Troubleshooting Commands in Palo Alto Firewalls

1. show routing route

For example

2. ping source <source IP> host <host IP>

3. traceroute host <host IP>

4. test routing fib-lookup virtual-router <virtual router name> ip <IP>

blin@HSA-Firewall> test routing fib-lookup virtual-router default ip 10.2.2.36


runtime route lookup

virtual-router: default
destination: 10.2.2.36
result:
via 12.x.x.129 interface ethernet1/1, source 12.1x.x.130, metric 10

runtime route lookup

virtual-router: Test
destination: 10.2.2.36
result:
via 50.x.x.126 interface tunnel.100, source 169.x.x.250, metric 10

5. test vpn ipsec-sa

blin@HSA-Firewall> test vpn ipsec-sa

+ tunnel   test for given VPN tunnel
  |        Pipe through a command
  <Enter>  Finish input

blin@HSA-Firewall> test vpn ipsec-sa tunnel
ADP-Tunnel:net1 ADP-Tunnel:net1
Azure-Tunnel Azure-Tunnel
Comcast Comcast
Home-VPN Home-VPN
ipsec-tunnel-1 ipsec-tunnel-1
ipsec-tunnel-2 ipsec-tunnel-2
<value> test for given VPN tunnel

blin@HSA-Firewall> test vpn ipsec-sa tunnel Comcast

Start time: Sep.25 19:03:48
Initiate 1 IPSec SA for tunnel Comcast.

Published by

Bob Lin
