03-30-2010 06:52 AM
Hello,
Is there a way to export a policy from a PAN device in a readable format? We are in the process of cutting over a new PAN internet firewall and all the rules had to be created by hand (from the previous vendor model). I'm looking for the ability to take what shows in the webui policy and print it out so that we can more easily review the rules for syntax and other errors - without doing screen shots to PDF. If there is not - can I request a feature request for that ability then? And for objects too. Thanks!
Cheers,
Mike
03-30-2010 08:29 AM
Hi Mike,
You can run the following command:
show running security-policy (PANOS 3.1)
debug dataplane show security-policy (PANOS 3.0 and below)
This will display the running rule set that can be copy/pasted off to a text file.
You can also view the configuration, including the policy, in a couple different human readable formats:
admin@pa-4000> set cli config-output-format
default default
set set
xml xml
"default" will show the config in normal curly-brace format, while "set" will show the configuration with the set commands. This works when the configuration is shown in Config mode:
admin@pa-4000> set cli config-output-format set
admin@pa-4000> configure
Entering configuration mode
[edit]
admin@pa-4000# edit rulebase security
[edit rulebase security]
admin@pa-4000# show
set rulebase security rules "Allow Facebook Webpage" source any
set rulebase security rules "Allow Facebook Webpage" destination any
set rulebase security rules "Allow Facebook Webpage" service any
set rulebase security rules "Allow Facebook Webpage" application facebook-base
set rulebase security rules "Allow Facebook Webpage" action allow
set rulebase security rules "Allow Facebook Webpage" source-user pancademo\finance
set rulebase security rules "Allow Facebook Webpage" source-user "pancademo\server operators"
set rulebase security rules "Allow Facebook Webpage" option disable-server-response-inspection no
set rulebase security rules "Allow Facebook Webpage" negate-source no
set rulebase security rules "Allow Facebook Webpage" negate-destination no
set rulebase security rules "Allow Facebook Webpage" disabled no
set rulebase security rules "Allow Facebook Webpage" log-start no
set rulebase security rules "Allow Facebook Webpage" log-end yes
set rulebase security rules "Allow Facebook Webpage" from trust
set rulebase security rules "Allow Facebook Webpage" to untrust
set rulebase security rules "Allow Facebook Webpage" profile-setting profiles virus alert-all
set rulebase security rules "Allow Facebook Webpage" profile-setting profiles spyware alert-all
set rulebase security rules "Allow Facebook Webpage" profile-setting profiles vulnerability alert-all
set rulebase security rules "Allow Facebook Webpage" profile-setting profiles file-blocking alert-all
set rulebase security rules "Allow Facebook Webpage" profile-setting profiles data-filtering cc
...
admin@pa-4000# run set cli config-output-format default
[edit rulebase security]
admin@pa-4000# show
security {
  rules {
    "Allow Facebook Webpage" {
      source any;
      destination any;
      service any;
      application facebook-base;
      action allow;
      source-user [ pancademo\finance "pancademo\server operators"];
      option {
        disable-server-response-inspection no;
      }
      negate-source no;
      negate-destination no;
      disabled no;
      log-start no;
      log-end yes;
      from trust;
      to untrust;
      profile-setting {
        profiles {
          virus alert-all;
          spyware alert-all;
          vulnerability alert-all;
          file-blocking alert-all;
          data-filtering cc;
        }
      }
    }
    ...
Cheers,
Kelly
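Added example (not part of the original reply, and not Palo Alto Networks code): Python that turns pasted "set"-format output like the above into one CSV row per rule for offline review, with repeated fields such as source-user merged into one cell. The column choice, the `review` criteria and the "Temp Any" rule are assumptions made for illustration.

```python
import csv
import io
import re
# Constructed sample in the "set" format shown above; "Temp Any" is an invented rule.
SAMPLE = r'''
set rulebase security rules "Allow Facebook Webpage" application facebook-base
set rulebase security rules "Allow Facebook Webpage" action allow
set rulebase security rules "Allow Facebook Webpage" source-user pancademo\finance
set rulebase security rules "Allow Facebook Webpage" source-user "pancademo\server operators"
set rulebase security rules "Allow Facebook Webpage" log-end yes
set rulebase security rules "Temp Any" source any
set rulebase security rules "Temp Any" destination any
set rulebase security rules "Temp Any" application any
set rulebase security rules "Temp Any" action allow
'''
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted string or a bare word
PREFIX = ["set", "rulebase", "security", "rules"]
COLUMNS = ["source", "source-user", "destination", "application", "action", "log-end"]

def parse_rules(text):  # -> {rule name: {field path: [values]}}
    rules = {}
    for line in text.splitlines():
        # shlex.split would eat the backslash in DOMAIN\user, so tokenize by hand
        tok = [bare or quoted for quoted, bare in TOKEN.findall(line)]
        if tok[:4] != PREFIX or len(tok) < 7:
            continue  # prompts, "[edit ...]" banners, "..." and blank lines
        name, path, value = tok[4], ".".join(tok[5:-1]), tok[-1]
        rules.setdefault(name, {}).setdefault(path, []).append(value)
    return rules

def review(fields):  # review criteria are assumptions, not from the thread
    notes = []
    if fields.get("action") == ["allow"] and all(
            fields.get(k) == ["any"] for k in ("source", "destination", "application")):
        notes.append("allow any/any/any")
    if fields.get("log-end") != ["yes"]:
        notes.append("no log-end")
    return notes

def to_csv(rules):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["rule"] + COLUMNS + ["review"])
    for name, fields in rules.items():
        cells = ["; ".join(fields.get(c, [])) for c in COLUMNS]
        writer.writerow([name] + cells + ["; ".join(review(fields))])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(parse_rules(SAMPLE)))
```

Nested settings keep their full path as the field name (for example `profile-setting.profiles.virus`), so they can be added to `COLUMNS` as needed.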
01-19-2011 06:32 AM
What else would I have to include in the show running security-policy command that will include the Virtual System policy? Thanks!
Mike
03-11-2011 09:44 AM
Hi Mike,
I'm not sure if this answers your question, but I believe you can see the individual running policies for the VSYS by entering into the VSYS and running the commands above. To enter a VSYS, use the following command:
set system setting target-vsys <vsys name>
Cheers,
Kelly
05-10-2018 09:28 AM
How to get the config from Panorama?
05-10-2018 09:39 AM
Use the same steps to see the policies from the device-group, or see this similar question from earlier this week.