Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


show system security-profile



Display information about a resource allocated to the logical system in a security profile. For each resource specified, the number used by the logical system and the configured maximum and reserved values are displayed.

The show system security-profile command can be used by the primary administrator to display resource information for the primary logical system or user logical system. This command can also be used by the user logical system administrator to display resource information for a user logical system.


Either specify all-resource to display information about all resources allocated for the logical system, or specify one of the following resources:

  • address-book—Address books.

  • appfw-rule-set—Application firewall rule set entries.

  • appfw-rule—Application firewall rule entries.

  • auth-entry—Firewall authentication entries.

  • cpu—CPU utilization.

  • flow-gate—Flow gates, also known as pinholes.

  • flow-session—Flow sessions.

  • icap-redirect-profile—ICAP redirect profile resource information.

  • nat-cone-binding—Network Address Translation (NAT) cone bindings.

  • nat-destination-pool—NAT destination pools.

  • nat-destination-rule—NAT destination rules.

  • nat-nopat-address—NAT without port address translations.

  • nat-pat-address—NAT with port address translations.

  • nat-pat-portnum—NAT source port numbers for port translation

  • nat-port-ol-ipnumber—NAT port overloading IP numbers.

  • nat-rule-referenced-prefix—NAT rule referenced IP-prefixes.

  • nat-source-pool—NAT source pools.

  • nat-source-rule—NAT source rules.

  • nat-static-rule—NAT static rules.

  • policy—Security policies.

  • policy-with-count—Security policies with a count.

  • scheduler—Schedulers.

  • zone—Security zones.

detail | terse—(Optional) Display the specified level of output.

The following options are available only to the primary administrator:

  • logical-system—Display resource information for a specified user logical system. Specify all to display resource information for all logical systems, including the primary logical system.

  • root-logical-system—Display resource information for the primary (root) logical system.

  • summary—Display summary information about the resource for all logical systems.

  • tenant—Display resource information for a specified tenant system. Specify all to display resource information for all tenant systems.

Required Privilege Level


Output Fields

Table 1 lists the output fields for the show system security-profile command. Output fields are listed in the approximate order in which they appear.

Table 1: show system security-profile Output Fields

Field Name

Field Description

logical system name

Name of the logical system.

tenant name

Name of the tenant system.

security profile name

Name of the security profile bound to the logical system.


Number of resources that are currently being used by the logical system.


Number of resources that are guaranteed to be available to the logical system.


Number of resources that the logical system can use. The maximum does not guarantee that the amount specified for the resource in the security profile is available. The maximum is not applicable for CPU resources.

CPU control

TRUE if CPU control is enabled or FALSE if CPU control is not enabled.

CPU control target

Upper limit for CPU utilization on the device. The default value is 80 percent.

CPU name

Central point (CP) or services processing unit (SPU). CP utilization and average utilization of all SPUs is shown. The detail option shows CPU utilization on each SPU.

drop rate

Packets dropped for CPU control.

Sample Output

show system security-profile all-resource

show system security-profile all-resource tenant all

show system security-profile policy

show system security-profile cpu

show system security-profile cpu logical-system all

show system security-profile cpu summary

show system security-profile nat-pat-portnum

show system security-profile nat-pat-portnum summary

show system security-profile icap-redirect-profile logical-system all

Release Information

Command introduced in Junos OS Release 11.2.

Support for application firewall added in Junos OS Release 11.3.

Option to display all resources for a logical system added in Junos OS Release 11.

Resource information for ports in source NAT pools with port translation added in Release Junos OS 11.4.

The tenant option is introduced in Junos OS Release 18.3R1.

The icap redirect profile option is introduced in Junos OS Release 18.3R1.