Howto validate security policies for content inspection enabled ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Howto validate security policies for content inspection enabled ?

L1 Bithead

Dear all,

How would it be possible to validate the security policy rules to have all a content inspection profile enabled?

Because the "option" field does not allow to be selected as filter in the editor tab. (as this is the case for e.g. addresses or zones)

Custom reports do also not include the ability to select content profile as an attribute.

Thank you in advance,

Kind regards,

Wim 

5 REPLIES 5

L5 Sessionator

Hi

If you want to filter rules which enables anti-virus profile, named 'default',

you can use following filter

(profile-setting/profiles/virus eq 'default')

Does it help you?

Regards,

Hi emr,

Thanks for reply, your answer is helpful.

For instance, we use a predefined set of security groups (but I didn't mentioned this one in my question)

Though, your feedback is applicable for security groups as well ! 🙂

(profile-setting/group eq 'my-group-reference')

I thought to be smart and use the "NEQ" operator in order to find out all rules WITHOUT a 'my-group-reference', but then, NONE rules are displayed. (suppose is would be the same as (profile-setting/profiles/virus neq 'default')

Do you know perhaps how to inverse the (profile-setting/group eq 'my-group-reference') ?

Thanks again ...

Hi,

I see same result as you saw.

I tried 'neq', 'ne', '!=', '<>', though nothing worked.

From the output of GUI debug, I guess GUI does not have criteria for negate query.

Here is an example:

<request cmd="op" cookie="3832618156237601" target-vsys="vsys1">

  <operations xml="yes">

    <deep-search>

      <address>(from/member neq 'L3-Trust1')</address>

    </deep-search>

  </operations>

</request>

<response status="error" code="17"><msg><line><![CDATA[deep-search -> address Invalid input]]></line></msg></response>

Regards,

L1 Bithead

Damn too bad. A technical shortcoming.

We already asked our PAN SE to apply for a feature request in order to have all operators available through all attribute in the policy rule editor.

Nevertheless, this one might do the job:

1) filter all rules that includes a security profile group, using profile-setting/group eq 'my-group-reference'

2) Once filterd, select all rules listed.

3) Remove the selection criteria from the policy editor.

Now all rules including a security profile group are selected, which should be the majority.

Rules that do not have security group enabled (or different) are not selected.

A visual cross check will indicate the suspected rules.

I must admit that it takes some creative thinking to come to such a nasty solution .. Smiley Happy

Kind regards,

Wim

L7 Applicator

With a little API work, it is possible to "report on the Security rulebase".  I found a good starting point in the devcenter communities, and then tweaked the sed lines to fix a formatting problem.  Here’s a single line that calls the API with curl, and then filters it through xmllint and sed:

curl -k 'https://10.1.1.155/esp/restapi.esp?type=config&key=KEY=&action=show&xpath=devices/entry/vsys/entry/r...' | xmllint --format --recover - | sed 's/<member>//g' | sed 's/<\/member>//g' > PAN_rules_`date "+%Y%m%d"`.xml

That makes a file called: PAN_rules_20120817.xml

The main reason to filter it through xmllint and sed is so that you can import the file directly into Excel.  Excel will automatically build a nice pretty interface that you can filter with some simple point&click action:

This is an easy way to report on things like “show me all rules that might permit inbound SSH” – just select “to trust” and “application any & ssh” and go from there.  The traffic log & custom reports can definitely do this for actual passed traffic, but not for dormant rules.

  • 2983 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!