Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

show security policies

 

Syntax

Release Information

Command modified in Junos OS Release 9.2.

Support for IPv6 addresses is added in Junos OS Release 10.2.

Support for wildcard addresses is added in Junos OS Release 11.1.

Support for global policy and services offloading is added in Junos OS Release 11.4.

Support for source-identities and the Description output field is added in Junos OS Release 12.1.

Support for negated address added in Junos OS Release 12.1X45-D10.

The output fields for Policy Statistics expanded, and the output fields for the global and policy-name options are expanded to include from-zone and to-zone global match criteria in Junos OS Release 12.1X47-D10.

Support for the initial-tcp-mss and reverse-tcp-mss options is added in Junos OS Release 12.3X48-D20.

Output field and description for source-end-user-profile option is added in Junos OS Release 15.1x49-D70.

Output field and description for dynamic-applications option is added in Junos OS Release 15.1x49-D100.

Output field and description for dynapp-redir-profile option is added in Junos OS Release 18.2R1.

The tenant option is introduced in Junos OS Release 18.3R1.

The <all-logical-systems-tenants> option is introduced in Junos OS Release 18.4R1.

The information option is introduced in Junos OS Release 18.4R1.

The checksum option is introduced in Junos OS Release 18.4R1.

Description

Displays a summary of all security policies configured on the device. If a particular policy is specified, display information specific to that policy. The existing show commands for displaying the policies configured with multiple tenant support are enhanced. A security policy controls the traffic flow from one zone to another zone. The security policies allow you to deny, permit, reject (deny and send a TCP RST or ICMP port unreachable message to the source host), encrypt and decrypt, authenticate, prioritize, schedule, filter, and monitor the traffic attempting to cross from one security zone to another.

Options

  • all-logical-systems-tenants—Displays all multitenancy systems.

  • checksum—Displays the policy information checksum.

  • count—Displays the number of policies to show. Range is 1 through 65,535.

  • detail—(Optional) Displays a detailed view of all of the policies configured on the device.

  • from-zone—Displays the policy information matching the given source zone.

  • global—(Optional) Displays the policy information about global policies.

  • hit-count—Displays the policies hit count.

  • information—Displays the policy information.

  • logical-system—Displays the logical system name.

  • policy-name—(Optional) Displays the policy information matching the given policy name.

  • root-logical-system—Displays root logical system as default.

  • service-set—Displays the name of the service set.

  • start—Displays the policies from a given position. Range is 1 through 65,535.

  • tenant—Displays the name of the tenant system.

  • to-zone—Displays the policy information matching the given destination zone.

  • unknown-source-identity—Displays the unknown-source-identity of a policy.

  • zone-context—Displays the count of policies in each context (from-zone and to-zone).

Required Privilege Level

view

List of Sample Output

show security policies

show security policies (Dynamic Applications)

show security policies policy-name p2

show security policies policy-name detail

show security policies (Services-Offload)

show security policies (Device Identity)

show security policies detail

show security policies detail (TCP Options)

show security policies policy-name (Negated Address)

show security policies policy-name detail (Negated Address)

show security policies global

show security policies detail tenant

Output Fields

Table 1 lists the output fields for the show security policies command. Output fields are listed in the approximate order in which they appear.

Table 1: show security policies Output Fields

Field Name

Field Description

From zone

Name of the source zone.

To zone

Name of the destination zone.

Policy-name

Name of the applicable policy.

Description

Description of the applicable policy.

State

Status of the policy:

  • enabled: The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.

  • disabled: The policy cannot be used in the policy lookup process, and therefore it is not available for access control.

Index

Internal number associated with the policy.

Sequence number

Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, 3. Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1, 2, 3, 4.

Source addresses

For standard display mode, the names of the source addresses for a policy. Address sets are resolved to their individual names.

For detail display mode, the names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.

Destination addresses

Name of the destination address (or address set) as it was entered in the destination zone’s address book. A packet’s destination address must match this value for the policy to apply to it.

source-end-user-profile

Name of the device identity profile (referred to as end-user-profile in the CLI) that contains attributes, or characteristics of a device. Specification of the device identity profile in the source-end-user-profile field is part of the device identity feature. If a device matches the attributes specified in the profile and other security policy parameters, then the security policy’s action is applied to traffic issuing from the device.

Source addresses (excluded)

Name of the source address excluded from the policy.

Destination addresses (excluded)

Name of the destination address excluded from the policy.

Source identities

One or more user roles specified for a policy.

Applications

Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.

  • IP protocol: The Internet protocol used by the application—for example, TCP, UDP, ICMP.

  • ALG: If an ALG is explicitly associated with the policy, the name of the ALG is displayed. If application-protocol ignore is configured, ignore is displayed. Otherwise, 0 is displayed.

    However, even if this command shows ALG: 0, ALGs might be triggered for packets destined to well-known ports on which ALGs are listening, unless ALGs are explicitly disabled or when application-protocol ignore is not configured for custom applications.

  • Inactivity timeout: Elapsed time without activity after which the application is terminated.

  • Source port range: The low-high source port range for the session application.

Dynamic Applications

Application identification-based Layer 7 dynamic applications.

Destination Address Translation

Status of the destination address translation traffic:

  • drop translated—Drop the packets with translated destination addresses.

  • drop untranslated—Drop the packets without translated destination addresses.

Application Firewall

An application firewall includes the following:

  • Rule-set—Name of the rule set.

  • Rule—Name of the rule.

    • Dynamic applications—Name of the applications.

    • Dynamic application groups—Name of the application groups.

    • Action—The action taken with respect to a packet that matches the application firewall rule set. Actions include the following:

      • permit

      • deny

  • Default rule—The default rule applied when the identified application is not specified in any rules of the rule set.

Action or Action-type

  • The action taken for a packet that matches the policy’s tuples. Actions include the following:

    • permit

    • feed

    • firewall-authentication

    • tunnel ipsec-vpn vpn-name

    • pair-policy pair-policy-name

    • source-nat pool pool-name

    • pool-set pool-set-name

    • interface

    • destination-nat name

    • deny

    • reject

    • services-offload

Session log

Session log entry that indicates whether the at-create and at-close flags were set at configuration time to log session information.

Scheduler name

Name of a preconfigured scheduler whose schedule determines when the policy is active and can be used as a possible match for traffic.

Policy statistics

  • Input bytes—The total number of bytes presented for processing by the device.

    • Initial direction—The number of bytes presented for processing by the device from the initial direction.

    • Reply direction—The number of bytes presented for processing by the device from the reply direction.

  • Output bytes—The total number of bytes actually processed by the device.

    • Initial direction—The number of bytes from the initial direction actually processed by the device.

    • Reply direction—The number of bytes from the reply direction actually processed by the device.

  • Input packets—The total number of packets presented for processing by the device.

    • Initial direction—The number of packets presented for processing by the device from the initial direction.

    • Reply direction—The number of packets presented for processing by the device from the reply direction.

  • Output packets—The total number of packets actually processed by the device.

    • Initial direction—The number of packets actually processed by the device from the initial direction.

    • Reply direction—The number of packets actually processed by the device from the reply direction.

  • Session rate—The total number of active and deleted sessions.

  • Active sessions—The number of sessions currently present because of access control lookups that used this policy.

  • Session deletions—The number of sessions deleted since system startup.

  • Policy lookups—The number of times the policy was accessed to check for a match.

dynapp-redir-profile

Displays unified policy redirect profile. See profile(dynamic-application).

Per policy TCP Options

Configured syn and sequence checks, and the configured TCP MSS value for the initial direction, the reverse direction or, both.

Sample Output

show security policies

user@host> show security policies

show security policies (Dynamic Applications)

user@host>show security policies

The following example displays the output with unified policies configured.

user@host> show security policies

show security policies policy-name p2

user@host> show security policies policy-name p2

show security policies policy-name detail

user@host> show security policies policy-name p2 detail
user@host> show security policies policy-name p1 detail

show security policies (Services-Offload)

user@host> show security policies

show security policies (Device Identity)

user@host> show security policies

show security policies detail

user@host> show security policies detail

The following example displays the output with unified policies configured.

user@host> show security policies detail

show security policies detail (TCP Options)

user@host> show security policies policy-name p2 detail

show security policies policy-name (Negated Address)

user@host> show security policies policy-name p1

show security policies policy-name detail (Negated Address)

user@host> show security policies policy-name p1 detail

show security policies global

user@host> show security policies global policy-name Pa

show security policies detail tenant

user@host> show security policies detail tenant TN1