Overview
This article describes how to view, create and delete security policies from the CLI (command-line interface).
Details
Create a new security policy from the CLI:
> configure (press Enter)
# set rulebase security rules <name> from <source zone> to <destination zone> destination <ip> application <application> service <any/application-default/service name> action <allow/deny> (press Enter)
# exit
Example:
# set rulebase security rules Generic-Security from Outside-L3 to Inside-L3 destination 63.63.63.63 application web-browsing service application-default action allow (press Enter)
Note: for input help with any CLI command, use "?" or [tab] to list the available options.
View the Palo Alto Networks security policy from the CLI:
> show running security-policy
Rule From Source To Dest. User Proto Port Range Application Action
---------- ------------ ------------- ------------ --------------- ------------------- ----- ---------- ------------ ------
Doms DLP untrust-vwir 10.16.0.92 Untrust-vwir any any any any any allow
trust-vwire trust-vwire
rule4 untrust-vwir any untrust-vwir 10.16.0.92 any any any any allow
trust-vwire trust-vwire
rule3 trust-vwire any untrust-vwir any any any any any allow
The following command prints the entire running configuration:
> show config running
Set the configuration output format to set:
> set cli config-output-format set
> configure
Entering configuration mode
[edit]
# edit rulebase security
[edit rulebase security]
# show
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi from untrust-vwire
set rulebase security rules rashi to trust-vwire
set rulebase security rules rashi to untrust-vwire
set rulebase security rules rashi source 10.16.0.21
set rulebase security rules rashi destination any
set rulebase security rules rashi service any
set rulebase security rules rashi application adobe-meeting-remote-control
set rulebase security rules rashi application adobe-meeting
set rulebase security rules rashi application adobe-online-office
set rulebase security rules rashi action deny
set rulebase security rules rashi source-user any
set rulebase security rules rashi option disable-server-response-inspection no
set rulebase security rules rashi negate-source no
set rulebase security rules rashi negate-destination no
set rulebase security rules rashi disabled yes
set rulebase security rules rashi log-start no
set rulebase security rules rashi log-end yes
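The set-format output above is one attribute per line, which makes it easy to review offline. As an added example (not part of the original article and not Palo Alto Networks code), the following Python script groups such lines into one record per rule and flags settings a reviewer would want to look at; the sample lines are constructed for this example, and the second rule (rule3) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the "set" output format shown above; not a real device dump.
SAMPLE_SET_OUTPUT = """\
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi from untrust-vwire
set rulebase security rules rashi to trust-vwire
set rulebase security rules rashi source 10.16.0.21
set rulebase security rules rashi destination any
set rulebase security rules rashi service any
set rulebase security rules rashi application adobe-meeting
set rulebase security rules rashi action deny
set rulebase security rules rashi disabled yes
set rulebase security rules rashi log-end yes
set rulebase security rules rule3 from trust-vwire
set rulebase security rules rule3 to untrust-vwire
set rulebase security rules rule3 source any
set rulebase security rules rule3 destination any
set rulebase security rules rule3 service any
set rulebase security rules rule3 application any
set rulebase security rules rule3 action allow
set rulebase security rules rule3 log-end no
"""

# One "set rulebase security rules <name> <attribute> <value>" line per match.
LINE_RE = re.compile(r"^set rulebase security rules (\S+) (\S+)(?: (.+))?$")


def parse_set_rules(text):
    """Group set-format lines into {rule name: {attribute: [values]}}.
    Repeated attributes (from, to, application, ...) accumulate into lists."""
    rules = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, attr, value = m.groups()
            rules[name][attr].append(value)
    return {name: dict(attrs) for name, attrs in rules.items()}


def audit_rules(rules):
    """Return {rule name: [findings]} for settings worth a second look."""
    findings = {}
    for name, attrs in rules.items():
        notes = []
        if (attrs.get("action") == ["allow"] and attrs.get("application") == ["any"]
                and attrs.get("service") == ["any"]):
            notes.append("allow rule with application any and service any")
        if attrs.get("log-end") != ["yes"]:
            notes.append("session end not logged")
        if attrs.get("disabled") == ["yes"]:
            notes.append("rule is disabled")
        if notes:
            findings[name] = notes
    return findings
```

Run `audit_rules(parse_set_rules(SAMPLE_SET_OUTPUT))` on the saved output of `# show` to get the findings per rule.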
Switch back to the default output format:
From configuration mode:
# run set cli config-output-format default
[edit rulebase security]
# show
security {
rules {
rashi {
from [ trust-vwire untrust-vwire];
to [ trust-vwire untrust-vwire];
source 10.16.0.21;
destination any;
service any;
application [ adobe-meeting-remote-control adobe-meeting adobe-online-office];
action deny;
source-user any;
option {
disable-server-response-inspection no;
}
negate-source no;
negate-destination no;
disabled yes;
log-start no;
log-end yes;
profile-setting {
profiles {
file-blocking rashi_file_alert;
data-filtering rashi_dlp;
}
View the configuration in XML format:
From configuration mode:
# run set cli config-output-format xml
[edit rulebase security]
# show
<response status="success" code="19">
<result total-count="1" count="1">
<security>
<rules>
<entry name="rashi">
<from>
<member>trust-vwire</member>
<member>untrust-vwire</member>
</from>
<to>
<member>trust-vwire</member>
<member>untrust-vwire</member>
</to>
<source>
<member>10.16.0.21</member>
</source>
<destination>
<member>any</member>
</destination>
<service>
<member>any</member>
</service>
<application>
<member>adobe-meeting-remote-control</member>
<member>adobe-meeting</member>
<member>adobe-online-office</member>
</application>
<action>deny</action>
<source-user>
<member>any</member>
</source-user>
<option>
<disable-server-response-inspection>no</disable-server-response-inspection>
</option>
<negate-source>no</negate-source>
<negate-destination>no</negate-destination>
<disabled>yes</disabled>
<log-start>no</log-start>
<log-end>yes</log-end>
<profile-setting>
<profiles>
<file-blocking>
<member>rashi_file_alert</member>
</file-blocking>
<data-filtering>
Alternatively, to view and delete a security rule with shorter commands in configuration mode, use these two commands:
Find a rule:
show rulebase security rules <rulename>
Delete a rule:
delete rulebase security rules <rulename>