
Palo Basic Setup


A run through using the CLI to set up a Palo firewall at home covering the initial configuration, upgrading, BGP routing and a basic firewall policy.


Similar to Cisco software the CLI has two modes of operation:

- operational (>): show commands for the operational state, general system settings and troubleshooting
- configuration (#): for making system and policy changes; operational commands can be run in config mode by prepending them with 'run'

In general, show commands (interfaces, sessions, etc.) display their output as a table unless a specific object is specified (such as an interface), in which case the result is a lot more detail on that object (non-table view). Any command that takes the follow keyword shows the data in realtime, kind of like tail -f does in Linux.

Using tab or ? in a command shows all the possible options, + is an option and > means that there are further sub-options.

```
# set deviceconfig system dns-setting ?
> dns-proxy-object    Dns proxy object to use for resolving fqdns
> servers             Primary and secondary dns servers
  <Enter>             Finish input
ste@HME-PAL-OEW1# set deviceconfig system dns-setting servers ?
+ primary             Primary DNS server IP address
+ secondary           Secondary DNS server IP address
  <Enter>             Finish input
```

find is a super useful command, similar to a wiki search, that lets you search all CLI commands (show, set, clear, etc.) that contain a keyword.

```
find command keyword cli_keyword
```

Request commands are run in operational mode and are used for displaying system information and performing system-level tasks such as licensing, upgrades, plugins, high-availability and reboots.

```
request restart system
request shutdown system
```

Within operational mode the XML formatted running config can be viewed, with the optional use of xpath (xpath is a W3C standard) to filter it down to different sections.

```
> show config running
> show config running xpath mgt-config
> show config running xpath devices
> show config running xpath devices/entry[@name='localhost.localdomain']/deviceconfig/system
> show config running xpath devices/entry[@name='localhost.localdomain']/network/interface
> show config running xpath *//rulebase/security/rules
```

Within configuration mode the per-section configuration (including non-committed changes) can be viewed as xml (default), json or, with set, a more traditional one-command-per-line output. This setting is per console session and does not survive the session.

```
> set cli config-output-format [default | json | set | xml]
> configure
# show config mgt-config
# show deviceconfig system
# show network interface
# show rulebase security rules
```
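Two things this section relies on, the xpath filter over the XML running config and the set output format, can be reproduced offline. The following Python is an added example (not from the original post or PAN-OS): it filters a constructed, cut-down mimic of the running config with the same xpath strings used above and flattens the matches into set lines the way config-output-format set does; the set-command prefix for each section is supplied by the caller.

```python
"""Filter a PAN-OS style XML running config with the same xpaths the CLI
accepts and render the result in the CLI's 'set' output format.

Added example, not from the original post or PAN-OS itself. RUNNING_CONFIG
is a constructed, cut-down mimic of 'show config running'; element names
follow the set commands used in the post."""
import xml.etree.ElementTree as ET
from typing import List

RUNNING_CONFIG = """
<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>HME-PAL-OEW1</hostname>
          <ip-address>10.10.128.3</ip-address>
          <dns-setting><servers>
            <primary>10.10.10.104</primary><secondary>1.1.1.1</secondary>
          </servers></dns-setting>
        </system>
      </deviceconfig>
      <network><interface><ethernet>
        <entry name="ethernet1/1">
          <layer3><ip><entry name="192.168.1.3/24"/></ip></layer3>
          <comment>outside interface on vlan999</comment>
        </entry>
      </ethernet></interface></network>
      <vsys><entry name="vsys1"><rulebase><security><rules>
        <entry name="DNS">
          <action>allow</action>
          <from><member>south</member></from>
          <to><member>any</member></to>
          <source><member>grp_all_zones</member></source>
          <application><member>dns</member><member>ping</member></application>
        </entry>
      </rules></security></rulebase></entry></vsys>
    </entry>
  </devices>
</config>
"""


def xpath_filter(xml_text: str, xpath: str) -> List[ET.Element]:
    """Select elements the way 'show config running xpath <xpath>' does.
    Paths are relative to <config>; the CLI's leading '*//' wildcard maps
    to ElementTree's './/' (search anywhere below the root)."""
    root = ET.fromstring(xml_text)
    if xpath.startswith("*//"):
        xpath = ".//" + xpath[3:]
    return root.findall(xpath)


def _token(value: str) -> str:
    # Values containing spaces are quoted, as in the CLI's set output.
    return f'"{value}"' if " " in value else value


def to_set_commands(elem: ET.Element, prefix: List[str]) -> List[str]:
    """Flatten an XML subtree into 'set <prefix> ...' lines, mirroring
    'set cli config-output-format set'. Rules applied:
      - a plain element contributes its tag as a path token,
      - <entry name="X"> contributes X instead of the word 'entry',
      - a node whose children are all <member> becomes one value or a [ list ],
      - a leaf's text (if any) becomes the final value."""
    tokens = prefix + [_token(elem.get("name")) if elem.tag == "entry" else elem.tag]
    children = list(elem)
    if not children:
        text = (elem.text or "").strip()
        return [" ".join(["set", *tokens] + ([_token(text)] if text else []))]
    if all(child.tag == "member" for child in children):
        values = [_token(child.text.strip()) for child in children]
        values = values if len(values) == 1 else ["[", *values, "]"]
        return [" ".join(["set", *tokens, *values])]
    lines: List[str] = []
    for child in children:
        lines.extend(to_set_commands(child, tokens))
    return lines


def show_config_set(xml_text: str, xpath: str, prefix: List[str]) -> List[str]:
    """Filter by xpath, then render every match as set lines. prefix is the
    set-command path the CLI uses for that section (in a single-vsys setup
    the CLI drops the devices/entry and vsys/entry levels)."""
    lines: List[str] = []
    for elem in xpath_filter(xml_text, xpath):
        lines.extend(to_set_commands(elem, prefix))
    return lines


if __name__ == "__main__":
    for line in show_config_set(RUNNING_CONFIG, "*//rulebase/security/rules", ["rulebase", "security"]):
        print(line)
```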

For any task (upgrade, commit, etc.) that is being processed or has previously been run, the progress and status can be checked using show jobs.

```
ste@HME-PAL-OEW1> show jobs ?
> all          All jobs
> id           By id
> pending      Pending jobs
> processed    Completed/active jobs
```

For normal administrative operations the CLI is interactive, providing auto-completion and error messages if a command is incorrect or there are invisible line breaks. Scripting mode is useful for entering long lists of set commands as it disables interaction (no auto-complete or error messages) and suppresses special characters, which helps to stop pasted config failing because of one-line errors.

```
> set cli scripting-mode on
```

Basic setup

When a Palo boots up it takes a while for the services to start, meaning you can SSH in pretty quickly but user authentication will fail with a wrong password message until the services have finished starting.

Change the management interface from DHCP to static, turn off password complexity (does not apply to the admin password) and add a user (prompts for a password). If you wish, all the commands for a configuration section can be chained into one line rather than split across multiple lines.

```
set deviceconfig system type static
set mgt-config password-complexity enabled no
set mgt-config users ste permissions role-based superuser yes
set mgt-config users ste password
```

Set the base management configuration; this is in its own routing table, separate from any firewall virtual-routers (VRFs).

```
set deviceconfig system hostname HME-PAL-OEW1
set deviceconfig system ip-address 10.10.128.3 netmask 255.255.255.0 default-gateway 10.10.128.1
set deviceconfig system dns-setting servers primary 10.10.10.104 secondary 1.1.1.1
set deviceconfig system domain stesworld.com
set deviceconfig system timezone Europe/London
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 10.10.10.51
set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address time.cloudflare.com
```

To view the settings (in xml, or as flat config lines if you have changed cli config-output-format) before applying them:

```
show mgt-config
show deviceconfig
commit
```

Add management profiles (which protocols are allowed on an interface), interfaces, zones and the default gateway. Similar to a VRF, Palos use the concept of virtual-routers to allow for multiple separate routing tables, each holding member interfaces and routing elements.

In this example the configuration is all under the default virtual-router.

```
set network profiles interface-management-profile north ping yes
set network interface ethernet ethernet1/1 layer3 ip 192.168.1.3/24
set network interface ethernet ethernet1/1 comment 'outside interface on vlan999'
set network interface ethernet ethernet1/1 layer3 interface-management-profile north
set zone north network layer3 ethernet1/1
set network virtual-router default interface ethernet1/1
set network virtual-router default routing-table ip static-route default-route interface ethernet1/1 destination 0.0.0.0/0 nexthop ip-address 192.168.1.254
set network profiles interface-management-profile south ping yes ssh yes https yes snmp yes
set network interface ethernet ethernet1/2 layer3 ip 10.10.254.3/29
set network interface ethernet ethernet1/2 comment 'transit interface on vlan3101'
set network interface ethernet ethernet1/2 layer3 interface-management-profile south
set zone south network layer3 ethernet1/2
set network virtual-router default interface ethernet1/2
show network interface
commit
```

Without leaving configure mode you can check the operational state by prefixing operational show commands with run.

```
# run show interface logical
total configured logical interfaces: 2
name                id    vsys zone             forwarding               tag    address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1    north            vr:default               0      192.168.1.3/24
ethernet1/2         17    1    south            vr:default               0      10.10.254.3/29
```

To configure an interface to use DHCP for its IP address and default route rather than having them statically assigned:

```
set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes create-default-route yes
```

Mistakes can be undone by using delete, for example to delete a zone and re-add it.

```
delete zone inside network layer3 ethernet1/2
set zone south network layer3 ethernet1/2
```

Commands for checking the system, interfaces and connectivity:

| Command | Description |
| --- | --- |
| show system info | Everything about the system like model, serial, license, versions, uptime, etc |
| show system software status | See the processes running and their IDs |
| show system resources | Same as top, showing processes and resources used (add follow for realtime) |
| show clock | Time and timezone |
| show ntp | NTP status |
| show interface hardware | Layer2 info such as speed/duplex/state and MAC address |
| show interface logical | Layer3 info such as vsys, virtual router, IP and security zone |
| show interface all | Layer2 (hardware) and Layer3 (logical) interface info |
| show interface interface-name | Statistics for a specific interface |
| show counter interface all | Statistics for all interfaces |
| show dhcp client state all | |
| ping source 192.168.1.3 host 8.8.8.8 | Source is optional, by default it uses the management interface |
| traceroute source 192.168.1.3 host 8.8.8.8 | |
| show mac all | MAC address table, replace all with a VLAN name to limit the scope |
| show arp all | ARP table, replace all with an interface to limit the scope |

Licensing

Licensing is based on feature-set and CPUs (a 2 vCPU VM-100 is 16.5 credits), meaning that if a VM has more vCPUs than you want to license, the number used must be limited before firewall registration. A reboot is required for this to take effect.

```
request plugins vm_series set-cores cores number-of-cores
request restart system
show system info                          To check CPUs once rebooted
```

NGFW credits are assigned via a deployment profile within the Palo portal » Assets » Software Credits, and the resulting auth-code is applied on the firewall. Features and CPUs can be mixed and matched to be more granular about the number of credits used.

It is a good idea to make sure the FW can ping the Palo licensing site before doing the registration. Upon registration the FW services are restarted, meaning the console session will be closed; when you log back in you will get the usual wrong password messages until all services have restarted.

```
ping host updates.paloaltonetworks.com
request license fetch auth-code Dxxxxxxx
request license info                      To check the system is licensed
```

When deleting a firewall you should first deactivate it in the portal so that the credits are returned to the deployment profile (this can still be done if the firewall is offline). If the firewall is to be re-licensed rather than destroyed you also have to do the deactivation on the firewall; if you don't, the new activation will fail with the message “Server error : Failed to install licenses. Invalid serial number”.

```
request license deactivate VM-Capacity mode manual
request restart system
```

Upgrades

The Palos need to be licensed to be able to check for updates; without it you will get a generic connection failure error. PAN-OS comes in:

- Major version (X.y.z): new version released every year
- Feature release (x.Y.z): contains some new and updated features, normally about half a year after the major
- Maintenance release (x.y.Z): released every 6 to 8 weeks (for both minor and major) and mostly contains bugfixes
- Hotfix version (x.y.z-h*): bugfixes needed sooner than the next maintenance release

When upgrading across multiple major versions (8.1 to 9.0 to 9.1) you must upgrade to the next major version before moving on to the one after it (can’t skip a major version). When upgrading to the latest maintenance release from an earlier maintenance version (9.1.1 to 9.1.10), you do not need to install any intermediary maintenance versions.
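The hop rule above as an added Python helper (not from the original post): every release train between the current and target versions must be visited, while a jump within one train goes straight to the target. The ordered TRAINS list and the assumption that an intermediate train is entered via its base release x.y.0 are mine, not anything PAN-OS provides.

```python
"""Plan a PAN-OS upgrade path: you cannot skip a release train
(8.1 -> 9.0 -> 9.1), but within one train you can jump straight to the
target maintenance or hotfix release.

Added example, not from the original post. TRAINS is an assumed, ordered
list of release trains; the hop through an intermediate train is assumed
to land on that train's base release (x.y.0)."""
import re
from typing import List, NamedTuple

TRAINS = ["8.0", "8.1", "9.0", "9.1", "10.0", "10.1", "10.2", "11.0", "11.1"]  # assumption


class PanosVersion(NamedTuple):
    major: int    # X in X.y.z
    feature: int  # Y in x.Y.z
    maint: int    # Z in x.y.Z
    hotfix: int   # N in x.y.z-hN, 0 when there is no hotfix

    @property
    def train(self) -> str:
        return f"{self.major}.{self.feature}"

    def __str__(self) -> str:
        base = f"{self.major}.{self.feature}.{self.maint}"
        return f"{base}-h{self.hotfix}" if self.hotfix else base


def parse_version(text: str) -> PanosVersion:
    """Parse '10.1.6' or '10.1.6-h3'. Tuple ordering then gives the release
    order, so 10.1.6 < 10.1.6-h3 < 10.1.7."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version: {text!r}")
    major, feature, maint, hotfix = m.groups()
    return PanosVersion(int(major), int(feature), int(maint), int(hotfix or 0))


def upgrade_path(current: str, target: str, trains: List[str] = TRAINS) -> List[str]:
    """Return the versions to install, in order, to get from current to target."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        raise ValueError(f"{target} is not newer than {current}")
    start, end = trains.index(cur.train), trains.index(tgt.train)
    # Every train strictly between the two needs its own install/reboot hop;
    # the same train, or the next one, needs no intermediate step.
    hops = [f"{train}.0" for train in trains[start + 1:end]]
    return hops + [str(tgt)]


if __name__ == "__main__":
    print(upgrade_path("8.1.14", "9.1.10"))   # ['9.0.0', '9.1.10']
```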

The firewall has two system volumes that each contain a fully installed PAN-OS, of which only one partition is active. The inactive partition contains either the previously installed version or the next version if you have just installed it but not rebooted yet. The upgrade process is similar to F5s, where you install the new version on a different partition and boot to that partition.

Check for the latest updates and download the required version. Use show jobs to keep track of the download process (all or id).

```
request system software check
request system software download version 10.1.6-h3
show jobs all
```

Once downloaded, the new image will be in maint ready to be installed on a partition; the RUNNING-ACTIVE partition is the current version.

```
> debug swm status
Partition          State               Version
--------------------------------------------------------------------------------
sysroot0           RUNNING-ACTIVE      10.1.6
sysroot1           EMPTY               None
maint              READY               10.1.6-h3
```

Install the downloaded image onto the sysroot1 partition; once again you can keep an eye on the progress by viewing the job.

```
request system software install version 10.1.6-h3
Download job enqueued with jobid 1010
show jobs id 6
```

Once the installation has finished it will be in a PENDING-CHANGE state.

```
> debug swm status
Partition          State               Version
--------------------------------------------------------------------------------
sysroot0           RUNNING-ACTIVE      10.1.6
sysroot1           PENDING-CHANGE      10.1.6-h3
maint              READY               10.1.6-h3
```

Reboot the firewall to complete the upgrade.

```
request restart system
```

As it uses partitions the rollback process is fairly straightforward: you just have to switch the boot partition.

```
> debug swm status
Partition          State               Version
--------------------------------------------------------------------------------
sysroot0           REVERTABLE          10.1.6
sysroot1           RUNNING-ACTIVE      10.1.6-h3
maint              READY               10.1.6-h3

> debug swm list
Product    B  Version      Built                 Loaded
--------------------------------------------------------------------------------
panos      *  10.1.0       2021-06-01 19:06:12   2022-06-01 13:15:55
panos         10.1.6       2022-05-20 19:55:49   2022-06-01 13:16:15
panos         10.1.6-h3    2022-06-08 18:53:34   2022-07-30 22:22:13
```

Revert the update by activating the previous partition and rebooting.

```
debug swm revert
Reverting from 10.1.6-h3 (sysroot0) to 10.1.6 (sysroot1)
request restart system
```

Below are some useful commands when looking at versions. swm stands for PAN Software Manager; you can see its options using debug swm ?.

| Command | Description |
| --- | --- |
| request license info | All licenses installed |
| debug swm status | The different partitions and the image installed on each |
| debug swm list | Timestamps for the different panos versions that have been run |
| debug swm info | Version of software being run |
| show plugins installed | Plugins installed |

Service routes

By default the firewall uses its management interface to communicate with the various management services such as licensing, updates, DNS, email, User-ID agent, syslog, Panorama, etc. Service routes allow you to choose which interface is used on a per-service basis. Only an interface with a statically assigned IP address can be used for service routes; it won't give you the option of IP or interface if that interface is using DHCP.

Change paloalto-networks-services so that ethernet1/1 rather than the management interface is used for software updates and licensing:

```
set deviceconfig system route service paloalto-networks-services source address 10.1.242.116/28 interface ethernet1/1
```

It is also possible to do the same thing for a specific destination IP or URL rather than a defined service.

```
set deviceconfig system route destination <IP or FQDN> source address 10.1.242.116/28 interface ethernet1/1
```

Routing - BGP

For a firewall the BGP options available in Palo are pretty impressive: communities (including regex matching) as well as other BGP attributes such as weight, local preference, MED, AS-path, origin and next-hop are all supported in some form. The only thing missing is some sort of multi-VRF address-family like MPLS-VPN or EVPN, but that is probably a step too far for a firewall. BFD is possible on higher license models; I tried on a VM-100 but got the error “BFD profile ‘default’ can not be enabled as bfd is not supported on this platform.(Module: routed)". BGP and BFD (if used) need to be explicitly allowed in the firewall security policy.

By default any prefixes learnt via BGP, including the default route, will not be put in the routing table; this is configured under the general settings.

```
# set network virtual-router default protocol bgp ?
+ allow-redist-default-route    allow redistribute default route to BGP
+ ecmp-multi-as                 Support multiple AS in ECMP
+ enforce-first-as              Enforce First AS for EBGP
+ install-route                 Populate BGP learned route to global route table
+ reject-default-route          do not learn default route from BGP
```

Peer groups are a collection of BGP peers that share settings and advertisements. Route-reflector configuration would be done under peers on a per-peer basis. There are 4 types of peer-groups (ebgp, ebgp-confed, ibgp, ibgp-confed) with the main difference being the next-hop options.

- iBGP: export next-hop can be set to either Original (use the next hop address from the route advertisement) or Use Self (replace the next hop with the virtual router's IP).
- eBGP: export next-hop can be set to either Resolve (resolve the next hop using the FIB) or Use Self. It also has the options import next-hop (Original or Use Peer) and Remove Private AS (from the AS-path).

Create an iBGP peer, install the BGP routes into the routing table and allow the BGP routing table to be dynamically updated when routing changes are made (soft-reset-with-stored-info). Each peer must specify a local-address interface or IP (if there are multiple IPs on the interface).

```
set network virtual-router default protocol bgp enable yes local-as 65101 router-id 10.10.254.3 install-route yes
set network virtual-router default protocol bgp peer-group iBGP type ibgp export-nexthop use-self
set network virtual-router default protocol bgp peer-group iBGP soft-reset-with-stored-info yes
set network virtual-router default protocol bgp peer-group iBGP peer HME-C3560-SWI01 local-address interface ethernet1/2
set network virtual-router default protocol bgp peer-group iBGP peer HME-C3560-SWI01 peer-as 65101 peer-address ip 10.10.254.1
set network virtual-router default protocol bgp peer-group iBGP peer HME-C3560-SWI01 connection-options keep-alive-interval 3 hold-time 9
```

It is worth noting that when you commit BGP changes it flaps the BGP peerings.

Advertising prefixes

There are 5 types of advertisement: import, export, conditional advertisement and aggregates are associated to a peer-group (aggregates can also be associated to a peer), while redistribution (redist-rules) is applied to the whole BGP process.

- Import/Export: import or export BGP prefixes using match and action statements. It has similar feature parity to route-maps in terms of what they can do, such as matching and/or setting AS-path, next-hop, metrics, communities, etc.
- Conditional Advertisement: control route advertisement in the event that a preferred route (and optionally route attribute) is not available in the local BGP routing table (LocRIB).
- Aggregate: combines specific routes (longer prefix length) into a single route. Can suppress and aggregate based on peers, next-hops, community, MED, AS-path, etc., as well as change these values in the aggregate.
- Redistribution: redistribute routes into BGP (using a redistribute profile) setting attributes such as metric, local preference, origin and community.

Redistribution profiles allow static routes or other routing protocols to be advertised on a priority basis with conditional filtering. The priority of the redistribution profiles (lower priority values are matched first) allows for redistributed route inclusion or exclusion. All redistribute profiles must have an action of redistribute or don't redistribute for the matched filter. If only 1 prefix needs to be redistributed this can be done without the need for a redistribution profile.

```
# set network virtual-router default protocol redist-profile STATIC_to_BGP priority 1 filter type [
  Start a list of values.
  bgp          bgp
  connect      connect
  ospf         ospf
  rip          rip
  static       static
# set network virtual-router default protocol redist-profile STATIC_to_BGP priority 1 filter type static ?
> bgp          specify candidate BGP routes' attributes (community)
> destination  specify candidate routes' destination networks (subnet match)
> interface    specify candidate routes' interfaces
> nexthop      specify candidate routes' next-hop addresses (subnet match)
> ospf         specify candidate OSPF routes' attributes (area, path-type (E1, E2, inter-area, intra-area))
# set network virtual-router default protocol redist-profile STATIC_to_BGP action ?
  no-redist    do not redistibute when this rule matched
  redist       redistibute when this rule matched
  <Enter>      Finish input
```

Each redistribution profile is associated to the BGP process (which is where priorities come in) and the BGP attributes are set (by default set-origin is incomplete).

```
# set network virtual-router default protocol bgp redist-rules STATIC_to_BGP ?
+ address-family-identifier    select redistribution profile type
+ metric                       metric value
+ route-table                  select destination SAFI for redistribution
+ set-as-path-limit            add the AS_PATHLIMIT path attribute
+ set-local-preference         add the LOCAL_PREF path attribute
+ set-med                      add the MULTI_EXIT_DISC path attribute
+ set-origin                   add the ORIGIN path attribute
> set-community                add the COMMUNITY path attribute
> set-extended-community       add the EXTENDED COMMUNITY path attribute
```

Advertise the RFC1918 ranges and a default route into BGP using static null routes and allow-redist-default-route.

```
set network virtual-router default routing-table ip static-route RFC1918-ClassA destination 10.0.0.0/8 nexthop discard
set network virtual-router default routing-table ip static-route RFC1918-ClassB destination 172.16.0.0/12 nexthop discard
set network virtual-router default routing-table ip static-route RFC1918-ClassC destination 192.168.0.0/16 nexthop discard
set network virtual-router default protocol redist-profile STATIC_to_BGP priority 1 filter type static destination 0.0.0.0/0 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
set network virtual-router default protocol redist-profile STATIC_to_BGP action redist
set network virtual-router default protocol bgp redist-rules STATIC_to_BGP enable yes address-family-identifier ipv4
set network virtual-router default protocol bgp allow-redist-default-route yes
```

Some routing show commands; the virtual-router can be added to most of these commands to limit them to a specific routing table.

| Command | Description |
| --- | --- |
| show routing fib | Show the forwarding table |
| show routing route | Show the routing table |
| show routing summary | Number of routes of the different routing protocol types |
| show routing bfd summary | BFD neighbors and protocols used by it |
| show routing protocol bgp summary | General info on each peer such as local pref and number of accepted & advertised |
| show routing protocol bgp peer | Detailed info on each peer including all the settings and statistics |
| show routing protocol bgp loc-rib | Show the BGP prefixes received from all neighbors |
| show routing protocol bgp loc-rib peer HME-C3560-SWI01 | BGP prefixes received from one specific neighbor |
| show routing protocol bgp loc-rib-detail | Shows the BGP attributes for each prefix received |
| show routing protocol bgp rib-out | Shows the BGP prefixes advertised out to all neighbors |
| show routing protocol bgp rib-out peer HME-C3560-SWI01 | BGP prefixes advertised to one specific neighbor |
| show routing protocol bgp rib-out-detail | Shows the BGP attributes for each prefix advertised |
| show routing protocol bgp policy import | Shows the peer-group, prefixes imported, hit count and any actions |
| show routing protocol bgp policy export | Shows the peer-group, prefixes exported, hit count and any actions such as change next-hop |
| show routing protocol bgp policy cond-adv | Shows the peer-group and conditional advertisements applied |
| show routing protocol bgp policy aggregate | Shows the peer-group, peers and aggregates |
| show routing protocol redist bgp | Shows prefixes redistributed into BGP via the different methods and any attributes set |

FW Policy (security rulebase)

Tags can be used for multiple purposes, I have used them to colour address and address-groups within the security policy, define membership within dynamic address-groups and to group rules within the different policies. Each object can have up to 64 tags, when an object has multiple tags it displays the color of the first tag applied.

```
set tag Blue color color24 comments 'Blue zone (BLU) objects and rules'
set tag Green color color22 comments 'Green zone (GRN) objects and rules'
set tag Amber color color6 comments 'Amber zone (AMB) objects and rules'
set tag Red color color1 comments 'Red zone (RED) objects and rules'
set tag iNET color color1 comments 'Internet based services'
set tag Infra/Transit color color39 comments 'Infrastructure or transit zone (TRI) objects and rules'
set tag 'Network Services' color color31 comments 'Network Services (NST) objects and rules'
```

An empty address group can't be created; the commit will fail with “Error: Fail to count address groups”. As with most set commands, to define multiple objects within a command use [] to define the list, with each list object separated by a space.

```
set address net_blu_aggr tag Blue ip-netmask 10.10.0.0/18
set address net_blu_lp12 tag [Blue Grey] ip-netmask 10.10.255.12/32
set address net_grn_aggr tag Green ip-netmask 10.10.64.0/19
set address net_amb_aggr tag Amber ip-netmask 10.10.96.0/19
set address hst_google_dns tag [ iNET "Network Services" ] ip-netmask 8.8.8.8/32
set address hst_cloudflare_dns tag [ iNET "Network Services" ] ip-netmask 1.1.1.1/32
set address hst_pihole_dns tag [ Blue "Network Services" ] ip-netmask 10.10.10.104/32
set address hst_cloudflare_ntp tag [ iNET "Network Services" ] fqdn time.cloudflare.com
set address hst_esx01_ntp tag [ Blue "Network Services" ] ip-netmask 10.10.10.51/32
set address-group grp_blu_zone description "All Blue subnets" tag Blue static [ net_blu_aggr net_blu_lp12 ]
set address-group grp_grn_zone description "All Green subnets" tag Green static [ net_grn_aggr ]
set address-group grp_amb_zone description "All Amber subnets" tag Amber static [ net_amb_aggr ]
set address-group grp_all_zones description "All zones" static [ net_blu_aggr net_blu_lp12 net_grn_aggr net_amb_aggr ]
set address-group grp_dns description "DNS servers" tag "Network Services" static [ hst_google_dns hst_cloudflare_dns hst_pihole_dns ]
set address-group grp_ntp description "NTP servers" tag "Network Services" static [ hst_cloudflare_ntp hst_esx01_ntp ]
```

There are multiple actions that handle inbound connections, some of which are stealthy and some of which are noisy and informative. If you check Send ICMP Unreachable and the ingress interface is Layer 3, an ICMP Unreachable packet is sent to the client for every dropped session.

- Deny: drops the session and enforces the default Deny action. Some applications may silently drop while others send an RST packet
- Allow: allows the session to go through
- Drop: silently discards packets
- Reset Client: sends a TCP RST to the client
- Reset Server: sends a TCP RST to the server
- Reset Both: sends a TCP RST to both the client and the server

The default action for new security rules is to allow traffic and log once the session is closed (Log at session end). I only really choose Log at session start if I am doing testing.

```
set rulebase security rules 'Ping and traceroute' action allow from any to any source any destination any service application-default application ping rule-type universal description 'Ping and traceroute in any direction' group-tag 'Network Services'
set rulebase security rules DNS action allow from south to any source grp_all_zones destination grp_dns service application-default application dns rule-type universal description 'DNS lookups from all zones' group-tag 'Network Services'
set rulebase security rules NTP action allow from south to any source grp_all_zones destination grp_ntp service application-default application ntp rule-type universal description 'NTP lookups from all zones' group-tag 'Network Services'
set rulebase security rules 'BGP over transit' action allow from south to south source net_transit destination net_transit service application-default application bgp rule-type intrazone description 'BGP peering to HME-C3560-SWI01' group-tag 'Network Services'
set rulebase security rules 'Blue to Green' action allow from south to south source grp_blu_zone destination grp_grn_zone service any application any rule-type intrazone description 'Blue to Green zone traffic' group-tag Blue
set rulebase security rules 'Blue to Amber' action allow from south to south source grp_blu_zone destination grp_amb_zone service any application any rule-type intrazone description 'Blue to Amber zone traffic' group-tag Blue
set rulebase security rules 'Green to Blue' action allow from south to south source grp_grn_zone destination grp_blu_zone service any application any rule-type intrazone description 'Green to Blue zone traffic' group-tag Green
set rulebase security rules 'Green to Amber' action allow from south to south source grp_grn_zone destination grp_amb_zone service any application any rule-type intrazone description 'Green to Amber zone traffic' group-tag Green
set rulebase security rules 'Amber to Blue' action allow from south to south source grp_amb_zone destination grp_blu_zone service any application any rule-type intrazone description 'Amber to Blue zone traffic' group-tag Amber
set rulebase security rules 'Amber to Green' action allow from south to south source grp_amb_zone destination grp_grn_zone service any application any rule-type intrazone description 'Amber to Green zone traffic' group-tag Amber
set rulebase security rules 'Blue to iNET' action allow from south to north source grp_blu_zone destination net_any service any application any rule-type interzone description 'Blue zone to Internet' group-tag iNET
set rulebase security rules 'Green to iNET' action allow from south to north source grp_grn_zone destination net_any service any application any rule-type interzone description 'Green zone to Internet' group-tag iNET
set rulebase security rules 'Amber to iNET' action allow from south to north source grp_amb_zone destination net_any service any application any rule-type interzone description 'Amber zone to Internet' group-tag iNET
```

By adding group-tag to the security rules, Group rules by tags can be used within the GUI to view the rulebase in categories based on this tag value. While viewing the rulebase as groups the policy order and priority are maintained, meaning that if tagged rules are not sequential the categories will not contain all rules (there will be multiple categories of the same name in different places).

By default every security policy has 2 default catch-all rules; if changed, a red cog indicates that the default setting has been overridden.

- intrazone-default (permit, no log): this policy is for traffic coming from a zone and destined to the same zone
- interzone-default (deny, no log): the default deny policy for traffic coming from one zone and destined to another zone

```
set rulebase default-security-rules rules intrazone-default action deny log-end yes
set rulebase default-security-rules rules interzone-default action deny log-end yes
```
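To see how the rulebase above and the two default rules combine, here is an added Python example (not from the original post or Palo Alto) that parses a constructed subset of the post's set lines and performs the first-match lookup, including the fall-through to intrazone-default and interzone-default and the effect of overriding them to deny. Service matching and FQDN address objects are left out.

```python
"""First-match lookup over a PAN-OS style security rulebase, offline.
Added example (not from the post or Palo Alto): parses a constructed subset
of the post's 'set' lines and answers "which rule does this flow hit?"
top to bottom, falling through to the intrazone/interzone default rules.
Service matching and FQDN address objects are deliberately left out."""
import ipaddress
import shlex
from typing import Dict, List, Tuple

# Constructed subset of the post's configuration, one object or rule per line.
CONFIG = """
set address net_blu_aggr tag Blue ip-netmask 10.10.0.0/18
set address net_grn_aggr tag Green ip-netmask 10.10.64.0/19
set address hst_pihole_dns tag [ Blue "Network Services" ] ip-netmask 10.10.10.104/32
set address-group grp_blu_zone tag Blue static [ net_blu_aggr ]
set address-group grp_grn_zone tag Green static [ net_grn_aggr ]
set address-group grp_dns tag "Network Services" static [ hst_pihole_dns ]
set rulebase security rules DNS action allow from south to any source grp_blu_zone destination grp_dns service application-default application dns rule-type universal
set rulebase security rules 'Blue to Green' action allow from south to south source grp_blu_zone destination grp_grn_zone service any application any rule-type intrazone
set rulebase security rules 'Blue to iNET' action allow from south to north source grp_blu_zone destination any service any application any rule-type interzone
set rulebase default-security-rules rules intrazone-default action deny log-end yes
set rulebase default-security-rules rules interzone-default action deny log-end yes
"""

KV = Dict[str, List[str]]


def _keyvals(tokens: List[str]) -> KV:
    """Turn 'key value key [ a b ] ...' into {key: [values]}."""
    out: KV = {}
    i = 0
    while i < len(tokens):
        key = tokens[i]
        if tokens[i + 1] == "[":
            end = tokens.index("]", i + 2)
            out[key] = tokens[i + 2:end]
            i = end + 1
        else:
            out[key] = [tokens[i + 1]]
            i += 2
    return out


def parse_config(text: str):
    """Split the set lines into address objects, groups, ordered rules and
    default-rule overrides. shlex keeps 'Blue to Green' as one token."""
    addresses: Dict[str, str] = {}
    groups: Dict[str, List[str]] = {}
    rules: List[Tuple[str, KV]] = []
    defaults: Dict[str, KV] = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["set", "address"]:
            addresses[tok[2]] = _keyvals(tok[3:])["ip-netmask"][0]
        elif tok[:2] == ["set", "address-group"]:
            groups[tok[2]] = _keyvals(tok[3:])["static"]
        elif tok[:4] == ["set", "rulebase", "security", "rules"]:
            rules.append((tok[4], _keyvals(tok[5:])))  # line order = policy order
        elif tok[:4] == ["set", "rulebase", "default-security-rules", "rules"]:
            defaults[tok[4]] = _keyvals(tok[5:])
    return addresses, groups, rules, defaults


def _networks(name, addresses, groups):
    """Expand an address or (nested) address-group name into ip_network objects."""
    if name in groups:
        return [n for member in groups[name] for n in _networks(member, addresses, groups)]
    return [ipaddress.ip_network(addresses[name])]


def _ip_in(names, ip, addresses, groups) -> bool:
    if names == ["any"]:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for name in names for net in _networks(name, addresses, groups))


def evaluate(flow, parsed):
    """flow = (from_zone, to_zone, src_ip, dst_ip, app) -> (rule_name, action)."""
    addresses, groups, rules, defaults = parsed
    fz, tz, sip, dip, app = flow
    for name, r in rules:
        rule_type = r.get("rule-type", ["universal"])[0]
        if (rule_type == "intrazone" and fz != tz) or (rule_type == "interzone" and fz == tz):
            continue
        if r["from"] != ["any"] and fz not in r["from"]:
            continue
        if r["to"] != ["any"] and tz not in r["to"]:
            continue
        if not (_ip_in(r["source"], sip, addresses, groups) and _ip_in(r["destination"], dip, addresses, groups)):
            continue
        if r["application"] != ["any"] and app not in r["application"]:
            continue
        return name, r["action"][0]
    # Nothing matched: the built-in defaults are intrazone allow / interzone deny
    # unless the config overrides them (the post sets both to deny with logging).
    default = "intrazone-default" if fz == tz else "interzone-default"
    builtin = {"intrazone-default": "allow", "interzone-default": "deny"}
    return default, defaults.get(default, {}).get("action", [builtin[default]])[0]


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print(evaluate(("south", "south", "10.10.70.1", "10.10.5.9", "ssl"), cfg))
```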

Rules can be moved around (with after, before, bottom, top) or deleted.

```
# move rulebase security rules PING ?
  after     after
  before    before
  bottom    bottom
  top       top
# move rulebase security rules PING after NTP
# delete rulebase security rules PING
```

Security policy objects can be viewed from operational or configuration mode.

| Command | Description |
| --- | --- |
| > show running security-policy-addresses | Show the addresses |
| > show running security-policy | Shows the security policy |
| > show running rule-use hit-count vsys vsys1 rules all rule-base security | Show recent rulebase hit-count |
| > show rule-hit-count vsys vsys-name vsys1 rule-base security rules all | Shows more detailed rulebase hit-count and when rules were created |
| # show tag | Show all the tags configuration |
| # show address | Show all the addresses configuration |
| # show address-group | Show all the address-groups configuration |
| # show rulebase security | Show all the rules configuration |
| # show rulebase security rules PING | Show a specific rule configuration |
| # show rule-hit-count vsys vsys-name vsys1 rule-base security rules all | Show the hit count for each rule and the last time it was hit |

NAT Policy

The source and destination zones for inbound NAT are determined before the NAT policy is evaluated, which means the source and destination zone will always be identical. For inbound NAT the source zone reflects the interface that the clients are connected to, and the destination zone is the egress interface that a routing lookup determines based on the original packet.

Hide NAT (Dynamic IP and Port (DIPP)) supports around 64,000 concurrent sessions per available source IP, multiplied by the oversubscription factor supported by the platform. As a rule of thumb, smaller platforms commonly support 2x oversubscription, larger platforms support 4x, and extra-large platforms up to 8x (use show running nat-rule-ippool rule to check oversubscription).

```
set address nat_blu_zone tag Red description 'PAT address for BLU zone Internet traffic' ip-netmask 192.168.1.201
set address nat_grn_zone tag Red description 'PAT address for GRN zone Internet traffic' ip-netmask 192.168.1.202
set address nat_gry_zone tag Red description 'PAT address for GRY zone Internet traffic' ip-netmask 192.168.1.203
set address nat_catchall tag Red description 'CatchAll PAT address for all other Internet traffic' ip-netmask 192.168.1.204
set rulebase nat rules 'Blue PAT' from south to north source grp_blu_zone destination any service any description 'NAT address for BLU zone to iNET' group-tag Blue source-translation dynamic-ip-and-port translated-address nat_blu_zone
set rulebase nat rules 'Green PAT' from south to north source grp_grn_zone destination any service any description 'NAT address for GRN zone to iNET' group-tag Green source-translation dynamic-ip-and-port translated-address nat_grn_zone
set rulebase nat rules 'Grey PAT' from south to north source grp_gry_zone destination any service any description 'NAT address for GRY zone to iNET' group-tag Grey source-translation dynamic-ip-and-port translated-address nat_gry_zone
set rulebase nat rules 'CatchAll PAT' from south to north source any destination any service any description 'CatchAll NAT address for all other traffic to iNET' source-translation dynamic-ip-and-port translated-address nat_catchall
```

Alternatively, Hide NAT can use the interface IP address instead of a dedicated IP address.

```
set rulebase nat rules PAT from south to north source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
```

As with security rules, the NAT policy can also be grouped and displayed in the GUI using tags, and the show command syntax is also very similar.

| Command | Description |
| --- | --- |
| > show running nat-policy-addresses | Show the NAT addresses |
| > show running nat-policy | Shows the NAT policy |
| > show running rule-use hit-count vsys vsys1 rules all rule-base nat | Show recent rulebase hit-count |
| > show rule-hit-count vsys vsys-name vsys1 rule-base nat rules all | Shows more detailed rulebase hit-count and when rules were created |
| # show running nat-policy | Display the NAT policy configuration |

