Palo Alto Networks Knowledgebase: Video Tutorial: Filtering the security policy

Video Tutorial: Filtering the security policy

4237
Created On 02/07/19 23:42 PM - Last Updated 02/07/19 23:43 PM
Resolution

VIDEO TRANSCRIPT

 

Hi!

 

This is Tom with the Community team and today we're going to take a look at how to filter through your security policy.

 

 

One of the easiest ways is to actually just type in any keyword you're looking for, anywhere in your policy.

So if you're looking for, for example, I have 'vwire' here, you can just go ahead and type 'vwire.'

And that's going to filter any keyword out, in this case only one security rule is going to pop-up.

 

If you're looking for anything else, anywhere else, just type any keyword and it will return everything that matches the string.

 

One caveat here is: you're looking through what is essentially an XML configuration file, so your string needs to match whatever you are looking for, you can't use any wildcards, you can't use a subnet mask but you can type anything that matches, even partially.

For example, I have a few IP addresses here and if I'm looking for a specific IP subnet, I can go ahead and leave the last octet out. And my search will match any IP in that particular subnet.

 

Another way to filter is to use the Tag Browser. I've tagged a bunch of my security policies and several of my zones, so now I have a list of available tags in the Tag Browser. If i'm looking for a particular tag, I can go ahead and mark those tags and it will populate my visible area in the security policy with security policies containing matching tags.

 

Lastly, we can use traditional searches. The 'hard' way is to actually type full search strings in the search field; the easy way is to use the dropdown menu for any of the collumns. As you can see, there is a filter which will automatically create a filter string.

 

So if you want to look for 'v1-trust', destination 'v1-untrust' it's just as easy as that.

 

We can expand on that: if we want to look for any policy that has 'allow' as an Acion (or 'deny').

Or, for example, any specific 'security profile'. I want to look for the AntiSpyware profile 'Block All', and this will return all policies that contain this specific AntiSpyware profile.

 

You can see that the search string is a little odd in comparison to the log filters, that's because we're searching in the XML file.

 

There are a couple of columns that do not have a drop-down option, like the 'Rule Type': you can only search for intrazone or interzone; there is no option for universal policies.

 

So if you want to search for any intra or interzone policies, you can type '(rule-type eq 'intrazone') and hit Enter, which will return all the intrazone policies, same for 'interzone.'

 

Another string that does not have a drop-down filter is the disabled policies. If you look at these policies, you can see they have been disabled. if you want to search for any disabled policies, for example, if you have a very lengthy rulebase and only need to see the disabled policies, you can go ahead and search for (disabled eq yes).

 

I've created a list of all the available search options in your security policy in the article that's been linked below so please feel free to check out the link:

 

Tags: (tag/member eq 'tagname')

Type: (rule-type eq 'intrazone|interzone')

Source Zone: (from/member eq 'zonename')

Source Address: (source/member eq 'any|ip|object')

Source User: (source-user/member eq 'any|username|groupname')

Hip profile:  (hip-profiles/member eq 'any|profilename')

Destination Zone: (to/member eq 'zonename')

Destination Address: (destination/member eq 'any|ip|object')

Destination User: (destination-user/member eq 'any|username|groupname')

Application: (application/member eq 'any|applicationname|applicationgroup|applicationfilter')

Service: (service/member eq 'any|servicename|application-default')

URL Category: (category/member eq 'any|categoryname')

           This is a destination category, not a URL filtering security profile

Action: (action eq 'allow|drop|deny|reset-client|reset-server|reset-both')

Action send ICMP unreachable: (icmp-unreachable eq 'yes')

Security Profiles:

      (profile-setting/profiles/virus/member eq 'profilename')

      (profile-setting/profiles/spyware/member eq 'profilename')

      (profile-setting/profiles/vulnerability/member eq 'profilename')

      (profile-setting/profiles/url-filtering/member eq 'profilename')

      (profile-setting/profiles/file-blocking/member eq 'profilename')

      (profile-setting/profiles/wildfire-analysis/member eq 'profilegroupname')

      (profile-setting/group/member eq 'profilename')

Disable server response inspection: (option/disable-server-response-inspection eq 'yes')

Log at session start: (log-start eq 'yes|no')

Log at session end: (log-end eq 'yes|no')

Schedule: (schedule eq 'schedulename')

Log Forwarding:  (log-setting eq "forwardingprofilename')

Qos Marking:    (qos/marking/ip-dscp eq 'codepoint')

                            (qos/marking/ip-precedence eq 'codepoint')

                            (qos/marking/follow-c2s-flow eq '')

Description: (description contains '<keyword>')

 

Disabled policy: (disabled yes|no)  

           policies will only respond to 'no' if they have been disabled before

 

 

Please feel free to coment below this video or in the blog (more illustrations there) and don't forget to subscribe to our channel on YouTube so you don't miss out on any of our new videos.

 

Thanks for watching.

 

Reaper out.



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClloCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language