topic Re: Howto validate security policies for content inspection enabled ? in General Topics

Howto validate security policies for content inspection enabled ?

wimjuste — Tue, 12 Mar 2013 14:00:29 GMT

Dear all,

How would it be possible to validate the security policy rules to have all a content inspection profile enabled?

Because the "option" field does not allow to be selected as filter in the editor tab. (as this is the case for e.g. addresses or zones)

Custom reports do also not include the ability to select content profile as an attribute.

Thank you in advance,

Kind regards,

Wim

Re: Howto validate security policies for content inspection enabled ?

emr_1 — Tue, 12 Mar 2013 14:23:41 GMT

If you want to filter rules which enables anti-virus profile, named 'default',

you can use following filter

(profile-setting/profiles/virus eq 'default')

Does it help you?

Regards,

Re: Howto validate security policies for content inspection enabled ?

wimjuste — Tue, 12 Mar 2013 14:54:58 GMT

Hi emr,

Thanks for reply, your answer is helpful.

For instance, we use a predefined set of security groups (but I didn't mentioned this one in my question)

Though, your feedback is applicable for security groups as well ! 🙂

(profile-setting/group eq 'my-group-reference')

I thought to be smart and use the "NEQ" operator in order to find out all rules WITHOUT a 'my-group-reference', but then, NONE rules are displayed. (suppose is would be the same as (profile-setting/profiles/virus neq 'default')

Do you know perhaps how to inverse the (profile-setting/group eq 'my-group-reference') ?

Thanks again ...

Re: Howto validate security policies for content inspection enabled ?

emr_1 — Tue, 12 Mar 2013 15:26:24 GMT

Hi,

I see same result as you saw.

I tried 'neq', 'ne', '!=', '<>', though nothing worked.

From the output of GUI debug, I guess GUI does not have criteria for negate query.

Here is an example:

<deep-search>

<address>(from/member neq 'L3-Trust1')</address>

</deep-search>

</operations>

</request>

<response status="error" code="17"><msg><line><![CDATA[deep-search -> address Invalid input]]></line></msg></response>

Regards,

Re: Howto validate security policies for content inspection enabled ?

wimjuste — Tue, 12 Mar 2013 15:59:38 GMT

Damn too bad. A technical shortcoming.

We already asked our PAN SE to apply for a feature request in order to have all operators available through all attribute in the policy rule editor.

Nevertheless, this one might do the job:

1) filter all rules that includes a security profile group, using profile-setting/group eq 'my-group-reference'

2) Once filterd, select all rules listed.

3) Remove the selection criteria from the policy editor.

Now all rules including a security profile group are selected, which should be the majority.

Rules that do not have security group enabled (or different) are not selected.

A visual cross check will indicate the suspected rules.

I must admit that it takes some creative thinking to come to such a nasty solution ..

Kind regards,

Wim

Re: Howto validate security policies for content inspection enabled ?

jvalentine — Tue, 12 Mar 2013 22:23:53 GMT

With a little API work, it is possible to "report on the Security rulebase". I found a good starting point in the devcenter communities, and then tweaked the sed lines to fix a formatting problem. Here’s a single line that calls the API with curl, and then filters it through xmllint and sed:

curl -k 'https://10.1.1.155/esp/restapi.esp?type=config&key=KEY=&action=show&xpath=devices/entry/vsys/entry/rulebase/security' | xmllint --format --recover - | sed 's/<member>//g' | sed 's/<\/member>//g' > PAN_rules_`date "+%Y%m%d"`.xml

That makes a file called: PAN_rules_20120817.xml

The main reason to filter it through xmllint and sed is so that you can import the file directly into Excel. Excel will automatically build a nice pretty interface that you can filter with some simple point&click action:

This is an easy way to report on things like “show me all rules that might permit inbound SSH” – just select “to trust” and “application any & ssh” and go from there. The traffic log & custom reports can definitely do this for actual passed traffic, but not for dormant rules.