
15 PaloAlto CLI Examples to Manage Security and NAT Policies

When working with a PaloAlto firewall, you'll sometimes find it easier to use the CLI instead of the web console.

Working on the CLI is especially helpful when you are testing something on a dev/test firewall, repeating the same test with different values, and don't want to click through the UI and re-enter everything each time.

In this tutorial, we'll explain how to create and manage PaloAlto security and NAT rules from the CLI. The following examples are covered:

  1. View the current security policy
  2. View only the security policy names
  3. Create a new security policy rule – Method 1
  4. Create a new security policy rule – Method 2
  5. Move a security rule to a specific position
  6. Commit and review security rule changes
  7. Delete an existing security rule
  8. View the current NAT policy
  9. Create a new NAT rule
  10. Move a NAT rule to a specific position
  11. Commit and verify NAT rule changes
  12. Delete an existing NAT rule
  13. View security and NAT rules together
  14. Set the output format – Inside configure
  15. Set the output format – Outside configure

1. View the Current Security Policy

First, log in to the PaloAlto firewall from the CLI using ssh as shown below.

$ ssh [email protected]
[email protected]>

To view the current security policy, execute show running security-policy as shown below.

[email protected]> show running security-policy

"AllowMgmt; index: 1" {
        from Untrust;
        source any;
        source-region none;
        to Trust;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service [0:ssh/tcp/any/22 1:ping/icmp/any/any ];
        action allow;
        icmp-unreachable: no
        terminal yes;
}

"AllowWebAccess; index: 2" {
        from Untrust;
        source any;
        source-region none;
        to Trust;
        destination any;
        destination-region none;
        user any;
...
...

The output of the above command is in the CLI's brace-delimited format. It looks like JSON but is not valid JSON (note the unquoted keys and the "key value;" lines), so treat it as PAN-OS text rather than feeding it to a JSON parser.

2. View Only the Security Policy Names

If you have many security rules and only want to see their names rather than the details, use match to filter the output down to the first line of each block, the one containing the keyword "index", as shown below.

[email protected]> show running security-policy | match index
"AllowMgmt; index: 1" {
"AllowWebAccess; index: 2" {
"WebServerToExternal; index: 3" {
"intrazone-default; index: 4" {
"vsys1+interzone-default; index: 5" {

As shown above, this system currently has 5 security rules. The index is the rule's position in the rulebase; rules are evaluated top-down and the first match wins, so this order is the policy.

3. Create a New Security Policy Rule – Method 1

To create a new security rule, use the set rulebase command as shown below.

First, enter configuration mode as shown below.

[email protected]> configure
Entering configuration mode
[edit]

In configuration mode, create the security rule as shown below. This creates a security rule named TheGeekStuffInternal; the name is the identifier every later set, move and delete command refers to. As written, this rule allows any source to reach any destination on any application from Untrust to Trust. That is fine on a test firewall, but it is exactly the kind of rule that makes the commit in example 6 complain about shadowing.

set rulebase security rules TheGeekStuffInternal from Untrust to Trust source any destination any application any service any action allow

At this stage, if you run show running security-policy, you won't see the newly created rule, because it hasn't been committed yet: show running displays the running configuration. The web console, on the other hand, displays the candidate configuration, so the new rule is already visible there (and with show rulebase security from within configuration mode).

4. Create a New Security Policy Rule – Method 2

Instead of specifying all the values of a security rule on one line, you can also specify them over multiple lines as shown below.

The following creates a new security rule named TheGeekStuffExternal with the configuration values shown below. Each set command adds one attribute to the same rule: the first command creates it and the rest complete it. Nothing is validated until commit, so a missing attribute only shows up then.

set rulebase security rules TheGeekStuffExternal to Trust
set rulebase security rules TheGeekStuffExternal from Untrust
set rulebase security rules TheGeekStuffExternal source any
set rulebase security rules TheGeekStuffExternal destination any
set rulebase security rules TheGeekStuffExternal source-user any
set rulebase security rules TheGeekStuffExternal category any
set rulebase security rules TheGeekStuffExternal application any
set rulebase security rules TheGeekStuffExternal service any
set rulebase security rules TheGeekStuffExternal hip-profiles any
set rulebase security rules TheGeekStuffExternal action allow
set rulebase security rules TheGeekStuffExternal log-start yes

So far in this tutorial we've created two security rules. If you log in to the PaloAlto console at this point, you'll see both rules (as uncommitted candidate changes).

5. Move a Security Rule to a Specific Position

The following moves the TheGeekStuffInternal rule to the top of the list. Since the rulebase is evaluated top-down and the first matching rule wins, that rule will be evaluated first for every session.

move rulebase security rules TheGeekStuffInternal top

Instead of top or bottom, you can also move a rule before or after an existing rule as shown below.

The following moves TheGeekStuffExternal before the existing AllowWebAccess rule.

move rulebase security rules TheGeekStuffExternal before AllowWebAccess

After the above two commands, the security rules are re-arranged as shown below.

[PaloAlto security rules after the move]

The valid positions are: top, bottom, before, or after.

6. Commit and Review Security Rule Changes

Once you've created or modified rules, type commit as shown below to commit the changes. Nothing you have done so far affects traffic until this commit succeeds.

[email protected]# commit
Commit job 5 is in progress. Use Ctrl+C to return to command prompt
...55%70%98%.......100%

After a successful commit, you'll see the new rules as shown below. (Note the > prompt: run this after leaving configuration mode with exit, or from inside it by prefixing the command with run.)

[email protected]> show running security-policy | match index

"TheGeekStuffInternal; index: 1" {
"AllowMgmt; index: 2" {
"TheGeekStuffExternal; index: 3" {
"AllowWebAccess; index: 4" {
"WebServerToExternal; index: 5" {
"intrazone-default; index: 6" {
"vsys1+interzone-default; index: 7" {

If there is something wrong with the new security rule, you may get a validation error like the one shown below, and the commit is rejected:

Validation Error:
 rulebase -> security -> rules -> TheGeekStuffInternal  is missing 'source'
 rulebase -> security -> rules is invalid

If the new rule you created overlaps with an existing rule, you'll get a shadow-rule warning like the one below. A rule is shadowed when an earlier rule already matches everything it would match, so the shadowed rule can never be hit. Here the any/any allow rules were moved above AllowMgmt and AllowWebAccess, so those two are now dead rules. The commit still succeeds, so check for this warning every time you re-order the rulebase, especially when a deny rule ends up below a broad allow.

vsys1
   Security Policy:
   - Rule 'TheGeekStuffInternal' shadows rule 'AllowMgmt'
   - Rule 'TheGeekStuffExternal' shadows rule 'AllowWebAccess'
(Module: device)
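
The create, move and commit steps in examples 3 to 6 can be rehearsed offline before touching the firewall. The following Python is an added example for this article, not a PaloAlto tool or the page's own code: it models the rulebase as an ordered list, applies the same set and move operations, reports the fields a commit would flag as missing, and finds rules that an earlier rule shadows. The rule names are the page's; the match values of the pre-existing rules, the extra BlockTelnet deny rule, and the shadow logic (which treats any as a wildcard and does not expand address or application groups) are assumptions made for the example.

```python
from typing import Dict, List, Optional, Tuple

# Fields a security rule must carry; a commit aborts with a validation error
# such as "... -> TheGeekStuffInternal is missing 'source'" when one is absent.
REQUIRED = ("from", "to", "source", "destination", "application", "service", "action")
# Match criteria compared when deciding whether an earlier rule shadows a later one.
MATCH_FIELDS = ("from", "to", "source", "destination", "source-user", "application", "service")


def set_rule(rules: List[dict], name: str, fields: Dict[str, str]) -> None:
    """Like 'set rulebase security rules NAME ...': a new rule is appended at the
    bottom of the rulebase, an existing one is updated. Calling it once per
    field reproduces the multi-line form (Method 2)."""
    for rule in rules:
        if rule["name"] == name:
            rule.update(fields)
            return
    rules.append({"name": name, **fields})


def move_rule(rules: List[dict], name: str, where: str, ref: Optional[str] = None) -> None:
    """Like 'move rulebase security rules NAME top|bottom|before REF|after REF'.
    Every argument is checked before the list is touched, so a bad call leaves
    the order unchanged."""
    names = [r["name"] for r in rules]
    if name not in names:
        raise KeyError(f"no rule named {name!r}")
    if where in ("before", "after"):
        if ref is None or ref not in names or ref == name:
            raise ValueError(f"'{where}' needs an existing reference rule other than {name!r}")
    elif where not in ("top", "bottom"):
        raise ValueError(f"position must be top, bottom, before or after, not {where!r}")
    rule = rules.pop(names.index(name))
    if where == "top":
        rules.insert(0, rule)
    elif where == "bottom":
        rules.append(rule)
    else:
        pos = [r["name"] for r in rules].index(ref)
        rules.insert(pos + 1 if where == "after" else pos, rule)


def validate(rules: List[dict]) -> List[str]:
    """Return the validation errors a commit would raise for missing fields."""
    return [f"rulebase -> security -> rules -> {r['name']} is missing '{k}'"
            for r in rules for k in REQUIRED if k not in r]


def _covers(broad: str, narrow: str) -> bool:
    """True when everything matched by 'narrow' is also matched by 'broad'.
    'any' is a wildcard; other values are space-separated object lists.
    Assumption for this example: address/application groups are not expanded."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return set(narrow.split()) <= set(broad.split())


def find_shadowed(rules: List[dict]) -> List[Tuple[str, str]]:
    """(earlier, later) pairs where the earlier rule's match criteria cover the
    later rule's, so the later rule can never be hit. This is what the commit
    reports as "Rule 'earlier' shadows rule 'later'". Absent criteria mean any."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(_covers(earlier.get(k, "any"), later.get(k, "any")) for k in MATCH_FIELDS):
                found.append((earlier["name"], later["name"]))
                break
    return found


def build_sample_rulebase() -> List[dict]:
    """The page's rulebase after examples 3 to 5. Match values of the pre-existing
    rules and the BlockTelnet deny rule are constructed for this example."""
    rules: List[dict] = []
    base = {"from": "Untrust", "to": "Trust", "source": "any", "destination": "any",
            "service": "application-default", "action": "allow"}
    set_rule(rules, "AllowMgmt", {**base, "application": "ssh ping"})
    set_rule(rules, "AllowWebAccess", {**base, "application": "web-browsing ssl"})
    set_rule(rules, "WebServerToExternal", {**base, "from": "Trust", "to": "Untrust",
                                            "source": "192.168.5.50", "application": "dns web-browsing"})
    set_rule(rules, "BlockTelnet", {**base, "application": "telnet", "action": "deny"})
    # Method 1: every field in one command.
    set_rule(rules, "TheGeekStuffInternal", {"from": "Untrust", "to": "Trust", "source": "any",
             "destination": "any", "application": "any", "service": "any", "action": "allow"})
    # Method 2: one field per command, accumulated on the same rule.
    for key, value in [("to", "Trust"), ("from", "Untrust"), ("source", "any"), ("destination", "any"),
                       ("source-user", "any"), ("application", "any"), ("service", "any"),
                       ("action", "allow"), ("log-start", "yes")]:
        set_rule(rules, "TheGeekStuffExternal", {key: value})
    move_rule(rules, "TheGeekStuffInternal", "top")
    move_rule(rules, "TheGeekStuffExternal", "before", "AllowWebAccess")
    return rules


if __name__ == "__main__":
    rb = build_sample_rulebase()
    print([r["name"] for r in rb])
    print(validate(rb))
    for earlier, later in find_shadowed(rb):
        print(f"Rule '{earlier}' shadows rule '{later}'")
```

Running it shows that moving the any/any TheGeekStuffInternal rule to the top shadows not only AllowMgmt but every later Untrust-to-Trust rule, including the constructed BlockTelnet deny. That is why the shadow warning deserves the same attention as a validation error: the commit goes through, and the deny silently stops being enforced.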

7. Delete an Existing Security Rule

Execute the following command (in configuration mode) to delete an existing security rule. As with any other change, the deletion takes effect only after a commit.

delete rulebase security rules TheGeekStuffExternal

8. View the Current NAT Policy

The following displays all existing NAT rules in the same brace-delimited format.

[email protected]> show running nat-policy

"NAT2WebServer; index: 1" {
        nat-type ipv4;
        from Untrust;
        source any;
        to Untrust;
        to-interface  ;
        destination 192.168.0.10;
        service 0:any/any/any;
        translate-to "dst: 192.168.5.50";
        terminal no;
}

"NAT2External; index: 2" {
        nat-type ipv4;
        from Trust;
        source any;
        to Untrust;
        to-interface  ;
        destination any;
        service 0:any/any/any;
        translate-to "src: 192.168.0.10 (dynamic-ip-and-port) (pool idx: 1)";
        terminal no;
}

9. Create a New NAT Rule

The following creates a new NAT rule named TheGeekStuffNAT (enter configuration mode first).

configure
set rulebase nat rules TheGeekStuffNAT source-translation dynamic-ip-and-port interface-address interface ethernet1/2

You can edit an existing NAT rule, or add further settings to the NAT rule created above, as shown below.

set rulebase nat rules TheGeekStuffNAT dynamic-destination-translation translated-address 192.168.6.40
set rulebase nat rules TheGeekStuffNAT dynamic-destination-translation translated-port 80
set rulebase nat rules TheGeekStuffNAT to Untrust
set rulebase nat rules TheGeekStuffNAT from Untrust
set rulebase nat rules TheGeekStuffNAT source any
set rulebase nat rules TheGeekStuffNAT destination 192.168.6.40
set rulebase nat rules TheGeekStuffNAT service any
set rulebase nat rules TheGeekStuffNAT to-interface any

[PaloAlto NAT rule]

10. Move a NAT Rule to a Specific Position

The following moves TheGeekStuffNAT to the top of the list. NAT rules are also evaluated top-down with the first match winning, so the position matters.

move rulebase nat rules TheGeekStuffNAT top

The following moves TheGeekStuffNAT after the existing NAT2WebServer rule.

move rulebase nat rules TheGeekStuffNAT after NAT2WebServer

The valid positions are: top, bottom, before, or after.

11. Commit and Verify NAT Rule Changes

Once you've created the new NAT rules, commit the changes as shown below.

[email protected]# commit
Commit job 8 is in progress. Use Ctrl+C to return to command prompt
...55%70%98%.......100%
Configuration committed successfully

Verify that the new NAT rule was created successfully as shown below (from operational mode, or with run in front from configuration mode). Note that if both move commands from example 10 had been applied before this commit, TheGeekStuffNAT would sit at index 2, right after NAT2WebServer; the listing below reflects the rule in its original position at the bottom.

[email protected]> show running nat-policy | match index
"NAT2WebServer; index: 1" {
"NAT2External; index: 2" {
"TheGeekStuffNAT; index: 3" {
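
Examples 1, 2, 8 and 11 all read the brace-format output of show running security-policy and show running nat-policy. The Python below is an added example, not part of the original article or of PAN-OS: it parses that output into ordered rule dicts, reproduces the | match index listing, splits the application/service field, and lists any-to-any allow rules. The sample text is constructed from the output shown on the page (AllowWebAccess and the NAT policy are abbreviated).

```python
import re
from typing import Any, Dict, List

# Constructed from the output shown on the page (AllowWebAccess abbreviated).
SECURITY_OUTPUT = '''\
"AllowMgmt; index: 1" {
        from Untrust;
        source any;
        source-region none;
        to Trust;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service [0:ssh/tcp/any/22 1:ping/icmp/any/any ];
        action allow;
        icmp-unreachable: no
        terminal yes;
}

"AllowWebAccess; index: 2" {
        from Untrust;
        source any;
        to Trust;
        destination any;
        application/service [0:web-browsing/tcp/any/80 ];
        action allow;
        terminal yes;
}
'''

# Constructed from the NAT2WebServer block shown on the page.
NAT_OUTPUT = '''\
"NAT2WebServer; index: 1" {
        nat-type ipv4;
        from Untrust;
        source any;
        to Untrust;
        to-interface  ;
        destination 192.168.0.10;
        service 0:any/any/any;
        translate-to "dst: 192.168.5.50";
        terminal no;
}
'''

HEADER = re.compile(r'^"(?P<name>.+?); index: (?P<index>\d+)"\s*\{$')


def parse_policy(text: str) -> List[Dict[str, Any]]:
    """Turn '"<name>; index: N" { key value; ... }' blocks into dicts, in rulebase
    order. Handles the format's quirks: a key with a trailing colon and no
    semicolon (icmp-unreachable: no), an empty value (to-interface  ;) and a
    quoted value containing spaces (translate-to "dst: ...")."""
    rules: List[Dict[str, Any]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = {"name": header["name"], "index": int(header["index"])}
            rules.append(current)
        elif line == "}":
            current = None
        elif current is None:
            raise ValueError(f"line outside any rule block: {raw!r}")
        else:
            key, _, value = line.rstrip(";").partition(" ")
            current[key.rstrip(":")] = value.strip().strip('"')
    # Indices must run 1..n in order; anything else means the output was cut off.
    if [r["index"] for r in rules] != list(range(1, len(rules) + 1)):
        raise ValueError("rule indices are not 1..n; output is truncated or garbled")
    return rules


def rule_names(rules: List[Dict[str, Any]]) -> List[str]:
    """Same information as 'show running security-policy | match index'."""
    return [r["name"] for r in rules]


def app_service(rule: Dict[str, Any]) -> List[Dict[str, str]]:
    """Split 'application/service [0:ssh/tcp/any/22 ...]' into its entries."""
    entries = []
    for item in rule.get("application/service", "").strip("[] ").split():
        _, _, spec = item.partition(":")
        app, proto, sport, dport = spec.split("/")
        entries.append({"app": app, "proto": proto, "sport": sport, "dport": dport})
    return entries


def any_to_any_allows(rules: List[Dict[str, Any]]) -> List[str]:
    """Allow rules with no source or destination restriction: the first place
    to look when reviewing a rulebase for over-permissive entries."""
    return [r["name"] for r in rules
            if r.get("action") == "allow" and r.get("source") == "any" and r.get("destination") == "any"]


if __name__ == "__main__":
    sec = parse_policy(SECURITY_OUTPUT)
    print(rule_names(sec), app_service(sec[0]), any_to_any_allows(sec))
    print(parse_policy(NAT_OUTPUT)[0]["translate-to"])
```

Because the parser keeps rulebase order, the same list can be diffed before and after a commit to confirm that a move landed where you intended, which is more reliable than eyeballing the index numbers.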

12. Delete an Existing NAT Rule

Execute the following command (in configuration mode, followed by a commit) to delete an existing NAT rule.

delete rulebase nat rules TheGeekStuffNAT

13. View Security and NAT Rules Together

You can also view the security and NAT rules from configuration mode using the show command, which displays the candidate configuration (including uncommitted changes), as shown below.

[email protected]> configure
Entering configuration mode
[edit]

[email protected]# edit rulebase security
[edit rulebase security]

[email protected]# show
security {
  rules {
    AllowMgmt {
      to Trust;
      from Untrust;
      source any;
      destination any;
      source-user any;
      category any;
      application [ ping ssh];
      service application-default;
      hip-profiles any;
      action allow;
    }
..
..

If you want show to display only the NAT rules, first enter the NAT edit context as shown below, then run show.

[email protected]# edit rulebase nat
[edit rulebase nat]

[email protected]# show
nat {
  rules {
    NAT2WebServer {
      destination-translation {
        translated-address 192.168.5.50;
      }
      to Untrust;
      from Untrust;
      source any;
      destination 192.168.0.10;
      service any;
    }
...
...

Similarly, you can work with the security rules by executing "edit rulebase security" followed by "show". Use up to go back one level, or top to return to the [edit] root.

14. Set the Output Format – Inside Configure

As you saw in the previous example, by default show displays its output in the brace-delimited format.

You can change this behaviour so that show displays the output in set format, as shown below. This is very handy when you just want to copy the output, change a specific value, and paste it back into the CLI.

To change the output format, use the set cli command and change config-output-format to set, as shown below.

[email protected]# run set cli config-output-format set
[edit rulebase nat]

After the above, show displays its output in set format instead of the default brace format.

[email protected]# show
set rulebase nat rules NAT2WebServer destination-translation translated-address 192.168.5.50
set rulebase nat rules NAT2WebServer to Untrust
set rulebase nat rules NAT2WebServer from Untrust
set rulebase nat rules NAT2WebServer source any
set rulebase nat rules NAT2WebServer destination 192.168.0.10
set rulebase nat rules NAT2WebServer service any
set rulebase nat rules NAT2External source-translation dynamic-ip-and-port translated-address 192.168.0.10
set rulebase nat rules NAT2External to Untrust
set rulebase nat rules NAT2External from Trust
set rulebase nat rules NAT2External source any
set rulebase nat rules NAT2External destination any
set rulebase nat rules NAT2External service any

Note: In the above, run is prefixed because the command is executed from within configure mode; run lets you execute an operational-mode command without leaving configuration mode.

The following are the possible values for config-output-format.

run set cli config-output-format default
run set cli config-output-format json
run set cli config-output-format set
run set cli config-output-format xml

15. Set the Output Format – Outside Configure

Note: If you are not in configuration mode, don't put run in front, as shown below.

In the following, we are outside configure mode. Here the run prefix is not valid.

[email protected]> run set cli config-output-format set
Unknown command: run

When you are outside configure, just execute the set command without run in front, as shown below.

[email protected]> set cli config-output-format set
[email protected]>

Now enter configure, and you'll see the output in set format as shown below. The setting applies to your current CLI session only.

[email protected]> configure
Entering configuration mode

[email protected]# edit rulebase nat
[edit rulebase nat]

[email protected]# show
set rulebase nat rules NAT2WebServer destination-translation translated-address 192.168.5.50
set rulebase nat rules NAT2WebServer to Untrust
...
...
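
The point of set format in examples 14 and 15 is to copy a rule's set lines, change a value, and paste them back. The Python below is an added example, not code from the article or from PaloAlto: it parses set-format output, clones one rule under a new name with selected values replaced, and refuses to proceed when an override path does not exist on the source rule or the new name already exists (set on an existing name would modify that rule rather than create a new one). The sample lines are the NAT2WebServer and NAT2External output from example 14; the clone name NAT2WebServer2 and the addresses 192.168.0.11 and 192.168.5.51 are assumptions.

```python
from typing import Dict, List, Tuple

# Set-format output from example 14 (constructed copy of the page's listing).
SET_OUTPUT = """\
set rulebase nat rules NAT2WebServer destination-translation translated-address 192.168.5.50
set rulebase nat rules NAT2WebServer to Untrust
set rulebase nat rules NAT2WebServer from Untrust
set rulebase nat rules NAT2WebServer source any
set rulebase nat rules NAT2WebServer destination 192.168.0.10
set rulebase nat rules NAT2WebServer service any
set rulebase nat rules NAT2External source-translation dynamic-ip-and-port translated-address 192.168.0.10
set rulebase nat rules NAT2External to Untrust
set rulebase nat rules NAT2External from Trust
set rulebase nat rules NAT2External source any
set rulebase nat rules NAT2External destination any
set rulebase nat rules NAT2External service any
"""

# A path is the token sequence between the rule name and the value,
# e.g. ("destination-translation", "translated-address").
Path = Tuple[str, ...]


def parse_set_lines(text: str) -> Dict[str, Dict[str, List[Tuple[Path, str]]]]:
    """Return {rulebase: {rule: [(path, value), ...]}}, preserving line order.
    Only single-token values are handled, which is all the page's output needs;
    a quoted value containing spaces would require a real tokenizer."""
    parsed: Dict[str, Dict[str, List[Tuple[Path, str]]]] = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] != ["set", "rulebase"] or len(tokens) < 7 or tokens[3] != "rules":
            raise ValueError(f"not a rulebase set command: {raw!r}")
        rulebase, name = tokens[2], tokens[4]
        path, value = tuple(tokens[5:-1]), tokens[-1]
        parsed.setdefault(rulebase, {}).setdefault(name, []).append((path, value))
    return parsed


def clone_rule(text: str, rulebase: str, src: str, new_name: str,
               overrides: Dict[Path, str]) -> List[str]:
    """Emit the set commands that create NEW_NAME as a copy of SRC with the given
    values replaced. Every override path must already exist on SRC, so a typo in
    a path cannot silently produce a rule that differs from the intended one."""
    rules = parse_set_lines(text).get(rulebase, {})
    if src not in rules:
        raise KeyError(f"{rulebase} rule {src!r} not found in the set output")
    if new_name in rules:
        raise ValueError(f"{new_name!r} already exists; set would modify it, not create it")
    unknown = set(overrides) - {path for path, _ in rules[src]}
    if unknown:
        raise KeyError(f"override paths not present on {src!r}: {sorted(unknown)}")
    return [f"set rulebase {rulebase} rules {new_name} {' '.join(path)} {overrides.get(path, value)}"
            for path, value in rules[src]]


if __name__ == "__main__":
    # Assumed names and addresses for the clone, not from the page.
    for cmd in clone_rule(SET_OUTPUT, "nat", "NAT2WebServer", "NAT2WebServer2",
                          {("destination",): "192.168.0.11",
                           ("destination-translation", "translated-address"): "192.168.5.51"}):
        print(cmd)
```

The emitted lines can be pasted into configure mode as-is; remember that the new rule lands at the bottom of the NAT rulebase, so follow up with a move command if it has to take precedence over an existing rule, and commit.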
