Test Policy Rules

Test the traffic policy matches of your configuration.
Where Can I Use This?
What Do I Need?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
Check for any license or role requirements for the products you're using:
  • Prisma Access license or AIOps for NGFW license
Testing security policy rules confirms that the rulebase enforces the posture you intended. Security policy rules define how traffic is handled and controlled within the network; testing them verifies that they allow and deny traffic and access to applications and websites as your business requirements dictate.
We provide tools that simulate a traffic flow against a specific set of conditions. By entering parameters such as source and destination IP addresses, ports, and applications, you can observe how your configuration would process that flow under the configured policy rules and verify that the action you intend, such as allowing or denying the traffic, is the one actually applied. The same tests also surface misconfigurations and conflicting rules that change the policy's behavior.
Test security policy rules regularly, not only when you first deploy them. Network requirements and the threat landscape change over time, and retesting after each change keeps the rulebase aligned with your intent so that it continues to provide reliable protection against a variety of cyberthreats.

Cloud Managed

Test the traffic policy matches of your configuration.
Updates to your Security policy rules are often time sensitive and require you to act quickly. At the same time, you want to be sure that every update meets your requirements and does not introduce errors or misconfigurations, such as changes that result in duplicate or conflicting rules. Policy Analyzer helps you reconcile these goals when you implement a change request. It analyzes the rulebase and suggests rules that can be consolidated or removed to meet your intended Security posture, and it checks the rulebase for anomalies such as shadows, redundancies, generalizations, correlations, and consolidations.
Use Policy Analyzer to analyze your Security policy rules both before and after you commit your changes.
  • Pre-Change Policy Analysis—Evaluates the impact of a new rule so you can compare it to your intent for that rule and confirm, before you commit, that it does not duplicate or conflict with existing rules, which avoids policy rule inflation. You can also run a Security Policy Anomaly Analysis to check for shadows, redundancies, generalizations, correlations, and consolidations.
  • Post-Change Policy Analysis—Cleans up the existing rulebase by identifying shadows, redundancies, and other anomalies that have accumulated over time.

PAN-OS & Panorama

Test the traffic policy matches of the running firewall configuration.
You can test and verify that your policy rules allow and deny the correct traffic by executing policy match tests for your firewalls directly from the web interface. The test is evaluated against the running configuration, so commit a change before you test it. The result names the rule that the simulated flow would hit, which you compare against the rule you intended to match.
  1. Select
    to perform a policy match or connectivity test.
  2. Enter the required information to perform the policy match test. In this example, we run a NAT policy match test.
    1. Test—Select NAT Policy Match.
    2. From—Select the zone the traffic originates from.
    3. To—Select the target zone of the traffic.
    4. Source—Enter the IP address from which the traffic originates.
    5. Destination—Enter the IP address of the target device for the traffic.
    6. Destination Port—Enter the destination port used for the traffic. A port is only meaningful for TCP and UDP; for other protocols, such as ICMP, leave it out.
    7. Protocol—Enter the IP protocol used for the traffic as its protocol number, for example 6 for TCP, 17 for UDP, or 1 for ICMP.
    8. If necessary, enter any additional information relevant for your NAT policy rule testing.
  3. Execute the NAT policy match test.
  4. Review the NAT Policy Match Result to see the policy rules that match the test criteria. If the rule you expected is not the one reported, an earlier rule in the rulebase is matching the flow first; adjust the rule order or the match conditions and test again.
