Same CLI commands with different cli output for Palo Alto Firewall

L1 Bithead

Hi,

I am experiencing strange behavior on 3 Palo Alto firewalls. I use the same 2 CLI commands to check whether the firewall has the implicit deny rule and logging in place. The commands are as follows:
#show rulebase default-security-rules interzone-default | match action

#show rulebase default-security-rule interzone-default | match log

However, the 3 PA firewalls show different CLI output. Has anyone experienced this before, and what could be the possible problem causing this to happen? Is there any solution to show the correct CLI output?

Palo Alto Version 7.1.19 - Shows Invalid Syntax [But in the GUI, the implicit deny rule and logging are in place]

Palo Alto Version 7.1.19 - This is the correct output

Palo Alto Version 8.0.19 - No Output at all [But in the GUI, the implicit deny rule and logging are in place]


Accepted Solutions
L7 Applicator

Re: Same CLI commands with different cli output for Palo Alto Firewall

The one where you get a syntax error may be a typo; if you shorten the command and use tab to autocomplete, you can see where it snags.

The one where you get no output means that the rules are still default: default settings do not show up in the config file.

The one where you do see output means someone tinkered with the default rules and now they are included in the config file (even changing them, committing and then putting them back to default will keep them in the config file).

reaper - PANgurus.com
I drink and I know things


All Replies
L7 Applicator

Re: Same CLI commands with different cli output for Palo Alto Firewall

7.1 is about to go end of life, so better plan upgrades, by the way

reaper - PANgurus.com
I drink and I know things
L1 Bithead

Re: Same CLI commands with different cli output for Palo Alto Firewall

RE: The one where you get a syntax error may be a typo; if you shorten the command and use tab to autocomplete, you can see where it snags.
As you said, when I type "show" in configuration mode, the correct output should by rights be a whole chunk of deviceconfig information, but apparently it shows only a few options. So I presume a permission issue was causing the invalid syntax.
RE: The one where you get no output means that the rules are still default: default settings do not show up in the config file.
For this, what do you mean by the rules are still default? I actually do see interzone rules in this syntax, except that action deny and all the log* settings are not in. I thought by default (implicit deny) interzone-default should be denied?
default-security-rules {
rules {
interzone-default

L1 Bithead

Re: Same CLI commands with different cli output for Palo Alto Firewall

Noted on the upgrades
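
An added example, not part of the original thread and not Palo Alto code: the accepted answer's point that unmodified default-rule settings are absent from the config file, written as a Python check that reads brace-format configuration text (the format quoted in the follow-up post) and reports each interzone-default setting as explicit or predefined. The function names, the constructed sample configs and the PREDEFINED fallback values (deny, no logging) are assumptions to verify against your PAN-OS version.

```python
# Assumption: values PAN-OS applies when a key is absent from the config.
PREDEFINED = {"action": "deny", "log-start": "no", "log-end": "no"}
RULE_PATH = ["default-security-rules", "rules", "interzone-default"]

def explicit_settings(config_text):
    """Return key/value pairs set directly under interzone-default."""
    stack, found = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())      # entering a block
        elif line == "}":
            if stack:
                stack.pop()                      # leaving a block
        elif line.endswith(";") and stack[-len(RULE_PATH):] == RULE_PATH:
            key, _, value = line[:-1].partition(" ")
            found[key] = value.strip()
    return found

def effective_rule(config_text):
    """Map each audited key to (value, 'explicit' | 'predefined')."""
    explicit = explicit_settings(config_text)
    return {key: (explicit.get(key, default),
                  "explicit" if key in explicit else "predefined")
            for key, default in PREDEFINED.items()}

# Constructed sample: rule entry present, but action and log-start untouched.
PARTIAL = """
rulebase {
  default-security-rules {
    rules {
      intrazone-default {
        action allow;
      }
      interzone-default {
        log-end yes;
      }
    }
  }
}
"""
# Constructed sample: no override at all, so "| match" prints nothing.
UNTOUCHED = "rulebase {\n  security {\n  }\n}\n"

if __name__ == "__main__":
    for name, cfg in (("partial", PARTIAL), ("untouched", UNTOUCHED)):
        print(name, effective_rule(cfg))
```

An audit that treats empty `| match` output as "rule missing" would misreport the untouched case; reading the effective value with its source avoids that.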
