Can't get a response for the show running security-policy command from the device via SSH

L0 Member

We are using a Paloalto PA-5220 PAN-OS 8.0.7 virtual firewall. Using a third tool we are trying to fetch the policies with the command "show running security-policy". When the command is entered it stays still and the policies are not shown. This happens only sometimes; other times we are able to fetch the policies correctly. We couldn't find the issue: whether a timeout happens after the command is entered, or some other issue is leading to it. Please help.

L7 Applicator

Re: Can't get a response for the show running security-policy command from the device via SSH

@samgowri,

Since you don't mention what this outside tool is or how you are trying to record the CLI output, the only thing I would really test is if this works directly on the CLI reliably. If you are consistently able to get results via the CLI you would have to detail this "third tool" and the process it is using to record the output from the Palo Alto.  

L0 Member

Re: Can't get a response for the show running security-policy command from the device via SSH

@BPry Thank you for the valuable comments. I will check that.

L5 Sessionator

Re: Can't get a response for the show running security-policy command from the device via SSH

@BPry 

I have a case where a customer has over 5000 rules on a PA-3220. Every time they try running the command "show running security-policy", either from the CLI or via the API, they always get only the first 2664 rules?

L7 Applicator

Re: Can't get a response for the show running security-policy command from the device via SSH

@santonic,

Hmm. The only platforms that I have with that many rules are a 5200 and a 7000 series chassis, so I'm not sure if you're running into a platform limit with the 3200? What do you have the output format set to, set or xml? I might be able to duplicate this in a lab unit and verify whether it's at least something with the platform or not.

Out of curiosity, what are you attempting to do with the output? Generally, if you are attempting to do a backup or something like that, it's actually easier to set up a script that uses the API to export the running-config.xml off of the box.

L5 Sessionator

Re: Can't get a response for the show running security-policy command from the device via SSH

According to the specs (from the FW comparison tool: https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-850,pa-220,pa-3220) the PA-3220 should be able to have 10,000 security rules. The output is in xml format.


They are making an internal app which will check all their firewalls for rules associated with a certain IP.

L5 Sessionator

Re: Can't get a response for the show running security-policy command from the device via SSH

Output format:

"aclIPVT_in_2; index: 2" {
        from INSIDE;
        source [ 10.200.10.116 10.200.10.115 10.200.10.110 10.200.11.0/24 10.200.10.113 10.200.10.112 10.200.10.117 10.200.10.111 10.200.10.0/24 10.200.10.114 ];
        source-region none;
        to OUTSIDE;
        destination [ 10.140.1.15 10.140.1.10 10.140.1.20 ];
        destination-region none;
        user any;
        category any;
        application/service [0:any/tcp/any/49152-65535 1:any/tcp/any/42 2:any/tcp/any/53 3:any/tcp/any/88 4:any/tcp/any/135 5:any/tcp/any/139 6:any/tcp/any/389 7:any/tcp/any/445 8:any/tcp/any/636 9:any/tcp/any/3268 10:any/tcp/any/3269 11:any/tcp/any/1025-5000 12:any/tcp/any/9389 ];
        action allow;
        icmp-unreachable: no
        terminal yes;
}
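An added example (not from this thread or from Palo Alto Networks) of what the internal app mentioned above could do with this output: it parses rule blocks in the format shown and lists the rules whose source or destination covers a given IP. The sample text is constructed from the quoted block, the "deny_all" rule and the "srv-group" address object are invented, and named address objects are not resolved, so a rule that reaches an IP only through such an object is not reported.

```python
import ipaddress
import re
# Constructed sample modelled on the output quoted above; "deny_all" is invented
# to show a bare "any" and a named address object.
SAMPLE = '''"aclIPVT_in_2; index: 2" {
        source [ 10.200.10.116 10.200.11.0/24 ];
        destination [ 10.140.1.15 10.140.1.10 ];
        application/service [0:any/tcp/any/49152-65535 1:any/tcp/any/42 ];
        action allow;
        icmp-unreachable: no
}
"deny_all; index: 3" {
        source any;
        destination [ srv-group ];
        action deny;
}
'''
RULE_RE = re.compile(r'"(?P<name>[^";]+); index: (?P<index>\d+)" \{(?P<body>.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(?P<key>[\w/-]+):?\s+(?P<val>.*?);?\s*$', re.M)

def parse_rules(text):
    """Turn the CLI text into one dict per rule; bracketed values become lists."""
    rules = []
    for m in RULE_RE.finditer(text):
        attrs = {'name': m.group('name'), 'index': int(m.group('index'))}
        for a in ATTR_RE.finditer(m.group('body')):
            val = a.group('val').strip()
            if val.startswith('[') and val.endswith(']'):
                val = val[1:-1].split()
            attrs[a.group('key')] = val
        rules.append(attrs)
    return rules

def _covers(field, addr):
    """True if a source/destination field includes addr; named objects are skipped."""
    if field == 'any':
        return True
    for member in (field if isinstance(field, list) else [field]):
        try:
            if addr in ipaddress.ip_network(member, strict=False):
                return True
        except ValueError:  # named address object, not resolvable offline
            continue
    return False

def rules_for_ip(rules, ip):
    """Names of rules whose source or destination covers ip (the app's use case)."""
    addr = ipaddress.ip_address(ip)
    return [r['name'] for r in rules
            if _covers(r.get('source', 'any'), addr) or _covers(r.get('destination', 'any'), addr)]
```

Because the thread reports output stopping after 2664 rules, a caller should also compare the number of parsed rules with the count the firewall reports before trusting a "no rule matches" result.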
