request security policies check
Syntax
request security policies check <from-zone zone-name> <global> <logical-system (logical-system name | all)> <pfe> <root-logical-system> <to-zone zone-name> <tenant tenant-name>
Description
Displays the security policy sync status between the Routing Engine and the Packet Forwarding Engine. Use this command to display a list of all security policies that are in-sync or out-of-sync on the device.
Use the show security policies checksum command to display the security policy checksum value, and use the request security policies resync command to synchronize the configuration of security policies in the Routing Engine and Packet Forwarding Engine.
Options
from-zone zone-name | Displays security policies sync status from this zone. |
global | Displays global policies sync status. |
logical-system (logical-system name | all) | Displays security policies sync status for the security policies configured on a logical system or on all logical systems. |
pfe | Displays security policies sync status for the security policies on the Packet Forwarding Engine. |
root-logical-system | Displays security policies sync status for the security policies configured on the root logical system. This is the default outcome. |
to-zone zone-name | Displays security policies sync status to this zone. |
tenant tenant-name | Displays security policies sync status for the security policies configured on a tenant. |
Additional Information
Security policies are stored in the Routing Engine and the Packet Forwarding Engine. Security policies are pushed from the Routing Engine to the Packet Forwarding Engine when you commit configurations. If the security policies on the Routing Engine are out of sync with the Packet Forwarding Engine, the commit of a configuration fails. Core dump files may be generated if the commit is tried repeatedly. The policies can be out of sync because:
A policy message from the Routing Engine to the Packet Forwarding Engine is lost in transit.
An error with the Routing Engine, such as a reused policy UID.
When the policy configurations are modified and the policies are out of sync, the following error message is displayed:
error: Warning: policy might be out of sync between RE and PFE <SPU-name(s)>. Please request security policies check/resync
Required Privilege Level
maintenance
Sample Output
request security policies check
user@host> request security policies check
Start sending policies ... Success
Total sent 1 policy.
Policy Checking Result:
PFE master in-sync
request security policies check logical-system LSYS1
user@host> request security policies check logical-system LSYS1
Start sending policies ... Success
Total sent 1 policy.
Policy Checking Result:
PFE fpc0.pic3 in-sync
PFE fpc0.pic1 in-sync
PFE fpc0.pic0 in-sync
PFE fpc0.pic2 in-sync
request security policies check logical-system all
user@host> request security policies check logical-system all
Start sending policies ... Success
Total sent 2 policies.
Policy Checking Result:
PFE fpc0.pic1 in-sync
PFE fpc0.pic3 in-sync
PFE fpc0.pic2 in-sync
PFE fpc0.pic0 in-sync
request security policies check from-zone trust to-zone untrust
user@host> request security policies check from-zone trust to-zone untrust
Start sending policies ... Success
Total sent 2 policies.
Policy Checking Result:
PFE fpc4.pic0 in-sync
PFE fpc4.pic1 out-of-sync
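For monitoring, the sample output above can be parsed so that any out-of-sync Packet Forwarding Engine raises an alert before the next commit fails. The following is an added example, not Juniper code: it assumes the command output has already been captured as text, and the names parse_policy_check and needs_resync are hypothetical.

```python
import re

# Constructed sample: the page's from-zone/to-zone output, one field per line.
SAMPLE = """\
user@host> request security policies check from-zone trust to-zone untrust
Start sending policies ... Success
Total sent 2 policies.
Policy Checking Result:
PFE fpc4.pic0 in-sync
PFE fpc4.pic1 out-of-sync
"""

PFE_LINE = re.compile(r"PFE\s+(\S+)\s+(in-sync|out-of-sync)\b")
SENT_LINE = re.compile(r"Total sent (\d+) polic(?:y|ies)\.")


def parse_policy_check(text):
    """Summarize one 'request security policies check' run (hypothetical helper)."""
    sent = SENT_LINE.search(text)
    # Only read PFE entries after the result header, so the echoed command
    # line or a login banner cannot be mistaken for a result.
    _, header, results = text.partition("Policy Checking Result:")
    if not header:
        raise ValueError("no 'Policy Checking Result:' section in output")
    # findall copes with both line-per-PFE and single-line (flattened) output.
    status = dict(PFE_LINE.findall(results))
    if not status:
        raise ValueError("result section lists no PFE")
    return {
        "policies_sent": int(sent.group(1)) if sent else None,
        "pfe_status": status,
        "out_of_sync": sorted(n for n, s in status.items() if s == "out-of-sync"),
    }


def needs_resync(text):
    """True when at least one PFE reports out-of-sync."""
    return bool(parse_policy_check(text)["out_of_sync"])


if __name__ == "__main__":
    report = parse_policy_check(SAMPLE)
    for pfe in report["out_of_sync"]:
        print(f"ALERT: {pfe} out of sync; run 'request security policies resync'")
```

Treating a missing result section as an error rather than as "in sync" keeps a truncated or failed capture from silently passing the check.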
Release Information
Command introduced in Junos OS Release 18.4R1.