Checking Policies

Purpose

Enter match criteria and conduct a policy search. The search results include all policies that match the traffic criteria in the sequence in which they will be encountered.

Because policy matches are listed in the sequence in which they would be encountered, you can determine whether a specific policy is being applied correctly or not. The first policy in the list is applied to all matching traffic. Policies listed after this one remain in the “shadow” of the first policy and are never encountered by this traffic.

By manipulating the traffic criteria and policy sequence, you can tune policy application to suit your needs. During policy development, you can use this feature to establish the appropriate sequence of policies for optimum traffic matches. When troubleshooting, use this feature to determine if specific traffic is encountering the appropriate policy.

Action

  1. Select Monitor>Security>Policy>Shadow Policies in the J-Web user interface. The Check Policies page appears. Table 207 explains the content of this page.
  2. In the top pane, enter the From Zone and To Zone to supply the context for the search.
  3. Enter match criteria for the traffic, including the source address and port, the destination address and port, and the protocol of the traffic.
  4. Enter the number of matching policies to display.
  5. Click Search to find policies matching your criteria. The lower pane displays all policies matching the criteria up to the number of policies you specified.
    • The first policy will be applied to all traffic with this match criteria.
    • Remaining policies will not be encountered by any traffic with this match criteria.
  6. To manipulate the position and activation of a policy, select the policy and click the appropriate button:
    • Move—Moves the selected policy up or down to position it at a more appropriate point in the search sequence.
    • Move to—Moves the selected policy by allowing you to drag and drop it to a different location on the same page.

Table 207: Check Policies Output

Field

Function

Check Policies Search Input Pane

From Zone

Name or ID of the source zone. If a From Zone is specified by name, the name is translated to its ID internally.

To Zone

Name or ID of the destination zone. If a To Zone is specified by name, the name is translated to its ID internally.

Source Address

Address of the source in IP notation.

Source Port

Port number of the source.

Destination Address

Address of the destination in IP notation.

Destination Port

Port number of the destination.

Source Identity

Name of the source identity.

Protocol

Name or equivalent value of the protocol to be matched.

ah

51

egp

8

esp

50

gre

47

icmp

1

igmp

2

igp

9

ipip

94

ipv6

41

ospf

89

pgm

113

pim

103

rdp

27

rsvp

46

sctp

132

tcp

6

udp

17

vrrp

112

Result Count

(Optional) Number of policies to display. Default value is 1. Maximum value is 16.

Check Policies List

From Zone

Name of the source zone.

To Zone

Name of the destination zone.

Total Policies

Number of policies retrieved.

Default Policy action

The action to be taken if no match occurs.

Name

Policy name

Source Address

Name of the source address (not the IP address) of a policy. Address sets are resolved to their individual names.

Destination Address

Name of the destination address or address set. A packet’s destination address must match this value for the policy to apply to it.

Source Identity

Name of the source identity for the policy.

Application

Name of a preconfigured or custom application of the policy match.

Action

Action taken when a match occurs as specified in the policy.

Hit Counts

Number of matches for this policy. This value is the same as the Policy Lookups in a policy statistics report.

Active Sessions

Number of active sessions matching this policy.

Alternatively, to list matching policies using the CLI, enter the show security match-policies command and include your match criteria and the number of matching policies to display.

Related Documentation