How to Test Which Security Policy Applies to a Traffic Flow

How to Test Which Security Policy Applies to a Traffic Flow

86520
Created On 09/25/18 19:36 PM - Last Modified 06/12/23 16:13 PM


Resolution


If you know the source IP address, the protocol number and optionally the destination IP, the test command from the CLI will search the security policies and display the best match:

 

Example:

 

> test security-policy-match source <source IP> destination <destination IP/netmask> protocol <protocol number>

 

The output will show which policy rule (first hit) will be applied to this traffic match based on the source and destination IP addresses.

Additional options:

+ application      Application name
+ category         Category name
+ destination-port Destination port
+ from             Source zone 
+ protocol         IP protocol value
+ show-all         show all potential match rules until first allow rule
+ source-user      Source User
+ to               Destination zone

 

 

While 'destination' is a mandatory parameter, 0.0.0.0/0 can be used if the remote IP is unknown or a subnet if multiple hosts need to be included

 

 

owner: sjanita
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla1CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language