
    show security policies

    Syntax

    show security policies
    <detail | none>
    <policy-name policy-name <detail>>
    <global>

    Release Information

    Command modified in Junos OS Release 9.2. Support for IPv6 addresses added in Junos OS Release 10.2. Support for IPv6 addresses in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations added in Junos OS Release 10.4. Support for wildcard addresses added in Junos OS Release 11.1. Support for global policy added in Junos OS Release 11.4. Support for services offloading added in Junos OS Release 11.4. Support for source-identities added in Junos OS Release 12.1. The Description output field added in Junos OS Release 12.1. Support for negated address added in Junos OS Release 12.1X45-D10. The output fields for Policy Statistics expanded, and the output fields for the global and policy-name options expanded to include from-zone and to-zone global match criteria in Junos OS Release 12.1X47-D10. Support for the initial-tcp-mss and reverse-tcp-mss options added in Junos OS Release 12.3X48-D20.

    Description

    Display a summary of all security policies configured on the device. If a particular policy is specified, display information particular to that policy.

    Options

    • none—Display basic information about all configured policies.
    • detail—(Optional) Display a detailed view of all of the policies configured on the device.
    • policy-name policy-name—(Optional) Display information about the specified policy.
    • global—(Optional) Display information about global policies.

    Required Privilege Level

    view

    List of Sample Output

    show security policies
    show security policies policy-name p1 detail
    show security policies (services-offload)
    show security policies detail
    show security policies detail (TCP Options)
    show security policies policy-name p1 (Negated Address)
    show security policies policy-name p1 detail (Negated Address)
    show security policies global

    Output Fields

    Table 1 lists the output fields for the show security policies command. Output fields are listed in the approximate order in which they appear.

    Table 1: show security policies Output Fields

    Field Name

    Field Description

    From zone

    Name of the source zone.

    To zone

    Name of the destination zone.

    Policy

    Name of the applicable policy.

    Description

    Description of the applicable policy.

    State

    Status of the policy:

    • enabled: The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.
    • disabled: The policy cannot be used in the policy lookup process, and therefore it is not available for access control.

    Index

    Internal number associated with the policy.

    Sequence number

    Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, 3. Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1, 2, 3, 4.

    Source addresses

    For standard display mode, the names of the source addresses for a policy. Address sets are resolved to their individual names.

    For detail display mode, the names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.

    Destination addresses

    For standard display mode, the names of the destination addresses (or address sets) as entered in the destination zone's address book. For detail display mode, the names and corresponding IP addresses, with address sets resolved to their individual address name-IP address pairs. A packet's destination address must match this value for the policy to apply to it.

    Source addresses (excluded)

    Name of the source address (or address set) negated in the policy: the policy matches traffic from any source address except those listed.

    Destination addresses (excluded)

    Name of the destination address (or address set) negated in the policy: the policy matches traffic to any destination address except those listed.

    Source identities

    One or more user roles specified for a policy.

    Applications

    Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.

    • IP protocol: The Internet protocol used by the application—for example, TCP, UDP, ICMP.
    • ALG: If an ALG is explicitly associated with the policy, the name of the ALG is displayed. If application-protocol ignore is configured, ignore is displayed. Otherwise, 0 is displayed.

      However, even if this command shows ALG: 0, an ALG can still be triggered for packets destined to a well-known port on which that ALG listens, unless ALGs are explicitly disabled or the custom application is configured with application-protocol ignore.

    • Inactivity timeout: Elapsed time without activity after which the session for the application is closed.
    • Source port range: The low-high source port range for the session application.

    Destination Address Translation

    Status of the destination address translation traffic:

    • drop translated—Drop the packets with translated destination addresses.
    • drop untranslated—Drop the packets without translated destination addresses.

    Application Firewall

    An application firewall includes the following:

    • Rule-set—Name of the rule set.
    • Rule—Name of the rule.
      • Dynamic applications—Name of the applications.
      • Dynamic application groups—Name of the application groups.
      • Action—The action taken with respect to a packet that matches the application firewall rule set. Actions include the following:
        • permit
        • deny
    • Default rule—The default rule applied when the identified application is not specified in any rules of the rule set.

    Action or Action-type

    • The action taken in regard to a packet that matches the policy’s tuples. Actions include the following:
      • permit
      • firewall-authentication
      • tunnel ipsec-vpn vpn-name
      • pair-policy pair-policy-name
      • source-nat pool pool-name
      • pool-set pool-set-name
      • interface
      • destination-nat name
      • deny
      • reject
      • services-offload

    Session log

    Session log entry that indicates whether the at-create and at-close flags were set at configuration time to log session information.

    Scheduler name

    Name of a preconfigured scheduler whose schedule determines when the policy is active and can be used as a possible match for traffic.

    Policy statistics

    • Input bytes—The total number of bytes presented for processing by the device.
      • Initial direction—The number of bytes presented for processing by the device from the initial direction.
      • Reply direction—The number of bytes presented for processing by the device from the reply direction.
    • Output bytes—The total number of bytes actually processed by the device.
      • Initial direction—The number of bytes from the initial direction actually processed by the device.
      • Reply direction—The number of bytes from the reply direction actually processed by the device.
    • Input packets—The total number of packets presented for processing by the device.
      • Initial direction—The number of packets presented for processing by the device from the initial direction.
      • Reply direction—The number of packets presented for processing by the device from the reply direction.
    • Output packets—The total number of packets actually processed by the device.
      • Initial direction—The number of packets actually processed by the device from the initial direction.
      • Reply direction—The number of packets actually processed by the device from the reply direction.
    • Session rate—The total number of active and deleted sessions.
    • Active sessions—The number of sessions currently present because of access control lookups that used this policy.
    • Session deletions—The number of sessions deleted since system startup.
    • Policy lookups—The number of times the policy was accessed to check for a match.

    Note: Policy statistics are displayed only for a policy configured with the count option (policy p1 in the sample output is configured with count).

    Per policy TCP Options

    Configured SYN and sequence checks, and the configured TCP MSS value for the initial direction and/or the reverse direction.

    Sample Output

    show security policies

    user@host> show security policies
    From zone: trust, To zone: untrust
      Policy: p1, State: enabled, Index: 4, Sequence number: 1
        Source addresses:
        sa-1-ipv4: 2.2.2.0/24
        sa-2-ipv6: 2001:0db8::/32
        sa-3-ipv6: 2001:0db6::/24
        sa-4-wc: 192.168.0.11/255.255.0.255
        Destination addresses:
        da-1-ipv4: 2.2.2.0/24
        da-2-ipv6: 2400:0af8::/32
        da-3-ipv6: 2400:0d78::/24
        da-4-wc: 192.168.22.11/255.255.0.255
        Source identities: role1, role2, role4
        Applications: any
        Action: permit, application services, log, scheduled
        Application firewall : my_ruleset1
      Policy: p2, State: enabled, Index: 5, Sequence number: 2
        Source addresses:
        sa-1-ipv4: 2.2.2.0/24
        sa-2-ipv6: 2001:0db8::/32
        sa-3-ipv6: 2001:0db6::/24
        Destination addresses:
        da-1-ipv4: 2.2.2.0/24
        da-2-ipv6: 2400:0af8::/32
        da-3-ipv6: 2400:0d78::/24
        Source identities: role1, role4
        Applications: any
        Action: deny, scheduled
    

    show security policies policy-name p1 detail

    user@host> show security policies policy-name p1 detail
    Policy: p1, action-type: permit, State: enabled, Index: 4
      Description: The policy p1 is for the sales team
      Sequence number: 1
      From zone: trust, To zone: untrust
      Source addresses:
        sa-1-ipv4: 2.2.2.0/24
        sa-2-ipv6: 2001:0db8::/32
        sa-3-ipv6: 2001:0db6::/24
        sa-4-wc: 192.168.0.11/255.255.0.255
      Destination addresses:
        da-1-ipv4: 2.2.2.0/24
        da-2-ipv6: 2400:0af8::/32
        da-3-ipv6: 2400:0d78::/24
        da-4-wc: 192.168.22.11/255.255.0.255
      Source identities:
        role1
        role2
        role4
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Destination Address Translation: drop translated
      Application firewall :
        Rule-set: my_ruleset1
          Rule: rule1
            Dynamic Applications: junos:FACEBOOK, junos:YSMG
            Dynamic Application groups: junos:web, junos:chat
            Action: deny
          Default rule: permit
      Session log: at-create, at-close
      Scheduler name: sch20
      Per policy TCP Options: SYN check: No, SEQ check: No
      Policy statistics:
        Input  bytes       :                18144                  545 bps
          Initial direction:                 9072                  272 bps
          Reply direction  :                 9072                  272 bps
        Output bytes       :                18144                  545 bps
          Initial direction:                 9072                  272 bps
          Reply direction  :                 9072                  272 bps
        Input  packets     :                  216                    6 pps
          Initial direction:                  108                    3 pps
          Reply direction  :                  108                    3 pps
        Output packets     :                  216                    6 pps
          Initial direction:                  108                    3 pps
          Reply direction  :                  108                    3 pps
        Session rate       :                  108                    3 sps
        Active sessions    :                   93
        Session deletions  :                   15
        Policy lookups     :                  108

    show security policies (services-offload)

    user@host> show security policies
    Default policy: deny-all
    From zone: trust, To zone: untrust
      Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: any
        Source identities: role1, role2, role4
        Applications: any
        Action: permit, services-offload, count
    From zone: untrust, To zone: trust
      Policy: p2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: any
        Source identities: role1, role2, role4
        Applications: any
        Action: permit, services-offload

    show security policies detail

    user@host> show security policies detail
    Default policy: deny-all
    Policy: p1, action-type: permit, services-offload:enabled , State: enabled, Index: 4, Scope Policy: 0
      Policy Type: Configured
      Description: The policy p1 is for the sales team
      Sequence number: 1
      From zone: trust, To zone: untrust
      Source addresses:
        any-ipv4(global): 0.0.0.0/0
        any-ipv6(global): ::/0
      Destination addresses:
        any-ipv4(global): 0.0.0.0/0
        any-ipv6(global): ::/0
      Source identities:
        role1
        role2
        role4
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Per policy TCP Options: SYN check: No, SEQ check: No
      Policy statistics:
        Input  bytes       :                18144                  545 bps
          Initial direction:                 9072                  272 bps
          Reply direction  :                 9072                  272 bps
        Output bytes       :                18144                  545 bps
          Initial direction:                 9072                  272 bps
          Reply direction  :                 9072                  272 bps
        Input  packets     :                  216                    6 pps
          Initial direction:                  108                    3 pps
          Reply direction  :                  108                    3 pps
        Output packets     :                  216                    6 pps
          Initial direction:                  108                    3 pps
          Reply direction  :                  108                    3 pps
        Session rate       :                  108                    3 sps
        Active sessions    :                   93
        Session deletions  :                   15
        Policy lookups     :                  108
    Policy: p2, action-type: permit, services-offload:enabled , State: enabled, Index: 5, Scope Policy: 0
      Policy Type: Configured
      Description: The policy p2 is for the sales team
      Sequence number: 1
      From zone: untrust, To zone: trust
      Source addresses:
        any-ipv4(global): 0.0.0.0/0
        any-ipv6(global): ::/0
      Destination addresses:
        any-ipv4(global): 0.0.0.0/0
        any-ipv6(global): ::/0
      Source identities:
        role1
        role2
        role4
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Per policy TCP Options: SYN check: No, SEQ check: No
    

    show security policies detail (TCP Options)

    user@host> show security policies policy-name policy1 detail
    node0:
    --------------------------------------------------------------------------
    Policy: policy1, action-type: permit, State: enabled, Index: 7, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 2
      From zone: trust, To zone: untrust
      Source addresses:
        any-ipv4(global): 0.0.0.0/0
        any-ipv6(global): ::/0
      Destination addresses:
        any-ipv4(global): 0.0.0.0/0
        any-ipv6(global): ::/0
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Per policy TCP Options: SYN check: No, SEQ check: No
      Per policy TCP MSS: initial: 800, reverse: 900
    

    show security policies policy-name p1 (Negated Address)

    user@host> show security policies policy-name p1
    node0:
    --------------------------------------------------------------------------
    From zone: trust, To zone: untrust
      Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
        Source addresses(excluded): as1
        Destination addresses(excluded): as2
        Applications: any
        Action: permit
    

    show security policies policy-name p1 detail (Negated Address)

    user@host> show security policies policy-name p1 detail
    node0:
    --------------------------------------------------------------------------
    Policy: p1, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 1
      From zone: trust, To zone: untrust
      Source addresses(excluded):
        ad1(ad): 255.255.255.255/32 
        ad2(ad): 1.1.1.1/32 
        ad3(ad): 15.100.199.56 ~ 15.200.100.16 
        ad4(ad): 15.100.196.0/22 
        ad5(ad): 15.1.7.199 ~ 15.1.8.19 
        ad6(ad): 15.1.8.0/21 
        ad7(ad): 15.1.7.0/24
      Destination addresses(excluded): 
        ad13(ad2): 20.1.7.0/24 
        ad12(ad2): 20.1.4.1/32 
        ad11(ad2): 20.1.7.199 ~ 20.1.8.19 
        ad10(ad2): 50.1.4.0/22 
        ad9(ad2): 20.1.1.11 ~ 50.1.5.199 
        ad8(ad2): 2.1.1.1/32
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0] 
          Destination port range: [0-0]
      Per policy TCP Options: SYN check: No, SEQ check: No
    

    show security policies global

    user@host> show security policies global policy-name Pa
    node0:
    --------------------------------------------------------------------------
      Global policies:
      Policy: Pa, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
        From zones: zone1, zone2
        To zones: zone3, zone4
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit
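
    The listings above are what a rulebase review actually works from. The following Python script is an added example, not part of Junos OS or the Juniper documentation: it parses the standard (non-detail) zone-context and global listings, using the field names documented in Table 1, and reports policies a reviewer would want to examine (an enabled permit whose source, destination and application are all any; a permit whose Action line carries no log flag; a disabled policy; a default policy other than deny-all). The sample output it runs on is constructed to match the format shown on this page, not captured from a device, and the audit rules are the script's own heuristics, not anything the device reports.

```python
"""Added example, not Junos OS/Juniper code: parse the standard listing of
`show security policies` and flag policies a reviewer would examine. The sample
is constructed in the documented format; the audit rules are this script's own."""
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
Default policy: deny-all
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, services-offload, count
  Policy: p2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source addresses:
    sa-1-ipv4: 2.2.2.0/24
    sa-2-ipv6: 2001:0db8::/32
    Destination addresses:
    da-1-ipv4: 2.2.2.0/24
    Source identities: role1, role4
    Applications: junos-https, junos-ssh
    Action: permit, log
  Policy: p3, State: disabled, Index: 6, Scope Policy: 0, Sequence number: 3
    Source addresses(excluded): as1
    Destination addresses: any
    Applications: any
    Action: deny
From zone: untrust, To zone: trust
  Policy: p4, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log
"""

POLICY_RE = re.compile(r"^\s*Policy:\s*(?P<name>\S+),\s*State:\s*(?P<state>\w+),"
                       r".*Sequence number:\s*(?P<seq>\d+)")
# Zone-pair listings put "From zone: X, To zone: Y" above their policies; global
# policies list "From zones: ..." and "To zones: ..." below the Policy line instead.
ZONE_RE = re.compile(r"^\s*From zone:\s*(?P<from>.+?),\s*To zone:\s*(?P<to>.+?)\s*$")
GLOBAL_RE = re.compile(r"^\s*(?P<which>From|To) zones:\s*(?P<val>.*?)\s*$")
FIELD_RE = re.compile(r"^\s*(?P<key>Source addresses(?:\(excluded\))?|Destination addresses"
                      r"(?:\(excluded\))?|Source identities|Applications|Action|Application firewall)"
                      r"\s*:\s*(?P<val>.*?)\s*$")
DEFAULT_RE = re.compile(r"^\s*Default policy:\s*(?P<val>\S+)")

@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    state: str
    sequence: int
    fields: dict = field(default_factory=dict)  # e.g. "Action" -> ["permit", "log"]

def parse_policies(text):
    """Return (policies in display order, default policy name or None)."""
    policies, default_policy, ctx, current, pending = [], None, ("", ""), None, None
    for line in text.splitlines():
        if m := DEFAULT_RE.match(line):
            default_policy = m.group("val")
        elif m := POLICY_RE.match(line):
            current = Policy(m.group("name"), *ctx, m.group("state"), int(m.group("seq")))
            policies.append(current)
            pending = None
        elif m := ZONE_RE.match(line):                       # new zone-pair context
            ctx, current, pending = (m.group("from"), m.group("to")), None, None
        elif (m := GLOBAL_RE.match(line)) and current is not None:
            setattr(current, m.group("which").lower() + "_zone", m.group("val"))
            pending = None
        elif (m := FIELD_RE.match(line)) and current is not None:
            key, val = m.group("key"), m.group("val")
            current.fields[key] = [v.strip() for v in val.split(",") if v.strip()]
            pending = key if not val else None  # empty value: one entry per following line
        elif pending and current is not None and line.strip():
            current.fields[pending].append(line.strip())
    return policies, default_policy

def audit(policies, default_policy):
    """Heuristic findings as (policy name, message) pairs, in rulebase order."""
    findings = []
    for p in policies:
        action, *flags = p.fields.get("Action", [""])
        if p.state != "enabled":
            findings.append((p.name, "disabled policy: remove it or re-enable it so the rulebase reflects intent"))
        elif action == "permit":
            if all(p.fields.get(k) == ["any"] for k in ("Source addresses", "Destination addresses", "Applications")):
                findings.append((p.name, f"permit any/any/any from {p.from_zone} to {p.to_zone}"))
            if "log" not in flags:
                findings.append((p.name, "permit without session logging ('log' missing from Action)"))
    if default_policy and default_policy != "deny-all":
        findings.append(("<default>", f"default policy is {default_policy}, not deny-all"))
    return findings

if __name__ == "__main__":
    for name, msg in audit(*parse_policies(SAMPLE_OUTPUT)):
        print(f"{name}: {msg}")
```

Run it as-is against the embedded sample, or pass real output to parse_policies() after copying it from the terminal. The log and count flags it inspects come from the policy's then clause (then log session-init / session-close produces the Session log: at-create, at-close line of the detail view; then count is what makes Policy statistics appear, as the note under that field says). Because the parser keys on the Policy, From zone and field names, it does not read the detail view; extend FIELD_RE if you want Policy lookups or Active sessions from the detail output to find rules that never match.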
            

    Modified: 2016-11-10