Configuration and Implementation

Guides on product configuration, solution implementation, and related topics
Overview

This article describes how to view, create, and delete security policies from the CLI (command-line interface).

Details

To create a new security policy from the CLI:

    > configure (press Enter)
    # set rulebase security rules <name> from <source zone> to <destination zone> destination <ip> application <application> service <any/application-default/service name> action <allow/deny> (press Enter)
    # exit

Example:

    # set rulebase security rules Generic-Security from Outside-L3 to Inside-L3 destination 63.63.63.63 application web-browsing service application-default action allow (press Enter)

Note: For input help with any CLI command, use "?" or [tab] to get a list of available commands.

To view the Palo Alto Networks security policy from the CLI:

    > show running security-policy

    Rule       From         Source        To           Dest.           User                Proto Port Range Application  Action
    ---------- ------------ ------------- ------------ --------------- ------------------- ----- ---------- ------------ ------
    Doms DLP   untrust-vwir 10.16.0.92    Untrust-vwir any             any                 any   any        any          allow
               trust-vwire                trust-vwire
    rule4      untrust-vwir any          untrust-vwir  10.16.0.92      any                 any   any        any          allow
               trust-vwire                trust-vwire
    rule3      trust-vwire  any          untrust-vwir  any             any                 any   any        any          allow

The following command outputs the entire configuration:

    > show config running

To set the output format to set:

    > set cli config-output-format set

    > configure
    Entering configuration mode
    [edit]

    # edit rulebase security
    [edit rulebase security]

    # show
    set rulebase security rules rashi from trust-vwire
    set rulebase security rules rashi from untrust-vwire
    set rulebase security rules rashi to trust-vwire
    set rulebase security rules rashi to untrust-vwire
    set rulebase security rules rashi source 10.16.0.21
    set rulebase security rules rashi destination any
    set rulebase security rules rashi service any
    set rulebase security rules rashi application adobe-meeting-remote-control
    set rulebase security rules rashi application adobe-meeting
    set rulebase security rules rashi application adobe-online-office
    set rulebase security rules rashi action deny
    set rulebase security rules rashi source-user any
    set rulebase security rules rashi option disable-server-response-inspection no
    set rulebase security rules rashi negate-source no
    set rulebase security rules rashi negate-destination no
    set rulebase security rules rashi disabled yes
    set rulebase security rules rashi log-start no
    set rulebase security rules rashi log-end yes

To switch back to the default output format, from configuration mode:

    # run set cli config-output-format default

    [edit rulebase security]
    # show
    security {
      rules {
        rashi {
          from [ trust-vwire untrust-vwire];
          to [ trust-vwire untrust-vwire];
          source 10.16.0.21;
          destination any;
          service any;
          application [ adobe-meeting-remote-control adobe-meeting adobe-online-office];
          action deny;
          source-user any;
          option {
            disable-server-response-inspection no;
          }
          negate-source no;
          negate-destination no;
          disabled yes;
          log-start no;
          log-end yes;
          profile-setting {
            profiles {
              file-blocking rashi_file_alert;
              data-filtering rashi_dlp;
            }

To view the configuration in XML format, from configuration mode:

    # run set cli config-output-format xml

    [edit rulebase security]
    # show
    <response status="success" code="19">
      <result total-count="1" count="1">
        <security>
          <rules>
            <entry name="rashi">
              <from>
                <member>trust-vwire</member>
                <member>untrust-vwire</member>
              </from>
              <to>
                <member>trust-vwire</member>
                <member>untrust-vwire</member>
              </to>
              <source>
                <member>10.16.0.21</member>
              </source>
              <destination>
                <member>any</member>
              </destination>
              <service>
                <member>any</member>
              </service>
              <application>
                <member>adobe-meeting-remote-control</member>
                <member>adobe-meeting</member>
                <member>adobe-online-office</member>
              </application>
              <action>deny</action>
              <source-user>
                <member>any</member>
              </source-user>
              <option>
                <disable-server-response-inspection>no</disable-server-response-inspection>
              </option>
              <negate-source>no</negate-source>
              <negate-destination>no</negate-destination>
              <disabled>yes</disabled>
              <log-start>no</log-start>
              <log-end>yes</log-end>
              <profile-setting>
                <profiles>
                  <file-blocking>
                    <member>rashi_file_alert</member>
                  </file-blocking>
                  <data-filtering>

Alternatively, for a shorter way to view and delete security rules in configuration mode, use these two commands:

Find a rule:

    show rulebase security rules <rulename>

Delete a rule:

    delete rulebase security rules <rulename>
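The set-format output shown above has one attribute per line, which makes it easy to review offline. The following is an added example, not part of the original article or any Palo Alto Networks tooling: a Python sketch that groups saved `show` output by rule and flags rules worth a reviewer's attention. The sample lines, the function names, and the three checks are assumptions chosen for illustration.

```python
import shlex
from collections import defaultdict

PREFIX = ["set", "rulebase", "security", "rules"]

# Constructed sample: part of the article's "rashi" rule plus a constructed
# permissive rule whose name contains a space (quoted in set output).
SAMPLE = '''\
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi application adobe-meeting
set rulebase security rules rashi application adobe-online-office
set rulebase security rules rashi action deny
set rulebase security rules rashi disabled yes
set rulebase security rules "Doms DLP" from [ untrust-vwire trust-vwire ]
set rulebase security rules "Doms DLP" application any
set rulebase security rules "Doms DLP" service any
set rulebase security rules "Doms DLP" action allow
set rulebase security rules "Doms DLP" log-end no
'''

def parse_rules(text):
    """Group set-format lines into {rule: {field: [values]}}."""
    rules = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        tokens = shlex.split(line)  # honours quoted rule names
        if tokens[:4] != PREFIX or len(tokens) < 7:
            continue
        name, field, *values = tokens[4:]
        # Repeated lines accumulate; the brackets of "[ a b ]" lists are dropped.
        rules[name][field] += [v for v in values if v not in ("[", "]")]
    return rules

def audit(rules):
    """Return {rule: [findings]} for rules a reviewer should look at."""
    findings = {}
    for name, r in rules.items():
        notes = []
        if r.get("disabled") == ["yes"]:
            notes.append("disabled")
        if r.get("action") == ["allow"]:
            if "any" in r.get("application", []) and "any" in r.get("service", []):
                notes.append("allow with application any and service any")
            if r.get("log-end") == ["no"]:
                notes.append("log-end no")
        if notes:
            findings[name] = notes
    return findings
```

To use it on a real device, save the output of `show` (with `set cli config-output-format set` active) to a file and pass its contents to `parse_rules`.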