01-18-2019 05:46 AM
We are using a Palo Alto PA-5220 with PAN-OS 8.0.7 virtual firewall. Using a third tool, we are trying to fetch the policies using the command "show running security-policy". When the command is entered, it stays still and the policies are not shown. It happens sometimes only; other times we are able to fetch the policies correctly. I couldn't find the issue, whether a timeout happens after the command is entered or some other issue is leading to it. Please help.
01-18-2019 02:32 PM
Since you don't mention what this outside tool is or how you are trying to record the CLI output, the only thing I would really test is if this works directly on the CLI reliably. If you are consistently able to get results via the CLI you would have to detail this "third tool" and the process it is using to record the output from the Palo Alto.
01-21-2019 11:11 PM
@BPry Thank you for the valuable comments. I will check that.
08-21-2019 10:56 PM - edited 08-21-2019 10:56 PM
I have a case where a customer has over 5000 rules on a PA-3220. And every time they try running the command "show running security-policy", either from the CLI or via the API, they always get only the first 2664 rules?
08-24-2019 07:44 PM
Hmm. The only platforms that I have with that many rules are 5200 and 7000 series chassis, so I'm not sure if you're running into a platform limit with the 3200? What do you have the output format set to, set or xml? I might be able to duplicate this in a lab unit and verify if it's at least something with the platform or not.
Out of curiosity, what are you attempting to do with the output? Generally, if you are attempting to do a backup or something like that, it's actually easier to set up a script that utilizes the API to export the running-config.xml off of the box.
08-25-2019 11:12 PM
According to the specs (from the FW comparison tool: https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-850,pa-220,pa-3220) the PA-3220 should be able to have 10.000 security rules. The output is in xml format.
They are making an internal app which will check all their firewalls for rules associated with a certain IP.
08-26-2019 12:13 AM
Output format:
"aclIPVT_in_2; index: 2" {
        from INSIDE;
        source [ 10.200.10.116 10.200.10.115 10.200.10.110 10.200.11.0/24 10.200.10.113 10.200.10.112 10.200.10.117 10.200.10.111 10.200.10.0/24 10.200.10.114 ];
        source-region none;
        to OUTSIDE;
        destination [ 10.140.1.15 10.140.1.10 10.140.1.20 ];
        destination-region none;
        user any;
        category any;
        application/service [0:any/tcp/any/49152-65535 1:any/tcp/any/42 2:any/tcp/any/53 3:any/tcp/any/88 4:any/tcp/any/135 5:any/tcp/any/139 6:any/tcp/any/389 7:any/tcp/any/445 8:any/tcp/any/636 9:any/tcp/any/3268 10:any/tcp/any/3269 11:any/tcp/any/1025-5000 12:any/tcp/any/9389 ];
        action allow;
        icmp-unreachable: no
        terminal yes;
}
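The internal app described above has to parse this block-style output and decide whether a given IP falls inside a rule's source or destination, including CIDR entries such as 10.200.11.0/24. The following is an added example written for this thread, not code from the poster or from Palo Alto Networks; it assumes only the output shape shown in the post, and the function names, the `include_any` switch and the two-rule sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's output (not real config):
# two rules, so that a CIDR match, a host match and "any" are all exercised.
SAMPLE = '''"aclIPVT_in_2; index: 2" {
        from INSIDE;
        source [ 10.200.10.116 10.200.11.0/24 ];
        destination [ 10.140.1.15 10.140.1.10 ];
        application/service [0:any/tcp/any/53 1:any/tcp/any/88 ];
        action allow;
        icmp-unreachable: no
}
"deny_guest; index: 3" {
        from GUEST;
        source any;
        destination [ 10.140.1.15 ];
        action deny;
}
'''

RULE_HEADER = re.compile(r'^"(?P<name>[^;"]+);\s*index:\s*(?P<index>\d+)"\s*\{', re.M)

def parse_rules(text):
    """Split the block-style output into one dict per rule."""
    rules = []
    for m in RULE_HEADER.finditer(text):
        body = text[m.end():text.index('}', m.end())]
        fields = {}
        for line in body.splitlines():
            line = line.strip().rstrip(';')
            if line:                       # "key value" -> fields[key] = value
                key, _, value = line.partition(' ')
                fields[key] = value
        # '[ a b ]' -> ['a', 'b']; a bare 'any' -> ['any']
        rules.append({'name': m.group('name'), 'index': int(m.group('index')),
                      'source': fields.get('source', 'any').strip('[] ').split(),
                      'destination': fields.get('destination', 'any').strip('[] ').split(),
                      'action': fields.get('action')})
    return rules

def _covers(addr, tokens, include_any):
    if tokens == ['any']:
        return include_any
    return any(addr in ipaddress.ip_network(t, strict=False) for t in tokens)

def rules_for_ip(text, ip, include_any=False):
    """Names of rules whose source or destination covers ip (host or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return [r['name'] for r in parse_rules(text) if _covers(addr, r['source'], include_any)
            or _covers(addr, r['destination'], include_any)]
```

Comparing `len(parse_rules(output))` against the rulebase size the device reports is a cheap way to catch the truncated output discussed earlier in the thread before the app trusts an incomplete rule list.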