Security
··1 min read

Palo Alto – Search Filter for Security Polices

There are times I need to search Security rules or NAT’s.  Below is great way to filter in to what you are looking for. 

Below are your options:

Tags: (tag/member eq ‘tagname’)

Name: (name contains ‘unlocate-block’)

Type: (rule-type eq ‘intrazone|interzone’)

Source Zone: (from/member eq ‘zonename’)

Source Address: (source/member eq ‘any|ip|object’)

Source User: (source-user/member eq ‘any|username|groupname’)

Hip profile:  (hip-profiles/member eq ‘any|profilename’)

Destination Zone: (to/member eq ‘zonename’)

Destination Address: (destination/member eq ‘any|ip|object’)

Destination User: (destination-user/member eq ‘any|username|groupname’)

Application: (application/member eq ‘any|applicationname|applicationgroup|applicationfilter’)

Service: (service/member eq ‘any|servicename|application-default’)

URL Category: (category/member eq ‘any|categoryname’)

This is a destination category, not a URL filtering security profile

Action: (action eq ‘allow|drop|deny|reset-client|reset-server|reset-both’)

Action send ICMP unreachable: (icmp-unreachable eq ‘yes’)

Security Profiles:

(profile-setting/profiles/virus/member eq ‘profilename’)

(profile-setting/profiles/spyware/member eq ‘profilename’)

(profile-setting/profiles/vulnerability/member eq ‘profilename’)

(profile-setting/profiles/url-filtering/member eq ‘profilename’)

(profile-setting/profiles/file-blocking/member eq ‘profilename’)

(profile-setting/profiles/wildfire-analysis/member eq ‘profilegroupname’)

(profile-setting/group/member eq ‘profilename’)

Disable server response inspection: (option/disable-server-response-inspection eq ‘yes’)

Log at session start: (log-start eq ‘yes|no’)

Log at session end: (log-end eq ‘yes|no’)

Schedule: (schedule eq ‘schedulename’)

Log Forwarding:  (log-setting eq “forwardingprofilename’)

Qos Marking:    (qos/marking/ip-dscp eq ‘codepoint’)

(qos/marking/ip-precedence eq ‘codepoint’)

(qos/marking/follow-c2s-flow eq ”)

Description: (description contains ‘<keyword>’)

Disabled policy: (disabled eq yes|no)

policies will only respond to ‘no’ if they have been disabled before

NOTES: 

  • searched terms are case sensitive! (Untrust or untrust)
  • operands include ‘eq’, ‘neq’ , ‘contains’

Some Examples:
Look for traffic from you DMZ to the Internal network:

(from/member eq 'DMZ') and (to/member eq 'Inside')

Look for traffic form your DMZ to the Internal network with the service and application set to “any”:

(from/member eq 'DMZ') and (to/member eq 'Inside') and (service/member eq 'any')

Look for traffic from your DMZ to the Internal network with the service and application set to “any”:

(from/member eq 'DMZ') and (to/member eq 'Inside') and (service/member eq 'any') and (application/member eq 'any')

Look for traffic to the Internal network with the service and application set to “any”:

(to/member eq 'Inside') and (service/member eq 'any') and (application/member eq 'any')
© Kerry Cordero 2020. All Rights Reserved.
More Stories
Network Speed and Throughput Issues – Some Things to Look For