Palo Alto Networks Knowledgebase: Hierarchy of Debug Levels for Daemons in PAN-OS
Hierarchy of Debug Levels for Daemons in PAN-OS
Created On 09/25/18 19:20 PM - Last Updated 09/25/18 23:09 PM
While troubleshooting, we may need to enable debug messages for various dameons associated with the issue that we are facing.
To do this, we need to understand the debug levels and hierarcy available in PAN-OS.
The hierarcy for debug level is as follows:
1. Error 2. Warn 3. Info 4. Debug 5. Dump (use with caution)
Enabling a debug level also enables the debug levels above them.
For example, If we enable Info level, it will also turn on Error & Warn. That's why Dump level should be used sparingly.
To check the existing debug level for a daemon/function, enter the command:
> debug <daemon/function> show (OR) > debug <daemon/function> global show
For example, to check the debug level on the DHCP daemon,
> debug dhcpd global show
To enable debug for a daemon, use the command below:
> debug <daemon/function> on <debug-level> (OR) > debug <daemon/function> global on <debug-level>
For example, to enable debug on the DHCP daemon,
> debug dhcpd global on debug
After checking the debug logs, remember to revert the debug level to the default.
> debug dhcpd global on info
PAN-OS 8.0 introduces a new set of command options that you can use to display and modify the debug levels of the various service. These new commands branch from debug sofware logging-level [tab]. Initial options are "set" and "show."
To show the current debug level for all services (PAN-OS 8.0 and later only):
> debug software logging-level show service all-services
To show the debug level and the debug features configurations using debug software logging-level show commands, you must run two separate instances of the command (PAN-OS 8.0 and later only):
debug software logging-level show level service <service-name> debug software logging-level show feature service <service-name>
To set the debug level for all services to their default settings (PAN-OS 8.0 and later only):
> debug software logging-level set level default service all-services