F Prisma SD-WAN: Complete CLI Commands Guide (All Commands Explained) - The Network DNA: Networking, Cloud, and Security Technology Blog
Home / Paloalto / Prisma SDWAN / Prisma SD-WAN: Complete CLI Commands Guide (All Commands Explained)

Prisma SD-WAN: Complete CLI Commands Guide (All Commands Explained)

May 15, 2026 ,

Prisma SD-WAN: Complete CLI Commands Guide (All Commands Explained)

Published by THE NETWORK DNA  |  Updated 2026  |  SEO Optimized Technical Guide

Quick Summary: This comprehensive guide covers all Prisma SD-WAN CLI commands including show commands, debug commands, configuration commands, interface commands, routing commands, and troubleshooting commands for Palo Alto Prisma SD-WAN (formerly CloudGenix). Perfect for network engineers, SD-WAN administrators, and Palo Alto certified professionals.

>> Table of Contents

  1. Introduction to Prisma SD-WAN CLI
  2. Accessing Prisma SD-WAN CLI
  3. Basic Navigation Commands
  4. Show Commands (Monitoring)
  5. Interface Commands
  6. Routing and BGP Commands
  7. VPN and Tunnel Commands
  8. Debug and Troubleshooting Commands
  9. System and Admin Commands
  10. Log and Event Commands
  11. Policy and QoS Commands
  12. Network Diagnostics Commands
  13. Pro Tips and Best Practices

1. Introduction to Prisma SD-WAN CLI

Palo Alto Networks Prisma SD-WAN (formerly known as CloudGenix) provides a powerful Command Line Interface (CLI) that enables network administrators to manage, monitor, troubleshoot, and configure SD-WAN devices from the terminal. The CLI is available on all Prisma SD-WAN ION devices and provides granular control over system behavior.

Whether you are an SD-WAN engineer working on enterprise networks, a Palo Alto Networks certified professional, or a network administrator handling day-to-day operations, mastering Prisma SD-WAN CLI commands is essential for:

  • Real-time network monitoring and troubleshooting
  • Interface and routing configuration verification
  • VPN tunnel validation and debugging
  • Performance diagnostics and path selection analysis
  • System health checks and log analysis

2. Accessing Prisma SD-WAN CLI

You can access the Prisma SD-WAN CLI through multiple methods depending on your environment:

>> Method 1: SSH Access

ssh admin@<ION-Device-IP>
ssh admin@192.168.1.1
ssh -p 22 admin@<ION-Hostname>

>> Method 2: Console Access

# Connect via serial console (9600 baud, 8N1)
# Username: admin
# Default password: as configured during provisioning

☁ Method 3: Prisma SD-WAN Controller Portal (Toolkit)

# Navigate to: Prisma SD-WAN Portal
# Go to: Devices > Select ION Device > Toolkit > CLI
⚠ Note: The Prisma SD-WAN CLI operates in a restricted shell environment. Most configuration changes must be pushed via the controller portal or API, while CLI provides read/diagnostic access.

3. ▶ Basic Navigation Commands

These are the foundational commands to navigate the Prisma SD-WAN CLI environment:

Command Description
? Display all available commands at current level
help Display help menu
exit Exit current CLI session
quit Quit CLI session
clear screen Clear the terminal screen
history Display command history
Tab Key Auto-complete commands

4. Show Commands (Monitoring & Verification)

Show commands are the most frequently used commands in Prisma SD-WAN CLI. They allow you to verify the operational state of the device without making any changes.

>> System Information Commands

show version
show system info
show system status
show system uptime
show system resources
show system memory
show system cpu
show system disk
show hostname
show clock
show platform

>> Interface Status Commands

show interfaces
show interfaces all
show interfaces brief
show interfaces <interface-name>
show interfaces ethernet 1
show interfaces wan
show interfaces lan
show interface statistics
show interface counters
show interface errors
show interface <name> detail
show ip interface brief

>> WAN Link Commands

show wan-links
show wan-links all
show wan-links status
show wan-links <wan-link-id>
show wan-links statistics
show wan-links quality
show wan-links latency
show wan-links jitter
show wan-links packet-loss
show wan-links bandwidth
show wan-links health

>> VPN / Tunnel Status Commands

show tunnels
show tunnels all
show tunnels status
show tunnels statistics
show tunnels <tunnel-id>
show tunnels up
show tunnels down
show tunnels peer <peer-ip>
show vpn tunnels
show ipsec sa
show ipsec sa detail
show ipsec statistics
show ipsec peers

5. Interface Commands

Interface commands help you view, configure, and troubleshoot physical and logical interfaces on Prisma SD-WAN ION devices.

# View all interfaces
show interfaces all

# Check specific interface details
show interface <interface-name> detail

# Check interface IP configuration
show interface <interface-name> ip

# Show interface MAC address
show interface <interface-name> mac

# Check interface duplex and speed
show interface <interface-name> speed-duplex

# Check DHCP lease on interface
show dhcp interface <interface-name>

# Show all DHCP leases
show dhcp leases

# Interface traffic statistics
show interface <interface-name> statistics

# Check SFP/transceiver info
show interface <interface-name> transceiver

# Reset interface counters
clear interface <interface-name> counters

# Shutdown interface (if permitted)
interface <interface-name> shutdown

# Bring interface up
interface <interface-name> no shutdown

6. Routing and BGP Commands

Routing commands allow you to inspect the routing table, verify BGP sessions, and troubleshoot path selection in your Prisma SD-WAN environment.

>> Static and Dynamic Routing Commands

show ip route
show ip route all
show ip route summary
show ip route <prefix>
show ip route static
show ip route connected
show ip route bgp
show ip route ospf
show ip routing-table
show route <destination-ip>
show ip fib
show ip fib detail

>> BGP Commands

show bgp summary
show bgp neighbors
show bgp neighbors <neighbor-ip>
show bgp neighbors <neighbor-ip> advertised-routes
show bgp neighbors <neighbor-ip> received-routes
show bgp routes
show bgp routes <prefix>
show bgp peers
show bgp status
show bgp statistics
show bgp community
show bgp as-path
debug bgp
debug bgp updates
debug bgp events
clear bgp neighbor <ip> soft
clear bgp neighbor all soft

>> OSPF Commands

show ospf neighbors
show ospf database
show ospf routes
show ospf statistics
show ospf interface
show ospf summary
debug ospf events
debug ospf packets

7. VPN and Tunnel Commands

Prisma SD-WAN uses encrypted tunnels to connect branch sites over public or private WAN links. The following commands help you validate tunnel health and troubleshoot connectivity issues.

# Display all VPN tunnels
show vpn tunnels

# Show tunnel summary
show tunnels summary

# Show specific tunnel
show tunnel <tunnel-id>

# Show tunnel QoS
show tunnel <tunnel-id> qos

# Show tunnel BFD (Bidirectional Forwarding Detection)
show bfd sessions
show bfd sessions all
show bfd session <session-id>
show bfd statistics

# IPsec SA (Security Association)
show ipsec sa
show ipsec sa all
show ipsec sa <sa-id>
show ipsec sa summary
show ipsec policy
show ipsec statistics

# IKE (Internet Key Exchange)
show ike sa
show ike sa all
show ike peers
show ike statistics

# GRE Tunnels
show gre tunnels
show gre tunnel <id> detail

# Clear specific tunnel
clear tunnel <tunnel-id>
clear ipsec sa <peer-ip>

8. Debug and Troubleshooting Commands

Debug commands are used for deep-dive troubleshooting. Use with caution in production environments as they may generate high CPU load.

⚠ Warning: Always use debug commands carefully in production. Use undebug all or no debug all to stop debugging sessions.

>> General Debug Commands

debug all
undebug all
no debug all
debug level <level>
debug system events
debug process <process-name>
debug connectivity
debug path-selection
debug flow <flow-id>
debug wan-links
debug tunnels
debug routing
debug policy
debug dns
debug dhcp
debug ntp
debug syslog
debug controller connectivity

>> Packet Capture Commands

# Start packet capture on interface
tcpdump interface <interface-name>
tcpdump interface eth1 host 192.168.1.1
tcpdump interface eth1 port 443
tcpdump interface eth1 -c 100
tcpdump interface eth1 -w /tmp/capture.pcap

# Advanced tcpdump filters
tcpdump interface eth1 "tcp and host 10.0.0.1"
tcpdump interface eth1 "icmp"
tcpdump interface wan0 "udp port 500"
tcpdump interface wan0 "udp port 4500"

# Stop capture
Ctrl + C

>> Ping and Traceroute Commands

# Basic ping
ping <destination-ip>
ping 8.8.8.8

# Ping with count
ping <ip> count <number>
ping 8.8.8.8 count 100

# Ping with source interface
ping <ip> source <interface>
ping 8.8.8.8 source eth1

# Ping with size
ping <ip> size <bytes>
ping 8.8.8.8 size 1400

# Traceroute
traceroute <destination-ip>
traceroute 8.8.8.8

# Traceroute with source
traceroute <ip> source <interface>

# MTR (combined ping + traceroute)
mtr <destination-ip>
mtr 8.8.8.8

9. ⚙ System and Admin Commands

These commands allow administrators to manage system-level operations, software updates, and configuration on Prisma SD-WAN ION devices.

# Show system version
show version
show software version

# Show running configuration
show running-config
show config
show config all

# Show startup configuration
show startup-config

# Reboot device
reboot
reload
reboot now

# Shutdown device
halt
shutdown

# Save configuration
write memory
copy running-config startup-config
save config

# Factory reset
factory-reset
factory-default

# Show NTP status
show ntp
show ntp status
show ntp associations

# Show DNS configuration
show dns
show dns resolution
show dns servers

# Test DNS resolution
nslookup <hostname>
nslookup google.com
dig <hostname>

# Software upgrade
upgrade software <version>
show upgrade status
show software images

# Show license information
show license
show license detail
show license status

# Show hardware inventory
show hardware
show inventory
show chassis

# Show environment (temperature, fans, PSU)
show environment
show environment temperature
show environment fans
show environment power

10. Log and Event Commands

Log commands help engineers review historical events, system alerts, and audit trails on Prisma SD-WAN devices.

# Show system logs
show log
show log system
show log system last 100
show log events
show log events last 50

# Show alarms
show alarms
show alarms active
show alarms history
show alarms critical

# Show audit logs
show audit-log
show audit-log last 100

# Show syslog
show syslog
show syslog config

# Show event history
show events
show events all
show events filtered <type>

# Clear logs
clear log system
clear alarms

# Follow live logs
tail-log system
tail-log events

11. Policy and QoS Commands

Prisma SD-WAN uses application-aware policies and QoS rules to prioritize traffic. These commands allow you to verify and monitor policy enforcement.

>> QoS and Traffic Policy Commands

# Show QoS policies
show qos
show qos policy
show qos policy all
show qos class-map
show qos statistics
show qos queues
show qos queues detail
show qos interface <interface>

# Show application policies
show policy
show policy all
show policy application
show policy application <app-name>
show policy network
show policy path-select

# Show path selection
show path-select
show path-select summary
show path-select policy
show path-select flows

# Show application flows
show flows
show flows all
show flows active
show flows application <app-name>
show flows top
show flows summary

# Show bandwidth usage
show bandwidth
show bandwidth usage
show bandwidth per-interface
show bandwidth per-application

12. Network Diagnostics Commands

These comprehensive diagnostic commands help identify and resolve network issues across WAN links, LAN segments, and controller connectivity.

>> ARP and MAC Commands

show arp
show arp all
show arp interface <interface>
show arp <ip-address>
clear arp
clear arp <ip-address>
show mac-address-table
show mac-address-table interface <interface>
show neighbors
show ip neighbors

>> Controller Connectivity Commands

show controller connectivity
show controller status
show controller connection
show controller details
show controller last-seen
show controller heartbeat
show controller sync-status
show management-interface
show management-plane
show control-plane status
show control-plane connections

>> NAT Commands

show nat
show nat translations
show nat translations all
show nat statistics
show nat policy
show nat table
clear nat translations
clear nat translations all

>> SNMP and Monitoring Commands

show snmp
show snmp config
show snmp community
show snmp traps
show snmp statistics
show monitoring
show monitoring status
show sflow
show netflow
show netflow statistics
show netflow collectors

>> Security and Firewall Commands

show security
show security policy
show security policy all
show security zones
show security zones detail
show acl
show acl all
show acl interface <interface>
show firewall rules
show firewall statistics
show threat-protection
show ids-ips status
show certificates
show certificates detail
show ssl-decryption
show users
show users logged-in
show users local
show aaa
show aaa authentication
show radius servers
show tacacs servers

13. ⚡ Pro Tips and Best Practices

>> Tip 1: Use Tab Completion

Always press the Tab key for command auto-completion. Prisma SD-WAN CLI supports intelligent tab completion which saves time and prevents typos.

>> Tip 2: Use Pipe Filters

You can pipe commands to filter output using | grep for targeted output.

show interfaces | grep "eth1"
show ip route | grep "0.0.0.0"
show bgp neighbors | grep "Established"

>> Tip 3: Regularly Check WAN Quality Metrics

Use show wan-links quality and show wan-links latency frequently to proactively monitor WAN link health before user complaints.

>> Tip 4: Verify Controller Connectivity First

When troubleshooting any issue, always start with show controller connectivity to ensure the ION device is properly connected to the Prisma SD-WAN controller.

>> Tip 5: Document Debug Sessions

Always use terminal logging when running debug commands. Use script <filename> to capture the entire session to a file for later analysis.

⚡ Prisma SD-WAN CLI Quick Reference Cheat Sheet

Category Key Command Purpose
System show version Display software version
Interface show interfaces all Show all interfaces
Routing show ip route Show routing table
BGP show bgp summary Show BGP peer summary
WAN show wan-links quality Show WAN link quality
Tunnels show tunnels all Show all VPN tunnels
IPsec show ipsec sa Show IPsec SAs
Controller show controller status Show controller connection
QoS show qos statistics Show QoS stats
Flows show flows active Show active traffic flows
Logs show log system Show system logs
Debug undebug all Stop all debug output
Packet tcpdump interface eth1 Capture packets
ARP show arp all Show ARP table
NAT show nat translations Show NAT table

>> Conclusion

This comprehensive guide has covered all major Prisma SD-WAN CLI commands including show commands, interface commands, routing commands, BGP commands, VPN and IPsec commands, debug commands, packet capture commands, QoS policy commands, system administration commands, log commands, NAT commands, and network diagnostic commands.

Mastering the Prisma SD-WAN CLI is essential for any network professional working with Palo Alto Networks SD-WAN solutions. Regular practice with these commands ensures faster troubleshooting, better network visibility, and more efficient network management.

For the most up-to-date commands, always refer to the official Palo Alto Networks Prisma SD-WAN documentation portal and Prisma SD-WAN ION device release notes.

>> Related Keywords: Prisma SD-WAN CLI, Palo Alto SD-WAN commands, CloudGenix CLI commands, Prisma SD-WAN ION CLI, Prisma SD-WAN show commands, Prisma SD-WAN debug commands, Prisma SD-WAN troubleshooting, SD-WAN CLI reference, Palo Alto Networks SD-WAN configuration, Prisma SD-WAN BGP commands, Prisma SD-WAN VPN commands, Prisma SD-WAN interface commands, Prisma SDWAN all CLI commands, Prisma SD-WAN routing commands, Palo Alto SD-WAN ION device CLI

© 2026 THE NETWORK DNA | Prisma SD-WAN CLI Commands Reference Guide | All Rights Reserved