show security match-policies

Syntax

show security match-policies from-zone from-zone-name to-zone to-zone-name source-ip ip-address destination-ip ip-address source-port port-number destination-port port-number protocol (protocol-name | protocol-number)

Release Information

Command introduced in Release 10.3 of Junos OS.

Description

The show security match-policies command allows you to troubleshoot traffic problems using the 5-tuple: source port, destination port, source IP address, destination IP address, and protocol. For example, if traffic is not passing because either the correct policy is not configured or the source of the traffic is incorrect, the show security match-policies command allows you to work offline and identify where the problem actually lies. It uses the policy search engine to identify the problem, so you can apply the appropriate matching policy to the traffic.

Note: The show security match-policies command is applicable only to security policies; IDP policies are not supported. Only the first matched policy is returned.

Required Privilege Level

view

Related Topics

clear security policies statistics

List of Sample Output

show security match-policies

Output Fields

Table 141 lists the output fields for the show security match-policies command. Output fields are listed in the approximate order in which they appear.

Table 142: show security match-policies Output Fields

Field Name

Field Description

From zone

Name of the source zone.

To zone

Name of the destination zone.

Policy

Name of the applicable policy.

Sequence Number

Number of the policy within a given context. For example, three policies that are applicable in a from-zone z1 to-zone z2 context might be ordered with sequence numbers 1, 2, and 3. Also, in a from-zone z3 to-zone z4 context, four policies might have sequence numbers 1, 2, 3, and 4.

State

Status of the policy:

  • enabled: The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.
  • disabled: The policy cannot be used in the policy lookup process, and therefore it is not available for access control.

Source address

For standard display mode, the names of the source addresses for a policy. Address sets are resolved to their individual names.

For detail display mode, the names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.

Destination address

Names of the destination addresses (or address sets) as entered in the destination zone’s address book. A packet’s destination address must match this value for the policy to apply to it.

Applications

Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.

  • IP protocol: The IP protocol used by the application—for example, TCP, FTP, ICMP.
  • ALG: If an ALG is associated with the session, the name of the ALG. Otherwise, 0.
  • Inactivity timeout: Elapsed time without activity after which the application is terminated.

Source-port

Number that identifies the source port. Range: 1 through 65535.

Destination-port

Number that identifies the destination port. Range: 1 through 65535.

Action or Action-type

The action taken in regard to a packet that matches the policy’s tuples. Actions include the following:

  • permit
  • firewall-authentication
  • tunnel ipsec-vpn vpn-name
  • pair-policy pair-policy-name
  • source-nat pool pool-name
  • pool-set pool-set-name
  • interface
  • destination-nat name
  • deny
  • reject

Sample Output

show security match-policies

user@host> show security match-policies
From-zone: z1, To-zone: z2 
source-ip 10.10.10.1  destination-ip 30.30.30.1 source-port 1 destination-port 21 protocol tcp
Policy: p1, action-type: permit, State: enabled, Index: 4,AI: disabled, Scope Policy 0
Policy Type: Configured
  Sequence number: 1
  From zone: z1, To zone: z2
  Source addresses:
    a2: 20.20.0.0/16 
    a3: 10.10.10.1/32
  Destination addresses:
    d2: 40.40.0.0/16 
    d3: 30.30.30.1/32
  Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
      Source port range: [0-0] 
      Destination port range: [21-21]
  Intrusion Detection and Prevention: enabled
  Unified Access Control: enabled
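As an added example that is not part of the Junos documentation: a Python parser for the output format shown above, which extracts the queried 5-tuple, the matched policy, its resolved addresses and port ranges, and then checks that the queried tuple actually falls inside them (a useful sanity check when scripting policy audits). The sample text is an excerpt of the output above; the function names are my own, and treating a [0-0] source port range as unrestricted is an assumption drawn from the sample.

```python
import ipaddress
import re
# Constructed sample: an excerpt of the output shown on this page, embedded so the script runs offline.
SAMPLE = """\
source-ip 10.10.10.1  destination-ip 30.30.30.1 source-port 1 destination-port 21 protocol tcp
Policy: p1, action-type: permit, State: enabled, Index: 4,AI: disabled, Scope Policy 0
  Source addresses:
    a2: 20.20.0.0/16
    a3: 10.10.10.1/32
  Destination addresses:
    d2: 40.40.0.0/16
    d3: 30.30.30.1/32
      Source port range: [0-0]
      Destination port range: [21-21]
"""
QUERY_RE = re.compile(r"source-ip\s+(\S+)\s+destination-ip\s+(\S+)\s+source-port\s+(\d+)\s+destination-port\s+(\d+)\s+protocol\s+(\S+)")
POLICY_RE = re.compile(r"Policy: ([^,]+), action-type: ([^,]+), State: ([^,]+)")
ADDR_RE = re.compile(r"(\S+): (\d+\.\d+\.\d+\.\d+/\d+)$")
PORTS_RE = re.compile(r"(Source|Destination) port range: \[(\d+)-(\d+)\]")

def parse_match_output(text):
    """Parse the fields of a 'show security match-policies' result into a dict."""
    result = {"source_addresses": {}, "destination_addresses": {}}
    section = None  # address block we are currently inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Source addresses:", "Destination addresses:"):
            section = line.split()[0].lower() + "_addresses"
            continue
        if section and (m := ADDR_RE.match(line)):  # "name: prefix" entry of that block
            result[section][m.group(1)] = ipaddress.ip_network(m.group(2))
            continue
        section = None  # any other line ends the address block
        if m := QUERY_RE.match(line):
            result["query"] = dict(zip(("src", "dst", "sport", "dport", "proto"), m.groups()))
        elif m := POLICY_RE.match(line):
            result["policy"], result["action"], result["state"] = m.groups()
        elif m := PORTS_RE.match(line):
            result[m.group(1).lower() + "_ports"] = (int(m.group(2)), int(m.group(3)))
    return result

def tuple_covered(parsed):
    """Check that the queried 5-tuple lies inside the matched policy's address and port ranges."""
    q = parsed["query"]
    in_src = any(ipaddress.ip_address(q["src"]) in n for n in parsed["source_addresses"].values())
    in_dst = any(ipaddress.ip_address(q["dst"]) in n for n in parsed["destination_addresses"].values())
    slo, shi = parsed["source_ports"]
    sport_ok = (slo, shi) == (0, 0) or slo <= int(q["sport"]) <= shi  # assumption: [0-0] = any source port
    dlo, dhi = parsed["destination_ports"]
    return in_src and in_dst and sport_ok and dlo <= int(q["dport"]) <= dhi
```

A mismatch between the queried tuple and the resolved policy ranges points at a stale address book or a broken address-set resolution rather than at the policy order.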