Security rule says disabled no for an enabled policy


L3 Networker

I have 2 firewalls with identical config running the same PAN-OS. The policy in question is enabled on both firewalls.

But one firewall has an extra line in the CLI (which is picked up in the daily diff):

set rulebase security rules "rule name" disabled no - So it is saying the policy is not disabled but enabled.

Why is it showing only for 1 enabled policy and not for all the other enabled policies, or on the 2nd firewall with identical config?

1 accepted solution

Accepted Solutions

L4 Transporter

Hello


The value of "disabled" is set to "no" as a default value. You will only see the "disabled" keyword if you had disabled the rule (where the key-value pair "disabled" - "yes" was added). Re-enabling the rule changes the value to "no" (instead of removing the line).


4 REPLIES

Community Team Member

HI @inderjit21 ,


Can you share a snippet of both CLI outputs?

LIVEcommunity team member
Stay Secure,
Jay

L3 Networker

Below is the config for the policy in question. The only difference is that one firewall has an additional last line.

Policy is enabled on both the firewalls.


set rulebase security rules "rule_name" profile-setting group group_name
set rulebase security rules "rule_name" to outside
set rulebase security rules "rule_name" from inside
set rulebase security rules "rule_name" source source_name
set rulebase security rules "rule_name" destination [ urls ]
set rulebase security rules "rule_name" source-user any
set rulebase security rules "rule_name" category any
set rulebase security rules "rule_name" application any
set rulebase security rules "rule_name" service [ https "tcp-8686" ]
set rulebase security rules "rule_name" source-hip any
set rulebase security rules "rule_name" destination-hip any
set rulebase security rules "rule_name" action allow
set rulebase security rules "rule_name" description *****
set rulebase security rules "rule_name" log-setting panorama
set rulebase security rules "rule_name" disabled no


Cyber Elite

@inderjit21,

Just to add on to the correct answer @JoergSchuetter already gave, you can safely remove it completely if it bugs you to have that difference between the two units. As mentioned, if not present in the configuration that is the default assumed value.
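As an added example (not code from the thread's posters or from Palo Alto Networks), the Python below normalizes two set-format exports before diffing them, dropping the leftover "disabled no" line the accepted answer explains so a daily diff only flags real drift, and separately lists rules that are actually disabled ("disabled yes"). The regex, the function names and the two sample exports are assumptions for illustration.

```python
import difflib
import re
# Matches one line of PAN-OS "set" format for a security rule, e.g.
#   set rulebase security rules "rule_name" disabled no
SET_RULE_RE = re.compile(
    r'^set rulebase security rules "(?P<name>[^"]+)" (?P<key>\S+)(?: (?P<value>.*))?$'
)

def rule_setting(line):
    """Return (name, key, value) for a security-rule set line, else None."""
    m = SET_RULE_RE.match(line.strip())
    return (m.group("name"), m.group("key"), (m.group("value") or "").strip()) if m else None

def is_implicit_default(line):
    """True for lines that restate a default PAN-OS omits unless the setting was
    changed and later restored. Only 'disabled no' is covered here, as in the
    thread; add other defaults only after verifying them on your release."""
    parsed = rule_setting(line)
    return parsed is not None and parsed[1:] == ("disabled", "no")

def normalize_set_config(text):
    """Drop blank and implicit-default lines, then sort so ordering differences
    between exports do not show up as drift."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    return sorted(ln for ln in lines if ln and not is_implicit_default(ln))

def diff_rulebases(cfg_a, cfg_b, normalize=True):
    """Unified diff of two set-format exports; an empty list means no real drift.
    normalize=False reproduces the noisy raw comparison a daily diff job sees."""
    a = normalize_set_config(cfg_a) if normalize else cfg_a.splitlines()
    b = normalize_set_config(cfg_b) if normalize else cfg_b.splitlines()
    return list(difflib.unified_diff(a, b, "fw1", "fw2", lineterm=""))

def disabled_rules(text):
    """Names of rules that are really disabled ('disabled yes'): the only
    state worth alerting on, whereas 'disabled no' is merely a leftover."""
    found = [rule_setting(ln) for ln in text.splitlines()]
    return [p[0] for p in found if p and p[1:] == ("disabled", "yes")]

# Constructed sample exports (not real firewall output): the same rule on both
# units, with fw2 carrying the leftover "disabled no" line from the thread.
FW1 = ('set rulebase security rules "rule_name" from inside\n'
       'set rulebase security rules "rule_name" to outside\n'
       'set rulebase security rules "rule_name" action allow\n')
FW2 = FW1 + 'set rulebase security rules "rule_name" disabled no\n'
FW3 = FW1 + 'set rulebase security rules "rule_name" disabled yes\n'

if __name__ == "__main__":
    print("\n".join(diff_rulebases(FW1, FW2, normalize=False)) or "no raw differences")
    print("\n".join(diff_rulebases(FW1, FW2)) or "no real drift after normalizing")
```

Run against the two exports from the thread, the raw diff shows only the extra "disabled no" line while the normalized diff is empty.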
