"test security-policy-match" will find the rule on the firewall that will block a flow. Of course, the firewall never sees "just" an IP address out of context... it will also see source/destination IPs, source/destination ports, protocols, etc. The "test security-policy-match" requires that information in order to determine whether or not it would block that flow. Changing any one of those variables (src/dst address/port, protocol, app) will affect the firewall's decision to allow/deny.

For example, let's say you have only two firewall rules:

rule1: permit from x.x.x.x to "any ip" on udp/53
rule2: deny all traffic

Your question is: will "x.x.x.x" be blocked? If it meets the additional conditions to match rule #1, then no, it won't be blocked. If it doesn't meet the conditions to match rule #1, then it matches rule #2 and will be blocked.

Now ask the question, with this same policy: will "y.y.y.y" be blocked? If x.x.x.x initiates a connection to y.y.y.y on udp/53, then it will match rule #1 and will not be blocked. If x.x.x.x initiates a connection to y.y.y.y on tcp/80, then it does not match rule #1 and will be blocked.
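The first-match evaluation the post describes, as an added toy example (not PAN-OS code or the poster's): a policy with the same two rules, evaluated against three constructed flows, showing that the verdict for "x.x.x.x" changes with protocol and port. The addresses x.x.x.x, y.y.y.y and z.z.z.z are placeholders, and the flow is reduced to src/dst IP, protocol and destination port.

```python
"""Toy first-match policy evaluator mirroring the two-rule example above.

Constructed example, not PAN-OS code: it models why "is IP x blocked?" has
no answer until the whole flow (src/dst IP, protocol, dst port) is known.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    src: str = "any"             # exact IP or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, f: Flow) -> bool:
        return (self.src in ("any", f.src)
                and self.dst in ("any", f.dst)
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport))


def policy_match(rules, flow):
    """Return the first rule matching the flow (the firewall's decision).

    Evaluation is first-match: once a rule matches, later rules are ignored.
    """
    for r in rules:
        if r.matches(flow):
            return r
    return None  # never reached while the policy ends in a deny-all rule


# The two-rule policy from the post, with placeholder addresses.
POLICY = [
    Rule("rule1", "permit", src="x.x.x.x", proto="udp", dport=53),
    Rule("rule2", "deny"),
]

if __name__ == "__main__":
    for f in (Flow("x.x.x.x", "y.y.y.y", "udp", 53),   # rule1, permit
              Flow("x.x.x.x", "y.y.y.y", "tcp", 80),   # rule2, deny
              Flow("z.z.z.z", "y.y.y.y", "udp", 53)):  # rule2, deny
        r = policy_match(POLICY, f)
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {r.name} ({r.action})")
```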