Monitoring Stateful Firewall Statistics

To view stateful firewall filter statistics in the J-Web interface, select Monitor > Firewall > Statistics Summary. Alternatively, enter the CLI command show services stateful-firewall statistics.

After you make changes to the configuration in this window, you must commit the changes immediately for them to take effect. To commit all changes to the active configuration, select Commit Options > Commit. See Using the Commit Options to Commit Configuration Changes (J-Web Procedure) for details about all commit options.

Table 42 summarizes key output fields for stateful firewall filter statistics.

Table 42: Summary of Key Stateful Firewall Statistics Output Fields

Interface
    Name of the services interface on which the service set is applied.

Service Set
    Name of the service set.

Accept
    Number of packets accepted by all rules defined in the service set.

Discard
    Number of packets silently discarded by all rules defined in the service set.

Reject
    Number of packets rejected by all rules defined in the service set (the packet is dropped and a rejection message is returned to the source).

New flows
    Number of packets that matched a rule while a new flow was being created, broken down by action:

      • Accept—Number of packets accepted.
      • Discards—Number of packets discarded.
      • Rejects—Number of packets rejected.

Existing flows
    Number of packets that matched an existing flow entry, broken down by action:

      • Accept—Number of packets accepted.
      • Discards—Number of packets discarded.
      • Rejects—Number of packets rejected.

Drops
    Number of packets dropped for the following reasons:

      • IP Option—Number of packets dropped because of the contents of the IP options field.
      • TCP SYN Defense—Number of packets dropped by the SYN defender, which protects against SYN-flood denial-of-service (DoS) attacks.
      • NAT Ports Exhausted—Number of packets dropped because the router had no free NAT port to assign for the source address. A steadily rising count means the NAT pool is undersized or a single source is opening an unusual number of sessions.

Errors
    Number of protocol errors detected:

      • IP—Number of IPv4 errors (for example, a failed minimum IP header length check).
      • TCP—Number of TCP errors (for example, a source or destination port number of zero).
      • UDP—Number of UDP errors (for example, IP data length less than the minimum UDP header length of 8 bytes).
      • ICMP—Number of ICMP errors (for example, a duplicate ping sequence number).
      • Non-IP Packets—Number of errors in packets that are not IPv4 packets.
      • ALG—Number of application-level gateway (ALG) errors.

For a complete list of protocol errors that are counted, see the description of the show services stateful-firewall statistics command in the Junos System Basics and Services Command Reference.
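The counters above are cumulative, so what matters operationally is how fast they grow between polls: a jump in TCP SYN Defense drops points at a SYN flood, any NAT Ports Exhausted drops point at a capacity problem, and a burst of TCP or IP Option errors usually means a scanner. The following script is an added example, not part of the Junos documentation or of any Juniper tool. It parses two constructed snapshots of the statistics, diffs them per service set, and raises alerts when the drop and error counters from the Drops and Errors rows grow faster than assumed thresholds. The text layout of the snapshots, the regexes, the threshold values and the function names are all assumptions made for illustration; adapt the regexes to what your device actually prints (or parse the command's XML output instead).

```python
"""Added example: rate-of-change alerting on stateful firewall statistics."""
import re

# CONSTRUCTED sample output for one service set, polled twice. The layout
# mirrors the fields of Table 42 and is an assumption, not verbatim output of
# `show services stateful-firewall statistics`.
SNAPSHOT_T0 = """\
Interface: ms-1/2/0, Service set: internet-ss
  Accept: 120000  Discard: 310  Reject: 12
  New flows: Accept: 8000  Discards: 200  Rejects: 10
  Existing flows: Accept: 112000  Discards: 110  Rejects: 2
  Drops: IP Option: 3  TCP SYN Defense: 15  NAT Ports Exhausted: 0
  Errors: IP: 1  TCP: 4  UDP: 0  ICMP: 2  Non-IP Packets: 0  ALG: 0
"""

SNAPSHOT_T1 = """\
Interface: ms-1/2/0, Service set: internet-ss
  Accept: 126500  Discard: 4610  Reject: 13
  New flows: Accept: 8400  Discards: 4480  Rejects: 11
  Existing flows: Accept: 118100  Discards: 130  Rejects: 2
  Drops: IP Option: 5  TCP SYN Defense: 4215  NAT Ports Exhausted: 37
  Errors: IP: 1  TCP: 9  UDP: 0  ICMP: 2  Non-IP Packets: 0  ALG: 0
"""

# Assumed layout: a header line per service set, then "Name: value" pairs,
# some of them prefixed by a section label such as "Drops:".
HEADER = re.compile(r"^Interface:\s*(\S+?),\s*Service set:\s*(\S+)")
SECTION = re.compile(r"^\s*(New flows|Existing flows|Drops|Errors):\s*")
PAIR = re.compile(r"([A-Za-z][A-Za-z -]*?):\s*(\d+)\b")

# Thresholds per poll interval: assumed illustrative values, tune to baseline.
ALERT_RULES = {
    "Drops / TCP SYN Defense": (1000, "possible SYN flood behind this service set"),
    "Drops / NAT Ports Exhausted": (1, "NAT pool exhausted: enlarge the pool or find the hog"),
    "Drops / IP Option": (100, "burst of IP-option packets (scan or evasion attempt)"),
    "Errors / TCP": (500, "surge of malformed TCP (port 0): scanner or broken client"),
}


def parse_stats(text):
    """Return {(interface, service_set): {"Section / Counter": int}}."""
    stats, current = {}, None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = stats.setdefault((head.group(1), head.group(2)), {})
            continue
        if current is None:
            continue  # text before the first header is ignored
        prefix = ""
        sec = SECTION.match(line)
        if sec:  # counters on this line belong to a named section
            prefix = sec.group(1) + " / "
            line = line[sec.end():]
        for name, value in PAIR.findall(line):
            current[prefix + name.strip()] = int(value)
    return stats


def delta(before, after):
    """Per-counter increase between two snapshots, per service set."""
    out = {}
    for key, new_counters in after.items():
        old = before.get(key, {})
        out[key] = {n: v - old.get(n, 0) for n, v in new_counters.items()}
    return out


def check(before_text, after_text):
    """Return [(service_set_key, counter, delta, reason)] for counters that
    exceeded their threshold. A negative delta means the statistics were
    cleared (or wrapped) between polls, which is reported rather than hidden."""
    alerts = []
    growth = delta(parse_stats(before_text), parse_stats(after_text))
    for key, counters in growth.items():
        for name, (limit, why) in ALERT_RULES.items():
            d = counters.get(name, 0)
            if d < 0:
                alerts.append((key, name, d, "counter decreased: statistics cleared or wrapped"))
            elif d >= limit:
                alerts.append((key, name, d, why))
    return alerts


if __name__ == "__main__":
    for key, counter, d, why in check(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"{key[1]} on {key[0]}: {counter} +{d} ({why})")
```

In production, feed `check` with the text captured from the CLI at each poll, and keep the previous snapshot so that the only per-poll state is one string per device.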