Test Policy Matches
You can use test commands to verify that your policies are working as expected.
Test Policy Matches
Test a security policy rule. Use the test security-policy-match command to determine whether a security policy rule is configured correctly. For example, suppose you have a user mcanha in your marketing department who is responsible for posting company updates to Twitter. Instead of adding a new rule just for that user, you want to test whether twitter will be allowed via an existing rule. By running the following test command, you can see that the user mcanha is indeed allowed to post to twitter based on your existing Allowed Personal Apps security policy rule: admin@PA-3060> test security-policy-match application twitter-posting source-user acme\mcanha destination destination-port 80 source protocol 6 "Allowed Personal Apps" { from trust; source any; source-region none; to untrust; destination any; destination-region none; user any; category any; application/service [ twitter-posting/tcp/any/80 twitter-posting/tcp/any/443 finger/tcp/any/79 finger/udp/any/79 irc-base/tcp/any/6665-6669 vidsoft/tcp/any/51222 vidsoft/tcp/any/80 vidsoft/tcp/any/443 vidsoft/tcp/any/1853 vidsoft/udp/any/51222 vidsoft/udp/any/1853 rtsp/tcp/any/554 rtsp/udp/any/554 kkbox/tcp/any/80 yahoo-mail/tcp/any/80 yahoo-mail/tcp/any/143 0 msn-base/tcp/any/443 msn-base/tcp/any/1863 msn-base/tcp/any/7001 msn-base/udp/any/7001 ebuddy/tcp/any/80 gmail-base/tcp/any/80 gmail-base/tcp/any/443 hovrs/tcp/any/443 hov application/service(implicit) [ http/tcp/any/80 http/tcp/any/443 http/tcp/any/6788 http/tcp/any/6789 http/tcp/any/7456 http/tcp/any/8687 http/tcp/any/9100 http/tcp/any/9200 http/udp/any/1513 http/udp/any/1514 jabber/tcp/any/any jabber/tcp/any/80 jabber/tcp/any/443 jabber/tcp/any/5228 jabber/tcp/any/25553 jabber/udp/any/any stun/tcp/any/any stun/tcp/any/3158 stun/udp/any/any web-browsing/any/any/any web-browsing/tcp/any/any web-browsing/tcp/any/80 action allow; icmp-unreachable: no terminal yes; }
Test a Captive Portal policy rule. Use the test cp-policy-match command to test your Captive Portal policy. For example, you want to make sure that all users accessing Salesforce are authenticated. You would use the following test command to make sure that if users are not identified using any other mechanism, the Captive Portal policy will force them to authenticate: admin@PA-3060> test cp-policy-match from trust to untrust source destination Matched rule: 'salesforce' action: web-form
Test a Decryption policy rule. Use the test decryption-policy-match category command to test whether traffic to a specific destination and URL category will be decrypted according to your policy rules. For example, to verify that your no-decrypt policy for traffic to financial services sites is not being decrypted, you would enter a command similar to the following: admin@PA-3060> test decryption-policy-match category financial-services from trust source destination Matched rule: 'test' action: no-decrypt

Related Documentation