The display security-policy rule command displays configuration information about all security policy rules, a specific security policy rule, or the security policy rules that match the security zone and 5-tuple conditions.
display security-policy rule all [ | include regular-expression | slot slot-id cpu cpu-id ]
display security-policy rule name rule-name
display security-policy rule [ verbose ] { source-zone { source-zone-name | any } | destination-zone { destination-zone-name | any } | source { source-ip-address | source-ipv6-address | any } | destination { destination-ip-address | destination-ipv6-address | any } | protocol { { tcp | udp | sctp } [ source-port source-port | destination-port destination-port ] * | icmp | protocol-number | any } } *
| Parameter | Description | Value |
|---|---|---|
| all | Indicates all security policy rules. | - |
| \| include regular-expression | Displays the configuration of the security policy rules that contain the string matched by a regular expression. The string is case-sensitive. | - |
| name rule-name | Specifies the name of a security policy rule. | The specified security policy rule must exist. |
| slot slot-id | Indicates the slot ID. Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter. | - |
| cpu cpu-id | Indicates the CPU ID. Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter. | - |
| verbose | Displays detailed information about a security policy rule. | - |
| source-zone source-zone-name | Specifies the source zone of a security policy rule. | - |
| destination-zone destination-zone-name | Specifies the destination zone of a security policy rule. | - |
| source source-ip-address | Specifies the source IPv4 address configured in a security policy rule. | The value is in dotted decimal notation. |
| source source-ipv6-address | Specifies the source IPv6 address configured in a security policy rule. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
| destination destination-ip-address | Specifies the destination IPv4 address configured in a security policy rule. | The value is in dotted decimal notation. |
| destination destination-ipv6-address | Specifies the destination IPv6 address configured in a security policy rule. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
| protocol | Indicates a connection protocol. | - |
| tcp | Indicates the Transmission Control Protocol (TCP). | - |
| udp | Indicates the User Datagram Protocol (UDP). | - |
| sctp | Indicates the Stream Control Transmission Protocol (SCTP). | - |
| icmp | Indicates the Internet Control Message Protocol (ICMP). | - |
| protocol-number | Specifies an IP protocol number other than 1 (ICMP), 6 (TCP), and 17 (UDP), which are selected with the icmp, tcp, and udp keywords. | The value is an integer ranging from 0 to 255. |
| source-port source-port | Specifies the source port configured in a security policy rule. | The value is an integer ranging from 0 to 65535. |
| destination-port destination-port | Specifies the destination port configured in a security policy rule. | The value is an integer ranging from 0 to 65535. |
| any | Indicates any source security zone, destination security zone, source address, destination address, or protocol in a security policy rule. | - |
The display security-policy rule command output displays rules in priority descending order, excluding default policies.
# Display security policy rule test.
```
<sysname> display security-policy rule name test
(0 times matched)
rule name test
 source-zone trust
 destination-zone untrust
 application app QQLive
 action permit
```
# Display the security policy rule with the destination address being 1.1.1.1, protocol being TCP, and destination port being 8888.
```
<sysname> display security-policy rule destination 1.1.1.1 protocol tcp destination-port 8888
RULE ID  RULE NAME  STATE   ACTION  HITS
-------------------------------------------------------------------------------
1        1          enable  permit  0
2        2          enable  permit  0
5        5          enable  permit  0
6        6          enable  deny    0
0        default    enable  deny    0
-------------------------------------------------------------------------------
```
# Display the security policy rule with the source zone being untrust, destination address being 1.1.1.1, protocol being TCP, and destination port being 8888.
```
<sysname> display security-policy rule source-zone untrust destination 1.1.1.1 protocol tcp destination-port 8888
RULE ID  RULE NAME  STATE   ACTION  HITS
-------------------------------------------------------------------------------
1        1          enable  permit  0
2        2          enable  permit  0
5        5          enable  permit  0
6        6          enable  deny    0
0        default    enable  deny    0
-------------------------------------------------------------------------------
```
| Item | Description |
|---|---|
| RULE ID | ID of the security policy rule |
| RULE NAME | Name of the security policy rule |
| STATE | Whether the security policy rule is enabled |
| ACTION | Action of the security policy rule (permit or deny) |
| HITS | Number of times the security policy rule has been matched |
# Display security policies whose configuration contains the string bbs (fuzzy match).
```
<sysname> display security-policy rule all | include bbs
rule name bbs
 source-zone trust
 source-address address-set d
 action permit
rule name b
 description bbs
 action permit
rule name c
 source-address address-set bbs
 action deny
```
# Display detailed information about all policies whose destination zone is Local.
```
<sysname> display security-policy rule verbose destination-zone local
(0 times matched)
rule name w1
 source-zone trust
 destination-zone local
 action permit
(0 times matched)
rule name w2
 source-zone untrust
 destination-zone local
 action permit
```
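The two output shapes shown above (the RULE ID / RULE NAME / STATE / ACTION / HITS table printed by the 5-tuple query form, and the per-rule block form printed by `name` and `verbose`, where each rule is preceded by `(N times matched)`) are what a reviewer typically has to work with when auditing a policy set offline. The following parser is an added example, not Huawei code and not part of this page; it assumes the output was captured as plain text, and the sample inputs are constructed from the examples above. The `audit` function illustrates the check a reviewer usually wants from this command: which permit rules have never matched, and what the default policy's action is.

```python
"""Parse `display security-policy rule` output (added example, not Huawei code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the column table from the `destination 1.1.1.1
# protocol tcp destination-port 8888` query shown on the page.
TABLE_OUTPUT = """\
RULE ID  RULE NAME  STATE   ACTION  HITS
-------------------------------------------------------------------------------
1        1          enable  permit  0
2        2          enable  permit  0
5        5          enable  permit  0
6        6          enable  deny    0
0        default    enable  deny    0
-------------------------------------------------------------------------------
"""

# Constructed sample: the verbose per-rule form for destination-zone local.
VERBOSE_OUTPUT = """\
(0 times matched)
rule name w1
 source-zone trust
 destination-zone local
 action permit
(0 times matched)
rule name w2
 source-zone untrust
 destination-zone local
 action permit
"""


@dataclass
class Rule:
    rule_id: Optional[int]          # None for the block form, which prints no ID
    name: str
    state: str
    action: str
    hits: int
    attrs: dict = field(default_factory=dict)  # source-zone, destination-zone, ...


# One table row: ID, name, state, action, hit count, separated by whitespace.
_TABLE_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(enable|disable)\s+(permit|deny)\s+(\d+)$")
# The hit counter that precedes each rule in the block form.
_MATCHED = re.compile(r"^\((\d+) times matched\)$")


def parse_table(text: str) -> list:
    """Parse the RULE ID / RULE NAME / STATE / ACTION / HITS table."""
    rules = []
    for line in text.splitlines():
        m = _TABLE_ROW.match(line.strip())
        if m:  # header and dashed separator lines do not match
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), int(m.group(5))))
    return rules


def parse_verbose(text: str) -> list:
    """Parse the per-rule block form; every other line becomes a key/value attr."""
    rules = []
    pending_hits = 0
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _MATCHED.match(line)
        if m:
            pending_hits = int(m.group(1))  # applies to the rule that follows
            continue
        if line.startswith("rule name "):
            current = Rule(None, line[len("rule name "):], "enable", "", pending_hits)
            rules.append(current)
            continue
        if current is None or not line:
            continue
        key, _, value = line.partition(" ")
        if key == "action":
            current.action = value
        else:
            current.attrs[key] = value
    return rules


def audit(rules: list) -> dict:
    """Policy-hygiene summary: never-matched permit rules and the default action."""
    return {
        "zero_hit_permits": [r.name for r in rules if r.action == "permit" and r.hits == 0],
        "default_action": next((r.action for r in rules if r.name == "default"), None),
    }


if __name__ == "__main__":
    print(audit(parse_table(TABLE_OUTPUT)))
    for r in parse_verbose(VERBOSE_OUTPUT):
        print(r.name, r.hits, r.action, r.attrs)
```

A permit rule whose hit counter stays at zero over a meaningful observation window is a candidate for removal, since it widens the policy without serving traffic; the parser deliberately treats the `default` row like any other so that its action can be confirmed as `deny` in the same pass.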