Tips and Tricks: Filtering the Security Policy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Community Team Member
100% helpful (4/4)

Digging into the depths of policy details can be quite the task, especially after a long and tiring day. But fear not, handy search tools are here to lighten your load!

 

Here's how it works: Simply pop in a keyword related to what you're hunting for. This could be the name of a policy (just squish it into one word), an IP address or object name, maybe an application, or even a service.

 

Keep in mind though, wildcards (like *) aren't supported. You'll need a partial or an exact match.

Add a partial IP address and you'll get all the partial and exact matches in the result:

 

Fig 1_Filtering-the-Security-Policy_palo-alto-networks.png

 

Want to narrow things down even further? You can target your search to specific fields like the source zone or application. And guess what? There’s a super handy drop-down function that sets up your search filter in a snap. Easy-peasy!

 

add to filter.gif

You can also create a search string manually. I've provided a list of all fields below:

 

Name: (name contains 'unlocate-block')

Tags: (tag/member eq 'tagname')

Type: (rule-type eq 'intrazone|interzone')

Source Zone: (from/member eq 'zonename')

Source Address: (source/member eq 'any|ip|object')

Source User: (source-user/member eq 'any|username|groupname')

Hip profile:  (hip-profiles/member eq 'any|profilename')

Destination Zone: (to/member eq 'zonename')

Destination Address: (destination/member eq 'any|ip|object')

Destination User: (destination-user/member eq 'any|username|groupname')

Application: (application/member eq 'any|applicationname|applicationgroup|applicationfilter')

Service: (service/member eq 'any|servicename|application-default')

URL Category: (category/member eq 'any|categoryname')

           This is a destination category, not a URL filtering security profile

Action: (action eq 'allow|drop|deny|reset-client|reset-server|reset-both')

Action send ICMP unreachable: (icmp-unreachable eq 'yes')

Security Profiles:

      (profile-setting/profiles/virus/member eq 'profilename')

      (profile-setting/profiles/spyware/member eq 'profilename')

      (profile-setting/profiles/vulnerability/member eq 'profilename')

      (profile-setting/profiles/url-filtering/member eq 'profilename')

      (profile-setting/profiles/file-blocking/member eq 'profilename')

      (profile-setting/profiles/wildfire-analysis/member eq 'profilegroupname')

      (profile-setting/group/member eq 'profilename')

Disable server response inspection: (option/disable-server-response-inspection eq 'yes')

Log at session start: (log-start eq 'yes|no')

Log at session end: (log-end eq 'yes|no')

Schedule: (schedule eq 'schedulename')

Log Forwarding:  (log-setting eq "forwardingprofilename')

Qos Marking:    (qos/marking/ip-dscp eq 'codepoint')

                            (qos/marking/ip-precedence eq 'codepoint')

                            (qos/marking/follow-c2s-flow eq '')

Description: (description contains '<keyword>')

Disabled policy: (disabled eq yes|no)  

           policies will only respond to 'no' if they have been disabled before

 

As you can see in the examples above the operands are 'contains' and 'eq' (=equals).

Note that you can also use the negate option using the operand 'neq' (=not equals).

For example, here's how you can use the negate option to list all the rules that do NOT have a ALLOW action: (action neq 'allow'):

 

Fig 3_Filtering-the-Security-Policy_palo-alto-networks.png

 

Tag Browser can also come in very handy if you're able to tag all your security policies. It can be used in a similar way as the search function and display only the selected tags.

 

More information and a tutorial video on the Tag Browser can be found here: Tutorial: Tag Browser

 

Hope this was helpful, feel free to ask questions or post remarks below.

 

Thanks for taking time to read this blog.

Don't forget to hit that Like (thumbs up) button and don't forget to subscribe to the LIVEcommunity Blog.

 

Stay Secure,
Kiwi out!

Rate this article:
(1)
Comments
L0 Member

Is there any way to sort and/or filter on the Created and Modified columns?

Community Team Member

Hi @BYates ,

 

You can filter on the columns. Click the arrow next to the column name. From there select "Columns" and you can check/uncheck all the columns you would like to see.

You can also drag/drop the columns to change the order you would like to see.

 

kiwi_0-1716816319465.png

 

As far as I know there is no filter option in the search bar at the top to filter out certain columns that way.

 

Still not what you need ? In that case custom reports also allow you define specific colums in the report.

 

Hope this helps,

-Kim.

L0 Member

Any way to filter for udp protocol?

Community Team Member

Hi @AWAW ,

 

Yes you can use the filter (proto eq udp)

 

Kind regards,

-Kim.

L1 Bithead

If you want to filter for Rule ID which is called UUID the filter is:

(uuid eq xyz)

 

L0 Member

how about searching by modified date?

Community Team Member

Hi @J.Healy ,

 

You can't seem to add a filter based on modified date on the policies tab.

 

However, knowing the modified date should allow you to do a Config Audit (Device tab > Config Audit) for that date/config version and verify all the changes in the config (including the rules).

 

If that doesn't provide you the requested information then a feature request might be in order.

L0 Member

Thank you @kiwi 

L0 Member

Hello @kiwi 

 

How would one filter the security policy view in Panorama by targeted device?

L0 Member

Hello Team, 

Can I create filter to see only rules in specific Device Group. I have device group which have 3 parent Device Groups and there are 500 rules coming from them. This is pre-rules, so every time I have to scroll down to the local rules for the Device Group. Can I filter only for local rules in this Device Group without seeing all the rules coming from parents? 

Kind Regards

  • 30316 Views
  • 10 comments
  • 11 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎01-16-2024 12:30 PM
Updated by: