test security-policy-match shows blank output instead of "No rule matched"

L1 Bithead


Hello to the community,


First I'd like to thank everyone for contributing. The community is invaluable.


I was wondering if anybody has any ideas why I always see this behavior. Reading through the discussions and doing my own research, I have seen results showing "No rule matched", whereas my output is always just blank when no rule is matched.


I enabled override on the interzone-default, and I do see the logs appear in "monitor" in the GUI. But executing test security-policy-match in CLI for the same traffic results in no output at all.


Example of blank output:


admin@f1-nttptc-dmz-pa(active)> test security-policy-match from DMZ to IPAM source 155.16.250.9 destination 155.16.38.141 destination-port 53 protocol 17


admin@f1-nttptc-dmz-pa(active)>


I have always seen this behavior over numerous versions of PA 8.x / 9.x. Is this the expected behavior? Why do I see other posts with output results showing the helpful "No Rule Found" message? The only way I can get output from this command in CLI is if I add an explicit "deny any any" at the bottom, but this comes with its own set of issues as it overrides the default allow for "intrazone" traffic, affecting stuff like BGP, IPSec, Interface Mgmt, etc.

I appreciate any feedback from others' experiences and whether this is the expected behavior.


Thanks to all in advance,

G


Accepted Solutions
Cyber Elite

@gb2057,

At least for me, this would be expected behavior. It used to be on older releases I would get the "No rule matched", but that changed with a later release and I simply don't get anything until it matches a rulebase entry. I'm not sure exactly when this change was introduced, or really if it's expected behavior, but I deal with enough environments that I can tell you it's standard from what I've seen. 

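Since, per the accepted answer above, a non-match on current releases produces no output at all, any script that wraps `test security-policy-match` (for example, over SSH during a change review) has to treat empty output as "no rule matched" itself rather than waiting for a message. The parser below is an added example and is not code from the thread or from Palo Alto Networks. It assumes the rule-block output shape shown in the constructed MATCHED_OUTPUT sample (a quoted rule name followed by `key value;` lines in braces), which mirrors what PAN-OS 8.x/9.x prints; the rule name, zones and addresses in the samples are made up, and the helper names (parse_policy_match, describe) are this example's own.

```python
"""
Added example (not from the original thread): parse the text that PAN-OS
`test security-policy-match` prints, reporting a blank result explicitly as
"no rule matched" instead of silently returning nothing.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: what the CLI prints when a rule matches.  The rule
# name, zones and addresses are made up for this example.
MATCHED_OUTPUT = '''
"Allow-DNS-to-IPAM" {
        from DMZ;
        source 155.16.250.9;
        source-region none;
        to IPAM;
        destination 155.16.38.141;
        destination-region none;
        user any;
        category any;
        application/service  dns/udp/any/53;
        action allow;
        icmp-unreachable: no
        terminal yes;
}
'''

# Constructed sample: the blank output the thread reports on newer releases.
BLANK_OUTPUT = "\n"

# Constructed sample: the message older releases printed in the same case.
LEGACY_NO_MATCH_OUTPUT = "No rule matched\n"


@dataclass
class PolicyMatch:
    rule: Optional[str]            # name of the matching rule, or None
    action: Optional[str]          # "allow", "deny", "drop", ... or None
    attributes: dict = field(default_factory=dict)

    @property
    def matched(self) -> bool:
        return self.rule is not None


# '"rule-name" {' opens a rule block.
_RULE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*\{', re.MULTILINE)
# 'key value;' lines inside the block ("icmp-unreachable: no" has a colon
# and no semicolon, so both are optional).
_ATTR_RE = re.compile(r'^\s*(?P<key>[\w/\-]+):?\s+(?P<value>.+?);?\s*$', re.MULTILINE)


def parse_policy_match(output: str) -> PolicyMatch:
    """Return a PolicyMatch for raw CLI output.

    Handles the three shapes discussed in the thread:
      * a rule block                       -> rule, action and attributes filled in
      * blank output (newer releases)      -> no match
      * "No rule matched" (older releases) -> no match
    """
    text = output.strip()
    if not text or text.lower().startswith("no rule matched"):
        return PolicyMatch(rule=None, action=None)

    m = _RULE_RE.search(text)
    if m is None:
        # Something was printed but it is not a rule block; report no match
        # and keep the raw text so the caller can look at it.
        return PolicyMatch(rule=None, action=None, attributes={"raw": text})

    # Body of the first rule block, up to its closing brace.
    body = text[m.end():]
    if "}" in body:
        body = body[: body.index("}")]
    attrs = {}
    for am in _ATTR_RE.finditer(body):
        attrs[am.group("key")] = am.group("value").rstrip(";").strip()
    return PolicyMatch(rule=m.group("name"), action=attrs.get("action"), attributes=attrs)


def describe(output: str) -> str:
    """One-line summary for a script that runs the CLI command remotely."""
    result = parse_policy_match(output)
    if not result.matched:
        return "No rule matched (blank output on this release)"
    return f'Matched rule "{result.rule}" action={result.action}'


if __name__ == "__main__":
    for sample in (MATCHED_OUTPUT, BLANK_OUTPUT, LEGACY_NO_MATCH_OUTPUT):
        print(describe(sample))
```

The point of the explicit blank-output branch is the one the thread makes: a wrapper that only greps for "No rule matched" will report nothing on current releases and can be misread as a hung command or a transport error, so the absence of a rule block is the signal to key on.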


All Replies

L1 Bithead

@BPry - Thanks for taking the time to respond with your answer. I can see you have solid experience, so I have gone ahead and accepted your response as the solution. Kudos
