New to Palo Alto - Append Policy Question

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

New to Palo Alto - Append Policy Question

L0 Member

Good day all,

I am new to Palo Alto so this question might actually seem rather trivial.

Most of my peers configure from the GUI and are not very familiar with the Command line.  I am more comfortable with the command line so I am trying to do configurations that way. 

If I want to add a source entity to an existing rulebase security rule do I just recreate the rule with the appended information and then when I commit, it will overwrite the existing rule?

For example

when I do a show rulebase security rules existing_policy

I get the following output:

"existing_policy" {

  from dmz;

  to trust;

  source [ serverA serverB serverC ];

  destination any;

  source-user any;

  application any;

  service any;

  hip-profiles any;

  log-start no;

  log-end yes;

  negate-source no;

  negate-destination no;

  action allow;

}

If I wanted to add ServerD to the source would I do the following (I don't have a test box to test the commands that is why I am coming here):

set rulebase security rules existing_policy from dmz to trust source [ serverA serverB serverC ServerD ] destination any action allow

Any assistance would be appreciated.

Thanks

Wally

1 accepted solution

Accepted Solutions

Hello Sir,

You are correct, if you apply CLI command  # set rulebase security rules "to NG Sites" destination location3 >>>>>>>>>> This will add the location3 to the destination and leave the current destinations there as well. Please find below example from my test PA firewall:

admin@DADA# show rulebase security rules LAN-ISP

LAN-ISP {

  option {

    disable-server-response-inspection no;

  }

  from Trust-LAN;   >>>>>>>>>>>>>>>>>>>

  to Untrust-ISP;  >>>>>>>>>>>>>>>>>>>>

  source [ any 1.1.1.1/32];

  destination any;

  source-user any;

  category any;

  application any;

  service any;

  hip-profiles any;

  action allow;

  log-start no;

  log-end yes;

  negate-source no;

  negate-destination no;

  log-setting SYSLOG-ALL;

}

admin@DADA# set rulebase security rules LAN-ISP from trust to untrust  >>>>>>>>>>>>>>>>>> Adding new source and destination zone

[edit]

admin@DADA# show rulebase security rules LAN-ISP

LAN-ISP {

  option {

    disable-server-response-inspection no;

  }

  from [ Trust-LAN trust];  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Added with the existing zone

  to [ Untrust-ISP untrust]; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

  source [ any 1.1.1.1/32];

  destination any;

  source-user any;

  category any;

  application any;

  service any;

  hip-profiles any;

  action allow;

  log-start no;

  log-end yes;

  negate-source no;

  negate-destination no;

  log-setting SYSLOG-ALL;

}

[edit]

admin@DADA#

I hope this helps.

Thanks

View solution in original post

3 REPLIES 3

L7 Applicator

Hello Sir,

if youapply # set rulebase security rules existing_policy from dmz to trust source server-D destination any action allow >>>>>>> it will only add with the existing rule [ serverA serverB serverC ServerD ],

For example:

admin@DADA# show rulebase security rules LAN-ISP

LAN-ISP {

  option {

    disable-server-response-inspection no;

  }

  from Trust-LAN;

  to Untrust-ISP;

  source any;  >>>>>>>>>>>>>>>>>>> before the change

  destination any;

  source-user any;

  category any;

  application any;

  service any;

  hip-profiles any;

  action allow;

  log-start no;

  log-end yes;

  negate-source no;

  negate-destination no;

  log-setting SYSLOG-ALL;

# set rulebase security rules LAN-ISP from Trust-LAN to Untrust-ISP source 1.1.1.1/32 destination any action allow

admin@DADA# show rulebase security rules LAN-ISP                                                               LAN-ISP {

  option {

    disable-server-response-inspection no;

  }

  from Trust-LAN;

  to Untrust-ISP;

  source [ any 1.1.1.1/32]; >>>>>>>>>>>>>>>>>>> added here

  destination any;

  source-user any;

  category any;

  application any;

  service any;

  hip-profiles any;

  action allow;

  log-start no;

  log-end yes;

  negate-source no;

  negate-destination no;

  log-setting SYSLOG-ALL;

}

Thanks

Thanks so much for your reply.  So what I should have put in my initial post was that I am actually just adding a destination.  So from the code below the destination is to two objects, but I want to add a third, so can I simply say

set rulebase security rules "to NG Sites" destination location3

Will that add the location3 to the destination and leave the current destinations there as well?  I don't want to remove any of the current destinations or configurations so want to make sure my syntax is correct.  Sorry for my earlier post, I thought I was just showing a general example but should have been more specific.

"to NG Sites" {

  option {

    disable-server-response-inspection no;

  }

  from [ DMZ1 DMZ2];

  to [ Internal];

  source any;

  destination [ location1 location2];

  source-user any;

  application [ dns http-audio soap ssl web-browsing];

  service application-default;

  hip-profiles any;

  log-start no;

  log-end yes;

  negate-source no;

  negate-destination no;

  action allow;

}

Hello Sir,

You are correct, if you apply CLI command  # set rulebase security rules "to NG Sites" destination location3 >>>>>>>>>> This will add the location3 to the destination and leave the current destinations there as well. Please find below example from my test PA firewall:

admin@DADA# show rulebase security rules LAN-ISP

LAN-ISP {

  option {

    disable-server-response-inspection no;

  }

  from Trust-LAN;   >>>>>>>>>>>>>>>>>>>

  to Untrust-ISP;  >>>>>>>>>>>>>>>>>>>>

  source [ any 1.1.1.1/32];

  destination any;

  source-user any;

  category any;

  application any;

  service any;

  hip-profiles any;

  action allow;

  log-start no;

  log-end yes;

  negate-source no;

  negate-destination no;

  log-setting SYSLOG-ALL;

}

admin@DADA# set rulebase security rules LAN-ISP from trust to untrust  >>>>>>>>>>>>>>>>>> Adding new source and destination zone

[edit]

admin@DADA# show rulebase security rules LAN-ISP

LAN-ISP {

  option {

    disable-server-response-inspection no;

  }

  from [ Trust-LAN trust];  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Added with the existing zone

  to [ Untrust-ISP untrust]; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

  source [ any 1.1.1.1/32];

  destination any;

  source-user any;

  category any;

  application any;

  service any;

  hip-profiles any;

  action allow;

  log-start no;

  log-end yes;

  negate-source no;

  negate-destination no;

  log-setting SYSLOG-ALL;

}

[edit]

admin@DADA#

I hope this helps.

Thanks

  • 1 accepted solution
  • 2622 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!