Monitoring Policies

From the Security Policies Monitoring page, you can display, sort, and review policy activity for every activated policy configured on the device. Policies are grouped by Zone Context (the from and to zones of the traffic) to control the volume of data displayed at one time. From the policy list, select a policy to display statistics and current network activity.

To review policy activity using J-Web:

  1. Select Monitor>Security>Policy>Activities in the J-Web interface. The Security Policies Monitoring page is displayed. The policies from the first Zone Context are listed. See Table 136 for field descriptions.
  2. Select the Zone Context of the policy you want to monitor, and click Filter. All policies within the zone context are displayed in match sequence.
  3. Select a policy, and click one of the following functions:
    • Clear Statistics—Clear all counters to zero for the selected policy.
    • Deactivate—Deactivate the selected policy. When you click Deactivate, the commit window opens to confirm the deactivation.
    • Move—Reposition the selected policy in the match sequence. You have the option to move the policy up or down one row at a time, or to the top or bottom of the sequence.

Table 136: Security Policies Monitoring Output Fields

Field | Value | Additional Information

Zone Context (Total #)

Displays a list of all from and to zone combinations for the configured policies. The total number of active policies for each context is specified in the Total # field. By default, the policies from the first Zone Context are displayed.

To display policies for a different context, select a zone context and click Filter. Note that both inactive and active policies are displayed for each context. However, the Total # field for a context specifies the number of active policies only.

Default Policy action

Specifies the action to be taken for traffic that does not match any of the policies in the context:

  • permit-all—Permit all traffic that does not match a policy.
  • deny-all—Deny all traffic that does not match a policy.

From Zone

Displays the source zone to be used as match criteria for the policy.

To Zone

Displays the destination zone to be used as match criteria for the policy.

Name

Displays the name of the policy.

Source Address

Displays the source addresses to be used as match criteria for the policy. Address sets are expanded to the names of their member addresses; only the address names are shown, not the IP addresses they resolve to.

Destination Address

Displays the destination addresses (or address sets) to be used as match criteria for the policy. Addresses are entered as specified in the destination zone’s address book.

Application

Displays the name of a predefined or custom application signature to be used as match criteria for the policy.

Dynamic App

Displays the dynamic application signatures to be used as match criteria if an application firewall rule set is configured for the policy.

For a network firewall, a dynamic application is not defined.

The rule set is displayed in two lines. The first line displays the configured dynamic application signatures in the rule set. The second line displays the default dynamic application signature.

If more than two dynamic application signatures are specified for the rule set, hover over the output field to display the full list in a tooltip.

Action

Displays the action portion of the rule set if an application firewall rule set is configured for the policy.

  • permit—Permits access to the network services controlled by the policy. A green background signifies permission.
  • deny—Denies access to the network services controlled by the policy. A red background signifies denial.

The action portion of the rule set is displayed in two lines. The first line identifies the action to be taken when the traffic matches a dynamic application signature. The second line displays the default action when traffic does not match a dynamic application signature.

NW Services

Displays the network services permitted or denied by the policy if an application firewall rule set is configured. Network services include:

  • gprs-gtp-profile—Specify a GPRS Tunneling Protocol profile name.
  • idp—Perform intrusion detection and prevention.
  • redirect-wx—Set WX redirection.
  • reverse-redirect-wx—Set WX reverse redirection.
  • uac-policy—Enable unified access control enforcement of the policy.

Count

Specifies whether counters for computing session, packet, and byte statistics for the policy are enabled. By default, counters are not enabled.

Log

Specifies whether session logging is enabled. By default, session logging is not enabled. Session activity to be logged can include the following:

  • Session initialization
  • Session close
  • Both

Policy Hit Counters Graph

Provides a representation of the value over time for a specified counter. The graph is blank if Policy Counters indicates no data. As a selected counter accumulates data, the graph is updated at each refresh interval.

To toggle a graph on and off, click the counter name below the graph.

Policy Counters

Lists statistical counters for the selected policy if Count is enabled. The following counters are available for each policy:

  • input-bytes
  • input-byte-rate
  • output-bytes
  • output-byte-rate
  • input-packets
  • input-packet-rate
  • output-packets
  • output-packet-rate
  • session-creations
  • session-creation-rate
  • active-sessions

To graph or to remove a counter from the Policy Hit Counters Graph, toggle the counter name. The names of enabled counters appear below the graph.
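The following is an added illustration, not Junos or J-Web code: a small Python model of the semantics that Table 136 describes for one Zone Context. It keeps an ordered policy list that is searched first-match (the match sequence), applies the Default Policy action to traffic that matches nothing, honours the Count and Log options, and implements the Clear Statistics, Deactivate and Move functions from the procedure above. The zone names, address-book names (guest-net, lan-net, web-server, dns-server), the log-line format and the counter bookkeeping are all constructed for the example; the application names junos-http, junos-https and junos-dns-udp are predefined Junos applications. The demo shows why policy order matters: a deny policy placed below a broader permit never matches until it is moved above it.

```python
"""Toy model of first-match security policy evaluation in one Zone Context.

Illustrative code written for this page; it is not Junos or J-Web code.
Address names are constructed address-book entries, not IP addresses.
"""
from dataclasses import dataclass, field

# Subset of the Policy Counters listed in Table 136 that this model tracks.
COUNTERS = ("session-creations", "active-sessions",
            "input-packets", "input-bytes")


@dataclass
class Policy:
    name: str
    source: set                 # source address names, or {"any"}
    destination: set            # destination address names, or {"any"}
    application: set            # application names, or {"any"}
    action: str                 # "permit" or "deny"
    count: bool = False         # Count column: statistics counters enabled
    log_init: bool = False      # Log column: log session initialization
    log_close: bool = False     # Log column: log session close
    active: bool = True         # Deactivate sets this to False
    counters: dict = field(default_factory=lambda: {c: 0 for c in COUNTERS})

    def matches(self, src, dst, app):
        """All three match criteria must hold; "any" matches every value."""
        return all(v in crit or "any" in crit for v, crit in
                   ((src, self.source), (dst, self.destination),
                    (app, self.application)))


class ZoneContext:
    def __init__(self, from_zone, to_zone, default_action="deny-all"):
        assert default_action in ("permit-all", "deny-all")
        self.from_zone, self.to_zone = from_zone, to_zone
        self.default_action = default_action
        self.policies = []      # match sequence: index 0 is evaluated first
        self.log = []           # constructed session log lines

    def add(self, policy):
        self.policies.append(policy)

    def find(self, name):
        return next(p for p in self.policies if p.name == name)

    def sequence(self):
        return [p.name for p in self.policies]

    def lookup(self, src, dst, app):
        """First active policy in the match sequence that matches, else None."""
        for p in self.policies:
            if p.active and p.matches(src, dst, app):
                return p
        return None

    def open_session(self, src, dst, app, packets=1, nbytes=64):
        """Return (verdict, policy name); the default policy handles misses."""
        p = self.lookup(src, dst, app)
        if p is None:
            return (self.default_action.split("-")[0], "default-policy")
        if p.count:
            p.counters["session-creations"] += 1
            p.counters["input-packets"] += packets
            p.counters["input-bytes"] += nbytes
            if p.action == "permit":        # denied traffic opens no session
                p.counters["active-sessions"] += 1
        if p.log_init:
            self.log.append(f"session-init policy={p.name} src={src} "
                            f"dst={dst} app={app} action={p.action}")
        return (p.action, p.name)

    def close_session(self, name):
        p = self.find(name)
        if p.count and p.counters["active-sessions"] > 0:
            p.counters["active-sessions"] -= 1
        if p.log_close:
            self.log.append(f"session-close policy={p.name}")

    # The three functions offered on the Security Policies Monitoring page.
    def clear_statistics(self, name):
        self.find(name).counters = {c: 0 for c in COUNTERS}

    def deactivate(self, name):
        self.find(name).active = False

    def move(self, name, where):
        """Reposition a policy: 'up', 'down', 'top' or 'bottom'."""
        p = self.find(name)
        i = self.policies.index(p)
        self.policies.pop(i)
        new = {"up": max(i - 1, 0), "down": min(i + 1, len(self.policies)),
               "top": 0, "bottom": len(self.policies)}[where]
        self.policies.insert(new, p)


def build_demo():
    """Constructed trust->untrust context: a broad permit above a narrow deny."""
    ctx = ZoneContext("trust", "untrust", default_action="deny-all")
    ctx.add(Policy("allow-web", {"any"}, {"any"}, {"junos-http", "junos-https"},
                   "permit", count=True, log_init=True, log_close=True))
    ctx.add(Policy("block-guest-web", {"guest-net"}, {"any"}, {"any"},
                   "deny", count=True, log_init=True))
    return ctx


if __name__ == "__main__":
    ctx = build_demo()
    print(ctx.open_session("guest-net", "web-server", "junos-http"))  # permit
    ctx.move("block-guest-web", "top")
    print(ctx.open_session("guest-net", "web-server", "junos-http"))  # deny
    print(ctx.open_session("lan-net", "dns-server", "junos-dns-udp"))  # default deny
    print(ctx.find("allow-web").counters, ctx.log, sep="\n")
```

Because the sequence is searched first-match, the guest deny is unreachable while it sits below allow-web, which is exactly the situation the Move function exists to correct; counters stay at zero for policies that have Count disabled, so enabling Count (and Log) is a prerequisite for the Policy Counters and graph described above to show anything.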