show security policies
Syntax
show security policies
<all-logical-systems-tenants>
<checksum>
<count>
<detail>
<from-zone zone-name>
<global>
<hit-count>
<information>
<logical-system logical-system-name>
<policy-name policy-name>
<root-logical-system>
<service-set>
<start>
<tenant tenant-name>
<to-zone zone-name>
<unknown-source-identity>
<zone-context>
Description
Displays a summary of all security policies configured on the device. If a particular policy is specified, displays information specific to that policy. The existing show commands for displaying the policies configured with multiple tenant support are enhanced. A security policy controls the traffic flow from one zone to another zone. Security policies allow you to deny, permit, reject (deny and send a TCP RST or ICMP port unreachable message to the source host), encrypt and decrypt, authenticate, prioritize, schedule, filter, and monitor the traffic attempting to cross from one security zone to another.
Options
all-logical-systems-tenants—Displays all multitenancy systems.
checksum—Displays the policy information checksum.
count—Displays the number of policies to show. Range is 1 through 65,535.
detail—(Optional) Displays a detailed view of all of the policies configured on the device.
from-zone—Displays the policy information matching the given source zone.
global—(Optional) Displays the policy information about global policies.
hit-count—Displays the policies hit count.
information—Displays the policy information.
logical-system—Displays the logical system name.
policy-name—(Optional) Displays the policy information matching the given policy name.
root-logical-system—Displays root logical system as default.
service-set—Displays the name of the service set.
start—Displays the policies from a given position. Range is 1 through 65,535.
tenant—Displays the name of the tenant system.
to-zone—Displays the policy information matching the given destination zone.
unknown-source-identity—Displays the unknown-source-identity of a policy.
zone-context—Displays the count of policies in each context (from-zone and to-zone).
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security policies command. Output fields are listed in the approximate order in which they appear.
| Field Name | Field Description |
|---|---|
| | Name of the source zone. |
| | Name of the destination zone. |
| | Name of the applicable policy. |
| | Description of the applicable policy. |
| | Status of the policy: |
| | Internal number associated with the policy. |
| | Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, 3. Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1, 2, 3, 4. |
| | For standard display mode, the names of the source addresses for a policy. Address sets are resolved to their individual names. For detail display mode, the names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs. |
| | Name of the destination address (or address set) as it was entered in the destination zone’s address book. A packet’s destination address must match this value for the policy to apply to it. |
| | Name of the device identity profile (referred to as |
| | Name of the source address excluded from the policy. |
| | Name of the destination address excluded from the policy. |
| | One or more user roles specified for a policy. |
| | Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time. |
| Source identity feeds | Name of a source identity (user name) added as match criteria |
| Destination identity feeds | Name of a destination identity (user name) added as match criteria |
| | Application identification-based Layer 7 dynamic applications. |
| | Status of the destination address translation traffic: |
| | An application firewall includes the following: |
| | Session log entry that indicates whether the |
| | Name of a preconfigured scheduler whose schedule determines when the policy is active and can be used as a possible match for traffic. |
| | Displays unified policy redirect profile. See profile(dynamic-application). |
| | Configured syn and sequence checks, and the configured TCP MSS value for the initial direction, the reverse direction or, both. |
| | Feeds details added in the security policy. The supported feeds are: |
Sample Output
show security policies
```
user@host> show security policies
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Sequence number: 1
    Source addresses:
      sa-1-ipv4: 198.51.100.11/24
      sa-2-ipv6: 2001:db8:a0b:12f0::1/32
      sa-3-ipv6: 2001:db8:a0b:12f0::22/32
      sa-4-wc: 203.0.113.1/255.255.0.255
    Destination addresses:
      da-1-ipv4: 10.2.2.2/24
      da-2-ipv6: 2001:db8:a0b:12f0::8/32
      da-3-ipv6: 2001:db8:a0b:12f0::9/32
      da-4-wc: 192.168.22.11/255.255.0.255
    Source identities: role1, role2, role4
    Applications: any
    Action: permit, application services, log, scheduled
    Application firewall : my_ruleset1
  Policy: p2, State: enabled, Index: 5, Sequence number: 2
    Source addresses:
      sa-1-ipv4: 198.51.100.11/24
      sa-2-ipv6: 2001:db8:a0b:12f0::1/32
      sa-3-ipv6: 2001:db8:a0b:12f0::22/32
    Destination addresses:
      da-1-ipv4: 10.2.2.2/24
      da-2-ipv6: 2001:db8:a0b:12f0::1/32
      da-3-ipv6: 2001:db8:a0b:12f0::9/32
    Source identities: role1, role4
    Applications: any
    Action: deny, scheduled
```
show security policies (Dynamic Applications)
```
user@host> show security policies
  Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Dynamic Applications: junos:YAHOO
    Action: deny, log
  Policy: p2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Dynamic Applications: junos:web, junos:web:social-networking:facebook, junos:TFTP, junos:QQ
    Action: permit, log
  Policy: p3, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 3
    Source addresses: any
    Destination addresses: any
    Applications: any
    Dynamic Applications: junos:HTTP, junos:SSL
    Action: permit, application services, log
```
The following example displays the output with unified policies configured.
```
user@host> show security policies
Default policy: deny-all
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: p2, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: junos-defaults
    Dynamic Applications: junos:GMAIL, junos:FACEBOOK-CHAT
    dynapp-redir-profile: profile1
```
show security policies policy-name p2
```
user@host> show security policies policy-name p2
Policy: p2, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
  From zones: any
  To zones: any
  Source vrf group: any
  Destination vrf group: any
  Source addresses: any
  Destination addresses: any
  Applications: any
  Dynamic Applications: any
  Action: permit, application services, feed
```
show security policies policy-name detail
```
user@host> show security policies policy-name p2 detail
Policy: p2, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured, global
  Sequence number: 1
  From zones: any
  To zones: any
  Source vrf group: any
  Destination vrf group: any
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination ports: [0-0]
  Dynamic Application:
    any: 0
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
  Intrusion Detection and Prevention: disabled
  Unified Access Control: disabled
  Feed: add-source-ip-to-feed

user@host> show security policies policy-name p1 detail
Policy: p1, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Description: The policy p1 is for the sales team
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    sa-1-ipv4: 198.51.100.11/24
    sa-2-ipv6: 2001:db8:a0b:12f0::1/32
    sa-3-ipv6: 2001:db8:a0b:12f0::9/32
    sa-4-wc: 203.0.113.1/255.255.0.255
  Destination addresses:
    da-1-ipv4: 192.0.2.0/24
    da-2-ipv6: 2001:db8:a0b:12f0::1/32
    da-3-ipv6: 2001:db8:a0b:12f0::9/32
    da-4-wc: 192.168.22.11/255.255.0.255
  Source identities:
    role1
    role2
    role4
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Destination Address Translation: drop translated
  Application firewall :
    Rule-set: my_ruleset1
      Rule: rule1
        Dynamic Applications: junos:FACEBOOK-ACCESS, junos:YMSG
        Dynamic Application groups: junos:web, junos:chat
        Action: deny
      Default rule: permit
  Session log: at-create, at-close
  Scheduler name: sch20
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input bytes : 18144 545 bps
      Initial direction: 9072 272 bps
      Reply direction : 9072 272 bps
    Output bytes : 18144 545 bps
      Initial direction: 9072 272 bps
      Reply direction : 9072 272 bps
    Input packets : 216 6 pps
      Initial direction: 108 3 bps
      Reply direction : 108 3 bps
    Output packets : 216 6 pps
      Initial direction: 108 3 bps
      Reply direction : 108 3 bps
    Session rate : 108 3 sps
    Active sessions : 93
    Session deletions : 15
    Policy lookups : 108
```
show security policies (Services-Offload)
```
user@host> show security policies
Policy: p1, action-type: reject, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: trust
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  dynapp-redir-profile: profile1(1)
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
```
show security policies (Device Identity)
```
user@host> show security policies
From zone: trust, To zone: untrust
  Policy: dev-id-marketing, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    source-end-user-profile: marketing-profile
    Applications: any
    Action: permit
```
show security policies detail
```
user@host> show security policies detail
Default policy: deny-all
Policy: p1, action-type: permit, services-offload:enabled , State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Description: The policy p1 is for the sales team
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Source identities:
    role1
    role2
    role4
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input bytes : 18144 545 bps
      Initial direction: 9072 272 bps
      Reply direction : 9072 272 bps
    Output bytes : 18144 545 bps
      Initial direction: 9072 272 bps
      Reply direction : 9072 272 bps
    Input packets : 216 6 pps
      Initial direction: 108 3 bps
      Reply direction : 108 3 bps
    Output packets : 216 6 pps
      Initial direction: 108 3 bps
      Reply direction : 108 3 bps
    Session rate : 108 3 sps
    Active sessions : 93
    Session deletions : 15
    Policy lookups : 108
Policy: p2, action-type: permit, services-offload:enabled , State: enabled, Index: 5, Scope Policy: 0
  Policy Type: Configured
  Description: The policy p2 is for the sales team
  Sequence number: 1
  From zone: untrust, To zone: trust
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Source identities:
    role1
    role2
    role4
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
```
The following example displays the output with unified policies configured.
```
user@host> show security policies detail
Default policy: deny-all
Pre ID default policy: permit-all
Policy: p2, action-type: reject, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: junos-defaults
    IP protocol: 6, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [443-443]
    IP protocol: 6, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [5432-5432]
    IP protocol: 6, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [80-80]
    IP protocol: 6, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [3128-3128]
    IP protocol: 6, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [8000-8000]
    IP protocol: 6, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [8080-8080]
    IP protocol: 17, ALG: 0, Inactivity timeout: 60
      Source port range: [0-0]
      Destination port range: [1-65535]
    IP protocol: 6, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [443-443]
    IP protocol: 6, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [5432-5432]
    IP protocol: 6, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [80-80]
    IP protocol: 6, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [3128-3128]
    IP protocol: 6, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [8000-8000]
    IP protocol: 6, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [8080-8080]
    IP protocol: 17, ALG: 0, Inactivity timeout: 60
      Source port range: [0-0]
      Destination port range: [1-65535]
  Dynamic Application:
    junos:FACEBOOK-CHAT: 10704
    junos:GMAIL: 51
  dynapp-redir-profile: profile1(1)
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
```
show security policies detail (TCP Options)
```
user@host> show security policies policy-name p2 detail
node0:
--------------------------------------------------------------------------
Policy:p2, action-type:permit, State: enabled,Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: trust
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: junos-defaults
    IP protocol: tcp, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [80-80]
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
  Dynamic-application: junos:HTTP
```
show security policies policy-name (Negated Address)
```
user@host> show security policies policy-name p1
node0:
--------------------------------------------------------------------------
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses(excluded): as1
    Destination addresses(excluded): as2
    Applications: any
    Action: permit
```
show security policies policy-name detail (Negated Address)
```
user@host> show security policies policy-name p1 detail
node0:
--------------------------------------------------------------------------
Policy: p1, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses(excluded):
    ad1(ad): 255.255.255.255/32
    ad2(ad): 198.51.100.1/24
    ad3(ad): 198.51.100.6 ~ 198.51.100.56
    ad4(ad): 192.0.2.8/24
    ad5(ad): 198.51.100.99 ~ 198.51.100.199
    ad6(ad): 203.0.113.9/24
    ad7(ad): 203.0.113.23/24
  Destination addresses(excluded):
    ad13(ad2): 198.51.100.76/24
    ad12(ad2): 198.51.100.88/24
    ad11(ad2): 192.0.2.23 ~ 192.0.2.66
    ad10(ad2): 192.0.2.93
    ad9(ad2): 203.0.113.76 ~ 203.0.113.106
    ad8(ad2): 203.0.113.199
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
```
show security policies global
```
user@host> show security policies global policy-name Pa
node0:
--------------------------------------------------------------------------
Global policies:
  Policy: Pa, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
    From zones: any
    To zones: any
    Source addresses: H0
    Destination addresses: H1
    Applications: junos-http
    Action: permit
```
show security policies detail tenant
```
user@host> show security policies detail tenant TN1
Default policy: deny-all
Pre ID default policy: permit-all
Policy: p1, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses: any
  Destination addresses: any
  Application: junos-ping
    IP protocol: 1, ALG: 0, Inactivity timeout: 60
      ICMP Information: type=255, code=0
  Application: junos-telnet
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [23-23]
  Application: app_udp
    IP protocol: udp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [5000-5000]
  Application: junos-icmp6-all
    IP protocol: 58, ALG: 0, Inactivity timeout: 60
      ICMP Information: type=255, code=0
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
  Session log: at-create, at-close
  Policy statistics:
    Input bytes : 0 0 bps
      Initial direction: 0 0 bps
      Reply direction : 0 0 bps
    Output bytes : 0 0 bps
      Initial direction: 0 0 bps
      Reply direction : 0 0 bps
    Input packets : 0 0 pps
      Initial direction: 0 0 bps
      Reply direction : 0 0 bps
    Output packets : 0 0 pps
      Initial direction: 0 0 bps
      Reply direction : 0 0 bps
    Session rate : 0 0 sps
    Active sessions : 0
    Session deletions: 0
    Policy lookups : 0
```
show security policies (threat profile feeds)
```
user@host> show security policies policy-name p2
From zone: trust, To zone: untrust
  Policy: p2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: user_feed_1, user_feed_2
    Destination identity feeds: user_feed_3, user_feed_4
    Action: permit, application services, feed
```
show security policies detail (threat profile feeds)
```
user@host> show security policies policy-name p2 detail
Policy: p2, action-type: permit, State: enabled, Index: 5, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 2
  From zone: trust, To zone: untrust
  Source vrf group: any
  Destination vrf group: any
  Source addresses:
    any-ipv4(bob_addrbook_1): 0.0.0.0/0
    any-ipv6(bob_addrbook_1): ::/0
  Destination addresses:
    any-ipv4(bob_addrbook_1): 0.0.0.0/0
    any-ipv6(bob_addrbook_1): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination ports: [0-0]
  Source identity feeds:
    user_feed_1
    user_feed_2
  Destination identity feeds:
    user_feed_3
    user_feed_4
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
  Intrusion Detection and Prevention: disabled
  Unified Access Control: disabled
  Feed: add-source-ip-to-feed
  Feed: add-destination-ip-to-feed
  Feed: add-source-identity-to-feed
  Feed: add-destination-identity-to-feed
```
show security policies detail (services-offload enabled)
```
user@host> show security policies detail
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
Policy: SOF-enable, action-type: permit, services-offload:enabled , State: enabled, Index: 5, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust1
  Source vrf group: any
  Destination vrf group: any
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination ports: [0-0]
  Dynamic Application:
    any: 0
  Source identity feeds: any
  Destination identity feeds: any
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
```
show security policies policy-name SOF-enable
```
user@host> show security policies policy-name SOF-enable
From zone: trust, To zone: untrust1
  Policy: SOF-enable, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Dynamic Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, services-offload
```
show security policies detail (services-offload disabled)
```
user@host> show security policies detail
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
Policy: SOF-disable, action-type: permit, services-offload:disabled , State: enabled, Index: 5, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust1
  Source vrf group: any
  Destination vrf group: any
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination ports: [0-0]
  Dynamic Application:
    any: 0
  Source identity feeds: any
  Destination identity feeds: any
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
```
show security policies policy-name SOF-disable
```
user@host> show security policies policy-name SOF-disable
From zone: trust, To zone: untrust1
  Policy: SOF-disable, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Dynamic Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, no-services-offload
```
show security policies (destination-identity)
```
user@host> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: junos-http, junos-https
    Dynamic Applications: junos:HTTP, junos:HTTP-VIDEO, junos:HTTP-AUDIO-CONTENT, junos:BMFF, junos:SSL
    Source identities: role1, role3
    Source identity feeds: any
    Destination identity context: role2, role4
    Destination identity context profile: hr
    Destination identity feeds: any
    Action: permit
```
show security policies from-zone trust to-zone untrust detail (destination-identity)
```
user@host> show security policies from-zone trust to-zone untrust detail
Policy: p2, action-type: permit, services-offload:not-configured , State: enabled, Index: 6, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source vrf group: any
  Destination vrf group: any
  Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: junos-http
    IP protocol: tcp, ALG: 0, Inactivity timeout: 300
      Source port range: [0-0]
      Destination ports: 80
  Application: junos-https
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination ports: 443
  Application: junos-ssh
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination ports: 22
  Source identity feeds: any
  Destination identity context:
    role2
    role4
  Destination identity context profile: hr
  Destination identity feeds: any
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
```
show security policies detail (destination-identity)
```
user@host> show security policies detail
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
Policy: p1, action-type: permit, services-offload:not-configured , State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source vrf group: any
  Destination vrf group: any
  Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: junos-http
    IP protocol: tcp, ALG: 0, Inactivity timeout: 300
      Source port range: [0-0]
      Destination ports: 80
  Application: junos-https
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination ports: 443
  Dynamic Application:
    junos:SSL: 199
    junos:BMFF: 1293
    junos:HTTP-AUDIO-CONTENT: 10806
    junos:HTTP-VIDEO: 11032
    junos:HTTP: 67
  Source identities:
    role1
    role3
  Source identity feeds: any
  Destination identity context:
    role2
    role4
  Destination identity context profile: hr
  Destination identity feeds: any
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
```
show security policies global detail (destination-identity)
```
user@host> show security policies global detail
Policy: g1, action-type: reject, services-offload:not-configured , State: enabled, Index: 8, Scope Policy: 0
  Policy Type: Configured, global
  Sequence number: 1
  From zones: any
  To zones: any
  Source vrf group: any
  Destination vrf group: any
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: junos-http
    IP protocol: tcp, ALG: 0, Inactivity timeout: 300
      Source port range: [0-0]
      Destination ports: 80
  Application: junos-https
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination ports: 443
  Dynamic Application:
    junos:HTTP: 67
  Source identities:
    unauthenticated-user
    role1
  Source identity feeds: any
  Destination identity context:
    role2
    role4
  Destination identity context profile: hr
  Destination identity feeds: any
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
```
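The following is an added example, not Juniper code and not part of the original page: a Python parser for the standard (non-detail) display format shown in the samples above, with an audit pass that flags enabled policies that permit any/any/any, permit without the `log` action, or sit behind an earlier match-all policy in the same zone context. The sample text, the function names and the finding labels are constructed for illustration, and treating any unrecognized non-`any` field (identities, negated addresses, profiles) or a `scheduled` action as narrowing the match is an assumption of this example.

```python
import re

ZONES = re.compile(r"^From zone: (\S+), To zone: (\S+)$")
POLICY = re.compile(r"^Policy: ([^,]+), (.+)$")
FIELD = re.compile(
    r"^(Source addresses|Destination addresses|Applications|Action):\s*(.*)$")
ADDRESS = re.compile(r"^(\S+): (?=\S*[.:])[0-9A-Fa-f:.]+(?:/[0-9.]+)?$")
MATCH_KEYS = ("Source addresses", "Destination addresses", "Applications")

# Constructed sample in the standard display format (not captured output).
SAMPLE = """\
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses:
      sa-2-ipv6: 2001:db8:a0b:12f0::1/32
    Destination addresses: any
    Applications: junos-http, junos-https
    Action: permit, log
  Policy: p2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: p3, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 3
    Source addresses: any
    Destination addresses: any
    Applications: junos-telnet
    Action: deny, log
From zone: untrust, To zone: trust
  Policy: p4, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Source identities: role1
    Applications: any
    Action: permit
"""


def parse_policies(text):
    """Parse standard-mode (non-detail) output into a list of policy dicts."""
    policies, zones, cur, open_field = [], ("any", "any"), None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ZONES.match(line):
            zones, cur, open_field = m.groups(), None, None
        elif m := POLICY.match(line):
            attrs = dict(a.split(": ", 1) for a in m.group(2).split(", ") if ": " in a)
            cur = {"name": m.group(1), "zones": zones, "state": attrs.get("State"),
                   "sequence": int(attrs.get("Sequence number", 0)), "other": []}
            policies.append(cur)
            open_field = None
        elif cur is not None and (m := FIELD.match(line)):
            key, value = m.groups()
            cur[key] = [v.strip() for v in value.split(",") if v.strip()]
            open_field = None if value else key
        elif cur is not None and open_field and (m := ADDRESS.match(line)):
            cur[open_field].append(m.group(1))  # "name: prefix" -> keep the name
        else:
            open_field = None  # any other line ends an address list
            if cur is not None and ": " in line and not line.endswith(": any"):
                cur["other"].append(line)  # identity, negation, profile, ...
    return policies


def matches_everything(p):
    """True when source, destination and application are all a plain 'any'."""
    narrowed = p["other"] or "scheduled" in p.get("Action", [])
    return not narrowed and all(p.get(k) == ["any"] for k in MATCH_KEYS)


def audit(policies):
    """Return (policy, finding) pairs for enabled policies in lookup order."""
    findings, catch_all = [], {}  # catch_all: zone pair -> first match-all policy
    enabled = [p for p in policies if p["state"] == "enabled"]
    for p in sorted(enabled, key=lambda p: (p["zones"], p["sequence"])):
        actions = p.get("Action", [])
        if p["zones"] in catch_all:
            findings.append((p["name"], f"shadowed by {catch_all[p['zones']]}"))
        elif matches_everything(p):
            catch_all[p["zones"]] = p["name"]
            if "permit" in actions:
                findings.append((p["name"], "permits any/any/any"))
        if "permit" in actions and "log" not in actions:
            findings.append((p["name"], "permit without log"))
    return findings
```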
Release Information
Command modified in Junos OS Release 9.2.
Support for IPv6 addresses is added in Junos OS Release 10.2.
Support for wildcard addresses is added in Junos OS Release 11.1.
Support for global policy and services offloading is added in Junos OS Release 11.4.
Support for source-identities and the Description output field is added in Junos OS Release 12.1.
Support for negated address added in Junos OS Release 12.1X45-D10.
The output fields for Policy Statistics expanded, and the output fields for the global and policy-name options are expanded to include from-zone and to-zone global match criteria in Junos OS Release 12.1X47-D10.
Support for the initial-tcp-mss and reverse-tcp-mss options is added in Junos OS Release 12.3X48-D20.
Output field and description for source-end-user-profile option is added in Junos OS Release 15.1x49-D70.
Output field and description for dynamic-applications option is added in Junos OS Release 15.1x49-D100.
Output field and description for dynapp-redir-profile option is added in Junos OS Release 18.2R1.
The tenant option is introduced in Junos OS Release 18.3R1.
The <all-logical-systems-tenants> option is introduced in Junos OS Release 18.4R1.
The information option is introduced in Junos OS Release 18.4R1.
The checksum option is introduced in Junos OS Release 18.4R1.