Palo Alto Firewall Command Line Reference

Manage LDAP Users and Groups Commands

show user group list
    Lists all the Active Directory groups that the Palo Alto firewall reads through its LDAP profile.

show user group-mapping statistics
    Lists the total number of groups, with details of the last sync and the next sync time.

debug user-id refresh group-mapping all
    Forcefully refreshes the group mapping.

show user group name "<group name exactly as shown by show user group list>"
    Retrieves the members of a specific Active Directory group; put the group name in double quotes.


IPSec VPN Troubleshooting Commands

show vpn ike-sa gateway <gateway-name>
    Lists the Phase 1 (IKE SA) information of a specific tunnel.

show vpn ipsec-sa
    Lists the Phase 2 (IPSec SA) details of all IPSec tunnels.

show vpn ipsec-sa | match <text>
    Lists the Phase 2 information of tunnels whose entries match the given text.

show vpn ipsec-sa tunnel <tunnel-name>
    Lists the Phase 2 information of a specified tunnel.

show vpn flow name <tunnel-name> | match bytes
    Verifies that traffic passes through the tunnel by showing the encapsulation and decapsulation byte counters.
    If the encapsulation bytes are increasing while the decapsulation bytes stay constant, the firewall is sending traffic into the tunnel but is not receiving any packets back.

less mp-log ikemgr.log
    Views the IPSec VPN (IKE) related logs.

clear vpn ike-sa gateway <gateway-name>
    Clears Phase 1 for the given gateway.

clear vpn ipsec-sa tunnel <tunnel-name>
    Clears Phase 2 for the given tunnel.
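The encap/decap counter check above is easy to misread when you only look at a single output; the useful signal is how the two counters move between two samples taken a few seconds apart. The script below is an added example, not part of this reference or of PAN-OS: it parses two constructed captures of `show vpn flow name <tunnel-name> | match bytes` (the counter lines are written to approximate the firewall's format and may need the regex adjusted for your PAN-OS version) and classifies the tunnel as bidirectional, one-way outbound (the "sending but not receiving" case described above), one-way inbound, idle, or reset.

```python
import re
from typing import Dict

# Matches the "encap bytes:" / "decap bytes:" lines from
#   show vpn flow name <tunnel-name> | match bytes
# Constructed approximation of the PAN-OS layout; adjust if your version differs.
COUNTER_RE = re.compile(r"^\s*(encap|decap) bytes:\s*(\d+)\s*$", re.MULTILINE)


def parse_bytes(cli_output: str) -> Dict[str, int]:
    """Return {'encap': n, 'decap': n} parsed from one command capture."""
    counters = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(cli_output)}
    missing = {"encap", "decap"} - counters.keys()
    if missing:
        raise ValueError(f"counter lines not found: {sorted(missing)}")
    return counters


def classify_tunnel(first: Dict[str, int], second: Dict[str, int]) -> str:
    """Compare two captures taken a few seconds apart and describe traffic flow.

    'one-way-outbound' is the case the reference describes: encap grows while
    decap stays flat, so the firewall sends into the tunnel but receives nothing.
    """
    encap_delta = second["encap"] - first["encap"]
    decap_delta = second["decap"] - first["decap"]
    if encap_delta < 0 or decap_delta < 0:
        return "counters-reset"  # SA was rebuilt or cleared between the two captures
    if encap_delta > 0 and decap_delta > 0:
        return "bidirectional"
    if encap_delta > 0:
        return "one-way-outbound"
    if decap_delta > 0:
        return "one-way-inbound"
    return "idle"


# Constructed samples: two captures of the same tunnel, roughly 10 seconds apart.
SAMPLE_T0 = """\
        encap bytes:            1048576
        decap bytes:            65536
"""
SAMPLE_T1 = """\
        encap bytes:            1310720
        decap bytes:            65536
"""

if __name__ == "__main__":
    verdict = classify_tunnel(parse_bytes(SAMPLE_T0), parse_bytes(SAMPLE_T1))
    print(verdict)  # one-way-outbound
```

In practice, paste the two captures in place of `SAMPLE_T0` and `SAMPLE_T1`; a `one-way-outbound` verdict tells you the local side is fine and the fault lies on the return path, which is where to focus the Phase 2 checks listed above.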

While viewing a log file opened with less, use these keys to navigate:

  • q to exit the log file and return to the prompt
  • shift + g to jump to the end of the file
  • g to jump to the beginning of the file
  • /keyword to search for specific text; while searching, use n to jump to the next matching line and shift + n for the previous one
  • arrow keys to scroll up and down