This cheatsheet provides a concise, practical reference for Palo Alto Networks Firewall administrators, covering essential PAN-OS concepts, CLI commands, GUI tasks, and troubleshooting tips for real-world enterprise environments. Information is current as of December 2025, primarily referencing PAN-OS 11.1+.
Quick Reference: Most Used Commands
| Command/Method | Description | Example |
|---|---|---|
| configure | Enters configuration mode. | configure |
| commit | Validates and applies the candidate configuration. | commit |
| show system info | Displays general system information. | show system info |
| show session all filter application <app-name> | Shows active sessions filtered by application. | show session all filter application ssl |
| test security-policy-match source <src-ip> destination <dst-ip> destination-port <port> protocol <num> application <app> | Tests which security policy rule matches specific traffic (protocol 6 = TCP, 17 = UDP). | test security-policy-match source 10.1.1.10 destination 192.168.1.50 destination-port 443 protocol 6 application ssl |
| clear session all | Clears all active sessions (disruptive; use with caution). | clear session all |
| ping host <ip-address> | Pings a host from the management interface. | ping host 8.8.8.8 |
| traceroute host <ip-address> | Traces the route to a host from the management interface. | traceroute host 8.8.8.8 |
| debug dataplane packet-diag set log feature flow basic | Enables basic packet-flow logging (see Packet Flow & Debugging; set a filter first). | debug dataplane packet-diag set log feature flow basic |
| request restart system | Restarts the firewall (disruptive). | request restart system |
Basic Operations & System Management
CLI Modes
| Mode | Prompt | Description |
|---|---|---|
| Operational | > | Default mode for monitoring, troubleshooting, and system requests. |
| Configuration | # | For making configuration changes. Entered via configure. |
| Paging | --More-- | Appears when output exceeds screen size. Press Space for next page, q to quit. |
Basic System Commands
| Command/Method | Description | Example |
|---|---|---|
| show system info | Displays hardware, software, and license details. | show system info |
| show clock | Shows current system time. | show clock |
| set deviceconfig system hostname <name> | Sets the firewall's hostname (configuration mode). | set deviceconfig system hostname PA-FW-01 |
| set deviceconfig system timezone <zone> | Configures the system timezone (configuration mode). | set deviceconfig system timezone America/New_York |
| request license fetch | Fetches licenses from Palo Alto Networks. | request license fetch |
| request system software check | Checks for available PAN-OS releases. | request system software check |
| request system software download version <version> | Downloads a PAN-OS image. | request system software download version 11.1.0 |
| request system software install version <version> | Installs a downloaded PAN-OS image (reboot required). | request system software install version 11.1.0 |
| request content upgrade download latest | Downloads the latest Applications and Threats content. | request content upgrade download latest |
| request content upgrade install version latest | Installs the downloaded content update. | request content upgrade install version latest |
| request restart system | Restarts the firewall. | request restart system |
| request shutdown system | Shuts down the firewall. | request shutdown system |
Configuration Management
| Command/Method | Description | Example |
|---|---|---|
| configure | Enters configuration mode. | configure |
| show | Displays the candidate configuration (configuration mode). Use show config running in operational mode for the running configuration. | show deviceconfig system |
| set cli config-output-format set | Prints configuration as set commands instead of the XML-style hierarchy; handy for copying between devices. | set cli config-output-format set |
| set <path> <value> | Configures a parameter. | set deviceconfig system dns-setting servers primary 8.8.8.8 |
| delete <path> | Deletes a configuration element. | delete network interface ethernet ethernet1/1 layer3 ip 192.168.1.1/24 |
| validate full | Validates the candidate configuration without committing it. | validate full |
| commit | Validates and applies the candidate configuration. | commit |
| commit force | Commits despite validation warnings. Do not use it to silence an error you have not understood. | commit force |
| commit partial admin <name> | Commits only the changes made by one administrator. | commit partial admin netops |
| save config to <filename> | Saves the candidate configuration to a named file on the firewall. | save config to my_config_backup.xml |
| load config from <filename> | Loads a saved file into the candidate configuration (commit to apply). | load config from my_config_backup.xml |
| revert config | Discards candidate changes by reloading the running configuration. | revert config |
Network Configuration
Zones and Interfaces
Palo Alto Networks firewalls use security zones to group interfaces with similar security requirements. Policies are written between zones, not directly between interfaces. Two predefined rules sit at the bottom of every security rulebase: intrazone-default (allow traffic within a zone) and interzone-default (deny traffic between zones). Neither logs anything until you override it, so enable logging on at least interzone-default.
Interface Types
| Type | Description | Use Case |
|---|---|---|
| Layer 3 | Standard routed interface with IP address. | Routing traffic between different subnets/VLANs. |
| Layer 2 | Bridged interface, operates like a switch port. | Transparently inserting firewall into an existing Layer 2 network. |
| Virtual Wire | Binds two interfaces as a transparent pair; no IP address, MAC learning, or routing. Traffic is still inspected and policy is enforced. | Inline insertion into an existing network without readdressing. |
| Tap | Receives a copy of traffic from a SPAN/mirror port; visibility only, no enforcement. | Passive monitoring and App-ID visibility assessments without affecting traffic flow. |
| Aggregate Ethernet (AE) | Link aggregation group (LAG/LACP). | Increased bandwidth and redundancy. |
| Loopback | Virtual interface with an IP, always up. | Router-ID, source for management traffic, VPN endpoints. |
| Tunnel | Used for VPNs (IPSec, GlobalProtect). | Encapsulating and decapsulating VPN traffic. |
CLI Examples for Interface Configuration (Layer 3)
// Enter configuration mode
configure
// Set ethernet1/1 to Layer 3 mode and assign an IP address
set network interface ethernet ethernet1/1 layer3 ip 192.168.1.1/24
// Create a restrictive interface management profile (ping only) and attach it;
// do not expose HTTPS/SSH management on data interfaces
set network profiles interface-management-profile Ping-Only ping yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile Ping-Only
// Attach the interface to a virtual router so it can route
set network virtual-router default interface ethernet1/1
// Create a Layer 3 security zone and place the interface in it
set zone LAN network layer3 ethernet1/1
// Commit changes
commit
Virtual Routers
Virtual routers manage routing tables and forward traffic between connected interfaces.
| Command/Method | Description | Example |
|---|---|---|
| set network virtual-router <name> | Creates a virtual router. | set network virtual-router default |
| set network virtual-router <name> interface <iface> | Adds an interface to a virtual router. | set network virtual-router default interface ethernet1/1 |
| set network virtual-router <name> routing-table ip static-route <route-name> destination <network> nexthop ip-address <gateway> | Configures a static route. | set network virtual-router default routing-table ip static-route default-route destination 0.0.0.0/0 nexthop ip-address 10.0.0.1 |
| show routing route | Displays the routing table. | show routing route |
| show routing fib | Displays the forwarding table the dataplane actually uses. | show routing fib |
Firewalls running the Advanced Routing Engine (PAN-OS 10.2+) use logical routers (set network logical-router ...) instead of virtual routers; the show routing commands still apply.
Security Policies
Security policies are the core of the firewall’s enforcement, controlling traffic flow based on App-ID, User-ID, Content-ID, zones, and more.
Policy Structure
| Field | Description | Best Practice |
|---|---|---|
| Rule Name | Unique identifier for the rule. | Descriptive, e.g., Allow-Users-to-Internet |
| Rule Type | universal (default), intrazone, interzone. | universal for most cases. |
| Source Zone | Zone(s) where traffic originates. | Be specific, avoid any. |
| Source Address | IP address(es) or address objects of origin. | Be specific, use address objects. |
| Source User | User(s) or user groups (requires User-ID). | Leverage User-ID for granular control. |
| Destination Zone | Zone(s) where traffic is destined. | Be specific, avoid any. |
| Destination Address | IP address(es) or address objects of destination. | Be specific, use address objects. |
| Application | App-ID(s) to allow/block. | Always use App-ID, avoid any. |
| Service/URL Category | Port/protocol (e.g., tcp/80) or URL category. | Use application-default with App-ID. |
| Action | allow, deny, drop, reset-client, reset-server, reset-both. | allow for permitted traffic; deny (applies the App-ID default deny action) or drop for explicit blocking. |
| Profile Settings | Security Profiles (Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, Data Filtering, WildFire Analysis). | Attach a profile group to every allow rule. |
| Log Forwarding | Where to send logs (e.g., Panorama, Syslog). | Enable Log at Session End on every rule, deny rules included, and attach a log forwarding profile so logs leave the box. |
App-ID Overview
App-ID identifies applications regardless of port, protocol, or evasive tactics. It’s crucial for granular policy enforcement.
Explanation: App-ID uses multiple classification mechanisms (application signatures, decryption, protocol decoding, heuristics) to identify the exact application traversing the firewall.
Use Case: Instead of allowing tcp/80 and tcp/443, you can allow web-browsing, facebook-base, sharepoint-online, providing much finer control and visibility.
User-ID Overview
User-ID maps IP addresses to usernames, integrating with directory services (AD, LDAP) to enforce policies based on users/groups.
Explanation: Mappings come from the Windows-based User-ID agent or the PAN-OS integrated agent (both read domain controller security logs), the Terminal Services agent, syslog senders, the XML API, Authentication Policy (Captive Portal), and GlobalProtect logins. Use Case: Create policies like "HR Group can access Payroll Application" instead of "IP Range X can access IP Range Y on port Z". Mappings expire, so a user-based rule silently stops matching when the source has gone stale; check with show user ip-user-mapping all.
Content-ID (Security Profiles)
Content-ID refers to the suite of security profiles that inspect allowed traffic for threats, sensitive data, and malicious content.
| Profile Type | Description |
|---|---|
| Antivirus | Scans for known malware and viruses. |
| Anti-Spyware | Detects and blocks spyware and malicious C2 traffic. |
| Vulnerability Protection | Prevents exploits against known vulnerabilities. |
| URL Filtering | Blocks access to malicious or inappropriate websites based on categories. |
| File Blocking | Prevents transfer of specific file types (e.g., executables). |
| Data Filtering | Prevents transfer of sensitive data (e.g., credit card numbers, PII). |
| WildFire Analysis | Submits unknown files for cloud-based sandboxing and analysis. |
CLI Example: Basic Security Policy
// Enter configuration mode
configure
// Create an Address Object
set address Internal_Users ip-netmask 192.168.1.0/24
// Create a Security Profile Group from the predefined profiles (prefer strict where one exists)
set profile-group default-profiles virus default spyware strict vulnerability strict url-filtering default
// Create a Security Policy Rule (HTTPS sites need ssl alongside web-browsing)
set rulebase security rules "Allow Web Browsing" from LAN to WAN source Internal_Users destination any application [ web-browsing ssl ] service application-default action allow
// Attach the profile group and make sure session-end logging is on
set rulebase security rules "Allow Web Browsing" profile-setting group default-profiles
set rulebase security rules "Allow Web Browsing" log-end yes
// Commit changes
commit
NAT Rules
Network Address Translation (NAT) rules modify IP addresses and/or ports of packets as they traverse the firewall.
NAT Rule Types
| Type | Description | Use Case |
|---|---|---|
| Source NAT (SNAT) | Changes the source IP address of outbound connections. | Allowing internal users to access the internet using a public IP. |
| Destination NAT (DNAT) | Changes the destination IP address of inbound connections. | Publishing an internal server (e.g., web server) to the internet. |
| U-Turn NAT | Combination of SNAT and DNAT for internal clients accessing internal servers via public IP. | Internal users accessing an internal web server using its public IP address. |
Source NAT Configuration (Dynamic IP and Port)
// Enter configuration mode
configure
// Create a NAT policy rule (matches on pre-NAT zones: LAN to WAN)
set rulebase nat rules "Outbound SNAT" from LAN to WAN source any destination any service any
// Translate the source to the WAN interface address (ethernet1/2 is assumed to be the WAN interface)
set rulebase nat rules "Outbound SNAT" source-translation dynamic-ip-and-port interface-address interface ethernet1/2
set rulebase nat rules "Outbound SNAT" to-interface ethernet1/2
// Commit changes
commit
Destination NAT Configuration (Port Forwarding)
// Enter configuration mode
configure
// Create an Address Object for the public IP
set address Public_Web_IP ip-netmask 203.0.113.10/32
// Create an Address Object for the internal server
set address Internal_Web_Server ip-netmask 10.0.0.50/32
// Create a NAT policy rule. The NAT "to" zone is the zone the PRE-NAT destination
// (the public IP) routes to, i.e. WAN, not the zone of the internal server.
set rulebase nat rules "Inbound DNAT Web" from WAN to WAN source any destination Public_Web_IP service service-http
set rulebase nat rules "Inbound DNAT Web" destination-translation translated-address Internal_Web_Server
// The matching security rule uses the POST-NAT zone (LAN, where the server lives)
// but the PRE-NAT destination address (the public IP)
set rulebase security rules "Allow Inbound Web" from WAN to LAN source any destination Public_Web_IP application web-browsing service application-default action allow
// Commit changes
commit
SSL Decryption Basics
SSL/TLS decryption allows the firewall to inspect encrypted traffic for threats, sensitive data, and policy violations.
Decryption Types
| Type | Description | Requirements |
|---|---|---|
| SSL Forward Proxy (Outbound) | Decrypts traffic from internal users to external websites. The firewall terminates the client's TLS session, opens its own session to the server, and re-signs the server certificate with the Forward Trust CA. | Forward Trust CA certificate (not its key) deployed to client trust stores; a separate, untrusted Forward Untrust CA. |
| SSL Inbound Inspection (Server Protection) | Decrypts traffic from external users to internal servers. | Server’s private key and certificate imported to firewall. |
Decryption Policy
Decryption policies determine which traffic to decrypt and which to exclude.
| Field | Description |
|---|---|
| Rule Name | Unique identifier. |
| Source Zone/Address/User | Who initiates the traffic. |
| Destination Zone/Address | Where the traffic is going. |
| Service | Typically service-https. |
| Type | ssl-forward-proxy, ssl-inbound-inspection, or ssh-proxy. |
| URL Category | Categories to match; used to exclude sensitive categories (e.g., financial-services, health-and-medicine) from decryption. |
| Action | decrypt or no-decrypt. |
| Decryption Profile | Checks applied to the decrypted session: block expired or untrusted server certificates, unsupported protocol versions and ciphers. |
CLI Example: Basic Forward Proxy Decryption
// Create two CAs in the GUI (Device > Certificate Management > Certificates > Generate) or import them
// from your PKI: Decryption-Trust-CA (deployed to client trust stores) and Decryption-Untrust-CA
// (never deployed, so clients still see an error for sites with bad certificates). Names are assumptions.
// Enter configuration mode
configure
// Bind them as Forward Trust and Forward Untrust (confirm the path with tab completion on your release)
set shared ssl-decrypt forward-trust-certificate rsa Decryption-Trust-CA
set shared ssl-decrypt forward-untrust-certificate rsa Decryption-Untrust-CA
// Exclude sensitive categories first; decryption rules are evaluated top down
set rulebase decryption rules "No-Decrypt-Sensitive" from LAN to WAN source any destination any service service-https category [ financial-services health-and-medicine ] type ssl-forward-proxy action no-decrypt
// Then decrypt the remaining outbound HTTPS traffic
set rulebase decryption rules "Decrypt Outbound HTTPS" from LAN to WAN source any destination any service service-https category any type ssl-forward-proxy action decrypt
// Commit changes
commit
Note: Export only the Forward Trust CA certificate (never its private key) and push it to client trust stores via GPO/MDM. Keep the Forward Untrust CA out of every trust store: if both settings point at the same trusted CA, the firewall re-signs sites that present expired, revoked, or forged certificates and clients trust them without warning. Verify the binding with show system setting ssl-decrypt setting, and attach a decryption profile to the decrypt rule so unsupported or untrusted sessions are blocked rather than silently passed.
VPN
IPSec VPN (Site-to-Site)
Connects two networks securely over an untrusted network (e.g., internet).
| Component | Description | CLI Path Example |
|---|---|---|
| IKE Gateway | Defines the peer, authentication, and IKE (Phase 1) parameters. | set network ike gateway <name> |
| IKE Crypto Profile | Ciphers, DH group, and lifetime for Phase 1. | set network ike crypto-profiles ike-crypto-profiles <name> |
| IPSec Crypto Profile | Ciphers, PFS group, and lifetime for Phase 2. | set network ike crypto-profiles ipsec-crypto-profiles <name> |
| IPSec Tunnel | Binds the IKE gateway, IPSec crypto profile, tunnel interface, and optional proxy IDs. | set network tunnel ipsec <name> |
| Tunnel Interface | Logical interface for VPN traffic; must be placed in a zone (use a dedicated VPN zone) and a virtual router. | set network interface tunnel units tunnel.<id> |
| Static Route | Routes interesting traffic over the tunnel interface. | set network virtual-router default routing-table ip static-route <name> destination <network> interface tunnel.<id> |
| Security Policy | Allows traffic between the zones joined by the VPN. | set rulebase security rules "Allow VPN Traffic" ... |
CLI Example: Verifying IPSec Tunnel Status
show vpn ike-sa
show vpn ipsec-sa
show vpn flow
test vpn ike-sa gateway <gateway-name>
Negotiation failures (mismatched proposals, proxy IDs, or pre-shared keys) are recorded in less mp-log ikemgr.log; test vpn ipsec-sa tunnel <tunnel-name> brings up Phase 2 on demand when no interesting traffic is flowing yet.
GlobalProtect (Remote Access VPN)
Provides secure remote access for mobile users to corporate resources.
| Component | Description |
|---|---|
| Gateway | The firewall interface that terminates GlobalProtect connections. |
| Portal | Provides client software, connection configurations, and authentication. |
| Agent | Client software installed on end-user devices. |
| Internal Host Detection | Determines if a client is internal or external. |
| Authentication Profiles | LDAP, RADIUS, SAML, Local DB for user authentication. |
| Client Settings | Defines user access, IP pools, split tunneling, security profiles. |
CLI Example: Verifying GlobalProtect Status
show global-protect-gateway current-user
show global-protect-portal current-user
show global-protect-gateway gateway
Logging & Monitoring
Log Types
| Log Type | Description |
|---|---|
| Traffic | Records all sessions allowed or denied by security policies. |
| Threat | Records detected threats (viruses, spyware, vulnerabilities, WildFire). |
| URL Filtering | Records URLs accessed and blocked by URL filtering. |
| Data Filtering | Records sensitive data detected by data filtering profiles. |
| WildFire Submissions | Records files submitted to WildFire for analysis. |
| Authentication | Records user authentication events (User-ID, GlobalProtect). |
| System | Records firewall system events (reboots, configuration changes, errors). |
| Configuration | Records successful and failed configuration changes. |
| HIP Match | Records Host Information Profile (HIP) matches. |
| Decryption | Records decrypted and not-decrypted TLS sessions with the reason (PAN-OS 10.0+). |
| GTP/SCTP | Mobile network specific logs. |
Monitoring Tools
- Monitor Tab (GUI): Centralized view for logs, reports, and the ACC.
- ACC (Application Command Center): Interactive dashboard for network visibility and threat analysis.
- CLI: `show` commands for real-time status and logs.
- External Log Collectors: Panorama, Syslog servers, SIEMs.
CLI Example: Viewing Logs
// Show the most recent traffic logs first
show log traffic direction equal backward
// Show critical threat logs (same filter syntax as the GUI log viewer)
show log threat query equal "( severity eq critical )" direction equal backward
// Show system logs
show log system direction equal backward
// Show traffic logs for a specific source IP
show log traffic query equal "( addr.src in 192.168.1.10 )" direction equal backward
Advanced CLI & Troubleshooting
Packet Flow & Debugging
Understanding the packet flow is crucial for troubleshooting.
// Packet-diag capture. Always set a filter first: unfiltered logging on a busy dataplane is a self-inflicted DoS.
debug dataplane packet-diag clear all
debug dataplane packet-diag set filter match source <src-ip> destination <dst-ip> protocol <proto> destination-port <port>
debug dataplane packet-diag set filter on
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on
// ... generate traffic ...
debug dataplane packet-diag set log off
// Drop counters for the filtered traffic only (the quickest way to see why packets are dropped)
show counter global filter packet-filter yes delta yes
// Merge per-dataplane logs (multi-dataplane platforms) and read the result
debug dataplane packet-diag aggregate-logs
less dp-log pan_packet_diag.log
// Switch the filter and logging off again when finished
debug dataplane packet-diag clear all
Explanation: This sequence clears any previous settings, sets a filter, enables flow-basic logging, waits for traffic, turns logging off, reads the global counters for the filtered flow, then aggregates and displays the log. Use Case: Pinpointing the processing stage (ingress, NAT, policy lookup, forwarding) where a packet is dropped or misrouted. Run debug dataplane packet-diag show setting before leaving the box to confirm nothing is still enabled.
Session Management
| Command/Method | Description | Example |
|---|---|---|
| show session all | Displays all active sessions. | show session all |
| show session all filter source <ip> | Filters sessions by source IP. | show session all filter source 192.168.1.10 |
| show session id <id> | Shows details for a specific session ID (application, NAT, rule, byte counts). | show session id 12345 |
| clear session all filter source <ip> | Clears sessions matching a filter. | clear session all filter source 192.168.1.10 |
| clear session id <id> | Clears a specific session. | clear session id 12345 |
Policy Troubleshooting
| Command/Method | Description | Example |
|---|---|---|
| test security-policy-match from <zone> to <zone> source <src-ip> destination <dst-ip> destination-port <port> protocol <num> application <app> | Simulates traffic against the security rulebase to find the matching rule. Give the pre-NAT destination address and the post-NAT zones. | test security-policy-match from LAN to WAN source 192.168.1.10 destination 203.0.113.50 destination-port 443 protocol 6 application ssl |
| test nat-policy-match from <zone> to <zone> source <src-ip> destination <dst-ip> destination-port <port> protocol <num> | Shows which NAT rule would match. | test nat-policy-match from WAN to WAN source 198.51.100.7 destination 203.0.113.10 destination-port 443 protocol 6 |
| show running security-policy | Displays the security rulebase as the dataplane sees it. | show running security-policy |
| show rulebase security rules <rule-name> | Displays one rule (configuration mode). | show rulebase security rules "Allow Web Browsing" |
| show rule-hit-count vsys vsys-name vsys1 rule-base security rules all | Shows hit counts per rule; rules with zero hits are candidates for removal. | show rule-hit-count vsys vsys-name vsys1 rule-base security rules all |
Interface Troubleshooting
| Command/Method | Description | Example |
|---|---|---|
| show interface <iface> | Displays status and counters for an interface. | show interface ethernet1/1 |
| show interface management | Displays management interface details. | show interface management |
| ping source <interface-ip> host <ip-address> | Pings from a data interface (the interface needs a management profile with ping enabled). | ping source 192.168.1.1 host 8.8.8.8 |
| show arp all | Displays the ARP table. | show arp all |
| show mac all | Displays the MAC address table (for Layer 2 interfaces). | show mac all |
Common Patterns
Basic Internet Access Policy
// Goal: Allow internal users to browse the internet securely.
1. **NAT Rule:** Source NAT (Dynamic IP and Port) from LAN to WAN, using the WAN interface IP.
- `from: LAN`, `to: WAN`, `source: any`, `destination: any`, `service: any`
- `source-translation: dynamic-ip-and-port interface-address interface ethernet1/2` (WAN interface)
2. **Security Policy:** Allow web browsing and other internet applications.
- `name: Allow-Internal-Internet`
- `from: LAN`, `to: WAN`
- `source: Internal-Users` (Address object for internal subnets/users)
- `destination: any`
- `application: web-browsing, ssl, dns, office365-base, google-base` (be specific, avoid `any`)
- `service: application-default`
- `action: allow`
- `profile-setting: default-profiles` (or custom security profile group)
- `log-forwarding: default` (ensure logging is enabled)
3. **Decryption Policy (Optional but Recommended):** Decrypt outbound SSL/TLS traffic, with a no-decrypt rule for sensitive URL categories placed above it.
- `name: Decrypt-Outbound`
- `type: ssl-forward-proxy`
- `from: LAN`, `to: WAN`
- `source: Internal-Users`
- `destination: any`
- `service: service-https`
- `action: decrypt` (with a decryption profile that blocks untrusted and expired server certificates)
DMZ Access Policy
// Goal: Allow limited, secure access to a DMZ web server from the internet.
1. **Address Objects:**
- `Public_Web_IP` (e.g., 203.0.113.10/32)
- `Internal_Web_Server` (e.g., 10.0.0.50/32)
2. **NAT Rule:** Destination NAT for inbound web traffic. The NAT rule's `to` zone is where the pre-NAT destination (the public IP) routes, i.e. WAN.
- `from: WAN`, `to: WAN`
- `source: any`, `destination: Public_Web_IP`, `service: service-https` (one service object per NAT rule; use a service group for tcp/80 plus tcp/443)
- `destination-translation: translated-address Internal_Web_Server`
3. **Security Policy:** Allow specific web applications to the DMZ server. Security policy matches on post-NAT zones but pre-NAT addresses.
- `name: Allow-Internet-to-DMZ-Web`
- `from: WAN`, `to: DMZ`
- `source: any`
- `destination: Public_Web_IP` (the pre-NAT public address, not the server's private IP)
- `application: web-browsing, ssl`
- `service: application-default`
- `action: allow`
- `profile-setting: default-profiles` (or a custom group; a strict Vulnerability Protection profile matters most on an internet-facing rule)
- `log-forwarding: default`
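The Python model below is an added example (not code from this page or from Palo Alto Networks) for the zone logic behind the Destination NAT example, the DMZ pattern above, and the NAT-ordering gotcha: PAN-OS looks up the NAT rule before the security rule but applies the translation after it, so the NAT rule is written against the zone the pre-NAT destination routes to, while the security rule is written against the zone the post-NAT destination routes to yet still matches the pre-NAT (public) address. The topology, interface names, subnets, and routes are assumptions chosen to match the addresses used above; the model also covers the U-turn case of a LAN client reaching the server by its public IP.

```python
"""Zone selection for NAT vs. security policy on a PAN-OS DNAT flow (added example).

  * NAT rule      -> from ingress zone to the zone the PRE-NAT destination routes to
  * security rule -> from ingress zone to the zone the POST-NAT destination routes to,
                     still matching the PRE-NAT destination address
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    network: ipaddress.IPv4Network  # directly connected subnet


# Constructed topology (assumption): matches the addresses used in the DMZ pattern.
INTERFACES = (
    Interface("ethernet1/1", "LAN", ipaddress.ip_network("192.168.1.0/24")),
    Interface("ethernet1/2", "WAN", ipaddress.ip_network("203.0.113.0/24")),
    Interface("ethernet1/3", "DMZ", ipaddress.ip_network("10.0.0.0/24")),
)
# Static routes as (destination, egress interface); connected routes are implied.
STATIC_ROUTES = ((ipaddress.ip_network("0.0.0.0/0"), "ethernet1/2"),)


def egress_interface(ip: str) -> Optional[str]:
    """Longest-prefix match over connected and static routes, like the FIB lookup."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for net, iface in [(i.network, i.name) for i in INTERFACES] + list(STATIC_ROUTES):
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def zone_of(iface: str) -> str:
    """Zone the interface is assigned to."""
    return next(i.zone for i in INTERFACES if i.name == iface)


def policy_zones(ingress_iface: str, pre_nat_dst: str, post_nat_dst: Optional[str] = None) -> dict:
    """Return the from/to zones and destination address each rulebase must use for one flow."""
    src_zone = zone_of(ingress_iface)
    nat_to = zone_of(egress_interface(pre_nat_dst))          # route lookup on the PRE-NAT address
    sec_to = zone_of(egress_interface(post_nat_dst or pre_nat_dst))  # and on the POST-NAT address
    return {
        "nat_rule": {"from": src_zone, "to": nat_to, "destination": pre_nat_dst},
        "security_rule": {"from": src_zone, "to": sec_to, "destination": pre_nat_dst},
    }


if __name__ == "__main__":
    # Internet client -> public IP, translated to the DMZ server: NAT WAN->WAN, security WAN->DMZ
    print(policy_zones("ethernet1/2", "203.0.113.10", "10.0.0.50"))
    # U-turn: LAN client -> same public IP: NAT LAN->WAN, security LAN->DMZ
    print(policy_zones("ethernet1/1", "203.0.113.10", "10.0.0.50"))
```

Feed `policy_zones` the values you would type into `test nat-policy-match` and `test security-policy-match`; if the zones it returns differ from the rules you wrote, the firewall will not match them either. In a real U-turn deployment where client and server share a subnet, a source translation is also needed so the server's replies return through the firewall.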
Tips & Tricks
Pro Tips
- Always use App-ID: avoid `any` for applications and use `application-default` for services.
- Leverage User-ID: implement User-ID for granular, user-based policies.
- Security profiles on all `allow` rules: don't just permit traffic; inspect it.
- Policy ordering: rules are evaluated top down and the first match wins. Place more specific rules higher, and explicit deny rules above broad allow rules.
- Commit comments: always add a descriptive comment to your commits (`commit description "..."`).
- Test before deploy: use `test security-policy-match` and `validate full` before `commit`.
- Regularly review logs: monitor Traffic, Threat, and URL logs to understand network behavior and identify anomalies.
- Use address/service/application groups: simplify policy management.
- Profile groups: apply consistent security profiles across multiple rules.
Common Gotchas & Misconfigurations
- `any` in policies: overly permissive rules (`any` for source, destination, application, or service) are a major security risk.
- NAT vs. security policy order: the NAT rule is looked up before the security rule, but the translation is applied after it. Write NAT rules with pre-NAT zones and addresses; write security rules with post-NAT zones but pre-NAT addresses (for inbound DNAT: `from WAN to DMZ`, destination = the public IP).
- Missing Security Profiles: Allowing traffic without inspecting it (no AV, URL, VP) defeats the purpose of a Next-Gen Firewall.
- Incorrect Zone Assignment: Interfaces must be in the correct security zones for policies to apply.
- Asymmetric Routing: traffic exiting via a different path than it entered fails TCP state checks and is dropped. Fix the routing rather than relaxing the check; `set deviceconfig setting tcp asymmetric-path bypass` disables it globally and weakens TCP inspection.
- Decryption Issues: Incorrect CA deployment on clients or missing server certificates for inbound decryption.
- Commit Failures: Often due to syntax errors or conflicting configurations; read the error messages carefully.
- DNS Resolution: Ensure the firewall can resolve DNS for App-ID updates, URL filtering, and management.
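The script below is an added example (not part of the original page and not a Palo Alto Networks tool) that turns the policy best practices and the gotchas above into an offline check: it parses a PAN-OS configuration export, such as the file written by `save config to <filename>`, and reports enabled security rules that use any-to-any zones, allow `any` applications or services, allow traffic without security profiles, or have session-end logging switched off. The element names follow the PAN-OS configuration XML (rulebase/security/rules/entry with member lists); the embedded configuration is a constructed sample, not a real device export.

```python
"""Audit PAN-OS security rules for common misconfigurations (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real export): one good rule, one temporary any/any rule, one deny rule.
SAMPLE_CONFIG = """<config version="11.1.0">
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="Allow Web Browsing">
    <from><member>LAN</member></from><to><member>WAN</member></to>
    <source><member>Internal_Users</member></source><destination><member>any</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
    <profile-setting><group><member>default-profiles</member></group></profile-setting>
    <log-end>yes</log-end>
  </entry>
  <entry name="Temp Any Any">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>allow</action>
    <log-end>no</log-end>
  </entry>
  <entry name="Block Bad">
    <from><member>LAN</member></from><to><member>WAN</member></to>
    <source><member>any</member></source><destination><member>Blocklist</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def _members(entry, field):
    """Member list of a rule field such as from, to, application, or service."""
    return [m.text.strip() for m in entry.findall(f"{field}/member") if m.text]


def _has_profiles(entry):
    """True if the rule references a profile group or at least one individual profile."""
    setting = entry.find("profile-setting")
    if setting is None:
        return False
    if setting.findall("group/member"):
        return True
    profiles = setting.find("profiles")
    return profiles is not None and len(profiles) > 0


def audit_security_rules(config_xml):
    """Return {rule_name: [finding, ...]} for enabled rules that break the best practices."""
    root = ET.fromstring(config_xml)
    findings = {}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if rule.findtext("disabled", "no") == "yes":
            continue
        issues = []
        if "any" in _members(rule, "from") and "any" in _members(rule, "to"):
            issues.append("any-to-any zones")
        if rule.findtext("action") == "allow":
            if "any" in _members(rule, "application"):
                issues.append("application any on an allow rule")
            if "any" in _members(rule, "service"):
                issues.append("service any on an allow rule (use application-default)")
            if not _has_profiles(rule):
                issues.append("no security profiles on an allow rule")
        # log-end defaults to yes when the element is absent, so only an explicit "no" is a finding
        if rule.findtext("log-end", "yes") == "no":
            issues.append("log at session end disabled")
        if issues:
            findings[rule.get("name")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_security_rules(SAMPLE_CONFIG).items():
        print(f"{name}: {'; '.join(issues)}")
```

Run it against a real export with `audit_security_rules(open("running-config.xml", "rb").read())`. Deny rules with `any` applications are deliberately not flagged: blocking broadly is fine, allowing broadly is not.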
Quick Troubleshooting Checks
- Connectivity (Ping/Traceroute): `ping host <ip>`, `traceroute host <ip>`, `ping source <interface-ip> host <ip>` (pinging from a data interface requires a management profile with ping enabled on that interface)
- Interface Status: `show interface <iface>` (check link/speed, errors, counters)
- Routing: `show routing route` and `show routing fib` (Is there a route to the destination, and is it in the forwarding table?)
- Security Policy Match: `test security-policy-match from <zone> to <zone> source <src-ip> destination <dst-ip> destination-port <port> protocol <num> application <app>` (Is the correct rule being hit? Is the action `allow`?)
- Session Lookup: `show session all filter source <src-ip> destination <dst-ip>` (Is a session being established? What state, application, NAT, and rule does it show?)
- Logs: check Traffic logs for `deny` actions, Threat logs for blocks, URL logs for filtering: `show log traffic query equal "( addr.src in <src-ip> ) and ( addr.dst in <dst-ip> )" direction equal backward`
- NAT Rules: `show running nat-policy` and `test nat-policy-match from <zone> to <zone> source <src-ip> destination <dst-ip> destination-port <port> protocol <num>` (Is the NAT rule configured correctly and matching?)
- App-ID/User-ID: `show session all filter source <src-ip>` (check the identified application and user); `show user ip-user-mapping all` (verify User-ID mappings)
- Resource Utilization: `show running resource-monitor` (dataplane CPU, packet buffers, session count); `show system resources` (management plane)
Version Information
This cheatsheet is based on features and commands available in PAN-OS Version 11.1+ as of December 2025. While many commands and concepts are consistent across PAN-OS versions, specific features, CLI syntax, and best practices may evolve with newer releases. Always refer to the official Palo Alto Networks documentation for the most accurate and up-to-date information for your specific PAN-OS version.
Transparency Note
This cheatsheet was generated by an AI expert based on publicly available documentation and common industry practices for Palo Alto Networks Firewalls. While efforts have been made to ensure accuracy and currency as of December 2025, network security configurations are highly specific to individual environments. Always validate commands and configurations against your specific PAN-OS version and network requirements, and consult official vendor documentation for critical deployments.