ProxySG & Advanced Secure Gateway


 Is there a command to check what rule a traffic flow will hit?

Conlan Hartmann posted May 08, 2022 10:58 PM
Hi all.

Happy today!

I am new to the ProxySG platform and have a question about checking which rule a future traffic flow may match.

I have a list of new traffic flows that will be implemented in the near future, and I have taken it on myself to check that all of these new flows will be actioned appropriately.

Is there a command on the ProxySG devices similar to the Fortigate command that checks which policy a traffic flow will match?

The Fortigate command is:
#diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface>

Using this command, the Fortigate identifies which rule will match the traffic flow.

Instead of configuring all the rules with no checks, my intention is to check which of the new traffic flows would already be covered by an existing rule. This way I can configure only the required rules.

The reason is that there are already 571 rules in 59 layers, and I REALLY don't want to add to this if not required.

From my Googling it seems that all the hits say to use the Trace, but with the traffic flows not yet active, there are not going to be any hits on the Trace rules.

Thanks!

Conlan
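For readers who have not used it, the Trace referred to above is configured in CPL (Content Policy Language) rather than by a lookup command. The following is an added example and is not from the thread or from Broadcom's documentation: a policy-trace layer scoped to a single test client, so that only that host's transactions are traced and the trace file does not fill with production traffic. The client address 10.1.2.3 and the file name new_flows.html are assumed values chosen for the illustration.

```cpl
; Added example (not from the thread): a policy-trace layer in CPL.
; Guarded by client.address so only transactions from the test host are
; traced. The address and trace file name are assumed, not from the post.
<Proxy> client.address=10.1.2.3
    trace.request(yes) trace.rules(all) trace.destination("new_flows.html")
```

`trace.rules(all)` records every rule evaluated for the transaction, not just the matching ones, so the resulting trace shows which layer and rule produced the verdict. Once the layer is installed, each planned flow can be generated from the test host through the proxy (for example with a curl request using the proxy as an explicit proxy) and the trace read back from the management console under /Policy/Trace/ on port 8082. The layer should be removed once the review is done, since tracing adds per-transaction overhead.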
Broadcom Knight AKH_BC
In regard to your direct question, there is no command specific to what you are looking for that mirrors what you do on Fortigate.

That said, there are some creative avenues that can be evaluated on the proxy to help guide where and when to put/place policy, but these would not be best discussed here and are beyond the traditional support model provided by tech support. Engaging a Partner who can assist in getting your policy simplified and streamlined is advised, as unnecessary (or duplicated) layers and rules will impact speedy policy application.

Thanks.
Phil Jones
You could check the Policy Coverage feature; it is used to help streamline complex and excessive policies.

https://knowledge.broadcom.com/external/article/165841/how-can-i-find-which-policy-rules-are-be.html
Broadcom Knight AKH_BC
While Phil brings up a good point on Policy Coverage, it won't give you the granular view of "what policy or which policies" will be applied against the transaction. It is still a good idea to review it to make sure you have the traffic balanced between multiple proxy devices, by reviewing both Policy Coverage files.