Enforce Security Rule Description, Tag, and Audit Comment (PAN-OS & Panorama)
Require that a description, tag, or audit comment be entered when creating or editing
a security rule.
By default, enforcement of a description, tag, and audit comment isn't enabled. You
can specify whether a description, tag, audit comment, or any combination of these
three is required to successfully add or modify a rule. The audit comment archive
allows you to view the audit comments entered for a selected rule, review the
configuration log history, and compare rule configuration versions.
- Launch the web interface.
- Select Device > Setup > Management and edit the Policy Rulebase Settings.
- Configure the settings you want to enforce. In this example, tags and audit comments are required for all policies. Enforce audit comments for security rules to capture the reason an administrator creates or modifies a rule; requiring audit comments on security rules helps maintain an accurate rule history for auditing purposes.
- Configure the Audit Comment Regular Expression to specify the audit comment format. When administrators create or modify a rule, you can require that their audit comments adhere to a specific format that fits your business and auditing needs by specifying letter and number expressions. For example, you can use this setting to specify regular expressions that match your ticketing number formats:
  - [0-9]{<Number of digits>}: requires the audit comment to contain at least that many digits (0 to 9). For example, [0-9]{6} requires at least six digits.
  - <Letter Expression>: requires the audit comment to contain a fixed letter expression. For example, Reason for Change- requires the administrator to begin the audit comment with that text.
  - <Letter Expression>-[0-9]{<Number of digits>}: requires a predetermined letter expression followed by a minimum number of digits. For example, SB-[0-9]{6} requires the audit comment to begin with SB- followed by at least six digits, such as SB-012345.
  - (<Letter Expression>|<Letter Expression>|<Letter Expression>)-[0-9]{<Number of digits>}: requires a prefix that is any one of the predetermined letter expressions, followed by a minimum number of digits. For example, (SB|XY|PN)-[0-9]{6} requires the audit comment to begin with SB-, XY-, or PN- followed by at least six digits, such as SB-012345, XY-654321, or PN-012543.
  A quantifier such as {6} sets the length of the digit run the expression matches, not an upper bound on the whole comment. If the format must be exact (for example, exactly six digits and nothing after them), test a longer comment such as SB-0123456 after committing to confirm the firewall rejects it, and tighten the expression if it does not.
- Click OK to apply the new policy rulebase settings.
- Commit the changes.
- After you commit the policy rulebase settings changes, modify an existing security rule according to the rulebase settings you decided to enforce.
- Verify that the firewall is enforcing the new policy rulebase settings.
  - Select Policies and Add a new rule.
  - Confirm that you must add a tag and enter an audit comment before you can click OK.
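To check candidate audit comment expressions before committing them, the following Python script (an added example, not part of the PAN-OS documentation or the product) runs the four patterns shown above against a set of constructed sample comments. It reports both a contained match and a whole-comment match for each pair, because the page does not state whether the firewall anchors the expression; it also assumes Python's re syntax agrees with the firewall's for these simple patterns, so the final word is still a commit followed by editing a rule with a comment you expect to be rejected.

```python
import re

# Audit comment patterns taken from the page's examples, keyed by a short label.
PATTERNS = {
    "digits": r"[0-9]{6}",
    "reason": r"Reason for Change-",
    "ticket": r"SB-[0-9]{6}",
    "multi_prefix": r"(SB|XY|PN)-[0-9]{6}",
}

# Constructed sample audit comments (not from the page) covering the
# accept cases and the edge cases a reviewer would want to probe.
SAMPLES = [
    "SB-012345",                            # canonical ticket reference
    "XY-654321",                            # alternate prefix
    "SB-12345",                             # only five digits
    "SB-0123456",                           # seven digits: contained and full match differ
    "Reason for Change- ticket SB-012345",  # prefix text plus a ticket reference
    "sb-012345",                            # lowercase prefix
    "",                                     # empty comment
]


def anchor(pattern: str) -> str:
    """Wrap a pattern so it can only match the entire comment."""
    return rf"^(?:{pattern})$"


def check(pattern: str, comment: str, anchored: bool = False) -> bool:
    """Return True if `comment` satisfies `pattern`.

    anchored=False: the pattern only has to appear somewhere in the comment
    (re.search), which is the reading behind the page's "contain a minimum of"
    wording. anchored=True: the pattern must cover the whole comment
    (re.fullmatch). Which of the two the firewall applies is not stated on the
    page, so the caller can ask for either.
    """
    rx = re.compile(pattern)
    found = rx.fullmatch(comment) if anchored else rx.search(comment)
    return found is not None


def evaluate(patterns=PATTERNS, samples=SAMPLES):
    """Return {label: {comment: (contained, full)}} for every pattern/comment pair."""
    return {
        label: {c: (check(p, c, False), check(p, c, True)) for c in samples}
        for label, p in patterns.items()
    }


def strict_ticket_pattern() -> str:
    """A tightened form of SB-[0-9]{6} that rejects trailing characters even
    when the matcher only looks for a contained match (hypothetical variant)."""
    return anchor(r"SB-[0-9]{6}")


if __name__ == "__main__":
    for label, results in evaluate().items():
        print(f"== {label}: {PATTERNS[label]}")
        for comment, (contained, full) in results.items():
            print(f"  {comment!r:42} contained={contained!s:5} full={full}")
```

Run the script, then on the firewall try the one comment whose two columns disagree (SB-0123456 for the SB-[0-9]{6} pattern). If the firewall accepts it, the expression is applied as a contained match and you need the anchored form from `strict_ticket_pattern` to enforce an exact ticket format; if it is rejected, the expression already covers the whole comment.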