Palo Alto Networks PAN-OS Debugs and Default State


#1

Debugs, what they are for and their default states.

I started writing this to refresh a set of scripts. I found most of the debugs and states are not well documented yet. If you know otherwise, please post a comment. I will continue updating this table of data as I get to it. If there is anything else that should be added, please post the entries for all columns and I will get the table itself updated.


Debug Indicator(s)

Command(s)

Default State After Reboot (normal state)

Purpose of this debug command

Community References

debug level: debug

debug device-server show

info

debug:on level:debug

debug log-receiver show

debug:on level:info

cfg.global-protect.portal.debug = True

show system state | match portal.debug OR debug global-protect portal show

blank/no result/False

sw.ikedaemon.debug.global: debug

show system state | match debug.global OR debug ike global show

normal

sw.sslvpn.debug.global: debug

show system state | match debug.global OR debug ssl-vpn global show

info

sw.keymgr.debug.global: debug

show system state | match debug.global OR debug keymgr global show

normal

sw.rasmgr.debug.global: debug

show system state | match debug.global OR debug rasmgr show

normal

sw.satd.debug.global: debug

show system state | match debug.global OR debug rasmgr show

normal

sw.ikedaemon.debug.pcap: True

show system state | match debug.global OR debug ike pcap show

False

sw.sysd.debug-level: 4

show system state | match debug-level

4

sha.app.debug.level: debug

show system state | match debug.level

debug

md.apps.s0.mp.cfg.debug-level: debug

md.apps.s1.mp.cfg.debug-level: debug

md.apps.s1.dp1.cfg.debug-level: debug

md.apps.s1.dp0.cfg.debug-level: debug

md.apps.s1.mp.cfg.debug-level: debug

show system state | match debug-level OR debug master-service show

info

sw.cryptod.runtime.debug.level: debug

show system state | match debug.level OR debug cryptod global show

info

sw.dnsproxyd.runtime.debug.level: warn

show system state | match debug.level OR debug dnsproxyd global show

warn

sw.l2ctrld.lacp.runtime.debug.level: debug

show system state | match debug.level OR debug l2ctrld lacp show debug-level

info

sw.l2ctrld.lldp.runtime.debug.level: debug

show system state | match debug.level OR debug l2ctrld lacp show debug-level

warn

sw.l2ctrld.runtime.debug.level: debug

show system state | match debug.level OR debug l2ctrld global show

info

sw.pppoed.runtime.debug.level: debug

show system state | match debug.level OR debug pppoed global show

warn

sw.routed.runtime.debug.level: debug

show system state | match debug.level OR debug routing global show

info

sw.sslmgr.runtime.debug.level: debug

show system state | match debug.level OR debug sslmgr show setting

info

sw.dhcpd.runtime.debug.level: debug

show system state | match debug.level OR debug dhcpd global show

info

management-server debug:debug

debug management-server show

info

sw.mprelay.s1.cp.debug

debug mprelay show

info

sw.mprelay.s1.dp0.debug

debug mprelay show

info

sw.mprelay.s1.dp1.debug

debug mprelay show

info

sw.mprelay.s1.dp2.debug

debug mprelay show

info

sw.mprelay.s1.dp3.debug

debug mprelay show

info

sw.mprelay.s1.dp5.debug

debug mprelay show

info

sw.mprelay.s1.dp6.debug

debug mprelay show

info

sw.mprelay.s1.dp7.debug

debug mprelay show

info

sw.mprelay.s1.dp8.debug

debug mprelay show

info

sw.mprelay.s1.dp9.debug

debug mprelay show

info

debug.user-id.get

debug user-id get

info

debug: on level

debug var-data RX



See also: https://live.paloaltonetworks.com/t5/Learning-Articles/Hierarchy-of-Debug-Levels-for-Daemons-in-PAN-OS/ta-p/70564


#2

Great table. Very useful. Want to make this a blog post so we can refer this table from the actual alert. Thanks!


#3

Brad, hi. My name is Peri and I"m a Palo engineer at a customer site. We would like to implement Indeni but I’m having some reservations. Can you give me a list of questions to ask the Indeni engineers or what to be aware of?. Our PA is 5060 and there has been major problems.


#4

@kingman112 Hi Peri, you have had major problems with Indeni or major problems with your PA-5060? Indeni can be a great help with diagnosing firewall issues. If you are referring to issues with Indeni itself causing firewall issues I’d be concerned about there being an underlying issue with the firewall. I’d be happy to discuss your concerns either way with Indeni support or with the Indeni’s sales team you are working with.