Quickly add Objects to your new Paloalto firewalls via CLI

July 27, 2020

There are a few things you always do when setting up a new Palo Alto firewall. You can save / export the running config and upload it to a new firewall, but that also carries over device-specific settings such as the IP addresses, which you would then have to change. The commands below add only the security profiles and profile group, so they can be pasted into any new firewall as-is.

SSH into the management interface of your firewall and paste the commands below. The first command switches the CLI output to "set" format and the second enters configuration mode.

set cli config-output-format set
configure

Spyware profile

set profiles spyware AS botnet-domains lists default-paloalto-dns packet-capture disable
set profiles spyware AS botnet-domains lists default-paloalto-dns action sinkhole
set profiles spyware AS botnet-domains lists default-paloalto-cloud packet-capture disable
set profiles spyware AS botnet-domains lists default-paloalto-cloud action alert
set profiles spyware AS botnet-domains sinkhole ipv4-address pan-sinkhole-default-ip
set profiles spyware AS botnet-domains sinkhole ipv6-address ::1
set profiles spyware AS rules AS-HGH action block-ip track-by source
set profiles spyware AS rules AS-HGH action block-ip duration 3600
set profiles spyware AS rules AS-HGH severity [ critical high ]
set profiles spyware AS rules AS-HGH threat-name any
set profiles spyware AS rules AS-HGH category any
set profiles spyware AS rules AS-HGH packet-capture disable
set profiles spyware AS rules AS-Med action default
set profiles spyware AS rules AS-Med severity [ medium low informational ]
set profiles spyware AS rules AS-Med threat-name any
set profiles spyware AS rules AS-Med category any
set profiles spyware AS rules AS-Med packet-capture disable

AV Profile

set profiles virus AV decoder ftp action default
set profiles virus AV decoder ftp wildfire-action default
set profiles virus AV decoder http action default
set profiles virus AV decoder http wildfire-action default
set profiles virus AV decoder http2 action default
set profiles virus AV decoder http2 wildfire-action default
set profiles virus AV decoder imap action default
set profiles virus AV decoder imap wildfire-action default
set profiles virus AV decoder pop3 action default
set profiles virus AV decoder pop3 wildfire-action default
set profiles virus AV decoder smb action default
set profiles virus AV decoder smb wildfire-action default
set profiles virus AV decoder smtp action default
set profiles virus AV decoder smtp wildfire-action default

Vulnerability profile

set profiles vulnerability VP rules VP-HGH action block-ip duration 3600
set profiles vulnerability VP rules VP-HGH action block-ip track-by source
set profiles vulnerability VP rules VP-HGH vendor-id any
set profiles vulnerability VP rules VP-HGH severity [ critical high ]
set profiles vulnerability VP rules VP-HGH cve any
set profiles vulnerability VP rules VP-HGH threat-name any
set profiles vulnerability VP rules VP-HGH host any
set profiles vulnerability VP rules VP-HGH category any
set profiles vulnerability VP rules VP-HGH packet-capture disable
set profiles vulnerability VP rules VP-Med action default
set profiles vulnerability VP rules VP-Med vendor-id any
set profiles vulnerability VP rules VP-Med severity [ medium low informational ]
set profiles vulnerability VP rules VP-Med cve any
set profiles vulnerability VP rules VP-Med threat-name any
set profiles vulnerability VP rules VP-Med host any
set profiles vulnerability VP rules VP-Med category any
set profiles vulnerability VP rules VP-Med packet-capture disable

URL

set profiles url-filtering URL credential-enforcement mode disabled
set profiles url-filtering URL credential-enforcement log-severity medium
set profiles url-filtering URL credential-enforcement alert [ abortion abused-drugs alcohol-and-tobacco auctions business-and-economy computer-and-internet-info content-delivery-networks copyright-infringement cryptocurrency dating dynamic-dns educational-institutions entertainment-and-arts extremism financial-services gambling games government grayware health-and-medicine home-and-garden hunting-and-fishing insufficient-content internet-communications-and-telephony internet-portals job-search legal low-risk medium-risk military motor-vehicles music newly-registered-domain news not-resolved nudity online-storage-and-backup parked peer-to-peer personal-sites-and-blogs philosophy-and-political-advocacy private-ip-addresses proxy-avoidance-and-anonymizers questionable real-estate recreation-and-hobbies reference-and-research religion search-engines sex-education shareware-and-freeware shopping social-networking society sports stock-advice-and-tools streaming-media swimsuits-and-intimate-apparel training-and-tools translation travel unknown weapons web-advertisements web-based-email web-hosting ]
set profiles url-filtering URL credential-enforcement block [ adult command-and-control hacking high-risk malware phishing ]
set profiles url-filtering URL alert [ abortion abused-drugs alcohol-and-tobacco auctions business-and-economy computer-and-internet-info content-delivery-networks copyright-infringement cryptocurrency dating dynamic-dns educational-institutions entertainment-and-arts extremism financial-services gambling games government grayware health-and-medicine home-and-garden hunting-and-fishing insufficient-content internet-communications-and-telephony internet-portals job-search legal low-risk medium-risk military motor-vehicles music newly-registered-domain news not-resolved nudity online-storage-and-backup parked peer-to-peer personal-sites-and-blogs philosophy-and-political-advocacy private-ip-addresses proxy-avoidance-and-anonymizers questionable real-estate recreation-and-hobbies reference-and-research religion search-engines sex-education shareware-and-freeware shopping social-networking society sports stock-advice-and-tools streaming-media swimsuits-and-intimate-apparel training-and-tools translation travel unknown weapons web-advertisements web-based-email web-hosting ]
set profiles url-filtering URL block [ adult command-and-control hacking high-risk malware phishing ]

Profile Group

set profile-group Protect virus AV
set profile-group Protect spyware AS
set profile-group Protect vulnerability VP
set profile-group Protect url-filtering URL
set profile-group Protect wildfire-analysis default

commit

The profile-group commands above add all the profiles you created to a profile group called "Protect". You can then attach this group to your security rules whose action is not deny or drop.

The security profiles above are configured as a bare-minimum best practice; verify them from the web UI and modify them as necessary.

Once you're done, don't forget to commit.
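As an added example (not from the original post), a short Python check that applies the post's point about exported configs: it keeps only the portable "set profiles" / "set profile-group" lines from a set-format export and flags any profile-group member whose profile is not defined, so an incomplete paste is caught before you commit. The sample export, its "deviceconfig" / "network" lines and the list of built-in profile names are constructed assumptions for this example.

```python
import re

# Only these 'set' prefixes define shareable objects; everything else in an
# export (deviceconfig, network, mgt-config ...) is tied to one device.
PORTABLE_PREFIXES = ("set profiles ", "set profile-group ")
# set profiles <type> <name> ...   /   set profile-group <group> <type> <name>
PROFILE_RE = re.compile(r"^set profiles (\S+) (\S+)")
GROUP_RE = re.compile(r"^set profile-group (\S+) (\S+) (\S+)$")
# Assumption: predefined PAN-OS profiles that never appear in an export.
BUILTIN_PROFILES = {"default", "strict"}

def portable_lines(config_text):
    """Return the set-commands that define profiles and profile groups only."""
    return [ln.strip() for ln in config_text.splitlines()
            if ln.strip().startswith(PORTABLE_PREFIXES)]

def dangling_references(lines):
    """Return (group, type, profile) for every profile-group member whose
    profile is neither defined in 'lines' nor a built-in profile."""
    defined = set()
    for line in lines:
        m = PROFILE_RE.match(line)
        if m:
            defined.add((m.group(1), m.group(2)))
    missing = []
    for line in lines:
        m = GROUP_RE.match(line)
        if (m and m.group(3) not in BUILTIN_PROFILES
                and (m.group(2), m.group(3)) not in defined):
            missing.append((m.group(1), m.group(2), m.group(3)))
    return missing

# Constructed sample export: note the VP vulnerability profile is referenced
# by the group but its 'set profiles vulnerability VP ...' lines are missing.
SAMPLE_EXPORT = """\
set deviceconfig system ip-address 192.0.2.10
set deviceconfig system hostname old-fw
set network interface ethernet ethernet1/1 layer3 ip 198.51.100.1/24
set profiles virus AV decoder http action default
set profiles spyware AS rules AS-HGH severity [ critical high ]
set profile-group Protect virus AV
set profile-group Protect spyware AS
set profile-group Protect vulnerability VP
set profile-group Protect wildfire-analysis default
"""

if __name__ == "__main__":
    kept = portable_lines(SAMPLE_EXPORT)
    print("\n".join(kept))
    for group, kind, name in dangling_references(kept):
        print(f"profile-group {group}: {kind} profile '{name}' is not defined")
```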
