Skip to content

Palo Alto Networks — Operational & Troubleshooting CLI Commands

Purpose of This Page

This page provides a practical collection of frequently used CLI commands for Palo Alto firewalls. These commands are commonly used by engineers during:

  • Traffic validation
  • Policy troubleshooting
  • Routing checks
  • Operational health verification

This is not a replacement for documentation, but a field-ready reference.

🔎 System Information 

show system info
show system environmentals
show system software-status
show system logdb-quota

Session Inspection

View Active Sessions 

show session all

Used to confirm whether traffic is hitting the firewall and being processed.

View a Specific Session

Helps validate source, destination, application, and NAT details for a single flow.

Clear Sessions 

clear session all

Clear Session (All) — Operational Warning

⚠️ Use with extreme caution. Clearing all sessions immediately terminates all active connections and forces applications/users to re-establish sessions, which can cause availability impact.

Best practice: Clear sessions only for the specific session ID whenever possible. Use Clear Session (All) only when absolutely required.

Typically used after policy or NAT changes to force traffic re-evaluation.

⚠️ Use with caution in production environments.

Routing & Network Validation

Display Routing Table 

show routing route

Confirms how the firewall is forwarding traffic.

Check Interface Status 

show interface all

Useful for validating link status, speed, and errors.

Inspect a Specific Interface 

show interface ethernet1/1

Helps isolate physical or logical interface issues.

Policy Validation

View Running Security Policies 

show running security-policy

Confirms loaded policies on the dataplane.

Test Policy Matching

Used to verify which rule will match specific traffic before troubleshooting further.

Logging & Visibility

View Traffic Logs 

show log traffic

Confirms whether traffic is allowed, denied, or dropped.

View System Logs 

show log system

Helpful for identifying system-level events, commits, or errors.

Operational Health Checks

Check Dataplane Resource Usage 

show system resources

Used to monitor CPU and memory utilization.

Check High Availability Status 

show high-availability state

Validates HA role, sync state, and peer health.

Practical Troubleshooting Workflow

When traffic is not working as expected, follow this order:

  1. Confirm routing (show routing route)
  2. Verify interface status
  3. Test policy match
  4. Inspect active sessions
  5. Review traffic logs
  6. Clear sessions if required

This approach avoids unnecessary packet captures in most cases.

Best Practices

  • Always validate policy match before deeper troubleshooting
  • Enable logging at session end for critical rules
  • Avoid clearing all sessions during peak business hours
  • Document commands used during incident resolution

Final Notes

CLI access provides deep operational insight, but should be used with discipline. Most issues can be identified quickly using sessions, logs, and policy validation—without disruption.