show security policies hit-count

Syntax

Description

Display how often each security policy is used by listing the number of times traffic matches the policy rule (the number of hits). You can sort the output in ascending or descending order, limit it to security policies whose hit count falls within a specified range, and filter it by zones, logical or tenant systems, dynamic applications, and URL categories.

When the device is operating in chassis cluster mode, the count displayed is the sum of the hit counts of all the Services Processing Cards (SPCs) in the cluster setup. The security device retains the count if a Packet Forwarding Engine (PFE) in a node is in failover mode but does not reboot. The device clears the count if a node reboots and the PFE in the node also reboots. During an in-service software upgrade (ISSU), all PFEs reboot, so all counters are cleared.

Use this command without options to display the number of hits in random order for all security policies and for all zones.

The show security policies hit-count command with the to-zone and from-zone options works for zone-based policies only, not for global policies.

Options

  • ascending—(Optional) Displays the number of hits for security policies in ascending order.

  • descending—(Optional) Displays the number of hits for security policies in descending order.

  • dynamic-applications—(Optional) Displays the number of hits for security policies configured with dynamic applications.

    When you display the policy count for the dynamic applications, the device considers the count for the final matched application identification. For example, if the traffic’s classification path is: HTTP:FACEBOOK-ACCESS:FACEBOOK-CHAT, then the count increases only for FACEBOOK-CHAT.

  • from-zone zone-name—(Optional) Displays the number of hits for security policies associated with the named source zone.

  • greater-than count—(Optional) Displays security policies for which the number of hits is greater than the specified number.

    Range: 0 through 4,294,967,295

  • less-than count—(Optional) Displays security policies for which the number of hits is less than the specified number.

    Range: 0 through 4,294,967,295

  • logical-system—Displays the logical system name.

  • root-logical-system—Displays the number of hits for security policies configured for a root logical system.

  • tenant—Displays the number of hits for security policies configured for the tenant system.

  • to-zone zone-name—(Optional) Displays the number of hits for security policies associated with the named destination zone.

  • url-categories—(Optional) Displays the number of hits for security policies based on the matching URL categories.

Required Privilege Level

view

Output Fields

The following table lists the output fields for the show security policies hit-count command. Output fields are listed in the approximate order in which they appear.

show security policies hit-count Output Fields

Field Name              Field Description
index                   Displays the line number
from-zone               Name of the source zone
to-zone                 Name of the destination zone
name                    Name of the security policy
policy count            Number of hits for each security policy
tenant                  Displays the name of the tenant system.
Action                  Policy action - Permit or Deny.
Redirect                Number of permitted sessions that are redirected by the policy
Dynamic-applications    Details of the dynamic applications.
                          • Name - Dynamic-application name
                          • Count - Number of hits for each dynamic application
url-categories          Details of the URL categories.
                          • Name - URL category name
                          • Count - Number of hits for each URL category
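
An added example (not Juniper code) for working with saved hit-count output during a rule-base review: it applies the same exclusive greater-than/less-than bounds as the command, and treats a counter that went down between two snapshots as cleared (node and PFE reboot, or ISSU). The sample text is constructed, its column layout is an assumption based on the output fields table, and all function names are hypothetical.

```python
import re

# Constructed samples, not real device output. The column order is an assumption
# taken from the output fields table: index, from-zone, to-zone, name, policy count.
SNAPSHOT_A = """\
Index  From zone  To zone  Name        Policy count
1      untrust    trust    allow-web   1520
2      trust      untrust  allow-out   88
3      untrust    trust    legacy-ftp  0
4      dmz        trust    db-sync     75
"""
SNAPSHOT_B = """\
Index  From zone  To zone  Name        Policy count
1      untrust    trust    allow-web   310
2      trust      untrust  allow-out   12
3      untrust    trust    legacy-ftp  0
4      dmz        trust    db-sync     9
"""

ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_hit_counts(text):
    """Map (from-zone, to-zone, name) -> hit count; header and blank lines are skipped."""
    counts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counts[(m.group(1), m.group(2), m.group(3))] = int(m.group(4))
    return counts

def select(counts, greater_than=None, less_than=None, descending=False):
    """Mirror greater-than / less-than (both exclusive) and the sort options."""
    hits = [(k, v) for k, v in counts.items()
            if (greater_than is None or v > greater_than)
            and (less_than is None or v < less_than)]
    return sorted(hits, key=lambda kv: kv[1], reverse=descending)

def interval_hits(before, after):
    """Hits between two snapshots. A count that went down means the counters were
    cleared in between (node and PFE reboot, or ISSU), so later values are used as is."""
    reset = any(k in after and after[k] < v for k, v in before.items())
    delta = {k: v if reset else v - before.get(k, 0) for k, v in after.items()}
    return delta, reset

def never_hit(before, after):
    """Policies with zero hits in both snapshots: candidates for rule-base review."""
    return sorted(k[2] for k, v in after.items() if v == 0 and before.get(k) == 0)
```

A zero count only means no hits since the counters were last cleared, so a policy is worth reviewing only when it stays at zero across snapshots that span a representative period.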

Sample Output

show security policies hit-count

Sample Output

show security policies hit-count ascending

Sample Output

show security policies hit-count descending greater-than 70 less-than 100

Sample Output

show security policies hit-count from-zone untrust to-zone trust

Sample Output

show security policies hit-count

Sample Output

show security policies hit-count detail

Sample Output

show security policies hit-count policy-name policy-name detail url-categories

Sample Output

show security policies hit-count policy-name policy-name detail dynamic-applications

Release Information

Command introduced in Junos OS Release 12.1.

The tenant option is introduced in Junos OS Release 18.3R1.

The dynamic-applications and url-categories options are introduced in Junos OS Release 21.2R1.