
debugging
security match-policies

You can use the show security match-policies command to test which security policy a flow from one device to another would hit, given its source and destination zones, addresses, protocol and ports.

This is an example of a test where the flow is permitted by a configured policy (rule1):
> show security match-policies from-zone b1-trans2 to-zone n1-srv2 source-ip 10.50.81.39 destination-ip 10.120.81.39 protocol tcp source-port 12345 destination-port 443

node0:
--------------------------------------------------------------------------
Policy: rule1, action-type: permit, State: enabled, Index: 5
0
  Policy Type: Configured
  Sequence number: 1
  From zone: b1-trans2, To zone: n1-srv2
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: Yes, SEQ check: No

{primary:node0}

And this is an example of a test that fails: the same flow is not matched by any configured policy, so it falls through to the default deny-all policy (note that only Default-Policy is listed and there is no "Policy Type: Configured" line):
> show security match-policies from-zone b1-trans2 to-zone n1-srv2 source-ip 10.50.81.39 destination-ip 10.120.81.39 protocol tcp source-port 12345 destination-port 443

node0:
--------------------------------------------------------------------------
Policy: Default-Policy, action-type: deny-all, State: enabled, Index: 2
  Sequence number: 2

{primary:node0}

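As an added example (not part of the original page), here is a small Python parser for this output that tells apart a flow that fell through to Default-Policy from one that was permitted, and flags a permit that came only from an any/any rule like rule1 above. The sample outputs are constructed to mirror the two captures on this page, and the assess function is a hypothetical helper of mine.

```python
import re
# Constructed samples shaped like the two captures on this page (not from a live device).
PERMIT_OUTPUT = """node0:
Policy: rule1, action-type: permit, State: enabled, Index: 5
  Policy Type: Configured
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
{primary:node0}
"""
DENY_OUTPUT = """node0:
Policy: Default-Policy, action-type: deny-all, State: enabled, Index: 2
  Sequence number: 2
{primary:node0}
"""
POLICY_RE = re.compile(r"^Policy: (?P<name>\S+), action-type: (?P<action>\S+), State: \S+, Index: \d+")
ADDR_RE = re.compile(r"^[^(\s]+\([^)]+\): (?P<prefix>\S+)$")  # e.g. any-ipv4(global): 0.0.0.0/0
ANY = {"0.0.0.0/0", "::/0"}

def parse_match(output):
    """Extract the matched policy name, action and address lists from the CLI output."""
    r = {"policy": None, "action": None, "configured": False, "source": [], "destination": []}
    section = None
    for line in output.splitlines():
        if m := POLICY_RE.match(line):
            r["policy"], r["action"] = m.group("name"), m.group("action")
            continue
        indent = len(line) - len(line.lstrip(" "))
        text = line.strip()
        if indent == 2:  # top-level field: starts an address list or ends the previous one
            section = {"Source addresses:": "source", "Destination addresses:": "destination"}.get(text)
            r["configured"] |= text == "Policy Type: Configured"
        elif indent == 4 and section and (m := ADDR_RE.match(text)):
            r[section].append(m.group("prefix"))
    return r

def assess(output):
    """Classify the result: default policy hit, any/any permit, or an ordinary rule action."""
    r = parse_match(output)
    if r["policy"] is None:
        return "unparsed"
    if not r["configured"]:  # only Default-Policy matched: no configured rule covers the flow
        return "default-" + r["action"]
    if r["action"] == "permit" and set(r["source"]) <= ANY and set(r["destination"]) <= ANY:
        return "permit-any-any"  # permitted, but by a rule that allows every address
    return r["action"]
```

Feed it the text captured from the CLI for each flow you test; a "default-deny-all" result means the flow is blocked, and "permit-any-any" means it only passes because a wide-open rule exists.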