Checking Policies

The Check Policies page in the J-Web interface provides a search pane where you can enter match criteria and conduct a policy search. The search results include all policies that match the traffic criteria in the sequence in which they will be encountered.

Alternatively, to list matching policies using the CLI, enter the following command, your match criteria, and the number of matching policies to display:

Because policy matches are listed in the sequence in which they would be encountered, you can tell if a specific policy is not being applied correctly. The first policy in the list is applied to all matching traffic. Policies listed after this one remain in the “shadow” of the first policy and are never encountered by this traffic.

By manipulating the traffic criteria and policy sequence, you can tune policy application to suit your needs. During policy development, you can use this feature to establish the appropriate sequence of policies for optimum traffic matches. When troubleshooting, use this feature to determine if specific traffic is encountering the appropriate policy.

  1. Select Monitor>Security>Policy>Check Policies in the J-Web interface. The Check Policies page appears. Table 21 explains the content of this page.
  2. In the top pane, enter the From Zone and To Zone to supply the context for the search.
  3. Enter match criteria for the traffic, namely, the source address and port, the destination address and port, and the protocol of the traffic.
  4. Enter the number of matching policies to display.
  5. Click Search to find policies matching your criteria. The lower pane displays all policies matching the criteria up to the number of policies you specified.
  6. To manipulate the position and activation of a policy, select the policy and click the appropriate button:
     Delete: Delete the selected policy. The policy is removed from the policy configuration.
     Deactivate: Deactivate the selected policy. A deactivated policy remains in the policy configuration, but it is no longer included in policy matching until it is reactivated.
     Move: Move the selected policy up or down to position it at a more appropriate point in the search sequence.
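The lookup order the procedure above relies on can be reproduced offline. The following is an added example (not Juniper code): it models a few policy fields, returns matches in the sequence a Check Policies search would list them, so that everything after the first entry is the shadowed set for that traffic, and reorders policies the way the Move button does. Policy names, zone names and addresses are constructed; the protocol numbers are those from Table 21.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple
# Protocol names and numbers as listed in Table 21.
PROTOCOLS = {"ah": 51, "egp": 8, "esp": 50, "gre": 47, "icmp": 1, "igmp": 2, "igp": 9,
             "ipip": 94, "ipv6": 41, "ospf": 89, "pgm": 113, "pim": 103, "rdp": 27,
             "rsvp": 46, "sctp": 132, "tcp": 6, "udp": 17, "vrrp": 112}
@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    src: str                           # CIDR; "0.0.0.0/0" means any source
    dst: str                           # CIDR; "0.0.0.0/0" means any destination
    proto: str                         # key of PROTOCOLS, or "any"
    dports: Optional[Tuple[int, int]]  # inclusive destination port range; None = any port
    action: str                        # "permit" or "deny"

    def matches(self, from_zone, to_zone, src_ip, dst_ip, proto_num, dport):
        """True if the zone context and 5-tuple fall inside this policy."""
        if (from_zone, to_zone) != (self.from_zone, self.to_zone):
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and PROTOCOLS[self.proto] != proto_num:
            return False
        return self.dports is None or self.dports[0] <= dport <= self.dports[1]

def match_policies(policies, from_zone, to_zone, src_ip, dst_ip, proto, dport, count=1):
    """Up to `count` (1..16, as in J-Web) matches in lookup order: the first is the
    policy applied; the rest are shadowed for this traffic. `proto` is a name or number."""
    proto_num = PROTOCOLS[proto] if isinstance(proto, str) else proto
    hits = [p for p in policies if p.matches(from_zone, to_zone, src_ip, dst_ip, proto_num, dport)]
    return hits[:max(1, min(count, 16))]

def move_before(policies, name, before):
    """Return a new order with policy `name` placed just ahead of `before` (the Move button)."""
    target = next(p for p in policies if p.name == name)
    ordered = [p for p in policies if p.name != name]
    ordered.insert([p.name for p in ordered].index(before), target)
    return ordered

# Constructed sample: a broad permit (ports 80-443) placed ahead of a host-specific deny,
# so the deny is shadowed for web traffic from that host until it is moved up.
SAMPLE = [
    Policy("allow-web", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", "tcp", (80, 443), "permit"),
    Policy("block-host", "trust", "untrust", "10.1.1.5/32", "0.0.0.0/0", "any", None, "deny"),
]
```

Running `match_policies(SAMPLE, "trust", "untrust", "10.1.1.5", "203.0.113.7", "tcp", 80, count=16)` lists both policies with allow-web first, which is exactly the shadowing the Check Policies page makes visible; `move_before(SAMPLE, "block-host", "allow-web")` gives the order in which the deny takes effect.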

Table 21: Check Policies Output (each field, followed by its function)

Check Policies Search Input Pane

  From Zone
    Name or ID of the source zone. If a From Zone is specified by name, the name is translated to its ID internally.
  To Zone
    Name or ID of the destination zone. If a To Zone is specified by name, the name is translated to its ID internally.
  Source Address
    Address of the source in IP notation.
  Source Port
    Port number of the source.
  Destination Address
    Address of the destination in IP notation.
  Destination Port
    Port number of the destination.
  Protocol
    Name or equivalent value of the protocol to be matched:
      ah (51), egp (8), esp (50), gre (47), icmp (1), igmp (2), igp (9), ipip (94), ipv6 (41), ospf (89), pgm (113), pim (103), rdp (27), rsvp (46), sctp (132), tcp (6), udp (17), vrrp (112)
  Result Count
    (Optional) Number of policies to display. Default value is 1. Maximum value is 16.

Check Policies List

  From Zone
    Name of the source zone.
  To Zone
    Name of the destination zone.
  Total Policies
    Number of policies retrieved.
  Default Policy Action
    The action to be taken if no match occurs.
  Name
    Policy name.
  Source Address
    Name of the source address (not the IP address) of a policy. Address sets are resolved to their individual names.
  Destination Address
    Name of the destination address or address set. A packet’s destination address must match this value for the policy to apply to it.
  Application
    Name of a preconfigured or custom application of the policy match.
  Action
    Action taken when a match occurs as specified in the policy.
  Hit Counts
    Number of matches for this policy. This value is the same as the Policy Lookups in a policy statistics report.
  Active Sessions
    Number of active sessions matching this policy.
