The z/OS UNIX pasearch command: Display policies

Use the z/OS UNIX pasearch command to query information from the z/OS UNIX Policy Agent. The command is issued from the UNIX System Services shell.

Restriction: The pasearch command requires access to the PAPI DLL at run time. Ensure that the LIBPATH environment variable is specified and points to the /usr/lib directory. For example, specify: export LIBPATH=/usr/lib

Note: If the user is not a superuser, see z/OS Communications Server: IP Configuration Guide for information about configuring the Policy Agent and setting up authorization for the client to retrieve policies.

Result: If any of the information that is requested by the pasearch command is not currently available, the pasearch command displays <not available>. For example, when the pasearch command is issued on a policy client, some information might need to be obtained from the policy server. Reissue the pasearch command later to see the complete information.

Format

             .----------------.   
             V                |   
>>-pasearch----+------------+-+--------------------------------><
               '-| Option |-'     

Option

   .- -A -e-----------------.   
|--+------------------------+-----------------------------------|
   +- -A--------------------+   
   +- -a--------------------+   
   +- -C--------------------+   
   +- -c--------------------+   
   +- -d--------------------+   
   +- -e--------------------+   
   +- -f --PolicyFilterName-+   
   +- -g--------------------+   
   +- -I--------------------+   
   +- -i--------------------+   
   +- -n--------------------+   
   +- -o--------------------+   
   +- -p --image------------+   
   +- -q--------------------+   
   +- -R--------------------+   
   +- -r--------------------+   
   +- -s --PolicyScopeName--+   
   +- -T--------------------+   
   +- -t--------------------+   
   +- -v--+-a-+-------------+   
   |      +-f-+             |   
   |      +-k-+             |   
   |      '-l-'             |   
   +- -w--------------------+   
   '- -?--------------------'   

Parameters

-A
Display active policy entries that match input options for pasearch. This is the default. If all policy entries are requested (pasearch -e, pasearch, or pasearch -a -r) and the policy rule is active, then active policy actions are returned. Policies on the policy server that are loaded on behalf of policy clients always display as active policies.
-a
Display all policy actions that match the input options for the pasearch command. Because the default action is to return all types of policy actions, use the -i, -q, -R, -t, or -v option to limit the type of policy actions that are returned.
-C
Display all image names with policies that are configured in Policy Agent. This includes locally defined images (those defined on a TcpImage statement) and connected policy clients (where the image name is defined by each client on the ClientName parameter on the PolicyServer statement).
-c
Display policy object information (for example, FLUSH or NOFLUSH, PURGE or NOPURGE). This option can be used with the image option (-p), or the policy type options (-i, -q, -R, -t, or -v). All other options are either ignored or are not valid.
See the following descriptions of policy object fields:
ConfigLocation
Indicates the source from which the policies were loaded. The following might be displayed on the policy server:
Local
Indicates that the policies were loaded from local configuration files, an LDAP server, or both.
Client
Indicates that the policies were loaded for a connected policy client.
The following might be displayed on the policy client:
Local
Indicates that the policies were loaded from local configuration files, an LDAP server, or both.
Remote
Indicates that the policies were loaded from the policy server.
LDAPServer
Indicates whether or not an LDAP server is used for local policies.
CommonFileName
Indicates the name of the common configuration file, if one exists.
ImageFileName
Indicates the name of the stack-specific configuration file.
ClientName
Indicates the policy client name.
ClientUserid
Indicates the user ID being used for a policy client.
PolicyServerAddr
Indicates the IP address of the policy server being used for remote policies.
PolicyServerPort
Indicates the port of the policy server being used for remote policies.
PolicyServSysname
Indicates the system name of the policy server being used for remote policies.
PolicyClientAddr
Indicates the IP address of a connected policy client.
PolicyClientPort
Indicates the port of a connected policy client.
ConnectTime
Indicates the time when a policy client connected to the policy server.
ApplyFlush
Indicates whether the policy type uses the PolicyFlush flag for FLUSH or NOFLUSH processing.
DeleteOnNoflush
Indicates whether or not NOFLUSH processing is honored.
ApplyPurge
Indicates whether the policy type uses the PurgePolicies flag for PURGE or NOPURGE processing.
AtomicParse
Indicates whether or not parsing of the policy type is atomic. With atomic parsing, any errors result in the entire set of policy changes for that policy type being discarded. Without atomic parsing, only objects found to be in error are discarded.
DummyOnEmptyPolicy
Indicates whether the TCP/IP stack is informed if no policies are configured for this type of policy.
ModifyOnIDChange
Indicates whether or not a rule or action object is considered changed if only the rule or action ID changes due to the order of policies.
PolicyFlush
For policy types that honor FLUSH, indicates whether FLUSH or NOFLUSH was configured on the TcpImage, PEPInstance, or specific type configuration statement (for example TTLSConfig).
PurgePolicies
For policy types that honor PURGE, indicates whether PURGE or NOPURGE was configured on the TcpImage, PEPInstance, or specific type configuration statement (for example TTLSConfig).
Configured
Indicates whether any policies were configured for this policy type.
UpdateInterval
Indicates the time interval (in seconds) for checking the creation or modification time of the configuration file or files, and for refreshing policies from the LDAP server.
PerfColEnabled
Indicates whether the PolicyPerformanceCollection statement was enabled.
InstanceId
An identification associated with the last update for this policy type.
LastPolicyChanged
The time stamp value that indicates when any policy rule, policy action, or table for this policy type was last updated.
Policy updated
The time stamp value that indicates when the IPSec policy object was last updated.
-d
Display debug information to stdout.
-e
Display all policy entries (policy rules and policy actions) that match the input options for the pasearch command. If a policy action matches, then the associated policy rule is returned. This is the default.
-f PolicyFilterName
Display policy entries that match the policy name based on input options for the pasearch command. For a policy rule or policy action the name is either the policy name specified on the configuration file statement that defines the policy entry (policy rule or policy action) or the name specified using the ServiceName, policyActionName, PolicyRulesName, or policyRuleName attribute for policy entries defined on an LDAP server. For the route table the name is the name configured on the RouteTable statement.
Rules:
  • The name is case sensitive.
  • To match the PolicyFilterName attribute with multiple policy entries, use the -w option with the -f option. The PolicyFilterName attribute is treated as a wildcard name; the default action is to find an exact match.
  • To match the PolicyFilterName attribute with the policy rule name, do not use the -g option with the -f option. This is the default.
  • To match the PolicyFilterName attribute with the policy action name, use the -g option with the -f option.
  • To match the PolicyFilterName attribute with the route table name, use the -T option with the -f option.
-g
Matches the PolicyFilterName attribute to policy actions. If retrieving both policy rules and policy actions, then this request returns a policy rule when there is a matching policy action. If no PolicyFilterName attribute is passed, then no action name filtering is performed.
-I
Display inactive policy entries that match input options for the pasearch command. If all policy entries are requested (pasearch -e -I, pasearch -I, or pasearch -I -a -r) and the policy rule is inactive, then inactive policy actions are returned. Policies on the policy server that are loaded on behalf of policy clients always display as active policies.
-i
Display all IDS policy entries that match the input options for the pasearch command.
-n
Display only policy rule, policy action, or route table names (policy details are not displayed).
-o
Display the policy rule condition original level and condition original arrays. This option applies only to complex rules (those that use CNF or DNF conditions). For such rules, there are two sets of condition arrays maintained: the original set of specified conditions, and a working set that has been collapsed or summarized for performance reasons. By default, only the working set is displayed. Use this option to display the original set.
-p image
Display all policy entries that belong to the specified image name that match input options for the pasearch command. The default action is to return all policy entries for all TCP/IP stacks. The value used for the image name must match one of the values that is specified on the TcpImage or PEPInstance statement in the Policy Agent configuration file, or match a connected policy client name.

Result: If the -p option is not used, then only the policies that are configured with the TcpImage or PEPInstance statement are returned.

-q
Display all QoS policy entries that match the input options for the pasearch command.
-R
Display all Routing policy entries that match the input options for the pasearch command.
  • With the -e option, this displays Routing policy rules and policy actions. This is the default.
  • With the -r option or the -a option, this displays Routing policy rules or policy actions.
  • With the -T option, this displays route tables.
-r
Display all policy rules that match the input options for the pasearch command.
-s PolicyScopeName
Display all policy actions that match the PolicyScopeName value. The PolicyScopeName attribute is not case sensitive.
  • Display all QoS, IpFilter, or AT-TLS policy actions that match the PolicyScopeName value.
    • Valid QoS PolicyScopeName values are DataTraffic, RSVP, or both.
    • Valid IpFilter PolicyScopeName values are DynamicVpn, ManualVpn, GenericFilter, or LocalStart.
    • Valid AT-TLS PolicyScopeName values are Group, Environment, or Connection.
  • If both policy rules and policy actions are requested (pasearch -e -s PolicyScopeName or pasearch -a -r -s PolicyScopeName), then the policy rule is returned with all its policy actions when there is a matching policy action with the requested PolicyScopeName value.
-T
Display all tables that match the input options for the pasearch command. The only supported table is routing policy type (-R). The -R policy type is the default.
  • With the -A option, the -T option displays active routing tables. These are routing tables that are configured and referenced by an active Routing policy rule and its associated Routing policy action. This is the default.
  • With the -I option, the -T option displays inactive routing tables. These are routing tables that are configured but not referenced by an active Routing policy rule and its associated Routing policy action.
-t
Display all Application Transparent Transport Layer Security (AT-TLS) policy entries that match the input options for pasearch.
Results:
  • Pasearch does not display optional parameters that do not have a default value.
  • Pasearch does not display the value of a password parameter and indicates only whether it is configured with a value of Yes or No.
-v
Displays IPSec IpFilter, KeyExchange, and LocalDynVpn policies that match the input options for the pasearch command.
a
Display all IPSec policy entries.
f
Display only IpFilter policy entries.
k
Display only KeyExchange policy entries.
l
Display only LocalDynVpn policy entries.
-w
The PolicyFilterName is a wildcard to be matched to the name. For example, if PolicyFilterName = Web, then all policy rules, policy actions, or route tables with the first 3 characters of their names equal to Web are returned. If no PolicyFilterName is passed, then no name filtering is done.
-?
Display pasearch options help information.

Examples

The following example shows policy object information for all types of policies:
========================================================================
================== pasearch -c =========================================
========================================================================

TCP/IP pasearch CS V2R1                  Image Name: TCPCS1
  Date:                 09/18/2011        Time:  13:30:32
  PAPI Version:         9                 DLL Version:  9

Qos Policy Object:
  ConfigLocation:       Local             LDAPServer:        True
  ImageFileName:        /u/user10/pagallcimagea.conf
  ApplyFlush:           True              PolicyFlush:       True
  ApplyPurge:           True              PurgePolicies:     True
  AtomicParse:          False             DeleteOnNoflush:   False
  DummyOnEmptyPolicy:   False             ModifyOnIDChange:  True
  Configured:           True              UpdateInterval:    120
  PerfColEnabled:       False
  InstanceId:           1253294875
  LastPolicyChanged:    Fri Sep 18 13:27:55 2011

Ids Policy Object:
  ConfigLocation:       Local             LDAPServer:        True
  CommonFileName:
  ImageFileName:        /usr/lpp/tcpip/samples/pagent_IDS.conf
  ApplyFlush:           True              PolicyFlush:       True
  ApplyPurge:           True              PurgePolicies:     True
  AtomicParse:          False             DeleteOnNoflush:   False
  DummyOnEmptyPolicy:   False             ModifyOnIDChange:  False
  Configured:           True              UpdateInterval:    120
  InstanceId:           1253294875
  LastPolicyChanged:    Fri Sep 18 13:27:55 2011

IPSec Policy Object:
  ConfigLocation:       Remote            LDAPServer:        False
  ClientName:           VIC136_TCPCS1
  ClientUserid:         USER1
  PolicyServerAddr      9.42.104.23
  PolicyServerPort:     8211              PolicyServSysname: VIC137
  ClientSSLActive:      True
  ConnectTime:          Fri Sep 18 13:29:51 2011
  ApplyFlush:           False
  ApplyPurge:           False
  AtomicParse:          True              DeleteOnNoflush:   True
  DummyOnEmptyPolicy:   True              ModifyOnIDChange:  False
  IpSecEnabled IPv4:    True              IpSecEnabled IPv6: False
  IpSec3DESEnabled:     True              IpSecAESEnabled:   True
  IpSecAESGCM16Enabled: True
  UpdateInterval:       300
  InstanceId:           1253294993
  LastPolicyChanged:    Fri Sep 18 13:29:53 2011
  IpFilter Policy Object:
   Configured:          True              PreDecapOn:        Off
   FilterLogging:       On                FilterLogImplicit: No
   AllowOnDemand:       No                ImplDiscardAction: Silent
   FIPS140:             No
  KeyExchange Policy Object:
   Configured:          True
   AllowNat:            No                NatKeepAliveIntvl: 20
   HowToInitiate:       Main              LivenessInterval:  30
   BypassIpValidation:  No                CertURLLookupPref: Tolerate
   RevocationChecking:  Loose
  LocalDynVpn Policy Object:
   Configured:          True
  Policy updated:       Fri Sep 18 13:29:53 2011

Routing Policy Object:
  ConfigLocation:       Local             LDAPServer:        False
  CommonFileName:
  ImageFileName:        /usr/lpp/tcpip/samples/pagent_Routing.conf
  ApplyFlush:           True              PolicyFlush:       True
  ApplyPurge:           True              PurgePolicies:     False
  AtomicParse:          True              DeleteOnNoflush:   False
  DummyOnEmptyPolicy:   True              ModifyOnIDChange:  False
  Configured:           True              UpdateInterval:    120
  InstanceId:           1253294871
  LastPolicyChanged:    Fri Sep 18 13:27:51 2011

TTLS Policy Object:
  ConfigLocation:       Remote            LDAPServer:        False
  ClientName:           VIC136_TCPCS1
  ClientUserid:         USER1
  PolicyServerAddr      9.42.104.23
  PolicyServerPort:     8211              PolicyServSysname: VIC137
  ClientSSLActive:      True
  ConnectTime:          Fri Sep 18 13:29:51 2011
  ApplyFlush:           True              PolicyFlush:       True
  ApplyPurge:           True              PurgePolicies:     True
  AtomicParse:          True              DeleteOnNoflush:   False
  DummyOnEmptyPolicy:   True              ModifyOnIDChange:  False
  Configured:           True              UpdateInterval:    300
  TTLS Enabled:         False
  InstanceId:           1253294993
  LastPolicyChanged:    Fri Sep 18 13:29:53 2011
The following example shows active QoS policies for TCP image TCPCS1:
========================================================================
================== pasearch -q -p TCPCS1 ===============================
========================================================================

TCP/IP pasearch CS V2R1                  Image Name: TCPCS1
  Date:                 09/18/2011        Time:  13:30:32
  QoS Instance Id:      1253294875

policyRule:             web-catalog-rule
  Rule Type:            QoS
  Version:              3                 Status:            Active
  Distinguish Name:     cn=web-catalog-rule,cn=QoS,cn=advanced,ou=policy,o=IBM,c=US
  Group Distinguish Nm: cn=main,cn=QoS,cn=advanced,ou=policy,o=IBM,c=US
  Weight:               110               ForLoadDist:       False
  Priority:             10                Sequence Actions:  Don't Care
  No. Policy Action:    1                 ConditionListType: DNF
  policyAction:         interactive1-action
   ActionType:          QOS
   Action Sequence:     1
  Time Periods:
   Day of Month Mask:
   First to Last:       1111111111111111111111111111111
   Last to First:       1111111111111111111111111111111
   Month of Yr Mask:    111111111111
   Day of Week Mask:    1111111  (Sunday - Saturday)
   Start Date Time:     None
   End Date Time:       None
   Fr TimeOfDay:        00:00             To TimeOfDay:      24:00
   Fr TimeOfDay UTC:    04:00             To TimeOfDay UTC:  04:00
   TimeZone:            Local
  Net Condition Summary:                  NegativeIndicator: Off
   RouteCondition:
    InInterface:        All
    OutInterface:       All
    IncomingTOS:        00000000          IncomingTOSMask:   0
   HostCondition:
    SourceIpFrom:       All
    SourceIpTo:         All
    DestIpFrom:         All
    DestIpTo:           All
    DestHostDomainName:
   ApplicationCondition:
    ProtocolNumFrom:    6                 ProtocolNumTo:     6
    SourcePortFrom:     80                SourcePortTo:      80
    DestPortFrom:       0                 DestPortTo:        0
    ApplicationName:                      ApplPriority:      0
    ApplicationData:    /catalog
  Policy created: Fri Sep 18 13:27:55 2011
  Policy updated: Fri Sep 18 13:27:55 2011

  Qos Action:           interactive1-action
    Version:            3                 Status:            Active
    Distinguish Name:   cn=interactive1,cn=QoSact,cn=repository,o=IBM,c=US
    Scope:              DataTraffic       OutgoingTOS:       10000000
    Permission:         Allowed
    MaxRate:            0                 MinRate:           0
    MaxConn:            0
    Routing Interfaces: 0
    RSVP Attributes:
     ServiceType:       0                 MaxRatePerFlow:    0
     MaxTokBuckPerFlw:  0                 MaxFlows:          0
     SignalClient:      True
    DiffServ Attributes:
     InProfRate:        0                 InProfPeakRate:    0
     InProfTokBuck:     0                 InProfMaxPackSz:   0
     OutProfXmtTOSByte: 00000000          ExcessTrafficTr:   BestEffort
    Policy created: Fri Sep 18 13:27:55 2011
    Policy updated: Fri Sep 18 13:27:55 2011
The following example shows active KeyExchange policies:
========================================================================
================== pasearch -v k =======================================
========================================================================

TCP/IP pasearch CS V2R1                  Image Name: TCPCS1
  Date:                 09/18/2011        Time:  13:30:32
  IPSec Instance Id:    1253294993

policyRule:             Admin_KeyExRule1
  Rule Type:            KeyExchange
  Version:              3                 Status:            Active
  Weight:               105               ForLoadDist:       False
  Priority:             5                 Sequence Actions:  Don't Care
  No. Policy Action:    1
  IpSecType:            policyKeyExchange
  policyAction:         Bronze-PSK
   ActionType:          KeyExchange
   Action Sequence:     0
  Time Periods:
   Day of Month Mask:   0000000000000000000000000000000
   Month of Yr Mask:    000000000000
   Day of Week Mask:    0000000  (Sunday - Saturday)
   Start Date Time:     None
   End Date Time:       None
   Fr TimeOfDay:        00:00             To TimeOfDay:      00:00
   Fr TimeOfDay UTC:    00:00             To TimeOfDay UTC:  00:00
   TimeZone:            Local
  IpSec Condition Summary:                NegativeIndicator: Off
   KeyExchange Condition:
    LocalSecurityEndPoint:
     Location:
      FromAddr:         All4
      ToAddr:           All4
     Identity:
      UserAtFqdn:
       admin@secureserver.raleigh.ibm.com
    RemoteSecurityEndPoint:
     Location:
      FromAddr:         9.1.1.2
      ToAddr:           9.1.1.2
     Identity:
      IpAddr:
       FromAddr:        9.1.1.2
       ToAddr:          9.1.1.2
  Policy created: Fri Sep 18 13:29:53 2011
  Policy updated: Fri Sep 18 13:29:53 2011

  KeyExchange Action:   Bronze-PSK
    Version:            3                 Status:            Active
    HowToInitiate:      Aggressive        HowToRespondIKEv1: Aggressive
    AllowNat:           No                FilterByIdentity:  No
    HowToAuthMe:        RsaSignature      ReauthInterval:    0
    BypassIpValidation: No                CertURLLookupPref: Tolerate
    KeyExchangeOffer:   0
     HowToEncrypt:      DES               KeyLength:         N/A
     HowToAuthPeers:    PresharedKey      DHGroup:           Group1
     HowToAuthMsgs:     SHA1
     HowToVerifyMsgs:   HMAC_SHA1_96      PseudoRandomFunc:  HMAC_SHA1
     RefLifeTmPropose:  480
     RefLifeTmAcptMin:  240               RefLifeTmAcptMax:  1440
     RefLifeSzPropose:  None
     RefLifeSzAccept :  None
    Policy created: Fri Sep 18 13:29:53 2011
    Policy updated: Fri Sep 18 13:29:53 2011
The following example shows an active LocalDynVpn policy rule:
========================================================================
================== pasearch -v l =======================================
========================================================================

TCP/IP pasearch CS V2R1                  Image Name: TCPCS1
  Date:                 09/18/2011        Time:  13:30:32
  IPSec Instance Id:    1253294993

policyRule:             ZoneC_VPN-EE1
  Rule Type:            LocalDynVpn
  Version:              3                 Status:            Active
  GroupName:            ZoneC_BranchOfficeVPNs
  Weight:               108               ForLoadDist:       False
  Priority:             8                 Sequence Actions:  Don't Care
  No. Policy Action:    0
  IpSecType:            policyDynamicVpn
  Time Periods:
   Day of Month Mask:   0000000000000000000000000000000
   Month of Yr Mask:    000000000000
   Day of Week Mask:    0000000  (Sunday - Saturday)
   Start Date Time:     None
   End Date Time:       None
   Fr TimeOfDay:        00:00             To TimeOfDay:      00:00
   Fr TimeOfDay UTC:    00:00             To TimeOfDay UTC:  00:00
   TimeZone:            Local
  IpSec Condition Summary:                NegativeIndicator: Off
   LocalDynVpn Condition:
    LocalIp:
     FromAddr:          9.3.3.3
     ToAddr:            9.3.3.3
    RemoteIp:
     FromAddr:          9.5.0.0
     Prefix:            16
    LocalDataPort:      12000             RemoteDataPort:    12000
    AutoActivate:       Yes
    Protocol:           UDP  (17)
  Policy created: Fri Sep 18 13:29:53 2011
  Policy updated: Fri Sep 18 13:29:53 2011
The following example shows the names of all active IPSec policies:
========================================================================
================== pasearch -v a -n ====================================
========================================================================

TCP/IP pasearch CS V2R1                  Image Name: TCPCS1
  Date:                 09/18/2011        Time:  13:30:32
  IPSec Instance Id:    1253294993

policyRule:             Rule1Admin
  IpFilter Action:      permit

policyRule:             Rule2Admin
  IpFilter Action:      ipsec
  IpFilter Action:      Silver-TransportMode

policyRule:             Rule1A
  IpFilter Action:      permit

policyRule:             Rule2A
  IpFilter Action:      ipsec
  IpFilter Action:      Bronze-TransportMode

policyRule:             Rule1B
  IpFilter Action:      permit

policyRule:             Rule2B
  IpFilter Action:      ipsec
  IpFilter Action:      Gold-TransportMode

policyRule:             Rule1C
  IpFilter Action:      permit

policyRule:             Rule2C
  IpFilter Action:      ipsec
  IpFilter Action:      Gold-TunnelMode
  IpFilter Action:      StartZoneC

policyRule:             Rule1DtoC
  IpFilter Action:      permit

policyRule:             Rule2DtoC
  IpFilter Action:      ipsec
  IpFilter Action:      Gold-TunnelMode
  IpFilter Action:      StartZoneDtoZoneC

policyRule:             Rule1N
  IpFilter Action:      permit

policyRule:             Rule2N
  IpFilter Action:      ipsec
  IpFilter Action:      Gold-TransportMode

policyRule:             Rule1All-IPv4-Permit
  IpFilter Action:      permit

policyRule:             Rule2All-IPv4-Deny
  IpFilter Action:      deny-log

policyRule:             Rule1All-IPv6-Permit
  IpFilter Action:      permit

policyRule:             Rule2All-IPv6-Deny
  IpFilter Action:      deny-log

policyRule:             DenyAllRule_Generated___________Inbnd

policyRule:             DenyAllRule_Generated___________Outbnd

policyRule:             Admin_KeyExRule1
  KeyExchange Action:   Bronze-PSK

policyRule:             ZoneA_KeyExRule1
  KeyExchange Action:   Silver-RSA

policyRule:             ZoneB_KeyExRule1
  KeyExchange Action:   Gold-RSA

policyRule:             ZoneC_KeyExRule1
  KeyExchange Action:   Gold-RSA

policyRule:             ZoneN_KeyExRule1
  KeyExchange Action:   Gold-RSA-AllowNat

policyRule:             ZoneC_VPN-EE1

policyRule:             ZoneC_VPN-EE2

policyRule:             ZoneC_VPN-EE3

policyRule:             ZoneC_VPN-EE4

policyRule:             ZoneC_VPN-EE5

policyRule:             ZoneC_VPN-FTP-Data

policyRule:             ZoneC_VPN-FTP-Control

policyRule:             ZoneC_VPN-CICS-3000
The following example shows active IPFilter policies with Policy Action scope of DynamicVpn:
========================================================================
================== pasearch -s DynamicVpn -v f =========================
========================================================================

TCP/IP pasearch CS V2R1                  Image Name: TCPCS1
  Date:                 09/18/2011        Time:  13:30:32
  IPSec Instance Id:    1253294993

policyRule:             Rule2Admin
  Rule Type:            IpFilter
  Version:              3                 Status:            Active
  GroupName:            Admin
  Weight:               119               ForLoadDist:       False
  Priority:             19                Sequence Actions:  Don't Care
  No. Policy Action:    2                 ConditionListType: CNF
  IpSecType:            policyIpFilter
  policyAction:         ipsec
   ActionType:          IpFilter GenericFilter
   Action Sequence:     0
  policyAction:         Silver-TransportMode
   ActionType:          IpFilter DynamicVpn
   Action Sequence:     0
  Time Periods:
   Day of Month Mask:
   First to Last:       1111111111111111111111111111111
   Last to First:       1111111111111111111111111111111
   Month of Yr Mask:    111111111111
   Day of Week Mask:    1111111  (Sunday - Saturday)
   Start Date Time:     None
   End Date Time:       None
   Fr TimeOfDay:        00:00             To TimeOfDay:      24:00
   Fr TimeOfDay UTC:    04:00             To TimeOfDay UTC:  04:00
   TimeZone:            Local
  IpSec Condition Summary:                NegativeIndicator: Off
   IpFilter Condition:
    Source Address:
    Destination Address:
    Service Condition:
     Protocol:          0
     Direction:         0
     RouteType:         0                 SecurityClass:     0
     FragmentsOnly:     No
  Condition Work Level:      0
    Group Number:       0                 Cond Count:        2
    Ignore:             No
  IpSec Condition Work Summary:           NegativeIndicator: Off
   IpFilter Condition:
    Source Address:
    Destination Address:
    Service Condition:
     Protocol:          0
     Direction:         0
     RouteType:         0                 SecurityClass:     0
     FragmentsOnly:     No
  IpSec Condition Work:                   NegativeIndicator: Off
   IpFilter Condition:
    Source Address:
     FromAddr:          9.1.1.1
     ToAddr:            9.1.1.1
    Destination Address:
    Service Condition:
     Protocol:          0
     Direction:         0
     RouteType:         0                 SecurityClass:     0
     FragmentsOnly:     No
  Condition Work Level:      1
    Group Number:       1                 Cond Count:        2
    Ignore:             No
  IpSec Condition Work Summary:           NegativeIndicator: Off
   IpFilter Condition:
    Source Address:
    Destination Address:
    Service Condition:
     Protocol:          0
     Direction:         0
     RouteType:         0                 SecurityClass:     0
     FragmentsOnly:     No
  IpSec Condition Work:                   NegativeIndicator: Off
   IpFilter Condition:
    Source Address:
    Destination Address:
     FromAddr:          9.1.1.2
     ToAddr:            9.1.1.2
    Service Condition:
     Protocol:          0
     Direction:         0
     RouteType:         0                 SecurityClass:     0
     FragmentsOnly:     No
  Condition Work Level:      2
    Group Number:       3                 Cond Count:        2
    Ignore:             No
  IpSec Condition Work Summary:           NegativeIndicator: Off
   IpFilter Condition:
    Source Address:
    Destination Address:
    Service Condition:
     Protocol:          0
     Direction:         0
     RouteType:         0                 SecurityClass:     0
     FragmentsOnly:     No
  IpSec Condition Work:                   NegativeIndicator: Off
   IpFilter Condition:
    Source Address:
    Destination Address:
    Service Condition:
     Protocol:          All
     Direction:         Bidirectional
     RouteType:         Local             SecurityClass:     0
     FragmentsOnly:     No
  Policy created: Fri Sep 18 13:29:53 2011
  Policy updated: Fri Sep 18 13:29:53 2011

  IpFilter Action:      ipsec
    Version:            3                 Status:            Active
    Scope:              GenericFilter
    ipFilterAction:     IPSec             IpFilterLogging:   Yes Logdeny
    DiscardAction:      Silent
    Policy created: Fri Sep 18 13:29:53 2011
    Policy updated: Fri Sep 18 13:29:53 2011

  IpFilter Action:      Silver-TransportMode
    Version:            3                 Status:            Active
    Scope:              DynamicVpn
    Initiation:         Either            VpnLife:           1440
    AcceptablePfs:      None
    InitiateWithPfs:    None              IpDataOfferNum:    1
    PassthroughDSCP:    Yes               PassthroughDF:     Yes
    HowToEncapIKEv2:    Either
    IPDataOffer:        0
     HowToEncap:        Transport
     HowToEncrypt:      DES               KeyLength:         N/A
     HowToAuth:         ESP               HowToAuthAlgr:     HMAC_SHA1
     RefLifeTmPropose:  240
     RefLifeTmAcptMin:  120               RefLifeTmAcptMax:  480
     RefLifeSzPropose:  None
     RefLifeSzAccept :  None
    Policy created: Fri Sep 18 13:29:53 2011
    Policy updated: Fri Sep 18 13:29:53 2011

The following example shows active IDS policies whose names match the prefix AttackMalformed:
========================================================================
================== pasearch -i -w -f AttackMalformed ===================
========================================================================

TCP/IP pasearch CS V2R1                  Image Name: TCPCS2                   
  Date:                 09/28/2011        Time:  12:01:32 
  IDS Instance Id:      1285689675

policyRule:             AttackMalformed-rule                           
  Rule Type:            IDS                                            
  Version:              4                 Status:            Active          
  Weight:               102               ForLoadDist:       False 
  Priority:             2                 Sequence Actions:  Don't Care  
  No. Policy Action:    1
  IdsType:              policyIdsAttack                  
  policyAction:         Attack-action                                  
   ActionType:          IDS             
   Action Sequence:     0               
  Time Periods:
   Day of Month Mask:
   First to Last:       1111111111111111111111111111111
   Last to First:       1111111111111111111111111111111
   Month of Yr Mask:    111111111111    
   Day of Week Mask:    1111111  (Sunday - Saturday)
   Start Date Time:     None            
   End Date Time:       None            
   Fr TimeOfDay:        00:00             To TimeOfDay:      24:00           
   Fr TimeOfDay UTC:    04:00             To TimeOfDay UTC:  04:00           
   TimeZone:            Local           
  Ids Condition Summary:                  NegativeIndicator: Off
   Attack Condition:
    IdsAttackType:      MALFORMED_PACKET                                       
  Policy created: Tue Sep 28 12:01:15 2011
  Policy updated: Tue Sep 28 12:01:15 2011

  Ids Action:             Attack-action                                  
    Version:              4               Status:            Active  
    Attack ActionType:    NoDiscard      
    TypeActions:          Statistics Log                                         
    StatType:             Exception       StatInterval:      60              
    LogDetail:            No              LoggingLevel:      1               
    Policy created: Tue Sep 28 12:01:15 2011
    Policy updated: Tue Sep 28 12:01:15 2011

The following example shows active IDS rules and actions configured from the IDS configuration file:
========================================================================
================== pasearch -i  ========================================
========================================================================

TCP/IP pasearch CS V2R1                  Image Name: TCPCS2                   
  Date:                 09/28/2011        Time:  12:01:55 
  IDS Instance Id:      1285689675

policyRule:             ScanEventLowTcp-rule                           
  Rule Type:            IDS                                            
  Version:              4                 Status:            Active          
  Weight:               102               ForLoadDist:       False 
  Priority:             2                 Sequence Actions:  Don't Care  
  No. Policy Action:    1
  IdsType:              policyIdsScanEvent               
  policyAction:         ScanEventLow-action                            
   ActionType:          IDS             
   Action Sequence:     0               
  Time Periods:
   Day of Month Mask:
   First to Last:       1111111111111111111111111111111
   Last to First:       1111111111111111111111111111111
   Month of Yr Mask:    111111111111    
   Day of Week Mask:    1111111  (Sunday - Saturday)
   Start Date Time:     None            
   End Date Time:       None            
   Fr TimeOfDay:        00:00             To TimeOfDay:      24:00           
   Fr TimeOfDay UTC:    04:00             To TimeOfDay UTC:  04:00           
   TimeZone:            Local           
  Ids Condition Summary:                  NegativeIndicator: Off
   ScanEvent Condition:
    Sensitivity:        Low             
    Protocol:           TCP  (6)        
    LocalPortFrom:      1                 LocalPortTo:       1023  
    LocalHostAddress:
     FromAddr:          All                                           
     ToAddr:            All                                           
  Policy created: Tue Sep 28 12:01:15 2011
  Policy updated: Tue Sep 28 12:01:15 2011

  Ids Action:             ScanEventLow-action                            
    Version:              4               Status:            Active  
    ScanEvent ActionType: Count          
    Policy created: Tue Sep 28 12:01:15 2011
    Policy updated: Tue Sep 28 12:01:15 2011

The following example shows active AT-TLS policies:
========================================================================
================== pasearch -t  ========================================
========================================================================

policyRule:             Secure_Telnet_23_Debug
  Rule Type:            TTLS
  Version:              3                 Status:            Active
  Weight:               20                ForLoadDist:       False
  Priority:             20                Sequence Actions:  Don't Care
  No. Policy Action:    3
  policyAction:         grp_Production
   ActionType:          TTLS Group
   Action Sequence:     0
  policyAction:         Secure_Telnet_Env
   ActionType:          TTLS Environment
   Action Sequence:     0
  policyAction:         Secure_Telnet_Conn_Debug
   ActionType:          TTLS Connection
   Action Sequence:     0
  Time Periods:
   Day of Month Mask:
   First to Last:       1111111111111111111111111111111
   Last to First:       1111111111111111111111111111111
   Month of Yr Mask:    111111111111
   Day of Week Mask:    1111111  (Sunday - Saturday)
   Start Date Time:     None
   End Date Time:       None
   Fr TimeOfDay:        00:00             To TimeOfDay:      24:00
   Fr TimeOfDay UTC:    04:00             To TimeOfDay UTC:  04:00
   TimeZone:            Local
  TTLS Condition Summary:                 NegativeIndicator: Off
   Local Address:
    FromAddr:           10.1.2.3
    ToAddr:             10.1.2.3
   Remote Address:
    FromAddr:           10.45.23.10
    ToAddr:             10.45.23.10
   LocalPortFrom:       23                LocalPortTo:       23
   RemotePortFrom:      0                 RemotePortTo:      0
   JobName:                               UserId:
   ServiceDirection:    Inbound
  Policy created: Wed Mar  9 06:31:13 2011
  Policy updated: Wed Mar  9 06:31:13 2011

  TTLS Action:                  grp_Production
    Version:                    3
    Status:                     Active
    Scope:                      Group
    TTLSEnabled:                On
    CtraceClearText:            Off
    Trace:                      2
    FIPS140:                    Off
    TTLSGroupAdvancedParms:
     SecondaryMap:              Off
     SyslogFacility:            Daemon
    Policy created: Wed Mar  9 06:31:13 2011
    Policy updated: Wed Mar  9 06:31:13 2011

  TTLS Action:                  Secure_Telnet_Env
    Version:                    3
    Status:                     Active
    Scope:                      Environment
    HandshakeRole:              Server
    SuiteBProfile:              Off
    TTLSKeyringParms:
     Keyring:                   TCPCSsafkeyring
    TTLSEnvironmentAdvancedParms:
     SSLv2:                     Off
     SSLv3:                     On
     TLSv1:                     On
     TLSv1.1:                   On
     TLSv1.2:                   Off
     ApplicationControlled:     On
     HandshakeTimeout:          5
     ClientAuthType:            Required
     ResetCipherTimer:          0
     TruncatedHMAC:             Off
     CertValidationMode:        Any
     ServerMaxSSLFragment:      Off
     ClientMaxSSLFragment:      Off
     ServerHandshakeSNI:        Off
     ClientHandshakeSNI:        Off
     Renegotiation:             Default
     RenegotiationIndicator:    Optional
     RenegotiationCertCheck:    Off
    EnvironmentUserInstance:    0
    Policy created: Wed Mar  9 06:31:13 2011
    Policy updated: Wed Mar  9 06:31:13 2011

  TTLS Action:                  Secure_Telnet_Conn_Debug
    Version:                    3
    Status:                     Active
    Scope:                      Connection
    CtraceClearText:            On
    Trace:                      254
    Policy created: Wed Mar  9 06:31:13 2011
    Policy updated: Wed Mar  9 06:31:13 2011
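
The AT-TLS listing above contains settings a reviewer would normally question: SSLv3, TLSv1 and TLSv1.1 are On, TLSv1.2 is Off, and CtraceClearText is On for the connection action. The following shell function is an added example (not part of the IBM documentation or of pasearch) that scans pasearch -t output for those settings; the function names and the choice of which settings to flag are assumptions of this example, and the embedded sample is abridged from the listing above.

```shell
#!/bin/sh
# Added example: flag AT-TLS settings worth reviewing in `pasearch -t` output.
# Function names and the list of flagged settings are assumptions of this
# example, not part of pasearch or the Policy Agent.

# Reads pasearch -t output on stdin and prints one tab-separated finding per
# line: <TTLS Action name> <setting=value> <reason>.
audit_ttls() {
  awk '
    # "TTLS Action: <name>" opens an action block; remember which one.
    $1 == "TTLS" && $2 == "Action:" { action = $3; next }
    # A new policyRule closes the previous action block.
    $1 == "policyRule:"             { action = ""; next }
    # Rule conditions and headers outside an action block are not audited.
    action == ""                    { next }
    {
      key = $1; sub(/:$/, "", key); val = $2; reason = ""
      if (key ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/ && val == "On")
        reason = "deprecated protocol version enabled"
      else if (key == "TLSv1.2" && val == "Off")
        reason = "TLSv1.2 not offered"
      else if (key == "CtraceClearText" && val == "On")
        reason = "cleartext tracing enabled"
      if (reason != "")
        printf "%s\t%s=%s\t%s\n", action, key, val, reason
    }
  '
}

# Sample input, abridged from the pasearch -t listing on this page.
sample_pasearch_t() {
  cat <<'EOF'
policyRule:             Secure_Telnet_23_Debug
  Rule Type:            TTLS
  policyAction:         Secure_Telnet_Conn_Debug
   ActionType:          TTLS Connection
  TTLS Condition Summary:                 NegativeIndicator: Off
   LocalPortFrom:       23                LocalPortTo:       23

  TTLS Action:                  grp_Production
    Scope:                      Group
    TTLSEnabled:                On
    CtraceClearText:            Off
    Trace:                      2

  TTLS Action:                  Secure_Telnet_Env
    Scope:                      Environment
    HandshakeRole:              Server
    TTLSEnvironmentAdvancedParms:
     SSLv2:                     Off
     SSLv3:                     On
     TLSv1:                     On
     TLSv1.1:                   On
     TLSv1.2:                   Off
     ClientAuthType:            Required

  TTLS Action:                  Secure_Telnet_Conn_Debug
    Scope:                      Connection
    CtraceClearText:            On
    Trace:                      254
EOF
}

# Run against the sample; on a live system use: pasearch -t | audit_ttls
sample_pasearch_t | audit_ttls
```

Each finding names the TTLS Action that carries the setting, which is where the corresponding policy statement has to be changed.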

The following example shows active routing policies:
========================================================================
================== pasearch -R  ========================================
========================================================================

TCP/IP pasearch CS V2R1                  Image Name: TCPCS3
  Date:                 10/12/2012        Time:  11:00:46              
  Routing Instance Id:  1350050178                                     
                                                                       
policyRule:             GenericRoutingRule                             
  Rule Type:            Routing                                        
  Version:              4                 Status:            Active    
  Weight:               10                ForLoadDist:       False     
  Priority:             10                Sequence Actions:  Don't Care
  No. Policy Action:    1                                              
  policyAction:         GenericRoutingAction                           
   ActionType:          Routing                                        
   Action Sequence:     0                                              
  Time Periods:                                                        
   Day of Month Mask:                                                  
   First to Last:       1111111111111111111111111111111                
   Last to First:       1111111111111111111111111111111                
   Month of Yr Mask:    111111111111                                   
   Day of Week Mask:    1111111  (Sunday - Saturday)                   
   Start Date Time:     None                                           
   End Date Time:       None                                           
   Fr TimeOfDay:        08:00             To TimeOfDay:      17:00     
   Fr TimeOfDay UTC:    11:00             To TimeOfDay UTC:  20:00     
   TimeZone:            Local                                          
  Routing Condition Summary:              NegativeIndicator: Off       
   IpSourceAddr Address:                                               
    FromAddr:           All                                            
    ToAddr:             All                                            
   IpDestAddr Address:                                                 
    FromAddr:           0.0.0.0                                        
    Prefix:             0                                              
   TrafficDescriptor:                                                  
    Protocol:           TCP  (6)                                       
    SourcePortFrom      111               SourcePortTo       111       
    DestinationPortFrom 1024              DestinationPortTo  65535     
    JobName             JOB1              SecurityZone       SECZONE   
    SecurityLabel       SECLABEL                                       
  Policy created: Fri Oct 12 10:56:18 2012                             
  Policy updated: Fri Oct 12 10:56:18 2012                             
                                                                       
  Routing Action:       GenericRoutingAction                           
    Version:            4                 Status:            Active    
    UseMainRouteTable   Yes                                            
    RouteTable:         RtTbl1                                         
    RouteTable:         RtTbl2                                         
    RouteTable:         RtTbl3                                         
    Policy created: Fri Oct 12 10:56:18 2012                           
    Policy updated: Fri Oct 12 10:56:18 2012

The following example shows active route tables:
========================================================================
================== pasearch -T  ========================================
========================================================================

TCP/IP pasearch CS V2R1                  Image Name: TCPCS3
  Date:                 10/12/2012        Time:  11:03:00           
  Routing Instance Id:  1350050178                                  
                                                                    
  Route Table:           RtTbl1                                     
    Version:             1                 Status:            Active
    IPv4 table           Active                                     
    IgnorePathMtuUpdate  No                                         
    MultiPath            PerConnection     DynamicXCFRoutes   No    
    IPv6 table           Active                                     
    IgnorePathMtuUpdate6 No                                         
    MultiPath6           PerConnection     DynamicXCFRoutes6  No    
    Route (IPv4)                                                    
     Destination:                                                   
      ipaddress            1.1.1.1                                  
     First Hop:                                                     
      gateway_addr         =                                        
      link_name            LINK1                                    
     MTU size              1492                                     
     Replaceable           No                                       
     MaximumRetransmitTime 120.000                                  
     MinimumRetransmitTime 0.500                                    
     RoundTripGain         0.125                                    
     VarianceGain          0.250                                    
     VarianceMultiplier    2.000                                    
     DelayAcks             Yes                                      
    Route (IPv4)                                                    
     Destination:                                                   
      ipaddress            1.0.0.0                                  
      Prefix               8                                        
     First Hop:                                                     
      gateway_addr         2.2.2.2                                  
      link_name            LINK2                                    
     MTU size              1492                                     
     Replaceable           No                                       
     MaximumRetransmitTime 120.000                                  
     MinimumRetransmitTime 0.500                                    
     RoundTripGain         0.125                                    
     VarianceGain          0.250                                    
     VarianceMultiplier    2.000                                    
     DelayAcks             Yes                                      
    Route (IPv4)                                                    
     Destination           Default                                  
     First Hop:                                                     
      gateway_addr         4.4.4.4                                  
      link_name            LINK4                                    
     MTU size              DEFAULTSIZE                              
     Replaceable           No                                       
     MaximumRetransmitTime 120.000                                  
     MinimumRetransmitTime 0.500                                    
     RoundTripGain         0.125                                    
     VarianceGain          0.250                                    
     VarianceMultiplier    2.000                                    
     DelayAcks             Yes                                      
    Route (IPv6)                                                    
     Destination:                                                   
      ipaddress            2001:db8:0:0:1::                         
      Prefix               80                                       
     First Hop:                                                     
      gateway_addr         fe80::2:2:2:2                            
      link_name            LINK2V6                                  
     MTU size              5000                                     
     Replaceable           No                                       
     MaximumRetransmitTime 120.000                                  
     MinimumRetransmitTime 0.500                                    
     RoundTripGain         0.125                                    
     VarianceGain          0.250                                    
     VarianceMultiplier    2.000                                    
     DelayAcks             Yes                                      
    Route (IPv6)                                                    
     Destination           Default6                                 
     First Hop:                                                     
      gateway_addr         fe80::4:4:4:4                            
      link_name            LINK4V6                                  
     MTU size              DEFAULTSIZE                              
     Replaceable           No                                       
     MaximumRetransmitTime 120.000                                  
     MinimumRetransmitTime 0.500                                    
     RoundTripGain         0.125                                    
     VarianceGain          0.250                                    
     VarianceMultiplier    2.000                                    
     DelayAcks             Yes                                      
    Policy created: Fri Oct 12 10:56:18 2012                        
    Policy updated: Fri Oct 12 10:56:18 2012                        
                                                                    
  Route Table:           RtTbl2                                     
    Version:             1                 Status:            Active
    IPv4 table           Active                                     
    IgnorePathMtuUpdate  No                                         
    MultiPath            UseGlobal         DynamicXCFRoutes   No    
    IPv6 table           Active                                     
    IgnorePathMtuUpdate6 No                                         
    MultiPath6           UseGlobal         DynamicXCFRoutes6  No    
    DynamicRoutingParms (IPv4)                                      
     link_name             LINK1     IPv4                           
    DynamicRoutingParms (IPv4)                                      
     link_name             LINK2                                    
     gateway_addr          2.1.1.1                                  
    DynamicRoutingParms (IPv4)                                      
     link_name             LINK2                                    
     gateway_addr          2.2.2.2                                  
    DynamicRoutingParms (IPv6)                                      
     link_name             LINK1V6     IPv6                         
    DynamicRoutingParms (IPv6)                                      
     link_name             LINK2V6                                  
     gateway_addr          fe80::2:1:1:1                            
    Policy created: Fri Oct 12 10:56:18 2012                        
    Policy updated: Fri Oct 12 10:56:18 2012                        
                                                                    
  Route Table:           RtTbl3                                     
    Version:             1                 Status:            Active
    IPv4 table           Active                                     
    IgnorePathMtuUpdate  No                                         
    MultiPath            UseGlobal         DynamicXCFRoutes   No    
    IPv6 table           Active                                     
    IgnorePathMtuUpdate6 No                                         
    MultiPath6           UseGlobal         DynamicXCFRoutes6  No    
    Route (IPv4)                                                    
     Destination:                                                   
      ipaddress            1.1.1.1                                  
     First Hop:                                                     
      gateway_addr         =                                        
      link_name            LINK1                                    
     MTU size              1492                                     
     Replaceable           No                                       
     MaximumRetransmitTime 120.000                                  
     MinimumRetransmitTime 0.500                                    
     RoundTripGain         0.125                                    
     VarianceGain          0.250                                    
     VarianceMultiplier    2.000                                    
     DelayAcks             Yes                                      
    Route (IPv4)                                                    
     Destination:                                                   
      ipaddress            1.1.0.0                                  
      Prefix               16                                       
     First Hop:                                                     
      gateway_addr         2.2.2.2                                  
      link_name            LINK2                                    
     MTU size              1492                                     
     Replaceable           Yes                                      
     MaximumRetransmitTime 120.000                                  
     MinimumRetransmitTime 0.500                                    
     RoundTripGain         0.125                                    
     VarianceGain          0.250                                    
     VarianceMultiplier    2.000                                    
     DelayAcks             Yes                                      
    Route (IPv6)                                                    
     Destination:                                                   
      ipaddress            2001:db8::1:1:0:0                        
      Prefix               96                                       
     First Hop:                                                     
      gateway_addr         fe80::2:2:2:2                            
      link_name            LINK2V6                                  
     MTU size              5000                                     
     Replaceable           Yes                                      
     MaximumRetransmitTime 120.000                                  
     MinimumRetransmitTime 0.500                                    
     RoundTripGain         0.125                                    
     VarianceGain          0.250                                    
     VarianceMultiplier    2.000                                    
     DelayAcks             Yes                                      
    DynamicRoutingParms (IPv4)                                      
     link_name             LINK2     IPv4                           
    DynamicRoutingParms (IPv6)                                      
     link_name             LINK2V6     IPv6                         
    Policy created: Fri Oct 12 10:56:18 2012                        
    Policy updated: Fri Oct 12 10:56:18 2012