Useful Palo Alto PAN-OS Commands

Fix terminal height/width

set cli terminal height 500
set cli terminal width 500

Update Content/Threats from CLI (update license first)

request license fetch 
request content upgrade check
request content upgrade download latest
request content upgrade install version latest

Update Anti-Virus (AV) from CLI

request anti-virus upgrade check 
request anti-virus upgrade download latest 
request anti-virus upgrade install version latest

Update PAN-OS Version from CLI

request system software info
request system software download version 9.0.3-h3
request system software install version 9.0.3-h3
request restart system

Set management port to DHCP

set deviceconfig system type dhcp-client accept-dhcp-domain yes accept-dhcp-hostname yes send-client-id yes send-hostname yes

Newer models – disable ZTP

request disable-ztp
Configure Panorama server and delete default config
set deviceconfig system panorama-server `IP/Hostname`

delete network virtual-wire default-vwire
delete rulebase security rules rule1
delete zone trust
delete zone untrust
delete network interface ethernet ethernet1/1
delete network interface ethernet ethernet1/2
delete network interface ethernet ethernet1/3
delete network interface ethernet ethernet1/4
delete network interface ethernet ethernet1/5
delete network interface ethernet ethernet1/6
delete network interface ethernet ethernet1/7
delete network interface ethernet ethernet1/8

FTD Authentication with Azure MFA

I recently configured Azure MFA to authenticate AnyConnect users connecting to a FTD firewall. This required some odd workarounds.

Problems to work around

  1. FTD cannot do SAML, must use RADIUS for AnyConnect AAA
  2. Microsoft NPS with Azure MFA extension must be used for RADIUS Integration to Azure MFA 
  3. Microsoft NPS has a limited number of attributes it can filter incoming RADIUS requests on
  4. Customer has a need to only allow certain AD groups access to certain tunnel groups

Authentication Flow

  1. Firewall sends Access-Request to ISE 
  2. ISE adds RADIUS:NAS Identifier attribute to Access-Request based on CVPN3000/ASA/PIX7x-Tunnel-Group-Name
  3. NPS filters incoming requests based on NAS Identifier to appropriately authenticate different tunnel groups and does primary authentication against AD.
  4. NPS requests secondary authentication from Azure MFA
  5. Azure MFA completes MFA with user, based on the user’s default MFA method. There is no way to select this during the authentication sequence.
  6. NPS sends result back to ISE
  7. ISE proxies result back to FTD

Authentication Diagram

Ftd anyconnect azuremfa

Identity Services Engine (ISE) Configuration

  • External RADIUS Servers – define your NPS server(s) and shared secret here
  • RADIUS Server Sequence
    • Create a sequence per tunnel group that needs to be differentiated 
    • In the Advanced Attribute Settings tab, add the NAS Identifier attribute

Ise modify attrib

  • Policy Sets
    • Create one policy set per tunnel group
    • Conditions: NAS-Port-Type Virtual AND CVPN3000/ASA/PIX7x-Tunnel-Group-Name = MyGroupName
    • Server Sequence: proxy sequence created above

Network Policy Server (NPS) Configuration

  • Install Azure MFA extension and link to Azure AD –]
    • Protip: use a new NPS server. Once you install the extension, all requests authenticated locally will be subject to MFA
  • RADIUS Clients
    • In the NPS console, configure your ISE servers as RADIUS clients, using the same shared secret as above. 
    • Vendor – RADIUS Standard
  • Network Policies 
    • Create one per tunnel group name
    • Type of network access server – Unspecified 
    • Conditions
      • NAS Identifier – the identifier ISE added
      • User Groups – group you want to filter on 
    • NAS-Port-Type Virtual
    • Authentication Methods – I have them all enabled, including PEAP and EAP-MSCHAPv2 You minimally need PAP, but I have lots of logs that say “Custom” for the Authentication Type.
    • Note: The Microsoft documentation says: PAP supports all the authentication methods of Azure MFA in the cloud: phone call, one-way text message, mobile app notification, OATH hardware tokens, and mobile app verification code. *CHAPV2 and EAP* support phone call and mobile app notification.”

Firepower Threat Defense (FTD) Configuration

  • Configure ISE as your RADIUS servers for AnyConnect AAA. 
  • Set the timeout to 60 seconds or longer—if users are waiting for an SMS, phone call, push notification, etc., you want to give them enough time to do it.

User Experience

  • Users will put in their username and password at the AnyConnect client 
  • If their preferred option (set at uses a code (verification code form app or text message), they will see a pop-up after their first authentication. 
  • If their preferred option is a voice call or push notification, the authentication will wait until the verification is complete before granting access. Make sure all timeouts in the chain are long enough to support this. 


The NPS logs are a pain to use for troubleshooting. I wrote a quick python script to help parse the logs. You can find it here:

Automating Certificate Install on ASA with Netmiko

Here is a little script I wrote to automate putting certificates onto ASAs. It also activates the cert on the inside interface (mine is a one-armed VPN concentrator). The cert is assumed to already in the correct format and named asabase64.cert.

#!/usr/bin/env python3

from netmiko import Netmiko
import base64
import datetime

# connection config for netmiko
asav = {
"host": "hostname",
"username": "user",
"password": "pass",
"device_type": "cisco_asa",
"secret": "enable secret"

# open and read the cert
with open("asabase64.cert", "r") as f:
cert =

# name the cert with today's date
# this helps when pushing a new cert
# to not have a namespace overlap
today ="%d-%m-%Y")
certname = today + "starcert"
certcmd = "crypto ca import " + certname + " pkcs12 asaexportpass"
# build the commands needed to install the cert
commands = []
commands.append("conf t")
commands = commands + cert
trustpoint = "ssl trust-point " + certname + " inside"

# connect to the firewall
net_connect = Netmiko(**asav)

# always a good test
output = net_connect.send_command_timing("show int ip br")

# send the commands
for command in commands:

# clean up

FDM FTD HA Upgrade

To upgrade an HA pair of Firepower firewalls managed by FDM, use the following procedure: 

1. Deploy any pending changes
2. Log into standby unit, upload the upgrade and install 
3. After the reboot and copmleted upgrade, on teh standby unit, go High Availability and Switch Mode. This will force failover. 
4. Log into new standby unit, upgrade that unit. 
5. Resume HA (if it does not automatically resume) 
6. Deploy policy if needed 

Restart FDM WebUI

Sometimes, the FDM Web UI stops responding. I’ve found this especially on 6.5 code. To restart tomcat, go into expert mode and disable/enable: 


> expert
admin@fp:~$ sudo su -
root@fp:~# cd /ngfw/var/cisco/ngfwWebUi/
## delete this file if it exists
root@fp:ngfwWebUi# rm .bootstrap-failed
root@fp:ngfwWebUi# pmtool disablebyid tomcat
root@fp:ngfwWebUi# pmtool enablebyid tomcat


The web service takes a while (10+ minutes) to come back online. 

h/t to Pieter-Jan Nefkens at