Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

show services stateful-firewall flows

Syntax

Description

Display stateful firewall flow table entries. When the interface is used for softwire processing, the type of softwire concentrator (DS-LITE or 6rd) is shown, and frame counts are provided.

Options

none

Display standard information about all stateful firewall flows.
brief | extensive | summary | terse

(Optional) Display the specified level of output.
application-protocol application-protocol

(Optional) Display information about one of the following application-level gateway (ALG) protocol types:

  • bootp—Bootstrap protocol

  • dce-rpc—Distributed Computing Environment (DCE) remote procedure call (RPC) protocol

    Note:

    Use this option to select Microsoft Remote Procedure Call (MSRPC).

  • dce-rpc-portmap—Distributed Computing Environment (DCE) remote procedure call (RPC) portmap protocol

  • dns—Domain Name Service protocol

  • exec—Remote execution protocol

  • ftp—File Transfer Protocol

  • h323—H.323 protocol

  • icmp—Internet Control Message Protocol

  • iiop—Internet Inter-ORB Protocol

  • ip—Internet protocol

  • netbios—NetBIOS protocol

  • netshow—Netshow protocol

  • pptp —Point-to-Point Tunneling Protocol

  • realaudio—RealAudio protocol

  • rpc—Remote Procedure Call protocol

    Note:

    Use this option to select Sun Microsystems Remote Procedure Call protocol (SunRPC).

  • rpc-portmap—Remote Procedure Call portmap protocol

  • rtsp—Real-Time Streaming Protocol

  • sip—Session Initiation Protocol

  • snmp—Simple Network Management Protocol

  • talk—Talk protocol

  • tftp—Trivial File Transfer Protocol

  • traceroute—Traceroute

  • winframe—WinFrame
count

(Optional) Display a count of the matching entries.
destination-port destination-port

(Optional) Display information for a particular destination port. The range of values is from 0 to 65535.
destination-prefix destination-prefix

(Optional) Display information for a particular destination prefix.
interface interface-name

(Optional) Display information about a particular interface. On M Series and T Series routers, interface-name can be ms-fpc/pic/port or rspnumber.

limit number

(Optional) Maximum number of entries to display.
protocol protocol

(Optional) Display information about one of the following IP types:

  • number—Numeric protocol value from 0 to 255

  • ah—IPsec Authentication Header protocol

  • egp—An exterior gateway protocol

  • esp—IPsec Encapsulating Security Payload protocol

  • gre—A generic routing encapsulation protocol

  • icmp—Internet Control Message Protocol

  • igmp—Internet Group Management Protocol

  • ipip—IP-within-IP Encapsulation Protocol

  • ospf—Open Shortest Path First protocol

  • pim—Protocol Independent Multicast protocol

  • rsvp—Resource Reservation Protocol

  • sctp—Stream Control Protocol

  • tcp—Transmission Control Protocol

  • udp—User Datagram Protocol
service-set service-set

(Optional) Display information for a particular service set.
source-port source-port

(Optional) Display information for a particular source port. The range of values is from 0 to 65535.
source-prefix source-prefix

(Optional) Display information for a particular source prefix.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show services stateful-firewall flows command. Output fields are listed in the approximate order in which they appear.

Table 1: show services stateful-firewall flows Output Fields

Field Name

Field Description

Interface

Name of the interface.

Service set

Name of a service set. Individual empty service sets are not displayed. If no service set has any flows, a flow table header is displayed for each service set.

Flow Count

Number of flows in a session.

Flow or Flow Prot

Protocol used for this flow.

Source

Source prefix of the flow in the format source-prefix:port. For ICMP flows, port information is not displayed.

Dest

Destination prefix of the flow. For ICMP flows, port information is not displayed.

State

Status of the flow:

  • Drop—Drop all packets in the flow without response.

  • Forward—Forward the packet in the flow without looking at it.

  • Reject—Drop all packets in the flow with response.

  • Watch—Inspect packets in the flow.

Dir

Direction of the flow: input (I) or output (O). For any configured stateful firewall rule, the reverse flow is dynamically created, so you will see an input and an output flow.

Frm count

Number of frames in the flow. If this value is zero, then that flow does not yet exist.

Sample Output

show services stateful-firewall flows

On the MX Series router, both input (I) and output (O) flow entries appear, even if traffic only flows in one direction. This applies to both NAT and non-NAT cases.

show services stateful-firewall flows (For Softwire Flows)

When a service set includes softwire processing, the following output format is used for the softwire flows:

show services stateful-firewall flows brief

The output for the show services stateful-firewall flows brief command is identical to that for the show services stateful-firewall flows command. For sample output, see show services stateful-firewall flows.

show services stateful-firewall flows extensive

show services stateful-firewall flows count

show services stateful-firewall flows destination port

show services stateful-firewall flows source port

show services stateful-firewall flows (Twice NAT)

Release Information

Command introduced before Junos OS Release 7.4.

pgcp option introduced in Junos OS Release 8.4.

application-protocol option introduced in Junos OS Release 10.4.

Related Documentation