
show security idp counters flow

Syntax

show security idp counters flow
<logical-system (logical-system-name | all)>
<tenant tenant-name>

Description

Displays the status of all IDP flow counter values.

Note:

On SRX Series Firewalls with IDP enabled, if IDP attacks are configured for a single direction (server or client), a flow in the opposite direction does not need IDP processing. For TCP traffic, the TCP optimization feature ensures minimal processing for these flows without running into reassembly errors.

Options

none

Displays the status of all IDP flow counter values.

logical-system logical-system-name

(Optional) Displays the status of all IDP flow counter values for a specific logical system.

logical-system all

(Optional) Displays the status of all IDP flow counter values for all logical systems.

tenant tenant-name

(Optional) Displays the status of all IDP flow counter values for a specific tenant system.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security idp counters flow command. Output fields are listed in the approximate order in which they appear.

Table 1: show security idp counters flow Output Fields

Field Name

Description

Fast-path packets

Number of packets that are sent through the fast path after the IDP policy lookup has completed.

Slow-path packets

Number of packets that are sent through the slow path during IDP policy lookup.

Session construction failed

(Unsupported)

Number of times a packet failed to establish a session.

Session limit reached

Number of sessions that reached the IDP session limit.

Session inspection depth reached

Number of sessions that reached the inspection depth.

Memory limit reached

Number of sessions that reached the memory limit.

Not a new session

(Unsupported)

Number of sessions that extended beyond the time limit.

Invalid index at age-out

(Unsupported)

Invalid session index in session age-out message.

Packet logging

Number of packets saved for packet logging.

Policy cache hits

Number of sessions that matched policy cache.

Policy cache misses

Number of sessions that did not match policy cache.

Policy cache entries

Number of policy cache entries.

Maximum flow hash collisions

Maximum number of packets, of one flow, that share the same hash value.

Flow hash collisions

Number of packets that share the same hash value.

Gates added

Number of gate entries added for dynamic port identification.

Gate matches

(Unsupported)

Number of times a gate is matched.

Sessions deleted

Number of sessions deleted.

Sessions aged-out

(Unsupported)

Number of sessions that were aged out because no traffic was received within the session timeout value.

Sessions in-use while aged-out

(Unsupported)

Number of sessions in use during session age-out.

TCP flows marked dead on RST/FIN

Number of sessions marked dead on TCP RST/FIN.

policy init failed

Number of times policy initialization failed.

Number of times Sessions exceed high mark

Number of times sessions exceeded the high mark.

Number of sessions exceeds high mark

Number of sessions that exceed high mark.

Number of sessions drops below low mark

Number of sessions that fall below low mark.

Memory of sessions exceeds high mark

Session memory exceeds high mark.

Memory of sessions drops below low mark

Session memory drops below low mark.

SM Sessions encountered memory failures

Number of SM sessions that encountered memory failures.

SM Packets on sessions with memory failures

Number of SM packets that encountered memory failures.

Sessions constructed

Number of sessions established.

SM Sessions dropped

Number of SM sessions dropped.

SM sessions ignored

Number of sessions ignored in Security Module (SM).

SM sessions interested

Number of SM sessions marked as interested.

SM sessions not interested

Number of SM sessions marked as not interested.

SM sessions interest error

Number of errors encountered for SM sessions marked as interested.

Sessions destructed

Number of sessions destructed.

SM Session Create

Number of SM sessions created.

SM Packet Process

Number of packets processed from SM.

SM FTP data session ignored by IDP

Number of SM FTP data sessions that are ignored by IDP.

SM Session close

Number of SM sessions closed.

SM client-to-server packets

Number of SM client-to-server packets.

SM server-to-client packets

Number of SM server-to-client packets.

SM client-to-server L7 bytes

Number of SM client-to-server Layer 7 bytes.

SM server-to-client L7 bytes

Number of SM server-to-client Layer 7 bytes.

Client-to-server flows ignored

Number of client-to-server flow sessions that are ignored.

Server-to-client flows ignored

Number of server-to-client flow sessions that are ignored.

Server-to-client flows tcp optimized

Number of server-to-client flow TCP sessions that are optimized.

Client-to-server flows tcp optimized

Number of client-to-server flow TCP sessions that are optimized.

Both directions flows ignored

Number of server-to-client and client-to-server flow sessions that are ignored.

Fail-over sessions dropped

Number of failover sessions dropped.

Sessions dropped due to no policy

Number of sessions dropped because there was no active IDP policy.

IDP Stream Sessions dropped due to memory failure

Number of IDP stream sessions that are dropped because of memory failure.

IDP Stream Sessions ignored due to memory failure

Number of IDP stream sessions that are ignored because of memory failure.

IDP Stream Sessions closed due to memory failure

Number of IDP stream sessions that are closed because of memory failure.

IDP Stream Sessions accepted

Number of IDP stream sessions that are accepted.

IDP Stream Sessions constructed

Number of IDP stream sessions that are constructed.

IDP Stream Sessions destructed

Number of IDP stream sessions that are destructed.

IDP Stream Move Data

Number of stream data events handled by IDP.

IDP Stream Sessions ignored on JSF SSL Event

Number of IDP stream sessions that are ignored because of a JSF SSL proxy event.

IDP Stream Sessions not processed for no matching rules

Number of IDP stream sessions that are not processed because no rules matched.

IDP Stream stbuf dropped

Number of IDP stream plug-in buffers dropped.

IDP Stream stbuf reinjected

Number of IDP stream plug-in buffers reinjected.

Busy packets from stream plugin

Number of packets from the stream plug-in that were saved because one or more packets of this session are still busy.

Busy packets from packets plugin

Number of saved packets for IDP stream plug-in sessions.

Bad kpp

Number of internal marked packets logged for IDP processing.

Lsys policy id lookup failed sessions

Number of sessions that failed the logical system policy ID lookup.

Busy packets

Number of packets saved because one or more packets of this session have been handed off for asynchronous processing.

Busy packet errors

Number of packets found with IP checksum error after asynchronous processing is completed.

Dropped queued packets

(async mode)

Number of queued packets dropped based on policy action, reinjection failures, or if the session is marked to destruct.

Dropped queued packets failed

(async mode)

Not used currently.

Reinjected packets (async mode)

Number of packets reinjected into the queue.

Reinjected packets failed(async mode)

Number of failed reinjected packets.

AI saved processed packet

Number of AI packets saved for which the asynchronous processing is completed.

Busy packet count incremented

Number of times the busy packet count incremented in asynchronous processing.

busy packet count decremented

Number of times the busy packet count decremented in asynchronous processing.

session destructed in pme

Number of sessions destructed as a part of asynchronous result processing.

session destruct set in pme

Number of sessions set to be destructed as a result of asynchronous processing.

KQ op

Number of sessions with one of the following statuses:

  • KQ op hold–number of times packets were held by IDP.

  • KQ op drop–number of times packets were dropped by IDP.

  • KQ op route–number of times IDP decided to route the packet directly.

  • KQ op Continue–number of times IDP decided to continue processing the packet.

  • KQ op error–number of times an error occurred while IDP was processing the packet.

  • KQ op stop–number of times IDP decided to stop processing the packet.

PME wait not set

Number of AI saved packets given for signature matching.

PME wait set

Number of packets given for signature matching without AI save.

PME KQ run not called

Number of times signature matching results were processed out of packet receiving order.

IDP sessions ignored for content decompression in intel inspect mode

Number of IDP sessions ignored for content decompression in IDP intelligent inspection mode.

IDP sessions ignored for bytes depth limit in intel inspect mode

Number of IDP sessions ignored for the bytes depth limit in IDP intelligent inspection mode.

IDP sessions ignored for protocol decoding in intel inspect mode

Number of IDP sessions ignored for protocol decoding in IDP intelligent inspection mode.

IDP sessions detected CPU usage crossed intel inspect CPU threshold

Number of IDP sessions detected while CPU usage was above the IDP intelligent inspection CPU threshold.

IDP sessions detected mem drop below intel inspect low mem threshold

Number of IDP sessions detected while memory was below the IDP intelligent inspection low memory threshold.

Sample Output

show security idp counters flow

show security idp counters flow tenant TSYS1

show security idp counters flow (unified parser)
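The counter listings for the sample commands above are not reproduced on this page, so the following added Python script (written for this page, not Juniper's code) works on two constructed snapshots that assume the usual two-column "counter name, integer value" layout of Junos counter output. It parses snapshots of show security idp counters flow taken some time apart, computes the per-counter increase, and reports which of the resource-related counters from the Output Fields table (session limit, memory limit, inspection depth, sessions dropped for lack of a policy, stream sessions dropped or ignored on memory failure, failed logical-system policy lookups) grew between them. Those are the counters an operator would trend to notice that IDP is running out of session or memory capacity and that sessions or packets are leaving the normal inspection path. The names WATCHED, parse_counters, counter_deltas and inspection_pressure, and the sample values, are this example's own assumptions.

```python
"""Compare two snapshots of `show security idp counters flow` and flag
counters that indicate inspection pressure.  Added example; the snapshot
text is constructed to mimic the Junos column layout (an assumption, not
output copied from the reference page)."""
import re
from typing import Dict, List, Tuple

# Counters whose growth means sessions or packets did not take the normal
# inspection path.  Names are taken from the Output Fields table.
WATCHED = (
    "Session limit reached",
    "Memory limit reached",
    "Session inspection depth reached",
    "Sessions dropped due to no policy",
    "Dropped queued packets (async mode)",
    "IDP Stream Sessions dropped due to memory failure",
    "IDP Stream Sessions ignored due to memory failure",
    "Lsys policy id lookup failed sessions",
)

# Constructed snapshots (not real device output): one counter per line,
# name followed by whitespace and an integer value.
SNAPSHOT_T0 = """\
IDP counters status:
  IDP counter type                                  Value
  Fast-path packets                                 120044
  Slow-path packets                                 3110
  Session limit reached                             0
  Memory limit reached                              0
  Sessions constructed                              3100
  Sessions dropped due to no policy                 0
  Dropped queued packets (async mode)               2
"""

SNAPSHOT_T1 = """\
IDP counters status:
  IDP counter type                                  Value
  Fast-path packets                                 250910
  Slow-path packets                                 7420
  Session limit reached                             37
  Memory limit reached                              0
  Sessions constructed                              7380
  Sessions dropped due to no policy                 0
  Dropped queued packets (async mode)               2
"""

# A counter line: a name (may contain spaces and parentheses) followed by
# whitespace and a decimal value at the end of the line.  Header lines such
# as "IDP counter type   Value" do not end in digits and are skipped.
LINE_RE = re.compile(r"^\s*(?P<name>\S.*?\S)\s+(?P<value>\d+)\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Return {counter name: value} for every counter line in a snapshot."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            counters[match.group("name")] = int(match.group("value"))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter change between two snapshots.  Counters missing from
    either snapshot are skipped; a negative delta is reported as is so a
    counter reset (for example after a PFE restart) stands out."""
    return {name: after[name] - before[name] for name in after if name in before}


def inspection_pressure(before: Dict[str, int], after: Dict[str, int]) -> List[Tuple[str, int]]:
    """Watched counters that increased between the snapshots, with the
    amount of the increase, in the order of WATCHED."""
    deltas = counter_deltas(before, after)
    return [(name, deltas[name]) for name in WATCHED if deltas.get(name, 0) > 0]


if __name__ == "__main__":
    t0 = parse_counters(SNAPSHOT_T0)
    t1 = parse_counters(SNAPSHOT_T1)
    flagged = inspection_pressure(t0, t1)
    if not flagged:
        print("no watched counter increased")
    for name, increase in flagged:
        print(f"{name}: +{increase}")
```

In the constructed data only "Session limit reached" moves (from 0 to 37), so that is the single line reported. Because the counters are cumulative, a single snapshot says little; the delta between two collections of the same command, compared against the polling interval, is what shows whether the condition is ongoing.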

Release Information

Command introduced in Junos OS Release 9.2.

logical-system option introduced in Junos OS Release 18.3R1.

tenant option introduced in Junos OS Release 19.2R1.