Skip to content

Policy

Jump to bottom
Scott Ware edited this page Jun 19, 2019 · 29 revisions

This page will help to show you how the CSV file is formatted when used to import and update rules in a policy.

Usage

This command will allow you to import and export an entire security policy, along
with moving rules within the policy. When importing, this allows you to create new rules,
or modify existing values in rules.

When moving rules, if you are only doing one at a time, you do not need to specify a CSV file
or the '--movemultiple' flag. However, if you are wanting to move multiple rules around, then
you will want to use a CSV file, and it must include the '--movemultiple' flag.

See https://github.com/scottdware/panco/Wiki for more information

Usage:
  panco policy [flags]

Flags:
  -a, --action string        Action to perform; import or export
  -d, --device string        Firewall or Panorama device to connect to
  -g, --devicegroup string   Device Group name; only needed when ran against Panorama
  -f, --file string          Name of the CSV file to import/export to
  -h, --help                 help for policy
  -l, --location string      Rule location; pre or post when ran against Panorama (default "post")
  -m, --movemultiple         Specifies you wish to move multiple rules; use only with --file (default true)
  -w, --ruledest string      Where to move the rule - after, before, top, or bottom
  -n, --rulename string      Name of the rule you wish to move
  -t, --targetrule string    Name of the rule 'ruledest' is referencing
  -u, --user string          User to connect to the device as
  -v, --vsys string          Vsys name when ran against a firewall (default "vsys1")

CSV Structure

Importing

When importing a CSV to create rules or modify them, the file MUST have the following fields in this order:

Name,Type,Description,Tags,SourceZones,SourceAddresses,NegateSource,SourceUsers,HipProfiles,DestinationZones,DestinationAddresses,NegateDestination,Applications,Services,Categories,Action,LogSetting,LogStart,LogEnd,Disabled,Schedule,IcmpUnreachable,DisableServerResponseInspection,Group,Targets,NegateTarget,Virus,Spyware,Vulnerability,UrlFiltering,FileBlocking,WildFireAnalysis,DataFiltering

The easiest way to make the modifications all while adhering to this order, is to export the policy first (using the --action export), and then modifying that file.

Here is an example CSV file of a policy that has been exported:

policy.csv

And here is a screenshot of this policy:

Screenshot: Policy

Moving Rules

When you specify the option to move multiple rules (--movemultiple flag in conjunction with --file) using a CSV file, here is the format that the CSV file must adhere to:

RuleName,RuleDestination,TargetRule,<blank>,<blank>,Device group/Vsys

Here is an example CSV file which has 3 rules we want to move:

policy_move_rules.csv

Importing and Modifying Rules

When you import (create) rules, or want to modify existing values of a rule, you DO NOT need to have every column that is listed above filled out with a value. You still NEED them to be defined/listed, but they can be empty.

Any field that you want to add or modify you need to have a value there, but at the very least, you MUST have values in the following fields:

Name, Type, Action

Examples

Add Profiles

Based on the policy above, none of our rules have any security profiles configured. Let's say we want to add some (AV, Vulnerability, Wildfire, etc.), along with add a security profile to a couple of rules. Here is a CSV file that we will use to accomplise this:

policy_add_profiles.csv

As you can see in the file, we only have the Name, Type, Action and profile/group fields defined with the values we want to add. Once panco has imported this file, our policy should now reflect the security profiles that we defined:

Screenshot: Policy with profiles

Add Rules

Now let's add a couple of rules to our policy, and then add tags to a couple of existing ones. Here is the CSV file we will be using for this task:

policy_add_rules.csv

As you can see in this file, we are doing the following:

  • Add a rule that will deny traffic to gaming sites, as well as the Gaming_Apps application filter we have defined.
  • Add a rule that will deny access to Reddit.
  • Add a rule that will allow access to the social-networking URL category.
  • Add the Internet tag to two existing rules: Web_Browsing-APP and Web_Browsing-SVC

Once we import this using panco, our policy will now reflect all of the changes we have done:

Screenshot: Policy with new rules

Move Rules

Based on the two above examples, we can see that the newly added rules aren't really in the location that we want. Let's move Gaming, Deny_Reddit, and Allow_Social_Media before the Web_Browsing-APP rule so we know we will match the traffic correctly. Here's the CSV file we will use to accomplish this:

policy_move_rules.csv

We can import this using panco by running the following command:

panco policy --action move --file policy_move_rules.csv --movemultiple --device pa-vm --user admin

Once we import this, our rule base will now look like the following:

Screenshot: Policy with all changes

Moving a Single Rule

If you wish to only move one rule at a time, you can do that by using the following options:

panco policy --action move --rulename <existing rule to move> --ruledest <after|before|top|bottom> --targetrule <rule that references --ruledest> --device pa-vm --user admin

So say you wish to move an SSH rule above a Ping_Traceroute rule, your command would look like:

panco policy --action move --rulename SSH --ruledest before --targetrule Ping_Traceroute --device pa-vm --user admin

Clone this wiki locally