show security match-policies
Syntax
show security match-policies
    destination-ip <ip-address>
    destination-port <port-number>
    destination-vrf <destination-vrf>
    from-zone <zone-name>
    global
    logical-system <logical-system-name>
    protocol <protocol-name | protocol-number>
    result-count <number>
    root-logical-system
    source-end-user-profile <device-identity-profile-name>
    source-identity <role-name>
    source-ip <ip-address>
    source-port <port-number>
    tenant <tenant-name>
    to-zone <zone-name>
    url-category <url-category>
Description
The show security match-policies command allows you to troubleshoot traffic problems using the match criteria: source port, destination port, source IP address, destination IP address, and protocol. For example, if your traffic is not passing because an appropriate policy is not configured or the match criteria are incorrect, the show security match-policies command allows you to work offline and identify where the problem actually exists. It uses the policy search engine to identify the problem and thus enables you to identify the policy that applies to the traffic.

The result-count option specifies how many matching policies to display. The first enabled policy in the list is the policy that is applied to all matching traffic. Other policies below it are "shadowed" by the first and are never encountered by matching traffic.

The show security match-policies command is applicable only to security policies; IDP policies are not supported.
Options
- destination-ip destination-ip—Specifies the destination IP address of the traffic.
- destination-port destination-port—Specifies the destination port number of the traffic. Range is 1 through 65,535.
- destination-vrf destination-vrf—(Optional) Specifies the destination VRF information.
- from-zone zone-name—Specifies the name or ID of the source zone of the traffic. This is optional for global policies.
- global—Displays information about global policies.
- logical-system logical-system-name—Specifies the logical system name.
- protocol protocol-name | protocol-number—Specifies the protocol name or numeric value of the traffic:
  - ah or 51
  - egp or 8
  - esp or 50
  - gre or 47
  - icmp or 1
  - igmp or 2
  - igp or 9
  - ipip or 94
  - ipv6 or 41
  - ospf or 89
  - pgm or 113
  - pim or 103
  - rdp or 27
  - rsvp or 46
  - sctp or 132
  - tcp or 6
  - udp or 17
  - vrrp or 112
- result-count number—(Optional) Specifies the number of policy matches to display. Valid range is 1 through 16. The default value is 1.
- root-logical-system—Specifies the root logical system, which is the default.
- source-end-user-profile device-identity-profile-name—(Optional) Specifies the device identity profile that defines characteristics that can apply to one or more devices.
- source-identity role-name—(Optional) Specifies the source identity of the traffic, determined by the user role.
- source-ip source-ip—Specifies the source IP address of the traffic.
- source-port source-port—Specifies the source port number of the traffic. Range is 1 through 65,535.
- tenant tenant-name—Specifies the name of the tenant system.
- to-zone zone-name—Specifies the name or ID of the destination zone of the traffic. This is optional for global policies.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security match-policies command. Output fields are listed in the approximate order in which they appear.
Field Name | Field Description
---|---
Policy | Name of the applicable policy.
action-type | The action to be taken for traffic that matches the policy's match criteria (permit or deny in the examples on this page).
State | Status of the policy (for example, enabled).
Index | An internal number associated with the policy.
Sequence number | Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, and 3. Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1, 2, 3, and 4.
From zone | Name of the source zone.
To zone | Name of the destination zone.
Source addresses | The names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.
Destination addresses | The names and corresponding IP addresses of the destination addresses (or address sets) for a policy as entered in the destination zone's address book. A packet's destination address must match one of these addresses for the policy to apply to it.
Application | Name of a preconfigured or custom application, or any.
IP protocol | Numeric value for the IP protocol used by the application, such as 6 for TCP or 1 for ICMP.
ALG | If an ALG is associated with the session, the name of the ALG. Otherwise, 0.
Inactivity timeout | Elapsed time without activity after which the application is terminated.
Source port range | Range of matching source ports defined in the policy.
Destination port range | Range of matching destination ports defined in the policy.
Source identities | One or more user roles defined in the matching policy.
global | Display information about global policies.
source-end-user-profile | Device identity profile that specifies characteristics that can apply to one or more devices.
Sample Output
- Example 1: show security match-policies
- Example 2: show security match-policies ... result-count
- Example 3: show security match-policies ... source-identity
- Example 4: show security match-policies ... global
- show security match-policies tenant TN1 from-zone trust to-zone untrust source-ip 10.10.10.1 destination-ip 192.0.2.1 source-port 1 destination-port 21 protocol tcp
- show security match-policies from-zone client to-zone svr source-ip 10.1.1.1 source-port 88 destination-ip 10.2.2.2 destination-port 80 protocol tcp url-category Enhanced_Games
Example 1: show security match-policies
user@host> show security match-policies from-zone z1 to-zone z2 source-ip 10.10.10.1 destination-ip 192.0.2.1 source-port 1 destination-port 21 protocol tcp
Policy: p1, action-type: permit, State: enabled, Index: 4
  Sequence number: 1
  From zone: z1, To zone: z2
  Source addresses:
    a2: 198.51.100.0/24
    a3: 10.10.10.1/32
  Destination addresses:
    d2: 203.0.113.0/24
    d3: 192.0.2.1/32
  Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
    Source port range: [0-0]
    Destination port range: [21-21]
Example 2: show security match-policies ... result-count
user@host> show security match-policies from-zone zone-A to-zone zone-B source-ip 10.10.10.1 destination-ip 192.0.2.5 source-port 1004 destination-port 80 protocol tcp result-count 5
Policy: p1, action-type: permit, State: enabled, Index: 4
  Sequence number: 1
  From zone: zone-A, To zone: zone-B
  Source addresses:
    sa1: 10.10.0.0/16
  Destination addresses:
    da5: 192.0.2.0/24
  Application: any
    IP protocol: 1, ALG: 0, Inactivity timeout: 0
    Source port range: [1000-1030]
    Destination port range: [80-80]

Policy: p15, action-type: deny, State: enabled, Index: 18
  Sequence number: 15
  From zone: zone-A, To zone: zone-B
  Source addresses:
    sa11: 10.10.10.1/32
  Destination addresses:
    da15: 192.0.2.5/32
  Application: any
    IP protocol: 1, ALG: 0, Inactivity timeout: 0
    Source port range: [1000-1030]
    Destination port range: [80-80]
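The shadowing described under result-count and visible in Example 2 (the broad permit p1 is listed first, so the narrower deny p15 never fires), modelled as an added example that is not part of the Junos documentation. The Policy class, the match_policies and applied_and_shadowed functions, and the POLICIES data are constructed assumptions that mirror only the fields the command prints, treating IP protocol 0 and a port range of [0-0] as wildcards.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:                # simplified model; field names follow the command's output
    name: str
    sequence: int
    from_zone: str
    to_zone: str
    src_addrs: dict          # address-book name -> prefix, e.g. {"sa1": "10.10.0.0/16"}
    dst_addrs: dict
    ip_protocol: int         # 0 = any, as in the output line "IP protocol: 0"
    src_ports: tuple         # (lo, hi); (0, 0) = any, as in "[0-0]"
    dst_ports: tuple
    action: str              # permit / deny
    enabled: bool = True     # "State: enabled" / "State: disabled"

def in_range(rng, port):
    return rng == (0, 0) or rng[0] <= port <= rng[1]

def in_addrs(addrs, ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in ipaddress.ip_network(p) for p in addrs.values())

def match_policies(policies, from_zone, to_zone, src_ip, dst_ip,
                   src_port, dst_port, protocol, result_count=1):
    # Matches in evaluation (sequence) order, capped like the CLI's result-count (default 1).
    hits = [p for p in sorted(policies, key=lambda p: p.sequence)
            if p.from_zone == from_zone and p.to_zone == to_zone
            and in_addrs(p.src_addrs, src_ip) and in_addrs(p.dst_addrs, dst_ip)
            and p.ip_protocol in (0, protocol)
            and in_range(p.src_ports, src_port) and in_range(p.dst_ports, dst_port)]
    return hits[:result_count]

def applied_and_shadowed(hits):
    # The first enabled hit is applied; every policy listed after it is shadowed.
    for i, p in enumerate(hits):
        if p.enabled:
            return p.name, [q.name for q in hits[i + 1:]]
    return None, []

# Constructed policies mirroring Example 2: a broad permit ahead of a narrow deny.
POLICIES = [
    Policy("p1", 1, "zone-A", "zone-B", {"sa1": "10.10.0.0/16"},
           {"da5": "192.0.2.0/24"}, 0, (1000, 1030), (80, 80), "permit"),
    Policy("p15", 15, "zone-A", "zone-B", {"sa11": "10.10.10.1/32"},
           {"da15": "192.0.2.5/32"}, 0, (1000, 1030), (80, 80), "deny"),
]
```

Running applied_and_shadowed over match_policies(POLICIES, "zone-A", "zone-B", "10.10.10.1", "192.0.2.5", 1004, 80, 6, result_count=5) returns ('p1', ['p15']), which is the finding to act on: the deny is unreachable until it is re-sequenced above p1. With the default result_count of 1 only p1 is returned and the shadowed deny stays invisible.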
Example 3: show security match-policies ... source-identity
user@host> show security match-policies from-zone untrust to-zone trust source-ip 10.10.10.1 destination-ip 192.0.2.1 destination-port 21 protocol 6 source-port 1234 source-identity role1
Policy: p1, action-type: permit, State: enabled, Index: 40
  Policy Type: Configured
  Sequence number: 1
  From zone: untrust, To zone: trust
  Source addresses:
    a1: 10.0.0.0/8
  Destination addresses:
    d1: 192.0.2.0/24
  Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
    Source port range: [0-0]
    Destination port range: [21-21]
  Source identities: role1
  Per policy TCP Options: SYN check: No, SEQ check: No
Example 4: show security match-policies ... global
user@host> show security match-policies global source-ip 10.10.10.1 destination-ip 192.0.2.5 source-port 1004 destination-port 80 protocol tcp result-count 5
Policy: gp1, action-type: permit, State: enabled, Index: 6, Scope Policy: 0
  Policy Type: Configured, global
  Sequence number: 1
  From zones: Any
  To zones: Any
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
show security match-policies tenant TN1 from-zone trust to-zone untrust source-ip 10.10.10.1 destination-ip 192.0.2.1 source-port 1 destination-port 21 protocol tcp
user@host> show security match-policies tenant TN1 from-zone trust to-zone untrust source-ip 10.10.10.1 destination-ip 192.0.2.1 source-port 1 destination-port 21 protocol tcp
Policy: p1, action-type: permit, State: enabled, Index: 4
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    a2: 198.51.100.0/24
    a3: 10.10.10.1/32
  Destination addresses:
    d2: 203.0.113.0/24
    d3: 192.0.2.1/32
  Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
    Source port range: [0-0]
    Destination port range: [21-21]
show security match-policies from-zone client to-zone svr source-ip 10.1.1.1 source-port 88 destination-ip 10.2.2.2 destination-port 80 protocol tcp url-category Enhanced_Games
user@host> show security match-policies from-zone client to-zone svr source-ip 10.1.1.1 source-port 88 destination-ip 10.2.2.2 destination-port 80 protocol tcp url-category Enhanced_Games
Policy: p1, action-type: permit, State: enabled, Index: 7 0
  Policy Type: Configured
  Sequence number: 1
  From zone: client, To zone: server
  Source vrf group: any
  Destination vrf group: any
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination ports: [0-0]
  Url-category:
    Enhanced_Sex: 234881056
    Enhanced_Games: 234881037
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
  Intrusion Detection and Prevention: disabled
  Unified Access Control: disabled
  Unified Threat Management: enabled
Release Information
Command introduced in Junos OS Release 10.3.
Command updated in Junos OS Release 10.4.
Command updated in Junos OS Release 12.1.
Command updated to include optional from-zone and to-zone global match options in Junos OS Release 12.1X47-D10.
The tenant option was introduced in Junos OS Release 18.3R1.
The url-category option was introduced in Junos OS Release 20.2R1.