【Palo Alto】How to move a policy
I am testing with a Palo Alto PA-200. This post summarizes how to move policies on the Palo Alto PA-200, both from the CLI and from the GUI.
- Model: PA-200
- OS version: sw-version: 8.0.19
Configuring from the CLI
【CLI】How to move a policy
↓Commands for moving a policy from the CLI
configure
■When vsys (virtual firewalls) is not in use
move rulebase security rules <rulename> before <rulename>
move rulebase security rules <rulename> after <rulename>
move rulebase security rules <rulename> top
move rulebase security rules <rulename> bottom
■When vsys (virtual firewalls) is in use
move vsys <vsys#> rulebase security rules <rulename> before <rulename>
move vsys <vsys#> rulebase security rules <rulename> after <rulename>
move vsys <vsys#> rulebase security rules <rulename> top
move vsys <vsys#> rulebase security rules <rulename> bottom
commit
【Palo Alto official】How to Move Security Rules Through the CLI
【CLI】Execution examples
↓As a precondition, three policies named "rule1", "rule2" and "rule3" exist, and every field of each policy is set to any. The examples below move these policies.
test-user@PA-200-first(active)> set cli pager off
test-user@PA-200-first(active)> set cli config-output-format set
test-user@PA-200-first(active)> configure
Entering configuration mode
[edit]
test-user@PA-200-first(active)# show rulebase security rules
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes
set rulebase security rules rule2 from trust
set rulebase security rules rule2 to untrust
set rulebase security rules rule2 source any
set rulebase security rules rule2 destination any
set rulebase security rules rule2 service any
set rulebase security rules rule2 application any
set rulebase security rules rule2 action allow
set rulebase security rules rule2 log-end yes
set rulebase security rules rule3 from trust
set rulebase security rules rule3 to untrust
set rulebase security rules rule3 source any
set rulebase security rules rule3 destination any
set rulebase security rules rule3 service any
set rulebase security rules rule3 application any
set rulebase security rules rule3 action allow
set rulebase security rules rule3 log-end yes
[edit]
test-user@PA-200-first(active)#
(Example 1) Command to move rule3 before rule1
move rulebase security rules rule3 before rule1
The execution result is as follows.
test-user@PA-200-first(active)# move rulebase security rules rule3 before rule1
[edit]
test-user@PA-200-first(active)# show rulebase security rules
set rulebase security rules rule3 from trust
set rulebase security rules rule3 to untrust
set rulebase security rules rule3 source any
set rulebase security rules rule3 destination any
set rulebase security rules rule3 service any
set rulebase security rules rule3 application any
set rulebase security rules rule3 action allow
set rulebase security rules rule3 log-end yes
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes
set rulebase security rules rule2 from trust
set rulebase security rules rule2 to untrust
set rulebase security rules rule2 source any
set rulebase security rules rule2 destination any
set rulebase security rules rule2 service any
set rulebase security rules rule2 application any
set rulebase security rules rule2 action allow
set rulebase security rules rule2 log-end yes
[edit]
test-user@PA-200-first(active)#
(Example 2) Command to move rule3 after rule1
move rulebase security rules rule3 after rule1
The execution result is as follows.
test-user@PA-200-first(active)# move rulebase security rules rule3 after rule1
[edit]
test-user@PA-200-first(active)# show rulebase security rules
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes
set rulebase security rules rule3 from trust
set rulebase security rules rule3 to untrust
set rulebase security rules rule3 source any
set rulebase security rules rule3 destination any
set rulebase security rules rule3 service any
set rulebase security rules rule3 application any
set rulebase security rules rule3 action allow
set rulebase security rules rule3 log-end yes
set rulebase security rules rule2 from trust
set rulebase security rules rule2 to untrust
set rulebase security rules rule2 source any
set rulebase security rules rule2 destination any
set rulebase security rules rule2 service any
set rulebase security rules rule2 application any
set rulebase security rules rule2 action allow
set rulebase security rules rule2 log-end yes
[edit]
test-user@PA-200-first(active)#
(Example 3) Command to move rule3 to the top
move rulebase security rules rule3 top
The execution result is as follows.
test-user@PA-200-first(active)# move rulebase security rules rule3 top
[edit]
test-user@PA-200-first(active)# show rulebase security rules
set rulebase security rules rule3 from trust
set rulebase security rules rule3 to untrust
set rulebase security rules rule3 source any
set rulebase security rules rule3 destination any
set rulebase security rules rule3 service any
set rulebase security rules rule3 application any
set rulebase security rules rule3 action allow
set rulebase security rules rule3 log-end yes
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes
set rulebase security rules rule2 from trust
set rulebase security rules rule2 to untrust
set rulebase security rules rule2 source any
set rulebase security rules rule2 destination any
set rulebase security rules rule2 service any
set rulebase security rules rule2 application any
set rulebase security rules rule2 action allow
set rulebase security rules rule2 log-end yes
[edit]
test-user@PA-200-first(active)#
(Example 4) Command to move rule1 to the bottom
move rulebase security rules rule1 bottom
The execution result is as follows.
test-user@PA-200-first(active)# move rulebase security rules rule1 bottom
[edit]
test-user@PA-200-first(active)# show rulebase security rules
set rulebase security rules rule2 from trust
set rulebase security rules rule2 to untrust
set rulebase security rules rule2 source any
set rulebase security rules rule2 destination any
set rulebase security rules rule2 service any
set rulebase security rules rule2 application any
set rulebase security rules rule2 action allow
set rulebase security rules rule2 log-end yes
set rulebase security rules rule3 from trust
set rulebase security rules rule3 to untrust
set rulebase security rules rule3 source any
set rulebase security rules rule3 destination any
set rulebase security rules rule3 service any
set rulebase security rules rule3 application any
set rulebase security rules rule3 action allow
set rulebase security rules rule3 log-end yes
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes
[edit]
test-user@PA-200-first(active)#
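The four examples above all come down to one thing: the position of a rule in the `show rulebase security rules` output is its evaluation position, and PAN-OS applies the first rule that matches. The script below is an added example, not code from this page or from Palo Alto Networks. It parses set-format output like the captures above (the sample output embedded in it is constructed, not taken from a device), predicts the rule order that each form of the `move` command produces (before, after, top, bottom, with or without a `vsys` prefix), and lists the positions whose rule changed, which is the order part of the pre-commit diff check. The function names and the ValueError handling are this script's own; the device's own error messages are not modelled.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: set-format output of `show rulebase security rules`,
# mirroring the three any/any rules used in the examples on this page.
# It is not a capture from a real device.
SHOW_OUTPUT = """\
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 action allow
set rulebase security rules rule2 from trust
set rulebase security rules rule2 to untrust
set rulebase security rules rule2 action allow
set rulebase security rules rule3 from trust
set rulebase security rules rule3 to untrust
set rulebase security rules rule3 action allow
"""

# One rule line, with or without a leading `vsys <name>` segment. Rule names
# that contain spaces are quoted in set format, so accept quoted or bare names.
_RULE_LINE = re.compile(
    r'^set (?:vsys \S+ )?rulebase security rules (?:"([^"]+)"|(\S+))\s'
)


def rule_order(set_output: str) -> List[str]:
    """Return rule names in the order they first appear in set-format output.

    PAN-OS evaluates security rules top-down and applies the first match, so
    the order recovered here is the evaluation order.
    """
    order: List[str] = []
    for line in set_output.splitlines():
        m = _RULE_LINE.match(line.strip())
        if not m:
            continue
        name = m.group(1) or m.group(2)
        if name not in order:
            order.append(name)
    return order


def move_rule(order: List[str], name: str, where: str,
              ref: Optional[str] = None) -> List[str]:
    """Predict the order after `move ... rules <name> before|after <ref> | top | bottom`.

    Raises ValueError (this script's own choice) for an unknown rule, an unknown
    reference rule, or a rule moved relative to itself.
    """
    if name not in order:
        raise ValueError(f"no such rule: {name}")
    rest = [r for r in order if r != name]
    if where == "top":
        return [name] + rest
    if where == "bottom":
        return rest + [name]
    if where in ("before", "after"):
        if ref is None or ref not in rest:
            raise ValueError(f"invalid reference rule: {ref}")
        i = rest.index(ref) + (1 if where == "after" else 0)
        return rest[:i] + [name] + rest[i:]
    raise ValueError(f"unknown position: {where}")


def order_diff(before: List[str], after: List[str]) -> List[Tuple[int, str, str]]:
    """Positions whose rule changed, as (index, rule_before, rule_after).

    This is the rule-order part of a pre-commit diff: a rule moved above another
    now takes precedence over it, which matters most when the moved rule is
    broad (an any/any allow or deny) and would shadow the rules beneath it.
    """
    return [(i, b, a) for i, (b, a) in enumerate(zip(before, after)) if b != a]


if __name__ == "__main__":
    start = rule_order(SHOW_OUTPUT)
    moved = move_rule(start, "rule3", "before", "rule1")  # the page's Example 1
    print("before:", start)
    print("after: ", moved)
    for idx, old, new in order_diff(start, moved):
        print(f"position {idx}: {old} -> {new}")
```

Running it with the constructed sample reproduces Example 1: rule3 moves to position 0 and every other position shifts down one, so all three positions show up in the diff. Feeding it the real `show rulebase security rules` output before and after a move gives the same check the GUI config diff gives, in a form that can be scripted into a change review.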
Configuring from the GUI
【GUI】How to move a policy
↓Go to "Policies" → "Security", open the "↓" menu of the policy you want to move and click "Move". As an example, "rule1" is moved below "rule3". Reference
Select "rule3" and click "Move After".
"rule1" has now been moved below "rule3". Compare the configuration diff, and if there are no problems, commit to finish.
Summary
Finally, a summary!
- Policies on a Palo Alto firewall can be moved from both the CLI and the GUI
That's all!