[j-nsp] SRX Command
Ben Dale
bdale at comlinx.com.au
Tue Sep 24 18:45:43 EDT 2013
Harri,
As per the link below - add "then count" to all your policies (using the following apply-group will do this quickly for you):
set groups COUNT-ALL security policies from-zone <*> to-zone <*> policy <*> then count
set apply-groups COUNT-ALL
If you install the op-script provided and run it after a month or so, it will show you pretty quickly which policies are being used, but if you don't want to use an op script, try:
run show security policies detail | match "Policy:|zone|lookups"
Again - the lookups field will only be there if the policy has count enabled.
Cheers,
Ben
On 24/09/2013, at 10:37 PM, Harri Makela <harri_makela at yahoo.com> wrote:
> Thanks for lookup
>
> We have JUNOS Software Release [10.4R5.5] and it doesn't look like we have the option indicated in the last mail
>
> admin at SRX-3600-P> show security policies ?
> Possible completions:
> <[Enter]> Execute this command
> detail Show the detailed information
> from-zone Show the policy information matching the given source zone
> policy-name Show the policy information matching the given policy name
> to-zone Show the policy information matching the given destination zone
> | Pipe through a command
> {primary:node0}
> admin at SRX-3600-P> show security policies hit
> ^
>
> I can capture all duplicate policies and delete the ones which are not required for the same flow, but the ones which are not being used and are there for nothing, I would like to delete them. Not sure how I can accomplish that with a JUNOS command which I have to run in parallel with a shell script.
>
> Looking forward to getting some feedback.
>
> Thanks
> HM
>
>
>
> From: Ben Dale <bdale at comlinx.com.au>
> To: Edward Dore <edward.dore at freethought-internet.co.uk>
> Cc: Harri Makela <harri_makela at yahoo.com>; "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
> Sent: Tuesday, 24 September 2013, 5:45
> Subject: Re: [j-nsp] SRX Command
>
> After I spent a bit of time building an op script to print policy matches out in a nicely formatted table, I notice that this feature is now available for all policies even without the "then count" action from 12.1:
>
> show security policies hit-count
>
> Cheers,
>
> Ben
>
> On 24/09/2013, at 8:45 AM, Edward Dore <edward.dore at freethought-internet.co.uk> wrote:
>
> > You'll need to add the "count" action to the "then" statement on each security policy if you want to track the number of times that the policy has been matched.
> >
> > Edward Dore
> > Freethought Internet
> >
> > On 23 Sep 2013, at 23:08, Harri Makela wrote:
> >
> >> Hi All
> >>
> >> Is there any command in SRX which I can use to check "number of times FW policy has been used". Actually I want to clear all FW policies which are not being used for the last 12 months or so. I don't know much about scripting but can try to get some help if I can think of a command which can be run through different zone combinations.
> >>
> >>
> >> Thanks in Advance !
> >> HM
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
>
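Added example, not part of the thread and not Juniper's op script: a small Python parser for the filtered output that Ben's `run show security policies detail | match "Policy:|zone|lookups"` produces, which sorts policies into used, unused, and not-counted, and emits the matching `delete security policies ...` statements for review. The sample output below is constructed by hand to resemble SRX output (the `Policy:` header line, the `From zone: ..., To zone: ...` line, and the `Policy lookups :` counter that only appears once `then count` is configured); the exact column layout on a given Junos release is an assumption, so check the regexes against your own box before trusting the result. Since the parser just ignores lines it does not recognise, it also works on the unfiltered `show security policies detail` output.

```python
import re

# Constructed sample of `show security policies detail | match "Policy:|zone|lookups"`.
# Layout is assumed from typical SRX output; "Policy lookups" is only present
# for policies that have "then count" (e.g. via the COUNT-ALL apply-group).
SAMPLE_OUTPUT = """\
Policy: allow-web, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  From zone: trust, To zone: untrust
    Policy lookups   :                12345
Policy: allow-dns, action-type: permit, State: enabled, Index: 5, Scope Policy: 0
  From zone: trust, To zone: untrust
    Policy lookups   :                    0
Policy: legacy-ftp, action-type: permit, State: enabled, Index: 6, Scope Policy: 0
  From zone: trust, To zone: dmz
Policy: deny-all, action-type: deny, State: enabled, Index: 7, Scope Policy: 0
  From zone: untrust, To zone: trust
    Policy lookups   :                  987
"""

POLICY_RE = re.compile(r"^Policy:\s*(?P<name>\S+?),")
ZONE_RE = re.compile(r"^\s*From zone:\s*(?P<from>\S+),\s*To zone:\s*(?P<to>\S+)")
LOOKUP_RE = re.compile(r"^\s*Policy lookups\s*:\s*(?P<count>\d+)")


def parse_policies(text):
    """Parse CLI output into a list of dicts: name, from_zone, to_zone, lookups.

    lookups is None when the policy has no counter (no "then count" configured),
    which is different from a counter that reads 0.
    """
    policies = []
    current = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = {"name": m.group("name"), "from_zone": None,
                       "to_zone": None, "lookups": None}
            policies.append(current)
            continue
        if current is None:
            continue  # junk before the first policy header
        m = ZONE_RE.match(line)
        if m:
            current["from_zone"] = m.group("from")
            current["to_zone"] = m.group("to")
            continue
        m = LOOKUP_RE.match(line)
        if m:
            current["lookups"] = int(m.group("count"))
    return policies


def classify(policies):
    """Split policies into (unused, used, uncounted) by their lookup counter."""
    unused, used, uncounted = [], [], []
    for p in policies:
        if p["lookups"] is None:
            uncounted.append(p)
        elif p["lookups"] == 0:
            unused.append(p)
        else:
            used.append(p)
    return unused, used, uncounted


def delete_commands(policies):
    """Build Junos configuration-mode delete statements for the given policies."""
    return [
        f"delete security policies from-zone {p['from_zone']} "
        f"to-zone {p['to_zone']} policy {p['name']}"
        for p in policies
    ]


if __name__ == "__main__":
    unused, used, uncounted = classify(parse_policies(SAMPLE_OUTPUT))
    print("used:     ", [p["name"] for p in used])
    print("uncounted:", [p["name"] for p in uncounted])
    print("candidate deletes (review before committing):")
    for cmd in delete_commands(unused):
        print(" ", cmd)
```

Two caveats before acting on the delete list. The lookup counters are held in memory and start from zero again after a reboot or a clear, so a zero only means "unused since the counter started", not "unused for 12 months"; compare against `show system uptime` and the date the COUNT-ALL group was committed. And the script classifies purely on hit count, so a zero-hit deny policy that exists as a safety net will land in the unused list; filter by `action-type` or review the output by hand rather than piping it straight into a commit.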