Monitoring Policies

Purpose

Display, sort, and review policy activity for every activated policy configured on the device. Policies are grouped by Zone Context (the from and to zones of the traffic) to control the volume of data displayed at one time. From the policy list, select a policy to display statistics and current network activity.

Action

To review policy activity:

  1. Select Monitor>Security>Policy>Activities in the J-Web user interface. The Security Policies Monitoring page appears and lists the policies from the first Zone Context. See Table 191 for field descriptions.
  2. Select the Zone Context of the policy you want to monitor, and click Filter. All policies within the zone context appear in match sequence.
  3. Select a policy, and click one of the following functions:
    • Clear Statistics—Clears all counters to zero for the selected policy.
    • Deactivate—Deactivates the selected policy. When you click Deactivate, the commit window appears for you to confirm the deactivation.
    • Move—Repositions the selected policy in the match sequence. You have the option to move the policy up or down one row at a time, or to the top or bottom of the sequence.

Table 191: Security Policies Monitoring Output Fields

Field

Value

Additional Information

Zone Context (Total #)

Displays a list of all from and to zone combinations for the configured policies. The total number of active policies for each context is specified in the Total # field. By default, the policies from the first Zone Context are displayed.

To display policies for a different context, select a zone context and click Filter. Both inactive and active policies appear for each context. However, the Total # field for a context specifies the number of active policies only.

Default Policy action

Specifies the action to take for traffic that does not match any of the policies in the context:

  • permit-all—Permit all traffic that does not match a policy.
  • deny-all—Deny all traffic that does not match a policy.

From Zone

Displays the source zone to be used as match criteria for the policy.

To Zone

Displays the destination zone to be used as match criteria for the policy.

Name

Displays the name of the policy.

Source Address

Displays the source addresses to be used as match criteria for the policy. Address sets are resolved to their individual names. (In this case, only the names are given, not the IP addresses).

Destination Address

Displays the destination addresses (or address sets) to be used as match criteria for the policy. Addresses are entered as specified in the destination zone’s address book.

Application

Displays the name of a predefined or custom application signature to be used as match criteria for the policy.

Dynamic App

Displays the dynamic application signatures to be used as match criteria if an application firewall rule set is configured for the policy.

For a network firewall, a dynamic application is not defined.

The rule set appears in two lines. The first line displays the configured dynamic application signatures in the rule set. The second line displays the default dynamic application signature.

If more than two dynamic application signatures are specified for the rule set, hover over the output field to display the full list in a tooltip.

Action

Displays the action portion of the rule set if an application firewall rule set is configured for the policy.

  • permit—Permits access to the network services controlled by the policy. A green background signifies permission.
  • deny—Denies access to the network services controlled by the policy. A red background signifies denial.

The action portion of the rule set appears in two lines. The first line identifies the action to be taken when the traffic matches a dynamic application signature. The second line displays the default action when traffic does not match a dynamic application signature.

NW Services

Displays the network services permitted or denied by the policy if an application firewall rule set is configured. Network services include:

  • gprs-gtp-profile—Specify a GPRS Tunneling Protocol profile name.
  • idp—Perform intrusion detection and prevention.
  • redirect-wx—Set WX redirection.
  • reverse-redirect-wx—Set WX reverse redirection.
  • uac-policy—Enable unified access control enforcement of the policy.

Count

Specifies whether counters for computing session, packet, and byte statistics for the policy are enabled. By default, counters are not enabled.

Log

Specifies whether session logging is enabled. By default, session logging is not enabled. Session activity to log can include the following:

  • Session initialization
  • Session close
  • Both

Policy Hit Counters Graph

Provides a representation of the value over time for a specified counter. The graph is blank if Policy Counters indicates no data. As a selected counter accumulates data, the graph is updated at each refresh interval.

To toggle a graph on and off, click the counter name below the graph.

Policy Counters

Lists statistical counters for the selected policy if Count is enabled. The following counters are available for each policy:

  • input-bytes
  • input-byte-rate
  • output-bytes
  • output-byte-rate
  • input-packets
  • input-packet-rate
  • output-packets
  • output-packet-rate
  • session-creations
  • session-creation-rate
  • active-sessions

To graph or to remove a counter from the Policy Hit Counters Graph, toggle the counter name. The names of enabled counters appear below the graph.

Related Documentation

Copyright© 2011 Juniper Networks, Inc. All rights reserved.