The Palo Alto Networks Web Interface for NGFW PAN-OS has a lot of great features, but one that hasn't been talked about much is the Test Policy Match feature.
This feature can actually be found in two places:
This is a very powerful tool that can help you quickly troubleshoot and see whether you have a rule that will catch certain traffic or not. Rules should never negate each other: an earlier rule should not silently override a later one. The bigger your NGFW Security Rulebase gets, the more handy this tool will be.
The tool is almost exactly the same when you access it from the Policies tab as opposed to the Device > Troubleshooting area, but there are some differences I'm going to talk about today.
From the Policies tab, you have the option for "Test Policy Match" on the bottom of the following pages:
The Device > Troubleshooting page will give you more options, as you can see from the drop-down pictured above.
The extra selection tests you get from that page are:
These pages all work the same way: They allow you to test your current security policy/configuration to see if you already have a rule that overlaps with a new proposal.
I can tell you from experience that few things are more frustrating than working to configure a new security policy, only to find out that I already had one that covered that! Or trying to troubleshoot an issue where the traffic in question was allowed or denied by a different rule.
As an example, if you wanted to test and see which rule traffic would match for UDP port 53 from the internal host 192.168.1.100 to 1.1.1.1, the test would look like this:
There is also an extra option there, "show all potential match rules until first allow rule." Enable it to list every rule the traffic could match, up to the first allow rule; disable (clear) it to return only the first matched rule in the test results.
Select the rule name in the "Test Result" column to see the details of the rule matching the test.
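To make the first-match behaviour concrete, here is a small Python model of a security rulebase, written for this post and not part of PAN-OS or any Palo Alto Networks tool. It evaluates a flow the way the Test Policy Match feature does (first matching rule, or every candidate match up to the first allow rule when "show all" is set) and, in addition, scans the rulebase for rules that are fully covered by an earlier rule, which is the "I already had one that covered that" situation. Rule names, zones, and addresses are constructed sample data.

```python
"""Toy first-match security rulebase evaluator (added example, not PAN-OS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    source: str       # single IP address
    destination: str  # single IP address
    protocol: str     # "tcp" or "udp"
    dest_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str            # zone name or "any"
    to_zone: str              # zone name or "any"
    source: str               # CIDR or "any"
    destination: str          # CIDR or "any"
    protocol: str             # "tcp", "udp" or "any"
    dest_port: Optional[int]  # None means any port
    action: str               # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        """True if every field of the rule accepts the flow."""
        return (self.from_zone in ("any", flow.from_zone)
                and self.to_zone in ("any", flow.to_zone)
                and _cidr_match(self.source, flow.source)
                and _cidr_match(self.destination, flow.destination)
                and self.protocol in ("any", flow.protocol)
                and (self.dest_port is None or self.dest_port == flow.dest_port))


def _cidr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def policy_match(rules: List[Rule], flow: Flow, show_all: bool = False) -> List[Rule]:
    """Evaluate the rulebase top-down, first match wins.

    show_all=False: return only the first matching rule.
    show_all=True:  return every matching rule up to and including the first allow,
                    mirroring "show all potential match rules until first allow rule".
    """
    hits: List[Rule] = []
    for rule in rules:
        if rule.matches(flow):
            hits.append(rule)
            if not show_all or rule.action == "allow":
                break
    return hits


def _cidr_covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if any flow matched by `inner` would already be matched by `outer`."""
    return (outer.from_zone in ("any", inner.from_zone)
            and outer.to_zone in ("any", inner.to_zone)
            and _cidr_covers(outer.source, inner.source)
            and _cidr_covers(outer.destination, inner.destination)
            and outer.protocol in ("any", inner.protocol)
            and (outer.dest_port is None or outer.dest_port == inner.dest_port))


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed_rule, shadowing_rule) pairs: rules that can never be hit
    because an earlier rule covers everything they would match."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


# Constructed sample rulebase (hypothetical names and addresses).
RULEBASE = [
    Rule("Deny-Quarantine", "trust", "untrust", "192.168.1.0/27", "any", "any", None, "deny"),
    Rule("Allow-DNS", "trust", "untrust", "192.168.1.0/24", "any", "udp", 53, "allow"),
    Rule("Allow-DNS-Host", "trust", "untrust", "192.168.1.100/32", "1.1.1.1/32", "udp", 53, "allow"),
    Rule("Deny-All", "any", "any", "any", "any", "any", None, "deny"),
]

if __name__ == "__main__":
    dns = Flow("trust", "untrust", "192.168.1.100", "1.1.1.1", "udp", 53)
    quarantined = Flow("trust", "untrust", "192.168.1.10", "1.1.1.1", "udp", 53)
    print("first match:", [r.name for r in policy_match(RULEBASE, dns)])
    print("show all:   ", [r.name for r in policy_match(RULEBASE, quarantined, show_all=True)])
    print("shadowed:   ", find_shadowed(RULEBASE))
```

Running the script shows the DNS flow from 192.168.1.100 landing on Allow-DNS, the quarantined host producing Deny-Quarantine followed by Allow-DNS in "show all" mode, and Allow-DNS-Host reported as shadowed by Allow-DNS, which is the kind of redundant rule the Test Policy Match feature lets you discover before you commit it.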
If you are on Panorama and run these options, you will have two extra options not shown here, which are for:
These options will show up above "From" in the Test Policy Match window.
By eliminating that extra step, the tool removes a pain point in administering your Next-Generation Firewall.
I hope this quick tip will help you with your day-to-day admin work!
Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumb up) button, don't forget to subscribe to the LIVEcommunity Blog area.
As always, we welcome all comments and feedback in the comments section below.
Stay Secure,
Joe Delio
End of line