If you know the source IP address, the protocol number and optionally the destination IP, the test command from the CLI will search the security policies and display the best match:
The output will show which policy rule (first hit) will be applied to this traffic match based on the source and destination IP addresses.
Additional options:

+ application       Application name
+ category          Category name
+ destination-port  Destination port
+ from              Source zone
+ protocol          IP protocol value
+ show-all          show all potential match rules until first allow rule
+ source-user       Source User
+ to                Destination zone
While 'destination' is a mandatory parameter, 0.0.0.0/0 can be used if the remote IP is unknown, or a subnet can be used if multiple hosts need to be included.
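
The lookups described above, written out as an added example (not taken from the original page) using the `test security-policy-match` operational command and the parameters the option list names. The addresses, the `trust`/`untrust` zone names, the `ssl` application, the `admin@PA-FW>` prompt and the `yes` value passed to `show-all` are constructed or assumed; lines starting with `#` are annotations, not CLI input.

```text
# Basic lookup: source, destination and IP protocol number (6 = TCP)
admin@PA-FW> test security-policy-match source 10.1.1.25 destination 203.0.113.10 protocol 6

# Narrow the match with source/destination zones, destination port and application
admin@PA-FW> test security-policy-match from trust to untrust source 10.1.1.25 destination 203.0.113.10 protocol 6 destination-port 443 application ssl

# Remote IP unknown: 0.0.0.0/0 as the destination (17 = UDP), listing every
# candidate rule up to the first allow rule instead of only the first hit
admin@PA-FW> test security-policy-match source 10.1.1.25 destination 0.0.0.0/0 protocol 17 destination-port 53 show-all yes
```

Comparing the first-hit result with the `show-all` listing is a quick way to spot a broad rule that shadows a more specific one placed below it.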