How To Test Security, NAT, and PBF Rules via the CLI
Symptom
This document explains how to validate whether a session matches the expected security, network address translation (NAT), or policy-based forwarding (PBF) rule by using the test commands available on the CLI.
Environment
- Palo Alto Firewall
- PAN-OS 7.1 and above.
- Testing Policy Rules.
Resolution
The following arguments are always required when testing security, NAT, and PBF policy:
- Source - source IP address
- Destination - destination IP address
- Destination port - specify the destination port number
- Protocol - specify the IP protocol number expected for the packet between 1 and 255 (TCP - 6, UDP - 17, ICMP - 1, ESP - 50)
If the value for any of the above arguments is unknown or does not matter (for example, when the rule that is expected to match has "any" in that field), a placeholder or dummy value may be entered. Optionally, 'application', 'category', and the 'from' and 'to' zones can be specified as well.
Note: When many security policies are configured with the same source and destination zones, specify the source and destination zones so that the test matches the expected security policy. If the zones are not specified, the test command may return a rule whose zones the source and destination IP addresses do not actually belong to.
Details
Testing Security Rules
test security-policy-match
+ application Application name
+ category Category name
+ destination destination IP address
+ destination-port Destination port
+ from from
+ protocol IP protocol value
+ show-all show all potential match rules
+ source source IP address
+ source-user Source User
+ to to
<Enter> Finish input
Example 1: (When the values for the required arguments are known)
test security-policy-match protocol 6 from L3-Trust to L3-Untrust source 192.168.52.1 destination 74.125.225.69 destination-port 80 application gmail-base
Trust_Untrust {
from L3-Trust;
source 192.168.52.1;
source-region any;
to L3-Untrust;
destination 74.125.225.69;
destination-region any;
user any;
category any;
application/service[ gmail-base/tcp/any/80 gmail-base/tcp/any/8080 web-browsing/tcp/any/80 web-browsing/tcp/any/8080 gmail-chat/tcp/any/80
gmail-chat/tcp/any/8080 gmail-enterprise/tcp/any/80 gmail-enterprise/tcp/any/8080 gmail-call-phone/tcp/any/80 gmail-call-hone/tcp/any/8080
gmail-video-chat/tcp/any/80 gmail-video-chat/tcp/any/8080 ];
action allow;
}
Example 2: (When the values for the required arguments are unknown like in the scenario where the rule has "any" as the fields value)
test security-policy-match protocol 1 from L3-Trust to L3-Untrust source 192.168.52.1 destination 4.4.4.4 destination-port 80
Trust.Untrust {
from L3-Trust;
source any;
source-region any;
to L3-Untrust;
destination any;
destination-region any;
user any;
category any;
application/service any/any/any/any;
action allow;
}
Example 3: (No rule match)
test security-policy-match protocol 6 from L3-Trust to L3-Untrust source 192.168.52.1 destination 69.171.242.11 destination-port 80 application facebook-base
No rule matched
Testing NAT Rules:
test nat-policy-match
+ destination destination IP address
+ destination-port Destination port
+ from from
+ ha-device-id HA Active-Active device ID
+ protocol IP protocol value
+ source source IP address
+ source-port Source port
+ to to
+ to-interface Egress interface to use
<Enter> Finish input
Example 1: (When the values for the required arguments are known)
test nat-policy-match protocol 6 from L3-Trust to L3-Untrust source 192.168.52.1 destination 171.161.148.173 destination-port 443
Source-NAT: Rule matched: Src_NAT
192.168.52.1:0 => 10.30.6.52:15473 (6),
Example 2: (When the values for the required arguments are unknown like in the scenario where the rule has "any" as the fields value)
test nat-policy-match protocol 17 from L3-Trust to L3-Untrust source 192.168.52.1 destination 69.171.242.11 destination-port 80
Source-NAT: Rule matched: Source_NAT
192.168.52.1:0 => 10.30.6.52:47927 (17),
Example 3: (No rule match)
test nat-policy-match protocol 6 from L3-Trust to L3-Untrust source 192.168.52.1 destination 212.58.241.131 destination-port 443
Server error :
Testing PBF Rules:
test pbf-policy-match
+ application Application name
+ destination destination IP address
+ destination-port Destination port
+ from From zone
+ from-interface From interface
+ ha-device-id HA Active-Active device ID
+ protocol IP protocol value
+ source source IP address
+ source-user Source User
<Enter> Finish input
Example 1: (When the values for the required arguments are known)
test pbf-policy-match protocol 6 from L3-Trust source 192.168.52.1 destination 74.125.225.69 destination-port 80 application web-browsing
PBF {
from L3-Trust;
source 192.168.52.1;
destination 74.125.225.69;
user any;
application/service web-browsing/any/any/any;
action Forward;
forwarding-egress-IF/VSYS ethernet1/3;
next-hop 0.0.0.0;
}
Example 2: (When the values for the required arguments are unknown like in the scenario where the rule has "any" as the fields value)
test pbf-policy-match protocol 6 from L3-Trust source 192.168.52.1 destination 171.161.148.173 destination-port 80
"PBF any" {
from L3-Trust;
source any;
destination any;
user any;
application/service any/any/any/any;
action Forward;
forwarding-egress-IF/VSYS ethernet1/3;
next-hop 0.0.0.0;
}
Example 3: (No rule match)
test pbf-policy-match protocol 17 from L3-Trust source 192.168.52.1 destination 69.171.242.11 destination-port 80
Server error : Error running policy lookup
Multi-vsys Environment
To test the above commands in a multi-vsys environment, first change the CLI context to the relevant vsys with the set system setting target-vsys <vsys> command. Then run the test:
admin@PA-5050 vsys2(passive)> test security-policy-match from vsys2_trust to vsys2_untrust destination-port 80 protocol 6 source 1.1.1.1 destination 2.2.2.2
Temp {
from any;
source any;
source-region none;
to any;
destination any;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
terminal yes;
}
To revert to the default setting, run the set system setting target-vsys none command.
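When these checks are repeated after every policy change, it helps to parse the command output rather than read it by eye. The following Python parser is an added example, not part of this article or of PAN-OS: it turns the three output shapes shown above (brace block for security and PBF rules, one-line summary for NAT, "No rule matched", and "Server error") into a structure and checks that the rule that matched is the one expected. The sample outputs and function names are constructed for the example.

```python
import re

# Constructed sample outputs in the shapes this article shows (not captured
# from a real firewall). Rule names containing spaces come back quoted.
SAMPLE_ALLOW = """Trust_Untrust {
from L3-Trust;
source 192.168.52.1;
to L3-Untrust;
destination 74.125.225.69;
application/service[ gmail-base/tcp/any/80 gmail-base/tcp/any/8080
web-browsing/tcp/any/80 web-browsing/tcp/any/8080 ];
action allow;
}"""
SAMPLE_NAT = "Source-NAT: Rule matched: Src_NAT\n192.168.52.1:0 => 10.30.6.52:15473 (6),"
SAMPLE_NONE = "No rule matched"

RULE_RE = re.compile(r'^\s*"?(?P<name>[^"{\n]+?)"?\s*\{', re.M)
NAT_RE = re.compile(r'^(?P<kind>\S+-NAT): Rule matched: (?P<name>\S+)', re.M)

def parse_policy_match(output):
    """Return {'rule': name or None, 'fields': {...}} for test *-policy-match output.
    'Server error' raises so a failed lookup is never mistaken for a clean no-match."""
    text = output.strip()
    if text.startswith("Server error"):
        raise RuntimeError(text)
    if text == "No rule matched":
        return {"rule": None, "fields": {}}
    nat = NAT_RE.search(text)          # NAT output is a one-line summary
    if nat:
        return {"rule": nat.group("name"), "fields": {"nat-type": nat.group("kind")}}
    m = RULE_RE.search(text)           # security / PBF output is a brace block
    if not m:
        raise ValueError("unrecognised policy-match output")
    fields = {}
    for stmt in text[m.end():text.rfind("}")].split(";"):
        stmt = " ".join(stmt.split())  # rejoin application/service lists wrapped over lines
        if not stmt:
            continue
        key, val = re.match(r"([\w/\-]+)\s*(.*)", stmt).groups()
        fields[key] = val.strip("[] ").split() if val.startswith("[") else val
    return {"rule": m.group("name"), "fields": fields}

def matches_expected(output, rule, action=None):
    """True when the matched rule (and action, if given) is the one the test targeted.
    Hitting a catch-all 'any' rule instead usually means the zones were omitted."""
    result = parse_policy_match(output)
    return result["rule"] == rule and (action is None or result["fields"].get("action") == action)
```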
Additional Information
- Starting with PAN-OS 9.0, these checks can also be performed from the web interface: How to perform Policy Match and Connectivity Tests from the Web Interface
- If the same "Source" and "Destination" are used in multiple policies, it is mandatory to include "Source Zone" and "Destination Zone" in the test command to get an accurate match.