show security match-policies

Syntax

Description

The show security match-policies command allows you to troubleshoot traffic problems using the match criteria: source port, destination port, source IP address, destination IP address, and protocol. For example, if your traffic is not passing because either an appropriate policy is not configured or the match criteria is incorrect, then the show security match-policies command allows you to work offline and identify where the problem actually exists. It uses the search engine to identify the problem and thus enables you to use the appropriate match policy for the traffic.

The result-count option specifies how many policies to display. The first enabled policy in the list is the policy that is applied to all matching traffic. Other policies below it are “shadowed” by the first and are never encountered by matching traffic.

Note:

The show security match-policies command is applicable only to security policies; IDP policies are not supported.

Options

destination-ip destination-ip—Displays the destination IP address of the traffic.
destination-port destination-port–Displays the destination port number of the traffic. Range is 1 through 65,535.
destination-vrf destination-vrf—(Optional) Displays the destination VRF information.
from-zone zone-name—Displays the name or ID of the source zone of the traffic. This is optional for global policies.
global—Displays information about global policies.
logical-system—Displays the logical system name.
protocol protocol-name | protocol-number–Displays the protocol name or numeric value of the traffic.
- ah or 51
- egp or 8
- esp or 50
- gre or 47
- icmp or 1
- igmp or 2
- igp or 9
- ipip or 94
- ipv6 or 41
- ospf or 89
- pgm or 113
- pim or 103
- rdp or 27
- rsvp or 46
- sctp or 132
- tcp or 6
- udp or 17
- vrrp or 112
result-count number—(Optional) Displays the number of policy matches. Valid range is from 1 through 16. The default value is 1.
root-logical-system—Displays root logical system as default.
source-end-user-profile device-identity-profile-name—(Optional) Displays the device identity profile that specifies characteristics that can apply to one or more devices.
source-identity role-name—(Optional) Displays the source identity of the traffic determined by the user role.
source-ip source-ip—Displays the source IP address of the traffic.
source-port source-port—Displays the source port number of the traffic. Range is 1 through 65,535.
tenant—Displays the name of the tenant system.
to-zone zone-name—Displays the name or ID of the destination zone of the traffic. This is optional for global policies.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security match-policies command. Output fields are listed in the approximate order in which they appear.

Table 1: show security match-policies Output Fields
Field Name	Field Description
`Policy`	Name of the applicable policy.
`Action` or `Action-type`	The action to be taken for traffic that matches the policy’s match criteria. Actions include the following: `permit` `firewall-authentication` `tunnel ipsec-vpn vpn-name` `pair-policy pair-policy-name` `deny` `reject`
`State`	Status of the policy: `enabled`: The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it. `disabled`: The policy cannot be used in the policy lookup process, and therefore it is not available for access control.
`Index`	An internal number associated with the policy.
`Sequence number`	Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, and 3. Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1, 2, 3, and 4.
`From zone`	Name of the source zone.
`To zone`	Name of the destination zone.
`Source addresses`	The names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.
`Destination addresses`	The names and corresponding IP addresses of the destination addresses (or address sets) for a policy as entered in the destination zone’s address book. A packet’s destination address must match one of these addresses for the policy to apply to it.
`Application`	Name of a preconfigured or custom application, or `any` if no application is specified.
`IP protocol`	Numeric value for the IP protocol used by the application, such as 6 for TCP or 1 for ICMP.
`ALG`	If an ALG is associated with the session, the name of the ALG. Otherwise, 0.
`Inactivity timeout`	Elapsed time without activity after which the application is terminated.
`Source-port range`	Range of matching source ports defined in the policy.
`Destination-port range`	Range of matching destination ports defined in the policy.
`Source identities`	One or more user roles defined in the matching policy.
`global`	Display information about global policies.
`device-identity-profile-name`	Device identity profile that specifies characteristics that can apply to one or more devices.

Sample Output

Example 1: show security match-policies
Example 2: show security match policies ... result-count
Example 3: show security match policies ... source-identity
Example 4: show security match policies ... global
show security match-policies tenant TN1 from-zone trust to-zone untrust source-ip 10.10.10.1 destination-ip 192.0.2.1 source-port 1 destination-port 21 protocol tcp
show security match-policies from-zone client to-zone svr source-ip 10.1.1.1 source-port 88 destination-ip 10.2.2.2 destination-port 80 protocol tcp url-category Enhanced_Games

Example 1: show security match-policies

Example 2: show security match policies ... result-count

Example 3: show security match policies ... source-identity

Example 4: show security match policies ... global