Track Rules Within a Rulebase

Table of Contents

Enforce Security Rule Description, Tag, and Audit Comment

Track Rules Within a Rulebase

Keep track of rules within a rulebase.

Where Can I Use This?	What Do I Need?
NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama) Prisma Access (Managed by Panorama or Strata Cloud Manager)	Check for any license or role requirements for the products you're using.

Regularly tracking and auditing the rulebase is a best practice for network security. It involves reviewing and updating rules based on changing organizational needs, compliance requirements, or emerging threat landscapes. Rules that are too broad introduce security gaps because they allow applications that aren’t in use in your network. Security Rule Optimization for NGFW and Policy Optimizer for Strata Cloud Manager enable you to convert these overly permissive rules to more specific, focused rules that only allow the applications you’re actually using.

Your rulebase shows all configured rules in order of enforcement. This includes essential information such as rule names, rule types, applied security profiles, action settings, source and destination zones, and more. You can review and analyze this information to ensure that the rules align with the organization's security objectives and operational requirements.

Intuitive search and filtering capabilities are also available, enabling you to easily locate specific rules within the rulebase, manage security rules and troubleshoot efficiently.

Each rule within a rulebase is automatically numbered; when you move or reorder rules, the numbers change based on the new order. When you filter the list of rules to find rules that match specific criteria, each rule, its number in the context of the complete set of rules in the rulebase, and its place in the evaluation order is shown.

Rule numbering reflects the hierarchy and evaluation order of shared rules, device group pre-rules, device group post-rules, and default rules. You can view an ordered list of the total number of rules in your configuration.

Track Rules Within a Rulebase (Strata Cloud Manager)

Keep track of rules within a rulebase; manage pre-rules and post-rules and view the complete list of rules with numbers.

To view your Security policy rulebase, go to ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity Policy. Read on to learn more about how your rulebase is organized.

Pre-Rules and Post-Rules

For security rules that are in the shared configuration folder (they apply globally across your entire configuration), you can decide if the rule should be enforced ahead of or after rules in the other configuration folders. These are called pre-rules and post-rules.

With Strata Cloud Manager, you can apply configuration settings and enforce policy globally across your entire environment, or target settings and policy to certain parts of your organization. When working in your Strata Cloud Manager configuration management, the current Configuration Scope is always visible to you, and you can toggle your view to manage a broader or more granular configuration.

Pre-rules are global rules that take precedence over deployment-specific rules and are applied to traffic first.
Post-rules are global rules that are applied to traffic only after shared pre-rules and deployment-specific rules are applied.

When you’re setting up a shared security rule, specify for it to be a pre-rule or a post-rule.

When you’re looking at your Security policy rulebase, you can easily identify pre- and post-rules and distinguish them from deployment-specific rules.

When you’re working in a configuration folder that’s not shared, you can still easily identify the rules that are shared across your entire configuration — shared rules are highlighted so you can distinguish them from the rules that are specific to another configuration folder.

Rule Numbers

After you push your configuration to your devices, view the complete list of rules with numbers.

Select ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity Policy.

Track Rules Within a Rulebase (PAN-OS & Panorama)

Keep track of rules within a rulebase

To view your Security policy rulebase, go to PoliciesSecurity. Read on to learn more about how your rulebase is organized.

Rule Numbers

View the numbered list of rules on the firewall.

Select Policies and any rulebase under it. For example, PoliciesSecurity. The left-most column in the table displays the rule number.
View the numbered list of rules on Panorama.

Select Policies and any rulebase under it. For example, PoliciesSecurityPre-rules.
After you push the rules from Panorama, view the complete list of rules with numbers on the firewall.

From the web interface on the firewall, select Policies and pick any rulebase under it. For example, select PoliciesSecurity and view the complete set of numbered rules that the firewall will evaluate.

Rule UUIDs

(Panorama / PAN-OS only) The universally unique identifier (UUID) for a rule never changes even if you modify the rule, such as when you change the rule name. The UUID allows you to track the rule across rulebases even after you deleted the rule.

The UUID for a rule is a 32-character string (based on data such as the network address and the timestamp of creation) that the firewall or Panorama assigns to the rule. The UUID uses the format 8-4-4-4-12 (where 8, 4, and 12 represent the number of unique characters separated by hyphens). UUIDs identify rules for all policy rulebases. You can also use UUIDs to identify applicable rules in the following log types: Traffic, Threat, URL Filtering, WildFire Submission, Data Filtering, GTP, SCTP, Tunnel Inspection, Configuration, and Unified.

Using the UUID to search for a rule enables you to locate a specific rule you want to find among thousands of rules that may have similar or identical names. UUIDs also simplify automation and integration for rules in third-party systems (such as ticketing or orchestration) that do not support names.

In some cases, you may need to generate new UUIDs for existing rulebases. For example, if you want to export a configuration to another firewall, you need to regenerate the UUIDs for the rules as you import the configuration to ensure there are no duplicate UUIDs. If you regenerate UUIDs, you are no longer able to track those rules using their previous UUIDs and the hit data and app usage data for those rules are reset.

The firewall or Panorama assigns UUIDs when you:

Create new rules
Clone existing rules
Override the default security rules
Load a named configuration and regenerate UUIDs
Load a named configuration containing new rules that are not in the running configuration
Upgrade the firewall or Panorama to a PAN-OS 9.0 release

When you load a configuration that contains rules with UUIDs, the firewall considers rules to be the same if the rule name, rulebase, and virtual system all match. Panorama considers rules to be the same if the rule name, rulebase, and the device group all match.

Keep in mind the following important points for UUIDs:

If you manage firewall policy from Panorama, UUIDs are generated on Panorama and therefore must be pushed from Panorama. If you do not push the configuration from Panorama prior to upgrading the firewalls to PAN-OS 9.0, the firewall upgrade will not succeed because it will not have the UUIDs.
In addition, if you are upgrading an HA pair, upon upgrade to PAN-OS 9.0, each peer independently assigns UUIDs for each security rule. Because of this, the peers will show as out of sync until you sync the configuration (DashboardWidgetsSystemHigh AvailabilitySync to peer).
If you remove an existing high availability (HA) configuration after upgrading to PAN-OS 9.0, you must regenerate the UUIDs on one of the peers (DeviceSetupOperationsLoad named configuration snapshotRegenerate UUIDs for the selected named configuration) and commit the changes to prevent UUID duplication.
All rules pushed from Panorama will share the same UUID; all rules local to a firewall will have different UUIDs. If you create a rule locally on the firewall after you push the rules from Panorama to the firewalls, the rule you created locally has its own UUID.
To replace an RMA Panorama, make sure you Retain Rule UUIDs when you load the named Panorama configuration snapshot. If you do not select this option, Panorama removes all previous rule UUIDs from the configuration snapshot and assigns new UUIDs to the rules on Panorama, which means it does not retain information associated with the previous UUIDs, such as the security rule hit count.

Display the Rule UUID column for logs and the UUID column for policy rules.
To view the UUIDs, you must display the column, which does not display by default.
- To display the UUID in logs:
  1. Select Monitor and then expand the column header (
    
    ).
  2. Select Columns.
  3. Enable Rule UUID.
- To display UUIDs on the policy rulebase:
  1. Select Policies and then expand the column header (
    
    ).
  2. Select Columns.
  3. Enable Rule UUID.
    UUIDs are available for all policy rulebases.
Copy the UUID for a log or security rule.

Copying the UUID allows you to paste the UUID in to searches, the ACC, custom reports, filters, and anywhere else you want to locate a rule identified by that UUID.
1. Select the ellipses that display when you move your cursor over the entry in the Rule UUID column.
2. Copy the UUID from the pop-up.
  
  You can also go to the Policies tab, click the arrow to the right of the rule name, and Copy UUID.
Check the Configuration Logs to view UUIDs for deleted rules.

To view the UUID for a deleted rule, select MonitorLogsConfiguration.