How to View, Create and Delete Security Policies on the CLI

Overview

This article describes how to view, create and delete security policies inside of the CLI (Command Line Interface).

Details

To create a new security policy from the CLI:

> configure (press enter)

# set rulebase security rules <name> from <source zone> to <destination zone> destination <ip> application <application> service <any/application-default/service name> action <allow/deny> (press enter)

# exit

Example:

# set rulebase security rules Generic-Security from Outside-L3 to Inside-L3 destination 63.63.63.63 application web-browsing service application-default action allow (press enter)

Note: For help with entry of all CLI commands use "?" or [tab] to get a list of the available commands.

To view the Palo Alto Networks Security Policies from the CLI:

> show running security-policy

Rule       From         Source        To           Dest.           User                Proto Port Range Application  Action
---------- ------------ ------------- ------------ --------------- ------------------- ----- ---------- ------------ ------
Doms DLP   untrust-vwir 10.16.0.92    Untrust-vwir any             any                 any   any        any          allow
           trust-vwire                trust-vwire

rule4      untrust-vwir any          untrust-vwir  10.16.0.92      any                 any   any        any          allow
           trust-vwire                trust-vwire

rule3      trust-vwire  any          untrust-vwir  any             any                 any   any        any          allow

The following command will output the entire configuration:

> show config running

For set format output:

> set cli config-output-format set

> configure
Entering configuration mode
[edit]

# edit rulebase security
[edit rulebase security]

# show
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi from untrust-vwire
set rulebase security rules rashi to trust-vwire
set rulebase security rules rashi to untrust-vwire
set rulebase security rules rashi source 10.16.0.21
set rulebase security rules rashi destination any
set rulebase security rules rashi service any
set rulebase security rules rashi application adobe-meeting-remote-control
set rulebase security rules rashi application adobe-meeting
set rulebase security rules rashi application adobe-online-office
set rulebase security rules rashi action deny
set rulebase security rules rashi source-user any
set rulebase security rules rashi option disable-server-response-inspection no
set rulebase security rules rashi negate-source no
set rulebase security rules rashi negate-destination no
set rulebase security rules rashi disabled yes
set rulebase security rules rashi log-start no
set rulebase security rules rashi log-end yes

To switch to the default output:

        From configure mode:

# run set cli config-output-format default

[edit rulebase security]
# show
security {
  rules {
    rashi {
      from [ trust-vwire untrust-vwire];
      to [ trust-vwire untrust-vwire];
      source 10.16.0.21;
      destination any;
      service any;
      application [ adobe-meeting-remote-control adobe-meeting adobe-online-office];
      action deny;
      source-user any;
      option {
        disable-server-response-inspection no;
      }
      negate-source no;
      negate-destination no;
      disabled yes;
      log-start no;
      log-end yes;
      profile-setting {
        profiles {
          file-blocking rashi_file_alert;
          data-filtering rashi_dlp;
        }

To view the configuration in XML format:

From configure mode:

# run set cli config-output-format xml

[edit rulebase security]
# show
<response status="success" code="19">
  <result total-count="1" count="1">
    <security>
      <rules>
        <entry name="rashi">
          <from>
            <member>trust-vwire</member>
            <member>untrust-vwire</member>
          </from>
          <to>
            <member>trust-vwire</member>
            <member>untrust-vwire</member>
          </to>
          <source>
            <member>10.16.0.21</member>
          </source>
          <destination>
            <member>any</member>
          </destination>
          <service>
            <member>any</member>
          </service>
          <application>
            <member>adobe-meeting-remote-control</member>
            <member>adobe-meeting</member>
            <member>adobe-online-office</member>
          </application>
          <action>deny</action>
          <source-user>
            <member>any</member>
          </source-user>
          <option>
            <disable-server-response-inspection>no</disable-server-response-inspection>
          </option>
          <negate-source>no</negate-source>
          <negate-destination>no</negate-destination>
          <disabled>yes</disabled>
          <log-start>no</log-start>
          <log-end>yes</log-end>
          <profile-setting>
            <profiles>
              <file-blocking>
                <member>rashi_file_alert</member>
              </file-blocking>
              <data-filtering>

Also, if you want a shorter way to View and Delete security rules inside configure mode, you can use these 2 commands:

To find a rule:

• show rulebase security rules <rulename>

To delete or remove a rule:

• delete rulebase security rules <rulename>

See Also

Command Line Interface Reference Guide Release 6.1

Command Line Interface Reference Guide Release 6.0

Command Line Interface Reference Guide Release 5.0

owner: panagent