05-28-2013 11:40 AM
Hello
I have 400 security rules; how can I find a security rule using the CLI?
I know only the IP address.
05-28-2013 12:14 PM
It'll be difficult in the CLI, as the grep lookup will skip the rule name while it scours for the value (IP address), as shown below.
admin@PA-200> show running security-policy
"test group" {
from L3_Trust;
source any;
source-region none;
to L3_Untrust;
destination any;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
terminal yes;
}
no_custom_cat {
from L3_Trust;
source any;
source-region none;
to L3_Untrust;
destination 130.199.4.27;
destination-region none;
user any;
category any;
application/service any/tcp/any/21;
action allow;
terminal yes;
}
"iPad Mini" {
from L3_Trust;
source 172.16.20.211;
source-region none;
to L3_Untrust;
destination any;
destination-region none;
user any;
category bnl;
/196 <==== On the CLI, I've pressed the '/196' keys to search for that IP octet.
I'm then provided the first hit w/ the output below.
...skipping...
source 196.165.14.2;
source-region none;
to L3_Untrust;
destination any;
destination-region none;
user any;
category bnl;
application/service any/any/any/any;
action allow;
terminal yes;
You could, however, output the running security policy command to a text file and perform a ctrl+f as a recourse in looking up one of your 400 security rules.
05-28-2013 02:46 PM
Hi,
Also if you have GUI access you can just type in the ip address and it will bring up all the rules matching that ip address.
For example:
Hope this helps.
Thank you
06-04-2013 10:45 AM
You could change the output format of the show commands in config mode; it might help you narrow it down more easily:
admin@PA-200> set cli config-output-format set
admin@PA-200> configure
admin@PA-200# show rulebase security rules
06-26-2013 07:15 AM
The best way is to use
test security-policy-match
This will give you the matching rule directly in the output.
08-27-2013 11:58 AM
Why is the search of the GUI not implemented in the CLI? Coming from another firewall implementation, the filtering of the rulebase is the one thing I miss most.
Best would be an operational command like
> show security rules from untrust to trust dst-ip 10.10.10.10
But the filtering syntax of the GUI search would also be acceptable.
08-29-2013 02:27 AM
I am still thinking about this problem. JunOS has the same problem out of the box, but for JunOS I found the possibility of using so-called op-scripts. Here is the link to the example usable for JunOS:
policy-test - Juniper Networks
Now my idea would be to use the PAN-OS API to do something similar, but I don't know whether it is possible to use the API from the CLI interface? Does anybody know?
Thanks
Winfried
10-02-2013 08:18 AM
Thank you for the answer.
I tested; you cannot find an IP address. For example:
1. test security-policy-match - Does not work if your policy rule has source-user; you can't find the policy in which the IP is used.
2. admin@PA-200> set cli config-output-format set - It is almost OK if you can use | match IP_ADDRESS
3. GUI and txt file: no comments
I have two solutions:
- Juniper:
root@router# show interfaces | display set | match 47
set interfaces ge-0/0/47 ether-options 802.3ad ae0
set interfaces ge-1/0/47 ether-options 802.3ad ae0
- If I could use a pipe ( | ) in exec mode
02-05-2015 01:54 AM
Correct answer is
show running security-policy | match {\|destination{\|10.3.83.13
12-26-2023 02:32 PM
It is a Palo Alto-style regular expression (regex) for filtering output with the "match" command on the CLI. Specifically, the CLI "show running security-policy" command will show all the Security Policies on the Palo Alto. The output of that is piped to the "match" command with the regex filter "{\|destination{\|10.3.83.13". This will match any line of the show command output that matches "{" or "destination{" or "10.3.83.13".
The pipe "|" is also the OR operator in the regex, so it must be escaped as "\|" to be interpreted as an OR in the CLI, instead of as a pipe to another command. The filter is also a bit weird, as the "{" is half of another regex "{nn}" which will match nn number of characters... but apparently, since the opening "{" bracket is not immediately followed by a number and a closing "}" bracket, I guess it doesn't get interpreted as a regex. Note that I also think the "destination{" is wrong in this example, as it would match "destination" explicitly followed by a "{", which doesn't exist in the show command output. (Perhaps it did in an earlier version of PAN-OS? This thread is 10 years old at this point.)
Because the "show" command outputs the Security Policies as multiple lines for the same policy and "match" only matches single lines, the given filter is kind of a hack to find all policies which might match the terms. It doesn't show just the policy with all the matching terms. So if you run a "show running security-policy" command you get an output with the entire policy set:
admin@PA(active)> show running security-policy
"Allow Trust to DMZ; index: 1" {
from Trust;
source [ 10.10.0.0/24 192.168.0.0/24];
to DMZ;
destination 192.0.2.0/24;
application/service 0:any/any/any/any;
action allow;
}
"Allow DMZ to Trust; index: 2" {
from DMZ;
source 192.0.2.0/24;
to Trust;
destination 10.10.0.0/24;
application/service 0:any/any/any/any;
action allow;
}
"Allow Internet to MailServer; index: 3" {
from External;
source any;
to Trust;
destination 192.168.0.25;
application/service 0:any/any/any/any;
action allow;
}
"Allow Trust to Internet; index: 4" {
from Trust;
source [ 10.10.0.0/24 192.168.0.0/24 ];
to External;
destination any;
application/service 0:any/any/any/any;
action allow;
}
If you wanted to find all Security Policies that might contain an internal destination or 192.168. address you could do a command like this:
admin@PA(active)> show running security-policy | match {\|destination\|192.168.0
"Allow Trust to DMZ; index: 1" {
source [ 10.10.0.0/24 192.168.0.0/24];
destination 192.0.2.0/24;
"Allow DMZ to Trust; index: 2" {
destination 10.10.0.0/24;
"Allow Internet to MailServer; index: 3" {
destination 192.168.0.25;
"Allow Trust to Internet; index: 4" {
source [ 10.10.0.0/24 192.168.0.0/24 ];
destination any;
The above is a poor example for the reasons stated above. Going back to @Wbm's reply, I would guess it should have been more like this, searching for a specific address in the Security Policies:
admin@PA(active)> show running security-policy | match {\|192.168.0.25
"Allow Trust to DMZ; index: 1" {
"Allow DMZ to Trust; index: 2" {
"Allow Internet to MailServer; index: 3" {
destination 192.168.0.25;
"Allow Trust to Internet; index: 4" {
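One way to get the rule-level answer this thread is after, as an added example that is not from the thread or from Palo Alto Networks: capture the `show running security-policy` output to a text file (as suggested earlier) and parse it offline, so a rule whose source or destination is a CIDR or a list still matches a host address, which the line-oriented `| match` hack cannot do. The sample output is constructed in the format shown above; address-object and group names are assumed to be out of scope.

```python
# Added example (not from the thread): parse "show running security-policy"
# output offline and find the rules whose source/destination covers an IP,
# including CIDR and list members that a line-oriented "| match" misses.
import ipaddress
import re
# Constructed sample in the output format shown in the thread.
SAMPLE = """\
"Allow Trust to DMZ; index: 1" {
from Trust;
source [ 10.10.0.0/24 192.168.0.0/24];
to DMZ;
destination 192.0.2.0/24;
action allow;
}
"Allow Internet to MailServer; index: 3" {
from External;
source any;
to Trust;
destination 192.168.0.25;
action allow;
}
"""
RULE_RE = re.compile(r'^"?([^"{]+?)"?\s*\{\s*$')  # rule header line ending in "{"
def parse_rules(text):
    """Return {rule_name: {field: [values]}} from the CLI output."""
    rules, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if m:
            current = rules[m.group(1)] = {}
        elif line == "}":
            current = None
        elif current is not None and line.endswith(";"):
            field, _, value = line[:-1].partition(" ")
            current[field] = value.strip("[] ").split()  # "[ a b ]" -> [a, b]
    return rules
def address_covers(value, ip):
    """True if an address token ("any", host or CIDR) contains ip."""
    if value == "any":
        return True
    try:
        return ip in ipaddress.ip_network(value, strict=False)
    except ValueError:  # address object/group names need a separate lookup
        return False
def rules_for_ip(text, ip_str, fields=("source", "destination")):
    """Names of rules where any of the given fields covers ip_str."""
    ip = ipaddress.ip_address(ip_str)
    return [name for name, rule in parse_rules(text).items()
            if any(address_covers(v, ip) for f in fields for v in rule.get(f, []))]
```

Searching for 192.168.0.25 reports both the rule with the explicit host and the rule whose source list contains 192.168.0.0/24, which the `| match` filter would not have surfaced.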
12-27-2023 08:24 AM
Thanks for the clarification.