Matching Security Policies

The show security match-policies command lets you troubleshoot traffic problems by matching a five-tuple (source port, destination port, source IP address, destination IP address, and protocol) against the configured security policies. For example, if traffic is not passing because the correct policy is not configured or the source of the traffic is not what you expect, the show security match-policies command lets you work offline and identify where the problem actually lies. It uses the policy search engine to find the policy that would match the traffic, so you can verify that the appropriate policy applies.

Note: The show security match-policies command is applicable only to security policies; IDP policies are not supported. Only the first matched policy is returned.

show security match-policies

user@host> show security match-policies
From-zone: z1, To-zone: z2
source-ip 10.10.10.1  destination-ip 30.30.30.1 source-port 1 destination-port 21 protocol tcp
Policy: p1, action-type: permit, State: enabled, Index: 4, AI: disabled, Scope Policy 0
Policy Type: Configured
  Sequence number: 1
  From zone: z1, To zone: z2
  Source addresses:
    a2: 20.20.0.0/16
    a3: 10.10.10.1/32
  Destination addresses:
    d2: 40.40.0.0/16
    d3: 30.30.30.1/32
  Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [21-21]
  Intrusion Detection and Prevention: enabled
  Unified Access Control: enabled
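To show why the five-tuple above lands on p1 and why only the first match is reported, here is an added Python model of the first-match lookup (example code written for this page, not part of Junos OS). It encodes p1 from the sample output plus an assumed catch-all deny policy p2 at sequence 2; the rule that a source port range of [0-0] means "any port" is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    seq: int            # position in the zone pair; lowest sequence wins
    from_zone: str
    to_zone: str
    src_addrs: list     # CIDR strings, as in the "Source addresses" block
    dst_addrs: list
    proto: str          # "tcp", "udp", ... or "any"
    src_ports: tuple    # (lo, hi); (0, 0) treated as "any" (assumption)
    dst_ports: tuple
    action: str

def _port_ok(rng, port):
    lo, hi = rng
    return (lo, hi) == (0, 0) or lo <= port <= hi

def _addr_ok(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def match_policies(policies, from_zone, to_zone, src_ip, dst_ip,
                   src_port, dst_port, proto):
    """Return the first policy in the zone pair that matches the five-tuple,
    or None when no configured policy matches (so the default action applies)."""
    candidates = sorted((p for p in policies
                         if p.from_zone == from_zone and p.to_zone == to_zone),
                        key=lambda p: p.seq)
    for p in candidates:
        if (p.proto in ("any", proto)
                and _addr_ok(p.src_addrs, src_ip) and _addr_ok(p.dst_addrs, dst_ip)
                and _port_ok(p.src_ports, src_port) and _port_ok(p.dst_ports, dst_port)):
            return p
    return None

# Constructed policy set: p1 mirrors the sample output (junos-ftp permit);
# p2 is an assumed catch-all deny that sits after it in the sequence.
POLICIES = [
    Policy("p1", 1, "z1", "z2", ["20.20.0.0/16", "10.10.10.1/32"],
           ["40.40.0.0/16", "30.30.30.1/32"], "tcp", (0, 0), (21, 21), "permit"),
    Policy("p2", 2, "z1", "z2", ["0.0.0.0/0"], ["0.0.0.0/0"], "any", (0, 0), (0, 0), "deny"),
]

if __name__ == "__main__":
    hit = match_policies(POLICIES, "z1", "z2", "10.10.10.1", "30.30.30.1", 1, 21, "tcp")
    print(hit.name, hit.action)  # p1 permit
```

Changing only the destination port to 22 falls through p1 and is reported as p2, which is exactly the kind of "wrong policy matched" answer the command gives you without having to generate the traffic.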

For more information on matching policies and a description of the output fields, see the Junos OS CLI Reference.