This page provides a practical collection of frequently used CLI commands for Palo Alto firewalls. These commands are commonly used by engineers during:
This is not a replacement for documentation, but a field-ready reference.
show system info
show system environmentals
show system software-status
show system logdb-quota
show session all
Used to confirm whether traffic is hitting the firewall and being processed.
Helps validate source, destination, application, and NAT details for a single flow.
clear session all
⚠️ Use with extreme caution. Clearing all sessions immediately terminates all active connections and forces applications/users to re-establish sessions, which can cause availability impact.
Best practice: Clear sessions only for the specific session ID whenever possible. Use clear session all only when absolutely required.
Typically used after policy or NAT changes to force traffic re-evaluation.
⚠️ Use with caution in production environments.
show routing route
Confirms how the firewall is forwarding traffic.
show interface all
Useful for validating link status, speed, and errors.
show interface ethernet1/1
Helps isolate physical or logical interface issues.
show running security-policy
Confirms loaded policies on the dataplane.
Used to verify which rule will match specific traffic before troubleshooting further.
show log traffic
Confirms whether traffic is allowed, denied, or dropped.
show log system
Helpful for identifying system-level events, commits, or errors.
show system resources
Used to monitor CPU and memory utilization.
show high-availability state
Validates HA role, sync state, and peer health.
When traffic is not working as expected, follow this order:
show routing route)
This approach avoids unnecessary packet captures in most cases.
CLI access provides deep operational insight, but should be used with discipline. Most issues can be identified quickly using sessions, logs, and policy validation—without disruption.