Palo Alto Networks Knowledgebase: How to Decipher Index Numbers in Flow Basic Debugs

How to Decipher Index Numbers in Flow Basic Debugs

Created On 02/07/19 23:41 PM - Last Updated 02/07/19 23:41 PM
Resolution

 

Before the PAN-OS 7.0 release

 

This section shows how to correlate the index numbers found in flow basic debug output with the rule numbers for NAT and security policy.

 

Run the following command to match index numbers to rule numbers:
>debug device-server dump idmgr type security-rule all

 

This command can be run for other types, including NAT policy:

>debug device-server dump idmgr type nat-rule all

 

 

After the PAN-OS 7.0 release

 

From PAN-OS 7.0 onward, the debug device-server command no longer displays the correlation. Instead, count the active rules to find the matching rule. For example, if the flow basic debug contains the following match line:

 

Policy lookup, "matched rule index 4" 

 

then the following command shows that rule_name5 is the security rule actually matching the traffic. The index is zero-based, so index 4 is the fifth rule listed:

 

> show running security-policy | match "\{"
rule_name1 { <-- 0
rule_name2 { <-- 1
rule_name3 { <-- 2
rule_name4 { <-- 3
rule_name5 { <-- 4
rule_name6 { <-- 5
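
The counting step above can be scripted against saved CLI output. The following is an added example, not part of the original article or Palo Alto Networks tooling; the function names and sample data are constructed, and it assumes the rule listing was captured from the same running configuration as the debug output.

```python
import re

# Constructed sample: saved output of `show running security-policy | match "\{"`
RULE_LISTING = """\
rule_name1 {
rule_name2 {
rule_name3 {
rule_name4 {
rule_name5 {
rule_name6 {
"""

# Constructed sample debug lines; index 9 is deliberately out of range.
DEBUG_LINES = """\
Policy lookup, matched rule index 4
Policy lookup, matched rule index 9
"""

# A rule line is a name (optionally quoted) followed by an opening brace.
RULE_LINE = re.compile(r'^\s*"?(?P<name>[^"{]+?)"?\s*\{')
MATCH_LINE = re.compile(r'matched rule index (\d+)')

def build_index_map(listing):
    """Return rule names in listing order; list position is the zero-based index."""
    names = []
    for line in listing.splitlines():
        m = RULE_LINE.match(line)
        if m:
            names.append(m.group("name").strip())
    return names

def resolve(debug_text, names):
    """Return (index, rule name) pairs; name is None if the index is out of range."""
    results = []
    for m in MATCH_LINE.finditer(debug_text):
        idx = int(m.group(1))
        results.append((idx, names[idx] if idx < len(names) else None))
    return results

if __name__ == "__main__":
    rules = build_index_map(RULE_LISTING)
    for idx, name in resolve(DEBUG_LINES, rules):
        print(f"index {idx} -> {name or 'no such rule in this listing'}")
```

An index that resolves to no rule usually means the listing and the debug capture came from different policy versions, so re-capture both before drawing conclusions.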

 

 

owner: jseals

 


