
Configure Palo Alto PAN-OS Security Policy & NAT via CLI

A practical, command-by-command walkthrough for configuring a Palo Alto NGFW from the PAN-OS CLI: security rules, NAT, commit and live session troubleshooting.

This SKYLINE knowledge-base article is a practical reference for configuring and troubleshooting a Palo Alto Networks NGFW from the PAN-OS command line. The CLI is the fastest way to make precise changes, script repeatable work and diagnose live traffic. All commands below reflect standard PAN-OS syntax (10.x/11.x). Always test in a lab or maintenance window first, and keep a saved configuration you can revert to.

1. CLI modes and getting oriented

PAN-OS has two main modes. You log in to operational mode, shown by the > prompt, and enter configuration mode with configure, shown by the # prompt.

admin@PA-440> configure
Entering configuration mode
admin@PA-440#

Useful navigation while in configure mode:

# show              # display the candidate configuration
# run show clock    # run an operational command from within configure mode
# exit              # leave configuration mode back to operational mode

2. Initial management settings (operational bring-up)

From configuration mode, set the management interface address, default gateway and DNS servers, then NTP. Both commands are staged in the candidate configuration and take effect at the next commit:

# set deviceconfig system ip-address 192.168.1.10 netmask 255.255.255.0 default-gateway 192.168.1.1 dns-setting servers primary 8.8.8.8 secondary 8.8.4.4
# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address pool.ntp.org
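Once the management interface is reachable, the next step a practitioner takes is to limit who can reach it. The sequence below is an added example, not part of the original article: the admin subnet 192.168.1.0/24, the hostname PA-440-EDGE and the time zone Asia/Riyadh are assumptions for illustration. The one check that matters is in the first comment: the host you are logged in from must be inside the permitted range before you commit, or the only way back in is the console.

```text
admin@PA-440> configure

Restrict management-plane access to the admin subnet. Confirm your own source
address is inside this range BEFORE committing, or the commit locks you out.
admin@PA-440# set deviceconfig system permitted-ip 192.168.1.0/24

Keep the cleartext management services off explicitly, so the intent is visible
in the configuration (SSH and HTTPS remain enabled).
admin@PA-440# set deviceconfig system service disable-telnet yes
admin@PA-440# set deviceconfig system service disable-http yes

Hostname and time zone, so logs, job history and commit descriptions are
readable and time-correlated with the rest of the estate.
admin@PA-440# set deviceconfig system hostname PA-440-EDGE
admin@PA-440# set deviceconfig system timezone Asia/Riyadh

Review the candidate values, then commit with an audit note.
admin@PA-440# show deviceconfig system permitted-ip
admin@PA-440# commit description "Management bring-up and hardening"
admin@PA-440# exit

Verify from operational mode: hostname, management address and time zone
should all reflect the committed values.
admin@PA-440> show system info
```

permitted-ip is a whitelist: once a single entry exists, every address not listed is refused on the MGT interface, so add every jump host or bastion range you rely on in the same commit.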

3. Create a security policy rule

Palo Alto policy is application-aware. The canonical form of a security rule sets the source and destination zones, addresses, the application (App-ID), the service and the action:

# set rulebase security rules Allow-Web from trust to untrust source any destination any application [ ssl web-browsing ] service application-default action allow

Attach logging at session end and a security profile group so the rule actually inspects traffic rather than just permitting it (the group, here Strict-Profiles, must already exist or the commit fails validation):

# set rulebase security rules Allow-Web log-end yes
# set rulebase security rules Allow-Web profile-setting group Strict-Profiles

An explicit deny with logging is good hygiene at the bottom of the rulebase. PAN-OS evaluates security rules top-down and the first match wins, and a rule created with set is appended after the existing rules, so whenever you add rules later, put Deny-All back at the end with the configuration-mode move command:

# set rulebase security rules Deny-All from any to any source any destination any application any service any action deny log-end yes

4. Create a NAT rule (source and destination)

Source NAT with dynamic IP and port (DIPP) for outbound internet access, translating to the egress interface address:

# set rulebase nat rules Outbound-NAT from trust to untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

Destination NAT to publish an internal web server. NAT rules are matched on pre-NAT zones, so the destination zone is untrust (the zone 203.0.113.10 is routed to), not the server's zone. The security rule that permits this traffic then uses the post-NAT zone (trust) as its destination zone but the original public address 203.0.113.10, not 10.10.10.20, as its destination address:

# set rulebase nat rules Web-DNAT from untrust to untrust source any destination 203.0.113.10 service service-https destination-translation translated-address 10.10.10.20 translated-port 443
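Sections 3 and 4 each show one half of publishing a server; the pre-NAT/post-NAT split is where most inbound-access tickets come from. The sequence below is an added example, not part of the original article, showing the NAT rule and its matching security rule together with the test commands that confirm them. The address object names Web-Public and Web-Internal, the rule name Allow-Inbound-Web, the internal listening port 8443, the existing rule Deny-All and the test source 198.51.100.7 are assumptions for illustration.

```text
Address objects (constructed for this example) so the public and private
addresses are named once and reused in both rulebases.
admin@PA-440# set address Web-Public ip-netmask 203.0.113.10/32
admin@PA-440# set address Web-Internal ip-netmask 10.10.10.20/32

NAT rule. Zones here are PRE-NAT: a packet for 203.0.113.10 arrives in
untrust and, before translation, would also route out untrust, hence
untrust -> untrust. The server listens on 8443, so the port is translated too.
admin@PA-440# set rulebase nat rules Web-DNAT from untrust to untrust source any destination Web-Public service service-https destination-translation translated-address Web-Internal translated-port 8443

Security rule. Zones here are POST-NAT (10.10.10.20 lives in trust) but the
destination address and port are PRE-NAT: the public object and 443, not
10.10.10.20 and 8443.
admin@PA-440# set rulebase security rules Allow-Inbound-Web from untrust to trust source any destination Web-Public application ssl service service-https action allow
admin@PA-440# set rulebase security rules Allow-Inbound-Web log-end yes
admin@PA-440# set rulebase security rules Allow-Inbound-Web profile-setting group Strict-Profiles

A new rule is appended at the end of the rulebase, i.e. after Deny-All,
where it would never match. Move it above the explicit deny, then commit.
admin@PA-440# move rulebase security rules Allow-Inbound-Web before Deny-All
admin@PA-440# commit description "Publish web server 203.0.113.10"
admin@PA-440# exit

Verify with the same logic the firewall applies: pre-NAT zones for the NAT
lookup, post-NAT zones with the pre-NAT address and port for the security lookup.
admin@PA-440> test nat-policy-match from untrust to untrust source 198.51.100.7 destination 203.0.113.10 destination-port 443 protocol 6
admin@PA-440> test security-policy-match from untrust to trust source 198.51.100.7 destination 203.0.113.10 destination-port 443 protocol 6
admin@PA-440> show session all filter destination 203.0.113.10
```

If the security-policy-match test returns Deny-All instead of Allow-Inbound-Web, the usual causes are a security rule written with the translated address 10.10.10.20 or the translated port, or a destination zone of untrust copied from the NAT rule.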

5. Commit your changes

PAN-OS uses a candidate/running model: your edits sit in the candidate config until you commit. commit is a configuration-mode command, so run it at the # prompt (enter configure first if you are in operational mode):

# commit

Add an audit note so the job and the configuration log record why the change was made:

# commit description "<change ticket / message>"

Track the job:

> show jobs all
> show jobs id 5

6. Verify the running configuration

> show running security-policy
> show running nat-policy

7. Troubleshoot with policy-match and live sessions

Confirm which security rule a flow will hit without sending real traffic. Protocol numbers: TCP=6, UDP=17, ICMP=1. For flows subject to destination NAT, give the pre-NAT destination address together with the post-NAT zones, which mirrors how the firewall itself evaluates security policy:

> test security-policy-match from trust to untrust source 10.10.10.5 destination 203.0.113.10 destination-port 443 protocol 6
> test nat-policy-match from trust to untrust source 10.10.10.5 destination 203.0.113.10 destination-port 443 protocol 6

Inspect active sessions in the dataplane:

> show session info
> show session all
> show session all filter destination 203.0.113.10
> show session id 12345

Clear a stuck or stale session when you need to force re-evaluation (the flow is dropped and the client must re-establish it, at which point policy and NAT are looked up afresh):

> clear session id 12345

8. Save and restart safely

# save config to pre-change-backup.xml      # save the candidate config to a named file on the firewall
> request restart system                  # full system restart (use with care)

The saved file is your revert point: load it back into the candidate (load config from, in configuration mode) and commit. A commit never requires a restart; request restart system reboots the whole appliance and drops every session, so reserve it for upgrades or vendor-support guidance.

Putting it together

A typical change flow is: configure → edit with set → review with show → commit → verify with show running ... and test ...-policy-match → confirm live with show session. This loop keeps changes deliberate and auditable.
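The loop above, carried through once on a small but realistic change, with the rollback path included. This is an added example, not part of the original article: the change ticket CHG-1234 and the external test destination 198.51.100.20 are assumptions, and the change itself (restoring Deny-All to the bottom of the rulebase after rules were added below it) is the ordering problem the closing paragraph refers to.

```text
Snapshot the candidate before touching anything; this file is the revert point.
admin@PA-440# save config to pre-change-backup.xml

The change: rules created after Deny-All were appended below it and never
match, so put the explicit deny back at the end and confirm the order.
admin@PA-440# move rulebase security rules Deny-All bottom
admin@PA-440# show rulebase security rules

Commit with an audit note, then track the job from within configure mode.
admin@PA-440# commit description "CHG-1234: keep Deny-All last in rulebase"
admin@PA-440# run show jobs all

Verify the running policy and test a flow that should hit Allow-Web, not Deny-All.
admin@PA-440# run show running security-policy
admin@PA-440# run test security-policy-match from trust to untrust source 10.10.10.5 destination 198.51.100.20 destination-port 443 protocol 6

Rollback, if the test or live sessions show the wrong rule: load the snapshot
into the candidate and commit it. Loading alone changes nothing on the dataplane.
admin@PA-440# load config from pre-change-backup.xml
admin@PA-440# commit description "CHG-1234: rollback to pre-change-backup.xml"
```

Keep the commit descriptions tied to the ticket in both directions: when a rollback is needed at 02:00, the job list and configuration log are what tell the on-call engineer which commit to undo.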

If a commit fails, a GlobalProtect tunnel won't establish, or a NAT/security ordering issue is dropping traffic, SKYLINE can help. We install, configure, support and troubleshoot Palo Alto firewalls across Saudi Arabia. Browse the Firewalls & Network Security category and the wider Marketplace, read our KSA deployment best-practices guide, or reach an engineer via contact or on +966 50 993 9334.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.

