CLI Changes in PAN-OS 7.1
PAN-OS 7.1 has the following CLI changes, which also affect the corresponding PAN-OS XML API requests. You can turn on CLI debug mode (debug cli on) to view the XML API request that corresponds to a CLI command. For changes that are specific to the XML API, see XML API Changes in PAN-OS 7.1.
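Because every CLI change on this page also changes the XML API request a script must send, it helps to see how an operational command turns into the type=op request the firewall expects. The following helper is an added example and not Palo Alto Networks code: it reproduces the common nesting pattern (each command keyword becomes an element, each keyword's argument becomes that element's text) that debug cli on prints for operational commands. That pattern is an approximation, not a schema; the output of debug cli on on your own firewall is authoritative. The hostname and API key are placeholders.

```python
"""Build PAN-OS XML API operational (type=op) requests from CLI command tokens.

Added example, not from the PAN-OS documentation. The CLI-to-XML nesting rule
used here is the pattern shown by `debug cli on`; check a command against that
output before relying on the generated XML. Host and key are placeholders.
"""
from urllib.parse import urlencode
from xml.etree import ElementTree as ET


def op_cmd_xml(path, args=()):
    """Return the <cmd> XML for an operational command.

    path: command keywords forming the hierarchy, e.g. ["request", "netstat"]
    args: (keyword, value) pairs nested under the last keyword,
          e.g. [("programs", "yes"), ("interface", "yes")]
    """
    if not path:
        raise ValueError("command path must not be empty")
    root = ET.Element(path[0])
    node = root
    for keyword in path[1:]:
        node = ET.SubElement(node, keyword)
    for keyword, value in args:
        ET.SubElement(node, keyword).text = str(value)
    return ET.tostring(root, encoding="unicode")


def op_request_url(host, api_key, path, args=()):
    """Assemble the /api/?type=op URL for a command.

    The API key travels as a query parameter, so the whole URL is a secret:
    keep it out of shell history, proxy logs and ticket systems.
    """
    query = urlencode({"type": "op", "cmd": op_cmd_xml(path, args), "key": api_key})
    return f"https://{host}/api/?{query}"


# The netstat change from this page: before PAN-OS 7.1 the command sat at the
# root of the CLI; in 7.1 it moved under `request`, so the outer element changes
# and a script built against the old XML stops working.
NETSTAT_ARGS = [("programs", "yes"), ("interface", "yes")]
OLD_NETSTAT = op_cmd_xml(["netstat"], NETSTAT_ARGS)                 # PAN-OS 7.0 and earlier
NEW_NETSTAT = op_cmd_xml(["request", "netstat"], NETSTAT_ARGS)      # PAN-OS 7.1 and later

if __name__ == "__main__":
    print(OLD_NETSTAT)
    print(NEW_NETSTAT)
    # The 7.1 log-query form from this page: show query result id <n> skip <n>
    print(op_request_url("firewall.example.com", "REDACTED",
                         ["show", "query", "result"], [("id", 17), ("skip", 0)]))
```

Compare the two netstat strings with what debug cli on prints on a 7.0 and a 7.1 firewall; the same exercise applies to every old/new command pair on this page.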
App-ID CLI Changes
PAN-OS 7.1 has the following CLI changes for App-ID features:
Feature: Application status
Change: With the role-based access control enhancements, on firewalls enabled for multiple virtual systems, you must specify the target virtual system before you can view or set application status. The following commands have changed:
  PAN-OS 7.0 and earlier releases:
    request get-disabled-applications vsys <value>
    request get-application-status vsys <value> application <value>
    request set-application-status-recursive vsys <value> enable-dependent-apps <yes|no> application <value> status <enabled|disabled>
  PAN-OS 7.1 and later releases: first set the target vsys, then enter the command to retrieve or set the application status.
    set system setting target-vsys <value>
    request get-disabled-applications
    request get-application-status application <value>
    request set-application-status-recursive enable-dependent-apps <yes|no> application <value> status <enabled|disabled>
GlobalProtect CLI Changes
PAN-OS 7.1 has the following CLI changes for GlobalProtect features:
Feature: Two-factor authentication
Change: With the introduction of two-factor authentication in GlobalProtect, a number of API requests have changed. Use the CLI with the command debug cli on to see the changes in the corresponding XML requests. The affected commands are within the following command hierarchy:
  set global-protect global-protect-portal <name> satellite-config
  set global-protect global-protect-portal <name> client-config
  set global-protect global-protect-portal <name> portal-config
Management CLI Changes
PAN-OS 7.1 has the following CLI changes for management features:
Feature: API keys (PAN-OS 7.1.7 and later releases)
Change: New commands enable you to manage API keys. These keys are required when performing secure credential operations, including VM-Series license deactivation. Refer to VM-Series License Deactivation API Key. Use the following commands to manage API keys:
  To show the current API key:
    request license api-key show
  To delete the current API key:
    request license api-key delete
  To configure the API key:
    request license api-key set key <key>

Feature: Restarting processes (PAN-OS 7.1.5 and later releases)
Change: New commands enable you to restart firewall processes (bfd, cryptod, dhcpd, ikemgr, keymgr, and pppoed) that previously required root access to restart:
  debug software restart process bfd
  debug software restart process crypto
  debug software restart process dhcp
  debug software restart process ikemgr
  debug software restart process keymgr
  debug software restart process pppoe

Feature: Content updates (PAN-OS 7.1.3 and later releases)
Change: New commands enable you to check for application and threat content updates hourly and to verify the configuration:
  debug management-server content hourly-check set enable
  debug management-server content hourly-check show

Feature: Operational modes
Change: The maintenance mode menu for selecting the mode of operation changed:
  Firewall platforms: the Set CCEAL4 mode menu is renamed to Set FIPS-CC mode, and the Set FIPS mode menu is removed.
  Panorama virtual appliances, M-Series appliances, and WF-500 appliances: the Set CCEAL4 mode menu is renamed to Set FIPS-CC mode.
If your firewall is set to FIPS mode, you must change the mode of operation to CCEAL4 mode (using the Set CCEAL4 mode menu option in maintenance mode) before you upgrade to a PAN-OS 7.0 or later release. See the upgrade considerations for more details on upgrading a firewall that is set to FIPS mode. Changing from FIPS mode to CCEAL4 mode erases all configuration settings, so back up your configuration first and re-import it after you change modes (and before you upgrade). For information on changing to FIPS-CC mode, refer to Certifications.

Feature: Decompression modes
Change: Hardware-based and software-based decompression is supported on all Palo Alto Networks platforms (excluding VM-Series firewalls). Starting in PAN-OS 7.1, a hybrid mode (enabled by default) allows the firewall to switch dynamically from hardware-based to software-based decompression when the hardware decompression engine is under heavy load, and to switch back when the load decreases. Prior to PAN-OS 7.1, you could switch between decompression modes manually but could use only one mode at a time: hardware (the default) or software. You can change the new setting (zip mode auto) so that the firewall performs only hardware-based or only software-based decompression:
  PAN-OS 7.0 and earlier releases:
    set deviceconfig setting zip sw [yes|no]
  PAN-OS 7.1 and later releases:
    set deviceconfig setting zip mode [sw | hw | auto]
New counters are also introduced in the output of the show system setting zip command to monitor how many times the firewall switches from hardware-based to software-based decompression:
  Number of SW Forced Switchovers: the number of times the firewall forced a switchover to software-based decompression. A forced switchover can occur when the firewall is in hardware zip mode and the hardware decompression engine becomes unresponsive.
  Number of SW Automatic Switchovers: the number of times the firewall dynamically switched from hardware-based to software-based decompression while in automatic zip mode.
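The two counters only become useful when they are sampled over time: a forced switchover means the hardware engine stopped responding while the firewall was in hardware mode, whereas a rising automatic count in auto mode is a load signal rather than a fault. The following script is an added example, not Palo Alto Networks code. The counter names are the ones listed above; the layout of the sample output is constructed for illustration, so adjust the regular expressions to whatever your firewall actually prints.

```python
"""Track the decompression switchover counters that PAN-OS 7.1 added to the
output of `show system setting zip`.

Added example, not from the PAN-OS documentation. Only the counter names are
taken from the release notes; the sample output below is constructed and the
regexes may need adjusting to match a real firewall.
"""
import re

COUNTERS = {
    "forced": re.compile(r"Number of SW Forced Switchovers\s*:\s*(\d+)"),
    "automatic": re.compile(r"Number of SW Automatic Switchovers\s*:\s*(\d+)"),
}

# Constructed samples: two snapshots of the command output taken some time apart.
SAMPLE_T0 = """\
Decompression engine statistics (constructed sample)
Number of SW Forced Switchovers     : 0
Number of SW Automatic Switchovers  : 12
"""
SAMPLE_T1 = """\
Decompression engine statistics (constructed sample)
Number of SW Forced Switchovers     : 1
Number of SW Automatic Switchovers  : 80
"""


def parse_zip_counters(output):
    """Extract both switchover counters; a counter absent from the output is None."""
    counters = {}
    for name, pattern in COUNTERS.items():
        match = pattern.search(output)
        counters[name] = int(match.group(1)) if match else None
    return counters


def evaluate(previous, current, automatic_threshold=50):
    """Compare two snapshots and return a list of findings (empty means healthy).

    Any forced switchover is reported: it means the hardware engine became
    unresponsive in hardware mode. Automatic switchovers are reported only when
    their growth between samples reaches `automatic_threshold`.
    """
    findings = []
    for name in COUNTERS:
        before, after = previous.get(name), current.get(name)
        if before is None or after is None:
            findings.append(f"{name}: counter missing from output (command or release mismatch?)")
            continue
        delta = after - before
        if delta < 0:
            findings.append(f"{name}: counter fell from {before} to {after}; reboot or counter reset")
        elif name == "forced" and delta > 0:
            findings.append(f"forced: {delta} forced switchover(s) to software decompression; "
                            "the hardware decompression engine was unresponsive, investigate")
        elif name == "automatic" and delta >= automatic_threshold:
            findings.append(f"automatic: {delta} automatic switchovers since the last sample; "
                            "the hardware decompression engine is saturating")
    return findings


if __name__ == "__main__":
    for line in evaluate(parse_zip_counters(SAMPLE_T0), parse_zip_counters(SAMPLE_T1)):
        print(line)
```

Feed the script two saved copies of the command output (for example from a scheduled job that runs it over the XML API) and alert on any non-empty result; treat a missing counter as a finding too, since it usually means the command was run against a pre-7.1 release.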
Feature: CPU monitoring
Change: The following command now shows asterisks (*) instead of zeroes (0) when a CPU core load percentage is not currently being measured or cannot be measured:
  show running resource-monitor
An asterisk may indicate a potential issue such as a malfunction that causes packet processing to pause. When such an issue occurs, the output repeatedly shows an asterisk instead of a number for that core. It is normal for core 0 to always show an asterisk.
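Any monitoring that scrapes this output has to treat an asterisk as "unmeasured", not as 0% load, or a stalled core disappears into a healthy-looking average. The following parser is an added example, not Palo Alto Networks code. The table layout in the constructed sample (a core header row followed by one row of per-core values per second) is an assumption about the command's format; check it against a real firewall before using the regexes in production.

```python
"""Parse the per-core load table from `show running resource-monitor` and flag
cores that are persistently unmeasured.

Added example, not from the PAN-OS documentation. The sample output is
constructed; the real command prints more sections and may lay the table out
differently, so verify the header/row detection against your firewall.
"""
from statistics import mean

# Constructed sample: core 0 is normally unmeasured; core 3 never reporting a
# number is the condition the release notes describe as a possible stall.
SAMPLE_OUTPUT = """\
Resource monitoring sampling data (per second):

CPU load (%) during last 60 seconds:
core   0   1   2   3
       *  21  18   *
       *  23  19   *
       *  22  17   *
"""


def parse_core_loads(output):
    """Return {core: [load, ...]} where an asterisk becomes None, never 0."""
    cores = None
    samples = {}
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "core" and tokens[1:] and all(t.isdigit() for t in tokens[1:]):
            cores = [int(t) for t in tokens[1:]]
            samples = {c: [] for c in cores}
            continue
        if cores and len(tokens) == len(cores) and all(t == "*" or t.isdigit() for t in tokens):
            for core, token in zip(cores, tokens):
                samples[core].append(None if token == "*" else int(token))
    return samples


def unmeasured_counts(samples):
    """Number of asterisk samples per core."""
    return {core: sum(v is None for v in values) for core, values in samples.items()}


def assess(samples, management_core=0, min_samples=3):
    """Flag cores (other than the one expected to show '*') that were unmeasured
    in every sample, which the release notes describe as a possible pause in
    packet processing."""
    findings = {}
    for core, values in samples.items():
        if core == management_core or len(values) < min_samples:
            continue
        if all(v is None for v in values):
            findings[core] = "unmeasured in every sample: possible stalled packet processing"
    return findings


def average_load(samples):
    """Average measured load per core; unmeasured samples are excluded, not zeroed."""
    averages = {}
    for core, values in samples.items():
        measured = [v for v in values if v is not None]
        averages[core] = mean(measured) if measured else None
    return averages


if __name__ == "__main__":
    loads = parse_core_loads(SAMPLE_OUTPUT)
    print(average_load(loads))
    print(assess(loads))
```

Counting a few isolated asterisks is normal sampling noise; the condition worth paging on is the one assess() reports, a core that never returns a number across the whole sampling window while its neighbours do.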
Monitoring CLI Changes
PAN-OS 7.1 has the following CLI change for monitoring features:
Feature: Log filtering
Change: To view the results of a query, the request format has been updated so that it is uniform between firewalls and Panorama:
  PAN-OS 7.0 and earlier releases:
    show query id <1-4294967295>
  PAN-OS 7.1 and later releases:
    show query result id <1-4294967295> skip <0-4294967295>
Networking CLI Changes
PAN-OS 7.1 has the following CLI changes for networking features:
Feature: VLANs (PAN-OS 7.1.5 and later releases)
Change: A new command allows you to configure how the firewall handles the Priority Code Point (PCP) value in the VLAN tag field when forwarding a frame between different VLANs. By default, the firewall unsets the PCP value when forwarding between VLANs, for greater security. To address a requirement in a particular customer environment, you can configure the firewall to pass the PCP value through so that it is preserved when the frame is forwarded. Use the following command to configure this behavior; the default value is no, which disables PCP pass-through:
  set session pass-through-1q-pcp <yes|no>
To view the PCP configuration, use the existing command to display VLANs:
  show vlan all
The command output has the following updates associated with the PCP pass-through configuration:
  pvst+ tag rewrite: enabled
  pvst+ native vlan id: 1
  drop stp: disabled
  802.1Q PCP pass through: disabled
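What "unsetting the PCP value" means at the frame level is easier to see on bytes than in prose: the three PCP bits sit in the 802.1Q tag control information next to the VLAN ID and are set by the sender, so without clearing them a host in one VLAN could carry its own priority marking into another. The following model is an added example, not Palo Alto Networks code: it parses a constructed tagged frame and shows the two behaviours of the pass-through-1q-pcp setting. Rewriting the VID to the destination VLAN is a simplification of what the firewall does on forwarding; only the PCP handling is the point here.

```python
"""Model the PCP handling of `set session pass-through-1q-pcp` on an 802.1Q frame.

Added example, not from the PAN-OS documentation. The frame is constructed
(made-up MAC addresses and payload). An 802.1Q tag is the TPID 0x8100 followed
by a 16-bit TCI: 3 bits PCP, 1 bit DEI, 12 bits VID. The VID rewrite on
forwarding is a simplification used to make the example self-contained.
"""
import struct

TPID_8021Q = 0x8100


def build_tagged_frame(dst, src, pcp, dei, vid, ethertype, payload):
    """Assemble dst | src | 802.1Q tag | ethertype | payload."""
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_vlan_tag(frame):
    """Return (pcp, dei, vid) for a tagged frame, or None if the frame is untagged."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry an 802.1Q tag")
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def rewrite_vlan_tag(frame, vid, pcp=0, dei=None):
    """Return a copy of a tagged frame with a new VID and the given PCP (0 by default)."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        raise ValueError("frame is not 802.1Q tagged")
    _, old_dei, _ = tag
    if dei is None:
        dei = old_dei
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be between 1 and 4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


def forward_between_vlans(frame, dst_vid, pass_through_pcp=False):
    """Model the two settings: the default (no) clears PCP, yes preserves the sender's value."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        raise ValueError("frame is not 802.1Q tagged")
    pcp = tag[0] if pass_through_pcp else 0
    return rewrite_vlan_tag(frame, dst_vid, pcp=pcp)


# Constructed frame: a sender in VLAN 10 marks its traffic with the highest priority (PCP 7).
SAMPLE_FRAME = build_tagged_frame(
    dst=bytes.fromhex("ffffffffffff"), src=bytes.fromhex("0200c0ffee01"),
    pcp=7, dei=0, vid=10, ethertype=0x0800, payload=b"\x00" * 20)

if __name__ == "__main__":
    print("ingress      ", parse_vlan_tag(SAMPLE_FRAME))
    print("default (no) ", parse_vlan_tag(forward_between_vlans(SAMPLE_FRAME, 20)))
    print("pass-through ", parse_vlan_tag(forward_between_vlans(SAMPLE_FRAME, 20, pass_through_pcp=True)))
```

With the default setting the frame arrives in VLAN 20 with PCP 0 regardless of what the sender wrote; only with pass-through-1q-pcp yes does the sender's PCP 7 survive, which is why the page describes enabling it as a per-environment exception rather than a recommendation.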
Feature: Interfaces
Change: With the introduction of configurable maximum segment size (MSS) adjustment sizes, the request format to enable MSS adjustment has changed:
  PAN-OS 7.0 and earlier releases:
    set network interface ethernet <name> layer3 adjust-tcp-mss <yes|no>
    set network interface ethernet <name> layer3 units <name> adjust-tcp-mss <yes|no>
    set network interface vlan adjust-tcp-mss <yes|no>
    set network interface vlan units <name> adjust-tcp-mss <yes|no>
    set network interface loopback adjust-tcp-mss <yes|no>
    set network interface loopback units <name> adjust-tcp-mss <yes|no>
  PAN-OS 7.1 and later releases:
    set network interface ethernet <name> layer3 adjust-tcp-mss enable <yes|no>
    set network interface ethernet <name> layer3 units <name> adjust-tcp-mss enable <yes|no>
    set network interface vlan adjust-tcp-mss enable <yes|no>
    set network interface vlan units <name> adjust-tcp-mss enable <yes|no>
    set network interface loopback adjust-tcp-mss enable <yes|no>
    set network interface loopback units <name> adjust-tcp-mss enable <yes|no>
The netstat command has moved from the root level into the request command hierarchy:
  PAN-OS 7.0 and earlier releases:
    netstat programs yes interface yes
  PAN-OS 7.1 and later releases:
    request netstat programs yes interface yes
Additionally, the programs option of request netstat now requires superuser or superreader permissions.

Feature: Session settings
Change: The CLI command that sets the maximum number of multicast packets queued per session has changed. The new command updates the configuration instead of running an operational command, so the setting now persists across a firewall restart and requires you to commit the configuration change. Note that the minimum value has also changed from 0 to 1:
  PAN-OS 7.0 and earlier releases:
    set session max-pending-mcast-pkts-per-session <0-2000>
  PAN-OS 7.1 and later releases:
    set deviceconfig setting session max-pending-mcast-pkts-per-session <1-2000>
Threat Prevention CLI Changes
PAN-OS 7.1 has the following CLI changes for threat prevention features:
Feature: Anti-Spyware profiles
Change: With the new ability to specify intelligence sources through a list on an external domain, you must now specify the list. Example changes in the CLI follow:
  PAN-OS 7.0 and earlier releases:
    show profiles spyware <name> botnet-domains action
    show profiles spyware <name> botnet-domains action alert
    show profiles spyware <name> botnet-domains action allow
    show profiles spyware <name> botnet-domains action block
    show profiles spyware <name> botnet-domains action sinkhole
  PAN-OS 7.1 and later releases:
    show profiles spyware <name> botnet-domains lists <name> action
    show profiles spyware <name> botnet-domains lists <name> action alert
    show profiles spyware <name> botnet-domains lists <name> action allow
    show profiles spyware <name> botnet-domains lists <name> action block
    show profiles spyware <name> botnet-domains lists <name> action sinkhole
URL Filtering CLI Changes
PAN-OS 7.1 has the following CLI change for URL Filtering features:
Feature: External Dynamic Lists
Change: When specifying an hourly polling time for external block lists (now called external dynamic lists), you can no longer specify a particular minute within the hour. The change in the CLI is as follows:
  PAN-OS 7.0 and earlier releases:
    set external-list <name> recurring hourly at <value>
  PAN-OS 7.1 and later releases:
    set external-list <name> recurring hourly
User-ID CLI Changes
PAN-OS 7.1 has the following CLI changes for User-ID features:
Feature: Username-to-group mapping
Change: The following User-ID commands, used to retrieve the list of groups and the corresponding list of members from an LDAP server, now require you to specify the virtual system to which the LDAP server profile belongs:
  PAN-OS 7.0 and earlier releases:
    show user group-mapping naming-context server <ip/netmask>|<value> server-port <1-65535> use-ssl <yes|no> is-active-directory <yes|no> proxy-agent <ip/netmask>|<value> proxy-agent-port <1-65535>
    show user group-selection use-ssl <yes|no> base <value> bind-dn <value> bind-password <value> name-attribute <value> group-object <value> container-object <value> filter <value> search-scope <one|subtree> proxy-agent <ip/netmask>|<value> proxy-agent-port <1-65535> force <yes|no> server [ <server1> <server2>... ]
    show user group-selection use-ssl <yes|no> base <value> bind-dn <value> bind-password <value> name-attribute <value> group-object <value> container-object <value> filter <value> search-scope <one|subtree> proxy-agent <ip/netmask>|<value> proxy-agent-port <1-65535> force <yes|no> server-port [ <server-port1> <server-port2>... ]
  PAN-OS 7.1 and later releases:
    show user group-mapping naming-context server <ip/netmask>|<value> sp_vsys_id <value> server-port <1-65535> use-ssl <yes|no> is-active-directory <yes|no> proxy-agent <ip/netmask>|<value> proxy-agent-port <1-65535>
    show user group-selection sp_vsys_id <value> use-ssl <yes|no> base <value> bind-dn <value> bind-password <value> name-attribute <value> group-object <value> container-object <value> filter <value> search-scope <one|subtree> proxy-agent <ip/netmask>|<value> proxy-agent-port <1-65535> force <yes|no> server [ <server1> <server2>... ]
    show user group-selection sp_vsys_id <value> use-ssl <yes|no> base <value> bind-dn <value> bind-password <value> name-attribute <value> group-object <value> container-object <value> filter <value> search-scope <one|subtree> proxy-agent <ip/netmask>|<value> proxy-agent-port <1-65535> force <yes|no> server-port [ <server-port1> <server-port2>... ]