Adding NAT rule order in Panorama cli

Reply
Highlighted
L0 Member

Adding NAT rule order in Panorama cli

Hi all,

 

I am looking to add around 60+ NAT rules for monitoring over IPsec that requires a policy NAT. I need to have them above another rule in the list for it to work. It is a very messy NAT list that I don't have the freedom to clean up. The NAT entries are being added to a device group in Panorama.

 

Thanks in advance,

 

Danny

Tags (3)
Highlighted
L2 Linker

Hi Danny,

 

As I understand, in short, you want to add 60+ NAT rule to be above an existing rule.

 

If that is the situation, you can configure the new NAT rules, and after you are done, clone this existing NAT rule, you can choose to have the new cloned rule to be after any rule you specify. After you clone it, delete old one.

 

Hope this helps,

Haytham

__________
Thank You Mario! But Our Princess is in Another Castle!
Highlighted
Cyber Elite

That would be the proper way to do it. I don't believe that you can actually do this automatically in the CLI, it's something that you have to modify after. 

I really wouldn't clone your existing rule and move it, just move the NAT rule that you need above the new ones. 

Highlighted
L3 Networker

You can re-order using the CLI but you can't create rules with sequence numbers to place them where you want in the policy. (That would be a nice feature)

So if you really wanted to get the rules in order as you go, you would have to use a 'move' command after creating each nat rule.

Maybe something like this, depending on what order you want things in.

set device-group <groupname> pre-rulebase nat rules NAT1 .......

move device-group <groupname> pre-rulebase nat rules NAT1 before CURRENTNAT (or you could use 'top' instead of 'before' if you want it first)

set device-group <groupname> pre-rulebase nat rules NAT2 .......

move device-group <groupname> pre-rulebase nat rules NAT2 before CURRENTNAT (or you could use 'after NAT1' if you want it beneath)

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!