How to check shadow security rules or warning messages on PA firewall and Panorama via cli

Created On 03/29/23 16:36 PM - Last Modified 01/15/25 03:05 AM


Objective


  • For security rule optimization it is helpful to be able to check shadow rules or their warning messages from the CLI.
  • The command "show jobs all" shows only the recent jobs, so the shadow warnings of older commits are not available from it.
  • For additional details, use the hidden command "show shadow-warning"; the CLI does not display its options until you have typed the full string "show shadow-warning".
  • This command provides the shadow rule details.


Environment


  • Palo Alto Firewalls or Panorama
  • Supported PAN-OS
  • Shadow Rules


Procedure


On the firewall, the command set is as follows:

1. The vsys and the UUID are mandatory parameters. You can find the UUID, the vsys number or name, and the names of the security rules with the following command.

> debug device-server dump idmgr type security-rule all | match <rule name>

Example:

admin@PA-VM_primary> debug device-server dump idmgr type security-rule all

ID         Version    Name
---------- ---------- --------------------
1          predefined intrazone-default (uuid: 11111111-1111-1111-1111-111111111111)
2          predefined interzone-default (uuid: 22222222-2222-2222-2222-222222222222)
3          8          vsys1+allow-sftp-test (uuid: 724036b2-c25e-4203-ab51-305d6810de39)
4          8          vsys1+trust-to-untrust (uuid: 8657977b-00e8-42d7-a249-e3ce18d00a19)
5          8          vsys1+GPZone-to-Internet-vice-versa (uuid: 2859bc1b-5e4f-4d91-acdd-584927ce9aec)
6          8          vsys1+intrazone-default (uuid: 3a3754c7-cbae-45c7-8f05-e0034c01b057)
7          8          vsys1+interzone-default (uuid: 49dd983d-7936-4f4a-9d09-c4f7ccfae08a)
8          8          vsys1+Allow-All (uuid: 93414bd5-4927-410f-bc3c-42fa628a1e4a)
9          8          vsys1+trust-to-untrust-Test (uuid: 0acd6a5b-88cf-4af2-a2bc-fc96bbc9484e)
10         5          vsys1+trust-to-untrus-1 (uuid: 56ddb30c-d03f-47a0-888c-6ccaf102c895)
11         8          vsys1+trust-to-vpn-1 (uuid: 9bf33d02-49b9-4575-8f6e-9c9f6a9e1f70)



2. Then use the vsys name and the UUID in the following command to dump the shadow rules.

> show shadow-warning warning-message vsys <vsys name> uuid <rule uuid>

Example:

admin@PA-VM_primary> show shadow-warning warning-message vsys vsys1 uuid 8657977b-00e8-42d7-a249-e3ce18d00a19
Rule 'trust-to-untrust' shadows rule 'allow-sftp-test'.
Rule 'trust-to-untrust' shadows rule 'trust-to-untrust-Test'.

On Panorama, the command set is as follows:

1. You will need the device serial number, the device group, and the security rule UUID. The device serial number can be taken from the firewall or from Panorama. Use the same UUID as on the firewall, or enable the "Rule UUID" option in Panorama to see the UUIDs as shown in the screenshot below. The device group comes from Panorama.



> show shadow-warning warning-message device-serial <> device-group <> uuid <>

Example:

admin@Panorama(primary-active)> show shadow-warning warning-message device-serial 015351000083371 device-group PA-VM_primary uuid 8657977b-00e8-42d7-a249-e3ce18d00a19

Rule 'trust-to-untrust' shadows rule 'allow-sftp-test'.
Rule 'trust-to-untrust' shadows rule 'trust-to-untrust-Test'.
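The firewall and Panorama procedures above both start from the idmgr dump and end with the "Rule 'X' shadows rule 'Y'." lines. The following script is an added example, not Palo Alto Networks code: it parses the idmgr output in the format shown in this article, builds the show shadow-warning command for every vsys-scoped rule (firewall form, or Panorama form when a serial and device group are supplied), and turns the warning lines into a map of which rule shadows which. The sample outputs are constructed from the article's examples, and the regular expressions assume exactly that output layout.

```python
import re
# Constructed sample in the format of "debug device-server dump idmgr type
# security-rule all" as shown in the article (not a live capture).
IDMGR_DUMP = """\
ID         Version    Name
---------- ---------- --------------------
1          predefined intrazone-default (uuid: 11111111-1111-1111-1111-111111111111)
3          8          vsys1+allow-sftp-test (uuid: 724036b2-c25e-4203-ab51-305d6810de39)
4          8          vsys1+trust-to-untrust (uuid: 8657977b-00e8-42d7-a249-e3ce18d00a19)
9          8          vsys1+trust-to-untrust-Test (uuid: 0acd6a5b-88cf-4af2-a2bc-fc96bbc9484e)
"""
# Constructed sample of "show shadow-warning warning-message ..." output.
SHADOW_OUTPUT = """\
Rule 'trust-to-untrust' shadows rule 'allow-sftp-test'.
Rule 'trust-to-untrust' shadows rule 'trust-to-untrust-Test'.
"""
# One idmgr row: ID, Version, optional "vsysN+" prefix, rule name, uuid in parentheses.
ROW_RE = re.compile(r"^(?P<id>\d+)\s+(?P<version>\S+)\s+(?:(?P<vsys>vsys\d+)\+)?"
                    r"(?P<name>.+?)\s+\(uuid:\s*(?P<uuid>[0-9a-f-]{36})\)\s*$")
SHADOW_RE = re.compile(r"^Rule '(?P<rule>[^']+)' shadows rule '(?P<shadowed>[^']+)'\.$")

def parse_idmgr_dump(text):
    """Return one dict per rule row; vsys is None for predefined rules."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules

def shadow_warning_commands(rules, device_serial=None, device_group=None):
    """Firewall form from the article, or the Panorama form when serial and device group are given."""
    cmds = []
    for r in (r for r in rules if r["vsys"]):  # skip predefined rows (no vsys prefix)
        if device_serial and device_group:
            scope = f"device-serial {device_serial} device-group {device_group}"
        else:
            scope = f"vsys {r['vsys']}"
        cmds.append(f"show shadow-warning warning-message {scope} uuid {r['uuid']}")
    return cmds

def parse_shadow_warnings(text):
    """Map each shadowing rule to the rules it shadows, from the warning-message lines."""
    shadows = {}
    for line in text.splitlines():
        m = SHADOW_RE.match(line.strip())
        if m:
            shadows.setdefault(m["rule"], []).append(m["shadowed"])
    return shadows
```

Feed the real idmgr dump and the per-rule warning output into these functions to get one consolidated list of shadowing rules across a vsys instead of checking UUIDs one at a time.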
