show security match-policies

Syntax

Description

The show security match-policies command lets you troubleshoot traffic problems offline by supplying the match criteria of a flow (source port, destination port, source IP address, destination IP address, and protocol) and seeing which security policies that flow would hit. If traffic is not passing because no appropriate policy is configured, or because a policy's match criteria are wrong, the command performs the policy lookup on the supplied criteria without your having to generate the traffic, so you can see which policy is actually in the path and correct it.

The result-count option specifies how many matching policies to display. The first enabled policy in the list is the one applied to all matching traffic; every enabled policy listed below it is "shadowed" by the first and is never reached by that traffic. Displaying more than one match (for example, result-count 16) is the quickest way to find a specific deny that a broader permit ahead of it in the sequence has made unreachable.
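The lookup semantics described above (ordered policies within a zone context, result-count, first enabled match applied, later matches shadowed) are modelled below. This is an added illustration, not Junos code: the Policy class, the match_policies function and the trust-to-untrust policy set are constructed for this example, and the policy names and addresses are hypothetical.

```python
"""Model of the first-match lookup behind ``show security match-policies``.

Added illustration, not Junos code: Policy, match_policies and the POLICIES
set below are constructed for this example. Policies are held in configured
sequence per from-zone/to-zone context; the lookup returns up to result-count
matches in that order, the first enabled match is the one applied to traffic,
and every enabled match after it is shadowed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Protocol names and numbers accepted by the command's protocol option.
PROTOCOLS = {
    "ah": 51, "egp": 8, "esp": 50, "gre": 47, "icmp": 1, "igmp": 2, "igp": 9,
    "ipip": 94, "ipv6": 41, "ospf": 89, "pgm": 113, "pim": 103, "rdp": 27,
    "rsvp": 46, "sctp": 132, "tcp": 6, "udp": 17, "vrrp": 112,
}


def protocol_number(protocol: Union[str, int]) -> int:
    """Resolve 'tcp' or 6 to the numeric IP protocol, as the option allows."""
    return protocol if isinstance(protocol, int) else PROTOCOLS[protocol.lower()]


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source_addresses: List[str]        # prefixes (address sets already resolved)
    destination_addresses: List[str]
    protocol: int                      # numeric IP protocol of the application
    destination_ports: Tuple[int, int] = (1, 65535)   # inclusive range
    source_ports: Tuple[int, int] = (1, 65535)
    action: str = "permit"
    enabled: bool = True               # State: enabled / disabled

    def matches(self, src_ip: str, dst_ip: str, proto: int,
                sport: int, dport: int) -> bool:
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        return (any(src in ip_network(n) for n in self.source_addresses)
                and any(dst in ip_network(n) for n in self.destination_addresses)
                and proto == self.protocol
                and self.source_ports[0] <= sport <= self.source_ports[1]
                and self.destination_ports[0] <= dport <= self.destination_ports[1])


def match_policies(policies: List[Policy], from_zone: str, to_zone: str,
                   source_ip: str, destination_ip: str,
                   protocol: Union[str, int], source_port: int,
                   destination_port: int, result_count: int = 1) -> List[Policy]:
    """Return up to result_count matching policies in lookup order for the
    5-tuple in the given zone context. Disabled matches are included so the
    caller can see them, as the command reports State: disabled."""
    if not 1 <= result_count <= 16:
        raise ValueError("result-count must be 1 through 16")
    for port in (source_port, destination_port):
        if not 1 <= port <= 65535:
            raise ValueError("ports must be 1 through 65535")
    proto = protocol_number(protocol)
    hits: List[Policy] = []
    for policy in policies:                        # configured sequence order
        if (policy.from_zone, policy.to_zone) != (from_zone, to_zone):
            continue
        if policy.matches(source_ip, destination_ip, proto,
                          source_port, destination_port):
            hits.append(policy)
            if len(hits) == result_count:
                break
    return hits


def effective_policy(hits: List[Policy]) -> Optional[Policy]:
    """The first enabled match is the one applied to matching traffic."""
    return next((p for p in hits if p.enabled), None)


def shadowed_policies(hits: List[Policy]) -> List[Policy]:
    """Enabled matches after the effective one: never reached by this traffic."""
    effective = effective_policy(hits)
    if effective is None:
        return []
    return [p for p in hits[hits.index(effective) + 1:] if p.enabled]


# Constructed trust-to-untrust policy set (hypothetical, not from a real device).
# The deny for SSH into the DMZ sits behind a broad permit and is shadowed.
POLICIES = [
    Policy("emergency-block", "trust", "untrust", ["0.0.0.0/0"], ["0.0.0.0/0"],
           PROTOCOLS["tcp"], action="deny", enabled=False),
    Policy("allow-outbound-tcp", "trust", "untrust", ["10.0.0.0/8"],
           ["0.0.0.0/0"], PROTOCOLS["tcp"]),
    Policy("block-ssh-to-dmz", "trust", "untrust", ["10.0.0.0/8"],
           ["192.0.2.0/24"], PROTOCOLS["tcp"], destination_ports=(22, 22),
           action="deny"),
    Policy("allow-dns", "trust", "untrust", ["10.0.0.0/8"], ["0.0.0.0/0"],
           PROTOCOLS["udp"], destination_ports=(53, 53)),
]

if __name__ == "__main__":
    # Equivalent of: show security match-policies from-zone trust to-zone untrust
    #   source-ip 10.1.1.1 destination-ip 192.0.2.10 source-port 40000
    #   destination-port 22 protocol tcp result-count 16
    hits = match_policies(POLICIES, "trust", "untrust", "10.1.1.1",
                          "192.0.2.10", "tcp", 40000, 22, result_count=16)
    for p in hits:
        print(f"Policy: {p.name}, action-type: {p.action}, "
              f"State: {'enabled' if p.enabled else 'disabled'}")
    applied = effective_policy(hits)
    print("applied:", applied.name if applied else "none")
    print("shadowed:", [p.name for p in shadowed_policies(hits)])
```

With the default result-count of 1 the lookup stops at the first match even when that policy is disabled, which is why the shadowing check needs a larger result-count: only then does the unreachable block-ssh-to-dmz deny appear below the permit that hides it.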

Note:

The show security match-policies command is applicable only to security policies; IDP policies are not supported.

Options

  • destination-ip destination-ip—Specifies the destination IP address of the traffic to match.

  • destination-port destination-port—Specifies the destination port number of the traffic to match. Range is 1 through 65,535.

  • destination-vrf destination-vrf—(Optional) Specifies the destination VRF of the traffic.

  • from-zone zone-name—Specifies the name or ID of the source zone of the traffic. This is optional for global policies.

  • global—Displays information about global policies.

  • logical-system—Specifies the logical system name.

  • protocol protocol-name | protocol-number—Specifies the protocol of the traffic to match, by name or numeric value:

    • ah or 51

    • egp or 8

    • esp or 50

    • gre or 47

    • icmp or 1

    • igmp or 2

    • igp or 9

    • ipip or 94

    • ipv6 or 41

    • ospf or 89

    • pgm or 113

    • pim or 103

    • rdp or 27

    • rsvp or 46

    • sctp or 132

    • tcp or 6

    • udp or 17

    • vrrp or 112

  • result-count number—(Optional) Specifies how many matching policies to display. Valid range is 1 through 16. The default value is 1.

  • root-logical-system—Displays the root logical system (the default).

  • source-end-user-profile device-identity-profile-name—(Optional) Specifies the device identity profile, which defines characteristics that can apply to one or more devices.

  • source-identity role-name—(Optional) Specifies the source identity of the traffic as determined by the user role.

  • source-ip source-ip—Specifies the source IP address of the traffic to match.

  • source-port source-port—Specifies the source port number of the traffic to match. Range is 1 through 65,535.

  • tenant—Specifies the name of the tenant system.

  • to-zone zone-name—Specifies the name or ID of the destination zone of the traffic. This is optional for global policies.

  • url-category category-name—(Optional) Specifies the URL category of the traffic to match, as used in the sample command below (introduced in Junos OS Release 20.2R1).

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security match-policies command. Output fields are listed in the approximate order in which they appear.

Table 1: show security match-policies Output Fields

Field Name

Field Description

Policy

Name of the applicable policy.

Action or Action-type

The action to be taken for traffic that matches the policy’s match criteria. Actions include the following:

  • permit

  • firewall-authentication

  • tunnel ipsec-vpn vpn-name

  • pair-policy pair-policy-name

  • deny

  • reject

State

Status of the policy:

  • enabled: The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.

  • disabled: The policy cannot be used in the policy lookup process, and therefore it is not available for access control.

Index

An internal number associated with the policy.

Sequence number

Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, and 3. Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1, 2, 3, and 4.

From zone

Name of the source zone.

To zone

Name of the destination zone.

Source addresses

The names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.

Destination addresses

The names and corresponding IP addresses of the destination addresses (or address sets) for a policy as entered in the destination zone’s address book. A packet’s destination address must match one of these addresses for the policy to apply to it.

Application

Name of a preconfigured or custom application, or any if no application is specified.

IP protocol

Numeric value for the IP protocol used by the application, such as 6 for TCP or 1 for ICMP.

ALG

If an ALG is associated with the session, the name of the ALG. Otherwise, 0.

Inactivity timeout

Elapsed time without activity after which a session for the application is closed.

Source-port range

Range of matching source ports defined in the policy.

Destination-port range

Range of matching destination ports defined in the policy.

Source identities

One or more user roles defined in the matching policy.

global

Display information about global policies.

device-identity-profile-name

Device identity profile that specifies characteristics that can apply to one or more devices.

Sample Output

Example 1: show security match-policies

Example 2: show security match-policies ... result-count

Example 3: show security match-policies ... source-identity

Example 4: show security match-policies ... global

show security match-policies tenant TN1 from-zone trust to-zone untrust source-ip 10.10.10.1 destination-ip 192.0.2.1 source-port 1 destination-port 21 protocol tcp

show security match-policies from-zone client to-zone svr source-ip 10.1.1.1 source-port 88 destination-ip 10.2.2.2 destination-port 80 protocol tcp url-category Enhanced_Games

Release Information

Command introduced in Junos OS Release 10.3.

Command updated in Junos OS Release 10.4.

Command updated in Junos OS Release 12.1.

Command updated to include optional from-zone and to-zone global match options in Junos OS Release 12.1X47-D10.

The tenant option is introduced in Junos OS Release 18.3R1.

The url-category option is introduced in Junos OS Release 20.2R1.