show security flow session
Syntax
Release Information
Command introduced in Junos OS Release 8.5.
Support for filter and view options added in Junos OS Release 10.2.
Application firewall, dynamic application, and logical system filters added in Junos OS Release 11.2.
Policy ID filter added in Junos OS Release 12.3X48-D10.
Support for connection tag added in Junos OS Release 15.1X49-D40.
The tenant option was introduced in Junos OS Release 18.3R1.
The tunnel-inspection-type option was introduced in Junos OS Release 20.4R1.
Description
Display information about all currently active security sessions on the device. For normal flow sessions, the show security flow session command displays byte counters based on IP header length. However, for sessions in Express Path mode, the statistics are collected from the IOC2 (SRX5K-MPC), IOC3 (SRX5K-MPC3-100G10G and SRX5K-MPC3-40G10G), and IOC4 (SRX5K-IOC4-MRAT and SRX5K-IOC4-10G) ASIC hardware engines and include the full packet length with L2 headers. Because of this, the output displays slightly larger byte counters for sessions in Express Path mode than for normal flow sessions.
Options
filter—Filter the display by the specified criteria.
The following filters reduce the display to those sessions that match the criteria specified by the filter. Refer to the specific show command for examples of the filtered output.
advanced-anti-malware—Show advanced-anti-malware sessions. For details on the advanced-anti-malware option, see the Sky Advanced Threat Prevention CLI Reference Guide.
all-logical-systems-tenants—All multitenancy systems.
application—Predefined application name.
application-firewall—Application firewall enabled.
application-firewall-rule-set—Application firewall enabled with the specified rule set.
application-traffic-control—Application traffic control session.
application-traffic-control-rule-set—Application traffic control rule set name and rule name.
conn-tag—Session connection tag (0..4294967295).
destination-port—Destination port.
destination-prefix—Destination IP prefix or address.
dynamic-application—Dynamic application.
dynamic-application-group—Dynamic application group.
encrypted—Encrypted traffic.
family—Display sessions by family.
idp—IDP-enabled sessions.
interface—Name of incoming or outgoing interface.
logical-system (all | logical-system-name)—Name of a specific logical system, or all to display all logical systems.
nat—Display sessions with network address translation.
node—(Optional) For chassis cluster configurations, display security flow session information on a specific node (device) in the cluster.
  node-id—Identification number of the node. It can be 0 or 1.
  all—Display information about all nodes.
  local—Display information about the local node.
  primary—Display information about the primary node.
policy-id—Display session information based on policy ID; the range is 1 through 4,294,967,295.
protocol—IP protocol number.
resource-manager—Resource manager.
root-logical-system—Display root logical system as default.
security-intelligence—Display security intelligence sessions.
services-offload—Display services offload sessions.
session-identifier—Display the session with the specified session identifier.
source-port—Source port.
source-prefix—Source IP prefix.
tenant—Display the security flow session information for a tenant system.
tunnel—Tunnel sessions.
tunnel-inspection-type—Tunnel inspection type.
  gre—Display GRE tunnel inspection sessions.
  ipip—Display IP-in-IP tunnel inspection sessions.
  vxlan—Display VXLAN tunnel inspection sessions.
vxlan-vni—Display only the tunnel sessions whose VNI matches the value you specify in the command.
brief | extensive | summary—Display the specified level of output.
none—Display information about all active sessions.
Required Privilege Level
view
Related Documentation
List of Sample Output
show security flow session
show security flow session (with default policy)
show security flow session (drop flow)
show security flow session brief
show security flow session extensive
show security flow session extensive
show security flow session summary
show security flow session tunnel-inspection-type
show security flow session tunnel-inspection-type
Output Fields
Table 1 lists the output fields for the show security flow session command. Output fields are listed in the approximate order in which they appear.
Table 1: show security flow session Output Fields
Field Name | Field Description | Level of Output |
---|---|---|
Session ID | Number that identifies the session. Use this ID to get more information about the session. | brief extensive none |
If | Interface name. | brief none |
State | Status of security flow session. | brief extensive none |
Conn Tag | A 32-bit connection tag that uniquely identifies the GPRS tunneling protocol, user plane (GTP-U) and the Stream Control Transmission Protocol (SCTP) sessions. The connection tag for GTP-U is the tunnel endpoint identifier (TEID) and for SCTP is the vTag. The connection tag remains 0 if the connection tag is not used by the session. | brief extensive none |
CP Session ID | Number that identifies the central point session. Use this ID to get more information about the central point session. | brief extensive none |
Policy name | Name and ID of the policy that the first packet of the session matched. | brief extensive none |
Timeout | Idle timeout after which the session expires. | brief extensive none |
In | Incoming flow (source and destination IP addresses, application protocol, interface, session token, route, gateway, tunnel, port sequence, FIN sequence, FIN state, packets and bytes). | brief extensive none |
Bytes | Number of received and transmitted bytes. | brief extensive none |
Pkts | Number of received and transmitted packets. | brief extensive none |
Total sessions | Total number of sessions. | brief extensive none |
Out | Reverse flow (source and destination IP addresses, application protocol, interface, session token, route, gateway, tunnel, port sequence, FIN sequence, FIN state, packets and bytes). | brief extensive none |
Status | Session status. | extensive |
Flag | Internal flag depicting the state of the session, used for debugging purposes. | extensive |
Source NAT pool | The name of the source pool where NAT is used. | extensive |
Dynamic application | Name of the application. | extensive |
Application traffic control rule-set | AppQoS rule set for this session. | extensive |
Rule | AppQoS rule for this session. | extensive |
Maximum timeout | Maximum session timeout. | extensive |
Current timeout | Remaining time for the session unless traffic exists in the session. | extensive |
Session State | Session state. | extensive |
Start time | Time when the session was created, offset from the system start time. | extensive |
Unicast-sessions | Number of unicast sessions. | Summary |
Multicast-sessions | Number of multicast sessions. | Summary |
Services-offload-sessions | Number of services-offload sessions. | Summary |
Failed-sessions | Number of failed sessions. | Summary |
Sessions-in-use | Number of sessions in use. | Summary |
Maximum-sessions | Maximum number of sessions permitted. | Summary |
Sample Output
show security flow session
root> show security flow session
Flow Sessions on FPC0 PIC1:

Session ID: 10115977, Policy name: SG/4, State: Active, Timeout: 56, Valid
  In: 203.0.113.1/1000 --> 203.0.113.11/2000;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 1, Bytes: 86, CP Session ID: 10320276
  Out: 203.0.113.11/2000 --> 203.0.113.1/1000;udp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0, CP Session ID: 10320276
Total sessions: 1
show security flow session (with default policy)
root> show security flow session
Session ID: 36, Policy name: pre-id-default-policy/n, Timeout: 2, Valid
  In: 10.10.10.2/61606 --> 10.10.10.1/179;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 64,
  Out: 10.10.10.1/179 --> 10.10.10.2/61606;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 40,
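The fields in Table 1 map line by line onto the brief/none-level output shown in the samples. As an added example, not part of this Juniper reference, the following Python parser turns that output into records and applies two checks a reviewer of a session table usually wants: which sessions matched the pre-id-default-policy (the policy name shown in the sample above), and which sessions have a reverse flow that has carried no packets. The sample text, with its addresses, IDs and counters, is constructed for the example; the parser reads only the fields that appear in the samples and ignores trailing fields such as Tunnel Session ID, and the "Total sessions" cross-check is the example's own sanity test for truncated output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of the brief/none-level output.
# Addresses, session IDs and counters are made up for this example.
SAMPLE_OUTPUT = """\
Flow Sessions on FPC0 PIC1:

Session ID: 10115977, Policy name: SG/4, State: Active, Timeout: 56, Valid
  In: 203.0.113.1/1000 --> 203.0.113.11/2000;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 1, Bytes: 86, CP Session ID: 10320276
  Out: 203.0.113.11/2000 --> 203.0.113.1/1000;udp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0, CP Session ID: 10320276

Session ID: 36, Policy name: pre-id-default-policy/n, Timeout: 2, Valid
  In: 10.10.10.2/61606 --> 10.10.10.1/179;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 64,
  Out: 10.10.10.1/179 --> 10.10.10.2/61606;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 40,
Total sessions: 2
"""

# "State:" is absent in the default-policy sample, so it is optional here.
SESSION_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+)"
    r"(?:, State: (?P<state>[^,]+))?, Timeout: (?P<timeout>\d+), (?P<status>\w+)"
)
# One In/Out wing; CP Session ID is optional, extra trailing fields are ignored.
FLOW_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>\S+)/(?P<sport>\d+) --> (?P<dst>\S+)/(?P<dport>\d+);(?P<proto>\w+),"
    r" Conn Tag: (?P<tag>0x[0-9a-fA-F]+), If: (?P<ifname>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
    r"(?:, CP Session ID: (?P<cp>\d+))?"
)
PIC_RE = re.compile(r"^Flow Sessions on (?P<pic>FPC\d+ PIC\d+):")
TOTAL_RE = re.compile(r"^Total sessions: (?P<n>\d+)")


@dataclass
class Flow:
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    conn_tag: int
    interface: str
    pkts: int
    bytes: int
    cp_session_id: Optional[int]


@dataclass
class Session:
    session_id: int
    policy: str            # raw "name/id" as printed
    state: Optional[str]
    timeout: int
    status: str            # e.g. Valid
    pic: Optional[str]     # "FPCx PICy" header the session was listed under
    flows: Dict[str, Flow] = field(default_factory=dict)

    @property
    def policy_name(self) -> str:
        # "SG/4" -> "SG"; "pre-id-default-policy/n" -> "pre-id-default-policy"
        return self.policy.rpartition("/")[0]

    @property
    def total_bytes(self) -> int:
        return sum(f.bytes for f in self.flows.values())


def parse_sessions(text: str) -> List[Session]:
    """Parse brief/none-level output into Session records.

    Raises ValueError when the summed 'Total sessions' lines disagree with the
    number of session blocks actually parsed (truncated or mangled capture).
    """
    sessions: List[Session] = []
    pic: Optional[str] = None
    declared_total: Optional[int] = None
    for line in text.splitlines():
        m = PIC_RE.match(line)
        if m:
            pic = m["pic"]
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m["sid"]), m["policy"], m["state"],
                                    int(m["timeout"]), m["status"], pic))
            continue
        m = FLOW_RE.match(line)
        if m and sessions:
            sessions[-1].flows[m["dir"]] = Flow(
                m["dir"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                m["proto"], int(m["tag"], 16), m["ifname"], int(m["pkts"]),
                int(m["bytes"]), int(m["cp"]) if m["cp"] else None)
            continue
        m = TOTAL_RE.match(line)
        if m:  # printed per PIC block; sum them for the cross-check
            declared_total = (declared_total or 0) + int(m["n"])
    if declared_total is not None and declared_total != len(sessions):
        raise ValueError(f"parsed {len(sessions)} sessions, output declares {declared_total}")
    return sessions


def sessions_on_policy(sessions: List[Session], name_prefix: str = "pre-id-default-policy") -> List[Session]:
    """Sessions whose matched policy name starts with name_prefix."""
    return [s for s in sessions if s.policy_name.startswith(name_prefix)]


def one_way_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions whose reverse (Out) wing has not carried a single packet."""
    return [s for s in sessions if "Out" in s.flows and s.flows["Out"].pkts == 0]


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    for s in parsed:
        print(s.pic, s.session_id, s.policy_name, s.total_bytes, "bytes")
    print("default-policy:", [s.session_id for s in sessions_on_policy(parsed)])
    print("one-way:", [s.session_id for s in one_way_sessions(parsed)])
```

Feed it the output of `show security flow session` captured to a file (or the brief form, which has the same layout); the extensive form splits each wing over several lines and is not handled by this parser.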
show security flow session (drop flow)
Shows dropped flows for SRX5400.
root> show security flow session
Outgoing wing: CP session ID: 12, CP sess SPU Id: 4617
  1.0.0.1/55069 <- 1.0.0.254/23;6, Conn, Drop Flow Tag: 0x0, VRF GRP ID: 0(0), If: xe-1/0/0.0 (7), Flag: 0x40000020, Vector index: 0x00000002
  WSF: 1, Diff: 0, Sequence: 0, Ack: 0, Port sequence: 0, FIN sequence: 0, FIN state: 0
  Zone Id: 7, NH: 0x40010, NSP tunnel: 0x0, NP info: 0xff
  thread id:255
show security flow session brief
root> show security flow session brief
Flow Sessions on FPC0 PIC1:

Session ID: 10115977, Policy name: SG/4, State: Active, Timeout: 62, Valid
  In: 203.0.113.11/1000 --> 203.0.113.1/2000;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 1, Bytes: 86, CP Session ID: 10320276
  Out: 203.0.113.1/2000 --> 203.0.113.11/1000;udp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0, CP Session ID: 10320276
Total sessions: 1
show security flow session extensive
root> show security flow session extensive
Flow Sessions on FPC0 PIC1:

Session ID: 10115977, Status: Normal, State: Active
Flags: 0x8000040/0x18000000/0x12000003
Policy name: SG/4
Source NAT pool: Null, Application: junos-gprs-gtp-v0-udp/76
Dynamic application: junos:UNKNOWN, Encryption: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 90, Current timeout: 54
Session State: Valid
Start time: 6704, Duration: 35
   In: 203.0.113.11/1000 --> 201.11.0.100/2000;udp, Conn Tag: 0x0,
    Interface: reth1.0,
    Session token: 0x6, Flag: 0x40000021
    Route: 0x86053c2, Gateway: 201.10.0.100, Tunnel: 0
    Port sequence: 0, FIN sequence: 0, FIN state: 0,
    Pkts: 1, Bytes: 86
    CP Session ID: 10320276
   Out: 203.0.113.1/2000 --> 203.0.113.11/1000;udp, Conn Tag: 0x0,
    Interface: reth0.0,
    Session token: 0x7, Flag: 0x50000000
    Route: 0x86143c2, Gateway: 203.0.113.11, Tunnel: 0
    Port sequence: 0, FIN sequence: 0, FIN state: 0,
    Pkts: 0, Bytes: 0
    CP Session ID: 10320276
Total sessions: 1
show security flow session extensive
root> show security flow session extensive
Flow Sessions on FPC0 PIC0:

Session ID: 10000059, Status: Normal
Flags: 0x10000/0x0/0x10/0x1
Policy name: N/A
Source NAT pool: Null
Dynamic application: junos:UNKNOWN, Encryption: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: N/A, Current timeout: N/A
Session State: Valid
Start time: 642, Duration: 369
   In: 3.0.0.2/64387 --> 2.0.0.1/8940;esp, Conn Tag: 0x0,
    Interface: xe-2/0/2.0,
    Session token: 0x7, Flag: 0x80100621
    Route: 0xc0010, Gateway: 2.0.0.2, Tunnel: 0
    ESP/AH frag Rx: 0, Generated: 0
    Inner IPv4 frag Rx: 0, Tx: 0, Generated: 0, Inner IPv6 frag Rx: 0, Tx: 0, Generated: 0
    Port sequence: 0, FIN sequence: 0, FIN state: 0,
    Pkts: 25, Bytes: 3760
    CP Session ID: 0

Session ID: 10000060, Status: Normal
Flags: 0x10000/0x0/0x10/0x1
Policy name: N/A
Source NAT pool: Null
Dynamic application: junos:UNKNOWN, Encryption: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: N/A, Current timeout: N/A
Session State: Valid
Start time: 642, Duration: 369
   In: 3.0.0.2/0 --> 2.0.0.1/0;esp, Conn Tag: 0x0,
    Interface: xe-2/0/2.0,
    Session token: 0x7, Flag: 0x621
    Route: 0xc0010, Gateway: 2.0.0.2, Tunnel: 0
    ESP/AH frag Rx: 0, Generated: 0
    Inner IPv4 frag Rx: 0, Tx: 0, Generated: 0, Inner IPv6 frag Rx: 0, Tx: 0, Generated: 0
    Port sequence: 0, FIN sequence: 0, FIN state: 0,
    Pkts: 0, Bytes: 0
    CP Session ID: 0
Total sessions: 2
show security flow session summary
root> show security flow session summary
Flow Sessions on FPC10 PIC1:
Unicast-sessions: 1
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-use: 1
  Valid sessions: 1
  Pending sessions: 0
  Invalidated sessions: 0
  Sessions in other states: 0
Maximum-sessions: 6291456

Flow Sessions on FPC10 PIC2:
Unicast-sessions: 0
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-use: 0
  Valid sessions: 0
  Pending sessions: 0
  Invalidated sessions: 0
  Sessions in other states: 0
Maximum-sessions: 6291456

Flow Sessions on FPC10 PIC3:
Unicast-sessions: 0
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-use: 0
  Valid sessions: 0
  Pending sessions: 0
  Invalidated sessions: 0
  Sessions in other states: 0
Maximum-sessions: 6291456
show security flow session tunnel-inspection-type
root> show security flow session tunnel-inspection-type vxlan
Session ID: 335544369, Policy name: p1/7, Timeout: 2, Valid
  In: 192.168.200.100/19183 --> 192.168.200.101/2;icmp, Conn Tag: 0xfcd, If: xe-7/0/0.0, Pkts: 2, Bytes: 2048, CP Session ID: 30, Tunnel Session ID: 268435486, Type: VXLAN, VNI: 1000
  Out: 192.168.200.101/2 --> 192.168.200.100/19183;icmp, Conn Tag: 0xfcd, If: xe-7/0/1.0, Pkts: 2, Bytes: 2048, CP Session ID: 30, Tunnel Session ID: 268435488, Type: VXLAN, VNI: 1000
show security flow session tunnel-inspection-type
root> show security flow session vxlan-vni 400
Session ID: 1677861258, Policy name: pset1_p1/6, Timeout: 2, Valid
  In: 192.150.0.12/55908 --> 192.160.0.66/80;tcp, Conn Tag: 0xfcd, If: xe-3/0/0.0, Pkts: 5, Bytes: 465, CP Session ID: 7021087, Type: VXLAN, VNI: 400, Tunnel Session ID: 1680264845
  Out: 192.160.0.66/80 --> 192.150.0.12/55908;tcp, Conn Tag: 0xfcd, If: xe-3/0/1.0, Pkts: 3, Bytes: 328, CP Session ID: 7021087, Type: VXLAN, VNI: 400, Tunnel Session ID: 1679640460

Session ID: 1678454648, Policy name: pset1_p1/6, Timeout: 2, Valid
  In: 192.150.0.13/56659 --> 192.160.0.67/80;tcp, Conn Tag: 0xfcd, If: xe-3/0/0.0, Pkts: 5, Bytes: 465, CP Session ID: 5589311, Type: VXLAN, VNI: 400, Tunnel Session ID: 1679698941
  Out: 192.160.0.67/80 --> 192.150.0.13/56659;tcp, Conn Tag: 0xfcd, If: xe-3/0/1.0, Pkts: 3, Bytes: 328, CP Session ID: 5589311, Type: VXLAN, VNI: 400, Tunnel Session ID: 1679872223