security match-policiesYou can use thesecurity match-policies command to test the flow from one device to the other. This is an example of a test that is correct: > show security match-policies from-zone b1-trans2 to-zone n1-srv2 source-ip 10.50.81.39 destination-ip 10.120.81.39 protocol tcp source-port 12345 destination-port 443node0:--------------------------------------------------------------------------Policy: rule1, action-type: permit, State: enabled, Index: 50 Policy Type: Configured Sequence number: 1 From zone: b1-trans2, To zone: n1-srv2 Source addresses: any-ipv4(global): 0.0.0.0/0 any-ipv6(global): ::/0 Destination addresses: any-ipv4(global): 0.0.0.0/0 any-ipv6(global): ::/0 Application: any IP protocol: 0, ALG: 0, Inactivity timeout: 0 Source port range: [0-0] Destination port range: [0-0] Per policy TCP Options: SYN check: Yes, SEQ check: No{primary:node0}And this is an example of a test that fails: > show security match-policies from-zone b1-trans2 to-zone n1-srv2 source-ip 10.50.81.39 destination-ip 10.120.81.39 protocol tcp source-port 12345 destination-port 443node0:--------------------------------------------------------------------------Policy: Default-Policy, action-type: deny-all, State: enabled, Index: 2 Sequence number: 2{primary:node0}Firewall Filtertrack traffic going through the firewall. editset firewall family inet filter TESTCOUNT term MATCH from source-address 96.230.36.204/32set firewall family inet filter TESTCOUNT term MATCH from destination-address 38.111.225.242/32set firewall family inet filter TESTCOUNT term MATCH from protocol tcpset firewall family inet filter TESTCOUNT term MATCH then count testcounterset firewall family inet filter TESTCOUNT term MATCH then acceptset firewall family inet filter TESTCOUNT term EVERYTHINGELSE then acceptcommit confirmed 10# run show firewall filter TESTCOUNTFilter: TESTCOUNTCounters:Name Bytes Packetstestcounter 0 0References:
|