Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How to Test Which Security Policy Applies to a Traffic Flow - Knowledge Base - Palo Alto Networks

How to Test Which Security Policy Applies to a Traffic Flow

91657
Created On 09/25/18 19:36 PM - Last Modified 06/12/23 16:13 PM


Resolution


If you know the source IP address, the protocol number and optionally the destination IP, the test command from the CLI will search the security policies and display the best match:

 

Example:

 

> test security-policy-match source <source IP> destination <destination IP/netmask> protocol <protocol number>

 

The output will show which policy rule (first hit) will be applied to this traffic match based on the source and destination IP addresses.

Additional options:

+ application      Application name
+ category Category name
+ destination-port Destination port
+ from Source zone
+ protocol IP protocol value
+ show-all show all potential match rules until first allow rule
+ source-user Source User
+ to Destination zone

 

 

While 'destination' is a mandatory parameter, 0.0.0.0/0 can be used if the remote IP is unknown or a subnet if multiple hosts need to be included

 

 

owner: sjanita



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla1CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language