Tips and Tricks: Filtering the Security Policy

cancel
Showing results for 
Search instead for 
Did you mean: 
Cyber Elite
Cyber Elite

 

 

 

Manually searching through the policies can be pretty hard if there are many rules and it's been a long day. Luckily, there are search functions available to you to make life a little easier.

 

First off, you can simply type in any keyword you are looking for, which can be a policy name (as one word), an IP address/subnet or object name, an application, or a service.

 

One caveat is that this needs to be a string match, so it cannot be a subnet. Wildcards (*) are not supported.

 

You can also search within a specific field, like source zone or application. There's an easy drop-down function you can use to automatically create the search filter.

 

You can also create a search string manually. I've provided a list of all fields below:

 

Tags: (tag/member eq 'tagname')

Name: (name contains 'unlocate-block')

Type: (rule-type eq 'intrazone|interzone')

Source Zone: (from/member eq 'zonename')

Source Address: (source/member eq 'any|ip|object')

Source User: (source-user/member eq 'any|username|groupname')

Hip profile:  (hip-profiles/member eq 'any|profilename')

Destination Zone: (to/member eq 'zonename')

Destination Address: (destination/member eq 'any|ip|object')

Destination User: (destination-user/member eq 'any|username|groupname')

Application: (application/member eq 'any|applicationname|applicationgroup|applicationfilter')

Service: (service/member eq 'any|servicename|application-default')

URL Category: (category/member eq 'any|categoryname')

           This is a destination category, not a URL filtering security profile

Action: (action eq 'allow|drop|deny|reset-client|reset-server|reset-both')

Action send ICMP unreachable: (icmp-unreachable eq 'yes')

Security Profiles:

      (profile-setting/profiles/virus/member eq 'profilename')

      (profile-setting/profiles/spyware/member eq 'profilename')

      (profile-setting/profiles/vulnerability/member eq 'profilename')

      (profile-setting/profiles/url-filtering/member eq 'profilename')

      (profile-setting/profiles/file-blocking/member eq 'profilename')

      (profile-setting/profiles/wildfire-analysis/member eq 'profilegroupname')

      (profile-setting/group/member eq 'profilename')

Disable server response inspection: (option/disable-server-response-inspection eq 'yes')

Log at session start: (log-start eq 'yes|no')

Log at session end: (log-end eq 'yes|no')

Schedule: (schedule eq 'schedulename')

Log Forwarding:  (log-setting eq "forwardingprofilename')

Qos Marking:    (qos/marking/ip-dscp eq 'codepoint')

                            (qos/marking/ip-precedence eq 'codepoint')

                            (qos/marking/follow-c2s-flow eq '')

Description: (description contains '<keyword>')

 

Disabled policy: (disabled eq yes|no)  

           policies will only respond to 'no' if they have been disabled before

 

NOTES: 

  • searched terms are case sensitive! (Untrust or untrust)
  • operands include 'eq', 'neq', 'contains'

 

Lastly, the Tag Browser can also come in very handy if you're able to tag all your security policies. It can be used in a similar way as the search function and display only the selected tags.

 

More information and a tutorial video on the Tag Browser can be found here: Tutorial: Tag Browser

 

 

Also take a look at our video and transcript on Filtering the Security Policy

 

Hope this was helpful, feel free to ask questions or post remarks below.

 

Reaper out

34 Comments
Register or Sign-in
Labels