Quickly Search the Security Profiles and rule attributes in a Security Policy


Sometimes we need to know which security policy has a required security profile applied, has a log at session end or start, or is disabled. 

 

To search security policies where:

  • Antivirus profile AV1 is applied, use the following syntax:
    profile-setting/profiles/virus/member eq AV1
  • URL filtering profile UF1 is applied, use the following syntax:
    profile-setting/profiles/url-filtering/member eq UF1
  • Antispyware profile AS1 is applied, use the following syntax:
    profile-setting/profiles/spyware/member eq AS1
  • Vulnerability profile VP1 is applied, use the following syntax:
    profile-setting/profiles/vulnerability/member eq VP1
  • File blocking profile FB1 is applied, use the following syntax:
    profile-setting/profiles/file-blocking/member eq FB1
  • Log at session start is selected, use the following syntax:
    log-start eq yes
  • Log at session end is selected, use the following syntax:
    log-end eq yes
  • A schedule profile is called, use the following syntax:
    schedule eq "Lunch time"
  • The rule is disabled, use the following syntax:
    disabled eq yes
  • A security profile GROUP is applied, use the following syntax:
    profile-setting/group/member eq name-of-group
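As an added example (not part of the original article and not a Palo Alto Networks tool), the following Python script runs the same kind of filter terms offline against a security rulebase exported as XML, which is the structure the GUI filter paths mirror (profile-setting/profiles/virus/member, to/member, and so on). The rulebase is constructed for the example; the operator set (eq, neq, contains, combined with and/or) and the evaluation rules are assumptions of this script, not a specification of the GUI's own parser. It also adds a rules_missing() helper for the audit question the GUI filter cannot phrase directly: which rules have no log-forwarding profile or no antivirus profile at all.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample rulebase in the shape of a PAN-OS XML config export.
# Rule, zone and profile names are made up for this example.
SAMPLE_RULEBASE = """<rulebase><security><rules>
  <entry name="allow-web">
    <from><member>inside</member></from>
    <to><member>outside</member></to>
    <destination><member>any</member></destination>
    <application><member>web-browsing</member></application>
    <log-end>yes</log-end>
    <log-setting>splunk</log-setting>
    <profile-setting><profiles>
      <virus><member>AV1</member></virus>
      <url-filtering><member>UF1</member></url-filtering>
    </profiles></profile-setting>
  </entry>
  <entry name="vpn-mgmt">
    <from><member>vpn</member></from>
    <to><member>inside</member></to>
    <destination><member>mgmt-net</member></destination>
    <application><member>ssh</member></application>
    <log-start>yes</log-start>
    <log-end>yes</log-end>
    <disabled>yes</disabled>
    <schedule>Lunch time</schedule>
    <profile-setting><group><member>strict-group</member></group></profile-setting>
  </entry>
  <entry name="legacy-any">
    <from><member>inside</member></from>
    <to><member>outside</member></to>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
  </entry>
</rules></security></rulebase>
"""

# One filter term: optional parentheses, a path, an operator and a value
# (single-quoted, double-quoted, or a bare word without spaces).
TERM = re.compile(
    r"\(?\s*([\w/.-]+)\s+(eq|neq|contains)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|([^\s)]+))\s*\)?"
)


def _values(entry, path):
    """Text of every node under a rule at a GUI-style path such as
    'to/member'; 'name' is the rule's name attribute."""
    if path == "name":
        return [entry.get("name", "")]
    return [(node.text or "").strip() for node in entry.findall(path)]


def _term_matches(entry, term):
    m = TERM.fullmatch(term.strip())
    if not m:
        raise ValueError(f"cannot parse filter term: {term!r}")
    path, op = m.group(1), m.group(2)
    value = next(v for v in m.groups()[2:] if v is not None)
    found = _values(entry, path)
    if op == "eq":        # some node at the path equals the value exactly
        return value in found
    if op == "neq":       # no node at the path equals the value (absent nodes count)
        return value not in found
    return any(value in v for v in found)   # contains: substring match


def match_filter(entry, expression):
    """Evaluate e.g. "(from/member eq 'inside') and (to/member eq 'outside')".
    'and' binds tighter than 'or'; nested parentheses are not supported."""
    return any(
        all(_term_matches(entry, t) for t in re.split(r"\s+and\s+", clause))
        for clause in re.split(r"\s+or\s+", expression)
    )


def search_rules(xml_text, expression):
    """Names of the rules in the exported rulebase that match the filter."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.iterfind(".//rules/entry")
            if match_filter(e, expression)]


def rules_missing(xml_text, path):
    """Rules with nothing at all at the path: e.g. 'log-setting' finds rules
    with no log-forwarding profile, 'profile-setting/profiles/virus/member'
    finds rules with no antivirus profile."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.iterfind(".//rules/entry")
            if not _values(e, path)]


if __name__ == "__main__":
    for f in ("profile-setting/profiles/virus/member eq AV1",
              "disabled eq yes",
              "schedule eq 'Lunch time'",
              "(from/member eq 'inside') and (to/member eq 'outside')",
              "name contains vpn"):
        print(f"{f!r:60} -> {search_rules(SAMPLE_RULEBASE, f)}")
    print("no log forwarding ->", rules_missing(SAMPLE_RULEBASE, "log-setting"))
```

Run it against the XML you get from Device > Setup > Operations > Export named configuration snapshot (or `show config running` via the API) by replacing SAMPLE_RULEBASE with the file contents; quote any value that contains spaces, exactly as the GUI needs for "Lunch time". Because neq only says "no node equals this value", a rule that has no profile at all also matches "virus/member neq AV1", which is why the absence check is a separate function.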
Comments

How do you search Security Profile GROUPS?

Hi dusk2dusk,

 

Note that I added the syntax on how to search for a profile GROUP.

 

Regards,

-Kim.

Thanks for the tip, Kim! You might also add that this can be done visually by selecting "Filter" from the little pull-down that pops up when you hover the mouse over tags, zones, addresses, users, apps, and services. Regards, Nasir

can you filter by subnet ?

 

Thanks

How do I search for policies which are not set for log-forwarding?

you can search for the log forwarding profile name :

(log-setting eq 'splunk')

Can we get an update for version 8?  I know using the filter I can search for src/dst objects (destination/member eq 'cn.mns.net-24.0_24-printers') but what I really want is "destination in 172.16.0.0/16" or "destination in 172.16.9.4" and to have it show me any rule where that destination matches.

 

I don't think I can do that but I also can't find a document newer than version 6.1 that tells me what is allowed.

Hi @DaveNoonan

 

This article is not version specific and is valid for the most current PAN-OS

Searches in the security policy are designed to match a string rather than values inside objects

 

There is however a Feature Request to have this functionality added, please reach out to your local sales team to have your vote added:

FR ID: 1038

@reaper - I know there are more options than the ones listed* and I can't find the document that lists ALL of them. I assumed it was because this needed an update but regardless, what I want is the complete list of the filtering syntax.  

 

I also wish they'd use the same syntax on all the filter boxes that's on the Monitor tab.  That one even has the handy expression builder.

 

 

* You can see other options by clicking the drop-down next to most of the fields and selecting Filter.  So there are options like (name contains 'test') and  (destination/member eq 'any') and (application/member eq 'any').  

 

 

I would very much like to see a complete list as well. I'd love to be able to do a search like all policies between zone A and B with application web-browsing or whatever. I just tried (zone contains "inside) on one of my PAs and that didn't seem to work but maybe there's some other syntax I need to know. 

Hi @John_Rodgers

 

The zones would look like this: "(from/member eq 'inside') and (to/member eq 'outside')"

The policy is searched more like going through the XML, so it requires a string to match and addresses the XML attributes (to > member > object name)

Awesome, thanks! I also just realized that you can hover over the values of any column in the policy tab, and choose to filter by it which helps a lot. 

Hello!

 

This is great. But, isn't there a comprehensive list / documentation of searchable terms and operands? 

 

I'm specifically interested in searching Security Policies by the Name column attribute. Like so:

- name [doesnotinclude] 'VPN'

- name [includes] 'VPN'

 

The eq and neq operands appear to be absolute, in that, they only match the exact name (the whole thing), not just a portion or specific string. 

 

The in operand appears to be something other than "include" in the Cisco IOS sense (which is functionally like a grep or find)

 

There is no valid wildcard I can find/figure out that allows me to use the eq and neq operands to accomplish this functionality.

 

Help? :)

there is!

please check here: Tips & Tricks: Filtering the security policy

 

you're looking for 'contains'

the 'in' operand is exclusive to the logs as it is used for subnet masks which aren't used in policy searches (a policy search is an XML search versus a log database query)

@reaper: thanks. That's very helpful!

 

A couple of things... 

 

1. While I am very grateful for you sharing your user-created content, is there no official PAN documentation on this subject? I am just very surprised this isn't all laid out very clearly in the admin guide (it's not unless I'm just missing it) or at least in a separate doc.

 

2. I can't seem to figure out negation. I commented on the article you referenced so as to keep things organized, so go ahead and reply there. But, basically the following typed into the search bar for security policies is not working for me:

not (name contains 'vpn')

 

Hi @LogicalParadox

 

1. The articles on Live.paloaltonetworks.com are part of the Global Customer Support Knowledge Base, as a companion and extension to the admin guides on www.paloaltonetworks.com/documentation

 

so in that regard, they are official PANW documentation :)

 

2. I replied in the other article, the proper negate for policies is 'neq'

@reaper, I replied in the other thread as well just to confirm that neq can only negate a full match (whole policy name), right? So, essentially, what I'm trying to do (negate matching a string within a name using some form of "contains" or "does not contain") is not possible. Is that right?

 

Thanks for your help!

 

Edit: @reaper confirmed I was correct. There's apparently no way to filter exclusively by a name using a string contained by the name field.

Anyone know if it's possible to filter rules that have the profile type set to None?

@SaulSuarez, There is this article : How to Tag and Filter Security Policy Rules , that explains how to filter and tag rules:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Tag-and-Filter-Security-Policy-Ru...

@jdelio Thank you. Is there any other way to filter?  We do not have Tags on all the rules.

@SaulSuarez, I understand you do not have any Tags on your rules. But it would facilitate the filtering, so I would recommend that you tag your rules to allow for the filtering.

Now, I do not know how many rules you currently have. I am assuming it is quite a large number, since you are asking about filtering.

Without the tagging, there is no way of properly "filtering" the rules how you would like.