Use Policy Checker to Find a Policy

You can use Policy Checker to determine how your Firebox manages traffic for a particular protocol between a source and destination you specify. This can be a useful troubleshooting tool if your Firebox allows or denies traffic unexpectedly, or if you want to make sure your policies manage traffic the way you expect. Based on the parameters you specify, Policy Checker sends a test packet through your Firebox to see how the device manages the packet. If there is a policy that manages the traffic, Policy Checker highlights that policy in the Firewall Policies list.

When you run Policy Checker, you must specify these parameters:

  • An interface — Any active device interface (physical, VLAN, or bridge), or SSL-VPN, Any-BOVPN, or Any-MUVPN. The interface you select is the source interface where the traffic originates. For example, if you select the External interface, the Firebox will treat the connection as inbound.
  • A protocol — Ping, TCP, or UDP
  • Source and destination IP address
  • Source and destination port — Only applies if you select TCP or UDP as the Protocol

The results can include any of these details:

  • Policy type
  • Policy name
  • An action
  • An interface
  • Source or destination NAT IP address
  • Source or destination NAT port

You cannot use Policy Checker in Fireware Web UI for a FireCluster. Instead, use the policy-check command in the Command Line Interface. For more information, see the Command Line Interface Reference.

To run Policy Checker:

  1. Select Firewall > Firewall Policies.
    The Firewall Policies page appears.

Screenshot of the Fireware Web UI Policies page

  2. Click Show policy checker.
    The policy checker section appears.

Screenshot of Policy Checker

  3. From the Interface drop-down list, select an active interface on your Firebox.
  4. From the Protocol drop-down list, select an option: Ping, TCP, or UDP.
  5. In the Source IP text box, type the source IP address for the traffic.
  6. In the Destination IP text box, type the destination IP address for the traffic.
  7. If you selected TCP or UDP for the Protocol, in the Source Port text box, type or select the port for the traffic source.
    If you selected Ping as the Protocol, the Source Port and Destination Port text boxes are disabled.
  8. If you selected TCP or UDP for the Protocol, in the Destination Port text box, type or select the port for the traffic destination.
  9. Click Run policy checker.
    The results appear in the Results section.

Read the Results

If the packet was managed by a policy, the policy details appear in the Results section, and the policy is highlighted in the Firewall Policies list.

If the packet was not managed by a policy but by another mechanism (such as a Blocked Sites match), that information appears in the Results section, but nothing is highlighted in the Firewall Policies list.

The Type and Name elements always have a value in the Results section. Every other element appears only when Policy Checker established a value for it; for example, the NAT elements appear only when NAT changed the source or destination address or port of the test packet.

Element               Value             Description
Type                  Policy            The packet was allowed or denied by a policy.
                      Security          The packet was dropped by something other than a policy (for example, a blocked site match) and a security measure was triggered.
                      Inconclusive      There was an error in the interpretation of the disposition of the packet.
Name                  Depends on Type   See the Name values by Type section after this table.
Action                Allow             The packet was allowed.
                      Deny              The packet was denied. This is always the result when the type is Security.
Interface             Interface name    The egress interface. This is the user-defined name (for example, External), not the system name (for example, eth0).
Source NAT IP         IP address        The IP address to which the original source IP address was changed by NAT.
Source NAT Port       TCP/UDP port      The TCP or UDP port to which the original source port was changed by NAT.
Destination NAT IP    IP address        The IP address to which the original destination IP address was changed by NAT.
Destination NAT Port  TCP/UDP port      The TCP or UDP port to which the original destination port was changed by NAT.

Name values by Type

If the type is Policy, the name of the policy appears. Not every policy that can handle traffic is shown in the Firewall Policies list, so if the policy name is unfamiliar, examine the configuration file for more information about that policy.

If the type is Security, the name is the security function that handled the packet (for example, Blocked Sites). The set of supported security functions can differ from one release to the next. Possible values include:

  • ICMP Flood Attack
  • IKE Flood Attack
  • IPSec Flood Attack
  • TCP SYN Flood Attack
  • UDP Flood Attack
  • TCP SYN check
  • Broadcast
  • DNS forward inactive
  • FWSPEED license
  • Blocked Ports
  • Blocked Sites
  • Blocked connection — The packet matched an existing connection that was blocked by a policy.
  • Unit not activated
  • DDoS Client Quota
  • DDoS Server Quota
  • User count exceeded
  • IP source route
  • Spoofing Attack
  • Wireless Guest
  • Wireless MVPN
  • MAC Access Control
  • MAC/IP Address Binding

If the type is Inconclusive, the name is Unspecified.
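To make the result elements concrete, here is an added example, written for this page and not Fireware code, that models a Policy Checker-style lookup in Python. It takes the same parameters you enter in the Web UI (source interface, protocol, source and destination IP, destination port) and returns the Type, Name, Action, Interface and Destination NAT IP elements described above. The policy table, the interface aliases, the rule that a Blocked Sites hit is evaluated before any policy, the first-match ordering of policies, and the reporting of unmatched traffic as Inconclusive/Unspecified are all assumptions made for illustration, not a description of the Firebox's actual lookup algorithm.

```python
# Added example (not WatchGuard code): a simplified, first-match model of a
# Policy Checker-style lookup. The policy table, interface aliases, the
# "Blocked Sites is checked before any policy" precedence and the handling of
# unmatched traffic are assumptions made for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Policy:
    name: str
    from_ifaces: frozenset           # source interfaces the policy covers
    to_ifaces: frozenset             # egress interfaces the policy covers
    protocol: str                    # "tcp", "udp", "ping" or "any"
    dst_ports: tuple = (1, 65535)    # inclusive range; ignored for ping
    src_nets: tuple = ("0.0.0.0/0",)
    dst_nets: tuple = ("0.0.0.0/0",)
    action: str = "Allow"
    enabled: bool = True
    dnat_to: Optional[str] = None    # destination NAT target, if the policy has one


@dataclass
class Result:
    kind: str                        # the "Type" element: Policy, Security or Inconclusive
    name: str                        # the "Name" element
    action: Optional[str] = None     # Allow or Deny, when established
    interface: Optional[str] = None  # egress interface, when established
    dst_nat_ip: Optional[str] = None # Destination NAT IP, when established


def _in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)


def policy_check(policies, blocked_sites, iface, proto, src, dst, dport=None) -> Result:
    """Model how a test packet (source interface, protocol, addresses, destination
    port) is handled: security checks first, then the first policy that matches."""
    proto = proto.lower()
    # A Blocked Sites hit is reported as Type=Security; no policy is involved.
    if _in_any(src, blocked_sites) or _in_any(dst, blocked_sites):
        return Result("Security", "Blocked Sites", "Deny")
    for p in policies:
        if not p.enabled or iface not in p.from_ifaces:
            continue
        if p.protocol not in (proto, "any"):
            continue
        if proto != "ping" and dport is not None:
            lo, hi = p.dst_ports
            if not lo <= dport <= hi:
                continue
        if not (_in_any(src, p.src_nets) and _in_any(dst, p.dst_nets)):
            continue
        # The egress interface is only reported when the policy pins it to one interface.
        egress = next(iter(p.to_ifaces)) if len(p.to_ifaces) == 1 else None
        return Result("Policy", p.name, p.action, egress, p.dnat_to)
    # This model does not implement the device's handling of unmatched traffic,
    # so it reports the Inconclusive/Unspecified pair from the results table.
    return Result("Inconclusive", "Unspecified")


# Constructed sample configuration. Order matters: the first matching policy wins,
# so the narrow HTTPS policy sits above the catch-all Outgoing policy.
POLICIES = [
    Policy("HTTPS-proxy", frozenset({"Trusted"}), frozenset({"External"}), "tcp", (443, 443)),
    Policy("Ping", frozenset({"Trusted"}), frozenset({"External"}), "ping"),
    Policy("Outgoing", frozenset({"Trusted"}), frozenset({"External"}), "any"),
    Policy("SSH-inbound", frozenset({"External"}), frozenset({"Trusted"}), "tcp", (22, 22),
           dst_nets=("203.0.113.10/32",), dnat_to="10.0.1.5"),
    Policy("FTP-inbound", frozenset({"External"}), frozenset({"Trusted"}), "tcp", (21, 21),
           enabled=False),
]
BLOCKED_SITES = ("198.51.100.0/24",)

if __name__ == "__main__":
    for args in [("Trusted", "TCP", "10.0.1.20", "93.184.216.34", 443),
                 ("Trusted", "TCP", "10.0.1.20", "93.184.216.34", 80),
                 ("Trusted", "Ping", "10.0.1.20", "93.184.216.34"),
                 ("External", "TCP", "192.0.2.50", "203.0.113.10", 22),
                 ("External", "TCP", "198.51.100.7", "203.0.113.10", 22),
                 ("External", "TCP", "192.0.2.50", "203.0.113.10", 21)]:
        print(args, "->", policy_check(POLICIES, BLOCKED_SITES, *args))
```

The sample runs show the three outcomes the results table describes: an outbound HTTPS packet from Trusted is handled by the HTTPS-proxy policy rather than the broader Outgoing policy beneath it, which is the kind of precedence question Policy Checker is typically used to settle; an inbound SSH packet matches a policy that also reports a Destination NAT IP; a packet from a blocked network produces Type=Security, Name=Blocked Sites, Action=Deny with no policy named; and a packet that only a disabled policy would match is reported as Inconclusive/Unspecified. Swapping the order of HTTPS-proxy and Outgoing in POLICIES changes which policy is reported for port 443, which is exactly the situation where the highlighted policy in the Firewall Policies list tells you more than the Allow/Deny verdict alone.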

Related Topics

About Policies

About Proxy Actions