
15 PaloAlto CLI Examples to Manage Security and NAT Policies

While working with a PaloAlto firewall, you will often find it easier to use the CLI instead of the web console.

Working from the CLI is especially useful when you are testing something on a dev/test firewall, where you repeatedly try the same thing with different values and do not want to click through the UI and retype everything each time.

In this tutorial, we'll explain how to create and manage PaloAlto security and NAT rules from the CLI. The following examples are covered:

  1. View Current Security Policies
  2. View Only Security Policy Names
  3. Create a New Security Policy Rule – Method 1
  4. Create a New Security Policy Rule – Method 2
  5. Move Security Rule to a Specific Location
  6. Commit and Verify Security Rule Changes
  7. Delete an Existing Security Rule
  8. View Current NAT Policies
  9. Create a New NAT Rule Policy
  10. Move NAT Rule to a Specific Location
  11. Commit and Verify NAT Rule Changes
  12. Delete an Existing NAT Rule
  13. View Both Security and NAT Rules Together
  14. Set Output Format – Inside Configure
  15. Set Output Format – Outside Configure

1. View Current Security Policies

First, log in to the PaloAlto CLI over ssh as shown below.

$ ssh [email protected]
[email protected]>

To view the current security policy, execute show running security-policy as shown below.

[email protected]> show running security-policy

“AllowMgmt; index: 1”
from Untrust;
source any;
source-region none;
to Trust;
destination any;
destination-region none;
user any;
category any;
application/service [0:ssh/tcp/any/22 1:ping/icmp/any/any ];
action allow;
icmp-unreachable: no
terminal yes;

“AllowWebAccess; index: 2”
from Untrust;
source any;
source-region none;
to Trust;
destination any;
destination-region none;
user any;

The output of the above command is in the CLI's default display format (the listing above is truncated; the command prints every rule, one block per rule, in evaluation order).

2. View Only Security Policy Names

When you have many security rules and only want to see the rule names rather than their details, use the match filter to keep just the first line of each rule block, the one that contains the keyword “index”, as shown below.

[email protected]> show running security-policy | match index
“AllowMgmt; index: 1”
“AllowWebAccess; index: 2”
“WebServerToExternal; index: 3”
“intrazone-default; index: 4”
“vsys1+interzone-default; index: 5”

As shown above, there are currently 5 security rules on this system (the last two, intrazone-default and interzone-default, are the built-in default rules).

3. Create a New Security Policy Rule – Method 1

To create a new security rule, use the set rulebase command as shown below.

First, enter configuration mode as shown below.

[email protected]> configure
Entering configuration mode
[edit]

From configuration mode, create the security rule as shown below. This creates a security rule called TheGeekStuffInternal.

set rulebase security rules TheGeekStuffInternal from Untrust to Trust source any destination any application any service any action allow

At this stage, if you run show running security-policy, you will not see the newly created rule, because it has not been committed yet. The web console, however, already lists it as part of the candidate configuration.

4. Create a New Security Policy Rule – Method 2

Instead of specifying all the values of a security rule on one line, you can also specify them over multiple lines as shown below.

The following creates a new security rule called TheGeekStuffExternal with the following configuration values.

set rulebase security rules TheGeekStuffExternal to Trust
set rulebase security rules TheGeekStuffExternal from Untrust
set rulebase security rules TheGeekStuffExternal source any
set rulebase security rules TheGeekStuffExternal destination any
set rulebase security rules TheGeekStuffExternal source-user any
set rulebase security rules TheGeekStuffExternal category any
set rulebase security rules TheGeekStuffExternal application any
set rulebase security rules TheGeekStuffExternal service any
set rulebase security rules TheGeekStuffExternal hip-profiles any
set rulebase security rules TheGeekStuffExternal action allow
set rulebase security rules TheGeekStuffExternal log-start yes

In this tutorial, so far we have created two security rules. After this, if you log in to the PaloAlto console, you will see both of these rules as shown below.

5. Move Security Rule to a Specific Location

The following moves the TheGeekStuffInternal rule to the top of the list. Because rules are evaluated top-down, this rule will now be evaluated first.

move rulebase security rules TheGeekStuffInternal top

Instead of top or bottom, you can also move a rule before or after an existing rule as shown below.

The following moves TheGeekStuffExternal before the existing AllowWebAccess rule.

move rulebase security rules TheGeekStuffExternal before AllowWebAccess

After the above two commands, the security rules are re-arranged as shown below.

[PaloAlto Security Rules Moved]

Valid positions are: top, bottom, before or after.

6. Commit and Verify Security Rule Changes

Once you have created or modified rules, type commit as shown below to commit the changes.

[email protected]# commit
Commit job 5 is in progress. Use Ctrl+C to return to command prompt
…55%70%98%…….100%

After a successful commit, you will see the new rules as shown below.

[email protected]> show running security-policy | match index

“TheGeekStuffInternal; index: 1”
“AllowMgmt; index: 2”
“TheGeekStuffExternal; index: 3”
“AllowWebAccess; index: 4”
“WebServerToExternal; index: 5”
“intrazone-default; index: 6”
“vsys1+interzone-default; index: 7”

If something is wrong in the new security rule, the commit fails with a validation error like the one below:

Validation Error:
rulebase -> security -> rules -> TheGeekStuffInternal is missing ‘source’
rulebase -> security -> rules is invalid

If the new rule you created matches the same traffic as an existing rule that sits below it, the commit prints a shadow warning like the following. A shadowed rule never receives a hit, so review the warning before treating the commit as done.

vsys1
Security Policy:
– Rule ‘TheGeekStuffInternal’ shadows rule ‘AllowMgmt’
– Rule ‘TheGeekStuffExternal’ shadows rule ‘AllowWebAccess’
(Module: system)
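The two commit-time checks above, and the two move commands from section 5, can be reproduced offline before you touch the firewall. The following is an added example, not code from the original article or from PAN-OS: it models the four rules whose fields this tutorial shows (AllowWebAccess's application and service values are assumptions, since the article never prints them), replays the moves, and then reports a missing required field and any rule that is shadowed by an earlier one. Because TheGeekStuffInternal and TheGeekStuffExternal match identical traffic, the linter also reports the first shadowing the second, which the excerpt of the commit output above does not list.

```python
"""Pre-commit linter for PAN-OS security rules (added example, not PAN-OS
code).  Models the tutorial's rules, replays the `move` commands, and runs
two checks the firewall performs at commit: a missing required field and a
rule shadowed by an earlier one.  AllowWebAccess's application/service are
assumed values."""

from typing import Dict, List, Optional

Rule = Dict[str, List[str]]

# Fields the commit validation requires on every security rule.
REQUIRED = ("from", "to", "source", "destination", "application", "service", "action")
# Fields compared to decide whether an earlier rule shadows a later one.
# `action` is deliberately excluded: a deny above an allow still shadows it.
MATCH_FIELDS = ("from", "to", "source", "destination", "source-user", "application", "service")


def rule(name: str, **fields: object) -> Rule:
    """Build a rule from keyword arguments named like the set-command keys
    (from_ -> from, source_user -> source-user).  Every value is stored as a
    list so that 'any' and multi-member fields are handled uniformly."""
    r: Rule = {"name": [name], "source-user": ["any"]}
    for key, value in fields.items():
        key = key.rstrip("_").replace("_", "-")
        r[key] = [str(v) for v in value] if isinstance(value, (list, tuple)) else [str(value)]
    return r


def missing_fields(r: Rule) -> List[str]:
    return [f for f in REQUIRED if f not in r]


def covers(earlier: List[str], later: List[str]) -> bool:
    """True when everything the later rule matches on one field is also
    matched by the earlier rule: 'any' matches everything, otherwise the
    later values must be a subset of the earlier ones."""
    if "any" in earlier:
        return True
    if "any" in later:
        return False
    return set(later) <= set(earlier)


def shadows(earlier: Rule, later: Rule) -> bool:
    return all(covers(earlier[f], later[f]) for f in MATCH_FIELDS)


def move(rules: List[Rule], name: str, where: str, ref: Optional[str] = None) -> List[Rule]:
    """Reorder like `move rulebase security rules <name> top|bottom|before <ref>|after <ref>`."""
    names = [r["name"][0] for r in rules]
    if name not in names:
        raise ValueError(f"no rule named {name!r}")
    moving = rules[names.index(name)]
    rest = [r for r in rules if r is not moving]
    if where == "top":
        return [moving] + rest
    if where == "bottom":
        return rest + [moving]
    if where in ("before", "after"):
        rest_names = [r["name"][0] for r in rest]
        if ref not in rest_names:
            raise ValueError(f"no reference rule named {ref!r}")
        idx = rest_names.index(ref) + (1 if where == "after" else 0)
        return rest[:idx] + [moving] + rest[idx:]
    raise ValueError(f"unknown position {where!r}")


def lint(rules: List[Rule]) -> List[str]:
    """Return commit-style messages for a rulebase in evaluation order
    (index 1 first).  A shadowed rule is reported against the nearest
    preceding rule that shadows it."""
    msgs: List[str] = []
    for r in rules:
        for f in missing_fields(r):
            msgs.append("Validation Error: rulebase -> security -> rules -> "
                        f"{r['name'][0]} is missing '{f}'")
    complete = [r for r in rules if not missing_fields(r)]
    for i, later in enumerate(complete):
        for earlier in reversed(complete[:i]):
            if shadows(earlier, later):
                msgs.append(f"Rule '{earlier['name'][0]}' shadows rule '{later['name'][0]}'")
                break
    return msgs


def tutorial_rulebase() -> List[Rule]:
    """The rules as they exist after sections 3 and 4, before any move (constructed)."""
    return [
        rule("AllowMgmt", from_="Untrust", to="Trust", source="any", destination="any",
             application=["ping", "ssh"], service="application-default", action="allow"),
        # application/service below are assumed; the article does not show them
        rule("AllowWebAccess", from_="Untrust", to="Trust", source="any", destination="any",
             application=["web-browsing", "ssl"], service="application-default", action="allow"),
        rule("TheGeekStuffInternal", from_="Untrust", to="Trust", source="any",
             destination="any", application="any", service="any", action="allow"),
        rule("TheGeekStuffExternal", from_="Untrust", to="Trust", source="any",
             destination="any", application="any", service="any", action="allow"),
    ]


def after_moves() -> List[Rule]:
    """Replay the two move commands from section 5."""
    rules = move(tutorial_rulebase(), "TheGeekStuffInternal", "top")
    return move(rules, "TheGeekStuffExternal", "before", "AllowWebAccess")
```

Run `lint(after_moves())` to get the shadow messages for the post-move order, and `lint([rule(...)])` on a rule built without `source` to get the same “is missing 'source'” text the commit prints. The shadow test compares only the match fields; an allow-any rule placed above a narrower rule shadows it regardless of its action, which is exactly why moving TheGeekStuffInternal to the top produces the warning.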

7. Delete an Existing Security Rule

Execute the following command to delete an existing security rule.

delete rulebase security rules TheGeekStuffExternal

8. View Current NAT Policies

The following displays all the existing NAT rules in the CLI's default display format.

[email protected]> show running nat-policy

“NAT2WebServer; index: 1”
nat-type ipv4;
from Untrust;
source any;
to Untrust;
to-interface ;
destination 192.168.0.10;
service 0:any/any/any;
translate-to “dst: 192.168.5.50”;
terminal no;

“NAT2External; index: 2”
nat-type ipv4;
from Trust;
source any;
to Untrust;
to-interface ;
destination any;
service 0:any/any/any;
translate-to “src: 192.168.0.10 (dynamic-ip-and-port) (pool idx: 1)”;
terminal no;

9. Create a New NAT Rule Policy

The following creates a new NAT rule called TheGeekStuffNAT.

configure
set rulebase nat rules TheGeekStuffNAT source-translation dynamic-ip-and-port interface-address interface ethernet1/2

You can edit an existing NAT rule, or add further settings to the newly created NAT rule, as shown below.

set rulebase nat rules TheGeekStuffNAT dynamic-destination-translation translated-address 192.168.6.40
set rulebase nat rules TheGeekStuffNAT dynamic-destination-translation translated-port 80
set rulebase nat rules TheGeekStuffNAT to Untrust
set rulebase nat rules TheGeekStuffNAT from Untrust
set rulebase nat rules TheGeekStuffNAT source any
set rulebase nat rules TheGeekStuffNAT destination 192.168.6.40
set rulebase nat rules TheGeekStuffNAT service any
set rulebase nat rules TheGeekStuffNAT to-interface any

Note that a NAT rule only rewrites addresses and ports; the translated traffic still has to be allowed by a security rule, which PAN-OS matches using the pre-NAT addresses and the post-NAT destination zone.

[PaloAlto NAT Rules]

10. Move NAT Rule to a Specific Location

The following moves TheGeekStuffNAT to the top of the list.

move rulebase nat rules TheGeekStuffNAT top

The following moves TheGeekStuffNAT after the existing NAT2WebServer rule.

move rulebase nat rules TheGeekStuffNAT after NAT2WebServer

Valid positions are: top, bottom, before, after.

11. Commit and Verify NAT Rule Changes

Once you have created new NAT rules, commit the changes as shown below.

[email protected]# commit
Commit job 8 is in progress. Use Ctrl+C to return to command prompt
…55%70%98%…….100%
Configuration committed successfully

Verify that the new NAT rule was created successfully as shown below.

[email protected]> show running nat-policy | match index
“NAT2WebServer; index: 1”
“NAT2External; index: 2”
“TheGeekStuffNAT; index: 3”

12. Delete an Existing NAT Rule

Execute the following command to delete an existing NAT rule.

delete rulebase nat rules TheGeekStuffNAT

13. View Both Security and NAT Rules Together

You can also view the security and NAT rules from configuration mode with the show command, which prints the configuration under the current edit context: under edit rulebase it shows both rulebases, under edit rulebase security only the security rules, as shown below.

[email protected]> configure
Entering configuration mode
[edit]

[email protected]# edit rulebase security
[edit rulebase security]

[email protected]# show
security {
  rules {
    AllowMgmt {
      to Trust;
      from Untrust;
      source any;
      destination any;
      source-user any;
      category any;
      application [ ping ssh];
      service application-default;
      hip-profiles any;
      action allow;
    }
..
..

If you want the show command to display just the NAT rules, first enter the NAT edit context as shown below, and then run show.

[email protected]# edit rulebase nat
[edit rulebase nat]

[email protected]# show
nat {
  rules {
    NAT2WebServer {
      destination-translation {
        translated-address 192.168.5.50;
      }
      to Untrust;
      from Untrust;
      source any;
      destination 192.168.0.10;
      service any;
    }
..
..

Just like the above, you can do the same for security rules by running “edit rulebase security” followed by “show”.

14. Set Output Format – Inside Configure

As you saw in the previous example, by default show displays the configuration in the CLI's hierarchical brace format.

You can change this behaviour to display the output in set format as shown below. This is very useful when you just want to copy the output, change a particular value, and paste it back into the CLI.

To change the output format, use the set cli command and change the value of config-output-format to set as shown below.

[email protected]# run set cli config-output-format set
[edit rulebase nat]

Once you do the above, show will start displaying the output in set format (instead of the default format).

[email protected]# show
set rulebase nat rules NAT2WebServer destination-translation translated-address 192.168.5.50
set rulebase nat rules NAT2WebServer to Untrust
set rulebase nat rules NAT2WebServer from Untrust
set rulebase nat rules NAT2WebServer source any
set rulebase nat rules NAT2WebServer destination 192.168.0.10
set rulebase nat rules NAT2WebServer service any
set rulebase nat rules NAT2External source-translation dynamic-ip-and-port translated-address 192.168.0.10
set rulebase nat rules NAT2External to Untrust
set rulebase nat rules NAT2External from Trust
set rulebase nat rules NAT2External source any
set rulebase nat rules NAT2External destination any
set rulebase nat rules NAT2External service any

Note: In the above, the run prefix is needed because we are inside configure mode; run executes an operational-mode command from configuration mode. The setting applies to the current CLI session only.

The following are the possible values for config-output-format:

run set cli config-output-format default
run set cli config-output-format json
run set cli config-output-format set
run set cli config-output-format xml
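The relation between the brace output of section 13 and the set output of section 14 is mechanical: each leaf line becomes one set command whose path is the chain of enclosing nodes, prefixed by the edit context. The converter below is an added example, not part of the original article and not PAN-OS code; it is useful when you have copied brace-format output from one box and want set commands to paste into another, or want to clone a rule under a new name (the copy/edit/paste workflow the set format exists for). The sample input is a constructed copy of the NAT2WebServer output from section 13, plus an assumed second rule with a quoted name and a zone list to show how those are carried through.

```python
"""Convert PAN-OS brace-format configuration output into `set` commands
(added example, not PAN-OS code).  `context` is the edit path the output was
displayed under, e.g. "rulebase" for [edit rulebase nat]."""

import re
from typing import List

# Constructed sample: what `show` prints under [edit rulebase nat].
# NAT2WebServer is copied from the article; "Office NAT" is an assumed
# extra rule that exercises quoted names and bracketed lists.
SAMPLE = """
nat {
  rules {
    NAT2WebServer {
      destination-translation {
        translated-address 192.168.5.50;
      }
      to Untrust;
      from Untrust;
      source any;
      destination 192.168.0.10;
      service any;
    }
    "Office NAT" {
      source-translation {
        dynamic-ip-and-port {
          translated-address 192.168.0.10;
        }
      }
      to Untrust;
      from [ Trust DMZ ];
      source any;
      destination any;
      service any;
    }
  }
}
"""


def to_set_commands(text: str, context: str = "rulebase") -> List[str]:
    """Walk the hierarchy: `name {` pushes a path element, `}` pops one and
    `key value;` emits `set <context> <path> key value`.  Quoted names and
    `[ a b ]` lists are passed through unchanged, as the CLI prints them."""
    path = [context]
    commands: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(path) == 1:
                raise ValueError("unbalanced braces: '}' without matching '{'")
            path.pop()
        elif line.endswith("{"):
            path.append(line[:-1].strip())
        elif line.endswith(";"):
            commands.append("set " + " ".join(path) + " " + line[:-1].strip())
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(path) != 1:
        raise ValueError("unbalanced braces: input ended inside a block")
    return commands


def clone_rule(commands: List[str], old: str, new: str) -> List[str]:
    """Return the set commands of rule `old` rewritten for a rule named `new`
    (pass quoted names with their quotes, exactly as they appear in the
    commands).  Commands for other rules are dropped."""
    pattern = re.compile(r"^(set \S+ \S+ rules )" + re.escape(old) + r"(\s)")
    return [pattern.sub(lambda m: m.group(1) + new + m.group(2), c)
            for c in commands if pattern.match(c)]
```

`to_set_commands(SAMPLE)` yields the six NAT2WebServer lines exactly as section 14 shows them, followed by the six for the assumed rule; `clone_rule(cmds, "NAT2WebServer", "NAT2WebServer-copy")` gives a paste-ready duplicate that only needs its destination and translated-address edited. The parser rejects unbalanced input instead of emitting a partial command list, which matters when the output you copied was truncated by a pager.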

15. Set Output Format – Outside Configure

Note: If you are outside configure mode, do not prefix the command with run, as shown below.

In the following, we are outside configuration mode. Here, the run command is not valid.

[email protected]> run set cli config-output-format set
Unknown command: run

When you are outside configure, just execute the set command without run in front, as shown below.

[email protected]> set cli config-output-format set
[email protected]>

Now, go into configure mode and you will see the output in set format as shown below.

[email protected]> configure
Entering configuration mode

[email protected]# edit rulebase nat
[edit rulebase nat]

[email protected]# show
set rulebase nat rules NAT2WebServer destination-translation translated-address 192.168.5.50
set rulebase nat rules NAT2WebServer to Untrust
