topic Re: CLI find security rule, known IP address in General Topics

CLI find security rule, known IP address

Wbm — Wed, 16 Oct 2013 18:14:41 GMT

I have one question to engineers Paloalto, why from CLI can't find security rules which include example IP address. What is to difficult create that function?

Why such an advanced device does not have such a simple search. Another thing lack this function in CLI is big problem because i must used GUI.

What for is CLI?

Re: CLI find security rule, known IP address

Retired Member — Wed, 16 Oct 2013 18:50:04 GMT

Hi,

you can use

test security-policy-match

to find the security rule if you know source ip.

Re: CLI find security rule, known IP address

Wbm — Fri, 18 Oct 2013 07:44:03 GMT

it doesn't work if your security rule contain field "user"
example:
user cn=net_server ,ou=paloalto,dc=paloalto.org

Re: CLI find security rule, known IP address

Retired Member — Fri, 18 Oct 2013 08:04:58 GMT

it is working in my lab

test security-policy-match source-user dc\student1 source 192.168.10.17 destination 0.0.0.0 protocol 1

testrule {

from any;

source 192.168.10.17;

source-region none;

to any;

destination any;

destination-region none;

user dc\student1;

category any;

application/service [ youtube-base/any/any/any youtube-safety-m/any/any/

any youtube-uploadin/any/any/any youtube-posting/any/any/any ];

action deny;

terminal no;

}

Re: CLI find security rule, known IP address

Wbm — Fri, 18 Oct 2013 08:20:01 GMT

Yes i know it's working if use dc\nameuser.

Please use domain group Active Directory

example:

user cn=net_server ,ou=paloalto,dc=paloalto.org

Re: CLI find security rule, known IP address

Retired Member — Fri, 18 Oct 2013 08:24:53 GMT

domain group ?

there is no option for group with that command

Re: CLI find security rule, known IP address

Retired Member — Fri, 18 Oct 2013 08:27:15 GMT

let me try with group

Re: CLI find security rule, known IP address

Retired Member — Fri, 18 Oct 2013 08:40:32 GMT

seems group is not supported.

but maybe there is a way with writing in another format but I don't know that.

Re: CLI find security rule, known IP address

Wbm — Fri, 18 Oct 2013 09:08:42 GMT

I have about 400 rules which use domain group. domaing group match to security rules.

Example

RED {
        from zone-lan;
        source any;
        source-region none;
        to zone-dmz ;
        destination 192.168.83.105;
        destination-region none;
        user cn=red,ou=paloalto,dc=paloalto.org;
        category any;
        application/service any/tcp/any/3000;
        action allow;
        terminal yes;

It work's.

Re: CLI find security rule, known IP address

_slv_ — Fri, 18 Oct 2013 09:14:34 GMT

I have different way to get the rule, this not answer your question directly - but maybe will be helpfull.

from CLI:

show session all filter source 192.168.1.35

or if you know aplication:

show session all filter application ssh source 192.168.1.35

and next:

show session id XXXXX

you will see in "rule" parametr name of security policy what are you looking for.

regards

Slawek

Re: CLI find security rule, known IP address

Retired Member — Fri, 18 Oct 2013 09:16:40 GMT

it gave error with 2 different typing option

Server error : Error: Unknown source-user: 'dc\112'

Server error : Error: Unknown source-user: 'cn=112,cn=users,DN=dc,DC=palo,DC=edu'

There is a rule written for group 112.but it did not work.

Re: CLI find security rule, known IP address

Wbm — Fri, 18 Oct 2013 12:09:17 GMT

Thank you

But you know it is workaround because rule exist in configuration but it is not now used. I see nothing.