[Report an Error]

Monitoring Policies

The security policies information is divided into multiple parts. To view summary information such as the names of the source and destination addresses of the policy, the name of a preconfigured or custom application defined for the policy, or actions taken on packets matching the policies, select Monitor>Security>Policies in the J-Web interface. To view policy-specific properties such as policy or session statistics, select the policy name on the Security Policies page.

Alternatively, enter the following CLI commands:

Table 8 summarizes key output fields in the security policies information display.

Table 8: Summary of Key Security Policies Information Output Fields

Field

Values

Additional Information

Security Policies Information

Default policy

Actions the device takes on a packet that does not match any user-defined policy:

  • permit-all—Permit all traffic that does not match a policy.
  • deny-all—Deny all traffic that does not match a policy. Packets are dropped. This is the default.
 

From Zone

Name of the source zone.

 

To Zone

Name of the destination zone.

 

Policy Name

Name of the policy.

 

Source Address

Names of the source addresses for a policy. Address sets are resolved to their individual names. (In this case, only the names are given, not their IP address).

 

Destination Address

Name of the destination address (or address set) as it was entered in the destination zone’s address book. A packet’s destination address must match this value for the policy to apply to it.

 

Applications

Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.

 

Action

Action taken in regard to a packet that matches the policy’s tuples, or match conditions. Actions include the following:

  • permit
  • IPsec-VPN tunnel vpn-name
  • pair-policy pair-policy-name
  • source-nat pool pool-name
  • interface
  • pool-set pool-set-name
  • destination-nat name
  • firewall-authentication
  • pass-through
  • web-authentication
  • deny
  • reject
  • count
  • log
 

State

Status of the policy:

  • enabled—The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.
  • disabled—The policy cannot be used in the policy lookup process, and therefore it is not available for access control.
 
Security Policies: policy-name

Index

An internal number associated with the policy.

 

Sequence Number

Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA to-zoneB context might be ordered with sequence numbers 1, 2, and 3. Also, in a from-zoneC to-zoneD context, four policies might have sequence numbers 1, 2, 3, and 4.

 

From Zone

Name of the source zone.

 

To Zone

Name of the destination zone.

 

Action Type

Action taken in regard to a packet that matches the policy’s tuples, or match criteria. Actions include the following:

  • permit
  • IPsec-VPN tunnel vpn-name
  • pair-policy pair-policy-name
  • source-nat pool pool-name
  • interface
  • pool-set pool-set-name
  • destination-nat name
  • firewall-authentication
  • pass-through
  • web-authentication
  • deny
  • reject
  • count
  • log
 

State

Status of the policy:

  • enabled—The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.
  • disabled—The policy cannot be used in the policy lookup process, and therefore it is not available for access control.
 

Source addresses

Names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.

 

Destination addresses

Name of the destination address (or address set) as it was entered in the destination zone’s address book. A packet’s destination address must match this value for the policy to apply to it.

 

Applications

Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.

  • IP protocol—The IP protocol used by the application—for example, TCP, UDP, ICMP.
  • ALG—If an ALG is associated with the session, the name of the ALG. Otherwise, 0.
  • Inactivity timeout—Elapsed time without activity after which the application is terminated.
  • Source port range—The low-high source port range for the session application.
  • Destination port range—The low-high destination port range for the session application.
 

Session log

Indicates whether the at-create and at-close flags were set at configuration time to log session information.

 

Scheduler name

Name of a preconfigured scheduler whose schedule determines when the policy is active (or inactive). The device can use an active policy to check an incoming packet to determine how to treat the packet.

 

Policy Statistics

Policy statistics include the following:

  • Input bytes—The number of bytes presented for processing by the device.
  • Output bytes—The number of bytes actually processed by the device.
  • Input packets—The number of packets presented for processing by the device.
  • Output packets—The number of packets actually processed by the device.
 

Session Statistics

Session statistics include the following:

  • Session creations—The number of sessions created since system startup.
  • Active sessions—The number of sessions currently present because of access control lookups that used this policy.
  • Session deletions—The number of sessions deleted since system startup.
 

Policy lookups

Number of times the policy was accessed to check for a match.

 

[Report an Error]