
show services stateful-firewall flows

Syntax

show services stateful-firewall flows <brief | extensive | summary | terse> <application-protocol protocol> <count> <destination-port destination-port> <destination-prefix destination-prefix> <interface interface-name> <limit number> <protocol protocol> <service-set service-set> <source-port source-port> <source-prefix source-prefix>

Release Information

Command introduced before Junos OS Release 7.4.

pgcp option introduced in Junos OS Release 8.4.

application-protocol option introduced in Junos OS Release 10.4.

Description

Display stateful firewall flow table entries. When the interface is used for softwire processing, the type of softwire concentrator (DS-LITE or 6rd) is shown, and frame counts are provided.

Options

none

Display standard information about all stateful firewall flows.

brief | extensive | summary | terse

(Optional) Display the specified level of output.

application-protocol application-protocol

(Optional) Display information about one of the following application-level gateway (ALG) protocol types:

  • bootp—Bootstrap protocol
  • dce-rpc—Distributed Computing Environment (DCE) remote procedure call (RPC) protocol

    Note: Use this option to select Microsoft Remote Procedure Call (MSRPC).

  • dce-rpc-portmap—Distributed Computing Environment (DCE) remote procedure call (RPC) portmap protocol
  • dns—Domain Name Service protocol
  • exec—Remote execution protocol
  • ftp—File Transfer Protocol
  • h323—H.323 protocol
  • icmp—Internet Control Message Protocol
  • iiop—Internet Inter-ORB Protocol
  • ip—Internet protocol
  • netbios—NetBIOS protocol
  • netshow—Netshow protocol
  • pptp—Point-to-Point Tunneling Protocol
  • realaudio—RealAudio protocol
  • rpc—Remote Procedure Call protocol

    Note: Use this option to select Sun Microsystems Remote Procedure Call protocol (SunRPC).

  • rpc-portmap—Remote Procedure Call portmap protocol
  • rtsp—Real-Time Streaming Protocol
  • sip—Session Initiation Protocol
  • snmp—Simple Network Management Protocol
  • talk—Talk protocol
  • tftp—Trivial File Transfer Protocol
  • traceroute—Traceroute
  • winframe—WinFrame

count

(Optional) Display a count of the matching entries.

destination-port destination-port

(Optional) Display information for a particular destination port. The range of values is from 0 to 65535.

destination-prefix destination-prefix

(Optional) Display information for a particular destination prefix.

interface interface-name

(Optional) Display information about a particular interface. On M Series and T Series routers, interface-name can be ms-fpc/pic/port or rspnumber. On J Series routers, interface-name is ms-pim/0/port.

limit number

(Optional) Maximum number of entries to display.

protocol protocol

(Optional) Display information about one of the following IP types:

  • number—Numeric protocol value from 0 to 255
  • ah—IPsec Authentication Header protocol
  • egp—An exterior gateway protocol
  • esp—IPsec Encapsulating Security Payload protocol
  • gre—A generic routing encapsulation protocol
  • icmp—Internet Control Message Protocol
  • igmp—Internet Group Management Protocol
  • ipip—IP-within-IP Encapsulation Protocol
  • ospf—Open Shortest Path First protocol
  • pim—Protocol Independent Multicast protocol
  • rsvp—Resource Reservation Protocol
  • sctp—Stream Control Protocol
  • tcp—Transmission Control Protocol
  • udp—User Datagram Protocol

service-set service-set

(Optional) Display information for a particular service set.

source-port source-port

(Optional) Display information for a particular source port. The range of values is from 0 to 65535.

source-prefix source-prefix

(Optional) Display information for a particular source prefix.

Required Privilege Level

view

List of Sample Output

show services stateful-firewall flows
show services stateful-firewall flows (For Softwire Flows)
show services stateful-firewall flows brief
show services stateful-firewall flows extensive
show services stateful-firewall flows count
show services stateful-firewall flows destination port
show services stateful-firewall flows source port
show services stateful-firewall flows (Twice NAT)

Output Fields

Table 1 lists the output fields for the show services stateful-firewall flows command. Output fields are listed in the approximate order in which they appear.

Table 1: show services stateful-firewall flows Output Fields

Field Name

Field Description

Interface

Name of the interface.

Service set

Name of a service set. Individual empty service sets are not displayed. If no service set has any flows, a flow table header is displayed for each service set.

Flow Count

Number of flows in a session.

Flow or Flow Prot

Protocol used for this flow.

Source

Source prefix of the flow in the format source-prefix:port. For ICMP flows, port information is not displayed.

Dest

Destination prefix of the flow. For ICMP flows, port information is not displayed.

State

Status of the flow:

  • Drop—Drop all packets in the flow without response.
  • Forward—Forward the packet in the flow without looking at it.
  • Reject—Drop all packets in the flow with response.
  • Watch—Inspect packets in the flow.

Dir

Direction of the flow: input (I) or output (O).

Frm count

Number of frames in the flow.

Sample Output

show services stateful-firewall flows

user@host> show services stateful-firewall flows
Interface: ms-1/3/0, Service set: green

Flow       
Prot     Source                 Dest               State      Dir     Frm count
TCP     10.58.255.178:23   ->    10.59.16.100:4000 Forward    O               
TCP      10.58.255.50:33005->   10.58.255.178:23   Forward    I              1
  Source NAT    10.58.255.50:33005->    10.59.16.100:4000
  Destin NAT    10.58.255.178:23   ->         0.0.0.0:4000

show services stateful-firewall flows (For Softwire Flows)

When a service set includes softwire processing, the following output format is used for the softwire flows:

user@host> show services stateful-firewall flows
Interface: sp-0/1/0, Service set: dslite-svc-set2
Flow                                                State    Dir       Frm count
TCP      200.200.200.2:80    ->     44.44.44.1:1025  Forward  O          219942
    NAT dest        44.44.44.1:1025    ->       20.20.1.4:1025
    Softwire           2001::2         ->         1001::1
TCP          20.20.1.2:1025  ->  200.200.200.2:80    Forward  I          110244
    NAT source       20.20.1.2:1025    ->      44.44.44.1:1024
    Softwire           2001::2         ->         1001::1
TCP      200.200.200.2:80    ->     44.44.44.1:1024  Forward  O          219140
    NAT dest        44.44.44.1:1024    ->       20.20.1.2:1025
    Softwire           2001::2         ->         1001::1
DS-LITE         2001::2      ->        1001::1       Forward  I          988729
TCP      200.200.200.2:80    ->     44.44.44.1:1026  Forward  O          218906
    NAT dest        44.44.44.1:1026    ->       20.20.1.3:1025
    Softwire           2001::2         ->         1001::1
TCP          20.20.1.3:1025  ->  200.200.200.2:80    Forward  I          110303
    NAT source       20.20.1.3:1025    ->      44.44.44.1:1026
    Softwire           2001::2         ->         1001::1
TCP          20.20.1.4:1025  ->  200.200.200.2:80    Forward  I          110944
    NAT source       20.20.1.4:1025    ->      44.44.44.1:1025
    Softwire           2001::2         ->         1001::1

show services stateful-firewall flows brief

The output for the show services stateful-firewall flows brief command is identical to that for the show services stateful-firewall flows command. For sample output, see show services stateful-firewall flows.

show services stateful-firewall flows extensive

user@host> show services stateful-firewall flows extensive
Interface: ms-0/3/0, Service set: ss_nat
Flow                                                				State    	Dir       Frm count
TCP           16.1.0.1:2330  ->      16.49.0.1:21    				Forward  		I              8
    NAT source        16.1.0.1:2330    ->       16.41.0.1:2330
    NAT dest         16.49.0.1:21      ->       16.99.0.1:21
  Byte count: 455, TCP established, TCP window size: 57344
  TCP acknowledge: 3251737524, TCP tickle enabled, tcp_tickle: 0
  Flow role: Master, Timeout: 720
TCP          16.99.0.1:21    ->      16.41.0.1:2330  				Forward  		O              5
    NAT source       16.99.0.1:21      ->       16.49.0.1:21
    NAT dest         16.41.0.1:2330    ->        16.1.0.1:2330
  Byte count: 480, TCP established, TCP window size: 57344
  TCP acknowledge: 463128048, TCP tickle enabled, tcp_tickle: 0
  Flow role: Responder, Timeout: 720

show services stateful-firewall flows count

user@host> show services stateful-firewall flows count
Interface             Service set                                    Flow Count

ms-1/3/0              green                                                   2

show services stateful-firewall flows destination port

user@router> show services stateful-firewall flows destination-port 21
Interface: ms-0/3/0, Service set: svc_set_trust
Flow
                                                State    Dir       Frm count
Interface: ms-0/3/0, Service set: svc_set_untrust
Flow                                                State    Dir       Frm count
TCP         10.50.10.2:2143  ->     10.50.20.2:21    Watch    O               0

show services stateful-firewall flows source port

user@router> show services stateful-firewall flows source-port 2143
Interface: ms-0/3/0, Service set: svc_set_trust
Flow   
                                             State    Dir       Frm count
Interface: ms-0/3/0, Service set: svc_set_untrust
Flow                                                State    Dir       Frm count
TCP         10.50.10.2:2143  ->     10.50.20.2:21    Watch    O               0

show services stateful-firewall flows (Twice NAT)

user@router> show services stateful-firewall flows
Flow                                               State    Dir       Frm count
UDP          40.0.0.8:23439 ->     80.0.0.1:16485   Watch    I             20
    NAT source        40.0.0.8:23439   ->     172.16.1.10:1028
    NAT dest          80.0.0,1:16485   ->     192.16.1.10:22415
UDP      192.16.1.10:22415  ->  172.16.1.10:1028    Watch    O             20
    NAT source     192.16.1.10:22415   ->        80.0.0.1:16485
    NAT dest       172.16.1.10:1028    ->        40.0.0.8:23439
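The flow table above is what an operator audits to see what a service set is actually passing (Forward/Watch) versus blocking (Drop/Reject). The following parser is an added example, not part of this reference page or of Junos: it turns captured command output into records, attaches the NAT and Softwire translation lines to the flow they belong to, and answers two typical review questions (which passed flows reach a given port, and how many flows each service set holds per state). The sample text is constructed to match the output format documented here; the function names are the example's own.

```python
"""Parse 'show services stateful-firewall flows' output into records (added example)."""
import re
from collections import Counter

# Constructed sample modelled on the output format shown in this reference page.
SAMPLE = """\
Interface: ms-1/3/0, Service set: green
Flow                                                State    Dir       Frm count
TCP      10.58.255.50:33005->   10.58.255.178:23   Forward    I              1
  NAT source    10.58.255.50:33005->    10.59.16.100:4000
TCP       10.0.0.5:40001   ->      10.0.0.9:22      Reject     I             12
Interface: sp-0/1/0, Service set: dslite-svc-set2
DS-LITE         2001::2      ->        1001::1       Forward  I          988729
TCP      200.200.200.2:80    ->     44.44.44.1:1025  Forward  O          219942
    NAT dest        44.44.44.1:1025    ->       20.20.1.4:1025
    Softwire           2001::2         ->         1001::1
"""

HEADER = re.compile(r"^Interface:\s*([^,\s]+),\s*Service set:\s*(\S+)")
# proto  src -> dst  state  dir  [frame count]; the count column may be empty.
FLOW = re.compile(r"^(\S+)\s+(\S+?)\s*->\s*(\S+)\s+(Drop|Forward|Reject|Watch)\s+([IO])(?:\s+(\d+))?\s*$")
# Indented translation lines that belong to the flow line directly above them.
SUB = re.compile(r"^\s+(NAT source|NAT dest|Source NAT|Destin NAT|Softwire)\s+(\S+?)\s*->\s*(\S+)\s*$")
LABELS = {"NAT source": "nat_source", "Source NAT": "nat_source",
          "NAT dest": "nat_dest", "Destin NAT": "nat_dest", "Softwire": "softwire"}

def split_endpoint(endpoint, proto):
    """Split 'addr:port' for TCP/UDP; ICMP and softwire (DS-LITE) flows carry no port."""
    if proto in ("TCP", "UDP") and ":" in endpoint:
        addr, port = endpoint.rsplit(":", 1)
        return addr, int(port)
    return endpoint, None

def parse_flows(text):
    flows, iface, sset = [], None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            iface, sset = m.groups()          # all following flows belong to this service set
        elif m := SUB.match(line):
            if flows:
                flows[-1][LABELS[m.group(1)]] = (m.group(2), m.group(3))
        elif m := FLOW.match(line):
            proto, src, dst, state, direction, frames = m.groups()
            flows.append({"interface": iface, "service_set": sset, "proto": proto,
                          "src": split_endpoint(src, proto), "dst": split_endpoint(dst, proto),
                          "state": state, "dir": direction,
                          "frames": int(frames) if frames else None})
    return flows

def flows_to_port(flows, port, states=("Forward", "Watch")):
    """Flows the firewall is passing (not dropping or rejecting) toward a destination port."""
    return [f for f in flows if f["dst"][1] == port and f["state"] in states]

def state_summary(flows):
    """Flow count per (service set, state): what each policy is passing versus blocking."""
    return Counter((f["service_set"], f["state"]) for f in flows)
```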

Published: 2013-03-14