• Related Topics
• clear services stateful-firewall flows

show services stateful-firewall flows

Syntax

Release Information

Command introduced before Junos OS Release 7.4.

pgcp option introduced in Junos OS Release 8.4.

Description

Display stateful firewall flow table entries.

Options

none

Display standard information about all stateful firewall flows.

brief | extensive | summary | terse

(Optional) Display the specified level of output.

application-protocol protocol

(Optional) Display information about one of the following application protocols:

• bootp—Bootstrap protocol
• dce-rpc—Distributed Computing Environment-Remote Procedure Call protocols
• dce-rpc-portmap—Distributed Computing Environment-Remote Procedure Call protocols portmap service
• dns—Domain Name System protocol
• exec—Exec
• ftp—File Transfer Protocol
• h323—H.323 standards
• icmp—Internet Control Message Protocol
• iiop—Internet Inter-ORB Protocol
• login—Login
• netbios—NetBIOS
• netshow—NetShow
• realaudio—RealAudio
• rpc—Remote Procedure Call protocol
• rpc-portmap—Remote Procedure Call protocol portmap service
• rtsp—Real-Time Streaming Protocol
• shell—Shell
• sip—Session Initiation Protocol
• snmp—Simple Network Management Protocol
• sqlnet—SQLNet
• tftp—Trivial File Transfer Protocol
• traceroute—Traceroute
• winframe—WinFrame

count

(Optional) Display a count of the matching entries.

destination-port destination-port

(Optional) Display information for a particular destination port. The range of values is from 0 to 65535.

destination-prefix destination-prefix

(Optional) Display information for a particular destination prefix.

interface interface-name

(Optional) Display information about a particular interface. On M Series and T Series routers, interface-name can be sp-fpc/pic/port or rspnumber. On J Series routers, interface-name is sp-pim/0/port.

limit number

(Optional) Maximum number of entries to display.

pgcp

(Optional) Display stateful firewall information for Packet Gateway Control Protocol (PGCP) flows.

protocol protocol

(Optional) Display information about one of the following IP types:

• number—Numeric protocol value from 0 to 255
• ah—IPsec Authentication Header protocol
• egp—An exterior gateway protocol
• esp—IPsec Encapsulating Security Payload protocol
• gre—A generic routing encapsulation protocol
• icmp—Internet Control Message Protocol
• igmp—Internet Group Management Protocol
• ipip—IP-within-IP Encapsulation Protocol
• ospf—Open Shortest Path First protocol
• pim—Protocol Independent Multicast protocol
• rsvp—Resource Reservation Protocol
• sctp—Stream Control Protocol
• tcp—Transmission Control Protocol
• udp—User Datagram Protocol

service-set service-set

(Optional) Display information for a particular service set.

source-port source-port

(Optional) Display information for a particular source port. The range of values is from 0 to 65535.

source-prefix source-prefix

(Optional) Display information for a particular source prefix.

Required Privilege Level

view

List of Sample Output

Output Fields

Table 1 lists the output fields for the show services stateful-firewall flows command. Output fields are listed in the approximate order in which they appear.

Sample Output

Interface: sp-1/3/0, Service set: green

Flow       
Prot     Source                 Dest               State      Dir     Frm count
TCP     10.58.255.178:23   ->    10.59.16.100:4000 Forward    O               
TCP      10.58.255.50:33005->   10.58.255.178:23   Forward    I              1
  Source NAT    10.58.255.50:33005->    10.59.16.100:4000
  Destin NAT    10.58.255.178:23   ->         0.0.0.0:4000

Interface: sp-0/3/0, Service set: ss_nat
Flow                                                				State    	Dir       Frm count
TCP           16.1.0.1:2330  ->      16.49.0.1:21    				Forward  		I              8
    NAT source        16.1.0.1:2330    ->       16.41.0.1:2330
    NAT dest         16.49.0.1:21      ->       16.99.0.1:21
  Byte count: 455, TCP established, TCP window size: 57344
  TCP acknowledge: 3251737524, TCP tickle enabled, tcp_tickle: 0
  Flow role: Master, Timeout: 720
TCP          16.99.0.1:21    ->      16.41.0.1:2330  				Forward  		O              5
    NAT source       16.99.0.1:21      ->       16.49.0.1:21
    NAT dest         16.41.0.1:2330    ->        16.1.0.1:2330
  Byte count: 480, TCP established, TCP window size: 57344
  TCP acknowledge: 463128048, TCP tickle enabled, tcp_tickle: 0
  Flow role: Responder, Timeout: 720

Interface             Service set                                    Flow Count

sp-1/3/0              green                                                   2

Interface: sp-0/3/0, Service set: svc_set_trust
Flow
                                                State    Dir       Frm count
Interface: sp-0/3/0, Service set: svc_set_untrust
Flow                                                State    Dir       Frm count
TCP         10.50.10.2:2143  ->     10.50.20.2:21    Watch    O               0

Interface: sp-0/3/0, Service set: svc_set_trust
Flow   
                                             State    Dir       Frm count
Interface: sp-0/3/0, Service set: svc_set_untrust
Flow                                                State    Dir       Frm count
TCP         10.50.10.2:2143  ->     10.50.20.2:21    Watch    O               0

Flow                                               State    Dir       Frm count
UDP          40.0.0.8:23439 ->     80.0.0.1:16485   Watch    I             20
    NAT source        40.0.0.8:23439   ->     172.16.1.10:1028
    NAT dest          80.0.0,1:16485   ->     192.16.1.10:22415
UDP      192.16.1.10:22415  ->  172.16.1.10:1028    Watch    O             20
    NAT source     192.16.1.10:22415   ->        80.0.0.1:16485
    NAT dest       172.16.1.10:1028    ->        40.0.0.8:23439