show security shadow-policies

Syntax

Description

Displays the shadowing and shadowed policies in a policy list. The output lists all policies that shadow other policies. Policy shadowing refers to the situation where a policy higher in the policy list always takes effect before a subsequent policy. The policy lookup always uses the first policy it finds that matches the five-part tuple of the source and destination zone, source and destination address, and application type. If another policy applies to the same tuple (or a subset of the tuple), the policy lookup uses the first policy in the list and never reaches the second one. The existing show command for security shadow-policy is enhanced with tenant support.
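
The first-match behavior described above can be modeled offline to find shadowed rules in an exported policy list. The following Python sketch is an added example, not Junos code or output: the Policy class, the helper names, the "any" wildcard handling, and the sample policies are assumptions, and addresses and applications are compared as named sets only (no prefix or port-range containment).

```python
from dataclasses import dataclass

ANY = "any"  # wildcard value (assumption of this model)

@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    src: frozenset
    dst: frozenset
    app: frozenset

def covers(outer, inner):
    """True if everything matched by `inner` is also matched by `outer`."""
    return ANY in outer or (ANY not in inner and inner <= outer)

def shadows(first, later):
    """True if `first` matches the same tuple as `later`, or a superset of it."""
    return (first.from_zone, first.to_zone) == (later.from_zone, later.to_zone) and all(
        covers(getattr(first, f), getattr(later, f)) for f in ("src", "dst", "app"))

def shadow_report(policies):
    """Map each shadowing policy to the later policies it hides, in list order."""
    report = {}
    for i, first in enumerate(policies):
        hidden = [p.name for p in policies[i + 1:] if shadows(first, p)]
        if hidden:
            report[first.name] = hidden
    return report

def shadowed_by(policies, name):
    """Reverse view: earlier policies that shadow the policy called `name`."""
    return [first for first, hidden in shadow_report(policies).items() if name in hidden]

def P(name, src, dst, app, fz="zone-a", tz="zone-b"):
    return Policy(name, fz, tz, frozenset(src), frozenset(dst), frozenset(app))

# Constructed sample list in lookup order (not device output).
POLICIES = [
    P("P1", {"any"}, {"web-servers"}, {"junos-http", "junos-https"}),
    P("P2", {"branch-net"}, {"web-servers"}, {"junos-http"}),  # subset of P1
    P("P3", {"branch-net"}, {"db-servers"}, {"any"}),
    P("P4", {"branch-net"}, {"db-servers"}, {"junos-ssh"}),    # subset of P3
    P("P5", {"branch-net"}, {"web-servers"}, {"junos-ssh"}),   # still reachable
]

if __name__ == "__main__":
    print(shadow_report(POLICIES))
```

A shadowed permit rule is dead configuration, while a shadowed deny rule means traffic the author intended to block is being handled by the earlier policy instead, so both cases are worth reviewing.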

Options

  • from-zone zone-name—Displays the name or ID of the source zone of the traffic.

  • global—Displays the information about global policies.

  • logical-system—Displays the name of the logical system.

  • policy—Displays the shadow policy information for the given policy.

  • reverse—Displays the policies that shadow the given policy.

  • root-logical-system—Displays root logical system as default.

  • tenant—Displays the name of the tenant system.

  • to-zone zone-name—Displays the shadow policy information for the given destination zone.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security shadow-policies logical-system command. Output fields are listed in the approximate order in which they appear.

Table 1: show security shadow-policies logical-system Output Fields

| Field Name | Field Description |
|---|---|
| Policies | The policies shadowing one or more policies in the policy list. |
| Shadowed policies | The policies shadowed by one or more policies in the policy list. |

Sample Output

show security shadow-policies from-zone zone-a to-zone zone-b

show security shadow-policies from-zone zone-a to-zone zone-b policy P1

show security shadow-policies from-zone zone-a to-zone zone-b policy P4 reverse

show security shadow-policies tenant TN1 from-zone trust to-zone untrust

Release Information

Command introduced in Junos OS Release 12.1X44-D10.

The tenant option is added in Junos OS Release 18.3R1.