show services stateful-firewall flows

Syntax

Release Information

Command introduced before JUNOS Release 7.4.

pgcp option introduced in JUNOS Release 8.4.

Description

Display stateful firewall flow table entries.

Options

none — Display standard information about all stateful firewall flows.

brief | extensive | summary | terse — (Optional) Display the specified level of output.

application-protocol protocol — (Optional) Display information about one of the following application protocols:

• bootp—Bootstrap protocol
• dce-rpc—Distributed Computing Environment-Remote Procedure Call protocols
• dce-rpc-portmap—Distributed Computing Environment-Remote Procedure Call protocols portmap service
• dns—Domain Name System protocol
• exec—Exec
• ftp—File Transfer Protocol
• h323—H.323 standards
• icmp—Internet Control Message Protocol
• iiop—Internet Inter-ORB Protocol
• login—Login
• netbios—NetBIOS
• netshow—NetShow
• realaudio—RealAudio
• rpc—Remote Procedure Call protocol
• rpc-portmap—Remote Procedure Call protocol portmap service
• rtsp—Real-Time Streaming Protocol
• shell—Shell
• sip—Session Initiation Protocol
• snmp—Simple Network Management Protocol
• sqlnet—SQLNet
• tftp—Trivial File Transfer Protocol
• traceroute—Traceroute
• winframe—WinFrame

count — (Optional) Display a count of the matching entries.

destination-port destination-port — (Optional) Display information for a particular destination port. The range of values is from 0 to 65535.

destination-prefix destination-prefix — (Optional) Display information for a particular destination prefix.

interface interface-name — (Optional) Display information about a particular interface. On M Series and T Series routers, interface-name can be sp-fpc/pic/port or rspnumber. On the J Series routers, interface-name is sp-pim/0/port.

limit number — (Optional) Maximum number of entries to display.

pgcp — (Optional) Display stateful firewall information for Packet Gateway Control Protocol (PGCP) flows.

protocol protocol — (Optional) Display information about one of the following IP protocol types:

• number—Numeric protocol value from 0 to 255
• ah—IPSec Authentication Header protocol
• egp—An exterior gateway protocol
• esp—IPSec Encapsulating Security Payload protocol
• gre—A generic routing encapsulation protocol
• icmp—Internet Control Message Protocol
• igmp—Internet Group Management Protocol
• ipip—IP-within-IP Encapsulation Protocol
• ospf—Open Shortest Path First protocol
• pim—Protocol Independent Multicast protocol
• rsvp—Resource Reservation Protocol
• sctp—Stream Control Protocol
• tcp—Transmission Control Protocol
• udp—User Datagram Protocol

service-set service-set — (Optional) Display information for a particular service set.

source-port source-port — (Optional) Display information for a particular source port. The range of values is from 0 to 65535.

source-prefix source-prefix — (Optional) Display information for a particular source prefix.

Required Privilege Level

view

Related Topics

clear services stateful-firewall flows

List of Sample Output

Output Fields

Table 283 lists the output fields for the show services stateful-firewall flows command. Output fields are listed in the approximate order in which they appear.

Table 283: show services stateful-firewall flows Output Fields

Sample Output

Interface: sp-1/3/0, Service set: green

Flow       
Prot     Source                 Dest               State      Dir     Frm count
TCP     10.58.255.178:23   ->    10.59.16.100:4000 Forward    O               
TCP      10.58.255.50:33005->   10.58.255.178:23   Forward    I              1
  Source NAT    10.58.255.50:33005->    10.59.16.100:4000
  Destin NAT    10.58.255.178:23   ->         0.0.0.0:4000

Interface: sp-0/3/0, Service set: ss_nat
Flow                                                				State    	Dir       Frm count
TCP           16.1.0.1:2330  ->      16.49.0.1:21    				Forward  		I              8
    NAT source        16.1.0.1:2330    ->       16.41.0.1:2330
    NAT dest         16.49.0.1:21      ->       16.99.0.1:21
  Byte count: 455, TCP established, TCP window size: 57344
  TCP acknowledge: 3251737524, TCP tickle enabled, tcp_tickle: 0
  Flow role: Master, Timeout: 720
TCP          16.99.0.1:21    ->      16.41.0.1:2330  				Forward  		O              5
    NAT source       16.99.0.1:21      ->       16.49.0.1:21
    NAT dest         16.41.0.1:2330    ->        16.1.0.1:2330
  Byte count: 480, TCP established, TCP window size: 57344
  TCP acknowledge: 463128048, TCP tickle enabled, tcp_tickle: 0
  Flow role: Responder, Timeout: 720

Interface             Service set                                    Flow Count

sp-1/3/0              green                                                   2

Interface: sp-0/3/0, Service set: svc_set_trust
Flow
                                                State    Dir       Frm count
Interface: sp-0/3/0, Service set: svc_set_untrust
Flow                                                State    Dir       Frm count
TCP         10.50.10.2:2143  ->     10.50.20.2:21    Watch    O               0

Interface: sp-0/3/0, Service set: svc_set_trust
Flow   
                                             State    Dir       Frm count
Interface: sp-0/3/0, Service set: svc_set_untrust
Flow                                                State    Dir       Frm count
TCP         10.50.10.2:2143  ->     10.50.20.2:21    Watch    O               0

Flow                                               State    Dir       Frm count
UDP          40.0.0.8:23439 ->     80.0.0.1:16485   Watch    I             20
    NAT source        40.0.0.8:23439   ->     172.16.1.10:1028
    NAT dest          80.0.0,1:16485   ->     192.16.1.10:22415
UDP      192.16.1.10:22415  ->  172.16.1.10:1028    Watch    O             20
    NAT source     192.16.1.10:22415   ->        80.0.0.1:16485
    NAT dest       172.16.1.10:1028    ->        40.0.0.8:23439