show security policies
Syntax
show security policies<all-logical-systems-tenants><checksum><count><detail><from-zone zone-name><global><hit-count><information><logical-system logical-system-name><policy-name policy-name><root-logical-system><service-set><start><tenant tenant-name><to-zone zone-name><unknown-source-identity><zone-context>
Description
Displays a summary of all security policies configured on the device. If a particular policy is specified, display information specific to that policy. The existing show commands for displaying the policies configured with multiple tenant support are enhanced. A security policy controls the traffic flow from one zone to another zone. The security policies allow you to deny, permit, reject (deny and send a TCP RST or ICMP port unreachable message to the source host), encrypt and decrypt, authenticate, prioritize, schedule, filter, and monitor the traffic attempting to cross from one security zone to another.
Options
all-logical-systems-tenants—Displays all multitenancy systems.checksum—Displays the policy information checksum.count—Displays the number of policies to show. Range is 1 through 65,535.detail—(Optional) Displays a detailed view of all of the policies configured on the device.from-zone—Displays the policy information matching the given source zone.global—(Optional) Displays the policy information about global policies.hit-count—Displays the policies hit count.information—Displays the policy information.logical-system—Displays the logical system name.policy-name—(Optional) Displays the policy information matching the given policy name.root-logical-system—Displays root logical system as default.service-set—Displays the name of the service set.start—Displays the policies from a given position. Range is 1 through 65,535.tenant—Displays the name of the tenant system.to-zone—Displays the policy information matching the given destination zone.unknown-source-identity—Displays the unknown-source-identity of a policy.zone-context—Displays the count of policies in each context (from-zone and to-zone).
Required Privilege Level
view
Output Fields
Table 1 lists the output
fields for the show security policies command. Output fields
are listed in the approximate order in which they appear.
Field Name |
Field Description |
|---|---|
|
Name of the source zone. |
|
Name of the destination zone. |
|
Name of the applicable policy. |
|
Description of the applicable policy. |
|
Status of the policy:
|
|
Internal number associated with the policy. |
|
Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, 3. Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1, 2, 3, 4. |
|
For standard display mode, the names of the source addresses for a policy. Address sets are resolved to their individual names. For detail display mode, the names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs. |
|
Name of the destination address (or address set) as it was entered in the destination zone’s address book. A packet’s destination address must match this value for the policy to apply to it. |
|
Name of the device identity profile (referred to as |
|
Name of the source address excluded from the policy. |
|
Name of the destination address excluded from the policy. |
|
One or more user roles specified for a policy. |
|
Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.
|
Source identity feeds |
Name of a source identity (user name) added as match criteria |
Destination identity feeds |
Name of a destination identity (user name) added as match criteria |
|
Application identification-based Layer 7 dynamic applications. |
|
Status of the destination address translation traffic:
|
|
An application firewall includes the following:
|
|
|
|
Session log entry that indicates whether the |
|
Name of a preconfigured scheduler whose schedule determines when the policy is active and can be used as a possible match for traffic. |
|
|
|
Displays unified policy redirect profile. See profile(dynamic-application). |
|
Configured syn and sequence checks, and the configured TCP MSS value for the initial direction, the reverse direction or, both. |
|
|
Feeds details added in the security policy. The supported feeds are:
|
Sample Output
- show security policies
- show security policies (Dynamic Applications)
- show security policies policy-name p2
- show security policies policy-name detail
- show security policies (Services-Offload)
- show security policies (Device Identity)
- show security policies detail
- show security policies detail (TCP Options)
- show security policies policy-name (Negated Address)
- show security policies policy-name detail (Negated Address)
- show security policies global
- show security policies detail tenant
- show security policies (threat profile feeds)
- show security policies detail (threat profile feeds)
- show security policies detail (services-offload enabled)
- show security policies policy-name SOF-enable
- show security policies detail (services-offload disabled)
- show security policies policy-name SOF-disable
- show security policies (destination-identity)
- show security policies from-zone trust to-zone untrust detail (destination-identity)
- show security policies detail (destination-identity)
- show security policies global detail (destination-identity)
show security policies
user@host> show security policies
From zone: trust, To zone: untrust
Policy: p1, State: enabled, Index: 4, Sequence number: 1
Source addresses:
sa-1-ipv4: 198.51.100.11/24
sa-2-ipv6: 2001:db8:a0b:12f0::1/32
sa-3-ipv6: 2001:db8:a0b:12f0::22/32
sa-4-wc: 203.0.113.1/255.255.0.255
Destination addresses:
da-1-ipv4: 10.2.2.2/24
da-2-ipv6: 2001:db8:a0b:12f0::8/32
da-3-ipv6: 2001:db8:a0b:12f0::9/32
da-4-wc: 192.168.22.11/255.255.0.255
Source identities: role1, role2, role4
Applications: any
Action: permit, application services, log, scheduled
Application firewall : my_ruleset1
Policy: p2, State: enabled, Index: 5, Sequence number: 2
Source addresses:
sa-1-ipv4: 198.51.100.11/24
sa-2-ipv6: 2001:db8:a0b:12f0::1/32
sa-3-ipv6: 2001:db8:a0b:12f0::22/32
Destination addresses:
da-1-ipv4: 10.2.2.2/24
da-2-ipv6: 2001:db8:a0b:12f0::1/32
da-3-ipv6: 2001:db8:a0b:12f0::9/32
Source identities: role1, role4
Applications: any
Action: deny, scheduled
show security policies (Dynamic Applications)
user@host>show security policies
Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Dynamic Applications: junos:YAHOO
Action: deny, log
Policy: p2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
Source addresses: any
Destination addresses: any
Applications: any
Dynamic Applications: junos:web, junos:web:social-networking:facebook,
junos:TFTP, junos:QQ
Action: permit, log
Policy: p3, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 3
Source addresses: any
Destination addresses: any
Applications: any
Dynamic Applications: junos:HTTP, junos:SSL
Action: permit, application services, log
The following example displays the output with unified policies configured.
user@host> show security policies
Default policy: deny-all
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
Policy: p2, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: junos-defaults
Dynamic Applications: junos:GMAIL, junos:FACEBOOK-CHAT
dynapp-redir-profile: profile1
show security policies policy-name p2
user@host> show security policies policy-name p2
Policy: p2, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
From zones: any
To zones: any
Source vrf group: any
Destination vrf group: any
Source addresses: any
Destination addresses: any
Applications: any
Dynamic Applications: any
Action: permit, application services, feed
show security policies policy-name detail
user@host> show security policies policy-name p2 detail
Policy: p2, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured, global
Sequence number: 1
From zones:
any
To zones:
any
Source vrf group:
any
Destination vrf group:
any
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination ports: [0-0]
Dynamic Application:
any: 0
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
Intrusion Detection and Prevention: disabled
Unified Access Control: disabled
Feed: add-source-ip-to-feed
user@host> show security policies policy-name p1 detail
Policy: p1, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Description: The policy p1 is for the sales team
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
sa-1-ipv4: 198.51.100.11/24
sa-2-ipv6: 2001:db8:a0b:12f0::1/32
sa-3-ipv6: 2001:db8:a0b:12f0::9/32
sa-4-wc: 203.0.113.1/255.255.0.255
Destination addresses:
da-1-ipv4: 192.0.2.0/24
da-2-ipv6: 2001:db8:a0b:12f0::1/32
da-3-ipv6: 2001:db8:a0b:12f0::9/32
da-4-wc: 192.168.22.11/255.255.0.255
Source identities:
role1
role2
role4
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Destination Address Translation: drop translated
Application firewall :
Rule-set: my_ruleset1
Rule: rule1
Dynamic Applications: junos:FACEBOOK-ACCESS, junos:YMSG
Dynamic Application groups: junos:web, junos:chat
Action: deny
Default rule: permit
Session log: at-create, at-close
Scheduler name: sch20
Per policy TCP Options: SYN check: No, SEQ check: No
Policy statistics:
Input bytes : 18144 545 bps
Initial direction: 9072 272 bps
Reply direction : 9072 272 bps
Output bytes : 18144 545 bps
Initial direction: 9072 272 bps
Reply direction : 9072 272 bps
Input packets : 216 6 pps
Initial direction: 108 3 bps
Reply direction : 108 3 bps
Output packets : 216 6 pps
Initial direction: 108 3 bps
Reply direction : 108 3 bps
Session rate : 108 3 sps
Active sessions : 93
Session deletions : 15
Policy lookups : 108show security policies (Services-Offload)
user@host> show security policies
Policy: p1, action-type: reject, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: trust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
dynapp-redir-profile: profile1(1)
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: Noshow security policies (Device Identity)
user@host> show security policies
From zone: trust, To zone: untrust
Policy: dev-id-marketing, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
source-end-user-profile: marketing-profile
Applications: any
Action: permitshow security policies detail
user@host> show security policies detail
Default policy: deny-all
Policy: p1, action-type: permit, services-offload:enabled , State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Description: The policy p1 is for the sales team
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Source identities:
role1
role2
role4
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Policy statistics:
Input bytes : 18144 545 bps
Initial direction: 9072 272 bps
Reply direction : 9072 272 bps
Output bytes : 18144 545 bps
Initial direction: 9072 272 bps
Reply direction : 9072 272 bps
Input packets : 216 6 pps
Initial direction: 108 3 bps
Reply direction : 108 3 bps
Output packets : 216 6 pps
Initial direction: 108 3 bps
Reply direction : 108 3 bps
Session rate : 108 3 sps
Active sessions : 93
Session deletions : 15
Policy lookups : 108
Policy: p2, action-type: permit, services-offload:enabled , State: enabled, Index: 5, Scope Policy: 0
Policy Type: Configured
Description: The policy p2 is for the sales team
Sequence number: 1
From zone: untrust, To zone: trust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Source identities:
role1
role2
role4
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
The following example displays the output with unified policies configured.
user@host> show security policies detail
Default policy: deny-all
Pre ID default policy: permit-all
Policy: p2, action-type: reject, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: junos-defaults
IP protocol: 6, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [443-443]
IP protocol: 6, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [5432-5432]
IP protocol: 6, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [80-80]
IP protocol: 6, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [3128-3128]
IP protocol: 6, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [8000-8000]
IP protocol: 6, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [8080-8080]
IP protocol: 17, ALG: 0, Inactivity timeout: 60
Source port range: [0-0]
Destination port range: [1-65535]
IP protocol: 6, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [443-443]
IP protocol: 6, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [5432-5432]
IP protocol: 6, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [80-80]
IP protocol: 6, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [3128-3128]
IP protocol: 6, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [8000-8000]
IP protocol: 6, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [8080-8080]
IP protocol: 17, ALG: 0, Inactivity timeout: 60
Source port range: [0-0]
Destination port range: [1-65535]
Dynamic Application:
junos:FACEBOOK-CHAT: 10704
junos:GMAIL: 51
dynapp-redir-profile: profile1(1)
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: Noshow security policies detail (TCP Options)
user@host> show security policies policy-name p2 detail
node0:
--------------------------------------------------------------------------
Policy:p2, action-type:permit, State: enabled,Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: trust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: junos-defaults
IP protocol: tcp, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [80-80]
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
Dynamic-application: junos:HTTPshow security policies policy-name (Negated Address)
user@host> show security policies policy-name p1
node0:
--------------------------------------------------------------------------
From zone: trust, To zone: untrust
Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses(excluded): as1
Destination addresses(excluded): as2
Applications: any
Action: permit
show security policies policy-name detail (Negated Address)
user@host> show security policies policy-name p1 detail
node0:
--------------------------------------------------------------------------
Policy: p1, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses(excluded):
ad1(ad): 255.255.255.255/32
ad2(ad): 198.51.100.1/24
ad3(ad): 198.51.100.6 ~ 198.51.100.56
ad4(ad): 192.0.2.8/24
ad5(ad): 198.51.100.99 ~ 198.51.100.199
ad6(ad): 203.0.113.9/24
ad7(ad): 203.0.113.23/24
Destination addresses(excluded):
ad13(ad2): 198.51.100.76/24
ad12(ad2): 198.51.100.88/24
ad11(ad2): 192.0.2.23 ~ 192.0.2.66
ad10(ad2): 192.0.2.93
ad9(ad2): 203.0.113.76 ~ 203.0.113.106
ad8(ad2): 203.0.113.199
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
show security policies global
user@host> show security policies global policy-name Pa
node0:
--------------------------------------------------------------------------
Global policies:
Policy: Pa, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
From zones: any
To zones: any
Source addresses: H0
Destination addresses: H1
Applications: junos-http
Action: permit
show security policies detail tenant
user@host> show security policies detail tenant TN1 Default policy: deny-all Pre ID default policy: permit-all Policy: p1, action-type: permit, State: enabled, Index: 4, Scope Policy: 0 Policy Type: Configured Sequence number: 1 From zone: trust, To zone: untrust Source addresses: any Destination addresses: any Application: junos-ping IP protocol: 1, ALG: 0, Inactivity timeout: 60 ICMP Information: type=255, code=0 Application: junos-telnet IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [23-23] Application: app_udp IP protocol: udp, ALG: 0, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [5000-5000] Application: junos-icmp6-all IP protocol: 58, ALG: 0, Inactivity timeout: 60 ICMP Information: type=255, code=0 Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No Session log: at-create, at-close Policy statistics: Input bytes : 0 0 bps Initial direction: 0 0 bps Reply direction : 0 0 bps Output bytes : 0 0 bps Initial direction: 0 0 bps Reply direction : 0 0 bps Input packets : 0 0 pps Initial direction: 0 0 bps Reply direction : 0 0 bps Output packets : 0 0 pps Initial direction: 0 0 bps Reply direction : 0 0 bps Session rate : 0 0 sps Active sessions : 0 Session deletions: 0 Policy lookups : 0
show security policies (threat profile feeds)
user@host> show security policies policy-name p2
From zone: trust, To zone: untrust
Policy: p2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
Source vrf group: any
Destination vrf group: any
Source addresses: any
Destination addresses: any
Applications: any
Source identity feeds: user_feed_1, user_feed_2
Destination identity feeds: user_feed_3, user_feed_4
Action: permit, application services, feed
show security policies detail (threat profile feeds)
user@host> show security policies policy-name p2 detail
Policy: p2, action-type: permit, State: enabled, Index: 5, Scope Policy: 0
Policy Type: Configured
Sequence number: 2
From zone: trust, To zone: untrust
Source vrf group:
any
Destination vrf group:
any
Source addresses:
any-ipv4(bob_addrbook_1): 0.0.0.0/0
any-ipv6(bob_addrbook_1): ::/0
Destination addresses:
any-ipv4(bob_addrbook_1): 0.0.0.0/0
any-ipv6(bob_addrbook_1): ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination ports: [0-0]
Source identity feeds:
user_feed_1
user_feed_2
Destination identity feeds:
user_feed_3
user_feed_4
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
Intrusion Detection and Prevention: disabled
Unified Access Control: disabled
Feed: add-source-ip-to-feed
Feed: add-destination-ip-to-feed
Feed: add-source-identity-to-feed
Feed: add-destination-identity-to-feed
show security policies detail (services-offload enabled)
user@host> show security policies detail Default policy: deny-all Default policy log Profile ID: 0 Pre ID default policy: permit-all Policy: SOF-enable, action-type: permit, services-offload:enabled , State: enabled, Index: 5, Scope Policy: 0 Policy Type: Configured Sequence number: 1 From zone: trust, To zone: untrust1 Source vrf group: any Destination vrf group: any Source addresses: any-ipv4(global): 0.0.0.0/0 any-ipv6(global): ::/0 Destination addresses: any-ipv4(global): 0.0.0.0/0 any-ipv6(global): ::/0 Application: any IP protocol: 0, ALG: 0, Inactivity timeout: 0 Source port range: [0-0] Destination ports: [0-0] Dynamic Application: any: 0 Source identity feeds: any Destination identity feeds: any Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
show security policies policy-name SOF-enable
user@host> show security policies policy-name SOF-enable
From zone: trust, To zone: untrust1
Policy: SOF-enable, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
Source vrf group: any
Destination vrf group: any
Source addresses: any
Destination addresses: any
Applications: any
Dynamic Applications: any
Source identity feeds: any
Destination identity feeds: any
Action: permit, services-offload
show security policies detail (services-offload disabled)
user@host> show security policies detail
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
Policy: SOF-disable, action-type: permit, services-offload:disabled , State: enabled, Index: 5, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust1
Source vrf group:
any
Destination vrf group:
any
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination ports: [0-0]
Dynamic Application:
any: 0
Source identity feeds:
any
Destination identity feeds:
any
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No show security policies policy-name SOF-disable
user@host> show security policies policy-name SOF-disable
From zone: trust, To zone: untrust1
Policy: SOF-disable, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
Source vrf group: any
Destination vrf group: any
Source addresses: any
Destination addresses: any
Applications: any
Dynamic Applications: any
Source identity feeds: any
Destination identity feeds: any
Action: permit, no-services-offload show security policies (destination-identity)
user@host> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
Source vrf group: any
Destination vrf group: any
Source addresses: any
Destination addresses: any
Applications: junos-http, junos-https
Dynamic Applications: junos:HTTP, junos:HTTP-VIDEO, junos:HTTP-AUDIO-CONTENT, junos:BMFF, junos:SSL
Source identities: role1, role3
Source identity feeds: any
Destination identity context: role2, role4
Destination identity context profile: hr
Destination identity feeds: any
Action: permit
show security policies from-zone trust to-zone untrust detail (destination-identity)
user@host> show security policies from-zone trust to-zone untrust detail
Policy: p2, action-type: permit, services-offload:not-configured , State: enabled, Index: 6, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust
Source vrf group:
any
Destination vrf group:
any
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: junos-http
IP protocol: tcp, ALG: 0, Inactivity timeout: 300
Source port range: [0-0]
Destination ports: 80
Application: junos-https
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination ports: 443
Application: junos-ssh
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination ports: 22
Source identity feeds:
any
Destination identity context:
role2
role4
Destination identity context profile:
hr
Destination identity feeds:
any
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
show security policies detail (destination-identity)
user@host> show security policies detail
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
Policy: p1, action-type: permit, services-offload:not-configured , State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust
Source vrf group:
any
Destination vrf group:
any
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: junos-http
IP protocol: tcp, ALG: 0, Inactivity timeout: 300
Source port range: [0-0]
Destination ports: 80
Application: junos-https
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination ports: 443
Dynamic Application:
junos:SSL: 199
junos:BMFF: 1293
junos:HTTP-AUDIO-CONTENT: 10806
junos:HTTP-VIDEO: 11032
junos:HTTP: 67
Source identities:
role1
role3
Source identity feeds:
any
Destination identity context:
role2
role4
Destination identity context profile:
hr
Destination identity feeds:
any
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
show security policies global detail (destination-identity)
user@host> show security policies global detail
Policy: g1, action-type: reject, services-offload:not-configured , State: enabled, Index: 8, Scope Policy: 0
Policy Type: Configured, global
Sequence number: 1
From zones:
any
To zones:
any
Source vrf group:
any
Destination vrf group:
any
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: junos-http
IP protocol: tcp, ALG: 0, Inactivity timeout: 300
Source port range: [0-0]
Destination ports: 80
Application: junos-https
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination ports: 443
Dynamic Application:
junos:HTTP: 67
Source identities:
unauthenticated-user
role1
Source identity feeds:
any
Destination identity context:
role2
role4
Destination identity context profile:
hr
Destination identity feeds:
any
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
Release Information
Command modified in Junos OS Release 9.2.
Support for IPv6 addresses is added in Junos OS Release 10.2.
Support for wildcard addresses is added in Junos OS Release 11.1.
Support for global policy and services offloading is added in Junos OS Release 11.4.
Support for source-identities and the Description output field is added in Junos OS Release 12.1.
Support for negated address added in Junos OS Release 12.1X45-D10.
The output fields for Policy Statistics expanded,
and the output fields for the global and policy-name options are expanded to include from-zone and to-zone global match
criteria in Junos OS Release 12.1X47-D10.
Support for the initial-tcp-mss and reverse-tcp-mss options is added in Junos OS Release 12.3X48-D20.
Output field and description for source-end-user-profile option is added in Junos OS Release 15.1x49-D70.
Output field and description for dynamic-applications option is added in Junos OS Release 15.1x49-D100.
Output field and description for dynapp-redir-profile option is added in Junos OS Release 18.2R1.
The tenant option is introduced in Junos
OS Release 18.3R1.
The <all-logical-systems-tenants> option is introduced
in Junos OS Release 18.4R1.
The information option is introduced in Junos OS
Release 18.4R1.
The checksum option is introduced in Junos OS Release
18.4R1.