show security policy-report

Syntax

Description

Displays detailed security policy reports.

Optimizing security policies ensures that the policies are efficient. Over time, policies become disorganized and hence ineffective. You can use the show security policy-report command to notify end users when you create new policies, or change existing policies, that adversely affect other security policies.

Options

from-zone

Displays the policy report matching the given source zone.

  • Default: any

global

Displays the security policy report of the global policies.

report-type

Displays the type of the policy report.

You can configure the following options for report-type:

1-year-not-hit

Displays the policy report for policies that have not been hit in the last 1 year.

30d-not-hit

Displays the policy report for policies that have not been hit in the last 30 days.

60d-not-hit

Displays the policy report for policies that have not been hit in the last 60 days.

90d-not-hit

Displays the policy report for policies that have not been hit in the last 90 days.

consolidation

Displays the policy report for policies which can be consolidated.

When two policies share most fields in common and differ in only one field, they are eligible for consolidation.

expired

Displays the policy report for expired policies.

generalization

Displays the policy report for generalized policies.

A policy is generalized when a following policy matches all the packets of the current policy and the action for each policy is different.

least-hit

Displays the policy report for policies with the least hit count.

most-hit

Displays the policy report for policies with the most hit count.

no-comments

Displays the policy report for policies which have no comments.

no-logging

Displays the policy report for policies which do not have any logging.

redundant

Displays the policy report for redundant policies.

A policy is redundant if a preceding policy performs the same action on the same packets as the current policy.

scheduler

Displays the policy report for policies whose schedule has expired, as well as policies that have an active or inactive schedule.

shadowing

Displays the policy report for shadowed policies.

A policy is shadowed when a preceding policy matches all the packets of the current policy and the action for each policy is different.

unused

Displays the policy report for policies which have a hit count value of zero.

  • Default: If you don’t configure a specific report-type, then all the reports are displayed.

to-zone

Displays the policy report matching the given destination zone.

  • Default: any

Note:

SRX Series devices only analyze the following fields of a policy for the shadowing, redundant, generalization, and consolidation reports:

  • Source address (IPv4 only)

  • Destination address (IPv4 only)

  • Applications
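The shadowing, redundant, generalization, and consolidation definitions above, together with the not-hit and unused reports, as an added Python example. This is not Juniper code and does not reproduce the SRX implementation: it models only the three analyzed fields (source address, destination address, applications) on a constructed, ordered policy list, treats `any` as a wildcard, uses the standard `ipaddress` module for IPv4 prefix containment, and assumes (the page does not say this) that only policies with the same action are consolidation candidates.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network
from typing import Optional

ANY = frozenset({"any"})  # wildcard value for a field, as in "match source-address any"


@dataclass
class Policy:
    name: str
    src: frozenset        # IPv4 networks, or ANY (the page says only IPv4 is analyzed)
    dst: frozenset        # IPv4 networks, or ANY
    apps: frozenset       # application names, or ANY
    action: str           # "permit" or "deny"
    hits: int = 0
    last_hit: Optional[date] = None


def elem_covered(x, by) -> bool:
    """One element of a field is covered by another: prefix containment for
    networks, exact match for application names."""
    if isinstance(x, str):
        return x == by
    return x.subnet_of(by)


def field_covers(a, b) -> bool:
    """True when field value a matches every packet that field value b matches."""
    if a == ANY:
        return True
    if b == ANY:
        return False
    return all(any(elem_covered(x, y) for y in a) for x in b)


def covers(a: Policy, b: Policy) -> bool:
    """Policy a matches all packets that policy b matches (analyzed fields only)."""
    return (field_covers(a.src, b.src) and field_covers(a.dst, b.dst)
            and field_covers(a.apps, b.apps))


def shadowed(policies):
    # a preceding policy matches all of this policy's packets with a different action
    return [cur.name for i, cur in enumerate(policies)
            if any(covers(p, cur) and p.action != cur.action for p in policies[:i])]


def redundant(policies):
    # a preceding policy matches all of this policy's packets with the same action
    return [cur.name for i, cur in enumerate(policies)
            if any(covers(p, cur) and p.action == cur.action for p in policies[:i])]


def generalized(policies):
    # a following policy matches all of this policy's packets with a different action
    return [cur.name for i, cur in enumerate(policies)
            if any(covers(q, cur) and q.action != cur.action for q in policies[i + 1:])]


def consolidation_candidates(policies):
    """Pairs that differ in exactly one analyzed field (assumption: same action)."""
    pairs = []
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if p.action != q.action:
                continue
            differing = sum(1 for f in ("src", "dst", "apps")
                            if getattr(p, f) != getattr(q, f))
            if differing == 1:
                pairs.append((p.name, q.name))
    return pairs


def not_hit(policies, days: int, today: date):
    """Policies not hit in the last `days` days (never-hit policies included)."""
    cutoff = today - timedelta(days=days)
    return [p.name for p in policies if p.last_hit is None or p.last_hit < cutoff]


def unused(policies):
    return [p.name for p in policies if p.hits == 0]


def nets(*prefixes):
    return frozenset(ip_network(p) for p in prefixes)


# Constructed sample policy set, in evaluation order (hit data is made up).
TODAY = date(2024, 6, 1)
POLICIES = [
    Policy("permit-web", nets("10.1.1.0/24"), ANY, frozenset({"junos-http", "junos-https"}),
           "permit", 1200, date(2024, 5, 31)),
    Policy("deny-web-host", nets("10.1.1.5"), ANY, frozenset({"junos-http"}),
           "deny", 3, date(2024, 2, 1)),          # shadowed by permit-web
    Policy("permit-web-dup", nets("10.1.1.0/24"), ANY, frozenset({"junos-http"}),
           "permit", 0, None),                    # redundant with permit-web, never hit
    Policy("permit-dns", nets("10.1.2.0/24"), nets("10.9.9.53"), frozenset({"junos-dns-udp"}),
           "permit", 40, date(2024, 3, 1)),
    Policy("deny-all", ANY, ANY, ANY, "deny", 88000, date(2024, 6, 1)),
]


def report(policies=POLICIES, today=TODAY):
    """All report types the example models, keyed like the report-type options."""
    return {
        "shadowing": shadowed(policies),
        "redundant": redundant(policies),
        "generalization": generalized(policies),
        "consolidation": consolidation_candidates(policies),
        "90d-not-hit": not_hit(policies, 90, today),
        "1-year-not-hit": not_hit(policies, 365, today),
        "unused": unused(policies),
    }


if __name__ == "__main__":
    for kind, rows in report().items():
        print(f"{kind}: {rows}")
```

Note that the final catch-all deny generalizes every preceding permit policy under the page's definition, which is why the generalization list is long; the report is a prompt for review, not a list of policies to delete.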

Required Privilege Level

view

Sample Output

show security policy-report report-type consolidation

show security policy-report report-type scheduler

show security policy-report report-type 1-year-not-hit

Release Information

Command introduced in Junos OS Release 20.1R1.