Tips & Tricks: Test Policy Match

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L7 Applicator

Read this blog to learn more about the Test Policy Match option in the PAN-OS Web Interface.Read this blog to learn more about the Test Policy Match option in the PAN-OS Web Interface.


The Palo Alto Networks Web Interface for NGFW PAN-OS has a lot of great features, but one that hasn't been talked about much is the Test Policy Match feature.


This feature can actually be found in two places: 


1. On the Policies Tab 



2. On the Device > Troubleshooting Page



This is a very powerful tool that can help you quickly troubleshoot and see if you have a rule that will catch certain traffic or not. Rules should never negate each other.  The bigger your NGFW Security Rulebase gets, the more handy this trick will be.


The tool is almost exactly the same when you access it from the Policies tab as opposed from the Device > Troubleshooting area—but there are some differences I'm going to talk about today. 


From the Policies tab, you have the option for "Test Policy Match" on the bottom of the following pages:

  • Security
  • NAT
  • QoS
  • Policy Based Forwarding
  • Decryption
  • Authentication
  • DoS Protection


The Device > Troubleshooting page will give you more options, as you can see from the drop down pictured above.

The extra selection tests you get from that page are:

  • Routing
  • Threat Vault
  • Ping
  • Trace Route
  • Log Collector Connectivity
  • External Dynamic List
  • Update Server Connectivity


These pages all work the same way: They allow you to test your current security policy/configuration to see if you already have a rule that overlaps with a new proposal. 


I can tell you from experience that few things are more frustrating than working to configure a new security policy, only to find out that I already had one that covered that! Or trying to troubleshoot an issue where the traffic in question was allowed or denied by a different rule. 


As an example, if you wanted to test and see where traffic would pass for UDP Port 53 from an internal to, the test would look like this:


Test Policy Match showing test resultTest Policy Match showing test result


You even have an extra option there to "show all potential match rules until first allow rule." This will show all potential rule matches until the first matched rule result. Disable (clear) to return only the first matched rule in the test results.


Select the rule name in the "Test Result" column to see the details of the rule matching the test.


Panorama only


If you are on Panorama Panorama , and run these options, you will have two extra options not shown here, which are for:


  • Select device: Select device/VSYS to specify which devices and virtual systems for which to test the policy functionality. Admin and device group and Template users are presented with the devices and virtual systems based on their access domain. Additionally, you can select the Panorama management server as a device.
  • Selected devices: This lists the devices and virtual systems selected for testing.

These options will show up above "From" in the Test Policy Match window.


By eliminating the extra step, it helps reduce a pain point in administering your Next-Generation firewall.


I hope this quick tip will help you with your day-to-day admin work! 


Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumb up) button, don't forget to subscribe to the LIVEcommunity Blog area.


As always, we welcome all comments and feedback in the comments section below.


Stay Secure,
Joe Delio
End of line

Register or Sign-in
Top Liked Authors