Video Tutorial: Filtering the security policy

by Community Manager on 07-07-2017 06:58 AM - edited on 07-20-2017 09:12 PM by (17,864 Views)

This is Tom with the Community team and today we're going to take a look at how to filter through your security policy.



One of the easiest ways is to simply type any keyword you're looking for; it is matched anywhere in your policy.

So, for example, I have 'vwire' here, so I can just go ahead and type 'vwire'.

That filters on the keyword, and in this case only one security rule pops up.


If you're looking for anything else, anywhere else, just type any keyword and it will return everything that matches the string.


One caveat here: you are essentially searching through an XML configuration file, so your string needs to match the text you are looking for. You can't use wildcards and you can't use a subnet mask, but you can type anything that matches, even partially.

For example, I have a few IP addresses here and if I'm looking for a specific IP subnet, I can go ahead and leave the last octet out. And my search will match any IP in that particular subnet.


Another way to filter is to use the Tag Browser. I've tagged a bunch of my security policies and several of my zones, so now I have a list of available tags in the Tag Browser. If I'm looking for a particular tag, I can go ahead and mark those tags, and the visible area of the security policy is then populated with only the policies carrying matching tags.


Lastly, we can use traditional searches. The 'hard' way is to type full search strings in the search field; the easy way is to use the dropdown menu on any of the columns. As you can see, there is a filter option there that automatically creates the filter string for you.


So if you want to look for source 'v1-trust' and destination 'v1-untrust', it's just as easy as that.


We can expand on that: for example, we can look for any policy that has 'allow' (or 'deny') as its Action.

Or, for example, any specific 'security profile'. I want to look for the AntiSpyware profile 'Block All', and this will return all policies that contain this specific AntiSpyware profile.


You can see that the search string looks a little odd compared to the log filters; that's because we're searching the XML file, so the filter uses the XML element paths.


There are a couple of columns that do not have a drop-down option, like 'Rule Type': you can only search for intrazone or interzone; there is no option for universal policies.


So if you want to search for intrazone or interzone policies, you can type (rule-type eq 'intrazone') and hit Enter, which returns all the intrazone policies; the same works for 'interzone'.


Another filter that has no drop-down option is the one for disabled policies. If you look at these policies, you can see they have been disabled. If you want to search for disabled policies only, for example because you have a very lengthy rulebase and only need to see the disabled rules, you can search for (disabled eq yes).


I've created a list of all the available search options for your security policy; it is also in the article linked below, so please feel free to check out the link:


Tags: (tag/member eq 'tagname')

Type: (rule-type eq 'intrazone|interzone')

Source Zone: (from/member eq 'zonename')

Source Address: (source/member eq 'any|ip|object')

Source User: (source-user/member eq 'any|username|groupname')

HIP Profile: (hip-profiles/member eq 'any|profilename')

Destination Zone: (to/member eq 'zonename')

Destination Address: (destination/member eq 'any|ip|object')

Destination User: (destination-user/member eq 'any|username|groupname')

Application: (application/member eq 'any|applicationname|applicationgroup|applicationfilter')

Service: (service/member eq 'any|servicename|application-default')

URL Category: (category/member eq 'any|categoryname')

           (This is the destination URL category, not a URL Filtering security profile.)

Action: (action eq 'allow|drop|deny|reset-client|reset-server|reset-both')

Action send ICMP unreachable: (icmp-unreachable eq 'yes')

Security Profiles:

      (profile-setting/profiles/virus/member eq 'profilename')

      (profile-setting/profiles/spyware/member eq 'profilename')

      (profile-setting/profiles/vulnerability/member eq 'profilename')

      (profile-setting/profiles/url-filtering/member eq 'profilename')

      (profile-setting/profiles/file-blocking/member eq 'profilename')

      (profile-setting/profiles/wildfire-analysis/member eq 'profilegroupname')

      (profile-setting/group/member eq 'profilename')

Disable server response inspection: (option/disable-server-response-inspection eq 'yes')

Log at session start: (log-start eq 'yes|no')

Log at session end: (log-end eq 'yes|no')

Schedule: (schedule eq 'schedulename')

Log Forwarding: (log-setting eq 'forwardingprofilename')

QoS Marking: (qos/marking/ip-dscp eq 'codepoint')

             (qos/marking/ip-precedence eq 'codepoint')

             (qos/marking/follow-c2s-flow eq '')

Description: (description contains '<keyword>')


Disabled policy: (disabled eq 'yes|no')

           (Policies only match 'no' if they have been disabled before; a rule that was never disabled has no disabled element to match.)
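To make the XML-matching behaviour above concrete, here is a small Python model of the two search modes: the free-text keyword search, which is a plain substring match over a rule's XML, and the (path eq 'value') / (path contains 'value') filters from the list. This is example code added for this page, not PAN-OS or Palo Alto Networks code; the rulebase XML, the rule names and the function names are constructed for the illustration. It reproduces two caveats stated on this page: (disabled eq 'no') only finds rules that actually carry a disabled element, and a filter on an application name does not match a rule that references an application group containing that application, because the group is its own object in the configuration.

```python
"""Added example (not PAN-OS code): a toy model of how the security-policy
search box matches text against the XML rulebase."""
import re
import xml.etree.ElementTree as ET

# Constructed sample rulebase for the example; not taken from a real device.
RULEBASE_XML = """<rulebase><security><rules>
  <entry name="vwire-out">
    <rule-type>universal</rule-type>
    <from><member>v1-trust</member></from>
    <to><member>v1-untrust</member></to>
    <source><member>192.168.10.5</member></source>
    <destination><member>any</member></destination>
    <application><member>web-apps-group</member></application>
    <action>allow</action>
    <tag><member>vwire</member></tag>
    <description>Trust to untrust across the vwire</description>
  </entry>
  <entry name="intra-block">
    <rule-type>intrazone</rule-type>
    <from><member>v1-trust</member></from>
    <to><member>v1-trust</member></to>
    <source><member>192.168.10.0/24</member></source>
    <destination><member>any</member></destination>
    <application><member>web-browsing</member></application>
    <action>deny</action>
    <disabled>yes</disabled>
  </entry>
  <entry name="re-enabled">
    <rule-type>interzone</rule-type>
    <from><member>v1-untrust</member></from>
    <to><member>v1-trust</member></to>
    <source><member>10.0.0.0/8</member></source>
    <destination><member>172.16.0.9</member></destination>
    <application><member>ssl</member></application>
    <action>drop</action>
    <disabled>no</disabled>
  </entry>
</rules></security></rulebase>"""

RULES = ET.fromstring(RULEBASE_XML).findall("./security/rules/entry")


def keyword_search(keyword, rules=RULES):
    """Free-text search box: a plain substring match over each rule's
    serialized XML.  No wildcards and no subnet logic, which is why a
    partial string such as '192.168.10.' matches every address in that /24
    while '192.168.10.0/24' only matches the literal object text."""
    return [r.get("name") for r in rules
            if keyword in ET.tostring(r, encoding="unicode")]


# (path eq 'value') or (path contains 'value'); path is relative to <entry>
FILTER_RE = re.compile(r"""\(\s*([\w/-]+)\s+(eq|contains)\s+['"]([^'"]*)['"]\s*\)""")


def evaluate_filter(expr, rules=RULES):
    """Evaluate one filter expression from the list above, e.g.
    "(rule-type eq 'intrazone')" or "(description contains 'vwire')".
    'eq' needs an element at that path whose text equals the value;
    'contains' needs one whose text contains it.  A rule with no element
    at the path never matches, which is why "(disabled eq 'no')" only
    returns rules that were disabled once and then re-enabled: a rule that
    was never disabled carries no <disabled> element at all."""
    m = FILTER_RE.fullmatch(expr.strip())
    if not m:
        raise ValueError("unsupported filter syntax: %r" % expr)
    path, op, value = m.groups()
    matches = []
    for rule in rules:
        texts = [(e.text or "").strip() for e in rule.findall("./" + path)]
        if op == "eq":
            hit = any(t == value for t in texts)
        else:
            hit = any(value in t for t in texts)
        if hit:
            matches.append(rule.get("name"))
    return matches


if __name__ == "__main__":
    print(keyword_search("vwire"))                        # ['vwire-out']
    print(keyword_search("192.168.10."))                  # ['vwire-out', 'intra-block']
    print(evaluate_filter("(rule-type eq 'intrazone')"))  # ['intra-block']
    print(evaluate_filter("(disabled eq 'no')"))          # ['re-enabled']
    # The group is its own object, so a member application name does not expand it.
    print(evaluate_filter("(application/member eq 'web-browsing')"))  # ['intra-block']
```

The 'yes|no' and 'any|ip|object' alternatives in the list are documentation shorthand for the values you can put in a single expression, not literal syntax; the evaluator above takes exactly one value per filter, as the GUI does.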



Please feel free to comment below this video or in the blog (more illustrations there), and don't forget to subscribe to our channel on YouTube so you don't miss out on any of our new videos.


Thanks for watching.


Reaper out.

by VijayChandar
on 02-28-2018 04:51 PM

Why can't I filter out unused/used NAT rules in the GUI??


This should be a very basic feature in any enterprise level firewall IMHO.

by Community Manager
on 03-01-2018 02:47 AM

Hi @VijayChandar

you can .....


[screenshot: unused NAT.png]

by VijayChandar
on 03-01-2018 10:23 AM

Yes I know that already :)


I'm looking for something similar to "disabled eq yes" so I can take a screenshot of just the unused ones. "Highlight" doesn't help much in exporting to a spreadsheet.

by Community Manager
on 03-02-2018 04:42 AM

The 'unused' is a little more complex, as there is a dataplane statistics lookup that highlights the rules that have not matched in session statistics since the last counter reset; it does not use a matching criterion like a filter (which filters out only matching rules in the XML config file).


If you'd like a simpler version that simply outputs the rule names, you can use the CLI command:


> show running rule-use vsys vsys1 rule-base nat type unused

by VijayChandar
on 03-02-2018 10:44 AM

Cool thanks, that command was helpful. 

by birish
on 04-03-2018 12:50 PM

If a security policy uses an application group, is there a way to create a filter to search through those?  Thanks!

by Community Manager
on 04-03-2018 01:06 PM

Hi @birish


Unfortunately no, the search in the GUI is a simple object search where a group is its own entity. The contained apps are only 'put together' on the dataplane after you push the config.

by birish
on 04-03-2018 01:27 PM

Hi @reaper


Is there a CLI command that can be run on Panorama that will show all of the policies and expand the contents of an application group in that output?

