Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


show security flow cp-session



Display central point session-related flow information. This command is supported on the SRX5800, SRX5600, and SRX5400 devices.


  • conn-tag—Session connection tag (0..4294967295)

  • destination-port—Destination port (1..65535)

  • destination-prefix—Destination prefix

  • family—Display session by family.

  • logical-system—Logical-system name

  • node—(Optional) For chassis cluster configurations, display security flow cp-session information on a specific node (device) in the cluster.

    • node-id —Identification number of the node. It can be 0 or 1.

    • all —Display information about all nodes.

    • local —Display information about the local node.

    • primary—Display information about the primary node.

  • protocol—IP protocol number

  • root-logical-system—Root logical-system (default)

  • source-port—Source port (1..65535)

  • source-prefix—Source IP prefix or address

  • summary | terse–Display the specified level of output.

Required Privilege Level


Output Fields

Table 1 lists the output fields for the show security flow cp-session command. Output fields are listed in the approximate order in which they appear.

Table 1: show security flow cp-session Output Fields

Field Name

Field Description

Valid gates

Number of valid central point sessions.

Pending gates

Number of pending central point sessions.

Invalidated gates

Number of invalid central point sessions.

Gates in other states

Number of central point sessions in other states.

Total gates

Number of central point sessions in total.

Maximum sessions

Number of maximum central point sessions.

Maximum inet6 sessions

Number of maximum inet6 central point sessions.

Session ID

Number that identifies the session. Use this ID to get more information about the session.

Conn Tag

A 32-bit connection tag that uniquely identifies the GPRS tunneling protocol, user plane (GTP-U) and the Stream Control Transmission Protocol (STCP) sessions. The connection tag for GTP-U is the tunnel endpoint identifier (TEID) and for SCTP is the vTag. The connection ID remains 0 if the connection tag is not used by the sessions.


Services Processing Unit.


Incoming flow (source and destination IP addresses).


Reverse flow (source and destination IP addresses).

Sample Output

show security flow cp-session

Sample Output

show security flow cp-session summary

show security flow cp-session terse

Release Information

Command introduced in Junos OS Release 10.2. Support.