Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


show security flow statistics



Display security flow statistics on a specific SPU. A flow is a stream of related packets that meet the same matching criteria and share the same characteristics.

A packet undergoes flow-based processing after packet-based filters and some screens have been applied to it. A System Processing Unit (SPU) processes the packets of a flow according to the security features and other services configured for the session. Flow-based packet processing treats related packets, or a stream of packets, in the same way. Packet treatment depends on characteristics that were established for the first packet of the packet stream.

The show security flow statistics command displays information for individual SPUs. For each SPU, the active sessions on the SPU, packets received, packets transmitted, packets forwarded/queued, packets copied, packets dropped, packet fragments received in a flow on the SPU, pre-fragmented packets generated, and post-fragmented packets generated are displayed in terms of numbers.

There are many conditions that can cause a packet to be dropped. Here are some of them:

  • A screen module detects IP spoofing

  • The IPSec Encapsulating Security Payload (ESP) or the Authentication Header (AH) authentication failed. For example, incoming NAT errors could cause this to happen.

  • A packet matches more than one security policy that specifies user authentication. (Sometimes packets are looped through the system more than once. Each time a packet passes through the system, that packet must be permitted by a policy.)

  • A time constraint setting expires. For example, multicast streams with a packet interval of more than 60 seconds would experience premature aging-out of flow sessions. (In most cases, you can configure higher time-out value to prevent packet drop.)

Packet fragmentation can occur for a number of reasons, and, in some cases, it can be controlled through a configuration setting. Every link has a maximum transmission unit (MTU) size that specifies the size of the largest packet that the link can transmit. A larger MTU size means that fewer packets are required to transmit a certain amount of data. However, for a packet to successfully traverse the path from the source node to the destination node, the MTU size of the source node egress interface must be no larger than that of the smallest MTU size of all nodes on the path between the source and destination. This value is referred to as the path maximum transmission unit (path MTU).

When a packet is larger that the MTU size on any link in the data path, the link might fragment it or drop it.

  • For IPv4, if a node within the path between a source node and a destination node receives a packet that is larger than its MTU size, it can fragment the packet and transmit the resulting smaller packets.

  • For IPv6, an intermediate node cannot fragment a packet. If a packet is larger than a link’s MTU size, it is likely that the link will drop it. However, the source node (the node that sent the packet) can fragment a packet, and this is done to accommodate a path MTU size-adjustment requirement. Nodes along the path of a packet cannot fragment the packet to transmit it.

The fragmentation counters feature for IPsec tunnels provides the show output information for the pre-fragments generated and post-fragments generated fields.

Starting in Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, SRX5K-MPC3-100G10G (IOC3) and SRX5K-MPC3-40G10G (IOC3) are introduced for SRX5400, SRX5600, and SRX5800 devices that perform hash-based datapath packet forwarding to interconnect with all existing IOC and SPC cards using the XL chip (packet-processing chip). The IOC3 XL chip uses a hash-based method to distribute ingress traffic to a pool of SPUs by default.



Displays the security flow statistics information.


(Optional) For chassis cluster configurations, displays all security flow statistics on a specific node (device) in the cluster.

  • node-id—Identification number of the node. It can be 0 or 1.

  • all—Displays information about all nodes.

  • local—Displays information about the local node.

  • primary—Displays information about the primary node.

logical-system logical-system-name

(Optional) Displays information about the specified logical system.

logical-system all

(Optional) Displays information about all the logical systems.

tenant tenant-name

(Optional) Displays information about the specified tenant system.

tenant all

(Optional) Displays information about all tenant systems.

Required Privilege Level


Output Fields

Table 1 lists the output fields for the show security flow statistics command. Output fields are listed in the approximate order in which they appear.

Table 1: show security flow statistics Output Fields

Field Name

Field Description

Current sessions

Number of active sessions on the SPU.

Packets received

Number of packets received in a security flow of a specific SPU. The packets are processed and forwarded on that SPU.

Packets transmitted

Number of packets returned to Jexec for transmission.

Packets forwarded/queued

Number of packets fowarded or number of packets queued up by other modules.


Dropped packets are not captured by this field.

Packets copied

Number of packets copied by other modules including fragmentation and tcp proxy.

Packets dropped

Number of packets dropped in a flow on a specific SPU.

The packets are received in the flow. However, during processing, the system discovers sanity check errors, security violations, or other conditions that caused the packet to be dropped.

See the description for some of the conditions and events that can cause a packet to be dropped.

Fragment packets

Number of fragments received in a flow on the SPU. See the description for information about packet fragments.

Pre fragments generated

For IPsec tunnels, the number of fragments that are self-generated by the SRX Series Firewall before it encapsulates the packet with the IPsec encryption header.

Post fragments generated

For IPsec tunnels, the number of fragments that are received by the SRX Series Firewall and packets that are fragmented after encryption.

Sample Output

show security flow statistics

show security flow statistics logical-system LSYS1

show security flow statistics

show security flow statistics tenant TSYS1

show security flow statistics

Release Information

Command introduced in Junos OS Release 10.2.

Fragmentation counters options introduced in Junos OS Release 15.1X49-90.

Support added at the logical system and tenant system level in Junos OS Release 20.1R1.