【Paloalto】How to move a policy
Verified on a Palo Alto PA-200.
This post summarises how to move a security policy rule on a Palo Alto PA-200, both from the CLI and from the GUI.
- Model: PA-200
- OS version: sw-version: 8.0.19
Configuring from the CLI
【CLI】How to move a policy
↓ Commands for moving a policy from the CLI. The move commands are entered in configuration mode (hence `configure` first) and only change the candidate configuration until you commit.
configure
■ When not using vsys (virtual firewalls)
move rulebase security rules <rulename> before <rulename>
move rulebase security rules <rulename> after <rulename>
move rulebase security rules <rulename> top
move rulebase security rules <rulename> bottom
■ When using vsys (virtual firewalls)
move vsys <vsys#> rulebase security rules <rulename> before <rulename>
move vsys <vsys#> rulebase security rules <rulename> after <rulename>
move vsys <vsys#> rulebase security rules <rulename> top
move vsys <vsys#> rulebase security rules <rulename> bottom
commit
Note that security policy is evaluated top-down and the first matching rule wins, so moving a rule changes which rule handles traffic: a broad allow moved above a more specific deny shadows that deny.
【Paloalto公式】How to Move Security Rules Through the CLI
【CLI】Results
↓ As a precondition, three policies exist: "rule1", "rule2" and "rule3".
Every field in these policies is set to any. The examples below move these policies.
test-user@PA-200-first(active)> set cli pager off
test-user@PA-200-first(active)> set cli config-output-format set
test-user@PA-200-first(active)> configure
Entering configuration mode
[edit]
test-user@PA-200-first(active)# show rulebase security rules
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes
set rulebase security rules rule2 from trust
set rulebase security rules rule2 to untrust
set rulebase security rules rule2 source any
set rulebase security rules rule2 destination any
set rulebase security rules rule2 service any
set rulebase security rules rule2 application any
set rulebase security rules rule2 action allow
set rulebase security rules rule2 log-end yes
set rulebase security rules rule3 from trust
set rulebase security rules rule3 to untrust
set rulebase security rules rule3 source any
set rulebase security rules rule3 destination any
set rulebase security rules rule3 service any
set rulebase security rules rule3 application any
set rulebase security rules rule3 action allow
set rulebase security rules rule3 log-end yes
[edit]
test-user@PA-200-first(active)#
(Example 1) Move rule3 before rule1
move rulebase security rules rule3 before rule1
The resulting order is rule3, rule1, rule2 (the same as moving rule3 to the top in example 3 below, since rule1 is currently first).
(Example 2) Move rule3 after rule1
move rulebase security rules rule3 after rule1
The result is as follows.
test-user@PA-200-first(active)# move rulebase security rules rule3 after rule1
[edit]
test-user@PA-200-first(active)# show rulebase security rules
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes
set rulebase security rules rule3 from trust
set rulebase security rules rule3 to untrust
set rulebase security rules rule3 source any
set rulebase security rules rule3 destination any
set rulebase security rules rule3 service any
set rulebase security rules rule3 application any
set rulebase security rules rule3 action allow
set rulebase security rules rule3 log-end yes
set rulebase security rules rule2 from trust
set rulebase security rules rule2 to untrust
set rulebase security rules rule2 source any
set rulebase security rules rule2 destination any
set rulebase security rules rule2 service any
set rulebase security rules rule2 application any
set rulebase security rules rule2 action allow
set rulebase security rules rule2 log-end yes
[edit]
test-user@PA-200-first(active)#
(Example 3) Move rule3 to the top
move rulebase security rules rule3 top
The result is as follows.
test-user@PA-200-first(active)# move rulebase security rules rule3 top
[edit]
test-user@PA-200-first(active)# show rulebase security rules
set rulebase security rules rule3 from trust
set rulebase security rules rule3 to untrust
set rulebase security rules rule3 source any
set rulebase security rules rule3 destination any
set rulebase security rules rule3 service any
set rulebase security rules rule3 application any
set rulebase security rules rule3 action allow
set rulebase security rules rule3 log-end yes
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes
set rulebase security rules rule2 from trust
set rulebase security rules rule2 to untrust
set rulebase security rules rule2 source any
set rulebase security rules rule2 destination any
set rulebase security rules rule2 service any
set rulebase security rules rule2 application any
set rulebase security rules rule2 action allow
set rulebase security rules rule2 log-end yes
[edit]
test-user@PA-200-first(active)#
(Example 4) Move rule1 to the bottom
move rulebase security rules rule1 bottom
The result is as follows.
test-user@PA-200-first(active)# move rulebase security rules rule1 bottom
[edit]
test-user@PA-200-first(active)# show rulebase security rules
set rulebase security rules rule2 from trust
set rulebase security rules rule2 to untrust
set rulebase security rules rule2 source any
set rulebase security rules rule2 destination any
set rulebase security rules rule2 service any
set rulebase security rules rule2 application any
set rulebase security rules rule2 action allow
set rulebase security rules rule2 log-end yes
set rulebase security rules rule3 from trust
set rulebase security rules rule3 to untrust
set rulebase security rules rule3 source any
set rulebase security rules rule3 destination any
set rulebase security rules rule3 service any
set rulebase security rules rule3 application any
set rulebase security rules rule3 action allow
set rulebase security rules rule3 log-end yes
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes
[edit]
test-user@PA-200-first(active)#
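The four move forms above change only the order of the rulebase, and order is what decides which rule handles a session, because security policy is evaluated top-down and the first match wins. The following Python is an added example, not Palo Alto code and not part of the original post: it runs offline, parses set-format output like the one shown above (with or without the `vsys` prefix), applies the same before/after/top/bottom semantics as the CLI `move` command, and evaluates a first match for a flow. The rule names follow the post, but the sample rulebase, the ssh deny rule and the flow are constructed for illustration, and the simulator treats a field omitted from a rule as `any`.

```python
"""Offline simulation of PAN-OS security-rule ordering.

Added example, not PAN-OS or Palo Alto code: it never talks to a firewall.
It parses the set-format output of `show rulebase security rules`, re-orders
rules with the same before/after/top/bottom semantics as the CLI `move`
command, and evaluates which rule a flow would hit (top-down, first match).
"""
import re
from collections import OrderedDict

# Accepts both forms shown in the post:
#   set rulebase security rules <name> <attr> <value>
#   set vsys <vsys> rulebase security rules <name> <attr> <value>
_LINE = re.compile(
    r"^set (?:vsys (?P<vsys>\S+) )?rulebase security rules "
    r"(?P<name>\S+) (?P<attr>\S+) (?P<value>.+)$"
)


def parse_rulebase(text):
    """Return an OrderedDict rule-name -> {attr: value} in rulebase order."""
    rules = OrderedDict()
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError("unrecognised set line: %r" % line)
        rules.setdefault(m["name"], {})[m["attr"]] = m["value"]
    return rules


def move_rule(rules, name, where, dst=None):
    """Mirror `move rulebase security rules <name> before|after|top|bottom [<dst>]`."""
    if name not in rules:
        raise KeyError("no such rule: %s" % name)
    if where in ("before", "after"):
        if dst not in rules:
            raise KeyError("no such destination rule: %s" % dst)
        if dst == name:
            raise ValueError("a rule cannot be moved relative to itself")
    elif where not in ("top", "bottom"):
        raise ValueError("where must be before, after, top or bottom")
    order = [n for n in rules if n != name]  # take the rule out, then re-insert it
    if where == "top":
        idx = 0
    elif where == "bottom":
        idx = len(order)
    elif where == "before":
        idx = order.index(dst)
    else:  # after
        idx = order.index(dst) + 1
    order.insert(idx, name)
    return OrderedDict((n, rules[n]) for n in order)


_MATCH_FIELDS = ("from", "to", "source", "destination", "application", "service")


def first_match(rules, flow):
    """Return (rule name, action) of the first rule matching `flow`, else None.

    Policy is evaluated top-down and the first match wins; a field set to 'any'
    matches everything. A field omitted from a rule is treated as 'any' here
    (real set output lists every field, as in the post).
    """
    for name, attrs in rules.items():
        if all(attrs.get(f, "any") in ("any", flow[f]) for f in _MATCH_FIELDS):
            return name, attrs["action"]
    return None


# Constructed sample in the post's set format. Unlike the post's all-'any' rules,
# rule2 denies the ssh application so that the effect of reordering is visible.
SAMPLE = """
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule2 from trust
set rulebase security rules rule2 to untrust
set rulebase security rules rule2 application ssh
set rulebase security rules rule2 action deny
set rulebase security rules rule3 from trust
set rulebase security rules rule3 to untrust
set rulebase security rules rule3 application any
set rulebase security rules rule3 action allow
"""

# Constructed flow: an outbound ssh session from trust to untrust (documentation addresses).
FLOW = {"from": "trust", "to": "untrust", "source": "192.0.2.10",
        "destination": "203.0.113.5", "application": "ssh", "service": "tcp/22"}


def demo():
    """Show that moving the deny above the broad allow changes the verdict."""
    before = parse_rulebase(SAMPLE)
    after = move_rule(before, "rule2", "top")
    return {"order_before": list(before), "verdict_before": first_match(before, FLOW),
            "order_after": list(after), "verdict_after": first_match(after, FLOW)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it prints the order and verdict before and after `move ... rule2 top`: with rule2 below rule1 the ssh session is allowed by rule1 and rule2 is shadowed; once rule2 is moved to the top the same session is denied. Reproducing the post's four moves on the same three rule names gives the orders shown in the CLI output above. On a real firewall the equivalent check after committing is `test security-policy-match` in operational mode, which reports the rule a specified flow would hit.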
Configuring from the GUI
【GUI】How to move a policy
↓ Go to Policies → Security, select the "↓" of the policy you want to move, and click Move.
As an example, rule1 is moved below rule3.
【Paloalto公式】How to Move a Policy Before or After Another Policy in PAN-OS
Select rule3 and click Move After.

rule1 has been moved below rule3 ↓

Compare the candidate configuration with the running one (Commit → Preview Changes in the GUI, or `show config diff` from the operational-mode CLI); if only the intended rule has changed position, commit and you are done. Because the first matching rule wins, confirm that the moved rule does not now sit above a more specific rule it would shadow.
Summary
To wrap up:
- When using vsys (virtual firewalls), the vsys must be specified in the CLI command
- In the GUI, go to Policies → Security, select the "↓" of the policy to move, click Move, choose the destination, and the rule is moved easily
That's all!