You can use Policy Checker to determine how your XTM device manages traffic for a particular protocol between a source and destination you specify. This can be a useful troubleshooting tool if your XTM device allows or denies traffic unexpectedly, or if you want to make sure your policies manage traffic the way you expect. Based on the parameters you specify, Policy Checker sends a test packet through your XTM device to see how the device manages the packet. If there is a policy that manages the traffic, Policy Checker highlights that policy in the Firewall Policies list.
When you run Policy Checker, you must specify these parameters:
The results can include any of these details:
You cannot use Policy Checker in Fireware XTM Web UI for a FireCluster. Instead, use the policy-check command in the Command Line Interface. For more information, see the Command Line Interface Reference.
To run Policy Checker:
If the packet was managed by a policy, the policy details appear in the Results section, and the policy is highlighted in the Firewall Policies list.
If the packet was not managed by a policy, but by another means (such as a Blocked Sites match), that information appears in the Results section, but nothing is highlighted in the Firewall Policies list.
The only elements that always include a value in the Results section are the Name and Type elements. All other elements appear only when a value was established for the test packet (for example, the NAT elements appear only if NAT was applied to the packet).
| Element | Value | Description |
|---|---|---|
| Type | Policy | The packet was allowed or denied by a policy. |
| | Security | The packet was dropped by something other than a policy (for example, a Blocked Sites match) and a security measure was triggered. |
| | Inconclusive | There was an error in the interpretation of the disposition of the packet. |
| Name | Depends on the Type value | If the Type is Policy, the name of the policy appears. Not all configured policies are exposed; if the policy name is unfamiliar, examine the configuration file for more information about the policy. If the Type is Security, the security function appears (for example, Blocked Sites); the set of supported security functions can differ from one release to the next. If the Type is Inconclusive, the Name is Unspecified. |
| Action | Allow | The packet was allowed. |
| | Deny | The packet was denied. This is always the result when the Type is Security. |
| Interface | Interface name | The egress interface. This is the user-defined name (for example, External), not the system name (for example, eth0). |
| Source NAT IP | IP address | The IP address to which the original source IP address was changed by NAT. |
| Source NAT Port | TCP/UDP port | The TCP or UDP port to which the original source port was changed by NAT. |
| Destination NAT IP | IP address | The IP address to which the original destination IP address was changed by NAT. |
| Destination NAT Port | TCP/UDP port | The TCP or UDP port to which the original destination port was changed by NAT. |
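The following Python model, added here as an example and not WatchGuard's own code, shows how the result elements in the table above fit together and how you can turn Policy Checker into a regression test for a ruleset: a security measure such as Blocked Sites denies the packet before any policy is consulted and highlights nothing, a policy match yields a Policy result whose Interface and NAT elements are present only when they were established, an unparseable packet yields Inconclusive/Unspecified, and a batch of expected dispositions can be compared against what the ruleset actually does. The evaluation order (Blocked Sites first, then first-match policy lookup, then a default deny), the policy and interface names, the `Default-Deny` name for an unmatched packet, and the addresses are all assumptions made for this example.

```python
"""Model of the Policy Checker result elements, as a constructed example.

This is not WatchGuard's code. It assumes a simplified evaluation order
(Blocked Sites match first, then first-match policy lookup, then a default
deny) and uses hypothetical policy names, interface names and addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str                       # name shown in the Firewall Policies list
    protocol: str                   # "tcp", "udp" or "icmp"
    dst_port: Optional[int]         # None = any destination port
    src: str                        # permitted source network (CIDR)
    dst: str                        # permitted destination network (CIDR)
    action: str                     # "Allow" or "Deny"
    egress: str                     # user-defined egress interface name
    snat_ip: Optional[str] = None   # source IP after dynamic NAT, if any
    dnat: Optional[tuple] = None    # (ip, port) after destination NAT, if any


# Constructed sample ruleset (hypothetical names, documentation addresses).
POLICIES = [
    Policy("HTTP-Out", "tcp", 80, "10.0.1.0/24", "0.0.0.0/0", "Allow",
           "External", snat_ip="203.0.113.2"),
    Policy("Web-Server-In", "tcp", 443, "0.0.0.0/0", "203.0.113.10/32",
           "Allow", "Trusted", dnat=("10.0.2.10", 8443)),
    Policy("SMTP-Deny", "tcp", 25, "10.0.1.0/24", "0.0.0.0/0", "Deny",
           "External"),
]
BLOCKED_SITES = ["198.51.100.0/24"]


def _matches(p, src, dst, protocol, dst_port):
    return (p.protocol == protocol
            and (p.dst_port is None or p.dst_port == dst_port)
            and src in ip_network(p.src)
            and dst in ip_network(p.dst))


def policy_check(src_ip, dst_ip, protocol, dst_port=None,
                 policies=POLICIES, blocked_sites=BLOCKED_SITES):
    """Return a Results dict holding only elements whose value is established."""
    try:
        src, dst = ip_address(src_ip), ip_address(dst_ip)
    except ValueError:
        # Disposition could not be interpreted; Type and Name are still present.
        return {"Type": "Inconclusive", "Name": "Unspecified"}

    # A security measure drops the packet before any policy is consulted:
    # the result is always Deny and no policy is highlighted.
    if any(src in ip_network(n) or dst in ip_network(n) for n in blocked_sites):
        return {"Type": "Security", "Name": "Blocked Sites", "Action": "Deny"}

    for p in policies:  # first matching policy wins (assumed ordering)
        if _matches(p, src, dst, protocol, dst_port):
            result = {"Type": "Policy", "Name": p.name, "Action": p.action}
            if p.action == "Allow":
                # Egress interface and NAT elements exist only for forwarded packets.
                result["Interface"] = p.egress
                if p.snat_ip:
                    result["Source NAT IP"] = p.snat_ip
                if p.dnat:
                    result["Destination NAT IP"], result["Destination NAT Port"] = p.dnat
            return result

    # No policy matched: modelled as a deny by a hidden default policy
    # ("Default-Deny" is a hypothetical name, not a Fireware identifier).
    return {"Type": "Policy", "Name": "Default-Deny", "Action": "Deny"}


def verify_expectations(cases, **kwargs):
    """Run a batch of test packets and return those whose Type or Action
    differs from what the ruleset is supposed to do. Each case is
    (packet_kwargs, expected_type, expected_action)."""
    mismatches = []
    for packet, exp_type, exp_action in cases:
        r = policy_check(**packet, **kwargs)
        if r["Type"] != exp_type or r.get("Action") != exp_action:
            mismatches.append((packet, r))
    return mismatches


if __name__ == "__main__":
    cases = [
        ({"src_ip": "10.0.1.5", "dst_ip": "93.184.216.34", "protocol": "tcp", "dst_port": 80}, "Policy", "Allow"),
        ({"src_ip": "10.0.1.5", "dst_ip": "198.51.100.9", "protocol": "tcp", "dst_port": 80}, "Security", "Deny"),
        ({"src_ip": "10.0.1.5", "dst_ip": "93.184.216.34", "protocol": "tcp", "dst_port": 25}, "Policy", "Allow"),
    ]
    for packet, r in verify_expectations(cases):
        print("unexpected disposition:", packet, "->", r)
```

The third case in the driver is deliberately wrong about the ruleset (it expects outbound SMTP to be allowed while `SMTP-Deny` blocks it), so it is the one reported; keeping a list of such expected dispositions and re-running it after every policy change is the practical use of Policy Checker that the text describes. Note that a Security result carries no Interface or NAT elements at all, which is why the comparison uses `r.get("Action")` and a full dict for the Security case rather than indexing fields that may be absent.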