show services stateful-firewall statistics
Command introduced before Junos OS Release 7.4.
Display stateful firewall statistics.
Required Privilege Level
List of Sample Output
show services stateful-firewall statistics extensive
Table 1 lists the output fields for the show services stateful-firewall statistics command. Output fields are listed in the approximate order in which they appear.
Table 1: show services stateful-firewall statistics Output Fields
Name of an adaptive services interface.
Name of a service set.
Rule match counters for new flows:
Existing flow types packet counters
Rule match counters for existing flows:
Total errors, categorized by protocol:
TCP protocol errors:
UDP protocol errors:
ICMP protocol errors:
Accumulation of all the application-level gateway protocol (ALG) drops counted separately in the ALG context:
show services stateful-firewall statistics extensive
user@host> show services stateful-firewall statistics extensive
Interface: ms-1/3/0
  Service set: interface-svc-set
    New flows:
      Rule Accepts: 907, Rule Discards: 0, Rule Rejects: 0
    Existing flow types packet counters:
      Accepts: 3535, Drop: 0, Rejects: 0
    Haripinning counters:
      Slow Path Hairpinned Packets: 0, Fast Path Hairpinned Packets: 0
    Drops:
      IP option: 0, TCP SYN defense: 0
      NAT ports exhausted: 0, Sessions dropped due to subscriber flow limit: 0
    Errors:
      IP: 0, TCP: 0
      UDP: 0, ICMP: 0
      Non-IP packets: 0, ALG: 0
    IP errors:
      IP packet length inconsistencies: 0
      Minimum IP header length check failures: 0
      Reassembled packet exceeds maximum IP length: 0
      Illegal source address: 0
      Illegal destination address: 0
      TTL zero errors: 0, Illegal IP protocol number (0 or 255): 0
      Land attack: 0
      Non-IPv4 packets: 0, Bad checksum: 0
      Illegal IP fragment length: 0
      IP fragment overlap: 0
      IP fragment reassembly timeout: 0
      IP fragment limit exceeded:0
      Unknown: 0
    TCP errors:
      TCP header length inconsistencies: 0
      Source or destination port number is zero: 0
      Illegal sequence number and flags combination: 0
      SYN attack (multiple SYN messages seen for the same flow): 0
      First packet not a SYN message: 0
      TCP port scan (TCP handshake, RST seen from server for SYN): 0
      Bad SYN cookie response: 0
      TCP reconstructor sequence number error: 0
      TCP reconstructor retransmissions: 0
      TCP partially opened connection timeout (SYN): 0
      TCP partially opened connection timeout (SYN-ACK): 0
      TCP partially closed connection reuse: 0
      TCP 3-way error - client sent SYN+ACK: 0
      TCP 3-way error - server sent ACK: 0
      TCP 3-way error - SYN seq number retransmission mismatch: 0
      TCP 3-way error - RST seq number mismatch: 0
      TCP 3-way error - FIN received: 0
      TCP 3-way error - invalid flags (PSH, URG, ECE, CWR): 0
      TCP 3-way error - SYN recvd but no client flows: 0
      TCP 3-way error - first packet SYN+ACK: 0
      TCP 3-way error - first packet FIN+ACK: 0
      TCP 3-way error - first packet FIN: 0
      TCP 3-way error - first packet RST: 0
      TCP 3-way error - first packet ACK: 0
      TCP 3-way error - first packet invalid flags (PSH, URG, ECE, CWR): 0
      TCP Close error - no final ACK: 0
      TCP Resumed Flow: 0
    UDP errors:
      IP data length less than minimum UDP header length (8 bytes): 0
      Source or destination port is zero: 0
      UDP port scan (ICMP error seen for UDP flow): 0
    ICMP errors:
      IP data length less than minimum ICMP header length (8 bytes): 0
      ICMP error length inconsistencies: 0
      Duplicate ping sequence number: 0
      Mismatched ping sequence number: 0
      No matching flow: 0
    ALG errors:
      BOOTP: 0, DCE-RPC: 0, DCE-RPC portmap: 0
      DNS: 0, Exec: 0, FTP: 0
      H323: 0, ICMP: 0, IIOP: 0
      Login: 0, NetBIOS: 0, Netshow: 0
      Real Audio: 0, RPC: 0, RPC portmap: 0
      RTSP: 0, Shell: 0, SIP: 0
      SNMP: 0, SQLNet: 0, TFTP: 0
      Traceroute: 0
    Drop Flows:
      Maximum Ingress Drop flows allowed: 20
      Maximum Egress Drop flows allowed: 20
      Current Ingress Drop flows: 0
      Current Egress Drop flows: 0
      Ingress Drop Flow limit drops count: 0
      Egress Drop Flow limit drops count: 0
**If max-drop-flows is not configured, the following is shown**
    Drop Flows:
      Maximum Ingress Drop flows allowed: Default
      Maximum Egress Drop flows allowed: Default
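For monitoring, the extensive output can be parsed into counters and checked for non-zero drop and error values. The following is an added example, not Juniper code: the function names, the choice of watched sections, and the one-group-per-line layout of the input are assumptions, and the sample text is a constructed excerpt with non-zero values inserted for illustration.

```python
import re

# Constructed sample: excerpt in the shape of the page's sample output,
# with some counters set to non-zero values for illustration.
SAMPLE = """\
Interface: ms-1/3/0
  Service set: interface-svc-set
    New flows:
      Rule Accepts: 907, Rule Discards: 12, Rule Rejects: 0
    Drops:
      IP option: 0, TCP SYN defense: 4
    IP errors:
      Land attack: 2
      IP fragment limit exceeded:0
    TCP errors:
      SYN attack (multiple SYN messages seen for the same flow): 31
      TCP port scan (TCP handshake, RST seen from server for SYN): 7
"""

# "name: N" pairs separated by commas; names may contain commas inside
# parentheses, so a pair ends only at ": <digits>" followed by "," or EOL.
COUNTER = re.compile(r"\s*([^:]+?):\s*(\d+)\s*(?:,|$)")
CONTEXT = re.compile(r"^(Interface|Service set):\s*(\S+)$")
# Sections treated as alert-worthy when non-zero (assumed policy choice).
WATCHED = ("Drops", "IP errors", "TCP errors", "UDP errors",
           "ICMP errors", "ALG errors")

def parse_stats(text):
    """Return {(interface, service_set, section, counter): int}."""
    ctx = {"Interface": None, "Service set": None}
    section, counters = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CONTEXT.match(line)
        if m:
            ctx[m.group(1)] = m.group(2)
        elif line.endswith(":"):          # section header, e.g. "TCP errors:"
            section = line[:-1]
        else:                             # non-numeric values are skipped
            for key, val in COUNTER.findall(line):
                counters[(*ctx.values(), section, key.strip())] = int(val)
    return counters

def nonzero_alerts(counters, watched=WATCHED):
    """Counters in watched sections that are above zero, largest first."""
    hits = [(k, v) for k, v in counters.items() if k[2] in watched and v > 0]
    return sorted(hits, key=lambda kv: -kv[1])

if __name__ == "__main__":
    for (ifd, sset, section, name), value in nonzero_alerts(parse_stats(SAMPLE)):
        print(f"{ifd} {sset} [{section}] {name} = {value}")
```

Rule Discards is left out of the alert list here because rule-based discards are expected policy behaviour; add "New flows" to the watched sections if those should be tracked too.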