11-01-2020 09:43 AM
I have to list all deny rules (from the CLI).
The following command "show running security-policy | match index " lists all security rules by name.
For example:
"AllowBrach1IN; index: 1" {
....etc
What I want is:
- deny INBOUND traffic rules only, but regarding entire subnets (those having a CIDR as their destination, like 192.168.1.0/24, etc.)
Is there any way to filter out that type of information?
Thanks,
11-02-2020 09:03 AM
Thanks for your reply.
This is what I get:
superuser@point-1(active-primary)> configure
Entering configuration mode
[edit]
superuser@point-1(active-primary)# show
deviceconfig deviceconfig
mgt-config mgt-config
network network configuration
predefined predefined
shared shared
template template
vsys vsys
| Pipe through a command
<Enter> Finish input
Since I'm a bit scared: does the command you suggested make any changes? I suppose not.
I mean "show rulebase security | match drop". Sorry for being a dummy.
11-10-2020 04:03 AM
Can anyone help me?
I mean, are there any side-effects while entering configuration mode?
My purpose is to list all deny rules only (no changes should be made).
Thanks
11-10-2020 09:13 AM
After doing what you said,
this is the output:
admin_user@FW-1(active-primary)> set cli config-output-format set
admin_user@FW-1(active-primary)> configure
Entering configuration mode
[edit]
admin_user@FW-1(active-primary)# show
deviceconfig deviceconfig
mgt-config mgt-config
network network configuration
predefined predefined
shared shared
template template
vsys vsys
| Pipe through a command
<Enter> Finish input
admin_user@FW-1(active-primary)# show rulebase security |match drop
Invalid syntax.
[edit]
admin_user@FW-1(active-primary)#
Can anyone help me?
11-10-2020 09:17 AM
There appears to be a space missing between the pipe and 'match' (|match should be | match).
The show command in configure mode does not make any changes at all, so it is safe to use.
11-10-2020 09:59 AM
It also looks like you have multiple vsys on that system. If you want to use the entire show command as written, you have to specify the vsys.
show vsys vsysX rulebase security | match drop
Or you could just do show | match drop. This will expand the output but might give results that aren't relevant to what you're looking for.
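Once the set-format output is captured, the filtering the original poster asked for (deny/drop rules only, from the inbound zone, with a literal CIDR destination) is easier off-box than with `| match`. The following is an added example, not code from the thread or from Palo Alto Networks; the one-attribute-per-line sample is constructed and the zone name `untrust` is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of "show rulebase security" after "set cli config-output-format set"
# (one attribute per line; this layout is an assumption, not output from the poster's firewall).
SAMPLE = """\
set vsys vsys1 rulebase security rules AllowBranch1IN from untrust
set vsys vsys1 rulebase security rules AllowBranch1IN to trust
set vsys vsys1 rulebase security rules AllowBranch1IN destination 10.10.10.5
set vsys vsys1 rulebase security rules AllowBranch1IN action allow
set vsys vsys1 rulebase security rules DenyGuestNet from untrust
set vsys vsys1 rulebase security rules DenyGuestNet to trust
set vsys vsys1 rulebase security rules DenyGuestNet destination [ 192.168.1.0/24 192.168.2.0/24 ]
set vsys vsys1 rulebase security rules DenyGuestNet action deny
set vsys vsys1 rulebase security rules "Drop Host Out" from trust
set vsys vsys1 rulebase security rules "Drop Host Out" to untrust
set vsys vsys1 rulebase security rules "Drop Host Out" destination 203.0.113.9
set vsys vsys1 rulebase security rules "Drop Host Out" action drop
"""
LINE = re.compile(r'^set (?:vsys \S+ )?rulebase security rules ("[^"]+"|\S+) (\S+) (.*)$')

def parse_set_rules(text):
    """Return {rule_name: {attribute: [values]}}; bracketed lists become several values."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, attr, value = m.group(1).strip('"'), m.group(2), m.group(3).strip()
            rules[name][attr] = value[1:-1].split() if value.startswith('[') else [value]
    return dict(rules)

def is_subnet(value):
    """True only for a literal network with more than one address (hosts and object names excluded)."""
    try:
        return '/' in value and ipaddress.ip_network(value, strict=False).num_addresses > 1
    except ValueError:
        return False

def deny_subnet_rules(text, from_zone='untrust', deny_actions=('deny', 'drop')):
    """Rules that deny traffic from from_zone toward a literal CIDR destination, sorted by name."""
    return sorted(name for name, r in parse_set_rules(text).items()
                  if r.get('action', [''])[0] in deny_actions
                  and from_zone in r.get('from', [])
                  and any(is_subnet(d) for d in r.get('destination', [])))
```

Rules whose destination is an address object name rather than a literal CIDR are not matched; those objects would have to be resolved from the `address` configuration first.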