TechLibrary


show security policies

Syntax

show security policies
<detail>
<none>
<policy-name policy-name <detail>>
<global>

Release Information

Command modified in Junos OS Release 9.2. Support for IPv6 addresses added in Junos OS Release 10.2. Support for IPv6 addresses in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations added in Junos OS Release 10.4. Support for wildcard addresses added in Junos OS Release 11.1. Support for global policy added in Junos OS Release 11.4. Support for services offloading added in Junos OS Release 11.4. Support for source-identities added in Junos OS Release 12.1. The Description output field added in Junos OS Release 12.1. Support for negated address added in Junos OS Release 12.1X45-D10. The output fields for Policy Statistics expanded, and the output fields for the global and policy-name options expanded to include from-zone and to-zone global match criteria in Junos OS Release 12.1X47-D10.

Description

Display a summary of all security policies configured on the device. If a particular policy is specified, display information particular to that policy.

Options

  • none—Display basic information about all configured policies.
  • detail—(Optional) Display a detailed view of all of the policies configured on the device.
  • policy-name policy-name—(Optional) Display information about the specified policy.
  • global—Display information about global policies.

Required Privilege Level

view

List of Sample Output

show security policies
show security policies policy-name p1 detail
show security policies (services-offload)
show security policies detail
show security policies policy-name p1 (Negated Address)
show security policies policy-name p1 detail (Negated Address)
show security policies global

Output Fields

Table 1 lists the output fields for the show security policies command. Output fields are listed in the approximate order in which they appear.

Table 1: show security policies Output Fields

Field Name

Field Description

From zone

Name of the source zone.

To zone

Name of the destination zone.

Policy

Name of the applicable policy.

Description

Description of the applicable policy.

State

Status of the policy:

  • enabled: The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.
  • disabled: The policy cannot be used in the policy lookup process, and therefore it is not available for access control.

Index

Internal number associated with the policy.

Sequence number

Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, 3. Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1, 2, 3, 4.

Source addresses

For standard display mode, the names of the source addresses for a policy. Address sets are resolved to their individual names.

For detail display mode, the names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.

Destination addresses

Name of the destination address (or address set) as it was entered in the destination zone’s address book. A packet’s destination address must match this value for the policy to apply to it.

Source addresses (excluded)

Name of the source address excluded from the policy.

Destination addresses (excluded)

Name of the destination address excluded from the policy.

Source identities

One or more user roles specified for a policy.

Applications

Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.

  • IP protocol: The Internet protocol used by the application—for example, TCP, UDP, ICMP.
  • ALG: If an ALG is explicitly associated with the policy, the name of the ALG is displayed. If application-protocol ignore is configured, ignore is displayed. Otherwise, 0 is displayed.

    However, even if this command shows ALG: 0, ALGs might still be triggered for packets destined to well-known ports on which ALGs are listening, unless ALGs are explicitly disabled; for custom applications this also happens when application-protocol ignore is not configured.

  • Inactivity timeout: Elapsed time without activity after which the application is terminated.
  • Source port range: The low-high source port range for the session application.

Destination Address Translation

Status of the destination address translation traffic:

  • drop translated—Drop the packets with translated destination addresses.
  • drop untranslated—Drop the packets without translated destination addresses.

Application Firewall

An application firewall includes the following:

  • Rule-set—Name of the rule set.
  • Rule—Name of the rule.
    • Dynamic applications—Name of the applications.
    • Dynamic application groups—Name of the application groups.
    • Action—The action taken with respect to a packet that matches the application firewall rule set. Actions include the following:
      • permit
      • deny
  • Default rule—The default rule applied when the identified application is not specified in any rules of the rule set.

Action or Action-type

  • The action taken in regard to a packet that matches the policy’s tuples. Actions include the following:
    • permit
    • firewall-authentication
    • tunnel ipsec-vpn vpn-name
    • pair-policy pair-policy-name
    • source-nat pool pool-name
    • pool-set pool-set-name
    • interface
    • destination-nat name
    • deny
    • reject
    • services-offload

Session log

Session log entry that indicates whether the at-create and at-close flags were set at configuration time to log session information.

Scheduler name

Name of a preconfigured scheduler whose schedule determines when the policy is active and can be used as a possible match for traffic.

Policy statistics

  • Input bytes—The total number of bytes presented for processing by the device.
    • Initial direction—The number of bytes presented for processing by the device from the initial direction.
    • Reply direction—The number of bytes presented for processing by the device from the reply direction.
  • Output bytes—The total number of bytes actually processed by the device.
    • Initial direction—The number of bytes from the initial direction actually processed by the device.
    • Reply direction—The number of bytes from the reply direction actually processed by the device.
  • Input packets—The total number of packets presented for processing by the device.
    • Initial direction—The number of packets presented for processing by the device from the initial direction.
    • Reply direction—The number of packets presented for processing by the device from the reply direction.
  • Output packets—The total number of packets actually processed by the device.
    • Initial direction—The number of packets actually processed by the device from the initial direction.
    • Reply direction—The number of packets actually processed by the device from the reply direction.
  • Session rate—The total number of active and deleted sessions.
  • Active sessions—The number of sessions currently present because of access control lookups that used this policy.
  • Session deletions—The number of sessions deleted since system startup.
  • Policy lookups—The number of times the policy was accessed to check for a match.

Note: Policy statistics are displayed only when the policy (p1 in the sample output) is configured with the count option.

Sample Output

show security policies

user@host> show security policies
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Sequence number: 1
    Source addresses:
    sa-1-ipv4: 2.2.2.0/24
    sa-2-ipv6: 2001:0db8::/32
    sa-3-ipv6: 2001:0db6/24
    sa-4-wc: 192.168.0.11/255.255.0.255
    Destination addresses:
    da-1-ipv4: 2.2.2.0/24
    da-2-ipv6: 2400:0af8::/32
    da-3-ipv6: 2400:0d78:0/24 
    da-4-wc: 192.168.22.11/255.255.0.255
    Source identities: role1, role2, role4
    Applications: any
    Action: permit, application services, log, scheduled
    Application firewall : my_ruleset1 
  Policy: p2, State: enabled, Index: 5, Sequence number: 2
    Source addresses:
    sa-1-ipv4: 2.2.2.0/24
    sa-2-ipv6: 2001:0db8::/32
    sa-3-ipv6: 2001:0db6/24
    Destination addresses:
    da-1-ipv4: 2.2.2.0/24
    da-2-ipv6: 2400:0af8::/32
    da-3-ipv6: 2400:0d78:0/24
    Source identities: role1, role4
    Applications: any
    Action: deny, scheduled
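As an added example that is not part of this page or of Junos, the following Python parses the summary form of the output shown above into one record per policy (keeping the from-zone/to-zone context and handling address lists that span several lines) and then flags enabled permit policies that match any source, any destination and any application without session logging. The sample text is constructed to mirror the page's format, not captured from a device.

```python
import re
# Constructed sample in the summary format this page documents (not captured from a device).
SAMPLE = """\
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Sequence number: 1
    Source addresses:
    sa-1-ipv4: 2.2.2.0/24
    Destination addresses: any
    Applications: any
    Action: permit, log, scheduled
  Policy: p2, State: enabled, Index: 5, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: untrust, To zone: trust
  Policy: p3, State: disabled, Index: 6, Scope Policy: 0, Sequence number: 1
    Applications: junos-ssh
    Action: deny
"""
ZONE_RE = re.compile(r"From zone: (\S+), To zone: (\S+)")
POLICY_RE = re.compile(r"Policy: (\S+), State: (\w+), Index: (\d+),(?: Scope Policy: \d+,)? Sequence number: (\d+)")
LIST_FIELDS = ("Source addresses", "Destination addresses", "Source identities", "Applications", "Action")

def parse_policies(text):
    """One dict per policy, carrying the from-zone/to-zone context it was listed under."""
    policies, zones, cur, field = [], None, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := ZONE_RE.match(line):            # new zone-pair context
            zones = m.groups()
        elif m := POLICY_RE.match(line):        # policy header; its fields follow
            cur = {"name": m[1], "state": m[2], "index": int(m[3]), "seq": int(m[4]),
                   "from": zones[0], "to": zones[1], **{f: [] for f in LIST_FIELDS}}
            policies.append(cur)
            field = None
        elif cur and ":" in line:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            if key in LIST_FIELDS:              # inline "Field: a, b", or "Field:" with entries below
                field = key
                cur[key] = [v.strip() for v in val.split(",")] if val else []
            elif field in ("Source addresses", "Destination addresses"):
                cur[field].append(key)          # address-book entry name; its prefix follows the colon
    return policies

def risky_policies(policies):
    """Enabled permit policies that match any source, destination and application but never log."""
    return [f'{p["from"]}->{p["to"]} {p["name"]} (seq {p["seq"]})' for p in policies
            if p["state"] == "enabled" and "permit" in p["Action"] and "log" not in p["Action"]
            and all(p[f] == ["any"] for f in ("Source addresses", "Destination addresses", "Applications"))]
```

Requires Python 3.8 or later for the := assignment expressions; feed it the text of show security policies captured from the device.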

show security policies policy-name p1 detail

user@host> show security policies policy-name p1 detail
Policy: p1, action-type: permit, State: enabled, Index: 4
  Description: The policy p1 is for the sales team
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    sa-1-ipv4: 2.2.2.0/24
    sa-2-ipv6: 2001:0db8::/32
    sa-3-ipv6: 2001:0db6/24
    sa-4-wc: 192.168.0.11/255.255.0.255
  Destination addresses:
    da-1-ipv4: 2.2.2.0/24
    da-2-ipv6: 2400:0af8::/32
    da-3-ipv6: 2400:0d78:0/24
    da-4-wc: 192.168.22.11/255.255.0.255
  Source identities:
    role1
    role2
    role4
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Destination Address Translation: drop translated
  Application firewall :
    Rule-set: my_ruleset1
      Rule: rule1
        Dynamic Applications: junos:FACEBOOK, junos:YSMG
        Dynamic Application groups: junos:web, junos:chat
        Action: deny
      Default rule: permit
  Session log: at-create, at-close
  Scheduler name: sch20
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input  bytes       :                18144                  545 bps
      Initial direction:                 9072                  272 bps
      Reply direction  :                 9072                  272 bps 
    Output bytes       :                18144                  545 bps
      Initial direction:                 9072                  272 bps 
      Reply direction  :                 9072                  272 bps 
    Input  packets     :                  216                    6 pps
      Initial direction:                  108                    3 bps   
      Reply direction  :                  108                    3 bps   
    Output packets     :                  216                    6 pps
      Initial direction:                  108                    3 bps   
      Reply direction  :                  108                    3 bps   
    Session rate       :                  108                    3 sps
    Active sessions    :                   93
    Session deletions  :                   15
    Policy lookups     :                  108

show security policies (services-offload)

user@host> show security policies
Default policy: deny-all
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Source identities: role1, role2, role4
    Applications: any
    Action: permit, services-offload, count
From zone: untrust, To zone: trust
  Policy: p2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Source identities: role1, role2, role4
    Applications: any
    Action: permit, services-offload

show security policies detail

user@host> show security policies detail
Default policy: deny-all
Policy: p1, action-type: permit, services-offload:enabled , State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Description: The policy p1 is for the sales team
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Source identities:
    role1
    role2
    role4
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0] 
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input  bytes       :                18144                  545 bps
      Initial direction:                 9072                  272 bps
      Reply direction  :                 9072                  272 bps 
    Output bytes       :                18144                  545 bps
      Initial direction:                 9072                  272 bps 
      Reply direction  :                 9072                  272 bps 
    Input  packets     :                  216                    6 pps
      Initial direction:                  108                    3 bps   
      Reply direction  :                  108                    3 bps   
    Output packets     :                  216                    6 pps
      Initial direction:                  108                    3 bps   
      Reply direction  :                  108                    3 bps   
    Session rate       :                  108                    3 sps
    Active sessions    :                   93
    Session deletions  :                   15
    Policy lookups     :                  108    
Policy: p2, action-type: permit, services-offload:enabled , State: enabled, Index: 5, Scope Policy: 0
  Policy Type: Configured
  Description: The policy p2 is for the sales team
  Sequence number: 1
  From zone: untrust, To zone: trust
  Source addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Source identities:
    role1
    role2
    role4
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0] 
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No

show security policies policy-name p1 (Negated Address)

user@host> show security policies policy-name p1
node0:
--------------------------------------------------------------------------
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses(excluded): as1
    Destination addresses(excluded): as2
    Applications: any
    Action: permit

show security policies policy-name p1 detail (Negated Address)

user@host> show security policies policy-name p1 detail
node0:
--------------------------------------------------------------------------
Policy: p1, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses(excluded):
    ad1(ad): 255.255.255.255/32 
    ad2(ad): 1.1.1.1/32 
    ad3(ad): 15.100.199.56 ~ 15.200.100.16 
    ad4(ad): 15.100.196.0/22 
    ad5(ad): 15.1.7.199 ~ 15.1.8.19 
    ad6(ad): 15.1.8.0/21 
    ad7(ad): 15.1.7.0/24
  Destination addresses(excluded): 
    ad13(ad2): 20.1.7.0/24 
    ad12(ad2): 20.1.4.1/32 
    ad11(ad2): 20.1.7.199 ~ 20.1.8.19 
    ad10(ad2): 50.1.4.0/22 
    ad9(ad2): 20.1.1.11 ~ 50.1.5.199 
    ad8(ad2): 2.1.1.1/32
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0] 
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No

show security policies global

user@host> show security policies global policy-name Pa
node0:
--------------------------------------------------------------------------
  Global policies:
  Policy: Pa, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    From zones: zone1, zone2
    To zones: zone3, zone4
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit

Published: 2014-05-26