Home‎ > ‎Palo Alto‎ > ‎



Like the Juniper's, the PA's have the idea of entering in changes, saving those changes, checking to make sure those changes will work, and all the while, not having those changes take effect.  Then when your ready, you commit the changes and the system then uses the changes as part of its running configs.  

Entering commands: 

Use the following commands to enter in new commands to change the current configuration. 


To make any changes, you first need to enter the configuration mode.  
admin@PA-500> configure
Entering configuration mode


Rather then entering all set commands from the root, and only running all show statement from root, you can enter into the config tree and make changes/see configurations from that area, and not affecting the other sections of the config.  

Batch file import: scripting-mode

If you want to paste a lot of set commands all at once, you can use the "scripting mode" option to allow you to paste a lot of lines into the console without a lot of write-back from the terminal.  This also removes syntax checking, tab-completion help and help via the "?" key, so when you are done, you might want to change back to the other method.  

admin@PA-500> set cli scripting-mode on
admin@PA-500> configure
Entering configuration mode
admin@PA-500# # blablabla
admin@PA-500# quit
Exiting configuration mode
admin@PA-500> set cli scripting-mode off

Checking change before submitting: 

Before committing a change, you can validate it to ensure that there are no issues.  

admin@PA-500# validate full

Validate job enqueued with jobid 2

admin@PA-500# exit
Exiting configuration mode
admin@PA-500> show jobs id 2

Enqueued                     ID             Type    Status Result Completed
2015/10/20 08:22:08           2         Validate       FIN   FAIL 08:22:13
Details:Validation Error:
 zone -> trust -> network -> virtual-wire 'ethernet1/2' is not a valid reference
 zone -> trust -> network -> virtual-wire is invalid
 zone -> trust -> network is invalid

Saving / Viewing changes: 


the check command (in conf mode) will show you all the pending changes
admin@PA-500# check pending-changes



Like in JunOS, you commit your changes all at once (rather then one line at a time as you enter them). 

Viewing Configs: 

Show config: C-like format: 

You can view the configs in a JSON/C style 
admin@PA-500> set cli config-output-format default
admin@PA-500> configure
admin@PA-500# show 
deviceconfig {
  system {
    update-server updates.paloaltonetworks.com;
    update-schedule {
      threats {
        recurring {
          weekly {
            day-of-week wednesday;
            at 01:02;
            action download-only;
    timezone US/Pacific;
    service {
      disable-telnet yes;
      disable-http yes;

Show config: set format: 

you can view the configs via the set format, which is the way you would generally input the configs. 

admin@PA-500> set cli config-output-format set
admin@PA-500> configure
admin@PA-500# show

set deviceconfig system ip-address
set deviceconfig system netmask
set deviceconfig system update-server updates.paloaltonetworks.com
set deviceconfig system update-schedule threats recurring weekly day-of-week wednesday
set deviceconfig system update-schedule threats recurring weekly at 01:02
set deviceconfig system update-schedule threats recurring weekly action download-only
set deviceconfig system timezone US/Pacific
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes
set deviceconfig system hostname PA-500
set deviceconfig setting config rematch yes
set deviceconfig setting management hostname-type-in-syslog FQDN
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network interface loopback units
set network interface vlan units
set network interface tunnel units
set network vlan

Show config: xml format: 

you can also view the configs in xml format 
admin@PA-500> set cli config-output-format xml
admin@PA-500> configure
admin@PA-500# show

<response status="success" code="19">
  <result total-count="1" count="1">

Show diff between candidate and running configs: 

You can view the difference between the config changes that have been entered, and the running config with the diff argument.  
admin@PA-500> show config diff
             disable-telnet yes;
             disable-http yes;
+          hostname PA-500;
         setting {
           config {