CLI find security rule, known IP address

Reply
L2 Linker

CLI find security rule, known IP address

I have one question to engineers Paloalto, why from CLI can't find security rules which include example IP address. What is to difficult create that function?

Why such an advanced device does not have such a simple search. Another thing lack this function in CLI is big problem because i must used GUI.

What for is CLI?

L6 Presenter

Re: CLI find security rule, known IP address

Hi,

you can use

test security-policy-match

to find the security rule if you know source ip.

L2 Linker

Re: CLI find security rule, known IP address

it doesn't work if your security rule contain field "user"
example:
user cn=net_server ,ou=paloalto,dc=paloalto.org

L6 Presenter

Re: CLI find security rule, known IP address

it is working in my lab

test security-policy-match source-user dc\student1 source 192.168.10.17 destination 0.0.0.0  protocol 1

testrule {

        from any;

        source 192.168.10.17;

        source-region none;

        to any;

        destination any;

        destination-region none;

        user dc\student1;

        category any;

        application/service [ youtube-base/any/any/any youtube-safety-m/any/any/

any youtube-uploadin/any/any/any youtube-posting/any/any/any ];

        action deny;

        terminal no;

}

L2 Linker

Re: CLI find security rule, known IP address

Yes i know it's working if use dc\nameuser.

Please use domain group Active Directory

example:

user cn=net_server ,ou=paloalto,dc=paloalto.org

L6 Presenter

Re: CLI find security rule, known IP address

domain group ?

there is no option for group with that command

L6 Presenter

Re: CLI find security rule, known IP address

let me try with group

L6 Presenter

Re: CLI find security rule, known IP address

seems group is not supported.

but maybe there is a way with writing in another format but I don't know that.

Highlighted
L2 Linker

Re: CLI find security rule, known IP address

I have about 400 rules which use domain group. domaing group match to security rules.

Example

RED {
        from zone-lan;
        source any;
        source-region none;
        to zone-dmz ;
        destination 192.168.83.105;
        destination-region none;
        user cn=red,ou=paloalto,dc=paloalto.org;
        category any;
        application/service  any/tcp/any/3000;
        action allow;
        terminal yes;

It work's.

L4 Transporter

Re: CLI find security rule, known IP address

I have different way to get the rule, this not answer your question directly - but maybe will be helpfull.

from CLI:

show session all filter source 192.168.1.35

or if you know aplication:

show session all filter application ssh source 192.168.1.35

and next:

show session id XXXXX

you will see in "rule" parametr name of security policy what are you looking for.

regards

Slawek

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!