Table: panos_security_rule - Query Panorama Security Rules using SQL
Panorama Security Rules are a feature within that control network access by defining the source and destination addresses, application, and action (allow, deny, or drop). These rules are critical for managing network security and ensuring that only authorized traffic can access certain resources. Panorama Security Rules can be configured in a variety of ways to meet the specific needs of your network.
Table Usage Guide
The panos_security_rule table provides insights into Panorama Security Rules within. As a network administrator, explore rule-specific details through this table, including source and destination addresses, application, and action. Utilize it to manage network security and ensure that only authorized traffic can access certain resources.
Examples
Basic ingress rule info
Explore the specifics of your network's security rules, including the type, action, and details about source and destination zones and addresses. This can help you understand how your network's security is configured and identify potential vulnerabilities.
select name, type, action, source_zones, source_addresses, destination_zones, destination_addresses source_usersfrom panos_security_rule;select name, type, action, source_zones, source_addresses, destination_zones, destination_addresses, source_usersfrom panos_security_rule;List disabled security rules
Uncover the details of inactive security rules to understand the system's potential vulnerabilities and areas for improvement.
select name, type, descriptionfrom panos_security_rulewhere disabled;select name, type, descriptionfrom panos_security_rulewhere disabled = 1;Get security rules count by group
Determine the number of security rules associated with each group to understand the level of security measures applied. This can help identify areas where security may be lacking or overly stringent.
select case when group_tag is null then 'none' else group_tag end as group_tag, count(*)from panos_security_rulegroup by group_tag;select case when group_tag is null then 'none' else group_tag end as group_tag, count(*)from panos_security_rulegroup by group_tag;List security rules having public access to specific tagged addresses
Determine the areas in which security rules allow public access to addresses tagged with high impact. This can help identify potential security risks and tighten access controls where necessary.
with high_impact_tags as ( select name from panos_administrative_tag where color = 'color1' -- red),address_with_high_impact_tags as ( select a.name from panos_address_object as a join high_impact_tags as t on a.tags ? t.name)select r.name, r.source_addresses, r.destination_addressesfrom panos_security_rule as r join address_with_high_impact_tags as ht on r.source_addresses ? 'any' and r.destination_addresses ? ht.name;Error: SQLite does not support the '?' operator used in JSON queries in PostgreSQL.List of security rules without application tag
Discover the segments that lack an 'application' tag in your security rules. This can help you identify potential gaps in your rule tagging, thereby improving your security rule management.
select name, type, description, source_zones, destination_zonesfrom panos_security_rulewhere not tags ? 'application';select name, type, description, source_zones, destination_zonesfrom panos_security_rulewhere not json_extract(tags, '$.application');Lis security rules which contain any administrative tag with color yellow
Explore which security rules contain administrative tags marked in yellow. This can be useful for quickly identifying and reviewing specific security policies in your network that are flagged with this color for administrative purposes.
with yellow_tags as ( select name from panos_administrative_tag where color = 'color4';-- yellow)select panos_security_rule.name, panos_security_rule.type, panos_security_rule.descriptionfrom panos_security_rule join yellow_tags on panos_security_rule.tags ? yellow_tags.name;select panos_security_rule.name, panos_security_rule.type, panos_security_rule.descriptionfrom panos_security_rule join ( select name from panos_administrative_tag where color = 'color4' -- yellow ) as yellow_tags on json_extract(panos_security_rule.tags, yellow_tags.name) is not null;Schema for panos_security_rule
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| action | text | Specifies the action for the matched traffic. Possible values are: allow (default), deny, drop, reset-client, reset-server, or reset-both. | |
| applications | jsonb | A list of applications. | |
| categories | jsonb | A list of categories. | |
| data_filtering | text | The data filtering setting. | |
| description | text | The security rule's description. | |
| destination_addresses | jsonb | A list of destination addresses. | |
| destination_zones | jsonb | A list of destination zones. | |
| device_group | text | = | [Panorama] The device group location (default: shared). |
| disable_server_response_inspection | boolean | Indicates if server response inspection is disabled. | |
| disabled | boolean | Indicates whether this rule is disabled. | |
| file_blocking | text | The file blocking setting. | |
| group | text | The group profile name. | |
| group_tag | text | Specifies the group tag assigned to this rule. | |
| hip_profiles | jsonb | A list of HIP profiles. | |
| icmp_unreachable | boolean | Indicates whether ICMP is unreachable. | |
| log_end | boolean | Log the end of the traffic flow. | |
| log_setting | text | Log forwarding profile. | |
| log_start | boolean | Log the start of the traffic flow. | |
| name | text | = | Name of the rule. |
| negate_destination | boolean | Indicates if the destination is negated. | |
| negate_source | boolean | Indicates if the source is negated. | |
| negate_target | boolean | Instead of applying the rule for the given serial numbers, it is applied to everything except them. | |
| rule_base | text | = | [Panorama] The rulebase. This can be either pre-rulebase (default for panorama), rulebase, or post-rulebase. |
| schedule | text | The security rule schedule. | |
| services | jsonb | A list of services. | |
| source_addresses | jsonb | A list of source addresses. | |
| source_users | jsonb | A list of source users. | |
| source_zones | jsonb | A list of source zones. | |
| spyware | text | The anti-spyware setting. | |
| tags | jsonb | A list of administrative tags assigned to the rule. | |
| targets | jsonb | A dictionary of target definitions. | |
| type | text | The type of security rule. Default sets to universal. Other possibles values are: interzone, or intrazone. | |
| url_filtering | text | The URL filtering setting. | |
| uuid | text | The PAN-OS UUID. | |
| virus | text | The antivirus setting. | |
| vsys | text | = | [NGFW] The vsys the security rule belongs to (default: vsys1). |
| vulnerability | text | The vulnerability protection setting. | |
| wild_fire_analysis | text | The wildfire analysis setting. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- panosYou can pass the configuration to the command with the --config argument:
steampipe_export_panos --config '<your_config>' panos_security_rule