Security rule says disabled no for an enabled policy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security rule says disabled no for an enabled policy

L3 Networker

I have 2 firewalls with identical config running same PANOS. The policy in question is enabled on both the firewalls.

But one firewall has an extra line in cli( which is picked in daily diff)

set rulebase security rules "rule name" disabled no - So it is saying policy is not disabled but enabled.

Why is it showing only for 1 enabled policy and not for all other enabled policies or on 2nd firewall with identical config.

1 accepted solution

Accepted Solutions

L4 Transporter

Hello

 

The value of "disabled" is set to "no" as a default value. You will only see the "disabled" keyword if you had disabled the rule (where the key-value pair "disabled" - "yes" was added). Re-enabling the rule changes the value to "no" (instead of removing the line).

View solution in original post

4 REPLIES 4

Community Team Member

HI @inderjit21 ,

 

Can you share a snippet of both CLI outputs?

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L3 Networker

Below is the config for policy in question. Only difference is 1 firewall has addtional last line.

Policy is enabled on both the firewalls.

 

set rulebase security rules "rule_name" profile-setting group group_name
set rulebase security rules "rule_name" to outside
set rulebase security rules "rule_name" from inside
set rulebase security rules "rule_name" source source_name
set rulebase security rules "rule_name" destination [ urls ]
set rulebase security rules "rule_name" source-user any
set rulebase security rules "rule_name" category any
set rulebase security rules "rule_name" application any
set rulebase security rules "rule_name" service [ https "tcp-8686" ]
set rulebase security rules "rule_name" source-hip any
set rulebase security rules "rule_name" destination-hip any
set rulebase security rules "rule_name" action allow
set rulebase security rules "rule_name" description *****
set rulebase security rules "rule_name" log-setting panorama
set rulebase security rules "rule_name" disabled no

L4 Transporter

Hello

 

The value of "disabled" is set to "no" as a default value. You will only see the "disabled" keyword if you had disabled the rule (where the key-value pair "disabled" - "yes" was added). Re-enabling the rule changes the value to "no" (instead of removing the line).

Cyber Elite
Cyber Elite

@inderjit21,

Just to add on to the correct answer @JoergSchuetter already gave, you can safely remove it completely if it bugs you to have that difference between the two units. As mentioned, if not present in the configuration that is the default assumed value. 

  • 1 accepted solution
  • 2443 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!