show security idp counters flow
Syntax
show security idp counters flow <logical-system (logical-system-name | all)> <tenant tenant-name>
Description
Displays the status of all IDP flow counter values.
On SRX Series Firewalls with IDP enabled, if IDP attacks are configured for a single direction (server or client), a flow in the opposite direction does not need IDP processing. For TCP traffic, the TCP optimization feature ensures minimal processing for these flows without running into reassembly errors.
Options
none | Displays the status of all IDP flow counter values. |
logical-system logical-system-name | (Optional) Displays the status of all IDP flow counter values for a specific logical system. |
logical-system all | (Optional) Displays the status of all IDP flow counter values for all logical systems. |
tenant tenant-name | (Optional) Displays the status of all IDP flow counter values for a specific tenant system. |
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security idp counters flow command.
Output fields are listed in the approximate order in which they appear.
| Field Name | Description |
|---|---|
| | Number of packets that are sent through fast path after completing IDP policy lookup. |
| | Number of packets that are sent through slow path during IDP policy lookup. |
| (Unsupported) | Number of times the packet failed to establish the session. |
| | Number of sessions that reached IDP sessions limit. |
| | Number of sessions that reached inspection depth. |
| | Number of sessions that reached memory limit. |
| (Unsupported) | Number of sessions that extended beyond time limit. |
| (Unsupported) | Invalid session index in session age-out message. |
| | Number of packets saved for packet logging. |
| | Number of sessions that matched policy cache. |
| | Number of sessions that did not match policy cache. |
| | Number of policy cache entries. |
| | Maximum number of packets, of one flow, that share the same hash value. |
| | Number of packets that share the same hash value. |
| | Number of gate entries added for dynamic port identification. |
| (Unsupported) | Number of times a gate is matched. |
| | Number of sessions deleted. |
| (Unsupported) | Number of sessions that are aged out if no traffic is received within session timeout value. |
| (Unsupported) | Number of sessions in use during session age-out. |
| | Number of sessions marked dead on TCP RST/FIN. |
| | Policy initiation failed. |
| | Number of times sessions exceeded the high mark. |
| | Number of sessions that exceed high mark. |
| | Number of sessions that fall below low mark. |
| | Session memory exceeds high mark. |
| | Session memory drops below low mark. |
| | Number of SM sessions that encountered memory failures. |
| | Number of SM packets that encountered memory failures. |
| | Number of sessions established. |
| | Number of SM sessions dropped. |
| | Number of sessions ignored in Security Module (SM). |
| | Number of SM sessions interested. |
| | Number of SM sessions not interested. |
| | Number of errors created for SM sessions interested. |
| | Number of sessions destructed. |
| | Number of SM sessions created. |
| | Number of packets processed from SM. |
| | Number of SM FTP data sessions that are ignored by IDP. |
| | Number of SM sessions closed. |
| | Number of SM client-to-server packets. |
| | Number of SM server-to-client packets. |
| | Number of SM client-to-server Layer 7 bytes. |
| | Number of SM server-to-client Layer 7 bytes. |
| | Number of client-to-server flow sessions that are ignored. |
| | Number of server-to-client flow sessions that are ignored. |
| | Number of server-to-client flow TCP sessions that are optimized. |
| | Number of client-to-server flow TCP sessions that are optimized. |
| | Number of server-to-client and client-to-server flow sessions that are ignored. |
| | Number of failover sessions dropped. |
| | Number of sessions dropped because there was no active IDP policy. |
| | Number of IDP stream sessions that are dropped because of memory failure. |
| | Number of IDP stream sessions that are ignored because of memory failure. |
| | Number of IDP stream sessions that are closed because of memory failure. |
| | Number of IDP stream sessions that are accepted. |
| | Number of IDP stream sessions that are constructed. |
| | Number of IDP stream sessions that are destructed. |
| | Number of stream data events handled by IDP. |
| | Number of IDP stream sessions that are ignored because of a JSF SSL proxy event. |
| | Number of IDP stream sessions that are not processed for no matching rules. |
| | Number of IDP stream plug-in buffers dropped. |
| | Number of IDP stream plug-in buffers injected. |
| | Number of packets saved as one or more packets of this session from stream plug-in. |
| | Number of saved packets for IDP stream plug-in sessions. |
| | Number of internal marked packets logged for IDP processing. |
| | Number of sessions that failed logical systems policy lookup. |
| | Number of packets saved as one or more packets of this session are handed off for asynchronous processing. |
| | Number of packets found with IP checksum error after asynchronous processing is completed. |
| (async mode) | Number of queued packets dropped based on policy action, reinjection failures, or if the session is marked to destruct. |
| (async mode) | Not used currently. |
| | Number of packets reinjected into the queue. |
| | Number of failed reinjected packets. |
| | Number of AI packets saved for which the asynchronous processing is completed. |
| | Number of times the busy packet count incremented in asynchronous processing. |
| | Number of times the busy packet count decremented in asynchronous processing. |
| | Number of sessions destructed as a part of asynchronous result processing. |
| | Number of sessions set to be destructed as a result of asynchronous processing. |
| | Number of sessions with one of the following status: |
| | Number of AI saved packets given for signature matching. |
| | Number of packets given for signature matching without AI save. |
| | Number of times signature matching results processed out of packet receiving order. |
| | Number of IDP sessions ignored for content decompression in the IDP intelligent inspection mode. |
| | Number of IDP sessions ignored for bytes depth in the IDP intelligent inspection mode. |
| | Number of IDP sessions ignored for protocol decoding in the IDP intelligent inspection mode. |
| | Number of IDP sessions detected when the CPU usage crosses the CPU threshold of the IDP intelligent inspection. |
| | Number of IDP sessions detected when memory drops below the IDP intelligent inspect low memory threshold. |
Sample Output
- show security idp counters flow
- show security idp counters flow tenant TSYS1
- show security idp counters flow (unified parser)
show security idp counters flow
```
user@host> show security idp counters flow
IDP counters:
IDP counter type Value
Fast-path packets 40252
Slow-path packets 127
Session construction failed 0
Session limit reached 0
Session inspection depth reached 0
Memory limit reached 0
Not a new session 0
Invalid index at ageout 0
Packet logging 0
Policy cache hits 92
Policy cache misses 67
Policy cache entries 67
Maximum flow hash collisions 0
Flow hash collisions 0
Gates added 0
Gate matches 0
Sessions deleted 127
Sessions aged-out 0
Sessions in-use while aged-out 0
TCP flows marked dead on RST/FIN 13
Policy init failed 0
Number of times Sessions exceed high mark 0
Number of times Sessions drop below low mark 0
Memory of Sessions exceeds high mark 0
Memory of Sessions drops below low mark 0
SM Sessions encountered memory failures 0
SM Packets on sessions with memory failures 0
IDP session gate creation requests 0
IDP session gate creation acknowledgements 0
IDP session gate hits 0
IDP session gate timeouts 0
Number of times Sessions crossed the CPU threshold value that is set 0
Number of times Sessions crossed the CPU upper threshold 0
Sessions constructed 127
SM Sessions ignored 0
SM Sessions dropped 0
SM Sessions interested 168
SM Sessions not interested 4
SM Sessions interest error 0
Sessions destructed 127
SM Session Create 127
SM Packet Process 52257
SM ftp data session ignored by idp 0
SM Session close 127
SM Client-to-server packets 20066
SM Server-to-client packets 32191
SM Client-to-server L7 bytes 167292
SM Server-to-client L7 bytes 28523514
Client-to-server flows ignored 1
Server-to-client flows ignored 1
Server-to-client flows tcp optimized 3
Client-to-server flows tcp optimized 0
Both directions flows ignored 32
Fail-over sessions dropped 0
Sessions dropped due to no policy 0
IDP Stream Sessions dropped due to memory failure 0
IDP Stream Sessions ignored due to memory failure 0
IDP Stream Sessions closed due to memory failure 0
IDP Stream Sessions accepted 0
IDP Stream Sessions constructed 0
IDP Stream Sessions destructed 0
IDP Stream Move Data 0
IDP Stream Sessions ignored on JSF SSL Event 0
IDP Stream Sessions not processed for no matching rules 0
IDP Stream stbuf dropped 0
IDP Stream stbuf reinjected 0
Busy pkts from stream plugin 0
Busy pkts from pkt plugin 0
bad kpp 0
Lsys policy id lookup failed sessions 0
Busy packets 0
Busy packet Errors 0
Dropped queued packets (async mode) 0
Dropped queued packets failed(async mode) 0
Reinjected packets (async mode) 0
Reinjected packets failed(async mode) 0
AI saved processed packet 0
busy packet count incremented 0
busy packet count decremented 0
session destructed in pme 0
session destruct set in pme 0
kq op hold 0
kq op drop 0
kq op route 0
kq op continue 35155
kq op error 0
kq op stop 0
PME wait not set 0
PME wait set 0
PME KQ run not called 0
IDP sessions ignored for content decompression in intel inspect mode 0
IDP sessions ignored for bytes depth limit in intel inspect mode 0
IDP sessions ignored for protocol decoding in intel inspect mode 0
IDP sessions detected CPU usage crossed intel inspect CPU threshold 0
IDP sessions detected mem drop below intel inspect low mem threshold 0
```
show security idp counters flow tenant TSYS1
```
user@host> show security idp counters flow tenant TSYS1
IDP counters:
IDP counter type Value
Fast-path packets 38
Slow-path packets 1
Session construction failed 0
Session limit reached 0
Session inspection depth reached 0
Memory limit reached 0
Not a new session 0
Invalid index at ageout 0
Packet logging 0
Policy cache hits 0
Policy cache misses 1
Policy cache entries 0
Maximum flow hash collisions 0
Flow hash collisions 0
Gates added 0
Gate matches 0
Sessions deleted 1
Sessions aged-out 0
Sessions in-use while aged-out 0
TCP flows marked dead on RST/FIN 1
Policy init failed 0
Policy reinit failed 0
Number of times Sessions exceed high mark 0
Number of times Sessions drop below low mark 0
Memory of Sessions exceeds high mark 0
Memory of Sessions drops below low mark 0
SM Sessions encountered memory failures 0
SM Packets on sessions with memory failures 0
IDP session gate creation requests 0
IDP session gate creation acknowledgements 0
IDP session gate hits 0
IDP session gate timeouts 0
Number of times Sessions crossed the CPU threshold value that is set 0
Number of times Sessions crossed the CPU upper threshold 0
Sessions constructed 1
SM Sessions ignored 0
SM Sessions dropped 0
SM Sessions interested 2
SM Sessions not interested 0
SM Sessions interest error 0
Sessions destructed 1
SM Session Create 1
SM Packet Process 38
SM ftp data session ignored by idp 1
SM Session close 1
SM Client-to-server packets 15
SM Server-to-client packets 23
SM Client-to-server L7 bytes 99
SM Server-to-client L7 bytes 367
Client-to-server flows ignored 0
Server-to-client flows ignored 0
Server-to-client flows tcp optimized 0
Client-to-server flows tcp optimized 0
Both directions flows ignored 1
Fail-over sessions dropped 0
Sessions dropped due to no policy 0
IDP Stream Sessions dropped due to memory failure 0
IDP Stream Sessions ignored due to memory failure 0
IDP Stream Sessions closed due to memory failure 0
IDP Stream Sessions accepted 0
IDP Stream Sessions constructed 0
IDP Stream Sessions destructed 0
IDP Stream Move Data 0
IDP Stream Sessions ignored on JSF SSL Event 0
IDP Stream Sessions not processed for no matching rules 0
IDP Stream stbuf dropped 0
IDP Stream stbuf reinjected 0
Busy pkts from stream plugin 0
Busy pkts from pkt plugin 0
bad kpp 0
Lsys policy id lookup failed sessions 0
NGAppID Events with no L7 App 0
NGAppID Events with no active-policy 0
NGAppID Detector failed from event handler 0
NGAppID Detector failed from API 0
Busy packets 0
Busy packet Errors 0
Dropped queued packets (async mode) 0
Dropped queued packets failed(async mode) 0
Reinjected packets (async mode) 0
Reinjected packets failed(async mode) 0
AI saved processed packet 0
busy packet count incremented 0
busy packet count decremented 0
session destructed in pme 0
session destruct set in pme 0
kq op hold 0
kq op drop 0
kq op route 0
kq op continue 37
kq op error 0
kq op stop 0
PME wait not set 0
PME wait set 0
PME KQ run not called 0
IDP sessions ignored for content decompression in intel inspect mode 0
IDP sessions ignored for bytes depth limit in intel inspect mode 0
IDP sessions ignored for protocol decoding in intel inspect mode 0
IDP sessions detected CPU usage crossed intel inspect CPU threshold 0
IDP sessions detected mem drop below intel inspect low mem threshold 0
```
show security idp counters flow (unified parser)
```
user@host> show security idp counters flow
IDP counters:
IDP counter type Value
Fast-path packets 38
Slow-path packets 1
Session construction failed 0
Session limit reached 0
Session inspection depth reached 0
Memory limit reached 0
Not a new session 0
Invalid index at ageout 0
Packet logging 0
Policy cache hits 0
Policy cache misses 1
Policy cache entries 0
Maximum flow hash collisions 0
Flow hash collisions 0
Gates added 0
Gate matches 0
Sessions deleted 1
Sessions aged-out 0
Sessions in-use while aged-out 0
TCP flows marked dead on RST/FIN 1
Policy init failed 0
Policy reinit failed 0
Number of times Sessions exceed high mark 0
Number of times Sessions drop below low mark 0
Memory of Sessions exceeds high mark 0
Memory of Sessions drops below low mark 0
SM Sessions encountered memory failures 0
SM Packets on sessions with memory failures 0
IDP session gate creation requests 0
IDP session gate creation acknowledgements 0
IDP session gate hits 0
IDP session gate timeouts 0
Number of times Sessions crossed the CPU threshold value that is set 0
Number of times Sessions crossed the CPU upper threshold 0
Sessions constructed 1
SM Sessions ignored 0
SM Sessions dropped 0
SM Sessions interested 2
SM Sessions not interested 0
SM Sessions interest error 0
Sessions destructed 13
Sessions processed with Unified Parser 11
Sessions processed without Unified Parser 4
SM Session Create 15
SM Packet Process 38
SM ftp data session ignored by idp 1
SM Session close 1
SM Client-to-server packets 15
SM Server-to-client packets 23
SM Client-to-server L7 bytes 99
SM Server-to-client L7 bytes 367
Client-to-server flows ignored 0
Server-to-client flows ignored 0
Server-to-client flows tcp optimized 0
Client-to-server flows tcp optimized 0
Both directions flows ignored 1
Fail-over sessions dropped 0
Sessions dropped due to no policy 0
IDP Stream Sessions dropped due to memory failure 0
IDP Stream Sessions ignored due to memory failure 0
IDP Stream Sessions closed due to memory failure 0
IDP Stream Sessions accepted 0
IDP Stream Sessions constructed 0
IDP Stream Sessions destructed 0
IDP Stream Move Data 0
IDP Stream Sessions ignored on JSF SSL Event 0
IDP Stream Sessions not processed for no matching rules 0
IDP Stream stbuf dropped 0
IDP Stream stbuf reinjected 0
Busy pkts from stream plugin 0
Busy pkts from pkt plugin 0
bad kpp 0
Lsys policy id lookup failed sessions 0
NGAppID Events with no L7 App 0
NGAppID Events with no active-policy 0
NGAppID Detector failed from event handler 0
NGAppID Detector failed from API 0
Busy packets 0
Busy packet Errors 0
Dropped queued packets (async mode) 0
Dropped queued packets failed(async mode) 0
Reinjected packets (async mode) 0
Reinjected packets failed(async mode) 0
AI saved processed packet 0
busy packet count incremented 0
busy packet count decremented 0
session destructed in pme 0
session destruct set in pme 0
kq op hold 0
kq op drop 0
kq op route 0
kq op continue 37
kq op error 0
kq op stop 0
PME wait not set 0
PME wait set 0
PME KQ run not called 0
IDP sessions ignored for content decompression in intel inspect mode 0
IDP sessions ignored for bytes depth limit in intel inspect mode 0
IDP sessions ignored for protocol decoding in intel inspect mode 0
IDP sessions detected CPU usage crossed intel inspect CPU threshold 0
IDP sessions detected mem drop below intel inspect low mem threshold 0
```
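For monitoring, the counter output shown above can be parsed and compared across two captures. The Python below is an added example, not Juniper code: it reads the text output and reports which watched counters increased between snapshots. The watch list, the function names and the snapshot values are assumptions of this example; the counter names are taken from the sample output.

```python
import re

# Counter names are copied from the sample output on this page. Choosing these
# six to watch is this example's assumption, not vendor guidance.
WATCH = (
    "Session limit reached",
    "Memory limit reached",
    "Policy init failed",
    "Sessions dropped due to no policy",
    "SM Sessions encountered memory failures",
    "IDP Stream Sessions ignored due to memory failure",
)
ROW = re.compile(r"^\s*(\S.*?)\s+(\d+)\s*$")  # "<counter name>  <value>"


def parse_counters(text):
    """Map counter name -> int; the prompt and header lines are skipped."""
    counters = {}
    for line in text.splitlines():
        if line.split(" ", 1)[0].endswith(">"):  # CLI prompt, e.g. user@host>
            continue
        m = ROW.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def rising(before, after, watch=WATCH):
    """Return {name: increase} for watched counters that grew; absent counts as 0."""
    deltas = {n: after.get(n, 0) - before.get(n, 0) for n in watch}
    return {n: d for n, d in deltas.items() if d > 0}


# Constructed input: two snapshots with invented values, shaped like the CLI output.
TEMPLATE = """user@host> show security idp counters flow tenant TSYS1
IDP counters:
  IDP counter type                                 Value
  Fast-path packets                                {fast}
  Session limit reached                            {limit}
  Memory limit reached                             0
  Dropped queued packets failed(async mode)        0
  Sessions dropped due to no policy                {nopol}
"""
SNAP_1 = TEMPLATE.format(fast=40252, limit=0, nopol=0)
SNAP_2 = TEMPLATE.format(fast=41990, limit=7, nopol=3)

if __name__ == "__main__":
    print(rising(parse_counters(SNAP_1), parse_counters(SNAP_2)))
```

Counters missing from one capture are treated as 0 because the three sample outputs do not list the same set of counters.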
Release Information
Command introduced in Junos OS Release 9.2.
logical-system option introduced in Junos OS Release 18.3R1.
tenant option introduced in Junos OS Release 19.2R1.