PAN-OS CLI Quick Start
    : Test Policy Matches
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS CLI Quick Start
    4. Use the CLI
    5. Test the Configuration
    6. Test Policy Matches
    Download PDF

    PAN-OS CLI Quick Start

    Test Policy Matches

    Table of Contents
    End-of-Life (EoL)

    Test Policy Matches

    You can use test commands to verify that your policies are working as expected.
    • Test a security policy rule.
      Use the test security-policy-match command to determine whether a security policy rule is configured correctly. For example, suppose you have a user mcanha in your marketing department who is responsible for posting company updates to Twitter. Instead of adding a new rule just for that user, you want to test whether twitter will be allowed via an existing rule. By running the following test command, you can see that the user mcanha is indeed allowed to post to twitter based on your existing Allowed Personal Apps security policy rule:
      admin@PA-3060> test security-policy-match application twitter-posting source-user acme\mcanha destination 199.59.150.7 destination-port 80 source 10.40.14.197 protocol 6 
 
"Allowed Personal Apps" { 
        from trust; 
        source any; 
        source-region none; 
        to untrust; 
        destination any; 
        destination-region none; 
        user any; 
        category any; 
        application/service [ twitter-posting/tcp/any/80 twitter-posting/tcp/any/443 finger/tcp/any/79 finger/udp/any/79 irc-base/tcp/any/6665-6669 vidsoft/tcp/any/51222 vidsoft/tcp/any/80 vidsoft/tcp/any/443 vidsoft/tcp/any/1853 vidsoft/udp/any/51222 vidsoft/udp/any/1853 rtsp/tcp/any/554 rtsp/udp/any/554 kkbox/tcp/any/80 yahoo-mail/tcp/any/80 yahoo-mail/tcp/any/143 0 msn-base/tcp/any/443 msn-base/tcp/any/1863 msn-base/tcp/any/7001 msn-base/udp/any/7001 ebuddy/tcp/any/80 gmail-base/tcp/any/80 gmail-base/tcp/any/443 hovrs/tcp/any/443 hov application/service(implicit) [ http/tcp/any/80 http/tcp/any/443 http/tcp/any/6788 http/tcp/any/6789 http/tcp/any/7456 http/tcp/any/8687 http/tcp/any/9100 http/tcp/any/9200 http/udp/any/1513 http/udp/any/1514 jabber/tcp/any/any jabber/tcp/any/80 jabber/tcp/any/443 jabber/tcp/any/5228 jabber/tcp/any/25553 jabber/udp/any/any stun/tcp/any/any stun/tcp/any/3158 stun/udp/any/any web-browsing/any/any/any web-browsing/tcp/any/any web-browsing/tcp/any/80        action allow; 
        icmp-unreachable: no 
        terminal yes; 
}
    • Test an Authentication policy rule.
      Use the test authentication-policy-match command to test your Authentication policy. For example, you want to make sure that all users accessing Salesforce are authenticated. You would use the following test command to make sure that if users are not identified using any other mechanism, the Authentication policy will force them to authenticate:
      admin@PA-3060> test authentication-policy-match from trust to untrust source 192.168.201.10 destination 96.43.144.26 
 
Matched rule: 'salesforce' action: web-form
    • Test a Decryption policy rule.
      Use the test decryption-policy-match category command to test whether traffic to a specific destination and URL category will be decrypted according to your policy rules. For example, to verify that your no-decrypt policy for traffic to financial services sites is not being decrypted, you would enter a command similar to the following:
      admin@PA-3060> test decryption-policy-match category financial-services from trust source 10.40.14.197 destination 159.45.2.143 
 
Matched rule: 'test' action: no-decrypt

    © 2024 Palo Alto Networks, Inc. All rights reserved.