test security-policy-match command giving me odd output?

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

Reply
TomMeadows
L2 Linker

test security-policy-match command giving me odd output?

I was trying to work out which security policy applied to traffic through my Palo Alto from 10.77.22.10 (in the trust zone) to 10.99.0.1

Firstly, I wanted to confirm what zone 10.99.0.1 was in using this page : https://alwaysnetworks.co.uk/identifying-which-zone-a-subnet-is-in-on-a-palo-alto-firewall-script/

 

 


administrator@CAMPA01(active)> test routing fib-lookup virtual-router default ip 10.99.0.1

--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: default
destination: 10.99.0.1
result:
interface tunnel.27, metric 10

 

 

I then used this command to find out which zone tunnel.27 is in :

 

 

administrator@CAMPA01(active)> show interface tunnel.27 | match Zone
Zone: DataCenters, virtual system: vsys1

 

 


So 10.99.0.1 is in DataCenters zone

However, when trying to find out if users were permitted to 10.99.0.0/16, I referred to this page :

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla1CAC
with title “how to test which security policy applies to a traffic flow”.

So I ran test security-policy-match command as below (where TCP = ip protocol 5).

 

 


administrator@CAMPA01(active)> test security-policy-match source 10.77.22.10 destination 10.99.0.1/16 protocol 5

"Allow Trust Out; index: 2" {
from trust;
source any;
source-region none;
to untrust;
destination any;
destination-region none;
user any;
category any;
application/service 0:any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

 

 

I was a bit confused, because the command suggested this traffic would be passed via “Allow Trust Out” policy which permits traffic from “trust” zone to “untrust” zone.

But destination IP is actually in DataCenters zone instead?

Why does it give me this output? I've confirmed that IPsec tunnel that uses interface tunnel.27 is up...


Accepted Solutions
TravisC
L2 Linker

@TomMeadows,

 

The test command that you are running does not specify what source or destination zone you are attempting to match to. The test command does not evaluate the routing to determine what zones are are attempting to references based on the source/destination IP. Instead the test command just matches on the first rule that would match the the source address, destination addresses, and protocol.

 

You could instead use the following command to designate which destination zone you are working with:

test security-policy-match to DataCenters source 10.77.22.10 destination 10.99.0.1/16 protocol 5


Another option would be to ask the firewall to return all rules. The test command by default only shows the first rule in the policy, but you can modify the behavior by using the show-all option.

 

test security-policy-match to DataCenters source 10.77.22.10 destination 10.99.0.1/16 protocol 5 show-all yes

View solution in original post


All Replies
Rene_Boehme
L2 Linker

Because its protocol 6 instead of 5.

 

https://de.wikipedia.org/wiki/Protokoll_(IP)

Kind regards,
René
// If you like my answer force commit it.
TravisC
L2 Linker

@TomMeadows,

 

The test command that you are running does not specify what source or destination zone you are attempting to match to. The test command does not evaluate the routing to determine what zones are are attempting to references based on the source/destination IP. Instead the test command just matches on the first rule that would match the the source address, destination addresses, and protocol.

 

You could instead use the following command to designate which destination zone you are working with:

test security-policy-match to DataCenters source 10.77.22.10 destination 10.99.0.1/16 protocol 5


Another option would be to ask the firewall to return all rules. The test command by default only shows the first rule in the policy, but you can modify the behavior by using the show-all option.

 

test security-policy-match to DataCenters source 10.77.22.10 destination 10.99.0.1/16 protocol 5 show-all yes

View solution in original post

TomMeadows
L2 Linker

Rene- you're correct. I did get the wrong protocol number, (you are correct), but I think it was missing zone information that was giving me the incorrect policy.

TomMeadows
L2 Linker

That seems the answer Travis. 

 

I did work this out myself afterwards, by looking at the available command completion options on CLI and noticing the zone information associated with from and to parameters.

 

I still think a bit odd that Palo Alto Knowledgebase example doesn't use them though.

 

Thanks.

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!