show security flow session
Syntax
show security flow session
Syntax
show security flow session <source-prefix ipprefix> <destination-prefix ipprefix> <source-port> <destination-port> <protocol> <summary | brief | extensive | pretty | plugins> <encrypted> <idp | ssl | tunnel | nat | services-offload | resource-manager | application-traffic-control | security-intelligence | advanced-anti-malware | anti-virus | drop-flow | selective-sync-disabled | content-filtering | web-filtering> <family> <policy-id> <zone zone> <interface interface> <application-traffic-control-rule-set application-traffic-control-rule-set> <dynamic-application dynamic-application> <url-category url-category> <dynamic-application-group dynamic-application-group> <logical-system | root-logical-system | tenant | all-logical-systems-tenants> <conn-tag> <vrf-group vrf-group> <session-state> <tunnel-inspection-type> <vxlan-vni> <geneve-vni> <ha-link> <plugin-name> <plugin-status> <duration-more-than> <duration-less-than> <timeout-more-than> <timeout-less-than> <curr-more-than> <curr-less-than> <packets-more-than> <packets-less-than> <bytes-more-than> <bytes-less-than> <source-tenant source-tenant> <destination-service destination-service> <aging> <source-nat-pool source-nat-pool> <nat-port-overload-index> <tunnel-info> <session-type> <gbp-src-tag> <gbp-dst-tag> <domain-id> <node-id>
Description
Display information about all
currently active security sessions on the device. For the normal flow sessions, the
show security flow session command displays byte counters based on IP
header length. However, for sessions in Express Path mode, the statistics are collected from
the IOC2 (SRX5K-MPC), IOC3 (SRX5K-MPC3-100G10G and SRX5K-MPC3-40G10G), and IOC4
(SRX5K-IOC4-MRAT and SRX5K-IOC4-10G) ASIC hardware engines and include full packet length
with L2 headers. Because of this, the output displays slightly larger byte counters for
sessions in Express Path mode than for the normal flow session.
Options
-
filter—Filter the display by the specified criteria.
The following filters reduce the display to those sessions that match the criteria specified by the filter. Refer to the specific
showcommand for examples of the filtered output.advanced-anti-malware Show advanced-anti-malware sessions. For details on the
advanced-anti-malwareoption, see the Sky Advanced Threat Prevention CLI Reference Guide.all-logical-systems-tenants All multitenancy systems.
application Predefined application name.
application-firewall Application firewall enabled.
application-firewall-rule-set Application firewall enabled with the specified rule set.
application-traffic-control Application traffic control session.
application-traffic-control-rule-set Application traffic control rule set name and rule name.
bytes-less-than Define session's bytes-count less than a value (1..4294967295). bytes-more-than Define session's bytes-count more a value (1..4294967295). conn-tag Session connection tag (0..4294967295).
content-filtering Display the content filtering session details.
curr-less-than Define session's current-timeout value less than a value (1..100000). curr-more-than Define session's current-timeout value more than a value (1..100000). destination-port Destination port.
destination-prefix Destination IP prefix or address.
domain-id Domain identification number in a four-node Multinode High Availability setup (1 or 2) dynamic-application Dynamic application.
dynamic-application-group Dynamic application.
duration-less-than Define session's duration time less than a value (1..100000). duration-more-than Define session's duration time more than a value (1..100000). encrypted Encrypted traffic.
family Display session by family.
gbp-src-tag Source gbp tag
gbp-dst-tag Destination gbp tag
ha-link Display HA link session information. idp IDP-enabled sessions.
interface Name of incoming or outgoing interface.
logical-system (all | logical-system-name) Name of a specific logical system or
allto display all logical systems.nat Display sessions with network address translation.
nat-port-overload-index Displays NAT port overload index; the range is 0 through 127. node(Optional) For chassis cluster configurations, display security flow session information on a specific node (device) in the cluster.
-
node-id—Identification number of the node. It can be 0 or 1. -
all—Display information about all nodes. -
local—Display information about the local node. -
primary—Display information about the primary node.
node-id Node identification number in a four-node Multinode High Availability setup (1..255) packets-less-than Define session's packets-count less than a value (1..4294967295). packets-more-than Define session's packets-count more than a value (1..4294967295). plugin-name Plugin name. plugin-status Plugin status. plugins Display the flow session information of plugins. policy-id Display session information based on policy ID; the range is 1 through 4,294,967,295.
pretty Display the flow session information in a list to make it easy for you to read and monitor. protocol IP protocol number
-
ah—IP Security authentication header
-
egp—Exterior gateway protocol
-
esp—IPSec Encapsulating Security Payload
-
gre—Generic routing encapsulation
-
icmp—Internet Control Message Protocol
-
icmp6—Internet Control Message Protocol Version 6
-
igmp—Internet Group Management Protocol
-
ipip—IP in IP
-
ospf—Open Shortest Path First
-
pim—Protocol Independent Multicast
-
protocol-number—Numeric protocol value (0 .. 255)
-
rsvp—Resource Reservation Protocol
-
sctp—Stream Control Transmission Protocol
-
tcp—Transmission Control Protocol
-
udp—User Datagram Protocol
resource-manager Resource manager.
root-logical-system Display root logical system as default.
security-intelligence Display security intelligence sessions.
services-offload Display services offload sessions.
session-identifier Display session with specified session identifier.
session-state Session state. session-type Session type
-
HTTP2-child—HTTP2 child session
-
HTTP2-parent—HTTP2 parent session
source-nat-pool Displays the source NAT pool name. source-port Source port.
source-prefix Source IP prefix.
ssl Display the SSL proxy sessions information. tenant Displays the security flow session information for a tenant system.
timeout-less-than Define session's timeout value less than a value (1..100000). timeout-more-than Define session's timeout value more than a value (1..100000). tunnel Tunnel sessions.
tunnel-inspection-type Tunnel inspection type
-
geneve—Show geneve tunnel inspection
-
gre—Show gre tunnel inspection
-
ipip—Show ipip tunnel inspection
-
vxlan—Show vxlan tunnel inspection
vxlan-vni It only lists the tunnel session which vni matches the one you specify in the command.
url-category Display flow session information by url-category. vrf-group Display flow session information by L3VPN VRF Group. web-filtering Display the web filtering sessions details. -
-
brief | extensive | summary—Display the specified level of output.
-
none—Display information about all active sessions.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the
show security flow session command. Output fields are listed in the
approximate order in which they appear.
|
Field Name |
Field Description |
Level of Output |
|---|---|---|
|
|
Number that identifies the session. Use this ID to get more information about the session. |
brief extensive none |
|
If |
Interface name. |
brief none |
|
State |
Status of security flow session. |
brief extensive none |
|
|
A 32-bit connection tag that uniquely identifies the GPRS tunneling protocol, user plane (GTP-U) and the Stream Control Transmission Protocol (STCP) sessions. The connection tag for GTP-U is the tunnel endpoint identifier (TEID) and for SCTP is the vTag. The connection ID remains 0 if the connection tag is not used by the sessions. |
brief extensive none |
|
|
Number that identifies the central point session. Use this ID to get more information about the central point session. |
brief extensive none |
|
|
Name and ID of the policy that the first packet of the session matched. |
brief extensive none |
|
|
Idle timeout after which the session expires. |
brief extensive none |
|
|
Incoming flow (source and destination IP addresses, application protocol, interface, session token, route, gateway, tunnel, port sequence, FIN sequence, FIN state, packets and bytes). |
brief extensive none |
|
Bytes |
Number of received and transmitted bytes. |
brief extensive none |
|
Pkts |
Number of received and transmitted packets. |
brief extensive none |
|
|
Total number of sessions. |
brief extensive none |
|
|
Reverse flow (source and destination IP addresses, application protocol, interface, session token, route, gateway, tunnel, port sequence, FIN sequence, FIN state, packets and bytes). |
brief extensive none |
|
|
Session status. |
extensive |
|
|
Internal flag depicting the state of the session, used for debugging purposes. |
extensive |
|
|
The name of the source pool where NAT is used. |
extensive |
|
|
Name of the application. |
extensive |
|
|
AppQoS rule set for this session. |
extensive |
|
|
AppQoS rule for this session. |
extensive |
|
|
Maximum session timeout. |
extensive |
|
|
Remaining time for the session unless traffic exists in the session. |
extensive |
|
|
Session state. |
extensive |
|
|
Time when the session was created, offset from the system start time. |
extensive |
|
|
Number of unicast sessions. |
Summary |
|
|
Number of multicast sessions. |
Summary |
|
|
Number of services-offload sessions. |
Summary |
|
|
Number of failed sessions. |
Summary |
Selective-session-sync: |
Number of sessions synchronizaed to ICL and IDL with selective-session-synch options applied. |
Summary |
|
|
Number of sessions in use.
|
Summary |
|
|
Maximum number of sessions permitted. |
Summary |
Active Domain Id |
Domain identifier that is currently active in a four-node MNHA setup. |
Summary |
Node Id |
Domain identifier that is currently active in a four-node MNHA setup. |
Summary |
Sample Output
- show security flow session
- show security flow session (with default policy)
- show security flow session (drop flow)
- show security flow session (IPv6 tunnel)
- show security flow session brief
- show security flow session content-filtering
- show security flow session extensive
- show security flow session extensive
- show security flow session summary
- show security flow session tunnel-inspection-type
- show security flow session tunnel-inspection-type
- show security flow session web-filtering
- show security flow session (source and destination tags)
- show security flow session extensive (source and destination tags)
- show security flow session session-identifier (source and destination tags)
- show security flow session gbp-dst-tag
- show security flow session gbp-dst-tag
- show security flow session summary (Selective Session Sync)
- show security flow session (Four-Node MNHA)
- show security flow session (Interface Zone to VRF Zone)
- show security flow session (VRF Zone to VRF Zone)
- show security flow session (When incoming traffic is pure IP based and outgoing traffic is VRF based and that VRF is not attached to any VRF zone)
show security flow session
user@host> show security flow session Flow Sessions on FPC0 PIC1: Session ID: 10115977, Policy name: SG/4, State: Active, Timeout: 56, Valid In: 203.0.113.1/1000 --> 203.0.113.11/2000;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 1, Bytes: 86, CP Session ID: 10320276 Out: 203.0.113.11/2000 --> 203.0.113.1/1000;udp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0, CP Session ID: 10320276 Total sessions: 1
show security flow session (with default policy)
user@host> show security flow session Session ID: 36, Policy name: pre-id-default-policy/n, Timeout: 2, Valid In: 10.10.10.2/61606 --> 10.10.10.1/179;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 64, Out: 10.10.10.1/179 --> 10.10.10.2/61606;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 40,
show security flow session (drop flow)
Shows dropped flows for SRX5400.
user@host> show security flow session Outgoing wing: CP session ID: 12, CP sess SPU Id: 4617 1.0.0.1/55069 <- 1.0.0.254/23;6, Conn, Drop Flow Tag: 0x0, VRF GRP ID: 0(0), If: xe-1/0/0.0 (7), Flag: 0x40000020, Vector index: 0x00000002 WSF: 1, Diff: 0, Sequence: 0, Ack: 0, Port sequence: 0, FIN sequence: 0, FIN state: 0 Zone Id: 7, NH: 0x40010, NSP tunnel: 0x0, NP info: 0xffthread id:255
show security flow session (IPv6 tunnel)
user@host> show security flow session Session ID: 44, Policy name: N/A, State: Stand-alone, Timeout: N/A, Valid In: 9001::4/1 --> 9001::3/1;ipip, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0, Session ID: 45, Policy name: N/A, State: Stand-alone, Timeout: N/A, Valid In: 9001::4/1 --> 9001::3/1;ipv6, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0, Session ID: 57, Policy name: default-policy-logical-system-00/2, State: Stand-alone, Timeout: 1796, Valid In: 20.0.0.2/37628 --> 30.0.0.2/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 22, Bytes: 4409, Out: 30.0.0.2/22 --> 20.0.0.2/37628;tcp, Conn Tag: 0x0, If: ip-0/0/0.1, Pkts: 30, Bytes: 5209, Session ID: 58, Policy name: default-policy-logical-system-00/2, State: Stand-alone, Timeout: 1784, Valid In: 2001::2/58602 --> 3001::2/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 31, Bytes: 5569, Out: 3001::2/22 --> 2001::2/58602;tcp, Conn Tag: 0x0, If: ip-0/0/0.1, Pkts: 28, Bytes: 6249, Total sessions: 4
show security flow session brief
user@host> show security flow session brief Flow Sessions on FPC0 PIC1: Session ID: 10115977, Policy name: SG/4, State: Active, Timeout: 62, Valid In: 203.0.113.11/1000 --> 203.0.113.1/2000;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 1, Bytes: 86, CP Session ID: 10320276 Out: 203.0.113.1/2000 --> 203.0.113.11/1000;udp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0, CP Session ID: 10320276 Total sessions: 1
show security flow session content-filtering
user@host> show security flow session content-filtering Flow Sessions on FPC0 PIC1: Session ID: 10115977, Policy name: SG/4, State: Active, Timeout: 62, Valid In: 192.0.2.0/24/1000 --> 203.0.113.0/2000;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 1, Bytes: 86, CP Session ID: 10320276 Out: 203.0.113.0/2000 --> 192.0.2.0/24/1000;udp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0, CP Session ID: 10320276 Total sessions: 1
show security flow session extensive
user@host> show security flow session extensive
Flow Sessions on FPC0 PIC1:
Session ID: 10115977, Status: Normal, State: Active
Flags: 0x8000040/0x18000000/0x12000003
Policy name: SG/4
Source NAT pool: Null, Application: junos-gprs-gtp-v0-udp/76
Dynamic application: junos:UNKNOWN,
Encryption: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 90, Current timeout: 54
Session State: Valid
Start time: 6704, Duration: 35
In: 203.0.113.11/1000 --> 201.11.0.100/2000;udp,
Conn Tag: 0x0, Interface: reth1.0,
Session token: 0x6, Flag: 0x40000021
Route: 0x86053c2, Gateway: 201.10.0.100, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 1, Bytes: 86
CP Session ID: 10320276
Out: 203.0.113.1/2000 --> 203.0.113.11/1000;udp,
Conn Tag: 0x0, Interface: reth0.0,
Session token: 0x7, Flag: 0x50000000
Route: 0x86143c2, Gateway: 203.0.113.11, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
CP Session ID: 10320276
Total sessions: 1show security flow session extensive
user@host> show security flow session extensive
Flow Sessions on FPC0 PIC0:
Session ID: 10000059, Status: Normal
Flags: 0x10000/0x0/0x10/0x1
Policy name: N/A
Source NAT pool: Null
Dynamic application: junos:UNKNOWN,
Encryption: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: N/A, Current timeout: N/A
Session State: Valid
Start time: 642, Duration: 369
In: 3.0.0.2/64387 --> 2.0.0.1/8940;esp,
Conn Tag: 0x0, Interface: xe-2/0/2.0,
Session token: 0x7, Flag: 0x80100621
Route: 0xc0010, Gateway: 2.0.0.2, Tunnel: 0
ESP/AH frag Rx: 0, Generated: 0
Inner IPv4 frag Rx: 0, Tx: 0, Generated: 0,
Inner IPv6 frag Rx: 0, Tx: 0, Generated: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 25, Bytes: 3760
CP Session ID: 0
Session ID: 10000060, Status: Normal
Flags: 0x10000/0x0/0x10/0x1
Policy name: N/A
Source NAT pool: Null
Dynamic application: junos:UNKNOWN,
Encryption: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: N/A, Current timeout: N/A
Session State: Valid
Start time: 642, Duration: 369
In: 3.0.0.2/0 --> 2.0.0.1/0;esp,
Conn Tag: 0x0, Interface: xe-2/0/2.0,
Session token: 0x7, Flag: 0x621
Route: 0xc0010, Gateway: 2.0.0.2, Tunnel: 0
ESP/AH frag Rx: 0, Generated: 0
Inner IPv4 frag Rx: 0, Tx: 0, Generated: 0,
Inner IPv6 frag Rx: 0, Tx: 0, Generated: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
CP Session ID: 0
Total sessions: 2
show security flow session summary
user@host> show security flow session summary Flow Sessions on FPC10 PIC1: Unicast-sessions: 1 Multicast-sessions: 0 Services-offload-sessions: 0 Failed-sessions: 0 Sessions-in-use: 1 Valid sessions: 1 Pending sessions: 0 Invalidated sessions: 0 Sessions in other states: 0 Maximum-sessions: 6291456 Flow Sessions on FPC10 PIC2: Unicast-sessions: 0 Multicast-sessions: 0 Services-offload-sessions: 0 Failed-sessions: 0 Sessions-in-use: 0 Valid sessions: 0 Pending sessions: 0 Invalidated sessions: 0 Sessions in other states: 0 Maximum-sessions: 6291456 Flow Sessions on FPC10 PIC3: Unicast-sessions: 0 Multicast-sessions: 0 Services-offload-sessions: 0 Failed-sessions: 0 Sessions-in-use: 0 Valid sessions: 0 Pending sessions: 0 Invalidated sessions: 0 Sessions in other states: 0 Maximum-sessions: 6291456
show security flow session tunnel-inspection-type
user@host> show security flow session tunnel-inspection-type vxlan Session ID: 335544369, Policy name: p1/7, Timeout: 2, Valid In: 192.168.200.100/19183 --> 192.168.200.101/2;icmp, Conn Tag: 0xfcd, If: xe-7/0/0.0, Pkts: 2, Bytes: 2048, CP Session ID: 30, Tunnel Session ID: 268435486, Type: VXLAN, VNI: 1000 Out: 192.168.200.101/2 --> 192.168.200.100/19183;icmp, Conn Tag: 0xfcd, If: xe-7/0/1.0, Pkts: 2, Bytes: 2048, CP Session ID: 30, Tunnel Session ID: 268435488, Type: VXLAN, VNI: 1000
show security flow session tunnel-inspection-type
user@host> show security flow session vxlan-vni 400 Session ID: 1677861258, Policy name: pset1_p1/6, Timeout: 2, Valid In: 192.150.0.12/55908 --> 192.160.0.66/80;tcp, Conn Tag: 0xfcd, If: xe-3/0/0.0, Pkts: 5, Bytes: 465, CP Session ID: 7021087, Type: VXLAN, VNI: 400, Tunnel Session ID: 1680264845 Out: 192.160.0.66/80 --> 192.150.0.12/55908;tcp, Conn Tag: 0xfcd, If: xe-3/0/1.0, Pkts: 3, Bytes: 328, CP Session ID: 7021087, Type: VXLAN, VNI: 400, Tunnel Session ID: 1679640460 Session ID: 1678454648, Policy name: pset1_p1/6, Timeout: 2, Valid In: 192.150.0.13/56659 --> 192.160.0.67/80;tcp, Conn Tag: 0xfcd, If: xe-3/0/0.0, Pkts: 5, Bytes: 465, CP Session ID: 5589311, Type: VXLAN, VNI: 400, Tunnel Session ID: 1679698941 Out: 192.160.0.67/80 --> 192.150.0.13/56659;tcp, Conn Tag: 0xfcd, If: xe-3/0/1.0, Pkts: 3, Bytes: 328, CP Session ID: 5589311, Type: VXLAN, VNI: 400, Tunnel Session ID: 1679872223
show security flow session web-filtering
user@host> show security flow session web-filtering Session ID: 256, Policy name: p/4, Timeout: 1794, Session State: Valid In: 198.51.100.0/33170 --> 203.0.113.0/443;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3, Bytes: 351, Out: 203.0.113.0/443 --> 192.0.2.0/13089;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 44, Total sessions: 1
show security flow session (source and destination tags)
user@host> show security flow session brief
Session ID: 709, Policy name: default-policy-logical-system-00/2, Timeout: 2,
Session State: Valid
In: 10.20.20.2/1 --> 10.40.40.2/684;icmp,
Conn Tag: 0xY, Tag Type: Source-GBP-TAG,
If: ge-0/0/2.0, Pkts: 1, Bytes: 84,
Out: 10.40.40.2/684 --> 10.20.20.2/1;icmp,
Conn Tag: 0xZ, Tag Type: Dest-GBP-TAG,
If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
show security flow session extensive (source and destination tags)
user@host> show security flow session brief
Session ID: 12, Status: Normal
Flags: 0x40/0x0/0x2/0x2000003
Policy name: default-policy-logical-system-00/2
Source NAT pool: Null
Dynamic application: junos:UNKNOWN,
Encryption: Unknown
Url-category: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 60, Current timeout: 4
Session State: Valid
Start time: 1735896239, Duration: 56
In: 10.20.20.2/1 --> 40.40.40.2/1;icmp,
Conn Tag: 0xc8000000, Tag Type: Source-GBP-TAG, Attachment Id: 0, GW Endpoint Id: 0, Flow Cookie: 0, Interface: ge-0/0/2.0,
Session token: 0x9, Flag: 0x21,
Power-Mode Active: False
Route: 0x1008f, Gateway: 10.20.20.2, Tunnel ID: 1048576, Tunnel type: VXLAN, Tunnel info: 3759144960
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 1, Bytes: 84
Out: 10.40.40.2/1 --> 20.20.20.2/1;icmp,
Conn Tag: 0x0, Tag Type: Dest-GBP-TAG, Interface: ge-0/0/0.0,
Session token: 0x9, Flag: 0x20,
Power-Mode Active: False
Route: 0x4008f, Gateway: 10.40.40.2, Tunnel ID: 1048577, Tunnel type: VXLAN, Tunnel info: 3759144961
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
show security flow session session-identifier (source and destination tags)
user@host> show security flow session session-identifier 795
Session ID: 795, Status: Normal
Flags: 0x80000040/0x0/0x2/0x2800003
Policy name: default-policy-logical-system-00/2
Source NAT pool: Null
Dynamic application: junos:UNKNOWN,
Encryption: Unknown
Url-category: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 4, Current timeout: 2
Session State: Valid
Start time: 1732604464, Duration: 2
In: 10.20.20.2/1 --> 10.40.40.2/727;icmp,
Conn Tag: 0xY, Tag Type: Source-GBP-TAG, Attachment Id: 0, GW Endpoint Id: 0, Flow Cookie: 0, Interface: ge-0/0/2.0,
Session token: 0x9, Flag: 0x21,
Power-Mode Active: False
Route: 0x1008f, Gateway: 20.20.20.2, Tunnel ID: 1048576, Tunnel type: VXLAN, Tunnel info: 3759144960
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 1, Bytes: 84
Out: 10.40.40.2/727 --> 10.20.20.2/1;icmp,
Conn Tag: 0xZ, Tag Type: Dest-GBP-TAG, Interface: ge-0/0/0.0,
Session token: 0x9, Flag: 0x20,
Power-Mode Active: False
Route: 0x4008f, Gateway: 40.40.40.2, Tunnel ID: 1048577, Tunnel type: VXLAN, Tunnel info: 3759144961
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 1, Bytes: 84
show security flow session gbp-dst-tag
user@host> show security flow session gbp-dst-tag 400
Session ID: 1606, Status: Normal
Flags: 0x40/0x0/0x2/0x2000003
Policy name: default-policy-logical-system-00/2
Source NAT pool: Null
Dynamic application: junos:UNKNOWN,
Encryption: Unknown
Url-category: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 60, Current timeout: 2
Session State: Valid
Start time: 1737649382, Duration: 60
In: 10.20.20.2/30 --> 10.40.40.2/87;icmp,
Conn Tag: 0xc8, Tag Type: Source-GBP-TAG, Attachment Id: 0, GW Endpoint Id: 0, Flow Cookie: 0, Interface: ge-0/0/0.0,
Session token: 0x8, Flag: 0x21,
Power-Mode Active: False
Route: 0x7008f, Gateway: 10.20.20.2, Tunnel ID: 1048577, Tunnel type: VXLAN, Tunnel info: 3759144961
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 1, Bytes: 84
Out: 40.40.40.2/87 --> 20.20.20.2/30;icmp,
Conn Tag: 0x190, Tag Type: Dest-GBP-TAG, Interface: ge-0/0/2.0,
Session token: 0x8, Flag: 0x20,
Power-Mode Active: False
Route: 0x1008f, Gateway: 10.40.40.2, Tunnel ID: 1048576, Tunnel type: VXLAN, Tunnel info: 3759144960
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
show security flow session gbp-dst-tag
user@host> show security flow session gbp-src-tag 200
Session ID: 1426, Status: Normal
Flags: 0x40/0x0/0x2/0x2000003
Policy name: default-policy-logical-system-00/2
Source NAT pool: Null
Dynamic application: junos:UNKNOWN,
Encryption: Unknown
Url-category: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 60, Current timeout: 42
Session State: Valid
Start time: 1737649296, Duration: 19
In: 20.20.20.2/30 --> 40.40.40.2/1;icmp,
Conn Tag: 0xc8, Tag Type: Source-GBP-TAG, Attachment Id: 0, GW Endpoint Id: 0, Flow Cookie: 0, Interface: ge-0/0/0.0,
Session token: 0x8, Flag: 0x21,
Power-Mode Active: False
Route: 0x7008f, Gateway: 20.20.20.2, Tunnel ID: 1048577, Tunnel type: VXLAN, Tunnel info: 3759144961
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 1, Bytes: 84
Out: 40.40.40.2/1 --> 20.20.20.2/30;icmp,
Conn Tag: 0x190, Tag Type: Dest-GBP-TAG, Interface: ge-0/0/2.0,
Session token: 0x8, Flag: 0x20,
Power-Mode Active: False
Route: 0x1008f, Gateway: 40.40.40.2, Tunnel ID: 1048576, Tunnel type: VXLAN, Tunnel info: 3759144960
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
show security flow session summary (Selective Session Sync)
user@host> show security flow session summary
Unicast-sessions: 16
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-drop-flow: 0
Selective-sync-session: 13
Sessions-in-use: 16
Valid sessions: 16
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Maximum-sessions: 262144show security flow session (Four-Node MNHA)
user@host> show security flow session Session ID: 57, Policy name: default-policy-logical-system-00/2, HA State: Warm, Timeout: 13800, Session State: Valid In: 10.15.0.20/35876 --> 10.20.0.20/22;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0, HA Wing State: Warm, Out: 10.20.0.20/22 --> 10.15.0.20/35876;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0, HA Wing State: Warm, Active Domain Id: 1, Node Id: 1 Total sessions: 15
show security flow session (Interface Zone to VRF Zone)
user@host> show security flow session Session ID: 295, Policy name: policy_2/7, Timeout: 1800, Session State: Valid In: 4.0.0.1/33651 --> 5.0.0.1/443;tcp, Conn Tag: 0x0, VRF: VRF_4000, If: ge-0/0/0.0, Pkts: 60, Bytes: 3720, Out: 5.0.0.1/443 -- > 4.0.0.1/33651;tcp, Conn Tag: 0x0, VRF: VRF_5000, VRF Zone: UNTRUST_VRF, If: ge-0/0/1.0, Pkts: 513, Bytes: 562745, Total sessions: 15
show security flow session (VRF Zone to VRF Zone)
user@host> show security flow session Session ID: 364, Policy name: policy_1/6, Timeout: 1800, Session State: Valid In: 4.0.0.1/46503 --> 5.0.0.1/443;tcp, Conn Tag: 0x0, VRF: VRF_4000, VRF Zone: TRUST_VRF_CLIENT1, If: ge-0/0/0.0, Pkts: 70, Bytes: 4240, Out: 5.0.0.1/443 --> 4.0.0.1/46503;tcp, Conn Tag: 0x0, VRF: VRF_5000, VRF Zone: UNTRUST_VRF_SERVER1, If: ge-0/0/1.0, Pkts: 606, Bytes: 658805, Total sessions: 1
show security flow session (When incoming traffic is pure IP based and outgoing traffic is VRF based and that VRF is not attached to any VRF zone)
user@host> show security flow session Session ID: 673, Policy name: default-policy-logical-system-00/2, Timeout: 1800, Session State: Valid In: 6000::1/33846 --> 7000::1/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 65, Bytes: 5300, Out: 7000::1/443 --> 6000::1/33846;tcp, Conn Tag: 0x0, VRF: VRF_6000, If: ge-0/0/2.0, Pkts: 114, Bytes: 132654,
Release Information
Command introduced in Junos OS Release 8.5.
Support for filter and view options added in Junos OS Release 10.2.
Application firewall, dynamic application, and logical system filters added in Junos OS Release 11.2.
Policy ID filter added in Junos OS Release 12.3X48-D10.
Support for connection tag added in Junos OS Release 15.1X49-D40.
The tenant option introduced in Junos OS Release 18.3R1.
The tunnel-inspection-type option is introduced in Junos OS Release
20.4R1.
The content filtering and Web filtering filtering options
are introduced in Junos OS Release 23.1R1.
The nat, nat-port-overload-index, and
source-nat-pool are introduced in Junos OS Release 23.4R1.
The gbp-dst-tag and gbp-src-tag are introduced in Junos
OS Release 25.4R1.
The VRF and VRF-Zone parameters are introduced in Junos
OS Release 25.4R1.