set network profiles zone-protecon-profile <name> flood icmpv6 red
set network profiles zone-protecon-profile <name> flood icmpv6 red alarm-rate <0-2000000>
set network profiles zone-protecon-profile <name> flood icmpv6 red acvate-rate <1-2000000>
set network profiles zone-protecon-profile <name> flood icmpv6 red maximal-rate
<1-2000000>
set network profiles zone-protecon-profile <name> flood other-ip
set network profiles zone-protecon-profile <name> flood other-ip enable <yes|no>
set network profiles zone-protecon-profile <name> flood other-ip red
set network profiles zone-protecon-profile <name> flood other-ip red alarm-rate <0-2000000>
set network profiles zone-protecon-profile <name> flood other-ip red acvate-rate
<1-2000000>
set network profiles zone-protecon-profile <name> flood other-ip red maximal-rate
<1-2000000>
set network profiles zone-protecon-profile <name> ipv6

PAN-OS CLI Quick Start Version Version 10.1 446 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network profiles zone-protecon-profile <name> ipv6 roung-header-0 <yes|no>

set network profiles zone-protecon-profile <name> ipv6 roung-header-1 <yes|no>
set network profiles zone-protecon-profile <name> ipv6 roung-header-3 <yes|no>
set network profiles zone-protecon-profile <name> ipv6 roung-header-4-252 <yes|no>
set network profiles zone-protecon-profile <name> ipv6 roung-header-253 <yes|no>
set network profiles zone-protecon-profile <name> ipv6 roung-header-254 <yes|no>
set network profiles zone-protecon-profile <name> ipv6 roung-header-255 <yes|no>
set network profiles zone-protecon-profile <name> ipv6 ipv4-compable-address <yes|no>
set network profiles zone-protecon-profile <name> ipv6 mulcast-source <yes|no>
set network profiles zone-protecon-profile <name> ipv6 anycast-source <yes|no>
set network profiles zone-protecon-profile <name> ipv6 filter-ext-hdr
set network profiles zone-protecon-profile <name> ipv6 filter-ext-hdr hop-by-hop-hdr <yes|no>
set network profiles zone-protecon-profile <name> ipv6 filter-ext-hdr roung-hdr <yes|no>
set network profiles zone-protecon-profile <name> ipv6 filter-ext-hdr dest-opon-hdr <yes|no>
set network profiles zone-protecon-profile <name> ipv6 ignore-inv-pkt
set network profiles zone-protecon-profile <name> ipv6 ignore-inv-pkt dest-unreach <yes|no>
set network profiles zone-protecon-profile <name> ipv6 ignore-inv-pkt pkt-too-big <yes|no>
set network profiles zone-protecon-profile <name> ipv6 ignore-inv-pkt me-exceeded <yes|no>
set network profiles zone-protecon-profile <name> ipv6 ignore-inv-pkt param-problem <yes|no>
set network profiles zone-protecon-profile <name> ipv6 ignore-inv-pkt redirect <yes|no>
set network profiles zone-protecon-profile <name> ipv6 opons-invalid-ipv6-discard <yes|no>
set network profiles zone-protecon-profile <name> ipv6 icmpv6-too-big-small-mtu-discard <yes|
no>
set network profiles zone-protecon-profile <name> ipv6 needless-fragment-hdr <yes|no>
set network profiles zone-protecon-profile <name> ipv6 reserved-field-set-discard <yes|no>
set network profiles zone-protecon-profile <name> tcp-reject-non-syn <global|yes|no>
set network profiles zone-protecon-profile <name> strip-mptcp-opon <global|yes|no>
set network profiles zone-protecon-profile <name> asymmetric-path <global|drop|bypass>
set network profiles zone-protecon-profile <name> discard-ip-spoof <yes|no>
set network profiles zone-protecon-profile <name> discard-ip-frag <yes|no>
set network profiles zone-protecon-profile <name> discard-icmp-ping-zero-id <yes|no>
set network profiles zone-protecon-profile <name> discard-icmp-frag <yes|no>
set network profiles zone-protecon-profile <name> discard-icmp-large-packet <yes|no>
set network profiles zone-protecon-profile <name> discard-icmp-error <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 447 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network profiles zone-protecon-profile <name> suppress-icmp-meexceeded <yes|no>

set network profiles zone-protecon-profile <name> suppress-icmp-needfrag <yes|no>
set network profiles zone-protecon-profile <name> discard-strict-source-roung <yes|no>
set network profiles zone-protecon-profile <name> discard-loose-source-roung <yes|no>
set network profiles zone-protecon-profile <name> discard-mestamp <yes|no>
set network profiles zone-protecon-profile <name> discard-record-route <yes|no>
set network profiles zone-protecon-profile <name> discard-security <yes|no>
set network profiles zone-protecon-profile <name> discard-stream-id <yes|no>
set network profiles zone-protecon-profile <name> discard-unknown-opon <yes|no>
set network profiles zone-protecon-profile <name> discard-malformed-opon <yes|no>
set network profiles zone-protecon-profile <name> discard-overlapping-tcp-segment-mismatch
<yes|no>
set network profiles zone-protecon-profile <name> strict-ip-check <yes|no>
set network profiles zone-protecon-profile <name> remove-tcp-mestamp <yes|no>
set network profiles zone-protecon-profile <name> discard-tcp-split-handshake <yes|no>
set network profiles zone-protecon-profile <name> discard-tcp-syn-with-data <yes|no>
set network profiles zone-protecon-profile <name> discard-tcp-synack-with-data <yes|no>
set network profiles zone-protecon-profile <name> strip-tcp-fast-open-and-data <yes|no>
set network profiles zone-protecon-profile <name> non-ip-protocol
set network profiles zone-protecon-profile <name> non-ip-protocol list-type <exclude|include>
set network profiles zone-protecon-profile <name> non-ip-protocol protocol
set network profiles zone-protecon-profile <name> non-ip-protocol protocol <name>
set network profiles zone-protecon-profile <name> non-ip-protocol protocol <name> ether-type
<value>
set network profiles zone-protecon-profile <name> non-ip-protocol protocol <name> enable
<yes|no>
set network profiles zone-protecon-profile <name> l2-sec-group-tag-protecon
set network profiles zone-protecon-profile <name> l2-sec-group-tag-protecon tags
set network profiles zone-protecon-profile <name> l2-sec-group-tag-protecon tags <name>
set network profiles zone-protecon-profile <name> l2-sec-group-tag-protecon tags <name> tag
<value>
set network profiles zone-protecon-profile <name> l2-sec-group-tag-protecon tags <name>
enable <yes|no>
set network profiles lldp-profile
set network profiles lldp-profile <name>

PAN-OS CLI Quick Start Version Version 10.1 448 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network profiles lldp-profile <name> mode <transmit-receive|transmit-only|receive-only>

set network profiles lldp-profile <name> snmp-syslog-noficaon <yes|no>
set network profiles lldp-profile <name> opon-tlvs
set network profiles lldp-profile <name> opon-tlvs port-descripon <yes|no>
set network profiles lldp-profile <name> opon-tlvs system-name <yes|no>
set network profiles lldp-profile <name> opon-tlvs system-descripon <yes|no>
set network profiles lldp-profile <name> opon-tlvs system-capabilies <yes|no>
set network profiles lldp-profile <name> opon-tlvs management-address
set network profiles lldp-profile <name> opon-tlvs management-address enabled <yes|no>
set network profiles lldp-profile <name> opon-tlvs management-address iplist
set network profiles lldp-profile <name> opon-tlvs management-address iplist <name>
set network profiles lldp-profile <name> opon-tlvs management-address iplist <name> interface
<value>
set network profiles lldp-profile <name> opon-tlvs management-address iplist <name>
set network profiles lldp-profile <name> opon-tlvs management-address iplist <name> ipv4
<value>
set network profiles lldp-profile <name> opon-tlvs management-address iplist <name> ipv6
<value>
set network profiles bfd-profile
set network profiles bfd-profile <name>
set network profiles bfd-profile <name> mode <acve|passive>
set network profiles bfd-profile <name> min-tx-interval <100-2000>
set network profiles bfd-profile <name> min-rx-interval <100-2000>
set network profiles bfd-profile <name> detecon-mulplier <2-50>
set network profiles bfd-profile <name> hold-me <0-120000>
set network profiles bfd-profile <name> mulhop
set network profiles bfd-profile <name> mulhop min-received-l <1-254>
set network interface
set network interface ethernet
set network interface ethernet <name>
set network interface ethernet <name> link-speed <value>
set network interface ethernet <name> link-duplex <value>
set network interface ethernet <name> link-state <auto|up|down>
set network interface ethernet <name>

PAN-OS CLI Quick Start Version Version 10.1 449 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface ethernet <name> tap

set network interface ethernet <name> tap nelow-profile <value>
set network interface ethernet <name> ha
set network interface ethernet <name> decrypt-mirror
set network interface ethernet <name> virtual-wire
set network interface ethernet <name> virtual-wire units
set network interface ethernet <name> virtual-wire units <name>
set network interface ethernet <name> virtual-wire units <name> tag <0-4094>
set network interface ethernet <name> virtual-wire units <name> nelow-profile <value>
set network interface ethernet <name> virtual-wire units <name> comment <value>
set network interface ethernet <name> virtual-wire units <name> ip-classifier [ <ip-classifier1>
<ip-classifier2>... ]
set network interface ethernet <name> virtual-wire nelow-profile <value>
set network interface ethernet <name> virtual-wire lldp
set network interface ethernet <name> virtual-wire lldp enable <yes|no>
set network interface ethernet <name> virtual-wire lldp profile <value>
set network interface ethernet <name> virtual-wire lldp high-availability
set network interface ethernet <name> virtual-wire lldp high-availability passive-pre-negoaon
<yes|no>
set network interface ethernet <name> virtual-wire lacp
set network interface ethernet <name> virtual-wire lacp high-availability
set network interface ethernet <name> virtual-wire lacp high-availability passive-pre-negoaon
<yes|no>
set network interface ethernet <name> layer2
set network interface ethernet <name> layer2 units
set network interface ethernet <name> layer2 units <name>
set network interface ethernet <name> layer2 units <name> tag <1-4094>
set network interface ethernet <name> layer2 units <name> nelow-profile <value>
set network interface ethernet <name> layer2 units <name> comment <value>
set network interface ethernet <name> layer2 nelow-profile <value>
set network interface ethernet <name> layer2 lldp
set network interface ethernet <name> layer2 lldp enable <yes|no>
set network interface ethernet <name> layer2 lldp profile <value>
set network interface ethernet <name> layer2 lldp high-availability

PAN-OS CLI Quick Start Version Version 10.1 450 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface ethernet <name> layer2 lldp high-availability passive-pre-negoaon <yes|
no>
set network interface ethernet <name> layer3
set network interface ethernet <name> layer3 decrypt-forward <yes|no>
set network interface ethernet <name> layer3 mtu <576-9216>
set network interface ethernet <name> layer3 bonjour
set network interface ethernet <name> layer3 bonjour enable <yes|no>
set network interface ethernet <name> layer3 adjust-tcp-mss
set network interface ethernet <name> layer3 adjust-tcp-mss enable <yes|no>
set network interface ethernet <name> layer3 adjust-tcp-mss ipv4-mss-adjustment <40-300>
set network interface ethernet <name> layer3 adjust-tcp-mss ipv6-mss-adjustment <60-300>
set network interface ethernet <name> layer3 untagged-sub-interface <yes|no>
set network interface ethernet <name> layer3 ip
set network interface ethernet <name> layer3 ip <name>
set network interface ethernet <name> layer3 ip <name> sdwan-gateway <ip/netmask>
set network interface ethernet <name> layer3 ipv6
set network interface ethernet <name> layer3 ipv6 enabled <yes|no>
set network interface ethernet <name> layer3 ipv6 interface-id <value>|<EUI-64>
set network interface ethernet <name> layer3 ipv6 address
set network interface ethernet <name> layer3 ipv6 address <name>
set network interface ethernet <name> layer3 ipv6 address <name> enable-on-interface <yes|no>
set network interface ethernet <name> layer3 ipv6 address <name> prefix
set network interface ethernet <name> layer3 ipv6 address <name> anycast
set network interface ethernet <name> layer3 ipv6 address <name> adverse
set network interface ethernet <name> layer3 ipv6 address <name> adverse enable <yes|no>
set network interface ethernet <name> layer3 ipv6 address <name> adverse valid-lifeme
<0-4294967294>|<infinity>
set network interface ethernet <name> layer3 ipv6 address <name> adverse preferred-lifeme
<0-4294967294>|<infinity>
set network interface ethernet <name> layer3 ipv6 address <name> adverse onlink-flag <yes|
no>
set network interface ethernet <name> layer3 ipv6 address <name> adverse auto-config-flag
<yes|no>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement

PAN-OS CLI Quick Start Version Version 10.1 451 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement

enable <yes|no>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement max-
interval <4-1800>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement min-
interval <3-1350>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
managed-flag <yes|no>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
other-flag <yes|no>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement link-
mtu <1280-9216>|<unspecified>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
reachable-me <0-3600000>|<unspecified>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
retransmission-mer <0-4294967295>|<unspecified>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement hop-
limit <1-255>|<unspecified>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
lifeme <0-9000>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
router-preference <High|Medium|Low>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement
enable-consistency-check <yes|no>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement dns-
support
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement dns-
support enable <yes|no>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement dns-
support server
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement dns-
support server <name>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement dns-
support server <name> lifeme <4-3600>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement dns-
support suffix
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement dns-
support suffix <name>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery router-adversement dns-
support suffix <name> lifeme <4-3600>

PAN-OS CLI Quick Start Version Version 10.1 452 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface ethernet <name> layer3 ipv6 neighbor-discovery enable-ndp-monitor <yes|
no>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery enable-dad <yes|no>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery dad-aempts <0-10>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery ns-interval <1-3600>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery reachable-me
<10-36000>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery neighbor
set network interface ethernet <name> layer3 ipv6 neighbor-discovery neighbor <name>
set network interface ethernet <name> layer3 ipv6 neighbor-discovery neighbor <name> hw-
address <value>
set network interface ethernet <name> layer3 pppoe
set network interface ethernet <name> layer3 pppoe enable <yes|no>
set network interface ethernet <name> layer3 pppoe authencaon <CHAP|PAP|auto>
set network interface ethernet <name> layer3 pppoe stac-address
set network interface ethernet <name> layer3 pppoe stac-address ip <value>
set network interface ethernet <name> layer3 pppoe username <value>
set network interface ethernet <name> layer3 pppoe password <value>
set network interface ethernet <name> layer3 pppoe create-default-route <yes|no>
set network interface ethernet <name> layer3 pppoe default-route-metric <1-65535>
set network interface ethernet <name> layer3 pppoe access-concentrator <value>
set network interface ethernet <name> layer3 pppoe service <value>
set network interface ethernet <name> layer3 pppoe passive
set network interface ethernet <name> layer3 pppoe passive enable <yes|no>
set network interface ethernet <name> layer3 dhcp-client
set network interface ethernet <name> layer3 dhcp-client enable <yes|no>
set network interface ethernet <name> layer3 dhcp-client create-default-route <yes|no>
set network interface ethernet <name> layer3 dhcp-client send-hostname
set network interface ethernet <name> layer3 dhcp-client send-hostname enable <yes|no>
set network interface ethernet <name> layer3 dhcp-client send-hostname hostname <value>|
<system-hostname>
set network interface ethernet <name> layer3 dhcp-client default-route-metric <1-65535>
set network interface ethernet <name> layer3 ddns-config
set network interface ethernet <name> layer3 ddns-config ddns-enabled <yes|no>
set network interface ethernet <name> layer3 ddns-config ddns-update-interval <1-30>

PAN-OS CLI Quick Start Version Version 10.1 453 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface ethernet <name> layer3 ddns-config ddns-hostname <value>

set network interface ethernet <name> layer3 ddns-config ddns-ip [ <ddns-ip1> <ddns-ip2>... ]
set network interface ethernet <name> layer3 ddns-config ddns-ipv6 [ <ddns-ipv61> <ddns-
ipv62>... ]
set network interface ethernet <name> layer3 ddns-config ddns-cert-profile <value>
set network interface ethernet <name> layer3 ddns-config ddns-vendor <value>
set network interface ethernet <name> layer3 ddns-config ddns-vendor-config
set network interface ethernet <name> layer3 ddns-config ddns-vendor-config <name>
set network interface ethernet <name> layer3 ddns-config ddns-vendor-config <name> value
<value>
set network interface ethernet <name> layer3 arp
set network interface ethernet <name> layer3 arp <name>
set network interface ethernet <name> layer3 arp <name> hw-address <value>
set network interface ethernet <name> layer3 ndp-proxy
set network interface ethernet <name> layer3 ndp-proxy enabled <yes|no>
set network interface ethernet <name> layer3 ndp-proxy address
set network interface ethernet <name> layer3 ndp-proxy address <name>
set network interface ethernet <name> layer3 ndp-proxy address <name> negate <yes|no>
set network interface ethernet <name> layer3 interface-management-profile <value>
set network interface ethernet <name> layer3 sdwan-link-sengs
set network interface ethernet <name> layer3 sdwan-link-sengs enable <yes|no>
set network interface ethernet <name> layer3 sdwan-link-sengs sdwan-interface-profile
<value>
set network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat
set network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat enable <yes|no>
set network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat
set network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat stac-ip
set network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat stac-ip
set network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat stac-ip ip-
address <value>|<ip/netmask>
set network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat stac-ip fqdn
<value>
set network interface ethernet <name> layer3 sdwan-link-sengs upstream-nat ddns
set network interface ethernet <name> layer3 units
set network interface ethernet <name> layer3 units <name>

PAN-OS CLI Quick Start Version Version 10.1 454 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface ethernet <name> layer3 units <name> sdwan-link-sengs

set network interface ethernet <name> layer3 units <name> sdwan-link-sengs enable <yes|no>
set network interface ethernet <name> layer3 units <name> sdwan-link-sengs sdwan-interface-
profile <value>
set network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
set network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
enable <yes|no>
set network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
set network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
stac-ip
set network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
stac-ip
set network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
stac-ip ip-address <value>|<ip/netmask>
set network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
stac-ip fqdn <value>
set network interface ethernet <name> layer3 units <name> sdwan-link-sengs upstream-nat
ddns
set network interface ethernet <name> layer3 units <name> decrypt-forward <yes|no>
set network interface ethernet <name> layer3 units <name> mtu <576-9216>
set network interface ethernet <name> layer3 units <name> bonjour
set network interface ethernet <name> layer3 units <name> bonjour enable <yes|no>
set network interface ethernet <name> layer3 units <name> adjust-tcp-mss
set network interface ethernet <name> layer3 units <name> adjust-tcp-mss enable <yes|no>
set network interface ethernet <name> layer3 units <name> adjust-tcp-mss ipv4-mss-adjustment
<40-300>
set network interface ethernet <name> layer3 units <name> adjust-tcp-mss ipv6-mss-adjustment
<60-300>
set network interface ethernet <name> layer3 units <name> ip
set network interface ethernet <name> layer3 units <name> ip <name>
set network interface ethernet <name> layer3 units <name> ip <name> sdwan-gateway <ip/
netmask>
set network interface ethernet <name> layer3 units <name> ipv6
set network interface ethernet <name> layer3 units <name> ipv6 enabled <yes|no>
set network interface ethernet <name> layer3 units <name> ipv6 interface-id <value>|<EUI-64>
set network interface ethernet <name> layer3 units <name> ipv6 address
set network interface ethernet <name> layer3 units <name> ipv6 address <name>

PAN-OS CLI Quick Start Version Version 10.1 455 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface ethernet <name> layer3 units <name> ipv6 address <name> enable-on-
interface <yes|no>
set network interface ethernet <name> layer3 units <name> ipv6 address <name> prefix
set network interface ethernet <name> layer3 units <name> ipv6 address <name> anycast
set network interface ethernet <name> layer3 units <name> ipv6 address <name> adverse
set network interface ethernet <name> layer3 units <name> ipv6 address <name> adverse
enable <yes|no>
set network interface ethernet <name> layer3 units <name> ipv6 address <name> adverse valid-
lifeme <0-4294967294>|<infinity>
set network interface ethernet <name> layer3 units <name> ipv6 address <name> adverse
preferred-lifeme <0-4294967294>|<infinity>
set network interface ethernet <name> layer3 units <name> ipv6 address <name> adverse
onlink-flag <yes|no>
set network interface ethernet <name> layer3 units <name> ipv6 address <name> adverse auto-
config-flag <yes|no>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement enable <yes|no>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement max-interval <4-1800>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement min-interval <3-1350>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement managed-flag <yes|no>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement other-flag <yes|no>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement link-mtu <1280-9216>|<unspecified>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement reachable-me <0-3600000>|<unspecified>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement retransmission-mer <0-4294967295>|<unspecified>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement hop-limit <1-255>|<unspecified>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement lifeme <0-9000>

PAN-OS CLI Quick Start Version Version 10.1 456 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement router-preference <High|Medium|Low>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement enable-consistency-check <yes|no>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support enable <yes|no>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support server
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support server <name>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support server <name> lifeme <4-3600>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support suffix
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support suffix <name>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery router-
adversement dns-support suffix <name> lifeme <4-3600>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery enable-ndp-
monitor <yes|no>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery enable-dad
<yes|no>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery dad-
aempts <0-10>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery ns-interval
<1-3600>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery reachable-
me <10-36000>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery neighbor
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery neighbor
<name>
set network interface ethernet <name> layer3 units <name> ipv6 neighbor-discovery neighbor
<name> hw-address <value>
set network interface ethernet <name> layer3 units <name> arp
set network interface ethernet <name> layer3 units <name> arp <name>
set network interface ethernet <name> layer3 units <name> arp <name> hw-address <value>
set network interface ethernet <name> layer3 units <name> ndp-proxy

PAN-OS CLI Quick Start Version Version 10.1 457 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface ethernet <name> layer3 units <name> ndp-proxy enabled <yes|no>
set network interface ethernet <name> layer3 units <name> ndp-proxy address
set network interface ethernet <name> layer3 units <name> ndp-proxy address <name>
set network interface ethernet <name> layer3 units <name> ndp-proxy address <name> negate
<yes|no>
set network interface ethernet <name> layer3 units <name> interface-management-profile
<value>
set network interface ethernet <name> layer3 units <name> tag <1-4094>
set network interface ethernet <name> layer3 units <name> dhcp-client
set network interface ethernet <name> layer3 units <name> dhcp-client enable <yes|no>
set network interface ethernet <name> layer3 units <name> dhcp-client create-default-route
<yes|no>
set network interface ethernet <name> layer3 units <name> dhcp-client send-hostname
set network interface ethernet <name> layer3 units <name> dhcp-client send-hostname enable
<yes|no>
set network interface ethernet <name> layer3 units <name> dhcp-client send-hostname
hostname <value>|<system-hostname>
set network interface ethernet <name> layer3 units <name> dhcp-client default-route-metric
<1-65535>
set network interface ethernet <name> layer3 units <name> ddns-config
set network interface ethernet <name> layer3 units <name> ddns-config ddns-enabled <yes|no>
set network interface ethernet <name> layer3 units <name> ddns-config ddns-update-interval
<1-30>
set network interface ethernet <name> layer3 units <name> ddns-config ddns-hostname <value>
set network interface ethernet <name> layer3 units <name> ddns-config ddns-ip [ <ddns-ip1>
<ddns-ip2>... ]
set network interface ethernet <name> layer3 units <name> ddns-config ddns-ipv6 [ <ddns-
ipv61> <ddns-ipv62>... ]
set network interface ethernet <name> layer3 units <name> ddns-config ddns-cert-profile
<value>
set network interface ethernet <name> layer3 units <name> ddns-config ddns-vendor <value>
set network interface ethernet <name> layer3 units <name> ddns-config ddns-vendor-config
set network interface ethernet <name> layer3 units <name> ddns-config ddns-vendor-config
<name>
set network interface ethernet <name> layer3 units <name> ddns-config ddns-vendor-config
<name> value <value>
set network interface ethernet <name> layer3 units <name> nelow-profile <value>

PAN-OS CLI Quick Start Version Version 10.1 458 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface ethernet <name> layer3 units <name> comment <value>
set network interface ethernet <name> layer3 nelow-profile <value>
set network interface ethernet <name> layer3 lldp
set network interface ethernet <name> layer3 lldp enable <yes|no>
set network interface ethernet <name> layer3 lldp profile <value>
set network interface ethernet <name> layer3 lldp high-availability
set network interface ethernet <name> layer3 lldp high-availability passive-pre-negoaon <yes|
no>
set network interface ethernet <name> aggregate-group <value>
set network interface ethernet <name> comment <value>
set network interface ethernet <name> lacp
set network interface ethernet <name> lacp port-priority <1-65535>
set network interface aggregate-ethernet
set network interface aggregate-ethernet <name>
set network interface aggregate-ethernet <name>
set network interface aggregate-ethernet <name> ha
set network interface aggregate-ethernet <name> ha lacp
set network interface aggregate-ethernet <name> ha lacp enable <yes|no>
set network interface aggregate-ethernet <name> ha lacp fast-failover <yes|no>
set network interface aggregate-ethernet <name> ha lacp mode <passive|acve>
set network interface aggregate-ethernet <name> ha lacp transmission-rate <fast|slow>
set network interface aggregate-ethernet <name> ha lacp system-priority <1-65535>
set network interface aggregate-ethernet <name> ha lacp max-ports <1-8>
set network interface aggregate-ethernet <name> decrypt-mirror
set network interface aggregate-ethernet <name> virtual-wire
set network interface aggregate-ethernet <name> virtual-wire units
set network interface aggregate-ethernet <name> virtual-wire units <name>
set network interface aggregate-ethernet <name> virtual-wire units <name> tag <0-4094>
set network interface aggregate-ethernet <name> virtual-wire units <name> nelow-profile
<value>
set network interface aggregate-ethernet <name> virtual-wire units <name> comment <value>
set network interface aggregate-ethernet <name> virtual-wire units <name> ip-classifier [ <ip-
classifier1> <ip-classifier2>... ]
set network interface aggregate-ethernet <name> virtual-wire nelow-profile <value>

PAN-OS CLI Quick Start Version Version 10.1 459 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface aggregate-ethernet <name> virtual-wire lldp

set network interface aggregate-ethernet <name> virtual-wire lldp enable <yes|no>
set network interface aggregate-ethernet <name> virtual-wire lldp profile <value>
set network interface aggregate-ethernet <name> virtual-wire lldp high-availability
set network interface aggregate-ethernet <name> virtual-wire lldp high-availability passive-pre-
negoaon <yes|no>
set network interface aggregate-ethernet <name> layer2
set network interface aggregate-ethernet <name> layer2 units
set network interface aggregate-ethernet <name> layer2 units <name>
set network interface aggregate-ethernet <name> layer2 units <name> tag <1-4094>
set network interface aggregate-ethernet <name> layer2 units <name> nelow-profile <value>
set network interface aggregate-ethernet <name> layer2 units <name> comment <value>
set network interface aggregate-ethernet <name> layer2 nelow-profile <value>
set network interface aggregate-ethernet <name> layer2 lacp
set network interface aggregate-ethernet <name> layer2 lacp enable <yes|no>
set network interface aggregate-ethernet <name> layer2 lacp fast-failover <yes|no>
set network interface aggregate-ethernet <name> layer2 lacp mode <passive|acve>
set network interface aggregate-ethernet <name> layer2 lacp transmission-rate <fast|slow>
set network interface aggregate-ethernet <name> layer2 lacp system-priority <1-65535>
set network interface aggregate-ethernet <name> layer2 lacp max-ports <1-8>
set network interface aggregate-ethernet <name> layer2 lacp high-availability
set network interface aggregate-ethernet <name> layer2 lacp high-availability use-same-system-
mac
set network interface aggregate-ethernet <name> layer2 lacp high-availability use-same-system-
mac enable <yes|no>
set network interface aggregate-ethernet <name> layer2 lacp high-availability use-same-system-
mac mac-address <value>
set network interface aggregate-ethernet <name> layer2 lacp high-availability passive-pre-
negoaon <yes|no>
set network interface aggregate-ethernet <name> layer2 lldp
set network interface aggregate-ethernet <name> layer2 lldp enable <yes|no>
set network interface aggregate-ethernet <name> layer2 lldp profile <value>
set network interface aggregate-ethernet <name> layer2 lldp high-availability
set network interface aggregate-ethernet <name> layer2 lldp high-availability passive-pre-
negoaon <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 460 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface aggregate-ethernet <name> layer3

set network interface aggregate-ethernet <name> layer3 decrypt-forward <yes|no>
set network interface aggregate-ethernet <name> layer3 mtu <576-9216>
set network interface aggregate-ethernet <name> layer3 bonjour
set network interface aggregate-ethernet <name> layer3 bonjour enable <yes|no>
set network interface aggregate-ethernet <name> layer3 adjust-tcp-mss
set network interface aggregate-ethernet <name> layer3 adjust-tcp-mss enable <yes|no>
set network interface aggregate-ethernet <name> layer3 adjust-tcp-mss ipv4-mss-adjustment
<40-300>
set network interface aggregate-ethernet <name> layer3 adjust-tcp-mss ipv6-mss-adjustment
<60-300>
set network interface aggregate-ethernet <name> layer3 untagged-sub-interface <yes|no>
set network interface aggregate-ethernet <name> layer3 ip
set network interface aggregate-ethernet <name> layer3 ip <name>
set network interface aggregate-ethernet <name> layer3 ip <name> sdwan-gateway <ip/
netmask>
set network interface aggregate-ethernet <name> layer3 ipv6
set network interface aggregate-ethernet <name> layer3 ipv6 enabled <yes|no>
set network interface aggregate-ethernet <name> layer3 ipv6 interface-id <value>|<EUI-64>
set network interface aggregate-ethernet <name> layer3 ipv6 address
set network interface aggregate-ethernet <name> layer3 ipv6 address <name>
set network interface aggregate-ethernet <name> layer3 ipv6 address <name> enable-on-
interface <yes|no>
set network interface aggregate-ethernet <name> layer3 ipv6 address <name> prefix
set network interface aggregate-ethernet <name> layer3 ipv6 address <name> anycast
set network interface aggregate-ethernet <name> layer3 ipv6 address <name> adverse
set network interface aggregate-ethernet <name> layer3 ipv6 address <name> adverse enable
<yes|no>
set network interface aggregate-ethernet <name> layer3 ipv6 address <name> adverse valid-
lifeme <0-4294967294>|<infinity>
set network interface aggregate-ethernet <name> layer3 ipv6 address <name> adverse
preferred-lifeme <0-4294967294>|<infinity>
set network interface aggregate-ethernet <name> layer3 ipv6 address <name> adverse onlink-
flag <yes|no>
set network interface aggregate-ethernet <name> layer3 ipv6 address <name> adverse auto-
config-flag <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 461 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery

set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement enable <yes|no>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement max-interval <4-1800>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement min-interval <3-1350>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement managed-flag <yes|no>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement other-flag <yes|no>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement link-mtu <1280-9216>|<unspecified>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement reachable-me <0-3600000>|<unspecified>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement retransmission-mer <0-4294967295>|<unspecified>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement hop-limit <1-255>|<unspecified>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement lifeme <0-9000>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement router-preference <High|Medium|Low>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement enable-consistency-check <yes|no>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement dns-support
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement dns-support enable <yes|no>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement dns-support server
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement dns-support server <name>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement dns-support server <name> lifeme <4-3600>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement dns-support suffix

PAN-OS CLI Quick Start Version Version 10.1 462 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-

adversement dns-support suffix <name>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery router-
adversement dns-support suffix <name> lifeme <4-3600>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery enable-ndp-
monitor <yes|no>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery enable-dad
<yes|no>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery dad-aempts
<0-10>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery ns-interval
<1-3600>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery reachable-me
<10-36000>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery neighbor
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery neighbor
<name>
set network interface aggregate-ethernet <name> layer3 ipv6 neighbor-discovery neighbor
<name> hw-address <value>
set network interface aggregate-ethernet <name> layer3 lacp
set network interface aggregate-ethernet <name> layer3 lacp enable <yes|no>
set network interface aggregate-ethernet <name> layer3 lacp fast-failover <yes|no>
set network interface aggregate-ethernet <name> layer3 lacp mode <passive|acve>
set network interface aggregate-ethernet <name> layer3 lacp transmission-rate <fast|slow>
set network interface aggregate-ethernet <name> layer3 lacp system-priority <1-65535>
set network interface aggregate-ethernet <name> layer3 lacp max-ports <1-8>
set network interface aggregate-ethernet <name> layer3 lacp high-availability
set network interface aggregate-ethernet <name> layer3 lacp high-availability use-same-system-
mac
set network interface aggregate-ethernet <name> layer3 lacp high-availability use-same-system-
mac enable <yes|no>
set network interface aggregate-ethernet <name> layer3 lacp high-availability use-same-system-
mac mac-address <value>
set network interface aggregate-ethernet <name> layer3 lacp high-availability passive-pre-
negoaon <yes|no>
set network interface aggregate-ethernet <name> layer3 lldp
set network interface aggregate-ethernet <name> layer3 lldp enable <yes|no>
set network interface aggregate-ethernet <name> layer3 lldp profile <value>

PAN-OS CLI Quick Start Version Version 10.1 463 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface aggregate-ethernet <name> layer3 lldp high-availability

set network interface aggregate-ethernet <name> layer3 lldp high-availability passive-pre-
negoaon <yes|no>
set network interface aggregate-ethernet <name> layer3 arp
set network interface aggregate-ethernet <name> layer3 arp <name>
set network interface aggregate-ethernet <name> layer3 arp <name> hw-address <value>
set network interface aggregate-ethernet <name> layer3 ndp-proxy
set network interface aggregate-ethernet <name> layer3 ndp-proxy enabled <yes|no>
set network interface aggregate-ethernet <name> layer3 ndp-proxy address
set network interface aggregate-ethernet <name> layer3 ndp-proxy address <name>
set network interface aggregate-ethernet <name> layer3 ndp-proxy address <name> negate <yes|
no>
set network interface aggregate-ethernet <name> layer3 interface-management-profile <value>
set network interface aggregate-ethernet <name> layer3 dhcp-client
set network interface aggregate-ethernet <name> layer3 dhcp-client enable <yes|no>
set network interface aggregate-ethernet <name> layer3 dhcp-client create-default-route <yes|
no>
set network interface aggregate-ethernet <name> layer3 dhcp-client send-hostname
set network interface aggregate-ethernet <name> layer3 dhcp-client send-hostname enable <yes|
no>
set network interface aggregate-ethernet <name> layer3 dhcp-client send-hostname hostname
<value>|<system-hostname>
set network interface aggregate-ethernet <name> layer3 dhcp-client default-route-metric
<1-65535>
set network interface aggregate-ethernet <name> layer3 ddns-config
set network interface aggregate-ethernet <name> layer3 ddns-config ddns-enabled <yes|no>
set network interface aggregate-ethernet <name> layer3 ddns-config ddns-update-interval
<1-30>
set network interface aggregate-ethernet <name> layer3 ddns-config ddns-hostname <value>
set network interface aggregate-ethernet <name> layer3 ddns-config ddns-ip [ <ddns-ip1> <ddns-
ip2>... ]
set network interface aggregate-ethernet <name> layer3 ddns-config ddns-ipv6 [ <ddns-ipv61>
<ddns-ipv62>... ]
set network interface aggregate-ethernet <name> layer3 ddns-config ddns-cert-profile <value>
set network interface aggregate-ethernet <name> layer3 ddns-config ddns-vendor <value>
set network interface aggregate-ethernet <name> layer3 ddns-config ddns-vendor-config

PAN-OS CLI Quick Start Version Version 10.1 464 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface aggregate-ethernet <name> layer3 ddns-config ddns-vendor-config <name>

set network interface aggregate-ethernet <name> layer3 ddns-config ddns-vendor-config <name>
value <value>
set network interface aggregate-ethernet <name> layer3 sdwan-link-sengs
set network interface aggregate-ethernet <name> layer3 sdwan-link-sengs enable <yes|no>
set network interface aggregate-ethernet <name> layer3 sdwan-link-sengs sdwan-interface-
profile <value>
set network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat
set network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat enable
<yes|no>
set network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat
set network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat stac-
ip
set network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat stac-
ip
set network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat stac-
ip ip-address <value>|<ip/netmask>
set network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat stac-
ip fqdn <value>
set network interface aggregate-ethernet <name> layer3 sdwan-link-sengs upstream-nat ddns
set network interface aggregate-ethernet <name> layer3 units
set network interface aggregate-ethernet <name> layer3 units <name>
set network interface aggregate-ethernet <name> layer3 units <name> decrypt-forward <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> mtu <576-9216>
set network interface aggregate-ethernet <name> layer3 units <name> bonjour
set network interface aggregate-ethernet <name> layer3 units <name> bonjour enable <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> adjust-tcp-mss
set network interface aggregate-ethernet <name> layer3 units <name> adjust-tcp-mss enable
<yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> adjust-tcp-mss ipv4-mss-
adjustment <40-300>
set network interface aggregate-ethernet <name> layer3 units <name> adjust-tcp-mss ipv6-mss-
adjustment <60-300>
set network interface aggregate-ethernet <name> layer3 units <name> ip
set network interface aggregate-ethernet <name> layer3 units <name> ip <name>
set network interface aggregate-ethernet <name> layer3 units <name> ip <name> sdwan-
gateway <ip/netmask>

PAN-OS CLI Quick Start Version Version 10.1 465 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface aggregate-ethernet <name> layer3 units <name> ipv6

set network interface aggregate-ethernet <name> layer3 units <name> ipv6 enabled <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 interface-id <value>|
<EUI-64>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 address
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
enable-on-interface <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
prefix
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
anycast
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
adverse
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
adverse enable <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
adverse valid-lifeme <0-4294967294>|<infinity>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
adverse preferred-lifeme <0-4294967294>|<infinity>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
adverse onlink-flag <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 address <name>
adverse auto-config-flag <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement enable <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement max-interval <4-1800>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement min-interval <3-1350>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement managed-flag <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement other-flag <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement link-mtu <1280-9216>|<unspecified>

PAN-OS CLI Quick Start Version Version 10.1 466 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement reachable-me <0-3600000>|<unspecified>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement retransmission-mer <0-4294967295>|<unspecified>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement hop-limit <1-255>|<unspecified>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement lifeme <0-9000>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement router-preference <High|Medium|Low>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement enable-consistency-check <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support enable <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support server
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support server <name>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support server <name> lifeme <4-3600>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support suffix
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support suffix <name>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
router-adversement dns-support suffix <name> lifeme <4-3600>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
enable-ndp-monitor <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
enable-dad <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
dad-aempts <0-10>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
ns-interval <1-3600>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
reachable-me <10-36000>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
neighbor

PAN-OS CLI Quick Start Version Version 10.1 467 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
neighbor <name>
set network interface aggregate-ethernet <name> layer3 units <name> ipv6 neighbor-discovery
neighbor <name> hw-address <value>
set network interface aggregate-ethernet <name> layer3 units <name> arp
set network interface aggregate-ethernet <name> layer3 units <name> arp <name>
set network interface aggregate-ethernet <name> layer3 units <name> arp <name> hw-address
<value>
set network interface aggregate-ethernet <name> layer3 units <name> ndp-proxy
set network interface aggregate-ethernet <name> layer3 units <name> ndp-proxy enabled <yes|
no>
set network interface aggregate-ethernet <name> layer3 units <name> ndp-proxy address
set network interface aggregate-ethernet <name> layer3 units <name> ndp-proxy address
<name>
set network interface aggregate-ethernet <name> layer3 units <name> ndp-proxy address
<name> negate <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> interface-management-
profile <value>
set network interface aggregate-ethernet <name> layer3 units <name> tag <1-4094>
set network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
set network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs enable
<yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
sdwan-interface-profile <value>
set network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
upstream-nat
set network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
upstream-nat enable <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
upstream-nat
set network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
upstream-nat stac-ip
set network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
upstream-nat stac-ip
set network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
upstream-nat stac-ip ip-address <value>|<ip/netmask>
set network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs
upstream-nat stac-ip fqdn <value>

PAN-OS CLI Quick Start Version Version 10.1 468 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface aggregate-ethernet <name> layer3 units <name> sdwan-link-sengs

upstream-nat ddns
set network interface aggregate-ethernet <name> layer3 units <name> dhcp-client
set network interface aggregate-ethernet <name> layer3 units <name> dhcp-client enable <yes|
no>
set network interface aggregate-ethernet <name> layer3 units <name> dhcp-client create-
default-route <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> dhcp-client send-
hostname
set network interface aggregate-ethernet <name> layer3 units <name> dhcp-client send-
hostname enable <yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> dhcp-client send-
hostname hostname <value>|<system-hostname>
set network interface aggregate-ethernet <name> layer3 units <name> dhcp-client default-route-
metric <1-65535>
set network interface aggregate-ethernet <name> layer3 units <name> nelow-profile <value>
set network interface aggregate-ethernet <name> layer3 units <name> ddns-config
set network interface aggregate-ethernet <name> layer3 units <name> ddns-config ddns-enabled
<yes|no>
set network interface aggregate-ethernet <name> layer3 units <name> ddns-config ddns-update-
interval <1-30>
set network interface aggregate-ethernet <name> layer3 units <name> ddns-config ddns-
hostname <value>
set network interface aggregate-ethernet <name> layer3 units <name> ddns-config ddns-ip
[ <ddns-ip1> <ddns-ip2>... ]
set network interface aggregate-ethernet <name> layer3 units <name> ddns-config ddns-ipv6
[ <ddns-ipv61> <ddns-ipv62>... ]
set network interface aggregate-ethernet <name> layer3 units <name> ddns-config ddns-cert-
profile <value>
set network interface aggregate-ethernet <name> layer3 units <name> ddns-config ddns-vendor
<value>
set network interface aggregate-ethernet <name> layer3 units <name> ddns-config ddns-vendor-
config
set network interface aggregate-ethernet <name> layer3 units <name> ddns-config ddns-vendor-
config <name>
set network interface aggregate-ethernet <name> layer3 units <name> ddns-config ddns-vendor-
config <name> value <value>
set network interface aggregate-ethernet <name> layer3 units <name> comment <value>
set network interface aggregate-ethernet <name> layer3 nelow-profile <value>

PAN-OS CLI Quick Start Version Version 10.1 469 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface aggregate-ethernet <name> comment <value>

set network interface vlan
set network interface vlan mtu <576-9216>
set network interface vlan adjust-tcp-mss
set network interface vlan adjust-tcp-mss enable <yes|no>
set network interface vlan adjust-tcp-mss ipv4-mss-adjustment <40-300>
set network interface vlan adjust-tcp-mss ipv6-mss-adjustment <60-300>
set network interface vlan ip
set network interface vlan ip <name>
set network interface vlan ipv6
set network interface vlan ipv6 enabled <yes|no>
set network interface vlan ipv6 interface-id <value>|<EUI-64>
set network interface vlan ipv6 address
set network interface vlan ipv6 address <name>
set network interface vlan ipv6 address <name> enable-on-interface <yes|no>
set network interface vlan ipv6 address <name> prefix
set network interface vlan ipv6 address <name> anycast
set network interface vlan ipv6 address <name> adverse
set network interface vlan ipv6 address <name> adverse enable <yes|no>
set network interface vlan ipv6 address <name> adverse valid-lifeme <0-4294967294>|
<infinity>
set network interface vlan ipv6 address <name> adverse preferred-lifeme <0-4294967294>|
<infinity>
set network interface vlan ipv6 address <name> adverse onlink-flag <yes|no>
set network interface vlan ipv6 address <name> adverse auto-config-flag <yes|no>
set network interface vlan ipv6 neighbor-discovery
set network interface vlan ipv6 neighbor-discovery router-adversement
set network interface vlan ipv6 neighbor-discovery router-adversement enable <yes|no>
set network interface vlan ipv6 neighbor-discovery router-adversement max-interval <4-1800>
set network interface vlan ipv6 neighbor-discovery router-adversement min-interval <3-1350>
set network interface vlan ipv6 neighbor-discovery router-adversement managed-flag <yes|no>
set network interface vlan ipv6 neighbor-discovery router-adversement other-flag <yes|no>
set network interface vlan ipv6 neighbor-discovery router-adversement link-mtu <1280-9216>|
<unspecified>

PAN-OS CLI Quick Start Version Version 10.1 470 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface vlan ipv6 neighbor-discovery router-adversement reachable-me

<0-3600000>|<unspecified>
set network interface vlan ipv6 neighbor-discovery router-adversement retransmission-mer
<0-4294967295>|<unspecified>
set network interface vlan ipv6 neighbor-discovery router-adversement hop-limit <1-255>|
<unspecified>
set network interface vlan ipv6 neighbor-discovery router-adversement lifeme <0-9000>
set network interface vlan ipv6 neighbor-discovery router-adversement router-preference <High|
Medium|Low>
set network interface vlan ipv6 neighbor-discovery router-adversement enable-consistency-
check <yes|no>
set network interface vlan ipv6 neighbor-discovery router-adversement dns-support
set network interface vlan ipv6 neighbor-discovery router-adversement dns-support enable
<yes|no>
set network interface vlan ipv6 neighbor-discovery router-adversement dns-support server
set network interface vlan ipv6 neighbor-discovery router-adversement dns-support server
<name>
set network interface vlan ipv6 neighbor-discovery router-adversement dns-support server
<name> lifeme <4-3600>
set network interface vlan ipv6 neighbor-discovery router-adversement dns-support suffix
set network interface vlan ipv6 neighbor-discovery router-adversement dns-support suffix
<name>
set network interface vlan ipv6 neighbor-discovery router-adversement dns-support suffix
<name> lifeme <4-3600>
set network interface vlan ipv6 neighbor-discovery enable-ndp-monitor <yes|no>
set network interface vlan ipv6 neighbor-discovery enable-dad <yes|no>
set network interface vlan ipv6 neighbor-discovery dad-aempts <0-10>
set network interface vlan ipv6 neighbor-discovery ns-interval <1-3600>
set network interface vlan ipv6 neighbor-discovery reachable-me <10-36000>
set network interface vlan ipv6 neighbor-discovery neighbor
set network interface vlan ipv6 neighbor-discovery neighbor <name>
set network interface vlan ipv6 neighbor-discovery neighbor <name> hw-address <value>
set network interface vlan arp
set network interface vlan arp <name>
set network interface vlan arp <name> hw-address <value>
set network interface vlan arp <name> interface <value>
set network interface vlan ndp-proxy

PAN-OS CLI Quick Start Version Version 10.1 471 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface vlan ndp-proxy enabled <yes|no>

set network interface vlan ndp-proxy address
set network interface vlan ndp-proxy address <name>
set network interface vlan ndp-proxy address <name> negate <yes|no>
set network interface vlan interface-management-profile <value>
set network interface vlan dhcp-client
set network interface vlan dhcp-client enable <yes|no>
set network interface vlan dhcp-client create-default-route <yes|no>
set network interface vlan dhcp-client send-hostname
set network interface vlan dhcp-client send-hostname enable <yes|no>
set network interface vlan dhcp-client send-hostname hostname <value>|<system-hostname>
set network interface vlan dhcp-client default-route-metric <1-65535>
set network interface vlan ddns-config
set network interface vlan ddns-config ddns-enabled <yes|no>
set network interface vlan ddns-config ddns-update-interval <1-30>
set network interface vlan ddns-config ddns-hostname <value>
set network interface vlan ddns-config ddns-ip [ <ddns-ip1> <ddns-ip2>... ]
set network interface vlan ddns-config ddns-ipv6 [ <ddns-ipv61> <ddns-ipv62>... ]
set network interface vlan ddns-config ddns-cert-profile <value>
set network interface vlan ddns-config ddns-vendor <value>
set network interface vlan ddns-config ddns-vendor-config
set network interface vlan ddns-config ddns-vendor-config <name>
set network interface vlan ddns-config ddns-vendor-config <name> value <value>
set network interface vlan units
set network interface vlan units <name>
set network interface vlan units <name> mtu <576-9216>
set network interface vlan units <name> adjust-tcp-mss
set network interface vlan units <name> adjust-tcp-mss enable <yes|no>
set network interface vlan units <name> adjust-tcp-mss ipv4-mss-adjustment <40-300>
set network interface vlan units <name> adjust-tcp-mss ipv6-mss-adjustment <60-300>
set network interface vlan units <name> ip
set network interface vlan units <name> ip <name>
set network interface vlan units <name> ipv6

PAN-OS CLI Quick Start Version Version 10.1 472 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface vlan units <name> ipv6 enabled <yes|no>

set network interface vlan units <name> ipv6 interface-id <value>|<EUI-64>
set network interface vlan units <name> ipv6 address
set network interface vlan units <name> ipv6 address <name>
set network interface vlan units <name> ipv6 address <name> enable-on-interface <yes|no>
set network interface vlan units <name> ipv6 address <name> prefix
set network interface vlan units <name> ipv6 address <name> anycast
set network interface vlan units <name> ipv6 address <name> adverse
set network interface vlan units <name> ipv6 address <name> adverse enable <yes|no>
set network interface vlan units <name> ipv6 address <name> adverse valid-lifeme
<0-4294967294>|<infinity>
set network interface vlan units <name> ipv6 address <name> adverse preferred-lifeme
<0-4294967294>|<infinity>
set network interface vlan units <name> ipv6 address <name> adverse onlink-flag <yes|no>
set network interface vlan units <name> ipv6 address <name> adverse auto-config-flag <yes|no>
set network interface vlan units <name> ipv6 neighbor-discovery
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement enable
<yes|no>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement max-
interval <4-1800>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement min-
interval <3-1350>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement managed-
flag <yes|no>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement other-flag
<yes|no>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement link-mtu
<1280-9216>|<unspecified>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement reachable-
me <0-3600000>|<unspecified>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement
retransmission-mer <0-4294967295>|<unspecified>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement hop-limit
<1-255>|<unspecified>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement lifeme
<0-9000>

PAN-OS CLI Quick Start Version Version 10.1 473 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface vlan units <name> ipv6 neighbor-discovery router-adversement router-
preference <High|Medium|Low>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement enable-
consistency-check <yes|no>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support enable <yes|no>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support server
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support server <name>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support server <name> lifeme <4-3600>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support suffix
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support suffix <name>
set network interface vlan units <name> ipv6 neighbor-discovery router-adversement dns-
support suffix <name> lifeme <4-3600>
set network interface vlan units <name> ipv6 neighbor-discovery enable-ndp-monitor <yes|no>
set network interface vlan units <name> ipv6 neighbor-discovery enable-dad <yes|no>
set network interface vlan units <name> ipv6 neighbor-discovery dad-aempts <0-10>
set network interface vlan units <name> ipv6 neighbor-discovery ns-interval <1-3600>
set network interface vlan units <name> ipv6 neighbor-discovery reachable-me <10-36000>
set network interface vlan units <name> ipv6 neighbor-discovery neighbor
set network interface vlan units <name> ipv6 neighbor-discovery neighbor <name>
set network interface vlan units <name> ipv6 neighbor-discovery neighbor <name> hw-address
<value>
set network interface vlan units <name> arp
set network interface vlan units <name> arp <name>
set network interface vlan units <name> arp <name> hw-address <value>
set network interface vlan units <name> arp <name> interface <value>
set network interface vlan units <name> ndp-proxy
set network interface vlan units <name> ndp-proxy enabled <yes|no>
set network interface vlan units <name> ndp-proxy address
set network interface vlan units <name> ndp-proxy address <name>

PAN-OS CLI Quick Start Version Version 10.1 474 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface vlan units <name> ndp-proxy address <name> negate <yes|no>
set network interface vlan units <name> interface-management-profile <value>
set network interface vlan units <name> dhcp-client
set network interface vlan units <name> dhcp-client enable <yes|no>
set network interface vlan units <name> dhcp-client create-default-route <yes|no>
set network interface vlan units <name> dhcp-client send-hostname
set network interface vlan units <name> dhcp-client send-hostname enable <yes|no>
set network interface vlan units <name> dhcp-client send-hostname hostname <value>|<system-
hostname>
set network interface vlan units <name> dhcp-client default-route-metric <1-65535>
set network interface vlan units <name> nelow-profile <value>
set network interface vlan units <name> ddns-config
set network interface vlan units <name> ddns-config ddns-enabled <yes|no>
set network interface vlan units <name> ddns-config ddns-update-interval <1-30>
set network interface vlan units <name> ddns-config ddns-hostname <value>
set network interface vlan units <name> ddns-config ddns-ip [ <ddns-ip1> <ddns-ip2>... ]
set network interface vlan units <name> ddns-config ddns-ipv6 [ <ddns-ipv61> <ddns-ipv62>... ]
set network interface vlan units <name> ddns-config ddns-cert-profile <value>
set network interface vlan units <name> ddns-config ddns-vendor <value>
set network interface vlan units <name> ddns-config ddns-vendor-config
set network interface vlan units <name> ddns-config ddns-vendor-config <name>
set network interface vlan units <name> ddns-config ddns-vendor-config <name> value <value>
set network interface vlan units <name> comment <value>
set network interface vlan nelow-profile <value>
set network interface vlan comment <value>
set network interface loopback
set network interface loopback df-ignore <yes|no>
set network interface loopback mtu <576-9216>
set network interface loopback adjust-tcp-mss
set network interface loopback adjust-tcp-mss enable <yes|no>
set network interface loopback adjust-tcp-mss ipv4-mss-adjustment <40-300>
set network interface loopback adjust-tcp-mss ipv6-mss-adjustment <60-300>
set network interface loopback ip
set network interface loopback ip <name>

PAN-OS CLI Quick Start Version Version 10.1 475 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface loopback ipv6

set network interface loopback ipv6 enabled <yes|no>
set network interface loopback ipv6 interface-id <value>|<EUI-64>
set network interface loopback ipv6 address
set network interface loopback ipv6 address <name>
set network interface loopback ipv6 address <name> enable-on-interface <yes|no>
set network interface loopback ipv6 address <name> prefix
set network interface loopback ipv6 address <name> anycast
set network interface loopback interface-management-profile <value>
set network interface loopback units
set network interface loopback units <name>
set network interface loopback units <name> mtu <576-9216>
set network interface loopback units <name> adjust-tcp-mss
set network interface loopback units <name> adjust-tcp-mss enable <yes|no>
set network interface loopback units <name> adjust-tcp-mss ipv4-mss-adjustment <40-300>
set network interface loopback units <name> adjust-tcp-mss ipv6-mss-adjustment <60-300>
set network interface loopback units <name> ip
set network interface loopback units <name> ip <name>
set network interface loopback units <name> ipv6
set network interface loopback units <name> ipv6 enabled <yes|no>
set network interface loopback units <name> ipv6 interface-id <value>|<EUI-64>
set network interface loopback units <name> ipv6 address
set network interface loopback units <name> ipv6 address <name>
set network interface loopback units <name> ipv6 address <name> enable-on-interface <yes|no>
set network interface loopback units <name> ipv6 address <name> prefix
set network interface loopback units <name> ipv6 address <name> anycast
set network interface loopback units <name> interface-management-profile <value>
set network interface loopback units <name> nelow-profile <value>
set network interface loopback units <name> comment <value>
set network interface loopback nelow-profile <value>
set network interface loopback comment <value>
set network interface tunnel
set network interface tunnel mtu <576-9216>

PAN-OS CLI Quick Start Version Version 10.1 476 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface tunnel ip

set network interface tunnel ip <name>
set network interface tunnel ipv6
set network interface tunnel ipv6 enabled <yes|no>
set network interface tunnel ipv6 interface-id <value>|<EUI-64>
set network interface tunnel ipv6 address
set network interface tunnel ipv6 address <name>
set network interface tunnel ipv6 address <name> enable-on-interface <yes|no>
set network interface tunnel ipv6 address <name> prefix
set network interface tunnel ipv6 address <name> anycast
set network interface tunnel interface-management-profile <value>
set network interface tunnel units
set network interface tunnel units <name>
set network interface tunnel units <name> mtu <576-9216>
set network interface tunnel units <name> ip
set network interface tunnel units <name> ip <name>
set network interface tunnel units <name> ipv6
set network interface tunnel units <name> ipv6 enabled <yes|no>
set network interface tunnel units <name> ipv6 interface-id <value>|<EUI-64>
set network interface tunnel units <name> ipv6 address
set network interface tunnel units <name> ipv6 address <name>
set network interface tunnel units <name> ipv6 address <name> enable-on-interface <yes|no>
set network interface tunnel units <name> ipv6 address <name> prefix
set network interface tunnel units <name> ipv6 address <name> anycast
set network interface tunnel units <name> interface-management-profile <value>
set network interface tunnel units <name> nelow-profile <value>
set network interface tunnel units <name> comment <value>
set network interface tunnel nelow-profile <value>
set network interface tunnel comment <value>
set network interface sdwan
set network interface sdwan units
set network interface sdwan units <name>
set network interface sdwan units <name> comment <value>

PAN-OS CLI Quick Start Version Version 10.1 477 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network interface sdwan units <name> cluster-name <value>

set network interface sdwan units <name> link-tag <value>
set network interface sdwan units <name> interface [ <interface1> <interface2>... ]
set network ike
set network ike gateway
set network ike gateway <name>
set network ike gateway <name> disabled <yes|no>
set network ike gateway <name> ipv6 <yes|no>
set network ike gateway <name> comment <value>
set network ike gateway <name> peer-address
set network ike gateway <name> peer-address ip <value>|<ip/netmask>
set network ike gateway <name> peer-address fqdn <value>
set network ike gateway <name> peer-address dynamic
set network ike gateway <name> local-address
set network ike gateway <name> local-address interface <value>
set network ike gateway <name> local-address
set network ike gateway <name> local-address ip <value>
set network ike gateway <name> local-address floang-ip <value>
set network ike gateway <name> peer-id
set network ike gateway <name> peer-id type <value>
set network ike gateway <name> peer-id id <value>
set network ike gateway <name> peer-id matching <exact|wildcard>
set network ike gateway <name> local-id
set network ike gateway <name> local-id type <value>
set network ike gateway <name> local-id id <value>
set network ike gateway <name> authencaon
set network ike gateway <name> authencaon pre-shared-key
set network ike gateway <name> authencaon pre-shared-key key <value>
set network ike gateway <name> authencaon cerficate
set network ike gateway <name> authencaon cerficate local-cerficate
set network ike gateway <name> authencaon cerficate local-cerficate name <value>
set network ike gateway <name> authencaon cerficate local-cerficate hash-and-url
set network ike gateway <name> authencaon cerficate local-cerficate hash-and-url enable
<yes|no>

PAN-OS CLI Quick Start Version Version 10.1 478 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network ike gateway <name> authencaon cerficate local-cerficate hash-and-url base-url
<value>
set network ike gateway <name> authencaon cerficate cerficate-profile <value>
set network ike gateway <name> authencaon cerficate use-management-as-source <yes|no>
set network ike gateway <name> authencaon cerficate strict-validaon-revocaon <yes|no>
set network ike gateway <name> authencaon cerficate allow-id-payload-mismatch <yes|no>
set network ike gateway <name> protocol
set network ike gateway <name> protocol version <ikev1|ikev2|ikev2-preferred>
set network ike gateway <name> protocol ikev1
set network ike gateway <name> protocol ikev1 exchange-mode <auto|main|aggressive>
set network ike gateway <name> protocol ikev1 ike-crypto-profile <value>
set network ike gateway <name> protocol ikev1 dpd
set network ike gateway <name> protocol ikev1 dpd enable <yes|no>
set network ike gateway <name> protocol ikev1 dpd interval <2-100>
set network ike gateway <name> protocol ikev1 dpd retry <2-100>
set network ike gateway <name> protocol ikev2
set network ike gateway <name> protocol ikev2 ike-crypto-profile <value>
set network ike gateway <name> protocol ikev2 require-cookie <yes|no>
set network ike gateway <name> protocol ikev2 dpd
set network ike gateway <name> protocol ikev2 dpd enable <yes|no>
set network ike gateway <name> protocol ikev2 dpd interval <2-100>
set network ike gateway <name> protocol-common
set network ike gateway <name> protocol-common nat-traversal
set network ike gateway <name> protocol-common nat-traversal enable <yes|no>
set network ike gateway <name> protocol-common nat-traversal keep-alive-interval <10-3600>
set network ike gateway <name> protocol-common nat-traversal udp-checksum-enable <yes|no>
set network ike gateway <name> protocol-common passive-mode <yes|no>
set network ike gateway <name> protocol-common fragmentaon
set network ike gateway <name> protocol-common fragmentaon enable <yes|no>
set network ike crypto-profiles
set network ike crypto-profiles ike-crypto-profiles
set network ike crypto-profiles ike-crypto-profiles <name>
set network ike crypto-profiles ike-crypto-profiles <name> encrypon [ <encrypon1>
<encrypon2>... ]

PAN-OS CLI Quick Start Version Version 10.1 479 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network ike crypto-profiles ike-crypto-profiles <name> hash [ <hash1> <hash2>... ]

set network ike crypto-profiles ike-crypto-profiles <name> dh-group [ <dh-group1> <dh-
group2>... ]
set network ike crypto-profiles ike-crypto-profiles <name> lifeme
set network ike crypto-profiles ike-crypto-profiles <name> lifeme seconds <180-65535>
set network ike crypto-profiles ike-crypto-profiles <name> lifeme minutes <3-65535>
set network ike crypto-profiles ike-crypto-profiles <name> lifeme hours <1-65535>
set network ike crypto-profiles ike-crypto-profiles <name> lifeme days <1-365>
set network ike crypto-profiles ike-crypto-profiles <name> authencaon-mulple <0-50>
set network ike crypto-profiles ipsec-crypto-profiles
set network ike crypto-profiles ipsec-crypto-profiles <name>
set network ike crypto-profiles ipsec-crypto-profiles <name>
set network ike crypto-profiles ipsec-crypto-profiles <name> esp
set network ike crypto-profiles ipsec-crypto-profiles <name> esp encrypon [ <encrypon1>
<encrypon2>... ]
set network ike crypto-profiles ipsec-crypto-profiles <name> esp authencaon
[ <authencaon1> <authencaon2>... ]
set network ike crypto-profiles ipsec-crypto-profiles <name> ah
set network ike crypto-profiles ipsec-crypto-profiles <name> ah authencaon
[ <authencaon1> <authencaon2>... ]
set network ike crypto-profiles ipsec-crypto-profiles <name> dh-group <no-pfs|group1|group2|
group5|group14|group19|group20>
set network ike crypto-profiles ipsec-crypto-profiles <name> lifeme
set network ike crypto-profiles ipsec-crypto-profiles <name> lifeme seconds <180-65535>
set network ike crypto-profiles ipsec-crypto-profiles <name> lifeme minutes <3-65535>
set network ike crypto-profiles ipsec-crypto-profiles <name> lifeme hours <1-65535>
set network ike crypto-profiles ipsec-crypto-profiles <name> lifeme days <1-365>
set network ike crypto-profiles ipsec-crypto-profiles <name> lifesize
set network ike crypto-profiles ipsec-crypto-profiles <name> lifesize kb <1-65535>
set network ike crypto-profiles ipsec-crypto-profiles <name> lifesize mb <1-65535>
set network ike crypto-profiles ipsec-crypto-profiles <name> lifesize gb <1-65535>
set network ike crypto-profiles ipsec-crypto-profiles <name> lifesize tb <1-65535>
set network ike crypto-profiles global-protect-app-crypto-profiles
set network ike crypto-profiles global-protect-app-crypto-profiles <name>

PAN-OS CLI Quick Start Version Version 10.1 480 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network ike crypto-profiles global-protect-app-crypto-profiles <name> encrypon

[ <encrypon1> <encrypon2>... ]
set network ike crypto-profiles global-protect-app-crypto-profiles <name> authencaon
[ <authencaon1> <authencaon2>... ]
set network tunnel
set network tunnel gre
set network tunnel gre <name>
set network tunnel gre <name> disabled <yes|no>
set network tunnel gre <name> copy-tos <yes|no>
set network tunnel gre <name> l <1-255>
set network tunnel gre <name> tunnel-interface <value>
set network tunnel gre <name> local-address
set network tunnel gre <name> local-address interface <value>
set network tunnel gre <name> local-address
set network tunnel gre <name> local-address ip <value>
set network tunnel gre <name> local-address floang-ip <value>
set network tunnel gre <name> peer-address
set network tunnel gre <name> peer-address ip <ip/netmask>
set network tunnel gre <name> keep-alive
set network tunnel gre <name> keep-alive enable <yes|no>
set network tunnel gre <name> keep-alive interval <1-50>
set network tunnel gre <name> keep-alive retry <1-64>
set network tunnel gre <name> keep-alive hold-mer <1-64>
set network tunnel ipsec
set network tunnel ipsec <name>
set network tunnel ipsec <name> disabled <yes|no>
set network tunnel ipsec <name> ipv6 <yes|no>
set network tunnel ipsec <name> comment <value>
set network tunnel ipsec <name> tunnel-interface <value>
set network tunnel ipsec <name> an-replay <yes|no>
set network tunnel ipsec <name> an-replay-window <64|128|256|512|1024|2048|4096>
set network tunnel ipsec <name> copy-tos <yes|no>
set network tunnel ipsec <name> copy-flow-label <yes|no>
set network tunnel ipsec <name> enable-gre-encapsulaon <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 481 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network tunnel ipsec <name> tunnel-monitor

set network tunnel ipsec <name> tunnel-monitor enable <yes|no>
set network tunnel ipsec <name> tunnel-monitor desnaon-ip <ip/netmask>
set network tunnel ipsec <name> tunnel-monitor proxy-id <value>
set network tunnel ipsec <name> tunnel-monitor tunnel-monitor-profile <value>
set network tunnel ipsec <name>
set network tunnel ipsec <name> auto-key
set network tunnel ipsec <name> auto-key ike-gateway
set network tunnel ipsec <name> auto-key ike-gateway <name>
set network tunnel ipsec <name> auto-key ipsec-crypto-profile <value>
set network tunnel ipsec <name> auto-key proxy-id
set network tunnel ipsec <name> auto-key proxy-id <name>
set network tunnel ipsec <name> auto-key proxy-id <name> local <ip/netmask>
set network tunnel ipsec <name> auto-key proxy-id <name> remote <ip/netmask>
set network tunnel ipsec <name> auto-key proxy-id <name> protocol
set network tunnel ipsec <name> auto-key proxy-id <name> protocol number <1-254>
set network tunnel ipsec <name> auto-key proxy-id <name> protocol any
set network tunnel ipsec <name> auto-key proxy-id <name> protocol tcp
set network tunnel ipsec <name> auto-key proxy-id <name> protocol tcp local-port <0-65535>
set network tunnel ipsec <name> auto-key proxy-id <name> protocol tcp remote-port <0-65535>
set network tunnel ipsec <name> auto-key proxy-id <name> protocol udp
set network tunnel ipsec <name> auto-key proxy-id <name> protocol udp local-port <0-65535>
set network tunnel ipsec <name> auto-key proxy-id <name> protocol udp remote-port
<0-65535>
set network tunnel ipsec <name> auto-key proxy-id-v6
set network tunnel ipsec <name> auto-key proxy-id-v6 <name>
set network tunnel ipsec <name> auto-key proxy-id-v6 <name> local <ip/netmask>
set network tunnel ipsec <name> auto-key proxy-id-v6 <name> remote <ip/netmask>
set network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol
set network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol number <1-254>
set network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol any
set network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol tcp
set network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol tcp local-port
<0-65535>

PAN-OS CLI Quick Start Version Version 10.1 482 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol tcp remote-port
<0-65535>
set network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol udp
set network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol udp local-port
<0-65535>
set network tunnel ipsec <name> auto-key proxy-id-v6 <name> protocol udp remote-port
<0-65535>
set network tunnel ipsec <name> manual-key
set network tunnel ipsec <name> manual-key peer-address
set network tunnel ipsec <name> manual-key peer-address ip <ip/netmask>
set network tunnel ipsec <name> manual-key local-address
set network tunnel ipsec <name> manual-key local-address interface <value>
set network tunnel ipsec <name> manual-key local-address
set network tunnel ipsec <name> manual-key local-address ip <value>
set network tunnel ipsec <name> manual-key local-address floang-ip <value>
set network tunnel ipsec <name> manual-key local-spi <value>
set network tunnel ipsec <name> manual-key remote-spi <value>
set network tunnel ipsec <name> manual-key
set network tunnel ipsec <name> manual-key esp
set network tunnel ipsec <name> manual-key esp authencaon
set network tunnel ipsec <name> manual-key esp authencaon
set network tunnel ipsec <name> manual-key esp authencaon md5
set network tunnel ipsec <name> manual-key esp authencaon md5 key <value>
set network tunnel ipsec <name> manual-key esp authencaon sha1
set network tunnel ipsec <name> manual-key esp authencaon sha1 key <value>
set network tunnel ipsec <name> manual-key esp authencaon sha256
set network tunnel ipsec <name> manual-key esp authencaon sha256 key <value>
set network tunnel ipsec <name> manual-key esp authencaon sha384
set network tunnel ipsec <name> manual-key esp authencaon sha384 key <value>
set network tunnel ipsec <name> manual-key esp authencaon sha512
set network tunnel ipsec <name> manual-key esp authencaon sha512 key <value>
set network tunnel ipsec <name> manual-key esp authencaon none
set network tunnel ipsec <name> manual-key esp encrypon
set network tunnel ipsec <name> manual-key esp encrypon algorithm <des|3des|aes-128-cbc|
aes-192-cbc|aes-256-cbc|null>

PAN-OS CLI Quick Start Version Version 10.1 483 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network tunnel ipsec <name> manual-key esp encrypon key <value>
set network tunnel ipsec <name> manual-key ah
set network tunnel ipsec <name> manual-key ah
set network tunnel ipsec <name> manual-key ah md5
set network tunnel ipsec <name> manual-key ah md5 key <value>
set network tunnel ipsec <name> manual-key ah sha1
set network tunnel ipsec <name> manual-key ah sha1 key <value>
set network tunnel ipsec <name> manual-key ah sha256
set network tunnel ipsec <name> manual-key ah sha256 key <value>
set network tunnel ipsec <name> manual-key ah sha384
set network tunnel ipsec <name> manual-key ah sha384 key <value>
set network tunnel ipsec <name> manual-key ah sha512
set network tunnel ipsec <name> manual-key ah sha512 key <value>
set network tunnel ipsec <name> global-protect-satellite
set network tunnel ipsec <name> global-protect-satellite portal-address <value>
set network tunnel ipsec <name> global-protect-satellite ipv6-preferred <yes|no>
set network tunnel ipsec <name> global-protect-satellite local-address
set network tunnel ipsec <name> global-protect-satellite local-address interface <value>
set network tunnel ipsec <name> global-protect-satellite local-address
set network tunnel ipsec <name> global-protect-satellite local-address ip
set network tunnel ipsec <name> global-protect-satellite local-address ip ipv4 <value>
set network tunnel ipsec <name> global-protect-satellite local-address ip ipv6 <value>
set network tunnel ipsec <name> global-protect-satellite local-address floang-ip
set network tunnel ipsec <name> global-protect-satellite local-address floang-ip ipv4 <value>
set network tunnel ipsec <name> global-protect-satellite local-address floang-ip ipv6 <value>
set network tunnel ipsec <name> global-protect-satellite publish-routes [ <publish-routes1>
<publish-routes2>... ]
set network tunnel ipsec <name> global-protect-satellite publish-connected-routes
set network tunnel ipsec <name> global-protect-satellite publish-connected-routes enable <yes|
no>
set network tunnel ipsec <name> global-protect-satellite external-ca
set network tunnel ipsec <name> global-protect-satellite external-ca local-cerficate <value>
set network tunnel ipsec <name> global-protect-satellite external-ca cerficate-profile <value>
set network tunnel global-protect-gateway

PAN-OS CLI Quick Start Version Version 10.1 484 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network tunnel global-protect-gateway <name>

set network tunnel global-protect-gateway <name> tunnel-interface <value>
set network tunnel global-protect-gateway <name> local-address
set network tunnel global-protect-gateway <name> local-address ip-address-family <ipv4|ipv6|
ipv4_ipv6>
set network tunnel global-protect-gateway <name> local-address interface <value>
set network tunnel global-protect-gateway <name> local-address
set network tunnel global-protect-gateway <name> local-address ip
set network tunnel global-protect-gateway <name> local-address ip ipv4 <value>
set network tunnel global-protect-gateway <name> local-address ip ipv6 <value>
set network tunnel global-protect-gateway <name> local-address floang-ip
set network tunnel global-protect-gateway <name> local-address floang-ip ipv4 <value>
set network tunnel global-protect-gateway <name> local-address floang-ip ipv6 <value>
set network tunnel global-protect-gateway <name> ipsec
set network tunnel global-protect-gateway <name> ipsec enable <yes|no>
set network tunnel global-protect-gateway <name> ipsec third-party-client
set network tunnel global-protect-gateway <name> ipsec third-party-client enable <yes|no>
set network tunnel global-protect-gateway <name> ipsec third-party-client group-name <value>
set network tunnel global-protect-gateway <name> ipsec third-party-client group-password
<value>
set network tunnel global-protect-gateway <name> ipsec third-party-client rekey-noauth <yes|
no>
set network tunnel global-protect-gateway <name> ipsec ipsec-crypto-profile <value>
set network tunnel global-protect-gateway <name> max-user <1-65535>
set network tunnel global-protect-gateway <name> ip-pool [ <ip-pool1> <ip-pool2>... ]
set network tunnel global-protect-gateway <name> client
set network tunnel global-protect-gateway <name> client inheritance
set network tunnel global-protect-gateway <name> client inheritance source <value>
set network tunnel global-protect-gateway <name> client dns-server
set network tunnel global-protect-gateway <name> client dns-server primary <ip/netmask>|
<inherited>
set network tunnel global-protect-gateway <name> client dns-server secondary <ip/netmask>|
<inherited>
set network tunnel global-protect-gateway <name> client wins-server

PAN-OS CLI Quick Start Version Version 10.1 485 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network tunnel global-protect-gateway <name> client wins-server primary <ip/netmask>|

<validate>|<inherited>
set network tunnel global-protect-gateway <name> client wins-server secondary <ip/netmask>|
<validate>|<inherited>
set network tunnel global-protect-gateway <name> client dns-suffix-inherited <yes|no>
set network tunnel global-protect-gateway <name> client dns-suffix [ <dns-suffix1> <dns-
suffix2>... ]
set network tunnel global-protect-gateway <name> client exclude-video-traffic
set network tunnel global-protect-gateway <name> client exclude-video-traffic enabled <yes|no>
set network tunnel global-protect-gateway <name> client exclude-video-traffic applicaons
[ <applicaons1> <applicaons2>... ]
set network tunnel global-protect-site-to-site
set network tunnel global-protect-site-to-site <name>
set network tunnel global-protect-site-to-site <name> tunnel-interface <value>
set network tunnel global-protect-site-to-site <name> local-address
set network tunnel global-protect-site-to-site <name> local-address ip-address-family <ipv4|ipv6|
ipv4_ipv6>
set network tunnel global-protect-site-to-site <name> local-address interface <value>
set network tunnel global-protect-site-to-site <name> local-address
set network tunnel global-protect-site-to-site <name> local-address ip
set network tunnel global-protect-site-to-site <name> local-address ip ipv4 <value>
set network tunnel global-protect-site-to-site <name> local-address ip ipv6 <value>
set network tunnel global-protect-site-to-site <name> local-address floang-ip
set network tunnel global-protect-site-to-site <name> local-address floang-ip ipv4 <value>
set network tunnel global-protect-site-to-site <name> local-address floang-ip ipv6 <value>
set network tunnel global-protect-site-to-site <name> client
set network tunnel global-protect-site-to-site <name> client config-refresh-interval <1-48>
set network tunnel global-protect-site-to-site <name> client ip-pool [ <ip-pool1> <ip-pool2>... ]
set network tunnel global-protect-site-to-site <name> client inheritance
set network tunnel global-protect-site-to-site <name> client inheritance source <value>
set network tunnel global-protect-site-to-site <name> client dns-server
set network tunnel global-protect-site-to-site <name> client dns-server primary <ip/netmask>|
<inherited>
set network tunnel global-protect-site-to-site <name> client dns-server secondary <ip/netmask>|
<inherited>
set network tunnel global-protect-site-to-site <name> client dns-suffix-inherited <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 486 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network tunnel global-protect-site-to-site <name> client dns-suffix [ <dns-suffix1> <dns-

suffix2>... ]
set network tunnel global-protect-site-to-site <name> client split-tunneling
set network tunnel global-protect-site-to-site <name> client split-tunneling access-route
[ <access-route1> <access-route2>... ]
set network tunnel global-protect-site-to-site <name> client tunnel-monitor
set network tunnel global-protect-site-to-site <name> client tunnel-monitor enable <yes|no>
set network tunnel global-protect-site-to-site <name> client tunnel-monitor desnaon-ip <ip/
netmask>
set network tunnel global-protect-site-to-site <name> client tunnel-monitor desnaon-ipv6 <ip/
netmask>
set network tunnel global-protect-site-to-site <name> client tunnel-monitor tunnel-monitor-
profile <value>
set network tunnel global-protect-site-to-site <name> client ipsec-crypto-profile <value>
set network tunnel global-protect-site-to-site <name> client accept-published-routes <yes|no>
set network tunnel global-protect-site-to-site <name> client valid-networks [ <valid-networks1>
<valid-networks2>... ]
set network tunnel global-protect-site-to-site <name> client an-replay <yes|no>
set network tunnel global-protect-site-to-site <name> client copy-tos <yes|no>
set network vlan
set network vlan <name>
set network vlan <name> interface [ <interface1> <interface2>... ]
set network vlan <name> mac
set network vlan <name> mac <name>
set network vlan <name> mac <name> interface <value>
set network vlan <name> virtual-interface
set network vlan <name> virtual-interface interface <value>
set network qos
set network qos profile
set network qos profile <name>
set network qos profile <name> aggregate-bandwidth
set network qos profile <name> aggregate-bandwidth egress-max <float>
set network qos profile <name> aggregate-bandwidth egress-guaranteed <float>
set network qos profile <name> class-bandwidth-type
set network qos profile <name> class-bandwidth-type mbps

PAN-OS CLI Quick Start Version Version 10.1 487 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network qos profile <name> class-bandwidth-type mbps class

set network qos profile <name> class-bandwidth-type mbps class <name>
set network qos profile <name> class-bandwidth-type mbps class <name> priority <real-me|high|
medium|low>
set network qos profile <name> class-bandwidth-type mbps class <name> class-bandwidth
set network qos profile <name> class-bandwidth-type mbps class <name> class-bandwidth
egress-max <float>
set network qos profile <name> class-bandwidth-type mbps class <name> class-bandwidth
egress-guaranteed <float>
set network qos profile <name> class-bandwidth-type percentage
set network qos profile <name> class-bandwidth-type percentage class
set network qos profile <name> class-bandwidth-type percentage class <name>
set network qos profile <name> class-bandwidth-type percentage class <name> priority <real-
me|high|medium|low>
set network qos profile <name> class-bandwidth-type percentage class <name> class-bandwidth
set network qos profile <name> class-bandwidth-type percentage class <name> class-bandwidth
egress-max <float>
set network qos profile <name> class-bandwidth-type percentage class <name> class-bandwidth
egress-guaranteed <float>
set network qos interface
set network qos interface <name>
set network qos interface <name> enabled <yes|no>
set network qos interface <name> interface-bandwidth
set network qos interface <name> interface-bandwidth egress-max <float>
set network qos interface <name> tunnel-traffic
set network qos interface <name> tunnel-traffic groups
set network qos interface <name> tunnel-traffic groups <name>
set network qos interface <name> tunnel-traffic groups <name> members
set network qos interface <name> tunnel-traffic groups <name> members <name>
set network qos interface <name> tunnel-traffic groups <name> members <name> qos-profile
<value>
set network qos interface <name> tunnel-traffic default-group
set network qos interface <name> tunnel-traffic default-group per-tunnel-qos-profile <value>
set network qos interface <name> tunnel-traffic bandwidth
set network qos interface <name> tunnel-traffic bandwidth egress-max <float>
set network qos interface <name> tunnel-traffic bandwidth egress-guaranteed <float>

PAN-OS CLI Quick Start Version Version 10.1 488 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network qos interface <name> regular-traffic

set network qos interface <name> regular-traffic groups
set network qos interface <name> regular-traffic groups <name>
set network qos interface <name> regular-traffic groups <name> members
set network qos interface <name> regular-traffic groups <name> members <name>
set network qos interface <name> regular-traffic groups <name> members <name> qos-profile
<value>
set network qos interface <name> regular-traffic groups <name> members <name> match
set network qos interface <name> regular-traffic groups <name> members <name> match local-
address
set network qos interface <name> regular-traffic groups <name> members <name> match local-
address interface <value>
set network qos interface <name> regular-traffic groups <name> members <name> match local-
address desnaon_interface <value>
set network qos interface <name> regular-traffic groups <name> members <name> match local-
address address [ <address1> <address2>... ]
set network qos interface <name> regular-traffic default-group
set network qos interface <name> regular-traffic default-group qos-profile <value>
set network qos interface <name> regular-traffic bandwidth
set network qos interface <name> regular-traffic bandwidth egress-max <float>
set network qos interface <name> regular-traffic bandwidth egress-guaranteed <float>
set network virtual-wire
set network virtual-wire <name>
set network virtual-wire <name> interface1 <value>
set network virtual-wire <name> interface2 <value>
set network virtual-wire <name> tag-allowed <0-4094,...>
set network virtual-wire <name> mulcast-firewalling
set network virtual-wire <name> mulcast-firewalling enable <yes|no>
set network virtual-wire <name> link-state-pass-through
set network virtual-wire <name> link-state-pass-through enable <yes|no>
set network virtual-router
set network virtual-router <name>
set network virtual-router <name> interface [ <interface1> <interface2>... ]
set network virtual-router <name> roung-table
set network virtual-router <name> roung-table ip

PAN-OS CLI Quick Start Version Version 10.1 489 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> roung-table ip stac-route

set network virtual-router <name> roung-table ip stac-route <name>
set network virtual-router <name> roung-table ip stac-route <name> desnaon <value>|<ip/
netmask>
set network virtual-router <name> roung-table ip stac-route <name> interface <value>
set network virtual-router <name> roung-table ip stac-route <name> nexthop
set network virtual-router <name> roung-table ip stac-route <name> nexthop discard
set network virtual-router <name> roung-table ip stac-route <name> nexthop ip-address
<value>|<ip/netmask>
set network virtual-router <name> roung-table ip stac-route <name> nexthop fqdn <value>
set network virtual-router <name> roung-table ip stac-route <name> nexthop next-vr <value>
set network virtual-router <name> roung-table ip stac-route <name> admin-dist <10-240>
set network virtual-router <name> roung-table ip stac-route <name> metric <1-65535>
set network virtual-router <name> roung-table ip stac-route <name> route-table
set network virtual-router <name> roung-table ip stac-route <name> route-table
set network virtual-router <name> roung-table ip stac-route <name> route-table unicast
set network virtual-router <name> roung-table ip stac-route <name> route-table mulcast
set network virtual-router <name> roung-table ip stac-route <name> route-table both
set network virtual-router <name> roung-table ip stac-route <name> route-table no-install
set network virtual-router <name> roung-table ip stac-route <name> bfd
set network virtual-router <name> roung-table ip stac-route <name> bfd profile <value>|
<None>
set network virtual-router <name> roung-table ip stac-route <name> path-monitor
set network virtual-router <name> roung-table ip stac-route <name> path-monitor enable
<yes|no>
set network virtual-router <name> roung-table ip stac-route <name> path-monitor failure-
condion <any|all>
set network virtual-router <name> roung-table ip stac-route <name> path-monitor hold-me
<0-1440>
set network virtual-router <name> roung-table ip stac-route <name> path-monitor monitor-
desnaons
set network virtual-router <name> roung-table ip stac-route <name> path-monitor monitor-
desnaons <name>
set network virtual-router <name> roung-table ip stac-route <name> path-monitor monitor-
desnaons <name> enable <yes|no>
set network virtual-router <name> roung-table ip stac-route <name> path-monitor monitor-
desnaons <name> source <value>|<DHCP|PPPOE>

PAN-OS CLI Quick Start Version Version 10.1 490 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> roung-table ip stac-route <name> path-monitor monitor-

desnaons <name> desnaon <value>
set network virtual-router <name> roung-table ip stac-route <name> path-monitor monitor-
desnaons <name> interval <1-60>
set network virtual-router <name> roung-table ip stac-route <name> path-monitor monitor-
desnaons <name> count <3-10>
set network virtual-router <name> roung-table ipv6
set network virtual-router <name> roung-table ipv6 stac-route
set network virtual-router <name> roung-table ipv6 stac-route <name>
set network virtual-router <name> roung-table ipv6 stac-route <name> desnaon <value>|
<ip/netmask>
set network virtual-router <name> roung-table ipv6 stac-route <name> interface <value>
set network virtual-router <name> roung-table ipv6 stac-route <name> nexthop
set network virtual-router <name> roung-table ipv6 stac-route <name> nexthop discard
set network virtual-router <name> roung-table ipv6 stac-route <name> nexthop ipv6-address
<value>|<ip/netmask>
set network virtual-router <name> roung-table ipv6 stac-route <name> nexthop fqdn <value>
set network virtual-router <name> roung-table ipv6 stac-route <name> nexthop next-vr
<value>
set network virtual-router <name> roung-table ipv6 stac-route <name> admin-dist <10-240>
set network virtual-router <name> roung-table ipv6 stac-route <name> metric <1-65535>
set network virtual-router <name> roung-table ipv6 stac-route <name> route-table
set network virtual-router <name> roung-table ipv6 stac-route <name> route-table
set network virtual-router <name> roung-table ipv6 stac-route <name> route-table unicast
set network virtual-router <name> roung-table ipv6 stac-route <name> route-table no-install
set network virtual-router <name> roung-table ipv6 stac-route <name> bfd
set network virtual-router <name> roung-table ipv6 stac-route <name> bfd profile <value>|
<None>
set network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor
set network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor enable
<yes|no>
set network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor failure-
condion <any|all>
set network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor hold-me
<0-1440>
set network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor monitor-
desnaons

PAN-OS CLI Quick Start Version Version 10.1 491 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor monitor-
desnaons <name>
set network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor monitor-
desnaons <name> enable <yes|no>
set network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor monitor-
desnaons <name> source <value>
set network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor monitor-
desnaons <name> desnaon <value>
set network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor monitor-
desnaons <name> interval <1-60>
set network virtual-router <name> roung-table ipv6 stac-route <name> path-monitor monitor-
desnaons <name> count <3-10>
set network virtual-router <name> mulcast
set network virtual-router <name> mulcast enable <yes|no>
set network virtual-router <name> mulcast route-ageout-me <210-7200>
set network virtual-router <name> mulcast interface-group
set network virtual-router <name> mulcast interface-group <name>
set network virtual-router <name> mulcast interface-group <name> descripon <value>
set network virtual-router <name> mulcast interface-group <name> interface [ <interface1>
<interface2>... ]
set network virtual-router <name> mulcast interface-group <name> group-permission
set network virtual-router <name> mulcast interface-group <name> group-permission any-
source-mulcast
set network virtual-router <name> mulcast interface-group <name> group-permission any-
source-mulcast <name>
set network virtual-router <name> mulcast interface-group <name> group-permission any-
source-mulcast <name> group-address <ip/netmask>
set network virtual-router <name> mulcast interface-group <name> group-permission any-
source-mulcast <name> included <yes|no>
set network virtual-router <name> mulcast interface-group <name> group-permission source-
specific-mulcast
set network virtual-router <name> mulcast interface-group <name> group-permission source-
specific-mulcast <name>
set network virtual-router <name> mulcast interface-group <name> group-permission source-
specific-mulcast <name> group-address <ip/netmask>
set network virtual-router <name> mulcast interface-group <name> group-permission source-
specific-mulcast <name> source-address <ip/netmask>
set network virtual-router <name> mulcast interface-group <name> group-permission source-
specific-mulcast <name> included <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 492 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> mulcast interface-group <name> igmp

set network virtual-router <name> mulcast interface-group <name> igmp enable <yes|no>
set network virtual-router <name> mulcast interface-group <name> igmp version <1|2|3>
set network virtual-router <name> mulcast interface-group <name> igmp max-query-response-
me <float>
set network virtual-router <name> mulcast interface-group <name> igmp query-interval
<1-31744>
set network virtual-router <name> mulcast interface-group <name> igmp last-member-query-
interval <float>
set network virtual-router <name> mulcast interface-group <name> igmp immediate-leave <yes|
no>
set network virtual-router <name> mulcast interface-group <name> igmp robustness <1|2|3|4|5|
6|7>
set network virtual-router <name> mulcast interface-group <name> igmp max-groups
<1-65535>|<unlimited>
set network virtual-router <name> mulcast interface-group <name> igmp max-sources
<1-65535>|<unlimited>
set network virtual-router <name> mulcast interface-group <name> igmp router-alert-policing
<yes|no>
set network virtual-router <name> mulcast interface-group <name> pim
set network virtual-router <name> mulcast interface-group <name> pim enable <yes|no>
set network virtual-router <name> mulcast interface-group <name> pim assert-interval
<0-65534>
set network virtual-router <name> mulcast interface-group <name> pim hello-interval
<0-18000>
set network virtual-router <name> mulcast interface-group <name> pim join-prune-interval
<1-18000>
set network virtual-router <name> mulcast interface-group <name> pim dr-priority
<0-4294967295>
set network virtual-router <name> mulcast interface-group <name> pim bsr-border <yes|no>
set network virtual-router <name> mulcast interface-group <name> pim allowed-neighbors
set network virtual-router <name> mulcast interface-group <name> pim allowed-neighbors
<name>
set network virtual-router <name> mulcast ssm-address-space
set network virtual-router <name> mulcast ssm-address-space <name>
set network virtual-router <name> mulcast ssm-address-space <name> group-address <ip/
netmask>
set network virtual-router <name> mulcast ssm-address-space <name> included <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 493 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> mulcast spt-threshold

set network virtual-router <name> mulcast spt-threshold <name>
set network virtual-router <name> mulcast spt-threshold <name> threshold <1-4294967295>|
<never|0>
set network virtual-router <name> mulcast rp
set network virtual-router <name> mulcast rp local-rp
set network virtual-router <name> mulcast rp local-rp
set network virtual-router <name> mulcast rp local-rp stac-rp
set network virtual-router <name> mulcast rp local-rp stac-rp interface <value>
set network virtual-router <name> mulcast rp local-rp stac-rp address <value>
set network virtual-router <name> mulcast rp local-rp stac-rp override <yes|no>
set network virtual-router <name> mulcast rp local-rp stac-rp group-addresses [ <group-
addresses1> <group-addresses2>... ]
set network virtual-router <name> mulcast rp local-rp candidate-rp
set network virtual-router <name> mulcast rp local-rp candidate-rp interface <value>
set network virtual-router <name> mulcast rp local-rp candidate-rp address <value>
set network virtual-router <name> mulcast rp local-rp candidate-rp priority <0-255>
set network virtual-router <name> mulcast rp local-rp candidate-rp adversement-interval
<1-26214>
set network virtual-router <name> mulcast rp local-rp candidate-rp group-addresses [ <group-
addresses1> <group-addresses2>... ]
set network virtual-router <name> mulcast rp external-rp
set network virtual-router <name> mulcast rp external-rp <name>
set network virtual-router <name> mulcast rp external-rp <name> group-addresses [ <group-
addresses1> <group-addresses2>... ]
set network virtual-router <name> mulcast rp external-rp <name> override <yes|no>
set network virtual-router <name> protocol
set network virtual-router <name> protocol redist-profile
set network virtual-router <name> protocol redist-profile <name>
set network virtual-router <name> protocol redist-profile <name> priority <1-255>
set network virtual-router <name> protocol redist-profile <name> filter
set network virtual-router <name> protocol redist-profile <name> filter type [ <type1> <type2>... ]
set network virtual-router <name> protocol redist-profile <name> filter interface [ <interface1>
<interface2>... ]
set network virtual-router <name> protocol redist-profile <name> filter desnaon
[ <desnaon1> <desnaon2>... ]

PAN-OS CLI Quick Start Version Version 10.1 494 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol redist-profile <name> filter nexthop [ <nexthop1>
<nexthop2>... ]
set network virtual-router <name> protocol redist-profile <name> filter ospf
set network virtual-router <name> protocol redist-profile <name> filter ospf path-type [ <path-
type1> <path-type2>... ]
set network virtual-router <name> protocol redist-profile <name> filter ospf area [ <area1>
<area2>... ]
set network virtual-router <name> protocol redist-profile <name> filter ospf tag [ <tag1>
<tag2>... ]
set network virtual-router <name> protocol redist-profile <name> filter bgp
set network virtual-router <name> protocol redist-profile <name> filter bgp community
[ <community1> <community2>... ]
set network virtual-router <name> protocol redist-profile <name> filter bgp extended-community
[ <extended-community1> <extended-community2>... ]
set network virtual-router <name> protocol redist-profile <name> acon
set network virtual-router <name> protocol redist-profile <name> acon no-redist
set network virtual-router <name> protocol redist-profile <name> acon redist
set network virtual-router <name> protocol redist-profile-ipv6
set network virtual-router <name> protocol redist-profile-ipv6 <name>
set network virtual-router <name> protocol redist-profile-ipv6 <name> priority <1-255>
set network virtual-router <name> protocol redist-profile-ipv6 <name> filter
set network virtual-router <name> protocol redist-profile-ipv6 <name> filter type [ <type1>
<type2>... ]
set network virtual-router <name> protocol redist-profile-ipv6 <name> filter interface
[ <interface1> <interface2>... ]
set network virtual-router <name> protocol redist-profile-ipv6 <name> filter desnaon
[ <desnaon1> <desnaon2>... ]
set network virtual-router <name> protocol redist-profile-ipv6 <name> filter nexthop
[ <nexthop1> <nexthop2>... ]
set network virtual-router <name> protocol redist-profile-ipv6 <name> filter ospfv3
set network virtual-router <name> protocol redist-profile-ipv6 <name> filter ospfv3 path-type
[ <path-type1> <path-type2>... ]
set network virtual-router <name> protocol redist-profile-ipv6 <name> filter ospfv3 area
[ <area1> <area2>... ]
set network virtual-router <name> protocol redist-profile-ipv6 <name> filter ospfv3 tag [ <tag1>
<tag2>... ]
set network virtual-router <name> protocol redist-profile-ipv6 <name> filter bgp

PAN-OS CLI Quick Start Version Version 10.1 495 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol redist-profile-ipv6 <name> filter bgp community
[ <community1> <community2>... ]
set network virtual-router <name> protocol redist-profile-ipv6 <name> filter bgp extended-
community [ <extended-community1> <extended-community2>... ]
set network virtual-router <name> protocol redist-profile-ipv6 <name> acon
set network virtual-router <name> protocol redist-profile-ipv6 <name> acon no-redist
set network virtual-router <name> protocol redist-profile-ipv6 <name> acon redist
set network virtual-router <name> protocol rip
set network virtual-router <name> protocol rip enable <yes|no>
set network virtual-router <name> protocol rip reject-default-route <yes|no>
set network virtual-router <name> protocol rip allow-redist-default-route <yes|no>
set network virtual-router <name> protocol rip mers
set network virtual-router <name> protocol rip mers interval-seconds <1-60>
set network virtual-router <name> protocol rip mers update-intervals <1-255>
set network virtual-router <name> protocol rip mers expire-intervals <1-255>
set network virtual-router <name> protocol rip mers delete-intervals <1-255>
set network virtual-router <name> protocol rip auth-profile
set network virtual-router <name> protocol rip auth-profile <name>
set network virtual-router <name> protocol rip auth-profile <name>
set network virtual-router <name> protocol rip auth-profile <name> password <value>
set network virtual-router <name> protocol rip auth-profile <name> md5
set network virtual-router <name> protocol rip auth-profile <name> md5 <name>
set network virtual-router <name> protocol rip auth-profile <name> md5 <name> key <value>
set network virtual-router <name> protocol rip auth-profile <name> md5 <name> preferred <yes|
no>
set network virtual-router <name> protocol rip global-bfd
set network virtual-router <name> protocol rip global-bfd profile <value>|<None>
set network virtual-router <name> protocol rip interface
set network virtual-router <name> protocol rip interface <name>
set network virtual-router <name> protocol rip interface <name> enable <yes|no>
set network virtual-router <name> protocol rip interface <name> default-route
set network virtual-router <name> protocol rip interface <name> default-route disable
set network virtual-router <name> protocol rip interface <name> default-route adverse
set network virtual-router <name> protocol rip interface <name> default-route adverse metric
<1-15>

PAN-OS CLI Quick Start Version Version 10.1 496 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol rip interface <name> authencaon <value>
set network virtual-router <name> protocol rip interface <name> mode <normal|passive|send-
only>
set network virtual-router <name> protocol rip interface <name> bfd
set network virtual-router <name> protocol rip interface <name> bfd profile <value>|<None|
Inherit-vr-global-seng>
set network virtual-router <name> protocol rip export-rules
set network virtual-router <name> protocol rip export-rules <name>
set network virtual-router <name> protocol rip export-rules <name> metric <1-16>
set network virtual-router <name> protocol ospf
set network virtual-router <name> protocol ospf router-id <ip/netmask>
set network virtual-router <name> protocol ospf enable <yes|no>
set network virtual-router <name> protocol ospf reject-default-route <yes|no>
set network virtual-router <name> protocol ospf allow-redist-default-route <yes|no>
set network virtual-router <name> protocol ospf rfc1583 <yes|no>
set network virtual-router <name> protocol ospf mers
set network virtual-router <name> protocol ospf mers spf-calculaon-delay <float>
set network virtual-router <name> protocol ospf mers lsa-interval <float>
set network virtual-router <name> protocol ospf auth-profile
set network virtual-router <name> protocol ospf auth-profile <name>
set network virtual-router <name> protocol ospf auth-profile <name>
set network virtual-router <name> protocol ospf auth-profile <name> password <value>
set network virtual-router <name> protocol ospf auth-profile <name> md5
set network virtual-router <name> protocol ospf auth-profile <name> md5 <name>
set network virtual-router <name> protocol ospf auth-profile <name> md5 <name> key <value>
set network virtual-router <name> protocol ospf auth-profile <name> md5 <name> preferred
<yes|no>
set network virtual-router <name> protocol ospf global-bfd
set network virtual-router <name> protocol ospf global-bfd profile <value>|<None>
set network virtual-router <name> protocol ospf area
set network virtual-router <name> protocol ospf area <name>
set network virtual-router <name> protocol ospf area <name> type
set network virtual-router <name> protocol ospf area <name> type normal
set network virtual-router <name> protocol ospf area <name> type stub

PAN-OS CLI Quick Start Version Version 10.1 497 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol ospf area <name> type stub accept-summary <yes|
no>
set network virtual-router <name> protocol ospf area <name> type stub default-route
set network virtual-router <name> protocol ospf area <name> type stub default-route disable
set network virtual-router <name> protocol ospf area <name> type stub default-route adverse
set network virtual-router <name> protocol ospf area <name> type stub default-route adverse
metric <1-255>
set network virtual-router <name> protocol ospf area <name> type nssa
set network virtual-router <name> protocol ospf area <name> type nssa accept-summary <yes|
no>
set network virtual-router <name> protocol ospf area <name> type nssa default-route
set network virtual-router <name> protocol ospf area <name> type nssa default-route disable
set network virtual-router <name> protocol ospf area <name> type nssa default-route adverse
set network virtual-router <name> protocol ospf area <name> type nssa default-route adverse
metric <1-255>
set network virtual-router <name> protocol ospf area <name> type nssa default-route adverse
type <ext-1|ext-2>
set network virtual-router <name> protocol ospf area <name> type nssa nssa-ext-range
set network virtual-router <name> protocol ospf area <name> type nssa nssa-ext-range <name>
set network virtual-router <name> protocol ospf area <name> type nssa nssa-ext-range <name>
set network virtual-router <name> protocol ospf area <name> type nssa nssa-ext-range <name>
adverse
set network virtual-router <name> protocol ospf area <name> type nssa nssa-ext-range <name>
suppress
set network virtual-router <name> protocol ospf area <name> range
set network virtual-router <name> protocol ospf area <name> range <name>
set network virtual-router <name> protocol ospf area <name> range <name>
set network virtual-router <name> protocol ospf area <name> range <name> adverse
set network virtual-router <name> protocol ospf area <name> range <name> suppress
set network virtual-router <name> protocol ospf area <name> interface
set network virtual-router <name> protocol ospf area <name> interface <name>
set network virtual-router <name> protocol ospf area <name> interface <name> enable <yes|no>
set network virtual-router <name> protocol ospf area <name> interface <name> passive <yes|no>
set network virtual-router <name> protocol ospf area <name> interface <name> link-type
set network virtual-router <name> protocol ospf area <name> interface <name> link-type
broadcast

PAN-OS CLI Quick Start Version Version 10.1 498 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol ospf area <name> interface <name> link-type p2p
set network virtual-router <name> protocol ospf area <name> interface <name> link-type p2mp
set network virtual-router <name> protocol ospf area <name> interface <name> metric
<1-65535>
set network virtual-router <name> protocol ospf area <name> interface <name> priority <0-255>
set network virtual-router <name> protocol ospf area <name> interface <name> hello-interval
<0-3600>
set network virtual-router <name> protocol ospf area <name> interface <name> dead-counts
<3-20>
set network virtual-router <name> protocol ospf area <name> interface <name> retransmit-
interval <1-3600>
set network virtual-router <name> protocol ospf area <name> interface <name> transit-delay
<1-3600>
set network virtual-router <name> protocol ospf area <name> interface <name> authencaon
<value>
set network virtual-router <name> protocol ospf area <name> interface <name> gr-delay <1-10>
set network virtual-router <name> protocol ospf area <name> interface <name> neighbor
set network virtual-router <name> protocol ospf area <name> interface <name> neighbor
<name>
set network virtual-router <name> protocol ospf area <name> interface <name> bfd
set network virtual-router <name> protocol ospf area <name> interface <name> bfd profile
<value>|<None|Inherit-vr-global-seng>
set network virtual-router <name> protocol ospf area <name> virtual-link
set network virtual-router <name> protocol ospf area <name> virtual-link <name>
set network virtual-router <name> protocol ospf area <name> virtual-link <name> neighbor-id
<ip/netmask>
set network virtual-router <name> protocol ospf area <name> virtual-link <name> transit-area-id
<value>
set network virtual-router <name> protocol ospf area <name> virtual-link <name> enable <yes|
no>
set network virtual-router <name> protocol ospf area <name> virtual-link <name> hello-interval
<0-3600>
set network virtual-router <name> protocol ospf area <name> virtual-link <name> dead-counts
<3-20>
set network virtual-router <name> protocol ospf area <name> virtual-link <name> retransmit-
interval <1-3600>
set network virtual-router <name> protocol ospf area <name> virtual-link <name> transit-delay
<1-3600>

PAN-OS CLI Quick Start Version Version 10.1 499 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol ospf area <name> virtual-link <name> authencaon
<value>
set network virtual-router <name> protocol ospf area <name> virtual-link <name> bfd
set network virtual-router <name> protocol ospf area <name> virtual-link <name> bfd profile
<value>|<None|Inherit-vr-global-seng>
set network virtual-router <name> protocol ospf export-rules
set network virtual-router <name> protocol ospf export-rules <name>
set network virtual-router <name> protocol ospf export-rules <name> new-path-type <ext-1|
ext-2>
set network virtual-router <name> protocol ospf export-rules <name> new-tag <1-4294967295>|
<ip/netmask>
set network virtual-router <name> protocol ospf export-rules <name> metric <1-65535>
set network virtual-router <name> protocol ospf graceful-restart
set network virtual-router <name> protocol ospf graceful-restart enable <yes|no>
set network virtual-router <name> protocol ospf graceful-restart grace-period <5-1800>
set network virtual-router <name> protocol ospf graceful-restart helper-enable <yes|no>
set network virtual-router <name> protocol ospf graceful-restart strict-LSA-checking <yes|no>
set network virtual-router <name> protocol ospf graceful-restart max-neighbor-restart-me
<5-1800>
set network virtual-router <name> protocol ospfv3
set network virtual-router <name> protocol ospfv3 router-id <ip/netmask>
set network virtual-router <name> protocol ospfv3 enable <yes|no>
set network virtual-router <name> protocol ospfv3 reject-default-route <yes|no>
set network virtual-router <name> protocol ospfv3 allow-redist-default-route <yes|no>
set network virtual-router <name> protocol ospfv3 disable-transit-traffic <yes|no>
set network virtual-router <name> protocol ospfv3 mers
set network virtual-router <name> protocol ospfv3 mers spf-calculaon-delay <float>
set network virtual-router <name> protocol ospfv3 mers lsa-interval <float>
set network virtual-router <name> protocol ospfv3 auth-profile
set network virtual-router <name> protocol ospfv3 auth-profile <name>
set network virtual-router <name> protocol ospfv3 auth-profile <name> spi <value>
set network virtual-router <name> protocol ospfv3 auth-profile <name>
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon

PAN-OS CLI Quick Start Version Version 10.1 500 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon md5
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon md5
key <value>
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon sha1
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon sha1
key <value>
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
sha256
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
sha256 key <value>
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
sha384
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
sha384 key <value>
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
sha512
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon
sha512 key <value>
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp authencaon none
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp encrypon
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp encrypon algorithm
<3des|aes-128-cbc|aes-192-cbc|aes-256-cbc|null>
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp encrypon key
<value>
set network virtual-router <name> protocol ospfv3 auth-profile <name> ah
set network virtual-router <name> protocol ospfv3 auth-profile <name> ah
set network virtual-router <name> protocol ospfv3 auth-profile <name> ah md5
set network virtual-router <name> protocol ospfv3 auth-profile <name> ah md5 key <value>
set network virtual-router <name> protocol ospfv3 auth-profile <name> ah sha1
set network virtual-router <name> protocol ospfv3 auth-profile <name> ah sha1 key <value>
set network virtual-router <name> protocol ospfv3 auth-profile <name> ah sha256
set network virtual-router <name> protocol ospfv3 auth-profile <name> ah sha256 key <value>
set network virtual-router <name> protocol ospfv3 auth-profile <name> ah sha384
set network virtual-router <name> protocol ospfv3 auth-profile <name> ah sha384 key <value>
set network virtual-router <name> protocol ospfv3 auth-profile <name> ah sha512
set network virtual-router <name> protocol ospfv3 auth-profile <name> ah sha512 key <value>
set network virtual-router <name> protocol ospfv3 global-bfd

PAN-OS CLI Quick Start Version Version 10.1 501 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol ospfv3 global-bfd profile <value>|<None>

set network virtual-router <name> protocol ospfv3 area
set network virtual-router <name> protocol ospfv3 area <name>
set network virtual-router <name> protocol ospfv3 area <name> authencaon <value>
set network virtual-router <name> protocol ospfv3 area <name> type
set network virtual-router <name> protocol ospfv3 area <name> type normal
set network virtual-router <name> protocol ospfv3 area <name> type stub
set network virtual-router <name> protocol ospfv3 area <name> type stub accept-summary <yes|
no>
set network virtual-router <name> protocol ospfv3 area <name> type stub default-route
set network virtual-router <name> protocol ospfv3 area <name> type stub default-route disable
set network virtual-router <name> protocol ospfv3 area <name> type stub default-route adverse
set network virtual-router <name> protocol ospfv3 area <name> type stub default-route adverse
metric <1-16777215>
set network virtual-router <name> protocol ospfv3 area <name> type nssa
set network virtual-router <name> protocol ospfv3 area <name> type nssa accept-summary <yes|
no>
set network virtual-router <name> protocol ospfv3 area <name> type nssa default-route
set network virtual-router <name> protocol ospfv3 area <name> type nssa default-route disable
set network virtual-router <name> protocol ospfv3 area <name> type nssa default-route adverse
set network virtual-router <name> protocol ospfv3 area <name> type nssa default-route adverse
metric <1-16777215>
set network virtual-router <name> protocol ospfv3 area <name> type nssa default-route adverse
type <ext-1|ext-2>
set network virtual-router <name> protocol ospfv3 area <name> type nssa nssa-ext-range
set network virtual-router <name> protocol ospfv3 area <name> type nssa nssa-ext-range
<name>
set network virtual-router <name> protocol ospfv3 area <name> type nssa nssa-ext-range
<name>
set network virtual-router <name> protocol ospfv3 area <name> type nssa nssa-ext-range
<name> adverse
set network virtual-router <name> protocol ospfv3 area <name> type nssa nssa-ext-range
<name> suppress
set network virtual-router <name> protocol ospfv3 area <name> range
set network virtual-router <name> protocol ospfv3 area <name> range <name>
set network virtual-router <name> protocol ospfv3 area <name> range <name>

PAN-OS CLI Quick Start Version Version 10.1 502 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol ospfv3 area <name> range <name> adverse
set network virtual-router <name> protocol ospfv3 area <name> range <name> suppress
set network virtual-router <name> protocol ospfv3 area <name> interface
set network virtual-router <name> protocol ospfv3 area <name> interface <name>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> enable <yes|
no>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> instance-id
<0-255>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> passive <yes|
no>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> link-type
set network virtual-router <name> protocol ospfv3 area <name> interface <name> link-type
broadcast
set network virtual-router <name> protocol ospfv3 area <name> interface <name> link-type p2p
set network virtual-router <name> protocol ospfv3 area <name> interface <name> link-type
p2mp
set network virtual-router <name> protocol ospfv3 area <name> interface <name> metric
<1-65535>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> priority
<0-255>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> hello-interval
<1-3600>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> dead-counts
<3-20>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> retransmit-
interval <1-1800>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> transit-delay
<1-1800>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> authencaon
<value>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> gr-delay
<1-10>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> neighbor
set network virtual-router <name> protocol ospfv3 area <name> interface <name> neighbor
<name>
set network virtual-router <name> protocol ospfv3 area <name> interface <name> bfd
set network virtual-router <name> protocol ospfv3 area <name> interface <name> bfd profile
<value>|<None|Inherit-vr-global-seng>

PAN-OS CLI Quick Start Version Version 10.1 503 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol ospfv3 area <name> virtual-link

set network virtual-router <name> protocol ospfv3 area <name> virtual-link <name>
set network virtual-router <name> protocol ospfv3 area <name> virtual-link <name> neighbor-id
<ip/netmask>
set network virtual-router <name> protocol ospfv3 area <name> virtual-link <name> transit-area-
id <value>
set network virtual-router <name> protocol ospfv3 area <name> virtual-link <name> enable <yes|
no>
set network virtual-router <name> protocol ospfv3 area <name> virtual-link <name> instance-id
<0-255>
set network virtual-router <name> protocol ospfv3 area <name> virtual-link <name> hello-
interval <1-3600>
set network virtual-router <name> protocol ospfv3 area <name> virtual-link <name> dead-counts
<3-20>
set network virtual-router <name> protocol ospfv3 area <name> virtual-link <name> retransmit-
interval <1-1800>
set network virtual-router <name> protocol ospfv3 area <name> virtual-link <name> transit-delay
<1-1800>
set network virtual-router <name> protocol ospfv3 area <name> virtual-link <name>
authencaon <value>
set network virtual-router <name> protocol ospfv3 area <name> virtual-link <name> bfd
set network virtual-router <name> protocol ospfv3 area <name> virtual-link <name> bfd profile
<value>|<None|Inherit-vr-global-seng>
set network virtual-router <name> protocol ospfv3 export-rules
set network virtual-router <name> protocol ospfv3 export-rules <name>
set network virtual-router <name> protocol ospfv3 export-rules <name> new-path-type <ext-1|
ext-2>
set network virtual-router <name> protocol ospfv3 export-rules <name> new-tag
<1-4294967295>|<ip/netmask>
set network virtual-router <name> protocol ospfv3 export-rules <name> metric <1-16777215>
set network virtual-router <name> protocol ospfv3 graceful-restart
set network virtual-router <name> protocol ospfv3 graceful-restart enable <yes|no>
set network virtual-router <name> protocol ospfv3 graceful-restart grace-period <5-1800>
set network virtual-router <name> protocol ospfv3 graceful-restart helper-enable <yes|no>
set network virtual-router <name> protocol ospfv3 graceful-restart strict-LSA-checking <yes|no>
set network virtual-router <name> protocol ospfv3 graceful-restart max-neighbor-restart-me
<5-1800>
set network virtual-router <name> protocol bgp

PAN-OS CLI Quick Start Version Version 10.1 504 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp enable <yes|no>

set network virtual-router <name> protocol bgp router-id <ip/netmask>
set network virtual-router <name> protocol bgp local-as <1-4294967295>|<value>
set network virtual-router <name> protocol bgp reject-default-route <yes|no>
set network virtual-router <name> protocol bgp allow-redist-default-route <yes|no>
set network virtual-router <name> protocol bgp install-route <yes|no>
set network virtual-router <name> protocol bgp ecmp-mul-as <yes|no>
set network virtual-router <name> protocol bgp enforce-first-as <yes|no>
set network virtual-router <name> protocol bgp roung-opons
set network virtual-router <name> protocol bgp roung-opons as-format <2-byte|4-byte>
set network virtual-router <name> protocol bgp roung-opons med
set network virtual-router <name> protocol bgp roung-opons med always-compare-med <yes|
no>
set network virtual-router <name> protocol bgp roung-opons med determinisc-med-
comparison <yes|no>
set network virtual-router <name> protocol bgp roung-opons default-local-preference
<0-4294967295>
set network virtual-router <name> protocol bgp roung-opons graceful-restart
set network virtual-router <name> protocol bgp roung-opons graceful-restart enable <yes|no>
set network virtual-router <name> protocol bgp roung-opons graceful-restart stale-route-me
<1-3600>
set network virtual-router <name> protocol bgp roung-opons graceful-restart local-restart-me
<1-3600>
set network virtual-router <name> protocol bgp roung-opons graceful-restart max-peer-
restart-me <1-3600>
set network virtual-router <name> protocol bgp roung-opons reflector-cluster-id <ip/netmask>
set network virtual-router <name> protocol bgp roung-opons confederaon-member-as
<1-4294967295>|<value>
set network virtual-router <name> protocol bgp roung-opons aggregate
set network virtual-router <name> protocol bgp roung-opons aggregate aggregate-med <yes|
no>
set network virtual-router <name> protocol bgp auth-profile
set network virtual-router <name> protocol bgp auth-profile <name>
set network virtual-router <name> protocol bgp auth-profile <name> secret <value>
set network virtual-router <name> protocol bgp dampening-profile
set network virtual-router <name> protocol bgp dampening-profile <name>

PAN-OS CLI Quick Start Version Version 10.1 505 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp dampening-profile <name> enable <yes|no>
set network virtual-router <name> protocol bgp dampening-profile <name> cutoff <float>
set network virtual-router <name> protocol bgp dampening-profile <name> reuse <float>
set network virtual-router <name> protocol bgp dampening-profile <name> max-hold-me
<1-3600>
set network virtual-router <name> protocol bgp dampening-profile <name> decay-half-life-
reachable <1-3600>
set network virtual-router <name> protocol bgp dampening-profile <name> decay-half-life-
unreachable <1-3600>
set network virtual-router <name> protocol bgp global-bfd
set network virtual-router <name> protocol bgp global-bfd profile <value>|<None>
set network virtual-router <name> protocol bgp peer-group
set network virtual-router <name> protocol bgp peer-group <name>
set network virtual-router <name> protocol bgp peer-group <name> enable <yes|no>
set network virtual-router <name> protocol bgp peer-group <name> aggregated-confed-as-path
<yes|no>
set network virtual-router <name> protocol bgp peer-group <name> so-reset-with-stored-info
<yes|no>
set network virtual-router <name> protocol bgp peer-group <name> type
set network virtual-router <name> protocol bgp peer-group <name> type ibgp
set network virtual-router <name> protocol bgp peer-group <name> type ibgp export-nexthop
<original|use-self>
set network virtual-router <name> protocol bgp peer-group <name> type ebgp-confed
set network virtual-router <name> protocol bgp peer-group <name> type ebgp-confed export-
nexthop <original|use-self>
set network virtual-router <name> protocol bgp peer-group <name> type ibgp-confed
set network virtual-router <name> protocol bgp peer-group <name> type ibgp-confed export-
nexthop <original|use-self>
set network virtual-router <name> protocol bgp peer-group <name> type ebgp
set network virtual-router <name> protocol bgp peer-group <name> type ebgp import-nexthop
<original|use-peer>
set network virtual-router <name> protocol bgp peer-group <name> type ebgp export-nexthop
<resolve|use-self>
set network virtual-router <name> protocol bgp peer-group <name> type ebgp remove-private-as
<yes|no>
set network virtual-router <name> protocol bgp peer-group <name> peer
set network virtual-router <name> protocol bgp peer-group <name> peer <name>

PAN-OS CLI Quick Start Version Version 10.1 506 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp peer-group <name> peer <name> enable <yes|
no>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> peer-as
<1-4294967295>|<value>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> enable-mp-bgp
<yes|no>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> address-family-
idenfier <ipv4|ipv6>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> subsequent-
address-family-idenfier
set network virtual-router <name> protocol bgp peer-group <name> peer <name> subsequent-
address-family-idenfier unicast <yes|no>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> subsequent-
address-family-idenfier mulcast <yes|no>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> local-address
set network virtual-router <name> protocol bgp peer-group <name> peer <name> local-address
interface <value>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> local-address ip
<value>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> peer-address
set network virtual-router <name> protocol bgp peer-group <name> peer <name> peer-address
set network virtual-router <name> protocol bgp peer-group <name> peer <name> peer-address ip
<value>|<ip/netmask>|<validate>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> peer-address
fqdn <value>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons authencaon <value>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons keep-alive-interval <1-1200>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons min-route-adv-interval <1-600>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons mulhop <0-255>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons open-delay-me <0-240>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons hold-me <3-3600>

PAN-OS CLI Quick Start Version Version 10.1 507 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons idle-hold-me <1-3600>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons incoming-bgp-connecon
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons incoming-bgp-connecon remote-port <0-65535>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons incoming-bgp-connecon allow <yes|no>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons outgoing-bgp-connecon
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons outgoing-bgp-connecon local-port <0-65535>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> connecon-
opons outgoing-bgp-connecon allow <yes|no>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> enable-sender-
side-loop-detecon <yes|no>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> reflector-client
<non-client|client|meshed-client>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> peering-type
<bilateral|unspecified>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> max-prefixes
<1-100000>|<unlimited>
set network virtual-router <name> protocol bgp peer-group <name> peer <name> bfd
set network virtual-router <name> protocol bgp peer-group <name> peer <name> bfd profile
<value>|<None|Inherit-vr-global-seng>
set network virtual-router <name> protocol bgp policy
set network virtual-router <name> protocol bgp policy import
set network virtual-router <name> protocol bgp policy import rules
set network virtual-router <name> protocol bgp policy import rules <name>
set network virtual-router <name> protocol bgp policy import rules <name> enable <yes|no>
set network virtual-router <name> protocol bgp policy import rules <name> used-by [ <used-by1>
<used-by2>... ]
set network virtual-router <name> protocol bgp policy import rules <name> match
set network virtual-router <name> protocol bgp policy import rules <name> match route-table
<unicast|mulcast|both>
set network virtual-router <name> protocol bgp policy import rules <name> match address-prefix
set network virtual-router <name> protocol bgp policy import rules <name> match address-prefix
<name>

PAN-OS CLI Quick Start Version Version 10.1 508 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp policy import rules <name> match address-prefix
<name> exact <yes|no>
set network virtual-router <name> protocol bgp policy import rules <name> match nexthop
[ <nexthop1> <nexthop2>... ]
set network virtual-router <name> protocol bgp policy import rules <name> match from-peer
[ <from-peer1> <from-peer2>... ]
set network virtual-router <name> protocol bgp policy import rules <name> match med
<0-4294967295>
set network virtual-router <name> protocol bgp policy import rules <name> match as-path
set network virtual-router <name> protocol bgp policy import rules <name> match as-path
set network virtual-router <name> protocol bgp policy import rules <name> match as-path regex
<value>
set network virtual-router <name> protocol bgp policy import rules <name> match community
set network virtual-router <name> protocol bgp policy import rules <name> match community
set network virtual-router <name> protocol bgp policy import rules <name> match community
regex <value>
set network virtual-router <name> protocol bgp policy import rules <name> match extended-
community
set network virtual-router <name> protocol bgp policy import rules <name> match extended-
community
set network virtual-router <name> protocol bgp policy import rules <name> match extended-
community regex <value>
set network virtual-router <name> protocol bgp policy import rules <name> acon
set network virtual-router <name> protocol bgp policy import rules <name> acon
set network virtual-router <name> protocol bgp policy import rules <name> acon deny
set network virtual-router <name> protocol bgp policy import rules <name> acon allow
set network virtual-router <name> protocol bgp policy import rules <name> acon allow
dampening <value>
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
local-preference <0-4294967295>
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
med <0-4294967295>
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
weight <0-65535>
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
nexthop <ip/netmask>

PAN-OS CLI Quick Start Version Version 10.1 509 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
origin <igp|egp|incomplete>
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
as-path-limit <1-255>
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
as-path
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
as-path
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
as-path none
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
as-path remove
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
community
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
community
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
community none
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
community remove-all
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
community remove-regex <value>
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
community append [ <append1> <append2>... ]
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
community overwrite [ <overwrite1> <overwrite2>... ]
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
extended-community
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
extended-community
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
extended-community none
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
extended-community remove-all
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
extended-community remove-regex <value>
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
extended-community append [ <append1> <append2>... ]
set network virtual-router <name> protocol bgp policy import rules <name> acon allow update
extended-community overwrite [ <overwrite1> <overwrite2>... ]

PAN-OS CLI Quick Start Version Version 10.1 510 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp policy export

set network virtual-router <name> protocol bgp policy export rules
set network virtual-router <name> protocol bgp policy export rules <name>
set network virtual-router <name> protocol bgp policy export rules <name> enable <yes|no>
set network virtual-router <name> protocol bgp policy export rules <name> used-by [ <used-by1>
<used-by2>... ]
set network virtual-router <name> protocol bgp policy export rules <name> match
set network virtual-router <name> protocol bgp policy export rules <name> match route-table
<unicast|mulcast|both>
set network virtual-router <name> protocol bgp policy export rules <name> match address-prefix
set network virtual-router <name> protocol bgp policy export rules <name> match address-prefix
<name>
set network virtual-router <name> protocol bgp policy export rules <name> match address-prefix
<name> exact <yes|no>
set network virtual-router <name> protocol bgp policy export rules <name> match nexthop
[ <nexthop1> <nexthop2>... ]
set network virtual-router <name> protocol bgp policy export rules <name> match from-peer
[ <from-peer1> <from-peer2>... ]
set network virtual-router <name> protocol bgp policy export rules <name> match med
<0-4294967295>
set network virtual-router <name> protocol bgp policy export rules <name> match as-path
set network virtual-router <name> protocol bgp policy export rules <name> match as-path
set network virtual-router <name> protocol bgp policy export rules <name> match as-path regex
<value>
set network virtual-router <name> protocol bgp policy export rules <name> match community
set network virtual-router <name> protocol bgp policy export rules <name> match community
set network virtual-router <name> protocol bgp policy export rules <name> match community
regex <value>
set network virtual-router <name> protocol bgp policy export rules <name> match extended-
community
set network virtual-router <name> protocol bgp policy export rules <name> match extended-
community
set network virtual-router <name> protocol bgp policy export rules <name> match extended-
community regex <value>
set network virtual-router <name> protocol bgp policy export rules <name> acon
set network virtual-router <name> protocol bgp policy export rules <name> acon
set network virtual-router <name> protocol bgp policy export rules <name> acon deny

PAN-OS CLI Quick Start Version Version 10.1 511 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp policy export rules <name> acon allow
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
local-preference <0-4294967295>
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
med <0-4294967295>
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
nexthop <ip/netmask>
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
origin <igp|egp|incomplete>
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
as-path-limit <1-255>
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
as-path
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
as-path
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
as-path none
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
as-path remove
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
as-path prepend <1-255>
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
as-path remove-and-prepend <1-255>
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
community
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
community
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
community none
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
community remove-all
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
community remove-regex <value>
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
community append [ <append1> <append2>... ]
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
community overwrite [ <overwrite1> <overwrite2>... ]
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
extended-community

PAN-OS CLI Quick Start Version Version 10.1 512 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
extended-community
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
extended-community none
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
extended-community remove-all
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
extended-community remove-regex <value>
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
extended-community append [ <append1> <append2>... ]
set network virtual-router <name> protocol bgp policy export rules <name> acon allow update
extended-community overwrite [ <overwrite1> <overwrite2>... ]
set network virtual-router <name> protocol bgp policy condional-adversement
set network virtual-router <name> protocol bgp policy condional-adversement policy
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
enable <yes|no>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
used-by [ <used-by1> <used-by2>... ]
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> enable <yes|no>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match route-table <unicast|mulcast|both>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match address-prefix
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match address-prefix <name>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match nexthop [ <nexthop1> <nexthop2>... ]
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match from-peer [ <from-peer1> <from-peer2>... ]
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match med <0-4294967295>

PAN-OS CLI Quick Start Version Version 10.1 513 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match as-path
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match as-path
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match as-path regex <value>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match community
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match community
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match community regex <value>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match extended-community
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match extended-community
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
non-exist-filters <name> match extended-community regex <value>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> enable <yes|no>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match route-table <unicast|mulcast|both>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match address-prefix
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match address-prefix <name>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match nexthop [ <nexthop1> <nexthop2>... ]
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match from-peer [ <from-peer1> <from-peer2>... ]
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match med <0-4294967295>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match as-path

PAN-OS CLI Quick Start Version Version 10.1 514 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match as-path
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match as-path regex <value>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match community
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match community
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match community regex <value>
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match extended-community
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match extended-community
set network virtual-router <name> protocol bgp policy condional-adversement policy <name>
adverse-filters <name> match extended-community regex <value>
set network virtual-router <name> protocol bgp policy aggregaon
set network virtual-router <name> protocol bgp policy aggregaon address
set network virtual-router <name> protocol bgp policy aggregaon address <name>
set network virtual-router <name> protocol bgp policy aggregaon address <name> prefix <ip/
netmask>
set network virtual-router <name> protocol bgp policy aggregaon address <name> enable <yes|
no>
set network virtual-router <name> protocol bgp policy aggregaon address <name> summary
<yes|no>
set network virtual-router <name> protocol bgp policy aggregaon address <name> as-set <yes|
no>
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes local-preference <0-4294967295>
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes med <0-4294967295>
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes weight <0-65535>
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes nexthop <ip/netmask>
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes origin <igp|egp|incomplete>

PAN-OS CLI Quick Start Version Version 10.1 515 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes as-path-limit <1-255>
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes as-path
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes as-path
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes as-path none
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes as-path prepend <1-255>
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes community
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes community
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes community none
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes community remove-all
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes community remove-regex <value>
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes community append [ <append1> <append2>... ]
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes community overwrite [ <overwrite1> <overwrite2>... ]
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes extended-community
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes extended-community
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes extended-community none
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes extended-community remove-all
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes extended-community remove-regex <value>
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes extended-community append [ <append1> <append2>... ]
set network virtual-router <name> protocol bgp policy aggregaon address <name> aggregate-
route-aributes extended-community overwrite [ <overwrite1> <overwrite2>... ]
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters

PAN-OS CLI Quick Start Version Version 10.1 516 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name>
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> enable <yes|no>
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match route-table <unicast|mulcast|both>
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match address-prefix
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match address-prefix <name>
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match address-prefix <name> exact <yes|no>
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match nexthop [ <nexthop1> <nexthop2>... ]
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match from-peer [ <from-peer1> <from-peer2>... ]
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match med <0-4294967295>
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match as-path
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match as-path
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match as-path regex <value>
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match community
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match community
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match community regex <value>
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match extended-community
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match extended-community
set network virtual-router <name> protocol bgp policy aggregaon address <name> suppress-
filters <name> match extended-community regex <value>
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters

PAN-OS CLI Quick Start Version Version 10.1 517 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name>
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> enable <yes|no>
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match route-table <unicast|mulcast|both>
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match address-prefix
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match address-prefix <name>
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match address-prefix <name> exact <yes|no>
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match nexthop [ <nexthop1> <nexthop2>... ]
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match from-peer [ <from-peer1> <from-peer2>... ]
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match med <0-4294967295>
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match as-path
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match as-path
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match as-path regex <value>
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match community
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match community
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match community regex <value>
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match extended-community
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match extended-community
set network virtual-router <name> protocol bgp policy aggregaon address <name> adverse-
filters <name> match extended-community regex <value>
set network virtual-router <name> protocol bgp redist-rules
set network virtual-router <name> protocol bgp redist-rules <name>

PAN-OS CLI Quick Start Version Version 10.1 518 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> protocol bgp redist-rules <name> address-family-idenfier

<ipv4|ipv6>
set network virtual-router <name> protocol bgp redist-rules <name> route-table <unicast|
mulcast|both>
set network virtual-router <name> protocol bgp redist-rules <name> enable <yes|no>
set network virtual-router <name> protocol bgp redist-rules <name> set-origin <igp|egp|
incomplete>
set network virtual-router <name> protocol bgp redist-rules <name> set-med <0-4294967295>
set network virtual-router <name> protocol bgp redist-rules <name> set-local-preference
<0-4294967295>
set network virtual-router <name> protocol bgp redist-rules <name> set-as-path-limit <1-255>
set network virtual-router <name> protocol bgp redist-rules <name> set-community [ <set-
community1> <set-community2>... ]
set network virtual-router <name> protocol bgp redist-rules <name> set-extended-community
[ <set-extended-community1> <set-extended-community2>... ]
set network virtual-router <name> protocol bgp redist-rules <name> metric <1-65535>
set network virtual-router <name> admin-dists
set network virtual-router <name> admin-dists stac <10-240>
set network virtual-router <name> admin-dists stac-ipv6 <10-240>
set network virtual-router <name> admin-dists ospf-int <10-240>
set network virtual-router <name> admin-dists ospf-ext <10-240>
set network virtual-router <name> admin-dists ospfv3-int <10-240>
set network virtual-router <name> admin-dists ospfv3-ext <10-240>
set network virtual-router <name> admin-dists ibgp <10-240>
set network virtual-router <name> admin-dists ebgp <10-240>
set network virtual-router <name> admin-dists rip <10-240>
set network virtual-router <name> ecmp
set network virtual-router <name> ecmp enable <yes|no>
set network virtual-router <name> ecmp algorithm
set network virtual-router <name> ecmp algorithm
set network virtual-router <name> ecmp algorithm ip-modulo
set network virtual-router <name> ecmp algorithm ip-hash
set network virtual-router <name> ecmp algorithm ip-hash src-only <yes|no>
set network virtual-router <name> ecmp algorithm ip-hash use-port <yes|no>
set network virtual-router <name> ecmp algorithm ip-hash hash-seed <0-4294967295>

PAN-OS CLI Quick Start Version Version 10.1 519 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network virtual-router <name> ecmp algorithm weighted-round-robin

set network virtual-router <name> ecmp algorithm weighted-round-robin interface
set network virtual-router <name> ecmp algorithm weighted-round-robin interface <name>
set network virtual-router <name> ecmp algorithm weighted-round-robin interface <name>
weight <1-255>
set network virtual-router <name> ecmp algorithm balanced-round-robin
set network virtual-router <name> ecmp max-path <2-4>
set network virtual-router <name> ecmp symmetric-return <yes|no>
set network virtual-router <name> ecmp strict-source-path <yes|no>
set network logical-router
set network logical-router <name>
set network logical-router <name> vrf
set network logical-router <name> vrf <name>
set network logical-router <name> vrf <name> interface [ <interface1> <interface2>... ]
set network logical-router <name> vrf <name> bgp
set network logical-router <name> vrf <name> bgp enable <yes|no>
set network logical-router <name> vrf <name> bgp router-id <ip/netmask>
set network logical-router <name> vrf <name> bgp enforce-first-as <yes|no>
set network logical-router <name> vrf <name> bgp fast-external-failover <yes|no>
set network logical-router <name> vrf <name> bgp ecmp-mul-as <yes|no>
set network logical-router <name> vrf <name> bgp local-as <1-4294967295>
set network logical-router <name> vrf <name> bgp med
set network logical-router <name> vrf <name> bgp med always-compare-med <yes|no>
set network logical-router <name> vrf <name> bgp med determinisc-med-comparison <yes|no>
set network logical-router <name> vrf <name> bgp default-local-preference <0-4294967295>
set network logical-router <name> vrf <name> bgp graceful-restart
set network logical-router <name> vrf <name> bgp graceful-restart enable <yes|no>
set network logical-router <name> vrf <name> bgp graceful-restart stale-route-me <1-3600>
set network logical-router <name> vrf <name> bgp graceful-restart max-peer-restart-me
<1-3600>
set network logical-router <name> vrf <name> bgp peer-group
set network logical-router <name> vrf <name> bgp peer-group <name>
set network logical-router <name> vrf <name> bgp peer-group <name> enable <yes|no>
set network logical-router <name> vrf <name> bgp peer-group <name> type

PAN-OS CLI Quick Start Version Version 10.1 520 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network logical-router <name> vrf <name> bgp peer-group <name> type ibgp
set network logical-router <name> vrf <name> bgp peer-group <name> type ebgp
set network logical-router <name> vrf <name> bgp peer-group <name> address-family
set network logical-router <name> vrf <name> bgp peer-group <name> address-family ipv4
set network logical-router <name> vrf <name> bgp peer-group <name> address-family ipv4
unicast <value>
set network logical-router <name> vrf <name> bgp peer-group <name> address-family ipv6
set network logical-router <name> vrf <name> bgp peer-group <name> address-family ipv6
unicast <value>
set network logical-router <name> vrf <name> bgp peer-group <name> connecon-opons
set network logical-router <name> vrf <name> bgp peer-group <name> connecon-opons
mers <value>
set network logical-router <name> vrf <name> bgp peer-group <name> connecon-opons
mulhop <0-255>
set network logical-router <name> vrf <name> bgp peer-group <name> connecon-opons
authencaon <value>
set network logical-router <name> vrf <name> bgp peer-group <name> peer
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name>
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> enable
<yes|no>
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> peer-as
<1-4294967295>
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> enable-
sender-side-loop-detecon <yes|no>
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> address-
family
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> address-
family inherit <yes|no>
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> address-
family ipv4
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> address-
family ipv4 unicast <value>
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> address-
family ipv6
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> address-
family ipv6 unicast <value>
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> local-
address

PAN-OS CLI Quick Start Version Version 10.1 521 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> local-
address interface <value>
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> local-
address ip <value>
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> peer-
address
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> peer-
address
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> peer-
address ip <value>|<ip/netmask>|<validate>
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> connecon-
opons
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> connecon-
opons mers <value>|<inherit>
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> connecon-
opons mulhop <0-255>|<inherit>
set network logical-router <name> vrf <name> bgp peer-group <name> peer <name> connecon-
opons authencaon <value>|<inherit>
set network logical-router <name> vrf <name> bgp redistribuon-rule
set network logical-router <name> vrf <name> bgp redistribuon-rule ipv4
set network logical-router <name> vrf <name> bgp redistribuon-rule ipv4 unicast <value>
set network logical-router <name> vrf <name> bgp redistribuon-rule ipv6
set network logical-router <name> vrf <name> bgp redistribuon-rule ipv6 unicast <value>
set network logical-router <name> vrf <name> bgp address-family-idenfier
set network logical-router <name> vrf <name> bgp address-family-idenfier ipv4
set network logical-router <name> vrf <name> bgp address-family-idenfier ipv4 network
set network logical-router <name> vrf <name> bgp address-family-idenfier ipv4 network
<name>
set network logical-router <name> vrf <name> bgp address-family-idenfier ipv4 network
<name> unicast <yes|no>
set network logical-router <name> vrf <name> bgp address-family-idenfier ipv6
set network logical-router <name> vrf <name> bgp address-family-idenfier ipv6 network
set network logical-router <name> vrf <name> bgp address-family-idenfier ipv6 network
<name>
set network logical-router <name> vrf <name> bgp address-family-idenfier ipv6 network
<name> unicast <yes|no>
set network logical-router <name> vrf <name> roung-table
set network logical-router <name> vrf <name> roung-table ip

PAN-OS CLI Quick Start Version Version 10.1 522 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network logical-router <name> vrf <name> roung-table ip stac-route

set network logical-router <name> vrf <name> roung-table ip stac-route <name>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> desnaon
<value>|<ip/netmask>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> interface
<value>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> nexthop
set network logical-router <name> vrf <name> roung-table ip stac-route <name> nexthop
discard
set network logical-router <name> vrf <name> roung-table ip stac-route <name> nexthop ip-
address <value>|<ip/netmask>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> admin-dist
<10-240>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> metric
<1-65535>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> path-monitor
set network logical-router <name> vrf <name> roung-table ip stac-route <name> path-monitor
enable <yes|no>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> path-monitor
failure-condion <any|all>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> path-monitor
hold-me <0-1440>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> path-monitor
monitor-desnaons
set network logical-router <name> vrf <name> roung-table ip stac-route <name> path-monitor
monitor-desnaons <name>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> path-monitor
monitor-desnaons <name> enable <yes|no>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> path-monitor
monitor-desnaons <name> source <value>|<DHCP|PPPOE>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> path-monitor
monitor-desnaons <name> desnaon <value>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> path-monitor
monitor-desnaons <name> interval <1-60>
set network logical-router <name> vrf <name> roung-table ip stac-route <name> path-monitor
monitor-desnaons <name> count <3-10>
set network logical-router <name> vrf <name> roung-table ipv6
set network logical-router <name> vrf <name> roung-table ipv6 stac-route
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name>

PAN-OS CLI Quick Start Version Version 10.1 523 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> desnaon
<value>|<ip/netmask>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> interface
<value>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> nexthop
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> nexthop
discard
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> nexthop
ipv6-address <value>|<ip/netmask>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> admin-dist
<10-240>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> metric
<1-65535>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor enable <yes|no>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor failure-condion <any|all>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor hold-me <0-1440>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor monitor-desnaons
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor monitor-desnaons <name>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor monitor-desnaons <name> enable <yes|no>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor monitor-desnaons <name> source <value>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor monitor-desnaons <name> desnaon <value>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor monitor-desnaons <name> interval <1-60>
set network logical-router <name> vrf <name> roung-table ipv6 stac-route <name> path-
monitor monitor-desnaons <name> count <3-10>
set network logical-router <name> vrf <name> ecmp
set network logical-router <name> vrf <name> ecmp enable <yes|no>
set network logical-router <name> vrf <name> ecmp algorithm
set network logical-router <name> vrf <name> ecmp algorithm

PAN-OS CLI Quick Start Version Version 10.1 524 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network logical-router <name> vrf <name> ecmp algorithm ip-modulo

set network logical-router <name> vrf <name> ecmp algorithm ip-hash
set network logical-router <name> vrf <name> ecmp algorithm ip-hash src-only <yes|no>
set network logical-router <name> vrf <name> ecmp algorithm ip-hash use-port <yes|no>
set network logical-router <name> vrf <name> ecmp algorithm ip-hash hash-seed
<0-4294967295>
set network logical-router <name> vrf <name> ecmp algorithm weighted-round-robin
set network logical-router <name> vrf <name> ecmp algorithm weighted-round-robin interface
set network logical-router <name> vrf <name> ecmp algorithm weighted-round-robin interface
<name>
set network logical-router <name> vrf <name> ecmp algorithm weighted-round-robin interface
<name> weight <1-255>
set network logical-router <name> vrf <name> ecmp algorithm balanced-round-robin
set network logical-router <name> vrf <name> ecmp max-path <2-4>
set network logical-router <name> vrf <name> ecmp symmetric-return <yes|no>
set network logical-router <name> vrf <name> ecmp strict-source-path <yes|no>
set network roung-profile
set network roung-profile bgp
set network roung-profile bgp auth-profile
set network roung-profile bgp auth-profile <name>
set network roung-profile bgp auth-profile <name> secret <value>
set network roung-profile bgp mer-profile
set network roung-profile bgp mer-profile <name>
set network roung-profile bgp mer-profile <name> keep-alive-interval <1-1200>
set network roung-profile bgp mer-profile <name> hold-me <3-3600>
set network roung-profile bgp mer-profile <name> min-route-adv-interval <1-600>
set network roung-profile bgp address-family-profile
set network roung-profile bgp address-family-profile <name>
set network roung-profile bgp address-family-profile <name>
set network roung-profile bgp address-family-profile <name> ipv4
set network roung-profile bgp address-family-profile <name> ipv4
set network roung-profile bgp address-family-profile <name> ipv4 unicast
set network roung-profile bgp address-family-profile <name> ipv4 unicast add-path
set network roung-profile bgp address-family-profile <name> ipv4 unicast add-path tx-all-paths
<yes|no>

PAN-OS CLI Quick Start Version Version 10.1 525 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network roung-profile bgp address-family-profile <name> ipv4 unicast add-path tx-bestpath-
per-AS <yes|no>
set network roung-profile bgp address-family-profile <name> ipv4 unicast allowas-in
set network roung-profile bgp address-family-profile <name> ipv4 unicast allowas-in
set network roung-profile bgp address-family-profile <name> ipv4 unicast allowas-in origin
set network roung-profile bgp address-family-profile <name> ipv4 unicast allowas-in occurrence
<1-10>
set network roung-profile bgp address-family-profile <name> ipv4 unicast as-override <yes|no>
set network roung-profile bgp address-family-profile <name> ipv4 unicast default-originate <yes|
no>
set network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix
set network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix
num_prefixes <1-4294967295>
set network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix
threshold <1-100>
set network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix
acon
set network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix
acon
set network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix
acon warning-only
set network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix
acon restart
set network roung-profile bgp address-family-profile <name> ipv4 unicast maximum-prefix
acon restart interval <1-65535>
set network roung-profile bgp address-family-profile <name> ipv4 unicast next-hop
set network roung-profile bgp address-family-profile <name> ipv4 unicast next-hop
set network roung-profile bgp address-family-profile <name> ipv4 unicast next-hop self
set network roung-profile bgp address-family-profile <name> ipv4 unicast next-hop self-force
set network roung-profile bgp address-family-profile <name> ipv4 unicast remove-private-AS
set network roung-profile bgp address-family-profile <name> ipv4 unicast remove-private-AS
set network roung-profile bgp address-family-profile <name> ipv4 unicast remove-private-AS all
set network roung-profile bgp address-family-profile <name> ipv4 unicast remove-private-AS
replace-AS
set network roung-profile bgp address-family-profile <name> ipv4 unicast route-reflector-client
<yes|no>
set network roung-profile bgp address-family-profile <name> ipv4 unicast send-community

PAN-OS CLI Quick Start Version Version 10.1 526 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network roung-profile bgp address-family-profile <name> ipv4 unicast send-community

set network roung-profile bgp address-family-profile <name> ipv4 unicast send-community all
set network roung-profile bgp address-family-profile <name> ipv4 unicast send-community both
set network roung-profile bgp address-family-profile <name> ipv4 unicast send-community
extended
set network roung-profile bgp address-family-profile <name> ipv4 unicast send-community large
set network roung-profile bgp address-family-profile <name> ipv4 unicast send-community
standard
set network roung-profile bgp address-family-profile <name> ipv6
set network roung-profile bgp address-family-profile <name> ipv6
set network roung-profile bgp address-family-profile <name> ipv6 unicast
set network roung-profile bgp address-family-profile <name> ipv6 unicast add-path
set network roung-profile bgp address-family-profile <name> ipv6 unicast add-path tx-all-paths
<yes|no>
set network roung-profile bgp address-family-profile <name> ipv6 unicast add-path tx-bestpath-
per-AS <yes|no>
set network roung-profile bgp address-family-profile <name> ipv6 unicast allowas-in
set network roung-profile bgp address-family-profile <name> ipv6 unicast allowas-in
set network roung-profile bgp address-family-profile <name> ipv6 unicast allowas-in origin
set network roung-profile bgp address-family-profile <name> ipv6 unicast allowas-in occurrence
<1-10>
set network roung-profile bgp address-family-profile <name> ipv6 unicast as-override <yes|no>
set network roung-profile bgp address-family-profile <name> ipv6 unicast default-originate <yes|
no>
set network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix
set network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix
num_prefixes <1-4294967295>
set network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix
threshold <1-100>
set network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix
acon
set network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix
acon
set network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix
acon warning-only
set network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix
acon restart

PAN-OS CLI Quick Start Version Version 10.1 527 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network roung-profile bgp address-family-profile <name> ipv6 unicast maximum-prefix

acon restart interval <1-65535>
set network roung-profile bgp address-family-profile <name> ipv6 unicast next-hop
set network roung-profile bgp address-family-profile <name> ipv6 unicast next-hop
set network roung-profile bgp address-family-profile <name> ipv6 unicast next-hop self
set network roung-profile bgp address-family-profile <name> ipv6 unicast next-hop self-force
set network roung-profile bgp address-family-profile <name> ipv6 unicast remove-private-AS
set network roung-profile bgp address-family-profile <name> ipv6 unicast remove-private-AS
set network roung-profile bgp address-family-profile <name> ipv6 unicast remove-private-AS all
set network roung-profile bgp address-family-profile <name> ipv6 unicast remove-private-AS
replace-AS
set network roung-profile bgp address-family-profile <name> ipv6 unicast route-reflector-client
<yes|no>
set network roung-profile bgp address-family-profile <name> ipv6 unicast send-community
set network roung-profile bgp address-family-profile <name> ipv6 unicast send-community
set network roung-profile bgp address-family-profile <name> ipv6 unicast send-community all
set network roung-profile bgp address-family-profile <name> ipv6 unicast send-community both
set network roung-profile bgp address-family-profile <name> ipv6 unicast send-community
extended
set network roung-profile bgp address-family-profile <name> ipv6 unicast send-community large
set network roung-profile bgp address-family-profile <name> ipv6 unicast send-community
standard
set network roung-profile bgp redistribuon-profile
set network roung-profile bgp redistribuon-profile <name>
set network roung-profile bgp redistribuon-profile <name>
set network roung-profile bgp redistribuon-profile <name> ipv4
set network roung-profile bgp redistribuon-profile <name> ipv4
set network roung-profile bgp redistribuon-profile <name> ipv4 unicast
set network roung-profile bgp redistribuon-profile <name> ipv4 unicast stac
set network roung-profile bgp redistribuon-profile <name> ipv4 unicast stac enable <yes|no>
set network roung-profile bgp redistribuon-profile <name> ipv4 unicast stac metric
<1-65535>
set network roung-profile bgp redistribuon-profile <name> ipv4 unicast connected
set network roung-profile bgp redistribuon-profile <name> ipv4 unicast connected enable <yes|
no>

PAN-OS CLI Quick Start Version Version 10.1 528 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network roung-profile bgp redistribuon-profile <name> ipv4 unicast connected metric
<1-65535>
set network roung-profile bgp redistribuon-profile <name> ipv6
set network roung-profile bgp redistribuon-profile <name> ipv6
set network roung-profile bgp redistribuon-profile <name> ipv6 unicast
set network roung-profile bgp redistribuon-profile <name> ipv6 unicast stac
set network roung-profile bgp redistribuon-profile <name> ipv6 unicast stac enable <yes|no>
set network roung-profile bgp redistribuon-profile <name> ipv6 unicast stac metric
<1-65535>
set network roung-profile bgp redistribuon-profile <name> ipv6 unicast connected
set network roung-profile bgp redistribuon-profile <name> ipv6 unicast connected enable <yes|
no>
set network roung-profile bgp redistribuon-profile <name> ipv6 unicast connected metric
<1-65535>
set network dns-proxy
set network dns-proxy <name>
set network dns-proxy <name> enabled <yes|no>
set network dns-proxy <name> interface [ <interface1> <interface2>... ]
set network dns-proxy <name> default
set network dns-proxy <name> default inheritance
set network dns-proxy <name> default inheritance source <value>
set network dns-proxy <name> default primary <validate>|<ip/netmask>|<inherited>
set network dns-proxy <name> default secondary <validate>|<ip/netmask>|<inherited>
set network dns-proxy <name> domain-servers
set network dns-proxy <name> domain-servers <name>
set network dns-proxy <name> domain-servers <name> cacheable <yes|no>
set network dns-proxy <name> domain-servers <name> domain-name [ <domain-name1>
<domain-name2>... ]
set network dns-proxy <name> domain-servers <name> primary <ip/netmask>
set network dns-proxy <name> domain-servers <name> secondary <ip/netmask>
set network dns-proxy <name> cache
set network dns-proxy <name> cache enabled <yes|no>
set network dns-proxy <name> cache cache-edns <yes|no>
set network dns-proxy <name> cache max-l
set network dns-proxy <name> cache max-l enabled <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 529 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network dns-proxy <name> cache max-l me-to-live <60-86400>

set network dns-proxy <name> stac-entries
set network dns-proxy <name> stac-entries <name>
set network dns-proxy <name> stac-entries <name> domain <value>
set network dns-proxy <name> stac-entries <name> address [ <address1> <address2>... ]
set network dns-proxy <name> tcp-queries
set network dns-proxy <name> tcp-queries enabled <yes|no>
set network dns-proxy <name> tcp-queries max-pending-requests <64-256>
set network dns-proxy <name> udp-queries
set network dns-proxy <name> udp-queries retries
set network dns-proxy <name> udp-queries retries interval <1-30>
set network dns-proxy <name> udp-queries retries aempts <1-30>
set network dhcp
set network dhcp interface
set network dhcp interface <name>
set network dhcp interface <name> server
set network dhcp interface <name> server mode <enabled|disabled|auto>
set network dhcp interface <name> server probe-ip <yes|no>
set network dhcp interface <name> server opon
set network dhcp interface <name> server opon lease
set network dhcp interface <name> server opon lease unlimited
set network dhcp interface <name> server opon lease meout <0-1000000>
set network dhcp interface <name> server opon inheritance
set network dhcp interface <name> server opon inheritance source <value>
set network dhcp interface <name> server opon gateway <ip/netmask>
set network dhcp interface <name> server opon subnet-mask <value>
set network dhcp interface <name> server opon dns
set network dhcp interface <name> server opon dns primary <ip/netmask>|<inherited>
set network dhcp interface <name> server opon dns secondary <ip/netmask>|<inherited>
set network dhcp interface <name> server opon wins
set network dhcp interface <name> server opon wins primary <ip/netmask>|<inherited>
set network dhcp interface <name> server opon wins secondary <ip/netmask>|<inherited>
set network dhcp interface <name> server opon nis

PAN-OS CLI Quick Start Version Version 10.1 530 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network dhcp interface <name> server opon nis primary <ip/netmask>|<inherited>
set network dhcp interface <name> server opon nis secondary <ip/netmask>|<inherited>
set network dhcp interface <name> server opon ntp
set network dhcp interface <name> server opon ntp primary <ip/netmask>|<inherited>
set network dhcp interface <name> server opon ntp secondary <ip/netmask>|<inherited>
set network dhcp interface <name> server opon pop3-server <ip/netmask>|<inherited>
set network dhcp interface <name> server opon smtp-server <ip/netmask>|<inherited>
set network dhcp interface <name> server opon dns-suffix <value>|<inherited>
set network dhcp interface <name> server opon user-defined
set network dhcp interface <name> server opon user-defined <name>
set network dhcp interface <name> server opon user-defined <name> code <1-254>
set network dhcp interface <name> server opon user-defined <name> vendor-class-idenfier
<value>
set network dhcp interface <name> server opon user-defined <name> inherited <yes|no>
set network dhcp interface <name> server opon user-defined <name>
set network dhcp interface <name> server opon user-defined <name> ip [ <ip1> <ip2>... ]
set network dhcp interface <name> server opon user-defined <name> ascii [ <ascii1> <ascii2>... ]
set network dhcp interface <name> server opon user-defined <name> hex [ <hex1> <hex2>... ]
set network dhcp interface <name> server ip-pool [ <ip-pool1> <ip-pool2>... ]
set network dhcp interface <name> server reserved
set network dhcp interface <name> server reserved <name>
set network dhcp interface <name> server reserved <name> mac <value>
set network dhcp interface <name> server reserved <name> descripon <value>
set network dhcp interface <name> relay
set network dhcp interface <name> relay ip
set network dhcp interface <name> relay ip enabled <yes|no>
set network dhcp interface <name> relay ip server [ <server1> <server2>... ]
set network dhcp interface <name> relay ipv6
set network dhcp interface <name> relay ipv6 enabled <yes|no>
set network dhcp interface <name> relay ipv6 server
set network dhcp interface <name> relay ipv6 server <name>
set network dhcp interface <name> relay ipv6 server <name> interface <value>
set network shared-gateway
set network shared-gateway <name>

PAN-OS CLI Quick Start Version Version 10.1 531 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> display-name <value>

set network shared-gateway <name> import
set network shared-gateway <name> import dns-proxy <value>
set network shared-gateway <name> import network
set network shared-gateway <name> import network interface [ <interface1> <interface2>... ]
set network shared-gateway <name> zone
set network shared-gateway <name> zone <name>
set network shared-gateway <name> zone <name> network
set network shared-gateway <name> zone <name> network zone-protecon-profile <value>
set network shared-gateway <name> zone <name> network enable-packet-buffer-protecon
<yes|no>
set network shared-gateway <name> zone <name> network log-seng <value>
set network shared-gateway <name> zone <name> network
set network shared-gateway <name> zone <name> network layer3 [ <layer31> <layer32>... ]
set network shared-gateway <name> zone <name> network external [ <external1>
<external2>... ]
set network shared-gateway <name> zone <name> user-acl
set network shared-gateway <name> zone <name> user-acl include-list [ <include-list1> <include-
list2>... ]
set network shared-gateway <name> zone <name> user-acl exclude-list [ <exclude-list1>
<exclude-list2>... ]
set network shared-gateway <name> address
set network shared-gateway <name> address <name>
set network shared-gateway <name> address <name> descripon <value>
set network shared-gateway <name> address <name>
set network shared-gateway <name> address <name> ip-netmask <ip/netmask>
set network shared-gateway <name> address <name> ip-range <ip-range>
set network shared-gateway <name> address <name> ip-wildcard <ipdiscontmask>
set network shared-gateway <name> address <name> fqdn <value>
set network shared-gateway <name> address <name> tag [ <tag1> <tag2>... ]
set network shared-gateway <name> address-group
set network shared-gateway <name> address-group <name>
set network shared-gateway <name> address-group <name> descripon <value>
set network shared-gateway <name> address-group <name>
set network shared-gateway <name> address-group <name> stac [ <stac1> <stac2>... ]

PAN-OS CLI Quick Start Version Version 10.1 532 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> address-group <name> dynamic

set network shared-gateway <name> address-group <name> dynamic filter <value>
set network shared-gateway <name> address-group <name> tag [ <tag1> <tag2>... ]
set network shared-gateway <name> service
set network shared-gateway <name> service <name>
set network shared-gateway <name> service <name> descripon <value>
set network shared-gateway <name> service <name> protocol
set network shared-gateway <name> service <name> protocol tcp
set network shared-gateway <name> service <name> protocol tcp port <0-65535,...>
set network shared-gateway <name> service <name> protocol tcp source-port <0-65535,...>
set network shared-gateway <name> service <name> protocol tcp override
set network shared-gateway <name> service <name> protocol tcp override no
set network shared-gateway <name> service <name> protocol tcp override yes
set network shared-gateway <name> service <name> protocol tcp override yes meout
<1-604800>
set network shared-gateway <name> service <name> protocol tcp override yes halfclose-meout
<1-604800>
set network shared-gateway <name> service <name> protocol tcp override yes mewait-meout
<1-600>
set network shared-gateway <name> service <name> protocol udp
set network shared-gateway <name> service <name> protocol udp port <0-65535,...>
set network shared-gateway <name> service <name> protocol udp source-port <0-65535,...>
set network shared-gateway <name> service <name> protocol udp override
set network shared-gateway <name> service <name> protocol udp override no
set network shared-gateway <name> service <name> protocol udp override yes
set network shared-gateway <name> service <name> protocol udp override yes meout
<1-604800>
set network shared-gateway <name> service <name> tag [ <tag1> <tag2>... ]
set network shared-gateway <name> service-group
set network shared-gateway <name> service-group <name>
set network shared-gateway <name> service-group <name> members [ <members1>
<members2>... ]
set network shared-gateway <name> service-group <name> tag [ <tag1> <tag2>... ]
set network shared-gateway <name> tag
set network shared-gateway <name> tag <name>

PAN-OS CLI Quick Start Version Version 10.1 533 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> tag <name> color <color1|color2|color3|color4|color5|

color6|color7|color8|color9|color10|color11|color12|color13|color14|color15|color16|color17|
color19|color20|color21|color22|color23|color24|color25|color26|color27|color28|color29|
color30|color31|color32|color33|color34|color35|color36|color37|color38|color39|color40|
color41|color42>
set network shared-gateway <name> tag <name> comments <value>
set network shared-gateway <name> log-sengs
set network shared-gateway <name> log-sengs snmptrap
set network shared-gateway <name> log-sengs snmptrap <name>
set network shared-gateway <name> log-sengs snmptrap <name> version
set network shared-gateway <name> log-sengs snmptrap <name> version v2c
set network shared-gateway <name> log-sengs snmptrap <name> version v2c server
set network shared-gateway <name> log-sengs snmptrap <name> version v2c server <name>
set network shared-gateway <name> log-sengs snmptrap <name> version v2c server <name>
manager <ip/netmask>|<value>
set network shared-gateway <name> log-sengs snmptrap <name> version v2c server <name>
community <value>
set network shared-gateway <name> log-sengs snmptrap <name> version v3
set network shared-gateway <name> log-sengs snmptrap <name> version v3 server
set network shared-gateway <name> log-sengs snmptrap <name> version v3 server <name>
set network shared-gateway <name> log-sengs snmptrap <name> version v3 server <name>
manager <ip/netmask>|<value>
set network shared-gateway <name> log-sengs snmptrap <name> version v3 server <name>
user <value>
set network shared-gateway <name> log-sengs snmptrap <name> version v3 server <name>
engineid <value>
set network shared-gateway <name> log-sengs snmptrap <name> version v3 server <name>
authpwd <value>
set network shared-gateway <name> log-sengs snmptrap <name> version v3 server <name>
privpwd <value>
set network shared-gateway <name> log-sengs snmptrap <name> version v3 server <name>
authproto <SHA|SHA-224|SHA-256|SHA-384|SHA-512>
set network shared-gateway <name> log-sengs snmptrap <name> version v3 server <name>
privproto <AES|AES-192|AES-256>
set network shared-gateway <name> log-sengs email
set network shared-gateway <name> log-sengs email <name>
set network shared-gateway <name> log-sengs email <name> server
set network shared-gateway <name> log-sengs email <name> server <name>

PAN-OS CLI Quick Start Version Version 10.1 534 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> log-sengs email <name> server <name> display-name
<value>
set network shared-gateway <name> log-sengs email <name> server <name> from <value>
set network shared-gateway <name> log-sengs email <name> server <name> to <value>
set network shared-gateway <name> log-sengs email <name> server <name> and-also-to
<value>
set network shared-gateway <name> log-sengs email <name> server <name> gateway <value>
set network shared-gateway <name> log-sengs email <name> server <name> protocol <SMTP|
TLS>
set network shared-gateway <name> log-sengs email <name> server <name> port <1-65535>
set network shared-gateway <name> log-sengs email <name> server <name> tls-version <1.2|
1.1>
set network shared-gateway <name> log-sengs email <name> server <name> auth <Auto|Login|
Plain>
set network shared-gateway <name> log-sengs email <name> server <name> cerficate-profile
<value>
set network shared-gateway <name> log-sengs email <name> server <name> username
<value>
set network shared-gateway <name> log-sengs email <name> server <name> password <value>
set network shared-gateway <name> log-sengs email <name> format
set network shared-gateway <name> log-sengs email <name> format traffic <value>
set network shared-gateway <name> log-sengs email <name> format threat <value>
set network shared-gateway <name> log-sengs email <name> format wildfire <value>
set network shared-gateway <name> log-sengs email <name> format url <value>
set network shared-gateway <name> log-sengs email <name> format data <value>
set network shared-gateway <name> log-sengs email <name> format tunnel <value>
set network shared-gateway <name> log-sengs email <name> format auth <value>
set network shared-gateway <name> log-sengs email <name> format userid <value>
set network shared-gateway <name> log-sengs email <name> format iptag <value>
set network shared-gateway <name> log-sengs email <name> format decrypon <value>
set network shared-gateway <name> log-sengs email <name> format config <value>
set network shared-gateway <name> log-sengs email <name> format system <value>
set network shared-gateway <name> log-sengs email <name> format globalprotect <value>
set network shared-gateway <name> log-sengs email <name> format hip-match <value>
set network shared-gateway <name> log-sengs email <name> format correlaon <value>
set network shared-gateway <name> log-sengs email <name> format escaping

PAN-OS CLI Quick Start Version Version 10.1 535 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> log-sengs email <name> format escaping escaped-
characters <value>
set network shared-gateway <name> log-sengs email <name> format escaping escape-
character <value>
set network shared-gateway <name> log-sengs syslog
set network shared-gateway <name> log-sengs syslog <name>
set network shared-gateway <name> log-sengs syslog <name> server
set network shared-gateway <name> log-sengs syslog <name> server <name>
set network shared-gateway <name> log-sengs syslog <name> server <name> server <value>
set network shared-gateway <name> log-sengs syslog <name> server <name> transport <UDP|
TCP|SSL>
set network shared-gateway <name> log-sengs syslog <name> server <name> port <1-65535>
set network shared-gateway <name> log-sengs syslog <name> server <name> format <BSD|
IETF>
set network shared-gateway <name> log-sengs syslog <name> server <name> facility
<LOG_USER|LOG_LOCAL0|LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|
LOG_LOCAL5|LOG_LOCAL6|LOG_LOCAL7>
set network shared-gateway <name> log-sengs syslog <name> format
set network shared-gateway <name> log-sengs syslog <name> format traffic <value>
set network shared-gateway <name> log-sengs syslog <name> format threat <value>
set network shared-gateway <name> log-sengs syslog <name> format wildfire <value>
set network shared-gateway <name> log-sengs syslog <name> format url <value>
set network shared-gateway <name> log-sengs syslog <name> format data <value>
set network shared-gateway <name> log-sengs syslog <name> format tunnel <value>
set network shared-gateway <name> log-sengs syslog <name> format auth <value>
set network shared-gateway <name> log-sengs syslog <name> format userid <value>
set network shared-gateway <name> log-sengs syslog <name> format iptag <value>
set network shared-gateway <name> log-sengs syslog <name> format decrypon <value>
set network shared-gateway <name> log-sengs syslog <name> format config <value>
set network shared-gateway <name> log-sengs syslog <name> format system <value>
set network shared-gateway <name> log-sengs syslog <name> format globalprotect <value>
set network shared-gateway <name> log-sengs syslog <name> format hip-match <value>
set network shared-gateway <name> log-sengs syslog <name> format correlaon <value>
set network shared-gateway <name> log-sengs syslog <name> format escaping
set network shared-gateway <name> log-sengs syslog <name> format escaping escaped-
characters <value>

PAN-OS CLI Quick Start Version Version 10.1 536 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> log-sengs syslog <name> format escaping escape-
character <value>
set network shared-gateway <name> log-sengs hp
set network shared-gateway <name> log-sengs hp <name>
set network shared-gateway <name> log-sengs hp <name> tag-registraon <yes|no>
set network shared-gateway <name> log-sengs hp <name> server
set network shared-gateway <name> log-sengs hp <name> server <name>
set network shared-gateway <name> log-sengs hp <name> server <name> address <value>
set network shared-gateway <name> log-sengs hp <name> server <name> protocol <HTTP|
HTTPS>
set network shared-gateway <name> log-sengs hp <name> server <name> port <1-65535>
set network shared-gateway <name> log-sengs hp <name> server <name> tls-version <1.2|
1.1|1.0>
set network shared-gateway <name> log-sengs hp <name> server <name> cerficate-profile
<value>
set network shared-gateway <name> log-sengs hp <name> server <name> hp-method
<value>
set network shared-gateway <name> log-sengs hp <name> server <name> username <value>
set network shared-gateway <name> log-sengs hp <name> server <name> password <value>
set network shared-gateway <name> log-sengs hp <name> format
set network shared-gateway <name> log-sengs hp <name> format config
set network shared-gateway <name> log-sengs hp <name> format config name <value>
set network shared-gateway <name> log-sengs hp <name> format config url-format <value>
set network shared-gateway <name> log-sengs hp <name> format config headers
set network shared-gateway <name> log-sengs hp <name> format config headers <name>
set network shared-gateway <name> log-sengs hp <name> format config headers <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format config params
set network shared-gateway <name> log-sengs hp <name> format config params <name>
set network shared-gateway <name> log-sengs hp <name> format config params <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format config payload <value>
set network shared-gateway <name> log-sengs hp <name> format system
set network shared-gateway <name> log-sengs hp <name> format system name <value>
set network shared-gateway <name> log-sengs hp <name> format system url-format <value>
set network shared-gateway <name> log-sengs hp <name> format system headers

PAN-OS CLI Quick Start Version Version 10.1 537 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> log-sengs hp <name> format system headers <name>
set network shared-gateway <name> log-sengs hp <name> format system headers <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format system params
set network shared-gateway <name> log-sengs hp <name> format system params <name>
set network shared-gateway <name> log-sengs hp <name> format system params <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format system payload <value>
set network shared-gateway <name> log-sengs hp <name> format traffic
set network shared-gateway <name> log-sengs hp <name> format traffic name <value>
set network shared-gateway <name> log-sengs hp <name> format traffic url-format <value>
set network shared-gateway <name> log-sengs hp <name> format traffic headers
set network shared-gateway <name> log-sengs hp <name> format traffic headers <name>
set network shared-gateway <name> log-sengs hp <name> format traffic headers <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format traffic params
set network shared-gateway <name> log-sengs hp <name> format traffic params <name>
set network shared-gateway <name> log-sengs hp <name> format traffic params <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format traffic payload <value>
set network shared-gateway <name> log-sengs hp <name> format threat
set network shared-gateway <name> log-sengs hp <name> format threat name <value>
set network shared-gateway <name> log-sengs hp <name> format threat url-format <value>
set network shared-gateway <name> log-sengs hp <name> format threat headers
set network shared-gateway <name> log-sengs hp <name> format threat headers <name>
set network shared-gateway <name> log-sengs hp <name> format threat headers <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format threat params
set network shared-gateway <name> log-sengs hp <name> format threat params <name>
set network shared-gateway <name> log-sengs hp <name> format threat params <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format threat payload <value>
set network shared-gateway <name> log-sengs hp <name> format wildfire
set network shared-gateway <name> log-sengs hp <name> format wildfire name <value>
set network shared-gateway <name> log-sengs hp <name> format wildfire url-format <value>

PAN-OS CLI Quick Start Version Version 10.1 538 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> log-sengs hp <name> format wildfire headers
set network shared-gateway <name> log-sengs hp <name> format wildfire headers <name>
set network shared-gateway <name> log-sengs hp <name> format wildfire headers <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format wildfire params
set network shared-gateway <name> log-sengs hp <name> format wildfire params <name>
set network shared-gateway <name> log-sengs hp <name> format wildfire params <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format wildfire payload <value>
set network shared-gateway <name> log-sengs hp <name> format url
set network shared-gateway <name> log-sengs hp <name> format url name <value>
set network shared-gateway <name> log-sengs hp <name> format url url-format <value>
set network shared-gateway <name> log-sengs hp <name> format url headers
set network shared-gateway <name> log-sengs hp <name> format url headers <name>
set network shared-gateway <name> log-sengs hp <name> format url headers <name> value
<value>
set network shared-gateway <name> log-sengs hp <name> format url params
set network shared-gateway <name> log-sengs hp <name> format url params <name>
set network shared-gateway <name> log-sengs hp <name> format url params <name> value
<value>
set network shared-gateway <name> log-sengs hp <name> format url payload <value>
set network shared-gateway <name> log-sengs hp <name> format data
set network shared-gateway <name> log-sengs hp <name> format data name <value>
set network shared-gateway <name> log-sengs hp <name> format data url-format <value>
set network shared-gateway <name> log-sengs hp <name> format data headers
set network shared-gateway <name> log-sengs hp <name> format data headers <name>
set network shared-gateway <name> log-sengs hp <name> format data headers <name> value
<value>
set network shared-gateway <name> log-sengs hp <name> format data params
set network shared-gateway <name> log-sengs hp <name> format data params <name>
set network shared-gateway <name> log-sengs hp <name> format data params <name> value
<value>
set network shared-gateway <name> log-sengs hp <name> format data payload <value>
set network shared-gateway <name> log-sengs hp <name> format tunnel
set network shared-gateway <name> log-sengs hp <name> format tunnel name <value>

PAN-OS CLI Quick Start Version Version 10.1 539 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> log-sengs hp <name> format tunnel url-format <value>
set network shared-gateway <name> log-sengs hp <name> format tunnel headers
set network shared-gateway <name> log-sengs hp <name> format tunnel headers <name>
set network shared-gateway <name> log-sengs hp <name> format tunnel headers <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format tunnel params
set network shared-gateway <name> log-sengs hp <name> format tunnel params <name>
set network shared-gateway <name> log-sengs hp <name> format tunnel params <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format tunnel payload <value>
set network shared-gateway <name> log-sengs hp <name> format auth
set network shared-gateway <name> log-sengs hp <name> format auth name <value>
set network shared-gateway <name> log-sengs hp <name> format auth url-format <value>
set network shared-gateway <name> log-sengs hp <name> format auth headers
set network shared-gateway <name> log-sengs hp <name> format auth headers <name>
set network shared-gateway <name> log-sengs hp <name> format auth headers <name> value
<value>
set network shared-gateway <name> log-sengs hp <name> format auth params
set network shared-gateway <name> log-sengs hp <name> format auth params <name>
set network shared-gateway <name> log-sengs hp <name> format auth params <name> value
<value>
set network shared-gateway <name> log-sengs hp <name> format auth payload <value>
set network shared-gateway <name> log-sengs hp <name> format userid
set network shared-gateway <name> log-sengs hp <name> format userid name <value>
set network shared-gateway <name> log-sengs hp <name> format userid url-format <value>
set network shared-gateway <name> log-sengs hp <name> format userid headers
set network shared-gateway <name> log-sengs hp <name> format userid headers <name>
set network shared-gateway <name> log-sengs hp <name> format userid headers <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format userid params
set network shared-gateway <name> log-sengs hp <name> format userid params <name>
set network shared-gateway <name> log-sengs hp <name> format userid params <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format userid payload <value>
set network shared-gateway <name> log-sengs hp <name> format iptag

PAN-OS CLI Quick Start Version Version 10.1 540 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> log-sengs hp <name> format iptag name <value>
set network shared-gateway <name> log-sengs hp <name> format iptag url-format <value>
set network shared-gateway <name> log-sengs hp <name> format iptag headers
set network shared-gateway <name> log-sengs hp <name> format iptag headers <name>
set network shared-gateway <name> log-sengs hp <name> format iptag headers <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format iptag params
set network shared-gateway <name> log-sengs hp <name> format iptag params <name>
set network shared-gateway <name> log-sengs hp <name> format iptag params <name> value
<value>
set network shared-gateway <name> log-sengs hp <name> format iptag payload <value>
set network shared-gateway <name> log-sengs hp <name> format decrypon
set network shared-gateway <name> log-sengs hp <name> format decrypon name <value>
set network shared-gateway <name> log-sengs hp <name> format decrypon url-format
<value>
set network shared-gateway <name> log-sengs hp <name> format decrypon headers
set network shared-gateway <name> log-sengs hp <name> format decrypon headers
<name>
set network shared-gateway <name> log-sengs hp <name> format decrypon headers
<name> value <value>
set network shared-gateway <name> log-sengs hp <name> format decrypon params
set network shared-gateway <name> log-sengs hp <name> format decrypon params <name>
set network shared-gateway <name> log-sengs hp <name> format decrypon params <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format decrypon payload
<value>
set network shared-gateway <name> log-sengs hp <name> format globalprotect
set network shared-gateway <name> log-sengs hp <name> format globalprotect name
<value>
set network shared-gateway <name> log-sengs hp <name> format globalprotect url-format
<value>
set network shared-gateway <name> log-sengs hp <name> format globalprotect headers
set network shared-gateway <name> log-sengs hp <name> format globalprotect headers
<name>
set network shared-gateway <name> log-sengs hp <name> format globalprotect headers
<name> value <value>
set network shared-gateway <name> log-sengs hp <name> format globalprotect params

PAN-OS CLI Quick Start Version Version 10.1 541 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> log-sengs hp <name> format globalprotect params
<name>
set network shared-gateway <name> log-sengs hp <name> format globalprotect params
<name> value <value>
set network shared-gateway <name> log-sengs hp <name> format globalprotect payload
<value>
set network shared-gateway <name> log-sengs hp <name> format hip-match
set network shared-gateway <name> log-sengs hp <name> format hip-match name <value>
set network shared-gateway <name> log-sengs hp <name> format hip-match url-format
<value>
set network shared-gateway <name> log-sengs hp <name> format hip-match headers
set network shared-gateway <name> log-sengs hp <name> format hip-match headers <name>
set network shared-gateway <name> log-sengs hp <name> format hip-match headers <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format hip-match params
set network shared-gateway <name> log-sengs hp <name> format hip-match params <name>
set network shared-gateway <name> log-sengs hp <name> format hip-match params <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format hip-match payload <value>
set network shared-gateway <name> log-sengs hp <name> format correlaon
set network shared-gateway <name> log-sengs hp <name> format correlaon name <value>
set network shared-gateway <name> log-sengs hp <name> format correlaon url-format
<value>
set network shared-gateway <name> log-sengs hp <name> format correlaon headers
set network shared-gateway <name> log-sengs hp <name> format correlaon headers
<name>
set network shared-gateway <name> log-sengs hp <name> format correlaon headers
<name> value <value>
set network shared-gateway <name> log-sengs hp <name> format correlaon params
set network shared-gateway <name> log-sengs hp <name> format correlaon params <name>
set network shared-gateway <name> log-sengs hp <name> format correlaon params <name>
value <value>
set network shared-gateway <name> log-sengs hp <name> format correlaon payload
<value>
set network shared-gateway <name> log-sengs profiles
set network shared-gateway <name> log-sengs profiles <name>
set network shared-gateway <name> log-sengs profiles <name> descripon <value>

PAN-OS CLI Quick Start Version Version 10.1 542 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> log-sengs profiles <name> enhanced-applicaon-logging

<yes|no>
set network shared-gateway <name> log-sengs profiles <name> match-list
set network shared-gateway <name> log-sengs profiles <name> match-list <name>
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acon-desc
<value>
set network shared-gateway <name> log-sengs profiles <name> match-list <name> log-type
<traffic|threat|wildfire|url|data|tunnel|auth|decrypon>
set network shared-gateway <name> log-sengs profiles <name> match-list <name> filter
<value>
set network shared-gateway <name> log-sengs profiles <name> match-list <name> send-to-
panorama <yes|no>
set network shared-gateway <name> log-sengs profiles <name> match-list <name> send-
snmptrap [ <send-snmptrap1> <send-snmptrap2>... ]
set network shared-gateway <name> log-sengs profiles <name> match-list <name> send-email
[ <send-email1> <send-email2>... ]
set network shared-gateway <name> log-sengs profiles <name> match-list <name> send-syslog
[ <send-syslog1> <send-syslog2>... ]
set network shared-gateway <name> log-sengs profiles <name> match-list <name> send-hp
[ <send-hp1> <send-hp2>... ]
set network shared-gateway <name> log-sengs profiles <name> match-list <name> quaranne
<yes|no>
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name>
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging target <source-address|desnaon-address|xff-address|user>
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging acon <add-tag|remove-tag>
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging registraon
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging registraon localhost
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging registraon panorama

PAN-OS CLI Quick Start Version Version 10.1 543 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging registraon remote
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging registraon remote hp-profile <value>
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging meout <0-43200>
set network shared-gateway <name> log-sengs profiles <name> match-list <name> acons
<name> type tagging tags [ <tags1> <tags2>... ]
set network shared-gateway <name> rulebase
set network shared-gateway <name> rulebase nat
set network shared-gateway <name> rulebase nat rules
set network shared-gateway <name> rulebase nat rules <name>
set network shared-gateway <name> rulebase nat rules <name> from [ <from1> <from2>... ]
set network shared-gateway <name> rulebase nat rules <name> to [ <to1> <to2>... ]
set network shared-gateway <name> rulebase nat rules <name> source [ <source1> <source2>... ]
set network shared-gateway <name> rulebase nat rules <name> desnaon [ <desnaon1>
<desnaon2>... ]
set network shared-gateway <name> rulebase nat rules <name> service <value>
set network shared-gateway <name> rulebase nat rules <name> nat-type <ipv4|nat64|nptv6>
set network shared-gateway <name> rulebase nat rules <name> to-interface <value>|<any>
set network shared-gateway <name> rulebase nat rules <name> source-translaon
set network shared-gateway <name> rulebase nat rules <name> source-translaon
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip-
and-port
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip-
and-port
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip-
and-port translated-address [ <translated-address1> <translated-address2>... ]
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip-
and-port interface-address
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip-
and-port interface-address interface <value>
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip-
and-port interface-address
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip-
and-port interface-address ip <value>
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip-
and-port interface-address floang-ip <value>

PAN-OS CLI Quick Start Version Version 10.1 544 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
translated-address [ <translated-address1> <translated-address2>... ]
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
fallback
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
fallback
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
fallback translated-address [ <translated-address1> <translated-address2>... ]
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
fallback interface-address
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
fallback interface-address interface <value>
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
fallback interface-address
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
fallback interface-address ip <value>
set network shared-gateway <name> rulebase nat rules <name> source-translaon dynamic-ip
fallback interface-address floang-ip <value>
set network shared-gateway <name> rulebase nat rules <name> source-translaon stac-ip
set network shared-gateway <name> rulebase nat rules <name> source-translaon stac-ip
translated-address <value>|<ip/netmask>|<ip-range>
set network shared-gateway <name> rulebase nat rules <name> source-translaon stac-ip bi-
direconal <yes|no>
set network shared-gateway <name> rulebase nat rules <name>
set network shared-gateway <name> rulebase nat rules <name> desnaon-translaon
set network shared-gateway <name> rulebase nat rules <name> desnaon-translaon
translated-address <value>|<ip/netmask>|<ip-range>
set network shared-gateway <name> rulebase nat rules <name> desnaon-translaon
translated-port <1-65535>
set network shared-gateway <name> rulebase nat rules <name> desnaon-translaon
set network shared-gateway <name> rulebase nat rules <name> desnaon-translaon dns-
rewrite
set network shared-gateway <name> rulebase nat rules <name> desnaon-translaon dns-
rewrite direcon <reverse|forward>
set network shared-gateway <name> rulebase nat rules <name> dynamic-desnaon-translaon
set network shared-gateway <name> rulebase nat rules <name> dynamic-desnaon-translaon
translated-address <value>|<ip/netmask>|<ip-range>

PAN-OS CLI Quick Start Version Version 10.1 545 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> rulebase nat rules <name> dynamic-desnaon-translaon

translated-port <1-65535>
set network shared-gateway <name> rulebase nat rules <name> dynamic-desnaon-translaon
distribuon <round-robin|source-ip-hash|ip-modulo|ip-hash|least-sessions>
set network shared-gateway <name> rulebase nat rules <name> acve-acve-device-binding
<primary|both|0|1>
set network shared-gateway <name> rulebase nat rules <name> tag [ <tag1> <tag2>... ]
set network shared-gateway <name> rulebase nat rules <name> disabled <yes|no>
set network shared-gateway <name> rulebase nat rules <name> descripon <value>
set network shared-gateway <name> rulebase nat rules <name> group-tag <value>
set network shared-gateway <name> rulebase pbf
set network shared-gateway <name> rulebase pbf rules
set network shared-gateway <name> rulebase pbf rules <name>
set network shared-gateway <name> rulebase pbf rules <name> from
set network shared-gateway <name> rulebase pbf rules <name> from
set network shared-gateway <name> rulebase pbf rules <name> from zone [ <zone1> <zone2>... ]
set network shared-gateway <name> rulebase pbf rules <name> from interface [ <interface1>
<interface2>... ]
set network shared-gateway <name> rulebase pbf rules <name> source [ <source1> <source2>... ]
set network shared-gateway <name> rulebase pbf rules <name> source-user [ <source-user1>
<source-user2>... ]
set network shared-gateway <name> rulebase pbf rules <name> desnaon [ <desnaon1>
<desnaon2>... ]
set network shared-gateway <name> rulebase pbf rules <name> service [ <service1>
<service2>... ]
set network shared-gateway <name> rulebase pbf rules <name> schedule <value>
set network shared-gateway <name> rulebase pbf rules <name> tag [ <tag1> <tag2>... ]
set network shared-gateway <name> rulebase pbf rules <name> negate-source <yes|no>
set network shared-gateway <name> rulebase pbf rules <name> negate-desnaon <yes|no>
set network shared-gateway <name> rulebase pbf rules <name> disabled <yes|no>
set network shared-gateway <name> rulebase pbf rules <name> descripon <value>
set network shared-gateway <name> rulebase pbf rules <name> group-tag <value>
set network shared-gateway <name> rulebase pbf rules <name> applicaon [ <applicaon1>
<applicaon2>... ]
set network shared-gateway <name> rulebase pbf rules <name> acon
set network shared-gateway <name> rulebase pbf rules <name> acon

PAN-OS CLI Quick Start Version Version 10.1 546 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> rulebase pbf rules <name> acon forward
set network shared-gateway <name> rulebase pbf rules <name> acon forward egress-interface
<value>
set network shared-gateway <name> rulebase pbf rules <name> acon forward nexthop
set network shared-gateway <name> rulebase pbf rules <name> acon forward nexthop
set network shared-gateway <name> rulebase pbf rules <name> acon forward nexthop ip-
address <value>|<ip/netmask>
set network shared-gateway <name> rulebase pbf rules <name> acon forward nexthop fqdn
<value>
set network shared-gateway <name> rulebase pbf rules <name> acon forward monitor
set network shared-gateway <name> rulebase pbf rules <name> acon forward monitor profile
<value>
set network shared-gateway <name> rulebase pbf rules <name> acon forward monitor disable-
if-unreachable <yes|no>
set network shared-gateway <name> rulebase pbf rules <name> acon forward monitor ip-
address <ip/netmask>
set network shared-gateway <name> rulebase pbf rules <name> acon forward-to-vsys <value>
set network shared-gateway <name> rulebase pbf rules <name> acon discard
set network shared-gateway <name> rulebase pbf rules <name> acon no-pbf
set network shared-gateway <name> rulebase pbf rules <name> enforce-symmetric-return
set network shared-gateway <name> rulebase pbf rules <name> enforce-symmetric-return
enabled <yes|no>
set network shared-gateway <name> rulebase pbf rules <name> enforce-symmetric-return
nexthop-address-list
set network shared-gateway <name> rulebase pbf rules <name> enforce-symmetric-return
nexthop-address-list <name>
set network shared-gateway <name> rulebase pbf rules <name> acve-acve-device-binding
<both|0|1>
set network shared-gateway <name> rulebase sdwan
set network shared-gateway <name> rulebase sdwan rules
set network shared-gateway <name> rulebase sdwan rules <name>
set network shared-gateway <name> rulebase sdwan rules <name> from [ <from1> <from2>... ]
set network shared-gateway <name> rulebase sdwan rules <name> to [ <to1> <to2>... ]
set network shared-gateway <name> rulebase sdwan rules <name> source [ <source1>
<source2>... ]
set network shared-gateway <name> rulebase sdwan rules <name> source-user [ <source-user1>
<source-user2>... ]

PAN-OS CLI Quick Start Version Version 10.1 547 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> rulebase sdwan rules <name> desnaon [ <desnaon1>
<desnaon2>... ]
set network shared-gateway <name> rulebase sdwan rules <name> applicaon [ <applicaon1>
<applicaon2>... ]
set network shared-gateway <name> rulebase sdwan rules <name> service [ <service1>
<service2>... ]
set network shared-gateway <name> rulebase sdwan rules <name> tag [ <tag1> <tag2>... ]
set network shared-gateway <name> rulebase sdwan rules <name> negate-source <yes|no>
set network shared-gateway <name> rulebase sdwan rules <name> negate-desnaon <yes|no>
set network shared-gateway <name> rulebase sdwan rules <name> disabled <yes|no>
set network shared-gateway <name> rulebase sdwan rules <name> descripon <value>
set network shared-gateway <name> rulebase sdwan rules <name> group-tag <value>
set network shared-gateway <name> rulebase sdwan rules <name> path-quality-profile <value>
set network shared-gateway <name> rulebase sdwan rules <name> saas-quality-profile <value>
set network shared-gateway <name> rulebase sdwan rules <name> error-correcon-profile
<value>
set network shared-gateway <name> rulebase sdwan rules <name> acon
set network shared-gateway <name> rulebase sdwan rules <name> acon traffic-distribuon-
profile <value>
set network shared-gateway <name> rulebase sdwan rules <name> acon app-failover-for-nat-
sessions <keep-exisng-link|failover-to-beer-path>
set network shared-gateway <name> rulebase network-packet-broker
set network shared-gateway <name> rulebase network-packet-broker rules
set network shared-gateway <name> rulebase network-packet-broker rules <name>
set network shared-gateway <name> rulebase network-packet-broker rules <name> from
[ <from1> <from2>... ]
set network shared-gateway <name> rulebase network-packet-broker rules <name> to [ <to1>
<to2>... ]
set network shared-gateway <name> rulebase network-packet-broker rules <name> source
[ <source1> <source2>... ]
set network shared-gateway <name> rulebase network-packet-broker rules <name> source-user
[ <source-user1> <source-user2>... ]
set network shared-gateway <name> rulebase network-packet-broker rules <name> desnaon
[ <desnaon1> <desnaon2>... ]
set network shared-gateway <name> rulebase network-packet-broker rules <name> applicaon
[ <applicaon1> <applicaon2>... ]
set network shared-gateway <name> rulebase network-packet-broker rules <name> service
[ <service1> <service2>... ]

PAN-OS CLI Quick Start Version Version 10.1 548 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network shared-gateway <name> rulebase network-packet-broker rules <name> tag [ <tag1>
<tag2>... ]
set network shared-gateway <name> rulebase network-packet-broker rules <name> negate-
source <yes|no>
set network shared-gateway <name> rulebase network-packet-broker rules <name> negate-
desnaon <yes|no>
set network shared-gateway <name> rulebase network-packet-broker rules <name> disabled
<yes|no>
set network shared-gateway <name> rulebase network-packet-broker rules <name> descripon
<value>
set network shared-gateway <name> rulebase network-packet-broker rules <name> group-tag
<value>
set network shared-gateway <name> rulebase network-packet-broker rules <name> source-hip
[ <source-hip1> <source-hip2>... ]
set network shared-gateway <name> rulebase network-packet-broker rules <name> desnaon-
hip [ <desnaon-hip1> <desnaon-hip2>... ]
set network shared-gateway <name> rulebase network-packet-broker rules <name> traffic-type
set network shared-gateway <name> rulebase network-packet-broker rules <name> traffic-type
tls-decrypted <yes|no>
set network shared-gateway <name> rulebase network-packet-broker rules <name> traffic-type
tls-encrypted <yes|no>
set network shared-gateway <name> rulebase network-packet-broker rules <name> traffic-type
non-tls <yes|no>
set network shared-gateway <name> rulebase network-packet-broker rules <name> acon
set network shared-gateway <name> rulebase network-packet-broker rules <name> acon
packet-broker-profile <value>
set network lldp
set network lldp enable <yes|no>
set network lldp transmit-interval <1-3600>
set network lldp transmit-delay <1-600>
set network lldp hold-me-mulple <1-100>
set network lldp noficaon-interval <1-3600>
set network lldp tx-credit-max <1-10>
set network lldp tx-fast-init <1-8>
set network lldp reinit-delay <1-10>
set network lldp msg-fast-tx <1-3600>
set network underlay-net

PAN-OS CLI Quick Start Version Version 10.1 549 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set network underlay-net ip-mapping

set network underlay-net ip-mapping <name>
set network underlay-net ip-mapping <name> overlay-ip <value>
set network underlay-net ip-mapping <name> underlay-ip <value>
set shared
set shared address
set shared address <name>
set shared address <name> descripon <value>
set shared address <name>
set shared address <name> ip-netmask <ip/netmask>
set shared address <name> ip-range <ip-range>
set shared address <name> ip-wildcard <ipdiscontmask>
set shared address <name> fqdn <value>
set shared address <name> tag [ <tag1> <tag2>... ]
set shared address-group
set shared address-group <name>
set shared address-group <name> descripon <value>
set shared address-group <name>
set shared address-group <name> stac [ <stac1> <stac2>... ]
set shared address-group <name> dynamic
set shared address-group <name> dynamic filter <value>
set shared address-group <name> tag [ <tag1> <tag2>... ]
set shared applicaon
set shared applicaon <name>
set shared applicaon <name> default
set shared applicaon <name> default port [ <port1> <port2>... ]
set shared applicaon <name> default ident-by-ip-protocol <0-255,...>
set shared applicaon <name> default ident-by-icmp-type
set shared applicaon <name> default ident-by-icmp-type type <0-255,...>
set shared applicaon <name> default ident-by-icmp-type code <0-255,...>
set shared applicaon <name> default ident-by-icmp6-type
set shared applicaon <name> default ident-by-icmp6-type type <0-255,...>
set shared applicaon <name> default ident-by-icmp6-type code <0-255,...>

PAN-OS CLI Quick Start Version Version 10.1 550 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared applicaon <name> category <value>

set shared applicaon <name> subcategory <value>
set shared applicaon <name> technology <value>
set shared applicaon <name> descripon <value>
set shared applicaon <name> meout <0-604800>
set shared applicaon <name> tcp-meout <0-604800>
set shared applicaon <name> udp-meout <0-604800>
set shared applicaon <name> tcp-half-closed-meout <1-604800>
set shared applicaon <name> tcp-me-wait-meout <1-600>
set shared applicaon <name> risk <1-5>
set shared applicaon <name> evasive-behavior <yes|no>
set shared applicaon <name> consume-big-bandwidth <yes|no>
set shared applicaon <name> used-by-malware <yes|no>
set shared applicaon <name> able-to-transfer-file <yes|no>
set shared applicaon <name> has-known-vulnerability <yes|no>
set shared applicaon <name> tunnel-other-applicaon <yes|no>
set shared applicaon <name> tunnel-applicaons <yes|no>
set shared applicaon <name> prone-to-misuse <yes|no>
set shared applicaon <name> pervasive-use <yes|no>
set shared applicaon <name> file-type-ident <yes|no>
set shared applicaon <name> virus-ident <yes|no>
set shared applicaon <name> data-ident <yes|no>
set shared applicaon <name> no-appid-caching <yes|no>
set shared applicaon <name> alg-disable-capability <value>
set shared applicaon <name> parent-app <value>
set shared applicaon <name> signature
set shared applicaon <name> signature <name>
set shared applicaon <name> signature <name> comment <value>
set shared applicaon <name> signature <name> scope <protocol-data-unit|session>
set shared applicaon <name> signature <name> order-free <yes|no>
set shared applicaon <name> signature <name> and-condion
set shared applicaon <name> signature <name> and-condion <name>
set shared applicaon <name> signature <name> and-condion <name> or-condion

PAN-OS CLI Quick Start Version Version 10.1 551 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator paern-match
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator paern-match context <value>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator paern-match paern <value>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator paern-match qualifier
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator paern-match qualifier <name>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator paern-match qualifier <name> value <1-127>|<value>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator greater-than
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator greater-than context <value>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator greater-than value <0-4294967295>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator greater-than qualifier
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator greater-than qualifier <name>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator greater-than qualifier <name> value <1-127>|<value>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator less-than
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator less-than context <value>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator less-than value <0-4294967295>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator less-than qualifier
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator less-than qualifier <name>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator less-than qualifier <name> value <1-127>|<value>

PAN-OS CLI Quick Start Version Version 10.1 552 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator equal-to
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator equal-to context <value>|<unknown-req-tcp|unknown-rsp-tcp|unknown-req-udp|
unknown-rsp-udp>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator equal-to posion <value>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator equal-to mask <value>
set shared applicaon <name> signature <name> and-condion <name> or-condion <name>
operator equal-to value <value>
set shared applicaon-filter
set shared applicaon-filter <name>
set shared applicaon-filter <name> category [ <category1> <category2>... ]
set shared applicaon-filter <name> subcategory [ <subcategory1> <subcategory2>... ]
set shared applicaon-filter <name> technology [ <technology1> <technology2>... ]
set shared applicaon-filter <name> evasive <yes>
set shared applicaon-filter <name> excessive-bandwidth-use <yes>
set shared applicaon-filter <name> used-by-malware <yes>
set shared applicaon-filter <name> transfers-files <yes>
set shared applicaon-filter <name> has-known-vulnerabilies <yes>
set shared applicaon-filter <name> tunnels-other-apps <yes>
set shared applicaon-filter <name> prone-to-misuse <yes>
set shared applicaon-filter <name> pervasive <yes>
set shared applicaon-filter <name> is-saas <yes>
set shared applicaon-filter <name> new-appid <yes>
set shared applicaon-filter <name> risk [ <risk1> <risk2>... ]
set shared applicaon-filter <name> saas-cerficaons [ <saas-cerficaons1> <saas-
cerficaons2>... ]
set shared applicaon-filter <name> saas-risk [ <saas-risk1> <saas-risk2>... ]
set shared applicaon-filter <name> tagging
set shared applicaon-filter <name> tagging no-tag <yes>
set shared applicaon-filter <name> tagging tag [ <tag1> <tag2>... ]
set shared applicaon-filter <name> exclude [ <exclude1> <exclude2>... ]
set shared applicaon-group
set shared applicaon-group <name>

PAN-OS CLI Quick Start Version Version 10.1 553 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared applicaon-group <name> members [ <members1> <members2>... ]

set shared service
set shared service <name>
set shared service <name> descripon <value>
set shared service <name> protocol
set shared service <name> protocol tcp
set shared service <name> protocol tcp port <0-65535,...>
set shared service <name> protocol tcp source-port <0-65535,...>
set shared service <name> protocol tcp override
set shared service <name> protocol tcp override no
set shared service <name> protocol tcp override yes
set shared service <name> protocol tcp override yes meout <1-604800>
set shared service <name> protocol tcp override yes halfclose-meout <1-604800>
set shared service <name> protocol tcp override yes mewait-meout <1-600>
set shared service <name> protocol udp
set shared service <name> protocol udp port <0-65535,...>
set shared service <name> protocol udp source-port <0-65535,...>
set shared service <name> protocol udp override
set shared service <name> protocol udp override no
set shared service <name> protocol udp override yes
set shared service <name> protocol udp override yes meout <1-604800>
set shared service <name> tag [ <tag1> <tag2>... ]
set shared service-group
set shared service-group <name>
set shared service-group <name> members [ <members1> <members2>... ]
set shared service-group <name> tag [ <tag1> <tag2>... ]
set shared device-object
set shared device-object <name>
set shared device-object <name> descripon <value>
set shared device-object <name> category [ <category1> <category2>... ]
set shared device-object <name> profile [ <profile1> <profile2>... ]
set shared device-object <name> osfamily [ <osfamily1> <osfamily2>... ]
set shared device-object <name> os [ <os1> <os2>... ]

PAN-OS CLI Quick Start Version Version 10.1 554 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared device-object <name> model [ <model1> <model2>... ]

set shared device-object <name> vendor [ <vendor1> <vendor2>... ]
set shared profiles
set shared profiles hip-objects
set shared profiles hip-objects <name>
set shared profiles hip-objects <name> descripon <value>
set shared profiles hip-objects <name> host-info
set shared profiles hip-objects <name> host-info criteria
set shared profiles hip-objects <name> host-info criteria domain
set shared profiles hip-objects <name> host-info criteria domain
set shared profiles hip-objects <name> host-info criteria domain contains <value>
set shared profiles hip-objects <name> host-info criteria domain is <value>
set shared profiles hip-objects <name> host-info criteria domain is-not <value>
set shared profiles hip-objects <name> host-info criteria os
set shared profiles hip-objects <name> host-info criteria os
set shared profiles hip-objects <name> host-info criteria os contains
set shared profiles hip-objects <name> host-info criteria os contains
set shared profiles hip-objects <name> host-info criteria os contains Microso <value>
set shared profiles hip-objects <name> host-info criteria os contains Apple <value>
set shared profiles hip-objects <name> host-info criteria os contains Google <value>
set shared profiles hip-objects <name> host-info criteria os contains Linux <value>
set shared profiles hip-objects <name> host-info criteria os contains Other <value>
set shared profiles hip-objects <name> host-info criteria client-version
set shared profiles hip-objects <name> host-info criteria client-version
set shared profiles hip-objects <name> host-info criteria client-version contains <value>
set shared profiles hip-objects <name> host-info criteria client-version is <value>
set shared profiles hip-objects <name> host-info criteria client-version is-not <value>
set shared profiles hip-objects <name> host-info criteria host-name
set shared profiles hip-objects <name> host-info criteria host-name
set shared profiles hip-objects <name> host-info criteria host-name contains <value>
set shared profiles hip-objects <name> host-info criteria host-name is <value>
set shared profiles hip-objects <name> host-info criteria host-name is-not <value>
set shared profiles hip-objects <name> host-info criteria host-id

PAN-OS CLI Quick Start Version Version 10.1 555 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles hip-objects <name> host-info criteria host-id

set shared profiles hip-objects <name> host-info criteria host-id contains <value>
set shared profiles hip-objects <name> host-info criteria host-id is <value>
set shared profiles hip-objects <name> host-info criteria host-id is-not <value>
set shared profiles hip-objects <name> host-info criteria managed <no|yes>
set shared profiles hip-objects <name> host-info criteria serial-number
set shared profiles hip-objects <name> host-info criteria serial-number
set shared profiles hip-objects <name> host-info criteria serial-number contains <value>
set shared profiles hip-objects <name> host-info criteria serial-number is <value>
set shared profiles hip-objects <name> host-info criteria serial-number is-not <value>
set shared profiles hip-objects <name> network-info
set shared profiles hip-objects <name> network-info criteria
set shared profiles hip-objects <name> network-info criteria network
set shared profiles hip-objects <name> network-info criteria network is
set shared profiles hip-objects <name> network-info criteria network is wifi
set shared profiles hip-objects <name> network-info criteria network is wifi ssid <value>
set shared profiles hip-objects <name> network-info criteria network is mobile
set shared profiles hip-objects <name> network-info criteria network is mobile carrier <value>
set shared profiles hip-objects <name> network-info criteria network is unknown
set shared profiles hip-objects <name> network-info criteria network is-not
set shared profiles hip-objects <name> network-info criteria network is-not wifi
set shared profiles hip-objects <name> network-info criteria network is-not wifi ssid <value>
set shared profiles hip-objects <name> network-info criteria network is-not mobile
set shared profiles hip-objects <name> network-info criteria network is-not mobile carrier <value>
set shared profiles hip-objects <name> network-info criteria network is-not ethernet
set shared profiles hip-objects <name> network-info criteria network is-not unknown
set shared profiles hip-objects <name> patch-management
set shared profiles hip-objects <name> patch-management criteria
set shared profiles hip-objects <name> patch-management criteria is-installed <yes|no>
set shared profiles hip-objects <name> patch-management criteria is-enabled <no|yes|not-
available>
set shared profiles hip-objects <name> patch-management criteria missing-patches
set shared profiles hip-objects <name> patch-management criteria missing-patches severity
set shared profiles hip-objects <name> patch-management criteria missing-patches severity

PAN-OS CLI Quick Start Version Version 10.1 556 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles hip-objects <name> patch-management criteria missing-patches severity

greater-equal <0-100000>
set shared profiles hip-objects <name> patch-management criteria missing-patches severity
greater-than <0-100000>
set shared profiles hip-objects <name> patch-management criteria missing-patches severity is
<0-100000>
set shared profiles hip-objects <name> patch-management criteria missing-patches severity is-not
<0-100000>
set shared profiles hip-objects <name> patch-management criteria missing-patches severity less-
equal <0-100000>
set shared profiles hip-objects <name> patch-management criteria missing-patches severity less-
than <0-100000>
set shared profiles hip-objects <name> patch-management criteria missing-patches patches
[ <patches1> <patches2>... ]
set shared profiles hip-objects <name> patch-management criteria missing-patches check <has-
any|has-none|has-all>
set shared profiles hip-objects <name> patch-management vendor
set shared profiles hip-objects <name> patch-management vendor <name>
set shared profiles hip-objects <name> patch-management vendor <name> product [ <product1>
<product2>... ]
set shared profiles hip-objects <name> patch-management exclude-vendor <yes|no>
set shared profiles hip-objects <name> data-loss-prevenon
set shared profiles hip-objects <name> data-loss-prevenon criteria
set shared profiles hip-objects <name> data-loss-prevenon criteria is-installed <yes|no>
set shared profiles hip-objects <name> data-loss-prevenon criteria is-enabled <no|yes|not-
available>
set shared profiles hip-objects <name> data-loss-prevenon vendor
set shared profiles hip-objects <name> data-loss-prevenon vendor <name>
set shared profiles hip-objects <name> data-loss-prevenon vendor <name> product
[ <product1> <product2>... ]
set shared profiles hip-objects <name> data-loss-prevenon exclude-vendor <yes|no>
set shared profiles hip-objects <name> firewall
set shared profiles hip-objects <name> firewall criteria
set shared profiles hip-objects <name> firewall criteria is-installed <yes|no>
set shared profiles hip-objects <name> firewall criteria is-enabled <no|yes|not-available>
set shared profiles hip-objects <name> firewall vendor
set shared profiles hip-objects <name> firewall vendor <name>

PAN-OS CLI Quick Start Version Version 10.1 557 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles hip-objects <name> firewall vendor <name> product [ <product1>
<product2>... ]
set shared profiles hip-objects <name> firewall exclude-vendor <yes|no>
set shared profiles hip-objects <name> an-malware
set shared profiles hip-objects <name> an-malware criteria
set shared profiles hip-objects <name> an-malware criteria virdef-version
set shared profiles hip-objects <name> an-malware criteria virdef-version
set shared profiles hip-objects <name> an-malware criteria virdef-version within
set shared profiles hip-objects <name> an-malware criteria virdef-version within days
<1-65535>
set shared profiles hip-objects <name> an-malware criteria virdef-version within versions
<1-65535>
set shared profiles hip-objects <name> an-malware criteria virdef-version not-within
set shared profiles hip-objects <name> an-malware criteria virdef-version not-within days
<1-65535>
set shared profiles hip-objects <name> an-malware criteria virdef-version not-within versions
<1-65535>
set shared profiles hip-objects <name> an-malware criteria product-version
set shared profiles hip-objects <name> an-malware criteria product-version
set shared profiles hip-objects <name> an-malware criteria product-version greater-equal
<value>
set shared profiles hip-objects <name> an-malware criteria product-version greater-than <value>
set shared profiles hip-objects <name> an-malware criteria product-version is <value>
set shared profiles hip-objects <name> an-malware criteria product-version is-not <value>
set shared profiles hip-objects <name> an-malware criteria product-version less-equal <value>
set shared profiles hip-objects <name> an-malware criteria product-version less-than <value>
set shared profiles hip-objects <name> an-malware criteria product-version contains <value>
set shared profiles hip-objects <name> an-malware criteria product-version within
set shared profiles hip-objects <name> an-malware criteria product-version within versions
<1-1>
set shared profiles hip-objects <name> an-malware criteria product-version not-within
set shared profiles hip-objects <name> an-malware criteria product-version not-within versions
<1-1>
set shared profiles hip-objects <name> an-malware criteria is-installed <yes|no>
set shared profiles hip-objects <name> an-malware criteria real-me-protecon <no|yes|not-
available>

PAN-OS CLI Quick Start Version Version 10.1 558 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles hip-objects <name> an-malware criteria last-scan-me

set shared profiles hip-objects <name> an-malware criteria last-scan-me
set shared profiles hip-objects <name> an-malware criteria last-scan-me not-available
set shared profiles hip-objects <name> an-malware criteria last-scan-me within
set shared profiles hip-objects <name> an-malware criteria last-scan-me within days
<1-65535>
set shared profiles hip-objects <name> an-malware criteria last-scan-me within hours
<1-65535>
set shared profiles hip-objects <name> an-malware criteria last-scan-me not-within
set shared profiles hip-objects <name> an-malware criteria last-scan-me not-within days
<1-65535>
set shared profiles hip-objects <name> an-malware criteria last-scan-me not-within hours
<1-65535>
set shared profiles hip-objects <name> an-malware vendor
set shared profiles hip-objects <name> an-malware vendor <name>
set shared profiles hip-objects <name> an-malware vendor <name> product [ <product1>
<product2>... ]
set shared profiles hip-objects <name> an-malware exclude-vendor <yes|no>
set shared profiles hip-objects <name> disk-backup
set shared profiles hip-objects <name> disk-backup criteria
set shared profiles hip-objects <name> disk-backup criteria is-installed <yes|no>
set shared profiles hip-objects <name> disk-backup criteria last-backup-me
set shared profiles hip-objects <name> disk-backup criteria last-backup-me
set shared profiles hip-objects <name> disk-backup criteria last-backup-me not-available
set shared profiles hip-objects <name> disk-backup criteria last-backup-me within
set shared profiles hip-objects <name> disk-backup criteria last-backup-me within days
<1-65535>
set shared profiles hip-objects <name> disk-backup criteria last-backup-me within hours
<1-65535>
set shared profiles hip-objects <name> disk-backup criteria last-backup-me not-within
set shared profiles hip-objects <name> disk-backup criteria last-backup-me not-within days
<1-65535>
set shared profiles hip-objects <name> disk-backup criteria last-backup-me not-within hours
<1-65535>
set shared profiles hip-objects <name> disk-backup vendor
set shared profiles hip-objects <name> disk-backup vendor <name>

PAN-OS CLI Quick Start Version Version 10.1 559 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles hip-objects <name> disk-backup vendor <name> product [ <product1>
<product2>... ]
set shared profiles hip-objects <name> disk-backup exclude-vendor <yes|no>
set shared profiles hip-objects <name> disk-encrypon
set shared profiles hip-objects <name> disk-encrypon criteria
set shared profiles hip-objects <name> disk-encrypon criteria is-installed <yes|no>
set shared profiles hip-objects <name> disk-encrypon criteria encrypted-locaons
set shared profiles hip-objects <name> disk-encrypon criteria encrypted-locaons <name>
set shared profiles hip-objects <name> disk-encrypon criteria encrypted-locaons <name>
encrypon-state
set shared profiles hip-objects <name> disk-encrypon criteria encrypted-locaons <name>
encrypon-state is <encrypted|unencrypted|paral|unknown>
set shared profiles hip-objects <name> disk-encrypon criteria encrypted-locaons <name>
encrypon-state is-not <encrypted|unencrypted|paral|unknown>
set shared profiles hip-objects <name> disk-encrypon vendor
set shared profiles hip-objects <name> disk-encrypon vendor <name>
set shared profiles hip-objects <name> disk-encrypon vendor <name> product [ <product1>
<product2>... ]
set shared profiles hip-objects <name> disk-encrypon exclude-vendor <yes|no>
set shared profiles hip-objects <name> custom-checks
set shared profiles hip-objects <name> custom-checks criteria
set shared profiles hip-objects <name> custom-checks criteria process-list
set shared profiles hip-objects <name> custom-checks criteria process-list <name>
set shared profiles hip-objects <name> custom-checks criteria process-list <name> running <yes|
no>
set shared profiles hip-objects <name> custom-checks criteria registry-key
set shared profiles hip-objects <name> custom-checks criteria registry-key <name>
set shared profiles hip-objects <name> custom-checks criteria registry-key <name> default-value-
data <value>
set shared profiles hip-objects <name> custom-checks criteria registry-key <name> negate <yes|
no>
set shared profiles hip-objects <name> custom-checks criteria registry-key <name> registry-value
set shared profiles hip-objects <name> custom-checks criteria registry-key <name> registry-value
<name>
set shared profiles hip-objects <name> custom-checks criteria registry-key <name> registry-value
<name> value-data <value>

PAN-OS CLI Quick Start Version Version 10.1 560 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles hip-objects <name> custom-checks criteria registry-key <name> registry-value
<name> negate <yes|no>
set shared profiles hip-objects <name> custom-checks criteria plist
set shared profiles hip-objects <name> custom-checks criteria plist <name>
set shared profiles hip-objects <name> custom-checks criteria plist <name> negate <yes|no>
set shared profiles hip-objects <name> custom-checks criteria plist <name> key
set shared profiles hip-objects <name> custom-checks criteria plist <name> key <name>
set shared profiles hip-objects <name> custom-checks criteria plist <name> key <name> value
<value>
set shared profiles hip-objects <name> custom-checks criteria plist <name> key <name> negate
<yes|no>
set shared profiles hip-objects <name> mobile-device
set shared profiles hip-objects <name> mobile-device criteria
set shared profiles hip-objects <name> mobile-device criteria jailbroken <no|yes>
set shared profiles hip-objects <name> mobile-device criteria disk-encrypted <no|yes>
set shared profiles hip-objects <name> mobile-device criteria passcode-set <no|yes>
set shared profiles hip-objects <name> mobile-device criteria last-checkin-me
set shared profiles hip-objects <name> mobile-device criteria last-checkin-me
set shared profiles hip-objects <name> mobile-device criteria last-checkin-me within
set shared profiles hip-objects <name> mobile-device criteria last-checkin-me within days
<1-365>
set shared profiles hip-objects <name> mobile-device criteria last-checkin-me not-within
set shared profiles hip-objects <name> mobile-device criteria last-checkin-me not-within days
<1-365>
set shared profiles hip-objects <name> mobile-device criteria imei
set shared profiles hip-objects <name> mobile-device criteria imei
set shared profiles hip-objects <name> mobile-device criteria imei contains <value>
set shared profiles hip-objects <name> mobile-device criteria imei is <value>
set shared profiles hip-objects <name> mobile-device criteria imei is-not <value>
set shared profiles hip-objects <name> mobile-device criteria model
set shared profiles hip-objects <name> mobile-device criteria model
set shared profiles hip-objects <name> mobile-device criteria model contains <value>
set shared profiles hip-objects <name> mobile-device criteria model is <value>
set shared profiles hip-objects <name> mobile-device criteria model is-not <value>
set shared profiles hip-objects <name> mobile-device criteria phone-number

PAN-OS CLI Quick Start Version Version 10.1 561 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles hip-objects <name> mobile-device criteria phone-number

set shared profiles hip-objects <name> mobile-device criteria phone-number contains <value>
set shared profiles hip-objects <name> mobile-device criteria phone-number is <value>
set shared profiles hip-objects <name> mobile-device criteria phone-number is-not <value>
set shared profiles hip-objects <name> mobile-device criteria tag
set shared profiles hip-objects <name> mobile-device criteria tag
set shared profiles hip-objects <name> mobile-device criteria tag contains <value>
set shared profiles hip-objects <name> mobile-device criteria tag is <value>
set shared profiles hip-objects <name> mobile-device criteria tag is-not <value>
set shared profiles hip-objects <name> mobile-device criteria applicaons
set shared profiles hip-objects <name> mobile-device criteria applicaons has-malware
set shared profiles hip-objects <name> mobile-device criteria applicaons has-malware no
set shared profiles hip-objects <name> mobile-device criteria applicaons has-malware yes
set shared profiles hip-objects <name> mobile-device criteria applicaons has-malware yes
excludes
set shared profiles hip-objects <name> mobile-device criteria applicaons has-malware yes
excludes <name>
set shared profiles hip-objects <name> mobile-device criteria applicaons has-malware yes
excludes <name> package <value>
set shared profiles hip-objects <name> mobile-device criteria applicaons has-malware yes
excludes <name> hash <value>
set shared profiles hip-objects <name> mobile-device criteria applicaons has-unmanaged-app
<no|yes>
set shared profiles hip-objects <name> mobile-device criteria applicaons includes
set shared profiles hip-objects <name> mobile-device criteria applicaons includes <name>
set shared profiles hip-objects <name> mobile-device criteria applicaons includes <name>
package <value>
set shared profiles hip-objects <name> mobile-device criteria applicaons includes <name> hash
<value>
set shared profiles hip-objects <name> cerficate
set shared profiles hip-objects <name> cerficate criteria
set shared profiles hip-objects <name> cerficate criteria cerficate-profile <value>
set shared profiles hip-objects <name> cerficate criteria cerficate-aributes
set shared profiles hip-objects <name> cerficate criteria cerficate-aributes <name>
set shared profiles hip-objects <name> cerficate criteria cerficate-aributes <name> value
<value>

PAN-OS CLI Quick Start Version Version 10.1 562 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles virus

set shared profiles virus <name>
set shared profiles virus <name> descripon <value>
set shared profiles virus <name> packet-capture <yes|no>
set shared profiles virus <name> mlav-engine-filebased-enabled
set shared profiles virus <name> mlav-engine-filebased-enabled <name>
set shared profiles virus <name> mlav-engine-filebased-enabled <name> mlav-policy-acon
<enable|enable(alert-only)|disable>
set shared profiles virus <name> decoder
set shared profiles virus <name> decoder <name>
set shared profiles virus <name> decoder <name> acon <default|allow|alert|drop|reset-client|
reset-server|reset-both>
set shared profiles virus <name> decoder <name> wildfire-acon <default|allow|alert|drop|reset-
client|reset-server|reset-both>
set shared profiles virus <name> decoder <name> mlav-acon <default|allow|alert|drop|reset-
client|reset-server|reset-both>
set shared profiles virus <name> applicaon
set shared profiles virus <name> applicaon <name>
set shared profiles virus <name> applicaon <name> acon <default|allow|alert|drop|reset-client|
reset-server|reset-both>
set shared profiles virus <name> threat-excepon
set shared profiles virus <name> threat-excepon <name>
set shared profiles virus <name> mlav-excepon
set shared profiles virus <name> mlav-excepon <name>
set shared profiles virus <name> mlav-excepon <name> filename <value>
set shared profiles virus <name> mlav-excepon <name> descripon <value>
set shared profiles spyware
set shared profiles spyware <name>
set shared profiles spyware <name> descripon <value>
set shared profiles spyware <name> botnet-domains
set shared profiles spyware <name> botnet-domains lists
set shared profiles spyware <name> botnet-domains lists <name>
set shared profiles spyware <name> botnet-domains lists <name> acon
set shared profiles spyware <name> botnet-domains lists <name> acon alert
set shared profiles spyware <name> botnet-domains lists <name> acon allow

PAN-OS CLI Quick Start Version Version 10.1 563 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles spyware <name> botnet-domains lists <name> acon block
set shared profiles spyware <name> botnet-domains lists <name> acon sinkhole
set shared profiles spyware <name> botnet-domains lists <name> packet-capture <disable|single-
packet|extended-capture>
set shared profiles spyware <name> botnet-domains dns-security-categories
set shared profiles spyware <name> botnet-domains dns-security-categories <name>
set shared profiles spyware <name> botnet-domains dns-security-categories <name> acon
<default|allow|block|sinkhole>
set shared profiles spyware <name> botnet-domains dns-security-categories <name> log-level
<default|none|low|informaonal|medium|high|crical>
set shared profiles spyware <name> botnet-domains dns-security-categories <name> packet-
capture <disable|single-packet|extended-capture>
set shared profiles spyware <name> botnet-domains whitelist
set shared profiles spyware <name> botnet-domains whitelist <name>
set shared profiles spyware <name> botnet-domains whitelist <name> descripon <value>
set shared profiles spyware <name> botnet-domains sinkhole
set shared profiles spyware <name> botnet-domains sinkhole ipv4-address <value>|<127.0.0.1|
pan-sinkhole-default-ip>
set shared profiles spyware <name> botnet-domains sinkhole ipv6-address <ip/netmask>|<::1>
set shared profiles spyware <name> botnet-domains threat-excepon
set shared profiles spyware <name> botnet-domains threat-excepon <name>
set shared profiles spyware <name> rules
set shared profiles spyware <name> rules <name>
set shared profiles spyware <name> rules <name> threat-name <value>|<any>
set shared profiles spyware <name> rules <name> category <value>|<any>
set shared profiles spyware <name> rules <name> severity [ <severity1> <severity2>... ]
set shared profiles spyware <name> rules <name> acon
set shared profiles spyware <name> rules <name> acon default
set shared profiles spyware <name> rules <name> acon allow
set shared profiles spyware <name> rules <name> acon alert
set shared profiles spyware <name> rules <name> acon drop
set shared profiles spyware <name> rules <name> acon reset-client
set shared profiles spyware <name> rules <name> acon reset-server
set shared profiles spyware <name> rules <name> acon reset-both
set shared profiles spyware <name> rules <name> acon block-ip

PAN-OS CLI Quick Start Version Version 10.1 564 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles spyware <name> rules <name> acon block-ip track-by <source|source-and-
desnaon>
set shared profiles spyware <name> rules <name> acon block-ip duraon <1-3600>
set shared profiles spyware <name> rules <name> packet-capture <disable|single-packet|
extended-capture>
set shared profiles spyware <name> threat-excepon
set shared profiles spyware <name> threat-excepon <name>
set shared profiles spyware <name> threat-excepon <name> packet-capture <disable|single-
packet|extended-capture>
set shared profiles spyware <name> threat-excepon <name> acon
set shared profiles spyware <name> threat-excepon <name> acon default
set shared profiles spyware <name> threat-excepon <name> acon allow
set shared profiles spyware <name> threat-excepon <name> acon alert
set shared profiles spyware <name> threat-excepon <name> acon drop
set shared profiles spyware <name> threat-excepon <name> acon reset-both
set shared profiles spyware <name> threat-excepon <name> acon reset-client
set shared profiles spyware <name> threat-excepon <name> acon reset-server
set shared profiles spyware <name> threat-excepon <name> acon block-ip
set shared profiles spyware <name> threat-excepon <name> acon block-ip track-by <source|
source-and-desnaon>
set shared profiles spyware <name> threat-excepon <name> acon block-ip duraon <1-3600>
set shared profiles spyware <name> threat-excepon <name> exempt-ip
set shared profiles spyware <name> threat-excepon <name> exempt-ip <name>
set shared profiles vulnerability
set shared profiles vulnerability <name>
set shared profiles vulnerability <name> descripon <value>
set shared profiles vulnerability <name> rules
set shared profiles vulnerability <name> rules <name>
set shared profiles vulnerability <name> rules <name> threat-name <value>|<any>
set shared profiles vulnerability <name> rules <name> cve [ <cve1> <cve2>... ]
set shared profiles vulnerability <name> rules <name> host <any|client|server>
set shared profiles vulnerability <name> rules <name> vendor-id [ <vendor-id1> <vendor-id2>... ]
set shared profiles vulnerability <name> rules <name> severity [ <severity1> <severity2>... ]
set shared profiles vulnerability <name> rules <name> category <value>|<any>
set shared profiles vulnerability <name> rules <name> acon

PAN-OS CLI Quick Start Version Version 10.1 565 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles vulnerability <name> rules <name> acon default

set shared profiles vulnerability <name> rules <name> acon allow
set shared profiles vulnerability <name> rules <name> acon alert
set shared profiles vulnerability <name> rules <name> acon drop
set shared profiles vulnerability <name> rules <name> acon reset-client
set shared profiles vulnerability <name> rules <name> acon reset-server
set shared profiles vulnerability <name> rules <name> acon reset-both
set shared profiles vulnerability <name> rules <name> acon block-ip
set shared profiles vulnerability <name> rules <name> acon block-ip track-by <source|source-
and-desnaon>
set shared profiles vulnerability <name> rules <name> acon block-ip duraon <1-3600>
set shared profiles vulnerability <name> rules <name> packet-capture <disable|single-packet|
extended-capture>
set shared profiles vulnerability <name> threat-excepon
set shared profiles vulnerability <name> threat-excepon <name>
set shared profiles vulnerability <name> threat-excepon <name> packet-capture <disable|single-
packet|extended-capture>
set shared profiles vulnerability <name> threat-excepon <name> acon
set shared profiles vulnerability <name> threat-excepon <name> acon default
set shared profiles vulnerability <name> threat-excepon <name> acon allow
set shared profiles vulnerability <name> threat-excepon <name> acon alert
set shared profiles vulnerability <name> threat-excepon <name> acon drop
set shared profiles vulnerability <name> threat-excepon <name> acon reset-client
set shared profiles vulnerability <name> threat-excepon <name> acon reset-server
set shared profiles vulnerability <name> threat-excepon <name> acon reset-both
set shared profiles vulnerability <name> threat-excepon <name> acon block-ip
set shared profiles vulnerability <name> threat-excepon <name> acon block-ip track-by
<source|source-and-desnaon>
set shared profiles vulnerability <name> threat-excepon <name> acon block-ip duraon
<1-3600>
set shared profiles vulnerability <name> threat-excepon <name> me-aribute
set shared profiles vulnerability <name> threat-excepon <name> me-aribute interval
<1-3600>
set shared profiles vulnerability <name> threat-excepon <name> me-aribute threshold
<1-65535>

PAN-OS CLI Quick Start Version Version 10.1 566 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles vulnerability <name> threat-excepon <name> me-aribute track-by <source|
desnaon|source-and-desnaon>
set shared profiles vulnerability <name> threat-excepon <name> exempt-ip
set shared profiles vulnerability <name> threat-excepon <name> exempt-ip <name>
set shared profiles url-filtering
set shared profiles url-filtering <name>
set shared profiles url-filtering <name> descripon <value>
set shared profiles url-filtering <name> allow [ <allow1> <allow2>... ]
set shared profiles url-filtering <name> alert [ <alert1> <alert2>... ]
set shared profiles url-filtering <name> block [ <block1> <block2>... ]
set shared profiles url-filtering <name> connue [ <connue1> <connue2>... ]
set shared profiles url-filtering <name> override [ <override1> <override2>... ]
set shared profiles url-filtering <name> credenal-enforcement
set shared profiles url-filtering <name> credenal-enforcement mode
set shared profiles url-filtering <name> credenal-enforcement mode disabled
set shared profiles url-filtering <name> credenal-enforcement mode ip-user
set shared profiles url-filtering <name> credenal-enforcement mode domain-credenals
set shared profiles url-filtering <name> credenal-enforcement mode group-mapping <value>
set shared profiles url-filtering <name> credenal-enforcement log-severity <value>
set shared profiles url-filtering <name> credenal-enforcement allow [ <allow1> <allow2>... ]
set shared profiles url-filtering <name> credenal-enforcement alert [ <alert1> <alert2>... ]
set shared profiles url-filtering <name> credenal-enforcement block [ <block1> <block2>... ]
set shared profiles url-filtering <name> credenal-enforcement connue [ <connue1>
<connue2>... ]
set shared profiles url-filtering <name> enable-container-page <yes|no>
set shared profiles url-filtering <name> log-container-page-only <yes|no>
set shared profiles url-filtering <name> safe-search-enforcement <yes|no>
set shared profiles url-filtering <name> log-hp-hdr-xff <yes|no>
set shared profiles url-filtering <name> log-hp-hdr-user-agent <yes|no>
set shared profiles url-filtering <name> log-hp-hdr-referer <yes|no>
set shared profiles url-filtering <name> hp-header-inseron
set shared profiles url-filtering <name> hp-header-inseron <name>
set shared profiles url-filtering <name> hp-header-inseron <name> type
set shared profiles url-filtering <name> hp-header-inseron <name> type <name>

PAN-OS CLI Quick Start Version Version 10.1 567 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles url-filtering <name> hp-header-inseron <name> type <name> headers
set shared profiles url-filtering <name> hp-header-inseron <name> type <name> headers
<name>
set shared profiles url-filtering <name> hp-header-inseron <name> type <name> headers
<name> header <value>
set shared profiles url-filtering <name> hp-header-inseron <name> type <name> headers
<name> value <value>
set shared profiles url-filtering <name> hp-header-inseron <name> type <name> headers
<name> log <yes|no>
set shared profiles url-filtering <name> hp-header-inseron <name> type <name> domains
[ <domains1> <domains2>... ]
set shared profiles url-filtering <name> mlav-category-excepon [ <mlav-category-excepon1>
<mlav-category-excepon2>... ]
set shared profiles url-filtering <name> mlav-engine-urlbased-enabled
set shared profiles url-filtering <name> mlav-engine-urlbased-enabled <name>
set shared profiles url-filtering <name> mlav-engine-urlbased-enabled <name> mlav-policy-acon
<block|alert|allow>
set shared profiles file-blocking
set shared profiles file-blocking <name>
set shared profiles file-blocking <name> descripon <value>
set shared profiles file-blocking <name> rules
set shared profiles file-blocking <name> rules <name>
set shared profiles file-blocking <name> rules <name> applicaon [ <applicaon1>
<applicaon2>... ]
set shared profiles file-blocking <name> rules <name> file-type [ <file-type1> <file-type2>... ]
set shared profiles file-blocking <name> rules <name> direcon <upload|download|both>
set shared profiles file-blocking <name> rules <name> acon <alert|block|connue>
set shared profiles wildfire-analysis
set shared profiles wildfire-analysis <name>
set shared profiles wildfire-analysis <name> descripon <value>
set shared profiles wildfire-analysis <name> rules
set shared profiles wildfire-analysis <name> rules <name>
set shared profiles wildfire-analysis <name> rules <name> applicaon [ <applicaon1>
<applicaon2>... ]
set shared profiles wildfire-analysis <name> rules <name> file-type [ <file-type1> <file-type2>... ]
set shared profiles wildfire-analysis <name> rules <name> direcon <upload|download|both>

PAN-OS CLI Quick Start Version Version 10.1 568 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles wildfire-analysis <name> rules <name> analysis <public-cloud|private-cloud>

set shared profiles custom-url-category
set shared profiles custom-url-category <name>
set shared profiles custom-url-category <name> descripon <value>
set shared profiles custom-url-category <name> list [ <list1> <list2>... ]
set shared profiles custom-url-category <name> type <value>
set shared profiles data-objects
set shared profiles data-objects <name>
set shared profiles data-objects <name> descripon <value>
set shared profiles data-objects <name> paern-type
set shared profiles data-objects <name> paern-type predefined
set shared profiles data-objects <name> paern-type predefined paern
set shared profiles data-objects <name> paern-type predefined paern <name>
set shared profiles data-objects <name> paern-type predefined paern <name> file-type [ <file-
type1> <file-type2>... ]
set shared profiles data-objects <name> paern-type regex
set shared profiles data-objects <name> paern-type regex paern
set shared profiles data-objects <name> paern-type regex paern <name>
set shared profiles data-objects <name> paern-type regex paern <name> file-type [ <file-
type1> <file-type2>... ]
set shared profiles data-objects <name> paern-type regex paern <name> regex <value>
set shared profiles data-objects <name> paern-type file-properes
set shared profiles data-objects <name> paern-type file-properes paern
set shared profiles data-objects <name> paern-type file-properes paern <name>
set shared profiles data-objects <name> paern-type file-properes paern <name> file-type
<value>
set shared profiles data-objects <name> paern-type file-properes paern <name> file-property
<value>
set shared profiles data-objects <name> paern-type file-properes paern <name> property-
value <value>
set shared profiles data-filtering
set shared profiles data-filtering <name>
set shared profiles data-filtering <name> descripon <value>
set shared profiles data-filtering <name> data-capture <yes|no>
set shared profiles data-filtering <name> rules

PAN-OS CLI Quick Start Version Version 10.1 569 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles data-filtering <name> rules <name>

set shared profiles data-filtering <name> rules <name> data-object <value>
set shared profiles data-filtering <name> rules <name> applicaon [ <applicaon1>
<applicaon2>... ]
set shared profiles data-filtering <name> rules <name> file-type [ <file-type1> <file-type2>... ]
set shared profiles data-filtering <name> rules <name> direcon <upload|download|both>
set shared profiles data-filtering <name> rules <name> alert-threshold <0-65535>
set shared profiles data-filtering <name> rules <name> block-threshold <0-65535>
set shared profiles data-filtering <name> rules <name> log-severity <value>
set shared profiles hip-profiles
set shared profiles hip-profiles <name>
set shared profiles hip-profiles <name> descripon <value>
set shared profiles hip-profiles <name> match <value>
set shared profiles dos-protecon
set shared profiles dos-protecon <name>
set shared profiles dos-protecon <name> type <aggregate|classified>
set shared profiles dos-protecon <name> descripon <value>
set shared profiles dos-protecon <name> flood
set shared profiles dos-protecon <name> flood tcp-syn
set shared profiles dos-protecon <name> flood tcp-syn enable <yes|no>
set shared profiles dos-protecon <name> flood tcp-syn
set shared profiles dos-protecon <name> flood tcp-syn red
set shared profiles dos-protecon <name> flood tcp-syn red alarm-rate <0-2000000>
set shared profiles dos-protecon <name> flood tcp-syn red acvate-rate <1-2000000>
set shared profiles dos-protecon <name> flood tcp-syn red maximal-rate <1-2000000>
set shared profiles dos-protecon <name> flood tcp-syn red block
set shared profiles dos-protecon <name> flood tcp-syn red block duraon <1-21600>
set shared profiles dos-protecon <name> flood tcp-syn syn-cookies
set shared profiles dos-protecon <name> flood tcp-syn syn-cookies alarm-rate <0-2000000>
set shared profiles dos-protecon <name> flood tcp-syn syn-cookies acvate-rate <0-2000000>
set shared profiles dos-protecon <name> flood tcp-syn syn-cookies maximal-rate <1-2000000>
set shared profiles dos-protecon <name> flood tcp-syn syn-cookies block
set shared profiles dos-protecon <name> flood tcp-syn syn-cookies block duraon <1-21600>
set shared profiles dos-protecon <name> flood udp

PAN-OS CLI Quick Start Version Version 10.1 570 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles dos-protecon <name> flood udp enable <yes|no>

set shared profiles dos-protecon <name> flood udp red
set shared profiles dos-protecon <name> flood udp red alarm-rate <0-2000000>
set shared profiles dos-protecon <name> flood udp red acvate-rate <1-2000000>
set shared profiles dos-protecon <name> flood udp red maximal-rate <1-2000000>
set shared profiles dos-protecon <name> flood udp red block
set shared profiles dos-protecon <name> flood udp red block duraon <1-21600>
set shared profiles dos-protecon <name> flood icmp
set shared profiles dos-protecon <name> flood icmp enable <yes|no>
set shared profiles dos-protecon <name> flood icmp red
set shared profiles dos-protecon <name> flood icmp red alarm-rate <0-2000000>
set shared profiles dos-protecon <name> flood icmp red acvate-rate <1-2000000>
set shared profiles dos-protecon <name> flood icmp red maximal-rate <1-2000000>
set shared profiles dos-protecon <name> flood icmp red block
set shared profiles dos-protecon <name> flood icmp red block duraon <1-21600>
set shared profiles dos-protecon <name> flood icmpv6
set shared profiles dos-protecon <name> flood icmpv6 enable <yes|no>
set shared profiles dos-protecon <name> flood icmpv6 red
set shared profiles dos-protecon <name> flood icmpv6 red alarm-rate <0-2000000>
set shared profiles dos-protecon <name> flood icmpv6 red acvate-rate <1-2000000>
set shared profiles dos-protecon <name> flood icmpv6 red maximal-rate <1-2000000>
set shared profiles dos-protecon <name> flood icmpv6 red block
set shared profiles dos-protecon <name> flood icmpv6 red block duraon <1-21600>
set shared profiles dos-protecon <name> flood other-ip
set shared profiles dos-protecon <name> flood other-ip enable <yes|no>
set shared profiles dos-protecon <name> flood other-ip red
set shared profiles dos-protecon <name> flood other-ip red alarm-rate <0-2000000>
set shared profiles dos-protecon <name> flood other-ip red acvate-rate <1-2000000>
set shared profiles dos-protecon <name> flood other-ip red maximal-rate <1-2000000>
set shared profiles dos-protecon <name> flood other-ip red block
set shared profiles dos-protecon <name> flood other-ip red block duraon <1-21600>
set shared profiles dos-protecon <name> resource
set shared profiles dos-protecon <name> resource sessions

PAN-OS CLI Quick Start Version Version 10.1 571 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles dos-protecon <name> resource sessions enabled <yes|no>

set shared profiles dos-protecon <name> resource sessions max-concurrent-limit <1-4194304>
set shared profiles sdwan-path-quality
set shared profiles sdwan-path-quality <name>
set shared profiles sdwan-path-quality <name> metric
set shared profiles sdwan-path-quality <name> metric latency
set shared profiles sdwan-path-quality <name> metric latency threshold <10-3000>
set shared profiles sdwan-path-quality <name> metric latency sensivity <low|medium|high>
set shared profiles sdwan-path-quality <name> metric pkt-loss
set shared profiles sdwan-path-quality <name> metric pkt-loss threshold <1-100>
set shared profiles sdwan-path-quality <name> metric pkt-loss sensivity <low|medium|high>
set shared profiles sdwan-path-quality <name> metric jier
set shared profiles sdwan-path-quality <name> metric jier threshold <10-2000>
set shared profiles sdwan-path-quality <name> metric jier sensivity <low|medium|high>
set shared profiles sdwan-traffic-distribuon
set shared profiles sdwan-traffic-distribuon <name>
set shared profiles sdwan-traffic-distribuon <name> traffic-distribuon <Best Available Path|Top
Down Priority|Weighted Session Distribuon>
set shared profiles sdwan-traffic-distribuon <name> link-tags
set shared profiles sdwan-traffic-distribuon <name> link-tags <name>
set shared profiles sdwan-traffic-distribuon <name> link-tags <name> weight <0-100>
set shared profiles sdwan-saas-quality
set shared profiles sdwan-saas-quality <name>
set shared profiles sdwan-saas-quality <name> monitor-mode
set shared profiles sdwan-saas-quality <name> monitor-mode
set shared profiles sdwan-saas-quality <name> monitor-mode adapve
set shared profiles sdwan-saas-quality <name> monitor-mode stac-ip
set shared profiles sdwan-saas-quality <name> monitor-mode stac-ip
set shared profiles sdwan-saas-quality <name> monitor-mode stac-ip ip-address
set shared profiles sdwan-saas-quality <name> monitor-mode stac-ip ip-address <name>
set shared profiles sdwan-saas-quality <name> monitor-mode stac-ip ip-address <name> probe-
interval <1-60>
set shared profiles sdwan-saas-quality <name> monitor-mode stac-ip fqdn
set shared profiles sdwan-saas-quality <name> monitor-mode stac-ip fqdn fqdn-name <value>

PAN-OS CLI Quick Start Version Version 10.1 572 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles sdwan-saas-quality <name> monitor-mode stac-ip fqdn probe-interval

<1-60>
set shared profiles sdwan-saas-quality <name> monitor-mode hp-hps
set shared profiles sdwan-saas-quality <name> monitor-mode hp-hps monitored-url <value>
set shared profiles sdwan-saas-quality <name> monitor-mode hp-hps probe-interval <3-60>
set shared profiles sdwan-error-correcon
set shared profiles sdwan-error-correcon <name>
set shared profiles sdwan-error-correcon <name> acvaon-threshold <1-99>
set shared profiles sdwan-error-correcon <name> mode
set shared profiles sdwan-error-correcon <name> mode
set shared profiles sdwan-error-correcon <name> mode forward-error-correcon
set shared profiles sdwan-error-correcon <name> mode forward-error-correcon rao <10%
(20:2)|20% (20:4)|30% (20:6)|40% (20:8)|50% (20:10)>
set shared profiles sdwan-error-correcon <name> mode forward-error-correcon recovery-
duraon <1-5000>
set shared profiles sdwan-error-correcon <name> mode packet-duplicaon
set shared profiles sdwan-error-correcon <name> mode packet-duplicaon recovery-duraon-pd
<1-5000>
set shared profiles decrypon
set shared profiles decrypon <name>
set shared profiles decrypon <name> interface <value>
set shared profiles decrypon <name> forwarded-only <yes|no>
set shared profiles decrypon <name> ssl-forward-proxy
set shared profiles decrypon <name> ssl-forward-proxy block-expired-cerficate <yes|no>
set shared profiles decrypon <name> ssl-forward-proxy block-untrusted-issuer <yes|no>
set shared profiles decrypon <name> ssl-forward-proxy block-tls13-downgrade-no-resource
<yes|no>
set shared profiles decrypon <name> ssl-forward-proxy restrict-cert-exts <yes|no>
set shared profiles decrypon <name> ssl-forward-proxy block-unsupported-version <yes|no>
set shared profiles decrypon <name> ssl-forward-proxy block-unsupported-cipher <yes|no>
set shared profiles decrypon <name> ssl-forward-proxy block-client-cert <yes|no>
set shared profiles decrypon <name> ssl-forward-proxy block-if-no-resource <yes|no>
set shared profiles decrypon <name> ssl-forward-proxy block-if-hsm-unavailable <yes|no>
set shared profiles decrypon <name> ssl-forward-proxy block-unknown-cert <yes|no>
set shared profiles decrypon <name> ssl-forward-proxy block-meout-cert <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 573 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles decrypon <name> ssl-forward-proxy auto-include-altname <yes|no>

set shared profiles decrypon <name> ssl-forward-proxy strip-alpn <yes|no>
set shared profiles decrypon <name> ssl-inbound-proxy
set shared profiles decrypon <name> ssl-inbound-proxy block-unsupported-version <yes|no>
set shared profiles decrypon <name> ssl-inbound-proxy block-unsupported-cipher <yes|no>
set shared profiles decrypon <name> ssl-inbound-proxy block-if-no-resource <yes|no>
set shared profiles decrypon <name> ssl-inbound-proxy block-tls13-downgrade-no-resource
<yes|no>
set shared profiles decrypon <name> ssl-inbound-proxy block-if-hsm-unavailable <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs
set shared profiles decrypon <name> ssl-protocol-sengs min-version <sslv3|tls1-0|tls1-1|
tls1-2|tls1-3>
set shared profiles decrypon <name> ssl-protocol-sengs max-version <sslv3|tls1-0|tls1-1|
tls1-2|tls1-3|max>
set shared profiles decrypon <name> ssl-protocol-sengs keyxchg-algo-rsa <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs keyxchg-algo-dhe <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs keyxchg-algo-ecdhe <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs enc-algo-3des <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs enc-algo-rc4 <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs enc-algo-aes-128-cbc <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs enc-algo-aes-256-cbc <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs enc-algo-aes-128-gcm <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs enc-algo-aes-256-gcm <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs enc-algo-chacha20-poly1305 <yes|
no>
set shared profiles decrypon <name> ssl-protocol-sengs auth-algo-md5 <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs auth-algo-sha1 <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs auth-algo-sha256 <yes|no>
set shared profiles decrypon <name> ssl-protocol-sengs auth-algo-sha384 <yes|no>
set shared profiles decrypon <name> ssl-no-proxy
set shared profiles decrypon <name> ssl-no-proxy block-expired-cerficate <yes|no>
set shared profiles decrypon <name> ssl-no-proxy block-untrusted-issuer <yes|no>
set shared profiles decrypon <name> ssh-proxy
set shared profiles decrypon <name> ssh-proxy block-unsupported-version <yes|no>
set shared profiles decrypon <name> ssh-proxy block-unsupported-alg <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 574 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared profiles decrypon <name> ssh-proxy block-ssh-errors <yes|no>

set shared profiles decrypon <name> ssh-proxy block-if-no-resource <yes|no>
set shared profile-group
set shared profile-group <name>
set shared profile-group <name> virus [ <virus1> <virus2>... ]
set shared profile-group <name> spyware [ <spyware1> <spyware2>... ]
set shared profile-group <name> vulnerability [ <vulnerability1> <vulnerability2>... ]
set shared profile-group <name> url-filtering [ <url-filtering1> <url-filtering2>... ]
set shared profile-group <name> file-blocking [ <file-blocking1> <file-blocking2>... ]
set shared profile-group <name> wildfire-analysis [ <wildfire-analysis1> <wildfire-analysis2>... ]
set shared profile-group <name> data-filtering [ <data-filtering1> <data-filtering2>... ]
set shared schedule
set shared schedule <name>
set shared schedule <name> schedule-type
set shared schedule <name> schedule-type recurring
set shared schedule <name> schedule-type recurring weekly
set shared schedule <name> schedule-type recurring weekly sunday [ <sunday1> <sunday2>... ]
set shared schedule <name> schedule-type recurring weekly monday [ <monday1>
<monday2>... ]
set shared schedule <name> schedule-type recurring weekly tuesday [ <tuesday1> <tuesday2>... ]
set shared schedule <name> schedule-type recurring weekly wednesday [ <wednesday1>
<wednesday2>... ]
set shared schedule <name> schedule-type recurring weekly thursday [ <thursday1>
<thursday2>... ]
set shared schedule <name> schedule-type recurring weekly friday [ <friday1> <friday2>... ]
set shared schedule <name> schedule-type recurring weekly saturday [ <saturday1>
<saturday2>... ]
set shared schedule <name> schedule-type recurring daily [ <daily1> <daily2>... ]
set shared schedule <name> schedule-type non-recurring [ <non-recurring1> <non-recurring2>... ]
set shared threats
set shared threats vulnerability
set shared threats vulnerability <name>
set shared threats vulnerability <name> threatname <value>
set shared threats vulnerability <name> affected-host
set shared threats vulnerability <name> affected-host client <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 575 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared threats vulnerability <name> affected-host server <yes|no>

set shared threats vulnerability <name> comment <value>
set shared threats vulnerability <name> severity <value>
set shared threats vulnerability <name> direcon <value>
set shared threats vulnerability <name> default-acon
set shared threats vulnerability <name> default-acon alert
set shared threats vulnerability <name> default-acon drop
set shared threats vulnerability <name> default-acon reset-client
set shared threats vulnerability <name> default-acon reset-server
set shared threats vulnerability <name> default-acon reset-both
set shared threats vulnerability <name> default-acon block-ip
set shared threats vulnerability <name> default-acon block-ip track-by <source|source-and-
desnaon>
set shared threats vulnerability <name> default-acon block-ip duraon <1-3600>
set shared threats vulnerability <name> default-acon allow
set shared threats vulnerability <name> cve [ <cve1> <cve2>... ]
set shared threats vulnerability <name> bugtraq [ <bugtraq1> <bugtraq2>... ]
set shared threats vulnerability <name> vendor [ <vendor1> <vendor2>... ]
set shared threats vulnerability <name> reference [ <reference1> <reference2>... ]
set shared threats vulnerability <name> signature
set shared threats vulnerability <name> signature standard
set shared threats vulnerability <name> signature standard <name>
set shared threats vulnerability <name> signature standard <name> comment <value>
set shared threats vulnerability <name> signature standard <name> scope <protocol-data-unit|
session>
set shared threats vulnerability <name> signature standard <name> order-free <yes|no>
set shared threats vulnerability <name> signature standard <name> and-condion
set shared threats vulnerability <name> signature standard <name> and-condion <name>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator

PAN-OS CLI Quick Start Version Version 10.1 576 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than context <value>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than value <0-4294967295>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier <name>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier <name> value <1-127>|<value>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to context <value>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to value <0-4294967295>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier <name>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier <name> value <1-127>|<value>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than context <value>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than value <0-4294967295>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier <name>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier <name> value <1-127>|<value>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match context <value>

PAN-OS CLI Quick Start Version Version 10.1 577 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match paern <value>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match negate <yes|no>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier <name>
set shared threats vulnerability <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier <name> value <1-127>|<value>
set shared threats vulnerability <name> signature combinaon
set shared threats vulnerability <name> signature combinaon me-aribute
set shared threats vulnerability <name> signature combinaon me-aribute interval <1-3600>
set shared threats vulnerability <name> signature combinaon me-aribute threshold <1-255>
set shared threats vulnerability <name> signature combinaon me-aribute track-by <source|
desnaon|source-and-desnaon>
set shared threats vulnerability <name> signature combinaon order-free <yes|no>
set shared threats vulnerability <name> signature combinaon and-condion
set shared threats vulnerability <name> signature combinaon and-condion <name>
set shared threats vulnerability <name> signature combinaon and-condion <name> or-
condion
set shared threats vulnerability <name> signature combinaon and-condion <name> or-
condion <name>
set shared threats vulnerability <name> signature combinaon and-condion <name> or-
condion <name> threat-id <value>
set shared threats spyware
set shared threats spyware <name>
set shared threats spyware <name> threatname <value>
set shared threats spyware <name> comment <value>
set shared threats spyware <name> severity <value>
set shared threats spyware <name> direcon <value>
set shared threats spyware <name> default-acon
set shared threats spyware <name> default-acon alert
set shared threats spyware <name> default-acon drop
set shared threats spyware <name> default-acon reset-client
set shared threats spyware <name> default-acon reset-server

PAN-OS CLI Quick Start Version Version 10.1 578 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared threats spyware <name> default-acon reset-both

set shared threats spyware <name> default-acon block-ip
set shared threats spyware <name> default-acon block-ip track-by <source|source-and-
desnaon>
set shared threats spyware <name> default-acon block-ip duraon <1-3600>
set shared threats spyware <name> default-acon allow
set shared threats spyware <name> cve [ <cve1> <cve2>... ]
set shared threats spyware <name> bugtraq [ <bugtraq1> <bugtraq2>... ]
set shared threats spyware <name> vendor [ <vendor1> <vendor2>... ]
set shared threats spyware <name> reference [ <reference1> <reference2>... ]
set shared threats spyware <name> signature
set shared threats spyware <name> signature standard
set shared threats spyware <name> signature standard <name>
set shared threats spyware <name> signature standard <name> comment <value>
set shared threats spyware <name> signature standard <name> scope <protocol-data-unit|
session>
set shared threats spyware <name> signature standard <name> order-free <yes|no>
set shared threats spyware <name> signature standard <name> and-condion
set shared threats spyware <name> signature standard <name> and-condion <name>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than value <0-4294967295>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than context <value>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier <name>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier <name> value <1-127>|<value>

PAN-OS CLI Quick Start Version Version 10.1 579 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to value <0-4294967295>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to context <value>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier <name>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier <name> value <1-127>|<value>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than value <0-4294967295>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than context <value>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier <name>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier <name> value <1-127>|<value>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match context <value>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match paern <value>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match negate <yes|no>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier <name>
set shared threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier <name> value <1-127>|<value>
set shared threats spyware <name> signature combinaon
set shared threats spyware <name> signature combinaon me-aribute

PAN-OS CLI Quick Start Version Version 10.1 580 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared threats spyware <name> signature combinaon me-aribute interval <1-3600>
set shared threats spyware <name> signature combinaon me-aribute threshold <1-255>
set shared threats spyware <name> signature combinaon me-aribute track-by <source|
desnaon|source-and-desnaon>
set shared threats spyware <name> signature combinaon order-free <yes|no>
set shared threats spyware <name> signature combinaon and-condion
set shared threats spyware <name> signature combinaon and-condion <name>
set shared threats spyware <name> signature combinaon and-condion <name> or-condion
set shared threats spyware <name> signature combinaon and-condion <name> or-condion
<name>
set shared threats spyware <name> signature combinaon and-condion <name> or-condion
<name> threat-id <value>
set shared external-list
set shared external-list <name>
set shared external-list <name> type
set shared external-list <name> type predefined-ip
set shared external-list <name> type predefined-ip excepon-list [ <excepon-list1> <excepon-
list2>... ]
set shared external-list <name> type predefined-ip descripon <value>
set shared external-list <name> type predefined-ip url <value>
set shared external-list <name> type predefined-url
set shared external-list <name> type predefined-url excepon-list [ <excepon-list1> <excepon-
list2>... ]
set shared external-list <name> type predefined-url descripon <value>
set shared external-list <name> type predefined-url url <value>
set shared external-list <name> type ip
set shared external-list <name> type ip excepon-list [ <excepon-list1> <excepon-list2>... ]
set shared external-list <name> type ip descripon <value>
set shared external-list <name> type ip url <value>
set shared external-list <name> type ip cerficate-profile <value>|<None>
set shared external-list <name> type ip auth
set shared external-list <name> type ip auth username <value>
set shared external-list <name> type ip auth password <value>
set shared external-list <name> type ip recurring
set shared external-list <name> type ip recurring

PAN-OS CLI Quick Start Version Version 10.1 581 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared external-list <name> type ip recurring five-minute

set shared external-list <name> type ip recurring hourly
set shared external-list <name> type ip recurring daily
set shared external-list <name> type ip recurring daily at <value>
set shared external-list <name> type ip recurring weekly
set shared external-list <name> type ip recurring weekly day-of-week <sunday|monday|tuesday|
wednesday|thursday|friday|saturday>
set shared external-list <name> type ip recurring weekly at <value>
set shared external-list <name> type ip recurring monthly
set shared external-list <name> type ip recurring monthly day-of-month <1-31>
set shared external-list <name> type ip recurring monthly at <value>
set shared external-list <name> type domain
set shared external-list <name> type domain excepon-list [ <excepon-list1> <excepon-
list2>... ]
set shared external-list <name> type domain descripon <value>
set shared external-list <name> type domain url <value>
set shared external-list <name> type domain cerficate-profile <value>|<None>
set shared external-list <name> type domain auth
set shared external-list <name> type domain auth username <value>
set shared external-list <name> type domain auth password <value>
set shared external-list <name> type domain recurring
set shared external-list <name> type domain recurring
set shared external-list <name> type domain recurring hourly
set shared external-list <name> type domain recurring five-minute
set shared external-list <name> type domain recurring daily
set shared external-list <name> type domain recurring daily at <value>
set shared external-list <name> type domain recurring weekly
set shared external-list <name> type domain recurring weekly day-of-week <sunday|monday|
tuesday|wednesday|thursday|friday|saturday>
set shared external-list <name> type domain recurring weekly at <value>
set shared external-list <name> type domain recurring monthly
set shared external-list <name> type domain recurring monthly day-of-month <1-31>
set shared external-list <name> type domain recurring monthly at <value>
set shared external-list <name> type domain expand-domain <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 582 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared external-list <name> type url

set shared external-list <name> type url excepon-list [ <excepon-list1> <excepon-list2>... ]
set shared external-list <name> type url descripon <value>
set shared external-list <name> type url url <value>
set shared external-list <name> type url cerficate-profile <value>|<None>
set shared external-list <name> type url auth
set shared external-list <name> type url auth username <value>
set shared external-list <name> type url auth password <value>
set shared external-list <name> type url recurring
set shared external-list <name> type url recurring
set shared external-list <name> type url recurring hourly
set shared external-list <name> type url recurring five-minute
set shared external-list <name> type url recurring daily
set shared external-list <name> type url recurring daily at <value>
set shared external-list <name> type url recurring weekly
set shared external-list <name> type url recurring weekly day-of-week <sunday|monday|tuesday|
wednesday|thursday|friday|saturday>
set shared external-list <name> type url recurring weekly at <value>
set shared external-list <name> type url recurring monthly
set shared external-list <name> type url recurring monthly day-of-month <1-31>
set shared external-list <name> type url recurring monthly at <value>
set shared tag
set shared tag <name>
set shared tag <name> color <color1|color2|color3|color4|color5|color6|color7|color8|color9|
color10|color11|color12|color13|color14|color15|color16|color17|color19|color20|color21|
color22|color23|color24|color25|color26|color27|color28|color29|color30|color31|color32|
color33|color34|color35|color36|color37|color38|color39|color40|color41|color42>
set shared tag <name> comments <value>
set shared authencaon-object
set shared authencaon-object <name>
set shared authencaon-object <name> authencaon-method <web-form|no-capve-portal|
browser-challenge>
set shared authencaon-object <name> authencaon-profile <value>
set shared authencaon-object <name> message <value>
set shared global-protect

PAN-OS CLI Quick Start Version Version 10.1 583 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared global-protect clientless-app

set shared global-protect clientless-app <name>
set shared global-protect clientless-app <name> applicaon-home-url <value>
set shared global-protect clientless-app <name> descripon <value>
set shared global-protect clientless-app <name> app-icon <value>
set shared global-protect clientless-app-group
set shared global-protect clientless-app-group <name>
set shared global-protect clientless-app-group <name> members [ <members1> <members2>... ]
set shared reports
set shared reports <name>
set shared reports <name> descripon <value>
set shared reports <name> disabled <yes|no>
set shared reports <name> query <value>
set shared reports <name> capon <value>
set shared reports <name> frequency <daily>
set shared reports <name> start-me <value>
set shared reports <name> end-me <value>
set shared reports <name> period <last-15-minutes|last-hour|last-6-hrs|last-12-hrs|last-24-
hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendar-week|last-30-days|last-30-
calendar-days|last-60-days|last-60-calendar-days|last-90-days|last-90-calendar-days|last-
calendar-month>
set shared reports <name> topn <1-10000>
set shared reports <name> topm <1-50>
set shared reports <name> type
set shared reports <name> type appstat
set shared reports <name> type appstat aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type appstat group-by <serial|vsys_name|device_name|vsys|name|risk|
day-of-receive_me|hour-of-receive_me|quarter-hour-of-receive_me|subcategory-of-name|
category-of-name|risk-of-name|container-of-name|technology-of-name>
set shared reports <name> type appstat values [ <values1> <values2>... ]
set shared reports <name> type appstat labels [ <labels1> <labels2>... ]
set shared reports <name> type appstat sortby <nbytes|nsess|npkts|nthreats>
set shared reports <name> type decrypon
set shared reports <name> type decrypon aggregate-by [ <aggregate-by1> <aggregate-by2>... ]

PAN-OS CLI Quick Start Version Version 10.1 584 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared reports <name> type decrypon group-by <serial|me_generated|src|dst|natsrc|

natdst|rule|srcuser|dstuser|srcloc|dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|
natsport|natdport|proto|acon|tunnel|rule_uuid|s_encrypted|category-of-app|subcategory-
of-app|technology-of-app|container-of-app|risk-of-app|vsys_name|device_name|tls_version|
tls_keyxchg|tls_enc|tls_auth|ec_curve|err_index|root_status|proxy_type|policy_name|cn|issuer_cn|
root_cn|sni|error|src_dag|dst_dag|src_edl|dst_edl|container_id|pod_namespace|pod_name|
src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|
dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|day-
of-receive_me|hour-of-receive_me|quarter-hour-of-receive_me>
set shared reports <name> type decrypon values [ <values1> <values2>... ]
set shared reports <name> type decrypon labels [ <labels1> <labels2>... ]
set shared reports <name> type decrypon sortby <repeatcnt|nunique-of-src_profile|nunique-of-
dst_profile>
set shared reports <name> type desum
set shared reports <name> type desum aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type desum group-by <serial|me_generated|vsys_name|device_name|
category-of-app|subcategory-of-app|technology-of-app|container-of-app|risk-of-app|app|src|
dst|srcuser|dstuser|vsys|tls_version|tls_keyxchg|tls_enc|tls_auth|sni|error|err_index|src_edl|
dst_edl|container_id|pod_namespace|pod_name|src_category|src_profile|src_model|src_vendor|
src_osfamily|src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|dst_vendor|
dst_osfamily|dst_osversion|dst_host|dst_mac|src_dag|dst_dag|day-of-receive_me|hour-of-
receive_me|quarter-hour-of-receive_me>
set shared reports <name> type desum values [ <values1> <values2>... ]
set shared reports <name> type desum labels [ <labels1> <labels2>... ]
set shared reports <name> type desum sortby <repeatcnt|nunique-of-src_profile|nunique-of-
dst_profile>
set shared reports <name> type threat
set shared reports <name> type threat aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type threat group-by <serial|me_generated|src|dst|natsrc|natdst|
rule|srcuser|dstuser|srcloc|dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|natsport|
natdport|proto|acon|tunnel|rule_uuid|s_encrypted|category-of-app|subcategory-of-app|
technology-of-app|container-of-app|risk-of-app|vsys_name|device_name|parent_session_id|
parent_start_me|thread|category|severity|direcon|hp_method|nssai_sst|filedigest|filetype|
hp2_connecon|xff_ip|threat_name|src_edl|dst_edl|dynusergroup_name|hosd|paral_hash|
src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|
dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|
container_id|pod_namespace|pod_name|misc|src_dag|dst_dag|day-of-receive_me|hour-of-
receive_me|quarter-hour-of-receive_me|pbf-s2c|pbf-c2s|flag-nat|flag-pcap|subtype|transacon|
capve-portal|flag-proxy|non-std-dport|tunnelid|monitortag|users|category-of-thread|threat-
type>
set shared reports <name> type threat values [ <values1> <values2>... ]
set shared reports <name> type threat labels [ <labels1> <labels2>... ]

PAN-OS CLI Quick Start Version Version 10.1 585 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared reports <name> type threat sortby <repeatcnt|nunique-of-users|nunique-of-src_profile|

nunique-of-dst_profile>
set shared reports <name> type url
set shared reports <name> type url aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type url group-by <acon|app|category|category-of-app|direcon|
dport|dst|dstuser|from|inbound_if|misc|hp_headers|natdport|natdst|natsport|natsrc|outbound_if|
proto|risk-of-app|rule|rule_uuid|severity|sport|src|srcuser|subcategory-of-app|technology-of-
app|container-of-app|to|dstloc|srcloc|vsys|quarter-hour-of-receive_me|hour-of-receive_me|
day-of-receive_me|contenype|user_agent|device_name|vsys_name|url|tunnelid|monitortag|
parent_session_id|parent_start_me|hp2_connecon|tunnel|hp_method|url_category_list|xff_ip|
container_id|pod_namespace|pod_name|src_dag|dst_dag|src_edl|dst_edl|src_category|src_profile|
src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|dst_category|dst_profile|
dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac>
set shared reports <name> type url values [ <values1> <values2>... ]
set shared reports <name> type url labels [ <labels1> <labels2>... ]
set shared reports <name> type url sortby <repeatcnt|nunique-of-users>
set shared reports <name> type wildfire
set shared reports <name> type wildfire aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type wildfire group-by <app|category|category-of-app|dport|dst|
dstuser|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|
rule_uuid|sport|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|dstloc|
srcloc|vsys|quarter-hour-of-receive_me|hour-of-receive_me|day-of-receive_me|vsys_name|
device_name|filetype|filename|filedigest|tunnelid|monitortag|parent_session_id|parent_start_me|
hp2_connecon|tunnel|xff_ip|src_dag|dst_dag|src_edl|dst_edl>
set shared reports <name> type wildfire values [ <values1> <values2>... ]
set shared reports <name> type wildfire labels [ <labels1> <labels2>... ]
set shared reports <name> type wildfire sortby <repeatcnt|nunique-of-users>
set shared reports <name> type data
set shared reports <name> type data aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type data group-by <acon|app|category-of-app|direcon|dport|dst|
dstuser|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|
rule_uuid|severity|sport|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-
of-app|thread|to|dstloc|srcloc|vsys|quarter-hour-of-receive_me|hour-of-receive_me|day-of-
receive_me|vsys_name|device_name|data-type|filename|tunnelid|monitortag|parent_session_id|
parent_start_me|hp2_connecon|tunnel|xff_ip|src_dag|dst_dag|src_edl|dst_edl|src_category|
src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|dst_category|
dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac>
set shared reports <name> type data values [ <values1> <values2>... ]
set shared reports <name> type data labels [ <labels1> <labels2>... ]
set shared reports <name> type data sortby <repeatcnt|nunique-of-users>

PAN-OS CLI Quick Start Version Version 10.1 586 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared reports <name> type thsum

set shared reports <name> type thsum aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type thsum group-by <serial|me_generated|vsys_name|device_name|
app|src|dst|rule|thread|srcuser|dstuser|srcloc|dstloc|xff_ip|vsys|from|to|dev_serial|dport|acon|
severity|inbound_if|outbound_if|category|category-of-app|subcategory-of-app|technology-of-
app|container-of-app|risk-of-app|parent_session_id|parent_start_me|tunnel|direcon|assoc_id|
ppid|hp2_connecon|rule_uuid|threat_name|src_edl|dst_edl|hosd|dynusergroup_name|
nssai_sst|src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|
src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|
dst_mac|container_id|pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_me|hour-of-
receive_me|quarter-hour-of-receive_me|subtype|tunnelid|monitortag|category-of-thread|
threat-type>
set shared reports <name> type thsum values [ <values1> <values2>... ]
set shared reports <name> type thsum labels [ <labels1> <labels2>... ]
set shared reports <name> type thsum sortby <sessions|count|nunique-of-apps|nunique-of-users|
nunique-of-src_profile|nunique-of-dst_profile>
set shared reports <name> type traffic
set shared reports <name> type traffic aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type traffic group-by <serial|me_generated|src|dst|natsrc|
natdst|rule|srcuser|dstuser|srcloc|dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|
dport|natsport|natdport|proto|acon|tunnel|rule_uuid|s_encrypted|category-of-app|
subcategory-of-app|technology-of-app|container-of-app|risk-of-app|vsys_name|device_name|
parent_session_id|parent_start_me|category|session_end_reason|acon_source|nssai_sst|
nssai_sd|hp2_connecon|xff_ip|dynusergroup_name|src_edl|dst_edl|hosd|session_owner|
policy_id|offloaded|src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|
src_host|src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|
dst_host|dst_mac|container_id|pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_me|
hour-of-receive_me|quarter-hour-of-receive_me|pbf-s2c|pbf-c2s|decrypt-mirror|threat-type|
flag-nat|flag-pcap|capve-portal|flag-proxy|non-std-dport|transacon|sym-return|sessionid|flag-
decrypt-fwd|tunnelid|monitortag>
set shared reports <name> type traffic values [ <values1> <values2>... ]
set shared reports <name> type traffic labels [ <labels1> <labels2>... ]
set shared reports <name> type traffic sortby <repeatcnt|bytes|bytes_sent|bytes_received|packets|
pkts_sent|pkts_received|chunks|chunks_sent|chunks_received|nunique-of-users|elapsed|nunique-
of-src_profile|nunique-of-dst_profile>
set shared reports <name> type urlsum
set shared reports <name> type urlsum aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type urlsum group-by <serial|me_generated|vsys_name|device_name|
app|category|src|dst|rule|srcuser|dstuser|srcloc|dstloc|vsys|from|to|dev_serial|inbound_if|
outbound_if|dport|acon|tunnel|url_domain|user_agent|hp_method|hp2_connecon|category-
of-app|subcategory-of-app|technology-of-app|container-of-app|risk-of-app|parent_session_id|
parent_start_me|rule_uuid|xff_ip|src_edl|dst_edl|hosd|dynusergroup_name|nssai_sst|
src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|

PAN-OS CLI Quick Start Version Version 10.1 587 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|
container_id|pod_namespace|pod_name|url_category_list|src_dag|dst_dag|day-of-receive_me|
hour-of-receive_me|quarter-hour-of-receive_me|tunnelid|monitortag>
set shared reports <name> type urlsum values [ <values1> <values2>... ]
set shared reports <name> type urlsum labels [ <labels1> <labels2>... ]
set shared reports <name> type urlsum sortby <repeatcnt|nunique-of-users|nunique-of-
src_profile|nunique-of-dst_profile>
set shared reports <name> type trsum
set shared reports <name> type trsum aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type trsum group-by <serial|me_generated|vsys_name|device_name|
app|src|dst|xff_ip|rule|srcuser|dstuser|srcloc|dstloc|category|vsys|from|to|dev_serial|dport|acon|
tunnel|inbound_if|outbound_if|category-of-app|subcategory-of-app|technology-of-app|container-
of-app|risk-of-app|parent_session_id|parent_start_me|assoc_id|hp2_connecon|rule_uuid|
src_edl|dst_edl|dynusergroup_name|s_decrypted|s_encrypted|hosd|nssai_sst|src_category|
src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|dst_category|
dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|container_id|
pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_me|hour-of-receive_me|quarter-
hour-of-receive_me|tunnelid|monitortag|standard-ports-of-app>
set shared reports <name> type trsum values [ <values1> <values2>... ]
set shared reports <name> type trsum labels [ <labels1> <labels2>... ]
set shared reports <name> type trsum sortby <bytes|sessions|bytes_sent|bytes_received|nthreats|
nrans|ndpmatches|nurlcount|chunks|chunks_sent|chunks_received|ncontent|nunique-of-apps|
nunique-of-users|nunique-of-src_profile|nunique-of-dst_profile>
set shared reports <name> type tunnel
set shared reports <name> type tunnel aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type tunnel group-by <acon|app|category-of-app|dport|dst|dstuser|
from|inbound_if|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|rule|rule_uuid|
sessionid|sport|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|dstloc|
srcloc|vsys|quarter-hour-of-receive_me|hour-of-receive_me|day-of-receive_me|vsys_name|
device_name|tunnelid|monitortag|parent_session_id|parent_start_me|session_end_reason|
acon_source|tunnel|tunnel_insp_rule|src_dag|dst_dag|src_edl|dst_edl>
set shared reports <name> type tunnel values [ <values1> <values2>... ]
set shared reports <name> type tunnel labels [ <labels1> <labels2>... ]
set shared reports <name> type tunnel sortby <repeatcnt|bytes|bytes_sent|bytes_received|
packets|pkts_sent|pkts_received|max_encap|unknown_proto|strict_check|tunnel_fragment|
sessions_created|sessions_closed|nunique-of-users>
set shared reports <name> type tunnelsum
set shared reports <name> type tunnelsum aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type tunnelsum group-by <acon|app|category-of-app|dst|risk-of-
app|rule|rule_uuid|src|subcategory-of-app|technology-of-app|container-of-app|dstloc|srcloc|
vsys|quarter-hour-of-receive_me|hour-of-receive_me|day-of-receive_me|serial|vsys_name|

PAN-OS CLI Quick Start Version Version 10.1 588 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

device_name|tunnelid|monitortag|parent_session_id|parent_start_me|tunnel|tunnel_insp_rule|
src_dag|dst_dag|src_edl|dst_edl>
set shared reports <name> type tunnelsum values [ <values1> <values2>... ]
set shared reports <name> type tunnelsum labels [ <labels1> <labels2>... ]
set shared reports <name> type tunnelsum sortby <repeatcnt|bytes|bytes_sent|bytes_received>
set shared reports <name> type userid
set shared reports <name> type userid aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type userid group-by <serial|me_generated|vsys_name|device_name|
vsys|ip|user|datasourcename|beginport|endport|datasource|datasourcetype|factortype|
factorcompleonme|factorno|tag_name|day-of-receive_me|hour-of-receive_me|quarter-hour-
of-receive_me|subtype>
set shared reports <name> type userid values [ <values1> <values2>... ]
set shared reports <name> type userid labels [ <labels1> <labels2>... ]
set shared reports <name> type userid sortby <repeatcnt|factortype|factorcompleonme>
set shared reports <name> type auth
set shared reports <name> type auth aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type auth group-by <serial|me_generated|vsys_name|device_name|
vsys|ip|user|normalize_user|object|authpolicy|authid|vendor|clienype|event|factorno|authproto|
rule_uuid|src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|
src_mac|day-of-receive_me|hour-of-receive_me|quarter-hour-of-receive_me|serverprofile|
desc>
set shared reports <name> type auth values [ <values1> <values2>... ]
set shared reports <name> type auth labels [ <labels1> <labels2>... ]
set shared reports <name> type auth sortby <repeatcnt|me_generated|vendor>
set shared reports <name> type iptag
set shared reports <name> type iptag aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type iptag group-by <serial|me_generated|vsys_name|device_name|
vsys|ip|tag_name|event_id|datasourcename|datasource_type|datasource_subtype|day-of-
receive_me|hour-of-receive_me|quarter-hour-of-receive_me>
set shared reports <name> type iptag values [ <values1> <values2>... ]
set shared reports <name> type iptag labels [ <labels1> <labels2>... ]
set shared reports <name> type iptag sortby <repeatcnt|me_generated>
set shared reports <name> type hipmatch
set shared reports <name> type hipmatch aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set shared reports <name> type hipmatch group-by <serial|me_generated|vsys_name|
device_name|srcuser|vsys|machinename|src|matchname|os|matchtype|srcipv6|hosd|mac|day-of-
receive_me|hour-of-receive_me|quarter-hour-of-receive_me>

PAN-OS CLI Quick Start Version Version 10.1 589 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared reports <name> type hipmatch values [ <values1> <values2>... ]

set shared reports <name> type hipmatch labels [ <labels1> <labels2>... ]
set shared reports <name> type hipmatch sortby <repeatcnt>
set shared reports <name> type hipmatch last-match-by <>
set shared reports <name> type globalprotect
set shared reports <name> type globalprotect aggregate-by [ <aggregate-by1> <aggregate-
by2>... ]
set shared reports <name> type globalprotect group-by <serial|me_generated|vsys_name|
device_name|vsys|evend|status|stage|auth_method|tunnel_type|portal|srcuser|srcregion|
machinename|public_ip|public_ipv6|private_ip|private_ipv6|hosd|serialnumber|client_ver|
client_os|client_os_ver|login_duraon|connect_method|reason|error_code|error|opaque|gateway|
selecon_type|response_me|priority|aempted_gateways|day-of-receive_me|hour-of-
receive_me|quarter-hour-of-receive_me>
set shared reports <name> type globalprotect values [ <values1> <values2>... ]
set shared reports <name> type globalprotect labels [ <labels1> <labels2>... ]
set shared reports <name> type globalprotect sortby <repeatcnt|nunique-of-ips|nunique-of-
gateways|nunique-of-users|nunique-of-hosd>
set shared report-group
set shared report-group <name>
set shared report-group <name> tle-page <yes|no>
set shared report-group <name>
set shared report-group <name> predefined <user-acvity-report|saas-applicaon-usage-report>
set shared report-group <name> custom-widget
set shared report-group <name> custom-widget <name>
set shared report-group <name> custom-widget <name>
set shared report-group <name> custom-widget <name> predefined-report <value>
set shared report-group <name> custom-widget <name> custom-report <value>
set shared report-group <name> custom-widget <name> pdf-summary-report <value>
set shared report-group <name> custom-widget <name> log-view <value>
set shared report-group <name> custom-widget <name> csv <value>
set shared report-group <name>
set shared report-group <name> all
set shared report-group <name> all entry
set shared report-group <name> all entry include-user-groups-info <yes|no>
set shared report-group <name> all entry user-groups [ <user-groups1> <user-groups2>... ]
set shared report-group <name> selected-zone

PAN-OS CLI Quick Start Version Version 10.1 590 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared report-group <name> selected-zone entry

set shared report-group <name> selected-zone entry include-user-groups-info <yes|no>
set shared report-group <name> selected-zone entry user-groups [ <user-groups1> <user-
groups2>... ]
set shared report-group <name> selected-zone entry zone <value>
set shared report-group <name> selected-user-group
set shared report-group <name> selected-user-group entry
set shared report-group <name> selected-user-group entry user-group <value>
set shared report-group <name> variable
set shared report-group <name> variable <name>
set shared report-group <name> variable <name> value <value>
set shared pdf-summary-report
set shared pdf-summary-report <name>
set shared pdf-summary-report <name> header
set shared pdf-summary-report <name> header capon <value>
set shared pdf-summary-report <name> footer
set shared pdf-summary-report <name> footer note <value>
set shared pdf-summary-report <name> predefined-widget
set shared pdf-summary-report <name> predefined-widget <name>
set shared pdf-summary-report <name> predefined-widget <name> chart-type <pie|line|bar|
table>
set shared pdf-summary-report <name> predefined-widget <name> row <1-6>
set shared pdf-summary-report <name> predefined-widget <name> column <1-3>
set shared pdf-summary-report <name> custom-widget
set shared pdf-summary-report <name> custom-widget <name>
set shared pdf-summary-report <name> custom-widget <name> chart-type <pie|line|bar|table>
set shared pdf-summary-report <name> custom-widget <name> row <1-6>
set shared pdf-summary-report <name> custom-widget <name> column <1-3>
set shared email-scheduler
set shared email-scheduler <name>
set shared email-scheduler <name> report-group <value>
set shared email-scheduler <name> email-profile <value>
set shared email-scheduler <name> recipient-emails <value>
set shared email-scheduler <name> recurring

PAN-OS CLI Quick Start Version Version 10.1 591 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared email-scheduler <name> recurring disabled

set shared email-scheduler <name> recurring daily
set shared email-scheduler <name> recurring weekly <sunday|monday|tuesday|wednesday|
thursday|friday|saturday>
set shared email-scheduler <name> recurring monthly <1-31>
set shared botnet
set shared botnet configuraon
set shared botnet configuraon hp
set shared botnet configuraon hp malware-sites
set shared botnet configuraon hp malware-sites enabled <yes|no>
set shared botnet configuraon hp malware-sites threshold <2-1000>
set shared botnet configuraon hp dynamic-dns
set shared botnet configuraon hp dynamic-dns enabled <yes|no>
set shared botnet configuraon hp dynamic-dns threshold <2-1000>
set shared botnet configuraon hp ip-domains
set shared botnet configuraon hp ip-domains enabled <yes|no>
set shared botnet configuraon hp ip-domains threshold <2-1000>
set shared botnet configuraon hp recent-domains
set shared botnet configuraon hp recent-domains enabled <yes|no>
set shared botnet configuraon hp recent-domains threshold <2-1000>
set shared botnet configuraon hp executables-from-unknown-sites
set shared botnet configuraon hp executables-from-unknown-sites enabled <yes|no>
set shared botnet configuraon hp executables-from-unknown-sites threshold <2-1000>
set shared botnet configuraon unknown-applicaons
set shared botnet configuraon unknown-applicaons unknown-tcp
set shared botnet configuraon unknown-applicaons unknown-tcp sessions-per-hour <1-3600>
set shared botnet configuraon unknown-applicaons unknown-tcp desnaons-per-hour
<1-3600>
set shared botnet configuraon unknown-applicaons unknown-tcp session-length
set shared botnet configuraon unknown-applicaons unknown-tcp session-length minimum-
bytes <1-200>
set shared botnet configuraon unknown-applicaons unknown-tcp session-length maximum-
bytes <1-200>
set shared botnet configuraon unknown-applicaons unknown-udp
set shared botnet configuraon unknown-applicaons unknown-udp sessions-per-hour <1-3600>

PAN-OS CLI Quick Start Version Version 10.1 592 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared botnet configuraon unknown-applicaons unknown-udp desnaons-per-hour

<1-3600>
set shared botnet configuraon unknown-applicaons unknown-udp session-length
set shared botnet configuraon unknown-applicaons unknown-udp session-length minimum-
bytes <1-200>
set shared botnet configuraon unknown-applicaons unknown-udp session-length maximum-
bytes <1-200>
set shared botnet configuraon other-applicaons
set shared botnet configuraon other-applicaons irc <yes|no>
set shared botnet report
set shared botnet report scheduled <yes|no>
set shared botnet report topn <1-500>
set shared botnet report query <value>
set shared override
set shared override applicaon
set shared override applicaon <name>
set shared override applicaon <name> meout <0-604800>
set shared override applicaon <name> tcp-meout <0-604800>
set shared override applicaon <name> tcp-half-closed-meout <1-604800>
set shared override applicaon <name> tcp-me-wait-meout <1-600>
set shared override applicaon <name> udp-meout <0-604800>
set shared override applicaon <name> risk <1-5>
set shared override applicaon <name> no-appid-caching <yes|no>
set shared alg-override
set shared alg-override applicaon
set shared alg-override applicaon <name>
set shared alg-override applicaon <name> alg-disabled <yes|no>
set shared authencaon-profile
set shared authencaon-profile <name>
set shared authencaon-profile <name> username-modifier <value>|<validate>|<%USERINPUT
%|%USERINPUT%@%USERDOMAIN%|%USERDOMAIN%\%USERINPUT%>
set shared authencaon-profile <name> user-domain <value>
set shared authencaon-profile <name> single-sign-on
set shared authencaon-profile <name> single-sign-on realm <value>
set shared authencaon-profile <name> single-sign-on service-principal <value>

PAN-OS CLI Quick Start Version Version 10.1 593 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared authencaon-profile <name> single-sign-on kerberos-keytab <value>

set shared authencaon-profile <name> single-sign-on kerberos-keytab <value>
set shared authencaon-profile <name> lockout
set shared authencaon-profile <name> lockout failed-aempts <0-10>
set shared authencaon-profile <name> lockout lockout-me <0-60>
set shared authencaon-profile <name> allow-list [ <allow-list1> <allow-list2>... ]
set shared authencaon-profile <name> method
set shared authencaon-profile <name> method none
set shared authencaon-profile <name> method cloud
set shared authencaon-profile <name> method cloud region
set shared authencaon-profile <name> method cloud region region_id <value>
set shared authencaon-profile <name> method cloud region tenant
set shared authencaon-profile <name> method cloud region tenant tenant_id <value>
set shared authencaon-profile <name> method cloud region tenant profile
set shared authencaon-profile <name> method cloud region tenant profile profile_id <value>
set shared authencaon-profile <name> method cloud region tenant profile mfa
set shared authencaon-profile <name> method cloud region tenant profile mfa force-mfa
<value>
set shared authencaon-profile <name> method cloud clock-skew <1-900>
set shared authencaon-profile <name> method local-database
set shared authencaon-profile <name> method radius
set shared authencaon-profile <name> method radius server-profile <value>
set shared authencaon-profile <name> method radius checkgroup <yes|no>
set shared authencaon-profile <name> method ldap
set shared authencaon-profile <name> method ldap server-profile <value>
set shared authencaon-profile <name> method ldap login-aribute <value>
set shared authencaon-profile <name> method ldap passwd-exp-days <0-255>
set shared authencaon-profile <name> method kerberos
set shared authencaon-profile <name> method kerberos server-profile <value>
set shared authencaon-profile <name> method kerberos realm <value>
set shared authencaon-profile <name> method tacplus
set shared authencaon-profile <name> method tacplus server-profile <value>
set shared authencaon-profile <name> method tacplus checkgroup <yes|no>
set shared authencaon-profile <name> method saml-idp

PAN-OS CLI Quick Start Version Version 10.1 594 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared authencaon-profile <name> method saml-idp server-profile <value>

set shared authencaon-profile <name> method saml-idp enable-single-logout <yes|no>
set shared authencaon-profile <name> method saml-idp request-signing-cerficate <value>
set shared authencaon-profile <name> method saml-idp cerficate-profile <value>
set shared authencaon-profile <name> method saml-idp aribute-name-username <value>
set shared authencaon-profile <name> method saml-idp aribute-name-usergroup <value>
set shared authencaon-profile <name> method saml-idp aribute-name-admin-role <value>
set shared authencaon-profile <name> method saml-idp aribute-name-access-domain
<value>
set shared authencaon-profile <name> mul-factor-auth
set shared authencaon-profile <name> mul-factor-auth mfa-enable <yes|no>
set shared authencaon-profile <name> mul-factor-auth factors [ <factors1> <factors2>... ]
set shared authencaon-sequence
set shared authencaon-sequence <name>
set shared authencaon-sequence <name> use-domain-find-profile <yes|no>
set shared authencaon-sequence <name> authencaon-profiles [ <authencaon-profiles1>
<authencaon-profiles2>... ]
set shared cerficate-profile
set shared cerficate-profile <name>
set shared cerficate-profile <name> username-field
set shared cerficate-profile <name> username-field subject <common-name>
set shared cerficate-profile <name> username-field subject-alt <email|principal-name>
set shared cerficate-profile <name> domain <value>
set shared cerficate-profile <name> CA
set shared cerficate-profile <name> CA <name>
set shared cerficate-profile <name> CA <name> default-ocsp-url <value>
set shared cerficate-profile <name> CA <name> ocsp-verify-cert <value>
set shared cerficate-profile <name> CA <name> template-name <value>
set shared cerficate-profile <name> use-crl <yes|no>
set shared cerficate-profile <name> use-ocsp <yes|no>
set shared cerficate-profile <name> crl-receive-meout <1-60>
set shared cerficate-profile <name> ocsp-receive-meout <1-60>
set shared cerficate-profile <name> ocsp-exclude-nonce <yes|no>
set shared cerficate-profile <name> cert-status-meout <0-60>

PAN-OS CLI Quick Start Version Version 10.1 595 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared cerficate-profile <name> block-unknown-cert <yes|no>

set shared cerficate-profile <name> block-meout-cert <yes|no>
set shared cerficate-profile <name> block-unauthencated-cert <yes|no>
set shared cerficate-profile <name> block-expired-cert <yes|no>
set shared server-profile
set shared server-profile ldap
set shared server-profile ldap <name>
set shared server-profile ldap <name> admin-use-only <yes|no>
set shared server-profile ldap <name> ldap-type <acve-directory|e-directory|sun|other>
set shared server-profile ldap <name> server
set shared server-profile ldap <name> server <name>
set shared server-profile ldap <name> server <name> address <ip/netmask>|<value>
set shared server-profile ldap <name> server <name> port <1-65535>
set shared server-profile ldap <name> ssl <yes|no>
set shared server-profile ldap <name> ssl <yes>
set shared server-profile ldap <name> verify-server-cerficate <yes|no>
set shared server-profile ldap <name> disabled <yes|no>
set shared server-profile ldap <name> base <value>
set shared server-profile ldap <name> bind-dn <value>
set shared server-profile ldap <name> bind-password <value>
set shared server-profile ldap <name> melimit <1-30>
set shared server-profile ldap <name> bind-melimit <1-60>
set shared server-profile ldap <name> retry-interval <60-3600>
set shared server-profile radius
set shared server-profile radius <name>
set shared server-profile radius <name> admin-use-only <yes|no>
set shared server-profile radius <name> meout <1-120>
set shared server-profile radius <name> retries <1-5>
set shared server-profile radius <name> protocol
set shared server-profile radius <name> protocol CHAP
set shared server-profile radius <name> protocol PAP
set shared server-profile radius <name> protocol PEAP-MSCHAPv2
set shared server-profile radius <name> protocol PEAP-MSCHAPv2 anon-outer-id <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 596 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared server-profile radius <name> protocol PEAP-MSCHAPv2 allow-pwd-change <yes|no>

set shared server-profile radius <name> protocol PEAP-MSCHAPv2 radius-cert-profile <value>
set shared server-profile radius <name> protocol PEAP-with-GTC
set shared server-profile radius <name> protocol PEAP-with-GTC anon-outer-id <yes|no>
set shared server-profile radius <name> protocol PEAP-with-GTC radius-cert-profile <value>
set shared server-profile radius <name> protocol EAP-TTLS-with-PAP
set shared server-profile radius <name> protocol EAP-TTLS-with-PAP anon-outer-id <yes|no>
set shared server-profile radius <name> protocol EAP-TTLS-with-PAP radius-cert-profile <value>
set shared server-profile radius <name> server
set shared server-profile radius <name> server <name>
set shared server-profile radius <name> server <name> ip-address <ip/netmask>|<value>
set shared server-profile radius <name> server <name> secret <value>
set shared server-profile radius <name> server <name> port <1-65535>
set shared server-profile kerberos
set shared server-profile kerberos <name>
set shared server-profile kerberos <name> admin-use-only <yes|no>
set shared server-profile kerberos <name> server
set shared server-profile kerberos <name> server <name>
set shared server-profile kerberos <name> server <name> host <ip/netmask>|<value>
set shared server-profile kerberos <name> server <name> port <1-65535>
set shared server-profile tacplus
set shared server-profile tacplus <name>
set shared server-profile tacplus <name> meout <1-30>
set shared server-profile tacplus <name> admin-use-only <yes|no>
set shared server-profile tacplus <name> use-single-connecon <yes|no>
set shared server-profile tacplus <name> protocol <CHAP|PAP>
set shared server-profile tacplus <name> server
set shared server-profile tacplus <name> server <name>
set shared server-profile tacplus <name> server <name> address <ip/netmask>|<value>
set shared server-profile tacplus <name> server <name> secret <value>
set shared server-profile tacplus <name> server <name> port <1-65535>
set shared server-profile saml-idp
set shared server-profile saml-idp <name>

PAN-OS CLI Quick Start Version Version 10.1 597 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared server-profile saml-idp <name> admin-use-only <yes|no>

set shared server-profile saml-idp <name> enty-id <value>
set shared server-profile saml-idp <name> cerficate <value>
set shared server-profile saml-idp <name> sso-url <value>
set shared server-profile saml-idp <name> sso-bindings <post|redirect>
set shared server-profile saml-idp <name> slo-url <value>
set shared server-profile saml-idp <name> slo-bindings <post|redirect>
set shared server-profile saml-idp <name> validate-idp-cerficate <yes|no>
set shared server-profile saml-idp <name> want-auth-requests-signed <yes|no>
set shared server-profile saml-idp <name> max-clock-skew <1-900>
set shared server-profile nelow
set shared server-profile nelow <name>
set shared server-profile nelow <name> template-refresh-rate
set shared server-profile nelow <name> template-refresh-rate minutes <1-3600>
set shared server-profile nelow <name> template-refresh-rate packets <1-600>
set shared server-profile nelow <name> acve-meout <1-60>
set shared server-profile nelow <name> export-enterprise-fields <yes|no>
set shared server-profile nelow <name> server
set shared server-profile nelow <name> server <name>
set shared server-profile nelow <name> server <name> host <ip/netmask>|<value>
set shared server-profile nelow <name> server <name> port <1-65535>
set shared server-profile mfa-server-profile
set shared server-profile mfa-server-profile <name>
set shared server-profile mfa-server-profile <name> mfa-vendor-type <value>
set shared server-profile mfa-server-profile <name> mfa-cert-profile <value>
set shared server-profile mfa-server-profile <name> mfa-config
set shared server-profile mfa-server-profile <name> mfa-config <name>
set shared server-profile mfa-server-profile <name> mfa-config <name> value <value>
set shared log-sengs
set shared log-sengs system
set shared log-sengs system match-list
set shared log-sengs system match-list <name>
set shared log-sengs system match-list <name> descripon <value>

PAN-OS CLI Quick Start Version Version 10.1 598 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs system match-list <name> filter <value>

set shared log-sengs system match-list <name> send-to-panorama <yes|no>
set shared log-sengs system match-list <name> send-snmptrap [ <send-snmptrap1> <send-
snmptrap2>... ]
set shared log-sengs system match-list <name> send-email [ <send-email1> <send-email2>... ]
set shared log-sengs system match-list <name> send-syslog [ <send-syslog1> <send-
syslog2>... ]
set shared log-sengs system match-list <name> send-hp [ <send-hp1> <send-hp2>... ]
set shared log-sengs system match-list <name> acons
set shared log-sengs system match-list <name> acons <name>
set shared log-sengs system match-list <name> acons <name> type
set shared log-sengs config
set shared log-sengs config match-list
set shared log-sengs config match-list <name>
set shared log-sengs config match-list <name> descripon <value>
set shared log-sengs config match-list <name> filter <value>
set shared log-sengs config match-list <name> send-to-panorama <yes|no>
set shared log-sengs config match-list <name> send-snmptrap [ <send-snmptrap1> <send-
snmptrap2>... ]
set shared log-sengs config match-list <name> send-email [ <send-email1> <send-email2>... ]
set shared log-sengs config match-list <name> send-syslog [ <send-syslog1> <send-syslog2>... ]
set shared log-sengs config match-list <name> send-hp [ <send-hp1> <send-hp2>... ]
set shared log-sengs userid
set shared log-sengs userid match-list
set shared log-sengs userid match-list <name>
set shared log-sengs userid match-list <name> descripon <value>
set shared log-sengs userid match-list <name> filter <value>
set shared log-sengs userid match-list <name> send-to-panorama <yes|no>
set shared log-sengs userid match-list <name> send-snmptrap [ <send-snmptrap1> <send-
snmptrap2>... ]
set shared log-sengs userid match-list <name> send-email [ <send-email1> <send-email2>... ]
set shared log-sengs userid match-list <name> send-syslog [ <send-syslog1> <send-syslog2>... ]
set shared log-sengs userid match-list <name> send-hp [ <send-hp1> <send-hp2>... ]
set shared log-sengs userid match-list <name> quaranne <yes|no>
set shared log-sengs userid match-list <name> acons

PAN-OS CLI Quick Start Version Version 10.1 599 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs userid match-list <name> acons <name>

set shared log-sengs userid match-list <name> acons <name> type
set shared log-sengs userid match-list <name> acons <name> type tagging
set shared log-sengs userid match-list <name> acons <name> type tagging target <source-
address|desnaon-address|xff-address|user>
set shared log-sengs userid match-list <name> acons <name> type tagging acon <add-tag|
remove-tag>
set shared log-sengs userid match-list <name> acons <name> type tagging registraon
set shared log-sengs userid match-list <name> acons <name> type tagging registraon
localhost
set shared log-sengs userid match-list <name> acons <name> type tagging registraon
panorama
set shared log-sengs userid match-list <name> acons <name> type tagging registraon remote
set shared log-sengs userid match-list <name> acons <name> type tagging registraon remote
hp-profile <value>
set shared log-sengs userid match-list <name> acons <name> type tagging meout
<0-43200>
set shared log-sengs userid match-list <name> acons <name> type tagging tags [ <tags1>
<tags2>... ]
set shared log-sengs iptag
set shared log-sengs iptag match-list
set shared log-sengs iptag match-list <name>
set shared log-sengs iptag match-list <name> descripon <value>
set shared log-sengs iptag match-list <name> filter <value>
set shared log-sengs iptag match-list <name> send-to-panorama <yes|no>
set shared log-sengs iptag match-list <name> send-snmptrap [ <send-snmptrap1> <send-
snmptrap2>... ]
set shared log-sengs iptag match-list <name> send-email [ <send-email1> <send-email2>... ]
set shared log-sengs iptag match-list <name> send-syslog [ <send-syslog1> <send-syslog2>... ]
set shared log-sengs iptag match-list <name> send-hp [ <send-hp1> <send-hp2>... ]
set shared log-sengs iptag match-list <name> quaranne <yes|no>
set shared log-sengs iptag match-list <name> acons
set shared log-sengs iptag match-list <name> acons <name>
set shared log-sengs iptag match-list <name> acons <name> type
set shared log-sengs iptag match-list <name> acons <name> type tagging

PAN-OS CLI Quick Start Version Version 10.1 600 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs iptag match-list <name> acons <name> type tagging target <source-
address|desnaon-address|xff-address|user>
set shared log-sengs iptag match-list <name> acons <name> type tagging acon <add-tag|
remove-tag>
set shared log-sengs iptag match-list <name> acons <name> type tagging registraon
set shared log-sengs iptag match-list <name> acons <name> type tagging registraon localhost
set shared log-sengs iptag match-list <name> acons <name> type tagging registraon
panorama
set shared log-sengs iptag match-list <name> acons <name> type tagging registraon remote
set shared log-sengs iptag match-list <name> acons <name> type tagging registraon remote
hp-profile <value>
set shared log-sengs iptag match-list <name> acons <name> type tagging meout <0-43200>
set shared log-sengs iptag match-list <name> acons <name> type tagging tags [ <tags1>
<tags2>... ]
set shared log-sengs globalprotect
set shared log-sengs globalprotect match-list
set shared log-sengs globalprotect match-list <name>
set shared log-sengs globalprotect match-list <name> descripon <value>
set shared log-sengs globalprotect match-list <name> filter <value>
set shared log-sengs globalprotect match-list <name> send-to-panorama <yes|no>
set shared log-sengs globalprotect match-list <name> send-snmptrap [ <send-snmptrap1>
<send-snmptrap2>... ]
set shared log-sengs globalprotect match-list <name> send-email [ <send-email1> <send-
email2>... ]
set shared log-sengs globalprotect match-list <name> send-syslog [ <send-syslog1> <send-
syslog2>... ]
set shared log-sengs globalprotect match-list <name> send-hp [ <send-hp1> <send-
hp2>... ]
set shared log-sengs globalprotect match-list <name> quaranne <yes|no>
set shared log-sengs globalprotect match-list <name> acons
set shared log-sengs globalprotect match-list <name> acons <name>
set shared log-sengs globalprotect match-list <name> acons <name> type
set shared log-sengs globalprotect match-list <name> acons <name> type tagging
set shared log-sengs globalprotect match-list <name> acons <name> type tagging target
<source-address|desnaon-address|xff-address|user>
set shared log-sengs globalprotect match-list <name> acons <name> type tagging acon <add-
tag|remove-tag>

PAN-OS CLI Quick Start Version Version 10.1 601 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs globalprotect match-list <name> acons <name> type tagging registraon
set shared log-sengs globalprotect match-list <name> acons <name> type tagging registraon
localhost
set shared log-sengs globalprotect match-list <name> acons <name> type tagging registraon
panorama
set shared log-sengs globalprotect match-list <name> acons <name> type tagging registraon
remote
set shared log-sengs globalprotect match-list <name> acons <name> type tagging registraon
remote hp-profile <value>
set shared log-sengs globalprotect match-list <name> acons <name> type tagging meout
<0-43200>
set shared log-sengs globalprotect match-list <name> acons <name> type tagging tags
[ <tags1> <tags2>... ]
set shared log-sengs hipmatch
set shared log-sengs hipmatch match-list
set shared log-sengs hipmatch match-list <name>
set shared log-sengs hipmatch match-list <name> descripon <value>
set shared log-sengs hipmatch match-list <name> filter <value>
set shared log-sengs hipmatch match-list <name> send-to-panorama <yes|no>
set shared log-sengs hipmatch match-list <name> send-snmptrap [ <send-snmptrap1> <send-
snmptrap2>... ]
set shared log-sengs hipmatch match-list <name> send-email [ <send-email1> <send-email2>... ]
set shared log-sengs hipmatch match-list <name> send-syslog [ <send-syslog1> <send-
syslog2>... ]
set shared log-sengs hipmatch match-list <name> send-hp [ <send-hp1> <send-hp2>... ]
set shared log-sengs hipmatch match-list <name> quaranne <yes|no>
set shared log-sengs hipmatch match-list <name> acons
set shared log-sengs hipmatch match-list <name> acons <name>
set shared log-sengs hipmatch match-list <name> acons <name> type
set shared log-sengs hipmatch match-list <name> acons <name> type tagging
set shared log-sengs hipmatch match-list <name> acons <name> type tagging target <source-
address|desnaon-address|xff-address|user>
set shared log-sengs hipmatch match-list <name> acons <name> type tagging acon <add-tag|
remove-tag>
set shared log-sengs hipmatch match-list <name> acons <name> type tagging registraon
set shared log-sengs hipmatch match-list <name> acons <name> type tagging registraon
localhost

PAN-OS CLI Quick Start Version Version 10.1 602 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs hipmatch match-list <name> acons <name> type tagging registraon
panorama
set shared log-sengs hipmatch match-list <name> acons <name> type tagging registraon
remote
set shared log-sengs hipmatch match-list <name> acons <name> type tagging registraon
remote hp-profile <value>
set shared log-sengs hipmatch match-list <name> acons <name> type tagging meout
<0-43200>
set shared log-sengs hipmatch match-list <name> acons <name> type tagging tags [ <tags1>
<tags2>... ]
set shared log-sengs correlaon
set shared log-sengs correlaon match-list
set shared log-sengs correlaon match-list <name>
set shared log-sengs correlaon match-list <name> descripon <value>
set shared log-sengs correlaon match-list <name> filter <value>
set shared log-sengs correlaon match-list <name> send-snmptrap [ <send-snmptrap1> <send-
snmptrap2>... ]
set shared log-sengs correlaon match-list <name> send-email [ <send-email1> <send-
email2>... ]
set shared log-sengs correlaon match-list <name> send-syslog [ <send-syslog1> <send-
syslog2>... ]
set shared log-sengs correlaon match-list <name> send-hp [ <send-hp1> <send-hp2>... ]
set shared log-sengs correlaon match-list <name> quaranne <yes|no>
set shared log-sengs correlaon match-list <name> acons
set shared log-sengs correlaon match-list <name> acons <name>
set shared log-sengs correlaon match-list <name> acons <name> type
set shared log-sengs correlaon match-list <name> acons <name> type tagging
set shared log-sengs correlaon match-list <name> acons <name> type tagging target
<source-address|desnaon-address|xff-address|user>
set shared log-sengs correlaon match-list <name> acons <name> type tagging acon <add-
tag|remove-tag>
set shared log-sengs correlaon match-list <name> acons <name> type tagging registraon
set shared log-sengs correlaon match-list <name> acons <name> type tagging registraon
localhost
set shared log-sengs correlaon match-list <name> acons <name> type tagging registraon
panorama
set shared log-sengs correlaon match-list <name> acons <name> type tagging registraon
remote

PAN-OS CLI Quick Start Version Version 10.1 603 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs correlaon match-list <name> acons <name> type tagging registraon
remote hp-profile <value>
set shared log-sengs correlaon match-list <name> acons <name> type tagging meout
<0-43200>
set shared log-sengs correlaon match-list <name> acons <name> type tagging tags [ <tags1>
<tags2>... ]
set shared log-sengs snmptrap
set shared log-sengs snmptrap <name>
set shared log-sengs snmptrap <name> version
set shared log-sengs snmptrap <name> version v2c
set shared log-sengs snmptrap <name> version v2c server
set shared log-sengs snmptrap <name> version v2c server <name>
set shared log-sengs snmptrap <name> version v2c server <name> manager <ip/netmask>|
<value>
set shared log-sengs snmptrap <name> version v2c server <name> community <value>
set shared log-sengs snmptrap <name> version v3
set shared log-sengs snmptrap <name> version v3 server
set shared log-sengs snmptrap <name> version v3 server <name>
set shared log-sengs snmptrap <name> version v3 server <name> manager <ip/netmask>|
<value>
set shared log-sengs snmptrap <name> version v3 server <name> user <value>
set shared log-sengs snmptrap <name> version v3 server <name> engineid <value>
set shared log-sengs snmptrap <name> version v3 server <name> authpwd <value>
set shared log-sengs snmptrap <name> version v3 server <name> privpwd <value>
set shared log-sengs snmptrap <name> version v3 server <name> authproto <SHA|SHA-224|
SHA-256|SHA-384|SHA-512>
set shared log-sengs snmptrap <name> version v3 server <name> privproto <AES|AES-192|
AES-256>
set shared log-sengs email
set shared log-sengs email <name>
set shared log-sengs email <name> server
set shared log-sengs email <name> server <name>
set shared log-sengs email <name> server <name> display-name <value>
set shared log-sengs email <name> server <name> from <value>
set shared log-sengs email <name> server <name> to <value>
set shared log-sengs email <name> server <name> and-also-to <value>

PAN-OS CLI Quick Start Version Version 10.1 604 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs email <name> server <name> gateway <value>

set shared log-sengs email <name> server <name> protocol <SMTP|TLS>
set shared log-sengs email <name> server <name> port <1-65535>
set shared log-sengs email <name> server <name> tls-version <1.2|1.1>
set shared log-sengs email <name> server <name> auth <Auto|Login|Plain>
set shared log-sengs email <name> server <name> cerficate-profile <value>
set shared log-sengs email <name> server <name> username <value>
set shared log-sengs email <name> server <name> password <value>
set shared log-sengs email <name> format
set shared log-sengs email <name> format traffic <value>
set shared log-sengs email <name> format threat <value>
set shared log-sengs email <name> format wildfire <value>
set shared log-sengs email <name> format url <value>
set shared log-sengs email <name> format data <value>
set shared log-sengs email <name> format tunnel <value>
set shared log-sengs email <name> format auth <value>
set shared log-sengs email <name> format userid <value>
set shared log-sengs email <name> format iptag <value>
set shared log-sengs email <name> format decrypon <value>
set shared log-sengs email <name> format config <value>
set shared log-sengs email <name> format system <value>
set shared log-sengs email <name> format globalprotect <value>
set shared log-sengs email <name> format hip-match <value>
set shared log-sengs email <name> format correlaon <value>
set shared log-sengs email <name> format escaping
set shared log-sengs email <name> format escaping escaped-characters <value>
set shared log-sengs email <name> format escaping escape-character <value>
set shared log-sengs syslog
set shared log-sengs syslog <name>
set shared log-sengs syslog <name> server
set shared log-sengs syslog <name> server <name>
set shared log-sengs syslog <name> server <name> server <value>
set shared log-sengs syslog <name> server <name> transport <UDP|TCP|SSL>

PAN-OS CLI Quick Start Version Version 10.1 605 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs syslog <name> server <name> port <1-65535>

set shared log-sengs syslog <name> server <name> format <BSD|IETF>
set shared log-sengs syslog <name> server <name> facility <LOG_USER|LOG_LOCAL0|
LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|LOG_LOCAL5|LOG_LOCAL6|
LOG_LOCAL7>
set shared log-sengs syslog <name> format
set shared log-sengs syslog <name> format traffic <value>
set shared log-sengs syslog <name> format threat <value>
set shared log-sengs syslog <name> format wildfire <value>
set shared log-sengs syslog <name> format url <value>
set shared log-sengs syslog <name> format data <value>
set shared log-sengs syslog <name> format tunnel <value>
set shared log-sengs syslog <name> format auth <value>
set shared log-sengs syslog <name> format userid <value>
set shared log-sengs syslog <name> format iptag <value>
set shared log-sengs syslog <name> format decrypon <value>
set shared log-sengs syslog <name> format config <value>
set shared log-sengs syslog <name> format system <value>
set shared log-sengs syslog <name> format globalprotect <value>
set shared log-sengs syslog <name> format hip-match <value>
set shared log-sengs syslog <name> format correlaon <value>
set shared log-sengs syslog <name> format escaping
set shared log-sengs syslog <name> format escaping escaped-characters <value>
set shared log-sengs syslog <name> format escaping escape-character <value>
set shared log-sengs hp
set shared log-sengs hp <name>
set shared log-sengs hp <name> tag-registraon <yes|no>
set shared log-sengs hp <name> server
set shared log-sengs hp <name> server <name>
set shared log-sengs hp <name> server <name> address <value>
set shared log-sengs hp <name> server <name> protocol <HTTP|HTTPS>
set shared log-sengs hp <name> server <name> port <1-65535>
set shared log-sengs hp <name> server <name> tls-version <1.2|1.1|1.0>
set shared log-sengs hp <name> server <name> cerficate-profile <value>

PAN-OS CLI Quick Start Version Version 10.1 606 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs hp <name> server <name> hp-method <value>

set shared log-sengs hp <name> server <name> username <value>
set shared log-sengs hp <name> server <name> password <value>
set shared log-sengs hp <name> format
set shared log-sengs hp <name> format config
set shared log-sengs hp <name> format config name <value>
set shared log-sengs hp <name> format config url-format <value>
set shared log-sengs hp <name> format config headers
set shared log-sengs hp <name> format config headers <name>
set shared log-sengs hp <name> format config headers <name> value <value>
set shared log-sengs hp <name> format config params
set shared log-sengs hp <name> format config params <name>
set shared log-sengs hp <name> format config params <name> value <value>
set shared log-sengs hp <name> format config payload <value>
set shared log-sengs hp <name> format system
set shared log-sengs hp <name> format system name <value>
set shared log-sengs hp <name> format system url-format <value>
set shared log-sengs hp <name> format system headers
set shared log-sengs hp <name> format system headers <name>
set shared log-sengs hp <name> format system headers <name> value <value>
set shared log-sengs hp <name> format system params
set shared log-sengs hp <name> format system params <name>
set shared log-sengs hp <name> format system params <name> value <value>
set shared log-sengs hp <name> format system payload <value>
set shared log-sengs hp <name> format traffic
set shared log-sengs hp <name> format traffic name <value>
set shared log-sengs hp <name> format traffic url-format <value>
set shared log-sengs hp <name> format traffic headers
set shared log-sengs hp <name> format traffic headers <name>
set shared log-sengs hp <name> format traffic headers <name> value <value>
set shared log-sengs hp <name> format traffic params
set shared log-sengs hp <name> format traffic params <name>
set shared log-sengs hp <name> format traffic params <name> value <value>

PAN-OS CLI Quick Start Version Version 10.1 607 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs hp <name> format traffic payload <value>

set shared log-sengs hp <name> format threat
set shared log-sengs hp <name> format threat name <value>
set shared log-sengs hp <name> format threat url-format <value>
set shared log-sengs hp <name> format threat headers
set shared log-sengs hp <name> format threat headers <name>
set shared log-sengs hp <name> format threat headers <name> value <value>
set shared log-sengs hp <name> format threat params
set shared log-sengs hp <name> format threat params <name>
set shared log-sengs hp <name> format threat params <name> value <value>
set shared log-sengs hp <name> format threat payload <value>
set shared log-sengs hp <name> format wildfire
set shared log-sengs hp <name> format wildfire name <value>
set shared log-sengs hp <name> format wildfire url-format <value>
set shared log-sengs hp <name> format wildfire headers
set shared log-sengs hp <name> format wildfire headers <name>
set shared log-sengs hp <name> format wildfire headers <name> value <value>
set shared log-sengs hp <name> format wildfire params
set shared log-sengs hp <name> format wildfire params <name>
set shared log-sengs hp <name> format wildfire params <name> value <value>
set shared log-sengs hp <name> format wildfire payload <value>
set shared log-sengs hp <name> format url
set shared log-sengs hp <name> format url name <value>
set shared log-sengs hp <name> format url url-format <value>
set shared log-sengs hp <name> format url headers
set shared log-sengs hp <name> format url headers <name>
set shared log-sengs hp <name> format url headers <name> value <value>
set shared log-sengs hp <name> format url params
set shared log-sengs hp <name> format url params <name>
set shared log-sengs hp <name> format url params <name> value <value>
set shared log-sengs hp <name> format url payload <value>
set shared log-sengs hp <name> format data
set shared log-sengs hp <name> format data name <value>

PAN-OS CLI Quick Start Version Version 10.1 608 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs hp <name> format data url-format <value>

set shared log-sengs hp <name> format data headers
set shared log-sengs hp <name> format data headers <name>
set shared log-sengs hp <name> format data headers <name> value <value>
set shared log-sengs hp <name> format data params
set shared log-sengs hp <name> format data params <name>
set shared log-sengs hp <name> format data params <name> value <value>
set shared log-sengs hp <name> format data payload <value>
set shared log-sengs hp <name> format tunnel
set shared log-sengs hp <name> format tunnel name <value>
set shared log-sengs hp <name> format tunnel url-format <value>
set shared log-sengs hp <name> format tunnel headers
set shared log-sengs hp <name> format tunnel headers <name>
set shared log-sengs hp <name> format tunnel headers <name> value <value>
set shared log-sengs hp <name> format tunnel params
set shared log-sengs hp <name> format tunnel params <name>
set shared log-sengs hp <name> format tunnel params <name> value <value>
set shared log-sengs hp <name> format tunnel payload <value>
set shared log-sengs hp <name> format auth
set shared log-sengs hp <name> format auth name <value>
set shared log-sengs hp <name> format auth url-format <value>
set shared log-sengs hp <name> format auth headers
set shared log-sengs hp <name> format auth headers <name>
set shared log-sengs hp <name> format auth headers <name> value <value>
set shared log-sengs hp <name> format auth params
set shared log-sengs hp <name> format auth params <name>
set shared log-sengs hp <name> format auth params <name> value <value>
set shared log-sengs hp <name> format auth payload <value>
set shared log-sengs hp <name> format userid
set shared log-sengs hp <name> format userid name <value>
set shared log-sengs hp <name> format userid url-format <value>
set shared log-sengs hp <name> format userid headers
set shared log-sengs hp <name> format userid headers <name>

PAN-OS CLI Quick Start Version Version 10.1 609 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs hp <name> format userid headers <name> value <value>
set shared log-sengs hp <name> format userid params
set shared log-sengs hp <name> format userid params <name>
set shared log-sengs hp <name> format userid params <name> value <value>
set shared log-sengs hp <name> format userid payload <value>
set shared log-sengs hp <name> format iptag
set shared log-sengs hp <name> format iptag name <value>
set shared log-sengs hp <name> format iptag url-format <value>
set shared log-sengs hp <name> format iptag headers
set shared log-sengs hp <name> format iptag headers <name>
set shared log-sengs hp <name> format iptag headers <name> value <value>
set shared log-sengs hp <name> format iptag params
set shared log-sengs hp <name> format iptag params <name>
set shared log-sengs hp <name> format iptag params <name> value <value>
set shared log-sengs hp <name> format iptag payload <value>
set shared log-sengs hp <name> format decrypon
set shared log-sengs hp <name> format decrypon name <value>
set shared log-sengs hp <name> format decrypon url-format <value>
set shared log-sengs hp <name> format decrypon headers
set shared log-sengs hp <name> format decrypon headers <name>
set shared log-sengs hp <name> format decrypon headers <name> value <value>
set shared log-sengs hp <name> format decrypon params
set shared log-sengs hp <name> format decrypon params <name>
set shared log-sengs hp <name> format decrypon params <name> value <value>
set shared log-sengs hp <name> format decrypon payload <value>
set shared log-sengs hp <name> format globalprotect
set shared log-sengs hp <name> format globalprotect name <value>
set shared log-sengs hp <name> format globalprotect url-format <value>
set shared log-sengs hp <name> format globalprotect headers
set shared log-sengs hp <name> format globalprotect headers <name>
set shared log-sengs hp <name> format globalprotect headers <name> value <value>
set shared log-sengs hp <name> format globalprotect params
set shared log-sengs hp <name> format globalprotect params <name>

PAN-OS CLI Quick Start Version Version 10.1 610 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs hp <name> format globalprotect params <name> value <value>
set shared log-sengs hp <name> format globalprotect payload <value>
set shared log-sengs hp <name> format hip-match
set shared log-sengs hp <name> format hip-match name <value>
set shared log-sengs hp <name> format hip-match url-format <value>
set shared log-sengs hp <name> format hip-match headers
set shared log-sengs hp <name> format hip-match headers <name>
set shared log-sengs hp <name> format hip-match headers <name> value <value>
set shared log-sengs hp <name> format hip-match params
set shared log-sengs hp <name> format hip-match params <name>
set shared log-sengs hp <name> format hip-match params <name> value <value>
set shared log-sengs hp <name> format hip-match payload <value>
set shared log-sengs hp <name> format correlaon
set shared log-sengs hp <name> format correlaon name <value>
set shared log-sengs hp <name> format correlaon url-format <value>
set shared log-sengs hp <name> format correlaon headers
set shared log-sengs hp <name> format correlaon headers <name>
set shared log-sengs hp <name> format correlaon headers <name> value <value>
set shared log-sengs hp <name> format correlaon params
set shared log-sengs hp <name> format correlaon params <name>
set shared log-sengs hp <name> format correlaon params <name> value <value>
set shared log-sengs hp <name> format correlaon payload <value>
set shared log-sengs profiles
set shared log-sengs profiles <name>
set shared log-sengs profiles <name> descripon <value>
set shared log-sengs profiles <name> enhanced-applicaon-logging <yes|no>
set shared log-sengs profiles <name> match-list
set shared log-sengs profiles <name> match-list <name>
set shared log-sengs profiles <name> match-list <name> acon-desc <value>
set shared log-sengs profiles <name> match-list <name> log-type <traffic|threat|wildfire|url|
data|tunnel|auth|decrypon>
set shared log-sengs profiles <name> match-list <name> filter <value>
set shared log-sengs profiles <name> match-list <name> send-to-panorama <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 611 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared log-sengs profiles <name> match-list <name> send-snmptrap [ <send-snmptrap1>

<send-snmptrap2>... ]
set shared log-sengs profiles <name> match-list <name> send-email [ <send-email1> <send-
email2>... ]
set shared log-sengs profiles <name> match-list <name> send-syslog [ <send-syslog1> <send-
syslog2>... ]
set shared log-sengs profiles <name> match-list <name> send-hp [ <send-hp1> <send-
hp2>... ]
set shared log-sengs profiles <name> match-list <name> quaranne <yes|no>
set shared log-sengs profiles <name> match-list <name> acons
set shared log-sengs profiles <name> match-list <name> acons <name>
set shared log-sengs profiles <name> match-list <name> acons <name> type
set shared log-sengs profiles <name> match-list <name> acons <name> type tagging
set shared log-sengs profiles <name> match-list <name> acons <name> type tagging target
<source-address|desnaon-address|xff-address|user>
set shared log-sengs profiles <name> match-list <name> acons <name> type tagging acon
<add-tag|remove-tag>
set shared log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon
set shared log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon localhost
set shared log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon panorama
set shared log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon remote
set shared log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon remote hp-profile <value>
set shared log-sengs profiles <name> match-list <name> acons <name> type tagging meout
<0-43200>
set shared log-sengs profiles <name> match-list <name> acons <name> type tagging tags
[ <tags1> <tags2>... ]
set shared cerficate
set shared cerficate <name>
set shared cerficate <name> common-name <value>
set shared cerficate <name> algorithm <value>
set shared cerficate <name> not-valid-aer <value>
set shared cerficate <name> not-valid-before <value>
set shared cerficate <name> expiry-epoch <value>

PAN-OS CLI Quick Start Version Version 10.1 612 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared cerficate <name> subject <value>

set shared cerficate <name> subject-hash <value>
set shared cerficate <name> issuer <value>
set shared cerficate <name> issuer-hash <value>
set shared cerficate <name>
set shared cerficate <name> csr <value>
set shared cerficate <name> public-key <value>
set shared cerficate <name>
set shared cerficate <name> private-key <value>
set shared cerficate <name> private-key-on-hsm <yes|no>
set shared cerficate <name> status <valid|revoked>
set shared cerficate <name> revoke-date-epoch <value>
set shared ssl-tls-service-profile
set shared ssl-tls-service-profile <name>
set shared ssl-tls-service-profile <name> cerficate <value>
set shared ssl-tls-service-profile <name> protocol-sengs
set shared ssl-tls-service-profile <name> protocol-sengs min-version <tls1-0|tls1-1|tls1-2>
set shared ssl-tls-service-profile <name> protocol-sengs max-version <tls1-0|tls1-1|tls1-2|max>
set shared ssl-tls-service-profile <name> protocol-sengs keyxchg-algo-rsa <yes|no>
set shared ssl-tls-service-profile <name> protocol-sengs keyxchg-algo-dhe <yes|no>
set shared ssl-tls-service-profile <name> protocol-sengs keyxchg-algo-ecdhe <yes|no>
set shared ssl-tls-service-profile <name> protocol-sengs enc-algo-3des <yes|no>
set shared ssl-tls-service-profile <name> protocol-sengs enc-algo-rc4 <yes|no>
set shared ssl-tls-service-profile <name> protocol-sengs enc-algo-aes-128-cbc <yes|no>
set shared ssl-tls-service-profile <name> protocol-sengs enc-algo-aes-256-cbc <yes|no>
set shared ssl-tls-service-profile <name> protocol-sengs enc-algo-aes-128-gcm <yes|no>
set shared ssl-tls-service-profile <name> protocol-sengs enc-algo-aes-256-gcm <yes|no>
set shared ssl-tls-service-profile <name> protocol-sengs auth-algo-sha1 <yes|no>
set shared ssl-tls-service-profile <name> protocol-sengs auth-algo-sha256 <yes|no>
set shared ssl-tls-service-profile <name> protocol-sengs auth-algo-sha384 <yes|no>
set shared response-page
set shared response-page applicaon-block-page <value>
set shared response-page capve-portal-text <value>

PAN-OS CLI Quick Start Version Version 10.1 613 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared response-page file-block-connue-page <value>

set shared response-page file-block-page <value>
set shared response-page ssl-cert-status-page <value>
set shared response-page ssl-optout-text <value>
set shared response-page url-block-page <value>
set shared response-page url-coach-text <value>
set shared response-page credenal-block-page <value>
set shared response-page credenal-coach-text <value>
set shared response-page virus-block-page <value>
set shared response-page data-filter-block-page <value>
set shared response-page safe-search-block-page <value>
set shared response-page saml-auth-internal-error-page <value>
set shared response-page mfa-login-page <value>
set shared response-page global-protect-portal-custom-login-page
set shared response-page global-protect-portal-custom-login-page <name>
set shared response-page global-protect-portal-custom-login-page <name> page <value>
set shared response-page global-protect-portal-custom-home-page
set shared response-page global-protect-portal-custom-home-page <name>
set shared response-page global-protect-portal-custom-home-page <name> page <value>
set shared response-page global-protect-portal-custom-help-page
set shared response-page global-protect-portal-custom-help-page <name>
set shared response-page global-protect-portal-custom-help-page <name> page <value>
set shared response-page global-protect-portal-custom-welcome-page
set shared response-page global-protect-portal-custom-welcome-page <name>
set shared response-page global-protect-portal-custom-welcome-page <name> page <value>
set shared local-user-database
set shared local-user-database user
set shared local-user-database user <name>
set shared local-user-database user <name> phash <value>
set shared local-user-database user <name> disabled <yes|no>
set shared local-user-database user-group
set shared local-user-database user-group <name>
set shared local-user-database user-group <name> user [ <user1> <user2>... ]

PAN-OS CLI Quick Start Version Version 10.1 614 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared ocsp-responder

set shared ocsp-responder <name>
set shared ocsp-responder <name> host-name <value>
set shared ssl-decrypt
set shared ssl-decrypt forward-trust-cerficate
set shared ssl-decrypt forward-trust-cerficate rsa <value>
set shared ssl-decrypt forward-trust-cerficate ecdsa <value>
set shared ssl-decrypt forward-untrust-cerficate
set shared ssl-decrypt forward-untrust-cerficate rsa <value>
set shared ssl-decrypt forward-untrust-cerficate ecdsa <value>
set shared ssl-decrypt ssl-exclude-cert
set shared ssl-decrypt ssl-exclude-cert <name>
set shared ssl-decrypt ssl-exclude-cert <name> descripon <value>
set shared ssl-decrypt ssl-exclude-cert <name> exclude <yes|no>
set shared ssl-decrypt root-ca-exclude-list [ <root-ca-exclude-list1> <root-ca-exclude-list2>... ]
set shared ssl-decrypt trusted-root-CA [ <trusted-root-CA1> <trusted-root-CA2>... ]
set shared ssl-decrypt disabled-ssl-exclude-cert-from-predefined [ <disabled-ssl-exclude-cert-
from-predefined1> <disabled-ssl-exclude-cert-from-predefined2>... ]
set shared url-content-types [ <url-content-types1> <url-content-types2>... ]
set shared admin-role
set shared admin-role <name>
set shared admin-role <name> descripon <value>
set shared admin-role <name> role
set shared admin-role <name> role device
set shared admin-role <name> role device webui
set shared admin-role <name> role device webui dashboard <enable|disable>
set shared admin-role <name> role device webui acc <enable|disable>
set shared admin-role <name> role device webui monitor
set shared admin-role <name> role device webui monitor logs
set shared admin-role <name> role device webui monitor logs traffic <enable|disable>
set shared admin-role <name> role device webui monitor logs threat <enable|disable>
set shared admin-role <name> role device webui monitor logs url <enable|disable>
set shared admin-role <name> role device webui monitor logs wildfire <enable|disable>
set shared admin-role <name> role device webui monitor logs data-filtering <enable|disable>

PAN-OS CLI Quick Start Version Version 10.1 615 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device webui monitor logs hipmatch <enable|disable>
set shared admin-role <name> role device webui monitor logs globalprotect <enable|disable>
set shared admin-role <name> role device webui monitor logs iptag <enable|disable>
set shared admin-role <name> role device webui monitor logs userid <enable|disable>
set shared admin-role <name> role device webui monitor logs decrypon <enable|disable>
set shared admin-role <name> role device webui monitor logs gtp <enable|disable>
set shared admin-role <name> role device webui monitor logs tunnel <enable|disable>
set shared admin-role <name> role device webui monitor logs sctp <enable|disable>
set shared admin-role <name> role device webui monitor logs configuraon <enable|disable>
set shared admin-role <name> role device webui monitor logs system <enable|disable>
set shared admin-role <name> role device webui monitor logs alarm <enable|disable>
set shared admin-role <name> role device webui monitor logs authencaon <enable|disable>
set shared admin-role <name> role device webui monitor external-logs <enable|disable>
set shared admin-role <name> role device webui monitor automated-correlaon-engine
set shared admin-role <name> role device webui monitor automated-correlaon-engine
correlaon-objects <enable|disable>
set shared admin-role <name> role device webui monitor automated-correlaon-engine
correlated-events <enable|disable>
set shared admin-role <name> role device webui monitor packet-capture <enable|read-only|
disable>
set shared admin-role <name> role device webui monitor app-scope <enable|disable>
set shared admin-role <name> role device webui monitor session-browser <enable|read-only|
disable>
set shared admin-role <name> role device webui monitor block-ip-list <enable|read-only|disable>
set shared admin-role <name> role device webui monitor botnet <enable|read-only|disable>
set shared admin-role <name> role device webui monitor pdf-reports
set shared admin-role <name> role device webui monitor pdf-reports manage-pdf-summary
<enable|read-only|disable>
set shared admin-role <name> role device webui monitor pdf-reports pdf-summary-reports
<enable|disable>
set shared admin-role <name> role device webui monitor pdf-reports user-acvity-report <enable|
read-only|disable>
set shared admin-role <name> role device webui monitor pdf-reports saas-applicaon-usage-
report <enable|read-only|disable>
set shared admin-role <name> role device webui monitor pdf-reports report-groups <enable|read-
only|disable>

PAN-OS CLI Quick Start Version Version 10.1 616 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device webui monitor pdf-reports email-scheduler <enable|
read-only|disable>
set shared admin-role <name> role device webui monitor custom-reports
set shared admin-role <name> role device webui monitor custom-reports applicaon-stascs
<enable|disable>
set shared admin-role <name> role device webui monitor custom-reports data-filtering-log
<enable|disable>
set shared admin-role <name> role device webui monitor custom-reports threat-log <enable|
disable>
set shared admin-role <name> role device webui monitor custom-reports threat-summary
<enable|disable>
set shared admin-role <name> role device webui monitor custom-reports traffic-log <enable|
disable>
set shared admin-role <name> role device webui monitor custom-reports traffic-summary
<enable|disable>
set shared admin-role <name> role device webui monitor custom-reports url-log <enable|disable>
set shared admin-role <name> role device webui monitor custom-reports url-summary <enable|
disable>
set shared admin-role <name> role device webui monitor custom-reports hipmatch <enable|
disable>
set shared admin-role <name> role device webui monitor custom-reports globalprotect <enable|
disable>
set shared admin-role <name> role device webui monitor custom-reports wildfire-log <enable|
disable>
set shared admin-role <name> role device webui monitor custom-reports gtp-log <enable|disable>
set shared admin-role <name> role device webui monitor custom-reports gtp-summary <enable|
disable>
set shared admin-role <name> role device webui monitor custom-reports tunnel-log <enable|
disable>
set shared admin-role <name> role device webui monitor custom-reports tunnel-summary
<enable|disable>
set shared admin-role <name> role device webui monitor custom-reports sctp-log <enable|
disable>
set shared admin-role <name> role device webui monitor custom-reports sctp-summary <enable|
disable>
set shared admin-role <name> role device webui monitor custom-reports iptag <enable|disable>
set shared admin-role <name> role device webui monitor custom-reports userid <enable|disable>
set shared admin-role <name> role device webui monitor custom-reports auth <enable|disable>
set shared admin-role <name> role device webui monitor view-custom-reports <enable|disable>

PAN-OS CLI Quick Start Version Version 10.1 617 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device webui monitor applicaon-reports <enable|disable>
set shared admin-role <name> role device webui monitor threat-reports <enable|disable>
set shared admin-role <name> role device webui monitor url-filtering-reports <enable|disable>
set shared admin-role <name> role device webui monitor traffic-reports <enable|disable>
set shared admin-role <name> role device webui monitor gtp-reports <enable|disable>
set shared admin-role <name> role device webui monitor sctp-reports <enable|disable>
set shared admin-role <name> role device webui policies
set shared admin-role <name> role device webui policies security-rulebase <enable|read-only|
disable>
set shared admin-role <name> role device webui policies nat-rulebase <enable|read-only|disable>
set shared admin-role <name> role device webui policies qos-rulebase <enable|read-only|disable>
set shared admin-role <name> role device webui policies pbf-rulebase <enable|read-only|disable>
set shared admin-role <name> role device webui policies ssl-decrypon-rulebase <enable|read-
only|disable>
set shared admin-role <name> role device webui policies network-packet-broker-rulebase
<enable|read-only|disable>
set shared admin-role <name> role device webui policies tunnel-inspect-rulebase <enable|read-
only|disable>
set shared admin-role <name> role device webui policies applicaon-override-rulebase <enable|
read-only|disable>
set shared admin-role <name> role device webui policies authencaon-rulebase <enable|read-
only|disable>
set shared admin-role <name> role device webui policies dos-rulebase <enable|read-only|disable>
set shared admin-role <name> role device webui policies sdwan-rulebase <enable|read-only|
disable>
set shared admin-role <name> role device webui policies rule-hit-count-reset <enable|disable>
set shared admin-role <name> role device webui objects
set shared admin-role <name> role device webui objects addresses <enable|read-only|disable>
set shared admin-role <name> role device webui objects address-groups <enable|read-only|
disable>
set shared admin-role <name> role device webui objects regions <enable|read-only|disable>
set shared admin-role <name> role device webui objects dynamic-user-groups <enable|read-only|
disable>
set shared admin-role <name> role device webui objects applicaons <enable|read-only|disable>
set shared admin-role <name> role device webui objects applicaon-groups <enable|read-only|
disable>

PAN-OS CLI Quick Start Version Version 10.1 618 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device webui objects applicaon-filters <enable|read-only|
disable>
set shared admin-role <name> role device webui objects services <enable|read-only|disable>
set shared admin-role <name> role device webui objects service-groups <enable|read-only|
disable>
set shared admin-role <name> role device webui objects tags <enable|read-only|disable>
set shared admin-role <name> role device webui objects devices <enable|read-only|disable>
set shared admin-role <name> role device webui objects global-protect
set shared admin-role <name> role device webui objects global-protect hip-objects <enable|read-
only|disable>
set shared admin-role <name> role device webui objects global-protect hip-profiles <enable|read-
only|disable>
set shared admin-role <name> role device webui objects dynamic-block-lists <enable|read-only|
disable>
set shared admin-role <name> role device webui objects custom-objects
set shared admin-role <name> role device webui objects custom-objects data-paerns <enable|
read-only|disable>
set shared admin-role <name> role device webui objects custom-objects spyware <enable|read-
only|disable>
set shared admin-role <name> role device webui objects custom-objects vulnerability <enable|
read-only|disable>
set shared admin-role <name> role device webui objects custom-objects url-category <enable|
read-only|disable>
set shared admin-role <name> role device webui objects security-profiles
set shared admin-role <name> role device webui objects security-profiles anvirus <enable|read-
only|disable>
set shared admin-role <name> role device webui objects security-profiles an-spyware <enable|
read-only|disable>
set shared admin-role <name> role device webui objects security-profiles vulnerability-protecon
<enable|read-only|disable>
set shared admin-role <name> role device webui objects security-profiles url-filtering <enable|
read-only|disable>
set shared admin-role <name> role device webui objects security-profiles file-blocking <enable|
read-only|disable>
set shared admin-role <name> role device webui objects security-profiles wildfire-analysis
<enable|read-only|disable>
set shared admin-role <name> role device webui objects security-profiles data-filtering <enable|
read-only|disable>

PAN-OS CLI Quick Start Version Version 10.1 619 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device webui objects security-profiles dos-protecon <enable|
read-only|disable>
set shared admin-role <name> role device webui objects security-profile-groups <enable|read-
only|disable>
set shared admin-role <name> role device webui objects log-forwarding <enable|read-only|
disable>
set shared admin-role <name> role device webui objects authencaon <enable|read-only|
disable>
set shared admin-role <name> role device webui objects decrypon
set shared admin-role <name> role device webui objects decrypon decrypon-profile <enable|
read-only|disable>
set shared admin-role <name> role device webui objects packet-broker-profile <enable|read-only|
disable>
set shared admin-role <name> role device webui objects sdwan
set shared admin-role <name> role device webui objects sdwan sdwan-profile <enable|read-only|
disable>
set shared admin-role <name> role device webui objects sdwan sdwan-saas-quality-profile
<enable|read-only|disable>
set shared admin-role <name> role device webui objects sdwan sdwan-dist-profile <enable|read-
only|disable>
set shared admin-role <name> role device webui objects sdwan sdwan-error-correcon-profile
<enable|read-only|disable>
set shared admin-role <name> role device webui objects schedules <enable|read-only|disable>
set shared admin-role <name> role device webui network
set shared admin-role <name> role device webui network interfaces <enable|read-only|disable>
set shared admin-role <name> role device webui network zones <enable|read-only|disable>
set shared admin-role <name> role device webui network vlans <enable|read-only|disable>
set shared admin-role <name> role device webui network virtual-wires <enable|read-only|disable>
set shared admin-role <name> role device webui network virtual-routers <enable|read-only|
disable>
set shared admin-role <name> role device webui network roung
set shared admin-role <name> role device webui network roung logical-routers <enable|read-
only|disable>
set shared admin-role <name> role device webui network roung roung-profiles
set shared admin-role <name> role device webui network roung roung-profiles bgp <enable|
read-only|disable>
set shared admin-role <name> role device webui network ipsec-tunnels <enable|read-only|
disable>

PAN-OS CLI Quick Start Version Version 10.1 620 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device webui network gre-tunnels <enable|read-only|disable>
set shared admin-role <name> role device webui network dhcp <enable|read-only|disable>
set shared admin-role <name> role device webui network dns-proxy <enable|read-only|disable>
set shared admin-role <name> role device webui network global-protect
set shared admin-role <name> role device webui network global-protect portals <enable|read-
only|disable>
set shared admin-role <name> role device webui network global-protect gateways <enable|read-
only|disable>
set shared admin-role <name> role device webui network global-protect mdm <enable|read-only|
disable>
set shared admin-role <name> role device webui network global-protect clientless-apps <enable|
read-only|disable>
set shared admin-role <name> role device webui network global-protect clientless-app-groups
<enable|read-only|disable>
set shared admin-role <name> role device webui network qos <enable|read-only|disable>
set shared admin-role <name> role device webui network lldp <enable|read-only|disable>
set shared admin-role <name> role device webui network network-profiles
set shared admin-role <name> role device webui network network-profiles gp-app-ipsec-crypto
<enable|read-only|disable>
set shared admin-role <name> role device webui network network-profiles ike-gateways <enable|
read-only|disable>
set shared admin-role <name> role device webui network network-profiles ipsec-crypto <enable|
read-only|disable>
set shared admin-role <name> role device webui network network-profiles ike-crypto <enable|
read-only|disable>
set shared admin-role <name> role device webui network network-profiles tunnel-monitor
<enable|read-only|disable>
set shared admin-role <name> role device webui network network-profiles interface-mgmt
<enable|read-only|disable>
set shared admin-role <name> role device webui network network-profiles zone-protecon
<enable|read-only|disable>
set shared admin-role <name> role device webui network network-profiles qos-profile <enable|
read-only|disable>
set shared admin-role <name> role device webui network network-profiles lldp-profile <enable|
read-only|disable>
set shared admin-role <name> role device webui network network-profiles bfd-profile <enable|
read-only|disable>
set shared admin-role <name> role device webui network sdwan-interface-profile <enable|read-
only|disable>

PAN-OS CLI Quick Start Version Version 10.1 621 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device webui device

set shared admin-role <name> role device webui device setup
set shared admin-role <name> role device webui device setup management <enable|read-only|
disable>
set shared admin-role <name> role device webui device setup operaons <enable|read-only|
disable>
set shared admin-role <name> role device webui device setup services <enable|read-only|disable>
set shared admin-role <name> role device webui device setup interfaces <enable|read-only|
disable>
set shared admin-role <name> role device webui device setup telemetry <enable|read-only|
disable>
set shared admin-role <name> role device webui device setup content-id <enable|read-only|
disable>
set shared admin-role <name> role device webui device setup wildfire <enable|read-only|disable>
set shared admin-role <name> role device webui device setup session <enable|read-only|disable>
set shared admin-role <name> role device webui device setup hsm <enable|read-only|disable>
set shared admin-role <name> role device webui device high-availability <enable|read-only|
disable>
set shared admin-role <name> role device webui device config-audit <enable|disable>
set shared admin-role <name> role device webui device administrators <read-only|disable>
set shared admin-role <name> role device webui device admin-roles <read-only|disable>
set shared admin-role <name> role device webui device access-domain <enable|read-only|
disable>
set shared admin-role <name> role device webui device authencaon-profile <enable|read-only|
disable>
set shared admin-role <name> role device webui device authencaon-sequence <enable|read-
only|disable>
set shared admin-role <name> role device webui device user-idenficaon <enable|read-only|
disable>
set shared admin-role <name> role device webui device data-redistribuon <enable|read-only|
disable>
set shared admin-role <name> role device webui device device-quaranne <enable|read-only|
disable>
set shared admin-role <name> role device webui device vm-info-source <enable|read-only|
disable>
set shared admin-role <name> role device webui device troubleshoong <enable|read-only|
disable>

PAN-OS CLI Quick Start Version Version 10.1 622 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device webui device virtual-systems <enable|read-only|
disable>
set shared admin-role <name> role device webui device shared-gateways <enable|read-only|
disable>
set shared admin-role <name> role device webui device cerficate-management
set shared admin-role <name> role device webui device cerficate-management cerficates
<enable|read-only|disable>
set shared admin-role <name> role device webui device cerficate-management cerficate-profile
<enable|read-only|disable>
set shared admin-role <name> role device webui device cerficate-management ocsp-responder
<enable|read-only|disable>
set shared admin-role <name> role device webui device cerficate-management ssl-tls-service-
profile <enable|read-only|disable>
set shared admin-role <name> role device webui device cerficate-management scep <enable|
read-only|disable>
set shared admin-role <name> role device webui device cerficate-management ssl-decrypon-
exclusion <enable|read-only|disable>
set shared admin-role <name> role device webui device cerficate-management ssh-service-
profile <enable|read-only|disable>
set shared admin-role <name> role device webui device block-pages <enable|read-only|disable>
set shared admin-role <name> role device webui device log-sengs
set shared admin-role <name> role device webui device log-sengs system <enable|read-only|
disable>
set shared admin-role <name> role device webui device log-sengs config <enable|read-only|
disable>
set shared admin-role <name> role device webui device log-sengs iptag <enable|read-only|
disable>
set shared admin-role <name> role device webui device log-sengs user-id <enable|read-only|
disable>
set shared admin-role <name> role device webui device log-sengs hipmatch <enable|read-only|
disable>
set shared admin-role <name> role device webui device log-sengs globalprotect <enable|read-
only|disable>
set shared admin-role <name> role device webui device log-sengs correlaon <enable|read-
only|disable>
set shared admin-role <name> role device webui device log-sengs cc-alarm <enable|read-only|
disable>
set shared admin-role <name> role device webui device log-sengs manage-log <enable|read-
only|disable>

PAN-OS CLI Quick Start Version Version 10.1 623 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device webui device server-profile

set shared admin-role <name> role device webui device server-profile snmp-trap <enable|read-
only|disable>
set shared admin-role <name> role device webui device server-profile syslog <enable|read-only|
disable>
set shared admin-role <name> role device webui device server-profile email <enable|read-only|
disable>
set shared admin-role <name> role device webui device server-profile hp <enable|read-only|
disable>
set shared admin-role <name> role device webui device server-profile nelow <enable|read-only|
disable>
set shared admin-role <name> role device webui device server-profile radius <enable|read-only|
disable>
set shared admin-role <name> role device webui device server-profile tacplus <enable|read-only|
disable>
set shared admin-role <name> role device webui device server-profile ldap <enable|read-only|
disable>
set shared admin-role <name> role device webui device server-profile kerberos <enable|read-only|
disable>
set shared admin-role <name> role device webui device server-profile saml_idp <enable|read-only|
disable>
set shared admin-role <name> role device webui device server-profile dns <enable|read-only|
disable>
set shared admin-role <name> role device webui device server-profile mfa <enable|read-only|
disable>
set shared admin-role <name> role device webui device local-user-database
set shared admin-role <name> role device webui device local-user-database users <enable|read-
only|disable>
set shared admin-role <name> role device webui device local-user-database user-groups <enable|
read-only|disable>
set shared admin-role <name> role device webui device scheduled-log-export <enable|disable>
set shared admin-role <name> role device webui device soware <enable|read-only|disable>
set shared admin-role <name> role device webui device global-protect-client <enable|read-only|
disable>
set shared admin-role <name> role device webui device dynamic-updates <enable|read-only|
disable>
set shared admin-role <name> role device webui device plugins <enable|disable>
set shared admin-role <name> role device webui device licenses <enable|read-only|disable>
set shared admin-role <name> role device webui device support <enable|read-only|disable>

PAN-OS CLI Quick Start Version Version 10.1 624 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device webui device master-key <enable|read-only|disable>
set shared admin-role <name> role device webui device policy-recommendaons
set shared admin-role <name> role device webui device policy-recommendaons iot <enable|
read-only|disable>
set shared admin-role <name> role device webui device policy-recommendaons saas <enable|
read-only|disable>
set shared admin-role <name> role device webui operaons
set shared admin-role <name> role device webui operaons reboot <enable|disable>
set shared admin-role <name> role device webui operaons generate-tech-support-file <enable|
disable>
set shared admin-role <name> role device webui operaons generate-stats-dump-file <enable|
disable>
set shared admin-role <name> role device webui operaons download-core-files <enable|disable>
set shared admin-role <name> role device webui privacy
set shared admin-role <name> role device webui privacy show-full-ip-addresses <enable|disable>
set shared admin-role <name> role device webui privacy show-user-names-in-logs-and-reports
<enable|disable>
set shared admin-role <name> role device webui privacy view-pcap-files <enable|disable>
set shared admin-role <name> role device webui validate <enable|disable>
set shared admin-role <name> role device webui save
set shared admin-role <name> role device webui save paral-save <enable|disable>
set shared admin-role <name> role device webui save save-for-other-admins <enable|disable>
set shared admin-role <name> role device webui commit
set shared admin-role <name> role device webui commit device <enable|disable>
set shared admin-role <name> role device webui commit commit-for-other-admins <enable|
disable>
set shared admin-role <name> role device webui tasks <enable|disable>
set shared admin-role <name> role device webui global
set shared admin-role <name> role device webui global system-alarms <enable|disable>
set shared admin-role <name> role device xmlapi
set shared admin-role <name> role device xmlapi report <enable|disable>
set shared admin-role <name> role device xmlapi log <enable|disable>
set shared admin-role <name> role device xmlapi config <enable|disable>
set shared admin-role <name> role device xmlapi op <enable|disable>
set shared admin-role <name> role device xmlapi commit <enable|disable>

PAN-OS CLI Quick Start Version Version 10.1 625 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device xmlapi user-id <enable|disable>

set shared admin-role <name> role device xmlapi iot <enable|disable>
set shared admin-role <name> role device xmlapi export <enable|disable>
set shared admin-role <name> role device xmlapi import <enable|disable>
set shared admin-role <name> role device cli <superuser|superreader|deviceadmin|devicereader>
set shared admin-role <name> role device restapi
set shared admin-role <name> role device restapi objects
set shared admin-role <name> role device restapi objects addresses <enable|read-only|disable>
set shared admin-role <name> role device restapi objects address-groups <enable|read-only|
disable>
set shared admin-role <name> role device restapi objects regions <enable|read-only|disable>
set shared admin-role <name> role device restapi objects dynamic-user-groups <enable|read-only|
disable>
set shared admin-role <name> role device restapi objects applicaons <enable|read-only|disable>
set shared admin-role <name> role device restapi objects applicaon-groups <enable|read-only|
disable>
set shared admin-role <name> role device restapi objects applicaon-filters <enable|read-only|
disable>
set shared admin-role <name> role device restapi objects services <enable|read-only|disable>
set shared admin-role <name> role device restapi objects service-groups <enable|read-only|
disable>
set shared admin-role <name> role device restapi objects tags <enable|read-only|disable>
set shared admin-role <name> role device restapi objects devices <enable|read-only|disable>
set shared admin-role <name> role device restapi objects globalprotect-hip-objects <enable|read-
only|disable>
set shared admin-role <name> role device restapi objects globalprotect-hip-profiles <enable|read-
only|disable>
set shared admin-role <name> role device restapi objects external-dynamic-lists <enable|read-
only|disable>
set shared admin-role <name> role device restapi objects custom-data-paerns <enable|read-
only|disable>
set shared admin-role <name> role device restapi objects custom-spyware-signatures <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects custom-vulnerability-signatures <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects custom-url-categories <enable|read-
only|disable>

PAN-OS CLI Quick Start Version Version 10.1 626 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device restapi objects anvirus-security-profiles <enable|read-
only|disable>
set shared admin-role <name> role device restapi objects an-spyware-security-profiles <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects vulnerability-protecon-security-profiles
<enable|read-only|disable>
set shared admin-role <name> role device restapi objects url-filtering-security-profiles <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects file-blocking-security-profiles <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects wildfire-analysis-security-profiles
<enable|read-only|disable>
set shared admin-role <name> role device restapi objects data-filtering-security-profiles <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects dos-protecon-security-profiles
<enable|read-only|disable>
set shared admin-role <name> role device restapi objects security-profile-groups <enable|read-
only|disable>
set shared admin-role <name> role device restapi objects log-forwarding-profiles <enable|read-
only|disable>
set shared admin-role <name> role device restapi objects authencaon-enforcements <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects decrypon-profiles <enable|read-only|
disable>
set shared admin-role <name> role device restapi objects packet-broker-profiles <enable|read-
only|disable>
set shared admin-role <name> role device restapi objects schedules <enable|read-only|disable>
set shared admin-role <name> role device restapi objects sdwan-path-quality-profiles <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects sdwan-saas-quality-profiles <enable|
read-only|disable>
set shared admin-role <name> role device restapi objects sdwan-traffic-distribuon-profiles
<enable|read-only|disable>
set shared admin-role <name> role device restapi objects sdwan-error-correcon-profiles <enable|
read-only|disable>
set shared admin-role <name> role device restapi policies
set shared admin-role <name> role device restapi policies security-rules <enable|read-only|
disable>
set shared admin-role <name> role device restapi policies nat-rules <enable|read-only|disable>

PAN-OS CLI Quick Start Version Version 10.1 627 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device restapi policies qos-rules <enable|read-only|disable>
set shared admin-role <name> role device restapi policies policy-based-forwarding-rules <enable|
read-only|disable>
set shared admin-role <name> role device restapi policies decrypon-rules <enable|read-only|
disable>
set shared admin-role <name> role device restapi policies network-packet-broker-rules <enable|
read-only|disable>
set shared admin-role <name> role device restapi policies tunnel-inspecon-rules <enable|read-
only|disable>
set shared admin-role <name> role device restapi policies applicaon-override-rules <enable|read-
only|disable>
set shared admin-role <name> role device restapi policies authencaon-rules <enable|read-only|
disable>
set shared admin-role <name> role device restapi policies dos-rules <enable|read-only|disable>
set shared admin-role <name> role device restapi policies sdwan-rules <enable|read-only|disable>
set shared admin-role <name> role device restapi network
set shared admin-role <name> role device restapi network aggregate-ethernet-interfaces <enable|
read-only|disable>
set shared admin-role <name> role device restapi network ethernet-interfaces <enable|read-only|
disable>
set shared admin-role <name> role device restapi network vlan-interfaces <enable|read-only|
disable>
set shared admin-role <name> role device restapi network loopback-interfaces <enable|read-only|
disable>
set shared admin-role <name> role device restapi network tunnel-interfaces <enable|read-only|
disable>
set shared admin-role <name> role device restapi network zones <enable|read-only|disable>
set shared admin-role <name> role device restapi network vlans <enable|read-only|disable>
set shared admin-role <name> role device restapi network virtual-wires <enable|read-only|
disable>
set shared admin-role <name> role device restapi network virtual-routers <enable|read-only|
disable>
set shared admin-role <name> role device restapi network logical-routers <enable|read-only|
disable>
set shared admin-role <name> role device restapi network bgp-roung-profiles <enable|read-only|
disable>
set shared admin-role <name> role device restapi network ipsec-tunnels <enable|read-only|
disable>
set shared admin-role <name> role device restapi network gre-tunnels <enable|read-only|disable>

PAN-OS CLI Quick Start Version Version 10.1 628 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device restapi network dhcp-servers <enable|read-only|
disable>
set shared admin-role <name> role device restapi network dhcp-relays <enable|read-only|disable>
set shared admin-role <name> role device restapi network dns-proxies <enable|read-only|disable>
set shared admin-role <name> role device restapi network globalprotect-portals <enable|read-
only|disable>
set shared admin-role <name> role device restapi network globalprotect-gateways <enable|read-
only|disable>
set shared admin-role <name> role device restapi network globalprotect-mdm-servers <enable|
read-only|disable>
set shared admin-role <name> role device restapi network globalprotect-clientless-apps <enable|
read-only|disable>
set shared admin-role <name> role device restapi network globalprotect-clientless-app-groups
<enable|read-only|disable>
set shared admin-role <name> role device restapi network qos-interfaces <enable|read-only|
disable>
set shared admin-role <name> role device restapi network lldp <enable|read-only|disable>
set shared admin-role <name> role device restapi network globalprotect-ipsec-crypto-network-
profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi network ike-gateway-network-profiles <enable|
read-only|disable>
set shared admin-role <name> role device restapi network ipsec-crypto-network-profiles <enable|
read-only|disable>
set shared admin-role <name> role device restapi network ike-crypto-network-profiles <enable|
read-only|disable>
set shared admin-role <name> role device restapi network tunnel-monitor-network-profiles
<enable|read-only|disable>
set shared admin-role <name> role device restapi network interface-management-network-
profiles <enable|read-only|disable>
set shared admin-role <name> role device restapi network zone-protecon-network-profiles
<enable|read-only|disable>
set shared admin-role <name> role device restapi network qos-network-profiles <enable|read-
only|disable>
set shared admin-role <name> role device restapi network lldp-network-profiles <enable|read-
only|disable>
set shared admin-role <name> role device restapi network bfd-network-profiles <enable|read-
only|disable>
set shared admin-role <name> role device restapi network sdwan-interfaces <enable|read-only|
disable>

PAN-OS CLI Quick Start Version Version 10.1 629 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role device restapi network sdwan-interface-profiles <enable|read-
only|disable>
set shared admin-role <name> role device restapi device
set shared admin-role <name> role device restapi device log-interface-seng <enable|read-only|
disable>
set shared admin-role <name> role device restapi device virtual-systems <enable|read-only|
disable>
set shared admin-role <name> role device restapi system
set shared admin-role <name> role device restapi system configuraon <enable|read-only|disable>
set shared admin-role <name> role vsys
set shared admin-role <name> role vsys webui
set shared admin-role <name> role vsys webui dashboard <enable|disable>
set shared admin-role <name> role vsys webui acc <enable|disable>
set shared admin-role <name> role vsys webui monitor
set shared admin-role <name> role vsys webui monitor logs
set shared admin-role <name> role vsys webui monitor logs traffic <enable|disable>
set shared admin-role <name> role vsys webui monitor logs threat <enable|disable>
set shared admin-role <name> role vsys webui monitor logs url <enable|disable>
set shared admin-role <name> role vsys webui monitor logs wildfire <enable|disable>
set shared admin-role <name> role vsys webui monitor logs data-filtering <enable|disable>
set shared admin-role <name> role vsys webui monitor logs hipmatch <enable|disable>
set shared admin-role <name> role vsys webui monitor logs globalprotect <enable|disable>
set shared admin-role <name> role vsys webui monitor logs iptag <enable|disable>
set shared admin-role <name> role vsys webui monitor logs userid <enable|disable>
set shared admin-role <name> role vsys webui monitor logs decrypon <enable|disable>
set shared admin-role <name> role vsys webui monitor logs gtp <enable|disable>
set shared admin-role <name> role vsys webui monitor logs tunnel <enable|disable>
set shared admin-role <name> role vsys webui monitor logs sctp <enable|disable>
set shared admin-role <name> role vsys webui monitor logs authencaon <enable|disable>
set shared admin-role <name> role vsys webui monitor external-logs <enable|disable>
set shared admin-role <name> role vsys webui monitor automated-correlaon-engine
set shared admin-role <name> role vsys webui monitor automated-correlaon-engine correlaon-
objects <enable|disable>
set shared admin-role <name> role vsys webui monitor automated-correlaon-engine correlated-
events <enable|disable>

PAN-OS CLI Quick Start Version Version 10.1 630 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role vsys webui monitor app-scope <enable|disable>
set shared admin-role <name> role vsys webui monitor session-browser <enable|read-only|
disable>
set shared admin-role <name> role vsys webui monitor block-ip-list <enable|read-only|disable>
set shared admin-role <name> role vsys webui monitor pdf-reports
set shared admin-role <name> role vsys webui monitor pdf-reports manage-pdf-summary
<enable|read-only|disable>
set shared admin-role <name> role vsys webui monitor pdf-reports pdf-summary-reports <enable|
disable>
set shared admin-role <name> role vsys webui monitor pdf-reports user-acvity-report <enable|
read-only|disable>
set shared admin-role <name> role vsys webui monitor pdf-reports saas-applicaon-usage-report
<enable|read-only|disable>
set shared admin-role <name> role vsys webui monitor pdf-reports report-groups <enable|read-
only|disable>
set shared admin-role <name> role vsys webui monitor pdf-reports email-scheduler <enable|read-
only|disable>
set shared admin-role <name> role vsys webui monitor custom-reports
set shared admin-role <name> role vsys webui monitor custom-reports applicaon-stascs
<enable|disable>
set shared admin-role <name> role vsys webui monitor custom-reports data-filtering-log <enable|
disable>
set shared admin-role <name> role vsys webui monitor custom-reports threat-log <enable|
disable>
set shared admin-role <name> role vsys webui monitor custom-reports threat-summary <enable|
disable>
set shared admin-role <name> role vsys webui monitor custom-reports traffic-log <enable|
disable>
set shared admin-role <name> role vsys webui monitor custom-reports traffic-summary <enable|
disable>
set shared admin-role <name> role vsys webui monitor custom-reports url-log <enable|disable>
set shared admin-role <name> role vsys webui monitor custom-reports url-summary <enable|
disable>
set shared admin-role <name> role vsys webui monitor custom-reports hipmatch <enable|disable>
set shared admin-role <name> role vsys webui monitor custom-reports globalprotect <enable|
disable>
set shared admin-role <name> role vsys webui monitor custom-reports wildfire-log <enable|
disable>
set shared admin-role <name> role vsys webui monitor custom-reports gtp-log <enable|disable>

PAN-OS CLI Quick Start Version Version 10.1 631 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role vsys webui monitor custom-reports gtp-summary <enable|
disable>
set shared admin-role <name> role vsys webui monitor custom-reports tunnel-log <enable|
disable>
set shared admin-role <name> role vsys webui monitor custom-reports tunnel-summary <enable|
disable>
set shared admin-role <name> role vsys webui monitor custom-reports sctp-log <enable|disable>
set shared admin-role <name> role vsys webui monitor custom-reports sctp-summary <enable|
disable>
set shared admin-role <name> role vsys webui monitor custom-reports iptag <enable|disable>
set shared admin-role <name> role vsys webui monitor custom-reports userid <enable|disable>
set shared admin-role <name> role vsys webui monitor custom-reports auth <enable|disable>
set shared admin-role <name> role vsys webui monitor view-custom-reports <enable|disable>
set shared admin-role <name> role vsys webui policies
set shared admin-role <name> role vsys webui policies security-rulebase <enable|read-only|
disable>
set shared admin-role <name> role vsys webui policies nat-rulebase <enable|read-only|disable>
set shared admin-role <name> role vsys webui policies qos-rulebase <enable|read-only|disable>
set shared admin-role <name> role vsys webui policies pbf-rulebase <enable|read-only|disable>
set shared admin-role <name> role vsys webui policies ssl-decrypon-rulebase <enable|read-only|
disable>
set shared admin-role <name> role vsys webui policies network-packet-broker-rulebase <enable|
read-only|disable>
set shared admin-role <name> role vsys webui policies tunnel-inspect-rulebase <enable|read-only|
disable>
set shared admin-role <name> role vsys webui policies applicaon-override-rulebase <enable|
read-only|disable>
set shared admin-role <name> role vsys webui policies authencaon-rulebase <enable|read-only|
disable>
set shared admin-role <name> role vsys webui policies dos-rulebase <enable|read-only|disable>
set shared admin-role <name> role vsys webui policies sdwan-rulebase <enable|read-only|disable>
set shared admin-role <name> role vsys webui policies rule-hit-count-reset <enable|disable>
set shared admin-role <name> role vsys webui objects
set shared admin-role <name> role vsys webui objects addresses <enable|read-only|disable>
set shared admin-role <name> role vsys webui objects address-groups <enable|read-only|disable>
set shared admin-role <name> role vsys webui objects regions <enable|read-only|disable>

PAN-OS CLI Quick Start Version Version 10.1 632 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role vsys webui objects dynamic-user-groups <enable|read-only|
disable>
set shared admin-role <name> role vsys webui objects applicaons <enable|read-only|disable>
set shared admin-role <name> role vsys webui objects applicaon-groups <enable|read-only|
disable>
set shared admin-role <name> role vsys webui objects applicaon-filters <enable|read-only|
disable>
set shared admin-role <name> role vsys webui objects services <enable|read-only|disable>
set shared admin-role <name> role vsys webui objects service-groups <enable|read-only|disable>
set shared admin-role <name> role vsys webui objects tags <enable|read-only|disable>
set shared admin-role <name> role vsys webui objects devices <enable|read-only|disable>
set shared admin-role <name> role vsys webui objects global-protect
set shared admin-role <name> role vsys webui objects global-protect hip-objects <enable|read-
only|disable>
set shared admin-role <name> role vsys webui objects global-protect hip-profiles <enable|read-
only|disable>
set shared admin-role <name> role vsys webui objects dynamic-block-lists <enable|read-only|
disable>
set shared admin-role <name> role vsys webui objects custom-objects
set shared admin-role <name> role vsys webui objects custom-objects data-paerns <enable|
read-only|disable>
set shared admin-role <name> role vsys webui objects custom-objects spyware <enable|read-only|
disable>
set shared admin-role <name> role vsys webui objects custom-objects vulnerability <enable|read-
only|disable>
set shared admin-role <name> role vsys webui objects custom-objects url-category <enable|read-
only|disable>
set shared admin-role <name> role vsys webui objects security-profiles
set shared admin-role <name> role vsys webui objects security-profiles anvirus <enable|read-
only|disable>
set shared admin-role <name> role vsys webui objects security-profiles an-spyware <enable|
read-only|disable>
set shared admin-role <name> role vsys webui objects security-profiles vulnerability-protecon
<enable|read-only|disable>
set shared admin-role <name> role vsys webui objects security-profiles url-filtering <enable|read-
only|disable>
set shared admin-role <name> role vsys webui objects security-profiles file-blocking <enable|read-
only|disable>

PAN-OS CLI Quick Start Version Version 10.1 633 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role vsys webui objects security-profiles wildfire-analysis <enable|
read-only|disable>
set shared admin-role <name> role vsys webui objects security-profiles data-filtering <enable|
read-only|disable>
set shared admin-role <name> role vsys webui objects security-profiles dos-protecon <enable|
read-only|disable>
set shared admin-role <name> role vsys webui objects security-profile-groups <enable|read-only|
disable>
set shared admin-role <name> role vsys webui objects log-forwarding <enable|read-only|disable>
set shared admin-role <name> role vsys webui objects authencaon <enable|read-only|disable>
set shared admin-role <name> role vsys webui objects decrypon
set shared admin-role <name> role vsys webui objects decrypon decrypon-profile <enable|
read-only|disable>
set shared admin-role <name> role vsys webui objects packet-broker-profile <enable|read-only|
disable>
set shared admin-role <name> role vsys webui objects sdwan
set shared admin-role <name> role vsys webui objects sdwan sdwan-profile <enable|read-only|
disable>
set shared admin-role <name> role vsys webui objects sdwan sdwan-saas-quality-profile <enable|
read-only|disable>
set shared admin-role <name> role vsys webui objects sdwan sdwan-dist-profile <enable|read-
only|disable>
set shared admin-role <name> role vsys webui objects sdwan sdwan-error-correcon-profile
<enable|read-only|disable>
set shared admin-role <name> role vsys webui objects schedules <enable|read-only|disable>
set shared admin-role <name> role vsys webui network
set shared admin-role <name> role vsys webui network zones <enable|read-only|disable>
set shared admin-role <name> role vsys webui network global-protect
set shared admin-role <name> role vsys webui network global-protect portals <enable|read-only|
disable>
set shared admin-role <name> role vsys webui network global-protect gateways <enable|read-
only|disable>
set shared admin-role <name> role vsys webui network global-protect mdm <enable|read-only|
disable>
set shared admin-role <name> role vsys webui network global-protect clientless-apps <enable|
read-only|disable>
set shared admin-role <name> role vsys webui network global-protect clientless-app-groups
<enable|read-only|disable>

PAN-OS CLI Quick Start Version Version 10.1 634 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role vsys webui network sdwan-interface-profile <enable|read-
only|disable>
set shared admin-role <name> role vsys webui device
set shared admin-role <name> role vsys webui device setup
set shared admin-role <name> role vsys webui device setup management <read-only|disable>
set shared admin-role <name> role vsys webui device setup operaons <read-only|disable>
set shared admin-role <name> role vsys webui device setup services <enable|read-only|disable>
set shared admin-role <name> role vsys webui device setup interfaces <enable|read-only|disable>
set shared admin-role <name> role vsys webui device setup telemetry <read-only|disable>
set shared admin-role <name> role vsys webui device setup content-id <read-only|disable>
set shared admin-role <name> role vsys webui device setup wildfire <read-only|disable>
set shared admin-role <name> role vsys webui device setup session <read-only|disable>
set shared admin-role <name> role vsys webui device setup hsm <read-only|disable>
set shared admin-role <name> role vsys webui device administrators <read-only|disable>
set shared admin-role <name> role vsys webui device authencaon-profile <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device authencaon-sequence <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device user-idenficaon <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device data-redistribuon <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device device-quaranne <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device vm-info-source <enable|read-only|disable>
set shared admin-role <name> role vsys webui device troubleshoong <enable|read-only|disable>
set shared admin-role <name> role vsys webui device cerficate-management
set shared admin-role <name> role vsys webui device cerficate-management cerficates
<enable|read-only|disable>
set shared admin-role <name> role vsys webui device cerficate-management cerficate-profile
<enable|read-only|disable>
set shared admin-role <name> role vsys webui device cerficate-management ocsp-responder
<enable|read-only|disable>
set shared admin-role <name> role vsys webui device cerficate-management ssl-tls-service-
profile <enable|read-only|disable>
set shared admin-role <name> role vsys webui device cerficate-management scep <enable|read-
only|disable>

PAN-OS CLI Quick Start Version Version 10.1 635 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role vsys webui device cerficate-management ssl-decrypon-
exclusion <enable|read-only|disable>
set shared admin-role <name> role vsys webui device cerficate-management ssh-service-profile
<enable|read-only|disable>
set shared admin-role <name> role vsys webui device block-pages <enable|read-only|disable>
set shared admin-role <name> role vsys webui device log-sengs
set shared admin-role <name> role vsys webui device log-sengs system <read-only|disable>
set shared admin-role <name> role vsys webui device log-sengs config <read-only|disable>
set shared admin-role <name> role vsys webui device log-sengs iptag <read-only|disable>
set shared admin-role <name> role vsys webui device log-sengs user-id <read-only|disable>
set shared admin-role <name> role vsys webui device log-sengs hipmatch <read-only|disable>
set shared admin-role <name> role vsys webui device log-sengs globalprotect <read-only|
disable>
set shared admin-role <name> role vsys webui device log-sengs correlaon <read-only|disable>
set shared admin-role <name> role vsys webui device server-profile
set shared admin-role <name> role vsys webui device server-profile snmp-trap <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device server-profile syslog <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device server-profile email <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device server-profile hp <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device server-profile nelow <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device server-profile radius <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device server-profile tacplus <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device server-profile ldap <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device server-profile kerberos <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device server-profile saml_idp <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device server-profile dns <enable|read-only|
disable>

PAN-OS CLI Quick Start Version Version 10.1 636 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role vsys webui device server-profile mfa <enable|read-only|
disable>
set shared admin-role <name> role vsys webui device local-user-database
set shared admin-role <name> role vsys webui device local-user-database users <enable|read-
only|disable>
set shared admin-role <name> role vsys webui device local-user-database user-groups <enable|
read-only|disable>
set shared admin-role <name> role vsys webui device policy-recommendaons
set shared admin-role <name> role vsys webui device policy-recommendaons iot <enable|read-
only|disable>
set shared admin-role <name> role vsys webui device policy-recommendaons saas <enable|read-
only|disable>
set shared admin-role <name> role vsys webui operaons
set shared admin-role <name> role vsys webui operaons reboot <enable|disable>
set shared admin-role <name> role vsys webui operaons generate-tech-support-file <enable|
disable>
set shared admin-role <name> role vsys webui operaons generate-stats-dump-file <enable|
disable>
set shared admin-role <name> role vsys webui operaons download-core-files <enable|disable>
set shared admin-role <name> role vsys webui privacy
set shared admin-role <name> role vsys webui privacy show-full-ip-addresses <enable|disable>
set shared admin-role <name> role vsys webui privacy show-user-names-in-logs-and-reports
<enable|disable>
set shared admin-role <name> role vsys webui privacy view-pcap-files <enable|disable>
set shared admin-role <name> role vsys webui validate <enable|disable>
set shared admin-role <name> role vsys webui save
set shared admin-role <name> role vsys webui save paral-save <enable|disable>
set shared admin-role <name> role vsys webui save save-for-other-admins <enable|disable>
set shared admin-role <name> role vsys webui commit
set shared admin-role <name> role vsys webui commit virtual-systems <enable|disable>
set shared admin-role <name> role vsys webui commit commit-for-other-admins <enable|disable>
set shared admin-role <name> role vsys webui tasks <enable|disable>
set shared admin-role <name> role vsys xmlapi
set shared admin-role <name> role vsys xmlapi report <enable|disable>
set shared admin-role <name> role vsys xmlapi log <enable|disable>
set shared admin-role <name> role vsys xmlapi config <enable|disable>

PAN-OS CLI Quick Start Version Version 10.1 637 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role vsys xmlapi op <enable|disable>

set shared admin-role <name> role vsys xmlapi commit <enable|disable>
set shared admin-role <name> role vsys xmlapi user-id <enable|disable>
set shared admin-role <name> role vsys xmlapi iot <enable|disable>
set shared admin-role <name> role vsys xmlapi export <enable|disable>
set shared admin-role <name> role vsys xmlapi import <enable|disable>
set shared admin-role <name> role vsys cli <vsysadmin|vsysreader>
set shared admin-role <name> role vsys restapi
set shared admin-role <name> role vsys restapi objects
set shared admin-role <name> role vsys restapi objects addresses <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects address-groups <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects regions <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects dynamic-user-groups <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi objects applicaons <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects applicaon-groups <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi objects applicaon-filters <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi objects services <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects service-groups <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects tags <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects devices <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects globalprotect-hip-objects <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi objects globalprotect-hip-profiles <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi objects external-dynamic-lists <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi objects custom-data-paerns <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi objects custom-spyware-signatures <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi objects custom-vulnerability-signatures <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi objects custom-url-categories <enable|read-only|
disable>

PAN-OS CLI Quick Start Version Version 10.1 638 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role vsys restapi objects anvirus-security-profiles <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi objects an-spyware-security-profiles <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi objects vulnerability-protecon-security-profiles
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects url-filtering-security-profiles <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi objects file-blocking-security-profiles <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi objects wildfire-analysis-security-profiles <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi objects data-filtering-security-profiles <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi objects dos-protecon-security-profiles <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi objects security-profile-groups <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi objects log-forwarding-profiles <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi objects authencaon-enforcements <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi objects decrypon-profiles <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi objects packet-broker-profiles <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi objects schedules <enable|read-only|disable>
set shared admin-role <name> role vsys restapi objects sdwan-path-quality-profiles <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi objects sdwan-saas-quality-profiles <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi objects sdwan-traffic-distribuon-profiles <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi objects sdwan-error-correcon-profiles <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi policies
set shared admin-role <name> role vsys restapi policies security-rules <enable|read-only|disable>
set shared admin-role <name> role vsys restapi policies nat-rules <enable|read-only|disable>
set shared admin-role <name> role vsys restapi policies qos-rules <enable|read-only|disable>

PAN-OS CLI Quick Start Version Version 10.1 639 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared admin-role <name> role vsys restapi policies policy-based-forwarding-rules <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi policies decrypon-rules <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi policies network-packet-broker-rules <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi policies tunnel-inspecon-rules <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi policies applicaon-override-rules <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi policies authencaon-rules <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi policies dos-rules <enable|read-only|disable>
set shared admin-role <name> role vsys restapi policies sdwan-rules <enable|read-only|disable>
set shared admin-role <name> role vsys restapi network
set shared admin-role <name> role vsys restapi network zones <enable|read-only|disable>
set shared admin-role <name> role vsys restapi network globalprotect-portals <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi network globalprotect-gateways <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi network globalprotect-mdm-servers <enable|read-
only|disable>
set shared admin-role <name> role vsys restapi network globalprotect-clientless-apps <enable|
read-only|disable>
set shared admin-role <name> role vsys restapi network globalprotect-clientless-app-groups
<enable|read-only|disable>
set shared admin-role <name> role vsys restapi device
set shared admin-role <name> role vsys restapi device log-interface-seng <enable|read-only|
disable>
set shared admin-role <name> role vsys restapi device virtual-systems <enable|read-only|disable>
set shared admin-role <name> role vsys restapi system
set shared admin-role <name> role vsys restapi system configuraon <enable|read-only|disable>
set shared scep
set shared scep <name>
set shared scep <name> scep-challenge
set shared scep <name> scep-challenge none
set shared scep <name> scep-challenge fixed <value>

PAN-OS CLI Quick Start Version Version 10.1 640 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set shared scep <name> scep-challenge dynamic

set shared scep <name> scep-challenge dynamic otp-server-url <value>
set shared scep <name> scep-challenge dynamic otp-server-url <value>
set shared scep <name> scep-challenge dynamic username <value>
set shared scep <name> scep-challenge dynamic password <value>
set shared scep <name> scep-url <value>
set shared scep <name> scep-url <value>
set shared scep <name> scep-ca-cert <value>
set shared scep <name> scep-client-cert <value>
set shared scep <name> ca-identy-name <value>
set shared scep <name> subject <value>
set shared scep <name> algorithm
set shared scep <name> algorithm rsa
set shared scep <name> algorithm rsa rsa-nbits <value>
set shared scep <name> digest <value>
set shared scep <name> fingerprint <value>
set shared scep <name> cerficate-aributes
set shared scep <name> cerficate-aributes rfc822name <value>
set shared scep <name> cerficate-aributes dnsname <value>
set shared scep <name> cerficate-aributes uniform-resource-idenfier <value>
set shared scep <name> use-as-digital-signature <yes|no>
set shared scep <name> use-for-key-encipherment <yes|no>
set shared user-id-hub
set shared user-id-hub vsys <value>
set shared user-id-hub ip-user-mapping <yes|no>
set shared user-id-hub user-group-mapping <yes|no>
set vsys
set vsys <name>
set vsys <name> display-name <value>
set vsys <name> seng
set vsys <name> seng nat
set vsys <name> seng nat reserve-ip <yes|no>
set vsys <name> seng nat reserve-me <1-604800>

PAN-OS CLI Quick Start Version Version 10.1 641 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> seng ssl-decrypt

set vsys <name> seng ssl-decrypt allow-forward-decrypted-content <yes|no>
set vsys <name> seng ssl-decrypt url-wait <yes|no>
set vsys <name> seng ssl-decrypt url-proxy <yes|no>
set vsys <name> seng ssl-decrypt nofy-user <yes|no>
set vsys <name> seng ssl-decrypt answer-meout <1-86400>
set vsys <name> import
set vsys <name> import dns-proxy <value>
set vsys <name> import network
set vsys <name> import network interface [ <interface1> <interface2>... ]
set vsys <name> import network virtual-wire [ <virtual-wire1> <virtual-wire2>... ]
set vsys <name> import network vlan [ <vlan1> <vlan2>... ]
set vsys <name> import network virtual-router [ <virtual-router1> <virtual-router2>... ]
set vsys <name> import network logical-router [ <logical-router1> <logical-router2>... ]
set vsys <name> import resource
set vsys <name> import resource max-sessions <1-4194290>
set vsys <name> import resource max-site-to-site-vpn-tunnels <0-10000>
set vsys <name> import resource max-concurrent-ssl-vpn-tunnels <0-65535>
set vsys <name> import resource max-security-rules <0-65000>
set vsys <name> import resource max-nat-rules <0-16000>
set vsys <name> import resource max-ssl-decrypon-rules <0-5000>
set vsys <name> import resource max-qos-rules <0-8000>
set vsys <name> import resource max-applicaon-override-rules <0-4000>
set vsys <name> import resource max-pbf-rules <0-2000>
set vsys <name> import resource max-auth-rules <0-8000>
set vsys <name> import resource max-dos-rules <0-2000>
set vsys <name> import resource max-sdwan-rules <0-2000>
set vsys <name> import visible-vsys [ <visible-vsys1> <visible-vsys2>... ]
set vsys <name> route
set vsys <name> route service
set vsys <name> route service <name>
set vsys <name> route service <name> source
set vsys <name> route service <name> source interface <value>

PAN-OS CLI Quick Start Version Version 10.1 642 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> route service <name> source address <value>

set vsys <name> route service <name> source-v6
set vsys <name> route service <name> source-v6 interface <value>
set vsys <name> route service <name> source-v6 address <value>
set vsys <name> authencaon-profile
set vsys <name> authencaon-profile <name>
set vsys <name> authencaon-profile <name> username-modifier <value>|<validate>|<
%USERINPUT%|%USERINPUT%@%USERDOMAIN%|%USERDOMAIN%\%USERINPUT%>
set vsys <name> authencaon-profile <name> user-domain <value>
set vsys <name> authencaon-profile <name> single-sign-on
set vsys <name> authencaon-profile <name> single-sign-on realm <value>
set vsys <name> authencaon-profile <name> single-sign-on service-principal <value>
set vsys <name> authencaon-profile <name> single-sign-on kerberos-keytab <value>
set vsys <name> authencaon-profile <name> single-sign-on kerberos-keytab <value>
set vsys <name> authencaon-profile <name> lockout
set vsys <name> authencaon-profile <name> lockout failed-aempts <0-10>
set vsys <name> authencaon-profile <name> lockout lockout-me <0-60>
set vsys <name> authencaon-profile <name> allow-list [ <allow-list1> <allow-list2>... ]
set vsys <name> authencaon-profile <name> method
set vsys <name> authencaon-profile <name> method none
set vsys <name> authencaon-profile <name> method cloud
set vsys <name> authencaon-profile <name> method cloud region
set vsys <name> authencaon-profile <name> method cloud region region_id <value>
set vsys <name> authencaon-profile <name> method cloud region tenant
set vsys <name> authencaon-profile <name> method cloud region tenant tenant_id <value>
set vsys <name> authencaon-profile <name> method cloud region tenant profile
set vsys <name> authencaon-profile <name> method cloud region tenant profile profile_id
<value>
set vsys <name> authencaon-profile <name> method cloud region tenant profile mfa
set vsys <name> authencaon-profile <name> method cloud region tenant profile mfa force-mfa
<value>
set vsys <name> authencaon-profile <name> method cloud clock-skew <1-900>
set vsys <name> authencaon-profile <name> method local-database
set vsys <name> authencaon-profile <name> method radius

PAN-OS CLI Quick Start Version Version 10.1 643 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> authencaon-profile <name> method radius server-profile <value>

set vsys <name> authencaon-profile <name> method radius checkgroup <yes|no>
set vsys <name> authencaon-profile <name> method ldap
set vsys <name> authencaon-profile <name> method ldap server-profile <value>
set vsys <name> authencaon-profile <name> method ldap login-aribute <value>
set vsys <name> authencaon-profile <name> method ldap passwd-exp-days <0-255>
set vsys <name> authencaon-profile <name> method kerberos
set vsys <name> authencaon-profile <name> method kerberos server-profile <value>
set vsys <name> authencaon-profile <name> method kerberos realm <value>
set vsys <name> authencaon-profile <name> method tacplus
set vsys <name> authencaon-profile <name> method tacplus server-profile <value>
set vsys <name> authencaon-profile <name> method tacplus checkgroup <yes|no>
set vsys <name> authencaon-profile <name> method saml-idp
set vsys <name> authencaon-profile <name> method saml-idp server-profile <value>
set vsys <name> authencaon-profile <name> method saml-idp enable-single-logout <yes|no>
set vsys <name> authencaon-profile <name> method saml-idp request-signing-cerficate
<value>
set vsys <name> authencaon-profile <name> method saml-idp cerficate-profile <value>
set vsys <name> authencaon-profile <name> method saml-idp aribute-name-username
<value>
set vsys <name> authencaon-profile <name> method saml-idp aribute-name-usergroup
<value>
set vsys <name> authencaon-profile <name> method saml-idp aribute-name-admin-role
<value>
set vsys <name> authencaon-profile <name> method saml-idp aribute-name-access-domain
<value>
set vsys <name> authencaon-profile <name> mul-factor-auth
set vsys <name> authencaon-profile <name> mul-factor-auth mfa-enable <yes|no>
set vsys <name> authencaon-profile <name> mul-factor-auth factors [ <factors1>
<factors2>... ]
set vsys <name> authencaon-sequence
set vsys <name> authencaon-sequence <name>
set vsys <name> authencaon-sequence <name> use-domain-find-profile <yes|no>
set vsys <name> authencaon-sequence <name> authencaon-profiles [ <authencaon-
profiles1> <authencaon-profiles2>... ]
set vsys <name> cerficate-profile

PAN-OS CLI Quick Start Version Version 10.1 644 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> cerficate-profile <name>

set vsys <name> cerficate-profile <name> username-field
set vsys <name> cerficate-profile <name> username-field subject <common-name>
set vsys <name> cerficate-profile <name> username-field subject-alt <email|principal-name>
set vsys <name> cerficate-profile <name> domain <value>
set vsys <name> cerficate-profile <name> CA
set vsys <name> cerficate-profile <name> CA <name>
set vsys <name> cerficate-profile <name> CA <name> default-ocsp-url <value>
set vsys <name> cerficate-profile <name> CA <name> ocsp-verify-cert <value>
set vsys <name> cerficate-profile <name> CA <name> template-name <value>
set vsys <name> cerficate-profile <name> use-crl <yes|no>
set vsys <name> cerficate-profile <name> use-ocsp <yes|no>
set vsys <name> cerficate-profile <name> crl-receive-meout <1-60>
set vsys <name> cerficate-profile <name> ocsp-receive-meout <1-60>
set vsys <name> cerficate-profile <name> ocsp-exclude-nonce <yes|no>
set vsys <name> cerficate-profile <name> cert-status-meout <0-60>
set vsys <name> cerficate-profile <name> block-unknown-cert <yes|no>
set vsys <name> cerficate-profile <name> block-meout-cert <yes|no>
set vsys <name> cerficate-profile <name> block-unauthencated-cert <yes|no>
set vsys <name> cerficate-profile <name> block-expired-cert <yes|no>
set vsys <name> server-profile
set vsys <name> server-profile ldap
set vsys <name> server-profile ldap <name>
set vsys <name> server-profile ldap <name> ldap-type <acve-directory|e-directory|sun|other>
set vsys <name> server-profile ldap <name> server
set vsys <name> server-profile ldap <name> server <name>
set vsys <name> server-profile ldap <name> server <name> address <ip/netmask>|<value>
set vsys <name> server-profile ldap <name> server <name> port <1-65535>
set vsys <name> server-profile ldap <name> ssl <yes|no>
set vsys <name> server-profile ldap <name> ssl <yes>
set vsys <name> server-profile ldap <name> verify-server-cerficate <yes|no>
set vsys <name> server-profile ldap <name> disabled <yes|no>
set vsys <name> server-profile ldap <name> base <value>

PAN-OS CLI Quick Start Version Version 10.1 645 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> server-profile ldap <name> bind-dn <value>

set vsys <name> server-profile ldap <name> bind-password <value>
set vsys <name> server-profile ldap <name> melimit <1-30>
set vsys <name> server-profile ldap <name> bind-melimit <1-60>
set vsys <name> server-profile ldap <name> retry-interval <60-3600>
set vsys <name> server-profile radius
set vsys <name> server-profile radius <name>
set vsys <name> server-profile radius <name> meout <1-120>
set vsys <name> server-profile radius <name> retries <1-5>
set vsys <name> server-profile radius <name> protocol
set vsys <name> server-profile radius <name> protocol CHAP
set vsys <name> server-profile radius <name> protocol PAP
set vsys <name> server-profile radius <name> protocol PEAP-MSCHAPv2
set vsys <name> server-profile radius <name> protocol PEAP-MSCHAPv2 anon-outer-id <yes|no>
set vsys <name> server-profile radius <name> protocol PEAP-MSCHAPv2 allow-pwd-change
<yes|no>
set vsys <name> server-profile radius <name> protocol PEAP-MSCHAPv2 radius-cert-profile
<value>
set vsys <name> server-profile radius <name> protocol PEAP-with-GTC
set vsys <name> server-profile radius <name> protocol PEAP-with-GTC anon-outer-id <yes|no>
set vsys <name> server-profile radius <name> protocol PEAP-with-GTC radius-cert-profile
<value>
set vsys <name> server-profile radius <name> protocol EAP-TTLS-with-PAP
set vsys <name> server-profile radius <name> protocol EAP-TTLS-with-PAP anon-outer-id <yes|
no>
set vsys <name> server-profile radius <name> protocol EAP-TTLS-with-PAP radius-cert-profile
<value>
set vsys <name> server-profile radius <name> server
set vsys <name> server-profile radius <name> server <name>
set vsys <name> server-profile radius <name> server <name> ip-address <ip/netmask>|<value>
set vsys <name> server-profile radius <name> server <name> secret <value>
set vsys <name> server-profile radius <name> server <name> port <1-65535>
set vsys <name> server-profile kerberos
set vsys <name> server-profile kerberos <name>
set vsys <name> server-profile kerberos <name> server

PAN-OS CLI Quick Start Version Version 10.1 646 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> server-profile kerberos <name> server <name>

set vsys <name> server-profile kerberos <name> server <name> host <ip/netmask>|<value>
set vsys <name> server-profile kerberos <name> server <name> port <1-65535>
set vsys <name> server-profile tacplus
set vsys <name> server-profile tacplus <name>
set vsys <name> server-profile tacplus <name> meout <1-30>
set vsys <name> server-profile tacplus <name> use-single-connecon <yes|no>
set vsys <name> server-profile tacplus <name> protocol <CHAP|PAP>
set vsys <name> server-profile tacplus <name> server
set vsys <name> server-profile tacplus <name> server <name>
set vsys <name> server-profile tacplus <name> server <name> address <ip/netmask>|<value>
set vsys <name> server-profile tacplus <name> server <name> secret <value>
set vsys <name> server-profile tacplus <name> server <name> port <1-65535>
set vsys <name> server-profile saml-idp
set vsys <name> server-profile saml-idp <name>
set vsys <name> server-profile saml-idp <name> enty-id <value>
set vsys <name> server-profile saml-idp <name> cerficate <value>
set vsys <name> server-profile saml-idp <name> sso-url <value>
set vsys <name> server-profile saml-idp <name> sso-bindings <post|redirect>
set vsys <name> server-profile saml-idp <name> slo-url <value>
set vsys <name> server-profile saml-idp <name> slo-bindings <post|redirect>
set vsys <name> server-profile saml-idp <name> validate-idp-cerficate <yes|no>
set vsys <name> server-profile saml-idp <name> want-auth-requests-signed <yes|no>
set vsys <name> server-profile saml-idp <name> max-clock-skew <1-900>
set vsys <name> server-profile nelow
set vsys <name> server-profile nelow <name>
set vsys <name> server-profile nelow <name> template-refresh-rate
set vsys <name> server-profile nelow <name> template-refresh-rate minutes <1-3600>
set vsys <name> server-profile nelow <name> template-refresh-rate packets <1-600>
set vsys <name> server-profile nelow <name> acve-meout <1-60>
set vsys <name> server-profile nelow <name> export-enterprise-fields <yes|no>
set vsys <name> server-profile nelow <name> server
set vsys <name> server-profile nelow <name> server <name>

PAN-OS CLI Quick Start Version Version 10.1 647 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> server-profile nelow <name> server <name> host <ip/netmask>|<value>
set vsys <name> server-profile nelow <name> server <name> port <1-65535>
set vsys <name> server-profile dns
set vsys <name> server-profile dns <name>
set vsys <name> server-profile dns <name> inheritance
set vsys <name> server-profile dns <name> inheritance source <value>
set vsys <name> server-profile dns <name> primary <validate>|<ip/netmask>|<inherited>
set vsys <name> server-profile dns <name> secondary <validate>|<ip/netmask>|<inherited>
set vsys <name> server-profile dns <name> source
set vsys <name> server-profile dns <name> source interface <value>
set vsys <name> server-profile dns <name> source address <value>
set vsys <name> server-profile dns <name> source-v6
set vsys <name> server-profile dns <name> source-v6 interface <value>
set vsys <name> server-profile dns <name> source-v6 address <value>
set vsys <name> server-profile mfa-server-profile
set vsys <name> server-profile mfa-server-profile <name>
set vsys <name> server-profile mfa-server-profile <name> mfa-vendor-type <value>
set vsys <name> server-profile mfa-server-profile <name> mfa-cert-profile <value>
set vsys <name> server-profile mfa-server-profile <name> mfa-config
set vsys <name> server-profile mfa-server-profile <name> mfa-config <name>
set vsys <name> server-profile mfa-server-profile <name> mfa-config <name> value <value>
set vsys <name> dns-proxy
set vsys <name> dns-proxy <name>
set vsys <name> dns-proxy <name> enabled <yes|no>
set vsys <name> dns-proxy <name> interface [ <interface1> <interface2>... ]
set vsys <name> dns-proxy <name> server-profile <value>
set vsys <name> dns-proxy <name> domain-servers
set vsys <name> dns-proxy <name> domain-servers <name>
set vsys <name> dns-proxy <name> domain-servers <name> cacheable <yes|no>
set vsys <name> dns-proxy <name> domain-servers <name> domain-name [ <domain-name1>
<domain-name2>... ]
set vsys <name> dns-proxy <name> domain-servers <name> server-profile <value>
set vsys <name> dns-proxy <name> cache
set vsys <name> dns-proxy <name> cache enabled <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 648 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> dns-proxy <name> cache cache-edns <yes|no>

set vsys <name> dns-proxy <name> cache max-l
set vsys <name> dns-proxy <name> cache max-l enabled <yes|no>
set vsys <name> dns-proxy <name> cache max-l me-to-live <60-86400>
set vsys <name> dns-proxy <name> stac-entries
set vsys <name> dns-proxy <name> stac-entries <name>
set vsys <name> dns-proxy <name> stac-entries <name> domain <value>
set vsys <name> dns-proxy <name> stac-entries <name> address [ <address1> <address2>... ]
set vsys <name> dns-proxy <name> tcp-queries
set vsys <name> dns-proxy <name> tcp-queries enabled <yes|no>
set vsys <name> dns-proxy <name> tcp-queries max-pending-requests <64-256>
set vsys <name> dns-proxy <name> udp-queries
set vsys <name> dns-proxy <name> udp-queries retries
set vsys <name> dns-proxy <name> udp-queries retries interval <1-30>
set vsys <name> dns-proxy <name> udp-queries retries aempts <1-30>
set vsys <name> log-sengs
set vsys <name> log-sengs snmptrap
set vsys <name> log-sengs snmptrap <name>
set vsys <name> log-sengs snmptrap <name> version
set vsys <name> log-sengs snmptrap <name> version v2c
set vsys <name> log-sengs snmptrap <name> version v2c server
set vsys <name> log-sengs snmptrap <name> version v2c server <name>
set vsys <name> log-sengs snmptrap <name> version v2c server <name> manager <ip/
netmask>|<value>
set vsys <name> log-sengs snmptrap <name> version v2c server <name> community <value>
set vsys <name> log-sengs snmptrap <name> version v3
set vsys <name> log-sengs snmptrap <name> version v3 server
set vsys <name> log-sengs snmptrap <name> version v3 server <name>
set vsys <name> log-sengs snmptrap <name> version v3 server <name> manager <ip/
netmask>|<value>
set vsys <name> log-sengs snmptrap <name> version v3 server <name> user <value>
set vsys <name> log-sengs snmptrap <name> version v3 server <name> engineid <value>
set vsys <name> log-sengs snmptrap <name> version v3 server <name> authpwd <value>
set vsys <name> log-sengs snmptrap <name> version v3 server <name> privpwd <value>

PAN-OS CLI Quick Start Version Version 10.1 649 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> log-sengs snmptrap <name> version v3 server <name> authproto <SHA|
SHA-224|SHA-256|SHA-384|SHA-512>
set vsys <name> log-sengs snmptrap <name> version v3 server <name> privproto <AES|
AES-192|AES-256>
set vsys <name> log-sengs email
set vsys <name> log-sengs email <name>
set vsys <name> log-sengs email <name> server
set vsys <name> log-sengs email <name> server <name>
set vsys <name> log-sengs email <name> server <name> display-name <value>
set vsys <name> log-sengs email <name> server <name> from <value>
set vsys <name> log-sengs email <name> server <name> to <value>
set vsys <name> log-sengs email <name> server <name> and-also-to <value>
set vsys <name> log-sengs email <name> server <name> gateway <value>
set vsys <name> log-sengs email <name> server <name> protocol <SMTP|TLS>
set vsys <name> log-sengs email <name> server <name> port <1-65535>
set vsys <name> log-sengs email <name> server <name> tls-version <1.2|1.1>
set vsys <name> log-sengs email <name> server <name> auth <Auto|Login|Plain>
set vsys <name> log-sengs email <name> server <name> cerficate-profile <value>
set vsys <name> log-sengs email <name> server <name> username <value>
set vsys <name> log-sengs email <name> server <name> password <value>
set vsys <name> log-sengs email <name> format
set vsys <name> log-sengs email <name> format traffic <value>
set vsys <name> log-sengs email <name> format threat <value>
set vsys <name> log-sengs email <name> format wildfire <value>
set vsys <name> log-sengs email <name> format url <value>
set vsys <name> log-sengs email <name> format data <value>
set vsys <name> log-sengs email <name> format tunnel <value>
set vsys <name> log-sengs email <name> format auth <value>
set vsys <name> log-sengs email <name> format userid <value>
set vsys <name> log-sengs email <name> format iptag <value>
set vsys <name> log-sengs email <name> format decrypon <value>
set vsys <name> log-sengs email <name> format config <value>
set vsys <name> log-sengs email <name> format system <value>
set vsys <name> log-sengs email <name> format globalprotect <value>

PAN-OS CLI Quick Start Version Version 10.1 650 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> log-sengs email <name> format hip-match <value>

set vsys <name> log-sengs email <name> format correlaon <value>
set vsys <name> log-sengs email <name> format escaping
set vsys <name> log-sengs email <name> format escaping escaped-characters <value>
set vsys <name> log-sengs email <name> format escaping escape-character <value>
set vsys <name> log-sengs syslog
set vsys <name> log-sengs syslog <name>
set vsys <name> log-sengs syslog <name> server
set vsys <name> log-sengs syslog <name> server <name>
set vsys <name> log-sengs syslog <name> server <name> server <value>
set vsys <name> log-sengs syslog <name> server <name> transport <UDP|TCP|SSL>
set vsys <name> log-sengs syslog <name> server <name> port <1-65535>
set vsys <name> log-sengs syslog <name> server <name> format <BSD|IETF>
set vsys <name> log-sengs syslog <name> server <name> facility <LOG_USER|LOG_LOCAL0|
LOG_LOCAL1|LOG_LOCAL2|LOG_LOCAL3|LOG_LOCAL4|LOG_LOCAL5|LOG_LOCAL6|
LOG_LOCAL7>
set vsys <name> log-sengs syslog <name> format
set vsys <name> log-sengs syslog <name> format traffic <value>
set vsys <name> log-sengs syslog <name> format threat <value>
set vsys <name> log-sengs syslog <name> format wildfire <value>
set vsys <name> log-sengs syslog <name> format url <value>
set vsys <name> log-sengs syslog <name> format data <value>
set vsys <name> log-sengs syslog <name> format tunnel <value>
set vsys <name> log-sengs syslog <name> format auth <value>
set vsys <name> log-sengs syslog <name> format userid <value>
set vsys <name> log-sengs syslog <name> format iptag <value>
set vsys <name> log-sengs syslog <name> format decrypon <value>
set vsys <name> log-sengs syslog <name> format config <value>
set vsys <name> log-sengs syslog <name> format system <value>
set vsys <name> log-sengs syslog <name> format globalprotect <value>
set vsys <name> log-sengs syslog <name> format hip-match <value>
set vsys <name> log-sengs syslog <name> format correlaon <value>
set vsys <name> log-sengs syslog <name> format escaping
set vsys <name> log-sengs syslog <name> format escaping escaped-characters <value>

PAN-OS CLI Quick Start Version Version 10.1 651 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> log-sengs syslog <name> format escaping escape-character <value>
set vsys <name> log-sengs hp
set vsys <name> log-sengs hp <name>
set vsys <name> log-sengs hp <name> tag-registraon <yes|no>
set vsys <name> log-sengs hp <name> server
set vsys <name> log-sengs hp <name> server <name>
set vsys <name> log-sengs hp <name> server <name> address <value>
set vsys <name> log-sengs hp <name> server <name> protocol <HTTP|HTTPS>
set vsys <name> log-sengs hp <name> server <name> port <1-65535>
set vsys <name> log-sengs hp <name> server <name> tls-version <1.2|1.1|1.0>
set vsys <name> log-sengs hp <name> server <name> cerficate-profile <value>
set vsys <name> log-sengs hp <name> server <name> hp-method <value>
set vsys <name> log-sengs hp <name> server <name> username <value>
set vsys <name> log-sengs hp <name> server <name> password <value>
set vsys <name> log-sengs hp <name> format
set vsys <name> log-sengs hp <name> format config
set vsys <name> log-sengs hp <name> format config name <value>
set vsys <name> log-sengs hp <name> format config url-format <value>
set vsys <name> log-sengs hp <name> format config headers
set vsys <name> log-sengs hp <name> format config headers <name>
set vsys <name> log-sengs hp <name> format config headers <name> value <value>
set vsys <name> log-sengs hp <name> format config params
set vsys <name> log-sengs hp <name> format config params <name>
set vsys <name> log-sengs hp <name> format config params <name> value <value>
set vsys <name> log-sengs hp <name> format config payload <value>
set vsys <name> log-sengs hp <name> format system
set vsys <name> log-sengs hp <name> format system name <value>
set vsys <name> log-sengs hp <name> format system url-format <value>
set vsys <name> log-sengs hp <name> format system headers
set vsys <name> log-sengs hp <name> format system headers <name>
set vsys <name> log-sengs hp <name> format system headers <name> value <value>
set vsys <name> log-sengs hp <name> format system params
set vsys <name> log-sengs hp <name> format system params <name>

PAN-OS CLI Quick Start Version Version 10.1 652 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> log-sengs hp <name> format system params <name> value <value>
set vsys <name> log-sengs hp <name> format system payload <value>
set vsys <name> log-sengs hp <name> format traffic
set vsys <name> log-sengs hp <name> format traffic name <value>
set vsys <name> log-sengs hp <name> format traffic url-format <value>
set vsys <name> log-sengs hp <name> format traffic headers
set vsys <name> log-sengs hp <name> format traffic headers <name>
set vsys <name> log-sengs hp <name> format traffic headers <name> value <value>
set vsys <name> log-sengs hp <name> format traffic params
set vsys <name> log-sengs hp <name> format traffic params <name>
set vsys <name> log-sengs hp <name> format traffic params <name> value <value>
set vsys <name> log-sengs hp <name> format traffic payload <value>
set vsys <name> log-sengs hp <name> format threat
set vsys <name> log-sengs hp <name> format threat name <value>
set vsys <name> log-sengs hp <name> format threat url-format <value>
set vsys <name> log-sengs hp <name> format threat headers
set vsys <name> log-sengs hp <name> format threat headers <name>
set vsys <name> log-sengs hp <name> format threat headers <name> value <value>
set vsys <name> log-sengs hp <name> format threat params
set vsys <name> log-sengs hp <name> format threat params <name>
set vsys <name> log-sengs hp <name> format threat params <name> value <value>
set vsys <name> log-sengs hp <name> format threat payload <value>
set vsys <name> log-sengs hp <name> format wildfire
set vsys <name> log-sengs hp <name> format wildfire name <value>
set vsys <name> log-sengs hp <name> format wildfire url-format <value>
set vsys <name> log-sengs hp <name> format wildfire headers
set vsys <name> log-sengs hp <name> format wildfire headers <name>
set vsys <name> log-sengs hp <name> format wildfire headers <name> value <value>
set vsys <name> log-sengs hp <name> format wildfire params
set vsys <name> log-sengs hp <name> format wildfire params <name>
set vsys <name> log-sengs hp <name> format wildfire params <name> value <value>
set vsys <name> log-sengs hp <name> format wildfire payload <value>
set vsys <name> log-sengs hp <name> format url

PAN-OS CLI Quick Start Version Version 10.1 653 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> log-sengs hp <name> format url name <value>
set vsys <name> log-sengs hp <name> format url url-format <value>
set vsys <name> log-sengs hp <name> format url headers
set vsys <name> log-sengs hp <name> format url headers <name>
set vsys <name> log-sengs hp <name> format url headers <name> value <value>
set vsys <name> log-sengs hp <name> format url params
set vsys <name> log-sengs hp <name> format url params <name>
set vsys <name> log-sengs hp <name> format url params <name> value <value>
set vsys <name> log-sengs hp <name> format url payload <value>
set vsys <name> log-sengs hp <name> format data
set vsys <name> log-sengs hp <name> format data name <value>
set vsys <name> log-sengs hp <name> format data url-format <value>
set vsys <name> log-sengs hp <name> format data headers
set vsys <name> log-sengs hp <name> format data headers <name>
set vsys <name> log-sengs hp <name> format data headers <name> value <value>
set vsys <name> log-sengs hp <name> format data params
set vsys <name> log-sengs hp <name> format data params <name>
set vsys <name> log-sengs hp <name> format data params <name> value <value>
set vsys <name> log-sengs hp <name> format data payload <value>
set vsys <name> log-sengs hp <name> format tunnel
set vsys <name> log-sengs hp <name> format tunnel name <value>
set vsys <name> log-sengs hp <name> format tunnel url-format <value>
set vsys <name> log-sengs hp <name> format tunnel headers
set vsys <name> log-sengs hp <name> format tunnel headers <name>
set vsys <name> log-sengs hp <name> format tunnel headers <name> value <value>
set vsys <name> log-sengs hp <name> format tunnel params
set vsys <name> log-sengs hp <name> format tunnel params <name>
set vsys <name> log-sengs hp <name> format tunnel params <name> value <value>
set vsys <name> log-sengs hp <name> format tunnel payload <value>
set vsys <name> log-sengs hp <name> format auth
set vsys <name> log-sengs hp <name> format auth name <value>
set vsys <name> log-sengs hp <name> format auth url-format <value>
set vsys <name> log-sengs hp <name> format auth headers

PAN-OS CLI Quick Start Version Version 10.1 654 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> log-sengs hp <name> format auth headers <name>
set vsys <name> log-sengs hp <name> format auth headers <name> value <value>
set vsys <name> log-sengs hp <name> format auth params
set vsys <name> log-sengs hp <name> format auth params <name>
set vsys <name> log-sengs hp <name> format auth params <name> value <value>
set vsys <name> log-sengs hp <name> format auth payload <value>
set vsys <name> log-sengs hp <name> format userid
set vsys <name> log-sengs hp <name> format userid name <value>
set vsys <name> log-sengs hp <name> format userid url-format <value>
set vsys <name> log-sengs hp <name> format userid headers
set vsys <name> log-sengs hp <name> format userid headers <name>
set vsys <name> log-sengs hp <name> format userid headers <name> value <value>
set vsys <name> log-sengs hp <name> format userid params
set vsys <name> log-sengs hp <name> format userid params <name>
set vsys <name> log-sengs hp <name> format userid params <name> value <value>
set vsys <name> log-sengs hp <name> format userid payload <value>
set vsys <name> log-sengs hp <name> format iptag
set vsys <name> log-sengs hp <name> format iptag name <value>
set vsys <name> log-sengs hp <name> format iptag url-format <value>
set vsys <name> log-sengs hp <name> format iptag headers
set vsys <name> log-sengs hp <name> format iptag headers <name>
set vsys <name> log-sengs hp <name> format iptag headers <name> value <value>
set vsys <name> log-sengs hp <name> format iptag params
set vsys <name> log-sengs hp <name> format iptag params <name>
set vsys <name> log-sengs hp <name> format iptag params <name> value <value>
set vsys <name> log-sengs hp <name> format iptag payload <value>
set vsys <name> log-sengs hp <name> format decrypon
set vsys <name> log-sengs hp <name> format decrypon name <value>
set vsys <name> log-sengs hp <name> format decrypon url-format <value>
set vsys <name> log-sengs hp <name> format decrypon headers
set vsys <name> log-sengs hp <name> format decrypon headers <name>
set vsys <name> log-sengs hp <name> format decrypon headers <name> value <value>
set vsys <name> log-sengs hp <name> format decrypon params

PAN-OS CLI Quick Start Version Version 10.1 655 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> log-sengs hp <name> format decrypon params <name>
set vsys <name> log-sengs hp <name> format decrypon params <name> value <value>
set vsys <name> log-sengs hp <name> format decrypon payload <value>
set vsys <name> log-sengs hp <name> format globalprotect
set vsys <name> log-sengs hp <name> format globalprotect name <value>
set vsys <name> log-sengs hp <name> format globalprotect url-format <value>
set vsys <name> log-sengs hp <name> format globalprotect headers
set vsys <name> log-sengs hp <name> format globalprotect headers <name>
set vsys <name> log-sengs hp <name> format globalprotect headers <name> value <value>
set vsys <name> log-sengs hp <name> format globalprotect params
set vsys <name> log-sengs hp <name> format globalprotect params <name>
set vsys <name> log-sengs hp <name> format globalprotect params <name> value <value>
set vsys <name> log-sengs hp <name> format globalprotect payload <value>
set vsys <name> log-sengs hp <name> format hip-match
set vsys <name> log-sengs hp <name> format hip-match name <value>
set vsys <name> log-sengs hp <name> format hip-match url-format <value>
set vsys <name> log-sengs hp <name> format hip-match headers
set vsys <name> log-sengs hp <name> format hip-match headers <name>
set vsys <name> log-sengs hp <name> format hip-match headers <name> value <value>
set vsys <name> log-sengs hp <name> format hip-match params
set vsys <name> log-sengs hp <name> format hip-match params <name>
set vsys <name> log-sengs hp <name> format hip-match params <name> value <value>
set vsys <name> log-sengs hp <name> format hip-match payload <value>
set vsys <name> log-sengs hp <name> format correlaon
set vsys <name> log-sengs hp <name> format correlaon name <value>
set vsys <name> log-sengs hp <name> format correlaon url-format <value>
set vsys <name> log-sengs hp <name> format correlaon headers
set vsys <name> log-sengs hp <name> format correlaon headers <name>
set vsys <name> log-sengs hp <name> format correlaon headers <name> value <value>
set vsys <name> log-sengs hp <name> format correlaon params
set vsys <name> log-sengs hp <name> format correlaon params <name>
set vsys <name> log-sengs hp <name> format correlaon params <name> value <value>
set vsys <name> log-sengs hp <name> format correlaon payload <value>

PAN-OS CLI Quick Start Version Version 10.1 656 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> log-sengs profiles

set vsys <name> log-sengs profiles <name>
set vsys <name> log-sengs profiles <name> descripon <value>
set vsys <name> log-sengs profiles <name> enhanced-applicaon-logging <yes|no>
set vsys <name> log-sengs profiles <name> match-list
set vsys <name> log-sengs profiles <name> match-list <name>
set vsys <name> log-sengs profiles <name> match-list <name> acon-desc <value>
set vsys <name> log-sengs profiles <name> match-list <name> log-type <traffic|threat|wildfire|
url|data|tunnel|auth|decrypon>
set vsys <name> log-sengs profiles <name> match-list <name> filter <value>
set vsys <name> log-sengs profiles <name> match-list <name> send-to-panorama <yes|no>
set vsys <name> log-sengs profiles <name> match-list <name> send-snmptrap [ <send-
snmptrap1> <send-snmptrap2>... ]
set vsys <name> log-sengs profiles <name> match-list <name> send-email [ <send-email1>
<send-email2>... ]
set vsys <name> log-sengs profiles <name> match-list <name> send-syslog [ <send-syslog1>
<send-syslog2>... ]
set vsys <name> log-sengs profiles <name> match-list <name> send-hp [ <send-hp1> <send-
hp2>... ]
set vsys <name> log-sengs profiles <name> match-list <name> quaranne <yes|no>
set vsys <name> log-sengs profiles <name> match-list <name> acons
set vsys <name> log-sengs profiles <name> match-list <name> acons <name>
set vsys <name> log-sengs profiles <name> match-list <name> acons <name> type
set vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
set vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
target <source-address|desnaon-address|xff-address|user>
set vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
acon <add-tag|remove-tag>
set vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon
set vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon localhost
set vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon panorama
set vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon remote

PAN-OS CLI Quick Start Version Version 10.1 657 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
registraon remote hp-profile <value>
set vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
meout <0-43200>
set vsys <name> log-sengs profiles <name> match-list <name> acons <name> type tagging
tags [ <tags1> <tags2>... ]
set vsys <name> cerficate
set vsys <name> cerficate <name>
set vsys <name> cerficate <name> common-name <value>
set vsys <name> cerficate <name> algorithm <value>
set vsys <name> cerficate <name> not-valid-aer <value>
set vsys <name> cerficate <name> not-valid-before <value>
set vsys <name> cerficate <name> expiry-epoch <value>
set vsys <name> cerficate <name> subject <value>
set vsys <name> cerficate <name> subject-hash <value>
set vsys <name> cerficate <name> issuer <value>
set vsys <name> cerficate <name> issuer-hash <value>
set vsys <name> cerficate <name>
set vsys <name> cerficate <name> csr <value>
set vsys <name> cerficate <name> public-key <value>
set vsys <name> cerficate <name>
set vsys <name> cerficate <name> private-key <value>
set vsys <name> cerficate <name> private-key-on-hsm <yes|no>
set vsys <name> cerficate <name> status <valid|revoked>
set vsys <name> cerficate <name> revoke-date-epoch <value>
set vsys <name> ssl-tls-service-profile
set vsys <name> ssl-tls-service-profile <name>
set vsys <name> ssl-tls-service-profile <name> cerficate <value>
set vsys <name> ssl-tls-service-profile <name> protocol-sengs
set vsys <name> ssl-tls-service-profile <name> protocol-sengs min-version <tls1-0|tls1-1|
tls1-2>
set vsys <name> ssl-tls-service-profile <name> protocol-sengs max-version <tls1-0|tls1-1|tls1-2|
max>
set vsys <name> ssl-tls-service-profile <name> protocol-sengs keyxchg-algo-rsa <yes|no>
set vsys <name> ssl-tls-service-profile <name> protocol-sengs keyxchg-algo-dhe <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 658 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> ssl-tls-service-profile <name> protocol-sengs keyxchg-algo-ecdhe <yes|no>

set vsys <name> ssl-tls-service-profile <name> protocol-sengs enc-algo-3des <yes|no>
set vsys <name> ssl-tls-service-profile <name> protocol-sengs enc-algo-rc4 <yes|no>
set vsys <name> ssl-tls-service-profile <name> protocol-sengs enc-algo-aes-128-cbc <yes|no>
set vsys <name> ssl-tls-service-profile <name> protocol-sengs enc-algo-aes-256-cbc <yes|no>
set vsys <name> ssl-tls-service-profile <name> protocol-sengs enc-algo-aes-128-gcm <yes|no>
set vsys <name> ssl-tls-service-profile <name> protocol-sengs enc-algo-aes-256-gcm <yes|no>
set vsys <name> ssl-tls-service-profile <name> protocol-sengs auth-algo-sha1 <yes|no>
set vsys <name> ssl-tls-service-profile <name> protocol-sengs auth-algo-sha256 <yes|no>
set vsys <name> ssl-tls-service-profile <name> protocol-sengs auth-algo-sha384 <yes|no>
set vsys <name> response-page
set vsys <name> response-page applicaon-block-page <value>
set vsys <name> response-page capve-portal-text <value>
set vsys <name> response-page file-block-connue-page <value>
set vsys <name> response-page file-block-page <value>
set vsys <name> response-page ssl-cert-status-page <value>
set vsys <name> response-page ssl-optout-text <value>
set vsys <name> response-page url-block-page <value>
set vsys <name> response-page url-coach-text <value>
set vsys <name> response-page credenal-block-page <value>
set vsys <name> response-page credenal-coach-text <value>
set vsys <name> response-page virus-block-page <value>
set vsys <name> response-page data-filter-block-page <value>
set vsys <name> response-page safe-search-block-page <value>
set vsys <name> response-page saml-auth-internal-error-page <value>
set vsys <name> response-page mfa-login-page <value>
set vsys <name> response-page global-protect-portal-custom-login-page
set vsys <name> response-page global-protect-portal-custom-login-page <name>
set vsys <name> response-page global-protect-portal-custom-login-page <name> page <value>
set vsys <name> response-page global-protect-portal-custom-home-page
set vsys <name> response-page global-protect-portal-custom-home-page <name>
set vsys <name> response-page global-protect-portal-custom-home-page <name> page <value>
set vsys <name> response-page global-protect-portal-custom-help-page

PAN-OS CLI Quick Start Version Version 10.1 659 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> response-page global-protect-portal-custom-help-page <name>

set vsys <name> response-page global-protect-portal-custom-help-page <name> page <value>
set vsys <name> response-page global-protect-portal-custom-welcome-page
set vsys <name> response-page global-protect-portal-custom-welcome-page <name>
set vsys <name> response-page global-protect-portal-custom-welcome-page <name> page
<value>
set vsys <name> local-user-database
set vsys <name> local-user-database user
set vsys <name> local-user-database user <name>
set vsys <name> local-user-database user <name> phash <value>
set vsys <name> local-user-database user <name> disabled <yes|no>
set vsys <name> local-user-database user-group
set vsys <name> local-user-database user-group <name>
set vsys <name> local-user-database user-group <name> user [ <user1> <user2>... ]
set vsys <name> ssl-decrypt
set vsys <name> ssl-decrypt forward-trust-cerficate
set vsys <name> ssl-decrypt forward-trust-cerficate rsa <value>
set vsys <name> ssl-decrypt forward-trust-cerficate ecdsa <value>
set vsys <name> ssl-decrypt forward-untrust-cerficate
set vsys <name> ssl-decrypt forward-untrust-cerficate rsa <value>
set vsys <name> ssl-decrypt forward-untrust-cerficate ecdsa <value>
set vsys <name> ssl-decrypt ssl-exclude-cert
set vsys <name> ssl-decrypt ssl-exclude-cert <name>
set vsys <name> ssl-decrypt ssl-exclude-cert <name> descripon <value>
set vsys <name> ssl-decrypt ssl-exclude-cert <name> exclude <yes|no>
set vsys <name> ssl-decrypt root-ca-exclude-list [ <root-ca-exclude-list1> <root-ca-exclude-
list2>... ]
set vsys <name> ssl-decrypt trusted-root-CA [ <trusted-root-CA1> <trusted-root-CA2>... ]
set vsys <name> ocsp-responder
set vsys <name> ocsp-responder <name>
set vsys <name> ocsp-responder <name> host-name <value>
set vsys <name> scep
set vsys <name> scep <name>
set vsys <name> scep <name> scep-challenge

PAN-OS CLI Quick Start Version Version 10.1 660 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> scep <name> scep-challenge none

set vsys <name> scep <name> scep-challenge fixed <value>
set vsys <name> scep <name> scep-challenge dynamic
set vsys <name> scep <name> scep-challenge dynamic otp-server-url <value>
set vsys <name> scep <name> scep-challenge dynamic otp-server-url <value>
set vsys <name> scep <name> scep-challenge dynamic username <value>
set vsys <name> scep <name> scep-challenge dynamic password <value>
set vsys <name> scep <name> scep-url <value>
set vsys <name> scep <name> scep-url <value>
set vsys <name> scep <name> scep-ca-cert <value>
set vsys <name> scep <name> scep-client-cert <value>
set vsys <name> scep <name> ca-identy-name <value>
set vsys <name> scep <name> subject <value>
set vsys <name> scep <name> algorithm
set vsys <name> scep <name> algorithm rsa
set vsys <name> scep <name> algorithm rsa rsa-nbits <value>
set vsys <name> scep <name> digest <value>
set vsys <name> scep <name> fingerprint <value>
set vsys <name> scep <name> cerficate-aributes
set vsys <name> scep <name> cerficate-aributes rfc822name <value>
set vsys <name> scep <name> cerficate-aributes dnsname <value>
set vsys <name> scep <name> cerficate-aributes uniform-resource-idenfier <value>
set vsys <name> scep <name> use-as-digital-signature <yes|no>
set vsys <name> scep <name> use-for-key-encipherment <yes|no>
set vsys <name> url-content-types [ <url-content-types1> <url-content-types2>... ]
set vsys <name> ts-agent
set vsys <name> ts-agent <name>
set vsys <name> ts-agent <name> host <ip/netmask>|<value>
set vsys <name> ts-agent <name> port <1-65535>
set vsys <name> ts-agent <name> ip-list [ <ip-list1> <ip-list2>... ]
set vsys <name> ts-agent <name> disabled <yes|no>
set vsys <name> redistribuon-agent
set vsys <name> redistribuon-agent <name>

PAN-OS CLI Quick Start Version Version 10.1 661 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> redistribuon-agent <name>

set vsys <name> redistribuon-agent <name> serial-number <value>
set vsys <name> redistribuon-agent <name> host-port
set vsys <name> redistribuon-agent <name> host-port host <ip/netmask>|<value>
set vsys <name> redistribuon-agent <name> host-port ldap-proxy <yes|no>
set vsys <name> redistribuon-agent <name> host-port port <1-65535>
set vsys <name> redistribuon-agent <name> host-port collectorname <value>
set vsys <name> redistribuon-agent <name> host-port secret <value>
set vsys <name> redistribuon-agent <name> disabled <yes|no>
set vsys <name> redistribuon-agent <name> ip-user-mappings <yes|no>
set vsys <name> redistribuon-agent <name> ip-tags <yes|no>
set vsys <name> redistribuon-agent <name> user-tags <yes|no>
set vsys <name> redistribuon-agent <name> hip <yes|no>
set vsys <name> redistribuon-agent <name> quaranne-list <yes|no>
set vsys <name> ipuser-include-exclude-list
set vsys <name> ipuser-include-exclude-list include-exclude-network
set vsys <name> ipuser-include-exclude-list include-exclude-network <name>
set vsys <name> ipuser-include-exclude-list include-exclude-network <name> disabled <yes|no>
set vsys <name> ipuser-include-exclude-list include-exclude-network <name> discovery <include|
exclude>
set vsys <name> ipuser-include-exclude-list include-exclude-network <name> network-address
<ip/netmask>
set vsys <name> iptag-include-exclude-list
set vsys <name> iptag-include-exclude-list include-exclude-network
set vsys <name> iptag-include-exclude-list include-exclude-network <name>
set vsys <name> iptag-include-exclude-list include-exclude-network <name> disabled <yes|no>
set vsys <name> iptag-include-exclude-list include-exclude-network <name> discovery <include|
exclude>
set vsys <name> iptag-include-exclude-list include-exclude-network <name> network-address
<ip/netmask>
set vsys <name> redistribuon-collector
set vsys <name> redistribuon-collector seng
set vsys <name> redistribuon-collector seng collectorname <value>
set vsys <name> redistribuon-collector seng secret <value>
set vsys <name> user-id-ssl-auth

PAN-OS CLI Quick Start Version Version 10.1 662 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> user-id-ssl-auth cerficate-profile <value>

set vsys <name> vm-info-source
set vsys <name> vm-info-source <name>
set vsys <name> vm-info-source <name>
set vsys <name> vm-info-source <name> AWS-VPC
set vsys <name> vm-info-source <name> AWS-VPC descripon <value>
set vsys <name> vm-info-source <name> AWS-VPC disabled <yes|no>
set vsys <name> vm-info-source <name> AWS-VPC source <value>
set vsys <name> vm-info-source <name> AWS-VPC access-key-id <value>
set vsys <name> vm-info-source <name> AWS-VPC secret-access-key <value>
set vsys <name> vm-info-source <name> AWS-VPC update-interval <60-1200>
set vsys <name> vm-info-source <name> AWS-VPC vm-info-meout-enable <yes|no>
set vsys <name> vm-info-source <name> AWS-VPC vm-info-meout <2-10>
set vsys <name> vm-info-source <name> AWS-VPC vpc-id <value>
set vsys <name> vm-info-source <name> Google-Compute-Engine
set vsys <name> vm-info-source <name> Google-Compute-Engine descripon <value>
set vsys <name> vm-info-source <name> Google-Compute-Engine disabled <yes|no>
set vsys <name> vm-info-source <name> Google-Compute-Engine service-auth-type
set vsys <name> vm-info-source <name> Google-Compute-Engine service-auth-type service-in-
gce
set vsys <name> vm-info-source <name> Google-Compute-Engine service-auth-type service-
account
set vsys <name> vm-info-source <name> Google-Compute-Engine service-auth-type service-
account service-account-cred <value>
set vsys <name> vm-info-source <name> Google-Compute-Engine project-id <value>
set vsys <name> vm-info-source <name> Google-Compute-Engine zone-name <value>
set vsys <name> vm-info-source <name> Google-Compute-Engine update-interval <60-1200>
set vsys <name> vm-info-source <name> Google-Compute-Engine vm-info-meout-enable <yes|
no>
set vsys <name> vm-info-source <name> Google-Compute-Engine vm-info-meout <2-10>
set vsys <name> vm-info-source <name> VMware-ESXi
set vsys <name> vm-info-source <name> VMware-ESXi descripon <value>
set vsys <name> vm-info-source <name> VMware-ESXi port <1-65535>
set vsys <name> vm-info-source <name> VMware-ESXi disabled <yes|no>
set vsys <name> vm-info-source <name> VMware-ESXi vm-info-meout-enable <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 663 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> vm-info-source <name> VMware-ESXi vm-info-meout <2-10>

set vsys <name> vm-info-source <name> VMware-ESXi source <ip/netmask>|<value>
set vsys <name> vm-info-source <name> VMware-ESXi username <value>
set vsys <name> vm-info-source <name> VMware-ESXi password <value>
set vsys <name> vm-info-source <name> VMware-ESXi update-interval <5-600>
set vsys <name> vm-info-source <name> VMware-vCenter
set vsys <name> vm-info-source <name> VMware-vCenter descripon <value>
set vsys <name> vm-info-source <name> VMware-vCenter port <1-65535>
set vsys <name> vm-info-source <name> VMware-vCenter disabled <yes|no>
set vsys <name> vm-info-source <name> VMware-vCenter vm-info-meout-enable <yes|no>
set vsys <name> vm-info-source <name> VMware-vCenter vm-info-meout <2-10>
set vsys <name> vm-info-source <name> VMware-vCenter source <ip/netmask>|<value>
set vsys <name> vm-info-source <name> VMware-vCenter username <value>
set vsys <name> vm-info-source <name> VMware-vCenter password <value>
set vsys <name> vm-info-source <name> VMware-vCenter update-interval <5-600>
set vsys <name> group-mapping
set vsys <name> group-mapping <name>
set vsys <name> group-mapping <name> server-profile <value>
set vsys <name> group-mapping <name> disabled <yes|no>
set vsys <name> group-mapping <name> use-ldap-for-serialno-check <yes|no>
set vsys <name> group-mapping <name> use-modify-mestamp <yes|no>
set vsys <name> group-mapping <name> limited-group-search <yes|no>
set vsys <name> group-mapping <name> nested-group-level <1-20>
set vsys <name> group-mapping <name> group-filter <value>
set vsys <name> group-mapping <name> user-filter <value>
set vsys <name> group-mapping <name> domain <value>
set vsys <name> group-mapping <name> update-interval <60-86400>
set vsys <name> group-mapping <name> group-object [ <group-object1> <group-object2>... ]
set vsys <name> group-mapping <name> group-member [ <group-member1> <group-
member2>... ]
set vsys <name> group-mapping <name> group-name [ <group-name1> <group-name2>... ]
set vsys <name> group-mapping <name> user-object [ <user-object1> <user-object2>... ]
set vsys <name> group-mapping <name> user-name [ <user-name1> <user-name2>... ]
set vsys <name> group-mapping <name> user-email [ <user-email1> <user-email2>... ]

PAN-OS CLI Quick Start Version Version 10.1 664 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> group-mapping <name> group-email [ <group-email1> <group-email2>... ]

set vsys <name> group-mapping <name> alternate-user-name-1 [ <alternate-user-name-11>
<alternate-user-name-12>... ]
set vsys <name> group-mapping <name> alternate-user-name-2 [ <alternate-user-name-21>
<alternate-user-name-22>... ]
set vsys <name> group-mapping <name> alternate-user-name-3 [ <alternate-user-name-31>
<alternate-user-name-32>... ]
set vsys <name> group-mapping <name> container-object [ <container-object1> <container-
object2>... ]
set vsys <name> group-mapping <name> last-modify-ar [ <last-modify-ar1> <last-modify-
ar2>... ]
set vsys <name> group-mapping <name> group-include-list [ <group-include-list1> <group-
include-list2>... ]
set vsys <name> group-mapping <name> custom-group
set vsys <name> group-mapping <name> custom-group <name>
set vsys <name> group-mapping <name> custom-group <name> ldap-filter <value>
set vsys <name> cloud-identy-engine
set vsys <name> cloud-identy-engine <name>
set vsys <name> cloud-identy-engine <name> region <value>
set vsys <name> cloud-identy-engine <name> cloud-identy-engine-instance <value>
set vsys <name> cloud-identy-engine <name> domain <value>
set vsys <name> cloud-identy-engine <name> update-interval <5-1440>
set vsys <name> cloud-identy-engine <name> enabled <yes|no>
set vsys <name> cloud-identy-engine <name> primary-user <value>
set vsys <name> cloud-identy-engine <name> user-email <value>
set vsys <name> cloud-identy-engine <name> alt-username-1 <value>
set vsys <name> cloud-identy-engine <name> alt-username-2 <value>
set vsys <name> cloud-identy-engine <name> alt-username-3 <value>
set vsys <name> cloud-identy-engine <name> group-name <value>
set vsys <name> cloud-identy-engine <name> group-email <value>
set vsys <name> cloud-identy-engine <name> endpoint-serial-number <value>
set vsys <name> capve-portal
set vsys <name> capve-portal enable-capve-portal <yes|no>
set vsys <name> capve-portal idle-mer <1-1440>
set vsys <name> capve-portal mer <1-1440>

PAN-OS CLI Quick Start Version Version 10.1 665 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> capve-portal redirect-host <ip/netmask>|<value>

set vsys <name> capve-portal ssl-tls-service-profile <value>
set vsys <name> capve-portal gp-udp-port <1-65535>
set vsys <name> capve-portal mode
set vsys <name> capve-portal mode transparent
set vsys <name> capve-portal mode redirect
set vsys <name> capve-portal mode redirect session-cookie
set vsys <name> capve-portal mode redirect session-cookie enable <yes|no>
set vsys <name> capve-portal mode redirect session-cookie meout <60-10080>
set vsys <name> capve-portal mode redirect session-cookie roaming <yes|no>
set vsys <name> capve-portal authencaon-profile <value>
set vsys <name> capve-portal cerficate-profile <value>
set vsys <name> user-id-collector
set vsys <name> user-id-collector seng
set vsys <name> user-id-collector seng wmi-account <value>
set vsys <name> user-id-collector seng wmi-password <value>
set vsys <name> user-id-collector seng domain-name <value>
set vsys <name> user-id-collector seng server-profile <value>
set vsys <name> user-id-collector seng enable-security-log <yes|no>
set vsys <name> user-id-collector seng security-log-interval <1-3600>
set vsys <name> user-id-collector seng enable-session <yes|no>
set vsys <name> user-id-collector seng session-interval <1-3600>
set vsys <name> user-id-collector seng edirectory-query-interval <1-3600>
set vsys <name> user-id-collector seng enable-probing <yes|no>
set vsys <name> user-id-collector seng client-probing-interval <1-1440>
set vsys <name> user-id-collector seng enable-mapping-meout <yes|no>
set vsys <name> user-id-collector seng ip-user-mapping-meout <1-1440>
set vsys <name> user-id-collector seng enable-user-match <yes|no>
set vsys <name> user-id-collector seng syslog-service-profile <value>
set vsys <name> user-id-collector syslog-parse-profile
set vsys <name> user-id-collector syslog-parse-profile <name>
set vsys <name> user-id-collector syslog-parse-profile <name> descripon <value>
set vsys <name> user-id-collector syslog-parse-profile <name>

PAN-OS CLI Quick Start Version Version 10.1 666 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> user-id-collector syslog-parse-profile <name> regex-idenfier

set vsys <name> user-id-collector syslog-parse-profile <name> regex-idenfier event-regex
<value>
set vsys <name> user-id-collector syslog-parse-profile <name> regex-idenfier username-regex
<value>
set vsys <name> user-id-collector syslog-parse-profile <name> regex-idenfier address-regex
<value>
set vsys <name> user-id-collector syslog-parse-profile <name> field-idenfier
set vsys <name> user-id-collector syslog-parse-profile <name> field-idenfier event-string
<value>
set vsys <name> user-id-collector syslog-parse-profile <name> field-idenfier username-prefix
<value>
set vsys <name> user-id-collector syslog-parse-profile <name> field-idenfier username-delimiter
<value>
set vsys <name> user-id-collector syslog-parse-profile <name> field-idenfier address-prefix
<value>
set vsys <name> user-id-collector syslog-parse-profile <name> field-idenfier address-delimiter
<value>
set vsys <name> user-id-collector syslog-parse-profile <name> field-idenfier address-per-log
<1-3>
set vsys <name> user-id-collector server-monitor
set vsys <name> user-id-collector server-monitor <name>
set vsys <name> user-id-collector server-monitor <name> descripon <value>
set vsys <name> user-id-collector server-monitor <name> disabled <yes|no>
set vsys <name> user-id-collector server-monitor <name>
set vsys <name> user-id-collector server-monitor <name> acve-directory
set vsys <name> user-id-collector server-monitor <name> acve-directory type <WMI|WinRM-
HTTP|WinRM-HTTPS>
set vsys <name> user-id-collector server-monitor <name> acve-directory host <ip/netmask>|
<value>
set vsys <name> user-id-collector server-monitor <name> exchange
set vsys <name> user-id-collector server-monitor <name> exchange type <WMI|WinRM-HTTP|
WinRM-HTTPS>
set vsys <name> user-id-collector server-monitor <name> exchange host <ip/netmask>|<value>
set vsys <name> user-id-collector server-monitor <name> e-directory
set vsys <name> user-id-collector server-monitor <name> e-directory server-profile <value>
set vsys <name> user-id-collector server-monitor <name> syslog

PAN-OS CLI Quick Start Version Version 10.1 667 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> user-id-collector server-monitor <name> syslog address <ip/netmask>

set vsys <name> user-id-collector server-monitor <name> syslog connecon-type <udp|ssl>
set vsys <name> user-id-collector server-monitor <name> syslog syslog-parse-profile
set vsys <name> user-id-collector server-monitor <name> syslog syslog-parse-profile <name>
set vsys <name> user-id-collector server-monitor <name> syslog syslog-parse-profile <name>
event-type <login|logout>
set vsys <name> user-id-collector server-monitor <name> syslog default-domain-name <value>
set vsys <name> user-id-collector include-exclude-network
set vsys <name> user-id-collector include-exclude-network <name>
set vsys <name> user-id-collector include-exclude-network <name> disabled <yes|no>
set vsys <name> user-id-collector include-exclude-network <name> discovery <include|exclude>
set vsys <name> user-id-collector include-exclude-network <name> network-address <ip/
netmask>
set vsys <name> user-id-collector include-exclude-network-sequence
set vsys <name> user-id-collector include-exclude-network-sequence include-exclude-network
[ <include-exclude-network1> <include-exclude-network2>... ]
set vsys <name> user-id-collector ignore-user [ <ignore-user1> <ignore-user2>... ]
set vsys <name> url-admin-override
set vsys <name> url-admin-override password <value>
set vsys <name> url-admin-override ssl-tls-service-profile <value>
set vsys <name> url-admin-override mode
set vsys <name> url-admin-override mode transparent
set vsys <name> url-admin-override mode redirect
set vsys <name> url-admin-override mode redirect address <ip/netmask>|<value>
set vsys <name> zone
set vsys <name> zone <name>
set vsys <name> zone <name> enable-user-idenficaon <yes|no>
set vsys <name> zone <name> enable-device-idenficaon <yes|no>
set vsys <name> zone <name> network
set vsys <name> zone <name> network zone-protecon-profile <value>
set vsys <name> zone <name> network enable-packet-buffer-protecon <yes|no>
set vsys <name> zone <name> network log-seng <value>
set vsys <name> zone <name> network
set vsys <name> zone <name> network tap [ <tap1> <tap2>... ]

PAN-OS CLI Quick Start Version Version 10.1 668 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> zone <name> network virtual-wire [ <virtual-wire1> <virtual-wire2>... ]

set vsys <name> zone <name> network layer2 [ <layer21> <layer22>... ]
set vsys <name> zone <name> network layer3 [ <layer31> <layer32>... ]
set vsys <name> zone <name> network external [ <external1> <external2>... ]
set vsys <name> zone <name> network tunnel
set vsys <name> zone <name> user-acl
set vsys <name> zone <name> user-acl include-list [ <include-list1> <include-list2>... ]
set vsys <name> zone <name> user-acl exclude-list [ <exclude-list1> <exclude-list2>... ]
set vsys <name> zone <name> device-acl
set vsys <name> zone <name> device-acl include-list [ <include-list1> <include-list2>... ]
set vsys <name> zone <name> device-acl exclude-list [ <exclude-list1> <exclude-list2>... ]
set vsys <name> sdwan-interface-profile
set vsys <name> sdwan-interface-profile <name>
set vsys <name> sdwan-interface-profile <name> link-tag <value>
set vsys <name> sdwan-interface-profile <name> link-type <ADSL/DSL|Cablemodem|Ethernet|
Fiber|LTE/3G/4G/5G|MPLS|Microwave/Radio|Satellite|WiFi|Other>
set vsys <name> sdwan-interface-profile <name> vpn-data-tunnel-support <yes|no>
set vsys <name> sdwan-interface-profile <name> maximum-download <float>
set vsys <name> sdwan-interface-profile <name> maximum-upload <float>
set vsys <name> sdwan-interface-profile <name> error-correcon <yes|no>
set vsys <name> sdwan-interface-profile <name> path-monitoring <Aggressive|Relaxed>
set vsys <name> sdwan-interface-profile <name> vpn-failover-metric <1-65535>
set vsys <name> sdwan-interface-profile <name> probe-frequency <1-5>
set vsys <name> sdwan-interface-profile <name> probe-idle-me <1-86400>
set vsys <name> sdwan-interface-profile <name> failback-hold-me <20-120>
set vsys <name> sdwan-interface-profile <name> comment <value>
set vsys <name> global-protect
set vsys <name> global-protect global-protect-portal
set vsys <name> global-protect global-protect-portal <name>
set vsys <name> global-protect global-protect-portal <name> portal-config
set vsys <name> global-protect global-protect-portal <name> portal-config local-address
set vsys <name> global-protect global-protect-portal <name> portal-config local-address ip-
address-family <ipv4|ipv6|ipv4_ipv6>

PAN-OS CLI Quick Start Version Version 10.1 669 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-portal <name> portal-config local-address interface

<value>
set vsys <name> global-protect global-protect-portal <name> portal-config local-address
set vsys <name> global-protect global-protect-portal <name> portal-config local-address ip
set vsys <name> global-protect global-protect-portal <name> portal-config local-address ip ipv4
<value>
set vsys <name> global-protect global-protect-portal <name> portal-config local-address ip ipv6
<value>
set vsys <name> global-protect global-protect-portal <name> portal-config local-address floang-
ip
set vsys <name> global-protect global-protect-portal <name> portal-config local-address floang-
ip ipv4 <value>
set vsys <name> global-protect global-protect-portal <name> portal-config local-address floang-
ip ipv6 <value>
set vsys <name> global-protect global-protect-portal <name> portal-config ssl-tls-service-profile
<value>
set vsys <name> global-protect global-protect-portal <name> portal-config client-auth
set vsys <name> global-protect global-protect-portal <name> portal-config client-auth <name>
set vsys <name> global-protect global-protect-portal <name> portal-config client-auth <name> os
<value>|<Any|Browser|Satellite>
set vsys <name> global-protect global-protect-portal <name> portal-config client-auth <name>
authencaon-profile <value>
set vsys <name> global-protect global-protect-portal <name> portal-config client-auth <name>
auto-retrieve-passcode <yes|no>
set vsys <name> global-protect global-protect-portal <name> portal-config client-auth <name>
username-label <value>
set vsys <name> global-protect global-protect-portal <name> portal-config client-auth <name>
password-label <value>
set vsys <name> global-protect global-protect-portal <name> portal-config client-auth <name>
authencaon-message <value>
set vsys <name> global-protect global-protect-portal <name> portal-config client-auth <name>
user-credenal-or-client-cert-required <no|yes>
set vsys <name> global-protect global-protect-portal <name> portal-config cerficate-profile
<value>
set vsys <name> global-protect global-protect-portal <name> portal-config custom-login-page
<value>
set vsys <name> global-protect global-protect-portal <name> portal-config custom-home-page
<value>

PAN-OS CLI Quick Start Version Version 10.1 670 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-portal <name> portal-config custom-help-page

<value>
set vsys <name> global-protect global-protect-portal <name> portal-config log-success <yes|no>
set vsys <name> global-protect global-protect-portal <name> portal-config log-fail <yes|no>
set vsys <name> global-protect global-protect-portal <name> portal-config log-seng <value>
set vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
set vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
cerficate-profile <value>
set vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks
set vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks windows
set vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks windows registry-key
set vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks windows registry-key <name>
set vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks windows registry-key <name> registry-value [ <registry-value1> <registry-
value2>... ]
set vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks mac-os
set vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks mac-os plist
set vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks mac-os plist <name>
set vsys <name> global-protect global-protect-portal <name> portal-config config-selecon
custom-checks mac-os plist <name> key [ <key1> <key2>... ]
set vsys <name> global-protect global-protect-portal <name> clientless-vpn
set vsys <name> global-protect global-protect-portal <name> clientless-vpn hostname <value>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn security-zone
<value>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn login-lifeme
set vsys <name> global-protect global-protect-portal <name> clientless-vpn login-lifeme minutes
<60-1440>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn login-lifeme hours
<1-24>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn inacvity-logout
set vsys <name> global-protect global-protect-portal <name> clientless-vpn inacvity-logout
minutes <5-1440>

PAN-OS CLI Quick Start Version Version 10.1 671 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-portal <name> clientless-vpn inacvity-logout

hours <1-24>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn max-user <1-30000>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn dns-proxy <value>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol min-version <sslv3|tls1-0|tls1-1|tls1-2>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol max-version <sslv3|tls1-0|tls1-1|tls1-2|max>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol keyxchg-algo-rsa <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol keyxchg-algo-dhe <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol keyxchg-algo-ecdhe <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol enc-algo-3des <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol enc-algo-rc4 <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol enc-algo-aes-128-cbc <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol enc-algo-aes-256-cbc <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol enc-algo-aes-128-gcm <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol enc-algo-aes-256-gcm <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol auth-algo-md5 <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol auth-algo-sha1 <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol auth-algo-sha256 <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs ssl-
protocol auth-algo-sha384 <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs
server-cert-verificaon

PAN-OS CLI Quick Start Version Version 10.1 672 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs

server-cert-verificaon block-expired-cerficate <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs
server-cert-verificaon block-untrusted-issuer <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs
server-cert-verificaon block-unknown-cert <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn crypto-sengs
server-cert-verificaon block-meout-cert <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn rewrite-exclude-
domain-list [ <rewrite-exclude-domain-list1> <rewrite-exclude-domain-list2>... ]
set vsys <name> global-protect global-protect-portal <name> clientless-vpn apps-to-user-
mapping
set vsys <name> global-protect global-protect-portal <name> clientless-vpn apps-to-user-
mapping <name>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn apps-to-user-
mapping <name> source-user [ <source-user1> <source-user2>... ]
set vsys <name> global-protect global-protect-portal <name> clientless-vpn apps-to-user-
mapping <name> applicaons [ <applicaons1> <applicaons2>... ]
set vsys <name> global-protect global-protect-portal <name> clientless-vpn apps-to-user-
mapping <name> enable-custom-app-URL-address-bar <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn apps-to-user-
mapping <name> display-global-protect-agent-download-link <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn proxy-server-seng
set vsys <name> global-protect global-protect-portal <name> clientless-vpn proxy-server-seng
<name>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn proxy-server-seng
<name> domains [ <domains1> <domains2>... ]
set vsys <name> global-protect global-protect-portal <name> clientless-vpn proxy-server-seng
<name> use-proxy <yes|no>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn proxy-server-seng
<name> proxy-server
set vsys <name> global-protect global-protect-portal <name> clientless-vpn proxy-server-seng
<name> proxy-server server <value>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn proxy-server-seng
<name> proxy-server port <1-65535>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn proxy-server-seng
<name> proxy-server user <value>
set vsys <name> global-protect global-protect-portal <name> clientless-vpn proxy-server-seng
<name> proxy-server password <value>
set vsys <name> global-protect global-protect-portal <name> client-config

PAN-OS CLI Quick Start Version Version 10.1 673 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-portal <name> client-config root-ca

set vsys <name> global-protect global-protect-portal <name> client-config root-ca <name>
set vsys <name> global-protect global-protect-portal <name> client-config root-ca <name> install-
in-cert-store <yes|no>
set vsys <name> global-protect global-protect-portal <name> client-config agent-user-override-
key <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> save-
user-credenals <0|1|2|3>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
portal-2fa <yes|no>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
internal-gateway-2fa <yes|no>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> auto-
discovery-external-gateway-2fa <yes|no>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
manual-only-gateway-2fa <yes|no>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
source-user [ <source-user1> <source-user2>... ]
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
cerficate
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
cerficate criteria
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
cerficate criteria cerficate-profile <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria registry-key
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria registry-key <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria registry-key <name> default-value-data <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria registry-key <name> negate <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 674 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-portal <name> client-config configs <name>

custom-checks criteria registry-key <name> registry-value
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria registry-key <name> registry-value <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria registry-key <name> registry-value <name> value-data <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria registry-key <name> registry-value <name> negate <yes|no>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria plist
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria plist <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria plist <name> negate <yes|no>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria plist <name> key
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria plist <name> key <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria plist <name> key <name> value <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
custom-checks criteria plist <name> key <name> negate <yes|no>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
machine-account-exists-with-serialno
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
machine-account-exists-with-serialno no
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
machine-account-exists-with-serialno yes
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
refresh-config <yes|no>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal list
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal list <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal list <name>

PAN-OS CLI Quick Start Version Version 10.1 675 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-portal <name> client-config configs <name>

gateways internal list <name> fqdn <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal list <name> ip
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal list <name> ip ipv4 <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal list <name> ip ipv6 <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal list <name> source-ip [ <source-ip1> <source-ip2>... ]
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways internal dhcp-opon-code [ <dhcp-opon-code1> <dhcp-opon-code2>... ]
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external cutoff-me <0-10>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name> fqdn <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name> ip
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name> ip ipv4 <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name> ip ipv6 <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name> priority-rule
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name> priority-rule <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name> priority-rule <name> priority <0|1|2|3|4|5>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
gateways external list <name> manual <yes|no>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
internal-host-detecon

PAN-OS CLI Quick Start Version Version 10.1 676 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-portal <name> client-config configs <name>

internal-host-detecon ip-address <ip/netmask>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
internal-host-detecon hostname <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
internal-host-detecon-v6
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
internal-host-detecon-v6 ip-address <ip/netmask>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
internal-host-detecon-v6 hostname <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> agent-
ui
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> agent-
ui passcode <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> agent-
ui uninstall-password <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> agent-
ui agent-user-override-meout <0-65535>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> agent-
ui max-agent-user-overrides <0-65535>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> agent-
ui welcome-page
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> agent-
ui welcome-page page <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon cerficate-profile <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon exclusion
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon exclusion category
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon exclusion category <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon exclusion category <name> vendor
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon exclusion category <name> vendor <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon exclusion category <name> vendor <name> product [ <product1> <product2>... ]

PAN-OS CLI Quick Start Version Version 10.1 677 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks windows
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks windows registry-key
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks windows registry-key <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
hip-collecon custom-checks windows registry-key <name> registry-value [ <registry-value1>
<registry-value2>... ]
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks windows process-list [ <process-list1> <process-list2>... ]
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks mac-os
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks mac-os plist
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks mac-os plist <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks mac-os plist <name> key [ <key1> <key2>... ]
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks mac-os process-list [ <process-list1> <process-list2>... ]
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks linux
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon custom-checks linux process-list [ <process-list1> <process-list2>... ]
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon max-wait-me <10-60>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> hip-
collecon collect-hip-data <yes|no>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> third-
party-vpn-clients [ <third-party-vpn-clients1> <third-party-vpn-clients2>... ]
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> agent-
config
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> gp-
app-config
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> gp-
app-config config

PAN-OS CLI Quick Start Version Version 10.1 678 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-portal <name> client-config configs <name> gp-
app-config config <name>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> gp-
app-config config <name> value [ <value1> <value2>... ]
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> os
[ <os1> <os2>... ]
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> mdm-
address <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> mdm-
enrollment-port <443|7443|8443>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> client-
cerficate
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> client-
cerficate local <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name> client-
cerficate scep <value>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
authencaon-override
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
authencaon-override generate-cookie <yes|no>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
authencaon-override accept-cookie
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
authencaon-override accept-cookie cookie-lifeme
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
authencaon-override accept-cookie cookie-lifeme lifeme-in-days <1-365>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
authencaon-override accept-cookie cookie-lifeme lifeme-in-hours <1-72>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
authencaon-override accept-cookie cookie-lifeme lifeme-in-minutes <1-59>
set vsys <name> global-protect global-protect-portal <name> client-config configs <name>
authencaon-override cookie-encrypt-decrypt-cert <value>
set vsys <name> global-protect global-protect-portal <name> satellite-config
set vsys <name> global-protect global-protect-portal <name> satellite-config root-ca [ <root-ca1>
<root-ca2>... ]
set vsys <name> global-protect global-protect-portal <name> satellite-config client-cerficate
set vsys <name> global-protect global-protect-portal <name> satellite-config client-cerficate
local
set vsys <name> global-protect global-protect-portal <name> satellite-config client-cerficate
local issuing-cerficate <value>

PAN-OS CLI Quick Start Version Version 10.1 679 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-portal <name> satellite-config client-cerficate

local ocsp-responder <value>
set vsys <name> global-protect global-protect-portal <name> satellite-config client-cerficate
local cerficate-life-me <7-365>
set vsys <name> global-protect global-protect-portal <name> satellite-config client-cerficate
local cerficate-renewal-period <3-30>
set vsys <name> global-protect global-protect-portal <name> satellite-config client-cerficate
scep
set vsys <name> global-protect global-protect-portal <name> satellite-config client-cerficate
scep scep <value>
set vsys <name> global-protect global-protect-portal <name> satellite-config client-cerficate
scep cerficate-renewal-period <3-30>
set vsys <name> global-protect global-protect-portal <name> satellite-config configs
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
devices [ <devices1> <devices2>... ]
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
source-user [ <source-user1> <source-user2>... ]
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways <name>
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways <name>
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways <name> fqdn <value>
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways <name> ip
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways <name> ip ipv4 <value>
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways <name> ip ipv6 <value>
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways <name> ipv6-preferred <yes|no>
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
gateways <name> priority <1-25>
set vsys <name> global-protect global-protect-portal <name> satellite-config configs <name>
config-refresh-interval <1-48>
set vsys <name> global-protect global-protect-gateway

PAN-OS CLI Quick Start Version Version 10.1 680 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-gateway <name>

set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel <value>
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name>
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> source-user [ <source-user1> <source-user2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> authencaon-override
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> authencaon-override generate-cookie <yes|no>
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> authencaon-override accept-cookie
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> authencaon-override accept-cookie cookie-lifeme
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> authencaon-override accept-cookie cookie-lifeme lifeme-in-days <1-365>
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> authencaon-override accept-cookie cookie-lifeme lifeme-in-hours <1-72>
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> authencaon-override accept-cookie cookie-lifeme lifeme-in-minutes <1-59>
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> authencaon-override cookie-encrypt-decrypt-cert <value>
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> os [ <os1> <os2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> source-address
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> source-address region [ <region1> <region2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> source-address ip-address [ <ip-address1> <ip-address2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> dns-server [ <dns-server1> <dns-server2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> dns-suffix [ <dns-suffix1> <dns-suffix2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> ip-pool [ <ip-pool1> <ip-pool2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling

PAN-OS CLI Quick Start Version Version 10.1 681 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs

<name> split-tunneling access-route [ <access-route1> <access-route2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling exclude-access-route [ <exclude-access-route1> <exclude-access-
route2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling include-applicaons [ <include-applicaons1> <include-applicaons2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling include-domains
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling include-domains list
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling include-domains list <name>
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling include-domains list <name> ports [ <ports1> <ports2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-
configs <name> split-tunneling exclude-applicaons [ <exclude-applicaons1> <exclude-
applicaons2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling exclude-domains
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling exclude-domains list
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling exclude-domains list <name>
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> split-tunneling exclude-domains list <name> ports [ <ports1> <ports2>... ]
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> no-direct-access-to-local-network <yes|no>
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> retrieve-framed-ip-address <yes|no>
set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs
<name> authencaon-server-ip-pool [ <authencaon-server-ip-pool1> <authencaon-server-
ip-pool2>... ]
set vsys <name> global-protect global-protect-gateway <name> ssl-tls-service-profile <value>
set vsys <name> global-protect global-protect-gateway <name> client-auth
set vsys <name> global-protect global-protect-gateway <name> client-auth <name>
set vsys <name> global-protect global-protect-gateway <name> client-auth <name> os <value>|
<Any|Satellite|X-Auth>
set vsys <name> global-protect global-protect-gateway <name> client-auth <name>
authencaon-profile <value>

PAN-OS CLI Quick Start Version Version 10.1 682 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-gateway <name> client-auth <name> auto-

retrieve-passcode <yes|no>
set vsys <name> global-protect global-protect-gateway <name> client-auth <name> username-
label <value>
set vsys <name> global-protect global-protect-gateway <name> client-auth <name> password-
label <value>
set vsys <name> global-protect global-protect-gateway <name> client-auth <name>
authencaon-message <value>
set vsys <name> global-protect global-protect-gateway <name> client-auth <name> user-
credenal-or-client-cert-required <no|yes>
set vsys <name> global-protect global-protect-gateway <name> cerficate-profile <value>
set vsys <name> global-protect global-protect-gateway <name> satellite-tunnel <value>
set vsys <name> global-protect global-protect-gateway <name> tunnel-mode <yes|no>
set vsys <name> global-protect global-protect-gateway <name> local-address
set vsys <name> global-protect global-protect-gateway <name> local-address ip-address-family
<ipv4|ipv6|ipv4_ipv6>
set vsys <name> global-protect global-protect-gateway <name> local-address interface <value>
set vsys <name> global-protect global-protect-gateway <name> local-address
set vsys <name> global-protect global-protect-gateway <name> local-address ip
set vsys <name> global-protect global-protect-gateway <name> local-address ip ipv4 <value>
set vsys <name> global-protect global-protect-gateway <name> local-address ip ipv6 <value>
set vsys <name> global-protect global-protect-gateway <name> local-address floang-ip
set vsys <name> global-protect global-protect-gateway <name> local-address floang-ip ipv4
<value>
set vsys <name> global-protect global-protect-gateway <name> local-address floang-ip ipv6
<value>
set vsys <name> global-protect global-protect-gateway <name> security-restricons
set vsys <name> global-protect global-protect-gateway <name> security-restricons disallow-
automac-restoraon <yes|no>
set vsys <name> global-protect global-protect-gateway <name> security-restricons source-ip-
enforcement
set vsys <name> global-protect global-protect-gateway <name> security-restricons source-ip-
enforcement enable <yes|no>
set vsys <name> global-protect global-protect-gateway <name> security-restricons source-ip-
enforcement
set vsys <name> global-protect global-protect-gateway <name> security-restricons source-ip-
enforcement default

PAN-OS CLI Quick Start Version Version 10.1 683 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-gateway <name> security-restricons source-ip-

enforcement custom
set vsys <name> global-protect global-protect-gateway <name> security-restricons source-ip-
enforcement custom source-ipv4-netmask <0-32>
set vsys <name> global-protect global-protect-gateway <name> security-restricons source-ip-
enforcement custom source-ipv6-netmask <0-128>
set vsys <name> global-protect global-protect-gateway <name> block-quaranned-devices <yes|
no>
set vsys <name> global-protect global-protect-gateway <name> roles
set vsys <name> global-protect global-protect-gateway <name> roles <name>
set vsys <name> global-protect global-protect-gateway <name> roles <name> login-lifeme
set vsys <name> global-protect global-protect-gateway <name> roles <name> login-lifeme
minutes <120-43200>
set vsys <name> global-protect global-protect-gateway <name> roles <name> login-lifeme hours
<2-720>
set vsys <name> global-protect global-protect-gateway <name> roles <name> login-lifeme days
<1-30>
set vsys <name> global-protect global-protect-gateway <name> roles <name> inacvity-logout
<5-43200>
set vsys <name> global-protect global-protect-gateway <name> hip-noficaon
set vsys <name> global-protect global-protect-gateway <name> hip-noficaon <name>
set vsys <name> global-protect global-protect-gateway <name> hip-noficaon <name> match-
message
set vsys <name> global-protect global-protect-gateway <name> hip-noficaon <name> match-
message include-app-list <yes|no>
set vsys <name> global-protect global-protect-gateway <name> hip-noficaon <name> match-
message show-noficaon-as <system-tray-balloon|pop-up-message>
set vsys <name> global-protect global-protect-gateway <name> hip-noficaon <name> match-
message message <value>
set vsys <name> global-protect global-protect-gateway <name> hip-noficaon <name> not-
match-message
set vsys <name> global-protect global-protect-gateway <name> hip-noficaon <name> not-
match-message show-noficaon-as <system-tray-balloon|pop-up-message>
set vsys <name> global-protect global-protect-gateway <name> hip-noficaon <name> not-
match-message message <value>
set vsys <name> global-protect global-protect-gateway <name> log-success <yes|no>
set vsys <name> global-protect global-protect-gateway <name> log-fail <yes|no>
set vsys <name> global-protect global-protect-gateway <name> log-seng <value>

PAN-OS CLI Quick Start Version Version 10.1 684 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> global-protect global-protect-mdm

set vsys <name> global-protect global-protect-mdm <name>
set vsys <name> global-protect global-protect-mdm <name> disabled <yes|no>
set vsys <name> global-protect global-protect-mdm <name> host <value>
set vsys <name> global-protect global-protect-mdm <name> port <1-65535>
set vsys <name> global-protect global-protect-mdm <name> root-ca [ <root-ca1> <root-ca2>... ]
set vsys <name> global-protect global-protect-mdm <name> client-cerficate <value>
set vsys <name> global-protect clientless-app
set vsys <name> global-protect clientless-app <name>
set vsys <name> global-protect clientless-app <name> applicaon-home-url <value>
set vsys <name> global-protect clientless-app <name> descripon <value>
set vsys <name> global-protect clientless-app <name> app-icon <value>
set vsys <name> global-protect clientless-app-group
set vsys <name> global-protect clientless-app-group <name>
set vsys <name> global-protect clientless-app-group <name> members [ <members1>
<members2>... ]
set vsys <name> profiles
set vsys <name> profiles hip-objects
set vsys <name> profiles hip-objects <name>
set vsys <name> profiles hip-objects <name> descripon <value>
set vsys <name> profiles hip-objects <name> host-info
set vsys <name> profiles hip-objects <name> host-info criteria
set vsys <name> profiles hip-objects <name> host-info criteria domain
set vsys <name> profiles hip-objects <name> host-info criteria domain
set vsys <name> profiles hip-objects <name> host-info criteria domain contains <value>
set vsys <name> profiles hip-objects <name> host-info criteria domain is <value>
set vsys <name> profiles hip-objects <name> host-info criteria domain is-not <value>
set vsys <name> profiles hip-objects <name> host-info criteria os
set vsys <name> profiles hip-objects <name> host-info criteria os
set vsys <name> profiles hip-objects <name> host-info criteria os contains
set vsys <name> profiles hip-objects <name> host-info criteria os contains
set vsys <name> profiles hip-objects <name> host-info criteria os contains Microso <value>
set vsys <name> profiles hip-objects <name> host-info criteria os contains Apple <value>
set vsys <name> profiles hip-objects <name> host-info criteria os contains Google <value>

PAN-OS CLI Quick Start Version Version 10.1 685 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles hip-objects <name> host-info criteria os contains Linux <value>
set vsys <name> profiles hip-objects <name> host-info criteria os contains Other <value>
set vsys <name> profiles hip-objects <name> host-info criteria client-version
set vsys <name> profiles hip-objects <name> host-info criteria client-version
set vsys <name> profiles hip-objects <name> host-info criteria client-version contains <value>
set vsys <name> profiles hip-objects <name> host-info criteria client-version is <value>
set vsys <name> profiles hip-objects <name> host-info criteria client-version is-not <value>
set vsys <name> profiles hip-objects <name> host-info criteria host-name
set vsys <name> profiles hip-objects <name> host-info criteria host-name
set vsys <name> profiles hip-objects <name> host-info criteria host-name contains <value>
set vsys <name> profiles hip-objects <name> host-info criteria host-name is <value>
set vsys <name> profiles hip-objects <name> host-info criteria host-name is-not <value>
set vsys <name> profiles hip-objects <name> host-info criteria host-id
set vsys <name> profiles hip-objects <name> host-info criteria host-id
set vsys <name> profiles hip-objects <name> host-info criteria host-id contains <value>
set vsys <name> profiles hip-objects <name> host-info criteria host-id is <value>
set vsys <name> profiles hip-objects <name> host-info criteria host-id is-not <value>
set vsys <name> profiles hip-objects <name> host-info criteria managed <no|yes>
set vsys <name> profiles hip-objects <name> host-info criteria serial-number
set vsys <name> profiles hip-objects <name> host-info criteria serial-number
set vsys <name> profiles hip-objects <name> host-info criteria serial-number contains <value>
set vsys <name> profiles hip-objects <name> host-info criteria serial-number is <value>
set vsys <name> profiles hip-objects <name> host-info criteria serial-number is-not <value>
set vsys <name> profiles hip-objects <name> network-info
set vsys <name> profiles hip-objects <name> network-info criteria
set vsys <name> profiles hip-objects <name> network-info criteria network
set vsys <name> profiles hip-objects <name> network-info criteria network is
set vsys <name> profiles hip-objects <name> network-info criteria network is wifi
set vsys <name> profiles hip-objects <name> network-info criteria network is wifi ssid <value>
set vsys <name> profiles hip-objects <name> network-info criteria network is mobile
set vsys <name> profiles hip-objects <name> network-info criteria network is mobile carrier
<value>
set vsys <name> profiles hip-objects <name> network-info criteria network is unknown
set vsys <name> profiles hip-objects <name> network-info criteria network is-not

PAN-OS CLI Quick Start Version Version 10.1 686 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles hip-objects <name> network-info criteria network is-not wifi
set vsys <name> profiles hip-objects <name> network-info criteria network is-not wifi ssid
<value>
set vsys <name> profiles hip-objects <name> network-info criteria network is-not mobile
set vsys <name> profiles hip-objects <name> network-info criteria network is-not mobile carrier
<value>
set vsys <name> profiles hip-objects <name> network-info criteria network is-not ethernet
set vsys <name> profiles hip-objects <name> network-info criteria network is-not unknown
set vsys <name> profiles hip-objects <name> patch-management
set vsys <name> profiles hip-objects <name> patch-management criteria
set vsys <name> profiles hip-objects <name> patch-management criteria is-installed <yes|no>
set vsys <name> profiles hip-objects <name> patch-management criteria is-enabled <no|yes|not-
available>
set vsys <name> profiles hip-objects <name> patch-management criteria missing-patches
set vsys <name> profiles hip-objects <name> patch-management criteria missing-patches severity
set vsys <name> profiles hip-objects <name> patch-management criteria missing-patches severity
set vsys <name> profiles hip-objects <name> patch-management criteria missing-patches severity
greater-equal <0-100000>
set vsys <name> profiles hip-objects <name> patch-management criteria missing-patches severity
greater-than <0-100000>
set vsys <name> profiles hip-objects <name> patch-management criteria missing-patches severity
is <0-100000>
set vsys <name> profiles hip-objects <name> patch-management criteria missing-patches severity
is-not <0-100000>
set vsys <name> profiles hip-objects <name> patch-management criteria missing-patches severity
less-equal <0-100000>
set vsys <name> profiles hip-objects <name> patch-management criteria missing-patches severity
less-than <0-100000>
set vsys <name> profiles hip-objects <name> patch-management criteria missing-patches patches
[ <patches1> <patches2>... ]
set vsys <name> profiles hip-objects <name> patch-management criteria missing-patches check
<has-any|has-none|has-all>
set vsys <name> profiles hip-objects <name> patch-management vendor
set vsys <name> profiles hip-objects <name> patch-management vendor <name>
set vsys <name> profiles hip-objects <name> patch-management vendor <name> product
[ <product1> <product2>... ]
set vsys <name> profiles hip-objects <name> patch-management exclude-vendor <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 687 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles hip-objects <name> data-loss-prevenon

set vsys <name> profiles hip-objects <name> data-loss-prevenon criteria
set vsys <name> profiles hip-objects <name> data-loss-prevenon criteria is-installed <yes|no>
set vsys <name> profiles hip-objects <name> data-loss-prevenon criteria is-enabled <no|yes|not-
available>
set vsys <name> profiles hip-objects <name> data-loss-prevenon vendor
set vsys <name> profiles hip-objects <name> data-loss-prevenon vendor <name>
set vsys <name> profiles hip-objects <name> data-loss-prevenon vendor <name> product
[ <product1> <product2>... ]
set vsys <name> profiles hip-objects <name> data-loss-prevenon exclude-vendor <yes|no>
set vsys <name> profiles hip-objects <name> firewall
set vsys <name> profiles hip-objects <name> firewall criteria
set vsys <name> profiles hip-objects <name> firewall criteria is-installed <yes|no>
set vsys <name> profiles hip-objects <name> firewall criteria is-enabled <no|yes|not-available>
set vsys <name> profiles hip-objects <name> firewall vendor
set vsys <name> profiles hip-objects <name> firewall vendor <name>
set vsys <name> profiles hip-objects <name> firewall vendor <name> product [ <product1>
<product2>... ]
set vsys <name> profiles hip-objects <name> firewall exclude-vendor <yes|no>
set vsys <name> profiles hip-objects <name> an-malware
set vsys <name> profiles hip-objects <name> an-malware criteria
set vsys <name> profiles hip-objects <name> an-malware criteria virdef-version
set vsys <name> profiles hip-objects <name> an-malware criteria virdef-version
set vsys <name> profiles hip-objects <name> an-malware criteria virdef-version within
set vsys <name> profiles hip-objects <name> an-malware criteria virdef-version within days
<1-65535>
set vsys <name> profiles hip-objects <name> an-malware criteria virdef-version within versions
<1-65535>
set vsys <name> profiles hip-objects <name> an-malware criteria virdef-version not-within
set vsys <name> profiles hip-objects <name> an-malware criteria virdef-version not-within days
<1-65535>
set vsys <name> profiles hip-objects <name> an-malware criteria virdef-version not-within
versions <1-65535>
set vsys <name> profiles hip-objects <name> an-malware criteria product-version
set vsys <name> profiles hip-objects <name> an-malware criteria product-version

PAN-OS CLI Quick Start Version Version 10.1 688 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles hip-objects <name> an-malware criteria product-version greater-equal
<value>
set vsys <name> profiles hip-objects <name> an-malware criteria product-version greater-than
<value>
set vsys <name> profiles hip-objects <name> an-malware criteria product-version is <value>
set vsys <name> profiles hip-objects <name> an-malware criteria product-version is-not <value>
set vsys <name> profiles hip-objects <name> an-malware criteria product-version less-equal
<value>
set vsys <name> profiles hip-objects <name> an-malware criteria product-version less-than
<value>
set vsys <name> profiles hip-objects <name> an-malware criteria product-version contains
<value>
set vsys <name> profiles hip-objects <name> an-malware criteria product-version within
set vsys <name> profiles hip-objects <name> an-malware criteria product-version within
versions <1-1>
set vsys <name> profiles hip-objects <name> an-malware criteria product-version not-within
set vsys <name> profiles hip-objects <name> an-malware criteria product-version not-within
versions <1-1>
set vsys <name> profiles hip-objects <name> an-malware criteria is-installed <yes|no>
set vsys <name> profiles hip-objects <name> an-malware criteria real-me-protecon <no|yes|
not-available>
set vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me
set vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me
set vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me not-available
set vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me within
set vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me within days
<1-65535>
set vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me within hours
<1-65535>
set vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me not-within
set vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me not-within days
<1-65535>
set vsys <name> profiles hip-objects <name> an-malware criteria last-scan-me not-within
hours <1-65535>
set vsys <name> profiles hip-objects <name> an-malware vendor
set vsys <name> profiles hip-objects <name> an-malware vendor <name>
set vsys <name> profiles hip-objects <name> an-malware vendor <name> product [ <product1>
<product2>... ]

PAN-OS CLI Quick Start Version Version 10.1 689 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles hip-objects <name> an-malware exclude-vendor <yes|no>

set vsys <name> profiles hip-objects <name> disk-backup
set vsys <name> profiles hip-objects <name> disk-backup criteria
set vsys <name> profiles hip-objects <name> disk-backup criteria is-installed <yes|no>
set vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me
set vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me
set vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me not-available
set vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me within
set vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me within days
<1-65535>
set vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me within hours
<1-65535>
set vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me not-within
set vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me not-within
days <1-65535>
set vsys <name> profiles hip-objects <name> disk-backup criteria last-backup-me not-within
hours <1-65535>
set vsys <name> profiles hip-objects <name> disk-backup vendor
set vsys <name> profiles hip-objects <name> disk-backup vendor <name>
set vsys <name> profiles hip-objects <name> disk-backup vendor <name> product [ <product1>
<product2>... ]
set vsys <name> profiles hip-objects <name> disk-backup exclude-vendor <yes|no>
set vsys <name> profiles hip-objects <name> disk-encrypon
set vsys <name> profiles hip-objects <name> disk-encrypon criteria
set vsys <name> profiles hip-objects <name> disk-encrypon criteria is-installed <yes|no>
set vsys <name> profiles hip-objects <name> disk-encrypon criteria encrypted-locaons
set vsys <name> profiles hip-objects <name> disk-encrypon criteria encrypted-locaons <name>
set vsys <name> profiles hip-objects <name> disk-encrypon criteria encrypted-locaons <name>
encrypon-state
set vsys <name> profiles hip-objects <name> disk-encrypon criteria encrypted-locaons <name>
encrypon-state is <encrypted|unencrypted|paral|unknown>
set vsys <name> profiles hip-objects <name> disk-encrypon criteria encrypted-locaons <name>
encrypon-state is-not <encrypted|unencrypted|paral|unknown>
set vsys <name> profiles hip-objects <name> disk-encrypon vendor
set vsys <name> profiles hip-objects <name> disk-encrypon vendor <name>

PAN-OS CLI Quick Start Version Version 10.1 690 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles hip-objects <name> disk-encrypon vendor <name> product
[ <product1> <product2>... ]
set vsys <name> profiles hip-objects <name> disk-encrypon exclude-vendor <yes|no>
set vsys <name> profiles hip-objects <name> custom-checks
set vsys <name> profiles hip-objects <name> custom-checks criteria
set vsys <name> profiles hip-objects <name> custom-checks criteria process-list
set vsys <name> profiles hip-objects <name> custom-checks criteria process-list <name>
set vsys <name> profiles hip-objects <name> custom-checks criteria process-list <name> running
<yes|no>
set vsys <name> profiles hip-objects <name> custom-checks criteria registry-key
set vsys <name> profiles hip-objects <name> custom-checks criteria registry-key <name>
set vsys <name> profiles hip-objects <name> custom-checks criteria registry-key <name> default-
value-data <value>
set vsys <name> profiles hip-objects <name> custom-checks criteria registry-key <name> negate
<yes|no>
set vsys <name> profiles hip-objects <name> custom-checks criteria registry-key <name> registry-
value
set vsys <name> profiles hip-objects <name> custom-checks criteria registry-key <name> registry-
value <name>
set vsys <name> profiles hip-objects <name> custom-checks criteria registry-key <name> registry-
value <name> value-data <value>
set vsys <name> profiles hip-objects <name> custom-checks criteria registry-key <name> registry-
value <name> negate <yes|no>
set vsys <name> profiles hip-objects <name> custom-checks criteria plist
set vsys <name> profiles hip-objects <name> custom-checks criteria plist <name>
set vsys <name> profiles hip-objects <name> custom-checks criteria plist <name> negate <yes|
no>
set vsys <name> profiles hip-objects <name> custom-checks criteria plist <name> key
set vsys <name> profiles hip-objects <name> custom-checks criteria plist <name> key <name>
set vsys <name> profiles hip-objects <name> custom-checks criteria plist <name> key <name>
value <value>
set vsys <name> profiles hip-objects <name> custom-checks criteria plist <name> key <name>
negate <yes|no>
set vsys <name> profiles hip-objects <name> mobile-device
set vsys <name> profiles hip-objects <name> mobile-device criteria
set vsys <name> profiles hip-objects <name> mobile-device criteria jailbroken <no|yes>
set vsys <name> profiles hip-objects <name> mobile-device criteria disk-encrypted <no|yes>

PAN-OS CLI Quick Start Version Version 10.1 691 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles hip-objects <name> mobile-device criteria passcode-set <no|yes>
set vsys <name> profiles hip-objects <name> mobile-device criteria last-checkin-me
set vsys <name> profiles hip-objects <name> mobile-device criteria last-checkin-me
set vsys <name> profiles hip-objects <name> mobile-device criteria last-checkin-me within
set vsys <name> profiles hip-objects <name> mobile-device criteria last-checkin-me within days
<1-365>
set vsys <name> profiles hip-objects <name> mobile-device criteria last-checkin-me not-within
set vsys <name> profiles hip-objects <name> mobile-device criteria last-checkin-me not-within
days <1-365>
set vsys <name> profiles hip-objects <name> mobile-device criteria imei
set vsys <name> profiles hip-objects <name> mobile-device criteria imei
set vsys <name> profiles hip-objects <name> mobile-device criteria imei contains <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria imei is <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria imei is-not <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria model
set vsys <name> profiles hip-objects <name> mobile-device criteria model
set vsys <name> profiles hip-objects <name> mobile-device criteria model contains <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria model is <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria model is-not <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria phone-number
set vsys <name> profiles hip-objects <name> mobile-device criteria phone-number
set vsys <name> profiles hip-objects <name> mobile-device criteria phone-number contains
<value>
set vsys <name> profiles hip-objects <name> mobile-device criteria phone-number is <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria phone-number is-not <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria tag
set vsys <name> profiles hip-objects <name> mobile-device criteria tag
set vsys <name> profiles hip-objects <name> mobile-device criteria tag contains <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria tag is <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria tag is-not <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons
set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-malware
set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-malware no
set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-malware yes

PAN-OS CLI Quick Start Version Version 10.1 692 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-malware yes
excludes
set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-malware yes
excludes <name>
set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-malware yes
excludes <name> package <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-malware yes
excludes <name> hash <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons has-unmanaged-
app <no|yes>
set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons includes
set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons includes <name>
set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons includes <name>
package <value>
set vsys <name> profiles hip-objects <name> mobile-device criteria applicaons includes <name>
hash <value>
set vsys <name> profiles hip-objects <name> cerficate
set vsys <name> profiles hip-objects <name> cerficate criteria
set vsys <name> profiles hip-objects <name> cerficate criteria cerficate-profile <value>
set vsys <name> profiles hip-objects <name> cerficate criteria cerficate-aributes
set vsys <name> profiles hip-objects <name> cerficate criteria cerficate-aributes <name>
set vsys <name> profiles hip-objects <name> cerficate criteria cerficate-aributes <name>
value <value>
set vsys <name> profiles virus
set vsys <name> profiles virus <name>
set vsys <name> profiles virus <name> descripon <value>
set vsys <name> profiles virus <name> packet-capture <yes|no>
set vsys <name> profiles virus <name> mlav-engine-filebased-enabled
set vsys <name> profiles virus <name> mlav-engine-filebased-enabled <name>
set vsys <name> profiles virus <name> mlav-engine-filebased-enabled <name> mlav-policy-acon
<enable|enable(alert-only)|disable>
set vsys <name> profiles virus <name> decoder
set vsys <name> profiles virus <name> decoder <name>
set vsys <name> profiles virus <name> decoder <name> acon <default|allow|alert|drop|reset-
client|reset-server|reset-both>
set vsys <name> profiles virus <name> decoder <name> wildfire-acon <default|allow|alert|drop|
reset-client|reset-server|reset-both>

PAN-OS CLI Quick Start Version Version 10.1 693 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles virus <name> decoder <name> mlav-acon <default|allow|alert|drop|
reset-client|reset-server|reset-both>
set vsys <name> profiles virus <name> applicaon
set vsys <name> profiles virus <name> applicaon <name>
set vsys <name> profiles virus <name> applicaon <name> acon <default|allow|alert|drop|reset-
client|reset-server|reset-both>
set vsys <name> profiles virus <name> threat-excepon
set vsys <name> profiles virus <name> threat-excepon <name>
set vsys <name> profiles virus <name> mlav-excepon
set vsys <name> profiles virus <name> mlav-excepon <name>
set vsys <name> profiles virus <name> mlav-excepon <name> filename <value>
set vsys <name> profiles virus <name> mlav-excepon <name> descripon <value>
set vsys <name> profiles spyware
set vsys <name> profiles spyware <name>
set vsys <name> profiles spyware <name> descripon <value>
set vsys <name> profiles spyware <name> botnet-domains
set vsys <name> profiles spyware <name> botnet-domains lists
set vsys <name> profiles spyware <name> botnet-domains lists <name>
set vsys <name> profiles spyware <name> botnet-domains lists <name> acon
set vsys <name> profiles spyware <name> botnet-domains lists <name> acon alert
set vsys <name> profiles spyware <name> botnet-domains lists <name> acon allow
set vsys <name> profiles spyware <name> botnet-domains lists <name> acon block
set vsys <name> profiles spyware <name> botnet-domains lists <name> acon sinkhole
set vsys <name> profiles spyware <name> botnet-domains lists <name> packet-capture <disable|
single-packet|extended-capture>
set vsys <name> profiles spyware <name> botnet-domains dns-security-categories
set vsys <name> profiles spyware <name> botnet-domains dns-security-categories <name>
set vsys <name> profiles spyware <name> botnet-domains dns-security-categories <name> acon
<default|allow|block|sinkhole>
set vsys <name> profiles spyware <name> botnet-domains dns-security-categories <name> log-
level <default|none|low|informaonal|medium|high|crical>
set vsys <name> profiles spyware <name> botnet-domains dns-security-categories <name>
packet-capture <disable|single-packet|extended-capture>
set vsys <name> profiles spyware <name> botnet-domains whitelist
set vsys <name> profiles spyware <name> botnet-domains whitelist <name>

PAN-OS CLI Quick Start Version Version 10.1 694 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles spyware <name> botnet-domains whitelist <name> descripon <value>
set vsys <name> profiles spyware <name> botnet-domains sinkhole
set vsys <name> profiles spyware <name> botnet-domains sinkhole ipv4-address <value>|
<127.0.0.1|pan-sinkhole-default-ip>
set vsys <name> profiles spyware <name> botnet-domains sinkhole ipv6-address <ip/netmask>|
<::1>
set vsys <name> profiles spyware <name> botnet-domains threat-excepon
set vsys <name> profiles spyware <name> botnet-domains threat-excepon <name>
set vsys <name> profiles spyware <name> rules
set vsys <name> profiles spyware <name> rules <name>
set vsys <name> profiles spyware <name> rules <name> threat-name <value>|<any>
set vsys <name> profiles spyware <name> rules <name> category <value>|<any>
set vsys <name> profiles spyware <name> rules <name> severity [ <severity1> <severity2>... ]
set vsys <name> profiles spyware <name> rules <name> acon
set vsys <name> profiles spyware <name> rules <name> acon default
set vsys <name> profiles spyware <name> rules <name> acon allow
set vsys <name> profiles spyware <name> rules <name> acon alert
set vsys <name> profiles spyware <name> rules <name> acon drop
set vsys <name> profiles spyware <name> rules <name> acon reset-client
set vsys <name> profiles spyware <name> rules <name> acon reset-server
set vsys <name> profiles spyware <name> rules <name> acon reset-both
set vsys <name> profiles spyware <name> rules <name> acon block-ip
set vsys <name> profiles spyware <name> rules <name> acon block-ip track-by <source|source-
and-desnaon>
set vsys <name> profiles spyware <name> rules <name> acon block-ip duraon <1-3600>
set vsys <name> profiles spyware <name> rules <name> packet-capture <disable|single-packet|
extended-capture>
set vsys <name> profiles spyware <name> threat-excepon
set vsys <name> profiles spyware <name> threat-excepon <name>
set vsys <name> profiles spyware <name> threat-excepon <name> packet-capture <disable|
single-packet|extended-capture>
set vsys <name> profiles spyware <name> threat-excepon <name> acon
set vsys <name> profiles spyware <name> threat-excepon <name> acon default
set vsys <name> profiles spyware <name> threat-excepon <name> acon allow
set vsys <name> profiles spyware <name> threat-excepon <name> acon alert

PAN-OS CLI Quick Start Version Version 10.1 695 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles spyware <name> threat-excepon <name> acon drop
set vsys <name> profiles spyware <name> threat-excepon <name> acon reset-both
set vsys <name> profiles spyware <name> threat-excepon <name> acon reset-client
set vsys <name> profiles spyware <name> threat-excepon <name> acon reset-server
set vsys <name> profiles spyware <name> threat-excepon <name> acon block-ip
set vsys <name> profiles spyware <name> threat-excepon <name> acon block-ip track-by
<source|source-and-desnaon>
set vsys <name> profiles spyware <name> threat-excepon <name> acon block-ip duraon
<1-3600>
set vsys <name> profiles spyware <name> threat-excepon <name> exempt-ip
set vsys <name> profiles spyware <name> threat-excepon <name> exempt-ip <name>
set vsys <name> profiles vulnerability
set vsys <name> profiles vulnerability <name>
set vsys <name> profiles vulnerability <name> descripon <value>
set vsys <name> profiles vulnerability <name> rules
set vsys <name> profiles vulnerability <name> rules <name>
set vsys <name> profiles vulnerability <name> rules <name> threat-name <value>|<any>
set vsys <name> profiles vulnerability <name> rules <name> cve [ <cve1> <cve2>... ]
set vsys <name> profiles vulnerability <name> rules <name> host <any|client|server>
set vsys <name> profiles vulnerability <name> rules <name> vendor-id [ <vendor-id1> <vendor-
id2>... ]
set vsys <name> profiles vulnerability <name> rules <name> severity [ <severity1> <severity2>... ]
set vsys <name> profiles vulnerability <name> rules <name> category <value>|<any>
set vsys <name> profiles vulnerability <name> rules <name> acon
set vsys <name> profiles vulnerability <name> rules <name> acon default
set vsys <name> profiles vulnerability <name> rules <name> acon allow
set vsys <name> profiles vulnerability <name> rules <name> acon alert
set vsys <name> profiles vulnerability <name> rules <name> acon drop
set vsys <name> profiles vulnerability <name> rules <name> acon reset-client
set vsys <name> profiles vulnerability <name> rules <name> acon reset-server
set vsys <name> profiles vulnerability <name> rules <name> acon reset-both
set vsys <name> profiles vulnerability <name> rules <name> acon block-ip
set vsys <name> profiles vulnerability <name> rules <name> acon block-ip track-by <source|
source-and-desnaon>
set vsys <name> profiles vulnerability <name> rules <name> acon block-ip duraon <1-3600>

PAN-OS CLI Quick Start Version Version 10.1 696 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles vulnerability <name> rules <name> packet-capture <disable|single-
packet|extended-capture>
set vsys <name> profiles vulnerability <name> threat-excepon
set vsys <name> profiles vulnerability <name> threat-excepon <name>
set vsys <name> profiles vulnerability <name> threat-excepon <name> packet-capture <disable|
single-packet|extended-capture>
set vsys <name> profiles vulnerability <name> threat-excepon <name> acon
set vsys <name> profiles vulnerability <name> threat-excepon <name> acon default
set vsys <name> profiles vulnerability <name> threat-excepon <name> acon allow
set vsys <name> profiles vulnerability <name> threat-excepon <name> acon alert
set vsys <name> profiles vulnerability <name> threat-excepon <name> acon drop
set vsys <name> profiles vulnerability <name> threat-excepon <name> acon reset-client
set vsys <name> profiles vulnerability <name> threat-excepon <name> acon reset-server
set vsys <name> profiles vulnerability <name> threat-excepon <name> acon reset-both
set vsys <name> profiles vulnerability <name> threat-excepon <name> acon block-ip
set vsys <name> profiles vulnerability <name> threat-excepon <name> acon block-ip track-by
<source|source-and-desnaon>
set vsys <name> profiles vulnerability <name> threat-excepon <name> acon block-ip duraon
<1-3600>
set vsys <name> profiles vulnerability <name> threat-excepon <name> me-aribute
set vsys <name> profiles vulnerability <name> threat-excepon <name> me-aribute interval
<1-3600>
set vsys <name> profiles vulnerability <name> threat-excepon <name> me-aribute threshold
<1-65535>
set vsys <name> profiles vulnerability <name> threat-excepon <name> me-aribute track-by
<source|desnaon|source-and-desnaon>
set vsys <name> profiles vulnerability <name> threat-excepon <name> exempt-ip
set vsys <name> profiles vulnerability <name> threat-excepon <name> exempt-ip <name>
set vsys <name> profiles url-filtering
set vsys <name> profiles url-filtering <name>
set vsys <name> profiles url-filtering <name> descripon <value>
set vsys <name> profiles url-filtering <name> allow [ <allow1> <allow2>... ]
set vsys <name> profiles url-filtering <name> alert [ <alert1> <alert2>... ]
set vsys <name> profiles url-filtering <name> block [ <block1> <block2>... ]
set vsys <name> profiles url-filtering <name> connue [ <connue1> <connue2>... ]
set vsys <name> profiles url-filtering <name> override [ <override1> <override2>... ]

PAN-OS CLI Quick Start Version Version 10.1 697 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles url-filtering <name> credenal-enforcement

set vsys <name> profiles url-filtering <name> credenal-enforcement mode
set vsys <name> profiles url-filtering <name> credenal-enforcement mode disabled
set vsys <name> profiles url-filtering <name> credenal-enforcement mode ip-user
set vsys <name> profiles url-filtering <name> credenal-enforcement mode domain-credenals
set vsys <name> profiles url-filtering <name> credenal-enforcement mode group-mapping
<value>
set vsys <name> profiles url-filtering <name> credenal-enforcement log-severity <value>
set vsys <name> profiles url-filtering <name> credenal-enforcement allow [ <allow1>
<allow2>... ]
set vsys <name> profiles url-filtering <name> credenal-enforcement alert [ <alert1> <alert2>... ]
set vsys <name> profiles url-filtering <name> credenal-enforcement block [ <block1>
<block2>... ]
set vsys <name> profiles url-filtering <name> credenal-enforcement connue [ <connue1>
<connue2>... ]
set vsys <name> profiles url-filtering <name> enable-container-page <yes|no>
set vsys <name> profiles url-filtering <name> log-container-page-only <yes|no>
set vsys <name> profiles url-filtering <name> safe-search-enforcement <yes|no>
set vsys <name> profiles url-filtering <name> log-hp-hdr-xff <yes|no>
set vsys <name> profiles url-filtering <name> log-hp-hdr-user-agent <yes|no>
set vsys <name> profiles url-filtering <name> log-hp-hdr-referer <yes|no>
set vsys <name> profiles url-filtering <name> hp-header-inseron
set vsys <name> profiles url-filtering <name> hp-header-inseron <name>
set vsys <name> profiles url-filtering <name> hp-header-inseron <name> type
set vsys <name> profiles url-filtering <name> hp-header-inseron <name> type <name>
set vsys <name> profiles url-filtering <name> hp-header-inseron <name> type <name> headers
set vsys <name> profiles url-filtering <name> hp-header-inseron <name> type <name> headers
<name>
set vsys <name> profiles url-filtering <name> hp-header-inseron <name> type <name> headers
<name> header <value>
set vsys <name> profiles url-filtering <name> hp-header-inseron <name> type <name> headers
<name> value <value>
set vsys <name> profiles url-filtering <name> hp-header-inseron <name> type <name> headers
<name> log <yes|no>
set vsys <name> profiles url-filtering <name> hp-header-inseron <name> type <name>
domains [ <domains1> <domains2>... ]

PAN-OS CLI Quick Start Version Version 10.1 698 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles url-filtering <name> mlav-category-excepon [ <mlav-category-

excepon1> <mlav-category-excepon2>... ]
set vsys <name> profiles url-filtering <name> mlav-engine-urlbased-enabled
set vsys <name> profiles url-filtering <name> mlav-engine-urlbased-enabled <name>
set vsys <name> profiles url-filtering <name> mlav-engine-urlbased-enabled <name> mlav-policy-
acon <block|alert|allow>
set vsys <name> profiles file-blocking
set vsys <name> profiles file-blocking <name>
set vsys <name> profiles file-blocking <name> descripon <value>
set vsys <name> profiles file-blocking <name> rules
set vsys <name> profiles file-blocking <name> rules <name>
set vsys <name> profiles file-blocking <name> rules <name> applicaon [ <applicaon1>
<applicaon2>... ]
set vsys <name> profiles file-blocking <name> rules <name> file-type [ <file-type1> <file-
type2>... ]
set vsys <name> profiles file-blocking <name> rules <name> direcon <upload|download|both>
set vsys <name> profiles file-blocking <name> rules <name> acon <alert|block|connue>
set vsys <name> profiles wildfire-analysis
set vsys <name> profiles wildfire-analysis <name>
set vsys <name> profiles wildfire-analysis <name> descripon <value>
set vsys <name> profiles wildfire-analysis <name> rules
set vsys <name> profiles wildfire-analysis <name> rules <name>
set vsys <name> profiles wildfire-analysis <name> rules <name> applicaon [ <applicaon1>
<applicaon2>... ]
set vsys <name> profiles wildfire-analysis <name> rules <name> file-type [ <file-type1> <file-
type2>... ]
set vsys <name> profiles wildfire-analysis <name> rules <name> direcon <upload|download|
both>
set vsys <name> profiles wildfire-analysis <name> rules <name> analysis <public-cloud|private-
cloud>
set vsys <name> profiles custom-url-category
set vsys <name> profiles custom-url-category <name>
set vsys <name> profiles custom-url-category <name> descripon <value>
set vsys <name> profiles custom-url-category <name> list [ <list1> <list2>... ]
set vsys <name> profiles custom-url-category <name> type <value>
set vsys <name> profiles data-objects

PAN-OS CLI Quick Start Version Version 10.1 699 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles data-objects <name>

set vsys <name> profiles data-objects <name> descripon <value>
set vsys <name> profiles data-objects <name> paern-type
set vsys <name> profiles data-objects <name> paern-type predefined
set vsys <name> profiles data-objects <name> paern-type predefined paern
set vsys <name> profiles data-objects <name> paern-type predefined paern <name>
set vsys <name> profiles data-objects <name> paern-type predefined paern <name> file-type
[ <file-type1> <file-type2>... ]
set vsys <name> profiles data-objects <name> paern-type regex
set vsys <name> profiles data-objects <name> paern-type regex paern
set vsys <name> profiles data-objects <name> paern-type regex paern <name>
set vsys <name> profiles data-objects <name> paern-type regex paern <name> file-type [ <file-
type1> <file-type2>... ]
set vsys <name> profiles data-objects <name> paern-type regex paern <name> regex <value>
set vsys <name> profiles data-objects <name> paern-type file-properes
set vsys <name> profiles data-objects <name> paern-type file-properes paern
set vsys <name> profiles data-objects <name> paern-type file-properes paern <name>
set vsys <name> profiles data-objects <name> paern-type file-properes paern <name> file-
type <value>
set vsys <name> profiles data-objects <name> paern-type file-properes paern <name> file-
property <value>
set vsys <name> profiles data-objects <name> paern-type file-properes paern <name>
property-value <value>
set vsys <name> profiles data-filtering
set vsys <name> profiles data-filtering <name>
set vsys <name> profiles data-filtering <name> descripon <value>
set vsys <name> profiles data-filtering <name> data-capture <yes|no>
set vsys <name> profiles data-filtering <name> rules
set vsys <name> profiles data-filtering <name> rules <name>
set vsys <name> profiles data-filtering <name> rules <name> data-object <value>
set vsys <name> profiles data-filtering <name> rules <name> applicaon [ <applicaon1>
<applicaon2>... ]
set vsys <name> profiles data-filtering <name> rules <name> file-type [ <file-type1> <file-
type2>... ]
set vsys <name> profiles data-filtering <name> rules <name> direcon <upload|download|both>
set vsys <name> profiles data-filtering <name> rules <name> alert-threshold <0-65535>

PAN-OS CLI Quick Start Version Version 10.1 700 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles data-filtering <name> rules <name> block-threshold <0-65535>
set vsys <name> profiles data-filtering <name> rules <name> log-severity <value>
set vsys <name> profiles hip-profiles
set vsys <name> profiles hip-profiles <name>
set vsys <name> profiles hip-profiles <name> descripon <value>
set vsys <name> profiles hip-profiles <name> match <value>
set vsys <name> profiles dos-protecon
set vsys <name> profiles dos-protecon <name>
set vsys <name> profiles dos-protecon <name> type <aggregate|classified>
set vsys <name> profiles dos-protecon <name> descripon <value>
set vsys <name> profiles dos-protecon <name> flood
set vsys <name> profiles dos-protecon <name> flood tcp-syn
set vsys <name> profiles dos-protecon <name> flood tcp-syn enable <yes|no>
set vsys <name> profiles dos-protecon <name> flood tcp-syn
set vsys <name> profiles dos-protecon <name> flood tcp-syn red
set vsys <name> profiles dos-protecon <name> flood tcp-syn red alarm-rate <0-2000000>
set vsys <name> profiles dos-protecon <name> flood tcp-syn red acvate-rate <1-2000000>
set vsys <name> profiles dos-protecon <name> flood tcp-syn red maximal-rate <1-2000000>
set vsys <name> profiles dos-protecon <name> flood tcp-syn red block
set vsys <name> profiles dos-protecon <name> flood tcp-syn red block duraon <1-21600>
set vsys <name> profiles dos-protecon <name> flood tcp-syn syn-cookies
set vsys <name> profiles dos-protecon <name> flood tcp-syn syn-cookies alarm-rate
<0-2000000>
set vsys <name> profiles dos-protecon <name> flood tcp-syn syn-cookies acvate-rate
<0-2000000>
set vsys <name> profiles dos-protecon <name> flood tcp-syn syn-cookies maximal-rate
<1-2000000>
set vsys <name> profiles dos-protecon <name> flood tcp-syn syn-cookies block
set vsys <name> profiles dos-protecon <name> flood tcp-syn syn-cookies block duraon
<1-21600>
set vsys <name> profiles dos-protecon <name> flood udp
set vsys <name> profiles dos-protecon <name> flood udp enable <yes|no>
set vsys <name> profiles dos-protecon <name> flood udp red
set vsys <name> profiles dos-protecon <name> flood udp red alarm-rate <0-2000000>
set vsys <name> profiles dos-protecon <name> flood udp red acvate-rate <1-2000000>

PAN-OS CLI Quick Start Version Version 10.1 701 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles dos-protecon <name> flood udp red maximal-rate <1-2000000>
set vsys <name> profiles dos-protecon <name> flood udp red block
set vsys <name> profiles dos-protecon <name> flood udp red block duraon <1-21600>
set vsys <name> profiles dos-protecon <name> flood icmp
set vsys <name> profiles dos-protecon <name> flood icmp enable <yes|no>
set vsys <name> profiles dos-protecon <name> flood icmp red
set vsys <name> profiles dos-protecon <name> flood icmp red alarm-rate <0-2000000>
set vsys <name> profiles dos-protecon <name> flood icmp red acvate-rate <1-2000000>
set vsys <name> profiles dos-protecon <name> flood icmp red maximal-rate <1-2000000>
set vsys <name> profiles dos-protecon <name> flood icmp red block
set vsys <name> profiles dos-protecon <name> flood icmp red block duraon <1-21600>
set vsys <name> profiles dos-protecon <name> flood icmpv6
set vsys <name> profiles dos-protecon <name> flood icmpv6 enable <yes|no>
set vsys <name> profiles dos-protecon <name> flood icmpv6 red
set vsys <name> profiles dos-protecon <name> flood icmpv6 red alarm-rate <0-2000000>
set vsys <name> profiles dos-protecon <name> flood icmpv6 red acvate-rate <1-2000000>
set vsys <name> profiles dos-protecon <name> flood icmpv6 red maximal-rate <1-2000000>
set vsys <name> profiles dos-protecon <name> flood icmpv6 red block
set vsys <name> profiles dos-protecon <name> flood icmpv6 red block duraon <1-21600>
set vsys <name> profiles dos-protecon <name> flood other-ip
set vsys <name> profiles dos-protecon <name> flood other-ip enable <yes|no>
set vsys <name> profiles dos-protecon <name> flood other-ip red
set vsys <name> profiles dos-protecon <name> flood other-ip red alarm-rate <0-2000000>
set vsys <name> profiles dos-protecon <name> flood other-ip red acvate-rate <1-2000000>
set vsys <name> profiles dos-protecon <name> flood other-ip red maximal-rate <1-2000000>
set vsys <name> profiles dos-protecon <name> flood other-ip red block
set vsys <name> profiles dos-protecon <name> flood other-ip red block duraon <1-21600>
set vsys <name> profiles dos-protecon <name> resource
set vsys <name> profiles dos-protecon <name> resource sessions
set vsys <name> profiles dos-protecon <name> resource sessions enabled <yes|no>
set vsys <name> profiles dos-protecon <name> resource sessions max-concurrent-limit
<1-4194304>
set vsys <name> profiles sdwan-path-quality
set vsys <name> profiles sdwan-path-quality <name>

PAN-OS CLI Quick Start Version Version 10.1 702 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles sdwan-path-quality <name> metric

set vsys <name> profiles sdwan-path-quality <name> metric latency
set vsys <name> profiles sdwan-path-quality <name> metric latency threshold <10-3000>
set vsys <name> profiles sdwan-path-quality <name> metric latency sensivity <low|medium|
high>
set vsys <name> profiles sdwan-path-quality <name> metric pkt-loss
set vsys <name> profiles sdwan-path-quality <name> metric pkt-loss threshold <1-100>
set vsys <name> profiles sdwan-path-quality <name> metric pkt-loss sensivity <low|medium|
high>
set vsys <name> profiles sdwan-path-quality <name> metric jier
set vsys <name> profiles sdwan-path-quality <name> metric jier threshold <10-2000>
set vsys <name> profiles sdwan-path-quality <name> metric jier sensivity <low|medium|high>
set vsys <name> profiles sdwan-traffic-distribuon
set vsys <name> profiles sdwan-traffic-distribuon <name>
set vsys <name> profiles sdwan-traffic-distribuon <name> traffic-distribuon <Best Available
Path|Top Down Priority|Weighted Session Distribuon>
set vsys <name> profiles sdwan-traffic-distribuon <name> link-tags
set vsys <name> profiles sdwan-traffic-distribuon <name> link-tags <name>
set vsys <name> profiles sdwan-traffic-distribuon <name> link-tags <name> weight <0-100>
set vsys <name> profiles sdwan-saas-quality
set vsys <name> profiles sdwan-saas-quality <name>
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode adapve
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip ip-address
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip ip-address <name>
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip ip-address <name>
probe-interval <1-60>
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip fqdn
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip fqdn fqdn-name
<value>
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode stac-ip fqdn probe-interval
<1-60>

PAN-OS CLI Quick Start Version Version 10.1 703 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles sdwan-saas-quality <name> monitor-mode hp-hps

set vsys <name> profiles sdwan-saas-quality <name> monitor-mode hp-hps monitored-url
<value>
set vsys <name> profiles sdwan-saas-quality <name> monitor-mode hp-hps probe-interval
<3-60>
set vsys <name> profiles sdwan-error-correcon
set vsys <name> profiles sdwan-error-correcon <name>
set vsys <name> profiles sdwan-error-correcon <name> acvaon-threshold <1-99>
set vsys <name> profiles sdwan-error-correcon <name> mode
set vsys <name> profiles sdwan-error-correcon <name> mode
set vsys <name> profiles sdwan-error-correcon <name> mode forward-error-correcon
set vsys <name> profiles sdwan-error-correcon <name> mode forward-error-correcon rao
<10% (20:2)|20% (20:4)|30% (20:6)|40% (20:8)|50% (20:10)>
set vsys <name> profiles sdwan-error-correcon <name> mode forward-error-correcon
recovery-duraon <1-5000>
set vsys <name> profiles sdwan-error-correcon <name> mode packet-duplicaon
set vsys <name> profiles sdwan-error-correcon <name> mode packet-duplicaon recovery-
duraon-pd <1-5000>
set vsys <name> profiles decrypon
set vsys <name> profiles decrypon <name>
set vsys <name> profiles decrypon <name> interface <value>
set vsys <name> profiles decrypon <name> forwarded-only <yes|no>
set vsys <name> profiles decrypon <name> ssl-forward-proxy
set vsys <name> profiles decrypon <name> ssl-forward-proxy block-expired-cerficate <yes|no>
set vsys <name> profiles decrypon <name> ssl-forward-proxy block-untrusted-issuer <yes|no>
set vsys <name> profiles decrypon <name> ssl-forward-proxy block-tls13-downgrade-no-
resource <yes|no>
set vsys <name> profiles decrypon <name> ssl-forward-proxy restrict-cert-exts <yes|no>
set vsys <name> profiles decrypon <name> ssl-forward-proxy block-unsupported-version <yes|
no>
set vsys <name> profiles decrypon <name> ssl-forward-proxy block-unsupported-cipher <yes|
no>
set vsys <name> profiles decrypon <name> ssl-forward-proxy block-client-cert <yes|no>
set vsys <name> profiles decrypon <name> ssl-forward-proxy block-if-no-resource <yes|no>
set vsys <name> profiles decrypon <name> ssl-forward-proxy block-if-hsm-unavailable <yes|no>
set vsys <name> profiles decrypon <name> ssl-forward-proxy block-unknown-cert <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 704 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles decrypon <name> ssl-forward-proxy block-meout-cert <yes|no>

set vsys <name> profiles decrypon <name> ssl-forward-proxy auto-include-altname <yes|no>
set vsys <name> profiles decrypon <name> ssl-forward-proxy strip-alpn <yes|no>
set vsys <name> profiles decrypon <name> ssl-inbound-proxy
set vsys <name> profiles decrypon <name> ssl-inbound-proxy block-unsupported-version <yes|
no>
set vsys <name> profiles decrypon <name> ssl-inbound-proxy block-unsupported-cipher <yes|
no>
set vsys <name> profiles decrypon <name> ssl-inbound-proxy block-if-no-resource <yes|no>
set vsys <name> profiles decrypon <name> ssl-inbound-proxy block-tls13-downgrade-no-
resource <yes|no>
set vsys <name> profiles decrypon <name> ssl-inbound-proxy block-if-hsm-unavailable <yes|no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs
set vsys <name> profiles decrypon <name> ssl-protocol-sengs min-version <sslv3|tls1-0|tls1-1|
tls1-2|tls1-3>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs max-version <sslv3|tls1-0|
tls1-1|tls1-2|tls1-3|max>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs keyxchg-algo-rsa <yes|no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs keyxchg-algo-dhe <yes|no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs keyxchg-algo-ecdhe <yes|no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs enc-algo-3des <yes|no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs enc-algo-rc4 <yes|no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs enc-algo-aes-128-cbc <yes|no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs enc-algo-aes-256-cbc <yes|no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs enc-algo-aes-128-gcm <yes|
no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs enc-algo-aes-256-gcm <yes|
no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs enc-algo-chacha20-poly1305
<yes|no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs auth-algo-md5 <yes|no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs auth-algo-sha1 <yes|no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs auth-algo-sha256 <yes|no>
set vsys <name> profiles decrypon <name> ssl-protocol-sengs auth-algo-sha384 <yes|no>
set vsys <name> profiles decrypon <name> ssl-no-proxy
set vsys <name> profiles decrypon <name> ssl-no-proxy block-expired-cerficate <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 705 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles decrypon <name> ssl-no-proxy block-untrusted-issuer <yes|no>

set vsys <name> profiles decrypon <name> ssh-proxy
set vsys <name> profiles decrypon <name> ssh-proxy block-unsupported-version <yes|no>
set vsys <name> profiles decrypon <name> ssh-proxy block-unsupported-alg <yes|no>
set vsys <name> profiles decrypon <name> ssh-proxy block-ssh-errors <yes|no>
set vsys <name> profiles decrypon <name> ssh-proxy block-if-no-resource <yes|no>
set vsys <name> profiles packet-broker
set vsys <name> profiles packet-broker <name>
set vsys <name> profiles packet-broker <name> descripon <value>
set vsys <name> profiles packet-broker <name> interface-primary <value>
set vsys <name> profiles packet-broker <name> interface-secondary <value>
set vsys <name> profiles packet-broker <name> flow <unidireconal|bidireconal>
set vsys <name> profiles packet-broker <name>
set vsys <name> profiles packet-broker <name> transparent
set vsys <name> profiles packet-broker <name> transparent enable-ipv6 <yes|no>
set vsys <name> profiles packet-broker <name> routed
set vsys <name> profiles packet-broker <name> routed security-chain
set vsys <name> profiles packet-broker <name> routed security-chain <name>
set vsys <name> profiles packet-broker <name> routed security-chain <name> enable <yes|no>
set vsys <name> profiles packet-broker <name> routed security-chain <name> first-device <ip/
netmask>
set vsys <name> profiles packet-broker <name> routed security-chain <name> first-device-
descripon <value>
set vsys <name> profiles packet-broker <name> routed security-chain <name> last-device <ip/
netmask>
set vsys <name> profiles packet-broker <name> routed security-chain <name> last-device-
descripon <value>
set vsys <name> profiles packet-broker <name> routed distribuon <round-robin|ip-modulo|ip-
hash|lowest-latency>
set vsys <name> profiles packet-broker <name> health-check
set vsys <name> profiles packet-broker <name> health-check failure-acon <bypass|block>
set vsys <name> profiles packet-broker <name> health-check failure-condion <any|all>
set vsys <name> profiles packet-broker <name> health-check path-enable <yes|no>
set vsys <name> profiles packet-broker <name> health-check path-count <1-10>
set vsys <name> profiles packet-broker <name> health-check path-interval-s <1-60>

PAN-OS CLI Quick Start Version Version 10.1 706 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> profiles packet-broker <name> health-check path-recovery-hold-s <0-65535>

set vsys <name> profiles packet-broker <name> health-check hp-enable <yes|no>
set vsys <name> profiles packet-broker <name> health-check hp-count <1-10>
set vsys <name> profiles packet-broker <name> health-check hp-interval-s <1-60>
set vsys <name> profiles packet-broker <name> health-check hp-latency-enable <yes|no>
set vsys <name> profiles packet-broker <name> health-check hp-latency-maximum-ms
<10-65535>
set vsys <name> profiles packet-broker <name> health-check hp-latency-duraon-s <1-65535>
set vsys <name> profiles packet-broker <name> health-check hp-latency-log-exceeded <yes|no>
set vsys <name> profile-group
set vsys <name> profile-group <name>
set vsys <name> profile-group <name> virus [ <virus1> <virus2>... ]
set vsys <name> profile-group <name> spyware [ <spyware1> <spyware2>... ]
set vsys <name> profile-group <name> vulnerability [ <vulnerability1> <vulnerability2>... ]
set vsys <name> profile-group <name> url-filtering [ <url-filtering1> <url-filtering2>... ]
set vsys <name> profile-group <name> file-blocking [ <file-blocking1> <file-blocking2>... ]
set vsys <name> profile-group <name> wildfire-analysis [ <wildfire-analysis1> <wildfire-
analysis2>... ]
set vsys <name> profile-group <name> data-filtering [ <data-filtering1> <data-filtering2>... ]
set vsys <name> service
set vsys <name> service <name>
set vsys <name> service <name> descripon <value>
set vsys <name> service <name> protocol
set vsys <name> service <name> protocol tcp
set vsys <name> service <name> protocol tcp port <0-65535,...>
set vsys <name> service <name> protocol tcp source-port <0-65535,...>
set vsys <name> service <name> protocol tcp override
set vsys <name> service <name> protocol tcp override no
set vsys <name> service <name> protocol tcp override yes
set vsys <name> service <name> protocol tcp override yes meout <1-604800>
set vsys <name> service <name> protocol tcp override yes halfclose-meout <1-604800>
set vsys <name> service <name> protocol tcp override yes mewait-meout <1-600>
set vsys <name> service <name> protocol udp
set vsys <name> service <name> protocol udp port <0-65535,...>

PAN-OS CLI Quick Start Version Version 10.1 707 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> service <name> protocol udp source-port <0-65535,...>

set vsys <name> service <name> protocol udp override
set vsys <name> service <name> protocol udp override no
set vsys <name> service <name> protocol udp override yes
set vsys <name> service <name> protocol udp override yes meout <1-604800>
set vsys <name> service <name> tag [ <tag1> <tag2>... ]
set vsys <name> service-group
set vsys <name> service-group <name>
set vsys <name> service-group <name> members [ <members1> <members2>... ]
set vsys <name> service-group <name> tag [ <tag1> <tag2>... ]
set vsys <name> reports
set vsys <name> reports <name>
set vsys <name> reports <name> descripon <value>
set vsys <name> reports <name> disabled <yes|no>
set vsys <name> reports <name> query <value>
set vsys <name> reports <name> capon <value>
set vsys <name> reports <name> frequency <daily>
set vsys <name> reports <name> start-me <value>
set vsys <name> reports <name> end-me <value>
set vsys <name> reports <name> period <last-15-minutes|last-hour|last-6-hrs|last-12-hrs|
last-24-hrs|last-calendar-day|last-7-days|last-7-calendar-days|last-calendar-week|last-30-days|
last-30-calendar-days|last-60-days|last-60-calendar-days|last-90-days|last-90-calendar-days|last-
calendar-month>
set vsys <name> reports <name> topn <1-10000>
set vsys <name> reports <name> topm <1-50>
set vsys <name> reports <name> type
set vsys <name> reports <name> type appstat
set vsys <name> reports <name> type appstat aggregate-by [ <aggregate-by1> <aggregate-
by2>... ]
set vsys <name> reports <name> type appstat group-by <serial|vsys_name|device_name|vsys|
name|risk|day-of-receive_me|hour-of-receive_me|quarter-hour-of-receive_me|subcategory-of-
name|category-of-name|risk-of-name|container-of-name|technology-of-name>
set vsys <name> reports <name> type appstat values [ <values1> <values2>... ]
set vsys <name> reports <name> type appstat labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type appstat sortby <nbytes|nsess|npkts|nthreats>

PAN-OS CLI Quick Start Version Version 10.1 708 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> reports <name> type decrypon

set vsys <name> reports <name> type decrypon aggregate-by [ <aggregate-by1> <aggregate-
by2>... ]
set vsys <name> reports <name> type decrypon group-by <serial|me_generated|src|dst|natsrc|
natdst|rule|srcuser|dstuser|srcloc|dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|
natsport|natdport|proto|acon|tunnel|rule_uuid|s_encrypted|category-of-app|subcategory-
of-app|technology-of-app|container-of-app|risk-of-app|vsys_name|device_name|tls_version|
tls_keyxchg|tls_enc|tls_auth|ec_curve|err_index|root_status|proxy_type|policy_name|cn|issuer_cn|
root_cn|sni|error|src_dag|dst_dag|src_edl|dst_edl|container_id|pod_namespace|pod_name|
src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|
dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|day-
of-receive_me|hour-of-receive_me|quarter-hour-of-receive_me>
set vsys <name> reports <name> type decrypon values [ <values1> <values2>... ]
set vsys <name> reports <name> type decrypon labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type decrypon sortby <repeatcnt|nunique-of-src_profile|
nunique-of-dst_profile>
set vsys <name> reports <name> type desum
set vsys <name> reports <name> type desum aggregate-by [ <aggregate-by1> <aggregate-
by2>... ]
set vsys <name> reports <name> type desum group-by <serial|me_generated|vsys_name|
device_name|category-of-app|subcategory-of-app|technology-of-app|container-of-app|risk-of-
app|app|src|dst|srcuser|dstuser|vsys|tls_version|tls_keyxchg|tls_enc|tls_auth|sni|error|err_index|
src_edl|dst_edl|container_id|pod_namespace|pod_name|src_category|src_profile|src_model|
src_vendor|src_osfamily|src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|
dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|src_dag|dst_dag|day-of-receive_me|
hour-of-receive_me|quarter-hour-of-receive_me>
set vsys <name> reports <name> type desum values [ <values1> <values2>... ]
set vsys <name> reports <name> type desum labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type desum sortby <repeatcnt|nunique-of-src_profile|nunique-
of-dst_profile>
set vsys <name> reports <name> type threat
set vsys <name> reports <name> type threat aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set vsys <name> reports <name> type threat group-by <serial|me_generated|src|dst|natsrc|
natdst|rule|srcuser|dstuser|srcloc|dstloc|app|vsys|from|to|inbound_if|outbound_if|sport|dport|
natsport|natdport|proto|acon|tunnel|rule_uuid|s_encrypted|category-of-app|subcategory-of-
app|technology-of-app|container-of-app|risk-of-app|vsys_name|device_name|parent_session_id|
parent_start_me|thread|category|severity|direcon|hp_method|nssai_sst|filedigest|filetype|
hp2_connecon|xff_ip|threat_name|src_edl|dst_edl|dynusergroup_name|hosd|paral_hash|
src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|
dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac|
container_id|pod_namespace|pod_name|misc|src_dag|dst_dag|day-of-receive_me|hour-of-
receive_me|quarter-hour-of-receive_me|pbf-s2c|pbf-c2s|flag-nat|flag-pcap|subtype|transacon|

PAN-OS CLI Quick Start Version Version 10.1 709 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

capve-portal|flag-proxy|non-std-dport|tunnelid|monitortag|users|category-of-thread|threat-
type>
set vsys <name> reports <name> type threat values [ <values1> <values2>... ]
set vsys <name> reports <name> type threat labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type threat sortby <repeatcnt|nunique-of-users|nunique-of-
src_profile|nunique-of-dst_profile>
set vsys <name> reports <name> type url
set vsys <name> reports <name> type url aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set vsys <name> reports <name> type url group-by <acon|app|category|category-of-app|
direcon|dport|dst|dstuser|from|inbound_if|misc|hp_headers|natdport|natdst|natsport|natsrc|
outbound_if|proto|risk-of-app|rule|rule_uuid|severity|sport|src|srcuser|subcategory-of-app|
technology-of-app|container-of-app|to|dstloc|srcloc|vsys|quarter-hour-of-receive_me|hour-
of-receive_me|day-of-receive_me|contenype|user_agent|device_name|vsys_name|url|
tunnelid|monitortag|parent_session_id|parent_start_me|hp2_connecon|tunnel|hp_method|
url_category_list|xff_ip|container_id|pod_namespace|pod_name|src_dag|dst_dag|src_edl|dst_edl|
src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|
dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac>
set vsys <name> reports <name> type url values [ <values1> <values2>... ]
set vsys <name> reports <name> type url labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type url sortby <repeatcnt|nunique-of-users>
set vsys <name> reports <name> type wildfire
set vsys <name> reports <name> type wildfire aggregate-by [ <aggregate-by1> <aggregate-
by2>... ]
set vsys <name> reports <name> type wildfire group-by <app|category|category-of-app|dport|
dst|dstuser|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|
rule|rule_uuid|sport|src|srcuser|subcategory-of-app|technology-of-app|container-of-app|to|dstloc|
srcloc|vsys|quarter-hour-of-receive_me|hour-of-receive_me|day-of-receive_me|vsys_name|
device_name|filetype|filename|filedigest|tunnelid|monitortag|parent_session_id|parent_start_me|
hp2_connecon|tunnel|xff_ip|src_dag|dst_dag|src_edl|dst_edl>
set vsys <name> reports <name> type wildfire values [ <values1> <values2>... ]
set vsys <name> reports <name> type wildfire labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type wildfire sortby <repeatcnt|nunique-of-users>
set vsys <name> reports <name> type data
set vsys <name> reports <name> type data aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set vsys <name> reports <name> type data group-by <acon|app|category-of-app|direcon|dport|
dst|dstuser|from|inbound_if|misc|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|
rule|rule_uuid|severity|sport|src|srcuser|subcategory-of-app|subtype|technology-of-app|container-
of-app|thread|to|dstloc|srcloc|vsys|quarter-hour-of-receive_me|hour-of-receive_me|day-of-
receive_me|vsys_name|device_name|data-type|filename|tunnelid|monitortag|parent_session_id|
parent_start_me|hp2_connecon|tunnel|xff_ip|src_dag|dst_dag|src_edl|dst_edl|src_category|

PAN-OS CLI Quick Start Version Version 10.1 710 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|src_mac|dst_category|
dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|dst_mac>
set vsys <name> reports <name> type data values [ <values1> <values2>... ]
set vsys <name> reports <name> type data labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type data sortby <repeatcnt|nunique-of-users>
set vsys <name> reports <name> type thsum
set vsys <name> reports <name> type thsum aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set vsys <name> reports <name> type thsum group-by <serial|me_generated|vsys_name|
device_name|app|src|dst|rule|thread|srcuser|dstuser|srcloc|dstloc|xff_ip|vsys|from|to|dev_serial|
dport|acon|severity|inbound_if|outbound_if|category|category-of-app|subcategory-of-
app|technology-of-app|container-of-app|risk-of-app|parent_session_id|parent_start_me|
tunnel|direcon|assoc_id|ppid|hp2_connecon|rule_uuid|threat_name|src_edl|dst_edl|hosd|
dynusergroup_name|nssai_sst|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac|container_id|pod_namespace|pod_name|src_dag|dst_dag|day-of-
receive_me|hour-of-receive_me|quarter-hour-of-receive_me|subtype|tunnelid|monitortag|
category-of-thread|threat-type>
set vsys <name> reports <name> type thsum values [ <values1> <values2>... ]
set vsys <name> reports <name> type thsum labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type thsum sortby <sessions|count|nunique-of-apps|nunique-of-
users|nunique-of-src_profile|nunique-of-dst_profile>
set vsys <name> reports <name> type traffic
set vsys <name> reports <name> type traffic aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set vsys <name> reports <name> type traffic group-by <serial|me_generated|src|dst|
natsrc|natdst|rule|srcuser|dstuser|srcloc|dstloc|app|vsys|from|to|inbound_if|outbound_if|
sport|dport|natsport|natdport|proto|acon|tunnel|rule_uuid|s_encrypted|category-of-app|
subcategory-of-app|technology-of-app|container-of-app|risk-of-app|vsys_name|device_name|
parent_session_id|parent_start_me|category|session_end_reason|acon_source|nssai_sst|
nssai_sd|hp2_connecon|xff_ip|dynusergroup_name|src_edl|dst_edl|hosd|session_owner|
policy_id|offloaded|src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|
src_host|src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|
dst_host|dst_mac|container_id|pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_me|
hour-of-receive_me|quarter-hour-of-receive_me|pbf-s2c|pbf-c2s|decrypt-mirror|threat-type|
flag-nat|flag-pcap|capve-portal|flag-proxy|non-std-dport|transacon|sym-return|sessionid|flag-
decrypt-fwd|tunnelid|monitortag>
set vsys <name> reports <name> type traffic values [ <values1> <values2>... ]
set vsys <name> reports <name> type traffic labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type traffic sortby <repeatcnt|bytes|bytes_sent|bytes_received|
packets|pkts_sent|pkts_received|chunks|chunks_sent|chunks_received|nunique-of-users|elapsed|
nunique-of-src_profile|nunique-of-dst_profile>
set vsys <name> reports <name> type urlsum

PAN-OS CLI Quick Start Version Version 10.1 711 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> reports <name> type urlsum aggregate-by [ <aggregate-by1> <aggregate-
by2>... ]
set vsys <name> reports <name> type urlsum group-by <serial|me_generated|vsys_name|
device_name|app|category|src|dst|rule|srcuser|dstuser|srcloc|dstloc|vsys|from|to|dev_serial|
inbound_if|outbound_if|dport|acon|tunnel|url_domain|user_agent|hp_method|
hp2_connecon|category-of-app|subcategory-of-app|technology-of-app|container-of-
app|risk-of-app|parent_session_id|parent_start_me|rule_uuid|xff_ip|src_edl|dst_edl|hosd|
dynusergroup_name|nssai_sst|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|
dst_osversion|dst_host|dst_mac|container_id|pod_namespace|pod_name|url_category_list|
src_dag|dst_dag|day-of-receive_me|hour-of-receive_me|quarter-hour-of-receive_me|tunnelid|
monitortag>
set vsys <name> reports <name> type urlsum values [ <values1> <values2>... ]
set vsys <name> reports <name> type urlsum labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type urlsum sortby <repeatcnt|nunique-of-users|nunique-of-
src_profile|nunique-of-dst_profile>
set vsys <name> reports <name> type trsum
set vsys <name> reports <name> type trsum aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set vsys <name> reports <name> type trsum group-by <serial|me_generated|vsys_name|
device_name|app|src|dst|xff_ip|rule|srcuser|dstuser|srcloc|dstloc|category|vsys|from|to|
dev_serial|dport|acon|tunnel|inbound_if|outbound_if|category-of-app|subcategory-of-app|
technology-of-app|container-of-app|risk-of-app|parent_session_id|parent_start_me|assoc_id|
hp2_connecon|rule_uuid|src_edl|dst_edl|dynusergroup_name|s_decrypted|s_encrypted|hosd|
nssai_sst|src_category|src_profile|src_model|src_vendor|src_osfamily|src_osversion|src_host|
src_mac|dst_category|dst_profile|dst_model|dst_vendor|dst_osfamily|dst_osversion|dst_host|
dst_mac|container_id|pod_namespace|pod_name|src_dag|dst_dag|day-of-receive_me|hour-of-
receive_me|quarter-hour-of-receive_me|tunnelid|monitortag|standard-ports-of-app>
set vsys <name> reports <name> type trsum values [ <values1> <values2>... ]
set vsys <name> reports <name> type trsum labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type trsum sortby <bytes|sessions|bytes_sent|bytes_received|
nthreats|nrans|ndpmatches|nurlcount|chunks|chunks_sent|chunks_received|ncontent|nunique-
of-apps|nunique-of-users|nunique-of-src_profile|nunique-of-dst_profile>
set vsys <name> reports <name> type tunnel
set vsys <name> reports <name> type tunnel aggregate-by [ <aggregate-by1> <aggregate-
by2>... ]
set vsys <name> reports <name> type tunnel group-by <acon|app|category-of-app|dport|
dst|dstuser|from|inbound_if|natdport|natdst|natsport|natsrc|outbound_if|proto|risk-of-app|
rule|rule_uuid|sessionid|sport|src|srcuser|subcategory-of-app|technology-of-app|container-
of-app|to|dstloc|srcloc|vsys|quarter-hour-of-receive_me|hour-of-receive_me|day-of-
receive_me|vsys_name|device_name|tunnelid|monitortag|parent_session_id|parent_start_me|
session_end_reason|acon_source|tunnel|tunnel_insp_rule|src_dag|dst_dag|src_edl|dst_edl>
set vsys <name> reports <name> type tunnel values [ <values1> <values2>... ]

PAN-OS CLI Quick Start Version Version 10.1 712 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> reports <name> type tunnel labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type tunnel sortby <repeatcnt|bytes|bytes_sent|bytes_received|
packets|pkts_sent|pkts_received|max_encap|unknown_proto|strict_check|tunnel_fragment|
sessions_created|sessions_closed|nunique-of-users>
set vsys <name> reports <name> type tunnelsum
set vsys <name> reports <name> type tunnelsum aggregate-by [ <aggregate-by1> <aggregate-
by2>... ]
set vsys <name> reports <name> type tunnelsum group-by <acon|app|category-of-app|dst|risk-
of-app|rule|rule_uuid|src|subcategory-of-app|technology-of-app|container-of-app|dstloc|srcloc|
vsys|quarter-hour-of-receive_me|hour-of-receive_me|day-of-receive_me|serial|vsys_name|
device_name|tunnelid|monitortag|parent_session_id|parent_start_me|tunnel|tunnel_insp_rule|
src_dag|dst_dag|src_edl|dst_edl>
set vsys <name> reports <name> type tunnelsum values [ <values1> <values2>... ]
set vsys <name> reports <name> type tunnelsum labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type tunnelsum sortby <repeatcnt|bytes|bytes_sent|
bytes_received>
set vsys <name> reports <name> type userid
set vsys <name> reports <name> type userid aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set vsys <name> reports <name> type userid group-by <serial|me_generated|vsys_name|
device_name|vsys|ip|user|datasourcename|beginport|endport|datasource|datasourcetype|
factortype|factorcompleonme|factorno|tag_name|day-of-receive_me|hour-of-receive_me|
quarter-hour-of-receive_me|subtype>
set vsys <name> reports <name> type userid values [ <values1> <values2>... ]
set vsys <name> reports <name> type userid labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type userid sortby <repeatcnt|factortype|factorcompleonme>
set vsys <name> reports <name> type auth
set vsys <name> reports <name> type auth aggregate-by [ <aggregate-by1> <aggregate-by2>... ]
set vsys <name> reports <name> type auth group-by <serial|me_generated|vsys_name|
device_name|vsys|ip|user|normalize_user|object|authpolicy|authid|vendor|clienype|event|
factorno|authproto|rule_uuid|src_category|src_profile|src_model|src_vendor|src_osfamily|
src_osversion|src_host|src_mac|day-of-receive_me|hour-of-receive_me|quarter-hour-of-
receive_me|serverprofile|desc>
set vsys <name> reports <name> type auth values [ <values1> <values2>... ]
set vsys <name> reports <name> type auth labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type auth sortby <repeatcnt|me_generated|vendor>
set vsys <name> reports <name> type iptag
set vsys <name> reports <name> type iptag aggregate-by [ <aggregate-by1> <aggregate-by2>... ]

PAN-OS CLI Quick Start Version Version 10.1 713 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> reports <name> type iptag group-by <serial|me_generated|vsys_name|

device_name|vsys|ip|tag_name|event_id|datasourcename|datasource_type|datasource_subtype|
day-of-receive_me|hour-of-receive_me|quarter-hour-of-receive_me>
set vsys <name> reports <name> type iptag values [ <values1> <values2>... ]
set vsys <name> reports <name> type iptag labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type iptag sortby <repeatcnt|me_generated>
set vsys <name> reports <name> type hipmatch
set vsys <name> reports <name> type hipmatch aggregate-by [ <aggregate-by1> <aggregate-
by2>... ]
set vsys <name> reports <name> type hipmatch group-by <serial|me_generated|vsys_name|
device_name|srcuser|vsys|machinename|src|matchname|os|matchtype|srcipv6|hosd|mac|day-of-
receive_me|hour-of-receive_me|quarter-hour-of-receive_me>
set vsys <name> reports <name> type hipmatch values [ <values1> <values2>... ]
set vsys <name> reports <name> type hipmatch labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type hipmatch sortby <repeatcnt>
set vsys <name> reports <name> type hipmatch last-match-by <>
set vsys <name> reports <name> type globalprotect
set vsys <name> reports <name> type globalprotect aggregate-by [ <aggregate-by1> <aggregate-
by2>... ]
set vsys <name> reports <name> type globalprotect group-by <serial|me_generated|vsys_name|
device_name|vsys|evend|status|stage|auth_method|tunnel_type|portal|srcuser|srcregion|
machinename|public_ip|public_ipv6|private_ip|private_ipv6|hosd|serialnumber|client_ver|
client_os|client_os_ver|login_duraon|connect_method|reason|error_code|error|opaque|gateway|
selecon_type|response_me|priority|aempted_gateways|day-of-receive_me|hour-of-
receive_me|quarter-hour-of-receive_me>
set vsys <name> reports <name> type globalprotect values [ <values1> <values2>... ]
set vsys <name> reports <name> type globalprotect labels [ <labels1> <labels2>... ]
set vsys <name> reports <name> type globalprotect sortby <repeatcnt|nunique-of-ips|nunique-of-
gateways|nunique-of-users|nunique-of-hosd>
set vsys <name> report-group
set vsys <name> report-group <name>
set vsys <name> report-group <name> tle-page <yes|no>
set vsys <name> report-group <name>
set vsys <name> report-group <name> predefined <user-acvity-report|saas-applicaon-usage-
report>
set vsys <name> report-group <name> custom-widget
set vsys <name> report-group <name> custom-widget <name>
set vsys <name> report-group <name> custom-widget <name>

PAN-OS CLI Quick Start Version Version 10.1 714 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> report-group <name> custom-widget <name> custom-report <value>

set vsys <name> report-group <name> custom-widget <name> pdf-summary-report <value>
set vsys <name> report-group <name> custom-widget <name> log-view <value>
set vsys <name> report-group <name> custom-widget <name> csv <value>
set vsys <name> report-group <name>
set vsys <name> report-group <name> all
set vsys <name> report-group <name> all entry
set vsys <name> report-group <name> all entry include-user-groups-info <yes|no>
set vsys <name> report-group <name> all entry user-groups [ <user-groups1> <user-groups2>... ]
set vsys <name> report-group <name> selected-zone
set vsys <name> report-group <name> selected-zone entry
set vsys <name> report-group <name> selected-zone entry include-user-groups-info <yes|no>
set vsys <name> report-group <name> selected-zone entry user-groups [ <user-groups1> <user-
groups2>... ]
set vsys <name> report-group <name> selected-zone entry zone <value>
set vsys <name> report-group <name> selected-user-group
set vsys <name> report-group <name> selected-user-group entry
set vsys <name> report-group <name> selected-user-group entry user-group <value>
set vsys <name> report-group <name> variable
set vsys <name> report-group <name> variable <name>
set vsys <name> report-group <name> variable <name> value <value>
set vsys <name> pdf-summary-report
set vsys <name> pdf-summary-report <name>
set vsys <name> pdf-summary-report <name> header
set vsys <name> pdf-summary-report <name> header capon <value>
set vsys <name> pdf-summary-report <name> footer
set vsys <name> pdf-summary-report <name> footer note <value>
set vsys <name> pdf-summary-report <name> custom-widget
set vsys <name> pdf-summary-report <name> custom-widget <name>
set vsys <name> pdf-summary-report <name> custom-widget <name> chart-type <pie|line|bar|
table>
set vsys <name> pdf-summary-report <name> custom-widget <name> row <1-6>
set vsys <name> pdf-summary-report <name> custom-widget <name> column <1-3>
set vsys <name> email-scheduler

PAN-OS CLI Quick Start Version Version 10.1 715 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> email-scheduler <name>

set vsys <name> email-scheduler <name> report-group <value>
set vsys <name> email-scheduler <name> email-profile <value>
set vsys <name> email-scheduler <name> recipient-emails <value>
set vsys <name> email-scheduler <name> recurring
set vsys <name> email-scheduler <name> recurring disabled
set vsys <name> email-scheduler <name> recurring daily
set vsys <name> email-scheduler <name> recurring weekly <sunday|monday|tuesday|wednesday|
thursday|friday|saturday>
set vsys <name> email-scheduler <name> recurring monthly <1-31>
set vsys <name> external-list
set vsys <name> external-list <name>
set vsys <name> external-list <name> type
set vsys <name> external-list <name> type predefined-ip
set vsys <name> external-list <name> type predefined-ip excepon-list [ <excepon-list1>
<excepon-list2>... ]
set vsys <name> external-list <name> type predefined-ip descripon <value>
set vsys <name> external-list <name> type predefined-ip url <value>
set vsys <name> external-list <name> type predefined-url
set vsys <name> external-list <name> type predefined-url excepon-list [ <excepon-list1>
<excepon-list2>... ]
set vsys <name> external-list <name> type predefined-url descripon <value>
set vsys <name> external-list <name> type predefined-url url <value>
set vsys <name> external-list <name> type ip
set vsys <name> external-list <name> type ip excepon-list [ <excepon-list1> <excepon-
list2>... ]
set vsys <name> external-list <name> type ip descripon <value>
set vsys <name> external-list <name> type ip url <value>
set vsys <name> external-list <name> type ip cerficate-profile <value>|<None>
set vsys <name> external-list <name> type ip auth
set vsys <name> external-list <name> type ip auth username <value>
set vsys <name> external-list <name> type ip auth password <value>
set vsys <name> external-list <name> type ip recurring
set vsys <name> external-list <name> type ip recurring
set vsys <name> external-list <name> type ip recurring five-minute

PAN-OS CLI Quick Start Version Version 10.1 716 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> external-list <name> type ip recurring hourly

set vsys <name> external-list <name> type ip recurring daily
set vsys <name> external-list <name> type ip recurring daily at <value>
set vsys <name> external-list <name> type ip recurring weekly
set vsys <name> external-list <name> type ip recurring weekly day-of-week <sunday|monday|
tuesday|wednesday|thursday|friday|saturday>
set vsys <name> external-list <name> type ip recurring weekly at <value>
set vsys <name> external-list <name> type ip recurring monthly
set vsys <name> external-list <name> type ip recurring monthly day-of-month <1-31>
set vsys <name> external-list <name> type ip recurring monthly at <value>
set vsys <name> external-list <name> type domain
set vsys <name> external-list <name> type domain excepon-list [ <excepon-list1> <excepon-
list2>... ]
set vsys <name> external-list <name> type domain descripon <value>
set vsys <name> external-list <name> type domain url <value>
set vsys <name> external-list <name> type domain cerficate-profile <value>|<None>
set vsys <name> external-list <name> type domain auth
set vsys <name> external-list <name> type domain auth username <value>
set vsys <name> external-list <name> type domain auth password <value>
set vsys <name> external-list <name> type domain recurring
set vsys <name> external-list <name> type domain recurring
set vsys <name> external-list <name> type domain recurring hourly
set vsys <name> external-list <name> type domain recurring five-minute
set vsys <name> external-list <name> type domain recurring daily
set vsys <name> external-list <name> type domain recurring daily at <value>
set vsys <name> external-list <name> type domain recurring weekly
set vsys <name> external-list <name> type domain recurring weekly day-of-week <sunday|
monday|tuesday|wednesday|thursday|friday|saturday>
set vsys <name> external-list <name> type domain recurring weekly at <value>
set vsys <name> external-list <name> type domain recurring monthly
set vsys <name> external-list <name> type domain recurring monthly day-of-month <1-31>
set vsys <name> external-list <name> type domain recurring monthly at <value>
set vsys <name> external-list <name> type domain expand-domain <yes|no>
set vsys <name> external-list <name> type url

PAN-OS CLI Quick Start Version Version 10.1 717 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> external-list <name> type url excepon-list [ <excepon-list1> <excepon-
list2>... ]
set vsys <name> external-list <name> type url descripon <value>
set vsys <name> external-list <name> type url url <value>
set vsys <name> external-list <name> type url cerficate-profile <value>|<None>
set vsys <name> external-list <name> type url auth
set vsys <name> external-list <name> type url auth username <value>
set vsys <name> external-list <name> type url auth password <value>
set vsys <name> external-list <name> type url recurring
set vsys <name> external-list <name> type url recurring
set vsys <name> external-list <name> type url recurring hourly
set vsys <name> external-list <name> type url recurring five-minute
set vsys <name> external-list <name> type url recurring daily
set vsys <name> external-list <name> type url recurring daily at <value>
set vsys <name> external-list <name> type url recurring weekly
set vsys <name> external-list <name> type url recurring weekly day-of-week <sunday|monday|
tuesday|wednesday|thursday|friday|saturday>
set vsys <name> external-list <name> type url recurring weekly at <value>
set vsys <name> external-list <name> type url recurring monthly
set vsys <name> external-list <name> type url recurring monthly day-of-month <1-31>
set vsys <name> external-list <name> type url recurring monthly at <value>
set vsys <name> address
set vsys <name> address <name>
set vsys <name> address <name> descripon <value>
set vsys <name> address <name>
set vsys <name> address <name> ip-netmask <ip/netmask>
set vsys <name> address <name> ip-range <ip-range>
set vsys <name> address <name> ip-wildcard <ipdiscontmask>
set vsys <name> address <name> fqdn <value>
set vsys <name> address <name> tag [ <tag1> <tag2>... ]
set vsys <name> address-group
set vsys <name> address-group <name>
set vsys <name> address-group <name> descripon <value>
set vsys <name> address-group <name>

PAN-OS CLI Quick Start Version Version 10.1 718 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> address-group <name> stac [ <stac1> <stac2>... ]

set vsys <name> address-group <name> dynamic
set vsys <name> address-group <name> dynamic filter <value>
set vsys <name> address-group <name> tag [ <tag1> <tag2>... ]
set vsys <name> dynamic-user-group
set vsys <name> dynamic-user-group <name>
set vsys <name> dynamic-user-group <name> descripon <value>
set vsys <name> dynamic-user-group <name> filter <value>
set vsys <name> dynamic-user-group <name> tag [ <tag1> <tag2>... ]
set vsys <name> schedule
set vsys <name> schedule <name>
set vsys <name> schedule <name> schedule-type
set vsys <name> schedule <name> schedule-type recurring
set vsys <name> schedule <name> schedule-type recurring weekly
set vsys <name> schedule <name> schedule-type recurring weekly sunday [ <sunday1>
<sunday2>... ]
set vsys <name> schedule <name> schedule-type recurring weekly monday [ <monday1>
<monday2>... ]
set vsys <name> schedule <name> schedule-type recurring weekly tuesday [ <tuesday1>
<tuesday2>... ]
set vsys <name> schedule <name> schedule-type recurring weekly wednesday [ <wednesday1>
<wednesday2>... ]
set vsys <name> schedule <name> schedule-type recurring weekly thursday [ <thursday1>
<thursday2>... ]
set vsys <name> schedule <name> schedule-type recurring weekly friday [ <friday1> <friday2>... ]
set vsys <name> schedule <name> schedule-type recurring weekly saturday [ <saturday1>
<saturday2>... ]
set vsys <name> schedule <name> schedule-type recurring daily [ <daily1> <daily2>... ]
set vsys <name> schedule <name> schedule-type non-recurring [ <non-recurring1> <non-
recurring2>... ]
set vsys <name> threats
set vsys <name> threats vulnerability
set vsys <name> threats vulnerability <name>
set vsys <name> threats vulnerability <name> threatname <value>
set vsys <name> threats vulnerability <name> affected-host
set vsys <name> threats vulnerability <name> affected-host client <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 719 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> threats vulnerability <name> affected-host server <yes|no>

set vsys <name> threats vulnerability <name> comment <value>
set vsys <name> threats vulnerability <name> severity <value>
set vsys <name> threats vulnerability <name> direcon <value>
set vsys <name> threats vulnerability <name> default-acon
set vsys <name> threats vulnerability <name> default-acon alert
set vsys <name> threats vulnerability <name> default-acon drop
set vsys <name> threats vulnerability <name> default-acon reset-client
set vsys <name> threats vulnerability <name> default-acon reset-server
set vsys <name> threats vulnerability <name> default-acon reset-both
set vsys <name> threats vulnerability <name> default-acon block-ip
set vsys <name> threats vulnerability <name> default-acon block-ip track-by <source|source-
and-desnaon>
set vsys <name> threats vulnerability <name> default-acon block-ip duraon <1-3600>
set vsys <name> threats vulnerability <name> default-acon allow
set vsys <name> threats vulnerability <name> cve [ <cve1> <cve2>... ]
set vsys <name> threats vulnerability <name> bugtraq [ <bugtraq1> <bugtraq2>... ]
set vsys <name> threats vulnerability <name> vendor [ <vendor1> <vendor2>... ]
set vsys <name> threats vulnerability <name> reference [ <reference1> <reference2>... ]
set vsys <name> threats vulnerability <name> signature
set vsys <name> threats vulnerability <name> signature standard
set vsys <name> threats vulnerability <name> signature standard <name>
set vsys <name> threats vulnerability <name> signature standard <name> comment <value>
set vsys <name> threats vulnerability <name> signature standard <name> scope <protocol-data-
unit|session>
set vsys <name> threats vulnerability <name> signature standard <name> order-free <yes|no>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator

PAN-OS CLI Quick Start Version Version 10.1 720 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator less-than
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator less-than context <value>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator less-than value <0-4294967295>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator less-than qualifier
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator less-than qualifier <name>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator less-than qualifier <name> value <1-127>|<value>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator equal-to
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator equal-to context <value>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator equal-to value <0-4294967295>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator equal-to qualifier
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator equal-to qualifier <name>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator equal-to qualifier <name> value <1-127>|<value>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator greater-than
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator greater-than context <value>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator greater-than value <0-4294967295>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator greater-than qualifier
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator greater-than qualifier <name>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator greater-than qualifier <name> value <1-127>|<value>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator paern-match
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator paern-match context <value>

PAN-OS CLI Quick Start Version Version 10.1 721 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator paern-match paern <value>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator paern-match negate <yes|no>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator paern-match qualifier
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator paern-match qualifier <name>
set vsys <name> threats vulnerability <name> signature standard <name> and-condion <name>
or-condion <name> operator paern-match qualifier <name> value <1-127>|<value>
set vsys <name> threats vulnerability <name> signature combinaon
set vsys <name> threats vulnerability <name> signature combinaon me-aribute
set vsys <name> threats vulnerability <name> signature combinaon me-aribute interval
<1-3600>
set vsys <name> threats vulnerability <name> signature combinaon me-aribute threshold
<1-255>
set vsys <name> threats vulnerability <name> signature combinaon me-aribute track-by
<source|desnaon|source-and-desnaon>
set vsys <name> threats vulnerability <name> signature combinaon order-free <yes|no>
set vsys <name> threats vulnerability <name> signature combinaon and-condion
set vsys <name> threats vulnerability <name> signature combinaon and-condion <name>
set vsys <name> threats vulnerability <name> signature combinaon and-condion <name> or-
condion
set vsys <name> threats vulnerability <name> signature combinaon and-condion <name> or-
condion <name>
set vsys <name> threats vulnerability <name> signature combinaon and-condion <name> or-
condion <name> threat-id <value>
set vsys <name> threats spyware
set vsys <name> threats spyware <name>
set vsys <name> threats spyware <name> threatname <value>
set vsys <name> threats spyware <name> comment <value>
set vsys <name> threats spyware <name> severity <value>
set vsys <name> threats spyware <name> direcon <value>
set vsys <name> threats spyware <name> default-acon
set vsys <name> threats spyware <name> default-acon alert
set vsys <name> threats spyware <name> default-acon drop
set vsys <name> threats spyware <name> default-acon reset-client

PAN-OS CLI Quick Start Version Version 10.1 722 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> threats spyware <name> default-acon reset-server

set vsys <name> threats spyware <name> default-acon reset-both
set vsys <name> threats spyware <name> default-acon block-ip
set vsys <name> threats spyware <name> default-acon block-ip track-by <source|source-and-
desnaon>
set vsys <name> threats spyware <name> default-acon block-ip duraon <1-3600>
set vsys <name> threats spyware <name> default-acon allow
set vsys <name> threats spyware <name> cve [ <cve1> <cve2>... ]
set vsys <name> threats spyware <name> bugtraq [ <bugtraq1> <bugtraq2>... ]
set vsys <name> threats spyware <name> vendor [ <vendor1> <vendor2>... ]
set vsys <name> threats spyware <name> reference [ <reference1> <reference2>... ]
set vsys <name> threats spyware <name> signature
set vsys <name> threats spyware <name> signature standard
set vsys <name> threats spyware <name> signature standard <name>
set vsys <name> threats spyware <name> signature standard <name> comment <value>
set vsys <name> threats spyware <name> signature standard <name> scope <protocol-data-unit|
session>
set vsys <name> threats spyware <name> signature standard <name> order-free <yes|no>
set vsys <name> threats spyware <name> signature standard <name> and-condion
set vsys <name> threats spyware <name> signature standard <name> and-condion <name>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than value <0-4294967295>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than context <value>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier <name>

PAN-OS CLI Quick Start Version Version 10.1 723 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator less-than qualifier <name> value <1-127>|<value>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to value <0-4294967295>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to context <value>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier <name>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator equal-to qualifier <name> value <1-127>|<value>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than value <0-4294967295>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than context <value>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier <name>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator greater-than qualifier <name> value <1-127>|<value>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match context <value>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match paern <value>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match negate <yes|no>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier <name>
set vsys <name> threats spyware <name> signature standard <name> and-condion <name> or-
condion <name> operator paern-match qualifier <name> value <1-127>|<value>

PAN-OS CLI Quick Start Version Version 10.1 724 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> threats spyware <name> signature combinaon

set vsys <name> threats spyware <name> signature combinaon me-aribute
set vsys <name> threats spyware <name> signature combinaon me-aribute interval <1-3600>
set vsys <name> threats spyware <name> signature combinaon me-aribute threshold
<1-255>
set vsys <name> threats spyware <name> signature combinaon me-aribute track-by <source|
desnaon|source-and-desnaon>
set vsys <name> threats spyware <name> signature combinaon order-free <yes|no>
set vsys <name> threats spyware <name> signature combinaon and-condion
set vsys <name> threats spyware <name> signature combinaon and-condion <name>
set vsys <name> threats spyware <name> signature combinaon and-condion <name> or-
condion
set vsys <name> threats spyware <name> signature combinaon and-condion <name> or-
condion <name>
set vsys <name> threats spyware <name> signature combinaon and-condion <name> or-
condion <name> threat-id <value>
set vsys <name> applicaon
set vsys <name> applicaon <name>
set vsys <name> applicaon <name> default
set vsys <name> applicaon <name> default port [ <port1> <port2>... ]
set vsys <name> applicaon <name> default ident-by-ip-protocol <0-255,...>
set vsys <name> applicaon <name> default ident-by-icmp-type
set vsys <name> applicaon <name> default ident-by-icmp-type type <0-255,...>
set vsys <name> applicaon <name> default ident-by-icmp-type code <0-255,...>
set vsys <name> applicaon <name> default ident-by-icmp6-type
set vsys <name> applicaon <name> default ident-by-icmp6-type type <0-255,...>
set vsys <name> applicaon <name> default ident-by-icmp6-type code <0-255,...>
set vsys <name> applicaon <name> category <value>
set vsys <name> applicaon <name> subcategory <value>
set vsys <name> applicaon <name> technology <value>
set vsys <name> applicaon <name> descripon <value>
set vsys <name> applicaon <name> meout <0-604800>
set vsys <name> applicaon <name> tcp-meout <0-604800>
set vsys <name> applicaon <name> udp-meout <0-604800>
set vsys <name> applicaon <name> tcp-half-closed-meout <1-604800>

PAN-OS CLI Quick Start Version Version 10.1 725 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> applicaon <name> tcp-me-wait-meout <1-600>

set vsys <name> applicaon <name> risk <1-5>
set vsys <name> applicaon <name> evasive-behavior <yes|no>
set vsys <name> applicaon <name> consume-big-bandwidth <yes|no>
set vsys <name> applicaon <name> used-by-malware <yes|no>
set vsys <name> applicaon <name> able-to-transfer-file <yes|no>
set vsys <name> applicaon <name> has-known-vulnerability <yes|no>
set vsys <name> applicaon <name> tunnel-other-applicaon <yes|no>
set vsys <name> applicaon <name> tunnel-applicaons <yes|no>
set vsys <name> applicaon <name> prone-to-misuse <yes|no>
set vsys <name> applicaon <name> pervasive-use <yes|no>
set vsys <name> applicaon <name> file-type-ident <yes|no>
set vsys <name> applicaon <name> virus-ident <yes|no>
set vsys <name> applicaon <name> data-ident <yes|no>
set vsys <name> applicaon <name> no-appid-caching <yes|no>
set vsys <name> applicaon <name> alg-disable-capability <value>
set vsys <name> applicaon <name> parent-app <value>
set vsys <name> applicaon <name> signature
set vsys <name> applicaon <name> signature <name>
set vsys <name> applicaon <name> signature <name> comment <value>
set vsys <name> applicaon <name> signature <name> scope <protocol-data-unit|session>
set vsys <name> applicaon <name> signature <name> order-free <yes|no>
set vsys <name> applicaon <name> signature <name> and-condion
set vsys <name> applicaon <name> signature <name> and-condion <name>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator paern-match
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator paern-match context <value>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator paern-match paern <value>

PAN-OS CLI Quick Start Version Version 10.1 726 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator paern-match qualifier
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator paern-match qualifier <name>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator paern-match qualifier <name> value <1-127>|<value>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator greater-than
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator greater-than context <value>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator greater-than value <0-4294967295>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator greater-than qualifier
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator greater-than qualifier <name>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator greater-than qualifier <name> value <1-127>|<value>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator less-than
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator less-than context <value>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator less-than value <0-4294967295>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator less-than qualifier
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator less-than qualifier <name>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator less-than qualifier <name> value <1-127>|<value>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator equal-to
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator equal-to context <value>|<unknown-req-tcp|unknown-rsp-tcp|unknown-req-
udp|unknown-rsp-udp>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator equal-to posion <value>
set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator equal-to mask <value>

PAN-OS CLI Quick Start Version Version 10.1 727 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> applicaon <name> signature <name> and-condion <name> or-condion
<name> operator equal-to value <value>
set vsys <name> applicaon-tag
set vsys <name> applicaon-tag <name>
set vsys <name> applicaon-tag <name> tag [ <tag1> <tag2>... ]
set vsys <name> applicaon-filter
set vsys <name> applicaon-filter <name>
set vsys <name> applicaon-filter <name> category [ <category1> <category2>... ]
set vsys <name> applicaon-filter <name> subcategory [ <subcategory1> <subcategory2>... ]
set vsys <name> applicaon-filter <name> technology [ <technology1> <technology2>... ]
set vsys <name> applicaon-filter <name> evasive <yes>
set vsys <name> applicaon-filter <name> excessive-bandwidth-use <yes>
set vsys <name> applicaon-filter <name> used-by-malware <yes>
set vsys <name> applicaon-filter <name> transfers-files <yes>
set vsys <name> applicaon-filter <name> has-known-vulnerabilies <yes>
set vsys <name> applicaon-filter <name> tunnels-other-apps <yes>
set vsys <name> applicaon-filter <name> prone-to-misuse <yes>
set vsys <name> applicaon-filter <name> pervasive <yes>
set vsys <name> applicaon-filter <name> is-saas <yes>
set vsys <name> applicaon-filter <name> new-appid <yes>
set vsys <name> applicaon-filter <name> risk [ <risk1> <risk2>... ]
set vsys <name> applicaon-filter <name> saas-cerficaons [ <saas-cerficaons1> <saas-
cerficaons2>... ]
set vsys <name> applicaon-filter <name> saas-risk [ <saas-risk1> <saas-risk2>... ]
set vsys <name> applicaon-filter <name> tagging
set vsys <name> applicaon-filter <name> tagging no-tag <yes>
set vsys <name> applicaon-filter <name> tagging tag [ <tag1> <tag2>... ]
set vsys <name> applicaon-filter <name> exclude [ <exclude1> <exclude2>... ]
set vsys <name> applicaon-group
set vsys <name> applicaon-group <name>
set vsys <name> applicaon-group <name> members [ <members1> <members2>... ]
set vsys <name> device-object
set vsys <name> device-object <name>
set vsys <name> device-object <name> descripon <value>

PAN-OS CLI Quick Start Version Version 10.1 728 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> device-object <name> category [ <category1> <category2>... ]

set vsys <name> device-object <name> profile [ <profile1> <profile2>... ]
set vsys <name> device-object <name> osfamily [ <osfamily1> <osfamily2>... ]
set vsys <name> device-object <name> os [ <os1> <os2>... ]
set vsys <name> device-object <name> model [ <model1> <model2>... ]
set vsys <name> device-object <name> vendor [ <vendor1> <vendor2>... ]
set vsys <name> region
set vsys <name> region <name>
set vsys <name> region <name> geo-locaon
set vsys <name> region <name> geo-locaon latude <float>
set vsys <name> region <name> geo-locaon longitude <float>
set vsys <name> region <name> address [ <address1> <address2>... ]
set vsys <name> tag
set vsys <name> tag <name>
set vsys <name> tag <name> color <color1|color2|color3|color4|color5|color6|color7|color8|
color9|color10|color11|color12|color13|color14|color15|color16|color17|color19|color20|color21|
color22|color23|color24|color25|color26|color27|color28|color29|color30|color31|color32|
color33|color34|color35|color36|color37|color38|color39|color40|color41|color42>
set vsys <name> tag <name> comments <value>
set vsys <name> authencaon-object
set vsys <name> authencaon-object <name>
set vsys <name> authencaon-object <name> authencaon-method <web-form|no-capve-
portal|browser-challenge>
set vsys <name> authencaon-object <name> authencaon-profile <value>
set vsys <name> authencaon-object <name> message <value>
set vsys <name> rulebase
set vsys <name> rulebase security
set vsys <name> rulebase security rules
set vsys <name> rulebase security rules <name>
set vsys <name> rulebase security rules <name> from [ <from1> <from2>... ]
set vsys <name> rulebase security rules <name> to [ <to1> <to2>... ]
set vsys <name> rulebase security rules <name> source [ <source1> <source2>... ]
set vsys <name> rulebase security rules <name> source-user [ <source-user1> <source-user2>... ]
set vsys <name> rulebase security rules <name> desnaon [ <desnaon1> <desnaon2>... ]
set vsys <name> rulebase security rules <name> service [ <service1> <service2>... ]

PAN-OS CLI Quick Start Version Version 10.1 729 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase security rules <name> category [ <category1> <category2>... ]
set vsys <name> rulebase security rules <name> applicaon [ <applicaon1> <applicaon2>... ]
set vsys <name> rulebase security rules <name> source-hip [ <source-hip1> <source-hip2>... ]
set vsys <name> rulebase security rules <name> desnaon-hip [ <desnaon-hip1>
<desnaon-hip2>... ]
set vsys <name> rulebase security rules <name> schedule <value>
set vsys <name> rulebase security rules <name> tag [ <tag1> <tag2>... ]
set vsys <name> rulebase security rules <name> negate-source <yes|no>
set vsys <name> rulebase security rules <name> negate-desnaon <yes|no>
set vsys <name> rulebase security rules <name> disabled <yes|no>
set vsys <name> rulebase security rules <name> descripon <value>
set vsys <name> rulebase security rules <name> group-tag <value>
set vsys <name> rulebase security rules <name> hip-profiles [ <hip-profiles1> <hip-profiles2>... ]
set vsys <name> rulebase security rules <name> acon <deny|allow|drop|reset-client|reset-server|
reset-both>
set vsys <name> rulebase security rules <name> icmp-unreachable <yes|no>
set vsys <name> rulebase security rules <name> rule-type <universal|intrazone|interzone>
set vsys <name> rulebase security rules <name> opon
set vsys <name> rulebase security rules <name> opon disable-server-response-inspecon <yes|
no>
set vsys <name> rulebase security rules <name> log-seng <value>
set vsys <name> rulebase security rules <name> log-start <yes|no>
set vsys <name> rulebase security rules <name> log-end <yes|no>
set vsys <name> rulebase security rules <name> profile-seng
set vsys <name> rulebase security rules <name> profile-seng profiles
set vsys <name> rulebase security rules <name> profile-seng profiles url-filtering [ <url-
filtering1> <url-filtering2>... ]
set vsys <name> rulebase security rules <name> profile-seng profiles data-filtering [ <data-
filtering1> <data-filtering2>... ]
set vsys <name> rulebase security rules <name> profile-seng profiles file-blocking [ <file-
blocking1> <file-blocking2>... ]
set vsys <name> rulebase security rules <name> profile-seng profiles wildfire-analysis
[ <wildfire-analysis1> <wildfire-analysis2>... ]
set vsys <name> rulebase security rules <name> profile-seng profiles virus [ <virus1>
<virus2>... ]

PAN-OS CLI Quick Start Version Version 10.1 730 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase security rules <name> profile-seng profiles spyware [ <spyware1>
<spyware2>... ]
set vsys <name> rulebase security rules <name> profile-seng profiles vulnerability
[ <vulnerability1> <vulnerability2>... ]
set vsys <name> rulebase security rules <name> profile-seng group [ <group1> <group2>... ]
set vsys <name> rulebase security rules <name> qos
set vsys <name> rulebase security rules <name> qos marking
set vsys <name> rulebase security rules <name> qos marking ip-dscp <value>|<ef|af11|af12|af13|
af21|af22|af23|af31|af32|af33|af41|af42|af43|cs0|cs1|cs2|cs3|cs4|cs5|cs6|cs7>
set vsys <name> rulebase security rules <name> qos marking ip-precedence <value>|<cs0|cs1|cs2|
cs3|cs4|cs5|cs6|cs7>
set vsys <name> rulebase security rules <name> qos marking follow-c2s-flow
set vsys <name> rulebase default-security-rules
set vsys <name> rulebase default-security-rules rules
set vsys <name> rulebase default-security-rules rules <name>
set vsys <name> rulebase default-security-rules rules <name> tag [ <tag1> <tag2>... ]
set vsys <name> rulebase default-security-rules rules <name> log-seng <value>
set vsys <name> rulebase default-security-rules rules <name> log-start <yes|no>
set vsys <name> rulebase default-security-rules rules <name> log-end <yes|no>
set vsys <name> rulebase default-security-rules rules <name> profile-seng
set vsys <name> rulebase default-security-rules rules <name> profile-seng profiles
set vsys <name> rulebase default-security-rules rules <name> profile-seng profiles url-filtering
[ <url-filtering1> <url-filtering2>... ]
set vsys <name> rulebase default-security-rules rules <name> profile-seng profiles data-filtering
[ <data-filtering1> <data-filtering2>... ]
set vsys <name> rulebase default-security-rules rules <name> profile-seng profiles file-blocking
[ <file-blocking1> <file-blocking2>... ]
set vsys <name> rulebase default-security-rules rules <name> profile-seng profiles wildfire-
analysis [ <wildfire-analysis1> <wildfire-analysis2>... ]
set vsys <name> rulebase default-security-rules rules <name> profile-seng profiles virus
[ <virus1> <virus2>... ]
set vsys <name> rulebase default-security-rules rules <name> profile-seng profiles spyware
[ <spyware1> <spyware2>... ]
set vsys <name> rulebase default-security-rules rules <name> profile-seng profiles vulnerability
[ <vulnerability1> <vulnerability2>... ]
set vsys <name> rulebase default-security-rules rules <name> profile-seng group [ <group1>
<group2>... ]

PAN-OS CLI Quick Start Version Version 10.1 731 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase default-security-rules rules <name> group-tag <value>

set vsys <name> rulebase default-security-rules rules <name> acon <deny|allow|drop|reset-
client|reset-server|reset-both>
set vsys <name> rulebase default-security-rules rules <name> icmp-unreachable <yes|no>
set vsys <name> rulebase applicaon-override
set vsys <name> rulebase applicaon-override rules
set vsys <name> rulebase applicaon-override rules <name>
set vsys <name> rulebase applicaon-override rules <name> from [ <from1> <from2>... ]
set vsys <name> rulebase applicaon-override rules <name> to [ <to1> <to2>... ]
set vsys <name> rulebase applicaon-override rules <name> source [ <source1> <source2>... ]
set vsys <name> rulebase applicaon-override rules <name> source-user [ <source-user1>
<source-user2>... ]
set vsys <name> rulebase applicaon-override rules <name> desnaon [ <desnaon1>
<desnaon2>... ]
set vsys <name> rulebase applicaon-override rules <name> tag [ <tag1> <tag2>... ]
set vsys <name> rulebase applicaon-override rules <name> negate-source <yes|no>
set vsys <name> rulebase applicaon-override rules <name> negate-desnaon <yes|no>
set vsys <name> rulebase applicaon-override rules <name> disabled <yes|no>
set vsys <name> rulebase applicaon-override rules <name> descripon <value>
set vsys <name> rulebase applicaon-override rules <name> group-tag <value>
set vsys <name> rulebase applicaon-override rules <name> protocol <tcp|udp>
set vsys <name> rulebase applicaon-override rules <name> port <0-65535,...>
set vsys <name> rulebase applicaon-override rules <name> applicaon <value>
set vsys <name> rulebase decrypon
set vsys <name> rulebase decrypon rules
set vsys <name> rulebase decrypon rules <name>
set vsys <name> rulebase decrypon rules <name> from [ <from1> <from2>... ]
set vsys <name> rulebase decrypon rules <name> to [ <to1> <to2>... ]
set vsys <name> rulebase decrypon rules <name> source [ <source1> <source2>... ]
set vsys <name> rulebase decrypon rules <name> source-user [ <source-user1> <source-
user2>... ]
set vsys <name> rulebase decrypon rules <name> desnaon [ <desnaon1>
<desnaon2>... ]
set vsys <name> rulebase decrypon rules <name> tag [ <tag1> <tag2>... ]
set vsys <name> rulebase decrypon rules <name> negate-source <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 732 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase decrypon rules <name> negate-desnaon <yes|no>

set vsys <name> rulebase decrypon rules <name> disabled <yes|no>
set vsys <name> rulebase decrypon rules <name> descripon <value>
set vsys <name> rulebase decrypon rules <name> group-tag <value>
set vsys <name> rulebase decrypon rules <name> source-hip [ <source-hip1> <source-hip2>... ]
set vsys <name> rulebase decrypon rules <name> desnaon-hip [ <desnaon-hip1>
<desnaon-hip2>... ]
set vsys <name> rulebase decrypon rules <name> service [ <service1> <service2>... ]
set vsys <name> rulebase decrypon rules <name> category [ <category1> <category2>... ]
set vsys <name> rulebase decrypon rules <name> acon <no-decrypt|decrypt>
set vsys <name> rulebase decrypon rules <name> type
set vsys <name> rulebase decrypon rules <name> type ssl-forward-proxy
set vsys <name> rulebase decrypon rules <name> type ssh-proxy
set vsys <name> rulebase decrypon rules <name> type ssl-inbound-inspecon <value>
set vsys <name> rulebase decrypon rules <name> profile <value>
set vsys <name> rulebase decrypon rules <name> log-success <yes|no>
set vsys <name> rulebase decrypon rules <name> log-fail <yes|no>
set vsys <name> rulebase decrypon rules <name> log-seng <value>
set vsys <name> rulebase authencaon
set vsys <name> rulebase authencaon rules
set vsys <name> rulebase authencaon rules <name>
set vsys <name> rulebase authencaon rules <name> from [ <from1> <from2>... ]
set vsys <name> rulebase authencaon rules <name> to [ <to1> <to2>... ]
set vsys <name> rulebase authencaon rules <name> source [ <source1> <source2>... ]
set vsys <name> rulebase authencaon rules <name> source-user [ <source-user1> <source-
user2>... ]
set vsys <name> rulebase authencaon rules <name> desnaon [ <desnaon1>
<desnaon2>... ]
set vsys <name> rulebase authencaon rules <name> source-hip [ <source-hip1> <source-
hip2>... ]
set vsys <name> rulebase authencaon rules <name> desnaon-hip [ <desnaon-hip1>
<desnaon-hip2>... ]
set vsys <name> rulebase authencaon rules <name> tag [ <tag1> <tag2>... ]
set vsys <name> rulebase authencaon rules <name> negate-source <yes|no>
set vsys <name> rulebase authencaon rules <name> negate-desnaon <yes|no>

PAN-OS CLI Quick Start Version Version 10.1 733 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase authencaon rules <name> disabled <yes|no>

set vsys <name> rulebase authencaon rules <name> descripon <value>
set vsys <name> rulebase authencaon rules <name> group-tag <value>
set vsys <name> rulebase authencaon rules <name> service [ <service1> <service2>... ]
set vsys <name> rulebase authencaon rules <name> category [ <category1> <category2>... ]
set vsys <name> rulebase authencaon rules <name> hip-profiles [ <hip-profiles1> <hip-
profiles2>... ]
set vsys <name> rulebase authencaon rules <name> authencaon-enforcement <value>
set vsys <name> rulebase authencaon rules <name> log-seng <value>
set vsys <name> rulebase authencaon rules <name> meout <1-1440>
set vsys <name> rulebase authencaon rules <name> log-authencaon-meout <yes|no>
set vsys <name> rulebase tunnel-inspect
set vsys <name> rulebase tunnel-inspect rules
set vsys <name> rulebase tunnel-inspect rules <name>
set vsys <name> rulebase tunnel-inspect rules <name> from [ <from1> <from2>... ]
set vsys <name> rulebase tunnel-inspect rules <name> to [ <to1> <to2>... ]
set vsys <name> rulebase tunnel-inspect rules <name> source [ <source1> <source2>... ]
set vsys <name> rulebase tunnel-inspect rules <name> source-user [ <source-user1> <source-
user2>... ]
set vsys <name> rulebase tunnel-inspect rules <name> desnaon [ <desnaon1>
<desnaon2>... ]
set vsys <name> rulebase tunnel-inspect rules <name> tag [ <tag1> <tag2>... ]
set vsys <name> rulebase tunnel-inspect rules <name> negate-source <yes|no>
set vsys <name> rulebase tunnel-inspect rules <name> negate-desnaon <yes|no>
set vsys <name> rulebase tunnel-inspect rules <name> disabled <yes|no>
set vsys <name> rulebase tunnel-inspect rules <name> descripon <value>
set vsys <name> rulebase tunnel-inspect rules <name> group-tag <value>
set vsys <name> rulebase tunnel-inspect rules <name> applicaon [ <applicaon1>
<applicaon2>... ]
set vsys <name> rulebase tunnel-inspect rules <name> tunnel-id
set vsys <name> rulebase tunnel-inspect rules <name> tunnel-id vni
set vsys <name> rulebase tunnel-inspect rules <name> tunnel-id vni <name>
set vsys <name> rulebase tunnel-inspect rules <name> tunnel-id vni <name> id <0-16777215,...>
set vsys <name> rulebase tunnel-inspect rules <name> inspect-opons

PAN-OS CLI Quick Start Version Version 10.1 734 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase tunnel-inspect rules <name> inspect-opons max-level-inspecon <1|
2>
set vsys <name> rulebase tunnel-inspect rules <name> inspect-opons drop-over-max <yes|no>
set vsys <name> rulebase tunnel-inspect rules <name> inspect-opons drop-unknown-protocol
<yes|no>
set vsys <name> rulebase tunnel-inspect rules <name> inspect-opons drop-strict-checking <yes|
no>
set vsys <name> rulebase tunnel-inspect rules <name> inspect-opons return-vxlan-to-source
<yes|no>
set vsys <name> rulebase tunnel-inspect rules <name> zone-assign
set vsys <name> rulebase tunnel-inspect rules <name> zone-assign source [ <source1>
<source2>... ]
set vsys <name> rulebase tunnel-inspect rules <name> zone-assign desnaon [ <desnaon1>
<desnaon2>... ]
set vsys <name> rulebase tunnel-inspect rules <name> monitor-opons
set vsys <name> rulebase tunnel-inspect rules <name> monitor-opons monitor-name <value>
set vsys <name> rulebase tunnel-inspect rules <name> monitor-opons monitor-id
<1-16777215>
set vsys <name> rulebase tunnel-inspect rules <name> monitor-opons log-seng-override
set vsys <name> rulebase tunnel-inspect rules <name> monitor-opons log-seng-override
enable <yes|no>
set vsys <name> rulebase tunnel-inspect rules <name> monitor-opons log-seng-override log-
seng <value>
set vsys <name> rulebase tunnel-inspect rules <name> monitor-opons log-seng-override log-
start <yes|no>
set vsys <name> rulebase tunnel-inspect rules <name> monitor-opons log-seng-override log-
end <yes|no>
set vsys <name> rulebase nat
set vsys <name> rulebase nat rules
set vsys <name> rulebase nat rules <name>
set vsys <name> rulebase nat rules <name> from [ <from1> <from2>... ]
set vsys <name> rulebase nat rules <name> to [ <to1> <to2>... ]
set vsys <name> rulebase nat rules <name> source [ <source1> <source2>... ]
set vsys <name> rulebase nat rules <name> desnaon [ <desnaon1> <desnaon2>... ]
set vsys <name> rulebase nat rules <name> service <value>
set vsys <name> rulebase nat rules <name> nat-type <ipv4|nat64|nptv6>
set vsys <name> rulebase nat rules <name> to-interface <value>|<any>

PAN-OS CLI Quick Start Version Version 10.1 735 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase nat rules <name> source-translaon

set vsys <name> rulebase nat rules <name> source-translaon
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip-and-port
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip-and-port
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip-and-port translated-
address [ <translated-address1> <translated-address2>... ]
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip-and-port interface-
address
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip-and-port interface-
address interface <value>
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip-and-port interface-
address
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip-and-port interface-
address ip <value>
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip-and-port interface-
address floang-ip <value>
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip translated-address
[ <translated-address1> <translated-address2>... ]
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip fallback
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip fallback
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip fallback translated-
address [ <translated-address1> <translated-address2>... ]
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip fallback interface-
address
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip fallback interface-
address interface <value>
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip fallback interface-
address
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip fallback interface-
address ip <value>
set vsys <name> rulebase nat rules <name> source-translaon dynamic-ip fallback interface-
address floang-ip <value>
set vsys <name> rulebase nat rules <name> source-translaon stac-ip
set vsys <name> rulebase nat rules <name> source-translaon stac-ip translated-address
<value>|<ip/netmask>|<ip-range>
set vsys <name> rulebase nat rules <name> source-translaon stac-ip bi-direconal <yes|no>
set vsys <name> rulebase nat rules <name>

PAN-OS CLI Quick Start Version Version 10.1 736 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase nat rules <name> desnaon-translaon

set vsys <name> rulebase nat rules <name> desnaon-translaon translated-address <value>|
<ip/netmask>|<ip-range>
set vsys <name> rulebase nat rules <name> desnaon-translaon translated-port <1-65535>
set vsys <name> rulebase nat rules <name> desnaon-translaon
set vsys <name> rulebase nat rules <name> desnaon-translaon dns-rewrite
set vsys <name> rulebase nat rules <name> desnaon-translaon dns-rewrite direcon
<reverse|forward>
set vsys <name> rulebase nat rules <name> dynamic-desnaon-translaon
set vsys <name> rulebase nat rules <name> dynamic-desnaon-translaon translated-address
<value>|<ip/netmask>|<ip-range>
set vsys <name> rulebase nat rules <name> dynamic-desnaon-translaon translated-port
<1-65535>
set vsys <name> rulebase nat rules <name> dynamic-desnaon-translaon distribuon <round-
robin|source-ip-hash|ip-modulo|ip-hash|least-sessions>
set vsys <name> rulebase nat rules <name> acve-acve-device-binding <primary|both|0|1>
set vsys <name> rulebase nat rules <name> tag [ <tag1> <tag2>... ]
set vsys <name> rulebase nat rules <name> disabled <yes|no>
set vsys <name> rulebase nat rules <name> descripon <value>
set vsys <name> rulebase nat rules <name> group-tag <value>
set vsys <name> rulebase qos
set vsys <name> rulebase qos rules
set vsys <name> rulebase qos rules <name>
set vsys <name> rulebase qos rules <name> from [ <from1> <from2>... ]
set vsys <name> rulebase qos rules <name> to [ <to1> <to2>... ]
set vsys <name> rulebase qos rules <name> source [ <source1> <source2>... ]
set vsys <name> rulebase qos rules <name> source-user [ <source-user1> <source-user2>... ]
set vsys <name> rulebase qos rules <name> desnaon [ <desnaon1> <desnaon2>... ]
set vsys <name> rulebase qos rules <name> service [ <service1> <service2>... ]
set vsys <name> rulebase qos rules <name> category [ <category1> <category2>... ]
set vsys <name> rulebase qos rules <name> applicaon [ <applicaon1> <applicaon2>... ]
set vsys <name> rulebase qos rules <name> source-hip [ <source-hip1> <source-hip2>... ]
set vsys <name> rulebase qos rules <name> desnaon-hip [ <desnaon-hip1> <desnaon-
hip2>... ]
set vsys <name> rulebase qos rules <name> schedule <value>

PAN-OS CLI Quick Start Version Version 10.1 737 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase qos rules <name> tag [ <tag1> <tag2>... ]
set vsys <name> rulebase qos rules <name> negate-source <yes|no>
set vsys <name> rulebase qos rules <name> negate-desnaon <yes|no>
set vsys <name> rulebase qos rules <name> disabled <yes|no>
set vsys <name> rulebase qos rules <name> descripon <value>
set vsys <name> rulebase qos rules <name> group-tag <value>
set vsys <name> rulebase qos rules <name> dscp-tos
set vsys <name> rulebase qos rules <name> dscp-tos any
set vsys <name> rulebase qos rules <name> dscp-tos codepoints
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name>
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name>
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> ef
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> ef codepoint <ef>
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> af
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> af codepoint <af11|
af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43>
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> cs
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> cs codepoint <cs0|cs1|
cs2|cs3|cs4|cs5|cs6|cs7>
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> tos
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> tos codepoint <cs0|cs1|
cs2|cs3|cs4|cs5|cs6|cs7>
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> custom
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> custom codepoint
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> custom codepoint name
<value>
set vsys <name> rulebase qos rules <name> dscp-tos codepoints <name> custom codepoint value
<value>
set vsys <name> rulebase qos rules <name> acon
set vsys <name> rulebase qos rules <name> acon class <1|2|3|4|5|6|7|8>
set vsys <name> rulebase pbf
set vsys <name> rulebase pbf rules
set vsys <name> rulebase pbf rules <name>
set vsys <name> rulebase pbf rules <name> from
set vsys <name> rulebase pbf rules <name> from

PAN-OS CLI Quick Start Version Version 10.1 738 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase pbf rules <name> from zone [ <zone1> <zone2>... ]
set vsys <name> rulebase pbf rules <name> from interface [ <interface1> <interface2>... ]
set vsys <name> rulebase pbf rules <name> source [ <source1> <source2>... ]
set vsys <name> rulebase pbf rules <name> source-user [ <source-user1> <source-user2>... ]
set vsys <name> rulebase pbf rules <name> desnaon [ <desnaon1> <desnaon2>... ]
set vsys <name> rulebase pbf rules <name> service [ <service1> <service2>... ]
set vsys <name> rulebase pbf rules <name> schedule <value>
set vsys <name> rulebase pbf rules <name> tag [ <tag1> <tag2>... ]
set vsys <name> rulebase pbf rules <name> negate-source <yes|no>
set vsys <name> rulebase pbf rules <name> negate-desnaon <yes|no>
set vsys <name> rulebase pbf rules <name> disabled <yes|no>
set vsys <name> rulebase pbf rules <name> descripon <value>
set vsys <name> rulebase pbf rules <name> group-tag <value>
set vsys <name> rulebase pbf rules <name> applicaon [ <applicaon1> <applicaon2>... ]
set vsys <name> rulebase pbf rules <name> acon
set vsys <name> rulebase pbf rules <name> acon
set vsys <name> rulebase pbf rules <name> acon forward
set vsys <name> rulebase pbf rules <name> acon forward egress-interface <value>
set vsys <name> rulebase pbf rules <name> acon forward nexthop
set vsys <name> rulebase pbf rules <name> acon forward nexthop
set vsys <name> rulebase pbf rules <name> acon forward nexthop ip-address <value>|<ip/
netmask>
set vsys <name> rulebase pbf rules <name> acon forward nexthop fqdn <value>
set vsys <name> rulebase pbf rules <name> acon forward monitor
set vsys <name> rulebase pbf rules <name> acon forward monitor profile <value>
set vsys <name> rulebase pbf rules <name> acon forward monitor disable-if-unreachable <yes|
no>
set vsys <name> rulebase pbf rules <name> acon forward monitor ip-address <ip/netmask>
set vsys <name> rulebase pbf rules <name> acon forward-to-vsys <value>
set vsys <name> rulebase pbf rules <name> acon discard
set vsys <name> rulebase pbf rules <name> acon no-pbf
set vsys <name> rulebase pbf rules <name> enforce-symmetric-return
set vsys <name> rulebase pbf rules <name> enforce-symmetric-return enabled <yes|no>
set vsys <name> rulebase pbf rules <name> enforce-symmetric-return nexthop-address-list

PAN-OS CLI Quick Start Version Version 10.1 739 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase pbf rules <name> enforce-symmetric-return nexthop-address-list

<name>
set vsys <name> rulebase pbf rules <name> acve-acve-device-binding <both|0|1>
set vsys <name> rulebase sdwan
set vsys <name> rulebase sdwan rules
set vsys <name> rulebase sdwan rules <name>
set vsys <name> rulebase sdwan rules <name> from [ <from1> <from2>... ]
set vsys <name> rulebase sdwan rules <name> to [ <to1> <to2>... ]
set vsys <name> rulebase sdwan rules <name> source [ <source1> <source2>... ]
set vsys <name> rulebase sdwan rules <name> source-user [ <source-user1> <source-user2>... ]
set vsys <name> rulebase sdwan rules <name> desnaon [ <desnaon1> <desnaon2>... ]
set vsys <name> rulebase sdwan rules <name> applicaon [ <applicaon1> <applicaon2>... ]
set vsys <name> rulebase sdwan rules <name> service [ <service1> <service2>... ]
set vsys <name> rulebase sdwan rules <name> tag [ <tag1> <tag2>... ]
set vsys <name> rulebase sdwan rules <name> negate-source <yes|no>
set vsys <name> rulebase sdwan rules <name> negate-desnaon <yes|no>
set vsys <name> rulebase sdwan rules <name> disabled <yes|no>
set vsys <name> rulebase sdwan rules <name> descripon <value>
set vsys <name> rulebase sdwan rules <name> group-tag <value>
set vsys <name> rulebase sdwan rules <name> path-quality-profile <value>
set vsys <name> rulebase sdwan rules <name> saas-quality-profile <value>
set vsys <name> rulebase sdwan rules <name> error-correcon-profile <value>
set vsys <name> rulebase sdwan rules <name> acon
set vsys <name> rulebase sdwan rules <name> acon traffic-distribuon-profile <value>
set vsys <name> rulebase sdwan rules <name> acon app-failover-for-nat-sessions <keep-
exisng-link|failover-to-beer-path>
set vsys <name> rulebase dos
set vsys <name> rulebase dos rules
set vsys <name> rulebase dos rules <name>
set vsys <name> rulebase dos rules <name> from
set vsys <name> rulebase dos rules <name> from
set vsys <name> rulebase dos rules <name> from zone [ <zone1> <zone2>... ]
set vsys <name> rulebase dos rules <name> from interface [ <interface1> <interface2>... ]
set vsys <name> rulebase dos rules <name> to

PAN-OS CLI Quick Start Version Version 10.1 740 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase dos rules <name> to

set vsys <name> rulebase dos rules <name> to zone [ <zone1> <zone2>... ]
set vsys <name> rulebase dos rules <name> to interface [ <interface1> <interface2>... ]
set vsys <name> rulebase dos rules <name> source [ <source1> <source2>... ]
set vsys <name> rulebase dos rules <name> source-user [ <source-user1> <source-user2>... ]
set vsys <name> rulebase dos rules <name> desnaon [ <desnaon1> <desnaon2>... ]
set vsys <name> rulebase dos rules <name> service [ <service1> <service2>... ]
set vsys <name> rulebase dos rules <name> schedule <value>
set vsys <name> rulebase dos rules <name> tag [ <tag1> <tag2>... ]
set vsys <name> rulebase dos rules <name> negate-source <yes|no>
set vsys <name> rulebase dos rules <name> negate-desnaon <yes|no>
set vsys <name> rulebase dos rules <name> disabled <yes|no>
set vsys <name> rulebase dos rules <name> descripon <value>
set vsys <name> rulebase dos rules <name> group-tag <value>
set vsys <name> rulebase dos rules <name> protecon
set vsys <name> rulebase dos rules <name> protecon aggregate
set vsys <name> rulebase dos rules <name> protecon aggregate profile <value>
set vsys <name> rulebase dos rules <name> protecon classified
set vsys <name> rulebase dos rules <name> protecon classified profile <value>
set vsys <name> rulebase dos rules <name> protecon classified classificaon-criteria
set vsys <name> rulebase dos rules <name> protecon classified classificaon-criteria address
<source-ip-only|desnaon-ip-only|src-dest-ip-both>
set vsys <name> rulebase dos rules <name> acon
set vsys <name> rulebase dos rules <name> acon
set vsys <name> rulebase dos rules <name> acon deny
set vsys <name> rulebase dos rules <name> acon allow
set vsys <name> rulebase dos rules <name> acon protect
set vsys <name> rulebase dos rules <name> log-seng <value>
set vsys <name> rulebase network-packet-broker
set vsys <name> rulebase network-packet-broker rules
set vsys <name> rulebase network-packet-broker rules <name>
set vsys <name> rulebase network-packet-broker rules <name> from [ <from1> <from2>... ]
set vsys <name> rulebase network-packet-broker rules <name> to [ <to1> <to2>... ]
set vsys <name> rulebase network-packet-broker rules <name> source [ <source1> <source2>... ]

PAN-OS CLI Quick Start Version Version 10.1 741 ©2021 Palo Alto Networks, Inc.
CLI Command Hierarchy for PAN-OS 10.1

set vsys <name> rulebase network-packet-broker rules <name> source-user [ <source-user1>

<source-user2>... ]
set vsys <name> rulebase network-packet-broker rules <name> desnaon [ <desnaon1>
<desnaon2>... ]
set vsys <name> rulebase network-packet-broker rules <name> applicaon [ <applicaon1>
<applicaon2>... ]
set vsys <name> rulebase network-packet-broker rules <name> service [ <service1>
<service2>... ]
set vsys <name> rulebase network-packet-broker rules <name> tag [ <tag1> <tag2>... ]
set vsys <name> rulebase network-packet-broker rules <name> negate-source <yes|no>
set vsys <name> rulebase network-packet-broker rules <name> negate-desnaon <yes|no>
set vsys <name> rulebase network-packet-broker rules <name> disabled <yes|no>
set vsys <name> rulebase network-packet-broker rules <name> descripon <value>
set vsys <name> rulebase network-packet-broker rules <name> group-tag <value>
set vsys <name> rulebase network-packet-broker rules <name> source-hip [ <source-hip1>
<source-hip2>... ]
set vsys <name> rulebase network-packet-broker rules <name> desnaon-hip [ <desnaon-
hip1> <desnaon-hip2>... ]
set vsys <name> rulebase network-packet-broker rules <name> traffic-type
set vsys <name> rulebase network-packet-broker rules <name> traffic-type tls-decrypted <yes|
no>
set vsys <name> rulebase network-packet-broker rules <name> traffic-type tls-encrypted <yes|
no>
set vsys <name> rulebase network-packet-broker rules <name> traffic-type non-tls <yes|no>
set vsys <name> rulebase network-packet-broker rules <name> acon
set vsys <name> rulebase network-packet-broker rules <name> acon packet-broker-profile
<value>

PAN-OS CLI Quick Start Version Version 10.1 742 ©2021 Palo Alto Networks, Inc.