Command Function

find command keyword <keyword> Lets you find any

command as long as you know what you're looking for.
| match <value> Filters the output of a
command and only return the line that has a positive match.
| except <value> Filters the output of a command and
return everything except the lines that match the value.
tcpdump snaplen 0 filter "not port 22" Captures all sessions on
the management interface except sessions on port 22.
view-pcap debug-pcap|filter-pcap|mgmt-pcap no-dns-lookup Shows packet captures
taken on daemons, via packet-diag or tcpdump.
show admins Shows currently logged-in admins.
delete admin-sessions username <user> Terminates an admin's
session.
set system setting target-vsys <vsys> Change operational
commends to a vsys perspective.
show authentication allowlist Shows the allow list for all
authentication profiles.
show system environmentals Shows system core
temperatures and power levels.
scp|tftp export <thing> to user@destination:/path/ Many things can be
exported from the system, including log files, packet captures, or core files.

Basic system information

show system info Returns basic device information
like serial, IP, installed content and software versions.
show system software status Shows if all processes are
running properly.
show system logdb-quota Returns the log db usage.
show system disk-space Returns disk volume
information.
show jobs all/id Returns status of all commit,
download, install and qfdn jobs, and additional details on specific IDs.
show system files Shows if any core dump files have
been created due to a process crash.
request license fetch/info Retrieves and shows currently
active licenses.
show netstat all yes Shows all listening and
established connections on the management plane, per process.
show chassis-ready Shows if the dataplane is
ready to process sessions.
show panorama-status Verify connectivity with
panorama.

High Availability
show high-availability state Shows a quick rundown of the
local peer's HA condition.
show high-availability all Summary of all HA runtime.
show high-availability state-synchronization Displays statistics
about sent and received sync messages.
request high-availability sessions-reestablish force Reestablishes HA1 link
if link was lost, use 'force' if HA1 backup is not configured.
show high-availability session-reestablish-status Shows when HA1 and HA1-
backup links were last reestablished.
request high-availability sync-to-remote running-config manually Syncs running
configuration to peer, in case automatic sync failed or if status is out-of-sync.
request high-availability state functional|suspend Suspend or activate
local device.
request high-availability state peer functional|suspend Suspend or
activate peer device.
show high-availability transitions Indicates how many times a
device has transitioned between HA states.
show high-availability flap statistics Details about
preemptions 'flaps' (preemption activates device, error encountered again, device
non-funct, recovers, preempt activates, error encountered again, etc.).
show high-availability control-link statistics Detailed information
about HA1 messages.

performance information
show system resources Shows management plane
resource usage like 'top' in linux.
show running resource-monitor Shows dataplane CPU core
utilization and buffer usage.
debug dataplane pool statistics Shows software buffer
pool usage.
show session info Shows number of active sessions,
packets per second, thoughput and other session related paramerters.
debug log-receiver statistics Information on log volume per
second and any errors while writing or forwarding log.
show system statistics application|session Shows live statistics
about top applications, or system throughput.
show report jobs Indicate if reports are currently
being generated (this could have an impact on management plane CPU usage).

dns operations
show system setting ssl-decrypt dns-cache Shows ssl decryption dns
cache.
show dns-proxy cache all Shows the dns proxy cache.
show system setting ssl-decrypt memory Shows ssl decryption
memory usage.
show dns-proxy fqdn all Show all FQDN objects with
their resolved IP addresses.
request system fqdn refresh Refresh all FQDN objects.
debug dataplane internal vif link Returns statistics on the
internal hardwre interfaces.

packet flow
show counter global filter delta yes Shows global counters.
show session all filter <filters> Shows active, discard and
predict sessions matching the filer (or 'all' sessions).
set session offload yes|no Enables and disables session
offloading to hardware.
set session tcp-reject-non-syn yes|no Disable dropping TCP ACK
packets coming in without a proper handshake.
# set deviceconfig setting tcp asymmetric-path bypass|drop Disable dropping packets
that arrive out of window or out of sync.

Layer 2 and 3
show routing route Output the routing table
(Routing Informtion Base, or rib).
show routing fib Shows the forwarding table
(Forwarding Information Base).
show arp all Shows the content of the ARP
table (layer 3).
show mac all Shows the content of the MAC
table (layer 2).
show routing protocol ospf|bgp|rip summary Returns a summary of the
ospf, bgp or rip status.
show routing resource Verify the number of routes
is not reaching the system limits.
debug routing pcap ospf|bgp|rip on|off eEnables/disables
packetcaptures on the routing engine for the routing protocol. Use for
troubleshooting only.

policies
show running nat-policy Show all active NAT rules.
show running nat-rule-ippool rule <rulename> Show memory usage, over
subscription ratio and allocations per rule.
show running global-ippool Show runtime statistics for
global dynamic source nat.
show running ippool Show overall source nat
statistics.
show session all filter qos-class [1-8] Displays all sessions
that match a specific QoS class.
show qos interface <interface> counter Shows general counter on
QoS configured on an interface.
show qos interface <interface> throughput <Qid as seen in counters> Returns
actual throughput for a Qid on an interface.
show zone-protection zone <zone> Show zone protection
statistics for the zone.
show dos-protection rule <rulename> statistics Show statistics for a
dos-protection rule.
show dos-protection zone <zone> blocked source Show swhich IP addresses
are currently being blocked due to DoS protection.

URL filtering
test url-info-cloud <url> Show the category for a URL
via cloud lookup.
test url-info-host <url> Show the category for a URL
in the Management plane cache.
show running url Show the category for a URL in the
dataplane cache.
request url-iltering update url <url> Refreshes the management
plane cache entry for a url with a cloud lookup.
show running url-cache all Outputs the URL cache to mp-
log dp_url_DB.log.
show running url-cache statistics Shows memory usage of the URL
cache.
show url-cloud status Returns connectivity
information for URL lookup cloud connection.
clear url-cache all|url <url> Clears a single url from
cache, or the entire cache from dataplane.
delete url-database all|url Clears a single url from
cache, or the entire cache from management plane.

Panorama
show logging-status device <serial> Returns log forwarding
information for a device logging to panorama.
debug log-collector log-collection-stats show incoming-logs Shows incoming log
statistics including current log rate.
show system raid detail Shows information of RAID
array on M- appliance.
show system disk details Shows information of disk
status on VM- appliance.
replace old <serial> new <serial Replaces a managed device's
serial with a new one after an RMA. This lods all the configuration previously
associated with one device with a new one without needing to go in and assign
configuration to the new serial (it removes the old serial).
request log-fwd-ctrl action latest|start-from-lastack device <serial> Start log
forwrding from device from the last log|last acked log.
request log-fwd-ctrl start|stop latest device <serial> Start or stop log
forwarding from a device to panorama wit buffering.
request log-fwd-ctrl action live device <serial> Start log forwarding
without buffering (this could cause a large flood of inbound logs).

IPSec
show running tunnel flow info Shows basic statistics
about all vpn tunnels.
test vpn ike-sa gateway <gateway> Initiates an IKE negotiation
with the designated gateway.
test vpn ipsec-sa tunnel <tunnel> Initiates an ipsec
negotiation for the designated tunnel.
clear vpn ike-sa gateway <gateway> Clears the IKE SA for a given
gateway.
clear vpn ipsec-sa tunnel <tunnel> Clears the IPSec SA for a
given tunnel.
show vpn ike-sa gateway <gateway> Shows the IKE SA for a given
gateway.
show vpn ipsec-sa tunnel <tunnel> Shows the IPSec SA for a
given tunnel.
show global-protect-gateway current-satellite Show currently connected
satellites to GlobalProtect.
show global-protect-gateway current-user Show currently connected
users to GlobalProtect.

User-ID
show user ip-user-mapping all|ip Show all mapped users or the
mapped user(s) for a specific IP on the dataplane.
show user ip-user-mapping-mp all|ip Show all mapped users or the
mapped user(s) for a specific IP on the management plane.
debug user-id refresh group-mapping all Refresh group-mapping
memberships.
show user group list Show all groups used in
group-mapping.
show user group name <group> Shows all members of a group.
show user group-mapping state all Show the state of all group
mapping profiles.
show user group-mapping statistics Show last/next refresh of
group mapping.
show user user-id-agent statistics | state all Show user-ID agent state
and statistics.
show user ts-agent statistics |state all Show terminal server agent
state and statistics.
show user server-monitor statistics|state all Shows the state of the
agentless User-ID agent.
show user ip-port-user-mapping all Show user to port mapping for
terminal server agents or a specific server IP.

WildFire
show wildfire status Show connection status to
wildfire cloud.
show sildfire statistics Show file transfer
statistics.
test wildfire registration Test connectivity to wildfire
cloud.
services
show dhcp server lease all Show all dhcp leases.
clear dhcp lease interface <interface> ip|mac|expiredonly <value> Clears a
lease for an IP or MAC address, or all the expired ones.
debug dhcpd pcap on|off Enables packetcapture of dhcp
transactions on the daemon.
show dhcp client state <interface> Show dhcp information for an
interface that is DHCP client.
request dhcp client release|renew <interface> Release or renew dhcp
client lease for a dhcp client interface.

super command
show system state This command returns the stte of
the entire device.
show system state filter env.* Show system core
temperatures and power levels.
show system state | match fan Search the system state for
any line containing 'fan' to find fan speeds.
show system state | match cfg.general.max Returns the maximum number of
configurable objects the system supports.
show system state filter-pretty sys.s1.* Show information about all
the interfaces in slot 1.