- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
09-22-2020 12:04 PM
I was trying to work out which security policy applied to traffic through my Palo Alto from 10.77.22.10 (in the trust zone) to 10.99.0.1
Firstly, I wanted to confirm what zone 10.99.0.1 was in using this page : https://alwaysnetworks.co.uk/identifying-which-zone-a-subnet-is-in-on-a-palo-alto-firewall-script/
administrator@CAMPA01(active)> test routing fib-lookup virtual-router default ip 10.99.0.1
--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: default
destination: 10.99.0.1
result:
interface tunnel.27, metric 10
I then used this command to find out which zone tunnel.27 is in :
administrator@CAMPA01(active)> show interface tunnel.27 | match Zone
Zone: DataCenters, virtual system: vsys1
So 10.99.0.1 is in DataCenters zone
However, when trying to find out if users were permitted to 10.99.0.0/16, I referred to this page :
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla1CAC
with title “how to test which security policy applies to a traffic flow”.
So I ran test security-policy-match command as below (where TCP = ip protocol 5).
administrator@CAMPA01(active)> test security-policy-match source 10.77.22.10 destination 10.99.0.1/16 protocol 5
"Allow Trust Out; index: 2" {
from trust;
source any;
source-region none;
to untrust;
destination any;
destination-region none;
user any;
category any;
application/service 0:any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}
I was a bit confused, because the command suggested this traffic would be passed via “Allow Trust Out” policy which permits traffic from “trust” zone to “untrust” zone.
But destination IP is actually in DataCenters zone instead?
Why does it give me this output? I've confirmed that IPsec tunnel that uses interface tunnel.27 is up...
09-22-2020 01:44 PM - edited 09-24-2020 08:44 AM
The test command that you are running does not specify what source or destination zone you are attempting to match to. The test command does not evaluate the routing to determine what zones are are attempting to references based on the source/destination IP. Instead the test command just matches on the first rule that would match the the source address, destination addresses, and protocol.
You could instead use the following command to designate which destination zone you are working with:
test security-policy-match to DataCenters source 10.77.22.10 destination 10.99.0.1/16 protocol 5
Another option would be to ask the firewall to return all rules. The test command by default only shows the first rule in the policy, but you can modify the behavior by using the show-all option.
test security-policy-match to DataCenters source 10.77.22.10 destination 10.99.0.1/16 protocol 5 show-all yes
09-22-2020 01:34 PM
Because its protocol 6 instead of 5.
https://de.wikipedia.org/wiki/Protokoll_(IP)
09-22-2020 01:44 PM - edited 09-24-2020 08:44 AM
The test command that you are running does not specify what source or destination zone you are attempting to match to. The test command does not evaluate the routing to determine what zones are are attempting to references based on the source/destination IP. Instead the test command just matches on the first rule that would match the the source address, destination addresses, and protocol.
You could instead use the following command to designate which destination zone you are working with:
test security-policy-match to DataCenters source 10.77.22.10 destination 10.99.0.1/16 protocol 5
Another option would be to ask the firewall to return all rules. The test command by default only shows the first rule in the policy, but you can modify the behavior by using the show-all option.
test security-policy-match to DataCenters source 10.77.22.10 destination 10.99.0.1/16 protocol 5 show-all yes
09-30-2020 07:30 AM
Rene- you're correct. I did get the wrong protocol number, (you are correct), but I think it was missing zone information that was giving me the incorrect policy.
09-30-2020 07:33 AM
That seems the answer Travis.
I did work this out myself afterwards, by looking at the available command completion options on CLI and noticing the zone information associated with from and to parameters.
I still think a bit odd that Palo Alto Knowledgebase example doesn't use them though.
Thanks.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!