Security Rules using CLI

L2 Linker

Security Rules using CLI

Hello

I have 400 security rules; how can I find a security rule using the CLI?

I know only the IP address.

L6 Presenter

Re: Security Rules using CLI

It'll be difficult in the CLI, as the grep lookup will skip the rule name while it scours for the value (IP address), as shown below.

admin@PA-200> show running security-policy
"test group" {
        from L3_Trust;
        source any;
        source-region none;
        to L3_Untrust;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service  any/any/any/any;
        action allow;
        terminal yes;
}
no_custom_cat {
        from L3_Trust;
        source any;
        source-region none;
        to L3_Untrust;
        destination 130.199.4.27;
        destination-region none;
        user any;
        category any;
        application/service  any/tcp/any/21;
        action allow;
        terminal yes;
}
"iPad Mini" {
        from L3_Trust;
        source 172.16.20.211;
        source-region none;
        to L3_Untrust;
        destination any;
        destination-region none;
        user any;
        category bnl;

/196 <==== On the CLI, I've pressed the '/196' keys to search for that IP octet.

I'm then provided the first hit with the output below.

...skipping...
        source 196.165.14.2;
        source-region none;
        to L3_Untrust;
        destination any;
        destination-region none;
        user any;
        category bnl;
        application/service  any/any/any/any;
        action allow;
        terminal yes;

You could, however, output the running security policy to a text file and perform a Ctrl+F as a recourse for looking up one of your 400 security rules.
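An added example, not code from the thread or from Palo Alto Networks: a small Python parser for the `show running security-policy` layout shown above that reports the rule names (which a `| match` on the address drops) whose source or destination is the queried address or a prefix containing it. The policy text below is constructed from the rules in this thread, with a 10.0.0.0/8 destination added to show a subnet hit.

```python
import ipaddress
import re

# Constructed sample in the layout of `show running security-policy` (not a real device dump).
SAMPLE_POLICY = '''\
"test group" {
        source any;
        destination any;
}
no_custom_cat {
        source any;
        destination 130.199.4.27;
}
"iPad Mini" {
        source 172.16.20.211;
        destination 10.0.0.0/8;
}
'''

_RULE_START = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*\{\s*$')  # rule name { (quoted or bare)

def parse_policy(text):
    # Returns [(rule_name, {field: value}), ...] in rulebase order.
    rules, name, fields = [], None, None
    for line in text.splitlines():
        m = _RULE_START.match(line)
        if m:
            name, fields = m.group(1) or m.group(2), {}
        elif line.strip() == "}" and fields is not None:
            rules.append((name, fields))
            name, fields = None, None
        elif fields is not None and line.strip().endswith(";"):
            key, _, value = line.strip()[:-1].partition(" ")
            fields[key] = value.strip()
    return rules

def _covers(value, ip):
    # True if any token of a source/destination value is the IP itself or a prefix containing it.
    for token in value.split():
        try:
            if ip in ipaddress.ip_network(token, strict=False):
                return True
        except ValueError:  # 'any', address-object names, regions: not a literal address
            pass
    return False

def rules_referencing(text, ip_str, include_any=False):
    # Names of rules whose source or destination covers ip_str; optionally count 'any' as a hit.
    ip = ipaddress.ip_address(ip_str)
    return [name for name, fields in parse_policy(text)
            if any(_covers(fields.get(k, ""), ip) or (include_any and fields.get(k) == "any")
                   for k in ("source", "destination"))]
```

Feed it the saved output of the show command and the rule names come back in rulebase order, so it also answers the "which rule lets this host through" question for prefix-based rules that a literal text search cannot see.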

L5 Sessionator

Re: Security Rules using CLI

Hi,

Also, if you have GUI access you can just type in the IP address and it will bring up all the rules matching that IP address.

For example, see the attached screenshot (Capture.JPG).

Hope this helps.

Thank you

Not applicable

Re: Security Rules using CLI

You could change the output of the show commands in config mode; it might help you narrow it down more easily:

admin@PA-200>set cli config-output-format set
admin@PA-200>configure
admin@PA-200#show rulebase security rules

L6 Presenter

Re: Security Rules using CLI

Best way: you can use

test security-policy-match

This will give you the rule output directly.

L2 Linker

Re: Security Rules using CLI

Why is the search of the GUI not implemented in the CLI? Coming from another firewall implementation, the filtering of the rulebase is the one thing I miss most.

Best would be an operational Command like

> show security rules from untrust to trust dst-ip 10.10.10.10

But also the filtering syntax of the gui-search is acceptable.

L2 Linker

Re: Security Rules using CLI

I am still thinking about this problem. JunOS has the same problem out of the box, but for JunOS I found the possibility to use so-called op-scripts. Here is the link to the example usable for JunOS:

policy-test - Juniper Networks

Now my idea would be to use the PAN-OS API to do something similar, but I don't know whether it is possible to use the API from the CLI interface. Does anybody know?

Thanks

Winfried

L2 Linker

Re: Security Rules using CLI

Thank you for the answer.

I tested; you cannot find an IP address. Example:

1. test security-policy-match - does not work if your policy rule has source-user; it can't find the policy in which the IP is used.

2. admin@PA-200>set cli config-output-format set - it is almost OK if you can use | match IP_ADDRESS

3. GUI and txt file: no comments :(

I have two solutions:

- Juniper:

root@router# show interfaces | display set | match 47
set interfaces ge-0/0/47 ether-options 802.3ad ae0
set interfaces ge-1/0/47 ether-options 802.3ad ae0

- If I can use pipe ( | ) in exec mode

L2 Linker

Re: Security Rules using CLI

Correct answer is

show running security-policy | match {\|destination{\|10.3.83.13
