Tips and Tricks: Filtering the Security Policy

Cyber Elite
Manually searching through the policies can be pretty hard if there are many rules and it's been a long day. Luckily, there are search functions available to you to make life a little easier.

 

First off, you can simply type in any keyword you are looking for, which can be a policy name (as one word), an IP address/subnet or object name, an application, or a service.

 

One caveat is that this needs to be a string match, so it cannot be a subnet. Wildcards (*) are not supported.

 

You can also search within a specific field, like source zone or application. There's an easy drop-down function you can use to automatically create the search filter.

 

You can also create a search string manually. I've provided a list of all fields below:

 

Tags: (tag/member eq 'tagname')

Name: (name contains 'unlocate-block')

Type: (rule-type eq 'intrazone|interzone')

Source Zone: (from/member eq 'zonename')

Source Address: (source/member eq 'any|ip|object')

Source User: (source-user/member eq 'any|username|groupname')

HIP Profile: (hip-profiles/member eq 'any|profilename')

Destination Zone: (to/member eq 'zonename')

Destination Address: (destination/member eq 'any|ip|object')

Destination User: (destination-user/member eq 'any|username|groupname')

Application: (application/member eq 'any|applicationname|applicationgroup|applicationfilter')

Service: (service/member eq 'any|servicename|application-default')

URL Category: (category/member eq 'any|categoryname')
    Note: this is the destination URL category of the rule, not the URL Filtering security profile.

Action: (action eq 'allow|drop|deny|reset-client|reset-server|reset-both')

Action send ICMP unreachable: (icmp-unreachable eq 'yes')

Security Profiles:
    (profile-setting/profiles/virus/member eq 'profilename')
    (profile-setting/profiles/spyware/member eq 'profilename')
    (profile-setting/profiles/vulnerability/member eq 'profilename')
    (profile-setting/profiles/url-filtering/member eq 'profilename')
    (profile-setting/profiles/file-blocking/member eq 'profilename')
    (profile-setting/profiles/wildfire-analysis/member eq 'profilename')
    (profile-setting/group/member eq 'profilegroupname')

Disable server response inspection: (option/disable-server-response-inspection eq 'yes')

Log at session start: (log-start eq 'yes|no')

Log at session end: (log-end eq 'yes|no')

Schedule: (schedule eq 'schedulename')

Log Forwarding: (log-setting eq 'forwardingprofilename')

QoS Marking: (qos/marking/ip-dscp eq 'codepoint')
    (qos/marking/ip-precedence eq 'codepoint')
    (qos/marking/follow-c2s-flow eq '')

Description: (description contains '<keyword>')

Disabled policy: (disabled eq 'yes|no')
    Note: a policy only matches 'no' if it was disabled at some point and then re-enabled; a rule that was never disabled has no disabled field to match.

 

NOTES:

  • Searched terms are case sensitive: 'Untrust' and 'untrust' are different matches.
  • The supported operators are 'eq', 'neq' and 'contains'.

 

Lastly, the Tag Browser can also come in very handy if you're able to tag all your security policies. It can be used in a similar way as the search function and display only the selected tags.

 

More information and a tutorial video on the Tag Browser can be found here: Tutorial: Tag Browser

 

 

Also take a look at our video and transcript on Filtering the Security Policy

 

Hope this was helpful, feel free to ask questions or post remarks below.

 

Reaper out

38 Comments
L2 Linker

Thanks Reaper. I am not following what you mean about creating search strings manually though. Would you elaborate a bit more or follow up with a brief tutorial video for this too?

 

 

Cyber Elite

good news @Lora, the tutorial video is in the shop  (it's being edited and should be made available soon) 😉

you can use a more complex search string to search for a specific 'type' of policy and if you want, you can create these in advance so you'd only need to copy/paste them into the search bar,

 

eg. 

(from/member eq 'trust') and (to/member eq 'dmz') and (destination/member eq 'webserver')

hope this helps

L2 Linker

Do we enter those search strings in the search bar of the Policy tab? They don't seem to work at all for me if so. We are on the PAN OS 7.1 strand, are these only available in 8.0?

Cyber Elite

Hi @Lora

yes, they go in the search bar. This works for all versions of PAN-OS, could you share a screenshot?

[screenshot: 7.1 example]

L2 Linker

My issue was I was entering the Zones in all lower case, turns out the search is case sensitive.  Thanks @reaper

Cyber Elite

@Lora good point! I've added a note to highlight the search is case sensitive, thanks for pointing that out!

L2 Linker

@reaper

This is great. Thanks!

 

As a note to @Lora's feedback, on our PA3020 running 7.1.7 searching for Zone by name does NOT appear case sensitive. Filtering for (name contains 'vpn') finds zones named 'VPN_Whatever'. This is the same for other words, as well. Maybe this is different in specific revs?

 

Also, I'm trying to negate a filter search and not having any luck.

 

I'm using:

not (name contains 'vpn') 

 

And it's not working (it returns all policies). Just doing "name contains 'vpn'" works just fine. I'm also able to use AND and OR operands with separate search conditions in parentheses just fine in Security Policy. For example: (name contains vpn) and (name contains users). So, it's just the negation (not) that doesn't seem to work for me. Works in log filtering. Any ideas?

 

I guess it's possible there are separate filter/search facilities for search in these areas vs filters in logs,  but I don't see why they wouldn't have it uniform. 

 

Ultimately I'd like to filter out the noise having a filter string that omits our VPN, GP, and other policies that crowd out the others. 

 

Cyber Elite

@locampo the 'neq' operand should help filter out unwanted matches

 

if you tag all your policies you could tag your VPN rules and then (tag/member neq 'vpn'), for example

 

there's a difference in search facilities because the logs are a database you can query while the policies are a search in XML

you could open a feature request with your local sales contact to have the 'query/filter builder' added to the policies

L2 Linker

@reaper, I replied in the other thread as well just to confirm that neq can only negate a full match (whole policy name), right? So, essentially, what I'm trying to do (negate matching a string within a name using some form of "contains" or "does not contain") is not possible. Is that right?

 

Edit: @reaper confirmed it is not possible.

L0 Member

@reaper
Thank you, this list is an excellent resource.

How can we filter by an empty configuration option? For example, to show only rules without any Security Policy or Log Forwarding? When I attempt " (profile-setting/group/member neq '') " or " (profile-setting/profiles/virus/member neq '') " I get no results.

Cyber Elite

hi @marroquin 

you can't, you can only look for a keyword to match, not a condition

so where a policy has 'any' you can look for "eq 'any' " or "neq 'any' " but not ' ' as the XML will not allow empty fields:

- there is either a condition to indicate _anything_ can be used as 'any' (eg. source any; )

- or the entry is simply deleted from the XML if no parameter is set: if logging is disabled, the log-end line is simply deleted

 

policy xml.png

L0 Member

Hi,  

In the new versions of PANOS 8.1 we have the hit counter (and the rule usage in Panorama)  is there a search keyword for these?  I know you can highlight unused, but I would love to generate a pdf report of the unused rules.

L2 Linker

What exactly does this mean?

policies will only respond to 'no' if they have been disabled before

 

When I use the filter (disabled eq yes) I get the expected results, all of my disabled rules

When I use the filter (disabled eq no) I do not get all of the enabled rules

 

So can some explain the disabled before in a bit more detail? This implies it was once disabled and then is now enabled?

How does it flag this and how do you clear it? Reboot or via a cmd?

 

Thanks,

Mark

Cyber Elite

@MarkDufault,

Essentially what you are searching for is the string <disabled>yes</disabled> or <disabled>no</disabled> in the security rulebase entry. By default, this line is not included unless you've previously disabled the entry and then reenabled it. 

If you want to make this search work across your rulebase, simply set 'disabled no' on your entries or manually add <disabled>no</disabled> in the XML of your configuration.
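As an added example (not code from the original post, the replies, or Palo Alto Networks), the following Python model reproduces the filter semantics laid out in the field list and NOTES of the post and in the reply above about <disabled>yes</disabled>: terms match case-sensitively against the rule's XML, and a field that is absent from a rule can be matched by neither eq nor neq. The sample rulebase and the evaluator are constructed assumptions about how such a search behaves, not the PAN-OS implementation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample rulebase in PAN-OS-style XML (not taken from the page). Only the
# first and third rules carry a <disabled> element, mirroring the quirk explained above.
RULEBASE = """<rules>
 <entry name="allow-web"><from><member>Trust</member></from><to><member>DMZ</member></to>
  <destination><member>webserver</member></destination><tag><member>web</member></tag>
  <disabled>no</disabled></entry>
 <entry name="vpn-users"><from><member>Untrust</member></from><to><member>Trust</member></to>
  <destination><member>any</member></destination><tag><member>vpn</member></tag></entry>
 <entry name="legacy-block"><from><member>Trust</member></from><to><member>Untrust</member></to>
  <destination><member>any</member></destination><disabled>yes</disabled></entry>
</rules>"""

# One filter term: (field op 'value'); field is an XML path under the rule, e.g. from/member.
TERM = re.compile(r"\(\s*([\w/-]+)\s+(eq|neq|contains)\s+'([^']*)'\s*\)")

def match_term(entry, path, op, value):
    """Evaluate one term against a single <entry>; every comparison is case-sensitive."""
    if path == "name":
        values = [entry.get("name")]
    else:
        values = [m.text or "" for m in entry.findall(path)]
    if not values:
        # Element absent from the XML (e.g. no <disabled> line): nothing to compare, so neither
        # eq nor neq matches. That is why (disabled eq 'no') misses never-disabled rules.
        return False
    if op in ("eq", "neq"):
        return (value in values) == (op == "eq")   # exact match of one member
    return any(value in v for v in values)         # contains: substring of any member

def filter_rules(xml_text, query):
    """Return names of rules matching a filter such as
    (from/member eq 'Trust') and (to/member eq 'DMZ'). Terms are joined with and/or and
    evaluated left to right; anything else (e.g. a leading 'not') is rejected."""
    pieces = TERM.split(query)
    terms = [tuple(pieces[i:i + 3]) for i in range(1, len(pieces), 4)]
    joins = [p.strip() for p in pieces[4::4]][:-1]
    if not terms or pieces[0].strip() or pieces[-1].strip() or set(joins) - {"and", "or"}:
        raise ValueError("unsupported filter syntax: " + query)
    hits = []
    for entry in ET.fromstring(xml_text).findall("entry"):
        result = match_term(entry, *terms[0])
        for join, term in zip(joins, terms[1:]):
            nxt = match_term(entry, *term)
            result = (result and nxt) if join == "and" else (result or nxt)
        if result:
            hits.append(entry.get("name"))
    return hits
```

Running `filter_rules(RULEBASE, "(disabled eq 'no')")` returns only allow-web, because vpn-users, although enabled, carries no disabled element at all.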

 

L0 Member

Hi
I would also like to know if it's possible to filter out all unused rules, to be able to generate a report of the unused rules only

 

Cyber Elite

@Anders_Bohman check out the Policy Optimizer in PAN-OS 9.0 :

PAN-OS 9.0 Release Features: Policy Optimizer and App-ID

L1 Bithead

Hi @Anders_Bohman 

 

Did you find a way to filter out the unused rules to generate a report. Please let me know.

 

Thanks.

L1 Bithead

@jpage386 

 

Hey, did you find a way to filter out the unused rules, in order to get a report of the unused rules. Please let me know.

 

Thanks.

L2 Linker

show running rule-use highlight rule-base security type unused vsys vsys1

or

show running rule-use highlight rule-base security type used vsys vsys1

L0 Member

Thank you very much @MarkDufault

L0 Member

Sorry, I did not, I am glad Mark posted.

L0 Member

Sorry for something that might be easy, but I am not successful in searching the rules. I want to search for source ip and destination ip. src: 1.1.1.1 and dst: 2.2.2.2. Can someone please provide the palo syntax to do this? I've tried to just do a search on a source that I see the rule for and when I use this (addr.src in 30.128.32.137) all the rules disappear so clearly this doesn't work. I got this example from https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSlCAK so that knowledgebase article seems to have bad info. Thanks in advance.

Cyber Elite

Hi @Matthew.Sherman 

 

You can't search security rules for random IP addresses, you can only search for exactly (or partially) matching object names

So if you created an object _called_ 1.1.1.1 you'll be able to find it, else the search will turn up empty

 

On the other hand, if you want to find which rule a connection would match, use the troubleshooting tool under the > Device tab

 

L0 Member

Thanks for the response. 

That's not as useful then. Searching by IP allows you to find rules that have networks that include that IP. Checkpoint does this quite well and makes it so you don't have duplicate rules. Although Checkpoint does let you know if you are hiding/shadowing a rule, a search makes it quicker to figure this out. Searching with IPs also helps show you which rules allow traffic for a user that isn't working. Their specific IP might not have a rule but a network might, and you can see what is currently allowed or specifically denied. There are times when traffic isn't making it to the firewall but at least you can see if a rule will allow the traffic once it does make it that far. Does anyone know if this has already been put in for a feature request or should I go ahead and ask my rep? Thanks

L1 Bithead

@Matthew.Sherman 

 

If you can login to the GUI and Monitor>Traffic, we can find the traffic logs. You can select all the columns that can be viewed in that traffic monitor tab. Over there you can check the "rule" column to be displayed, then filter out the Source and Destination IP address. You can find the rule which is allowing/denying the traffic. This process worked for me previously.

 

Hope this helps.

Cyber Elite

@Matthew.Sherman 

You can find matched rules in log for past traffic, traffic debugging tool for expected traffic, and rule usage statistics to see if a rule is being hit or not

 

Plenty of roads leading to Rome 🙂

L4 Transporter

@reaper are these applying to rules only? I am trying to filter the devices under "Panorama | Managed Devices | Summary", but it does not seem to work. You can tag a device, but you don't seem to be able to filter based on the tag?

 

L0 Member

Is there any way to filter all policies whose schedule has expired?

L1 Bithead

Can someone please share a screenshot of how we can filter firewall policy by both source IP address and destination IP address, and possibly by port number as well (like Checkpoint Firewall)?

I can filter policy by just source IP address or just destination IP address but not both at the same time, and we have a large rule base so it takes a long time to trace whether we have an existing firewall rule or not.

L2 Linker

@getjamshedkhan To search for a specific IP you can use  (source/member eq '1.1.1.1') or (destination/member eq '1.1.1.1')

If you are trying to filter a subnet, you can use 'contains' rather than 'eq' as shown here (source/member contains '10.98.6') or (destination/member contains '10.98.6')

 

Also, depending on your needs you might want to change the 'or' to 'and'.

L1 Bithead

So, I am interested in finding all security policies that are lacking an antivirus profile. How can I use filters to do this?

 

I thought I would try something like:

  • (profile-setting/profiles/spyware/member eq 'none')
  • (profile-setting/profiles/spyware/member eq '')
  • (profile-setting/profiles/spyware/member eq ' ')
  • (profile-setting/profiles/spyware/member eq null)

But... no luck. I was able to start filtering for individual profile names, negate them using "neq", and then join more together with "and". But this becomes cumbersome in an environment with many AntiVirus profiles in use and a few or more profile groups also in use.

 

Anyone know of a better way?

 

L7 Applicator

@getjamshedkhan 

You should be able to do what you want with the following string:

( addr.src in x.x.x.x ) and ( addr.dst in y.y.y.y ) and ( port.dst eq zzzz)

L0 Member

Is it possible to search for rules created after a specified date?

L7 Applicator

@Jan-Ivar 
I looked, and although you can see when the rule was created, you cannot search by it. 

At least I have not found out how to do that yet.

 

L0 Member

Can you please share filters for the Objects tab (address, services, address groups etc.) as well

Cyber Elite

Nice!

L0 Member

Hi All.  Does anybody know if there is a way to filter all policies that contain hosts within a certain subnet, when hosts are defined as Addresses/Address Groups, and the names of these objects don't contain the IP address?

L2 Linker

When you define an Address Object you also define an IP address for it.  So even if the name of your Address Object doesn't have the IP address in the name, you can still query the address.  Does this answer your question or am I missing something?
