
    show services stateful-firewall flows

    Syntax

    show services stateful-firewall flows <brief | extensive | summary | terse> <application-protocol application-protocol> <count> <destination-port destination-port> <destination-prefix destination-prefix> <interface interface-name> <limit number> <protocol protocol> <service-set service-set> <source-port source-port> <source-prefix source-prefix>

    Release Information

    Command introduced in Junos OS Release 10.4.

    Description

    Display stateful firewall flow table entries. When the interface is used for softwire processing, the type of softwire concentrator (DS-LITE or 6rd) is shown for each softwire flow, together with its frame count.

    Options

    none

    Display standard information about all stateful firewall flows.

    brief | extensive | summary | terse

    (Optional) Display the specified level of output.

    application-protocol application-protocol

    (Optional) Display information about one of the following application-level gateway (ALG) protocol types:

    • bootp—Bootstrap protocol
    • dce-rpc—Distributed Computing Environment (DCE) remote procedure call (RPC) protocol

      Note: Use this option to select Microsoft Remote Procedure Call (MSRPC).

    • dce-rpc-portmap—Distributed Computing Environment (DCE) remote procedure call (RPC) portmap protocol
    • dns—Domain Name Service protocol
    • exec—Remote execution protocol
    • ftp—File Transfer Protocol
    • h323—H.323 protocol
    • icmp—Internet Control Message Protocol
    • iiop—Internet Inter-ORB Protocol
    • ip—Internet protocol
    • netbios—NetBIOS protocol
    • netshow—Netshow protocol
    • pptp—Point-to-Point Tunneling Protocol
    • realaudio—RealAudio protocol
    • rpc—Remote Procedure Call protocol

      Note: Use this option to select Sun Microsystems Remote Procedure Call protocol (SunRPC).

    • rpc-portmap—Remote Procedure Call portmap protocol
    • rtsp—Real-Time Streaming Protocol
    • sip—Session Initiation Protocol
    • snmp—Simple Network Management Protocol
    • talk—Talk protocol
    • tftp—Trivial File Transfer Protocol
    • traceroute—Traceroute
    • winframe—WinFrame

    count

    (Optional) Display a count of the matching entries.

    destination-port destination-port

    (Optional) Display information for a particular destination port. The range of values is from 0 to 65535.

    destination-prefix destination-prefix

    (Optional) Display information for a particular destination prefix.

    interface interface-name

    (Optional) Display information about a particular interface. On M Series and T Series routers, interface-name can be ms-fpc/pic/port or rspnumber. On J Series routers, interface-name is ms-pim/0/port.

    limit number

    (Optional) Maximum number of entries to display.

    protocol protocol

    (Optional) Display information about one of the following IP types:

    • number—Numeric protocol value from 0 to 255
    • ah—IPsec Authentication Header protocol
    • egp—An exterior gateway protocol
    • esp—IPsec Encapsulating Security Payload protocol
    • gre—A generic routing encapsulation protocol
    • icmp—Internet Control Message Protocol
    • igmp—Internet Group Management Protocol
    • ipip—IP-within-IP Encapsulation Protocol
    • ospf—Open Shortest Path First protocol
    • pim—Protocol Independent Multicast protocol
    • rsvp—Resource Reservation Protocol
    • sctp—Stream Control Transmission Protocol
    • tcp—Transmission Control Protocol
    • udp—User Datagram Protocol

    service-set service-set

    (Optional) Display information for a particular service set.

    source-port source-port

    (Optional) Display information for a particular source port. The range of values is from 0 to 65535.

    source-prefix source-prefix

    (Optional) Display information for a particular source prefix.

    Required Privilege Level

    view

    List of Sample Output

    show services stateful-firewall flows
    show services stateful-firewall flows (For Softwire Flows)
    show services stateful-firewall flows brief
    show services stateful-firewall flows extensive
    show services stateful-firewall flows count
    show services stateful-firewall flows destination port
    show services stateful-firewall flows source port
    show services stateful-firewall flows (Twice NAT)

    Output Fields

    Table 1 lists the output fields for the show services stateful-firewall flows command. Output fields are listed in the approximate order in which they appear.

    Table 1: show services stateful-firewall flows Output Fields

    Field Name

    Field Description

    Interface

    Name of the interface.

    Service set

    Name of the service set. Service sets with no flows are omitted from the output; if no service set has any flows, an empty flow table header is displayed for each service set.

    Flow Count

    Number of flows in the service set; displayed with the count option.

    Flow or Flow Prot

    Protocol used for this flow.

    Source

    Source prefix of the flow in the format source-prefix:port. For ICMP flows, port information is not displayed.

    Dest

    Destination prefix of the flow in the format destination-prefix:port. For ICMP flows, port information is not displayed.

    State

    Status of the flow:

    • Drop—Drop all packets in the flow without sending a response.
    • Forward—Forward all packets in the flow without inspecting them.
    • Reject—Drop all packets in the flow and send a response to the sender.
    • Watch—Inspect each packet in the flow.

    Dir

    Direction of the flow: input (I) or output (O).

    Frm count

    Number of frames in the flow.

    Sample Output

    show services stateful-firewall flows

    user@host> show services stateful-firewall flows
    Interface: ms-1/3/0, Service set: green
    
    Flow       
    Prot     Source                 Dest               State      Dir     Frm count
    TCP     10.58.255.178:23   ->    10.59.16.100:4000 Forward    O               
    TCP      10.58.255.50:33005->   10.58.255.178:23   Forward    I              1
      Source NAT    10.58.255.50:33005->    10.59.16.100:4000
      Destin NAT    10.58.255.178:23   ->         0.0.0.0:4000
    

    show services stateful-firewall flows (For Softwire Flows)

    When a service set includes softwire processing, the following output format is used for the softwire flows:

    user@host> show services stateful-firewall flows
    Interface: sp-0/1/0, Service set: dslite-svc-set2
    Flow                                                State    Dir       Frm count
    TCP      200.200.200.2:80    ->     44.44.44.1:1025  Forward  O          219942
        NAT dest        44.44.44.1:1025    ->       20.20.1.4:1025
        Softwire           2001::2         ->         1001::1
    TCP          20.20.1.2:1025  ->  200.200.200.2:80    Forward  I          110244
        NAT source       20.20.1.2:1025    ->      44.44.44.1:1024
        Softwire           2001::2         ->         1001::1
    TCP      200.200.200.2:80    ->     44.44.44.1:1024  Forward  O          219140
        NAT dest        44.44.44.1:1024    ->       20.20.1.2:1025
        Softwire           2001::2         ->         1001::1
    DS-LITE         2001::2      ->        1001::1       Forward  I          988729
    TCP      200.200.200.2:80    ->     44.44.44.1:1026  Forward  O          218906
        NAT dest        44.44.44.1:1026    ->       20.20.1.3:1025
        Softwire           2001::2         ->         1001::1
    TCP          20.20.1.3:1025  ->  200.200.200.2:80    Forward  I          110303
        NAT source       20.20.1.3:1025    ->      44.44.44.1:1026
        Softwire           2001::2         ->         1001::1
    TCP          20.20.1.4:1025  ->  200.200.200.2:80    Forward  I          110944
        NAT source       20.20.1.4:1025    ->      44.44.44.1:1025
        Softwire           2001::2         ->         1001::1
    

    show services stateful-firewall flows brief

    The output for the show services stateful-firewall flows brief command is identical to that for the show services stateful-firewall flows command. For sample output, see show services stateful-firewall flows.

    show services stateful-firewall flows extensive

    user@host> show services stateful-firewall flows extensive
    Interface: ms-0/3/0, Service set: ss_nat
    Flow                                                State    Dir       Frm count
    TCP           16.1.0.1:2330  ->      16.49.0.1:21    Forward  I              8
        NAT source        16.1.0.1:2330    ->       16.41.0.1:2330
        NAT dest         16.49.0.1:21      ->       16.99.0.1:21
      Byte count: 455, TCP established, TCP window size: 57344
      TCP acknowledge: 3251737524, TCP tickle enabled, tcp_tickle: 0
      Flow role: Master, Timeout: 720
    TCP          16.99.0.1:21    ->      16.41.0.1:2330  Forward  O              5
        NAT source       16.99.0.1:21      ->       16.49.0.1:21
        NAT dest         16.41.0.1:2330    ->        16.1.0.1:2330
      Byte count: 480, TCP established, TCP window size: 57344
      TCP acknowledge: 463128048, TCP tickle enabled, tcp_tickle: 0
      Flow role: Responder, Timeout: 720

    show services stateful-firewall flows count

    user@host> show services stateful-firewall flows count
    Interface             Service set                                    Flow Count
    
    ms-1/3/0              green                                                   2
    

    show services stateful-firewall flows destination port

    user@router> show services stateful-firewall flows destination-port 21
    Interface: ms-0/3/0, Service set: svc_set_trust
    Flow                                                State    Dir       Frm count
    Interface: ms-0/3/0, Service set: svc_set_untrust
    Flow                                                State    Dir       Frm count
    TCP         10.50.10.2:2143  ->     10.50.20.2:21    Watch    O               0
    

    show services stateful-firewall flows source port

    user@router> show services stateful-firewall flows source-port 2143
    Interface: ms-0/3/0, Service set: svc_set_trust
    Flow                                                State    Dir       Frm count
    Interface: ms-0/3/0, Service set: svc_set_untrust
    Flow                                                State    Dir       Frm count
    TCP         10.50.10.2:2143  ->     10.50.20.2:21    Watch    O               0
    

    show services stateful-firewall flows (Twice NAT)

    user@router> show services stateful-firewall flows
    Flow                                               State    Dir       Frm count
    UDP          40.0.0.8:23439 ->     80.0.0.1:16485   Watch    I             20
        NAT source        40.0.0.8:23439   ->     172.16.1.10:1028
        NAT dest          80.0.0.1:16485   ->     192.16.1.10:22415
    UDP      192.16.1.10:22415  ->  172.16.1.10:1028    Watch    O             20
        NAT source     192.16.1.10:22415   ->        80.0.0.1:16485
        NAT dest       172.16.1.10:1028    ->        40.0.0.8:23439
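    The samples above all share one layout: a flow line (protocol, source -> destination, State, Dir, Frm count) followed by indented NAT source, NAT dest and Softwire translation lines, plus key: value detail lines in the extensive form. The following Python script is an added example, not Juniper code and not part of this page's original content; it parses that layout into records and then checks a property the extensive and Twice NAT samples both exhibit: for an input flow whose source is translated a -> b and destination c -> d, the matching output flow must run d -> b and carry the mirror translations d -> c and b -> a. A pair that fails this check points at a stale or one-sided flow entry. The sample text is constructed from the page's own output; the regular expressions and the field names of the Flow record are this example's assumptions, since the page documents the columns but not a machine-readable format.

```python
"""Parse 'show services stateful-firewall flows' output into records and check that
every NATted input flow has a mirror-image output flow. Added example, not Juniper
code; the field layout follows Table 1 and the sample output on this page."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input, stitched from the page's own samples: the ss_nat extensive
# output, one DS-LITE softwire flow with its TCP flow, and a zero-frame Watch flow.
SAMPLE = """\
Interface: ms-0/3/0, Service set: ss_nat
Flow                                                State    Dir       Frm count
TCP           16.1.0.1:2330  ->      16.49.0.1:21    Forward  I              8
    NAT source        16.1.0.1:2330    ->       16.41.0.1:2330
    NAT dest         16.49.0.1:21      ->       16.99.0.1:21
  Byte count: 455, TCP established, TCP window size: 57344
  Flow role: Master, Timeout: 720
TCP          16.99.0.1:21    ->      16.41.0.1:2330  Forward  O              5
    NAT source       16.99.0.1:21      ->       16.49.0.1:21
    NAT dest         16.41.0.1:2330    ->        16.1.0.1:2330
  Flow role: Responder, Timeout: 720
Interface: sp-0/1/0, Service set: dslite-svc-set2
Flow                                                State    Dir       Frm count
TCP      200.200.200.2:80    ->     44.44.44.1:1025  Forward  O          219942
    NAT dest        44.44.44.1:1025    ->       20.20.1.4:1025
    Softwire           2001::2         ->         1001::1
DS-LITE         2001::2      ->        1001::1       Forward  I          988729
TCP         10.50.10.2:2143  ->     10.50.20.2:21    Watch    O               0
"""

HEADER_RE = re.compile(r"^Interface:\s*(\S+),\s*Service set:\s*(\S+)")
FLOW_RE = re.compile(r"^(?P<proto>\S+)\s+(?P<src>\S+?)\s*->\s*(?P<dst>\S+)\s+"
                     r"(?P<state>Drop|Forward|Reject|Watch)\s+(?P<dir>[IO])"
                     r"(?:\s+(?P<frames>\d+))?\s*$")
SUB_RE = re.compile(r"^\s+(?P<kind>Source NAT|Destin NAT|NAT source|NAT dest|Softwire)"
                    r"\s+(?P<a>\S+?)\s*->\s*(?P<b>\S+)\s*$")
SUB_FIELD = {"Source NAT": "nat_source", "NAT source": "nat_source",
             "Destin NAT": "nat_dest", "NAT dest": "nat_dest", "Softwire": "softwire"}


@dataclass
class Flow:
    interface: Optional[str]
    service_set: Optional[str]
    proto: str
    src: str
    dst: str
    state: str
    direction: str                       # "I" (input) or "O" (output)
    frames: Optional[int]                # Frm count; blank on some lines
    nat_source: Optional[tuple] = None   # (pre-NAT source, post-NAT source)
    nat_dest: Optional[tuple] = None     # (pre-NAT dest, post-NAT dest)
    softwire: Optional[tuple] = None     # (softwire initiator, concentrator)
    attrs: dict = field(default_factory=dict)  # "extensive" key: value pairs

def split_endpoint(ep: str):
    """'10.1.2.3:80' -> (IPv4Address, 80); '2001::2' -> (IPv6Address, None)."""
    try:
        return ipaddress.ip_address(ep), None   # bare address: ICMP or softwire
    except ValueError:
        host, _, port = ep.rpartition(":")
        return ipaddress.ip_address(host), int(port)

def parse_flows(text: str) -> list[Flow]:
    flows: list[Flow] = []
    iface = sset = None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            iface, sset = m.groups()
        elif m := FLOW_RE.match(line):
            g = m.groupdict()
            flows.append(Flow(iface, sset, g["proto"], g["src"], g["dst"], g["state"],
                              g["dir"], int(g["frames"]) if g["frames"] else None))
        elif flows and (m := SUB_RE.match(line)):
            setattr(flows[-1], SUB_FIELD[m["kind"]], (m["a"], m["b"]))
        elif flows and line.startswith(" ") and ":" in line:
            for part in line.split(","):    # "Byte count: 455, TCP established, ..."
                k, _, v = part.partition(":")
                if v.strip():
                    flows[-1].attrs[k.strip()] = v.strip()
        # anything else is a column header ("Flow", "Prot ...") or a blank line
    return flows

def check_nat_symmetry(flows):
    """Every input flow carrying both translations must have an output flow whose
    endpoints and NAT lines are the exact mirror image (the twice-NAT pattern)."""
    index = {(f.service_set, f.proto, f.src, f.dst, f.direction): f for f in flows}
    problems = []
    for f in flows:
        if f.direction != "I" or not (f.nat_source and f.nat_dest):
            continue
        a, b = f.nat_source   # original source -> translated source
        c, d = f.nat_dest     # original dest   -> translated dest
        rev = index.get((f.service_set, f.proto, d, b, "O"))
        if rev is None:
            problems.append(f"{f.src}->{f.dst}: no reverse flow {d}->{b}")
        elif rev.nat_source != (d, c) or rev.nat_dest != (b, a):
            problems.append(f"{f.src}->{f.dst}: reverse flow translations do not mirror")
    return problems

if __name__ == "__main__":
    parsed = parse_flows(SAMPLE)
    print(len(parsed), "flows parsed; NAT symmetry problems:", check_nat_symmetry(parsed) or "none")
```

    Run it directly to parse the embedded sample, or feed it captured CLI output. Column positions differ between releases and output forms (compare the separate Prot header in the first sample with the single Flow header in the later ones), so the parser keys on the -> separator and the State and Dir columns rather than on fixed offsets. For production automation, prefer structured output from the device over screen scraping where the platform offers it.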

    Published: 2012-07-02