Question 98 - JN0-636 discussion

To troubleshoot the traffic problem using the match criteria, you need to use the show security match-policies CLI command. The other options are incorrect because:

A) The show security policy-report CLI command displays the policy report, which is a summary of the policy usage statistics, such as the number of sessions, bytes, and packets that match each policy. It does not show the match criteria or the reason why the traffic is not hitting the policy1.

B) The show security application-tracking counters CLI command displays the application tracking counters, which are the statistics of the application usage, such as the number of sessions, bytes, and packets that match each application. It does not show the match criteria or the reason why the traffic is not hitting the policy2.

D) The request security policies check CLI command checks the validity and consistency of the security policies, such as the syntax, the references, and the conflicts. It does not show the match criteria or the reason why the traffic is not hitting the policy3.

Therefore, the correct answer is C. You need to use the show security match-policies CLI command to troubleshoot the traffic problem using the match criteria. The show security match-policies CLI command displays the policies that match the specified criteria, such as the source and destination addresses, the zones, the protocols, and the ports. It also shows the action and the hit count of each matching policy. You can use this command to verify if the traffic is matching the expected policy or not, and if not, what policy is blocking or rejecting the traffic4