Same CLI commands with different cli output for Palo Alto Firewall


L1 Bithead

hi,

I am experiencing strange behavior on 3 Palo Alto Firewalls. The same 2 CLI commands are used to check whether the firewall has the implicit deny rule and logging in place. The commands are as follows:
#show rulebase default-security-rules interzone-default | match action

#show rulebase default-security-rule interzone-default | match log

However, the 3 PA Firewalls show different CLI output. Has anyone experienced this before, and what could be the possible problem causing this to happen? Is there any solution to show the correct CLI output?

[screenshot] Palo Alto Version 7.1.19 - Shows Invalid Syntax [But in GUI, the implicit deny rule and logging are in place]

[screenshot] Palo Alto Version 7.1.19 - This is the correct output

[screenshot] Palo Alto Version 8.0.19 - No Output at all [But in GUI, the implicit deny rule and logging are in place]

Accepted Solution

Cyber Elite

The one where you get a syntax error may be a typo; if you shorten the command and use tab to autocomplete, you will see where it snags.

The one where you get no output means that the rules are still default: default settings do not show up in the config file.

The one where you do see output means someone tinkered with the default rules and now they are included in the config file (even changing them, committing and then putting them back to default will keep them in the config file).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite

7.1 is about to go end of life, so better plan upgrades, by the way 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

RE: the one where you get a syntax error may be a typo, if you shorten the command and use tab to autocomplete to see where it snags
As you said, when I type "show" in configuration mode, the correct output by right should be the whole chunk of deviceconfig information, but apparently it shows only a few options. So I presume it was due to a permission issue causing the invalid syntax.

RE: The one where you get no output means that the rules are still default: default settings do not show up in config file
For this, what do you mean by the rules are still default? I actually do see interzone rules in this syntax, except that the action deny and all the log* settings are not in. I thought by default (implicit deny) interzone-default should be denied?
default-security-rules {
  rules {
    interzone-default

Noted on the upgrades 🙂
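As an added illustration of the point made in the accepted solution (untouched default rules are omitted from the config, so `| match action` returning nothing is not a missing deny) and of the config snippet in the reply above, here is a Python audit helper that is not code from the thread or from Palo Alto Networks. It reads `show rulebase default-security-rules` output, layers the factory defaults under whatever is explicitly set, and flags only what is actually weak; it assumes the PAN-OS factory defaults for interzone-default are deny with logging off, and the sample outputs are constructed, not taken from the screenshots.

```python
import re

# Factory defaults for the interzone-default rule. Assumption: PAN-OS ships it as
# deny with logging off, and defaults are omitted from the running config, so an
# absent line means "still default", not "unset". Verify against your release.
INTERZONE_DEFAULTS = {"action": "deny", "log-start": "no", "log-end": "no"}

def extract_rule_block(config_text, rule="interzone-default"):
    """Body of `rule { ... }` with nested braces honoured; '' if the node is
    absent or childless (rendered as `interzone-default;`)."""
    m = re.search(r"\b" + re.escape(rule) + r"\s*([{;])", config_text)
    if not m or m.group(1) == ";":
        return ""
    depth = 0
    for i in range(m.end() - 1, len(config_text)):
        depth += {"{": 1, "}": -1}.get(config_text[i], 0)
        if depth == 0:
            return config_text[m.end():i]
    raise ValueError("unbalanced braces in config output")

def effective_interzone_settings(config_text):
    """Explicit leaves layered over the factory defaults, plus which were explicit."""
    body = extract_rule_block(config_text)
    explicit = dict(re.findall(r"^\s*(action|log-start|log-end)\s+(\S+);", body, re.M))
    return {**INTERZONE_DEFAULTS, **explicit, "explicit": sorted(explicit)}

def audit_interzone(config_text):
    """Findings list; empty means deny plus session-end logging are in effect."""
    s = effective_interzone_settings(config_text)
    findings = []
    if s["action"] != "deny":
        findings.append("interzone-default action is %s, expected deny" % s["action"])
    if s["log-end"] != "yes":
        findings.append("interzone-default does not log at session end")
    return findings

# Constructed sample outputs of `show rulebase default-security-rules` (not the
# thread's screenshots): an untouched box, and one where the rule was edited.
UNTOUCHED = "default-security-rules {\n  rules {\n    interzone-default;\n  }\n}\n"
MODIFIED = ("default-security-rules {\n  rules {\n    interzone-default {\n"
            "      action deny;\n      log-end yes;\n    }\n  }\n}\n")

if __name__ == "__main__":
    for name, cfg in (("untouched", UNTOUCHED), ("modified", MODIFIED)):
        print(name, effective_interzone_settings(cfg), audit_interzone(cfg))
```

On the untouched box the helper reports deny as in effect but logging disabled, which is the finding a grep for `log` would have hidden behind an empty result.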
