10-16-2013 11:14 AM
I have one question for the Palo Alto engineers: why can't I find, from the CLI, the security rules which include an example IP address? What is so difficult about creating that function?
Why does such an advanced device not have such a simple search? Another thing: the lack of this function in the CLI is a big problem because I must use the GUI.
What is the CLI for?
10-18-2013 01:04 AM
It is working in my lab:
test security-policy-match source-user dc\student1 source 192.168.10.17 destination 0.0.0.0 protocol 1
testrule {
from any;
source 192.168.10.17;
source-region none;
to any;
destination any;
destination-region none;
user dc\student1;
category any;
application/service [ youtube-base/any/any/any youtube-safety-m/any/any/
any youtube-uploadin/any/any/any youtube-posting/any/any/any ];
action deny;
terminal no;
}
10-18-2013 01:24 AM
Domain group?
There is no option for group with that command.
10-18-2013 01:27 AM
Let me try with group.
10-18-2013 01:40 AM
Seems group is not supported.
But maybe there is a way by writing it in another format, but I don't know that.
10-18-2013 02:08 AM
I have about 400 rules which use a domain group. The domain group matches the security rules.
Example:
RED {
from zone-lan;
source any;
source-region none;
to zone-dmz ;
destination 192.168.83.105;
destination-region none;
user cn=red,ou=paloalto,dc=paloalto.org;
category any;
application/service any/tcp/any/3000;
action allow;
terminal yes;
}
It works.
10-18-2013 02:14 AM
I have a different way to get the rule; this does not answer your question directly, but maybe it will be helpful.
From the CLI:
show session all filter source 192.168.1.35
or if you know the application:
show session all filter application ssh source 192.168.1.35
and next:
show session id XXXXX
You will see in the "rule" parameter the name of the security policy you are looking for.
Regards,
Slawek
10-18-2013 02:16 AM
It gave an error with 2 different typing options:
Server error : Error: Unknown source-user: 'dc\112'
Server error : Error: Unknown source-user: 'cn=112,cn=users,DN=dc,DC=palo,DC=edu'
There is a rule written for group 112, but it did not work.
10-18-2013 05:09 AM
Thank you.
But you know it is a workaround, because the rule exists in the configuration but it is not used now. I see nothing.
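As an added example (not from the thread and not Palo Alto Networks code): a small Python script that does the search the original question asks for offline, by parsing rule blocks in the brace format shown in the thread's test security-policy-match output and listing every rule whose literal source or destination covers a given IP. It assumes the rule text has already been captured from the firewall (the sample below is constructed), and it does not resolve address-object or zone names.

```python
import ipaddress
import re
# Constructed sample in the brace format of the thread's test security-policy-match output.
SAMPLE = r"""testrule {
source 192.168.10.17;
destination any;
application/service [ youtube-base/any/any/any youtube-posting/any/any/any ];
action deny;
}
RED {
source any;
destination 192.168.83.105;
application/service any/tcp/any/3000;
action allow;
}"""

RULE_RE = re.compile(r"(\S+)\s*\{(.*?)\}", re.S)

def parse_rules(text):
    # {rule_name: {field: [values]}}; a "[ a b ]" list becomes several values
    rules = {}
    for name, body in RULE_RE.findall(text):
        fields = {}
        for stmt in filter(None, (s.strip() for s in body.split(";"))):
            key, _, value = stmt.partition(" ")
            fields[key] = value.strip().strip("[]").split()
        rules[name] = fields
    return rules

def covers(values, ip, include_any):
    # True if a literal address/network in values contains ip; "any" counts only when include_any is set
    for v in values:
        if v == "any" and include_any:
            return True
        try:
            if ip in ipaddress.ip_network(v, strict=False):
                return True
        except ValueError:
            pass  # "any", zone or address-object names are not literals
    return False

def rules_for_ip(text, ip, include_any=False):
    # [(rule_name, [fields])] for every rule whose source or destination covers ip
    ip = ipaddress.ip_address(ip)
    hits = []
    for name, f in parse_rules(text).items():
        where = [k for k in ("source", "destination") if covers(f.get(k, []), ip, include_any)]
        if where:
            hits.append((name, where))
    return hits
```

Calling rules_for_ip with include_any=True also reports rules whose source or destination is any, which is usually what makes a flow hit a broader rule than the one you expected.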