A nice SRX command I’ve never come across before

11 08 2015

Not sure why this command has to be so obscure, but I stumbled on this while writing a training course tonight – quite a nice way to see if packets are hitting your policies:

imtech@srx220-1-POD3> show security policies hit-count 
Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       VR3a             VR3b              P1             0            
 2       VR3a             untrust           3to1VPN        8320         
 3       VR3a             untrust           P1             3249         
 4       VR3b             VR3a              P1             0            
 5       VR3b             untrust           P1             0            
 6       untrust          junos-host        P1             8            
 7       untrust          VR3a              1to3           5523         
 8       untrust          VR3a              P1             5            
 9       untrust          VR3b              permit-to-3b   0            
 10      untrust          VR3b              DEFAULT-DENY   16



One response

5 12 2015
Simon Helson

It only appeared in JunOS 12 (along with policy description fields), so if you ran JTAC recommended it essentially didn’t exist until this year. Super-useful as opposed to the overhead of logging permits in a lot of situations.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: