Useful Palo Alto Networks CLI Commands

Resource utilization and Informational

show running resource-monitor

  • Look for high CPU (app-id, decoders, session setup and teardown)

show session info

  • Look for a high number of concurrent sessions and a high connections-per-second (CPS) rate
  • Packet rate and throughput do not count packets forwarded in hardware

show session id <id-number>

  • Shows session details by entering the session ID number

debug dataplane pool statistics

  • Look for depleted buffers (small number on the left)
  • Work Queue Entries: responsible for segment reassembly and normalization to the Content Engine

show counter global filter aspect resource

  • General resource counters, including FPGA hits and TCP window issues

show system statistics

  • General app and system real-time counters

test url <url>

  • Check the category of a URL

show user group name <user group>

  • Check which users PAN sees in a group

show user user-ids match-user <username>

  • Check whether PAN sees the user in any groups

show system setting ssl-decrypt memory

show system setting ssl-decrypt certificate-cache

  • Check SSL decryption memory usage

show global-protect-gateway current-user

  • Check GlobalProtect current users

show global-protect-gateway gateway

  • Check GlobalProtect gateway configuration

Errors, drops, fragments

show counter global | match drop

show counter global | match syn

show counter global | match deny

show counter global | match error

show interface ethernetX/X

show system state filter * | match over

ping source <IP_addr_src_int> host <IP_addr_host>

  • Ping from a specified source interface on the device to a destination IP

ping host <IP>

  • Ping from the management interface

show session all filter source <source-IP> destination <destination-IP>

  • Shows specific sessions in the session table for the given source and destination IPs

debug user-id refresh group-mapping all

  • Updates AD group mapping