如何在CLI上查看、创建和删除安全策略

wxiao — Thu, 12 Jan 2023 08:52:39 GMT

概述

本文介绍了如何在CLI（命令行界面）中查看、创建和删除安全策略。

详细介绍

从CLI创建一个新的安全策略：

> configure （按回车键）

# set rulebase security rules <name> from <source zone> to <destination zone> destination <ip> application <application> service <any/application-default/service name> action <allow/deny> （按回车键）

# exit

例子：

# set rulebase security rules Generic-Security from Outside-L3 to Inside-L3 destination 63.63.63.63 application web-browsing service application-default action allow （按回车键）

注意：对于所有CLI命令的输入帮助，使用"?"或[tab]来获得可用命令的列表。

从CLI查看Palo Alto Networks安全策略：

> show running security-policy

Rule From Source To Dest. User Proto Port Range Application Action

---------- ------------ ------------- ------------ --------------- ------------------- ----- ---------- ------------ ------

Doms DLP untrust-vwir 10.16.0.92 Untrust-vwir any any any any any allow

trust-vwire trust-vwire

rule4 untrust-vwir any untrust-vwir 10.16.0.92 any any any any allow

trust-vwire trust-vwire

rule3 trust-vwire any untrust-vwir any any any any any allow

下面的命令将输出整个配置：

> show config running

设定格式输出为set：

> set cli config-output-format set

> configure

Entering configuration mode

[edit]

# edit rulebase security

[edit rulebase security]

# show

set rulebase security rules rashi from trust-vwire

set rulebase security rules rashi from untrust-vwire

set rulebase security rules rashi to trust-vwire

set rulebase security rules rashi to untrust-vwire

set rulebase security rules rashi source 10.16.0.21

set rulebase security rules rashi destination any

set rulebase security rules rashi service any

set rulebase security rules rashi application adobe-meeting-remote-control

set rulebase security rules rashi application adobe-meeting

set rulebase security rules rashi application adobe-online-office

set rulebase security rules rashi action deny

set rulebase security rules rashi source-user any

set rulebase security rules rashi option disable-server-response-inspection no

set rulebase security rules rashi negate-source no

set rulebase security rules rashi negate-destination no

set rulebase security rules rashi disabled yes

set rulebase security rules rashi log-start no

set rulebase security rules rashi log-end yes

切换为默认输出格式：

从配置模式：

# run set cli config-output-format default

[edit rulebase security]

# show

security {

rules {

rashi {

from [ trust-vwire untrust-vwire];

to [ trust-vwire untrust-vwire];

source 10.16.0.21;

destination any;

service any;

application [ adobe-meeting-remote-control adobe-meeting adobe-online-office];

action deny;

source-user any;

option {

disable-server-response-inspection no;

}

negate-source no;

negate-destination no;

disabled yes;

log-start no;

log-end yes;

profile-setting {

profiles {

file-blocking rashi_file_alert;

data-filtering rashi_dlp;

}

使用XML格式查看配置：

从配置模式：

# run set cli config-output-format xml

[edit rulebase security]

# show

<rules>

<from>

<member>trust-vwire</member>

<member>untrust-vwire</member>

</from>

<to>

<member>trust-vwire</member>

<member>untrust-vwire</member>

</to>

</source>

</destination>

</service>

<member>adobe-meeting-remote-control</member>

<member>adobe-meeting</member>

<member>adobe-online-office</member>

</application>

<source-user>

</source-user>

<disable-server-response-inspection>no</disable-server-response-inspection>

</option>

<negate-source>no</negate-source>

<negate-destination>no</negate-destination>

<log-start>no</log-start>

<log-end>yes</log-end>

<profile-setting>

<file-blocking>

<member>rashi_file_alert</member>

</file-blocking>

<data-filtering>

另外，如果你想用更短的方式在配置模式下查看和删除安全规则，你可以使用这两条命令：

查找一条规则：

show rulebase security rules <rulename>

删除一条规则：

delete rulebase security rules <rulename>

article 如何在CLI上查看、创建和删除安全策略 in 配置和实施

如何在CLI上查看、创建和删除安全策略