≡ Menu

15 PaloAlto CLI Examples to Manage Security and NAT Policies

While working with PaloAlto firewall, sometimes you’ll find it easier to use CLI instead of console.

Working on CLI is very helpful when you are testing something on a dev/test firewall, where you repeatedly try-out the same thing with different values, and don’t want to do multiple clicks from the UI and retype everything.

In this tutorial, we’ll explain how to create and manage PaloAlto security and NAT rules from CLI. The following examples are explained:

  1. View Current Security Policies
  2. View only Security Policy Names
  3. Create a New Security Policy Rule – Method 1
  4. Create a New Security Policy Rule – Method 2
  5. Move Security Rule to a Specific Location
  6. Commit and Review Security Rule Changes
  7. Delete an Existing Security Rule
  8. View Current NAT Policies
  9. Create a New NAT Rule Policy
  10. Move NAT Rule to a Specific Location
  11. Commit and Verify NAT Rule Changes
  12. Delete an Existing NAT Rule
  13. View Both Security and NAT Rules Together
  14. Set Output Format – Inside Configure
  15. Set Output Format – Outside Configure

1. View Current Security Policies

First, login to PaloAlto from CLI as shown below using ssh.

$ ssh admin@192.168.101.200
admin@PA-FW>

To view the current security policy execute show running security-policy as shown below.

admin@PA-FW> show running security-policy

"AllowMgmt; index: 1" {
        from Untrust;
        source any;
        source-region none;
        to Trust;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service [0:ssh/tcp/any/22 1:ping/icmp/any/any ];
        action allow;
        icmp-unreachable: no
        terminal yes;
}

"AllowWebAccess; index: 2" {
        from Untrust;
        source any;
        source-region none;
        to Trust;
        destination any;
        destination-region none;
        user any;
...
...

The output of the above command will be in JSON format.

2. View only Security Policy Names

If you have many security rules and like to view only the security rule name and not the details of it, then use the match command to get just the 1st line of the JSON output that has the keyword “index” in it as shown below.

admin@PA-FW> show running security-policy | match index
"AllowMgmt; index: 1" {
"AllowWebAccess; index: 2" {
"WebServerToExternal; index: 3" {
"intrazone-default; index: 4" {
"vsys1+interzone-default; index: 5" {

As shown above, in this sytem, there are currently 5 security rules.

3. Create a New Security Policy Rule – Method 1

To create new security rule, use set rulebase command as shown below.

First, enter the configuration mode as shown below.

admin@PA-FW> configure
Entering configuration mode
[edit]

From the configuration mode, create the security rule as shown below. This will create a security rule called TheGeekStuffInternal.

set rulebase security rules TheGeekStuffInternal from Untrust to Trust source any destination any application any service any action allow

At this stage, if you do show running security-policy, you’ll not see the above newly created security rule, as it’s not yet committed. But, if you login to the console, you’ll see this new rule.

4. Create a New Security Policy Rule – Method 2

Instead of specify all the values of security rule in one line, you can also specify in multiple lines as shown below.

The following will create a new security rule called TheGeekStuffExternal with the following configuration values.

set rulebase security rules TheGeekStuffExternal to Trust
set rulebase security rules TheGeekStuffExternal from Untrust
set rulebase security rules TheGeekStuffExternal source any
set rulebase security rules TheGeekStuffExternal destination any
set rulebase security rules TheGeekStuffExternal source-user any
set rulebase security rules TheGeekStuffExternal category any
set rulebase security rules TheGeekStuffExternal application any
set rulebase security rules TheGeekStuffExternal service any
set rulebase security rules TheGeekStuffExternal hip-profiles any
set rulebase security rules TheGeekStuffExternal action allow
set rulebase security rules TheGeekStuffExternal log-start yes

In this tutorial, so far we’ve created two security rules. After this, if you login to the PaloAlto console, you’ll see both of these rules as shown below.

5. Move Security Rule to a Specific Location

The following will move TheGeekStuffInternal rule to the top of the list. This rule will be executed first.

move rulebase security rules TheGeekStuffInternal top

Instead of top or bottom, you can also move a rule before or after an existing rule as shown below.

The following will move the TheGeekStuffExternal before the already existing AllowWebAccess rule.

move rulebase security rules TheGeekStuffExternal before AllowWebAccess

After the above two commands, the security rules will be re-arranged as shown below.

[PaloAlto Security Rules Moved]

Valid actions are: top, bottom, before or after.

6. Commit and Review Security Rule Changes

Once you’ve created/modified rules, type commit as shown below to commit the changes.

admin@PA-FW# commit
Commit job 5 is in progress. Use Ctrl+C to return to command prompt
...55%70%98%.......100%

After a successful commit, you’ll see the new rules as shown below.

admin@PA-FW> show running security-policy | match index

"TheGeekStuffInternal; index: 1" {
"AllowMgmt; index: 2" {
"TheGeekStuffExternal; index: 3" {
"AllowWebAccess; index: 4" {
"WebServerToExternal; index: 5" {
"intrazone-default; index: 6" {
"vsys1+interzone-default; index: 7" {

If there is something wrong in the new security rule, you may get validation error as shown below:

Validation Error:
 rulebase -> security -> rules -> TheGeekStuffInternal  is missing 'source'
 rulebase -> security -> rules is invalid

If the new rule that you created is similar to an existing rule, you’ll get the following shadows rule warning message.

vsys1
   Security Policy:
   - Rule 'TheGeekStuffInternal' shadows rule 'AllowMgmt'
   - Rule 'TheGeekStuffExternal' shadows rule 'AllowWebAccess'
(Module: device)

7. Delete an Existing Security Rule

Execute the following command to delete an existing security rule

delete rulebase security rules TheGeekStuffExternal

8. View Current NAT Policies

The following will display all the existing NAT security rules in json format.

admin@PA-FW> show running nat-policy

"NAT2WebServer; index: 1" {
        nat-type ipv4;
        from Untrust;
        source any;
        to Untrust;
        to-interface  ;
        destination 192.168.0.10;
        service 0:any/any/any;
        translate-to "dst: 192.168.5.50";
        terminal no;
}

"NAT2External; index: 2" {
        nat-type ipv4;
        from Trust;
        source any;
        to Untrust;
        to-interface  ;
        destination any;
        service 0:any/any/any;
        translate-to "src: 192.168.0.10 (dynamic-ip-and-port) (pool idx: 1)";
        terminal no;
}

9. Create a New NAT Rule Policy

The following will create new NAT rule called TheGeekStuffNAT

configure
set rulebase nat rules TheGeekStuffNAT source-translation dynamic-ip-and-port interface-address interface ethernet1/2

You can edit an existing NAT rule, or add additional information to the above newly created NAT rule as shown below.

set rulebase nat rules TheGeekStuffNAT dynamic-destination-translation translated-address 192.168.6.40
set rulebase nat rules TheGeekStuffNAT dynamic-destination-translation translated-port 80
set rulebase nat rules TheGeekStuffNAT to Untrust
set rulebase nat rules TheGeekStuffNAT from Untrust
set rulebase nat rules TheGeekStuffNAT source any
set rulebase nat rules TheGeekStuffNAT destination 192.168.6.40
set rulebase nat rules TheGeekStuffNAT service any
set rulebase nat rules TheGeekStuffNAT to-interface any

[PaloAlto NAT Rules]

10. Move NAT Rule to a Specific Location

The following will move TheGeekStuffNAT to the top of the list.

move rulebase nat rules TheGeekStuffNAT top

The following will move TheGeekStuffNAT after the existing NAT2WebServer rule.

move rulebase nat rules TheGeekStuffNAT after NAT2WebServer

Valid actions are: top, bottom, before, after

11. Commit and Verify NAT Rule Changes

Once you’ve created new NAT rules, commit the changes as shown below.

admin@PA-FW# commit
Commit job 8 is in progress. Use Ctrl+C to return to command prompt
...55%70%98%.......100%
Configuration committed successfully

Verify to make sure the new NAT rule is created successfully as shown below.

admin@PA-FW> show running nat-policy | match index
"NAT2WebServer; index: 1" {
"NAT2External; index: 2" {
"TheGeekStuffNAT; index: 3" {

12. Delete an Existing NAT Rule

Execute the following command to delete an existing NAT rule

delete rulebase nat rules TheGeekStuffNAT

13. View Both Security and NAT Rules Together

You can also view both the security and NAT rules together using show command as shown below.

admin@PA-FW> configure
Entering configuration mode
[edit]

admin@PA-FW# edit rulebase security
[edit rulebase security]

admin@PA-FW# show
security {
  rules {
    AllowMgmt {
      to Trust;
      from Untrust;
      source any;
      destination any;
      source-user any;
      category any;
      application [ ping ssh];
      service application-default;
      hip-profiles any;
      action allow;
    }
..
..

If you want show command to display just the NAT rules, first go into the NAT edit mode as shown below, and then do a show.

admin@PA-FW# edit rulebase nat
[edit rulebase nat]

admin@PA-FW#
[edit rulebase nat]

admin@PA-FW# show
nat {
  rules {
    NAT2WebServer {
      destination-translation {
        translated-address 192.168.5.50;
      }
      to Untrust;
      from Untrust;
      source any;
      destination 192.168.0.10;
      service any;
    }
...
...

Just like the above, you can also do it for security rules by doing “edit rulebase security” followed by “show”

14. Set Output Format – Inside Configure

As you saw from the previous example, by default show will display the output in JSON format.

You can change this behavior to display the output in set format as shown below. This is very helpful, when you just want to copy the output and change a particular value and then paste it back in the CLI.

To change the output format, useset cli command and change the value of config-output-format to set as shown below.

admin@PA-FW# run set cli config-output-format set
[edit rulebase nat]

Once you do the above, show will start displaying the output in set format (instead of the default JSON format).

admin@PA-FW# show
set rulebase nat rules NAT2WebServer destination-translation translated-address 192.168.5.50
set rulebase nat rules NAT2WebServer to Untrust
set rulebase nat rules NAT2WebServer from Untrust
set rulebase nat rules NAT2WebServer source any
set rulebase nat rules NAT2WebServer destination 192.168.0.10
set rulebase nat rules NAT2WebServer service any
set rulebase nat rules NAT2External source-translation dynamic-ip-and-port translated-address 192.168.0.10
set rulebase nat rules NAT2External to Untrust
set rulebase nat rules NAT2External from Trust
set rulebase nat rules NAT2External source any
set rulebase nat rules NAT2External destination any
set rulebase nat rules NAT2External service any

Note: In the above, the run command is executed after we did the configure command.

The following are the possible options for set command.

run set cli config-output-format default
run set cli config-output-format json
run set cli config-output-format set
run set cli config-output-format xml

15. Set Output Format – Outside Configure

Note: If you are outside configure mode, don’t give run in front as shown below.

In the following, we are outside of configure option. Here, run command is not valid.

admin@PA-FW> run set cli config-output-format set
Unknown command: run

When you are outside configure, just execute the set command without run in the front as shown below.

admin@PA-FW> set cli config-output-format set
admin@PA-FW>

Now, go inside configure and then you’ll see the output in set format as shown below.

admin@PA-FW> configure
Entering configuration mode

admin@PA-FW# edit rulebase nat
[edit rulebase nat]

admin@PA-FW# show
set rulebase nat rules NAT2WebServer destination-translation translated-address 192.168.5.50
set rulebase nat rules NAT2WebServer to Untrust
...
...

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 0 comments… add one }

Leave a Comment