Wednesday, January 23, 2019

Palo Alto Firewall: PBF (Policy Based Forwarding) Testing In CLI

Did you know you can test your policy-based forwarding yourself in the CLI on the Palo Alto firewall? You sure can. Below, I'm testing my zone L3-Inside (my inside zone) to verify it will go out the Ethernet 1/3 port. Based on the response below, it looks like it does work without having to involve the server guys.

killen@PA850-1(active)> test pbf-policy-match from L3-Inside application web-browsing source 192.168.5.5 destination 77.77.77.77 protocol 6 destination-port 443

"Exchange; index: 8" {
        id 9;
        from L3-Inside;
        source 192.168.5.5;
        destination any;
        user any;
        application/service  any/any/any/any;
        action Forward;
        symmetric-return no;
        forwarding-egress-IF/VSYS ethernet1/3;
        next-hop 65.65.65.65;
        terminal no;
}

killen@PA850-1(active)>
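
An added example, not from the original post: a Python check that parses the rule block printed by test pbf-policy-match and compares the action, egress interface and next hop with the expected values, so the same test can be repeated after each rule change. The function names are hypothetical, the sample text is copied from the output above, and treating output with no rule block as "no match" is an assumption.

```python
import re

# Sample input: the rule block from the CLI output above, embedded as captured text.
SAMPLE = '''"Exchange; index: 8" {
        id 9;
        from L3-Inside;
        source 192.168.5.5;
        destination any;
        user any;
        application/service  any/any/any/any;
        action Forward;
        symmetric-return no;
        forwarding-egress-IF/VSYS ethernet1/3;
        next-hop 65.65.65.65;
        terminal no;
}
'''

def parse_pbf_match(text):
    """Return a dict for the matched PBF rule, or None when no rule block is present."""
    m = re.search(r'"(?P<name>[^";]+); index: (?P<index>\d+)"\s*\{(?P<body>.*?)\}', text, re.S)
    if not m:
        return None
    rule = {"name": m.group("name"), "index": int(m.group("index"))}
    for line in m.group("body").splitlines():
        line = line.strip().rstrip(";")
        if line:
            key, _, value = line.partition(" ")  # first token is the field name
            rule[key] = value.strip()
    return rule

def check_forwarding(text, egress_if, next_hop):
    """Return a list of mismatches; an empty list means the flow is forwarded as expected."""
    rule = parse_pbf_match(text)
    if rule is None:  # assumption: no rule block in the output means no PBF rule matched
        return ["no PBF rule matched"]
    problems = []
    if rule.get("action") != "Forward":
        problems.append(f"action is {rule.get('action')}, not Forward")
    if rule.get("forwarding-egress-IF/VSYS") != egress_if:
        problems.append(f"egress is {rule.get('forwarding-egress-IF/VSYS')}, expected {egress_if}")
    if rule.get("next-hop") != next_hop:
        problems.append(f"next-hop is {rule.get('next-hop')}, expected {next_hop}")
    return problems

if __name__ == "__main__":
    print(check_forwarding(SAMPLE, "ethernet1/3", "65.65.65.65") or "OK")
```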
