Last updated on November 16th, 2022 at 04:11 pm
A best practice is to use the Palo Alto Networks External Dynamic Lists (EDL) to block inbound and outbound traffic. The firewall also supports Region Codes, two-letter codes that each represent a country. These codes can be used in a Security Policy to block inbound or outbound traffic. If multiple Region Codes need to be added or removed without Panorama, the CLI is much easier and faster for making the change. Adding or removing each code through the GUI works, but several changes take considerably longer in the GUI than at the CLI.
In the example below, we have an inbound deny Security Policy with the EDLs and a couple of Region Codes. In this example, we only have two to keep it simple for this post, but there could be a dozen or more Region Codes depending on your industry or policies.
To view this Security Policy at the CLI, use the commands below. The mode prompts, > and #, are not part of the commands; they are shown only to indicate operational mode versus configuration mode.
> set cli config-output-format set
> configure
# show rulebase security
set rulebase security rules Inbound-Block to untrust
set rulebase security rules Inbound-Block from untrust
set rulebase security rules Inbound-Block source [ AF panw-bulletproof-ip-list panw-highrisk-ip-list panw-known-ip-list panw-torexit-ip-list RU ]
set rulebase security rules Inbound-Block destination any
set rulebase security rules Inbound-Block source-user any
set rulebase security rules Inbound-Block category any
set rulebase security rules Inbound-Block application any
set rulebase security rules Inbound-Block service any
set rulebase security rules Inbound-Block source-hip any
set rulebase security rules Inbound-Block destination-hip any
set rulebase security rules Inbound-Block action deny
We want to focus on the line beginning “set rulebase security rules Inbound-Block source”. If we need to change this on multiple firewalls, we can copy the line, edit it, then paste it into the CLI of the other firewalls. If Panorama is not used but a Network Management System (NMS) that supports automated CLI commands is, the commands with the edited line can be pushed from there. Python can also be used, but both are beyond the scope of this post.
In our example for this post, we want to remove Region Code AF. The CLI commands are below, each with a description.
First, we need to set the CLI format to the “Set” output format:
set cli config-output-format set
The second command is to enter configuration mode:
configure
The third command deletes the Source field of the Security Policy named “Inbound-Block.” In the CLI, a Security Policy rule is made up of multiple set commands, one per field, so deleting the Source field removes only that field and leaves the rest of the rule in place.
NOTE: Reapplying the “set rulebase” command with the unwanted Region Code omitted does not remove that code from the Security Policy. The set command is additive: it keeps the original source or destination addresses and does not remove what is unwanted. To remove a source or destination, the “delete rulebase security rules Security-Policy-Name source/destination” command must be used.
delete rulebase security rules Inbound-Block source
To complete this change, the fourth command is where we add the Source field back to the Security Policy named “Inbound-Block” with the source (or destination) addresses we want. The CLI supports EDLs, IP addresses, Address and Address Group objects, and Region Codes.
set rulebase security rules Inbound-Block source [ panw-bulletproof-ip-list panw-highrisk-ip-list panw-known-ip-list panw-torexit-ip-list RU ]
Viewing the Security Policy via the GUI, we see the AF Region Code is removed.
All commands together:
set cli config-output-format set
configure
delete rulebase security rules Inbound-Block source
set rulebase security rules Inbound-Block source [ panw-bulletproof-ip-list panw-highrisk-ip-list panw-known-ip-list panw-torexit-ip-list RU ]
To Add a Source or Destination Address:
If a Source or Destination address must be added to the Security Policy rule, the “delete rulebase security rules Security-Policy-Name source/destination” does not need to be used.
The “set rulebase security rules Security-Policy-Name source/destination” command with the additional address(es) can be used, and the additional addresses are added to the existing source/destination list.
For example, to add the Region Code IQ to the rule from the earlier example, we add it to the existing set command:
set cli config-output-format set
configure
set rulebase security rules Inbound-Block source [ AF IQ panw-bulletproof-ip-list panw-highrisk-ip-list panw-known-ip-list panw-torexit-ip-list RU ]
And so, in the example above, the delete command is not used.
Viewing the Security Policy via the GUI, we see the IQ Region Code is added to the source field.
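As an added example (not code from the post or from Palo Alto Networks), the Python script below parses the source line printed by show rulebase security, applies a removal or an addition, and emits the same command sequence the post uses for both cases above: delete followed by set when a member is removed, set alone when members are only added. It also refuses an edit that would leave the field empty, since the post's delete step clears the whole field and the set must restore it. The sample line is constructed from the post's output; the function names, the case-insensitive ordering of members, and the rule-name pattern (which assumes an unquoted name without spaces) are my own choices.

```python
"""Generate the PAN-OS CLI commands from the post for editing the source or
destination member list of a Security Policy rule. Added example, not from the
post or from Palo Alto Networks."""
import re

# Constructed sample: the 'source' line as printed by 'show rulebase security'
# in set output format for the post's Inbound-Block rule.
SAMPLE_SET_LINE = (
    "set rulebase security rules Inbound-Block source "
    "[ AF panw-bulletproof-ip-list panw-highrisk-ip-list panw-known-ip-list "
    "panw-torexit-ip-list RU ]"
)

# Assumes an unquoted rule name with no spaces (names with spaces are quoted
# by the firewall and are not handled here).
_SET_LINE = re.compile(
    r"^set rulebase security rules (?P<rule>\S+) "
    r"(?P<field>source|destination) (?P<members>.+)$"
)


def parse_set_line(line):
    """Split a 'set rulebase security rules <rule> source|destination ...' line
    into (rule_name, field, members). Handles the bracketed multi-member form
    '[ a b c ]' and the bare single-member form such as 'any'."""
    m = _SET_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a rulebase source/destination set line: {line!r}")
    rule, field = m.group("rule"), m.group("field")
    rest = m.group("members").strip()
    if rest.startswith("[") and rest.endswith("]"):
        members = rest[1:-1].split()
    else:
        members = [rest]
    return rule, field, members


def format_members(members):
    """Render a member list as the CLI accepts it: bracketed and space-separated
    for several members, bare for exactly one. Members are sorted
    case-insensitively so the generated line is deterministic; this ordering is
    my choice, not a firewall requirement."""
    ordered = sorted(members, key=str.lower)
    return ordered[0] if len(ordered) == 1 else "[ " + " ".join(ordered) + " ]"


def build_commands(line, remove=(), add=()):
    """Return the command sequence from the post for a given edit.

    'set' on a member list is additive, so removing a member needs a 'delete'
    of the whole field before the 'set'; a pure addition just re-runs 'set'
    with the extra members. Refuses to produce an empty list, which would
    leave the rule with no source/destination after the delete."""
    rule, field, members = parse_set_line(line)
    remove = set(remove)
    missing = remove - set(members)
    if missing:
        raise ValueError(f"{sorted(missing)} not present in {rule} {field}")
    new_members = [m for m in members if m not in remove]
    for member in add:
        if member not in new_members:
            new_members.append(member)
    if not new_members:
        raise ValueError(f"edit would leave {rule} {field} empty")

    cmds = ["set cli config-output-format set", "configure"]
    if remove:
        cmds.append(f"delete rulebase security rules {rule} {field}")
    cmds.append(
        f"set rulebase security rules {rule} {field} {format_members(new_members)}"
    )
    return cmds


if __name__ == "__main__":
    print("# remove AF")
    print("\n".join(build_commands(SAMPLE_SET_LINE, remove=["AF"])))
    print("# add IQ")
    print("\n".join(build_commands(SAMPLE_SET_LINE, add=["IQ"])))
```

Run it against the line copied from one firewall and paste the printed commands into the CLI of each firewall that carries the same rule; the missing-member check catches a typo in a Region Code before anything is deleted.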