
show services stateful-firewall statistics

Syntax

show services stateful-firewall statistics <application-protocol protocol> <brief | detail | extensive | summary> <interface interface-name> <service-set service-set>

Release Information

Command introduced before Junos OS Release 7.4.

Description

Display stateful firewall statistics.

Options

none

Display standard information about all stateful firewall statistics.

brief | detail | extensive | summary

(Optional) Display the specified level of output.

interface interface-name

(Optional) Display information about a particular interface. On M Series and T Series routers, the interface-name can be ms-fpc/pic/port or rspnumber. On J Series routers, the interface-name is ms-pim/0/port.

service-set service-set

(Optional) Display information about a particular service set.

Required Privilege Level

view

List of Sample Output

show services stateful-firewall statistics extensive

Output Fields

Table 1 lists the output fields for the show services stateful-firewall statistics command. Output fields are listed in the approximate order in which they appear.

Table 1: show services stateful-firewall statistics Output Fields

Field Name

Field Description

Interface

Name of an adaptive services interface.

Service set

Name of a service set.

New flows

Rule match counters for new flows:

  • Accept—New flows accepted.
  • Discard—New flows discarded.
  • Reject—New flows rejected.

Existing flows

Rule match counters for existing flows:

  • Accept—Match existing forward or watch flow.
  • Discard—Match existing discard flow.
  • Reject—Match existing reject flow.

Drops

Drop counters:

  • TCP SYN defense—Packets dropped by SYN defender.
  • NAT ports exhausted—Hide mode. The router has no available Network Address Translation (NAT) ports for a given address or pool.

Errors

Total errors, categorized by protocol:

  • IP—Total IP version 4 errors.
  • TCP—Total Transmission Control Protocol (TCP) errors.
  • UDP—Total User Datagram Protocol (UDP) errors.
  • ICMP—Total Internet Control Message Protocol (ICMP) errors.
  • Non-IP—Total non-IPv4 errors.
  • ALG—Total application-layer gateway (ALG) errors (shown as ALG in the sample output).

IP Errors

IPv4 errors:

  • IP packet length inconsistencies—IP packet length does not match the Layer 2 reported length.
  • Minimum IP header length check failures—Minimum IP header length is 20 bytes. The received packet contains less than 20 bytes.
  • Reassembled packet exceeds maximum IP length—After fragment reassembly, the reassembled IP packet length exceeds 65,535.
  • Illegal source address 0—Source address is not a valid address. Invalid addresses are loopback, broadcast, multicast, and reserved addresses. Source address 0 is, however, allowed when the destination address is 0xffffffff, to support BOOTP.
  • Illegal destination address 0—Destination address is not a valid address; the address is reserved.
  • TTL zero errors—Received packet had a time-to-live (TTL) value of 0.
  • IP protocol number 0 or 255—IP protocol is 0 or 255.
  • Land attack—IP source address is the same as the destination address.
  • Smurf attack—Echo request is sent to a directed broadcast address.
  • Non-IP packets—Packet did not conform to the IP standard.
  • IP option—Packet dropped because of a nonallowed IP option.
  • Non-IPv4 packets—Packet was not IPv4. (Only IPv4 is supported.)
  • Bad checksum—Packet had an invalid IP checksum.
  • Illegal IP fragment length—Illegal fragment length. All fragments (other than the last fragment) must have a length that is a multiple of 8 bytes.
  • IP fragment overlap—Fragments have overlapping fragment offsets.
  • IP fragment reassembly timeout—Some of the fragments for an IP packet were not received in time, and the reassembly handler dropped partial fragments.

TCP Errors

TCP protocol errors:

  • TCP header length inconsistencies—Minimum TCP header length is 20 bytes, and the IP payload of the received packet contains fewer than 20 bytes.
  • Source or destination port number is zero—TCP source or destination port is zero.
  • Illegal sequence number, flags combination—Packet dropped because of an illegal TCP sequence number or an illogical combination of TCP flags.
  • SYN attack (multiple SYN messages seen for the same flow)—Multiple SYN packets received for the same flow are treated as a SYN attack. The packets might be retransmitted SYN packets and therefore valid, but a large number is cause for concern.
  • First packet not SYN—The first packet seen for a connection is not a SYN packet. These packets might belong to connections that predate the flow table or might come from someone performing an ACK/FIN scan.
  • TCP port scan (Handshake, RST seen from server for SYN)—When the SYN defender is active and the server answers a SYN with an RST (reset) instead of a SYN/ACK, someone is probably scanning the server. This counter can produce false alarms if it is not correlated with an intrusion detection service (IDS).
  • Bad SYN cookie response—The SYN cookie mechanism answers every incoming SYN with a SYN/ACK. If the ACK received in response to that SYN/ACK does not match the cookie, this counter is incremented.

UDP Errors

UDP protocol errors:

  • IP data length less than minimum UDP header length (8 bytes)—Minimum UDP header length is 8 bytes. The received IP packets contain less than 8 bytes.
  • Source or destination port is zero—UDP source or destination port is 0.
  • UDP port scan (ICMP error seen for UDP flow)—ICMP error is received for a UDP flow. This could be a genuine UDP flow, but it is counted as an error.

ICMP Errors

ICMP protocol errors:

  • IP data length less than minimum ICMP header length (8 bytes)—ICMP header length is 8 bytes. This counter is incremented when received IP packets contain less than 8 bytes.
  • ICMP error length inconsistencies—Minimum length of an ICMP error packet is 48 bytes, and the maximum length is 576 bytes. This counter is incremented when the received ICMP error falls outside this range.
  • Ping duplicate sequence number—Received ping packet has a duplicate sequence number.
  • Ping mismatched sequence number—Received ping packet has a mismatched sequence number.

ALG drops

Packets dropped by each application-layer gateway (ALG), listed per application protocol (for example, BOOTP, DNS, FTP, RTSP, and TFTP), as shown in the sample output.

Drop Flows

  • Maximum Ingress Drop flows allowed—Maximum number of ingress drop flows allowed.
  • Maximum Egress Drop flows allowed—Maximum number of egress drop flows allowed.
  • Current Ingress Drop flows—Current number of ingress drop flows.
  • Current Egress Drop flows—Current number of egress drop flows.
  • Ingress Drop Flow limit drops count—Number of packets dropped because the maximum number of ingress drop flows was exceeded.
  • Egress Drop Flow limit drops count—Number of packets dropped because the maximum number of egress drop flows was exceeded.

Sample Output

show services stateful-firewall statistics extensive

user@host> show services stateful-firewall statistics extensive
Interface: ms-1/3/0
  Service set: interface-svc-set
    New flows:
      Accept: 907, Discard: 0, Reject: 0
    Existing flows:
      Accept: 3535, Discard: 0, Reject: 0
    Drops:
      IP option: 0, TCP SYN defense: 0
      NAT ports exhausted: 0
    Errors:
      IP: 0, TCP: 0
      UDP: 0, ICMP: 0
      Non-IP packets: 0, ALG: 0
    IP errors:
      IP packet length inconsistencies: 0
      Minimum IP header length check failures: 0
      Reassembled packet exceeds maximum IP length: 0
      Illegal source address: 0
      Illegal destination address: 0
      TTL zero errors: 0, IP protocol number 0 or 255: 0
      Land attack: 0, Smurf attack: 0
      Non IP packets: 0, IP option: 0
      Non-IPv4 packets: 0, Bad checksum: 0
      Illegal IP fragment length: 0
      IP fragment overlap: 0
      IP fragment reassembly timeout: 0
    TCP errors:
      TCP header length inconsistencies: 0
      Source or destination port number is zero: 0
      Illegal sequence number, flags combination: 0
      SYN attack (multiple SYNs seen for the same flow): 0
      First packet not SYN: 0
      TCP port scan (Handshake, RST seen from server for SYN): 0
      Bad SYN cookie response: 0
    UDP errors:
      IP data length less than minimum UDP header length (8 bytes): 0
      Source or destination port is zero: 0
      UDP port scan (ICMP error seen for UDP flow): 0
    ICMP errors:
      IP data length less than minimum ICMP header length (8 bytes): 0
      ICMP error length inconsistencies: 0
      Ping duplicate sequence number: 0
      Ping mismatched sequence number: 0
    ALG drops:
      BOOTP: 0, DCE-RPC: 0, DCE-RPC portmap: 0
      DNS: 0, Exec: 0, FTP: 0
      ICMP: 0
      Login: 0, Netbios: 0, Netshow: 0
      RPC: 0, RPC portmap: 0
      RTSP: 0, Shell: 0
      SNMP: 0, Sqlnet: 0, TFTP: 0
      Traceroute: 0
    Drop Flows:
      Maximum Ingress Drop flows allowed: 20
      Maximum Egress Drop flows allowed: 20
      Current Ingress Drop flows: 0
      Current Egress Drop flows: 0
      Ingress Drop Flow limit drops count: 0
      Egress Drop Flow limit drops count: 0
If max-drop-flows is not configured, the Drop Flows section shows only the defaults:
    Drop Flows:
      Maximum Ingress Drop flows allowed: Default
      Maximum Egress Drop flows allowed: Default
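The output above is plain text, so monitoring it means parsing it. The following Python is an added example, not Juniper's code and not part of this page: it parses the extensive output into nested dictionaries keyed by interface, service set, and section; flags nonzero values for a watchlist of counters that Table 1 describes as attack or scan indicators; and diffs two samples, because the counters are running totals and a single snapshot cannot tell old events from new ones. The sample text is constructed, modelled on the page's own example with a few nonzero values injected; the watchlist is this example's own choice, and the caveats in Table 1 apply (the TCP and UDP port-scan counters can fire on legitimate traffic, so correlate them before acting).

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample, modelled on the page's "show services stateful-firewall
# statistics extensive" output, with a few nonzero counters injected so the
# checker below has something to flag. Not captured from a real router.
SAMPLE_OUTPUT = """\
Interface: ms-1/3/0
  Service set: interface-svc-set
    New flows:
      Accept: 907, Discard: 12, Reject: 0
    Existing flows:
      Accept: 3535, Discard: 0, Reject: 0
    Drops:
      IP option: 0, TCP SYN defense: 4
      NAT ports exhausted: 0
    Errors:
      IP: 2, TCP: 7
      UDP: 1, ICMP: 0
      Non-IP packets: 0, ALG: 0
    IP errors:
      Illegal source address: 0
      TTL zero errors: 0, IP protocol number 0 or 255: 0
      Land attack: 2, Smurf attack: 0
    TCP errors:
      Illegal sequence number, flags combination: 3
      SYN attack (multiple SYNs seen for the same flow): 0
      First packet not SYN: 4
      TCP port scan (Handshake, RST seen from server for SYN): 0
    UDP errors:
      UDP port scan (ICMP error seen for UDP flow): 1
    Drop Flows:
      Maximum Ingress Drop flows allowed: Default
      Maximum Egress Drop flows allowed: Default
"""

# One "name: value" pair. Pairs are separated by ", ", but counter names may
# themselves contain commas ("Illegal sequence number, flags combination",
# "... (Handshake, RST seen ...)"), so the name is matched lazily up to the
# first colon that is followed by a number or "Default" and then a comma or
# end of line, rather than by splitting on commas.
PAIR_RE = re.compile(r"(?:^|,\s*)([^,:][^:]*?):\s*(\d+|Default)(?=,|$)")

Stats = Dict[str, Dict[str, Dict[str, Dict[str, Any]]]]


def parse_statistics(text: str) -> Stats:
    """Parse extensive output into {interface: {service_set: {section: {counter: value}}}}."""
    stats: Stats = {}
    iface = sset = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("**"):          # skip blanks and doc notes
            continue
        if line.startswith("Interface:"):
            iface = line.split(":", 1)[1].strip()
            stats.setdefault(iface, {})
            sset = section = None
            continue
        if line.startswith("Service set:"):
            if iface is None:
                raise ValueError(f"service set before any interface: {raw!r}")
            sset = line.split(":", 1)[1].strip()
            stats[iface].setdefault(sset, {})
            section = None
            continue
        if line.endswith(":"):                          # "New flows:", "IP errors:", ...
            if iface is None or sset is None:
                raise ValueError(f"section outside any service set: {raw!r}")
            section = line[:-1]
            stats[iface][sset].setdefault(section, {})
            continue
        if iface is None or sset is None or section is None:
            raise ValueError(f"counter line outside any section: {raw!r}")
        for m in PAIR_RE.finditer(line):
            name, value = m.group(1).strip(), m.group(2)
            stats[iface][sset][section][name] = int(value) if value.isdigit() else value
    return stats


# Counters that Table 1 ties to attacks, scans, or resource exhaustion.
# This selection is the example's own; tune it to your environment.
WATCHLIST: Dict[str, List[str]] = {
    "Drops": ["TCP SYN defense", "NAT ports exhausted"],
    "IP errors": ["Land attack", "Smurf attack", "IP fragment overlap"],
    "TCP errors": [
        "SYN attack (multiple SYNs seen for the same flow)",
        "First packet not SYN",
        "TCP port scan (Handshake, RST seen from server for SYN)",
        "Bad SYN cookie response",
    ],
    "UDP errors": ["UDP port scan (ICMP error seen for UDP flow)"],
    "Drop Flows": ["Ingress Drop Flow limit drops count", "Egress Drop Flow limit drops count"],
}

Finding = Tuple[str, str, str, str, int]


def security_findings(stats: Stats) -> List[Finding]:
    """Return (interface, service set, section, counter, value) for every nonzero watchlist counter."""
    found: List[Finding] = []
    for iface, ssets in stats.items():
        for sset, sections in ssets.items():
            for section, names in WATCHLIST.items():
                for name in names:
                    value = sections.get(section, {}).get(name, 0)
                    if isinstance(value, int) and value > 0:
                        found.append((iface, sset, section, name, value))
    return found


def counter_deltas(previous: Stats, current: Stats) -> List[Finding]:
    """Counters are running totals: report only those that increased between two samples."""
    deltas: List[Finding] = []
    for iface, ssets in current.items():
        for sset, sections in ssets.items():
            for section, counters in sections.items():
                for name, value in counters.items():
                    old = previous.get(iface, {}).get(sset, {}).get(section, {}).get(name, 0)
                    if isinstance(value, int) and isinstance(old, int) and value > old:
                        deltas.append((iface, sset, section, name, value - old))
    return deltas


if __name__ == "__main__":
    snapshot = parse_statistics(SAMPLE_OUTPUT)
    for finding in security_findings(snapshot):
        print("ALERT %s/%s %s: %s = %d" % finding)
```

In practice you would feed the parser the text returned by the command (over SSH or a NETCONF/PyEZ session) at a fixed interval, keep the previous snapshot, and alert on `counter_deltas` rather than on absolute values, so that a counter that has been nonzero since the last clear does not page you on every poll.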

Published: 2013-03-14