Policy test

You can test firewall rules, SSL/TLS inspection rules, and web policies to see the action that XG Firewall would take for traffic matching these criteria.

Use the policy test before and after you edit a rule or policy to verify the applied action. You can go to the rule and policy you want to edit directly from the test results. Rerun the test after editing to verify the results.

Specify the URL, user, time schedule, source zone, and source IP address and then apply the rules or policies you want to test.

The feature tests web traffic in transparent mode.

  1. Enter the URL to test.
  2. Select Authenticated user and then select the user to test.
  3. Select the time and day. The test applies to traffic for this period.
  4. For Test method, select the rules and policies to test.
    • Firewall, SSL/TLS, and web: Applies the firewall rule (including web protection, if specified in the rule) and the SSL/TLS inspection rule that match the service in the URL and the source IP address you specify.

      You can test the traffic to any destination port. XG Firewall applies the test using the default port of the specified protocol, such as SMTP and FTP.

      Example: If you specify https://www.example.com, it matches the rules with HTTPS protocol over port 443. If you don't specify the protocol, HTTP is used by default.

      You can also specify the port, for example, testexample.com:21.

      If the firewall rule includes a web policy that's applied, and the test is for HTTP or HTTPS protocols, the results include the web protection details, including the matched web rule.

    • Web policy only: Use this only to test a web policy. Firewall rules aren't applied. Select the web policy you want to test. For web policy, XG Firewall tests only HTTP and HTTPS protocols.
    Note Policy test can't match traffic with firewall rules and SSL/TLS inspection rules that have Source networks and devices set to MAC addresses.
  5. Enter the source IP address (the IP address from which the URL request is made).
  6. Select the source zone.

    Select Auto-detection to allow XG Firewall to determine the zone based on the source IP address you specify. Alternatively, select the zone if you want to limit the test to a specific zone, or if you find that an incorrect zone is detected.

    Note Test results won't reflect changed zones when SD-WAN policy routing routes the connection through a zone other than the specified zone.
  7. Click Test.

    If a firewall rule or an SSL/TLS inspection rule is matched for the test, the hyperlinked name of the applied rule shows in the test results. Select the link to go to the rule in the corresponding rule table. You can then edit the rule, or click Reset filter to see all the rules in the table.

    If a web policy is matched for the test, only the web rule attached to the policy and matching the traffic shows in the test results. To open the web policy, click Edit next to the name of the web policy.