Palo Alto – Category Testing and Decryption

Using CLI Commands “test security-policy-match” & “test decryption-policy-match”

The test security-policy-match command lets you determine which security policy rule would match a hypothetical packet, based on the criteria you provide. This helps you verify that your security policies are set up correctly.

It is a quick way to see which rule is getting hit.

COR-FW-A(active)> test security-policy-match category social-networking source 192.168.10.122 destination 31.13.67.35 protocol 6 destination-port 443

"CORE Employee Internet Access; index: 14" {
from Inside;
source any;
source-region none;
to Outside;
destination any;
destination-region none;
user any;
category any;
application/service [0:ssl/tcp/any/443 1:web-browsing/tcp/any/80 ];
action allow;
icmp-unreachable: no
terminal yes;
}

The test decryption-policy-match command lets you determine which decryption policy rule would match a hypothetical packet. Use it to verify that your decryption policies work as intended and whether the traffic will be decrypted or not:

COR-FW-A(active)> test decryption-policy-match source 192.168.100.122 destination 13.89.141.56

Matched rule: 'Do Not Decrypt URLs' action: no-decrypt
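The two outputs above can be parsed and compared with the result the policy design calls for. This is an added example, not part of the original post: the parse_* and check functions and the expected "deny" outcome are assumptions for illustration, and the sample text is the output shown above.

```python
import re

# Output copied from the two CLI runs shown on this page.
SECURITY_OUT = '''"CORE Employee Internet Access; index: 14" {
from Inside;
source any;
source-region none;
to Outside;
destination any;
destination-region none;
user any;
category any;
application/service [0:ssl/tcp/any/443 1:web-browsing/tcp/any/80 ];
action allow;
icmp-unreachable: no
terminal yes;
}'''
DECRYPT_OUT = "Matched rule: 'Do Not Decrypt URLs' action: no-decrypt"

def parse_security_match(text):
    """Return the matched rule as a dict (None if no rule block is present)."""
    m = re.search(r'"(.+?); index: (\d+)"\s*\{(.*?)\}', text, re.S)
    if not m:
        return None
    rule = {"name": m[1], "index": int(m[2])}
    for line in m[3].splitlines():
        key, _, value = line.strip().rstrip(";").partition(" ")
        if key:  # "icmp-unreachable: no" carries a colon after the key
            rule[key.rstrip(":")] = value.strip()
    return rule

def parse_decryption_match(text):
    """Return {'name': ..., 'action': ...} from a decryption-policy-match line."""
    m = re.search(r"Matched rule: '(?P<name>.+?)' action: (?P<action>\S+)", text)
    return m.groupdict() if m else None

def check(rule, expected_action, category_specific=False):
    """List mismatches between the matched rule and the expected outcome."""
    if rule is None:
        return ["no rule matched"]
    findings = []
    if rule["action"] != expected_action:
        findings.append(f"{rule['name']}: action {rule['action']}, expected {expected_action}")
    if category_specific and rule.get("category") == "any":
        findings.append(f"{rule['name']}: matched on category any, not a category-specific rule")
    return findings

if __name__ == "__main__":
    # Assumed expectation: social-networking should be denied by a category rule.
    print(check(parse_security_match(SECURITY_OUT), "deny", category_specific=True))
```

In the sample run the social-networking test landed on a rule with category any, so the category argument did not select a category-specific rule; the second finding makes that visible.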

Test URLs with PANDB Test Pages

New category “scanning activity”:

https://urlfiltering.paloaltonetworks.com/test-scanning-activity

Here is a list of test pages for low, medium and high risk categories:

https://urlfiltering.paloaltonetworks.com/test-low-risk
https://urlfiltering.paloaltonetworks.com/test-medium-risk
https://urlfiltering.paloaltonetworks.com/test-high-risk

Here is a list of test pages for malicious categories:

https://urlfiltering.paloaltonetworks.com/test-malware
https://urlfiltering.paloaltonetworks.com/test-phishing
https://urlfiltering.paloaltonetworks.com/test-command-and-control

Here is a list of test pages for newly registered domains:

https://urlfiltering.paloaltonetworks.com/test-newly-registered-domains

Here is a list of test pages for non-malicious categories:

https://urlfiltering.paloaltonetworks.com/test-abortion
https://urlfiltering.paloaltonetworks.com/test-abused-drugs
https://urlfiltering.paloaltonetworks.com/test-adult
https://urlfiltering.paloaltonetworks.com/test-alcohol-and-tobacco
https://urlfiltering.paloaltonetworks.com/test-auctions
https://urlfiltering.paloaltonetworks.com/test-business-and-economy
https://urlfiltering.paloaltonetworks.com/test-computer-and-internet-info
https://urlfiltering.paloaltonetworks.com/test-content-delivery-networks
https://urlfiltering.paloaltonetworks.com/test-copyright-infringement
https://urlfiltering.paloaltonetworks.com/test-dating
https://urlfiltering.paloaltonetworks.com/test-dynamic-dns
https://urlfiltering.paloaltonetworks.com/test-educational-institutions
https://urlfiltering.paloaltonetworks.com/test-entertainment-and-arts
https://urlfiltering.paloaltonetworks.com/test-extremism
https://urlfiltering.paloaltonetworks.com/test-financial-services
https://urlfiltering.paloaltonetworks.com/test-gambling
https://urlfiltering.paloaltonetworks.com/test-games
https://urlfiltering.paloaltonetworks.com/test-government
https://urlfiltering.paloaltonetworks.com/test-hacking
https://urlfiltering.paloaltonetworks.com/test-health-and-medicine
https://urlfiltering.paloaltonetworks.com/test-home-and-garden
https://urlfiltering.paloaltonetworks.com/test-hunting-and-fishing
https://urlfiltering.paloaltonetworks.com/test-insufficient-content
https://urlfiltering.paloaltonetworks.com/test-internet-communications-and-telephony
https://urlfiltering.paloaltonetworks.com/test-internet-portals
https://urlfiltering.paloaltonetworks.com/test-job-search
https://urlfiltering.paloaltonetworks.com/test-legal
https://urlfiltering.paloaltonetworks.com/test-military
https://urlfiltering.paloaltonetworks.com/test-motor-vehicles
https://urlfiltering.paloaltonetworks.com/test-music
https://urlfiltering.paloaltonetworks.com/test-news
https://urlfiltering.paloaltonetworks.com/test-nudity
https://urlfiltering.paloaltonetworks.com/test-online-storage-and-backup
https://urlfiltering.paloaltonetworks.com/test-parked
https://urlfiltering.paloaltonetworks.com/test-peer-to-peer
https://urlfiltering.paloaltonetworks.com/test-personal-sites-and-blogs
https://urlfiltering.paloaltonetworks.com/test-philosophy-and-political-advocacy
https://urlfiltering.paloaltonetworks.com/test-private-ip-addresses
https://urlfiltering.paloaltonetworks.com/test-proxy-avoidance-and-anonymizers
https://urlfiltering.paloaltonetworks.com/test-questionable
https://urlfiltering.paloaltonetworks.com/test-real-estate
https://urlfiltering.paloaltonetworks.com/test-recreation-and-hobbies
https://urlfiltering.paloaltonetworks.com/test-reference-and-research
https://urlfiltering.paloaltonetworks.com/test-religion
https://urlfiltering.paloaltonetworks.com/test-search-engines
https://urlfiltering.paloaltonetworks.com/test-sex-education
https://urlfiltering.paloaltonetworks.com/test-shareware-and-freeware
https://urlfiltering.paloaltonetworks.com/test-shopping
https://urlfiltering.paloaltonetworks.com/test-social-networking
https://urlfiltering.paloaltonetworks.com/test-society
https://urlfiltering.paloaltonetworks.com/test-sports
https://urlfiltering.paloaltonetworks.com/test-stock-advice-and-tools
https://urlfiltering.paloaltonetworks.com/test-streaming-media
https://urlfiltering.paloaltonetworks.com/test-swimsuits-and-intimate-apparel
https://urlfiltering.paloaltonetworks.com/test-training-and-tools
https://urlfiltering.paloaltonetworks.com/test-translation
https://urlfiltering.paloaltonetworks.com/test-travel
https://urlfiltering.paloaltonetworks.com/test-unknown
https://urlfiltering.paloaltonetworks.com/test-weapons
https://urlfiltering.paloaltonetworks.com/test-web-advertisements
https://urlfiltering.paloaltonetworks.com/test-web-hosting
https://urlfiltering.paloaltonetworks.com/test-web-based-email
https://urlfiltering.paloaltonetworks.com/test-cryptocurrency
https://urlfiltering.paloaltonetworks.com/test-grayware