How to Tag and Filter Security Policy Rules


Overview

This document explains how to add tags to security policies and how to filter security policies based on the tags associated with them.

Creating Tags

  1. In the firewall's web interface, go to Policies -> Security. Select the security policy and click 'none' under the Tag column.


  2. Click "Add" and enter a name for the tag, such as 'outbound' if the rule is an outbound rule or 'inbound' if it is an inbound rule, and click OK.


  3. The following image shows the security rules with the specified tags.


Note: One rule can be configured with more than one tag.


Filtering Security Rules

  1. In the search bar, enter the name of the tag (say 'Inbound') by which the security rules should be filtered.


  2. Click the green arrow next to the search bar.


  3. The security policies filtered by the tag 'Inbound' are shown below.


owner: gchandrasekaran

Comments

Hi

That's a useful trick. I also often filter by name of the policies [i.e. "(name eq deny-ssh)" shows all rules that contain "deny-ssh" in their name]. But I wonder if it's possible to filter for the other fields (like source address) as well. Does anyone know about this (and the syntax)?

Andi

Hello,

Is it possible to remove or edit the tag entries? I don't ask for removing from the policy, I ask for removing from the dropdown list!

Thank you in advance for your answer...

Same question. Also it's easy to make a new custom tag and drag it later to any "none" tag, but impossible to drag and drop a "none" tag to a custom tag. Dragging and dropping a new custom tag onto a previously made tag doesn't change it, but adds a second tag. Why?

I found "my failure". The tag has to be removed in every policy manually, then the tag disappears from the dropdown menu...

I can add multiple tags to a rule.  For example rule1 tags: inbound and ssh;  rule2 tags: inbound and http. How do I filter for all rules containing "inbound"?  I am seeing only rules that contain only a single tag.

I re-read the example.  I did not know I could type a single word in the search field.  I was searching "(tag eq inbound)".  I am getting proper results.

Where I'm at we set the tags to be descriptions based on source and destinations. So it would be something like S.Trust_D.Internet that way if you know where your traffic is coming from or going to you can just put the whole tag or part of the tag to filter out the specific traffic.

Is there an option to filter OUT a specific tag?

(tag/member eq 'TAGNAME')   works great if you want to see everything with that tag but (tag/member neq 'TAGNAME')  gives no results.

I don't have a PA to test with at the moment but I think throwing an ! in front of the statement negates it.

So !(tag/member eq 'TAGNAME') should work

Thanks for the quick response! Unfortunately, I just tested that and adding an "!" in the front negates the entire command so it just lists everything as if there isn't a filter applied. Any other suggestions?

Change the "eq" to "neq"

So (tag/member neq 'TAGNAME') should work

Dave is correct, unless of course your rule has more than one tag assigned to it. :smileysad:

The solution (at least as of 6.0.4) I guess is to create more specific tags for your rules or do a standard search instead of filtering out using "eq" and "and", as this apparently *will* work (where "neq" and "and" won't).

As an example...

Will work to search for if it has multiple tags assigned to the rule:

(tag/member eq 'tag1') and (tag/member eq 'tag2')

Will not work to filter out if it has multiple tags:

(tag/member neq 'tag1') and (tag/member neq 'tag2')

(tag/member neq 'tag1') or (tag/member neq 'tag2')

(tag/member eq 'tag1') and (tag/member neq 'tag2')

They squashed the bug I mentioned above in 7.0.  It wasn't fixed as of 6.0.9.  I never checked on 6.0.10-6.1.x.

On a related topic, there is a way to show only disabled rules in your view. I did it once but can't recall how. Anyone know?

Edit: I found it, enter "disabled eq yes" in the filter.
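The filter semantics discussed above (combining `tag/member eq` terms, the multi-tag `neq` problem, and `disabled eq yes`), worked through offline as an added example that is not part of the article or the thread. It parses a constructed XML snippet laid out like a PAN-OS rulebase export (tags under `tag/member`; the layout is an assumption for this example) and contrasts per-member "neq", which is one plausible model of the pre-7.0 behaviour reported here rather than a statement of how PAN-OS implements it, with the set-level negation an audit for rules lacking a tag actually needs.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out like a PAN-OS config export (assumed structure):
# each rule's tags sit under tag/member, the path the UI filter refers to.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><rulebase><security><rules>
  <entry name="rule1"><tag><member>inbound</member><member>ssh</member></tag></entry>
  <entry name="rule2"><tag><member>inbound</member><member>http</member></tag></entry>
  <entry name="rule3"><tag><member>outbound</member></tag><disabled>yes</disabled></entry>
  <entry name="rule4"/>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

RULES_XPATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"

def load_rules(xml_text):
    """Map rule name -> {'tags': set of tag names, 'disabled': bool}."""
    rules = {}
    for entry in ET.fromstring(xml_text.strip()).findall(RULES_XPATH):
        tags = {m.text for m in entry.findall("./tag/member") if m.text}
        disabled = entry.findtext("disabled", default="no") == "yes"
        rules[entry.get("name")] = {"tags": tags, "disabled": disabled}
    return rules

def with_all_tags(rules, *wanted):
    """(tag/member eq 'a') and (tag/member eq 'b'): rules carrying every wanted tag."""
    return sorted(n for n, r in rules.items() if set(wanted) <= r["tags"])

def any_member_neq(rules, tag):
    """Per-member 'neq' (assumed model of the pre-7.0 behaviour): a rule matches
    if ANY of its tags differs, so a multi-tag rule that carries `tag` still shows up."""
    return sorted(n for n, r in rules.items() if any(t != tag for t in r["tags"]))

def without_tag(rules, tag):
    """Set-level negation, which is what 'filter OUT a tag' actually needs:
    keep rules with no member equal to `tag` (untagged rules included)."""
    return sorted(n for n, r in rules.items() if tag not in r["tags"])

def disabled_rules(rules):
    """disabled eq yes"""
    return sorted(n for n, r in rules.items() if r["disabled"])

if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    print("inbound and ssh:", with_all_tags(rules, "inbound", "ssh"))
    print("any member neq inbound:", any_member_neq(rules, "inbound"))
    print("without inbound:", without_tag(rules, "inbound"))
    print("disabled:", disabled_rules(rules))
```

Running it shows rule1 and rule2 surviving the per-member "neq" even though both carry 'inbound', while `without_tag` returns only rule3 and the untagged rule4.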