Global policy count in SRX
As far as I know there is no single command to enable the policy count option globally, but you can do it via a group statement.
Be aware that policy count is a performance-affecting feature, so think twice if your traffic volume is high. Here is how we can do it:
groups {
    policy_count {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            count;
                        }
                    }
                }
            }
        }
    }
}
apply-groups policy_count;
Once you apply this group, you can check any policy to see the policy counters:
user@srx100-1> show security policies policy-name permit-trust detail
Policy: permit-trust, action-type: permit, State: enabled, Index: 9, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: transit-zone
  Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Destination addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input  bytes   :                    0                    0 bps
    Output bytes   :                    0                    0 bps
    Input  packets :                    0                    0 pps
    Output packets :                    0                    0 pps
    Session rate   :                    0                    0 sps
    Active sessions:                    0
    Session deletions:                  0
    Policy lookups :                    0
You can see that policy statistics are now enabled. When you check the other policies, you will see that it is enabled for all of them.
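Once the counters are on for every policy, the useful defender's follow-up is to pull the statistics out of the detail output and flag enabled policies that have never been looked up, since those are the usual candidates for shadowed or stale rules. The script below is an added example and not part of the original post: it parses the "Policy statistics" block in the shape shown above and returns the policies with a zero "Policy lookups" counter. The two-policy sample output embedded in it is constructed for the example (the second policy, "allow-web", and all its numbers are made up), and the header and zone formats are assumed to match the output shown on this page.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of 'show security policies ... detail'.
# The first policy mirrors the output on the page; the second is invented
# so that the unused-policy check has a counter-carrying policy to compare.
SAMPLE_OUTPUT = """\
Policy: permit-trust, action-type: permit, State: enabled, Index: 9, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: transit-zone
  Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Destination addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Application: any
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input  bytes   :                    0                    0 bps
    Output bytes   :                    0                    0 bps
    Input  packets :                    0                    0 pps
    Output packets :                    0                    0 pps
    Session rate   :                    0                    0 sps
    Active sessions:                    0
    Session deletions:                  0
    Policy lookups :                    0
Policy: allow-web, action-type: permit, State: enabled, Index: 10, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 2
  From zone: trust, To zone: untrust
  Application: junos-http
  Policy statistics:
    Input  bytes   :               123456                 1024 bps
    Output bytes   :               654321                 2048 bps
    Input  packets :                 1000                   10 pps
    Output packets :                 1200                   12 pps
    Session rate   :                   50                    1 sps
    Active sessions:                    4
    Session deletions:                 46
    Policy lookups :                  120
"""

# A policy block starts at column 0 with "Policy: <name>, action-type: ...".
HEADER_RE = re.compile(
    r"^Policy: (?P<name>\S+), action-type: (?P<action>\S+), "
    r"State: (?P<state>\S+), Index: (?P<index>\d+)"
)
ZONE_RE = re.compile(r"^\s*From zone: (?P<src>\S+), To zone: (?P<dst>\S+)")
# Counter lines: "<label> : <total> [<rate> bps|pps|sps]"; the label may carry
# doubled spaces used for column alignment, so it is normalised afterwards.
STAT_RE = re.compile(
    r"^\s*(?P<label>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<total>\d+)"
    r"(?:\s+(?P<rate>\d+)\s+(?P<unit>[bps]ps))?\s*$"
)


def parse_policy_detail(text: str) -> List[Dict]:
    """Return one dict per policy with its zones and cumulative counters."""
    policies: List[Dict] = []
    current = None
    in_stats = False
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {
                "name": header["name"], "action": header["action"],
                "state": header["state"], "index": int(header["index"]),
                "from_zone": None, "to_zone": None, "stats": {},
            }
            policies.append(current)
            in_stats = False       # counters belong to the new policy only
            continue
        if current is None:
            continue               # text before the first policy block
        zones = ZONE_RE.match(line)
        if zones:
            current["from_zone"], current["to_zone"] = zones["src"], zones["dst"]
            continue
        if line.strip() == "Policy statistics:":
            in_stats = True        # only lines after this are counters
            continue
        if in_stats:
            stat = STAT_RE.match(line)
            if stat:
                label = " ".join(stat["label"].split()).lower()
                current["stats"][label] = int(stat["total"])
    return policies


def unused_policies(policies: List[Dict]) -> List[str]:
    """Names of enabled policies whose 'Policy lookups' counter is zero.

    Counters are cumulative since they were last cleared, so treat a zero
    as a prompt to review the rule (shadowed, or written for traffic that
    no longer exists), not as proof that it is safe to delete."""
    return [
        p["name"] for p in policies
        if p["state"] == "enabled" and p["stats"].get("policy lookups", 0) == 0
    ]


if __name__ == "__main__":
    parsed = parse_policy_detail(SAMPLE_OUTPUT)
    for p in parsed:
        print(f'{p["name"]}: {p["from_zone"]} -> {p["to_zone"]}, '
              f'lookups={p["stats"].get("policy lookups")}')
    print("never looked up:", unused_policies(parsed))
```

In practice you would feed the script the output of `show security policies detail` captured from the device; because the counters only accumulate while the count option is on and are reset when cleared, compare results over a period that covers your normal traffic cycle before acting on a zero.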
Hi,
When using a 12.1 or higher release, this is not needed anymore for security policies.
Use the operational commands below to work with the counters per security policy.
> show security policies hit-count ?
> clear security policies hit-count ?
The same can be done with NAT rules and pools.
Regards
Z.
Thanks for the feedback. I really missed this feature. Several options are in the CLI reference guide http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/swconfig-cli/swconfig-cli.pdf, but as far as I can see there is no option to disable this feature if you don’t need it, in case it affects performance.