Network Security
PAN-OS & Panorama
Require that a description, tag, or audit comment be entered when creating or editing a security rule.
By default, enforcement of a description, tag, and audit comment isn't enabled. You
can specify whether a description, tag, audit comment, or any combination of these
three is required to successfully add or modify a rule. The audit comment archive
allows you to view the audit comments entered for a selected rule, review the
configuration log history, and compare rule configuration versions.
- Select Device > Setup > Management and edit the Policy Rulebase Settings.
- Configure the settings you want to enforce. In this example, tags and audit comments are required for all policies. Enforce audit comments for security rules to capture the reason an administrator creates or modifies a rule. Requiring audit comments on security rules helps maintain an accurate rule history for auditing purposes.
- Configure the Audit Comment Regular Expression to specify the audit comment format. When administrators create or modify a rule, you can require that the audit comments they enter adhere to a specific format that fits your business and auditing needs by specifying letter and number expressions. For example, you can use this setting to specify regular expressions that match your ticketing number formats:
  - [0-9]{<Number of digits>}—Requires the audit comment to contain a minimum number of digits in the range 0 to 9. For example, [0-9]{6} requires a minimum of six digits in a numerical expression with numbers 0 to 9.
  - <Letter Expression>—Requires the audit comment to contain a letter expression. For example, Reason for Change- requires that the administrator begin the audit comment with this letter expression.
  - <Letter Expression>-[0-9]{<Number of digits>}—Requires the audit comment to contain a predetermined character string followed by a minimum number of digits in the range 0 to 9. For example, SB-[0-9]{6} requires the audit comment to begin with SB-, followed by a minimum of six digits with values from 0 to 9, such as SB-012345.
  - (<Letter Expression>|<Letter Expression>|<Letter Expression>)-[0-9]{<Number of digits>}—Requires the audit comment to begin with any one of the predetermined letter expressions, followed by a minimum number of digits in the range 0 to 9. For example, (SB|XY|PN)-[0-9]{6} requires the audit comment to begin with SB-, XY-, or PN-, followed by a minimum of six digits with values from 0 to 9, such as SB-012345, XY-654321, or PN-012543.
- Click OK to apply the new policy rulebase settings.
- Commit the changes. After you commit the policy rulebase settings changes, modify an existing security rule based on the rulebase settings you decided to enforce.
- Verify that the firewall is enforcing the new policy rulebase settings.
  - Select Policies and Add a new rule.
  - Confirm that you must add a tag and enter an audit comment before you can click OK.
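As an added example (not code from the PAN-OS documentation), the following Python script checks candidate audit comments against the ticket-number formats from the Audit Comment Regular Expression step, so an administrator can confirm a pattern accepts the intended ticket references before enforcing it on the rulebase. It assumes, based on the "begin with" and "minimum of six digits" wording above, that the firewall matches the expression from the start of the comment without requiring it to consume the whole comment; the anchored variant is included to show how to require the comment to consist of the ticket reference alone, which the page does not cover.

```python
import re

# Audit comment formats taken from the examples above.
PATTERNS = {
    "six digits": r"[0-9]{6}",
    "fixed prefix": r"Reason for Change-",
    "SB ticket": r"SB-[0-9]{6}",
    "SB/XY/PN ticket": r"(SB|XY|PN)-[0-9]{6}",
}


def comment_matches(comment: str, pattern: str, anchored: bool = False) -> bool:
    """Return True if the audit comment satisfies the regular expression.

    anchored=False (assumed firewall behaviour): the pattern must match at
    the start of the comment, but trailing text is allowed, so a seventh
    digit or a free-text explanation after the ticket does not cause a
    rejection.
    anchored=True: the whole comment must match the pattern exactly.
    """
    regex = re.compile(pattern)
    if anchored:
        return regex.fullmatch(comment) is not None
    return regex.match(comment) is not None


def check_comments(comments, pattern: str, anchored: bool = False) -> dict:
    """Map each candidate comment to whether the pattern would accept it."""
    return {c: comment_matches(c, pattern, anchored) for c in comments}


# Constructed sample comments an administrator might enter.
SAMPLE_COMMENTS = [
    "SB-012345",                   # matches the SB ticket format exactly
    "XY-654321 opened for VPN",    # ticket reference followed by free text
    "PN-12",                       # too few digits
    "sb-012345",                   # wrong case: regex matching is case-sensitive
    "SB-0123456",                  # seven digits: accepted unless anchored
    "added rule; see SB-012345",   # ticket present but not at the start
]

if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(f"{name} ({pat}):")
        for comment, ok in check_comments(SAMPLE_COMMENTS, pat).items():
            print(f"  {'accept' if ok else 'reject'}  {comment!r}")
```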