Tips & Tricks: Filtering the security policy

by ‎06-26-2017 07:27 AM - edited ‎07-24-2017 12:21 PM (17,328 Views)

Manually searching through the policies can be pretty hard if there are many rules and it's been a long day. Luckily there are search functions available to you to make life a little easier.

 

First off, you can simply type in any keyword you are looking for, which can be a policy name, az one, an IP address/subnet or object name, an application or service.

Keyword searchesKeyword searches

One caveat is that this needs to be a string match, so it cannot be a subnet. Wildcards  (*) are not supported.

Searching for an IPSearching for an IP

You can also search within a specific field, like source zone or application. There's an easy drop-down function you can use to automatically create the search filter:

Filter auto creationFilter auto creation

You can also create a search string manually, I've provided a list of all fields below:

 

Tags: (tag/member eq 'tagname')

Name: (name contains 'unlocate-block')

Type: (rule-type eq 'intrazone|interzone')

Source Zone: (from/member eq 'zonename')

Source Address: (source/member eq 'any|ip|object')

Source User: (source-user/member eq 'any|username|groupname')

Hip profile:  (hip-profiles/member eq 'any|profilename')

Destination Zone: (to/member eq 'zonename')

Destination Address: (destination/member eq 'any|ip|object')

Destination User: (destination-user/member eq 'any|username|groupname')

Application: (application/member eq 'any|applicationname|applicationgroup|applicationfilter')

Service: (service/member eq 'any|servicename|application-default')

URL Category: (category/member eq 'any|categoryname')

           This is a destination category, not a URL filtering security profile

Action: (action eq 'allow|drop|deny|reset-client|reset-server|reset-both')

Action send ICMP unreachable: (icmp-unreachable eq 'yes')

Security Profiles:

      (profile-setting/profiles/virus/member eq 'profilename')

      (profile-setting/profiles/spyware/member eq 'profilename')

      (profile-setting/profiles/vulnerability/member eq 'profilename')

      (profile-setting/profiles/url-filtering/member eq 'profilename')

      (profile-setting/profiles/file-blocking/member eq 'profilename')

      (profile-setting/profiles/wildfire-analysis/member eq 'profilegroupname')

      (profile-setting/group/member eq 'profilename')

Disable server response inspection: (option/disable-server-response-inspection eq 'yes')

Log at session start: (log-start eq 'yes|no')

Log at session end: (log-end eq 'yes|no')

Schedule: (schedule eq 'schedulename')

Log Forwarding:  (log-setting eq "forwardingprofilename')

Qos Marking:    (qos/marking/ip-dscp eq 'codepoint')

                            (qos/marking/ip-precedence eq 'codepoint')

                            (qos/marking/follow-c2s-flow eq '')

Description: (description contains '<keyword>')

 

Disabled policy: (disabled yes|no)  

           policies will only respond to 'no' if they have been disabled before

 

notes: 

  • searched terms are case sensitive! (Untrust or untrust)
  • operands includ 'eq', 'neq' , 'contains'

 

Lastly, the Tag Browser can also come in very handy if you're able to tag all your security policies. It can be used in a similar way as the search function and display only the selected tags:

Tag Browser in actionTag Browser in action

More information and a tutorial video on the Tag Browser can be found here: Tutorial: Tag Browser

 

 

Also take a look at our video and transcript on Filtering the Security Policy

 

Hope this was helpful, feel free to ask questions or post remarks below.

 

Reaper out

Comments
by Lora
on ‎07-10-2017 12:55 PM

Thanks Reaper.  I am not following what you mean about creating search strings manually though. Would you elaborate a bit more or follow up with a breif tutorial video for this too?

 

 

by
on ‎07-11-2017 12:05 AM

good news @Lora, the tutorial video is in the shop  (it's being edited and should be made available soon) ;)

you can use a more complex search string to search for a specific 'type' of policy and if you want, you can create these in advance so you'd only need to copy/paste them into the search bar,

 

eg. 

(from/member eq 'trust') and (to/member eq 'dmz') and (destination/member eq 'webserver')

hope this helps

by Lora
on ‎07-11-2017 01:05 PM

Do we enter those searcgh strings in the search bar of the Policy tab?  They don't seem to work at all for me if so. We are on the PAN OS 7.1 strand, are these only available in 8.0?

by
on ‎07-12-2017 01:07 AM

Hi @Lora

yes, they go in the search bar. This works for all versions of PAN-OS, could you share a screenshot?

7.1 example7.1 example

by Lora
on ‎07-12-2017 08:42 AM

My issue was I was entering the Zones in all lower case, turns out the search is case sensitive.  Thanks @reaper

by
on ‎07-12-2017 01:17 PM

@Lora good point! I've added a note to highlight the search is case sensitive, thanks for pointing that out!

by LogicalParadox
‎07-12-2017 02:05 PM - edited ‎07-12-2017 02:11 PM

@reaper

This is great. Thanks!

 

As a note to @Lora's feedback, on our PA3020 running 7.1.7 searching for Zone by name does NOT appear case sensitive. Filtering for (name contains 'vpn') finds zones named 'VPN_Whatever'. This is the same for other words, as wellMaybe this is different in specific revs?

 

Also, I'm trying to negate a filter search and not having any luck.

 

I'm using:

not (name contains 'vpn') 

 

And it's not working (it returns all policies). Just doing "name contains 'vpn'" works just fine. I'm also able to use AND and OR operands with separate search conditions in parenthesis just fine in Security Policy. For example: (name contains vpn) and (name contains users). So, it's just the negation (not) that doesn't seem to work for me. Works in log filtering. Any ideas?

 

I guess it's possible there are separate filter/search facilities for search in these areas vs filters in logs,  but I don't see why they wouldn't have it uniform. 

 

Ultimately I'd like to filter out the noise having a filter string that omits our VPN, GP, and other policies that crowd out the others. 

 

by
on ‎07-13-2017 12:44 AM

@LOcampo the 'neq' operand should help filter out unwanted matches

 

if you tag all your policies you could tag your VPN rules and then (tag/member neq 'vpn'), for example

 

there's a difference in search facilities because the logs are a database you can query while the policies are a search in XML

you could open a feature request with your local sales contact to have the 'query/filter builder' added to the policies

by LogicalParadox
‎07-13-2017 06:52 AM - edited ‎07-14-2017 05:58 AM

@reaper, I replied in the other thread as well just to confirm that neq can only negate a full match (whole policy name), right? So, essentially, what I'm trying to do (negate matching a string within a name using some form of "contains" or "does not contain") is not possible. Is that right?

 

Edit: @reaper confirmed it is not possible.

by marroquin
on ‎07-24-2017 01:48 PM

@reaper
Thank you, this list is an excellent resource.

How can we filter by an empty configuration option? For example, to show only rules without any Security Policy or Log Forwarding? When I attempt " (profile-setting/group/member neq '') " or " (profile-setting/profiles/virus/member neq '') " I get no results.

by
on ‎07-31-2017 03:31 AM

hi @marroquin 

you can't, you can only look for a keyword to match, not a condition

so where a policy has 'any' you can look for "eq 'any' " or "neq 'any' " but not ' ' as the XML will not allow empty fields:

- there is either a condition to indicate _anything_ can be used as 'any' (eg. source any; )

- or the entry is simply deleted from the XML if no parameter is set:if logging is disabled, the log-end line is simply deleted

 

policy xml.png

Ask Questions Get Answers Join the Live Community
Top Liked Posts