show security policies

Syntax

show security policies<detail><policy-name policy-name>

Release Information

Command modified in Release 9.2 of Junos OS.

Support for IPv6 addresses added in Release 10.2 of Junos OS.

Description

Display a summary of all security policies configured on the device. If a particular policy is specified, display information particular to that policy.

Options

none—Display basic information about all configured policies.

detail—(Optional) Display a detailed view of all of the policies configured on the device.

policy-name policy-name—(Optional) Display information about the specified policy.

Required Privilege Level

view

Related Topics

clear security policies statistics

List of Sample Output

show security policies
show security policies policy-name p1 detail

Output Fields

Table 141 lists the output fields for the show security policies command. Output fields are listed in the approximate order in which they appear.

Table 141: show security policies Output Fields

Field Name

Field Description

From zone

Name of the source zone.

To zone

Name of the destination zone.

Policy

Name of the applicable policy.

Sequence number

Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, and 3. Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1, 2, 3, and 4.

State

Status of the policy:

  • enabled: The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.
  • disabled: The policy cannot be used in the policy lookup process, and therefore it is not available for access control.

Source addresses

For standard display mode, the names of the source addresses for a policy. Address sets are resolved to their individual names.

For detail display mode, the names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.

Destination addresses

Name of the destination address (or address set) as it was entered in the destination zone’s address book. A packet’s destination address must match this value for the policy to apply to it.

Applications

Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.

  • IP protocol: The IP protocol used by the application—for example, TCP, UDP, ICMP.
  • ALG: If an ALG is associated with the session, the name of the ALG. Otherwise, 0.
  • Inactivity timeout: Elapse time without activity after which the application is terminated.
  • Source port range: The low-high source port range for the session application.

Destination Address Translation

Status of the destination address translation traffic:

  • drop translated— Drop the packets with translated destination address.
  • drop untranslated—Drop the packets without translated destination address.

Action or Action-type

  • The action taken in regard to a packet that matches the policy’s tuples. Actions include the following:
    • permit
    • firewall-authentication
    • tunnel ipsec-vpn vpn-name
    • pair-policy pair-policy-name
    • source-nat pool pool-name
    • pool-set pool-set-name
    • interface
    • destination-nat name
    • deny
    • reject

Index

An internal number associated with the policy.

Session log

Session log entry that indicates whether the at-create and at-close flags were set at configuration time to log session information.

Scheduler name

Name of a preconfigured scheduler whose schedule determines when the policy is active (or inactive) to check an incoming packet to determine how to treat the packet.

Policy statistics

Policy statistics include the following:

  • Input bytes—The number of bytes presented for processing by the device.
  • Output bytes—The number of bytes actually processed by the device.
  • Input packets—The number of packets presented for processing by the device.
  • Active sessions—The number of sessions currently present because of access control lookups that used this policy.
  • Session deletions—The number of sessions deleted since system startup.
  • Policy lookups—Number of times the policy was accessed to check for a match.

Note: Configure the Policy P1 with count option to display policy statistics.

Sample Output

show security policies

user@host> show security policies
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Sequence number: 1
    Source addresses:
    sa-1-ipv4: 2.2.2.0/24
    sa-2-ipv6: 2001:0db8::/32
    sa-3-ipv6: 2001:0db6/24
  Destination addresses:
    da-1-ipv4: 2.2.2.0/24
    da-2-ipv6: 2400:0af8::/32
    da-3-ipv6: 2400:0d78:0/24
    Applications: any
    Action: permit, log, scheduled
  Policy: p2, State: enabled, Index: 5, Sequence number: 2
    Source addresses:
    sa-1-ipv4: 2.2.2.0/24
    sa-2-ipv6: 2001:0db8::/32
    sa-3-ipv6: 2001:0db6/24
  Destination addresses:
    da-1-ipv4: 2.2.2.0/24
    da-2-ipv6: 2400:0af8::/32
    da-3-ipv6: 2400:0d78:0/24
    Applications: any
    Action: deny, scheduled

Sample Output

show security policies policy-name p1 detail

user@host> show security policies policy-name p1 detail
show security policies policy-name p1 detail
Policy: p1, action-type: permit, State: enabled, Index: 4
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    sa-1-ipv4: 2.2.2.0/24
    sa-2-ipv6: 2001:0db8::/32
    sa-3-ipv6: 2001:0db6/24
  Destination addresses:
    da-1-ipv4: 2.2.2.0/24
    da-2-ipv6: 2400:0af8::/32
    da-3-ipv6: 2400:0d78:0/24
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Destination Address Translation: drop translated
  Session log: at-create, at-close
  Scheduler name: sch20
  Policy statistics:
    Input  bytes     :                50000                  100 bps
    Output bytes     :                40000                  100 bps
    Input  packets   :                  200                  200 pps
    Output packets   :                  100                  100 pps
    Session rate     :                    2                    1 sps
    Active sessions  :                   11
    Session deletions:                   20
    Policy lookups   :                   12
Copyright© 1999-2010 Juniper Networks, Inc. All rights reserved.