Useful CLIs for monitoring PBR

Run the monitoring commands described in this topic from the Firewall Threat Defense device CLI.

Interface configurations

To view the interface configurations of the device, run the show run interface command:

> show run interface
!
interface Ethernet1/1
 description Outside isp1 handoff
 nameif outside1
 security-level 0
 zone-member ECMP-WAN
 ip address dhcp setroute
 policy-route cost 10
 policy-route path-monitoring 8.8.8.8
 policy-route path-monitoring object-group network-service FMC_NSG_4295470581
 policy-route path-monitoring object-group network-service FMC_NSG_4295470600
!
interface Ethernet1/2
 description Outside isp2 handoff 
 nameif outside2 
 security-level 0 
 zone-member ECMP-WAN
 ip address 192.133.243.240 255.255.255.192 
 policy-route cost 20 
 policy-route path-monitoring 8.8.8.8
 policy-route path-monitoring object-group network-service FMC_NSG_4295470581
 policy-route path-monitoring object-group network-service FMC_NSG_4295470600
!

DNS configurations

Application-based routing uses only trusted DNS servers to resolve domains. To view the DNS configurations of the device, run the show run dns command:

> show run dns
DNS server-group DefaultDNS 
dns trusted-source 10.100.0.5 
dns trusted-source 10.200.0.5

Route map configurations

When you configure PBR on the device, the Management Center auto-generates the route-map and applies it to the specified ingress interface. To view the route maps of the device, run the show run route-map command:

> show run route-map 
!
route-map FMC_VPN_CONNECTED_DIST_RMAP_1000 permit 10 
 match interface inside-employee
 set community 1000 
!
route-map FMC_GENERATED_PBR_1729024850865 permit 5
 match ip address Cloud-storage-apps-acl
 set adaptive-interface cost outside1 outside2
!
route-map FMC_GENERATED_PBR_1729024850865 permit 10
 match ip address Social-media-apps-acl
 set adaptive-interface rtt outside1 outside2
!
route-map FMC_GENERATED_PBR_1729024850865 permit 15
 match ip address Conferencing-apps-acl
 set adaptive-interface jitter outside1 outside2
!
route-map FMC_GENERATED_PBR_1729024850865 permit 20
 match ip address Corp-internal-apps-acl
 set adaptive-interface cost outside1_static_vti_1 outside2_static_vti_4

Access lists and network service groups configurations

The route map applied to the ingress interface can reference an extended access control list. To view the details of an access list for PBR, run the show run access-list <access_list_name> command:

> show run access-list Cloud-storage-apps-acl
access-list Cloud-storage-apps-acl extended permit ip any object-group-network-service FMC_NSG_4295470562

The network-service objects and object-groups are configured in extended access control lists and referenced in policy-based routing route maps and access control groups. To view the NSG configurations, run the show object-group network-service <network-service-groups-name> command. The network-service-groups-name is taken from the output of the preceding show command for the access list.

> show object-group network-service FMC_NSG_4295470562
object-group network-service FMC_NSG_4295470562 (id=0xfdff0000)
 network-service-member "Box" dynamic 
 description File storage and transfer site.
 app-id 1326
 domain box.com (bid=436735707) ip (hitcnt=0)
 domain boxcloud.com (bid=436924171) ip (hitcnt=0)
 domain box.net (bid=437080553) ip (hitcnt=0)
 domain box.org (bid=437174273) ip (hitcnt=0)
 domain boxcdn.net (bid=437272231) ip (hitcnt=0)
 domain boxrelay.com (bid=437481703) ip (hitcnt=0)
 domain boxenterprise.net (bid=437626005) ip (hitcnt=0)
 domain boxinvestorrelations.com (bid=437672765) ip (hitcnt=0)
 domain segment-box.com (bid=437886771) ip (hitcnt=0)
 domain box-corp.com (bid=437924995) ip (hitcnt=0)
 domain boxcn.net (bid=438072833) ip (hitcnt=0)
 network-service-member "Dropbox" dynamic
 description Cloud based file storage.
 app-id 125
 domain dropbox.com (bid=24259639) ip (hitcnt=0)
 domain cfl.dropboxstatic.com (bid=24495525) ip (hitcnt=0)
 domain dl.dropboxusercontent.com (bid=24596237) ip (hitcnt=0)
 domain dropboxapi.com (bid=24694467) ip (hitcnt=0)
 domain dropboxbusiness.com (bid=24859859) ip (hitcnt=0)
 domain dropboxcaptcha.com (bid=25008145) ip (hitcnt=0)
 domain dropbox-dns.com (bid=25087753) ip (hitcnt=0)
 domain dropboxer.net (bid=25236751) ip (hitcnt=0)
 domain dropboxusercontent.com (bid=25324335) ip (hitcnt=0)
 domain getdropbox.com (bid=25437501) ip (hitcnt=0)
 domain cloudon.com (bid=25580229) ip (hitcnt=0)

Path monitoring configurations

To view the path monitoring metrics collected on the egress interface, run the show path-monitor command:

> show path-monitor 
Interface: outside2 (Ethernet1/2)
Remote peer: 8.8.8.8
    Remote peer reachable: Yes
    RTT average: 9138 microsecond(s)
    Jitter: 1093 microsecond(s)
    Packet loss: 0%
    MOS: 4.39
    Last updated: 12 second(s) ago

Interface: outside2 (Ethernet1/2)
Remote NSG: FMC_NSG_4295470581
    Network Service: Facebook
    Domain name: fbsbx.com
    Remote peer reachable: Yes
    RTT average: 17460 microsecond(s)
    Jitter: 911 microsecond(s)
    Packet loss: 0%
    MOS: 4.39
    Last updated: 12 second(s) ago

    Network Service: Facebook
    Domain name: facebook.net
    Remote peer reachable: Yes
    RTT average: 17444 microsecond(s)
    Jitter: 836 microsecond(s)
    Packet loss: 0%
    MOS: 4.39
    Last updated: 12 second(s) ago

    Network Service: Instagram
    Domain name: instagram.com
    Remote peer reachable: Yes
    RTT average: 17576 microsecond(s)
    Jitter: 429 microsecond(s)
    Packet loss: 0%
    MOS: 4.39
    Last updated: 12 second(s) ago

Interface: outside2 (Ethernet1/2)
Remote NSG: FMC_NSG_4295470600
    Network Service: WebEx
    Domain name: webex.com
    Remote peer reachable: Yes
    RTT average: 18537 microsecond(s)
    Jitter: 318 microsecond(s)
    Packet loss: 0%
    MOS: 4.39
    Last updated: 12 second(s) ago

    Network Service: Zoom
    Domain name: zoom.com
    Remote peer reachable: Yes
    RTT average: 98196 microsecond(s)
    Jitter: 4120 microsecond(s)
    Packet loss: 0%
    MOS: 4.34
    Last updated: 12 second(s) ago
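
The following parser is an added example, not part of the original documentation or of any Cisco tooling: it turns saved show path-monitor output into one record per probe and lists the probes that are unreachable or exceed a limit. The function names, the LIMITS values and the abridged sample output are assumptions made for illustration.

```python
import re

NUMERIC = {"RTT average", "Jitter", "Packet loss", "MOS", "Last updated"}
# Assumed limits (microseconds, percent, seconds); not device defaults.
LIMITS = {"RTT average": 50000, "Jitter": 3000, "Packet loss": 1, "Last updated": 60}

def parse_path_monitor(text):
    """Return one dict per probe: an IP peer, or each service domain under an NSG."""
    probes, iface, nsg, cur = [], None, None, None
    for line in text.splitlines():
        key, _, val = (p.strip() for p in line.partition(":"))
        if key == "Interface":
            iface = val.split()[0]
        elif key == "Remote NSG":
            nsg, cur = val, None
        elif key in ("Remote peer", "Network Service"):
            cur = {"interface": iface, "target": val if key == "Remote peer" else nsg, key: val}
            probes.append(cur)
        elif cur is not None and val:
            m = re.match(r"\d+(?:\.\d+)?", val) if key in NUMERIC else None
            cur[key] = float(m.group()) if m else val
    return probes

def degraded(probes, limits=LIMITS):
    """Return (interface, name, reasons) for unreachable or over-limit probes."""
    findings = []
    for p in probes:
        reasons = [k for k, lim in limits.items() if isinstance(p.get(k), float) and p[k] > lim]
        if p.get("Remote peer reachable") != "Yes":
            reasons.insert(0, "unreachable")
        if reasons:
            findings.append((p["interface"], p.get("Domain name", p["target"]), reasons))
    return findings

# Constructed, abridged sample in the field layout shown above.
SAMPLE = """\
Interface: outside1 (Ethernet1/1)
Remote peer: 8.8.8.8
    Remote peer reachable: No
    Packet loss: 100%
Interface: outside2 (Ethernet1/2)
Remote NSG: FMC_NSG_4295470600
    Network Service: Zoom
    Domain name: zoom.com
    Remote peer reachable: Yes
    RTT average: 98196 microsecond(s)
    Jitter: 4120 microsecond(s)
    Packet loss: 0%
"""
```

Calling degraded(parse_path_monitor(SAMPLE)) reports the unreachable 8.8.8.8 probe on outside1 and the zoom.com probe on outside2, whose RTT and jitter exceed the assumed limits.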