Configuration and Implementation
Guides on product configuration, solution implementation, and related topics
Overview

This article describes how to view, create, and delete security policies from the CLI (command-line interface).

Details

Create a new security policy from the CLI:

    > configure (press Enter)
    # set rulebase security rules <name> from <source zone> to <destination zone> destination <ip> application <application> service <any/application-default/service name> action <allow/deny> (press Enter)
    # exit

Example:

    # set rulebase security rules Generic-Security from Outside-L3 to Inside-L3 destination 63.63.63.63 application web-browsing service application-default action allow (press Enter)

Note: For input help with any CLI command, use "?" or [tab] to list the available commands.

View the Palo Alto Networks security policies from the CLI:

    > show running security-policy

    Rule       From         Source        To           Dest.           User                Proto Port Range Application  Action
    ---------- ------------ ------------- ------------ --------------- ------------------- ----- ---------- ------------ ------
    Doms DLP   untrust-vwir 10.16.0.92    Untrust-vwir any             any                 any   any        any          allow
               trust-vwire                trust-vwire
    rule4      untrust-vwir any           untrust-vwir 10.16.0.92      any                 any   any        any          allow
               trust-vwire                trust-vwire
    rule3      trust-vwire  any           untrust-vwir any             any                 any   any        any          allow

The following command outputs the entire configuration:

    > show config running

Set the output format to set:

    > set cli config-output-format set

    > configure
    Entering configuration mode
    [edit]

    # edit rulebase security
    [edit rulebase security]

    # show
    set rulebase security rules rashi from trust-vwire
    set rulebase security rules rashi from untrust-vwire
    set rulebase security rules rashi to trust-vwire
    set rulebase security rules rashi to untrust-vwire
    set rulebase security rules rashi source 10.16.0.21
    set rulebase security rules rashi destination any
    set rulebase security rules rashi service any
    set rulebase security rules rashi application adobe-meeting-remote-control
    set rulebase security rules rashi application adobe-meeting
    set rulebase security rules rashi application adobe-online-office
    set rulebase security rules rashi action deny
    set rulebase security rules rashi source-user any
    set rulebase security rules rashi option disable-server-response-inspection no
    set rulebase security rules rashi negate-source no
    set rulebase security rules rashi negate-destination no
    set rulebase security rules rashi disabled yes
    set rulebase security rules rashi log-start no
    set rulebase security rules rashi log-end yes

Switch back to the default output format, from configuration mode:

    # run set cli config-output-format default

    [edit rulebase security]
    # show
    security {
      rules {
        rashi {
          from [ trust-vwire untrust-vwire];
          to [ trust-vwire untrust-vwire];
          source 10.16.0.21;
          destination any;
          service any;
          application [ adobe-meeting-remote-control adobe-meeting adobe-online-office];
          action deny;
          source-user any;
          option {
            disable-server-response-inspection no;
          }
          negate-source no;
          negate-destination no;
          disabled yes;
          log-start no;
          log-end yes;
          profile-setting {
            profiles {
              file-blocking rashi_file_alert;
              data-filtering rashi_dlp;
            }

View the configuration in XML format, from configuration mode:

    # run set cli config-output-format xml

    [edit rulebase security]
    # show
    <response status="success" code="19">
      <result total-count="1" count="1">
        <security>
          <rules>
            <entry name="rashi">
              <from>
                <member>trust-vwire</member>
                <member>untrust-vwire</member>
              </from>
              <to>
                <member>trust-vwire</member>
                <member>untrust-vwire</member>
              </to>
              <source>
                <member>10.16.0.21</member>
              </source>
              <destination>
                <member>any</member>
              </destination>
              <service>
                <member>any</member>
              </service>
              <application>
                <member>adobe-meeting-remote-control</member>
                <member>adobe-meeting</member>
                <member>adobe-online-office</member>
              </application>
              <action>deny</action>
              <source-user>
                <member>any</member>
              </source-user>
              <option>
                <disable-server-response-inspection>no</disable-server-response-inspection>
              </option>
              <negate-source>no</negate-source>
              <negate-destination>no</negate-destination>
              <disabled>yes</disabled>
              <log-start>no</log-start>
              <log-end>yes</log-end>
              <profile-setting>
                <profiles>
                  <file-blocking>
                    <member>rashi_file_alert</member>
                  </file-blocking>
                  <data-filtering>

Alternatively, for a shorter way to view and delete security rules in configuration mode, use these two commands.

Find a rule:

    show rulebase security rules <rulename>

Delete a rule:

    delete rulebase security rules <rulename>
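For reviewing a rulebase offline, the set-format output shown above can be parsed line by line. The following is an added example, not part of the original article and not Palo Alto Networks code: it groups the `set rulebase security rules ...` lines by rule and flags rules worth a second look. The sample input is constructed (the `allow-all` rule is invented), and the function names and review checks are assumptions chosen for illustration.

```python
import shlex
from collections import defaultdict

PREFIX = ["set", "rulebase", "security", "rules"]
# Keys that hold member lists (one line per member, or a bracketed list).
MULTI = {"from", "to", "source", "destination", "application", "service", "source-user"}

# Constructed sample: "rashi" follows the article's output, "allow-all" is invented.
SAMPLE = """\
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi from untrust-vwire
set rulebase security rules rashi source 10.16.0.21
set rulebase security rules rashi action deny
set rulebase security rules rashi option disable-server-response-inspection no
set rulebase security rules rashi disabled yes
set rulebase security rules allow-all application any
set rulebase security rules allow-all service any
set rulebase security rules allow-all action allow
set rulebase security rules allow-all log-end no
"""

def parse_set_rules(text):
    """Group `set rulebase security rules <name> <key> <value>` lines by rule."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        tokens = shlex.split(line)  # a quoted rule name (assumed for names with spaces) stays one token
        if tokens[:4] != PREFIX or len(tokens) < 7:
            continue
        name, key = tokens[4], tokens[5]
        if key in MULTI:
            members = [t for t in tokens[6:] if t not in ("[", "]")]
            rules[name].setdefault(key, []).extend(members)
        else:  # scalar, possibly nested: "option <setting> <value>"
            rules[name][" ".join(tokens[5:-1])] = tokens[-1]
    return dict(rules)

def review(rules):
    """Return {rule name: [findings]} for rules that deserve a second look."""
    findings = {}
    for name, r in rules.items():
        notes = ["disabled"] if r.get("disabled") == "yes" else []
        if (r.get("action") == "allow" and "any" in r.get("application", [])
                and "any" in r.get("service", [])):
            notes.append("allow with application any and service any")
        if r.get("log-start", "no") == "no" and r.get("log-end") == "no":
            notes.append("no session logging")
        if notes:
            findings[name] = notes
    return findings
```

Calling `review(parse_set_rules(SAMPLE))` reports the disabled `rashi` rule and the broad, unlogged `allow-all` rule.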