show security policies
Syntax
show security policies
    <detail>
    <policy-name policy-name>
Release Information
Command modified in Release 9.2 of JUNOS software.
Description
Display a summary of all security policies configured on the device. If a particular policy is specified, display information specific to that policy.
This command is supported on J-series and SRX-series devices.
Options
none—Display basic information about all configured policies.
detail—(Optional) Display a detailed view of all of the policies configured on the device.
policy-name policy-name—(Optional) Display information about the specified policy.
Required Privilege Level
view
Related Topics
clear security policies statistics
List of Sample Output
show security policies
show security policies policy-name p1 detail
Output Fields
Table 88 lists the output fields for the show security policies command. Output fields are listed in the approximate order in which they appear.
Table 88: show security policies Output Fields
Field Name | Field Description
From zone | Name of the source zone.
To zone | Name of the destination zone.
Policy | Name of the applicable policy.
Sequence number | Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA to-zoneB context might be ordered with sequence numbers 1, 2, and 3. Also, in a from-zoneC to-zoneD context, four policies might have sequence numbers 1, 2, 3, and 4.
State | Status of the policy:
  - enabled: The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.
  - disabled: The policy cannot be used in the policy lookup process, and therefore it is not available for access control.
Source addresses | For standard display mode, the names of the source addresses for a policy. Address sets are resolved to their individual names. (In this case, only the names are given, not their IP addresses.) For detail display mode, the names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.
Destination addresses | Name of the destination address (or address set) as it was entered in the destination zone's address book. A packet's destination address must match this value for the policy to apply to it.
Applications | Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.
  - IP protocol: The IP protocol used by the application, for example TCP, UDP, or ICMP.
  - ALG: If an ALG is associated with the session, the name of the ALG. Otherwise, 0.
  - Inactivity timeout: Elapsed time without activity after which the application is terminated.
  - Source port range: The low-high source port range for the session application.
Destination Address Translation | Status of destination address translation for the traffic:
  - drop translated—Drop the packets with a translated destination address.
  - drop untranslated—Drop the packets without a translated destination address.
Action or Action-type | The action taken in regard to a packet that matches the policy's tuples. Actions include the following:
  - permit
  - firewall-authentication
  - tunnel ipsec-vpn vpn-name
  - pair-policy pair-policy-name
  - source-nat pool pool-name
  - pool-set pool-set-name
  - interface
  - destination-nat name
  - deny
  - reject
Index | An internal number associated with the policy.
Session log | Session log entry that indicates whether the at-create and at-close flags were set at configuration time to log session information.
Scheduler name | Name of a preconfigured scheduler whose schedule determines when the policy is active (or inactive) to check an incoming packet to determine how to treat the packet.
Policy statistics | Policy statistics include the following:
  - Input bytes—The number of bytes presented for processing by the device.
  - Output bytes—The number of bytes actually processed by the device.
  - Input packets—The number of packets presented for processing by the device.
  - Active sessions—The number of sessions currently present because of access control lookups that used this policy.
  - Session deletions—The number of sessions deleted since system startup.
  - Policy lookups—Number of times the policy was accessed to check for a match.
Sample Output
show security policies
user@host> show security policies
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Sequence number: 1
    Source addresses: v-2-2-2-0
    Destination addresses: v-1-1-1-0
    Applications: any
    Action: permit, log, scheduled
  Policy: p2, State: enabled, Index: 5, Sequence number: 2
    Source addresses: v-2-2-2-0
    Destination addresses: v-1-1-1-0
    Applications: any
    Action: deny, scheduled
Sample Output
show security policies policy-name p1 detail
user@host> show security policies policy-name p1 detail
Policy: p1, action-type: permit, State: enabled, Index: 4
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    v-2-2-2-0: 2.2.2.0/24
  Destination addresses:
    v-1-1-1-0: 1.1.1.0/24
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
  Destination Address Translation: drop translated
  Session log: at-create, at-close
  Scheduler name: sch20
  Policy statistics:
    Input bytes      : 50000   100 bps
    Output bytes     : 40000   100 bps
    Input packets    : 200     200 pps
    Output packets   : 100     100 pps
    Session rate     : 2       1 sps
    Active sessions  : 11
    Session deletions: 20
    Policy lookups   : 12
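As an added example (not part of the Juniper documentation), the following Python parses the summary form of this command's output into per-policy records, carrying the From zone/To zone pair down to each policy, and then audits for enabled permit policies that match any application without session logging. The input is a constructed sample in the page's output format; policy p3 and the untrust-to-trust context are hypothetical additions made to exercise the audit.

```python
import re

# Constructed sample in this command's summary output format; p3 is hypothetical.
SAMPLE = """\
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Sequence number: 1
    Source addresses: v-2-2-2-0
    Destination addresses: v-1-1-1-0
    Applications: any
    Action: permit, log, scheduled
  Policy: p2, State: enabled, Index: 5, Sequence number: 2
    Source addresses: v-2-2-2-0
    Destination addresses: v-1-1-1-0
    Applications: any
    Action: deny, scheduled
From zone: untrust, To zone: trust
  Policy: p3, State: enabled, Index: 6, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
"""

ZONE_RE = re.compile(r"^From zone: (\S+), To zone: (\S+)$")
POLICY_RE = re.compile(
    r"^Policy: (\S+), State: (\w+), Index: (\d+), Sequence number: (\d+)$")

def parse_policies(text):
    """Return one dict per policy; the current zone pair is carried down to it."""
    policies, zones, cur = [], (None, None), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ZONE_RE.match(line):
            zones = m.groups()
        elif m := POLICY_RE.match(line):
            cur = {"from_zone": zones[0], "to_zone": zones[1], "policy": m[1],
                   "state": m[2], "index": int(m[3]), "sequence": int(m[4])}
            policies.append(cur)
        elif cur is not None and ": " in line:
            # Remaining indented lines are "Field: value"; Action is a keyword list.
            key, _, value = line.partition(": ")
            key = key.lower().replace(" ", "_")
            cur[key] = [v.strip() for v in value.split(",")] if key == "action" else value
    return policies

def audit(policies):
    """Names of enabled permit policies matching any application that do not log."""
    return [p["policy"] for p in policies
            if p["state"] == "enabled" and "permit" in p.get("action", [])
            and "log" not in p.get("action", []) and p.get("applications") == "any"]
```

Only the summary form is parsed here; the detail form puts each field on its own line with a different first line, so it needs its own parser.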