debug enabled alert on Palo Alto Networks firewall

debug enabled alert on Palo Alto Networks firewall

The body of the alert doesn't provide much value and there doesn't appear to be an easy way to view or disable debug that I am finding. It sure would be helpfull to provide the command run for the alert or provid a link to PANW's documentation on how to disable debug if you don't know what debug is enabled.

For example: searching for md.apps.s1.cp.cfg.debug-level on PANW's Live Communitiy yields no results. Unless you know what each of those stand for you won't know what to disable debug on. I haven't found PA's to have an option like Cisco's undebug all command.

You cannot type "debug" and then md.apps.s1.cp.cfg.debug-level as the notification message states that you can.

this has been a hot topic of debate across customers. On the one hand, Indeni should identify when debug is enabled. However, it appears that PAN firewalls have the tendency to be left at "info" mode. Is that standard/best practice or should we reduce the sensitivity of the scripts to debugger > "info".

This is from one of the docs I found,


To enable CLI debugging, login to the Palo Alto Networks firewall ssh session and run the following command:

> debug cli on

Note: Use the command, debug cli off, to disable the CLI debugging.

I do not have a PAN in my lab at this to run this!