show services stateful-firewall statistics

Interface

Name of an adaptive services interface.

Service set

Name of a service set.

New flows

Rule match counters for new flows:

• Accept—New flows accepted.
• Discard—New flows discarded.
• Reject—New flows rejected.

Existing flows

Rule match counters for existing flows:

• Accept—Match existing forward or watch flow.
• Discard—Match existing discard flow.
• Reject—Match existing reject flow.

Drops

Drop counters:

• IP option—Packets dropped in IP options processing.
• TCP SYN defense—Packets dropped by SYN defender.
• NAT ports exhausted—Hide mode. The router has no available NAT ports for a given address or pool.

Errors

Total errors, categorized by protocol:

• IP—Total IP version 4 errors.
• TCP—Total Transmission Control Protocol (TCP) errors.
• UDP—Total User Datagram Protocol (UDP) errors.
• ICMP—Total Internet Control Message Protocol (ICMP) errors.
• Non-IP—Total non-IPv4 errors.
• ALG—Total application-level gateway (ALG) errors.

IP Errors

IPv4 errors:

• IP packet length inconsistencies—IP packet length does not match the Layer 2 reported length.
• Minimum IP header length check failures—Minimum IP header length is 20 bytes. The received packet contains less than 20 bytes.
• Reassembled packet exceeds maximum IP length—After fragment reassembly, the reassembled IP packet length exceeds 65,535.
• Illegal source address 0—Source address is not a valid address. Invalid addresses are, loopback, broadcast, multicast, and reserved addresses. Source address 0, however, is allowed to support BOOTP and the destination address 0xffffffff.
• Illegal destination address 0—Destination address is not a valid address.  The address is reserved.
• TTL zero errors—Received packet had a time-to-live (TTL) value of 0.
• IP protocol number 0 or 255—IP protocol is 0 or 255.
• Land attack—IP source address is the same as the destination address.
• Smurf attack—Echo request is sent to a directed broadcast address.
• Non-IP packets—Packet did not conform to the IP standard.
• IP option—Packet dropped because of a nonallowed IP option.
• Non-IPv4 packets—Packet was not IPv4. (Only IPv4 is supported.)
• Bad checksum—Packet had an invalid IP checksum.
• Illegal IP fragment length—Illegal fragment length. All fragments (other than the last fragment) must have a length that is a multiple of 8 bytes.
• IP fragment overlap—Fragments have overlapping fragment offsets.
• IP fragment reassembly timeout—Some of the fragments for an IP packet were not received in time, and the reassembly handler dropped partial fragments.

TCP Errors

TCP protocol errors:

• TCP header length inconsistencies—Minimum TCP header length is 20 bytes, and the IP packet received does not contain at least 20 bytes.
• Source or destination port number is zero—TCP source or destination port is zero.
• Illegal sequence number, flags combination—Dropped because of TCP errors, such as an illegal sequence number, which causes an illogical combination of flags to be set.
• SYN attack (multiple SYN messages seen for the same flow)—Multiple SYN packets received for the same flow are treated as a SYN attack. The packets might be retransmitted SYN packets and therefore valid, but a large number is cause for concern.
• First packet not SYN—First packets for a connection are not SYN packets. These packets might originate from previous connections or from someone performing an ACK/FIN scan.
• TCP port scan (Handshake, RST seen from server for SYN)—In the case of a SYN defender, if an RST (reset) packet is received instead of a SYN/ACK message, someone is probably trying to scan the server. This behavior can result in false alarms if the RST packet is not combined with an intrusion detection service (IDS).
• Bad SYN cookie response—SYN cookie generates a SYN/ACK message for all incoming SYN packets. If the ACK received for the SYN/ACK message does not match, this counter is incremented.

UDP Errors

UDP protocol errors:

• IP data length less than minimum UDP header length (8 bytes)—Minimum UDP header length is 8 bytes. The received IP packets contain less than 8 bytes.
• Source or destination port is zero—UDP source or destination port is 0.
• UDP port scan (ICMP error seen for UDP flow)—ICMP error is received for a UDP flow. This could be a genuine UDP flow, but it is counted as an error.

ICMP Errors

ICMP protocol errors:

• IP data length less than minimum ICMP header length (8 bytes)—ICMP header length is 8 bytes. This counter is incremented when received IP packets contain less than 8 bytes.
• ICMP error length inconsistencies—Minimum length of an ICMP error packet is 48 bytes, and the maximum length is 576 bytes. This counter is incremented when the received ICMP error falls outside this range.
• Ping duplicate sequence number—Received ping packet has a duplicate sequence number.
• Ping mismatched sequence number—Received ping packet has a mismatched sequence number.

ALG drops

Accumulation of all the application-level gateway protocol (ALG) drops counted separately in the ALG context:

• BOOTP—Bootstrap protocol errors
• DCE-RPC—Distributed Computing Environment-Remote Procedure Call protocols errors
• DCE-RPC portmap—Distributed Computing Environment-Remote Procedure Call protocols portmap service errors
• DNS—Domain Name System protocol errors
• Exec—Exec errors
• FTP—File Transfer Protocol errors
• H323—H.323 standards errors
• ICMP—Internet Control Message Protocol errors
• IIOP—Internet Inter-ORB Protocol errors
• Login—Login errors
• Netbios—NetBIOS errors
• Netshow—NetShow errors
• Realaudio—RealAudio errors
• RPC—Remote Procedure Call protocol errors
• RPC portmap—Remote Procedure Call protocol portmap service errors
• RTSP—Real-Time Streaming Protocol errors
• Shell—Shell errors
• SNMP—Simple Network Management Protocol errors
• Sqlnet—SQLNet errors
• TFTP—Trivial File Transfer Protocol errors
• Traceroute—Traceroute errors