How to View, Create and Delete Security Policies on the CLI

How to View, Create and Delete Security Policies on the CLI

163538
Created On 09/25/18 19:36 PM - Last Modified 04/20/20 21:49 PM


Resolution

Overview

This article describes how to view, create and delete security policies inside of the CLI (Command Line Interface).

 

Details

To create a new security policy from the CLI:

> configure (press enter)

# set rulebase security rules <name> from <source zone> to <destination zone> destination <ip> application <application> service <any/application-default/service name> action <allow/deny> (press enter)

# exit

 

Example:

# set rulebase security rules Generic-Security from Outside-L3 to Inside-L3 destination 63.63.63.63 application web-browsing service application-default action allow (press enter)

Note: For help with entry of all CLI commands use "?" or [tab] to get a list of the available commands.

 

To view the Palo Alto Networks Security Policies from the CLI:

> show running security-policy

 

Rule       From         Source        To           Dest.           User                Proto Port Range Application  Action
---------- ------------ ------------- ------------ --------------- ------------------- ----- ---------- ------------ ------
Doms DLP   untrust-vwir 10.16.0.92    Untrust-vwir any             any                 any   any        any          allow
           trust-vwire                trust-vwire

rule4      untrust-vwir any          untrust-vwir  10.16.0.92      any                 any   any        any          allow
           trust-vwire                trust-vwire

rule3      trust-vwire  any          untrust-vwir  any             any                 any   any        any          allow

 

The following command will output the entire configuration:

> show config running

 

For set format output:

> set cli config-output-format set

> configure
Entering configuration mode
[edit]

# edit rulebase security
[edit rulebase security]

# show
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi from untrust-vwire
set rulebase security rules rashi to trust-vwire
set rulebase security rules rashi to untrust-vwire
set rulebase security rules rashi source 10.16.0.21
set rulebase security rules rashi destination any
set rulebase security rules rashi service any
set rulebase security rules rashi application adobe-meeting-remote-control
set rulebase security rules rashi application adobe-meeting
set rulebase security rules rashi application adobe-online-office
set rulebase security rules rashi action deny
set rulebase security rules rashi source-user any
set rulebase security rules rashi option disable-server-response-inspection no
set rulebase security rules rashi negate-source no
set rulebase security rules rashi negate-destination no
set rulebase security rules rashi disabled yes
set rulebase security rules rashi log-start no
set rulebase security rules rashi log-end yes

 

To switch to the default output:

        From configure mode:

# run set cli config-output-format default

[edit rulebase security]
# show
security {
  rules {
    rashi {
      from [ trust-vwire untrust-vwire];
      to [ trust-vwire untrust-vwire];
      source 10.16.0.21;
      destination any;
      service any;
      application [ adobe-meeting-remote-control adobe-meeting adobe-online-office];
      action deny;
      source-user any;
      option {
        disable-server-response-inspection no;
      }
      negate-source no;
      negate-destination no;
      disabled yes;
      log-start no;
      log-end yes;
      profile-setting {
        profiles {
          file-blocking rashi_file_alert;
          data-filtering rashi_dlp;
        }

 

To view the configuration in XML format:

From configure mode:

# run set cli config-output-format xml

[edit rulebase security]
# show
<response status="success" code="19">
  <result total-count="1" count="1">
    <security>
      <rules>
        <entry name="rashi">
          <from>
            <member>trust-vwire</member>
            <member>untrust-vwire</member>
          </from>
          <to>
            <member>trust-vwire</member>
            <member>untrust-vwire</member>
          </to>
          <source>
            <member>10.16.0.21</member>
          </source>
          <destination>
            <member>any</member>
          </destination>
          <service>
            <member>any</member>
          </service>
          <application>
            <member>adobe-meeting-remote-control</member>
            <member>adobe-meeting</member>
            <member>adobe-online-office</member>
          </application>
          <action>deny</action>
          <source-user>
            <member>any</member>
          </source-user>
          <option>
            <disable-server-response-inspection>no</disable-server-response-inspection>
          </option>
          <negate-source>no</negate-source>
          <negate-destination>no</negate-destination>
          <disabled>yes</disabled>
          <log-start>no</log-start>
          <log-end>yes</log-end>
          <profile-setting>
            <profiles>
              <file-blocking>
                <member>rashi_file_alert</member>
              </file-blocking>
              <data-filtering>

 

Also, if you want a shorter way to View and Delete security rules inside configure mode, you can use these 2 commands:

To find a rule:

  • show rulebase security rules <rulename>

 

To delete or remove a rule:

  • delete rulebase security rules <rulename>

 

See Also

Command Line Interface Reference Guide Release 6.1

Command Line Interface Reference Guide Release 6.0

Command Line Interface Reference Guide Release 5.0

 

owner: panagent



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaCCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language