How to View, Create and Delete Security Policies on the CLI
Resolution
Overview
This article describes how to view, create and delete security policies inside of the CLI (Command Line Interface).
Details
To create a new security policy from the CLI:
> configure (press enter)
# set rulebase security rules <name> from <source zone> to <destination zone> destination <ip> application <application> service <any/application-default/service name> action <allow/deny> (press enter)
# exit
Example:
# set rulebase security rules Generic-Security from Outside-L3 to Inside-L3 destination 63.63.63.63 application web-browsing service application-default action allow (press enter)
Note: For help with entry of all CLI commands use "?" or [tab] to get a list of the available commands.
To view the Palo Alto Networks Security Policies from the CLI:
> show running security-policy
Rule        From           Source       To             Dest.        User   Proto  Port Range  Application   Action
----------  -------------  -----------  -------------  -----------  -----  -----  ----------  ------------  ------
Doms DLP    untrust-vwir   10.16.0.92   Untrust-vwir   any          any    any    any         any           allow
            trust-vwire                 trust-vwire
rule4       untrust-vwir   any          untrust-vwir   10.16.0.92   any    any    any         any           allow
            trust-vwire                 trust-vwire
rule3       trust-vwire    any          untrust-vwir   any          any    any    any         any           allow
The following command will output the entire configuration:
> show config running
For set format output:
> set cli config-output-format set
> configure
Entering configuration mode
[edit]
# edit rulebase security
[edit rulebase security]
# show
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi from untrust-vwire
set rulebase security rules rashi to trust-vwire
set rulebase security rules rashi to untrust-vwire
set rulebase security rules rashi source 10.16.0.21
set rulebase security rules rashi destination any
set rulebase security rules rashi service any
set rulebase security rules rashi application adobe-meeting-remote-control
set rulebase security rules rashi application adobe-meeting
set rulebase security rules rashi application adobe-online-office
set rulebase security rules rashi action deny
set rulebase security rules rashi source-user any
set rulebase security rules rashi option disable-server-response-inspection no
set rulebase security rules rashi negate-source no
set rulebase security rules rashi negate-destination no
set rulebase security rules rashi disabled yes
set rulebase security rules rashi log-start no
set rulebase security rules rashi log-end yes
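As an added example (not from this article or from Palo Alto Networks), the following Python script parses set-format output like the listing above into one dictionary per rule and then flags active rules that allow any source, destination, service and application, or that have session-end logging switched off. The sample input is constructed for the example and includes a rule with a quoted name to show how names containing spaces are handled.

```python
import re
# Constructed `show` output in set format (sample data, not the page's own): the page's
# "rashi" rule, trimmed, plus a deliberately permissive rule with a quoted name.
SAMPLE_SET_OUTPUT = """\
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi from untrust-vwire
set rulebase security rules rashi source 10.16.0.21
set rulebase security rules rashi destination any
set rulebase security rules rashi action deny
set rulebase security rules rashi disabled yes
set rulebase security rules rashi log-end yes
set rulebase security rules "wide open" source any
set rulebase security rules "wide open" destination any
set rulebase security rules "wide open" service any
set rulebase security rules "wide open" application any
set rulebase security rules "wide open" action allow
set rulebase security rules "wide open" log-end no
"""

# Rule names containing spaces are emitted in double quotes; the value part is optional.
LINE_RE = re.compile(r'^set rulebase security rules ("[^"]*"|\S+) (\S+)(?: (.*))?$')
# Attributes that repeat one line per member and therefore collect into a list.
MULTI_VALUED = {"from", "to", "source", "destination", "service", "application", "source-user"}

def parse_set_rules(text):  # returns {rule name: {attribute: value or [members]}}
    rules = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip prompts, blank lines and anything that is not a rule line
        name, attr, value = m.groups()
        rule = rules.setdefault(name.strip('"'), {})
        if attr in MULTI_VALUED:
            rule.setdefault(attr, []).append(value)
        else:
            rule[attr] = value
    return rules

def audit(rules):  # returns (rule name, finding) pairs for a policy review
    findings = []
    for name, r in rules.items():
        if r.get("disabled") == "yes":
            continue  # a disabled rule never matches traffic
        wide_open = all(r.get(k) == ["any"] for k in ("source", "destination", "service", "application"))
        if r.get("action") == "allow" and wide_open:
            findings.append((name, "allows any source, destination, service and application"))
        if r.get("log-end") == "no":
            findings.append((name, "session-end logging is explicitly off"))
    return findings
```

Feed it the output of `show` in set format (saved to a file) to get a quick list of rules worth a second look before committing.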
To switch to the default output:
From configure mode:
# run set cli config-output-format default
[edit rulebase security]
# show
security {
  rules {
    rashi {
      from [ trust-vwire untrust-vwire];
      to [ trust-vwire untrust-vwire];
      source 10.16.0.21;
      destination any;
      service any;
      application [ adobe-meeting-remote-control adobe-meeting adobe-online-office];
      action deny;
      source-user any;
      option {
        disable-server-response-inspection no;
      }
      negate-source no;
      negate-destination no;
      disabled yes;
      log-start no;
      log-end yes;
      profile-setting {
        profiles {
          file-blocking rashi_file_alert;
          data-filtering rashi_dlp;
        }
To view the configuration in XML format:
From configure mode:
# run set cli config-output-format xml
[edit rulebase security]
# show
<response status="success" code="19">
  <result total-count="1" count="1">
    <security>
      <rules>
        <entry name="rashi">
          <from>
            <member>trust-vwire</member>
            <member>untrust-vwire</member>
          </from>
          <to>
            <member>trust-vwire</member>
            <member>untrust-vwire</member>
          </to>
          <source>
            <member>10.16.0.21</member>
          </source>
          <destination>
            <member>any</member>
          </destination>
          <service>
            <member>any</member>
          </service>
          <application>
            <member>adobe-meeting-remote-control</member>
            <member>adobe-meeting</member>
            <member>adobe-online-office</member>
          </application>
          <action>deny</action>
          <source-user>
            <member>any</member>
          </source-user>
          <option>
            <disable-server-response-inspection>no</disable-server-response-inspection>
          </option>
          <negate-source>no</negate-source>
          <negate-destination>no</negate-destination>
          <disabled>yes</disabled>
          <log-start>no</log-start>
          <log-end>yes</log-end>
          <profile-setting>
            <profiles>
              <file-blocking>
                <member>rashi_file_alert</member>
              </file-blocking>
              <data-filtering>
If you want a shorter way to view and delete individual security rules from configure mode, you can use these two commands:
To find a rule:
- show rulebase security rules <rulename>
To delete or remove a rule:
- delete rulebase security rules <rulename>
See Also
Command Line Interface Reference Guide Release 6.1
Command Line Interface Reference Guide Release 6.0
Command Line Interface Reference Guide Release 5.0
owner: panagent