https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/ta-p/573184 <DIV class="lia-message-template-content-zone"> <DIV class="flex flex-grow flex-col max-w-full"> <DIV class="min-h-[20px] text-message flex flex-col items-start gap-3 whitespace-pre-wrap break-words [.text-message+&amp;]:mt-5 overflow-x-auto" data-message-author-role="assistant" data-message-id="2f8ca960-21bd-4f44-8bc1-cbb55ba82ed1"> <DIV class="markdown prose w-full break-words dark:prose-invert light"> <P>Digging into the depths of policy details can be quite the task, especially after a long and tiring day. But fear not, handy search tools are here to lighten your load!</P> <P>&nbsp;</P> <P>Here's how it works: Simply pop in a keyword related to what you're hunting for. This could be the name of a policy (just squish it into one word), an IP address or object name, maybe an application, or even a service.</P> <P>&nbsp;</P> <P>Keep in mind though,&nbsp;wildcards (like *) aren't supported. You'll need a partial or an exact match.</P> <P>Add a partial IP address and you'll get all the partial and exact matches in the result:</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Fig 1_Filtering-the-Security-Policy_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56550iB13BEB62B7692626/image-size/large?v=v2&amp;px=999" role="button" title="Fig 1_Filtering-the-Security-Policy_palo-alto-networks.png" alt="Fig 1_Filtering-the-Security-Policy_palo-alto-networks.png" /></span> <P>&nbsp;</P> <P>Want to narrow things down even further? You can target your search to specific fields like the source zone or application. And guess what? There’s a super handy drop-down function that sets up your search filter in a snap. Easy-peasy!</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="add to filter.gif" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56545i4C5DAF5DE6E5C8AF/image-size/large?v=v2&amp;px=999" role="button" title="add to filter.gif" alt="add to filter.gif" /></span> <P> </P> <P>You can also create a search string manually. I've provided a list of all fields below:</P> <P>&nbsp;</P> <P><STRONG>Name</STRONG>:&nbsp;(name contains 'unlocate-block')</P> <P><STRONG>Tags</STRONG>: (tag/member eq 'tagname')</P> <P><STRONG>Type</STRONG>: (rule-type eq 'intrazone|interzone')</P> <P><STRONG>Source Zone</STRONG>: (from/member eq 'zonename')</P> <P><STRONG>Source Address</STRONG>: (source/member eq 'any|ip|object')</P> <P><STRONG>Source User</STRONG>: (source-user/member eq 'any|username|groupname')</P> <P><STRONG>Hip profile</STRONG>: &nbsp;(hip-profiles/member eq 'any|profilename')</P> <P><STRONG>Destination Zone</STRONG>: (to/member eq 'zonename')</P> <P><STRONG>Destination Address</STRONG>: (destination/member eq 'any|ip|object')</P> <P><STRONG>Destination User</STRONG>: (destination-user/member eq 'any|username|groupname')</P> <P><STRONG>Application</STRONG>: (application/member eq 'any|applicationname|applicationgroup|applicationfilter')</P> <P><STRONG>Service</STRONG>: (service/member eq 'any|servicename|application-default')</P> <P><STRONG>URL Category</STRONG>: (category/member eq 'any|categoryname')</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This is a destination category, not a URL filtering security profile</P> <P><STRONG>Action</STRONG>: (action eq 'allow|drop|deny|reset-client|reset-server|reset-both')</P> <P><STRONG>Action send ICMP unreachable</STRONG>: (icmp-unreachable eq 'yes')</P> <P><STRONG>Security Profiles</STRONG>:</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (profile-setting/profiles/virus/member eq 'profilename')</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (profile-setting/profiles/spyware/member eq 'profilename')</P> <P>&nbsp;&nbsp;&nbsp; &nbsp; (profile-setting/profiles/vulnerability/member eq 'profilename')</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (profile-setting/profiles/url-filtering/member eq 'profilename')</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (profile-setting/profiles/file-blocking/member eq 'profilename')</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (profile-setting/profiles/wildfire-analysis/member eq 'profilegroupname')</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (profile-setting/group/member eq 'profilename')</P> <P><STRONG>Disable server response inspection</STRONG>: (option/disable-server-response-inspection eq 'yes')</P> <P><STRONG>Log at session start</STRONG>: (log-start eq 'yes|no')</P> <P><STRONG>Log at session end</STRONG>: (log-end eq 'yes|no')</P> <P><STRONG>Schedule</STRONG>: (schedule eq 'schedulename')</P> <P><STRONG>Log Forwarding</STRONG>: &nbsp;(log-setting eq "forwardingprofilename')</P> <P><STRONG>Qos Marking</STRONG>:&nbsp; &nbsp; (qos/marking/ip-dscp eq 'codepoint')</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; (qos/marking/ip-precedence eq 'codepoint')</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp; &nbsp; (qos/marking/follow-c2s-flow eq '')</P> <P><STRONG>Description</STRONG>:&nbsp;(description contains '&lt;keyword&gt;')</P> <P><STRONG>Disabled policy</STRONG>: (disabled eq yes|no)&nbsp;&nbsp;</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; policies will only respond to 'no' if they have been disabled before</P> <P>&nbsp;</P> <P>As you can see in the examples above the operands are 'contains' and 'eq' (=equals).</P> <P>Note that you can also use the negate option using the operand 'neq' (=not equals).</P> <P>For example, here's how you can use the negate option to list all the rules that do NOT have a ALLOW action: (action neq 'allow'):</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Fig 3_Filtering-the-Security-Policy_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56551i2637A92E90959D91/image-size/large?v=v2&amp;px=999" role="button" title="Fig 3_Filtering-the-Security-Policy_palo-alto-networks.png" alt="Fig 3_Filtering-the-Security-Policy_palo-alto-networks.png" /></span> <P>&nbsp;</P> <P>Tag Browser can also come in very handy if you're able to tag all your security policies. It can be used in a similar way as the search function and display only the selected tags.</P> <P>&nbsp;</P> <P>More information and a tutorial video on the Tag Browser can be found here: <A title="Tag Browser | Knowledge Base | Palo Alto Networks" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTyCAK" target="_blank" rel="noopener nofollow noreferrer"><STRONG>Tutorial: Tag Browser</STRONG></A></P> <P>&nbsp;</P> <P>Hope this was helpful, feel free to ask questions or post remarks below.</P> <P>&nbsp;</P> <P>Thanks<SPAN>&nbsp;</SPAN>for taking time to read this blog.</P> <P>Don't forget to hit that<SPAN>&nbsp;</SPAN><FONT color="#FF6600"><STRONG>Like (thumbs up)</STRONG></FONT><SPAN>&nbsp;</SPAN>button and don't forget to<SPAN>&nbsp;</SPAN><FONT color="#339966"><STRONG>subscribe</STRONG></FONT><SPAN>&nbsp;</SPAN>to the<SPAN>&nbsp;</SPAN><A title="LIVEcommunity Blog | Palo Alto Networks" href="https://live.paloaltonetworks.com/t5/Blogs/bg-p/CommunityBlog" target="_self"><STRONG>LIVEcommunity Blog</STRONG></A>.</P> <P>&nbsp;</P> <P>Stay Secure,<BR />Kiwi out!</P> </DIV> </DIV> </DIV> </DIV> Tue, 16 Jan 2024 20:30:07 GMT kiwi 2024-01-16T20:30:07Z https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/ta-p/573184 <P>Digging into the depths of policy details can be quite the task, especially after a long and tiring day. But fear not, handy search tools are here to lighten your load!</P> Tue, 16 Jan 2024 20:30:07 GMT https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/ta-p/573184 kiwi 2024-01-16T20:30:07Z https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/573478#M698 <P>Is there any way to sort and/or filter on the Created and Modified columns?</P> Thu, 18 Jan 2024 15:04:32 GMT https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/573478#M698 BYates 2024-01-18T15:04:32Z https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/588010#M715 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/291421">@BYates</a> ,</P> <P>&nbsp;</P> <P>You can filter on the columns. Click the arrow next to the column name. From there select "Columns" and you can check/uncheck all the columns you would like to see.</P> <P>You can also drag/drop the columns to change the order you would like to see.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kiwi_0-1716816319465.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60053iDE97415F63283412/image-size/medium?v=v2&amp;px=400" role="button" title="kiwi_0-1716816319465.png" alt="kiwi_0-1716816319465.png" /></span></P> <P>&nbsp;</P> <P>As far as I know there is no filter option in the search bar at the top to filter out certain columns that way.</P> <P>&nbsp;</P> <P>Still not what you need ? In that case custom reports also allow you define specific colums in the report.</P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>-Kim.</P> Mon, 27 May 2024 13:28:21 GMT https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/588010#M715 kiwi 2024-05-27T13:28:21Z https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/589915#M718 <P>Any way to filter for udp protocol?</P> Wed, 19 Jun 2024 16:40:21 GMT https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/589915#M718 AWAW 2024-06-19T16:40:21Z https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/589992#M719 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/142815">@AWAW</a>&nbsp;,</P> <P>&nbsp;</P> <P>Yes you can use the filter <STRONG>(proto eq udp)</STRONG></P> <P>&nbsp;</P> <P>Kind regards,</P> <P>-Kim.</P> Thu, 20 Jun 2024 12:03:58 GMT https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/589992#M719 kiwi 2024-06-20T12:03:58Z https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/591050#M726 <P>If you want to filter for Rule ID which is called UUID the filter is:</P><P>(uuid eq xyz)</P><P>&nbsp;</P> Wed, 03 Jul 2024 12:08:56 GMT https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/591050#M726 AlexHalbarth 2024-07-03T12:08:56Z https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/592070#M731 <P>how about searching by modified date?</P> Mon, 15 Jul 2024 19:35:17 GMT https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/592070#M731 J_Healy 2024-07-15T19:35:17Z https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/592100#M732 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1423359225">@J_Healy</a>&nbsp;,</P> <P>&nbsp;</P> <P>You can't seem to add a filter based on modified date on the policies tab.</P> <P>&nbsp;</P> <P>However, knowing the modified date should allow you to do a Config Audit (Device tab &gt; Config Audit) for that date/config version and verify all the changes in the config (including the rules).</P> <P>&nbsp;</P> <P>If that doesn't provide you the requested information then a feature request might be in order.</P> Tue, 16 Jul 2024 06:10:57 GMT https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/592100#M732 kiwi 2024-07-16T06:10:57Z https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/592337#M734 <P>Thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;</P> Wed, 17 Jul 2024 20:39:16 GMT https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/592337#M734 J_Healy 2024-07-17T20:39:16Z https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/592576#M735 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;</P><P>&nbsp;</P><P>How would one filter the security policy view in Panorama by targeted device?</P> Fri, 19 Jul 2024 18:28:44 GMT https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/592576#M735 JR-Astound 2024-07-19T18:28:44Z https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/597542#M748 <P>Hello Team,&nbsp;<BR /><BR />Can I create filter to see only rules in specific Device Group. I have device group which have 3 parent Device Groups and there are 500 rules coming from them. This is pre-rules, so every time I have to scroll down to the local rules for the Device Group. Can I filter only for local rules in this Device Group without seeing all the rules coming from parents?&nbsp;<BR /><BR />Kind Regards</P> Wed, 11 Sep 2024 12:42:29 GMT https://live.paloaltonetworks.com/t5/general-articles/tips-and-tricks-filtering-the-security-policy/tac-p/597542#M748 ildragoev 2024-09-11T12:42:29Z