目次
動作確認環境
- PA-200
- Version 8.1.19
Pager 機能の無効化(terminal length 0 的な)
- > set cli pager off
システム系
- > show system info
- ホスト名、管理IPアドレス
- 現在時刻、アップタイム
- 型番、シリアル番号
- ファームウェアバージョン
コマンド実行例(クリックで開く)
admin@PA-200> show system info
hostname: PA-200
ip-address: 192.168.1.1
public-ip-address: unknown
netmask: 255.255.255.0
default-gateway: 192.168.1.254
ip-assignment: static
ipv6-address: unknown
ipv6-link-local-address: fe80::b60c:25ff:fe83:3700/64
ipv6-default-gateway:
mac-address: b4:0c:25:83:37:00
time: Sat Feb 25 10:50:54 2023
uptime: 0 days, 3:19:26
family: 200
model: PA-200
serial: xxxxxxxxxxxx
cloud-mode: non-cloud
sw-version: 8.1.19
global-protect-client-package-version: 0.0.0
app-version: 8402-6681
app-release-date: 2021/05/04 10:39:22 JST
av-version: 0
av-release-date:
threat-version: 0
threat-release-date: 2021/05/04 10:39:22 JST
wf-private-version: 0
wf-private-release-date: unknown
url-db: paloaltonetworks
wildfire-version: 0
wildfire-release-date:
url-filtering-version: 0000.00.00.000
global-protect-datafile-version: unknown
global-protect-datafile-release-date: unknown
global-protect-clientless-vpn-version: 0
global-protect-clientless-vpn-release-date:
logdb-version: 8.1.8
platform-family: 200
vpn-disable-mode: off
multi-vsys: off
operational-mode: normal
device-certificate-status: None- > show system resources
- CPU 使用率、メモリ使用率、プロセス別リソース使用状況
コマンド実行例(クリックで開く)
admin@PA-200> show system resources
top - 11:05:24 up 3:33, 1 user, load average: 1.08, 1.12, 1.11
Tasks: 111 total, 2 running, 109 sleeping, 0 stopped, 0 zombie
Cpu(s): 54.2%us, 1.1%sy, 1.2%ni, 43.4%id, 0.1%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 2764928k total, 2459332k used, 305596k free, 26256k buffers
Swap: 7996k total, 0k used, 7996k free, 902132k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2601 20 0 70536 32m 6308 R 100.0 1.2 212:34.07 pan_task
19302 20 0 17984 6952 1880 R 3.8 0.3 0:00.07 top
3848 20 0 455m 172m 127m S 1.9 6.4 0:15.99 useridd
1 20 0 3212 868 704 S 0.0 0.0 0:00.43 init
2 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 20 0 0 0 0 S 0.0 0.0 0:02.74 ksoftirqd/0
5 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H
#以下略- > show ntp
- NTP 同期状態を表示
コマンド実行例(クリックで開く)
admin@PA-200> show ntp
NTP state:
NTP synched to ntp.nict.jp
NTP server: ntp.nict.jp
status: synched
reachable: yes
authentication-type: none- > show clock
- 現在時刻の表示
コマンド実行例(クリックで開く)
admin@PA-200> show clock
Sat Feb 25 11:20:12 JST 2023ハードウェア系
- > show system environmentals
- CPU 温度、システム温度、ファン状態、電源状態
コマンド実行例(クリックで開く)
admin@PA-200> show system environmentals
----Thermal----
Slot Description Alarm Degrees C Min C Max C
S1 6220 Core Temperature False 55.67 5.00 95.00
S1 System Temperature False 41.00 5.00 70.00
----Fans----
Slot Description Alarm RPMs Min RPM
S1 Fan RPM False 4111 1500
----Power----
Slot Description Alarm Volts Min V Max V
S1 1.0V CPU Core False 1.00 0.95 1.05
S1 12V Power Rail False 11.72 11.10 12.60
S1 5V Power Rail False 5.00 4.60 5.40
S1 3.3V Power Rail False 3.27 2.97 3.63
S1 2.5V Power Rail False 2.51 2.25 2.75
S1 1.5V DDR False 1.57 1.35 1.65
S1 3.3V RTC Battery False 3.26インターフェース
- > show interface management
- 管理インターフェースの Speed/Duplex/状態(up/down)、MAC/IP アドレス、統計情報
コマンド実行例(クリックで開く)
admin@PA-200> show interface management
-------------------------------------------------------------------------------
Name: Management Interface
Link status:
Runtime link speed/duplex/state: 100/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address b4:0c:25:83:37:00
Ip address: 192.168.1.1
Netmask: 255.255.255.0
Default gateway: 192.168.1.254
Ipv6 address: unknown
Ipv6 link local address: fe80::b60c:25ff:fe83:3700/64
Ipv6 default gateway:
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Logical interface counters:
-------------------------------------------------------------------------------
bytes received 1374410
bytes transmitted 17672271
packets received 9876
packets transmitted 15477
receive errors 0
transmit errors 0
receive packets dropped 0
transmit packets dropped 0
multicast packets received 0
-------------------------------------------------------------------------------- > show interface all
- 各インターフェースの Speed/Duplex/状態(up/down)、ゾーン、MAC/IP アドレス
コマンド実行例(クリックで開く)
admin@PA-200> show interface all
total configured hardware interfaces: 5
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 1000/full/up b4:0c:25:83:37:10
ethernet1/2 17 1000/full/up b4:0c:25:83:37:11
vlan 1 [n/a]/[n/a]/up b4:0c:25:83:37:01
loopback 3 [n/a]/[n/a]/up b4:0c:25:83:37:03
tunnel 4 [n/a]/[n/a]/up b4:0c:25:83:37:04
aggregation groups: 0
total configured logical interfaces: 5
name id vsys zone forwarding tag address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1 16 1 Trust vr:default 0 10.10.1.1/24
ethernet1/2 17 1 DMZ vr:default 0 10.11.1.1/24
vlan 1 1 N/A 0 N/A
loopback 3 1 N/A 0 N/A
tunnel 4 1 N/A 0 N/A- > show interface <IF名>
- 指定したインターフェースの Speed/Duplex/状態(up/down)、ゾーン、MAC/IP アドレス、統計情報
コマンド実行例(クリックで開く)
admin@PA-200> show interface ethernet1/1
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Link status:
Runtime link speed/duplex/state: 1000/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address b4:0c:25:83:37:10
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 10.10.1.1/24
Interface management profile: Ping_OK
ping: yes telnet: yes ssh: yes http: no https: yes
snmp: no response-pages: no userid-service: no
Service configured:
Zone: Trust, virtual system: vsys1
Adjust TCP MSS: no
Policing: no
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Physical port counters read from MAC:
--------------------------------------------------------------------------------
rx-broadcast 0
rx-bytes 83063
rx-multicast 0
rx-unicast 212
tx-broadcast 9
tx-bytes 832
tx-multicast 0
tx-unicast 4
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Detailed physical port counters read from MAC:
--------------------------------------------------------------------------------
rx packets 64 bytes 13
--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 82215
bytes transmitted 546
packets received 212
packets transmitted 13
receive incoming errors 0
receive discarded 0
receive errors 0
packets dropped 0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 82215
bytes transmitted 546
packets received 212
packets transmitted 13
receive errors 0
packets dropped 205
packets dropped by flow state check 0
forwarding errors 0
no route 0
arp not found 0
neighbor not found 0
neighbor info pending 0
mac not found 0
packets routed to different zone 0
land attacks 0
ping-of-death attacks 0
teardrop attacks 0
ip spoof attacks 0
mac spoof attacks 0
ICMP fragment 0
layer2 encapsulated packets 0
layer2 decapsulated packets 0
tcp cps 0
udp cps 0
sctp cps 0
other cps 0
--------------------------------------------------------------------------------- > show pppoe interface all
- PPPoE クライアントインターフェース情報
コマンド実行例(クリックで開く)
admin@PA-200> show pppoe interface all
Interface PPPoE State PPP State Username Access Concentrator MAC IP
ethernet1/3 Connected Connected pppoeuser router ac:7a:56:28:15:fe 192.168.80.100- > show pppoe interface <IF名>
- 指定インターフェースの PPPoE クライアント詳細情報
コマンド実行例(クリックで開く)
admin@PA-200> show pppoe interface ethernet1/3
Interface: ethernet1/3
PPPoE State: Connected
PPP State: Connected
Connected since: Sat Feb 25 13:20:30 2023
Connection up for: 0 days, 0:06:18
Access Concentrator: router
AC MAC: ac:7a:56:28:15:fe
Authentication via: CHAP
Passive mode: Disabled
Username: pppoeuser
Local IP: 192.168.80.100
Primary DNS IP: 192.168.179.1
Secondary DNS IP: 0.0.0.0
Primary WINS IP: 0.0.0.0
Secondary WINS IP: 0.0.0.0
Remote IP: 10.99.1.1
Session ID: 147
Link MTU: 1454
PPPoE/PPP Counters:
PPPoE control packets received: 2
PPPoE control packets sent: 2
PPP control packets received: 141
PPP control packets sent: 140ルーティング
- > show routing route
- 仮想ルータ別のルーティングテーブルの表示
コマンド実行例(クリックで開く)
admin@PA-200> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
10.10.1.0/24 10.10.1.1 0 A C ethernet1/1
10.10.1.1/32 0.0.0.0 0 A H
10.11.1.0/24 10.11.1.1 0 A C ethernet1/2
10.11.1.1/32 0.0.0.0 0 A H
total routes shown: 4- > show routing protocol ospf neighbor
- OSPF ネイバーの表示
コマンド実行例(クリックで開く)
admin@PA-200> show routing protocol ospf neighbor
Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits, EA:Ext-Attr LSA capability,
N/P:NSSA option, MC:multicase, E:AS external LSA capability, T:TOS capability
==========
virtual router: default
neighbor address: 10.1.1.254
local address binding: 0.0.0.0
type: dynamic
status: full
neighbor router ID: 10.1.1.254
area id: 0.0.0.0
neighbor priority: 1
lifetime remain: 38
messages pending: 0
LSA request pending: 0
options: 0x00
hello suppressed: no
restart helper status: not helping
restart helper time remaining: 0
restart helper exit reason: none- > show routing protocol ospf lsdb
- OSPF LSDB の表示
コマンド実行例(クリックで開く)
admin@PA-200> show routing protocol ospf lsdb
VIRTUAL ROUTER: default (id 1)
==========
VR Area ID Orig RTR ID LS ID LSA Type Seq Number CheckSum Age Size
1 0.0.0.0 10.1.1.1 10.1.1.1 type-1 (Router) 0x8000000A 0x0000CD18 1570 48
1 0.0.0.0 10.1.1.254 10.1.1.254 type-1 (Router) 0x80000010 0x00009543 1323 48
1 0.0.0.0 10.1.1.254 10.1.1.254/24 type-2 (Network) 0x80000003 0x00008B7E 1569 32セッション
- > show system statistics session
- スループット情報の表示
コマンド実行例(クリックで開く)
Device is up : 0 day 3 hours 44 mins 17 sec
Packet rate : 0/s
Throughput : 0 Kbps
Total active sessions : 0
Active TCP sessions : 0
Active UDP sessions : 0
Active ICMP sessions : 0- > show session all
- セッション情報、NAT 前後アドレス
コマンド実行例(クリックで開く)
admin@PA-200> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
72 ping ACTIVE FLOW NS 10.10.1.254[8]/trust/1 (10.11.1.100[8])
vsys1 10.11.1.254[0]/untrust (10.11.1.254[0])
75 ping ACTIVE FLOW NS 10.10.1.254[8]/trust/1 (10.11.1.100[8])
vsys1 10.11.1.254[3]/untrust (10.11.1.254[3])
73 ping ACTIVE FLOW NS 10.10.1.254[8]/trust/1 (10.11.1.100[8])
vsys1 10.11.1.254[1]/untrust (10.11.1.254[1])
76 ping ACTIVE FLOW NS 10.10.1.254[8]/trust/1 (10.11.1.100[8])
vsys1 10.11.1.254[4]/untrust (10.11.1.254[4])
74 ping ACTIVE FLOW NS 10.10.1.254[8]/trust/1 (10.11.1.100[8])
vsys1 10.11.1.254[2]/untrust (10.11.1.254[2])HA(High Availability、冗長化)
- > show high-availability all
- HA 状態の表示
- > show high-availability state
- HA 状態の表示
コマンド実行例(クリックで開く)
admin@PA-200-A(active)> show high-availability state
Group 1:
Mode: Active-Passive
Local Information:
Version: 1
Mode: Active-Passive
State: active (last 3 hours)
Device Information:
Management IPv4 Address: 192.168.1.1/24
Management IPv6 Address:
Mgmt HB Backup configured
HA1 Control Links Joint Configuration:
Encryption Enabled: no
Election Option Information:
Priority: 50
Preemptive: no
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Threat Content Compatibility: Match
VPN Client Software Compatibility: Match
Global Protect Client Software Compatibility: Match
VM License Type: Mismatch
Peer Information:
Connection status: up
Version: 1
Mode: Active-Passive
State: passive (last 11 minutes)
Device Information:
Management IPv4 Address: 192.168.1.2/24
Management IPv6 Address:
Mgmt HB Backup Connection up
Connection up; Primary HA1 link
Connection up
Election Option Information:
Priority: 100
Preemptive: no
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized- > show high-availability flap-statistics
- HA 切り替わり回数の表示
コマンド実行例(クリックで開く)
admin@PA-200-A(active)> show high-availability flap-statistics
Group 1:
Mode: Active-Passive
Flap Statistics:
Preemptions since flap counter reset : 0
Non-functional states since flap counter reset : 1
Maximum flaps allowed before suspending device : 3VPN
- > show vpn ike-sa
- IKE SA の情報を表示
コマンド実行例(クリックで開く)
admin@PA-200> show vpn ike-sa
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
1 10.1.1.254 ike-gateway Resp Main PSK/DH14/A128/SHA256 Feb.25 19:00:51 Feb.26 03:00:51 v1 13 1 1
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
ike-gateway 1 ipsec-tunnel 1 Resp ESP/ /tunl/SHA2 EB9EF845 8D6A9793 3599CB37 9 1
Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
There is no IKEv2 SA found.- > show vpn ipsec-sa
- IPsec SA の情報を表示
コマンド実行例(クリックで開く)
admin@PA-200> show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
-------------- ---- ------------ --------------- --------- ------- -------- ------------
1 1 10.1.1.254 ipsec-tunnel(ike-gateway) ESP/A128/SHA256 EB9EF845 8D6A9793 1241/4608000
Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.UTM
- > show wildfire status
- WildFire 状態の表示
コマンド実行例(クリックで開く)
admin@PA-200-A(active)> show wildfire status
Connection info:
Signature verification: enable
Server selection: enable
File cache: enable
WildFire Public Cloud:
Server address: wildfire.paloaltonetworks.com
Best server:
Device registered: no
Through a proxy: no
Valid wildfire license: no
Service route IP address:
Global status: Disabled due to configuration
Count of available workers: 0
Available worker indices:
Upload status Usage: 'I': Idle, 'U': Uploading, 'Q': Querying
Upload worker index: 0 1 2 3 4
Upload status: Idle Idle Idle Idle Idle
Status time (seconds): 999+ 999+ 999+ 999+ 999+
WildFire Private Cloud:
Server address:
Best server:
Device registered: no
Through a proxy: no
Valid wildfire license: no
Service route IP address:
Global status: Disabled due to configuration
Count of available workers: 0
Available worker indices:
Upload status Usage: 'I': Idle, 'U': Uploading, 'Q': Querying
Upload worker index: 0 1 2 3 4
Upload status: Idle Idle Idle Idle Idle
Status time (seconds): 999+ 999+ 999+ 999+ 999+
File size limit info:
pe 10 MB
apk 10 MB
pdf 500 KB
ms-office 500 KB
jar 1 MB
flash 5 MB
MacOSX 1 MB
archive 10 MB
linux 2 MB
script 20 KB
Forwarding info:
file idle time out (second): 90
total concurrent files: 0
Public Cloud:
total file fwded : 0
total file failed: 0
total file skipped: 0
total cloud queries: 0
total cloud queries failed: 0
file forwarded in last minute: 0
concurrent files: 0
Private Cloud:
total file fwded : 0
total file failed: 0
total file skipped: 0
total cloud queries: 0
total cloud queries failed: 0
file forwarded in last minute: 0
concurrent files: 0- > show wildfire statistics
- WildFire の統計情報の表示
コマンド実行例(クリックで開く)
admin@PA-200-A(active)> show wildfire statistics
Packet based counters:
DP Files upload initiated: 0
DP Files upload succeeded: 0
Counters for file cancellation:
Counters for file forwarding:
file type: apk
file type: pdf
file type: email-link
file type: ms-office
file type: pe
file type: flash
file type: jar
file type: archive
file type: MacOSX
file type: linux
file type: unknown
file type: script
file type: pdns
Error counters:
Reset counters:
DP receiver reset cnt: 1
File cache reset cnt: 1
Public Cloud:
Private Cloud:
Resource meters:
data_buf_meter 0%
msg_buf_meter 0%
ctrl_msg_buf_meter 0%
wr_debug_log_buf_meter 0%
File forwarding queues:
priority: 1, size: 0 (PUB), 0 (PRIV)
priority: 2, size: 0 (PUB), 0 (PRIV)
priority: 3, size: 0 (PUB), 0 (PRIV)
priority: 4, size: 0 (PUB), 0 (PRIV)各種サービス
- > show dhcp server lease interface all
- DHCP サーバのリース情報の表示
コマンド実行例(クリックで開く)
admin@PA-200-A(active)> show dhcp server lease interface all
interface: "ethernet1/1" id: 16
Allocated IPs: 1, Total number of IPs in pool: 51. 2.0% used
ip mac hostname state duration lease_time
10.20.30.100 20:7b:d2:20:a1:d6 LegendaryPC01 committed 86400 Thu Feb 16 23:07:52 2023ログ表示
- > show log system
- システムログの表示
コマンド実行例(クリックで開く)
admin@PA-200-A(active)> show log system
Time Severity Subtype Object EventID ID Description
===============================================================================
1999/11/30 09:12:31 info general general 0 VPN Disable mode = off
2023/02/19 17:42:32 medium general general 0 Hostname changed to PA-200
2023/02/19 17:44:33 info general general 0 VPN Disable mode = off
2023/02/19 17:44:36 high general system- 1 The system is starting up.
2023/02/19 17:44:36 info routing routed- 0 Route daemon is initializing.
2023/02/19 17:44:36 info ras rasmgr- 0 RASMGR daemon is initializing.
2023/02/19 17:44:36 info vpn keymgr- 0 KEYMGR daemon is initializing.- > show log traffic
- トラフィックログの表示
コマンド実行例(クリックで開く)
admin@PA-200-A(active)> show log traffic
Time App From Src Port Source
Rule Action To Dst Port Destination
Src User Dst User End Reason
====================================================================================================
2023/02/23 18:26:03 telnet Untrust 16791 10.10.1.100
Untrust_to_DMZ_01 allow DMZ 2323 10.10.1.1
tcp-fin
2023/02/23 19:33:02 telnet Untrust 34713 10.10.1.100
Untrust_to_DMZ_01 allow DMZ 2323 10.10.1.1
tcp-fin
2023/02/24 21:14:36 ping Trust 0 10.10.1.100
Trust_to_DMZ_ping allow DMZ 0 10.11.1.100- > show log <ログ種別> direction equal forward start-time equal yyyy/mm/dd@hh:mm:ss
- 指定した日時以降のログを表示
コマンド実行例(クリックで開く)
admin@PA-200-A(active)> show log system direction equal forward start-time equal 2023/02/25@00:00:00
Time Severity Subtype Object EventID ID Description
===============================================================================
2023/02/25 07:44:07 info general general 0 VPN Disable mode = off
2023/02/25 07:44:12 info routing routed- 0 Route daemon is ready.
2023/02/25 07:44:12 info port MGT link-ch 0 Port MGT: Up 100Mb/s Full duplex
2023/02/25 07:44:12 high port MGT link-ch 0 Port MGT: Down 100Mb/s Full duplex
2023/02/25 07:44:12 info port MGT link-ch 0 Port MGT: Up 100Mb/s Full duplex
2023/02/25 07:44:12 high port MGT link-ch 0 Port MGT: Down 100Mb/s Full duplex
2023/02/25 07:44:12 info port MGT link-ch 0 Port MGT: Up 100Mb/s Full duplex
2023/02/25 07:44:12 high general system- 1 The system is starting up.Palo Alto 関連記事一覧
- 基礎知識
- システム設定
- 初期設定
- NTP
- DNS
- Syslog
- SNMP
- HA 設定(冗長化)
- インターフェース設定
- ルーティング設定
- ポリシー
- 基礎知識
- アドレス・サービス
- セキュリティポリシー
- NAT
- TIPS
- VPN
- サービス機能
- TIPS
- 参考資料
- https://docs.paloaltonetworks.com/
- https://docs.paloaltonetworks.com/translated/japanese#sort=relevancy&layout=card&numberOfResults=25
- https://docs.paloaltonetworks.com/search.html#q=pan-os%20admin%20guide&sort=relevancy&layout=card&numberOfResults=25
- https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-cli-quick-start/cli-command-hierarchy-for-pan-os-101/pan-os-101-configure-cli-command-hierarchy
Amazon で買えるおすすめアイテム
以下は Amazon アフィリエイトリンクです。ネットワーク作業向けにそこそこおすすめなアイテムです。
【整備済み品】HP ノートパソコン 830G5/13.3型フルHD/Win 11/MS Office H&B 2019/第7世代i5-7200U 2.50GHz/メモリ 16GB/SSD 512GB/指紋リーダー/USB 3.0/WEBカメラ/初期設定済
コメント