How to find objects and rules using CLI?


L3 Networker

Hello,

I need to know if there is any method to search, based on IP addresses or groups, to find out which rules are using them on the CLI. In other words, how can I use the CLI to search policies in which an IP address or a group of IP addresses is used?

Regards.

6 REPLIES

L5 Sessionator

Pre 3.1, the CLI command test security-policy-match show-all yes source (ip address) will display all security policies that apply to an IP address or source-user. Tab through the command to find the various search options.

In 3.1 the command requires that you specify the application name, source and destination IP address, ports, zone, protocol and user.

Hello

Thank you nrice, I tried the command given, but it seems not to be working: it returns only the rules in which the source and destination addresses are "any", even if I have rules that should be returned based on a specific IP address. Also, it doesn't work on Panorama.

Any idea please, it is so important in case of debugging.

Regards.

L4 Transporter

Hello Asia,

the way to do this is via the traffic logs, by simply filtering them by source IP. This of course can be done from the GUI and from the CLI.

The following command from the cli will also get you what you requested:

> show log traffic src in 10.16.0.110


Time                App             From            Src Port   Source
Rule                Action          To              Dst Port   Destination
                    Src User        Dst User
===============================================================================
2010/03/18 06:15:20 ping            corp-trust      0         10.16.0.110
rule15              allow           corp-untrust    0         10.0.0.253
                    paloaltonetwork
2010/03/18 06:15:20 ping            corp-trust      0         10.16.0.110
rule15              allow           corp-untrust    0         10.0.0.246
                    paloaltonetwork
2010/03/18 06:15:26 dns             corp-trust      55609     10.16.0.110
rule15              allow           corp-untrust    53        10.0.0.246
                    paloaltonetwork
2010/03/18 06:15:26 dns             corp-trust      64021     10.16.0.110
rule15              allow           corp-untrust    53        10.0.0.246
                    paloaltonetwork
2010/03/18 06:15:26 dns             corp-trust      51470     10.16.0.110
rule15              allow           corp-untrust    53        10.0.0.246
                    paloaltonetwork
2010/03/18 06:15:26 dns             corp-trust      64022     10.16.0.110
rule15              allow           corp-untrust    53        10.0.0.246
                    paloaltonetwork
2010/03/18 06:15:26 dns             corp-trust      50010     10.16.0.110
rule15              allow           corp-untrust    53        192.175.48.1
                    paloaltonetwork
2010/03/18 06:15:33 ping            corp-trust      0         10.16.0.110
rule15              allow           corp-untrust    0         10.0.0.252
                    paloaltonetwork
2010/03/18 06:15:33 ping            corp-trust      0         10.16.0.110
rule15              allow           corp-untrust    0         10.0.0.253
                    paloaltonetwork
2010/03/18 06:15:33 ping            corp-trust      0         10.16.0.110
rule15              allow           corp-untrust    0         10.0.0.246
                    paloaltonetwork
2010/03/18 06:15:33 ping            corp-trust      0         10.16.0.110
rule15              allow           corp-untrust    0         10.0.0.247

Notice there are other filtering options after "show log traffic" that you can use other than "src (source ip)".

thanks,

Stephen

Thanks Stephen,

But I'm interested in finding the objects in the configuration. What about the option mentioned by nrice, is it working? Traffic logs don't cover all cases (what about a case in which the object was used in a rule but there was no traffic matching it?).

Regards.

Hello,

Any other idea please, the docs are so poor concerning this.

Regards,

One suggestion:

While in the web UI ==> Policies tab ==> Security rules, you can hit CTRL-F to perform a text search on the entire web page. This requires that your search is an exact match. For example, if a rule has IP address = 192.168.10.0/24, and you search for 192.168.10.8, then it is not an exact match. This will not work if you search for an object name and the rule uses an object group.

Cheers,
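The CTRL-F approach above only finds literal text, so an address contained in a /24 object, or a host hidden two levels deep in a nested address group, is missed. Searching the exported configuration instead of the logs (the gap Asia points out: a rule that references an object but never matched traffic) avoids both problems. The script below is an added example written for this thread, not a PAN-OS tool and not code from any poster. It assumes the XML layout of a running-config export (config/devices/entry/vsys/entry holding address, address-group and rulebase/security/rules), resolves address groups recursively, and reports every rule whose source or destination covers the IP, whether by object, group, or a literal CIDR typed into the rule. The sample configuration inside it is constructed for the demonstration; the function, object and rule names are invented.

```python
"""Search a PAN-OS style XML configuration for security rules that reference
a given IP, directly or through address objects and (nested) address groups.
Added example for this thread; the XML layout is an assumption modelled on a
running-config export, and the sample config below is constructed."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config (not from any real device); names are invented.
SAMPLE_CONFIG = """<config>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
    <entry name="corp-lan"><ip-netmask>10.16.0.0/16</ip-netmask></entry>
    <entry name="host-110"><ip-netmask>10.16.0.110</ip-netmask></entry>
    <entry name="dns-range"><ip-range>10.0.0.240-10.0.0.255</ip-range></entry>
  </address>
  <address-group>
    <entry name="internal"><static><member>corp-lan</member></static></entry>
    <entry name="nested"><static><member>internal</member><member>dns-range</member></static></entry>
  </address-group>
  <rulebase><security><rules>
    <entry name="rule15"><source><member>host-110</member></source>
      <destination><member>dns-range</member></destination></entry>
    <entry name="rule20"><source><member>nested</member></source>
      <destination><member>any</member></destination></entry>
    <entry name="rule30"><source><member>any</member></source>
      <destination><member>192.168.10.0/24</member></destination></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

VSYS = "./devices/entry/vsys/entry"


def load_objects(root):
    """Return (addresses, groups): name -> (kind, value), name -> member list."""
    addresses, groups = {}, {}
    for vsys in root.findall(VSYS):
        for e in vsys.findall("./address/entry"):
            for kind in ("ip-netmask", "ip-range"):
                node = e.find(kind)
                if node is not None and node.text:
                    addresses[e.get("name")] = (kind, node.text.strip())
        for g in vsys.findall("./address-group/entry"):
            groups[g.get("name")] = [m.text.strip() for m in g.findall("./static/member") if m.text]
    return addresses, groups


def value_contains(kind, value, ip):
    """Does an ip-netmask (host or CIDR) or ip-range value cover ip?"""
    if kind == "ip-netmask":
        return ip in ipaddress.ip_network(value, strict=False)
    if kind == "ip-range":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        return lo <= ip <= hi
    return False


def member_contains(member, ip, addresses, groups, seen=None):
    """True if member (object name, group name, or literal CIDR) covers ip.
    Groups are resolved recursively; 'any' is handled by the caller because
    the question is about rules that actually name the address."""
    seen = seen if seen is not None else set()
    if member in seen:  # guard against cyclic group definitions
        return False
    seen.add(member)
    if member in addresses:
        return value_contains(*addresses[member], ip)
    if member in groups:
        return any(member_contains(m, ip, addresses, groups, seen) for m in groups[member])
    try:  # literal IP / CIDR typed straight into the rule
        return value_contains("ip-netmask", member, ip)
    except ValueError:
        return False


def find_rules(config_xml, ip_text):
    """Return sorted (rule, field, member) triples whose member covers ip_text."""
    ip = ipaddress.ip_address(ip_text)
    root = ET.fromstring(config_xml)
    addresses, groups = load_objects(root)
    hits = []
    for vsys in root.findall(VSYS):
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            for field in ("source", "destination"):
                for m in rule.findall(f"./{field}/member"):
                    name = (m.text or "").strip()
                    if name != "any" and member_contains(name, ip, addresses, groups):
                        hits.append((rule.get("name"), field, name))
    return sorted(hits)


if __name__ == "__main__":
    for rule, field, member in find_rules(SAMPLE_CONFIG, "10.16.0.110"):
        print(f"{rule:<8} {field:<12} via {member}")
```

Run against a real export, replace SAMPLE_CONFIG with the file contents; for 10.16.0.110 the sample reports rule15 (source object host-110) and rule20 (source group nested, via internal and corp-lan), and searching 192.168.10.8 finds rule30 through its /24 literal, which an exact-text search would not. Rules with "any" in a field are deliberately not reported, since the thread is about rules that name the address; change the `name != "any"` test if you also want those.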

  • 6220 Views
  • 6 replies
  • 0 Likes