Enter match criteria and conduct a policy search. The search results include all policies that match the traffic criteria in the sequence in which they will be encountered.
Because policy matches are listed in the sequence in which they would be encountered, you can determine whether a specific policy is being applied correctly or not. The first policy in the list is applied to all matching traffic. Policies listed after this one remain in the “shadow” of the first policy and are never encountered by this traffic.
By manipulating the traffic criteria and policy sequence, you can tune policy application to suit your needs. During policy development, you can use this feature to establish the appropriate sequence of policies for optimum traffic matches. When troubleshooting, use this feature to determine if specific traffic is encountering the appropriate policy.
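The ordered-match behaviour described above can be reproduced in a few lines, which helps when reasoning about whether a rule is shadowed before touching a device. The following Python is an added example, not Juniper code and not the Check Policies implementation: it models a policy sequence with a hypothetical `Policy` dataclass, evaluates constructed match criteria the way the search pane does (first match applies, later matches are shadowed), falls back to a constructed default action when nothing matches, and shows the effect of moving a policy earlier in the sequence. All policy names, addresses and the default action are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One security policy in its configured sequence (hypothetical model)."""
    name: str
    from_zone: str
    to_zone: str
    source: str               # source address as a CIDR prefix
    destination: str          # destination address as a CIDR prefix
    protocol: str             # "tcp", "udp" or "any"
    dest_port: Optional[int]  # None means any destination port
    action: str               # "permit" or "deny"


@dataclass(frozen=True)
class Traffic:
    """Match criteria entered in the search pane, describing one flow."""
    from_zone: str
    to_zone: str
    source_ip: str
    destination_ip: str
    protocol: str
    dest_port: int


DEFAULT_POLICY_ACTION = "deny"  # constructed: action taken when no policy matches

# Constructed policy list, in the order the device would evaluate it.
# "block-finance-web" is fully covered by "allow-web" and so never fires.
POLICIES = [
    Policy("allow-web", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "permit"),
    Policy("block-finance-web", "trust", "untrust", "10.1.0.0/16", "0.0.0.0/0", "tcp", 443, "deny"),
    Policy("allow-dns", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", "udp", 53, "permit"),
]


def matches(policy: Policy, traffic: Traffic) -> bool:
    """True when every match field of the policy covers the traffic."""
    return (
        policy.from_zone == traffic.from_zone
        and policy.to_zone == traffic.to_zone
        and ip_address(traffic.source_ip) in ip_network(policy.source, strict=False)
        and ip_address(traffic.destination_ip) in ip_network(policy.destination, strict=False)
        and policy.protocol in ("any", traffic.protocol)
        and policy.dest_port in (None, traffic.dest_port)
    )


def match_policies(policies: List[Policy], traffic: Traffic, result_count: int = 1) -> List[Policy]:
    """Matching policies in evaluation order, capped like the 'number of policies' input."""
    hits = [p for p in policies if matches(p, traffic)]
    return hits[:result_count]


def applied_and_shadowed(policies: List[Policy], traffic: Traffic) -> Tuple[Optional[Policy], List[Policy]]:
    """Split the matches into the single policy applied and the ones it shadows."""
    hits = match_policies(policies, traffic, result_count=len(policies))
    if not hits:
        return None, []
    return hits[0], hits[1:]


def lookup_action(policies: List[Policy], traffic: Traffic) -> str:
    """Action the flow receives: the first match, or the default when nothing matches."""
    applied, _ = applied_and_shadowed(policies, traffic)
    return applied.action if applied else DEFAULT_POLICY_ACTION


def move_before(policies: List[Policy], name: str, before: str) -> List[Policy]:
    """New sequence with policy `name` placed directly before policy `before` (like Move)."""
    moving = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == before)
    return rest[:idx] + [moving] + rest[idx:]


if __name__ == "__main__":
    flow = Traffic("trust", "untrust", "10.1.5.7", "203.0.113.10", "tcp", 443)
    applied, shadowed = applied_and_shadowed(POLICIES, flow)
    print("applied:", applied.name, "| shadowed:", [p.name for p in shadowed])
    reordered = move_before(POLICIES, "block-finance-web", "allow-web")
    print("after move:", applied_and_shadowed(reordered, flow)[0].name)
```

Running it shows `allow-web` applied and `block-finance-web` listed as shadowed for the HTTPS flow; after moving the deny policy above the permit, the same flow is denied, which is exactly the reordering the Move button performs.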
- Select Monitor>Security>Policy>Shadow Policies in the J-Web user interface. The Check Policies page appears. Table 46 explains the content of this page.
- In the top pane, enter the From Zone and To Zone to supply the context for the search.
- Enter match criteria for the traffic, including the source address and port, the destination address and port, and the protocol of the traffic.
- Enter the number of matching policies to display.
- Click Search to find policies matching your criteria. The lower pane displays all policies matching the criteria, up to the number of policies you specified. The first policy is applied to all traffic with this match criteria; the remaining policies are not encountered by any traffic with this match criteria.
- To manipulate the position and activation of a policy, select the policy and click the appropriate button:
  - Move—Moves the selected policy up or down to position it at a more appropriate point in the search sequence.
  - Move to—Moves the selected policy by allowing you to drag and drop it to a different location on the same page.
Table 46: Check Policies Output

Check Policies Search Input Pane

| Field | Description |
|---|---|
| From Zone | Name or ID of the source zone. If a From Zone is specified by name, the name is translated to its ID internally. |
| To Zone | Name or ID of the destination zone. If a To Zone is specified by name, the name is translated to its ID internally. |
| Source address | Address of the source in IP notation. |
| Source port | Port number of the source. |
| Destination address | Address of the destination in IP notation. |
| Destination port | Port number of the destination. |
| Source identity | Name of the source identity. |
| Protocol | Name or equivalent value of the protocol to be matched. |
| Number of policies | (Optional) Number of policies to display. Default value is 1. Maximum value is 16. |

Check Policies List

| Field | Description |
|---|---|
| From Zone | Name of the source zone. |
| To Zone | Name of the destination zone. |
| Number of policies | Number of policies retrieved. |
| Default Policy action | The action to be taken if no match occurs. |
| Source address | Name of the source address (not the IP address) of a policy. Address sets are resolved to their individual names. |
| Destination address | Name of the destination address or address set. A packet’s destination address must match this value for the policy to apply to it. |
| Source identity | Name of the source identity for the policy. |
| Application | Name of a preconfigured or custom application of the policy match. |
| Action | Action taken when a match occurs as specified in the policy. |
| Matches | Number of matches for this policy. This value is the same as the Policy Lookups in a policy statistics report. |
| Sessions | Number of active sessions matching this policy. |
Alternatively, to list matching policies from the CLI, enter the show security match-policies command with your match criteria and the number of matching policies to display; the output lists the matches in the same evaluation order as the J-Web Check Policies page.