topic Re: List all deny rules from cli in General Topics

List all deny rules from cli

jls3j999 — Sun, 01 Nov 2020 17:43:31 GMT

I have to list all deny rules (from cli)

The following command "show running security-policy | match index " list all security rules by name

For example:

"AllowBrach1IN; index: 1" {

....etc

What I want is:

- deny INBOUND traffic rules only but regarding entire subnets (those having CIDR as their destination ...like 192.168.1.0/24..etc)

Is there any way to filter out that type of information?

Thanks,

Re: List all deny rules from cli

reaper — Sun, 01 Nov 2020 21:44:56 GMT

Give this a shot:

reaper@PANgurus> set cli config-output-format set reaper@PANgurus> configure Entering configuration mode [edit] reaper@PANgurus# show rulebase security | match drop

Re: List all deny rules from cli

jls3j999 — Mon, 02 Nov 2020 11:44:24 GMT

thanks a lot but it seems to me that show rulebase command is missing

here's the putput I get if I type show

> admins Show active administrators
> api-key-expiration-ts Shows the time before which any API keys would be invalid
> arp Show ARP information
> auth auth state variables
> authentication Show authentication related information
> chassis Chassis state and information
> chassis-ready Show whether dataplane has a running policy
> cli Show CLI properties
> clock Show system date and time
> commit-locks Show list of commit locks
> config Show configuration
> config-locks Show list of config locks
> counter Show system counter information
> device-certificate Show device certificate
> dhcp Show DHCP data
> dns-proxy Show DNS Proxy information
> dos-block-table Show hardware ACL or Block-ip table
> dos-protection Show DoS protection related information
> global-protect Show settings for GlobalProtect
> global-protect-gateway Show GlobalProtect gateway run-time objects
> global-protect-mdm Show settings for GlobalProtect MDM
> global-protect-portal Show gloabl protect poral user session info
--more--
> global-protect-satellite Show GlobalProtect satellite run-time objects
> gtp Show GTP information
> high-availability Show high-availability information
> hsm Show HSM information
> interface Show interface information
> jobs Show management server jobs
> lacp Show LACP state
> license-token-files Show license token files for manual license deactivation
> lldp Show LLDP state
> location Show geographic location
> log Show logs related information
> log-collector Show log-collector information
> logging-status Show logging status and info
> mac Show MAC address information
> management-clients Show internal management server clients
> max-num-images Show maximum number of software or content images
> neighbor Show IPv6 neighbor information
> netstat Print network connections and statistics
> ntp Show NTP synchronization state
> object Show IP address object
> obsolete-disabled-ssl-exclusions Show disabled predefined ssl-decrypt exclusions not present in the installed content
> operational-mode Show device operational mode setting
> oss-license show license for open source packages
--more--
> panorama-certificates Show panorama certificate list
> panorama-status Show panorama connection status
> parent-info show parent info
> pbf Show policy-based-forwarding run-time information
> plugins Request information of plugins
> pppoe Show pppoe statistics
> predefined Show predefined config
> qos Show QoS run-time information
> query Show query jobs
> report Show report jobs
> resource Show resource limits information
> routing Show routing run-time objects
> rule-hit-count Show policy rule hit-count information
> running Show running operational parameters
> sctp Show SCTP information
> session Show session information
> sp-metadata sp-metadata
> ssh-fingerprints Show management ssh public key fingerprints
> ssl-conn-on-cert Show setting for ssl fail connection on cert
> sslmgr-store Show sslmgr dynamic configuration
> statistics Show device statistics
> syslogng-ssl-conn-validation Show syslog-ng ssl connection validation settings
> system Show system state and information
--more--
> threat Show Threat id descriptions
> url-cloud Show URL cloud info
> user Show user identification information
> virtual-wire Show virtual-wire information
> vlan Show vlan information
> vm-monitor Show VM monitoring information
> vpn Show IKE/IPSec VPN run-time objects
> wildfire Show wildfire information
> zone-protection Show zone protection runtime statistics

Re: List all deny rules from cli

aleksandar.astardzhiev — Mon, 02 Nov 2020 13:45:54 GMT

Hi @jls3j999 ,

"show rulebase security" is command in configuration mode, while you are still in user mode.

If you look again the instructions from @reaper you will see that before executing the "show" command you need to enter configuration mode by typing "configure"

Re: List all deny rules from cli

reaper — Mon, 02 Nov 2020 14:05:32 GMT

@jls3j999 please follow all the steps, else it won't work 😉

Change the cli output mode to set commands

Go into configure mode

Run the show command

Re: List all deny rules from cli

jls3j999 — Mon, 02 Nov 2020 17:03:45 GMT

thanks for your reply

this is what I get

superuser@point-1(active-primary)> configure
Entering configuration mode
[edit]
superuser@point-1(active-primary)# show
deviceconfig deviceconfig
mgt-config mgt-config
network network configuration
predefined predefined
shared shared
template template
vsys vsys
| Pipe through a command
<Enter> Finish input

Since I'm a bit scared, the command you suggested does that make any changes? I suppose not

I mean "show rulebase security | match drop" sorry for being a dummy

Re: List all deny rules from cli

jls3j999 — Tue, 10 Nov 2020 12:03:00 GMT

can anyone help me?

I mean are there any side-effects while entering the configuration mode?

My purpose is to list all deny rules only (no changes should be made)

thanks

Re: List all deny rules from cli

jls3j999 — Tue, 10 Nov 2020 17:13:27 GMT

After doing what you said

this is the output:

admin_user@FW-1(active-primary)> set cli config-output-format set
admin_user@FW-1(active-primary)> configure
Entering configuration mode
[edit]
admin_user@FW-1(active-primary)# show
deviceconfig deviceconfig
mgt-config mgt-config
network network configuration
predefined predefined
shared shared
template template
vsys vsys
| Pipe through a command
<Enter> Finish input

admin_user@FW-1(active-primary)# show rulebase security |match drop

Invalid syntax.
[edit]
admin_user@FW-1(active-primary)#

can anyone help me?

Re: List all deny rules from cli

reaper — Tue, 10 Nov 2020 17:17:38 GMT

There appears to be a space missing between the pipe and 'match' ( |match should be | match)

The show command in configure mode does not make any changes at all so is safe to use

Re: List all deny rules from cli

rmfalconer — Tue, 10 Nov 2020 17:59:08 GMT

It also looks like you have multiple vsys on that system. If you want to use the entire show command as written, you have to specify the vsys.

show vsys vsysX rulebase security | match drop

Or you could just do show | match drop. This will expand the output but might give results that aren't relevant to what you're looking for.

Re: List all deny rules from cli

jls3j999 — Tue, 10 Nov 2020 18:27:13 GMT

@rmfalconer thanks this command works fine:

show vsys vsys1 rulebase security | match deny

example output:

set vsys vsys1 rulebase security rules FTP-INBOUND-DENY action deny

....

But I expected to get network details as well such as:

192.168.0.10/24 or whatever related to every rule whose action is equal to deny

Re: List all deny rules from cli

rmfalconer — Tue, 10 Nov 2020 19:06:09 GMT

Using the match command will only output the line where that word specifically appears. If you want detail on each policy, you'll need to match on the policy name.

show vsys vsys1 rulebase security | match FTP-INBOUND-DENY

Is there a specific reason you want to use CLI? There's a filter and export function in the GUI that might work for you. You can filter on the action and then export the table to csv or pdf.

Re: List all deny rules from cli

jls3j999 — Sun, 15 Nov 2020 22:40:03 GMT

Your suggestion sounds good but my purpose is to get details about the subnets involved

So as well as the list of all DENY rules whose action is actually "deny" I'd like to get further details on the network segment

For instance, with reference to the rule called FTP-INBOUND-DENY, it would be great if I could see something like:

FTP-INBOUND-DENY 192.168.1.0/24

Through cli it would be better I believe

Re: List all deny rules from cli

rmfalconer — Mon, 16 Nov 2020 16:27:39 GMT

I think using the GUI would be easier in this case. Filer the security policies with (action eq 'deny') or (action eq 'drop') [or whatever action you want to filter on] and export to CSV.

It shows rule name, src/dst addresses, zones, plus other info. At that point, you can just hide any columns you don't want and you'll have what you're looking for.

Re: List all deny rules from cli

reaper — Mon, 16 Nov 2020 17:02:05 GMT

@rmfalconer wrote:
I think using the GUI would be easier in this case. Filer the security policies with (action eq 'deny') or (action eq 'drop') [or whatever action you want to filter on] and export to CSV.
It shows rule name, src/dst addresses, zones, plus other info. At that point, you can just hide any columns you don't want and you'll have what you're looking for.

In this case the best filter is probably (action neq 'allow') 🙂