Spencer_Ervin

How to create policy block for Palo Alto firewall security policies?

Has anyone been able to successfully use HPNA to check for compliance of Palo Alto (or similarly formatted configurations)?

How can I format a policy to parse through the set commands to ensure every rule has log-end set to yes? (This is something that won't always appear in the configuration, so a negative would not always appear. It could default to excluding it from the configuration.)

How can I use configuration blocks to anchor the rules properly? It doesn't seem to let me use the auto-remediation variables within configuration blocks or text (ex: $block_start.regex_group_0$):

Config Example:

set rulebase security rules MY-RULE-00001 from any
set rulebase security rules MY-RULE-00001 to any
set rulebase security rules MY-RULE-00001 source any
set rulebase security rules MY-RULE-00001 destination any
set rulebase security rules MY-RULE-00001 service any
set rulebase security rules MY-RULE-00001 log-end yes
set rulebase security rules MY-RULE-00002 from any
set rulebase security rules MY-RULE-00002 to any
set rulebase security rules MY-RULE-00002 source any
set rulebase security rules MY-RULE-00002 destination any
set rulebase security rules MY-RULE-00002 service any
set rulebase security rules MY-RULE-00003 source any
set rulebase security rules MY-RULE-00003 destination any
set rulebase security rules MY-RULE-00003 service any
set rulebase security rules MY-RULE-00003 from any
set rulebase security rules MY-RULE-00003 to any

Micro Focus Contributor

Re: How to create policy block for Palo Alto firewall security policies?

Is the log-end based on a specific Palo Alto version? If so, you can create a boolean expression: if A then B else C, A being the unique OS version, where B = log-end exists and C is everything else.

Spencer_Ervin

Re: How to create policy block for Palo Alto firewall security policies?

Unfortunately not. It's not something that is easily flagged on the device information.


Ideally, I would like to do something similar to:

Text Block Start:

set rulebase security rules ([A-Za-z0-9\-\_]+).*

Text Block Start

set rulebase security rules ((?!\1).)*

or

set rulebase security rules ((?!$block_start.regex_group_1$).)*

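For anyone who needs the same check outside HPNA's policy engine, here is an added example (not HPNA policy syntax and not the poster's code) that does what the thread asks: it groups the set commands by rule name and reports every rule that lacks an explicit "log-end yes". The sample configuration is constructed from the one posted above; treating a rule with no log-end line at all as non-compliant is an assumption, chosen because the question notes the line may simply be absent.

```python
import shlex
from collections import defaultdict

# Constructed sample in PAN-OS "set" format, modelled on the configuration
# posted in the question. Rule names are placeholders, and a quoted name with
# spaces is included to show the tokenizer copes with it.
SAMPLE_CONFIG = """\
set rulebase security rules MY-RULE-00001 from any
set rulebase security rules MY-RULE-00001 to any
set rulebase security rules MY-RULE-00001 source any
set rulebase security rules MY-RULE-00001 destination any
set rulebase security rules MY-RULE-00001 service any
set rulebase security rules MY-RULE-00001 log-end yes
set rulebase security rules MY-RULE-00002 from any
set rulebase security rules MY-RULE-00002 to any
set rulebase security rules MY-RULE-00002 log-end no
set rulebase security rules MY-RULE-00003 source any
set rulebase security rules "Rule With Spaces" from any
set rulebase security rules "Rule With Spaces" log-end yes
"""

RULE_PREFIX = ("set", "rulebase", "security", "rules")


def parse_rules(config_text):
    """Group 'set rulebase security rules <name> <attr> <value...>' lines by rule.

    Returns {rule_name: {attribute: [values]}}. shlex.split handles quoted
    rule names, so a name containing spaces stays a single token.
    """
    rules = defaultdict(dict)
    for line in config_text.splitlines():
        tokens = shlex.split(line.strip())
        # Skip anything that is not a security-rule line with at least an attribute.
        if tuple(tokens[:4]) != RULE_PREFIX or len(tokens) < 6:
            continue
        name, attr, values = tokens[4], tokens[5], tokens[6:]
        rules[name][attr] = values
    return dict(rules)


def rules_missing_log_end(config_text):
    """Return the sorted names of rules without an explicit 'log-end yes'.

    Assumption (ours, not the original post's): a rule whose log-end line is
    absent is reported as non-compliant, since the thread notes the setting
    may simply not appear in the configuration.
    """
    return sorted(name for name, attrs in parse_rules(config_text).items()
                  if attrs.get("log-end") != ["yes"])


if __name__ == "__main__":
    for name in rules_missing_log_end(SAMPLE_CONFIG):
        print(f"non-compliant: {name}")
```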