How To Troubleshoot Security Policy Rules

Created On 01/21/20 02:06 AM - Last Modified 04/27/20 18:57 PM


Objective


In this document we will learn how to troubleshoot security policy rules:
  • How to restore functionality quickly to prevent an outage while the issue is troubleshot further.
  • How to find which part of the security policy is causing the issue.
  • What to do next once the issue has been identified.


Environment


Security policies that contain the following:
  • Address Objects
  • FQDN
  • Security Profiles
  • URL Category
  • EDL
  • Source User


Procedure


  1. On the Windows or Mac PC, use ipconfig /all (Windows) or ifconfig (Mac) to find the private IP address of the local machine that will be used to test the security policy.
  2. Create a test security policy rule and place the IP address of the test machine in the source address field.
  3. Move the security policy rule all the way to the top of the rulebase so that it is evaluated before any other rule.
  4. Leave every other field set to any and, if possible, also remove the security profile.
  5. Before committing, be aware of the security exposure this creates: the rule allows any application to any destination, and the source IP address of the test machine is the only thing that keeps it from being completely open. Keep the rule in place only for as long as the test requires.
  6. Clear the existing sessions for the test machine so that its traffic is re-evaluated against the new rule: >clear session all filter source <IP address of test machine goes here>
  7. Initiate the test and see if you are able to reach the destination. If even this open rule fails, the problem is not in the fields of the security policy rule (see Additional Information).
  8. If you are able to reach the destination, clear the sessions again, add the destination IP address if it is known, commit, and test again.
  9. Next add the source zone, commit, clear the sessions, and repeat the test.
  10. Add the destination zone and repeat.
  11. Keep adding the remaining fields one at a time (application, source user, service ports, URL category, and so on), repeating the commit, session clear and test after each one, until the security policy stops working. The field whose addition causes the failure is the one to investigate. If security permits, add the security profile at the very end.
  12. Once you have determined which part is causing the issue, begin troubleshooting it with the advanced debug commands such as flow basic, appid basic, ctd basic, url_trie, proxy all, ssl all, etc.
  13. Be aware that the advanced debug commands can be very resource intensive. If they are used for too long or incorrectly they can lead to packet loss and a reboot of the device, which at that stage causes a complete outage unless an HA peer firewall is available to take over. If advanced debug commands are needed, please call TAC.
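The procedure above is a bisection: start with a rule constrained only by the test host's source IP, add one field at a time in a fixed order, and stop at the first field that breaks the match. The script below is an added example (not part of this article and not a Palo Alto Networks tool) that automates the bookkeeping: it builds the rule incrementally, renders the PAN-OS configure-mode and operational-mode commands for each round, and reports the breaking field. The rule name, zone names, addresses, user, URL category, profile group and the stand-in session used in place of a live test are all assumptions chosen for illustration.

```python
"""Bisect a failing security policy rule one field at a time, as in the
narrowing procedure above. Added example; names and values are assumptions."""

from typing import Callable, Dict, List, Optional, Tuple

RULE_NAME = "TSHOOT-TEST"      # assumed name of the temporary test rule
TEST_HOST = "10.1.1.50"        # assumed test machine IP (from ipconfig /all or ifconfig)
DEST_HOST = "203.0.113.10"     # assumed destination being tested

# Fields are added back in the order the procedure uses (steps 8-11).
# The values are those of the failing production rule (assumed here).
NARROWING_STEPS: List[Tuple[str, str]] = [
    ("destination", DEST_HOST),
    ("from", "trust"),                      # source zone
    ("to", "untrust"),                      # destination zone
    ("application", "web-browsing"),
    ("source-user", "example\\jdoe"),
    ("service", "service-https"),
    ("category", "computer-and-internet-info"),   # URL category
    ("profile-setting group", "default"),   # security profile group, added last
]


def base_rule() -> Dict[str, str]:
    """Steps 2-4: only the source address is constrained; everything else is any."""
    return {"source": TEST_HOST, "from": "any", "to": "any", "destination": "any",
            "application": "any", "service": "any", "action": "allow"}


def set_commands(rule: Dict[str, str]) -> List[str]:
    """Configure-mode commands for one round, ending with the move-to-top and commit."""
    cmds = [f"set rulebase security rules {RULE_NAME} {key} {value}"
            for key, value in rule.items()]
    cmds.append(f"move rulebase security rules {RULE_NAME} top")
    cmds.append("commit")
    return cmds


def verify_commands(dst_port: int = 443, protocol: int = 6) -> List[str]:
    """Operational-mode commands for steps 6-7: drop the host's sessions, then
    ask the firewall which rule a matching 6-tuple would hit."""
    return [
        f"clear session all filter source {TEST_HOST}",
        f"test security-policy-match source {TEST_HOST} destination {DEST_HOST} "
        f"protocol {protocol} destination-port {dst_port}",
    ]


def find_breaking_field(works: Callable[[Dict[str, str]], bool]) -> Optional[str]:
    """Add fields in order and return the first one whose addition makes the
    test fail. Returns "source" if even the open rule fails (look outside the
    rule: routing, PBF, decryption, upstream devices) and None if the fully
    specified rule still works."""
    rule = base_rule()
    if not works(rule):
        return "source"
    for field, value in NARROWING_STEPS:
        rule[field] = value
        if not works(rule):
            return field
    return None


# Constructed stand-in for the live test. In this scenario the traffic really
# ingresses from zone 'dmz', so the rule stops matching when 'from trust' is added.
SIMULATED_SESSION: Dict[str, str] = {
    "source": TEST_HOST, "destination": DEST_HOST, "from": "dmz", "to": "untrust",
    "application": "web-browsing", "source-user": "example\\jdoe",
    "service": "service-https", "category": "computer-and-internet-info",
}


def simulated_test(rule: Dict[str, str]) -> bool:
    """A field matches if it is 'any' or equals the session's value; fields the
    session does not carry (e.g. the profile group) never cause a mismatch."""
    return all(value == "any" or SIMULATED_SESSION.get(key, value) == value
               for key, value in rule.items() if key != "action")


if __name__ == "__main__":
    for line in set_commands(base_rule()) + verify_commands():
        print(line)
    print("first breaking field:", find_breaking_field(simulated_test))
```

In a real engagement the `works` callback would run the test from step 7 (or parse `test security-policy-match` output) after each commit and session clear; the simulated session only stands in for that so the script runs offline.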


Additional Information


Please be aware that the following can affect whether a security policy rule matches, even when the rule itself is correct:
  • Policy Based Forwarding
  • Decryption
  • The 6 tuple (source IP, source port, destination IP, destination port, protocol and source zone) used to look up the session
  • Routing
  • Upstream devices


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POIWCA4&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail