Related Topics
Use Policy Checker to Find a Policy
You can use Policy Checker to determine how your Firebox manages traffic for a particular protocol between a source and destination you specify. This can be a useful troubleshooting tool if your Firebox allows or denies traffic unexpectedly, or if you want to make sure your policies manage traffic the way you expect. Based on the parameters you specify, Policy Checker sends a test packet through your Firebox to see how the device manages the packet. If there is a policy that manages the traffic, Policy Checker highlights that policy in the Firewall Policies list.
When you run Policy Checker, you must specify these parameters:
- An interface — Any active device interface (physical, VLAN, or bridge), or SSL-VPN, Any-BOVPN, or Any-MUVPN
- A protocol — Ping, TCP, or UDP
- Source and destination IP address
- Source and destination port — Only applies if you select TCP or UDP as the Protocol
The results can include any of these details:
- Policy type
- Policy name
- An action
- An interface
- Source or destination NAT IP address
- Source or destination NAT port
You cannot use Policy Checker in Fireware Web UI for a FireCluster. Instead, use the policy-check command in the Command Line Interface. For more information, see the Command Line Interface Reference.
To run Policy Checker:
- Select Firewall > Firewall Policies.
The Firewall Policies page appears.
- Click Show policy checker.
The policy checker section appears.
- From the Interface drop-down list, select an active interface on your Firebox.
- From the Protocol drop-down list, select an option: Ping, TCP, or UDP.
- In the Source IP text box, type the source IP address for the traffic.
- In the Destination IP text box, type the destination IP address for the traffic.
- If you selected TCP or UDP for the Protocol, in the Source Port text box, type or select the port for the traffic source.
If you selected Ping as the Protocol, the port text box is disabled. - If you selected TCP or UDP for the Protocol, in the Destination Port text box, type or select the port for the traffic destination.
If you selected Ping as the Protocol, the port text box is disabled. - Click Run policy checker.
The results appear in the Results section.
Read the Results
If the packet was managed by a policy, the policy details appear in the Results section, and the policy is highlighted in the Firewall Policies list.
If the packet was not managed by a policy, but by another means (such as a hostile site match), that information appears in the Results section, but nothing is highlighted in the Firewall Policies list.
The only elements that always include a value in the Results section are the Name and Type elements. Values for all other elements are only present if their values are established.
Element | Value | Description |
---|---|---|
Type | Policy | The packet was allowed or denied by a policy. |
Security | The packet was dropped by something other than a policy (for example, a blocked site match) and a security measure was triggered. | |
Inconclusive | There was an error in the interpretation of the disposition of the packet. | |
Name | Depends on the Type value |
If the type was Policy, the name of the policy appears. Not all configured policies are exposed. If the policy name is unfamiliar, you can examine the configuration file for more information about the policy. If the type was Security, the security function appears (for example, Blocked Sites). The set of supported security functions can be different from one release to the next.
If the type was Inconclusive the name is Unspecified. |
Action | Allow | The packet was allowed. |
Deny | The packet was denied. This is always the result when the type is Security. | |
Interface | Interface name | The egress interface. This is the user-defined name (for example, External), not the system name (for example, eth0). |
Source NAT IP | IP address | The IP address to which the original source IP address was changed by NAT. |
Source NAT Port | TCP/UDP port | The TCP or UDP port to which the original source port was changed by NAT. |
Destination NAT IP | IP address | The IP address to which the original destination IP address was changed by NAT. |
Destination NAT Port | TCP/UDP port | The TCP or UDP port to which the original destination port was changed by NAT. |