02-27-2014 08:30 AM
Good day all,
I am new to Palo Alto so this question might actually seem rather trivial.
Most of my peers configure from the GUI and are not very familiar with the Command line. I am more comfortable with the command line so I am trying to do configurations that way.
If I want to add a source entity to an existing rulebase security rule do I just recreate the rule with the appended information and then when I commit, it will overwrite the existing rule?
For example
when I do a show rulebase security rules existing_policy
I get the following output:
"existing_policy" {
from dmz;
to trust;
source [ serverA serverB serverC ];
destination any;
source-user any;
application any;
service any;
hip-profiles any;
log-start no;
log-end yes;
negate-source no;
negate-destination no;
action allow;
}
If I wanted to add ServerD to the source would I do the following (I don't have a test box to test the commands that is why I am coming here):
set rulebase security rules existing_policy from dmz to trust source [ serverA serverB serverC ServerD ] destination any action allow
Any assistance would be appreciated.
Thanks
Wally
02-27-2014 09:48 AM
Hello Sir,
if you apply # set rulebase security rules existing_policy from dmz to trust source server-D destination any action allow >>>>>>> it will only add to the existing rule: [ serverA serverB serverC ServerD ].
For example:
admin@DADA# show rulebase security rules LAN-ISP
LAN-ISP {
option {
disable-server-response-inspection no;
}
from Trust-LAN;
to Untrust-ISP;
source any; >>>>>>>>>>>>>>>>>>> before the change
destination any;
source-user any;
category any;
application any;
service any;
hip-profiles any;
action allow;
log-start no;
log-end yes;
negate-source no;
negate-destination no;
log-setting SYSLOG-ALL;
}
# set rulebase security rules LAN-ISP from Trust-LAN to Untrust-ISP source 1.1.1.1/32 destination any action allow
admin@DADA# show rulebase security rules LAN-ISP
LAN-ISP {
option {
disable-server-response-inspection no;
}
from Trust-LAN;
to Untrust-ISP;
source [ any 1.1.1.1/32]; >>>>>>>>>>>>>>>>>>> added here
destination any;
source-user any;
category any;
application any;
service any;
hip-profiles any;
action allow;
log-start no;
log-end yes;
negate-source no;
negate-destination no;
log-setting SYSLOG-ALL;
}
Thanks
02-27-2014 10:00 AM
Thanks so much for your reply. So what I should have put in my initial post was that I am actually just adding a destination. So from the code below the destination is to two objects, but I want to add a third, so can I simply say
set rulebase security rules "to NG Sites" destination location3
Will that add the location3 to the destination and leave the current destinations there as well? I don't want to remove any of the current destinations or configurations so want to make sure my syntax is correct. Sorry for my earlier post, I thought I was just showing a general example but should have been more specific.
"to NG Sites" {
option {
disable-server-response-inspection no;
}
from [ DMZ1 DMZ2];
to [ Internal];
source any;
destination [ location1 location2];
source-user any;
application [ dns http-audio soap ssl web-browsing];
service application-default;
hip-profiles any;
log-start no;
log-end yes;
negate-source no;
negate-destination no;
action allow;
}
02-27-2014 10:55 AM
Hello Sir,
You are correct, if you apply CLI command # set rulebase security rules "to NG Sites" destination location3 >>>>>>>>>> This will add the location3 to the destination and leave the current destinations there as well. Please find below example from my test PA firewall:
admin@DADA# show rulebase security rules LAN-ISP
LAN-ISP {
option {
disable-server-response-inspection no;
}
from Trust-LAN; >>>>>>>>>>>>>>>>>>>
to Untrust-ISP; >>>>>>>>>>>>>>>>>>>>
source [ any 1.1.1.1/32];
destination any;
source-user any;
category any;
application any;
service any;
hip-profiles any;
action allow;
log-start no;
log-end yes;
negate-source no;
negate-destination no;
log-setting SYSLOG-ALL;
}
admin@DADA# set rulebase security rules LAN-ISP from trust to untrust >>>>>>>>>>>>>>>>>> Adding new source and destination zone
[edit]
admin@DADA# show rulebase security rules LAN-ISP
LAN-ISP {
option {
disable-server-response-inspection no;
}
from [ Trust-LAN trust]; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Added with the existing zone
to [ Untrust-ISP untrust]; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
source [ any 1.1.1.1/32];
destination any;
source-user any;
category any;
application any;
service any;
hip-profiles any;
action allow;
log-start no;
log-end yes;
negate-source no;
negate-destination no;
log-setting SYSLOG-ALL;
}
[edit]
admin@DADA#
I hope this helps.
Thanks
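An added example, not from this thread or from Palo Alto Networks, that models the behaviour the two replies above describe: it parses the `show rulebase security rules <name>` output format quoted in the posts, applies the append semantics of `set ... <field> <member>`, and reports what was added or removed so the change can be checked before commit. The sample rule text is constructed from the reply's own output; the function names are this example's own. It also flags a list that still contains `any` next to specific members, because `any` still matches everything.

```python
from typing import Dict, List, Tuple

# Constructed sample: the "before" state quoted in the reply above, trimmed.
BEFORE = """LAN-ISP {
option {
disable-server-response-inspection no;
}
from Trust-LAN;
to Untrust-ISP;
source any;
}"""

def parse_rule(text: str) -> Dict[str, List[str]]:
    """Parse 'show rulebase security rules <name>' output into {field: members}.
    Nested blocks such as 'option { ... }' are skipped; scalars and bracketed
    lists are both stored as lists so before/after states compare uniformly."""
    fields: Dict[str, List[str]] = {}
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 1 and line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            value = value.strip()
            # 'source [ a b ];' -> ['a', 'b'];  'source any;' -> ['any']
            fields[key] = value[1:-1].split() if value.startswith("[") else [value]
    return fields

def apply_set(rule, field, member):
    """Model 'set rulebase security rules <name> <field> <member>': append, never replace."""
    members = list(rule.get(field, []))
    if member not in members:
        members.append(member)
    return {**rule, field: members}

def diff_rule(before, after) -> Tuple[List[str], List[str]]:
    """(added, removed) members, to confirm before commit that nothing was dropped."""
    added = [f"{k} {m}" for k, v in after.items() for m in v if m not in before.get(k, [])]
    removed = [f"{k} {m}" for k, v in before.items() for m in v if m not in after.get(k, [])]
    return added, removed

def still_any(rule, field) -> bool:
    """True when 'any' remains alongside specific members (as in the reply's
    'source [ any 1.1.1.1/32]'), so the field still matches everything."""
    members = rule.get(field, [])
    return "any" in members and len(members) > 1
```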