How to Export Core Files from a Palo Alto Networks Device

Details

Core files have to be exported from the Palo Alto Networks firewalls directly through the TFTP or SCP protocols.

The existence of core files on the device can be verified with the following command:

> show system files

If looking in the Tech Support file that was generated and uploaded to a case, this information can be found in the unzipped folder directory:

• \tmp\cli\techsupport

To find the section use find command (CTRL+F) and search for "show system files"

Core file extensions will be one of the examples below:

• .tar.gz
• .core
• core.(number)

Any files in the /cores/ directory will most likely be useful and should be exported as well. So using a wildcard (*) in the export commands, as in the example below, will ensure all files in a certain plane are exported for evaluation. The other types of files that will be in the directory with the core files are:

• .mem
• .gdb

Files that are NOT core files, that are included in the Tech Support file and cannot be exported from the device directly are as follows:

• .info
• .pcap
• kernel_panic_(number)

File Directory explanation:

• "var" is management-plane
  • Example: /var/cores/:
• "opt" is data-plane which includes cp, dp0, dp1, and dp2 respectively
  • Example: /opt/var.cp/cores/:
  • Example: /opt/var.dp0/cores/:
  • Example: /opt/var.dp1/cores/:
  • Example: /opt/var.dp2/cores/:

File directory that ends with /cores/ is where the .tar.gz, .core, core.<number>, .mem, and .gdb files can be seen and requires that they be exported from the device Manually, as they are not part of a Tech Support File. The example below uses the above mentioned (*) wildcard and will export all core file types at once from the /var/cores/ directory even if only one file exists.

• Example: /var/cores/:
  • scp export core-file management-plane from * to user@ip:/path

Core files are found on different planes of a device depending on the models as shown below:

PA-200 models can only have core files found on "management-plane"

--------------------------------------------------------------------------------------------------------------

admin@PA-200> show system files

/var/cores/:

total 4.0K

drwxrwxrwx 2 root root 4.0K Sep 25 13:52 crashinfo

/var/cores/crashinfo:

total 0

--------------------------------------------------------------------------------------------------------------

PA-500, PA-2000, PA-3000, and PA-4000 models can have core files on "management-plane" or "data-plane"

--------------------------------------------------------------------------------------------------------------

admin@PA-3020> show system files

/var/cores/:

total 4.0K

drwxrwxrwx 2 root root 4.0K Oct 24 14:36 crashinfo

/var/cores/crashinfo:

total 0

/opt/dpfs/var/cores/:

total 4.0K

drwxrwxrwx 2 root root 4.0K Oct 24 14:37 crashinfo

/opt/dpfs/var/cores/crashinfo:

total 0

--------------------------------------------------------------------------------------------------------------

Note: The 5000 series, different Data Plane directories for /opt/ are highlighted in BOLD

PA-5020 and PA-5050 models can have core files on "management-plane", "control-plane", "data-plane0", and "data-plane1"

--------------------------------------------------------------------------------------------------------------

admin@PA-5020> show system files

/var/cores/:

total 4.0K

drwxrwxrwx 2 root root 4.0K Dec  1 08:24 crashinfo

/var/cores/crashinfo:

total 0

/opt/var.cp/cores/:

total 4.0K

drwxrwxrwx 2 root root 4.0K Dec  1 08:25 crashinfo

/opt/var.cp/cores/crashinfo:

total 0

/opt/var.dp1/cores/:

total 4.0K

drwxrwxrwx 2 root root 4.0K Dec  1 08:25 crashinfo

/opt/var.dp1/cores/crashinfo:

total 0

/opt/var.dp0/cores/:

total 4.0K

drwxrwxrwx 2 root root 4.0K Dec  1 08:25 crashinfo

/opt/var.dp0/cores/crashinfo:

total 0

--------------------------------------------------------------------------------------------------------------

PA-5060 models can have core files on "management-plane", "control-plane", "data-plane0",  "data-plane1", and "data-plane2"

--------------------------------------------------------------------------------------------------------------

admin@PA-5060> show system files

/var/cores/:

total 4.0K

drwxrwxrwx 2 root root 4.0K Dec  1 06:59 crashinfo

/var/cores/crashinfo:

total 0

/opt/var.cp/cores/:

total 4.0K

drwxrwxrwx 2 root root 4.0K Dec  1 07:03 crashinfo

/opt/var.cp/cores/crashinfo:

total 0

/opt/var.dp2/cores/:

total 4.0K

drwxrwxrwx 2 root root 4.0K Dec  1 07:03 crashinfo

/opt/var.dp2/cores/crashinfo:

total 0

/opt/var.dp1/cores/:

total 4.0K

drwxrwxrwx 2 root root 4.0K Dec  1 07:03 crashinfo

/opt/var.dp1/cores/crashinfo:

total 0

/opt/var.dp0/cores/:

total 4.0K

drwxrwxrwx 2 root root 4.0K Dec  1 07:03 crashinfo

/opt/var.dp0/cores/crashinfo:

total 0

--------------------------------------------------------------------------------------------------------------

The core file can be exported from a Palo Alto Networks firewall or Panorama with the following commands:

• scp:
  > scp export core-file <control-plane/data-plane0/data-plane1/data-plane2/management-plane> from <use (*) wildcard to gather all core files or core file name> to <user@host:path>
• tftp:
  > tftp export core-file <control-plane/data-plane0/data-plane1/data-plane2/management-plane> from <use (*) wildcard to gather all core files or core file name> to <tftp_host>

The example below would retrieve and export all core files that are on Data Plane 1 and export them to the TFTP server on 10.10.20.3:

PA-5050> tftp export core-file data-plane1 from * to 10.10.20.3

Note: By default, the Management Interface is used to reach the SCP/TFTP server. If needed, a service route can be configured.

owner: bvandivier

Delete unnecessary or already exported core files
A core file can be deemed unnecessary if investigation around the core file is complete or they are very old files. Doing this will save the disk space on / root partition.

> delete core management-plane file <filename>