TransIT AI

Vendor coverage

Palo Alto PAN-OS

Palo Alto PAN-OS — Palo Alto Networks firewalls and Panorama. PAN-OS has its own CLI flavor — candidate-config + commit model (like Junos), separate request restart system / request shutdown system verbs, and a unique shell-escape vector at debug software shell that drops to a Linux root shell on the firewall.

Shorthand expansion

Alias          Canonical
sh, sho, shw   show
p              ping
tr             traceroute

We deliberately do not canonicalize del to delete. delete is blocked anyway; the alias would risk turning unrelated del-foo commands into spurious block hits.

Allowed (head)

  • show, ping, traceroute
  • less, tail — read-only file/log viewers
  • find — search (find command …)
  • grep — filter applied to running output
  • view-config — read-only candidate-config view
  • set cli pager, set cli terminal, set cli timeout — pager, terminal type/width, idle timeout. These are the only carved-out set heads — everything else under set (set deviceconfig, set network, set rulebase, …) falls through to default-deny.

Blocked (head)

Configuration model:

  • configure — enters config mode
  • edit — navigates within config
  • delete, commit, commit-all, commit-force
  • load, save, revert, rename, move, copy

File / transfer:

  • scp — scp export, scp import
  • tftp, ftp — legacy file transfer
  • clear — counters, logs, sessions, ARP entries

The critical shell escape:

  • debug software shell — drops to the underlying Linux shell as root. The single most important block on PAN-OS — once in the shell, the permit list is fully bypassed and the attacker has root on the firewall.

Other debug subtrees:

  • debug system — debug system maint-mode reboots into maintenance mode; adjacent subcommands (loadcfg, disk-image) modify persistent state. Block the entire prefix.

System control:

  • request restart, request shutdown
  • request system — license/cert imports + more
  • request platform-software — image management
  • request high-availability — HA state mutation
  • request password-hash — password hash generation (escapes redaction)

Session / mode manipulation:

  • exit, quit, logout
  • run — escape from config-mode to operational mode

Pipe stages

Allowed: match, except, count

Blocked:

  • redirect — writes output to a file/URL
  • tee — display AND save (uncommon on PAN-OS but documented)
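The rules on this page compose into one small classifier: expand shorthand on the head token only (never del), match the longest blocked prefix first so debug software shell is reported as the shell escape rather than as a generic debug hit, then blocked heads, then pipe stages, then the three set cli carve-outs, and default-deny everything else. The following is an added example written for this page, not TransIT AI's own gate code; the allow/block tables are transcribed from the lists above, while the Verdict/classify names, the reason strings and the sample commands are my own assumptions.

```python
from dataclasses import dataclass

# Shorthand expansion: head token only. "del" is deliberately absent so that
# unrelated del-foo commands are not turned into spurious block hits.
ALIASES = {"sh": "show", "sho": "show", "shw": "show", "p": "ping", "tr": "traceroute"}

ALLOWED_HEADS = {"show", "ping", "traceroute", "less", "tail", "find", "grep", "view-config"}

# The only set subtrees carved out on this page; every other "set ..." is default-denied.
ALLOWED_SET_PREFIXES = {("set", "cli", "pager"), ("set", "cli", "terminal"), ("set", "cli", "timeout")}

# Single-token blocked heads with the page's reason for each.
BLOCKED_HEADS = {
    "configure": "enters config mode", "edit": "navigates within config",
    "delete": "configuration model", "commit": "configuration model",
    "commit-all": "configuration model", "commit-force": "configuration model",
    "load": "configuration model", "save": "configuration model", "revert": "configuration model",
    "rename": "configuration model", "move": "configuration model", "copy": "configuration model",
    "scp": "file transfer (scp export / scp import)", "tftp": "legacy file transfer",
    "ftp": "legacy file transfer", "clear": "clears counters, logs, sessions, ARP entries",
    "exit": "session manipulation", "quit": "session manipulation", "logout": "session manipulation",
    "run": "escape from config mode to operational mode",
}

# Multi-token blocked prefixes; the longest match wins so the reason is the most specific one.
BLOCKED_PREFIXES = {
    ("debug", "software", "shell"): "shell escape: Linux root shell, permit list fully bypassed",
    ("debug", "system"): "maint-mode / loadcfg / disk-image modify persistent state",
    ("request", "restart"): "system control", ("request", "shutdown"): "system control",
    ("request", "system"): "license/cert imports and more",
    ("request", "platform-software"): "image management",
    ("request", "high-availability"): "HA state mutation",
    ("request", "password-hash"): "hash generation escapes redaction",
}

ALLOWED_STAGES = {"match", "except", "count"}
BLOCKED_STAGES = {"redirect": "writes output to a file/URL", "tee": "display and save"}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    canonical: str  # command after alias expansion, as it would be forwarded


def _blocked_prefix(tokens):
    """Longest entry of BLOCKED_PREFIXES that prefixes tokens, or None."""
    for prefix in sorted(BLOCKED_PREFIXES, key=len, reverse=True):
        if tuple(tokens[: len(prefix)]) == prefix:
            return prefix, BLOCKED_PREFIXES[prefix]
    return None


def classify(line: str) -> Verdict:
    # PAN-OS pipe stages are bare keywords, so a plain split on "|" is sufficient here.
    segments = [s.strip() for s in line.strip().split("|")]
    tokens = segments[0].split()
    if not tokens:
        return Verdict(False, "empty command", "")
    tokens[0] = ALIASES.get(tokens[0], tokens[0])
    canonical = " | ".join([" ".join(tokens)] + segments[1:])
    head = tokens[0]

    hit = _blocked_prefix(tokens)
    if hit:
        return Verdict(False, f"blocked: {' '.join(hit[0])} ({hit[1]})", canonical)
    if head in BLOCKED_HEADS:
        return Verdict(False, f"blocked: {head} ({BLOCKED_HEADS[head]})", canonical)

    # Pipe stages are checked even for allowed heads: "show ... | redirect" must not pass.
    for seg in segments[1:]:
        words = seg.split()
        stage = words[0] if words else ""
        if stage in BLOCKED_STAGES:
            return Verdict(False, f"blocked pipe stage: {stage} ({BLOCKED_STAGES[stage]})", canonical)
        if stage not in ALLOWED_STAGES:
            return Verdict(False, f"default-deny pipe stage: {stage or '<empty>'}", canonical)

    if head == "set":
        if tuple(tokens[:3]) in ALLOWED_SET_PREFIXES:
            return Verdict(True, f"allowed set carve-out: {' '.join(tokens[:3])}", canonical)
        return Verdict(False, "default-deny: set outside the cli pager/terminal/timeout carve-outs", canonical)
    if head in ALLOWED_HEADS:
        return Verdict(True, f"allowed head: {head}", canonical)
    return Verdict(False, f"default-deny: unknown head {head}", canonical)


if __name__ == "__main__":
    # Constructed sample commands, one per rule family on this page.
    for cmd in ["sh system info", "del foo", "debug software shell", "debug system maint-mode",
                "set cli pager off", "set deviceconfig system hostname fw1",
                "show session all | match 192.0.2.1 | count", "show system info | redirect out"]:
        v = classify(cmd)
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5}  {v.canonical:45}  {v.reason}")
```

Two details worth keeping in any real implementation of this policy: the prefix table is scanned before the head table so the verdict names the exact shell-escape rule, which is what you want in the audit log; and pipe stages are evaluated after the head is accepted, because an allowed show with a trailing redirect is still a write.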