show security flow session application-firewall
Syntax
show security flow session application-firewall < dynamic-application (dyn-app-name | junos:UNKNOWN) > < dynamic-application-group (dyn-app-group | junos:UNASSIGNED) > < application-firewall-rule-set rule-set-name > < rule rule-name > < brief | extensive | summary >
Description
Display all sessions where application firewall is enabled.
Include options to filter the output and display only those enabled sessions with the specified features.
Options
- dynamic-application (dyn-app-name | junos:UNKNOWN)–Display only those enabled sessions with the specified dynamic application. Enter junos:UNKNOWN to display all enabled sessions where no dynamic application can be determined.
- dynamic-application-group (dyn-app-group | junos:UNASSIGNED)–Display only those enabled sessions with the specified dynamic application group. Enter junos:UNASSIGNED to display all enabled sessions where no dynamic application group can be determined.
- application-firewall-rule-set rule-set-name–Display only those enabled sessions that match the specified rule set.
- rule rule-name–Display only those enabled sessions that match the specified rule.
- brief | extensive | summary–Specify the level of detail for the display.

The output fields for the brief and summary options are the same as those of the show security flow session command. Only the extensive display is different and is shown in the following output table and examples.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security flow session application-firewall extensive command. Output fields are listed in the approximate order in which they appear in the extensive display.
| Field Name | Field Description |
|---|---|
| Session ID | Number that identifies the session. Use this ID to display more information about a session. |
| Status | Session status. |
| State | Current state of the session: Active, Pending, Closed, Unknown. |
| Flag | Internal flag depicting the state of the session. It is used for debugging purposes. |
| Policy name | The name of the policy that permitted the traffic. |
| Source NAT pool | The name of the source pool where NAT is used. |
| Dynamic application | Name of the dynamic application of the session. If the dynamic application has yet to be determined, the output indicates Pending. If the dynamic application cannot be determined, the output indicates junos:UNKNOWN. |
| Dynamic application group | Name of the dynamic application group of the session. If the dynamic application cannot be determined, the output indicates junos:UNASSIGNED. |
| Dynamic nested application | Name of the dynamic nested application of the session if one exists. If the dynamic nested application is yet to be determined, the output indicates Pending. If the dynamic nested application cannot be determined, the output indicates junos:UNKNOWN. |
| Application firewall rule-set | Name of the rule set that the session matched. |
| Rule | Name of the rule that the session matched. If the match has not yet been made, the output indicates Pending. If the rule has been deleted since the match was made, the output indicates the rule is invalid. |
| Maximum timeout | Maximum amount of idle time allowed for the session. |
| Current timeout | Number of seconds that the current session has been idle. |
| Session State | Session state. |
| Start time | Time when the session was created. Start time is indicated as an offset from the system start time. |
| In | Incoming flow (source and destination IP addresses, application protocol, interface, session token, route, gateway, tunnel, port sequence, FIN sequence, FIN state, packets, and bytes). |
| Out | Reverse flow (source and destination IP addresses, application protocol, interface, session token, route, gateway, tunnel, port sequence, FIN sequence, FIN state, packets and bytes). |
| Total sessions | Total number of sessions per PIC that fit the display criteria. |
Sample Output
- show security flow session application-firewall extensive
- show security flow session application-firewall dynamic-application junos:FTP extensive
- show security flow session application-firewall dynamic-application junos:UNKNOWN extensive
- show security flow session application-firewall dynamic-application-group junos:WEB extensive
- show security flow session application-firewall application-firewall-rule-set rule-set1 extensive
show security flow session application-firewall extensive
The displayed information is similar to the show security flow session output but includes dynamic application and application firewall details for the session.
user@host> show security flow session application-firewall extensive
Flow Sessions on FPC9 PIC0:
Session ID: 3729, Status: Normal, State: Active
Policy name: self-traffic-policy/1
Source NAT pool: Null
Dynamic application: junos:HTTP, Dynamic nested application: junos:FACEBOOK-ACCESS
Application firewall rule-set: rule-set1, Rule: rule2
Maximum timeout: 300, Current timeout: 276
Session State: Valid
Start time: 18292, Duration: 603536
In: 192.0.2.1/1 --> 203.0.113.1/1;pim,
Interface: reth1.0,
Session token: 0x1c0, Flag: 0x0x21
Route: 0x0, Gateway: 192.0.2.4, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 21043, Bytes: 1136322
Out: 203.0.113.1/1 --> 192.0.2.1/1;pim,
Interface: .local..0,
Session token: 0x80, Flag: 0x0x30
Route: 0xfffd0000, Gateway: 203.0.113.13, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
Total sessions: 1
show security flow session application-firewall dynamic-application junos:FTP extensive
Entering a specific dynamic application in the command line filters the output and displays only those sessions with the specified application.
user@host> show security flow session application-firewall dynamic-application junos:FTP extensive
Flow Sessions on FPC3 PIC0:
Session ID: 180013338, Policy name: policy1/4, Timeout: 1776, Valid
Dynamic application: junos:FTP
Application firewall rule-set: rule-set1, Rule: rule1
Maximum timeout: 300, Current timeout: 276
Session State: Valid
Start time: 18292, Duration: 603536
In: 192.0.2.4/1 --> 203.0.113.13/1;pim,
Interface: reth1.0,
Session token: 0x1c0, Flag: 0x0x21
Route: 0x0, Gateway: 192.0.2.4, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 21043, Bytes: 1136322
Out: 203.0.113.13/1 --> 192.0.2.4/1;pim,
Interface: .local..0,
Session token: 0x80, Flag: 0x0x30
Route: 0xfffd0000, Gateway: 203.0.113.13, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
Total sessions: 1
show security flow session application-firewall dynamic-application junos:UNKNOWN extensive
Using the keyword junos:UNKNOWN displays those enabled sessions where the dynamic application cannot be determined.
user@host> show security flow session application-firewall dynamic-application junos:UNKNOWN extensive
Flow Sessions on FPC9 PIC0:
Session ID: 180013338, Policy name: policy1/4, Timeout: 1776, Valid
Dynamic application: junos:UNKNOWN
Application firewall rule-set: rule-set1, Rule:rule1
Maximum timeout: 300, Current timeout: 276
Session State: Valid
Start time: 18292, Duration: 603536
In: 192.0.2.4/1 --> 203.0.113.13/1;pim,
Interface: reth1.0,
Session token: 0x1c0, Flag: 0x0x21
Route: 0x0, Gateway: 192.0.2.4, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 21043, Bytes: 1136322
Out: 203.0.113.13/1 --> 192.0.2.4/1;pim,
Interface: .local..0,
Session token: 0x80, Flag: 0x0x30
Route: 0xfffd0000, Gateway: 203.0.113.13, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
Session ID: 180013339, Policy name: policy1/4, Timeout: 1776, Valid
Dynamic application: junos:HTTP, Dynamic nested application: junos:UNKNOWN
Application firewall rule-set: rule-set1, Rule:rule1
Maximum timeout: 300, Current timeout: 276
Session State: Valid
Start time: 18292, Duration: 603536
In: 192.0.2.4/1 --> 203.0.113.13/1;pim,
Interface: reth1.0,
Session token: 0x1c0, Flag: 0x0x21
Route: 0x0, Gateway: 192.0.2.4, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 21043, Bytes: 1136322
Out: 203.0.113.13/1 --> 192.0.2.4/1;pim,
Interface: .local..0,
Session token: 0x80, Flag: 0x0x30
Route: 0xfffd0000, Gateway: 203.0.113.13, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
Total sessions: 2
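For auditing saved output offline, the following added example (not part of the Junos documentation) parses extensive output into per-session records, flags sessions whose application is junos:UNKNOWN or still Pending, and counts sessions per rule. The sample text is constructed from the two session-header layouts shown on this page; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modeled on the two session-header layouts shown on this page.
SAMPLE = """\
Session ID: 3729, Status: Normal, State: Active
Policy name: self-traffic-policy/1
Dynamic application: junos:HTTP, Dynamic nested application: junos:FACEBOOK-ACCESS
Application firewall rule-set: rule-set1, Rule: rule2
Session ID: 180013338, Policy name: policy1/4, Timeout: 1776, Valid
Dynamic application: junos:UNKNOWN
Application firewall rule-set: rule-set1, Rule:rule1
Session ID: 180013339, Policy name: policy1/4, Timeout: 1776, Valid
Dynamic application: Pending
Application firewall rule-set: rule-set1, Rule: Pending
Total sessions: 3
"""

# "Field: value" pairs of interest; a value ends at the next comma or end of line.
PAIR = re.compile(r"\b(Session ID|Policy name|Dynamic application|"
                  r"Dynamic nested application|Application firewall rule-set|Rule)"
                  r":[ \t]*([^,\n]+)")

def parse_sessions(text):
    """Return one dict per session; a 'Session ID' field starts a new record."""
    sessions = []
    for key, value in PAIR.findall(text):
        if key == "Session ID":
            sessions.append({})
        if sessions:
            sessions[-1].setdefault(key, value.strip())
    return sessions

def needs_review(session):
    """List reasons to look closer, using the Pending/UNKNOWN values from Table 1."""
    apps = (session.get("Dynamic application"), session.get("Dynamic nested application"))
    rule = session.get("Rule", "")
    reasons = []
    if "junos:UNKNOWN" in apps:
        reasons.append("application not identified")
    if "Pending" in apps:
        reasons.append("application identification pending")
    if rule == "Pending":
        reasons.append("rule match pending")
    return reasons

def rule_hits(sessions):
    """Count sessions per (rule set, rule) pair."""
    return Counter((s.get("Application firewall rule-set"), s.get("Rule")) for s in sessions)
```

Calling `parse_sessions` on captured output and passing each record to `needs_review` lists the sessions that reached a rule without an identified application.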
show security flow session application-firewall dynamic-application-group junos:WEB extensive
Entering a specific dynamic application group in the command line filters the output and displays only those sessions with the specified application group.
user@host> show security flow session application-firewall dynamic-application-group junos:WEB extensive
Flow Sessions on FPC9 PIC0:
Session ID: 180013338, Policy name: policy1/4, Timeout: 1776, Valid
Dynamic application: junos:HOTMAIL
Application firewall rule-set: rule-set1, Rule: rule1
Maximum timeout: 300, Current timeout: 276
Session State: Valid
Start time: 18292, Duration: 603536
In: 192.0.2.4/1 --> 203.0.113.13/1;pim,
Interface: reth1.0,
Session token: 0x1c0, Flag: 0x0x21
Route: 0x0, Gateway: 192.0.2.4, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 21043, Bytes: 1136322
Out: 203.0.113.13/1 --> 192.0.2.4/1;pim,
Interface: .local..0,
Session token: 0x80, Flag: 0x0x30
Route: 0xfffd0000, Gateway: 203.0.113.13, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
Total sessions: 1
show security flow session application-firewall application-firewall-rule-set rule-set1 extensive
Specifying a rule set name reduces the display to only those sessions matching the specified rule set.
user@host> show security flow session application-firewall application-firewall-rule-set rule-set1 extensive
Flow Sessions on FPC9 PIC0:
Session ID: 180013338, Policy name: policy1/4, Timeout: 1776, Valid
Dynamic application: junos:FTP
Application firewall rule-set: rule-set1, Rule: rule1
Maximum timeout: 300, Current timeout: 276
Session State: Valid
Start time: 18292, Duration: 603536
In: 192.0.2.4/1 --> 203.0.113.13/1;pim,
Interface: reth1.0,
Session token: 0x1c0, Flag: 0x0x21
Route: 0x0, Gateway: 192.0.2.4, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 21043, Bytes: 1136322
Out: 203.0.113.13/1 --> 192.0.2.4/1;pim,
Interface: .local..0,
Session token: 0x80, Flag: 0x0x30
Route: 0xfffd0000, Gateway: 203.0.113.13, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
Session ID: 180013339, Policy name: policy1/4, Timeout: 1776, Valid
Dynamic application: junos:HTTP, Dynamic nested application: junos:FACEBOOK-ACCESS
Application firewall rule-set: rule-set1, Rule: rule2
Maximum timeout: 300, Current timeout: 276
Session State: Valid
Start time: 18292, Duration: 603536
In: 192.0.2.4/1 --> 203.0.113.13/1;pim,
Interface: reth1.0,
Session token: 0x1c0, Flag: 0x0x21
Route: 0x0, Gateway: 192.0.2.4, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 21043, Bytes: 1136322
Out: 203.0.113.13/1 --> 192.0.2.4/1;pim,
Interface: .local..0,
Session token: 0x80, Flag: 0x0x30
Route: 0xfffd0000, Gateway: 203.0.113.13, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
Total sessions: 2
Release Information
Command introduced in Junos OS Release 11.2.