Tips and Tricks: Filtering the Security Policy

Manually searching through the policies can be pretty hard if there are many rules and it's been a long day. Luckily, there are search functions available to you to make life a little easier.

First off, you can simply type in any keyword you are looking for, which can be a policy name (as one word), an IP address/subnet or object name, an application, or a service.

One caveat is that this needs to be a string match, so it cannot be a subnet. Wildcards (*) are not supported.

You can also search within a specific field, like source zone or application. There's an easy drop-down function you can use to automatically create the search filter.

You can also create a search string manually. I've provided a list of all fields below:

Tags: (tag/member eq 'tagname')

Name: (name contains 'unlocate-block')

Type: (rule-type eq 'intrazone|interzone')

Source Zone: (from/member eq 'zonename')

Source Address: (source/member eq 'any|ip|object')

Source User: (source-user/member eq 'any|username|groupname')

Hip profile:  (hip-profiles/member eq 'any|profilename')

Destination Zone: (to/member eq 'zonename')

Destination Address: (destination/member eq 'any|ip|object')

Destination User: (destination-user/member eq 'any|username|groupname')

Application: (application/member eq 'any|applicationname|applicationgroup|applicationfilter')

Service: (service/member eq 'any|servicename|application-default')

URL Category: (category/member eq 'any|categoryname')

           This is a destination category, not a URL filtering security profile

Action: (action eq 'allow|drop|deny|reset-client|reset-server|reset-both')

Action send ICMP unreachable: (icmp-unreachable eq 'yes')

Security Profiles:

      (profile-setting/profiles/virus/member eq 'profilename')

      (profile-setting/profiles/spyware/member eq 'profilename')

      (profile-setting/profiles/vulnerability/member eq 'profilename')

      (profile-setting/profiles/url-filtering/member eq 'profilename')

      (profile-setting/profiles/file-blocking/member eq 'profilename')

      (profile-setting/profiles/wildfire-analysis/member eq 'profilegroupname')

      (profile-setting/group/member eq 'profilename')

Disable server response inspection: (option/disable-server-response-inspection eq 'yes')

Log at session start: (log-start eq 'yes|no')

Log at session end: (log-end eq 'yes|no')

Schedule: (schedule eq 'schedulename')

Log Forwarding:  (log-setting eq "forwardingprofilename')

Qos Marking:    (qos/marking/ip-dscp eq 'codepoint')

                            (qos/marking/ip-precedence eq 'codepoint')

                            (qos/marking/follow-c2s-flow eq '')

Description: (description contains '<keyword>')

Disabled policy: (disabled eq yes|no)  

           policies will only respond to 'no' if they have been disabled before

NOTES: 

• searched terms are case sensitive! (Untrust or untrust)
• operands include 'eq', 'neq', 'contains'

Lastly, the Tag Browser can also come in very handy if you're able to tag all your security policies. It can be used in a similar way as the search function and display only the selected tags.

More information and a tutorial video on the Tag Browser can be found here: Tutorial: Tag Browser

Also take a look at our video and transcript on Filtering the Security Policy. 

Hope this was helpful, feel free to ask questions or post remarks below.

Reaper out