CLI commands for Palo Alto configuration

L1 Bithead

CLI commands for Palo Alto configuration

Hi,

 

Are there any CLI commands which we can use to assess all the checks listed in the CIS Palo Alto Firewall 7 Benchmark?

For example:

Check : Ensure 'Minimum Password Complexity' is enabled

 

Navigate to Device > Setup > Management > Minimum Password Complexity.

Verify Enabled is checked.

 

Is there any CLI command on a Palo Alto firewall device for getting this kind of configuration?

L4 Transporter

Re: CLI commands for Palo Alto configuration

As long as you know the syntax of the command you are searching for, you can find it pretty easily.

I prefer to use the set-based output on the CLI:

fw> set cli config-output-format set

 

Then just do a match on the string you're trying to find:

fw# show | match complexity
set mgt-config password-complexity enabled yes
set mgt-config password-complexity minimum-length 8
set mgt-config password-complexity minimum-lowercase-letters 1
set mgt-config password-complexity minimum-numeric-letters 1
set mgt-config password-complexity minimum-special-characters 1
set mgt-config password-complexity minimum-uppercase-letters 1
set mgt-config password-complexity block-repeated-characters 3
set mgt-config password-complexity block-username-inclusion yes

 

L3 Networker

Re: CLI commands for Palo Alto configuration

If you are using Panorama to push configs, you would need to log into that instead and run:

Panorama> set cli config-output-format set
Panorama> configure
Panorama# show device-group MY_FIREWALL | match complexity

This is the same result, but if you push from Panorama the local firewall does not show those configs. You would have to view them in view mode, not config mode, and there is no output format option, so it is all XML.

 

Brian

L1 Bithead

Re: CLI commands for Palo Alto configuration

Thanks for the quick response. That's helpful.

 

We need to do a configuration assessment for a Palo Alto firewall device as per the CIS benchmark recommendations.

Can anyone let me know if there are any CLI commands to set and get the following configurations:

 

Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured
Ensure 'V3' is selected for SNMP polling
Ensure 'Verify Update Server Identity' is enabled
Ensure that User-ID is only enabled for internal trusted interfaces
Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring
Ensure 'Passive Link State' and 'Preemptive' are configured appropriately
Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
Ensure 'Applications and Threats Update Schedule' is set to download and install updates daily
Ensure that WildFire file size upload limits are maximized
Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles
Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flows
Ensure forwarding of decrypted content to WildFire is enabled
Ensure all WildFire session information settings are enabled
Ensure alerts are enabled for malicious files detected by WildFire
Ensure 'WildFire Update Schedule' is set to download and install updates every 15 minutes
Ensure at least one antivirus profile is set to block on all decoders except 'imap' and 'pop3'
Ensure a secure antivirus profile is applied to all relevant security policies
Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats
Ensure DNS sinkholing is configured on all anti-spyware profiles in use
Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use
Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet
Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities
Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic
Ensure that PAN-DB URL Filtering is used
Ensure that URL Filtering uses the action of “block” or “override” on the <enterprise approved value> URL categories
Ensure that access to every URL is logged
Ensure all HTTP Header Logging options are enabled
Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet
Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled
Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet
Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones
Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions
Ensure all zones have Zone Protection Profiles that drop specially crafted packets
Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured
Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS

L4 Transporter

Re: CLI commands for Palo Alto configuration

You should be able to get everything you need from CLI commands using ' | match'.  You'll probably just have to figure out the exact syntax for each item you want, like 'show | match snmp' or 'show | match download'.

L7 Applicator

Re: CLI commands for Palo Alto configuration

@Arti_K,

Some of these that you have listed won't be answered by using the 'match' command without quite a bit of CLI knowledge to ensure nothing gets overlooked. I highly recommend that you actually review the configuration to ensure each recommendation is actually being followed by physically looking over the configuration.
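
An added example, not part of any post in this thread: a small offline checker for set-format output saved from the CLI, using the password-complexity lines posted above as sample input. The `CHECKS` table and function names are assumptions made for illustration, and the parser only handles single-valued settings like those shown. A setting that is absent is reported as NOT_FOUND rather than FAIL, since it may be unset or pushed from Panorama and needs manual review.

```python
import shlex

# Output posted in the thread (set format), including the prompt line.
SAMPLE = """\
fw# show | match complexity
set mgt-config password-complexity enabled yes
set mgt-config password-complexity minimum-length 8
set mgt-config password-complexity minimum-lowercase-letters 1
set mgt-config password-complexity minimum-numeric-letters 1
set mgt-config password-complexity minimum-special-characters 1
set mgt-config password-complexity minimum-uppercase-letters 1
set mgt-config password-complexity block-repeated-characters 3
set mgt-config password-complexity block-username-inclusion yes
"""

# Hypothetical check table: benchmark item -> (config path, expected value).
CHECKS = {
    "Ensure 'Minimum Password Complexity' is enabled":
        ("mgt-config password-complexity enabled", "yes"),
}

def parse_set_config(text):
    """Map each single-valued 'set <path...> <value>' line to {path: value}."""
    settings = {}
    for line in text.splitlines():
        try:
            tokens = shlex.split(line)   # honours quoted values
        except ValueError:               # unbalanced quote: fall back
            tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "set":
            settings[tuple(tokens[1:-1])] = tokens[-1]
    return settings

def audit(text, checks=CHECKS):
    """Return {item: PASS | FAIL | NOT_FOUND} for a saved set-format dump."""
    settings = parse_set_config(text)
    results = {}
    for item, (path, expected) in checks.items():
        value = settings.get(tuple(path.split()))
        if value is None:
            # Absent locally: unset, or pushed from Panorama. Review by hand.
            results[item] = "NOT_FOUND"
        else:
            results[item] = "PASS" if value == expected else "FAIL"
    return results

if __name__ == "__main__":
    for item, result in audit(SAMPLE).items():
        print(f"{result:<9} {item}")
```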

 
