02-03-2020 07:16 PM - edited 02-03-2020 07:18 PM
Hi,
I am experiencing strange behavior on 3 Palo Alto firewalls. I run the same 2 CLI commands to check whether the firewall has the implicit deny rule and logging in place. The commands are as follows:
#show rulebase default-security-rules interzone-default | match action
#show rulebase default-security-rule interzone-default | match log
However, the 3 PA firewalls show different CLI output. Has anyone experienced this before, and what could be the possible problem causing this? Is there any solution to show the correct CLI output?
Palo Alto Version 7.1.19 - Shows Invalid Syntax [But in GUI, the implicit deny rule and logging are in place ]
Palo Alto Version 7.1.19 - This is the correct output
Palo Alto Version 8.0.19 - No Output at all [But in GUI, the implicit deny rule and logging are in place ]
02-04-2020 12:52 AM
The one where you get a syntax error may be a typo; if you shorten the command and use tab to autocomplete, you can see where it snags.
The one where you get no output means that the rules are still default: default settings do not show up in the config file.
The one where you do see output means someone tinkered with the default rules and now they are included in the config file (even changing them, committing, and then putting them back to default will keep them in the config file).
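The reply above turns on one rule of thumb: a setting that is absent from the config-mode output is at its factory default, and a setting that has been touched stays in the config even after it is set back. The script below is an added example (not part of this thread and not Palo Alto's tooling) that applies that rule to pasted output of `show rulebase default-security-rules`. It assumes the brace-style layout the poster quoted later in the thread (`default-security-rules { rules { interzone-default { ... } } }` with `key value;` lines), and it assumes the factory defaults for the two default rules are deny/no logging for interzone-default and allow/no logging for intrazone-default; check both assumptions against your own PAN-OS release. The sample config text is constructed for the example.

```python
import re

# Factory defaults this example assumes for the two PAN-OS default rules
# (verify against your release's documentation): interzone-default denies
# without logging, intrazone-default allows without logging. Any key not
# explicitly present in the config falls back to these values.
FACTORY_DEFAULTS = {
    "interzone-default": {"action": "deny", "log-start": "no", "log-end": "no"},
    "intrazone-default": {"action": "allow", "log-start": "no", "log-end": "no"},
}

RULE_NAMES = tuple(FACTORY_DEFAULTS)


def parse_explicit_settings(config_text):
    """Parse brace-style config-mode output (assumed layout, see lead-in) and
    return {rule_name: {key: value}} holding only settings literally present
    in the config. Nested sub-blocks inside a rule (e.g. profile-setting {...})
    are skipped rather than parsed."""
    explicit = {}
    current = None  # name of the rule whose block we are inside
    depth = 0       # brace depth relative to the start of that rule block
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current is None:
            # A rule either opens a block ("interzone-default {") or shows up
            # as a bare terminated name with nothing set ("interzone-default;").
            m = re.match(r"^(%s)\s*(\{|;)?$" % "|".join(RULE_NAMES), line)
            if m:
                explicit[m.group(1)] = {}
                if m.group(2) == "{":
                    current, depth = m.group(1), 1
            continue
        if line.endswith("{"):      # nested block: track it, don't read it
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:          # back out of the rule block
                current = None
            continue
        if depth == 1 and line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            explicit[current][key] = value.strip()
    return explicit


def audit_default_rules(config_text):
    """For each default rule report whether it appears in the config at all,
    which keys are explicitly set (even if set back to the factory value),
    and the effective action/logging after applying the factory defaults.
    Empty output (the 'no output at all' case) is reported as fully default."""
    explicit = parse_explicit_settings(config_text)
    report = {}
    for name, defaults in FACTORY_DEFAULTS.items():
        overrides = explicit.get(name, {})
        effective = dict(defaults)
        effective.update({k: v for k, v in overrides.items() if k in effective})
        report[name] = {
            "in_config": name in explicit,
            "explicit": sorted(overrides),
            "effective": effective,
        }
    return report


def rules_not_logging(report):
    """Default rules whose sessions are not logged at session end, i.e. where
    traffic hitting the implicit deny leaves no trace in the traffic log."""
    return [n for n, r in report.items() if r["effective"]["log-end"] != "yes"]


# Constructed sample: a box where someone enabled logging on both default
# rules and (redundantly) set interzone-default back to deny.
SAMPLE_TINKERED = """\
default-security-rules {
  rules {
    interzone-default {
      action deny;
      log-end yes;
      profile-setting {
        group default;
      }
    }
    intrazone-default {
      log-end yes;
    }
  }
}
"""

# Constructed sample: a box where `show` prints nothing for the default rules.
SAMPLE_UNTOUCHED = ""

if __name__ == "__main__":
    for label, text in (("tinkered", SAMPLE_TINKERED), ("untouched", SAMPLE_UNTOUCHED)):
        rep = audit_default_rules(text)
        print(label, rep, "not logging:", rules_not_logging(rep))
```

Feed it the output of `show rulebase default-security-rules` from each firewall: a rule listed under `explicit` is one that somebody changed at some point, an empty `explicit` list with `in_config` false is the untouched case the reply describes, and `rules_not_logging` flags the box where the implicit deny exists but would never show up in the traffic log.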
02-04-2020 12:54 AM
7.1 is about to go end of life, so better plan upgrades, by the way 😉
02-04-2020 05:37 PM - edited 02-04-2020 05:37 PM
RE: The one where you get a syntax error may be a typo; if you shorten the command and use tab to autocomplete, you can see where it snags.
As you said, when I type "show" in configuration mode, the correct output should rightly be the whole chunk of deviceconfig information, but apparently it shows only a few options. So I presume it was a permission issue causing the invalid syntax.
RE: The one where you get no output means that the rules are still default: default settings do not show up in the config file.
For this, what do you mean by the rules are still default? I actually do see the interzone rule in this output, except that the action deny and all the log* settings are not in it. I thought by default (implicit deny) interzone-default should be deny?
default-security-rules {
rules {
interzone-default
02-04-2020 05:38 PM
Noted on the upgrades 🙂