Policy Export



Hello,

Is there a way to export a policy from a PAN device in a readable format? We are in the process of cutting over to a new PAN internet firewall, and all the rules had to be created by hand (from the previous vendor's model). I'm looking for the ability to take what shows in the web UI policy and print it out so that we can more easily review the rules for syntax and other errors, without doing screenshots to PDF. If there is not, can I submit a feature request for that ability? And for objects too. Thanks!

Cheers,

Mike

Accepted solution

Hi Mike,

You can run the following command:

show running security-policy                 (PANOS 3.1)

debug dataplane show security-policy         (PANOS 3.0 and below)

This will display the running rule set that can be copy/pasted off to a text file.

You can also view the configuration, including the policy, in a couple different human readable formats:

admin@pa-4000> set cli config-output-format
  default   default
  set       set
  xml       xml

"default" will show the config in normal curly-brace format, while "set" will show the configuration with the set commands.  This works when the configuration is shown in Config mode:

admin@pa-4000> set cli config-output-format set
admin@pa-4000> configure
Entering configuration mode
[edit]
admin@pa-4000# edit rulebase security
[edit rulebase security]
admin@pa-4000# show
set rulebase security rules "Allow Facebook Webpage" source any
set rulebase security rules "Allow Facebook Webpage" destination any
set rulebase security rules "Allow Facebook Webpage" service any
set rulebase security rules "Allow Facebook Webpage" application facebook-base
set rulebase security rules "Allow Facebook Webpage" action allow
set rulebase security rules "Allow Facebook Webpage" source-user pancademo\finance
set rulebase security rules "Allow Facebook Webpage" source-user "pancademo\server operators"
set rulebase security rules "Allow Facebook Webpage" option disable-server-response-inspection no
set rulebase security rules "Allow Facebook Webpage" negate-source no
set rulebase security rules "Allow Facebook Webpage" negate-destination no
set rulebase security rules "Allow Facebook Webpage" disabled no
set rulebase security rules "Allow Facebook Webpage" log-start no
set rulebase security rules "Allow Facebook Webpage" log-end yes
set rulebase security rules "Allow Facebook Webpage" from trust
set rulebase security rules "Allow Facebook Webpage" to untrust
set rulebase security rules "Allow Facebook Webpage" profile-setting profiles virus alert-all
set rulebase security rules "Allow Facebook Webpage" profile-setting profiles spyware alert-all
set rulebase security rules "Allow Facebook Webpage" profile-setting profiles vulnerability alert-all
set rulebase security rules "Allow Facebook Webpage" profile-setting profiles file-blocking alert-all
set rulebase security rules "Allow Facebook Webpage" profile-setting profiles data-filtering cc
...

admin@pa-4000# run set cli config-output-format default
[edit rulebase security]
admin@pa-4000# show
security {
  rules {
    "Allow Facebook Webpage" {
      source any;
      destination any;
      service any;
      application facebook-base;
      action allow;
      source-user [ pancademo\finance "pancademo\server operators"];
      option {
        disable-server-response-inspection no;
      }
      negate-source no;
      negate-destination no;
      disabled no;
      log-start no;
      log-end yes;
      from trust;
      to untrust;
      profile-setting {
        profiles {
          virus alert-all;
          spyware alert-all;
          vulnerability alert-all;
          file-blocking alert-all;
          data-filtering cc;
        }
      }
    }
...

Cheers,

Kelly
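The set-format output above is already plain text, but a printout of several hundred such lines is still awkward to review rule by rule, which is what the original question was after. The following is an added example, not code from the post or from Palo Alto Networks: it parses set-format security-policy lines into one record per rule, prints a one-line-per-rule summary, and flags the rules a reviewer would want to look at first (any/any/any allow, allow rules with no security profiles, rules that log neither session start nor end, disabled rules). The sample input is constructed from the post's own "Allow Facebook Webpage" rule (abridged) plus an invented, deliberately permissive "Temp Any Any" rule. The post only shows the plain `rulebase security rules` path; handling of the vsys-prefixed and Panorama pre-/post-rulebase paths is an assumption on my part.

```python
"""Parse PAN-OS 'set' format policy output into per-rule records and review it (added example)."""
import re
from collections import OrderedDict, defaultdict

# Constructed sample modelled on the post's "show" output (abridged), plus an
# invented, deliberately permissive "Temp Any Any" rule for the checks to flag.
# Backslashes in user names are literal, exactly as the firewall prints them.
SAMPLE_SET_OUTPUT = r'''
set rulebase security rules "Allow Facebook Webpage" source any
set rulebase security rules "Allow Facebook Webpage" destination any
set rulebase security rules "Allow Facebook Webpage" service any
set rulebase security rules "Allow Facebook Webpage" application facebook-base
set rulebase security rules "Allow Facebook Webpage" action allow
set rulebase security rules "Allow Facebook Webpage" source-user pancademo\finance
set rulebase security rules "Allow Facebook Webpage" source-user "pancademo\server operators"
set rulebase security rules "Allow Facebook Webpage" log-start no
set rulebase security rules "Allow Facebook Webpage" log-end yes
set rulebase security rules "Allow Facebook Webpage" from trust
set rulebase security rules "Allow Facebook Webpage" to untrust
set rulebase security rules "Allow Facebook Webpage" profile-setting profiles virus alert-all
set rulebase security rules "Temp Any Any" source any
set rulebase security rules "Temp Any Any" destination any
set rulebase security rules "Temp Any Any" service any
set rulebase security rules "Temp Any Any" application any
set rulebase security rules "Temp Any Any" action allow
set rulebase security rules "Temp Any Any" log-start no
set rulebase security rules "Temp Any Any" log-end no
'''

# A token is a double-quoted string (names containing spaces) or a run of non-blank
# characters. shlex is avoided on purpose: in POSIX mode it strips the backslash
# from an unquoted pancademo\finance, silently corrupting the user name.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(line)]


def parse_set_rules(text):
    """Return OrderedDict: rule name -> {attribute path: [value, ...]}.

    The attribute path is every token between the rule name and the final value,
    joined with spaces ('profile-setting profiles virus'), so nested settings stay
    distinct. A repeated path (source-user above) collects its values into a list,
    which is how set format expresses list members. The rule name is the token
    after 'security rules', so the plain 'rulebase' path from the post works and
    so do (assumed) vsys-prefixed and Panorama pre-/post-rulebase paths.
    """
    rules = OrderedDict()
    for raw in text.splitlines():
        tokens = tokenize(raw.strip())
        if len(tokens) < 7 or tokens[0] != "set":
            continue
        idx = next((i for i in range(1, len(tokens) - 1)
                    if tokens[i] == "security" and tokens[i + 1] == "rules"), None)
        if idx is None or idx + 4 > len(tokens) - 1:
            continue  # not a rule line, or no attribute/value after the name
        name = tokens[idx + 2]
        path, value = " ".join(tokens[idx + 3:-1]), tokens[-1]
        rules.setdefault(name, defaultdict(list))[path].append(value)
    return rules


def review_rules(rules):
    """First-pass checks a reviewer would make from a printout; returns (rule, finding) pairs."""
    findings = []
    for name, attrs in rules.items():
        allow = attrs.get("action") == ["allow"]
        wide_open = all(attrs.get(k) == ["any"]
                        for k in ("source", "destination", "application", "service"))
        if allow and wide_open:
            findings.append((name, "allows any source/destination/application/service"))
        if allow and not any(p.startswith("profile-setting") for p in attrs):
            findings.append((name, "allow rule with no security profiles attached"))
        if attrs.get("log-end") == ["no"] and attrs.get("log-start") != ["yes"]:
            findings.append((name, "neither session start nor session end is logged"))
        if attrs.get("disabled") == ["yes"]:
            findings.append((name, "rule is disabled"))
    return findings


def render_table(rules):
    """One line per rule, in the order the firewall prints them."""
    columns = ("from", "to", "source", "source-user", "destination",
               "application", "service", "action", "log-end")
    lines = []
    for name, attrs in rules.items():
        cells = ["%s=%s" % (c, ",".join(attrs.get(c, ["-"]))) for c in columns]
        lines.append("%-24s %s" % (name, " ".join(cells)))
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_set_rules(SAMPLE_SET_OUTPUT)
    print(render_table(parsed))
    for rule, finding in review_rules(parsed):
        print("REVIEW %s: %s" % (rule, finding))
```

To use it against a real export, paste the output of `show` (with `config-output-format set`) into a file and pass its contents to `parse_set_rules`; because it keys on `security rules` rather than on the leading `rulebase` token, the same parser should accept per-vsys and Panorama device-group output, though that is an assumption the post does not confirm. The checks are intentionally simple; the point is to review from structured records rather than from screenshots.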



What else would I have to include in the show running security-policy command so that it includes the Virtual System policy? Thanks!

Mike

Hi Mike,

I'm not sure if this answers your question, but I believe you can see the individual running policies for the VSYS by entering the VSYS and running the commands above. To enter a VSYS, use the following command:

set system setting target-vsys <vsys name>

Cheers,

Kelly

How to get the config from Panorama?

Use the same steps to see the policies from the device-group, or see this similar question from earlier this week:

https://live.paloaltonetworks.com/t5/General-Topics/Panorama-Security-Rules-Export-in-Human-Readable...
