How to Decipher Index Numbers in Flow Basic Debugs

Before the PAN-OS 7.0 release


This article explains how to correlate the index numbers found in flow basic debug output with the rule numbers for NAT and security policy.


Run the following command to match index numbers to rule numbers:
> debug device-server dump idmgr type security-rule all


This command can be run for other types, including NAT policy:

> debug device-server dump idmgr type nat-rule all



After the PAN-OS 7.0 release


From PAN-OS 7.0 onwards, the debug device-server command no longer displays the correlation. Instead, count the active rules to find the matching rule. For example, if the flow basic debug has the following match line:


Policy lookup, "matched rule index 4" 


then the following command shows that rule_name5 is the security rule actually matching the traffic. The index is zero-based, so index 4 is the fifth rule in the listing:


> show running security-policy | match "\{"
rule_name1 { <-- 0
rule_name2 { <-- 1
rule_name3 { <-- 2
rule_name4 { <-- 3
rule_name5 { <-- 4
rule_name6 { <-- 5
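
The counting step above can be scripted when a debug capture contains many match lines. The following is an added example, not Palo Alto Networks code: it takes the saved text of the `show running security-policy | match "\{"` output and a flow basic capture, and resolves each index to a rule name. The sample text, the function names, and the handling of double-quoted rule names are assumptions made for illustration.

```python
import re

# Constructed sample: saved output of the listing command shown above
POLICY_LISTING = '''\
> show running security-policy | match "\\{"
rule_name1 {
rule_name2 {
rule_name3 {
rule_name4 {
rule_name5 {
rule_name6 {
'''

# Constructed sample lines in the style of the match line quoted above
FLOW_DEBUG = '''\
Policy lookup, "matched rule index 4"
Policy lookup, "matched rule index 2"
Policy lookup, "matched rule index 9"
'''

# A rule line is a name followed by "{"; quoted names are tolerated (assumption)
RULE_LINE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*\{')
MATCH_LINE = re.compile(r'matched rule index (\d+)')

def rule_names(listing):
    """Return rule names in listing order; list position is the zero-based index."""
    names = []
    for line in listing.splitlines():
        if line.lstrip().startswith('>'):   # skip the echoed CLI command line
            continue
        m = RULE_LINE.match(line)
        if m:
            names.append(m.group(1) or m.group(2))
    return names

def resolve(debug_text, listing):
    """Map each 'matched rule index N' to (N, rule name), or (N, None) if out of range."""
    names = rule_names(listing)
    return [(int(m.group(1)),
             names[int(m.group(1))] if int(m.group(1)) < len(names) else None)
            for m in MATCH_LINE.finditer(debug_text)]

if __name__ == "__main__":
    for idx, name in resolve(FLOW_DEBUG, POLICY_LISTING):
        print(f"index {idx} -> {name or 'not in listing; re-check the saved output'}")
```

An index that resolves to no name means the saved listing does not cover the rule that matched, so the listing should be captured again from the same running configuration as the debug.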



