Palo Alto Networks Knowledgebase: How to Test Which Security Policy Applies to a Traffic Flow

Created On 09/25/18 19:36 PM - Last Updated 09/25/18 23:09 PM
Policy
Resolution

If you know the source IP address, the protocol number and optionally the destination IP, the test security-policy-match command on the firewall CLI will search the security policies and display the best match.

Example:

> test security-policy-match source <source IP> destination <destination IP/netmask> protocol <protocol number>

The output shows which policy rule (first hit) will be applied to this traffic, based on the source and destination IP addresses and the protocol.

Additional options:

+ application       Application name
+ category          Category name
+ destination-port  Destination port
+ from              Source zone
+ protocol          IP protocol value
+ show-all          Show all potential match rules until the first allow rule
+ source-user       Source user
+ to                Destination zone

While 'destination' is a mandatory parameter, 0.0.0.0/0 can be used if the remote IP is unknown, or a subnet if multiple hosts need to be included.

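To make the first-hit logic behind this command concrete, the following is an added Python model of a small, constructed rulebase evaluated the way the article describes: the first matching rule wins, and with show-all every matching rule is listed until the first allow rule. This is example code written for this page, not Palo Alto Networks code and not the PAN-OS rule schema; the Rule dataclass, the security_policy_match function, the "<protocol>/<port>" service notation, treating an omitted criterion as not evaluated, and matching a destination given as a subnet by overlap rather than containment are all assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Hypothetical, simplified rule model constructed for this example (not the
# PAN-OS schema). "any" in a field means the rule does not constrain it.
@dataclass
class Rule:
    name: str
    action: str                                                   # "allow" or "deny"
    from_zones: Set[str] = field(default_factory=lambda: {"any"})
    to_zones: Set[str] = field(default_factory=lambda: {"any"})
    sources: Set[str] = field(default_factory=lambda: {"any"})   # IPs or CIDRs
    destinations: Set[str] = field(default_factory=lambda: {"any"})
    services: Set[str] = field(default_factory=lambda: {"any"})  # "<proto>/<port>", e.g. "6/443"
    applications: Set[str] = field(default_factory=lambda: {"any"})
    users: Set[str] = field(default_factory=lambda: {"any"})


def _net_match(query: str, rule_nets: Set[str]) -> bool:
    """A host or CIDR in the query matches if it overlaps any network in the rule.
    Overlap (assumption of this model) lets 0.0.0.0/0 stand in for an unknown
    remote IP, as the article suggests."""
    if "any" in rule_nets:
        return True
    q = ipaddress.ip_network(query, strict=False)
    return any(q.overlaps(ipaddress.ip_network(n, strict=False)) for n in rule_nets)


def _set_match(value: Optional[str], allowed: Set[str]) -> bool:
    """An omitted criterion (None) is not evaluated, like an omitted CLI option."""
    return value is None or "any" in allowed or value in allowed


def _service_match(protocol: int, port: Optional[int], services: Set[str]) -> bool:
    """Protocol number must match; the port is checked only if one was given."""
    if "any" in services:
        return True
    for svc in services:
        proto, _, svc_port = svc.partition("/")
        if proto != str(protocol):
            continue
        if svc_port in ("", "any") or port is None or str(port) == svc_port:
            return True
    return False


def security_policy_match(rules: List[Rule], source: str, destination: str, protocol: int, *,
                          from_zone: Optional[str] = None, to_zone: Optional[str] = None,
                          destination_port: Optional[int] = None, application: Optional[str] = None,
                          source_user: Optional[str] = None, show_all: bool = False) -> List[str]:
    """Walk the rulebase top-down and return the names of the rules that match.
    Without show_all only the first hit is returned; with show_all every matching
    rule is returned up to and including the first allow rule."""
    hits: List[str] = []
    for r in rules:
        if not (_set_match(from_zone, r.from_zones) and _set_match(to_zone, r.to_zones)
                and _net_match(source, r.sources) and _net_match(destination, r.destinations)
                and _service_match(protocol, destination_port, r.services)
                and _set_match(application, r.applications)
                and _set_match(source_user, r.users)):
            continue
        hits.append(r.name)
        if not show_all or r.action == "allow":
            break
    return hits


# Constructed sample rulebase: an early deny for one host, two narrow allows, a catch-all deny.
RULEBASE = [
    Rule("block-bad-hosts", "deny", sources={"10.0.0.66/32"}),
    Rule("trust-to-dmz-web", "allow", from_zones={"trust"}, to_zones={"dmz"},
         sources={"10.0.0.0/24"}, destinations={"192.168.10.10/32"}, services={"6/443"}),
    Rule("dns-out", "allow", from_zones={"trust"}, to_zones={"untrust"},
         sources={"10.0.0.0/24"}, services={"17/53"}),
    Rule("deny-all", "deny"),
]

if __name__ == "__main__":
    # Same flow from an allowed host and from the blocked host; show_all exposes
    # the allow rule that is shadowed by the earlier deny.
    print(security_policy_match(RULEBASE, "10.0.0.5", "192.168.10.10", 6,
                                from_zone="trust", to_zone="dmz", destination_port=443))
    print(security_policy_match(RULEBASE, "10.0.0.66", "192.168.10.10", 6,
                                from_zone="trust", to_zone="dmz", destination_port=443, show_all=True))
    # Unknown remote IP: 0.0.0.0/0 as destination, as the article recommends.
    print(security_policy_match(RULEBASE, "10.0.0.5", "0.0.0.0/0", 17, destination_port=53))
```

The show_all run is the useful one when troubleshooting: it shows not just the rule that fires but the later allow rule the traffic would otherwise have reached, which is how shadowed rules are spotted.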
owner: sjanita