如何在CLI上查看、创建和删除安全策略

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L2 Linker
Did you find this article helpful? Yes No
No ratings

概述

本文介绍了如何在CLI(命令行界面)中查看、创建和删除安全策略。

 

详细介绍

从CLI创建一个新的安全策略:

> configure (按回车键)

# set rulebase security rules <name> from <source zone> to <destination zone> destination <ip> application <application> service <any/application-default/service name> action <allow/deny> (按回车键)

# exit

 

例子:

# set rulebase security rules Generic-Security from Outside-L3 to Inside-L3 destination 63.63.63.63 application web-browsing service application-default action allow (按回车键)

注意:对于所有CLI命令的输入帮助,使用"?"或[tab]来获得可用命令的列表。

 

从CLI查看Palo Alto Networks安全策略:

> show running security-policy

 

Rule       From         Source        To           Dest.           User                Proto Port Range Application  Action

---------- ------------ ------------- ------------ --------------- ------------------- ----- ---------- ------------ ------

Doms DLP   untrust-vwir 10.16.0.92    Untrust-vwir any             any                 any   any        any          allow

           trust-vwire                trust-vwire

 

rule4      untrust-vwir any          untrust-vwir  10.16.0.92      any                 any   any        any          allow

           trust-vwire                trust-vwire

 

rule3      trust-vwire  any          untrust-vwir  any             any                 any   any        any          allow

 

 

下面的命令将输出整个配置:

> show config running

 

设定格式输出为set:

> set cli config-output-format set

 

> configure

Entering configuration mode

[edit]

 

# edit rulebase security

[edit rulebase security]

 

# show

set rulebase security rules rashi from trust-vwire

set rulebase security rules rashi from untrust-vwire

set rulebase security rules rashi to trust-vwire

set rulebase security rules rashi to untrust-vwire

set rulebase security rules rashi source 10.16.0.21

set rulebase security rules rashi destination any

set rulebase security rules rashi service any

set rulebase security rules rashi application adobe-meeting-remote-control

set rulebase security rules rashi application adobe-meeting

set rulebase security rules rashi application adobe-online-office

set rulebase security rules rashi action deny

set rulebase security rules rashi source-user any

set rulebase security rules rashi option disable-server-response-inspection no

set rulebase security rules rashi negate-source no

set rulebase security rules rashi negate-destination no

set rulebase security rules rashi disabled yes

set rulebase security rules rashi log-start no

set rulebase security rules rashi log-end yes

 

切换为默认输出格式:

从配置模式:

# run set cli config-output-format default

 

[edit rulebase security]

# show

security {

  rules {

    rashi {

      from [ trust-vwire untrust-vwire];

      to [ trust-vwire untrust-vwire];

      source 10.16.0.21;

      destination any;

      service any;

      application [ adobe-meeting-remote-control adobe-meeting adobe-online-office];

      action deny;

      source-user any;

      option {

        disable-server-response-inspection no;

      }

      negate-source no;

      negate-destination no;

      disabled yes;

      log-start no;

      log-end yes;

      profile-setting {

        profiles {

          file-blocking rashi_file_alert;

          data-filtering rashi_dlp;

        }

 

使用XML格式查看配置:

从配置模式:

# run set cli config-output-format xml

 

[edit rulebase security]

# show

<response status="success" code="19">

  <result total-count="1" count="1">

    <security>

      <rules>

        <entry name="rashi">

          <from>

            <member>trust-vwire</member>

            <member>untrust-vwire</member>

          </from>

          <to>

            <member>trust-vwire</member>

            <member>untrust-vwire</member>

          </to>

          <source>

            <member>10.16.0.21</member>

          </source>

          <destination>

            <member>any</member>

          </destination>

          <service>

            <member>any</member>

          </service>

          <application>

            <member>adobe-meeting-remote-control</member>

            <member>adobe-meeting</member>

            <member>adobe-online-office</member>

          </application>

          <action>deny</action>

          <source-user>

            <member>any</member>

          </source-user>

          <option>

            <disable-server-response-inspection>no</disable-server-response-inspection>

          </option>

          <negate-source>no</negate-source>

          <negate-destination>no</negate-destination>

          <disabled>yes</disabled>

          <log-start>no</log-start>

          <log-end>yes</log-end>

          <profile-setting>

            <profiles>

              <file-blocking>

                <member>rashi_file_alert</member>

              </file-blocking>

              <data-filtering>

 

另外,如果你想用更短的方式在配置模式下查看和删除安全规则,你可以使用这两条命令:

查找一条规则:

show rulebase security rules <rulename>

 

删除一条规则:

delete rulebase security rules <rulename>

Rate this article:
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last update:
‎01-12-2023 12:52 AM
Updated by: