CLI find security rule, known IP address

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

CLI find security rule, known IP address

L2 Linker

I have one question to engineers Paloalto, why from CLI can't find security rules which include example IP address. What is to difficult create that function?

Why such an advanced device does not have such a simple search. Another thing lack this function in CLI is big problem because i must used GUI.

What for is CLI?

11 REPLIES 11

L6 Presenter

Hi,

you can use

test security-policy-match

to find the security rule if you know source ip.

L2 Linker

it doesn't work if your security rule contain field "user"
example:
user cn=net_server ,ou=paloalto,dc=paloalto.org

it is working in my lab

test security-policy-match source-user dc\student1 source 192.168.10.17 destination 0.0.0.0  protocol 1

testrule {

        from any;

        source 192.168.10.17;

        source-region none;

        to any;

        destination any;

        destination-region none;

        user dc\student1;

        category any;

        application/service [ youtube-base/any/any/any youtube-safety-m/any/any/

any youtube-uploadin/any/any/any youtube-posting/any/any/any ];

        action deny;

        terminal no;

}

L2 Linker

Yes i know it's working if use dc\nameuser.

Please use domain group Active Directory

example:

user cn=net_server ,ou=paloalto,dc=paloalto.org

domain group ?

there is no option for group with that command

let me try with group

seems group is not supported.

but maybe there is a way with writing in another format but I don't know that.

L2 Linker

I have about 400 rules which use domain group. domaing group match to security rules.

Example

RED {
        from zone-lan;
        source any;
        source-region none;
        to zone-dmz ;
        destination 192.168.83.105;
        destination-region none;
        user cn=red,ou=paloalto,dc=paloalto.org;
        category any;
        application/service  any/tcp/any/3000;
        action allow;
        terminal yes;

It work's.

I have different way to get the rule, this not answer your question directly - but maybe will be helpfull.

from CLI:

show session all filter source 192.168.1.35

or if you know aplication:

show session all filter application ssh source 192.168.1.35

and next:

show session id XXXXX

you will see in "rule" parametr name of security policy what are you looking for.

regards

Slawek

it gave error with 2 different typing option

Server error : Error: Unknown source-user: 'dc\112'

Server error : Error: Unknown source-user: 'cn=112,cn=users,DN=dc,DC=palo,DC=edu'

There is a rule written for group 112.but it did not work.

Thank you

But you know it is workaround because rule exist in configuration but it is not now used. I see nothing.

  • 4897 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!