Policy tester

You can test firewall rules, SSL/TLS inspection rules, and web policies to see the action that Sophos Firewall would take for traffic matching these criteria.

Use the policy test before and after you edit a rule or policy to verify the applied action. You can go to the rule and policy you want to edit directly from the test results. Then, rerun the test after editing to verify the results.

Specify the URL, user, time schedule, source zone, and source IP address, and then apply the rules or policies you want to test.


Test results don't reflect SD-WAN routes, so they can differ from the actual outcome.

The feature tests web traffic in transparent mode.

  1. Enter the URL to test.
  2. Select Authenticated user and then select the user to test.
  3. Select the time and day.

    The test applies to traffic for this period.

  4. For Test method, select the rules and policies to test.

    • Firewall, SSL/TLS, and web: Applies the firewall rule (including web protection, if specified in the rule) and the SSL/TLS inspection rule that matches the service in the URL and the source IP address you specify.

      You can test the traffic to any destination port. Sophos Firewall applies the test using the default port of the specified protocol, such as SMTP and FTP.

      Example: If you specify, it matches the rules with HTTPS protocol over port 443. If you don't specify the protocol, it uses HTTP by default.

      You can also specify the port, for example,

      If the firewall rule includes an applied web policy, and the test is for HTTP or HTTPS protocols, the results include the web protection details, including the matched web policy.

    • Web policy only: Use this only to test a web policy. Firewall rules aren't applied. Select the web policy you want to test. For web policy, Sophos Firewall tests only HTTP and HTTPS protocols.


      Policy test can't match traffic with firewall rules and SSL/TLS inspection rules that have Source networks and devices set to MAC addresses.

  5. Enter the source IP address (the IP address from which the URL request is made).

  6. Select the source zone.

    Select Auto-detection to allow Sophos Firewall to determine the zone based on the source IP address you specify. Alternatively, select the zone if you want to limit the test to a specific zone or if you find that an incorrect zone is detected.

  7. Click Test.

    If a firewall rule or an SSL/TLS inspection rule is matched for the test, the hyperlinked name of the applied rule shows in the test results. Select the link to go to the rule in the corresponding rule table. You can then edit the rule or click Reset filter to see all the rules in the table.

    If a web policy is matched for the test, only the web policy attached to the policy and matching the traffic shows in the test results. To open the web policy, click the edit button next to the name of the web policy.
