How To Test Security, NAT, and PBF Rules via the CLI

254527

Created On 09/25/18 18:40 PM - Last Modified 12/06/21 23:59 PM

Policy

PAN-OS

Symptom

This document explains how to validate whether a session is matching an expected policy using the test security, address translation (NAT), and policy-based forwarding (PBF) rules via CLI.

Environment

Palo Alto Firewall
PAN-OS 7.1 and above.
Testing Policy Rules.

Resolution

The following arguments are always required to run the test security policy, NAT policy and PBF policy:

Source - source IP address
Destination - destination IP address
Destination port - specify the destination port number
Protocol - specify the IP protocol number expected for the packet between 1 and 255 (TCP - 6, UDP - 17, ICMP - 1, ESP - 50)

If the value for any of the above arguments is unknown or does not matter like in the scenario where the rule that is expected to match has "any" as the fields value, then a fake or a dummy value may be entered. Also, 'application', 'category', 'from' and 'to' zones can be specified.

Note: In order to match the expected security policy when there are many security policies configured with the same source and destination zones, it is recommended to specify the source and destination zones. If the zones are not specified, then the test command will return results for rules based on zones that the source and destination IP addresses do not belong in.

Details

Testing Security Rules

test security-policy-match

+ application        Application name
+ category          Category name
+ destination        destination IP address
+ destination-port  Destination port
+ from              from
+ protocol          IP protocol value
+ show-all          show all potential match rules
+ source            source IP address
+ source-user        Source User
+ to                to

  <Enter>            Finish input

Example 1: (When the values for the required arguments are known)

test security-policy-match protocol 6 from L3-Trust to L3-Untrust source 192.168.52.1 destination 74.125.225.69 destination-port 80 application gmail-base

Trust_Untrust {
        from L3-Trust;
        source 192.168.52.1;
        source-region any;
        to L3-Untrust;
        destination 74.125.225.69;
        destination-region any;
        user any;
        category any;
        application/service[ gmail-base/tcp/any/80 gmail-base/tcp/any/8080 web-browsing/tcp/any/80 web-browsing/tcp/any/8080 gmail-chat/tcp/any/80
        gmail-chat/tcp/any/8080 gmail-enterprise/tcp/any/80 gmail-enterprise/tcp/any/8080 gmail-call-phone/tcp/any/80 gmail-call-hone/tcp/any/8080 
        gmail-video-chat/tcp/any/80 gmail-video-chat/tcp/any/8080 ];
        action allow;

}

Example 2: (When the values for the required arguments are unknown like in the scenario where the rule has "any" as the fields value)

test security-policy-match protocol 1 from L3-Trust to L3-Untrust source 192.168.52.1 destination 4.4.4.4 destination-port 80

Trust.Untrust {
        from L3-Trust;
        source any;
        source-region any;
        to L3-Untrust;
        destination any;
        destination-region any;
        user any;
        category any;
        application/service any/any/any/any;
        action allow;

}

Example 3: (No rule match)

test security-policy-match protocol 6 from L3-Trust to L3-Untrust source 192.168.52.1 destination 69.171.242.11 destination-port 80 application facebook-base
No rule matched

Testing NAT Rules:

test nat-policy-match

+ destination        destination IP address
+ destination-port  Destination port
+ from              from
+ ha-device-id      HA Active-Active device ID
+ protocol          IP protocol value
+ source            source IP address
+ source-port        Source port
+ to                to
+ to-interface      Egress interface to use
  <Enter>            Finish input

Example 1: ((When the values for the required arguments are known)

test nat-policy-match protocol 6 from L3-Trust to L3-Untrust source 192.168.52.1 destination 171.161.148.173 destination-port 443

Source-NAT: Rule matched: Src_NAT
192.168.52.1:0 => 10.30.6.52:15473 (6),

Example 2: (When the values for the required arguments are unknown like in the scenario where the rule has "any" as the fields value)

test nat-policy-match protocol 17 from L3-Trust to L3-Untrust source 192.168.52.1 destination 69.171.242.11 destination-port 80

Source-NAT: Rule matched: Source_NAT
192.168.52.1:0 => 10.30.6.52:47927 (17),

Example 3: (No rule match)

test nat-policy-match protocol 6 from L3-Trust to L3-Untrust source 192.168.52.1 destination 212.58.241.131 destination-port 443
Server error :

Testing PBF Rules:

test pbf-policy-match

+ application        Application name
+ destination        destination IP address
+ destination-port  Destination port
+ from              From zone
+ from-interface    From interface
+ ha-device-id      HA Active-Active device ID
+ protocol          IP protocol value
+ source            source IP address
+ source-user        Source User
  <Enter>            Finish input

Example 1: (When the values for the required arguments are known)

test pbf-policy-match protocol 6 from L3-Trust source 192.168.52.1 destination 74.125.225.69 destination-port 80 application web-browsing

PBF {
        from L3-Trust;
        source 192.168.52.1;
        destination 74.125.225.69;
        user any;
        application/service web-browsing/any/any/any;
        action Forward;
        forwarding-egress-IF/VSYS ethernet1/3;
        next-hop 0.0.0.0;
}

Example 2: (When the values for the required arguments are unknown like in the scenario where the rule has "any" as the fields value)

test pbf-policy-match protocol 6 from L3-Trust source 192.168.52.1 destination 171.161.148.173 destination-port 80

"PBF any" {
        from L3-Trust;
        source any;
        destination any;
        user any;
        application/service any/any/any/any;
        action Forward;
        forwarding-egress-IF/VSYS ethernet1/3;
        next-hop 0.0.0.0;
}

Example 3: (No rule match)

test pbf-policy-match protocol 17 from L3-Trust source 192.168.52.1 destination 69.171.242.11 destination-port 80
Server error : Error running policy lookup

Multi-vsys Environment

To test the above commands in a multi-vsys environment, first change the context to that particular vsys using the set system setting target-vsys <vsys> command on the CLI. Then, run the test:

admin@PA-5050 vsys2(passive)> test security-policy-match from vsys2_trust to vsys2_untrust destination-port 80 protocol 6 source 1.1.1.1 destination 2.2.2.2

Temp {
        from any;
        source any;
        source-region none;
        to any;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service  any/any/any/any;
        action allow;
        terminal yes;
}

To revert to the default setting, run the set system setting target-vsys none command.

Additional Information

Starting PAN-OS 9.0 these checks can be performed via WebGUI: How to perform Policy Match and Connectivity Tests from the Web Interface
If the "Source" and "Destination" are used in multiple policies, then it is mandatory to include "Source Zone" and "Destination Zone" in the test command to get an accurate match.

How To Test Security, NAT, and PBF Rules via the CLI

Symptom

Environment

Resolution

Details

Additional Information

Other users also viewed: