How to Test Which Security Policy Applies to a Traffic Flow

Printer Friendly Page

If you know the source IP address, the protocol number and optionally the destination IP, the test command from the CLI will search the security policies and display the best match:




> test security-policy-match source <source IP> destination <destination IP/netmask> protocol <protocol number>


The output will show which policy rule (first hit) will be applied to this traffic match based on the source and destination IP addresses.

Additional options:

+ application      Application name
+ category Category name
+ destination-port Destination port
+ from Source zone
+ protocol IP protocol value
+ show-all show all potential match rules until first allow rule
+ source-user Source User
+ to Destination zone



While 'destination' is a mandatory parameter, can be used if the remote IP is unknown or a subnet if multiple hosts need to be included



owner: sjanita



is this a match against candidate or running config?



This would match the running config, not the candidate config.

When using the security-policy-match command does it expand groups?

If I run a test against a rule that has a user ID variable (i.e. specific user ID) this command will match the expected rule i.e. if the rule only permits 'Bob', and I add Bob as the source-user it matches correctly.

However, if I run it against a rule that has an AD group as the user variable it fails to match the expected rule i.e. if the rule permits 'Employees', of which Bob is a member, the rule does not match when I test using Bob.

It can get very frustrating when debugging as I'm never sure if a problem is in the rule base or the rule test!

This is happening to me as well, but I only tried the CLI test because this is actually the behavior in testing.

apackard - That's a pretty big problem for customers utilizing AD groups.  Seems like a bug/oversight.  Any comments from PAN on this?

Any changes to the test command and testing against a user that is part of an AD group? This is a MAJOR fustration and limits the testing feature practically useless since most rules are moving to a role-based model.

Hi @Gun-Slinger,


I have just tested this on a PAN-OS 7.1.3 version without success.  


Adding specific users in the security policy returns a positive result when testing the user.

Adding a group in the security policy returns no result when testing the user which is part of the group.


Wasn't able  to find a feature request for this either.  You might want to check with support.  If it's considered a bug then it will be fixed ... if not then a feature request is recommended.

Thanks @kiwi


I tested on 7.1.5 and no success.

I was able to talk with the developer for the user-id services and this is by design. I have asked our SE to submit a FR and/or vote if one is in place. I am in the Rome beta program and have not been able to test this as of yet. once I have our Rome environment intergrated with user-id and AD, I will test but based on feedback from the development team and the way the systems compiles user-id and group mappings, it will still not work.



I have made security policy on Paloalto as per port base requirment.



I have allowed http,  https, dns as a service. But i also want ping to be allowed in the same policy.


Please advice how can achive this.




hi @samirs

It is recommended to use applications in your policy and to set the service to application-default

if you only use services, this is not possible and you will need to create a second security policy solely for ping



Just tried this feature and I get a pretty weird result. Indeed, I asked for a policy match like this :


test security-policy-match source <source IP> destination <destination IP> destination-port <port> protocol <protocol number> from <source security zone>




I get result of a rule that matches following items :


source IP : OK

destination IP : ok

protocol : OK

source security zone : OK


But the destination port is not part of the applications/services configured in the rule




How about test agaisnt an URL, not an IP.  This test command only lets me use a Dest IP, how can I test if an URL is allowed by my PA security policies, I have so many URL filters and customed URL catagories.

hi @yuewei


please add "category" to your test, and use as destination ip


admin@myNGFW> test security-policy-match category 
  abortion                                abortion
  abused-drugs                            abused-drugs
  adult                                   adult
  alcohol-and-tobacco                     alcohol-and-tobacco
  any                                     any
  auctions                                auctions
  blocked                                 blocked
  business-and-economy                    business-and-economy
  command-and-control                     command-and-control

Is it possible to use an unidentified user on the test security policy as source-user?