How to perform Policy Match and Connectivity Tests from the Web Interface
Created On 11/21/19 02:23 AM - Last Modified 01/30/24 09:44 AM
Objective
- This document explains how to perform Policy Match and Connectivity Tests from the Web Interface.
- With the ability to run test commands on the web interface, you can avoid over-provisioning administrator roles with CLI access while still giving administrators a way to determine whether firewalls are configured correctly.
Environment
- Palo Alto Firewall
- PAN-OS 9.0 or above
Procedure
- Select GUI: Device > Troubleshooting
- You can perform Policy Match tests and Connectivity Tests on the firewall using this option. The available policy match tests are:
  - QoS Policy Match
  - Authentication Policy Match
  - Decryption/SSL Policy Match
  - NAT Policy Match
  - Policy Based Forwarding Policy Match
  - DoS Policy Match
- If you wish to test the security policy match for a specific source and destination IP, select “Security Policy Match” as the test in the “Test Configuration” column.
- Fill in the required fields in the test configuration, such as From and To zone, Source and Destination IP, port, etc.
- Click on “Execute”. The specified traffic will match
- You can select the policy name in the “Test Result” column, and the “Policy Detail” column will show more details about the policy.
- Please refer to the screenshot below, which shows a sample test.
- You can also perform connectivity tests using the web interface. The available connectivity tests are:
  - Routing
  - Test Wildfire
  - Threat Vault
  - Ping
  - Trace Route
  - Log Collector Connectivity
  - External Dynamic List
  - Update Server
  - Test Cloud Logging Service Status
  - Test Cloud GP Service Status
- If you wish to check for the presence of a route entry in the routing table of the firewall, select the test option “Routing”.
- Fill in the Destination IP and Virtual Router name, and click Execute.
- Click the output in the “Test Result” column, and you will see the route details under the “Result Detail” column.
- Please refer to the screenshot below, which shows a sample test.
Example 2: Update Server
- If you wish to check connectivity to the Palo Alto update server, select the option “Update Server Connectivity”.
- Click Execute to perform the connectivity test; the result is shown in the “Test Result” column.
- Please refer to the screenshot below, which shows a sample test.
Additional Information
Policy match tests can also be run from the CLI; please refer to the KB article below. Running the test from the CLI is not specific to PAN-OS version 9.0 and can also be done on earlier PAN-OS versions.
How To Test Security, NAT, and PBF Rules via the CLI