close

keyboard_arrow_left

Table of Contents Expand all

list Table of Contents

English

show security idp counters flow

date_range 19-Nov-23

arrow_backward

arrow_forward

Syntax

content_copy zoom_out_map
show security idp counters flow
<logical-system (logical-system-name | all)>
<tenant tenant-name>

Description

Displays the status of all IDP flow counter values.

Note:

On SRX Series Firewalls with IDP enabled, if IDP attacks are configured for a single direction (server or client), a flow in the opposite direction does not need IDP processing. For TCP traffic, the TCP optimization feature ensures minimal processing for these flows without running into reassembly errors.

Options

none	Displays the status of all IDP flow counter values.
logical-system `logical-system-name`	(Optional) Displays the status of all IDP flow counter values for a specific logical system.
logical-system all	(Optional) Displays the status of all IDP flow counter values for all logical systems.
tenant `tenant-name`	(Optional) Displays the status of all IDP flow counter values for a specific tenant system.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security idp counters flow command. Output fields are listed in the approximate order in which they appear.

Table 1: show security idp counters flow Output Fields
Field Name	Description
`Fast-path packets`	Number of packets that are set through fast path after completing IDP policy lookup.
`Slow-path packets`	Number of packets that are sent through slow path during IDP policy lookup.
`Session construction failed` (Unsupported)	Number of times the packet failed to establish the session.
`Session limit reached`	Number of sessions that reached IDP sessions limit.
`Session inspection depth reached`	Number of sessions that reached inspection depth.
`Memory limit reached`	Number of sessions that reached memory limit.
`Not a new session` (Unsupported)	Number of sessions that extended beyond time limit.
`Invalid index at age-out` (Unsupported)	Invalid session index in session age-out message.
`Packet logging`	Number of packets saved for packet logging.
`Policy cache hits`	Number of sessions that matched policy cache.
`Policy cache misses`	Number of sessions that did not match policy cache.
`Policy cache entries`	Number of policy cache entries.
`Maximum flow hash collisions`	Maximum number of packets, of one flow, that share the same hash value.
`Flow hash collisions`	Number of packets that share the same hash value.
`Gates added`	Number of gate entries added for dynamic port identification.
`Gate matches` (Unsupported)	Number of times a gate is matched.
`Sessions deleted`	Number of sessions deleted.
`Sessions aged-out` (Unsupported)	Number of sessions that are aged out if no traffic is received within session timeout value.
`Sessions in-use while aged-out` (Unsupported)	Number of sessions in use during session age-out.
`TCP flows marked dead on RST/FIN`	Number of sessions marked dead on TCP RST/FIN.
`policy init failed`	Policy initiation failed.
`Number of times Sessions exceed high mark`	Number of times sessions exceeded the high mark.
`Number of sessions exceeds high mark`	Number of sessions that exceed high mark.
`Number of sessions drops below low mark`	Number of sessions that fall below low mark.
`Memory of sessions exceeds high mark`	Session memory exceeds high mark.
`Memory of sessions drops below low mark`	Session memory drops below low mark.
`SM Sessions encountered memory failures`	Number of SM sessions that encountered memory failures.
`SM Packets on sessions with memory failures`	Number of SM packets that encountered memory failures.
`Sessions constructed`	Number of sessions established.
`SM Sessions dropped`	Number of SM sessions dropped.
`SM sessions ignored`	Number of sessions ignored in Security Module (SM).
`SM sessions interested`	Number of SM sessions interested.
`SM sessions not interested`	Number of SM sessions not interested.
`SM sessions interest error`	Number of errors created for SM sessions interested.
`Sessions destructed`	Number of sessions destructed.
`SM Session Create`	Number of SM sessions created.
`SM Packet Process`	Number of packets processed from SM.
`SM FTP data session ignored by IDP`	Number of SM FTP data sessions that are ignored by IDP.
`SM Session close`	Number of SM sessions closed.
`SM client-to-server packets`	Number of SM client-to-server packets.
`SM server-to-client packets`	Number of SM server-to-client packets.
`SM client-to-server L7 bytes`	Number of SM client-to-server Layer 7 bytes.
`SM server-to-client L7 bytes`	Number of SM server-to-client Layer 7 bytes.
`Client-to-server flows ignored`	Number of client-to-server flow sessions that are ignored.
`Server-to-client flows ignored`	Number of server-to-client flow sessions that are ignored.
`Server-to-client flows tcp optimized`	Number of server-to-client flow TCP sessions that are optimized.
`Client-to-server flows tcp optimized`	Number of client-to-server flow TCP sessions that are optimized.
`Both directions flows ignored`	Number of server-to-client and client-to-server flow sessions that are ignored.
`Fail-over sessions dropped`	Number of failover sessions dropped.
`Sessions dropped due to no policy`	Number of sessions dropped because there was no active IDP policy.
`IDP Stream Sessions dropped due to memory failure`	Number of IDP stream sessions that are dropped because of memory failure.
`IDP Stream Sessions ignored due to memory failure`	Number of IDP stream sessions that are ignored because of memory failure.
`IDP Stream Sessions closed due to memory failure`	Number of IDP stream sessions that are closed because of memory failure.
`IDP Stream Sessions accepted`	Number of IDP stream sessions that are accepted.
`IDP Stream Sessions constructed`	Number of IDP stream sessions that are constructed.
`IDP Stream Sessions destructed`	Number of IDP stream sessions that are destructed.
`IDP Stream Move Data`	Number of stream data events handled by IDP.
`IDP Stream Sessions ignored on JSF SSL Event`	Number of IDP stream sessions that are ignored because of a JSF SSL proxy event.
`IDP Stream Sessions not processed for no matching rules`	Number of IDP stream sessions that are not processed for no matching rules.
`IDP Stream stbuf dropped`	Number of IDP stream plug-in buffers dropped.
`IDP Stream stbuf reinjected`	Number of IDP stream plug-in buffers injected.
`Busy packets from stream plugin`	Number of packets saved as one or more packets of this session from stream plug-in.
`Busy packets from packets plugin`	Number of saved packets for IDP stream plug-in sessions.
`Bad kpp`	Number of internal marked packets logged for IDP processing.
`Lsys policy id lookup failed sessions`	Number of sessions that failed logical systems policy lookup.
`Busy packets`	Number of packets saved as one or more packets of this session are handed off for asynchronous processing.
`Busy packet errors`	Number of packets found with IP checksum error after asynchronous processing is completed.
`Dropped queued packets` (async mode)	Number of queued packets dropped based on policy action, reinjection failures, or if the session is marked to destruct.
`Dropped queued packets failed` (async mode)	Not used currently.
`Reinjected packets (async mode)`	Number of packets reinjected into the queue.
`Reinjected packets failed(async mode)`	Number of failed reinjected packets.
`AI saved processed packet`	Number of AI packets saved for which the asynchronous processing is completed.
`Busy packet count incremented`	Number of times the busy packet count incremented in asynchronous processing.
`busy packet count decremented`	Number of times the busy packet count decremented in asynchronous processing.
`session destructed in pme`	Number of sessions destructed as a part of asynchronous result processing.
`session destruct set in pme`	Number of sessions set to be destructed as a result of asynchronous processing.
`KQ op`	Number of sessions with one of the following status: KQ op hold–number of times packets held by IDP. KQ op drop–number of times packets dropped by IDP. KQ op route–number of times IDP decided to be route the packet directly. KQ op Continue–number of times IDP decided to continue to process the packet. KQ op error–number of times error occurred while IPD processing packet. KQ op stop–number of times IDP decided to stop processing the packet.
`PME wait not set`	Number of AI saved packets given for signature matching.
`PME wait set`	Number of packets given for signature matching without AI save.
`PME KQ run not called`	Number of times signature matching results processed out of packet receiving order.
`IDP sessions ignored for content decompression in intel inspect mode`	Number of IDP session ignored for content decompression in the IDP intelligent inspection mode.
`IDP sessions ignored for bytes depth limit in intel inspect mode`	Number of IDP session ignored for bytes depth in the IDP intelligent inspection mode.
`IDP sessions ignored for protocol decoding in intel inspect mode`	Number of IDP session ignored for protocol decoding in the IDP intelligent inspection mode.
`IDP sessions detected CPU usage crossed intel inspect CPU threshold`	Number of IDP session detected when the CPU usage crosses the CPU threshold of the IDP intelligent inspection.
`IDP sessions detected mem drop below intel inspect low mem threshold`	Number of IDP session detected when memory drops below the IDP intelligent inspect low memory threshold.

Sample Output

show security idp counters flow
show security idp counters flow tenant TSYS1
show security idp counters flow (unified parser)