Global policy count in SRX

As far as I know, there is no single command to enable the policy count option globally, but you can do it via a group statement.
Be aware that policy count is a performance-affecting feature, so think twice if your traffic volume is high. Here is how we can do it:

groups {
    policy_count {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            count;
                        }
                    }
                }
            }
        }
    }
}

apply-groups policy_count;

Once you apply this group, you can check any policy to see the policy counters:

user@srx100-1> show security policies policy-name permit-trust detail
Policy: permit-trust, action-type: permit, State: enabled, Index: 9, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: transit-zone
  Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Destination addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input  bytes     :                    0                    0 bps
    Output bytes     :                    0                    0 bps
    Input  packets   :                    0                    0 pps
    Output packets   :                    0                    0 pps
    Session rate     :                    0                    0 sps
    Active sessions  :                    0
    Session deletions:                    0
    Policy lookups   :                    0

You can see that policy statistics are enabled. When you check the other policies, you will see that they are enabled for all of them.
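To confirm that the group really reached every policy, rather than checking them one by one, the output of `show security policies detail` can be parsed offline. The script below is an added example, not part of the original post; it assumes that a policy without `count` prints no "Policy statistics" block, and the `deny-all` policy in the sample is constructed for illustration.

```python
import re

# Constructed sample in the format of `show security policies detail`
# (first policy trimmed from the output above; "deny-all" is hypothetical).
SAMPLE = """\
Policy: permit-trust, action-type: permit, State: enabled, Index: 9, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: transit-zone
  Policy statistics:
    Input  bytes     :                    0                    0 bps
    Output bytes     :                    0                    0 bps
    Active sessions  :                    0
    Policy lookups   :                    0
Policy: deny-all, action-type: deny, State: enabled, Index: 10, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 2
  From zone: trust, To zone: transit-zone
"""

HEADER = re.compile(r"^Policy: (?P<name>[^,]+),")
ZONES = re.compile(r"^\s+From zone: (?P<src>[^,]+), To zone: (?P<dst>\S+)")
COUNTER = re.compile(r"^\s+(?P<key>[A-Za-z]+(?:\s+[A-Za-z]+)*)\s*:\s+(?P<total>\d+)(?:\s+\d+ [a-z]ps)?\s*$")


def parse_policies(text):
    """Return one dict per policy: name, zones, and counters (None if no stats block)."""
    policies, current, in_stats = [], None, False
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = {"name": m["name"], "from": None, "to": None, "counters": None}
            policies.append(current)
            in_stats = False
        elif current is None:
            continue
        elif m := ZONES.match(line):
            current["from"], current["to"] = m["src"], m["dst"]
        elif line.strip() == "Policy statistics:":
            current["counters"], in_stats = {}, True
        elif in_stats and (m := COUNTER.match(line)):
            key = " ".join(m["key"].split())  # collapse "Input  bytes" padding
            current["counters"][key] = int(m["total"])
    return policies


def missing_count(policies):
    """Names of policies whose output has no Policy statistics block."""
    return [p["name"] for p in policies if p["counters"] is None]
```

An empty result from `missing_count()` means every policy in the captured output carries counters.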

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE


2 thoughts on “Global policy count in SRX”

  1. Hi,

    When using a 12.1 or higher release this is not needed anymore for security policies.
    Use the operational commands below to work with the counters per security policy.

    > show security policies hit-count ?
    > clear security policies hit-count ?

    The same can be done with NAT rules and pools.

    Regards

    Z.
