How to check the warning message for shadow rule via CLI
Created On 04/11/22 07:51 AM - Last Modified 01/15/25 02:44 AM
Objective
- Starting from PAN-OS 9.1, the 'shadows rule' warnings are organized and presented in a clear manner for easy analysis.
- Upon completion, the commit or validate job window will now show a separate tab for any shadowed rules.
- This information is documented under Simplified Application Dependency Workflow.
Environment
- PAN-OS 9.1 and above
- Rule Shadow
Procedure
- The "show jobs id <id>" CLI command for a commit job no longer shows shadow warnings.
> show jobs id 38048
Enqueued Dequeued ID Type Status Result Completed
--------------------------------------------------------------------------------------------------------------------
2022/04/11 00:16:16 00:16:16 38048 Commit FIN OK 00:17:11
Warnings:
Details: Configuration committed successfully
Description:
- The command is hidden; the shadow warnings are displayed only by entering the CLI command string "show shadow-warning".
show shadow-warning warning-message vsys <vsys name> uuid <rule uuid>
- Vsys and uuid are mandatory. To find the uuid for a security rule, use the following command.
debug device-server dump idmgr type security-rule all | match <rule name>
Example:
> debug device-server dump idmgr type security-rule all | match test1
25 vsys1+test1(uuid: 7b23a927-949e-4fad-a6a7-5f4e5eb7972f)
> show shadow-warning warning-message vsys vsys1 uuid 7b23a927-949e-4fad-a6a7-5f4e5eb7972f
Rule 'test1' shadows rule 'test2'.
Note: This CLI command is hidden and is not associated with the commit job-id, so one cannot specify the job-id to view all the warnings at once.
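Because the warnings have to be queried one rule at a time, the procedure above can be scripted offline. The following is an added example, not part of the original article or any vendor tooling: it parses saved output of the idmgr dump, builds one "show shadow-warning" command per rule, and extracts the rule pairs from the replies. The line and message formats are assumed from the single sample shown on this page, and the function names and the second sample rule are constructed.

```python
import re

# Line format assumed from the sample output on this page:
#   25 vsys1+test1(uuid: 7b23a927-949e-4fad-a6a7-5f4e5eb7972f)
IDMGR_LINE = re.compile(
    r"^\s*\d+\s+(?P<vsys>[^+\s]+)\+(?P<rule>.+?)"
    r"\(uuid:\s*(?P<uuid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\)\s*$"
)
# Message format assumed from the sample: Rule 'test1' shadows rule 'test2'.
SHADOW_LINE = re.compile(r"Rule '(?P<upper>.+?)' shadows rule '(?P<lower>.+?)'\.")


def parse_idmgr_dump(text):
    """Return (vsys, rule, uuid) tuples; lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = IDMGR_LINE.match(line)
        if m:
            rules.append((m["vsys"], m["rule"], m["uuid"].lower()))
    return rules


def shadow_commands(rules):
    """Build one command per rule; vsys and uuid are both mandatory."""
    return [
        f"show shadow-warning warning-message vsys {vsys} uuid {uuid}"
        for vsys, _rule, uuid in rules
    ]


def parse_shadow_output(text):
    """Return (shadowing_rule, shadowed_rule) pairs found in saved CLI output."""
    return [(m["upper"], m["lower"]) for m in SHADOW_LINE.finditer(text)]


# Constructed sample: the first line is from this page, the second is made up.
SAMPLE_DUMP = """\
25 vsys1+test1(uuid: 7b23a927-949e-4fad-a6a7-5f4e5eb7972f)
26 vsys1+test2(uuid: 00000000-0000-4000-8000-000000000002)
"""
SAMPLE_WARNINGS = "Rule 'test1' shadows rule 'test2'.\n"

if __name__ == "__main__":
    for cmd in shadow_commands(parse_idmgr_dump(SAMPLE_DUMP)):
        print(cmd)
    print(parse_shadow_output(SAMPLE_WARNINGS))
```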