Security Rules using CLI

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Security Rules using CLI

L2 Linker

Hello

I have 400 security rules, how can i find security rule using CLI?

I know only IP address.

1 accepted solution

Accepted Solutions

Correct answer is

show running security-policy | match {\|destination{\|10.3.83.13

View solution in original post

11 REPLIES 11

L6 Presenter

it'll be difficult in cli as the grep lookup will skip the rule name as it scours for the value (ip address) as shown below.

admin@PA-200> show running security-policy

"test group" {

        from L3_Trust;

        source any;

        source-region none;

        to L3_Untrust;

        destination any;

        destination-region none;

        user any;

        category any;

        application/service  any/any/any/any;

        action allow;

        terminal yes;

}

no_custom_cat {

        from L3_Trust;

        source any;

        source-region none;

        to L3_Untrust;

        destination 130.199.4.27;

        destination-region none;

        user any;

        category any;

        application/service  any/tcp/any/21;

        action allow;

        terminal yes;

}

"iPad Mini" {

        from L3_Trust;

        source 172.16.20.211;

        source-region none;

        to L3_Untrust;

        destination any;

        destination-region none;

        user any;

        category bnl;

/196 <==== On the CLI, I've pressed the '/196' keys to search for that IP octet.

I'm then provided the first hit w/ the output below.

...skipping...

        source 196.165.14.2;

        source-region none;

        to L3_Untrust;

        destination any;

        destination-region none;

        user any;

        category bnl;

        application/service  any/any/any/any;

        action allow;

        terminal yes;

You could, however, output the running security policy command to a text file and perform a ctrl+f as a recourse in looking up one of your 400 security rules.

Hi ,

Also if you have GUI access you can just type in the ip address and it will bring up all the rules matching that ip address.

For example:

Capture.JPG

Hope this helps.

Thank you

Not applicable

you could change the output of the show commands in config mode, it might help you narrow it down easier:

admin@PA-200>set cli config-output-format set

admin@PA-200>configure

admin@PA-200#show rulebase security rules



L6 Presenter

Best way you can use

test security-policy-match

this will give you the rule output directly.

Why is the search of the GUI not implemented in CLI? Comming from an other Firewall-Implementation the filtering of the rulebase is the on thing I miss most.

Best would be an operational Command like

> show security rules from untrust to trust dst-ip 10.10.10.10

But also the filtering syntax of the gui-search is acceptable.

I am still thinking about this problem. JunOS has the same problem out of the box, but for JunOS I found the possibility to use so called op-scripts. Here the link to the example usable for JunOS

policy-test - Juniper Networks

Now my Idea would be to use the PanOS-API to do something similar, but I don't know whether it is possible to use the API from the CLI interface? Does anybody know?

Thanks

Winfried

L2 Linker

Thank you for answer

I tested you cannot find IP address example:

1. test security-policy-match - Does Not work if your policy rule have source-user, can't find policy which ip is used.

2. admin@PA-200>set cli config-output-format set - It is almost OK if you can use | match IP_ADDRESS

3.  GUI and txt file  no comments Smiley Sad

I have two solution:

- juniper:

root@router# show interfaces | display set | match 47                            
set interfaces ge-0/0/47 ether-options 802.3ad ae0                             
set interfaces ge-1/0/47 ether-options 802.3ad ae0

- If i can used pipe ( | ) in exe mode

Correct answer is

show running security-policy | match {\|destination{\|10.3.83.13

Hi @Wbm ,

 

Could you please help what is  {\|destination{\|10.3.83.13

 

suba

@suba_muthuram 

 

It is a PaloAlto-style regular expression (regex) for filtering output from the "match" command on the CLI. Specifically, the CLI "show running security-policy" command will show all the Security Policies on the PaloAlto. The output of that is piped the to "match" command with the regex filter "{\|destination{\|10.3.83.13". This will match any line on the show command output that matches "{" or "destination{" or "10.3.83.13".

 

The pipe "|" is the also the OR operator in the regex, so it must be escaped with a "\|" to be interpreted as an OR in the CLI, instead of being a pipe to another command. The filter is also a bit weird as the "{" is half of another regex "{nn}" which will match nn number of characters... but apparently since the opening "{" bracket is not immediately followed by a number and closing "}" bracket, I guess it doesn't get interpreted as a regex. Note that I also think the "destination{" is wrong in this example as it would match "destination" explicitly followed by a "{" which doesn't exist in the show command output. (Perhaps it did in an earlier version of PANOS? This thread is 10 years old at this point.)

 

Because the "show" command outputs the Security Policies as multiple lines for the same policy and "match" only matches single lines, the given filter is kind of a hack to find all policies which might match the terms. It doesn't show just the policy with all the matching terms. So if you run a "show running security-policy" command you get an output with the entire policy set:

admin@PA(active)> show running security-policy
"Allow Trust to DMZ; index: 1" {
        from Trust;
        source [ 10.10.0.0/24 192.168.0.0/24];
        to DMZ;
        destination 192.0.2.0/24;
        application/service 0:any/any/any/any;
        action allow;
}
"Allow DMZ to Trust; index: 2" {
        from DMZ;
        source 192.0.2.0/24;
        to Trust;
        destination 10.10.0.0/24;
        application/service 0:any/any/any/any;
        action allow;
}
"Allow Internet to MailServer; index: 3" {
        from External;
        source any;
        to Trust;
        destination 192.168.0.25;
        application/service 0:any/any/any/any;
        action allow;
}
"Allow Trust to Internet; index: 4" {
        from Trust;
        source [ 10.10.0.0/24 192.168.0.0/24 ];
        to External;
        destination any;
        application/service 0:any/any/any/any;
        action allow;
}

 

If you wanted to find all Security Policies that might contain an internal destination or 192.168. address you could do a command like this:

admin@PA(active)> show running security-policy | match {\|destination\|192.168.0
"Allow Trust to DMZ; index: 1" {
        source [ 10.10.0.0/24 192.168.0.0/24];
        destination 192.0.2.0/24;
"Allow DMZ to Trust; index: 2" {
        destination 10.10.0.0/24;
"Allow Internet to MailServer; index: 3" {
        destination 192.168.0.25;
"Allow Trust to Internet; index: 4" {
        source [ 10.10.0.0/24 192.168.0.0/24 ];
        destination any;

 

The above is a poor example for the above stated reasons. Going back to @Wbm's reply, I would guess it should have been more like this searching for a specific address in the Security Polices:

admin@PA(active)> show running security-policy | match {\|192.168.0.25
"Allow Trust to DMZ; index: 1" {
"Allow DMZ to Trust; index: 2" {
"Allow Internet to MailServer; index: 3" {
        destination 192.168.0.25;
"Allow Trust to Internet; index: 4" {

 

Thanks for the clarification.  

suba
  • 1 accepted solution
  • 16089 Views
  • 11 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!