topic Re: New to Palo Alto - Append Policy Question in General Topics

New to Palo Alto - Append Policy Question

wsteadman — Thu, 27 Feb 2014 16:30:45 GMT

Good day all,

I am new to Palo Alto so this question might actually seem rather trivial.

Most of my peers configure from the GUI and are not very familiar with the Command line. I am more comfortable with the command line so I am trying to do configurations that way.

If I want to add a source entity to an existing rulebase security rule do I just recreate the rule with the appended information and then when I commit, it will overwrite the existing rule?

For example

when I do a show rulebase security rules existing_policy

I get the following output:

"existing_policy" {

from dmz;

to trust;

source [ serverA serverB serverC ];

destination any;

source-user any;

application any;

service any;

hip-profiles any;

log-start no;

log-end yes;

negate-source no;

negate-destination no;

action allow;

}

If I wanted to add ServerD to the source would I do the following (I don't have a test box to test the commands that is why I am coming here):

set rulebase security rules existing_policy from dmz to trust source [ serverA serverB serverC ServerD ] destination any action allow

Any assistance would be appreciated.

Thanks

Wally

Re: New to Palo Alto - Append Policy Question

HULK — Thu, 27 Feb 2014 17:48:52 GMT

Hello Sir,

if youapply # set rulebase security rules existing_policy from dmz to trust source server-D destination any action allow >>>>>>> it will only add with the existing rule [ serverA serverB serverC ServerD ],

For example:

admin@DADA# show rulebase security rules LAN-ISP

LAN-ISP {

option {

disable-server-response-inspection no;

}

from Trust-LAN;

to Untrust-ISP;

source any; >>>>>>>>>>>>>>>>>>> before the change

destination any;

source-user any;

category any;

application any;

service any;

hip-profiles any;

action allow;

log-start no;

log-end yes;

negate-source no;

negate-destination no;

log-setting SYSLOG-ALL;

# set rulebase security rules LAN-ISP from Trust-LAN to Untrust-ISP source 1.1.1.1/32 destination any action allow

admin@DADA# show rulebase security rules LAN-ISP LAN-ISP {

option {

disable-server-response-inspection no;

}

from Trust-LAN;

to Untrust-ISP;

source [ any 1.1.1.1/32]; >>>>>>>>>>>>>>>>>>> added here

destination any;

source-user any;

category any;

application any;

service any;

hip-profiles any;

action allow;

log-start no;

log-end yes;

negate-source no;

negate-destination no;

log-setting SYSLOG-ALL;

}

Thanks

Re: New to Palo Alto - Append Policy Question

wsteadman — Thu, 27 Feb 2014 18:00:58 GMT

Thanks so much for your reply. So what I should have put in my initial post was that I am actually just adding a destination. So from the code below the destination is to two objects, but I want to add a third, so can I simply say

set rulebase security rules "to NG Sites" destination location3

Will that add the location3 to the destination and leave the current destinations there as well? I don't want to remove any of the current destinations or configurations so want to make sure my syntax is correct. Sorry for my earlier post, I thought I was just showing a general example but should have been more specific.

"to NG Sites" {

option {

disable-server-response-inspection no;

}

from [ DMZ1 DMZ2];

to [ Internal];

source any;

destination [ location1 location2];

source-user any;

application [ dns http-audio soap ssl web-browsing];

service application-default;

hip-profiles any;

log-start no;

log-end yes;

negate-source no;

negate-destination no;

action allow;

}

Re: New to Palo Alto - Append Policy Question

HULK — Thu, 27 Feb 2014 18:55:59 GMT

Hello Sir,

You are correct, if you apply CLI command # set rulebase security rules "to NG Sites" destination location3 >>>>>>>>>> This will add the location3 to the destination and leave the current destinations there as well. Please find below example from my test PA firewall:

admin@DADA# show rulebase security rules LAN-ISP

LAN-ISP {

option {

disable-server-response-inspection no;

}

from Trust-LAN; >>>>>>>>>>>>>>>>>>>

to Untrust-ISP; >>>>>>>>>>>>>>>>>>>>

source [ any 1.1.1.1/32];

destination any;

source-user any;

category any;

application any;

service any;

hip-profiles any;

action allow;

log-start no;

log-end yes;

negate-source no;

negate-destination no;

log-setting SYSLOG-ALL;

}

admin@DADA# set rulebase security rules LAN-ISP from trust to untrust >>>>>>>>>>>>>>>>>> Adding new source and destination zone

[edit]

admin@DADA# show rulebase security rules LAN-ISP

LAN-ISP {

option {

disable-server-response-inspection no;

}

from [ Trust-LAN trust]; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Added with the existing zone

to [ Untrust-ISP untrust]; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

source [ any 1.1.1.1/32];

destination any;

source-user any;

category any;

application any;

service any;

hip-profiles any;

action allow;

log-start no;

log-end yes;

negate-source no;

negate-destination no;

log-setting SYSLOG-ALL;

}

[edit]

admin@DADA#

I hope this helps.

Thanks