Palo Alto – Search Filter for Security Policies

There are times I need to search through security rules. Below is a great way to filter down to what you are looking for.

OPTIONS

Where a value is written as 'a|b|c', use one of the alternatives. Paths ending in /member match any one member of a multi-value field.

Tags: (tag/member eq 'tagname')
Name: (name contains 'unlocate-block')
Type: (rule-type eq 'intrazone|interzone')
Source Zone: (from/member eq 'zonename')
Source Address: (source/member eq 'any|ip|object')
Source User: (source-user/member eq 'any|username|groupname')
HIP Profile: (hip-profiles/member eq 'any|profilename')
Destination Zone: (to/member eq 'zonename')
Destination Address: (destination/member eq 'any|ip|object')
Destination User: (destination-user/member eq 'any|username|groupname')
Application: (application/member eq 'any|applicationname|applicationgroup|applicationfilter')
Service: (service/member eq 'any|servicename|application-default')
URL Category: (category/member eq 'any|categoryname')
This is the destination URL category on the rule, not a URL Filtering security profile.
Action: (action eq 'allow|drop|deny|reset-client|reset-server|reset-both')
Action send ICMP unreachable: (icmp-unreachable eq 'yes')
Security Profiles:
(profile-setting/profiles/virus/member eq 'profilename')
(profile-setting/profiles/spyware/member eq 'profilename')
(profile-setting/profiles/vulnerability/member eq 'profilename')
(profile-setting/profiles/url-filtering/member eq 'profilename')
(profile-setting/profiles/file-blocking/member eq 'profilename')
(profile-setting/profiles/wildfire-analysis/member eq 'profilename')
Security Profile Group: (profile-setting/group/member eq 'profilegroupname')
Disable server response inspection: (option/disable-server-response-inspection eq 'yes')
Log at session start: (log-start eq 'yes|no')
Log at session end: (log-end eq 'yes|no')
Schedule: (schedule eq 'schedulename')
Log Forwarding: (log-setting eq 'forwardingprofilename')
QoS Marking: (qos/marking/ip-dscp eq 'codepoint')
(qos/marking/ip-precedence eq 'codepoint')
(qos/marking/follow-c2s-flow eq '')
Description: (description contains '<keyword>')
Disabled policy: (disabled eq 'yes|no')
A rule only matches 'no' if it has been disabled at some point: a rule that has never been disabled carries no disabled element at all, so (disabled eq 'no') will not list it.

NOTES: 

  • Search terms are case sensitive (Untrust and untrust are different values).
  • The operators are 'eq', 'neq' and 'contains'.


EXAMPLES

Look for traffic from your DMZ to the Internal network:

(from/member eq 'DMZ') and (to/member eq 'Inside')

Look for traffic from your DMZ to the Internal network with the service set to "any":

(from/member eq 'DMZ') and (to/member eq 'Inside') and (service/member eq 'any')

Look for traffic from your DMZ to the Internal network with the service and application set to “any”:

(from/member eq 'DMZ') and (to/member eq 'Inside') and (service/member eq 'any') and (application/member eq 'any')

Look for traffic to the Internal network with the service and application set to “any”:

(to/member eq 'Inside') and (service/member eq 'any') and (application/member eq 'any')


ANOTHER WAY TO DO IT

You can also use the short forms below to filter (type them without the surrounding backticks):

1. `rule-name neq Policy2`
This filter returns all post rules that do not have 'Policy2' as their rule name.

2. `from neq DMZ`
This filter returns all post rules that do not have 'DMZ' as their source zone.

3. `to neq Trust`
This filter returns all post rules where 'Trust' is not the destination zone.

4. `application neq skype`
This filter returns all post rules that do not reference the Skype application.

5. `service neq service-https`
This filter returns all post rules that do not reference the service-https service object.

6. `action neq allow`
This filter returns all post rules where the action is not set to 'allow'.

7. `source neq 192.168.1.100`
This filter returns all post rules that do not list 192.168.1.100 as a source address.

8. `destination neq 10.0.0.100`
This filter returns all post rules that do not list 10.0.0.100 as a destination address.
Note that the filter compares the literal values configured on the rule: a rule whose source or destination is 'any' or an address object containing that IP is still returned by neq, because the filter does not resolve address objects or evaluate IP membership.

9. `tag neq Tag2`
This filter returns all post rules not tagged with 'Tag2'.

10. `source-user neq user2`
This filter returns all post rules not defined for the user 'user2'.

The same fields work with eq to match on a value instead of excluding it:

`rule-name eq Policy1`
`from eq Trust`
`to eq Untrust`
`application eq facebook`
`service eq service-http`
`action eq deny`
`source eq 10.0.0.1`
`destination eq 192.168.1.1`
`tag eq Tag1`
`source-user eq user1`

Remember, you can also combine filters with the logical operators ('and', 'or', 'not') and parentheses for more complex queries. For instance, to find post rules that reference the HTTP service and do not have the DMZ zone as their source, you could use: `(service eq service-http) and (from neq DMZ)`.
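The filter syntax in the OPTIONS list and the short forms above are a small query language over the rule fields. As an added example (not from the original post and not Palo Alto Networks code), the Python script below evaluates that syntax offline against security rules taken from an exported PAN-OS configuration, so a filter can be checked against a config backup before it is typed into the GUI. The three sample rules are constructed for the example. Assumptions, since the page does not state them: 'not' binds tighter than 'and', which binds tighter than 'or'; 'neq' on a multi-member field means no member equals the value; a bare field name without '/member' reads that field's members, and 'rule-name' is treated as the rule name. The sample also shows the two pitfalls from the notes: comparisons are case sensitive, and a rule that has never been disabled has no disabled element, so (disabled eq 'no') does not return it.

```python
# Offline evaluator for the PAN-OS security-rule filter syntax on this page,
# run against <entry> rules from an exported config (.../rulebase/security/rules).
# Added example, not PAN-OS code. Assumed: precedence is not > and > or; 'neq'
# on a multi-member field means no member equals the value; a bare field name
# without '/member' (the short form shown on this page) reads that field's members.
import re
import xml.etree.ElementTree as ET

# Constructed sample rules. Only the third has ever been disabled, so only it
# carries a <disabled> element; a never-disabled rule has no such element.
SAMPLE_RULES = """<rules>
  <entry name="DMZ-to-Inside-web"><from><member>DMZ</member></from>
    <to><member>Inside</member></to><service><member>application-default</member></service>
    <application><member>web-browsing</member><member>ssl</member></application>
    <action>allow</action><tag><member>Prod</member></tag></entry>
  <entry name="DMZ-to-Inside-any"><from><member>DMZ</member></from>
    <to><member>Inside</member></to><service><member>any</member></service>
    <application><member>any</member></application><action>allow</action></entry>
  <entry name="old-unlocate-block"><from><member>Untrust</member></from>
    <to><member>Inside</member></to><service><member>any</member></service>
    <application><member>any</member></application><action>deny</action>
    <disabled>no</disabled></entry>
</rules>"""

TOKEN_RE = re.compile(r"""\s*(\(|\)|'[^']*'|"[^"]*"|[^\s()'"]+)""")
OPS = ("eq", "neq", "contains")
CURLY = str.maketrans("\u2018\u2019\u201c\u201d", "''\"\"")  # quotes from copied docs

def tokenize(text):
    # Split a filter into parentheses, quoted strings and bare words.
    text, pos, tokens = text.translate(CURLY).strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("cannot tokenize filter at: %r" % text[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def parse(tokens):
    # Recursive-descent parser returning a small tuple-based AST.
    pos = [0]
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None
    def take():
        tok = peek()
        pos[0] += 1
        return tok
    def chain(op, sub):          # left-associative run of `sub` joined by `op`
        node = sub()
        while peek() == op:
            take()
            node = (op, node, sub())
        return node
    def expr():                  # 'or' binds loosest, then 'and', then 'not'
        return chain("or", lambda: chain("and", unary))
    def unary():                 # 'not', a parenthesised group, or a comparison
        if peek() == "not":
            take()
            return ("not", unary())
        if peek() == "(":
            take()
            node = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        path, op, value = take(), take(), take()
        if path is None or op not in OPS or value is None:
            raise ValueError("expected '<field> eq|neq|contains <value>'")
        return ("cmp", path, op, value.strip("'\""))
    node = expr()
    if peek() is not None:
        raise ValueError("unexpected token %r" % peek())
    return node

def field_values(rule, path):
    # The strings the filter compares against for one rule.
    if path in ("name", "rule-name"):   # the rule name is an XML attribute
        return [rule.get("name", "")]
    values = []
    for el in rule.findall(path):
        members = el.findall("member")  # short form: 'from' reads from/member
        values += [(m.text or "").strip() for m in (members or [el])]
    return values

def matches(node, rule):
    # Evaluate the AST against one <entry>; string compares are case-sensitive.
    kind = node[0]
    if kind == "and":
        return matches(node[1], rule) and matches(node[2], rule)
    if kind == "or":
        return matches(node[1], rule) or matches(node[2], rule)
    if kind == "not":
        return not matches(node[1], rule)
    _, path, op, value = node
    values = field_values(rule, path)
    if op == "eq":
        return value in values           # an absent element never matches 'eq'
    if op == "neq":
        return value not in values
    return any(value in v for v in values)

def search(filter_text, rules_xml=SAMPLE_RULES):
    # Names of the rules in rules_xml that the filter selects, in rule order.
    ast = parse(tokenize(filter_text))
    root = ET.fromstring(rules_xml)
    return [r.get("name") for r in root.findall("entry") if matches(ast, r)]
```

To run it against a real backup, load the exported XML, take the rules element with ElementTree's find on the rulebase path and pass its serialisation as rules_xml. Calls such as search("(from/member eq 'DMZ') and (to/member eq 'Inside')") return the first two sample rules, search("(disabled eq 'no')") returns only the once-disabled third rule, and search("(from/member eq 'dmz')") returns nothing because of the case difference.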