How to perform Policy Match and Connectivity Tests from the Web Interface

Created On 11/21/19 02:23 AM - Last Modified 01/30/24 09:44 AM


Objective


  • This document explains how to perform Policy Match and Connectivity Tests from the Web Interface.
  • With the ability to run test commands on the web interface, you can avoid over-provisioning administrator roles with CLI access while still giving administrators a way to verify that firewalls are configured correctly.


Environment


  • Palo Alto Firewall
  • PAN-OS 9.0 or above


Procedure


  1. Select GUI: Device > Troubleshooting
       User-added image
  2. You can run Policy Match tests and Connectivity Tests from this page on the firewall. The available policy match tests are:
  • QoS Policy Match
  • Authentication Policy Match
  • Decryption/SSL Policy Match
  • NAT Policy Match
  • Policy Based Forwarding Policy Match
  • DoS Policy Match
Example: Security Policy Match
  • To test the security policy match for a specific source and destination IP, select “Security Policy Match” as the test in the “Test Configuration” column.
  • Fill in the required fields in the test configuration, such as From and To zone, Source and Destination IP, port, etc.
  • Click on “Execute”. The specified traffic will match
  • Select the policy name in the “Test Result” column; the “Policy Detail” column will show more details about the policy.
  • Refer to the screenshot below, which shows a sample test.
        User-added image
 
  3. You can also perform connectivity tests from the web interface. The available connectivity tests are:
  • Routing
  • Test Wildfire
  • Threat Vault
  • Ping
  • Trace Route
  • Log Collector Connectivity
  • External Dynamic List
  • Update Server
  • Test Cloud Logging Service Status
  • Test Cloud GP Service Status
Example 1: Routing
  • To check whether a route entry is present in the firewall's routing table, select the test option “Routing”.
  • Fill in the Destination IP and Virtual router name, then click Execute.
  • Click the output in the “Test Result” column to see the route details under the “Result Detail” column.
  • Refer to the screenshot below, which shows a sample test.
       User-added image

Example 2: Update Server
  • To check connectivity to the Palo Alto update server, select the option “Update Server Connectivity”.
  • Click Execute to perform the connectivity test; the result is shown in the “Test Result” column.
  • Refer to the screenshot below, which shows a sample test.
       User-added image















     


    Additional Information


    Policy match tests can also be run from the CLI; refer to the KB article below. Running the tests from the CLI is not specific to PAN-OS version 9.0 and can be done on previous PAN-OS versions too.
    How To Test Security, NAT, and PBF Rules via the CLI

