Security

Policy

Monitoring Policies

From the Security Policies Monitoring page, you can display, sort, and review policy activity for every activated policy configured on the device. Policies are grouped by Zone Context (the from and to zones of the traffic) to control the volume of data displayed at one time. From the policy list, select a policy to display statistics and current network activity.

To review policy activity using J-Web:

Select Monitor > Security > Policy > Activities in the J-Web interface. The Security Policies Monitoring page is displayed. The policies from the first Zone Context are listed. See Table 140 for field descriptions.
Select the Zone Context of the policy you want to monitor, and click Filter. All policies within the zone context are displayed in match sequence.
Select a policy, and click one of the following functions:
- Clear Statistics—Clear all counters to zero for the selected policy.
- Deactivate—Deactivate the selected policy. When you click Deactivate, the commit window opens to confirm the deactivation.
- Move—Reposition the selected policy in the match sequence. You have the option to move the policy up or down one row at a time, or to the top or bottom of the sequence.

Table 140: Security Policies Monitoring Output Fields

Field	Values	Additional Information
Zone Context (Total #)	Displays a list of all from and to zone combinations for the configured policies. The total number of active policies for each context is specified in the Total # field. By default, the policies from the first Zone Context are displayed.	To display policies for a different context, select a Zone Context and click Filter. Note that both inactive and active policies are displayed for each context. However, the Total # field for a context specifies the number of active policies only.
Default Policy action	Specifies the action to be taken for traffic that does not match any of the policies in the context: permit-all—Permit all traffic that does not match a policy. deny-all—Deny all traffic that does not match a policy.
From Zone	Displays the source zone to be used as match criteria for the policy.
To Zone	Displays the destination zone to be used as match criteria for the policy.
Name	Displays the name of the policy.
Source Address	Displays the source addresses to be used as match criteria for the policy. Address sets are resolved to their individual names. (In this case, only the names are given, not the IP addresses).
Destination Address	Displays the destination addresses (or address sets) to be used as match criteria for the policy. Addresses are entered as specified in the destination zone’s address book.
Application	Displays the name of a predefined or custom application signature to be used as match criteria for the policy.
Dynamic App	Displays the dynamic application signatures to be used as match criteria if an application firewall rule set is configured for the policy. For a network firewall, a dynamic application is not defined.	The rule set is displayed in two lines. The first line displays the configured dynamic application signatures in the rule set. The second line displays the default dynamic application signature. If more than two dynamic application signatures are specified for the rule set, hover over the output field to display the full list in a tooltip.
Action	Displays the action portion of the rule set if an application firewall rule set is configured for the policy. permit—Permits access to the network services controlled by the policy. A green background signifies permission. deny—Denies access to the network services controlled by the policy. A red background signifies denial.	The action portion of the rule set is displayed in two lines. The first line identifies the action to be taken when the traffic matches a dynamic application signature. The second line displays the default action when traffic does not match a dynamic application signature.
NW Services	Displays the network services permitted or denied by the policy if an application firewall rule set is configured. Network services include: gprs-gtp-profile—Specify a GPRS Tunneling Protocol profile name. idp—Perform intrusion detection and prevention. redirect-wx—Set WX redirection. reverse-redirect-wx—Set WX reverse redirection. uac-policy—Enable unified access control enforcement of the policy.
Count	Specifies whether counters for computing session, packet, and byte statistics for the policy are enabled. By default, counters are not enabled.
Log	Specifies whether session logging is enabled. By default, session logging is not enabled. Session activity to be logged can include the following: Session initialization Session close Both
Policy Hit Counters Graph	Provides a representation of the value over time for a specified counter. The graph is blank if Policy Counters indicates no data. As a selected counter accumulates data, the graph is updated at each refresh interval.	To toggle a graph on and off, click the counter name below the graph.
Policy Counters	Lists statistical counters for the selected policy if Count is enabled. The following counters are available for each policy: input-bytes input-byte-rate output-bytes output-byte-rate input-packets input-packet-rate output-packets output-packet-rate session-creations session-creation-rate active-sessions	To graph or to remove a counter from the Policy Hit Counters Graph, toggle the counter name. The names of enabled counters appear below the graph.

Checking Policies

The Check Policies page in the J-Web interface provides a search pane where you can enter match criteria and conduct a policy search. The search results include all policies that match the traffic criteria in the sequence in which they will be encountered.

Alternatively, to list matching policies using the CLI, enter the following command, your match criteria, and the number of matching policies to display:

show security match-policies

Because policy matches are listed in the sequence in which they would be encountered, you can tell if a specific policy is not being applied correctly. The first policy in the list is applied to all matching traffic. Policies listed after this one remain in the “shadow” of the first policy and are never encountered by this traffic.

By manipulating the traffic criteria and policy sequence, you can tune policy application to suit your needs. During policy development, you can use this feature to establish the appropriate sequence of policies for optimum traffic matches. When troubleshooting, use this feature to determine if specific traffic is encountering the appropriate policy.

Select Monitor>Security>Policy>Check Policies in the J-Web interface. The Check Policies page appears. Table 141 explains the content of this page.
In the top pane, enter the From Zone and To Zone to supply the context for the search.
Enter match criteria for the traffic, namely, the source address and port, the destination address and port, and the protocol of the traffic.
Enter the number of matching policies to display.
Click Search to find policies matching your criteria. The lower pane displays all policies matching the criteria up to the number of policies you specified.
- The first policy will be applied to all traffic with this match criteria.
- Remaining policies will not be encountered by any traffic with this match criteria.
To manipulate the position and activation of a policy, select the policy and click the appropriate button:
Delete
—
Delete the selected policy. The policy is removed from the policy configuration.
Deactivate
—
Deactivate the selected policy. A deactivated policy remains in the policy configuration, but it is no longer included in policy matching until it is reactivated.
Move
—
Move the selected policy up or down to position it at a more appropriate point in the search sequence.

Table 141: Check Policies Output

Field

Function

Check Policies Search Input Pane

From Zone

Name or ID of the source zone. If a From Zone is specified by name, the name is translated to its ID internally.

To Zone

Name or ID of the destination zone. If a To Zone is specified by name, the name is translated to its ID internally.

Source Address

Address of the source in IP notation.

Source Port

Port number of the source.

Destination Address

Address of the destination in IP notation.

Destination Port

Port number of the destination.

Protocol

Name or equivalent value of the protocol to be matched.

—

egp

—

esp

—

gre

—

icmp

—

igmp

—

igp

—

ipip

—

ipv6

—

ospf

—

pgm

—

113

pim

—

103

rdp

—

rsvp

—

sctp

—

132

tcp

—

udp

—

vrrp

—

112

Result Count

(Optional) Number of policies to display. Default value is 1. Maximum value is 16.

Check Policies List

From Zone

Name of the source zone.

To Zone

Name of the destination zone.

Total Policies

Number of policies retrieved.

Default Policy action

The action to be taken if no match occurs.

Name

Policy name

Source Address

Name of the source address (not the IP address) of a policy. Address sets are resolved to their individual names.

Destination Address

Name of the destination address or address set. A packet’s destination address must match this value for the policy to apply to it.

Application

Name of a preconfigured or custom application of the policy match.

Action

Action taken when a match occurs as specified in the policy.

Hit Counts

Number of matches for this policy. This value is the same as the Policy Lookups in a policy statistics report.

Active Sessions

Number of active sessions matching this policy.

Monitoring Screen Counters

To view screen statistics for a specified security zone, select Monitor>Security>Screen Counters in the J-Web interface, or enter the following CLI command:

show security screen statistics zone zone-name

Table 142 summarizes key output fields in the screen counters display.

Table 142: Summary of Key Screen Counters Output Fields

Field	Values	Additional Information
Zones
ICMP Flood	Internet Control Message Protocol (ICMP) flood counter.	An ICMP flood typically occurs when ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed.
UDP Flood	User Datagram Protocol (UDP) flood counter.	UDP flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the resources, such that valid connections can no longer be handled.
TCP Winnuke	Number of Transport Control Protocol (TCP) WinNuke attacks.	WinNuke is a denial-of-service (DoS) attack targeting any computer on the Internet running Windows.
TCP Port Scan	Number of TCP port scans.	The purpose of this attack is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target.
ICMP Address Sweep	Number of ICMP address sweeps.	An IP address sweep can occur with the intent of triggering responses from active hosts.
IP Tear Drop	Number of teardrop attacks.	Teardrop attacks exploit the reassembly of fragmented IP packets.
TCP SYN Attack	Number of TCP SYN attacks.
IP Spoofing	Number of IP spoofs.	IP spoofing occurs when an invalid source address is inserted in the packet header to make the packet appear to come from a trusted source.
ICMP Ping of Death	ICMP ping of death counter.	Ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes).
IP Source Route	Number of IP source route attacks.
TCP Land Attack	Number of land attacks.	Land attacks occur when attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address.
TCP SYN Fragment	Number of TCP SYN fragments.
TCP No Flag	Number of TCP headers without flags set.	A normal TCP segment header has at least one control flag set.
IP Unknown Protocol	Number of unknown Internet protocols.
IP Bad Options	Number of invalid options.
IP Record Route Option	Number of packets with the IP record route option enabled.	This option records the IP addresses of the network devices along the path that the IP packet travels.
IP Timestamp Option	Number of IP timestamp option attacks.	This option records the time (in Universal Time) when each network device receives the packet during its trip from the point of origin to its destination.
IP Security Option	Number of IP security option attacks.
IP Loose route Option	Number of IP loose route option attacks.	This option specifies a partial route list for a packet to take on its journey from source to destination.
IP Strict Source Route Option	Number of IP strict source route option attacks.	This option specifies the complete route list for a packet to take on its journey from source to destination.
IP Stream Option	Number of stream option attacks.	This option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support streams.
ICMP Fragment	Number of ICMP fragments.	Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss.
ICMP Large Packet	Number of large ICMP packets.
TCP SYN FIN Packet	Number of TCP SYN FIN packets.
TCP FIN without ACK	Number of TCP FIN flags without the acknowledge (ACK) flag.
TCP SYN-ACK-ACK Proxy	Number of TCP flags enabled with SYN-ACK-ACK.	To prevent flooding with SYN-ACK-ACK sessions, you can enable the SYN-ACK-ACK proxy protection screen option. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, Junos OS rejects further connection requests from that IP address.
IP Block Fragment	Number of IP block fragments.

UTM

Monitoring Antivirus Scan Results (J-Web)

View antivirus scan results using J-Web as follows:

Select Monitor>UTM>Anti-Virus.
The following information becomes viewable in the right pane.
Antivirus license key status
- View license expiration dates.
Antivirus pattern update server settings
- View update URL (HTTP or HTTPS-based).
- View update interval.
Antivirus pattern database status
- View auto update status.
- View last result of database loading.
- If the download completes, view database version timestamp virus record number.
- If the download fails, view failure reason.
Antivirus statistics provide
- The number of scan request being pre-windowed.
- The total number of scan request forwarded to the engine.
- The number of scan requests using scan-all mode.
- The number of scan requests using scan-by-extension mode.
Scan code counters provide
- Number of clean files.
- Number of infected files.
- Number of password protected files.
- Number of decompress layers.
- Number of corrupt files.
- When the engine is out of resources.
- When there is an internal error.
Fallback applied status provides either a log-and-permit or block result when the following has occurred
- Scan engine not ready.
- Password protected file found.
- Decompress layer too large.
- Corrupt file found.
- Out of resources.
- Timeout occurred.
- Maximum content size reached.
- Too many requests.
- Other.
You can click the Clear Anti-Virus Statistics button to clear all current viewable statistics and begin collecting new statistics.

Using J-Web to Monitor Web Filtering

View Web filtering statistics using J-Web as follows:

Select Monitor>UTM>Web Filtering.
The following information becomes viewable in the right pane.
white list hit: #Black list hit: #Queries to server: #Server reply permit: #Server reply block: #Custom category permit: #Custom category block: #Cache hit permit: #Cache hit block: #Web-filtering sessions in total: #Web-filtering sessions in use: #Fall back: log-and-permit blockDefault # #Timeout # #Connectivity # #Too-many-requests # #
You can click the Clear Web Filtering STAT button to clear all current viewable statistics and begin collecting new statistics.

Using J-Web for Antispam Monitoring

View antispam statistics using J-Web as follows:

Select Monitor>Security>UTM>Anti Spam.
The following information becomes viewable in the right pane.
user@host > show security utm anti-spam status
SBL Whitelist Server:SBL Blacklist Server:server.juniper.netDNS Server: Primary : 1.2.3.4, Src Interface: ge-0/0/0Secondary: 2.3.4.5, Src Interface: ge-0/0/1Ternary : 0.0.0.0, Src Interface: fe-0/0/2
Total connections: #Denied connections: #Total greetings: #Denied greetings: #Total e-mail scanned: #Spam total: #Spam tagged: #Spam dropped: #DNS errors: #Timeout errors: #Return errors: #Invalid parameter errors: #Statistics start time:Statistics for the last 10 days.
You can click the Clear Antispam statistics button to clear all current viewable statistics and begin collecting new statistics.

Using J-Web to Monitor Content Filtering

View content filtering statistics using J-Web as follows:

Select Monitor>Security>UTM>Content Filtering.
The following statistics becomes viewable in the right pane.
Base on command list: # Passed # BlockedBase on mime list: # Passed # BlockedBase on extension list: # Passed # BlockedActiveX plugin: # Passed # BlockedJava applet: # Passed # BlockedEXE files: # Passed # BlockedZIP files: # Passed # BlockedHTTP cookie: # Passed # Blocked
You can click Clear Content filtering statistics to clear all current viewable statistics and begin collecting new statistics.

Monitoring IDP

IDP monitoring pages allow you to display detailed information about the IDP Status, Memory, Counters, Policy rulebase statistics and Attack table statistics

This topic contains:

Monitoring IDP Status

Monitoring IDP Status

To view Intrusion Detection and Prevention (IDP) table information, select Monitor>Security>IDP>Status in the J-Web interface, or enter the following CLI command:

show security idp status
show security idp memory

Table 143 summarizes key output fields in the IDP display.

Table 143: Summary of IDP Status Output Fields

Field	Values	Additional Information
IDP Status
Status of IDP	Displays the status of the current IDP policy.
Up Since	Displays the time from when the IDP policy first began running on the system.
Packets/Second	Displays the number of packets received and returned per second.
Peak	Displays the maximum number of packets received per second and the time when the maximum was reached.
Kbits/Second	Displays the aggregated throughput (kilobits per second) for the system.
Peak Kbits	Displays the maximum kilobits per second and the time when the maximum was reached.
Latency (Microseconds)	Displays the delay, in microseconds, for a packet to receive and return by a node .
Current Policy	Displays the name of the current installed IDP policy.
IDP Memory Statistics	Displays the status of all IDP data plane memory.
PIC Name	Displays the name of the PIC.
Total IDP Data Plane Memory (MB)	Displays the total memory space, in megabytes, allocated for the IDP data plane.
Used (MB)	Displays the used memory space, in megabytes, for the data plane.
Available (MB)	Displays the available memory space, in megabytes, for the data plane.

Monitoring Flow Session Statistics

The J-Web interface provides session statistics according to the session filter you select on the Flow Session Statistics page.

This section contains the following topics:

Monitoring Flow Session Statistics Summary Information

To view summary information about existing sessions, including types of sessions, active and failed sessions, and the maximum allowed number of sessions, select Monitor>Security>Flow Session Statistics in the J-Web interface. Then select summary from the Session Filter list and click Show. Alternatively, enter the following CLI command:

show security flow session summary

Table 144 summarizes key output fields in the flow session statistics display.

Table 144: Summary of Key Flow Session Statistics Output Fields

Field	Values	Additional Information
Flow Session Statistics: session filter—summary (By default)
Unicast-sessions	Total number of active unicast sessions.
Multicast-sessions	Total number of active multicast sessions.
Failed-sessions	Total number of failed sessions.
Active-sessions	Total number of active sessions.
Maximum-sessions	Maximum number of supported sessions.

Monitoring Flow Information for All Sessions

To view information about all currently active security sessions on the device, select Monitor>Security>Flow Session Statistics in the J-Web interface. Then select all from the Session Filter list and click Show. To view information about the incoming and outgoing source and destination addresses and the protocol and interface for a specific session, select the session ID on the Flow Session Statistics page.

Alternatively, enter the following CLI command:

show security flow session

Table 145 summarizes key output fields in the flow all session display.

Table 145: Summary of Key Flow All Session Information Output Fields

Field	Values	Additional Information
Flow Session Statistics: session filter—all
Session ID	Number that identifies the session. Use this ID to get more information about the session.
Policy name	Policy that permitted the traffic.
Timeout	Idle timeout after which the session expires.
Flow Session Statistics: Session ID
In	Incoming flow (source and destination IP addresses, application protocol, and interface).
Out	Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Information for Application Sessions

To view information about each session of the specified application type, select Monitor>Security>Flow Session Statistics in the J-Web interface. Then select application from the Session Filter list and click Show. Alternatively, enter the following CLI command:

show security flow session application application-name

Table 146 summarizes key output fields in the flow session application display.

Table 146: Summary of Key Flow Application Session Information Output Fields

Field	Values	Additional Information
Flow Session Statistics: session filter—application
Session ID	Number that identifies the session. Use this ID to get more information about the session.
Policy name	Policy that permitted the traffic.
Timeout	Idle timeout after which the session expires.
In	Incoming flow (source and destination IP addresses, application protocol, and interface).
Out	Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Destination Port Information

To view information about each session that uses the specified destination port, select Monitor>Security>Flow Session Statistics in the J-Web interface. Then select destination port from the Session Filter list and click Show. Alternatively, enter the following CLI command:

show security flow session destination-port destination-port-number

Table 147 summarizes key output fields in the flow session destination port display.

Table 147: Summary of Key Flow Destination Port Session Information Output Fields

Field	Values	Additional Information
Flow Session Statistics: session filter—destination port
Session ID	Number that identifies the session. Use this ID to get more information about the session.
Policy name	Policy that permitted the traffic.
Timeout	Idle timeout after which the session expires.
In	Incoming flow (source and destination IP addresses, application protocol, and interface).
Out	Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Destination Prefix Information

To view information about each session that uses the specified destination prefix, select Monitor>Security>Flow Session Statistics in the J-Web interface. Then select destination prefix from the Session Filter list and click Show. Alternatively, enter the following CLI command:

show security flow session destination-prefix destination-prefix-number

Table 148 summarizes key output fields in the flow session destination prefix display.

Table 148: Summary of Key Flow Destination Prefix Session Information Output Fields

Field	Values	Additional Information
Flow Session Statistics: session filter—destination prefix
Session ID	Number that identifies the session. Use this ID to get more information about the session.
Policy name	Policy that permitted the traffic.
Timeout	Idle timeout after which the session expires.
In	Incoming flow (source and destination IP addresses, application protocol, and interface).
Out	Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Interface Information

To view information about each session that uses the specified incoming or outgoing interface, select Monitor>Security>Flow Session Statistics in the J-Web interface. Then select interface from the Session Filter list and click Show. Alternatively, enter the following CLI command:

show security flow session interface interface-name

Table 149 summarizes key output fields in the flow session interface display.

Table 149: Summary of Key Flow Interface Session Information Output Fields

Field	Values	Additional Information
Flow Session Statistics: session filter—interface
Session ID	Number that identifies the session. Use this ID to get more information about the session.
Policy name	Policy that permitted the traffic.
Timeout	Idle timeout after which the session expires.
In	Incoming flow (source and destination IP addresses, application protocol, and interface).
Out	Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Protocol Information

To view information about each session that uses the specified protocol, select Monitor>Security>Flow Session Statistics in the J-Web interface. Then select protocol from the Session Filter list and click Show. Alternatively, enter the following CLI command:

show security flow session protocol protocol-name

Table 150 summarizes key output fields in the flow session protocol display.

Table 150: Summary of Key Flow Protocol Session Information Output Fields

Field	Values	Additional Information
Flow Session Statistics: session filter—protocol
Session ID	Number that identifies the session. Use this ID to get more information about the session.
Policy name	Policy that permitted the traffic.
Timeout	Idle timeout after which the session expires.
In	Incoming flow (source and destination IP addresses, application protocol, and interface).
Out	Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Resource Manager

To view information about sessions created by the resource manager, select Monitor>Security>Flow Session Statistics in the J-Web interface. Then select resource manager from the Session Filter list and click Show. Alternatively, enter the following CLI command:

show security flow session resource-manager

Table 151 summarizes key output fields in the flow session resource manager display.

Table 151: Summary of Key Flow Resource Manager Session Output Fields

Field	Values	Additional Information
Flow Session Statistics: session filter—resource manager
Session ID	Number that identifies the session. Use this ID to get more information about the session.
Policy name	Policy that permitted the traffic.
Timeout	Idle timeout after which the session expires.
Resource information	Information about the session particular to the resource manager, including the name of the ALG, the group ID. and the resource ID.
Flow Session Statistics: Session ID
In	Incoming flow (source and destination IP addresses, application protocol, and interface).
Out	Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Identifier Session

To view information about the session, select Monitor>Security>Flow Session Statistics in the J-Web interface. Then select session identifier from the Session Filter list and click Show. Alternatively, enter the following CLI command:

show security flow session session-identifier session-identifier

Table 152 summarizes key output fields in the flow session identifier session display.

Table 152: Summary of Key Flow Session Identifier Output Fields

Field	Values	Additional Information
Flow Session Statistics: session filter—session identifier
Session ID	Number that identifies the session. Use this ID to get more information about the session.
Status	Session status.
Flag	Internal flag depicting the state of the session, used for debugging purposes.
Virtual system	Virtual system to which the session belongs.
Policy name	Name and ID of the policy that the first packet of the session matched.
Maximum timeout	Maximum session timeout.
Current timeout	Remaining time for the session unless traffic exists in the session.
Start time	Time when the session was created, offset from the system start time.
Duration	Length of time for which the session is active.
In	For the input flow: Source and destination addresses and protocol tuple for the input flow. Interface: Input flow interface. Session token: Internal token derived from the virtual routing instance. Flag: Internal debugging flags. Route: Internal next hop of the route to be used by the flow. Gateway: Next-hop gateway of the flow. Tunnel: If the flow is going into a tunnel, the tunnel ID. Otherwise, 0 (zero). Port Sequence, FIN sequence, FIN state, Cookie: Internal TCP state tracking information.
Out	For the reverse flow: Source and destination addresses and protocol tuple for the input flow. Interface: Input flow interface. Session token: Internal token derived from the virtual routing instance. Flag: Internal debugging flags. Route: Internal next hop of the route to be used by the flow. Gateway: Next-hop gateway of the flow. Tunnel: If the flow is going into a tunnel, the tunnel ID. Otherwise, 0 (zero). Port Sequence, FIN sequence, FIN state, Cookie: Internal TCP state tracking information.

Monitoring Flow Session Source Port Information

To view information about each session that uses the specified source port, select Monitor>Security>Flow Session Statistics in the J-Web interface. Then select source port from the Session Filter list and click Show. Alternatively, enter the following CLI command:

show security flow session source–port source-port-number

Table 153 summarizes key output fields in the flow session source port display.

Table 153: Summary of Key Flow Source Port Session Output Fields

Field	Values	Additional Information
Flow Session Statistics: session filter—source port
Session ID	Number that identifies the session. Use this ID to get more information about the session.
Policy name	Policy that permitted the traffic.
Timeout	Idle timeout after which the session expires.
In	Incoming flow (source and destination IP addresses, application protocol, and interface).
Out	Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Source Prefix Information

To view information about each session that uses the specified source prefix, select Monitor>Security>Flow Session Statistics in the J-Web interface. Then select source prefix from the Session Filter list and click Show. Alternatively, enter the following CLI command:

show security flow session source–prefix source-prefix-number

Table 154 summarizes key output fields in the flow session source prefix display.

Table 154: Summary of Key Flow Source Prefix Session Output Fields

Field	Values	Additional Information
Flow Session Statistics: session filter—source prefix
Session ID	Number that identifies the session. Use this ID to get more information about the session.
Policy name	Policy that permitted the traffic.
Timeout	Idle timeout after which the session expires.
In	Incoming flow (source and destination IP addresses, application protocol, and interface).
Out	Reverse flow (source and destination IP addresses, application protocol, and interface).

Monitoring Flow Session Tunnel Information

To view information about all tunnel session, select Monitor>Security>Flow Session Statistics in the J-Web interface. Then select tunnel from the Session Filter list and click Show. Alternatively, enter the following CLI command:

show security flow session tunnel

Table 155 summarizes key output fields in the flow session tunnel display.

Table 155: Summary of Key Flow Tunnel Session Output Fields

Field	Values	Additional Information
Flow Session Statistics: session filter—tunnel
Session ID	Number that identifies the session. Use this ID to get more information about the session.
Policy name	Policy that permitted the traffic.
Timeout	Idle timeout after which the session expires.
In	Incoming flow (source and destination IP addresses, application protocol, and interface).

Monitoring Firewall Authentication

The J-Web interface provides information about user authentications and history of authentications.

This section contains the following topics:

Monitoring Firewall Authentication Table

The firewall authentication user information is divided into multiple parts. To view information about authentication table, select Monitor>Security>Firewall Authentication>Authentication Table in the J-Web interface. To view detailed information about the user with a particular identifier, select the ID on the Authentication Table page. To view detailed information about the user at a particular source IP address, select the Source IP on the Authentication Table page.

Alternatively, enter the following CLI commands:

show security firewall-authentication users
show security firewall-authentication users address ip-address
show security firewall-authentication users identifier identifier

Table 156 summarizes key output fields in firewall authentication table display.

Table 156: Summary of Key Firewall Authentication Table Output Fields

Field	Values	Additional Information
Firewall authentication users
Total users in table	Number of users in the authentication table.
Authentication table
ID	Authentication identification number.
Source Ip	IP address of the authentication source.
Age	Idle timeout for the user.
Status	Status of authentication (success or failure).
user	Name of the user.
Detailed report per ID selected: ID
Source Zone	Name of the source zone.
Destination Zone	Name of the destination zone.
profile	Name of the profile.	Users information.
Authentication method	Path chosen for authentication.
Policy Id	Policy Identifier.
Interface name	Name of the interface.
Bytes sent by this user	Number of packets in bytes sent by this user.
Bytes received by this user	Number of packets in bytes received by this user.
Client-groups	Name of the client group.
Detailed report per Source Ip selected
Entries from Source IP	IP address of the authentication source.
Source Zone	Name of the source zone.
Destination Zone	Name of the destination zone.
profile	Name of the profile.
Age	Idle timeout for the user.
Status	Status of authentication (success or failure).
user	Name of the user.
Authentication method	Path chosen for authentication.
Policy Id	Policy Identifier.
Interface name	Name of the interface.
Bytes sent by this user	Number of packets in bytes sent by this user.
Bytes received by this user	Number of packets in bytes received by this user.
Client-groups	Name of the client group.

Monitoring Firewall Authentication History

The firewall authentication history information is divided into multiple parts. To view information about the authentication history, select Monitor>Security>Firewall Authentication>Authentication History in the J-Web interface. To view the detailed history of the authentication with this identifier, select the ID on the Firewall Authentication History page. To view a detailed authentication history of this source IP address, select the Source IP on the Firewall Authentication History page.

Alternatively, enter the following CLI show commands:

show security firewall-authentication history
show security firewall-authentication history address ip-address
show security firewall-authentication history identifier identifier

Table 157 summarizes key output fields in firewall authentication history display.

Table 157: Summary of Key Firewall Authentication History Output Fields

Field	Values	Additional Information
History of Firewall Authentication Data
Total authentications	Number of authentication.
History Table
ID	Identification number.
Source Ip	IP address of the authentication source.
Start Date	Authentication date.
Start Time	Authentication time.
Duration	Authentication duration.
Status	Status of authentication (success or failure).
User	Name of the user.
Detail history of selected Id: ID
Authentication method	Path chosen for authentication.
Policy Id	Security policy identifier.
Source zone	Name of the source zone.
Destination Zone	Name of the destination zone.
Interface name	Name of the interface.
Bytes sent by this user	Number of packets in bytes sent by this user.
Bytes received by this user	Number of packets in bytes received by this user.
Client-groups	Name of the client group.
Detail history of selected Source Ip:Source Ip
User	Name of the user.
Start Date	Authentication date.
Start Time	Authentication time.
Duration	Authentication duration.
Status	Status of authentication (success or failure).
Profile	Name of the profile.
Authentication method	Path chosen for authentication.
Policy Id	Security policy identifier.
Source zone	Name of the source zone.
Destination Zone	Name of the destination zone.
Interface name	Name of the interface.
Bytes sent by this user	Number of packets in bytes sent by this user.
Bytes received by this user	Number of packets in bytes received by this user.
Client-groups	Name of the client group.