Viewing Access Policy Sessions - HP 7102dl - ProCurve Secure Router Configuration Manual

ProCurve# show ip policy-class
Policy-class "Inside":
Entry 1 - allow list MatchAll
Policy-class "Outside":
Entry 1 - allow list Region
Entry 2 - allow list InWeb
Entry 3 - discard list MatchAll
Figure 5-17. Displaying All the ACPs Configured on the Router
For example, in Figure 5-17 the "allow list Region" entry is entered before the
"discard list MatchAll." If the "discard list MatchAll" was the first entry and
the ACL MatchALL included the entry "permit any," the Secure Router OS
would process that entry first and discard all traffic entering the interface.
Because the "allow list Region" and the "allow list InWeb" entries are listed
first, however, the Secure Router OS will process those entries first and allow
any traffic that matches permit entries in these ACLs.
If traffic does not match the "allow list Region" and the "allow list InWeb"
entries, it will match the "discard list MatchAll" and be blocked.

Viewing Access Policy Sessions

After you enable the firewall and assign an ACP to an interface, the Secure
Router OS firewall checks all the packets entering that interface. When a
packet matches an ACL, the Secure Router OS treats it as specified in the ACP.
If the ACP allows the packet, then the Secure Router OS firewall can establish
a connection (also called a session) between the packet's source and its
destination.
The ProCurve Secure Router records information about that session. To view
this information, move to the enable mode context and enter:
Syntax: show ip policy-sessions
The Secure Router OS lists each ACP, or policy class, by name. Under a specific
policy, you can view the traffic that matched this policy as it arrived on the
interface. You can also view information about the traffic, such as:
source IP address
source port
destination IP address
destination port
Applying Access Control to Router Interfaces
Viewing ACLs and ACPs
5-53