12-22-2021 08:27 AM
I'm fairly new to Palo Alto gear and wanted to submit a suggestion about adding a sort capability to the information presented in the various tabs/pages. Just a few examples on the benefits of being able to sort: Trying to find that one rule where you know the name of it, but can't quickly spot it because you can't sort the name of the rules alphabetically. Looking through the Monitor tab and the URL Filtering section, it would be nice to sort and see which user accounts or systems could be visiting abnormal urls or how many visits certain urls are getting.
The ability to export this to a csv helps as a workaround, but it would be great to skip that step.
12-28-2021 01:12 PM
Just to let you know that inside of the Dashboard, more specifically the Policies tab, where you manage all of your rules, you can use the search bar to search for a name of the rule. I assume that you would know a part of the name, and hit enter.
Here is a screenshot of it.
In that example, I knew I had a name GRE, so I searched and it was the first on the list.
Sorting really isn't an option, because if left that way, it would throw off your entire rulebase.
I hope this helps. There are a lot of great things inside of the dashboard that make it much easier to use, and the search area is just one of those things.
12-28-2021 02:20 PM
@jdelio mentioned already how you would filter the rulebase, but the remainder of what you are mentioning is also mostly accomplished through the ACC tab, through log queries, or through reports. I would spend some time looking into the ACC tab and building custom reports and get familiar with those areas of the firewall.
There's definitely a lack of certain reporting aspects directly on the firewall that can be supplemented by forwarding the logs to something like Splunk or Graylog, but what you've mentioned can pretty easily be accomplished through the ACC tab or custom reports. I would look into those more and see if that meets your needs, or if you'll need to see about deploying a SIEM to build the dashboards you want/need.
12-29-2021 08:04 AM - edited 12-29-2021 08:04 AM
Hi Jdelio, you mentioned "Sorting really isn't an option, because if left that way, it would throw off your entire rulebase." Can you explain more about this? I would assume that the firewall would know which rules to process in a given order, which would make a visual sort irrelevant. Then again, I am "assuming"...
12-29-2021 08:12 AM
@BountyHunter21 wrote:
Hi Jdelio, you mentioned "Sorting really isn't an option, because if left that way, it would throw off your entire rulebase." Can you explain more about this? I would assume that the firewall would know which rules to process in a given order, which would make a visual sort irrelevant. Then again, I am "assuming"...
I just mean that the Firewall would know perfectly fine, but what about you? If you "forgot" that you organized the rules that way, and created a new rule for something to allow before another, not knowing that the rulebase is "out of order". That is why the rules are never sorted. They can be searched and filtered with the search bar, but never reorganized.
12-29-2021 11:30 AM - edited 12-29-2021 11:33 AM
...If you "forgot" that you organized the rules that way, and created a new rule for something to allow before another, not knowing that the rulebase is "out of order"
But that is just it... there is already a rule number column on the left hand side. So you can already tell the processing order. Ideally there would also be a bold sort order arrow and different header color on the column header currently being sorted. Quite often it is helpful to be able to quickly sort rules (particularly when you have 100+) by src/dest, zone, user, packets processed, etc. when trying to debug an issue or understand what rules might be affecting a particular target.
I had a discussion with our local PA sales engineer about this same topic, that the interface needs a way to both sort rules (for quickly viewing like attributes) and a way of grouping like rules together (probably implemented as a new "group" column, akin to a table jump in iptables or grouping in Cisco Firepower). So logically, the packet matching order proceeds by the existing rule number, but visually your like rules (i.e. your DMZ-centric rules, mail server rules, outbound rules, etc.) can be logically grouped together for review.
(Yeah, you can kind of use tags as a grouping flag, but it's not quite the same as a separate grouping.)
12-29-2021 01:48 PM
@Adrian_Jensen wrote: (Yeah, you can kind of use tags as a grouping flag, but it's not quite the same as a separate grouping.)
Isn't this the whole purpose of Group Tag and View Rules by Tag Group?
The use case you are describing doesn't sound like it should be solved by a sorting function. Quickly displaying all rules with a specific source/destination/zone should still be done with filtering, not sorting. Imagine you have 1000 rules and you want to view only the rules with source zone "your-zone": with sorting you still need to scroll a looong way down to reach what you are looking for, and instead of focusing on the rule details you need to remember to look at the actual rule number (because a deny rule for "your-zone" could be sorted above the actual allow rules).
Every person has a different way of working, but I will agree with the others that a sort function is not a good solution for your use cases and I really don't see any benefit of sorting - anything that can be achieved by sorting is way easier to achieve with filtering.
If all of your rules are tagged properly you can still use the search bar, by typing the name of the tag
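
The filter-versus-sort point argued in this thread, shown on a toy first-match rulebase. This is an added example, not part of any post above and not PAN-OS code: the `Rule` model, the sample rules and every function name are constructed for illustration, and matching is simplified to zone and service.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order (the rule number column)
    name: str
    src_zone: str
    dst_zone: str
    service: str     # "any" is a wildcard in this toy model
    action: str

# Constructed sample rulebase; not exported from a real firewall.
RULEBASE = [
    Rule(1, "GRE", "untrust", "dmz", "gre", "allow"),
    Rule(2, "dmz-to-mail", "dmz", "trust", "smtp", "allow"),
    Rule(3, "block-dmz-to-trust", "dmz", "trust", "any", "deny"),
    Rule(4, "dmz-to-db", "dmz", "trust", "mysql", "allow"),
    Rule(5, "outbound-web", "trust", "untrust", "web-browsing", "allow"),
]

def matches(rule, src_zone, dst_zone, service):
    return (rule.src_zone == src_zone and rule.dst_zone == dst_zone
            and rule.service in ("any", service))

def top_down(view, src_zone, dst_zone, service):
    """First matching rule when a list is read top to bottom as displayed."""
    return next((r for r in view if matches(r, src_zone, dst_zone, service)), None)

def first_match(rules, src_zone, dst_zone, service):
    """What the toy firewall enforces: evaluate strictly by rule number."""
    ordered = sorted(rules, key=lambda r: r.number)
    return top_down(ordered, src_zone, dst_zone, service)

def filter_view(rules, **fields):
    """Filtered view: hides non-matching rows, keeps rule-number order."""
    return [r for r in rules if all(getattr(r, k) == v for k, v in fields.items())]

def sort_view(rules, column):
    """Sorted view: all rows stay, but display order is no longer evaluation order."""
    return sorted(rules, key=lambda r: str(getattr(r, column)).lower())

def shadowed(rules):
    """Rules that can never be the first match for their own traffic."""
    return [r for r in rules if r.service != "any"
            and first_match(rules, r.src_zone, r.dst_zone, r.service) != r]

if __name__ == "__main__":
    flow = ("dmz", "trust", "mysql")
    print("enforced:", first_match(RULEBASE, *flow).name)
    print("filtered:", top_down(filter_view(RULEBASE, src_zone="dmz"), *flow).name)
    print("sorted  :", top_down(sort_view(RULEBASE, "action"), *flow).name)
    print("shadowed:", [r.name for r in shadowed(RULEBASE)])
```

A filter on an exact field value would also hide a rule that uses a wildcard in that field, so a filtered view answers "which rules name this zone", not "which rule will match this traffic".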