https://live.paloaltonetworks.com/t5/general-topics/security-rule-says-disabled-no-for-an-enabled-policy/m-p/580151#M116221 <P>Below is the config for policy in question. Only difference is 1 firewall has addtional last line.</P> <P>Policy is enabled on both the firewalls.</P> <P>&nbsp;</P> <P>set rulebase security rules "rule_name" profile-setting group group_name<BR />set rulebase security rules "rule_name" to outside<BR />set rulebase security rules "rule_name" from inside<BR />set rulebase security rules "rule_name" source source_name<BR />set rulebase security rules "rule_name" destination [ urls ]<BR />set rulebase security rules "rule_name" source-user any<BR />set rulebase security rules "rule_name" category any<BR />set rulebase security rules "rule_name" application any<BR />set rulebase security rules "rule_name" service [ https "tcp-8686" ]<BR />set rulebase security rules "rule_name" source-hip any<BR />set rulebase security rules "rule_name" destination-hip any<BR />set rulebase security rules "rule_name" action allow<BR />set rulebase security rules "rule_name" description *****<BR />set rulebase security rules "rule_name" log-setting panorama<BR />set rulebase security rules "rule_name" disabled no</P> Wed, 13 Mar 2024 05:33:19 GMT inderjit21 2024-03-13T05:33:19Z https://live.paloaltonetworks.com/t5/general-topics/security-rule-says-disabled-no-for-an-enabled-policy/m-p/580144#M116218 <P>I have 2 firewalls with identical config running same PANOS. The policy in question is enabled on both the firewalls.</P> <P>But one firewall has an extra line in cli( which is picked in daily diff)</P> <P>set rulebase security rules "rule name" disabled no - So it is saying policy is not disabled but enabled.</P> <P>Why is it showing only for 1 enabled policy and not for all other enabled policies or on 2nd firewall with identical config.</P> Wed, 13 Mar 2024 01:35:35 GMT https://live.paloaltonetworks.com/t5/general-topics/security-rule-says-disabled-no-for-an-enabled-policy/m-p/580144#M116218 inderjit21 2024-03-13T01:35:35Z https://live.paloaltonetworks.com/t5/general-topics/security-rule-says-disabled-no-for-an-enabled-policy/m-p/580149#M116219 <P>HI&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27715">@inderjit21</a>&nbsp;,</P> <P>&nbsp;</P> <P>Can you share a snippet of both CLI outputs?</P> Wed, 13 Mar 2024 05:19:52 GMT https://live.paloaltonetworks.com/t5/general-topics/security-rule-says-disabled-no-for-an-enabled-policy/m-p/580149#M116219 JayGolf 2024-03-13T05:19:52Z https://live.paloaltonetworks.com/t5/general-topics/security-rule-says-disabled-no-for-an-enabled-policy/m-p/580151#M116221 <P>Below is the config for policy in question. Only difference is 1 firewall has addtional last line.</P> <P>Policy is enabled on both the firewalls.</P> <P>&nbsp;</P> <P>set rulebase security rules "rule_name" profile-setting group group_name<BR />set rulebase security rules "rule_name" to outside<BR />set rulebase security rules "rule_name" from inside<BR />set rulebase security rules "rule_name" source source_name<BR />set rulebase security rules "rule_name" destination [ urls ]<BR />set rulebase security rules "rule_name" source-user any<BR />set rulebase security rules "rule_name" category any<BR />set rulebase security rules "rule_name" application any<BR />set rulebase security rules "rule_name" service [ https "tcp-8686" ]<BR />set rulebase security rules "rule_name" source-hip any<BR />set rulebase security rules "rule_name" destination-hip any<BR />set rulebase security rules "rule_name" action allow<BR />set rulebase security rules "rule_name" description *****<BR />set rulebase security rules "rule_name" log-setting panorama<BR />set rulebase security rules "rule_name" disabled no</P> Wed, 13 Mar 2024 05:33:19 GMT https://live.paloaltonetworks.com/t5/general-topics/security-rule-says-disabled-no-for-an-enabled-policy/m-p/580151#M116221 inderjit21 2024-03-13T05:33:19Z https://live.paloaltonetworks.com/t5/general-topics/security-rule-says-disabled-no-for-an-enabled-policy/m-p/580163#M116222 <P>Hello</P> <P>&nbsp;</P> <P>The value of "disabled" is set to "no" as a default value. You will only see the "disabled" keyword if you had disabled the rule (where the key-value pair "disabled" - "yes" was added). Re-enabling the rule changes the value to "no" (instead of removing the line).</P> Wed, 13 Mar 2024 07:41:52 GMT https://live.paloaltonetworks.com/t5/general-topics/security-rule-says-disabled-no-for-an-enabled-policy/m-p/580163#M116222 JoergSchuetter 2024-03-13T07:41:52Z https://live.paloaltonetworks.com/t5/general-topics/security-rule-says-disabled-no-for-an-enabled-policy/m-p/580214#M116230 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27715">@inderjit21</a>,</P> <P>Just to add on to the correct answer&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83320">@JoergSchuetter</a>&nbsp;already gave, you&nbsp;<EM>can&nbsp;</EM>safely remove it completely if it bugs you to have that difference between the two units. As mentioned, if not present in the configuration that is the default assumed value.&nbsp;</P> Wed, 13 Mar 2024 13:06:53 GMT https://live.paloaltonetworks.com/t5/general-topics/security-rule-says-disabled-no-for-an-enabled-policy/m-p/580214#M116230 BPry 2024-03-13T13:06:53Z