Details
To create a new security policy from the CLI:
> configure (press enter)
# set rulebase security rules <name> from <source zone> to <destination zone> destination <ip> application <application> service <any/application-default/service name> action <allow/deny> (press enter)
# exit
Example:
# set rulebase security rules Generic-Security from Outside-L3 to Inside-L3 destination 63.63.63.63 application web-browsing service application-default action allow (press enter)
Note: For help entering any CLI command, type "?" or press [tab] to list the available options at that point in the command.
To view the Palo Alto Networks Security Policies from the CLI:
> show running security-policy
Rule       From         Source        To           Dest.           User                Proto Port Range Application  Action
---------- ------------ ------------- ------------ --------------- ------------------- ----- ---------- ------------ ------
Doms DLP   untrust-vwir 10.16.0.92    Untrust-vwir any             any                 any   any        any          allow
           trust-vwire                trust-vwire
rule4      untrust-vwir any           untrust-vwir 10.16.0.92      any                 any   any        any          allow
           trust-vwire                trust-vwire
rule3      trust-vwire  any           untrust-vwir any             any                 any   any        any          allow
The following command will output the entire configuration:
> show config running
To display the configuration in set format (one set command per line, which can be pasted back into configure mode):
> set cli config-output-format set
> configure
Entering configuration mode
[edit]
# edit rulebase security
[edit rulebase security]
# show
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi from untrust-vwire
set rulebase security rules rashi to trust-vwire
set rulebase security rules rashi to untrust-vwire
set rulebase security rules rashi source 10.16.0.21
set rulebase security rules rashi destination any
set rulebase security rules rashi service any
set rulebase security rules rashi application adobe-meeting-remote-control
set rulebase security rules rashi application adobe-meeting
set rulebase security rules rashi application adobe-online-office
set rulebase security rules rashi action deny
set rulebase security rules rashi source-user any
set rulebase security rules rashi option disable-server-response-inspection no
set rulebase security rules rashi negate-source no
set rulebase security rules rashi negate-destination no
set rulebase security rules rashi disabled yes
set rulebase security rules rashi log-start no
set rulebase security rules rashi log-end yes
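The set-format output above is easy to parse line by line, which makes it a convenient input for a rulebase review. The following Python script is an added example and is not part of the original article or a Palo Alto Networks tool: it reads set-format lines into one dictionary per rule and flags settings a reviewer would want to look at (disabled rules, allow rules that match any source, destination, application and service, and allow rules with session-end logging explicitly turned off). The sample input is constructed: it repeats the rule "rashi" shown above and adds a second, hypothetical rule named "permit-all" so that the audit has something to flag.

```python
"""Parse PAN-OS 'set' format security-rule output and flag risky rules.

Added example, not part of the original article. SAMPLE_SET_OUTPUT is
constructed: it copies the 'show' output for the rule 'rashi' and adds a
second, hypothetical rule 'permit-all' to exercise the audit logic.
"""
import re
from collections import defaultdict

SAMPLE_SET_OUTPUT = """\
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi from untrust-vwire
set rulebase security rules rashi to trust-vwire
set rulebase security rules rashi to untrust-vwire
set rulebase security rules rashi source 10.16.0.21
set rulebase security rules rashi destination any
set rulebase security rules rashi service any
set rulebase security rules rashi application adobe-meeting-remote-control
set rulebase security rules rashi application adobe-meeting
set rulebase security rules rashi application adobe-online-office
set rulebase security rules rashi action deny
set rulebase security rules rashi source-user any
set rulebase security rules rashi option disable-server-response-inspection no
set rulebase security rules rashi negate-source no
set rulebase security rules rashi negate-destination no
set rulebase security rules rashi disabled yes
set rulebase security rules rashi log-start no
set rulebase security rules rashi log-end yes
set rulebase security rules permit-all from any
set rulebase security rules permit-all to any
set rulebase security rules permit-all source any
set rulebase security rules permit-all destination any
set rulebase security rules permit-all service any
set rulebase security rules permit-all application any
set rulebase security rules permit-all action allow
set rulebase security rules permit-all log-end no
"""

# Rule names containing spaces appear double-quoted in set format;
# the pattern accepts both the quoted and the bare form.
RULE_RE = re.compile(
    r'^set rulebase security rules (?:"(?P<qname>[^"]+)"|(?P<name>\S+)) '
    r'(?P<key>\S+) (?P<value>.+)$'
)

# Fields that may be repeated once per member (zones, addresses, apps...).
MULTI_VALUED = {"from", "to", "source", "destination", "service",
                "application", "source-user"}


def parse_set_rules(text):
    """Return {rule_name: {field: value or [values]}} from set-format output."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # skip prompts, blank lines and unrelated commands
        name = m.group("qname") or m.group("name")
        key, value = m.group("key"), m.group("value").strip()
        if key == "option":
            # 'option <subkey> <value>' is nested one level deeper
            subkey, subval = value.split(None, 1)
            rules[name].setdefault("option", {})[subkey] = subval
        elif key in MULTI_VALUED:
            rules[name].setdefault(key, []).append(value)
        else:
            rules[name][key] = value
    return dict(rules)


def audit_rules(rules):
    """Return a list of (rule_name, finding) pairs worth a reviewer's attention."""
    findings = []
    for name, r in rules.items():
        if r.get("disabled") == "yes":
            findings.append((name, "rule is disabled; confirm it is not stale"))
            continue
        if r.get("action") == "allow":
            wide = [f for f in ("source", "destination", "application", "service")
                    if r.get(f) == ["any"]]
            if len(wide) >= 3:
                findings.append((name, "allow rule with any " + ", ".join(wide)))
            # only flag logging when it is explicitly switched off
            if r.get("log-end") == "no":
                findings.append((name, "allow rule without session-end logging"))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit_rules(parse_set_rules(SAMPLE_SET_OUTPUT)):
        print(f"{rule_name}: {finding}")
```

Feed it the real output of "show" from the [edit rulebase security] level (saved from the terminal session) instead of the constructed sample; the thresholds in audit_rules are deliberately simple and should be adjusted to the site's policy standard.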
To switch to the default output:
From configure mode:
# run set cli config-output-format default
[edit rulebase security]
# show
security {
rules {
rashi {
from [ trust-vwire untrust-vwire];
to [ trust-vwire untrust-vwire];
source 10.16.0.21;
destination any;
service any;
application [ adobe-meeting-remote-control adobe-meeting adobe-online-office];
action deny;
source-user any;
option {
disable-server-response-inspection no;
}
negate-source no;
negate-destination no;
disabled yes;
log-start no;
log-end yes;
profile-setting {
profiles {
file-blocking rashi_file_alert;
data-filtering rashi_dlp;
}
To view the configuration in XML format:
From configure mode:
# run set cli config-output-format xml
[edit rulebase security]
# show
<response status="success" code="19">
<result total-count="1" count="1">
<security>
<rules>
<entry name="rashi">
<from>
<member>trust-vwire</member>
<member>untrust-vwire</member>
</from>
<to>
<member>trust-vwire</member>
<member>untrust-vwire</member>
</to>
<source>
<member>10.16.0.21</member>
</source>
<destination>
<member>any</member>
</destination>
<service>
<member>any</member>
</service>
<application>
<member>adobe-meeting-remote-control</member>
<member>adobe-meeting</member>
<member>adobe-online-office</member>
</application>
<action>deny</action>
<source-user>
<member>any</member>
</source-user>
<option>
<disable-server-response-inspection>no</disable-server-response-inspection>
</option>
<negate-source>no</negate-source>
<negate-destination>no</negate-destination>
<disabled>yes</disabled>
<log-start>no</log-start>
<log-end>yes</log-end>
<profile-setting>
<profiles>
<file-blocking>
<member>rashi_file_alert</member>
</file-blocking>
<data-filtering>
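The XML and set formats shown above describe the same rule, and the set form is simply the element path of each XML leaf or member written on one line. The following Python script is an added example and is not part of the original article or a Palo Alto Networks tool: it walks the XML output of "show" with the standard-library ElementTree parser and generates the equivalent set commands, which is useful for turning a saved XML view into lines that can be pasted back into configure mode or diffed against another device. The embedded XML is the article's own output for the rule "rashi", completed with the data-filtering member "rashi_dlp" that the article's default-format output shows, so that the document is well-formed; the generated lines for the profile-setting branch follow the same path convention as the rest and are an assumption, since the article's set output stops before that section.

```python
"""Convert a PAN-OS XML security-rule entry into 'set' commands.

Added example, not part of the original article. SAMPLE_XML is the
article's XML output for the rule 'rashi', completed with the
data-filtering member that the article's default-format output shows.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """\
<response status="success" code="19">
<result total-count="1" count="1">
<security>
<rules>
<entry name="rashi">
<from><member>trust-vwire</member><member>untrust-vwire</member></from>
<to><member>trust-vwire</member><member>untrust-vwire</member></to>
<source><member>10.16.0.21</member></source>
<destination><member>any</member></destination>
<service><member>any</member></service>
<application>
<member>adobe-meeting-remote-control</member>
<member>adobe-meeting</member>
<member>adobe-online-office</member>
</application>
<action>deny</action>
<source-user><member>any</member></source-user>
<option><disable-server-response-inspection>no</disable-server-response-inspection></option>
<negate-source>no</negate-source>
<negate-destination>no</negate-destination>
<disabled>yes</disabled>
<log-start>no</log-start>
<log-end>yes</log-end>
<profile-setting><profiles>
<file-blocking><member>rashi_file_alert</member></file-blocking>
<data-filtering><member>rashi_dlp</member></data-filtering>
</profiles></profile-setting>
</entry>
</rules>
</security>
</result>
</response>
"""


def _walk(elem, path, out):
    """Depth-first walk emitting one set line per leaf value or per member."""
    members = [(m.text or "").strip() for m in elem.findall("member")]
    if members:
        # a list-valued node becomes one set line per member
        for member in members:
            out.append(f"{path} {member}")
        return
    children = list(elem)
    if not children:
        # a scalar leaf such as <action>deny</action>
        out.append(f"{path} {(elem.text or '').strip()}")
        return
    for child in children:
        _walk(child, f"{path} {child.tag}", out)


def xml_to_set_commands(xml_text):
    """Return the list of 'set rulebase security rules ...' lines for every rule entry."""
    root = ET.fromstring(xml_text)
    lines = []
    for entry in root.iter("entry"):
        name = entry.get("name")
        # set format double-quotes rule names that contain spaces
        name = f'"{name}"' if " " in name else name
        _walk(entry, f"set rulebase security rules {name}", lines)
    return lines


if __name__ == "__main__":
    print("\n".join(xml_to_set_commands(SAMPLE_XML)))
```

The first eighteen generated lines reproduce the set-format output printed earlier in this article for the same rule; the last two cover the profile-setting branch that the earlier output did not reach.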
Within configure mode, the following two commands give a shorter way to view and delete a single security rule:
To find a rule:
# show rulebase security rules <rulename>
To delete or remove a rule:
# delete rulebase security rules <rulename>