
[Palo Alto] How to move a policy [CLI, GUI]


I am testing on a Palo Alto (PA-200).
This time I will summarize how to move a policy on the Palo Alto (PA-200), both via CLI and GUI!

  • Model: PA-200
  • OS version: sw-version: 8.0.19

How to configure via CLI

[CLI] How to move a policy

↓ CLI commands for moving a policy

configure

■ When vsys (virtual firewalls) are not used
move rulebase security rules <rulename> before <rulename>
move rulebase security rules <rulename> after <rulename>
move rulebase security rules <rulename> top
move rulebase security rules <rulename> bottom

■ When vsys (virtual firewalls) are used
move vsys <vsys#> rulebase security rules <rulename> before <rulename>
move vsys <vsys#> rulebase security rules <rulename> after <rulename>
move vsys <vsys#> rulebase security rules <rulename> top
move vsys <vsys#> rulebase security rules <rulename> bottom


commit

[Palo Alto official] How to Move Security Rules Through the CLI

[CLI] Execution results

↓ As a precondition, policies named "rule1", "rule2" and "rule3" exist.
Every field of each policy is set to any. The examples below move these policies.

test-user@PA-200-first(active)> set cli pager off
test-user@PA-200-first(active)> set cli config-output-format set 
test-user@PA-200-first(active)> configure 
Entering configuration mode 
[edit]
test-user@PA-200-first(active)# show rulebase security rules 
set rulebase security rules rule1 from trust 
set rulebase security rules rule1 to untrust 
set rulebase security rules rule1 source any 
set rulebase security rules rule1 destination any 
set rulebase security rules rule1 service any 
set rulebase security rules rule1 application any 
set rulebase security rules rule1 action allow 
set rulebase security rules rule1 log-end yes 
set rulebase security rules rule2 from trust 
set rulebase security rules rule2 to untrust 
set rulebase security rules rule2 source any 
set rulebase security rules rule2 destination any 
set rulebase security rules rule2 service any 
set rulebase security rules rule2 application any 
set rulebase security rules rule2 action allow 
set rulebase security rules rule2 log-end yes 
set rulebase security rules rule3 from trust 
set rulebase security rules rule3 to untrust 
set rulebase security rules rule3 source any 
set rulebase security rules rule3 destination any 
set rulebase security rules rule3 service any 
set rulebase security rules rule3 application any 
set rulebase security rules rule3 action allow 
set rulebase security rules rule3 log-end yes 
[edit] 
test-user@PA-200-first(active)#
(Example 1) Command to move rule3 before rule1
move rulebase security rules rule3 before rule1

The execution result follows.

test-user@PA-200-first(active)# move rulebase security rules rule3 before rule1 
[edit]
test-user@PA-200-first(active)# show rulebase security rules 
set rulebase security rules rule3 from trust 
set rulebase security rules rule3 to untrust 
set rulebase security rules rule3 source any 
set rulebase security rules rule3 destination any 
set rulebase security rules rule3 service any 
set rulebase security rules rule3 application any 
set rulebase security rules rule3 action allow 
set rulebase security rules rule3 log-end yes 
set rulebase security rules rule1 from trust 
set rulebase security rules rule1 to untrust 
set rulebase security rules rule1 source any 
set rulebase security rules rule1 destination any 
set rulebase security rules rule1 service any 
set rulebase security rules rule1 application any 
set rulebase security rules rule1 action allow 
set rulebase security rules rule1 log-end yes 
set rulebase security rules rule2 from trust 
set rulebase security rules rule2 to untrust 
set rulebase security rules rule2 source any 
set rulebase security rules rule2 destination any 
set rulebase security rules rule2 service any 
set rulebase security rules rule2 application any 
set rulebase security rules rule2 action allow 
set rulebase security rules rule2 log-end yes 
[edit] 
test-user@PA-200-first(active)#

(Example 2) Command to move rule3 after rule1

move rulebase security rules rule3 after rule1

The execution result follows.

test-user@PA-200-first(active)# move rulebase security rules rule3 after rule1 
[edit]
test-user@PA-200-first(active)# show rulebase security rules 
set rulebase security rules rule1 from trust 
set rulebase security rules rule1 to untrust 
set rulebase security rules rule1 source any 
set rulebase security rules rule1 destination any 
set rulebase security rules rule1 service any 
set rulebase security rules rule1 application any 
set rulebase security rules rule1 action allow 
set rulebase security rules rule1 log-end yes 
set rulebase security rules rule3 from trust 
set rulebase security rules rule3 to untrust 
set rulebase security rules rule3 source any 
set rulebase security rules rule3 destination any 
set rulebase security rules rule3 service any 
set rulebase security rules rule3 application any 
set rulebase security rules rule3 action allow 
set rulebase security rules rule3 log-end yes 
set rulebase security rules rule2 from trust 
set rulebase security rules rule2 to untrust 
set rulebase security rules rule2 source any 
set rulebase security rules rule2 destination any 
set rulebase security rules rule2 service any 
set rulebase security rules rule2 application any 
set rulebase security rules rule2 action allow 
set rulebase security rules rule2 log-end yes 
[edit] 
test-user@PA-200-first(active)#

(Example 3) Command to move rule3 to the top

move rulebase security rules rule3 top

The execution result follows.

test-user@PA-200-first(active)# move rulebase security rules rule3 top 
[edit] 
test-user@PA-200-first(active)# show rulebase security rules 
set rulebase security rules rule3 from trust 
set rulebase security rules rule3 to untrust 
set rulebase security rules rule3 source any 
set rulebase security rules rule3 destination any 
set rulebase security rules rule3 service any 
set rulebase security rules rule3 application any 
set rulebase security rules rule3 action allow 
set rulebase security rules rule3 log-end yes 
set rulebase security rules rule1 from trust 
set rulebase security rules rule1 to untrust 
set rulebase security rules rule1 source any 
set rulebase security rules rule1 destination any 
set rulebase security rules rule1 service any 
set rulebase security rules rule1 application any 
set rulebase security rules rule1 action allow 
set rulebase security rules rule1 log-end yes 
set rulebase security rules rule2 from trust 
set rulebase security rules rule2 to untrust 
set rulebase security rules rule2 source any 
set rulebase security rules rule2 destination any 
set rulebase security rules rule2 service any 
set rulebase security rules rule2 application any 
set rulebase security rules rule2 action allow 
set rulebase security rules rule2 log-end yes 
[edit] 
test-user@PA-200-first(active)#

(Example 4) Command to move rule1 to the bottom

move rulebase security rules rule1 bottom

The execution result follows.

test-user@PA-200-first(active)# move rulebase security rules rule1 bottom 
[edit] 
test-user@PA-200-first(active)# show rulebase security rules 
set rulebase security rules rule2 from trust 
set rulebase security rules rule2 to untrust 
set rulebase security rules rule2 source any 
set rulebase security rules rule2 destination any 
set rulebase security rules rule2 service any 
set rulebase security rules rule2 application any 
set rulebase security rules rule2 action allow 
set rulebase security rules rule2 log-end yes 
set rulebase security rules rule3 from trust 
set rulebase security rules rule3 to untrust 
set rulebase security rules rule3 source any 
set rulebase security rules rule3 destination any 
set rulebase security rules rule3 service any 
set rulebase security rules rule3 application any 
set rulebase security rules rule3 action allow 
set rulebase security rules rule3 log-end yes 
set rulebase security rules rule1 from trust 
set rulebase security rules rule1 to untrust 
set rulebase security rules rule1 source any 
set rulebase security rules rule1 destination any 
set rulebase security rules rule1 service any 
set rulebase security rules rule1 application any 
set rulebase security rules rule1 action allow 
set rulebase security rules rule1 log-end yes 
[edit] 
test-user@PA-200-first(active)#

How to configure via GUI

[GUI] How to move a policy

Go to "Policies" → "Security", select the "↓" of the policy you want to move, and click "Move".

As an example, "rule1" is moved below "rule3".

[Palo Alto official] How to Move a Policy Before or After Another Policy in PAN-OS

Select "rule3" and click "Move After".

"rule1" has now been moved below "rule3" ↓

Compare the configuration diff, and if there is no problem, commit to finish.
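Because security rules are evaluated top-down and the first match wins, the order shown by `show rulebase security rules` is the evaluation order, so a move can silently change which rule a flow hits. The script below is an added example (not Palo Alto code and not from the original post): it parses the set-format `show` output, simulates the `before`/`after`/`top`/`bottom` move semantics from the CLI section above so the expected order can be predicted before touching the candidate config, and offers a small pre-commit check that required orderings (e.g. a specific deny above a broad allow) still hold, matching the "compare the diff before commit" step. The sample `show` output is constructed from the post's rule1/rule2/rule3 transcript; the optional `vsys <id>` prefix and quoted rule names are assumptions about the set format and should be verified against your own device.

```python
# Added example (not Palo Alto code): simulate PAN-OS security-rule moves
# locally and verify them against `show rulebase security rules` output.
import re
from typing import List, Optional, Tuple

# One `set ... rulebase security rules <name> <attr> ...` line per attribute,
# as printed after `set cli config-output-format set`. The optional
# `vsys <id>` prefix covers multi-vsys devices; quoted names keep spaces
# (both assumptions about the set format, verify on your device).
_RULE_LINE = re.compile(
    r'^set (?:vsys \S+ )?rulebase security rules ("[^"]+"|\S+)(?:\s|$)'
)

# Constructed sample: the three all-any rules from the post, before any move.
SHOW_BEFORE = """\
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 action allow
set rulebase security rules rule2 from trust
set rulebase security rules rule2 action allow
set rulebase security rules rule3 from trust
set rulebase security rules rule3 action allow
"""


def rule_order(show_output: str) -> List[str]:
    """Rule names in the order the dump lists them.

    Security rules are evaluated top-down, first match wins, so this is
    the order in which the firewall will evaluate them.
    """
    order: List[str] = []
    for raw in show_output.splitlines():
        m = _RULE_LINE.match(raw.strip())
        if m:
            name = m.group(1).strip('"')
            if name not in order:
                order.append(name)
    return order


def move_rule(order: List[str], rule: str, where: str,
              ref: Optional[str] = None) -> List[str]:
    """Apply `move rulebase security rules <rule> before|after <ref>` or
    `<rule> top|bottom` to a list of names and return the new order."""
    if rule not in order:
        raise ValueError(f"rule {rule!r} does not exist")
    rest = [r for r in order if r != rule]
    if where == "top":
        return [rule] + rest
    if where == "bottom":
        return rest + [rule]
    if where in ("before", "after"):
        if ref is None or ref not in rest:
            raise ValueError(f"reference rule {ref!r} not found")
        idx = rest.index(ref) + (1 if where == "after" else 0)
        return rest[:idx] + [rule] + rest[idx:]
    raise ValueError(f"unknown position {where!r}")


def precedence_violations(
        order: List[str],
        must_precede: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) from `must_precede` that `order` breaks.

    Pre-commit check: after a move, confirm that e.g. a specific deny rule
    still sits above the broad allow it is meant to shadow.
    """
    pos = {name: i for i, name in enumerate(order)}
    return [(a, b) for a, b in must_precede
            if a in pos and b in pos and pos[a] > pos[b]]


if __name__ == "__main__":
    before = rule_order(SHOW_BEFORE)
    after = move_rule(before, "rule3", "before", "rule1")   # post's example 1
    print(before, "->", after)
    print("violations:", precedence_violations(after, [("rule3", "rule1")]))
```

Run `show rulebase security rules` before and after the move (on a vsys device, `show vsys <vsys#> rulebase security rules`), feed both dumps to `rule_order`, and compare the real post-move order with what `move_rule` predicted; any difference, or any pair reported by `precedence_violations`, is a reason not to commit.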

Summary

Finally, a summary!

  • When vsys (virtual firewalls) are used, the vsys must be specified in the CLI command
  • In the GUI, go to "Policies" → "Security", select the "↓" of the policy you want to move, and click "Move". Choose the destination and the policy moves easily

That's all!
