Before PAN-OS 7.0 release
How to correlate the index numbers found in flow basic debug output with the rule numbers for NAT and security policy.
Run the following command to match index numbers to rule numbers:
>debug device-server dump idmgr type security-rule all
This command can be run for other types, including NAT policy:
>debug device-server dump idmgr type nat-rule all
After PAN-OS 7.0 release
From PAN-OS 7.0 onwards, the debug device-server command no longer displays the correlation. Instead, count the active rules to find the matching rule. For example, if the flow basic debug has the following match line:
Policy lookup, "matched rule index 4"
then the following command shows that rule_name5 is the security rule actually matching the traffic, because the count starts at 0:
> show running security-policy | match "\{"
rule_name1 { <-- 0
rule_name2 { <-- 1
rule_name3 { <-- 2
rule_name4 { <-- 3
rule_name5 { <-- 4
rule_name6 { <-- 5
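The counting step above can be scripted against saved CLI output when a debug capture contains many match lines. The following Python is an added example, not part of the original article or of any Palo Alto Networks tooling; the sample rule listing and debug lines are constructed, the function names are hypothetical, and it assumes rule names may optionally appear in double quotes.

```python
import re

# Constructed sample: saved output of  show running security-policy | match "\{"
RULES_OUTPUT = """\
rule_name1 {
rule_name2 {
rule_name3 {
rule_name4 {
rule_name5 {
rule_name6 {
"""

# Constructed sample: match lines taken from a flow basic debug capture.
DEBUG_LOG = """\
Policy lookup, matched rule index 4
Policy lookup, matched rule index 0
Policy lookup, matched rule index 9
"""

# Rule name is everything before the opening brace; quotes are optional (assumption).
RULE_LINE = re.compile(r'^\s*"?(.+?)"?\s*\{')
MATCH_LINE = re.compile(r'matched rule index (\d+)')

def parse_rule_names(cli_output):
    """Return rule names in listed order; list position is the rule index (from 0)."""
    names = []
    for line in cli_output.splitlines():
        if line.lstrip().startswith(">"):
            continue  # skip an echoed CLI prompt line if it was saved with the output
        m = RULE_LINE.match(line)
        if m:
            names.append(m.group(1))
    return names

def resolve_indexes(debug_text, rule_names):
    """Map each 'matched rule index N' to a rule name; None if the listing has no such position."""
    resolved = []
    for m in MATCH_LINE.finditer(debug_text):
        idx = int(m.group(1))
        name = rule_names[idx] if idx < len(rule_names) else None
        resolved.append((idx, name))
    return resolved

if __name__ == "__main__":
    rules = parse_rule_names(RULES_OUTPUT)
    for idx, name in resolve_indexes(DEBUG_LOG, rules):
        print(idx, name if name is not None else "<no rule at this position>")
```

An index that resolves to no rule means the listing and the debug capture do not line up, so re-capture both before drawing conclusions about which policy matched.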
owner: jseals