Checking Policies
Purpose
Enter match criteria and conduct a policy search. The search results include all policies that match the traffic criteria in the sequence in which they will be encountered.
Because policy matches are listed in the sequence in which they would be encountered, you can determine whether a specific policy is being applied correctly or not. The first policy in the list is applied to all matching traffic. Policies listed after this one remain in the “shadow” of the first policy and are never encountered by this traffic.
By manipulating the traffic criteria and policy sequence, you can tune policy application to suit your needs. During policy development, you can use this feature to establish the appropriate sequence of policies for optimum traffic matches. When troubleshooting, use this feature to determine if specific traffic is encountering the appropriate policy.
Action
- Select Monitor>Security>Policy>Shadow Policies in the J-Web user interface. The Check Policies page appears. Table 206 explains the content of this page.
- In the top pane, enter the From Zone and To Zone to supply the context for the search.
- Enter match criteria for the traffic, including the source address and port, the destination address and port, and the protocol of the traffic.
- Enter the number of matching policies to display.
- Click Search to find policies matching
your criteria. The lower pane displays all policies matching the criteria
up to the number of policies you specified.
- The first policy will be applied to all traffic with this match criteria.
- Remaining policies will not be encountered by any traffic with this match criteria.
- To manipulate the position and activation of a policy,
select the policy and click the appropriate button:
- Move—Moves the selected policy up or down to position it at a more appropriate point in the search sequence.
- Move to—Moves the selected policy by allowing you to drag and drop it to a different location on the same page.
Table 206: Check Policies Output
Field | Function | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Check Policies Search Input Pane | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
From Zone | Name or ID of the source zone. If a From Zone is specified by name, the name is translated to its ID internally. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
To Zone | Name or ID of the destination zone. If a To Zone is specified by name, the name is translated to its ID internally. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Source Address | Address of the source in IP notation. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Source Port | Port number of the source. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Destination Address | Address of the destination in IP notation. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Destination Port | Port number of the destination. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Source Identity | Name of the source identity. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Protocol | Name or equivalent value of the protocol to be matched.
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Result Count | (Optional) Number of policies to display. Default value is 1. Maximum value is 16. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Check Policies List | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
From Zone | Name of the source zone. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
To Zone | Name of the destination zone. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Total Policies | Number of policies retrieved. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Default Policy action | The action to be taken if no match occurs. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Name | Policy name | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Source Address | Name of the source address (not the IP address) of a policy. Address sets are resolved to their individual names. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Destination Address | Name of the destination address or address set. A packet’s destination address must match this value for the policy to apply to it. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Source Identity | Name of the source identity for the policy. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Application | Name of a preconfigured or custom application of the policy match. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Action | Action taken when a match occurs as specified in the policy. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Hit Counts | Number of matches for this policy. This value is the same as the Policy Lookups in a policy statistics report. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Active Sessions | Number of active sessions matching this policy. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
Alternatively, to list matching policies using the CLI, enter the show security match-policies command and include your match criteria and the number of matching policies to display.