topic Security Rules using CLI in General Topics

Security Rules using CLI

Wbm — Tue, 28 May 2013 18:40:59 GMT

Hello

I have 400 security rules, how can i find security rule using CLI?

I know only IP address.

Re: Security Rules using CLI

gswcowboy — Tue, 28 May 2013 19:14:31 GMT

it'll be difficult in cli as the grep lookup will skip the rule name as it scours for the value (ip address) as shown below.

admin@PA-200> show running security-policy

"test group" {

from L3_Trust;

source any;

source-region none;

to L3_Untrust;

destination any;

destination-region none;

user any;

category any;

application/service any/any/any/any;

action allow;

terminal yes;

}

no_custom_cat {

from L3_Trust;

source any;

source-region none;

to L3_Untrust;

destination 130.199.4.27;

destination-region none;

user any;

category any;

application/service any/tcp/any/21;

action allow;

terminal yes;

}

"iPad Mini" {

from L3_Trust;

source 172.16.20.211;

source-region none;

to L3_Untrust;

destination any;

destination-region none;

user any;

category bnl;

/196 <==== On the CLI, I've pressed the '/196' keys to search for that IP octet.

I'm then provided the first hit w/ the output below.

...skipping...

source 196.165.14.2;

source-region none;

to L3_Untrust;

destination any;

destination-region none;

user any;

category bnl;

application/service any/any/any/any;

action allow;

terminal yes;

You could, however, output the running security policy command to a text file and perform a ctrl+f as a recourse in looking up one of your 400 security rules.

Re: Security Rules using CLI

mbutt — Tue, 28 May 2013 21:46:06 GMT

Hi ,

Also if you have GUI access you can just type in the ip address and it will bring up all the rules matching that ip address.

For example:

Hope this helps.

Thank you

Re: Security Rules using CLI

gil_arevalo — Tue, 04 Jun 2013 17:45:39 GMT

you could change the output of the show commands in config mode, it might help you narrow it down easier:

admin@PA-200>set cli config-output-format set

admin@PA-200>configure

admin@PA-200#show rulebase security rules

Re: Security Rules using CLI

Retired Member — Wed, 26 Jun 2013 14:15:26 GMT

Best way you can use

test security-policy-match

this will give you the rule output directly.

Re: Security Rules using CLI

Unibw — Tue, 27 Aug 2013 18:58:51 GMT

Why is the search of the GUI not implemented in CLI? Comming from an other Firewall-Implementation the filtering of the rulebase is the on thing I miss most.

Best would be an operational Command like

> show security rules from untrust to trust dst-ip 10.10.10.10

But also the filtering syntax of the gui-search is acceptable.

Re: Security Rules using CLI

Unibw — Thu, 29 Aug 2013 09:27:34 GMT

I am still thinking about this problem. JunOS has the same problem out of the box, but for JunOS I found the possibility to use so called op-scripts. Here the link to the example usable for JunOS

policy-test - Juniper Networks

Now my Idea would be to use the PanOS-API to do something similar, but I don't know whether it is possible to use the API from the CLI interface? Does anybody know?

Thanks

Winfried

Re: Security Rules using CLI

Wbm — Wed, 02 Oct 2013 15:18:14 GMT

Thank you for answer

I tested you cannot find IP address example:

1. test security-policy-match - Does Not work if your policy rule have source-user, can't find policy which ip is used.

2. admin@PA-200>set cli config-output-format set - It is almost OK if you can use | match IP_ADDRESS

3. GUI and txt file no comments

I have two solution:

- juniper:

root@router# show interfaces | display set | match 47
set interfaces ge-0/0/47 ether-options 802.3ad ae0
set interfaces ge-1/0/47 ether-options 802.3ad ae0

- If i can used pipe ( | ) in exe mode

Re: Security Rules using CLI

Wbm — Thu, 05 Feb 2015 09:54:07 GMT

Correct answer is

show running security-policy | match {\|destination{\|10.3.83.13

Re: Security Rules using CLI

suba_muthuram — Thu, 21 Dec 2023 11:46:11 GMT

Hi @Wbm ,

Could you please help what is {\|destination{\|10.3.83.13

Re: Security Rules using CLI

Adrian_Jensen — Tue, 26 Dec 2023 22:32:48 GMT

@suba_muthuram

It is a PaloAlto-style regular expression (regex) for filtering output from the "match" command on the CLI. Specifically, the CLI "show running security-policy" command will show all the Security Policies on the PaloAlto. The output of that is piped the to "match" command with the regex filter "{\|destination{\|10.3.83.13". This will match any line on the show command output that matches "{" or "destination{" or "10.3.83.13".

The pipe "|" is the also the OR operator in the regex, so it must be escaped with a "\|" to be interpreted as an OR in the CLI, instead of being a pipe to another command. The filter is also a bit weird as the "{" is half of another regex "{nn}" which will match nn number of characters... but apparently since the opening "{" bracket is not immediately followed by a number and closing "}" bracket, I guess it doesn't get interpreted as a regex. Note that I also think the "destination{" is wrong in this example as it would match "destination" explicitly followed by a "{" which doesn't exist in the show command output. (Perhaps it did in an earlier version of PANOS? This thread is 10 years old at this point.)

Because the "show" command outputs the Security Policies as multiple lines for the same policy and "match" only matches single lines, the given filter is kind of a hack to find all policies which might match the terms. It doesn't show just the policy with all the matching terms. So if you run a "show running security-policy" command you get an output with the entire policy set:

admin@PA(active)> show running security-policy "Allow Trust to DMZ; index: 1" { from Trust; source [ 10.10.0.0/24 192.168.0.0/24]; to DMZ; destination 192.0.2.0/24; application/service 0:any/any/any/any; action allow; } "Allow DMZ to Trust; index: 2" { from DMZ; source 192.0.2.0/24; to Trust; destination 10.10.0.0/24; application/service 0:any/any/any/any; action allow; } "Allow Internet to MailServer; index: 3" { from External; source any; to Trust; destination 192.168.0.25; application/service 0:any/any/any/any; action allow; } "Allow Trust to Internet; index: 4" { from Trust; source [ 10.10.0.0/24 192.168.0.0/24 ]; to External; destination any; application/service 0:any/any/any/any; action allow; }

If you wanted to find all Security Policies that might contain an internal destination or 192.168. address you could do a command like this:

admin@PA(active)> show running security-policy | match {\|destination\|192.168.0 "Allow Trust to DMZ; index: 1" { source [ 10.10.0.0/24 192.168.0.0/24]; destination 192.0.2.0/24; "Allow DMZ to Trust; index: 2" { destination 10.10.0.0/24; "Allow Internet to MailServer; index: 3" { destination 192.168.0.25; "Allow Trust to Internet; index: 4" { source [ 10.10.0.0/24 192.168.0.0/24 ]; destination any;

The above is a poor example for the above stated reasons. Going back to @Wbm's reply, I would guess it should have been more like this searching for a specific address in the Security Polices:

admin@PA(active)> show running security-policy | match {\|192.168.0.25 "Allow Trust to DMZ; index: 1" { "Allow DMZ to Trust; index: 2" { "Allow Internet to MailServer; index: 3" { destination 192.168.0.25; "Allow Trust to Internet; index: 4" {

Re: Security Rules using CLI

suba_muthuram — Wed, 27 Dec 2023 16:24:59 GMT

Thanks for the clarification.