Policy tracing from CLI on firewalls.

This post is a quick reference on how to check, from the CLI, whether a given flow would be permitted by the rulebase, without having to generate the traffic first. Each command below does a dry-run policy lookup for a synthetic packet; the command in brackets is the one to use when you want to see what an existing, live connection actually matched.

Tracing policy matching on Juniper SRX (for actual live sessions use ‘show security flow session’)

show security match-policies from-zone trust to-zone untrust source-port 1024 destination-port 40961 protocol tcp source-ip 10.243.0.1 destination-ip 10.243.15.12

Tracing policy matching on Cisco ASA (for live connections, use ‘show conn’)

packet-tracer input inside tcp 10.0.0.1 1024 4.2.2.1 443 [detailed]

Tracing policy matching on Palo Alto (for live sessions, use ‘show session all’)

test security-policy-match application twitter-posting source-user acme\mcanha destination 199.59.150.7 destination-port 80 source 10.40.14.197 protocol 6

NB: unlike the SRX and the ASA, the Palo Alto takes the IP protocol number rather than a keyword: 6 = TCP, 17 = UDP, 1 = ICMP.
See https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml for the full list.
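If you run these checks regularly, say against a change ticket that lists a dozen flows, it is easy to mistype a 5-tuple or to hand the Palo Alto a protocol name where it wants a number. The following Python is an added example for this post, not vendor code or the author's: it validates one flow description once and renders the exact command lines quoted above for each vendor, so you can paste them (or feed them to your SSH tooling) with confidence. `Flow`, `cmd_srx`, `cmd_asa`, `cmd_panos`, `all_commands` and `normalise_proto` are this example's own names; it covers TCP and UDP only, since ICMP on the ASA takes type/code instead of ports.

```python
"""Emit the per-vendor "would this flow be permitted?" command for one flow.

Added example for this post, not vendor or author code. It normalises a flow
once and renders the three CLI lines quoted in the post, so a pre-change
check can be run against an SRX, an ASA and a Palo Alto without re-typing the
5-tuple per vendor (and without mixing up which box wants a protocol name and
which wants the IANA number). All names below are this example's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Union

# IANA protocol numbers. The Palo Alto wants the number, the SRX/ASA the
# keyword. ICMP (1) is left out: packet-tracer takes type/code, not ports.
# https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
PROTO_NUMBER = {"tcp": 6, "udp": 17}
PROTO_NAME = {n: k for k, n in PROTO_NUMBER.items()}


def normalise_proto(p: Union[str, int]) -> str:
    """Accept 'tcp', 'TCP', 6 or '6' and return the lower-case keyword."""
    s = str(p).strip().lower()
    if s.isdigit():
        s = PROTO_NAME.get(int(s), s)
    if s not in PROTO_NUMBER:
        raise ValueError(f"unsupported protocol {p!r} (tcp/udp only)")
    return s


@dataclass
class Flow:
    src: str
    dst: str
    proto: Union[str, int]
    sport: int
    dport: int
    from_zone: str = ""    # SRX security zones
    to_zone: str = ""
    ingress_if: str = ""   # ASA nameif the packet would arrive on
    app: str = ""          # Palo Alto App-ID (optional)
    user: str = ""         # Palo Alto source-user (optional)

    def __post_init__(self) -> None:
        # Fail here rather than paste a malformed line onto a production box.
        ip_address(self.src)
        ip_address(self.dst)
        self.proto = normalise_proto(self.proto)
        for port in (self.sport, self.dport):
            if not 0 <= int(port) <= 65535:
                raise ValueError(f"port {port} out of range")


def cmd_srx(f: Flow) -> str:
    """Juniper SRX: policy lookup without a live session (protocol keyword)."""
    if not (f.from_zone and f.to_zone):
        raise ValueError("SRX lookup needs from-zone and to-zone")
    return (f"show security match-policies from-zone {f.from_zone} "
            f"to-zone {f.to_zone} source-port {f.sport} "
            f"destination-port {f.dport} protocol {f.proto} "
            f"source-ip {f.src} destination-ip {f.dst}")


def cmd_asa(f: Flow, detailed: bool = False) -> str:
    """Cisco ASA: simulate a packet entering on the named interface."""
    if not f.ingress_if:
        raise ValueError("packet-tracer needs the ingress interface nameif")
    cmd = (f"packet-tracer input {f.ingress_if} {f.proto} "
           f"{f.src} {f.sport} {f.dst} {f.dport}")
    return cmd + " detailed" if detailed else cmd


def cmd_panos(f: Flow) -> str:
    """Palo Alto: protocol is the IANA number; App-ID and user are optional."""
    parts = ["test security-policy-match"]
    if f.app:
        parts.append(f"application {f.app}")
    if f.user:
        parts.append(f"source-user {f.user}")
    parts.append(f"destination {f.dst} destination-port {f.dport} "
                 f"source {f.src} protocol {PROTO_NUMBER[f.proto]}")
    return " ".join(parts)


def all_commands(f: Flow) -> Dict[str, str]:
    """Render whichever vendor commands the flow carries enough detail for."""
    out: Dict[str, str] = {}
    for name, fn in (("srx", cmd_srx), ("asa", cmd_asa), ("panos", cmd_panos)):
        try:
            out[name] = fn(f)
        except ValueError:
            pass  # no zones / no interface given: that vendor is skipped
    return out


if __name__ == "__main__":
    # Constructed flow: the Palo Alto example from the post, plus SRX zones
    # and an ASA interface so all three lines render.
    flow = Flow("10.40.14.197", "199.59.150.7", "TCP", 1024, 80,
                from_zone="trust", to_zone="untrust", ingress_if="inside",
                app="twitter-posting", user="acme\\mcanha")
    for vendor, line in all_commands(flow).items():
        print(f"{vendor:6} {line}")
```

The builders are deliberately dumb string renderers: the value is in doing the IP and port validation and the protocol name/number translation once, so the same flow record can be checked on every vendor in the path. Whatever the boxes answer, read the matched policy name, not just permit/deny: a hit on the final catch-all deny usually means the new rule is in the wrong zone pair or ordered below a broader one.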


2 Responses to Policy tracing from CLI on firewalls.

  1. Grá says:

    I tend to run a similar command to the one above on the Juniper SRX firewalls to show which policy will apply based on a given set of criteria. In my case I’m often implementing policies before a Customer is able to test, so I run the same command, but substitute ‘match-policies’ for ‘flow’… and then verify that the appropriate policy is referenced. If the default ‘deny-all’ policy is flagged, then your policy is suspect.

    • sol says:

      Good spot – somehow I must have typo’d that in a brain fart! Your command is the correct one! D’oh – edited. :)
