Palo Alto Firewall: How to Test Security, NAT, and PBF Rules via the CLI


The following arguments are always needed to run the test commands for Security policy, NAT policy and PBF policy:
• source – source IP address
• destination – destination IP address
• destination port – the destination port number
• protocol – the IP protocol number expected for the packet, between 1 and 255,
e.g. TCP – 6, UDP – 17, ICMP – 1 and ESP – 50

If you want to find the security policy that actually matches when many security policies are configured with the same source and destination zones, you should always specify the source and destination zones (from/to). If the zones are not specified, the test command will return results that include rules for zones that the source and destination IP addresses do not belong to.

Testing Security Rules

test security-policy-match
+ application        Application name
+ category           Category name
+ destination        destination IP address
+ destination-port   Destination port
+ from               from
+ protocol           IP protocol value
+ show-all           show all potential match rules
+ source             source IP address
+ source-user        Source User
+ to                 to
  <Enter>            Finish input

Example 1:

test security-policy-match protocol 1 from L3-Trust to L3-Untrust source 192.168.11.1 destination 1.1.1.1 destination-port 80

Output:

Trust.Untrust {
        from L3-Trust;
        source any;
        source-region any;
        to L3-Untrust;
        destination any;
        destination-region any;
        user any;
        category any;
        application/service any/any/any/any;
        action allow;
}

Example 2: (No rule match)

test security-policy-match protocol 6 from L3-Trust to L3-Untrust source 192.168.11.1 destination 202.54.20.50 destination-port 80 application facebook-base

Output:

No rule matched

Testing NAT Rules

test nat-policy-match
+ destination        destination IP address
+ destination-port   Destination port
+ from               from
+ ha-device-id       HA Active-Active device ID
+ protocol           IP protocol value
+ source             source IP address
+ source-port        Source port
+ to                 to
+ to-interface       Egress interface to use
  <Enter>            Finish input

Example 1:

test nat-policy-match protocol 17 from L3-Trust to L3-Untrust source 192.168.11.1 destination 202.54.20.50 destination-port 80

Output:

Source-NAT: Rule matched: Source_NAT
192.168.11.1:0 => 10.60.10.30:38214 (17),

Example 2: (No rule match)

test nat-policy-match protocol 6 from L3-Trust to L3-Untrust source 192.168.11.1 destination 202.54.20.50 destination-port 443

Output:

Server error :

Testing PBF Rules

test pbf-policy-match
+ application        Application name
+ destination        destination IP address
+ destination-port   Destination port
+ from               From zone
+ from-interface     From interface
+ ha-device-id       HA Active-Active device ID
+ protocol           IP protocol value
+ source             source IP address
+ source-user        Source User
  <Enter>            Finish input

Example 1:

test pbf-policy-match protocol 6 from L3-Trust source 192.168.11.1 destination 202.54.20.50 destination-port 80
Output:

"PBF any" {
        from L3-Trust;
        source any;
        destination any;
        user any;
        application/service any/any/any/any;
        action Forward;
        forwarding-egress-IF/VSYS ethernet1/3;
        next-hop 0.0.0.0;
}

Example 2: (No rule match)

test pbf-policy-match protocol 17 from L3-Trust source 192.168.52.1 destination 69.171.242.11 destination-port 80

Output:

Server error : Error running policy lookup
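As an added example (not part of the original post), a small Python helper that parses the replies of all three test commands shown above and checks a flow against an expected rule or action, so the lookups can be scripted into a policy regression check after a rule change. The sample replies are constructed from the examples on this page; treating "No rule matched" as a deny is an assumption stated in the code.

```python
import re

# Constructed samples, copied from the CLI replies shown in the examples above
# (the security block is abbreviated to the fields the checks below use).
SEC_MATCH = """Trust.Untrust {
        from L3-Trust;
        to L3-Untrust;
        application/service any/any/any/any;
        action allow;
}"""
NAT_MATCH = ("Source-NAT: Rule matched: Source_NAT\n"
             "192.168.11.1:0 => 10.60.10.30:38214 (17),")
NO_MATCH = "No rule matched"

def parse_policy_match(output):
    """Reduce a 'test *-policy-match' reply to {'status', 'rule', 'fields'}."""
    text = output.strip()
    if text == "No rule matched":
        return {"status": "no-match", "rule": None, "fields": {}}
    if text.startswith("Server error"):  # how the NAT/PBF lookups above report no match
        return {"status": "no-match", "rule": None, "fields": {}, "message": text}
    nat = re.match(r"(\S+): Rule matched: (\S+)\s*(.*)", text, re.S)
    if nat:  # NAT replies: '<type>: Rule matched: <rule>' plus the translation line
        return {"status": "match", "rule": nat.group(2),
                "fields": {"type": nat.group(1), "translation": nat.group(3).strip(" ,")}}
    # Security/PBF replies: '<rule-name> { key value; ... }', name optionally quoted
    m = re.match(r'^[“"]?([^“”"{]+?)[”"]?\s*\{(.*)\}\s*$', text, re.S)
    if not m:
        raise ValueError("unrecognised policy-match output")
    fields = {}
    for item in m.group(2).split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(" ")
            fields[key] = value
    return {"status": "match", "rule": m.group(1).strip(), "fields": fields}

def flow_is_as_expected(output, expect):
    """expect holds 'rule' and/or 'action'. A lookup that matches no rule is
    treated as denied (assumption: interzone flow, so the implicit
    interzone-default deny applies, as in the examples above)."""
    r = parse_policy_match(output)
    if r["status"] == "no-match":
        return expect.get("action") == "deny" and "rule" not in expect
    if "rule" in expect and r["rule"] != expect["rule"]:
        return False
    return "action" not in expect or r["fields"].get("action") == expect["action"]
```

Feed it the reply captured from the firewall (e.g. over SSH) for each flow in a list of test cases, and fail the change when any case stops returning the rule or action it returned before.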