CLI Reference¶
The pan-scm-cli command-line interface provides a structured set of commands for managing resources in Palo Alto Networks Strata Cloud Manager.
Command Structure¶
All commands follow this pattern:
| Component | Description | Examples |
|---|---|---|
<action> |
Operation to perform | set, delete, load, show, backup |
<category> |
Category of resource | object, network, security, sase |
<resource> |
Specific resource type | address, security-zone, rule |
[options] |
Resource-specific parameters | --folder, --name, --file |
Note
All show commands default to listing all items when no --name parameter
is provided.
Objects¶
Commands for managing configuration objects.
| Resource | Page | Operations |
|---|---|---|
| Address | address | set, delete, load, show, backup |
| Address Group | address-group | set, delete, load, show, backup |
| Application | application | set, delete, load, show, backup |
| Application Filter | application-filter | set, delete, load, show, backup |
| Application Group | application-group | set, delete, load, show, backup |
| Dynamic User Group | dynamic-user-group | set, delete, load, show, backup |
| External Dynamic List | external-dynamic-list | set, delete, load, show, backup |
| HIP Object | hip-object | set, delete, load, show, backup |
| HIP Profile | hip-profile | set, delete, load, show, backup |
| HTTP Server Profile | http-server-profile | set, delete, load, show, backup |
| Log Forwarding Profile | log-forwarding-profile | set, delete, load, show, backup |
| Quarantined Device | quarantined-device | show |
| Region | region | show |
| Schedule | schedule | show |
| Service | service | set, delete, load, show, backup |
| Service Group | service-group | set, delete, load, show, backup |
| Syslog Server Profile | syslog-server-profile | set, delete, load, show, backup |
| Tag | tag | set, delete, load, show, backup |
Tip
Bulk operations (load, backup) use YAML files. See individual resource
pages for file format details.
Security¶
Commands for managing security policies and profiles.
| Resource | Page | Operations |
|---|---|---|
| Security Rule | rule | set, delete, load, show |
| Anti-Spyware Profile | anti-spyware-profile | set, delete, load, show, backup |
| App Override Rule | app-override-rule | show |
| Authentication Rule | authentication-rule | show |
| Decryption Profile | decryption-profile | set, delete, load, show, backup |
| Decryption Rule | decryption-rule | show |
| DNS Security Profile | dns-security-profile | show |
| URL Access Profile | url-access-profile | show |
| URL Category | url-category | show |
| Vulnerability Protection Profile | vulnerability-protection-profile | show |
| Wildfire Antivirus Profile | wildfire-antivirus-profile | show |
Network¶
Commands for managing network configurations.
| Resource | Page | Operations |
|---|---|---|
| Security Zone | security-zone | set, delete, load, show, backup |
| Aggregate Interface | aggregate-interface | show |
| BGP Address Family Profile | bgp-address-family-profile | show |
| BGP Auth Profile | bgp-auth-profile | show |
| BGP Filtering Profile | bgp-filtering-profile | show |
| BGP Redistribution Profile | bgp-redistribution-profile | show |
| BGP Route Map | bgp-route-map | show |
| BGP Route Map Redistribution | bgp-route-map-redistribution | show |
| DHCP Interface | dhcp-interface | show |
| Ethernet Interface | ethernet-interface | show |
| IKE Crypto Profile | ike-crypto-profile | show |
| IKE Gateway | ike-gateway | show |
| IPsec Crypto Profile | ipsec-crypto-profile | show |
| Layer2 Subinterface | layer2-subinterface | show |
| Layer3 Subinterface | layer3-subinterface | show |
| Loopback Interface | loopback-interface | show |
| NAT Rule | nat-rule | show |
| OSPF Auth Profile | ospf-auth-profile | show |
| Route Access List | route-access-list | show |
| Route Prefix List | route-prefix-list | show |
| Tunnel Interface | tunnel-interface | show |
| VLAN Interface | vlan-interface | show |
SASE / Deployment¶
Commands for managing SASE deployment configurations.
| Resource | Page | Operations |
|---|---|---|
| Bandwidth Allocation | bandwidth | set, delete, load, show |
| BGP Routing | bgp-routing | show |
| Internal DNS Server | internal-dns-server | show |
| Network Location | network-location | show |
| Remote Network | remote-network | set, delete, load, show, backup |
| Service Connection | service-connection | set, delete, load, show, backup |
Identity¶
Commands for managing identity and authentication configurations.
| Resource | Page | Operations |
|---|---|---|
| Authentication Profile | authentication-profile | show |
| Kerberos Server Profile | kerberos-server-profile | show |
| LDAP Server Profile | ldap-server-profile | show |
| RADIUS Server Profile | radius-server-profile | show |
| SAML Server Profile | saml-server-profile | show |
| TACACS Server Profile | tacacs-server-profile | show |
Mobile Agent¶
Commands for managing GlobalProtect mobile agent configurations.
| Resource | Page | Operations |
|---|---|---|
| Agent Version | agent-version | show |
| Auth Setting | auth-setting | show |
Setup¶
Commands for managing setup and organizational configurations.
| Resource | Page | Operations |
|---|---|---|
| Device | device | show |
| Folder | folder | show |
| Label | label | show |
| Snippet | snippet | show |
| Variable | variable | show |
Operational Commands¶
| Command | Page | Description |
|---|---|---|
| Commit | commit | Push candidate configurations to running |
| Jobs | jobs | Monitor and manage configuration jobs |
| Insights | insights | Query SASE health and connectivity data |
| Context | context | Manage authentication contexts |
Global Options¶
Options that apply to all commands:
| Option | Description |
|---|---|
--help |
Show help message for any command |
--version |
Show the CLI version information |
--verbose |
Enable verbose output for additional details |
--mock |
Run in mock mode without API connections |
Related Topics¶
- Getting Started for initial setup and basic usage
- Installation for setup instructions
- Troubleshooting for common issues and solutions